Edit tour

Windows Analysis Report
yoyrJ.dll

Overview

General Information

Sample Name:	yoyrJ.dll
Analysis ID:	750476
MD5:	dd7105e9748a29b5bd61ea57214d57e3
SHA1:	827b323bda769ba7fb838a231aa4160209266b14
SHA256:	c987ad0cc79b598bdee9ec7da96b07e82a04cadd73cb3caf85b799731deef9a1
Infos:

Detection

Emotet

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Yara detected Emotet

System process connects to network (likely due to code injection or exploit)

Antivirus detection for URL or domain

Snort IDS alert for network traffic

Creates an autostart registry key pointing to binary in C:\Windows

C2 URLs / IPs found in malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Queries the volume information (name, serial number etc) of a device

Yara signature match

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query locales information (e.g. system language)

Deletes files inside the Windows folder

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Creates files inside the system directory

PE file contains sections with non-standard names

Internet Provider seen in connection with other malware

Detected potential crypto function

Sample execution stops while process was sleeping (likely an evasion)

JA3 SSL client fingerprint seen in connection with other malware

Contains functionality to dynamically determine API calls

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

PE file contains an invalid checksum

Tries to load missing DLLs

Drops PE files to the windows directory (C:\Windows)

Detected TCP or UDP traffic on non-standard ports

Connects to several IPs in different countries

Registers a DLL

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w10x64

loaddll64.exe (PID: 3692 cmdline: loaddll64.exe "C:\Users\user\Desktop\yoyrJ.dll" MD5: C676FC0263EDD17D4CE7D644B8F3FCD6)

conhost.exe (PID: 3096 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cmd.exe (PID: 976 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\yoyrJ.dll",#1 MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

rundll32.exe (PID: 5288 cmdline: rundll32.exe "C:\Users\user\Desktop\yoyrJ.dll",#1 MD5: 73C519F050C20580F8A62C849D49215A)

regsvr32.exe (PID: 5412 cmdline: C:\Windows\system32\regsvr32.exe "C:\Windows\system32\RPhOZPFULSaJ\nMwLrZYwR.dll" MD5: D78B75FC68247E8A63ACBA846182740E)

WMIADAP.exe (PID: 5412 cmdline: wmiadap.exe /F /T /R MD5: 9783D0765F31980950445DFD40DB15DA)

regsvr32.exe (PID: 5020 cmdline: regsvr32.exe /s C:\Users\user\Desktop\yoyrJ.dll MD5: D78B75FC68247E8A63ACBA846182740E)

regsvr32.exe (PID: 5908 cmdline: C:\Windows\system32\regsvr32.exe "C:\Windows\system32\UgFJoEzLBQVtMeg\qohQcmrlRynEDAUP.dll" MD5: D78B75FC68247E8A63ACBA846182740E)

rundll32.exe (PID: 5284 cmdline: rundll32.exe C:\Users\user\Desktop\yoyrJ.dll,DllRegisterServer MD5: 73C519F050C20580F8A62C849D49215A)

regsvr32.exe (PID: 4644 cmdline: C:\Windows\system32\regsvr32.exe "C:\Windows\system32\YbSMYJyTdzumryV\WWgeEzfCEnB.dll" MD5: D78B75FC68247E8A63ACBA846182740E)

regsvr32.exe (PID: 5132 cmdline: C:\Windows\system32\regsvr32.exe "C:\Windows\system32\OGxcy\dYkxHTuA.dll" MD5: D78B75FC68247E8A63ACBA846182740E)

regsvr32.exe (PID: 5132 cmdline: C:\Windows\system32\regsvr32.exe" "C:\Windows\system32\UgFJoEzLBQVtMeg\qohQcmrlRynEDAUP.dll MD5: D78B75FC68247E8A63ACBA846182740E)

regsvr32.exe (PID: 4192 cmdline: C:\Windows\system32\regsvr32.exe "C:\Users\user\AppData\Local\ArkmTuxCaKyXkTDZ\fBEZnVEOT.dll" MD5: D78B75FC68247E8A63ACBA846182740E)

cleanup

Malware Configuration

Threatname: Emotet

{"C2 list": ["173.255.211.88:443", "45.63.99.23:7080", "182.162.143.56:443", "91.187.140.35:8080", "212.24.98.99:8080", "119.59.103.152:8080", "45.235.8.30:8080", "172.104.251.154:8080", "72.15.201.15:8080", "169.57.156.166:8080", "103.75.201.2:443", "213.239.212.5:443", "164.90.222.65:443", "201.94.166.162:443", "94.23.45.86:4143", "183.111.227.137:8080", "186.194.240.217:443", "107.170.39.149:8080", "147.139.166.154:8080", "5.135.159.50:443", "206.189.28.199:8080", "104.168.155.143:8080", "129.232.188.93:443", "82.223.21.224:8080", "103.43.75.120:443", "103.132.242.26:8080", "139.59.56.73:8080", "164.68.99.3:8080", "202.129.205.3:8080", "167.172.199.165:8080", "110.232.117.186:8080", "209.97.163.214:443", "167.172.253.162:8080", "1.234.2.232:8080", "159.65.88.10:8080", "95.217.221.146:8080", "153.92.5.27:8080", "91.207.28.33:8080", "188.44.20.25:443", "153.126.146.25:7080", "163.44.196.120:8080", "172.105.226.75:8080", "115.68.227.76:8080", "159.65.140.115:443", "139.59.126.41:443", "197.242.150.244:8080", "45.176.232.124:443", "45.118.115.99:8080", "149.56.131.28:8080", "79.137.35.198:8080", "173.212.193.249:8080", "160.16.142.56:8080", "159.89.202.34:443", "185.4.135.165:8080"], "Public Key": ["RUNTMSAAAABAX3S2xNjcDD0fBno33Ln5t71eii+mofIPoXkNFOX1MeiwCh48iz97kB0mJjGGZXwardnDXKxI8GCHGNl0PFj5J0rtUQAbAIw=", "RUNLMSAAAADzozW1Di4r9DVWzQpMKT588RDdy7BPILP6AiDOTLYMHkSWvrQO5slbmr1OvZ2Pz+AQWzRMggQmAtO6rPH7nyx2AkoOUQAUAJA="]}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000007.00000002.828364693.0000000180001000.00000020.00001000.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000007.00000002.828364693.0000000180001000.00000020.00001000.00020000.00000000.sdmp	Windows_Trojan_Emotet_db7d33fa	unknown	unknown	0x171c2:$chunk_0: 4C 8D 9C 24 80 00 00 00 8B C3 49 8B 5B 10 49 8B 73 18 49 8B 7B 20 49 8B E3 5D C3 0x2a90c:$chunk_0: 4C 8D 9C 24 80 00 00 00 8B C3 49 8B 5B 10 49 8B 73 18 49 8B 7B 20 49 8B E3 5D C3 0x24ac0:$chunk_1: 8B C7 41 0F B7 4C 45 00 41 8B 1C 8C 48 03 DD 48 3B DE 72 1B 0x1b568:$chunk_2: 48 8B C4 48 89 48 08 48 89 50 10 4C 89 40 18 4C 89 48 20 C3 0x216e4:$chunk_4: 48 39 3B 4C 8D 9C 24 80 00 00 00 49 8B 5B 10 49 8B 73 18 40 0F 95 C7 8B C7 49 8B 7B 20 49 8B E3 5D C3 0x2ae01:$chunk_4: 48 39 3B 4C 8D 9C 24 80 00 00 00 49 8B 5B 10 49 8B 73 20 40 0F 95 C7 8B C7 49 8B 7B 28 49 8B E3 5D C3 0x24ad4:$chunk_6: 43 8B 84 FE 8C 00 00 00 48 03 C6 48 3B D8 73 0B
0000000C.00000002.496080462.0000000000D20000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0000000C.00000002.496080462.0000000000D20000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Emotet_db7d33fa	unknown	unknown	0x175c2:$chunk_0: 4C 8D 9C 24 80 00 00 00 8B C3 49 8B 5B 10 49 8B 73 18 49 8B 7B 20 49 8B E3 5D C3 0x2ad0c:$chunk_0: 4C 8D 9C 24 80 00 00 00 8B C3 49 8B 5B 10 49 8B 73 18 49 8B 7B 20 49 8B E3 5D C3 0x24ec0:$chunk_1: 8B C7 41 0F B7 4C 45 00 41 8B 1C 8C 48 03 DD 48 3B DE 72 1B 0x1b968:$chunk_2: 48 8B C4 48 89 48 08 48 89 50 10 4C 89 40 18 4C 89 48 20 C3 0x21ae4:$chunk_4: 48 39 3B 4C 8D 9C 24 80 00 00 00 49 8B 5B 10 49 8B 73 18 40 0F 95 C7 8B C7 49 8B 7B 20 49 8B E3 5D C3 0x2b201:$chunk_4: 48 39 3B 4C 8D 9C 24 80 00 00 00 49 8B 5B 10 49 8B 73 20 40 0F 95 C7 8B C7 49 8B 7B 28 49 8B E3 5D C3 0x24ed4:$chunk_6: 43 8B 84 FE 8C 00 00 00 48 03 C6 48 3B D8 73 0B
00000000.00000002.322442190.0000000180001000.00000020.00001000.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000000.00000002.322442190.0000000180001000.00000020.00001000.00020000.00000000.sdmp	Windows_Trojan_Emotet_db7d33fa	unknown	unknown	0x171c2:$chunk_0: 4C 8D 9C 24 80 00 00 00 8B C3 49 8B 5B 10 49 8B 73 18 49 8B 7B 20 49 8B E3 5D C3 0x2a90c:$chunk_0: 4C 8D 9C 24 80 00 00 00 8B C3 49 8B 5B 10 49 8B 73 18 49 8B 7B 20 49 8B E3 5D C3 0x24ac0:$chunk_1: 8B C7 41 0F B7 4C 45 00 41 8B 1C 8C 48 03 DD 48 3B DE 72 1B 0x1b568:$chunk_2: 48 8B C4 48 89 48 08 48 89 50 10 4C 89 40 18 4C 89 48 20 C3 0x216e4:$chunk_4: 48 39 3B 4C 8D 9C 24 80 00 00 00 49 8B 5B 10 49 8B 73 18 40 0F 95 C7 8B C7 49 8B 7B 20 49 8B E3 5D C3 0x2ae01:$chunk_4: 48 39 3B 4C 8D 9C 24 80 00 00 00 49 8B 5B 10 49 8B 73 20 40 0F 95 C7 8B C7 49 8B 7B 28 49 8B E3 5D C3 0x24ad4:$chunk_6: 43 8B 84 FE 8C 00 00 00 48 03 C6 48 3B D8 73 0B
00000003.00000002.321064194.0000000000A90000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000003.00000002.321064194.0000000000A90000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Emotet_db7d33fa	unknown	unknown	0x175c2:$chunk_0: 4C 8D 9C 24 80 00 00 00 8B C3 49 8B 5B 10 49 8B 73 18 49 8B 7B 20 49 8B E3 5D C3 0x2ad0c:$chunk_0: 4C 8D 9C 24 80 00 00 00 8B C3 49 8B 5B 10 49 8B 73 18 49 8B 7B 20 49 8B E3 5D C3 0x24ec0:$chunk_1: 8B C7 41 0F B7 4C 45 00 41 8B 1C 8C 48 03 DD 48 3B DE 72 1B 0x1b968:$chunk_2: 48 8B C4 48 89 48 08 48 89 50 10 4C 89 40 18 4C 89 48 20 C3 0x21ae4:$chunk_4: 48 39 3B 4C 8D 9C 24 80 00 00 00 49 8B 5B 10 49 8B 73 18 40 0F 95 C7 8B C7 49 8B 7B 20 49 8B E3 5D C3 0x2b201:$chunk_4: 48 39 3B 4C 8D 9C 24 80 00 00 00 49 8B 5B 10 49 8B 73 20 40 0F 95 C7 8B C7 49 8B 7B 28 49 8B E3 5D C3 0x24ed4:$chunk_6: 43 8B 84 FE 8C 00 00 00 48 03 C6 48 3B D8 73 0B
00000005.00000002.321445782.000001BBC5810000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000005.00000002.321445782.000001BBC5810000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Emotet_db7d33fa	unknown	unknown	0x175c2:$chunk_0: 4C 8D 9C 24 80 00 00 00 8B C3 49 8B 5B 10 49 8B 73 18 49 8B 7B 20 49 8B E3 5D C3 0x2ad0c:$chunk_0: 4C 8D 9C 24 80 00 00 00 8B C3 49 8B 5B 10 49 8B 73 18 49 8B 7B 20 49 8B E3 5D C3 0x24ec0:$chunk_1: 8B C7 41 0F B7 4C 45 00 41 8B 1C 8C 48 03 DD 48 3B DE 72 1B 0x1b968:$chunk_2: 48 8B C4 48 89 48 08 48 89 50 10 4C 89 40 18 4C 89 48 20 C3 0x21ae4:$chunk_4: 48 39 3B 4C 8D 9C 24 80 00 00 00 49 8B 5B 10 49 8B 73 18 40 0F 95 C7 8B C7 49 8B 7B 20 49 8B E3 5D C3 0x2b201:$chunk_4: 48 39 3B 4C 8D 9C 24 80 00 00 00 49 8B 5B 10 49 8B 73 20 40 0F 95 C7 8B C7 49 8B 7B 28 49 8B E3 5D C3 0x24ed4:$chunk_6: 43 8B 84 FE 8C 00 00 00 48 03 C6 48 3B D8 73 0B
00000004.00000002.318945591.0000000180001000.00000020.00001000.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000004.00000002.318945591.0000000180001000.00000020.00001000.00020000.00000000.sdmp	Windows_Trojan_Emotet_db7d33fa	unknown	unknown	0x171c2:$chunk_0: 4C 8D 9C 24 80 00 00 00 8B C3 49 8B 5B 10 49 8B 73 18 49 8B 7B 20 49 8B E3 5D C3 0x2a90c:$chunk_0: 4C 8D 9C 24 80 00 00 00 8B C3 49 8B 5B 10 49 8B 73 18 49 8B 7B 20 49 8B E3 5D C3 0x24ac0:$chunk_1: 8B C7 41 0F B7 4C 45 00 41 8B 1C 8C 48 03 DD 48 3B DE 72 1B 0x1b568:$chunk_2: 48 8B C4 48 89 48 08 48 89 50 10 4C 89 40 18 4C 89 48 20 C3 0x216e4:$chunk_4: 48 39 3B 4C 8D 9C 24 80 00 00 00 49 8B 5B 10 49 8B 73 18 40 0F 95 C7 8B C7 49 8B 7B 20 49 8B E3 5D C3 0x2ae01:$chunk_4: 48 39 3B 4C 8D 9C 24 80 00 00 00 49 8B 5B 10 49 8B 73 20 40 0F 95 C7 8B C7 49 8B 7B 28 49 8B E3 5D C3 0x24ad4:$chunk_6: 43 8B 84 FE 8C 00 00 00 48 03 C6 48 3B D8 73 0B
00000003.00000002.322205921.0000000180001000.00000020.00001000.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000003.00000002.322205921.0000000180001000.00000020.00001000.00020000.00000000.sdmp	Windows_Trojan_Emotet_db7d33fa	unknown	unknown	0x171c2:$chunk_0: 4C 8D 9C 24 80 00 00 00 8B C3 49 8B 5B 10 49 8B 73 18 49 8B 7B 20 49 8B E3 5D C3 0x2a90c:$chunk_0: 4C 8D 9C 24 80 00 00 00 8B C3 49 8B 5B 10 49 8B 73 18 49 8B 7B 20 49 8B E3 5D C3 0x24ac0:$chunk_1: 8B C7 41 0F B7 4C 45 00 41 8B 1C 8C 48 03 DD 48 3B DE 72 1B 0x1b568:$chunk_2: 48 8B C4 48 89 48 08 48 89 50 10 4C 89 40 18 4C 89 48 20 C3 0x216e4:$chunk_4: 48 39 3B 4C 8D 9C 24 80 00 00 00 49 8B 5B 10 49 8B 73 18 40 0F 95 C7 8B C7 49 8B 7B 20 49 8B E3 5D C3 0x2ae01:$chunk_4: 48 39 3B 4C 8D 9C 24 80 00 00 00 49 8B 5B 10 49 8B 73 20 40 0F 95 C7 8B C7 49 8B 7B 28 49 8B E3 5D C3 0x24ad4:$chunk_6: 43 8B 84 FE 8C 00 00 00 48 03 C6 48 3B D8 73 0B
00000004.00000002.319306896.000001EBD2220000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000004.00000002.319306896.000001EBD2220000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Emotet_db7d33fa	unknown	unknown	0x175c2:$chunk_0: 4C 8D 9C 24 80 00 00 00 8B C3 49 8B 5B 10 49 8B 73 18 49 8B 7B 20 49 8B E3 5D C3 0x2ad0c:$chunk_0: 4C 8D 9C 24 80 00 00 00 8B C3 49 8B 5B 10 49 8B 73 18 49 8B 7B 20 49 8B E3 5D C3 0x24ec0:$chunk_1: 8B C7 41 0F B7 4C 45 00 41 8B 1C 8C 48 03 DD 48 3B DE 72 1B 0x1b968:$chunk_2: 48 8B C4 48 89 48 08 48 89 50 10 4C 89 40 18 4C 89 48 20 C3 0x21ae4:$chunk_4: 48 39 3B 4C 8D 9C 24 80 00 00 00 49 8B 5B 10 49 8B 73 18 40 0F 95 C7 8B C7 49 8B 7B 20 49 8B E3 5D C3 0x2b201:$chunk_4: 48 39 3B 4C 8D 9C 24 80 00 00 00 49 8B 5B 10 49 8B 73 20 40 0F 95 C7 8B C7 49 8B 7B 28 49 8B E3 5D C3 0x24ed4:$chunk_6: 43 8B 84 FE 8C 00 00 00 48 03 C6 48 3B D8 73 0B
0000000C.00000002.496539435.0000000180001000.00000020.00001000.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0000000C.00000002.496539435.0000000180001000.00000020.00001000.00020000.00000000.sdmp	Windows_Trojan_Emotet_db7d33fa	unknown	unknown	0x171c2:$chunk_0: 4C 8D 9C 24 80 00 00 00 8B C3 49 8B 5B 10 49 8B 73 18 49 8B 7B 20 49 8B E3 5D C3 0x2a90c:$chunk_0: 4C 8D 9C 24 80 00 00 00 8B C3 49 8B 5B 10 49 8B 73 18 49 8B 7B 20 49 8B E3 5D C3 0x24ac0:$chunk_1: 8B C7 41 0F B7 4C 45 00 41 8B 1C 8C 48 03 DD 48 3B DE 72 1B 0x1b568:$chunk_2: 48 8B C4 48 89 48 08 48 89 50 10 4C 89 40 18 4C 89 48 20 C3 0x216e4:$chunk_4: 48 39 3B 4C 8D 9C 24 80 00 00 00 49 8B 5B 10 49 8B 73 18 40 0F 95 C7 8B C7 49 8B 7B 20 49 8B E3 5D C3 0x2ae01:$chunk_4: 48 39 3B 4C 8D 9C 24 80 00 00 00 49 8B 5B 10 49 8B 73 20 40 0F 95 C7 8B C7 49 8B 7B 28 49 8B E3 5D C3 0x24ad4:$chunk_6: 43 8B 84 FE 8C 00 00 00 48 03 C6 48 3B D8 73 0B
00000007.00000002.827883820.0000000000BA0000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000007.00000002.827883820.0000000000BA0000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Emotet_db7d33fa	unknown	unknown	0x175c2:$chunk_0: 4C 8D 9C 24 80 00 00 00 8B C3 49 8B 5B 10 49 8B 73 18 49 8B 7B 20 49 8B E3 5D C3 0x2ad0c:$chunk_0: 4C 8D 9C 24 80 00 00 00 8B C3 49 8B 5B 10 49 8B 73 18 49 8B 7B 20 49 8B E3 5D C3 0x24ec0:$chunk_1: 8B C7 41 0F B7 4C 45 00 41 8B 1C 8C 48 03 DD 48 3B DE 72 1B 0x1b968:$chunk_2: 48 8B C4 48 89 48 08 48 89 50 10 4C 89 40 18 4C 89 48 20 C3 0x21ae4:$chunk_4: 48 39 3B 4C 8D 9C 24 80 00 00 00 49 8B 5B 10 49 8B 73 18 40 0F 95 C7 8B C7 49 8B 7B 20 49 8B E3 5D C3 0x2b201:$chunk_4: 48 39 3B 4C 8D 9C 24 80 00 00 00 49 8B 5B 10 49 8B 73 20 40 0F 95 C7 8B C7 49 8B 7B 28 49 8B E3 5D C3 0x24ed4:$chunk_6: 43 8B 84 FE 8C 00 00 00 48 03 C6 48 3B D8 73 0B
00000007.00000002.827986155.0000000000C38000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Emotet_3	Yara detected Emotet	Joe Security
00000005.00000002.320548872.0000000180001000.00000020.00001000.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000005.00000002.320548872.0000000180001000.00000020.00001000.00020000.00000000.sdmp	Windows_Trojan_Emotet_db7d33fa	unknown	unknown	0x171c2:$chunk_0: 4C 8D 9C 24 80 00 00 00 8B C3 49 8B 5B 10 49 8B 73 18 49 8B 7B 20 49 8B E3 5D C3 0x2a90c:$chunk_0: 4C 8D 9C 24 80 00 00 00 8B C3 49 8B 5B 10 49 8B 73 18 49 8B 7B 20 49 8B E3 5D C3 0x24ac0:$chunk_1: 8B C7 41 0F B7 4C 45 00 41 8B 1C 8C 48 03 DD 48 3B DE 72 1B 0x1b568:$chunk_2: 48 8B C4 48 89 48 08 48 89 50 10 4C 89 40 18 4C 89 48 20 C3 0x216e4:$chunk_4: 48 39 3B 4C 8D 9C 24 80 00 00 00 49 8B 5B 10 49 8B 73 18 40 0F 95 C7 8B C7 49 8B 7B 20 49 8B E3 5D C3 0x2ae01:$chunk_4: 48 39 3B 4C 8D 9C 24 80 00 00 00 49 8B 5B 10 49 8B 73 20 40 0F 95 C7 8B C7 49 8B 7B 28 49 8B E3 5D C3 0x24ad4:$chunk_6: 43 8B 84 FE 8C 00 00 00 48 03 C6 48 3B D8 73 0B
00000000.00000002.322977789.00000141AEEA0000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000000.00000002.322977789.00000141AEEA0000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Emotet_db7d33fa	unknown	unknown	0x175c2:$chunk_0: 4C 8D 9C 24 80 00 00 00 8B C3 49 8B 5B 10 49 8B 73 18 49 8B 7B 20 49 8B E3 5D C3 0x2ad0c:$chunk_0: 4C 8D 9C 24 80 00 00 00 8B C3 49 8B 5B 10 49 8B 73 18 49 8B 7B 20 49 8B E3 5D C3 0x24ec0:$chunk_1: 8B C7 41 0F B7 4C 45 00 41 8B 1C 8C 48 03 DD 48 3B DE 72 1B 0x1b968:$chunk_2: 48 8B C4 48 89 48 08 48 89 50 10 4C 89 40 18 4C 89 48 20 C3 0x21ae4:$chunk_4: 48 39 3B 4C 8D 9C 24 80 00 00 00 49 8B 5B 10 49 8B 73 18 40 0F 95 C7 8B C7 49 8B 7B 20 49 8B E3 5D C3 0x2b201:$chunk_4: 48 39 3B 4C 8D 9C 24 80 00 00 00 49 8B 5B 10 49 8B 73 20 40 0F 95 C7 8B C7 49 8B 7B 28 49 8B E3 5D C3 0x24ed4:$chunk_6: 43 8B 84 FE 8C 00 00 00 48 03 C6 48 3B D8 73 0B
Click to see the 20 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.loaddll64.exe.141aeea0000.0.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0.2.loaddll64.exe.141aeea0000.0.raw.unpack	Windows_Trojan_Emotet_db7d33fa	unknown	unknown	0x175c2:$chunk_0: 4C 8D 9C 24 80 00 00 00 8B C3 49 8B 5B 10 49 8B 73 18 49 8B 7B 20 49 8B E3 5D C3 0x2ad0c:$chunk_0: 4C 8D 9C 24 80 00 00 00 8B C3 49 8B 5B 10 49 8B 73 18 49 8B 7B 20 49 8B E3 5D C3 0x24ec0:$chunk_1: 8B C7 41 0F B7 4C 45 00 41 8B 1C 8C 48 03 DD 48 3B DE 72 1B 0x1b968:$chunk_2: 48 8B C4 48 89 48 08 48 89 50 10 4C 89 40 18 4C 89 48 20 C3 0x21ae4:$chunk_4: 48 39 3B 4C 8D 9C 24 80 00 00 00 49 8B 5B 10 49 8B 73 18 40 0F 95 C7 8B C7 49 8B 7B 20 49 8B E3 5D C3 0x2b201:$chunk_4: 48 39 3B 4C 8D 9C 24 80 00 00 00 49 8B 5B 10 49 8B 73 20 40 0F 95 C7 8B C7 49 8B 7B 28 49 8B E3 5D C3 0x24ed4:$chunk_6: 43 8B 84 FE 8C 00 00 00 48 03 C6 48 3B D8 73 0B
7.2.regsvr32.exe.ba0000.0.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
7.2.regsvr32.exe.ba0000.0.raw.unpack	Windows_Trojan_Emotet_db7d33fa	unknown	unknown	0x175c2:$chunk_0: 4C 8D 9C 24 80 00 00 00 8B C3 49 8B 5B 10 49 8B 73 18 49 8B 7B 20 49 8B E3 5D C3 0x2ad0c:$chunk_0: 4C 8D 9C 24 80 00 00 00 8B C3 49 8B 5B 10 49 8B 73 18 49 8B 7B 20 49 8B E3 5D C3 0x24ec0:$chunk_1: 8B C7 41 0F B7 4C 45 00 41 8B 1C 8C 48 03 DD 48 3B DE 72 1B 0x1b968:$chunk_2: 48 8B C4 48 89 48 08 48 89 50 10 4C 89 40 18 4C 89 48 20 C3 0x21ae4:$chunk_4: 48 39 3B 4C 8D 9C 24 80 00 00 00 49 8B 5B 10 49 8B 73 18 40 0F 95 C7 8B C7 49 8B 7B 20 49 8B E3 5D C3 0x2b201:$chunk_4: 48 39 3B 4C 8D 9C 24 80 00 00 00 49 8B 5B 10 49 8B 73 20 40 0F 95 C7 8B C7 49 8B 7B 28 49 8B E3 5D C3 0x24ed4:$chunk_6: 43 8B 84 FE 8C 00 00 00 48 03 C6 48 3B D8 73 0B
4.2.rundll32.exe.1ebd2220000.0.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
4.2.rundll32.exe.1ebd2220000.0.unpack	Windows_Trojan_Emotet_db7d33fa	unknown	unknown	0x169c2:$chunk_0: 4C 8D 9C 24 80 00 00 00 8B C3 49 8B 5B 10 49 8B 73 18 49 8B 7B 20 49 8B E3 5D C3 0x2a10c:$chunk_0: 4C 8D 9C 24 80 00 00 00 8B C3 49 8B 5B 10 49 8B 73 18 49 8B 7B 20 49 8B E3 5D C3 0x242c0:$chunk_1: 8B C7 41 0F B7 4C 45 00 41 8B 1C 8C 48 03 DD 48 3B DE 72 1B 0x1ad68:$chunk_2: 48 8B C4 48 89 48 08 48 89 50 10 4C 89 40 18 4C 89 48 20 C3 0x20ee4:$chunk_4: 48 39 3B 4C 8D 9C 24 80 00 00 00 49 8B 5B 10 49 8B 73 18 40 0F 95 C7 8B C7 49 8B 7B 20 49 8B E3 5D C3 0x2a601:$chunk_4: 48 39 3B 4C 8D 9C 24 80 00 00 00 49 8B 5B 10 49 8B 73 20 40 0F 95 C7 8B C7 49 8B 7B 28 49 8B E3 5D C3 0x242d4:$chunk_6: 43 8B 84 FE 8C 00 00 00 48 03 C6 48 3B D8 73 0B
12.2.regsvr32.exe.d20000.0.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
12.2.regsvr32.exe.d20000.0.raw.unpack	Windows_Trojan_Emotet_db7d33fa	unknown	unknown	0x175c2:$chunk_0: 4C 8D 9C 24 80 00 00 00 8B C3 49 8B 5B 10 49 8B 73 18 49 8B 7B 20 49 8B E3 5D C3 0x2ad0c:$chunk_0: 4C 8D 9C 24 80 00 00 00 8B C3 49 8B 5B 10 49 8B 73 18 49 8B 7B 20 49 8B E3 5D C3 0x24ec0:$chunk_1: 8B C7 41 0F B7 4C 45 00 41 8B 1C 8C 48 03 DD 48 3B DE 72 1B 0x1b968:$chunk_2: 48 8B C4 48 89 48 08 48 89 50 10 4C 89 40 18 4C 89 48 20 C3 0x21ae4:$chunk_4: 48 39 3B 4C 8D 9C 24 80 00 00 00 49 8B 5B 10 49 8B 73 18 40 0F 95 C7 8B C7 49 8B 7B 20 49 8B E3 5D C3 0x2b201:$chunk_4: 48 39 3B 4C 8D 9C 24 80 00 00 00 49 8B 5B 10 49 8B 73 20 40 0F 95 C7 8B C7 49 8B 7B 28 49 8B E3 5D C3 0x24ed4:$chunk_6: 43 8B 84 FE 8C 00 00 00 48 03 C6 48 3B D8 73 0B
0.2.loaddll64.exe.141aeea0000.0.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0.2.loaddll64.exe.141aeea0000.0.unpack	Windows_Trojan_Emotet_db7d33fa	unknown	unknown	0x169c2:$chunk_0: 4C 8D 9C 24 80 00 00 00 8B C3 49 8B 5B 10 49 8B 73 18 49 8B 7B 20 49 8B E3 5D C3 0x2a10c:$chunk_0: 4C 8D 9C 24 80 00 00 00 8B C3 49 8B 5B 10 49 8B 73 18 49 8B 7B 20 49 8B E3 5D C3 0x242c0:$chunk_1: 8B C7 41 0F B7 4C 45 00 41 8B 1C 8C 48 03 DD 48 3B DE 72 1B 0x1ad68:$chunk_2: 48 8B C4 48 89 48 08 48 89 50 10 4C 89 40 18 4C 89 48 20 C3 0x20ee4:$chunk_4: 48 39 3B 4C 8D 9C 24 80 00 00 00 49 8B 5B 10 49 8B 73 18 40 0F 95 C7 8B C7 49 8B 7B 20 49 8B E3 5D C3 0x2a601:$chunk_4: 48 39 3B 4C 8D 9C 24 80 00 00 00 49 8B 5B 10 49 8B 73 20 40 0F 95 C7 8B C7 49 8B 7B 28 49 8B E3 5D C3 0x242d4:$chunk_6: 43 8B 84 FE 8C 00 00 00 48 03 C6 48 3B D8 73 0B
7.2.regsvr32.exe.ba0000.0.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
7.2.regsvr32.exe.ba0000.0.unpack	Windows_Trojan_Emotet_db7d33fa	unknown	unknown	0x169c2:$chunk_0: 4C 8D 9C 24 80 00 00 00 8B C3 49 8B 5B 10 49 8B 73 18 49 8B 7B 20 49 8B E3 5D C3 0x2a10c:$chunk_0: 4C 8D 9C 24 80 00 00 00 8B C3 49 8B 5B 10 49 8B 73 18 49 8B 7B 20 49 8B E3 5D C3 0x242c0:$chunk_1: 8B C7 41 0F B7 4C 45 00 41 8B 1C 8C 48 03 DD 48 3B DE 72 1B 0x1ad68:$chunk_2: 48 8B C4 48 89 48 08 48 89 50 10 4C 89 40 18 4C 89 48 20 C3 0x20ee4:$chunk_4: 48 39 3B 4C 8D 9C 24 80 00 00 00 49 8B 5B 10 49 8B 73 18 40 0F 95 C7 8B C7 49 8B 7B 20 49 8B E3 5D C3 0x2a601:$chunk_4: 48 39 3B 4C 8D 9C 24 80 00 00 00 49 8B 5B 10 49 8B 73 20 40 0F 95 C7 8B C7 49 8B 7B 28 49 8B E3 5D C3 0x242d4:$chunk_6: 43 8B 84 FE 8C 00 00 00 48 03 C6 48 3B D8 73 0B
3.2.regsvr32.exe.a90000.0.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
3.2.regsvr32.exe.a90000.0.unpack	Windows_Trojan_Emotet_db7d33fa	unknown	unknown	0x169c2:$chunk_0: 4C 8D 9C 24 80 00 00 00 8B C3 49 8B 5B 10 49 8B 73 18 49 8B 7B 20 49 8B E3 5D C3 0x2a10c:$chunk_0: 4C 8D 9C 24 80 00 00 00 8B C3 49 8B 5B 10 49 8B 73 18 49 8B 7B 20 49 8B E3 5D C3 0x242c0:$chunk_1: 8B C7 41 0F B7 4C 45 00 41 8B 1C 8C 48 03 DD 48 3B DE 72 1B 0x1ad68:$chunk_2: 48 8B C4 48 89 48 08 48 89 50 10 4C 89 40 18 4C 89 48 20 C3 0x20ee4:$chunk_4: 48 39 3B 4C 8D 9C 24 80 00 00 00 49 8B 5B 10 49 8B 73 18 40 0F 95 C7 8B C7 49 8B 7B 20 49 8B E3 5D C3 0x2a601:$chunk_4: 48 39 3B 4C 8D 9C 24 80 00 00 00 49 8B 5B 10 49 8B 73 20 40 0F 95 C7 8B C7 49 8B 7B 28 49 8B E3 5D C3 0x242d4:$chunk_6: 43 8B 84 FE 8C 00 00 00 48 03 C6 48 3B D8 73 0B
12.2.regsvr32.exe.d20000.0.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
12.2.regsvr32.exe.d20000.0.unpack	Windows_Trojan_Emotet_db7d33fa	unknown	unknown	0x169c2:$chunk_0: 4C 8D 9C 24 80 00 00 00 8B C3 49 8B 5B 10 49 8B 73 18 49 8B 7B 20 49 8B E3 5D C3 0x2a10c:$chunk_0: 4C 8D 9C 24 80 00 00 00 8B C3 49 8B 5B 10 49 8B 73 18 49 8B 7B 20 49 8B E3 5D C3 0x242c0:$chunk_1: 8B C7 41 0F B7 4C 45 00 41 8B 1C 8C 48 03 DD 48 3B DE 72 1B 0x1ad68:$chunk_2: 48 8B C4 48 89 48 08 48 89 50 10 4C 89 40 18 4C 89 48 20 C3 0x20ee4:$chunk_4: 48 39 3B 4C 8D 9C 24 80 00 00 00 49 8B 5B 10 49 8B 73 18 40 0F 95 C7 8B C7 49 8B 7B 20 49 8B E3 5D C3 0x2a601:$chunk_4: 48 39 3B 4C 8D 9C 24 80 00 00 00 49 8B 5B 10 49 8B 73 20 40 0F 95 C7 8B C7 49 8B 7B 28 49 8B E3 5D C3 0x242d4:$chunk_6: 43 8B 84 FE 8C 00 00 00 48 03 C6 48 3B D8 73 0B
5.2.rundll32.exe.1bbc5810000.0.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
5.2.rundll32.exe.1bbc5810000.0.unpack	Windows_Trojan_Emotet_db7d33fa	unknown	unknown	0x169c2:$chunk_0: 4C 8D 9C 24 80 00 00 00 8B C3 49 8B 5B 10 49 8B 73 18 49 8B 7B 20 49 8B E3 5D C3 0x2a10c:$chunk_0: 4C 8D 9C 24 80 00 00 00 8B C3 49 8B 5B 10 49 8B 73 18 49 8B 7B 20 49 8B E3 5D C3 0x242c0:$chunk_1: 8B C7 41 0F B7 4C 45 00 41 8B 1C 8C 48 03 DD 48 3B DE 72 1B 0x1ad68:$chunk_2: 48 8B C4 48 89 48 08 48 89 50 10 4C 89 40 18 4C 89 48 20 C3 0x20ee4:$chunk_4: 48 39 3B 4C 8D 9C 24 80 00 00 00 49 8B 5B 10 49 8B 73 18 40 0F 95 C7 8B C7 49 8B 7B 20 49 8B E3 5D C3 0x2a601:$chunk_4: 48 39 3B 4C 8D 9C 24 80 00 00 00 49 8B 5B 10 49 8B 73 20 40 0F 95 C7 8B C7 49 8B 7B 28 49 8B E3 5D C3 0x242d4:$chunk_6: 43 8B 84 FE 8C 00 00 00 48 03 C6 48 3B D8 73 0B
5.2.rundll32.exe.1bbc5810000.0.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
5.2.rundll32.exe.1bbc5810000.0.raw.unpack	Windows_Trojan_Emotet_db7d33fa	unknown	unknown	0x175c2:$chunk_0: 4C 8D 9C 24 80 00 00 00 8B C3 49 8B 5B 10 49 8B 73 18 49 8B 7B 20 49 8B E3 5D C3 0x2ad0c:$chunk_0: 4C 8D 9C 24 80 00 00 00 8B C3 49 8B 5B 10 49 8B 73 18 49 8B 7B 20 49 8B E3 5D C3 0x24ec0:$chunk_1: 8B C7 41 0F B7 4C 45 00 41 8B 1C 8C 48 03 DD 48 3B DE 72 1B 0x1b968:$chunk_2: 48 8B C4 48 89 48 08 48 89 50 10 4C 89 40 18 4C 89 48 20 C3 0x21ae4:$chunk_4: 48 39 3B 4C 8D 9C 24 80 00 00 00 49 8B 5B 10 49 8B 73 18 40 0F 95 C7 8B C7 49 8B 7B 20 49 8B E3 5D C3 0x2b201:$chunk_4: 48 39 3B 4C 8D 9C 24 80 00 00 00 49 8B 5B 10 49 8B 73 20 40 0F 95 C7 8B C7 49 8B 7B 28 49 8B E3 5D C3 0x24ed4:$chunk_6: 43 8B 84 FE 8C 00 00 00 48 03 C6 48 3B D8 73 0B
3.2.regsvr32.exe.a90000.0.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
3.2.regsvr32.exe.a90000.0.raw.unpack	Windows_Trojan_Emotet_db7d33fa	unknown	unknown	0x175c2:$chunk_0: 4C 8D 9C 24 80 00 00 00 8B C3 49 8B 5B 10 49 8B 73 18 49 8B 7B 20 49 8B E3 5D C3 0x2ad0c:$chunk_0: 4C 8D 9C 24 80 00 00 00 8B C3 49 8B 5B 10 49 8B 73 18 49 8B 7B 20 49 8B E3 5D C3 0x24ec0:$chunk_1: 8B C7 41 0F B7 4C 45 00 41 8B 1C 8C 48 03 DD 48 3B DE 72 1B 0x1b968:$chunk_2: 48 8B C4 48 89 48 08 48 89 50 10 4C 89 40 18 4C 89 48 20 C3 0x21ae4:$chunk_4: 48 39 3B 4C 8D 9C 24 80 00 00 00 49 8B 5B 10 49 8B 73 18 40 0F 95 C7 8B C7 49 8B 7B 20 49 8B E3 5D C3 0x2b201:$chunk_4: 48 39 3B 4C 8D 9C 24 80 00 00 00 49 8B 5B 10 49 8B 73 20 40 0F 95 C7 8B C7 49 8B 7B 28 49 8B E3 5D C3 0x24ed4:$chunk_6: 43 8B 84 FE 8C 00 00 00 48 03 C6 48 3B D8 73 0B
4.2.rundll32.exe.1ebd2220000.0.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
4.2.rundll32.exe.1ebd2220000.0.raw.unpack	Windows_Trojan_Emotet_db7d33fa	unknown	unknown	0x175c2:$chunk_0: 4C 8D 9C 24 80 00 00 00 8B C3 49 8B 5B 10 49 8B 73 18 49 8B 7B 20 49 8B E3 5D C3 0x2ad0c:$chunk_0: 4C 8D 9C 24 80 00 00 00 8B C3 49 8B 5B 10 49 8B 73 18 49 8B 7B 20 49 8B E3 5D C3 0x24ec0:$chunk_1: 8B C7 41 0F B7 4C 45 00 41 8B 1C 8C 48 03 DD 48 3B DE 72 1B 0x1b968:$chunk_2: 48 8B C4 48 89 48 08 48 89 50 10 4C 89 40 18 4C 89 48 20 C3 0x21ae4:$chunk_4: 48 39 3B 4C 8D 9C 24 80 00 00 00 49 8B 5B 10 49 8B 73 18 40 0F 95 C7 8B C7 49 8B 7B 20 49 8B E3 5D C3 0x2b201:$chunk_4: 48 39 3B 4C 8D 9C 24 80 00 00 00 49 8B 5B 10 49 8B 73 20 40 0F 95 C7 8B C7 49 8B 7B 28 49 8B E3 5D C3 0x24ed4:$chunk_6: 43 8B 84 FE 8C 00 00 00 48 03 C6 48 3B D8 73 0B
Click to see the 19 entries

Snort Signatures

ET CNC Feodo Tracker Reported CnC Server TCP group 7 - Source IP: 192.168.2.4 - Destination IP: 173.255.211.88

Timestamp:	192.168.2.4173.255.211.88496954432404312 11/21/22-04:20:47.613393
SID:	2404312
Source Port:	49695
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET CNC Feodo Tracker Reported CnC Server TCP group 8 - Source IP: 192.168.2.4 - Destination IP: 182.162.143.56

Timestamp:	192.168.2.4182.162.143.56497004432404314 11/21/22-04:21:09.058938
SID:	2404314
Source Port:	49700
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET CNC Feodo Tracker Reported CnC Server TCP group 16 - Source IP: 192.168.2.4 - Destination IP: 45.63.99.23

Timestamp:	192.168.2.445.63.99.234969970802404330 11/21/22-04:20:53.767379
SID:	2404330
Source Port:	49699
Destination Port:	7080
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: yoyrJ.dll	ReversingLabs: Detection: 88%
Source: yoyrJ.dll	Metadefender: Detection: 47%			Perma Link

Antivirus detection for URL or domain

Source: https://45.63.99.23:7080/ltqyvaphgamn/iuduszibmmiode/zgmecigm/lvlmwwim/	Avira URL Cloud: Label: malware
Source: https://182.162.143.56/ltqyvaphgamn/iuduszibmmiode/zgmecigm/lvlmwwim/	Avira URL Cloud: Label: malware

Source: 00000007.00000002.827986155.0000000000C38000.00000004.00000020.00020000.00000000.sdmp

Malware Configuration Extractor: Emotet {"C2 list": ["173.255.211.88:443", "45.63.99.23:7080", "182.162.143.56:443", "91.187.140.35:8080", "212.24.98.99:8080", "119.59.103.152:8080", "45.235.8.30:8080", "172.104.251.154:8080", "72.15.201.15:8080", "169.57.156.166:8080", "103.75.201.2:443", "213.239.212.5:443", "164.90.222.65:443", "201.94.166.162:443", "94.23.45.86:4143", "183.111.227.137:8080", "186.194.240.217:443", "107.170.39.149:8080", "147.139.166.154:8080", "5.135.159.50:443", "206.189.28.199:8080", "104.168.155.143:8080", "129.232.188.93:443", "82.223.21.224:8080", "103.43.75.120:443", "103.132.242.26:8080", "139.59.56.73:8080", "164.68.99.3:8080", "202.129.205.3:8080", "167.172.199.165:8080", "110.232.117.186:8080", "209.97.163.214:443", "167.172.253.162:8080", "1.234.2.232:8080", "159.65.88.10:8080", "95.217.221.146:8080", "153.92.5.27:8080", "91.207.28.33:8080", "188.44.20.25:443", "153.126.146.25:7080", "163.44.196.120:8080", "172.105.226.75:8080", "115.68.227.76:8080", "159.65.140.115:443", "139.59.126.41:443", "197.242.150.244:8080", "45.176.232.124:443", "45.118.115.99:8080", "149.56.131.28:8080", "79.137.35.198:8080", "173.212.193.249:8080", "160.16.142.56:8080", "159.89.202.34:443", "185.4.135.165:8080"], "Public Key": ["RUNTMSAAAABAX3S2xNjcDD0fBno33Ln5t71eii+mofIPoXkNFOX1MeiwCh48iz97kB0mJjGGZXwardnDXKxI8GCHGNl0PFj5J0rtUQAbAIw=", "RUNLMSAAAADzozW1Di4r9DVWzQpMKT588RDdy7BPILP6AiDOTLYMHkSWvrQO5slbmr1OvZ2Pz+AQWzRMggQmAtO6rPH7nyx2AkoOUQAUAJA="]}

Source: unknown

HTTPS traffic detected: 182.162.143.56:443 -> 192.168.2.4:49700 version: TLS 1.2

Source: yoyrJ.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source: C:\Windows\System32\regsvr32.exe

Code function: 7_2_000000018001E0D4 FindFirstFileW,FindNextFileW,FindClose,

7_2_000000018001E0D4

Networking

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\System32\regsvr32.exe	Network Connect: 45.63.99.23 7080	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Network Connect: 173.255.211.88 443	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Network Connect: 182.162.143.56 443	Jump to behavior

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2404314 ET CNC Feodo Tracker Reported CnC Server TCP group 8 192.168.2.4:49700 -> 182.162.143.56:443
Source: Traffic	Snort IDS: 2404312 ET CNC Feodo Tracker Reported CnC Server TCP group 7 192.168.2.4:49695 -> 173.255.211.88:443
Source: Traffic	Snort IDS: 2404330 ET CNC Feodo Tracker Reported CnC Server TCP group 16 192.168.2.4:49699 -> 45.63.99.23:7080

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	IPs: 173.255.211.88:443
Source: Malware configuration extractor	IPs: 45.63.99.23:7080
Source: Malware configuration extractor	IPs: 182.162.143.56:443
Source: Malware configuration extractor	IPs: 91.187.140.35:8080
Source: Malware configuration extractor	IPs: 212.24.98.99:8080
Source: Malware configuration extractor	IPs: 119.59.103.152:8080
Source: Malware configuration extractor	IPs: 45.235.8.30:8080
Source: Malware configuration extractor	IPs: 172.104.251.154:8080
Source: Malware configuration extractor	IPs: 72.15.201.15:8080
Source: Malware configuration extractor	IPs: 169.57.156.166:8080
Source: Malware configuration extractor	IPs: 103.75.201.2:443
Source: Malware configuration extractor	IPs: 213.239.212.5:443
Source: Malware configuration extractor	IPs: 164.90.222.65:443
Source: Malware configuration extractor	IPs: 201.94.166.162:443
Source: Malware configuration extractor	IPs: 94.23.45.86:4143
Source: Malware configuration extractor	IPs: 183.111.227.137:8080
Source: Malware configuration extractor	IPs: 186.194.240.217:443
Source: Malware configuration extractor	IPs: 107.170.39.149:8080
Source: Malware configuration extractor	IPs: 147.139.166.154:8080
Source: Malware configuration extractor	IPs: 5.135.159.50:443
Source: Malware configuration extractor	IPs: 206.189.28.199:8080
Source: Malware configuration extractor	IPs: 104.168.155.143:8080
Source: Malware configuration extractor	IPs: 129.232.188.93:443
Source: Malware configuration extractor	IPs: 82.223.21.224:8080
Source: Malware configuration extractor	IPs: 103.43.75.120:443
Source: Malware configuration extractor	IPs: 103.132.242.26:8080
Source: Malware configuration extractor	IPs: 139.59.56.73:8080
Source: Malware configuration extractor	IPs: 164.68.99.3:8080
Source: Malware configuration extractor	IPs: 202.129.205.3:8080
Source: Malware configuration extractor	IPs: 167.172.199.165:8080
Source: Malware configuration extractor	IPs: 110.232.117.186:8080
Source: Malware configuration extractor	IPs: 209.97.163.214:443
Source: Malware configuration extractor	IPs: 167.172.253.162:8080
Source: Malware configuration extractor	IPs: 1.234.2.232:8080
Source: Malware configuration extractor	IPs: 159.65.88.10:8080
Source: Malware configuration extractor	IPs: 95.217.221.146:8080
Source: Malware configuration extractor	IPs: 153.92.5.27:8080
Source: Malware configuration extractor	IPs: 91.207.28.33:8080
Source: Malware configuration extractor	IPs: 188.44.20.25:443
Source: Malware configuration extractor	IPs: 153.126.146.25:7080
Source: Malware configuration extractor	IPs: 163.44.196.120:8080
Source: Malware configuration extractor	IPs: 172.105.226.75:8080
Source: Malware configuration extractor	IPs: 115.68.227.76:8080
Source: Malware configuration extractor	IPs: 159.65.140.115:443
Source: Malware configuration extractor	IPs: 139.59.126.41:443
Source: Malware configuration extractor	IPs: 197.242.150.244:8080
Source: Malware configuration extractor	IPs: 45.176.232.124:443
Source: Malware configuration extractor	IPs: 45.118.115.99:8080
Source: Malware configuration extractor	IPs: 149.56.131.28:8080
Source: Malware configuration extractor	IPs: 79.137.35.198:8080
Source: Malware configuration extractor	IPs: 173.212.193.249:8080
Source: Malware configuration extractor	IPs: 160.16.142.56:8080
Source: Malware configuration extractor	IPs: 159.89.202.34:443
Source: Malware configuration extractor	IPs: 185.4.135.165:8080

Source: Joe Sandbox View	ASN Name: RACKCORP-APRackCorpAU RACKCORP-APRackCorpAU
Source: Joe Sandbox View	ASN Name: INPL-IN-APIshansNetworkIN INPL-IN-APIshansNetworkIN

Source: Joe Sandbox View

JA3 fingerprint: 8916410db85077a5460817142dcbc8de

Source: global traffic

HTTP traffic detected: POST /ltqyvaphgamn/iuduszibmmiode/zgmecigm/lvlmwwim/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedContent-Length: 334Host: 182.162.143.56

Source: Joe Sandbox View	IP Address: 110.232.117.186 110.232.117.186
Source: Joe Sandbox View	IP Address: 103.132.242.26 103.132.242.26

Source: global traffic

TCP traffic: 192.168.2.4:49699 -> 45.63.99.23:7080

Source: unknown

Network traffic detected: IP country count 20

Source: unknown	Network traffic detected: HTTP traffic on port 49698 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49700
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49698
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49697
Source: unknown	Network traffic detected: HTTP traffic on port 49695 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49696
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49695
Source: unknown	Network traffic detected: HTTP traffic on port 49696 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49697 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49700 -> 443

Source: unknown	TCP traffic detected without corresponding DNS query: 173.255.211.88
Source: unknown	TCP traffic detected without corresponding DNS query: 173.255.211.88
Source: unknown	TCP traffic detected without corresponding DNS query: 173.255.211.88
Source: unknown	TCP traffic detected without corresponding DNS query: 173.255.211.88
Source: unknown	TCP traffic detected without corresponding DNS query: 173.255.211.88
Source: unknown	TCP traffic detected without corresponding DNS query: 173.255.211.88
Source: unknown	TCP traffic detected without corresponding DNS query: 173.255.211.88
Source: unknown	TCP traffic detected without corresponding DNS query: 173.255.211.88
Source: unknown	TCP traffic detected without corresponding DNS query: 173.255.211.88
Source: unknown	TCP traffic detected without corresponding DNS query: 173.255.211.88
Source: unknown	TCP traffic detected without corresponding DNS query: 173.255.211.88
Source: unknown	TCP traffic detected without corresponding DNS query: 173.255.211.88
Source: unknown	TCP traffic detected without corresponding DNS query: 45.63.99.23
Source: unknown	TCP traffic detected without corresponding DNS query: 45.63.99.23
Source: unknown	TCP traffic detected without corresponding DNS query: 45.63.99.23
Source: unknown	TCP traffic detected without corresponding DNS query: 182.162.143.56
Source: unknown	TCP traffic detected without corresponding DNS query: 182.162.143.56
Source: unknown	TCP traffic detected without corresponding DNS query: 182.162.143.56
Source: unknown	TCP traffic detected without corresponding DNS query: 182.162.143.56
Source: unknown	TCP traffic detected without corresponding DNS query: 182.162.143.56
Source: unknown	TCP traffic detected without corresponding DNS query: 182.162.143.56
Source: unknown	TCP traffic detected without corresponding DNS query: 182.162.143.56
Source: unknown	TCP traffic detected without corresponding DNS query: 182.162.143.56
Source: unknown	TCP traffic detected without corresponding DNS query: 182.162.143.56
Source: unknown	TCP traffic detected without corresponding DNS query: 182.162.143.56
Source: unknown	TCP traffic detected without corresponding DNS query: 182.162.143.56

Source: regsvr32.exe, 00000007.00000003.455831993.0000000000CD5000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.456335668.0000000000CD5000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000002.828167119.0000000000CD5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: regsvr32.exe, 00000007.00000003.585372915.0000000000C91000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000002.828083663.0000000000C91000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.585447802.0000000000C91000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.585835870.0000000000C91000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.584690393.0000000000C91000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.456292772.0000000000C91000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://17.63.99.23:7080/
Source: regsvr32.exe, 00000007.00000003.585862169.0000000000CBE000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000002.828134623.0000000000CC0000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.584870026.0000000000CB9000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.456389200.0000000000CB8000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.456205938.0000000000CAB000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.584908649.0000000000CBA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://182.162.143.56/
Source: regsvr32.exe, 00000007.00000003.585426852.0000000000C87000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.585862169.0000000000CBE000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000002.828093556.0000000000C98000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.584653863.0000000000C86000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.585285064.0000000000C97000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.585349266.0000000000C86000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000002.828075611.0000000000C8D000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.584870026.0000000000CB9000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.585656644.0000000000C98000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.584690393.0000000000C91000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.456292772.0000000000C91000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.456277440.0000000000C86000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.456389200.0000000000CB8000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.585829274.0000000000C8D000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.456205938.0000000000CAB000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.584908649.0000000000CBA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://182.162.143.56/ltqyvaphgamn/iuduszibmmiode/zgmecigm/lvlmwwim/
Source: regsvr32.exe, 00000007.00000003.585426852.0000000000C87000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.584653863.0000000000C86000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.585349266.0000000000C86000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000002.828075611.0000000000C8D000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.456277440.0000000000C86000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.585829274.0000000000C8D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://45.63.99.23:7080/ltqyvaphgamn/iuduszibmmiode/zgmecigm/lvlmwwim/

Source: unknown

HTTP traffic detected: POST /ltqyvaphgamn/iuduszibmmiode/zgmecigm/lvlmwwim/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedContent-Length: 334Host: 182.162.143.56

Source: unknown

HTTPS traffic detected: 182.162.143.56:443 -> 192.168.2.4:49700 version: TLS 1.2

E-Banking Fraud

Yara detected Emotet

Source: Yara match	File source: 00000007.00000002.827986155.0000000000C38000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0.2.loaddll64.exe.141aeea0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.regsvr32.exe.ba0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.1ebd2220000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.regsvr32.exe.d20000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll64.exe.141aeea0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.regsvr32.exe.ba0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.regsvr32.exe.a90000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.regsvr32.exe.d20000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.1bbc5810000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.1bbc5810000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.regsvr32.exe.a90000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.1ebd2220000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.828364693.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.496080462.0000000000D20000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.322442190.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.321064194.0000000000A90000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.321445782.000001BBC5810000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.318945591.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.322205921.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.319306896.000001EBD2220000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.496539435.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.827883820.0000000000BA0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.320548872.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.322977789.00000141AEEA0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.loaddll64.exe.141aeea0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Emotet_db7d33fa Author: unknown
Source: 7.2.regsvr32.exe.ba0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Emotet_db7d33fa Author: unknown
Source: 4.2.rundll32.exe.1ebd2220000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Emotet_db7d33fa Author: unknown
Source: 12.2.regsvr32.exe.d20000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Emotet_db7d33fa Author: unknown
Source: 0.2.loaddll64.exe.141aeea0000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Emotet_db7d33fa Author: unknown
Source: 7.2.regsvr32.exe.ba0000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Emotet_db7d33fa Author: unknown
Source: 3.2.regsvr32.exe.a90000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Emotet_db7d33fa Author: unknown
Source: 12.2.regsvr32.exe.d20000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Emotet_db7d33fa Author: unknown
Source: 5.2.rundll32.exe.1bbc5810000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Emotet_db7d33fa Author: unknown
Source: 5.2.rundll32.exe.1bbc5810000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Emotet_db7d33fa Author: unknown
Source: 3.2.regsvr32.exe.a90000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Emotet_db7d33fa Author: unknown
Source: 4.2.rundll32.exe.1ebd2220000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Emotet_db7d33fa Author: unknown
Source: 00000007.00000002.828364693.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Emotet_db7d33fa Author: unknown
Source: 0000000C.00000002.496080462.0000000000D20000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Emotet_db7d33fa Author: unknown
Source: 00000000.00000002.322442190.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Emotet_db7d33fa Author: unknown
Source: 00000003.00000002.321064194.0000000000A90000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Emotet_db7d33fa Author: unknown
Source: 00000005.00000002.321445782.000001BBC5810000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Emotet_db7d33fa Author: unknown
Source: 00000004.00000002.318945591.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Emotet_db7d33fa Author: unknown
Source: 00000003.00000002.322205921.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Emotet_db7d33fa Author: unknown
Source: 00000004.00000002.319306896.000001EBD2220000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Emotet_db7d33fa Author: unknown
Source: 0000000C.00000002.496539435.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Emotet_db7d33fa Author: unknown
Source: 00000007.00000002.827883820.0000000000BA0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Emotet_db7d33fa Author: unknown
Source: 00000005.00000002.320548872.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Emotet_db7d33fa Author: unknown
Source: 00000000.00000002.322977789.00000141AEEA0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Emotet_db7d33fa Author: unknown

Source: 0.2.loaddll64.exe.141aeea0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Emotet_db7d33fa reference_sample = 08c23400ff546db41f9ddbbb19fa75519826744dde3b3afb38f3985266577afc, os = windows, severity = x86, creation_date = 2022-05-09, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = eac196154ab1ad636654c966e860dcd5763c50d7b8221dbbc7769c879daf02fd, id = db7d33fa-e50c-4c59-ab92-edb74aac87c9, last_modified = 2022-06-09
Source: 7.2.regsvr32.exe.ba0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Emotet_db7d33fa reference_sample = 08c23400ff546db41f9ddbbb19fa75519826744dde3b3afb38f3985266577afc, os = windows, severity = x86, creation_date = 2022-05-09, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = eac196154ab1ad636654c966e860dcd5763c50d7b8221dbbc7769c879daf02fd, id = db7d33fa-e50c-4c59-ab92-edb74aac87c9, last_modified = 2022-06-09
Source: 4.2.rundll32.exe.1ebd2220000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Emotet_db7d33fa reference_sample = 08c23400ff546db41f9ddbbb19fa75519826744dde3b3afb38f3985266577afc, os = windows, severity = x86, creation_date = 2022-05-09, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = eac196154ab1ad636654c966e860dcd5763c50d7b8221dbbc7769c879daf02fd, id = db7d33fa-e50c-4c59-ab92-edb74aac87c9, last_modified = 2022-06-09
Source: 12.2.regsvr32.exe.d20000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Emotet_db7d33fa reference_sample = 08c23400ff546db41f9ddbbb19fa75519826744dde3b3afb38f3985266577afc, os = windows, severity = x86, creation_date = 2022-05-09, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = eac196154ab1ad636654c966e860dcd5763c50d7b8221dbbc7769c879daf02fd, id = db7d33fa-e50c-4c59-ab92-edb74aac87c9, last_modified = 2022-06-09
Source: 0.2.loaddll64.exe.141aeea0000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Emotet_db7d33fa reference_sample = 08c23400ff546db41f9ddbbb19fa75519826744dde3b3afb38f3985266577afc, os = windows, severity = x86, creation_date = 2022-05-09, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = eac196154ab1ad636654c966e860dcd5763c50d7b8221dbbc7769c879daf02fd, id = db7d33fa-e50c-4c59-ab92-edb74aac87c9, last_modified = 2022-06-09
Source: 7.2.regsvr32.exe.ba0000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Emotet_db7d33fa reference_sample = 08c23400ff546db41f9ddbbb19fa75519826744dde3b3afb38f3985266577afc, os = windows, severity = x86, creation_date = 2022-05-09, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = eac196154ab1ad636654c966e860dcd5763c50d7b8221dbbc7769c879daf02fd, id = db7d33fa-e50c-4c59-ab92-edb74aac87c9, last_modified = 2022-06-09
Source: 3.2.regsvr32.exe.a90000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Emotet_db7d33fa reference_sample = 08c23400ff546db41f9ddbbb19fa75519826744dde3b3afb38f3985266577afc, os = windows, severity = x86, creation_date = 2022-05-09, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = eac196154ab1ad636654c966e860dcd5763c50d7b8221dbbc7769c879daf02fd, id = db7d33fa-e50c-4c59-ab92-edb74aac87c9, last_modified = 2022-06-09
Source: 12.2.regsvr32.exe.d20000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Emotet_db7d33fa reference_sample = 08c23400ff546db41f9ddbbb19fa75519826744dde3b3afb38f3985266577afc, os = windows, severity = x86, creation_date = 2022-05-09, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = eac196154ab1ad636654c966e860dcd5763c50d7b8221dbbc7769c879daf02fd, id = db7d33fa-e50c-4c59-ab92-edb74aac87c9, last_modified = 2022-06-09
Source: 5.2.rundll32.exe.1bbc5810000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Emotet_db7d33fa reference_sample = 08c23400ff546db41f9ddbbb19fa75519826744dde3b3afb38f3985266577afc, os = windows, severity = x86, creation_date = 2022-05-09, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = eac196154ab1ad636654c966e860dcd5763c50d7b8221dbbc7769c879daf02fd, id = db7d33fa-e50c-4c59-ab92-edb74aac87c9, last_modified = 2022-06-09
Source: 5.2.rundll32.exe.1bbc5810000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Emotet_db7d33fa reference_sample = 08c23400ff546db41f9ddbbb19fa75519826744dde3b3afb38f3985266577afc, os = windows, severity = x86, creation_date = 2022-05-09, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = eac196154ab1ad636654c966e860dcd5763c50d7b8221dbbc7769c879daf02fd, id = db7d33fa-e50c-4c59-ab92-edb74aac87c9, last_modified = 2022-06-09
Source: 3.2.regsvr32.exe.a90000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Emotet_db7d33fa reference_sample = 08c23400ff546db41f9ddbbb19fa75519826744dde3b3afb38f3985266577afc, os = windows, severity = x86, creation_date = 2022-05-09, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = eac196154ab1ad636654c966e860dcd5763c50d7b8221dbbc7769c879daf02fd, id = db7d33fa-e50c-4c59-ab92-edb74aac87c9, last_modified = 2022-06-09
Source: 4.2.rundll32.exe.1ebd2220000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Emotet_db7d33fa reference_sample = 08c23400ff546db41f9ddbbb19fa75519826744dde3b3afb38f3985266577afc, os = windows, severity = x86, creation_date = 2022-05-09, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = eac196154ab1ad636654c966e860dcd5763c50d7b8221dbbc7769c879daf02fd, id = db7d33fa-e50c-4c59-ab92-edb74aac87c9, last_modified = 2022-06-09
Source: 00000007.00000002.828364693.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Emotet_db7d33fa reference_sample = 08c23400ff546db41f9ddbbb19fa75519826744dde3b3afb38f3985266577afc, os = windows, severity = x86, creation_date = 2022-05-09, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = eac196154ab1ad636654c966e860dcd5763c50d7b8221dbbc7769c879daf02fd, id = db7d33fa-e50c-4c59-ab92-edb74aac87c9, last_modified = 2022-06-09
Source: 0000000C.00000002.496080462.0000000000D20000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Emotet_db7d33fa reference_sample = 08c23400ff546db41f9ddbbb19fa75519826744dde3b3afb38f3985266577afc, os = windows, severity = x86, creation_date = 2022-05-09, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = eac196154ab1ad636654c966e860dcd5763c50d7b8221dbbc7769c879daf02fd, id = db7d33fa-e50c-4c59-ab92-edb74aac87c9, last_modified = 2022-06-09
Source: 00000000.00000002.322442190.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Emotet_db7d33fa reference_sample = 08c23400ff546db41f9ddbbb19fa75519826744dde3b3afb38f3985266577afc, os = windows, severity = x86, creation_date = 2022-05-09, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = eac196154ab1ad636654c966e860dcd5763c50d7b8221dbbc7769c879daf02fd, id = db7d33fa-e50c-4c59-ab92-edb74aac87c9, last_modified = 2022-06-09
Source: 00000003.00000002.321064194.0000000000A90000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Emotet_db7d33fa reference_sample = 08c23400ff546db41f9ddbbb19fa75519826744dde3b3afb38f3985266577afc, os = windows, severity = x86, creation_date = 2022-05-09, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = eac196154ab1ad636654c966e860dcd5763c50d7b8221dbbc7769c879daf02fd, id = db7d33fa-e50c-4c59-ab92-edb74aac87c9, last_modified = 2022-06-09
Source: 00000005.00000002.321445782.000001BBC5810000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Emotet_db7d33fa reference_sample = 08c23400ff546db41f9ddbbb19fa75519826744dde3b3afb38f3985266577afc, os = windows, severity = x86, creation_date = 2022-05-09, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = eac196154ab1ad636654c966e860dcd5763c50d7b8221dbbc7769c879daf02fd, id = db7d33fa-e50c-4c59-ab92-edb74aac87c9, last_modified = 2022-06-09
Source: 00000004.00000002.318945591.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Emotet_db7d33fa reference_sample = 08c23400ff546db41f9ddbbb19fa75519826744dde3b3afb38f3985266577afc, os = windows, severity = x86, creation_date = 2022-05-09, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = eac196154ab1ad636654c966e860dcd5763c50d7b8221dbbc7769c879daf02fd, id = db7d33fa-e50c-4c59-ab92-edb74aac87c9, last_modified = 2022-06-09
Source: 00000003.00000002.322205921.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Emotet_db7d33fa reference_sample = 08c23400ff546db41f9ddbbb19fa75519826744dde3b3afb38f3985266577afc, os = windows, severity = x86, creation_date = 2022-05-09, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = eac196154ab1ad636654c966e860dcd5763c50d7b8221dbbc7769c879daf02fd, id = db7d33fa-e50c-4c59-ab92-edb74aac87c9, last_modified = 2022-06-09
Source: 00000004.00000002.319306896.000001EBD2220000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Emotet_db7d33fa reference_sample = 08c23400ff546db41f9ddbbb19fa75519826744dde3b3afb38f3985266577afc, os = windows, severity = x86, creation_date = 2022-05-09, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = eac196154ab1ad636654c966e860dcd5763c50d7b8221dbbc7769c879daf02fd, id = db7d33fa-e50c-4c59-ab92-edb74aac87c9, last_modified = 2022-06-09
Source: 0000000C.00000002.496539435.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Emotet_db7d33fa reference_sample = 08c23400ff546db41f9ddbbb19fa75519826744dde3b3afb38f3985266577afc, os = windows, severity = x86, creation_date = 2022-05-09, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = eac196154ab1ad636654c966e860dcd5763c50d7b8221dbbc7769c879daf02fd, id = db7d33fa-e50c-4c59-ab92-edb74aac87c9, last_modified = 2022-06-09
Source: 00000007.00000002.827883820.0000000000BA0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Emotet_db7d33fa reference_sample = 08c23400ff546db41f9ddbbb19fa75519826744dde3b3afb38f3985266577afc, os = windows, severity = x86, creation_date = 2022-05-09, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = eac196154ab1ad636654c966e860dcd5763c50d7b8221dbbc7769c879daf02fd, id = db7d33fa-e50c-4c59-ab92-edb74aac87c9, last_modified = 2022-06-09
Source: 00000005.00000002.320548872.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Emotet_db7d33fa reference_sample = 08c23400ff546db41f9ddbbb19fa75519826744dde3b3afb38f3985266577afc, os = windows, severity = x86, creation_date = 2022-05-09, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = eac196154ab1ad636654c966e860dcd5763c50d7b8221dbbc7769c879daf02fd, id = db7d33fa-e50c-4c59-ab92-edb74aac87c9, last_modified = 2022-06-09
Source: 00000000.00000002.322977789.00000141AEEA0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Emotet_db7d33fa reference_sample = 08c23400ff546db41f9ddbbb19fa75519826744dde3b3afb38f3985266577afc, os = windows, severity = x86, creation_date = 2022-05-09, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = eac196154ab1ad636654c966e860dcd5763c50d7b8221dbbc7769c879daf02fd, id = db7d33fa-e50c-4c59-ab92-edb74aac87c9, last_modified = 2022-06-09

Source: C:\Windows\System32\regsvr32.exe

File deleted: C:\Windows\System32\UgFJoEzLBQVtMeg\qohQcmrlRynEDAUP.dll:Zone.Identifier

Jump to behavior

Source: C:\Windows\System32\loaddll64.exe

File created: C:\Windows\system32\OGxcy\

Jump to behavior

Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FF88C314574	0_2_00007FF88C314574
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FF88C305D68	0_2_00007FF88C305D68
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FF88C3115B0	0_2_00007FF88C3115B0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FF88C30D720	0_2_00007FF88C30D720
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FF88C31C7C0	0_2_00007FF88C31C7C0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FF88C30EFA4	0_2_00007FF88C30EFA4
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FF88C31C0E8	0_2_00007FF88C31C0E8
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FF88C31D118	0_2_00007FF88C31D118
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FF88C3119D4	0_2_00007FF88C3119D4
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FF88C30EAB8	0_2_00007FF88C30EAB8
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FF88C30732C	0_2_00007FF88C30732C
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FF88C31DBCC	0_2_00007FF88C31DBCC
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FF88C31C420	0_2_00007FF88C31C420
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FF88C313CE8	0_2_00007FF88C313CE8
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000180001864	0_2_0000000180001864
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000180012108	0_2_0000000180012108
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000180027AE4	0_2_0000000180027AE4
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000018000EB3C	0_2_000000018000EB3C
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000018000FBB4	0_2_000000018000FBB4
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000180008470	0_2_0000000180008470
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00000001800274F4	0_2_00000001800274F4
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000180007F20	0_2_0000000180007F20
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000180019F38	0_2_0000000180019F38
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000180001FE8	0_2_0000000180001FE8
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00000001800197F8	0_2_00000001800197F8
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000180003800	0_2_0000000180003800
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000180007014	0_2_0000000180007014
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000180015020	0_2_0000000180015020
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000018000E850	0_2_000000018000E850
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000018000B888	0_2_000000018000B888
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000180021894	0_2_0000000180021894
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000180021094	0_2_0000000180021094
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000180026098	0_2_0000000180026098
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00000001800180C8	0_2_00000001800180C8
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00000001800278D8	0_2_00000001800278D8
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000018001E8E4	0_2_000000018001E8E4
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00000001800258E8	0_2_00000001800258E8
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00000001800138F0	0_2_00000001800138F0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000018001C108	0_2_000000018001C108
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000180015120	0_2_0000000180015120
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000180007130	0_2_0000000180007130
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000018002C144	0_2_000000018002C144
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000018000795C	0_2_000000018000795C
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000018000E97C	0_2_000000018000E97C
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000180003990	0_2_0000000180003990
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00000001800099A0	0_2_00000001800099A0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00000001800299A4	0_2_00000001800299A4
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000018000B9B4	0_2_000000018000B9B4
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00000001800131C8	0_2_00000001800131C8
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000018000D1CC	0_2_000000018000D1CC
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00000001800029CC	0_2_00000001800029CC
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00000001800191E0	0_2_00000001800191E0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000018001A9F0	0_2_000000018001A9F0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000018000320C	0_2_000000018000320C
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000180011A19	0_2_0000000180011A19
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000018001BA34	0_2_000000018001BA34
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000018002BA3C	0_2_000000018002BA3C
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000180015240	0_2_0000000180015240
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000180017A40	0_2_0000000180017A40
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000018000FA60	0_2_000000018000FA60
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000018001A27C	0_2_000000018001A27C
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000180025280	0_2_0000000180025280
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000018002228C	0_2_000000018002228C
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000018001428C	0_2_000000018001428C
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00000001800072A4	0_2_00000001800072A4
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000018000CAB4	0_2_000000018000CAB4
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000018000BAD0	0_2_000000018000BAD0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000180025B0C	0_2_0000000180025B0C
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000180021B10	0_2_0000000180021B10
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000180003310	0_2_0000000180003310
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000018000E310	0_2_000000018000E310
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000180010330	0_2_0000000180010330
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000018000C334	0_2_000000018000C334
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000180015344	0_2_0000000180015344
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000180006B54	0_2_0000000180006B54
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000180013B6C	0_2_0000000180013B6C
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000018001337C	0_2_000000018001337C
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000180009B84	0_2_0000000180009B84
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000018001F388	0_2_000000018001F388
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000180019B88	0_2_0000000180019B88
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000018001238C	0_2_000000018001238C
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000180023B90	0_2_0000000180023B90
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000018001BB98	0_2_000000018001BB98
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000018002B39C	0_2_000000018002B39C
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000018000B3A4	0_2_000000018000B3A4
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000180010BAE	0_2_0000000180010BAE
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00000001800293B4	0_2_00000001800293B4
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000018000BBD4	0_2_000000018000BBD4
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000018000ABDC	0_2_000000018000ABDC
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000180012BFC	0_2_0000000180012BFC
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000018001EBFC	0_2_000000018001EBFC
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000180008BFC	0_2_0000000180008BFC
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000018002A43C	0_2_000000018002A43C
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000180002C5C	0_2_0000000180002C5C
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000180013468	0_2_0000000180013468
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000018001A470	0_2_000000018001A470
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000180016C70	0_2_0000000180016C70
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000180014C80	0_2_0000000180014C80
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000180011C90	0_2_0000000180011C90
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000180005498	0_2_0000000180005498
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000180017CB0	0_2_0000000180017CB0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000180025CB8	0_2_0000000180025CB8
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000018000CCB8	0_2_000000018000CCB8
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00000001800094BC	0_2_00000001800094BC
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000018001B4CC	0_2_000000018001B4CC
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000180003CD8	0_2_0000000180003CD8
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000180002504	0_2_0000000180002504
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000018000E50C	0_2_000000018000E50C
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000180014514	0_2_0000000180014514
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000180026518	0_2_0000000180026518
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000180015524	0_2_0000000180015524
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000180008D40	0_2_0000000180008D40
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000180001560	0_2_0000000180001560
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000018001C57C	0_2_000000018001C57C
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000180013DBC	0_2_0000000180013DBC
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000018001FDC0	0_2_000000018001FDC0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000018000B5CC	0_2_000000018000B5CC
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00000001800245D0	0_2_00000001800245D0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000180014DD0	0_2_0000000180014DD0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000018000FDE4	0_2_000000018000FDE4
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00000001800055F4	0_2_00000001800055F4
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000180019E08	0_2_0000000180019E08
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000018001F624	0_2_000000018001F624
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000180003E2C	0_2_0000000180003E2C
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000180013634	0_2_0000000180013634
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000180007658	0_2_0000000180007658
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000018000C65C	0_2_000000018000C65C
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000180025668	0_2_0000000180025668
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000180006668	0_2_0000000180006668
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000180008E68	0_2_0000000180008E68
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000018001B670	0_2_000000018001B670
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000018001BE70	0_2_000000018001BE70
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000018000A678	0_2_000000018000A678
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000180005684	0_2_0000000180005684
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000018000CE88	0_2_000000018000CE88
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000180021E8C	0_2_0000000180021E8C
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000180018698	0_2_0000000180018698
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000180023E9C	0_2_0000000180023E9C
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00000001800016A0	0_2_00000001800016A0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000018000D6A4	0_2_000000018000D6A4
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000018002B6AC	0_2_000000018002B6AC
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00000001800026B0	0_2_00000001800026B0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000018001EEE0	0_2_000000018001EEE0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000180027F1C	0_2_0000000180027F1C
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000018001FF28	0_2_000000018001FF28
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000180011F30	0_2_0000000180011F30
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000180003F54	0_2_0000000180003F54
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000180029F58	0_2_0000000180029F58
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000018001A764	0_2_000000018001A764
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000180024788	0_2_0000000180024788
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000018000C788	0_2_000000018000C788
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00000001800167C4	0_2_00000001800167C4
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000018000AFD4	0_2_000000018000AFD4
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00000001800137DC	0_2_00000001800137DC
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00000141AEED0000	0_2_00000141AEED0000
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_00970000	3_2_00970000
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0000000180001864	3_2_0000000180001864
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0000000180008470	3_2_0000000180008470
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_00000001800274F4	3_2_00000001800274F4
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0000000180012108	3_2_0000000180012108
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0000000180027AE4	3_2_0000000180027AE4
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0000000180007F20	3_2_0000000180007F20
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0000000180019F38	3_2_0000000180019F38
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_000000018000EB3C	3_2_000000018000EB3C
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_000000018000FBB4	3_2_000000018000FBB4
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0000000180001FE8	3_2_0000000180001FE8
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_00000001800197F8	3_2_00000001800197F8
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0000000180012BFC	3_2_0000000180012BFC
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_000000018001EBFC	3_2_000000018001EBFC
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0000000180008BFC	3_2_0000000180008BFC
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0000000180003800	3_2_0000000180003800
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0000000180007014	3_2_0000000180007014
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0000000180015020	3_2_0000000180015020
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_000000018002A43C	3_2_000000018002A43C
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_000000018000E850	3_2_000000018000E850
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0000000180002C5C	3_2_0000000180002C5C
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0000000180013468	3_2_0000000180013468
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_000000018001A470	3_2_000000018001A470
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0000000180016C70	3_2_0000000180016C70
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0000000180014C80	3_2_0000000180014C80
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_000000018000B888	3_2_000000018000B888
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0000000180011C90	3_2_0000000180011C90
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0000000180021894	3_2_0000000180021894
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0000000180021094	3_2_0000000180021094
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0000000180026098	3_2_0000000180026098
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0000000180005498	3_2_0000000180005498
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0000000180017CB0	3_2_0000000180017CB0
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0000000180025CB8	3_2_0000000180025CB8
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_000000018000CCB8	3_2_000000018000CCB8
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_00000001800094BC	3_2_00000001800094BC
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_00000001800180C8	3_2_00000001800180C8
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_000000018001B4CC	3_2_000000018001B4CC
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_00000001800278D8	3_2_00000001800278D8
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0000000180003CD8	3_2_0000000180003CD8
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_000000018001E8E4	3_2_000000018001E8E4
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_00000001800258E8	3_2_00000001800258E8
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_00000001800138F0	3_2_00000001800138F0
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0000000180002504	3_2_0000000180002504
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_000000018001C108	3_2_000000018001C108
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_000000018000E50C	3_2_000000018000E50C
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0000000180014514	3_2_0000000180014514
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0000000180026518	3_2_0000000180026518
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0000000180015120	3_2_0000000180015120
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0000000180015524	3_2_0000000180015524
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0000000180007130	3_2_0000000180007130
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0000000180008D40	3_2_0000000180008D40
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_000000018002C144	3_2_000000018002C144
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_000000018000795C	3_2_000000018000795C
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0000000180001560	3_2_0000000180001560
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_000000018001C57C	3_2_000000018001C57C
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_000000018000E97C	3_2_000000018000E97C
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0000000180003990	3_2_0000000180003990
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_00000001800099A0	3_2_00000001800099A0
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_00000001800299A4	3_2_00000001800299A4
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_000000018000B9B4	3_2_000000018000B9B4
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0000000180013DBC	3_2_0000000180013DBC
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_000000018001FDC0	3_2_000000018001FDC0
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_00000001800131C8	3_2_00000001800131C8
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_000000018000D1CC	3_2_000000018000D1CC
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_00000001800029CC	3_2_00000001800029CC
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_000000018000B5CC	3_2_000000018000B5CC
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_00000001800245D0	3_2_00000001800245D0
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0000000180014DD0	3_2_0000000180014DD0
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_00000001800191E0	3_2_00000001800191E0
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_000000018000FDE4	3_2_000000018000FDE4
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_000000018001A9F0	3_2_000000018001A9F0
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_00000001800055F4	3_2_00000001800055F4
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0000000180019E08	3_2_0000000180019E08
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_000000018000320C	3_2_000000018000320C
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0000000180011A19	3_2_0000000180011A19
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_000000018001F624	3_2_000000018001F624
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0000000180003E2C	3_2_0000000180003E2C
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0000000180013634	3_2_0000000180013634
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_000000018001BA34	3_2_000000018001BA34
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_000000018002BA3C	3_2_000000018002BA3C
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0000000180015240	3_2_0000000180015240
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0000000180017A40	3_2_0000000180017A40
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0000000180007658	3_2_0000000180007658
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_000000018000C65C	3_2_000000018000C65C
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_000000018000FA60	3_2_000000018000FA60
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0000000180025668	3_2_0000000180025668
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0000000180006668	3_2_0000000180006668
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0000000180008E68	3_2_0000000180008E68
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_000000018001BE70	3_2_000000018001BE70
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_000000018001B670	3_2_000000018001B670
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_000000018000A678	3_2_000000018000A678
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_000000018001A27C	3_2_000000018001A27C
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0000000180025280	3_2_0000000180025280
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0000000180005684	3_2_0000000180005684
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_000000018000CE88	3_2_000000018000CE88
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0000000180021E8C	3_2_0000000180021E8C
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_000000018002228C	3_2_000000018002228C
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_000000018001428C	3_2_000000018001428C
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0000000180018698	3_2_0000000180018698
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0000000180023E9C	3_2_0000000180023E9C
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_00000001800016A0	3_2_00000001800016A0
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_00000001800072A4	3_2_00000001800072A4
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_000000018000D6A4	3_2_000000018000D6A4
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_000000018002B6AC	3_2_000000018002B6AC
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_00000001800026B0	3_2_00000001800026B0
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_000000018000CAB4	3_2_000000018000CAB4
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_000000018000BAD0	3_2_000000018000BAD0
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_000000018001EEE0	3_2_000000018001EEE0
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0000000180025B0C	3_2_0000000180025B0C
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0000000180021B10	3_2_0000000180021B10
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_000000018000E310	3_2_000000018000E310
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0000000180003310	3_2_0000000180003310
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0000000180027F1C	3_2_0000000180027F1C
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_000000018001FF28	3_2_000000018001FF28
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0000000180011F30	3_2_0000000180011F30
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0000000180010330	3_2_0000000180010330
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_000000018000C334	3_2_000000018000C334
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0000000180015344	3_2_0000000180015344
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0000000180003F54	3_2_0000000180003F54
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0000000180006B54	3_2_0000000180006B54
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0000000180029F58	3_2_0000000180029F58
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_000000018001A764	3_2_000000018001A764
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0000000180013B6C	3_2_0000000180013B6C
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_000000018001337C	3_2_000000018001337C
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0000000180009B84	3_2_0000000180009B84
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0000000180024788	3_2_0000000180024788
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_000000018001F388	3_2_000000018001F388
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0000000180019B88	3_2_0000000180019B88
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_000000018000C788	3_2_000000018000C788
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_000000018001238C	3_2_000000018001238C
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0000000180023B90	3_2_0000000180023B90
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_000000018001BB98	3_2_000000018001BB98
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_000000018002B39C	3_2_000000018002B39C
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_000000018000B3A4	3_2_000000018000B3A4
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0000000180010BAE	3_2_0000000180010BAE
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_00000001800293B4	3_2_00000001800293B4
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_00000001800167C4	3_2_00000001800167C4
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_000000018000AFD4	3_2_000000018000AFD4
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_000000018000BBD4	3_2_000000018000BBD4
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_00000001800137DC	3_2_00000001800137DC
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_000000018000ABDC	3_2_000000018000ABDC
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180001864	4_2_0000000180001864
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180008470	4_2_0000000180008470
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00000001800274F4	4_2_00000001800274F4
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180012108	4_2_0000000180012108
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180027AE4	4_2_0000000180027AE4
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180007F20	4_2_0000000180007F20
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180019F38	4_2_0000000180019F38
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018000EB3C	4_2_000000018000EB3C
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018000FBB4	4_2_000000018000FBB4
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180001FE8	4_2_0000000180001FE8
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00000001800197F8	4_2_00000001800197F8
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180012BFC	4_2_0000000180012BFC
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018001EBFC	4_2_000000018001EBFC
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180008BFC	4_2_0000000180008BFC
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180003800	4_2_0000000180003800
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180007014	4_2_0000000180007014
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180015020	4_2_0000000180015020
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018002A43C	4_2_000000018002A43C
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018000E850	4_2_000000018000E850
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180002C5C	4_2_0000000180002C5C
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180013468	4_2_0000000180013468
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018001A470	4_2_000000018001A470
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180016C70	4_2_0000000180016C70
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180014C80	4_2_0000000180014C80
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018000B888	4_2_000000018000B888
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180011C90	4_2_0000000180011C90
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180021894	4_2_0000000180021894
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180021094	4_2_0000000180021094
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180026098	4_2_0000000180026098
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180005498	4_2_0000000180005498
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180017CB0	4_2_0000000180017CB0
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180025CB8	4_2_0000000180025CB8
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018000CCB8	4_2_000000018000CCB8
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00000001800094BC	4_2_00000001800094BC
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00000001800180C8	4_2_00000001800180C8
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018001B4CC	4_2_000000018001B4CC
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00000001800278D8	4_2_00000001800278D8
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180003CD8	4_2_0000000180003CD8
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018001E8E4	4_2_000000018001E8E4
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00000001800258E8	4_2_00000001800258E8
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00000001800138F0	4_2_00000001800138F0
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180002504	4_2_0000000180002504
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018001C108	4_2_000000018001C108
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018000E50C	4_2_000000018000E50C
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180014514	4_2_0000000180014514
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180026518	4_2_0000000180026518
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180015120	4_2_0000000180015120
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180015524	4_2_0000000180015524
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180007130	4_2_0000000180007130
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180008D40	4_2_0000000180008D40
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018002C144	4_2_000000018002C144
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018000795C	4_2_000000018000795C
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180001560	4_2_0000000180001560
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018001C57C	4_2_000000018001C57C
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018000E97C	4_2_000000018000E97C
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180003990	4_2_0000000180003990
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00000001800099A0	4_2_00000001800099A0
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00000001800299A4	4_2_00000001800299A4
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018000B9B4	4_2_000000018000B9B4
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180013DBC	4_2_0000000180013DBC
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018001FDC0	4_2_000000018001FDC0
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00000001800131C8	4_2_00000001800131C8
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018000D1CC	4_2_000000018000D1CC
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00000001800029CC	4_2_00000001800029CC
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018000B5CC	4_2_000000018000B5CC
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00000001800245D0	4_2_00000001800245D0
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180014DD0	4_2_0000000180014DD0
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00000001800191E0	4_2_00000001800191E0
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018000FDE4	4_2_000000018000FDE4
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018001A9F0	4_2_000000018001A9F0
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00000001800055F4	4_2_00000001800055F4
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180019E08	4_2_0000000180019E08
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018000320C	4_2_000000018000320C
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180011A19	4_2_0000000180011A19
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018001F624	4_2_000000018001F624
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180003E2C	4_2_0000000180003E2C
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180013634	4_2_0000000180013634
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018001BA34	4_2_000000018001BA34
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018002BA3C	4_2_000000018002BA3C
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180015240	4_2_0000000180015240
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180017A40	4_2_0000000180017A40
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180007658	4_2_0000000180007658
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018000C65C	4_2_000000018000C65C
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018000FA60	4_2_000000018000FA60
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180025668	4_2_0000000180025668
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180006668	4_2_0000000180006668
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180008E68	4_2_0000000180008E68
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018001BE70	4_2_000000018001BE70
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018001B670	4_2_000000018001B670
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018000A678	4_2_000000018000A678
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018001A27C	4_2_000000018001A27C
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180025280	4_2_0000000180025280
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180005684	4_2_0000000180005684
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018000CE88	4_2_000000018000CE88
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180021E8C	4_2_0000000180021E8C
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018002228C	4_2_000000018002228C
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018001428C	4_2_000000018001428C
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180018698	4_2_0000000180018698
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180023E9C	4_2_0000000180023E9C
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00000001800016A0	4_2_00000001800016A0
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00000001800072A4	4_2_00000001800072A4
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018000D6A4	4_2_000000018000D6A4
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018002B6AC	4_2_000000018002B6AC
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00000001800026B0	4_2_00000001800026B0
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018000CAB4	4_2_000000018000CAB4
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018000BAD0	4_2_000000018000BAD0
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018001EEE0	4_2_000000018001EEE0
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180025B0C	4_2_0000000180025B0C
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180021B10	4_2_0000000180021B10
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018000E310	4_2_000000018000E310
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180003310	4_2_0000000180003310
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180027F1C	4_2_0000000180027F1C
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018001FF28	4_2_000000018001FF28
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180011F30	4_2_0000000180011F30
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180010330	4_2_0000000180010330
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018000C334	4_2_000000018000C334
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180015344	4_2_0000000180015344
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180003F54	4_2_0000000180003F54
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180006B54	4_2_0000000180006B54
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180029F58	4_2_0000000180029F58
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018001A764	4_2_000000018001A764
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180013B6C	4_2_0000000180013B6C
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018001337C	4_2_000000018001337C
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180009B84	4_2_0000000180009B84
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180024788	4_2_0000000180024788
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018001F388	4_2_000000018001F388
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180019B88	4_2_0000000180019B88
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018000C788	4_2_000000018000C788
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018001238C	4_2_000000018001238C
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180023B90	4_2_0000000180023B90
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018001BB98	4_2_000000018001BB98
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018002B39C	4_2_000000018002B39C
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018000B3A4	4_2_000000018000B3A4
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180010BAE	4_2_0000000180010BAE
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00000001800293B4	4_2_00000001800293B4
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00000001800167C4	4_2_00000001800167C4
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018000AFD4	4_2_000000018000AFD4
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018000BBD4	4_2_000000018000BBD4
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00000001800137DC	4_2_00000001800137DC
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018000ABDC	4_2_000000018000ABDC
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000001EBD2250000	4_2_000001EBD2250000
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_0000000180001864	5_2_0000000180001864
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_0000000180008470	5_2_0000000180008470
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_00000001800274F4	5_2_00000001800274F4
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_0000000180012108	5_2_0000000180012108
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_0000000180027AE4	5_2_0000000180027AE4
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_0000000180007F20	5_2_0000000180007F20
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_0000000180019F38	5_2_0000000180019F38
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_000000018000EB3C	5_2_000000018000EB3C
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_000000018000FBB4	5_2_000000018000FBB4
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_0000000180001FE8	5_2_0000000180001FE8
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_00000001800197F8	5_2_00000001800197F8
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_0000000180012BFC	5_2_0000000180012BFC
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_000000018001EBFC	5_2_000000018001EBFC
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_0000000180008BFC	5_2_0000000180008BFC
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_0000000180003800	5_2_0000000180003800
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_0000000180007014	5_2_0000000180007014
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_0000000180015020	5_2_0000000180015020
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_000000018002A43C	5_2_000000018002A43C
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_000000018000E850	5_2_000000018000E850
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_0000000180002C5C	5_2_0000000180002C5C
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_0000000180013468	5_2_0000000180013468
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_000000018001A470	5_2_000000018001A470
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_0000000180016C70	5_2_0000000180016C70
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_0000000180014C80	5_2_0000000180014C80
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_000000018000B888	5_2_000000018000B888
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_0000000180011C90	5_2_0000000180011C90
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_0000000180021894	5_2_0000000180021894
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_0000000180021094	5_2_0000000180021094
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_0000000180026098	5_2_0000000180026098
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_0000000180005498	5_2_0000000180005498
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_0000000180017CB0	5_2_0000000180017CB0
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_0000000180025CB8	5_2_0000000180025CB8
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_000000018000CCB8	5_2_000000018000CCB8
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_00000001800094BC	5_2_00000001800094BC
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_00000001800180C8	5_2_00000001800180C8
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_000000018001B4CC	5_2_000000018001B4CC
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_00000001800278D8	5_2_00000001800278D8
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_0000000180003CD8	5_2_0000000180003CD8
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_000000018001E8E4	5_2_000000018001E8E4
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_00000001800258E8	5_2_00000001800258E8
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_00000001800138F0	5_2_00000001800138F0
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_0000000180002504	5_2_0000000180002504
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_000000018001C108	5_2_000000018001C108
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_000000018000E50C	5_2_000000018000E50C
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_0000000180014514	5_2_0000000180014514
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_0000000180026518	5_2_0000000180026518
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_0000000180015120	5_2_0000000180015120
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_0000000180015524	5_2_0000000180015524
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_0000000180007130	5_2_0000000180007130
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_0000000180008D40	5_2_0000000180008D40
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_000000018002C144	5_2_000000018002C144
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_000000018000795C	5_2_000000018000795C
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_0000000180001560	5_2_0000000180001560
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_000000018001C57C	5_2_000000018001C57C
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_000000018000E97C	5_2_000000018000E97C
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_0000000180003990	5_2_0000000180003990
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_00000001800099A0	5_2_00000001800099A0
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_00000001800299A4	5_2_00000001800299A4
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_000000018000B9B4	5_2_000000018000B9B4
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_0000000180013DBC	5_2_0000000180013DBC
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_000000018001FDC0	5_2_000000018001FDC0
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_00000001800131C8	5_2_00000001800131C8
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_000000018000D1CC	5_2_000000018000D1CC

Source: C:\Windows\System32\regsvr32.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: sfc.dll	Jump to behavior

Source: yoyrJ.dll	ReversingLabs: Detection: 88%
Source: yoyrJ.dll	Metadefender: Detection: 47%

Source: C:\Windows\System32\loaddll64.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe "C:\Users\user\Desktop\yoyrJ.dll"
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\yoyrJ.dll",#1
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\yoyrJ.dll
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\yoyrJ.dll",#1
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\yoyrJ.dll,DllRegisterServer
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\RPhOZPFULSaJ\nMwLrZYwR.dll"
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\UgFJoEzLBQVtMeg\qohQcmrlRynEDAUP.dll"
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\YbSMYJyTdzumryV\WWgeEzfCEnB.dll"
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\OGxcy\dYkxHTuA.dll"
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Users\user\AppData\Local\ArkmTuxCaKyXkTDZ\fBEZnVEOT.dll"
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\wbem\WMIADAP.exe wmiadap.exe /F /T /R
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\yoyrJ.dll",#1	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\yoyrJ.dll	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\yoyrJ.dll,DllRegisterServer	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\OGxcy\dYkxHTuA.dll"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\yoyrJ.dll",#1	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\UgFJoEzLBQVtMeg\qohQcmrlRynEDAUP.dll"	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\RPhOZPFULSaJ\nMwLrZYwR.dll"	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\YbSMYJyTdzumryV\WWgeEzfCEnB.dll"	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Users\user\AppData\Local\ArkmTuxCaKyXkTDZ\fBEZnVEOT.dll"	Jump to behavior

Source: C:\Windows\System32\loaddll64.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: C:\Windows\System32\regsvr32.exe

File created: C:\Users\user\AppData\Local\ArkmTuxCaKyXkTDZ\

Jump to behavior

Source: classification engine

Classification label: mal100.troj.evad.winDLL@21/2@0/54

Source: C:\Windows\System32\loaddll64.exe

Code function: 0_2_00007FF88C3038E8 CreateWindowExW,RegisterTouchWindow,MessageBoxW,CoCreateInstance,ShowWindow,UpdateWindow,

0_2_00007FF88C3038E8

Source: C:\Windows\System32\loaddll64.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\System32\loaddll64.exe

Code function: 0_2_00000001800274F4 FindCloseChangeNotification,Process32FirstW,CreateToolhelp32Snapshot,

0_2_00000001800274F4

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\yoyrJ.dll",#1

Source: C:\Windows\System32\wbem\WMIADAP.exe	Mutant created: \BaseNamedObjects\Global\RefreshRA_Mutex
Source: C:\Windows\System32\wbem\WMIADAP.exe	Mutant created: \BaseNamedObjects\Global\RefreshRA_Mutex_Flag
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3096:120:WilError_01
Source: C:\Windows\System32\wbem\WMIADAP.exe	Mutant created: \BaseNamedObjects\Global\ADAP_WMI_ENTRY
Source: C:\Windows\System32\wbem\WMIADAP.exe	Mutant created: \BaseNamedObjects\Global\RefreshRA_Mutex_Lib

Source: C:\Windows\System32\regsvr32.exe	Automated click: OK
Source: C:\Windows\System32\regsvr32.exe	Automated click: OK
Source: C:\Windows\System32\regsvr32.exe	Automated click: OK
Source: C:\Windows\System32\regsvr32.exe	Automated click: OK
Source: C:\Windows\System32\regsvr32.exe	Automated click: OK
Source: C:\Windows\System32\regsvr32.exe	Automated click: OK
Source: C:\Windows\System32\wbem\WMIADAP.exe	Automated click: OK
Source: C:\Windows\System32\wbem\WMIADAP.exe	Automated click: OK

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: yoyrJ.dll

Static PE information: Image base 0x180000000 > 0x60000000

Source: yoyrJ.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000180005098 push ebp; ret	0_2_0000000180005099
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00000001800118AD push esp; retn 0000h	0_2_00000001800118B5
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00000001800170C8 push eax; retf	0_2_00000001800170C9
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00000001800170DD push ecx; iretd	0_2_00000001800170E2
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000018000512B push ebp; retf	0_2_000000018000512F
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000180004938 push eax; ret	0_2_000000018000493B
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00000001800171F0 push eax; retf	0_2_00000001800171F1
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000180010F42 push 8B48E1F7h; retf	0_2_0000000180010F51
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00000001800117D6 pushad ; ret	0_2_00000001800117D8
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0000000180005098 push ebp; ret	3_2_0000000180005099
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_00000001800118AD push esp; retn 0000h	3_2_00000001800118B5
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_00000001800170C8 push eax; retf	3_2_00000001800170C9
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_00000001800170DD push ecx; iretd	3_2_00000001800170E2
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_000000018000512B push ebp; retf	3_2_000000018000512F
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0000000180004938 push eax; ret	3_2_000000018000493B
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_00000001800171F0 push eax; retf	3_2_00000001800171F1
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0000000180010F42 push 8B48E1F7h; retf	3_2_0000000180010F51
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_00000001800117D6 pushad ; ret	3_2_00000001800117D8
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180005098 push ebp; ret	4_2_0000000180005099
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00000001800118AD push esp; retn 0000h	4_2_00000001800118B5
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00000001800170C8 push eax; retf	4_2_00000001800170C9
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00000001800170DD push ecx; iretd	4_2_00000001800170E2
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018000512B push ebp; retf	4_2_000000018000512F
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180004938 push eax; ret	4_2_000000018000493B
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00000001800171F0 push eax; retf	4_2_00000001800171F1
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180010F42 push 8B48E1F7h; retf	4_2_0000000180010F51
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00000001800117D6 pushad ; ret	4_2_00000001800117D8
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_0000000180005098 push ebp; ret	5_2_0000000180005099
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_00000001800118AD push esp; retn 0000h	5_2_00000001800118B5
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_00000001800170C8 push eax; retf	5_2_00000001800170C9
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_00000001800170DD push ecx; iretd	5_2_00000001800170E2

Source: yoyrJ.dll

Static PE information: section name: text

Source: C:\Windows\System32\loaddll64.exe

Code function: 0_2_00007FF88C312ED4 LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

0_2_00007FF88C312ED4

Source: yoyrJ.dll

Static PE information: real checksum: 0x6e4a7 should be: 0x72327

Source: C:\Windows\System32\loaddll64.exe

Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\yoyrJ.dll

Source: C:\Windows\System32\regsvr32.exe

PE file moved: C:\Windows\System32\UgFJoEzLBQVtMeg\qohQcmrlRynEDAUP.dll

Jump to behavior

Boot Survival

Creates an autostart registry key pointing to binary in C:\Windows

Source: C:\Windows\System32\regsvr32.exe

Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run qohQcmrlRynEDAUP.dll

Jump to behavior

Source: C:\Windows\System32\regsvr32.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run qohQcmrlRynEDAUP.dll			Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run qohQcmrlRynEDAUP.dll			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Windows\System32\loaddll64.exe	File opened: C:\Windows\system32\OGxcy\dYkxHTuA.dll:Zone.Identifier read attributes \| delete	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	File opened: C:\Windows\system32\UgFJoEzLBQVtMeg\qohQcmrlRynEDAUP.dll:Zone.Identifier read attributes \| delete	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	File opened: C:\Windows\system32\RPhOZPFULSaJ\nMwLrZYwR.dll:Zone.Identifier read attributes \| delete	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	File opened: C:\Windows\system32\YbSMYJyTdzumryV\WWgeEzfCEnB.dll:Zone.Identifier read attributes \| delete	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	File opened: C:\Users\user\AppData\Local\ArkmTuxCaKyXkTDZ\fBEZnVEOT.dll:Zone.Identifier read attributes \| delete	Jump to behavior

Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wbem\WMIADAP.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\System32\regsvr32.exe TID: 5396	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\wbem\WMIADAP.exe TID: 1664	Thread sleep count: 2698 > 30	Jump to behavior
Source: C:\Windows\System32\wbem\WMIADAP.exe TID: 1664	Thread sleep count: 2698 > 30	Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Windows\System32\wbem\WMIADAP.exe	Window / User API: threadDelayed 2698			Jump to behavior
Source: C:\Windows\System32\wbem\WMIADAP.exe	Window / User API: threadDelayed 2698			Jump to behavior

Source: C:\Windows\System32\loaddll64.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\System32\regsvr32.exe

Code function: 7_2_000000018001E0D4 FindFirstFileW,FindNextFileW,FindClose,

7_2_000000018001E0D4

Source: C:\Windows\System32\regsvr32.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior

Source: regsvr32.exe, 00000007.00000003.585862169.0000000000CBE000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000002.828134623.0000000000CC0000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.584870026.0000000000CB9000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.584622965.0000000000C77000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000002.828052946.0000000000C77000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.456389200.0000000000CB8000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.456205938.0000000000CAB000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.456259811.0000000000C77000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.584908649.0000000000CBA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: regsvr32.exe, 00000007.00000003.585862169.0000000000CBE000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000002.828134623.0000000000CC0000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.584870026.0000000000CB9000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.456389200.0000000000CB8000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.456205938.0000000000CAB000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.584908649.0000000000CBA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWf
Source: loaddll64.exe, 00000000.00000003.320147566.00000141AEF45000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{e6e9dfd8-98f2-11e9-90ce-806e6f6e6963}\C

Source: C:\Windows\System32\loaddll64.exe

Code function: 0_2_00007FF88C304980 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

0_2_00007FF88C304980

Source: C:\Windows\System32\loaddll64.exe

0_2_00007FF88C312ED4

Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FF88C304980 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,		0_2_00007FF88C304980
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FF88C3091F4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,		0_2_00007FF88C3091F4

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\System32\regsvr32.exe	Network Connect: 45.63.99.23 7080	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Network Connect: 173.255.211.88 443	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Network Connect: 182.162.143.56 443	Jump to behavior

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\yoyrJ.dll",#1

Jump to behavior

Source: C:\Windows\System32\regsvr32.exe

Queries volume information: C:\ VolumeInformation

Jump to behavior

Source: C:\Windows\System32\loaddll64.exe	Code function: _getptd,GetLocaleInfoA,GetLocaleInfoW,	0_2_00007FF88C317D58
Source: C:\Windows\System32\loaddll64.exe	Code function: EnumSystemLocalesA,	0_2_00007FF88C317EC8
Source: C:\Windows\System32\loaddll64.exe	Code function: EnumSystemLocalesA,	0_2_00007FF88C317E88
Source: C:\Windows\System32\loaddll64.exe	Code function: EnumSystemLocalesA,	0_2_00007FF88C317F60
Source: C:\Windows\System32\loaddll64.exe	Code function: _getptd,EnumSystemLocalesA,GetUserDefaultLCID,GetLocaleInfoW,GetLocaleInfoW,GetACP,IsValidCodePage,IsValidLocale,GetLocaleInfoA,GetLocaleInfoA,_itow_s,	0_2_00007FF88C317FCC
Source: C:\Windows\System32\loaddll64.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	0_2_00007FF88C3177EC
Source: C:\Windows\System32\loaddll64.exe	Code function: _getptd,GetLocaleInfoA,	0_2_00007FF88C317910
Source: C:\Windows\System32\loaddll64.exe	Code function: GetLocaleInfoW,	0_2_00007FF88C3179F8
Source: C:\Windows\System32\loaddll64.exe	Code function: _getptd,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoW,	0_2_00007FF88C317A88
Source: C:\Windows\System32\loaddll64.exe	Code function: GetLastError,free,free,GetLocaleInfoW,GetLocaleInfoW,free,GetLocaleInfoW,	0_2_00007FF88C312BF4
Source: C:\Windows\System32\loaddll64.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,WideCharToMultiByte,free,	0_2_00007FF88C318470

Source: C:\Windows\System32\regsvr32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Windows\System32\loaddll64.exe

Code function: 0_2_00007FF88C308C48 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

0_2_00007FF88C308C48

Source: C:\Windows\System32\loaddll64.exe

Code function: 0_2_00007FF88C3075D0 HeapCreate,GetVersion,HeapSetInformation,

0_2_00007FF88C3075D0

Stealing of Sensitive Information

Yara detected Emotet

Source: Yara match	File source: 00000007.00000002.827986155.0000000000C38000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0.2.loaddll64.exe.141aeea0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.regsvr32.exe.ba0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.1ebd2220000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.regsvr32.exe.d20000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll64.exe.141aeea0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.regsvr32.exe.ba0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.regsvr32.exe.a90000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.regsvr32.exe.d20000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.1bbc5810000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.1bbc5810000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.regsvr32.exe.a90000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.1ebd2220000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.828364693.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.496080462.0000000000D20000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.322442190.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.321064194.0000000000A90000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.321445782.000001BBC5810000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.318945591.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.322205921.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.319306896.000001EBD2220000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.496539435.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.827883820.0000000000BA0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.320548872.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.322977789.00000141AEEA0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	1 Native API	11 Registry Run Keys / Startup Folder	111 Process Injection	21 Masquerading	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	Exfiltration Over Other Network Medium	11 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	11 Registry Run Keys / Startup Folder	1 Virtualization/Sandbox Evasion	LSASS Memory	11 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	1 Non-Standard Port	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	1 DLL Side-Loading	111 Process Injection	Security Account Manager	1 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	1 Non-Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	1 Hidden Files and Directories	NTDS	2 Process Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	12 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 Obfuscated Files or Information	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	1 Regsvr32	Cached Domain Credentials	2 File and Directory Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	1 Rundll32	DCSync	25 System Information Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	1 File Deletion	/etc/passwd and /etc/shadow	System Network Connections Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
yoyrJ.dll	88%	ReversingLabs	Win64.Trojan.Emotet
yoyrJ.dll	48%	Metadefender		Browse

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Download
12.2.regsvr32.exe.d20000.0.unpack	100%	Avira	HEUR/AGEN.1215461	Download File
5.2.rundll32.exe.1bbc5810000.0.unpack	100%	Avira	HEUR/AGEN.1215461	Download File
7.2.regsvr32.exe.ba0000.0.unpack	100%	Avira	HEUR/AGEN.1215461	Download File
0.2.loaddll64.exe.141aeea0000.0.unpack	100%	Avira	HEUR/AGEN.1215461	Download File
3.2.regsvr32.exe.a90000.0.unpack	100%	Avira	HEUR/AGEN.1215461	Download File
4.2.rundll32.exe.1ebd2220000.0.unpack	100%	Avira	HEUR/AGEN.1215461	Download File

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
https://182.162.143.56/	0%	URL Reputation	safe
https://17.63.99.23:7080/	0%	Avira URL Cloud	safe
https://182.162.143.56/ltqyvaphgamn/iuduszibmmiode/zgmecigm/lvlmwwim/	100%	Avira URL Cloud	malware
https://45.63.99.23:7080/ltqyvaphgamn/iuduszibmmiode/zgmecigm/lvlmwwim/	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

⊘No contacted domains info

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://182.162.143.56/ltqyvaphgamn/iuduszibmmiode/zgmecigm/lvlmwwim/	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://45.63.99.23:7080/ltqyvaphgamn/iuduszibmmiode/zgmecigm/lvlmwwim/	regsvr32.exe, 00000007.00000003.585426852.0000000000C87000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.584653863.0000000000C86000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.585349266.0000000000C86000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000002.828075611.0000000000C8D000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.456277440.0000000000C86000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.585829274.0000000000C8D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://182.162.143.56/	regsvr32.exe, 00000007.00000003.585862169.0000000000CBE000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000002.828134623.0000000000CC0000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.584870026.0000000000CB9000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.456389200.0000000000CB8000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.456205938.0000000000CAB000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.584908649.0000000000CBA000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://17.63.99.23:7080/	regsvr32.exe, 00000007.00000003.585372915.0000000000C91000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000002.828083663.0000000000C91000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.585447802.0000000000C91000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.585835870.0000000000C91000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.584690393.0000000000C91000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.456292772.0000000000C91000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
110.232.117.186	unknown	Australia	56038	RACKCORP-APRackCorpAU	true
103.132.242.26	unknown	India	45117	INPL-IN-APIshansNetworkIN	true
104.168.155.143	unknown	United States	54290	HOSTWINDSUS	true
79.137.35.198	unknown	France	16276	OVHFR	true
45.118.115.99	unknown	Indonesia	131717	IDNIC-CIFO-AS-IDPTCitraJelajahInformatikaID	true
172.104.251.154	unknown	United States	63949	LINODE-APLinodeLLCUS	true
115.68.227.76	unknown	Korea Republic of	38700	SMILESERV-AS-KRSMILESERVKR	true
163.44.196.120	unknown	Singapore	135161	GMO-Z-COM-THGMO-ZcomNetDesignHoldingsCoLtdSG	true
206.189.28.199	unknown	United States	14061	DIGITALOCEAN-ASNUS	true
45.63.99.23	unknown	United States	20473	AS-CHOOPAUS	true
107.170.39.149	unknown	United States	14061	DIGITALOCEAN-ASNUS	true
197.242.150.244	unknown	South Africa	37611	AfrihostZA	true
185.4.135.165	unknown	Greece	199246	TOPHOSTGR	true
183.111.227.137	unknown	Korea Republic of	4766	KIXS-AS-KRKoreaTelecomKR	true
45.176.232.124	unknown	Colombia	267869	CABLEYTELECOMUNICACIONESDECOLOMBIASASCABLETELCOC	true
139.59.56.73	unknown	Singapore	14061	DIGITALOCEAN-ASNUS	true
169.57.156.166	unknown	United States	36351	SOFTLAYERUS	true
164.68.99.3	unknown	Germany	51167	CONTABODE	true
139.59.126.41	unknown	Singapore	14061	DIGITALOCEAN-ASNUS	true
167.172.253.162	unknown	United States	14061	DIGITALOCEAN-ASNUS	true
147.139.166.154	unknown	United States	45102	CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC	true
202.129.205.3	unknown	Thailand	45328	NIPA-AS-THNIPATECHNOLOGYCOLTDTH	true
167.172.199.165	unknown	United States	14061	DIGITALOCEAN-ASNUS	true
153.92.5.27	unknown	Germany	47583	AS-HOSTINGERLT	true
159.65.140.115	unknown	United States	14061	DIGITALOCEAN-ASNUS	true
159.65.88.10	unknown	United States	14061	DIGITALOCEAN-ASNUS	true
172.105.226.75	unknown	United States	63949	LINODE-APLinodeLLCUS	true
164.90.222.65	unknown	United States	14061	DIGITALOCEAN-ASNUS	true
213.239.212.5	unknown	Germany	24940	HETZNER-ASDE	true
5.135.159.50	unknown	France	16276	OVHFR	true
173.255.211.88	unknown	United States	63949	LINODE-APLinodeLLCUS	true
212.24.98.99	unknown	Lithuania	62282	RACKRAYUABRakrejusLT	true
186.194.240.217	unknown	Brazil	262733	NetceteraTelecomunicacoesLtdaBR	true
91.187.140.35	unknown	Serbia	13092	UB-ASRS	true
119.59.103.152	unknown	Thailand	56067	METRABYTE-TH453LadplacoutJorakhaebuaTH	true
159.89.202.34	unknown	United States	14061	DIGITALOCEAN-ASNUS	true
201.94.166.162	unknown	Brazil	28573	CLAROSABR	true
160.16.142.56	unknown	Japan	9370	SAKURA-BSAKURAInternetIncJP	true
103.75.201.2	unknown	Thailand	133496	CDNPLUSCOLTD-AS-APCDNPLUSCOLTDTH	true
91.207.28.33	unknown	Kyrgyzstan	39819	PROHOSTKG	true
103.43.75.120	unknown	Japan	20473	AS-CHOOPAUS	true
188.44.20.25	unknown	Macedonia	57374	GIV-ASMK	true
45.235.8.30	unknown	Brazil	267405	WIKINETTELECOMUNICACOESBR	true
153.126.146.25	unknown	Japan	7684	SAKURA-ASAKURAInternetIncJP	true
72.15.201.15	unknown	United States	13649	ASN-VINSUS	true
82.223.21.224	unknown	Spain	8560	ONEANDONE-ASBrauerstrasse48DE	true
173.212.193.249	unknown	Germany	51167	CONTABODE	true
95.217.221.146	unknown	Germany	24940	HETZNER-ASDE	true
149.56.131.28	unknown	Canada	16276	OVHFR	true
209.97.163.214	unknown	United States	14061	DIGITALOCEAN-ASNUS	true
182.162.143.56	unknown	Korea Republic of	3786	LGDACOMLGDACOMCorporationKR	true
1.234.2.232	unknown	Korea Republic of	9318	SKB-ASSKBroadbandCoLtdKR	true
129.232.188.93	unknown	South Africa	37153	xneeloZA	true
94.23.45.86	unknown	France	16276	OVHFR	true

General Information

Joe Sandbox Version:	36.0.0 Rainbow Opal
Analysis ID:	750476
Start date and time:	2022-11-21 04:19:06 +01:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 9m 21s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	yoyrJ.dll
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	17
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winDLL@21/2@0/54
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 67.7% (good quality ratio 58.8%) Quality average: 65.2% Quality standard deviation: 35.3%
HCA Information:	Successful, ratio: 100% Number of executed functions: 38 Number of non-executed functions: 233
Cookbook Comments:	Found application associated with file extension: .dll Override analysis time to 240s for rundll32

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, conhost.exe, backgroundTaskHost.exe
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: yoyrJ.dll

Simulations

Behavior and APIs

Time	Type	Description
04:20:48	API Interceptor	3x Sleep call for process: regsvr32.exe modified
04:21:17	Autostart	Run: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run qohQcmrlRynEDAUP.dll C:\Windows\system32\regsvr32.exe "C:\Windows\system32\UgFJoEzLBQVtMeg\qohQcmrlRynEDAUP.dll"

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
110.232.117.186	RechX2022.11.11_1045X.xls	Get hash	malicious	Browse
	PO0000001552.xls	Get hash	malicious	Browse
	ozZDLYwvhE.dll	Get hash	malicious	Browse
	ozZDLYwvhE.dll	Get hash	malicious	Browse
	file.dll	Get hash	malicious	Browse
	file.dll	Get hash	malicious	Browse
	file.dll	Get hash	malicious	Browse
	file.dll	Get hash	malicious	Browse
	W-9 form.zip	Get hash	malicious	Browse
	Rech 2022.11.11_1346.xls	Get hash	malicious	Browse
	GUZyjs3wxI.dll	Get hash	malicious	Browse
	GUZyjs3wxI.dll	Get hash	malicious	Browse
	file.dll	Get hash	malicious	Browse
	file.dll	Get hash	malicious	Browse
	file.dll	Get hash	malicious	Browse
	file.dll	Get hash	malicious	Browse
	file.dll	Get hash	malicious	Browse
	file.dll	Get hash	malicious	Browse
	file.dll	Get hash	malicious	Browse
	U71925870143638QYS.xls	Get hash	malicious	Browse
103.132.242.26	RechX2022.11.11_1045X.xls	Get hash	malicious	Browse
	PO0000001552.xls	Get hash	malicious	Browse
	ozZDLYwvhE.dll	Get hash	malicious	Browse
	ozZDLYwvhE.dll	Get hash	malicious	Browse
	file.dll	Get hash	malicious	Browse
	file.dll	Get hash	malicious	Browse
	file.dll	Get hash	malicious	Browse
	file.dll	Get hash	malicious	Browse
	W-9 form.zip	Get hash	malicious	Browse
	Rech 2022.11.11_1346.xls	Get hash	malicious	Browse
	GUZyjs3wxI.dll	Get hash	malicious	Browse
	GUZyjs3wxI.dll	Get hash	malicious	Browse
	file.dll	Get hash	malicious	Browse
	file.dll	Get hash	malicious	Browse
	file.dll	Get hash	malicious	Browse
	file.dll	Get hash	malicious	Browse
	file.dll	Get hash	malicious	Browse
	file.dll	Get hash	malicious	Browse
	file.dll	Get hash	malicious	Browse
	U71925870143638QYS.xls	Get hash	malicious	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
RACKCORP-APRackCorpAU	RechX2022.11.11_1045X.xls	Get hash	malicious	Browse	110.232.117.186
	PO0000001552.xls	Get hash	malicious	Browse	110.232.117.186
	ozZDLYwvhE.dll	Get hash	malicious	Browse	110.232.117.186
	ozZDLYwvhE.dll	Get hash	malicious	Browse	110.232.117.186
	file.dll	Get hash	malicious	Browse	110.232.117.186
	file.dll	Get hash	malicious	Browse	110.232.117.186
	file.dll	Get hash	malicious	Browse	110.232.117.186
	file.dll	Get hash	malicious	Browse	110.232.117.186
	W-9 form.zip	Get hash	malicious	Browse	110.232.117.186
	Rech 2022.11.11_1346.xls	Get hash	malicious	Browse	110.232.117.186
	GUZyjs3wxI.dll	Get hash	malicious	Browse	110.232.117.186
	GUZyjs3wxI.dll	Get hash	malicious	Browse	110.232.117.186
	file.dll	Get hash	malicious	Browse	110.232.117.186
	file.dll	Get hash	malicious	Browse	110.232.117.186
	file.dll	Get hash	malicious	Browse	110.232.117.186
	file.dll	Get hash	malicious	Browse	110.232.117.186
	file.dll	Get hash	malicious	Browse	110.232.117.186
	file.dll	Get hash	malicious	Browse	110.232.117.186
	file.dll	Get hash	malicious	Browse	110.232.117.186
	U71925870143638QYS.xls	Get hash	malicious	Browse	110.232.117.186
INPL-IN-APIshansNetworkIN	RechX2022.11.11_1045X.xls	Get hash	malicious	Browse	103.132.242.26
	PO0000001552.xls	Get hash	malicious	Browse	103.132.242.26
	ozZDLYwvhE.dll	Get hash	malicious	Browse	103.132.242.26
	ozZDLYwvhE.dll	Get hash	malicious	Browse	103.132.242.26
	file.dll	Get hash	malicious	Browse	103.132.242.26
	file.dll	Get hash	malicious	Browse	103.132.242.26
	file.dll	Get hash	malicious	Browse	103.132.242.26
	file.dll	Get hash	malicious	Browse	103.132.242.26
	W-9 form.zip	Get hash	malicious	Browse	103.132.242.26
	Rech 2022.11.11_1346.xls	Get hash	malicious	Browse	103.132.242.26
	GUZyjs3wxI.dll	Get hash	malicious	Browse	103.132.242.26
	GUZyjs3wxI.dll	Get hash	malicious	Browse	103.132.242.26
	file.dll	Get hash	malicious	Browse	103.132.242.26
	file.dll	Get hash	malicious	Browse	103.132.242.26
	file.dll	Get hash	malicious	Browse	103.132.242.26
	file.dll	Get hash	malicious	Browse	103.132.242.26
	file.dll	Get hash	malicious	Browse	103.132.242.26
	file.dll	Get hash	malicious	Browse	103.132.242.26
	file.dll	Get hash	malicious	Browse	103.132.242.26
	U71925870143638QYS.xls	Get hash	malicious	Browse	103.132.242.26

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
8916410db85077a5460817142dcbc8de	kOiaWLNKXpjayWeM.dll	Get hash	malicious	Browse	182.162.143.56
	ozZDLYwvhE.dll	Get hash	malicious	Browse	182.162.143.56
	ozZDLYwvhE.dll	Get hash	malicious	Browse	182.162.143.56
	file.dll	Get hash	malicious	Browse	182.162.143.56
	file.dll	Get hash	malicious	Browse	182.162.143.56
	file.dll	Get hash	malicious	Browse	182.162.143.56
	file.dll	Get hash	malicious	Browse	182.162.143.56
	Rech 2022.11.11_1346.xls	Get hash	malicious	Browse	182.162.143.56
	9CDZWvxtK7.dll	Get hash	malicious	Browse	182.162.143.56
	dSxFvE2b8M.dll	Get hash	malicious	Browse	182.162.143.56
	file.dll	Get hash	malicious	Browse	182.162.143.56
	file.dll	Get hash	malicious	Browse	182.162.143.56
	file.dll	Get hash	malicious	Browse	182.162.143.56
	file.dll	Get hash	malicious	Browse	182.162.143.56
	file.dll	Get hash	malicious	Browse	182.162.143.56
	file.dll	Get hash	malicious	Browse	182.162.143.56
	file.dll	Get hash	malicious	Browse	182.162.143.56
	48noBU5j3z.dll	Get hash	malicious	Browse	182.162.143.56
	file.dll	Get hash	malicious	Browse	182.162.143.56
	48noBU5j3z.dll	Get hash	malicious	Browse	182.162.143.56

Dropped Files

⊘No context

Created / dropped Files

C:\Windows\System32\wbem\Performance\WmiApRpl_new.h

Download File

Process:	C:\Windows\System32\wbem\WMIADAP.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3444
Entropy (8bit):	5.011954215267298
Encrypted:	false
SSDEEP:	48:ADPo+gDMIuK54DeHNg9dqbEzCJGGgGDU3XgLBgaGKFijiVJtVAAF/XRgW:ADw+gDMhK54qHC7aBvGKFijiV7XRgW
MD5:	B133A676D139032A27DE3D9619E70091
SHA1:	1248AA89938A13640252A79113930EDE2F26F1FA
SHA-256:	AE2B6236D3EEB4822835714AE9444E5DCD21BC60F7A909F2962C43BC743C7B15
SHA-512:	C6B99E13D854CE7A6874497473614EE4BD81C490802783DB1349AB851CD80D1DC06DF8C1F6E434ABA873A5BBF6125CC64104709064E19A9DC1C66DCDE3F898F5
Malicious:	false
Preview:	//////////////////////////////////////////////////////////////////////////////////////////////..//..// Copyright (C) 2000 Microsoft Corporation..//..// Module Name:..// WmiApRpl..//..// Abstract:..//..// Include file for object and counters definitions...//..//////////////////////////////////////////////////////////////////////////////////////////////......#define.WMI_Objects.0..#define.HiPerf_Classes.2..#define.HiPerf_Validity.4....#define.MSiSCSI_ConnectionStatistics_00000.6....#define.BytesReceived_00000.8..#define.BytesSent_00000.10..#define.PDUCommandsSent_00000.12..#define.PDUResponsesReceived_00000.14....#define.MSiSCSI_InitiatorInstanceStatistics_00001.16....#define.SessionConnectionTimeoutErrorCount_00001.18..#define.SessionDigestErrorCount_00001.20..#define.SessionFailureCount_00001.22..#define.SessionFormatErrorCount_00001.24....#define.MSiSCSI_InitiatorLoginStatistics_00002.26....#define.LoginAcceptRsps_00002.28..#define.LoginAuthenticateFails_00002.30..#define.LoginAuthFai

C:\Windows\system32\wbem\Performance\WmiApRpl.h (copy)

Download File

Process:	C:\Windows\System32\wbem\WMIADAP.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3444
Entropy (8bit):	5.011954215267298
Encrypted:	false
SSDEEP:	48:ADPo+gDMIuK54DeHNg9dqbEzCJGGgGDU3XgLBgaGKFijiVJtVAAF/XRgW:ADw+gDMhK54qHC7aBvGKFijiV7XRgW
MD5:	B133A676D139032A27DE3D9619E70091
SHA1:	1248AA89938A13640252A79113930EDE2F26F1FA
SHA-256:	AE2B6236D3EEB4822835714AE9444E5DCD21BC60F7A909F2962C43BC743C7B15
SHA-512:	C6B99E13D854CE7A6874497473614EE4BD81C490802783DB1349AB851CD80D1DC06DF8C1F6E434ABA873A5BBF6125CC64104709064E19A9DC1C66DCDE3F898F5
Malicious:	false
Preview:	//////////////////////////////////////////////////////////////////////////////////////////////..//..// Copyright (C) 2000 Microsoft Corporation..//..// Module Name:..// WmiApRpl..//..// Abstract:..//..// Include file for object and counters definitions...//..//////////////////////////////////////////////////////////////////////////////////////////////......#define.WMI_Objects.0..#define.HiPerf_Classes.2..#define.HiPerf_Validity.4....#define.MSiSCSI_ConnectionStatistics_00000.6....#define.BytesReceived_00000.8..#define.BytesSent_00000.10..#define.PDUCommandsSent_00000.12..#define.PDUResponsesReceived_00000.14....#define.MSiSCSI_InitiatorInstanceStatistics_00001.16....#define.SessionConnectionTimeoutErrorCount_00001.18..#define.SessionDigestErrorCount_00001.20..#define.SessionFailureCount_00001.22..#define.SessionFormatErrorCount_00001.24....#define.MSiSCSI_InitiatorLoginStatistics_00002.26....#define.LoginAcceptRsps_00002.28..#define.LoginAuthenticateFails_00002.30..#define.LoginAuthFai

Static File Info

General

File type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Entropy (8bit):	6.773063357716462
TrID:	Win64 Dynamic Link Library (generic) (102004/3) 86.43% Win64 Executable (generic) (12005/4) 10.17% Generic Win/DOS Executable (2004/3) 1.70% DOS Executable Generic (2002/1) 1.70% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.01%
File name:	yoyrJ.dll
File size:	433152
MD5:	dd7105e9748a29b5bd61ea57214d57e3
SHA1:	827b323bda769ba7fb838a231aa4160209266b14
SHA256:	c987ad0cc79b598bdee9ec7da96b07e82a04cadd73cb3caf85b799731deef9a1
SHA512:	beca102422697e4cd50b81289bdc5097935f11c0c5acc86b7a69893fb819a3cd225e4b2594a2bb40163fbd68d7ac281b0ff260f30b55cf188112445eb26986b7
SSDEEP:	6144:PZUCuTJlyIOziaTGy+IeIt1xJh5eWhv/w62LcuPv8cD4mRKqdONyAzDxkMwp2/uw:Py7EzZ4+HvY62LxHJ4KTGDlT
TLSH:	1C94E141365506F1C9378334CA931E4BE832740A5335A64F02A9D5F67F7B761AB2F32A
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........?...l...l...l...l...l...l...l../l...l..2l...l.."l...l...l...l...l...l..*l...l..+l...l..,l...lRich...l................PE..d..

File Icon


Icon Hash:	74f0e4ecccdce0e4

Static PE Info

General

Entrypoint:	0x180005bdc
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x180000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, DLL
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x636D291C [Thu Nov 10 16:38:52 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	2
File Version Major:	5
File Version Minor:	2
Subsystem Version Major:	5
Subsystem Version Minor:	2
Import Hash:	b3da9e0a2ac4751e0c486ad7cdc326f7

Entrypoint Preview

Instruction
dec eax
mov dword ptr [esp+08h], ebx
dec eax
mov dword ptr [esp+10h], esi
push edi
dec eax
sub esp, 20h
dec ecx
mov edi, eax
mov ebx, edx
dec eax
mov esi, ecx
cmp edx, 01h
jne 00007FFA20ABA017h
call 00007FFA20ABD060h
dec esp
mov eax, edi
mov edx, ebx
dec eax
mov ecx, esi
dec eax
mov ebx, dword ptr [esp+30h]
dec eax
mov esi, dword ptr [esp+38h]
dec eax
add esp, 20h
pop edi
jmp 00007FFA20AB9EBCh
int3
int3
int3
dec eax
mov dword ptr [esp+08h], ecx
dec eax
sub esp, 00000088h
dec eax
lea ecx, dword ptr [00062F31h]
call dword ptr [0001C543h]
dec eax
mov eax, dword ptr [0006301Ch]
dec eax
mov dword ptr [esp+58h], eax
inc ebp
xor eax, eax
dec eax
lea edx, dword ptr [esp+60h]
dec eax
mov ecx, dword ptr [esp+58h]
call 00007FFA20AD2638h
dec eax
mov dword ptr [esp+50h], eax
dec eax
cmp dword ptr [esp+50h], 00000000h
je 00007FFA20ABA053h
dec eax
mov dword ptr [esp+38h], 00000000h
dec eax
lea eax, dword ptr [esp+48h]
dec eax
mov dword ptr [esp+30h], eax
dec eax
lea eax, dword ptr [esp+40h]
dec eax
mov dword ptr [esp+28h], eax
dec eax
lea eax, dword ptr [00062EDCh]
dec eax
mov dword ptr [esp+20h], eax
dec esp
mov ecx, dword ptr [esp+50h]
dec esp
mov eax, dword ptr [esp+58h]
dec eax
mov edx, dword ptr [esp+60h]
xor ecx, ecx
call 00007FFA20AD25E6h
jmp 00007FFA20ABA034h
dec eax
mov eax, dword ptr [eax+eax+00000000h]

Rich Headers

Programming Language:

[C++] VS2010 build 30319
[ C ] VS2010 build 30319
[ASM] VS2010 build 30319
[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[EXP] VS2010 build 30319
[RES] VS2010 build 30319
[LNK] VS2010 build 30319

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x66770	0x57	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x65cb4	0x64	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x6d000	0x254	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x6a000	0x1ac4	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x6e000	0x3ec	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x22000	0x338	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x20182	0x20200	False	0.5494513010700389	data	6.563588075042218	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x22000	0x447c7	0x44800	False	0.6747904311131386	data	6.184568591532381	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x67000	0x2fd0	0x1c00	False	0.291015625	data	3.404968127612506	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x6a000	0x1ac4	0x1c00	False	0.46861049107142855	data	5.279471356455433	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
text	0x6c000	0x91d	0xa00	False	0.389453125	data	5.167000712138923	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE
.rsrc	0x6d000	0x254	0x400	False	0.3134765625	data	4.723033814693597	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x6e000	0x7f6	0x800	False	0.35693359375	data	3.497910650248424	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_STRING	0x6d0a0	0x58	data	English	United States
RT_MANIFEST	0x6d0f8	0x15a	ASCII text, with CRLF line terminators	English	United States

Imports

DLL	Import
USER32.dll	TranslateMessage, DefWindowProcW, UpdateWindow, MessageBoxW, CreateWindowExW, EndPaint, DestroyWindow, TranslateAcceleratorW, GetMessageW, PostQuitMessage, LoadCursorW, BeginPaint, DispatchMessageW, GetTouchInputInfo, RegisterClassExW, RegisterTouchWindow, InvalidateRect, CloseTouchInputHandle, LoadStringW, ShowWindow, UnregisterTouchWindow
GDI32.dll	LineTo, DeleteObject, SelectObject, Polyline, CreatePen, MoveToEx
ole32.dll	CoUninitialize, CoInitialize, CoLoadLibrary, CoCreateInstance
KERNEL32.dll	HeapReAlloc, GetLocaleInfoW, LoadLibraryW, FreeLibrary, SetConsoleCtrlHandler, IsValidCodePage, GetOEMCP, LCMapStringW, GetCPInfo, GetStringTypeW, EnterCriticalSection, FatalAppExitA, LeaveCriticalSection, GetSystemTimeAsFileTime, GetCurrentProcessId, MultiByteToWideChar, GetUserDefaultLCID, GetLocaleInfoA, EnumSystemLocalesA, IsValidLocale, GetACP, GetModuleHandleW, GetTickCount, QueryPerformanceCounter, GetEnvironmentStringsW, WideCharToMultiByte, FreeEnvironmentStringsW, HeapAlloc, EncodePointer, DecodePointer, GetCurrentThreadId, FlsSetValue, GetCommandLineA, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, RtlVirtualUnwind, RtlLookupFunctionEntry, RtlCaptureContext, GetLastError, HeapFree, GetProcAddress, ExitProcess, WriteFile, GetStdHandle, GetModuleFileNameW, HeapSetInformation, GetVersion, HeapCreate, HeapDestroy, Sleep, HeapSize, RtlUnwindEx, RaiseException, RtlPcToFileHeader, FlsGetValue, FlsFree, SetLastError, GetCurrentThread, FlsAlloc, SetHandleCount, InitializeCriticalSectionAndSpinCount, GetFileType, GetStartupInfoW, DeleteCriticalSection, GetModuleFileNameA

Exports

Name	Ordinal	Address
DllRegisterServer	1	0x180003854

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
192.168.2.4173.255.211.88496954432404312 11/21/22-04:20:47.613393	TCP	2404312	ET CNC Feodo Tracker Reported CnC Server TCP group 7	49695	443	192.168.2.4	173.255.211.88
192.168.2.4182.162.143.56497004432404314 11/21/22-04:21:09.058938	TCP	2404314	ET CNC Feodo Tracker Reported CnC Server TCP group 8	49700	443	192.168.2.4	182.162.143.56
192.168.2.445.63.99.234969970802404330 11/21/22-04:20:53.767379	TCP	2404330	ET CNC Feodo Tracker Reported CnC Server TCP group 16	49699	7080	192.168.2.4	45.63.99.23

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 21, 2022 04:20:47.613393068 CET	49695	443	192.168.2.4	173.255.211.88
Nov 21, 2022 04:20:47.613487959 CET	443	49695	173.255.211.88	192.168.2.4
Nov 21, 2022 04:20:47.613646030 CET	49695	443	192.168.2.4	173.255.211.88
Nov 21, 2022 04:20:47.621453047 CET	49695	443	192.168.2.4	173.255.211.88
Nov 21, 2022 04:20:47.621525049 CET	443	49695	173.255.211.88	192.168.2.4
Nov 21, 2022 04:20:47.796107054 CET	443	49695	173.255.211.88	192.168.2.4
Nov 21, 2022 04:20:47.797595978 CET	49696	443	192.168.2.4	173.255.211.88
Nov 21, 2022 04:20:47.797673941 CET	443	49696	173.255.211.88	192.168.2.4
Nov 21, 2022 04:20:47.797794104 CET	49696	443	192.168.2.4	173.255.211.88
Nov 21, 2022 04:20:47.798702002 CET	49696	443	192.168.2.4	173.255.211.88
Nov 21, 2022 04:20:47.798731089 CET	443	49696	173.255.211.88	192.168.2.4
Nov 21, 2022 04:20:47.975795984 CET	443	49696	173.255.211.88	192.168.2.4
Nov 21, 2022 04:20:47.977385998 CET	49697	443	192.168.2.4	173.255.211.88
Nov 21, 2022 04:20:47.977452040 CET	443	49697	173.255.211.88	192.168.2.4
Nov 21, 2022 04:20:47.977592945 CET	49697	443	192.168.2.4	173.255.211.88
Nov 21, 2022 04:20:47.979526997 CET	49697	443	192.168.2.4	173.255.211.88
Nov 21, 2022 04:20:47.979572058 CET	443	49697	173.255.211.88	192.168.2.4
Nov 21, 2022 04:20:48.151135921 CET	443	49697	173.255.211.88	192.168.2.4
Nov 21, 2022 04:20:48.152781963 CET	49698	443	192.168.2.4	173.255.211.88
Nov 21, 2022 04:20:48.152836084 CET	443	49698	173.255.211.88	192.168.2.4
Nov 21, 2022 04:20:48.152923107 CET	49698	443	192.168.2.4	173.255.211.88
Nov 21, 2022 04:20:48.153774023 CET	49698	443	192.168.2.4	173.255.211.88
Nov 21, 2022 04:20:48.153799057 CET	443	49698	173.255.211.88	192.168.2.4
Nov 21, 2022 04:20:48.328830957 CET	443	49698	173.255.211.88	192.168.2.4
Nov 21, 2022 04:20:53.767379045 CET	49699	7080	192.168.2.4	45.63.99.23
Nov 21, 2022 04:20:56.771694899 CET	49699	7080	192.168.2.4	45.63.99.23
Nov 21, 2022 04:21:02.787986040 CET	49699	7080	192.168.2.4	45.63.99.23
Nov 21, 2022 04:21:09.058938026 CET	49700	443	192.168.2.4	182.162.143.56
Nov 21, 2022 04:21:09.059000969 CET	443	49700	182.162.143.56	192.168.2.4
Nov 21, 2022 04:21:09.059458971 CET	49700	443	192.168.2.4	182.162.143.56
Nov 21, 2022 04:21:09.062942028 CET	49700	443	192.168.2.4	182.162.143.56
Nov 21, 2022 04:21:09.063020945 CET	443	49700	182.162.143.56	192.168.2.4
Nov 21, 2022 04:21:09.821538925 CET	443	49700	182.162.143.56	192.168.2.4
Nov 21, 2022 04:21:09.821768045 CET	49700	443	192.168.2.4	182.162.143.56
Nov 21, 2022 04:21:09.830401897 CET	49700	443	192.168.2.4	182.162.143.56
Nov 21, 2022 04:21:09.830475092 CET	443	49700	182.162.143.56	192.168.2.4
Nov 21, 2022 04:21:09.830936909 CET	443	49700	182.162.143.56	192.168.2.4
Nov 21, 2022 04:21:09.882251024 CET	49700	443	192.168.2.4	182.162.143.56
Nov 21, 2022 04:21:10.165709019 CET	49700	443	192.168.2.4	182.162.143.56
Nov 21, 2022 04:21:10.165743113 CET	443	49700	182.162.143.56	192.168.2.4
Nov 21, 2022 04:21:10.165755987 CET	49700	443	192.168.2.4	182.162.143.56
Nov 21, 2022 04:21:10.165762901 CET	443	49700	182.162.143.56	192.168.2.4
Nov 21, 2022 04:21:11.838960886 CET	443	49700	182.162.143.56	192.168.2.4
Nov 21, 2022 04:21:11.839132071 CET	443	49700	182.162.143.56	192.168.2.4
Nov 21, 2022 04:21:11.839271069 CET	49700	443	192.168.2.4	182.162.143.56
Nov 21, 2022 04:21:11.840809107 CET	49700	443	192.168.2.4	182.162.143.56
Nov 21, 2022 04:21:11.840810061 CET	49700	443	192.168.2.4	182.162.143.56
Nov 21, 2022 04:21:11.840852022 CET	443	49700	182.162.143.56	192.168.2.4
Nov 21, 2022 04:21:11.840873957 CET	443	49700	182.162.143.56	192.168.2.4

HTTP Request Dependency Graph

182.162.143.56

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.4	49700	182.162.143.56	443	C:\Windows\System32\regsvr32.exe

Timestamp	Direction	Data
2022-11-21 03:21:10 UTC	OUT	POST /ltqyvaphgamn/iuduszibmmiode/zgmecigm/lvlmwwim/ HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Content-Length: 334 Host: 182.162.143.56
2022-11-21 03:21:10 UTC	OUT	Data Raw: 6e 79 73 70 73 7a 62 64 6e 65 75 6e 72 65 63 3d 67 56 49 6f 44 75 42 68 2b 73 5a 68 7a 49 78 69 6c 34 6a 2b 70 53 78 6a 78 38 54 77 4f 4f 66 65 64 56 33 75 51 6e 59 4d 50 53 26 6e 61 6c 64 71 6e 76 6c 72 71 6c 3d 45 35 71 54 78 39 74 2f 39 6a 6e 57 6e 67 75 6c 69 37 4d 7a 55 30 37 6e 6b 39 69 44 56 59 53 39 39 45 79 65 41 46 33 67 4b 6e 4f 56 6a 78 69 67 41 34 4b 66 43 70 75 52 55 30 67 33 71 39 74 42 6d 52 46 59 63 7a 34 2b 50 6b 76 49 2f 6f 6a 6d 53 37 61 6e 31 36 53 4e 30 55 71 4c 67 56 48 6f 32 62 36 45 75 51 4c 4b 73 71 45 37 41 49 42 61 79 58 68 61 55 37 43 39 7a 2f 39 71 43 37 57 6b 33 48 64 44 26 6e 69 72 71 79 6c 71 65 61 77 6b 3d 46 4a 42 44 5a 2f 33 7a 70 35 57 72 2f 6e 55 52 58 78 4f 44 79 50 73 72 53 2f 4f 62 4a 68 77 68 35 78 41 45 73 6e 2f Data Ascii: nyspszbdneunrec=gVIoDuBh+sZhzIxil4j+pSxjx8TwOOfedV3uQnYMPS&naldqnvlrql=E5qTx9t/9jnWnguli7MzU07nk9iDVYS99EyeAF3gKnOVjxigA4KfCpuRU0g3q9tBmRFYcz4+PkvI/ojmS7an16SN0UqLgVHo2b6EuQLKsqE7AIBayXhaU7C9z/9qC7Wk3HdD&nirqylqeawk=FJBDZ/3zp5Wr/nURXxODyPsrS/ObJhwh5xAEsn/
2022-11-21 03:21:11 UTC	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 21 Nov 2022 03:21:04 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2022-11-21 03:21:11 UTC	IN	Data Raw: 33 63 61 0d 0a 78 ea 95 c5 42 92 41 c3 73 f5 2f 1e 3f a0 9b 06 d2 80 a4 69 a2 a0 61 c1 fb 6b f1 c0 dc a1 f0 65 23 7a 11 e1 99 13 a4 9d 1c 1a 18 41 54 ff 9d 92 4a 0a 4f 31 5a f2 7c f9 2b 17 87 40 79 96 e5 13 98 5c 7e fe 7e f8 0e ef ef 39 c2 04 34 a9 6b 96 2b be 25 fd ed 40 e1 6c 4e 87 16 6c af e8 78 3a e0 dc 86 e3 3d 4c 28 45 00 d3 4b 86 ff 46 73 d8 8c bc 43 39 8c 5d 82 3b 36 73 30 40 71 c2 59 06 5f e1 5c dc 7b 54 06 64 6c cf fa 5c b5 f5 2f 40 46 ae 40 df b8 eb 35 d7 91 19 b2 5f 24 72 29 82 79 75 58 cc 8d 3b f0 a4 14 e3 df 51 7c b8 ef c6 b9 e3 7b 7d 64 f0 54 4b 83 ee ae 40 f0 5c 84 c2 1b fb 31 07 6a 50 8a c6 5d 7d 2d c6 ea 65 66 1a 7e d0 0a 66 79 04 e2 90 c1 5a 7f dc af 96 e1 cb 32 6a 02 c5 c6 a8 ac 0d 23 35 86 19 87 d5 29 dd 96 a3 a7 40 08 ce a0 5f da ae Data Ascii: 3caxBAs/?iake#zATJO1Z\|+@y\~~94k+%@lNlx:=L(EKFsC9];6s0@qY_\{Tdl\/@F@5_$r)yuX;Q\|{}dTK@\1jP]}-ef~fyZ2j#5)@_

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: loaddll64.exePID: 3692, Parent PID: 3528

General

Target ID:	0
Start time:	04:20:01
Start date:	21/11/2022
Path:	C:\Windows\System32\loaddll64.exe
Wow64 process (32bit):	false
Commandline:	loaddll64.exe "C:\Users\user\Desktop\yoyrJ.dll"
Imagebase:	0x7ff76b0a0000
File size:	139776 bytes
MD5 hash:	C676FC0263EDD17D4CE7D644B8F3FCD6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000000.00000002.322442190.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Emotet_db7d33fa, Description: unknown, Source: 00000000.00000002.322442190.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000000.00000002.322977789.00000141AEEA0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Emotet_db7d33fa, Description: unknown, Source: 00000000.00000002.322977789.00000141AEEA0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 3096, Parent PID: 3692

General

Target ID:	1
Start time:	04:20:01
Start date:	21/11/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7c72c0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: cmd.exePID: 976, Parent PID: 3692

General

Target ID:	2
Start time:	04:20:02
Start date:	21/11/2022
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd.exe /C rundll32.exe "C:\Users\user\Desktop\yoyrJ.dll",#1
Imagebase:	0x7ff632260000
File size:	273920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: regsvr32.exePID: 5020, Parent PID: 3692

General

Target ID:	3
Start time:	04:20:02
Start date:	21/11/2022
Path:	C:\Windows\System32\regsvr32.exe
Wow64 process (32bit):	false
Commandline:	regsvr32.exe /s C:\Users\user\Desktop\yoyrJ.dll
Imagebase:	0x7ff7458f0000
File size:	24064 bytes
MD5 hash:	D78B75FC68247E8A63ACBA846182740E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000003.00000002.321064194.0000000000A90000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Emotet_db7d33fa, Description: unknown, Source: 00000003.00000002.321064194.0000000000A90000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000003.00000002.322205921.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Emotet_db7d33fa, Description: unknown, Source: 00000003.00000002.322205921.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Author: unknown
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: rundll32.exePID: 5288, Parent PID: 976

General

Target ID:	4
Start time:	04:20:02
Start date:	21/11/2022
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe "C:\Users\user\Desktop\yoyrJ.dll",#1
Imagebase:	0x7ff6a4af0000
File size:	69632 bytes
MD5 hash:	73C519F050C20580F8A62C849D49215A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000004.00000002.318945591.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Emotet_db7d33fa, Description: unknown, Source: 00000004.00000002.318945591.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000004.00000002.319306896.000001EBD2220000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Emotet_db7d33fa, Description: unknown, Source: 00000004.00000002.319306896.000001EBD2220000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: rundll32.exePID: 5284, Parent PID: 3692

General

Target ID:	5
Start time:	04:20:02
Start date:	21/11/2022
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe C:\Users\user\Desktop\yoyrJ.dll,DllRegisterServer
Imagebase:	0x7ff6a4af0000
File size:	69632 bytes
MD5 hash:	73C519F050C20580F8A62C849D49215A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000005.00000002.321445782.000001BBC5810000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Emotet_db7d33fa, Description: unknown, Source: 00000005.00000002.321445782.000001BBC5810000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000005.00000002.320548872.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Emotet_db7d33fa, Description: unknown, Source: 00000005.00000002.320548872.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Author: unknown
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: regsvr32.exePID: 5412, Parent PID: 5288

General

Target ID:	6
Start time:	04:20:07
Start date:	21/11/2022
Path:	C:\Windows\System32\regsvr32.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\regsvr32.exe "C:\Windows\system32\RPhOZPFULSaJ\nMwLrZYwR.dll"
Imagebase:	0x7ff7458f0000
File size:	24064 bytes
MD5 hash:	D78B75FC68247E8A63ACBA846182740E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: regsvr32.exePID: 5908, Parent PID: 5020

General

Target ID:	7
Start time:	04:20:07
Start date:	21/11/2022
Path:	C:\Windows\System32\regsvr32.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\regsvr32.exe "C:\Windows\system32\UgFJoEzLBQVtMeg\qohQcmrlRynEDAUP.dll"
Imagebase:	0x7ff7458f0000
File size:	24064 bytes
MD5 hash:	D78B75FC68247E8A63ACBA846182740E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000007.00000002.828364693.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Emotet_db7d33fa, Description: unknown, Source: 00000007.00000002.828364693.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000007.00000002.827883820.0000000000BA0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Emotet_db7d33fa, Description: unknown, Source: 00000007.00000002.827883820.0000000000BA0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Emotet_3, Description: Yara detected Emotet, Source: 00000007.00000002.827986155.0000000000C38000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security

Show Windows behavior

Chronological Activities

Analysis Process: regsvr32.exePID: 4644, Parent PID: 5284

General

Target ID:	8
Start time:	04:20:07
Start date:	21/11/2022
Path:	C:\Windows\System32\regsvr32.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\regsvr32.exe "C:\Windows\system32\YbSMYJyTdzumryV\WWgeEzfCEnB.dll"
Imagebase:	0x7ff7458f0000
File size:	24064 bytes
MD5 hash:	D78B75FC68247E8A63ACBA846182740E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: regsvr32.exePID: 5132, Parent PID: 3692

General

Target ID:	9
Start time:	04:20:08
Start date:	21/11/2022
Path:	C:\Windows\System32\regsvr32.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\regsvr32.exe "C:\Windows\system32\OGxcy\dYkxHTuA.dll"
Imagebase:	0x7ff7458f0000
File size:	24064 bytes
MD5 hash:	D78B75FC68247E8A63ACBA846182740E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: regsvr32.exePID: 5132, Parent PID: 3528

General

Target ID:	12
Start time:	04:21:26
Start date:	21/11/2022
Path:	C:\Windows\System32\regsvr32.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\regsvr32.exe" "C:\Windows\system32\UgFJoEzLBQVtMeg\qohQcmrlRynEDAUP.dll
Imagebase:	0x7ff7458f0000
File size:	24064 bytes
MD5 hash:	D78B75FC68247E8A63ACBA846182740E
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000C.00000002.496080462.0000000000D20000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Emotet_db7d33fa, Description: unknown, Source: 0000000C.00000002.496080462.0000000000D20000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000C.00000002.496539435.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Emotet_db7d33fa, Description: unknown, Source: 0000000C.00000002.496539435.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Author: unknown

Show Windows behavior

Chronological Activities

Analysis Process: regsvr32.exePID: 4192, Parent PID: 5132

General

Target ID:	13
Start time:	04:21:30
Start date:	21/11/2022
Path:	C:\Windows\System32\regsvr32.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\regsvr32.exe "C:\Users\user\AppData\Local\ArkmTuxCaKyXkTDZ\fBEZnVEOT.dll"
Imagebase:	0x7ff7458f0000
File size:	24064 bytes
MD5 hash:	D78B75FC68247E8A63ACBA846182740E
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: WMIADAP.exePID: 5412, Parent PID: 2384

General

Target ID:	14
Start time:	04:21:50
Start date:	21/11/2022
Path:	C:\Windows\System32\wbem\WMIADAP.exe
Wow64 process (32bit):	false
Commandline:	wmiadap.exe /F /T /R
Imagebase:	0x7ff7ece50000
File size:	177664 bytes
MD5 hash:	9783D0765F31980950445DFD40DB15DA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: loaddll64.exePID: 3692, Parent PID: 3528COMMON

Execution Graph

Execution Coverage:	8.9%
Dynamic/Decrypted Code Coverage:	2.3%
Signature Coverage:	8.9%
Total number of Nodes:	923
Total number of Limit Nodes:	6

Executed Functions

Function 00000141AEED0000 Relevance: 53.5, APIs: 4, Strings: 26, Instructions: 953
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetNativeSystemInfo.KERNELBASE ref: 00000141AEED0344
VirtualAlloc.KERNELBASE ref: 00000141AEED038A
VirtualProtect.KERNELBASE ref: 00000141AEED085C
RtlAvlRemoveNode.NTDLL ref: 00000141AEED08E9

Strings

aryA, xrefs: 00000141AEED00A5
Cach, xrefs: 00000141AEED0100
o, xrefs: 00000141AEED012E
ualP, xrefs: 00000141AEED00CD
hIns, xrefs: 00000141AEED00EB
Libr, xrefs: 00000141AEED009D
ddFu, xrefs: 00000141AEED013A
ativ, xrefs: 00000141AEED010F
truc, xrefs: 00000141AEED00F2
Load, xrefs: 00000141AEED0095
Flus, xrefs: 00000141AEED00E4
Slee, xrefs: 00000141AEED0084
nf, xrefs: 00000141AEED0127
onTa, xrefs: 00000141AEED0148
eSys, xrefs: 00000141AEED0117
GetN, xrefs: 00000141AEED0107
rote, xrefs: 00000141AEED00D5
RtlA, xrefs: 00000141AEED0133
ualA, xrefs: 00000141AEED00B5
temI, xrefs: 00000141AEED011F
lloc, xrefs: 00000141AEED00BD
ct, xrefs: 00000141AEED00DD
Virt, xrefs: 00000141AEED00AD
tion, xrefs: 00000141AEED00F9
Virt, xrefs: 00000141AEED00C5
ncti, xrefs: 00000141AEED0141

Memory Dump Source

Source File: 00000000.00000002.323141337.00000141AEED0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000141AEED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_141aeed0000_loaddll64.jbxd

Similarity

API ID: Virtual$AllocInfoNativeNodeProtectRemoveSystem
String ID: Cach$Flus$GetN$Libr$Load$RtlA$Slee$Virt$Virt$aryA$ativ$ct$ddFu$eSys$hIns$lloc$ncti$nf$o$onTa$rote$temI$tion$truc$ualA$ualP
API String ID: 1419936716-3605381585
Opcode ID: e9a861555d927ec3db92d1fa6852e06d9629cb263f7a81f544b384a165a1d9b2
Instruction ID: 8a42a4e8ba0c421e6fe934dda00cb57f65402a12560565ae102cbacc451ffef1
Opcode Fuzzy Hash: e9a861555d927ec3db92d1fa6852e06d9629cb263f7a81f544b384a165a1d9b2
Instruction Fuzzy Hash: FA622630619B489BD729DF18D8957B9B3E1FB44310F24422DE88BC72A1DB31E586CB86

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180001864 Relevance: 7.9, Strings: 6, Instructions: 418
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

rh, xrefs: 0000000180001DA4
Q~, xrefs: 0000000180001905
0, xrefs: 0000000180001980
S, xrefs: 0000000180001B33
Q~, xrefs: 0000000180001C5B, 0000000180001C22, 0000000180001D54, 00000001800019EB, 0000000180001A2B, 0000000180001D18, 0000000180001B6A, 0000000180001B7C, 0000000180001D96, 0000000180001A0C, 0000000180001D09, 0000000180001A50, 0000000180001E74, 0000000180001C39, 00000001800019F7, 00000001800018F7, 0000000180001AEB, 0000000180001C49, 0000000180001CA5, 0000000180001DDE
o_, xrefs: 00000001800019A2

Memory Dump Source

Source File: 00000000.00000002.322442190.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180001000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID: Q~$Q~$0$S$o_$rh
API String ID: 0-2138576042
Opcode ID: 5e1b0978f8f9846f43e2bea0e03f405b69613694843aa09990415df6c376f501
Instruction ID: 188c1361a23e6ad5d6055c6decd0cb402179bcc8801bac07be60f8210c67be5b
Opcode Fuzzy Hash: 5e1b0978f8f9846f43e2bea0e03f405b69613694843aa09990415df6c376f501
Instruction Fuzzy Hash: 5D22E570510788DFDB98DF28C889ADD3FA1FB483A8F956219FC0A97290D774D985CB84

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180019F38 Relevance: 6.5, Strings: 5, Instructions: 203
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

f], xrefs: 000000018001A219
\, xrefs: 000000018001A227
LLCf, xrefs: 000000018001A1BC
P, xrefs: 000000018001A1DE
<q+, xrefs: 000000018001A1A4

Memory Dump Source

Source File: 00000000.00000002.322442190.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180001000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID: <q+$LLCf$\$f]$P
API String ID: 0-3672281703
Opcode ID: 05ccb559511b71173230ca7e7be1dce73a909a9d07f4dc889358141c448b61c4
Instruction ID: 265aeea36392b044b8397e8defa31dfa6669a7a85a24a4f633674630fd2f5fc7
Opcode Fuzzy Hash: 05ccb559511b71173230ca7e7be1dce73a909a9d07f4dc889358141c448b61c4
Instruction Fuzzy Hash: 7A91387051074D8BEB88DF28C88A6DE3FA1FB18388F55822DFC4A96290C778D594CBC5

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180012108 Relevance: 6.4, Strings: 5, Instructions: 167
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

:P, xrefs: 0000000180012254
TTMl, xrefs: 0000000180012206
g(, xrefs: 0000000180012216
Fm, xrefs: 000000018001219A
g(, xrefs: 00000001800122A2

Memory Dump Source

Source File: 00000000.00000002.322442190.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180001000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID: :P$Fm$TTMl$g($g(
API String ID: 0-1760300932
Opcode ID: 35dc3a46165115c5b824d07f550f560c064e34de772aff6205be7b74c0bda806
Instruction ID: 1efb9e605c89b73597f32a758b8ca89b33c921972f7d2c9c749e1d2df1591218
Opcode Fuzzy Hash: 35dc3a46165115c5b824d07f550f560c064e34de772aff6205be7b74c0bda806
Instruction Fuzzy Hash: 9B71F3B0D1070C8FDB48CFA8D48A5DDBBB1FB4C358F259219E81AB6290D7749945CF98

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180027AE4 Relevance: 5.1, Strings: 4, Instructions: 132
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

*q, xrefs: 0000000180027D0A
J], xrefs: 0000000180027D1A
IZ, xrefs: 0000000180027C7B
r, xrefs: 0000000180027C63

Memory Dump Source

Source File: 00000000.00000002.322442190.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180001000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID: *q$IZ$J]$r
API String ID: 0-2497554898
Opcode ID: 43c7a842463a437fe1eded88d271485cd70f234d753bf00be1fd1f2e6629932a
Instruction ID: a8845266b5974d967b5ababb0eb11ed0c979ed5efda08082c324e04f2968d530
Opcode Fuzzy Hash: 43c7a842463a437fe1eded88d271485cd70f234d753bf00be1fd1f2e6629932a
Instruction Fuzzy Hash: 5361ACB051C7808BE769DF28C48954BBBF1FB86758F004A1DF685862A0D7BAD909CF43

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF88C3075D0 Relevance: 4.5, APIs: 3, Instructions: 20
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

HeapCreate.KERNELBASE ref: 00007FF88C3075E6
GetVersion.KERNEL32 ref: 00007FF88C3075F8
HeapSetInformation.KERNEL32 ref: 00007FF88C307616

Memory Dump Source

Source File: 00000000.00000002.323590886.00007FF88C301000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF88C300000, based on PE: true

Associated: 00000000.00000002.323573707.00007FF88C300000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323655700.00007FF88C322000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323798879.00007FF88C367000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323812343.00007FF88C36A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323824687.00007FF88C36C000.00000010.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323839114.00007FF88C36D000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff88c300000_loaddll64.jbxd

Similarity

API ID: Heap$CreateInformationVersion
String ID:
API String ID: 3563531100-0
Opcode ID: ff5e6d536eaa35a4d46f5682f650b60aebbb2f539376b8b6ec45a6a19b727594
Instruction ID: b2124f383027bd62e4e1bbab96065ac9002721476e68527d6820a350111dc61d
Opcode Fuzzy Hash: ff5e6d536eaa35a4d46f5682f650b60aebbb2f539376b8b6ec45a6a19b727594
Instruction Fuzzy Hash: 86E06D79A19B4282FBC45758E849F752260BF9B791F800434EA4E027A8DF3DA087CB10

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000EB3C Relevance: 4.5, Strings: 3, Instructions: 740COMMON

Download Yara Rule

Strings

jD]d, xrefs: 000000018000EBED
7%, xrefs: 000000018000F78B
9, xrefs: 000000018000F7E5

Memory Dump Source

Source File: 00000000.00000002.322442190.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180001000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID: 7%$9$jD]d
API String ID: 0-1546762489
Opcode ID: 3a2c75b155999ceca95a1101aa2672927a553c18006282dbc89149371d9a150e
Instruction ID: 169ab63c6de9708b2d6ff7ebaceebcae706aa59c3a2d7becb4d2446022c3bb94
Opcode Fuzzy Hash: 3a2c75b155999ceca95a1101aa2672927a553c18006282dbc89149371d9a150e
Instruction Fuzzy Hash: AC82EA7151074D8BDF88CF24C88A6DE3FA1FB68398F615218FC4AA62A0C778D595CBC5

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180007F20 Relevance: 4.0, Strings: 3, Instructions: 217COMMON

Download Yara Rule

Strings

-F, xrefs: 00000001800081E6
b/, xrefs: 0000000180008054
+:, xrefs: 0000000180008265

Memory Dump Source

Source File: 00000000.00000002.322442190.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180001000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID: +:$-F$b/
API String ID: 0-2853193221
Opcode ID: 320a9a5064c2bc21a0540459f418b250373266716c94cc0e27337242bf2797b8
Instruction ID: 737d24e7272c4c3b9b72648f791c5085104e51d52394de1257a227f0ab4226e1
Opcode Fuzzy Hash: 320a9a5064c2bc21a0540459f418b250373266716c94cc0e27337242bf2797b8
Instruction Fuzzy Hash: 58B1AD7112A784AFD399DF24C58A95BBBF0FB84748F80691DF8D6862A0D7B4D904CB43

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000FBB4 Relevance: 3.8, Strings: 3, Instructions: 76COMMON

Download Yara Rule

Strings

iD, xrefs: 000000018000FBD1
=, xrefs: 000000018000FCC7
P1, xrefs: 000000018000FBC9

Memory Dump Source

Source File: 00000000.00000002.322442190.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180001000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID: P1$iD$=
API String ID: 0-3914590764
Opcode ID: 54ed1ebd14070d7b33ab5e4994ec722d1d326e05f26750878d1ae811eccdbc9a
Instruction ID: cd48c7c98638ea9050d9ec6f13eccaefb93dc6b992923aa58e6fe742ccc161f4
Opcode Fuzzy Hash: 54ed1ebd14070d7b33ab5e4994ec722d1d326e05f26750878d1ae811eccdbc9a
Instruction Fuzzy Hash: 9E31EEB15587888FD348DF69C48A50AFFE2FBD4784F504A1DF482863A4D7B4D545CB82

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180008470 Relevance: 2.8, Strings: 2, Instructions: 311COMMON

Download Yara Rule

Strings

{, xrefs: 000000018000848B
\, xrefs: 000000018000895F

Memory Dump Source

Source File: 00000000.00000002.322442190.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180001000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID: \${
API String ID: 0-678260969
Opcode ID: 373689a8370a2b976fd3f6cbd9c4ab5b964727591edad26c43d96574c5dc916b
Instruction ID: b27e16a6b33d669af57ca606ea4693b712f978dac00823e541d9e40ea4f99018
Opcode Fuzzy Hash: 373689a8370a2b976fd3f6cbd9c4ab5b964727591edad26c43d96574c5dc916b
Instruction Fuzzy Hash: 3B02E6715087C88BEBBECF64C8897DE3BA9FB44708F10521DEA4A9E298DB745745CB01

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800274F4 Relevance: 1.5, Strings: 1, Instructions: 212COMMON

Download Yara Rule

Strings

%N, xrefs: 00000001800277C7

Memory Dump Source

Source File: 00000000.00000002.322442190.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180001000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID: %N
API String ID: 0-944680591
Opcode ID: fe83645fe756a776de9565e5026d5fc39fe0b4df6c8eb006d5d39841c4a4c783
Instruction ID: 3c452895d693fb340123c723d27f44680dcccb39e5392457550dc33261e3d05d
Opcode Fuzzy Hash: fe83645fe756a776de9565e5026d5fc39fe0b4df6c8eb006d5d39841c4a4c783
Instruction Fuzzy Hash: 99A100702197489FE7AACF14C5857DABBE1FB99344F805A1DF88A8B291C774DA04CB43

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF88C301BDC Relevance: 128.5, APIs: 9, Strings: 64, Instructions: 793
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoInitialize.OLE32 ref: 00007FF88C3035E6

Part of subcall function 00007FF88C301B14: CoLoadLibrary.OLE32 ref: 00007FF88C301B41

LoadStringW.USER32 ref: 00007FF88C30360B
LoadStringW.USER32 ref: 00007FF88C303625

Part of subcall function 00007FF88C303874: LoadCursorW.USER32 ref: 00007FF88C3038AE
Part of subcall function 00007FF88C303874: RegisterClassExW.USER32 ref: 00007FF88C3038D9

Part of subcall function 00007FF88C3038E8: CreateWindowExW.USER32 ref: 00007FF88C30393C

CoUninitialize.OLE32 ref: 00007FF88C303644
TranslateAcceleratorW.USER32 ref: 00007FF88C303658
TranslateMessage.USER32 ref: 00007FF88C303667
DispatchMessageW.USER32 ref: 00007FF88C303672
GetMessageW.USER32 ref: 00007FF88C303685
CoUninitialize.OLE32 ref: 00007FF88C30368F

Strings

VdVy, xrefs: 00007FF88C302423
\xE8, xrefs: 00007FF88C301FFF
xK8, xrefs: 00007FF88C3026A3
1v?!, xrefs: 00007FF88C301E3D
<IE, xrefs: 00007FF88C30208B
sN , xrefs: 00007FF88C302621
xmbE, xrefs: 00007FF88C3020EF
y,, xrefs: 00007FF88C30272F
cdVx, xrefs: 00007FF88C302487
mxtx, xrefs: 00007FF88C302C39
,w!, xrefs: 00007FF88C3032DD
qw/D, xrefs: 00007FF88C30328D
4j@, xrefs: 00007FF88C302437
md"o, xrefs: 00007FF88C302D83
_mc=, xrefs: 00007FF88C302121
4]_E, xrefs: 00007FF88C302991
Rx-|, xrefs: 00007FF88C302ED7
`V1, xrefs: 00007FF88C302F77
aqxH, xrefs: 00007FF88C30346D
_{c=, xrefs: 00007FF88C3020BD
kblv, xrefs: 00007FF88C3022C5
xm#_, xrefs: 00007FF88C30321F
vXG8, xrefs: 00007FF88C301F9B
F%hy, xrefs: 00007FF88C30300D
]oo, xrefs: 00007FF88C302509
4IRH, xrefs: 00007FF88C301FC3
`)O, xrefs: 00007FF88C3033AF
E(jX, xrefs: 00007FF88C301F23
dwW!, xrefs: 00007FF88C302685
)\]*, xrefs: 00007FF88C301E29
zK8, xrefs: 00007FF88C30276B
8g$, xrefs: 00007FF88C30242D
0kiK, xrefs: 00007FF88C302F09
\U7, xrefs: 00007FF88C3022F7
bn<, xrefs: 00007FF88C303071
wWe, xrefs: 00007FF88C3026E9
`RZD, xrefs: 00007FF88C302031
bxKq, xrefs: 00007FF88C30244B
n%F, xrefs: 00007FF88C30253B
%4^*, xrefs: 00007FF88C301D27
m)H, xrefs: 00007FF88C302473
F0y@, xrefs: 00007FF88C30217B
Rmm, xrefs: 00007FF88C302775
dwW, xrefs: 00007FF88C302941
_$9, xrefs: 00007FF88C301F2D
x%8, xrefs: 00007FF88C301CCC
I0tx, xrefs: 00007FF88C3021AD
P$s, xrefs: 00007FF88C30224D
x!t, xrefs: 00007FF88C3030F3
R'_, xrefs: 00007FF88C3022CF
5qWe, xrefs: 00007FF88C302239
3sM, xrefs: 00007FF88C301FE1
_hc1, xrefs: 00007FF88C302CD9
w !, xrefs: 00007FF88C302E05
]yO, xrefs: 00007FF88C302C07
%hy, xrefs: 00007FF88C301D19
uRO, xrefs: 00007FF88C3026D5
,w O, xrefs: 00007FF88C302A45
iBnv, xrefs: 00007FF88C302EE1
42We, xrefs: 00007FF88C30229D
@W[e, xrefs: 00007FF88C3021D5
0.$, xrefs: 00007FF88C301F5F
p(mI, xrefs: 00007FF88C302F63
0]#&, xrefs: 00007FF88C301E5B

Memory Dump Source

Source File: 00000000.00000002.323590886.00007FF88C301000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF88C300000, based on PE: true

Associated: 00000000.00000002.323573707.00007FF88C300000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323655700.00007FF88C322000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323798879.00007FF88C367000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323812343.00007FF88C36A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323824687.00007FF88C36C000.00000010.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323839114.00007FF88C36D000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff88c300000_loaddll64.jbxd

Similarity

API ID: Load$Message$StringTranslateUninitialize$AcceleratorClassCreateCursorDispatchInitializeLibraryRegisterWindow
String ID: x%8$%4^*$)\]*$,w O$,w!$0]#&$0kiK$0.$$1v?!$42We$4IRH$4]_E$5qWe$<IE$@W[e$E(jX$F%hy$F0y@$I0tx$P$s$Rmm$Rx-|$VdVy$\xE8$\U7$]yO$]oo$_$9$_hc1$_mc=$_{c=$`)O$`RZD$aqxH$bxKq$cdVx$dwW!$dwW$iBnv$kblv$m)H$md"o$mxtx$n%F$p(mI$qw/D$uRO$vXG8$w !$x!t$xm#_$xmbE$y,$%hy$3sM$4j@$8g$$R'_$`V1$bn<$sN $wWe$xK8$zK8
API String ID: 254501832-2356253762
Opcode ID: e3d9f0cbb17484eccf7d253c8bd93789c39128f6d083e20f5ad30eb0b04a9210
Instruction ID: d7bd1fb9c9207daf1b130cb805d4a94397acab84f1a92b0014b0103c87ed141e
Opcode Fuzzy Hash: e3d9f0cbb17484eccf7d253c8bd93789c39128f6d083e20f5ad30eb0b04a9210
Instruction Fuzzy Hash: 85D2B7B290A7C58FE374CF629A857DD3A61F34274CF608218C2991FA1DCB799246CF85

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF88C308188 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 38%

			E00007FF87FF88C308188(intOrPtr __rax, long long __rbx, void* __rdx, long long __rdi) {
				signed char _t83;
				signed int _t84;
				intOrPtr _t90;
				intOrPtr _t93;
				void* _t95;
				intOrPtr _t99;
				intOrPtr _t101;
				signed int _t104;
				intOrPtr _t106;
				intOrPtr _t138;
				intOrPtr _t140;
				void* _t142;
				long long _t147;
				struct _STARTUPINFOW* _t149;
				intOrPtr _t163;
				void* _t164;
				void* _t166;
				intOrPtr _t171;
				void* _t173;
				long long _t174;
				long long* _t177;
				void* _t180;
				void* _t181;
				void* _t184;
				intOrPtr* _t186;
				void* _t189;
				signed char* _t190;
				struct _STARTUPINFOW* _t193;

				_t162 = __rdx;
				_t148 = __rbx;
				_t138 = __rax;
				 *((long long*)(_t180 + 8)) = __rbx;
				 *((long long*)(_t180 + 0x10)) = _t174;
				 *((long long*)(_t180 + 0x18)) = __rdi;
				_t181 = _t180 - 0x90;
				GetStartupInfoW(_t193);
				_t5 = _t162 - 0x38; // 0x20
				_t106 = _t5;
				E00007FF87FF88C30796C(__rbx, _t181 + 0x20, __rdx, __rdi, _t173, _t174, _t189, _t184);
				r14d = 0;
				_t163 = _t138;
				if (_t138 != 0) goto 0x8c3081d1;
				goto 0x8c30843c;
				 *0x8c369da0 = _t138;
				 *0x8c369d84 = _t106;
				if (_t163 - _t138 + 0xb00 >= 0) goto 0x8c308230;
				_t164 = _t163 + 9;
				 *(_t164 - 9) =  *(_t164 - 9) | 0xffffffff;
				 *((short*)(_t164 - 1)) = 0xa00;
				 *(_t164 + 3) = r14d;
				 *((short*)(_t164 + 0x2f)) = 0xa00;
				 *((char*)(_t164 + 0x31)) = 0xa;
				 *(_t164 + 0x47) = r14d;
				 *((intOrPtr*)(_t164 + 0x43)) = r14b;
				_t140 =  *0x8c369da0; // 0x141b0981120
				_t14 = _t164 + 0x58 - 9; // -106
				if (_t14 - _t140 + 0xb00 < 0) goto 0x8c3081ef;
				_t93 =  *0x8c369d84; // 0x20
				if ( *((intOrPtr*)(_t181 + 0x62)) == r14w) goto 0x8c308370;
				_t142 =  *((intOrPtr*)(_t181 + 0x68));
				if (_t142 == 0) goto 0x8c308370;
				_t190 = _t142 + 4;
				_t186 =  *_t142 + _t190;
				_t89 =  <  ?  *_t142 : 0x800;
				if (_t93 - 0x800 >= 0) goto 0x8c3082ed;
				E00007FF87FF88C30796C(_t148, _t174, _t164 + 0x58, 0x8c369da8, _t173, _t174);
				if (_t142 == 0) goto 0x8c3082e7;
				_t99 =  *0x8c369d84; // 0x20
				_t18 = _t142 + 0xb00; // 0xb00
				 *0x8c369da8 = _t142;
				 *0x8c369d84 = _t99 + _t106;
				if (_t142 - _t18 >= 0) goto 0x8c3082dd;
				_t19 = _t142 + 9; // 0x9
				_t166 = _t19;
				 *(_t166 - 9) =  *(_t166 - 9) | 0xffffffff;
				 *(_t166 + 0x2f) =  *(_t166 + 0x2f) & 0x00000080;
				 *((short*)(_t166 - 1)) = 0xa00;
				 *(_t166 + 3) = r14d;
				 *((short*)(_t166 + 0x30)) = 0xa0a;
				 *(_t166 + 0x47) = r14d;
				 *((intOrPtr*)(_t166 + 0x43)) = r14b;
				_t29 = _t166 + 0x58 - 9; // -88
				if (_t29 -  *0x8c369da8 + 0xb00 < 0) goto 0x8c3082a0;
				_t101 =  *0x8c369d84; // 0x20
				_t118 = _t101 - ( <  ?  *_t142 : 0x800);
				if (_t101 - ( <  ?  *_t142 : 0x800) < 0) goto 0x8c30826d;
				goto 0x8c3082ed;
				_t90 =  *0x8c369d84; // 0x20
				_t104 = r14d;
				if (_t90 <= 0) goto 0x8c308370;
				if ( *_t186 == 0xffffffff) goto 0x8c308363;
				if ( *_t186 == 0xfffffffe) goto 0x8c308363;
				if (( *_t190 & 0x00000001) == 0) goto 0x8c308363;
				if (( *_t190 & 0x00000008) != 0) goto 0x8c30831e;
				if (GetFileType(??) == 0) goto 0x8c308363;
				_t177 = _t104 * 0x58 +  *((intOrPtr*)(0x8c369da0 + (_t104 >> 5) * 8));
				_t147 =  *_t186;
				 *_t177 = _t147;
				 *((char*)(_t177 + 8)) =  *_t190;
				if (InitializeCriticalSectionAndSpinCount(??, ??) == 0) goto 0x8c3081c9;
				 *((intOrPtr*)(_t177 + 0xc)) =  *((intOrPtr*)(_t177 + 0xc)) + 1;
				if (_t104 + 1 - _t90 < 0) goto 0x8c3082f4;
				r12d = r14d;
				_t149 = _t193;
				_t171 =  *0x8c369da0; // 0x141b0981120
				if ( *((long long*)(_t149 + _t171)) == 0xffffffff) goto 0x8c308395;
				if ( *((long long*)(_t149 + _t171)) == 0xfffffffe) goto 0x8c308395;
				 *(_t149 + _t171 + 8) =  *(_t149 + _t171 + 8) | 0x00000080;
				goto 0x8c30841a;
				 *(_t149 + _t171 + 8) = 0x81;
				asm("sbb ecx, ecx");
				_t95 =  ==  ? 0xfffffff6 : _t93 + 0xfffffff5;
				GetStdHandle(??);
				if (_t147 == 0xffffffff) goto 0x8c30840d;
				if (_t147 == 0) goto 0x8c30840d;
				_t83 = GetFileType(??); // executed
				if (_t83 == 0) goto 0x8c30840d;
				_t84 = _t83 & 0x000000ff;
				 *((long long*)(_t149 + _t171)) = _t147;
				if (_t84 != 2) goto 0x8c3083e5;
				 *(_t149 + _t171 + 8) =  *(_t149 + _t171 + 8) | 0x00000040;
				goto 0x8c3083ef;
				if (_t84 != 3) goto 0x8c3083ef;
				 *(_t149 + _t171 + 8) =  *(_t149 + _t171 + 8) | 0x00000008;
				if (InitializeCriticalSectionAndSpinCount(??, ??) == 0) goto 0x8c3081c9;
				 *((intOrPtr*)(_t149 + _t171 + 0xc)) =  *((intOrPtr*)(_t149 + _t171 + 0xc)) + 1;
				goto 0x8c30841a;
				 *(_t149 + _t171 + 8) =  *(_t149 + _t171 + 8) | 0x00000040;
				 *((long long*)(_t149 + _t171)) = 0xfffffffe;
				r12d = r12d + 1;
				if (_t149 + 0x58 - 0x108 < 0) goto 0x8c308376;
				SetHandleCount(??);
				return 0;
			}

0x7ff88c308188
0x7ff88c308188
0x7ff88c308188
0x7ff88c308188
0x7ff88c30818d
0x7ff88c308192
0x7ff88c30819d
0x7ff88c3081a9
0x7ff88c3081b4
0x7ff88c3081b4
0x7ff88c3081b9
0x7ff88c3081be
0x7ff88c3081c1
0x7ff88c3081c7
0x7ff88c3081cc
0x7ff88c3081d1
0x7ff88c3081e0
0x7ff88c3081e9
0x7ff88c3081eb
0x7ff88c3081ef
0x7ff88c3081f4
0x7ff88c3081fa
0x7ff88c3081fe
0x7ff88c308204
0x7ff88c308208
0x7ff88c30820c
0x7ff88c308210
0x7ff88c30821b
0x7ff88c308228
0x7ff88c30822a
0x7ff88c308236
0x7ff88c30823c
0x7ff88c308244
0x7ff88c308252
0x7ff88c308256
0x7ff88c30825b
0x7ff88c308260
0x7ff88c308275
0x7ff88c30827d
0x7ff88c30827f
0x7ff88c308285
0x7ff88c30828c
0x7ff88c308291
0x7ff88c30829a
0x7ff88c30829c
0x7ff88c30829c
0x7ff88c3082a0
0x7ff88c3082a5
0x7ff88c3082a9
0x7ff88c3082af
0x7ff88c3082b3
0x7ff88c3082b9
0x7ff88c3082bd
0x7ff88c3082c8
0x7ff88c3082d5
0x7ff88c3082d7
0x7ff88c3082e1
0x7ff88c3082e3
0x7ff88c3082e5
0x7ff88c3082e7
0x7ff88c3082ed
0x7ff88c3082f2
0x7ff88c3082f9
0x7ff88c308300
0x7ff88c308307
0x7ff88c30830e
0x7ff88c30831c
0x7ff88c30833b
0x7ff88c30833f
0x7ff88c308343
0x7ff88c30834f
0x7ff88c30835a
0x7ff88c308360
0x7ff88c30836e
0x7ff88c308370
0x7ff88c308373
0x7ff88c308376
0x7ff88c308382
0x7ff88c308389
0x7ff88c30838b
0x7ff88c308390
0x7ff88c30839a
0x7ff88c3083a6
0x7ff88c3083ae
0x7ff88c3083b1
0x7ff88c3083be
0x7ff88c3083c3
0x7ff88c3083c8
0x7ff88c3083d0
0x7ff88c3083d2
0x7ff88c3083d5
0x7ff88c3083dc
0x7ff88c3083de
0x7ff88c3083e3
0x7ff88c3083e8
0x7ff88c3083ea
0x7ff88c308401
0x7ff88c308407
0x7ff88c30840b
0x7ff88c30840d
0x7ff88c308412
0x7ff88c30841e
0x7ff88c308428
0x7ff88c308434
0x7ff88c308459

APIs

GetStartupInfoW.KERNEL32 ref: 00007FF88C3081A9

Part of subcall function 00007FF88C30796C: Sleep.KERNEL32(?,?,?,00007FF88C307F0B,?,?,?,00007FF88C3076A1,?,?,?,?,00007FF88C305382), ref: 00007FF88C3079B1

GetFileType.KERNEL32 ref: 00007FF88C308314
InitializeCriticalSectionAndSpinCount.KERNEL32 ref: 00007FF88C308352

Strings

@, xrefs: 00007FF88C30840D

Memory Dump Source

Source File: 00000000.00000002.323590886.00007FF88C301000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF88C300000, based on PE: true

Associated: 00000000.00000002.323573707.00007FF88C300000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323655700.00007FF88C322000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323798879.00007FF88C367000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323812343.00007FF88C36A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323824687.00007FF88C36C000.00000010.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323839114.00007FF88C36D000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff88c300000_loaddll64.jbxd

Similarity

API ID: CountCriticalFileInfoInitializeSectionSleepSpinStartupType
String ID: @
API String ID: 3473179607-2766056989
Opcode ID: e02c93909526c4f236752285605e8c27f2e0304d9560b3fbe4c2ca2a6fe07655
Instruction ID: 38372bc8b1f260a1421d0416d23dfe50f1662b09218a0c6eb62fa3a261e8331a
Opcode Fuzzy Hash: e02c93909526c4f236752285605e8c27f2e0304d9560b3fbe4c2ca2a6fe07655
Instruction Fuzzy Hash: 29817062A08B8286EB548F54D984B297794FF46BB4F544338CA7E436E9DF3CE456C301

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF88C301A2C Relevance: 14.1, APIs: 2, Strings: 6, Instructions: 65
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 16%

			E00007FF87FF88C301A2C(void* __edx, signed char __rbx, void* __rcx, signed char __rdi, signed char __rsi, signed char __rbp, void* _a8, void* _a16, void* _a24, void* _a32) {
				signed int _t17;
				signed char _t26;
				void* _t38;
				void* _t40;
				signed char* _t44;
				signed long long _t56;
				signed char* _t66;
				signed char* _t69;
				void* _t72;

				_t44 = _t66;
				_t44[8] = __rbx;
				_t44[0x10] = __rbp;
				_t44[0x18] = __rsi;
				_t44[0x20] = __rdi;
				r12d = __edx;
				__imp__CoLoadLibrary();
				_t56 = "VirtualAlloc";
				_t17 = E00007FF87FF88C303714(_t38, _t40, __rbx, _t44, _t56);
				E00007FF87FF88C30525C();
				E00007FF87FF88C30525C();
				E00007FF87FF88C30525C();
				r9d = _t17;
				r8d = _t17 | _t17; // executed
				VirtualAlloc(_t72, ??, ??); // executed
				r8d = 0;
				if (_t44 == 0) goto 0x8c301af8;
				if (r12d == 0) goto 0x8c301af5;
				_t69 = _t44;
				r8d = r8d + 1;
				_t26 =  *(r8d - (_t56 + _t56 * 4 << 3) + "uRODSdV1dwWeU0j@_hcuRxK8R%hycF!_mx1Kxmb") ^ _t69[__rcx - _t44];
				 *_t69 = _t26;
				if (r8d - r12d < 0) goto 0x8c301ab9;
				return _t26;
			}

0x7ff88c301a2c
0x7ff88c301a2f
0x7ff88c301a33
0x7ff88c301a37
0x7ff88c301a3b
0x7ff88c301a48
0x7ff88c301a54
0x7ff88c301a5a
0x7ff88c301a64
0x7ff88c301a73
0x7ff88c301a81
0x7ff88c301a8f
0x7ff88c301a99
0x7ff88c301a9e
0x7ff88c301aa1
0x7ff88c301aa3
0x7ff88c301aac
0x7ff88c301ab1
0x7ff88c301ab3
0x7ff88c301ace
0x7ff88c301ae6
0x7ff88c301aea
0x7ff88c301af3
0x7ff88c301b12

APIs

CoLoadLibrary.OLE32 ref: 00007FF88C301A54
VirtualAlloc.KERNELBASE ref: 00007FF88C301AA1

Strings

kernel32.dll, xrefs: 00007FF88C301A4B
VirtualAlloc, xrefs: 00007FF88C301A5A
uRODSdV1dwWeU0j@_hcuRxK8R%hycF!_mx1Kxmb, xrefs: 00007FF88C301ADC
8192, xrefs: 00007FF88C301A78
4096, xrefs: 00007FF88C301A86
gfff, xrefs: 00007FF88C301AB9

Memory Dump Source

Source File: 00000000.00000002.323590886.00007FF88C301000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF88C300000, based on PE: true

Associated: 00000000.00000002.323573707.00007FF88C300000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323655700.00007FF88C322000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323798879.00007FF88C367000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323812343.00007FF88C36A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323824687.00007FF88C36C000.00000010.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323839114.00007FF88C36D000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff88c300000_loaddll64.jbxd

Similarity

API ID: AllocLibraryLoadVirtual
String ID: 4096$8192$VirtualAlloc$gfff$kernel32.dll$uRODSdV1dwWeU0j@_hcuRxK8R%hycF!_mx1Kxmb
API String ID: 3550616410-61892301
Opcode ID: 94780e6cfa56ae025324f8f2b37d746abeccf2a3851669e3a2d9421e6644817d
Instruction ID: 8718ca0134fa1e301b28f1ceb0b7d792a3e4eed146017905c88ac8b873b35af0
Opcode Fuzzy Hash: 94780e6cfa56ae025324f8f2b37d746abeccf2a3851669e3a2d9421e6644817d
Instruction Fuzzy Hash: 3821C922B1575685EB04DBAAE850C697790BFCABC0B495135EE0E97749EE3CF403C700

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF88C30596C Relevance: 10.6, APIs: 7, Instructions: 93
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 54%

			E00007FF87FF88C30596C(void* __edx, intOrPtr* __rax, long long __r8, long long _a24) {
				void* __rbx;
				void* _t4;
				void* _t6;
				void* _t11;
				void* _t14;
				intOrPtr _t17;
				void* _t19;
				void* _t25;
				void* _t30;
				void* _t35;
				void* _t38;
				void* _t48;
				intOrPtr* _t57;
				long long _t58;
				intOrPtr* _t59;
				void* _t60;
				void* _t62;
				void* _t64;
				void* _t65;
				void* _t66;

				_t70 = __r8;
				_t57 = __rax;
				_t35 = __edx;
				_a24 = __r8;
				_t58 = __r8;
				if (__edx != 1) goto 0x8c3059fb; // executed
				_t4 = E00007FF87FF88C3075D0(__rax); // executed
				if (_t4 != 0) goto 0x8c30598e;
				goto 0x8c305ab8; // executed
				_t6 = E00007FF87FF88C308104(__rax, _t62, _t64, _t65); // executed
				if (_t6 != 0) goto 0x8c30599e;
				E00007FF87FF88C307628();
				goto 0x8c305987;
				E00007FF87FF88C3089C4(_t58);
				GetCommandLineA();
				 *0x8c369fc8 = _t57;
				E00007FF87FF88C3088D0(_t38, _t58, _t64, _t65, _t66);
				 *0x8c368aa8 = _t57; // executed
				_t11 = E00007FF87FF88C308188(_t57, _t58, _t62, _t64); // executed
				if (_t11 >= 0) goto 0x8c3059cc;
				E00007FF87FF88C307DF8(_t58, _t60, _t62);
				goto 0x8c305997;
				if (E00007FF87FF88C3087D8(_t58, _t65, _t70) < 0) goto 0x8c3059f4; // executed
				_t14 = E00007FF87FF88C3084D0(_t30, _t57, _t58, _t62, _t65, _t66); // executed
				if (_t14 < 0) goto 0x8c3059f4;
				if (E00007FF87FF88C307060(0, _t57, _t58, _t70) != 0) goto 0x8c3059f4;
				 *0x8c368aa0 =  *0x8c368aa0 + 1;
				goto 0x8c305ab3;
				E00007FF87FF88C30845C(_t15, _t58, _t65);
				goto 0x8c3059c5;
				if (_t35 != 0) goto 0x8c305a4c;
				_t17 =  *0x8c368aa0; // 0x0
				if (_t17 <= 0) goto 0x8c305987;
				 *0x8c368aa0 = _t17 - 1;
				_t48 =  *0x8c36908c - _t35; // 0x1
				if (_t48 != 0) goto 0x8c305a22;
				_t19 = E00007FF87FF88C3072B8(_t58, _t62, _t70);
				if (_t58 != 0) goto 0x8c305a37;
				E00007FF87FF88C30845C(_t19, _t58, _t65);
				E00007FF87FF88C307DF8(_t58, _t60, _t62);
				E00007FF87FF88C307628();
				if (_t58 != 0) goto 0x8c305ab3;
				if ( *0x8c367610 == 0xffffffff) goto 0x8c305ab3;
				E00007FF87FF88C307DF8(_t58, _t60, _t62);
				goto 0x8c305ab3;
				if (_t35 != 2) goto 0x8c305aa7;
				E00007FF87FF88C307DEC();
				_t25 = E00007FF87FF88C30796C(_t58, _t60, _t62, _t64, _t65, _t66); // executed
				_t59 = _t57;
				if (_t57 == 0) goto 0x8c305987;
				__imp__FlsSetValue();
				if (_t25 == 0) goto 0x8c305a9d;
				E00007FF87FF88C307E20(_t59, _t59, _t57);
				 *_t59 = GetCurrentThreadId();
				 *(_t59 + 8) =  *(_t59 + 8) | 0xffffffff;
				goto 0x8c305ab3;
				free(??);
				goto 0x8c305987;
				if (0 != 3) goto 0x8c305ab3;
				E00007FF87FF88C3080B4(_t57, _t59);
				return 1;
			}

0x7ff88c30596c
0x7ff88c30596c
0x7ff88c30596c
0x7ff88c30596c
0x7ff88c305976
0x7ff88c30597c
0x7ff88c30597e
0x7ff88c305985
0x7ff88c305989
0x7ff88c30598e
0x7ff88c305995
0x7ff88c305997
0x7ff88c30599c
0x7ff88c30599e
0x7ff88c3059a3
0x7ff88c3059a9
0x7ff88c3059b0
0x7ff88c3059b5
0x7ff88c3059bc
0x7ff88c3059c3
0x7ff88c3059c5
0x7ff88c3059ca
0x7ff88c3059d3
0x7ff88c3059d5
0x7ff88c3059dc
0x7ff88c3059e7
0x7ff88c3059e9
0x7ff88c3059ef
0x7ff88c3059f4
0x7ff88c3059f9
0x7ff88c3059fd
0x7ff88c3059ff
0x7ff88c305a07
0x7ff88c305a0f
0x7ff88c305a15
0x7ff88c305a1b
0x7ff88c305a1d
0x7ff88c305a25
0x7ff88c305a27
0x7ff88c305a2c
0x7ff88c305a31
0x7ff88c305a3a
0x7ff88c305a43
0x7ff88c305a45
0x7ff88c305a4a
0x7ff88c305a4f
0x7ff88c305a51
0x7ff88c305a60
0x7ff88c305a65
0x7ff88c305a6b
0x7ff88c305a7a
0x7ff88c305a85
0x7ff88c305a89
0x7ff88c305a94
0x7ff88c305a96
0x7ff88c305a9b
0x7ff88c305a9d
0x7ff88c305aa2
0x7ff88c305aaa
0x7ff88c305aae
0x7ff88c305abd

APIs

Part of subcall function 00007FF88C3075D0: HeapCreate.KERNELBASE ref: 00007FF88C3075E6
Part of subcall function 00007FF88C3075D0: GetVersion.KERNEL32 ref: 00007FF88C3075F8
Part of subcall function 00007FF88C3075D0: HeapSetInformation.KERNEL32 ref: 00007FF88C307616

_RTC_Initialize.LIBCMT ref: 00007FF88C30599E
GetCommandLineA.KERNEL32 ref: 00007FF88C3059A3

Part of subcall function 00007FF88C3088D0: GetEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,?,00007FF88C3059B5), ref: 00007FF88C3088E9
Part of subcall function 00007FF88C3088D0: WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,00007FF88C3059B5), ref: 00007FF88C308940
Part of subcall function 00007FF88C3088D0: WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,00007FF88C3059B5), ref: 00007FF88C30897B
Part of subcall function 00007FF88C3088D0: free.LIBCMT ref: 00007FF88C308988
Part of subcall function 00007FF88C3088D0: FreeEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,?,00007FF88C3059B5), ref: 00007FF88C308993

Part of subcall function 00007FF88C308188: GetStartupInfoW.KERNEL32 ref: 00007FF88C3081A9

__setargv.LIBCMT ref: 00007FF88C3059CC
_cinit.LIBCMT ref: 00007FF88C3059E0

Part of subcall function 00007FF88C307DF8: FlsFree.KERNEL32(?,?,?,?,00007FF88C305A4A), ref: 00007FF88C307E07
Part of subcall function 00007FF88C307DF8: DeleteCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF88C305A4A), ref: 00007FF88C309563
Part of subcall function 00007FF88C307DF8: free.LIBCMT ref: 00007FF88C30956C
Part of subcall function 00007FF88C307DF8: DeleteCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF88C305A4A), ref: 00007FF88C309593

Part of subcall function 00007FF88C30845C: free.LIBCMT ref: 00007FF88C3084AD

Part of subcall function 00007FF88C30796C: Sleep.KERNEL32(?,?,?,00007FF88C307F0B,?,?,?,00007FF88C3076A1,?,?,?,?,00007FF88C305382), ref: 00007FF88C3079B1

FlsSetValue.KERNEL32 ref: 00007FF88C305A7A
GetCurrentThreadId.KERNEL32 ref: 00007FF88C305A8E
free.LIBCMT ref: 00007FF88C305A9D

Part of subcall function 00007FF88C30640C: RtlReleasePrivilege.NTDLL(?,?,00000000,00007FF88C307F44,?,?,?,00007FF88C3076A1,?,?,?,?,00007FF88C305382), ref: 00007FF88C306422
Part of subcall function 00007FF88C30640C: _errno.LIBCMT ref: 00007FF88C30642C
Part of subcall function 00007FF88C30640C: GetLastError.KERNEL32(?,?,00000000,00007FF88C307F44,?,?,?,00007FF88C3076A1,?,?,?,?,00007FF88C305382), ref: 00007FF88C306434

Memory Dump Source

Source File: 00000000.00000002.323590886.00007FF88C301000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF88C300000, based on PE: true

Associated: 00000000.00000002.323573707.00007FF88C300000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323655700.00007FF88C322000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323798879.00007FF88C367000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323812343.00007FF88C36A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323824687.00007FF88C36C000.00000010.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323839114.00007FF88C36D000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff88c300000_loaddll64.jbxd

Similarity

API ID: free$ByteCharCriticalDeleteEnvironmentFreeHeapMultiSectionStringsWide$CommandCreateCurrentErrorInfoInformationInitializeLastLinePrivilegeReleaseSleepStartupThreadValueVersion__setargv_cinit_errno
String ID:
API String ID: 3717519922-0
Opcode ID: 3581c454eeaa65c887dbeccdfa567d82ef0e107ff0199405c75cbb276c5ba23c
Instruction ID: 5cd4bcb0b1c618ee9701ae9b49300f6307cbb68f7475911705a5e04be2665acf
Opcode Fuzzy Hash: 3581c454eeaa65c887dbeccdfa567d82ef0e107ff0199405c75cbb276c5ba23c
Instruction Fuzzy Hash: 6F314D22E0DB0386FA6567E4C842EB92194BF233E4F104634E81D455CFEE2CB443DB5A

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF88C3052E4 Relevance: 7.5, APIs: 5, Instructions: 47
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 58%

			E00007FF87FF88C3052E4(intOrPtr* __rax, long long __rbx, void* __rcx, long long __rsi, long long _a8, long long _a16) {
				void* _t7;
				intOrPtr* _t25;
				intOrPtr* _t26;
				void* _t28;
				intOrPtr _t31;
				void* _t34;
				void* _t35;
				void* _t39;

				_t25 = __rax;
				_a8 = __rbx;
				_a16 = __rsi;
				_t28 = __rcx;
				if (__rcx - 0xffffffe0 > 0) goto 0x8c305378;
				_t35 =  !=  ? __rcx : _t34;
				_t31 =  *0x8c3696c8; // 0x141b0980000
				if (_t31 != 0) goto 0x8c305334;
				E00007FF87FF88C30758C();
				E00007FF87FF88C30732C(0x1e, _t31, __rcx, __rsi, _t39);
				E00007FF87FF88C306F0C();
				_t7 = RtlAllocateHeap(??, ??, ??); // executed
				if (_t25 != 0) goto 0x8c305373;
				if ( *0x8c3696d8 == _t7) goto 0x8c30535d;
				if (E00007FF87FF88C307880(_t25, _t28) == 0) goto 0x8c305368;
				goto 0x8c305308;
				E00007FF87FF88C307698(_t25);
				 *_t25 = 0xc;
				E00007FF87FF88C307698(_t25);
				 *_t25 = 0xc;
				_t26 = _t25;
				goto 0x8c30538a;
				E00007FF87FF88C307880(_t26, _t28);
				E00007FF87FF88C307698(_t26);
				 *_t26 = 0xc;
				return 0;
			}

0x7ff88c3052e4
0x7ff88c3052e4
0x7ff88c3052e9
0x7ff88c3052f3
0x7ff88c3052fa
0x7ff88c305304
0x7ff88c305308
0x7ff88c305312
0x7ff88c305314
0x7ff88c30531e
0x7ff88c305328
0x7ff88c305339
0x7ff88c305345
0x7ff88c30534d
0x7ff88c305359
0x7ff88c30535b
0x7ff88c30535d
0x7ff88c305362
0x7ff88c305368
0x7ff88c30536d
0x7ff88c305373
0x7ff88c305376
0x7ff88c305378
0x7ff88c30537d
0x7ff88c305382
0x7ff88c305399

APIs

_FF_MSGBANNER.LIBCMT ref: 00007FF88C305314
RtlAllocateHeap.NTDLL(?,?,?,00007FF88C304F2A,?,?,?,00007FF88C304FA4), ref: 00007FF88C305339
_errno.LIBCMT ref: 00007FF88C30535D
_errno.LIBCMT ref: 00007FF88C305368
_errno.LIBCMT ref: 00007FF88C30537D

Memory Dump Source

Source File: 00000000.00000002.323590886.00007FF88C301000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF88C300000, based on PE: true

Associated: 00000000.00000002.323573707.00007FF88C300000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323655700.00007FF88C322000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323798879.00007FF88C367000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323812343.00007FF88C36A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323824687.00007FF88C36C000.00000010.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323839114.00007FF88C36D000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff88c300000_loaddll64.jbxd

Similarity

API ID: _errno$AllocateHeap
String ID:
API String ID: 502529563-0
Opcode ID: 7709ba9f006bae7f99be5d8f8ca6756eeb13fe1dbf17b5e84122e3cd410d4b7d
Instruction ID: 3446dedde47550006b2b95e26f2dfe2a3778a461a2011052bf60584a50f8e1d8
Opcode Fuzzy Hash: 7709ba9f006bae7f99be5d8f8ca6756eeb13fe1dbf17b5e84122e3cd410d4b7d
Instruction Fuzzy Hash: 39114F22A0934686FB546BE1E401B796250BF97BE0F044674F92E173DEDE7CA442C714

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF88C301B14 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 60
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoLoadLibrary.OLE32 ref: 00007FF88C301B41

Strings

CryptStringToBinaryA, xrefs: 00007FF88C301B47
crypt32.dll, xrefs: 00007FF88C301B32

Memory Dump Source

Source File: 00000000.00000002.323590886.00007FF88C301000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF88C300000, based on PE: true

Associated: 00000000.00000002.323573707.00007FF88C300000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323655700.00007FF88C322000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323798879.00007FF88C367000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323812343.00007FF88C36A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323824687.00007FF88C36C000.00000010.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323839114.00007FF88C36D000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff88c300000_loaddll64.jbxd

Similarity

API ID: LibraryLoad
String ID: CryptStringToBinaryA$crypt32.dll
API String ID: 1029625771-1448144620
Opcode ID: 129d98ac87f64c6071855cc89d158c5e72cae8d546f0e331efb10c5967aa142e
Instruction ID: 155623942e6a60a8cdc376d19a8385e894306e5b54602fe6879f96787157a462
Opcode Fuzzy Hash: 129d98ac87f64c6071855cc89d158c5e72cae8d546f0e331efb10c5967aa142e
Instruction Fuzzy Hash: 00113822A09B8586EB50CB56E840A6AB2E5BB89BD4F444134EA8D47B58EF3CD516CB04

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF88C3084D0 Relevance: 4.6, APIs: 3, Instructions: 81
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 61%

			E00007FF87FF88C3084D0(void* __ecx, long long __rax, long long __rbx, void* __rdx, long long __rsi, long long __rbp, long long _a8, long long _a16, long long _a24) {
				void* __rdi;
				signed int _t11;
				void* _t16;
				void* _t26;
				long long _t38;
				signed long long _t41;
				char* _t43;
				void* _t53;
				void* _t55;
				long long* _t56;

				_t58 = __rsi;
				_t53 = __rdx;
				_t38 = __rax;
				_a8 = __rbx;
				_a16 = __rbp;
				_a24 = __rsi;
				if ( *0x8c369fb8 != 0) goto 0x8c3084f2;
				_t11 = E00007FF87FF88C310F6C();
				_t41 =  *0x8c368aa8; // 0x0
				if (_t41 != 0) goto 0x8c30851b;
				goto 0x8c3085bc;
				if ((_t11 | 0xffffffff) == 0x3d) goto 0x8c30850e;
				E00007FF87FF88C3053B0(_t11 | 0xffffffff, _t41);
				if ( *((intOrPtr*)(_t41 + _t38 + 1)) != 0) goto 0x8c308508;
				_t6 = _t55 + 1; // 0x1
				_t16 = E00007FF87FF88C30796C(_t41 + _t38 + 1, _t6, _t53, _t55, __rsi, __rbp); // executed
				_t56 = _t38;
				 *0x8c369058 = _t38;
				if (_t38 == 0) goto 0x8c308500;
				_t43 =  *0x8c368aa8; // 0x0
				if ( *_t43 == 0) goto 0x8c30859c;
				E00007FF87FF88C3053B0(_t16, _t43);
				_t7 = _t38 + 1; // 0x1
				_t26 = _t7;
				if ( *_t43 == 0x3d) goto 0x8c30858a;
				E00007FF87FF88C30796C(_t43, _t26, _t53, _t56, _t58, _t26);
				 *_t56 = _t38;
				if (_t38 == 0) goto 0x8c3085e7;
				if (E00007FF87FF88C306870(_t38, _t38, _t26, _t43) != 0) goto 0x8c3085d1;
				if ( *((char*)(_t43 + _t26)) != 0) goto 0x8c30854c;
				free(??);
				 *0x8c368aa8 =  *0x8c368aa8 & 0x00000000;
				 *(_t56 + 8) =  *(_t56 + 8) & 0x00000000;
				 *0x8c369fa0 = 1;
				return 0;
			}

0x7ff88c3084d0
0x7ff88c3084d0
0x7ff88c3084d0
0x7ff88c3084d0
0x7ff88c3084d5
0x7ff88c3084da
0x7ff88c3084eb
0x7ff88c3084ed
0x7ff88c3084f2
0x7ff88c3084fe
0x7ff88c308503
0x7ff88c30850a
0x7ff88c308511
0x7ff88c30851f
0x7ff88c308521
0x7ff88c30852c
0x7ff88c308531
0x7ff88c308534
0x7ff88c30853e
0x7ff88c308540
0x7ff88c30854a
0x7ff88c30854f
0x7ff88c308557
0x7ff88c308557
0x7ff88c30855a
0x7ff88c308567
0x7ff88c30856c
0x7ff88c308572
0x7ff88c308584
0x7ff88c308593
0x7ff88c30859f
0x7ff88c3085a4
0x7ff88c3085ac
0x7ff88c3085b0
0x7ff88c3085d0

APIs

__initmbctable.LIBCMT ref: 00007FF88C3084ED
free.LIBCMT ref: 00007FF88C30859F
free.LIBCMT ref: 00007FF88C3085EE

Memory Dump Source

Source File: 00000000.00000002.323590886.00007FF88C301000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF88C300000, based on PE: true

Associated: 00000000.00000002.323573707.00007FF88C300000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323655700.00007FF88C322000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323798879.00007FF88C367000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323812343.00007FF88C36A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323824687.00007FF88C36C000.00000010.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323839114.00007FF88C36D000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff88c300000_loaddll64.jbxd

Similarity

API ID: free$__initmbctable
String ID:
API String ID: 2804101511-0
Opcode ID: 08db8f476880d57e069c062042d4a10b4ec91f1240d7a9d6f40a12bf27d40e26
Instruction ID: 49fdb17e870c0f8be0fd91a0b89076ce69ae5eb17f1a4e58b789b07083d1f130
Opcode Fuzzy Hash: 08db8f476880d57e069c062042d4a10b4ec91f1240d7a9d6f40a12bf27d40e26
Instruction Fuzzy Hash: 6B315C22E08B8285FB509B61E845BB967D0BF47BC8F184135DA8C06A8EDE7CF443C701

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF88C308104 Relevance: 4.5, APIs: 3, Instructions: 35
memorythreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 24%

			E00007FF87FF88C308104(long* __rax, void* __rdx, void* __rdi, void* __rsi) {
				void* __rbx;
				intOrPtr _t5;
				void* _t6;
				long _t8;
				long* _t21;
				void* _t22;
				long* _t23;
				void* _t30;

				_t29 = __rsi;
				_t28 = __rdi;
				_t21 = __rax;
				E00007FF87FF88C306F3C(__rax, _t22, __rdx); // executed
				_t5 = E00007FF87FF88C3094AC(_t22, __rdi, __rsi);
				if (_t5 == 0) goto 0x8c308178;
				__imp__FlsAlloc();
				 *0x8c367610 = _t5;
				if (_t5 == 0xffffffff) goto 0x8c308178;
				_t6 = E00007FF87FF88C30796C(_t22, 0x7ff88c307f80, __rdx, _t28, _t29, _t30);
				_t23 = _t21;
				if (_t21 == 0) goto 0x8c308178;
				__imp__FlsSetValue();
				if (_t6 == 0) goto 0x8c308178;
				E00007FF87FF88C307E20(_t23, _t23, _t21);
				_t8 = GetCurrentThreadId();
				_t23[2] = _t23[2] | 0xffffffff;
				 *_t23 = _t8;
				goto 0x8c30817f;
				E00007FF87FF88C307DF8(_t23, _t23, _t21);
				return 0;
			}

0x7ff88c308104
0x7ff88c308104
0x7ff88c308104
0x7ff88c30810a
0x7ff88c30810f
0x7ff88c308116
0x7ff88c30811f
0x7ff88c308125
0x7ff88c30812e
0x7ff88c30813a
0x7ff88c30813f
0x7ff88c308145
0x7ff88c308150
0x7ff88c308158
0x7ff88c30815f
0x7ff88c308164
0x7ff88c30816a
0x7ff88c30816f
0x7ff88c308176
0x7ff88c308178
0x7ff88c308184

APIs

Part of subcall function 00007FF88C306F3C: _initp_misc_winsig.LIBCMT ref: 00007FF88C306F6D
Part of subcall function 00007FF88C306F3C: EncodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000F), ref: 00007FF88C3124B7

Part of subcall function 00007FF88C3094AC: InitializeCriticalSectionAndSpinCount.KERNEL32(?,?,?,00007FF88C308114,?,?,0000000F,00007FF88C305993), ref: 00007FF88C3094F1

FlsAlloc.KERNEL32(?,?,0000000F,00007FF88C305993), ref: 00007FF88C30811F

Part of subcall function 00007FF88C30796C: Sleep.KERNEL32(?,?,?,00007FF88C307F0B,?,?,?,00007FF88C3076A1,?,?,?,?,00007FF88C305382), ref: 00007FF88C3079B1

FlsSetValue.KERNEL32(?,?,0000000F,00007FF88C305993), ref: 00007FF88C308150

Part of subcall function 00007FF88C307E20: _lock.LIBCMT ref: 00007FF88C307E74
Part of subcall function 00007FF88C307E20: _lock.LIBCMT ref: 00007FF88C307E93

GetCurrentThreadId.KERNEL32 ref: 00007FF88C308164

Memory Dump Source

Source File: 00000000.00000002.323590886.00007FF88C301000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF88C300000, based on PE: true

Associated: 00000000.00000002.323573707.00007FF88C300000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323655700.00007FF88C322000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323798879.00007FF88C367000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323812343.00007FF88C36A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323824687.00007FF88C36C000.00000010.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323839114.00007FF88C36D000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff88c300000_loaddll64.jbxd

Similarity

API ID: _lock$AllocCountCriticalCurrentEncodeInitializePointerSectionSleepSpinThreadValue_initp_misc_winsig
String ID:
API String ID: 3311150041-0
Opcode ID: 4aa2df61ee53bb26ca1ed4030417a0c9faa8cd9753a21884bf9a574fa2b938cc
Instruction ID: c6ef62865424ed79dba382ef179314c00e44e37a53b302dd7bccbe6a63ac417f
Opcode Fuzzy Hash: 4aa2df61ee53bb26ca1ed4030417a0c9faa8cd9753a21884bf9a574fa2b938cc
Instruction Fuzzy Hash: A4017822E1860342FB58ABA5D808E7922E1BF077E0F440634D87D822EEEF2CB443C351

Uniqueness

Uniqueness Score: -1.00%

Function 000000018001D93C Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 122processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE ref: 000000018001DAF0

Strings

2y, xrefs: 000000018001DA0C

Memory Dump Source

Source File: 00000000.00000002.322442190.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180001000_loaddll64.jbxd

Yara matches

Similarity

API ID: CreateProcess
String ID: 2y
API String ID: 963392458-2238746390
Opcode ID: 043d7bb3bb5bc427a1cf4fe11f7da4be06e278070db963a4d042fa6ecd32c9f3
Instruction ID: a5f9c5da41c4416b3c5c2b2d7882b63f96947196cfe32bd66f81c6794674ef04
Opcode Fuzzy Hash: 043d7bb3bb5bc427a1cf4fe11f7da4be06e278070db963a4d042fa6ecd32c9f3
Instruction Fuzzy Hash: 3F512A7051CB858FD7B8DF18D0897AABBE0FB98315F10491EE48DC7251DB749884CB86

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF88C3042CC Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 80
COMMON

Download Yara Rule

C-Code - Quality: 55%

			E00007FF87FF88C3042CC(void* __eax, long long __rcx, unsigned int __rdx, long long __r8, void* _a8, long long _a16, long long _a24, signed int _a32) {
				char _v96;
				long long _v104;
				void* __rbx;
				void* __rdi;
				void* _t32;
				void* _t33;
				void* _t48;
				unsigned long long _t58;
				long long _t70;
				long long* _t71;
				long long _t74;
				unsigned long long _t79;
				long long _t83;

				_a24 = __r8;
				_a16 = __rdx;
				_a8 = __rcx;
				_v104 = 0xfffffffe;
				_t70 = __rcx;
				if ((__rdx | 0x0000000f) - 0xfffffffe <= 0) goto 0x8c30430b;
				goto 0x8c30433c;
				_t79 =  *((intOrPtr*)(__rcx + 0x18));
				_t58 = _t79 >> 1;
				if (_t58 - __rdx >> 1 <= 0) goto 0x8c30433c;
				_t48 = 0xfffffffe - _t58;
				if (_t79 - 0xfffffffe <= 0) goto 0x8c30433c;
				if (0xffffffffffffffff == 0) goto 0x8c304393;
				if (0xffffffffffffffff - 0xffffffff > 0) goto 0x8c30435a; // executed
				E00007FF87FF88C3058C8(_t48, 0xffffffffffffffff); // executed
				if (_t48 != 0) goto 0x8c304393;
				_a32 = _a32 & 0x00000000;
				E00007FF87FF88C304F80( &_v96,  &_a32);
				_v96 = 0x8c322730;
				E00007FF87FF88C307D3C(_t33, _t48, 0x8c322730, 0xfffffffe,  &_v96, 0x8c365c38, _t70);
				_t71 = _a8;
				_t83 = _a24;
				_t74 = _a32;
				if (_t83 == 0) goto 0x8c3043d4;
				if ( *((long long*)(_t71 + 0x18)) - 0x10 < 0) goto 0x8c3043c6;
				goto 0x8c3043c9;
				_t32 = E00007FF87FF88C304B80(_t33,  *((long long*)(_t71 + 0x18)) - 0x10, _t74, _t71, _t83);
				if ( *((long long*)(_t71 + 0x18)) - 0x10 < 0) goto 0x8c3043e3;
				0x8c304a78();
				 *_t71 = 0;
				 *_t71 = _t74;
				 *((long long*)(_t71 + 0x18)) = _a16;
				 *((long long*)(_t71 + 0x10)) = _t83;
				_t72 =  >=  ? _t74 : _t71;
				 *((char*)(( >=  ? _t74 : _t71) + _t83)) = 0;
				return _t32;
			}

0x7ff88c3042cc
0x7ff88c3042d1
0x7ff88c3042d6
0x7ff88c3042e4
0x7ff88c3042f0
0x7ff88c304304
0x7ff88c304309
0x7ff88c30430b
0x7ff88c304312
0x7ff88c304328
0x7ff88c30432d
0x7ff88c304337
0x7ff88c304345
0x7ff88c30434b
0x7ff88c30434d
0x7ff88c304358
0x7ff88c30435a
0x7ff88c304370
0x7ff88c30437c
0x7ff88c30438d
0x7ff88c304395
0x7ff88c30439d
0x7ff88c3043ad
0x7ff88c3043b8
0x7ff88c3043bf
0x7ff88c3043c4
0x7ff88c3043cf
0x7ff88c3043d9
0x7ff88c3043de
0x7ff88c3043e3
0x7ff88c3043e6
0x7ff88c3043e9
0x7ff88c3043ed
0x7ff88c3043f5
0x7ff88c3043f9
0x7ff88c304407

APIs

std::exception::exception.LIBCMT ref: 00007FF88C304370

Strings

OAjfRFBkVjFgd1dlqs9qQOdoY3VSeEs4EiVoeWNGIV9teDFLeG1iAHVST0RTZFYxZHdXZVUwakBfaGN16nhLOFw60ndj8iiSTMAwB7VMNmgcIW80IQsxQwUadwY0XgQvK0gBEHIKPlZyTAZZJwlyfwAXVS5WYG8KUVJPRFNkVjHkIFyNkQYP+5teBs6WTi6D62rowrJyROTUN4jwvVsHu8wd9P+WUjOKNh40DZEGD/tfaGN1UnhLOAJgaHkHwCVflI9a, xrefs: 00007FF88C3042DC

Memory Dump Source

Source File: 00000000.00000002.323590886.00007FF88C301000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF88C300000, based on PE: true

Associated: 00000000.00000002.323573707.00007FF88C300000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323655700.00007FF88C322000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323798879.00007FF88C367000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323812343.00007FF88C36A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323824687.00007FF88C36C000.00000010.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323839114.00007FF88C36D000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff88c300000_loaddll64.jbxd

Similarity

API ID: std::exception::exception
String ID: OAjfRFBkVjFgd1dlqs9qQOdoY3VSeEs4EiVoeWNGIV9teDFLeG1iAHVST0RTZFYxZHdXZVUwakBfaGN16nhLOFw60ndj8iiSTMAwB7VMNmgcIW80IQsxQwUadwY0XgQvK0gBEHIKPlZyTAZZJwlyfwAXVS5WYG8KUVJPRFNkVjHkIFyNkQYP+5teBs6WTi6D62rowrJyROTUN4jwvVsHu8wd9P+WUjOKNh40DZEGD/tfaGN1UnhLOAJgaHkHwCVflI9a
API String ID: 2807920213-3224431414
Opcode ID: d9c12ae1406452b5f312906f17d1c8f5d90fd254b63518b18597baa1296567fa
Instruction ID: 325bca5a6f23ab014577e3c610a5e0cb46880a6bc964681cb7acaa32255a77fa
Opcode Fuzzy Hash: d9c12ae1406452b5f312906f17d1c8f5d90fd254b63518b18597baa1296567fa
Instruction Fuzzy Hash: D831E133A08B4281EE209B95E540AAD62A4FB567F0F445739DE6C0B6DDDF3CE662C340

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF88C3058C8 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 39
COMMON

Download Yara Rule

C-Code - Quality: 68%

			E00007FF87FF88C3058C8(intOrPtr* __rax, long long __rcx) {
				void* __rbx;
				void* _t2;
				long long _t6;
				void* _t10;

				_t6 = __rcx;
				goto 0x8c3058e2;
				if (E00007FF87FF88C307880(__rax, __rcx) == 0) goto 0x8c3058f2;
				_t2 = E00007FF87FF88C3052E4(__rax, _t6, _t6, _t10); // executed
				if (__rax == 0) goto 0x8c3058d3;
				return _t2;
			}

0x7ff88c3058ce
0x7ff88c3058d1
0x7ff88c3058dd
0x7ff88c3058e2
0x7ff88c3058ea
0x7ff88c3058f1

APIs

Part of subcall function 00007FF88C3052E4: _FF_MSGBANNER.LIBCMT ref: 00007FF88C305314
Part of subcall function 00007FF88C3052E4: RtlAllocateHeap.NTDLL(?,?,?,00007FF88C304F2A,?,?,?,00007FF88C304FA4), ref: 00007FF88C305339
Part of subcall function 00007FF88C3052E4: _errno.LIBCMT ref: 00007FF88C30535D
Part of subcall function 00007FF88C3052E4: _errno.LIBCMT ref: 00007FF88C305368

std::exception::exception.LIBCMT ref: 00007FF88C30594F

Strings

bad allocation, xrefs: 00007FF88C30591F

Memory Dump Source

Source File: 00000000.00000002.323590886.00007FF88C301000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF88C300000, based on PE: true

Associated: 00000000.00000002.323573707.00007FF88C300000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323655700.00007FF88C322000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323798879.00007FF88C367000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323812343.00007FF88C36A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323824687.00007FF88C36C000.00000010.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323839114.00007FF88C36D000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff88c300000_loaddll64.jbxd

Similarity

API ID: _errno$AllocateHeapstd::exception::exception
String ID: bad allocation
API String ID: 1314232209-2104205924
Opcode ID: 3e7baf1199727d481d3abec1560be74db8e592b479bc2e4e196976cde6b830c9
Instruction ID: f63958b4a6a2dd3e0cf14e82770b168e959e84db81fcb509bfc0cef4eae53534
Opcode Fuzzy Hash: 3e7baf1199727d481d3abec1560be74db8e592b479bc2e4e196976cde6b830c9
Instruction Fuzzy Hash: 14013962E1C70792EE10AB90E840DB86360BF5A3D0F480431E98E46AAAEF3CF546D745

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF88C303854 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 8
COMMON

Download Yara Rule

C-Code - Quality: 44%

			E00007FF87FF88C303854() {
				void* _t2;
				void* _t3;
				void* _t4;
				intOrPtr _t5;

				_t5 =  *0x8c369d40; // 0x180000000
				E00007FF87FF88C303714(_t2, _t3, _t4, _t5, "DllRegisterServer"); // executed
				ExitProcess(??);
			}

0x7ff88c303858
0x7ff88c303866
0x7ff88c30386b

APIs

ExitProcess.KERNEL32 ref: 00007FF88C30386B

Strings

DllRegisterServer, xrefs: 00007FF88C30385F

Memory Dump Source

Source File: 00000000.00000002.323590886.00007FF88C301000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF88C300000, based on PE: true

Associated: 00000000.00000002.323573707.00007FF88C300000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323655700.00007FF88C322000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323798879.00007FF88C367000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323812343.00007FF88C36A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323824687.00007FF88C36C000.00000010.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323839114.00007FF88C36D000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff88c300000_loaddll64.jbxd

Similarity

API ID: ExitProcess
String ID: DllRegisterServer
API String ID: 621844428-1663957109
Opcode ID: a7725c2e1ab9d96b242d7277f1d305e1c0fe06ce0d8d7c5746fcd363cce856e6
Instruction ID: 461d6eecc6214c28370705d5bde9d266f4ecd706830c27377f173cee2360c9e9
Opcode Fuzzy Hash: a7725c2e1ab9d96b242d7277f1d305e1c0fe06ce0d8d7c5746fcd363cce856e6
Instruction Fuzzy Hash: C7C04C52E2554381DA4467A6EC818A492617B967C6F815431C00D5A619DD5CA157D710

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF88C313304 Relevance: 3.0, APIs: 2, Instructions: 46
memoryCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 37%

			E00007FF87FF88C313304(void* __eax, long long __rbx, signed int __rcx, signed int __rdx, intOrPtr* __r8, long long _a8) {
				void* _t16;
				intOrPtr* _t29;
				signed int _t36;

				_t36 = __rdx;
				_a8 = __rbx;
				if (__rcx == 0) goto 0x8c313336;
				_t2 = _t36 - 0x20; // -32
				_t29 = _t2;
				if (_t29 - __rdx >= 0) goto 0x8c313336;
				E00007FF87FF88C307698(_t29);
				 *_t29 = 0xc;
				goto 0x8c313393;
				_t39 =  ==  ? _t29 : __rdx * __rcx;
				if (( ==  ? _t29 : __rdx * __rcx) - 0xffffffe0 > 0) goto 0x8c313366;
				RtlAllocateHeap(??, ??, ??); // executed
				if (_t29 != 0) goto 0x8c313393;
				if ( *0x8c3696d8 == 0) goto 0x8c313388;
				_t16 = E00007FF87FF88C307880(_t29,  ==  ? _t29 : __rdx * __rcx);
				if (_t16 != 0) goto 0x8c313346;
				if (__r8 == 0) goto 0x8c313332;
				 *__r8 = 0xc;
				goto 0x8c313332;
				if (__r8 == 0) goto 0x8c313393;
				 *__r8 = 0xc;
				return _t16;
			}

0x7ff88c313304
0x7ff88c313304
0x7ff88c313317
0x7ff88c31331b
0x7ff88c31331b
0x7ff88c313325
0x7ff88c313327
0x7ff88c31332c
0x7ff88c313334
0x7ff88c313342
0x7ff88c31334c
0x7ff88c31335b
0x7ff88c313364
0x7ff88c31336d
0x7ff88c313372
0x7ff88c313379
0x7ff88c31337e
0x7ff88c313380
0x7ff88c313386
0x7ff88c31338b
0x7ff88c31338d
0x7ff88c31339d

APIs

_errno.LIBCMT ref: 00007FF88C313327
RtlAllocateHeap.NTDLL(?,?,00000000,00007FF88C30799F,?,?,?,00007FF88C307F0B,?,?,?,00007FF88C3076A1), ref: 00007FF88C31335B

Memory Dump Source

Source File: 00000000.00000002.323590886.00007FF88C301000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF88C300000, based on PE: true

Associated: 00000000.00000002.323573707.00007FF88C300000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323655700.00007FF88C322000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323798879.00007FF88C367000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323812343.00007FF88C36A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323824687.00007FF88C36C000.00000010.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323839114.00007FF88C36D000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff88c300000_loaddll64.jbxd

Similarity

API ID: AllocateHeap_errno
String ID:
API String ID: 242259997-0
Opcode ID: 15aed51b0303d51ca0d25e19db35722826594bd96e08494acdc70313b1aa94f7
Instruction ID: a6feae958a8dbfc4726a0813508c1170ce5c62f66b4c34dc63106f726c73cf02
Opcode Fuzzy Hash: 15aed51b0303d51ca0d25e19db35722826594bd96e08494acdc70313b1aa94f7
Instruction Fuzzy Hash: 08115261B0D28289FB954B15D644B796291BF96BF0F088A31EA1D866DCEF7CE442C305

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF88C306F3C Relevance: 3.0, APIs: 2, Instructions: 24
COMMON

Download Yara Rule

C-Code - Quality: 61%

			E00007FF87FF88C306F3C(intOrPtr* __rax, void* __rbx, void* __rdx, long long _a8) {
				void* _t3;
				void* _t9;
				long long* _t14;
				long long _t17;
				void* _t28;

				E00007FF87FF88C307DD0(); // executed
				E00007FF87FF88C3124CC(E00007FF87FF88C312AE8(E00007FF87FF88C312DD0(E00007FF87FF88C3091EC(E00007FF87FF88C307810(_t3, __rax), __rax), __rax), __rax), __rax);
				_pop(_t17);
				goto 0x8c3124ac;
				asm("int3");
				if (__rax - __rdx >= 0) goto 0x8c306fb2;
				_a8 = _t17;
				_t14 =  *((intOrPtr*)(__rax));
				if (_t14 == 0) goto 0x8c306f9f;
				_t9 =  *_t14(_t28);
				if (__rax + 8 - __rdx < 0) goto 0x8c306f95;
				return _t9;
			}

0x7ff88c306f42
0x7ff88c306f6d
0x7ff88c306f79
0x7ff88c306f7a
0x7ff88c306f7f
0x7ff88c306f83
0x7ff88c306f85
0x7ff88c306f95
0x7ff88c306f9b
0x7ff88c306f9d
0x7ff88c306fa6
0x7ff88c306fb2

APIs

_initp_misc_winsig.LIBCMT ref: 00007FF88C306F6D
EncodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000F), ref: 00007FF88C3124B7

Memory Dump Source

Source File: 00000000.00000002.323590886.00007FF88C301000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF88C300000, based on PE: true

Associated: 00000000.00000002.323573707.00007FF88C300000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323655700.00007FF88C322000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323798879.00007FF88C367000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323812343.00007FF88C36A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323824687.00007FF88C36C000.00000010.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323839114.00007FF88C36D000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff88c300000_loaddll64.jbxd

Similarity

API ID: EncodePointer_initp_misc_winsig
String ID:
API String ID: 2349294043-0
Opcode ID: ca571fb2707188dd051d1751f1c10991be9f4b58be2784e737828950210c4a6d
Instruction ID: 8422ecaa32aac016a14d134c85e68bba48dd042c015aa5ff5942b0a1caaea67e
Opcode Fuzzy Hash: ca571fb2707188dd051d1751f1c10991be9f4b58be2784e737828950210c4a6d
Instruction Fuzzy Hash: 50E0ED41F5960784E908BB63EC66C7812507F97BD0F441431E91F5639BED2DA1A3C344

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF88C30796C Relevance: 1.3, APIs: 1, Instructions: 36
sleepCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 82%

			E00007FF87FF88C30796C(long long __rbx, void* __rcx, void* __rdx, long long __rdi, long long __rsi, long long __rbp, void* _a8, void* _a16, void* _a24, void* _a32) {
				void* _t10;
				void* _t11;
				void* _t17;
				void* _t20;
				long long _t29;
				void* _t37;
				void* _t40;
				long _t41;

				_t29 = __rdi;
				_t20 = _t37;
				 *((long long*)(_t20 + 8)) = __rbx;
				 *((long long*)(_t20 + 0x10)) = __rbp;
				 *((long long*)(_t20 + 0x18)) = __rsi;
				 *((long long*)(_t20 + 0x20)) = __rdi;
				r12d = r12d | 0xffffffff;
				r8d = 0;
				_t11 = E00007FF87FF88C313304(_t10, __rbx, __rcx, __rdx, _t40); // executed
				if (_t20 != 0) goto 0x8c3079d1;
				_t17 =  *0x8c3696dc - _t11; // 0x0
				if (_t17 <= 0) goto 0x8c3079d1;
				Sleep(_t41);
				_t5 = _t29 + 0x3e8; // 0x3e8
				r11d = _t5;
				_t15 =  >  ? r12d : r11d;
				_t19 = ( >  ? r12d : r11d) - r12d;
				if (( >  ? r12d : r11d) != r12d) goto 0x8c307991;
				return _t11;
			}

0x7ff88c30796c
0x7ff88c30796c
0x7ff88c30796f
0x7ff88c307973
0x7ff88c307977
0x7ff88c30797b
0x7ff88c30798d
0x7ff88c307991
0x7ff88c30799a
0x7ff88c3079a5
0x7ff88c3079a7
0x7ff88c3079ad
0x7ff88c3079b1
0x7ff88c3079b7
0x7ff88c3079b7
0x7ff88c3079c8
0x7ff88c3079cc
0x7ff88c3079cf
0x7ff88c3079ee

APIs

Part of subcall function 00007FF88C313304: _errno.LIBCMT ref: 00007FF88C313327

Sleep.KERNEL32(?,?,?,00007FF88C307F0B,?,?,?,00007FF88C3076A1,?,?,?,?,00007FF88C305382), ref: 00007FF88C3079B1

Memory Dump Source

Source File: 00000000.00000002.323590886.00007FF88C301000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF88C300000, based on PE: true

Associated: 00000000.00000002.323573707.00007FF88C300000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323655700.00007FF88C322000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323798879.00007FF88C367000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323812343.00007FF88C36A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323824687.00007FF88C36C000.00000010.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323839114.00007FF88C36D000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff88c300000_loaddll64.jbxd

Similarity

API ID: Sleep_errno
String ID:
API String ID: 1068366078-0
Opcode ID: 1df89c9bbc89020be2e631528f36fa71a39b12f04b70da834663132499cb3824
Instruction ID: aab9ef4fafec1a35651c6269fb36bc594524676e8f9256f410cb9d6bac40978c
Opcode Fuzzy Hash: 1df89c9bbc89020be2e631528f36fa71a39b12f04b70da834663132499cb3824
Instruction Fuzzy Hash: C0018B33614B8586EE549B16D44082DB761F795FD0B495131DE5D17754CF3CE852CB04

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00007FF88C30D720 Relevance: 140.8, APIs: 64, Strings: 16, Instructions: 849
COMMONLIBRARYCODECrypto

Download Yara Rule

C-Code - Quality: 52%

			E00007FF87FF88C30D720(signed long long __rbx, signed long long* __rcx, signed long long __rdx, void* __r8, void* __r10, void* __r11) {
				void* __rdi;
				void* __rsi;
				void* __r12;
				signed int _t262;
				signed int _t264;
				signed int _t272;
				signed int _t320;
				unsigned int _t369;
				unsigned int _t378;
				unsigned int _t417;
				unsigned int _t426;
				void* _t442;
				signed int _t444;
				signed int _t447;
				signed int _t450;
				signed int _t452;
				unsigned int _t453;
				unsigned int _t461;
				signed int _t519;
				signed int _t521;
				void* _t522;
				signed int _t523;
				void* _t528;
				void* _t536;
				signed int _t548;
				signed int _t593;
				void* _t614;
				void* _t627;
				void* _t628;
				signed int _t631;
				signed int _t632;
				signed int _t636;
				signed long long* _t637;
				char* _t638;
				void* _t788;
				signed long long* _t789;
				void* _t791;
				void* _t793;
				void* _t794;
				signed long long* _t796;
				void* _t797;
				void* _t799;
				char* _t805;
				void* _t808;
				void* _t810;
				signed long long _t811;
				void* _t814;
				void* _t816;

				_t803 = __r10;
				_t799 = __r8;
				_t637 = _t796;
				_t637[1] = __rbx;
				_t794 = _t637 - 0x5f;
				_t797 = _t796 - 0xf0;
				 *(_t797 + 0x40) =  *(_t797 + 0x40) & 0x00000000;
				 *(_t797 + 0x48) =  *(_t797 + 0x48) & 0xffff0000;
				asm("movaps [eax-0x48], xmm6");
				asm("movaps [eax-0x58], xmm7");
				_t811 = __rdx;
				_t789 = __rcx;
				_t262 = E00007FF87FF88C3097F0();
				_t523 = _t262;
				if ( *((long long*)(__rdx)) == 0) goto 0x8c30d77a;
				if (( *(__rdx + 8) & 0x00000200) == 0) goto 0x8c30d77a;
				 *(_t794 + 0x7f) = 1;
				goto 0x8c30d77e;
				 *(_t794 + 0x7f) =  *(_t794 + 0x7f) & 0x00000000;
				if (_t262 != 0xffff) goto 0x8c30d799;
				__rcx[1] = __rcx[1] & 0xffff00ff;
				 *__rcx =  *__rcx & 0x00000000;
				__rcx[1] = 2;
				goto 0x8c30e411;
				if (_t262 != 0xfffe) goto 0x8c30d7c6;
				E00007FF87FF88C30A490(1, _t637, _t797 + 0x30);
				asm("movups xmm0, [eax]");
				asm("movdqu [edi], xmm0");
				_t264 = E00007FF87FF88C30AC78(_t637, __rcx, __rdx);
				goto 0x8c30e411;
				_t528 = _t264 - 0xfffd;
				if (_t528 != 0) goto 0x8c30d7db;
				asm("inc ecx");
				asm("movdqu [edi], xmm0");
				goto 0x8c30e411;
				r14d = _t264;
				r14d = r14d & 0x00008000;
				if (_t528 == 0) goto 0x8c30dfa1;
				r15d = 0;
				r12d = _t264;
				_t452 = _t264 & 0x00001800;
				 *(_t794 + 0x6f) = _t452;
				r15b = _t452 == 0x800;
				r12d = r12d & 0x00001000;
				_t444 = _t264 & 0x00000400;
				 *((intOrPtr*)(_t794 - 0x39)) = r15d;
				_t266 =  !=  ? _t444 : r12d;
				 *(_t794 + 0x77) = _t444;
				 *(_t794 - 0x35) = r12d;
				_t531 =  !=  ? _t444 : r12d;
				if (( !=  ? _t444 : r12d) == 0) goto 0x8c30d83d;
				if ((_t523 & 0x00001b00) == 0x1000) goto 0x8c30dfa1;
				_t270 =  !=  ? _t444 : r12d;
				_t534 =  !=  ? _t444 : r12d;
				if (( !=  ? _t444 : r12d) == 0) goto 0x8c30d867;
				_t272 = _t523 & 0x00001b00;
				if (_t272 == 0x1100) goto 0x8c30dfa1;
				_t536 = _t272 - 0x1200;
				if (_t536 == 0) goto 0x8c30dfa1;
				asm("bt esi, 0xe");
				if (_t536 >= 0) goto 0x8c30d8f3;
				_t453 =  *0x8c369a8c; // 0x0
				if (( !(_t453 >> 1) & 0x00000001) == 0) goto 0x8c30d8c6;
				if (( !(_t453 >> 3) & 0x00000001) == 0) goto 0x8c30d8c6;
				E00007FF87FF88C30D634( !(_t453 >> 3), 0x1000, _t523, _t637, _t797 + 0x30, __rcx, _t791, _t799, __r10, __r11);
				_t642 = _t637;
				E00007FF87FF88C30A9A8(0x20, _t637, _t794 - 0x59);
				asm("movups xmm0, [eax]");
				asm("movdqu [ebp-0x79], xmm0");
				E00007FF87FF88C30AC78(_t637, _t794 - 0x79, _t637);
				asm("movaps xmm5, [ebp-0x79]");
				asm("movdqa [esp+0x40], xmm5");
				goto 0x8c30d8f0;
				E00007FF87FF88C30D634( !(_t453 >> 3), 0x20, _t523, _t637, _t797 + 0x30, _t789, _t791, _t799, __r10, __r11);
				if ( *(_t797 + 0x48) == 3) goto 0x8c30d8f0;
				if (_t637[1] - 1 <= 0) goto 0x8c30d8f0;
				 *(_t797 + 0x48) =  *(_t797 + 0x48) ^ (_t637[1] ^  *(_t797 + 0x48)) & 0x000000ff;
				r12d =  !=  ?  *(_t794 + 0x77) : r12d;
				if (r12d == 0) goto 0x8c30daa0;
				if ( *(_t794 + 0x6f) != 0x1800) goto 0x8c30daa0;
				E00007FF87FF88C30B32C(0, _t637, _t637, _t797 + 0x30, _t789, _t791, __r10, __r11, _t816, _t814, _t810);
				asm("inc ecx");
				asm("movdqu [ebp-0x79], xmm5");
				E00007FF87FF88C30AF5C(0x7b, _t523, _t637, _t637, _t794 - 0x79, _t791, _t799, _t808);
				asm("movaps xmm5, [ebp-0x79]");
				asm("movdqa [ebp-0x79], xmm5");
				E00007FF87FF88C30AC78(_t637, _t794 - 0x79, _t797 + 0x30);
				E00007FF87FF88C30AC78(_t637, _t797 + 0x40, _t794 - 0x79);
				_t805 =  *0x8c369a70; // 0x0
				if ( *_t805 == 0) goto 0x8c30d999;
				if ( *_t805 == 0x41) goto 0x8c30d97d;
				 *(_t794 - 0x49) =  *(_t794 - 0x49) & 0x00000000;
				 *(_t794 - 0x41) =  *(_t794 - 0x41) & 0xffff0002 | 0x00000002;
				goto 0x8c30d9a7;
				_t806 = _t805 + 1;
				 *0x8c369a70 = _t805 + 1;
				E00007FF87FF88C30A9E0(_t794 - 0x49, "{flat}");
				goto 0x8c30d9a7;
				E00007FF87FF88C30A490(1, _t637, _t794 - 0x49);
				if (( *0x8c369a8c & 0x00001000) != 0) goto 0x8c30d9fb;
				E00007FF87FF88C30A9A8(0x2c, _t637, _t797 + 0x30);
				asm("movups xmm0, [eax]");
				asm("movdqu [ebp-0x79], xmm0");
				E00007FF87FF88C30AC78(_t637, _t794 - 0x79, _t794 - 0x49);
				asm("movaps xmm5, [ebp-0x79]");
				asm("movdqa [ebp-0x79], xmm5");
				E00007FF87FF88C30AFE0( *(_t794 + 0x6f), _t523, _t637, _t637, _t794 - 0x79, "}\' ", _t791, _t799, _t788);
				E00007FF87FF88C30AC78(_t637, _t797 + 0x40, _t794 - 0x79);
				E00007FF87FF88C30AFE0( *(_t794 + 0x6f), _t523, _t637, _t637, _t797 + 0x40, "}\'", _t791, _t799, _t791);
				E00007FF87FF88C30ADBC(_t797 + 0x30);
				r11d =  *0x8c369a8c; // 0x0
				if (( !(r11d >> 1) & 0x00000001) == 0) goto 0x8c30df93;
				_t548 =  !(r11d >> 4) & 0x00000001;
				if (_t548 == 0) goto 0x8c30df93;
				asm("inc ecx");
				if (_t548 < 0) goto 0x8c30df93;
				E00007FF87FF88C30A9A8(0x20, _t637, _t794 - 0x59);
				asm("movups xmm0, [eax]");
				asm("movdqu [ebp-0x79], xmm0");
				E00007FF87FF88C30AC78(_t637, _t794 - 0x79, _t797 + 0x30);
				asm("movaps xmm5, [ebp-0x79]");
				asm("movdqa [ebp-0x79], xmm5");
				E00007FF87FF88C30AF5C(0x20, _t523, _t637, _t637, _t794 - 0x79, _t791, _t799, _t793);
				asm("movaps xmm5, [ebp-0x79]");
				asm("movdqa [ebp-0x79], xmm5");
				E00007FF87FF88C30AC78(_t637, _t794 - 0x79, _t797 + 0x40);
				asm("movaps xmm6, [ebp-0x79]");
				r13d =  *(_t794 + 0x6f);
				goto 0x8c30e218;
				 *(_t794 - 0x19) =  *(_t794 - 0x19) & 0x00000000;
				 *(_t794 - 9) =  *(_t794 - 9) & 0x00000000;
				 *(_t794 - 0x29) =  *(_t794 - 0x29) & 0x00000000;
				 *(_t794 - 0x59) =  *(_t794 - 0x59) & 0x00000000;
				 *(_t794 - 0x49) =  *(_t794 - 0x49) & 0x00000000;
				r12d =  *(_t794 - 0x35);
				 *(_t794 - 0x11) =  *(_t794 - 0x11) & 0xffff0000;
				 *(_t794 - 1) =  *(_t794 - 1) & 0xffff0000;
				 *(_t794 - 0x21) =  *(_t794 - 0x21) & 0xffff0000;
				 *(_t794 - 0x51) =  *(_t794 - 0x51) & 0xffff0000;
				_t447 =  *(_t794 - 0x41) & 0xffff0000;
				 *(_t794 - 0x41) = _t447;
				_t309 =  !=  ?  *(_t794 + 0x77) : r12d;
				_t550 =  !=  ?  *(_t794 + 0x77) : r12d;
				if (( !=  ?  *(_t794 + 0x77) : r12d) == 0) goto 0x8c30db6a;
				if (r15d == 0) goto 0x8c30db52;
				if ((_t523 & 0x00000700) != 0x600) goto 0x8c30db29;
				E00007FF87FF88C30B32C(1, _t637, _t642, _t797 + 0x30, _t789, _t791, __r10, _t805 + 1);
				asm("movaps xmm5, [esp+0x30]");
				asm("movdqa [ebp-0x19], xmm5");
				E00007FF87FF88C30B32C(1, _t637, _t642, _t797 + 0x30, _t789, _t791, __r10, _t805 + 1);
				asm("movaps xmm5, [esp+0x30]");
				asm("movdqa [ebp-0x9], xmm5");
				goto 0x8c30db3c;
				if (r15d == 0) goto 0x8c30db52;
				if ((_t523 & 0x00000700) != 0x500) goto 0x8c30db52;
				E00007FF87FF88C30B32C(1, _t637, _t642, _t797 + 0x30, _t789, _t791, __r10, _t805 + 1);
				asm("movaps xmm5, [esp+0x30]");
				asm("movdqa [ebp-0x29], xmm5");
				E00007FF87FF88C30B32C(1, _t637, _t642, _t797 + 0x30, _t789, _t791, _t803, _t805 + 1);
				asm("movaps xmm7, [esp+0x30]");
				goto 0x8c30db6e;
				asm("movaps xmm7, [ebp-0x59]");
				if (r15d == 0) goto 0x8c30dbf8;
				if ((_t523 & 0x00000700) == 0x200) goto 0x8c30dbf8;
				 *(_t794 - 0x51) =  *(_t794 - 0x51) & 0xffff0000;
				 *(_t794 - 0x71) =  *(_t794 - 0x71) & 0xffff0000;
				_t320 =  *0x8c369a8c; // 0x0
				 *(_t794 - 0x59) =  *(_t794 - 0x59) & 0x00000000;
				 *(_t794 - 0x79) =  *(_t794 - 0x79) & 0x00000000;
				 *(_t797 + 0x20) = 1;
				if ((_t320 & 0x00000060) == 0x60) goto 0x8c30dbcf;
				E00007FF87FF88C30EFA4(_t642, _t797 + 0x30, _t794 - 0x79, _t791, 0x8c32398d, _t794 - 0x59, _t803, _t805 + 1);
				asm("movaps xmm5, [esp+0x30]");
				asm("movdqa [ebp-0x49], xmm5");
				goto 0x8c30dbf8;
				E00007FF87FF88C30EFA4(_t642, _t797 + 0x30, _t794 - 0x59, _t791, 0x8c32398d, _t794 - 0x79, _t803, _t806);
				if ( *(_t794 - 0x41) == 3) goto 0x8c30dbf8;
				if ( *(_t797 + 0x38) - 1 <= 0) goto 0x8c30dbf8;
				 *(_t794 - 0x41) = _t447 ^ ( *(_t797 + 0x38) ^ _t447) & 0x000000ff;
				_t461 =  *0x8c369a8c; // 0x0
				if (( !(_t461 >> 1) & 0x00000001) == 0) goto 0x8c30dc40;
				if (( !(_t461 >> 4) & 0x00000001) == 0) goto 0x8c30dc40;
				E00007FF87FF88C30ADBC(_t794 - 0x79);
				asm("movups xmm0, [eax]");
				asm("movdqu [esp+0x30], xmm0");
				E00007FF87FF88C30AC78(_t637, _t797 + 0x30, _t797 + 0x40);
				asm("movaps xmm5, [esp+0x30]");
				asm("movdqa [esp+0x40], xmm5");
				goto 0x8c30dc6a;
				E00007FF87FF88C30ADBC(_t797 + 0x30);
				if ( *(_t797 + 0x48) == 3) goto 0x8c30dc6a;
				if (_t637[1] - 1 <= 0) goto 0x8c30dc6a;
				 *(_t797 + 0x48) =  *(_t797 + 0x48) ^ (_t637[1] ^  *(_t797 + 0x48)) & 0x000000ff;
				if ( *_t811 == 0) goto 0x8c30dcc2;
				if ( *(_t797 + 0x40) == 0) goto 0x8c30dcb7;
				if (( *0x8c369a8c & 0x00001000) != 0) goto 0x8c30dcb7;
				E00007FF87FF88C30A9A8(0x20, _t637, _t794 - 0x79);
				asm("movups xmm0, [eax]");
				asm("movdqu [esp+0x30], xmm0");
				E00007FF87FF88C30AC78(_t637, _t797 + 0x30, _t811);
				E00007FF87FF88C30AC78(_t637, _t797 + 0x40, _t797 + 0x30);
				goto 0x8c30dcc2;
				asm("inc ecx");
				asm("movdqu [esp+0x40], xmm0");
				 *(_t794 - 0x71) =  *(_t794 - 0x71) & 0xffff0000;
				r13d = 0;
				 *(_t794 - 0x79) =  *(_t794 - 0x79) & _t811;
				if ( *(_t794 + 0x7f) == r13d) goto 0x8c30dd35;
				E00007FF87FF88C30A838(_t794 - 0x59);
				_t643 = _t637;
				E00007FF87FF88C30A9E0(_t794 - 0x69, " ");
				asm("movups xmm0, [eax]");
				asm("movdqu [esp+0x30], xmm0");
				E00007FF87FF88C30AC78(_t637, _t797 + 0x30, _t637);
				E00007FF87FF88C30AC78(_t637, _t797 + 0x40, _t797 + 0x30);
				if (( *0x8c369a8c & 0x00001000) == 0) goto 0x8c30dd2f;
				asm("movaps xmm0, [esp+0x40]");
				goto 0x8c30d7d2;
				asm("movaps xmm6, [ebp-0x79]");
				goto 0x8c30dd73;
				r8d = 0;
				E00007FF87FF88C309E00(_t637, 0x8c369a38, _t797 + 0x30, _t791);
				if (_t637 == 0) goto 0x8c30dd61;
				 *_t637 =  *_t637 & 0x00000000;
				_t637[1] = 0;
				_t637[1] = _t637[1] & 0xffff00ff;
				goto 0x8c30dd64;
				r13d = 0;
				E00007FF87FF88C30A838(_t794 - 0x69);
				asm("movups xmm6, [eax]");
				r12d =  !=  ?  *(_t794 + 0x77) : r12d;
				if (r12d == 0) goto 0x8c30deaf;
				if (r15d == 0) goto 0x8c30de78;
				if ((_t523 & 0x00000700) != 0x600) goto 0x8c30de16;
				E00007FF87FF88C30A9E0(_t794 - 0x69, "`vtordispex{");
				asm("movups xmm0, [eax]");
				asm("movdqu [esp+0x30], xmm0");
				E00007FF87FF88C30AC78(_t637, _t797 + 0x30, _t794 - 0x19);
				asm("movaps xmm5, [esp+0x30]");
				asm("movdqa [esp+0x30], xmm5");
				E00007FF87FF88C30AF5C(0x2c, _t523, _t637, _t637, _t797 + 0x30, _t791, 0x8c32398d);
				asm("movaps xmm5, [esp+0x30]");
				asm("movdqa [esp+0x30], xmm5");
				E00007FF87FF88C30AC78(_t637, _t797 + 0x30, _t794 - 9);
				asm("movaps xmm5, [esp+0x30]");
				asm("movdqa [esp+0x30], xmm5");
				E00007FF87FF88C30AF5C(0x2c, _t523, _t637, _t637, _t797 + 0x30, _t791, 0x8c32398d);
				asm("movaps xmm5, [esp+0x30]");
				asm("movdqa [esp+0x30], xmm5");
				goto 0x8c30de42;
				if (r15d == 0) goto 0x8c30de78;
				if ((_t523 & 0x00000700) != 0x500) goto 0x8c30de78;
				E00007FF87FF88C30A9E0(_t794 - 0x69, "`vtordisp{");
				asm("movups xmm0, [eax]");
				asm("movdqu [esp+0x30], xmm0");
				E00007FF87FF88C30AC78(_t637, _t797 + 0x30, _t794 - 0x29);
				asm("movaps xmm5, [esp+0x30]");
				asm("movdqa [esp+0x30], xmm5");
				E00007FF87FF88C30AF5C(0x2c, _t523, _t637, _t637, _t797 + 0x30, _t791, 0x8c32398d);
				E00007FF87FF88C30AC78(_t637, _t797 + 0x40, _t797 + 0x30);
				goto 0x8c30de89;
				E00007FF87FF88C30AFE0( *(_t797 + 0x48) ^ (_t637[1] ^  *(_t797 + 0x48)) & 0x000000ff, _t523, _t637, _t637, _t797 + 0x40, "`adjustor{", _t791, 0x8c32398d);
				asm("movdqa [esp+0x30], xmm7");
				E00007FF87FF88C30AFE0( *(_t797 + 0x48) ^ (_t637[1] ^  *(_t797 + 0x48)) & 0x000000ff, _t523, _t637, _t643, _t797 + 0x30, "}\' ", _t791, 0x8c32398d);
				E00007FF87FF88C30AC78(_t637, _t797 + 0x40, _t797 + 0x30);
				E00007FF87FF88C30B594(0x2c, _t523, _t794 - 0x69, _t797 + 0x30, _t791, 0x8c32398d, _t806);
				_t644 = _t637;
				E00007FF87FF88C30A9A8(0x28, _t637, _t794 - 0x79);
				asm("movups xmm0, [eax]");
				asm("movdqu [esp+0x30], xmm0");
				E00007FF87FF88C30AC78(_t637, _t797 + 0x30, _t637);
				asm("movaps xmm5, [esp+0x30]");
				asm("movdqa [esp+0x30], xmm5");
				E00007FF87FF88C30AF5C(0x29, _t523, _t637, _t637, _t797 + 0x30, _t791, 0x8c32398d);
				E00007FF87FF88C30AC78(_t637, _t797 + 0x40, _t797 + 0x30);
				if (r15d == 0) goto 0x8c30df23;
				if ((_t523 & 0x00000700) == 0x200) goto 0x8c30df23;
				E00007FF87FF88C30AC78(_t637, _t797 + 0x40, _t794 - 0x49);
				_t369 =  *0x8c369a8c; // 0x0
				if (( !(_t369 >> 8) & 0x00000001) == 0) goto 0x8c30df4a;
				E00007FF87FF88C30B69C(0x29, _t523, _t637, _t794 - 0x69, _t794 - 0x49, _t789, _t791, 0x8c32398d, _t806);
				E00007FF87FF88C30AC78(_t637, _t797 + 0x40, _t637);
				goto 0x8c30df6f;
				E00007FF87FF88C30B69C(0x29, _t523, _t637, _t797 + 0x40, _t637, _t789, _t791, 0x8c32398d, _t806);
				if ( *(_t797 + 0x48) == 3) goto 0x8c30df6f;
				if (_t637[1] - 1 <= 0) goto 0x8c30df6f;
				 *(_t797 + 0x48) =  *(_t797 + 0x48) ^ (_t637[1] ^  *(_t797 + 0x48)) & 0x000000ff;
				_t378 =  *0x8c369a8c; // 0x0
				if (( !(_t378 >> 2) & 0x00000001) == 0) goto 0x8c30df93;
				if (_t637 == 0) goto 0x8c30df93;
				asm("movaps xmm0, [esp+0x40]");
				asm("repe inc ecx");
				goto 0x8c30da97;
				asm("movaps xmm6, [esp+0x40]");
				r13d =  *(_t794 + 0x6f);
				goto 0x8c30e21d;
				E00007FF87FF88C30AC78(_t637, _t797 + 0x40, _t637);
				r11d = 0x7c00;
				if (r14d != 0) goto 0x8c30dfe8;
				if ((_t523 & r11d) != 0x6800) goto 0x8c30dfd7;
				E00007FF87FF88C30BD90( *(_t797 + 0x48) ^ (_t637[1] ^  *(_t797 + 0x48)) & 0x000000ff, _t523, _t637, _t789, _t789, _t791);
				goto 0x8c30e411;
				if (r14d != 0) goto 0x8c30dfe8;
				if ((_t523 & r11d) == 0x7000) goto 0x8c30dfc5;
				if (r14d != 0) goto 0x8c30e0bb;
				if ((_t523 & r11d) != 0x6000) goto 0x8c30e057;
				E00007FF87FF88C30B32C(0, _t637, _t637, _t794 - 0x79, _t789, _t791, _t803, _t806);
				asm("movaps xmm5, [esp+0x40]");
				asm("movdqa [esp+0x30], xmm5");
				E00007FF87FF88C30AF5C(0x7b, _t523, _t637, _t644, _t797 + 0x30, _t791, 0x8c32398d);
				asm("movaps xmm5, [esp+0x30]");
				asm("movdqa [esp+0x30], xmm5");
				E00007FF87FF88C30AC78(_t637, _t797 + 0x30, _t794 - 0x79);
				asm("movaps xmm5, [esp+0x30]");
				asm("movdqu [edi], xmm5");
				E00007FF87FF88C30AFE0(0x6000, _t523, _t637, _t644, _t789, "}\'", _t791, 0x8c32398d);
				goto 0x8c30e411;
				if (r14d != 0) goto 0x8c30e0bb;
				if ((_t523 & r11d) != r11d) goto 0x8c30e0bb;
				asm("movaps xmm0, [esp+0x40]");
				asm("movdqu [edi], xmm0");
				E00007FF87FF88C30AFE0(0x6000, _t523, _t637, _t644, _t789, "{for ", _t791, 0x8c32398d);
				E00007FF87FF88C30E6CC(0x7b, _t523, _t644, _t794 - 0x69, _t789, _t791, 0x8c32398d, _t803, _t806);
				E00007FF87FF88C30AC78(_t637, _t789, _t637);
				E00007FF87FF88C30AF5C(0x7d, _t523, _t637, _t644, _t789, _t791, 0x8c32398d);
				_t638 =  *0x8c369a70; // 0x0
				if ( *_t638 != 0x40) goto 0x8c30e411;
				_t639 = _t638 + 1;
				 *0x8c369a70 = _t638 + 1;
				goto 0x8c30e411;
				r15d = 0;
				r13d = _t523;
				r13d = r13d & 0x00001800;
				r12d = _t523;
				r15b = r13d == 0x800;
				_t593 = 0x00006000 & _t523;
				_t471 =  !=  ? r15d : _t593 == 0;
				r12d = r12d & 0x00001000;
				 *((intOrPtr*)(_t794 - 0x39)) =  !=  ? r15d : _t593 == 0;
				r12d =  !=  ? _t523 & 0x00000400 : r12d;
				if (r12d == 0) goto 0x8c30e18a;
				asm("sbb eax, eax");
				if (((0 | (_t523 & 0x00001b00) == 0x00001000) & _t523 & 0x00001b00) == 0) goto 0x8c30e12c;
				goto 0x8c30e17e;
				if (r12d == 0) goto 0x8c30e18a;
				asm("sbb eax, eax");
				if (((0 | (_t523 & 0x00001b00) == 0x00001100) & _t523 & 0x00001b00) == 0) goto 0x8c30e156;
				goto 0x8c30e17e;
				if (r12d == 0) goto 0x8c30e18a;
				asm("sbb eax, eax");
				if (((0 | (_t523 & 0x00001b00) == 0x00001200) & _t523 & 0x00001b00) == 0) goto 0x8c30e18a;
				E00007FF87FF88C30AFE0((_t523 & 0x00001b00) == 0x1200, _t523, _t638 + 1, _t644, _t797 + 0x40, "`template static data member destructor helper\'", _t791, 0x8c32398d);
				goto 0x8c30e19f;
				if (r14d != 0) goto 0x8c30e19f;
				if ((_t523 & r11d) == 0x7800) goto 0x8c30dd25;
				if (r12d == 0) goto 0x8c30e207;
				_t519 = _t523 & 0x00001b00;
				asm("sbb eax, eax");
				if (((0 | _t519 == 0x00001100) &  ~r14d) != 0) goto 0x8c30e1d8;
				asm("sbb eax, eax");
				if ((_t519 == 0x00001200 &  ~r14d) == 0) goto 0x8c30e207;
				E00007FF87FF88C30A9E0(_t794 - 0x69, " ");
				asm("movups xmm0, [eax]");
				asm("movdqu [esp+0x30], xmm0");
				E00007FF87FF88C30AC78(_t638 + 1, _t797 + 0x30, _t797 + 0x40);
				asm("movaps xmm6, [esp+0x30]");
				goto 0x8c30e218;
				E00007FF87FF88C310364(_t519 == 0x1200, _t522, _t523, _t519 == 0x00001200 &  ~r14d, _t638 + 1, _t644, _t794 - 0x69, _t797 + 0x40, _t789, _t791, 0x8c32398d, _t803, _t806, _t808);
				asm("movups xmm6, [eax]");
				asm("movaps [esp+0x40], xmm6");
				if ( *((intOrPtr*)(_t794 - 0x39)) == 0) goto 0x8c30e397;
				_t417 =  *0x8c369a8c; // 0x0
				if (( !(_t417 >> 9) & 0x00000001) == 0) goto 0x8c30e2ea;
				_t450 = _t523 & 0x00000700;
				_t614 = _t450 - 0x200;
				_t421 =  !=  ? _t614 == 0 : 1;
				_t616 =  !=  ? _t614 == 0 : 1;
				if (( !=  ? _t614 == 0 : 1) == 0) goto 0x8c30e28e;
				E00007FF87FF88C30A9E0(_t794 - 0x69, "static ");
				asm("movups xmm0, [eax]");
				asm("movdqu [esp+0x30], xmm0");
				E00007FF87FF88C30AC78(_t638 + 1, _t797 + 0x30, _t797 + 0x40);
				asm("movaps xmm6, [esp+0x30]");
				asm("movaps [esp+0x40], xmm6");
				if (r14d == 0) goto 0x8c30e29b;
				if (_t450 == 0x100) goto 0x8c30e2b8;
				if (r12d == 0) goto 0x8c30e2ea;
				if (_t450 == 0x500) goto 0x8c30e2b8;
				if (_t450 == 0x600) goto 0x8c30e2b8;
				if (_t450 != 0x400) goto 0x8c30e2ea;
				E00007FF87FF88C30A9E0(_t794 - 0x69, "virtual ");
				asm("movups xmm0, [eax]");
				asm("movdqu [esp+0x30], xmm0");
				E00007FF87FF88C30AC78(_t638 + 1, _t797 + 0x30, _t797 + 0x40);
				asm("movaps xmm6, [esp+0x30]");
				asm("movaps [esp+0x40], xmm6");
				_t426 =  *0x8c369a8c; // 0x0
				if (( !(_t426 >> 7) & 0x00000001) == 0) goto 0x8c30e397;
				_t521 = _t523 & 0x000000c0;
				r15d =  !=  ? 0 | _t521 == 0x00000040 : r15d;
				if (r15d == 0) goto 0x8c30e322;
				goto 0x8c30e36c;
				_t627 = _t521 - 0x80;
				_t628 = r13d - 0x1000;
				_t433 =  !=  ? _t627 == 0 : _t628 == 0;
				_t630 =  !=  ? _t627 == 0 : _t628 == 0;
				if (( !=  ? _t627 == 0 : _t628 == 0) == 0) goto 0x8c30e34c;
				goto 0x8c30e36c;
				_t631 = _t521;
				_t632 = r13d;
				_t436 =  !=  ? _t631 == 0 : _t632 == 0;
				_t634 =  !=  ? _t631 == 0 : _t632 == 0;
				if (( !=  ? _t631 == 0 : _t632 == 0) == 0) goto 0x8c30e397;
				E00007FF87FF88C30A9E0(_t794 - 0x69, "public: ");
				asm("movups xmm0, [eax]");
				asm("movdqu [esp+0x30], xmm0");
				E00007FF87FF88C30AC78(_t639, _t797 + 0x30, _t797 + 0x40);
				asm("movaps xmm6, [esp+0x30]");
				asm("movaps [esp+0x40], xmm6");
				if (r12d == 0) goto 0x8c30e3da;
				_t636 =  *0x8c369a8c & 0x00001000;
				if (_t636 != 0) goto 0x8c30e3da;
				E00007FF87FF88C30A9E0(_t794 - 0x69, "[thunk]:");
				asm("movups xmm0, [eax]");
				asm("movdqu [esp+0x30], xmm0");
				E00007FF87FF88C30AC78(_t639, _t797 + 0x30, _t797 + 0x40);
				asm("movaps xmm6, [esp+0x30]");
				asm("movaps [esp+0x40], xmm6");
				asm("bt esi, 0x10");
				if (_t636 >= 0) goto 0x8c30e40d;
				E00007FF87FF88C30A9E0(_t794 - 0x69, "extern \"C\" ");
				asm("movups xmm0, [eax]");
				asm("movdqu [esp+0x30], xmm0");
				_t442 = E00007FF87FF88C30AC78(_t639, _t797 + 0x30, _t797 + 0x40);
				asm("movaps xmm6, [esp+0x30]");
				asm("movdqu [edi], xmm6");
				asm("inc ecx");
				asm("inc ecx");
				return _t442;
			}

0x7ff88c30d720
0x7ff88c30d720
0x7ff88c30d720
0x7ff88c30d723
0x7ff88c30d732
0x7ff88c30d736
0x7ff88c30d73d
0x7ff88c30d743
0x7ff88c30d74b
0x7ff88c30d74f
0x7ff88c30d753
0x7ff88c30d756
0x7ff88c30d759
0x7ff88c30d763
0x7ff88c30d765
0x7ff88c30d76f
0x7ff88c30d771
0x7ff88c30d778
0x7ff88c30d77a
0x7ff88c30d783
0x7ff88c30d785
0x7ff88c30d78c
0x7ff88c30d790
0x7ff88c30d794
0x7ff88c30d79e
0x7ff88c30d7aa
0x7ff88c30d7b5
0x7ff88c30d7b8
0x7ff88c30d7bc
0x7ff88c30d7c1
0x7ff88c30d7c6
0x7ff88c30d7cb
0x7ff88c30d7cd
0x7ff88c30d7d2
0x7ff88c30d7d6
0x7ff88c30d7db
0x7ff88c30d7de
0x7ff88c30d7e5
0x7ff88c30d7eb
0x7ff88c30d7f0
0x7ff88c30d7f3
0x7ff88c30d806
0x7ff88c30d809
0x7ff88c30d80d
0x7ff88c30d810
0x7ff88c30d81c
0x7ff88c30d820
0x7ff88c30d823
0x7ff88c30d826
0x7ff88c30d82a
0x7ff88c30d82c
0x7ff88c30d837
0x7ff88c30d843
0x7ff88c30d846
0x7ff88c30d848
0x7ff88c30d84c
0x7ff88c30d856
0x7ff88c30d85c
0x7ff88c30d861
0x7ff88c30d867
0x7ff88c30d86b
0x7ff88c30d871
0x7ff88c30d87f
0x7ff88c30d889
0x7ff88c30d890
0x7ff88c30d89b
0x7ff88c30d89e
0x7ff88c30d8aa
0x7ff88c30d8ad
0x7ff88c30d8b2
0x7ff88c30d8b7
0x7ff88c30d8be
0x7ff88c30d8c4
0x7ff88c30d8cb
0x7ff88c30d8d5
0x7ff88c30d8db
0x7ff88c30d8ec
0x7ff88c30d8f6
0x7ff88c30d8fd
0x7ff88c30d909
0x7ff88c30d916
0x7ff88c30d921
0x7ff88c30d926
0x7ff88c30d92b
0x7ff88c30d935
0x7ff88c30d93d
0x7ff88c30d942
0x7ff88c30d950
0x7ff88c30d955
0x7ff88c30d960
0x7ff88c30d966
0x7ff88c30d973
0x7ff88c30d978
0x7ff88c30d97b
0x7ff88c30d97d
0x7ff88c30d98b
0x7ff88c30d992
0x7ff88c30d997
0x7ff88c30d9a2
0x7ff88c30d9b1
0x7ff88c30d9ba
0x7ff88c30d9c7
0x7ff88c30d9ca
0x7ff88c30d9cf
0x7ff88c30d9d4
0x7ff88c30d9e3
0x7ff88c30d9e8
0x7ff88c30d9f6
0x7ff88c30da07
0x7ff88c30da11
0x7ff88c30da16
0x7ff88c30da26
0x7ff88c30da34
0x7ff88c30da36
0x7ff88c30da3c
0x7ff88c30da41
0x7ff88c30da4d
0x7ff88c30da5b
0x7ff88c30da5e
0x7ff88c30da63
0x7ff88c30da68
0x7ff88c30da72
0x7ff88c30da77
0x7ff88c30da81
0x7ff88c30da89
0x7ff88c30da8e
0x7ff88c30da93
0x7ff88c30da97
0x7ff88c30da9b
0x7ff88c30daa3
0x7ff88c30daa8
0x7ff88c30daad
0x7ff88c30dab2
0x7ff88c30dab7
0x7ff88c30dabc
0x7ff88c30dac5
0x7ff88c30dac8
0x7ff88c30dacb
0x7ff88c30dace
0x7ff88c30dad1
0x7ff88c30dad9
0x7ff88c30dadc
0x7ff88c30dae0
0x7ff88c30dae2
0x7ff88c30daeb
0x7ff88c30daf9
0x7ff88c30db02
0x7ff88c30db0e
0x7ff88c30db13
0x7ff88c30db18
0x7ff88c30db1d
0x7ff88c30db22
0x7ff88c30db27
0x7ff88c30db2c
0x7ff88c30db3a
0x7ff88c30db43
0x7ff88c30db48
0x7ff88c30db4d
0x7ff88c30db59
0x7ff88c30db63
0x7ff88c30db68
0x7ff88c30db6a
0x7ff88c30db71
0x7ff88c30db83
0x7ff88c30db85
0x7ff88c30db88
0x7ff88c30db8b
0x7ff88c30db91
0x7ff88c30db96
0x7ff88c30db9e
0x7ff88c30dbb4
0x7ff88c30dbbe
0x7ff88c30dbc3
0x7ff88c30dbc8
0x7ff88c30dbcd
0x7ff88c30dbd7
0x7ff88c30dbe0
0x7ff88c30dbe7
0x7ff88c30dbf5
0x7ff88c30dbf8
0x7ff88c30dc06
0x7ff88c30dc10
0x7ff88c30dc16
0x7ff88c30dc25
0x7ff88c30dc28
0x7ff88c30dc2e
0x7ff88c30dc33
0x7ff88c30dc38
0x7ff88c30dc3e
0x7ff88c30dc45
0x7ff88c30dc4f
0x7ff88c30dc55
0x7ff88c30dc66
0x7ff88c30dc6f
0x7ff88c30dc77
0x7ff88c30dc83
0x7ff88c30dc8b
0x7ff88c30dc98
0x7ff88c30dc9b
0x7ff88c30dca1
0x7ff88c30dcb0
0x7ff88c30dcb5
0x7ff88c30dcb7
0x7ff88c30dcbc
0x7ff88c30dcc2
0x7ff88c30dcc9
0x7ff88c30dccc
0x7ff88c30dcd4
0x7ff88c30dcdc
0x7ff88c30dcec
0x7ff88c30dcef
0x7ff88c30dcfc
0x7ff88c30dcff
0x7ff88c30dd05
0x7ff88c30dd14
0x7ff88c30dd23
0x7ff88c30dd25
0x7ff88c30dd2a
0x7ff88c30dd2f
0x7ff88c30dd33
0x7ff88c30dd35
0x7ff88c30dd43
0x7ff88c30dd4e
0x7ff88c30dd50
0x7ff88c30dd54
0x7ff88c30dd58
0x7ff88c30dd5f
0x7ff88c30dd61
0x7ff88c30dd6b
0x7ff88c30dd70
0x7ff88c30dd76
0x7ff88c30dd7e
0x7ff88c30dd87
0x7ff88c30dd99
0x7ff88c30dda6
0x7ff88c30ddb4
0x7ff88c30ddb7
0x7ff88c30ddbd
0x7ff88c30ddc2
0x7ff88c30ddce
0x7ff88c30ddd4
0x7ff88c30dddd
0x7ff88c30dde7
0x7ff88c30dded
0x7ff88c30ddf7
0x7ff88c30ddfe
0x7ff88c30de04
0x7ff88c30de09
0x7ff88c30de0e
0x7ff88c30de14
0x7ff88c30de19
0x7ff88c30de27
0x7ff88c30de34
0x7ff88c30de39
0x7ff88c30de3c
0x7ff88c30de4b
0x7ff88c30de57
0x7ff88c30de5c
0x7ff88c30de62
0x7ff88c30de71
0x7ff88c30de76
0x7ff88c30de84
0x7ff88c30de95
0x7ff88c30de9b
0x7ff88c30deaa
0x7ff88c30deb3
0x7ff88c30debe
0x7ff88c30dec1
0x7ff88c30dece
0x7ff88c30ded1
0x7ff88c30ded7
0x7ff88c30dedc
0x7ff88c30dee8
0x7ff88c30deee
0x7ff88c30defd
0x7ff88c30df05
0x7ff88c30df13
0x7ff88c30df1e
0x7ff88c30df23
0x7ff88c30df34
0x7ff88c30df36
0x7ff88c30df43
0x7ff88c30df48
0x7ff88c30df4a
0x7ff88c30df54
0x7ff88c30df5a
0x7ff88c30df6b
0x7ff88c30df6f
0x7ff88c30df7c
0x7ff88c30df81
0x7ff88c30df83
0x7ff88c30df88
0x7ff88c30df8e
0x7ff88c30df93
0x7ff88c30df98
0x7ff88c30df9c
0x7ff88c30dfa9
0x7ff88c30dfae
0x7ff88c30dfb7
0x7ff88c30dfc3
0x7ff88c30dfcd
0x7ff88c30dfd2
0x7ff88c30dfda
0x7ff88c30dfe6
0x7ff88c30dff0
0x7ff88c30dffd
0x7ff88c30e005
0x7ff88c30e011
0x7ff88c30e016
0x7ff88c30e01c
0x7ff88c30e02a
0x7ff88c30e02f
0x7ff88c30e035
0x7ff88c30e044
0x7ff88c30e049
0x7ff88c30e04d
0x7ff88c30e052
0x7ff88c30e05a
0x7ff88c30e064
0x7ff88c30e066
0x7ff88c30e075
0x7ff88c30e079
0x7ff88c30e082
0x7ff88c30e08d
0x7ff88c30e097
0x7ff88c30e09c
0x7ff88c30e0a6
0x7ff88c30e0ac
0x7ff88c30e0af
0x7ff88c30e0b6
0x7ff88c30e0bb
0x7ff88c30e0be
0x7ff88c30e0c3
0x7ff88c30e0ca
0x7ff88c30e0d4
0x7ff88c30e0d8
0x7ff88c30e0e5
0x7ff88c30e0ee
0x7ff88c30e0f7
0x7ff88c30e0fa
0x7ff88c30e101
0x7ff88c30e11d
0x7ff88c30e121
0x7ff88c30e12a
0x7ff88c30e12f
0x7ff88c30e147
0x7ff88c30e14b
0x7ff88c30e154
0x7ff88c30e159
0x7ff88c30e171
0x7ff88c30e175
0x7ff88c30e183
0x7ff88c30e188
0x7ff88c30e18d
0x7ff88c30e199
0x7ff88c30e1a2
0x7ff88c30e1ab
0x7ff88c30e1bc
0x7ff88c30e1c0
0x7ff88c30e1d2
0x7ff88c30e1d6
0x7ff88c30e1e3
0x7ff88c30e1f2
0x7ff88c30e1f5
0x7ff88c30e1fb
0x7ff88c30e200
0x7ff88c30e205
0x7ff88c30e210
0x7ff88c30e215
0x7ff88c30e218
0x7ff88c30e221
0x7ff88c30e227
0x7ff88c30e234
0x7ff88c30e243
0x7ff88c30e249
0x7ff88c30e255
0x7ff88c30e258
0x7ff88c30e25a
0x7ff88c30e267
0x7ff88c30e276
0x7ff88c30e279
0x7ff88c30e27f
0x7ff88c30e284
0x7ff88c30e289
0x7ff88c30e291
0x7ff88c30e299
0x7ff88c30e29e
0x7ff88c30e2a6
0x7ff88c30e2ae
0x7ff88c30e2b6
0x7ff88c30e2c3
0x7ff88c30e2d2
0x7ff88c30e2d5
0x7ff88c30e2db
0x7ff88c30e2e0
0x7ff88c30e2e5
0x7ff88c30e2ea
0x7ff88c30e2f7
0x7ff88c30e301
0x7ff88c30e310
0x7ff88c30e317
0x7ff88c30e320
0x7ff88c30e324
0x7ff88c30e32f
0x7ff88c30e33c
0x7ff88c30e33f
0x7ff88c30e341
0x7ff88c30e34a
0x7ff88c30e34e
0x7ff88c30e355
0x7ff88c30e35e
0x7ff88c30e361
0x7ff88c30e363
0x7ff88c30e370
0x7ff88c30e37f
0x7ff88c30e382
0x7ff88c30e388
0x7ff88c30e38d
0x7ff88c30e392
0x7ff88c30e39a
0x7ff88c30e39c
0x7ff88c30e3a6
0x7ff88c30e3b3
0x7ff88c30e3c2
0x7ff88c30e3c5
0x7ff88c30e3cb
0x7ff88c30e3d0
0x7ff88c30e3d5
0x7ff88c30e3da
0x7ff88c30e3de
0x7ff88c30e3eb
0x7ff88c30e3fa
0x7ff88c30e3fd
0x7ff88c30e403
0x7ff88c30e408
0x7ff88c30e40d
0x7ff88c30e420
0x7ff88c30e425
0x7ff88c30e438

APIs

DName::operator+=.LIBCMT ref: 00007FF88C30D7BC
DName::DName.LIBCMT ref: 00007FF88C30D89E
DName::operator+=.LIBCMT ref: 00007FF88C30D8B2
DName::operator+=.LIBCMT ref: 00007FF88C30D92B
DName::operator+=.LIBCMT ref: 00007FF88C30D942
DName::operator+=.LIBCMT ref: 00007FF88C30D950

Strings

`vtordisp{, xrefs: 00007FF88C30DE29
{for , xrefs: 00007FF88C30E06B
{flat}, xrefs: 00007FF88C30D980
private: , xrefs: 00007FF88C30E319
extern "C" , xrefs: 00007FF88C30E3E0
`vtordispex{, xrefs: 00007FF88C30DD9B
`template static data member destructor helper', xrefs: 00007FF88C30E177
public: , xrefs: 00007FF88C30E365
`local static destructor helper', xrefs: 00007FF88C30E123
`adjustor{, xrefs: 00007FF88C30DE78
protected: , xrefs: 00007FF88C30E343
`template static data member constructor helper', xrefs: 00007FF88C30E14D
[thunk]:, xrefs: 00007FF88C30E3A8
static , xrefs: 00007FF88C30E25C
}' , xrefs: 00007FF88C30D9D8, 00007FF88C30DE89
virtual , xrefs: 00007FF88C30E2B8

Memory Dump Source

Source File: 00000000.00000002.323590886.00007FF88C301000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF88C300000, based on PE: true

Associated: 00000000.00000002.323573707.00007FF88C300000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323655700.00007FF88C322000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323798879.00007FF88C367000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323812343.00007FF88C36A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323824687.00007FF88C36C000.00000010.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323839114.00007FF88C36D000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff88c300000_loaddll64.jbxd

Similarity

API ID: Name::operator+=$NameName::
String ID: [thunk]:$`adjustor{$`local static destructor helper'$`template static data member constructor helper'$`template static data member destructor helper'$`vtordispex{$`vtordisp{$extern "C" $private: $protected: $public: $static $virtual ${flat}${for $}'
API String ID: 2762593306-3103905019
Opcode ID: 57be1ad3dfe50d439c9b124d4c822f8f83c416cee76769d434b5545308469df5
Instruction ID: f284b800621e0d2e2eff6046e857e10b6c05631b702fb279531d4ffef17b33e4
Opcode Fuzzy Hash: 57be1ad3dfe50d439c9b124d4c822f8f83c416cee76769d434b5545308469df5
Instruction Fuzzy Hash: A282E163F18A4282FB509B68D441BFD63A0FF96388F50A135EA8E9259DDF3CE546C740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF88C30EFA4 Relevance: 65.2, APIs: 35, Strings: 2, Instructions: 472
COMMONLIBRARYCODECrypto

Download Yara Rule

C-Code - Quality: 57%

			E00007FF87FF88C30EFA4(long long __rbx, long long* __rcx, intOrPtr* __rdx, long long __rsi, long long __r8, intOrPtr* __r9, void* __r10, void* __r11) {
				void* __rdi;
				void* __r12;
				unsigned int _t193;
				signed int _t199;
				void* _t222;
				char _t223;
				intOrPtr _t227;
				signed int _t233;
				signed int _t258;
				void* _t265;
				void* _t318;
				char* _t319;
				char* _t320;
				long long _t321;
				char* _t322;
				char* _t323;
				intOrPtr* _t324;
				intOrPtr* _t325;
				intOrPtr* _t326;
				intOrPtr* _t327;
				long long _t328;
				long long* _t331;
				intOrPtr _t382;
				intOrPtr _t385;
				void* _t409;
				intOrPtr _t410;
				intOrPtr _t412;
				intOrPtr _t414;
				long long _t417;
				long long _t418;
				void* _t420;
				void* _t421;
				void* _t423;
				void* _t424;
				void* _t431;
				void* _t433;
				intOrPtr* _t434;
				void* _t436;
				void* _t439;
				long long _t440;
				long long _t442;

				_t431 = __r11;
				_t430 = __r10;
				_t417 = __rsi;
				_t318 = _t423;
				 *((long long*)(_t318 + 8)) = __rbx;
				 *((long long*)(_t318 + 0x10)) = __rsi;
				 *((long long*)(_t318 + 0x18)) = __r8;
				_t4 = _t318 - 0x57; // -126
				_t421 = _t4;
				_t424 = _t423 - 0xe0;
				asm("movaps [eax-0x38], xmm6");
				_t319 =  *0x8c369a70; // 0x0
				_t434 = __rdx;
				 *(_t421 - 0x39) =  *(_t421 - 0x39) & 0xffff0000;
				_t331 = __rcx;
				 *((long long*)(_t421 - 0x41)) = __rsi;
				 *((intOrPtr*)(_t424 + 0x20)) = sil;
				if ( *_t319 == sil) goto 0x8c30f614;
				if ( *_t319 != 0x24) goto 0x8c30f029;
				r9d =  *((intOrPtr*)(_t421 + 0x7f));
				_t10 = _t424 + 0x20; // -47
				_t427 = _t10;
				_t11 = _t421 + 0x6f; // -15
				_t12 = _t421 - 0x51; // -207
				E00007FF87FF88C30B790(0,  *_t319 - 0x24, _t319, __rcx, _t12, _t11, _t409, __rsi, _t10, __r10, __rdx, _t439, _t436, _t433);
				if ( *((intOrPtr*)(_t421 - 0x51)) == __rsi) goto 0x8c30f024;
				asm("movups xmm0, [ebp-0x51]");
				asm("movdqu [ebx], xmm0");
				goto 0x8c30f6c0;
				_t320 =  *0x8c369a70; // 0x0
				 *((long long*)(_t421 - 0x71)) = __rsi;
				 *((long long*)(_t421 - 0x51)) = __rsi;
				_t223 =  *_t320;
				_t440 = __rsi;
				_t16 = _t320 + 0x2b; // 0x41
				r8d = _t16;
				_t265 = _t223 - r8b;
				_t150 =  >=  ? r8d : 0x16;
				 *(_t421 - 0x49) =  *(_t421 - 0x49) & 0xffff0000;
				_t256 = _t223 - ( >=  ? r8d : 0x16);
				 *(_t421 - 0x69) =  *(_t421 - 0x69) & 0xffff0000;
				_t233 =  *0x8c369a8c; // 0x0
				asm("movaps xmm6, [ebp-0x71]");
				_t151 = _t223 - ( >=  ? r8d : 0x16);
				_t152 = _t223 - ( >=  ? r8d : 0x16) - 4;
				if (_t265 == 0) goto 0x8c30f164;
				_t153 = _t223 - ( >=  ? r8d : 0x16) - 3;
				if (_t265 == 0) goto 0x8c30f0e6;
				_t266 = _t223 - ( >=  ? r8d : 0x16) - 3 - 3;
				if (_t223 - ( >=  ? r8d : 0x16) - 3 != 3) goto 0x8c30f24a;
				if (( !(_t233 >> 1) & 0x00000001) == 0) goto 0x8c30f1eb;
				if ( *((intOrPtr*)(_t421 - 0x51)) == __rsi) goto 0x8c30f0d7;
				_t410 =  *0x8c323a78; // 0x7ff88c3239a0
				if (( !_t233 & 0x00000001) != 0) goto 0x8c30f0a0;
				asm("movaps xmm0, [ebp-0x51]");
				_t26 = _t421 - 0x11; // -143
				asm("movdqa [ebp-0x11], xmm0");
				E00007FF87FF88C30AF5C(0x20, 0, _t320, __rcx, _t26, __rsi, _t10, _t409);
				_t27 = _t421 - 0x31; // -175
				asm("movaps xmm5, [ebp-0x11]");
				asm("movdqa [ebp-0x31], xmm5");
				E00007FF87FF88C30AFE0(_t223, 0, _t320, _t331, _t27, _t410 + 2, __rsi, _t10, _t420);
				asm("movaps xmm5, [ebp-0x31]");
				asm("movdqa [ebp-0x51], xmm5");
				goto 0x8c30f1df;
				goto 0x8c30f1d0;
				if (1 == 0) goto 0x8c30f1eb;
				if (_t440 == 0) goto 0x8c30f141;
				_t412 =  *0x8c323a80; // 0x7ff88c323990
				if (1 != 0) goto 0x8c30f10b;
				_t34 = _t421 + 0xf; // -111
				asm("movdqa [ebp+0xf], xmm6");
				E00007FF87FF88C30AF5C(0x20, 0, _t320, _t331, _t34, _t417, _t10);
				_t35 = _t421 - 1; // -127
				asm("movaps xmm5, [ebp+0xf]");
				asm("movdqa [ebp-0x1], xmm5");
				E00007FF87FF88C30AFE0(_t223, 0, _t320, _t331, _t35, _t412 + 2, _t417, _t427);
				asm("movaps xmm6, [ebp-0x1]");
				asm("movaps [ebp-0x71], xmm6");
				goto 0x8c30f1df;
				_t382 =  *0x8c323a80; // 0x7ff88c323990
				if (0 != 0) goto 0x8c30f151;
				_t39 = _t421 - 0x71; // -239
				E00007FF87FF88C30AD7C(_t39, _t382 + 2);
				_t442 =  *((intOrPtr*)(_t421 - 0x71));
				asm("movaps xmm6, [ebp-0x71]");
				goto 0x8c30f1df;
				if (1 == 0) goto 0x8c30f1eb;
				if (1 == 0) goto 0x8c30f1eb;
				if ( *((intOrPtr*)(_t421 - 0x51)) == _t417) goto 0x8c30f1c6;
				_t414 =  *0x8c323a70; // 0x7ff88c3239b0
				if (1 != 0) goto 0x8c30f191;
				_t415 = _t414 + 2;
				asm("movaps xmm0, [ebp-0x51]");
				_t48 = _t421 - 0x21; // -159
				asm("movdqa [ebp-0x21], xmm0");
				E00007FF87FF88C30AF5C(0x20, 0, _t320, _t331, _t48, _t417, _t427);
				_t49 = _t424 + 0x30; // -31
				asm("movaps xmm5, [ebp-0x21]");
				asm("movdqa [esp+0x30], xmm5");
				E00007FF87FF88C30AFE0(_t223, 0, _t320, _t331, _t49, _t414 + 2, _t417, _t427);
				asm("movaps xmm5, [esp+0x30]");
				goto 0x8c30f0cd;
				_t385 =  *0x8c323a70; // 0x7ff88c3239b0
				if (0 != 0) goto 0x8c30f1d6;
				_t52 = _t421 - 0x51; // -207
				E00007FF87FF88C30AD7C(_t52, _t385 + 2);
				r8d = 0x41;
				_t321 =  *0x8c369a70; // 0x0
				_t322 = _t321 + 1;
				 *0x8c369a70 = _t322;
				if ( *_t322 != 0x24) goto 0x8c30f22d;
				r9d =  *((intOrPtr*)(_t421 + 0x7f));
				_t54 = _t424 + 0x20; // -47
				_t428 = _t54;
				_t55 = _t421 + 0x6f; // -15
				_t56 = _t421 - 0x61; // -223
				E00007FF87FF88C30B790(0,  *_t322 - 0x24, _t322, _t331, _t56, _t55, _t414 + 2, _t417, _t54, __r10, _t434);
				if ( *((intOrPtr*)(_t421 - 0x61)) != _t417) goto 0x8c30f60b;
				r8d = 0x41;
				_t323 =  *0x8c369a70; // 0x0
				_t225 =  >=  ? r8d : 0x16;
				_t258 =  *_t323 - ( >=  ? r8d : 0x16);
				goto 0x8c30f062;
				_t324 =  *0x8c369a70; // 0x0
				if ( *_t324 == sil) goto 0x8c30f25d;
				 *0x8c369a70 =  *0x8c369a70 + 1;
				if (_t258 - 0x1f > 0) goto 0x8c30f5f8;
				_t418 =  *((intOrPtr*)(_t421 + 0x6f));
				_t59 = _t421 - 0x71; // -239
				E00007FF87FF88C30A9E0(_t59, _t418);
				_t60 = _t421 - 0x71; // -239
				_t61 = _t424 + 0x30; // -31
				asm("movaps xmm5, [ebp-0x41]");
				asm("movdqa [esp+0x30], xmm5");
				E00007FF87FF88C30AC78(_t324, _t61, _t60);
				asm("movaps xmm5, [esp+0x30]");
				asm("movdqa [ebp-0x71], xmm5");
				if ( *((long long*)(_t421 - 0x51)) == 0) goto 0x8c30f2d4;
				_t63 = _t424 + 0x30; // -31
				asm("movdqa [esp+0x30], xmm5");
				E00007FF87FF88C30AF5C(0x20, 0, _t324, _t331, _t63, _t418, _t54);
				_t64 = _t421 - 0x51; // -207
				_t65 = _t424 + 0x30; // -31
				asm("movaps xmm5, [esp+0x30]");
				asm("movdqa [esp+0x30], xmm5");
				E00007FF87FF88C30AC78(_t324, _t65, _t64);
				asm("movaps xmm5, [esp+0x30]");
				asm("movdqa [ebp-0x71], xmm5");
				if (_t442 == 0) goto 0x8c30f30e;
				_t66 = _t424 + 0x30; // -31
				asm("movdqa [esp+0x30], xmm6");
				E00007FF87FF88C30AF5C(0x20, 0, _t324, _t331, _t66, _t418, _t54);
				_t67 = _t421 - 0x71; // -239
				_t68 = _t424 + 0x30; // -31
				asm("movaps xmm5, [esp+0x30]");
				asm("movdqa [esp+0x30], xmm5");
				E00007FF87FF88C30AC78(_t324, _t68, _t67);
				asm("movaps xmm5, [esp+0x30]");
				asm("movdqa [ebp-0x71], xmm5");
				r14d = 0;
				if ((dil & 0x00000010) == 0) goto 0x8c30f431;
				if ( *((intOrPtr*)(_t421 + 0x7f)) == r14d) goto 0x8c30f334;
				 *(_t331 + 8) =  *(_t331 + 8) & 0xffff00ff;
				 *_t331 = _t442;
				 *(_t331 + 8) = 2;
				goto 0x8c30f6c0;
				if ( *_t418 == r14b) goto 0x8c30f3ae;
				_t75 = _t421 - 0x61; // -223
				E00007FF87FF88C30A9E0(_t75, "::");
				_t76 = _t421 - 0x71; // -239
				_t77 = _t424 + 0x30; // -31
				asm("movups xmm0, [eax]");
				asm("movdqu [esp+0x30], xmm0");
				E00007FF87FF88C30AC78(_t324, _t77, _t76);
				_t325 =  *0x8c369a70; // 0x0
				asm("movaps xmm5, [esp+0x30]");
				_t78 = _t421 - 0x61; // -223
				asm("movdqa [ebp-0x71], xmm5");
				if ( *_t325 == r14b) goto 0x8c30f381;
				E00007FF87FF88C30E6CC(0x20, 0, _t331, _t78, _t414 + 2, _t418, _t54, __r10, _t431);
				goto 0x8c30f38b;
				E00007FF87FF88C30A490(1, _t325, _t78);
				asm("movups xmm0, [eax]");
				_t79 = _t421 - 0x71; // -239
				_t80 = _t424 + 0x30; // -31
				asm("movdqu [esp+0x30], xmm0");
				E00007FF87FF88C30AC78(_t325, _t80, _t79);
				asm("movaps xmm5, [esp+0x30]");
				asm("movdqa [ebp-0x71], xmm5");
				goto 0x8c30f3de;
				_t326 =  *0x8c369a70; // 0x0
				if ( *_t326 == r14b) goto 0x8c30f3ff;
				_t81 = _t421 - 0x61; // -223
				E00007FF87FF88C30E6CC(1, 0, _t331, _t81, _t414 + 2, _t418, _t428, __r10, _t431);
				if ( *(_t421 - 0x69) == 3) goto 0x8c30f3de;
				if ( *(_t326 + 8) - 1 <= 0) goto 0x8c30f3de;
				 *(_t421 - 0x69) =  *(_t421 - 0x69) ^ ( *(_t326 + 8) ^  *(_t421 - 0x69)) & 0x000000ff;
				_t327 =  *0x8c369a70; // 0x0
				_t227 =  *_t327;
				if (_t227 == 0) goto 0x8c30f3ff;
				_t328 = _t327 + 1;
				 *0x8c369a70 = _t328;
				if (_t227 == 0x40) goto 0x8c30f431;
				goto 0x8c30f321;
				if ( *(_t421 - 0x69) - 1 > 0) goto 0x8c30f431;
				if ( *((intOrPtr*)(_t421 - 0x71)) == _t442) goto 0x8c30f423;
				E00007FF87FF88C30A12C(1, _t79);
				_t90 = _t421 - 0x71; // -239
				E00007FF87FF88C30A564(_t328, _t331, _t90, _t328, _t428);
				goto 0x8c30f431;
				_t91 = _t421 - 0x71; // -239
				E00007FF87FF88C30A640(1, _t328, _t91);
				_t193 =  *0x8c369a8c; // 0x0
				if (( !(_t193 >> 1) & 0x00000001) == 0) goto 0x8c30f47e;
				if ((_t258 & 0x0000000c) != 0xc) goto 0x8c30f4a7;
				if ( *((intOrPtr*)(_t421 + 0x7f)) != r14d) goto 0x8c30f321;
				_t95 = _t421 - 0x61; // -223
				E00007FF87FF88C30D634(1, 1, 0, _t328, _t95, _t415, _t418, _t428, _t430, _t431);
				_t96 = _t421 - 0x71; // -239
				_t97 = _t424 + 0x30; // -31
				asm("movups xmm0, [eax]");
				asm("movdqu [esp+0x30], xmm0");
				_t199 = E00007FF87FF88C30AC78(_t328, _t97, _t96);
				asm("movaps xmm5, [esp+0x30]");
				asm("movdqa [ebp-0x71], xmm5");
				goto 0x8c30f4a7;
				if ((_t199 & 0x0000000c) != 0xc) goto 0x8c30f4a7;
				_t98 = _t421 - 0x61; // -223
				E00007FF87FF88C30D634(1, 1, 0, _t328, _t98, _t415, _t418, _t428, _t430, _t431);
				if ( *(_t421 - 0x69) == 3) goto 0x8c30f4a7;
				if ( *(_t328 + 8) - 1 <= 0) goto 0x8c30f4a7;
				 *(_t421 - 0x69) =  *(_t421 - 0x69) ^ ( *(_t328 + 8) ^  *(_t421 - 0x69)) & 0x000000ff;
				if ((dil & 0x00000002) == 0) goto 0x8c30f4de;
				_t107 = _t421 - 0x61; // -223
				E00007FF87FF88C30A9E0(_t107, "volatile ");
				_t108 = _t421 - 0x71; // -239
				_t109 = _t424 + 0x30; // -31
				asm("movups xmm0, [eax]");
				asm("movdqu [esp+0x30], xmm0");
				E00007FF87FF88C30AC78(_t328, _t109, _t108);
				asm("movaps xmm5, [esp+0x30]");
				asm("movdqa [ebp-0x71], xmm5");
				if ((dil & 0x00000001) == 0) goto 0x8c30f515;
				_t112 = _t421 - 0x61; // -223
				E00007FF87FF88C30A9E0(_t112, "const ");
				_t113 = _t421 - 0x71; // -239
				_t114 = _t424 + 0x30; // -31
				asm("movups xmm0, [eax]");
				asm("movdqu [esp+0x30], xmm0");
				E00007FF87FF88C30AC78(_t328, _t114, _t113);
				asm("movaps xmm5, [esp+0x30]");
				asm("movdqa [ebp-0x71], xmm5");
				if ( *((intOrPtr*)(_t421 + 0x7f)) != r14d) goto 0x8c30f5db;
				if ( *_t434 == _t442) goto 0x8c30f5a6;
				if (( *(_t434 + 8) & 0x00000100) != 0) goto 0x8c30f57f;
				if ( *__r9 == _t442) goto 0x8c30f57f;
				_t119 = _t421 - 0x61; // -223
				E00007FF87FF88C30A9A8(0x20, _t328, _t119);
				_t120 = _t424 + 0x30; // -31
				asm("movups xmm0, [eax]");
				asm("movdqu [esp+0x30], xmm0");
				E00007FF87FF88C30AC78(_t328, _t120, __r9);
				asm("movaps xmm5, [esp+0x30]");
				_t121 = _t424 + 0x30; // -31
				asm("movdqa [esp+0x30], xmm5");
				E00007FF87FF88C30AF5C(0x20, 0, _t328, _t331, _t121, _t418, _t428);
				asm("movaps xmm5, [esp+0x30]");
				asm("movdqa [esp+0x30], xmm5");
				goto 0x8c30f5c3;
				if (( *(_t434 + 8) & 0x00000800) == 0) goto 0x8c30f596;
				asm("inc ecx");
				asm("movdqu [ebp-0x71], xmm0");
				goto 0x8c30f5db;
				_t125 = _t421 - 0x61; // -223
				E00007FF87FF88C30A9A8(0x20, _t328, _t125);
				goto 0x8c30f5ba;
				if ( *__r9 == _t442) goto 0x8c30f5db;
				_t126 = _t421 - 0x61; // -223
				E00007FF87FF88C30A9A8(0x20, _t328, _t126);
				asm("movups xmm0, [eax]");
				asm("movdqu [esp+0x30], xmm0");
				_t127 = _t424 + 0x30; // -31
				E00007FF87FF88C30AC78(_t328, _t127, __r9);
				_t128 = _t424 + 0x30; // -31
				_t129 = _t421 - 0x71; // -239
				E00007FF87FF88C30AC78(_t328, _t129, _t128);
				 *(_t421 - 0x69) =  *(_t421 - 0x69) | 0x00000100;
				if ( *((intOrPtr*)(_t424 + 0x20)) == r14b) goto 0x8c30f5ef;
				asm("bts dword [ebp-0x69], 0xd");
				asm("movaps xmm0, [ebp-0x71]");
				goto 0x8c30f01b;
				 *(_t331 + 8) =  *(_t331 + 8) & 0xffff00ff;
				 *_t331 = _t418;
				 *(_t331 + 8) = 2;
				goto 0x8c30f6c0;
				asm("movups xmm0, [ebp-0x61]");
				goto 0x8c30f01b;
				if ( *((intOrPtr*)(_t421 + 0x7f)) != 0) goto 0x8c30f6b6;
				if ( *_t434 == _t418) goto 0x8c30f697;
				if (( *(_t434 + 8) & 0x00000100) != 0) goto 0x8c30f680;
				if ( *__r9 == _t418) goto 0x8c30f680;
				_t140 = _t424 + 0x30; // -31
				E00007FF87FF88C30A490(1, _t328, _t140);
				_t141 = _t421 - 0x61; // -223
				asm("movups xmm0, [eax]");
				asm("movdqu [ebp-0x61], xmm0");
				E00007FF87FF88C30AC78(_t328, _t141, __r9);
				asm("movaps xmm5, [ebp-0x61]");
				_t142 = _t421 - 0x61; // -223
				asm("movdqa [ebp-0x61], xmm5");
				E00007FF87FF88C30AF5C(0x20, 0, _t328, _t331, _t142, _t418, _t428);
				asm("movaps xmm5, [ebp-0x61]");
				asm("movdqu [ebx], xmm5");
				E00007FF87FF88C30AC78(_t328, _t331, _t434);
				goto 0x8c30f6c0;
				_t143 = _t421 - 0x61; // -223
				E00007FF87FF88C30A490(1, _t328, _t143);
				asm("movups xmm0, [eax]");
				asm("movdqu [ebx], xmm0");
				goto 0x8c30f673;
				if ( *__r9 == _t418) goto 0x8c30f6b6;
				_t144 = _t421 - 0x61; // -223
				E00007FF87FF88C30A490(1, _t328, _t144);
				asm("movups xmm0, [eax]");
				asm("movdqu [ebx], xmm0");
				goto 0x8c30f676;
				_t222 = E00007FF87FF88C30A490(1, _t328, _t144);
				asm("inc ecx");
				return _t222;
			}

0x7ff88c30efa4
0x7ff88c30efa4
0x7ff88c30efa4
0x7ff88c30efa4
0x7ff88c30efa7
0x7ff88c30efab
0x7ff88c30efaf
0x7ff88c30efbb
0x7ff88c30efbb
0x7ff88c30efbf
0x7ff88c30efc8
0x7ff88c30efcc
0x7ff88c30efd3
0x7ff88c30efde
0x7ff88c30efe1
0x7ff88c30efe4
0x7ff88c30efe8
0x7ff88c30eff0
0x7ff88c30eff9
0x7ff88c30effb
0x7ff88c30efff
0x7ff88c30efff
0x7ff88c30f004
0x7ff88c30f008
0x7ff88c30f00c
0x7ff88c30f015
0x7ff88c30f017
0x7ff88c30f01b
0x7ff88c30f01f
0x7ff88c30f029
0x7ff88c30f030
0x7ff88c30f034
0x7ff88c30f038
0x7ff88c30f040
0x7ff88c30f043
0x7ff88c30f043
0x7ff88c30f049
0x7ff88c30f04c
0x7ff88c30f050
0x7ff88c30f053
0x7ff88c30f055
0x7ff88c30f058
0x7ff88c30f05e
0x7ff88c30f062
0x7ff88c30f064
0x7ff88c30f067
0x7ff88c30f06d
0x7ff88c30f06f
0x7ff88c30f071
0x7ff88c30f074
0x7ff88c30f082
0x7ff88c30f08e
0x7ff88c30f090
0x7ff88c30f09a
0x7ff88c30f0a0
0x7ff88c30f0a4
0x7ff88c30f0aa
0x7ff88c30f0af
0x7ff88c30f0b4
0x7ff88c30f0b8
0x7ff88c30f0bf
0x7ff88c30f0c4
0x7ff88c30f0c9
0x7ff88c30f0cd
0x7ff88c30f0d2
0x7ff88c30f0e1
0x7ff88c30f0ee
0x7ff88c30f0f9
0x7ff88c30f0fb
0x7ff88c30f105
0x7ff88c30f10b
0x7ff88c30f111
0x7ff88c30f116
0x7ff88c30f11b
0x7ff88c30f122
0x7ff88c30f126
0x7ff88c30f12b
0x7ff88c30f130
0x7ff88c30f134
0x7ff88c30f13c
0x7ff88c30f144
0x7ff88c30f14b
0x7ff88c30f151
0x7ff88c30f155
0x7ff88c30f15a
0x7ff88c30f15e
0x7ff88c30f162
0x7ff88c30f16c
0x7ff88c30f177
0x7ff88c30f17f
0x7ff88c30f181
0x7ff88c30f18b
0x7ff88c30f18d
0x7ff88c30f191
0x7ff88c30f195
0x7ff88c30f19b
0x7ff88c30f1a0
0x7ff88c30f1a5
0x7ff88c30f1aa
0x7ff88c30f1b1
0x7ff88c30f1b7
0x7ff88c30f1bc
0x7ff88c30f1c1
0x7ff88c30f1c9
0x7ff88c30f1d0
0x7ff88c30f1d6
0x7ff88c30f1da
0x7ff88c30f1e5
0x7ff88c30f1eb
0x7ff88c30f1f2
0x7ff88c30f1f5
0x7ff88c30f1ff
0x7ff88c30f201
0x7ff88c30f205
0x7ff88c30f205
0x7ff88c30f20a
0x7ff88c30f20e
0x7ff88c30f212
0x7ff88c30f21b
0x7ff88c30f227
0x7ff88c30f22d
0x7ff88c30f23f
0x7ff88c30f243
0x7ff88c30f245
0x7ff88c30f24a
0x7ff88c30f254
0x7ff88c30f256
0x7ff88c30f260
0x7ff88c30f266
0x7ff88c30f26a
0x7ff88c30f271
0x7ff88c30f276
0x7ff88c30f27a
0x7ff88c30f27f
0x7ff88c30f283
0x7ff88c30f289
0x7ff88c30f293
0x7ff88c30f298
0x7ff88c30f29d
0x7ff88c30f29f
0x7ff88c30f2a6
0x7ff88c30f2ac
0x7ff88c30f2b1
0x7ff88c30f2b5
0x7ff88c30f2ba
0x7ff88c30f2bf
0x7ff88c30f2c5
0x7ff88c30f2ca
0x7ff88c30f2cf
0x7ff88c30f2d7
0x7ff88c30f2d9
0x7ff88c30f2e0
0x7ff88c30f2e6
0x7ff88c30f2eb
0x7ff88c30f2ef
0x7ff88c30f2f4
0x7ff88c30f2f9
0x7ff88c30f2ff
0x7ff88c30f304
0x7ff88c30f309
0x7ff88c30f30e
0x7ff88c30f315
0x7ff88c30f31f
0x7ff88c30f321
0x7ff88c30f328
0x7ff88c30f32b
0x7ff88c30f32f
0x7ff88c30f337
0x7ff88c30f340
0x7ff88c30f344
0x7ff88c30f349
0x7ff88c30f34d
0x7ff88c30f352
0x7ff88c30f355
0x7ff88c30f35b
0x7ff88c30f360
0x7ff88c30f367
0x7ff88c30f36c
0x7ff88c30f370
0x7ff88c30f378
0x7ff88c30f37a
0x7ff88c30f37f
0x7ff88c30f386
0x7ff88c30f38b
0x7ff88c30f38e
0x7ff88c30f392
0x7ff88c30f397
0x7ff88c30f39d
0x7ff88c30f3a2
0x7ff88c30f3a7
0x7ff88c30f3ac
0x7ff88c30f3ae
0x7ff88c30f3b8
0x7ff88c30f3ba
0x7ff88c30f3be
0x7ff88c30f3c7
0x7ff88c30f3cd
0x7ff88c30f3db
0x7ff88c30f3de
0x7ff88c30f3e5
0x7ff88c30f3e9
0x7ff88c30f3eb
0x7ff88c30f3ee
0x7ff88c30f3f8
0x7ff88c30f3fa
0x7ff88c30f403
0x7ff88c30f409
0x7ff88c30f410
0x7ff88c30f415
0x7ff88c30f41c
0x7ff88c30f421
0x7ff88c30f423
0x7ff88c30f42c
0x7ff88c30f431
0x7ff88c30f43f
0x7ff88c30f446
0x7ff88c30f44c
0x7ff88c30f452
0x7ff88c30f456
0x7ff88c30f45b
0x7ff88c30f45f
0x7ff88c30f464
0x7ff88c30f467
0x7ff88c30f46d
0x7ff88c30f472
0x7ff88c30f477
0x7ff88c30f47c
0x7ff88c30f483
0x7ff88c30f485
0x7ff88c30f489
0x7ff88c30f492
0x7ff88c30f498
0x7ff88c30f4a4
0x7ff88c30f4ab
0x7ff88c30f4b4
0x7ff88c30f4b8
0x7ff88c30f4bd
0x7ff88c30f4c1
0x7ff88c30f4c6
0x7ff88c30f4c9
0x7ff88c30f4cf
0x7ff88c30f4d4
0x7ff88c30f4d9
0x7ff88c30f4e2
0x7ff88c30f4eb
0x7ff88c30f4ef
0x7ff88c30f4f4
0x7ff88c30f4f8
0x7ff88c30f4fd
0x7ff88c30f500
0x7ff88c30f506
0x7ff88c30f50b
0x7ff88c30f510
0x7ff88c30f51e
0x7ff88c30f528
0x7ff88c30f52f
0x7ff88c30f535
0x7ff88c30f537
0x7ff88c30f53d
0x7ff88c30f542
0x7ff88c30f54a
0x7ff88c30f54d
0x7ff88c30f553
0x7ff88c30f558
0x7ff88c30f55d
0x7ff88c30f564
0x7ff88c30f56a
0x7ff88c30f572
0x7ff88c30f577
0x7ff88c30f57d
0x7ff88c30f588
0x7ff88c30f58a
0x7ff88c30f58f
0x7ff88c30f594
0x7ff88c30f596
0x7ff88c30f59c
0x7ff88c30f5a4
0x7ff88c30f5aa
0x7ff88c30f5ac
0x7ff88c30f5b2
0x7ff88c30f5ba
0x7ff88c30f5bd
0x7ff88c30f5c3
0x7ff88c30f5c8
0x7ff88c30f5cd
0x7ff88c30f5d2
0x7ff88c30f5d6
0x7ff88c30f5e0
0x7ff88c30f5e8
0x7ff88c30f5ea
0x7ff88c30f5ef
0x7ff88c30f5f3
0x7ff88c30f5f8
0x7ff88c30f5ff
0x7ff88c30f602
0x7ff88c30f606
0x7ff88c30f60b
0x7ff88c30f60f
0x7ff88c30f617
0x7ff88c30f621
0x7ff88c30f62d
0x7ff88c30f632
0x7ff88c30f634
0x7ff88c30f63e
0x7ff88c30f643
0x7ff88c30f64a
0x7ff88c30f64d
0x7ff88c30f652
0x7ff88c30f657
0x7ff88c30f65b
0x7ff88c30f661
0x7ff88c30f666
0x7ff88c30f66b
0x7ff88c30f66f
0x7ff88c30f679
0x7ff88c30f67e
0x7ff88c30f680
0x7ff88c30f689
0x7ff88c30f68e
0x7ff88c30f691
0x7ff88c30f695
0x7ff88c30f69a
0x7ff88c30f69c
0x7ff88c30f6a5
0x7ff88c30f6ad
0x7ff88c30f6b0
0x7ff88c30f6b4
0x7ff88c30f6bb
0x7ff88c30f6d3
0x7ff88c30f6e3

APIs

DName::operator+=.LIBCMT ref: 00007FF88C30F0AF
DName::operator+=.LIBCMT ref: 00007FF88C30F0C4
DName::operator+=.LIBCMT ref: 00007FF88C30F116
DName::operator+=.LIBCMT ref: 00007FF88C30F12B
DName::operator=.LIBCMT ref: 00007FF88C30F1DA
DName::DName.LIBCMT ref: 00007FF88C30F271
DName::operator+=.LIBCMT ref: 00007FF88C30F289
DName::operator+=.LIBCMT ref: 00007FF88C30F2AC
DName::operator+=.LIBCMT ref: 00007FF88C30F2C5
DName::operator+=.LIBCMT ref: 00007FF88C30F2E6
DName::operator+=.LIBCMT ref: 00007FF88C30F2FF
DName::operator+=.LIBCMT ref: 00007FF88C30F652
DName::operator+=.LIBCMT ref: 00007FF88C30F666
DName::operator+=.LIBCMT ref: 00007FF88C30F679

Strings

const , xrefs: 00007FF88C30F4E4
volatile , xrefs: 00007FF88C30F4AD

Memory Dump Source

Source File: 00000000.00000002.323590886.00007FF88C301000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF88C300000, based on PE: true

Associated: 00000000.00000002.323573707.00007FF88C300000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323655700.00007FF88C322000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323798879.00007FF88C367000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323812343.00007FF88C36A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323824687.00007FF88C36C000.00000010.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323839114.00007FF88C36D000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff88c300000_loaddll64.jbxd

Similarity

API ID: Name::operator+=$NameName::Name::operator=
String ID: const $volatile
API String ID: 712027794-1610819973
Opcode ID: 31f9a4ddd355bfe73492e8f51654c0df2ef96ea63c7f7937f64cfc69384bc0c7
Instruction ID: d9c981e727acb43bd27d4cd13569aa52e7173ed5f5a5e9c050b93ea016af26af
Opcode Fuzzy Hash: 31f9a4ddd355bfe73492e8f51654c0df2ef96ea63c7f7937f64cfc69384bc0c7
Instruction Fuzzy Hash: 35328B23E1CB8685F7109BA4D4419FD6361BB9A788F409235EE8D56A9DDF3CE18BC340

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF88C312ED4 Relevance: 38.6, APIs: 16, Strings: 6, Instructions: 136libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryW.KERNEL32 ref: 00007FF88C312F19
GetProcAddress.KERNEL32 ref: 00007FF88C312F35
EncodePointer.KERNEL32 ref: 00007FF88C312F47
GetProcAddress.KERNEL32 ref: 00007FF88C312F5E
EncodePointer.KERNEL32 ref: 00007FF88C312F67
GetProcAddress.KERNEL32 ref: 00007FF88C312F7E
EncodePointer.KERNEL32 ref: 00007FF88C312F87
GetProcAddress.KERNEL32 ref: 00007FF88C312F9E
EncodePointer.KERNEL32 ref: 00007FF88C312FA7
GetProcAddress.KERNEL32 ref: 00007FF88C312FC6
EncodePointer.KERNEL32 ref: 00007FF88C312FCF
DecodePointer.KERNEL32 ref: 00007FF88C313002
DecodePointer.KERNEL32 ref: 00007FF88C313012
DecodePointer.KERNEL32 ref: 00007FF88C313068
DecodePointer.KERNEL32 ref: 00007FF88C313089
DecodePointer.KERNEL32 ref: 00007FF88C3130A3

Strings

GetUserObjectInformationW, xrefs: 00007FF88C312F8D
GetProcessWindowStation, xrefs: 00007FF88C312FBC
MessageBoxW, xrefs: 00007FF88C312F2B
USER32.DLL, xrefs: 00007FF88C312F12
GetLastActivePopup, xrefs: 00007FF88C312F6D
GetActiveWindow, xrefs: 00007FF88C312F4D

Memory Dump Source

Source File: 00000000.00000002.323590886.00007FF88C301000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF88C300000, based on PE: true

Associated: 00000000.00000002.323573707.00007FF88C300000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323655700.00007FF88C322000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323798879.00007FF88C367000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323812343.00007FF88C36A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323824687.00007FF88C36C000.00000010.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323839114.00007FF88C36D000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff88c300000_loaddll64.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeProc$LibraryLoad
String ID: GetActiveWindow$GetLastActivePopup$GetProcessWindowStation$GetUserObjectInformationW$MessageBoxW$USER32.DLL
API String ID: 2643518689-564504941
Opcode ID: 936c24f3114b5b2b0dbc4f778c3bf568a701c7c3092e64392ab695acae05a10a
Instruction ID: f06307a9ba534a417c9b2d29d788258b0eff430134a6f3875f3835fe968a68ac
Opcode Fuzzy Hash: 936c24f3114b5b2b0dbc4f778c3bf568a701c7c3092e64392ab695acae05a10a
Instruction Fuzzy Hash: C151E124A1AB4688FE959B62E814DB463A0BF4BBD1F440136ED2E53768EF3DF446C340

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF88C30EAB8 Relevance: 31.8, APIs: 21, Instructions: 331
COMMONLIBRARYCODECrypto

Download Yara Rule

C-Code - Quality: 65%

			E00007FF87FF88C30EAB8(signed int __ecx, long long __rbx, long long* __rcx, intOrPtr* __rdx, long long __rdi, long long __rsi, void* __r8, void* __r10, void* __r11) {
				signed int _t117;
				unsigned int _t121;
				unsigned int _t128;
				signed int _t132;
				signed int _t164;
				signed int _t169;
				signed int _t171;
				signed int _t172;
				signed int _t173;
				void* _t189;
				signed int _t190;
				void* _t201;
				void* _t224;
				char* _t225;
				char* _t226;
				long long _t228;
				char* _t229;
				long long* _t230;
				long long _t233;
				long long* _t290;
				long long _t294;
				void* _t296;
				void* _t297;
				void* _t299;
				void* _t309;
				long long _t311;
				void* _t313;
				intOrPtr* _t314;
				void* _t316;

				_t307 = __r11;
				_t292 = __rsi;
				_t232 = __rbx;
				_t171 = __ecx;
				_t224 = _t299;
				 *((long long*)(_t224 + 8)) = __rbx;
				 *((long long*)(_t224 + 0x10)) = __rsi;
				 *((long long*)(_t224 + 0x18)) = __rdi;
				_t297 = _t224 - 0x5f;
				_t225 =  *0x8c369a70; // 0x0
				_t314 = __rdx;
				_t290 = __rcx;
				if ( *_t225 != 0) goto 0x8c30eb11;
				_t5 = _t232 + 1; // 0x1
				E00007FF87FF88C30A490(_t5, _t225, _t297 + 0x17);
				asm("movups xmm0, [eax]");
				asm("movdqu [edi], xmm0");
				E00007FF87FF88C30AC78(_t225, __rcx, __rdx);
				goto 0x8c30ef7d;
				if ( *_t225 - 0x36 < 0) goto 0x8c30eb1b;
				if ( *_t225 - 0x39 <= 0) goto 0x8c30eb33;
				if ( *_t225 == 0x5f) goto 0x8c30eb33;
				 *(__rcx + 8) =  *(__rcx + 8) & 0xffff00ff;
				 *__rcx = __rbx;
				 *(__rcx + 8) = 2;
				goto 0x8c30ef7d;
				r12d = 1;
				_t172 = _t171 | 0xffffffff;
				_t226 = _t225 + _t309;
				 *0x8c369a70 = _t226;
				if ( *_t225 - 0x36 != 0x29) goto 0x8c30eb77;
				if ( *_t226 == 0) goto 0x8c30eb6f;
				_t189 =  *_t226 - 0x3d;
				 *0x8c369a70 = _t226 + _t309;
				if (_t189 - 4 < 0) goto 0x8c30eb80;
				goto 0x8c30eb7e;
				goto 0x8c30eaf1;
				if (_t189 < 0) goto 0x8c30eb80;
				if (_t189 - 3 <= 0) goto 0x8c30eb82;
				_t190 = _t172;
				_t201 = _t190 - _t172;
				if (_t201 != 0) goto 0x8c30eb99;
				 *(__rcx + 8) =  *(__rcx + 8) & 0xffff00ff;
				 *__rcx = __rbx;
				 *(__rcx + 8) = 2;
				goto 0x8c30ef7d;
				r13d =  *(_t297 - 0x11);
				asm("movups xmm0, [edx]");
				r15d = _t190;
				r13d = r13d & 0xffff0000;
				r15d = r15d & 0x00000002;
				 *((long long*)(_t297 - 0x19)) = __rbx;
				 *(_t297 - 0x11) = r13d;
				asm("movdqu [ebp-0x29], xmm0");
				if (_t201 == 0) goto 0x8c30ecd1;
				E00007FF87FF88C30A9E0(_t297 + 0x17, "::");
				asm("movups xmm0, [eax]");
				asm("movdqu [ebp+0x7], xmm0");
				E00007FF87FF88C30AC78(_t226 + _t309, _t297 + 7, _t297 - 0x29);
				_t228 =  *0x8c369a70; // 0x0
				asm("movaps xmm5, [ebp+0x7]");
				asm("movdqa [ebp-0x29], xmm5");
				if ( *_t228 == 0) goto 0x8c30ec3f;
				E00007FF87FF88C30E6CC(r12d, _t190, __rbx, _t297 + 0x17, _t290, __rsi, __r8, __r10, __r11);
				_t233 = _t228;
				E00007FF87FF88C30A9A8(0x20, _t228, _t297 - 9);
				asm("movups xmm0, [eax]");
				asm("movdqu [ebp+0x7], xmm0");
				E00007FF87FF88C30AC78(_t228, _t297 + 7, _t233);
				asm("movaps xmm5, [ebp+0x7]");
				asm("movdqa [ebp+0x7], xmm5");
				E00007FF87FF88C30AC78(_t228, _t297 + 7, _t297 - 0x29);
				goto 0x8c30ec5c;
				E00007FF87FF88C30A490(r12d, _t228, _t297 + 7);
				asm("movups xmm0, [eax]");
				asm("movdqu [ebp+0x7], xmm0");
				E00007FF87FF88C30AC78(_t228, _t297 + 7, _t297 - 0x29);
				_t229 =  *0x8c369a70; // 0x0
				asm("movaps xmm5, [ebp+0x7]");
				asm("movdqa [ebp-0x29], xmm5");
				if ( *_t229 == 0) goto 0x8c30edb3;
				if ( *_t229 != 0x40) goto 0x8c30eb86;
				_t230 = _t229 + _t309;
				 *((long long*)(_t297 - 9)) = _t233;
				 *((long long*)(_t297 + 7)) = _t233;
				 *0x8c369a70 = _t230;
				_t117 =  *0x8c369a8c; // 0x0
				 *((intOrPtr*)(_t299 - 0x90 + 0x20)) = r12d;
				if ((_t117 & 0x00000060) == 0x60) goto 0x8c30ed76;
				 *(_t297 - 1) =  *(_t297 - 1) & 0xffff0000;
				 *(_t297 + 0xf) =  *(_t297 + 0xf) & 0xffff0000;
				E00007FF87FF88C30EFA4(_t233, _t297 + 0x17, _t297 + 7, _t292, 0x8c32398d, _t297 - 9, __r10, __r11);
				asm("movaps xmm5, [ebp+0x17]");
				asm("movdqa [ebp-0x19], xmm5");
				if ((sil & 0x00000004) == 0) goto 0x8c30ed34;
				_t121 =  *0x8c369a8c; // 0x0
				if ((r12b &  !(_t121 >> 1)) == 0) goto 0x8c30edc8;
				E00007FF87FF88C30D634(_t172, r12d, _t190, _t230, _t297 + 7, _t290, _t292, 0x8c32398d, __r10, __r11);
				E00007FF87FF88C30A9A8(0x20, _t230, _t297 - 9);
				asm("movups xmm0, [eax]");
				asm("movdqu [ebp+0x17], xmm0");
				E00007FF87FF88C30AC78(_t230, _t297 + 0x17, _t230);
				asm("movaps xmm5, [ebp+0x17]");
				asm("movdqa [ebp+0x17], xmm5");
				E00007FF87FF88C30AC78(_t230, _t297 + 0x17, _t297 - 0x29);
				asm("movaps xmm5, [ebp+0x17]");
				asm("movdqa [ebp-0x29], xmm5");
				_t128 =  *0x8c369a8c; // 0x0
				if ((r12b &  !(_t128 >> 1)) == 0) goto 0x8c30edfb;
				E00007FF87FF88C30ADBC(_t297 + 7);
				asm("movups xmm0, [eax]");
				asm("movdqu [ebp+0x17], xmm0");
				_t132 = E00007FF87FF88C30AC78(_t230, _t297 + 0x17, _t297 - 0x29);
				asm("movaps xmm5, [ebp+0x17]");
				asm("movdqa [ebp-0x29], xmm5");
				goto 0x8c30ee1e;
				 *(_t297 + 0xf) =  *(_t297 + 0xf) & _t132;
				 *(_t297 - 1) =  *(_t297 - 1) & _t132;
				E00007FF87FF88C30EFA4(_t230, _t297 + 0x17, _t297 - 9, _t292, 0x8c32398d, _t297 + 7, __r10, __r11);
				if ( *(_t297 - 0x11) == 3) goto 0x8c30ecd1;
				if ( *(_t297 + 0x1f) - r12b <= 0) goto 0x8c30ecd1;
				r13d = r13d ^ ( *(_t297 + 0x1f) ^ r13d) & 0x000000ff;
				 *(_t297 - 0x11) = r13d;
				goto 0x8c30ecd1;
				E00007FF87FF88C30A490(r12d, _t230, _t297 + 0x17);
				goto 0x8c30eafd;
				E00007FF87FF88C30D634(_t172, r12d, _t190, _t230, _t297 + 0x17, _t290, _t292, 0x8c32398d, __r10, __r11);
				if ( *(_t297 - 0x21) == 3) goto 0x8c30ed34;
				if ( *(_t230 + 8) - r12b <= 0) goto 0x8c30ed34;
				_t169 =  *(_t297 - 0x21) ^ ( *(_t230 + 8) ^  *(_t297 - 0x21)) & 0x000000ff;
				 *(_t297 - 0x21) = _t169;
				goto 0x8c30ed37;
				E00007FF87FF88C30ADBC(_t297 + 0x17);
				if ( *(_t297 - 0x21) == 3) goto 0x8c30ee1e;
				if ( *(_t230 + 8) - r12b <= 0) goto 0x8c30ee1e;
				 *(_t297 - 0x21) = _t169 ^ ( *(_t230 + 8) ^ _t169) & 0x000000ff;
				r13d = 0;
				if ( *_t314 == _t311) goto 0x8c30ee63;
				E00007FF87FF88C30A9A8(0x28, _t230, _t297 + 7);
				asm("movups xmm0, [eax]");
				asm("movdqu [ebp+0x17], xmm0");
				E00007FF87FF88C30AC78(_t230, _t297 + 0x17, _t297 - 0x29);
				asm("movaps xmm5, [ebp+0x17]");
				asm("movdqa [ebp+0x17], xmm5");
				E00007FF87FF88C30AF5C(0x29, _t190, _t230, _t230, _t297 + 0x17, _t292, 0x8c32398d, _t316);
				asm("movaps xmm5, [ebp+0x17]");
				asm("movdqa [ebp-0x29], xmm5");
				r8d = 0;
				E00007FF87FF88C309E00(_t230, 0x8c369a38, _t297 - 0x29, _t292, _t313);
				if (_t230 == 0) goto 0x8c30ee8e;
				 *(_t230 + 8) = r13b;
				 *(_t230 + 8) =  *(_t230 + 8) & 0xffff00ff;
				 *_t230 = _t311;
				goto 0x8c30ee91;
				_t294 = _t311;
				E00007FF87FF88C30A838(_t297 + 0x27);
				E00007FF87FF88C30B594(0x7ff88c32399d, _t190, _t297 + 7, _t294, _t294, 0x8c32398d, __r11);
				E00007FF87FF88C30A9A8(0x28, _t230, _t297 - 9);
				asm("movups xmm0, [eax]");
				asm("movdqu [ebp+0x17], xmm0");
				E00007FF87FF88C30AC78(_t230, _t297 + 0x17, _t230);
				asm("movaps xmm5, [ebp+0x17]");
				asm("movdqa [ebp+0x17], xmm5");
				E00007FF87FF88C30AF5C(0x29, _t190, _t230, _t230, _t297 + 0x17, _t294, 0x8c32398d, _t311);
				E00007FF87FF88C30AC78(_t230, _t297 - 0x29, _t297 + 0x17);
				r11d =  *0x8c369a8c; // 0x0
				if ((r11d & 0x00000060) == 0x60) goto 0x8c30ef13;
				if (r15d == 0) goto 0x8c30ef13;
				E00007FF87FF88C30AC78(_t230, _t297 - 0x29, _t297 - 0x19);
				r11d =  *0x8c369a8c; // 0x0
				r11d = r11d >> 8;
				r11d =  !r11d;
				if ((r12b & r11b) == 0) goto 0x8c30ef36;
				E00007FF87FF88C30B69C(0x29, _t190, _t230, _t297 + 0x17, _t297 - 0x19, _t290, _t294, 0x8c32398d, _t307, _t309, _t296);
				E00007FF87FF88C30AC78(_t230, _t297 - 0x29, _t230);
				goto 0x8c30ef58;
				E00007FF87FF88C30B69C(0x29, _t190, _t230, _t297 - 0x29, _t230, _t290, _t294, 0x8c32398d, _t307);
				if ( *(_t297 - 0x21) == 3) goto 0x8c30ef58;
				if ( *(_t230 + 8) - r12b <= 0) goto 0x8c30ef58;
				_t173 =  *(_t297 - 0x21);
				_t164 = ( *(_t230 + 8) ^ _t173) & 0x000000ff;
				 *(_t297 - 0x21) = _t173 ^ _t164;
				if (_t294 == 0) goto 0x8c30ef6f;
				asm("movaps xmm0, [ebp-0x29]");
				asm("movdqu [esi], xmm0");
				asm("movups xmm1, [ebp+0x27]");
				asm("movdqu [edi], xmm1");
				goto 0x8c30ef7d;
				 *(_t290 + 8) =  *(_t290 + 8) & 0xffff00ff;
				 *_t290 = _t311;
				 *(_t290 + 8) = 3;
				return _t164;
			}

0x7ff88c30eab8
0x7ff88c30eab8
0x7ff88c30eab8
0x7ff88c30eab8
0x7ff88c30eab8
0x7ff88c30eabb
0x7ff88c30eabf
0x7ff88c30eac3
0x7ff88c30ead0
0x7ff88c30eadb
0x7ff88c30eae4
0x7ff88c30eae7
0x7ff88c30eaec
0x7ff88c30eaee
0x7ff88c30eaf5
0x7ff88c30eafd
0x7ff88c30eb03
0x7ff88c30eb07
0x7ff88c30eb0c
0x7ff88c30eb14
0x7ff88c30eb19
0x7ff88c30eb1e
0x7ff88c30eb20
0x7ff88c30eb27
0x7ff88c30eb2a
0x7ff88c30eb2e
0x7ff88c30eb36
0x7ff88c30eb3c
0x7ff88c30eb3f
0x7ff88c30eb45
0x7ff88c30eb4f
0x7ff88c30eb53
0x7ff88c30eb5b
0x7ff88c30eb5e
0x7ff88c30eb68
0x7ff88c30eb6d
0x7ff88c30eb72
0x7ff88c30eb79
0x7ff88c30eb7e
0x7ff88c30eb80
0x7ff88c30eb82
0x7ff88c30eb84
0x7ff88c30eb86
0x7ff88c30eb8d
0x7ff88c30eb90
0x7ff88c30eb94
0x7ff88c30eb99
0x7ff88c30eb9d
0x7ff88c30eba0
0x7ff88c30eba3
0x7ff88c30ebaa
0x7ff88c30ebae
0x7ff88c30ebb2
0x7ff88c30ebb6
0x7ff88c30ebbb
0x7ff88c30ebcc
0x7ff88c30ebd9
0x7ff88c30ebdc
0x7ff88c30ebe1
0x7ff88c30ebe6
0x7ff88c30ebed
0x7ff88c30ebf5
0x7ff88c30ebfc
0x7ff88c30ebfe
0x7ff88c30ec09
0x7ff88c30ec0c
0x7ff88c30ec18
0x7ff88c30ec1b
0x7ff88c30ec20
0x7ff88c30ec25
0x7ff88c30ec31
0x7ff88c30ec36
0x7ff88c30ec3d
0x7ff88c30ec42
0x7ff88c30ec4f
0x7ff88c30ec52
0x7ff88c30ec57
0x7ff88c30ec5c
0x7ff88c30ec63
0x7ff88c30ec67
0x7ff88c30ec6e
0x7ff88c30ec77
0x7ff88c30ec7d
0x7ff88c30ec80
0x7ff88c30ec84
0x7ff88c30ec88
0x7ff88c30ec8f
0x7ff88c30ec95
0x7ff88c30ecaf
0x7ff88c30ecb5
0x7ff88c30ecb8
0x7ff88c30ecc3
0x7ff88c30ecc8
0x7ff88c30eccc
0x7ff88c30ecd5
0x7ff88c30ecd7
0x7ff88c30ece4
0x7ff88c30ecee
0x7ff88c30ecfc
0x7ff88c30ed08
0x7ff88c30ed0b
0x7ff88c30ed10
0x7ff88c30ed15
0x7ff88c30ed21
0x7ff88c30ed26
0x7ff88c30ed2b
0x7ff88c30ed2f
0x7ff88c30ed37
0x7ff88c30ed44
0x7ff88c30ed4e
0x7ff88c30ed5b
0x7ff88c30ed5e
0x7ff88c30ed63
0x7ff88c30ed68
0x7ff88c30ed6c
0x7ff88c30ed71
0x7ff88c30ed76
0x7ff88c30ed79
0x7ff88c30ed84
0x7ff88c30ed8d
0x7ff88c30ed97
0x7ff88c30eda7
0x7ff88c30edaa
0x7ff88c30edae
0x7ff88c30edba
0x7ff88c30edc3
0x7ff88c30edcc
0x7ff88c30edd5
0x7ff88c30eddf
0x7ff88c30edf1
0x7ff88c30edf3
0x7ff88c30edf6
0x7ff88c30edff
0x7ff88c30ee08
0x7ff88c30ee0e
0x7ff88c30ee1b
0x7ff88c30ee1e
0x7ff88c30ee24
0x7ff88c30ee2c
0x7ff88c30ee39
0x7ff88c30ee3c
0x7ff88c30ee41
0x7ff88c30ee46
0x7ff88c30ee50
0x7ff88c30ee55
0x7ff88c30ee5a
0x7ff88c30ee5e
0x7ff88c30ee63
0x7ff88c30ee71
0x7ff88c30ee7c
0x7ff88c30ee7e
0x7ff88c30ee82
0x7ff88c30ee89
0x7ff88c30ee8c
0x7ff88c30ee8e
0x7ff88c30ee98
0x7ff88c30eea1
0x7ff88c30eeaf
0x7ff88c30eebb
0x7ff88c30eebe
0x7ff88c30eec3
0x7ff88c30eec8
0x7ff88c30eed2
0x7ff88c30eed7
0x7ff88c30eee4
0x7ff88c30eee9
0x7ff88c30eef8
0x7ff88c30eefd
0x7ff88c30ef07
0x7ff88c30ef0c
0x7ff88c30ef13
0x7ff88c30ef1b
0x7ff88c30ef21
0x7ff88c30ef23
0x7ff88c30ef2f
0x7ff88c30ef34
0x7ff88c30ef36
0x7ff88c30ef3f
0x7ff88c30ef45
0x7ff88c30ef47
0x7ff88c30ef50
0x7ff88c30ef55
0x7ff88c30ef5b
0x7ff88c30ef5d
0x7ff88c30ef61
0x7ff88c30ef65
0x7ff88c30ef69
0x7ff88c30ef6d
0x7ff88c30ef6f
0x7ff88c30ef76
0x7ff88c30ef79
0x7ff88c30efa0

APIs

Part of subcall function 00007FF88C30A490: DNameStatusNode::make.LIBCMT ref: 00007FF88C30A4C0

DName::operator+=.LIBCMT ref: 00007FF88C30EB07

Memory Dump Source

Source File: 00000000.00000002.323590886.00007FF88C301000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF88C300000, based on PE: true

Associated: 00000000.00000002.323573707.00007FF88C300000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323655700.00007FF88C322000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323798879.00007FF88C367000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323812343.00007FF88C36A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323824687.00007FF88C36C000.00000010.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323839114.00007FF88C36D000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff88c300000_loaddll64.jbxd

Similarity

API ID: NameName::operator+=Node::makeStatus
String ID:
API String ID: 2733247609-0
Opcode ID: eb2993ff47c26f89a8bab52ca479db4366fc946142bc3caa6fa039aaa28782f7
Instruction ID: 69c682b72c081aa82a55afa5c219589493a560a1e0ae350d95ee2c24fbb05f64
Opcode Fuzzy Hash: eb2993ff47c26f89a8bab52ca479db4366fc946142bc3caa6fa039aaa28782f7
Instruction Fuzzy Hash: 3FF19E63F08A8699E711DFB4C4414FC73A0FB5A788F448135EA8D56A9EDF38E656C340

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF88C317FCC Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 194
COMMON

Download Yara Rule

C-Code - Quality: 61%

			E00007FF87FF88C317FCC(void* __ecx, void* __eflags, void* __rax, long long __rbx, intOrPtr __rcx, intOrPtr* __rdx, void* __r8, void* __r9) {
				void* __rdi;
				void* __rsi;
				void* _t56;
				int _t59;
				short _t100;
				signed int _t117;
				void* _t136;
				char* _t137;
				char* _t138;
				char* _t139;
				char* _t140;
				signed long long _t141;
				intOrPtr* _t143;
				char* _t152;
				int _t162;
				int _t165;
				intOrPtr _t166;
				long long _t169;
				intOrPtr* _t170;
				void* _t172;
				void* _t173;
				void* _t183;
				_Unknown_base(*)()* _t184;
				void* _t185;

				_t183 = __r9;
				_t136 = __rax;
				 *((long long*)(_t172 + 0x10)) = __rbx;
				 *((long long*)(_t172 + 0x18)) = _t169;
				_t173 = _t172 - 0x30;
				_t185 = __r8;
				_t170 = __rdx;
				_t166 = __rcx;
				E00007FF87FF88C307F5C(__ecx, __eflags, __rax, __rcx, __rcx, __r8);
				_t3 = _t136 + 0x140; // 0x140
				_t143 = _t3;
				if (__rcx != 0) goto 0x8c318004;
				 *(_t143 + 0x10) =  *(_t143 + 0x10) | 0x00000104;
				goto 0x8c3180e7;
				_t6 = _t166 + 0x40; // 0xf9
				_t137 = _t6;
				 *_t143 = __rcx;
				 *((long long*)(_t143 + 8)) = _t137;
				if (_t137 == 0) goto 0x8c31802e;
				if ( *_t137 == 0) goto 0x8c31802e;
				_t8 = _t143 + 8; // 0x148
				E00007FF87FF88C317730(0x16, _t143, 0x8c325a40, _t162, __rcx, _t8);
				_t138 =  *_t143;
				 *(_t143 + 0x10) =  *(_t143 + 0x10) & 0x00000000;
				if (_t138 == 0) goto 0x8c3180a3;
				if ( *_t138 == 0) goto 0x8c3180a3;
				_t139 =  *((intOrPtr*)(_t143 + 8));
				if (_t139 == 0) goto 0x8c318057;
				if ( *_t139 == 0) goto 0x8c318057;
				E00007FF87FF88C317EC8(_t139, _t143);
				goto 0x8c31805f;
				E00007FF87FF88C317F60(_t139, _t143);
				if ( *(_t143 + 0x10) != 0) goto 0x8c3180fd;
				if (E00007FF87FF88C317730(0x40, _t143, 0x8c325630, _t162, _t166, _t143) == 0) goto 0x8c3180f3;
				_t140 =  *((intOrPtr*)(_t143 + 8));
				if (_t140 == 0) goto 0x8c318099;
				if ( *_t140 == 0) goto 0x8c318099;
				E00007FF87FF88C317EC8(_t140, _t143);
				goto 0x8c3180f3;
				_t56 = E00007FF87FF88C317F60(_t140, _t143);
				goto 0x8c3180f3;
				_t152 =  *((intOrPtr*)(_t143 + 8));
				if (_t152 == 0) goto 0x8c3180e0;
				if ( *_t152 == 0) goto 0x8c3180e0;
				E00007FF87FF88C3053B0(_t56, _t152);
				 *(_t143 + 0x1c) = 0 | _t140 == 0x00000003;
				EnumSystemLocalesA(_t184);
				if (( *(_t143 + 0x10) & 0x00000004) != 0) goto 0x8c3180f3;
				 *(_t143 + 0x10) =  *(_t143 + 0x10) & 0x00000000;
				goto 0x8c3180f3;
				 *(_t143 + 0x10) = 0x104;
				_t59 = GetUserDefaultLCID();
				 *(_t143 + 0x20) = _t59;
				 *(_t143 + 0x24) = _t59;
				_t117 =  *(_t143 + 0x10);
				if (_t117 == 0) goto 0x8c318294;
				_t28 = _t166 + 0x80; // 0x139
				_t141 = _t28;
				asm("dec eax");
				if (_t117 == 0) goto 0x8c318169;
				if ( *(_t162 & _t141) == 0) goto 0x8c318169;
				if (E00007FF87FF88C3057E0(_t140 == 3, _t162 & _t141, 0x8c325bc8) == 0) goto 0x8c318169;
				if (E00007FF87FF88C3057E0(_t140 == 3, _t162 & _t141, 0x8c325bc4) != 0) goto 0x8c31815f;
				_t30 = _t141 + 2; // 0x2
				r9d = _t30;
				if (GetLocaleInfoW(_t162, _t165) == 0) goto 0x8c318294;
				goto 0x8c31819a;
				E00007FF87FF88C3150DC(_t62, 0x8c325bc4);
				goto 0x8c318198;
				r9d = 2;
				if (GetLocaleInfoW(??, ??, ??, ??) == 0) goto 0x8c318294;
				if ( *((intOrPtr*)(_t173 + 0x50)) != 0) goto 0x8c3181a2;
				_t100 = GetACP();
				if (_t100 == 0) goto 0x8c318294;
				if (_t100 == 0xfde8) goto 0x8c318294;
				if (_t100 == 0xfde9) goto 0x8c318294;
				if (IsValidCodePage(??) == 0) goto 0x8c318294;
				if (IsValidLocale(??, ??) == 0) goto 0x8c318294;
				if (_t170 == 0) goto 0x8c3181fa;
				 *_t170 =  *(_t143 + 0x20) & 0x0000ffff;
				 *((short*)(_t170 + 4)) = _t100;
				 *((short*)(_t170 + 2)) =  *(_t143 + 0x24) & 0x0000ffff;
				if (_t185 == 0) goto 0x8c31828d;
				if ( *_t170 != 0x814) goto 0x8c31823c;
				if (E00007FF87FF88C306870(_t141, _t185, 0x8c325bc4, "Norwegian-Nynorsk") == 0) goto 0x8c318257;
				 *(_t173 + 0x20) =  *(_t173 + 0x20) & 0x00000000;
				r9d = 0;
				r8d = 0;
				E00007FF87FF88C30938C();
				asm("int3");
				r9d = 0x40;
				if (GetLocaleInfoA(??, ??, ??, ??) == 0) goto 0x8c318294;
				r9d = 0x40;
				if (GetLocaleInfoA(??, ??, ??, ??) == 0) goto 0x8c318294;
				r9d = 0xa;
				_t47 = _t183 + 6; // 0x6
				r8d = _t47;
				E00007FF87FF88C31A64C(_t100);
				goto 0x8c318296;
				return 0;
			}

0x7ff88c317fcc
0x7ff88c317fcc
0x7ff88c317fcc
0x7ff88c317fd1
0x7ff88c317fda
0x7ff88c317fde
0x7ff88c317fe1
0x7ff88c317fe4
0x7ff88c317fe7
0x7ff88c317fec
0x7ff88c317fec
0x7ff88c317ff6
0x7ff88c317ff8
0x7ff88c317fff
0x7ff88c318004
0x7ff88c318004
0x7ff88c318008
0x7ff88c31800b
0x7ff88c318012
0x7ff88c318017
0x7ff88c318019
0x7ff88c318029
0x7ff88c31802e
0x7ff88c318031
0x7ff88c318038
0x7ff88c31803d
0x7ff88c31803f
0x7ff88c318046
0x7ff88c31804b
0x7ff88c318050
0x7ff88c318055
0x7ff88c31805a
0x7ff88c318063
0x7ff88c31807f
0x7ff88c318081
0x7ff88c318088
0x7ff88c31808d
0x7ff88c318092
0x7ff88c318097
0x7ff88c31809c
0x7ff88c3180a1
0x7ff88c3180a3
0x7ff88c3180aa
0x7ff88c3180af
0x7ff88c3180b1
0x7ff88c3180c4
0x7ff88c3180ce
0x7ff88c3180d8
0x7ff88c3180da
0x7ff88c3180de
0x7ff88c3180e0
0x7ff88c3180e7
0x7ff88c3180ed
0x7ff88c3180f0
0x7ff88c3180f3
0x7ff88c3180f7
0x7ff88c3180fd
0x7ff88c3180fd
0x7ff88c318107
0x7ff88c31810d
0x7ff88c318112
0x7ff88c318125
0x7ff88c318138
0x7ff88c31813d
0x7ff88c31813d
0x7ff88c318153
0x7ff88c31815d
0x7ff88c318162
0x7ff88c318167
0x7ff88c318171
0x7ff88c318184
0x7ff88c318190
0x7ff88c318198
0x7ff88c31819c
0x7ff88c3181a8
0x7ff88c3181b4
0x7ff88c3181c5
0x7ff88c3181db
0x7ff88c3181e4
0x7ff88c3181ea
0x7ff88c3181f2
0x7ff88c3181f6
0x7ff88c3181fd
0x7ff88c31820c
0x7ff88c318224
0x7ff88c318226
0x7ff88c31822c
0x7ff88c31822f
0x7ff88c318236
0x7ff88c31823b
0x7ff88c31823f
0x7ff88c318255
0x7ff88c318264
0x7ff88c318272
0x7ff88c318274
0x7ff88c318284
0x7ff88c318284
0x7ff88c318288
0x7ff88c318292
0x7ff88c3182a8

APIs

_getptd.LIBCMT ref: 00007FF88C317FE7

Part of subcall function 00007FF88C307F5C: _amsg_exit.LIBCMT ref: 00007FF88C307F72

GetUserDefaultLCID.KERNEL32 ref: 00007FF88C3180E7
GetLocaleInfoW.KERNEL32 ref: 00007FF88C31814B
IsValidCodePage.KERNEL32 ref: 00007FF88C3181BD
IsValidLocale.KERNEL32 ref: 00007FF88C3181D3
GetLocaleInfoA.KERNEL32 ref: 00007FF88C31824D
GetLocaleInfoA.KERNEL32 ref: 00007FF88C31826A
_itow_s.LIBCMT ref: 00007FF88C318288

Part of subcall function 00007FF88C30938C: GetCurrentProcess.KERNEL32(?,?,?,?,00007FF88C309442), ref: 00007FF88C3093A4

Strings

OCP, xrefs: 00007FF88C318127
ACP, xrefs: 00007FF88C318114
Norwegian-Nynorsk, xrefs: 00007FF88C31820E

Memory Dump Source

Source File: 00000000.00000002.323590886.00007FF88C301000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF88C300000, based on PE: true

Associated: 00000000.00000002.323573707.00007FF88C300000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323655700.00007FF88C322000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323798879.00007FF88C367000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323812343.00007FF88C36A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323824687.00007FF88C36C000.00000010.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323839114.00007FF88C36D000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff88c300000_loaddll64.jbxd

Similarity

API ID: Locale$Info$Valid$CodeCurrentDefaultPageProcessUser_amsg_exit_getptd_itow_s
String ID: ACP$Norwegian-Nynorsk$OCP
API String ID: 2581548026-4064345498
Opcode ID: d362c72375b2087135f792d1d44b420b2d12033d331d9674696bc88b6a400c57
Instruction ID: cea44f573fad2ba41074f110a251975b6cecf03d54633be7d4b267dd71827a7b
Opcode Fuzzy Hash: d362c72375b2087135f792d1d44b420b2d12033d331d9674696bc88b6a400c57
Instruction Fuzzy Hash: 43819462A087428EFB659F61D440BB92391BF46BD4F058036EA0D86ACDDF7CE947C346

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF88C30732C Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 159
fileCOMMONLIBRARYCODECrypto

Download Yara Rule

C-Code - Quality: 67%

			E00007FF87FF88C30732C(void* __ecx, void* __eflags, long long __rbx, long long __rsi, long long __rbp, long long _a16, long long _a24, long long _a32) {
				void* _v24;
				signed int _v40;
				intOrPtr _v53;
				char _v552;
				void* _v568;
				long long _v584;
				void* _t33;
				void* _t39;
				signed long long _t83;
				signed long long _t84;
				signed long long _t85;
				signed long long _t88;
				signed long long _t90;
				void* _t105;
				void* _t112;
				void* _t120;
				void* _t131;
				void* _t134;

				_t115 = __rsi;
				_a16 = __rbx;
				_a24 = __rbp;
				_a32 = __rsi;
				_t83 =  *0x8c3670a0; // 0xfd5a6ce2fd9f
				_t84 = _t83 ^ _t120 - 0x00000250;
				_v40 = _t84;
				E00007FF87FF88C307300(__ecx);
				_t90 = _t84;
				if (_t84 == 0) goto 0x8c30755c;
				_t5 = _t115 + 3; // 0x3
				if (E00007FF87FF88C3132BC(_t5, _t84) == 1) goto 0x8c3074f4;
				_t6 = _t115 + 3; // 0x3
				if (E00007FF87FF88C3132BC(_t6, _t84) != 0) goto 0x8c307398;
				if ( *0x8c368ab8 == 1) goto 0x8c3074f4;
				if (__ecx == 0xfc) goto 0x8c30755c;
				r12d = 0x314;
				if (E00007FF87FF88C313250(_t84, 0x8c3690a0, _t105, L"Runtime Error!\n\nProgram: ") != 0) goto 0x8c3074e1;
				r8d = 0x104;
				 *0x8c3692da = 0;
				if (GetModuleFileNameW(??, ??, ??) != 0) goto 0x8c30741d;
				if (E00007FF87FF88C313250(_t84, 0x8c3690d2, 0x8c3690d2, L"<program name unknown>") == 0) goto 0x8c30741d;
				r9d = 0;
				r8d = 0;
				_v584 = __rsi;
				E00007FF87FF88C30938C();
				asm("int3");
				_t33 = E00007FF87FF88C313234(_t32, 0x8c3690d2);
				_t85 = _t84 + 1;
				if (_t85 - 0x3c <= 0) goto 0x8c307475;
				E00007FF87FF88C313234(_t33, 0x8c3690d2);
				r9d = 3;
				_t88 = 0x8c3690a0 + _t85 * 2 - 0x44 - 0x8c3690d2 >> 1;
				if (E00007FF87FF88C313164(_t88, 0x8c3690a0 + _t85 * 2 - 0x44, _t112 - _t88, L"...", _t131) == 0) goto 0x8c307475;
				r9d = 0;
				r8d = 0;
				_v584 = __rsi;
				E00007FF87FF88C30938C();
				asm("int3");
				if (E00007FF87FF88C3130DC(_t88, 0x8c3690a0, _t134, L"\n\n") != 0) goto 0x8c3074cc;
				if (E00007FF87FF88C3130DC(_t88, 0x8c3690a0, _t134, _t90) != 0) goto 0x8c3074b7;
				r8d = 0x12010;
				E00007FF87FF88C312ED4(0x8c3690a0, L"Microsoft Visual C++ Runtime Library", _t131);
				goto 0x8c30755c;
				r9d = 0;
				r8d = 0;
				_v584 = __rsi;
				E00007FF87FF88C30938C();
				asm("int3");
				r9d = 0;
				r8d = 0;
				_v584 = __rsi;
				E00007FF87FF88C30938C();
				asm("int3");
				r9d = 0;
				r8d = 0;
				_v584 = __rsi;
				E00007FF87FF88C30938C();
				asm("int3");
				_t39 = GetStdHandle(??);
				if (_t88 == 0) goto 0x8c30755c;
				if (_t88 == 0xffffffff) goto 0x8c30755c;
				_t16 =  &_v552; // 0x354
				 *_t16 =  *_t90;
				if ( *_t90 == 0) goto 0x8c30752f;
				if (1 - 0x1f4 < 0) goto 0x8c307514;
				_v53 = sil;
				E00007FF87FF88C3053B0(_t39,  &_v552);
				_v584 = __rsi;
				WriteFile(??, ??, ??, ??, ??);
				return E00007FF87FF88C304980( *_t90, _v40 ^ _t120 - 0x00000250,  &_v552, _t88);
			}

0x7ff88c30732c
0x7ff88c30732c
0x7ff88c307331
0x7ff88c307336
0x7ff88c307347
0x7ff88c30734e
0x7ff88c307351
0x7ff88c30735b
0x7ff88c307362
0x7ff88c307368
0x7ff88c30736e
0x7ff88c307379
0x7ff88c30737f
0x7ff88c307389
0x7ff88c307392
0x7ff88c30739e
0x7ff88c3073ab
0x7ff88c3073c7
0x7ff88c3073d4
0x7ff88c3073da
0x7ff88c3073f1
0x7ff88c307406
0x7ff88c307408
0x7ff88c30740b
0x7ff88c307412
0x7ff88c307417
0x7ff88c30741c
0x7ff88c307420
0x7ff88c307425
0x7ff88c30742c
0x7ff88c307431
0x7ff88c30743d
0x7ff88c30744e
0x7ff88c30745e
0x7ff88c307460
0x7ff88c307463
0x7ff88c30746a
0x7ff88c30746f
0x7ff88c307474
0x7ff88c307489
0x7ff88c30749b
0x7ff88c3074a4
0x7ff88c3074ad
0x7ff88c3074b2
0x7ff88c3074b7
0x7ff88c3074ba
0x7ff88c3074c1
0x7ff88c3074c6
0x7ff88c3074cb
0x7ff88c3074cc
0x7ff88c3074cf
0x7ff88c3074d6
0x7ff88c3074db
0x7ff88c3074e0
0x7ff88c3074e1
0x7ff88c3074e4
0x7ff88c3074e9
0x7ff88c3074ee
0x7ff88c3074f3
0x7ff88c3074f9
0x7ff88c307505
0x7ff88c30750b
0x7ff88c30750f
0x7ff88c307516
0x7ff88c30751c
0x7ff88c30752d
0x7ff88c307534
0x7ff88c30753c
0x7ff88c307551
0x7ff88c307556
0x7ff88c307588

APIs

_set_error_mode.LIBCMT ref: 00007FF88C307371
_set_error_mode.LIBCMT ref: 00007FF88C307382
GetModuleFileNameW.KERNEL32 ref: 00007FF88C3073E4

Part of subcall function 00007FF88C30938C: GetCurrentProcess.KERNEL32(?,?,?,?,00007FF88C309442), ref: 00007FF88C3093A4

GetStdHandle.KERNEL32 ref: 00007FF88C3074F9
WriteFile.KERNEL32 ref: 00007FF88C307556

Strings

..., xrefs: 00007FF88C307436
Microsoft Visual C++ Runtime Library, xrefs: 00007FF88C30749D
<program name unknown>, xrefs: 00007FF88C3073F3
Runtime Error!Program: , xrefs: 00007FF88C3073B1

Memory Dump Source

Source File: 00000000.00000002.323590886.00007FF88C301000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF88C300000, based on PE: true

Associated: 00000000.00000002.323573707.00007FF88C300000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323655700.00007FF88C322000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323798879.00007FF88C367000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323812343.00007FF88C36A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323824687.00007FF88C36C000.00000010.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323839114.00007FF88C36D000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff88c300000_loaddll64.jbxd

Similarity

API ID: File_set_error_mode$CurrentHandleModuleNameProcessWrite
String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program:
API String ID: 2183313154-4022980321
Opcode ID: d0b2ab18d4dcb737b88f304bfd9d54b47c85ddb07edf073f73903026096e790d
Instruction ID: ab82d92d2e42f0419aa2e8efeca09353abc78453a8535b90710842b3ad0f33da
Opcode Fuzzy Hash: d0b2ab18d4dcb737b88f304bfd9d54b47c85ddb07edf073f73903026096e790d
Instruction Fuzzy Hash: BE519C22B08B8246FB649B65E815EBA6295BF9B7C4F444136EE5D43A8DCF3CE507C700

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF88C3038E8 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 86comregistrywindowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32 ref: 00007FF88C30393C
RegisterTouchWindow.USER32 ref: 00007FF88C303956
MessageBoxW.USER32 ref: 00007FF88C303974
CoCreateInstance.OLE32 ref: 00007FF88C30399C
ShowWindow.USER32 ref: 00007FF88C303A3D
UpdateWindow.USER32 ref: 00007FF88C303A46

Strings

Cannot register application window for multi-touch input, xrefs: 00007FF88C303967
Error, xrefs: 00007FF88C303960

Memory Dump Source

Source File: 00000000.00000002.323590886.00007FF88C301000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF88C300000, based on PE: true

Associated: 00000000.00000002.323573707.00007FF88C300000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323655700.00007FF88C322000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323798879.00007FF88C367000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323812343.00007FF88C36A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323824687.00007FF88C36C000.00000010.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323839114.00007FF88C36D000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff88c300000_loaddll64.jbxd

Similarity

API ID: Window$Create$InstanceMessageRegisterShowTouchUpdate
String ID: Cannot register application window for multi-touch input$Error
API String ID: 2622382097-480840240
Opcode ID: 321e047565b7b9481e35a44dd1e50921cbcd63a5be62ce940b5462df4ae96a7f
Instruction ID: 11d271cc1a556c277e48af267e4d462fe4a8566385a48221bdbcd49af983051b
Opcode Fuzzy Hash: 321e047565b7b9481e35a44dd1e50921cbcd63a5be62ce940b5462df4ae96a7f
Instruction Fuzzy Hash: 3C414932A18B0682EB908B55E854FB8B3A0FF8ABD9F104135CA0D47768DF3DE44AD740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF88C313CE8 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 288
COMMONLIBRARYCODECrypto

Download Yara Rule

C-Code - Quality: 82%

			E00007FF87FF88C313CE8(void* __eflags, intOrPtr* __rax, long long __rbx, unsigned int* __rcx, char* __rdx, long long __rdi, void* __r8, void* __r9, void* __r10, void* __r11, signed long long _a8, long long _a16, long long _a24, signed int _a40, intOrPtr _a48) {
				void* _v40;
				intOrPtr _v48;
				intOrPtr _v56;
				char _v72;
				long long _v80;
				intOrPtr _v88;
				void* _t91;
				char _t92;
				signed char _t93;
				signed int _t119;
				signed int _t120;
				void* _t150;
				intOrPtr* _t166;
				signed long long _t170;
				intOrPtr* _t186;
				signed int* _t187;
				signed long long _t205;
				signed long long _t214;
				void* _t215;
				signed long long _t220;
				signed long long _t222;
				signed long long _t223;
				signed long long _t226;
				signed long long _t227;
				char* _t232;
				char* _t233;
				intOrPtr* _t234;
				void* _t235;
				intOrPtr* _t236;
				char* _t237;
				void* _t238;
				char* _t240;
				void* _t241;
				char* _t242;
				char* _t243;
				char* _t244;
				char* _t245;
				char* _t256;
				void* _t258;
				void* _t261;
				long long _t263;
				intOrPtr* _t264;

				_t258 = __r10;
				_t166 = __rax;
				_a16 = __rbx;
				_a24 = __rdi;
				_t232 = __rdx;
				r12d = r9d;
				_a8 = 0x3ff;
				r13d = 0x30;
				E00007FF87FF88C306AE4(__rax,  &_v72, _a48);
				r15d = 0;
				r12d =  <  ? r15d : r12d;
				if (__rdx != 0) goto 0x8c313d5f;
				E00007FF87FF88C307698(_t166);
				 *_t166 = __rdx + 0x16;
				E00007FF87FF88C309444();
				if (_v48 == r15b) goto 0x8c313d58;
				 *(_v56 + 0xc8) =  *(_v56 + 0xc8) & 0xfffffffd;
				goto 0x8c3140ae;
				if (__r8 != 0) goto 0x8c313d88;
				E00007FF87FF88C307698(_t166);
				 *_t166 = 0x16;
				E00007FF87FF88C309444();
				if (_v48 == r15b) goto 0x8c313d58;
				 *(_v56 + 0xc8) =  *(_v56 + 0xc8) & 0xfffffffd;
				goto 0x8c313d58;
				 *((intOrPtr*)(__rdx)) = r15b;
				_t205 = _t261 + 0xb;
				if (__r8 - _t205 > 0) goto 0x8c313da4;
				E00007FF87FF88C307698(_v56);
				goto 0x8c313d40;
				_t170 =  *__rcx >> 0x00000034 & _t205;
				if (_t170 != _t205) goto 0x8c313e4f;
				_t220 = __rdx + 2;
				r9d = r12d;
				_t253 =  ==  ? __r8 : __r8 - 2;
				_v80 = _t263;
				_v88 = r15d;
				if (E00007FF87FF88C313BD4(__rcx, _t220,  ==  ? __r8 : __r8 - 2) == 0) goto 0x8c313e02;
				 *_t232 = r15b;
				if (_v48 == r15b) goto 0x8c3140ae;
				 *(_v56 + 0xc8) =  *(_v56 + 0xc8) & 0xfffffffd;
				goto 0x8c3140ae;
				if ( *((char*)(_t232 + 2)) != 0x2d) goto 0x8c313e0e;
				 *_t232 = 0x2d;
				_t233 = _t232 + 1;
				 *_t233 = 0x30;
				asm("sbb cl, cl");
				 *((char*)(_t233 + 1)) = 0x158;
				E00007FF87FF88C31863C(0x65, _t233 + 2,  ==  ? __r8 : __r8 - 2);
				if (_t170 == 0) goto 0x8c313e46;
				asm("sbb cl, cl");
				 *_t170 = 0xb0;
				 *((intOrPtr*)(_t170 + 3)) = r15b;
				goto 0x8c31409f;
				if (( *__rcx & 0x00000000) == 0) goto 0x8c313e64;
				 *_t233 = 0x2d;
				_t234 = _t233 + 1;
				r9d = _a40;
				r11d = 0x30;
				 *_t234 = r11b;
				asm("sbb cl, cl");
				asm("sbb edx, edx");
				 *((char*)(_t234 + 1)) = 0x118;
				if (( *__rcx & 0x00000000) != 0) goto 0x8c313ec6;
				 *((intOrPtr*)(_t234 + 2)) = r11b;
				_t235 = _t234 + 3;
				asm("dec eax");
				_a8 =  ~( *__rcx & 0xffffffff);
				goto 0x8c313ece;
				 *((char*)(_t235 + 2)) = 0x31;
				_t236 = _t235 + 3;
				_t264 = _t236;
				r10d = 0;
				_t237 = _t236 + 1;
				if (r12d != 0) goto 0x8c313ee1;
				 *_t264 = r10b;
				goto 0x8c313ef4;
				 *_t264 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v72 + 0x128))))));
				if (( *__rcx & 0xffffffff) <= 0) goto 0x8c313f88;
				if (r12d <= 0) goto 0x8c313f3b;
				_t91 = ( ~r9d & 0x000003fe) + r11w;
				_t150 = _t91 - 0x39;
				if (_t150 <= 0) goto 0x8c313f28;
				_t92 = _t91 + 0xffffffff00000087;
				 *_t237 = _t92;
				r12d = r12d - 1;
				_t238 = _t237 + 1;
				r13w = r13w + 0xfffc;
				if (_t150 >= 0) goto 0x8c313f07;
				if (r13w < 0) goto 0x8c313f88;
				if (_t92 - 8 <= 0) goto 0x8c313f88;
				_t186 = _t238 - 1;
				if ( *_t186 == 0x66) goto 0x8c313f64;
				if ( *_t186 != 0x46) goto 0x8c313f6c;
				 *_t186 = r11b;
				_t187 = _t186 - 1;
				goto 0x8c313f5a;
				if (_t187 == _t264) goto 0x8c313f85;
				_t119 =  *_t187;
				if (_t119 != 0x39) goto 0x8c313f7f;
				 *_t187 = 0xffffffff000000c1;
				goto 0x8c313f88;
				_t120 = _t119 + 1;
				 *_t187 = _t120;
				goto 0x8c313f88;
				 *((char*)(_t187 - 1)) =  *((char*)(_t187 - 1)) + 1;
				if (r12d <= 0) goto 0x8c313fac;
				r8d = r12d;
				_t93 = E00007FF87FF88C3056D0(_t92, _t120, r11b, _t238, _t220, 0 >> 4);
				r9d = _a40;
				r10d = 0;
				_t47 = _t258 + 0x30; // 0x30
				r11d = _t47;
				_t240 =  ==  ? _t264 : _t238 + 0xffffffff;
				r9d =  ~r9d;
				asm("sbb al, al");
				 *_t240 = (_t93 & 0x000000e0) + 0x70;
				if ( *_t264 - r10b < 0) goto 0x8c313fdb;
				 *((char*)(_t240 + 1)) = 0x2b;
				_t241 = _t240 + 2;
				goto 0x8c313fe6;
				 *((char*)(_t241 + 1)) = 0x2d;
				_t242 = _t241 + 2;
				_t214 =  ~(( *__rcx >> 0x34) - _a8);
				_t256 = _t242;
				 *_t242 = r11b;
				if (_t214 - 0x3e8 < 0) goto 0x8c314028;
				_t222 = (_t220 >> 7) + (_t220 >> 7 >> 0x3f);
				_t223 = _t222 * 0xfffffc18;
				 *_t242 = __r11 + _t222;
				_t243 = _t242 + 1;
				_t215 = _t214 + _t223;
				if (_t243 != _t256) goto 0x8c31402e;
				if (_t215 - 0x64 < 0) goto 0x8c31405c;
				_t226 = (_t223 + _t215 >> 6) + (_t223 + _t215 >> 6 >> 0x3f);
				_t227 = _t226 * 0xffffff9c;
				 *_t243 = __r11 + _t226;
				_t244 = _t243 + 1;
				if (_t244 != _t256) goto 0x8c314067;
				if (_t215 + _t227 - 0xa < 0) goto 0x8c314092;
				 *_t244 = __r11 + (_t227 >> 2) + (_t227 >> 2 >> 0x3f);
				_t245 = _t244 + 1;
				 *_t245 = (_t120 & 0x000007ff) + r11b;
				 *((intOrPtr*)(_t245 + 1)) = r10b;
				if (_v48 == r10b) goto 0x8c3140ac;
				 *(_v56 + 0xc8) =  *(_v56 + 0xc8) & 0xfffffffd;
				return 0;
			}

0x7ff88c313ce8
0x7ff88c313ce8
0x7ff88c313ce8
0x7ff88c313ced
0x7ff88c313d02
0x7ff88c313d10
0x7ff88c313d16
0x7ff88c313d1e
0x7ff88c313d24
0x7ff88c313d29
0x7ff88c313d2f
0x7ff88c313d36
0x7ff88c313d38
0x7ff88c313d40
0x7ff88c313d42
0x7ff88c313d4b
0x7ff88c313d51
0x7ff88c313d5a
0x7ff88c313d62
0x7ff88c313d64
0x7ff88c313d6e
0x7ff88c313d70
0x7ff88c313d79
0x7ff88c313d7f
0x7ff88c313d86
0x7ff88c313d8d
0x7ff88c313d90
0x7ff88c313d96
0x7ff88c313d98
0x7ff88c313da2
0x7ff88c313db0
0x7ff88c313db6
0x7ff88c313dc4
0x7ff88c313dc8
0x7ff88c313dce
0x7ff88c313dd2
0x7ff88c313dd7
0x7ff88c313de3
0x7ff88c313de5
0x7ff88c313dec
0x7ff88c313df6
0x7ff88c313dfd
0x7ff88c313e06
0x7ff88c313e08
0x7ff88c313e0b
0x7ff88c313e11
0x7ff88c313e1d
0x7ff88c313e25
0x7ff88c313e2c
0x7ff88c313e34
0x7ff88c313e38
0x7ff88c313e40
0x7ff88c313e42
0x7ff88c313e4a
0x7ff88c313e5c
0x7ff88c313e5e
0x7ff88c313e61
0x7ff88c313e64
0x7ff88c313e68
0x7ff88c313e7b
0x7ff88c313e83
0x7ff88c313e97
0x7ff88c313e99
0x7ff88c313ea5
0x7ff88c313ea7
0x7ff88c313eae
0x7ff88c313eb8
0x7ff88c313ec0
0x7ff88c313ec4
0x7ff88c313ec6
0x7ff88c313eca
0x7ff88c313ece
0x7ff88c313ed1
0x7ff88c313ed4
0x7ff88c313eda
0x7ff88c313edc
0x7ff88c313edf
0x7ff88c313ef1
0x7ff88c313ef7
0x7ff88c313f0a
0x7ff88c313f1b
0x7ff88c313f1f
0x7ff88c313f23
0x7ff88c313f25
0x7ff88c313f28
0x7ff88c313f2e
0x7ff88c313f31
0x7ff88c313f34
0x7ff88c313f39
0x7ff88c313f3f
0x7ff88c313f54
0x7ff88c313f56
0x7ff88c313f5d
0x7ff88c313f62
0x7ff88c313f64
0x7ff88c313f67
0x7ff88c313f6a
0x7ff88c313f6f
0x7ff88c313f71
0x7ff88c313f76
0x7ff88c313f7b
0x7ff88c313f7d
0x7ff88c313f7f
0x7ff88c313f81
0x7ff88c313f83
0x7ff88c313f85
0x7ff88c313f8b
0x7ff88c313f8d
0x7ff88c313f99
0x7ff88c313f9e
0x7ff88c313fa5
0x7ff88c313fa8
0x7ff88c313fa8
0x7ff88c313faf
0x7ff88c313fb3
0x7ff88c313fb6
0x7ff88c313fbc
0x7ff88c313fcf
0x7ff88c313fd1
0x7ff88c313fd5
0x7ff88c313fd9
0x7ff88c313fdb
0x7ff88c313fdf
0x7ff88c313fe3
0x7ff88c313fe6
0x7ff88c313fe9
0x7ff88c313ff3
0x7ff88c31400d
0x7ff88c314014
0x7ff88c31401b
0x7ff88c31401d
0x7ff88c314020
0x7ff88c314026
0x7ff88c31402c
0x7ff88c314049
0x7ff88c314050
0x7ff88c314054
0x7ff88c314056
0x7ff88c31405f
0x7ff88c314065
0x7ff88c31408a
0x7ff88c31408c
0x7ff88c314099
0x7ff88c31409b
0x7ff88c31409f
0x7ff88c3140a5
0x7ff88c3140c7

APIs

Part of subcall function 00007FF88C306AE4: _getptd.LIBCMT ref: 00007FF88C306AF6

_errno.LIBCMT ref: 00007FF88C313D38
_invalid_parameter_noinfo.LIBCMT ref: 00007FF88C313D42
_errno.LIBCMT ref: 00007FF88C313D64
_invalid_parameter_noinfo.LIBCMT ref: 00007FF88C313D70
_errno.LIBCMT ref: 00007FF88C313D98
_cftoe_l.LIBCMT ref: 00007FF88C313DDC

Strings

gfffffff, xrefs: 00007FF88C314067

Memory Dump Source

Source File: 00000000.00000002.323590886.00007FF88C301000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF88C300000, based on PE: true

Associated: 00000000.00000002.323573707.00007FF88C300000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323655700.00007FF88C322000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323798879.00007FF88C367000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323812343.00007FF88C36A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323824687.00007FF88C36C000.00000010.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323839114.00007FF88C36D000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff88c300000_loaddll64.jbxd

Similarity

API ID: _errno$_invalid_parameter_noinfo$_cftoe_l_getptd
String ID: gfffffff
API String ID: 1282097019-1523873471
Opcode ID: 47ce03993f13529761602d467f072e9c290b970637875afc3916dd4e597c0ad0
Instruction ID: dc041994d36a39e286b139d74eefc33ea6525333d3da6de09af2be622a94d135
Opcode Fuzzy Hash: 47ce03993f13529761602d467f072e9c290b970637875afc3916dd4e597c0ad0
Instruction Fuzzy Hash: CFB14763B083868AEB518B29C541BBD6BA5FB127D4F048532EB1D877D9EA3CE416C300

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF88C304980 Relevance: 12.1, APIs: 8, Instructions: 67
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 52%

			E00007FF87FF88C304980(signed int __ecx, intOrPtr* __rcx, void* __rdx, void* __r8) {
				intOrPtr _t10;
				void* _t12;
				signed int _t17;
				void* _t19;
				intOrPtr* _t23;
				void* _t26;

				_t12 = __rcx -  *0x8c3670a0; // 0xfd5a6ce2fd9f
				if (_t12 != 0) goto 0x8c30499a;
				asm("dec eax");
				if ((__ecx & 0x0000ffff) != 0) goto 0x8c304996;
				asm("repe ret");
				asm("dec eax");
				goto 0x8c305c1c;
				asm("int3");
				asm("int3");
				asm("int3");
				asm("int3");
				asm("int3");
				asm("int3");
				asm("int3");
				asm("o16 nop [eax+eax]");
				_t26 = __rdx - __rcx;
				if (__r8 - 8 < 0) goto 0x8c3049db;
				if ((__ecx & 0x00000007) == 0) goto 0x8c3049d2;
				if ( *__rcx !=  *((intOrPtr*)(_t26 + __rcx))) goto 0x8c3049f3;
				_t23 = __rcx + 1;
				_t17 = __ecx & 0x00000007;
				if (_t17 != 0) goto 0x8c3049c0;
				if (_t17 != 0) goto 0x8c3049fa;
				if (__r8 - 1 == 0) goto 0x8c3049ef;
				_t10 =  *_t23;
				_t19 = _t10 -  *((intOrPtr*)(_t26 + _t23));
				if (_t19 != 0) goto 0x8c3049f3;
				if (_t19 != 0) goto 0x8c3049e0;
				return _t10;
			}

0x7ff88c304980
0x7ff88c304987
0x7ff88c304989
0x7ff88c304992
0x7ff88c304994
0x7ff88c304996
0x7ff88c30499a
0x7ff88c30499f
0x7ff88c3049a0
0x7ff88c3049a1
0x7ff88c3049a2
0x7ff88c3049a3
0x7ff88c3049a4
0x7ff88c3049a5
0x7ff88c3049a6
0x7ff88c3049b0
0x7ff88c3049b7
0x7ff88c3049bc
0x7ff88c3049c5
0x7ff88c3049c7
0x7ff88c3049cd
0x7ff88c3049d0
0x7ff88c3049d9
0x7ff88c3049de
0x7ff88c3049e0
0x7ff88c3049e2
0x7ff88c3049e5
0x7ff88c3049ed
0x7ff88c3049f2

APIs

RtlCaptureContext.KERNEL32 ref: 00007FF88C305C2F
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF88C305C4E
RtlVirtualUnwind.KERNEL32 ref: 00007FF88C305C9A
IsDebuggerPresent.KERNEL32 ref: 00007FF88C305D0C
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF88C305D24
UnhandledExceptionFilter.KERNEL32 ref: 00007FF88C305D31
GetCurrentProcess.KERNEL32 ref: 00007FF88C305D4A
TerminateProcess.KERNEL32 ref: 00007FF88C305D58

Memory Dump Source

Source File: 00000000.00000002.323590886.00007FF88C301000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF88C300000, based on PE: true

Associated: 00000000.00000002.323573707.00007FF88C300000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323655700.00007FF88C322000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323798879.00007FF88C367000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323812343.00007FF88C36A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323824687.00007FF88C36C000.00000010.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323839114.00007FF88C36D000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff88c300000_loaddll64.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CaptureContextCurrentDebuggerEntryFunctionLookupPresentTerminateUnwindVirtual
String ID:
API String ID: 3778485334-0
Opcode ID: a648bce5b8ee185fe204d0b57b0e5d3de350c2bcdd6a3980e7c46240e88fe07c
Instruction ID: f2914bf7d36ae7e5918b1250f409bf101d7a015f0fa26bce49875d08940c413d
Opcode Fuzzy Hash: a648bce5b8ee185fe204d0b57b0e5d3de350c2bcdd6a3980e7c46240e88fe07c
Instruction Fuzzy Hash: B6312A7590DB8686EB109B54F844F6AB3A0FB4A3D4F800036DA8D43B69EF7CE096D705

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180015524 Relevance: 10.9, Strings: 8, Instructions: 866COMMON

Download Yara Rule

Strings

m!yq, xrefs: 00000001800156B4
FX, xrefs: 0000000180016417
#*9\, xrefs: 00000001800165F6
u, xrefs: 0000000180015D22
E?b, xrefs: 0000000180015733
.-, xrefs: 0000000180015C63
DpY, xrefs: 000000018001605B
{`&F, xrefs: 0000000180016117

Memory Dump Source

Source File: 00000000.00000002.322442190.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180001000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID: #*9\$.-$DpY$E?b$FX$m!yq${`&F$u
API String ID: 0-2591828752
Opcode ID: 59df8465ec0652ffea0eb2e0c77569de975800b6e92395329ffff6d08f3d9baf
Instruction ID: 479501bf8952617cb053f1f5f7f5532052027f53c4ae18c355c694bd353bcc94
Opcode Fuzzy Hash: 59df8465ec0652ffea0eb2e0c77569de975800b6e92395329ffff6d08f3d9baf
Instruction Fuzzy Hash: B1A23C7054878A8BDB78CF24C845BEE7BE1FB84304F10452DE8A98A761EB749649DF42

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF88C312BF4 Relevance: 10.6, APIs: 7, Instructions: 143
COMMON

Download Yara Rule

C-Code - Quality: 59%

			E00007FF87FF88C312BF4(void* __edx, void* __rcx, void* __r8) {
				void* __rbx;
				void* __rdi;
				void* __rsi;
				void* __rbp;
				signed int _t11;
				signed int _t15;
				signed int _t19;
				void* _t26;
				signed long long _t38;
				signed long long _t39;
				signed long long* _t40;
				void* _t50;
				void* _t53;
				void* _t55;
				signed long long _t56;
				void* _t61;

				_t38 =  *0x8c3670a0; // 0xfd5a6ce2fd9f
				_t39 = _t38 ^ _t56;
				 *(_t56 + 0xc0) = _t39;
				_t40 =  *((intOrPtr*)(_t56 + 0x130));
				_t26 = r9d;
				r12d = r8d;
				_t61 = __rcx;
				if (__edx != 1) goto 0x8c312d3c;
				r8d = _t26;
				 *(_t56 + 0x20) = 0x80;
				_t11 = E00007FF87FF88C3185C8(r12d, __edx - 1, _t40, __rcx, _t53, __r8, _t56 + 0x40);
				r13d = _t11;
				if (_t11 != 0) goto 0x8c312cb4;
				if (GetLastError() != 0x7a) goto 0x8c312cdb;
				 *(_t56 + 0x20) =  *(_t56 + 0x20) & 0;
				r9d = 0;
				r8d = _t26;
				if (E00007FF87FF88C3185C8(r12d, GetLastError() - 0x7a, _t40, __rcx, _t53, __r8, _t56 + 0x40) == 0) goto 0x8c312cdb;
				E00007FF87FF88C30796C(_t40, _t13, _t50, _t56 + 0x40, _t53, _t55);
				if (_t39 == 0) goto 0x8c312cdb;
				r8d = _t26;
				 *(_t56 + 0x20) = r13d;
				_t15 = E00007FF87FF88C3185C8(r12d, _t39, _t40, _t61, _t53, __r8, _t39);
				r13d = _t15;
				if (_t15 == 0) goto 0x8c312cd3;
				E00007FF87FF88C30796C(_t40, r13d, _t50, _t39, r13d, _t55);
				 *_t40 = _t39;
				if (_t39 != 0) goto 0x8c312d00;
				if (1 == 0) goto 0x8c312cdb;
				free(??);
				return E00007FF87FF88C304980(_t19,  *(_t56 + 0xc0) ^ _t56, _t50, __r8);
			}

0x7ff88c312c06
0x7ff88c312c0d
0x7ff88c312c10
0x7ff88c312c18
0x7ff88c312c20
0x7ff88c312c23
0x7ff88c312c26
0x7ff88c312c2c
0x7ff88c312c37
0x7ff88c312c44
0x7ff88c312c4c
0x7ff88c312c51
0x7ff88c312c56
0x7ff88c312c61
0x7ff88c312c63
0x7ff88c312c67
0x7ff88c312c6a
0x7ff88c312c7d
0x7ff88c312c85
0x7ff88c312c90
0x7ff88c312c95
0x7ff88c312ca3
0x7ff88c312ca8
0x7ff88c312cad
0x7ff88c312cb2
0x7ff88c312cbf
0x7ff88c312cc7
0x7ff88c312ccd
0x7ff88c312cd1
0x7ff88c312cd6
0x7ff88c312cff

APIs

GetLastError.KERNEL32 ref: 00007FF88C312C58

Part of subcall function 00007FF88C30796C: Sleep.KERNEL32(?,?,?,00007FF88C307F0B,?,?,?,00007FF88C3076A1,?,?,?,?,00007FF88C305382), ref: 00007FF88C3079B1

free.LIBCMT ref: 00007FF88C312CD6
free.LIBCMT ref: 00007FF88C312D1D
GetLocaleInfoW.KERNEL32 ref: 00007FF88C312D54
GetLocaleInfoW.KERNEL32 ref: 00007FF88C312D7E
free.LIBCMT ref: 00007FF88C312D8B
GetLocaleInfoW.KERNEL32 ref: 00007FF88C312DB6

Memory Dump Source

Source File: 00000000.00000002.323590886.00007FF88C301000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF88C300000, based on PE: true

Associated: 00000000.00000002.323573707.00007FF88C300000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323655700.00007FF88C322000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323798879.00007FF88C367000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323812343.00007FF88C36A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323824687.00007FF88C36C000.00000010.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323839114.00007FF88C36D000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff88c300000_loaddll64.jbxd

Similarity

API ID: InfoLocalefree$ErrorLastSleep
String ID:
API String ID: 3746651342-0
Opcode ID: e47d10a84406a34633a24b679209866e5097282d3bb8e6c5d4316b0a21244243
Instruction ID: 770982d0a193b9c5c2c6ca7903ed16de777668cda1f6d3cd37b3760b7dc28738
Opcode Fuzzy Hash: e47d10a84406a34633a24b679209866e5097282d3bb8e6c5d4316b0a21244243
Instruction Fuzzy Hash: DC51E412B1874646F7605A21E810FBA6295BF9ABC4F004036EE4DA7B8DFE3EE403C700

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180003F54 Relevance: 10.3, Strings: 8, Instructions: 262COMMON

Download Yara Rule

Strings

*13B, xrefs: 000000018000411B
rs, xrefs: 00000001800040BF
Q", xrefs: 000000018000406C
;Q, xrefs: 0000000180004236
+, xrefs: 00000001800041B6
U, xrefs: 000000018000431B
-T, xrefs: 0000000180004288
#X, xrefs: 000000018000409E

Memory Dump Source

Source File: 00000000.00000002.322442190.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180001000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID: #X$*13B$+$;Q$Q"$U$rs$-T
API String ID: 0-544282628
Opcode ID: d1854a6999c0ff55486a99b7506505f72410f9acb5c25179dc35c12dc5b3fa06
Instruction ID: 1b0f9965968cc2688a71ad85e1ceaa8c66d891cfd0c5e8919ebd8b935f04e68c
Opcode Fuzzy Hash: d1854a6999c0ff55486a99b7506505f72410f9acb5c25179dc35c12dc5b3fa06
Instruction Fuzzy Hash: 53C1197190474D8FDF48DF68C8896EE7BB1FB48358F16431DE84AA6290C7789A48CF85

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF88C3091F4 Relevance: 9.1, APIs: 6, Instructions: 80
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 62%

			E00007FF87FF88C3091F4(signed int __ecx, signed int __edx, long long __rbx, void* __rdx, long long __rsi, void* __r8) {
				void* _t37;
				void* _t38;
				int _t40;
				signed long long _t61;
				long long _t63;
				_Unknown_base(*)()* _t81;
				void* _t85;
				void* _t86;
				void* _t88;
				signed long long _t89;
				struct _EXCEPTION_POINTERS* _t96;

				 *((long long*)(_t88 + 0x10)) = __rbx;
				 *((long long*)(_t88 + 0x18)) = __rsi;
				_t86 = _t88 - 0x4f0;
				_t89 = _t88 - 0x5f0;
				_t61 =  *0x8c3670a0; // 0xfd5a6ce2fd9f
				 *(_t86 + 0x4e0) = _t61 ^ _t89;
				if (__ecx == 0xffffffff) goto 0x8c309233;
				_t38 = E00007FF87FF88C308CFC(_t37);
				 *(_t89 + 0x70) =  *(_t89 + 0x70) & 0x00000000;
				r8d = 0x94;
				E00007FF87FF88C3056D0(_t38, __ecx, 0, _t89 + 0x74, __rdx, __r8);
				_t63 = _t86 + 0x10;
				 *((long long*)(_t89 + 0x48)) = _t89 + 0x70;
				 *((long long*)(_t89 + 0x50)) = _t63;
				__imp__RtlCaptureContext();
				r8d = 0;
				0x8c31e276();
				if (_t63 == 0) goto 0x8c3092ba;
				 *(_t89 + 0x38) =  *(_t89 + 0x38) & 0x00000000;
				 *((long long*)(_t89 + 0x30)) = _t89 + 0x60;
				 *((long long*)(_t89 + 0x28)) = _t89 + 0x58;
				 *((long long*)(_t89 + 0x20)) = _t86 + 0x10;
				0x8c31e270();
				goto 0x8c3092d6;
				 *((long long*)(_t86 + 0x108)) =  *((intOrPtr*)(_t86 + 0x508));
				 *((long long*)(_t86 + 0xa8)) = _t86 + 0x508;
				 *(_t89 + 0x70) = __edx;
				 *((intOrPtr*)(_t89 + 0x74)) = r8d;
				 *((long long*)(_t86 - 0x80)) =  *((intOrPtr*)(_t86 + 0x508));
				_t40 = IsDebuggerPresent();
				SetUnhandledExceptionFilter(_t81, _t85);
				if (UnhandledExceptionFilter(_t96) != 0) goto 0x8c309318;
				if (_t40 != 0) goto 0x8c309318;
				if (__ecx == 0xffffffff) goto 0x8c309318;
				E00007FF87FF88C308CFC(_t42);
				return E00007FF87FF88C304980(__ecx,  *(_t86 + 0x4e0) ^ _t89,  *((intOrPtr*)(_t89 + 0x40)),  *((intOrPtr*)(_t86 + 0x108)));
			}

0x7ff88c3091f4
0x7ff88c3091f9
0x7ff88c309202
0x7ff88c30920a
0x7ff88c309211
0x7ff88c30921b
0x7ff88c30922c
0x7ff88c30922e
0x7ff88c309233
0x7ff88c30923f
0x7ff88c309245
0x7ff88c30924f
0x7ff88c309257
0x7ff88c30925c
0x7ff88c309261
0x7ff88c309276
0x7ff88c309279
0x7ff88c309281
0x7ff88c309283
0x7ff88c309293
0x7ff88c3092a0
0x7ff88c3092ac
0x7ff88c3092b3
0x7ff88c3092b8
0x7ff88c3092c1
0x7ff88c3092cf
0x7ff88c3092dd
0x7ff88c3092e1
0x7ff88c3092e5
0x7ff88c3092e9
0x7ff88c3092f3
0x7ff88c309306
0x7ff88c30930a
0x7ff88c30930f
0x7ff88c309313
0x7ff88c30933e

APIs

RtlCaptureContext.KERNEL32 ref: 00007FF88C309261
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF88C309279
RtlVirtualUnwind.KERNEL32 ref: 00007FF88C3092B3
IsDebuggerPresent.KERNEL32 ref: 00007FF88C3092E9
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF88C3092F3
UnhandledExceptionFilter.KERNEL32 ref: 00007FF88C3092FE

Memory Dump Source

Source File: 00000000.00000002.323590886.00007FF88C301000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF88C300000, based on PE: true

Associated: 00000000.00000002.323573707.00007FF88C300000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323655700.00007FF88C322000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323798879.00007FF88C367000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323812343.00007FF88C36A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323824687.00007FF88C36C000.00000010.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323839114.00007FF88C36D000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff88c300000_loaddll64.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: f8ac7c2c7cda7271dc3ccd891163401566f153f4bfaa5bbaeb3659fbeae6fd48
Instruction ID: f77b6aa758317ef9e455fbdfd154af40abf6150fb3785304898e08b8fac6b300
Opcode Fuzzy Hash: f8ac7c2c7cda7271dc3ccd891163401566f153f4bfaa5bbaeb3659fbeae6fd48
Instruction Fuzzy Hash: B7317533608B8186EB60DF65E844AAE73A4FB89794F500135EB9D43B99DF3CD546CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF88C3177EC Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 47
COMMON

Download Yara Rule

C-Code - Quality: 37%

			E00007FF87FF88C3177EC(void* __ecx, void* __rax, long long __rbx, char* __rcx, void* __rdx, intOrPtr _a8, long long _a16) {
				void* _t31;

				_t31 = __rax;
				_a16 = __rbx;
				if (__rcx == 0) goto 0x8c317854;
				if ( *__rcx == 0) goto 0x8c317854;
				if (E00007FF87FF88C3057E0(__ecx, __rcx, 0x8c325bc8) == 0) goto 0x8c317854;
				if (E00007FF87FF88C3057E0(__ecx, __rcx, 0x8c325bc4) != 0) goto 0x8c31784a;
				_t3 = _t31 + 2; // 0x2
				r9d = _t3;
				if (GetLocaleInfoW(??, ??, ??, ??) == 0) goto 0x8c317871;
				goto 0x8c317883;
				E00007FF87FF88C3150DC(_a8, 0x8c325bc4);
				goto 0x8c317883;
				r9d = 2;
				if (GetLocaleInfoW(??, ??, ??, ??) != 0) goto 0x8c317875;
				goto 0x8c317883;
				if (_a8 != 0) goto 0x8c317883;
				return GetACP();
			}

0x7ff88c3177ec
0x7ff88c3177ec
0x7ff88c3177ff
0x7ff88c317804
0x7ff88c317814
0x7ff88c317827
0x7ff88c31782c
0x7ff88c31782c
0x7ff88c317842
0x7ff88c317848
0x7ff88c31784d
0x7ff88c317852
0x7ff88c31785c
0x7ff88c31786f
0x7ff88c317873
0x7ff88c31787b
0x7ff88c31788d

APIs

GetLocaleInfoW.KERNEL32 ref: 00007FF88C31783A
GetLocaleInfoW.KERNEL32 ref: 00007FF88C317867
GetACP.KERNEL32 ref: 00007FF88C31787D

Strings

ACP, xrefs: 00007FF88C317806
OCP, xrefs: 00007FF88C317816

Memory Dump Source

Source File: 00000000.00000002.323590886.00007FF88C301000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF88C300000, based on PE: true

Associated: 00000000.00000002.323573707.00007FF88C300000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323655700.00007FF88C322000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323798879.00007FF88C367000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323812343.00007FF88C36A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323824687.00007FF88C36C000.00000010.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323839114.00007FF88C36D000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff88c300000_loaddll64.jbxd

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: 301b7c4afa546ac5c3d39052bd75fd4e0d94975dcd251de3196dc1da9b2f33c7
Instruction ID: bc97c11a5e9921696109f81f17843ac99cdd30bedf1a613716fdfe04563b63f5
Opcode Fuzzy Hash: 301b7c4afa546ac5c3d39052bd75fd4e0d94975dcd251de3196dc1da9b2f33c7
Instruction Fuzzy Hash: 3D114F21F0C2438AFB549B65E901EB96291BF477C5F489032FA0E86998DF6CE947C740

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180021094 Relevance: 8.0, Strings: 6, Instructions: 486COMMON

Download Yara Rule

Strings

.vnW, xrefs: 0000000180021151
%c, xrefs: 0000000180021714
rx, xrefs: 00000001800216E9
/=[U, xrefs: 00000001800215AB
id, xrefs: 00000001800212A8
a, xrefs: 000000018002143E

Memory Dump Source

Source File: 00000000.00000002.322442190.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180001000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID: %c$.vnW$/=[U$a$id$rx
API String ID: 0-1294002034
Opcode ID: 1e5ae35585031cd08f0de0970174a96ed6834a92f600fd8be4157363364f8142
Instruction ID: 9862d3b8b7ec747793e7a5ad174fbfa0e6e6e1c1e82e7330e5487f23fe84a42b
Opcode Fuzzy Hash: 1e5ae35585031cd08f0de0970174a96ed6834a92f600fd8be4157363364f8142
Instruction Fuzzy Hash: 6A32F2B1500789DBDB9CCF68C88A59E7FB1FF44398FA0521DFA0296290C7B5D985CB81

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180026518 Relevance: 7.9, Strings: 6, Instructions: 431COMMON

Download Yara Rule

Strings

J/@, xrefs: 0000000180026968
]$, xrefs: 0000000180026536
{, xrefs: 0000000180026E60
%D, xrefs: 0000000180026B76
^*{(, xrefs: 000000018002674D
Y7, xrefs: 0000000180026DE1

Memory Dump Source

Source File: 00000000.00000002.322442190.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180001000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID: %D$J/@$]$$^*{(${$Y7
API String ID: 0-597640275
Opcode ID: 96cc6b87b748fd33b30a0af38629acd40fb34a28ecd0b063911ea826c221f98d
Instruction ID: 8c2740cc35e8c14bf920cbf465cbbd1875e33698a1d588601d56ef32eb9cc919
Opcode Fuzzy Hash: 96cc6b87b748fd33b30a0af38629acd40fb34a28ecd0b063911ea826c221f98d
Instruction Fuzzy Hash: 3042D3709093C88BDBF9CF24C8897CD7BF0FF48344F90555A984E9A694DBB866858F42

Uniqueness

Uniqueness Score: -1.00%

Function 000000018001238C Relevance: 7.7, Strings: 6, Instructions: 210COMMON

Download Yara Rule

Strings

^~, xrefs: 0000000180012437
joGh, xrefs: 0000000180012649
dr, xrefs: 0000000180012626
tJ, xrefs: 00000001800126B6
p_", xrefs: 0000000180012486
(, xrefs: 00000001800125DC

Memory Dump Source

Source File: 00000000.00000002.322442190.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180001000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID: ^~$dr$joGh$tJ$($p_"
API String ID: 0-4105225594
Opcode ID: af3df956917a512f8613edff7383cda619c13abcbb7c3493aeab3f72f305b792
Instruction ID: 8f19cce05f5bb365736b2413bcfc34a5b4e4e077a0ab751c2a2f7d1293ea4f50
Opcode Fuzzy Hash: af3df956917a512f8613edff7383cda619c13abcbb7c3493aeab3f72f305b792
Instruction Fuzzy Hash: C9B1F070D0470D8BDF98CFA8D48A6DEBBF0FB08344F108129E416B6290D7789A49CF69

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF88C317A88 Relevance: 7.7, APIs: 5, Instructions: 165
COMMON

Download Yara Rule

C-Code - Quality: 37%

			E00007FF87FF88C317A88(void* __ecx, void* __edx, void* __eflags, long long __rbx, void* __rcx, void* __rdx, void* __rsi, long long __rbp, void* __r8, void* __r9, long long _a16, long long _a24) {
				void* _v8;
				signed int _v24;
				char _v152;
				char _v168;
				signed int _t62;
				signed int _t72;
				signed int _t85;
				signed int _t92;
				signed long long _t141;
				signed long long _t142;
				signed long long _t165;
				void* _t169;

				_a16 = __rbx;
				_a24 = __rbp;
				_t141 =  *0x8c3670a0; // 0xfd5a6ce2fd9f
				_t142 = _t141 ^ _t169 - 0x000000c0;
				_v24 = _t142;
				E00007FF87FF88C307F5C(__ecx, __eflags, _t142, __rcx, __rsi, __r8);
				_t165 = _t142;
				_t62 = E00007FF87FF88C3178B8(__rcx, __rdx, __r9);
				r9d = 0x78;
				asm("sbb edx, edx");
				_t92 = _t62;
				if (GetLocaleInfoA(??, ??, ??, ??) != 0) goto 0x8c317b00;
				 *(_t165 + 0x150) = 0;
				goto 0x8c317d30;
				if (E00007FF87FF88C31A374(_t142,  *((intOrPtr*)(_t165 + 0x148))) != 0) goto 0x8c317bf8;
				r9d = 0x78;
				asm("sbb edx, edx");
				if (GetLocaleInfoA(??, ??, ??, ??) == 0) goto 0x8c317af0;
				if (E00007FF87FF88C31A374(_t142,  *((intOrPtr*)(_t165 + 0x140))) != 0) goto 0x8c317b70;
				 *(_t165 + 0x150) =  *(_t165 + 0x150) | 0x00000304;
				 *(_t165 + 0x160) = _t92;
				goto 0x8c317bf2;
				if (( *(_t165 + 0x150) & 0x00000002) != 0) goto 0x8c317bf8;
				if ( *((intOrPtr*)(_t165 + 0x154)) == 0) goto 0x8c317bc6;
				if (E00007FF87FF88C31A508(_t142,  *((intOrPtr*)(_t165 + 0x140))) != 0) goto 0x8c317bc6;
				 *(_t165 + 0x150) =  *(_t165 + 0x150) | 0x00000002;
				 *(_t165 + 0x164) = _t92;
				if (E00007FF87FF88C3053B0(_t70,  *((intOrPtr*)(_t165 + 0x140))) !=  *((intOrPtr*)(_t165 + 0x154))) goto 0x8c317bf8;
				 *(_t165 + 0x160) = _t92;
				goto 0x8c317bf8;
				_t72 =  *(_t165 + 0x150);
				if ((_t72 & 0x00000001) != 0) goto 0x8c317bf8;
				if (_t92 ==  *0x8c325bb0) goto 0x8c317bf8;
				if (1 - 0xa < 0) goto 0x8c317bd9;
				 *(_t165 + 0x150) = _t72 | 0x00000001;
				 *(_t165 + 0x164) = _t92;
				if (( *(_t165 + 0x150) & 0x00000300) == 0x300) goto 0x8c317d22;
				r9d = 0x78;
				asm("sbb edx, edx");
				if (GetLocaleInfoA(??, ??, ??, ??) == 0) goto 0x8c317af0;
				if (E00007FF87FF88C31A374(_t142,  *((intOrPtr*)(_t165 + 0x140))) != 0) goto 0x8c317cc0;
				asm("bts dword [edi+0x150], 0x9");
				if ( *((intOrPtr*)(_t165 + 0x158)) == 0) goto 0x8c317c75;
				asm("bts eax, 0x8");
				goto 0x8c317cb0;
				if ( *((intOrPtr*)(_t165 + 0x154)) == 0) goto 0x8c317ca8;
				if (E00007FF87FF88C3053B0( *(_t165 + 0x150),  *((intOrPtr*)(_t165 + 0x140))) !=  *((intOrPtr*)(_t165 + 0x154))) goto 0x8c317ca8;
				_t45 = _t165 + 0x140; // 0x140
				if (E00007FF87FF88C3179F8(_t92, 1, __rcx, __rsi, __rbp, _t45) == 0) goto 0x8c317d22;
				asm("bts dword [edi+0x150], 0x8");
				if ( *(_t165 + 0x160) != 0) goto 0x8c317d22;
				 *(_t165 + 0x160) = _t92;
				goto 0x8c317d22;
				if ( *((intOrPtr*)(_t165 + 0x158)) != 0) goto 0x8c317d22;
				if ( *((intOrPtr*)(_t165 + 0x154)) == 0) goto 0x8c317d22;
				if (E00007FF87FF88C31A374(_t142,  *((intOrPtr*)(_t165 + 0x140))) != 0) goto 0x8c317d22;
				_t52 = _t142 + 2; // 0x2
				r9d = _t52;
				asm("bts ecx, 0xa");
				if (GetLocaleInfoW(??, ??, ??, ??) == 0) goto 0x8c317d22;
				_t85 =  *(_t165 + 0x160);
				asm("bts dword [edi+0x150], 0x8");
				_t86 =  ==  ? _t92 : _t85;
				 *(_t165 + 0x160) =  ==  ? _t92 : _t85;
				return E00007FF87FF88C304980(_t92 & 0x000003ff, _v24 ^ _t169 - 0x000000c0,  &_v152,  &_v168);
			}

0x7ff88c317a88
0x7ff88c317a8d
0x7ff88c317a9a
0x7ff88c317aa1
0x7ff88c317aa4
0x7ff88c317aaf
0x7ff88c317ab7
0x7ff88c317aba
0x7ff88c317acc
0x7ff88c317ad2
0x7ff88c317ad6
0x7ff88c317aee
0x7ff88c317af0
0x7ff88c317afb
0x7ff88c317b13
0x7ff88c317b24
0x7ff88c317b2e
0x7ff88c317b44
0x7ff88c317b59
0x7ff88c317b5b
0x7ff88c317b65
0x7ff88c317b6b
0x7ff88c317b77
0x7ff88c317b7f
0x7ff88c317b9b
0x7ff88c317ba4
0x7ff88c317bab
0x7ff88c317bbc
0x7ff88c317bbe
0x7ff88c317bc4
0x7ff88c317bc6
0x7ff88c317bce
0x7ff88c317bdc
0x7ff88c317be7
0x7ff88c317bec
0x7ff88c317bf2
0x7ff88c317c07
0x7ff88c317c18
0x7ff88c317c22
0x7ff88c317c38
0x7ff88c317c51
0x7ff88c317c53
0x7ff88c317c67
0x7ff88c317c69
0x7ff88c317c73
0x7ff88c317c7b
0x7ff88c317c8f
0x7ff88c317c91
0x7ff88c317ca6
0x7ff88c317ca8
0x7ff88c317cb6
0x7ff88c317cb8
0x7ff88c317cbe
0x7ff88c317cc6
0x7ff88c317cce
0x7ff88c317ce3
0x7ff88c317ce7
0x7ff88c317ce7
0x7ff88c317cfb
0x7ff88c317d07
0x7ff88c317d09
0x7ff88c317d0f
0x7ff88c317d19
0x7ff88c317d1c
0x7ff88c317d54

APIs

_getptd.LIBCMT ref: 00007FF88C317AAF

Part of subcall function 00007FF88C307F5C: _amsg_exit.LIBCMT ref: 00007FF88C307F72

GetLocaleInfoA.KERNEL32 ref: 00007FF88C317AE4
GetLocaleInfoA.KERNEL32 ref: 00007FF88C317B3C
GetLocaleInfoA.KERNEL32 ref: 00007FF88C317C30

Memory Dump Source

Source File: 00000000.00000002.323590886.00007FF88C301000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF88C300000, based on PE: true

Associated: 00000000.00000002.323573707.00007FF88C300000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323655700.00007FF88C322000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323798879.00007FF88C367000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323812343.00007FF88C36A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323824687.00007FF88C36C000.00000010.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323839114.00007FF88C36D000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff88c300000_loaddll64.jbxd

Similarity

API ID: InfoLocale$_amsg_exit_getptd
String ID:
API String ID: 3133215516-0
Opcode ID: 011128502a0fcc3ad770cc1debbaac42b99c0b0c360a2ccdac90c21ca37e0867
Instruction ID: 41bc2542ff466f8bec6358737a80ff75a472d1a35e4f1031d1df94f1a52629d1
Opcode Fuzzy Hash: 011128502a0fcc3ad770cc1debbaac42b99c0b0c360a2ccdac90c21ca37e0867
Instruction Fuzzy Hash: 8B717232B186869BEB598B60D944BE9B390FB86786F444036E71DC7289DF3CF426C700

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF88C308C48 Relevance: 7.5, APIs: 5, Instructions: 39timethreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00007FF88C308C7F
GetCurrentProcessId.KERNEL32 ref: 00007FF88C308C8A
GetCurrentThreadId.KERNEL32 ref: 00007FF88C308C96
GetTickCount.KERNEL32 ref: 00007FF88C308CA2
QueryPerformanceCounter.KERNEL32 ref: 00007FF88C308CB3

Memory Dump Source

Source File: 00000000.00000002.323590886.00007FF88C301000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF88C300000, based on PE: true

Associated: 00000000.00000002.323573707.00007FF88C300000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323655700.00007FF88C322000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323798879.00007FF88C367000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323812343.00007FF88C36A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323824687.00007FF88C36C000.00000010.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323839114.00007FF88C36D000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff88c300000_loaddll64.jbxd

Similarity

API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
String ID:
API String ID: 1445889803-0
Opcode ID: e892d1ca8605c0ae0c54fd9a0726e05f56c62d7c77bff685124484777f3dcf30
Instruction ID: a8e10f0ed5d74ac2347b279048172723af394dad65045daf69b054dd9e624537
Opcode Fuzzy Hash: e892d1ca8605c0ae0c54fd9a0726e05f56c62d7c77bff685124484777f3dcf30
Instruction Fuzzy Hash: F5018C2161DA4585EB40CF21E840AA5B360FB4BBD1F846530DE9E477A8DF3CD88AC310

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180024788 Relevance: 6.7, Strings: 5, Instructions: 428COMMON

Download Yara Rule

Strings

;cL, xrefs: 0000000180024BDA
J7, xrefs: 0000000180024CBE
3, xrefs: 0000000180025129
%, xrefs: 00000001800248BD
&, xrefs: 0000000180025069

Memory Dump Source

Source File: 00000000.00000002.322442190.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180001000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID: %$&$3$;cL$J7
API String ID: 0-1627999366
Opcode ID: 18b2b473a27a799896e4f6d2785bf90a267876b71ab08e9e855bd87571d46f63
Instruction ID: e7408fd237053f3c29396380e87e5bb265fed9a4d9f9422f64f1efbac21c3c9f
Opcode Fuzzy Hash: 18b2b473a27a799896e4f6d2785bf90a267876b71ab08e9e855bd87571d46f63
Instruction Fuzzy Hash: 3832D5719097888BEBF9CF24C8897D977F0FF44704F90651ED84E9A690DBB866488F42

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180014514 Relevance: 6.5, Strings: 5, Instructions: 287COMMON

Download Yara Rule

Strings

2, xrefs: 0000000180014536
5*-, xrefs: 00000001800149AB
ZU, xrefs: 0000000180014715
R^, xrefs: 00000001800149AF
=N, xrefs: 00000001800148C3

Memory Dump Source

Source File: 00000000.00000002.322442190.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180001000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID: 5*-$=N$ZU$2$R^
API String ID: 0-3591394199
Opcode ID: bb1d6eb7030161a16d253db6a81db699c98e5a8854b46dce3d3e6ac66bc9a55d
Instruction ID: 7724188dd4e5cf52005c6427e59c66d2460b94fd415d5796230484c9bb746d4d
Opcode Fuzzy Hash: bb1d6eb7030161a16d253db6a81db699c98e5a8854b46dce3d3e6ac66bc9a55d
Instruction Fuzzy Hash: 16E1197051074D8FEB88CF24C89A6DE3FA0FB58398F555219FC4AA6290C778D695CBC4

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000E50C Relevance: 6.5, Strings: 5, Instructions: 225COMMON

Download Yara Rule

Strings

+w, xrefs: 000000018000E760
br, xrefs: 000000018000E52A
6u, xrefs: 000000018000E6A9
ri, xrefs: 000000018000E780
XT, xrefs: 000000018000E629

Memory Dump Source

Source File: 00000000.00000002.322442190.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180001000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID: +w$6u$XT$br$ri
API String ID: 0-2037825276
Opcode ID: 2676d45436eb954209f5a2e21bd5a8304a5eb3ce6b678e3d7b326e26e4988652
Instruction ID: ca39b3bbf729964e5f303d5add46a8bac542d1890c14919d2ea7129e4463ce74
Opcode Fuzzy Hash: 2676d45436eb954209f5a2e21bd5a8304a5eb3ce6b678e3d7b326e26e4988652
Instruction Fuzzy Hash: E5A115715106499BCB88DF28C8C99ED3FB1FB483A8F95661CFC0A9B290C774D985CB84

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800180C8 Relevance: 6.4, Strings: 5, Instructions: 199COMMON

Download Yara Rule

Strings

$EHN, xrefs: 00000001800182B9
>, xrefs: 000000018001835D
I, xrefs: 0000000180018214
AOZ, xrefs: 000000018001830B
EU, xrefs: 000000018001833D

Memory Dump Source

Source File: 00000000.00000002.322442190.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180001000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID: $EHN$>$AOZ$EU$I
API String ID: 0-3962013524
Opcode ID: 228afdc4e79dfaf18a350c1c1bd7523aacd5aa0f76349953cd5a42596b0da937
Instruction ID: dc1ebcee60942a166437ce33195dc9a2529979fa2925de0649de9cd3141beb5b
Opcode Fuzzy Hash: 228afdc4e79dfaf18a350c1c1bd7523aacd5aa0f76349953cd5a42596b0da937
Instruction Fuzzy Hash: F991F571D0060C8BDB68DFA8D58A6DDBFF0FF48344F14811AE419AB694D774AA4ACF42

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF88C318470 Relevance: 6.1, APIs: 4, Instructions: 102
COMMON

Download Yara Rule

C-Code - Quality: 21%

			E00007FF87FF88C318470(void* __edx, signed int __esi, long long __rbx, intOrPtr* __rcx, void* __rdx, long long __rdi, long long __rsi, void* __r8, long long __r9) {
				signed int _t27;
				intOrPtr _t33;
				signed int _t49;
				signed long long _t60;
				long long _t68;
				long long _t71;
				void* _t74;
				signed long long _t84;
				void* _t85;
				void* _t86;
				void* _t87;
				void* _t93;
				void* _t94;

				_t78 = __rdx;
				_t86 = _t85 - 0x50;
				_t84 = _t86 + 0x40;
				 *((long long*)(_t84 + 0x40)) = __rbx;
				 *((long long*)(_t84 + 0x48)) = __rsi;
				 *((long long*)(_t84 + 0x50)) = __rdi;
				_t60 =  *0x8c3670a0; // 0xfd5a6ce2fd9f
				 *_t84 = _t60 ^ _t84;
				r13d = r8d;
				r14d = __edx;
				r12d =  *((intOrPtr*)( *__rcx + 4));
				r8d = 0;
				r9d = 0;
				_t27 = GetLocaleInfoW(??, ??, ??, ??);
				_t82 = _t27;
				_t49 = _t27;
				if (_t49 != 0) goto 0x8c3184cf;
				goto 0x8c3185a2;
				if (_t49 <= 0) goto 0x8c318538;
				_t6 = _t78 - 0x20; // -32
				if (_t6 - 2 < 0) goto 0x8c318538;
				_t74 = _t27 + _t27 + 0x10;
				if (_t74 - 0x400 > 0) goto 0x8c31851f;
				if (_t74 + 0xf - _t74 > 0) goto 0x8c318501;
				E00007FF87FF88C31A210(0 / _t27, 0xffffffffffffff0, _t93, _t94);
				_t87 = _t86 - 0xfffffff0;
				_t68 = _t87 + 0x40;
				if (_t68 == 0) goto 0x8c3184c8;
				 *_t68 = 0xcccc;
				goto 0x8c318532;
				E00007FF87FF88C3052E4(0xffffffffffffff0, _t68, _t74, _t82);
				if (0xfffffff0 == 0) goto 0x8c31853b;
				 *((intOrPtr*)(0xffffffffffffff0)) = 0xdddd;
				goto 0x8c31853b;
				_t71 = __rdi;
				if (__rdi == 0) goto 0x8c3184c8;
				r9d = __esi;
				if (GetLocaleInfoW(??, ??, ??, ??) == 0) goto 0x8c31858f;
				_t33 =  *((intOrPtr*)(_t84 + 0x60));
				r9d = r9d | 0xffffffff;
				 *((long long*)(_t87 + 0x38)) = __rdi;
				 *((long long*)(_t87 + 0x30)) = __rdi;
				if (_t33 != 0) goto 0x8c31857e;
				 *((intOrPtr*)(_t87 + 0x28)) = 0;
				 *((long long*)(_t87 + 0x20)) = __rdi;
				goto 0x8c318587;
				 *((intOrPtr*)(_t87 + 0x28)) = _t33;
				 *((long long*)(_t87 + 0x20)) = __r9;
				WideCharToMultiByte(??, ??, ??, ??, ??, ??, ??, ??);
				_t22 = _t71 - 0x10; // -16
				if ( *_t22 != 0xdddd) goto 0x8c3185a0;
				free(??);
				return E00007FF87FF88C304980(r12d,  *_t84 ^ _t84, __rdx, __rdi);
			}

0x7ff88c318470
0x7ff88c31847a
0x7ff88c31847e
0x7ff88c318483
0x7ff88c318487
0x7ff88c31848b
0x7ff88c31848f
0x7ff88c318499
0x7ff88c3184a0
0x7ff88c3184a3
0x7ff88c3184a6
0x7ff88c3184ad
0x7ff88c3184b0
0x7ff88c3184bb
0x7ff88c3184c1
0x7ff88c3184c4
0x7ff88c3184c6
0x7ff88c3184ca
0x7ff88c3184cf
0x7ff88c3184d3
0x7ff88c3184de
0x7ff88c3184e0
0x7ff88c3184ec
0x7ff88c3184f5
0x7ff88c318505
0x7ff88c31850a
0x7ff88c31850d
0x7ff88c318515
0x7ff88c318517
0x7ff88c31851d
0x7ff88c31851f
0x7ff88c31852a
0x7ff88c31852c
0x7ff88c318536
0x7ff88c318538
0x7ff88c31853e
0x7ff88c318540
0x7ff88c318554
0x7ff88c318556
0x7ff88c318559
0x7ff88c31855f
0x7ff88c31856a
0x7ff88c318571
0x7ff88c318573
0x7ff88c318577
0x7ff88c31857c
0x7ff88c31857e
0x7ff88c318582
0x7ff88c318587
0x7ff88c31858f
0x7ff88c318599
0x7ff88c31859b
0x7ff88c3185c7

APIs

GetLocaleInfoW.KERNEL32(?,?,?,?,?,?,?,00000000,00000000,00007FF88C31860B), ref: 00007FF88C3184BB
GetLocaleInfoW.KERNEL32(?,?,?,?,?,?,?,00000000,00000000,00007FF88C31860B), ref: 00007FF88C31854C
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,00000000,00000000,00007FF88C31860B), ref: 00007FF88C318587
free.LIBCMT ref: 00007FF88C31859B

Memory Dump Source

Source File: 00000000.00000002.323590886.00007FF88C301000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF88C300000, based on PE: true

Associated: 00000000.00000002.323573707.00007FF88C300000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323655700.00007FF88C322000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323798879.00007FF88C367000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323812343.00007FF88C36A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323824687.00007FF88C36C000.00000010.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323839114.00007FF88C36D000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff88c300000_loaddll64.jbxd

Similarity

API ID: InfoLocale$ByteCharMultiWidefree
String ID:
API String ID: 40707599-0
Opcode ID: d2b73d11294dd950e105d9b92421be71b80308523bcac0165169703b98794f88
Instruction ID: 72718f913912b855bad853f3c9fe1a323615d3f2dcd69ef108ae67a6163e8fa0
Opcode Fuzzy Hash: d2b73d11294dd950e105d9b92421be71b80308523bcac0165169703b98794f88
Instruction Fuzzy Hash: 22419622A08B418AEB148F25D8409A97395FB46BE8F594632EE5D87BD8DF3CE503C305

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF88C31D118 Relevance: 5.8, Strings: 4, Instructions: 796
COMMONLIBRARYCODECrypto

Download Yara Rule

C-Code - Quality: 96%

			E00007FF87FF88C31D118(unsigned int __edx, long long __rbx, signed int* __rcx, void* __rdx, signed int* __r9, void* __r10, void* __r11) {
				signed int _t242;
				signed short _t255;
				signed short _t256;
				signed int _t272;
				signed short _t273;
				signed int _t274;
				signed int _t279;
				signed short _t283;
				signed short _t284;
				signed int _t300;
				signed short _t301;
				signed int _t302;
				signed int _t308;
				signed int _t311;
				void* _t314;
				signed int _t325;
				unsigned int _t329;
				void* _t345;
				signed short _t347;
				signed int _t355;
				signed short _t357;
				signed short _t358;
				signed short _t368;
				signed short _t369;
				intOrPtr _t402;
				signed int _t405;
				signed int _t406;
				signed int _t414;
				signed int _t415;
				unsigned int _t418;
				unsigned int _t419;
				unsigned int _t421;
				unsigned int _t422;
				signed short _t425;
				signed short _t426;
				signed int _t427;
				unsigned int _t428;
				unsigned int _t431;
				unsigned int _t438;
				unsigned int _t449;
				signed int _t459;
				void* _t468;
				signed int _t470;
				signed int _t493;
				signed int _t494;
				signed int _t525;
				signed int _t526;
				signed long long _t555;
				signed long long _t556;
				signed int* _t559;
				signed int* _t562;
				unsigned long long _t570;
				void* _t572;
				intOrPtr* _t573;
				void* _t579;
				void* _t581;
				char* _t582;
				void* _t584;
				signed short* _t585;
				void* _t589;
				void* _t591;
				signed long long _t592;
				char* _t597;
				intOrPtr* _t598;
				void* _t599;
				char* _t609;
				intOrPtr* _t611;
				char* _t612;
				void* _t613;
				intOrPtr* _t617;
				intOrPtr* _t618;
				signed short* _t620;
				signed short* _t621;
				long long _t623;
				unsigned long long _t626;
				void* _t633;

				_t577 = __rdx;
				 *((long long*)(_t591 + 0x10)) = __rbx;
				_push(_t584);
				_push(_t581);
				_push(_t623);
				_push(_t633);
				_t589 = _t591 - 0x27;
				_t592 = _t591 - 0xc0;
				_t555 =  *0x8c3670a0; // 0xfd5a6ce2fd9f
				_t556 = _t555 ^ _t592;
				 *(_t589 + 0x17) = _t556;
				_t425 = __rcx[2] & 0x0000ffff;
				r10d =  *__rcx;
				_t559 = __r9;
				r9d = __rcx[1];
				r11d = 1;
				 *(_t589 - 0x4d) = __edx;
				r13d = 0;
				_t347 = _t425 & 0x8000;
				_t7 = _t577 - 1; // 0x7fff
				r15d = _t7;
				 *(_t589 - 0x39) = r8d;
				_t426 = _t425 & r15w;
				 *((long long*)(_t589 - 0x41)) = __r9;
				 *((intOrPtr*)(_t589 - 9)) = 0xcccccccc;
				 *((intOrPtr*)(_t589 - 5)) = 0xcccccccc;
				 *(_t589 - 1) = 0x3ffbcccc;
				 *(_t589 - 0x67) = _t347;
				_t242 = __r11 + 0x1f;
				r8d = __r11 + 0x2c;
				if (_t347 == 0) goto 0x8c31d1a3;
				__r9[0] = r8b;
				goto 0x8c31d1a6;
				__r9[0] = _t242;
				if (_t426 != 0) goto 0x8c31d1da;
				if (r9d != 0) goto 0x8c31d2eb;
				if (r10d != 0) goto 0x8c31d2eb;
				_t243 =  ==  ? r8d : _t242;
				__r9[0] = 0x3001;
				 *__r9 = r13w;
				__r9[0] =  ==  ? r8d : _t242;
				__r9[1] = r13b;
				goto 0x8c31db6c;
				if (_t426 != r15w) goto 0x8c31d2eb;
				 *__r9 = r11w;
				if (r9d != 0x80000000) goto 0x8c31d1f7;
				_t459 = r10d;
				if (_t459 == 0) goto 0x8c31d230;
				asm("inc ecx");
				if (_t459 < 0) goto 0x8c31d230;
				_t21 = _t559 + 4; // 0x5
				if (E00007FF87FF88C306870(_t556, _t21, __rdx, "1#SNAN") == 0) goto 0x8c31d2ca;
				r9d = 0;
				r8d = 0;
				 *((long long*)(_t592 + 0x20)) = _t623;
				E00007FF87FF88C30938C();
				asm("int3");
				if (0 == 0) goto 0x8c31d270;
				if (r9d != 0xc0000000) goto 0x8c31d270;
				if (r10d != 0) goto 0x8c31d2b1;
				_t23 = _t559 + 4; // 0x5
				if (E00007FF87FF88C306870(_t556, _t23, __rdx, "1#IND") == 0) goto 0x8c31d292;
				r9d = 0;
				r8d = 0;
				 *((long long*)(_t592 + 0x20)) = _t623;
				E00007FF87FF88C30938C();
				asm("int3");
				if (r9d != 0x80000000) goto 0x8c31d2b1;
				if (r10d != 0) goto 0x8c31d2b1;
				_t26 = _t559 + 4; // 0x5
				if (E00007FF87FF88C306870(_t556, _t26, __rdx, "1#INF") != 0) goto 0x8c31d29c;
				__r9[0] = 5;
				goto 0x8c31d2ce;
				r9d = 0;
				r8d = 0;
				 *((long long*)(_t592 + 0x20)) = _t623;
				E00007FF87FF88C30938C();
				asm("int3");
				_t30 = _t559 + 4; // 0x5
				_t597 = "1#QNAN";
				_t468 = E00007FF87FF88C306870(_t556, _t30, __rdx, _t597);
				if (_t468 != 0) goto 0x8c31d2d6;
				__r9[0] = 6;
				r11d = r13d;
				goto 0x8c31db6c;
				r9d = 0;
				r8d = 0;
				 *((long long*)(_t592 + 0x20)) = _t623;
				E00007FF87FF88C30938C();
				asm("int3");
				r8d = _t426 & 0x0000ffff;
				 *(_t589 - 0x17) = r10d;
				 *(_t589 - 0x13) = r9d;
				r8d = r8d * 0x4d10;
				r14d = 5;
				 *(_t589 - 0xf) = _t426;
				 *(_t589 - 0x19) = r13w;
				r12d = 0xbffd;
				_t40 = _t597 - 0x134312f4; // -323130100
				 *(_t589 - 0x49) = r14d;
				_t42 = _t584 - 1; // 0x4
				_t427 = _t42;
				_t355 = __rdx + _t40 >> 0x10;
				r9d = _t355;
				 *(_t589 - 0x61) = _t355;
				r9d =  ~r9d;
				if (_t468 == 0) goto 0x8c31d6c4;
				if (r9d >= 0) goto 0x8c31d36d;
				r9d =  ~r9d;
				_t470 = r9d;
				if (_t470 == 0) goto 0x8c31d6c4;
				r8d =  *(_t589 - 0x15);
				r9d = r9d >> 3;
				 *(_t589 - 0x51) = r9d;
				 *((long long*)(_t589 - 0x59)) = 0x8c368700;
				if (_t470 == 0) goto 0x8c31d6ac;
				_t617 = 0x7ff88c3686f4 + (_t556 + _t556 * 2) * 4;
				r10d = 0x8000;
				 *((long long*)(_t589 - 0x31)) = _t617;
				if ( *_t617 - r10w < 0) goto 0x8c31d3d3;
				_t570 =  *_t617;
				_t618 = _t589 + 7;
				 *(_t589 + 7) = _t570;
				 *((intOrPtr*)(_t589 + 0xf)) =  *((intOrPtr*)(_t617 + 8));
				 *((long long*)(_t589 - 0x31)) = _t618;
				 *((intOrPtr*)(_t589 + 9)) = _t355 - r11d;
				_t357 =  *(_t618 + 0xa) & 0x0000ffff;
				_t255 =  *(_t589 - 0xf) & 0x0000ffff;
				 *(_t589 - 0x65) = r13d;
				_t358 = _t357 & r15w;
				 *(_t589 - 0x29) = 0;
				_t256 = _t255 & r15w;
				 *(_t589 - 0x21) = r13d;
				r10d = _t556 + (_t570 >> 0x10);
				 *(_t589 - 0x69) = (_t357 & 0x0000ffff ^ _t255) & r10w;
				if (_t256 - r15w >= 0) goto 0x8c31d68c;
				if (_t358 - r15w >= 0) goto 0x8c31d68c;
				r15d = 0xbffd;
				if (r10w - r15w > 0) goto 0x8c31d686;
				if (r10w - 0x3fbf > 0) goto 0x8c31d449;
				 *(_t589 - 0x15) = 0;
				r15d = 0x7fff;
				goto 0x8c31d69f;
				if (_t256 != 0) goto 0x8c31d470;
				r10w = r10w + r11w;
				if (( *(_t589 - 0x11) & _t427) != 0) goto 0x8c31d470;
				if (r8d != 0) goto 0x8c31d470;
				if ( *(_t589 - 0x19) != 0) goto 0x8c31d470;
				 *(_t589 - 0xf) = r13w;
				r15d = 0x7fff;
				goto 0x8c31d6a8;
				if (_t358 != 0) goto 0x8c31d48d;
				r10w = r10w + r11w;
				if (( *(_t618 + 8) & _t427) != 0) goto 0x8c31d48d;
				if ( *((intOrPtr*)(_t618 + 4)) != r13d) goto 0x8c31d48d;
				if ( *_t618 == r13d) goto 0x8c31d436;
				_t598 = _t589 - 0x25;
				_t428 = r14d;
				r15d = _t428;
				_t572 = _t584 + _t584;
				if (_t428 <= 0) goto 0x8c31d4fb;
				r12d = 0;
				r9d = r12d;
				_t402 = _t556 + _t572;
				if (_t402 -  *((intOrPtr*)(_t598 - 4)) < 0) goto 0x8c31d4d4;
				if (_t402 - ( *(_t618 + 8) & 0x0000ffff) * ( *(_t589 + _t572 - 0x19) & 0x0000ffff) >= 0) goto 0x8c31d4d7;
				r9d = r11d;
				 *((intOrPtr*)(_t598 - 4)) = _t402;
				if (r9d == 0) goto 0x8c31d4e4;
				 *_t598 =  *_t598 + r11w;
				r15d = r15d - r11d;
				if (r15d > 0) goto 0x8c31d4b6;
				r13d = 0;
				_t599 = _t598 + 2;
				if (_t428 - r11d > 0) goto 0x8c31d497;
				r9d =  *(_t589 - 0x21);
				r8d =  *(_t589 - 0x29);
				r10w = r10w + 0xc002;
				if (r10w <= 0) goto 0x8c31d566;
				if ((0x80000000 & r9d) != 0) goto 0x8c31d560;
				r9d = r9d + r9d;
				r8d = r8d + r8d;
				r10w = r10w + 0xffff;
				r9d = r9d |  *(_t589 - 0x25) >> 0x0000001f;
				 *(_t589 - 0x29) = r8d;
				 *(_t589 - 0x25) = _t581 + _t581 | r8d >> 0x0000001f;
				 *(_t589 - 0x21) = r9d;
				if (r10w > 0) goto 0x8c31d52a;
				_t493 = r10w;
				if (_t493 > 0) goto 0x8c31d5d3;
				r10w = r10w + 0xffff;
				if (_t493 >= 0) goto 0x8c31d5d3;
				_t405 =  ~(r10w & 0xffffffff) & 0x0000ffff;
				r10w = r10w + _t405;
				 *(_t589 - 0x5d) = r10w;
				r10d =  *(_t589 - 0x65);
				_t494 =  *(_t589 - 0x29) & r11b;
				if (_t494 == 0) goto 0x8c31d58c;
				r10d = r10d + r11d;
				_t431 =  *(_t589 - 0x25);
				r8d = r8d >> 1;
				r9d = r9d >> 1;
				r8d = r8d | _t431 << 0x0000001f;
				 *(_t589 - 0x25) = _t431 >> 0x00000001 | r9d << 0x0000001f;
				 *(_t589 - 0x29) = r8d;
				if (_t494 != 0) goto 0x8c31d583;
				r10d =  *(_t589 - 0x5d) & 0x0000ffff;
				 *(_t589 - 0x21) = r9d;
				if (r10d == 0) goto 0x8c31d5d3;
				 *(_t589 - 0x29) = r8w & 0xffffffff | r11w;
				r8d =  *(_t589 - 0x29);
				goto 0x8c31d5d7;
				if (( *(_t589 - 0x29) & 0x0000ffff) - 0x8000 > 0) goto 0x8c31d5f1;
				r8d = r8d & 0x0001ffff;
				if (r8d != 0x18000) goto 0x8c31d639;
				_t406 = _t405 | 0xffffffff;
				if ( *(_t589 - 0x27) != _t406) goto 0x8c31d633;
				 *(_t589 - 0x27) = r13d;
				if ( *(_t589 - 0x23) != _t406) goto 0x8c31d627;
				_t272 =  *(_t589 - 0x1f) & 0x0000ffff;
				 *(_t589 - 0x23) = r13d;
				if (_t272 != 0xffff) goto 0x8c31d61d;
				 *(_t589 - 0x1f) = 0x8000;
				r10w = r10w + r11w;
				goto 0x8c31d62d;
				_t273 = _t272 + r11w;
				 *(_t589 - 0x1f) = _t273;
				goto 0x8c31d62d;
				_t274 = _t273 + r11d;
				 *(_t589 - 0x23) = _t274;
				r9d =  *(_t589 - 0x21);
				goto 0x8c31d639;
				 *(_t589 - 0x27) = _t274 + r11d;
				r15d = 0x7fff;
				r14d = 5;
				if (r10w - r15w < 0) goto 0x8c31d65d;
				r9d =  *(_t589 - 0x51);
				goto 0x8c31d68f;
				r10w = r10w |  *(_t589 - 0x69);
				 *(_t589 - 0x13) = r9d;
				r9d =  *(_t589 - 0x51);
				 *(_t589 - 0x19) =  *(_t589 - 0x27) & 0x0000ffff;
				_t279 =  *(_t589 - 0x25);
				 *(_t589 - 0x17) = _t279;
				r8d =  *(_t589 - 0x15);
				 *(_t589 - 0xf) = r10w;
				goto 0x8c31d6a8;
				r15d = 0x7fff;
				asm("sbb eax, eax");
				 *(_t589 - 0x15) = r13d;
				 *(_t589 - 0x11) = (_t279 & 0x80000000) + 0x7fff8000;
				r8d = r13d;
				 *(_t589 - 0x19) = r13d;
				if (r9d != 0) goto 0x8c31d37a;
				r12d = 0xbffd;
				goto 0x8c31d6cb;
				r8d =  *(_t589 - 0x15);
				r9d = 0x3fff;
				_t283 =  *(_t589 - 0x11) >> 0x10;
				if (_t283 - r9w < 0) goto 0x8c31d996;
				r9d = 0x8000;
				 *(_t589 - 0x65) = r13d;
				r10d = __r9 - 1;
				 *(_t589 - 0x61) =  *(_t589 - 0x61) + r11w;
				_t368 =  *(_t589 + 1) & 0x0000ffff;
				r15d = _t368 & 0x0000ffff;
				_t369 = _t368 & r10w;
				 *(_t589 - 0x29) = 0;
				r15w = r15w ^ _t283;
				_t284 = _t283 & r10w;
				 *(_t589 - 0x21) = r13d;
				r15w = r15w & r9w;
				r9d = _t556 + _t572;
				if (_t284 - r10w >= 0) goto 0x8c31d980;
				if (_t369 - r10w >= 0) goto 0x8c31d980;
				if (r9w - r12w > 0) goto 0x8c31d980;
				r10d = 0x3fbf;
				if (r9w - r10w > 0) goto 0x8c31d751;
				 *(_t589 - 0x11) = r13d;
				goto 0x8c31d990;
				if (_t284 != 0) goto 0x8c31d772;
				r9w = r9w + r11w;
				if (( *(_t589 - 0x11) & 0x7fffffff) != 0) goto 0x8c31d772;
				if (r8d != 0) goto 0x8c31d772;
				if ( *(_t589 - 0x19) != 0) goto 0x8c31d772;
				 *(_t589 - 0xf) = r13w;
				goto 0x8c31d996;
				if (_t369 != 0) goto 0x8c31d78c;
				r9w = r9w + r11w;
				if (( *(_t589 - 1) & 0x7fffffff) != 0) goto 0x8c31d78c;
				if ( *((intOrPtr*)(_t589 - 5)) != r13d) goto 0x8c31d78c;
				if ( *((intOrPtr*)(_t589 - 9)) == r13d) goto 0x8c31d748;
				_t573 = _t589 - 0x25;
				r13d = r14d;
				_t579 = _t581 + _t581;
				if (r14d <= 0) goto 0x8c31d7f5;
				r14d = r13d;
				_t585 = _t589 - 1;
				_t620 = _t589 + _t579 - 0x19;
				r14d = r14d & r11d;
				r8d = 0;
				r10d = _t556 + _t579;
				if (r10d -  *(_t573 - 4) < 0) goto 0x8c31d7d1;
				if (r10d - ( *_t620 & 0x0000ffff) * ( *_t585 & 0x0000ffff) >= 0) goto 0x8c31d7d4;
				r8d = r11d;
				 *(_t573 - 4) = r10d;
				if (r8d == 0) goto 0x8c31d7e1;
				 *_t573 =  *_t573 + r11w;
				r13d = r13d - r11d;
				_t621 =  &(_t620[1]);
				if (r13d > 0) goto 0x8c31d7b2;
				r14d =  *(_t589 - 0x49);
				r14d = r14d - r11d;
				r13d = 0;
				 *(_t589 - 0x49) = r14d;
				if (r14d > 0) goto 0x8c31d793;
				r8d =  *(_t589 - 0x21);
				r10d =  *(_t589 - 0x29);
				r12d = 0xffff;
				r9w = r9w + 0xc002;
				if (r9w <= 0) goto 0x8c31d86d;
				if ((0x80000000 & r8d) != 0) goto 0x8c31d867;
				r8d = r8d + r8d;
				r10d = r10d + r10d;
				r9w = r9w + r12w;
				r8d = r8d |  *(_t589 - 0x25) >> 0x0000001f;
				 *(_t589 - 0x29) = r10d;
				 *(_t589 - 0x25) = _t581 + _t581 | r10d >> 0x0000001f;
				 *(_t589 - 0x21) = r8d;
				if (r9w > 0) goto 0x8c31d831;
				_t525 = r9w;
				if (_t525 > 0) goto 0x8c31d8d2;
				r9w = r9w + r12w;
				if (_t525 >= 0) goto 0x8c31d8d2;
				_t414 =  ~(r9w & 0xffffffff) & 0x0000ffff;
				r9w = r9w + _t414;
				_t526 =  *(_t589 - 0x29) & r11b;
				if (_t526 == 0) goto 0x8c31d88d;
				_t345 =  *(_t589 - 0x65) + r11d;
				_t438 =  *(_t589 - 0x25);
				r10d = r10d >> 1;
				r8d = r8d >> 1;
				r10d = r10d | _t438 << 0x0000001f;
				 *(_t589 - 0x25) = _t438 >> 0x00000001 | r8d << 0x0000001f;
				 *(_t589 - 0x29) = r10d;
				if (_t526 != 0) goto 0x8c31d884;
				_t562 =  *((intOrPtr*)(_t589 - 0x41));
				 *(_t589 - 0x21) = r8d;
				if (_t345 == 0) goto 0x8c31d8d2;
				 *(_t589 - 0x29) = r10w & 0xffffffff | r11w;
				r10d =  *(_t589 - 0x29);
				goto 0x8c31d8d6;
				if (( *(_t589 - 0x29) & 0x0000ffff) - 0x8000 > 0) goto 0x8c31d8f0;
				r10d = r10d & 0x0001ffff;
				if (r10d != 0x18000) goto 0x8c31d939;
				_t415 = _t414 | 0xffffffff;
				if ( *(_t589 - 0x27) != _t415) goto 0x8c31d933;
				 *(_t589 - 0x27) = r13d;
				if ( *(_t589 - 0x23) != _t415) goto 0x8c31d927;
				_t300 =  *(_t589 - 0x1f) & 0x0000ffff;
				 *(_t589 - 0x23) = r13d;
				if (_t300 != r12w) goto 0x8c31d91d;
				 *(_t589 - 0x1f) = 0x8000;
				r9w = r9w + r11w;
				goto 0x8c31d92d;
				_t301 = _t300 + r11w;
				 *(_t589 - 0x1f) = _t301;
				goto 0x8c31d92d;
				_t302 = _t301 + r11d;
				 *(_t589 - 0x23) = _t302;
				r8d =  *(_t589 - 0x21);
				goto 0x8c31d939;
				 *(_t589 - 0x27) = _t302 + r11d;
				if (r9w - 0x7fff < 0) goto 0x8c31d95c;
				r15w =  ~r15w;
				r8d = r13d;
				asm("sbb eax, eax");
				 *(_t589 - 0x11) = 0x7fff8000;
				goto 0x8c31d99b;
				r9w = r9w | r15w;
				 *(_t589 - 0x13) = r8d;
				 *(_t589 - 0x19) =  *(_t589 - 0x27) & 0x0000ffff;
				_t308 =  *(_t589 - 0x25);
				 *(_t589 - 0xf) = r9w;
				 *(_t589 - 0x17) = _t308;
				r8d =  *(_t589 - 0x15);
				goto 0x8c31d99b;
				r15w =  ~r15w;
				asm("sbb eax, eax");
				 *(_t589 - 0x11) = (_t308 & 0x80000000) + 0x7fff8000;
				_t418 = r13d;
				r8d = r13d;
				_t311 =  *(_t589 - 0x61);
				r12d =  *(_t589 - 0x4d);
				 *_t562 = _t311;
				if (( *(_t589 - 0x39) & r11b) == 0) goto 0x8c31d9c8;
				r12d = r12d + _t311;
				if (r12d > 0) goto 0x8c31d9c8;
				_t212 = _t556 + 0xd; // 0x2d
				_t314 =  ==  ? _t212 : 0x20;
				goto 0x8c31d1c4;
				r9d =  *(_t589 - 0x11);
				 *(_t589 - 0xf) = r13w;
				_t216 = _t556 - 0xd; // 0x8
				r10d = _t216;
				r12d =  >  ? 0x15 : r12d;
				r9d = r9d >> 0x10;
				r9d = r9d - 0x3ffe;
				r8d = r8d + r8d;
				r8d = r8d | _t418 >> 0x0000001f;
				_t449 =  *(_t589 - 0x11) +  *(_t589 - 0x11) | r8d >> 0x0000001f;
				_t419 = _t418 + _t418;
				if (r12d != 0x15) goto 0x8c31d9ef;
				 *(_t589 - 0x15) = r8d;
				 *(_t589 - 0x19) = _t419;
				if (r9d >= 0) goto 0x8c31da49;
				r9d =  ~r9d;
				r10d = r9b & 0xffffffff;
				if (r10d <= 0) goto 0x8c31da49;
				r8d = r8d >> 1;
				r10d = r10d - r11d;
				r8d = r8d | _t449 << 0x0000001f;
				_t421 = _t419 >> 0x00000001 | r8d << 0x0000001f;
				if (r10d > 0) goto 0x8c31da23;
				 *(_t589 - 0x15) = r8d;
				 *(_t589 - 0x19) = _t421;
				r14d =  &(_t621[0]);
				_t222 =  &(_t562[1]); // 0x5
				_t582 = _t222;
				_t609 = _t582;
				if (r14d <= 0) goto 0x8c31db28;
				_t626 =  *(_t589 - 0x19);
				r8d = r8d + r8d;
				_t422 = _t421 + _t421;
				r9d = _t585 - 2 + _t585 - 2;
				 *(_t589 + 7) = _t626;
				r8d = r8d | _t421 >> 0x0000001f;
				r9d = r9d | r8d >> 0x0000001f;
				r8d = r8d + r8d;
				r8d = r8d | _t422 >> 0x0000001f;
				r9d = r9d + r9d;
				r15d = _t556 + _t579 - __r11;
				r9d = r9d | r8d >> 0x0000001f;
				if (r15d - _t422 + _t422 < 0) goto 0x8c31daaa;
				if (r15d - r13d >= 0) goto 0x8c31dac7;
				_t325 = _t599 + 1;
				if (_t325 - r8d < 0) goto 0x8c31daba;
				if (_t325 - r11d >= 0) goto 0x8c31dabd;
				r8d = _t325;
				if (r11d == 0) goto 0x8c31dac7;
				r9d = r9d + r11d;
				r12d = _t599 + (_t626 >> 0x20);
				if (r12d - r8d < 0) goto 0x8c31dad9;
				if (r12d - r13d >= 0) goto 0x8c31dadc;
				r9d = r9d + r11d;
				r9d = r9d + (_t449 >> 1);
				r13d = 0;
				r8d = _t621 + _t621;
				r8d = r8d | r15d >> 0x0000001f;
				_t329 = __r9 + __r9 | r12d >> 0x0000001f;
				r14d = r14d - r11d;
				 *(_t589 - 0x11) = _t329;
				 *(_t589 - 0x19) = _t633 + _t633;
				 *(_t589 - 0x15) = r8d;
				 *(_t589 - 0xe) = r13b;
				 *_t609 = (_t329 >> 0x18) + 0x30;
				if (r14d <= 0) goto 0x8c31db28;
				goto 0x8c31da5e;
				_t611 = _t609 + __r11 - __r11;
				_t612 = _t611 - __r11;
				if ( *_t611 - 0x35 < 0) goto 0x8c31db9f;
				goto 0x8c31db44;
				if ( *_t612 != 0x39) goto 0x8c31db49;
				 *_t612 = 0x30;
				_t613 = _t612 - __r11;
				if (_t613 - _t582 >= 0) goto 0x8c31db37;
				if (_t613 - _t582 >= 0) goto 0x8c31db55;
				 *_t562 =  *_t562 + r11w;
				 *((intOrPtr*)(_t613 + __r11)) =  *((intOrPtr*)(_t613 + __r11)) + r11b;
				r10b = r10b - _t345;
				r10b = r10b - 3;
				_t562[0] = r10b;
				 *( &(_t562[1]) + r10b) = r13b;
				return E00007FF87FF88C304980(r12d >> 0x1f,  *(_t589 + 0x17) ^ _t592, _t579 - __r11, _t599);
			}

0x7ff88c31d118
0x7ff88c31d118
0x7ff88c31d11e
0x7ff88c31d11f
0x7ff88c31d122
0x7ff88c31d126
0x7ff88c31d128
0x7ff88c31d12d
0x7ff88c31d134
0x7ff88c31d13b
0x7ff88c31d13e
0x7ff88c31d142
0x7ff88c31d146
0x7ff88c31d149
0x7ff88c31d14c
0x7ff88c31d153
0x7ff88c31d159
0x7ff88c31d161
0x7ff88c31d164
0x7ff88c31d167
0x7ff88c31d167
0x7ff88c31d16b
0x7ff88c31d16f
0x7ff88c31d173
0x7ff88c31d177
0x7ff88c31d17e
0x7ff88c31d185
0x7ff88c31d18c
0x7ff88c31d190
0x7ff88c31d194
0x7ff88c31d19b
0x7ff88c31d19d
0x7ff88c31d1a1
0x7ff88c31d1a3
0x7ff88c31d1a9
0x7ff88c31d1ae
0x7ff88c31d1b7
0x7ff88c31d1c0
0x7ff88c31d1c4
0x7ff88c31d1ca
0x7ff88c31d1ce
0x7ff88c31d1d1
0x7ff88c31d1d5
0x7ff88c31d1de
0x7ff88c31d1e9
0x7ff88c31d1f0
0x7ff88c31d1f2
0x7ff88c31d1f5
0x7ff88c31d1f7
0x7ff88c31d1fc
0x7ff88c31d1fe
0x7ff88c31d215
0x7ff88c31d21b
0x7ff88c31d21e
0x7ff88c31d225
0x7ff88c31d22a
0x7ff88c31d22f
0x7ff88c31d233
0x7ff88c31d23c
0x7ff88c31d241
0x7ff88c31d243
0x7ff88c31d259
0x7ff88c31d25b
0x7ff88c31d25e
0x7ff88c31d265
0x7ff88c31d26a
0x7ff88c31d26f
0x7ff88c31d273
0x7ff88c31d278
0x7ff88c31d27a
0x7ff88c31d290
0x7ff88c31d297
0x7ff88c31d29a
0x7ff88c31d29c
0x7ff88c31d29f
0x7ff88c31d2a6
0x7ff88c31d2ab
0x7ff88c31d2b0
0x7ff88c31d2b1
0x7ff88c31d2b5
0x7ff88c31d2c6
0x7ff88c31d2c8
0x7ff88c31d2ca
0x7ff88c31d2ce
0x7ff88c31d2d1
0x7ff88c31d2d6
0x7ff88c31d2d9
0x7ff88c31d2e0
0x7ff88c31d2e5
0x7ff88c31d2ea
0x7ff88c31d2eb
0x7ff88c31d2f2
0x7ff88c31d2fc
0x7ff88c31d30f
0x7ff88c31d319
0x7ff88c31d323
0x7ff88c31d327
0x7ff88c31d32c
0x7ff88c31d335
0x7ff88c31d33d
0x7ff88c31d341
0x7ff88c31d341
0x7ff88c31d344
0x7ff88c31d347
0x7ff88c31d34b
0x7ff88c31d34e
0x7ff88c31d351
0x7ff88c31d35a
0x7ff88c31d363
0x7ff88c31d36a
0x7ff88c31d36d
0x7ff88c31d373
0x7ff88c31d381
0x7ff88c31d388
0x7ff88c31d38c
0x7ff88c31d390
0x7ff88c31d39c
0x7ff88c31d3a0
0x7ff88c31d3a6
0x7ff88c31d3af
0x7ff88c31d3b1
0x7ff88c31d3ba
0x7ff88c31d3be
0x7ff88c31d3c6
0x7ff88c31d3cc
0x7ff88c31d3d0
0x7ff88c31d3d3
0x7ff88c31d3d9
0x7ff88c31d3dd
0x7ff88c31d3e4
0x7ff88c31d3e8
0x7ff88c31d3f3
0x7ff88c31d3f7
0x7ff88c31d3ff
0x7ff88c31d403
0x7ff88c31d40b
0x7ff88c31d415
0x7ff88c31d41b
0x7ff88c31d425
0x7ff88c31d434
0x7ff88c31d436
0x7ff88c31d43e
0x7ff88c31d444
0x7ff88c31d44c
0x7ff88c31d44e
0x7ff88c31d455
0x7ff88c31d45a
0x7ff88c31d45e
0x7ff88c31d460
0x7ff88c31d465
0x7ff88c31d46b
0x7ff88c31d473
0x7ff88c31d475
0x7ff88c31d47e
0x7ff88c31d485
0x7ff88c31d48b
0x7ff88c31d490
0x7ff88c31d494
0x7ff88c31d49a
0x7ff88c31d49d
0x7ff88c31d4a2
0x7ff88c31d4b3
0x7ff88c31d4bf
0x7ff88c31d4c9
0x7ff88c31d4ce
0x7ff88c31d4d2
0x7ff88c31d4d4
0x7ff88c31d4d7
0x7ff88c31d4de
0x7ff88c31d4e0
0x7ff88c31d4e4
0x7ff88c31d4f2
0x7ff88c31d4f8
0x7ff88c31d4fe
0x7ff88c31d507
0x7ff88c31d509
0x7ff88c31d50d
0x7ff88c31d516
0x7ff88c31d528
0x7ff88c31d52d
0x7ff88c31d535
0x7ff88c31d53b
0x7ff88c31d546
0x7ff88c31d54c
0x7ff88c31d54f
0x7ff88c31d553
0x7ff88c31d556
0x7ff88c31d55e
0x7ff88c31d560
0x7ff88c31d564
0x7ff88c31d566
0x7ff88c31d56a
0x7ff88c31d573
0x7ff88c31d576
0x7ff88c31d57a
0x7ff88c31d57f
0x7ff88c31d583
0x7ff88c31d587
0x7ff88c31d589
0x7ff88c31d58c
0x7ff88c31d592
0x7ff88c31d5a1
0x7ff88c31d5a4
0x7ff88c31d5aa
0x7ff88c31d5ad
0x7ff88c31d5b1
0x7ff88c31d5b6
0x7ff88c31d5bb
0x7ff88c31d5bf
0x7ff88c31d5c9
0x7ff88c31d5cd
0x7ff88c31d5d1
0x7ff88c31d5df
0x7ff88c31d5e1
0x7ff88c31d5ef
0x7ff88c31d5f4
0x7ff88c31d5f9
0x7ff88c31d5fe
0x7ff88c31d604
0x7ff88c31d606
0x7ff88c31d60a
0x7ff88c31d611
0x7ff88c31d613
0x7ff88c31d617
0x7ff88c31d61b
0x7ff88c31d61d
0x7ff88c31d621
0x7ff88c31d625
0x7ff88c31d627
0x7ff88c31d62a
0x7ff88c31d62d
0x7ff88c31d631
0x7ff88c31d636
0x7ff88c31d639
0x7ff88c31d63f
0x7ff88c31d64e
0x7ff88c31d654
0x7ff88c31d65b
0x7ff88c31d661
0x7ff88c31d666
0x7ff88c31d66a
0x7ff88c31d66e
0x7ff88c31d672
0x7ff88c31d675
0x7ff88c31d678
0x7ff88c31d67f
0x7ff88c31d684
0x7ff88c31d686
0x7ff88c31d68f
0x7ff88c31d691
0x7ff88c31d69c
0x7ff88c31d6a2
0x7ff88c31d6a5
0x7ff88c31d6af
0x7ff88c31d6bc
0x7ff88c31d6c2
0x7ff88c31d6c4
0x7ff88c31d6ce
0x7ff88c31d6d4
0x7ff88c31d6db
0x7ff88c31d6e5
0x7ff88c31d6eb
0x7ff88c31d6ef
0x7ff88c31d6f3
0x7ff88c31d6f6
0x7ff88c31d6fa
0x7ff88c31d6fe
0x7ff88c31d702
0x7ff88c31d70a
0x7ff88c31d70e
0x7ff88c31d712
0x7ff88c31d716
0x7ff88c31d71a
0x7ff88c31d722
0x7ff88c31d72c
0x7ff88c31d736
0x7ff88c31d73c
0x7ff88c31d746
0x7ff88c31d748
0x7ff88c31d74c
0x7ff88c31d754
0x7ff88c31d756
0x7ff88c31d75d
0x7ff88c31d762
0x7ff88c31d766
0x7ff88c31d768
0x7ff88c31d76d
0x7ff88c31d775
0x7ff88c31d777
0x7ff88c31d77e
0x7ff88c31d784
0x7ff88c31d78a
0x7ff88c31d78f
0x7ff88c31d798
0x7ff88c31d79b
0x7ff88c31d7a1
0x7ff88c31d7a3
0x7ff88c31d7a6
0x7ff88c31d7aa
0x7ff88c31d7af
0x7ff88c31d7ba
0x7ff88c31d7c3
0x7ff88c31d7ca
0x7ff88c31d7cf
0x7ff88c31d7d1
0x7ff88c31d7d4
0x7ff88c31d7db
0x7ff88c31d7dd
0x7ff88c31d7e1
0x7ff88c31d7e4
0x7ff88c31d7ef
0x7ff88c31d7f1
0x7ff88c31d7f5
0x7ff88c31d7ff
0x7ff88c31d802
0x7ff88c31d809
0x7ff88c31d80f
0x7ff88c31d813
0x7ff88c31d821
0x7ff88c31d827
0x7ff88c31d82f
0x7ff88c31d834
0x7ff88c31d83c
0x7ff88c31d842
0x7ff88c31d84d
0x7ff88c31d853
0x7ff88c31d856
0x7ff88c31d85a
0x7ff88c31d85d
0x7ff88c31d865
0x7ff88c31d867
0x7ff88c31d86b
0x7ff88c31d86d
0x7ff88c31d871
0x7ff88c31d87d
0x7ff88c31d880
0x7ff88c31d884
0x7ff88c31d888
0x7ff88c31d88a
0x7ff88c31d88d
0x7ff88c31d893
0x7ff88c31d8a2
0x7ff88c31d8a5
0x7ff88c31d8ab
0x7ff88c31d8ae
0x7ff88c31d8b2
0x7ff88c31d8b6
0x7ff88c31d8ba
0x7ff88c31d8be
0x7ff88c31d8c8
0x7ff88c31d8cc
0x7ff88c31d8d0
0x7ff88c31d8de
0x7ff88c31d8e0
0x7ff88c31d8ee
0x7ff88c31d8f3
0x7ff88c31d8f8
0x7ff88c31d8fd
0x7ff88c31d903
0x7ff88c31d905
0x7ff88c31d909
0x7ff88c31d911
0x7ff88c31d913
0x7ff88c31d917
0x7ff88c31d91b
0x7ff88c31d91d
0x7ff88c31d921
0x7ff88c31d925
0x7ff88c31d927
0x7ff88c31d92a
0x7ff88c31d92d
0x7ff88c31d931
0x7ff88c31d936
0x7ff88c31d942
0x7ff88c31d944
0x7ff88c31d948
0x7ff88c31d94e
0x7ff88c31d957
0x7ff88c31d95a
0x7ff88c31d960
0x7ff88c31d964
0x7ff88c31d968
0x7ff88c31d96c
0x7ff88c31d96f
0x7ff88c31d974
0x7ff88c31d977
0x7ff88c31d97e
0x7ff88c31d980
0x7ff88c31d984
0x7ff88c31d98d
0x7ff88c31d990
0x7ff88c31d993
0x7ff88c31d99b
0x7ff88c31d99e
0x7ff88c31d9a2
0x7ff88c31d9a9
0x7ff88c31d9ac
0x7ff88c31d9b2
0x7ff88c31d9bd
0x7ff88c31d9c0
0x7ff88c31d9c3
0x7ff88c31d9c8
0x7ff88c31d9d1
0x7ff88c31d9dc
0x7ff88c31d9dc
0x7ff88c31d9e0
0x7ff88c31d9e4
0x7ff88c31d9e8
0x7ff88c31d9f6
0x7ff88c31d9ff
0x7ff88c31da02
0x7ff88c31da04
0x7ff88c31da09
0x7ff88c31da0b
0x7ff88c31da0f
0x7ff88c31da15
0x7ff88c31da17
0x7ff88c31da1a
0x7ff88c31da21
0x7ff88c31da2a
0x7ff88c31da33
0x7ff88c31da38
0x7ff88c31da3b
0x7ff88c31da40
0x7ff88c31da42
0x7ff88c31da46
0x7ff88c31da49
0x7ff88c31da4e
0x7ff88c31da4e
0x7ff88c31da52
0x7ff88c31da58
0x7ff88c31da5e
0x7ff88c31da65
0x7ff88c31da6d
0x7ff88c31da72
0x7ff88c31da76
0x7ff88c31da7a
0x7ff88c31da7d
0x7ff88c31da88
0x7ff88c31da8b
0x7ff88c31da90
0x7ff88c31da99
0x7ff88c31da9d
0x7ff88c31daa3
0x7ff88c31daa8
0x7ff88c31daaa
0x7ff88c31dab3
0x7ff88c31dab8
0x7ff88c31dabd
0x7ff88c31dac2
0x7ff88c31dac4
0x7ff88c31dacb
0x7ff88c31dad2
0x7ff88c31dad7
0x7ff88c31dad9
0x7ff88c31dadc
0x7ff88c31dadf
0x7ff88c31dae8
0x7ff88c31daef
0x7ff88c31daf9
0x7ff88c31daff
0x7ff88c31db02
0x7ff88c31db08
0x7ff88c31db0d
0x7ff88c31db11
0x7ff88c31db15
0x7ff88c31db1e
0x7ff88c31db23
0x7ff88c31db28
0x7ff88c31db2e
0x7ff88c31db33
0x7ff88c31db35
0x7ff88c31db3b
0x7ff88c31db3d
0x7ff88c31db41
0x7ff88c31db47
0x7ff88c31db4c
0x7ff88c31db51
0x7ff88c31db55
0x7ff88c31db58
0x7ff88c31db5b
0x7ff88c31db63
0x7ff88c31db67
0x7ff88c31db95

Strings

1#QNAN, xrefs: 00007FF88C31D2B5
1#IND, xrefs: 00007FF88C31D247
1#SNAN, xrefs: 00007FF88C31D202
1#INF, xrefs: 00007FF88C31D27E

Memory Dump Source

Source File: 00000000.00000002.323590886.00007FF88C301000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF88C300000, based on PE: true

Associated: 00000000.00000002.323573707.00007FF88C300000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323655700.00007FF88C322000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323798879.00007FF88C367000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323812343.00007FF88C36A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323824687.00007FF88C36C000.00000010.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323839114.00007FF88C36D000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff88c300000_loaddll64.jbxd

Similarity

API ID:
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 0-2761157908
Opcode ID: 727ce07a53902cb76f339623ee1da871c8c7256c7c015f9dd5e26a20e53c543f
Instruction ID: 819cf0501464f09c8d8c68f3a7ffaf137c5f65ebdd57447727be02d5864f748d
Opcode Fuzzy Hash: 727ce07a53902cb76f339623ee1da871c8c7256c7c015f9dd5e26a20e53c543f
Instruction Fuzzy Hash: 4462B677F186528EF716CFA5C000EBD37B1BB56788F405036EE49A7A8CDA38A916C750

Uniqueness

Uniqueness Score: -1.00%

Function 000000018001C108 Relevance: 5.3, Strings: 4, Instructions: 268COMMON

Download Yara Rule

Strings

#X, xrefs: 000000018001C403
E, xrefs: 000000018001C3AE
z@, xrefs: 000000018001C525
X, xrefs: 000000018001C44C

Memory Dump Source

Source File: 00000000.00000002.322442190.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180001000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID: #X$X$z@$E
API String ID: 0-3882157748
Opcode ID: b6a31d4014d88f3ed4831739a4752aba65529418ce781ad2496ce489ba133702
Instruction ID: 6d9294500fce893888222c02a35115425f9b7e085aa530851f65a0cb6f4d2f75
Opcode Fuzzy Hash: b6a31d4014d88f3ed4831739a4752aba65529418ce781ad2496ce489ba133702
Instruction Fuzzy Hash: 15D14771D04A4C8BEBA8CFE8C8896DDBFB1FF44344F14811DE416AA694D7B4994ACF06

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180017CB0 Relevance: 5.2, Strings: 4, Instructions: 200COMMON

Download Yara Rule

Strings

O, xrefs: 0000000180017FD3
L1, xrefs: 0000000180017F4A
'j, xrefs: 0000000180017F97
22, xrefs: 0000000180017FAC

Memory Dump Source

Source File: 00000000.00000002.322442190.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180001000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID: 'j$22$L1$O
API String ID: 0-2877195160
Opcode ID: b7879977c5ce9c1248ad65d086e123eb71db835c7f10f45bad6449e5127c4bcd
Instruction ID: 0d09b015998af2a7f09ef414baaacdc416678862227913243af973efd13c4205
Opcode Fuzzy Hash: b7879977c5ce9c1248ad65d086e123eb71db835c7f10f45bad6449e5127c4bcd
Instruction Fuzzy Hash: 6CB1D37150078E8BDB48DF24D88A5DA3FB1FB68388F114618FC56962A0C7B8D6A5CFC5

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000CE88 Relevance: 5.2, Strings: 4, Instructions: 188COMMON

Download Yara Rule

Strings

;1, xrefs: 000000018000D0D6
\, xrefs: 000000018000CEF4
c%, xrefs: 000000018000D141
[i9, xrefs: 000000018000CF58

Memory Dump Source

Source File: 00000000.00000002.322442190.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180001000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID: ;1$c%$[i9$\
API String ID: 0-1566691149
Opcode ID: 7e0256d9dc0970131b042651486858cae521227d5f926d78ff99adf92a6a296f
Instruction ID: 1d0b1aebc6d805f01a66139074785db3085e3ef57a1ac993a454007b74a5e76a
Opcode Fuzzy Hash: 7e0256d9dc0970131b042651486858cae521227d5f926d78ff99adf92a6a296f
Instruction Fuzzy Hash: 76911C7050034E8BDB48CF24C88A6DE3FB0FB58388F255619FC5AA6290D7B8D695CBC5

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180014DD0 Relevance: 5.1, Strings: 4, Instructions: 133COMMON

Download Yara Rule

Strings

Hp, xrefs: 0000000180014DF8
!5, xrefs: 0000000180014DF1
e<hY, xrefs: 0000000180014F18
.;Cu, xrefs: 0000000180014EFA

Memory Dump Source

Source File: 00000000.00000002.322442190.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180001000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID: !5$.;Cu$Hp$e<hY
API String ID: 0-3886692556
Opcode ID: 2d10b1bc25f04d6e854c85251d274f78bd7fa7e9d86821cc95133926e585948f
Instruction ID: c90e423365ee059e2e53f55b04756d908d8b1b8841c96bc4d45cd8ddcdc16a2a
Opcode Fuzzy Hash: 2d10b1bc25f04d6e854c85251d274f78bd7fa7e9d86821cc95133926e585948f
Instruction Fuzzy Hash: D261C2B090070E8BDF48CFA4C98A5EFBFB0FB58344F204519E916A62A1C7789655CFD5

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000B5CC Relevance: 5.1, Strings: 4, Instructions: 113COMMON

Download Yara Rule

Strings

[, xrefs: 000000018000B63B
VS, xrefs: 000000018000B6B6
K!, xrefs: 000000018000B75B
K!, xrefs: 000000018000B77A

Memory Dump Source

Source File: 00000000.00000002.322442190.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180001000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID: VS$K!$K!$[
API String ID: 0-941600464
Opcode ID: 5203046c57591beb8abf927361a5c1efe92546690a2194395d7fcff6a1efc1e3
Instruction ID: 24cb21ce85cfa0194e449551dcb0960389ee472d40193f350ecb83f0dafd5cb0
Opcode Fuzzy Hash: 5203046c57591beb8abf927361a5c1efe92546690a2194395d7fcff6a1efc1e3
Instruction Fuzzy Hash: 1751B2B190434A8FDB48CF68C48A4DE7FF0FB58398F114219E85AA7250D3B896A5CFC5

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000795C Relevance: 5.1, Strings: 4, Instructions: 110COMMON

Download Yara Rule

Strings

RH, xrefs: 0000000180007968
U"[1, xrefs: 00000001800079BA
5~, xrefs: 00000001800079EA
r*, xrefs: 0000000180007A8D

Memory Dump Source

Source File: 00000000.00000002.322442190.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180001000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID: 5~$RH$U"[1$r*
API String ID: 0-2392855146
Opcode ID: 74d4e9e8acceec8678675fea3afeade6188cda64566ec1506fd0b91fe4636237
Instruction ID: 2de3a728fb9f1c234df21541b8d92488d80701569f5b21d6f1c6647fb6b020d0
Opcode Fuzzy Hash: 74d4e9e8acceec8678675fea3afeade6188cda64566ec1506fd0b91fe4636237
Instruction Fuzzy Hash: 7D51E4B091074E8FDF88CF68D89A5DE7FB0FB08358F10461DE926A6250D3B89665CF85

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180019B88 Relevance: 5.1, Strings: 4, Instructions: 79COMMON

Download Yara Rule

Strings

/D, xrefs: 0000000180019CA6
vL, xrefs: 0000000180019C8D
d, xrefs: 0000000180019C1E
o, xrefs: 0000000180019C58

Memory Dump Source

Source File: 00000000.00000002.322442190.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180001000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID: /D$vL$d$o
API String ID: 0-2977468253
Opcode ID: ed753db6b5ccfd2e979d23812493129d1a1915ed191e1ff12a953608e8c656dd
Instruction ID: 62010c772727c25a8e2be5f45e579bf575341dbbeb2476438e3592c42907976d
Opcode Fuzzy Hash: ed753db6b5ccfd2e979d23812493129d1a1915ed191e1ff12a953608e8c656dd
Instruction Fuzzy Hash: F341A2B180034E8FEF84CF68D8894DE7BF0FB08358F104A19F869A6250D7B49664CF85

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180015120 Relevance: 5.1, Strings: 4, Instructions: 59COMMON

Download Yara Rule

Strings

_A, xrefs: 000000018001520A
s, xrefs: 0000000180015134
4, xrefs: 000000018001513C
k$E5, xrefs: 00000001800151CA

Memory Dump Source

Source File: 00000000.00000002.322442190.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180001000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID: _A$k$E5$s$4
API String ID: 0-663462204
Opcode ID: 8a40fe451781e9b20feea338120dcb2eaeaaa429e8350153e19f197ed662c18e
Instruction ID: fd2aec7101dbf464b7382e3264293e0797881b621d91629743679140172157c5
Opcode Fuzzy Hash: 8a40fe451781e9b20feea338120dcb2eaeaaa429e8350153e19f197ed662c18e
Instruction Fuzzy Hash: C3316DB052C780AFD389DF28D48981EBBE0BB89748F806E1DF8C69B251D7B5D444CB42

Uniqueness

Uniqueness Score: -1.00%

Function 000000018001BA34 Relevance: 5.0, Strings: 4, Instructions: 47COMMON

Download Yara Rule

Strings

|G, xrefs: 000000018001BA48
C, xrefs: 000000018001BB09
ST, xrefs: 000000018001BA38
HH=^, xrefs: 000000018001BAC4

Memory Dump Source

Source File: 00000000.00000002.322442190.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180001000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID: C$HH=^$ST$|G
API String ID: 0-2140810170
Opcode ID: 7de7f8c6360f7060eeb293604cd5bc6060700daae64bcca7bcf183f3099b0019
Instruction ID: 85683acb54d2ba5adedf66d596d363cd9430a1a7455b52370ea7d65832e45071
Opcode Fuzzy Hash: 7de7f8c6360f7060eeb293604cd5bc6060700daae64bcca7bcf183f3099b0019
Instruction Fuzzy Hash: D3215EB4528781AFE388CF24C08981BBBF0FB95354F816A1DF98A86250D7B5D444CB02

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF88C317D58 Relevance: 4.6, APIs: 3, Instructions: 70
COMMON

Download Yara Rule

C-Code - Quality: 49%

			E00007FF87FF88C317D58(void* __ecx, void* __edx, void* __eflags, long long __rbx, void* __rcx, void* __rdx, void* __rsi, void* __rbp, void* __r8, void* __r9, long long _a16) {
				signed int _v24;
				char _v152;
				char _v168;
				signed int _t26;
				signed int _t27;
				void* _t29;
				signed int _t38;
				signed long long _t60;
				signed long long _t61;
				signed long long _t74;
				void* _t77;

				_a16 = __rbx;
				_t60 =  *0x8c3670a0; // 0xfd5a6ce2fd9f
				_t61 = _t60 ^ _t77 - 0x000000c0;
				_v24 = _t61;
				E00007FF87FF88C307F5C(__ecx, __eflags, _t61, __rcx, __rsi, __r8);
				_t74 = _t61;
				_t26 = E00007FF87FF88C3178B8(__rcx, __rdx, __r9);
				r9d = 0x78;
				asm("sbb edx, edx");
				_t38 = _t26;
				_t27 = GetLocaleInfoA(??, ??, ??, ??);
				if (_t27 != 0) goto 0x8c317dc9;
				 *(_t74 + 0x150) =  *(_t74 + 0x150) & _t27;
				goto 0x8c317e65;
				_t29 = E00007FF87FF88C31A374(_t61,  *((intOrPtr*)(_t74 + 0x140)));
				if (_t29 != 0) goto 0x8c317df9;
				if ( *((intOrPtr*)(_t74 + 0x158)) != _t29) goto 0x8c317e44;
				_t10 = _t74 + 0x140; // 0x140
				_t11 = _t61 + 1; // 0x1
				E00007FF87FF88C3179F8(_t38, _t11, __rcx, __rsi, __rbp, _t10);
				goto 0x8c317e40;
				if ( *((intOrPtr*)(_t74 + 0x158)) != 0) goto 0x8c317e57;
				if ( *((intOrPtr*)(_t74 + 0x154)) == 0) goto 0x8c317e57;
				if (E00007FF87FF88C31A374(_t61,  *((intOrPtr*)(_t74 + 0x140))) != 0) goto 0x8c317e57;
				_t16 = _t61 + 2; // 0x2
				r9d = _t16;
				asm("bts ecx, 0xa");
				if (GetLocaleInfoW(??, ??, ??, ??) == 0) goto 0x8c317e57;
				 *(_t74 + 0x150) =  *(_t74 + 0x150) | 0x00000004;
				 *(_t74 + 0x160) = _t38;
				 *(_t74 + 0x164) = _t38;
				return E00007FF87FF88C304980(_t38 & 0x000003ff, _v24 ^ _t77 - 0x000000c0,  &_v152,  &_v168);
			}

0x7ff88c317d58
0x7ff88c317d65
0x7ff88c317d6c
0x7ff88c317d6f
0x7ff88c317d7a
0x7ff88c317d82
0x7ff88c317d85
0x7ff88c317d97
0x7ff88c317d9d
0x7ff88c317da1
0x7ff88c317daf
0x7ff88c317db7
0x7ff88c317db9
0x7ff88c317dc4
0x7ff88c317dd5
0x7ff88c317ddc
0x7ff88c317de4
0x7ff88c317de6
0x7ff88c317ded
0x7ff88c317df2
0x7ff88c317df7
0x7ff88c317e00
0x7ff88c317e09
0x7ff88c317e1e
0x7ff88c317e22
0x7ff88c317e22
0x7ff88c317e36
0x7ff88c317e42
0x7ff88c317e44
0x7ff88c317e4b
0x7ff88c317e51
0x7ff88c317e85

APIs

_getptd.LIBCMT ref: 00007FF88C317D7A

Part of subcall function 00007FF88C307F5C: _amsg_exit.LIBCMT ref: 00007FF88C307F72

GetLocaleInfoA.KERNEL32 ref: 00007FF88C317DAF

Memory Dump Source

Source File: 00000000.00000002.323590886.00007FF88C301000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF88C300000, based on PE: true

Associated: 00000000.00000002.323573707.00007FF88C300000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323655700.00007FF88C322000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323798879.00007FF88C367000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323812343.00007FF88C36A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323824687.00007FF88C36C000.00000010.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323839114.00007FF88C36D000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff88c300000_loaddll64.jbxd

Similarity

API ID: InfoLocale_amsg_exit_getptd
String ID:
API String ID: 488165793-0
Opcode ID: 55397dfc4091b28f02ede2eb07137ca85c789b17678921f484a064c378350ee2
Instruction ID: 034ddcd1896fe5cd37d80d7bb2038e8793b87db6f81cadd7ca7a57546fe165c2
Opcode Fuzzy Hash: 55397dfc4091b28f02ede2eb07137ca85c789b17678921f484a064c378350ee2
Instruction Fuzzy Hash: 3531A232B186C28BEB688B65D805BF9B391FB86785F444136E71D87289DF3CE466C700

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180009B84 Relevance: 4.4, Strings: 3, Instructions: 647COMMON

Download Yara Rule

Strings

l", xrefs: 000000018000A47B
%x, xrefs: 000000018000A3E8
#^, xrefs: 000000018000A07B

Memory Dump Source

Source File: 00000000.00000002.322442190.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180001000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID: #^$%x$l"
API String ID: 0-4041194889
Opcode ID: 84424837eb03941410a3f76e65ed3fc17bb7311e13e60ee642fa55eb5908a1bd
Instruction ID: b3cce10ddb190bf118b68c611af786d042642d553b16e0a3995a72445ede7a32
Opcode Fuzzy Hash: 84424837eb03941410a3f76e65ed3fc17bb7311e13e60ee642fa55eb5908a1bd
Instruction Fuzzy Hash: E9522971A087888FD758CFA8C58A69EFBF1FB84744F10891DE48697292D7F49909CF42

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180008E68 Relevance: 4.2, Strings: 3, Instructions: 408COMMON

Download Yara Rule

Strings

cY, xrefs: 000000018000947A
R+n/, xrefs: 0000000180009365
#X, xrefs: 00000001800092B0

Memory Dump Source

Source File: 00000000.00000002.322442190.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180001000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID: #X$R+n/$cY
API String ID: 0-1545568711
Opcode ID: a7848f88ff10e79ab8d01caa9368a18d567130ab1c2b00234daf7e93b79d0f26
Instruction ID: 13f53fdcfb62dda9c0ce2c9061e0ae3b387f6ee7310669008ccd30eb16d24df7
Opcode Fuzzy Hash: a7848f88ff10e79ab8d01caa9368a18d567130ab1c2b00234daf7e93b79d0f26
Instruction Fuzzy Hash: 0D12F07550660DCBDB68CF38C08A5DD3BE1FF54308F609129FC6A8A6A2D774DA29CB44

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000A678 Relevance: 4.1, Strings: 3, Instructions: 335COMMON

Download Yara Rule

Strings

@KlA, xrefs: 000000018000A7C8
{JR, xrefs: 000000018000AA72
>Z.5, xrefs: 000000018000A8BC

Memory Dump Source

Source File: 00000000.00000002.322442190.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180001000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID: >Z.5$@KlA${JR
API String ID: 0-750345803
Opcode ID: 7657476ff6717f1e5b0e5d94934980a5e5aef6ec125d6f0b080d643f310ec32c
Instruction ID: 0ea8de14f4fe38b8525413eb773a45742b7529844c892c158d549e4966fc3e11
Opcode Fuzzy Hash: 7657476ff6717f1e5b0e5d94934980a5e5aef6ec125d6f0b080d643f310ec32c
Instruction Fuzzy Hash: FAF1F5B050460ACFDB99DF28C089ADE3BE0FF58308F414529FC499B2A4D774DA68DB85

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180021E8C Relevance: 4.0, Strings: 3, Instructions: 254COMMON

Download Yara Rule

Strings

T4), xrefs: 0000000180021F5A
d%1o, xrefs: 0000000180021FDD
'1, xrefs: 000000018002215A

Memory Dump Source

Source File: 00000000.00000002.322442190.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180001000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID: '1$T4)$d%1o
API String ID: 0-2486972274
Opcode ID: e6f62019d710a5b172c4250af764a7eeb339ec63b800c2c32e0ab43b0a18c95f
Instruction ID: c1cf03e1cc09df8c2f46dc436ecb0f80ab6fb145c51dc220b48891136fb5fa69
Opcode Fuzzy Hash: e6f62019d710a5b172c4250af764a7eeb339ec63b800c2c32e0ab43b0a18c95f
Instruction Fuzzy Hash: FAC1E2B0514788DFEB9CDF68D89A99A3BB1FB44348F40521DFD0687290D7B9D984CB80

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800026B0 Relevance: 4.0, Strings: 3, Instructions: 224COMMON

Download Yara Rule

Strings

x, xrefs: 0000000180002866
&K, xrefs: 0000000180002705
dz, xrefs: 0000000180002745

Memory Dump Source

Source File: 00000000.00000002.322442190.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180001000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID: &K$dz$x
API String ID: 0-1229252104
Opcode ID: 8e3dcf654908fc5c38a7b4cc2b258c0506f91cc2d39a8b8a8dc4c959054faaa9
Instruction ID: d8247fa3af4584371774d9dabd2bd270506ba23bb1c3a634e6552bef147d5643
Opcode Fuzzy Hash: 8e3dcf654908fc5c38a7b4cc2b258c0506f91cc2d39a8b8a8dc4c959054faaa9
Instruction Fuzzy Hash: 99A14C7191475E9BDF8CDFA4C88AAEEBBB1FB48304F40521CE856A7290D7749A44CF81

Uniqueness

Uniqueness Score: -1.00%

Function 000000018001EBFC Relevance: 3.9, Strings: 3, Instructions: 169COMMON

Download Yara Rule

Strings

h, xrefs: 000000018001EDB1
/+, xrefs: 000000018001EDE3
U8, xrefs: 000000018001EC7B

Memory Dump Source

Source File: 00000000.00000002.322442190.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180001000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID: h$/+$U8
API String ID: 0-883878234
Opcode ID: bbb7fe14f810a7f592b745030da0a777cb7d19ff1c3e8944ff20fcc5bed3dcc1
Instruction ID: 8ba44556e78e3b7b521574266816ad51746ed91dbe2c7fd63154e8208677f515
Opcode Fuzzy Hash: bbb7fe14f810a7f592b745030da0a777cb7d19ff1c3e8944ff20fcc5bed3dcc1
Instruction Fuzzy Hash: 79813A7051078D9BEF98CF24C8896DD3BA0FB483A8F556319FC4AA6290D778D984CF85

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180017A40 Relevance: 3.9, Strings: 3, Instructions: 142COMMON

Download Yara Rule

Strings

08, xrefs: 0000000180017BDD
L, xrefs: 0000000180017B46
^", xrefs: 0000000180017C1C

Memory Dump Source

Source File: 00000000.00000002.322442190.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180001000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID: 08$L$^"
API String ID: 0-1177260694
Opcode ID: cda29e72dc0740c08e8cabbcfcebe2f422bf50595165a4267de80d834ce0b007
Instruction ID: c24403862857c4391aef1775248313adb0a3cae486fea517e37fc1e65729cc2b
Opcode Fuzzy Hash: cda29e72dc0740c08e8cabbcfcebe2f422bf50595165a4267de80d834ce0b007
Instruction Fuzzy Hash: C07191B190070ACFDB48CF68D48A5DE7FB1FB64394F204619F856A62A0D7B496A5CFC0

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180023B90 Relevance: 3.9, Strings: 3, Instructions: 121COMMON

Download Yara Rule

Strings

%5, xrefs: 0000000180023BA3
SZ, xrefs: 0000000180023BFC
?E, xrefs: 0000000180023C79

Memory Dump Source

Source File: 00000000.00000002.322442190.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180001000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID: %5$?E$SZ
API String ID: 0-3267399798
Opcode ID: 356b9b99ff3a14a20e6022121f0725c4e131dc2ac3521a6c48dc14c0b171b3d4
Instruction ID: f20e76e41e2807c6fad9d95e83e5c487efb7f78554c70ad00382b9e6556e21f0
Opcode Fuzzy Hash: 356b9b99ff3a14a20e6022121f0725c4e131dc2ac3521a6c48dc14c0b171b3d4
Instruction Fuzzy Hash: 3751297050078A8BDF4DDF28C85A6DE3BA1FB48348F004A1EF8569A290D7B8D664CBC5

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000CCB8 Relevance: 3.9, Strings: 3, Instructions: 113COMMON

Download Yara Rule

Strings

h, xrefs: 000000018000CD76
3, xrefs: 000000018000CE08
#X, xrefs: 000000018000CDB9

Memory Dump Source

Source File: 00000000.00000002.322442190.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180001000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID: #X$h$3
API String ID: 0-1294449413
Opcode ID: d33c58d9fea67c5e00cdb9e1060bb575a3469de7f64f2d8bd581db19eefcf863
Instruction ID: 533291a7926cdd32bbd6e8d0b2b75c126a7da38aa02169e8600aaa2a8b3730e0
Opcode Fuzzy Hash: d33c58d9fea67c5e00cdb9e1060bb575a3469de7f64f2d8bd581db19eefcf863
Instruction Fuzzy Hash: BE51D2B090038E8FCF48CF68D8865DE7FB1BB58344F104A1DEC26AA260D7B49665CF85

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800131C8 Relevance: 3.8, Strings: 3, Instructions: 94COMMON

Download Yara Rule

Strings

3x, xrefs: 000000018001333C
'?jD, xrefs: 000000018001336A
rS, xrefs: 00000001800132E0

Memory Dump Source

Source File: 00000000.00000002.322442190.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180001000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID: '?jD$3x$rS
API String ID: 0-3606170153
Opcode ID: 0195267ce7e32bc4f7cb68084bc8e103216764e823e79de5164a2b429b297a6c
Instruction ID: 22f802b9e0c13350431e6e4f18d77c177e48155c8e78565d29df3f89ed4fee09
Opcode Fuzzy Hash: 0195267ce7e32bc4f7cb68084bc8e103216764e823e79de5164a2b429b297a6c
Instruction Fuzzy Hash: 4F51C3B190074E8FDB88CF68C48A4DE7FB0FB28398F214619F815A6260D3B49695CFC5

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800072A4 Relevance: 3.8, Strings: 3, Instructions: 91COMMON

Download Yara Rule

Strings

e, xrefs: 0000000180007351
]k, xrefs: 00000001800073A1
Hw, xrefs: 00000001800072F8

Memory Dump Source

Source File: 00000000.00000002.322442190.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180001000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID: Hw$]k$e
API String ID: 0-2033964818
Opcode ID: 4f1e176e105d723653331bdcb9e16093c0b1e22302329eb9766838a011bfa736
Instruction ID: ffab61b7d51d9aa5314773a45aff0a62ca8de6911970cb555a5cd4c3076be265
Opcode Fuzzy Hash: 4f1e176e105d723653331bdcb9e16093c0b1e22302329eb9766838a011bfa736
Instruction Fuzzy Hash: 1341C3B190078E8FDF48CF68C8864DE7BB0FB58358F104618F865AA294D7B89665CF85

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180006B54 Relevance: 3.8, Strings: 3, Instructions: 90COMMON

Download Yara Rule

Strings

H0, xrefs: 0000000180006BFA
>, xrefs: 0000000180006C62
n\, xrefs: 0000000180006C4D

Memory Dump Source

Source File: 00000000.00000002.322442190.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180001000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID: H0$n\$>
API String ID: 0-2038091953
Opcode ID: 8399669adf6ddd7989a1b34c04c5480f1e14aba376e11fdf5ca5adfde3ef8d91
Instruction ID: d237bd2cff9410b0a87333e933cab55eb302b172400644dcabb4729d10ca93ef
Opcode Fuzzy Hash: 8399669adf6ddd7989a1b34c04c5480f1e14aba376e11fdf5ca5adfde3ef8d91
Instruction Fuzzy Hash: D941D7B090078E8BDF48CF64C88A5DE7BB0FB18358F50461DE866A6290D3B8D665CFC5

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800055F4 Relevance: 3.8, Strings: 3, Instructions: 85COMMON

Download Yara Rule

Strings

N{, xrefs: 0000000180005615
EJ, xrefs: 0000000180005644
M7, xrefs: 000000018001DE29

Memory Dump Source

Source File: 00000000.00000002.322442190.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180001000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID: EJ$M7$N{
API String ID: 0-2550331091
Opcode ID: 36cb4f404964e622fbf7bea85eafd490b092147ddbe8c5081c760fe9dc435426
Instruction ID: 7a959005074046617e79b82f9e95c96a422290a3f5572b8545b4ca99a373dd00
Opcode Fuzzy Hash: 36cb4f404964e622fbf7bea85eafd490b092147ddbe8c5081c760fe9dc435426
Instruction Fuzzy Hash: D831157091CB849BE394DF28C48960BBBE0FBD4758F501A1DF595862A0CBB8D905CF47

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180005498 Relevance: 3.8, Strings: 3, Instructions: 82COMMON

Download Yara Rule

Strings

ZE, xrefs: 000000018000550D
ot, xrefs: 00000001800054BB
FO, xrefs: 00000001800055B0

Memory Dump Source

Source File: 00000000.00000002.322442190.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180001000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID: FO$ZE$ot
API String ID: 0-4035839399
Opcode ID: 61be06ea8247c94d34133f7dfef71fb7ca9e5d1a546109e228ade6049ba6761e
Instruction ID: 27ee06656677cc7ccddd3fd26b57a7f095700a92caf8e6414df9046cc9819dff
Opcode Fuzzy Hash: 61be06ea8247c94d34133f7dfef71fb7ca9e5d1a546109e228ade6049ba6761e
Instruction Fuzzy Hash: AB31E1715487899FE788DF29C08991ABBE2FBC4784F505A1DF4868B3A1C7B4D845CB83

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180002504 Relevance: 3.8, Strings: 3, Instructions: 73COMMON

Download Yara Rule

Strings

YQ, xrefs: 0000000180002510
_0, xrefs: 0000000180002626
d, xrefs: 0000000180002508

Memory Dump Source

Source File: 00000000.00000002.322442190.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180001000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID: YQ$_0$d
API String ID: 0-2605670869
Opcode ID: 7a41b8197c9ae054c4a83515f5825b8901cf0b17c4f6c0d99e0cb46bf0b8a9ea
Instruction ID: 985f46bedf30828a6a7e54d09bf240b70eb6b6ee6361518d330bfa71303131e7
Opcode Fuzzy Hash: 7a41b8197c9ae054c4a83515f5825b8901cf0b17c4f6c0d99e0cb46bf0b8a9ea
Instruction Fuzzy Hash: C2319270629780AFD3C8DF28D49991ABBE1FBC8314F90AA1DF8868B390D774D405CB06

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000B888 Relevance: 3.8, Strings: 3, Instructions: 69COMMON

Download Yara Rule

Strings

u2., xrefs: 000000018000B961
,r, xrefs: 000000018000B8F1
MT, xrefs: 000000018000B90E

Memory Dump Source

Source File: 00000000.00000002.322442190.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180001000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID: ,r$MT$u2.
API String ID: 0-185580064
Opcode ID: 09032eae2515d87e10fbacd3000b8d4fc28dd18ad5809f69da51fd6fc7c1c2b4
Instruction ID: 83f262825fa791e81a9ae374cf65c3c4bccc3cdc670fad59fb58d236b9e605aa
Opcode Fuzzy Hash: 09032eae2515d87e10fbacd3000b8d4fc28dd18ad5809f69da51fd6fc7c1c2b4
Instruction Fuzzy Hash: 86317F705187C58BD748DFA9C48A51AFBE1BBC4344F504A1DF4828A7A1D7F4E899CB43

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000E850 Relevance: 3.8, Strings: 3, Instructions: 66COMMON

Download Yara Rule

Strings

=Y, xrefs: 000000018000E93D
%PA7, xrefs: 000000018000E8E9
%PA7, xrefs: 000000018000E8ED

Memory Dump Source

Source File: 00000000.00000002.322442190.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180001000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID: %PA7$%PA7$=Y
API String ID: 0-462617205
Opcode ID: 1c4529c5f768f7c21780f76799fc2d238f8102db03b4cae3b5e9412d32e5cc50
Instruction ID: d25d1b0b152f0bfde1e121c16e8b250b83a0b176dc0a16c28c2a337e6c910ad8
Opcode Fuzzy Hash: 1c4529c5f768f7c21780f76799fc2d238f8102db03b4cae3b5e9412d32e5cc50
Instruction Fuzzy Hash: 6F314BB15087858BD748DF28C45941ABBE1FB9C308F814B1DF8CAAB291D779D605CF4A

Uniqueness

Uniqueness Score: -1.00%

Function 000000018001337C Relevance: 3.8, Strings: 3, Instructions: 52COMMON

Download Yara Rule

Strings

-, xrefs: 0000000180013432
5tv, xrefs: 00000001800133C0
&n, xrefs: 00000001800133A1

Memory Dump Source

Source File: 00000000.00000002.322442190.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180001000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID: &n$-$5tv
API String ID: 0-2448688631
Opcode ID: 29bcf347d3bcbf683e7f25c8fd40e479166cba1f8f6b47def536886c980d9076
Instruction ID: 7781fa40618f99ab286c39c5376f825e8cdabb89e55de0fb4cb768d259995b38
Opcode Fuzzy Hash: 29bcf347d3bcbf683e7f25c8fd40e479166cba1f8f6b47def536886c980d9076
Instruction Fuzzy Hash: C421027001A784ABE3C5DF24C5CA65BBAE1FB98784F90691CF886C22A1D778C944CB02

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF88C31C7C0 Relevance: 3.6, APIs: 2, Instructions: 613
COMMONLIBRARYCODECrypto

Download Yara Rule

C-Code - Quality: 76%

			E00007FF87FF88C31C7C0(signed short __rbx, long long __rcx, long long __rdx, intOrPtr* __r8, void* __r9) {
				void* __rsi;
				void* __rbp;
				intOrPtr _t144;
				intOrPtr _t152;
				signed short _t160;
				signed short _t161;
				signed int _t177;
				signed short _t178;
				intOrPtr _t179;
				signed int _t185;
				signed short _t220;
				signed short _t221;
				signed int _t225;
				signed int _t226;
				intOrPtr _t232;
				intOrPtr _t234;
				void* _t235;
				intOrPtr _t237;
				void* _t238;
				intOrPtr _t239;
				void* _t240;
				intOrPtr _t241;
				void* _t253;
				intOrPtr _t278;
				void* _t314;
				signed int _t367;
				signed int _t368;
				signed long long _t378;
				signed long long _t379;
				intOrPtr* _t387;
				signed long long _t388;
				signed short _t389;
				signed long long _t395;
				unsigned long long _t398;
				intOrPtr* _t400;
				intOrPtr* _t405;
				intOrPtr* _t406;
				void* _t410;
				void* _t413;
				void* _t415;
				intOrPtr* _t420;
				intOrPtr* _t421;
				intOrPtr* _t423;
				intOrPtr* _t426;
				intOrPtr* _t428;
				short* _t433;
				void* _t435;
				char* _t436;
				char* _t437;
				intOrPtr* _t440;
				intOrPtr* _t443;
				void* _t444;
				intOrPtr* _t447;

				_t389 = __rbx;
				 *((long long*)(_t415 + 0x18)) = __rbx;
				_push(_t410);
				_push(_t444);
				_t413 = _t415 - 7;
				_t378 =  *0x8c3670a0; // 0xfd5a6ce2fd9f
				_t379 = _t378 ^ _t415 - 0x000000a0;
				 *(_t413 - 1) = _t379;
				_t447 =  *((intOrPtr*)(_t413 + 0x7f));
				 *(_t413 - 0x71) = r9d;
				_t6 = _t389 + 1; // 0x1
				r9d = _t6;
				 *((long long*)(_t413 - 0x59)) = __rcx;
				 *((long long*)(_t413 - 0x69)) = __rdx;
				_t436 = _t413 - 0x21;
				 *(_t413 - 0x6d) = 0;
				 *(_t413 - 0x75) = r9d;
				r14d = 0;
				 *(_t413 - 0x79) = 0;
				r15d = 0;
				r12d = 0;
				if (_t447 != 0) goto 0x8c31c83a;
				E00007FF87FF88C307698(_t379);
				 *_t379 = 0x16;
				E00007FF87FF88C309444();
				goto 0x8c31cffb;
				_t144 =  *__r8;
				if (_t144 == 0x20) goto 0x8c31c850;
				if (_t144 == 9) goto 0x8c31c850;
				if (_t144 == 0xa) goto 0x8c31c850;
				if (_t144 != 0xd) goto 0x8c31c855;
				goto 0x8c31c83d;
				_t420 = __r8 + __r9 + __r9;
				if (0 - 5 > 0) goto 0x8c31ca7e;
				if (0 == 5) goto 0x8c31ca64;
				r9d = 0;
				if (0 == 0) goto 0x8c31ca03;
				r9d = r9d - 1;
				if (0 == 0) goto 0x8c31c9bb;
				r9d = r9d - 1;
				if (0 == 0) goto 0x8c31c968;
				r9d = r9d - 1;
				if (0 == 0) goto 0x8c31c91b;
				r9d = r9d - 1;
				if (0 != 0) goto 0x8c31cb43;
				r9d = 1;
				r14d = r9d;
				 *(_t413 - 0x79) = r9d;
				if (0 != 0) goto 0x8c31c8db;
				goto 0x8c31c8b5;
				_t232 =  *_t420;
				r12d = r12d - r9d;
				_t421 = _t420 + __r9;
				if (_t232 == 0x30) goto 0x8c31c8ac;
				goto 0x8c31c8db;
				if (_t232 - 0x39 > 0) goto 0x8c31c8e0;
				if (0 - 0x19 >= 0) goto 0x8c31c8d5;
				_t253 = 0 + r9d;
				 *_t436 = _t232 - 0x30;
				_t437 = _t436 + __r9;
				r12d = r12d - r9d;
				_t234 =  *_t421;
				if (_t234 - 0x30 >= 0) goto 0x8c31c8bc;
				if (_t234 == 0x2b) goto 0x8c31c90e;
				if (_t234 == 0x2d) goto 0x8c31c90e;
				if (_t234 - 0x43 <= 0) goto 0x8c31ca3d;
				if (_t234 - 0x45 <= 0) goto 0x8c31c904;
				_t235 = _t234 - 0x64;
				if (_t235 - r9b > 0) goto 0x8c31ca3d;
				goto 0x8c31c855;
				_t423 = _t421 + __r9 - __r9;
				goto 0x8c31c855;
				r9d = 1;
				r14d = r9d;
				goto 0x8c31c948;
				if (_t235 - 0x39 > 0) goto 0x8c31c94c;
				if (_t253 - 0x19 >= 0) goto 0x8c31c93f;
				 *_t437 = _t235 - 0x30;
				goto 0x8c31c942;
				r12d = r12d + r9d;
				_t237 =  *_t423;
				if (_t237 - 0x30 >= 0) goto 0x8c31c928;
				if (_t237 !=  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *_t447 + 0x128))))))) goto 0x8c31c8e0;
				goto 0x8c31c855;
				if (0x30 - 8 > 0) goto 0x8c31c982;
				r9d = 1;
				goto 0x8c31c855;
				if (_t237 !=  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *_t447 + 0x128))))))) goto 0x8c31c9a4;
				r9d = 1;
				goto 0x8c31c855;
				if (_t237 != 0x30) goto 0x8c31cba4;
				r9d = 1;
				goto 0x8c31c855;
				r9d = 1;
				r14d = r9d;
				if (0x30 - 8 > 0) goto 0x8c31c9d1;
				goto 0x8c31c97a;
				if (_t237 ==  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *_t447 + 0x128))))))) goto 0x8c31c95e;
				if (_t237 == 0x2b) goto 0x8c31c90e;
				if (_t237 == 0x2d) goto 0x8c31c90e;
				if (_t237 == 0x30) goto 0x8c31c9b3;
				goto 0x8c31c8ea;
				if (0x30 - 8 <= 0) goto 0x8c31c96f;
				_t395 =  *((intOrPtr*)( *_t447 + 0x128));
				_t387 =  *_t395;
				if (_t237 ==  *_t387) goto 0x8c31c994;
				if (_t237 == 0x2b) goto 0x8c31ca56;
				if (_t237 == 0x2d) goto 0x8c31ca45;
				if (_t237 == 0x30) goto 0x8c31c9ad;
				r9d = 1;
				_t426 = _t423 + __r9 - __r9 - __r9;
				goto 0x8c31cbad;
				 *(_t413 - 0x6d) = 0x8000;
				goto 0x8c31c999;
				 *(_t413 - 0x6d) = 0;
				goto 0x8c31c999;
				_t238 = _t237 - 0x30;
				 *(_t413 - 0x79) = r9d;
				_t314 = _t238 - 9;
				if (_t314 > 0) goto 0x8c31cb4d;
				goto 0x8c31c97a;
				r9d = 4;
				r9d = r9d - 6;
				if (_t314 == 0) goto 0x8c31cb27;
				r9d = r9d - 1;
				if (_t314 == 0) goto 0x8c31cb03;
				r9d = r9d - 1;
				if (_t314 == 0) goto 0x8c31cad7;
				r9d = r9d - 1;
				if (_t314 == 0) goto 0x8c31cb52;
				if (r9d != 2) goto 0x8c31cb43;
				if ( *((intOrPtr*)(_t413 + 0x77)) == 0) goto 0x8c31ca37;
				if (_t238 == 0x2b) goto 0x8c31cacd;
				if (_t238 != 0x2d) goto 0x8c31cba4;
				 *(_t413 - 0x75) =  *(_t413 - 0x75) | 0xffffffff;
				goto 0x8c31c999;
				goto 0x8c31c999;
				r9d = 1;
				r15d = r9d;
				goto 0x8c31cae8;
				_t239 =  *_t426;
				if (_t239 == 0x30) goto 0x8c31cae2;
				_t240 = _t239 - 0x31;
				if (_t240 - 8 > 0) goto 0x8c31ca3d;
				goto 0x8c31c97a;
				if (0x30 - 8 > 0) goto 0x8c31cb14;
				goto 0x8c31c974;
				if (_t240 != 0x30) goto 0x8c31cba4;
				goto 0x8c31c999;
				_t443 = _t426 + __r9 - 2;
				if (__rdx - 0x31 - 8 <= 0) goto 0x8c31cb0a;
				if (_t240 == 0x2b) goto 0x8c31cb3e;
				if (_t240 == 0x2d) goto 0x8c31cabf;
				goto 0x8c31cb14;
				if (7 == 0xa) goto 0x8c31cba7;
				goto 0x8c31c999;
				_t428 = _t443;
				goto 0x8c31cbad;
				r9d = 1;
				r11b = 0x30;
				r15d = r9d;
				goto 0x8c31cb7d;
				if (_t240 - 0x39 > 0) goto 0x8c31cb9a;
				_t35 = _t395 * 2; // 0xfd5a6ce2fd6f
				if (_t387 + _t35 - 0x30 - 0x1450 > 0) goto 0x8c31cb84;
				_t241 =  *_t428;
				if (_t241 - r11b >= 0) goto 0x8c31cb60;
				goto 0x8c31cb9a;
				goto 0x8c31cb9a;
				if (_t241 - 0x39 > 0) goto 0x8c31ca3d;
				if ( *((intOrPtr*)(_t428 + __r9)) - r11b >= 0) goto 0x8c31cb8b;
				goto 0x8c31ca3d;
				r9d = 1;
				_t388 =  *((intOrPtr*)(_t413 - 0x69));
				 *_t388 = _t443;
				if (r14d == 0) goto 0x8c31cfd1;
				if (_t253 + r9d - 0x18 <= 0) goto 0x8c31cbda;
				_t152 =  *((intOrPtr*)(_t413 - 0xa));
				if (_t152 - 5 < 0) goto 0x8c31cbcf;
				 *((char*)(_t413 - 0xa)) = _t152 + r9b;
				r12d = r12d + r9d;
				if (0x18 != 0) goto 0x8c31cbf2;
				goto 0x8c31cfe0;
				r12d = r12d + r9d;
				_t440 = _t437 + __r9 - __r9 - __r9;
				if ( *_t440 == 0) goto 0x8c31cbed;
				E00007FF87FF88C31DBCC(0xffffffffffffffff, 0x1451, __rbx, _t413 - 0x21, __rdx, _t410, _t413, _t413 - 0x41, __r9);
				if ( *(_t413 - 0x75) >= 0) goto 0x8c31cc10;
				if (r15d != 0) goto 0x8c31cc1b;
				if ( *(_t413 - 0x79) != 0) goto 0x8c31cc23;
				if (0x1451 - 0x1450 > 0) goto 0x8c31cfbb;
				if (0x1451 - 0xffffebb0 < 0) goto 0x8c31cfab;
				if (0x1451 == 0) goto 0x8c31cf99;
				if (0x1451 >= 0) goto 0x8c31cc5d;
				if ( *(_t413 - 0x71) != 0) goto 0x8c31cc66;
				 *(_t413 - 0x41) = 0;
				if (0x1451 == 0) goto 0x8c31cf99;
				r10d = 0x7fff;
				r12d = 1;
				 *(_t413 - 0x71) =  ~( ~0x1451 + r12d +  *((intOrPtr*)(_t413 + 0x67)) -  *((intOrPtr*)(_t413 + 0x6f))) >> 3;
				 *((long long*)(_t413 - 0x61)) = 0x8c368700;
				if (0x1451 == 0) goto 0x8c31cf91;
				r15d = 0x8000;
				_t405 = 0x8c368700 + (_t388 + _t388 * 2) * 4;
				if ( *_t405 - r15w < 0) goto 0x8c31ccca;
				_t398 =  *_t405;
				_t406 = _t413 - 0x31;
				 *(_t413 - 0x31) = _t398;
				 *((intOrPtr*)(_t413 - 0x29)) =  *((intOrPtr*)(_t405 + 8));
				 *((intOrPtr*)(_t413 - 0x2f)) = 0 - r12d;
				_t160 =  *(_t406 + 0xa) & 0x0000ffff;
				_t220 =  *(_t413 - 0x37) & 0x0000ffff;
				 *(_t413 - 0x51) = _t389;
				r9d = _t160 & 0x0000ffff;
				_t161 = _t160 & r10w;
				 *(_t413 - 0x49) = 0;
				r9w = r9w ^ _t220;
				_t221 = _t220 & r10w;
				r9w = r9w & r15w;
				r8d = (_t398 >> 0x10) + _t388;
				 *(_t413 - 0x75) = r9w;
				if (_t221 - r10w >= 0) goto 0x8c31cf7d;
				if (_t161 - r10w >= 0) goto 0x8c31cf7d;
				r11d = 0xbffd;
				if (r8w - r11w > 0) goto 0x8c31cf7d;
				r9d = 0x3fbf;
				if (r8w - r9w > 0) goto 0x8c31cd32;
				 *(_t413 - 0x3d) = _t389;
				 *(_t413 - 0x41) = 0;
				goto 0x8c31cf91;
				if (_t221 != 0) goto 0x8c31cd57;
				r8w = r8w + r12w;
				if (( *(_t413 - 0x39) & 0x7fffffff) != 0) goto 0x8c31cd57;
				if ( *(_t413 - 0x3d) != 0) goto 0x8c31cd57;
				if ( *(_t413 - 0x41) != 0) goto 0x8c31cd57;
				 *(_t413 - 0x37) = 0;
				goto 0x8c31cf91;
				if (_t161 != 0) goto 0x8c31cd72;
				r8w = r8w + r12w;
				if (( *(_t406 + 8) & 0x7fffffff) != 0) goto 0x8c31cd72;
				if ( *((intOrPtr*)(_t406 + 4)) != 0) goto 0x8c31cd72;
				if ( *_t406 == 0) goto 0x8c31cd26;
				r10d = 5;
				r12d = 0;
				_t400 = _t413 - 0x4d;
				r13d = _t440 - 4;
				 *(_t413 - 0x79) = r10d;
				_t435 = _t444 + _t444;
				if (r10d <= 0) goto 0x8c31cde8;
				_t83 = _t406 + 8; // 0xd
				r9d =  *_t83 & 0x0000ffff;
				r11d = 0;
				r9d = r9d * ( *(_t413 + _t435 - 0x41) & 0x0000ffff);
				_t278 = _t388 + _t435;
				if (_t278 -  *((intOrPtr*)(_t400 - 4)) < 0) goto 0x8c31cdc1;
				if (_t278 - r9d >= 0) goto 0x8c31cdc4;
				r11d = r13d;
				 *((intOrPtr*)(_t400 - 4)) = _t278;
				if (r11d == 0) goto 0x8c31cdd0;
				 *_t400 =  *_t400 + r13w;
				r11d =  *(_t413 - 0x79);
				r11d = r11d - r13d;
				 *(_t413 - 0x79) = r11d;
				if (r11d > 0) goto 0x8c31cda2;
				r10d = r10d - r13d;
				r12d = r12d + r13d;
				if (r10d > 0) goto 0x8c31cd83;
				r10d =  *(_t413 - 0x49);
				r9d =  *(_t413 - 0x51);
				r8w = r8w + 0xc002;
				r14d = 0xffff;
				if (r8w <= 0) goto 0x8c31ce58;
				if ((0x80000000 & r10d) != 0) goto 0x8c31ce52;
				r11d =  *(_t413 - 0x4d);
				r10d = r10d + r10d;
				r9d = r9d + r9d;
				r8w = r8w + r14w;
				r10d = r10d | r11d >> 0x0000001f;
				 *(_t413 - 0x51) = r9d;
				 *(_t413 - 0x4d) = _t443 + _t443 | r9d >> 0x0000001f;
				 *(_t413 - 0x49) = r10d;
				if (r8w > 0) goto 0x8c31ce19;
				_t367 = r8w;
				if (_t367 > 0) goto 0x8c31cec2;
				r8w = r8w + r14w;
				if (_t367 >= 0) goto 0x8c31cec2;
				r8w = r8w + ( ~(r8w & 0xffffffff) & 0x0000ffff);
				_t368 =  *(_t413 - 0x51) & r13b;
				if (_t368 == 0) goto 0x8c31ce77;
				r11d =  *(_t413 - 0x4d);
				r9d = r9d >> 1;
				r11d = r11d >> 1;
				_t225 = r11d << 0x1f;
				r11d = r11d | r10d << 0x0000001f;
				r10d = r10d >> 1;
				r9d = r9d | _t225;
				 *(_t413 - 0x4d) = r11d;
				 *(_t413 - 0x51) = r9d;
				if (_t368 != 0) goto 0x8c31ce6e;
				 *(_t413 - 0x49) = r10d;
				if (0 + r13d == 0) goto 0x8c31cec2;
				 *(_t413 - 0x51) = r9w & 0xffffffff | r13w;
				r9d =  *(_t413 - 0x51);
				goto 0x8c31cec6;
				r15d = 0x8000;
				if (( *(_t413 - 0x51) & 0x0000ffff) - r15w > 0) goto 0x8c31cee6;
				r9d = r9d & 0x0001ffff;
				if (r9d != 0x18000) goto 0x8c31cf36;
				_t226 = _t225 | 0xffffffff;
				r12d = 1;
				if ( *(_t413 - 0x4f) != _t226) goto 0x8c31cf2e;
				 *(_t413 - 0x4f) = 0;
				if ( *((intOrPtr*)(_t413 - 0x4b)) != _t226) goto 0x8c31cf22;
				_t177 =  *(_t413 - 0x47) & 0x0000ffff;
				 *((intOrPtr*)(_t413 - 0x4b)) = 0;
				if (_t177 != r14w) goto 0x8c31cf18;
				 *(_t413 - 0x47) = r15w;
				r8w = r8w + r12w;
				goto 0x8c31cf28;
				_t178 = _t177 + r12w;
				 *(_t413 - 0x47) = _t178;
				goto 0x8c31cf28;
				_t179 = _t178 + r12d;
				 *((intOrPtr*)(_t413 - 0x4b)) = _t179;
				r10d =  *(_t413 - 0x49);
				goto 0x8c31cf3c;
				 *(_t413 - 0x4f) = _t179 + r12d;
				goto 0x8c31cf3c;
				r12d = 1;
				if (r8w - 0x7fff < 0) goto 0x8c31cf59;
				r10d = 0x7fff;
				goto 0x8c31cf81;
				r8w = r8w |  *(_t413 - 0x75);
				 *(_t413 - 0x3b) = r10d;
				 *(_t413 - 0x41) =  *(_t413 - 0x4f) & 0x0000ffff;
				_t185 =  *(_t413 - 0x4d);
				 *(_t413 - 0x37) = r8w;
				 *(_t413 - 0x3f) = _t185;
				r10d = 0x7fff;
				goto 0x8c31cf91;
				r9w =  ~r9w;
				asm("sbb eax, eax");
				 *(_t413 - 0x41) = _t389;
				 *(_t413 - 0x39) = (_t185 & 0x80000000) + 0x7fff8000;
				if ( *(_t413 - 0x71) != 0) goto 0x8c31cc7f;
				goto 0x8c31cfe0;
				goto 0x8c31cfe0;
				goto 0x8c31cfe0;
				_t433 =  *((intOrPtr*)(_t413 - 0x59));
				 *(_t433 + 0xa) = 2 |  *(_t413 - 0x6d);
				 *_t433 = 2;
				 *((intOrPtr*)(_t433 + 2)) = 2;
				 *((intOrPtr*)(_t433 + 6)) = 2;
				return E00007FF87FF88C304980(2,  *(_t413 - 1) ^ _t415 - 0x000000a0, _t406 - 0x7ff88c3686f4, _t433);
			}

0x7ff88c31c7c0
0x7ff88c31c7c0
0x7ff88c31c7c6
0x7ff88c31c7c8
0x7ff88c31c7d0
0x7ff88c31c7dc
0x7ff88c31c7e3
0x7ff88c31c7e6
0x7ff88c31c7ea
0x7ff88c31c7f0
0x7ff88c31c7f4
0x7ff88c31c7f4
0x7ff88c31c7f8
0x7ff88c31c7fc
0x7ff88c31c800
0x7ff88c31c804
0x7ff88c31c80a
0x7ff88c31c80e
0x7ff88c31c811
0x7ff88c31c814
0x7ff88c31c819
0x7ff88c31c821
0x7ff88c31c823
0x7ff88c31c828
0x7ff88c31c82e
0x7ff88c31c835
0x7ff88c31c83d
0x7ff88c31c842
0x7ff88c31c846
0x7ff88c31c84a
0x7ff88c31c84e
0x7ff88c31c853
0x7ff88c31c858
0x7ff88c31c85e
0x7ff88c31c864
0x7ff88c31c86a
0x7ff88c31c86f
0x7ff88c31c875
0x7ff88c31c878
0x7ff88c31c87e
0x7ff88c31c881
0x7ff88c31c887
0x7ff88c31c88a
0x7ff88c31c890
0x7ff88c31c893
0x7ff88c31c899
0x7ff88c31c89f
0x7ff88c31c8a2
0x7ff88c31c8a8
0x7ff88c31c8aa
0x7ff88c31c8ac
0x7ff88c31c8af
0x7ff88c31c8b2
0x7ff88c31c8b8
0x7ff88c31c8ba
0x7ff88c31c8bf
0x7ff88c31c8c4
0x7ff88c31c8c9
0x7ff88c31c8cc
0x7ff88c31c8cf
0x7ff88c31c8d2
0x7ff88c31c8d5
0x7ff88c31c8de
0x7ff88c31c8e3
0x7ff88c31c8e8
0x7ff88c31c8ed
0x7ff88c31c8f6
0x7ff88c31c8f8
0x7ff88c31c8fe
0x7ff88c31c909
0x7ff88c31c90e
0x7ff88c31c916
0x7ff88c31c91b
0x7ff88c31c923
0x7ff88c31c926
0x7ff88c31c92b
0x7ff88c31c930
0x7ff88c31c937
0x7ff88c31c93d
0x7ff88c31c93f
0x7ff88c31c942
0x7ff88c31c94a
0x7ff88c31c95c
0x7ff88c31c963
0x7ff88c31c96d
0x7ff88c31c974
0x7ff88c31c97d
0x7ff88c31c992
0x7ff88c31c999
0x7ff88c31c99f
0x7ff88c31c9a7
0x7ff88c31c9ad
0x7ff88c31c9b6
0x7ff88c31c9be
0x7ff88c31c9c4
0x7ff88c31c9c9
0x7ff88c31c9cf
0x7ff88c31c9e1
0x7ff88c31c9ea
0x7ff88c31c9f3
0x7ff88c31c9fc
0x7ff88c31c9fe
0x7ff88c31ca08
0x7ff88c31ca12
0x7ff88c31ca19
0x7ff88c31ca1e
0x7ff88c31ca27
0x7ff88c31ca2c
0x7ff88c31ca31
0x7ff88c31ca37
0x7ff88c31ca3d
0x7ff88c31ca40
0x7ff88c31ca4a
0x7ff88c31ca51
0x7ff88c31ca5b
0x7ff88c31ca5f
0x7ff88c31ca64
0x7ff88c31ca67
0x7ff88c31ca6b
0x7ff88c31ca6e
0x7ff88c31ca79
0x7ff88c31ca7e
0x7ff88c31ca81
0x7ff88c31ca85
0x7ff88c31ca8b
0x7ff88c31ca8e
0x7ff88c31ca90
0x7ff88c31ca93
0x7ff88c31ca95
0x7ff88c31ca98
0x7ff88c31caa2
0x7ff88c31caab
0x7ff88c31cab4
0x7ff88c31cab9
0x7ff88c31cabf
0x7ff88c31cac8
0x7ff88c31cad2
0x7ff88c31cad7
0x7ff88c31cadd
0x7ff88c31cae0
0x7ff88c31cae2
0x7ff88c31caeb
0x7ff88c31caed
0x7ff88c31caf3
0x7ff88c31cafe
0x7ff88c31cb08
0x7ff88c31cb0f
0x7ff88c31cb17
0x7ff88c31cb22
0x7ff88c31cb2a
0x7ff88c31cb30
0x7ff88c31cb35
0x7ff88c31cb3a
0x7ff88c31cb3c
0x7ff88c31cb46
0x7ff88c31cb48
0x7ff88c31cb4d
0x7ff88c31cb50
0x7ff88c31cb52
0x7ff88c31cb58
0x7ff88c31cb5b
0x7ff88c31cb5e
0x7ff88c31cb63
0x7ff88c31cb6b
0x7ff88c31cb75
0x7ff88c31cb77
0x7ff88c31cb80
0x7ff88c31cb82
0x7ff88c31cb89
0x7ff88c31cb8e
0x7ff88c31cb9d
0x7ff88c31cb9f
0x7ff88c31cba7
0x7ff88c31cbad
0x7ff88c31cbb1
0x7ff88c31cbb7
0x7ff88c31cbc0
0x7ff88c31cbc2
0x7ff88c31cbc7
0x7ff88c31cbcc
0x7ff88c31cbd7
0x7ff88c31cbdc
0x7ff88c31cbe8
0x7ff88c31cbef
0x7ff88c31cbf2
0x7ff88c31cbf8
0x7ff88c31cc04
0x7ff88c31cc0c
0x7ff88c31cc16
0x7ff88c31cc1e
0x7ff88c31cc29
0x7ff88c31cc35
0x7ff88c31cc48
0x7ff88c31cc4e
0x7ff88c31cc60
0x7ff88c31cc62
0x7ff88c31cc68
0x7ff88c31cc73
0x7ff88c31cc79
0x7ff88c31cc8b
0x7ff88c31cc8e
0x7ff88c31cc92
0x7ff88c31cc9a
0x7ff88c31cca4
0x7ff88c31ccad
0x7ff88c31ccaf
0x7ff88c31ccb5
0x7ff88c31ccb9
0x7ff88c31ccc1
0x7ff88c31ccc7
0x7ff88c31ccca
0x7ff88c31ccce
0x7ff88c31ccd2
0x7ff88c31ccd6
0x7ff88c31ccda
0x7ff88c31ccde
0x7ff88c31cce1
0x7ff88c31cce5
0x7ff88c31cce9
0x7ff88c31cced
0x7ff88c31ccf1
0x7ff88c31ccfa
0x7ff88c31cd04
0x7ff88c31cd0a
0x7ff88c31cd14
0x7ff88c31cd1a
0x7ff88c31cd24
0x7ff88c31cd26
0x7ff88c31cd2a
0x7ff88c31cd2d
0x7ff88c31cd35
0x7ff88c31cd37
0x7ff88c31cd42
0x7ff88c31cd47
0x7ff88c31cd4c
0x7ff88c31cd4e
0x7ff88c31cd52
0x7ff88c31cd5a
0x7ff88c31cd5c
0x7ff88c31cd67
0x7ff88c31cd6c
0x7ff88c31cd70
0x7ff88c31cd72
0x7ff88c31cd78
0x7ff88c31cd7b
0x7ff88c31cd7f
0x7ff88c31cd87
0x7ff88c31cd8b
0x7ff88c31cd91
0x7ff88c31cd9b
0x7ff88c31cda6
0x7ff88c31cdaa
0x7ff88c31cdad
0x7ff88c31cdb4
0x7ff88c31cdba
0x7ff88c31cdbf
0x7ff88c31cdc1
0x7ff88c31cdc4
0x7ff88c31cdca
0x7ff88c31cdcc
0x7ff88c31cdd0
0x7ff88c31cddc
0x7ff88c31cddf
0x7ff88c31cde6
0x7ff88c31cde8
0x7ff88c31cdef
0x7ff88c31cdf5
0x7ff88c31cdf7
0x7ff88c31cdfb
0x7ff88c31ce04
0x7ff88c31ce0d
0x7ff88c31ce17
0x7ff88c31ce1c
0x7ff88c31ce1e
0x7ff88c31ce25
0x7ff88c31ce2b
0x7ff88c31ce38
0x7ff88c31ce3e
0x7ff88c31ce41
0x7ff88c31ce45
0x7ff88c31ce48
0x7ff88c31ce50
0x7ff88c31ce52
0x7ff88c31ce56
0x7ff88c31ce58
0x7ff88c31ce5c
0x7ff88c31ce6a
0x7ff88c31ce6e
0x7ff88c31ce72
0x7ff88c31ce77
0x7ff88c31ce7e
0x7ff88c31ce87
0x7ff88c31ce8a
0x7ff88c31ce8d
0x7ff88c31ce90
0x7ff88c31ce93
0x7ff88c31ce99
0x7ff88c31ce9d
0x7ff88c31cea1
0x7ff88c31cea5
0x7ff88c31ceae
0x7ff88c31ceb8
0x7ff88c31cebc
0x7ff88c31cec0
0x7ff88c31ceca
0x7ff88c31ced4
0x7ff88c31ced6
0x7ff88c31cee4
0x7ff88c31cee9
0x7ff88c31ceec
0x7ff88c31cef4
0x7ff88c31cef9
0x7ff88c31cefe
0x7ff88c31cf00
0x7ff88c31cf04
0x7ff88c31cf0b
0x7ff88c31cf0d
0x7ff88c31cf12
0x7ff88c31cf16
0x7ff88c31cf18
0x7ff88c31cf1c
0x7ff88c31cf20
0x7ff88c31cf22
0x7ff88c31cf25
0x7ff88c31cf28
0x7ff88c31cf2c
0x7ff88c31cf31
0x7ff88c31cf34
0x7ff88c31cf36
0x7ff88c31cf48
0x7ff88c31cf4e
0x7ff88c31cf57
0x7ff88c31cf5d
0x7ff88c31cf62
0x7ff88c31cf66
0x7ff88c31cf6a
0x7ff88c31cf6d
0x7ff88c31cf72
0x7ff88c31cf75
0x7ff88c31cf7b
0x7ff88c31cf7d
0x7ff88c31cf81
0x7ff88c31cf83
0x7ff88c31cf8e
0x7ff88c31cf93
0x7ff88c31cfa9
0x7ff88c31cfb9
0x7ff88c31cfcf
0x7ff88c31cfe0
0x7ff88c31cfe8
0x7ff88c31cfef
0x7ff88c31cff3
0x7ff88c31cff7
0x7ff88c31d021

APIs

_errno.LIBCMT ref: 00007FF88C31C823
_invalid_parameter_noinfo.LIBCMT ref: 00007FF88C31C82E

Memory Dump Source

Source File: 00000000.00000002.323590886.00007FF88C301000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF88C300000, based on PE: true

Associated: 00000000.00000002.323573707.00007FF88C300000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323655700.00007FF88C322000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323798879.00007FF88C367000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323812343.00007FF88C36A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323824687.00007FF88C36C000.00000010.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323839114.00007FF88C36D000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff88c300000_loaddll64.jbxd

Similarity

API ID: _errno_invalid_parameter_noinfo
String ID:
API String ID: 2959964966-0
Opcode ID: f9810067b0f9d9330d3ae48b96d59794a7ec36c49d8bea39d4c0c4633fa7597d
Instruction ID: 80c01f940f901d2a305dc06b04f8a133887ac97a5f0330685c40e0b5e43f61ff
Opcode Fuzzy Hash: f9810067b0f9d9330d3ae48b96d59794a7ec36c49d8bea39d4c0c4633fa7597d
Instruction Fuzzy Hash: 4832A562F181468EF7648E64E050BBC27A2BB127C8F514037EE4ED76C9CA3DA947C709

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF88C317910 Relevance: 3.1, APIs: 2, Instructions: 56
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E00007FF87FF88C317910(void* __ecx, void* __edx, void* __eflags, long long __rbx, void* __rcx, void* __rdx, long long __rsi, void* __rbp, void* __r8, void* __r9, long long _a16, long long _a24) {
				void* _v8;
				signed int _v24;
				char _v152;
				signed int _t20;
				signed int _t38;
				signed long long _t45;
				signed long long _t46;
				signed long long _t59;
				void* _t63;

				_a16 = __rbx;
				_a24 = __rsi;
				_t45 =  *0x8c3670a0; // 0xfd5a6ce2fd9f
				_t46 = _t45 ^ _t63 - 0x000000b0;
				_v24 = _t46;
				E00007FF87FF88C307F5C(__ecx, __eflags, _t46, __rcx, __rsi, __r8);
				_t59 = _t46;
				_t20 = E00007FF87FF88C3178B8(__rcx, __rdx, __r9);
				r9d = 0x78;
				asm("sbb edx, edx");
				_t38 = _t20;
				if (GetLocaleInfoA(??, ??, ??, ??) != 0) goto 0x8c317983;
				 *(_t59 + 0x150) = 0;
				goto 0x8c3179d0;
				if (E00007FF87FF88C31A374(_t46,  *((intOrPtr*)(_t59 + 0x148))) != 0) goto 0x8c3179c2;
				if (_t38 ==  *0x8c325bb0) goto 0x8c3179c2;
				if (1 - 0xa < 0) goto 0x8c31799f;
				 *(_t59 + 0x150) =  *(_t59 + 0x150) | 0x00000004;
				 *((intOrPtr*)(_t59 + 0x164)) = _t38;
				 *((intOrPtr*)(_t59 + 0x160)) = _t38;
				return E00007FF87FF88C304980(_t20, _v24 ^ _t63 - 0x000000b0,  &_v152,  &_v152);
			}

0x7ff88c317910
0x7ff88c317915
0x7ff88c317922
0x7ff88c317929
0x7ff88c31792c
0x7ff88c317937
0x7ff88c31793f
0x7ff88c317942
0x7ff88c317954
0x7ff88c31795a
0x7ff88c31795e
0x7ff88c317976
0x7ff88c317978
0x7ff88c317981
0x7ff88c317996
0x7ff88c3179a2
0x7ff88c3179ad
0x7ff88c3179af
0x7ff88c3179b6
0x7ff88c3179bc
0x7ff88c3179f4

APIs

_getptd.LIBCMT ref: 00007FF88C317937

Part of subcall function 00007FF88C307F5C: _amsg_exit.LIBCMT ref: 00007FF88C307F72

GetLocaleInfoA.KERNEL32 ref: 00007FF88C31796C

Memory Dump Source

Source File: 00000000.00000002.323590886.00007FF88C301000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF88C300000, based on PE: true

Associated: 00000000.00000002.323573707.00007FF88C300000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323655700.00007FF88C322000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323798879.00007FF88C367000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323812343.00007FF88C36A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323824687.00007FF88C36C000.00000010.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323839114.00007FF88C36D000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff88c300000_loaddll64.jbxd

Similarity

API ID: InfoLocale_amsg_exit_getptd
String ID:
API String ID: 488165793-0
Opcode ID: 99d8fc483b43fa74d6726426d958393f6aa3a2221fe15baf5fcb0f4f79432ae5
Instruction ID: f823780666eda1a89f03e7e1ca722d3559ad239d82e56c403309ede49fe207b2
Opcode Fuzzy Hash: 99d8fc483b43fa74d6726426d958393f6aa3a2221fe15baf5fcb0f4f79432ae5
Instruction Fuzzy Hash: 3221DB32B087858AEB24CB64D8457EA7391FB4A7C0F444136DA5D87358DF3CE416CB40

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180002C5C Relevance: 2.9, Strings: 2, Instructions: 355COMMON

Download Yara Rule

Strings

5R, xrefs: 0000000180003111
[TZy, xrefs: 0000000180002D0D

Memory Dump Source

Source File: 00000000.00000002.322442190.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180001000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID: 5R$[TZy
API String ID: 0-2326696573
Opcode ID: 4061b22af4a1fcad17aa3137ff0b01521b67a12185eeaaec32ffa6dee00a71e1
Instruction ID: 389918b5170f5b25bf030d3dcbfaac28bda9751d729b4d2c05917da80ede6c06
Opcode Fuzzy Hash: 4061b22af4a1fcad17aa3137ff0b01521b67a12185eeaaec32ffa6dee00a71e1
Instruction Fuzzy Hash: 0E02437190670CCBEBA8CF68C08A6DD7BF1FF58344F10412AF916A62A1C775D929CB49

Uniqueness

Uniqueness Score: -1.00%

Function 000000018002228C Relevance: 2.8, Strings: 2, Instructions: 282COMMON

Download Yara Rule

Strings

I,, xrefs: 00000001800225D2
"&{, xrefs: 00000001800223F7

Memory Dump Source

Source File: 00000000.00000002.322442190.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180001000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID: "&{$I,
API String ID: 0-3188669710
Opcode ID: e9a85c233bd586419d6d1f90df48442ea2ad5a1eeef0db758a5bd0de9940da0b
Instruction ID: 222759c20f68d3f4b5b0f6f241bbe03cdc40b4d5f2e521a8a119161d8b60415b
Opcode Fuzzy Hash: e9a85c233bd586419d6d1f90df48442ea2ad5a1eeef0db758a5bd0de9940da0b
Instruction Fuzzy Hash: EAD1477090424CCBDF59DFA8D4896DDBFB0FF48398F148229E81AAB294C7749589CF85

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180027F1C Relevance: 2.8, Strings: 2, Instructions: 259COMMON

Download Yara Rule

Strings

B, xrefs: 0000000180028035
S+-=, xrefs: 0000000180028282

Memory Dump Source

Source File: 00000000.00000002.322442190.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180001000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID: S+-=$B
API String ID: 0-4075300536
Opcode ID: 1b104f60c6984b61bb84a53f34dbd55ee8b9a8ecbab449b62d83d0f18d81ae79
Instruction ID: c8eb2d7a1a7d369eab29ad9377378876a35e0e6ad5d0998490d43091655a97b4
Opcode Fuzzy Hash: 1b104f60c6984b61bb84a53f34dbd55ee8b9a8ecbab449b62d83d0f18d81ae79
Instruction Fuzzy Hash: 98C1F3B0504609EFDB98CF28C19AADE7BB0FF48308F41816DF84A9B294D774DA19DB45

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000BBD4 Relevance: 2.7, Strings: 2, Instructions: 241COMMON

Download Yara Rule

Strings

8, xrefs: 000000018000BF46
V, xrefs: 000000018000C030

Memory Dump Source

Source File: 00000000.00000002.322442190.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180001000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID: V$8
API String ID: 0-3038727020
Opcode ID: b0041f3bed1d0949c34ee59443941f357a402f5554648ebe8c95ce9b8e07ea6e
Instruction ID: 5ac949c8593714071b1b11e0aacbc4dce9392d9cb92b8871a05392379d3c50f4
Opcode Fuzzy Hash: b0041f3bed1d0949c34ee59443941f357a402f5554648ebe8c95ce9b8e07ea6e
Instruction Fuzzy Hash: 04D1D6706087C98FDBBECF24C8857DA7BA8FB46748F504219E98A8F294DB745744CB42

Uniqueness

Uniqueness Score: -1.00%

Function 000000018002B39C Relevance: 2.7, Strings: 2, Instructions: 177COMMON

Download Yara Rule

Strings

S, xrefs: 000000018002B520
WP, xrefs: 000000018002B5BB

Memory Dump Source

Source File: 00000000.00000002.322442190.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180001000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID: WP$S
API String ID: 0-2697376140
Opcode ID: 3d708d70d76f0700e0894de13dd9a06e4866e9a6e32e4962c3402fce254a3e72
Instruction ID: 5cfe9600d47a91dc8925a338af92b553ebf052a5c0f22b5b567fe9e17141e270
Opcode Fuzzy Hash: 3d708d70d76f0700e0894de13dd9a06e4866e9a6e32e4962c3402fce254a3e72
Instruction Fuzzy Hash: EB81F3715087458FD368DF28C19962EBBF1FBC6348F004A2DF6868B290D776D918CB42

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800258E8 Relevance: 2.7, Strings: 2, Instructions: 152COMMON

Download Yara Rule

Strings

Qx, xrefs: 000000018002592A
L, xrefs: 00000001800259A1

Memory Dump Source

Source File: 00000000.00000002.322442190.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180001000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID: Qx$L
API String ID: 0-2782989848
Opcode ID: 8fdb5e7dade6d60b1a023724f9ad65d4b9c7cb52a9aefd581f2ba1f674d3d8b7
Instruction ID: 86f1aab570044b1986f6f1a38bd001868b3a410fe39ff9124833257a8da7a951
Opcode Fuzzy Hash: 8fdb5e7dade6d60b1a023724f9ad65d4b9c7cb52a9aefd581f2ba1f674d3d8b7
Instruction Fuzzy Hash: 93515E702187449FD3A9DF18C4867ABB7E0FB89710F50892DE4CE83251DB74A8898B47

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180003990 Relevance: 2.7, Strings: 2, Instructions: 152COMMON

Download Yara Rule

Strings

w0]l, xrefs: 0000000180003B57
K"], xrefs: 0000000180003C4C

Memory Dump Source

Source File: 00000000.00000002.322442190.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180001000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID: K"]$w0]l
API String ID: 0-2106158253
Opcode ID: a5018aec71ebb3022343b7d4a0fb5606dbe826906eb6b70e798fdd21a72ecac3
Instruction ID: 28f6610df90e400b74c9245c8dd2af4ed90ca0debc87349359620d6bc3ddf6ac
Opcode Fuzzy Hash: a5018aec71ebb3022343b7d4a0fb5606dbe826906eb6b70e798fdd21a72ecac3
Instruction Fuzzy Hash: EC91D77194578CCBEBBACF64C88AADD7BB0FB48304F20421DD85A9B261DB759645CF01

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000FDE4 Relevance: 2.6, Strings: 2, Instructions: 146COMMON

Download Yara Rule

Strings

+, xrefs: 000000018000FECC
g9, xrefs: 000000018000FEBE

Memory Dump Source

Source File: 00000000.00000002.322442190.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180001000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID: +$g9
API String ID: 0-976055154
Opcode ID: 1d4c2adde26999b1ce8492b11b9689b55179302074b7a3fd914b605d443a9b9b
Instruction ID: e997ee4772f8913f01ceadaddcaecfb2df49ceac954d9b4241f0023d572f2cf6
Opcode Fuzzy Hash: 1d4c2adde26999b1ce8492b11b9689b55179302074b7a3fd914b605d443a9b9b
Instruction Fuzzy Hash: E2511D70D0464E8BEB98DFA8C4453FEBAF1FB48344F108529E416E6391C7785A498F95

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800245D0 Relevance: 2.6, Strings: 2, Instructions: 132COMMON

Download Yara Rule

Strings

xE, xrefs: 000000018002469B
=R, xrefs: 0000000180024658

Memory Dump Source

Source File: 00000000.00000002.322442190.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180001000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID: =R$xE
API String ID: 0-545514718
Opcode ID: f44d21e5aaee4d09a7906727ccc28054b3bfd477728245e5ecf97a954938050c
Instruction ID: 1e4118fee573a7361052f8509598bb041a5c7e32ecd80efb7901b63fbf11df44
Opcode Fuzzy Hash: f44d21e5aaee4d09a7906727ccc28054b3bfd477728245e5ecf97a954938050c
Instruction Fuzzy Hash: 09416E71108B488FD368DF19D48925ABBF0FB8A741F508A6DE5CAC7261DB71D849CB82

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180025280 Relevance: 2.6, Strings: 2, Instructions: 128COMMON

Download Yara Rule

Strings

dI, xrefs: 00000001800252D5
Md, xrefs: 0000000180025315

Memory Dump Source

Source File: 00000000.00000002.322442190.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180001000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID: Md$dI
API String ID: 0-3822105114
Opcode ID: 6718a2595727e304f58786852357c464bafa5dbfe32c2cb15ee479bbe7753c2a
Instruction ID: 23b47bd1dbc9ffe159e368d3f6bad8723f55991696dbc6209d303bf4392bdb6f
Opcode Fuzzy Hash: 6718a2595727e304f58786852357c464bafa5dbfe32c2cb15ee479bbe7753c2a
Instruction Fuzzy Hash: C6414D7050DB848FD769DF28D08A76ABBF0FB99700F004A5DE98ACB256C770D905CB86

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180025B0C Relevance: 2.6, Strings: 2, Instructions: 128COMMON

Download Yara Rule

Strings

5tv, xrefs: 0000000180025BC9
d, xrefs: 0000000180025C10

Memory Dump Source

Source File: 00000000.00000002.322442190.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180001000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID: 5tv$d
API String ID: 0-1336818326
Opcode ID: 1b818d572de728eb3031ec2a2a2547713219a8efe97dbf2c879e41f5726fd6ef
Instruction ID: 475345fda201d03b2aa0922abd73baa5058808b6051412fcdb63cef9fa48a10c
Opcode Fuzzy Hash: 1b818d572de728eb3031ec2a2a2547713219a8efe97dbf2c879e41f5726fd6ef
Instruction Fuzzy Hash: EC41317090CB448FE778DF28D48565ABBE0FB98710F204A5EE99987265DB30A845CF87

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180011A19 Relevance: 2.6, Strings: 2, Instructions: 126COMMON

Download Yara Rule

Strings

2Y, xrefs: 0000000180011A8A
q, xrefs: 0000000180011AE1

Memory Dump Source

Source File: 00000000.00000002.322442190.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180001000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID: 2Y$q
API String ID: 0-2334638818
Opcode ID: 74b46a50ed6e68f5435d821121d260a4c410ab1bc8e4c0dc2fa41b3f3e88ba8a
Instruction ID: c6283db541ec513beef892d752db4e568727c1c4c815371c690050367e22e2dd
Opcode Fuzzy Hash: 74b46a50ed6e68f5435d821121d260a4c410ab1bc8e4c0dc2fa41b3f3e88ba8a
Instruction Fuzzy Hash: 64514D70148788CBEBBACE28C8857DD37B0FB48355F904129E84D8A290DF399B4ACB41

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800016A0 Relevance: 2.6, Strings: 2, Instructions: 126COMMON

Download Yara Rule

Strings

, xrefs: 000000018000174D
5tv, xrefs: 0000000180001771

Memory Dump Source

Source File: 00000000.00000002.322442190.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180001000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID: 5tv$
API String ID: 0-2780997735
Opcode ID: cdb677b7efbf6727cc15d00abc8acfbddd9a3a6a0863419609f6b64b25884b1d
Instruction ID: 682efdfb835f0944d9b3cd1d19bf2dc5a795d751ab9dde4968e598024bbf9c71
Opcode Fuzzy Hash: cdb677b7efbf6727cc15d00abc8acfbddd9a3a6a0863419609f6b64b25884b1d
Instruction Fuzzy Hash: 6B41D67060CB848FD7A8DF29D48575ABBE1FB99700F104A6EE48EC7351DB309845CB46

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800099A0 Relevance: 2.6, Strings: 2, Instructions: 123COMMON

Download Yara Rule

Strings

_J, xrefs: 0000000180009AAA
", xrefs: 0000000180009A25

Memory Dump Source

Source File: 00000000.00000002.322442190.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180001000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID: _J$"
API String ID: 0-375824316
Opcode ID: 16754b455ce3a7da9d2704e1a58f0594b635269a4c9c34a8065f0cd238c443ce
Instruction ID: a015db09cc69215115070bbc18e5e19218d5f9ca582abc8bde2d6b3cb96b11d5
Opcode Fuzzy Hash: 16754b455ce3a7da9d2704e1a58f0594b635269a4c9c34a8065f0cd238c443ce
Instruction Fuzzy Hash: E451D7B090478E8BDF48CF68C8865DE7BB1FB48344F114A1DF866A7290D7B89665CF84

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800029CC Relevance: 2.6, Strings: 2, Instructions: 116COMMON

Download Yara Rule

Strings

7>, xrefs: 00000001800029DD
+, xrefs: 00000001800029E5

Memory Dump Source

Source File: 00000000.00000002.322442190.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180001000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID: +$7>
API String ID: 0-2758361454
Opcode ID: 2e8c382f1f5cae5d0cfd37c4f5f85487ae38f0e72fcc42c912503157f4b58bb7
Instruction ID: 4e37f663fc3c7aa3dcb7570ddacebebcd825af8254e41e5c90c44cc7432e9a11
Opcode Fuzzy Hash: 2e8c382f1f5cae5d0cfd37c4f5f85487ae38f0e72fcc42c912503157f4b58bb7
Instruction Fuzzy Hash: DE51907050478CCBEBBADF28CC9A7DB7BB1FB48348F500619D84A8E294DB765649CB41

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180010BAE Relevance: 2.6, Strings: 2, Instructions: 108COMMON

Download Yara Rule

Strings

m!yq, xrefs: 00000001800156B4
fd];, xrefs: 00000001800156C9

Memory Dump Source

Source File: 00000000.00000002.322442190.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180001000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID: fd];$m!yq
API String ID: 0-2886939648
Opcode ID: ec9066c96f18cc99003324ad8cba80b3c9e29a914b4d0b9c646a8466c7d4c70b
Instruction ID: 45c9a4aadfef77d207881a56b7ae6fd3159e1bd1bfc115e0ecbadd116dbac687
Opcode Fuzzy Hash: ec9066c96f18cc99003324ad8cba80b3c9e29a914b4d0b9c646a8466c7d4c70b
Instruction Fuzzy Hash: B251963054878ACFDBB9CF14C885BEE77E1FB44344F10852DE46A8B691EB349A48DB42

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180021894 Relevance: 2.6, Strings: 2, Instructions: 102COMMON

Download Yara Rule

Strings

m, xrefs: 00000001800218F5
L9, xrefs: 00000001800219B0

Memory Dump Source

Source File: 00000000.00000002.322442190.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180001000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID: L9$m
API String ID: 0-3029129943
Opcode ID: dcf02cfa2a7336adc6bb41e78a447814b2d4e6be1d3bb45263ee61ee01e9bb49
Instruction ID: c371cc2f659e7c88e38da41d4f73551d4e4d6346abd6407f59104d3dc464ceac
Opcode Fuzzy Hash: dcf02cfa2a7336adc6bb41e78a447814b2d4e6be1d3bb45263ee61ee01e9bb49
Instruction Fuzzy Hash: D551E4B090034E8FDB48CF68C88A4DE7FB0FB58358F20561DE856A6250D77896A5CFD5

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180013634 Relevance: 2.6, Strings: 2, Instructions: 98COMMON

Download Yara Rule

Strings

;g, xrefs: 00000001800136DC
qB, xrefs: 0000000180013728

Memory Dump Source

Source File: 00000000.00000002.322442190.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180001000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID: ;g$qB
API String ID: 0-663762695
Opcode ID: 5d3f0c764fecbb7d488ab6b1d0b4b04407c8fb2aec2096327f09f152605ccfc9
Instruction ID: 0660f12f8a09808dc78b25dad7bc1da49ad33209b448fc61c10a9a874142b489
Opcode Fuzzy Hash: 5d3f0c764fecbb7d488ab6b1d0b4b04407c8fb2aec2096327f09f152605ccfc9
Instruction Fuzzy Hash: 1C51AFB190074A8BDF48CF64C88A4DE7FF0FB68398F11461DE855A6290D3B896A5CFC5

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180025668 Relevance: 2.6, Strings: 2, Instructions: 95COMMON

Download Yara Rule

Strings

uS, xrefs: 000000018002578A
3}, xrefs: 00000001800257A3

Memory Dump Source

Source File: 00000000.00000002.322442190.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180001000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID: 3}$uS
API String ID: 0-647507659
Opcode ID: 8d8564e839c91ad1a765e7e5f09dd5de43adffc1adeceefb0586eb802114e0de
Instruction ID: 74e33d180aa3f8b76a70b405a3227075f3f50add8b225f92a0698480338c6ef9
Opcode Fuzzy Hash: 8d8564e839c91ad1a765e7e5f09dd5de43adffc1adeceefb0586eb802114e0de
Instruction Fuzzy Hash: AB41B2B090074E8FDB48CF68C48A4DE7BB0FB18398F11461DF856A6290D7B896A5CFD5

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180011C90 Relevance: 2.6, Strings: 2, Instructions: 94COMMON

Download Yara Rule

Strings

^t, xrefs: 0000000180011D96
@, xrefs: 0000000180011CBB

Memory Dump Source

Source File: 00000000.00000002.322442190.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180001000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID: @$^t
API String ID: 0-4131695842
Opcode ID: a58368368c97d3b566623ad094667ddb6c4b2befb01036770ef35246eb38b4ea
Instruction ID: 2db60de07e1335c054fc2d92f6fc6112d48f95fe40d224dddc54528cc3da17ec
Opcode Fuzzy Hash: a58368368c97d3b566623ad094667ddb6c4b2befb01036770ef35246eb38b4ea
Instruction Fuzzy Hash: C2410A705187808FD318DF68C58A51ABBF0FB8A344F504A5DFA858B3A1D7B5D885CB46

Uniqueness

Uniqueness Score: -1.00%

Function 000000018001E8E4 Relevance: 2.6, Strings: 2, Instructions: 92COMMON

Download Yara Rule

Strings

', xrefs: 000000018001E9A3
"%, xrefs: 000000018001E9CB

Memory Dump Source

Source File: 00000000.00000002.322442190.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180001000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID: "%$'
API String ID: 0-4021852118
Opcode ID: 174a401c34f44fa609ac95edce34ea569dd9484cc543c2c0dc597f184044b4b2
Instruction ID: d895a8db6a836dd65a14fa95b8adfd14ec7b7bf6b77f888c55fc06651afbb9ca
Opcode Fuzzy Hash: 174a401c34f44fa609ac95edce34ea569dd9484cc543c2c0dc597f184044b4b2
Instruction Fuzzy Hash: 3F311870118B448FE798DF28C489A1ABBE1FB88384F604A2DF596C7360D374D945CF42

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000B3A4 Relevance: 2.6, Strings: 2, Instructions: 88COMMON

Download Yara Rule

Strings

#X, xrefs: 000000018000B409
&X\, xrefs: 000000018000B48B

Memory Dump Source

Source File: 00000000.00000002.322442190.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180001000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID: #X$&X\
API String ID: 0-68823137
Opcode ID: e7642a3e4f8f819326dc7b60a532d803c32389be331e47485af71a90eac779b6
Instruction ID: d68ec68d6f63515a3e3bdabecc048ab4ba3cb28e523a66ac6d2b66fee9e09ed2
Opcode Fuzzy Hash: e7642a3e4f8f819326dc7b60a532d803c32389be331e47485af71a90eac779b6
Instruction Fuzzy Hash: 11315AB0108B059FE7A9CF28C085A1ABBE0FB98344F60591CF586C62B1DB35D845CF02

Uniqueness

Uniqueness Score: -1.00%

Function 000000018001428C Relevance: 2.6, Strings: 2, Instructions: 80COMMON

Download Yara Rule

Strings

J", xrefs: 00000001800143B3
BF, xrefs: 000000018001439A

Memory Dump Source

Source File: 00000000.00000002.322442190.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180001000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID: BF$J"
API String ID: 0-3135042434
Opcode ID: 5f922010ae825af1b28cd17ba37e35f6bd20f53a7b48d21b121c5292f972feba
Instruction ID: 4bd68fb9fd32dc983de20f5bcd24004bd9f52c0e63f984e93b7b08f149123488
Opcode Fuzzy Hash: 5f922010ae825af1b28cd17ba37e35f6bd20f53a7b48d21b121c5292f972feba
Instruction Fuzzy Hash: C141C7B190078E8FDB48CF64C88A5DE7BB0FF18358F50461DE866A6261D7B89664CFC4

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180014C80 Relevance: 2.6, Strings: 2, Instructions: 76COMMON

Download Yara Rule

Strings

|G, xrefs: 0000000180014CC8
2., xrefs: 0000000180014D23

Memory Dump Source

Source File: 00000000.00000002.322442190.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180001000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID: 2.$|G
API String ID: 0-156813315
Opcode ID: 61cbdd1641784e2b07d81c51757d3b964695c396bee5423fbc7609edeae1d8a5
Instruction ID: 655b8ac7a7cfca24aaef5ce2e38309ec63c0334a2f5ac8a916f73782318c4cc6
Opcode Fuzzy Hash: 61cbdd1641784e2b07d81c51757d3b964695c396bee5423fbc7609edeae1d8a5
Instruction Fuzzy Hash: 4E310770608B898FD7B8CF28C08639BB7E1FB99314F408A2DD08EC6295DB748845CB07

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180007130 Relevance: 2.6, Strings: 2, Instructions: 73COMMON

Download Yara Rule

Strings

iQ, xrefs: 00000001800071BB
P, xrefs: 000000018000725F

Memory Dump Source

Source File: 00000000.00000002.322442190.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180001000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID: P$iQ
API String ID: 0-3006515628
Opcode ID: 5139c9901125cf8f8cec41676cb266c44a84552ba89eefd726232ad769ef83bf
Instruction ID: e82642bc8128441b7dcc3334f0729daaa59dc5e1eda0cb024cd7336076dff94b
Opcode Fuzzy Hash: 5139c9901125cf8f8cec41676cb266c44a84552ba89eefd726232ad769ef83bf
Instruction Fuzzy Hash: D831B070958B858BE368DF29C08A51FBBE1BB94344F200A1DF5D5863A1DBB4954ACF83

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180008D40 Relevance: 2.6, Strings: 2, Instructions: 68COMMON

Download Yara Rule

Strings

$/, xrefs: 0000000180008D44
CB, xrefs: 0000000180008D89

Memory Dump Source

Source File: 00000000.00000002.322442190.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180001000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID: $/$CB
API String ID: 0-1282250384
Opcode ID: 81911d321b369e19af62be08bddb36ccefe9a8bf58cb624a2ba6607796043e99
Instruction ID: ce9d2fd9107c90121f6ee8c7778ca2acdaa783d179153bfa66d031bb3530ab1d
Opcode Fuzzy Hash: 81911d321b369e19af62be08bddb36ccefe9a8bf58cb624a2ba6607796043e99
Instruction Fuzzy Hash: EC319C7451C3858BD348DF28C44A52BBBE0FB8931CF500B2DF4CAA6251D378D606CB4A

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000C65C Relevance: 2.6, Strings: 2, Instructions: 65COMMON

Download Yara Rule

Strings

b, xrefs: 000000018000C670
Z?, xrefs: 000000018000C668

Memory Dump Source

Source File: 00000000.00000002.322442190.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180001000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID: Z?$b
API String ID: 0-1768779257
Opcode ID: b219a3207434b0e178abd622b61cec7921586d0754f2a2622ef973b06c9928fb
Instruction ID: f85f6c254545b88424a3079b7e614ec61541263b31469fabddb5dd5585c9876d
Opcode Fuzzy Hash: b219a3207434b0e178abd622b61cec7921586d0754f2a2622ef973b06c9928fb
Instruction Fuzzy Hash: 1431A1B4528781AFC798DF28C59A81FBBE1FB88304F806A1DF9868A350D335D405CB02

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000BAD0 Relevance: 2.6, Strings: 2, Instructions: 65COMMON

Download Yara Rule

Strings

S=}, xrefs: 000000018000BB90
!', xrefs: 000000018000BB69

Memory Dump Source

Source File: 00000000.00000002.322442190.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180001000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID: !'$S=}
API String ID: 0-1426155830
Opcode ID: ce0f6d1e07f533e21861334d9bc8bbf5ea9c1460895176455d4563657c08c79d
Instruction ID: c34bfdd6f23bcda513f3c87e7cfea085e374644de8ccaabb7c270113b5c00615
Opcode Fuzzy Hash: ce0f6d1e07f533e21861334d9bc8bbf5ea9c1460895176455d4563657c08c79d
Instruction Fuzzy Hash: C8317AB190078E8FDB58CF68D84A5DF7BA1FB18718F014A19FC6A96254D3B4C668CF80

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180007014 Relevance: 2.6, Strings: 2, Instructions: 63COMMON

Download Yara Rule

Strings

YS, xrefs: 00000001800070D9
E, xrefs: 0000000180007118

Memory Dump Source

Source File: 00000000.00000002.322442190.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180001000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID: E$YS
API String ID: 0-735149948
Opcode ID: 43a208b0f51a86defcf8492d75f9b0295afcf01c0568758e1aff76522162fb07
Instruction ID: 4592ee0109c1b769a5b0755240e9ee3eac3dd8270b288fe68912ac1910cb6f30
Opcode Fuzzy Hash: 43a208b0f51a86defcf8492d75f9b0295afcf01c0568758e1aff76522162fb07
Instruction Fuzzy Hash: B9315B715187848BD348DF28C45A52ABAE1BB9C31CF454B2DF4CAAA790D37C9A05CB4A

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180019E08 Relevance: 2.6, Strings: 2, Instructions: 63COMMON

Download Yara Rule

Strings

;B, xrefs: 0000000180019E9E
zdJ, xrefs: 0000000180019E90

Memory Dump Source

Source File: 00000000.00000002.322442190.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180001000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID: ;B$zdJ
API String ID: 0-85318069
Opcode ID: 44403f6004564e55cc460da937d6cb251a3e9e5b06402202718ff149627838ea
Instruction ID: c801a74d2f7d87c2f7774eec352f8aca000c49ff69467b74f72421baa0d30ccb
Opcode Fuzzy Hash: 44403f6004564e55cc460da937d6cb251a3e9e5b06402202718ff149627838ea
Instruction Fuzzy Hash: 71317AB56087848BD348DF28C55651BBBE0BB9C30CF404B5DF5CAAB2A1D778E604CB4A

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000D6A4 Relevance: 2.6, Strings: 2, Instructions: 58COMMON

Download Yara Rule

Strings

G!, xrefs: 000000018000D6B9
M, xrefs: 000000018000D6A8

Memory Dump Source

Source File: 00000000.00000002.322442190.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180001000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID: G!$M
API String ID: 0-4181500389
Opcode ID: d0aebad791f0ef5902cfa85e5254beca2a6b6ba56e5a9a8ce845976339f365cb
Instruction ID: 34657a944fd9670636fc81a615fc3e23ac55de0e76a6fe8c32ee2c4ae6ebfe38
Opcode Fuzzy Hash: d0aebad791f0ef5902cfa85e5254beca2a6b6ba56e5a9a8ce845976339f365cb
Instruction Fuzzy Hash: 9C3126B55087858FD388DF28D48A41BBBE4BB9D308F405B1DF4CAAB260D738D6458B0A

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800137DC Relevance: 2.6, Strings: 2, Instructions: 57COMMON

Download Yara Rule

Strings

T|, xrefs: 00000001800138BE
TG, xrefs: 00000001800137E8

Memory Dump Source

Source File: 00000000.00000002.322442190.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180001000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID: TG$T|
API String ID: 0-3042096617
Opcode ID: 02422726d864e5295f32e44f7f6a443c31ea0d81d041bc712d4a284db1ff9d5e
Instruction ID: 5a343e11d9fb6a1e52555f0e3ad140c4b181f3131215b95d54a5ec3371dae465
Opcode Fuzzy Hash: 02422726d864e5295f32e44f7f6a443c31ea0d81d041bc712d4a284db1ff9d5e
Instruction Fuzzy Hash: 73216CB452C780AFD3D8DF28D48A90BBBE0BB99314F806A1DF8CA86290D774D445CB46

Uniqueness

Uniqueness Score: -1.00%

Function 000000018001C57C Relevance: 2.1, Strings: 1, Instructions: 880COMMON

Download Yara Rule

Strings

NkN, xrefs: 000000018001D3D2

Memory Dump Source

Source File: 00000000.00000002.322442190.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180001000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID: NkN
API String ID: 0-239520485
Opcode ID: 5ead05261dbd5eb17ec6fe9b2cfd5b33674e2ea168060564fdc05eddb288b6b2
Instruction ID: 94e7b02698dbaff0378697066703af8d3c180d1fdef3478323a77fda78e5d403
Opcode Fuzzy Hash: 5ead05261dbd5eb17ec6fe9b2cfd5b33674e2ea168060564fdc05eddb288b6b2
Instruction Fuzzy Hash: 59B23CB550478D8FDBBADF28CC497DB3BA5FB59314F00422ADC0ACA2A0E7769655CB40

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180005684 Relevance: 2.1, Strings: 1, Instructions: 847COMMON

Download Yara Rule

Strings

4mBG, xrefs: 000000018000633F

Memory Dump Source

Source File: 00000000.00000002.322442190.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180001000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID: 4mBG
API String ID: 0-888475949
Opcode ID: 935e881693950b67a83cff4f45085fe3be30331c6423612ccdfe2a6f5273adc4
Instruction ID: 217f11d85181cf4ac19dd14d393826e4428b425c7c4e62f155c111bb576ecedc
Opcode Fuzzy Hash: 935e881693950b67a83cff4f45085fe3be30331c6423612ccdfe2a6f5273adc4
Instruction Fuzzy Hash: CB92037550170DCFDBA8CF28C48A6DA3BE4FB18308F614129FC5A962A1D778E919CF46

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF88C3119D4 Relevance: 1.7, APIs: 1, Instructions: 156
COMMONCrypto

Download Yara Rule

C-Code - Quality: 87%

			E00007FF87FF88C3119D4(void* __ecx, void* __eflags, intOrPtr* __rcx, intOrPtr* __rdx, void* __r8, intOrPtr* __r9, intOrPtr* _a40) {
				signed int _v88;
				char _v232;
				void* _v248;
				void* _v256;
				void* _v264;
				signed int _v280;
				void* __rbx;
				void* __rdi;
				void* __rsi;
				void* __rbp;
				signed long long _t75;
				signed long long _t76;
				intOrPtr* _t77;
				intOrPtr* _t80;
				intOrPtr* _t107;
				intOrPtr* _t109;
				intOrPtr* _t110;
				signed int _t120;
				intOrPtr* _t121;
				void* _t123;
				intOrPtr* _t125;

				_t118 = __r9;
				_t111 =  &_v248;
				_t75 =  *0x8c3670a0; // 0xfd5a6ce2fd9f
				_t76 = _t75 ^  &_v248;
				_v88 = _t76;
				_t109 = _a40;
				_t80 = __r9;
				_t123 = __r8;
				_t110 = __rdx;
				_t107 = __rcx;
				E00007FF87FF88C307F5C(__ecx, __eflags, _t76, __rcx, _t109, __r8);
				_t3 = _t76 + 0x170; // 0x170
				_t4 = _t76 + 0x168; // 0x168
				r12d = 0;
				_v248 = _t3;
				_t6 = _t76 + 0x174; // 0x174
				_t7 = _t76 + 0x1f7; // 0x1f7
				_t122 = _t7;
				_v264 = _t4;
				_v256 = _t6;
				if (__rcx == 0) goto 0x8c311bea;
				if (__rdx == 0) goto 0x8c311bea;
				if (__r8 == 0) goto 0x8c311bea;
				if ( *((char*)(__rcx)) != 0x43) goto 0x8c311aaf;
				if ( *((intOrPtr*)(__rcx + 1)) != r12b) goto 0x8c311aaf;
				if (E00007FF87FF88C306870(_t76, __rdx, __r8, 0x8c3246b0) != 0) goto 0x8c311a9a;
				if (__r9 == 0) goto 0x8c311a8a;
				 *__r9 = r12d;
				 *((intOrPtr*)(__r9 + 4)) = r12w;
				if (_t109 == 0) goto 0x8c311a92;
				 *_t109 = r12d;
				_t77 = __rdx;
				goto 0x8c311bec;
				r9d = 0;
				r8d = 0;
				_v280 = _t120;
				E00007FF87FF88C30938C();
				asm("int3");
				E00007FF87FF88C3053B0(_t32, __rcx);
				_t121 = _t77;
				if (_t77 - 0x83 >= 0) goto 0x8c311aea;
				if (E00007FF87FF88C3057E0(0, _t7, __rcx) == 0) goto 0x8c311b79;
				if (E00007FF87FF88C3057E0(0, _v256, __rcx) == 0) goto 0x8c311b79;
				_t14 =  &_v232; // 0xb9
				r15d = 0;
				if (E00007FF87FF88C3115B0(0, _t80, _t14, __rcx, __rcx, _t109, 0x8c3246b0) != 0) goto 0x8c311bea;
				_t16 =  &_v232; // 0xb9
				_t17 =  &_v232; // 0xb9
				if (E00007FF87FF88C317FCC(0, E00007FF87FF88C3115B0(0, _t80, _t14, __rcx, __rcx, _t109, 0x8c3246b0), _t77, _t80, _t17, _v264, _t16, _t118) == 0) goto 0x8c311bea;
				_t78 = _v264;
				 *_v248 =  *(_v264 + 4) & 0x0000ffff;
				0x8c311760();
				if ( *_t107 == r15b) goto 0x8c311b53;
				if (_t121 - 0x83 >= 0) goto 0x8c311b53;
				_t125 = _t121;
				goto 0x8c311b5a;
				_t23 = _t125 + 1; // 0x1
				if (E00007FF87FF88C317670(_v264, _v256, _v264, 0x8c32398d, _t23) != 0) goto 0x8c311bd4;
				if (_t80 == 0) goto 0x8c311b8f;
				r8d = 6;
				E00007FF87FF88C304B80(0, _t80, _t80, _v264, 0x8c32398d);
				if (_t109 == 0) goto 0x8c311ba7;
				r8d = 4;
				E00007FF87FF88C304B80(0, _t109, _t109, _v248, 0x8c32398d);
				if (E00007FF87FF88C306870(_t78, _t110, _t123, _t122) != 0) goto 0x8c311bbe;
				goto 0x8c311bec;
				_v280 = _v280 & 0x00000000;
				r9d = 0;
				r8d = 0;
				E00007FF87FF88C30938C();
				asm("int3");
				_v280 = _v280 & 0x00000000;
				r9d = 0;
				r8d = 0;
				E00007FF87FF88C30938C();
				asm("int3");
				return E00007FF87FF88C304980(0, _v88 ^ _t111, _t123, _t122);
			}

0x7ff88c3119d4
0x7ff88c3119e1
0x7ff88c3119e8
0x7ff88c3119ef
0x7ff88c3119f2
0x7ff88c3119fa
0x7ff88c311a02
0x7ff88c311a05
0x7ff88c311a08
0x7ff88c311a0b
0x7ff88c311a0e
0x7ff88c311a13
0x7ff88c311a1a
0x7ff88c311a21
0x7ff88c311a24
0x7ff88c311a29
0x7ff88c311a30
0x7ff88c311a30
0x7ff88c311a37
0x7ff88c311a3c
0x7ff88c311a44
0x7ff88c311a4d
0x7ff88c311a56
0x7ff88c311a5f
0x7ff88c311a65
0x7ff88c311a7b
0x7ff88c311a80
0x7ff88c311a82
0x7ff88c311a85
0x7ff88c311a8d
0x7ff88c311a8f
0x7ff88c311a92
0x7ff88c311a95
0x7ff88c311a9a
0x7ff88c311a9d
0x7ff88c311aa4
0x7ff88c311aa9
0x7ff88c311aae
0x7ff88c311ab2
0x7ff88c311ab7
0x7ff88c311ac0
0x7ff88c311acf
0x7ff88c311ae4
0x7ff88c311aea
0x7ff88c311af2
0x7ff88c311afc
0x7ff88c311b07
0x7ff88c311b0c
0x7ff88c311b18
0x7ff88c311b1e
0x7ff88c311b36
0x7ff88c311b3b
0x7ff88c311b43
0x7ff88c311b4c
0x7ff88c311b4e
0x7ff88c311b51
0x7ff88c311b5f
0x7ff88c311b72
0x7ff88c311b7c
0x7ff88c311b7e
0x7ff88c311b8a
0x7ff88c311b92
0x7ff88c311b99
0x7ff88c311ba2
0x7ff88c311bb7
0x7ff88c311bbc
0x7ff88c311bbe
0x7ff88c311bc4
0x7ff88c311bc7
0x7ff88c311bce
0x7ff88c311bd3
0x7ff88c311bd4
0x7ff88c311bda
0x7ff88c311bdd
0x7ff88c311be4
0x7ff88c311be9
0x7ff88c311c0f

APIs

_getptd.LIBCMT ref: 00007FF88C311A0E

Part of subcall function 00007FF88C307F5C: _amsg_exit.LIBCMT ref: 00007FF88C307F72

Part of subcall function 00007FF88C306870: _errno.LIBCMT ref: 00007FF88C306888
Part of subcall function 00007FF88C306870: _invalid_parameter_noinfo.LIBCMT ref: 00007FF88C306894

Memory Dump Source

Source File: 00000000.00000002.323590886.00007FF88C301000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF88C300000, based on PE: true

Associated: 00000000.00000002.323573707.00007FF88C300000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323655700.00007FF88C322000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323798879.00007FF88C367000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323812343.00007FF88C36A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323824687.00007FF88C36C000.00000010.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323839114.00007FF88C36D000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff88c300000_loaddll64.jbxd

Similarity

API ID: _amsg_exit_errno_getptd_invalid_parameter_noinfo
String ID:
API String ID: 1050512615-0
Opcode ID: 563c8f68154ae00a86a84019f6f1b1bf0a5fce56bde51bd677902d8146a06199
Instruction ID: 33428e4c34782ee6cd69a3d827772e280b8c0d17636dadd75dea8d36787b9ab1
Opcode Fuzzy Hash: 563c8f68154ae00a86a84019f6f1b1bf0a5fce56bde51bd677902d8146a06199
Instruction Fuzzy Hash: 3051A322A1D68246FB659A61E511BBA6694BF86BC4F448032FE4D87B9DEF3CD106C700

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180012BFC Relevance: 1.6, Strings: 1, Instructions: 371COMMON

Download Yara Rule

Strings

uL~X, xrefs: 0000000180012D21

Memory Dump Source

Source File: 00000000.00000002.322442190.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180001000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID: uL~X
API String ID: 0-3492378280
Opcode ID: c6f392b216e178daac8f6a633078f7db2729c753e3f84ebd61764f51a21e6990
Instruction ID: d5a2a05253b25fa09d1f4a0a8e293cbf18d5238a569b4b52025f537a0d51a87a
Opcode Fuzzy Hash: c6f392b216e178daac8f6a633078f7db2729c753e3f84ebd61764f51a21e6990
Instruction Fuzzy Hash: 4D02E6B150560ACFDB98CF28C585ADE3BE0FF48318F414129FC0A9B294D774DA69DB85

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180006668 Relevance: 1.6, Strings: 1, Instructions: 328COMMON

Download Yara Rule

Strings

7w, xrefs: 000000018000699A

Memory Dump Source

Source File: 00000000.00000002.322442190.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180001000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID: 7w
API String ID: 0-1590570024
Opcode ID: fc178e956535ca2e047fc9e577a13a2a7fee3c1458e654fa024ae66ce9e8a0d9
Instruction ID: bcdf8af614ce119259372ddc2241b10d7dd4e42d3abf697d6c611332b7fae7fa
Opcode Fuzzy Hash: fc178e956535ca2e047fc9e577a13a2a7fee3c1458e654fa024ae66ce9e8a0d9
Instruction Fuzzy Hash: A0E10A71E0870E8FDB99DFA8C4566EEBBB2FB48354F008119D40AF6290D7749A09CF95

Uniqueness

Uniqueness Score: -1.00%

Function 000000018001A9F0 Relevance: 1.6, Strings: 1, Instructions: 323COMMON

Download Yara Rule

Strings

#X, xrefs: 000000018001AE6C

Memory Dump Source

Source File: 00000000.00000002.322442190.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180001000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID: #X
API String ID: 0-1684620495
Opcode ID: 6dc5db42fc19b6f7285259d344564077165a90bd868be6f0fe9dfe417e95ce79
Instruction ID: fb7b8c1edf22dcbd8321a170a1b4e40be69899bad680fec357304c9722582c29
Opcode Fuzzy Hash: 6dc5db42fc19b6f7285259d344564077165a90bd868be6f0fe9dfe417e95ce79
Instruction Fuzzy Hash: 8102B671505B888FEBB9CF28CC89BEB7BA1FB44306F10551AD84A9E294DFB45644CF41

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF88C305D68 Relevance: 1.6, Strings: 1, Instructions: 320
COMMONLIBRARYCODECrypto

Download Yara Rule

C-Code - Quality: 61%

			E00007FF87FF88C305D68(void* __eflags, long long __rbx, signed int __rdx, void* __r8, signed int* __r9) {
				void* _t115;
				signed char _t117;
				signed int _t121;
				signed int _t128;
				void* _t138;
				signed long long _t139;
				signed long long _t179;
				unsigned long long _t180;
				signed long long _t194;
				signed long long _t199;
				signed long long _t200;
				signed long long _t203;
				signed long long _t207;
				signed long long _t211;
				signed long long _t215;
				unsigned long long _t219;
				unsigned long long _t223;
				unsigned long long _t227;
				unsigned long long _t231;
				unsigned long long _t235;
				signed long long _t242;
				signed long long _t248;
				signed long long _t252;
				signed long long _t256;
				unsigned long long _t260;
				unsigned long long _t264;
				unsigned long long _t268;
				unsigned long long _t272;
				unsigned long long _t276;
				signed long long _t281;
				signed long long _t287;
				signed long long _t293;
				signed long long _t295;
				signed long long _t296;
				void* _t305;
				void* _t307;
				signed long long _t308;
				signed long long _t311;
				signed long long _t327;
				signed long long _t338;
				signed long long _t340;

				_t138 = _t307;
				 *((long long*)(_t138 + 8)) = __rbx;
				_push(_t338);
				_push(_t340);
				_t305 = _t138 - 0xf28;
				_t308 = _t307 - 0xff0;
				asm("movaps [eax-0x48], xmm6");
				asm("movaps [eax-0x58], xmm7");
				asm("inc esp");
				_t139 =  *0x8c3670a0; // 0xfd5a6ce2fd9f
				 *(_t305 + 0xeb0) = _t139 ^ _t308;
				r15d = 0x3ff;
				asm("movsd [esp], xmm0");
				 *(_t305 - 0x58) =  *(_t305 - 0x58) & 0x00000000;
				_t327 =  *_t308 & 0xffffffff | 0x00000000;
				r11d = r11d & 0x000007ff;
				r11d = r11d - r15d;
				r11d = r11d - __rdx + __rdx * 4 + __rdx + __rdx * 4;
				_t311 = __rdx + 0x12;
				_t203 =  *(0x8c3670b0 + _t311 * 8) * _t327;
				_t248 =  *(0x8c3670b0 + _t311 * 8 - 8) * _t327 + (_t203 >> 0xa);
				 *(_t305 - 0x60) = _t203 & _t340;
				_t207 =  *(0x8c3670b0 + _t311 * 8 - 0x10) * _t327 + (_t248 >> 0xa);
				 *(_t305 - 0x68) = _t248 & _t340;
				_t252 =  *(0x8c3670b0 + _t311 * 8 - 0x18) * _t327 + (_t207 >> 0xa);
				 *(_t305 - 0x70) = _t207 & _t340;
				_t211 =  *(0x8c3670b0 + _t311 * 8 - 0x20) * _t327 + (_t252 >> 0xa);
				 *(_t305 - 0x78) = _t252 & _t340;
				_t256 =  *(0x8c3670b0 + _t311 * 8 - 0x28) * _t327 + (_t211 >> 0xa);
				 *(_t305 - 0x80) = _t211 & _t340;
				_t215 =  *(0x8c3670b0 + _t311 * 8 - 0x30) * _t327 + (_t256 >> 0xa);
				 *(_t308 + 0x78) = _t256 & _t340;
				_t260 =  *(0x8c3670b0 + _t311 * 8 - 0x38) * _t327 + (_t215 >> 0xa);
				 *(_t308 + 0x70) = _t215 & _t340;
				 *(_t308 + 0x68) = _t260 & _t340;
				_t219 =  *(0x8c3670b0 + _t311 * 8 - 0x40) * _t327 + (_t260 >> 0xa);
				 *(_t308 + 0x60) = _t219 & _t340;
				_t264 =  *(0x8c3670b0 + _t311 * 8 - 0x48) * _t327 + (_t219 >> 0xa);
				 *(_t308 + 0x58) = _t264 & _t340;
				_t223 =  *(0x8c3670b0 + _t311 * 8 - 0x50) * _t327 + (_t264 >> 0xa);
				 *(_t308 + 0x50) = _t223 & _t340;
				_t268 =  *(0x8c3670b0 + _t311 * 8 - 0x58) * _t327 + (_t223 >> 0xa);
				 *(_t308 + 0x48) = _t268 & _t340;
				_t227 =  *(0x8c3670b0 + _t311 * 8 - 0x60) * _t327 + (_t268 >> 0xa);
				 *(_t308 + 0x40) = _t227 & _t340;
				_t272 =  *(0x8c3670b0 + _t311 * 8 - 0x68) * _t327 + (_t227 >> 0xa);
				 *(_t308 + 0x38) = _t272 & _t340;
				_t231 =  *(0x8c3670b0 + _t311 * 8 - 0x70) * _t327 + (_t272 >> 0xa);
				 *(_t308 + 0x30) = _t231 & _t340;
				_t276 =  *(0x8c3670b0 + _t311 * 8 - 0x78) * _t327 + (_t231 >> 0xa);
				 *(_t308 + 0x28) = _t276 & _t340;
				_t235 =  *(0x8c3670b0 + _t311 * 8 - 0x80) * _t327 + (_t276 >> 0xa);
				 *(_t308 + 0x20) = _t235 & _t340;
				_t179 =  *(0x8c3670b0 + _t311 * 8 - 0x88) * _t327 + (_t235 >> 0xa);
				_t180 = _t179 >> 0xa;
				_t199 = _t179 & _t340;
				_t281 =  *(0x8c3670b0 + _t311 * 8 - 0x90) * _t327 + _t180 & _t340;
				 *(_t308 + 0x18) = _t199;
				 *(_t308 + 0x10) = _t281;
				_t88 = _t180 - 1; // 0x9
				r14d = 1;
				_t121 = (0x66666667 * r11d >> 0x00000020 >> 0x00000002) + (0x66666667 * r11d >> 0x00000020 >> 0x00000002 >> 0x0000001f) & 0x00000007;
				r9d = r14d;
				_t117 = 0xa - r11d;
				_t128 = _t121 & r14d;
				if (__eflags == 0) goto 0x8c306092;
				_t200 =  !_t199;
				 *__r9 = (_t121 >> 0x00000001) + r14d & 0x00000003;
				_t287 = ((_t281 << 0x0000000a | _t199) >> _t88 << _t117) - _t338 & _t200;
				if (_t287 - 0 >= 0) goto 0x8c306085;
				r9d = r9d + r14d;
				if (( !( *(_t308 + 0x20)) & _t340 | _t287 << 0x0000000a) - 0 < 0) goto 0x8c306063;
				goto 0x8c3060c7;
				 *__r9 = r14d >> 1;
				_t293 = (_t338 << _t117) - _t338 & _t200;
				if (_t293 - 0 >= 0) goto 0x8c3060bf;
				r9d = r9d + r14d;
				_t295 = _t293 << 0x0000000a |  *(_t308 + 0x20);
				if (_t295 - 0 < 0) goto 0x8c3060ac;
				r11d = r11d - 0x4ffb57a2066e0;
				r11d = r11d + 0x34;
				goto 0x8c3060f3;
				r11d = r11d + r14d;
				_t296 = _t295 >> 1;
				if (_t296 - 0 >= 0) goto 0x8c3060da;
				_t242 = r11d;
				_t99 = _t242 + 0x3ff; // 0x100000000003fe
				if (_t128 == 0) goto 0x8c306127;
				 *_t308 = _t99 << 0x00000034 | _t296 & 0xffffffff | 0x00000000;
				_t100 = _t242 + 0x3ca; // 0x100000000003c9
				asm("repne inc esp");
				_t194 = _t100 << 0x34;
				 *_t308 = _t194;
				asm("movsd xmm0, [esp]");
				 *_t308 = (_t295 << 0x0000003f |  *(_t308 + 0x18 + r9d * 8) << 0x00000036 >> 0x00000001) >> 0x0000000c | _t194;
				asm("movsd xmm7, [esp]");
				asm("subsd xmm7, xmm0");
				if (_t128 == 0) goto 0x8c306167;
				asm("mulsd xmm7, [0x1c62b]");
				goto 0x8c30616f;
				asm("mulsd xmm7, [0x1c619]");
				asm("mulsd xmm7, [0x1c5f1]");
				asm("repne inc esp");
				asm("inc cx");
				asm("inc cx");
				asm("repne inc esp");
				 *_t308 =  *_t308 & 0xf8000000;
				asm("movsd xmm2, [esp]");
				asm("subsd xmm3, xmm2");
				asm("movapd xmm5, xmm2");
				asm("mulsd xmm6, [0x1c5b5]");
				asm("mulsd xmm2, [0x1c5bd]");
				asm("movapd xmm0, xmm3");
				asm("repne inc esp");
				asm("mulsd xmm5, [0x1c5a4]");
				asm("mulsd xmm0, [0x1c59c]");
				asm("mulsd xmm3, [0x1c59c]");
				asm("subsd xmm5, xmm6");
				asm("addsd xmm5, xmm0");
				asm("addsd xmm5, xmm2");
				asm("addsd xmm5, xmm3");
				asm("repne inc ecx");
				asm("movapd xmm0, xmm5");
				asm("addsd xmm0, xmm6");
				asm("subsd xmm6, xmm0");
				asm("repne inc ecx");
				asm("addsd xmm6, xmm5");
				asm("repne inc ecx");
				_t115 = E00007FF87FF88C304980(_t117,  *(_t305 + 0xeb0) ^ _t308, 0, (_t295 << 0x0000003f |  *(_t308 + 0x18 + r9d * 8) << 0x00000036 >> 0x00000001) >> 0x0000000c | _t194);
				asm("inc ecx");
				asm("inc ecx");
				asm("inc ebp");
				return _t115;
			}

0x7ff88c305d68
0x7ff88c305d6b
0x7ff88c305d76
0x7ff88c305d78
0x7ff88c305d7a
0x7ff88c305d81
0x7ff88c305d88
0x7ff88c305d8c
0x7ff88c305d90
0x7ff88c305d95
0x7ff88c305d9f
0x7ff88c305da9
0x7ff88c305db9
0x7ff88c305dc2
0x7ff88c305dd7
0x7ff88c305de3
0x7ff88c305df4
0x7ff88c305e0c
0x7ff88c305e12
0x7ff88c305e1e
0x7ff88c305e2d
0x7ff88c305e38
0x7ff88c305e47
0x7ff88c305e52
0x7ff88c305e61
0x7ff88c305e6c
0x7ff88c305e7b
0x7ff88c305e86
0x7ff88c305e95
0x7ff88c305ea0
0x7ff88c305eaf
0x7ff88c305eba
0x7ff88c305ecd
0x7ff88c305ed0
0x7ff88c305edb
0x7ff88c305eed
0x7ff88c305eff
0x7ff88c305f08
0x7ff88c305f1a
0x7ff88c305f23
0x7ff88c305f35
0x7ff88c305f3e
0x7ff88c305f50
0x7ff88c305f59
0x7ff88c305f6b
0x7ff88c305f74
0x7ff88c305f86
0x7ff88c305f8f
0x7ff88c305fa1
0x7ff88c305faa
0x7ff88c305fbc
0x7ff88c305fc5
0x7ff88c305fda
0x7ff88c305fef
0x7ff88c305ff5
0x7ff88c305ffc
0x7ff88c306004
0x7ff88c30600a
0x7ff88c30600f
0x7ff88c306018
0x7ff88c306021
0x7ff88c306031
0x7ff88c306034
0x7ff88c306037
0x7ff88c30603b
0x7ff88c30603e
0x7ff88c306042
0x7ff88c30604b
0x7ff88c306056
0x7ff88c30605c
0x7ff88c30606a
0x7ff88c306083
0x7ff88c306090
0x7ff88c306094
0x7ff88c30609f
0x7ff88c3060a5
0x7ff88c3060b4
0x7ff88c3060b7
0x7ff88c3060bd
0x7ff88c3060d1
0x7ff88c3060d4
0x7ff88c3060d8
0x7ff88c3060e0
0x7ff88c3060f0
0x7ff88c3060f6
0x7ff88c3060f8
0x7ff88c306108
0x7ff88c306118
0x7ff88c306127
0x7ff88c30612f
0x7ff88c306136
0x7ff88c30613c
0x7ff88c306140
0x7ff88c306147
0x7ff88c30614c
0x7ff88c306150
0x7ff88c306155
0x7ff88c30615b
0x7ff88c30615d
0x7ff88c306165
0x7ff88c306167
0x7ff88c30616f
0x7ff88c306177
0x7ff88c30617d
0x7ff88c306186
0x7ff88c306191
0x7ff88c30619a
0x7ff88c30619e
0x7ff88c3061a3
0x7ff88c3061a7
0x7ff88c3061ab
0x7ff88c3061b3
0x7ff88c3061bb
0x7ff88c3061bf
0x7ff88c3061c4
0x7ff88c3061cc
0x7ff88c3061d4
0x7ff88c3061dc
0x7ff88c3061e0
0x7ff88c3061e4
0x7ff88c3061e8
0x7ff88c3061ec
0x7ff88c3061f1
0x7ff88c3061f5
0x7ff88c3061f9
0x7ff88c3061fd
0x7ff88c306203
0x7ff88c306207
0x7ff88c306217
0x7ff88c306228
0x7ff88c30622d
0x7ff88c306232
0x7ff88c306245

Strings

gfff, xrefs: 00007FF88C305DDE

Memory Dump Source

Source File: 00000000.00000002.323590886.00007FF88C301000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF88C300000, based on PE: true

Associated: 00000000.00000002.323573707.00007FF88C300000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323655700.00007FF88C322000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323798879.00007FF88C367000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323812343.00007FF88C36A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323824687.00007FF88C36C000.00000010.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323839114.00007FF88C36D000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff88c300000_loaddll64.jbxd

Similarity

API ID:
String ID: gfff
API String ID: 0-1553575800
Opcode ID: 6e8754b308ad9b1f697bf15cbe2c2a4225513a31ff3c778dee9321d51807d323
Instruction ID: 0bae34e6f51734b7a9e9cfaa6b300d627ebb6e3abadb81f930594383830b32c5
Opcode Fuzzy Hash: 6e8754b308ad9b1f697bf15cbe2c2a4225513a31ff3c778dee9321d51807d323
Instruction Fuzzy Hash: 09C1C5A3B15F8546CE05CB25E855369A3A9BB55BD0F409732EE4D67B58EF3CE045C300

Uniqueness

Uniqueness Score: -1.00%

Function 000000018002C144 Relevance: 1.6, Strings: 1, Instructions: 319COMMON

Download Yara Rule

Strings

(EF4, xrefs: 000000018002C640

Memory Dump Source

Source File: 00000000.00000002.322442190.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180001000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID: (EF4
API String ID: 0-3036941264
Opcode ID: d030758ce60e971068ff74bdadf18ac8339fa3bd6f35d08c61a9e71d4c9f309d
Instruction ID: 8b5f89ef4a24fff570ae9c4094310d6232847ed88f3400130667ffe0c9cfa0ff
Opcode Fuzzy Hash: d030758ce60e971068ff74bdadf18ac8339fa3bd6f35d08c61a9e71d4c9f309d
Instruction Fuzzy Hash: C40268B5902748CFDB88CF28C68A59D7BF1FF49308F004129FC1A9A2A4D774D929CB48

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800293B4 Relevance: 1.6, Strings: 1, Instructions: 311COMMON

Download Yara Rule

Strings

#X, xrefs: 0000000180029633

Memory Dump Source

Source File: 00000000.00000002.322442190.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180001000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID: #X
API String ID: 0-1684620495
Opcode ID: c1e4ad5a732a0b02a5948bed507ed7c2c4c0a1ef3a7530e618f8ffb0e6a5abc9
Instruction ID: fef19a50ed0db9469055086572fe56d7e1246183f775c326acac8bb6deb143aa
Opcode Fuzzy Hash: c1e4ad5a732a0b02a5948bed507ed7c2c4c0a1ef3a7530e618f8ffb0e6a5abc9
Instruction Fuzzy Hash: 9DE1FE7150270CCBEB58DF28D68A69E3BE5FF58304F10412DFC5A8A2A1D774E928CB46

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF88C3179F8 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Download Yara Rule

C-Code - Quality: 30%

			E00007FF87FF88C3179F8(void* __ecx, void* __edx, long long __rbx, long long __rsi, long long __rbp, intOrPtr* __r8, intOrPtr _a8, void* _a16, void* _a24, void* _a32) {
				intOrPtr _t11;
				void* _t30;
				int _t36;
				void* _t43;

				_t30 = _t43;
				 *((long long*)(_t30 + 0x10)) = __rbx;
				 *((long long*)(_t30 + 0x18)) = __rbp;
				 *((long long*)(_t30 + 0x20)) = __rsi;
				r9d = 2;
				asm("bts ecx, 0xa");
				if (GetLocaleInfoW(_t36, ??, ??) != 0) goto 0x8c317a3c;
				goto 0x8c317a73;
				if (__ecx == _a8) goto 0x8c317a6e;
				if (__edx == 0) goto 0x8c317a6e;
				_t11 =  *((intOrPtr*)( *__r8));
				if (_t11 - 0x41 < 0) goto 0x8c317a57;
				if (_t11 - 0x5a <= 0) goto 0x8c317a5d;
				if (_t11 - 0x61 - 0x19 > 0) goto 0x8c317a61;
				goto 0x8c317a4a;
				if (1 == E00007FF87FF88C3053B0(_t11 - 0x61,  *__r8)) goto 0x8c317a38;
				return 1;
			}

0x7ff88c3179f8
0x7ff88c3179fb
0x7ff88c3179ff
0x7ff88c317a03
0x7ff88c317a1d
0x7ff88c317a23
0x7ff88c317a36
0x7ff88c317a3a
0x7ff88c317a40
0x7ff88c317a44
0x7ff88c317a4a
0x7ff88c317a51
0x7ff88c317a55
0x7ff88c317a5b
0x7ff88c317a5f
0x7ff88c317a6c
0x7ff88c317a87

APIs

GetLocaleInfoW.KERNEL32 ref: 00007FF88C317A2C

Memory Dump Source

Source File: 00000000.00000002.323590886.00007FF88C301000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF88C300000, based on PE: true

Associated: 00000000.00000002.323573707.00007FF88C300000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323655700.00007FF88C322000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323798879.00007FF88C367000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323812343.00007FF88C36A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323824687.00007FF88C36C000.00000010.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323839114.00007FF88C36D000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff88c300000_loaddll64.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: d70b47ea487775fd8fd1ebcd2a2123ab96aa4f68891ad401a68dd50162b2f140
Instruction ID: af1a23bad6359caacb4e04b5e3fef69411fa161a40d4a9d0bb358f851b490b83
Opcode Fuzzy Hash: d70b47ea487775fd8fd1ebcd2a2123ab96aa4f68891ad401a68dd50162b2f140
Instruction Fuzzy Hash: 33018832A086428AE7745A55E4516B927E0FB87BC4F5D5032FB4DD734DCE29EA43C344

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF88C317EC8 Relevance: 1.5, APIs: 1, Instructions: 46
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E00007FF87FF88C317EC8(void* __rax, intOrPtr* __rcx) {
				void* _t24;
				void* _t25;
				int _t27;
				void* _t41;

				_t41 = __rax;
				_t25 = E00007FF87FF88C3053B0(_t24,  *__rcx);
				 *(__rcx + 0x18) = 0 | _t41 == 0x00000003;
				E00007FF87FF88C3053B0(_t25,  *((intOrPtr*)(__rcx + 8)));
				 *(__rcx + 0x20) =  *(__rcx + 0x20) & 0x00000000;
				 *(__rcx + 0x1c) = 0 | _t41 == 0x00000003;
				if ( *(__rcx + 0x18) == 0) goto 0x8c317f40;
				 *((intOrPtr*)(__rcx + 0x14)) = 2;
				_t27 = EnumSystemLocalesA(??, ??);
				if (( *(__rcx + 0x10) & 0x00000100) == 0) goto 0x8c317f36;
				if (( *(__rcx + 0x10) & 0x00000200) == 0) goto 0x8c317f36;
				if (( *(__rcx + 0x10) & 0x00000007) != 0) goto 0x8c317f3a;
				 *(__rcx + 0x10) =  *(__rcx + 0x10) & 0x00000000;
				return _t27;
			}

0x7ff88c317ec8
0x7ff88c317ed4
0x7ff88c317ee6
0x7ff88c317ee9
0x7ff88c317ef7
0x7ff88c317eff
0x7ff88c317f02
0x7ff88c317f09
0x7ff88c317f18
0x7ff88c317f25
0x7ff88c317f2e
0x7ff88c317f34
0x7ff88c317f36
0x7ff88c317f3f

APIs

EnumSystemLocalesA.KERNEL32 ref: 00007FF88C317F18

Memory Dump Source

Source File: 00000000.00000002.323590886.00007FF88C301000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF88C300000, based on PE: true

Associated: 00000000.00000002.323573707.00007FF88C300000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323655700.00007FF88C322000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323798879.00007FF88C367000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323812343.00007FF88C36A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323824687.00007FF88C36C000.00000010.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323839114.00007FF88C36D000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff88c300000_loaddll64.jbxd

Similarity

API ID: EnumLocalesSystem
String ID:
API String ID: 2099609381-0
Opcode ID: 471cc843b4037bc3d9107caf78c3520e798c42812e0debc17b57e4e5d15a5263
Instruction ID: e9375ec7090980460736433f6d62bc1792da2d8cfac6d5b33fdd519bb43343eb
Opcode Fuzzy Hash: 471cc843b4037bc3d9107caf78c3520e798c42812e0debc17b57e4e5d15a5263
Instruction Fuzzy Hash: DB118272A086068BFB198B31C4597BB3391FB56B89F184436E60D822CDCFBCD596C780

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF88C317F60 Relevance: 1.5, APIs: 1, Instructions: 35
COMMON

Download Yara Rule

C-Code - Quality: 37%

			E00007FF87FF88C317F60(void* __rax, intOrPtr* __rcx) {
				void* _t11;
				int _t13;
				signed int _t15;
				void* _t22;

				_t22 = __rax;
				E00007FF87FF88C3053B0(_t11,  *__rcx);
				_t15 = 0 | _t22 == 0x00000003;
				 *(__rcx + 0x18) = _t15;
				if (_t15 == 0) goto 0x8c317fab;
				 *((intOrPtr*)(__rcx + 0x14)) = 2;
				_t13 = EnumSystemLocalesA(??, ??);
				if (( *(__rcx + 0x10) & 0x00000004) != 0) goto 0x8c317fa5;
				 *(__rcx + 0x10) =  *(__rcx + 0x10) & 0x00000000;
				return _t13;
			}

0x7ff88c317f60
0x7ff88c317f6c
0x7ff88c317f77
0x7ff88c317f7a
0x7ff88c317f7f
0x7ff88c317f86
0x7ff88c317f95
0x7ff88c317f9f
0x7ff88c317fa1
0x7ff88c317faa

APIs

EnumSystemLocalesA.KERNEL32 ref: 00007FF88C317F95

Memory Dump Source

Source File: 00000000.00000002.323590886.00007FF88C301000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF88C300000, based on PE: true

Associated: 00000000.00000002.323573707.00007FF88C300000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323655700.00007FF88C322000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323798879.00007FF88C367000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323812343.00007FF88C36A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323824687.00007FF88C36C000.00000010.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323839114.00007FF88C36D000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff88c300000_loaddll64.jbxd

Similarity

API ID: EnumLocalesSystem
String ID:
API String ID: 2099609381-0
Opcode ID: 79f756618921ec9bbb1f45445aab9d59cf9f059d4e44cede83f7a7bf555376e6
Instruction ID: de698c083a594439ccd600513723728bfbca286f873a3371c05d38e8ed03ea4e
Opcode Fuzzy Hash: 79f756618921ec9bbb1f45445aab9d59cf9f059d4e44cede83f7a7bf555376e6
Instruction Fuzzy Hash: C1F08162E0850A4FF7198B21C4557B62391BB96B85F1C8036D60D822CACE6DD596C344

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF88C317E88 Relevance: 1.5, APIs: 1, Instructions: 18
COMMON

Download Yara Rule

C-Code - Quality: 37%

			E00007FF87FF88C317E88(void* __rax, void* __rcx) {
				void* _t11;
				int _t13;
				void* _t20;

				_t20 = __rax;
				E00007FF87FF88C3053B0(_t11,  *((intOrPtr*)(__rcx + 8)));
				 *(__rcx + 0x1c) = 0 | _t20 == 0x00000003;
				_t13 = EnumSystemLocalesA(??, ??);
				if (( *(__rcx + 0x10) & 0x00000004) != 0) goto 0x8c317ec2;
				 *(__rcx + 0x10) =  *(__rcx + 0x10) & 0x00000000;
				return _t13;
			}

0x7ff88c317e88
0x7ff88c317e95
0x7ff88c317eaa
0x7ff88c317eb2
0x7ff88c317ebc
0x7ff88c317ebe
0x7ff88c317ec7

APIs

EnumSystemLocalesA.KERNEL32 ref: 00007FF88C317EB2

Memory Dump Source

Source File: 00000000.00000002.323590886.00007FF88C301000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF88C300000, based on PE: true

Associated: 00000000.00000002.323573707.00007FF88C300000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323655700.00007FF88C322000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323798879.00007FF88C367000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323812343.00007FF88C36A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323824687.00007FF88C36C000.00000010.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323839114.00007FF88C36D000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff88c300000_loaddll64.jbxd

Similarity

API ID: EnumLocalesSystem
String ID:
API String ID: 2099609381-0
Opcode ID: b28db194df395bffae68cc6a1e738accf7ef328d5622b04674ba9b50cc763b50
Instruction ID: 4b4fca6419a4388b735cad74f617f839bee02fa438743a29489482db775103f8
Opcode Fuzzy Hash: b28db194df395bffae68cc6a1e738accf7ef328d5622b04674ba9b50cc763b50
Instruction Fuzzy Hash: DEE0DFA3F0820443EB098B21D8407642290FB95B49F088031DA1C412D9CBBCC597C700

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180023E9C Relevance: 1.5, Strings: 1, Instructions: 261COMMON

Download Yara Rule

Strings

;0xG, xrefs: 0000000180024188

Memory Dump Source

Source File: 00000000.00000002.322442190.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180001000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID: ;0xG
API String ID: 0-760963809
Opcode ID: 2ac6aef73004f145c9832d09e3489353ee51daebb3c9bbce0e583765372a3508
Instruction ID: e1ce0d046311d09060dabb304b72a3b603daa738e67fdfa472c4c11d7b7ed73b
Opcode Fuzzy Hash: 2ac6aef73004f145c9832d09e3489353ee51daebb3c9bbce0e583765372a3508
Instruction Fuzzy Hash: 8EC1E470D047588BDB68DFB8C98A59DBBF1FB58308F20421DE816AB2A2DB749945CF40

Uniqueness

Uniqueness Score: -1.00%

Function 000000018002BA3C Relevance: 1.5, Strings: 1, Instructions: 259COMMON

Download Yara Rule

Strings

#BQ, xrefs: 000000018002BDBE

Memory Dump Source

Source File: 00000000.00000002.322442190.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180001000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID: #BQ
API String ID: 0-3480728874
Opcode ID: ec69ecc2c3011c286e8f83292b208dc01f079ea9ee5e21749ca29fc9a84d9ebb
Instruction ID: 4bd203b3754685935ea88d17ca58c286c0398b84f00ad44a0aac603c9aa4d465
Opcode Fuzzy Hash: ec69ecc2c3011c286e8f83292b208dc01f079ea9ee5e21749ca29fc9a84d9ebb
Instruction Fuzzy Hash: 7CC1487190060D8FDB59DFA8C48A6DEBFB1FF54344F108129E806AB294C7749A9ACFC1

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000D1CC Relevance: 1.5, Strings: 1, Instructions: 257COMMON

Download Yara Rule

Strings

r[+, xrefs: 000000018000D3F8

Memory Dump Source

Source File: 00000000.00000002.322442190.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180001000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID: r[+
API String ID: 0-86127173
Opcode ID: 552607c096838cf115fd81e4e776186d890cbc1676763cf46e7b8b005de89252
Instruction ID: 0d7e3af77b8b752942e86a438abd9f326c11496982b6e8965f69b2f7eba2be57
Opcode Fuzzy Hash: 552607c096838cf115fd81e4e776186d890cbc1676763cf46e7b8b005de89252
Instruction Fuzzy Hash: C9C117715047898BEBB9CE28C8867D93BA0FB55344F90C51DE88ECF391DF749A898B41

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800191E0 Relevance: 1.5, Strings: 1, Instructions: 229COMMON

Download Yara Rule

Strings

y$P2, xrefs: 00000001800194AF

Memory Dump Source

Source File: 00000000.00000002.322442190.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180001000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID: y$P2
API String ID: 0-2052838114
Opcode ID: d3fba8c71ba653b337be21bfc5c821221b7847ff7f4f4145c71630cbd7702008
Instruction ID: af04be29cfbb26f8734603d57978402f182defc2485c97293f597167a387eff1
Opcode Fuzzy Hash: d3fba8c71ba653b337be21bfc5c821221b7847ff7f4f4145c71630cbd7702008
Instruction Fuzzy Hash: A1C169B1A047098FDF88DF68C59A59E7BB9BB55308F004129FC0E9A290E775F919CB42

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800094BC Relevance: 1.5, Strings: 1, Instructions: 218COMMON

Download Yara Rule

Strings

WJG, xrefs: 00000001800096EB

Memory Dump Source

Source File: 00000000.00000002.322442190.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180001000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID: WJG
API String ID: 0-3237630811
Opcode ID: 9d6c801bdc1b237faa773838eee8f0beff03794f3b8bf96e4e9610ac38792612
Instruction ID: 891d7379a6736ad59a15f2bd9ca0e0e7aa9bc69e8541a48b63682a1a39ca707a
Opcode Fuzzy Hash: 9d6c801bdc1b237faa773838eee8f0beff03794f3b8bf96e4e9610ac38792612
Instruction Fuzzy Hash: 9CC155B590070DCFDB58CF68C08A99E7BB9FB55708F404129FC0E9A2A4D7B4E518CB56

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000ABDC Relevance: 1.5, Strings: 1, Instructions: 201COMMON

Download Yara Rule

Strings

, O6, xrefs: 000000018000AEBC

Memory Dump Source

Source File: 00000000.00000002.322442190.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180001000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID: , O6
API String ID: 0-1270239017
Opcode ID: 1aa911f5b7b95dd106d68ec324b05e9f4d445a39aeb37152fbab4812de8cd21e
Instruction ID: 3c4be7746686757421e7955503ac86f474c7edc4d3d79d8dc77912d08fa14a1d
Opcode Fuzzy Hash: 1aa911f5b7b95dd106d68ec324b05e9f4d445a39aeb37152fbab4812de8cd21e
Instruction Fuzzy Hash: C5A11A71E0878C8BEB59CFE8C44ABDEBBF2EB15348F404129D506BA298D7B48519CB45

Uniqueness

Uniqueness Score: -1.00%

Function 000000018001F388 Relevance: 1.4, Strings: 1, Instructions: 183COMMON

Download Yara Rule

Strings

84Rx, xrefs: 000000018001F554

Memory Dump Source

Source File: 00000000.00000002.322442190.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180001000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID: 84Rx
API String ID: 0-3790243014
Opcode ID: 05f828dc8d583a7cb4dfceb09e169c9743c4d84338123e06152ee941db349f64
Instruction ID: 5d9026638de9e31bc9841207fea4698c37f6cb1d122bda01837218ac41b9dba7
Opcode Fuzzy Hash: 05f828dc8d583a7cb4dfceb09e169c9743c4d84338123e06152ee941db349f64
Instruction Fuzzy Hash: 26811571908B08EFDB58DF28C089A9D7BE1FB58304F40C16EE85ADB294DB74DA49CB45

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000C788 Relevance: 1.4, Strings: 1, Instructions: 177COMMON

Download Yara Rule

Strings

,MT5, xrefs: 000000018000C88D

Memory Dump Source

Source File: 00000000.00000002.322442190.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180001000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID: ,MT5
API String ID: 0-998673786
Opcode ID: 054bca4c7d4db6ffa480f83350d3550c28c23d9a57c29e9f915b334c989a3521
Instruction ID: 0c0f437e0ff8ec548d1b83d7fce4e839fa7e820a53018cca1ea92611ff89abb2
Opcode Fuzzy Hash: 054bca4c7d4db6ffa480f83350d3550c28c23d9a57c29e9f915b334c989a3521
Instruction Fuzzy Hash: FEA179B590274DDBDB98DF28C68A58D7BF1FF59304F004029FC5A9A2A0E3B4D529CB49

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800299A4 Relevance: 1.4, Strings: 1, Instructions: 168COMMON

Download Yara Rule

Strings

#, xrefs: 0000000180029A1B

Memory Dump Source

Source File: 00000000.00000002.322442190.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180001000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID: #
API String ID: 0-2259475770
Opcode ID: 4fab1216560e636846c4e0077fb0153bc3122cc5dd91fdf1c3791336c7a236b5
Instruction ID: f014af94a3d87d64c150a3a738861456c5900205c36fce6610c3e49e2845f8e4
Opcode Fuzzy Hash: 4fab1216560e636846c4e0077fb0153bc3122cc5dd91fdf1c3791336c7a236b5
Instruction Fuzzy Hash: CD51AA309146098BEF89DF68D4863E97BB1FB48390F60911DF842E7291DB38D886CBC1

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180015344 Relevance: 1.4, Strings: 1, Instructions: 153COMMON

Download Yara Rule

Strings

W), xrefs: 00000001800153F3

Memory Dump Source

Source File: 00000000.00000002.322442190.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180001000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID: W)
API String ID: 0-4136714496
Opcode ID: aa58a1d29eb591927417709c5ff6981b383c0183172096cfb276ed068bf31a1b
Instruction ID: 7046a0e034b52ac37a1b8491b86b07f5ec2b18bde789a8abaaf0a2f9c7a84f06
Opcode Fuzzy Hash: aa58a1d29eb591927417709c5ff6981b383c0183172096cfb276ed068bf31a1b
Instruction Fuzzy Hash: B1514A71514B8E8BDB59CF18D84579A3BE0FB54345F104A2DF8A6C7295DBB0CA2ACB80

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180010330 Relevance: 1.4, Strings: 1, Instructions: 144COMMON

Download Yara Rule

Strings

]H,4, xrefs: 000000018001052E

Memory Dump Source

Source File: 00000000.00000002.322442190.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180001000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID: ]H,4
API String ID: 0-2117028608
Opcode ID: edc2f691050df4596d563631735a3ebf903215a1b182d29dca97e8b961dbfc2b
Instruction ID: a4000fa144d7654680c025209b591c7ed87c6842f21b7a4690e5a63011254de6
Opcode Fuzzy Hash: edc2f691050df4596d563631735a3ebf903215a1b182d29dca97e8b961dbfc2b
Instruction Fuzzy Hash: 9C61C87154878CCBEBBADE28C8997D937B1FB48344F90821DD85E8E290DB74574ACB41

Uniqueness

Uniqueness Score: -1.00%

Function 000000018001EEE0 Relevance: 1.4, Strings: 1, Instructions: 136COMMON

Download Yara Rule

Strings

=i, xrefs: 000000018001EF43

Memory Dump Source

Source File: 00000000.00000002.322442190.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180001000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID: =i
API String ID: 0-2257234515
Opcode ID: ec1b152295a7fe302f8d34dc8a196b0ac00e16f654829f9babee527285ab370e
Instruction ID: b2866ee7f69725311540b76dd5608a0f6ee0b10b6433d698f80210b395c18649
Opcode Fuzzy Hash: ec1b152295a7fe302f8d34dc8a196b0ac00e16f654829f9babee527285ab370e
Instruction Fuzzy Hash: 05718EB190074E8FDB49CF68D88A4DE7FB0FB68398F204119F856A6250D3B496A4CFD5

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180026098 Relevance: 1.4, Strings: 1, Instructions: 125COMMON

Download Yara Rule

Strings

.G, xrefs: 00000001800261EC

Memory Dump Source

Source File: 00000000.00000002.322442190.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180001000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID: .G
API String ID: 0-218996393
Opcode ID: d7d879f287b0a9261b25502e2af63799bd74a524d91ce029b3aff8a94adfe669
Instruction ID: 0cc7e45cd08ef152d1e265dbc3d05f5a0dbfa635a64f4929b61d99de85e64566
Opcode Fuzzy Hash: d7d879f287b0a9261b25502e2af63799bd74a524d91ce029b3aff8a94adfe669
Instruction Fuzzy Hash: 7551F4705006888BDB49DF28CD866DD7BE0FB4C34DF128319F88AA6265D77C9909CB49

Uniqueness

Uniqueness Score: -1.00%

Function 000000018001A470 Relevance: 1.4, Strings: 1, Instructions: 124COMMON

Download Yara Rule

Strings

e{W, xrefs: 000000018001A549

Memory Dump Source

Source File: 00000000.00000002.322442190.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180001000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID: e{W
API String ID: 0-4062984353
Opcode ID: d86e3ed5d33b91fb2f35fcfa748914f527afa3803bf7698958360a6d31994bea
Instruction ID: ade444b95570d3d7f89f0b1b0cefea3937e05147eb3c1450965c96d4acf29a62
Opcode Fuzzy Hash: d86e3ed5d33b91fb2f35fcfa748914f527afa3803bf7698958360a6d31994bea
Instruction Fuzzy Hash: B961B5B190078A8FDF98DF68C8494DE7BB0FF18358F104A19E865A6250D3B8D665CF94

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000E310 Relevance: 1.4, Strings: 1, Instructions: 123COMMON

Download Yara Rule

Strings

)ceS, xrefs: 000000018000E434

Memory Dump Source

Source File: 00000000.00000002.322442190.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180001000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID: )ceS
API String ID: 0-1544017277
Opcode ID: 56e9a884abbcd7d48d5070ab7709f921dabee0fd494d5f91ad116a0a9e01e1fb
Instruction ID: db4328d043d7ce9183d1f4de1c8254b0628263dcb251aebb3facae7a7ecf6164
Opcode Fuzzy Hash: 56e9a884abbcd7d48d5070ab7709f921dabee0fd494d5f91ad116a0a9e01e1fb
Instruction Fuzzy Hash: 0551B2B090034A8FCB48CF68D4865DE7FB0FB68398F10461DF816AA250D77496A5CFD5

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF88C3115B0 Relevance: 1.4, Strings: 1, Instructions: 121
COMMONCrypto

Download Yara Rule

C-Code - Quality: 91%

			E00007FF87FF88C3115B0(void* __ecx, long long __rbx, char* __rcx, char* __rdx, long long __rdi, long long __rsi, void* __r8) {
				void* _t27;
				char _t30;
				signed int _t34;
				intOrPtr* _t73;
				long long _t91;
				intOrPtr* _t93;
				void* _t94;
				void* _t101;

				_t84 = __rdx;
				_t73 = _t93;
				 *((long long*)(_t73 + 8)) = __rbx;
				 *((long long*)(_t73 + 0x10)) = _t91;
				 *((long long*)(_t73 + 0x18)) = __rsi;
				 *((long long*)(_t73 + 0x20)) = __rdi;
				_t94 = _t93 - 0x30;
				r8d = 0x90;
				E00007FF87FF88C3056D0(_t27, __ecx, 0, __rcx, __rdx, __r8);
				if ( *__rdx != 0) goto 0x8c3115e8;
				goto 0x8c311745;
				if ( *__rdx != 0x2e) goto 0x8c31162e;
				if ( *((char*)(__rdx + 1)) == 0) goto 0x8c31162e;
				_t7 = _t84 - 1; // 0xf
				r9d = _t7;
				_t30 = E00007FF87FF88C317670(_t73, __rcx + 0x80, __rdx, __rdx + 1, _t101);
				if (_t30 != 0) goto 0x8c311618;
				 *((char*)(__rcx + 0x8f)) = _t30;
				goto 0x8c3115e1;
				 *(_t94 + 0x20) =  *(_t94 + 0x20) & 0x00000000;
				r9d = 0;
				r8d = 0;
				E00007FF87FF88C30938C();
				asm("int3");
				E00007FF87FF88C3175DC(0, __rdx, 0x8c3246a0, __rdx + 1, _t101);
				if (_t73 == 0) goto 0x8c311742;
				dil =  *((intOrPtr*)(_t73 + __rdx));
				if (0 != 0) goto 0x8c311697;
				if (_t73 - 0x40 >= 0) goto 0x8c311742;
				if (dil == 0x2e) goto 0x8c311742;
				if (E00007FF87FF88C317670(_t73, __rcx, 0x8c3246a0, __rdx, _t73) == 0) goto 0x8c31170d;
				 *(_t94 + 0x20) =  *(_t94 + 0x20) & 0x00000000;
				r9d = 0;
				r8d = 0;
				E00007FF87FF88C30938C();
				asm("int3");
				if (0 != 1) goto 0x8c3116dc;
				if (_t73 - 0x40 >= 0) goto 0x8c311742;
				if (dil == 0x5f) goto 0x8c311742;
				if (E00007FF87FF88C317670(_t73, __rcx + 0x40, 0x8c3246a0, __rdx, _t73) == 0) goto 0x8c31170d;
				 *(_t94 + 0x20) =  *(_t94 + 0x20) & 0x00000000;
				r9d = 0;
				r8d = 0;
				E00007FF87FF88C30938C();
				asm("int3");
				if (0 != 2) goto 0x8c311742;
				if (_t73 - 0x10 >= 0) goto 0x8c311742;
				if (dil == 0) goto 0x8c3116f2;
				if (dil != 0x2c) goto 0x8c311742;
				_t34 = E00007FF87FF88C317670(_t73, __rcx + 0x80, 0x8c3246a0, __rdx, _t73);
				if (_t34 != 0) goto 0x8c31172c;
				if (dil == 0x2c) goto 0x8c3115e1;
				if (dil == 0) goto 0x8c3115e1;
				goto 0x8c311630;
				 *(_t94 + 0x20) =  *(_t94 + 0x20) & 0x00000000;
				r9d = 0;
				r8d = 0;
				E00007FF87FF88C30938C();
				asm("int3");
				return _t34 | 0xffffffff;
			}

0x7ff88c3115b0
0x7ff88c3115b0
0x7ff88c3115b3
0x7ff88c3115b7
0x7ff88c3115bb
0x7ff88c3115bf
0x7ff88c3115c5
0x7ff88c3115cc
0x7ff88c3115d7
0x7ff88c3115df
0x7ff88c3115e3
0x7ff88c3115eb
0x7ff88c3115f5
0x7ff88c311603
0x7ff88c311603
0x7ff88c311607
0x7ff88c31160e
0x7ff88c311610
0x7ff88c311616
0x7ff88c311618
0x7ff88c31161e
0x7ff88c311621
0x7ff88c311628
0x7ff88c31162d
0x7ff88c31163a
0x7ff88c311642
0x7ff88c31164c
0x7ff88c311652
0x7ff88c311658
0x7ff88c311662
0x7ff88c31167b
0x7ff88c311681
0x7ff88c311687
0x7ff88c31168a
0x7ff88c311691
0x7ff88c311696
0x7ff88c31169a
0x7ff88c3116a0
0x7ff88c3116aa
0x7ff88c3116c4
0x7ff88c3116c6
0x7ff88c3116cc
0x7ff88c3116cf
0x7ff88c3116d6
0x7ff88c3116db
0x7ff88c3116df
0x7ff88c3116e5
0x7ff88c3116ea
0x7ff88c3116f0
0x7ff88c311704
0x7ff88c31170b
0x7ff88c311711
0x7ff88c31171a
0x7ff88c311727
0x7ff88c31172c
0x7ff88c311732
0x7ff88c311735
0x7ff88c31173c
0x7ff88c311741
0x7ff88c31175f

Strings

_.,, xrefs: 00007FF88C311630

Memory Dump Source

Source File: 00000000.00000002.323590886.00007FF88C301000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF88C300000, based on PE: true

Associated: 00000000.00000002.323573707.00007FF88C300000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323655700.00007FF88C322000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323798879.00007FF88C367000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323812343.00007FF88C36A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323824687.00007FF88C36C000.00000010.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323839114.00007FF88C36D000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff88c300000_loaddll64.jbxd

Similarity

API ID: CurrentProcess
String ID: _.,
API String ID: 2050909247-2709443920
Opcode ID: d4ba83de0e29a6ce361679c48265e188c18c8996d356c85632479586fba6144a
Instruction ID: fef641601b965a7ffe4f514e5924eca20fdcdacdab938fb3801544f8864d8ebb
Opcode Fuzzy Hash: d4ba83de0e29a6ce361679c48265e188c18c8996d356c85632479586fba6144a
Instruction Fuzzy Hash: 5941B422E087824EFB758A61D415FFA7691BB877C4F484436EE8D82AC9DF2DE442C700

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180013DBC Relevance: 1.4, Strings: 1, Instructions: 114COMMON

Download Yara Rule

Strings

:&@a, xrefs: 0000000180013ED4

Memory Dump Source

Source File: 00000000.00000002.322442190.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180001000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID: :&@a
API String ID: 0-1222566720
Opcode ID: ef56b835c1ac4e0f565372fe5218a42215f4a7ac1fc0ee983be682905883d724
Instruction ID: dca83b27cd108ad56cb5c8e9dd3496707112838bcc42d0e40cff073e0d9fad2e
Opcode Fuzzy Hash: ef56b835c1ac4e0f565372fe5218a42215f4a7ac1fc0ee983be682905883d724
Instruction Fuzzy Hash: 1E51E9B190038E8FDF48CF68C8865DE7BB1FB58318F11461DF866A6290D7B89664CF85

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180011F30 Relevance: 1.4, Strings: 1, Instructions: 110COMMON

Download Yara Rule

Strings

9f5N, xrefs: 00000001800120C8

Memory Dump Source

Source File: 00000000.00000002.322442190.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180001000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID: 9f5N
API String ID: 0-3546837380
Opcode ID: 2d6bbebbf1fffb99614440976ac829ccc1d63a212d4338abcb42fa4d6e83890b
Instruction ID: d7fe8c1a37bf7d93f42541ec35eb2d9279b795251d56db1e3052a43da40964b0
Opcode Fuzzy Hash: 2d6bbebbf1fffb99614440976ac829ccc1d63a212d4338abcb42fa4d6e83890b
Instruction Fuzzy Hash: 7351B4B190038ECFDF48CF64C98A4DE7FB1FB48358F514A19E865AA250D3B89664CF85

Uniqueness

Uniqueness Score: -1.00%

Function 000000018001F624 Relevance: 1.4, Strings: 1, Instructions: 106COMMON

Download Yara Rule

Strings

@tn, xrefs: 000000018001F73F

Memory Dump Source

Source File: 00000000.00000002.322442190.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180001000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID: @tn
API String ID: 0-486704939
Opcode ID: 3c7a22537a38b63f7d8a4caf5fc308f545bf2d81324b7bf7ffc0dcbf14c8ceb0
Instruction ID: 1ad08388cb2090aea4793fe9f1d77af1efd936fc687c4d5d49db90a3eff6790a
Opcode Fuzzy Hash: 3c7a22537a38b63f7d8a4caf5fc308f545bf2d81324b7bf7ffc0dcbf14c8ceb0
Instruction Fuzzy Hash: 7151AFB090034ECFDB49CF68D48A5DE7FB0FB28798F205619E816A6250D37496A8CFD5

Uniqueness

Uniqueness Score: -1.00%

Function 000000018001B670 Relevance: 1.4, Strings: 1, Instructions: 106COMMON

Download Yara Rule

Strings

%5, xrefs: 000000018001B692

Memory Dump Source

Source File: 00000000.00000002.322442190.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180001000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID: %5
API String ID: 0-4288218683
Opcode ID: e19f81e7731bf8f55acd48642bb7f84a1c679841a035f48cc6e26b3b4c1e9c09
Instruction ID: 171d4cf5f209aac3d30eec7e712f16342b1e6532b50d04c19f0157b94c604ffa
Opcode Fuzzy Hash: e19f81e7731bf8f55acd48642bb7f84a1c679841a035f48cc6e26b3b4c1e9c09
Instruction Fuzzy Hash: 8D315770619B449BD788DF28D49962BBBE0FBD8354F805A2DF486C73A4C7B4D844CB42

Uniqueness

Uniqueness Score: -1.00%

Function 000000018002A43C Relevance: 1.4, Strings: 1, Instructions: 104COMMON

Download Yara Rule

Strings

1@, xrefs: 000000018002A59A

Memory Dump Source

Source File: 00000000.00000002.322442190.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180001000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID: 1@
API String ID: 0-4049097949
Opcode ID: b0dcbee87ea97880fe62916228da27271ec4ec0a6590d100feca8ba74251f583
Instruction ID: 564d36d4ae3bf85f0f9b495a4212e59b0a735af734936f678ad91dad6dec08ae
Opcode Fuzzy Hash: b0dcbee87ea97880fe62916228da27271ec4ec0a6590d100feca8ba74251f583
Instruction Fuzzy Hash: 1951E5B090074E8FCB48DF64C88A5DEBFF0FB58358F105A1DE825A6260D3B89664CF95

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180021B10 Relevance: 1.4, Strings: 1, Instructions: 102COMMON

Download Yara Rule

Strings

{/, xrefs: 0000000180021BC1

Memory Dump Source

Source File: 00000000.00000002.322442190.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180001000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID: {/
API String ID: 0-179448227
Opcode ID: f425cea6d577d2550e9093a617ff984dc38a375202500c18f500f06871d85014
Instruction ID: 9193d036ecfcbd9fbd2dc66581ad9ead9cbe9977bd339fe7c8868008dfc03d32
Opcode Fuzzy Hash: f425cea6d577d2550e9093a617ff984dc38a375202500c18f500f06871d85014
Instruction Fuzzy Hash: 9351B3B190038E8BDF48CF68C88A5DE7FB0FB58358F11461DE866A6250D3B89665CFC5

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180003800 Relevance: 1.3, Strings: 1, Instructions: 95COMMON

Download Yara Rule

Strings

E{, xrefs: 0000000180003886

Memory Dump Source

Source File: 00000000.00000002.322442190.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180001000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID: E{
API String ID: 0-184549643
Opcode ID: c84fec003f3615db82e712a9f30eb593275e25114ef0862840c409ef5fec6f13
Instruction ID: 7216f9f5fa68ff11c39a81af28dda8205ef160c074595fba5378e339776bff02
Opcode Fuzzy Hash: c84fec003f3615db82e712a9f30eb593275e25114ef0862840c409ef5fec6f13
Instruction Fuzzy Hash: 9A41D7B090038E8FDB48DF68C98A5DE7BB0FB58358F104A1DF865A7290D7B49664CF94

Uniqueness

Uniqueness Score: -1.00%

Function 000000018001B4CC Relevance: 1.3, Strings: 1, Instructions: 93COMMON

Download Yara Rule

Strings

xw, xrefs: 000000018001B610

Memory Dump Source

Source File: 00000000.00000002.322442190.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180001000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID: xw
API String ID: 0-1750992286
Opcode ID: 91b8c8d5e853583d3d1a4b143dba9b680e3fdd6e0d47eec3f1e6f3b81338a568
Instruction ID: 69de6bf323214bd62a7bb9aa21d760b3734cee2d320dc8eeae92c3d9eb18c048
Opcode Fuzzy Hash: 91b8c8d5e853583d3d1a4b143dba9b680e3fdd6e0d47eec3f1e6f3b81338a568
Instruction Fuzzy Hash: 94414C7050074E8BEF58DF24D88A6DA3FA0FB58398F11461DFC5996290C3B8D6A4CBC5

Uniqueness

Uniqueness Score: -1.00%

Function 000000018001BE70 Relevance: 1.3, Strings: 1, Instructions: 92COMMON

Download Yara Rule

Strings

Nn.W, xrefs: 000000018001BF2B

Memory Dump Source

Source File: 00000000.00000002.322442190.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180001000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID: Nn.W
API String ID: 0-3872316227
Opcode ID: b5c4fa6daf60d1671f16cc53c8ab824c55c17c66ee48abc462351e50a169873d
Instruction ID: dc0e48a23cb7ee8f93eb512a2fa3fc80c6e41eff836c457cd4608e988600616e
Opcode Fuzzy Hash: b5c4fa6daf60d1671f16cc53c8ab824c55c17c66ee48abc462351e50a169873d
Instruction Fuzzy Hash: 7551C2B181038ECFDB48CFA4C88A5CE7BB0FF18358F104A19E865A6264D3B49665CF85

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800167C4 Relevance: 1.3, Strings: 1, Instructions: 87COMMON

Download Yara Rule

Strings

, xrefs: 000000018001680F

Memory Dump Source

Source File: 00000000.00000002.322442190.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180001000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID: 0-2867612384
Opcode ID: 5b717d18ba60d9c75cf0431fe07eafca68898ff4c6d75803cf7f01b673b45413
Instruction ID: 0021e0fee05d7ab9d294f559ae10260a833c8ca285717dcefd08abab0448beef
Opcode Fuzzy Hash: 5b717d18ba60d9c75cf0431fe07eafca68898ff4c6d75803cf7f01b673b45413
Instruction Fuzzy Hash: 8441E1B190074A8FCF49CF68C48A5EE7FB0FB58358F10461DE85AA6290D3B89694CFC5

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180003310 Relevance: 1.3, Strings: 1, Instructions: 85COMMON

Download Yara Rule

Strings

(, xrefs: 0000000180003392

Memory Dump Source

Source File: 00000000.00000002.322442190.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180001000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID: (
API String ID: 0-3887548279
Opcode ID: ca8f72f29fcf747e54bb8de48d0f204d7c792f82ef911c9dd40d775a8ce8755f
Instruction ID: 533401c9c5252423168e53d1919849599028f9b5305fd6d15dc619656584330d
Opcode Fuzzy Hash: ca8f72f29fcf747e54bb8de48d0f204d7c792f82ef911c9dd40d775a8ce8755f
Instruction Fuzzy Hash: 10315B705097049FE3D9CF19C18972ABAE1FB88744F80992DF485DB3A0CB79D948CB02

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180003CD8 Relevance: 1.3, Strings: 1, Instructions: 83COMMON

Download Yara Rule

Strings

*, xrefs: 0000000180003D8A

Memory Dump Source

Source File: 00000000.00000002.322442190.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180001000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID: *
API String ID: 0-3951701628
Opcode ID: dba3190842208ea0f9d7716eaba2b362d887f1657f173cf3b900ec165af27631
Instruction ID: 960ceefefab9737365ba16b8c95702dec69b411f57dfdd255b94d04c422ec242
Opcode Fuzzy Hash: dba3190842208ea0f9d7716eaba2b362d887f1657f173cf3b900ec165af27631
Instruction Fuzzy Hash: A041B1B090074A8BDF48CF64C48A5EE7FB0FB58398F504619E856A6290D3B896A5CFC5

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180018698 Relevance: 1.3, Strings: 1, Instructions: 83COMMON

Download Yara Rule

Strings

}^, xrefs: 000000018001873A

Memory Dump Source

Source File: 00000000.00000002.322442190.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180001000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID: }^
API String ID: 0-1469802935
Opcode ID: 914a3f71b8c960fc7552931713e6e4203ade46d5e10d6b98f1cf6f38eefb5a81
Instruction ID: 205a07136b3df52e6849c72addd42ae462c7a889fd8c6357997c34b93d1030d5
Opcode Fuzzy Hash: 914a3f71b8c960fc7552931713e6e4203ade46d5e10d6b98f1cf6f38eefb5a81
Instruction Fuzzy Hash: DF41D7B190034E8FDB44CF68C8864CE7FB0FF28398F214609E855A6260D7B896A5CFD5

Uniqueness

Uniqueness Score: -1.00%

Function 000000018001FDC0 Relevance: 1.3, Strings: 1, Instructions: 82COMMON

Download Yara Rule

Strings

]p, xrefs: 000000018001FEEF

Memory Dump Source

Source File: 00000000.00000002.322442190.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180001000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID: ]p
API String ID: 0-516505818
Opcode ID: a998b0c13b7dc478d418a24d321567b15ee48922d17bb3810592d0e5bb1ad7d1
Instruction ID: 931c66f535a299917143666a581b343279f23c4536418fb3d7e10e5e5ff67911
Opcode Fuzzy Hash: a998b0c13b7dc478d418a24d321567b15ee48922d17bb3810592d0e5bb1ad7d1
Instruction Fuzzy Hash: 55419DB1D0071E8BDF88DFA9C88A5EEBBB1FB58708F008219D511B6290C378564ACF95

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180001FE8 Relevance: 1.3, Strings: 1, Instructions: 79COMMON

Download Yara Rule

Strings

/*, xrefs: 0000000180002080

Memory Dump Source

Source File: 00000000.00000002.322442190.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180001000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID: /*
API String ID: 0-2290017092
Opcode ID: a0d690a9e8e4b56653d5edd2257bb541ac33038840f1916700257e3302b896e6
Instruction ID: 439259a45eee3d69469051f7f04d9dd32eb749afa30bce0d9922454acc75758b
Opcode Fuzzy Hash: a0d690a9e8e4b56653d5edd2257bb541ac33038840f1916700257e3302b896e6
Instruction Fuzzy Hash: AC3161B4529381ABD388DF28C09592ABBE1FBC9304F806A1DF8C6C6750D774D555CB42

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000CAB4 Relevance: 1.3, Strings: 1, Instructions: 79COMMON

Download Yara Rule

Strings

';, xrefs: 000000018000CB9C

Memory Dump Source

Source File: 00000000.00000002.322442190.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180001000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID: ';
API String ID: 0-706169278
Opcode ID: 9587db4b2b67fd753a018cb568408f52bd3cf40bd4a4250c7a41da4824b20b5e
Instruction ID: 84ad4d37d5b24612e456a33eed3795b6879453dbc847852894b69ace4711b10a
Opcode Fuzzy Hash: 9587db4b2b67fd753a018cb568408f52bd3cf40bd4a4250c7a41da4824b20b5e
Instruction Fuzzy Hash: AB319DB091038A8BCB48DF68D9464DA3BF4FB19348F004A1AFC66DA250D7B4DA25CBD5

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000320C Relevance: 1.3, Strings: 1, Instructions: 68COMMON

Download Yara Rule

Strings

q*, xrefs: 0000000180003228

Memory Dump Source

Source File: 00000000.00000002.322442190.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180001000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID: q*
API String ID: 0-2890306462
Opcode ID: e9b16eeb3c05b2dc58fd23e485c86fcc911b04417d1bf7a2c55211357001d955
Instruction ID: 426e468f8026e0b8476299c89ff0f5963c52ec6ee03c74d60595b1f09b38f2d3
Opcode Fuzzy Hash: e9b16eeb3c05b2dc58fd23e485c86fcc911b04417d1bf7a2c55211357001d955
Instruction Fuzzy Hash: 10318BB590038E8BDB48DF29C84A5DE3BA0FB48348B104A29EC2A97350D3B4D664CB95

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000E97C Relevance: 1.3, Strings: 1, Instructions: 64COMMON

Download Yara Rule

Strings

"0, xrefs: 000000018000EA2D

Memory Dump Source

Source File: 00000000.00000002.322442190.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180001000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID: "0
API String ID: 0-3232916595
Opcode ID: ced349a475a942435a58068fa7b5306d4e3e18ca1265cbbaffadb78cb52945e5
Instruction ID: 46df1953fb5514d0ded986e47b465898ac2105ade71d931b54119c8741523ee4
Opcode Fuzzy Hash: ced349a475a942435a58068fa7b5306d4e3e18ca1265cbbaffadb78cb52945e5
Instruction Fuzzy Hash: 1C217BB45183858BD348DF28C08A51ABBE0FB8D30DF404B1DF8CAAA291D779D6158B4A

Uniqueness

Uniqueness Score: -1.00%

Function 000000018001A27C Relevance: 1.3, Strings: 1, Instructions: 63COMMON

Download Yara Rule

Strings

Ki, xrefs: 000000018001A38D

Memory Dump Source

Source File: 00000000.00000002.322442190.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180001000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID: Ki
API String ID: 0-1715101133
Opcode ID: 4558f2da13ee0eaafe55bb3c5df4eb9d1fb5f9a618e6666c492359686f956a93
Instruction ID: 52fffbabfede286418100c7ee1af114bc6e995e3ef61a1078acf41130dd1023c
Opcode Fuzzy Hash: 4558f2da13ee0eaafe55bb3c5df4eb9d1fb5f9a618e6666c492359686f956a93
Instruction Fuzzy Hash: 3C317AB55083858BD348DF28C45951BBBF1FB8C348F410B6DF4CAAA260D778D645CB4A

Uniqueness

Uniqueness Score: -1.00%

Function 000000018001FF28 Relevance: 1.3, Strings: 1, Instructions: 63COMMON

Download Yara Rule

Strings

NR, xrefs: 000000018001FFC7

Memory Dump Source

Source File: 00000000.00000002.322442190.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180001000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID: NR
API String ID: 0-2856730796
Opcode ID: 985ffab200b1932dba1a0035db10e8c0f4a764b8fe9193c8efc1cd14a1e7751e
Instruction ID: 888a1bda249568a86adefe0d71e9aa6d507bdbf24dfed568917928c09168a45c
Opcode Fuzzy Hash: 985ffab200b1932dba1a0035db10e8c0f4a764b8fe9193c8efc1cd14a1e7751e
Instruction Fuzzy Hash: 70317EB06087858FD748DF28D15A52ABBE1BB9C318F444B1DF4CAAA394D3789604CF4A

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000B9B4 Relevance: 1.3, Strings: 1, Instructions: 62COMMON

Download Yara Rule

Strings

>, xrefs: 000000018000BA1D

Memory Dump Source

Source File: 00000000.00000002.322442190.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180001000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID: >
API String ID: 0-1166260821
Opcode ID: c9bbd9a1c8764c77f55e3730fede6ce06dcc687d073aaf0b9075fbd9e781daa6
Instruction ID: ec8c7fb501e6ecfaf473a8fb5074ea7b0052bf43d6134118ad317f941d440be4
Opcode Fuzzy Hash: c9bbd9a1c8764c77f55e3730fede6ce06dcc687d073aaf0b9075fbd9e781daa6
Instruction Fuzzy Hash: 443138B55187808BD348DF28C55541BBBE1BBCC748F804B1DF4CAAB260D778E645CB4A

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180015240 Relevance: 1.3, Strings: 1, Instructions: 53COMMON

Download Yara Rule

Strings

+~, xrefs: 00000001800152CA

Memory Dump Source

Source File: 00000000.00000002.322442190.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180001000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID: +~
API String ID: 0-2148840365
Opcode ID: 45cfc3e6f9e7ae098d08d6113d120eb16da4ef82f298c2b9d0a2a09659ef3253
Instruction ID: cb17ed4ef4a7a2aff8d25f33b410329614a0d5b560dda5608ecb6f3f583f77ba
Opcode Fuzzy Hash: 45cfc3e6f9e7ae098d08d6113d120eb16da4ef82f298c2b9d0a2a09659ef3253
Instruction Fuzzy Hash: AE2148B46093848FD389DF28C48951BBBE1BB9C708F404B2DF4DEA6260D7789644CF4A

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180015020 Relevance: 1.3, Strings: 1, Instructions: 48COMMON

Download Yara Rule

Strings

.s, xrefs: 0000000180015024

Memory Dump Source

Source File: 00000000.00000002.322442190.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180001000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID: .s
API String ID: 0-2211593045
Opcode ID: a89e1310f1b33d0137d7e7206c74e0aa433ec271eea8e6e9d2676072d0a6b0e0
Instruction ID: ed3710ea687b0090dfe407479a03e5a36cf91d591a0993f6692bb9680592a455
Opcode Fuzzy Hash: a89e1310f1b33d0137d7e7206c74e0aa433ec271eea8e6e9d2676072d0a6b0e0
Instruction Fuzzy Hash: A42164B05187858FE388DF28C04A80BBBE0BB9D358F404B1DF4CAA6264D378D644CB4B

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF88C31C420 Relevance: .3, Instructions: 272
COMMONCrypto

Download Yara Rule

C-Code - Quality: 98%

			E00007FF87FF88C31C420(void* __ecx, signed int __edx, long long __rbx, long long __rcx, long long __rdi, long long __rsi, void* __r11, long long _a16, long long _a24, long long _a32) {
				void* _v40;
				signed int _v56;
				intOrPtr _v64;
				intOrPtr _v70;
				unsigned long long _v72;
				signed int _v78;
				signed int _v80;
				intOrPtr _v82;
				unsigned int _v84;
				signed short _v86;
				signed int _v88;
				void* _v96;
				signed int _v104;
				signed int _v112;
				intOrPtr _v116;
				signed int _v120;
				signed short _t93;
				signed short _t94;
				signed int _t112;
				signed short _t113;
				intOrPtr _t114;
				signed int _t119;
				intOrPtr _t126;
				intOrPtr _t128;
				unsigned int _t129;
				unsigned int _t130;
				signed short _t132;
				signed short _t139;
				signed short _t140;
				intOrPtr _t152;
				signed int _t155;
				signed int _t167;
				signed int _t190;
				signed int _t191;
				signed long long _t201;
				signed long long _t202;
				long long _t203;
				unsigned long long _t207;
				void* _t209;
				intOrPtr* _t212;
				intOrPtr* _t213;
				void* _t222;
				void* _t225;
				long long* _t228;
				intOrPtr* _t229;
				void* _t231;
				void* _t233;

				_t231 = __r11;
				_t203 = __rbx;
				if (__edx == 0) goto 0x8c31c7bd;
				_a16 = __rbx;
				_a24 = __rsi;
				_a32 = __rdi;
				_push(_t233);
				_t223 = _t222 - 0x50;
				_t201 =  *0x8c3670a0; // 0xfd5a6ce2fd9f
				_t202 = _t201 ^ _t222 - 0x00000050;
				_v56 = _t202;
				r11d = __edx;
				_v96 = __rcx;
				if (__edx >= 0) goto 0x8c31c47e;
				r11d =  ~r11d;
				if (r8d != 0) goto 0x8c31c486;
				 *((short*)(__rcx)) = 0;
				_t167 = r11d;
				if (_t167 == 0) goto 0x8c31c794;
				_t6 = _t203 + 1; // 0x8000
				r12d = _t6;
				r11d = r11d >> 3;
				_v104 = r11d;
				if (_t167 == 0) goto 0x8c31c78b;
				_t212 = 0x7ff88c3686f4 + (_t202 + _t202 * 2) * 4;
				if ( *_t212 - r12w < 0) goto 0x8c31c4e0;
				_t207 =  *_t212;
				_t213 =  &_v72;
				_v72 = _t207;
				_v64 =  *((intOrPtr*)(_t212 + 8));
				_v70 = __ecx - 1;
				_t139 =  *(_t213 + 0xa) & 0x0000ffff;
				_t93 =  *(__rcx + 0xa) & 0x0000ffff;
				_v112 = 0;
				r10d = _t139 & 0x0000ffff;
				_t140 = _t139 & 0x00007fff;
				_v88 = 0;
				r10w = r10w ^ _t93;
				_t94 = _t93 & 0x00007fff;
				_v80 = 0;
				r10w = r10w & r12w;
				r8d = _t202 + (_t207 >> 0x10);
				_v120 = r10w;
				if (_t94 - 0x7fff >= 0) goto 0x8c31c770;
				if (_t140 - 0x7fff >= 0) goto 0x8c31c770;
				if (r8w - 0xbffd > 0) goto 0x8c31c76b;
				r10d = 0x3fbf;
				if (r8w - r10w > 0) goto 0x8c31c554;
				 *((long long*)(__rcx + 4)) = 0;
				 *((intOrPtr*)(__rcx)) = 0;
				goto 0x8c31c78b;
				if (_t94 != 0) goto 0x8c31c579;
				r8w = r8w + 1;
				if (( *(__rcx + 8) & 0x7fffffff) != 0) goto 0x8c31c579;
				if ( *((intOrPtr*)(__rcx + 4)) != 0) goto 0x8c31c579;
				if ( *((intOrPtr*)(__rcx)) != 0) goto 0x8c31c579;
				 *(__rcx + 0xa) = 0;
				goto 0x8c31c54a;
				if (_t140 != 0) goto 0x8c31c594;
				r8w = r8w + 1;
				if (( *(_t213 + 8) & 0x7fffffff) != 0) goto 0x8c31c594;
				if ( *((intOrPtr*)(_t213 + 4)) != 0) goto 0x8c31c594;
				if ( *_t213 == 0) goto 0x8c31c53f;
				r11d = 0;
				_t229 =  &_v84;
				_t35 = _t231 + 5; // 0x5
				_t152 = _t35;
				r12d = r11d;
				_v116 = _t152;
				_t209 = _t233 + _t233;
				if (_t152 <= 0) goto 0x8c31c60b;
				_t39 = _t213 + 8; // 0x3fc7
				r9d = r12d & 0x00000001;
				_t126 = _t202 + _t209;
				if (_t126 -  *((intOrPtr*)(_t229 - 4)) < 0) goto 0x8c31c5dd;
				if (_t126 - ( *_t39 & 0x0000ffff) * ( *(_t209 + __rcx) & 0x0000ffff) >= 0) goto 0x8c31c5e2;
				 *((intOrPtr*)(_t229 - 4)) = _t126;
				if (1 == 0) goto 0x8c31c5f3;
				 *_t229 =  *_t229 + 1;
				_t128 = _v116 - 1;
				_v116 = _t128;
				if (_t128 > 0) goto 0x8c31c5c0;
				r12d = r12d + 1;
				if (_t152 - 1 > 0) goto 0x8c31c5a2;
				r10d = _v80;
				_t129 = _v88;
				r8w = r8w + 0xc002;
				r14d = 0xffff;
				if (r8w <= 0) goto 0x8c31c66d;
				if (r10d < 0) goto 0x8c31c667;
				r10d = r10d + r10d;
				_t130 = _t129 + _t129;
				r8w = r8w + r14w;
				r10d = r10d | _v84 >> 0x0000001f;
				_v88 = _t130;
				_v84 = __rdi + __rdi | _t129 >> 0x0000001f;
				_v80 = r10d;
				if (r8w > 0) goto 0x8c31c634;
				_t190 = r8w;
				if (_t190 > 0) goto 0x8c31c6ce;
				r8w = r8w + r14w;
				if (_t190 >= 0) goto 0x8c31c6ce;
				r9d = _v112;
				r8w = r8w + ( ~(r8w & 0xffffffff) & 0x0000ffff);
				_t191 = _v88 & sil;
				if (_t191 == 0) goto 0x8c31c68e;
				r9d = r9d + 1;
				_t155 = _v84;
				r10d = r10d >> 1;
				_t132 = _t130 >> 0x00000001 | _t155 << 0x0000001f;
				_v84 = _t155 >> 0x00000001 | r10d << 0x0000001f;
				_v88 = _t132;
				if (_t191 != 0) goto 0x8c31c685;
				_t228 = _v96;
				_v80 = r10d;
				if (r9d == 0) goto 0x8c31c6ce;
				_v88 = _t132 & 0x0000ffff | 0x00000001;
				goto 0x8c31c6d2;
				r11d = _v104;
				r12d = 0x8000;
				if ((_v88 & 0x0000ffff) - r12w > 0) goto 0x8c31c6f0;
				if ((_v88 & 0x0001ffff) != 0x18000) goto 0x8c31c736;
				if (_v86 != 0xffffffff) goto 0x8c31c731;
				_v86 = 0;
				if (_v82 != 0xffffffff) goto 0x8c31c726;
				_t112 = _v78 & 0x0000ffff;
				_v82 = 0;
				if (_t112 != r14w) goto 0x8c31c71d;
				_v78 = r12w;
				r8w = r8w + 1;
				goto 0x8c31c72b;
				_t113 = _t112 + 1;
				_v78 = _t113;
				goto 0x8c31c72b;
				_t114 = _t113 + 1;
				_v82 = _t114;
				r10d = _v80;
				goto 0x8c31c738;
				_v86 = _t114 + 1;
				if (r8w - 0x7fff < 0) goto 0x8c31c74c;
				goto 0x8c31c774;
				r8w = r8w | _v120;
				 *(_t228 + 6) = r10d;
				 *_t228 = _v86 & 0x0000ffff;
				_t119 = _v84;
				 *(_t228 + 0xa) = r8w;
				 *(_t228 + 2) = _t119;
				goto 0x8c31c78b;
				r10w =  ~r10w;
				asm("sbb eax, eax");
				 *_t228 = 0;
				 *((intOrPtr*)(_t228 + 8)) = (_t119 & 0x80000000) + 0x7fff8000;
				if (r11d != 0) goto 0x8c31c49d;
				return E00007FF87FF88C304980(_t155 << 0x1f, _v56 ^ _t223, _t213 - __rsi, _t225);
			}

0x7ff88c31c420
0x7ff88c31c420
0x7ff88c31c422
0x7ff88c31c428
0x7ff88c31c42d
0x7ff88c31c432
0x7ff88c31c438
0x7ff88c31c443
0x7ff88c31c447
0x7ff88c31c44e
0x7ff88c31c451
0x7ff88c31c45e
0x7ff88c31c468
0x7ff88c31c46e
0x7ff88c31c477
0x7ff88c31c481
0x7ff88c31c483
0x7ff88c31c486
0x7ff88c31c489
0x7ff88c31c499
0x7ff88c31c499
0x7ff88c31c4a0
0x7ff88c31c4ab
0x7ff88c31c4af
0x7ff88c31c4bb
0x7ff88c31c4c4
0x7ff88c31c4c6
0x7ff88c31c4cc
0x7ff88c31c4d0
0x7ff88c31c4d8
0x7ff88c31c4dd
0x7ff88c31c4e0
0x7ff88c31c4e4
0x7ff88c31c4e9
0x7ff88c31c4ec
0x7ff88c31c4f0
0x7ff88c31c4f3
0x7ff88c31c4fb
0x7ff88c31c4ff
0x7ff88c31c502
0x7ff88c31c505
0x7ff88c31c509
0x7ff88c31c50d
0x7ff88c31c515
0x7ff88c31c51e
0x7ff88c31c52d
0x7ff88c31c533
0x7ff88c31c53d
0x7ff88c31c53f
0x7ff88c31c547
0x7ff88c31c54f
0x7ff88c31c557
0x7ff88c31c559
0x7ff88c31c565
0x7ff88c31c56b
0x7ff88c31c570
0x7ff88c31c572
0x7ff88c31c577
0x7ff88c31c57c
0x7ff88c31c57e
0x7ff88c31c589
0x7ff88c31c58e
0x7ff88c31c592
0x7ff88c31c594
0x7ff88c31c597
0x7ff88c31c59b
0x7ff88c31c59b
0x7ff88c31c59f
0x7ff88c31c5a6
0x7ff88c31c5a9
0x7ff88c31c5ae
0x7ff88c31c5b7
0x7ff88c31c5bd
0x7ff88c31c5d2
0x7ff88c31c5d7
0x7ff88c31c5db
0x7ff88c31c5e4
0x7ff88c31c5ed
0x7ff88c31c5ef
0x7ff88c31c5fe
0x7ff88c31c600
0x7ff88c31c605
0x7ff88c31c611
0x7ff88c31c616
0x7ff88c31c618
0x7ff88c31c61c
0x7ff88c31c624
0x7ff88c31c628
0x7ff88c31c632
0x7ff88c31c637
0x7ff88c31c63e
0x7ff88c31c644
0x7ff88c31c64e
0x7ff88c31c654
0x7ff88c31c657
0x7ff88c31c65a
0x7ff88c31c65d
0x7ff88c31c665
0x7ff88c31c667
0x7ff88c31c66b
0x7ff88c31c66d
0x7ff88c31c671
0x7ff88c31c673
0x7ff88c31c681
0x7ff88c31c685
0x7ff88c31c689
0x7ff88c31c68b
0x7ff88c31c68e
0x7ff88c31c6a2
0x7ff88c31c6a5
0x7ff88c31c6aa
0x7ff88c31c6ad
0x7ff88c31c6b0
0x7ff88c31c6b5
0x7ff88c31c6b9
0x7ff88c31c6bd
0x7ff88c31c6c5
0x7ff88c31c6cc
0x7ff88c31c6d2
0x7ff88c31c6d6
0x7ff88c31c6e0
0x7ff88c31c6ee
0x7ff88c31c6f6
0x7ff88c31c6fd
0x7ff88c31c703
0x7ff88c31c705
0x7ff88c31c709
0x7ff88c31c710
0x7ff88c31c712
0x7ff88c31c717
0x7ff88c31c71b
0x7ff88c31c71d
0x7ff88c31c720
0x7ff88c31c724
0x7ff88c31c726
0x7ff88c31c728
0x7ff88c31c72b
0x7ff88c31c72f
0x7ff88c31c733
0x7ff88c31c741
0x7ff88c31c74a
0x7ff88c31c750
0x7ff88c31c755
0x7ff88c31c759
0x7ff88c31c75d
0x7ff88c31c760
0x7ff88c31c765
0x7ff88c31c769
0x7ff88c31c770
0x7ff88c31c774
0x7ff88c31c776
0x7ff88c31c787
0x7ff88c31c78e
0x7ff88c31c7bd

Memory Dump Source

Source File: 00000000.00000002.323590886.00007FF88C301000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF88C300000, based on PE: true

Associated: 00000000.00000002.323573707.00007FF88C300000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323655700.00007FF88C322000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323798879.00007FF88C367000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323812343.00007FF88C36A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323824687.00007FF88C36C000.00000010.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323839114.00007FF88C36D000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff88c300000_loaddll64.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3927026404e4a427414931410251a7ff08b57083af26ce8eba506bdcdd4d50f3
Instruction ID: d8de4560983ea0faa2d9fd81eae15ab2bf64487e4021b2158c8e6c0e2fd0526a
Opcode Fuzzy Hash: 3927026404e4a427414931410251a7ff08b57083af26ce8eba506bdcdd4d50f3
Instruction Fuzzy Hash: 9CB1D177F186528EF7148F69E440ABC77B0BB59788F545137FE0993688EB78A842C708

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF88C31C0E8 Relevance: .2, Instructions: 239
COMMONCrypto

Download Yara Rule

C-Code - Quality: 99%

			E00007FF87FF88C31C0E8(long long __rbx, signed short* __rcx, intOrPtr* __rdx, long long __rdi, long long __rsi, long long _a16, long long _a24, long long _a32) {
				signed int _v56;
				signed int _v62;
				signed int _v64;
				signed short _v66;
				unsigned int _v68;
				signed short _v70;
				signed short _v72;
				void* _v80;
				signed short _v84;
				signed short _v86;
				signed short _v88;
				signed short _t77;
				signed short _t78;
				signed int _t94;
				signed short _t95;
				signed short _t96;
				signed int _t100;
				signed short _t108;
				signed short _t109;
				signed int _t113;
				signed int _t114;
				unsigned int _t129;
				signed int _t160;
				signed int _t161;
				signed long long _t170;
				signed long long _t171;
				intOrPtr* _t175;
				void* _t186;
				long long* _t191;
				void* _t193;
				void* _t195;
				signed short _t196;
				signed short* _t197;

				_a16 = __rbx;
				_a24 = __rsi;
				_a32 = __rdi;
				_t187 = _t186 - 0x30;
				_t170 =  *0x8c3670a0; // 0xfd5a6ce2fd9f
				_t171 = _t170 ^ _t186 - 0x00000030;
				_v56 = _t171;
				_t77 =  *(__rdx + 0xa) & 0x0000ffff;
				r14d = 0;
				_v80 = __rcx;
				_t108 = __rcx[5] & 0x0000ffff;
				_v84 = r14d;
				_t109 = _t108 & 0x00007fff;
				_t78 = _t77 & 0x00007fff;
				_v72 = _t196;
				r9d = __rcx + _t171;
				_v64 = r14d;
				_v86 = (_t77 & 0x0000ffff ^ _t108) & 0x00008000;
				_v88 = r9w;
				if (_t109 - 0x7fff >= 0) goto 0x8c31c3de;
				if (_t78 - 0x7fff >= 0) goto 0x8c31c3de;
				if (r9w - 0xbffd > 0) goto 0x8c31c3de;
				if (r9w - 0x3fbf > 0) goto 0x8c31c194;
				__rcx[2] = _t196;
				 *__rcx = r14d;
				goto 0x8c31c3f6;
				r13d = 1;
				if (_t109 != 0) goto 0x8c31c1c8;
				r9w = r9w + r13w;
				_v88 = r9w;
				if ((__rcx[4] & 0x7fffffff) != 0) goto 0x8c31c1c8;
				if (__rcx[2] != r14d) goto 0x8c31c1c8;
				if ( *__rcx != r14d) goto 0x8c31c1c8;
				__rcx[5] = r14w;
				goto 0x8c31c3f6;
				if (_t78 != 0) goto 0x8c31c1ea;
				r9w = r9w + r13w;
				_v88 = r9w;
				if (( *(__rdx + 8) & 0x7fffffff) != 0) goto 0x8c31c1ea;
				if ( *((intOrPtr*)(__rdx + 4)) != r14d) goto 0x8c31c1ea;
				if ( *__rdx == r14d) goto 0x8c31c188;
				_t26 =  &_v68; // -27
				_t175 = _t26;
				r13d = 5;
				_t193 = __rbx + __rbx;
				if (5 <= 0) goto 0x8c31c25d;
				_t197 = __rdx + 8;
				r8d = 0;
				r10d =  *(_t193 + __rcx) & 0x0000ffff;
				r10d = r10d * ( *_t197 & 0x0000ffff);
				r11d = _t171 + _t193;
				if (r11d -  *(_t175 - 4) < 0) goto 0x8c31c237;
				if (r11d - r10d >= 0) goto 0x8c31c23a;
				 *(_t175 - 4) = r11d;
				if (r9d == 0) goto 0x8c31c246;
				 *_t175 =  *_t175 + r9w;
				r13d = r13d - r9d;
				if (r13d > 0) goto 0x8c31c217;
				r14d = 0;
				if (5 - r9d > 0) goto 0x8c31c1f9;
				r9d = _v88 & 0x0000ffff;
				r10d = _v64;
				r11d = _v72;
				r12d = 0xffff;
				r9w = r9w + 0xc002;
				if (r9w <= 0) goto 0x8c31c2ce;
				if ((0x80000000 & r10d) != 0) goto 0x8c31c2c8;
				r10d = r10d + r10d;
				r11d = r11d + r11d;
				r9w = r9w + r12w;
				r10d = r10d | _v68 >> 0x0000001f;
				_v72 = r11d;
				_v68 = __rdi + __rdi | r11d >> 0x0000001f;
				_v64 = r10d;
				if (r9w > 0) goto 0x8c31c292;
				_t160 = r9w;
				if (_t160 > 0) goto 0x8c31c33b;
				r9w = r9w + r12w;
				r13d = 1;
				if (_t160 >= 0) goto 0x8c31c341;
				r8d = _v84;
				r9w = r9w + ( ~(r9w & 0xffffffff) & 0x0000ffff);
				_t161 = _v72 & r13b;
				if (_t161 == 0) goto 0x8c31c2f5;
				r8d = r8d + r13d;
				_t129 = _v68;
				r11d = r11d >> 1;
				_t113 = _t129 << 0x1f;
				r10d = r10d >> 1;
				r11d = r11d | _t113;
				_v68 = _t129 >> 0x00000001 | r10d << 0x0000001f;
				_v72 = r11d;
				if (_t161 != 0) goto 0x8c31c2ec;
				_t191 = _v80;
				_v64 = r10d;
				if (r8d == 0) goto 0x8c31c341;
				_v72 = r11w & 0xffffffff | r13w;
				r11d = _v72;
				goto 0x8c31c345;
				r13d = 1;
				if ((_v72 & 0x0000ffff) - 0x8000 > 0) goto 0x8c31c363;
				r11d = r11d & 0x0001ffff;
				if (r11d != 0x18000) goto 0x8c31c3ac;
				_t114 = _t113 | 0xffffffff;
				if (_v70 != _t114) goto 0x8c31c3a6;
				_v70 = r14d;
				if (_v66 != _t114) goto 0x8c31c39a;
				_t94 = _v62 & 0x0000ffff;
				_v66 = r14d;
				if (_t94 != r12w) goto 0x8c31c390;
				_v62 = 0x8000;
				r9w = r9w + r13w;
				goto 0x8c31c3a0;
				_t95 = _t94 + r13w;
				_v62 = _t95;
				goto 0x8c31c3a0;
				_t96 = _t95 + r13d;
				_v66 = _t96;
				r10d = _v64;
				goto 0x8c31c3ac;
				_v70 = _t96 + r13d;
				if (r9w - 0x7fff < 0) goto 0x8c31c3c0;
				 *_t191 = 0;
				goto 0x8c31c3e6;
				r9w = r9w | _v86 & 0x0000ffff;
				 *(_t191 + 6) = r10d;
				 *_t191 = _v70 & 0x0000ffff;
				_t100 = _v68;
				 *(_t191 + 0xa) = r9w;
				 *(_t191 + 2) = _t100;
				goto 0x8c31c3f6;
				 *_t191 = _t197 - 2;
				asm("sbb eax, eax");
				 *((intOrPtr*)(_t191 + 8)) = (_t100 & 0x80000000) + 0x7fff8000;
				return E00007FF87FF88C304980(_t114, _v56 ^ _t187, __rdx - _t195, _t191);
			}

0x7ff88c31c0e8
0x7ff88c31c0ed
0x7ff88c31c0f2
0x7ff88c31c103
0x7ff88c31c107
0x7ff88c31c10e
0x7ff88c31c111
0x7ff88c31c115
0x7ff88c31c119
0x7ff88c31c11f
0x7ff88c31c123
0x7ff88c31c13d
0x7ff88c31c141
0x7ff88c31c144
0x7ff88c31c147
0x7ff88c31c14b
0x7ff88c31c14f
0x7ff88c31c153
0x7ff88c31c157
0x7ff88c31c15f
0x7ff88c31c168
0x7ff88c31c177
0x7ff88c31c186
0x7ff88c31c188
0x7ff88c31c18c
0x7ff88c31c18f
0x7ff88c31c199
0x7ff88c31c1a2
0x7ff88c31c1a4
0x7ff88c31c1a8
0x7ff88c31c1b1
0x7ff88c31c1b7
0x7ff88c31c1bc
0x7ff88c31c1be
0x7ff88c31c1c3
0x7ff88c31c1cb
0x7ff88c31c1cd
0x7ff88c31c1d1
0x7ff88c31c1db
0x7ff88c31c1e2
0x7ff88c31c1e8
0x7ff88c31c1ed
0x7ff88c31c1ed
0x7ff88c31c1fc
0x7ff88c31c1ff
0x7ff88c31c204
0x7ff88c31c20c
0x7ff88c31c214
0x7ff88c31c21b
0x7ff88c31c222
0x7ff88c31c229
0x7ff88c31c230
0x7ff88c31c235
0x7ff88c31c23a
0x7ff88c31c240
0x7ff88c31c242
0x7ff88c31c246
0x7ff88c31c254
0x7ff88c31c25a
0x7ff88c31c269
0x7ff88c31c26b
0x7ff88c31c270
0x7ff88c31c274
0x7ff88c31c282
0x7ff88c31c288
0x7ff88c31c290
0x7ff88c31c295
0x7ff88c31c29d
0x7ff88c31c2a3
0x7ff88c31c2ae
0x7ff88c31c2b4
0x7ff88c31c2b7
0x7ff88c31c2bb
0x7ff88c31c2be
0x7ff88c31c2c6
0x7ff88c31c2c8
0x7ff88c31c2cc
0x7ff88c31c2ce
0x7ff88c31c2d2
0x7ff88c31c2d8
0x7ff88c31c2da
0x7ff88c31c2e8
0x7ff88c31c2ec
0x7ff88c31c2f0
0x7ff88c31c2f2
0x7ff88c31c2f5
0x7ff88c31c2fb
0x7ff88c31c305
0x7ff88c31c30a
0x7ff88c31c30d
0x7ff88c31c313
0x7ff88c31c316
0x7ff88c31c31a
0x7ff88c31c31f
0x7ff88c31c323
0x7ff88c31c327
0x7ff88c31c331
0x7ff88c31c335
0x7ff88c31c339
0x7ff88c31c33b
0x7ff88c31c351
0x7ff88c31c353
0x7ff88c31c361
0x7ff88c31c366
0x7ff88c31c36b
0x7ff88c31c370
0x7ff88c31c376
0x7ff88c31c378
0x7ff88c31c37c
0x7ff88c31c384
0x7ff88c31c386
0x7ff88c31c38a
0x7ff88c31c38e
0x7ff88c31c390
0x7ff88c31c394
0x7ff88c31c398
0x7ff88c31c39a
0x7ff88c31c39d
0x7ff88c31c3a0
0x7ff88c31c3a4
0x7ff88c31c3a9
0x7ff88c31c3b5
0x7ff88c31c3b7
0x7ff88c31c3be
0x7ff88c31c3c4
0x7ff88c31c3c8
0x7ff88c31c3cc
0x7ff88c31c3d0
0x7ff88c31c3d3
0x7ff88c31c3d8
0x7ff88c31c3dc
0x7ff88c31c3e3
0x7ff88c31c3e9
0x7ff88c31c3f2
0x7ff88c31c41e

Memory Dump Source

Source File: 00000000.00000002.323590886.00007FF88C301000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF88C300000, based on PE: true

Associated: 00000000.00000002.323573707.00007FF88C300000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323655700.00007FF88C322000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323798879.00007FF88C367000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323812343.00007FF88C36A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323824687.00007FF88C36C000.00000010.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323839114.00007FF88C36D000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff88c300000_loaddll64.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5db52f5c95a03b0e6c900aa874dcf1f267d555641bbb2baf42ed015848d971db
Instruction ID: 3e68a146d66bb82f82b1a5ee0cc6821ec40e4de319b2031fe7d618c43a683296
Opcode Fuzzy Hash: 5db52f5c95a03b0e6c900aa874dcf1f267d555641bbb2baf42ed015848d971db
Instruction Fuzzy Hash: 1691B137F186928EF7508F64E401ABE37A0BB15788F504437FE09A3688DB3CA952C758

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180025CB8 Relevance: .2, Instructions: 217COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.322442190.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180001000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1e5a607cb4fab1c828942dee17bc3902e8d42f21f052dbabf23c70adef17431
Instruction ID: ce9a01cb25bcbe83c280eab41490dde06654ab5ba01acb8202d2f0351efd74c8
Opcode Fuzzy Hash: d1e5a607cb4fab1c828942dee17bc3902e8d42f21f052dbabf23c70adef17431
Instruction Fuzzy Hash: 18C164B5900308CFDB98DF68C18A58D7BB9FF59744F40412AFC1E9A2A4D7B4E525CB06

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF88C31DBCC Relevance: .2, Instructions: 173
COMMONLIBRARYCODECrypto

Download Yara Rule

C-Code - Quality: 100%

			E00007FF87FF88C31DBCC(void* __edx, unsigned int __esi, long long __rbx, char* __rcx, void* __rdx, long long __rsi, long long __rbp, unsigned int* __r8, void* __r9, long long _a8, long long _a16, long long _a24) {
				unsigned int _t52;
				unsigned int _t57;
				unsigned int _t83;
				unsigned int _t84;
				signed int _t85;
				void* _t107;
				unsigned long long _t117;
				void* _t124;
				void* _t128;

				_t128 = __r9;
				_a8 = __rbx;
				_a16 = __rbp;
				_a24 = __rsi;
				 *__r8 =  *__r8 & 0x00000000;
				__r8[1] = __r8[1] & 0x00000000;
				__r8[2] = __r8[2] & 0x00000000;
				if (__edx == 0) goto 0x8c31dd3f;
				r9d = 0;
				r10d = 0;
				_t8 = _t128 + 1; // 0x1
				r14d = _t8;
				_t117 =  *__r8;
				r12d = __r8[2];
				r9d = r9d + r9d;
				r10d = r10d + r10d;
				r10d = r10d | r9d >> 0x0000001f;
				r8d = _t117 + _t117;
				r10d = r10d + r10d;
				r9d = r9d | __esi >> 0x0000001f;
				r8d = r8d + r8d;
				r9d = r9d + r9d;
				 *(_t124 - 0x10) = _t117;
				r9d = r9d | r8d >> 0x0000001f;
				r10d = r10d | r9d >> 0x0000001f;
				 *__r8 = r8d;
				_t83 = __r8 + __rcx;
				__r8[1] = r9d;
				__r8[2] = r10d;
				if (_t83 - r8d < 0) goto 0x8c31dc6e;
				if (_t83 - __esi >= 0) goto 0x8c31dc71;
				 *__r8 = _t83;
				if (r14d == 0) goto 0x8c31dc9c;
				r9d = r9d + 1;
				if (r9d - r9d < 0) goto 0x8c31dc8a;
				if (r9d - r14d >= 0) goto 0x8c31dc8d;
				__r8[1] = r9d;
				if (r14d == 0) goto 0x8c31dc9c;
				r10d = r10d + 1;
				__r8[2] = r10d;
				r8d = __r9 + (_t117 >> 0x20);
				if (r8d - r9d < 0) goto 0x8c31dcb0;
				if (r8d - __esi >= 0) goto 0x8c31dcb3;
				__r8[1] = r8d;
				if (r14d == 0) goto 0x8c31dcc2;
				r10d = r10d + r14d;
				__r8[2] = r10d;
				r10d = r10d + r12d;
				_t84 = _t83 + _t83;
				r9d = __r8 + __r8;
				r9d = r9d | _t83 >> 0x0000001f;
				r10d = r10d + r10d;
				r10d = r10d | r8d >> 0x0000001f;
				__r8[1] = r9d;
				 *__r8 = _t84;
				__r8[2] = r10d;
				r8d =  *__rcx;
				_t52 = __rdx + __r8;
				if (_t52 - _t84 < 0) goto 0x8c31dcfe;
				if (_t52 - r8d >= 0) goto 0x8c31dd01;
				 *__r8 = _t52;
				if (r14d == 0) goto 0x8c31dd2c;
				r9d = r9d + 1;
				if (r9d - r9d < 0) goto 0x8c31dd1a;
				if (r9d - r14d >= 0) goto 0x8c31dd1d;
				__r8[1] = r9d;
				_t107 = r14d;
				if (_t107 == 0) goto 0x8c31dd2c;
				r10d = r10d + 1;
				__r8[2] = r10d;
				__r8[1] = r9d;
				__r8[2] = r10d;
				if (_t107 != 0) goto 0x8c31dc11;
				if (__r8[2] != 0) goto 0x8c31dd80;
				r9d = __r8[1];
				_t85 =  *__r8;
				r8d = r9d;
				r8d = r8d >> 0x10;
				__r8[2] = r8d;
				r9d = _t85 >> 0x10;
				 *__r8 = _t85 << 0x10;
				r9d = r9d | r9d << 0x00000010;
				__r8[1] = r9d;
				if (r8d == 0) goto 0x8c31dd4a;
				r8d = __r8[2];
				r10d = 0x8000;
				if ((r10d & r8d) != 0) goto 0x8c31ddc7;
				r9d = __r8[1];
				_t57 =  *__r8;
				r8d = r8d + r8d;
				r9d = r9d + r9d;
				r8d = r8d | r9d >> 0x0000001f;
				r9d = r9d | _t57 >> 0x0000001f;
				 *__r8 = _t57 + _t57;
				__r8[1] = r9d;
				__r8[2] = r8d;
				if ((r10d & r8d) == 0) goto 0x8c31dd93;
				__r8[2] = 0x2403d;
				return 0xffff;
			}

0x7ff88c31dbcc
0x7ff88c31dbcc
0x7ff88c31dbd1
0x7ff88c31dbd6
0x7ff88c31dbe4
0x7ff88c31dbe8
0x7ff88c31dbed
0x7ff88c31dc01
0x7ff88c31dc07
0x7ff88c31dc0a
0x7ff88c31dc0d
0x7ff88c31dc0d
0x7ff88c31dc11
0x7ff88c31dc14
0x7ff88c31dc1b
0x7ff88c31dc1e
0x7ff88c31dc24
0x7ff88c31dc27
0x7ff88c31dc30
0x7ff88c31dc36
0x7ff88c31dc39
0x7ff88c31dc42
0x7ff88c31dc45
0x7ff88c31dc4c
0x7ff88c31dc51
0x7ff88c31dc56
0x7ff88c31dc59
0x7ff88c31dc5d
0x7ff88c31dc61
0x7ff88c31dc68
0x7ff88c31dc6c
0x7ff88c31dc71
0x7ff88c31dc76
0x7ff88c31dc7b
0x7ff88c31dc83
0x7ff88c31dc88
0x7ff88c31dc8d
0x7ff88c31dc93
0x7ff88c31dc95
0x7ff88c31dc98
0x7ff88c31dca2
0x7ff88c31dca9
0x7ff88c31dcae
0x7ff88c31dcb3
0x7ff88c31dcb9
0x7ff88c31dcbb
0x7ff88c31dcbe
0x7ff88c31dcc2
0x7ff88c31dcc7
0x7ff88c31dccf
0x7ff88c31dcd6
0x7ff88c31dcd9
0x7ff88c31dcdc
0x7ff88c31dcdf
0x7ff88c31dce3
0x7ff88c31dce6
0x7ff88c31dcea
0x7ff88c31dcf1
0x7ff88c31dcf7
0x7ff88c31dcfc
0x7ff88c31dd01
0x7ff88c31dd06
0x7ff88c31dd0b
0x7ff88c31dd13
0x7ff88c31dd18
0x7ff88c31dd1d
0x7ff88c31dd21
0x7ff88c31dd23
0x7ff88c31dd25
0x7ff88c31dd28
0x7ff88c31dd31
0x7ff88c31dd35
0x7ff88c31dd39
0x7ff88c31dd44
0x7ff88c31dd46
0x7ff88c31dd4a
0x7ff88c31dd50
0x7ff88c31dd58
0x7ff88c31dd62
0x7ff88c31dd66
0x7ff88c31dd69
0x7ff88c31dd6c
0x7ff88c31dd77
0x7ff88c31dd7e
0x7ff88c31dd80
0x7ff88c31dd84
0x7ff88c31dd8d
0x7ff88c31dd8f
0x7ff88c31dd93
0x7ff88c31dd99
0x7ff88c31dda6
0x7ff88c31dda9
0x7ff88c31ddac
0x7ff88c31ddaf
0x7ff88c31ddba
0x7ff88c31ddbe
0x7ff88c31ddc5
0x7ff88c31ddd1
0x7ff88c31dde4

Memory Dump Source

Source File: 00000000.00000002.323590886.00007FF88C301000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF88C300000, based on PE: true

Associated: 00000000.00000002.323573707.00007FF88C300000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323655700.00007FF88C322000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323798879.00007FF88C367000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323812343.00007FF88C36A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323824687.00007FF88C36C000.00000010.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323839114.00007FF88C36D000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff88c300000_loaddll64.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e1e48596fdf5ea50ef3df4a9aab293c2a7286e8955242186005ffd8a8896482
Instruction ID: 20fcd799469c70a972e82cdad645198d9b092523b9a6ae99e27029ddbf0de822
Opcode Fuzzy Hash: 5e1e48596fdf5ea50ef3df4a9aab293c2a7286e8955242186005ffd8a8896482
Instruction Fuzzy Hash: 65510672F182A28BE7598F18E004F6C3A95FB95385F51D039EA16C7F44DAB9DC51CB00

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800197F8 Relevance: .2, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.322442190.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180001000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b60171dc45b79a64648eede91aa010a9deb81f01e779db23a0f33eba1251872
Instruction ID: 1bb92d0f227b8f601480388a2d58d6ea08c0bd89027e7906522efa61ba5df313
Opcode Fuzzy Hash: 1b60171dc45b79a64648eede91aa010a9deb81f01e779db23a0f33eba1251872
Instruction Fuzzy Hash: 2881F77154878C9BEBBACF64D8897D937B0FB09344F908229D80E9E290DF745B89DB41

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180007658 Relevance: .2, Instructions: 169COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.322442190.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180001000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3fce1a3257b5a05a119cec6670cbee55d8817af48b7f2a030da6d074f45caf57
Instruction ID: 4a1aaf2e863724a9d6375048e1fc417388e58e77765aece36950eef269fab687
Opcode Fuzzy Hash: 3fce1a3257b5a05a119cec6670cbee55d8817af48b7f2a030da6d074f45caf57
Instruction Fuzzy Hash: 2C919AB550234DCFDB58CF28C29A59D3BE0FF54308F404129FC5A9A2A4D7B8D629CB49

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800138F0 Relevance: .2, Instructions: 159COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.322442190.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180001000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e783b5e3b40750ff3558cdff26548b2d6ff6e0bc7322d5cc93778d142798f73
Instruction ID: 5a36ab87df37d72e6517729777d4d1e32353e12cc4a4e6535100078dc38a5f3a
Opcode Fuzzy Hash: 9e783b5e3b40750ff3558cdff26548b2d6ff6e0bc7322d5cc93778d142798f73
Instruction Fuzzy Hash: A971187050064E8BDF48CF68C49A2DE3FB1FB58398F254219FC4AAA290D778D694CBC5

Uniqueness

Uniqueness Score: -1.00%

Function 000000018001BB98 Relevance: .2, Instructions: 159COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.322442190.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180001000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9dd91713c7f3ae684498e4da5220245a4a86c3150db6b50624599d0c02ead068
Instruction ID: e906469827bf169e063eeb2975e3beda6a174f65c5d87a2cd426234b00c2ad56
Opcode Fuzzy Hash: 9dd91713c7f3ae684498e4da5220245a4a86c3150db6b50624599d0c02ead068
Instruction Fuzzy Hash: 2D51687861660CCBDB69CF28C4D56993BE4EF68304F20412DF866872A2DB74D925CB88

Uniqueness

Uniqueness Score: -1.00%

Function 000000018002B6AC Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.322442190.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180001000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5cb32bfdc82ffefe67ac166da6a4fdf9a731d78aba7ebb784195a22a17b381f
Instruction ID: 6ee23df931dce464e4fe11490ca18f9892bf014009be1bfb4d04ba989e4cce53
Opcode Fuzzy Hash: e5cb32bfdc82ffefe67ac166da6a4fdf9a731d78aba7ebb784195a22a17b381f
Instruction Fuzzy Hash: 82711570D0475C8BEBA9DFE4D88669DBBB0FF44304F104219D419EB295D7B4AA4ACF41

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180016C70 Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.322442190.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180001000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2dbe5822058f962f2f58ea1d11b69701a4f8bb347ffca70b9a45be13ac6d1f3
Instruction ID: 1c1ab28b645e3098e9dea95bed53f1ded7810f4d756f74f9e7928d5f69cdaaa7
Opcode Fuzzy Hash: b2dbe5822058f962f2f58ea1d11b69701a4f8bb347ffca70b9a45be13ac6d1f3
Instruction Fuzzy Hash: 6D71C27154878DCBEBBACF24C8897DA7BB0FB48304F904619D84E8A2A0DF745749DB41

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800278D8 Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.322442190.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180001000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 933375d79356a5949fd7d4d81705efd8e887f23c277a49a56c4aed68a9df7030
Instruction ID: a13c45715b23b7bb3dffd35bbf57bffe77eb50cbb9881eb01665d399edbc5671
Opcode Fuzzy Hash: 933375d79356a5949fd7d4d81705efd8e887f23c277a49a56c4aed68a9df7030
Instruction Fuzzy Hash: FA51D5B190074ECFDB48CF68D88A5DE7FB0FB68398F104219E856A6250D7B496A5CFC4

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180013468 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.322442190.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180001000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb2e25ab73f036ab1f86c11415023f90bb19440803f683ce5313aaf47e03009d
Instruction ID: 298e035927da68768de15cc1885f87aa77a9636fda3cfbded06a5eca01a142e6
Opcode Fuzzy Hash: cb2e25ab73f036ab1f86c11415023f90bb19440803f683ce5313aaf47e03009d
Instruction Fuzzy Hash: 1151C6B090078A8FDF48CF64C88A4DE7BB1FB58358F11461DEC26AB290D3B49664CF95

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180029F58 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.322442190.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180001000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 692fc913e48dd0fe6a9e40e9b491624281b227042648c739c59f497c3f58c609
Instruction ID: f4898256a3dd464b90f0d9625e24765d6b65505f01e3e1572b94dca47ee7b07d
Opcode Fuzzy Hash: 692fc913e48dd0fe6a9e40e9b491624281b227042648c739c59f497c3f58c609
Instruction Fuzzy Hash: 2351D4B190070E8BDF48CF64C48A4DE7FB1FB68398F104619E855AA290D774D6A5CFC4

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180003E2C Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.322442190.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180001000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6fe8ee57a286e067da43c9dc7ea69928666c4e3e73b081c201f5d4848503ce77
Instruction ID: 6481695fc7842e8413ed9be041f93bea59012a25fae32a8f7786dc5e2a88f693
Opcode Fuzzy Hash: 6fe8ee57a286e067da43c9dc7ea69928666c4e3e73b081c201f5d4848503ce77
Instruction Fuzzy Hash: D73191B0A0478A8FDB48CF68D8495AE3BA1FB48304F014A19FC669B350D7B49A64CF94

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000C334 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.322442190.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180001000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96d3fede260ce1586dc1fd582625f586afe9c81c978c00292da0007e095d2742
Instruction ID: eb1f12b259a80d7095d10e5800bf9173f3d4411df1abdbf8766c7a421c13ce81
Opcode Fuzzy Hash: 96d3fede260ce1586dc1fd582625f586afe9c81c978c00292da0007e095d2742
Instruction Fuzzy Hash: E44193B190038ECFDF58CF64C88A4DE7BB0FB14358F114A19E86996250D3B8D665CF85

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180008BFC Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.322442190.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180001000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11089d9c8f39ef482f174284df1486cce58b3c7e841a064580ad6b12562224be
Instruction ID: a53ab7596d7507cf15f746e5dd34be472238625d89698240ee45d56577c16704
Opcode Fuzzy Hash: 11089d9c8f39ef482f174284df1486cce58b3c7e841a064580ad6b12562224be
Instruction Fuzzy Hash: 80317FB4529381AFD388DF19D49991ABBE1FBC9304F80AA2DF8C58B354D774D849CB42

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180001560 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.322442190.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180001000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: baf1c85fe9a0d420d45db198a1145ddf308eb25d6d5a7262cb662565bf41b19e
Instruction ID: 2e6594124d6e5483a51def63e01f6be68389ec9893121a8a6db93d92a6c9905a
Opcode Fuzzy Hash: baf1c85fe9a0d420d45db198a1145ddf308eb25d6d5a7262cb662565bf41b19e
Instruction Fuzzy Hash: 5831E5B090074E8BDF48CF64C88A4DEBBB0FB58348F10461DE856AA290D7B89695CFD5

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000FA60 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.322442190.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180001000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48447c03218eaf706d52c73b9e6161ada3d45fe92dc331461933a2bd30f9ea1a
Instruction ID: 89f1aea0d261bddd19d6636035a1dfb963cce48ce123460c8f61b047169de7cb
Opcode Fuzzy Hash: 48447c03218eaf706d52c73b9e6161ada3d45fe92dc331461933a2bd30f9ea1a
Instruction Fuzzy Hash: 3131C570518B848FE378CF34C48679ABBE0FB84349F604A1DE5DE862A1DB799549CF42

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180013B6C Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.322442190.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180001000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7d0bc83decb1ad418ed8f3027fb4d453251688ca1c5686f90f413c9ceb8d8e6
Instruction ID: a9fd8a6fc0bcf7d1748c08eee0a174f1113188a994dbe64f65169028299053e1
Opcode Fuzzy Hash: e7d0bc83decb1ad418ed8f3027fb4d453251688ca1c5686f90f413c9ceb8d8e6
Instruction Fuzzy Hash: 9931E3B080474ADBDB48CF68C88A5CE7FB0FF58398F104619E899A6250D7B89695CFC5

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000AFD4 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.322442190.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180001000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b3ad11e56ad310483d7aec8c24f335e55cf22817372f631bc13dae88bc4ae88
Instruction ID: 261a21c01f508a448a75cede292c600a41cfd91173ca9120789765c36b2fd6e0
Opcode Fuzzy Hash: 6b3ad11e56ad310483d7aec8c24f335e55cf22817372f631bc13dae88bc4ae88
Instruction Fuzzy Hash: 7D317BB05087848BD748DF28D15A41EBBE1BB8D308F404B2DF4CAAB290D778D604CB4B

Uniqueness

Uniqueness Score: -1.00%

Function 000000018001A764 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.322442190.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180001000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ded468ddb96ed6cf85f2a74971ab597a0818c752bb42b8cabf8dbd32b2f8b18e
Instruction ID: 463c539b1b6c2e62265add9d8f0240bca0ce0cba84eaf8db37319ed3ee0766ec
Opcode Fuzzy Hash: ded468ddb96ed6cf85f2a74971ab597a0818c752bb42b8cabf8dbd32b2f8b18e
Instruction Fuzzy Hash: 8F214CB45087848BD348EF28D45951ABBE1BB9C318F404B2DF4CAA7261D7B8DA45CF4B

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF88C316274 Relevance: 107.7, APIs: 86, Instructions: 180COMMONLIBRARYCODE

Download Yara Rule

APIs

free.LIBCMT ref: 00007FF88C316289

Part of subcall function 00007FF88C30640C: RtlReleasePrivilege.NTDLL(?,?,00000000,00007FF88C307F44,?,?,?,00007FF88C3076A1,?,?,?,?,00007FF88C305382), ref: 00007FF88C306422
Part of subcall function 00007FF88C30640C: _errno.LIBCMT ref: 00007FF88C30642C
Part of subcall function 00007FF88C30640C: GetLastError.KERNEL32(?,?,00000000,00007FF88C307F44,?,?,?,00007FF88C3076A1,?,?,?,?,00007FF88C305382), ref: 00007FF88C306434

free.LIBCMT ref: 00007FF88C316292
free.LIBCMT ref: 00007FF88C31629B
free.LIBCMT ref: 00007FF88C3162A4
free.LIBCMT ref: 00007FF88C3162AD
free.LIBCMT ref: 00007FF88C3162B6
free.LIBCMT ref: 00007FF88C3162BE
free.LIBCMT ref: 00007FF88C3162C7
free.LIBCMT ref: 00007FF88C3162D0
free.LIBCMT ref: 00007FF88C3162D9
free.LIBCMT ref: 00007FF88C3162E2
free.LIBCMT ref: 00007FF88C3162EB
free.LIBCMT ref: 00007FF88C3162F4
free.LIBCMT ref: 00007FF88C3162FD
free.LIBCMT ref: 00007FF88C316306
free.LIBCMT ref: 00007FF88C31630F
free.LIBCMT ref: 00007FF88C31631B
free.LIBCMT ref: 00007FF88C316327
free.LIBCMT ref: 00007FF88C316333
free.LIBCMT ref: 00007FF88C31633F
free.LIBCMT ref: 00007FF88C31634B
free.LIBCMT ref: 00007FF88C316357
free.LIBCMT ref: 00007FF88C316363
free.LIBCMT ref: 00007FF88C31636F
free.LIBCMT ref: 00007FF88C31637B
free.LIBCMT ref: 00007FF88C316387
free.LIBCMT ref: 00007FF88C316393
free.LIBCMT ref: 00007FF88C31639F
free.LIBCMT ref: 00007FF88C3163AB
free.LIBCMT ref: 00007FF88C3163B7
free.LIBCMT ref: 00007FF88C3163C3
free.LIBCMT ref: 00007FF88C3163CF
free.LIBCMT ref: 00007FF88C3163DB
free.LIBCMT ref: 00007FF88C3163E7
free.LIBCMT ref: 00007FF88C3163F3
free.LIBCMT ref: 00007FF88C3163FF
free.LIBCMT ref: 00007FF88C31640B
free.LIBCMT ref: 00007FF88C316417
free.LIBCMT ref: 00007FF88C316423
free.LIBCMT ref: 00007FF88C31642F
free.LIBCMT ref: 00007FF88C31643B
free.LIBCMT ref: 00007FF88C316447
free.LIBCMT ref: 00007FF88C316453
free.LIBCMT ref: 00007FF88C31645F
free.LIBCMT ref: 00007FF88C31646B
free.LIBCMT ref: 00007FF88C316477
free.LIBCMT ref: 00007FF88C316483
free.LIBCMT ref: 00007FF88C31648F
free.LIBCMT ref: 00007FF88C31649B
free.LIBCMT ref: 00007FF88C3164A7
free.LIBCMT ref: 00007FF88C3164B3
free.LIBCMT ref: 00007FF88C3164BF
free.LIBCMT ref: 00007FF88C3164CB
free.LIBCMT ref: 00007FF88C3164D7
free.LIBCMT ref: 00007FF88C3164E3
free.LIBCMT ref: 00007FF88C3164EF
free.LIBCMT ref: 00007FF88C3164FB
free.LIBCMT ref: 00007FF88C316507
free.LIBCMT ref: 00007FF88C316513
free.LIBCMT ref: 00007FF88C31651F
free.LIBCMT ref: 00007FF88C31652B
free.LIBCMT ref: 00007FF88C316537
free.LIBCMT ref: 00007FF88C316543
free.LIBCMT ref: 00007FF88C31654F
free.LIBCMT ref: 00007FF88C31655B
free.LIBCMT ref: 00007FF88C316567
free.LIBCMT ref: 00007FF88C316573
free.LIBCMT ref: 00007FF88C31657F
free.LIBCMT ref: 00007FF88C31658B
free.LIBCMT ref: 00007FF88C316597
free.LIBCMT ref: 00007FF88C3165A3
free.LIBCMT ref: 00007FF88C3165AF
free.LIBCMT ref: 00007FF88C3165BB
free.LIBCMT ref: 00007FF88C3165C7
free.LIBCMT ref: 00007FF88C3165D3
free.LIBCMT ref: 00007FF88C3165DF
free.LIBCMT ref: 00007FF88C3165EB
free.LIBCMT ref: 00007FF88C3165F7
free.LIBCMT ref: 00007FF88C316603
free.LIBCMT ref: 00007FF88C31660F
free.LIBCMT ref: 00007FF88C31661B
free.LIBCMT ref: 00007FF88C316627
free.LIBCMT ref: 00007FF88C316633
free.LIBCMT ref: 00007FF88C31663F
free.LIBCMT ref: 00007FF88C31664B
free.LIBCMT ref: 00007FF88C316657

Memory Dump Source

Source File: 00000000.00000002.323590886.00007FF88C301000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF88C300000, based on PE: true

Associated: 00000000.00000002.323573707.00007FF88C300000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323655700.00007FF88C322000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323798879.00007FF88C367000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323812343.00007FF88C36A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323824687.00007FF88C36C000.00000010.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323839114.00007FF88C36D000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff88c300000_loaddll64.jbxd

Similarity

API ID: free$ErrorLastPrivilegeRelease_errno
String ID:
API String ID: 1805546551-0
Opcode ID: d6e8cc12211084a7c38c37855535bf0a3e62d60420018dd71de056c538f756e4
Instruction ID: 6a292a74fb0f1618432a243efb6cccb5877972a6d47a2000de47ef5393ce6761
Opcode Fuzzy Hash: d6e8cc12211084a7c38c37855535bf0a3e62d60420018dd71de056c538f756e4
Instruction Fuzzy Hash: FFA15322619956C5FA41EAB1C8D56FC2331BFC6B84F044232EE4D4A5AFCE36DA47C354

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF88C30C7D0 Relevance: 79.2, APIs: 42, Strings: 3, Instructions: 437
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 65%

			E00007FF87FF88C30C7D0(void* __edx, long long __rbx, void* __rcx, long long __rdi, long long __rsi, long long __r8, void* __r10, void* __r11) {
				char _t48;
				void* _t62;
				void* _t64;
				void* _t71;
				void* _t85;
				char* _t87;
				char* _t90;
				intOrPtr* _t94;
				long long _t95;
				intOrPtr* _t105;
				void* _t121;
				intOrPtr _t124;
				void* _t126;
				void* _t127;
				void* _t129;

				_t123 = __rsi;
				_t64 = __edx;
				_t85 = _t129;
				 *((long long*)(_t85 + 8)) = __rbx;
				 *((long long*)(_t85 + 0x10)) = __rsi;
				 *((long long*)(_t85 + 0x20)) = __rdi;
				 *((long long*)(_t85 + 0x18)) = __r8;
				_t5 = _t85 - 0x5f; // -230
				_t127 = _t5;
				_t90 =  *0x8c369a70; // 0x0
				r8d = 0;
				_t121 = __rcx;
				_t48 =  *_t90;
				 *(_t127 - 0x61) =  *(_t127 - 0x61) & 0xffff0000;
				 *(_t127 - 0x71) =  *(_t127 - 0x71) & 0xffff0000;
				 *((long long*)(_t127 - 0x69)) = __r8;
				 *((long long*)(_t127 - 0x79)) = __r8;
				 *0x8c369a70 = _t90 + 1;
				_t71 = _t48 - 0x41;
				if (_t71 > 0) goto 0x8c30c9df;
				if (_t71 == 0) goto 0x8c30cecf;
				if (_t48 == 0) goto 0x8c30c9c6;
				if (_t48 - 0x2f <= 0) goto 0x8c30cafe;
				if (_t48 - 0x31 <= 0) goto 0x8c30c8a3;
				if (_t48 - 0x39 > 0) goto 0x8c30cafe;
				_t17 = _t127 - 0x69; // -335
				E00007FF87FF88C30AD7C(_t17,  *((intOrPtr*)(0x7ff88c300000 + 0x23900 +  *(_t90 + 1 - 1) * 8)));
				if ( *((long long*)(_t127 - 0x69)) == 0) goto 0x8c30c9a2;
				_t19 = _t127 - 0x39; // -287
				E00007FF87FF88C30A9E0(_t19, "operator");
				_t20 = _t127 - 0x69; // -335
				_t21 = _t127 - 0x59; // -319
				asm("movups xmm0, [eax]");
				asm("movdqu [ebp-0x59], xmm0");
				E00007FF87FF88C30AC78(_t85, _t21, _t20);
				asm("movaps xmm0, [ebp-0x59]");
				goto 0x8c30c9a6;
				 *(_t127 - 0x71) =  *(_t127 - 0x71) & 0xffff0000;
				 *((long long*)(_t127 - 0x79)) = __r8;
				if (_t64 == 0) goto 0x8c30c93f;
				_t25 = _t127 - 9; // -239
				E00007FF87FF88C30C55C(0x7ff88c300000, _t25, _t20, _t121, __rsi, __r8, __r10, __r11);
				_t26 = _t127 - 0x49; // -303
				E00007FF87FF88C30A9A8(0x3c, _t85, _t26);
				_t27 = _t127 - 0x59; // -319
				asm("movups xmm0, [eax]");
				asm("movdqu [ebp-0x59], xmm0");
				E00007FF87FF88C30AC78(_t85, _t27, _t85);
				_t28 = _t127 - 0x59; // -319
				_t29 = _t127 - 0x79; // -351
				E00007FF87FF88C30AC78(_t85, _t29, _t28);
				_t105 =  *((intOrPtr*)(_t127 - 0x79));
				if (_t105 == 0) goto 0x8c30c908;
				if ( *((intOrPtr*)( *_t105 + 8))() != 0x3e) goto 0x8c30c908;
				_t32 = _t127 - 0x79; // -351
				E00007FF87FF88C30AF5C(0x20, r8d,  *_t105, _t85, _t32, _t123, __r8, _t126);
				_t33 = _t127 - 0x79; // -351
				E00007FF87FF88C30AF5C(0x3e, r8d,  *_t105, _t85, _t33, _t123, __r8);
				_t87 =  *((intOrPtr*)(_t127 + 0x77));
				if (_t87 == 0) goto 0x8c30c91f;
				 *_t87 = 1;
				_t94 =  *0x8c369a70; // 0x0
				if ( *_t94 != sil) goto 0x8c30c931;
				asm("movups xmm0, [ebp-0x79]");
				goto 0x8c30c9a6;
				_t124 =  *((intOrPtr*)(_t127 - 0x79));
				_t95 = _t94 + 1;
				 *0x8c369a70 = _t95;
				_t36 = _t127 + 0x47; // -159
				r8d = 0;
				E00007FF87FF88C30D0E0(0xffff0000, 0, r8d, _t95, _t36, _t121, _t124, __r8, __r10, __r11);
				asm("movups xmm0, [eax]");
				 *0x8c369a70 = _t95;
				asm("movaps [ebp-0x69], xmm0");
				if ( *((long long*)(_t127 - 0x69)) == 0) goto 0x8c30c990;
				if ( *((char*)(_t95 - 1)) != 0x31) goto 0x8c30c990;
				_t39 = _t127 - 0x49; // -303
				E00007FF87FF88C30A9A8(0x7e, _t87, _t39);
				_t40 = _t127 - 0x69; // -335
				_t41 = _t127 - 0x59; // -319
				asm("movups xmm0, [eax]");
				asm("movdqu [ebp-0x59], xmm0");
				E00007FF87FF88C30AC78(_t87, _t41, _t40);
				asm("movaps xmm0, [ebp-0x59]");
				asm("movaps [ebp-0x69], xmm0");
				if (_t124 == 0) goto 0x8c30c9a6;
				_t42 = _t127 - 0x79; // -351
				_t43 = _t127 - 0x69; // -335
				_t62 = E00007FF87FF88C30AC78(_t87, _t43, _t42);
				asm("movaps xmm0, [ebp-0x69]");
				asm("movdqu [edi], xmm0");
				return _t62;
			}

0x7ff88c30c7d0
0x7ff88c30c7d0
0x7ff88c30c7d0
0x7ff88c30c7d3
0x7ff88c30c7d7
0x7ff88c30c7db
0x7ff88c30c7df
0x7ff88c30c7e4
0x7ff88c30c7e4
0x7ff88c30c7ef
0x7ff88c30c7f6
0x7ff88c30c7f9
0x7ff88c30c7fc
0x7ff88c30c807
0x7ff88c30c80a
0x7ff88c30c80d
0x7ff88c30c811
0x7ff88c30c818
0x7ff88c30c81f
0x7ff88c30c822
0x7ff88c30c828
0x7ff88c30c830
0x7ff88c30c839
0x7ff88c30c842
0x7ff88c30c847
0x7ff88c30c861
0x7ff88c30c865
0x7ff88c30c86f
0x7ff88c30c87c
0x7ff88c30c880
0x7ff88c30c885
0x7ff88c30c889
0x7ff88c30c88d
0x7ff88c30c890
0x7ff88c30c895
0x7ff88c30c89a
0x7ff88c30c89e
0x7ff88c30c8a3
0x7ff88c30c8a6
0x7ff88c30c8ac
0x7ff88c30c8b2
0x7ff88c30c8b6
0x7ff88c30c8bb
0x7ff88c30c8c4
0x7ff88c30c8c9
0x7ff88c30c8d0
0x7ff88c30c8d3
0x7ff88c30c8d8
0x7ff88c30c8dd
0x7ff88c30c8e1
0x7ff88c30c8e5
0x7ff88c30c8ea
0x7ff88c30c8f1
0x7ff88c30c8fb
0x7ff88c30c8fd
0x7ff88c30c903
0x7ff88c30c908
0x7ff88c30c90e
0x7ff88c30c913
0x7ff88c30c91a
0x7ff88c30c91c
0x7ff88c30c91f
0x7ff88c30c929
0x7ff88c30c92b
0x7ff88c30c92f
0x7ff88c30c931
0x7ff88c30c935
0x7ff88c30c938
0x7ff88c30c93f
0x7ff88c30c943
0x7ff88c30c948
0x7ff88c30c94d
0x7ff88c30c950
0x7ff88c30c957
0x7ff88c30c960
0x7ff88c30c966
0x7ff88c30c968
0x7ff88c30c96e
0x7ff88c30c973
0x7ff88c30c977
0x7ff88c30c97b
0x7ff88c30c97e
0x7ff88c30c983
0x7ff88c30c988
0x7ff88c30c98c
0x7ff88c30c993
0x7ff88c30c995
0x7ff88c30c999
0x7ff88c30c99d
0x7ff88c30c9a2
0x7ff88c30c9a6
0x7ff88c30c9c5

APIs

DName::DName.LIBCMT ref: 00007FF88C30C880

Part of subcall function 00007FF88C30A9E0: DName::doPchar.LIBCMT ref: 00007FF88C30AA19

DName::operator+=.LIBCMT ref: 00007FF88C30C895
DName::operator+=.LIBCMT ref: 00007FF88C30CC39
UnDecorator::getSignedDimension.LIBCMT ref: 00007FF88C30CC42
DName::operator+=.LIBCMT ref: 00007FF88C30CC55
DName::operator+=.LIBCMT ref: 00007FF88C30CC62
UnDecorator::getSignedDimension.LIBCMT ref: 00007FF88C30CC6B
DName::operator+=.LIBCMT ref: 00007FF88C30CC7E
DName::operator+=.LIBCMT ref: 00007FF88C30CC8B
UnDecorator::getSignedDimension.LIBCMT ref: 00007FF88C30CC94
DName::operator+=.LIBCMT ref: 00007FF88C30CCA7
DName::operator+=.LIBCMT ref: 00007FF88C30CCB4
DName::operator+=.LIBCMT ref: 00007FF88C30CCD2
DName::operator+=.LIBCMT ref: 00007FF88C30CCDF
DName::operator+=.LIBCMT ref: 00007FF88C30CCF1
DName::operator+=.LIBCMT ref: 00007FF88C30CD15
DName::operator+=.LIBCMT ref: 00007FF88C30CD2B
DName::operator=.LIBCMT ref: 00007FF88C30CD6C

Part of subcall function 00007FF88C30C7D0: UnDecorator::getZName.LIBCMT ref: 00007FF88C30C948
Part of subcall function 00007FF88C30C7D0: DName::DName.LIBCMT ref: 00007FF88C30C96E
Part of subcall function 00007FF88C30C7D0: DName::operator+=.LIBCMT ref: 00007FF88C30C983
Part of subcall function 00007FF88C30C7D0: DName::operator+=.LIBCMT ref: 00007FF88C30C99D

DName::DName.LIBCMT ref: 00007FF88C30CE28
DName::operator+=.LIBCMT ref: 00007FF88C30CE49
UnDecorator::getSymbolName.LIBCMT ref: 00007FF88C30CE6A
DName::operator+=.LIBCMT ref: 00007FF88C30CE76
DName::operator+=.LIBCMT ref: 00007FF88C30CE86
DName::operator=.LIBCMT ref: 00007FF88C30C865

Part of subcall function 00007FF88C30AD7C: DName::doPchar.LIBCMT ref: 00007FF88C30ADAB

DName::DName.LIBCMT ref: 00007FF88C30C8C4
DName::operator+=.LIBCMT ref: 00007FF88C30C8D8
DName::operator+=.LIBCMT ref: 00007FF88C30C8E5
DName::operator+=.LIBCMT ref: 00007FF88C30C903
DName::operator+=.LIBCMT ref: 00007FF88C30C90E
DName::DName.LIBCMT ref: 00007FF88C30CA5F
DName::DName.LIBCMT ref: 00007FF88C30CAA4
DName::operator=.LIBCMT ref: 00007FF88C30CB59
DNameStatusNode::make.LIBCMT ref: 00007FF88C30CB86
DName::append.LIBCMT ref: 00007FF88C30CB91
DName::operator=.LIBCMT ref: 00007FF88C30CBA0
DName::operator=.LIBCMT ref: 00007FF88C30CBCE
DName::operator+=.LIBCMT ref: 00007FF88C30CC0D
DName::operator=.LIBCMT ref: 00007FF88C30CEE7

Strings

`anonymous namespace', xrefs: 00007FF88C30CB11
operator, xrefs: 00007FF88C30C875
`string', xrefs: 00007FF88C30CACE

Memory Dump Source

Source File: 00000000.00000002.323590886.00007FF88C301000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF88C300000, based on PE: true

Associated: 00000000.00000002.323573707.00007FF88C300000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323655700.00007FF88C322000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323798879.00007FF88C367000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323812343.00007FF88C36A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323824687.00007FF88C36C000.00000010.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323839114.00007FF88C36D000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff88c300000_loaddll64.jbxd

Similarity

API ID: Name::operator+=$Name$Name::Name::operator=$Decorator::get$DimensionSigned$Name::doPchar$Name::appendNode::makeStatusSymbol
String ID: `anonymous namespace'$`string'$operator
API String ID: 3844726095-815891235
Opcode ID: db28f363c5dc400984ced6ef5b73e08a8fb1a742ba817ff342aa26a93fec3060
Instruction ID: e69e3767a89d327c8ca25cc26c001c633b5b0c25c9626f07d26e5bc900d2c87c
Opcode Fuzzy Hash: db28f363c5dc400984ced6ef5b73e08a8fb1a742ba817ff342aa26a93fec3060
Instruction Fuzzy Hash: A7228F63F08A5685FB10DBB4E481AFC6371BF16BC8F549131CA4E56A9EDF28A147C381

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF88C30FC30 Relevance: 72.0, APIs: 18, Strings: 23, Instructions: 269
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 65%

			E00007FF87FF88C30FC30(void* __ebx, void* __ecx, void* __esi, void* __rax, long long __rbx, void* __rcx, long long __rdx, void* __r8, void* __r10, void* __r11, long long _a8, void* _a16, void* _a24) {
				char _v40;
				char _v56;
				signed int _v64;
				char _v72;
				signed int _v80;
				char _v88;
				signed int _v96;
				signed int _v104;
				void* __rdi;
				void* __rsi;
				signed int _t56;
				void* _t57;
				signed int _t58;
				void* _t63;
				signed int _t67;
				signed int _t84;
				signed char _t89;
				void* _t90;
				void* _t96;
				void* _t103;
				void* _t143;
				signed int* _t150;
				signed char* _t152;
				char* _t156;
				signed long long* _t158;
				char* _t162;
				long long* _t205;
				void* _t211;
				void* _t212;

				_t223 = __r11;
				_t222 = __r10;
				_t143 = __rax;
				_t94 = __esi;
				_t90 = __ecx;
				_a8 = __rbx;
				_a16 = __rdx;
				_t211 = __rcx;
				_t150 =  *0x8c369a70; // 0x0
				sil =  *_t150;
				if (sil == 0) goto 0x8c310035;
				_v104 = _v104 & 0x00000000;
				_v96 = _v96 & 0xffff0000;
				_t56 = sil & 0xffffffff;
				 *0x8c369a70 =  &(_t150[0]);
				_a24 = 0;
				_t96 = _t56 - 0x4e;
				if (_t96 > 0) goto 0x8c30fce5;
				if (_t96 == 0) goto 0x8c30ff02;
				if (_t56 - 0x43 < 0) goto 0x8c30fecc;
				if (_t56 - 0x45 <= 0) goto 0x8c30fcdc;
				if (_t56 - 0x47 <= 0) goto 0x8c30fcd3;
				if (_t56 - 0x49 <= 0) goto 0x8c30fcca;
				if (_t56 - 0x4b <= 0) goto 0x8c30fcc1;
				if (_t56 != 0x4d) goto 0x8c30fecc;
				_t152 =  &_v104;
				_t57 = E00007FF87FF88C30AD7C(_t152, "float");
				goto 0x8c30ff1f;
				goto 0x8c30fcb3;
				goto 0x8c30fcb3;
				goto 0x8c30fcb3;
				goto 0x8c30fcb3;
				_t103 = _t57 - 0x4f;
				if (_t103 == 0) goto 0x8c30fef2;
				if (_t103 <= 0) goto 0x8c30fecc;
				if (_t57 - 0x53 <= 0) goto 0x8c30fec5;
				if (_t57 == 0x58) goto 0x8c30feb9;
				if (_t57 != 0x5f) goto 0x8c30fecc;
				_t84 =  *_t152 & 0x000000ff;
				_t58 = _t84;
				 *0x8c369a70 =  &(_t152[1]);
				if (_t84 - 0x4d > 0) goto 0x8c30fddb;
				if (_t58 - 0x4c >= 0) goto 0x8c30fdcf;
				if (_t58 - 0x47 > 0) goto 0x8c30fdae;
				if (_t58 - 0x46 >= 0) goto 0x8c30fda5;
				if (_t58 == 0) goto 0x8c30fd88;
				if (_t58 == 0x24) goto 0x8c30fd64;
				if (_t58 + 0xffffffbc - 1 > 0) goto 0x8c30fe29;
				E00007FF87FF88C30AD7C( &_v104, "__int8");
				goto 0x8c30ff22;
				E00007FF87FF88C30FC30(_t84, _t90, __esi, _t143, __rbx,  &_v72, "__int8", __r8, __r10, __r11);
				_t156 =  &_v88;
				_t146 = _t143;
				E00007FF87FF88C30A9E0(_t156, "__w64 ");
				goto 0x8c310047;
				 *0x8c369a70 = _t156 - 1;
				_t158 =  &_v104;
				_t63 = E00007FF87FF88C30A640(1, _t143, _t158);
				goto 0x8c30ff22;
				goto 0x8c30fd56;
				if (_t63 - 0x48 < 0) goto 0x8c30fe29;
				if (_t63 - 0x49 <= 0) goto 0x8c30fdc6;
				if (_t63 - 0x4b > 0) goto 0x8c30fe29;
				goto 0x8c30fd56;
				goto 0x8c30fd56;
				goto 0x8c30fd56;
				if (_t63 == 0x4e) goto 0x8c30fead;
				if (_t63 == 0x4f) goto 0x8c30fe4d;
				if (_t63 == 0x52) goto 0x8c30fe41;
				if (_t63 == 0x57) goto 0x8c30fe35;
				if (_t63 + 0xffffffa8 - 1 > 0) goto 0x8c30fe29;
				 *0x8c369a70 = _t158 - 1;
				E00007FF87FF88C30D488(1, _t63 + 0xffffffa8 - 1, _t143, _t143,  &_v56, _t211, _t212, __r8, __r10, __r11);
				asm("movups xmm0, [eax]");
				asm("movaps [ebp-0x50], xmm0");
				if (_v104 != 0) goto 0x8c30ff22;
				asm("movdqu [edi], xmm0");
				goto 0x8c310056;
				goto 0x8c30fd56;
				goto 0x8c30fd56;
				goto 0x8c30fd56;
				asm("movups xmm0, [edx]");
				_v104 = _v104 & 0x00000000;
				_v96 = _v96 & 0xffff0000;
				asm("movdqu [ebp-0x40], xmm0");
				if (0xfffffffe != 0xfffffffe) goto 0x8c30ffd5;
				_t218 =  &_v88;
				_v80 = _v80 | 0x00000800;
				E00007FF87FF88C30F88C(_t90, 1, _t94, _t143,  &_v72,  &_v104, _t211, _t212,  &_v88, 0x8c32398d, __r10, __r11);
				if ((_v64 & 0x00000800) != 0) goto 0x8c30fea4;
				_t162 =  &_v72;
				_t67 = E00007FF87FF88C30AFE0(_t90, _t94, _t143, _t146, _t162, "[]", _t212,  &_v88);
				asm("movups xmm0, [ebp-0x30]");
				goto 0x8c30fe20;
				goto 0x8c30fd56;
				goto 0x8c30fcb3;
				goto 0x8c30ff16;
				 *0x8c369a70 = _t162 - 1;
				E00007FF87FF88C30D488(1, _v64 & 0x00000800, _t143, _t146,  &_v40, _t211, _t212,  &_v88, _t222, _t223);
				asm("movups xmm0, [eax]");
				asm("movaps [ebp-0x50], xmm0");
				if (_v104 != 0) goto 0x8c30ff1f;
				goto 0x8c30fe20;
				E00007FF87FF88C30AD7C( &_v104, "long ");
				E00007FF87FF88C30AFE0(_t90, _t94, _t143, _t146,  &_v104, "double", _t212, _t218);
				if ((_t67 & 0x00000003) != 0xffffffff) goto 0x8c30fe52;
				_t89 = _a24;
				if (sil == 0x43) goto 0x8c30ff68;
				if (sil == 0x45) goto 0x8c30ff5f;
				if (sil == 0x47) goto 0x8c30ff5f;
				if (sil == 0x49) goto 0x8c30ff5f;
				if (sil == 0x4b) goto 0x8c30ff5f;
				if (sil != 0x5f) goto 0x8c30ff96;
				if (_t89 == 0x45) goto 0x8c30ff5f;
				if (_t89 == 0x47) goto 0x8c30ff5f;
				if (_t89 == 0x49) goto 0x8c30ff5f;
				if (_t89 == 0x4b) goto 0x8c30ff5f;
				if (_t89 != 0x4d) goto 0x8c30ff96;
				goto 0x8c30ff6f;
				E00007FF87FF88C30A9E0( &_v40, "signed ");
				asm("movups xmm0, [eax]");
				asm("movdqu [ebp-0x30], xmm0");
				E00007FF87FF88C30AC78(_t143,  &_v72,  &_v104);
				asm("movaps xmm5, [ebp-0x30]");
				asm("movdqa [ebp-0x50], xmm5");
				_t147 = _a16;
				if ( *_a16 == 0) goto 0x8c30ffcc;
				E00007FF87FF88C30A9A8(0x20, _t143,  &_v40);
				asm("movups xmm0, [eax]");
				asm("movdqu [ebp-0x30], xmm0");
				E00007FF87FF88C30AC78(_t143,  &_v72, _a16);
				_t205 =  &_v72;
				E00007FF87FF88C30AC78(_t143,  &_v104, _t205);
				asm("movaps xmm0, [ebp-0x50]");
				goto 0x8c30fe20;
				if ( *_t205 != 0) goto 0x8c31001c;
				if ((_t89 & 0x00000001) == 0) goto 0x8c310007;
				E00007FF87FF88C30AD7C( &_v104, "const");
				if ((_t89 & 0x00000002) == 0) goto 0x8c31001c;
				E00007FF87FF88C30AFE0(_t90, _t94, _t143, _t147,  &_v104, " volatile", _t212, _t218);
				goto 0x8c31001c;
				if ((_t89 & 0x00000002) == 0) goto 0x8c31001c;
				E00007FF87FF88C30AD7C( &_v104, "volatile");
				E00007FF87FF88C30F88C(_t90, 0x20, _t94, _t147, _t211,  &_v104, _t211, _t212,  &_v88, 0x8c323950, _t222, _t223);
				goto 0x8c310056;
				E00007FF87FF88C30A490(1, _t143,  &_v40);
				asm("movups xmm0, [eax]");
				asm("movdqu [edi], xmm0");
				return E00007FF87FF88C30AC78(_t143, _t211, _a16);
			}

0x7ff88c30fc30
0x7ff88c30fc30
0x7ff88c30fc30
0x7ff88c30fc30
0x7ff88c30fc30
0x7ff88c30fc30
0x7ff88c30fc35
0x7ff88c30fc44
0x7ff88c30fc47
0x7ff88c30fc4e
0x7ff88c30fc54
0x7ff88c30fc5a
0x7ff88c30fc5f
0x7ff88c30fc69
0x7ff88c30fc70
0x7ff88c30fc77
0x7ff88c30fc7b
0x7ff88c30fc7e
0x7ff88c30fc80
0x7ff88c30fc89
0x7ff88c30fc92
0x7ff88c30fc97
0x7ff88c30fc9c
0x7ff88c30fca1
0x7ff88c30fca6
0x7ff88c30fcb3
0x7ff88c30fcb7
0x7ff88c30fcbc
0x7ff88c30fcc8
0x7ff88c30fcd1
0x7ff88c30fcda
0x7ff88c30fce3
0x7ff88c30fce5
0x7ff88c30fce8
0x7ff88c30fcee
0x7ff88c30fcf7
0x7ff88c30fd00
0x7ff88c30fd09
0x7ff88c30fd0f
0x7ff88c30fd15
0x7ff88c30fd17
0x7ff88c30fd21
0x7ff88c30fd2a
0x7ff88c30fd33
0x7ff88c30fd38
0x7ff88c30fd3c
0x7ff88c30fd41
0x7ff88c30fd49
0x7ff88c30fd5a
0x7ff88c30fd5f
0x7ff88c30fd68
0x7ff88c30fd74
0x7ff88c30fd78
0x7ff88c30fd7b
0x7ff88c30fd83
0x7ff88c30fd90
0x7ff88c30fd97
0x7ff88c30fd9b
0x7ff88c30fda0
0x7ff88c30fdac
0x7ff88c30fdb1
0x7ff88c30fdb6
0x7ff88c30fdbb
0x7ff88c30fdc4
0x7ff88c30fdcd
0x7ff88c30fdd6
0x7ff88c30fdde
0x7ff88c30fde7
0x7ff88c30fdec
0x7ff88c30fdf1
0x7ff88c30fdf9
0x7ff88c30fdfe
0x7ff88c30fe09
0x7ff88c30fe0e
0x7ff88c30fe11
0x7ff88c30fe1a
0x7ff88c30fe20
0x7ff88c30fe24
0x7ff88c30fe30
0x7ff88c30fe3c
0x7ff88c30fe48
0x7ff88c30fe52
0x7ff88c30fe55
0x7ff88c30fe5a
0x7ff88c30fe61
0x7ff88c30fe69
0x7ff88c30fe76
0x7ff88c30fe87
0x7ff88c30fe8a
0x7ff88c30fe92
0x7ff88c30fe9b
0x7ff88c30fe9f
0x7ff88c30fea4
0x7ff88c30fea8
0x7ff88c30feb4
0x7ff88c30fec0
0x7ff88c30feca
0x7ff88c30fecf
0x7ff88c30feda
0x7ff88c30fedf
0x7ff88c30fee2
0x7ff88c30feeb
0x7ff88c30feed
0x7ff88c30fefd
0x7ff88c30ff0d
0x7ff88c30ff19
0x7ff88c30ff1f
0x7ff88c30ff26
0x7ff88c30ff2c
0x7ff88c30ff32
0x7ff88c30ff38
0x7ff88c30ff3e
0x7ff88c30ff44
0x7ff88c30ff49
0x7ff88c30ff4e
0x7ff88c30ff53
0x7ff88c30ff58
0x7ff88c30ff5d
0x7ff88c30ff66
0x7ff88c30ff73
0x7ff88c30ff80
0x7ff88c30ff83
0x7ff88c30ff88
0x7ff88c30ff8d
0x7ff88c30ff91
0x7ff88c30ff96
0x7ff88c30ff9e
0x7ff88c30ffa6
0x7ff88c30ffb2
0x7ff88c30ffb5
0x7ff88c30ffba
0x7ff88c30ffbf
0x7ff88c30ffc7
0x7ff88c30ffcc
0x7ff88c30ffd0
0x7ff88c30ffd9
0x7ff88c30ffde
0x7ff88c30ffeb
0x7ff88c30fff3
0x7ff88c310000
0x7ff88c310005
0x7ff88c31000a
0x7ff88c310017
0x7ff88c31002e
0x7ff88c310033
0x7ff88c31003e
0x7ff88c310047
0x7ff88c31004d
0x7ff88c310068

APIs

DName::operator=.LIBCMT ref: 00007FF88C30FCB7
DName::operator=.LIBCMT ref: 00007FF88C30FD5A
DName::DName.LIBCMT ref: 00007FF88C30FD7B
DName::operator=.LIBCMT ref: 00007FF88C30FD9B
UnDecorator::getECSUDataType.LIBCMT ref: 00007FF88C30FE09
DName::operator+=.LIBCMT ref: 00007FF88C30FE9F
UnDecorator::getECSUDataType.LIBCMT ref: 00007FF88C30FEDA
DName::operator=.LIBCMT ref: 00007FF88C30FEFD
DName::operator+=.LIBCMT ref: 00007FF88C30FF0D
DName::DName.LIBCMT ref: 00007FF88C30FF73
DName::operator+=.LIBCMT ref: 00007FF88C30FF88
DName::DName.LIBCMT ref: 00007FF88C30FFA6
DName::operator+=.LIBCMT ref: 00007FF88C30FFBA
DName::operator+=.LIBCMT ref: 00007FF88C30FFC7
DName::operator=.LIBCMT ref: 00007FF88C30FFEB
DName::operator+=.LIBCMT ref: 00007FF88C310000
DName::operator=.LIBCMT ref: 00007FF88C310017
DName::operator+=.LIBCMT ref: 00007FF88C310051

Strings

<unknown>, xrefs: 00007FF88C30FE41
char, xrefs: 00007FF88C30FCDC
short, xrefs: 00007FF88C30FCD3
unsigned , xrefs: 00007FF88C30FF5F
volatile, xrefs: 00007FF88C30FFF5
wchar_t, xrefs: 00007FF88C30FE35
int, xrefs: 00007FF88C30FCCA
long , xrefs: 00007FF88C30FEF2
__int16, xrefs: 00007FF88C30FDA5
__int64, xrefs: 00007FF88C30FDBD
const, xrefs: 00007FF88C30FFE0
__int8, xrefs: 00007FF88C30FD4F
double, xrefs: 00007FF88C30FF02
signed , xrefs: 00007FF88C30FF68
__w64 , xrefs: 00007FF88C30FD6D
volatile, xrefs: 00007FF88C31000C
__int128, xrefs: 00007FF88C30FDCF
UNKNOWN, xrefs: 00007FF88C30FE29
__int32, xrefs: 00007FF88C30FDC6
float, xrefs: 00007FF88C30FCAC
bool, xrefs: 00007FF88C30FEAD
long, xrefs: 00007FF88C30FCC1
void, xrefs: 00007FF88C30FEB9

Memory Dump Source

Source File: 00000000.00000002.323590886.00007FF88C301000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF88C300000, based on PE: true

Associated: 00000000.00000002.323573707.00007FF88C300000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323655700.00007FF88C322000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323798879.00007FF88C367000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323812343.00007FF88C36A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323824687.00007FF88C36C000.00000010.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323839114.00007FF88C36D000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff88c300000_loaddll64.jbxd

Similarity

API ID: Name::operator+=$Name::operator=$NameName::$DataDecorator::getType
String ID: volatile$<unknown>$UNKNOWN$__int128$__int16$__int32$__int64$__int8$__w64 $bool$char$const$double$float$int$long$long $short$signed $unsigned $void$volatile$wchar_t
API String ID: 849544831-2219450993
Opcode ID: 0be29c5bb97f33417888a65445ecab1c43a24303d5b246c34b3fb3a8426b1cd2
Instruction ID: 3428735cd6f29c54d6c48310d30487eaab14af5000a76146000ebdb036090863
Opcode Fuzzy Hash: 0be29c5bb97f33417888a65445ecab1c43a24303d5b246c34b3fb3a8426b1cd2
Instruction Fuzzy Hash: 30C14D63E08A5788FB6097A4E881AFC2361BF1B3D8F944132DA0D855DEDF6CE586D340

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF88C30C0D4 Relevance: 51.0, APIs: 26, Strings: 3, Instructions: 213
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 60%

			E00007FF87FF88C30C0D4(void* __edx, long long __rbx, signed long long* __rcx, void* __rdx, long long __rdi, long long __rsi, void* __r8, void* __r10, void* __r11) {
				char _t59;
				void* _t73;
				char _t93;
				void* _t96;
				void* _t102;
				char _t113;
				char _t116;
				void* _t122;
				void* _t130;
				void* _t132;
				signed long long _t133;
				signed long long _t134;
				long long _t136;
				char* _t140;
				signed long long* _t147;
				signed long long* _t152;
				signed long long* _t197;
				void* _t201;
				void* _t202;
				void* _t204;
				signed long long _t205;
				void* _t207;

				_t209 = __r11;
				_t208 = __r10;
				_t207 = __r8;
				_t199 = __rsi;
				_t179 = __rdx;
				_t136 = __rbx;
				_t132 = _t204;
				 *((long long*)(_t132 + 0x10)) = __rbx;
				 *((long long*)(_t132 + 0x18)) = __rsi;
				 *((long long*)(_t132 + 0x20)) = __rdi;
				_t202 = _t132 - 0x48;
				_t205 = _t204 - 0x140;
				_t133 =  *0x8c3670a0; // 0xfd5a6ce2fd9f
				_t134 = _t133 ^ _t205;
				 *(_t202 + 0x30) = _t134;
				_t197 = __rcx;
				_t140 =  *0x8c369a70; // 0x0
				_t113 =  *_t140;
				 *0x8c369a70 = _t140 + 1;
				_t93 = _t113;
				if (_t113 - 0x44 > 0) goto 0x8c30c264;
				if (_t93 == 0x44) goto 0x8c30c2af;
				_t116 = _t93;
				if (_t116 == 0) goto 0x8c30c248;
				if (_t116 == 0) goto 0x8c30c23b;
				if (_t116 == 0) goto 0x8c30c1ef;
				_t96 = _t93 - 0x2e;
				if (_t116 != 0) goto 0x8c30c184;
				E00007FF87FF88C30C058(_t134, __rbx, _t205 + 0x20, __rdx, __rsi, __r10, __r11);
				E00007FF87FF88C30C058(_t134, _t136, _t202 - 0x50, _t179, __rsi, __r10, __r11);
				if ( *((char*)(_t205 + 0x28)) - 1 > 0) goto 0x8c30c252;
				if ( *((char*)(_t202 - 0x48)) - 1 > 0) goto 0x8c30c252;
				_t10 = _t136 + 0x64; // 0x33
				r8d = _t10;
				E00007FF87FF88C30A4DC(_t136, _t205 + 0x20, _t202 - 0x3f, __rsi, _t201);
				if (_t134 != 0) goto 0x8c30c198;
				_t197[1] = _t197[1] & 0xffff00ff;
				 *_t197 =  *_t197 & 0x00000000;
				_t197[1] = 2;
				goto 0x8c30c411;
				_t59 =  *((intOrPtr*)(_t202 - 0x3f));
				 *((char*)(_t202 - 0x40)) = _t59;
				if (_t59 != 0x2d) goto 0x8c30c1ae;
				 *((char*)(_t202 - 0x3e)) = 0x2e;
				 *((char*)(_t202 - 0x3f)) =  *((intOrPtr*)(_t202 - 0x3e));
				goto 0x8c30c1b2;
				 *((char*)(_t202 - 0x3f)) = 0x2e;
				E00007FF87FF88C30A9E0(_t205 + 0x50, _t202 - 0x40);
				asm("movups xmm0, [eax]");
				asm("movdqu [esp+0x20], xmm0");
				E00007FF87FF88C30AF5C(0x65, _t113, _t134, _t136, _t205 + 0x20, _t199, _t207);
				asm("movups xmm5, [esp+0x20]");
				asm("movdqu [edi], xmm5");
				_t147 = _t197;
				E00007FF87FF88C30AC78(_t134, _t147, _t202 - 0x50);
				goto 0x8c30c411;
				if ( *_t147 != 0x40) goto 0x8c30c212;
				 *0x8c369a70 =  &(_t147[0]);
				E00007FF87FF88C30A9E0(_t197, "NULL");
				goto 0x8c30c411;
				E00007FF87FF88C30E43C(_t113,  *_t147 - 0x40, _t136, _t202 - 0x70, "NULL", _t197, _t199, _t207, __r10, __r11);
				_t137 = _t134;
				E00007FF87FF88C30A9E0(_t205 + 0x70, 0x8c32393c);
				asm("movups xmm0, [eax]");
				asm("movdqu [edi], xmm0");
				goto 0x8c30c1e2;
				_t152 = _t197;
				E00007FF87FF88C30C058(_t134, _t134, _t152, _t134, _t199, __r10, __r11);
				goto 0x8c30c411;
				 *0x8c369a70 = _t152 - 1;
				E00007FF87FF88C30A490(1, _t134, _t197);
				goto 0x8c30c411;
				_t122 = _t96 - 0x45;
				if (_t122 == 0) goto 0x8c30c409;
				if (_t122 <= 0) goto 0x8c30c184;
				if (_t96 - 0x4a <= 0) goto 0x8c30c349;
				if (_t96 == 0x51) goto 0x8c30c2af;
				if (_t96 != 0x52) goto 0x8c30c184;
				r8d = 0;
				E00007FF87FF88C30D0E0(_t102, 0, _t113, _t134, _t202 - 0x50, _t197, _t199, _t207, _t208, _t209);
				E00007FF87FF88C30C058(_t134, _t134, _t205 + 0x20, _t134, _t199, _t208, _t209);
				asm("movups xmm5, [ebp-0x50]");
				asm("movdqu [edi], xmm5");
				goto 0x8c30c411;
				E00007FF87FF88C30C058(_t134, _t137, _t205 + 0x20, _t134, _t199, _t208, _t209);
				if (( *0x8c369a8c & 0x00004000) == 0) goto 0x8c30c2f7;
				r8d = 0x10;
				_t73 = E00007FF87FF88C3150DC(E00007FF87FF88C30A4DC(_t137, _t205 + 0x20, _t202 - 0x50, _t199), _t202 - 0x50);
				 *0x8c369a90();
				if (_t134 == 0) goto 0x8c30c2f7;
				goto 0x8c30c205;
				if (sil != 0x44) goto 0x8c30c340;
				E00007FF87FF88C30A9E0(_t205 + 0x30, "`template-parameter");
				asm("movups xmm0, [eax]");
				asm("movdqu [ebp-0x50], xmm0");
				E00007FF87FF88C30AC78(_t134, _t202 - 0x50, _t205 + 0x20);
				asm("movups xmm5, [ebp-0x50]");
				asm("movdqu [edi], xmm5");
				E00007FF87FF88C30AFE0(_t73, _t113, _t134, _t137, _t197, "\'", _t199, _t207);
				goto 0x8c30c411;
				goto 0x8c30c309;
				E00007FF87FF88C30A9A8(0x7b, _t134, _t205 + 0x20);
				if (sil - 0x48 < 0) goto 0x8c30c384;
				_t130 = sil - 0x4a;
				if (_t130 > 0) goto 0x8c30c384;
				E00007FF87FF88C30E43C(_t113, _t130, _t137, _t205 + 0x40, "`non-type-template-parameter", _t197, _t199, _t207, _t208, _t209);
				E00007FF87FF88C30AC78(_t134, _t205 + 0x20, _t134);
				E00007FF87FF88C30AF5C(0x2c, _t113, _t134, _t137, _t205 + 0x20, _t199, _t207);
				if (_t130 == 0) goto 0x8c30c3bc;
				if (_t130 == 0) goto 0x8c30c399;
				if (_t130 == 0) goto 0x8c30c3de;
				if (_t130 == 0) goto 0x8c30c3bc;
				if (_t130 != 0) goto 0x8c30c3f4;
				E00007FF87FF88C30C058(_t134, _t137, _t205 + 0x60, _t134, _t199, _t208, _t209);
				E00007FF87FF88C30AC78(_t134, _t205 + 0x20, _t134);
				E00007FF87FF88C30AF5C(0x2c, _t113, _t134, _t137, _t205 + 0x20, _t199, _t207);
				E00007FF87FF88C30C058(_t134, _t137, _t202 - 0x80, _t134, _t199, _t208, _t209);
				E00007FF87FF88C30AC78(_t134, _t205 + 0x20, _t134);
				E00007FF87FF88C30AF5C(0x2c, _t113, _t134, _t137, _t205 + 0x20, _t199, _t207);
				E00007FF87FF88C30C058(_t134, _t137, _t202 - 0x60, _t134, _t199, _t208, _t209);
				E00007FF87FF88C30AC78(_t134, _t205 + 0x20, _t134);
				asm("movups xmm0, [esp+0x20]");
				asm("movdqu [edi], xmm0");
				E00007FF87FF88C30AF5C(0x7d, _t113, _t134, _t137, _t197, _t199, _t207);
				goto 0x8c30c411;
				E00007FF87FF88C30E43C(_t113, _t130, _t137, _t197, _t134, _t197, _t199, _t207, _t208, _t209);
				return E00007FF87FF88C304980(_t73,  *(_t202 + 0x30) ^ _t205, _t134, _t207);
			}

0x7ff88c30c0d4
0x7ff88c30c0d4
0x7ff88c30c0d4
0x7ff88c30c0d4
0x7ff88c30c0d4
0x7ff88c30c0d4
0x7ff88c30c0d4
0x7ff88c30c0d7
0x7ff88c30c0db
0x7ff88c30c0df
0x7ff88c30c0e4
0x7ff88c30c0e8
0x7ff88c30c0ef
0x7ff88c30c0f6
0x7ff88c30c0f9
0x7ff88c30c0fd
0x7ff88c30c100
0x7ff88c30c107
0x7ff88c30c10d
0x7ff88c30c114
0x7ff88c30c119
0x7ff88c30c122
0x7ff88c30c128
0x7ff88c30c12a
0x7ff88c30c133
0x7ff88c30c13b
0x7ff88c30c141
0x7ff88c30c143
0x7ff88c30c14a
0x7ff88c30c153
0x7ff88c30c15d
0x7ff88c30c167
0x7ff88c30c16d
0x7ff88c30c16d
0x7ff88c30c17a
0x7ff88c30c182
0x7ff88c30c184
0x7ff88c30c18b
0x7ff88c30c18f
0x7ff88c30c193
0x7ff88c30c198
0x7ff88c30c19b
0x7ff88c30c1a0
0x7ff88c30c1a5
0x7ff88c30c1a9
0x7ff88c30c1ac
0x7ff88c30c1ae
0x7ff88c30c1bb
0x7ff88c30c1c7
0x7ff88c30c1ca
0x7ff88c30c1d0
0x7ff88c30c1d5
0x7ff88c30c1de
0x7ff88c30c1e2
0x7ff88c30c1e5
0x7ff88c30c1ea
0x7ff88c30c1f2
0x7ff88c30c1fe
0x7ff88c30c208
0x7ff88c30c20d
0x7ff88c30c216
0x7ff88c30c227
0x7ff88c30c22a
0x7ff88c30c232
0x7ff88c30c235
0x7ff88c30c239
0x7ff88c30c23b
0x7ff88c30c23e
0x7ff88c30c243
0x7ff88c30c24b
0x7ff88c30c25a
0x7ff88c30c25f
0x7ff88c30c264
0x7ff88c30c267
0x7ff88c30c26d
0x7ff88c30c276
0x7ff88c30c27f
0x7ff88c30c284
0x7ff88c30c28e
0x7ff88c30c293
0x7ff88c30c29d
0x7ff88c30c2a2
0x7ff88c30c2a6
0x7ff88c30c2aa
0x7ff88c30c2b4
0x7ff88c30c2c3
0x7ff88c30c2ce
0x7ff88c30c2dd
0x7ff88c30c2e4
0x7ff88c30c2ed
0x7ff88c30c2f2
0x7ff88c30c300
0x7ff88c30c309
0x7ff88c30c317
0x7ff88c30c31a
0x7ff88c30c31f
0x7ff88c30c324
0x7ff88c30c332
0x7ff88c30c336
0x7ff88c30c33b
0x7ff88c30c347
0x7ff88c30c350
0x7ff88c30c359
0x7ff88c30c35b
0x7ff88c30c35f
0x7ff88c30c366
0x7ff88c30c373
0x7ff88c30c37f
0x7ff88c30c387
0x7ff88c30c38b
0x7ff88c30c38f
0x7ff88c30c393
0x7ff88c30c397
0x7ff88c30c39e
0x7ff88c30c3ab
0x7ff88c30c3b7
0x7ff88c30c3c0
0x7ff88c30c3cd
0x7ff88c30c3d9
0x7ff88c30c3e2
0x7ff88c30c3ef
0x7ff88c30c3f4
0x7ff88c30c3fe
0x7ff88c30c402
0x7ff88c30c407
0x7ff88c30c40c
0x7ff88c30c438

APIs

UnDecorator::getSignedDimension.LIBCMT ref: 00007FF88C30C14A
DName::DName.LIBCMT ref: 00007FF88C30C1BB
DName::operator+=.LIBCMT ref: 00007FF88C30C1D0
DName::DName.LIBCMT ref: 00007FF88C30C309
DName::operator+=.LIBCMT ref: 00007FF88C30C31F
DName::operator+=.LIBCMT ref: 00007FF88C30C336
DName::DName.LIBCMT ref: 00007FF88C30C350
DName::operator+=.LIBCMT ref: 00007FF88C30C373
DName::operator+=.LIBCMT ref: 00007FF88C30C37F
UnDecorator::getSignedDimension.LIBCMT ref: 00007FF88C30C39E
DName::operator+=.LIBCMT ref: 00007FF88C30C3AB
DName::operator+=.LIBCMT ref: 00007FF88C30C3B7
UnDecorator::getSignedDimension.LIBCMT ref: 00007FF88C30C153

Part of subcall function 00007FF88C30C058: DName::DName.LIBCMT ref: 00007FF88C30C0A5
Part of subcall function 00007FF88C30C058: DName::operator+=.LIBCMT ref: 00007FF88C30C0B7

DName::operator+=.LIBCMT ref: 00007FF88C30C1E5
DName::DName.LIBCMT ref: 00007FF88C30C208
DName::DName.LIBCMT ref: 00007FF88C30C22A
UnDecorator::getSignedDimension.LIBCMT ref: 00007FF88C30C23E
UnDecorator::getZName.LIBCMT ref: 00007FF88C30C293
UnDecorator::getSignedDimension.LIBCMT ref: 00007FF88C30C29D
UnDecorator::getSignedDimension.LIBCMT ref: 00007FF88C30C2B4
UnDecorator::getSignedDimension.LIBCMT ref: 00007FF88C30C3C0
DName::operator+=.LIBCMT ref: 00007FF88C30C3CD
DName::operator+=.LIBCMT ref: 00007FF88C30C3D9
UnDecorator::getSignedDimension.LIBCMT ref: 00007FF88C30C3E2
DName::operator+=.LIBCMT ref: 00007FF88C30C3EF
DName::operator+=.LIBCMT ref: 00007FF88C30C402

Strings

NULL, xrefs: 00007FF88C30C1F7
`template-parameter, xrefs: 00007FF88C30C302
`non-type-template-parameter, xrefs: 00007FF88C30C340

Memory Dump Source

Source File: 00000000.00000002.323590886.00007FF88C301000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF88C300000, based on PE: true

Associated: 00000000.00000002.323573707.00007FF88C300000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323655700.00007FF88C322000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323798879.00007FF88C367000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323812343.00007FF88C36A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323824687.00007FF88C36C000.00000010.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323839114.00007FF88C36D000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff88c300000_loaddll64.jbxd

Similarity

API ID: Name::operator+=$Decorator::get$DimensionSigned$Name$Name::
String ID: NULL$`non-type-template-parameter$`template-parameter
API String ID: 2293539798-3328097798
Opcode ID: ed8b0f3eb4fcedb6b4c3dbaf5ab361220a74bc801824360ca2a66b49b12322c4
Instruction ID: 34c82e081bf40323ac887094ea79fc1178fa20a21a7926be291812dd7e767e78
Opcode Fuzzy Hash: ed8b0f3eb4fcedb6b4c3dbaf5ab361220a74bc801824360ca2a66b49b12322c4
Instruction Fuzzy Hash: 3FA19463E1C68685FB20EBA4E885AFD6360BF567C4F804135DA8D0668EDF2CE14BC701

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF88C30E6CC Relevance: 45.7, APIs: 25, Strings: 1, Instructions: 235
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 48%

			E00007FF87FF88C30E6CC(void* __edx, void* __esi, long long __rbx, signed long long* __rcx, long long __rdi, long long __rsi, void* __r8, void* __r10, void* __r11) {
				void* _t53;
				void* _t79;
				void* _t98;
				void* _t106;
				void* _t116;
				char* _t117;
				char* _t118;
				char* _t119;
				intOrPtr _t120;
				char* _t121;
				char* _t122;
				char* _t142;
				intOrPtr* _t153;
				signed long long* _t181;
				void* _t185;
				void* _t186;
				void* _t188;
				void* _t189;
				void* _t191;

				_t193 = __r11;
				_t192 = __r10;
				_t191 = __r8;
				_t183 = __rsi;
				_t98 = __esi;
				_t116 = _t188;
				 *((long long*)(_t116 + 8)) = __rbx;
				 *((long long*)(_t116 + 0x10)) = __rsi;
				 *((long long*)(_t116 + 0x18)) = __rdi;
				_t4 = _t116 - 0xc8; // -319
				_t186 = _t4;
				_t189 = _t188 - 0x1c0;
				 *__rcx =  *__rcx & 0x00000000;
				__rcx[1] = 0;
				__rcx[1] = __rcx[1] & 0xffff00ff;
				sil = 0;
				_t181 = __rcx;
				if (__rcx[1] != sil) goto 0x8c30ea20;
				_t117 =  *0x8c369a70; // 0x0
				if ( *_t117 == 0) goto 0x8c30ea20;
				if ( *_t117 == 0x40) goto 0x8c30ea20;
				if ( *0x8c369a98 == 0) goto 0x8c30e738;
				if ( *0x8c369a99 == 0) goto 0x8c30ea9b;
				if ( *__rcx == 0) goto 0x8c30e7a2;
				_t9 = _t186 + 0xa0; // -159
				E00007FF87FF88C30A9E0(_t9, "::");
				_t10 = _t186 - 0x30; // -367
				asm("movups xmm0, [eax]");
				asm("movdqu [ebp-0x30], xmm0");
				E00007FF87FF88C30AC78(_t117, _t10, _t181);
				asm("movups xmm5, [ebp-0x30]");
				asm("movdqu [edi], xmm5");
				if (sil == 0) goto 0x8c30e7a2;
				_t11 = _t186 + 0xb0; // -143
				E00007FF87FF88C30A9A8(0x5b, _t117, _t11);
				_t12 = _t189 + 0x40; // -63
				asm("movups xmm0, [eax]");
				asm("movdqu [esp+0x40], xmm0");
				E00007FF87FF88C30AC78(_t117, _t12, _t181);
				asm("movups xmm5, [esp+0x40]");
				sil = 0;
				asm("movdqu [edi], xmm5");
				_t118 =  *0x8c369a70; // 0x0
				_t106 =  *_t118 - 0x3f;
				if (_t106 != 0) goto 0x8c30e9ea;
				_t119 = _t118 + 1;
				 *0x8c369a70 = _t119;
				if (_t106 == 0) goto 0x8c30e9b5;
				if (_t106 == 0) goto 0x8c30e95f;
				if (_t106 == 0) goto 0x8c30e899;
				_t84 =  *_t119 - 7;
				if (_t106 == 0) goto 0x8c30e95f;
				if ( *_t119 - 7 == 8) goto 0x8c30e850;
				_t13 = _t186 + 0x40; // -255
				E00007FF87FF88C30B32C(0, _t119, __rbx, _t13, _t181, __rsi, __r10, __r11);
				_t14 = _t186 + 0x80; // -191
				_t125 = _t119;
				_t53 = E00007FF87FF88C30A9A8(0x60, _t119, _t14);
				_t15 = _t186 - 0x10; // -335
				E00007FF87FF88C309EC8(_t53, _t15);
				_t16 = _t186 - 0x10; // -335
				E00007FF87FF88C30AC78(_t119, _t16, _t119);
				_t17 = _t189 + 0x60; // -31
				asm("movaps xmm5, [ebp-0x10]");
				asm("movdqa [esp+0x60], xmm5");
				E00007FF87FF88C30AF5C(0x27, _t98, _t119, _t119, _t17, _t183, _t191, _t185);
				_t18 = _t186 - 0x20; // -351
				asm("movaps xmm5, [esp+0x60]");
				asm("movdqa [ebp-0x20], xmm5");
				E00007FF87FF88C30AC78(_t119, _t18, _t181);
				asm("movaps xmm5, [ebp-0x20]");
				goto 0x8c30ea13;
				 *0x8c369a70 =  *0x8c369a70 + 1;
				_t19 = _t186 + 0x60; // -223
				r8d = 0;
				E00007FF87FF88C30D0E0( *_t119 - 7, 1, _t98, _t119, _t19, _t181, _t183, _t191, __r10, __r11);
				_t20 = _t186 - 0x80; // -447
				asm("movups xmm0, [eax]");
				asm("movdqu [ebp-0x80], xmm0");
				E00007FF87FF88C30AF5C(0x5d, _t98, _t119, _t119, _t20, _t183, _t191);
				asm("movaps xmm5, [ebp-0x80]");
				_t21 = _t186 - 0x40; // -383
				asm("movdqa [ebp-0x40], xmm5");
				E00007FF87FF88C30AC78(_t119, _t21, _t181);
				sil = 1;
				asm("movaps xmm5, [ebp-0x40]");
				goto 0x8c30ea13;
				_t120 =  *0x8c369a70; // 0x0
				_t22 = _t120 + 1; // 0x1
				_t142 = _t22;
				if ( *_t142 != 0x5f) goto 0x8c30e8fc;
				if ( *((char*)(_t120 + 2)) != 0x3f) goto 0x8c30e8fc;
				 *0x8c369a70 = _t142;
				_t24 = _t186 + 0x20; // -287
				r8d = 0;
				E00007FF87FF88C30C7D0(0, _t125, _t24, _t181, _t183, _t191, __r10, __r11);
				_t25 = _t186 - 0x60; // -415
				asm("movups xmm0, [eax]");
				asm("movdqu [ebp-0x60], xmm0");
				E00007FF87FF88C30AC78(_t120, _t25, _t181);
				asm("movups xmm5, [ebp-0x60]");
				asm("movdqu [edi], xmm5");
				_t121 =  *0x8c369a70; // 0x0
				if ( *_t121 != 0x40) goto 0x8c30ea17;
				 *0x8c369a70 =  *0x8c369a70 + 1;
				goto 0x8c30ea17;
				_t26 = _t186 + 0x30; // -271
				E00007FF87FF88C30E43C(_t98,  *_t121 - 0x40, _t125, _t26, _t181, _t181, _t183, _t191, __r10, __r11);
				_t27 = _t186 + 0x50; // -239
				_t126 = _t121;
				E00007FF87FF88C30A9A8(0x60, _t121, _t27);
				_t28 = _t189 + 0x50; // -47
				asm("movups xmm0, [eax]");
				asm("movdqu [esp+0x50], xmm0");
				E00007FF87FF88C30AC78(_t121, _t28, _t121);
				asm("movaps xmm5, [esp+0x50]");
				_t29 = _t189 + 0x70; // -15
				asm("movdqa [esp+0x70], xmm5");
				E00007FF87FF88C30AF5C(0x27, _t98, _t121, _t121, _t29, _t183, _t191);
				_t30 = _t186 - 0x70; // -431
				asm("movaps xmm5, [esp+0x70]");
				asm("movdqa [ebp-0x70], xmm5");
				E00007FF87FF88C30AC78(_t121, _t30, _t181);
				asm("movaps xmm5, [ebp-0x70]");
				goto 0x8c30ea13;
				r8b = 0x40;
				E00007FF87FF88C30AA28(_t121, _t186, 0x8c369a70, _t183);
				_t31 = _t186 + 0x70; // -207
				E00007FF87FF88C30A9E0(_t31, "`anonymous namespace\'");
				_t32 = _t186 - 0x50; // -399
				asm("movups xmm0, [eax]");
				asm("movdqu [ebp-0x50], xmm0");
				E00007FF87FF88C30AC78(_t121, _t32, _t181);
				asm("movups xmm5, [ebp-0x50]");
				asm("movdqu [edi], xmm5");
				_t153 =  *0x8c369a60; // 0x0
				if ( *_t153 == 9) goto 0x8c30ea17;
				E00007FF87FF88C30A67C(_t121, _t121, _t153, _t186, _t191);
				goto 0x8c30ea17;
				 *0x8c369a70 =  *0x8c369a70 - 1;
				_t33 = _t186 + 0x90; // -175
				r8d = 0;
				E00007FF87FF88C30D0E0( *_t119 - 7, 1, _t98, _t126, _t33, _t181, _t183, _t191, _t192, _t193);
				_t34 = _t189 + 0x30; // -79
				asm("movups xmm0, [eax]");
				asm("movdqu [esp+0x30], xmm0");
				E00007FF87FF88C30AC78(_t121, _t34, _t181);
				asm("movups xmm5, [esp+0x30]");
				goto 0x8c30ea13;
				_t35 = _t186 + 0x10; // -303
				r8d = 0;
				E00007FF87FF88C30D0E0( *_t119 - 7, 1, _t98, _t126, _t35, _t181, _t183, _t191, _t192, _t193);
				_t36 = _t189 + 0x20; // -95
				asm("movups xmm0, [eax]");
				asm("movdqu [esp+0x20], xmm0");
				E00007FF87FF88C30AC78(_t121, _t36, _t181);
				asm("movups xmm5, [esp+0x20]");
				asm("movdqu [edi], xmm5");
				goto 0x8c30e703;
				_t122 =  *0x8c369a70; // 0x0
				if ( *_t122 == 0) goto 0x8c30ea42;
				if ( *_t122 == 0x40) goto 0x8c30ea9b;
				_t181[1] = _t181[1] & 0xffff00ff;
				 *_t181 =  *_t181 & 0x00000000;
				_t181[1] = 2;
				goto 0x8c30ea9b;
				if ( *_t181 != 0) goto 0x8c30ea57;
				E00007FF87FF88C30A640(1, _t122, _t181);
				goto 0x8c30ea9b;
				_t41 = _t186 + 0x10; // -303
				E00007FF87FF88C30A490(1, _t122, _t41);
				_t42 = _t189 + 0x20; // -95
				asm("movups xmm0, [eax]");
				asm("movdqu [esp+0x20], xmm0");
				E00007FF87FF88C30AFE0(_t84, _t98, _t122, _t126, _t42, "::", _t183, _t191);
				asm("movaps xmm5, [esp+0x20]");
				_t43 = _t189 + 0x20; // -95
				asm("movdqa [esp+0x20], xmm5");
				_t79 = E00007FF87FF88C30AC78(_t122, _t43, _t181);
				asm("movaps xmm5, [esp+0x20]");
				asm("movdqu [edi], xmm5");
				return _t79;
			}

0x7ff88c30e6cc
0x7ff88c30e6cc
0x7ff88c30e6cc
0x7ff88c30e6cc
0x7ff88c30e6cc
0x7ff88c30e6cc
0x7ff88c30e6cf
0x7ff88c30e6d3
0x7ff88c30e6d7
0x7ff88c30e6dc
0x7ff88c30e6dc
0x7ff88c30e6e3
0x7ff88c30e6ea
0x7ff88c30e6ee
0x7ff88c30e6f2
0x7ff88c30e6f9
0x7ff88c30e6fc
0x7ff88c30e703
0x7ff88c30e709
0x7ff88c30e713
0x7ff88c30e71c
0x7ff88c30e729
0x7ff88c30e732
0x7ff88c30e73c
0x7ff88c30e745
0x7ff88c30e74c
0x7ff88c30e751
0x7ff88c30e758
0x7ff88c30e75b
0x7ff88c30e760
0x7ff88c30e765
0x7ff88c30e769
0x7ff88c30e770
0x7ff88c30e772
0x7ff88c30e77b
0x7ff88c30e780
0x7ff88c30e788
0x7ff88c30e78b
0x7ff88c30e791
0x7ff88c30e796
0x7ff88c30e79b
0x7ff88c30e79e
0x7ff88c30e7a2
0x7ff88c30e7a9
0x7ff88c30e7ac
0x7ff88c30e7b2
0x7ff88c30e7b5
0x7ff88c30e7c2
0x7ff88c30e7ca
0x7ff88c30e7d3
0x7ff88c30e7d9
0x7ff88c30e7dc
0x7ff88c30e7e5
0x7ff88c30e7e7
0x7ff88c30e7ed
0x7ff88c30e7f2
0x7ff88c30e7fb
0x7ff88c30e7fe
0x7ff88c30e803
0x7ff88c30e80a
0x7ff88c30e80f
0x7ff88c30e816
0x7ff88c30e81b
0x7ff88c30e822
0x7ff88c30e826
0x7ff88c30e82c
0x7ff88c30e831
0x7ff88c30e838
0x7ff88c30e83d
0x7ff88c30e842
0x7ff88c30e847
0x7ff88c30e84b
0x7ff88c30e850
0x7ff88c30e857
0x7ff88c30e85b
0x7ff88c30e860
0x7ff88c30e865
0x7ff88c30e86b
0x7ff88c30e86e
0x7ff88c30e873
0x7ff88c30e878
0x7ff88c30e87c
0x7ff88c30e883
0x7ff88c30e888
0x7ff88c30e88d
0x7ff88c30e890
0x7ff88c30e894
0x7ff88c30e899
0x7ff88c30e8a0
0x7ff88c30e8a0
0x7ff88c30e8a7
0x7ff88c30e8ad
0x7ff88c30e8af
0x7ff88c30e8b6
0x7ff88c30e8ba
0x7ff88c30e8bf
0x7ff88c30e8c4
0x7ff88c30e8cb
0x7ff88c30e8ce
0x7ff88c30e8d3
0x7ff88c30e8d8
0x7ff88c30e8dc
0x7ff88c30e8e0
0x7ff88c30e8ea
0x7ff88c30e8f0
0x7ff88c30e8f7
0x7ff88c30e8fc
0x7ff88c30e900
0x7ff88c30e905
0x7ff88c30e90b
0x7ff88c30e90e
0x7ff88c30e913
0x7ff88c30e91b
0x7ff88c30e91e
0x7ff88c30e924
0x7ff88c30e929
0x7ff88c30e92e
0x7ff88c30e935
0x7ff88c30e93b
0x7ff88c30e940
0x7ff88c30e944
0x7ff88c30e94c
0x7ff88c30e951
0x7ff88c30e956
0x7ff88c30e95a
0x7ff88c30e96a
0x7ff88c30e96d
0x7ff88c30e979
0x7ff88c30e97d
0x7ff88c30e982
0x7ff88c30e989
0x7ff88c30e98c
0x7ff88c30e991
0x7ff88c30e996
0x7ff88c30e99a
0x7ff88c30e99e
0x7ff88c30e9a8
0x7ff88c30e9ae
0x7ff88c30e9b3
0x7ff88c30e9b5
0x7ff88c30e9bc
0x7ff88c30e9c3
0x7ff88c30e9c8
0x7ff88c30e9cd
0x7ff88c30e9d5
0x7ff88c30e9d8
0x7ff88c30e9de
0x7ff88c30e9e3
0x7ff88c30e9e8
0x7ff88c30e9ea
0x7ff88c30e9ee
0x7ff88c30e9f3
0x7ff88c30e9f8
0x7ff88c30ea00
0x7ff88c30ea03
0x7ff88c30ea09
0x7ff88c30ea0e
0x7ff88c30ea13
0x7ff88c30ea1b
0x7ff88c30ea20
0x7ff88c30ea2a
0x7ff88c30ea2f
0x7ff88c30ea31
0x7ff88c30ea38
0x7ff88c30ea3c
0x7ff88c30ea40
0x7ff88c30ea4b
0x7ff88c30ea50
0x7ff88c30ea55
0x7ff88c30ea57
0x7ff88c30ea5b
0x7ff88c30ea67
0x7ff88c30ea6c
0x7ff88c30ea6f
0x7ff88c30ea75
0x7ff88c30ea7a
0x7ff88c30ea7f
0x7ff88c30ea87
0x7ff88c30ea8d
0x7ff88c30ea92
0x7ff88c30ea97
0x7ff88c30eab6

APIs

DName::DName.LIBCMT ref: 00007FF88C30E74C
DName::operator+=.LIBCMT ref: 00007FF88C30E760
DName::DName.LIBCMT ref: 00007FF88C30E77B
DName::operator+=.LIBCMT ref: 00007FF88C30E791
DName::DName.LIBCMT ref: 00007FF88C30E7FE
DName::operator+=.LIBCMT ref: 00007FF88C30E816
DName::operator+=.LIBCMT ref: 00007FF88C30E82C
DName::operator+=.LIBCMT ref: 00007FF88C30E842
UnDecorator::getZName.LIBCMT ref: 00007FF88C30E860
DName::operator+=.LIBCMT ref: 00007FF88C30E873
DName::operator+=.LIBCMT ref: 00007FF88C30E888
DName::operator+=.LIBCMT ref: 00007FF88C30E8D3
DName::DName.LIBCMT ref: 00007FF88C30E90E
DName::operator+=.LIBCMT ref: 00007FF88C30E924
DName::operator+=.LIBCMT ref: 00007FF88C30E93B
DName::operator+=.LIBCMT ref: 00007FF88C30E951
DName::DName.LIBCMT ref: 00007FF88C30E97D
DName::operator+=.LIBCMT ref: 00007FF88C30E991

Part of subcall function 00007FF88C30C7D0: DName::operator=.LIBCMT ref: 00007FF88C30C865
Part of subcall function 00007FF88C30C7D0: DName::DName.LIBCMT ref: 00007FF88C30C880
Part of subcall function 00007FF88C30C7D0: DName::operator+=.LIBCMT ref: 00007FF88C30C895

DName::operator=.LIBCMT ref: 00007FF88C30EA50
DName::operator+=.LIBCMT ref: 00007FF88C30EA75
DName::operator+=.LIBCMT ref: 00007FF88C30EA8D

Strings

`anonymous namespace', xrefs: 00007FF88C30E972

Memory Dump Source

Source File: 00000000.00000002.323590886.00007FF88C301000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF88C300000, based on PE: true

Associated: 00000000.00000002.323573707.00007FF88C300000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323655700.00007FF88C322000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323798879.00007FF88C367000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323812343.00007FF88C36A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323824687.00007FF88C36C000.00000010.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323839114.00007FF88C36D000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff88c300000_loaddll64.jbxd

Similarity

API ID: Name::operator+=$Name$Name::$Name::operator=$Decorator::get
String ID: `anonymous namespace'
API String ID: 1781730666-3062148218
Opcode ID: 3b962ae5eba93f022486d85bf94d9a668456d366c323bf6f1aa605f1a91461a7
Instruction ID: 4b692c0f2086a330f36eee2468ed9b782246a8b252ce551f6ef75f8e15b9020f
Opcode Fuzzy Hash: 3b962ae5eba93f022486d85bf94d9a668456d366c323bf6f1aa605f1a91461a7
Instruction Fuzzy Hash: 9EC1B563E08B8684F7119B78D845AFD6360FF5A7C8F849135EB8D16A9ADF2CE146C300

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF88C30B9F8 Relevance: 39.2, APIs: 26, Instructions: 188
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 39%

			E00007FF87FF88C30B9F8(void* __esi, long long __rbx, void* __rcx, intOrPtr* __rdx, void* __rdi, long long __rsi, void* __r8, void* __r10, void* __r11, long long __r12, long long _a8, long long _a16, long long _a24) {
				void* _v24;
				char _v40;
				char _v56;
				char _v72;
				char _v88;
				char _v104;
				signed int _v112;
				char _v120;
				void* _t86;
				intOrPtr* _t121;
				intOrPtr* _t122;
				intOrPtr* _t161;
				void* _t170;
				intOrPtr* _t181;
				long long _t183;

				_t176 = __r8;
				_t168 = __rdi;
				_t153 = __rdx;
				_t124 = __rbx;
				_t104 = __esi;
				_a8 = __rbx;
				_a16 = __rsi;
				_a24 = __r12;
				_t121 =  *0x8c369a70; // 0x0
				r14d = 0;
				_t181 = __rdx;
				_t170 = __rcx;
				if ( *_t121 == r14b) goto 0x8c30bbc3;
				r13d = E00007FF87FF88C309780();
				r13d =  <  ? r14d : r13d;
				if (r13d != 0) goto 0x8c30baa3;
				E00007FF87FF88C30A9A8(0x5b, _t121,  &_v72);
				asm("movups xmm0, [eax]");
				asm("movdqu [ebp-0x60], xmm0");
				if (_v112 - 1 > 0) goto 0x8c30ba86;
				if (_v120 == _t183) goto 0x8c30ba78;
				_t7 = _t183 + 1; // 0x1
				E00007FF87FF88C30A12C(_t7, _t153);
				E00007FF87FF88C30A564(_t121, __rbx,  &_v120, _t121, __r8);
				goto 0x8c30ba86;
				E00007FF87FF88C30A640(1, _t121,  &_v120);
				asm("movaps xmm0, [ebp-0x60]");
				asm("movdqa [ebp-0x50], xmm0");
				E00007FF87FF88C30AF5C(0x5d, __esi, _t121, _t124,  &_v104, _t170, __r8);
				goto 0x8c30bcb2;
				_v112 = _v112 & 0xffff0000;
				_v120 = _t183;
				if (( *(_t181 + 8) & 0x00000800) == 0) goto 0x8c30bb2f;
				E00007FF87FF88C30AFE0(_t7, __esi, _t121, _t124,  &_v120, "[]", _t170, __r8);
				goto 0x8c30bb2f;
				r13d = r13d - 1;
				if (r13d == 0) goto 0x8c30bb35;
				_t122 =  *0x8c369a70; // 0x0
				if ( *_t122 == r14b) goto 0x8c30bb35;
				E00007FF87FF88C30B32C(0, _t122, _t124,  &_v56, __rdi, _t170, __r10, __r11);
				_t125 = _t122;
				E00007FF87FF88C30A9A8(0x5b, _t122,  &_v40);
				asm("movups xmm0, [eax]");
				asm("movdqu [ebp-0x40], xmm0");
				E00007FF87FF88C30AC78(_t122,  &_v88, _t122);
				asm("movaps xmm5, [ebp-0x40]");
				asm("movdqa [ebp-0x30], xmm5");
				E00007FF87FF88C30AF5C(0x5d, _t104, _t122, _t122,  &_v72, _t170, _t176);
				E00007FF87FF88C30AC78(_t122,  &_v120,  &_v72);
				if (_v112 - 1 <= 0) goto 0x8c30bacb;
				if ( *_t181 == _t183) goto 0x8c30bba4;
				if (( *(_t181 + 8) & 0x00000800) == 0) goto 0x8c30bb52;
				asm("inc ecx");
				asm("movdqu [ebp-0x30], xmm0");
				goto 0x8c30bb8e;
				E00007FF87FF88C30A9A8(0x28, _t122,  &_v40);
				asm("movups xmm0, [eax]");
				asm("movdqu [ebp-0x30], xmm0");
				E00007FF87FF88C30AC78(_t122,  &_v72, _t181);
				asm("movaps xmm5, [ebp-0x30]");
				asm("movdqa [ebp-0x30], xmm5");
				E00007FF87FF88C30AF5C(0x29, _t104, _t122, _t122,  &_v72, _t170, _t176);
				asm("movaps xmm5, [ebp-0x30]");
				asm("movdqa [ebp-0x30], xmm5");
				E00007FF87FF88C30AC78(_t122,  &_v72,  &_v120);
				asm("movaps xmm5, [ebp-0x30]");
				asm("movdqa [ebp-0x60], xmm5");
				_t161 =  &_v120;
				E00007FF87FF88C31006C(_t86, _t7, 0x29, _t104, _t122, _t122,  &_v104, _t161, _t168, _t170, _t176, __r10, __r11, _t181);
				asm("bts dword [ebp-0x48], 0xb");
				asm("movups xmm0, [ebp-0x50]");
				asm("movdqu [esi], xmm0");
				goto 0x8c30bcba;
				if ( *_t161 == _t183) goto 0x8c30bc59;
				E00007FF87FF88C30A9A8(0x28, _t122,  &_v40);
				asm("movups xmm0, [eax]");
				asm("movdqu [ebp-0x30], xmm0");
				E00007FF87FF88C30AC78(_t122,  &_v72, _t181);
				asm("movaps xmm5, [ebp-0x30]");
				asm("movdqa [ebp-0x60], xmm5");
				E00007FF87FF88C30AFE0(_t7, _t104, _t122, _t122,  &_v120, ")[", _t170, _t176);
				asm("movaps xmm5, [ebp-0x60]");
				asm("movdqa [ebp-0x50], xmm5");
				if (_v112 - 1 > 0) goto 0x8c30bc3f;
				if (_v120 == _t183) goto 0x8c30bc31;
				E00007FF87FF88C30A12C(1, ")[");
				E00007FF87FF88C30A564(_t122, _t125,  &_v104, _t122, _t176);
				goto 0x8c30bc3f;
				E00007FF87FF88C30A640(1, _t122,  &_v104);
				asm("movaps xmm0, [ebp-0x50]");
				asm("movdqa [ebp-0x40], xmm0");
				E00007FF87FF88C30AF5C(0x5d, _t104, _t122, _t125,  &_v88, _t170, _t176);
				goto 0x8c30bcb2;
				E00007FF87FF88C30A9A8(0x5b, _t122,  &_v88);
				asm("movups xmm0, [eax]");
				asm("movdqu [ebp-0x60], xmm0");
				if (_v112 - 1 > 0) goto 0x8c30bc9a;
				if (_v120 == _t183) goto 0x8c30bc8c;
				E00007FF87FF88C30A12C(1,  &_v88);
				E00007FF87FF88C30A564(_t122, _t125,  &_v120, _t122, _t176);
				goto 0x8c30bc9a;
				E00007FF87FF88C30A640(1, _t122,  &_v120);
				asm("movaps xmm0, [ebp-0x60]");
				asm("movdqa [ebp-0x30], xmm0");
				E00007FF87FF88C30AF5C(0x5d, _t104, _t122, _t125,  &_v72, _t170, _t176);
				return E00007FF87FF88C30FC30(_t86, 1, _t104, _t122, _t125, _t170,  &_v72, _t176, __r10, __r11);
			}

0x7ff88c30b9f8
0x7ff88c30b9f8
0x7ff88c30b9f8
0x7ff88c30b9f8
0x7ff88c30b9f8
0x7ff88c30b9f8
0x7ff88c30b9fd
0x7ff88c30ba02
0x7ff88c30ba16
0x7ff88c30ba1d
0x7ff88c30ba20
0x7ff88c30ba23
0x7ff88c30ba29
0x7ff88c30ba36
0x7ff88c30ba39
0x7ff88c30ba40
0x7ff88c30ba48
0x7ff88c30ba4d
0x7ff88c30ba50
0x7ff88c30ba59
0x7ff88c30ba5f
0x7ff88c30ba61
0x7ff88c30ba65
0x7ff88c30ba71
0x7ff88c30ba76
0x7ff88c30ba81
0x7ff88c30ba86
0x7ff88c30ba90
0x7ff88c30ba95
0x7ff88c30ba9e
0x7ff88c30baa3
0x7ff88c30bab3
0x7ff88c30bab7
0x7ff88c30bac4
0x7ff88c30bac9
0x7ff88c30bace
0x7ff88c30bad3
0x7ff88c30bad5
0x7ff88c30badf
0x7ff88c30bae7
0x7ff88c30baf2
0x7ff88c30baf5
0x7ff88c30bb01
0x7ff88c30bb04
0x7ff88c30bb09
0x7ff88c30bb0e
0x7ff88c30bb18
0x7ff88c30bb1d
0x7ff88c30bb2a
0x7ff88c30bb33
0x7ff88c30bb39
0x7ff88c30bb44
0x7ff88c30bb46
0x7ff88c30bb4b
0x7ff88c30bb50
0x7ff88c30bb58
0x7ff88c30bb64
0x7ff88c30bb67
0x7ff88c30bb6c
0x7ff88c30bb71
0x7ff88c30bb7b
0x7ff88c30bb80
0x7ff88c30bb85
0x7ff88c30bb89
0x7ff88c30bb96
0x7ff88c30bb9b
0x7ff88c30bb9f
0x7ff88c30bba4
0x7ff88c30bbac
0x7ff88c30bbb1
0x7ff88c30bbb6
0x7ff88c30bbba
0x7ff88c30bbbe
0x7ff88c30bbca
0x7ff88c30bbd2
0x7ff88c30bbde
0x7ff88c30bbe1
0x7ff88c30bbe6
0x7ff88c30bbeb
0x7ff88c30bbfa
0x7ff88c30bbff
0x7ff88c30bc08
0x7ff88c30bc0c
0x7ff88c30bc11
0x7ff88c30bc17
0x7ff88c30bc1e
0x7ff88c30bc2a
0x7ff88c30bc2f
0x7ff88c30bc3a
0x7ff88c30bc3f
0x7ff88c30bc49
0x7ff88c30bc4e
0x7ff88c30bc57
0x7ff88c30bc5b
0x7ff88c30bc60
0x7ff88c30bc63
0x7ff88c30bc6c
0x7ff88c30bc72
0x7ff88c30bc79
0x7ff88c30bc85
0x7ff88c30bc8a
0x7ff88c30bc95
0x7ff88c30bc9a
0x7ff88c30bca4
0x7ff88c30bca9
0x7ff88c30bcd9

APIs

DNameStatusNode::make.LIBCMT ref: 00007FF88C30BA65
DName::append.LIBCMT ref: 00007FF88C30BA71
DName::operator=.LIBCMT ref: 00007FF88C30BA81
DName::operator+=.LIBCMT ref: 00007FF88C30BA95
DName::DName.LIBCMT ref: 00007FF88C30BAF5
DName::operator+=.LIBCMT ref: 00007FF88C30BB09
DName::operator+=.LIBCMT ref: 00007FF88C30BB1D
DName::operator+=.LIBCMT ref: 00007FF88C30BB2A
DName::DName.LIBCMT ref: 00007FF88C30BB58
DName::operator+=.LIBCMT ref: 00007FF88C30BB6C
DName::operator+=.LIBCMT ref: 00007FF88C30BB80
DName::operator=.LIBCMT ref: 00007FF88C30BC3A
DName::DName.LIBCMT ref: 00007FF88C30BA48

Part of subcall function 00007FF88C30A9A8: DName::doPchar.LIBCMT ref: 00007FF88C30A9D2

DName::operator+=.LIBCMT ref: 00007FF88C30BAC4
DName::operator+=.LIBCMT ref: 00007FF88C30BB96
DName::DName.LIBCMT ref: 00007FF88C30BBD2
DName::operator+=.LIBCMT ref: 00007FF88C30BBE6
DName::operator+=.LIBCMT ref: 00007FF88C30BBFF
DNameStatusNode::make.LIBCMT ref: 00007FF88C30BC1E
DName::append.LIBCMT ref: 00007FF88C30BC2A
DName::operator+=.LIBCMT ref: 00007FF88C30BC4E
DName::DName.LIBCMT ref: 00007FF88C30BC5B
DNameStatusNode::make.LIBCMT ref: 00007FF88C30BC79
DName::append.LIBCMT ref: 00007FF88C30BC85
DName::operator=.LIBCMT ref: 00007FF88C30BC95

Part of subcall function 00007FF88C30A640: DNameStatusNode::make.LIBCMT ref: 00007FF88C30A65C

DName::operator+=.LIBCMT ref: 00007FF88C30BCA9

Memory Dump Source

Source File: 00000000.00000002.323590886.00007FF88C301000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF88C300000, based on PE: true

Associated: 00000000.00000002.323573707.00007FF88C300000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323655700.00007FF88C322000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323798879.00007FF88C367000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323812343.00007FF88C36A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323824687.00007FF88C36C000.00000010.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323839114.00007FF88C36D000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff88c300000_loaddll64.jbxd

Similarity

API ID: Name::operator+=$Name$Name::$Node::makeStatus$Name::appendName::operator=$Name::doPchar
String ID:
API String ID: 4027959325-0
Opcode ID: 713901862d3d8992a6796a57517459ac42e57481271e151f600c96f1cf72c620
Instruction ID: f4e79221461273765cf51532b84241f208243cdd898f44f1765fe4063d30d1c7
Opcode Fuzzy Hash: 713901862d3d8992a6796a57517459ac42e57481271e151f600c96f1cf72c620
Instruction Fuzzy Hash: B0916F23E08B6698F700DBB4E8859FC6331BB5678CF409135DE4D6668EDF78A586C380

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF88C320130 Relevance: 31.8, APIs: 14, Strings: 4, Instructions: 334
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 80%

			E00007FF87FF88C320130(void* __ebx, void* __ecx, void* __edi, long long __rbx, intOrPtr* __rcx, long long __rdx, long long __r8, signed int* __r9) {
				void* __rdi;
				void* __rsi;
				void* __rbp;
				intOrPtr _t138;
				void* _t152;
				intOrPtr _t154;
				intOrPtr _t156;
				void* _t164;
				void* _t165;
				signed int _t167;
				void* _t212;
				void* _t213;
				signed long long _t217;
				long long _t218;
				signed int* _t221;
				signed int _t223;
				intOrPtr _t225;
				signed int* _t226;
				void* _t273;
				intOrPtr* _t274;
				intOrPtr* _t275;
				void* _t277;
				void* _t282;
				void* _t284;
				void* _t285;
				void* _t303;
				intOrPtr* _t306;
				intOrPtr* _t308;
				void* _t311;
				long long _t312;
				void* _t314;
				void* _t319;
				void* _t321;
				signed int* _t322;

				_t163 = __edi;
				_t152 = __ecx;
				_t212 = _t284;
				 *((long long*)(_t212 + 0x20)) = __rbx;
				 *((long long*)(_t212 + 0x18)) = __r8;
				 *((long long*)(_t212 + 0x10)) = __rdx;
				_t282 = _t212 - 0x3f;
				_t285 = _t284 - 0x90;
				_t225 =  *((intOrPtr*)(_t282 + 0x67));
				_t312 = __rdx;
				_t274 = __rcx;
				r14b = 0;
				_t322 = __r9;
				 *((intOrPtr*)(_t282 + 0x47)) = r14b;
				_t164 = E00007FF87FF88C31ECF0(_t225, __r9);
				E00007FF87FF88C31E3C8(__edi, _t212, _t225, __rdx, _t322, _t277, _t282, _t225, _t282 - 0x21, _t321, _t319);
				if (_t164 - E00007FF87FF88C31ED68(_t212, __rdx, _t225) <= 0) goto 0x8c3201c2;
				r9d = _t164;
				E00007FF87FF88C31ED20(_t106, _t282 - 0x21, _t225);
				r9d = _t164;
				_t291 = _t225;
				E00007FF87FF88C31ED2C(_t212, _t225, _t312, _t225, _t311);
				goto 0x8c3201cc;
				_t165 = E00007FF87FF88C31ED68(_t212, _t312, _t225);
				if (_t165 - 0xffffffff < 0) goto 0x8c3201d6;
				if (_t165 -  *((intOrPtr*)(_t225 + 4)) < 0) goto 0x8c3201db;
				E00007FF87FF88C312484(_t212);
				if ( *_t274 != 0xe06d7363) goto 0x8c3205bf;
				if ( *((intOrPtr*)(_t274 + 0x18)) != 4) goto 0x8c320382;
				if ( *((intOrPtr*)(_t274 + 0x20)) == 0x19930520) goto 0x8c320210;
				if ( *((intOrPtr*)(_t274 + 0x20)) == 0x19930521) goto 0x8c320210;
				if ( *((intOrPtr*)(_t274 + 0x20)) != 0x19930522) goto 0x8c320382;
				if ( *((long long*)(_t274 + 0x30)) != 0) goto 0x8c320382;
				E00007FF87FF88C307F5C(_t152,  *((long long*)(_t274 + 0x30)), _t212, _t312, _t277, _t225);
				if ( *((long long*)(_t212 + 0xf0)) == 0) goto 0x8c3205a4;
				E00007FF87FF88C307F5C(_t152,  *((long long*)(_t212 + 0xf0)), _t212, _t312, _t277, _t225);
				_t275 =  *((intOrPtr*)(_t212 + 0xf0));
				E00007FF87FF88C307F5C(_t152,  *((long long*)(_t212 + 0xf0)), _t212, _t312, _t277, _t225);
				 *((long long*)(_t282 + 0x57)) =  *((intOrPtr*)(_t212 + 0xf8));
				if (E00007FF87FF88C3208A8(E00007FF87FF88C31E500(_t212,  *((intOrPtr*)(_t275 + 0x38))), _t275) != 0) goto 0x8c320269;
				E00007FF87FF88C312484(_t212);
				if ( *_t275 != 0xe06d7363) goto 0x8c32029e;
				if ( *((intOrPtr*)(_t275 + 0x18)) != 4) goto 0x8c32029e;
				if ( *((intOrPtr*)(_t275 + 0x20)) == 0x19930520) goto 0x8c320292;
				if ( *((intOrPtr*)(_t275 + 0x20)) == 0x19930521) goto 0x8c320292;
				if ( *((intOrPtr*)(_t275 + 0x20)) != 0x19930522) goto 0x8c32029e;
				if ( *((long long*)(_t275 + 0x30)) != 0) goto 0x8c32029e;
				E00007FF87FF88C312484(_t212);
				E00007FF87FF88C307F5C(_t152,  *((long long*)(_t275 + 0x30)), _t212, _t275, _t277, _t225);
				if ( *(_t212 + 0x108) == 0) goto 0x8c320382;
				E00007FF87FF88C307F5C(_t152,  *(_t212 + 0x108), _t212, _t275, _t277, _t225);
				_t306 =  *(_t212 + 0x108);
				E00007FF87FF88C307F5C(_t152,  *(_t212 + 0x108), _t212, _t275, _t277, _t291);
				 *(_t212 + 0x108) =  *(_t212 + 0x108) & 0x00000000;
				if (E00007FF87FF88C31F534(_t152, _t212, _t225, _t275, _t306, _t277, _t282) != 0) goto 0x8c32037e;
				r13d = 0;
				if ( *_t306 - r13d <= 0) goto 0x8c32033a;
				E00007FF87FF88C31E4B4(_t212);
				_t213 = _t212 + _t277;
				if ( *((intOrPtr*)( *((intOrPtr*)(_t306 + 4)) + _t213 + 4)) == 0) goto 0x8c320318;
				E00007FF87FF88C31E4B4(_t213);
				_t226 =  *((intOrPtr*)( *((intOrPtr*)(_t306 + 4)) + _t213 + _t277 + 4));
				E00007FF87FF88C31E4B4(_t213 + _t277);
				goto 0x8c32031a;
				if (E00007FF87FF88C304AE4(_t213 + _t277 + _t226, 0x8c368a48) != 0) goto 0x8c320340;
				r13d = r13d + 1;
				if (r13d -  *_t306 < 0) goto 0x8c3202e8;
				E00007FF87FF88C312440(r13d -  *_t306, _t213 + _t277 + _t226, _t213 + _t277 + _t226);
				asm("int3");
				E00007FF87FF88C31F1C0(1, _t275);
				 *((long long*)(_t282 + 0x47)) = "bad exception";
				E00007FF87FF88C304F80(_t282 - 0x11, _t282 + 0x47);
				 *((long long*)(_t282 - 0x11)) = 0x8c362ca8;
				E00007FF87FF88C307D3C(_t152, r13d -  *_t306, _t213 + _t277 + _t226, _t226, _t282 - 0x11, 0x8c365c58, _t275, _t303, _t273, _t277);
				asm("int3");
				if ( *_t275 != 0xe06d7363) goto 0x8c3205bf;
				if ( *((intOrPtr*)(_t275 + 0x18)) != 4) goto 0x8c3205bf;
				if ( *((intOrPtr*)(_t275 + 0x20)) == 0x19930520) goto 0x8c3203b7;
				if ( *((intOrPtr*)(_t275 + 0x20)) == 0x19930521) goto 0x8c3203b7;
				if ( *((intOrPtr*)(_t275 + 0x20)) != 0x19930522) goto 0x8c3205bf;
				if (_t226[3] <= 0) goto 0x8c320504;
				r8d =  *((intOrPtr*)(_t282 + 0x77));
				 *(_t285 + 0x30) = _t322;
				 *(_t285 + 0x28) = _t282 - 0x31;
				_t217 = _t282 - 0x39;
				r9d = 0;
				 *(_t285 + 0x20) = _t217;
				E00007FF87FF88C31E8E0(__ebx, _t217, _t226, _t226, _t277 + 0x14);
				if ( *((intOrPtr*)(_t282 - 0x39)) -  *((intOrPtr*)(_t282 - 0x31)) >= 0) goto 0x8c320504;
				_t54 = _t217 + 0x10; // 0x10
				_t308 = _t54;
				if ( *((intOrPtr*)(_t308 - 0x10)) > 0) goto 0x8c3204ea;
				if (0 -  *((intOrPtr*)(_t308 - 0xc)) > 0) goto 0x8c3204ea;
				E00007FF87FF88C31E4B4(_t217);
				r14d =  *((intOrPtr*)(_t308 - 4));
				_t314 =  *_t308 + _t217;
				if (r14d <= 0) goto 0x8c3204dc;
				E00007FF87FF88C31E4CC(_t217);
				_t218 = _t217 +  *((intOrPtr*)( *((intOrPtr*)(_t275 + 0x30)) + 0xc)) + 4;
				 *((long long*)(_t282 - 0x29)) = _t218;
				E00007FF87FF88C31E4CC(_t218);
				_t154 =  *((intOrPtr*)(_t218 +  *((intOrPtr*)( *((intOrPtr*)(_t275 + 0x30)) + 0xc))));
				 *((intOrPtr*)(_t282 - 0x35)) = _t154;
				if (_t154 <= 0) goto 0x8c320490;
				E00007FF87FF88C31E4CC(_t218);
				 *((long long*)(_t282 - 0x19)) = _t218 +  *((intOrPtr*)( *((intOrPtr*)(_t282 - 0x29))));
				if (E00007FF87FF88C31EE0C(_t154, _t226, _t314, _t218 +  *((intOrPtr*)( *((intOrPtr*)(_t282 - 0x29)))), _t275, _t277 + 0x14,  *((intOrPtr*)(_t275 + 0x30))) != 0) goto 0x8c320499;
				 *((long long*)(_t282 - 0x29)) =  *((long long*)(_t282 - 0x29)) + 4;
				_t138 =  *((intOrPtr*)(_t282 - 0x35)) - 1;
				 *((intOrPtr*)(_t282 - 0x35)) = _t138;
				if (_t138 > 0) goto 0x8c320459;
				r14d = r14d - 1;
				goto 0x8c320423;
				r14b = 1;
				 *((char*)(_t285 + 0x40)) =  *((intOrPtr*)(_t282 + 0x6f));
				_t77 = _t308 - 0x10; // 0x0
				 *(_t285 + 0x38) = _t77;
				_t221 =  *((intOrPtr*)(_t282 - 0x19));
				 *(_t285 + 0x30) = _t221;
				 *(_t285 + 0x28) = _t314 + 0x14;
				 *((intOrPtr*)(_t282 + 0x47)) = r14b;
				 *(_t285 + 0x20) = _t226;
				E00007FF87FF88C31FE34(_t163, _t226, _t275,  *((intOrPtr*)(_t282 + 0x4f)), _t282,  *((intOrPtr*)(_t282 + 0x57)), _t322);
				goto 0x8c3204e4;
				r14b =  *((intOrPtr*)(_t282 + 0x47));
				_t156 =  *((intOrPtr*)(_t282 - 0x39)) + 1;
				 *((intOrPtr*)(_t282 - 0x39)) = _t156;
				if (_t156 -  *((intOrPtr*)(_t282 - 0x31)) < 0) goto 0x8c3203fc;
				if (r14b != 0) goto 0x8c320590;
				if (( *_t226 & 0x1fffffff) - 0x19930521 < 0) goto 0x8c320590;
				_t167 = _t226[8];
				if (_t167 == 0) goto 0x8c320526;
				E00007FF87FF88C31E4B4(_t221);
				goto 0x8c320528;
				if (_t221 + _t167 == 0) goto 0x8c320590;
				if (_t167 == 0) goto 0x8c320542;
				E00007FF87FF88C31E4B4(_t221 + _t167);
				_t223 = _t226[8];
				goto 0x8c320544;
				if (E00007FF87FF88C31F534(_t156, _t223, _t226, _t275, _t221 + _t167 + _t223, _t167, _t282) != 0) goto 0x8c320590;
				E00007FF87FF88C31E3C8(_t163, _t223, _t226,  *((intOrPtr*)(_t282 + 0x4f)), _t322, _t167, _t282, _t226, _t282 + 0x47);
				 *((char*)(_t285 + 0x40)) =  *((intOrPtr*)(_t282 + 0x6f));
				 *(_t285 + 0x38) = _t322;
				 *(_t285 + 0x30) = _t226;
				 *(_t285 + 0x28) =  *(_t285 + 0x28) | 0xffffffff;
				 *(_t285 + 0x20) =  *(_t285 + 0x20) & 0x00000000;
				E00007FF87FF88C31EAE4(E00007FF87FF88C31F534(_t156, _t223, _t226, _t275, _t221 + _t167 + _t223, _t167, _t282),  *((intOrPtr*)(_t282 + 0x4f)), _t275,  *((intOrPtr*)(_t282 + 0x57)), _t223);
				E00007FF87FF88C307F5C( *((intOrPtr*)(_t282 + 0x6f)), E00007FF87FF88C31F534(_t156, _t223, _t226, _t275, _t221 + _t167 + _t223, _t167, _t282), _t223,  *((intOrPtr*)(_t282 + 0x4f)), _t167,  *((intOrPtr*)(_t282 + 0x57)));
				if ( *((long long*)(_t223 + 0x108)) == 0) goto 0x8c3205a4;
				return E00007FF87FF88C312484(_t223);
			}

0x7ff88c320130
0x7ff88c320130
0x7ff88c320130
0x7ff88c320133
0x7ff88c320137
0x7ff88c32013b
0x7ff88c32014a
0x7ff88c32014e
0x7ff88c320155
0x7ff88c320159
0x7ff88c32015c
0x7ff88c32015f
0x7ff88c320168
0x7ff88c32016e
0x7ff88c320184
0x7ff88c320186
0x7ff88c3201a1
0x7ff88c3201a7
0x7ff88c3201aa
0x7ff88c3201af
0x7ff88c3201b2
0x7ff88c3201bb
0x7ff88c3201c0
0x7ff88c3201ca
0x7ff88c3201cf
0x7ff88c3201d4
0x7ff88c3201d6
0x7ff88c3201e1
0x7ff88c3201eb
0x7ff88c3201f8
0x7ff88c320201
0x7ff88c32020a
0x7ff88c320215
0x7ff88c32021b
0x7ff88c320228
0x7ff88c32022e
0x7ff88c320233
0x7ff88c32023a
0x7ff88c32024a
0x7ff88c320262
0x7ff88c320264
0x7ff88c32026f
0x7ff88c320275
0x7ff88c32027e
0x7ff88c320287
0x7ff88c320290
0x7ff88c320297
0x7ff88c320299
0x7ff88c32029e
0x7ff88c3202ab
0x7ff88c3202b1
0x7ff88c3202b6
0x7ff88c3202bd
0x7ff88c3202c5
0x7ff88c3202d7
0x7ff88c3202dd
0x7ff88c3202e4
0x7ff88c3202e8
0x7ff88c3202f2
0x7ff88c3202fa
0x7ff88c3202fc
0x7ff88c320309
0x7ff88c32030e
0x7ff88c320316
0x7ff88c32032b
0x7ff88c32032d
0x7ff88c320338
0x7ff88c32033a
0x7ff88c32033f
0x7ff88c320345
0x7ff88c320359
0x7ff88c32035d
0x7ff88c320374
0x7ff88c320378
0x7ff88c32037d
0x7ff88c320388
0x7ff88c320392
0x7ff88c32039f
0x7ff88c3203a8
0x7ff88c3203b1
0x7ff88c3203bb
0x7ff88c3203c1
0x7ff88c3203c9
0x7ff88c3203ce
0x7ff88c3203d3
0x7ff88c3203d7
0x7ff88c3203e0
0x7ff88c3203e5
0x7ff88c3203f2
0x7ff88c3203f8
0x7ff88c3203f8
0x7ff88c320401
0x7ff88c32040c
0x7ff88c320412
0x7ff88c32041b
0x7ff88c320420
0x7ff88c320426
0x7ff88c32042c
0x7ff88c320439
0x7ff88c32043e
0x7ff88c320442
0x7ff88c32044f
0x7ff88c320452
0x7ff88c320457
0x7ff88c320459
0x7ff88c320472
0x7ff88c32047d
0x7ff88c320482
0x7ff88c320487
0x7ff88c320489
0x7ff88c32048e
0x7ff88c320490
0x7ff88c320497
0x7ff88c3204a0
0x7ff88c3204a3
0x7ff88c3204a7
0x7ff88c3204af
0x7ff88c3204b4
0x7ff88c3204bb
0x7ff88c3204c0
0x7ff88c3204cc
0x7ff88c3204d0
0x7ff88c3204d5
0x7ff88c3204da
0x7ff88c3204dc
0x7ff88c3204ea
0x7ff88c3204f0
0x7ff88c3204f5
0x7ff88c3204fe
0x7ff88c320510
0x7ff88c320512
0x7ff88c320517
0x7ff88c32051c
0x7ff88c320524
0x7ff88c32052b
0x7ff88c32052f
0x7ff88c320531
0x7ff88c320539
0x7ff88c320540
0x7ff88c32054e
0x7ff88c32055d
0x7ff88c320569
0x7ff88c32056d
0x7ff88c320572
0x7ff88c320577
0x7ff88c32057c
0x7ff88c32058b
0x7ff88c320590
0x7ff88c32059d
0x7ff88c3205be

APIs

Part of subcall function 00007FF88C31E3C8: RtlLookupFunctionEntry.KERNEL32 ref: 00007FF88C31E43C

__GetUnwindTryBlock.LIBCMT ref: 00007FF88C320194
__SetUnwindTryBlock.LIBCMT ref: 00007FF88C3201BB

Part of subcall function 00007FF88C307D3C: RaiseException.KERNEL32 ref: 00007FF88C307DB7

__GetUnwindTryBlock.LIBCMT ref: 00007FF88C3201C5
_getptd.LIBCMT ref: 00007FF88C32021B
_getptd.LIBCMT ref: 00007FF88C32022E
_getptd.LIBCMT ref: 00007FF88C32023A
_SetThrowImageBase.LIBCMT ref: 00007FF88C32024E
_getptd.LIBCMT ref: 00007FF88C32029E
_getptd.LIBCMT ref: 00007FF88C3202B1
_getptd.LIBCMT ref: 00007FF88C3202BD
type_info::operator==.LIBCMT ref: 00007FF88C320324
std::exception::exception.LIBCMT ref: 00007FF88C32035D
_getptd.LIBCMT ref: 00007FF88C320590
std::exception::exception.LIBCMT ref: 00007FF88C320609

Strings

bad exception, xrefs: 00007FF88C32034A
csm, xrefs: 00007FF88C320269
csm, xrefs: 00007FF88C3201DB
csm, xrefs: 00007FF88C320382

Memory Dump Source

Source File: 00000000.00000002.323590886.00007FF88C301000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF88C300000, based on PE: true

Associated: 00000000.00000002.323573707.00007FF88C300000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323655700.00007FF88C322000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323798879.00007FF88C367000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323812343.00007FF88C36A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323824687.00007FF88C36C000.00000010.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323839114.00007FF88C36D000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff88c300000_loaddll64.jbxd

Similarity

API ID: _getptd$BlockUnwind$std::exception::exception$BaseEntryExceptionFunctionImageLookupRaiseThrowtype_info::operator==
String ID: bad exception$csm$csm$csm
API String ID: 1639654010-820278400
Opcode ID: f76ac061e4158927cc27cd36f8d008ec2b2907da4b1d6f2bd5993910a0c154e3
Instruction ID: 9023cb9fbdbbb389ee92a0629c951b68743cb0c2d1f30e5cffcd7099ee1a8e78
Opcode Fuzzy Hash: f76ac061e4158927cc27cd36f8d008ec2b2907da4b1d6f2bd5993910a0c154e3
Instruction Fuzzy Hash: 53E19F32A086428AEF249F61E044BBD27A0FF06BC9F144536EE4D57B8ADF38E456C741

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF88C312AF0 Relevance: 26.3, APIs: 13, Strings: 2, Instructions: 68
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 54%

			E00007FF87FF88C312AF0(intOrPtr __rax, long long __rbx, signed int* __rcx, long long __rsi, long long __rbp, void* __r8, long long _a8, long long _a16, long long _a24) {

				_a8 = __rbx;
				_a16 = __rbp;
				_a24 = __rsi;
				__imp__DecodePointer();
				if (__rcx != 0) goto 0x8c312b34;
				E00007FF87FF88C307698(__rax);
				 *((intOrPtr*)(__rax)) = 0x16;
				E00007FF87FF88C309444();
				goto 0x8c312bdf;
				 *__rcx =  *__rcx & 0x00000000;
				if (__rax != 0) goto 0x8c312bbb;
				LoadLibraryW(??);
				if (__rax == 0) goto 0x8c312b1c;
				GetProcAddress(??, ??);
				if (__rax != 0) goto 0x8c312b95;
				E00007FF87FF88C307698(__rax);
				 *((intOrPtr*)(__rax)) = E00007FF87FF88C307650(GetLastError(), __rax, __rax, __r8);
				E00007FF87FF88C309444();
				E00007FF87FF88C307650(GetLastError(), __rax, __rax, __r8);
				goto 0x8c312bdf;
				__imp__EncodePointer();
				E00007FF87FF88C307DD0();
				 *0x8c369b40 = __rax;
				if ( *0x8c369b40 == __rax) goto 0x8c312bbb;
				FreeLibrary(??);
				if ( *((long long*)(__rax))() != 0) goto 0x8c312bdd;
				E00007FF87FF88C307698(__rax);
				 *((intOrPtr*)(__rax)) = 0xc;
				E00007FF87FF88C307698(__rax);
				goto 0x8c312bdf;
				return 0;
			}

0x7ff88c312af0
0x7ff88c312af5
0x7ff88c312afa
0x7ff88c312b0e
0x7ff88c312b1a
0x7ff88c312b1c
0x7ff88c312b26
0x7ff88c312b28
0x7ff88c312b2f
0x7ff88c312b34
0x7ff88c312b3b
0x7ff88c312b44
0x7ff88c312b50
0x7ff88c312b5c
0x7ff88c312b68
0x7ff88c312b6a
0x7ff88c312b7f
0x7ff88c312b81
0x7ff88c312b8e
0x7ff88c312b93
0x7ff88c312b98
0x7ff88c312ba1
0x7ff88c312ba6
0x7ff88c312bb0
0x7ff88c312bb5
0x7ff88c312bc7
0x7ff88c312bc9
0x7ff88c312bce
0x7ff88c312bd4
0x7ff88c312bdb
0x7ff88c312bf3

APIs

DecodePointer.KERNEL32 ref: 00007FF88C312B0E
_errno.LIBCMT ref: 00007FF88C312B1C
_invalid_parameter_noinfo.LIBCMT ref: 00007FF88C312B28
LoadLibraryW.KERNEL32 ref: 00007FF88C312B44
GetProcAddress.KERNEL32 ref: 00007FF88C312B5C
_errno.LIBCMT ref: 00007FF88C312B6A
GetLastError.KERNEL32 ref: 00007FF88C312B72
_invalid_parameter_noinfo.LIBCMT ref: 00007FF88C312B81
GetLastError.KERNEL32 ref: 00007FF88C312B86

Strings

SystemFunction036, xrefs: 00007FF88C312B52
ADVAPI32.DLL, xrefs: 00007FF88C312B3D

Memory Dump Source

Source File: 00000000.00000002.323590886.00007FF88C301000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF88C300000, based on PE: true

Associated: 00000000.00000002.323573707.00007FF88C300000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323655700.00007FF88C322000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323798879.00007FF88C367000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323812343.00007FF88C36A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323824687.00007FF88C36C000.00000010.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323839114.00007FF88C36D000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff88c300000_loaddll64.jbxd

Similarity

API ID: ErrorLast_errno_invalid_parameter_noinfo$AddressDecodeLibraryLoadPointerProc
String ID: ADVAPI32.DLL$SystemFunction036
API String ID: 3960458323-1064046199
Opcode ID: 9b67a1b0469617ba617f044d9da6662ebc23c407a623caaec1165c19b0e4d4bc
Instruction ID: 72ab331b12b8749c1cb2003a730a649ce92a25138ca36ef268444b16d7314dd7
Opcode Fuzzy Hash: 9b67a1b0469617ba617f044d9da6662ebc23c407a623caaec1165c19b0e4d4bc
Instruction Fuzzy Hash: 00211C21A097478AFE50AF65E844E786290BF57BD5F448435EA0E5739EEF3DE542C300

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF88C31FC24 Relevance: 22.9, APIs: 9, Strings: 4, Instructions: 129
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E00007FF87FF88C31FC24(void* __ecx, intOrPtr __edi, long long __rax, long long __rbx, intOrPtr* __rcx, void* __rdx, long long __rdi, long long __rsi, void* __rbp, void* __r8, void* __r9, long long _a8, long long _a16, long long _a24, long long _a32) {
				void* _v24;
				intOrPtr _v52;
				char _v56;
				long long _v64;
				long long _v72;
				long long _v80;
				intOrPtr _v88;
				intOrPtr _t71;
				char _t73;
				long long _t98;
				intOrPtr _t99;
				intOrPtr* _t101;
				intOrPtr* _t102;
				intOrPtr* _t126;
				void* _t130;

				_t98 = __rax;
				_t69 = __ecx;
				_a16 = __rbx;
				_a24 = __rsi;
				_a32 = __rdi;
				_v64 = _t130 - 0x60;
				_t73 = r8d;
				if (__rcx != 0) goto 0x8c31fc57;
				goto 0x8c31fe18;
				_t101 =  *((intOrPtr*)(__rcx));
				if (__rdx == 0) goto 0x8c31fc65;
				if ( *((char*)(__rdx + 0x10)) != 0) goto 0x8c31fc87;
				if ( *_t101 == 0xe0434f4d) goto 0x8c31fdc5;
				if ( *_t101 == 0xe0434352) goto 0x8c31fdc5;
				if ((r8b & 0x00000040) == 0) goto 0x8c31fdc5;
				if ( *_t101 != 0xe06d7363) goto 0x8c31fc50;
				if ( *((intOrPtr*)(_t101 + 0x18)) != 4) goto 0x8c31fc50;
				if ( *((intOrPtr*)(_t101 + 0x20)) == 0x19930520) goto 0x8c31fcb0;
				if ( *((intOrPtr*)(_t101 + 0x20)) == 0x19930521) goto 0x8c31fcb0;
				if ( *((intOrPtr*)(_t101 + 0x20)) != 0x19930522) goto 0x8c31fc50;
				if ( *((long long*)(_t101 + 0x30)) != 0) goto 0x8c31fcd2;
				E00007FF87FF88C307F5C(__ecx,  *((long long*)(_t101 + 0x30)), __rax, __rcx, __rsi, __r8);
				if ( *((long long*)(_t98 + 0xf0)) == 0) goto 0x8c31fc50;
				E00007FF87FF88C307F5C(_t69,  *((long long*)(_t98 + 0xf0)), _t98, __rcx, __rsi, __r8);
				_t102 =  *((intOrPtr*)(_t98 + 0xf0));
				E00007FF87FF88C31E4B4(_t98);
				_v72 = _t98;
				E00007FF87FF88C31E500(_t98,  *((intOrPtr*)(_t102 + 0x38)));
				0x8c31e2e2();
				_a8 = _t98;
				E00007FF87FF88C31E4E4(_t98, _t98);
				_v52 = __edi;
				_v56 = _t73;
				asm("bts esi, 0x1f");
				_v56 = _t73;
				E00007FF87FF88C31E4CC(_t98);
				_t26 =  *((intOrPtr*)( *((intOrPtr*)(_t102 + 0x30)) + 0xc)) + 4; // 0x4
				_t126 = _t98 + _t26;
				_v80 = _t126;
				E00007FF87FF88C31E4CC(_t98);
				_t71 =  *((intOrPtr*)(_t98 +  *((intOrPtr*)( *((intOrPtr*)(_t102 + 0x30)) + 0xc))));
				_v88 = _t71;
				if (_t71 <= 0) goto 0x8c31fdb8;
				E00007FF87FF88C31E4CC(_t98);
				_t99 =  *_t126;
				if (E00007FF87FF88C31EE0C(_t69, _t102,  &_v56, _t98 + _t99, __rdx - _a8, _t126,  *((intOrPtr*)(_t102 + 0x30))) == 0) goto 0x8c31fda7;
				E00007FF87FF88C307F5C(_t69, E00007FF87FF88C31EE0C(_t69, _t102,  &_v56, _t98 + _t99, __rdx - _a8, _t126,  *((intOrPtr*)(_t102 + 0x30))), _t99,  &_v56, _t126,  *((intOrPtr*)(_t102 + 0x30)));
				 *((intOrPtr*)(_t99 + 0x100)) =  *((intOrPtr*)(_t99 + 0x100)) + 1;
				if (__r9 == 0) goto 0x8c31fd96;
				E00007FF87FF88C310450(E00007FF87FF88C31FB74(_t99, _t102, _t102, __r9, _t126,  &_v56, _t98 + _t99));
				_v88 = _t71 - 1;
				_v80 = _t126 + 4;
				goto 0x8c31fd4c;
				E00007FF87FF88C31E4E4(_t99, _t98);
				goto 0x8c31fc50;
				if ( *_t102 != 0xe06d7363) goto 0x8c31fe08;
				if ( *((intOrPtr*)(_t102 + 0x18)) != 4) goto 0x8c31fe08;
				if ( *((intOrPtr*)(_t102 + 0x20)) == 0x19930520) goto 0x8c31fdee;
				if ( *((intOrPtr*)(_t102 + 0x20)) == 0x19930521) goto 0x8c31fdee;
				if ( *((intOrPtr*)(_t102 + 0x20)) != 0x19930522) goto 0x8c31fe08;
				if ( *((long long*)(_t102 + 0x30)) != 0) goto 0x8c31fe08;
				E00007FF87FF88C307F5C(_t69,  *((long long*)(_t102 + 0x30)), _t99, _t98, _t126 + 4,  &_v56);
				if ( *((long long*)(_t99 + 0xf0)) == 0) goto 0x8c31fc50;
				E00007FF87FF88C307F5C(_t69,  *((long long*)(_t99 + 0xf0)), _t99, _t98, _t126 + 4,  &_v56);
				 *((intOrPtr*)(_t99 + 0x100)) =  *((intOrPtr*)(_t99 + 0x100)) + 1;
				return 1;
			}

0x7ff88c31fc24
0x7ff88c31fc24
0x7ff88c31fc24
0x7ff88c31fc29
0x7ff88c31fc2e
0x7ff88c31fc3d
0x7ff88c31fc45
0x7ff88c31fc4e
0x7ff88c31fc52
0x7ff88c31fc57
0x7ff88c31fc5d
0x7ff88c31fc63
0x7ff88c31fc6b
0x7ff88c31fc77
0x7ff88c31fc81
0x7ff88c31fc8d
0x7ff88c31fc93
0x7ff88c31fc9c
0x7ff88c31fca5
0x7ff88c31fcae
0x7ff88c31fcb5
0x7ff88c31fcb7
0x7ff88c31fcc4
0x7ff88c31fcc6
0x7ff88c31fccb
0x7ff88c31fcd2
0x7ff88c31fcda
0x7ff88c31fce3
0x7ff88c31fcf4
0x7ff88c31fcf9
0x7ff88c31fd04
0x7ff88c31fd11
0x7ff88c31fd15
0x7ff88c31fd19
0x7ff88c31fd1d
0x7ff88c31fd21
0x7ff88c31fd2e
0x7ff88c31fd2e
0x7ff88c31fd33
0x7ff88c31fd38
0x7ff88c31fd45
0x7ff88c31fd48
0x7ff88c31fd4e
0x7ff88c31fd50
0x7ff88c31fd58
0x7ff88c31fd71
0x7ff88c31fd73
0x7ff88c31fd78
0x7ff88c31fd81
0x7ff88c31fda2
0x7ff88c31fda9
0x7ff88c31fdb1
0x7ff88c31fdb6
0x7ff88c31fdbb
0x7ff88c31fdc0
0x7ff88c31fdcb
0x7ff88c31fdd1
0x7ff88c31fdda
0x7ff88c31fde3
0x7ff88c31fdec
0x7ff88c31fdf3
0x7ff88c31fdf5
0x7ff88c31fe02
0x7ff88c31fe08
0x7ff88c31fe0d
0x7ff88c31fe32

APIs

_getptd.LIBCMT ref: 00007FF88C31FCB7
_getptd.LIBCMT ref: 00007FF88C31FCC6
_SetThrowImageBase.LIBCMT ref: 00007FF88C31FCE3
RtlPcToFileHeader.KERNEL32 ref: 00007FF88C31FCF4
_SetImageBase.LIBCMT ref: 00007FF88C31FD04
_getptd.LIBCMT ref: 00007FF88C31FD73
_SetImageBase.LIBCMT ref: 00007FF88C31FDBB
_getptd.LIBCMT ref: 00007FF88C31FDF5
_getptd.LIBCMT ref: 00007FF88C31FE08

Strings

csm, xrefs: 00007FF88C31FC87
MOC, xrefs: 00007FF88C31FC65
csm, xrefs: 00007FF88C31FDC5
RCC, xrefs: 00007FF88C31FC71

Memory Dump Source

Source File: 00000000.00000002.323590886.00007FF88C301000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF88C300000, based on PE: true

Associated: 00000000.00000002.323573707.00007FF88C300000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323655700.00007FF88C322000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323798879.00007FF88C367000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323812343.00007FF88C36A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323824687.00007FF88C36C000.00000010.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323839114.00007FF88C36D000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff88c300000_loaddll64.jbxd

Similarity

API ID: _getptd$BaseImage$FileHeaderThrow
String ID: MOC$RCC$csm$csm
API String ID: 3373144978-1441736206
Opcode ID: d869b05e530e87ff415775855786cb5448b1e7eea84fe5cef8c203ffc563e878
Instruction ID: 185fe674281035e25905ab67b4dc2081decbf97fdcd7e85402e230a6185748b6
Opcode Fuzzy Hash: d869b05e530e87ff415775855786cb5448b1e7eea84fe5cef8c203ffc563e878
Instruction Fuzzy Hash: 20513732A086428AEB60AF21D004B7963A0FB9ABC4F144137FE4D8369ECF3DE542C741

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF88C30BD90 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 124
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 56%

			E00007FF87FF88C30BD90(void* __ecx, void* __esi, long long __rbx, long long* __rcx, long long __rdi, long long __rsi, long long _a8, long long _a16) {
				void* _v8;
				char _v24;
				char _v40;
				signed int _v48;
				signed long long _v56;
				signed int _v64;
				signed long long _v72;
				signed int _v88;
				void* _t49;
				void* _t50;
				void* _t58;
				char* _t74;
				char* _t75;
				char* _t76;
				char* _t77;
				char* _t78;
				char* _t79;
				long long* _t97;
				long long* _t109;
				void* _t118;
				void* _t119;

				_t111 = __rsi;
				_t82 = __rbx;
				_t58 = __esi;
				_t50 = __ecx;
				_a8 = __rbx;
				_a16 = __rdi;
				asm("movups xmm0, [edx]");
				_t109 = __rcx;
				asm("movdqu [ecx], xmm0");
				if ( *((char*)(__rcx + 8)) - 1 > 0) goto 0x8c30bf6c;
				_t74 =  *0x8c369a70; // 0x0
				if ( *_t74 == 0) goto 0x8c30bf3c;
				_v72 = _v72 & 0x00000000;
				_v56 = _v56 & 0x00000000;
				_v88 = _v88 & 0x00000000;
				_v64 = _v64 & 0xffff0000;
				_v48 = _v48 & 0xffff0000;
				E00007FF87FF88C30EFA4(__rbx,  &_v24,  &_v56, __rsi, 0x8c32398d,  &_v72, _t118, _t119);
				asm("movaps xmm5, [ebp-0x10]");
				asm("movdqa [ebp-0x20], xmm5");
				E00007FF87FF88C30AF5C(0x20, _t58, _t74, _t82,  &_v40, _t111, 0x8c32398d);
				asm("movaps xmm5, [ebp-0x20]");
				asm("movdqa [ebp-0x20], xmm5");
				E00007FF87FF88C30AC78(_t74,  &_v40, _t109);
				asm("movaps xmm5, [ebp-0x20]");
				asm("movdqu [edi], xmm5");
				if ( *((char*)(_t109 + 8)) - 1 > 0) goto 0x8c30bf6c;
				_t75 =  *0x8c369a70; // 0x0
				if ( *_t75 == 0x40) goto 0x8c30bf30;
				E00007FF87FF88C30AFE0(_t50, _t58, _t75, _t82, _t109, "{for ", _t111, 0x8c32398d);
				_t76 =  *0x8c369a70; // 0x0
				if ( *((char*)(_t109 + 8)) - 1 > 0) goto 0x8c30bf2b;
				if ( *_t76 == 0) goto 0x8c30bee5;
				if ( *_t76 == 0x40) goto 0x8c30bee5;
				E00007FF87FF88C30E6CC(0x20, _t58, _t82,  &_v24, _t109, _t111, 0x8c32398d, _t118, _t119);
				E00007FF87FF88C30A9A8(0x60, _t76,  &_v72);
				asm("movups xmm0, [eax]");
				asm("movdqu [ebp-0x20], xmm0");
				E00007FF87FF88C30AC78(_t76,  &_v40, _t76);
				asm("movaps xmm5, [ebp-0x20]");
				asm("movdqa [ebp-0x30], xmm5");
				E00007FF87FF88C30AF5C(0x27, _t58, _t76, _t76,  &_v56, _t111, 0x8c32398d);
				E00007FF87FF88C30AC78(_t76, _t109,  &_v56);
				_t77 =  *0x8c369a70; // 0x0
				if ( *_t77 != 0x40) goto 0x8c30bece;
				_t78 = _t77 + 1;
				 *0x8c369a70 = _t78;
				if ( *((char*)(_t109 + 8)) - 1 > 0) goto 0x8c30bf2b;
				if ( *_t78 == 0x40) goto 0x8c30be59;
				goto 0x8c30be4a;
				if ( *((char*)(_t109 + 8)) - 1 > 0) goto 0x8c30bf2b;
				if ( *_t78 != 0) goto 0x8c30bf1a;
				if ( *_t109 == 0) goto 0x8c30bf0d;
				E00007FF87FF88C30A12C(1, "s ");
				E00007FF87FF88C30A564(_t78, _t76, _t109, _t78, 0x8c32398d);
				goto 0x8c30bf1a;
				E00007FF87FF88C30A640(1, _t78, _t109);
				_t97 = _t109;
				E00007FF87FF88C30AF5C(0x7d, _t58, _t78, _t76, _t97, _t111, 0x8c32398d);
				_t79 =  *0x8c369a70; // 0x0
				if ( *_t79 != 0x40) goto 0x8c30bf6c;
				 *0x8c369a70 = _t79 + 1;
				goto 0x8c30bf6c;
				if ( *((char*)(_t97 + 8)) - 1 > 0) goto 0x8c30bf6c;
				E00007FF87FF88C30A490(1, _t79 + 1,  &_v24);
				asm("movups xmm0, [eax]");
				asm("movdqu [ebp-0x20], xmm0");
				_t49 = E00007FF87FF88C30AC78(_t79 + 1,  &_v40, _t109);
				asm("movups xmm5, [ebp-0x20]");
				asm("movdqu [edi], xmm5");
				return _t49;
			}

0x7ff88c30bd90
0x7ff88c30bd90
0x7ff88c30bd90
0x7ff88c30bd90
0x7ff88c30bd90
0x7ff88c30bd95
0x7ff88c30bda2
0x7ff88c30bda5
0x7ff88c30bda8
0x7ff88c30bdb0
0x7ff88c30bdb6
0x7ff88c30bdc0
0x7ff88c30bdc6
0x7ff88c30bdcb
0x7ff88c30bdd0
0x7ff88c30bde5
0x7ff88c30bde8
0x7ff88c30bdf3
0x7ff88c30bdfe
0x7ff88c30be02
0x7ff88c30be07
0x7ff88c30be13
0x7ff88c30be17
0x7ff88c30be1c
0x7ff88c30be21
0x7ff88c30be25
0x7ff88c30be2d
0x7ff88c30be33
0x7ff88c30be3d
0x7ff88c30be4d
0x7ff88c30be52
0x7ff88c30be5d
0x7ff88c30be66
0x7ff88c30be6b
0x7ff88c30be71
0x7ff88c30be7f
0x7ff88c30be8b
0x7ff88c30be8e
0x7ff88c30be93
0x7ff88c30be98
0x7ff88c30bea2
0x7ff88c30bea7
0x7ff88c30beb3
0x7ff88c30beb8
0x7ff88c30bec2
0x7ff88c30bec4
0x7ff88c30bec7
0x7ff88c30bed2
0x7ff88c30bed7
0x7ff88c30bee0
0x7ff88c30bee9
0x7ff88c30beee
0x7ff88c30bef4
0x7ff88c30befb
0x7ff88c30bf06
0x7ff88c30bf0b
0x7ff88c30bf15
0x7ff88c30bf1c
0x7ff88c30bf1f
0x7ff88c30bf24
0x7ff88c30bf2e
0x7ff88c30bf33
0x7ff88c30bf3a
0x7ff88c30bf40
0x7ff88c30bf4b
0x7ff88c30bf57
0x7ff88c30bf5a
0x7ff88c30bf5f
0x7ff88c30bf64
0x7ff88c30bf68
0x7ff88c30bf80

APIs

DName::operator+=.LIBCMT ref: 00007FF88C30BE07

Part of subcall function 00007FF88C30AF5C: DName::doPchar.LIBCMT ref: 00007FF88C30AF9A

DName::operator+=.LIBCMT ref: 00007FF88C30BE1C
DName::operator+=.LIBCMT ref: 00007FF88C30BE4D

Part of subcall function 00007FF88C30AFE0: DName::operator=.LIBCMT ref: 00007FF88C30B00B

DName::DName.LIBCMT ref: 00007FF88C30BE7F

Part of subcall function 00007FF88C30A9A8: DName::doPchar.LIBCMT ref: 00007FF88C30A9D2

DName::operator+=.LIBCMT ref: 00007FF88C30BE93
DName::operator+=.LIBCMT ref: 00007FF88C30BEA7

Part of subcall function 00007FF88C30AF5C: DName::append.LIBCMT ref: 00007FF88C30AFCD

DName::operator+=.LIBCMT ref: 00007FF88C30BEB3

Part of subcall function 00007FF88C30AC78: DName::append.LIBCMT ref: 00007FF88C30ACAA

DNameStatusNode::make.LIBCMT ref: 00007FF88C30BEFB
DName::append.LIBCMT ref: 00007FF88C30BF06
DName::operator=.LIBCMT ref: 00007FF88C30BF15

Part of subcall function 00007FF88C30E6CC: DName::DName.LIBCMT ref: 00007FF88C30E74C
Part of subcall function 00007FF88C30E6CC: DName::operator+=.LIBCMT ref: 00007FF88C30E760
Part of subcall function 00007FF88C30E6CC: DName::DName.LIBCMT ref: 00007FF88C30E77B
Part of subcall function 00007FF88C30E6CC: DName::operator+=.LIBCMT ref: 00007FF88C30E791
Part of subcall function 00007FF88C30E6CC: DName::DName.LIBCMT ref: 00007FF88C30E7FE
Part of subcall function 00007FF88C30E6CC: DName::operator+=.LIBCMT ref: 00007FF88C30E816
Part of subcall function 00007FF88C30E6CC: DName::operator+=.LIBCMT ref: 00007FF88C30E82C
Part of subcall function 00007FF88C30E6CC: DName::operator+=.LIBCMT ref: 00007FF88C30E842
Part of subcall function 00007FF88C30E6CC: UnDecorator::getZName.LIBCMT ref: 00007FF88C30E860

DName::operator+=.LIBCMT ref: 00007FF88C30BF1F
DName::operator+=.LIBCMT ref: 00007FF88C30BF5F

Strings

{for , xrefs: 00007FF88C30BE43

Memory Dump Source

Source File: 00000000.00000002.323590886.00007FF88C301000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF88C300000, based on PE: true

Associated: 00000000.00000002.323573707.00007FF88C300000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323655700.00007FF88C322000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323798879.00007FF88C367000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323812343.00007FF88C36A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323824687.00007FF88C36C000.00000010.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323839114.00007FF88C36D000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff88c300000_loaddll64.jbxd

Similarity

API ID: Name::operator+=$Name$Name::$Name::append$Name::doName::operator=Pchar$Decorator::getNode::makeStatus
String ID: {for
API String ID: 2672197563-864106941
Opcode ID: f991458babf38872d77373f666b8e03bd92a669f9389b465606812813759d9f0
Instruction ID: 414d2845551ecbe7d12a52c91f12f6e43f27934d118ae51d904aee682f5f9df0
Opcode Fuzzy Hash: f991458babf38872d77373f666b8e03bd92a669f9389b465606812813759d9f0
Instruction Fuzzy Hash: 6D51B263E08B9694FB019BA4D845BFC63A0BB5A7C8F449131DF8D1769ACF7CA586C700

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF88C3125F4 Relevance: 21.2, APIs: 14, Instructions: 176
COMMON

Download Yara Rule

C-Code - Quality: 22%

			E00007FF87FF88C3125F4(void* __ecx, long long __rax, long long __rbx, void* __rcx, long long __rdx, long long __rdi, long long __rsi, void* __rbp, long long _a8, long long _a16, long long _a24) {
				void* _v24;
				int _t21;
				void* _t37;
				void* _t62;
				long long _t74;
				intOrPtr* _t81;
				intOrPtr* _t82;
				intOrPtr _t97;
				intOrPtr _t112;
				void* _t113;
				void* _t114;
				long long _t119;
				signed long long _t126;
				long long _t127;

				_t74 = __rax;
				_t26 = __ecx;
				_a8 = __rbx;
				_a16 = __rsi;
				_a24 = __rdi;
				_t119 = __rdx;
				_t37 = __ecx;
				r12d = 0;
				if (__rdx == 4) goto 0x8c31286e;
				if (__rdx == 3) goto 0x8c31286e;
				if (__ecx == 2) goto 0x8c312743;
				if (__ecx == 0x15) goto 0x8c312743;
				if (__ecx == 0x16) goto 0x8c312743;
				if (__ecx == 6) goto 0x8c312743;
				if (__ecx == 0xf) goto 0x8c312743;
				if (__ecx == 8) goto 0x8c312665;
				if (__ecx == 4) goto 0x8c312665;
				if (__ecx != 0xb) goto 0x8c31286e;
				E00007FF87FF88C307ED8(__rax, __rbx, __rcx, __rdx, __rdx, __rbp);
				_t127 = _t74;
				if (_t74 == 0) goto 0x8c31286e;
				if ( *((intOrPtr*)(_t74 + 0xa0)) != 0x8c323330) goto 0x8c3126b5;
				E00007FF87FF88C3078EC(_t26,  *((intOrPtr*)(_t74 + 0xa0)) - 0x8c323330, 0x8c323330,  *0x8c3233f8, __rdi, _t119);
				 *((long long*)(_t127 + 0xa0)) = _t74;
				if (_t74 == 0) goto 0x8c31286e;
				E00007FF87FF88C304B80(_t26, _t74, _t74, 0x8c323330,  *0x8c3233f8);
				_t97 =  *((intOrPtr*)(_t127 + 0xa0));
				_t112 = _t97;
				_t126 =  *0x8c3233fc;
				if ( *((intOrPtr*)(_t112 + 4)) == _t37) goto 0x8c3126df;
				_t113 = _t112 + 0x10;
				if (_t113 - (_t126 << 4) + _t97 < 0) goto 0x8c3126c7;
				if (_t113 - (_t126 << 4) + _t97 >= 0) goto 0x8c3126f3;
				if ( *((intOrPtr*)(_t113 + 4)) == _t37) goto 0x8c3126f5;
				if (_t113 == 0) goto 0x8c31286e;
				if (_t119 == 2) goto 0x8c312869;
				_t114 = _t113 + 4;
				goto 0x8c31273a;
				 *((long long*)(_t114 + 4)) = _t119;
				_t12 = _t114 + 0x10 - 4; // -24
				_t81 = _t12;
				if (_t81 - ( *0x8c3233fc << 4) +  *((intOrPtr*)(_t127 + 0xa0)) >= 0) goto 0x8c312869;
				if ( *((intOrPtr*)(_t114 + 0x10)) == _t37) goto 0x8c312712;
				goto 0x8c312869;
				E00007FF87FF88C3096D8();
				if (_t37 == 2) goto 0x8c312755;
				if (_t37 != 0x15) goto 0x8c312793;
				if ( *0x8c369b38 != 0) goto 0x8c312793;
				_t21 = SetConsoleCtrlHandler(??, ??);
				_t62 = _t21 - 1;
				if (_t62 != 0) goto 0x8c31277d;
				 *0x8c369b38 = _t21;
				goto 0x8c312793;
				E00007FF87FF88C3076B8(_t81);
				 *_t81 = GetLastError();
				r12d = 1;
				if (_t62 == 0) goto 0x8c312837;
				if (_t62 == 0) goto 0x8c31280f;
				if (_t62 == 0) goto 0x8c3127e7;
				if (_t62 == 0) goto 0x8c3127bb;
				if (_t62 == 0) goto 0x8c31280f;
				goto 0x8c31285d;
				__imp__DecodePointer();
				if (_t119 == 2) goto 0x8c31285d;
				__imp__EncodePointer();
				 *0x8c369b20 = _t81;
				goto 0x8c31285d;
				__imp__DecodePointer();
				if (_t119 == 2) goto 0x8c31285d;
				__imp__EncodePointer();
				 *0x8c369b30 = _t81;
				goto 0x8c31285d;
				__imp__DecodePointer();
				if (_t119 == 2) goto 0x8c31285d;
				__imp__EncodePointer();
				 *0x8c369b28 = _t81;
				goto 0x8c31285d;
				__imp__DecodePointer();
				if (_t119 == 2) goto 0x8c31285d;
				__imp__EncodePointer();
				 *0x8c369b18 = _t81;
				E00007FF87FF88C3095B8();
				if (r12d != 0) goto 0x8c31286e;
				_t82 = _t81;
				goto 0x8c31289b;
				if (_t37 == 1) goto 0x8c312897;
				if (_t37 == 3) goto 0x8c312897;
				if (_t37 == 0xd) goto 0x8c312897;
				if (_t37 - 0xf <= 0) goto 0x8c312887;
				if (_t37 - 0x11 <= 0) goto 0x8c312897;
				E00007FF87FF88C307698(_t82);
				 *_t82 = 0x16;
				return E00007FF87FF88C309444();
			}

0x7ff88c3125f4
0x7ff88c3125f4
0x7ff88c3125f4
0x7ff88c3125f9
0x7ff88c3125fe
0x7ff88c312609
0x7ff88c31260c
0x7ff88c31260e
0x7ff88c312615
0x7ff88c31261f
0x7ff88c312628
0x7ff88c312631
0x7ff88c31263a
0x7ff88c312643
0x7ff88c31264c
0x7ff88c312655
0x7ff88c31265a
0x7ff88c31265f
0x7ff88c312665
0x7ff88c31266a
0x7ff88c312670
0x7ff88c312684
0x7ff88c31268d
0x7ff88c312692
0x7ff88c31269d
0x7ff88c3126b0
0x7ff88c3126b5
0x7ff88c3126bd
0x7ff88c3126c0
0x7ff88c3126ca
0x7ff88c3126cc
0x7ff88c3126dd
0x7ff88c3126ec
0x7ff88c3126f1
0x7ff88c3126f8
0x7ff88c312706
0x7ff88c31270c
0x7ff88c312710
0x7ff88c312712
0x7ff88c31272d
0x7ff88c31272d
0x7ff88c312734
0x7ff88c31273c
0x7ff88c31273e
0x7ff88c312745
0x7ff88c31274e
0x7ff88c312753
0x7ff88c31275c
0x7ff88c31276a
0x7ff88c312770
0x7ff88c312773
0x7ff88c312775
0x7ff88c31277b
0x7ff88c31277d
0x7ff88c31278b
0x7ff88c31278d
0x7ff88c312798
0x7ff88c3127a1
0x7ff88c3127a6
0x7ff88c3127ab
0x7ff88c3127af
0x7ff88c3127b6
0x7ff88c3127c2
0x7ff88c3127cf
0x7ff88c3127d8
0x7ff88c3127de
0x7ff88c3127e5
0x7ff88c3127ee
0x7ff88c3127fb
0x7ff88c312800
0x7ff88c312806
0x7ff88c31280d
0x7ff88c312816
0x7ff88c312823
0x7ff88c312828
0x7ff88c31282e
0x7ff88c312835
0x7ff88c31283e
0x7ff88c31284b
0x7ff88c312850
0x7ff88c312856
0x7ff88c31285f
0x7ff88c312867
0x7ff88c312869
0x7ff88c31286c
0x7ff88c312871
0x7ff88c312876
0x7ff88c31287b
0x7ff88c312880
0x7ff88c312885
0x7ff88c312887
0x7ff88c31288c
0x7ff88c3128b0

APIs

_lock.LIBCMT ref: 00007FF88C312745
SetConsoleCtrlHandler.KERNEL32 ref: 00007FF88C31276A
__doserrno.LIBCMT ref: 00007FF88C31277D
GetLastError.KERNEL32 ref: 00007FF88C312785
DecodePointer.KERNEL32 ref: 00007FF88C3127C2
EncodePointer.KERNEL32 ref: 00007FF88C3127D8
DecodePointer.KERNEL32 ref: 00007FF88C3127EE
EncodePointer.KERNEL32 ref: 00007FF88C312800
DecodePointer.KERNEL32 ref: 00007FF88C312816
EncodePointer.KERNEL32 ref: 00007FF88C312828
DecodePointer.KERNEL32 ref: 00007FF88C31283E
EncodePointer.KERNEL32 ref: 00007FF88C312850
_errno.LIBCMT ref: 00007FF88C312887
_invalid_parameter_noinfo.LIBCMT ref: 00007FF88C312892

Memory Dump Source

Source File: 00000000.00000002.323590886.00007FF88C301000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF88C300000, based on PE: true

Associated: 00000000.00000002.323573707.00007FF88C300000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323655700.00007FF88C322000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323798879.00007FF88C367000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323812343.00007FF88C36A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323824687.00007FF88C36C000.00000010.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323839114.00007FF88C36D000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff88c300000_loaddll64.jbxd

Similarity

API ID: Pointer$DecodeEncode$ConsoleCtrlErrorHandlerLast__doserrno_errno_invalid_parameter_noinfo_lock
String ID:
API String ID: 171417116-0
Opcode ID: 174255f378b25e3063231d76e2d84cfa87c90814d6123d5e052098e8f4fc6e0a
Instruction ID: d1b515a16fcf7e3c7f4353b30e09e8fe1dff24ffebfe9286b0781a8bec96eb24
Opcode Fuzzy Hash: 174255f378b25e3063231d76e2d84cfa87c90814d6123d5e052098e8f4fc6e0a
Instruction Fuzzy Hash: 7E71AF61E0860689FE689B15D455D7D6291BF87BD0F044036E91EA72ADEE2EB443C301

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF88C303A5C Relevance: 21.2, APIs: 10, Strings: 2, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetTouchInputInfo.USER32 ref: 00007FF88C303AEE
CloseTouchInputHandle.USER32 ref: 00007FF88C303B87
InvalidateRect.USER32 ref: 00007FF88C303BA2
DefWindowProcW.USER32 ref: 00007FF88C303BC3
DestroyWindow.USER32 ref: 00007FF88C303BCE
BeginPaint.USER32 ref: 00007FF88C303BDE
EndPaint.USER32 ref: 00007FF88C303BF4
UnregisterTouchWindow.USER32 ref: 00007FF88C303C53
MessageBoxW.USER32 ref: 00007FF88C303C70
PostQuitMessage.USER32 ref: 00007FF88C303CB6

Strings

Cannot unregister application window for touch input, xrefs: 00007FF88C303C64
Error, xrefs: 00007FF88C303C5D

Memory Dump Source

Source File: 00000000.00000002.323590886.00007FF88C301000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF88C300000, based on PE: true

Associated: 00000000.00000002.323573707.00007FF88C300000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323655700.00007FF88C322000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323798879.00007FF88C367000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323812343.00007FF88C36A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323824687.00007FF88C36C000.00000010.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323839114.00007FF88C36D000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff88c300000_loaddll64.jbxd

Similarity

API ID: TouchWindow$InputMessagePaint$BeginCloseDestroyHandleInfoInvalidatePostProcQuitRectUnregister
String ID: Cannot unregister application window for touch input$Error
API String ID: 1507798779-2666531736
Opcode ID: 0f58f9c20f5c697e616207143ae176cb8818f701bca30e05ecbeb031851873e6
Instruction ID: c88af64f614e3c3aa4881ccba1d29bb45a331f99ab77cee63c9385047b0d44b3
Opcode Fuzzy Hash: 0f58f9c20f5c697e616207143ae176cb8818f701bca30e05ecbeb031851873e6
Instruction Fuzzy Hash: 7E619F22B0CA4686EAA5DB66D804F3963A4BF46BC5F448235DD1E476A8CF3DF456C340

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF88C30C55C Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 144
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 60%

			E00007FF87FF88C30C55C(long long __rbx, signed long long* __rcx, void* __rdx, long long __rdi, long long __rsi, void* __r8, void* __r10, void* __r11) {
				void* _t46;
				void* _t52;
				void* _t64;
				char _t65;
				void* _t85;
				signed long long _t86;
				char* _t88;
				char* _t89;
				intOrPtr _t90;
				intOrPtr _t91;
				intOrPtr* _t92;
				intOrPtr _t93;
				signed long long* _t97;
				signed long long* _t100;
				intOrPtr _t101;
				intOrPtr* _t114;
				intOrPtr _t134;
				void* _t138;
				void* _t139;
				void* _t141;
				signed long long _t142;
				void* _t148;

				_t144 = __r8;
				_t136 = __rsi;
				_t85 = _t141;
				 *((long long*)(_t85 + 0x10)) = __rbx;
				 *((long long*)(_t85 + 0x18)) = __rsi;
				 *((long long*)(_t85 + 0x20)) = __rdi;
				_t139 = _t85 - 0x5f;
				_t142 = _t141 - 0x100;
				_t86 =  *0x8c3670a0; // 0xfd5a6ce2fd9f
				 *(_t139 + 0x47) = _t86 ^ _t142;
				 *__rcx =  *__rcx & 0x00000000;
				__rcx[1] = 0;
				__rcx[1] = __rcx[1] & 0xffff00ff;
				_t97 = __rcx;
				 *0x8c369a99 = sil;
				if (__rcx[1] != 0) goto 0x8c30c79e;
				_t88 =  *0x8c369a70; // 0x0
				if ( *_t88 == 0) goto 0x8c30c79e;
				if ( *_t88 == 0x40) goto 0x8c30c79e;
				if (1 == 0) goto 0x8c30c5ce;
				goto 0x8c30c5df;
				_t100 = __rcx;
				_t46 = E00007FF87FF88C30AF5C(0x2c, 0, _t88, __rcx, __rcx, __rsi, __r8, _t138);
				_t89 =  *0x8c369a70; // 0x0
				_t65 =  *_t89;
				r8d = _t100 - 0x30;
				if (r8d - 9 > 0) goto 0x8c30c60e;
				_t101 =  *0x8c369a68; // 0x0
				_t90 = _t89 + 1;
				 *0x8c369a70 = _t90;
				E00007FF87FF88C30A6DC(_t46, _t101, _t139 - 0x19);
				goto 0x8c30c78c;
				 *(_t142 + 0x20) =  *(_t142 + 0x20) & 0x00000000;
				 *(_t142 + 0x28) =  *(_t142 + 0x28) & 0xffff0000;
				_t134 = _t90;
				if (_t65 != 0x58) goto 0x8c30c644;
				_t91 = _t90 + 1;
				 *0x8c369a70 = _t91;
				E00007FF87FF88C30AD7C(_t142 + 0x20, "void");
				goto 0x8c30c761;
				if (_t65 != 0x24) goto 0x8c30c665;
				_t92 = _t91 + 1;
				if ( *_t92 == _t65) goto 0x8c30c665;
				 *0x8c369a70 = _t92;
				E00007FF87FF88C30C0D4(0x2c, _t97, _t139 + 7, "void", _t134, __rsi, __r8, __r10, __r11);
				goto 0x8c30c758;
				if (_t65 != 0x3f) goto 0x8c30c73f;
				E00007FF87FF88C30C058(_t92, _t97, _t139 - 0x79, "void", _t136, __r10, __r11);
				if (( *0x8c369a8c & 0x00004000) == 0) goto 0x8c30c6f5;
				r8d = 0x10;
				_t52 = E00007FF87FF88C3150DC(E00007FF87FF88C30A4DC(_t97, _t139 - 0x79, _t139 + 0x37, _t136), _t139 + 0x37);
				 *0x8c369a90();
				if (_t92 == 0) goto 0x8c30c6b1;
				goto 0x8c30c635;
				E00007FF87FF88C30A9E0(_t139 - 9, "`template-parameter");
				asm("movups xmm0, [eax]");
				asm("movdqu [ebp-0x29], xmm0");
				E00007FF87FF88C30AC78(_t92, _t139 - 0x29, _t139 - 0x79);
				asm("movaps xmm5, [ebp-0x29]");
				asm("movdqa [ebp-0x39], xmm5");
				E00007FF87FF88C30AFE0(_t52, 0, _t92, _t97, _t139 - 0x39, "\'", _t136, _t144);
				asm("movaps xmm5, [ebp-0x39]");
				goto 0x8c30c737;
				E00007FF87FF88C30A9E0(_t139 + 0x27, "`template-parameter");
				asm("movups xmm0, [eax]");
				asm("movdqu [ebp-0x49], xmm0");
				E00007FF87FF88C30AC78(_t92, _t139 - 0x49, _t139 - 0x79);
				asm("movaps xmm5, [ebp-0x49]");
				asm("movdqa [ebp-0x59], xmm5");
				E00007FF87FF88C30AFE0(_t52, 0, _t92, _t97, _t139 - 0x59, "\'", _t136, _t144);
				asm("movaps xmm5, [ebp-0x59]");
				asm("movdqa [esp+0x20], xmm5");
				goto 0x8c30c761;
				 *(_t139 - 0x69) =  *(_t139 - 0x69) & 0x00000000;
				 *(_t139 - 0x61) =  *(_t139 - 0x61) & 0xffff0000;
				E00007FF87FF88C31006C(_t64, _t52, 0x2c, 0, _t92, _t97, _t139 + 0x17, _t139 - 0x69, _t134, _t136, _t144, __r10, __r11, _t148);
				asm("movups xmm0, [eax]");
				asm("movdqu [esp+0x20], xmm0");
				_t93 =  *0x8c369a70; // 0x0
				if (_t93 - _t134 - 1 <= 0) goto 0x8c30c787;
				_t114 =  *0x8c369a68; // 0x0
				if ( *_t114 == 9) goto 0x8c30c787;
				E00007FF87FF88C30A67C(_t93 - _t134, _t97, _t114, _t142 + 0x20, _t144);
				E00007FF87FF88C30AC78(_t93 - _t134, _t97, _t142 + 0x20);
				if ( *((char*)(_t97 + 8)) == 0) goto 0x8c30c5ad;
				 *0x8c369a99 = 0;
				return E00007FF87FF88C304980(_t52,  *(_t139 + 0x47) ^ _t142, _t142 + 0x20, _t144);
			}

0x7ff88c30c55c
0x7ff88c30c55c
0x7ff88c30c55c
0x7ff88c30c55f
0x7ff88c30c563
0x7ff88c30c567
0x7ff88c30c56c
0x7ff88c30c570
0x7ff88c30c577
0x7ff88c30c581
0x7ff88c30c585
0x7ff88c30c589
0x7ff88c30c58d
0x7ff88c30c599
0x7ff88c30c59c
0x7ff88c30c5a7
0x7ff88c30c5ad
0x7ff88c30c5b7
0x7ff88c30c5c0
0x7ff88c30c5c8
0x7ff88c30c5cc
0x7ff88c30c5d0
0x7ff88c30c5d3
0x7ff88c30c5d8
0x7ff88c30c5df
0x7ff88c30c5e2
0x7ff88c30c5ea
0x7ff88c30c5ec
0x7ff88c30c5f3
0x7ff88c30c5fa
0x7ff88c30c601
0x7ff88c30c609
0x7ff88c30c60e
0x7ff88c30c614
0x7ff88c30c61c
0x7ff88c30c622
0x7ff88c30c624
0x7ff88c30c62e
0x7ff88c30c63a
0x7ff88c30c63f
0x7ff88c30c647
0x7ff88c30c649
0x7ff88c30c64e
0x7ff88c30c654
0x7ff88c30c65b
0x7ff88c30c660
0x7ff88c30c668
0x7ff88c30c672
0x7ff88c30c681
0x7ff88c30c68b
0x7ff88c30c69a
0x7ff88c30c6a1
0x7ff88c30c6aa
0x7ff88c30c6af
0x7ff88c30c6bc
0x7ff88c30c6c9
0x7ff88c30c6cc
0x7ff88c30c6d1
0x7ff88c30c6d6
0x7ff88c30c6e5
0x7ff88c30c6ea
0x7ff88c30c6ef
0x7ff88c30c6f3
0x7ff88c30c700
0x7ff88c30c70d
0x7ff88c30c710
0x7ff88c30c715
0x7ff88c30c71a
0x7ff88c30c729
0x7ff88c30c72e
0x7ff88c30c733
0x7ff88c30c737
0x7ff88c30c73d
0x7ff88c30c73f
0x7ff88c30c744
0x7ff88c30c753
0x7ff88c30c758
0x7ff88c30c75b
0x7ff88c30c761
0x7ff88c30c76f
0x7ff88c30c771
0x7ff88c30c77b
0x7ff88c30c782
0x7ff88c30c78f
0x7ff88c30c798
0x7ff88c30c79e
0x7ff88c30c7cc

APIs

DName::operator+=.LIBCMT ref: 00007FF88C30C5D3
DName::operator=.LIBCMT ref: 00007FF88C30C63A

Part of subcall function 00007FF88C30AD7C: DName::doPchar.LIBCMT ref: 00007FF88C30ADAB

DName::operator+=.LIBCMT ref: 00007FF88C30C78F

Strings

`template-parameter, xrefs: 00007FF88C30C6B1, 00007FF88C30C6F5
void, xrefs: 00007FF88C30C627

Memory Dump Source

Source File: 00000000.00000002.323590886.00007FF88C301000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF88C300000, based on PE: true

Associated: 00000000.00000002.323573707.00007FF88C300000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323655700.00007FF88C322000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323798879.00007FF88C367000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323812343.00007FF88C36A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323824687.00007FF88C36C000.00000010.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323839114.00007FF88C36D000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff88c300000_loaddll64.jbxd

Similarity

API ID: Name::operator+=$Name::doName::operator=Pchar
String ID: `template-parameter$void
API String ID: 592721650-4057429177
Opcode ID: cb6d2622e47490461d3dcceb8289e39a323902ee6cf53929493a7c4b90427398
Instruction ID: 8add3510a71ec27d593cb838cc7bf02335aa8b3d145265a2e2e1f155ba505d1e
Opcode Fuzzy Hash: cb6d2622e47490461d3dcceb8289e39a323902ee6cf53929493a7c4b90427398
Instruction Fuzzy Hash: B271AD63E08B4A8AFB20DBA4E441BFC73A1BB56BC8F544135DA4D0669DDF6CE546C340

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF88C3110C4 Relevance: 19.6, APIs: 13, Instructions: 90
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 46%

			E00007FF87FF88C3110C4(long long __rbx, long long* __rcx, long long __rdx, void* __rdi, long long __rsi, long long _a8, long long _a16) {
				void* _t25;
				void* _t26;
				void* _t27;
				void* _t28;
				void* _t29;
				intOrPtr _t52;
				intOrPtr _t60;
				intOrPtr* _t61;
				intOrPtr* _t62;
				long long* _t68;
				intOrPtr _t69;
				long long _t70;
				intOrPtr* _t74;
				intOrPtr* _t76;
				intOrPtr _t87;
				intOrPtr* _t89;
				intOrPtr* _t90;
				long long* _t91;
				intOrPtr* _t96;
				void* _t98;
				intOrPtr _t101;
				void* _t107;
				intOrPtr* _t108;

				_t94 = __rdx;
				_a8 = __rbx;
				_a16 = __rsi;
				_t60 =  *((intOrPtr*)(__rcx + 0x128));
				_t68 = __rcx;
				if (_t60 == 0) goto 0x8c31115b;
				if (_t60 == 0x8c368490) goto 0x8c31115b;
				_t61 =  *((intOrPtr*)(__rcx + 0x110));
				if (_t61 == 0) goto 0x8c31115b;
				if ( *_t61 != 0) goto 0x8c31115b;
				_t74 =  *((intOrPtr*)(__rcx + 0x120));
				if (_t74 == 0) goto 0x8c311121;
				if ( *_t74 != 0) goto 0x8c311121;
				free(__rdi);
				_t26 = E00007FF87FF88C316A4C(_t25,  *((intOrPtr*)(__rcx + 0x128)));
				_t76 =  *((intOrPtr*)(__rcx + 0x118));
				if (_t76 == 0) goto 0x8c311143;
				if ( *_t76 != 0) goto 0x8c311143;
				free(??);
				_t27 = E00007FF87FF88C31673C(_t26,  *((intOrPtr*)(__rcx + 0x128)));
				free(??);
				free(??);
				_t62 =  *((intOrPtr*)(__rcx + 0x130));
				if (_t62 == 0) goto 0x8c3111ae;
				if ( *_t62 != 0) goto 0x8c3111ae;
				free(??);
				free(??);
				free(??);
				free(??);
				_t87 =  *((intOrPtr*)(__rcx + 0x158));
				if (_t87 == 0x8c367e00) goto 0x8c3111db;
				if ( *((intOrPtr*)(_t87 + 0x160)) != 0) goto 0x8c3111db;
				_t28 = E00007FF87FF88C316274(_t27, _t87);
				free(??);
				_t96 = _t68 + 0x58;
				if ( *((intOrPtr*)(_t96 - 0x10)) == 0x8c367df4) goto 0x8c311203;
				_t89 =  *_t96;
				if (_t89 == 0) goto 0x8c311203;
				if ( *_t89 != 0) goto 0x8c311203;
				free(??);
				if ( *((long long*)(_t96 - 8)) == 0) goto 0x8c31121d;
				_t90 =  *((intOrPtr*)(_t96 + 8));
				if (_t90 == 0) goto 0x8c31121d;
				_t52 =  *_t90;
				if (_t52 != 0) goto 0x8c31121d;
				free(??);
				if (_t52 != 0) goto 0x8c3111e4;
				_t91 = _t68;
				_t69 = _a8;
				_t101 = _a16;
				_pop(_t98);
				goto E00007FF87FF88C30640C;
				asm("int3");
				asm("int3");
				asm("int3");
				_t70 = __rdx;
				if (__rdx == 0) goto 0x8c31128f;
				if (_t91 == 0) goto 0x8c31128f;
				_t108 =  *_t91;
				if (_t108 == __rdx) goto 0x8c31128a;
				 *_t91 = __rdx;
				_t29 = E00007FF87FF88C310F94(_t28, __rdx, _t107);
				if (_t108 == 0) goto 0x8c31128a;
				E00007FF87FF88C311020(_t29, _t108, _t107);
				if ( *_t108 != 0) goto 0x8c31128a;
				if (_t108 == 0x8c3680c0) goto 0x8c31128a;
				E00007FF87FF88C3110C4(_t70, _t108, _t94, _t98, _t101, _t69);
				goto 0x8c311291;
				return 0;
			}

0x7ff88c3110c4
0x7ff88c3110c4
0x7ff88c3110c9
0x7ff88c3110d3
0x7ff88c3110da
0x7ff88c3110e0
0x7ff88c3110ec
0x7ff88c3110ee
0x7ff88c3110f8
0x7ff88c3110fd
0x7ff88c3110ff
0x7ff88c311109
0x7ff88c31110e
0x7ff88c311110
0x7ff88c31111c
0x7ff88c311121
0x7ff88c31112b
0x7ff88c311130
0x7ff88c311132
0x7ff88c31113e
0x7ff88c31114a
0x7ff88c311156
0x7ff88c31115b
0x7ff88c311165
0x7ff88c31116a
0x7ff88c31117a
0x7ff88c31118e
0x7ff88c31119d
0x7ff88c3111a9
0x7ff88c3111ae
0x7ff88c3111bf
0x7ff88c3111c8
0x7ff88c3111ca
0x7ff88c3111d6
0x7ff88c3111db
0x7ff88c3111ef
0x7ff88c3111f1
0x7ff88c3111f7
0x7ff88c3111fc
0x7ff88c3111fe
0x7ff88c311208
0x7ff88c31120a
0x7ff88c311211
0x7ff88c311213
0x7ff88c311216
0x7ff88c311218
0x7ff88c311224
0x7ff88c311226
0x7ff88c311229
0x7ff88c31122e
0x7ff88c311237
0x7ff88c311238
0x7ff88c31123d
0x7ff88c31123e
0x7ff88c31123f
0x7ff88c311246
0x7ff88c31124c
0x7ff88c311251
0x7ff88c311253
0x7ff88c311259
0x7ff88c31125b
0x7ff88c311261
0x7ff88c311269
0x7ff88c31126e
0x7ff88c311277
0x7ff88c311283
0x7ff88c311285
0x7ff88c31128d
0x7ff88c311296

APIs

__free_lconv_mon.LIBCMT ref: 00007FF88C31111C

Part of subcall function 00007FF88C316A4C: free.LIBCMT ref: 00007FF88C316A6A
Part of subcall function 00007FF88C316A4C: free.LIBCMT ref: 00007FF88C316A7C
Part of subcall function 00007FF88C316A4C: free.LIBCMT ref: 00007FF88C316A8E
Part of subcall function 00007FF88C316A4C: free.LIBCMT ref: 00007FF88C316AA0
Part of subcall function 00007FF88C316A4C: free.LIBCMT ref: 00007FF88C316AB2
Part of subcall function 00007FF88C316A4C: free.LIBCMT ref: 00007FF88C316AC4
Part of subcall function 00007FF88C316A4C: free.LIBCMT ref: 00007FF88C316AD6
Part of subcall function 00007FF88C316A4C: free.LIBCMT ref: 00007FF88C316AE8
Part of subcall function 00007FF88C316A4C: free.LIBCMT ref: 00007FF88C316AFA
Part of subcall function 00007FF88C316A4C: free.LIBCMT ref: 00007FF88C316B0C
Part of subcall function 00007FF88C316A4C: free.LIBCMT ref: 00007FF88C316B21
Part of subcall function 00007FF88C316A4C: free.LIBCMT ref: 00007FF88C316B36
Part of subcall function 00007FF88C316A4C: free.LIBCMT ref: 00007FF88C316B4B

free.LIBCMT ref: 00007FF88C311110

Part of subcall function 00007FF88C30640C: RtlReleasePrivilege.NTDLL(?,?,00000000,00007FF88C307F44,?,?,?,00007FF88C3076A1,?,?,?,?,00007FF88C305382), ref: 00007FF88C306422
Part of subcall function 00007FF88C30640C: _errno.LIBCMT ref: 00007FF88C30642C
Part of subcall function 00007FF88C30640C: GetLastError.KERNEL32(?,?,00000000,00007FF88C307F44,?,?,?,00007FF88C3076A1,?,?,?,?,00007FF88C305382), ref: 00007FF88C306434

free.LIBCMT ref: 00007FF88C311132
__free_lconv_num.LIBCMT ref: 00007FF88C31113E
free.LIBCMT ref: 00007FF88C31114A
free.LIBCMT ref: 00007FF88C311156
free.LIBCMT ref: 00007FF88C31117A
free.LIBCMT ref: 00007FF88C31118E
free.LIBCMT ref: 00007FF88C31119D
free.LIBCMT ref: 00007FF88C3111A9
free.LIBCMT ref: 00007FF88C3111D6
free.LIBCMT ref: 00007FF88C3111FE
free.LIBCMT ref: 00007FF88C311218

Memory Dump Source

Source File: 00000000.00000002.323590886.00007FF88C301000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF88C300000, based on PE: true

Associated: 00000000.00000002.323573707.00007FF88C300000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323655700.00007FF88C322000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323798879.00007FF88C367000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323812343.00007FF88C36A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323824687.00007FF88C36C000.00000010.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323839114.00007FF88C36D000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff88c300000_loaddll64.jbxd

Similarity

API ID: free$ErrorLastPrivilegeRelease__free_lconv_mon__free_lconv_num_errno
String ID:
API String ID: 3604738761-0
Opcode ID: 8275107193158de9e2e3268f70a19a604abd9224b6d4d14bc70a98653dcf2d7b
Instruction ID: 49afb06d498ff1d36314a339835afa3f71874f607df4fee05d27c1a75270ad7e
Opcode Fuzzy Hash: 8275107193158de9e2e3268f70a19a604abd9224b6d4d14bc70a98653dcf2d7b
Instruction Fuzzy Hash: CE41DE32A0A94289FE56DA61C490BF873B1BF86BD4F040132EE0D8669DCF3DA593C750

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF88C31F75C Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 93
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E00007FF87FF88C31F75C(void* __ecx, void* __eflags, void* __rax, void* __rcx, void* __rbp, void* __r8, signed int _a8, void* _a16, long long _a24, long long _a32) {
				char _v72;
				void* _v88;
				signed int _v104;
				signed int _v112;
				signed int _v120;
				signed int _v128;
				signed int _v152;
				void* __rbx;
				void* __rsi;
				void* _t75;
				void* _t93;
				long long _t94;
				signed int _t96;
				void* _t118;
				long long _t119;
				intOrPtr* _t120;
				void* _t124;
				signed long long _t130;

				_t123 = __r8;
				_t103 = __rcx;
				_t93 = __rax;
				_t83 = __eflags;
				_t76 = __ecx;
				r13d = 0;
				_v152 = r13d;
				_a8 = _a8 & r13d;
				_v112 = _v112 & _t130;
				_v120 = _v120 & _t130;
				E00007FF87FF88C307F5C(__ecx, __eflags, __rax, __rcx, _t118, __r8);
				_t94 =  *((intOrPtr*)(_t93 + 0xf8));
				_a32 = _t94;
				E00007FF87FF88C307F5C(_t76, __eflags, _t94, __rcx, _t118, __r8);
				_a24 =  *((intOrPtr*)(_t94 + 0xf0));
				_t119 =  *((intOrPtr*)(__rcx + 0x50));
				_a16 = _t119;
				_t96 =  *((intOrPtr*)(__rcx + 0x48));
				_v128 = _t96;
				_v88 =  *((intOrPtr*)(__rcx + 0x28));
				E00007FF87FF88C307F5C(_t76, __eflags, _t96, __rcx, _t119, __r8);
				 *((long long*)(_t96 + 0xf0)) = _t119;
				E00007FF87FF88C307F5C(_t76, __eflags, _t96, __rcx, _t119, __r8);
				 *((long long*)(_t96 + 0xf8)) =  *((intOrPtr*)(__rcx + 0x40));
				E00007FF87FF88C307F5C(_t76, __eflags, _t96, _t103, _t119, __r8);
				E00007FF87FF88C31EA0C(_t76, _t83, _t96,  &_v72,  *((intOrPtr*)( *((intOrPtr*)(_t96 + 0xf0)) + 0x28)));
				_v104 = _t96;
				_t84 =  *((intOrPtr*)(__rcx + 0x58)) - _t130;
				if ( *((intOrPtr*)(__rcx + 0x58)) == _t130) goto 0x8c31f836;
				_a8 = 1;
				E00007FF87FF88C307F5C(_t76,  *((intOrPtr*)(__rcx + 0x58)) - _t130, _t96,  &_v72, _t119, _t123);
				_v120 =  *((intOrPtr*)(_t96 + 0x138));
				r8d = 0x100;
				_t106 =  *((intOrPtr*)(__rcx + 0x30));
				E00007FF87FF88C320860( *((intOrPtr*)(__rcx + 0x30)),  *((intOrPtr*)(__rcx + 0x28)), _t124);
				_v112 = _t96;
				_v152 = 1;
				E00007FF87FF88C307F5C(_t76, _t84, _t96, _t106, _t119, _t123);
				 *(_t96 + 0x2c0) =  *(_t96 + 0x2c0) & 0x00000000;
				_t120 = _a16;
				if (_a8 == 0) goto 0x8c31f8a7;
				E00007FF87FF88C31F1C0(1, _t120);
				r8d =  *((intOrPtr*)(_v120 + 0x18));
				goto 0x8c31f8b4;
				r8d =  *((intOrPtr*)(_t120 + 0x18));
				RaiseException(??, ??, ??, ??);
				r13d = _v152;
				E00007FF87FF88C31EA84( *_t120, _a8, _t96, _v112, _v104, _t120, __rbp, _t123);
				if (r13d != 0) goto 0x8c31f92b;
				if ( *_t120 != 0xe06d7363) goto 0x8c31f92b;
				if ( *((intOrPtr*)(_t120 + 0x18)) != 4) goto 0x8c31f92b;
				if ( *((intOrPtr*)(_t120 + 0x20)) == 0x19930520) goto 0x8c31f914;
				if ( *((intOrPtr*)(_t120 + 0x20)) == 0x19930521) goto 0x8c31f914;
				if ( *((intOrPtr*)(_t120 + 0x20)) != 0x19930522) goto 0x8c31f92b;
				if (E00007FF87FF88C31EA50( *((intOrPtr*)(_t120 + 0x20)) - 0x19930522, _t96,  *((intOrPtr*)(_t120 + 0x28))) == 0) goto 0x8c31f92b;
				E00007FF87FF88C31F1C0(1, _t120);
				E00007FF87FF88C307F5C( *_t120, E00007FF87FF88C31EA50( *((intOrPtr*)(_t120 + 0x20)) - 0x19930522, _t96,  *((intOrPtr*)(_t120 + 0x28))), _t96, _t120, _t120, _t123);
				 *((long long*)(_t96 + 0xf0)) = _a24;
				_t75 = E00007FF87FF88C307F5C( *_t120, E00007FF87FF88C31EA50( *((intOrPtr*)(_t120 + 0x20)) - 0x19930522, _t96,  *((intOrPtr*)(_t120 + 0x28))), _t96, _t120, _t120, _t123);
				 *((long long*)(_t96 + 0xf8)) = _a32;
				 *((long long*)( *((intOrPtr*)(_v128 + 0x1c)) +  *_v88)) = 0xfffffffe;
				return _t75;
			}

0x7ff88c31f75c
0x7ff88c31f75c
0x7ff88c31f75c
0x7ff88c31f75c
0x7ff88c31f75c
0x7ff88c31f772
0x7ff88c31f775
0x7ff88c31f77a
0x7ff88c31f782
0x7ff88c31f787
0x7ff88c31f78c
0x7ff88c31f791
0x7ff88c31f798
0x7ff88c31f7a0
0x7ff88c31f7ac
0x7ff88c31f7b4
0x7ff88c31f7b8
0x7ff88c31f7c0
0x7ff88c31f7c4
0x7ff88c31f7d5
0x7ff88c31f7da
0x7ff88c31f7df
0x7ff88c31f7e6
0x7ff88c31f7eb
0x7ff88c31f7f2
0x7ff88c31f807
0x7ff88c31f80f
0x7ff88c31f814
0x7ff88c31f818
0x7ff88c31f81a
0x7ff88c31f825
0x7ff88c31f831
0x7ff88c31f836
0x7ff88c31f83f
0x7ff88c31f842
0x7ff88c31f84a
0x7ff88c31f861
0x7ff88c31f869
0x7ff88c31f86e
0x7ff88c31f875
0x7ff88c31f885
0x7ff88c31f88c
0x7ff88c31f89a
0x7ff88c31f8a5
0x7ff88c31f8ab
0x7ff88c31f8b4
0x7ff88c31f8ba
0x7ff88c31f8e1
0x7ff88c31f8e9
0x7ff88c31f8f1
0x7ff88c31f8f7
0x7ff88c31f900
0x7ff88c31f909
0x7ff88c31f912
0x7ff88c31f91f
0x7ff88c31f926
0x7ff88c31f92b
0x7ff88c31f930
0x7ff88c31f937
0x7ff88c31f93c
0x7ff88c31f950
0x7ff88c31f96d

APIs

_getptd.LIBCMT ref: 00007FF88C31F78C

Part of subcall function 00007FF88C307F5C: _amsg_exit.LIBCMT ref: 00007FF88C307F72

_getptd.LIBCMT ref: 00007FF88C31F7A0
_getptd.LIBCMT ref: 00007FF88C31F7DA
_getptd.LIBCMT ref: 00007FF88C31F7E6
_getptd.LIBCMT ref: 00007FF88C31F7F2
_CreateFrameInfo.LIBCMT ref: 00007FF88C31F807

Part of subcall function 00007FF88C31EA0C: _getptd.LIBCMT ref: 00007FF88C31EA18
Part of subcall function 00007FF88C31EA0C: _getptd.LIBCMT ref: 00007FF88C31EA26
Part of subcall function 00007FF88C31EA0C: _getptd.LIBCMT ref: 00007FF88C31EA3A

_getptd.LIBCMT ref: 00007FF88C31F825
_getptd.LIBCMT ref: 00007FF88C31F92B
_getptd.LIBCMT ref: 00007FF88C31F937

Strings

csm, xrefs: 00007FF88C31F8EB

Memory Dump Source

Source File: 00000000.00000002.323590886.00007FF88C301000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF88C300000, based on PE: true

Associated: 00000000.00000002.323573707.00007FF88C300000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323655700.00007FF88C322000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323798879.00007FF88C367000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323812343.00007FF88C36A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323824687.00007FF88C36C000.00000010.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323839114.00007FF88C36D000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff88c300000_loaddll64.jbxd

Similarity

API ID: _getptd$CreateFrameInfo_amsg_exit
String ID: csm
API String ID: 2825728721-1018135373
Opcode ID: 5860030a6f08b9a697e16d77bab3db7902ba8ecb0713b73439a9e44d9fdcb455
Instruction ID: 2d5464cee47413f1ee49934385e558a72488121eb167941b43d9bf8b14388dd5
Opcode Fuzzy Hash: 5860030a6f08b9a697e16d77bab3db7902ba8ecb0713b73439a9e44d9fdcb455
Instruction Fuzzy Hash: 6F414F36508B4286D670AF16E440BBA77A4FB4ABD4F044136EF9D47B89DF38D056C740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF88C301058 Relevance: 16.6, APIs: 11, Instructions: 113COMMON

Download Yara Rule

APIs

CreatePen.GDI32 ref: 00007FF88C301091
SelectObject.GDI32 ref: 00007FF88C3010A0
$pdata$_XMMI_FP_Emulation.LIBCMT ref: 00007FF88C301117
$pdata$_XMMI_FP_Emulation.LIBCMT ref: 00007FF88C301128
Polyline.GDI32 ref: 00007FF88C3011A1
MoveToEx.GDI32 ref: 00007FF88C3011B4
LineTo.GDI32 ref: 00007FF88C3011C4
MoveToEx.GDI32 ref: 00007FF88C3011D7
LineTo.GDI32 ref: 00007FF88C3011E7
SelectObject.GDI32 ref: 00007FF88C3011F3
DeleteObject.GDI32 ref: 00007FF88C3011FC

Memory Dump Source

Source File: 00000000.00000002.323590886.00007FF88C301000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF88C300000, based on PE: true

Associated: 00000000.00000002.323573707.00007FF88C300000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323655700.00007FF88C322000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323798879.00007FF88C367000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323812343.00007FF88C36A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323824687.00007FF88C36C000.00000010.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323839114.00007FF88C36D000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff88c300000_loaddll64.jbxd

Similarity

API ID: Object$$pdata$_EmulationLineMoveSelect$CreateDeletePolyline
String ID:
API String ID: 1734023669-0
Opcode ID: e50320145266f0c62f5261b744deee320b6b784ecb2261ca4089e73084606f16
Instruction ID: 0a0175c96d65ddb3e144b9e1fbdf7d9bedd31e25e6422363462ec12adfcb3762
Opcode Fuzzy Hash: e50320145266f0c62f5261b744deee320b6b784ecb2261ca4089e73084606f16
Instruction Fuzzy Hash: D0513C75F24B118EE716DF71E8509A9B7B4BB4ABD5B008336DD1A63B18DF39A442CB00

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF88C31006C Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 130
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 75%

			E00007FF87FF88C31006C(void* __ebx, signed int __ecx, void* __edx, void* __esi, void* __rax, long long __rbx, signed long long* __rcx, intOrPtr* __rdx, long long __rdi, long long __rsi, void* __r8, void* __r10, void* __r11, void* __r12, long long _a8, long long _a16) {
				char _v24;
				signed int _v32;
				signed long long _v40;
				signed int _v48;
				signed long long _v56;
				signed int _v72;
				signed long long _t32;
				char _t56;
				signed long long _t60;
				void* _t63;
				signed long long* _t66;
				char* _t69;
				signed long long* _t73;
				signed long long* _t75;
				signed long long* _t76;
				signed long long* _t78;
				signed long long* _t82;
				long long* _t84;
				signed long long* _t86;
				void* _t102;

				_t116 = __r11;
				_t115 = __r10;
				_t104 = __rsi;
				_t63 = __rax;
				_t55 = __esi;
				_t42 = __ecx;
				_a8 = __rbx;
				_a16 = __rdi;
				_v56 = _v56 & 0x00000000;
				_t66 = __rcx;
				_t69 =  *0x8c369a70; // 0x0
				r8d =  *_t69;
				r9d = 0xffff0000;
				_t102 = __rdx;
				_v48 = _v48 & r9d;
				_t56 = r8d;
				if (_t56 == 0) goto 0x8c310248;
				r8d = r8d - 0x24;
				if (_t56 == 0) goto 0x8c310120;
				r8d = r8d - 0x1d;
				if (_t56 == 0) goto 0x8c3100ed;
				r8d = r8d - 1;
				if (_t56 == 0) goto 0x8c3100c5;
				E00007FF87FF88C30FC30(__ebx, __ecx, __esi, __rax, __rcx, __rcx, __rdx, __r8, __r10, __r11);
				goto 0x8c310268;
				E00007FF87FF88C30AD7C( &_v56, "volatile");
				if ( *_t102 == 0) goto 0x8c3100e6;
				E00007FF87FF88C30AF5C(0x20, __esi, _t63, _t66,  &_v56, __rsi, __r8);
				_t73 =  *0x8c369a70; // 0x0
				asm("movups xmm0, [edi]");
				 *0x8c369a70 = _t73 + 1;
				_t75 = _t66;
				asm("movdqu [ebp-0x20], xmm0");
				asm("bts dword [ebp-0x18], 0x8");
				E00007FF87FF88C30F88C(_t42, 0x20, __esi, _t66, _t75,  &_v56, _t102, __rsi,  &_v40, 0x8c32393c, __r10, __r11);
				goto 0x8c310268;
				_t32 = _t75[0];
				if (_t32 == 0x24) goto 0x8c310143;
				if (_t32 == 0) goto 0x8c310248;
				_t66[1] = _t66[1] & 0xffff00ff;
				 *_t66 =  *_t66 & 0x00000000;
				_t66[1] = 2;
				goto 0x8c310268;
				_t76 =  &(_t75[0]);
				 *0x8c369a70 = _t76;
				_t60 =  *_t76;
				if (_t60 == 0) goto 0x8c310248;
				if (_t60 == 0) goto 0x8c310231;
				if (_t60 == 0) goto 0x8c310214;
				if (_t60 == 0) goto 0x8c3101dd;
				if (_t60 == 0) goto 0x8c3101d1;
				if (_t60 == 0) goto 0x8c3101a9;
				if (_t60 == 0) goto 0x8c31019d;
				if (_t60 != 0) goto 0x8c31012f;
				 *0x8c369a70 =  &(_t76[0]);
				_t78 = _t66;
				E00007FF87FF88C30A9E0(_t78, "std::nullptr_t");
				goto 0x8c310268;
				 *0x8c369a70 =  &(_t78[0]);
				goto 0x8c31012f;
				E00007FF87FF88C30AD7C( &_v56, "volatile");
				if ( *_t102 == 0) goto 0x8c3101ca;
				E00007FF87FF88C30AF5C(0x20, _t55, _t63, _t66,  &_v56, _t104,  &_v40);
				_t82 =  *0x8c369a70; // 0x0
				goto 0x8c3100f4;
				_v32 = _v32 & r9d;
				_v40 = _v40 & 0x00000000;
				_v72 = _v72 & 0x00000000;
				 *0x8c369a70 = _t82 + 1;
				_t84 =  &_v24;
				E00007FF87FF88C30EFA4(_t66, _t84, _t102, _t104, 0x8c32398d,  &_v40, __r10, __r11);
				goto 0x8c3100b8;
				r8d = 1;
				 *0x8c369a70 = _t84 + 1;
				_t86 = _t66;
				E00007FF87FF88C30C43C(0x20, _t55, _t66, _t86, _t102, _t102, _t104, 0x8c32398d, _t115, _t116, __r12);
				goto 0x8c310268;
				 *0x8c369a70 =  &(_t86[0]);
				E00007FF87FF88C30EAB8(_t42, _t66, _t66, _t102, _t102, _t104, 0x8c32398d, _t115, _t116);
				goto 0x8c310268;
				E00007FF87FF88C30A490(1, _t63,  &_v40);
				asm("movups xmm0, [eax]");
				asm("movdqu [ebx], xmm0");
				return E00007FF87FF88C30AC78(_t63, _t66, _t102);
			}

0x7ff88c31006c
0x7ff88c31006c
0x7ff88c31006c
0x7ff88c31006c
0x7ff88c31006c
0x7ff88c31006c
0x7ff88c31006c
0x7ff88c310071
0x7ff88c31007e
0x7ff88c310083
0x7ff88c310086
0x7ff88c31008d
0x7ff88c310091
0x7ff88c310097
0x7ff88c31009a
0x7ff88c31009e
0x7ff88c3100a1
0x7ff88c3100a7
0x7ff88c3100ab
0x7ff88c3100ad
0x7ff88c3100b1
0x7ff88c3100b3
0x7ff88c3100b6
0x7ff88c3100bb
0x7ff88c3100c0
0x7ff88c3100d0
0x7ff88c3100d9
0x7ff88c3100e1
0x7ff88c3100e6
0x7ff88c3100f4
0x7ff88c3100fe
0x7ff88c310109
0x7ff88c31010c
0x7ff88c310111
0x7ff88c310116
0x7ff88c31011b
0x7ff88c310120
0x7ff88c310125
0x7ff88c310129
0x7ff88c31012f
0x7ff88c310136
0x7ff88c31013a
0x7ff88c31013e
0x7ff88c310143
0x7ff88c310147
0x7ff88c310151
0x7ff88c310153
0x7ff88c31015c
0x7ff88c310164
0x7ff88c31016c
0x7ff88c310171
0x7ff88c310175
0x7ff88c310179
0x7ff88c31017d
0x7ff88c310189
0x7ff88c310190
0x7ff88c310193
0x7ff88c310198
0x7ff88c3101a0
0x7ff88c3101a7
0x7ff88c3101b4
0x7ff88c3101bd
0x7ff88c3101c5
0x7ff88c3101ca
0x7ff88c3101d8
0x7ff88c3101dd
0x7ff88c3101e1
0x7ff88c3101e6
0x7ff88c3101f9
0x7ff88c310200
0x7ff88c310207
0x7ff88c31020f
0x7ff88c310217
0x7ff88c310220
0x7ff88c310227
0x7ff88c31022a
0x7ff88c31022f
0x7ff88c310237
0x7ff88c310241
0x7ff88c310246
0x7ff88c310251
0x7ff88c31025c
0x7ff88c31025f
0x7ff88c31027a

APIs

DName::operator=.LIBCMT ref: 00007FF88C3100D0
DName::operator+=.LIBCMT ref: 00007FF88C3100E1
DName::DName.LIBCMT ref: 00007FF88C310193

Part of subcall function 00007FF88C30FC30: DName::operator=.LIBCMT ref: 00007FF88C30FCB7
Part of subcall function 00007FF88C30FC30: DName::DName.LIBCMT ref: 00007FF88C30FF73
Part of subcall function 00007FF88C30FC30: DName::operator+=.LIBCMT ref: 00007FF88C30FF88
Part of subcall function 00007FF88C30FC30: DName::DName.LIBCMT ref: 00007FF88C30FFA6
Part of subcall function 00007FF88C30FC30: DName::operator+=.LIBCMT ref: 00007FF88C30FFBA
Part of subcall function 00007FF88C30FC30: DName::operator+=.LIBCMT ref: 00007FF88C30FFC7

DName::operator+=.LIBCMT ref: 00007FF88C310263

Strings

volatile, xrefs: 00007FF88C3100C5, 00007FF88C3101A9
std::nullptr_t, xrefs: 00007FF88C310182

Memory Dump Source

Source File: 00000000.00000002.323590886.00007FF88C301000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF88C300000, based on PE: true

Associated: 00000000.00000002.323573707.00007FF88C300000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323655700.00007FF88C322000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323798879.00007FF88C367000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323812343.00007FF88C36A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323824687.00007FF88C36C000.00000010.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323839114.00007FF88C36D000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff88c300000_loaddll64.jbxd

Similarity

API ID: Name::operator+=$NameName::$Name::operator=
String ID: std::nullptr_t$volatile
API String ID: 3368348380-3726895890
Opcode ID: e3e0294c1502f321fe908f92438bca3b529613c9a668d4bdf7da87f404110895
Instruction ID: b5f0c8f6e671e94b77b07aeb3c8892ad3b311e26f34a021e3e515758067a01e9
Opcode Fuzzy Hash: e3e0294c1502f321fe908f92438bca3b529613c9a668d4bdf7da87f404110895
Instruction Fuzzy Hash: FB519166E1CA1688FB509B64F805FBC63A0BF567C8F548232E94E56A9DCF3DA047C300

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF88C30D634 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 60
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 78%

			E00007FF87FF88C30D634(void* __ecx, void* __edx, void* __esi, void* __rax, long long* __rcx, void* __rdi, void* __rsi, void* __r8, void* __r10, long long __r11) {
				char _v24;
				char _v32;
				char _v40;
				void* __rbx;
				signed int _t15;
				char _t18;
				void* _t25;
				void* _t26;
				void* _t38;
				long long* _t40;
				char* _t43;
				intOrPtr _t51;

				_t58 = __rsi;
				_t38 = __rax;
				_t26 = __ecx;
				_t15 =  *0x8c369a8c; // 0x0
				_t51 =  *0x8c323a30; // 0x7ff88c323a18
				_t40 = __rcx;
				if (( !_t15 & 0x00000001) != 0) goto 0x8c30d654;
				_t3 =  &_v40; // -63
				E00007FF87FF88C30A9E0(_t3, _t51 + 2);
				_t43 =  *0x8c369a70; // 0x0
				r11d = 0;
				if ( *_t43 == r11b) goto 0x8c30d6c5;
				_t18 =  *_t43;
				 *0x8c369a70 = _t43 + 1;
				if (_t18 == 0x30) goto 0x8c30d6b2;
				if (_t18 == 0x32) goto 0x8c30d699;
				if (_t18 != 0x35) goto 0x8c30d6fb;
				 *(_t40 + 8) =  *(_t40 + 8) & 0xffff00ff;
				 *_t40 = __r11;
				 *(_t40 + 8) = 2;
				goto 0x8c30d715;
				_t7 =  &_v24; // -47
				E00007FF87FF88C30D358(_t26, __esi, _t18 - 0x35, _t38, _t40, _t7, _t51 + 2, __rdi, __rsi, __r8, __r10, __r11);
				_t8 =  &_v40; // -63
				E00007FF87FF88C30AC78(_t38, _t8, _t38);
				goto 0x8c30d6fb;
				_t9 =  &_v40; // -63
				E00007FF87FF88C30AFE0(_t26, __esi, _t38, _t40, _t9, "void", __rsi, __r8);
				goto 0x8c30d6fb;
				if (_v32 - 1 > 0) goto 0x8c30d6fb;
				if (_v40 == __r11) goto 0x8c30d6ec;
				E00007FF87FF88C30A12C(1, "void");
				_t12 =  &_v40; // -63
				E00007FF87FF88C30A564(_t38, _t40, _t12, _t38, __r8);
				goto 0x8c30d6fb;
				_t13 =  &_v40; // -63
				E00007FF87FF88C30A640(1, _t38, _t13);
				_t14 =  &_v40; // -63
				_t25 = E00007FF87FF88C30AFE0(1, __esi, _t38, _t40, _t14, ") ", _t58, __r8);
				asm("movups xmm5, [esp+0x20]");
				asm("movdqu [ebx], xmm5");
				return _t25;
			}

0x7ff88c30d634
0x7ff88c30d634
0x7ff88c30d634
0x7ff88c30d63a
0x7ff88c30d640
0x7ff88c30d647
0x7ff88c30d64e
0x7ff88c30d654
0x7ff88c30d659
0x7ff88c30d65e
0x7ff88c30d665
0x7ff88c30d66b
0x7ff88c30d66d
0x7ff88c30d673
0x7ff88c30d67d
0x7ff88c30d682
0x7ff88c30d687
0x7ff88c30d689
0x7ff88c30d690
0x7ff88c30d693
0x7ff88c30d697
0x7ff88c30d699
0x7ff88c30d69e
0x7ff88c30d6a3
0x7ff88c30d6ab
0x7ff88c30d6b0
0x7ff88c30d6b9
0x7ff88c30d6be
0x7ff88c30d6c3
0x7ff88c30d6ca
0x7ff88c30d6d1
0x7ff88c30d6d8
0x7ff88c30d6dd
0x7ff88c30d6e5
0x7ff88c30d6ea
0x7ff88c30d6ec
0x7ff88c30d6f6
0x7ff88c30d702
0x7ff88c30d707
0x7ff88c30d70c
0x7ff88c30d711
0x7ff88c30d71d

APIs

DName::DName.LIBCMT ref: 00007FF88C30D659
UnDecorator::getScopedName.LIBCMT ref: 00007FF88C30D69E

Part of subcall function 00007FF88C30D358: UnDecorator::getZName.LIBCMT ref: 00007FF88C30D380
Part of subcall function 00007FF88C30D358: DName::operator+=.LIBCMT ref: 00007FF88C30D3BF
Part of subcall function 00007FF88C30D358: DName::operator+=.LIBCMT ref: 00007FF88C30D3D4

DName::operator+=.LIBCMT ref: 00007FF88C30D6AB
DName::operator+=.LIBCMT ref: 00007FF88C30D707

Part of subcall function 00007FF88C30AFE0: DName::operator=.LIBCMT ref: 00007FF88C30B00B

Strings

void, xrefs: 00007FF88C30D6B2

Memory Dump Source

Source File: 00000000.00000002.323590886.00007FF88C301000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF88C300000, based on PE: true

Associated: 00000000.00000002.323573707.00007FF88C300000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323655700.00007FF88C322000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323798879.00007FF88C367000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323812343.00007FF88C36A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323824687.00007FF88C36C000.00000010.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323839114.00007FF88C36D000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff88c300000_loaddll64.jbxd

Similarity

API ID: Name::operator+=$Name$Decorator::get$Name::Name::operator=Scoped
String ID: void
API String ID: 3435855044-3531332078
Opcode ID: 9bdf0d8be4b29ed2f5a80e3554fd8d2770c7793c3c2b7f353ed8f11209626f34
Instruction ID: 3d02c4633562518c4c47c6c01606753f3bf18f57c036cb7e03a4e0e5168443f8
Opcode Fuzzy Hash: 9bdf0d8be4b29ed2f5a80e3554fd8d2770c7793c3c2b7f353ed8f11209626f34
Instruction Fuzzy Hash: 3021B563D1CA8681EB20DB64E45597D63A0FF573C4F848131D98E4669ECE2CE587CB00

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF88C31F244 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 49
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00007FF87FF88C31F244(void* __rax, long long __rbx, intOrPtr* __rcx, void* __rdx, void* __rsi, void* __rbp, void* __r8, long long _a8) {
				void* _t33;
				void* _t44;
				intOrPtr* _t46;
				long long _t47;
				intOrPtr _t54;

				_t61 = __r8;
				_t56 = __rsi;
				_t44 = __rax;
				_a8 = __rbx;
				if (__rcx == 0) goto 0x8c31f2d4;
				_t46 =  *((intOrPtr*)(__rcx));
				if (_t46 == 0) goto 0x8c31f2d4;
				if ( *_t46 != 0xe06d7363) goto 0x8c31f29a;
				if ( *((intOrPtr*)(_t46 + 0x18)) != 4) goto 0x8c31f29a;
				if ( *((intOrPtr*)(_t46 + 0x20)) == 0x19930520) goto 0x8c31f287;
				if ( *((intOrPtr*)(_t46 + 0x20)) == 0x19930521) goto 0x8c31f287;
				if ( *((intOrPtr*)(_t46 + 0x20)) != 0x19930522) goto 0x8c31f29a;
				_t41 =  *((long long*)(_t46 + 0x30));
				if ( *((long long*)(_t46 + 0x30)) != 0) goto 0x8c31f29a;
				E00007FF87FF88C307F5C(_t33,  *((long long*)(_t46 + 0x30)), __rax, __rcx, __rsi, __r8);
				_t47 =  *((intOrPtr*)(_t44 + 0xf0));
				_t54 =  *((intOrPtr*)(_t47 + 0x28));
				E00007FF87FF88C31EA0C(_t33,  *((long long*)(_t46 + 0x30)), _t44, __rdx, _t54);
				E00007FF87FF88C307F5C(_t33, _t41, _t44, __rdx, __rsi, __r8);
				 *((long long*)(__rdx + 0x10)) =  *((intOrPtr*)(_t44 + 0xf0));
				E00007FF87FF88C307F5C(_t33, _t41, _t44,  *((intOrPtr*)(_t44 + 0xf0)), __rsi, __r8);
				_t52 =  *((intOrPtr*)(_t44 + 0xf8));
				 *((long long*)(__rdx + 0x18)) =  *((intOrPtr*)(_t44 + 0xf8));
				E00007FF87FF88C307F5C(_t33, _t41, _t44,  *((intOrPtr*)(_t44 + 0xf8)), _t56, _t61);
				 *((long long*)(_t44 + 0xf0)) = _t47;
				goto 0x8c31f2de;
				 *(_t54 + 0x10) =  *(_t54 + 0x10) | 0xffffffff;
				 *(_t54 + 0x18) =  *(_t54 + 0x18) | 0xffffffff;
				E00007FF87FF88C307F5C(_t33, _t41, _t44,  *((intOrPtr*)(_t44 + 0xf8)), _t56, _t61);
				 *(_t44 + 0x100) =  *(_t44 + 0x100) - 1;
				E00007FF87FF88C307F5C(_t33, _t41, _t44, _t52, _t56, _t61);
				if ( *(_t44 + 0x100) >= 0) goto 0x8c31f303;
				E00007FF87FF88C307F5C(_t33,  *(_t44 + 0x100), _t44, _t52, _t56, _t61);
				 *(_t44 + 0x100) =  *(_t44 + 0x100) & 0x00000000;
				return 1;
			}

0x7ff88c31f244
0x7ff88c31f244
0x7ff88c31f244
0x7ff88c31f244
0x7ff88c31f254
0x7ff88c31f256
0x7ff88c31f25c
0x7ff88c31f264
0x7ff88c31f26a
0x7ff88c31f273
0x7ff88c31f27c
0x7ff88c31f285
0x7ff88c31f287
0x7ff88c31f28c
0x7ff88c31f28e
0x7ff88c31f293
0x7ff88c31f29a
0x7ff88c31f2a1
0x7ff88c31f2a6
0x7ff88c31f2b2
0x7ff88c31f2b6
0x7ff88c31f2bb
0x7ff88c31f2c2
0x7ff88c31f2c6
0x7ff88c31f2cb
0x7ff88c31f2d2
0x7ff88c31f2d4
0x7ff88c31f2d9
0x7ff88c31f2de
0x7ff88c31f2e3
0x7ff88c31f2e9
0x7ff88c31f2f5
0x7ff88c31f2f7
0x7ff88c31f2fc
0x7ff88c31f312

APIs

_getptd.LIBCMT ref: 00007FF88C31F28E
_CreateFrameInfo.LIBCMT ref: 00007FF88C31F2A1
_getptd.LIBCMT ref: 00007FF88C31F2A6
_getptd.LIBCMT ref: 00007FF88C31F2B6
_getptd.LIBCMT ref: 00007FF88C31F2C6
_getptd.LIBCMT ref: 00007FF88C31F2DE
_getptd.LIBCMT ref: 00007FF88C31F2E9
_getptd.LIBCMT ref: 00007FF88C31F2F7

Strings

csm, xrefs: 00007FF88C31F25E

Memory Dump Source

Source File: 00000000.00000002.323590886.00007FF88C301000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF88C300000, based on PE: true

Associated: 00000000.00000002.323573707.00007FF88C300000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323655700.00007FF88C322000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323798879.00007FF88C367000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323812343.00007FF88C36A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323824687.00007FF88C36C000.00000010.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323839114.00007FF88C36D000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff88c300000_loaddll64.jbxd

Similarity

API ID: _getptd$CreateFrameInfo
String ID: csm
API String ID: 4181383844-1018135373
Opcode ID: 4275ce68d65128f1caca79e562f1c792041253e0e39948ca886fefc6bb3175a3
Instruction ID: b3a13e79612cf36fcab0d5efcc978a4cea000f7a5e894f94dda38c550dcb53b5
Opcode Fuzzy Hash: 4275ce68d65128f1caca79e562f1c792041253e0e39948ca886fefc6bb3175a3
Instruction Fuzzy Hash: 25211D3A90474389EA649B61D4407B833A0FF6ABE4F194336EA6D466CACF78D493C741

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF88C317044 Relevance: 15.3, APIs: 10, Instructions: 253
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E00007FF87FF88C317044(signed long long __rbx, long long __rcx, void* __rdx, long long __rsi, long long __rbp, void* __r8, void* __r9) {
				void* _v40;
				signed int _v48;
				char _v65;
				intOrPtr _v66;
				signed short _v72;
				signed long long _v96;
				signed int _v104;
				char _v120;
				char _v128;
				char _v136;
				long long _v144;
				long long _v152;
				void* __rdi;
				signed int _t102;
				signed int _t133;
				signed int _t138;
				void* _t140;
				intOrPtr _t166;
				signed long long _t169;
				signed long long _t170;
				intOrPtr* _t171;
				signed int _t172;
				long long _t174;
				signed long long _t182;
				signed char* _t188;
				signed char* _t193;
				signed long long _t210;
				int _t221;
				long long _t222;
				long long _t224;
				intOrPtr* _t227;
				long long _t228;
				void* _t230;
				void* _t235;
				void* _t238;
				void* _t240;
				signed long long _t241;
				void* _t243;
				signed long long _t244;
				void* _t246;
				signed long long _t247;
				void* _t249;
				signed long long _t250;

				_t235 = __r9;
				_t224 = __rsi;
				_t182 = __rbx;
				_t238 = _t230;
				 *((long long*)(_t238 + 0x10)) = __rbx;
				 *((long long*)(_t238 + 0x18)) = __rbp;
				 *((long long*)(_t238 + 0x20)) = __rsi;
				_t169 =  *0x8c3670a0; // 0xfd5a6ce2fd9f
				_t170 = _t169 ^ _t230 - 0x00000090;
				_v48 = _t170;
				_t222 = __rcx;
				 *((long long*)(_t238 - 0x58)) = __rcx;
				_v96 = __rbx;
				r13d = 0;
				r15d = 0;
				r14d = 0;
				r12d = 0;
				 *((long long*)(_t238 - 0x50)) = __rbx;
				if ( *((intOrPtr*)(__rcx + 0x14)) == 0) goto 0x8c3173df;
				_t227 = __rcx + 4;
				_t10 = _t182 + 1; // 0x1
				_t140 = _t10;
				if ( *_t227 != 0) goto 0x8c3170cb;
				r8d =  *(__rcx + 0x30) & 0x0000ffff;
				r9d = 0x1004;
				_v152 = _t227;
				if (E00007FF87FF88C312BF4(0, _t238 - 0x58, __r8) != 0) goto 0x8c3173af;
				E00007FF87FF88C3078EC(4, E00007FF87FF88C312BF4(0, _t238 - 0x58, __r8), __rbx, _t238 - 0x58, __rcx, __rsi);
				r12d = 0x180;
				_v96 = _t170;
				E00007FF87FF88C30796C(_t182, _t238 - 0x58, __rdx, _t222, _t224, _t227, _t249, _t246);
				_t244 = _t170;
				E00007FF87FF88C30796C(_t182, _t238 - 0x58, _t224, _t222, _t224, _t227, _t243, _t240);
				_t250 = _t170;
				E00007FF87FF88C30796C(_t182, _t238 - 0x58, _t224, _t222, _t224, _t227);
				_t247 = _t170;
				E00007FF87FF88C30796C(_t182, _t238 - 0x58, _t224, _t222, _t224, _t227);
				_t241 = _t170;
				_t171 = _v96;
				if (_t171 == 0) goto 0x8c3173af;
				if (_t244 == 0) goto 0x8c3173af;
				if (_t241 == 0) goto 0x8c3173af;
				if (_t250 == 0) goto 0x8c3173af;
				if (_t247 == 0) goto 0x8c3173af;
				 *_t171 = 0;
				 *_t241 = 0;
				if (0 + _t140 - 0x100 < 0) goto 0x8c317155;
				if (GetCPInfo(_t221) == 0) goto 0x8c3173af;
				if (_v72 - 5 > 0) goto 0x8c3173af;
				_t102 = _v72 & 0x0000ffff;
				_v104 = _t102;
				if (_t102 - _t140 <= 0) goto 0x8c3171c0;
				if (_v66 == 0) goto 0x8c3171c0;
				_t22 =  &_v65; // 0x1f7
				_t188 = _t22;
				if ( *_t188 == 0) goto 0x8c3171c0;
				_t133 =  *(_t188 - 1) & 0x000000ff;
				goto 0x8c3171b0;
				_t172 = _t133;
				 *((char*)(_t172 + _t241)) = 0x20;
				if (_t133 + _t140 - ( *_t188 & 0x000000ff) <= 0) goto 0x8c3171a6;
				if ( *((intOrPtr*)( &(_t188[2]) - 1)) != 0) goto 0x8c31719c;
				_v128 = 0;
				_t27 = _t244 + 0x100; // 0x100
				_v136 = 0;
				_v144 =  *_t227;
				_v152 = _t27;
				r9d = 0x100;
				if (E00007FF87FF88C315684(_t140,  *((intOrPtr*)( &(_t188[2]) - 1)), _t172, _t182, _t27, _t224, _t241, _t235) == 0) goto 0x8c3173af;
				_v120 = 0;
				_v128 =  *_t227;
				_t34 = _t250 + 0x81; // 0x81
				_v136 = 0xff;
				_v144 = _t34;
				_t37 = _t172 + 1; // 0x100
				r8d = _t37;
				_t38 = _t241 + 1; // 0x1
				_v152 = 0xff;
				if (E00007FF87FF88C31548C( *((intOrPtr*)(_t222 + 0x14)), E00007FF87FF88C315684(_t140,  *((intOrPtr*)( &(_t188[2]) - 1)), _t172, _t182, _t27, _t224, _t241, _t235), _t172, _t182, _t34, _t224, _t241, _t38) == 0) goto 0x8c3173af;
				_v120 = 0;
				_v128 =  *_t227;
				_t43 = _t247 + 0x81; // 0x81
				_v136 = 0xff;
				_v144 = _t43;
				_t46 = _t241 + 1; // 0x1
				r8d = 0x200;
				_v152 = 0xff;
				if (E00007FF87FF88C31548C( *((intOrPtr*)(_t222 + 0x14)), E00007FF87FF88C31548C( *((intOrPtr*)(_t222 + 0x14)), E00007FF87FF88C315684(_t140,  *((intOrPtr*)( &(_t188[2]) - 1)), _t172, _t182, _t27, _t224, _t241, _t235), _t172, _t182, _t34, _t224, _t241, _t38), _t172, _t182, _t43, _t224, _t241, _t46) == 0) goto 0x8c3173af;
				_t48 = _t244 + 0xfe; // 0xfe
				_t228 = _t48;
				 *_t228 = 0;
				 *((char*)(_t250 + 0x7f)) = 0;
				 *((char*)(_t247 + 0x7f)) = 0;
				 *((char*)(_t250 + 0x80)) = 0;
				 *((char*)(_t247 + 0x80)) = 0;
				if (_v104 - _t140 <= 0) goto 0x8c3172d5;
				if (_v66 == 0) goto 0x8c3172d5;
				_t55 =  &_v65; // 0x1f7
				_t193 = _t55;
				if ( *_t193 == 0) goto 0x8c3172d5;
				_t138 =  *(_t193 - 1) & 0x000000ff;
				goto 0x8c3172c5;
				r8d = 0x8000;
				 *((intOrPtr*)(_t244 + 0x100 + _t138 * 2)) = r8w;
				if (_t138 + _t140 - ( *_t193 & 0x000000ff) <= 0) goto 0x8c3172b1;
				if ( *((intOrPtr*)( &(_t193[2]) - 1)) != 0) goto 0x8c3172a7;
				_t61 = _t244 + 0x200; // 0x200
				r8d = 0xfe;
				E00007FF87FF88C304B80(0,  *((intOrPtr*)( &(_t193[2]) - 1)), _t244, _t61, _t241);
				_t62 = _t250 + 0x100; // 0x100
				r8d = 0x7f;
				E00007FF87FF88C304B80(0,  *((intOrPtr*)( &(_t193[2]) - 1)), _t250, _t62, _t241);
				_t63 = _t247 + 0x100; // 0x100
				r8d = 0x7f;
				E00007FF87FF88C304B80(0,  *((intOrPtr*)( &(_t193[2]) - 1)), _t247, _t63, _t241);
				_t166 =  *((intOrPtr*)(_t222 + 0x130));
				if (_t166 == 0) goto 0x8c317364;
				asm("lock dec dword [ecx]");
				if (_t166 != 0) goto 0x8c317364;
				free(??);
				free(??);
				free(??);
				free(??);
				_t174 = _v96;
				 *_t174 = _t140;
				 *((long long*)(_t222 + 0x130)) = _t174;
				_t71 = _t244 + 0x100; // 0x100
				 *((long long*)(_t222 + 0x140)) = _t71;
				_t73 = _t250 + 0x80; // 0x80
				 *((long long*)(_t222 + 0x138)) = _t228;
				 *((long long*)(_t222 + 0x148)) = _t73;
				_t76 = _t247 + 0x80; // 0x80
				 *((long long*)(_t222 + 0x150)) = _t76;
				 *(_t222 + 0x10c) = _v104;
				goto 0x8c3173d3;
				free(??);
				free(??);
				free(??);
				free(??);
				_t210 = _t241;
				free(??);
				goto 0x8c317433;
				if ( *(_t210 + 0x130) == 0) goto 0x8c3173ee;
				asm("lock dec dword [eax]");
				 *(_t210 + 0x130) = _t182;
				 *((long long*)(_t210 + 0x140)) = 0x8c324960;
				 *(_t210 + 0x138) = _t182;
				 *((long long*)(_t210 + 0x148)) = 0x8c324df0;
				 *((intOrPtr*)(_t210 + 0x10c)) = 1;
				 *((long long*)(_t210 + 0x150)) = 0x8c324f70;
				return E00007FF87FF88C304980(0, _v48 ^ _t230 - 0x00000090, _t63, _t241);
			}

0x7ff88c317044
0x7ff88c317044
0x7ff88c317044
0x7ff88c317044
0x7ff88c317047
0x7ff88c31704b
0x7ff88c31704f
0x7ff88c317063
0x7ff88c31706a
0x7ff88c31706d
0x7ff88c317077
0x7ff88c31707a
0x7ff88c31707e
0x7ff88c317083
0x7ff88c317086
0x7ff88c317089
0x7ff88c31708c
0x7ff88c31708f
0x7ff88c317096
0x7ff88c31709c
0x7ff88c3170a0
0x7ff88c3170a0
0x7ff88c3170a6
0x7ff88c3170a8
0x7ff88c3170b3
0x7ff88c3170b9
0x7ff88c3170c5
0x7ff88c3170d0
0x7ff88c3170d5
0x7ff88c3170e3
0x7ff88c3170e8
0x7ff88c3170f3
0x7ff88c3170f6
0x7ff88c317101
0x7ff88c317104
0x7ff88c317111
0x7ff88c317114
0x7ff88c317119
0x7ff88c31711c
0x7ff88c317124
0x7ff88c31712d
0x7ff88c317136
0x7ff88c31713f
0x7ff88c317148
0x7ff88c31714e
0x7ff88c317155
0x7ff88c317161
0x7ff88c317173
0x7ff88c31717e
0x7ff88c317184
0x7ff88c317189
0x7ff88c31718f
0x7ff88c317195
0x7ff88c317197
0x7ff88c317197
0x7ff88c31719e
0x7ff88c3171a0
0x7ff88c3171a4
0x7ff88c3171a6
0x7ff88c3171ab
0x7ff88c3171b5
0x7ff88c3171be
0x7ff88c3171c3
0x7ff88c3171c7
0x7ff88c3171ce
0x7ff88c3171d2
0x7ff88c3171d6
0x7ff88c3171dd
0x7ff88c3171ef
0x7ff88c3171fb
0x7ff88c3171ff
0x7ff88c317208
0x7ff88c31720f
0x7ff88c317213
0x7ff88c317218
0x7ff88c317218
0x7ff88c31721c
0x7ff88c317223
0x7ff88c31722e
0x7ff88c31723a
0x7ff88c31723e
0x7ff88c317247
0x7ff88c31724e
0x7ff88c317252
0x7ff88c317257
0x7ff88c31725e
0x7ff88c317264
0x7ff88c31726f
0x7ff88c317275
0x7ff88c317275
0x7ff88c31727c
0x7ff88c317280
0x7ff88c317284
0x7ff88c317288
0x7ff88c31728f
0x7ff88c31729a
0x7ff88c3172a0
0x7ff88c3172a2
0x7ff88c3172a2
0x7ff88c3172a9
0x7ff88c3172ab
0x7ff88c3172af
0x7ff88c3172b4
0x7ff88c3172bc
0x7ff88c3172ca
0x7ff88c3172d3
0x7ff88c3172d5
0x7ff88c3172dc
0x7ff88c3172e5
0x7ff88c3172ea
0x7ff88c3172f1
0x7ff88c3172fa
0x7ff88c3172ff
0x7ff88c317306
0x7ff88c31730f
0x7ff88c31731b
0x7ff88c31731e
0x7ff88c317320
0x7ff88c317323
0x7ff88c317333
0x7ff88c317343
0x7ff88c317353
0x7ff88c31735f
0x7ff88c317364
0x7ff88c317369
0x7ff88c31736b
0x7ff88c317372
0x7ff88c317379
0x7ff88c317380
0x7ff88c317387
0x7ff88c31738e
0x7ff88c317395
0x7ff88c31739c
0x7ff88c3173a7
0x7ff88c3173ad
0x7ff88c3173b4
0x7ff88c3173bc
0x7ff88c3173c4
0x7ff88c3173cc
0x7ff88c3173d3
0x7ff88c3173d6
0x7ff88c3173dd
0x7ff88c3173e9
0x7ff88c3173eb
0x7ff88c3173fa
0x7ff88c317401
0x7ff88c31740f
0x7ff88c317416
0x7ff88c317424
0x7ff88c31742a
0x7ff88c317463

APIs

GetCPInfo.KERNEL32 ref: 00007FF88C31716B

Part of subcall function 00007FF88C312BF4: GetLastError.KERNEL32 ref: 00007FF88C312C58
Part of subcall function 00007FF88C312BF4: free.LIBCMT ref: 00007FF88C312CD6

free.LIBCMT ref: 00007FF88C317333
free.LIBCMT ref: 00007FF88C317343
free.LIBCMT ref: 00007FF88C317353
free.LIBCMT ref: 00007FF88C31735F
free.LIBCMT ref: 00007FF88C3173B4
free.LIBCMT ref: 00007FF88C3173BC
free.LIBCMT ref: 00007FF88C3173C4
free.LIBCMT ref: 00007FF88C3173CC
free.LIBCMT ref: 00007FF88C3173D6

Memory Dump Source

Source File: 00000000.00000002.323590886.00007FF88C301000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF88C300000, based on PE: true

Associated: 00000000.00000002.323573707.00007FF88C300000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323655700.00007FF88C322000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323798879.00007FF88C367000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323812343.00007FF88C36A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323824687.00007FF88C36C000.00000010.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323839114.00007FF88C36D000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff88c300000_loaddll64.jbxd

Similarity

API ID: free$ErrorInfoLast
String ID:
API String ID: 189849726-0
Opcode ID: 5b3cedf5892a88679238b254cc7ed3fbde736adc97075d0204ee1f638311c18d
Instruction ID: 1ebe32a19d52d90deabc717fbe350e750e710fcaaa0b0e65e55255c16ffaf7e4
Opcode Fuzzy Hash: 5b3cedf5892a88679238b254cc7ed3fbde736adc97075d0204ee1f638311c18d
Instruction Fuzzy Hash: 93B1C132A086D28AE710CF25E444BAD77A4FB8ABC4F584136EA8C87799DF3DD542C740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF88C30B494 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 70
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 83%

			E00007FF87FF88C30B494(void* __edx, long long __rbx, long long __rcx, long long _a8) {
				char _v24;
				char _v40;
				signed int _v48;
				char _v56;
				intOrPtr _t13;
				char _t20;
				intOrPtr* _t35;
				char* _t36;
				long long* _t39;
				long long _t44;

				_a8 = __rbx;
				_t35 =  *0x8c369a70; // 0x0
				_v48 = _v48 & 0xffff0000;
				_t39 = __rcx;
				_v56 = __rcx;
				if ( *_t35 == 0) goto 0x8c30b579;
				_t13 =  *_t35;
				if (_t13 - 0x30 < 0) goto 0x8c30b569;
				if (_t13 - 0x31 <= 0) goto 0x8c30b4ff;
				if (_t13 - 0x33 <= 0) goto 0x8c30b4f6;
				if (_t13 == 0x34) goto 0x8c30b50f;
				if (_t13 == 0x35) goto 0x8c30b4ed;
				if (_t13 - 0x36 - 1 > 0) goto 0x8c30b569;
				goto 0x8c30b506;
				goto 0x8c30b506;
				goto 0x8c30b506;
				E00007FF87FF88C30AD7C( &_v56, "char ");
				_t36 =  *0x8c369a70; // 0x0
				_t20 =  *_t36;
				 *0x8c369a70 =  *0x8c369a70 + 1;
				if (_t20 == 0x31) goto 0x8c30b53a;
				if (_t20 == 0x33) goto 0x8c30b53a;
				if (_t20 == 0x35) goto 0x8c30b53a;
				if (_t20 == 0x37) goto 0x8c30b53a;
				asm("movaps xmm0, [ebp-0x30]");
				goto 0x8c30b563;
				E00007FF87FF88C30A9E0( &_v24, "unsigned ");
				_t44 =  &_v40;
				asm("movups xmm0, [eax]");
				asm("movdqu [ebp-0x20], xmm0");
				E00007FF87FF88C30AC78(_t36, _t44,  &_v56);
				asm("movaps xmm0, [ebp-0x20]");
				asm("movdqu [ebx], xmm0");
				goto 0x8c30b586;
				 *(_t39 + 8) =  *(_t39 + 8) & 0xffff00ff;
				 *_t39 = _t44;
				 *(_t39 + 8) = 2;
				goto 0x8c30b586;
				return E00007FF87FF88C30A490(1, _t36, _t39);
			}

0x7ff88c30b494
0x7ff88c30b4a1
0x7ff88c30b4a8
0x7ff88c30b4af
0x7ff88c30b4b4
0x7ff88c30b4ba
0x7ff88c30b4c0
0x7ff88c30b4c4
0x7ff88c30b4cc
0x7ff88c30b4d0
0x7ff88c30b4d4
0x7ff88c30b4d8
0x7ff88c30b4de
0x7ff88c30b4eb
0x7ff88c30b4f4
0x7ff88c30b4fd
0x7ff88c30b50a
0x7ff88c30b50f
0x7ff88c30b516
0x7ff88c30b519
0x7ff88c30b523
0x7ff88c30b528
0x7ff88c30b52d
0x7ff88c30b532
0x7ff88c30b534
0x7ff88c30b538
0x7ff88c30b545
0x7ff88c30b54e
0x7ff88c30b552
0x7ff88c30b555
0x7ff88c30b55a
0x7ff88c30b55f
0x7ff88c30b563
0x7ff88c30b567
0x7ff88c30b569
0x7ff88c30b570
0x7ff88c30b573
0x7ff88c30b577
0x7ff88c30b593

APIs

DName::operator=.LIBCMT ref: 00007FF88C30B50A
DName::DName.LIBCMT ref: 00007FF88C30B545
DName::operator+=.LIBCMT ref: 00007FF88C30B55A

Strings

unsigned , xrefs: 00007FF88C30B53A
short , xrefs: 00007FF88C30B4F6
char , xrefs: 00007FF88C30B4FF
int , xrefs: 00007FF88C30B4ED
long , xrefs: 00007FF88C30B4E4

Memory Dump Source

Source File: 00000000.00000002.323590886.00007FF88C301000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF88C300000, based on PE: true

Associated: 00000000.00000002.323573707.00007FF88C300000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323655700.00007FF88C322000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323798879.00007FF88C367000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323812343.00007FF88C36A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323824687.00007FF88C36C000.00000010.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323839114.00007FF88C36D000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff88c300000_loaddll64.jbxd

Similarity

API ID: NameName::Name::operator+=Name::operator=
String ID: char $int $long $short $unsigned
API String ID: 2246115127-3894466517
Opcode ID: 1243f92251c8e19eea035179f36734e9d5a2edfa9e2e6b8ac2dd73cf8380ae09
Instruction ID: 852ee4c39448cb2ec46a94f51482ca8f571ab51bc7c6ec5d18fc373f74479c03
Opcode Fuzzy Hash: 1243f92251c8e19eea035179f36734e9d5a2edfa9e2e6b8ac2dd73cf8380ae09
Instruction Fuzzy Hash: E7318123E1C64694FB158BA8E8558BC23A1BF03788F848171D68E1A6ADDF2CE547C704

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF88C30B69C Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 62
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 57%

			E00007FF87FF88C30B69C(void* __edx, void* __esi, long long __rbx, void* __rcx, void* __rdx, long long __rdi, void* __rsi, void* __r8, void* __r11, long long _a8, long long _a16) {
				char _v24;
				char _v40;
				signed int _v48;
				char _v56;
				char* _t34;
				long long _t35;
				long long _t38;
				void* _t54;

				_a8 = __rbx;
				_a16 = __rdi;
				_t34 =  *0x8c369a70; // 0x0
				_t54 = __rcx;
				if ( *_t34 == 0) goto 0x8c30b71f;
				if ( *_t34 != 0x5a) goto 0x8c30b6e5;
				_t35 = _t34 + 1;
				_v48 = _v48 & 0xffff0000;
				_v56 = __rbx;
				asm("movups xmm0, [ebp-0x30]");
				 *0x8c369a70 = _t35;
				asm("movdqu [ecx], xmm0");
				goto 0x8c30b77b;
				_t6 =  &_v40; // -47
				E00007FF87FF88C30B594(__edx, __esi, _t6, __rdx, __rsi, __r8, __r11);
				_t7 =  &_v24; // -31
				_t38 = _t35;
				E00007FF87FF88C30A9E0(_t7, " throw(");
				_t8 =  &_v56; // -63
				asm("movups xmm0, [eax]");
				asm("movdqu [ebp-0x30], xmm0");
				E00007FF87FF88C30AC78(_t35, _t8, _t38);
				asm("movups xmm5, [ebp-0x30]");
				asm("movdqu [edi], xmm5");
				goto 0x8c30b771;
				_t9 =  &_v24; // -31
				E00007FF87FF88C30A9E0(_t9, " throw(");
				asm("movups xmm0, [eax]");
				asm("movdqu [ebp-0x30], xmm0");
				if (_v48 - 1 > 0) goto 0x8c30b769;
				if (_v56 == _t38) goto 0x8c30b75b;
				E00007FF87FF88C30A12C(1, " throw(");
				_t12 =  &_v56; // -63
				E00007FF87FF88C30A564(_t35, _t38, _t12, _t35, __r8);
				goto 0x8c30b769;
				_t13 =  &_v56; // -63
				E00007FF87FF88C30A640(1, _t35, _t13);
				asm("movups xmm0, [ebp-0x30]");
				asm("movdqu [edi], xmm0");
				return E00007FF87FF88C30AF5C(0x29, __esi, _t35, _t38, _t54, __rsi, __r8);
			}

0x7ff88c30b69c
0x7ff88c30b6a1
0x7ff88c30b6ae
0x7ff88c30b6b7
0x7ff88c30b6bc
0x7ff88c30b6c1
0x7ff88c30b6c3
0x7ff88c30b6c6
0x7ff88c30b6cd
0x7ff88c30b6d1
0x7ff88c30b6d5
0x7ff88c30b6dc
0x7ff88c30b6e0
0x7ff88c30b6e5
0x7ff88c30b6e9
0x7ff88c30b6f5
0x7ff88c30b6f9
0x7ff88c30b6fc
0x7ff88c30b701
0x7ff88c30b708
0x7ff88c30b70b
0x7ff88c30b710
0x7ff88c30b715
0x7ff88c30b719
0x7ff88c30b71d
0x7ff88c30b726
0x7ff88c30b72a
0x7ff88c30b72f
0x7ff88c30b732
0x7ff88c30b73b
0x7ff88c30b741
0x7ff88c30b748
0x7ff88c30b74d
0x7ff88c30b754
0x7ff88c30b759
0x7ff88c30b75b
0x7ff88c30b764
0x7ff88c30b769
0x7ff88c30b76d
0x7ff88c30b78d

APIs

DName::DName.LIBCMT ref: 00007FF88C30B6FC
DName::operator+=.LIBCMT ref: 00007FF88C30B710
DName::DName.LIBCMT ref: 00007FF88C30B72A
DNameStatusNode::make.LIBCMT ref: 00007FF88C30B748
DName::append.LIBCMT ref: 00007FF88C30B754
DName::operator+=.LIBCMT ref: 00007FF88C30B776

Strings

throw(, xrefs: 00007FF88C30B6EE, 00007FF88C30B71F

Memory Dump Source

Source File: 00000000.00000002.323590886.00007FF88C301000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF88C300000, based on PE: true

Associated: 00000000.00000002.323573707.00007FF88C300000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323655700.00007FF88C322000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323798879.00007FF88C367000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323812343.00007FF88C36A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323824687.00007FF88C36C000.00000010.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323839114.00007FF88C36D000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff88c300000_loaddll64.jbxd

Similarity

API ID: Name$Name::Name::operator+=$Name::appendNode::makeStatus
String ID: throw(
API String ID: 1273216807-3159766648
Opcode ID: 6ed7ac167c6794ebb61a8798f0f8af70d9180646039040b14f5f680f2cadbfa9
Instruction ID: 297980fd467377f58961a221ff04e17b4f3dfe29f468017637fe7d34a03b6929
Opcode Fuzzy Hash: 6ed7ac167c6794ebb61a8798f0f8af70d9180646039040b14f5f680f2cadbfa9
Instruction Fuzzy Hash: FB214F23E18B6694F700DBA4E9419FC2360BB5A788F449130EF4E1678EDF7CA186C740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF88C30B790 Relevance: 13.6, APIs: 9, Instructions: 148
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 64%

			E00007FF87FF88C30B790(void* __esi, void* __eflags, void* __rax, long long __rbx, signed long long* __rcx, long long* __rdx, long long __rdi, void* __rsi, signed int __r8, void* __r10, long long __r12, long long _a8, long long _a16, long long _a24) {
				void* _v8;
				char _v24;
				char _v40;
				signed int _v48;
				signed int _v56;
				char _v72;
				void* _t44;
				void* _t53;
				void* _t80;
				char* _t81;
				char* _t83;
				signed long long* _t90;
				long long _t93;
				char* _t94;
				long long _t105;
				intOrPtr* _t115;
				long long* _t124;

				_t122 = __r8;
				_t117 = __rsi;
				_t80 = __rax;
				_a8 = __rbx;
				_a16 = __rdi;
				_a24 = __r12;
				r10d = _v48;
				_v56 = _v56 & 0x00000000;
				_t90 = __rcx;
				_t93 =  *0x8c369a70; // 0x0
				_t124 = __rdx;
				r10d = r10d & 0xffff0000;
				r12d = 1;
				_t115 = __r8;
				_v48 = r10d;
				_t94 = _t93 + __r12;
				 *0x8c369a70 = _t94;
				r8d =  *_t94;
				if (__eflags == 0) goto 0x8c30b99a;
				if (__eflags == 0) goto 0x8c30b95a;
				if (__eflags == 0) goto 0x8c30b94e;
				if ( *_t94 == 0) goto 0x8c30b93e;
				if ( *((intOrPtr*)(_t94 + 1)) == 0) goto 0x8c30b93e;
				if (r9d == 0) goto 0x8c30b828;
				__rcx[1] = __rcx[1] & 0xffff00ff;
				 *__rcx =  *__rcx & 0x00000000;
				__rcx[1] = 2;
				goto 0x8c30b9dc;
				r8d = r8d + r8d;
				 *0x8c369a70 = _t94 + 2;
				if (__rax + __r8 * 8 - 0x330 - r12d <= 0) goto 0x8c30b897;
				_v56 = _v56 & 0x00000000;
				r10d = r10d & 0xffffff00;
				_t17 =  &_v72; // -159
				r10d = r10d & 0xffff00ff;
				_t18 =  &_v56; // -143
				r8d = r12d;
				_v48 = r10d;
				_v72 = 0x2c;
				_t44 = E00007FF87FF88C30A8FC(__rax, __rcx, _t18, _t17, __rsi, __r8);
				_t21 =  &_v24; // -111
				E00007FF87FF88C30AB18(_t44, _t21, _t17, _t117, __r10);
				_t22 =  &_v40; // -127
				asm("movaps xmm0, [ebp-0x30]");
				asm("movdqa [ebp-0x20], xmm0");
				E00007FF87FF88C30AC78(_t80, _t22, _t80);
				asm("movaps xmm5, [ebp-0x20]");
				goto 0x8c30b89b;
				asm("movaps xmm5, [ebp-0x30]");
				_t23 =  &_v40; // -127
				asm("movdqa [ebp-0x20], xmm5");
				E00007FF87FF88C30AF5C(0x3e, __esi, _t80, __rcx, _t23, _t117, _t122);
				_t81 =  *0x8c369a70; // 0x0
				asm("movaps xmm5, [ebp-0x20]");
				asm("movdqa [ebp-0x30], xmm5");
				if ( *_t81 != 0x24) goto 0x8c30b8cc;
				 *0x8c369a70 = _t81 + __r12;
				goto 0x8c30b8ec;
				_t24 =  &_v40; // -127
				asm("movdqa [ebp-0x20], xmm5");
				E00007FF87FF88C30AF5C(0x5e, __esi, _t81 + __r12, _t90, _t24, _t117, _t122);
				_t83 =  *0x8c369a70; // 0x0
				asm("movaps xmm5, [ebp-0x20]");
				asm("movdqa [ebp-0x30], xmm5");
				if ( *_t83 == 0) goto 0x8c30b8fd;
				_t84 = _t83 + __r12;
				 *0x8c369a70 = _t83 + __r12;
				goto 0x8c30b92c;
				if (_v48 - r12b > 0) goto 0x8c30b92c;
				if (_v56 == 0) goto 0x8c30b920;
				E00007FF87FF88C30A12C(r12d, _t80);
				_t27 =  &_v56; // -143
				E00007FF87FF88C30A564(_t83 + __r12, _t90, _t27, _t83 + __r12, _t122);
				goto 0x8c30b92c;
				_t28 =  &_v56; // -143
				E00007FF87FF88C30A640(r12d, _t84, _t28);
				asm("bts dword [ebp-0x28], 0xe");
				asm("movaps xmm0, [ebp-0x30]");
				asm("movdqu [ebx], xmm0");
				goto 0x8c30b9dc;
				E00007FF87FF88C30A490(r12d, _t84, _t90);
				goto 0x8c30b9dc;
				 *_t124 = 0x8c323930;
				goto 0x8c30b991;
				if (r9d != 0) goto 0x8c30b814;
				_v56 = _v56 & 0x00000000;
				r10d = r10d & 0xffffff00;
				_t31 =  &_v72; // -159
				r10d = r10d & 0xffff00ff;
				_t32 =  &_v56; // -143
				r8d = r12d;
				 *_t115 = r12b;
				_v72 = 0x3e;
				_v48 = r10d;
				_t53 = E00007FF87FF88C30A8FC(_t84, _t90, _t32, _t31, _t117, _t122);
				 *0x8c369a70 =  *0x8c369a70 + __r12;
				goto 0x8c30b9cd;
				if (r9d != 0) goto 0x8c30b9c3;
				_t87 =  ==  ? 0x8c323930 : 0x8c323910;
				 *_t124 =  ==  ? 0x8c323930 : 0x8c323910;
				_t105 =  *0x8c369a70; // 0x0
				 *0x8c369a70 = _t105 + __r12;
				 *_t90 =  *_t90 & 0x00000000;
				_t90[1] = 0;
				_t90[1] = _t90[1] & 0xffff00ff;
				return _t53;
			}

0x7ff88c30b790
0x7ff88c30b790
0x7ff88c30b790
0x7ff88c30b790
0x7ff88c30b795
0x7ff88c30b79a
0x7ff88c30b7a7
0x7ff88c30b7ab
0x7ff88c30b7b0
0x7ff88c30b7b3
0x7ff88c30b7ba
0x7ff88c30b7bd
0x7ff88c30b7c4
0x7ff88c30b7ca
0x7ff88c30b7cd
0x7ff88c30b7d1
0x7ff88c30b7d4
0x7ff88c30b7db
0x7ff88c30b7e5
0x7ff88c30b7ed
0x7ff88c30b7f5
0x7ff88c30b7fe
0x7ff88c30b809
0x7ff88c30b812
0x7ff88c30b814
0x7ff88c30b81b
0x7ff88c30b81f
0x7ff88c30b823
0x7ff88c30b828
0x7ff88c30b83a
0x7ff88c30b844
0x7ff88c30b846
0x7ff88c30b84b
0x7ff88c30b852
0x7ff88c30b856
0x7ff88c30b85d
0x7ff88c30b861
0x7ff88c30b864
0x7ff88c30b868
0x7ff88c30b86c
0x7ff88c30b871
0x7ff88c30b877
0x7ff88c30b87c
0x7ff88c30b880
0x7ff88c30b887
0x7ff88c30b88c
0x7ff88c30b891
0x7ff88c30b895
0x7ff88c30b897
0x7ff88c30b89b
0x7ff88c30b8a1
0x7ff88c30b8a6
0x7ff88c30b8ab
0x7ff88c30b8b2
0x7ff88c30b8b9
0x7ff88c30b8be
0x7ff88c30b8c3
0x7ff88c30b8ca
0x7ff88c30b8cc
0x7ff88c30b8d2
0x7ff88c30b8d7
0x7ff88c30b8dc
0x7ff88c30b8e3
0x7ff88c30b8e7
0x7ff88c30b8ef
0x7ff88c30b8f1
0x7ff88c30b8f4
0x7ff88c30b8fb
0x7ff88c30b901
0x7ff88c30b908
0x7ff88c30b90d
0x7ff88c30b912
0x7ff88c30b919
0x7ff88c30b91e
0x7ff88c30b920
0x7ff88c30b927
0x7ff88c30b92c
0x7ff88c30b931
0x7ff88c30b935
0x7ff88c30b939
0x7ff88c30b944
0x7ff88c30b949
0x7ff88c30b955
0x7ff88c30b958
0x7ff88c30b95d
0x7ff88c30b963
0x7ff88c30b968
0x7ff88c30b96f
0x7ff88c30b973
0x7ff88c30b97a
0x7ff88c30b97e
0x7ff88c30b981
0x7ff88c30b984
0x7ff88c30b988
0x7ff88c30b98c
0x7ff88c30b991
0x7ff88c30b998
0x7ff88c30b99d
0x7ff88c30b9b5
0x7ff88c30b9b9
0x7ff88c30b9bc
0x7ff88c30b9c6
0x7ff88c30b9cd
0x7ff88c30b9d1
0x7ff88c30b9d5
0x7ff88c30b9f4

APIs

DName::doPchar.LIBCMT ref: 00007FF88C30B86C
DName::DName.LIBCMT ref: 00007FF88C30B877
DName::operator+=.LIBCMT ref: 00007FF88C30B88C
DName::operator+=.LIBCMT ref: 00007FF88C30B8A6
DName::doPchar.LIBCMT ref: 00007FF88C30B98C

Memory Dump Source

Source File: 00000000.00000002.323590886.00007FF88C301000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF88C300000, based on PE: true

Associated: 00000000.00000002.323573707.00007FF88C300000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323655700.00007FF88C322000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323798879.00007FF88C367000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323812343.00007FF88C36A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323824687.00007FF88C36C000.00000010.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323839114.00007FF88C36D000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff88c300000_loaddll64.jbxd

Similarity

API ID: Name::doName::operator+=Pchar$NameName::
String ID:
API String ID: 2781464480-0
Opcode ID: 99671a4e335a8329cffdfb9985cf23364a79fa902206f28572c9fbdf4b870813
Instruction ID: 932c28785bfd1e91d02c93983741da7fd18fa9b67473926911233f78b5f344a5
Opcode Fuzzy Hash: 99671a4e335a8329cffdfb9985cf23364a79fa902206f28572c9fbdf4b870813
Instruction Fuzzy Hash: 3B718163E18B5294F7118BB4E845BBC67B0BB1A788F544134DE8E16B9DDF3CA542CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF88C30B32C Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 104
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 91%

			E00007FF87FF88C30B32C(void* __edx, void* __rax, long long __rbx, signed long long* __rcx, long long __rdi, long long __rsi, void* __r10, void* __r11, long long _a8, long long _a16, long long _a24) {
				void* _v8;
				char _v24;
				char _v40;
				char _v56;
				char _v72;
				void* _t22;
				signed int _t24;
				void* _t29;
				void* _t30;
				void* _t33;
				void* _t34;
				void* _t52;
				long long _t77;
				char* _t78;
				char* _t84;
				char* _t85;
				long long _t86;
				intOrPtr* _t87;

				_t77 = __rsi;
				_t52 = __rax;
				_a8 = __rbx;
				_a16 = __rsi;
				_a24 = __rdi;
				_t84 =  *0x8c369a70; // 0x0
				r9b = __edx;
				_t4 = _t77 + 1; // 0x1
				r10d = _t4;
				if ( *_t84 != 0x51) goto 0x8c30b36d;
				_t85 = _t84 + __r10;
				_t78 = "`non-type-template-parameter";
				 *0x8c369a70 = _t85;
				if ( *_t85 != 0) goto 0x8c30b381;
				_t22 = E00007FF87FF88C30A490(r10d, __rax, __rcx);
				goto 0x8c30b47b;
				if (_t22 - 0x30 < 0) goto 0x8c30b3b4;
				if (_t22 - 0x39 > 0) goto 0x8c30b3b4;
				_t86 = _t85 + __r10;
				_t24 =  *_t85 - 0x2f;
				 *0x8c369a70 = _t86;
				if (_t78 == 0) goto 0x8c30b3ab;
				goto 0x8c30b43d;
				goto 0x8c30b46f;
				r11b = 0x40;
				goto 0x8c30b3e4;
				if (_t24 == 0) goto 0x8c30b421;
				if (_t24 - 0x41 < 0) goto 0x8c30b410;
				if (_t24 - 0x50 > 0) goto 0x8c30b410;
				_t87 = _t86 + __r10;
				 *0x8c369a70 = _t87;
				if ( *_t87 != r11b) goto 0x8c30b3bb;
				 *0x8c369a70 = _t87 + __r10;
				if ( *_t87 != r11b) goto 0x8c30b410;
				if (r9b == 0) goto 0x8c30b434;
				if (_t78 == 0) goto 0x8c30b429;
				_t29 = E00007FF87FF88C30ABA8( *_t87,  &_v24, (_t24 << 4) + _t24 - 0x41, _t78, __r11);
				goto 0x8c30b442;
				__rcx[1] = __rcx[1] & 0xffff00ff;
				 *__rcx =  *__rcx & 0x00000000;
				__rcx[1] = 2;
				goto 0x8c30b47b;
				goto 0x8c30b374;
				_t30 = E00007FF87FF88C30ABA8(_t29,  &_v56, (_t24 << 4) + _t24 - 0x41, _t78, __r11);
				goto 0x8c30b474;
				if (_t78 == 0) goto 0x8c30b46b;
				E00007FF87FF88C30AB18(_t30,  &_v24, (_t24 << 4) + _t24 - 0x41, _t78, __r10);
				E00007FF87FF88C30A9E0( &_v40, _t78);
				asm("movups xmm0, [eax]");
				asm("movdqu [ebp-0x40], xmm0");
				_t33 = E00007FF87FF88C30AC78(_t52,  &_v72, _t52);
				goto 0x8c30b474;
				_t34 = E00007FF87FF88C30AB18(_t33,  &_v56, _t52, _t78, __r10);
				asm("movups xmm0, [eax]");
				asm("movdqu [edi], xmm0");
				return _t34;
			}

0x7ff88c30b32c
0x7ff88c30b32c
0x7ff88c30b32c
0x7ff88c30b331
0x7ff88c30b336
0x7ff88c30b343
0x7ff88c30b34c
0x7ff88c30b356
0x7ff88c30b356
0x7ff88c30b35a
0x7ff88c30b35c
0x7ff88c30b35f
0x7ff88c30b366
0x7ff88c30b372
0x7ff88c30b377
0x7ff88c30b37c
0x7ff88c30b383
0x7ff88c30b387
0x7ff88c30b38d
0x7ff88c30b390
0x7ff88c30b393
0x7ff88c30b3a0
0x7ff88c30b3a6
0x7ff88c30b3af
0x7ff88c30b3b6
0x7ff88c30b3b9
0x7ff88c30b3bd
0x7ff88c30b3c1
0x7ff88c30b3c5
0x7ff88c30b3d7
0x7ff88c30b3da
0x7ff88c30b3e7
0x7ff88c30b3ef
0x7ff88c30b3f9
0x7ff88c30b3fe
0x7ff88c30b403
0x7ff88c30b409
0x7ff88c30b40e
0x7ff88c30b410
0x7ff88c30b417
0x7ff88c30b41b
0x7ff88c30b41f
0x7ff88c30b424
0x7ff88c30b42d
0x7ff88c30b432
0x7ff88c30b437
0x7ff88c30b43d
0x7ff88c30b44c
0x7ff88c30b458
0x7ff88c30b45b
0x7ff88c30b460
0x7ff88c30b469
0x7ff88c30b46f
0x7ff88c30b474
0x7ff88c30b477
0x7ff88c30b493

APIs

DName::DName.LIBCMT ref: 00007FF88C30B409
DName::DName.LIBCMT ref: 00007FF88C30B43D

Part of subcall function 00007FF88C30AB18: DName::doPchar.LIBCMT ref: 00007FF88C30AB8C

DName::DName.LIBCMT ref: 00007FF88C30B44C
DName::operator+=.LIBCMT ref: 00007FF88C30B460
DName::DName.LIBCMT ref: 00007FF88C30B46F

Strings

`non-type-template-parameter, xrefs: 00007FF88C30B35F

Memory Dump Source

Source File: 00000000.00000002.323590886.00007FF88C301000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF88C300000, based on PE: true

Associated: 00000000.00000002.323573707.00007FF88C300000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323655700.00007FF88C322000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323798879.00007FF88C367000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323812343.00007FF88C36A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323824687.00007FF88C36C000.00000010.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323839114.00007FF88C36D000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff88c300000_loaddll64.jbxd

Similarity

API ID: NameName::$Name::doName::operator+=Pchar
String ID: `non-type-template-parameter
API String ID: 1070866305-4247534891
Opcode ID: ebfb67ad80e1486a4e21ed64bc85b18c645d60f7a7fcbe1c197d33356fb7316f
Instruction ID: b3e678f0363f18376323bc851cfb90d1a5c4cb33c8386a7ef7c5ffa09eb37a52
Opcode Fuzzy Hash: ebfb67ad80e1486a4e21ed64bc85b18c645d60f7a7fcbe1c197d33356fb7316f
Instruction Fuzzy Hash: 0A41A133E4CB92A5FA109BA4D841ABC6361BF167C8F944036CA9D16B8EDF2CE547C700

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF88C30B594 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 63
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 54%

			E00007FF87FF88C30B594(void* __edx, void* __esi, long long* __rcx, void* __rdx, void* __rsi, void* __r8, long long __r11) {
				intOrPtr _v16;
				char _v24;
				void* __rbx;
				void* _t19;
				void* _t21;
				char* _t31;
				char* _t32;
				char* _t34;
				long long _t35;
				char* _t37;
				long long* _t40;
				void* _t48;
				long long _t52;

				_t52 = __r11;
				_t50 = __rsi;
				_t21 = __esi;
				_t31 =  *0x8c369a70; // 0x0
				_t40 = __rcx;
				if ( *_t31 == 0x58) goto 0x8c30b67c;
				if ( *_t31 == 0x5a) goto 0x8c30b651;
				_t1 =  &_v24; // 0x11
				E00007FF87FF88C30B06C(__rcx, _t1, __rdx, __rsi, __r8);
				r11d = 0;
				if (_v16 != r11b) goto 0x8c30b646;
				_t32 =  *0x8c369a70; // 0x0
				if ( *_t32 == r11b) goto 0x8c30b646;
				if ( *_t32 == 0x40) goto 0x8c30b63c;
				if ( *_t32 == 0x5a) goto 0x8c30b5f3;
				 *(_t40 + 8) =  *(_t40 + 8) & 0xffff00ff;
				 *_t40 = _t52;
				 *(_t40 + 8) = 2;
				goto 0x8c30b692;
				asm("movaps xmm0, [esp+0x20]");
				 *0x8c369a70 = _t32 + 1;
				_t6 =  &_v24; // 0x11
				asm("movdqa [esp+0x20], xmm0");
				_t34 = ",...";
				_t46 =  !=  ? _t34 : ",<ellipsis>";
				E00007FF87FF88C30AFE0(_t19, _t21, _t34, _t40, _t6,  !=  ? _t34 : ",<ellipsis>", _t50, __r8);
				asm("movaps xmm5, [esp+0x20]");
				asm("movdqu [ebx], xmm5");
				goto 0x8c30b692;
				_t35 = _t34 + 1;
				 *0x8c369a70 = _t35;
				asm("movaps xmm0, [esp+0x20]");
				asm("movdqu [ebx], xmm0");
				goto 0x8c30b692;
				 *0x8c369a70 = _t35 + 1;
				_t37 = "...";
				_t48 =  !=  ? _t37 : "<ellipsis>";
				goto 0x8c30b68d;
				 *0x8c369a70 = _t37 + 1;
				return E00007FF87FF88C30A9E0(_t6, "void");
			}

0x7ff88c30b594
0x7ff88c30b594
0x7ff88c30b594
0x7ff88c30b59a
0x7ff88c30b5a1
0x7ff88c30b5a7
0x7ff88c30b5b0
0x7ff88c30b5b6
0x7ff88c30b5bb
0x7ff88c30b5c0
0x7ff88c30b5c8
0x7ff88c30b5ca
0x7ff88c30b5d4
0x7ff88c30b5d9
0x7ff88c30b5de
0x7ff88c30b5e0
0x7ff88c30b5e7
0x7ff88c30b5ea
0x7ff88c30b5ee
0x7ff88c30b5f3
0x7ff88c30b602
0x7ff88c30b60f
0x7ff88c30b614
0x7ff88c30b621
0x7ff88c30b628
0x7ff88c30b62c
0x7ff88c30b631
0x7ff88c30b636
0x7ff88c30b63a
0x7ff88c30b63c
0x7ff88c30b63f
0x7ff88c30b646
0x7ff88c30b64b
0x7ff88c30b64f
0x7ff88c30b65b
0x7ff88c30b66f
0x7ff88c30b676
0x7ff88c30b67a
0x7ff88c30b686
0x7ff88c30b69a

APIs

DName::DName.LIBCMT ref: 00007FF88C30B68D

Part of subcall function 00007FF88C30B06C: DName::operator+=.LIBCMT ref: 00007FF88C30B106

DName::operator+=.LIBCMT ref: 00007FF88C30B62C

Strings

..., xrefs: 00007FF88C30B66F
<ellipsis>, xrefs: 00007FF88C30B654
,..., xrefs: 00007FF88C30B621
,<ellipsis>, xrefs: 00007FF88C30B5FB
void, xrefs: 00007FF88C30B67F

Memory Dump Source

Source File: 00000000.00000002.323590886.00007FF88C301000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF88C300000, based on PE: true

Associated: 00000000.00000002.323573707.00007FF88C300000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323655700.00007FF88C322000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323798879.00007FF88C367000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323812343.00007FF88C36A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323824687.00007FF88C36C000.00000010.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323839114.00007FF88C36D000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff88c300000_loaddll64.jbxd

Similarity

API ID: Name::operator+=$NameName::
String ID: ,...$,<ellipsis>$...$<ellipsis>$void
API String ID: 2762593306-2211150622
Opcode ID: 2d7cf302916db1ecd5d891cd0d34d7e29f4f0e15d4064c183889cdf6d2640d66
Instruction ID: 7d036e40dc7e95c524589daf924d61b85e8b2e0f75ceb41d7743b4b42fbb030b
Opcode Fuzzy Hash: 2d7cf302916db1ecd5d891cd0d34d7e29f4f0e15d4064c183889cdf6d2640d66
Instruction Fuzzy Hash: 12317F63D0CB8AA5FB618B24E840979A7E4FF46789F449231DA8D06669DF3CE547CB00

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF88C3151C0 Relevance: 12.2, APIs: 8, Instructions: 206COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32 ref: 00007FF88C31525A
MultiByteToWideChar.KERNEL32 ref: 00007FF88C3152F7
LCMapStringW.KERNEL32 ref: 00007FF88C31531E
LCMapStringW.KERNEL32 ref: 00007FF88C315366
LCMapStringW.KERNEL32 ref: 00007FF88C3153F8
WideCharToMultiByte.KERNEL32 ref: 00007FF88C315438
free.LIBCMT ref: 00007FF88C31544C

Part of subcall function 00007FF88C3052E4: _FF_MSGBANNER.LIBCMT ref: 00007FF88C305314
Part of subcall function 00007FF88C3052E4: RtlAllocateHeap.NTDLL(?,?,?,00007FF88C304F2A,?,?,?,00007FF88C304FA4), ref: 00007FF88C305339
Part of subcall function 00007FF88C3052E4: _errno.LIBCMT ref: 00007FF88C30535D
Part of subcall function 00007FF88C3052E4: _errno.LIBCMT ref: 00007FF88C305368

free.LIBCMT ref: 00007FF88C31545D

Memory Dump Source

Source File: 00000000.00000002.323590886.00007FF88C301000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF88C300000, based on PE: true

Associated: 00000000.00000002.323573707.00007FF88C300000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323655700.00007FF88C322000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323798879.00007FF88C367000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323812343.00007FF88C36A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323824687.00007FF88C36C000.00000010.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323839114.00007FF88C36D000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff88c300000_loaddll64.jbxd

Similarity

API ID: ByteCharMultiStringWide$_errnofree$AllocateHeap
String ID:
API String ID: 826377931-0
Opcode ID: 71ba438707870b54f0aa3c6e8792739d52b07d9480e9c5713b9f3b8f1337d58f
Instruction ID: 05789181358975f0cebce931312ca8cdc57521a0ed34f462326c1d208f6d9f78
Opcode Fuzzy Hash: 71ba438707870b54f0aa3c6e8792739d52b07d9480e9c5713b9f3b8f1337d58f
Instruction Fuzzy Hash: CD81A432B087828BEB248F26D440A6976A5FB4A7E5F544236FA5D87BD8DF7CD502C700

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF88C30F88C Relevance: 12.1, APIs: 8, Instructions: 88
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 82%

			E00007FF87FF88C30F88C(signed int __ecx, void* __edx, void* __esi, long long __rbx, long long __rcx, intOrPtr* __rdx, long long __rdi, long long __rsi, intOrPtr* __r8, char* __r9, void* __r10, void* __r11, long long _a8, long long _a16, long long _a24) {
				char _v40;
				intOrPtr _v56;
				void* __r12;
				void* _t34;
				signed int _t37;
				void* _t38;
				void* _t41;
				char* _t54;
				long long _t56;
				long long _t84;
				intOrPtr* _t96;
				char* _t97;

				_t56 = __rbx;
				_t41 = __esi;
				_t38 = __edx;
				_t37 = __ecx;
				_a8 = __rbx;
				_a16 = __rsi;
				_a24 = __rdi;
				_t54 =  *0x8c369a70; // 0x0
				_t97 = __r9;
				_t96 = __rdx;
				_t84 = __rcx;
				if ( *_t54 == 0) goto 0x8c30f950;
				if ( *_t54 - 0x36 < 0) goto 0x8c30f8ce;
				if ( *_t54 - 0x39 <= 0) goto 0x8c30f8d3;
				if ( *_t54 != 0x5f) goto 0x8c30f921;
				E00007FF87FF88C30A9E0( &_v40, __r9);
				if ( *__rdx == __rbx) goto 0x8c30f8ff;
				if ( *__r8 == __rbx) goto 0x8c30f8f3;
				if (( *(__r8 + 8) & 0x00000100) != 0) goto 0x8c30f8ff;
				E00007FF87FF88C30AC78(_t54,  &_v40, __rdx);
				if ( *__r8 == __rbx) goto 0x8c30f910;
				E00007FF87FF88C30AC78(_t54,  &_v40, __r8);
				E00007FF87FF88C30EAB8(_t37, __rbx, _t84,  &_v40, __r8, _t84, __r8, __r10, __r11);
				goto 0x8c30f9a6;
				_v56 = 0;
				E00007FF87FF88C30EFA4(_t56,  &_v40, __r8, _t84, _t97,  &_v40, __r10, __r11);
				r8d = 0 |  *_t97 == 0x0000002a;
				E00007FF87FF88C30C43C(_t38, _t41, _t56, _t84,  &_v40, __r8, _t84, _t97, __r10, __r11, _t96);
				goto 0x8c30f9a6;
				E00007FF87FF88C30A490(1, _t54,  &_v40);
				E00007FF87FF88C30AFE0(_t37, _t41, _t54, _t56,  &_v40, _t97, _t84, _t97);
				if ( *_t96 == _t56) goto 0x8c30f97c;
				E00007FF87FF88C30AC78(_t54,  &_v40, _t96);
				if ( *__r8 == _t56) goto 0x8c30f99e;
				if ( *_t96 == _t56) goto 0x8c30f992;
				E00007FF87FF88C30AF5C(0x20, _t41, _t54, _t56,  &_v40, _t84, _t97);
				_t34 = E00007FF87FF88C30AC78(_t54,  &_v40, __r8);
				asm("movups xmm0, [ebp-0x10]");
				asm("movdqu [esi], xmm0");
				return _t34;
			}

0x7ff88c30f88c
0x7ff88c30f88c
0x7ff88c30f88c
0x7ff88c30f88c
0x7ff88c30f88c
0x7ff88c30f891
0x7ff88c30f896
0x7ff88c30f8a7
0x7ff88c30f8b0
0x7ff88c30f8b6
0x7ff88c30f8b9
0x7ff88c30f8be
0x7ff88c30f8c7
0x7ff88c30f8cc
0x7ff88c30f8d1
0x7ff88c30f8da
0x7ff88c30f8e3
0x7ff88c30f8e8
0x7ff88c30f8f1
0x7ff88c30f8fa
0x7ff88c30f902
0x7ff88c30f90b
0x7ff88c30f917
0x7ff88c30f91c
0x7ff88c30f92e
0x7ff88c30f932
0x7ff88c30f946
0x7ff88c30f949
0x7ff88c30f94e
0x7ff88c30f959
0x7ff88c30f965
0x7ff88c30f96e
0x7ff88c30f977
0x7ff88c30f97f
0x7ff88c30f985
0x7ff88c30f98d
0x7ff88c30f999
0x7ff88c30f99e
0x7ff88c30f9a2
0x7ff88c30f9c1

APIs

DName::DName.LIBCMT ref: 00007FF88C30F8DA
DName::operator+=.LIBCMT ref: 00007FF88C30F8FA
DName::operator+=.LIBCMT ref: 00007FF88C30F90B
UnDecorator::getPtrRefDataType.LIBCMT ref: 00007FF88C30F949
DName::operator+=.LIBCMT ref: 00007FF88C30F965
DName::operator+=.LIBCMT ref: 00007FF88C30F977
DName::operator+=.LIBCMT ref: 00007FF88C30F98D
DName::operator+=.LIBCMT ref: 00007FF88C30F999

Memory Dump Source

Source File: 00000000.00000002.323590886.00007FF88C301000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF88C300000, based on PE: true

Associated: 00000000.00000002.323573707.00007FF88C300000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323655700.00007FF88C322000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323798879.00007FF88C367000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323812343.00007FF88C36A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323824687.00007FF88C36C000.00000010.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323839114.00007FF88C36D000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff88c300000_loaddll64.jbxd

Similarity

API ID: Name::operator+=$DataDecorator::getNameName::Type
String ID:
API String ID: 3992992251-0
Opcode ID: 7e6c286c6c48ef6f753f78de37e16501fa56a0ee91237fe5db063ec76c69990d
Instruction ID: 3e91ccbb0af5e43e77d60091ac82bb1a031487e0091c7d99fba66ade36fdced2
Opcode Fuzzy Hash: 7e6c286c6c48ef6f753f78de37e16501fa56a0ee91237fe5db063ec76c69990d
Instruction Fuzzy Hash: B4316CA3E08B9255FB10DBA1D9449BD6364BB5ABC4F848832DF4C4268EDF3CD156C711

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF88C3095F0 Relevance: 12.1, APIs: 8, Instructions: 59
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 48%

			E00007FF87FF88C3095F0(void* __ecx, long long __rax, long long __rbx, void* __rcx, void* __rdx, long long __rdi, long long __rsi, void* __rbp, void* __r8, void* __r9, long long _a8, long long _a16, long long _a24) {
				void* _t21;
				long long _t36;
				void* _t38;
				void* _t41;
				signed long long _t48;

				_t50 = __rsi;
				_t41 = __rcx;
				_t36 = __rax;
				_a8 = __rbx;
				_a16 = __rsi;
				_a24 = __rdi;
				_t38 = __ecx;
				if ( *0x8c3696c8 != 0) goto 0x8c30962e;
				E00007FF87FF88C30758C();
				_t4 = _t50 + 0x1d; // 0x1e
				E00007FF87FF88C30732C(_t4,  *0x8c3696c8, _t38, __rsi, __rbp);
				E00007FF87FF88C306F0C();
				_t48 = _t38 + _t38;
				if ( *((long long*)(0x8c367680 + _t48 * 8)) == 0) goto 0x8c309647;
				goto 0x8c3096c0;
				E00007FF87FF88C3078EC(0x28,  *((long long*)(0x8c367680 + _t48 * 8)), _t38, _t41, _t48, _t50);
				if (_t36 != 0) goto 0x8c309668;
				E00007FF87FF88C307698(_t36);
				 *_t36 = 0xc;
				goto 0x8c3096c0;
				E00007FF87FF88C3096D8();
				if ( *((long long*)(0x8c367680 + _t48 * 8)) != 0) goto 0x8c3096ab;
				if (InitializeCriticalSectionAndSpinCount(??, ??) != 0) goto 0x8c3096a4;
				free(??);
				_t21 = E00007FF87FF88C307698(_t36);
				 *_t36 = 0xc;
				goto 0x8c3096b1;
				 *((long long*)(0x8c367680 + _t48 * 8)) = _t36;
				goto 0x8c3096b1;
				free(??);
				LeaveCriticalSection(??);
				goto 0x8c309643;
				return _t21;
			}

0x7ff88c3095f0
0x7ff88c3095f0
0x7ff88c3095f0
0x7ff88c3095f0
0x7ff88c3095f5
0x7ff88c3095fa
0x7ff88c309605
0x7ff88c309615
0x7ff88c309617
0x7ff88c30961c
0x7ff88c30961f
0x7ff88c309629
0x7ff88c309631
0x7ff88c309641
0x7ff88c309645
0x7ff88c30964c
0x7ff88c309657
0x7ff88c309659
0x7ff88c30965e
0x7ff88c309666
0x7ff88c30966d
0x7ff88c30967c
0x7ff88c30968b
0x7ff88c309690
0x7ff88c309695
0x7ff88c30969a
0x7ff88c3096a2
0x7ff88c3096a4
0x7ff88c3096a9
0x7ff88c3096ab
0x7ff88c3096b8
0x7ff88c3096be
0x7ff88c3096d5

APIs

_FF_MSGBANNER.LIBCMT ref: 00007FF88C309617

Part of subcall function 00007FF88C30758C: _set_error_mode.LIBCMT ref: 00007FF88C307595
Part of subcall function 00007FF88C30758C: _set_error_mode.LIBCMT ref: 00007FF88C3075A4

Part of subcall function 00007FF88C30732C: _set_error_mode.LIBCMT ref: 00007FF88C307371
Part of subcall function 00007FF88C30732C: _set_error_mode.LIBCMT ref: 00007FF88C307382
Part of subcall function 00007FF88C30732C: GetModuleFileNameW.KERNEL32 ref: 00007FF88C3073E4

Part of subcall function 00007FF88C306F0C: ExitProcess.KERNEL32 ref: 00007FF88C306F1B

Part of subcall function 00007FF88C3078EC: Sleep.KERNEL32(?,?,?,00007FF88C309651,?,?,?,00007FF88C3096FB,?,?,?,?,?,?,00000000,00007FF88C307F30), ref: 00007FF88C30792A

_errno.LIBCMT ref: 00007FF88C309659
_lock.LIBCMT ref: 00007FF88C30966D
InitializeCriticalSectionAndSpinCount.KERNEL32(?,?,?,00007FF88C3096FB,?,?,?,?,?,?,00000000,00007FF88C307F30), ref: 00007FF88C309683
free.LIBCMT ref: 00007FF88C309690
_errno.LIBCMT ref: 00007FF88C309695
LeaveCriticalSection.KERNEL32(?,?,?,00007FF88C3096FB,?,?,?,?,?,?,00000000,00007FF88C307F30), ref: 00007FF88C3096B8

Memory Dump Source

Source File: 00000000.00000002.323590886.00007FF88C301000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF88C300000, based on PE: true

Associated: 00000000.00000002.323573707.00007FF88C300000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323655700.00007FF88C322000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323798879.00007FF88C367000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323812343.00007FF88C36A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323824687.00007FF88C36C000.00000010.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323839114.00007FF88C36D000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff88c300000_loaddll64.jbxd

Similarity

API ID: _set_error_mode$CriticalSection_errno$CountExitFileInitializeLeaveModuleNameProcessSleepSpin_lockfree
String ID:
API String ID: 4009675462-0
Opcode ID: 685001a587131c23b7d419c8656bc22d27c73556493ddaaae7142070e5070203
Instruction ID: 088d521e5b61b50e338d770203b3903994328796ca4b240fd93acbea5ed8bbe5
Opcode Fuzzy Hash: 685001a587131c23b7d419c8656bc22d27c73556493ddaaae7142070e5070203
Instruction Fuzzy Hash: ED213822E1D74A82F660ABA0E804FBA6264BF837E0F444034E94E476DECF3CA442C750

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF88C316B58 Relevance: 10.8, APIs: 7, Instructions: 305
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E00007FF87FF88C316B58(intOrPtr* __rax, long long __rbx, long long __rcx, void* __rdx, long long __rdi, long long __rsi, void* __r8, void* __r9, long long _a8, long long _a16, long long _a24) {
				void* _v40;
				long long _v48;
				char _v56;
				long long _v72;
				void* __rbp;
				signed int _t115;
				signed int _t116;
				signed int _t117;
				signed int _t118;
				signed int _t119;
				signed int _t120;
				signed int _t121;
				signed int _t122;
				signed int _t123;
				signed int _t124;
				signed int _t125;
				signed int _t126;
				signed int _t127;
				signed int _t128;
				signed int _t129;
				signed int _t130;
				signed int _t131;
				signed int _t132;
				signed int _t133;
				signed int _t134;
				signed int _t135;
				char _t138;
				char _t139;
				char _t140;
				signed int _t190;
				intOrPtr* _t196;
				intOrPtr _t204;
				intOrPtr* _t206;
				char* _t275;
				char* _t276;
				long long _t278;
				long long _t281;
				void* _t284;
				char* _t288;
				void* _t291;
				long long _t294;
				long long _t295;
				long long _t296;
				intOrPtr* _t297;

				_t291 = __r9;
				_t287 = __r8;
				_t278 = __rdi;
				_t233 = __rcx;
				_t231 = __rbx;
				_t206 = __rax;
				_a8 = __rbx;
				_a16 = __rsi;
				_a24 = __rdi;
				_t281 = __rcx;
				_v56 = __rcx;
				r13d = 0;
				_v48 = __rbx;
				if ( *((intOrPtr*)(__rcx + 0x18)) != 0) goto 0x8c316ba0;
				if ( *((intOrPtr*)(__rcx + 0x1c)) != 0) goto 0x8c316ba0;
				r14d = 0;
				goto 0x8c316f9f;
				r15d = 0x98;
				E00007FF87FF88C30796C(__rbx, __rcx, __rdx, __rdi, __rcx, _t284);
				_t294 = _t206;
				if (_t206 != 0) goto 0x8c316bc5;
				goto 0x8c316fee;
				E00007FF87FF88C3078EC(4, _t206, _t231, _t233, _t278, _t281);
				_t296 = _t206;
				if (_t206 != 0) goto 0x8c316be3;
				free(??);
				goto 0x8c316bbb;
				 *_t206 = 0;
				if ( *((intOrPtr*)(_t281 + 0x18)) == 0) goto 0x8c316f2b;
				E00007FF87FF88C3078EC(4,  *((intOrPtr*)(_t281 + 0x18)), _t231, _t278, _t278, _t281);
				_t295 = _t206;
				_t196 = _t206;
				if (_t196 != 0) goto 0x8c316c0b;
				free(??);
				goto 0x8c316bdc;
				 *_t206 = 0;
				_t190 =  *(_t281 + 0x38) & 0x0000ffff;
				r9d = 0x15;
				_t10 = _t294 + 0x18; // 0x18
				r8d = _t190;
				_v72 = _t10;
				_t115 = E00007FF87FF88C312BF4(__r9 - 0x14,  &_v56, __r8);
				_t14 = _t294 + 0x20; // 0x20
				r9d = 0x14;
				_v72 = _t14;
				r8d = _t190;
				_t116 = E00007FF87FF88C312BF4(_t291 - 0x13,  &_v56, __r8);
				_t18 = _t294 + 0x28; // 0x28
				r9d = 0x16;
				_v72 = _t18;
				r8d = _t190;
				_t117 = E00007FF87FF88C312BF4(_t291 - 0x15,  &_v56, __r8);
				r9d = 0x17;
				_t23 = _t294 + 0x30; // 0x30
				r8d = _t190;
				_v72 = _t23;
				_t118 = E00007FF87FF88C312BF4(_t291 - 0x16,  &_v56, __r8);
				r9d = 0x18;
				_t26 = _t294 + 0x38; // 0x38
				_t297 = _t26;
				r8d = _t190;
				_v72 = _t297;
				_t119 = E00007FF87FF88C312BF4(_t291 - 0x17,  &_v56, _t287);
				r9d = 0x50;
				_t30 = _t294 + 0x40; // 0x40
				r8d = _t190;
				_v72 = _t30;
				_t120 = E00007FF87FF88C312BF4(_t291 - 0x4f,  &_v56, _t287);
				r9d = 0x51;
				_t34 = _t294 + 0x48; // 0x48
				r8d = _t190;
				_v72 = _t34;
				_t121 = E00007FF87FF88C312BF4(_t291 - 0x50,  &_v56, _t287);
				r9d = 0x1a;
				_t39 = _t294 + 0x50; // 0x50
				r8d = _t190;
				_v72 = _t39;
				_t122 = E00007FF87FF88C312BF4(0,  &_v56, _t287);
				r9d = 0x19;
				_t42 = _t294 + 0x51; // 0x51
				r8d = _t190;
				_v72 = _t42;
				_t123 = E00007FF87FF88C312BF4(0,  &_v56, _t287);
				r9d = 0x54;
				_t45 = _t294 + 0x52; // 0x52
				r8d = _t190;
				_v72 = _t45;
				_t124 = E00007FF87FF88C312BF4(0,  &_v56, _t287);
				_t47 = _t294 + 0x53; // 0x53
				r9d = 0x55;
				r8d = _t190;
				_v72 = _t47;
				_t125 = E00007FF87FF88C312BF4(0,  &_v56, _t287);
				_t51 = _t294 + 0x54; // 0x54
				r9d = 0x56;
				r8d = _t190;
				_v72 = _t51;
				_t126 = E00007FF87FF88C312BF4(0,  &_v56, _t287);
				r9d = 0x57;
				_t54 = _t294 + 0x55; // 0x55
				r8d = _t190;
				_v72 = _t54;
				_t127 = E00007FF87FF88C312BF4(0,  &_v56, _t287);
				r9d = 0x52;
				_t57 = _t294 + 0x56; // 0x56
				r8d = _t190;
				_v72 = _t57;
				_t128 = E00007FF87FF88C312BF4(0,  &_v56, _t287);
				r9d = 0x53;
				_t60 = _t294 + 0x57; // 0x57
				r8d = _t190;
				_v72 = _t60;
				_t129 = E00007FF87FF88C312BF4(0,  &_v56, _t287);
				r9d = 0x15;
				_t63 = _t294 + 0x68; // 0x68
				r8d = _t190;
				_v72 = _t63;
				_t130 = E00007FF87FF88C312BF4(_t291 - 0x13,  &_v56, _t287);
				r9d = 0x14;
				_t67 = _t294 + 0x70; // 0x70
				r8d = _t190;
				_v72 = _t67;
				_t131 = E00007FF87FF88C312BF4(_t291 - 0x12,  &_v56, _t287);
				r9d = 0x16;
				_t71 = _t294 + 0x78; // 0x78
				r8d = _t190;
				_v72 = _t71;
				_t132 = E00007FF87FF88C312BF4(_t291 - 0x14,  &_v56, _t287);
				r9d = 0x17;
				_t75 = _t294 + 0x80; // 0x80
				r8d = _t190;
				_v72 = _t75;
				_t133 = E00007FF87FF88C312BF4(_t291 - 0x15,  &_v56, _t287);
				r9d = 0x50;
				_t79 = _t294 + 0x88; // 0x88
				r8d = _t190;
				_v72 = _t79;
				_t134 = E00007FF87FF88C312BF4(_t291 - 0x4e,  &_v56, _t287);
				r9d = 0x51;
				_t82 = _t294 + 0x90; // 0x90
				r8d = _t190;
				_v72 = _t82;
				_t135 = E00007FF87FF88C312BF4(_t291 - 0x4f,  &_v56, _t287);
				if (_t196 == 0) goto 0x8c316ef6;
				E00007FF87FF88C316A4C(_t135 | _t115 | _t116 | _t117 | _t118 | _t119 | _t120 | _t121 | _t122 | _t123 | _t124 | _t125 | _t126 | _t127 | _t128 | _t129 | _t130 | _t131 | _t132 | _t133 | _t134, _t294);
				free(??);
				free(??);
				goto 0x8c316bdc;
				_t275 =  *_t297;
				goto 0x8c316f0e;
				_t138 =  *_t275;
				if (_t138 - 0x30 < 0) goto 0x8c316f14;
				if (_t138 - 0x39 > 0) goto 0x8c316f14;
				_t139 = _t138 - 0x30;
				 *_t275 = _t139;
				_t276 = _t275 + 1;
				if ( *_t276 != 0) goto 0x8c316efd;
				goto 0x8c316f3d;
				if (_t139 != 0x3b) goto 0x8c316f0b;
				_t288 = _t276;
				_t140 =  *((intOrPtr*)(_t288 + 1));
				 *_t288 = _t140;
				if (_t140 != 0) goto 0x8c316f1b;
				goto 0x8c316f0e;
				E00007FF87FF88C304B80(4, _t140, _t294, 0x8c368490, _t297);
				 *_t294 =  *((intOrPtr*)( *((intOrPtr*)(_t281 + 0x128))));
				 *((long long*)(_t294 + 8)) =  *((intOrPtr*)( *((intOrPtr*)(_t281 + 0x128)) + 8));
				 *((long long*)(_t294 + 0x10)) =  *((intOrPtr*)( *((intOrPtr*)(_t281 + 0x128)) + 0x10));
				 *((long long*)(_t294 + 0x58)) =  *((intOrPtr*)( *((intOrPtr*)(_t281 + 0x128)) + 0x58));
				 *((long long*)(_t294 + 0x60)) =  *((intOrPtr*)( *((intOrPtr*)(_t281 + 0x128)) + 0x60));
				 *_t296 = 1;
				if (_t295 == 0) goto 0x8c316f9f;
				 *_t295 = 1;
				if ( *((intOrPtr*)(_t281 + 0x120)) == 0) goto 0x8c316fae;
				asm("lock dec dword [eax]");
				_t204 =  *((intOrPtr*)(_t281 + 0x110));
				if (_t204 == 0) goto 0x8c316fd7;
				asm("lock dec dword [ecx]");
				if (_t204 != 0) goto 0x8c316fd7;
				free(??);
				free(??);
				 *((long long*)(_t281 + 0x120)) = _t295;
				 *((long long*)(_t281 + 0x110)) = _t296;
				 *((long long*)(_t281 + 0x128)) = _t294;
				return 0;
			}

0x7ff88c316b58
0x7ff88c316b58
0x7ff88c316b58
0x7ff88c316b58
0x7ff88c316b58
0x7ff88c316b58
0x7ff88c316b58
0x7ff88c316b5d
0x7ff88c316b62
0x7ff88c316b79
0x7ff88c316b7c
0x7ff88c316b80
0x7ff88c316b83
0x7ff88c316b8a
0x7ff88c316b8f
0x7ff88c316b91
0x7ff88c316b9b
0x7ff88c316ba0
0x7ff88c316bae
0x7ff88c316bb3
0x7ff88c316bb9
0x7ff88c316bc0
0x7ff88c316bcc
0x7ff88c316bd1
0x7ff88c316bd7
0x7ff88c316bdc
0x7ff88c316be1
0x7ff88c316be3
0x7ff88c316be8
0x7ff88c316bf1
0x7ff88c316bf6
0x7ff88c316bf9
0x7ff88c316bfc
0x7ff88c316c01
0x7ff88c316c09
0x7ff88c316c0b
0x7ff88c316c0d
0x7ff88c316c11
0x7ff88c316c17
0x7ff88c316c24
0x7ff88c316c27
0x7ff88c316c2c
0x7ff88c316c31
0x7ff88c316c36
0x7ff88c316c3c
0x7ff88c316c49
0x7ff88c316c4e
0x7ff88c316c53
0x7ff88c316c58
0x7ff88c316c5e
0x7ff88c316c6b
0x7ff88c316c70
0x7ff88c316c75
0x7ff88c316c81
0x7ff88c316c8a
0x7ff88c316c8d
0x7ff88c316c92
0x7ff88c316c97
0x7ff88c316c9d
0x7ff88c316c9d
0x7ff88c316caa
0x7ff88c316caf
0x7ff88c316cb4
0x7ff88c316cb9
0x7ff88c316cc1
0x7ff88c316cce
0x7ff88c316cd1
0x7ff88c316cd6
0x7ff88c316cdb
0x7ff88c316ce3
0x7ff88c316cf0
0x7ff88c316cf3
0x7ff88c316cf8
0x7ff88c316d01
0x7ff88c316d09
0x7ff88c316d0e
0x7ff88c316d13
0x7ff88c316d18
0x7ff88c316d21
0x7ff88c316d29
0x7ff88c316d2e
0x7ff88c316d33
0x7ff88c316d38
0x7ff88c316d41
0x7ff88c316d49
0x7ff88c316d4e
0x7ff88c316d53
0x7ff88c316d58
0x7ff88c316d5f
0x7ff88c316d68
0x7ff88c316d6e
0x7ff88c316d73
0x7ff88c316d78
0x7ff88c316d83
0x7ff88c316d88
0x7ff88c316d8e
0x7ff88c316d93
0x7ff88c316d98
0x7ff88c316da1
0x7ff88c316da9
0x7ff88c316dae
0x7ff88c316db3
0x7ff88c316db8
0x7ff88c316dc1
0x7ff88c316dc9
0x7ff88c316dce
0x7ff88c316dd3
0x7ff88c316dd8
0x7ff88c316de1
0x7ff88c316de9
0x7ff88c316dee
0x7ff88c316df3
0x7ff88c316df8
0x7ff88c316dfd
0x7ff88c316e09
0x7ff88c316e12
0x7ff88c316e15
0x7ff88c316e1a
0x7ff88c316e1f
0x7ff88c316e2b
0x7ff88c316e34
0x7ff88c316e37
0x7ff88c316e3c
0x7ff88c316e41
0x7ff88c316e4d
0x7ff88c316e56
0x7ff88c316e59
0x7ff88c316e5e
0x7ff88c316e63
0x7ff88c316e6f
0x7ff88c316e7b
0x7ff88c316e7e
0x7ff88c316e83
0x7ff88c316e88
0x7ff88c316e94
0x7ff88c316ea0
0x7ff88c316ea3
0x7ff88c316ea8
0x7ff88c316eaf
0x7ff88c316eb5
0x7ff88c316ec5
0x7ff88c316ec8
0x7ff88c316ecd
0x7ff88c316ed4
0x7ff88c316ed9
0x7ff88c316ee1
0x7ff88c316ee9
0x7ff88c316ef1
0x7ff88c316ef6
0x7ff88c316efb
0x7ff88c316efd
0x7ff88c316f01
0x7ff88c316f05
0x7ff88c316f07
0x7ff88c316f09
0x7ff88c316f0b
0x7ff88c316f10
0x7ff88c316f12
0x7ff88c316f16
0x7ff88c316f18
0x7ff88c316f1b
0x7ff88c316f1f
0x7ff88c316f27
0x7ff88c316f29
0x7ff88c316f38
0x7ff88c316f47
0x7ff88c316f56
0x7ff88c316f66
0x7ff88c316f76
0x7ff88c316f86
0x7ff88c316f8b
0x7ff88c316f95
0x7ff88c316f97
0x7ff88c316fa9
0x7ff88c316fab
0x7ff88c316fb5
0x7ff88c316fb8
0x7ff88c316fba
0x7ff88c316fbd
0x7ff88c316fc6
0x7ff88c316fd2
0x7ff88c316fd7
0x7ff88c316fde
0x7ff88c316fe5
0x7ff88c31700b

APIs

free.LIBCMT ref: 00007FF88C316BDC
free.LIBCMT ref: 00007FF88C316C01
free.LIBCMT ref: 00007FF88C316FC6
free.LIBCMT ref: 00007FF88C316FD2

Memory Dump Source

Source File: 00000000.00000002.323590886.00007FF88C301000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF88C300000, based on PE: true

Associated: 00000000.00000002.323573707.00007FF88C300000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323655700.00007FF88C322000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323798879.00007FF88C367000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323812343.00007FF88C36A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323824687.00007FF88C36C000.00000010.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323839114.00007FF88C36D000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff88c300000_loaddll64.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: a6dea2fbb0ae2075eb9fe0f6b5096ad3541770c391177aeb214c7deedac596bb
Instruction ID: c75e8a054bf1b99ad82c204d80afe757ea8492ef8b141cb17c4edf8c572d05de
Opcode Fuzzy Hash: a6dea2fbb0ae2075eb9fe0f6b5096ad3541770c391177aeb214c7deedac596bb
Instruction Fuzzy Hash: 56D16E32B04B5289EB21DB92E4449AE77B4FB8A784F404536EB8D93749EF7DD206C740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF88C307110 Relevance: 10.6, APIs: 7, Instructions: 98COMMONLIBRARYCODE

Download Yara Rule

APIs

_lock.LIBCMT ref: 00007FF88C307139

Part of subcall function 00007FF88C3096D8: _amsg_exit.LIBCMT ref: 00007FF88C309702

DecodePointer.KERNEL32(?,?,?,?,?,?,00000000,00007FF88C3072FD,?,?,00000000,00007FF88C309707), ref: 00007FF88C30716C
DecodePointer.KERNEL32(?,?,?,?,?,?,00000000,00007FF88C3072FD,?,?,00000000,00007FF88C309707), ref: 00007FF88C30718A
DecodePointer.KERNEL32(?,?,?,?,?,?,00000000,00007FF88C3072FD,?,?,00000000,00007FF88C309707), ref: 00007FF88C3071CA
DecodePointer.KERNEL32(?,?,?,?,?,?,00000000,00007FF88C3072FD,?,?,00000000,00007FF88C309707), ref: 00007FF88C3071E4
DecodePointer.KERNEL32(?,?,?,?,?,?,00000000,00007FF88C3072FD,?,?,00000000,00007FF88C309707), ref: 00007FF88C3071F4
ExitProcess.KERNEL32 ref: 00007FF88C307280

Memory Dump Source

Source File: 00000000.00000002.323590886.00007FF88C301000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF88C300000, based on PE: true

Associated: 00000000.00000002.323573707.00007FF88C300000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323655700.00007FF88C322000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323798879.00007FF88C367000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323812343.00007FF88C36A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323824687.00007FF88C36C000.00000010.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323839114.00007FF88C36D000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff88c300000_loaddll64.jbxd

Similarity

API ID: DecodePointer$ExitProcess_amsg_exit_lock
String ID:
API String ID: 3411037476-0
Opcode ID: 5459dcc7e4fd50bf1b24922bb4882d2528be841234dea332ab5c6eb656d25aa5
Instruction ID: 7b1a5e4f9972a090f248a4ffe97c64de858f1251349869d1bede62fa912bfd05
Opcode Fuzzy Hash: 5459dcc7e4fd50bf1b24922bb4882d2528be841234dea332ab5c6eb656d25aa5
Instruction Fuzzy Hash: FC418D32A1AB4281EA409B91FC40D7962A8BF9BBD4F440135EA8D477ADDF7DE457C700

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF88C31EF30 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 20
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E00007FF87FF88C31EF30(void* __ecx, intOrPtr* __rcx, void* __rsi, void* __r8) {
				intOrPtr* _t17;

				_t11 = __ecx;
				_t17 =  *((intOrPtr*)(__rcx));
				if ( *_t17 == 0xe0434352) goto 0x8c31ef61;
				if ( *_t17 == 0xe0434f4d) goto 0x8c31ef61;
				if ( *_t17 != 0xe06d7363) goto 0x8c31ef7a;
				E00007FF87FF88C307F5C(__ecx,  *_t17 - 0xe06d7363, _t17, __rcx, __rsi, __r8);
				 *(_t17 + 0x100) =  *(_t17 + 0x100) & 0x00000000;
				E00007FF87FF88C312440( *_t17 - 0xe06d7363, _t17, __rcx);
				asm("int3");
				E00007FF87FF88C307F5C(_t11,  *_t17 - 0xe06d7363, _t17, __rcx, __rsi, __r8);
				if ( *(_t17 + 0x100) <= 0) goto 0x8c31ef7a;
				E00007FF87FF88C307F5C(_t11,  *(_t17 + 0x100), _t17, __rcx, __rsi, __r8);
				 *(_t17 + 0x100) =  *(_t17 + 0x100) - 1;
				return 0;
			}

0x7ff88c31ef30
0x7ff88c31ef34
0x7ff88c31ef3d
0x7ff88c31ef45
0x7ff88c31ef4d
0x7ff88c31ef4f
0x7ff88c31ef54
0x7ff88c31ef5b
0x7ff88c31ef60
0x7ff88c31ef61
0x7ff88c31ef6d
0x7ff88c31ef6f
0x7ff88c31ef74
0x7ff88c31ef80

APIs

_getptd.LIBCMT ref: 00007FF88C31EF4F

Part of subcall function 00007FF88C307F5C: _amsg_exit.LIBCMT ref: 00007FF88C307F72

Part of subcall function 00007FF88C312440: _getptd.LIBCMT ref: 00007FF88C312444

_getptd.LIBCMT ref: 00007FF88C31EF61
_getptd.LIBCMT ref: 00007FF88C31EF6F

Strings

MOC, xrefs: 00007FF88C31EF3F
RCC, xrefs: 00007FF88C31EF37
csm, xrefs: 00007FF88C31EF47

Memory Dump Source

Source File: 00000000.00000002.323590886.00007FF88C301000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF88C300000, based on PE: true

Associated: 00000000.00000002.323573707.00007FF88C300000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323655700.00007FF88C322000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323798879.00007FF88C367000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323812343.00007FF88C36A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323824687.00007FF88C36C000.00000010.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323839114.00007FF88C36D000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff88c300000_loaddll64.jbxd

Similarity

API ID: _getptd$_amsg_exit
String ID: MOC$RCC$csm
API String ID: 2610988583-2671469338
Opcode ID: 6e2df090ba086a59c0383ae29f36c7551b2c077b2134757da0ca2b7865838cc4
Instruction ID: 76d79f033f2153ea88d05fc707b31f988b2ac9dda806a54c07cdc546427168b8
Opcode Fuzzy Hash: 6e2df090ba086a59c0383ae29f36c7551b2c077b2134757da0ca2b7865838cc4
Instruction Fuzzy Hash: 1AF03036D082038AE7152BA0C4097B822A0FF9A785F879472E64C82386CF7D6486CB12

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF88C310D8C Relevance: 9.1, APIs: 6, Instructions: 118
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 73%

			E00007FF87FF88C310D8C(void* __ecx, void* __edx, void* __esp, void* __eflags, long long __rbx, void* __rcx, long long __rdi, long long __rsi, void* __rbp, void* __r8, void* __r11, long long __r12, void* _a8, void* _a16, void* _a24, void* _a32) {
				intOrPtr _v24;
				void* _t43;
				signed int _t46;
				char _t52;
				void* _t66;
				signed int _t75;
				long long _t86;
				intOrPtr* _t87;
				long long _t90;
				long long _t99;
				long long _t106;
				long long _t109;
				void* _t114;
				void* _t119;

				_t114 = __r11;
				_t92 = __rcx;
				_t61 = __edx;
				_t55 = __ecx;
				_t86 = _t109;
				 *((long long*)(_t86 + 8)) = __rbx;
				 *((long long*)(_t86 + 0x10)) = __rsi;
				 *((long long*)(_t86 + 0x18)) = __rdi;
				 *((long long*)(_t86 + 0x20)) = __r12;
				_t66 = __ecx;
				r13d = r13d | 0xffffffff;
				E00007FF87FF88C307F5C(__ecx, __eflags, _t86, __rcx, __rsi, __r8);
				_t106 = _t86;
				E00007FF87FF88C310978(_t55, __edx, __eflags, _t86, __rbx, __rcx, _t106, __rbp, _t119);
				_t43 = E00007FF87FF88C310A34(_t66, __eflags, _t86);
				r12d = _t43;
				if (_t43 ==  *((intOrPtr*)( *((intOrPtr*)(_t106 + 0xb8)) + 4))) goto 0x8c310f47;
				E00007FF87FF88C3078EC(0x220, _t43 -  *((intOrPtr*)( *((intOrPtr*)(_t106 + 0xb8)) + 4)),  *((intOrPtr*)(_t106 + 0xb8)), _t92, __rdi, _t106);
				_t90 = _t86;
				if (_t86 == 0) goto 0x8c310f4c;
				r8d = 0x220;
				E00007FF87FF88C304B80(0x220, _t86, _t86,  *((intOrPtr*)(_t106 + 0xb8)), __r8);
				 *_t90 = 0;
				_t46 = E00007FF87FF88C310AC4(r12d, _t61, __esp, _t86, _t90, _t90, __r8, _t114);
				r13d = _t46;
				_t75 = _t46;
				if (_t75 != 0) goto 0x8c310f21;
				asm("lock dec dword [ecx]");
				if (_t75 != 0) goto 0x8c310e3b;
				if ( *((intOrPtr*)(_t106 + 0xb8)) == 0x8c3678c0) goto 0x8c310e3b;
				free(??);
				 *((long long*)(_t106 + 0xb8)) = _t90;
				asm("lock inc dword [ebx]");
				if (( *(_t106 + 0xc8) & 0x00000002) != 0) goto 0x8c310f4c;
				if (( *0x8c367df0 & 0x00000001) != 0) goto 0x8c310f4c;
				E00007FF87FF88C3096D8();
				 *0x8c369afc =  *((intOrPtr*)(_t90 + 4));
				 *0x8c369b00 =  *((intOrPtr*)(_t90 + 8));
				 *0x8c369b04 =  *((intOrPtr*)(_t90 + 0xc));
				_v24 = 0;
				if (0 - 5 >= 0) goto 0x8c310eae;
				 *0x7FF88C369AF0 =  *(_t90 + 0x10) & 0x0000ffff;
				goto 0x8c310e90;
				_v24 = 0;
				if (0 - 0x101 >= 0) goto 0x8c310ecf;
				 *0x7FF88C367AE0 =  *((intOrPtr*)(0 + _t90 + 0x1c));
				goto 0x8c310eb0;
				_v24 = 0;
				if (0 - 0x100 >= 0) goto 0x8c310ef1;
				_t52 =  *((intOrPtr*)(0 + _t90 + 0x11d));
				 *0x7FF88C367BF0 = _t52;
				goto 0x8c310ecf;
				_t87 =  *0x8c367cf0; // 0x141b0981c30
				asm("lock dec dword [eax]");
				if (0 != 0x100) goto 0x8c310f0e;
				_t99 =  *0x8c367cf0; // 0x141b0981c30
				if (_t99 == 0x8c3678c0) goto 0x8c310f0e;
				free(??);
				 *0x8c367cf0 = _t90;
				asm("lock inc dword [ebx]");
				E00007FF87FF88C3095B8();
				goto 0x8c310f4c;
				if (_t52 != 0xffffffff) goto 0x8c310f4c;
				if (_t90 == 0x8c3678c0) goto 0x8c310f3a;
				free(??);
				E00007FF87FF88C307698(_t87);
				 *_t87 = 0x16;
				goto 0x8c310f4c;
				r13d = 0;
				return r13d;
			}

0x7ff88c310d8c
0x7ff88c310d8c
0x7ff88c310d8c
0x7ff88c310d8c
0x7ff88c310d8c
0x7ff88c310d8f
0x7ff88c310d93
0x7ff88c310d97
0x7ff88c310d9b
0x7ff88c310da5
0x7ff88c310da7
0x7ff88c310dab
0x7ff88c310db0
0x7ff88c310db3
0x7ff88c310dc1
0x7ff88c310dc6
0x7ff88c310dcc
0x7ff88c310dd7
0x7ff88c310ddc
0x7ff88c310de4
0x7ff88c310df4
0x7ff88c310dfa
0x7ff88c310dff
0x7ff88c310e07
0x7ff88c310e0c
0x7ff88c310e0f
0x7ff88c310e11
0x7ff88c310e25
0x7ff88c310e28
0x7ff88c310e34
0x7ff88c310e36
0x7ff88c310e3b
0x7ff88c310e42
0x7ff88c310e4c
0x7ff88c310e59
0x7ff88c310e66
0x7ff88c310e6f
0x7ff88c310e78
0x7ff88c310e81
0x7ff88c310e90
0x7ff88c310e97
0x7ff88c310ea1
0x7ff88c310eac
0x7ff88c310eb0
0x7ff88c310eba
0x7ff88c310ec3
0x7ff88c310ecd
0x7ff88c310ecf
0x7ff88c310ed9
0x7ff88c310ede
0x7ff88c310ee5
0x7ff88c310eef
0x7ff88c310ef1
0x7ff88c310ef8
0x7ff88c310efb
0x7ff88c310efd
0x7ff88c310f07
0x7ff88c310f09
0x7ff88c310f0e
0x7ff88c310f15
0x7ff88c310f1a
0x7ff88c310f1f
0x7ff88c310f24
0x7ff88c310f30
0x7ff88c310f35
0x7ff88c310f3a
0x7ff88c310f3f
0x7ff88c310f45
0x7ff88c310f49
0x7ff88c310f69

APIs

_getptd.LIBCMT ref: 00007FF88C310DAB

Part of subcall function 00007FF88C307F5C: _amsg_exit.LIBCMT ref: 00007FF88C307F72

Part of subcall function 00007FF88C310978: _getptd.LIBCMT ref: 00007FF88C310982
Part of subcall function 00007FF88C310978: _amsg_exit.LIBCMT ref: 00007FF88C310A1F

Part of subcall function 00007FF88C310A34: GetOEMCP.KERNEL32(?,?,?,?,?,?,?,00007FF88C310DC6,?,?,?,?,?,00007FF88C310F83), ref: 00007FF88C310A5E

Part of subcall function 00007FF88C3078EC: Sleep.KERNEL32(?,?,?,00007FF88C309651,?,?,?,00007FF88C3096FB,?,?,?,?,?,?,00000000,00007FF88C307F30), ref: 00007FF88C30792A

free.LIBCMT ref: 00007FF88C310E36

Part of subcall function 00007FF88C30640C: RtlReleasePrivilege.NTDLL(?,?,00000000,00007FF88C307F44,?,?,?,00007FF88C3076A1,?,?,?,?,00007FF88C305382), ref: 00007FF88C306422
Part of subcall function 00007FF88C30640C: _errno.LIBCMT ref: 00007FF88C30642C
Part of subcall function 00007FF88C30640C: GetLastError.KERNEL32(?,?,00000000,00007FF88C307F44,?,?,?,00007FF88C3076A1,?,?,?,?,00007FF88C305382), ref: 00007FF88C306434

_lock.LIBCMT ref: 00007FF88C310E66
free.LIBCMT ref: 00007FF88C310F09
free.LIBCMT ref: 00007FF88C310F35
_errno.LIBCMT ref: 00007FF88C310F3A

Memory Dump Source

Source File: 00000000.00000002.323590886.00007FF88C301000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF88C300000, based on PE: true

Associated: 00000000.00000002.323573707.00007FF88C300000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323655700.00007FF88C322000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323798879.00007FF88C367000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323812343.00007FF88C36A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323824687.00007FF88C36C000.00000010.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323839114.00007FF88C36D000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff88c300000_loaddll64.jbxd

Similarity

API ID: free$_amsg_exit_errno_getptd$ErrorLastPrivilegeReleaseSleep_lock
String ID:
API String ID: 441742810-0
Opcode ID: d760397185f36797921a454ceceac083bf9007480528e2f1f060533bce753b25
Instruction ID: cf1ecd9b2c2c1f4896ff2a5ba0c3a30f6220a8544397f6cea8dd5b5ab9fe7dc9
Opcode Fuzzy Hash: d760397185f36797921a454ceceac083bf9007480528e2f1f060533bce753b25
Instruction Fuzzy Hash: 4E51BF72A08A428AE7509B61E541A79B7A1FF82BC4F144137EA5E8739ECF3CE443C750

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF88C30CF0C Relevance: 9.1, APIs: 6, Instructions: 110
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 79%

			E00007FF87FF88C30CF0C(signed int __ecx, void* __edx, long long __rbx, void* __rcx, void* __rdx, long long __rdi, long long __rsi, void* __r10, void* __r11) {
				void* _t43;
				signed int _t47;
				char* _t64;
				char* _t65;
				char* _t68;
				intOrPtr* _t83;
				signed long long* _t85;
				void* _t86;
				void* _t90;
				long long _t92;
				void* _t94;
				void* _t95;
				void* _t97;
				void* _t98;
				void* _t104;
				void* _t106;
				long long _t107;
				void* _t109;
				long long _t110;
				void* _t112;
				long long _t113;

				_t92 = __rsi;
				_t86 = __rdx;
				_t71 = __rbx;
				 *((long long*)(_t97 + 8)) = __rbx;
				 *((long long*)(_t97 + 0x10)) = __rsi;
				 *((long long*)(_t97 + 0x20)) = __rdi;
				_t95 = _t97 - 0x80;
				_t98 = _t97 - 0x180;
				_t64 =  *0x8c369a70; // 0x0
				r12b = __edx;
				_t90 = __rcx;
				if ( *_t64 != 0x3f) goto 0x8c30d0ab;
				if ( *((char*)(_t64 + 1)) != 0x24) goto 0x8c30d0ab;
				_t107 =  *0x8c369a30; // 0x0
				_t110 =  *0x8c369a60; // 0x0
				_t113 =  *0x8c369a68; // 0x0
				_t47 = __ecx | 0xffffffff;
				_t65 = _t64 + 2;
				 *(_t98 + 0x60) = _t47;
				 *(_t95 - 0x40) = _t47;
				 *(_t95 + 0x20) = _t47;
				 *0x8c369a70 = _t65;
				 *0x8c369a30 = _t98 + 0x60;
				 *((char*)(_t95 + 0xc0)) = 0;
				 *0x8c369a60 = _t95 - 0x40;
				 *0x8c369a68 = _t95 + 0x20;
				if ( *_t65 != 0x3f) goto 0x8c30cfd7;
				_t66 = _t65 + __rsi;
				 *0x8c369a70 = _t65 + __rsi;
				E00007FF87FF88C30C7D0(sil, __rbx, _t98 + 0x30, __rcx, __rsi, _t95 + 0xc0, __r10, __r11);
				goto 0x8c30cfdf;
				r8b = sil;
				E00007FF87FF88C30D0E0(_t47, sil, 1, _t71, _t98 + 0x30, _t90, _t92, _t95 + 0xc0, __r10, __r11, _t112, _t109, _t106, _t104);
				asm("movups xmm0, [eax]");
				asm("movdqu [esp+0x20], xmm0");
				_t36 =  ==  ? 1 :  *0x8c369a98 & 0x000000ff;
				 *0x8c369a98 =  ==  ? 1 :  *0x8c369a98 & 0x000000ff;
				if ( *((intOrPtr*)(_t95 + 0xc0)) != 0) goto 0x8c30d08b;
				E00007FF87FF88C30C55C(_t71, _t98 + 0x50, _t86, _t90, _t92, _t95 + 0xc0, __r10, __r11);
				E00007FF87FF88C30A9A8(0x3c, _t66, _t98 + 0x40);
				asm("movups xmm0, [eax]");
				asm("movdqu [esp+0x30], xmm0");
				E00007FF87FF88C30AC78(_t66, _t98 + 0x30, _t66);
				E00007FF87FF88C30AC78(_t66, _t98 + 0x20, _t98 + 0x30);
				_t83 =  *((intOrPtr*)(_t98 + 0x20));
				if (_t83 == 0) goto 0x8c30d064;
				if ( *((intOrPtr*)( *_t83 + 8))() != 0x3e) goto 0x8c30d064;
				E00007FF87FF88C30AF5C(0x20, 1,  *_t83, _t66, _t98 + 0x20, _t92, _t95 + 0xc0, _t94);
				_t85 = _t98 + 0x20;
				_t43 = E00007FF87FF88C30AF5C(0x3e, 1,  *_t83, _t66, _t85, _t92, _t95 + 0xc0);
				if (r12b == 0) goto 0x8c30d08b;
				_t68 =  *0x8c369a70; // 0x0
				if ( *_t68 == 0) goto 0x8c30d08b;
				 *0x8c369a70 = _t68 + _t92;
				asm("movups xmm0, [esp+0x20]");
				 *0x8c369a30 = _t107;
				 *0x8c369a60 = _t110;
				 *0x8c369a68 = _t113;
				asm("movdqu [edi], xmm0");
				goto 0x8c30d0ba;
				_t85[1] = _t85[1] & 0xffff00ff;
				 *_t85 =  *_t85 & 0x00000000;
				_t85[1] = 2;
				return _t43;
			}

0x7ff88c30cf0c
0x7ff88c30cf0c
0x7ff88c30cf0c
0x7ff88c30cf0c
0x7ff88c30cf11
0x7ff88c30cf16
0x7ff88c30cf24
0x7ff88c30cf29
0x7ff88c30cf30
0x7ff88c30cf37
0x7ff88c30cf3a
0x7ff88c30cf40
0x7ff88c30cf4a
0x7ff88c30cf50
0x7ff88c30cf57
0x7ff88c30cf5e
0x7ff88c30cf65
0x7ff88c30cf68
0x7ff88c30cf6e
0x7ff88c30cf72
0x7ff88c30cf75
0x7ff88c30cf82
0x7ff88c30cf89
0x7ff88c30cf94
0x7ff88c30cf9a
0x7ff88c30cfa8
0x7ff88c30cfb7
0x7ff88c30cfb9
0x7ff88c30cfc3
0x7ff88c30cfca
0x7ff88c30cfd5
0x7ff88c30cfd7
0x7ff88c30cfda
0x7ff88c30cfdf
0x7ff88c30cfe9
0x7ff88c30cff5
0x7ff88c30cff8
0x7ff88c30d000
0x7ff88c30d00b
0x7ff88c30d01a
0x7ff88c30d027
0x7ff88c30d02a
0x7ff88c30d030
0x7ff88c30d03f
0x7ff88c30d044
0x7ff88c30d04c
0x7ff88c30d056
0x7ff88c30d05f
0x7ff88c30d064
0x7ff88c30d06b
0x7ff88c30d073
0x7ff88c30d075
0x7ff88c30d07f
0x7ff88c30d084
0x7ff88c30d08b
0x7ff88c30d090
0x7ff88c30d097
0x7ff88c30d09e
0x7ff88c30d0a5
0x7ff88c30d0a9
0x7ff88c30d0ab
0x7ff88c30d0b2
0x7ff88c30d0b6
0x7ff88c30d0dd

APIs

UnDecorator::getZName.LIBCMT ref: 00007FF88C30CFDA
DName::DName.LIBCMT ref: 00007FF88C30D01A
DName::operator+=.LIBCMT ref: 00007FF88C30D030
DName::operator+=.LIBCMT ref: 00007FF88C30D03F
DName::operator+=.LIBCMT ref: 00007FF88C30D05F
DName::operator+=.LIBCMT ref: 00007FF88C30D06B

Part of subcall function 00007FF88C30C7D0: DName::operator=.LIBCMT ref: 00007FF88C30C865
Part of subcall function 00007FF88C30C7D0: DName::DName.LIBCMT ref: 00007FF88C30C880
Part of subcall function 00007FF88C30C7D0: DName::operator+=.LIBCMT ref: 00007FF88C30C895

Memory Dump Source

Source File: 00000000.00000002.323590886.00007FF88C301000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF88C300000, based on PE: true

Associated: 00000000.00000002.323573707.00007FF88C300000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323655700.00007FF88C322000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323798879.00007FF88C367000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323812343.00007FF88C36A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323824687.00007FF88C36C000.00000010.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323839114.00007FF88C36D000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff88c300000_loaddll64.jbxd

Similarity

API ID: Name::operator+=$Name$Name::$Decorator::getName::operator=
String ID:
API String ID: 212298780-0
Opcode ID: 6b038015eec91a649b324f7f4d2e8a15648c67a5f8d942a2bd87b7c8591de4c9
Instruction ID: f0c96e8c11f5abc63198d2a3d6301c72e4e475dfdf3db78ce9b461e5573c12a6
Opcode Fuzzy Hash: 6b038015eec91a649b324f7f4d2e8a15648c67a5f8d942a2bd87b7c8591de4c9
Instruction Fuzzy Hash: B1519C33D08B8685E7519B64E840BE9B3A4FB5A784F444232EA8E03B99DF3DE547C700

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF88C30B06C Relevance: 9.1, APIs: 6, Instructions: 86
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 85%

			E00007FF87FF88C30B06C(long long __rbx, signed long long* __rcx, void* __rdx, long long __rsi, void* __r8, long long _a8, long long _a16) {
				char _v24;
				char _v40;
				signed int _v48;
				signed long long _v56;
				void* __rdi;
				void* _t23;
				void* _t32;
				void* _t33;
				char* _t51;
				char* _t52;
				intOrPtr _t53;
				intOrPtr _t54;
				intOrPtr _t55;
				signed long long* _t58;
				intOrPtr _t62;
				intOrPtr* _t65;
				intOrPtr _t76;
				void* _t83;
				void* _t84;
				intOrPtr _t85;
				void* _t87;

				_a8 = __rbx;
				_a16 = __rsi;
				 *__rcx =  *__rcx & 0x00000000;
				__rcx[1] = 0;
				__rcx[1] = __rcx[1] & 0xffff00ff;
				_t58 = __rcx;
				if (__rcx[1] != 0) goto 0x8c30b1be;
				_t51 =  *0x8c369a70; // 0x0
				if ( *_t51 == 0x40) goto 0x8c30b1be;
				if ( *_t51 == 0x5a) goto 0x8c30b1be;
				if (1 == 0) goto 0x8c30b0bd;
				goto 0x8c30b0ce;
				_t23 = E00007FF87FF88C30AF5C(0x2c, 0, _t51, __rcx, __rcx, __rsi, __r8);
				_t52 =  *0x8c369a70; // 0x0
				if ( *_t52 == 0) goto 0x8c30b18e;
				r8d =  *_t52;
				r8d = r8d - 0x30;
				if (r8d - 9 > 0) goto 0x8c30b10d;
				_t62 =  *0x8c369a30; // 0x0
				_t53 = _t52 + 1;
				_t7 =  &_v24; // 0x21
				 *0x8c369a70 = _t53;
				E00007FF87FF88C30A6DC(_t23, _t62, _t7);
				E00007FF87FF88C30AC78(_t53, _t58, _t53);
				goto 0x8c30b17b;
				_v56 = _v56 & 0x00000000;
				_v48 = _v48 & 0xffff0000;
				_t13 =  &_v40; // 0x11
				_t76 = _t53;
				E00007FF87FF88C31006C(_t32, _t33, 0x2c, 0, _t53, _t58, _t13,  &_v56, _t76, __rsi, __r8, _t83, _t84, _t87);
				_t85 =  *0x8c369a70; // 0x0
				if (_t85 - _t76 - 1 <= 0) goto 0x8c30b153;
				_t65 =  *0x8c369a30; // 0x0
				if ( *_t65 == 9) goto 0x8c30b153;
				_t14 =  &_v40; // 0x11
				E00007FF87FF88C30A67C(_t53, _t58, _t65, _t14, __r8);
				_t15 =  &_v40; // 0x11
				E00007FF87FF88C30AC78(_t53, _t58, _t15);
				_t54 =  *0x8c369a70; // 0x0
				if (_t54 != _t76) goto 0x8c30b182;
				_t58[1] = _t58[1] & 0xffff00ff;
				 *_t58 =  *_t58 & 0x00000000;
				_t58[1] = 2;
				_t55 =  *0x8c369a70; // 0x0
				if (_t58[1] == 0) goto 0x8c30b0a3;
				goto 0x8c30b1be;
				if (_t58[1] - 1 > 0) goto 0x8c30b1be;
				if ( *_t58 == 0) goto 0x8c30b1b1;
				E00007FF87FF88C30A12C(1, _t15);
				E00007FF87FF88C30A564(_t55, _t58, _t58, _t55, __r8);
				goto 0x8c30b1be;
				return E00007FF87FF88C30A640(1, _t55, _t58);
			}

0x7ff88c30b06c
0x7ff88c30b071
0x7ff88c30b07b
0x7ff88c30b07f
0x7ff88c30b083
0x7ff88c30b08e
0x7ff88c30b096
0x7ff88c30b09c
0x7ff88c30b0a6
0x7ff88c30b0af
0x7ff88c30b0b7
0x7ff88c30b0bb
0x7ff88c30b0c2
0x7ff88c30b0c7
0x7ff88c30b0d1
0x7ff88c30b0d7
0x7ff88c30b0db
0x7ff88c30b0e3
0x7ff88c30b0e5
0x7ff88c30b0ec
0x7ff88c30b0ef
0x7ff88c30b0f4
0x7ff88c30b0fb
0x7ff88c30b106
0x7ff88c30b10b
0x7ff88c30b10d
0x7ff88c30b113
0x7ff88c30b120
0x7ff88c30b125
0x7ff88c30b128
0x7ff88c30b12d
0x7ff88c30b13b
0x7ff88c30b13d
0x7ff88c30b147
0x7ff88c30b149
0x7ff88c30b14e
0x7ff88c30b153
0x7ff88c30b15b
0x7ff88c30b160
0x7ff88c30b16a
0x7ff88c30b16c
0x7ff88c30b173
0x7ff88c30b177
0x7ff88c30b17b
0x7ff88c30b186
0x7ff88c30b18c
0x7ff88c30b192
0x7ff88c30b198
0x7ff88c30b19f
0x7ff88c30b1aa
0x7ff88c30b1af
0x7ff88c30b1d0

APIs

DName::operator+=.LIBCMT ref: 00007FF88C30B0C2
DName::operator+=.LIBCMT ref: 00007FF88C30B106
DName::operator+=.LIBCMT ref: 00007FF88C30B15B
DNameStatusNode::make.LIBCMT ref: 00007FF88C30B19F
DName::append.LIBCMT ref: 00007FF88C30B1AA
DName::operator=.LIBCMT ref: 00007FF88C30B1B9

Memory Dump Source

Source File: 00000000.00000002.323590886.00007FF88C301000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF88C300000, based on PE: true

Associated: 00000000.00000002.323573707.00007FF88C300000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323655700.00007FF88C322000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323798879.00007FF88C367000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323812343.00007FF88C36A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323824687.00007FF88C36C000.00000010.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323839114.00007FF88C36D000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff88c300000_loaddll64.jbxd

Similarity

API ID: Name::operator+=$NameName::appendName::operator=Node::makeStatus
String ID:
API String ID: 686042019-0
Opcode ID: 7f119c2f728e663512a21fad36a58f8b4bb160e8e67cfffcd570b793229b76e1
Instruction ID: ff48aa07759d7d2f12fe0f4ba6e838cf9e2a9411b6a215e66fc22315b0e1496e
Opcode Fuzzy Hash: 7f119c2f728e663512a21fad36a58f8b4bb160e8e67cfffcd570b793229b76e1
Instruction Fuzzy Hash: 4941B463E1C78291F7659B64E845B796791BB42BC8F048131D64E0B79ECF6DE843CB80

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF88C3088D0 Relevance: 9.1, APIs: 6, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,?,00007FF88C3059B5), ref: 00007FF88C3088E9
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,00007FF88C3059B5), ref: 00007FF88C308940
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,00007FF88C3059B5), ref: 00007FF88C30897B
free.LIBCMT ref: 00007FF88C308988
FreeEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,?,00007FF88C3059B5), ref: 00007FF88C308993
FreeEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,?,00007FF88C3059B5), ref: 00007FF88C3089A1

Memory Dump Source

Source File: 00000000.00000002.323590886.00007FF88C301000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF88C300000, based on PE: true

Associated: 00000000.00000002.323573707.00007FF88C300000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323655700.00007FF88C322000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323798879.00007FF88C367000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323812343.00007FF88C36A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323824687.00007FF88C36C000.00000010.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323839114.00007FF88C36D000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff88c300000_loaddll64.jbxd

Similarity

API ID: EnvironmentStrings$ByteCharFreeMultiWide$free
String ID:
API String ID: 517548149-0
Opcode ID: b2b9c43db829d3a4119f1860b20af2ae59217770f507bb3298b768e750526c84
Instruction ID: 277b5294aaaf4dea2739e95ddd9290ef2d53fd9c2c30df7ca09d93f6856e2f78
Opcode Fuzzy Hash: b2b9c43db829d3a4119f1860b20af2ae59217770f507bb3298b768e750526c84
Instruction Fuzzy Hash: 89215332A08B8185EB649F56E80096977E5FB8ABD1F484034DE8E07B5CDF3CE552CB46

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF88C307ED8 Relevance: 9.0, APIs: 6, Instructions: 37threadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00007FF88C3076A1,?,?,?,?,00007FF88C305382,?,?,?,00007FF88C304F2A), ref: 00007FF88C307EE2
FlsGetValue.KERNEL32(?,?,?,00007FF88C3076A1,?,?,?,?,00007FF88C305382,?,?,?,00007FF88C304F2A), ref: 00007FF88C307EF0
SetLastError.KERNEL32(?,?,?,00007FF88C3076A1,?,?,?,?,00007FF88C305382,?,?,?,00007FF88C304F2A), ref: 00007FF88C307F48

Part of subcall function 00007FF88C30796C: Sleep.KERNEL32(?,?,?,00007FF88C307F0B,?,?,?,00007FF88C3076A1,?,?,?,?,00007FF88C305382), ref: 00007FF88C3079B1

FlsSetValue.KERNEL32(?,?,?,00007FF88C3076A1,?,?,?,?,00007FF88C305382,?,?,?,00007FF88C304F2A), ref: 00007FF88C307F1C
free.LIBCMT ref: 00007FF88C307F3F

Part of subcall function 00007FF88C307E20: _lock.LIBCMT ref: 00007FF88C307E74
Part of subcall function 00007FF88C307E20: _lock.LIBCMT ref: 00007FF88C307E93

GetCurrentThreadId.KERNEL32 ref: 00007FF88C307F30

Memory Dump Source

Source File: 00000000.00000002.323590886.00007FF88C301000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF88C300000, based on PE: true

Associated: 00000000.00000002.323573707.00007FF88C300000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323655700.00007FF88C322000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323798879.00007FF88C367000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323812343.00007FF88C36A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323824687.00007FF88C36C000.00000010.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323839114.00007FF88C36D000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff88c300000_loaddll64.jbxd

Similarity

API ID: ErrorLastValue_lock$CurrentSleepThreadfree
String ID:
API String ID: 3106088686-0
Opcode ID: fa859107910109a155dbf600c95d40e56401b10a38e9f5d4afe29130ea1b7547
Instruction ID: e1ae1055ea69d503723497e2e7d9d432ff9a9bb4eb55ed1c72e404f6b752abe4
Opcode Fuzzy Hash: fa859107910109a155dbf600c95d40e56401b10a38e9f5d4afe29130ea1b7547
Instruction Fuzzy Hash: 32011E21A0974382FE559BA5E884C386291BF5BBE1F484634D96D423D9EF3DF406C710

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF88C31FEF8 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 143
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 85%

			E00007FF87FF88C31FEF8(void* __ebx, void* __ecx, void* __rax, long long __rbx, intOrPtr* __rcx, void* __rdx, long long __r8, signed long long __r9) {
				void* __rsi;
				void* __rbp;
				void* _t92;
				intOrPtr _t99;
				intOrPtr _t100;
				void* _t117;
				long long _t120;
				void* _t121;
				void* _t122;
				signed int* _t162;
				intOrPtr* _t166;
				long long _t169;
				void* _t171;
				void* _t172;
				long long _t184;
				signed long long _t187;
				void* _t190;

				_t117 = __rax;
				_t94 = __ecx;
				 *((long long*)(_t171 + 0x10)) = __rbx;
				 *((long long*)(_t171 + 0x18)) = __r8;
				_t172 = _t171 - 0x60;
				_t187 = __r9;
				_t190 = __rdx;
				_t166 = __rcx;
				if ( *__rcx == 0x80000003) goto 0x8c320118;
				E00007FF87FF88C307F5C(__ecx,  *__rcx - 0x80000003, __rax, __rcx, __rcx, __r8);
				_t100 =  *((intOrPtr*)(_t172 + 0xd0));
				_t169 =  *((intOrPtr*)(_t172 + 0xc0));
				if ( *((long long*)(_t117 + 0xe0)) == 0) goto 0x8c31ff9c;
				E00007FF87FF88C307F5C(_t94,  *((long long*)(_t117 + 0xe0)), _t117, __rcx, __rcx, __r8);
				E00007FF87FF88C307DD0();
				if ( *((intOrPtr*)(_t117 + 0xe0)) == _t117) goto 0x8c31ff9c;
				if ( *__rcx == 0xe0434f4d) goto 0x8c31ff9c;
				if ( *__rcx == 0xe0434352) goto 0x8c31ff9c;
				 *(_t172 + 0x30) =  *((intOrPtr*)(_t172 + 0xd8));
				 *((intOrPtr*)(_t172 + 0x28)) = _t100;
				 *((long long*)(_t172 + 0x20)) = _t169;
				if (E00007FF87FF88C31E88C(_t94, __rcx, __rdx, __r8, __r9) != 0) goto 0x8c320118;
				if ( *((intOrPtr*)(_t169 + 0xc)) != 0) goto 0x8c31ffa7;
				E00007FF87FF88C312484( *((intOrPtr*)(_t172 + 0xd8)));
				r12d =  *((intOrPtr*)(_t172 + 0xc8));
				 *(_t172 + 0x30) = __r9;
				 *((long long*)(_t172 + 0x28)) = _t172 + 0x50;
				_t120 = _t172 + 0xa0;
				r8d = _t100;
				r9d = r12d;
				 *((long long*)(_t172 + 0x20)) = _t120;
				E00007FF87FF88C31E8E0(__ebx, _t120, _t117, _t169, _t166);
				if ( *((intOrPtr*)(_t172 + 0xa0)) -  *((intOrPtr*)(_t172 + 0x50)) >= 0) goto 0x8c320118;
				_t20 = _t120 + 0xc; // 0xc
				_t162 = _t20;
				_t21 = _t162 - 0xc; // 0x0
				_t184 = _t21;
				if (r12d -  *_t184 < 0) goto 0x8c320101;
				if (r12d -  *((intOrPtr*)(_t162 - 8)) > 0) goto 0x8c320101;
				E00007FF87FF88C31E4B4(_t120);
				if ( *((intOrPtr*)(_t120 + _t162[1] + ( *_t162 +  *_t162 * 4) * 4 - 0x10)) == 0) goto 0x8c320047;
				E00007FF87FF88C31E4B4(_t120);
				E00007FF87FF88C31E4B4(_t120);
				_t121 = _t120 +  *((intOrPtr*)(_t120 + _t162[1] + ( *_t162 +  *_t162 * 4) * 4 - 0x10));
				goto 0x8c320049;
				if (_t121 == 0) goto 0x8c320094;
				E00007FF87FF88C31E4B4(_t121);
				if ( *((intOrPtr*)(_t121 + _t162[1] + ( *_t162 +  *_t162 * 4) * 4 - 0x10)) == 0) goto 0x8c32008c;
				E00007FF87FF88C31E4B4(_t121);
				E00007FF87FF88C31E4B4(_t121);
				_t122 = _t121 +  *((intOrPtr*)(_t121 + _t162[1] + ( *_t162 +  *_t162 * 4) * 4 - 0x10));
				goto 0x8c32008e;
				if ( *((char*)(_t122 + 0x10)) != 0) goto 0x8c3200fa;
				E00007FF87FF88C31E4B4(_t122);
				if (( *(_t122 + _t162[1] + ( *_t162 +  *_t162 * 4) * 4 - 0x14) & 0x00000040) != 0) goto 0x8c3200fa;
				E00007FF87FF88C31E4B4(_t122);
				 *((char*)(_t172 + 0x40)) = 0;
				 *((long long*)(_t172 + 0x38)) = _t184;
				 *(_t172 + 0x30) =  *(_t172 + 0x30) & 0x00000000;
				 *((long long*)(_t172 + 0x28)) = _t122 + ( *_t162 - 1 + ( *_t162 - 1) * 4) * 4 + _t162[1];
				 *((long long*)(_t172 + 0x20)) = _t169;
				_t92 = E00007FF87FF88C31FE34(_t100,  *((intOrPtr*)(_t121 + _t162[1] + ( *_t162 +  *_t162 * 4) * 4 - 0x10)), _t166, _t190, _t169,  *((intOrPtr*)(_t172 + 0xb0)), _t187);
				_t99 =  *((intOrPtr*)(_t172 + 0xa0)) + 1;
				 *((intOrPtr*)(_t172 + 0xa0)) = _t99;
				if (_t99 -  *((intOrPtr*)(_t172 + 0x50)) < 0) goto 0x8c31fff1;
				return _t92;
			}

0x7ff88c31fef8
0x7ff88c31fef8
0x7ff88c31fef8
0x7ff88c31fefd
0x7ff88c31ff0d
0x7ff88c31ff17
0x7ff88c31ff1d
0x7ff88c31ff20
0x7ff88c31ff23
0x7ff88c31ff29
0x7ff88c31ff2e
0x7ff88c31ff35
0x7ff88c31ff45
0x7ff88c31ff47
0x7ff88c31ff4f
0x7ff88c31ff5b
0x7ff88c31ff63
0x7ff88c31ff6b
0x7ff88c31ff7b
0x7ff88c31ff86
0x7ff88c31ff8a
0x7ff88c31ff96
0x7ff88c31ffa0
0x7ff88c31ffa2
0x7ff88c31ffa7
0x7ff88c31ffb4
0x7ff88c31ffb9
0x7ff88c31ffbe
0x7ff88c31ffc6
0x7ff88c31ffc9
0x7ff88c31ffd2
0x7ff88c31ffd7
0x7ff88c31ffe7
0x7ff88c31ffed
0x7ff88c31ffed
0x7ff88c31fff1
0x7ff88c31fff1
0x7ff88c31fff9
0x7ff88c320003
0x7ff88c320009
0x7ff88c320022
0x7ff88c320024
0x7ff88c32003d
0x7ff88c320042
0x7ff88c320045
0x7ff88c32004c
0x7ff88c32004e
0x7ff88c320067
0x7ff88c320069
0x7ff88c320082
0x7ff88c320087
0x7ff88c32008a
0x7ff88c320092
0x7ff88c320094
0x7ff88c3200ad
0x7ff88c3200af
0x7ff88c3200c0
0x7ff88c3200c5
0x7ff88c3200ca
0x7ff88c3200e8
0x7ff88c3200f0
0x7ff88c3200f5
0x7ff88c320101
0x7ff88c320107
0x7ff88c320112
0x7ff88c32012f

APIs

_getptd.LIBCMT ref: 00007FF88C31FF29

Part of subcall function 00007FF88C307F5C: _amsg_exit.LIBCMT ref: 00007FF88C307F72

_getptd.LIBCMT ref: 00007FF88C31FF47
_CallSETranslator.LIBCMT ref: 00007FF88C31FF8F

Part of subcall function 00007FF88C31E88C: _getptd.LIBCMT ref: 00007FF88C31E8B3

Strings

RCC, xrefs: 00007FF88C31FF65
MOC, xrefs: 00007FF88C31FF5D

Memory Dump Source

Source File: 00000000.00000002.323590886.00007FF88C301000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF88C300000, based on PE: true

Associated: 00000000.00000002.323573707.00007FF88C300000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323655700.00007FF88C322000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323798879.00007FF88C367000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323812343.00007FF88C36A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323824687.00007FF88C36C000.00000010.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323839114.00007FF88C36D000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff88c300000_loaddll64.jbxd

Similarity

API ID: _getptd$CallTranslator_amsg_exit
String ID: MOC$RCC
API String ID: 1374396951-2084237596
Opcode ID: 9bccf88b379eb61f99a9fdc3ec2439514d190e531cff61b1110d6f8f82524727
Instruction ID: 8f61a9f05079cab9a617206c4d58c0f8dd2267c8aa6b6b6f0a2c7c85916a3441
Opcode Fuzzy Hash: 9bccf88b379eb61f99a9fdc3ec2439514d190e531cff61b1110d6f8f82524727
Instruction Fuzzy Hash: 6E617372A08AC289DE24DB15E094BBDB360FB86BC9F044536EB4E47689DF7CE156C701

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF88C31F861 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 65
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E00007FF87FF88C31F861(void* __ecx, void* __eflags, void* __rax, void* __rcx, void* __rsi, void* __rbp, void* __r8, intOrPtr _a32, intOrPtr _a56, intOrPtr _a64, intOrPtr _a72, intOrPtr _a80, intOrPtr* _a96, intOrPtr _a192, intOrPtr* _a200, long long _a208, long long _a216) {
				void* _t35;
				void* _t52;
				intOrPtr* _t67;

				_t52 = __rax;
				_a32 = 1;
				E00007FF87FF88C307F5C(__ecx, __eflags, __rax, __rcx, __rsi, __r8);
				 *(_t52 + 0x2c0) =  *(_t52 + 0x2c0) & 0x00000000;
				_t67 = _a200;
				if (_a192 == 0) goto 0x8c31f8a7;
				E00007FF87FF88C31F1C0(1, _t67);
				r8d =  *((intOrPtr*)(_a64 + 0x18));
				goto 0x8c31f8b4;
				r8d =  *((intOrPtr*)(_t67 + 0x18));
				RaiseException(??, ??, ??, ??);
				r13d = _a32;
				E00007FF87FF88C31EA84( *_t67, _a192, _t52, _a72, _a80, _t67, __rbp, __r8);
				if (r13d != 0) goto 0x8c31f92b;
				if ( *_t67 != 0xe06d7363) goto 0x8c31f92b;
				if ( *((intOrPtr*)(_t67 + 0x18)) != 4) goto 0x8c31f92b;
				if ( *((intOrPtr*)(_t67 + 0x20)) == 0x19930520) goto 0x8c31f914;
				if ( *((intOrPtr*)(_t67 + 0x20)) == 0x19930521) goto 0x8c31f914;
				if ( *((intOrPtr*)(_t67 + 0x20)) != 0x19930522) goto 0x8c31f92b;
				if (E00007FF87FF88C31EA50( *((intOrPtr*)(_t67 + 0x20)) - 0x19930522, _t52,  *((intOrPtr*)(_t67 + 0x28))) == 0) goto 0x8c31f92b;
				E00007FF87FF88C31F1C0(1, _t67);
				E00007FF87FF88C307F5C( *_t67, E00007FF87FF88C31EA50( *((intOrPtr*)(_t67 + 0x20)) - 0x19930522, _t52,  *((intOrPtr*)(_t67 + 0x28))), _t52, _t67, _t67, __r8);
				 *((long long*)(_t52 + 0xf0)) = _a208;
				_t35 = E00007FF87FF88C307F5C( *_t67, E00007FF87FF88C31EA50( *((intOrPtr*)(_t67 + 0x20)) - 0x19930522, _t52,  *((intOrPtr*)(_t67 + 0x28))), _t52, _t67, _t67, __r8);
				 *((long long*)(_t52 + 0xf8)) = _a216;
				 *((long long*)( *((intOrPtr*)(_a56 + 0x1c)) +  *_a96)) = 0xfffffffe;
				return _t35;
			}

0x7ff88c31f861
0x7ff88c31f861
0x7ff88c31f869
0x7ff88c31f86e
0x7ff88c31f875
0x7ff88c31f885
0x7ff88c31f88c
0x7ff88c31f89a
0x7ff88c31f8a5
0x7ff88c31f8ab
0x7ff88c31f8b4
0x7ff88c31f8ba
0x7ff88c31f8e1
0x7ff88c31f8e9
0x7ff88c31f8f1
0x7ff88c31f8f7
0x7ff88c31f900
0x7ff88c31f909
0x7ff88c31f912
0x7ff88c31f91f
0x7ff88c31f926
0x7ff88c31f92b
0x7ff88c31f930
0x7ff88c31f937
0x7ff88c31f93c
0x7ff88c31f950
0x7ff88c31f96d

APIs

RaiseException.KERNEL32 ref: 00007FF88C31F8B4
_getptd.LIBCMT ref: 00007FF88C31F869

Part of subcall function 00007FF88C307F5C: _amsg_exit.LIBCMT ref: 00007FF88C307F72

_getptd.LIBCMT ref: 00007FF88C31F92B
_getptd.LIBCMT ref: 00007FF88C31F937

Strings

csm, xrefs: 00007FF88C31F8EB

Memory Dump Source

Source File: 00000000.00000002.323590886.00007FF88C301000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF88C300000, based on PE: true

Associated: 00000000.00000002.323573707.00007FF88C300000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323655700.00007FF88C322000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323798879.00007FF88C367000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323812343.00007FF88C36A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323824687.00007FF88C36C000.00000010.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323839114.00007FF88C36D000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff88c300000_loaddll64.jbxd

Similarity

API ID: _getptd$ExceptionRaise_amsg_exit
String ID: csm
API String ID: 4155239085-1018135373
Opcode ID: c720a69a8dfa12875f701ee6b3a2c8951e49c0eb2fb37e6c94c5a608e604f258
Instruction ID: a027e5333f9c291507eb73d27be3efc1d84746bb83156b5b05a4a4e5664152a4
Opcode Fuzzy Hash: c720a69a8dfa12875f701ee6b3a2c8951e49c0eb2fb37e6c94c5a608e604f258
Instruction Fuzzy Hash: 2431303650864286E770AF16E040B6A73A0FB5A7A5F044236EF9E43799CF3DE946CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF88C31027C Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 57
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 77%

			E00007FF87FF88C31027C(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags, long long __rax, long long __rbx, long long __rcx, void* __rdx, void* __rdi, long long __rsi, void* __r8, void* __r10, void* __r12, long long _a8) {
				char _v24;
				signed int _v32;
				char _v40;
				char _v56;
				intOrPtr _v72;
				intOrPtr _t20;
				void* _t26;
				long long _t36;
				long long _t39;
				char* _t65;
				long long _t66;

				_t36 = __rax;
				_t26 = __edx;
				_a8 = __rbx;
				_t39 = __rcx;
				_t2 =  &_v56; // -79
				E00007FF87FF88C30A418(__rax, __rcx, _t2, __rdx, __r8);
				_t65 =  *0x8c369a70; // 0x0
				if ( *_t65 == 0) goto 0x8c310332;
				if ( *_t65 == 0x3f) goto 0x8c3102f7;
				if ( *_t65 == 0x58) goto 0x8c3102c4;
				_t3 =  &_v56; // -79
				E00007FF87FF88C31006C(__ebx, __ecx, _t26, __esi, _t36, __rcx, __rcx, _t3, __rdi, __rsi, __r8, __r10, _t65, __r12);
				goto 0x8c310353;
				_t66 = _t65 + 1;
				 *0x8c369a70 = _t66;
				if (_v56 != _t36) goto 0x8c3102e5;
				E00007FF87FF88C30A9E0(_t39, "void");
				goto 0x8c310353;
				_t5 =  &_v40; // -63
				_t20 = E00007FF87FF88C30A9E0(_t5, "void ");
				goto 0x8c310340;
				_v32 = _v32 & 0xffff0000;
				_t8 =  &_v40; // -63
				_t9 =  &_v56; // -79
				_t10 =  &_v24; // -47
				 *0x8c369a70 = _t66 + 1;
				_v40 = _t36;
				_v72 = _t20;
				E00007FF87FF88C30EFA4(_t39, _t10, _t9, __rsi, 0x8c32398d, _t8, __r10, _t66 + 1);
				asm("movups xmm0, [eax]");
				asm("movdqu [ebp-0x30], xmm0");
				goto 0x8c3102b3;
				_t13 =  &_v40; // -63
				E00007FF87FF88C30A490(1, _t36, _t13);
				asm("movups xmm0, [eax]");
				_t14 =  &_v56; // -79
				asm("movdqu [ebx], xmm0");
				return E00007FF87FF88C30AC78(_t36, _t39, _t14);
			}

0x7ff88c31027c
0x7ff88c31027c
0x7ff88c31027c
0x7ff88c310289
0x7ff88c31028c
0x7ff88c310290
0x7ff88c310295
0x7ff88c3102a1
0x7ff88c3102ab
0x7ff88c3102b1
0x7ff88c3102b3
0x7ff88c3102ba
0x7ff88c3102bf
0x7ff88c3102c4
0x7ff88c3102c7
0x7ff88c3102d2
0x7ff88c3102de
0x7ff88c3102e3
0x7ff88c3102ec
0x7ff88c3102f0
0x7ff88c3102f5
0x7ff88c3102f7
0x7ff88c310301
0x7ff88c31030c
0x7ff88c310310
0x7ff88c310314
0x7ff88c31031b
0x7ff88c31031f
0x7ff88c310323
0x7ff88c310328
0x7ff88c31032b
0x7ff88c310330
0x7ff88c310332
0x7ff88c31033b
0x7ff88c310340
0x7ff88c310343
0x7ff88c31034a
0x7ff88c310360

APIs

DName::DName.LIBCMT ref: 00007FF88C3102DE
DName::DName.LIBCMT ref: 00007FF88C3102F0

Part of subcall function 00007FF88C30A9E0: DName::doPchar.LIBCMT ref: 00007FF88C30AA19

DName::operator+=.LIBCMT ref: 00007FF88C31034E

Strings

void , xrefs: 00007FF88C3102E5
void, xrefs: 00007FF88C3102D4

Memory Dump Source

Source File: 00000000.00000002.323590886.00007FF88C301000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF88C300000, based on PE: true

Associated: 00000000.00000002.323573707.00007FF88C300000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323655700.00007FF88C322000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323798879.00007FF88C367000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323812343.00007FF88C36A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323824687.00007FF88C36C000.00000010.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323839114.00007FF88C36D000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff88c300000_loaddll64.jbxd

Similarity

API ID: NameName::$Name::doName::operator+=Pchar
String ID: void$void
API String ID: 1070866305-3746155364
Opcode ID: 20db89e7c28dedfa57394d69a0078c1c452a18b48af22bf9f4d007e9861a8803
Instruction ID: 90bc36533cd7d6d5b156d45d2eb6a05f61c4dbc61e511f7fc3022d889d2af850
Opcode Fuzzy Hash: 20db89e7c28dedfa57394d69a0078c1c452a18b48af22bf9f4d007e9861a8803
Instruction Fuzzy Hash: 05216D62E18B5698FB11DB74E8418FC2360BB4A788F848532EA4E5665EEF7CE547C300

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF88C3167A8 Relevance: 7.7, APIs: 5, Instructions: 168
COMMON

Download Yara Rule

C-Code - Quality: 89%

			E00007FF87FF88C3167A8(signed int* __rbx, long long __rcx, void* __rdx, signed int __rsi, void* __r9) {
				void* __rdi;
				signed int _t48;
				signed int _t49;
				signed int _t50;
				signed int _t51;
				signed int _t52;
				char _t55;
				char _t56;
				char _t57;
				signed int _t75;
				signed int* _t81;
				signed int* _t89;
				signed int* _t91;
				signed int _t94;
				signed int _t95;
				signed int _t96;
				signed int _t97;
				signed int _t98;
				signed int* _t100;
				char* _t120;
				char* _t121;
				void* _t122;
				long long _t125;
				signed int _t127;
				signed int* _t129;
				signed int* _t131;
				void* _t132;
				char* _t135;
				void* _t137;
				void* _t139;
				void* _t141;
				signed int* _t143;
				void* _t145;
				signed int* _t146;
				void* _t148;
				signed int* _t149;

				_t137 = __r9;
				_t100 = __rbx;
				_t91 = _t131;
				_t91[2] = __rbx;
				_t91[4] = _t127;
				_t91[6] = __rsi;
				_t132 = _t131 - 0x40;
				_t125 = __rcx;
				 *((long long*)(_t91 - 0x38)) = __rcx;
				 *((long long*)(_t91 - 0x30)) = __rbx;
				if ( *((intOrPtr*)(__rcx + 0x1c)) != 0) goto 0x8c3167ed;
				if ( *((intOrPtr*)(__rcx + 0x18)) != 0) goto 0x8c3167ed;
				r13d = 0;
				r14d = 0;
				goto 0x8c3169a3;
				r12d = 1;
				E00007FF87FF88C30796C(__rbx, __rcx, __rdx, _t122, __rcx, 0x8c368490, _t148, _t145);
				_t129 = _t91;
				if (_t91 != 0) goto 0x8c316812;
				goto 0x8c3169f2;
				_t134 = _t122;
				E00007FF87FF88C304B80(r12d, _t91, _t91,  *(_t125 + 0x128), _t122);
				E00007FF87FF88C3078EC(4, _t91, _t100, _t91, _t122, _t125);
				_t146 = _t91;
				if (_t91 != 0) goto 0x8c316842;
				free(_t141);
				goto 0x8c31680a;
				 *_t91 = 0;
				if ( *((intOrPtr*)(_t125 + 0x1c)) == 0) goto 0x8c31695d;
				E00007FF87FF88C3078EC(4,  *((intOrPtr*)(_t125 + 0x1c)), _t100, _t122, _t122, _t125);
				_t81 = _t91;
				if (_t81 == 0) goto 0x8c316918;
				 *_t91 = 0;
				_t75 =  *(_t125 + 0x3e) & 0x0000ffff;
				_t11 = _t132 + 0x30; // 0x31
				r9d = 0xe;
				r8d = _t75;
				 *(_t132 + 0x20) = _t129;
				_t48 = E00007FF87FF88C312BF4(r12d, _t11, _t122);
				_t13 =  &(_t129[2]); // 0x8
				 *(_t132 + 0x20) = _t13;
				_t15 = _t132 + 0x30; // 0x31
				r9d = 0xf;
				r8d = _t75;
				_t49 = E00007FF87FF88C312BF4(r12d, _t15, _t122);
				_t16 =  &(_t129[4]); // 0x10
				_t149 = _t16;
				_t17 = _t132 + 0x30; // 0x31
				r9d = 0x10;
				r8d = _t75;
				 *(_t132 + 0x20) = _t149;
				_t50 = E00007FF87FF88C312BF4(r12d, _t17, _t122);
				r9d = 0xe;
				_t19 =  &(_t129[0x16]); // 0x58
				_t20 = _t132 + 0x30; // 0x31
				r8d = _t75;
				 *(_t132 + 0x20) = _t19;
				_t51 = E00007FF87FF88C312BF4(_t137 - 0xc, _t20, _t122);
				r9d = 0xf;
				_t23 =  &(_t129[0x18]); // 0x60
				_t24 = _t132 + 0x30; // 0x31
				r8d = _t75;
				 *(_t132 + 0x20) = _t23;
				_t52 = E00007FF87FF88C312BF4(_t137 - 0xd, _t24, _t134);
				if (_t81 == 0) goto 0x8c316928;
				E00007FF87FF88C31673C(_t52 | _t48 | _t49 | _t50 | _t51, _t129);
				r12d = r12d | 0xffffffff;
				free(_t139);
				goto 0x8c31683b;
				_t120 =  *_t149;
				goto 0x8c316940;
				_t55 =  *_t120;
				if (_t55 - 0x30 < 0) goto 0x8c316946;
				if (_t55 - 0x39 > 0) goto 0x8c316946;
				_t56 = _t55 - 0x30;
				 *_t120 = _t56;
				_t121 = _t120 + _t139;
				if ( *_t121 != 0) goto 0x8c31692f;
				goto 0x8c316997;
				if (_t56 != 0x3b) goto 0x8c31693d;
				_t135 = _t121;
				_t57 =  *((intOrPtr*)(_t135 + 1));
				 *_t135 = _t57;
				if (_t57 != 0) goto 0x8c31694d;
				goto 0x8c316940;
				_t94 =  *0x8c368490; // 0x7ff88c368480
				_t143 = _t100;
				 *_t129 = _t94;
				_t95 =  *0x8c368498; // 0x7ff88c369b78
				_t129[2] = _t95;
				_t96 =  *0x8c3684a0; // 0x7ff88c369b78
				_t129[4] = _t96;
				_t97 =  *0x8c3684e8; // 0x7ff88c368484
				_t129[0x16] = _t97;
				_t98 =  *0x8c3684f0; // 0x7ff88c369b7c
				_t129[0x18] = _t98;
				 *_t146 = r12d;
				if (_t143 == 0) goto 0x8c3169a3;
				 *_t143 = r12d;
				if ( *(_t125 + 0x118) == 0) goto 0x8c3169b2;
				asm("lock dec dword [eax]");
				_t89 =  *(_t125 + 0x110);
				if (_t89 == 0) goto 0x8c3169db;
				asm("lock dec dword [ecx]");
				if (_t89 != 0) goto 0x8c3169db;
				free(_t122);
				free(??);
				 *(_t125 + 0x118) = _t143;
				 *(_t125 + 0x110) = _t146;
				 *(_t125 + 0x128) = _t129;
				return 0;
			}

0x7ff88c3167a8
0x7ff88c3167a8
0x7ff88c3167a8
0x7ff88c3167ab
0x7ff88c3167af
0x7ff88c3167b3
0x7ff88c3167c0
0x7ff88c3167c6
0x7ff88c3167c9
0x7ff88c3167cd
0x7ff88c3167d4
0x7ff88c3167d9
0x7ff88c3167db
0x7ff88c3167de
0x7ff88c3167e8
0x7ff88c3167f2
0x7ff88c3167fd
0x7ff88c316802
0x7ff88c316808
0x7ff88c31680d
0x7ff88c31681c
0x7ff88c31681f
0x7ff88c31682b
0x7ff88c316830
0x7ff88c316836
0x7ff88c31683b
0x7ff88c316840
0x7ff88c316842
0x7ff88c316847
0x7ff88c316850
0x7ff88c316858
0x7ff88c31685b
0x7ff88c316861
0x7ff88c316863
0x7ff88c316867
0x7ff88c31686c
0x7ff88c316875
0x7ff88c316878
0x7ff88c31687d
0x7ff88c316882
0x7ff88c316886
0x7ff88c31688b
0x7ff88c316890
0x7ff88c316896
0x7ff88c31689e
0x7ff88c3168a3
0x7ff88c3168a3
0x7ff88c3168a7
0x7ff88c3168ac
0x7ff88c3168b2
0x7ff88c3168ba
0x7ff88c3168bf
0x7ff88c3168c4
0x7ff88c3168cc
0x7ff88c3168d0
0x7ff88c3168d9
0x7ff88c3168dc
0x7ff88c3168e1
0x7ff88c3168e6
0x7ff88c3168ee
0x7ff88c3168f2
0x7ff88c3168fb
0x7ff88c3168fe
0x7ff88c316903
0x7ff88c31690a
0x7ff88c31690f
0x7ff88c316914
0x7ff88c31691b
0x7ff88c316923
0x7ff88c316928
0x7ff88c31692d
0x7ff88c31692f
0x7ff88c316933
0x7ff88c316937
0x7ff88c316939
0x7ff88c31693b
0x7ff88c31693d
0x7ff88c316942
0x7ff88c316944
0x7ff88c316948
0x7ff88c31694a
0x7ff88c31694d
0x7ff88c316951
0x7ff88c316959
0x7ff88c31695b
0x7ff88c31695d
0x7ff88c316964
0x7ff88c316967
0x7ff88c31696b
0x7ff88c316972
0x7ff88c316976
0x7ff88c31697d
0x7ff88c316981
0x7ff88c316988
0x7ff88c31698c
0x7ff88c316993
0x7ff88c316997
0x7ff88c31699d
0x7ff88c31699f
0x7ff88c3169ad
0x7ff88c3169af
0x7ff88c3169b9
0x7ff88c3169bc
0x7ff88c3169be
0x7ff88c3169c1
0x7ff88c3169ca
0x7ff88c3169d6
0x7ff88c3169db
0x7ff88c3169e2
0x7ff88c3169e9
0x7ff88c316a0f

APIs

free.LIBCMT ref: 00007FF88C31683B
__free_lconv_num.LIBCMT ref: 00007FF88C31690F
free.LIBCMT ref: 00007FF88C31691B
free.LIBCMT ref: 00007FF88C3169CA
free.LIBCMT ref: 00007FF88C3169D6

Memory Dump Source

Source File: 00000000.00000002.323590886.00007FF88C301000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF88C300000, based on PE: true

Associated: 00000000.00000002.323573707.00007FF88C300000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323655700.00007FF88C322000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323798879.00007FF88C367000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323812343.00007FF88C36A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323824687.00007FF88C36C000.00000010.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323839114.00007FF88C36D000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff88c300000_loaddll64.jbxd

Similarity

API ID: free$__free_lconv_num
String ID:
API String ID: 1547021563-0
Opcode ID: d3c8176391f41a5c27f56b3efe38b829e8bc72502893e69a1051d8bc9e91eaaa
Instruction ID: b0fe26a8c2c42ef3221745fec45be53226f3e1be73656c103cc60cb6c5dbeeea
Opcode Fuzzy Hash: d3c8176391f41a5c27f56b3efe38b829e8bc72502893e69a1051d8bc9e91eaaa
Instruction Fuzzy Hash: 43617232A09B828AEB659F55E440AA977B0FB867C4F404136EE8D87749DF3DE643C740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF88C3148D4 Relevance: 7.7, APIs: 5, Instructions: 159
COMMON

Download Yara Rule

C-Code - Quality: 36%

			E00007FF87FF88C3148D4(signed int __ecx, signed long long __rax, long long __rbx, void* __rdx, signed int __r8) {
				signed short _t35;
				unsigned int _t38;
				unsigned int _t39;
				signed int _t44;
				signed int _t45;
				signed int _t46;
				signed int _t47;
				signed int _t48;
				void* _t55;
				unsigned int _t56;
				void* _t59;
				signed int _t66;
				signed int _t67;
				void* _t70;
				signed int _t71;
				signed int _t72;
				void* _t73;
				signed int _t77;
				signed int _t80;
				signed long long _t83;
				void* _t88;
				void* _t97;
				void* _t99;
				void* _t100;
				signed long long _t105;
				void* _t108;
				void* _t111;
				void* _t113;

				_t86 = __rbx;
				_t83 = __rax;
				 *((long long*)(_t99 + 0x10)) = __rbx;
				_push(_t97);
				_t100 = _t99 - 0x30;
				asm("movaps [esp+0x20], xmm6");
				_t44 = __ecx & 0x0000001f;
				r14d = __ecx;
				_t2 = _t97 + 0x10; // 0x10
				r15d = _t2;
				if ((__ecx & 0x00000008) == 0) goto 0x8c31491b;
				if (r8b >= 0) goto 0x8c31491b;
				E00007FF87FF88C315038(_t44, __rax, __rbx, _t88);
				_t45 = _t44 & 0xfffffff7;
				goto 0x8c314b03;
				_t66 = 0x00000004 & r14b;
				if (_t66 == 0) goto 0x8c314939;
				asm("dec ecx");
				if (_t66 >= 0) goto 0x8c314939;
				E00007FF87FF88C315038(_t45, _t83, _t86, _t88);
				_t46 = _t45 & 0xfffffffb;
				goto 0x8c314b03;
				_t67 = dil & r14b;
				if (_t67 == 0) goto 0x8c3149fa;
				asm("dec ecx");
				if (_t67 >= 0) goto 0x8c3149fa;
				E00007FF87FF88C315038(_t46, _t83, _t86, _t88);
				_t105 = __r8 & _t83;
				if (_t67 == 0) goto 0x8c3149c6;
				if (_t105 == 0x2000) goto 0x8c3149ae;
				if (_t105 == 0x4000) goto 0x8c314996;
				_t70 = _t105 - _t83;
				if (_t70 != 0) goto 0x8c3149f2;
				asm("movsd xmm0, [esi]");
				asm("comisd xmm0, [0xfdee]");
				asm("movsd xmm0, [0x53bc6]");
				if (_t70 > 0) goto 0x8c3149ee;
				goto 0x8c3149e6;
				asm("movsd xmm0, [esi]");
				asm("comisd xmm0, [0xfdd6]");
				if (_t70 > 0) goto 0x8c3149d4;
				asm("movsd xmm0, [0x53bac]");
				goto 0x8c3149e6;
				asm("movsd xmm0, [esi]");
				asm("comisd xmm0, [0xfdbe]");
				if (_t70 <= 0) goto 0x8c3149de;
				asm("movsd xmm0, [0x53b94]");
				goto 0x8c3149ee;
				asm("movsd xmm0, [esi]");
				asm("comisd xmm0, [0xfda6]");
				if (_t70 <= 0) goto 0x8c3149de;
				asm("movsd xmm0, [0x53b6c]");
				goto 0x8c3149ee;
				asm("movsd xmm0, [0x53b62]");
				asm("xorpd xmm0, [0xfe62]");
				asm("movsd [esi], xmm0");
				_t47 = _t46 & 0xfffffffe;
				goto 0x8c314b03;
				_t71 = r14b & 0x00000002;
				if (_t71 == 0) goto 0x8c314b03;
				asm("dec ecx");
				if (_t71 >= 0) goto 0x8c314b03;
				asm("movsd xmm0, [edx]");
				asm("xorpd xmm6, xmm6");
				_t72 = r15b & r14b;
				r12d = 0;
				r12d =  !=  ? 1 : r12d;
				asm("ucomisd xmm0, xmm6");
				if (_t72 != 0) goto 0x8c314a31;
				if (_t72 != 0) goto 0x8c314a31;
				r12d = 1;
				goto 0x8c314af3;
				_t35 = E00007FF87FF88C319A18(0x6000, _t59, _t72, _t100 + 0x70, _t113, _t111, _t108);
				_t55 =  *((intOrPtr*)(_t100 + 0x70)) + 0xfffffa00;
				asm("movsd [esp+0x88], xmm0");
				_t73 = _t55 - 0xfffffbce;
				if (_t73 >= 0) goto 0x8c314a62;
				asm("mulsd xmm0, xmm6");
				r12d = 1;
				goto 0x8c314aef;
				asm("comisd xmm6, xmm0");
				if (_t73 > 0) goto 0x8c314a6c;
				 *(_t100 + 0x8e) = _t35 & 0x0000000f | r15w;
				if (_t55 - 0xfffffc03 >= 0) goto 0x8c314ada;
				_t38 =  *(_t100 + 0x88);
				r8d = 0xfffffc03;
				r8d = r8d - _t55;
				_t56 =  *(_t100 + 0x8c);
				if ((dil & _t38) == 0) goto 0x8c314ab3;
				r12d =  ==  ? 1 : r12d;
				_t39 = _t38 >> 1;
				 *(_t100 + 0x88) = _t39;
				_t77 = dil & _t56;
				if (_t77 == 0) goto 0x8c314acc;
				asm("bts eax, 0x1f");
				 *(_t100 + 0x88) = _t39;
				if (_t77 != 0) goto 0x8c314aa7;
				 *(_t100 + 0x8c) = _t56 >> 1;
				asm("movsd xmm0, [esp+0x88]");
				if (0 == 0) goto 0x8c314aef;
				asm("xorpd xmm0, [0xfd61]");
				asm("movsd [esi], xmm0");
				if (r12d == 0) goto 0x8c314b00;
				E00007FF87FF88C315038(_t47,  *(_t100 + 0x88) >> 0x30, _t86, _t113);
				_t48 = _t47 & 0xfffffffd;
				_t80 = r15b & r14b;
				if (_t80 == 0) goto 0x8c314b1c;
				asm("dec ecx");
				if (_t80 >= 0) goto 0x8c314b1c;
				E00007FF87FF88C315038(_t48,  *(_t100 + 0x88) >> 0x30, _t86, _t113);
				asm("movaps xmm6, [esp+0x20]");
				bpl = (_t48 & 0xffffffef) == 0;
				return 0;
			}

0x7ff88c3148d4
0x7ff88c3148d4
0x7ff88c3148d4
0x7ff88c3148d9
0x7ff88c3148e4
0x7ff88c3148ec
0x7ff88c3148f1
0x7ff88c3148fa
0x7ff88c3148fd
0x7ff88c3148fd
0x7ff88c314904
0x7ff88c314909
0x7ff88c31490e
0x7ff88c314913
0x7ff88c314916
0x7ff88c314920
0x7ff88c314923
0x7ff88c314925
0x7ff88c31492a
0x7ff88c31492c
0x7ff88c314931
0x7ff88c314934
0x7ff88c31493e
0x7ff88c314941
0x7ff88c314947
0x7ff88c31494c
0x7ff88c314955
0x7ff88c314962
0x7ff88c314965
0x7ff88c31496e
0x7ff88c314977
0x7ff88c314979
0x7ff88c31497c
0x7ff88c31497e
0x7ff88c314982
0x7ff88c31498a
0x7ff88c314992
0x7ff88c314994
0x7ff88c314996
0x7ff88c31499a
0x7ff88c3149a2
0x7ff88c3149a4
0x7ff88c3149ac
0x7ff88c3149ae
0x7ff88c3149b2
0x7ff88c3149ba
0x7ff88c3149bc
0x7ff88c3149c4
0x7ff88c3149c6
0x7ff88c3149ca
0x7ff88c3149d2
0x7ff88c3149d4
0x7ff88c3149dc
0x7ff88c3149de
0x7ff88c3149e6
0x7ff88c3149ee
0x7ff88c3149f2
0x7ff88c3149f5
0x7ff88c3149fa
0x7ff88c3149fe
0x7ff88c314a04
0x7ff88c314a09
0x7ff88c314a0f
0x7ff88c314a13
0x7ff88c314a17
0x7ff88c314a1a
0x7ff88c314a1d
0x7ff88c314a21
0x7ff88c314a25
0x7ff88c314a27
0x7ff88c314a29
0x7ff88c314a2c
0x7ff88c314a36
0x7ff88c314a3f
0x7ff88c314a45
0x7ff88c314a4e
0x7ff88c314a54
0x7ff88c314a56
0x7ff88c314a5a
0x7ff88c314a5d
0x7ff88c314a62
0x7ff88c314a68
0x7ff88c314a80
0x7ff88c314a8e
0x7ff88c314a90
0x7ff88c314a97
0x7ff88c314a9d
0x7ff88c314aa0
0x7ff88c314aaa
0x7ff88c314aaf
0x7ff88c314ab3
0x7ff88c314ab5
0x7ff88c314abc
0x7ff88c314abf
0x7ff88c314ac1
0x7ff88c314ac5
0x7ff88c314ad1
0x7ff88c314ad3
0x7ff88c314ada
0x7ff88c314ae5
0x7ff88c314ae7
0x7ff88c314aef
0x7ff88c314af6
0x7ff88c314afb
0x7ff88c314b00
0x7ff88c314b03
0x7ff88c314b06
0x7ff88c314b08
0x7ff88c314b0d
0x7ff88c314b14
0x7ff88c314b1c
0x7ff88c314b28
0x7ff88c314b3d

APIs

_set_statfp.LIBCMT ref: 00007FF88C31490E
_set_statfp.LIBCMT ref: 00007FF88C31492C
_set_statfp.LIBCMT ref: 00007FF88C314955
_set_statfp.LIBCMT ref: 00007FF88C314B14

Memory Dump Source

Source File: 00000000.00000002.323590886.00007FF88C301000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF88C300000, based on PE: true

Associated: 00000000.00000002.323573707.00007FF88C300000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323655700.00007FF88C322000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323798879.00007FF88C367000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323812343.00007FF88C36A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323824687.00007FF88C36C000.00000010.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323839114.00007FF88C36D000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff88c300000_loaddll64.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: 32046ce077eb0d4c09ab2571985d77e1313bccb37bdafd444ae120eeda8f2021
Instruction ID: 56a7cc782525335072e286fa56f2e0608bf81e3f814232d2c101afa9ff5a03be
Opcode Fuzzy Hash: 32046ce077eb0d4c09ab2571985d77e1313bccb37bdafd444ae120eeda8f2021
Instruction Fuzzy Hash: F9517812D18A468DF6629E34E410B76A290BF537D0F158236FA9EA65DCEF3CA543CB04

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF88C312284 Relevance: 7.6, APIs: 5, Instructions: 105
COMMON

Download Yara Rule

C-Code - Quality: 84%

			E00007FF87FF88C312284(void* __ecx, void* __edx, signed int* __rax, long long __rbx, void* __rcx, void* __rdx, long long __rdi, long long __rsi, void* __rbp, void* __r8, void* __r9, long long _a8, long long _a16, signed int* _a24, long long _a32) {
				signed int* _v40;
				void* _t30;
				void* _t39;
				intOrPtr _t44;
				void* _t48;
				signed int* _t62;
				signed int* _t67;
				signed int _t80;
				signed int* _t85;
				intOrPtr _t97;
				void* _t98;

				_t79 = __rdx;
				_t62 = __rax;
				_t48 = __edx;
				_t40 = __ecx;
				_a8 = __rbx;
				_a16 = __rsi;
				_a32 = __rdi;
				_t98 = __rdx;
				r12d = __ecx;
				_t52 = __ecx - 5;
				if (__ecx - 5 <= 0) goto 0x8c3122c1;
				E00007FF87FF88C307698(__rax);
				 *__rax = 0x16;
				E00007FF87FF88C309444();
				goto 0x8c312426;
				E00007FF87FF88C307F5C(_t40, _t52, __rax, __rcx, __rsi, __r8);
				_t67 = _t62;
				_a24 = _t62;
				E00007FF87FF88C311298(_t40, _t48, _t52, _t62, __rcx, __rdi, __rsi);
				_t67[0x32] = _t67[0x32] | 0x00000010;
				E00007FF87FF88C30796C(_t67, __rcx, _t79, __rdi, __rsi, __rbp);
				_t85 = _t62;
				if (_t62 == 0) goto 0x8c31241c;
				E00007FF87FF88C3096D8();
				_t80 = _t67[0x30];
				if (_t80 == 0) goto 0x8c31232b;
				if (_t85 == _t80) goto 0x8c31232b;
				r8d = 0x160;
				_t30 = E00007FF87FF88C304B80(0xc, _t85 - _t80, _t85, _t80, __r8);
				 *_t85 =  *_t85 & 0x00000000;
				E00007FF87FF88C310F94(_t30, _t85, __r8);
				E00007FF87FF88C3095B8();
				E00007FF87FF88C311F20(0xc, r12d, _t85, _t98);
				_v40 = _t62;
				if (_t62 == 0) goto 0x8c31240b;
				if (_t98 == 0) goto 0x8c312382;
				E00007FF87FF88C3057E0(0xc, _t98, 0x8c367df4);
				_t44 =  *0x8c369b08; // 0x0
				r12d = 1;
				_t45 =  !=  ? r12d : _t44;
				 *0x8c369b08 =  !=  ? r12d : _t44;
				goto 0x8c312388;
				r12d = 1;
				E00007FF87FF88C3096D8();
				_t9 =  &(_t67[0x30]); // 0xc0
				E00007FF87FF88C311020(E00007FF87FF88C311240(_t62, _t9, _t85, _t85, _t62, _t98), _t85, _t98);
				if ((_t67[0x32] & 0x00000002) != 0) goto 0x8c3123ff;
				if (( *0x8c367df0 & r12b) != 0) goto 0x8c3123ff;
				E00007FF87FF88C311240(_t62, 0x8c368220, _t67[0x30], _t85, _t62, _t98);
				_t97 =  *0x8c368220; // 0x7ff88c3680c0
				_t16 = _t97 + 0x128; // 0x7ff88c368490
				 *0x8c368488 =  *_t16;
				_t17 = _t97 + 0x140; // 0x7ff88c324960
				 *0x8c368468 =  *_t17;
				_t18 = _t97 + 0x10c; // 0x1
				 *0x8c368528 =  *_t18;
				E00007FF87FF88C3095B8();
				goto 0x8c31241c;
				E00007FF87FF88C311020( *_t18, _t85, _t98);
				_t39 = E00007FF87FF88C3110C4(_t67, _t85, _t67[0x30], _t85, _t62);
				_t67[0x32] = _t67[0x32] & 0xffffffef;
				return _t39;
			}

0x7ff88c312284
0x7ff88c312284
0x7ff88c312284
0x7ff88c312284
0x7ff88c312284
0x7ff88c312289
0x7ff88c31228e
0x7ff88c31229d
0x7ff88c3122a0
0x7ff88c3122a5
0x7ff88c3122a8
0x7ff88c3122aa
0x7ff88c3122af
0x7ff88c3122b5
0x7ff88c3122bc
0x7ff88c3122c1
0x7ff88c3122c6
0x7ff88c3122c9
0x7ff88c3122ce
0x7ff88c3122d3
0x7ff88c3122e4
0x7ff88c3122e9
0x7ff88c3122ef
0x7ff88c3122fa
0x7ff88c312300
0x7ff88c31230a
0x7ff88c31230f
0x7ff88c312314
0x7ff88c31231a
0x7ff88c31231f
0x7ff88c312325
0x7ff88c312330
0x7ff88c31233e
0x7ff88c312346
0x7ff88c31234e
0x7ff88c312357
0x7ff88c312363
0x7ff88c312368
0x7ff88c312370
0x7ff88c312376
0x7ff88c31237a
0x7ff88c312380
0x7ff88c312382
0x7ff88c31238d
0x7ff88c312396
0x7ff88c3123a5
0x7ff88c3123b1
0x7ff88c3123ba
0x7ff88c3123ca
0x7ff88c3123cf
0x7ff88c3123d6
0x7ff88c3123dd
0x7ff88c3123e4
0x7ff88c3123eb
0x7ff88c3123f2
0x7ff88c3123f9
0x7ff88c312404
0x7ff88c312409
0x7ff88c31240e
0x7ff88c312416
0x7ff88c31241c
0x7ff88c31243f

APIs

_errno.LIBCMT ref: 00007FF88C3122AA
_invalid_parameter_noinfo.LIBCMT ref: 00007FF88C3122B5
_getptd.LIBCMT ref: 00007FF88C3122C1
_lock.LIBCMT ref: 00007FF88C3122FA
_lock.LIBCMT ref: 00007FF88C31238D

Memory Dump Source

Source File: 00000000.00000002.323590886.00007FF88C301000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF88C300000, based on PE: true

Associated: 00000000.00000002.323573707.00007FF88C300000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323655700.00007FF88C322000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323798879.00007FF88C367000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323812343.00007FF88C36A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323824687.00007FF88C36C000.00000010.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323839114.00007FF88C36D000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff88c300000_loaddll64.jbxd

Similarity

API ID: _lock$_errno_getptd_invalid_parameter_noinfo
String ID:
API String ID: 2808128820-0
Opcode ID: 5f3b5c5d687af83f64d7d5234137c8fd33df6528416cfad91178659c89b0326c
Instruction ID: 5325aa9619e3b90e459f815fb63abc55a31641a77b2c7c28d1b606d999da624f
Opcode Fuzzy Hash: 5f3b5c5d687af83f64d7d5234137c8fd33df6528416cfad91178659c89b0326c
Instruction Fuzzy Hash: 02418E31A0978289F745AB22E950FBA6291BF4B7C0F040136EE4D8779EEE3DA443C305

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF88C308F40 Relevance: 7.6, APIs: 5, Instructions: 90COMMON

Download Yara Rule

APIs

_ctrlfp.LIBCMT ref: 00007FF88C308F81
_exception_enabled.LIBCMT ref: 00007FF88C308FA3

Part of subcall function 00007FF88C308E84: _set_statfp.LIBCMT ref: 00007FF88C308EAB
Part of subcall function 00007FF88C308E84: _set_statfp.LIBCMT ref: 00007FF88C308F1E

_raise_excf.LIBCMT ref: 00007FF88C308FEF
_ctrlfp.LIBCMT ref: 00007FF88C30903B
_ctrlfp.LIBCMT ref: 00007FF88C30906C

Memory Dump Source

Source File: 00000000.00000002.323590886.00007FF88C301000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF88C300000, based on PE: true

Associated: 00000000.00000002.323573707.00007FF88C300000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323655700.00007FF88C322000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323798879.00007FF88C367000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323812343.00007FF88C36A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323824687.00007FF88C36C000.00000010.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323839114.00007FF88C36D000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff88c300000_loaddll64.jbxd

Similarity

API ID: _ctrlfp$_set_statfp$_exception_enabled_raise_excf
String ID:
API String ID: 3843346586-0
Opcode ID: 1b50414a80639452b7d273b3766bd6da263888b3791c87089997bba76336f12f
Instruction ID: ef9ad69eb0e5774d4a036040ee6e4ca005345d119cb9bc54339460890d41a5ed
Opcode Fuzzy Hash: 1b50414a80639452b7d273b3766bd6da263888b3791c87089997bba76336f12f
Instruction Fuzzy Hash: F4418833A18B858AE711DB65E4416ABB761FB8A3D8F040235FA4D57A5DDF3CE446CB00

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF88C312144 Relevance: 7.6, APIs: 5, Instructions: 88
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E00007FF87FF88C312144(void* __ecx, long long __rbx, void* __rcx, void* __rdx, long long __rdi, long long __rsi, long long __rbp, void* _a8, void* _a16, void* _a24, void* _a32) {
				intOrPtr* _t21;
				intOrPtr* _t34;

				_t21 = _t34;
				 *((long long*)(_t21 + 8)) = __rbx;
				 *((long long*)(_t21 + 0x10)) = __rbp;
				 *((long long*)(_t21 + 0x18)) = __rsi;
				 *((long long*)(_t21 + 0x20)) = __rdi;
				if (__ecx - 5 > 0) goto 0x8c312192;
				if (__rdx == 0) goto 0x8c312192;
				r12d = 1;
				E00007FF87FF88C30796C(__rbx, __rcx, __rdx, __rdi, __rdx, __rbp);
				if (_t21 != 0) goto 0x8c3121af;
				E00007FF87FF88C307698(_t21);
				 *_t21 = 0xc;
				return 0;
			}

0x7ff88c312144
0x7ff88c312147
0x7ff88c31214b
0x7ff88c31214f
0x7ff88c312153
0x7ff88c312165
0x7ff88c31216a
0x7ff88c31216c
0x7ff88c31217a
0x7ff88c312185
0x7ff88c312187
0x7ff88c31218c
0x7ff88c3121ae

APIs

_errno.LIBCMT ref: 00007FF88C312187
free.LIBCMT ref: 00007FF88C3121C7
free.LIBCMT ref: 00007FF88C3121E7
free.LIBCMT ref: 00007FF88C312244
free.LIBCMT ref: 00007FF88C31225C

Part of subcall function 00007FF88C30796C: Sleep.KERNEL32(?,?,?,00007FF88C307F0B,?,?,?,00007FF88C3076A1,?,?,?,?,00007FF88C305382), ref: 00007FF88C3079B1

Memory Dump Source

Source File: 00000000.00000002.323590886.00007FF88C301000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF88C300000, based on PE: true

Associated: 00000000.00000002.323573707.00007FF88C300000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323655700.00007FF88C322000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323798879.00007FF88C367000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323812343.00007FF88C36A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323824687.00007FF88C36C000.00000010.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323839114.00007FF88C36D000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff88c300000_loaddll64.jbxd

Similarity

API ID: free$Sleep_errno
String ID:
API String ID: 2081351063-0
Opcode ID: a52b42de46a5615ca2b388d49ae21bda1e98984a3fa8a53537a30db7aca59961
Instruction ID: 8ca2b03e77978a94bccf4c6e598137894a77ea385167da6870121d77bfe2b480
Opcode Fuzzy Hash: a52b42de46a5615ca2b388d49ae21bda1e98984a3fa8a53537a30db7aca59961
Instruction Fuzzy Hash: 77315022A09B4289EB55DB52D451A7D73A1BF86FC4F048036EE4D5739EEE3DE802C340

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF88C30909C Relevance: 7.6, APIs: 5, Instructions: 87
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 21%

			E00007FF87FF88C30909C(signed int __edx, void* __eflags, long long __rcx, long long __r8) {
				void* __rbx;
				void* __rsi;
				void* _t24;
				void* _t34;
				void* _t35;
				signed int _t42;
				signed long long _t52;
				signed long long _t53;
				void* _t64;
				void* _t69;
				void* _t70;
				void* _t71;
				signed long long _t72;
				void* _t76;

				_t70 = _t71 - 0x38;
				_t72 = _t71 - 0x108;
				asm("movaps [eax-0x48], xmm6");
				_t52 =  *0x8c3670a0; // 0xfd5a6ce2fd9f
				_t53 = _t52 ^ _t72;
				 *(_t70 - 0x20) = _t53;
				r13d = 0xffc0;
				_t42 = r9d;
				E00007FF87FF88C314FBC(_t35, _t42, __r8, __rcx, _t64, _t69);
				 *(_t72 + 0x30) = _t53;
				 *((long long*)(_t72 + 0x40)) = __r8;
				asm("movsd xmm0, [esp+0x40]");
				asm("movsd [esp+0x38], xmm0");
				_t24 = E00007FF87FF88C308E84( *((intOrPtr*)(_t70 + 0x60)), r13d, __r8,  *(_t72 + 0x30), _t69);
				asm("movsd xmm6, [ebp+0x78]");
				if (_t24 != 0) goto 0x8c309151;
				if ( *((intOrPtr*)(_t70 + 0x80)) != 2) goto 0x8c309128;
				asm("movsd [ebp-0x60], xmm6");
				 *(_t70 - 0x50) =  *(_t70 - 0x50) & 0xffffffe3 | 0x00000003;
				r8d =  *((intOrPtr*)(_t70 + 0x60));
				 *((long long*)(_t72 + 0x28)) = _t72 + 0x38;
				_t14 = _t70 + 0x70; // 0x10030
				r9d = __edx;
				 *((long long*)(_t72 + 0x20)) = _t14;
				E00007FF87FF88C314880();
				if ( *0x8c368460 != 0) goto 0x8c3091ae;
				if (_t42 == 0) goto 0x8c3091ae;
				asm("movsd xmm0, [ebp+0x70]");
				asm("movsd xmm1, [esp+0x38]");
				 *((intOrPtr*)(_t72 + 0x48)) = _t42;
				 *((long long*)(_t72 + 0x50)) = __rcx;
				asm("movsd [esp+0x58], xmm0");
				asm("movsd [esp+0x68], xmm1");
				asm("movsd [esp+0x60], xmm6");
				E00007FF87FF88C314FBC(_t35, _t42, __r8,  *(_t72 + 0x30), _t76, _t69);
				if (E00007FF87FF88C314F84() != 0) goto 0x8c3091a6;
				E00007FF87FF88C314B40(_t42, _t14);
				asm("movsd xmm0, [esp+0x68]");
				goto 0x8c3091c8;
				E00007FF87FF88C314B40(_t42, _t14);
				E00007FF87FF88C314FBC(_t35, _t42, __r8,  *(_t72 + 0x30), _t76, _t69);
				asm("movsd xmm0, [esp+0x38]");
				_t34 = E00007FF87FF88C304980(_t42,  *(_t70 - 0x20) ^ _t72, _t76, __r8);
				asm("movaps xmm6, [esp+0xf0]");
				return _t34;
			}

0x7ff88c3090a7
0x7ff88c3090ab
0x7ff88c3090b2
0x7ff88c3090b6
0x7ff88c3090bd
0x7ff88c3090c0
0x7ff88c3090c9
0x7ff88c3090d7
0x7ff88c3090dd
0x7ff88c3090e5
0x7ff88c3090ea
0x7ff88c3090ef
0x7ff88c3090fa
0x7ff88c309100
0x7ff88c309105
0x7ff88c30910c
0x7ff88c309115
0x7ff88c30911a
0x7ff88c309125
0x7ff88c309128
0x7ff88c309136
0x7ff88c30913b
0x7ff88c309144
0x7ff88c309147
0x7ff88c30914c
0x7ff88c309158
0x7ff88c30915c
0x7ff88c30915e
0x7ff88c309163
0x7ff88c309171
0x7ff88c309175
0x7ff88c30917a
0x7ff88c309180
0x7ff88c309186
0x7ff88c30918c
0x7ff88c30919d
0x7ff88c3091a1
0x7ff88c3091a6
0x7ff88c3091ac
0x7ff88c3091b0
0x7ff88c3091bd
0x7ff88c3091c2
0x7ff88c3091cf
0x7ff88c3091d4
0x7ff88c3091eb

APIs

_ctrlfp.LIBCMT ref: 00007FF88C3090DD
_exception_enabled.LIBCMT ref: 00007FF88C309100

Part of subcall function 00007FF88C308E84: _set_statfp.LIBCMT ref: 00007FF88C308EAB
Part of subcall function 00007FF88C308E84: _set_statfp.LIBCMT ref: 00007FF88C308F1E

_raise_exc.LIBCMT ref: 00007FF88C30914C
_ctrlfp.LIBCMT ref: 00007FF88C30918C
_ctrlfp.LIBCMT ref: 00007FF88C3091BD

Memory Dump Source

Source File: 00000000.00000002.323590886.00007FF88C301000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF88C300000, based on PE: true

Associated: 00000000.00000002.323573707.00007FF88C300000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323655700.00007FF88C322000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323798879.00007FF88C367000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323812343.00007FF88C36A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323824687.00007FF88C36C000.00000010.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323839114.00007FF88C36D000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff88c300000_loaddll64.jbxd

Similarity

API ID: _ctrlfp$_set_statfp$_exception_enabled_raise_exc
String ID:
API String ID: 3456427917-0
Opcode ID: bbdcec2d665f9670fe17ef3f8aa769760990ff81749426f459c7f0c17560835d
Instruction ID: 2140f875fa3cdbaea1956d196c49288a6a8f705613ed2859ad70e60bc8538872
Opcode Fuzzy Hash: bbdcec2d665f9670fe17ef3f8aa769760990ff81749426f459c7f0c17560835d
Instruction Fuzzy Hash: E4316032A18B858AE751DF65E801AABA765FB863C8F000235FA8D56B59DF3CD446CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF88C305590 Relevance: 7.6, APIs: 5, Instructions: 72COMMONLIBRARYCODE

Download Yara Rule

APIs

DecodePointer.KERNEL32(?,?,?,00007FF88C3056A5,?,?,?,?,00007FF88C3070B6,?,?,?,00007FF88C3059E5), ref: 00007FF88C3055B9
DecodePointer.KERNEL32(?,?,?,00007FF88C3056A5,?,?,?,?,00007FF88C3070B6,?,?,?,00007FF88C3059E5), ref: 00007FF88C3055C9

Part of subcall function 00007FF88C307B00: _errno.LIBCMT ref: 00007FF88C307B09
Part of subcall function 00007FF88C307B00: _invalid_parameter_noinfo.LIBCMT ref: 00007FF88C307B14

EncodePointer.KERNEL32(?,?,?,00007FF88C3056A5,?,?,?,?,00007FF88C3070B6,?,?,?,00007FF88C3059E5), ref: 00007FF88C305647

Part of subcall function 00007FF88C3079F0: realloc.LIBCMT ref: 00007FF88C307A1B
Part of subcall function 00007FF88C3079F0: Sleep.KERNEL32(?,?,00000000,00007FF88C305637,?,?,?,00007FF88C3056A5,?,?,?,?,00007FF88C3070B6), ref: 00007FF88C307A37

EncodePointer.KERNEL32(?,?,?,00007FF88C3056A5,?,?,?,?,00007FF88C3070B6,?,?,?,00007FF88C3059E5), ref: 00007FF88C305657
EncodePointer.KERNEL32(?,?,?,00007FF88C3056A5,?,?,?,?,00007FF88C3070B6,?,?,?,00007FF88C3059E5), ref: 00007FF88C305664

Memory Dump Source

Source File: 00000000.00000002.323590886.00007FF88C301000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF88C300000, based on PE: true

Associated: 00000000.00000002.323573707.00007FF88C300000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323655700.00007FF88C322000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323798879.00007FF88C367000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323812343.00007FF88C36A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323824687.00007FF88C36C000.00000010.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323839114.00007FF88C36D000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff88c300000_loaddll64.jbxd

Similarity

API ID: Pointer$Encode$Decode$Sleep_errno_invalid_parameter_noinforealloc
String ID:
API String ID: 1909145217-0
Opcode ID: c56fcdd11b20363de1917eb9bf5ea348424f4bb33bde1d58603edb43d8e9abfe
Instruction ID: 3d6f769e905b80bdf2657a8e79dcd323838b72c546a34a7c569590b715a0684a
Opcode Fuzzy Hash: c56fcdd11b20363de1917eb9bf5ea348424f4bb33bde1d58603edb43d8e9abfe
Instruction Fuzzy Hash: 31219522B0AB4A82EE009B91E94887AA3A1BF4ABD1F445435EE4D1775DDF7CF447C344

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF88C305458 Relevance: 7.6, APIs: 5, Instructions: 65COMMON

Download Yara Rule

APIs

DecodePointer.KERNEL32 ref: 00007FF88C30547A
DecodePointer.KERNEL32 ref: 00007FF88C30548A

Part of subcall function 00007FF88C307B00: _errno.LIBCMT ref: 00007FF88C307B09
Part of subcall function 00007FF88C307B00: _invalid_parameter_noinfo.LIBCMT ref: 00007FF88C307B14

EncodePointer.KERNEL32 ref: 00007FF88C305502

Part of subcall function 00007FF88C3079F0: realloc.LIBCMT ref: 00007FF88C307A1B
Part of subcall function 00007FF88C3079F0: Sleep.KERNEL32(?,?,00000000,00007FF88C305637,?,?,?,00007FF88C3056A5,?,?,?,?,00007FF88C3070B6), ref: 00007FF88C307A37

EncodePointer.KERNEL32 ref: 00007FF88C305512
EncodePointer.KERNEL32 ref: 00007FF88C30551F

Memory Dump Source

Source File: 00000000.00000002.323590886.00007FF88C301000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF88C300000, based on PE: true

Associated: 00000000.00000002.323573707.00007FF88C300000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323655700.00007FF88C322000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323798879.00007FF88C367000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323812343.00007FF88C36A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323824687.00007FF88C36C000.00000010.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323839114.00007FF88C36D000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff88c300000_loaddll64.jbxd

Similarity

API ID: Pointer$Encode$Decode$Sleep_errno_invalid_parameter_noinforealloc
String ID:
API String ID: 1909145217-0
Opcode ID: bbf7ca0c674fe320cd355004688deff3e5009fa670da5bf74980f2a14ead86fd
Instruction ID: d61a09fd09c9009643d7238876236a26a7e5769680a10f1808a62379e3999c89
Opcode Fuzzy Hash: bbf7ca0c674fe320cd355004688deff3e5009fa670da5bf74980f2a14ead86fd
Instruction Fuzzy Hash: 65214F22A09B4686EE409B91F904969A3A1BB5ABD1F484434EE4E0735DEF7CF093C344

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF88C30F6E4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 31%

			E00007FF87FF88C30F6E4(void* __edx, void* __esi, long long __rbx, void* __rdx, void* __rdi, void* __rsi, void* __r8, void* __r10, void* __r11, long long _a8) {
				char _v24;
				char _v40;
				char _v56;
				signed int _v64;
				signed int _v72;
				signed int _v80;
				signed long long _v88;
				char _t37;
				char _t39;
				signed int _t40;
				char* _t61;
				intOrPtr _t62;
				char* _t63;
				intOrPtr _t64;
				intOrPtr* _t65;
				intOrPtr* _t76;
				char* _t81;
				char* _t82;
				intOrPtr _t87;
				char* _t98;
				intOrPtr* _t100;
				intOrPtr* _t101;

				_t95 = __r8;
				_t90 = __rsi;
				_t89 = __rdi;
				_t44 = __esi;
				_a8 = __rbx;
				_v88 = _v88 & 0x00000000;
				_v72 = _v72 & 0x00000000;
				_v80 = _v80 & 0xffff0000;
				_v64 = _v64 & 0xffff0000;
				_t61 =  *0x8c369a78; // 0x0
				if (_t61 == 0) goto 0x8c30f79e;
				if ( *_t61 != 0x3f) goto 0x8c30f78c;
				_t40 =  *((intOrPtr*)(_t61 + 1));
				if (_t40 != 0x40) goto 0x8c30f761;
				 *0x8c369a70 =  *0x8c369a70 + 2;
				E00007FF87FF88C30E43C(__esi, _t40 - 0x40, __rbx,  &_v40, __rdx, __rdi, __rsi, __r8, __r10, __r11);
				E00007FF87FF88C30A9E0( &_v24, "CV: ");
				asm("movups xmm0, [eax]");
				asm("movdqu [ebp-0x30], xmm0");
				E00007FF87FF88C30AC78(_t61,  &_v56, _t61);
				asm("movaps xmm5, [ebp-0x30]");
				goto 0x8c30f798;
				if (_t40 != 0x24) goto 0x8c30f78c;
				E00007FF87FF88C30CF0C(_t40, 0, _t61,  &_v24, _t61, __rdi, _t90, __r10, __r11);
				asm("movups xmm5, [eax]");
				asm("movaps [ebp-0x50], xmm5");
				if (_v80 != 2) goto 0x8c30f7a2;
				_t62 =  *0x8c369a78; // 0x0
				 *0x8c369a70 = _t62;
				E00007FF87FF88C30E43C(_t44, _v80 - 2, _t61,  &_v24, _t61, _t89, _t90, _t95, __r10, __r11);
				asm("movups xmm5, [eax]");
				asm("movaps [ebp-0x50], xmm5");
				goto 0x8c30f7a2;
				asm("movaps xmm5, [ebp-0x50]");
				if (_v80 != 3) goto 0x8c30f7af;
				goto 0x8c30f87c;
				if (_v80 == 2) goto 0x8c30f7d4;
				if (( *0x8c369a8c & 0x00001000) != 0) goto 0x8c30f7cd;
				_t63 =  *0x8c369a70; // 0x0
				if ( *_t63 != 0) goto 0x8c30f7d4;
				asm("movdqa [ebp-0x40], xmm5");
				goto 0x8c30f7e4;
				_t87 =  *0x8c369a78; // 0x0
				E00007FF87FF88C30AD7C( &_v72, _t87);
				_t64 =  *0x8c369a80; // 0x0
				if (_t64 != 0) goto 0x8c30f823;
				_t76 = _v72;
				if (_t76 == 0) goto 0x8c30f7fe;
				_t65 =  *_t76;
				 *0x8c369a88 =  *_t65() + 1;
				 *0x8c369a38();
				 *0x8c369a80 = _t65;
				if (_t65 == 0) goto 0x8c30f87c;
				r8d =  *0x8c369a88; // 0x0
				E00007FF87FF88C30A4DC(_t61,  &_v72, _t65, _t90);
				_t98 =  *0x8c369a80; // 0x0
				_t37 =  *_t98;
				_t81 = _t98;
				if (_t37 == 0) goto 0x8c30f870;
				if (_t37 != 0x20) goto 0x8c30f861;
				 *_t81 = 0x20;
				_t82 = _t81 + 1;
				goto 0x8c30f85a;
				_t100 = _t98 + 2;
				if ( *_t100 == 0x20) goto 0x8c30f857;
				goto 0x8c30f869;
				 *_t82 = _t37;
				_t101 = _t100 + 1;
				if ( *_t101 != 0) goto 0x8c30f849;
				_t39 =  *_t101;
				 *((char*)(_t82 + 1)) = _t39;
				return _t39;
			}

0x7ff88c30f6e4
0x7ff88c30f6e4
0x7ff88c30f6e4
0x7ff88c30f6e4
0x7ff88c30f6e4
0x7ff88c30f6f1
0x7ff88c30f6f6
0x7ff88c30f700
0x7ff88c30f703
0x7ff88c30f706
0x7ff88c30f710
0x7ff88c30f719
0x7ff88c30f71b
0x7ff88c30f721
0x7ff88c30f723
0x7ff88c30f72f
0x7ff88c30f742
0x7ff88c30f74e
0x7ff88c30f751
0x7ff88c30f756
0x7ff88c30f75b
0x7ff88c30f75f
0x7ff88c30f764
0x7ff88c30f76c
0x7ff88c30f771
0x7ff88c30f774
0x7ff88c30f77c
0x7ff88c30f77e
0x7ff88c30f785
0x7ff88c30f790
0x7ff88c30f795
0x7ff88c30f798
0x7ff88c30f79c
0x7ff88c30f79e
0x7ff88c30f7a6
0x7ff88c30f7aa
0x7ff88c30f7b3
0x7ff88c30f7bf
0x7ff88c30f7c1
0x7ff88c30f7cb
0x7ff88c30f7cd
0x7ff88c30f7d2
0x7ff88c30f7d4
0x7ff88c30f7df
0x7ff88c30f7e4
0x7ff88c30f7ee
0x7ff88c30f7f0
0x7ff88c30f7f7
0x7ff88c30f7f9
0x7ff88c30f803
0x7ff88c30f811
0x7ff88c30f817
0x7ff88c30f821
0x7ff88c30f823
0x7ff88c30f831
0x7ff88c30f836
0x7ff88c30f83d
0x7ff88c30f840
0x7ff88c30f845
0x7ff88c30f84b
0x7ff88c30f850
0x7ff88c30f852
0x7ff88c30f855
0x7ff88c30f857
0x7ff88c30f85d
0x7ff88c30f85f
0x7ff88c30f861
0x7ff88c30f866
0x7ff88c30f86e
0x7ff88c30f870
0x7ff88c30f873
0x7ff88c30f889

APIs

DName::DName.LIBCMT ref: 00007FF88C30F742

Part of subcall function 00007FF88C30A9E0: DName::doPchar.LIBCMT ref: 00007FF88C30AA19

DName::operator+=.LIBCMT ref: 00007FF88C30F756
DName::operator=.LIBCMT ref: 00007FF88C30F7DF

Strings

CV: , xrefs: 00007FF88C30F734

Memory Dump Source

Source File: 00000000.00000002.323590886.00007FF88C301000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF88C300000, based on PE: true

Associated: 00000000.00000002.323573707.00007FF88C300000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323655700.00007FF88C322000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323798879.00007FF88C367000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323812343.00007FF88C36A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323824687.00007FF88C36C000.00000010.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323839114.00007FF88C36D000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff88c300000_loaddll64.jbxd

Similarity

API ID: NameName::Name::doName::operator+=Name::operator=Pchar
String ID: CV:
API String ID: 3883879377-3725821052
Opcode ID: a86a0f8eaa0663e3be6ccd0c22ac171db998113c97d966c170ef7d56a079b069
Instruction ID: 740e81e03f84e3f07dde6b653323729d1215cdeaabc8d51f7d7d43620c3e35d5
Opcode Fuzzy Hash: a86a0f8eaa0663e3be6ccd0c22ac171db998113c97d966c170ef7d56a079b069
Instruction Fuzzy Hash: 9051AE13E08B9688FB519BA4D845BFC37A0BF5ABD9F544235CA4E0669ADF2CA447D300

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF88C304AD4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 95
COMMON

Download Yara Rule

C-Code - Quality: 16%

			E00007FF87FF88C304AD4(void* __rcx, void* __rdx) {
				void* _t7;

				goto 0x8c3066c4;
				asm("int3");
				asm("int3");
				asm("int3");
				goto 0x8c306620;
				asm("int3");
				asm("int3");
				asm("int3");
				return E00007FF87FF88C3057E0(_t7, __rdx + 0x11, __rcx + 0x11) & 0xffffff00 | _t5 == 0x00000000;
			}

0x7ff88c304ad4
0x7ff88c304ad9
0x7ff88c304ada
0x7ff88c304adb
0x7ff88c304adc
0x7ff88c304ae1
0x7ff88c304ae2
0x7ff88c304ae3
0x7ff88c304b01

APIs

_lock.LIBCMT ref: 00007FF88C3066F8

Part of subcall function 00007FF88C3096D8: _amsg_exit.LIBCMT ref: 00007FF88C309702

free.LIBCMT ref: 00007FF88C3067EF

Strings

, xrefs: 00007FF88C306774

Memory Dump Source

Source File: 00000000.00000002.323590886.00007FF88C301000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF88C300000, based on PE: true

Associated: 00000000.00000002.323573707.00007FF88C300000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323655700.00007FF88C322000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323798879.00007FF88C367000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323812343.00007FF88C36A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323824687.00007FF88C36C000.00000010.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323839114.00007FF88C36D000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff88c300000_loaddll64.jbxd

Similarity

API ID: _amsg_exit_lockfree
String ID:
API String ID: 1309213036-3916222277
Opcode ID: fc154583434b98a0a7a9d7f18726423fc2ba4813a2cb351f82a7e7d1208b6c57
Instruction ID: 888302adac77fb6fc7cd5e82a47f88223330cbf81609de56db9b6aa89987a479
Opcode Fuzzy Hash: fc154583434b98a0a7a9d7f18726423fc2ba4813a2cb351f82a7e7d1208b6c57
Instruction Fuzzy Hash: 1B317E23A09B8682FA14DBA2E451B7A62A4FF4ABC0F445035EE8D4778DDE3CE542C704

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF88C314368 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 54%

			E00007FF87FF88C314368(signed int __ecx, void* __edx, intOrPtr* __rcx, char* __rdx, void* __r8, intOrPtr _a40, long long _a48) {
				signed int _v56;
				char _v80;
				intOrPtr _v100;
				char _v104;
				long long _v120;
				void* _v128;
				long long _v136;
				void* __rbx;
				void* __rdi;
				void* __rsi;
				void* __rbp;
				void* _t33;
				char _t34;
				signed int _t38;
				intOrPtr _t41;
				void* _t42;
				signed long long _t54;
				signed long long _t55;
				intOrPtr* _t59;
				signed long long _t69;
				void* _t75;
				char* _t76;
				void* _t77;
				void* _t81;
				void* _t84;

				_t38 = __ecx;
				_t54 =  *0x8c3670a0; // 0xfd5a6ce2fd9f
				_t55 = _t54 ^  &_v128;
				_v56 = _t55;
				_t75 = __r8;
				_t76 = __rdx;
				_t41 = r9d;
				_t69 =  &_v104;
				r9d = 0x16;
				E00007FF87FF88C31980C(_t42,  *__rcx, _t69,  &_v80, _t81, _t84);
				if (_t76 != 0) goto 0x8c3143c0;
				E00007FF87FF88C307698(_t55);
				 *_t55 = 0x16;
				E00007FF87FF88C309444();
				goto 0x8c314481;
				if (_t75 == 0) goto 0x8c3143ad;
				r12d = _v100;
				r12d = r12d - 1;
				_t59 = _t55 + _t76;
				if (_t75 == (_t69 | 0xffffffff)) goto 0x8c3143ea;
				r8d = _t41;
				if (E00007FF87FF88C319678(_t55, _t59, _t59, _t75 - _t55,  &_v104) == 0) goto 0x8c314403;
				 *_t76 = 0;
				goto 0x8c314481;
				_t33 = _v100 - 1;
				if (_t33 - 0xfffffffc < 0) goto 0x8c31444f;
				if (_t33 - _t41 >= 0) goto 0x8c31444f;
				if ((_t38 & 0xffffff00 | r12d - _t33 < 0x00000000) == 0) goto 0x8c314428;
				_t34 =  *_t59;
				if (_t34 != 0) goto 0x8c31441c;
				 *((char*)(_t59 + 1 - 2)) = _t34;
				r8d = _t41;
				_v128 = _a48;
				_v136 = 1;
				E00007FF87FF88C3140E4(_t38 & 0xffffff00 | r12d - _t33 < 0x00000000, _t34, _t59 + 1, _t76, _t75, _t75, _t76, _t77,  &_v104);
				goto 0x8c314481;
				r9d = _a40;
				r8d = _t41;
				_v120 = _a48;
				_v128 = 1;
				_v136 =  &_v104;
				0x8c3139a0();
				return E00007FF87FF88C304980(_t38 & 0xffffff00 | r12d - _t33 < 0x00000000, _v56 ^  &_v128, _t75,  &_v80);
			}

0x7ff88c314368
0x7ff88c314376
0x7ff88c31437d
0x7ff88c314380
0x7ff88c314388
0x7ff88c31438b
0x7ff88c31438e
0x7ff88c31439b
0x7ff88c3143a0
0x7ff88c3143a3
0x7ff88c3143ab
0x7ff88c3143ad
0x7ff88c3143b2
0x7ff88c3143b4
0x7ff88c3143bb
0x7ff88c3143c3
0x7ff88c3143c5
0x7ff88c3143cc
0x7ff88c3143db
0x7ff88c3143e2
0x7ff88c3143ef
0x7ff88c3143fc
0x7ff88c3143fe
0x7ff88c314401
0x7ff88c314407
0x7ff88c314412
0x7ff88c314416
0x7ff88c31441a
0x7ff88c31441c
0x7ff88c314423
0x7ff88c314425
0x7ff88c314435
0x7ff88c314438
0x7ff88c314443
0x7ff88c314448
0x7ff88c31444d
0x7ff88c314457
0x7ff88c31445f
0x7ff88c314462
0x7ff88c314472
0x7ff88c314477
0x7ff88c31447c
0x7ff88c31449b

APIs

_fltout2.LIBCMT ref: 00007FF88C3143A3
_errno.LIBCMT ref: 00007FF88C3143AD
_invalid_parameter_noinfo.LIBCMT ref: 00007FF88C3143B4

Strings

-, xrefs: 00007FF88C3143CF

Memory Dump Source

Source File: 00000000.00000002.323590886.00007FF88C301000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF88C300000, based on PE: true

Associated: 00000000.00000002.323573707.00007FF88C300000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323655700.00007FF88C322000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323798879.00007FF88C367000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323812343.00007FF88C36A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323824687.00007FF88C36C000.00000010.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323839114.00007FF88C36D000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff88c300000_loaddll64.jbxd

Similarity

API ID: _errno_fltout2_invalid_parameter_noinfo
String ID: -
API String ID: 485257318-2547889144
Opcode ID: 6de6eeb44deb5c97469eccab94f75fc10c1770063f15b04a8e2b9e09bce0002d
Instruction ID: 5c94ef8065023a7fd35055f0137a4fc873eda1ce22f6a9d19049f771d66cc459
Opcode Fuzzy Hash: 6de6eeb44deb5c97469eccab94f75fc10c1770063f15b04a8e2b9e09bce0002d
Instruction Fuzzy Hash: 2F31E92270868189EA209A26E440BAAB760BF57BD4F544237FF9C47BCDDF2CD406C700

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF88C304A80 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84COMMON

Download Yara Rule

APIs

_lock.LIBCMT ref: 00007FF88C306578
free.LIBCMT ref: 00007FF88C3065E9
free.LIBCMT ref: 00007FF88C3065F1

Strings

, xrefs: 00007FF88C30655F

Memory Dump Source

Source File: 00000000.00000002.323590886.00007FF88C301000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF88C300000, based on PE: true

Associated: 00000000.00000002.323573707.00007FF88C300000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323655700.00007FF88C322000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323798879.00007FF88C367000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323812343.00007FF88C36A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323824687.00007FF88C36C000.00000010.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323839114.00007FF88C36D000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff88c300000_loaddll64.jbxd

Similarity

API ID: free$_lock
String ID:
API String ID: 538337703-3916222277
Opcode ID: f8cf7f7b5a1622d53e07f8d2eeeabf8aebdaf235d41beca78e05f628581b931b
Instruction ID: 4220311c14237c13e85309767a26fb9ec63ac95fec53d2bc31928e5c5f3fe4cb
Opcode Fuzzy Hash: f8cf7f7b5a1622d53e07f8d2eeeabf8aebdaf235d41beca78e05f628581b931b
Instruction Fuzzy Hash: F9315923A09B9681FB14DBA5D055B6A63A4FF4A7C4F54403ADE4C4778DEE3CE552C304

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF88C319678 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 66
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E00007FF87FF88C319678(intOrPtr* __rax, long long __rbx, char* __rcx, void* __rdx, void* __r9, long long _a8) {
				void* _t15;
				void* _t17;
				void* _t30;
				char* _t36;
				char* _t37;
				char* _t38;
				char* _t42;
				intOrPtr* _t52;

				_t42 = __rcx;
				_a8 = __rbx;
				_t52 =  *((intOrPtr*)(__r9 + 0x10));
				r11d = 0;
				_t40 = __rcx;
				if (__rcx != 0) goto 0x8c3196a9;
				E00007FF87FF88C307698(__rax);
				 *__rax = 0x16;
				E00007FF87FF88C309444();
				goto 0x8c319739;
				if (__rdx == 0) goto 0x8c319691;
				 *((intOrPtr*)(__rcx)) = r11b;
				_t14 =  >  ? r8d : r11d;
				_t15 = ( >  ? r8d : r11d) + 1;
				if (__rdx - __rax > 0) goto 0x8c3196d0;
				_t17 = E00007FF87FF88C307698(__rax);
				goto 0x8c31969b;
				 *__rcx = 0x30;
				_t3 = _t42 + 1; // 0x1
				_t36 = _t3;
				goto 0x8c3196f4;
				if ( *_t52 == r11b) goto 0x8c3196e7;
				goto 0x8c3196ec;
				 *_t36 = 0x30;
				_t37 = _t36 + 1;
				r8d = r8d - 1;
				_t30 = r8d;
				if (_t30 > 0) goto 0x8c3196d9;
				 *_t37 = r11b;
				if (_t30 < 0) goto 0x8c319713;
				if ( *((char*)(_t52 + 1)) - 0x35 < 0) goto 0x8c319713;
				goto 0x8c319709;
				 *_t37 = 0x30;
				_t38 = _t37 - 1;
				if ( *_t38 == 0x39) goto 0x8c319706;
				 *_t38 =  *_t38 + 1;
				if ( *__rcx != 0x31) goto 0x8c31971e;
				 *((intOrPtr*)(__r9 + 4)) =  *((intOrPtr*)(__r9 + 4)) + 1;
				goto 0x8c319737;
				_t6 = _t40 + 1; // 0x1
				E00007FF87FF88C3053B0(_t17, _t6);
				_t7 = _t40 + 1; // 0x1
				_t8 = _t38 + 1; // 0x1
				E00007FF87FF88C304B80(0x30,  *__rcx - 0x31, __rcx, _t7, _t8);
				return 0;
			}

0x7ff88c319678
0x7ff88c319678
0x7ff88c319682
0x7ff88c319686
0x7ff88c319689
0x7ff88c31968f
0x7ff88c319691
0x7ff88c31969b
0x7ff88c31969d
0x7ff88c3196a4
0x7ff88c3196ac
0x7ff88c3196b4
0x7ff88c3196b7
0x7ff88c3196bb
0x7ff88c3196c2
0x7ff88c3196c4
0x7ff88c3196ce
0x7ff88c3196d0
0x7ff88c3196d3
0x7ff88c3196d3
0x7ff88c3196d7
0x7ff88c3196dc
0x7ff88c3196e5
0x7ff88c3196ec
0x7ff88c3196ee
0x7ff88c3196f1
0x7ff88c3196f4
0x7ff88c3196f7
0x7ff88c3196f9
0x7ff88c3196fc
0x7ff88c319702
0x7ff88c319704
0x7ff88c319706
0x7ff88c319709
0x7ff88c31970f
0x7ff88c319711
0x7ff88c319716
0x7ff88c319718
0x7ff88c31971c
0x7ff88c31971e
0x7ff88c319722
0x7ff88c319727
0x7ff88c31972e
0x7ff88c319732
0x7ff88c319743

APIs

_errno.LIBCMT ref: 00007FF88C319691
_invalid_parameter_noinfo.LIBCMT ref: 00007FF88C31969D
_errno.LIBCMT ref: 00007FF88C3196C4

Strings

1, xrefs: 00007FF88C319713

Memory Dump Source

Source File: 00000000.00000002.323590886.00007FF88C301000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF88C300000, based on PE: true

Associated: 00000000.00000002.323573707.00007FF88C300000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323655700.00007FF88C322000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323798879.00007FF88C367000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323812343.00007FF88C36A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323824687.00007FF88C36C000.00000010.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323839114.00007FF88C36D000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff88c300000_loaddll64.jbxd

Similarity

API ID: _errno$_invalid_parameter_noinfo
String ID: 1
API String ID: 2819658684-2212294583
Opcode ID: 98b6736d22ec9c38237573216724a09e87e3c7d5bbbaa4ae57ddbb29dd16388b
Instruction ID: 1ca8aba16725aee5cd402d5c70aa6e44f8e3b8c0d4878abd8cd4de44ff5b66bd
Opcode Fuzzy Hash: 98b6736d22ec9c38237573216724a09e87e3c7d5bbbaa4ae57ddbb29dd16388b
Instruction Fuzzy Hash: CC21C82291D3C28EF7168F24D414B7C6A94BF077C0F598032E64A8628BDE2DA942C721

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF88C30B1D4 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 24
COMMON

Download Yara Rule

C-Code - Quality: 66%

			E00007FF87FF88C30B1D4(void* __ecx, void* __edx, void* __esi, void* __rax, void* __rcx, void* __rsi, void* __r8) {
				char _v24;
				void* __rbx;
				void* _t5;
				void* _t7;
				void* _t12;
				void* _t14;
				void* _t21;
				void* _t24;
				void* _t25;
				char* _t26;

				_t22 = __rsi;
				_t12 = __rax;
				_t7 = __edx;
				asm("movups xmm0, [edx]");
				_t14 = __rcx;
				asm("movdqu [ecx], xmm0");
				E00007FF87FF88C30AFE0(__ecx, __esi, __rax, __rcx, __rcx, "{for ", __rsi, __r8);
				E00007FF87FF88C30E6CC(_t7, __esi, _t14,  &_v24, _t21, _t22, __r8, _t24, _t25);
				E00007FF87FF88C30AC78(_t12, _t14, _t12);
				_t5 = E00007FF87FF88C30AF5C(0x7d, __esi, _t12, _t14, _t14, _t22, __r8);
				_t26 =  *0x8c369a70; // 0x0
				if ( *_t26 != 0x40) goto 0x8c30b226;
				 *0x8c369a70 = _t26 + 1;
				return _t5;
			}

0x7ff88c30b1d4
0x7ff88c30b1d4
0x7ff88c30b1d4
0x7ff88c30b1da
0x7ff88c30b1e4
0x7ff88c30b1e7
0x7ff88c30b1eb
0x7ff88c30b1f5
0x7ff88c30b200
0x7ff88c30b20a
0x7ff88c30b20f
0x7ff88c30b21a
0x7ff88c30b21f
0x7ff88c30b22e

APIs

DName::operator+=.LIBCMT ref: 00007FF88C30B1EB

Part of subcall function 00007FF88C30AFE0: DName::operator=.LIBCMT ref: 00007FF88C30B00B

Part of subcall function 00007FF88C30E6CC: DName::DName.LIBCMT ref: 00007FF88C30E74C
Part of subcall function 00007FF88C30E6CC: DName::operator+=.LIBCMT ref: 00007FF88C30E760
Part of subcall function 00007FF88C30E6CC: DName::DName.LIBCMT ref: 00007FF88C30E77B
Part of subcall function 00007FF88C30E6CC: DName::operator+=.LIBCMT ref: 00007FF88C30E791
Part of subcall function 00007FF88C30E6CC: DName::DName.LIBCMT ref: 00007FF88C30E7FE
Part of subcall function 00007FF88C30E6CC: DName::operator+=.LIBCMT ref: 00007FF88C30E816
Part of subcall function 00007FF88C30E6CC: DName::operator+=.LIBCMT ref: 00007FF88C30E82C
Part of subcall function 00007FF88C30E6CC: DName::operator+=.LIBCMT ref: 00007FF88C30E842
Part of subcall function 00007FF88C30E6CC: UnDecorator::getZName.LIBCMT ref: 00007FF88C30E860

DName::operator+=.LIBCMT ref: 00007FF88C30B200
DName::operator+=.LIBCMT ref: 00007FF88C30B20A

Part of subcall function 00007FF88C30AF5C: DName::doPchar.LIBCMT ref: 00007FF88C30AF9A

Strings

{for , xrefs: 00007FF88C30B1DD

Memory Dump Source

Source File: 00000000.00000002.323590886.00007FF88C301000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF88C300000, based on PE: true

Associated: 00000000.00000002.323573707.00007FF88C300000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323655700.00007FF88C322000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323798879.00007FF88C367000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323812343.00007FF88C36A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323824687.00007FF88C36C000.00000010.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323839114.00007FF88C36D000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff88c300000_loaddll64.jbxd

Similarity

API ID: Name::operator+=$Name$Name::$Decorator::getName::doName::operator=Pchar
String ID: {for
API String ID: 1290961062-864106941
Opcode ID: 26711504c110b420eeea02d5d788ca6692a628dbfd78d0615118f93bdd6e123f
Instruction ID: e8c0772ed112d9f17c4621ce53d23f2474c3e537b441919536f666a4c748e577
Opcode Fuzzy Hash: 26711504c110b420eeea02d5d788ca6692a628dbfd78d0615118f93bdd6e123f
Instruction Fuzzy Hash: E7F03796E5874A50EA01EB61EC0587863507F577C4F449430DE4E4A25ADF3CA593C304

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF88C306ED0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 17libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(?,?,000000FF,00007FF88C306F19,?,?,00000000,00007FF88C30962E,?,?,?,00007FF88C3096FB), ref: 00007FF88C306EDF
GetProcAddress.KERNEL32(?,?,000000FF,00007FF88C306F19,?,?,00000000,00007FF88C30962E,?,?,?,00007FF88C3096FB), ref: 00007FF88C306EF4

Strings

mscoree.dll, xrefs: 00007FF88C306ED8
CorExitProcess, xrefs: 00007FF88C306EEA

Memory Dump Source

Source File: 00000000.00000002.323590886.00007FF88C301000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF88C300000, based on PE: true

Associated: 00000000.00000002.323573707.00007FF88C300000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323655700.00007FF88C322000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323798879.00007FF88C367000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323812343.00007FF88C36A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323824687.00007FF88C36C000.00000010.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323839114.00007FF88C36D000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff88c300000_loaddll64.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 1646373207-1276376045
Opcode ID: 66ac55ddac3b015a9f28852b454fc3581cf5d3fbe873153d3e3725eb55b56a6e
Instruction ID: e03b18b7336984160a96bf2fcd839d33523433e924941c47c300c94b994c7b8f
Opcode Fuzzy Hash: 66ac55ddac3b015a9f28852b454fc3581cf5d3fbe873153d3e3725eb55b56a6e
Instruction Fuzzy Hash: CCE01211F1970341FF199BA1EC4497413E0BF4ABA2F885038C92E16399DF2DA69BC350

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF88C306B9C Relevance: 6.2, APIs: 4, Instructions: 195
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 79%

			E00007FF87FF88C306B9C(void* __eflags, signed long long __rax, long long __rbx, void* __rcx, long long __rdx, long long* __r8, long long _a8, long long _a16, signed int _a40) {
				char _v64;
				intOrPtr _v72;
				char _v88;
				void* _t41;
				signed short _t65;
				signed short _t67;
				void* _t100;
				signed int _t106;
				signed long long _t117;
				signed long long _t118;
				signed short* _t122;
				signed short* _t124;
				signed long long _t139;
				void* _t140;
				void* _t145;
				long long _t154;
				signed long long _t155;

				_t117 = __rax;
				_a8 = __rbx;
				_a16 = __rdx;
				r12d = r9d;
				E00007FF87FF88C306AE4(__rax,  &_v88, __rcx);
				r15d = 0;
				if (__r8 == 0) goto 0x8c306bd7;
				 *__r8 = __rdx;
				if (__rdx != 0) goto 0x8c306bf1;
				E00007FF87FF88C307698(_t117);
				 *_t117 = 0x16;
				E00007FF87FF88C309444();
				goto 0x8c306df0;
				if (r12d == 0) goto 0x8c306c02;
				if (r12d - 2 < 0) goto 0x8c306bdc;
				if (r12d - 0x24 > 0) goto 0x8c306bdc;
				_t139 = _t155;
				_t122 = __rdx + 2;
				goto 0x8c306c1b;
				_t65 =  *_t122 & 0x0000ffff;
				_t123 =  &(_t122[1]);
				if (E00007FF87FF88C31064C(_t65 & 0x0000ffff, 8,  &_v88) != 0) goto 0x8c306c14;
				if (_t65 != 0x2d) goto 0x8c306c3b;
				goto 0x8c306c41;
				if (_t65 != 0x2b) goto 0x8c306c48;
				_t124 =  &(_t122[2]);
				if (r12d < 0) goto 0x8c306de7;
				if (r12d == 1) goto 0x8c306de7;
				if (r12d - 0x24 > 0) goto 0x8c306de7;
				if (r12d != 0) goto 0x8c306c98;
				if (E00007FF87FF88C3104B4( *_t123 & 0xffff) == 0) goto 0x8c306c7e;
				r12d = 0xa;
				goto 0x8c306cbe;
				if ( *_t124 == 0x78) goto 0x8c306c92;
				if ( *_t124 == 0x58) goto 0x8c306c92;
				r12d = 8;
				goto 0x8c306cbe;
				r12d = 0x10;
				if (r12d != 0x10) goto 0x8c306cbe;
				if (E00007FF87FF88C3104B4( *_t123 & 0xffff) != 0) goto 0x8c306cbe;
				if ( *_t124 == 0x78) goto 0x8c306cb6;
				if ( *_t124 != 0x58) goto 0x8c306cbe;
				_t67 = _t124[1] & 0x0000ffff;
				_t118 = _t117 | 0xffffffff;
				_t41 = E00007FF87FF88C3104B4(_t67 & 0x0000ffff);
				r11d = _t41;
				if (_t41 != 0xffffffff) goto 0x8c306d0c;
				if (0x41 - _t67 > 0) goto 0x8c306cf0;
				if (_t67 - 0x5a <= 0) goto 0x8c306cf9;
				if (_t145 - 0x61 - 0x19 > 0) goto 0x8c306d2b;
				if (_t145 - 0x61 - 0x19 > 0) goto 0x8c306d08;
				r11d = _t118 - 0x37;
				if (r11d - r12d >= 0) goto 0x8c306d2b;
				_t100 = _t139 - _t118;
				if (_t100 < 0) goto 0x8c306d48;
				if (_t100 != 0) goto 0x8c306d23;
				if (_t118 - __rcx <= 0) goto 0x8c306d48;
				if (__r8 != 0) goto 0x8c306d55;
				_t154 = _a16;
				if ((bpl & 0x00000008) != 0) goto 0x8c306d61;
				_t127 =  !=  ? _t154 :  &(_t124[2]) - 2;
				goto 0x8c306dbd;
				_t140 = _t139 + r12d * _t139;
				goto 0x8c306cd0;
				if ((bpl & 0x00000004) != 0) goto 0x8c306d96;
				_t106 = bpl & 0x00000001;
				if (_t106 != 0) goto 0x8c306dbd;
				if (_t106 == 0) goto 0x8c306d8d;
				if (_t140 - 0 > 0) goto 0x8c306d96;
				if (((_a40 | 0xe) & 0x00000002) != 0) goto 0x8c306dbd;
				if (_t140 - 0xffffffff <= 0) goto 0x8c306dbd;
				E00007FF87FF88C307698(_t118);
				 *_t118 = 0x22;
				if ((bpl & 0x00000001) == 0) goto 0x8c306dad;
				goto 0x8c306dbd;
				asm("dec eax");
				if (__r8 == 0) goto 0x8c306dc6;
				 *__r8 = ( !=  ? _t154 :  &(_t124[2]) - 2) + 2;
				if ((bpl & 0x00000002) == 0) goto 0x8c306dcf;
				if (_v64 == 0) goto 0x8c306de2;
				 *(_v72 + 0xc8) =  *(_v72 + 0xc8) & 0xfffffffd;
				goto 0x8c306e05;
				if (__r8 == 0) goto 0x8c306df0;
				 *__r8 = _t154;
				if (_v64 == r15b) goto 0x8c306e03;
				 *(_v72 + 0xc8) =  *(_v72 + 0xc8) & 0xfffffffd;
				return 0;
			}

0x7ff88c306b9c
0x7ff88c306b9c
0x7ff88c306ba1
0x7ff88c306bc0
0x7ff88c306bc6
0x7ff88c306bcb
0x7ff88c306bd1
0x7ff88c306bd3
0x7ff88c306bda
0x7ff88c306bdc
0x7ff88c306be1
0x7ff88c306be7
0x7ff88c306bec
0x7ff88c306bf4
0x7ff88c306bfa
0x7ff88c306c00
0x7ff88c306c06
0x7ff88c306c09
0x7ff88c306c12
0x7ff88c306c14
0x7ff88c306c17
0x7ff88c306c27
0x7ff88c306c34
0x7ff88c306c39
0x7ff88c306c3f
0x7ff88c306c44
0x7ff88c306c4b
0x7ff88c306c55
0x7ff88c306c5f
0x7ff88c306c68
0x7ff88c306c74
0x7ff88c306c76
0x7ff88c306c7c
0x7ff88c306c82
0x7ff88c306c88
0x7ff88c306c8a
0x7ff88c306c90
0x7ff88c306c92
0x7ff88c306c9c
0x7ff88c306ca8
0x7ff88c306cae
0x7ff88c306cb4
0x7ff88c306cb6
0x7ff88c306cc3
0x7ff88c306cd3
0x7ff88c306cd8
0x7ff88c306cde
0x7ff88c306ce8
0x7ff88c306cee
0x7ff88c306cf7
0x7ff88c306d03
0x7ff88c306d08
0x7ff88c306d0f
0x7ff88c306d14
0x7ff88c306d17
0x7ff88c306d19
0x7ff88c306d21
0x7ff88c306d29
0x7ff88c306d2b
0x7ff88c306d3b
0x7ff88c306d40
0x7ff88c306d46
0x7ff88c306d52
0x7ff88c306d5c
0x7ff88c306d6f
0x7ff88c306d71
0x7ff88c306d75
0x7ff88c306d7c
0x7ff88c306d8b
0x7ff88c306d8f
0x7ff88c306d94
0x7ff88c306d96
0x7ff88c306d9b
0x7ff88c306da5
0x7ff88c306dab
0x7ff88c306db4
0x7ff88c306dc0
0x7ff88c306dc2
0x7ff88c306dca
0x7ff88c306dd4
0x7ff88c306ddb
0x7ff88c306de5
0x7ff88c306dea
0x7ff88c306dec
0x7ff88c306df5
0x7ff88c306dfc
0x7ff88c306e1c

APIs

Part of subcall function 00007FF88C306AE4: _getptd.LIBCMT ref: 00007FF88C306AF6

_errno.LIBCMT ref: 00007FF88C306BDC
_invalid_parameter_noinfo.LIBCMT ref: 00007FF88C306BE7
iswctype.LIBCMT ref: 00007FF88C306C20
_errno.LIBCMT ref: 00007FF88C306D96

Memory Dump Source

Source File: 00000000.00000002.323590886.00007FF88C301000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF88C300000, based on PE: true

Associated: 00000000.00000002.323573707.00007FF88C300000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323655700.00007FF88C322000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323798879.00007FF88C367000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323812343.00007FF88C36A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323824687.00007FF88C36C000.00000010.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323839114.00007FF88C36D000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff88c300000_loaddll64.jbxd

Similarity

API ID: _errno$_getptd_invalid_parameter_noinfoiswctype
String ID:
API String ID: 2104083562-0
Opcode ID: af032c57f517698ef8f18db5f09aed04e3dcf08fc8bf4856ebadedf53158825d
Instruction ID: 95fad1dd8c28747a9e101f8e9bb938ed5f2202c09fa4273469386f0b58cebf2c
Opcode Fuzzy Hash: af032c57f517698ef8f18db5f09aed04e3dcf08fc8bf4856ebadedf53158825d
Instruction Fuzzy Hash: D261D313E0825241FBB5EA95D506B7A21E1BF42BE4F144231DE6E066CDEF6CEA86C301

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF88C30E43C Relevance: 6.2, APIs: 4, Instructions: 169
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 62%

			E00007FF87FF88C30E43C(void* __esi, void* __eflags, long long __rbx, signed long long* __rcx, void* __rdx, void* __rdi, long long __rsi, void* __r8, void* __r10, void* __r11, long long _a8, signed int _a16, signed int _a24, long long _a32) {
				char _v24;
				signed int _v32;
				signed long long _v40;
				unsigned int _v48;
				char _v56;
				signed int _t47;
				void* _t61;
				void* _t62;
				signed int _t74;
				void* _t76;
				signed int _t79;
				signed int _t80;
				long long _t87;
				void* _t105;
				intOrPtr* _t106;
				intOrPtr* _t107;
				long long _t109;
				long long _t110;
				char* _t111;
				char* _t112;
				char* _t113;
				signed long long* _t116;
				void* _t146;
				void* _t147;

				_t146 = __r11;
				_t145 = __r10;
				_t144 = __r8;
				_t138 = __rsi;
				_t137 = __rdi;
				_t131 = __rdx;
				_t77 = __esi;
				_a8 = __rbx;
				_a32 = __rsi;
				_t47 =  *0x8c369a8c; // 0x0
				_t116 = __rcx;
				asm("bt eax, 0xd");
				if (__eflags >= 0) goto 0x8c30e487;
				asm("btr eax, 0xd");
				 *0x8c369a8c = _t47;
				E00007FF87FF88C31027C(_t61, _t62, 0, _t76, __esi, __eflags, _t105, __rcx,  &_v24, __rdx, __rdi, __rsi, __r8, __r10, _t147);
				asm("bts dword [0x5b612], 0xd");
				asm("movups xmm0, [ebp-0x10]");
				asm("movdqu [ebx], xmm0");
				goto 0x8c30e6b6;
				_t106 =  *0x8c369a70; // 0x0
				if ( *_t106 != 0x3f) goto 0x8c30e6a5;
				_t107 = _t106 + 1;
				 *0x8c369a70 = _t107;
				if ( *_t107 != 0x3f) goto 0x8c30e4f7;
				if ( *((intOrPtr*)(_t107 + 1)) != 0x3f) goto 0x8c30e4d2;
				E00007FF87FF88C30E43C(__esi,  *((intOrPtr*)(_t107 + 1)) - 0x3f, _t116,  &_v24, _t131, __rdi, __rsi, __r8, __r10, _t146);
				_t109 =  *0x8c369a70; // 0x0
				goto 0x8c30e4cb;
				_t110 = _t109 + 1;
				 *0x8c369a70 = _t110;
				if ( *_t110 != 0) goto 0x8c30e4c1;
				goto 0x8c30e47a;
				if ( *_t110 != 0x24) goto 0x8c30e4e4;
				E00007FF87FF88C30CF0C( *_t106, 1, _t116,  &_v56, _t131, __rdi, _t138, __r10, _t146);
				goto 0x8c30e505;
				r8d = 0;
				 *0x8c369a70 = _t110;
				E00007FF87FF88C30C7D0(0, _t116,  &_v56, _t137, _t138, _t144, __r10, _t146);
				goto 0x8c30e505;
				r8d = 0;
				E00007FF87FF88C30D0E0( *_t106, 1, _t77, _t116,  &_v56, _t137, _t138, _t144, __r10, _t146);
				_t87 = _v56;
				if (_t87 == 0) goto 0x8c30e51e;
				asm("bt esi, 0x9");
				if (_t87 >= 0) goto 0x8c30e51e;
				_a24 = 1;
				goto 0x8c30e522;
				_a24 = _a24 & 0x00000000;
				_a16 = _v48 >> 0x0000000f & 0x00000001;
				if (_v48 - 1 <= 0) goto 0x8c30e53c;
				asm("movaps xmm0, [ebp-0x30]");
				goto 0x8c30e47e;
				_t111 =  *0x8c369a70; // 0x0
				if ( *_t111 == 0) goto 0x8c30e5fd;
				if ( *_t111 == 0x40) goto 0x8c30e5fd;
				E00007FF87FF88C30E6CC(1, _v48, _t116,  &_v40, _t137, _t138, _t144, _t145, _t146);
				if (_v40 == 0) goto 0x8c30e5fa;
				if ( *0x8c369a98 == 0) goto 0x8c30e5c3;
				asm("movaps xmm0, [ebp-0x30]");
				 *0x8c369a98 = 0;
				asm("movdqa [ebp-0x10], xmm0");
				E00007FF87FF88C30AC78(_t111,  &_v24,  &_v40);
				_t112 =  *0x8c369a70; // 0x0
				asm("movaps xmm5, [ebp-0x10]");
				asm("movdqa [ebp-0x30], xmm5");
				if ( *_t112 == 0x40) goto 0x8c30e5f7;
				E00007FF87FF88C30E6CC(1, _v48, _t116,  &_v24, _t137, _t138, _t144, _t145, _t146);
				asm("movups xmm0, [eax]");
				asm("movdqu [ebp-0x20], xmm0");
				asm("movups xmm1, [eax]");
				asm("movdqu [ebp-0x10], xmm1");
				goto 0x8c30e5cc;
				asm("movaps xmm0, [ebp-0x20]");
				asm("movdqa [ebp-0x10], xmm0");
				E00007FF87FF88C30AFE0(_v48 >> 0x0000000f & 0x00000001, _v48, _t112, _t116,  &_v24, "::", _t138, _t144);
				asm("movaps xmm5, [ebp-0x10]");
				asm("movdqa [ebp-0x10], xmm5");
				E00007FF87FF88C30AC78(_t112,  &_v24,  &_v56);
				asm("movaps xmm5, [ebp-0x10]");
				asm("movdqa [ebp-0x30], xmm5");
				_t79 = _v48;
				_t74 = _a24;
				if (_t74 == 0) goto 0x8c30e612;
				if (_v56 == 0) goto 0x8c30e612;
				asm("bts esi, 0x9");
				_v48 = _t79;
				r8d = 0x8000;
				if (_a16 == 0) goto 0x8c30e622;
				_t80 = _t79 | r8d;
				_v48 = _t80;
				if (_v56 == 0) goto 0x8c30e533;
				if ((0x00001000 & _t80) != 0) goto 0x8c30e533;
				_t113 =  *0x8c369a70; // 0x0
				if ( *_t113 == 0) goto 0x8c30e663;
				if ( *_t113 == 0x40) goto 0x8c30e65c;
				_t116[1] = _t116[1] & 0xffff00ff;
				 *_t116 =  *_t116 & 0x00000000;
				_t116[1] = 2;
				goto 0x8c30e6b6;
				 *0x8c369a70 =  *0x8c369a70 + 1;
				if (( *0x8c369a8c & 0x00001000) == 0) goto 0x8c30e697;
				if (_t74 != 0) goto 0x8c30e697;
				if ((r8d & _t80) != 0) goto 0x8c30e697;
				_v40 = _v40 & 0x00000000;
				_v32 = _v32 & 0xffff0000;
				E00007FF87FF88C30D720(_t116,  &_v24,  &_v40, _t144, _t145, _t146);
				asm("movaps xmm5, [ebp-0x30]");
				asm("movdqu [ebx], xmm5");
				goto 0x8c30e6b6;
				E00007FF87FF88C30D720(_t116, _t116,  &_v56, _t144, _t145, _t146);
				goto 0x8c30e6b6;
				if (0x1000 != 0) goto 0x8c30e64b;
				return E00007FF87FF88C30A490(1, _t113, _t116);
			}

0x7ff88c30e43c
0x7ff88c30e43c
0x7ff88c30e43c
0x7ff88c30e43c
0x7ff88c30e43c
0x7ff88c30e43c
0x7ff88c30e43c
0x7ff88c30e43c
0x7ff88c30e441
0x7ff88c30e44e
0x7ff88c30e454
0x7ff88c30e457
0x7ff88c30e45b
0x7ff88c30e45d
0x7ff88c30e467
0x7ff88c30e46d
0x7ff88c30e472
0x7ff88c30e47a
0x7ff88c30e47e
0x7ff88c30e482
0x7ff88c30e487
0x7ff88c30e494
0x7ff88c30e49a
0x7ff88c30e49d
0x7ff88c30e4a6
0x7ff88c30e4ad
0x7ff88c30e4b3
0x7ff88c30e4b8
0x7ff88c30e4bf
0x7ff88c30e4c1
0x7ff88c30e4c4
0x7ff88c30e4ce
0x7ff88c30e4d0
0x7ff88c30e4d9
0x7ff88c30e4dd
0x7ff88c30e4e2
0x7ff88c30e4e4
0x7ff88c30e4e9
0x7ff88c30e4f0
0x7ff88c30e4f5
0x7ff88c30e4fb
0x7ff88c30e500
0x7ff88c30e505
0x7ff88c30e50d
0x7ff88c30e50f
0x7ff88c30e513
0x7ff88c30e515
0x7ff88c30e51c
0x7ff88c30e51e
0x7ff88c30e52e
0x7ff88c30e531
0x7ff88c30e533
0x7ff88c30e537
0x7ff88c30e53c
0x7ff88c30e546
0x7ff88c30e54f
0x7ff88c30e559
0x7ff88c30e563
0x7ff88c30e574
0x7ff88c30e576
0x7ff88c30e57e
0x7ff88c30e585
0x7ff88c30e58a
0x7ff88c30e58f
0x7ff88c30e596
0x7ff88c30e59d
0x7ff88c30e5a2
0x7ff88c30e5a8
0x7ff88c30e5b1
0x7ff88c30e5b4
0x7ff88c30e5b9
0x7ff88c30e5bc
0x7ff88c30e5c1
0x7ff88c30e5c3
0x7ff88c30e5c7
0x7ff88c30e5d3
0x7ff88c30e5e0
0x7ff88c30e5e4
0x7ff88c30e5e9
0x7ff88c30e5ee
0x7ff88c30e5f2
0x7ff88c30e5f7
0x7ff88c30e5fd
0x7ff88c30e602
0x7ff88c30e609
0x7ff88c30e60b
0x7ff88c30e60f
0x7ff88c30e612
0x7ff88c30e61a
0x7ff88c30e61c
0x7ff88c30e61f
0x7ff88c30e627
0x7ff88c30e634
0x7ff88c30e63a
0x7ff88c30e644
0x7ff88c30e649
0x7ff88c30e64b
0x7ff88c30e652
0x7ff88c30e656
0x7ff88c30e65a
0x7ff88c30e65c
0x7ff88c30e669
0x7ff88c30e66d
0x7ff88c30e672
0x7ff88c30e674
0x7ff88c30e679
0x7ff88c30e688
0x7ff88c30e68d
0x7ff88c30e691
0x7ff88c30e695
0x7ff88c30e69e
0x7ff88c30e6a3
0x7ff88c30e6a7
0x7ff88c30e6c8

APIs

UnDecorator::getZName.LIBCMT ref: 00007FF88C30E500
DName::operator+=.LIBCMT ref: 00007FF88C30E58A
DName::operator+=.LIBCMT ref: 00007FF88C30E5D3
DName::operator+=.LIBCMT ref: 00007FF88C30E5E9

Memory Dump Source

Source File: 00000000.00000002.323590886.00007FF88C301000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF88C300000, based on PE: true

Associated: 00000000.00000002.323573707.00007FF88C300000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323655700.00007FF88C322000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323798879.00007FF88C367000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323812343.00007FF88C36A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323824687.00007FF88C36C000.00000010.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323839114.00007FF88C36D000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff88c300000_loaddll64.jbxd

Similarity

API ID: Name::operator+=$Decorator::getName
String ID:
API String ID: 3826463593-0
Opcode ID: 21c3e6f6eb3fdf3c1a5089ebda31f20f98ff603de8859b3de623c28833d96c97
Instruction ID: 735a8272645b63fbd0d5f753ac04b964c41a6ac3dcd5b7c2be5eff790317b74b
Opcode Fuzzy Hash: 21c3e6f6eb3fdf3c1a5089ebda31f20f98ff603de8859b3de623c28833d96c97
Instruction Fuzzy Hash: F581CF63F1876688FB118BB4E841BBC67B0BB56788F444935DA8E16A9DDF3CA442C740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF88C3068D4 Relevance: 6.2, APIs: 4, Instructions: 166
COMMON

Download Yara Rule

C-Code - Quality: 73%

			E00007FF87FF88C3068D4(intOrPtr* __rax, long long __rbx, long long __rcx, long long* __rdx, long long _a8, long long _a24) {
				signed int _t29;
				signed int _t30;
				void* _t38;
				signed int _t56;
				signed short _t62;
				signed short _t64;
				void* _t93;
				signed int _t99;
				intOrPtr* _t106;
				signed short* _t108;
				signed short* _t109;
				signed short* _t110;
				void* _t118;
				void* _t119;
				long long* _t123;

				_t106 = __rax;
				_a24 = __rbx;
				_a8 = __rcx;
				r12d = r8d;
				_t123 = __rdx;
				if (__rdx == 0) goto 0x8c3068fe;
				 *__rdx = __rcx;
				if (__rcx != 0) goto 0x8c30691a;
				E00007FF87FF88C307698(__rax);
				 *__rax = 0x16;
				E00007FF87FF88C309444();
				goto 0x8c306aa7;
				if (r8d == 0) goto 0x8c30692b;
				if (r8d - 2 < 0) goto 0x8c306903;
				if (r8d - 0x24 > 0) goto 0x8c306903;
				_t108 = __rcx + 2;
				_t4 = _t118 + 8; // 0x8
				r15d = _t4;
				goto 0x8c306941;
				_t62 =  *_t108 & 0x0000ffff;
				_t109 =  &(_t108[1]);
				if (E00007FF87FF88C31064C(_t62 & 0x0000ffff, r15d, __rcx) != 0) goto 0x8c30693a;
				if (_t62 != 0x2d) goto 0x8c30695b;
				goto 0x8c306961;
				if (_t62 != 0x2b) goto 0x8c306968;
				_t63 =  *_t109 & 0x0000ffff;
				_t110 =  &(_t109[1]);
				if (r12d != 0) goto 0x8c306998;
				if (E00007FF87FF88C3104B4( *_t109 & 0xffff) == 0) goto 0x8c306981;
				r12d = 0xa;
				goto 0x8c3069be;
				if ( *_t110 == 0x78) goto 0x8c306992;
				if ( *_t110 == 0x58) goto 0x8c306992;
				r12d = r15d;
				goto 0x8c3069be;
				r12d = 0x10;
				if (r12d != 0x10) goto 0x8c3069be;
				_t29 = E00007FF87FF88C3104B4(_t63 & 0x0000ffff);
				if (_t29 != 0) goto 0x8c3069be;
				if ( *_t110 == 0x78) goto 0x8c3069b6;
				if ( *_t110 != 0x58) goto 0x8c3069be;
				_t64 = _t110[1] & 0x0000ffff;
				_t30 = _t29 | 0xffffffff;
				r15d = _t30 / r12d;
				r14d = _t30 % r12d;
				if (E00007FF87FF88C3104B4(_t64 & 0x0000ffff) != 0xffffffff) goto 0x8c306a04;
				if (0x41 - _t64 > 0) goto 0x8c3069e9;
				if (_t64 - 0x5a <= 0) goto 0x8c3069f2;
				if (_t119 - 0x61 - 0x19 > 0) goto 0x8c306a20;
				if (_t119 - 0x61 - 0x19 > 0) goto 0x8c306a01;
				_t38 = (_t64 & 0x0000ffff) - 0x20 + 0xffffffc9;
				if (_t38 - r12d >= 0) goto 0x8c306a20;
				_t93 = 0 - r15d;
				if (_t93 < 0) goto 0x8c306a3a;
				if (_t93 != 0) goto 0x8c306a18;
				if (_t38 - r14d <= 0) goto 0x8c306a3a;
				if (_t123 != 0) goto 0x8c306a40;
				if ((bpl & 0x00000008) != 0) goto 0x8c306a49;
				_t113 =  !=  ? _a8 :  &(_t110[2]) - 2;
				goto 0x8c306a94;
				_t56 = 0 * r12d + _t38;
				goto 0x8c3069cc;
				if ((bpl & 0x00000004) != 0) goto 0x8c306a71;
				_t99 = bpl & 0x00000001;
				if (_t99 != 0) goto 0x8c306a94;
				if (_t99 == 0) goto 0x8c306a69;
				if (_t56 - 0x80000000 > 0) goto 0x8c306a71;
				if (((r9d | 0xe) & 0x00000002) != 0) goto 0x8c306a94;
				if (_t56 - 0x7fffffff <= 0) goto 0x8c306a94;
				E00007FF87FF88C307698(_t106);
				 *_t106 = 0x22;
				if ((bpl & 0x00000001) == 0) goto 0x8c306a87;
				goto 0x8c306a94;
				asm("sbb edi, edi");
				if (_t123 == 0) goto 0x8c306a9d;
				 *_t123 = ( !=  ? _a8 :  &(_t110[2]) - 2) + 2;
				if ((bpl & 0x00000002) == 0) goto 0x8c306aa5;
				return  ~( ~(_t56 | 0xffffffff) + 0x7fffffff);
			}

0x7ff88c3068d4
0x7ff88c3068d4
0x7ff88c3068d9
0x7ff88c3068f0
0x7ff88c3068f3
0x7ff88c3068f9
0x7ff88c3068fb
0x7ff88c306901
0x7ff88c306903
0x7ff88c306908
0x7ff88c30690e
0x7ff88c306915
0x7ff88c30691d
0x7ff88c306923
0x7ff88c306929
0x7ff88c306930
0x7ff88c306934
0x7ff88c306934
0x7ff88c306938
0x7ff88c30693a
0x7ff88c30693d
0x7ff88c30694e
0x7ff88c306954
0x7ff88c306959
0x7ff88c30695f
0x7ff88c306961
0x7ff88c306964
0x7ff88c30696b
0x7ff88c306977
0x7ff88c306979
0x7ff88c30697f
0x7ff88c306985
0x7ff88c30698b
0x7ff88c30698d
0x7ff88c306990
0x7ff88c306992
0x7ff88c30699c
0x7ff88c3069a1
0x7ff88c3069a8
0x7ff88c3069ae
0x7ff88c3069b4
0x7ff88c3069b6
0x7ff88c3069c0
0x7ff88c3069c6
0x7ff88c3069c9
0x7ff88c3069d7
0x7ff88c3069e1
0x7ff88c3069e7
0x7ff88c3069f0
0x7ff88c3069fc
0x7ff88c306a01
0x7ff88c306a07
0x7ff88c306a0c
0x7ff88c306a0f
0x7ff88c306a11
0x7ff88c306a16
0x7ff88c306a1e
0x7ff88c306a2d
0x7ff88c306a32
0x7ff88c306a38
0x7ff88c306a3e
0x7ff88c306a47
0x7ff88c306a52
0x7ff88c306a54
0x7ff88c306a58
0x7ff88c306a5f
0x7ff88c306a67
0x7ff88c306a6b
0x7ff88c306a6f
0x7ff88c306a71
0x7ff88c306a76
0x7ff88c306a80
0x7ff88c306a85
0x7ff88c306a8e
0x7ff88c306a97
0x7ff88c306a99
0x7ff88c306aa1
0x7ff88c306abb

APIs

_errno.LIBCMT ref: 00007FF88C306903
_invalid_parameter_noinfo.LIBCMT ref: 00007FF88C30690E
iswctype.LIBCMT ref: 00007FF88C306947
_errno.LIBCMT ref: 00007FF88C306A71

Memory Dump Source

Source File: 00000000.00000002.323590886.00007FF88C301000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF88C300000, based on PE: true

Associated: 00000000.00000002.323573707.00007FF88C300000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323655700.00007FF88C322000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323798879.00007FF88C367000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323812343.00007FF88C36A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323824687.00007FF88C36C000.00000010.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323839114.00007FF88C36D000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff88c300000_loaddll64.jbxd

Similarity

API ID: _errno$_invalid_parameter_noinfoiswctype
String ID:
API String ID: 248606491-0
Opcode ID: abaaa9a80eb7cca7b31992979574e0795be7e9ce20ef753e96028a1c82d6f166
Instruction ID: 5bca7ac5e92f7dd8b3104a469bc5f3c5d38dd1467fe2147a4a1bd3bc3c9c092e
Opcode Fuzzy Hash: abaaa9a80eb7cca7b31992979574e0795be7e9ce20ef753e96028a1c82d6f166
Instruction Fuzzy Hash: 2351E193D4895344FB74A6A9C802B7A21E4BF427D4F258132DE9A425CDEE3CFA83C711

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF88C3128B4 Relevance: 6.2, APIs: 4, Instructions: 159
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 40%

			E00007FF87FF88C3128B4(void* __ecx, void* __eflags, long* __rax, long long __rbx, void* __rdx, long long __rsi, void* __rbp, intOrPtr _a8, long long _a16, long long _a24) {
				signed long long _v48;
				intOrPtr _v56;
				intOrPtr _t38;
				void* _t40;
				void* _t41;
				intOrPtr _t46;
				intOrPtr _t61;
				long* _t89;
				long long* _t95;
				long long _t96;
				intOrPtr _t101;
				intOrPtr _t102;
				void* _t103;
				intOrPtr _t108;
				long* _t110;
				signed long long _t116;
				long long* _t123;
				signed long long _t125;

				_t97 = __rbx;
				_t89 = __rax;
				_a16 = __rbx;
				_a24 = __rsi;
				_t41 = __ecx;
				_a8 = 0;
				if (__eflags == 0) goto 0x8c3129a5;
				if (__eflags == 0) goto 0x8c312947;
				if (__eflags == 0) goto 0x8c312937;
				if (__eflags == 0) goto 0x8c312947;
				if (__eflags == 0) goto 0x8c312947;
				if (__eflags == 0) goto 0x8c312927;
				if (__eflags == 0) goto 0x8c312914;
				if (__eflags == 0) goto 0x8c312937;
				E00007FF87FF88C307698(__rax);
				 *((intOrPtr*)(__rax)) = 0x16;
				E00007FF87FF88C309444();
				goto 0x8c312954;
				goto 0x8c3129b3;
				goto 0x8c3129b3;
				_t101 =  *0x8c369b28; // 0x4864f1588000
				goto 0x8c3129b3;
				E00007FF87FF88C307ED8(__rax, __rbx, _t101, __rdx, __rsi, __rbp);
				_t110 = _t89;
				if (_t89 != 0) goto 0x8c31295c;
				goto 0x8c312ace;
				_t108 =  *((intOrPtr*)(_t89 + 0xa0));
				_t102 = _t108;
				_t116 =  *0x8c3233fc;
				if ( *((intOrPtr*)(_t102 + 4)) == _t41) goto 0x8c312985;
				_t103 = _t102 + 0x10;
				if (_t103 - (_t116 << 4) + _t108 < 0) goto 0x8c31296d;
				_t95 = (_t116 << 4) + _t108;
				if (_t103 - _t95 >= 0) goto 0x8c312999;
				if ( *((intOrPtr*)(_t103 + 4)) == _t41) goto 0x8c31299b;
				goto 0x8c3129c5;
				_a8 = 1;
				__imp__DecodePointer();
				_t123 = _t95;
				if (_t123 != 1) goto 0x8c3129d2;
				goto 0x8c312ace;
				if (_t123 != 0) goto 0x8c3129e1;
				E00007FF87FF88C3072AC(_t97, _t108, _t116);
				asm("int3");
				if (1 == 0) goto 0x8c3129ed;
				E00007FF87FF88C3096D8();
				if (_t41 == 8) goto 0x8c312a03;
				if (_t41 == 0xb) goto 0x8c312a03;
				if (_t41 == 4) goto 0x8c312a03;
				goto 0x8c312a2f;
				_t125 =  *(_t110 + 0xa8);
				_v48 = _t125;
				 *(_t110 + 0xa8) =  *(_t110 + 0xa8) & 0x00000000;
				if (_t41 != 8) goto 0x8c312a2f;
				r14d =  *((intOrPtr*)(_t110 + 0xb0));
				 *((intOrPtr*)(_t110 + 0xb0)) = 0x8c;
				goto 0x8c312a34;
				r14d = _a8;
				if (_t41 != 8) goto 0x8c312a72;
				_t46 =  *0x8c3233f0; // 0x3
				_t61 = _t46;
				_v56 = _t46;
				_t38 =  *0x8c3233f4; // 0x9
				if (_t61 - _t46 + _t38 >= 0) goto 0x8c312a7b;
				_t96 =  *((intOrPtr*)(_t110 + 0xa0));
				 *(_t96 + 8 + (_t61 + _t61) * 8) =  *(_t96 + 8 + (_t61 + _t61) * 8) & 0x00000000;
				_v56 = _t61 + 1;
				goto 0x8c312a45;
				E00007FF87FF88C307DD0();
				 *0x8c369b18 = _t96;
				if (1 == 0) goto 0x8c312a86;
				E00007FF87FF88C3095B8();
				if (_t41 != 8) goto 0x8c312a9c;
				 *_t123();
				goto 0x8c312aa1;
				_t40 =  *_t123();
				if (_t41 == 8) goto 0x8c312ab3;
				if (_t41 == 0xb) goto 0x8c312ab3;
				if (_t41 != 4) goto 0x8c3129cb;
				 *(_t110 + 0xa8) = _t125;
				if (_t41 != 8) goto 0x8c3129cb;
				 *((intOrPtr*)(_t110 + 0xb0)) = r14d;
				goto 0x8c3129cb;
				return _t40;
			}

0x7ff88c3128b4
0x7ff88c3128b4
0x7ff88c3128b4
0x7ff88c3128b9
0x7ff88c3128cb
0x7ff88c3128cf
0x7ff88c3128da
0x7ff88c3128e3
0x7ff88c3128e8
0x7ff88c3128ed
0x7ff88c3128f2
0x7ff88c3128f7
0x7ff88c3128fc
0x7ff88c312900
0x7ff88c312902
0x7ff88c312907
0x7ff88c31290d
0x7ff88c312912
0x7ff88c312922
0x7ff88c312935
0x7ff88c31293e
0x7ff88c312945
0x7ff88c312947
0x7ff88c31294c
0x7ff88c312952
0x7ff88c312957
0x7ff88c31295c
0x7ff88c312963
0x7ff88c312966
0x7ff88c312970
0x7ff88c312972
0x7ff88c312983
0x7ff88c31298c
0x7ff88c312992
0x7ff88c312997
0x7ff88c3129a3
0x7ff88c3129b8
0x7ff88c3129bc
0x7ff88c3129c2
0x7ff88c3129c9
0x7ff88c3129cd
0x7ff88c3129d5
0x7ff88c3129db
0x7ff88c3129e0
0x7ff88c3129e3
0x7ff88c3129e7
0x7ff88c3129f0
0x7ff88c3129f5
0x7ff88c3129fa
0x7ff88c312a01
0x7ff88c312a03
0x7ff88c312a0a
0x7ff88c312a0f
0x7ff88c312a1a
0x7ff88c312a1c
0x7ff88c312a23
0x7ff88c312a2d
0x7ff88c312a2f
0x7ff88c312a37
0x7ff88c312a39
0x7ff88c312a3f
0x7ff88c312a41
0x7ff88c312a45
0x7ff88c312a4f
0x7ff88c312a57
0x7ff88c312a5e
0x7ff88c312a66
0x7ff88c312a70
0x7ff88c312a72
0x7ff88c312a77
0x7ff88c312a7d
0x7ff88c312a81
0x7ff88c312a8d
0x7ff88c312a97
0x7ff88c312a9a
0x7ff88c312a9e
0x7ff88c312aa3
0x7ff88c312aa8
0x7ff88c312aad
0x7ff88c312ab3
0x7ff88c312abc
0x7ff88c312ac2
0x7ff88c312ac9
0x7ff88c312ae5

APIs

_errno.LIBCMT ref: 00007FF88C312902
_invalid_parameter_noinfo.LIBCMT ref: 00007FF88C31290D
DecodePointer.KERNEL32(?,?,?,?,?,00007FF88C31842C,?,?,?,?,00007FF88C31245E), ref: 00007FF88C3129BC
_lock.LIBCMT ref: 00007FF88C3129E7

Memory Dump Source

Source File: 00000000.00000002.323590886.00007FF88C301000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF88C300000, based on PE: true

Associated: 00000000.00000002.323573707.00007FF88C300000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323655700.00007FF88C322000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323798879.00007FF88C367000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323812343.00007FF88C36A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323824687.00007FF88C36C000.00000010.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323839114.00007FF88C36D000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff88c300000_loaddll64.jbxd

Similarity

API ID: DecodePointer_errno_invalid_parameter_noinfo_lock
String ID:
API String ID: 27599310-0
Opcode ID: c11d4c9705c64b78f327aaf77e961155e27d671e8fba546a7906370b916f6901
Instruction ID: 0ad51b162feb0a22c6deb696e1f6f305a7cec32de432f88c48d446b85b01444d
Opcode Fuzzy Hash: c11d4c9705c64b78f327aaf77e961155e27d671e8fba546a7906370b916f6901
Instruction Fuzzy Hash: B3517732E0C6424AEA698B19E440E796291FF877D0F154536F95E9269CEF3EF453C700

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF88C3140E4 Relevance: 6.1, APIs: 4, Instructions: 115
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E00007FF87FF88C3140E4(void* __ecx, void* __eflags, long long __rbx, char* __rcx, void* __rdx, long long __rdi, long long __rsi, long long __rbp, intOrPtr* __r9, void* _a8, void* _a16, void* _a24, void* _a32, char _a40, intOrPtr _a48) {
				char _v16;
				intOrPtr _v24;
				intOrPtr _v40;
				void* _t50;
				intOrPtr _t62;
				signed int _t63;
				void* _t67;
				void* _t69;
				intOrPtr* _t87;
				intOrPtr _t88;
				void* _t89;
				signed int _t90;
				intOrPtr* _t91;
				char* _t115;
				char* _t117;
				intOrPtr* _t125;
				intOrPtr* _t135;

				_t67 = __ecx;
				_t87 = _t125;
				 *((long long*)(_t87 + 8)) = __rbx;
				 *((long long*)(_t87 + 0x10)) = __rbp;
				 *((long long*)(_t87 + 0x18)) = __rsi;
				 *((long long*)(_t87 + 0x20)) = __rdi;
				_t135 = __r9;
				_t69 = r8d;
				E00007FF87FF88C306AE4(_t87, _t87 - 0x28, _a48);
				if (__rcx != 0) goto 0x8c31414b;
				E00007FF87FF88C307698(_t87);
				 *_t87 = __rcx + 0x16;
				E00007FF87FF88C309444();
				if (_v16 == dil) goto 0x8c314144;
				 *(_v24 + 0xc8) =  *(_v24 + 0xc8) & 0xfffffffd;
				goto 0x8c314262;
				if (__rdx != 0) goto 0x8c314174;
				E00007FF87FF88C307698(_t87);
				_t62 = __rdx + 0x16;
				 *_t87 = _t62;
				E00007FF87FF88C309444();
				if (_v16 == sil) goto 0x8c314144;
				_t88 = _v24;
				 *(_t88 + 0xc8) =  *(_t88 + 0xc8) & 0xfffffffd;
				goto 0x8c314144;
				if (_a40 == 0) goto 0x8c314195;
				if (_t62 != _t69) goto 0x8c314195;
				_t89 = _t88 + __rcx;
				 *((short*)(_t62 + _t89)) = 0x30;
				if ( *__r9 != 0x2d) goto 0x8c3141a2;
				 *__rcx = 0x2d;
				_t115 = __rcx + 1;
				_t79 =  *((intOrPtr*)(__r9 + 4));
				if ( *((intOrPtr*)(__r9 + 4)) > 0) goto 0x8c3141ca;
				E00007FF87FF88C3053B0(0 |  *__r9 == 0x0000002d, _t115);
				_t24 = _t89 + 1; // 0x1
				_t50 = E00007FF87FF88C304B80(_t67, _t79, _t115 + 1, _t115, _t24);
				 *_t115 = 0x30;
				goto 0x8c3141d2;
				_t90 =  *(_t135 + 4);
				_t117 = _t115 + 1 + _t90;
				if (_t69 <= 0) goto 0x8c31424d;
				_t121 = _t117 + 1;
				E00007FF87FF88C3053B0(_t50, _t117);
				_t27 = _t90 + 1; // 0x1
				E00007FF87FF88C304B80(_t67, _t69, _t117 + 1, _t117, _t27);
				_t91 =  *((intOrPtr*)(_v40 + 0x128));
				 *_t117 =  *((intOrPtr*)( *_t91));
				_t63 =  *(_t135 + 4);
				if (_t63 >= 0) goto 0x8c31424d;
				if (_a40 != 0) goto 0x8c31421f;
				_t66 =  >=  ?  ~_t63 : _t69;
				if (( >=  ?  ~_t63 : _t69) == 0) goto 0x8c31423d;
				E00007FF87FF88C3053B0( ~_t63, _t117 + 1);
				_t32 = _t91 + 1; // 0x1
				E00007FF87FF88C3056D0(E00007FF87FF88C304B80(_t67,  >=  ?  ~_t63 : _t69, ( >=  ?  ~_t63 : _t69) + _t121, _t121, _t32), _t67, 0x30, _t121, _t121, _t66);
				if (_v16 == 0) goto 0x8c314260;
				 *(_v24 + 0xc8) =  *(_v24 + 0xc8) & 0xfffffffd;
				return 0;
			}

0x7ff88c3140e4
0x7ff88c3140e4
0x7ff88c3140e7
0x7ff88c3140eb
0x7ff88c3140ef
0x7ff88c3140f3
0x7ff88c314110
0x7ff88c314115
0x7ff88c314118
0x7ff88c314120
0x7ff88c314122
0x7ff88c31412a
0x7ff88c31412c
0x7ff88c314136
0x7ff88c31413d
0x7ff88c314146
0x7ff88c31414e
0x7ff88c314150
0x7ff88c314155
0x7ff88c314158
0x7ff88c31415a
0x7ff88c314164
0x7ff88c314166
0x7ff88c31416b
0x7ff88c314172
0x7ff88c314179
0x7ff88c31417d
0x7ff88c31418c
0x7ff88c31418f
0x7ff88c31419a
0x7ff88c31419c
0x7ff88c31419f
0x7ff88c3141a2
0x7ff88c3141a8
0x7ff88c3141ad
0x7ff88c3141b9
0x7ff88c3141bd
0x7ff88c3141c2
0x7ff88c3141c8
0x7ff88c3141ca
0x7ff88c3141cf
0x7ff88c3141d4
0x7ff88c3141d9
0x7ff88c3141dd
0x7ff88c3141e8
0x7ff88c3141ec
0x7ff88c3141f6
0x7ff88c314202
0x7ff88c314204
0x7ff88c31420b
0x7ff88c314214
0x7ff88c31421c
0x7ff88c314221
0x7ff88c314226
0x7ff88c314231
0x7ff88c314248
0x7ff88c314252
0x7ff88c314259
0x7ff88c31427c

APIs

Part of subcall function 00007FF88C306AE4: _getptd.LIBCMT ref: 00007FF88C306AF6

_errno.LIBCMT ref: 00007FF88C314122
_invalid_parameter_noinfo.LIBCMT ref: 00007FF88C31412C
_errno.LIBCMT ref: 00007FF88C314150
_invalid_parameter_noinfo.LIBCMT ref: 00007FF88C31415A

Memory Dump Source

Source File: 00000000.00000002.323590886.00007FF88C301000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF88C300000, based on PE: true

Associated: 00000000.00000002.323573707.00007FF88C300000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323655700.00007FF88C322000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323798879.00007FF88C367000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323812343.00007FF88C36A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323824687.00007FF88C36C000.00000010.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323839114.00007FF88C36D000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff88c300000_loaddll64.jbxd

Similarity

API ID: _errno_invalid_parameter_noinfo$_getptd
String ID:
API String ID: 1297830140-0
Opcode ID: 935b354935433d327fe195aac0a6e1a519b339dfaf1ac7f6f11b535f2c6d5ff6
Instruction ID: 6cee01568c880122b1c3fb2b0faf41e998d8323e58d2b21b20e0a26778db0302
Opcode Fuzzy Hash: 935b354935433d327fe195aac0a6e1a519b339dfaf1ac7f6f11b535f2c6d5ff6
Instruction Fuzzy Hash: 4041F122A087818AE750DF54D584A7D77A0FB96BE0F044132EB8E83B9ACF2CE447C740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF88C31EF84 Relevance: 6.1, APIs: 4, Instructions: 104
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 91%

			E00007FF87FF88C31EF84(void* __ecx, void* __eflags, long long __rcx, long long __rdx, void* __rbp, long long __r8, intOrPtr _a8, void* _a16, intOrPtr _a24, intOrPtr _a32) {
				long long _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				void* __rsi;
				void* _t62;
				signed long long _t65;
				intOrPtr _t66;
				intOrPtr _t67;
				void* _t68;
				long long _t79;
				void* _t80;
				void* _t81;
				void* _t82;
				void* _t83;
				void* _t84;
				void* _t85;
				void* _t86;
				intOrPtr _t96;
				long long _t108;
				long long _t112;
				void* _t118;
				signed long long _t120;
				long long _t125;

				_t115 = __r8;
				_t91 = __rcx;
				_t68 = __eflags;
				_t64 = __ecx;
				_t79 = _t112;
				 *((intOrPtr*)(_t79 + 0x20)) = r9d;
				 *((long long*)(_t79 + 0x18)) = __r8;
				 *((long long*)(_t79 + 0x10)) = __rdx;
				 *((long long*)(_t79 + 8)) = __rcx;
				r13d = r9d;
				_t108 = __r8;
				_t125 = __rcx;
				_t65 = E00007FF87FF88C31ECF8(__rcx, __rdx, __r8);
				E00007FF87FF88C31E4B4(_t79);
				_v64 = _t79;
				E00007FF87FF88C307F5C(__ecx, _t68, _t79, _t91, _t108, _t115);
				 *((intOrPtr*)(_t79 + 0x100)) =  *((intOrPtr*)(_t79 + 0x100)) + 1;
				if (_t65 == 0xffffffff) goto 0x8c31f0c4;
				if (_t65 - r13d <= 0) goto 0x8c31f0c4;
				if (_t65 - 0xffffffff <= 0) goto 0x8c31efea;
				if (_t65 -  *((intOrPtr*)(_t108 + 4)) < 0) goto 0x8c31efef;
				E00007FF87FF88C312484(_t79);
				_t120 = _t65;
				E00007FF87FF88C31E4B4(_t79);
				_t80 = _t79 + _t120 * 8;
				_t66 =  *((intOrPtr*)( *((intOrPtr*)(_t108 + 8)) + _t80));
				_v72 = _t66;
				E00007FF87FF88C31E4B4(_t80);
				_t81 = _t80 + _t120 * 8;
				if ( *((intOrPtr*)( *((intOrPtr*)(_t108 + 8)) + _t81 + 4)) == 0) goto 0x8c31f036;
				E00007FF87FF88C31E4B4(_t81);
				_t82 = _t81 + _t120 * 8;
				E00007FF87FF88C31E4B4(_t82);
				_t83 = _t82 +  *((intOrPtr*)( *((intOrPtr*)(_t108 + 8)) + _t82 + 4));
				goto 0x8c31f038;
				if (_t83 == 0) goto 0x8c31f09b;
				r9d = _t66;
				_t116 = _t108;
				E00007FF87FF88C31ED20(0, _t125, _t108);
				E00007FF87FF88C31E4B4(_t83);
				_t96 =  *((intOrPtr*)(_t108 + 8));
				_t84 = _t83 + _t120 * 8;
				_t75 =  *((intOrPtr*)(_t96 + _t84 + 4));
				if ( *((intOrPtr*)(_t96 + _t84 + 4)) == 0) goto 0x8c31f07e;
				E00007FF87FF88C31E4B4(_t84);
				_t85 = _t84 + _t120 * 8;
				E00007FF87FF88C31E4B4(_t85);
				_t86 = _t85 +  *((intOrPtr*)( *((intOrPtr*)(_t108 + 8)) + _t85 + 4));
				goto 0x8c31f080;
				r8d = 0x103;
				E00007FF87FF88C320860(_t86, _t125, _t118);
				_t99 = _v64;
				E00007FF87FF88C31E4E4(_t86, _v64);
				r13d = _a32;
				_t109 = _a24;
				_t67 = _v72;
				_v68 = _t67;
				goto 0x8c31efce;
				E00007FF87FF88C307F5C(_t64, _t75, _t86, _t99, _a24, _t116);
				if ( *((intOrPtr*)(_t86 + 0x100)) <= 0) goto 0x8c31f0dd;
				E00007FF87FF88C307F5C(_t64,  *((intOrPtr*)(_t86 + 0x100)), _t86, _t99, _a24, _t116);
				 *((intOrPtr*)(_t86 + 0x100)) =  *((intOrPtr*)(_t86 + 0x100)) - 1;
				if (_t67 == 0xffffffff) goto 0x8c31f0ec;
				if (_t67 - r13d <= 0) goto 0x8c31f0ec;
				_t62 = E00007FF87FF88C312484(_t86);
				r9d = _t67;
				return E00007FF87FF88C31ED20(_t62, _a8, _t109);
			}

0x7ff88c31ef84
0x7ff88c31ef84
0x7ff88c31ef84
0x7ff88c31ef84
0x7ff88c31ef84
0x7ff88c31ef87
0x7ff88c31ef8b
0x7ff88c31ef8f
0x7ff88c31ef93
0x7ff88c31efa6
0x7ff88c31efa9
0x7ff88c31efaf
0x7ff88c31efb7
0x7ff88c31efb9
0x7ff88c31efbe
0x7ff88c31efc3
0x7ff88c31efc8
0x7ff88c31efd1
0x7ff88c31efda
0x7ff88c31efe3
0x7ff88c31efe8
0x7ff88c31efea
0x7ff88c31efef
0x7ff88c31eff2
0x7ff88c31effb
0x7ff88c31efff
0x7ff88c31f002
0x7ff88c31f006
0x7ff88c31f00f
0x7ff88c31f018
0x7ff88c31f01a
0x7ff88c31f023
0x7ff88c31f02c
0x7ff88c31f031
0x7ff88c31f034
0x7ff88c31f03b
0x7ff88c31f03d
0x7ff88c31f040
0x7ff88c31f049
0x7ff88c31f04e
0x7ff88c31f053
0x7ff88c31f057
0x7ff88c31f05b
0x7ff88c31f060
0x7ff88c31f062
0x7ff88c31f06b
0x7ff88c31f074
0x7ff88c31f079
0x7ff88c31f07c
0x7ff88c31f080
0x7ff88c31f08c
0x7ff88c31f091
0x7ff88c31f096
0x7ff88c31f09d
0x7ff88c31f0a5
0x7ff88c31f0b7
0x7ff88c31f0bb
0x7ff88c31f0bf
0x7ff88c31f0c4
0x7ff88c31f0d0
0x7ff88c31f0d2
0x7ff88c31f0d7
0x7ff88c31f0e0
0x7ff88c31f0e5
0x7ff88c31f0e7
0x7ff88c31f0ec
0x7ff88c31f10c

APIs

Part of subcall function 00007FF88C31E4B4: _getptd.LIBCMT ref: 00007FF88C31E4B8

_getptd.LIBCMT ref: 00007FF88C31EFC3

Part of subcall function 00007FF88C307F5C: _amsg_exit.LIBCMT ref: 00007FF88C307F72

_SetImageBase.LIBCMT ref: 00007FF88C31F096
_getptd.LIBCMT ref: 00007FF88C31F0C4
_getptd.LIBCMT ref: 00007FF88C31F0D2

Memory Dump Source

Source File: 00000000.00000002.323590886.00007FF88C301000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF88C300000, based on PE: true

Associated: 00000000.00000002.323573707.00007FF88C300000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323655700.00007FF88C322000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323798879.00007FF88C367000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323812343.00007FF88C36A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323824687.00007FF88C36C000.00000010.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323839114.00007FF88C36D000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff88c300000_loaddll64.jbxd

Similarity

API ID: _getptd$BaseImage_amsg_exit
String ID:
API String ID: 2306399499-0
Opcode ID: 26becd220303018106cd234ffe4ebfb24dc66a80549a63e170b8fb2b1986c4fe
Instruction ID: 0704291a406ee482d352c096a13aca7750d2ab7d0926f23718c8cce1909be035
Opcode Fuzzy Hash: 26becd220303018106cd234ffe4ebfb24dc66a80549a63e170b8fb2b1986c4fe
Instruction Fuzzy Hash: C8416332A049438DEA20A716D4459BD66A0BF46BD8F158133FA5D837E6DE3DE447C301

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF88C315524 Relevance: 6.1, APIs: 4, Instructions: 102
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 31%

			E00007FF87FF88C315524(signed int __edx, long long __rbx, intOrPtr* __rcx, void* __rdx, long long __rdi, long long __rsi, void* __r8) {
				int _t23;
				void* _t26;
				int _t28;
				intOrPtr _t43;
				int _t45;
				signed long long _t55;
				long long _t63;
				long long _t66;
				void* _t69;
				signed long long _t80;
				void* _t81;
				void* _t82;
				void* _t83;
				void* _t90;
				void* _t91;
				int _t92;
				void* _t93;

				_t82 = _t81 - 0x40;
				_t1 = _t82 + 0x30; // -31
				_t80 = _t1;
				 *((long long*)(_t80 + 0x40)) = __rbx;
				 *((long long*)(_t80 + 0x48)) = __rsi;
				 *((long long*)(_t80 + 0x50)) = __rdi;
				_t55 =  *0x8c3670a0; // 0xfd5a6ce2fd9f
				 *_t80 = _t55 ^ _t80;
				r13d = r9d;
				_t93 = __r8;
				r15d = __edx;
				if ( *((intOrPtr*)(_t80 + 0x68)) != 0) goto 0x8c315569;
				_t43 =  *((intOrPtr*)( *__rcx + 4));
				 *(_t80 + 0x70) =  ~( *(_t80 + 0x70));
				 *((intOrPtr*)(_t82 + 0x28)) = 0;
				asm("sbb edx, edx");
				 *((long long*)(_t82 + 0x20)) = __rdi;
				_t23 = MultiByteToWideChar(??, ??, ??, ??, ??, ??);
				_t92 = _t23;
				_t45 = _t23;
				if (_t45 != 0) goto 0x8c315592;
				goto 0x8c31565c;
				if (_t45 <= 0) goto 0x8c3155fb;
				if (_t92 - 0xfffffff0 > 0) goto 0x8c3155fb;
				_t12 = _t92 + 0x10; // 0x10
				_t69 = _t92 + _t12;
				if (_t69 - 0x400 > 0) goto 0x8c3155e2;
				_t13 = _t69 + 0xf; // 0x1f
				if (_t13 - _t69 > 0) goto 0x8c3155c4;
				E00007FF87FF88C31A210(0, 0xffffffffffffff0, _t90, _t91);
				_t83 = _t82 - 0xfffffff0;
				_t14 = _t83 + 0x30; // -31
				_t63 = _t14;
				if (_t63 == 0) goto 0x8c31558b;
				 *_t63 = 0xcccc;
				goto 0x8c3155f5;
				_t26 = E00007FF87FF88C3052E4(0xffffffffffffff0, _t63, _t69, __rsi);
				if (0xfffffff0 == 0) goto 0x8c3155fe;
				 *((intOrPtr*)(0xffffffffffffff0)) = 0xdddd;
				goto 0x8c3155fe;
				_t66 = __rdi;
				if (__rdi == 0) goto 0x8c31558b;
				E00007FF87FF88C3056D0(_t26, _t43, 0, __rdi, __rdx, _t92 + _t92);
				r9d = r13d;
				 *((intOrPtr*)(_t83 + 0x28)) = r12d;
				 *((long long*)(_t83 + 0x20)) = __rdi;
				_t28 = MultiByteToWideChar(??, ??, ??, ??, ??, ??);
				if (_t28 == 0) goto 0x8c315649;
				r8d = _t28;
				GetStringTypeW(??, ??, ??, ??);
				_t18 = _t66 - 0x10; // -16
				if ( *_t18 != 0xdddd) goto 0x8c31565a;
				free(??);
				return E00007FF87FF88C304980(r15d,  *_t80 ^ _t80, __rdi, _t93);
			}

0x7ff88c31552e
0x7ff88c315532
0x7ff88c315532
0x7ff88c315537
0x7ff88c31553b
0x7ff88c31553f
0x7ff88c315543
0x7ff88c31554d
0x7ff88c315556
0x7ff88c315559
0x7ff88c31555c
0x7ff88c315561
0x7ff88c315566
0x7ff88c315569
0x7ff88c31556e
0x7ff88c315572
0x7ff88c315574
0x7ff88c31557e
0x7ff88c315584
0x7ff88c315587
0x7ff88c315589
0x7ff88c31558d
0x7ff88c315592
0x7ff88c3155a1
0x7ff88c3155a3
0x7ff88c3155a3
0x7ff88c3155af
0x7ff88c3155b1
0x7ff88c3155b8
0x7ff88c3155c8
0x7ff88c3155cd
0x7ff88c3155d0
0x7ff88c3155d0
0x7ff88c3155d8
0x7ff88c3155da
0x7ff88c3155e0
0x7ff88c3155e2
0x7ff88c3155ed
0x7ff88c3155ef
0x7ff88c3155f9
0x7ff88c3155fb
0x7ff88c315601
0x7ff88c31560e
0x7ff88c315613
0x7ff88c315620
0x7ff88c315625
0x7ff88c31562a
0x7ff88c315632
0x7ff88c315638
0x7ff88c315641
0x7ff88c315649
0x7ff88c315653
0x7ff88c315655
0x7ff88c315681

APIs

MultiByteToWideChar.KERNEL32 ref: 00007FF88C31557E
MultiByteToWideChar.KERNEL32 ref: 00007FF88C31562A
GetStringTypeW.KERNEL32 ref: 00007FF88C315641
free.LIBCMT ref: 00007FF88C315655

Memory Dump Source

Source File: 00000000.00000002.323590886.00007FF88C301000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF88C300000, based on PE: true

Associated: 00000000.00000002.323573707.00007FF88C300000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323655700.00007FF88C322000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323798879.00007FF88C367000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323812343.00007FF88C36A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323824687.00007FF88C36C000.00000010.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323839114.00007FF88C36D000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff88c300000_loaddll64.jbxd

Similarity

API ID: ByteCharMultiWide$StringTypefree
String ID:
API String ID: 3522554955-0
Opcode ID: 012ca370cfe8b8dd57c4f755b3acaeec1c7902dadb39f85116b475ce24ba9a04
Instruction ID: 16929d6c0f8dbdeb1250d2ba4248bb02c367f8531963259c352c6945607e6ae1
Opcode Fuzzy Hash: 012ca370cfe8b8dd57c4f755b3acaeec1c7902dadb39f85116b475ce24ba9a04
Instruction Fuzzy Hash: 3B415422A05A818AEB109F65D8009A96395FF45BF8F584636FE2E877D9DF3CD402C300

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF88C31A558 Relevance: 6.1, APIs: 4, Instructions: 80
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 97%

			E00007FF87FF88C31A558(signed int __ecx, intOrPtr* __rax, long long __rbx, signed int __rcx, char* __rdx, long long __rsi, void* __r8, void* __r9, long long _a8, long long _a16, intOrPtr _a40) {
				signed int _t20;
				signed int _t34;
				signed int _t37;
				signed int _t40;
				void* _t57;
				void* _t58;
				char* _t67;
				char* _t68;
				intOrPtr* _t69;
				void* _t71;
				char* _t72;

				_t71 = __r9;
				_a8 = __rbx;
				_a16 = __rsi;
				_t40 = r9d;
				_t74 = __rdx;
				_t37 = __ecx;
				if (__rdx != 0) goto 0x8c31a58f;
				E00007FF87FF88C307698(__rax);
				 *__rax = 0x16;
				E00007FF87FF88C309444();
				goto 0x8c31a639;
				if (__r8 == 0) goto 0x8c31a577;
				 *__rdx = 0;
				asm("dec eax");
				_t57 =  ~__rcx + 1;
				if (__r8 - _t57 > 0) goto 0x8c31a5b9;
				E00007FF87FF88C307698(__rax);
				goto 0x8c31a581;
				_t4 = _t71 - 2; // -2
				if (_t4 - 0x22 > 0) goto 0x8c31a577;
				if (_a40 == 0) goto 0x8c31a5dc;
				 *__rdx = 0x2d;
				_t5 = _t74 + 1; // 0x13a
				_t67 = _t5;
				_t72 = _t67;
				_t20 =  ~_t37;
				_t34 = _t20 % _t40;
				if (_t34 - 9 <= 0) goto 0x8c31a5f1;
				goto 0x8c31a5f4;
				 *_t67 = _t34 + 0x87;
				_t58 = _t57 + 1;
				_t68 = _t67 + 1;
				if (_t20 / _t40 == 0) goto 0x8c31a606;
				if (_t58 - __r8 < 0) goto 0x8c31a5df;
				if (_t58 - __r8 < 0) goto 0x8c31a619;
				 *__rdx = 0;
				E00007FF87FF88C307698(__rax);
				goto 0x8c31a581;
				 *_t68 = 0;
				_t69 = _t68 - 1;
				 *_t69 =  *_t72;
				 *_t72 =  *_t69;
				if (_t72 + 1 - _t69 - 1 < 0) goto 0x8c31a620;
				return 0;
			}

0x7ff88c31a558
0x7ff88c31a558
0x7ff88c31a55d
0x7ff88c31a567
0x7ff88c31a56d
0x7ff88c31a570
0x7ff88c31a575
0x7ff88c31a577
0x7ff88c31a581
0x7ff88c31a583
0x7ff88c31a58a
0x7ff88c31a592
0x7ff88c31a594
0x7ff88c31a59f
0x7ff88c31a5a5
0x7ff88c31a5ab
0x7ff88c31a5ad
0x7ff88c31a5b7
0x7ff88c31a5b9
0x7ff88c31a5c4
0x7ff88c31a5cd
0x7ff88c31a5cf
0x7ff88c31a5d3
0x7ff88c31a5d3
0x7ff88c31a5dc
0x7ff88c31a5e1
0x7ff88c31a5e3
0x7ff88c31a5ea
0x7ff88c31a5ef
0x7ff88c31a5f4
0x7ff88c31a5f7
0x7ff88c31a5fa
0x7ff88c31a5ff
0x7ff88c31a604
0x7ff88c31a609
0x7ff88c31a60b
0x7ff88c31a60f
0x7ff88c31a614
0x7ff88c31a619
0x7ff88c31a61d
0x7ff88c31a626
0x7ff88c31a629
0x7ff88c31a635
0x7ff88c31a648

APIs

_errno.LIBCMT ref: 00007FF88C31A577
_invalid_parameter_noinfo.LIBCMT ref: 00007FF88C31A583
_errno.LIBCMT ref: 00007FF88C31A5AD
_errno.LIBCMT ref: 00007FF88C31A60F

Memory Dump Source

Source File: 00000000.00000002.323590886.00007FF88C301000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF88C300000, based on PE: true

Associated: 00000000.00000002.323573707.00007FF88C300000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323655700.00007FF88C322000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323798879.00007FF88C367000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323812343.00007FF88C36A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323824687.00007FF88C36C000.00000010.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323839114.00007FF88C36D000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff88c300000_loaddll64.jbxd

Similarity

API ID: _errno$_invalid_parameter_noinfo
String ID:
API String ID: 2819658684-0
Opcode ID: e822f98671c07c2ce8ca044e1ea374783c45761b316b2f1ea4ea93c32f7f0e3c
Instruction ID: 00014038f9b3a620fe746ed753bcc37cc959b220ca3d59a82c52e0965cbedae2
Opcode Fuzzy Hash: e822f98671c07c2ce8ca044e1ea374783c45761b316b2f1ea4ea93c32f7f0e3c
Instruction Fuzzy Hash: EB21A362A0C3C68EF7448A69D450A7D6791BB573C1F598033E68AC368BDE6D9846C701

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF88C31A6AC Relevance: 6.1, APIs: 4, Instructions: 80
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 96%

			E00007FF87FF88C31A6AC(intOrPtr* __rax, long long __rbx, signed int __rcx, char* __rdx, signed int __rsi, void* __r8, long long _a8, long long _a16, intOrPtr _a40) {
				signed int _t19;
				signed int _t32;
				void* _t53;
				void* _t54;
				char* _t66;
				char* _t67;
				intOrPtr* _t68;
				char* _t70;

				_a8 = __rbx;
				_a16 = __rsi;
				if (__rdx != 0) goto 0x8c31a6e4;
				E00007FF87FF88C307698(__rax);
				 *__rax = 0x16;
				E00007FF87FF88C309444();
				goto 0x8c31a792;
				if (__r8 == 0) goto 0x8c31a6cc;
				 *__rdx = 0;
				asm("dec eax");
				_t53 =  ~__rcx + 1;
				if (__r8 - _t53 > 0) goto 0x8c31a70e;
				E00007FF87FF88C307698(__rax);
				goto 0x8c31a6d6;
				_t19 = __rsi - 2;
				if (_t19 - 0x22 > 0) goto 0x8c31a6cc;
				if (_a40 == 0) goto 0x8c31a731;
				 *__rdx = 0x2d;
				_t66 = __rdx + 1;
				_t70 = _t66;
				_t32 = _t19 % __rsi;
				if (_t32 - 9 <= 0) goto 0x8c31a749;
				goto 0x8c31a74c;
				 *_t66 = _t32 + 0x87;
				_t54 = _t53 + 1;
				_t67 = _t66 + 1;
				if ( ~__rcx == 0) goto 0x8c31a75f;
				if (_t54 - __r8 < 0) goto 0x8c31a734;
				if (_t54 - __r8 < 0) goto 0x8c31a772;
				 *__rdx = 0;
				E00007FF87FF88C307698( ~__rcx);
				goto 0x8c31a6d6;
				 *_t67 = 0;
				_t68 = _t67 - 1;
				 *_t68 =  *_t70;
				 *_t70 =  *_t68;
				if (_t70 + 1 - _t68 - 1 < 0) goto 0x8c31a779;
				return 0;
			}

0x7ff88c31a6ac
0x7ff88c31a6b1
0x7ff88c31a6ca
0x7ff88c31a6cc
0x7ff88c31a6d6
0x7ff88c31a6d8
0x7ff88c31a6df
0x7ff88c31a6e7
0x7ff88c31a6e9
0x7ff88c31a6f4
0x7ff88c31a6fa
0x7ff88c31a700
0x7ff88c31a702
0x7ff88c31a70c
0x7ff88c31a70e
0x7ff88c31a718
0x7ff88c31a721
0x7ff88c31a723
0x7ff88c31a727
0x7ff88c31a731
0x7ff88c31a739
0x7ff88c31a742
0x7ff88c31a747
0x7ff88c31a74c
0x7ff88c31a74f
0x7ff88c31a752
0x7ff88c31a758
0x7ff88c31a75d
0x7ff88c31a762
0x7ff88c31a764
0x7ff88c31a768
0x7ff88c31a76d
0x7ff88c31a772
0x7ff88c31a776
0x7ff88c31a77f
0x7ff88c31a782
0x7ff88c31a78e
0x7ff88c31a7a1

APIs

_errno.LIBCMT ref: 00007FF88C31A6CC
_invalid_parameter_noinfo.LIBCMT ref: 00007FF88C31A6D8
_errno.LIBCMT ref: 00007FF88C31A702
_errno.LIBCMT ref: 00007FF88C31A768

Memory Dump Source

Source File: 00000000.00000002.323590886.00007FF88C301000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF88C300000, based on PE: true

Associated: 00000000.00000002.323573707.00007FF88C300000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323655700.00007FF88C322000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323798879.00007FF88C367000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323812343.00007FF88C36A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323824687.00007FF88C36C000.00000010.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323839114.00007FF88C36D000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff88c300000_loaddll64.jbxd

Similarity

API ID: _errno$_invalid_parameter_noinfo
String ID:
API String ID: 2819658684-0
Opcode ID: 454a581c9aef82d5c2a75e614494dd54dd2b682ed2281b821beb9cda3ca8224a
Instruction ID: af2a713502f346da41aee2895cd5165f8da0ab1497b0d8976ca031d1add45a09
Opcode Fuzzy Hash: 454a581c9aef82d5c2a75e614494dd54dd2b682ed2281b821beb9cda3ca8224a
Instruction Fuzzy Hash: 16212722B0D3C24DFB4486A5D550A7D6791BB237C1F18C433E64A837CBD96D9946C700

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF88C314E7C Relevance: 6.1, APIs: 4, Instructions: 72COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF88C3148D4: _set_statfp.LIBCMT ref: 00007FF88C31490E
Part of subcall function 00007FF88C3148D4: _set_statfp.LIBCMT ref: 00007FF88C314B14

_raise_exc_ex.LIBCMT ref: 00007FF88C314F02

Part of subcall function 00007FF88C314B40: _errno.LIBCMT ref: 00007FF88C314B50

_errcode.LIBCMT ref: 00007FF88C314F0D
_umatherr.LIBCMT ref: 00007FF88C314F3B
_ctrlfp.LIBCMT ref: 00007FF88C314F51

Memory Dump Source

Source File: 00000000.00000002.323590886.00007FF88C301000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF88C300000, based on PE: true

Associated: 00000000.00000002.323573707.00007FF88C300000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323655700.00007FF88C322000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323798879.00007FF88C367000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323812343.00007FF88C36A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323824687.00007FF88C36C000.00000010.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323839114.00007FF88C36D000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff88c300000_loaddll64.jbxd

Similarity

API ID: _set_statfp$_ctrlfp_errcode_errno_raise_exc_ex_umatherr
String ID:
API String ID: 3627922240-0
Opcode ID: 8890f3d1aad585699acb7d798ee0a6572a5914d0a9e669a1cd69efa2da621ede
Instruction ID: b1244b6b3952fa297e5e37c61642aa5512470bb4649f3f96aff7779e38226f4d
Opcode Fuzzy Hash: 8890f3d1aad585699acb7d798ee0a6572a5914d0a9e669a1cd69efa2da621ede
Instruction Fuzzy Hash: E8317826A18A45CEE7218F38D4006EE73A4BB8A388F045336FE4C97B69DF38D502C740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF88C314D88 Relevance: 6.1, APIs: 4, Instructions: 66
COMMON

Download Yara Rule

C-Code - Quality: 20%

			E00007FF87FF88C314D88(signed int __ecx, void* __edx, void* __eflags, long long __rbx, void* __rcx, void* __r9) {
				void* __rdi;
				void* __rsi;
				signed int _t21;
				void* _t23;
				signed int _t24;
				void* _t27;
				void* _t28;
				signed int _t36;
				void* _t37;
				void* _t43;
				signed long long _t44;
				void* _t59;
				void* _t61;
				void* _t64;
				void* _t66;
				signed long long _t67;

				_t43 = _t66;
				 *((long long*)(_t43 + 0x10)) = __rbx;
				_t64 = _t43 - 0x57;
				_t67 = _t66 - 0xe0;
				asm("movaps [eax-0x28], xmm6");
				_t44 =  *0x8c3670a0; // 0xfd5a6ce2fd9f
				 *(_t64 + 0x1f) = _t44 ^ _t67;
				_t37 = __edx;
				asm("movsd [ebp-0x59], xmm2");
				asm("movsd [ebp-0x61], xmm3");
				asm("movapd xmm6, xmm2");
				_t36 = __ecx;
				_t21 = E00007FF87FF88C3148D4(__ecx, _t44 ^ _t67,  *((intOrPtr*)(_t64 + 0x7f)), _t64 - 0x61,  *((intOrPtr*)(_t64 + 0x7f)));
				if (_t21 != 0) goto 0x8c314e06;
				 *(_t67 + 0x30) =  *(_t67 + 0x30) & _t21;
				 *(_t64 - 0x11) =  *(_t64 - 0x11) & 0xfffffffe;
				 *((long long*)(_t67 + 0x28)) = _t64 - 0x61;
				r9d = _t37;
				r8d = _t36;
				 *((long long*)(_t67 + 0x20)) = _t64 - 0x59;
				E00007FF87FF88C314574(_t21,  *((intOrPtr*)(_t64 + 0x7f)), _t64 - 0x51, _t64 + 0x7f, _t59, _t61);
				_t23 = E00007FF87FF88C314BA4(_t36);
				if ( *0x8c368460 != 0) goto 0x8c314e3d;
				if (_t23 == 0) goto 0x8c314e3d;
				asm("movsd xmm0, [ebp-0x61]");
				asm("xorpd xmm3, xmm3");
				asm("movapd xmm2, xmm6");
				 *((long long*)(_t67 + 0x28)) =  *((intOrPtr*)(_t64 + 0x7f));
				asm("movsd [esp+0x20], xmm0");
				_t24 = E00007FF87FF88C314BE8(_t23, _t37);
				goto 0x8c314e56;
				E00007FF87FF88C314B40(_t24, _t64 - 0x59);
				E00007FF87FF88C314FBC(_t28, _t36,  *((intOrPtr*)(_t64 + 0x7f)),  *((intOrPtr*)(_t64 + 0x7f)), _t64 + 0x7f, _t61, _t59, _t61);
				asm("movsd xmm0, [ebp-0x61]");
				_t27 = E00007FF87FF88C304980(_t24,  *(_t64 + 0x1f) ^ _t67, _t64 + 0x7f,  *((intOrPtr*)(_t64 + 0x7f)));
				asm("inc ecx");
				return _t27;
			}

0x7ff88c314d88
0x7ff88c314d8b
0x7ff88c314d92
0x7ff88c314d96
0x7ff88c314d9d
0x7ff88c314da1
0x7ff88c314dab
0x7ff88c314db3
0x7ff88c314db9
0x7ff88c314dbe
0x7ff88c314dc3
0x7ff88c314dca
0x7ff88c314dcc
0x7ff88c314dd3
0x7ff88c314dd5
0x7ff88c314dd9
0x7ff88c314de1
0x7ff88c314df2
0x7ff88c314df5
0x7ff88c314df8
0x7ff88c314dfd
0x7ff88c314e08
0x7ff88c314e14
0x7ff88c314e18
0x7ff88c314e1a
0x7ff88c314e1f
0x7ff88c314e23
0x7ff88c314e2b
0x7ff88c314e30
0x7ff88c314e36
0x7ff88c314e3b
0x7ff88c314e3f
0x7ff88c314e4c
0x7ff88c314e51
0x7ff88c314e5d
0x7ff88c314e6e
0x7ff88c314e79

APIs

Part of subcall function 00007FF88C3148D4: _set_statfp.LIBCMT ref: 00007FF88C31490E
Part of subcall function 00007FF88C3148D4: _set_statfp.LIBCMT ref: 00007FF88C314B14

_raise_exc_ex.LIBCMT ref: 00007FF88C314DFD

Part of subcall function 00007FF88C314B40: _errno.LIBCMT ref: 00007FF88C314B50

_errcode.LIBCMT ref: 00007FF88C314E08
_umatherr.LIBCMT ref: 00007FF88C314E36
_ctrlfp.LIBCMT ref: 00007FF88C314E4C

Memory Dump Source

Source File: 00000000.00000002.323590886.00007FF88C301000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF88C300000, based on PE: true

Associated: 00000000.00000002.323573707.00007FF88C300000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323655700.00007FF88C322000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323798879.00007FF88C367000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323812343.00007FF88C36A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323824687.00007FF88C36C000.00000010.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323839114.00007FF88C36D000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff88c300000_loaddll64.jbxd

Similarity

API ID: _set_statfp$_ctrlfp_errcode_errno_raise_exc_ex_umatherr
String ID:
API String ID: 3627922240-0
Opcode ID: 49f89b86d69a25b8b2a7744dc72d9119a528f445768c11ed6a09633d5e007dfa
Instruction ID: 8946fecd6253906ebf74a7e139fa605e681fc9708189298846219e234243495b
Opcode Fuzzy Hash: 49f89b86d69a25b8b2a7744dc72d9119a528f445768c11ed6a09633d5e007dfa
Instruction Fuzzy Hash: 2B219A22B19B41CDEB20CB34D400AEE63A5BB8A788F444236AE0C5B659DF38E507C740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF88C3113F0 Relevance: 6.0, APIs: 4, Instructions: 48
COMMON

Download Yara Rule

C-Code - Quality: 49%

			E00007FF87FF88C3113F0(long long __rcx, void* __rdi, long long __rsi, void* __r8) {
				void* __rbx;
				void* _t4;
				intOrPtr _t13;
				void* _t21;
				long long* _t22;
				long long* _t28;
				long long _t30;

				if (__rcx == 0) goto 0x8c311495;
				_t22 = __rcx;
				E00007FF87FF88C3096D8();
				_t13 =  *((intOrPtr*)(__rcx + 8));
				if (_t13 == 0) goto 0x8c311430;
				asm("lock dec dword [ecx]");
				if (_t13 != 0) goto 0x8c311430;
				if ( *((intOrPtr*)(__rcx + 8)) == 0x8c3678c0) goto 0x8c311430;
				free(_t21);
				E00007FF87FF88C3095B8();
				if ( *((long long*)(__rcx)) == 0) goto 0x8c31147c;
				E00007FF87FF88C3096D8();
				E00007FF87FF88C311020(_t4,  *((intOrPtr*)(__rcx)), __r8);
				_t28 =  *((intOrPtr*)(__rcx));
				if (_t28 == 0) goto 0x8c311472;
				if ( *_t28 != 0) goto 0x8c311472;
				if (_t28 == 0x8c3680c0) goto 0x8c311472;
				E00007FF87FF88C3110C4(__rcx, _t28, _t30, __rdi, __rsi);
				E00007FF87FF88C3095B8();
				 *_t22 = 0x8c3680c0;
				 *((long long*)(_t22 + 8)) = 0x8c3680c0;
				free(??);
				return 0xbaadf00d;
			}

0x7ff88c3113f3
0x7ff88c3113fe
0x7ff88c311406
0x7ff88c311410
0x7ff88c311413
0x7ff88c311415
0x7ff88c311418
0x7ff88c311428
0x7ff88c31142a
0x7ff88c311435
0x7ff88c31143e
0x7ff88c311445
0x7ff88c31144e
0x7ff88c311453
0x7ff88c311459
0x7ff88c31145e
0x7ff88c31146a
0x7ff88c31146c
0x7ff88c311477
0x7ff88c311481
0x7ff88c311484
0x7ff88c31148b
0x7ff88c311495

APIs

_lock.LIBCMT ref: 00007FF88C311406

Part of subcall function 00007FF88C3096D8: _amsg_exit.LIBCMT ref: 00007FF88C309702

free.LIBCMT ref: 00007FF88C31142A

Part of subcall function 00007FF88C30640C: RtlReleasePrivilege.NTDLL(?,?,00000000,00007FF88C307F44,?,?,?,00007FF88C3076A1,?,?,?,?,00007FF88C305382), ref: 00007FF88C306422
Part of subcall function 00007FF88C30640C: _errno.LIBCMT ref: 00007FF88C30642C
Part of subcall function 00007FF88C30640C: GetLastError.KERNEL32(?,?,00000000,00007FF88C307F44,?,?,?,00007FF88C3076A1,?,?,?,?,00007FF88C305382), ref: 00007FF88C306434

_lock.LIBCMT ref: 00007FF88C311445
free.LIBCMT ref: 00007FF88C31148B

Memory Dump Source

Source File: 00000000.00000002.323590886.00007FF88C301000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF88C300000, based on PE: true

Associated: 00000000.00000002.323573707.00007FF88C300000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323655700.00007FF88C322000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323798879.00007FF88C367000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323812343.00007FF88C36A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323824687.00007FF88C36C000.00000010.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323839114.00007FF88C36D000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff88c300000_loaddll64.jbxd

Similarity

API ID: _lockfree$ErrorLastPrivilegeRelease_amsg_exit_errno
String ID:
API String ID: 3411715761-0
Opcode ID: a8b7416102451f74a8af0c6d078df36bae68a8ac8152c0969ceab47448d70fac
Instruction ID: 19faaad2994468c3a99cc45083081893420b528f1eb94e607ef3b35668685679
Opcode Fuzzy Hash: a8b7416102451f74a8af0c6d078df36bae68a8ac8152c0969ceab47448d70fac
Instruction Fuzzy Hash: E4115612E0B50289FF569BA1C451FF832A0BF46BC4F845132E54E872CDDE2CA843C351

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF88C307DF8 Relevance: 6.0, APIs: 4, Instructions: 45COMMON

Download Yara Rule

APIs

FlsFree.KERNEL32(?,?,?,?,00007FF88C305A4A), ref: 00007FF88C307E07
DeleteCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF88C305A4A), ref: 00007FF88C309563
free.LIBCMT ref: 00007FF88C30956C
DeleteCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF88C305A4A), ref: 00007FF88C309593

Memory Dump Source

Source File: 00000000.00000002.323590886.00007FF88C301000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF88C300000, based on PE: true

Associated: 00000000.00000002.323573707.00007FF88C300000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323655700.00007FF88C322000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323798879.00007FF88C367000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323812343.00007FF88C36A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323824687.00007FF88C36C000.00000010.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323839114.00007FF88C36D000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff88c300000_loaddll64.jbxd

Similarity

API ID: CriticalDeleteSection$Freefree
String ID:
API String ID: 1250194111-0
Opcode ID: 2a3604f3cee8a248475c699c614c92f714952c2453d3a69da133fa28b9de4b29
Instruction ID: 8770b4e48a656c2fb51c509cf6277337facfc650ee5f05d5addb8bead18aef4a
Opcode Fuzzy Hash: 2a3604f3cee8a248475c699c614c92f714952c2453d3a69da133fa28b9de4b29
Instruction Fuzzy Hash: 6F116072E19B4186EA548F55E850A39A360FF56BE4F980630E66E022A8DF3CE493C701

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF88C310978 Relevance: 6.0, APIs: 4, Instructions: 45
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 67%

			E00007FF87FF88C310978(void* __ecx, void* __edx, void* __eflags, void* __rax, long long __rbx, void* __rcx, void* __rsi, void* __rbp, long long _a8, long long _a16) {
				void* _t26;
				long long _t27;
				void* _t30;
				long long _t32;
				long long _t33;
				long long _t37;
				void* _t42;
				void* _t48;

				_t30 = __rax;
				_a16 = __rbx;
				E00007FF87FF88C307F5C(__ecx, __eflags, __rax, __rcx, __rsi, _t48);
				_t42 = _t30;
				if (( *0x8c367df0 &  *(_t30 + 0xc8)) == 0) goto 0x8c3109ab;
				if ( *((long long*)(_t30 + 0xc0)) == 0) goto 0x8c3109ab;
				goto 0x8c310a17;
				E00007FF87FF88C3096D8();
				_t37 =  *((intOrPtr*)(_t42 + 0xb8));
				_a8 = _t37;
				_t26 = _t37 -  *0x8c367cf0; // 0x141b0981c30
				if (_t26 == 0) goto 0x8c310a0d;
				_t27 = _t37;
				if (_t27 == 0) goto 0x8c3109eb;
				asm("lock dec dword [ebx]");
				if (_t27 != 0) goto 0x8c3109eb;
				if (_a8 == 0x8c3678c0) goto 0x8c3109eb;
				free(??);
				_t32 =  *0x8c367cf0; // 0x141b0981c30
				 *((long long*)(_t42 + 0xb8)) = _t32;
				_t33 =  *0x8c367cf0; // 0x141b0981c30
				_a8 = _t33;
				asm("lock inc dword [eax]");
				E00007FF87FF88C3095B8();
				if (_a8 != 0) goto 0x8c310a24;
				return E00007FF87FF88C3072D8(_a8 + 0x20, _a8, _t48);
			}

0x7ff88c310978
0x7ff88c310978
0x7ff88c310982
0x7ff88c310987
0x7ff88c310996
0x7ff88c3109a0
0x7ff88c3109a9
0x7ff88c3109b0
0x7ff88c3109b6
0x7ff88c3109bd
0x7ff88c3109c2
0x7ff88c3109c9
0x7ff88c3109cb
0x7ff88c3109ce
0x7ff88c3109d0
0x7ff88c3109d3
0x7ff88c3109e4
0x7ff88c3109e6
0x7ff88c3109eb
0x7ff88c3109f2
0x7ff88c3109f9
0x7ff88c310a00
0x7ff88c310a05
0x7ff88c310a12
0x7ff88c310a1a
0x7ff88c310a31

APIs

_getptd.LIBCMT ref: 00007FF88C310982

Part of subcall function 00007FF88C307F5C: _amsg_exit.LIBCMT ref: 00007FF88C307F72

_lock.LIBCMT ref: 00007FF88C3109B0
free.LIBCMT ref: 00007FF88C3109E6
_amsg_exit.LIBCMT ref: 00007FF88C310A1F

Memory Dump Source

Source File: 00000000.00000002.323590886.00007FF88C301000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF88C300000, based on PE: true

Associated: 00000000.00000002.323573707.00007FF88C300000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323655700.00007FF88C322000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323798879.00007FF88C367000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323812343.00007FF88C36A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323824687.00007FF88C36C000.00000010.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323839114.00007FF88C36D000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff88c300000_loaddll64.jbxd

Similarity

API ID: _amsg_exit$_getptd_lockfree
String ID:
API String ID: 2148533958-0
Opcode ID: 2ef4612454d6d75ca460afe0c0a07bbd2284739c945846a1227e11925fd45e10
Instruction ID: bce49b1d97edab2bcbdf6fc103e1c9c02d48256cefb20430cc44a65f488cfca0
Opcode Fuzzy Hash: 2ef4612454d6d75ca460afe0c0a07bbd2284739c945846a1227e11925fd45e10
Instruction Fuzzy Hash: FB116332A1964686FA949B51E451FB973A0FF46BC4F480036EA4D433AECF3CE852C750

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF88C3114A0 Relevance: 6.0, APIs: 4, Instructions: 42
COMMON

Download Yara Rule

C-Code - Quality: 69%

			E00007FF87FF88C3114A0(void* __ecx, void* __eflags, intOrPtr* __rax, long long __rbx, void* __rcx, void* __rdx, void* __rsi, void* __rbp, void* __r8, long long _a8) {
				void* __rdi;
				void* _t13;
				void* _t14;
				intOrPtr* _t26;
				intOrPtr* _t31;
				intOrPtr* _t36;

				_t38 = __rbp;
				_t37 = __rsi;
				_t35 = __rdx;
				_t33 = __rcx;
				_t26 = __rax;
				_a8 = __rbx;
				E00007FF87FF88C307F5C(__ecx, __eflags, __rax, __rcx, __rsi, __r8);
				_t36 = _t26;
				_t2 = _t35 + 0xf; // 0x10
				E00007FF87FF88C30796C(__rbx, __rcx, __rdx, _t36, __rsi, __rbp);
				_t31 = _t26;
				if (_t26 != 0) goto 0x8c3114d6;
				E00007FF87FF88C307698(_t26);
				 *_t26 = 0xc;
				goto 0x8c311531;
				E00007FF87FF88C311298(_t2, 1, 0, _t26, _t33, _t36, _t37);
				_t13 = E00007FF87FF88C310978(_t2, 1, 0, _t26, _t31, _t33, _t37, _t38);
				 *_t31 =  *((intOrPtr*)(_t36 + 0xc0));
				 *((long long*)(_t31 + 8)) =  *((intOrPtr*)(_t36 + 0xb8));
				E00007FF87FF88C3096D8();
				_t14 = E00007FF87FF88C310F94(_t13,  *_t31, __r8);
				E00007FF87FF88C3095B8();
				E00007FF87FF88C3096D8();
				asm("lock inc dword [eax]");
				E00007FF87FF88C3095B8();
				return _t14;
			}

0x7ff88c3114a0
0x7ff88c3114a0
0x7ff88c3114a0
0x7ff88c3114a0
0x7ff88c3114a0
0x7ff88c3114a0
0x7ff88c3114aa
0x7ff88c3114af
0x7ff88c3114b7
0x7ff88c3114ba
0x7ff88c3114bf
0x7ff88c3114c5
0x7ff88c3114c7
0x7ff88c3114cc
0x7ff88c3114d4
0x7ff88c3114d6
0x7ff88c3114db
0x7ff88c3114e7
0x7ff88c3114f1
0x7ff88c3114fa
0x7ff88c311503
0x7ff88c31150e
0x7ff88c31151a
0x7ff88c311524
0x7ff88c311529
0x7ff88c31153b

APIs

_getptd.LIBCMT ref: 00007FF88C3114AA

Part of subcall function 00007FF88C307F5C: _amsg_exit.LIBCMT ref: 00007FF88C307F72

Part of subcall function 00007FF88C30796C: Sleep.KERNEL32(?,?,?,00007FF88C307F0B,?,?,?,00007FF88C3076A1,?,?,?,?,00007FF88C305382), ref: 00007FF88C3079B1

_errno.LIBCMT ref: 00007FF88C3114C7
_lock.LIBCMT ref: 00007FF88C3114FA
_lock.LIBCMT ref: 00007FF88C31151A

Memory Dump Source

Source File: 00000000.00000002.323590886.00007FF88C301000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF88C300000, based on PE: true

Associated: 00000000.00000002.323573707.00007FF88C300000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323655700.00007FF88C322000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323798879.00007FF88C367000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323812343.00007FF88C36A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323824687.00007FF88C36C000.00000010.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323839114.00007FF88C36D000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff88c300000_loaddll64.jbxd

Similarity

API ID: _lock$Sleep_amsg_exit_errno_getptd
String ID:
API String ID: 511150081-0
Opcode ID: 174e7759716eb80b6c882189a588989c37476cf2cfdcd891cc3ee00f0d74f4a7
Instruction ID: 5b596d630690da3ac04de0a19b38822b25f28a7770e00927dedfa29ca08fda7e
Opcode Fuzzy Hash: 174e7759716eb80b6c882189a588989c37476cf2cfdcd891cc3ee00f0d74f4a7
Instruction Fuzzy Hash: 1B015E22B0964686F6456BB6D451BBD7261FF87BC0F448031EA4E573DBCE2CE852C711

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF88C311298 Relevance: 6.0, APIs: 4, Instructions: 29
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 94%

			E00007FF87FF88C311298(void* __ecx, void* __edx, void* __eflags, void* __rax, void* __rcx, void* __rdi, void* __rsi) {
				void* __rbx;
				void* _t22;
				intOrPtr _t25;
				void* _t26;
				intOrPtr _t29;
				void* _t32;

				_t22 = __rax;
				E00007FF87FF88C307F5C(__ecx, __eflags, __rax, __rcx, __rsi, _t32);
				if (( *0x8c367df0 &  *(_t22 + 0xc8)) == 0) goto 0x8c3112cc;
				if ( *((long long*)(_t22 + 0xc0)) == 0) goto 0x8c3112cc;
				E00007FF87FF88C307F5C( *(_t22 + 0xc8),  *((long long*)(_t22 + 0xc0)), _t22, __rcx, __rsi, _t32);
				_t25 =  *((intOrPtr*)(_t22 + 0xc0));
				goto 0x8c3112f7;
				E00007FF87FF88C3096D8();
				_t6 = _t25 + 0xc0; // 0xc0
				_t29 =  *0x8c368220; // 0x7ff88c3680c0
				E00007FF87FF88C311240(_t22, _t6, _t29, __rdi, __rsi, _t32);
				_t26 = _t22;
				E00007FF87FF88C3095B8();
				if (_t26 != 0) goto 0x8c311304;
				_t7 = _t26 + 0x20; // 0x20
				return E00007FF87FF88C3072D8(_t7, _t26, _t32);
			}

0x7ff88c311298
0x7ff88c31129e
0x7ff88c3112b2
0x7ff88c3112bc
0x7ff88c3112be
0x7ff88c3112c3
0x7ff88c3112ca
0x7ff88c3112d1
0x7ff88c3112d7
0x7ff88c3112de
0x7ff88c3112e5
0x7ff88c3112ea
0x7ff88c3112f2
0x7ff88c3112fa
0x7ff88c3112fc
0x7ff88c31130c

APIs

_getptd.LIBCMT ref: 00007FF88C31129E

Part of subcall function 00007FF88C307F5C: _amsg_exit.LIBCMT ref: 00007FF88C307F72

_getptd.LIBCMT ref: 00007FF88C3112BE
_lock.LIBCMT ref: 00007FF88C3112D1
_amsg_exit.LIBCMT ref: 00007FF88C3112FF

Memory Dump Source

Source File: 00000000.00000002.323590886.00007FF88C301000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF88C300000, based on PE: true

Associated: 00000000.00000002.323573707.00007FF88C300000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323655700.00007FF88C322000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323798879.00007FF88C367000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323812343.00007FF88C36A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323824687.00007FF88C36C000.00000010.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323839114.00007FF88C36D000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff88c300000_loaddll64.jbxd

Similarity

API ID: _amsg_exit_getptd$_lock
String ID:
API String ID: 3670291111-0
Opcode ID: 61de52a570ce59d3dd549c6722c005d8cba93f103870302328cc2ce3a9da2817
Instruction ID: 074fe7e5b0a021ebfbf3295e66c9aa078caa8cc320b42904877634ed134a3e4c
Opcode Fuzzy Hash: 61de52a570ce59d3dd549c6722c005d8cba93f103870302328cc2ce3a9da2817
Instruction Fuzzy Hash: 32F01D22A0A54786FA556B91C851FF822A0FF5B7C0F080135EA1D873DADF1CA847D311

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF88C320624 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 146
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 67%

			E00007FF87FF88C320624(void* __ecx, void* __edi, void* __eflags, void* __rax, long long __rbx, intOrPtr* __rcx, void* __rdx, long long __rsi, long long __rbp, void* __r8, void* __r9, long long _a8, long long _a16, long long _a24, signed int* _a40, char _a48, signed int _a56, signed int _a64) {
				signed int _v32;
				long long _v40;
				char _v48;
				signed int* _v56;
				intOrPtr _t50;
				void* _t52;
				void* _t72;
				intOrPtr _t73;
				char _t85;
				void* _t102;
				intOrPtr _t104;
				intOrPtr* _t108;
				signed int* _t125;
				void* _t127;
				void* _t130;
				long long* _t145;
				void* _t146;

				_t102 = __rax;
				_t72 = __edi;
				_a8 = __rbx;
				_a16 = __rbp;
				_a24 = __rsi;
				_t130 = __r9;
				_t146 = __r8;
				_t127 = __rdx;
				_t108 = __rcx;
				E00007FF87FF88C307F5C(__ecx, __eflags, __rax, __rcx, __rdx, __r8);
				_t125 = _a40;
				r8d = 0x80000029;
				r9d = 0x80000026;
				r14d = 1;
				if ( *((intOrPtr*)(_t102 + 0x2c0)) != 0) goto 0x8c3206ad;
				if ( *__rcx == 0xe06d7363) goto 0x8c3206ad;
				if ( *__rcx != r8d) goto 0x8c320692;
				if ( *((intOrPtr*)(__rcx + 0x18)) != 0xf) goto 0x8c320692;
				if ( *((long long*)(__rcx + 0x60)) == 0x19930520) goto 0x8c3206ad;
				if ( *__rcx == r9d) goto 0x8c3206ad;
				if (( *_t125 & 0x1fffffff) - 0x19930522 < 0) goto 0x8c3206ad;
				if ((_t125[9] & r14b) != 0) goto 0x8c32082d;
				if (( *(__rcx + 4) & 0x00000066) == 0) goto 0x8c32074b;
				if (_t125[1] == 0) goto 0x8c32082d;
				_t85 = _a48;
				if (_t85 != 0) goto 0x8c32082d;
				if (_t85 == 0) goto 0x8c320714;
				if ( *__rcx != r9d) goto 0x8c320714;
				_t50 = E00007FF87FF88C31EC64(_t102, __rcx, _t125, __r9, __rdx, __r9,  *((intOrPtr*)(__r8 + 0xf8)));
				if (_t50 - 0xffffffff < 0) goto 0x8c3206f9;
				if (_t50 - _t125[1] < 0) goto 0x8c3206fe;
				E00007FF87FF88C312484(_t102);
				r9d = _t50;
				_t52 = E00007FF87FF88C31EF84( *_t125 & 0x1fffffff, _t50 - _t125[1], __rdx, _t130, _t130, _t125);
				goto 0x8c32082d;
				if (_t52 == 0) goto 0x8c320738;
				if ( *_t108 != r8d) goto 0x8c320738;
				_t73 =  *((intOrPtr*)(_t108 + 0x38));
				if (_t73 - 0xffffffff < 0) goto 0x8c32072a;
				if (_t73 - _t125[1] < 0) goto 0x8c32072f;
				E00007FF87FF88C312484(_t102);
				r9d = _t73;
				goto 0x8c320704;
				E00007FF87FF88C31E624(_t72, _t108, _t127, _t130, _t127, _t125);
				goto 0x8c32082d;
				if (_t125[3] != 0) goto 0x8c32077f;
				if (( *_t125 & 0x1fffffff) - 0x19930521 < 0) goto 0x8c32082d;
				if (_t125[8] == 0) goto 0x8c320774;
				E00007FF87FF88C31E4B4(_t102);
				goto 0x8c320776;
				if (_t102 + _t125[8] == 0) goto 0x8c32082d;
				if ( *_t108 != 0xe06d7363) goto 0x8c3207f4;
				if ( *((intOrPtr*)(_t108 + 0x18)) - 3 < 0) goto 0x8c3207f4;
				if ( *((intOrPtr*)(_t108 + 0x20)) - 0x19930522 <= 0) goto 0x8c3207f4;
				_t104 =  *((intOrPtr*)(_t108 + 0x30));
				if ( *((intOrPtr*)(_t104 + 8)) == 0) goto 0x8c3207b2;
				E00007FF87FF88C31E4CC(_t104);
				_t145 =  *((intOrPtr*)( *((intOrPtr*)(_t108 + 0x30)) + 8)) + _t104;
				goto 0x8c3207b5;
				r11d = 0;
				if (_t145 == 0) goto 0x8c3207f4;
				_v32 = _a64 & 0x000000ff;
				_v40 = _a56;
				_v48 = _a48;
				_v56 = _t125;
				 *_t145();
				goto 0x8c320830;
				_v32 = _a56;
				_v40 = _a48;
				_v48 = _a64;
				_v56 = _t125;
				E00007FF87FF88C320130(_t50,  *_t125 & 0x1fffffff, _t72, _t108, _t108, _t127, _t146, _t130);
				return r14d;
			}

0x7ff88c320624
0x7ff88c320624
0x7ff88c320624
0x7ff88c320629
0x7ff88c32062e
0x7ff88c32063c
0x7ff88c32063f
0x7ff88c320642
0x7ff88c320645
0x7ff88c320648
0x7ff88c32064d
0x7ff88c320661
0x7ff88c320667
0x7ff88c32066d
0x7ff88c320673
0x7ff88c32067b
0x7ff88c320680
0x7ff88c320686
0x7ff88c320690
0x7ff88c320695
0x7ff88c3206a1
0x7ff88c3206a7
0x7ff88c3206b2
0x7ff88c3206bc
0x7ff88c3206c2
0x7ff88c3206ca
0x7ff88c3206d3
0x7ff88c3206d8
0x7ff88c3206e8
0x7ff88c3206f2
0x7ff88c3206f7
0x7ff88c3206f9
0x7ff88c3206fe
0x7ff88c32070a
0x7ff88c32070f
0x7ff88c320716
0x7ff88c32071b
0x7ff88c32071d
0x7ff88c320723
0x7ff88c320728
0x7ff88c32072a
0x7ff88c320733
0x7ff88c320736
0x7ff88c320741
0x7ff88c320746
0x7ff88c32074f
0x7ff88c32075a
0x7ff88c320764
0x7ff88c320766
0x7ff88c320772
0x7ff88c320779
0x7ff88c320785
0x7ff88c32078b
0x7ff88c320794
0x7ff88c320796
0x7ff88c32079e
0x7ff88c3207a0
0x7ff88c3207ad
0x7ff88c3207b0
0x7ff88c3207b2
0x7ff88c3207b8
0x7ff88c3207c8
0x7ff88c3207d7
0x7ff88c3207e6
0x7ff88c3207ea
0x7ff88c3207ef
0x7ff88c3207f2
0x7ff88c320802
0x7ff88c320811
0x7ff88c32081f
0x7ff88c320823
0x7ff88c320828
0x7ff88c320848

APIs

_getptd.LIBCMT ref: 00007FF88C320648

Part of subcall function 00007FF88C307F5C: _amsg_exit.LIBCMT ref: 00007FF88C307F72

Strings

csm, xrefs: 00007FF88C320675
csm, xrefs: 00007FF88C32077F

Memory Dump Source

Source File: 00000000.00000002.323590886.00007FF88C301000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF88C300000, based on PE: true

Associated: 00000000.00000002.323573707.00007FF88C300000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323655700.00007FF88C322000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323798879.00007FF88C367000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323812343.00007FF88C36A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323824687.00007FF88C36C000.00000010.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323839114.00007FF88C36D000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff88c300000_loaddll64.jbxd

Similarity

API ID: _amsg_exit_getptd
String ID: csm$csm
API String ID: 4217099735-3733052814
Opcode ID: 2ae13b9a017ee306c96eda2d01e27949c1ec616db7b794437f9e586f3de020f0
Instruction ID: f351de3d6a4461ac171b087470b1af0521adb04a77ff4f653acfd829005162a2
Opcode Fuzzy Hash: 2ae13b9a017ee306c96eda2d01e27949c1ec616db7b794437f9e586f3de020f0
Instruction Fuzzy Hash: BA5195329083828AEF648F25E044B797A90FB46BC6F044136DA9D57B9DCF3CE496CB41

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF88C320FAD Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 58
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00007FF87FF88C320FAD(long long __rcx, void* __rdx) {
				void* __rbp;
				void* _t38;
				intOrPtr _t63;
				void* _t69;
				void* _t71;

				 *((long long*)(__rdx + 0x68)) = __rcx;
				 *((long long*)(__rdx + 0x58)) = __rcx;
				 *((long long*)(__rdx + 0x28)) =  *((intOrPtr*)( *((intOrPtr*)(__rdx + 0x58))));
				 *((intOrPtr*)(__rdx + 0x20)) = 0;
				if ( *((intOrPtr*)( *((intOrPtr*)(__rdx + 0x28)))) != 0xe06d7363) goto 0x8c321029;
				if ( *((intOrPtr*)( *((intOrPtr*)(__rdx + 0x28)) + 0x18)) != 4) goto 0x8c321029;
				if ( *((intOrPtr*)( *((intOrPtr*)(__rdx + 0x28)) + 0x20)) == 0x19930520) goto 0x8c32100d;
				if ( *((intOrPtr*)( *((intOrPtr*)(__rdx + 0x28)) + 0x20)) == 0x19930521) goto 0x8c32100d;
				if ( *((intOrPtr*)( *((intOrPtr*)(__rdx + 0x28)) + 0x20)) != 0x19930522) goto 0x8c321029;
				if ( *((intOrPtr*)( *((intOrPtr*)(__rdx + 0x28)) + 0x28)) !=  *((intOrPtr*)( *((intOrPtr*)(__rdx + 0xc8)) + 0x28))) goto 0x8c321029;
				 *((intOrPtr*)(__rdx + 0x20)) = 1;
				if ( *((intOrPtr*)( *((intOrPtr*)(__rdx + 0x28)))) != 0xe06d7363) goto 0x8c321090;
				if ( *((intOrPtr*)( *((intOrPtr*)(__rdx + 0x28)) + 0x18)) != 4) goto 0x8c321090;
				if ( *((intOrPtr*)( *((intOrPtr*)(__rdx + 0x28)) + 0x20)) == 0x19930520) goto 0x8c321066;
				if ( *((intOrPtr*)( *((intOrPtr*)(__rdx + 0x28)) + 0x20)) == 0x19930521) goto 0x8c321066;
				if ( *((intOrPtr*)( *((intOrPtr*)(__rdx + 0x28)) + 0x20)) != 0x19930522) goto 0x8c321090;
				_t63 =  *((intOrPtr*)(__rdx + 0x28));
				if ( *((long long*)(_t63 + 0x30)) != 0) goto 0x8c321090;
				E00007FF87FF88C307F5C(_t38,  *((long long*)(_t63 + 0x30)), _t63,  *((intOrPtr*)( *((intOrPtr*)(__rdx + 0xc8)) + 0x28)), _t69, _t71);
				 *((intOrPtr*)(_t63 + 0x2c0)) = 1;
				 *((intOrPtr*)(__rdx + 0x20)) = 1;
				 *((intOrPtr*)(__rdx + 0x30)) = 1;
				goto 0x8c321097;
				 *((intOrPtr*)(__rdx + 0x30)) = 0;
				return  *((intOrPtr*)(__rdx + 0x30));
			}

0x7ff88c320fb6
0x7ff88c320fba
0x7ff88c320fc5
0x7ff88c320fc9
0x7ff88c320fda
0x7ff88c320fe4
0x7ff88c320ff1
0x7ff88c320ffe
0x7ff88c32100b
0x7ff88c321020
0x7ff88c321022
0x7ff88c321033
0x7ff88c32103d
0x7ff88c32104a
0x7ff88c321057
0x7ff88c321064
0x7ff88c321066
0x7ff88c32106f
0x7ff88c321071
0x7ff88c321076
0x7ff88c321080
0x7ff88c321087
0x7ff88c32108e
0x7ff88c321090
0x7ff88c32109f

APIs

_getptd.LIBCMT ref: 00007FF88C321071

Strings

csm, xrefs: 00007FF88C32102D
csm, xrefs: 00007FF88C320FD4

Memory Dump Source

Source File: 00000000.00000002.323590886.00007FF88C301000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF88C300000, based on PE: true

Associated: 00000000.00000002.323573707.00007FF88C300000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323655700.00007FF88C322000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323798879.00007FF88C367000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323812343.00007FF88C36A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323824687.00007FF88C36C000.00000010.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323839114.00007FF88C36D000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff88c300000_loaddll64.jbxd

Similarity

API ID: _getptd
String ID: csm$csm
API String ID: 3186804695-3733052814
Opcode ID: abc3af286f30aed5d5a8bed9763bb470f1ed2f399841bf4c9372b2c81c7bde87
Instruction ID: 34e24136aeb6e70a745ab78346c8bfd3f1ac1b67f28c5379da407046066003b8
Opcode Fuzzy Hash: abc3af286f30aed5d5a8bed9763bb470f1ed2f399841bf4c9372b2c81c7bde87
Instruction Fuzzy Hash: 9D314B73504784CADB618F66C0806A87BB4F759BDEF465235EA0D0BB58CB3AD8C1C780

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF88C3210AD Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E00007FF87FF88C3210AD(void* __ecx, void* __eflags, void* __rax, void* __rdx, void* __rsi, void* __r8) {
				void* __rbx;
				void* __rbp;
				void* _t17;
				void* _t28;
				void* _t29;
				intOrPtr* _t30;
				void* _t38;

				_t28 = __rax;
				_t18 = __ecx;
				_t38 = __rdx;
				E00007FF87FF88C31EA84(__ecx, __eflags, __rax, _t29,  *((intOrPtr*)(__rdx + 0x50)), __rsi, __rdx, __r8);
				if ( *((intOrPtr*)(__rdx + 0x20)) != 0) goto 0x8c32110e;
				_t30 =  *((intOrPtr*)(__rdx + 0xc8));
				if ( *_t30 != 0xe06d7363) goto 0x8c32110e;
				if ( *((intOrPtr*)(_t30 + 0x18)) != 4) goto 0x8c32110e;
				if ( *((intOrPtr*)(_t30 + 0x20)) == 0x19930520) goto 0x8c3210f6;
				if ( *((intOrPtr*)(_t30 + 0x20)) == 0x19930521) goto 0x8c3210f6;
				if ( *((intOrPtr*)(_t30 + 0x20)) != 0x19930522) goto 0x8c32110e;
				if (E00007FF87FF88C31EA50( *((intOrPtr*)(_t30 + 0x20)) - 0x19930522, __rax,  *((intOrPtr*)(_t30 + 0x28))) == 0) goto 0x8c32110e;
				E00007FF87FF88C31F1C0(1, _t30);
				E00007FF87FF88C307F5C(__ecx, E00007FF87FF88C31EA50( *((intOrPtr*)(_t30 + 0x20)) - 0x19930522, __rax,  *((intOrPtr*)(_t30 + 0x28))), _t28, _t30, __rsi, __r8);
				 *((long long*)(_t28 + 0xf0)) =  *((intOrPtr*)(_t38 + 0xd0));
				_t17 = E00007FF87FF88C307F5C(_t18, E00007FF87FF88C31EA50( *((intOrPtr*)(_t30 + 0x20)) - 0x19930522, __rax,  *((intOrPtr*)(_t30 + 0x28))), _t28,  *((intOrPtr*)(_t38 + 0xd0)), __rsi, __r8);
				 *((long long*)(_t28 + 0xf8)) =  *((intOrPtr*)(_t38 + 0xd8));
				return _t17;
			}

0x7ff88c3210ad
0x7ff88c3210ad
0x7ff88c3210b4
0x7ff88c3210bb
0x7ff88c3210c4
0x7ff88c3210c6
0x7ff88c3210d3
0x7ff88c3210d9
0x7ff88c3210e2
0x7ff88c3210eb
0x7ff88c3210f4
0x7ff88c321101
0x7ff88c321108
0x7ff88c32110e
0x7ff88c32111a
0x7ff88c321121
0x7ff88c32112d
0x7ff88c32113a

APIs

Part of subcall function 00007FF88C31EA84: _getptd.LIBCMT ref: 00007FF88C31EA91
Part of subcall function 00007FF88C31EA84: _getptd.LIBCMT ref: 00007FF88C31EAA4

_getptd.LIBCMT ref: 00007FF88C32110E
_getptd.LIBCMT ref: 00007FF88C321121

Strings

csm, xrefs: 00007FF88C3210CD

Memory Dump Source

Source File: 00000000.00000002.323590886.00007FF88C301000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF88C300000, based on PE: true

Associated: 00000000.00000002.323573707.00007FF88C300000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323655700.00007FF88C322000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323798879.00007FF88C367000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323812343.00007FF88C36A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323824687.00007FF88C36C000.00000010.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.323839114.00007FF88C36D000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff88c300000_loaddll64.jbxd

Similarity

API ID: _getptd
String ID: csm
API String ID: 3186804695-1018135373
Opcode ID: 06c3fd111063ce84b499b1a638d3de97d14af7166f4864d1cde499098eb39903
Instruction ID: 75563a1d4e9e9d5ea6368e0232a3efe6248abffee4488a6875af3abf79648039
Opcode Fuzzy Hash: 06c3fd111063ce84b499b1a638d3de97d14af7166f4864d1cde499098eb39903
Instruction Fuzzy Hash: EB015222A4524289DF719F62C841AB833A4FB5679BF554136DE0D4A64DCF38E882C341

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: regsvr32.exePID: 5020, Parent PID: 3692COMMON

Execution Graph

Execution Coverage:	11.2%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	55
Total number of Limit Nodes:	2

Executed Functions

Function 00970000 Relevance: 53.5, APIs: 4, Strings: 26, Instructions: 953
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetNativeSystemInfo.KERNELBASE ref: 00970344
VirtualAlloc.KERNELBASE ref: 0097038A
VirtualProtect.KERNELBASE ref: 0097085C
RtlAddFunctionTable.KERNEL32 ref: 009708E9

Strings

RtlA, xrefs: 00970133
Virt, xrefs: 009700AD
ualP, xrefs: 009700CD
GetN, xrefs: 00970107
aryA, xrefs: 009700A5
o, xrefs: 0097012E
eSys, xrefs: 00970117
ativ, xrefs: 0097010F
onTa, xrefs: 00970148
lloc, xrefs: 009700BD
rote, xrefs: 009700D5
Libr, xrefs: 0097009D
Load, xrefs: 00970095
truc, xrefs: 009700F2
hIns, xrefs: 009700EB
ct, xrefs: 009700DD
tion, xrefs: 009700F9
Flus, xrefs: 009700E4
ncti, xrefs: 00970141
Slee, xrefs: 00970084
temI, xrefs: 0097011F
ualA, xrefs: 009700B5
Cach, xrefs: 00970100
nf, xrefs: 00970127
ddFu, xrefs: 0097013A
Virt, xrefs: 009700C5

Memory Dump Source

Source File: 00000003.00000002.320335286.0000000000970000.00000040.00001000.00020000.00000000.sdmp, Offset: 00970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_970000_regsvr32.jbxd

Similarity

API ID: Virtual$AllocFunctionInfoNativeProtectSystemTable
String ID: Cach$Flus$GetN$Libr$Load$RtlA$Slee$Virt$Virt$aryA$ativ$ct$ddFu$eSys$hIns$lloc$ncti$nf$o$onTa$rote$temI$tion$truc$ualA$ualP
API String ID: 998211078-3605381585
Opcode ID: e9a861555d927ec3db92d1fa6852e06d9629cb263f7a81f544b384a165a1d9b2
Instruction ID: 979c7b63c6e068c7fd45d36b7be21a1315e7d518973cbd55f229ed12842a3f58
Opcode Fuzzy Hash: e9a861555d927ec3db92d1fa6852e06d9629cb263f7a81f544b384a165a1d9b2
Instruction Fuzzy Hash: CD520231618B49CBD719DF18D8856BAB7E1FB94304F14862DE88FC7251EB34E942CB86

Uniqueness

Uniqueness Score: -1.00%

Function 000000018001D93C Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 122
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE ref: 000000018001DAF0

Strings

2y, xrefs: 000000018001DA0C

Memory Dump Source

Source File: 00000003.00000002.322205921.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID: CreateProcess
String ID: 2y
API String ID: 963392458-2238746390
Opcode ID: 043d7bb3bb5bc427a1cf4fe11f7da4be06e278070db963a4d042fa6ecd32c9f3
Instruction ID: a5f9c5da41c4416b3c5c2b2d7882b63f96947196cfe32bd66f81c6794674ef04
Opcode Fuzzy Hash: 043d7bb3bb5bc427a1cf4fe11f7da4be06e278070db963a4d042fa6ecd32c9f3
Instruction Fuzzy Hash: 3F512A7051CB858FD7B8DF18D0897AABBE0FB98315F10491EE48DC7251DB749884CB86

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: rundll32.exePID: 5288, Parent PID: 976COMMON

Execution Graph

Execution Coverage:	11.7%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	55
Total number of Limit Nodes:	2

Executed Functions

Function 000001EBD2250000 Relevance: 53.5, APIs: 4, Strings: 26, Instructions: 953
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetNativeSystemInfo.KERNELBASE ref: 000001EBD2250344
VirtualAlloc.KERNELBASE ref: 000001EBD225038A
VirtualProtect.KERNELBASE ref: 000001EBD225085C
RtlAddFunctionTable.KERNEL32 ref: 000001EBD22508E9

Strings

eSys, xrefs: 000001EBD2250117
aryA, xrefs: 000001EBD22500A5
ncti, xrefs: 000001EBD2250141
ativ, xrefs: 000001EBD225010F
o, xrefs: 000001EBD225012E
Load, xrefs: 000001EBD2250095
tion, xrefs: 000001EBD22500F9
nf, xrefs: 000001EBD2250127
rote, xrefs: 000001EBD22500D5
Cach, xrefs: 000001EBD2250100
Slee, xrefs: 000001EBD2250084
ct, xrefs: 000001EBD22500DD
truc, xrefs: 000001EBD22500F2
ddFu, xrefs: 000001EBD225013A
Virt, xrefs: 000001EBD22500AD
ualA, xrefs: 000001EBD22500B5
ualP, xrefs: 000001EBD22500CD
Flus, xrefs: 000001EBD22500E4
RtlA, xrefs: 000001EBD2250133
Virt, xrefs: 000001EBD22500C5
Libr, xrefs: 000001EBD225009D
GetN, xrefs: 000001EBD2250107
temI, xrefs: 000001EBD225011F
lloc, xrefs: 000001EBD22500BD
onTa, xrefs: 000001EBD2250148
hIns, xrefs: 000001EBD22500EB

Memory Dump Source

Source File: 00000004.00000002.319400631.000001EBD2250000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001EBD2250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1ebd2250000_rundll32.jbxd

Similarity

API ID: Virtual$AllocFunctionInfoNativeProtectSystemTable
String ID: Cach$Flus$GetN$Libr$Load$RtlA$Slee$Virt$Virt$aryA$ativ$ct$ddFu$eSys$hIns$lloc$ncti$nf$o$onTa$rote$temI$tion$truc$ualA$ualP
API String ID: 998211078-3605381585
Opcode ID: e9a861555d927ec3db92d1fa6852e06d9629cb263f7a81f544b384a165a1d9b2
Instruction ID: 990bd71619858432a82874c589e8e36da1d33c09e18c29379eefffb43e0ee89c
Opcode Fuzzy Hash: e9a861555d927ec3db92d1fa6852e06d9629cb263f7a81f544b384a165a1d9b2
Instruction Fuzzy Hash: 0462F530618B888BD718DF58DC857BEB7E0FB58714F14862DE88AC7255DB34E942CB86

Uniqueness

Uniqueness Score: -1.00%

Function 000000018001D93C Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 122
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE ref: 000000018001DAF0

Strings

2y, xrefs: 000000018001DA0C

Memory Dump Source

Source File: 00000004.00000002.318945591.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180001000_rundll32.jbxd

Yara matches

Similarity

API ID: CreateProcess
String ID: 2y
API String ID: 963392458-2238746390
Opcode ID: 043d7bb3bb5bc427a1cf4fe11f7da4be06e278070db963a4d042fa6ecd32c9f3
Instruction ID: a5f9c5da41c4416b3c5c2b2d7882b63f96947196cfe32bd66f81c6794674ef04
Opcode Fuzzy Hash: 043d7bb3bb5bc427a1cf4fe11f7da4be06e278070db963a4d042fa6ecd32c9f3
Instruction Fuzzy Hash: 3F512A7051CB858FD7B8DF18D0897AABBE0FB98315F10491EE48DC7251DB749884CB86

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: rundll32.exePID: 5284, Parent PID: 3692COMMON

Execution Graph

Execution Coverage:	11.7%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	55
Total number of Limit Nodes:	2

Executed Functions

Function 000001BBC5840000 Relevance: 53.5, APIs: 4, Strings: 26, Instructions: 953
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetNativeSystemInfo.KERNELBASE ref: 000001BBC5840344
VirtualAlloc.KERNELBASE ref: 000001BBC584038A
VirtualProtect.KERNELBASE ref: 000001BBC584085C
RtlAddFunctionTable.KERNEL32 ref: 000001BBC58408E9

Strings

rote, xrefs: 000001BBC58400D5
Cach, xrefs: 000001BBC5840100
temI, xrefs: 000001BBC584011F
ncti, xrefs: 000001BBC5840141
Flus, xrefs: 000001BBC58400E4
Load, xrefs: 000001BBC5840095
RtlA, xrefs: 000001BBC5840133
Slee, xrefs: 000001BBC5840084
ativ, xrefs: 000001BBC584010F
onTa, xrefs: 000001BBC5840148
nf, xrefs: 000001BBC5840127
lloc, xrefs: 000001BBC58400BD
GetN, xrefs: 000001BBC5840107
truc, xrefs: 000001BBC58400F2
Libr, xrefs: 000001BBC584009D
Virt, xrefs: 000001BBC58400AD
Virt, xrefs: 000001BBC58400C5
o, xrefs: 000001BBC584012E
ddFu, xrefs: 000001BBC584013A
aryA, xrefs: 000001BBC58400A5
hIns, xrefs: 000001BBC58400EB
ualP, xrefs: 000001BBC58400CD
tion, xrefs: 000001BBC58400F9
ualA, xrefs: 000001BBC58400B5
ct, xrefs: 000001BBC58400DD
eSys, xrefs: 000001BBC5840117

Memory Dump Source

Source File: 00000005.00000002.321729425.000001BBC5840000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001BBC5840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1bbc5840000_rundll32.jbxd

Similarity

API ID: Virtual$AllocFunctionInfoNativeProtectSystemTable
String ID: Cach$Flus$GetN$Libr$Load$RtlA$Slee$Virt$Virt$aryA$ativ$ct$ddFu$eSys$hIns$lloc$ncti$nf$o$onTa$rote$temI$tion$truc$ualA$ualP
API String ID: 998211078-3605381585
Opcode ID: e9a861555d927ec3db92d1fa6852e06d9629cb263f7a81f544b384a165a1d9b2
Instruction ID: e6419c7484434768c9cccbd138739d4b27105b180a43cb1efd1ed14af12ce31c
Opcode Fuzzy Hash: e9a861555d927ec3db92d1fa6852e06d9629cb263f7a81f544b384a165a1d9b2
Instruction Fuzzy Hash: B3620430618B48CBD759DF18D8967BABBE0FB54304F14462DE88BCB651DB74E442CB8A

Uniqueness

Uniqueness Score: -1.00%

Function 000000018001D93C Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 122
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE ref: 000000018001DAF0

Strings

2y, xrefs: 000000018001DA0C

Memory Dump Source

Source File: 00000005.00000002.320548872.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180001000_rundll32.jbxd

Yara matches

Similarity

API ID: CreateProcess
String ID: 2y
API String ID: 963392458-2238746390
Opcode ID: 043d7bb3bb5bc427a1cf4fe11f7da4be06e278070db963a4d042fa6ecd32c9f3
Instruction ID: a5f9c5da41c4416b3c5c2b2d7882b63f96947196cfe32bd66f81c6794674ef04
Opcode Fuzzy Hash: 043d7bb3bb5bc427a1cf4fe11f7da4be06e278070db963a4d042fa6ecd32c9f3
Instruction Fuzzy Hash: 3F512A7051CB858FD7B8DF18D0897AABBE0FB98315F10491EE48DC7251DB749884CB86

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: regsvr32.exePID: 5908, Parent PID: 5020COMMON

Execution Graph

Execution Coverage:	20.1%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	51
Total number of Limit Nodes:	3

Executed Functions

Function 000000018001E0D4 Relevance: 6.7, Strings: 5, Instructions: 403
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

zI, xrefs: 000000018001E237
Z, xrefs: 000000018001E60C
IZL, xrefs: 000000018001E32D
X%, xrefs: 000000018001E2A7
@L, xrefs: 000000018001E647

Memory Dump Source

Source File: 00000007.00000002.828364693.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: @L$IZL$X%$Z$zI
API String ID: 0-2146194583
Opcode ID: 8803a61a648fd2d23010938de892311290a201dda5baf31970736f127354a276
Instruction ID: 4add6158c358bea3a512313222934765461296ee6d6738580abd453837acc3cb
Opcode Fuzzy Hash: 8803a61a648fd2d23010938de892311290a201dda5baf31970736f127354a276
Instruction Fuzzy Hash: 2412E2705087C48BE799DFA8C48969EFBE1FB94744F108A1DF486872A0D7F8D949CB42

Uniqueness

Uniqueness Score: -1.00%

Function 00BD0000 Relevance: 53.5, APIs: 4, Strings: 26, Instructions: 953
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetNativeSystemInfo.KERNELBASE ref: 00BD0344
VirtualAlloc.KERNELBASE ref: 00BD038A
VirtualProtect.KERNELBASE ref: 00BD085C
RtlAddFunctionTable.KERNEL32 ref: 00BD08E9

Strings

Slee, xrefs: 00BD0084
ncti, xrefs: 00BD0141
ualA, xrefs: 00BD00B5
rote, xrefs: 00BD00D5
RtlA, xrefs: 00BD0133
o, xrefs: 00BD012E
hIns, xrefs: 00BD00EB
ddFu, xrefs: 00BD013A
Flus, xrefs: 00BD00E4
ualP, xrefs: 00BD00CD
Libr, xrefs: 00BD009D
GetN, xrefs: 00BD0107
truc, xrefs: 00BD00F2
aryA, xrefs: 00BD00A5
lloc, xrefs: 00BD00BD
Cach, xrefs: 00BD0100
onTa, xrefs: 00BD0148
ativ, xrefs: 00BD010F
nf, xrefs: 00BD0127
ct, xrefs: 00BD00DD
Virt, xrefs: 00BD00C5
eSys, xrefs: 00BD0117
temI, xrefs: 00BD011F
tion, xrefs: 00BD00F9
Virt, xrefs: 00BD00AD
Load, xrefs: 00BD0095

Memory Dump Source

Source File: 00000007.00000002.827933340.0000000000BD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_bd0000_regsvr32.jbxd

Similarity

API ID: Virtual$AllocFunctionInfoNativeProtectSystemTable
String ID: Cach$Flus$GetN$Libr$Load$RtlA$Slee$Virt$Virt$aryA$ativ$ct$ddFu$eSys$hIns$lloc$ncti$nf$o$onTa$rote$temI$tion$truc$ualA$ualP
API String ID: 998211078-3605381585
Opcode ID: e9a861555d927ec3db92d1fa6852e06d9629cb263f7a81f544b384a165a1d9b2
Instruction ID: b2625140eb3870161f8a21e4593e17f9cc7daa535688bcae73f0ac68aba6bcc0
Opcode Fuzzy Hash: e9a861555d927ec3db92d1fa6852e06d9629cb263f7a81f544b384a165a1d9b2
Instruction Fuzzy Hash: 1E52E530628B498BC719EF18D8857B9F7E1FB54304F14466EE88AC7351EB34E946CB86

Uniqueness

Uniqueness Score: -1.00%

Function 000000018001B2C8 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 125
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegCreateKeyExW.KERNELBASE ref: 000000018001B4AA

Strings

,s, xrefs: 000000018001B404

Memory Dump Source

Source File: 00000007.00000002.828364693.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID: Create
String ID: ,s
API String ID: 2289755597-2984532439
Opcode ID: 3b4caa2fe7ca2ea1c2874e4f2cbc73bd9f56a6bfc2f501be4396ef37ab9ab295
Instruction ID: 43270bf4dd8581051b2b4a310a74bf0f83b2524e8811a94fc43aa08003324a9a
Opcode Fuzzy Hash: 3b4caa2fe7ca2ea1c2874e4f2cbc73bd9f56a6bfc2f501be4396ef37ab9ab295
Instruction Fuzzy Hash: 005107B051C7848BD7B8CF18D08579ABBE5FB98314F10891EE8CD87291DB749989CB87

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800013C4 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 100
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVolumeInformationW.KERNELBASE ref: 0000000180001542

Strings

L, xrefs: 0000000180001452

Memory Dump Source

Source File: 00000007.00000002.828364693.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID: InformationVolume
String ID: L
API String ID: 2039140958-2226508354
Opcode ID: 6abb3e58112a1fd9d5f0b0aeef1fe02fe816892609f00500427ea04b28a5b157
Instruction ID: ce3e36543b2d169caf896082366697c2db3951efa8e1d5fdb17d3eb2514a6597
Opcode Fuzzy Hash: 6abb3e58112a1fd9d5f0b0aeef1fe02fe816892609f00500427ea04b28a5b157
Instruction Fuzzy Hash: D941507051CB858FE7B8DF18D489B9AB7E0FB88315F104A5DE88DC7285DB789488CB46

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: regsvr32.exePID: 5132, Parent PID: 3528COMMON

Execution Graph

Execution Coverage:	11.3%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	51
Total number of Limit Nodes:	2

Executed Functions

Function 00D50000 Relevance: 53.5, APIs: 4, Strings: 26, Instructions: 953
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetNativeSystemInfo.KERNELBASE ref: 00D50344
VirtualAlloc.KERNELBASE ref: 00D5038A
VirtualProtect.KERNELBASE ref: 00D5085C
RtlAddFunctionTable.KERNEL32 ref: 00D508E9

Strings

nf, xrefs: 00D50127
eSys, xrefs: 00D50117
RtlA, xrefs: 00D50133
Slee, xrefs: 00D50084
Libr, xrefs: 00D5009D
Virt, xrefs: 00D500AD
rote, xrefs: 00D500D5
ct, xrefs: 00D500DD
Load, xrefs: 00D50095
ativ, xrefs: 00D5010F
Cach, xrefs: 00D50100
GetN, xrefs: 00D50107
hIns, xrefs: 00D500EB
ualA, xrefs: 00D500B5
Flus, xrefs: 00D500E4
lloc, xrefs: 00D500BD
Virt, xrefs: 00D500C5
onTa, xrefs: 00D50148
o, xrefs: 00D5012E
tion, xrefs: 00D500F9
temI, xrefs: 00D5011F
aryA, xrefs: 00D500A5
truc, xrefs: 00D500F2
ncti, xrefs: 00D50141
ddFu, xrefs: 00D5013A
ualP, xrefs: 00D500CD

Memory Dump Source

Source File: 0000000C.00000002.496115764.0000000000D50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d50000_regsvr32.jbxd

Similarity

API ID: Virtual$AllocFunctionInfoNativeProtectSystemTable
String ID: Cach$Flus$GetN$Libr$Load$RtlA$Slee$Virt$Virt$aryA$ativ$ct$ddFu$eSys$hIns$lloc$ncti$nf$o$onTa$rote$temI$tion$truc$ualA$ualP
API String ID: 998211078-3605381585
Opcode ID: e9a861555d927ec3db92d1fa6852e06d9629cb263f7a81f544b384a165a1d9b2
Instruction ID: cb82ede3b02250a10345a643f08ea7e8b618664826a0061de1900e58ebd520c0
Opcode Fuzzy Hash: e9a861555d927ec3db92d1fa6852e06d9629cb263f7a81f544b384a165a1d9b2
Instruction Fuzzy Hash: 8A52F530618B488BDB19DF18D8856BABBE1FB54306F14462DECCBC7251DB34E54ACB86

Uniqueness

Uniqueness Score: -1.00%

Function 000000018001D93C Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 122
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE ref: 000000018001DAF0

Strings

2y, xrefs: 000000018001DA0C

Memory Dump Source

Source File: 0000000C.00000002.496539435.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID: CreateProcess
String ID: 2y
API String ID: 963392458-2238746390
Opcode ID: 043d7bb3bb5bc427a1cf4fe11f7da4be06e278070db963a4d042fa6ecd32c9f3
Instruction ID: a5f9c5da41c4416b3c5c2b2d7882b63f96947196cfe32bd66f81c6794674ef04
Opcode Fuzzy Hash: 043d7bb3bb5bc427a1cf4fe11f7da4be06e278070db963a4d042fa6ecd32c9f3
Instruction Fuzzy Hash: 3F512A7051CB858FD7B8DF18D0897AABBE0FB98315F10491EE48DC7251DB749884CB86

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Regsvr32.exe to proxy execution of malicious code. Regsvr32.exe is a command-line program used to register and unregister object linking and embedding controls, including dynamic link libraries (DLLs), on Windows systems. Regsvr32.exe is also a Microsoft signed binary.
Tactics:	Defense Evasion
Data Sources:	Loaded DLLs, Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.
Tactics:	Defense Evasion
Data Sources:	DLL monitoring, Loaded DLLs, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report yoyrJ.dll

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Emotet

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Windows\System32\wbem\Performance\WmiApRpl_new.h

C:\Windows\system32\wbem\Performance\WmiApRpl.h (copy)

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Exports

Possible Origin

Network Behavior

Windows Analysis Report
yoyrJ.dll

Function 00000141AEED0000 Relevance: 53.5, APIs: 4, Strings: 26, Instructions: 953
memoryCOMMON

Function 0000000180001864 Relevance: 7.9, Strings: 6, Instructions: 418
COMMON

Function 0000000180019F38 Relevance: 6.5, Strings: 5, Instructions: 203
COMMON

Function 0000000180012108 Relevance: 6.4, Strings: 5, Instructions: 167
COMMON

Function 0000000180027AE4 Relevance: 5.1, Strings: 4, Instructions: 132
COMMON

Function 00007FF88C3075D0 Relevance: 4.5, APIs: 3, Instructions: 20
memoryCOMMON

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre