Edit tour

Windows Analysis Report
1q3HnZAcnJ.exe

Overview

General Information

Sample Name:	1q3HnZAcnJ.exe
Original Sample Name:	b7b3f1dc9bf4c289cca45e7435b0517a.exe
Analysis ID:	1270695
MD5:	b7b3f1dc9bf4c289cca45e7435b0517a
SHA1:	571afaba3fa57301d764f6f1d0b1a55144b1bc3f
SHA256:	b5936bb67edde581cbd73771f51c5b7a5304eee82103c02ed6a748d2128f94d1
Tags:	exe
Infos:

Detection

Score:	56
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Checks if the current machine is a virtual machine (disk enumeration)

One or more processes crash

Tries to load missing DLLs

Uses code obfuscation techniques (call, push, ret)

Checks if the current process is being debugged

PE file contains sections with non-standard names

Contains capabilities to detect virtual machines

Detected potential crypto function

Contains functionality to query CPU information (cpuid)

PE file contains more sections than normal

Contains functionality for execution timing, often used to detect debuggers

Classification

Process Tree

System is w10x64

1q3HnZAcnJ.exe (PID: 7084 cmdline: C:\Users\user\Desktop\1q3HnZAcnJ.exe MD5: B7B3F1DC9BF4C289CCA45E7435B0517A)

WerFault.exe (PID: 4784 cmdline: C:\Windows\system32\WerFault.exe -u -p 7084 -s 1012 MD5: 2AFFE478D86272288BBEF5A00BBEF6A0)

cleanup

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: 1q3HnZAcnJ.exe	ReversingLabs: Detection: 28%
Source: 1q3HnZAcnJ.exe	Virustotal: Detection: 35%			Perma Link

Source: 1q3HnZAcnJ.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49706

Source: 1q3HnZAcnJ.exe, 00000000.00000002.556489568.00000191EB52B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://qwedsazxc-1259409518.cos.ap-beijing.myqcloud.com/
Source: 1q3HnZAcnJ.exe, 00000000.00000003.551724074.00000191EB56B000.00000004.00000020.00020000.00000000.sdmp, 1q3HnZAcnJ.exe, 00000000.00000002.556583717.00000191EB597000.00000004.00000020.00020000.00000000.sdmp, 1q3HnZAcnJ.exe, 00000000.00000002.556489568.00000191EB52B000.00000004.00000020.00020000.00000000.sdmp, 1q3HnZAcnJ.exe, 00000000.00000003.551724074.00000191EB597000.00000004.00000020.00020000.00000000.sdmp, 1q3HnZAcnJ.exe, 00000000.00000002.556583717.00000191EB56B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://qwedsazxc-1259409518.cos.ap-beijing.myqcloud.com/b.txt
Source: 1q3HnZAcnJ.exe, 00000000.00000003.551724074.00000191EB56B000.00000004.00000020.00020000.00000000.sdmp, 1q3HnZAcnJ.exe, 00000000.00000002.556583717.00000191EB56B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://qwedsazxc-1259409518.cos.ap-beijing.myqcloud.com/b.txt&$
Source: 1q3HnZAcnJ.exe, 00000000.00000002.556489568.00000191EB52B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://qwedsazxc-1259409518.cos.ap-beijing.myqcloud.com/b.txt771N
Source: 1q3HnZAcnJ.exe, 00000000.00000002.556489568.00000191EB52B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://qwedsazxc-1259409518.cos.ap-beijing.myqcloud.com/b.txt;
Source: 1q3HnZAcnJ.exe, 00000000.00000002.556489568.00000191EB52B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://qwedsazxc-1259409518.cos.ap-beijing.myqcloud.com/b.txtDLLOm
Source: 1q3HnZAcnJ.exe, 00000000.00000002.556583717.00000191EB597000.00000004.00000020.00020000.00000000.sdmp, 1q3HnZAcnJ.exe, 00000000.00000003.551724074.00000191EB597000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://qwedsazxc-1259409518.cos.ap-beijing.myqcloud.com/b.txtF

Source: unknown

DNS traffic detected: queries for: qwedsazxc-1259409518.cos.ap-beijing.myqcloud.com

Source: C:\Users\user\Desktop\1q3HnZAcnJ.exe

Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7084 -s 1012

Source: C:\Users\user\Desktop\1q3HnZAcnJ.exe	Section loaded: mscvrt.dll	Jump to behavior
Source: C:\Users\user\Desktop\1q3HnZAcnJ.exe	Section loaded: mscvrt.dll	Jump to behavior
Source: C:\Users\user\Desktop\1q3HnZAcnJ.exe	Section loaded: mscvrt.dll	Jump to behavior
Source: C:\Users\user\Desktop\1q3HnZAcnJ.exe	Section loaded: mscvrt.dll	Jump to behavior

Source: C:\Users\user\Desktop\1q3HnZAcnJ.exe	Code function: 0_2_00007FF63B24FCE0	0_2_00007FF63B24FCE0
Source: C:\Users\user\Desktop\1q3HnZAcnJ.exe	Code function: 0_2_00007FF63B25CB90	0_2_00007FF63B25CB90
Source: C:\Users\user\Desktop\1q3HnZAcnJ.exe	Code function: 0_2_00007FF63B25BA78	0_2_00007FF63B25BA78
Source: C:\Users\user\Desktop\1q3HnZAcnJ.exe	Code function: 0_2_00007FF63B250B2C	0_2_00007FF63B250B2C
Source: C:\Users\user\Desktop\1q3HnZAcnJ.exe	Code function: 0_2_00007FF63B25414C	0_2_00007FF63B25414C
Source: C:\Users\user\Desktop\1q3HnZAcnJ.exe	Code function: 0_2_00007FF63B241180	0_2_00007FF63B241180
Source: C:\Users\user\Desktop\1q3HnZAcnJ.exe	Code function: 0_2_00007FF63B25C984	0_2_00007FF63B25C984
Source: C:\Users\user\Desktop\1q3HnZAcnJ.exe	Code function: 0_2_00007FF63B258218	0_2_00007FF63B258218
Source: C:\Users\user\Desktop\1q3HnZAcnJ.exe	Code function: 0_2_00007FF63B25020C	0_2_00007FF63B25020C
Source: C:\Users\user\Desktop\1q3HnZAcnJ.exe	Code function: 0_2_00007FF63B25E87C	0_2_00007FF63B25E87C
Source: C:\Users\user\Desktop\1q3HnZAcnJ.exe	Code function: 0_2_00007FF63B241910	0_2_00007FF63B241910
Source: C:\Users\user\Desktop\1q3HnZAcnJ.exe	Code function: 0_2_00007FF63B243760	0_2_00007FF63B243760
Source: C:\Users\user\Desktop\1q3HnZAcnJ.exe	Code function: 0_2_00007FF63B25AFDC	0_2_00007FF63B25AFDC
Source: C:\Users\user\Desktop\1q3HnZAcnJ.exe	Code function: 0_2_00007FF63B254ECC	0_2_00007FF63B254ECC
Source: C:\Users\user\Desktop\1q3HnZAcnJ.exe	Code function: 0_2_00007FF63B245550	0_2_00007FF63B245550
Source: C:\Users\user\Desktop\1q3HnZAcnJ.exe	Code function: 0_2_00007FF63B2415B0	0_2_00007FF63B2415B0
Source: C:\Users\user\Desktop\1q3HnZAcnJ.exe	Code function: 0_2_00007FF63B25FDD0	0_2_00007FF63B25FDD0
Source: C:\Users\user\Desktop\1q3HnZAcnJ.exe	Code function: 0_2_00000191EB4B3AD8	0_2_00000191EB4B3AD8
Source: C:\Users\user\Desktop\1q3HnZAcnJ.exe	Code function: 0_2_00000191EB4BD9AC	0_2_00000191EB4BD9AC
Source: C:\Users\user\Desktop\1q3HnZAcnJ.exe	Code function: 0_2_00000191EB4BFBD8	0_2_00000191EB4BFBD8
Source: C:\Users\user\Desktop\1q3HnZAcnJ.exe	Code function: 0_2_00000191ECDFDD68	0_2_00000191ECDFDD68
Source: C:\Users\user\Desktop\1q3HnZAcnJ.exe	Code function: 0_2_00000191ECDF751C	0_2_00000191ECDF751C

Source: 1q3HnZAcnJ.exe

Static PE information: Number of sections : 12 > 10

Source: 1q3HnZAcnJ.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 1q3HnZAcnJ.exe

Static PE information: Entrypont disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5

Source: 1q3HnZAcnJ.exe	ReversingLabs: Detection: 28%
Source: 1q3HnZAcnJ.exe	Virustotal: Detection: 35%

Source: 1q3HnZAcnJ.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 1q3HnZAcnJ.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 1q3HnZAcnJ.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\1q3HnZAcnJ.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\1q3HnZAcnJ.exe C:\Users\user\Desktop\1q3HnZAcnJ.exe
Source: C:\Users\user\Desktop\1q3HnZAcnJ.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7084 -s 1012

Source: C:\Users\user\Desktop\1q3HnZAcnJ.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: C:\Windows\System32\WerFault.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4784:120:WilError_01

Source: classification engine

Classification label: mal56.evad.winEXE@2/0@1/1

Source: C:\Users\user\Desktop\1q3HnZAcnJ.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Users\user\Desktop\1q3HnZAcnJ.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: 1q3HnZAcnJ.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: 1q3HnZAcnJ.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: 1q3HnZAcnJ.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source: C:\Users\user\Desktop\1q3HnZAcnJ.exe	Code function: 0_2_00000191EB4C417D push esi; ret	0_2_00000191EB4C4186
Source: C:\Users\user\Desktop\1q3HnZAcnJ.exe	Code function: 0_2_00000191ECDF1101 push edi; retn 2F7Dh	0_2_00000191ECDF11A7
Source: C:\Users\user\Desktop\1q3HnZAcnJ.exe	Code function: 0_2_00000191ECE053BE push ecx; retf 003Fh	0_2_00000191ECE0541E
Source: C:\Users\user\Desktop\1q3HnZAcnJ.exe	Code function: 0_2_00000191ECDFF1C3 push ecx; ret	0_2_00000191ECDFF1CA

Source: 1q3HnZAcnJ.exe	Static PE information: section name: _RDATA
Source: 1q3HnZAcnJ.exe	Static PE information: section name: .vdata

Source: initial sample

Static PE information: section name: .text entropy: 7.791970244454378

Source: C:\Windows\System32\WerFault.exe

Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX

Jump to behavior

Malware Analysis System Evasion

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Source: C:\Users\user\Desktop\1q3HnZAcnJ.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\Desktop\1q3HnZAcnJ.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\Desktop\1q3HnZAcnJ.exe	File opened: HKEY_LOCAL_MACHINE\SOFTWARE\Wine	Jump to behavior

Checks if the current machine is a virtual machine (disk enumeration)

Source: C:\Users\user\Desktop\1q3HnZAcnJ.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\1q3HnZAcnJ.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\1q3HnZAcnJ.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior

Source: C:\Users\user\Desktop\1q3HnZAcnJ.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0 name: Identifier	Jump to behavior
Source: C:\Users\user\Desktop\1q3HnZAcnJ.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosDate	Jump to behavior
Source: C:\Users\user\Desktop\1q3HnZAcnJ.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion	Jump to behavior
Source: C:\Users\user\Desktop\1q3HnZAcnJ.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum name: 0	Jump to behavior
Source: C:\Users\user\Desktop\1q3HnZAcnJ.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion	Jump to behavior

Source: C:\Users\user\Desktop\1q3HnZAcnJ.exe

Code function: 0_2_00007FF63B2D2398 rdtsc

0_2_00007FF63B2D2398

Source: 1q3HnZAcnJ.exe, 1q3HnZAcnJ.exe, 00000000.00000003.478999135.00000191EB620000.00000040.00001000.00020000.00000000.sdmp, 1q3HnZAcnJ.exe, 00000000.00000002.556890864.00007FF63B284000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: 1q3HnZAcnJ.exe, 00000000.00000002.556890864.00007FF63B284000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: VMware
Source: 1q3HnZAcnJ.exe, 00000000.00000003.478734866.00000191EB715000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: SFvioscsiviosVirtIO-FS ioSeriBALLOONBalloonnetkvmMicrosoft Machine\\ParameterVMware, Inc. ToolWine\CurrentDisk\Enum
Source: 1q3HnZAcnJ.exe, 00000000.00000003.478734866.00000191EB715000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: ARDWARE\DEVICEMAP\Scsi Port 0Bus 0\Target Id 0\Logical UniVMWARE12%dSYSTEM\CSet001\InformationManufacturxenProductVBOionBiosVersVideoVIRTUALDate06/23/99QEMU32\drivers\vmmouse.syshgfsmemctlrawdskusbACPI\DSDT\VBOX_FARSSOFTOracle\VirtualBox Guest AdditionServices\VBoxMouseSFvioscsiviosVirtIO-FS ioSeriBALLOONBalloonnetkvmMicrosoft Machine\\ParameterVMware, Inc. ToolWine\CurrentDisk\EnumqemvirtiovmwarevboxCouEnum\IDSCSIKVMTCGenVMMprl hyperlrpepyh vVBoxbhyve ACRNQNXQVMBSQGkernelFirTablesGet
Source: 1q3HnZAcnJ.exe, 00000000.00000002.556583717.00000191EB5B1000.00000004.00000020.00020000.00000000.sdmp, 1q3HnZAcnJ.exe, 00000000.00000003.551724074.00000191EB5B1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW8
Source: 1q3HnZAcnJ.exe, 00000000.00000003.551724074.00000191EB56B000.00000004.00000020.00020000.00000000.sdmp, 1q3HnZAcnJ.exe, 00000000.00000002.556583717.00000191EB56B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWP][
Source: 1q3HnZAcnJ.exe, 00000000.00000002.556583717.00000191EB5B1000.00000004.00000020.00020000.00000000.sdmp, 1q3HnZAcnJ.exe, 00000000.00000003.551724074.00000191EB5B1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: 1q3HnZAcnJ.exe, 00000000.00000002.556890864.00007FF63B284000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: VMWARE
Source: 1q3HnZAcnJ.exe, 1q3HnZAcnJ.exe, 00000000.00000003.478999135.00000191EB620000.00000040.00001000.00020000.00000000.sdmp, 1q3HnZAcnJ.exe, 00000000.00000002.556890864.00007FF63B284000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: HARDWARE\ACPI\RSDT\VBOX__
Source: 1q3HnZAcnJ.exe, 00000000.00000002.556890864.00007FF63B284000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: SYSTEM\ControlSet001\Services\VBoxSF
Source: 1q3HnZAcnJ.exe, 00000000.00000002.556890864.00007FF63B284000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: System32\drivers\vmmouse.sys
Source: 1q3HnZAcnJ.exe, 00000000.00000002.556890864.00007FF63B284000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: vmware
Source: 1q3HnZAcnJ.exe, 00000000.00000002.556890864.00007FF63B284000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: 1q3HnZAcnJ.exe, 00000000.00000002.556890864.00007FF63B284000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: SYSTEM\ControlSet001\Services\VBoxService
Source: 1q3HnZAcnJ.exe, 00000000.00000002.556890864.00007FF63B284000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: SYSTEM\ControlSet001\Services\VBoxGuest
Source: 1q3HnZAcnJ.exe, 00000000.00000002.556890864.00007FF63B284000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: SYSTEM\ControlSet001\Services\VBoxMouse
Source: 1q3HnZAcnJ.exe, 00000000.00000002.556890864.00007FF63B284000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: VMwareVMware
Source: 1q3HnZAcnJ.exe, 00000000.00000002.556890864.00007FF63B284000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0IdentifierVMWAREVMWAREHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0IdentifierHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0IdentifierVMWARE%dSYSTEM\ControlSet001\Control\SystemInformationSystemManufacturerVMWARExenSYSTEM\ControlSet001\Control\SystemInformationSystemProductNameVMWAREVBOXHARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0IdentifierHARDWARE\Description\SystemSystemBiosVersionVBOXHARDWARE\Description\SystemVideoBiosVersionVIRTUALBOXHARDWARE\Description\SystemSystemBiosDate06/23/99IdentifierQEMUHARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0HARDWARE\Description\SystemSystemBiosVersionQEMUSystem32\drivers\vmmouse.sysSystem32\drivers\vmhgfs.sysSystem32\drivers\vmmemctl.sysSystem32\drivers\vmrawdsk.sysSystem32\drivers\vmusbmouse.sysHARDWARE\ACPI\DSDT\VBOX__HARDWARE\ACPI\FADT\VBOX__HARDWARE\ACPI\RSDT\VBOX__SOFTWARE\Oracle\VirtualBox Guest AdditionsSYSTEM\ControlSet001\Services\VBoxGuestSYSTEM\ControlSet001\Services\VBoxMouseSYSTEM\ControlSet001\Services\VBoxServiceSYSTEM\ControlSet001\Services\VBoxSFSYSTEM\ControlSet001\Services\VBoxVideoSYSTEM\ControlSet001\Services\vioscsiSYSTEM\ControlSet001\Services\viostorSYSTEM\ControlSet001\Services\VirtIO-FS ServiceSYSTEM\ControlSet001\Services\VirtioSerialSYSTEM\ControlSet001\Services\BALLOONSYSTEM\ControlSet001\Services\BalloonServiceSYSTEM\ControlSet001\Services\netkvmSOFTWARE\Microsoft\Virtual Machine\Guest\ParametersSOFTWARE\VMware, Inc.\VMware ToolsSOFTWARE\WineSystem\CurrentControlSet\Services\Disk\EnumqemuvirtiovmwarevboxCountSystem\CurrentControlSet\Enum\IDESystem\CurrentControlSet\Enum\SCSIqemuvirtiovboxKVMKVMKVMTCGTCGTCGTCGVMwareVMwareXenVMMXenVMMprl hypervlrpepyh vrVBoxVBoxVBoxbhyve bhyveACRNACRNACRNQNXQVMBSQGVMwareVirtualBoxvboxVBOXVMWAREVirtualBoxvboxVBOXkernel32.dllEnumSystemFirmwareTablesGetSystemFirmwareTable
Source: 1q3HnZAcnJ.exe, 00000000.00000003.478734866.00000191EB715000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: 06/23/99QEMU32\drivers\vmmouse.syshgfsmemctlrawdskusbACPI\DSDT\VBOX_FARSSOFTOracle\VirtualBox Guest AdditionServices\VBoxMouse
Source: 1q3HnZAcnJ.exe, 00000000.00000003.478734866.00000191EB715000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: VMWARE12%d
Source: 1q3HnZAcnJ.exe, 00000000.00000003.478999135.00000191EB620000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: g_optsHARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0IdentifierVMWAREVMWAREHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0IdentifierHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0IdentifierVMWARE%dSYSTEM\ControlSet001\Control\SystemInformationSystemManufacturerVMWARExenSYSTEM\ControlSet001\Control\SystemInformationSystemProductNameVMWAREVBOXHARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0IdentifierHARDWARE\Description\SystemSystemBiosVersionVBOXHARDWARE\Description\SystemVideoBiosVersionVIRTUALBOXHARDWARE\Description\SystemSystemBiosDate06/23/99IdentifierQEMUHARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0HARDWARE\Description\SystemSystemBiosVersionQEMUSystem32\drivers\vmmouse.sysSystem32\drivers\vmhgfs.sysSystem32\drivers\vmmemctl.sysSystem32\drivers\vmrawdsk.sysSystem32\drivers\vmusbmouse.sysHARDWARE\ACPI\DSDT\VBOX__HARDWARE\ACPI\FADT\VBOX__HARDWARE\ACPI\RSDT\VBOX__SOFTWARE\Oracle\VirtualBox Guest AdditionsSYSTEM\ControlSet001\Services\VBoxGuestSYSTEM\ControlSet001\Services\VBoxMouseSYSTEM\ControlSet001\Services\VBoxServiceSYSTEM\ControlSet001\Services\VBoxSFSYSTEM\ControlSet001\Services\VBoxVideoSYSTEM\ControlSet001\Services\vioscsiSYSTEM\ControlSet001\Services\viostorSYSTEM\ControlSet001\Services\VirtIO-FS ServiceSYSTEM\ControlSet001\Services\VirtioSerialSYSTEM\ControlSet001\Services\BALLOONSYSTEM\ControlSet001\Services\BalloonServiceSYSTEM\ControlSet001\Services\netkvmSOFTWARE\Microsoft\Virtual Machine\Guest\ParametersSOFTWARE\VMware, Inc.\VMware ToolsSOFTWARE\WineSystem\CurrentControlSet\Services\Disk\EnumqemuvirtiovmwarevboxCountSystem\CurrentControlSet\Enum\IDESystem\CurrentControlSet\Enum\SCSIqemuvirtiovboxKVMKVMKVMTCGTCGTCGTCGVMwareVMwareXenVMMXenVMMprl hypervlrpepyh vrVBoxVBoxVBoxbhyve bhyveACRNACRNACRNQNXQVMBSQGVMwareVirtualBoxvboxVBOXVMWAREVirtualBoxvboxVBOXkernel32.dllEnumSystemFirmwareTablesGetSystemFirmwareTable
Source: 1q3HnZAcnJ.exe, 1q3HnZAcnJ.exe, 00000000.00000003.478999135.00000191EB620000.00000040.00001000.00020000.00000000.sdmp, 1q3HnZAcnJ.exe, 00000000.00000002.556890864.00007FF63B284000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: HARDWARE\ACPI\FADT\VBOX__
Source: 1q3HnZAcnJ.exe, 00000000.00000002.556890864.00007FF63B284000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: System32\drivers\vmhgfs.sys
Source: 1q3HnZAcnJ.exe, 00000000.00000002.556890864.00007FF63B284000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: System32\drivers\vmmemctl.sys

Source: C:\Users\user\Desktop\1q3HnZAcnJ.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\Desktop\1q3HnZAcnJ.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\1q3HnZAcnJ.exe

Code function: 0_2_00007FF63B2D2398 rdtsc

0_2_00007FF63B2D2398

Source: C:\Users\user\Desktop\1q3HnZAcnJ.exe

Code function: 0_2_00007FF63B24866C SetUnhandledExceptionFilter,_invalid_parameter_noinfo,

0_2_00007FF63B24866C

Source: C:\Users\user\Desktop\1q3HnZAcnJ.exe

Code function: 0_2_00007FF63B25C130 cpuid

0_2_00007FF63B25C130

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	1 Process Injection	2 Virtualization/Sandbox Evasion	OS Credential Dumping	231 Security Software Discovery	Remote Services	1 Archive Collected Data	Exfiltration Over Other Network Medium	12 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	2 Software Packing	LSASS Memory	2 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	1 Non-Application Layer Protocol	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	1 Process Injection	Security Account Manager	11 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	2 Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	1 DLL Side-Loading	NTDS	1 Remote System Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	3 Obfuscated Files or Information	LSA Secrets	Remote System Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
1q3HnZAcnJ.exe	29%	ReversingLabs	Win64.Trojan.Barys
1q3HnZAcnJ.exe	35%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
bj.file.myqcloud.com	82.156.94.45	true	false		high
qwedsazxc-1259409518.cos.ap-beijing.myqcloud.com	unknown	unknown	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://qwedsazxc-1259409518.cos.ap-beijing.myqcloud.com/b.txt&$	1q3HnZAcnJ.exe, 00000000.00000003.551724074.00000191EB56B000.00000004.00000020.00020000.00000000.sdmp, 1q3HnZAcnJ.exe, 00000000.00000002.556583717.00000191EB56B000.00000004.00000020.00020000.00000000.sdmp	false	high
https://qwedsazxc-1259409518.cos.ap-beijing.myqcloud.com/b.txtDLLOm	1q3HnZAcnJ.exe, 00000000.00000002.556489568.00000191EB52B000.00000004.00000020.00020000.00000000.sdmp	false	high
https://qwedsazxc-1259409518.cos.ap-beijing.myqcloud.com/b.txtF	1q3HnZAcnJ.exe, 00000000.00000002.556583717.00000191EB597000.00000004.00000020.00020000.00000000.sdmp, 1q3HnZAcnJ.exe, 00000000.00000003.551724074.00000191EB597000.00000004.00000020.00020000.00000000.sdmp	false	high
https://qwedsazxc-1259409518.cos.ap-beijing.myqcloud.com/b.txt	1q3HnZAcnJ.exe, 00000000.00000003.551724074.00000191EB56B000.00000004.00000020.00020000.00000000.sdmp, 1q3HnZAcnJ.exe, 00000000.00000002.556583717.00000191EB597000.00000004.00000020.00020000.00000000.sdmp, 1q3HnZAcnJ.exe, 00000000.00000002.556489568.00000191EB52B000.00000004.00000020.00020000.00000000.sdmp, 1q3HnZAcnJ.exe, 00000000.00000003.551724074.00000191EB597000.00000004.00000020.00020000.00000000.sdmp, 1q3HnZAcnJ.exe, 00000000.00000002.556583717.00000191EB56B000.00000004.00000020.00020000.00000000.sdmp	false	high
https://qwedsazxc-1259409518.cos.ap-beijing.myqcloud.com/	1q3HnZAcnJ.exe, 00000000.00000002.556489568.00000191EB52B000.00000004.00000020.00020000.00000000.sdmp	false	high
https://qwedsazxc-1259409518.cos.ap-beijing.myqcloud.com/b.txt771N	1q3HnZAcnJ.exe, 00000000.00000002.556489568.00000191EB52B000.00000004.00000020.00020000.00000000.sdmp	false	high
https://qwedsazxc-1259409518.cos.ap-beijing.myqcloud.com/b.txt;	1q3HnZAcnJ.exe, 00000000.00000002.556489568.00000191EB52B000.00000004.00000020.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
82.156.94.45	bj.file.myqcloud.com	China		12513	ECLIPSEGB	false

General Information

Joe Sandbox Version:	38.0.0 Beryl
Analysis ID:	1270695
Start date and time:	2023-07-11 11:08:17 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 7m 26s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	5
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample file name:	1q3HnZAcnJ.exe
Original Sample Name:	b7b3f1dc9bf4c289cca45e7435b0517a.exe
Detection:	MAL
Classification:	mal56.evad.winEXE@2/0@1/1
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 41.3% (good quality ratio 34.9%) Quality average: 59.5% Quality standard deviation: 34.4%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): WerFault.exe, WMIADAP.exe, svchost.exe
Report size getting too big, too many NtQueryValueKey calls found.

Static File Info

General

File type:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit):	7.782405363026744
TrID:	Win64 Executable GUI (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	1q3HnZAcnJ.exe
File size:	759'296 bytes
MD5:	b7b3f1dc9bf4c289cca45e7435b0517a
SHA1:	571afaba3fa57301d764f6f1d0b1a55144b1bc3f
SHA256:	b5936bb67edde581cbd73771f51c5b7a5304eee82103c02ed6a748d2128f94d1
SHA512:	3418c433d51fede80ac1060267fa71b180a90348ec5cc3a4ca4e656059561f08bf4e3ccdb45a1be36bc92d46f45e370ae26d29b3a5f238ffda6e5e8726a21e0d
SSDEEP:	12288:FmKG1kyRAn13L1uOt7v7eafKet2CoBCpvCZeHzQGczP15kv6t9ONfU5XzPMYO:FPF1/3K/JCRqeTQ/LXCqEYO
TLSH:	B2F40246B7850AFCD67BE679C903236FEF7038998214870B16E589573F275386B2E312
File Content Preview:	MZ......................@...............SENS............................!..L.!This program cannot be run in DOS mode....$.........@...............-..............+.E............-.......+......./......./......'......-.............,.....Rich...........

File Icon


Icon Hash:	d1c9beb19bcec15b

Static PE Info

General

Entrypoint:	0x140180da0
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x64ACC784 [Tue Jul 11 03:07:48 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	c227e9ac4acc08281941d59ae61530a1

Entrypoint Preview

Instruction
call 00007F9EA89D7F40h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x1a3178	0x50	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x1a6000	0x1324	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x184648	0x2130	.text
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x1a5000	0x48	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x190b70	0x38	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x25000	0x300	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x23a0c	0x0	False	0	empty	0.0	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x25000	0x14dea	0x0	False	0	empty	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x3a000	0x49a8	0x0	False	0	empty	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x3f000	0x2130	0x0	False	0	empty	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
_RDATA	0x42000	0xf4	0x0	False	0	empty	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.vdata	0x43000	0x200	0x0	False	0	empty	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.text	0x44000	0x9eb30	0x0	False	0	empty	0.0	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0xe3000	0x8550	0x0	False	0	empty	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.text	0xec000	0xb7280	0xb7400	False	0.8774140944747613	data	7.791970244454378	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x1a4000	0x620	0x800	False	0.353515625	data	3.4122728521452954	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc	0x1a5000	0x48	0x200	False	0.162109375	data	0.9062043961648203	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.rsrc	0x1a6000	0x2000	0x1400	False	0.876171875	data	7.658129981106197	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x1a60bc	0x1252	PNG image data, 200 x 200, 8-bit/color RGBA, non-interlaced			0.9307036247334755
RT_GROUP_ICON	0x1a7310	0x14	data			1.2

Imports

DLL	Import
WININET.dll	InternetReadFile
ADVAPI32.dll	ConvertStringSecurityDescriptorToSecurityDescriptorW
KERNEL32.dll	RtlUnwind

Network Behavior

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 11, 2023 11:09:20.107882023 CEST	49706	443	192.168.2.6	82.156.94.45
Jul 11, 2023 11:09:20.107991934 CEST	443	49706	82.156.94.45	192.168.2.6
Jul 11, 2023 11:09:20.108103037 CEST	49706	443	192.168.2.6	82.156.94.45
Jul 11, 2023 11:09:20.167463064 CEST	49706	443	192.168.2.6	82.156.94.45
Jul 11, 2023 11:09:20.167527914 CEST	443	49706	82.156.94.45	192.168.2.6
Jul 11, 2023 11:09:52.451844931 CEST	49706	443	192.168.2.6	82.156.94.45

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 11, 2023 11:09:19.759326935 CEST	59082	53	192.168.2.6	8.8.8.8
Jul 11, 2023 11:09:20.085742950 CEST	53	59082	8.8.8.8	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jul 11, 2023 11:09:19.759326935 CEST	192.168.2.6	8.8.8.8	0xc2b2	Standard query (0)	qwedsazxc-1259409518.cos.ap-beijing.myqcloud.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jul 11, 2023 11:09:20.085742950 CEST	8.8.8.8	192.168.2.6	0xc2b2	No error (0)	qwedsazxc-1259409518.cos.ap-beijing.myqcloud.com	bj.file.myqcloud.com		CNAME (Canonical name)	IN (0x0001)	false
Jul 11, 2023 11:09:20.085742950 CEST	8.8.8.8	192.168.2.6	0xc2b2	No error (0)	bj.file.myqcloud.com		82.156.94.45	A (IP address)	IN (0x0001)	false
Jul 11, 2023 11:09:20.085742950 CEST	8.8.8.8	192.168.2.6	0xc2b2	No error (0)	bj.file.myqcloud.com		82.156.94.47	A (IP address)	IN (0x0001)	false
Jul 11, 2023 11:09:20.085742950 CEST	8.8.8.8	192.168.2.6	0xc2b2	No error (0)	bj.file.myqcloud.com		82.156.94.48	A (IP address)	IN (0x0001)	false
Jul 11, 2023 11:09:20.085742950 CEST	8.8.8.8	192.168.2.6	0xc2b2	No error (0)	bj.file.myqcloud.com		82.156.94.13	A (IP address)	IN (0x0001)	false
Jul 11, 2023 11:09:20.085742950 CEST	8.8.8.8	192.168.2.6	0xc2b2	No error (0)	bj.file.myqcloud.com		82.156.94.17	A (IP address)	IN (0x0001)	false

Statistics

High Level Behavior Distribution

Click to dive into process behavior distribution

Disassembly

Reset < >

Analysis Process: 1q3HnZAcnJ.exePID: 7084, Parent PID: 3452COMMON

Execution Graph

Execution Coverage:	1.5%
Dynamic/Decrypted Code Coverage:	44.4%
Signature Coverage:	22.2%
Total number of Nodes:	18
Total number of Limit Nodes:	2

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 70%

			E00007FF67FF63B24866C(void* __edx, void* __eflags, intOrPtr* __rax, long long __rbx, long long __rsi, void* __r8, void* __r9, long long _a8, long long _a16) {
				char _v24;
				void* _t10;
				void* _t11;
				void* _t12;
				void* _t23;
				void* _t24;
				void* _t28;
				intOrPtr _t37;
				intOrPtr* _t58;
				intOrPtr* _t59;
				void* _t78;
				void* _t86;

				_t86 = __r9;
				_t76 = __rsi;
				_t60 = __rbx;
				_t58 = __rax;
				0x3b248d44(); // executed
				SetUnhandledExceptionFilter(??);
				goto 0x3b25610c;
				asm("int3");
				asm("int3");
				asm("int3");
				_a8 = __rbx;
				_a16 = __rsi;
				_t10 = E00007FF67FF63B248388(1); // executed
				if (_t10 == 0) goto 0x3b2487df;
				sil = 0;
				_v24 = sil;
				_t11 = E00007FF67FF63B24834C();
				_t37 =  *0x3b27b710; // 0x2
				if (_t37 == 1) goto 0x3b2487ea;
				if (_t37 != 0) goto 0x3b248715;
				 *0x3b27b710 = 1;
				_t12 = E00007FF67FF63B25473C(_t11, __rbx, 0x3b265390, 0x3b2653d0); // executed
				if (_t12 == 0) goto 0x3b2486f6;
				goto 0x3b2487cf;
				E00007FF67FF63B2546D8(0xff, _t60, 0x3b265328, 0x3b265388, __rsi, _t78); // executed
				 *0x3b27b710 = 2;
				goto 0x3b24871d;
				sil = 1;
				_v24 = sil;
				E00007FF67FF63B248EA4(E00007FF67FF63B2484F8(_t11, 0x3b265388));
				if ( *_t58 == 0) goto 0x3b248750;
				if (E00007FF67FF63B248460(_t58, _t58) == 0) goto 0x3b248750;
				r8d = 0;
				_t59 =  *_t58;
				E00007FF67FF63B265310();
				E00007FF67FF63B248EAC(_t17);
				if ( *_t59 == 0) goto 0x3b248772;
				if (E00007FF67FF63B248460(_t59, _t59) == 0) goto 0x3b248772;
				_t69 =  *_t59;
				E00007FF67FF63B253954( *_t59);
				_t23 = E00007FF67FF63B2547E4(E00007FF67FF63B2547EC(E00007FF67FF63B25407C( *_t59, _t76)));
				_t85 = _t59;
				_t72 =  *_t59;
				_t24 = E00007FF67FF63B244410(_t23, _t59,  *_t59, _t86); // executed
				if (E00007FF67FF63B248CF0(_t59) == 0) goto 0x3b2487f4;
				if (sil != 0) goto 0x3b2487a9;
				E00007FF67FF63B253938( *_t59,  *_t59, _t59);
				E00007FF67FF63B24851C(1, 0);
				_t28 = _t24;
				if (E00007FF67FF63B248CF0(_t59) == 0) goto 0x3b2487fc;
				if (_v24 != 0) goto 0x3b2487cd;
				E00007FF67FF63B253928(_t69, _t72, _t85);
				return _t28;
			}

0x7ff63b24866c
0x7ff63b24866c
0x7ff63b24866c
0x7ff63b24866c
0x7ff63b248670
0x7ff63b248675
0x7ff63b248680
0x7ff63b248685
0x7ff63b248686
0x7ff63b248687
0x7ff63b248688
0x7ff63b24868d
0x7ff63b24869c
0x7ff63b2486a3
0x7ff63b2486a9
0x7ff63b2486ac
0x7ff63b2486b1
0x7ff63b2486b8
0x7ff63b2486c1
0x7ff63b2486c9
0x7ff63b2486cb
0x7ff63b2486e3
0x7ff63b2486ea
0x7ff63b2486f1
0x7ff63b248704
0x7ff63b248709
0x7ff63b248713
0x7ff63b248715
0x7ff63b248718
0x7ff63b248724
0x7ff63b248730
0x7ff63b24873c
0x7ff63b24873e
0x7ff63b248747
0x7ff63b24874a
0x7ff63b248750
0x7ff63b24875c
0x7ff63b248768
0x7ff63b24876a
0x7ff63b24876d
0x7ff63b248782
0x7ff63b248787
0x7ff63b24878a
0x7ff63b24878f
0x7ff63b24879d
0x7ff63b2487a2
0x7ff63b2487a4
0x7ff63b2487ad
0x7ff63b2487b2
0x7ff63b2487bf
0x7ff63b2487c6
0x7ff63b2487c8
0x7ff63b2487de

APIs

SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF63B248675
_invalid_parameter_noinfo.LIBCMT ref: 00007FF63B256120

Memory Dump Source

Source File: 00000000.00000002.556808357.00007FF63B241000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF63B240000, based on PE: true

Associated: 00000000.00000002.556798378.00007FF63B240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.556881205.00007FF63B27C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.556890864.00007FF63B27F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.556890864.00007FF63B284000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.557189912.00007FF63B32C000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.557371250.00007FF63B3E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.557378386.00007FF63B3E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63b240000_1q3HnZAcnJ.jbxd

Similarity

API ID: ExceptionFilterUnhandled_invalid_parameter_noinfo
String ID:
API String ID: 59578552-0
Opcode ID: 4268160b5956d37e71ef8e276ddd907075a7d85410443afb9998badc2daf71b0
Instruction ID: 0643d22f9cfa46340ae86c1ca0efc955a63565a6eb91540e6801338e5e6fa2f7
Opcode Fuzzy Hash: 4268160b5956d37e71ef8e276ddd907075a7d85410443afb9998badc2daf71b0
Instruction Fuzzy Hash: E4E0B620E1E10686FA1E376A8A430BD66911F5D320F504336E19DC97E7CD6D64926A1A

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF63B248688 Relevance: 4.6, APIs: 3, Instructions: 98
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 85%

			E00007FF67FF63B248688(void* __edx, void* __eflags, intOrPtr* __rax, long long __rbx, long long __rsi, void* __r8, void* __r9, long long _a8, long long _a16) {
				char _v24;
				void* _t9;
				void* _t10;
				void* _t11;
				void* _t22;
				void* _t23;
				void* _t27;
				intOrPtr _t35;
				intOrPtr* _t56;
				intOrPtr* _t57;
				void* _t74;
				void* _t80;

				_t80 = __r9;
				_t72 = __rsi;
				_t58 = __rbx;
				_t56 = __rax;
				_a8 = __rbx;
				_a16 = __rsi;
				_t9 = E00007FF67FF63B248388(1); // executed
				if (_t9 == 0) goto 0x3b2487df;
				sil = 0;
				_v24 = sil;
				_t10 = E00007FF67FF63B24834C();
				_t35 =  *0x3b27b710; // 0x2
				if (_t35 == 1) goto 0x3b2487ea;
				if (_t35 != 0) goto 0x3b248715;
				 *0x3b27b710 = 1;
				_t11 = E00007FF67FF63B25473C(_t10, __rbx, 0x3b265390, 0x3b2653d0); // executed
				if (_t11 == 0) goto 0x3b2486f6;
				goto 0x3b2487cf;
				E00007FF67FF63B2546D8(0xff, _t58, 0x3b265328, 0x3b265388, __rsi, _t74); // executed
				 *0x3b27b710 = 2;
				goto 0x3b24871d;
				sil = 1;
				_v24 = sil;
				E00007FF67FF63B248EA4(E00007FF67FF63B2484F8(_t10, 0x3b265388));
				if ( *_t56 == 0) goto 0x3b248750;
				if (E00007FF67FF63B248460(_t56, _t56) == 0) goto 0x3b248750;
				r8d = 0;
				_t57 =  *_t56;
				E00007FF67FF63B265310();
				E00007FF67FF63B248EAC(_t16);
				if ( *_t57 == 0) goto 0x3b248772;
				if (E00007FF67FF63B248460(_t57, _t57) == 0) goto 0x3b248772;
				_t67 =  *_t57;
				E00007FF67FF63B253954( *_t57);
				_t22 = E00007FF67FF63B2547E4(E00007FF67FF63B2547EC(E00007FF67FF63B25407C( *_t57, _t72)));
				_t79 = _t57;
				_t70 =  *_t57;
				_t23 = E00007FF67FF63B244410(_t22, _t57,  *_t57, _t80); // executed
				if (E00007FF67FF63B248CF0(_t57) == 0) goto 0x3b2487f4;
				if (sil != 0) goto 0x3b2487a9;
				E00007FF67FF63B253938( *_t57,  *_t57, _t57);
				E00007FF67FF63B24851C(1, 0);
				_t27 = _t23;
				if (E00007FF67FF63B248CF0(_t57) == 0) goto 0x3b2487fc;
				if (_v24 != 0) goto 0x3b2487cd;
				E00007FF67FF63B253928(_t67, _t70, _t79);
				return _t27;
			}

0x7ff63b248688
0x7ff63b248688
0x7ff63b248688
0x7ff63b248688
0x7ff63b248688
0x7ff63b24868d
0x7ff63b24869c
0x7ff63b2486a3
0x7ff63b2486a9
0x7ff63b2486ac
0x7ff63b2486b1
0x7ff63b2486b8
0x7ff63b2486c1
0x7ff63b2486c9
0x7ff63b2486cb
0x7ff63b2486e3
0x7ff63b2486ea
0x7ff63b2486f1
0x7ff63b248704
0x7ff63b248709
0x7ff63b248713
0x7ff63b248715
0x7ff63b248718
0x7ff63b248724
0x7ff63b248730
0x7ff63b24873c
0x7ff63b24873e
0x7ff63b248747
0x7ff63b24874a
0x7ff63b248750
0x7ff63b24875c
0x7ff63b248768
0x7ff63b24876a
0x7ff63b24876d
0x7ff63b248782
0x7ff63b248787
0x7ff63b24878a
0x7ff63b24878f
0x7ff63b24879d
0x7ff63b2487a2
0x7ff63b2487a4
0x7ff63b2487ad
0x7ff63b2487b2
0x7ff63b2487bf
0x7ff63b2487c6
0x7ff63b2487c8
0x7ff63b2487de

APIs

__scrt_initialize_crt.LIBCMT ref: 00007FF63B24869C

Part of subcall function 00007FF63B248388: __scrt_dllmain_crt_thread_attach.LIBCMT ref: 00007FF63B2483AA

__scrt_acquire_startup_lock.LIBCMT ref: 00007FF63B2486B1
__scrt_release_startup_lock.LIBCMT ref: 00007FF63B24871F

Memory Dump Source

Source File: 00000000.00000002.556808357.00007FF63B241000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF63B240000, based on PE: true

Associated: 00000000.00000002.556798378.00007FF63B240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.556881205.00007FF63B27C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.556890864.00007FF63B27F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.556890864.00007FF63B284000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.557189912.00007FF63B32C000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.557371250.00007FF63B3E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.557378386.00007FF63B3E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63b240000_1q3HnZAcnJ.jbxd

Similarity

API ID: __scrt_acquire_startup_lock__scrt_dllmain_crt_thread_attach__scrt_initialize_crt__scrt_release_startup_lock
String ID:
API String ID: 3058843127-0
Opcode ID: 54f66248f408053cd02dd1a6a0aef8ec967fdf2c0165e9f36b56c92536b21659
Instruction ID: bfecfa6e9acbdf30ee018b9ee7c3d56158957c0b4a62304b19a5fa9e6678a6ef
Opcode Fuzzy Hash: 54f66248f408053cd02dd1a6a0aef8ec967fdf2c0165e9f36b56c92536b21659
Instruction Fuzzy Hash: F6418225E2C10345FA04BB2197213B96291AF8DB84F540735EEDECFBFBDE6CA404A215

Uniqueness

Uniqueness Score: -1.00%

Function 00000191ECDF1101 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 174
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

\qMU, xrefs: 00000191ECDF118A

Memory Dump Source

Source File: 00000000.00000002.556733649.00000191ECDF1000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000191ECDF1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_191ecdf1000_1q3HnZAcnJ.jbxd

Similarity

API ID:
String ID: \qMU
API String ID: 0-2876963154
Opcode ID: 574a64ab50f8fe8cfec418fd4bd59ff5c7b86b50eac42b81a17150164831b35b
Instruction ID: 8f92745808d112b2bda4ba9b0639aba84df5ba83ebcf8793db6d48d4c496ef4e
Opcode Fuzzy Hash: 574a64ab50f8fe8cfec418fd4bd59ff5c7b86b50eac42b81a17150164831b35b
Instruction Fuzzy Hash: 25519E31D186839BE71A9F28ACA27F5B7E0FB92350F14429EFCC686183E51298D5C7D1

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF63B2485A4 Relevance: 3.1, APIs: 2, Instructions: 55
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 64%

			E00007FF67FF63B2485A4(void* __eflags, intOrPtr* __rax, void* __rcx) {
				void* __rbx;
				void* _t2;
				intOrPtr _t6;
				void* _t18;
				intOrPtr* _t31;
				void* _t32;
				void* _t36;

				_t31 = __rax;
				E00007FF67FF63B254650(_t2, 1);
				E00007FF67FF63B25477C(E00007FF67FF63B248E5C(), __rax, __rcx);
				_t6 = E00007FF67FF63B246E20();
				E00007FF67FF63B256138(_t6);
				 *_t31 = _t6;
				if (E00007FF67FF63B2483D4(1, _t31) == 0) goto 0x3b24864f;
				E00007FF67FF63B248EB4(_t8, _t32);
				E00007FF67FF63B248584(E00007FF67FF63B2483D4(1, _t31), _t31);
				if (E00007FF67FF63B253BBC(E00007FF67FF63B24688C(), _t31, _t32, E00007FF67FF63B248EF0, _t36) != 0) goto 0x3b24864f;
				0x3b248e64();
				if (E00007FF67FF63B248E98() == 0) goto 0x3b248617;
				E00007FF67FF63B246778(E00007FF67FF63B2546B0(_t13, 0x7ff63b246e20), _t11);
				E00007FF67FF63B246778(_t14, _t11);
				E00007FF67FF63B254DA0(E00007FF67FF63B246E20(), _t31, 0x7ff63b246e20);
				if (E00007FF67FF63B246888() == 0) goto 0x3b24863b; // executed
				0x3b2540cc(); // executed
				_t18 = E00007FF67FF63B246E20();
				0x3b248ce8();
				if (_t18 != 0) goto 0x3b24864f;
				return _t18;
			}

0x7ff63b2485a4
0x7ff63b2485af
0x7ff63b2485bb
0x7ff63b2485c0
0x7ff63b2485c7
0x7ff63b2485d1
0x7ff63b2485da
0x7ff63b2485dc
0x7ff63b2485e8
0x7ff63b2485fb
0x7ff63b2485fd
0x7ff63b248609
0x7ff63b248617
0x7ff63b24861c
0x7ff63b248628
0x7ff63b248634
0x7ff63b248636
0x7ff63b24863b
0x7ff63b248640
0x7ff63b248647
0x7ff63b24864e

APIs

_set_fmode.LIBCMT ref: 00007FF63B2485BB
_RTC_Initialize.LIBCMT ref: 00007FF63B2485DC

Part of subcall function 00007FF63B253BBC: _invalid_parameter_noinfo.LIBCMT ref: 00007FF63B253BEE

Memory Dump Source

Source File: 00000000.00000002.556808357.00007FF63B241000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF63B240000, based on PE: true

Associated: 00000000.00000002.556798378.00007FF63B240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.556881205.00007FF63B27C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.556890864.00007FF63B27F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.556890864.00007FF63B284000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.557189912.00007FF63B32C000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.557371250.00007FF63B3E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.557378386.00007FF63B3E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63b240000_1q3HnZAcnJ.jbxd

Similarity

API ID: Initialize_invalid_parameter_noinfo_set_fmode
String ID:
API String ID: 3548387204-0
Opcode ID: c1561249f3f8e23dcaf87a6a0b2251261af1d609c03c2088adb3bb21bf72f051
Instruction ID: bebea616c11c85ecee9e17831cfe69c2b1f553438bb8450d23447d0a86760e96
Opcode Fuzzy Hash: c1561249f3f8e23dcaf87a6a0b2251261af1d609c03c2088adb3bb21bf72f051
Instruction Fuzzy Hash: 3911BD40E2820341FA9977B197122B951924F8C300F440675EADDCABFBEE6CB8467666

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF63B243990 Relevance: 1.7, APIs: 1, Instructions: 174
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF63B243C12

Memory Dump Source

Source File: 00000000.00000002.556808357.00007FF63B241000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF63B240000, based on PE: true

Associated: 00000000.00000002.556798378.00007FF63B240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.556881205.00007FF63B27C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.556890864.00007FF63B27F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.556890864.00007FF63B284000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.557189912.00007FF63B32C000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.557371250.00007FF63B3E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.557378386.00007FF63B3E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63b240000_1q3HnZAcnJ.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3668304517-0
Opcode ID: 1ad6e667e8fafcc883d6fc708c961f0de87946f213509ade22bf3e365fd501e1
Instruction ID: f50bf6a19c679ae303ff2ea85d9e0bc140408b8314015ca1cfdca52dba25bc88
Opcode Fuzzy Hash: 1ad6e667e8fafcc883d6fc708c961f0de87946f213509ade22bf3e365fd501e1
Instruction Fuzzy Hash: 17610522A186C184EB11CB25E5047FEAB91FB4D7D0F814235EA9D87FAADE7CD245D300

Uniqueness

Uniqueness Score: -1.00%

Function 00000191ECDF1134 Relevance: 1.6, APIs: 1, Instructions: 131
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNEL32 ref: 00000191ECDF1286

Memory Dump Source

Source File: 00000000.00000002.556733649.00000191ECDF1000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000191ECDF1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_191ecdf1000_1q3HnZAcnJ.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 52e2558699723df90f6768f4bc3c9edd71af597dfd2183743c03cf9e1adf94d6
Instruction ID: 8d4777fa8faf2f26e768ae814c7f0cfc400c9d9d1cd7f1279f1bebe4f7e757ad
Opcode Fuzzy Hash: 52e2558699723df90f6768f4bc3c9edd71af597dfd2183743c03cf9e1adf94d6
Instruction Fuzzy Hash: 9E41393091CA869BD70E9B19E8D26F5B7E1FB85300F00425DECCBC6087DA25E986C7D1

Uniqueness

Uniqueness Score: -1.00%

Function 00000191ECDF11AB Relevance: 1.6, APIs: 1, Instructions: 119
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNEL32 ref: 00000191ECDF1286

Memory Dump Source

Source File: 00000000.00000002.556733649.00000191ECDF1000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000191ECDF1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_191ecdf1000_1q3HnZAcnJ.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 8d0c08ffa62e8d22ae2cb6687896bbdba221f312940170ef3401011b8c7a547c
Instruction ID: 0864f3d3b612c2e3816f2ce907bcd9a71d4fd7c384e96dcb2e45f15c3b6b2f46
Opcode Fuzzy Hash: 8d0c08ffa62e8d22ae2cb6687896bbdba221f312940170ef3401011b8c7a547c
Instruction Fuzzy Hash: 4431283051CA868BD70D9B1DE8D26B5B7E0FB85300F00425DE8CBC7183E925E946C7D2

Uniqueness

Uniqueness Score: -1.00%

Function 00000191ECDF6F08 Relevance: 1.6, APIs: 1, Instructions: 52
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL ref: 00000191ECDF6F5D

Memory Dump Source

Source File: 00000000.00000002.556733649.00000191ECDF1000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000191ECDF1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_191ecdf1000_1q3HnZAcnJ.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 7aad959358c1129470fdeee313612d7b6ed1a23662f77854d46a063e3c7d71f7
Instruction ID: 79feef5be46b881b0927f2828af2276734550794dd8d6417a6656f6c8c43aab2
Opcode Fuzzy Hash: 7aad959358c1129470fdeee313612d7b6ed1a23662f77854d46a063e3c7d71f7
Instruction Fuzzy Hash: B0014470F30A4B6AFB5667B94CA93F931C5FF68701F4440355C05C19D1ED56CCD58691

Uniqueness

Uniqueness Score: -1.00%

Function 00000191EB4B7F88 Relevance: 1.6, APIs: 1, Instructions: 52
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL ref: 00000191EB4B7FDD

Memory Dump Source

Source File: 00000000.00000002.556430783.00000191EB4B1000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000191EB4B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_191eb4b1000_1q3HnZAcnJ.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: f9380678d1ed3da221125d5c24f2653f0c49f3b7b2e0c654868b9d50f33e9da9
Instruction ID: f8d432d25e4fd40d10cddd691a67b07079cd29611c89323fc2a590ec5d045c16
Opcode Fuzzy Hash: f9380678d1ed3da221125d5c24f2653f0c49f3b7b2e0c654868b9d50f33e9da9
Instruction Fuzzy Hash: 64016930354A0B6BFB5BA6AB48F97B571C5FBA8701F404436AB07C21E2EE64C9808235

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00007FF63B25C984 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 165
COMMONCrypto

Download Yara Rule

C-Code - Quality: 70%

			E00007FF67FF63B25C984(void* __ecx, intOrPtr* __rax, long long __rbx, intOrPtr* __rcx, long long __rdx, long long _a8, void* _a16, long long _a24, intOrPtr _a26, long long _a32) {
				long long _v72;
				intOrPtr _v80;
				void* _v88;
				long long _v96;
				long long _v104;
				void* __rsi;
				void* __rbp;
				void* _t36;
				void* _t39;
				void* _t40;
				intOrPtr _t67;
				signed long long _t70;
				long long _t72;
				long long _t74;
				long long _t80;
				void* _t85;
				void* _t92;
				long long _t106;
				long long _t110;
				signed long long _t112;
				signed long long _t113;
				void* _t118;
				intOrPtr _t130;
				void* _t132;
				void* _t133;
				signed long long _t136;
				intOrPtr* _t137;
				intOrPtr* _t142;

				_a8 = __rbx;
				_a16 = __rdx;
				if (__rdx != 0) goto 0x3b25c9c0;
				E00007FF67FF63B250A0C(__rax);
				_t3 = _t110 + 0x16; // 0x16
				 *__rax = _t3;
				E00007FF67FF63B24E69C();
				goto 0x3b25cb60;
				asm("xorps xmm0, xmm0");
				 *((long long*)(__rdx)) = _t110;
				_t67 =  *__rcx;
				asm("movdqu [ebp-0x20], xmm0");
				_v72 = _t110;
				if (_t67 == 0) goto 0x3b25ca2d;
				_a24 = 0x3f2a;
				_a26 = dil;
				E00007FF67FF63B261FE0();
				if (_t67 != 0) goto 0x3b25ca05;
				r8d = 0;
				_t36 = E00007FF67FF63B25CB90(__rcx,  *__rcx,  &_a24, _t112, _t118,  &_v88);
				goto 0x3b25ca11;
				0x3b25cd18();
				if (_t36 != 0) goto 0x3b25ca20;
				goto 0x3b25c9d2;
				goto 0x3b25cb25;
				_t142 = _v88;
				_t130 = _v80;
				_a24 = _t110;
				_t70 = _t130 - _t142;
				_t136 = (_t70 >> 3) + 1;
				_t92 =  >  ? _t110 : _t70 + 7 >> 3;
				_t113 = _t112 | 0xffffffff;
				if (_t92 == 0) goto 0x3b25ca8f;
				_t72 = _t113 + 1;
				if ( *((intOrPtr*)( *_t142 + _t72)) != dil) goto 0x3b25ca70;
				if (_t110 + 1 != _t92) goto 0x3b25ca6a;
				_a24 = _t110 + 1 + _t72;
				r8d = 1;
				E00007FF67FF63B253B5C(_t36, _t136, _t110 + 1 + _t72, _t110 + 1);
				_t80 = _t72;
				if (_t72 == 0) goto 0x3b25cb1e;
				_t106 = _t72 + _t136 * 8;
				_t137 = _t142;
				_v96 = _t106;
				_a32 = _t106;
				if (_t142 == _t130) goto 0x3b25cb15;
				_v104 = _t80 - _t142;
				_t132 = _t113 + 1;
				if ( *((intOrPtr*)( *_t137 + _t132)) != dil) goto 0x3b25cacf;
				_t133 = _t132 + 1;
				if (E00007FF67FF63B261538(_t106, _t80, _t106, _t106 - _t106 + _a24,  *_t137, _t133) != 0) goto 0x3b25cb78;
				_t74 = _a32;
				 *((long long*)(_v104 + _t137)) = _t74;
				_a32 = _t74 + _t133;
				if (_t137 + 8 != _t130) goto 0x3b25cac9;
				 *_a16 = _t80;
				_t39 = E00007FF67FF63B256F7C(_t38, _a16, _v104);
				_t85 =  >  ? _t110 : _t130 - _t142 + 7 >> 3;
				if (_t85 == 0) goto 0x3b25cb56;
				_t40 = E00007FF67FF63B256F7C(_t39, _a16,  *_t142);
				if (_t110 + 1 != _t85) goto 0x3b25cb42;
				E00007FF67FF63B256F7C(_t40, _a16, _t142);
				return 0;
			}

0x7ff63b25c984
0x7ff63b25c989
0x7ff63b25c9a8
0x7ff63b25c9aa
0x7ff63b25c9af
0x7ff63b25c9b2
0x7ff63b25c9b4
0x7ff63b25c9bb
0x7ff63b25c9c0
0x7ff63b25c9c3
0x7ff63b25c9c6
0x7ff63b25c9c9
0x7ff63b25c9ce
0x7ff63b25c9d5
0x7ff63b25c9db
0x7ff63b25c9e4
0x7ff63b25c9e8
0x7ff63b25c9f3
0x7ff63b25c9f9
0x7ff63b25c9fe
0x7ff63b25ca03
0x7ff63b25ca0c
0x7ff63b25ca15
0x7ff63b25ca1e
0x7ff63b25ca28
0x7ff63b25ca2d
0x7ff63b25ca34
0x7ff63b25ca3e
0x7ff63b25ca42
0x7ff63b25ca4f
0x7ff63b25ca5d
0x7ff63b25ca61
0x7ff63b25ca68
0x7ff63b25ca70
0x7ff63b25ca77
0x7ff63b25ca89
0x7ff63b25ca8b
0x7ff63b25ca8f
0x7ff63b25ca9b
0x7ff63b25caa0
0x7ff63b25caa6
0x7ff63b25caa8
0x7ff63b25caac
0x7ff63b25caaf
0x7ff63b25cab6
0x7ff63b25cabd
0x7ff63b25cac5
0x7ff63b25cacf
0x7ff63b25cad6
0x7ff63b25cadb
0x7ff63b25caef
0x7ff63b25caf5
0x7ff63b25cb01
0x7ff63b25cb0c
0x7ff63b25cb13
0x7ff63b25cb1b
0x7ff63b25cb20
0x7ff63b25cb39
0x7ff63b25cb40
0x7ff63b25cb45
0x7ff63b25cb54
0x7ff63b25cb59
0x7ff63b25cb77

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF63B25C9B4

Strings

*?, xrefs: 00007FF63B25C9DB

Memory Dump Source

Source File: 00000000.00000002.556808357.00007FF63B241000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF63B240000, based on PE: true

Associated: 00000000.00000002.556798378.00007FF63B240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.556881205.00007FF63B27C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.556890864.00007FF63B27F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.556890864.00007FF63B284000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.557189912.00007FF63B32C000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.557371250.00007FF63B3E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.557378386.00007FF63B3E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63b240000_1q3HnZAcnJ.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: *?
API String ID: 3215553584-2564092906
Opcode ID: 01c1c4ddc769a0b7adfc109aa75110f471eaba31983d70450534be51a8c4b5ca
Instruction ID: b30e9a4bf82400bdd5f2733c97629e600ed5c00d08bfd92cc1e416284e528ec8
Opcode Fuzzy Hash: 01c1c4ddc769a0b7adfc109aa75110f471eaba31983d70450534be51a8c4b5ca
Instruction Fuzzy Hash: 0B510162B1479585EB10DFA29A004B9A7A1FB4CBD8F444632EE8D87B9DEF3CD445D308

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF63B24FCE0 Relevance: 3.2, APIs: 2, Instructions: 207
COMMONLIBRARYCODECrypto

Download Yara Rule

C-Code - Quality: 55%

			E00007FF67FF63B24FCE0(long long __rbx, intOrPtr* __rcx, long long __rsi, intOrPtr _a16, long long _a24, long long _a32) {
				void* _v40;
				long long _v72;
				void* _t11;
				void* _t12;
				intOrPtr* _t25;
				void* _t32;

				_a24 = __rbx;
				_a32 = __rsi;
				_t25 =  *((intOrPtr*)(__rcx));
				r14d =  *_t25;
				if ( *((intOrPtr*)( *((intOrPtr*)(__rcx + 8)))) != 0) goto 0x3b24fd20;
				E00007FF67FF63B2553B4(r14d, _t25, _t32);
				goto 0x3b24fdc8;
				_v72 = 0x7fffffff;
				r8d = 0;
				_t11 = E00007FF67FF63B25A88C();
				if (_t11 == 0x16) goto 0x3b24ff4e;
				if (_t11 == 0x22) goto 0x3b24ff4e;
				_t12 = E00007FF67FF63B257AF8(_t11, _a16, _t32);
				if (_t25 != 0) goto 0x3b24fd82;
				E00007FF67FF63B256F7C(_t12, _t25, _a16);
				return 0;
			}

0x7ff63b24fce0
0x7ff63b24fce5
0x7ff63b24fd05
0x7ff63b24fd08
0x7ff63b24fd0e
0x7ff63b24fd13
0x7ff63b24fd1b
0x7ff63b24fd23
0x7ff63b24fd2c
0x7ff63b24fd33
0x7ff63b24fd3b
0x7ff63b24fd44
0x7ff63b24fd53
0x7ff63b24fd60
0x7ff63b24fd62
0x7ff63b24fd81

APIs

_Wcsftime.LIBCMT ref: 00007FF63B24FD92
_Wcsftime.LIBCMT ref: 00007FF63B24FD33

Part of subcall function 00007FF63B2553B4: _invalid_parameter_noinfo.LIBCMT ref: 00007FF63B2553DF

Memory Dump Source

Source File: 00000000.00000002.556808357.00007FF63B241000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF63B240000, based on PE: true

Associated: 00000000.00000002.556798378.00007FF63B240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.556881205.00007FF63B27C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.556890864.00007FF63B27F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.556890864.00007FF63B284000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.557189912.00007FF63B32C000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.557371250.00007FF63B3E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.557378386.00007FF63B3E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63b240000_1q3HnZAcnJ.jbxd

Similarity

API ID: Wcsftime$_invalid_parameter_noinfo
String ID:
API String ID: 4239037671-0
Opcode ID: f084947fea94184b357488ab45de48c21969ff2a0859095be37cc77cc94a4ef8
Instruction ID: 0b9e205a376878429860f5e746b63d3e46bd07f5e57a327990284cceaf0d1cc0
Opcode Fuzzy Hash: f084947fea94184b357488ab45de48c21969ff2a0859095be37cc77cc94a4ef8
Instruction Fuzzy Hash: AC819172A04A5186EB64DF65D68137D3360FB88B98F158736EE9EC7BA9CF38D0419304

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF63B25E87C Relevance: 1.8, APIs: 1, Instructions: 335
COMMONCrypto

Download Yara Rule

C-Code - Quality: 73%

			E00007FF67FF63B25E87C(long long __rax, long long __rbx, long long __rcx, void* __rdx, long long __rdi, long long __rsi, void* __r9, void* __r10, void* __r11, long long _a8, long long _a16, long long _a24) {
				void* _v40;
				signed int _v48;
				char _v56;
				long long _v72;
				void* _t114;
				void* _t115;
				void* _t118;
				void* _t119;
				void* _t120;
				void* _t121;
				void* _t122;
				signed int _t152;
				char _t182;
				char _t183;
				long long _t213;
				long long _t224;
				long long _t242;
				char* _t296;
				char* _t297;
				char* _t329;
				void* _t331;
				long long _t335;
				void* _t336;
				intOrPtr* _t337;
				long long _t339;
				signed long long _t340;
				long long _t341;

				_t333 = __r11;
				_t332 = __r10;
				_t331 = __r9;
				_t224 = __rax;
				_a8 = __rbx;
				_a16 = __rsi;
				_a24 = __rdi;
				r15d = 0;
				_v56 = __rcx;
				_v48 = _v48 & _t340;
				if ( *((intOrPtr*)(__rcx + 0x140)) != _t340) goto 0x3b25e8ca;
				if ( *((intOrPtr*)(__rcx + 0x148)) != _t340) goto 0x3b25e8ca;
				r12d = 0;
				goto 0x3b25ed3a;
				r13d = 1;
				_t115 = E00007FF67FF63B257AF8(_t114, __rcx, __rdx);
				_t339 = _t224;
				E00007FF67FF63B256F7C(_t115, _t224, __rcx);
				if (_t339 != 0) goto 0x3b25e8f4;
				goto 0x3b25ed90;
				_t118 = E00007FF67FF63B257AF8(r13d, _t336, __rdx);
				_t335 = _t224;
				_t119 = E00007FF67FF63B256F7C(_t118, _t224, _t336);
				if (_t335 != 0) goto 0x3b25e91c;
				_t120 = E00007FF67FF63B256F7C(_t119, _t224, _t339);
				goto 0x3b25e8ec;
				if ( *((intOrPtr*)(__rcx + 0x140)) == _t340) goto 0x3b25ec77;
				_t121 = E00007FF67FF63B257AF8(_t120, _t336, __rbx);
				_t341 = _t224;
				_t122 = E00007FF67FF63B256F7C(_t121, _t224, _t336);
				_t213 = _t341;
				if (_t213 != 0) goto 0x3b25e950;
				E00007FF67FF63B256F7C(_t122, _t224, _t339);
				goto 0x3b25e915;
				_t299 =  *((intOrPtr*)(__rcx + 0x140));
				_t11 = _t339 + 0x18; // 0x18
				_v72 = _t11;
				r9d = 0x15;
				_t13 =  &_v56; // -15
				E00007FF67FF63B25AFDC(0, r13d, _t13,  *((intOrPtr*)(__rcx + 0x140)), __r10, __r11);
				_t14 = _t339 + 0x20; // 0x20
				r9d = 0x14;
				_v72 = _t14;
				_t16 =  &_v56; // -15
				E00007FF67FF63B25AFDC(0, r13d, _t16,  *((intOrPtr*)(__rcx + 0x140)), __r10, __r11);
				_t17 = _t339 + 0x28; // 0x28
				r9d = 0x16;
				_v72 = _t17;
				_t19 =  &_v56; // -15
				E00007FF67FF63B25AFDC(0, r13d, _t19,  *((intOrPtr*)(__rcx + 0x140)), __r10, __r11);
				_t20 =  &_v56; // -15
				_t21 = _t339 + 0x30; // 0x30
				r9d = 0x17;
				_v72 = _t21;
				E00007FF67FF63B25AFDC(0, r13d, _t20, _t299, __r10, __r11);
				r9d = 0x18;
				_t23 = _t339 + 0x38; // 0x38
				_t337 = _t23;
				_v72 = _t337;
				_t25 =  &_v56; // -15
				E00007FF67FF63B25AFDC(0, _t331 - 0x17, _t25, _t299, _t332, _t333);
				r9d = 0x50;
				_t27 =  &_v56; // -15
				_t28 = _t339 + 0x40; // 0x40
				_v72 = _t28;
				E00007FF67FF63B25AFDC(0, _t331 - 0x4f, _t27, _t299, _t332, _t333);
				r9d = 0x51;
				_t31 =  &_v56; // -15
				_t32 = _t339 + 0x48; // 0x48
				_v72 = _t32;
				E00007FF67FF63B25AFDC(0, _t331 - 0x50, _t31, _t299, _t332, _t333);
				_t35 =  &_v56; // -15
				_t36 = _t339 + 0x50; // 0x50
				r9d = 0x1a;
				_v72 = _t36;
				E00007FF67FF63B25AFDC(0, 0, _t35, _t299, _t332, _t333);
				_t38 =  &_v56; // -15
				_t39 = _t339 + 0x51; // 0x51
				r9d = 0x19;
				_v72 = _t39;
				E00007FF67FF63B25AFDC(0, 0, _t38, _t299, _t332, _t333);
				_t41 =  &_v56; // -15
				_t42 = _t339 + 0x52; // 0x52
				r9d = 0x54;
				_v72 = _t42;
				E00007FF67FF63B25AFDC(0, 0, _t41, _t299, _t332, _t333);
				_t44 = _t339 + 0x53; // 0x53
				r9d = 0x55;
				_v72 = _t44;
				_t46 =  &_v56; // -15
				E00007FF67FF63B25AFDC(0, 0, _t46, _t299, _t332, _t333);
				_t47 =  &_v56; // -15
				_t48 = _t339 + 0x54; // 0x54
				r9d = 0x56;
				_v72 = _t48;
				E00007FF67FF63B25AFDC(0, 0, _t47, _t299, _t332, _t333);
				_t50 =  &_v56; // -15
				_t51 = _t339 + 0x55; // 0x55
				r9d = 0x57;
				_v72 = _t51;
				E00007FF67FF63B25AFDC(0, 0, _t50, _t299, _t332, _t333);
				_t53 =  &_v56; // -15
				_t54 = _t339 + 0x56; // 0x56
				r9d = 0x52;
				_v72 = _t54;
				E00007FF67FF63B25AFDC(0, 0, _t53, _t299, _t332, _t333);
				_t56 =  &_v56; // -15
				_t57 = _t339 + 0x57; // 0x57
				r9d = 0x53;
				_v72 = _t57;
				E00007FF67FF63B25AFDC(0, 0, _t56, _t299, _t332, _t333);
				r9d = 0x15;
				_t59 =  &_v56; // -15
				_t60 = _t339 + 0x68; // 0x68
				_v72 = _t60;
				E00007FF67FF63B25AFDC(0, _t331 - 0x13, _t59, _t299, _t332, _t333);
				r9d = 0x14;
				_t63 =  &_v56; // -15
				_t64 = _t339 + 0x70; // 0x70
				_v72 = _t64;
				E00007FF67FF63B25AFDC(0, _t331 - 0x12, _t63, _t299, _t332, _t333);
				r9d = 0x16;
				_t67 =  &_v56; // -15
				_t68 = _t339 + 0x78; // 0x78
				_v72 = _t68;
				E00007FF67FF63B25AFDC(0, _t331 - 0x14, _t67, _t299, _t332, _t333);
				r9d = 0x17;
				_t71 =  &_v56; // -15
				_t72 = _t339 + 0x80; // 0x80
				_v72 = _t72;
				E00007FF67FF63B25AFDC(0, _t331 - 0x15, _t71, _t299, _t332, _t333);
				r9d = 0x50;
				_t75 =  &_v56; // -15
				_t76 = _t339 + 0x88; // 0x88
				_v72 = _t76;
				E00007FF67FF63B25AFDC(0, _t331 - 0x4e, _t75, _t299, _t332, _t333);
				_t79 = _t339 + 0x90; // 0x90
				_t242 = _t79;
				r9d = 0x51;
				_v72 = _t242;
				_t81 =  &_v56; // -15
				E00007FF67FF63B25AFDC(0, _t331 - 0x4f, _t81, _t299, _t332, _t333);
				if (_t213 == 0) goto 0x3b25ec2d;
				E00007FF67FF63B256F7C(E00007FF67FF63B256F7C(E00007FF67FF63B256F7C(E00007FF67FF63B25E770(_t339), _t242, _t339), _t242, _t335), _t242, _t341);
				goto 0x3b25ed90;
				_t296 =  *_t337;
				if ( *_t296 == 0) goto 0x3b25ecdf;
				_t83 = _t242 - 0x30; // -48
				_t182 = _t83;
				if (_t182 - 9 > 0) goto 0x3b25ec59;
				 *_t296 = _t182;
				r13d = 1;
				_t297 = _t296 + _t337;
				_t152 =  *_t297;
				if (_t152 != 0) goto 0x3b25ec3b;
				goto 0x3b25ece5;
				if (_t152 != 0x3b) goto 0x3b25ec45;
				_t329 = _t297;
				_t183 =  *((intOrPtr*)(_t329 + 1));
				 *_t329 = _t183;
				if (_t183 != 0) goto 0x3b25ec60;
				r13d = 1;
				goto 0x3b25ec4e;
				asm("movups xmm0, [eax]");
				asm("inc ecx");
				asm("movups xmm1, [eax+0x10]");
				asm("inc ecx");
				asm("movups xmm0, [eax+0x20]");
				asm("inc ecx");
				asm("movups xmm1, [eax+0x30]");
				asm("inc ecx");
				asm("movups xmm0, [eax+0x40]");
				asm("inc ecx");
				asm("movups xmm1, [eax+0x50]");
				asm("inc ecx");
				asm("movups xmm0, [eax+0x60]");
				asm("inc ecx");
				asm("movups xmm0, [eax+0x70]");
				asm("inc ecx");
				asm("movups xmm1, [eax+edx]");
				asm("inc ecx");
				 *((long long*)(_t339 + _t297 + 0x10)) =  *((intOrPtr*)(0x3b27a1a0 + _t297 + 0x10));
				goto 0x3b25ece5;
				r13d = 1;
				 *_t339 =  *((intOrPtr*)( *((intOrPtr*)(__rcx + 0xf8))));
				 *((long long*)(_t339 + 8)) =  *((intOrPtr*)( *((intOrPtr*)(__rcx + 0xf8)) + 8));
				 *((long long*)(_t339 + 0x10)) =  *((intOrPtr*)( *((intOrPtr*)(__rcx + 0xf8)) + 0x10));
				 *((long long*)(_t339 + 0x58)) =  *((intOrPtr*)( *((intOrPtr*)(__rcx + 0xf8)) + 0x58));
				 *((long long*)(_t339 + 0x60)) =  *((intOrPtr*)( *((intOrPtr*)(__rcx + 0xf8)) + 0x60));
				 *_t335 = r13d;
				if (_t341 == 0) goto 0x3b25ed3a;
				 *_t341 = r13d;
				if ( *((intOrPtr*)(__rcx + 0xf0)) == 0) goto 0x3b25ed49;
				asm("lock dec dword [eax]");
				if ( *((intOrPtr*)(__rcx + 0xe0)) == 0) goto 0x3b25ed79;
				asm("lock xadd [ecx], eax");
				if (1 != 1) goto 0x3b25ed79;
				E00007FF67FF63B256F7C(E00007FF67FF63B256F7C(_t152 | 0xffffffff,  *((intOrPtr*)(__rcx + 0xf0)),  *((intOrPtr*)(__rcx + 0xf8))),  *((intOrPtr*)(__rcx + 0xf0)),  *((intOrPtr*)(__rcx + 0xe0)));
				 *((long long*)(__rcx + 0xf0)) = _t341;
				 *((long long*)(__rcx + 0xe0)) = _t335;
				 *((long long*)(__rcx + 0xf8)) = _t339;
				return 0;
			}

0x7ff63b25e87c
0x7ff63b25e87c
0x7ff63b25e87c
0x7ff63b25e87c
0x7ff63b25e87c
0x7ff63b25e881
0x7ff63b25e886
0x7ff63b25e89b
0x7ff63b25e89e
0x7ff63b25e8a2
0x7ff63b25e8b0
0x7ff63b25e8b9
0x7ff63b25e8bb
0x7ff63b25e8c5
0x7ff63b25e8ca
0x7ff63b25e8d8
0x7ff63b25e8df
0x7ff63b25e8e2
0x7ff63b25e8ea
0x7ff63b25e8ef
0x7ff63b25e8fe
0x7ff63b25e905
0x7ff63b25e908
0x7ff63b25e910
0x7ff63b25e915
0x7ff63b25e91a
0x7ff63b25e923
0x7ff63b25e92f
0x7ff63b25e936
0x7ff63b25e939
0x7ff63b25e93e
0x7ff63b25e941
0x7ff63b25e946
0x7ff63b25e94e
0x7ff63b25e950
0x7ff63b25e957
0x7ff63b25e95e
0x7ff63b25e963
0x7ff63b25e969
0x7ff63b25e970
0x7ff63b25e975
0x7ff63b25e979
0x7ff63b25e97f
0x7ff63b25e987
0x7ff63b25e990
0x7ff63b25e995
0x7ff63b25e999
0x7ff63b25e99f
0x7ff63b25e9a7
0x7ff63b25e9b0
0x7ff63b25e9b7
0x7ff63b25e9bb
0x7ff63b25e9bf
0x7ff63b25e9c8
0x7ff63b25e9d0
0x7ff63b25e9d5
0x7ff63b25e9db
0x7ff63b25e9db
0x7ff63b25e9e2
0x7ff63b25e9e7
0x7ff63b25e9f1
0x7ff63b25e9f6
0x7ff63b25e9fc
0x7ff63b25ea05
0x7ff63b25ea09
0x7ff63b25ea12
0x7ff63b25ea17
0x7ff63b25ea1d
0x7ff63b25ea26
0x7ff63b25ea2a
0x7ff63b25ea33
0x7ff63b25ea3a
0x7ff63b25ea3e
0x7ff63b25ea42
0x7ff63b25ea4b
0x7ff63b25ea52
0x7ff63b25ea59
0x7ff63b25ea5d
0x7ff63b25ea61
0x7ff63b25ea6a
0x7ff63b25ea71
0x7ff63b25ea78
0x7ff63b25ea7c
0x7ff63b25ea80
0x7ff63b25ea89
0x7ff63b25ea90
0x7ff63b25ea97
0x7ff63b25ea9b
0x7ff63b25eaa4
0x7ff63b25eaab
0x7ff63b25eaaf
0x7ff63b25eab6
0x7ff63b25eaba
0x7ff63b25eabe
0x7ff63b25eac7
0x7ff63b25eace
0x7ff63b25ead5
0x7ff63b25ead9
0x7ff63b25eadd
0x7ff63b25eae6
0x7ff63b25eaed
0x7ff63b25eaf4
0x7ff63b25eaf8
0x7ff63b25eafc
0x7ff63b25eb05
0x7ff63b25eb0c
0x7ff63b25eb13
0x7ff63b25eb17
0x7ff63b25eb1b
0x7ff63b25eb24
0x7ff63b25eb2b
0x7ff63b25eb30
0x7ff63b25eb36
0x7ff63b25eb3f
0x7ff63b25eb43
0x7ff63b25eb4c
0x7ff63b25eb51
0x7ff63b25eb57
0x7ff63b25eb60
0x7ff63b25eb64
0x7ff63b25eb6d
0x7ff63b25eb72
0x7ff63b25eb78
0x7ff63b25eb81
0x7ff63b25eb85
0x7ff63b25eb8e
0x7ff63b25eb93
0x7ff63b25eb99
0x7ff63b25eba2
0x7ff63b25eba9
0x7ff63b25ebb2
0x7ff63b25ebb7
0x7ff63b25ebbd
0x7ff63b25ebc6
0x7ff63b25ebcd
0x7ff63b25ebd6
0x7ff63b25ebdd
0x7ff63b25ebdd
0x7ff63b25ebe4
0x7ff63b25ebea
0x7ff63b25ebf2
0x7ff63b25ebfa
0x7ff63b25ec01
0x7ff63b25ec1e
0x7ff63b25ec28
0x7ff63b25ec2d
0x7ff63b25ec35
0x7ff63b25ec3b
0x7ff63b25ec3b
0x7ff63b25ec41
0x7ff63b25ec43
0x7ff63b25ec45
0x7ff63b25ec4b
0x7ff63b25ec4e
0x7ff63b25ec52
0x7ff63b25ec54
0x7ff63b25ec5b
0x7ff63b25ec5d
0x7ff63b25ec60
0x7ff63b25ec64
0x7ff63b25ec6d
0x7ff63b25ec6f
0x7ff63b25ec75
0x7ff63b25ec83
0x7ff63b25ec86
0x7ff63b25ec8a
0x7ff63b25ec8e
0x7ff63b25ec93
0x7ff63b25ec97
0x7ff63b25ec9c
0x7ff63b25eca0
0x7ff63b25eca5
0x7ff63b25eca9
0x7ff63b25ecae
0x7ff63b25ecb2
0x7ff63b25ecb7
0x7ff63b25ecbb
0x7ff63b25ecc0
0x7ff63b25ecc4
0x7ff63b25ecca
0x7ff63b25ecce
0x7ff63b25ecd8
0x7ff63b25ecdd
0x7ff63b25ecdf
0x7ff63b25ecef
0x7ff63b25ecfd
0x7ff63b25ed0c
0x7ff63b25ed1b
0x7ff63b25ed2a
0x7ff63b25ed2e
0x7ff63b25ed35
0x7ff63b25ed37
0x7ff63b25ed44
0x7ff63b25ed46
0x7ff63b25ed53
0x7ff63b25ed58
0x7ff63b25ed5f
0x7ff63b25ed74
0x7ff63b25ed79
0x7ff63b25ed82
0x7ff63b25ed89
0x7ff63b25edad

Memory Dump Source

Source File: 00000000.00000002.556808357.00007FF63B241000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF63B240000, based on PE: true

Associated: 00000000.00000002.556798378.00007FF63B240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.556881205.00007FF63B27C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.556890864.00007FF63B27F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.556890864.00007FF63B284000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.557189912.00007FF63B32C000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.557371250.00007FF63B3E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.557378386.00007FF63B3E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63b240000_1q3HnZAcnJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c8e939dcc2d2671d7dd44d6ebdbfecaa6f8848426abbf99a73ead18919da4e9
Instruction ID: d77151dea96cbf66ce10d0739b9970a71648b6ce16f411769acdc1e6e475221a
Opcode Fuzzy Hash: 9c8e939dcc2d2671d7dd44d6ebdbfecaa6f8848426abbf99a73ead18919da4e9
Instruction Fuzzy Hash: F2E1D032A04B8585E710DB61E9416FE77A4FB58788F014632DF9D937AAEF38D245D308

Uniqueness

Uniqueness Score: -1.00%

Function 00000191ECDFDD68 Relevance: 1.8, APIs: 1, Instructions: 326COMMONLIBRARYCODE

Download Yara Rule

APIs

_clrfp.LIBCMT ref: 00000191ECDFDFB7

Memory Dump Source

Source File: 00000000.00000002.556733649.00000191ECDF1000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000191ECDF1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_191ecdf1000_1q3HnZAcnJ.jbxd

Similarity

API ID: _clrfp
String ID:
API String ID: 3618594692-0
Opcode ID: 271c0d8bf9f0ad158ff07bec116ba512e9fe6929010cab1ea0d58cf796623e8d
Instruction ID: 31e4b53b456ea6e96284c34374a4e6f43393f9d27b2ea373a43915dfd2f2897e
Opcode Fuzzy Hash: 271c0d8bf9f0ad158ff07bec116ba512e9fe6929010cab1ea0d58cf796623e8d
Instruction Fuzzy Hash: D0C18F31910A8ECFEB99CF1CC89AB9573E0FF55304F198599E859CB2A1C336D892CB41

Uniqueness

Uniqueness Score: -1.00%

Function 00000191EB4BFBD8 Relevance: 1.8, APIs: 1, Instructions: 326COMMONLIBRARYCODE

Download Yara Rule

APIs

_clrfp.LIBCMT ref: 00000191EB4BFE27

Memory Dump Source

Source File: 00000000.00000002.556430783.00000191EB4B1000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000191EB4B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_191eb4b1000_1q3HnZAcnJ.jbxd

Similarity

API ID: _clrfp
String ID:
API String ID: 3618594692-0
Opcode ID: 57c0aad7674539f30f3b5eb1b32e0dbdf3af3d9e6d373f3973137eb903cdae01
Instruction ID: 79937fb03e46ff06afba3843e11eee086f1014226332f0152cb27fadf1c10aef
Opcode Fuzzy Hash: 57c0aad7674539f30f3b5eb1b32e0dbdf3af3d9e6d373f3973137eb903cdae01
Instruction Fuzzy Hash: 74C14C31510A4E9FEB9ACF1CC4D6BA577E0FB59304F148599E89BCB2A2C335D892CB11

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF63B25BA78 Relevance: 1.7, APIs: 1, Instructions: 233
COMMONLIBRARYCODECrypto

Download Yara Rule

C-Code - Quality: 47%

			E00007FF67FF63B25BA78(signed int __eax, long long __rbx, long long __rcx, signed long long* __rdx, long long __rdi, long long __rsi, signed int* _a8, void* _a16, void* _a24, void* _a32, signed int* _a40, signed int* _a48, intOrPtr _a56) {
				signed int _t149;
				signed int _t153;
				signed int _t157;
				signed int _t184;
				signed int _t219;
				void* _t222;
				signed long long _t241;
				signed long long _t242;
				signed int* _t267;
				signed int* _t268;
				signed int* _t269;
				signed long long _t273;
				signed int* _t276;
				signed int _t280;
				signed int* _t284;
				void* _t286;
				void* _t289;

				_t222 = _t289;
				 *((long long*)(_t222 + 0x10)) = __rbx;
				 *((long long*)(_t222 + 0x18)) = __rsi;
				 *((long long*)(_t222 + 0x20)) = __rdi;
				 *((long long*)(_t222 + 8)) = __rcx;
				 *((intOrPtr*)(__rcx + 4)) = 0;
				_a8[2] = 0;
				_a8[3] = 0;
				if ((r8b & 0x00000010) == 0) goto 0x3b25bac4;
				_a8[1] = _a8[1] | 0x00000001;
				if ((r8b & 0x00000002) == 0) goto 0x3b25bad7;
				_a8[1] = _a8[1] | 0x00000002;
				if ((r8b & 0x00000001) == 0) goto 0x3b25baea;
				_a8[1] = _a8[1] | 0x00000004;
				if ((r8b & 0x00000004) == 0) goto 0x3b25bafd;
				_a8[1] = _a8[1] | 0x00000008;
				if ((r8b & 0x00000008) == 0) goto 0x3b25bb10;
				_a8[1] = _a8[1] | 0x00000010;
				_t267 = _a8;
				_t149 = ( !(__eax << 4) ^  *(_t267 + 8)) & 0x00000010;
				 *(_t267 + 8) =  *(_t267 + 8) ^ _t149;
				_t268 = _a8;
				_t153 = ( !(_t149 << 3) ^  *(_t268 + 8)) & 0x00000008;
				 *(_t268 + 8) =  *(_t268 + 8) ^ _t153;
				_t269 = _a8;
				_t157 = ( !(_t153 << 2) ^  *(_t269 + 8)) & 0x00000004;
				 *(_t269 + 8) =  *(_t269 + 8) ^ _t157;
				_a8[2] = _a8[2] ^ ( !(_t157 + _t157) ^ _a8[2]) & 0x00000002;
				_a8[2] = _a8[2] ^ ( !( *__rdx) ^ _a8[2]) & 0x00000001;
				if ((E00007FF67FF63B25BEA0() & 0x00000001) == 0) goto 0x3b25bb9c;
				_a8[3] = _a8[3] | 0x00000010;
				if (0 == 0) goto 0x3b25bba9;
				_t273 = _a8;
				 *(_t273 + 0xc) =  *(_t273 + 0xc) | 0x00000008;
				if (0 == 0) goto 0x3b25bbb6;
				_a8[3] = _a8[3] | 0x00000004;
				if (0 == 0) goto 0x3b25bbc3;
				_a8[3] = _a8[3] | 0x00000002;
				if (0 == 0) goto 0x3b25bbd0;
				_t241 = _a8;
				 *(_t241 + 0xc) =  *(_t241 + 0xc) | 0x00000001;
				_t242 = _t241 & _t273;
				if (0 == 0) goto 0x3b25bc1a;
				if (_t242 == 0x2000) goto 0x3b25bc0a;
				if (_t242 == 0x4000) goto 0x3b25bbfa;
				if (_t242 != _t273) goto 0x3b25bc21;
				 *_a8 =  *_a8 | 0x00000003;
				goto 0x3b25bc21;
				 *_a8 =  *_a8 & 0xfffffffe;
				 *_a8 =  *_a8 | 0x00000002;
				goto 0x3b25bc21;
				 *_a8 =  *_a8 & 0xfffffffd;
				 *_a8 =  *_a8 | 0x00000001;
				goto 0x3b25bc21;
				 *_a8 =  *_a8 & 0xfffffffc;
				 *_a8 =  *_a8 & 0xfffe001f;
				 *_a8 =  *_a8 | (r9d & 0x00000fff) << 0x00000005;
				_t284 = _a48;
				_a8[8] = _a8[8] | 0x00000001;
				if (_a56 == 0) goto 0x3b25bc7f;
				_a8[8] = _a8[8] & 0xffffffe1;
				_a8[4] =  *_a40;
				_a8[0x18] = _a8[0x18] | 0x00000001;
				_a8[0x18] = _a8[0x18] & 0xffffffe1;
				_a8[0x14] =  *_t284;
				goto 0x3b25bcc7;
				r8d = 0xffffffe3;
				_a8[8] = _a8[8] & r8d | 0x00000002;
				_a8[4] =  *_a40;
				_a8[0x18] = _a8[0x18] | 0x00000001;
				_a8[0x18] = _a8[0x18] & r8d | 0x00000002;
				_t280 =  *_t284;
				_a8[0x14] = _t280;
				E00007FF67FF63B25BDE4();
				_t122 = _t280 + 1; // 0x1
				r8d = _t122;
				0x3b2a9748(_t286);
				_t276 = _a8;
				if ((_t276[2] & 0x00000010) == 0) goto 0x3b25bcf1;
				asm("dec eax");
				if ((_t276[2] & 0x00000008) == 0) goto 0x3b25bcfd;
				asm("dec eax");
				if ((_t276[2] & 0x00000004) == 0) goto 0x3b25bd09;
				asm("dec eax");
				if ((_t276[2] & 0x00000002) == 0) goto 0x3b25bd15;
				asm("dec eax");
				_t219 = _t276[2] & 0x00000001;
				if (_t219 == 0) goto 0x3b25bd1e;
				asm("dec eax");
				if (_t219 == 0) goto 0x3b25bd55;
				if (_t219 == 0) goto 0x3b25bd49;
				if (_t219 == 0) goto 0x3b25bd3d;
				if (( *_t276 & 0x00000003) != 1) goto 0x3b25bd5c;
				 *__rdx =  *__rdx | 0x00006000;
				goto 0x3b25bd5c;
				asm("dec eax");
				asm("dec eax");
				goto 0x3b25bd5c;
				asm("dec eax");
				asm("dec eax");
				goto 0x3b25bd5c;
				 *__rdx =  *__rdx & 0xffff9fff;
				if (_a56 == 0) goto 0x3b25bd69;
				_t184 = _t276[0x14];
				 *_t284 = _t184;
				goto 0x3b25bd70;
				 *_t284 = _t276[0x14];
				return _t184;
			}

0x7ff63b25ba78
0x7ff63b25ba7b
0x7ff63b25ba7f
0x7ff63b25ba83
0x7ff63b25ba87
0x7ff63b25baa0
0x7ff63b25baa7
0x7ff63b25baae
0x7ff63b25bab5
0x7ff63b25bac0
0x7ff63b25bac8
0x7ff63b25bad3
0x7ff63b25badb
0x7ff63b25bae6
0x7ff63b25baee
0x7ff63b25baf9
0x7ff63b25bb01
0x7ff63b25bb0c
0x7ff63b25bb10
0x7ff63b25bb23
0x7ff63b25bb26
0x7ff63b25bb29
0x7ff63b25bb3c
0x7ff63b25bb3f
0x7ff63b25bb42
0x7ff63b25bb55
0x7ff63b25bb58
0x7ff63b25bb70
0x7ff63b25bb85
0x7ff63b25bb92
0x7ff63b25bb98
0x7ff63b25bb9f
0x7ff63b25bba1
0x7ff63b25bba5
0x7ff63b25bbac
0x7ff63b25bbb2
0x7ff63b25bbb9
0x7ff63b25bbbf
0x7ff63b25bbc6
0x7ff63b25bbc8
0x7ff63b25bbcc
0x7ff63b25bbd7
0x7ff63b25bbda
0x7ff63b25bbe2
0x7ff63b25bbea
0x7ff63b25bbef
0x7ff63b25bbf5
0x7ff63b25bbf8
0x7ff63b25bbfe
0x7ff63b25bc05
0x7ff63b25bc08
0x7ff63b25bc0e
0x7ff63b25bc15
0x7ff63b25bc18
0x7ff63b25bc1e
0x7ff63b25bc2e
0x7ff63b25bc38
0x7ff63b25bc3e
0x7ff63b25bc42
0x7ff63b25bc4a
0x7ff63b25bc55
0x7ff63b25bc62
0x7ff63b25bc69
0x7ff63b25bc71
0x7ff63b25bc7a
0x7ff63b25bc7d
0x7ff63b25bc83
0x7ff63b25bc92
0x7ff63b25bca0
0x7ff63b25bca8
0x7ff63b25bcb9
0x7ff63b25bcc0
0x7ff63b25bcc3
0x7ff63b25bcc7
0x7ff63b25bcd4
0x7ff63b25bcd4
0x7ff63b25bcd8
0x7ff63b25bcde
0x7ff63b25bce7
0x7ff63b25bce9
0x7ff63b25bcf3
0x7ff63b25bcf5
0x7ff63b25bcff
0x7ff63b25bd01
0x7ff63b25bd0b
0x7ff63b25bd0d
0x7ff63b25bd15
0x7ff63b25bd17
0x7ff63b25bd19
0x7ff63b25bd23
0x7ff63b25bd28
0x7ff63b25bd2d
0x7ff63b25bd32
0x7ff63b25bd34
0x7ff63b25bd3b
0x7ff63b25bd3d
0x7ff63b25bd42
0x7ff63b25bd47
0x7ff63b25bd49
0x7ff63b25bd4e
0x7ff63b25bd53
0x7ff63b25bd55
0x7ff63b25bd60
0x7ff63b25bd62
0x7ff63b25bd65
0x7ff63b25bd67
0x7ff63b25bd6d
0x7ff63b25bd84

APIs

_clrfp.LIBCMT ref: 00007FF63B25BCC7

Memory Dump Source

Source File: 00000000.00000002.556808357.00007FF63B241000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF63B240000, based on PE: true

Associated: 00000000.00000002.556798378.00007FF63B240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.556881205.00007FF63B27C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.556890864.00007FF63B27F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.556890864.00007FF63B284000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.557189912.00007FF63B32C000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.557371250.00007FF63B3E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.557378386.00007FF63B3E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63b240000_1q3HnZAcnJ.jbxd

Similarity

API ID: _clrfp
String ID:
API String ID: 3618594692-0
Opcode ID: 5b81b9c7d7bc20fd4ec6fdca5d2e2d151a845ab1815c54bbf80251bc5b1fec34
Instruction ID: c09731e8de037208f5c9c4ce14c4a8da0a3cc3fc15cc296b40aaaee8ac6ca02f
Opcode Fuzzy Hash: 5b81b9c7d7bc20fd4ec6fdca5d2e2d151a845ab1815c54bbf80251bc5b1fec34
Instruction Fuzzy Hash: 79B14D77601B498BEB15CF29C58636C77A0F748B48F148A22EA9D877B8CF39D851D704

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF63B241910 Relevance: 1.5, Strings: 1, Instructions: 295
COMMONCrypto

Download Yara Rule

C-Code - Quality: 91%

			E00007FF67FF63B241910(long long __rbx, void* __rcx, long long __rsi, void* __r9, void* __r10) {
				signed int _t120;
				void* _t122;
				void* _t129;
				signed int _t133;
				signed int _t136;
				signed int _t138;
				signed int _t139;
				signed int _t153;
				signed int _t154;
				signed int _t158;
				intOrPtr _t160;
				signed int _t163;
				signed int _t166;
				signed int _t200;
				signed int _t212;
				void* _t218;
				void* _t219;
				signed long long _t225;
				unsigned long long _t231;
				void* _t249;
				signed long long _t251;
				signed int* _t254;
				unsigned long long _t256;
				signed long long _t258;
				void* _t259;
				signed char* _t260;
				signed char* _t261;
				unsigned long long _t269;
				long long _t281;
				void* _t286;
				void* _t294;
				signed int _t295;
				signed int _t297;
				intOrPtr* _t300;
				intOrPtr* _t302;
				void* _t306;
				signed int* _t308;
				signed long long _t313;
				signed long long _t322;

				 *((long long*)(_t286 + 8)) = __rbx;
				 *((long long*)(_t286 + 0x10)) = _t281;
				 *((long long*)(_t286 + 0x20)) = __rsi;
				 *(__rcx + 0x3cc) = 0x10;
				 *(__rcx + 0x3d0) = 0x10;
				asm("movups xmm0, [0x33d36]");
				asm("movups [ecx+0x3d8], xmm0");
				asm("movups xmm1, [0x33d28]");
				asm("movups [ecx+0x3f8], xmm1");
				_t120 =  *(__rcx + 0x3cc);
				_t158 =  *(__rcx + 0x3d0);
				if (_t120 == 0x10) goto 0x3b241987;
				if (_t120 != 0x18) goto 0x3b2419a1;
				_t122 =  !=  ? 0xc : 0xe;
				goto 0x3b2419a1;
				if (_t158 != 0x10) goto 0x3b241991;
				goto 0x3b2419a1;
				_t125 =  ==  ? 0xc : 0xe;
				 *((intOrPtr*)(__rcx + 0x3d4)) =  ==  ? 0xc : 0xe;
				asm("cdq");
				_t322 = _t158 >> 2;
				if ( *((intOrPtr*)(__rcx + 0x3d4)) < 0) goto 0x3b2419ee;
				if (r14d <= 0) goto 0x3b2419de;
				_t129 = E00007FF67FF63B24A830(_t158 >> 2, 0, __rcx + 0xc, _t259, _t322 << 2);
				_t160 =  *((intOrPtr*)(__rcx + 0x3d4));
				if (1 - _t160 <= 0) goto 0x3b2419c8;
				if (_t160 < 0) goto 0x3b241a26;
				if (r14d <= 0) goto 0x3b241a16;
				_t249 = __rcx + 0x1ec;
				E00007FF67FF63B24A830(_t129, 0, _t249, _t259, _t322 << 2);
				if (1 -  *((intOrPtr*)(__rcx + 0x3d4)) <= 0) goto 0x3b241a00;
				asm("cdq");
				_t200 = (_t249 + 1) * r14d;
				_t260 = "asdfwetyhjuytrfd";
				_t133 =  *(__rcx + 0x3cc) >> 2;
				_t313 = _t133;
				_t212 = _t133;
				if (_t212 <= 0) goto 0x3b241a9c;
				r9d = r12d;
				_t294 = __rcx + 0x41c;
				_t163 = ( *_t260 & 0x000000ff) << 0x18;
				_t261 =  &(_t260[4]);
				 *(_t294 - 4) = _t163;
				_t136 = ( *(_t261 - 3) & 0x000000ff) << 0x00000010 | _t163;
				 *(_t294 - 4) = _t136;
				_t166 = ( *(_t261 - 2) & 0x000000ff) << 0x00000008 | _t136;
				 *(_t294 - 4) = _t166;
				 *(_t294 - 4) = _t166 |  *(_t261 - 1) & 0x000000ff;
				if (_t212 != 0) goto 0x3b241a60;
				r11d = 0;
				if (r12d <= 0) goto 0x3b241afe;
				r10d = 0;
				_t300 = __rcx + 0x418;
				if (r11d - _t200 >= 0) goto 0x3b241cd8;
				_t138 = r11d;
				_t306 = __r10 + 1;
				asm("cdq");
				r11d = r11d + 1;
				_t139 = _t138 / r14d;
				_t295 = _t138 % r14d;
				 *((intOrPtr*)(__rcx + 0xc + (_t295 + _t139 * 8) * 4)) =  *_t300;
				_t251 = _t295 + ( *((intOrPtr*)(__rcx + 0x3d4)) - _t139) * 8;
				 *((intOrPtr*)(__rcx + 0x1ec + _t251 * 4)) =  *_t300;
				if (_t306 - _t313 < 0) goto 0x3b241ab5;
				if (r11d - _t200 >= 0) goto 0x3b241cd8;
				asm("o16 nop [eax+eax]");
				r10d =  *(__rcx + 0x414 + _t313 * 4);
				_t231 = r10d >> 8;
				r9d =  *(_t251 + 0x7ff63b273900);
				r9d = r9d ^  *0x3b274e60 & 0x000000ff;
				r9d = r9d << 8;
				r9d = r9d ^  *(_t251 + 0x7ff63b273900) & 0x000000ff;
				r9d = r9d << 8;
				r9d = r9d ^  *(_t231 + 0x7ff63b273900) & 0x000000ff;
				r9d = r9d << 8;
				r9d = r9d ^  *((_t231 >> 0x18) + 0x7ff63b273900) & 0x000000ff;
				 *(__rcx + 0x418) =  *(__rcx + 0x418) ^ r9d;
				if (r12d == 8) goto 0x3b241bc4;
				_t218 = _t313 - 1;
				if (_t218 <= 0) goto 0x3b241c71;
				 *(__rcx + 0x41c) =  *(__rcx + 0x41c) ^  *(__rcx + 0x41c - 4);
				if (_t218 != 0) goto 0x3b241bb0;
				goto 0x3b241c76;
				_t254 = __rcx + 0x41c;
				 *_t254 =  *_t254 ^  *(_t254 - 4);
				if (_t218 != 0) goto 0x3b241bd0;
				_t256 =  &(_t254[1]) >> 0x18;
				r8d =  *(_t256 + 0x7ff63b273900);
				r8d = r8d << 8;
				r8d = r8d ^  *(_t256 + 0x7ff63b273900) & 0x000000ff;
				r8d = r8d << 8;
				r8d = r8d ^  *(_t256 + 0x7ff63b273900) & 0x000000ff;
				r8d = r8d << 8;
				r8d = r8d ^  *(( *(__rcx + 0x424) >> 8) + 0x7ff63b273900) & 0x000000ff;
				 *(__rcx + 0x428) =  *(__rcx + 0x428) ^ r8d;
				_t219 = _t313 - 5;
				if (_t219 <= 0) goto 0x3b241c71;
				 *(__rcx + 0x42c) =  *(__rcx + 0x42c) ^  *(__rcx + 0x42c - 4);
				if (_t219 != 0) goto 0x3b241c60;
				goto 0x3b241c76;
				if (r12d <= 0) goto 0x3b241cc5;
				_t302 = __rcx + 0x418;
				r10d = 0;
				if (r11d - _t200 >= 0) goto 0x3b241cce;
				_t153 = r11d;
				asm("cdq");
				r11d = r11d + 1;
				_t154 = _t153 / r14d;
				_t297 = _t153 % r14d;
				_t269 = _t297 + _t154 * 8;
				 *((intOrPtr*)(__rcx + 0xc + _t269 * 4)) =  *_t302;
				_t258 = _t297 + ( *((intOrPtr*)(__rcx + 0x3d4)) - _t154) * 8;
				 *((intOrPtr*)(__rcx + 0x1ec + _t258 * 4)) =  *_t302;
				if (_t306 + 1 - _t313 < 0) goto 0x3b241c80;
				if (r11d - _t200 < 0) goto 0x3b241b20;
				if ( *((intOrPtr*)(__rcx + 0x3d4)) - 1 <= 0) goto 0x3b241d66;
				_t225 = _t322;
				if (_t225 <= 0) goto 0x3b241d52;
				_t308 = __rcx + 0x20c;
				r8d =  *(0x7ff63b240000 + 0x35280 + (_t269 >> 0x18) * 4);
				r8d = r8d ^  *(0x7ff63b240000 + 0x33a00 + _t258 * 4);
				r8d = r8d ^  *(0x7ff63b240000 + 0x34200 + _t258 * 4);
				r8d = r8d ^  *(0x7ff63b240000 + 0x34e80 + ( *_t308 >> 8) * 4);
				 *( &(_t308[1]) - 4) = r8d;
				if (_t225 != 0) goto 0x3b241d00;
				if (2 -  *((intOrPtr*)(__rcx + 0x3d4)) < 0) goto 0x3b241cf0;
				 *((char*)(__rcx + 8)) = 1;
				goto 0x3b241d6a;
				 *((intOrPtr*)(__rcx + 8)) = dil;
				return r9b & 0xffffffff;
			}

0x7ff63b241910
0x7ff63b241915
0x7ff63b24191a
0x7ff63b24192c
0x7ff63b241939
0x7ff63b241943
0x7ff63b24194a
0x7ff63b241951
0x7ff63b241958
0x7ff63b24195f
0x7ff63b241965
0x7ff63b24196e
0x7ff63b241978
0x7ff63b241982
0x7ff63b241985
0x7ff63b24198a
0x7ff63b24198f
0x7ff63b24199e
0x7ff63b2419a1
0x7ff63b2419b1
0x7ff63b2419ba
0x7ff63b2419c2
0x7ff63b2419cb
0x7ff63b2419d9
0x7ff63b2419de
0x7ff63b2419ec
0x7ff63b2419f2
0x7ff63b241a03
0x7ff63b241a0e
0x7ff63b241a11
0x7ff63b241a24
0x7ff63b241a2f
0x7ff63b241a30
0x7ff63b241a40
0x7ff63b241a47
0x7ff63b241a4a
0x7ff63b241a4d
0x7ff63b241a4f
0x7ff63b241a51
0x7ff63b241a63
0x7ff63b241a67
0x7ff63b241a6a
0x7ff63b241a6e
0x7ff63b241a79
0x7ff63b241a7b
0x7ff63b241a86
0x7ff63b241a88
0x7ff63b241a92
0x7ff63b241a9a
0x7ff63b241a9c
0x7ff63b241aa9
0x7ff63b241aab
0x7ff63b241aae
0x7ff63b241ab8
0x7ff63b241abe
0x7ff63b241ac1
0x7ff63b241ac4
0x7ff63b241ac5
0x7ff63b241ac8
0x7ff63b241ace
0x7ff63b241ad8
0x7ff63b241ae7
0x7ff63b241af2
0x7ff63b241afc
0x7ff63b241b01
0x7ff63b241b15
0x7ff63b241b20
0x7ff63b241b41
0x7ff63b241b45
0x7ff63b241b4e
0x7ff63b241b54
0x7ff63b241b60
0x7ff63b241b67
0x7ff63b241b73
0x7ff63b241b7d
0x7ff63b241b89
0x7ff63b241b8c
0x7ff63b241b97
0x7ff63b241b99
0x7ff63b241b9d
0x7ff63b241bb3
0x7ff63b241bbd
0x7ff63b241bbf
0x7ff63b241bc4
0x7ff63b241bd3
0x7ff63b241bdd
0x7ff63b241bea
0x7ff63b241bf5
0x7ff63b241c01
0x7ff63b241c0d
0x7ff63b241c17
0x7ff63b241c26
0x7ff63b241c2c
0x7ff63b241c38
0x7ff63b241c3b
0x7ff63b241c42
0x7ff63b241c46
0x7ff63b241c63
0x7ff63b241c6d
0x7ff63b241c6f
0x7ff63b241c74
0x7ff63b241c76
0x7ff63b241c7d
0x7ff63b241c83
0x7ff63b241c85
0x7ff63b241c8b
0x7ff63b241c8c
0x7ff63b241c8f
0x7ff63b241c95
0x7ff63b241c98
0x7ff63b241c9f
0x7ff63b241cae
0x7ff63b241cb9
0x7ff63b241cc3
0x7ff63b241cc8
0x7ff63b241ce3
0x7ff63b241cf0
0x7ff63b241cf3
0x7ff63b241cf5
0x7ff63b241d21
0x7ff63b241d29
0x7ff63b241d38
0x7ff63b241d40
0x7ff63b241d48
0x7ff63b241d50
0x7ff63b241d5e
0x7ff63b241d60
0x7ff63b241d64
0x7ff63b241d66
0x7ff63b241d86

Strings

asdfwetyhjuytrfd, xrefs: 00007FF63B241A40

Memory Dump Source

Source File: 00000000.00000002.556808357.00007FF63B241000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF63B240000, based on PE: true

Associated: 00000000.00000002.556798378.00007FF63B240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.556881205.00007FF63B27C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.556890864.00007FF63B27F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.556890864.00007FF63B284000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.557189912.00007FF63B32C000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.557371250.00007FF63B3E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.557378386.00007FF63B3E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63b240000_1q3HnZAcnJ.jbxd

Similarity

API ID:
String ID: asdfwetyhjuytrfd
API String ID: 0-3432166582
Opcode ID: e0c8495275b225bfc5f6123e47a946111061d65a3aabfb5c2d1251ce4bdc6e4e
Instruction ID: 731595d9702f3f5c6c42fae4022152f0b4fa1c96b7a36c451ac63efd28dcaa05
Opcode Fuzzy Hash: e0c8495275b225bfc5f6123e47a946111061d65a3aabfb5c2d1251ce4bdc6e4e
Instruction Fuzzy Hash: F8C14572B041918AE725CF2AD6507FD3F90EB48B49F85823ADA898B755CE7CE641D700

Uniqueness

Uniqueness Score: -1.00%

Function 00000191EB4B3AD8 Relevance: 1.5, Strings: 1, Instructions: 260COMMON

Download Yara Rule

Strings

0, xrefs: 00000191EB4B3C71

Memory Dump Source

Source File: 00000000.00000002.556430783.00000191EB4B1000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000191EB4B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_191eb4b1000_1q3HnZAcnJ.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: 0
API String ID: 3215553584-4108050209
Opcode ID: 7795948cfd765bef9381294a4e1b829f89c49aa63f3f1a464909e031b2790c9f
Instruction ID: a6b1e890790297833d37ab6b8f635019ad45b2a99828b27d88ce4dc740bf6a52
Opcode Fuzzy Hash: 7795948cfd765bef9381294a4e1b829f89c49aa63f3f1a464909e031b2790c9f
Instruction Fuzzy Hash: 0071343529C64B6BFAAB8A1F85F53E573D2F745304F64150DDE87872CBC62188C78262

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF63B250B2C Relevance: .5, Instructions: 535COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.556808357.00007FF63B241000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF63B240000, based on PE: true

Associated: 00000000.00000002.556798378.00007FF63B240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.556881205.00007FF63B27C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.556890864.00007FF63B27F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.556890864.00007FF63B284000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.557189912.00007FF63B32C000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.557371250.00007FF63B3E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.557378386.00007FF63B3E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63b240000_1q3HnZAcnJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90c408ca2bdfafd6fa989b2a9d0995db3b621eed4d7e849dfa8481d5330a0df5
Instruction ID: dc418d0683bdccf8437aab9194647d5b3e4bf59542fd0b989cc2908e9fac15b3
Opcode Fuzzy Hash: 90c408ca2bdfafd6fa989b2a9d0995db3b621eed4d7e849dfa8481d5330a0df5
Instruction Fuzzy Hash: 49426421D2DE8689E6538F35AA117356324BF5A3C5F018333ED8EBA774DF6CA442A604

Uniqueness

Uniqueness Score: -1.00%

Function 00000191EB4BD9AC Relevance: .5, Instructions: 520COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.556430783.00000191EB4B1000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000191EB4B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_191eb4b1000_1q3HnZAcnJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 724baf72195310b1dc216f7aa84dc3b548b0c8b89f03789b1ede33962e9eb6f3
Instruction ID: 5f386365a4a688349c158d519e3f123b86b5857d2425bd967a9266d7b7eab285
Opcode Fuzzy Hash: 724baf72195310b1dc216f7aa84dc3b548b0c8b89f03789b1ede33962e9eb6f3
Instruction Fuzzy Hash: CFF12430648E4D5BD71AEF6DC8D42E9B7E1FB98310F1442AED88BD7192DA30D546CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF63B25020C Relevance: .4, Instructions: 372
COMMONCrypto

Download Yara Rule

C-Code - Quality: 35%

			E00007FF67FF63B25020C(signed long long __rbx, long long __rcx, long long __rsi) {
				void* __rdi;
				void* _t121;
				void* _t123;
				void* _t125;
				void* _t127;
				void* _t129;
				void* _t132;
				signed int _t133;
				signed int _t155;
				void* _t165;
				void* _t172;
				signed int _t188;
				signed int _t194;
				void* _t199;
				signed long long _t237;
				signed long long _t238;
				signed int _t239;
				long long _t240;
				signed long long _t241;
				long long _t243;
				long long _t252;
				signed char* _t260;
				long long _t264;
				void* _t266;
				signed long long _t279;
				void* _t282;
				signed char* _t289;
				void* _t291;
				long long _t294;
				long long _t296;
				signed long long _t297;
				void* _t299;
				signed long long _t300;
				char* _t304;
				void* _t310;
				void* _t313;
				void* _t315;
				signed long long _t316;
				void* _t318;
				signed long long _t319;
				void* _t320;
				void* _t322;
				signed long long _t323;
				void* _t325;
				intOrPtr* _t326;

				_t294 = __rsi;
				_t252 = __rbx;
				_t313 = _t299;
				 *((long long*)(_t313 + 0x10)) = __rbx;
				 *((long long*)(_t313 + 0x18)) = _t296;
				 *((long long*)(_t313 + 0x20)) = __rsi;
				_t300 = _t299 - 0xa0;
				_t237 =  *0x3b27a028; // 0x7f80d271952
				_t238 = _t237 ^ _t300;
				 *(_t300 + 0x98) = _t238;
				 *((long long*)(_t313 - 0x58)) = __rcx;
				 *((long long*)(_t313 - 0x50)) = __rbx;
				r13d = 0;
				r14d = 0;
				r12d = 0;
				if ( *((intOrPtr*)(__rcx + 0x138)) == 0) goto 0x3b2507ef;
				_t326 = __rcx + 0xc;
				 *(_t300 + 0x58) = __rbx;
				_t10 = _t252 + 1; // 0x1
				_t199 = _t10;
				if ( *_t326 != 0) goto 0x3b250294;
				 *((long long*)(_t300 + 0x20)) = _t326;
				r9d = 0x1004;
				if (E00007FF67FF63B25AFDC(_t172, 0, _t313 - 0x58,  *((intOrPtr*)(__rcx + 0x138)), _t310, _t313) != 0) goto 0x3b2507bf;
				_t256 = __rsi;
				_t121 = E00007FF67FF63B257AF8(_t120, __rsi, _t282);
				 *(_t300 + 0x58) = _t238;
				_t123 = E00007FF67FF63B257AF8(E00007FF67FF63B256F7C(_t121, _t238, __rsi), __rsi, _t282);
				_t319 = _t238;
				_t125 = E00007FF67FF63B257AF8(E00007FF67FF63B256F7C(_t123, _t238, __rsi), _t256, __rsi);
				_t323 = _t238;
				_t127 = E00007FF67FF63B257AF8(E00007FF67FF63B256F7C(_t125, _t238, _t256), _t256, __rsi);
				_t297 = _t238;
				_t129 = E00007FF67FF63B257AF8(E00007FF67FF63B256F7C(_t127, _t238, _t256), _t256, __rsi);
				_t316 = _t238;
				E00007FF67FF63B256F7C(_t129, _t238, _t256);
				if ( *(_t300 + 0x58) == __rbx) goto 0x3b2507bf;
				if (_t319 == 0) goto 0x3b2507bf;
				if (_t316 == 0) goto 0x3b2507bf;
				if (_t323 == 0) goto 0x3b2507bf;
				if (_t297 == 0) goto 0x3b2507bf;
				 *_t316 = 0;
				_t132 = 0 + _t199;
				if (_t132 - 0x100 < 0) goto 0x3b25033b;
				0x3b2a6108(_t325, _t322, _t318, _t315, _t291);
				if (_t132 == 0) goto 0x3b2507bf;
				if ( *(_t300 + 0x80) - 5 > 0) goto 0x3b2507bf;
				_t133 =  *(_t300 + 0x80) & 0x0000ffff;
				 *(_t300 + 0x50) = _t133;
				if (_t133 - _t199 <= 0) goto 0x3b2503db;
				if ( *_t326 != 0xfde9) goto 0x3b2503a0;
				_t19 = _t316 + 0x80; // 0x80
				r8d = 0x80;
				E00007FF67FF63B24A830(_t133, 0x20, _t19, _t300 + 0x80,  *((intOrPtr*)(__rcx + 0x138)));
				goto 0x3b2503db;
				_t260 = _t300 + 0x86;
				if ( *((intOrPtr*)(_t300 + 0x86)) == 0) goto 0x3b2503db;
				if (_t260[1] == 0) goto 0x3b2503db;
				_t194 =  *_t260 & 0x000000ff;
				if (_t194 - (_t260[1] & 0x000000ff) > 0) goto 0x3b2503d3;
				_t239 = _t194;
				 *((char*)(_t239 + _t316)) = 0x20;
				if (_t194 + _t199 - (_t260[1] & 0x000000ff) <= 0) goto 0x3b2503c1;
				if (_t260[2] != 0) goto 0x3b2503b1;
				_t26 = _t323 + 0x81; // 0x81
				_t28 = _t316 + 1; // 0x1
				 *((intOrPtr*)(_t300 + 0x40)) = 0;
				 *((intOrPtr*)(_t300 + 0x38)) =  *_t326;
				 *((intOrPtr*)(_t300 + 0x30)) = 0xff;
				 *((long long*)(_t300 + 0x28)) = _t26;
				 *((intOrPtr*)(_t300 + 0x20)) = 0xff;
				_t34 = _t239 + 1; // 0x100
				r8d = _t34;
				if (E00007FF67FF63B25B64C(0, 0, _t194 + _t199, _t260[2], _t239, __rbx, _t26,  *((intOrPtr*)(__rcx + 0x138)), __rsi, _t28, _t310, _t313) == 0) goto 0x3b2507bf;
				_t35 = _t297 + 0x81; // 0x81
				_t37 = _t316 + 1; // 0x1
				 *((intOrPtr*)(_t300 + 0x40)) = 0;
				r8d = 0x200;
				 *((intOrPtr*)(_t300 + 0x38)) =  *_t326;
				 *((intOrPtr*)(_t300 + 0x30)) = 0xff;
				 *((long long*)(_t300 + 0x28)) = _t35;
				 *((intOrPtr*)(_t300 + 0x20)) = 0xff;
				if (E00007FF67FF63B25B64C(0, 0, _t194 + _t199, E00007FF67FF63B25B64C(0, 0, _t194 + _t199, _t260[2], _t239, __rbx, _t26,  *((intOrPtr*)(__rcx + 0x138)), __rsi, _t28, _t310, _t313), _t239, _t252, _t35,  *((intOrPtr*)(__rcx + 0x138)), _t294, _t37, _t310, _t313) == 0) goto 0x3b2507bf;
				_t43 = _t319 + 0x100; // 0x100
				_t264 = _t43;
				 *((intOrPtr*)(_t300 + 0x30)) = 0;
				r9d = 0x100;
				 *((intOrPtr*)(_t300 + 0x28)) =  *_t326;
				 *((long long*)(_t300 + 0x60)) = _t264;
				 *((long long*)(_t300 + 0x20)) = _t264;
				if (E00007FF67FF63B25B1A4(_t199, E00007FF67FF63B25B64C(0, 0, _t194 + _t199, E00007FF67FF63B25B64C(0, 0, _t194 + _t199, _t260[2], _t239, __rbx, _t26,  *((intOrPtr*)(__rcx + 0x138)), __rsi, _t28, _t310, _t313), _t239, _t252, _t35,  *((intOrPtr*)(__rcx + 0x138)), _t294, _t37, _t310, _t313), _t252, _t264, __rcx, _t294, _t316, _t310, _t313) == 0) goto 0x3b2507bf;
				_t48 = _t319 + 0xfe; // 0xfe
				_t240 = _t48;
				 *_t240 = 0;
				 *((char*)(_t323 + 0x7f)) = 0;
				 *((char*)(_t297 + 0x7f)) = 0;
				 *((char*)(_t323 + 0x80)) = 0;
				 *((char*)(_t297 + 0x80)) = 0;
				 *((long long*)(_t300 + 0x68)) = _t240;
				if ( *(_t300 + 0x50) - _t199 <= 0) goto 0x3b250570;
				if ( *_t326 != 0xfde9) goto 0x3b25051c;
				_t55 = _t297 + 0x100; // 0x100
				_t304 = _t55;
				_t56 = _t319 + 0x200; // 0x200
				r11d = 0x8000;
				_t187 =  >  ? 0 : r11d;
				 *_t56 =  >  ? 0 : r11d;
				 *((char*)(_t323 - _t297 + _t304)) = 0x20;
				 *_t304 = 0x80;
				if (0x80 + _t199 - 0xff <= 0) goto 0x3b2504ee;
				goto 0x3b250570;
				_t289 = _t300 + 0x86;
				if ( *((intOrPtr*)(_t300 + 0x86)) == 0) goto 0x3b250570;
				r11d = 0x8000;
				if (_t289[1] == 0) goto 0x3b250570;
				_t188 =  *_t289 & 0x000000ff;
				if (_t188 - (_t289[1] & 0x000000ff) > 0) goto 0x3b250568;
				_t241 = _t188;
				 *((intOrPtr*)(_t319 + 0x100 + _t241 * 2)) = r11w;
				 *(_t241 + _t323 + 0x80) = _t188;
				 *(_t241 + _t297 + 0x80) = _t188;
				if (_t188 + _t199 - (_t289[1] & 0x000000ff) <= 0) goto 0x3b250543;
				if (_t289[2] != 0) goto 0x3b250533;
				_t72 = _t319 + 0x200; // 0x200
				asm("movups xmm0, [ecx]");
				asm("movups xmm1, [ecx+0x10]");
				_t266 = _t72 + 0x80;
				asm("inc ecx");
				_t242 =  *((intOrPtr*)(_t266 + 0x70));
				asm("inc ecx");
				asm("movups xmm0, [ecx-0x60]");
				asm("movups xmm1, [ecx-0x50]");
				asm("inc ecx");
				asm("inc ecx");
				asm("movups xmm0, [ecx-0x40]");
				asm("movups xmm1, [ecx-0x30]");
				asm("inc ecx");
				asm("inc ecx");
				asm("movups xmm0, [ecx-0x20]");
				asm("movups xmm1, [ecx-0x10]");
				asm("inc ecx");
				_t320 = _t319 - 0xffffff80;
				asm("movups xmm0, [ecx]");
				asm("inc ecx");
				asm("movups xmm1, [ecx+0x10]");
				asm("inc ecx");
				asm("movups xmm0, [ecx+0x20]");
				asm("inc ecx");
				asm("movups xmm1, [ecx+0x30]");
				asm("inc ecx");
				asm("movups xmm0, [ecx+0x40]");
				asm("inc ecx");
				asm("movups xmm1, [ecx+0x50]");
				asm("inc ecx");
				asm("movups xmm0, [ecx+0x60]");
				asm("inc ecx");
				asm("inc ecx");
				 *((long long*)(_t320 + 0x70)) =  *((intOrPtr*)(_t266 + 0x70));
				 *((intOrPtr*)(_t320 + 0x78)) =  *((intOrPtr*)(_t266 + 0x78));
				 *((short*)(_t320 + 0x7c)) =  *(_t266 + 0x7c) & 0x0000ffff;
				asm("inc ecx");
				asm("inc ecx");
				asm("inc ecx");
				asm("inc ecx");
				asm("inc ecx");
				asm("inc ecx");
				asm("inc ecx");
				asm("inc ecx");
				asm("inc ecx");
				asm("inc ecx");
				asm("inc ecx");
				asm("inc ecx");
				asm("inc ecx");
				asm("repne inc ecx");
				asm("inc ecx");
				asm("repne inc ecx");
				 *((intOrPtr*)(_t323 + 0x78)) =  *((intOrPtr*)(_t323 + 0x178));
				 *((short*)(_t323 + 0x7c)) =  *(_t323 + 0x17c) & 0x0000ffff;
				 *((char*)(_t323 + 0x7e)) =  *((intOrPtr*)(_t323 + 0x17e));
				asm("movups xmm0, [ebp+0x100]");
				asm("movups xmm1, [ebp+0x110]");
				asm("movups [ebp], xmm0");
				asm("movups xmm0, [ebp+0x120]");
				asm("movups [ebp+0x10], xmm1");
				asm("movups xmm1, [ebp+0x130]");
				asm("movups [ebp+0x20], xmm0");
				asm("movups xmm0, [ebp+0x140]");
				asm("movups [ebp+0x30], xmm1");
				asm("movups xmm1, [ebp+0x150]");
				asm("movups [ebp+0x40], xmm0");
				asm("movups xmm0, [ebp+0x160]");
				asm("movups [ebp+0x50], xmm1");
				asm("movsd xmm1, [ebp+0x170]");
				asm("movups [ebp+0x60], xmm0");
				asm("movsd [ebp+0x70], xmm1");
				 *((intOrPtr*)(_t297 + 0x78)) =  *((intOrPtr*)(_t297 + 0x178));
				 *((short*)(_t297 + 0x7c)) =  *(_t297 + 0x17c) & 0x0000ffff;
				_t155 =  *((intOrPtr*)(_t297 + 0x17e));
				 *(_t297 + 0x7e) = _t155;
				if ( *((intOrPtr*)(__rcx + 0x100)) == 0) goto 0x3b250778;
				asm("lock xadd [ecx], eax");
				if ((_t155 | 0xffffffff) != _t199) goto 0x3b250778;
				E00007FF67FF63B256F7C(E00007FF67FF63B256F7C(E00007FF67FF63B256F7C(E00007FF67FF63B256F7C(_t155 | 0xffffffff,  *((intOrPtr*)(_t266 + 0x70)),  *((intOrPtr*)(__rcx + 0x108)) - 0xfe),  *((intOrPtr*)(_t266 + 0x70)),  *((intOrPtr*)(__rcx + 0x110)) + 0xffffff80),  *((intOrPtr*)(_t266 + 0x70)),  *((intOrPtr*)(__rcx + 0x118)) + 0xffffff80), _t242,  *((intOrPtr*)(__rcx + 0x100)));
				_t243 =  *(_t300 + 0x58);
				 *_t243 = _t199;
				 *((long long*)(__rcx + 0x100)) = _t243;
				 *((long long*)(__rcx)) =  *((intOrPtr*)(_t300 + 0x60));
				 *((long long*)(__rcx + 0x108)) =  *((intOrPtr*)(_t300 + 0x68));
				_t102 = _t323 + 0x80; // 0x80
				 *((long long*)(__rcx + 0x110)) = _t102;
				_t104 = _t297 + 0x80; // 0x80
				_t247 = _t104;
				 *((long long*)(__rcx + 0x118)) = _t104;
				 *(__rcx + 8) =  *(_t300 + 0x50);
				goto 0x3b2507e3;
				_t165 = E00007FF67FF63B256F7C(E00007FF67FF63B256F7C(E00007FF67FF63B256F7C(E00007FF67FF63B256F7C( *(_t300 + 0x50), _t104,  *(_t300 + 0x58)), _t104, _t320), _t104, _t323), _t247, _t297);
				_t279 = _t316;
				E00007FF67FF63B256F7C(_t165, _t247, _t279);
				goto 0x3b25083c;
				if ( *((intOrPtr*)(_t279 + 0x100)) == 0) goto 0x3b2507fe;
				asm("lock dec dword [eax]");
				 *((long long*)(_t279 + 0x100)) = _t252;
				 *_t279 = 0x3b267990;
				 *((long long*)(_t279 + 0x108)) = _t252;
				 *((long long*)(_t279 + 0x110)) = 0x3b267c10;
				 *((long long*)(_t279 + 0x118)) = 0x3b267d90;
				 *((intOrPtr*)(_t279 + 8)) = 1;
				return E00007FF67FF63B248930(0, _t188 + _t199,  *(_t300 + 0x98) ^ _t300);
			}

0x7ff63b25020c
0x7ff63b25020c
0x7ff63b25020c
0x7ff63b25020f
0x7ff63b250213
0x7ff63b250217
0x7ff63b250224
0x7ff63b25022b
0x7ff63b250232
0x7ff63b250235
0x7ff63b250246
0x7ff63b25024d
0x7ff63b250251
0x7ff63b250254
0x7ff63b250259
0x7ff63b25025f
0x7ff63b250265
0x7ff63b250269
0x7ff63b25026e
0x7ff63b25026e
0x7ff63b250274
0x7ff63b250278
0x7ff63b25027d
0x7ff63b25028e
0x7ff63b250299
0x7ff63b25029c
0x7ff63b2502a3
0x7ff63b2502b9
0x7ff63b2502c0
0x7ff63b2502cd
0x7ff63b2502d4
0x7ff63b2502e1
0x7ff63b2502e8
0x7ff63b2502f8
0x7ff63b2502ff
0x7ff63b250302
0x7ff63b25030c
0x7ff63b250315
0x7ff63b25031e
0x7ff63b250327
0x7ff63b250330
0x7ff63b25033b
0x7ff63b250340
0x7ff63b250347
0x7ff63b250354
0x7ff63b25035c
0x7ff63b25036a
0x7ff63b250370
0x7ff63b250378
0x7ff63b25037e
0x7ff63b250387
0x7ff63b250389
0x7ff63b250391
0x7ff63b250399
0x7ff63b25039e
0x7ff63b2503a0
0x7ff63b2503af
0x7ff63b2503b4
0x7ff63b2503b6
0x7ff63b2503bf
0x7ff63b2503c1
0x7ff63b2503c6
0x7ff63b2503d1
0x7ff63b2503d9
0x7ff63b2503de
0x7ff63b2503ec
0x7ff63b2503f1
0x7ff63b2503f5
0x7ff63b2503fe
0x7ff63b250402
0x7ff63b250409
0x7ff63b25040d
0x7ff63b25040d
0x7ff63b250418
0x7ff63b250421
0x7ff63b25042f
0x7ff63b250434
0x7ff63b250438
0x7ff63b25043e
0x7ff63b250447
0x7ff63b25044b
0x7ff63b250452
0x7ff63b25045d
0x7ff63b250466
0x7ff63b250466
0x7ff63b25046d
0x7ff63b250471
0x7ff63b250477
0x7ff63b25047e
0x7ff63b250485
0x7ff63b250493
0x7ff63b250499
0x7ff63b250499
0x7ff63b2504a0
0x7ff63b2504a3
0x7ff63b2504a7
0x7ff63b2504aa
0x7ff63b2504b1
0x7ff63b2504b7
0x7ff63b2504c0
0x7ff63b2504cd
0x7ff63b2504d2
0x7ff63b2504d2
0x7ff63b2504dc
0x7ff63b2504e8
0x7ff63b2504fa
0x7ff63b2504fe
0x7ff63b250506
0x7ff63b25050a
0x7ff63b250518
0x7ff63b25051a
0x7ff63b25051c
0x7ff63b25052b
0x7ff63b25052d
0x7ff63b250536
0x7ff63b250538
0x7ff63b250541
0x7ff63b250543
0x7ff63b250546
0x7ff63b25054f
0x7ff63b250557
0x7ff63b250566
0x7ff63b25056e
0x7ff63b250570
0x7ff63b250577
0x7ff63b25057a
0x7ff63b25057e
0x7ff63b250585
0x7ff63b25058a
0x7ff63b25058e
0x7ff63b250593
0x7ff63b250597
0x7ff63b25059b
0x7ff63b2505a0
0x7ff63b2505a5
0x7ff63b2505a9
0x7ff63b2505ad
0x7ff63b2505b2
0x7ff63b2505b7
0x7ff63b2505bb
0x7ff63b2505bf
0x7ff63b2505c4
0x7ff63b2505c8
0x7ff63b2505cb
0x7ff63b2505d0
0x7ff63b2505d4
0x7ff63b2505d9
0x7ff63b2505dd
0x7ff63b2505e2
0x7ff63b2505e6
0x7ff63b2505eb
0x7ff63b2505ef
0x7ff63b2505f4
0x7ff63b2505f8
0x7ff63b2505fd
0x7ff63b250601
0x7ff63b250606
0x7ff63b25060b
0x7ff63b250612
0x7ff63b25061a
0x7ff63b250626
0x7ff63b25062e
0x7ff63b250636
0x7ff63b25063a
0x7ff63b250642
0x7ff63b250647
0x7ff63b25064f
0x7ff63b250654
0x7ff63b25065c
0x7ff63b250661
0x7ff63b250669
0x7ff63b25066e
0x7ff63b250676
0x7ff63b25067b
0x7ff63b250684
0x7ff63b250689
0x7ff63b25068f
0x7ff63b25069b
0x7ff63b2506a7
0x7ff63b2506ab
0x7ff63b2506b8
0x7ff63b2506bf
0x7ff63b2506c3
0x7ff63b2506ca
0x7ff63b2506ce
0x7ff63b2506d5
0x7ff63b2506d9
0x7ff63b2506e0
0x7ff63b2506e4
0x7ff63b2506eb
0x7ff63b2506ef
0x7ff63b2506f6
0x7ff63b2506fa
0x7ff63b250702
0x7ff63b250706
0x7ff63b25070b
0x7ff63b250715
0x7ff63b250719
0x7ff63b25071f
0x7ff63b25072c
0x7ff63b250731
0x7ff63b250737
0x7ff63b250773
0x7ff63b250778
0x7ff63b25077d
0x7ff63b25077f
0x7ff63b25078b
0x7ff63b250793
0x7ff63b25079a
0x7ff63b2507a1
0x7ff63b2507a8
0x7ff63b2507a8
0x7ff63b2507af
0x7ff63b2507ba
0x7ff63b2507bd
0x7ff63b2507dc
0x7ff63b2507e3
0x7ff63b2507e6
0x7ff63b2507ed
0x7ff63b2507f9
0x7ff63b2507fb
0x7ff63b250805
0x7ff63b25080c
0x7ff63b25081b
0x7ff63b250822
0x7ff63b250830
0x7ff63b250839
0x7ff63b25086c

Memory Dump Source

Source File: 00000000.00000002.556808357.00007FF63B241000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF63B240000, based on PE: true

Associated: 00000000.00000002.556798378.00007FF63B240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.556881205.00007FF63B27C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.556890864.00007FF63B27F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.556890864.00007FF63B284000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.557189912.00007FF63B32C000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.557371250.00007FF63B3E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.557378386.00007FF63B3E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63b240000_1q3HnZAcnJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4dcebc567e64d4abf328a5ec5764d44f3f9517cfcd374bff8facd9dbf049a16d
Instruction ID: 86155a13a667c45a1b1b7324f248f39a26833b6a14fc0a99cde45c27ed8def03
Opcode Fuzzy Hash: 4dcebc567e64d4abf328a5ec5764d44f3f9517cfcd374bff8facd9dbf049a16d
Instruction Fuzzy Hash: FD028F22A18BC186E751CF2899452FDB3A4FB5C748F059336EADC82766EF39E184D704

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF63B258218 Relevance: .3, Instructions: 333
COMMONCrypto

Download Yara Rule

C-Code - Quality: 48%

			E00007FF67FF63B258218(signed int __eax, signed int __edx, void* __edi, void* __eflags, long long __rbx, long long __rcx, void* __rdx, long long __r8, long long __r11) {
				void* __rsi;
				void* __rbp;
				signed int _t190;
				signed int _t196;
				signed int _t202;
				short _t203;
				signed int _t206;
				signed int _t213;
				signed int _t217;
				void* _t219;
				void* _t223;
				signed char _t224;
				intOrPtr _t233;
				void* _t240;
				signed long long _t280;
				signed long long _t286;
				long long _t290;
				void* _t291;
				long long _t300;
				intOrPtr _t306;
				signed long long _t314;
				intOrPtr _t336;
				void* _t341;
				void* _t342;
				void* _t344;
				intOrPtr* _t345;
				void* _t347;
				void* _t351;
				char _t354;
				void* _t356;
				void* _t357;
				void* _t360;
				void* _t361;
				void* _t363;
				signed long long _t364;
				void* _t373;
				intOrPtr _t377;
				void* _t389;
				signed long long _t391;
				void* _t393;
				long long _t394;
				intOrPtr _t395;
				void* _t398;
				signed long long _t399;
				void* _t401;

				_t386 = __r11;
				_t300 = __rbx;
				 *((long long*)(_t363 + 8)) = __rbx;
				_t361 = _t363 - 0x27;
				_t364 = _t363 - 0x100;
				_t280 =  *0x3b27a028; // 0x7f80d271952
				 *(_t361 + 0x17) = _t280 ^ _t364;
				 *((long long*)(_t361 - 9)) = __rcx;
				 *(_t361 - 0x11) = __edx;
				r13d = r9d;
				_t394 = _t393 + __r8;
				 *((long long*)(_t361 - 0x21)) = __r8;
				 *((long long*)(_t361 - 0x51)) = _t394;
				_t391 = __edx >> 6;
				_t399 = __edx + __edx * 8;
				 *((long long*)(_t361 - 0x49)) =  *((intOrPtr*)( *((intOrPtr*)(0x7ff63b240000 + 0x3c470 + _t391 * 8)) + 0x28 + _t399 * 8));
				 *((intOrPtr*)(_t361 - 0x59)) = E00007FF67FF63B31DF60(__eax & 0x0000003f, _t219,  *((intOrPtr*)( *((intOrPtr*)(0x7ff63b240000 + 0x3c470 + _t391 * 8)) + 0x28 + _t399 * 8)));
				E00007FF67FF63B250A2C( *((intOrPtr*)( *((intOrPtr*)(0x7ff63b240000 + 0x3c470 + _t391 * 8)) + 0x28 + _t399 * 8)), __rbx, _t364 + 0x50, __rdx, __edx, _t401);
				_t306 =  *((intOrPtr*)(_t364 + 0x58));
				r11d = 0;
				 *(_t361 - 0x69) = r11d;
				 *(_t361 - 0x65) = r11d;
				_t233 =  *((intOrPtr*)(_t306 + 0xc));
				 *(_t364 + 0x40) = r11d;
				 *((intOrPtr*)(_t361 - 0x55)) = _t233;
				if (__r8 - _t394 >= 0) goto 0x3b2586a9;
				_t286 = __edx >> 6;
				 *(_t361 - 0x19) = _t286;
				r15d = 1;
				 *((char*)(_t364 + 0x44)) =  *((intOrPtr*)(__r8));
				 *(_t364 + 0x48) = r11d;
				if (_t233 != 0xfde9) goto 0x3b258462;
				_t377 =  *((intOrPtr*)(0x7ff63b240000 + 0x3c470 + _t286 * 8));
				if ( *((intOrPtr*)(_t377 + _t399 * 8 + __r11 + 0x3e)) == r11b) goto 0x3b25831d;
				_t351 = __r11 + 1;
				if (_t351 - 5 < 0) goto 0x3b25830b;
				if (_t351 <= 0) goto 0x3b258406;
				r15d =  *((char*)(_t306 + 0x7ff63b27a2c0));
				r15d = r15d + 1;
				r13d = r15d;
				r13d = r13d - r11d + 1;
				if (r13d -  *((intOrPtr*)(_t361 - 0x51)) - __r8 > 0) goto 0x3b2585d1;
				 *((char*)(_t361 - 1 + __r11)) =  *((intOrPtr*)(_t361 - 1 + __r11 + _t377 - _t361 - 1 + _t399 * 8 + 0x3e));
				if (__r11 + 1 - _t351 < 0) goto 0x3b258367;
				if (r13d <= 0) goto 0x3b258397;
				E00007FF67FF63B24A180();
				r11d = 0;
				 *((intOrPtr*)( *((intOrPtr*)(0x7ff63b240000 + 0x3c470 + _t391 * 8)) + __r11 + 0x3e + _t399 * 8)) = r11b;
				if (__r11 + 1 - _t351 < 0) goto 0x3b2583a1;
				_t290 = _t361 - 1;
				 *((long long*)(_t361 - 0x41)) = __r11;
				 *((long long*)(_t361 - 0x39)) = _t290;
				_t190 = (r11d & 0xffffff00 | r15d == 0x00000004) + 1;
				r8d = _t190;
				r15d = _t190;
				E00007FF67FF63B261268(_t290, _t300, _t364 + 0x48, _t361 - 0x39, 0x7ff63b240000, _t361 - 0x41);
				if (_t290 == 0xffffffff) goto 0x3b2584ca;
				_t395 =  *((intOrPtr*)(_t361 - 0x51));
				goto 0x3b2584ec;
				_t354 =  *((char*)(_t290 + 0x7ff63b27a2c0));
				_t223 = _t354 + 1;
				_t291 = _t223;
				if (_t291 - _t395 - __r8 > 0) goto 0x3b25860b;
				 *((long long*)(_t361 - 0x31)) = __r11;
				 *((long long*)(_t361 - 0x29)) = __r8;
				_t196 = (r11d & 0xffffff00 | _t223 == 0x00000004) + 1;
				r8d = _t196;
				_t314 = _t364 + 0x48;
				E00007FF67FF63B261268(_t291, _t300, _t314, _t361 - 0x29, 0x7ff63b240000, _t361 - 0x31);
				if (_t291 == 0xffffffff) goto 0x3b2584ca;
				r15d = _t196;
				goto 0x3b2584ec;
				_t336 =  *((intOrPtr*)(0x7ff63b240000 + 0x3c470 + _t391 * 8));
				_t224 =  *(_t336 + 0x3d + _t399 * 8);
				if ((_t224 & 0x00000004) == 0) goto 0x3b258496;
				 *((char*)(_t361 + 7)) =  *((intOrPtr*)(_t336 + 0x3e + _t399 * 8));
				 *(_t336 + 0x3d + _t399 * 8) = _t224 & 0x000000fb;
				 *((char*)(_t361 + 8)) =  *((intOrPtr*)(__r8));
				goto 0x3b2584b5;
				E00007FF67FF63B250014(0x7ff63b240000);
				if ( *((intOrPtr*)(0x7ff63b240000 + _t314 * 2)) >= 0) goto 0x3b2584d3;
				_t356 = _t354 + __r8 + 1;
				if (_t356 - _t395 >= 0) goto 0x3b258664;
				r8d = 2;
				if (E00007FF67FF63B25C11C(_t196, 0, 0x7ff63b240000, __r8, 0x7ff63b240000) != 0xffffffff) goto 0x3b2584ec;
				goto 0x3b25865e;
				_t202 = E00007FF67FF63B25C11C(_t196, 0, 0x7ff63b240000, __r8, 0x7ff63b240000);
				if (_t202 == 0xffffffff) goto 0x3b25869b;
				_t373 = _t364 + 0x48;
				 *((long long*)(_t364 + 0x38)) = _t300;
				_t344 = _t356 + 1;
				 *((long long*)(_t364 + 0x30)) = _t300;
				r9d = r15d;
				 *((intOrPtr*)(_t364 + 0x28)) = 5;
				 *((long long*)(_t364 + 0x20)) = _t361 + 0xf;
				E00007FF67FF63B25C4AC();
				if (_t202 == 0) goto 0x3b2586fb;
				r8d = _t202;
				 *((long long*)(_t364 + 0x20)) = _t300;
				0x3b2aa6b8(_t398, _t393, _t389, _t342, _t347, _t360);
				r11d = 0;
				if (_t202 == 0) goto 0x3b2586f2;
				r15d =  *(_t364 + 0x40);
				_t213 = __edi -  *((intOrPtr*)(_t361 - 0x21)) + r15d;
				 *(_t361 - 0x65) = _t213;
				if ( *((intOrPtr*)(_t364 + 0x4c)) - _t202 < 0) goto 0x3b25865a;
				if ( *((char*)(_t364 + 0x44)) != 0xa) goto 0x3b2585b9;
				_t121 = _t386 + 0xd; // 0xd
				_t203 = _t121;
				 *((short*)(_t364 + 0x44)) = _t203;
				_t124 = _t386 + 1; // 0x1
				r8d = _t124;
				 *((long long*)(_t364 + 0x20)) = __r11;
				_t341 = _t364 + 0x44;
				0x3b2aa6b8();
				r11d = 0;
				if (_t203 == 0) goto 0x3b258692;
				if ( *((intOrPtr*)(_t364 + 0x4c)) - 1 < 0) goto 0x3b25865a;
				r15d = r15d + 1;
				 *(_t364 + 0x40) = r15d;
				 *(_t361 - 0x65) = _t213 + 1;
				_t357 = _t344;
				if (_t344 - _t395 >= 0) goto 0x3b2586a5;
				goto 0x3b2582d5;
				if (_t373 <= 0) goto 0x3b258606;
				_t345 = _t344 - _t357;
				_t240 = r11d + 1;
				 *((char*)( *((intOrPtr*)(0x7ff63b240000 + 0x3c470 + _t391 * 8)) + _t357 + 0x3e + _t399 * 8)) =  *((intOrPtr*)(_t345 + _t357));
				if (_t240 - _t373 < 0) goto 0x3b2585e3;
				goto 0x3b258657;
				r9d = r11d;
				if (_t341 <= 0) goto 0x3b258655;
				r13d = r13d & 0x0000003f;
				r9d = r9d + 1;
				 *((char*)( *((intOrPtr*)(0x7ff63b240000 + 0x3c470 + ( *(_t361 - 0x11) >> 6) * 8)) + __r11 + 0x3e + ( *(_t361 - 0x11) * 8 +  *(_t361 - 0x11)) * 8)) =  *((intOrPtr*)(__r11 + _t345));
				if (r9d - _t341 < 0) goto 0x3b258630;
				r11d = 0;
				_t217 =  *(_t361 - 0x65) + r8d + _t240;
				 *(_t361 - 0x65) = _t217;
				goto 0x3b2586ad;
				_t206 =  *_t345;
				 *(_t361 - 0x65) = _t217 + 1;
				 *( *((intOrPtr*)(0x7ff63b240000 + 0x3c470 + _t391 * 8)) + 0x3e + _t399 * 8) = _t206;
				 *( *((intOrPtr*)(0x7ff63b240000 + 0x3c470 + _t391 * 8)) + 0x3d + _t399 * 8) =  *( *((intOrPtr*)(0x7ff63b240000 + 0x3c470 + _t391 * 8)) + 0x3d + _t399 * 8) | 0x00000004;
				goto 0x3b25865e;
				0x3b2e4be0();
				 *(_t361 - 0x69) = _t206;
				goto 0x3b2586ad;
				if ( *((intOrPtr*)(_t361 - 0x71)) == r11b) goto 0x3b2586bb;
				 *( *((intOrPtr*)(_t364 + 0x50)) + 0x3a8) =  *( *((intOrPtr*)(_t364 + 0x50)) + 0x3a8) & 0xfffffffd;
				asm("movsd xmm0, [ebp-0x69]");
				asm("movsd [eax], xmm0");
				 *( *((intOrPtr*)(_t361 - 9)) + 8) =  *(_t364 + 0x40);
				return E00007FF67FF63B248930(_t206,  *(_t364 + 0x40),  *(_t361 + 0x17) ^ _t364);
			}

0x7ff63b258218
0x7ff63b258218
0x7ff63b258218
0x7ff63b258228
0x7ff63b25822d
0x7ff63b258234
0x7ff63b25823e
0x7ff63b25824b
0x7ff63b25824f
0x7ff63b25825d
0x7ff63b258260
0x7ff63b258263
0x7ff63b25826a
0x7ff63b25826e
0x7ff63b258272
0x7ff63b258283
0x7ff63b258294
0x7ff63b258297
0x7ff63b25829c
0x7ff63b2582a1
0x7ff63b2582a4
0x7ff63b2582ab
0x7ff63b2582b1
0x7ff63b2582b7
0x7ff63b2582bb
0x7ff63b2582c1
0x7ff63b2582cd
0x7ff63b2582d1
0x7ff63b2582d7
0x7ff63b2582dd
0x7ff63b2582e1
0x7ff63b2582ec
0x7ff63b2582fc
0x7ff63b258310
0x7ff63b258314
0x7ff63b25831b
0x7ff63b258320
0x7ff63b25833b
0x7ff63b258344
0x7ff63b258347
0x7ff63b25834a
0x7ff63b258353
0x7ff63b258376
0x7ff63b25837b
0x7ff63b258380
0x7ff63b25838f
0x7ff63b258394
0x7ff63b2583af
0x7ff63b2583b7
0x7ff63b2583b9
0x7ff63b2583bd
0x7ff63b2583c1
0x7ff63b2583dc
0x7ff63b2583de
0x7ff63b2583e1
0x7ff63b2583e4
0x7ff63b2583ed
0x7ff63b2583f7
0x7ff63b258401
0x7ff63b25840f
0x7ff63b258418
0x7ff63b25841b
0x7ff63b258421
0x7ff63b25842a
0x7ff63b258431
0x7ff63b25843c
0x7ff63b258442
0x7ff63b258445
0x7ff63b25844c
0x7ff63b258455
0x7ff63b25845a
0x7ff63b25845d
0x7ff63b258469
0x7ff63b258471
0x7ff63b258479
0x7ff63b258483
0x7ff63b258488
0x7ff63b258491
0x7ff63b258494
0x7ff63b258496
0x7ff63b2584a4
0x7ff63b2584a6
0x7ff63b2584ac
0x7ff63b2584b5
0x7ff63b2584c8
0x7ff63b2584ce
0x7ff63b2584de
0x7ff63b2584e6
0x7ff63b2584f5
0x7ff63b2584fa
0x7ff63b2584ff
0x7ff63b258503
0x7ff63b258508
0x7ff63b25850b
0x7ff63b258515
0x7ff63b25851a
0x7ff63b258523
0x7ff63b258532
0x7ff63b258535
0x7ff63b25853e
0x7ff63b258544
0x7ff63b258549
0x7ff63b25854f
0x7ff63b258559
0x7ff63b25855c
0x7ff63b258563
0x7ff63b25856e
0x7ff63b258574
0x7ff63b258574
0x7ff63b25857d
0x7ff63b258582
0x7ff63b258582
0x7ff63b258586
0x7ff63b25858b
0x7ff63b258590
0x7ff63b258596
0x7ff63b25859b
0x7ff63b2585a6
0x7ff63b2585ac
0x7ff63b2585b1
0x7ff63b2585b6
0x7ff63b2585b9
0x7ff63b2585bf
0x7ff63b2585cc
0x7ff63b2585d7
0x7ff63b2585d9
0x7ff63b2585e6
0x7ff63b2585f6
0x7ff63b258601
0x7ff63b258609
0x7ff63b25860b
0x7ff63b258611
0x7ff63b25861d
0x7ff63b258634
0x7ff63b258645
0x7ff63b258650
0x7ff63b258652
0x7ff63b258655
0x7ff63b258657
0x7ff63b258662
0x7ff63b258664
0x7ff63b258677
0x7ff63b25867a
0x7ff63b258687
0x7ff63b258690
0x7ff63b258692
0x7ff63b258698
0x7ff63b2586a3
0x7ff63b2586ad
0x7ff63b2586b4
0x7ff63b2586bf
0x7ff63b2586c4
0x7ff63b2586c8
0x7ff63b2586f1

Memory Dump Source

Source File: 00000000.00000002.556808357.00007FF63B241000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF63B240000, based on PE: true

Associated: 00000000.00000002.556798378.00007FF63B240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.556881205.00007FF63B27C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.556890864.00007FF63B27F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.556890864.00007FF63B284000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.557189912.00007FF63B32C000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.557371250.00007FF63B3E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.557378386.00007FF63B3E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63b240000_1q3HnZAcnJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4cb661760fcfefd2654b26f8bf08a54d38130697dd6e30beb8121e55d262aad6
Instruction ID: c0fe499f7d5bd58e29b644f44d343b1a69cb9afd3ec4e38ccd1746779a236db1
Opcode Fuzzy Hash: 4cb661760fcfefd2654b26f8bf08a54d38130697dd6e30beb8121e55d262aad6
Instruction Fuzzy Hash: E8E10272B186858AE701CB64D2401FDBBB0FB49788F104236DF9E9BBA9DE78D406D704

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF63B254ECC Relevance: .3, Instructions: 309
COMMONLIBRARYCODECrypto

Download Yara Rule

C-Code - Quality: 100%

			E00007FF67FF63B254ECC(void* __rcx, long long __rdx, long long __r8, void* __r9) {
				void* _t12;
				signed long long _t15;
				void* _t25;
				void* _t26;
				signed long long _t27;

				_t25 = _t26 - 0x168;
				_t27 = _t26 - 0x268;
				_t15 =  *0x3b27a028; // 0x7f80d271952
				 *(_t25 + 0x150) = _t15 ^ _t27;
				r15d = 0;
				 *((long long*)(_t27 + 0x70)) = __r8;
				 *((long long*)(_t27 + 0x78)) = __rdx;
				 *((long long*)(_t27 + 0x30)) =  *((intOrPtr*)(_t25 + 0x1d0));
				 *((long long*)(_t27 + 0x68)) =  *((intOrPtr*)(_t25 + 0x1d8));
				if (__rcx != 0) goto 0x3b254f54;
				return E00007FF67FF63B248930(0, _t12,  *(_t25 + 0x150) ^ _t27);
			}

0x7ff63b254ed9
0x7ff63b254ee1
0x7ff63b254ee8
0x7ff63b254ef2
0x7ff63b254f00
0x7ff63b254f0d
0x7ff63b254f15
0x7ff63b254f1d
0x7ff63b254f25
0x7ff63b254f2d
0x7ff63b254f53

Memory Dump Source

Source File: 00000000.00000002.556808357.00007FF63B241000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF63B240000, based on PE: true

Associated: 00000000.00000002.556798378.00007FF63B240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.556881205.00007FF63B27C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.556890864.00007FF63B27F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.556890864.00007FF63B284000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.557189912.00007FF63B32C000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.557371250.00007FF63B3E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.557378386.00007FF63B3E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63b240000_1q3HnZAcnJ.jbxd

Similarity

API ID: NameTranslate$_invalid_parameter_noinfotry_get_function
String ID:
API String ID: 4002208117-0
Opcode ID: 0889a81ba19d73bd0a077de3d8d7ef769782cb48cc0c12f42b716fa58040a0ff
Instruction ID: 24a745fad1e75077b4e2ab9c76261e0c91acea3592cb7d18d724cfc110b01c84
Opcode Fuzzy Hash: 0889a81ba19d73bd0a077de3d8d7ef769782cb48cc0c12f42b716fa58040a0ff
Instruction Fuzzy Hash: 7DC1C525A1868649FB609B629A103BAA7A0FF88788F404233DEDDC77ADDF3CD545D704

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF63B25FDD0 Relevance: .3, Instructions: 272
COMMONCrypto

Download Yara Rule

C-Code - Quality: 69%

			E00007FF67FF63B25FDD0(void* __ecx, signed int __edx, void* __eflags, long long __rbx, void* __rcx, void* __rdx, long long __rbp, void* __r9, long long _a16, long long _a24) {
				void* _v24;
				signed int _v40;
				char _v168;
				void* __rsi;
				void* _t67;
				void* _t71;
				unsigned int _t84;
				unsigned int _t87;
				signed char _t98;
				signed int _t100;
				void* _t111;
				signed long long _t146;
				signed long long _t147;
				long long _t151;
				void* _t179;
				signed long long _t181;
				signed long long _t182;
				signed long long _t183;
				signed long long _t184;
				void* _t186;
				void* _t189;
				signed short* _t206;
				void* _t209;

				_t187 = __rbp;
				_t111 = __eflags;
				_t100 = __edx;
				_a16 = __rbx;
				_a24 = __rbp;
				_t146 =  *0x3b27a028; // 0x7f80d271952
				_t147 = _t146 ^ _t189 - 0x000000c0;
				_v40 = _t147;
				_t186 = __rcx;
				E00007FF67FF63B256CD4(_t67, _t147, __rbx, __rdx, __rcx);
				r9d = 0x40;
				_t5 = _t147 + 0x98; // 0x98
				_t151 = _t5;
				asm("sbb edx, edx");
				if (E00007FF67FF63B257564((_t100 & 0xfffff005) + 0x1002, _t111, _t147, _t151, _t186, _t186, __rbp,  &_v168) != 0) goto 0x3b25fe3f;
				 *(_t151 + 0x10) = 0;
				goto 0x3b26007d;
				_t71 = E00007FF67FF63B25C59C(_t147,  *((intOrPtr*)(_t151 + 8)));
				_t182 = _t181 | 0xffffffff;
				r13d = _t182 + 0x56;
				if (_t71 != 0) goto 0x3b25ff06;
				r9d = _t182 + 0x41;
				asm("sbb edx, edx");
				if (E00007FF67FF63B257564(((_t100 & 0xfffff005) + 0x00001002 & 0xfffff002) + 0x1001, _t71, _t147, _t151, _t186, _t186, _t187,  &_v168) == 0) goto 0x3b25fe32;
				if (E00007FF67FF63B25C59C(_t147,  *_t151) != 0) goto 0x3b25feb1;
				_t98 =  *(_t151 + 0x10) | 0x00000304;
				 *(_t151 + 0x10) = _t98;
				if ( *((intOrPtr*)(_t186 + (_t182 + 1) * 2)) != 0) goto 0x3b25fea5;
				goto 0x3b25fee9;
				if ((_t98 & 0x00000002) != 0) goto 0x3b25ff06;
				if ( *((intOrPtr*)(_t151 + 0x14)) == 0) goto 0x3b25ff8f;
				if (E00007FF67FF63B2628F4(_t147,  *_t151) != 0) goto 0x3b25ff8f;
				 *(_t151 + 0x10) =  *(_t151 + 0x10) | 0x00000002;
				if ( *((intOrPtr*)(_t186 + (_t182 + 1) * 2)) != 0) goto 0x3b25fedf;
				_t28 = _t151 + 0x258; // 0x2f0
				if (E00007FF67FF63B25E34C(_t147, _t151, _t28, _t209, _t186, _t182 + 2) != 0) goto 0x3b2600a5;
				if (( *(_t151 + 0x10) & 0x00000300) == 0x300) goto 0x3b260072;
				r9d = 0x40;
				asm("sbb edx, edx");
				if (E00007FF67FF63B257564((((_t100 & 0xfffff005) + 0x00001002 & 0xfffff002) + 0x00001001 & 0xfffff002) + 0x1001, ( *(_t151 + 0x10) & 0x00000300) - 0x300, _t147, _t151, _t186, _t186, _t187,  &_v168) == 0) goto 0x3b25fe32;
				if (E00007FF67FF63B25C59C(_t147,  *_t151) != 0) goto 0x3b260072;
				_t84 =  *(_t151 + 0x10);
				asm("bts eax, 0x9");
				 *(_t151 + 0x10) = _t84;
				if ( *((intOrPtr*)(_t151 + 0x18)) == 0) goto 0x3b25ffbf;
				asm("bts eax, 0x8");
				_t36 = _t151 + 0x258; // 0x2f0
				 *(_t151 + 0x10) = _t84;
				if ( *_t36 != 0) goto 0x3b260072;
				_t183 = _t182 + 1;
				if ( *((intOrPtr*)(_t186 + _t183 * 2)) != 0) goto 0x3b25ff81;
				goto 0x3b26005f;
				if (( *(_t151 + 0x10) & 0x00000001) != 0) goto 0x3b25ff06;
				if (E00007FF67FF63B260274(0x300,  *(_t151 + 0x10) & 0x00000001, _t186,  &_v168, _t186, _t187, _t182 + 2) == 0) goto 0x3b25ff06;
				 *(_t151 + 0x10) =  *(_t151 + 0x10) | 0x00000001;
				if ( *((intOrPtr*)(_t186 + (_t183 + 1) * 2)) != 0) goto 0x3b25ffb0;
				goto 0x3b25fee9;
				if ( *((intOrPtr*)(_t151 + 0x14)) == 0) goto 0x3b260043;
				_t179 =  *_t151;
				if ( *((intOrPtr*)(_t179 + (_t183 + 1) * 2)) != 0) goto 0x3b25ffca;
				if (0x300 !=  *((intOrPtr*)(_t151 + 0x14))) goto 0x3b260043;
				if (E00007FF67FF63B260274(0x300, 0x300 -  *((intOrPtr*)(_t151 + 0x14)), _t186, _t179, _t186, _t187, _t183 + 1) != 0) goto 0x3b260027;
				_t206 =  *_t151;
				r8d = 0;
				if (_t206 == 0) goto 0x3b260015;
				_t87 = _t179 - 0x41;
				if (_t87 - 0x19 <= 0) goto 0x3b26000d;
				if (( *_t206 & 0x0000ffff) - 0x61 - 0x19 > 0) goto 0x3b260015;
				r8d = r8d + 1;
				goto 0x3b25fff6;
				if (_t206[_t183 + 1] != 0) goto 0x3b260018;
				if (r8d == _t87) goto 0x3b260072;
				asm("bts dword [ebx+0x10], 0x8");
				_t54 = _t151 + 0x258; // 0x2f0
				if ( *_t54 != 0) goto 0x3b260072;
				_t184 = _t183 + 1;
				if ( *((intOrPtr*)(_t186 + _t184 * 2)) != 0) goto 0x3b260038;
				goto 0x3b26005f;
				asm("bts eax, 0x8");
				_t57 = _t151 + 0x258; // 0x2f0
				 *(_t151 + 0x10) = _t87;
				if ( *_t57 != 0) goto 0x3b260072;
				if ( *((intOrPtr*)(_t186 + (_t184 + 1) * 2)) != 0) goto 0x3b260056;
				if (E00007FF67FF63B25E34C(_t183 + 1, _t151, _t57, _t209, _t186, _t184 + 2) != 0) goto 0x3b2600a5;
				return E00007FF67FF63B248930( !( *(_t151 + 0x10) >> 2) & 0x00000001, 0x300, _v40 ^ _t189 - 0x000000c0);
			}

0x7ff63b25fdd0
0x7ff63b25fdd0
0x7ff63b25fdd0
0x7ff63b25fdd0
0x7ff63b25fdd5
0x7ff63b25fde5
0x7ff63b25fdec
0x7ff63b25fdef
0x7ff63b25fdf7
0x7ff63b25fdfa
0x7ff63b25fdff
0x7ff63b25fe0a
0x7ff63b25fe0a
0x7ff63b25fe19
0x7ff63b25fe30
0x7ff63b25fe32
0x7ff63b25fe3a
0x7ff63b25fe48
0x7ff63b25fe4d
0x7ff63b25fe51
0x7ff63b25fe57
0x7ff63b25fe60
0x7ff63b25fe6e
0x7ff63b25fe83
0x7ff63b25fe97
0x7ff63b25fe99
0x7ff63b25fea2
0x7ff63b25fead
0x7ff63b25feaf
0x7ff63b25feb4
0x7ff63b25feb9
0x7ff63b25fed2
0x7ff63b25fed8
0x7ff63b25fee7
0x7ff63b25fee9
0x7ff63b25ff00
0x7ff63b25ff12
0x7ff63b25ff22
0x7ff63b25ff2b
0x7ff63b25ff40
0x7ff63b25ff55
0x7ff63b25ff5b
0x7ff63b25ff5e
0x7ff63b25ff62
0x7ff63b25ff68
0x7ff63b25ff6a
0x7ff63b25ff6e
0x7ff63b25ff75
0x7ff63b25ff7b
0x7ff63b25ff81
0x7ff63b25ff88
0x7ff63b25ff8a
0x7ff63b25ff93
0x7ff63b25ffa3
0x7ff63b25ffa9
0x7ff63b25ffb8
0x7ff63b25ffba
0x7ff63b25ffc2
0x7ff63b25ffc4
0x7ff63b25ffd1
0x7ff63b25ffd6
0x7ff63b25ffe2
0x7ff63b25ffe4
0x7ff63b25ffe7
0x7ff63b25fff0
0x7ff63b25fffa
0x7ff63b260001
0x7ff63b26000b
0x7ff63b260010
0x7ff63b260013
0x7ff63b260020
0x7ff63b260025
0x7ff63b260027
0x7ff63b26002c
0x7ff63b260036
0x7ff63b260038
0x7ff63b26003f
0x7ff63b260041
0x7ff63b260043
0x7ff63b260047
0x7ff63b26004e
0x7ff63b260054
0x7ff63b26005d
0x7ff63b260070
0x7ff63b2600a4

Memory Dump Source

Source File: 00000000.00000002.556808357.00007FF63B241000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF63B240000, based on PE: true

Associated: 00000000.00000002.556798378.00007FF63B240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.556881205.00007FF63B27C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.556890864.00007FF63B27F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.556890864.00007FF63B284000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.557189912.00007FF63B32C000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.557371250.00007FF63B3E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.557378386.00007FF63B3E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63b240000_1q3HnZAcnJ.jbxd

Similarity

API ID: try_get_function
String ID:
API String ID: 2742660187-0
Opcode ID: 9470b706d7f8d1d0a2e589d8bb0162305b1fb4ab9e7073d25ca62827e31d0741
Instruction ID: d43574b54e86f34e8f9a22a1f523c438b3ff0cdc0819254b39d3082a606dd84a
Opcode Fuzzy Hash: 9470b706d7f8d1d0a2e589d8bb0162305b1fb4ab9e7073d25ca62827e31d0741
Instruction Fuzzy Hash: B2B1E732E1864682EB649F21D6517BA7350FB48B88F004332DA99C37E9DF7CE541E744

Uniqueness

Uniqueness Score: -1.00%

Function 00000191ECDF751C Relevance: .3, Instructions: 251COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.556733649.00000191ECDF1000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000191ECDF1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_191ecdf1000_1q3HnZAcnJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ef3678d958b46794eecf0df1851234eb2d7854d7fa8526325da489b60c7879a
Instruction ID: 3d4c8ead66fe082aae4f147f6c7a8ae9f8a35f4c5e183dab0f96f89acfc77ed2
Opcode Fuzzy Hash: 5ef3678d958b46794eecf0df1851234eb2d7854d7fa8526325da489b60c7879a
Instruction Fuzzy Hash: 71713930D1CB9E5FE729AF289C196E9B7D1FB84720F05465EE846C3195DA309CC286C2

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF63B241180 Relevance: .2, Instructions: 244
COMMONCrypto

Download Yara Rule

C-Code - Quality: 97%

			E00007FF67FF63B241180(long long __rbx, signed int __rcx, signed int __rdx, long long __rdi, long long __rsi, long long __r8, long long __r13, long long __r14, long long __r15) {
				signed char _t236;
				signed char _t238;
				signed char _t240;
				signed char _t242;
				void* _t271;
				signed long long _t290;
				signed long long _t308;
				void* _t320;
				long long* _t321;
				signed long long _t332;
				signed char* _t341;
				signed long long _t344;
				signed long long _t345;
				void* _t350;

				 *((long long*)(_t320 + 0x18)) = __r8;
				_t321 = _t320 - 0x18;
				if ( *((char*)(__rcx + 8)) == 0) goto 0x3b2415a2;
				r8d =  *(__rdx + 7) & 0x000000ff;
				r9d =  *(__rdx + 2) & 0x000000ff;
				r10d =  *(__rdx + 3) & 0x000000ff;
				 *((long long*)(_t321 + 0x30)) = __rbx;
				 *((long long*)(_t321 + 0x38)) = __rsi;
				 *((long long*)(_t321 + 0x48)) = __rdi;
				 *((long long*)(_t321 + 0x10)) = __r13;
				_t344 =  *((intOrPtr*)(__rcx + 0x3d4));
				r8d =  *(__rdx + 0xb) & 0x000000ff;
				r8d =  *(__rdx + 0xc) & 0x000000ff;
				r8d = r8d << 8;
				r8d = r8d |  *(__rdx + 0xd) & 0x000000ff;
				 *((long long*)(_t321 + 8)) = __r14;
				r8d = r8d << 8;
				r8d = r8d |  *(__rdx + 0xe) & 0x000000ff;
				r8d = r8d << 8;
				r8d = r8d |  *(__rdx + 0xf) & 0x000000ff;
				r8d = r8d ^  *(__rcx + 0x1f8);
				_t271 = _t344 - 1;
				if (_t271 <= 0) goto 0x3b2413cc;
				 *_t321 = __r15;
				asm("o16 nop [eax+eax]");
				_t350 = __rcx + 0x234;
				_t332 = (((( *(__rdx + 8) & 0x000000ff) << 0x00000008 |  *(__rdx + 9) & 0x000000ff) << 0x00000008 |  *(__rdx + 0xa) & 0x000000ff) << 0x00000008 | r8d) ^  *(__rcx + 0x1f4);
				_t290 = _t332 >> 0x18;
				r8d =  *(0x7ff63b240000 + 0x33500 + __rcx * 4);
				r8d = r8d ^  *(0x7ff63b240000 + 0x34a00 + _t290 * 4);
				r8d = r8d ^  *(0x7ff63b240000 + 0x32500 + _t290 * 4);
				r8d = r8d ^  *(0x7ff63b240000 + 0x34600 + _t290 * 4);
				r8d = r8d ^  *(_t350 - 0x1c);
				if (_t271 != 0) goto 0x3b241290;
				_t341 =  *((intOrPtr*)(_t321 + 0x40));
				_t345 = _t344 << 5;
				_t236 =  *(__rcx + _t345 + 0x1ec);
				 *_t341 = _t236 >> 0x00000018 ^  *(__rcx + 0x7ff63b272400);
				_t341[1] = _t236 >> 0x00000010 ^  *(__rcx + 0x7ff63b272400);
				_t341[2] = _t236 >> 0x00000008 ^  *(__rcx + 0x7ff63b272400);
				_t341[3] = _t236 ^  *((( *(0x7ff63b240000 + 0x33500 + __rdx * 4) ^  *(0x7ff63b240000 + 0x32500 + __rcx * 4) ^  *(0x7ff63b240000 + 0x34a00 + __rcx * 4) ^  *(0x7ff63b240000 + 0x34600 + _t290 * 4) ^  *(_t350 - 0x20)) >> 8) + 0x7ff63b272400);
				_t238 =  *(__rcx + _t345 + 0x1f0);
				_t341[4] = _t238 >> 0x00000018 ^  *(__rcx + 0x7ff63b272400);
				_t341[5] = _t238 >> 0x00000010 ^  *(__rcx + 0x7ff63b272400);
				_t341[6] = _t238 >> 0x00000008 ^  *(__rcx + 0x7ff63b272400);
				_t341[7] = _t238 ^  *((r8d >> 8) + 0x7ff63b272400);
				_t240 =  *(__rcx + _t345 + 0x1f4);
				_t341[8] = _t240 >> 0x00000018 ^  *(__rcx + 0x7ff63b272400);
				_t341[9] = _t240 >> 0x00000010 ^  *(__rcx + 0x7ff63b272400);
				_t308 = ( *(0x7ff63b240000 + 0x34a00 + __rdx * 4) ^  *(0x7ff63b240000 + 0x32500 + __rcx * 4) ^  *(0x7ff63b240000 + 0x33500 + __rcx * 4) ^  *(0x7ff63b240000 + 0x34600 + (_t332 >> 8) * 4) ^  *(_t350 - 0x28)) >> 8;
				_t341[0xa] = _t240 >> 0x00000008 ^  *(__rcx + 0x7ff63b272400);
				_t341[0xb] = _t240 ^  *(_t308 + 0x7ff63b272400);
				_t242 =  *(__rcx + _t345 + 0x1f8);
				_t341[0xc] = _t242 >> 0x00000018 ^  *(__rcx + 0x7ff63b272400);
				_t341[0xd] = _t242 >> 0x00000010 ^  *(__rcx + 0x7ff63b272400);
				_t341[0xe] = _t242 >> 0x00000008 ^  *(__rcx + 0x7ff63b272400);
				_t341[0xf] = _t242 ^  *(_t308 + 0x7ff63b272400);
				return r11b & 0xffffffff;
			}

0x7ff63b241180
0x7ff63b241188
0x7ff63b241196
0x7ff63b2411a0
0x7ff63b2411a5
0x7ff63b2411aa
0x7ff63b2411af
0x7ff63b2411b7
0x7ff63b2411c0
0x7ff63b2411f6
0x7ff63b241205
0x7ff63b24121d
0x7ff63b24122b
0x7ff63b241236
0x7ff63b24123a
0x7ff63b24123d
0x7ff63b24124d
0x7ff63b241251
0x7ff63b241258
0x7ff63b24125c
0x7ff63b24125f
0x7ff63b241266
0x7ff63b24126a
0x7ff63b241270
0x7ff63b241286
0x7ff63b241293
0x7ff63b24129a
0x7ff63b24134f
0x7ff63b241386
0x7ff63b24138e
0x7ff63b24139a
0x7ff63b2413a6
0x7ff63b2413ae
0x7ff63b2413b6
0x7ff63b2413bc
0x7ff63b2413cc
0x7ff63b2413dc
0x7ff63b2413fb
0x7ff63b241416
0x7ff63b241432
0x7ff63b24144d
0x7ff63b241452
0x7ff63b241467
0x7ff63b241483
0x7ff63b24149f
0x7ff63b2414ba
0x7ff63b2414bf
0x7ff63b2414d4
0x7ff63b2414f0
0x7ff63b2414f8
0x7ff63b24150c
0x7ff63b24151d
0x7ff63b241522
0x7ff63b24155b
0x7ff63b241571
0x7ff63b241587
0x7ff63b24159d
0x7ff63b2415a9

Memory Dump Source

Source File: 00000000.00000002.556808357.00007FF63B241000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF63B240000, based on PE: true

Associated: 00000000.00000002.556798378.00007FF63B240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.556881205.00007FF63B27C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.556890864.00007FF63B27F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.556890864.00007FF63B284000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.557189912.00007FF63B32C000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.557371250.00007FF63B3E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.557378386.00007FF63B3E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63b240000_1q3HnZAcnJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff476d9db398ff6bb9145d8c52bcfb7381b9af3ec4646bda28dcfed1da5e4acb
Instruction ID: e5d0f01d3c6bdf401500af6ddb4cc1fb2e3ee8c327e1c8328c20bc47623e0455
Opcode Fuzzy Hash: ff476d9db398ff6bb9145d8c52bcfb7381b9af3ec4646bda28dcfed1da5e4acb
Instruction Fuzzy Hash: 22A1B4732283F049C7028B2958988FE7FA4F36678A74E9206EFC45B782C53CE152D760

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF63B2415B0 Relevance: .2, Instructions: 201
COMMONCrypto

Download Yara Rule

C-Code - Quality: 85%

			E00007FF67FF63B2415B0(signed int __edx, signed int __ebp, void* __rcx, signed char* __rdx, long long __rdi, long long __rbp, long long __r8, long long __r12, long long __r13, long long __r14, long long __r15, long long _a24, signed int _a32, long long _a40, long long _a64, long long _a72, long long _a80, long long _a88, long long _a96, intOrPtr _a128, long long _a136, intOrPtr _a144, intOrPtr _a152) {
				intOrPtr _t141;
				signed int _t145;
				signed int _t177;
				signed int _t191;
				signed int _t209;
				signed int _t211;
				signed long long _t218;
				void* _t226;
				signed long long _t229;
				signed long long _t230;
				signed long long _t234;
				void* _t240;
				void* _t249;
				void* _t251;
				signed int _t253;
				signed long long _t260;
				signed char* _t264;
				void* _t267;
				signed long long _t268;
				signed int _t278;

				_a24 = __r8;
				if ( *((char*)(__rcx + 8)) == 0) goto 0x3b241908;
				_t141 =  *((intOrPtr*)(__rcx + 0x3d0));
				if (_t141 != 0x10) goto 0x3b2415e4;
				_pop(_t226);
				goto E00007FF67FF63B241180;
				_a136 = __rbp;
				asm("cdq");
				_a88 = __r12;
				_a80 = __r13;
				_t253 = _t141 + (__edx & 0x00000003) >> 2;
				_a72 = __r14;
				_a64 = __r15;
				if (__ebp == 4) goto 0x3b24161c;
				_t229 = __rcx + 1 << 5;
				_a96 = __rdi;
				_t268 = _t226 + 0x458;
				_t260 = _t268;
				r14d =  *(_t229 + 0x7ff63b274e0c);
				r15d =  *((intOrPtr*)(_t229 + 0x7ff63b274e14));
				_a128 =  *((intOrPtr*)(_t229 + 0x7ff63b274e1c));
				_a32 = r14d;
				_a152 = r15d;
				_t209 = __ebp;
				if (_t209 <= 0) goto 0x3b2416cd;
				asm("o16 nop [eax+eax]");
				_t264 =  &(__rdx[4]);
				_t145 = ( *__rdx & 0x000000ff) << 0x18;
				_t267 = _t226 + 0x1f0;
				 *_t260 = _t145;
				_t177 = ( *(_t264 - 3) & 0x000000ff) << 0x00000010 | _t145;
				 *_t260 = _t177;
				_t191 = ( *(_t264 - 2) & 0x000000ff) << 0x00000008 | _t177;
				_t230 = _t260;
				 *_t260 = _t191;
				 *_t230 = (_t191 |  *(_t264 - 1) & 0x000000ff) ^  *(_t267 - 4);
				if (_t209 != 0) goto 0x3b241680;
				r12d = 1;
				if ( *(_t226 + 0x3d4) - r12d <= 0) goto 0x3b241815;
				_a40 = 0x7ff63b240000;
				_t211 = _t253;
				if (_t211 <= 0) goto 0x3b2417c5;
				r10d = _a152;
				r10d = r10d - r14d;
				r11d = _a128;
				r11d = r11d - r14d;
				asm("o16 nop [eax+eax]");
				asm("cdq");
				_t249 = _t268 + 4;
				asm("cdq");
				r8d =  *(_t226 + 0x458 + (_t253 - 1 + _t267) % __ebp * 4) & 0x000000ff;
				r9d =  *(0x7ff63b240000 + 0x33500 + (_t260 + 4) * 4);
				asm("cdq");
				r9d = r9d ^  *(0x7ff63b240000 + 0x34600 + (_t230 >> 8) * 4);
				_t218 = r14d % __ebp;
				r9d = r9d ^  *(0x7ff63b240000 + 0x32500 + _t218 * 4);
				r9d = r9d ^  *(0x7ff63b240000 + 0x34a00 + _t218 * 4);
				r9d = r9d ^  *(0xfffffdb4 + _t249 - 4);
				 *(_t249 - 0x24) = r9d;
				if (_t211 != 0) goto 0x3b241730;
				r14d = _a32;
				_t278 = _t253;
				E00007FF67FF63B24A180();
				_t240 = _t226 + 0x438;
				r12d = r12d + 1;
				if (r12d -  *(_t226 + 0x3d4) < 0) goto 0x3b241700;
				r15d = _a152;
				if (_t278 <= 0) goto 0x3b2418ec;
				r10d = _a128;
				r10d = r10d - r15d;
				r14d = r14d - r15d;
				r9d = 0;
				_t251 = _a144 + 4;
				_t234 = _t264 +  *(_t226 + 0x3d4) * 8;
				r8d =  *(_t226 + 0x1ec + _t234 * 4);
				 *(_t251 - 4) = r8d >> 0x00000018 ^  *(_t234 + 0x7ff63b272400);
				asm("cdq");
				 *(_t251 - 3) = r8d >> 0x00000010 ^  *(_t240 + 0x7ff63b272400);
				asm("cdq");
				 *(_t251 - 2) = r8d >> 0x00000008 ^  *(_t240 + 0x7ff63b272400);
				asm("cdq");
				r15d = r15d + 1;
				r8b = r8b ^  *((_t234 >> 0x10 >> 8) + 0x7ff63b272400);
				 *(_t251 - 1) = r8b;
				if ( &(_t264[1]) - _t278 < 0) goto 0x3b241840;
				return (_t267 + 0xfffffffffffffdd4) / __ebp;
			}

0x7ff63b2415b0
0x7ff63b2415c8
0x7ff63b2415ce
0x7ff63b2415d7
0x7ff63b2415de
0x7ff63b2415df
0x7ff63b2415e4
0x7ff63b2415ec
0x7ff63b2415ed
0x7ff63b2415f7
0x7ff63b241601
0x7ff63b241604
0x7ff63b241609
0x7ff63b241611
0x7ff63b24161c
0x7ff63b241627
0x7ff63b24162c
0x7ff63b241633
0x7ff63b241639
0x7ff63b241641
0x7ff63b241650
0x7ff63b241657
0x7ff63b24165c
0x7ff63b241664
0x7ff63b241666
0x7ff63b241676
0x7ff63b241684
0x7ff63b241688
0x7ff63b24168b
0x7ff63b24168f
0x7ff63b24169a
0x7ff63b24169c
0x7ff63b2416a7
0x7ff63b2416a9
0x7ff63b2416ac
0x7ff63b2416be
0x7ff63b2416c4
0x7ff63b2416cd
0x7ff63b2416da
0x7ff63b2416f7
0x7ff63b241700
0x7ff63b241703
0x7ff63b241709
0x7ff63b241714
0x7ff63b241717
0x7ff63b24171a
0x7ff63b241727
0x7ff63b241734
0x7ff63b241735
0x7ff63b241749
0x7ff63b241750
0x7ff63b241757
0x7ff63b241769
0x7ff63b24176e
0x7ff63b241776
0x7ff63b241787
0x7ff63b241793
0x7ff63b24179b
0x7ff63b2417a0
0x7ff63b2417a8
0x7ff63b2417aa
0x7ff63b2417c2
0x7ff63b2417cb
0x7ff63b2417e3
0x7ff63b2417ea
0x7ff63b2417f8
0x7ff63b24180d
0x7ff63b24181d
0x7ff63b241823
0x7ff63b241832
0x7ff63b241835
0x7ff63b241838
0x7ff63b241847
0x7ff63b24184f
0x7ff63b241856
0x7ff63b241870
0x7ff63b241877
0x7ff63b241898
0x7ff63b24189e
0x7ff63b2418bf
0x7ff63b2418c6
0x7ff63b2418c7
0x7ff63b2418d7
0x7ff63b2418df
0x7ff63b2418e6
0x7ff63b24190e

Memory Dump Source

Source File: 00000000.00000002.556808357.00007FF63B241000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF63B240000, based on PE: true

Associated: 00000000.00000002.556798378.00007FF63B240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.556881205.00007FF63B27C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.556890864.00007FF63B27F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.556890864.00007FF63B284000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.557189912.00007FF63B32C000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.557371250.00007FF63B3E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.557378386.00007FF63B3E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63b240000_1q3HnZAcnJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1c6767b3191bcea1aa5da3f75068bb26fb5f4e6c451b13c7bc3a25125991ed2
Instruction ID: 96f49d33237014ded27475e9ed740001f28b4112c3979494f62ea412e9659c33
Opcode Fuzzy Hash: f1c6767b3191bcea1aa5da3f75068bb26fb5f4e6c451b13c7bc3a25125991ed2
Instruction Fuzzy Hash: 579105B2708AC486D725CF29E4406BDBBA0F749B89F488239DF8D93B55CE39E545CB10

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF63B25CB90 Relevance: .1, Instructions: 147
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E00007FF67FF63B25CB90(long long __rbx, void* __rcx, void* __rdx, long long __rsi, signed int __r8, void* __r9) {
				signed long long _t25;
				void* _t27;
				void* _t30;

				 *((long long*)(_t30 + 8)) = __rbx;
				 *(_t30 + 0x10) = _t25;
				 *((long long*)(_t30 + 0x18)) = __rsi;
				_t27 = (_t25 | 0xffffffff) + 1;
				if ( *((intOrPtr*)(__rcx + _t27)) != sil) goto 0x3b25cbbe;
				if (_t27 + __rdx -  !__r8 <= 0) goto 0x3b25cbfa;
				return __rdx + 0xb;
			}

0x7ff63b25cb90
0x7ff63b25cb95
0x7ff63b25cb9a
0x7ff63b25cbbe
0x7ff63b25cbc5
0x7ff63b25cbd8
0x7ff63b25cbf9

Memory Dump Source

Source File: 00000000.00000002.556808357.00007FF63B241000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF63B240000, based on PE: true

Associated: 00000000.00000002.556798378.00007FF63B240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.556881205.00007FF63B27C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.556890864.00007FF63B27F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.556890864.00007FF63B284000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.557189912.00007FF63B32C000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.557371250.00007FF63B3E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.557378386.00007FF63B3E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63b240000_1q3HnZAcnJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbca66fda634f9cd7397d0d3161aa3b81a1d4dec00f933e64c6de2866c934fc8
Instruction ID: b0054bbba786f57b2fbdd20ca5a65737c5edddd0f3c76efb1165b0313825b518
Opcode Fuzzy Hash: fbca66fda634f9cd7397d0d3161aa3b81a1d4dec00f933e64c6de2866c934fc8
Instruction Fuzzy Hash: D151F722B1869144F7209B75AA001BEBBA4AB48BD4F144336EEDC97FA9DF3CD045D704

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF63B25AFDC Relevance: .1, Instructions: 138
COMMONCrypto

Download Yara Rule

C-Code - Quality: 75%

			E00007FF67FF63B25AFDC(void* __ecx, void* __edx, void* __rcx, void* __r8, void* __r10, void* __r11, signed long long* _a40) {
				signed int _v72;
				char _v200;
				signed int _v216;
				intOrPtr _v232;
				void* __rbx;
				void* __rdi;
				void* __rsi;
				void* __rbp;
				void* __r12;
				long long _t14;
				void* _t15;
				intOrPtr _t40;
				intOrPtr _t44;
				signed long long _t59;
				signed long long _t60;
				signed long long _t61;
				void* _t62;
				long long _t63;
				signed long long _t64;
				signed long long _t84;
				signed long long* _t85;
				void* _t86;
				signed long long _t87;
				void* _t98;

				_t96 = __r11;
				_t59 =  *0x3b27a028; // 0x7f80d271952
				_t60 = _t59 ^ _t87;
				_v72 = _t60;
				_t85 = _a40;
				_t44 = r9d;
				_t98 = __r8;
				 *_t85 = _t84;
				if (__edx != 1) goto 0x3b25b0f9;
				_v232 = 0x80;
				r8d = _t44;
				_t14 = E00007FF67FF63B25AE60(__ecx, __edx - 1, _t62, __rcx, __r8, _t84, _t85, __r8,  &_v200, __r10, __r11, __rcx);
				_t63 = _t14;
				if (_t14 == 0) goto 0x3b25b081;
				_t15 = E00007FF67FF63B257AF8(_t14, _t63, __r8);
				 *_t85 = _t60;
				E00007FF67FF63B256F7C(_t15, _t60, _t63);
				if ( *_t85 == _t84) goto 0x3b25b16a;
				_t6 = _t63 - 1; // -1
				if (E00007FF67FF63B261538(_t60, _t63,  *_t85, _t63,  &_v200, _t6) != 0) goto 0x3b25b18f;
				goto 0x3b25b16d;
				0x3b2e4be0();
				if (0 != 0x7a) goto 0x3b25b16a;
				r9d = 0;
				_v232 = 0;
				r8d = _t44;
				if (E00007FF67FF63B25AE60(0, 0 - 0x7a, _t63, __rcx, _t98, _t84, _t85,  &_v200, _t6, __r10, _t96, __rcx) == 0) goto 0x3b25b16a;
				E00007FF67FF63B257AF8(_t20, _t20, _t98);
				_t64 = _t60;
				if (_t60 == 0) goto 0x3b25b0ea;
				_v232 = r15d;
				r8d = _t44;
				if (E00007FF67FF63B25AE60(0, _t60, _t64, __rcx, _t98, _t84, _t85,  &_v200, _t60, __r10, _t96, __rcx) == 0) goto 0x3b25b0ea;
				_t61 = _t64;
				 *_t85 = _t61;
				goto 0x3b25b0ed;
				E00007FF67FF63B256F7C(_t22, _t61, _t84);
				goto 0x3b25b16d;
				if (1 != 2) goto 0x3b25b13d;
				r9d = 0;
				r8d = 0;
				if (E00007FF67FF63B257564(_t44, 1 - 2, _t61, _t84, _t98, _t85, _t86,  &_v200) == 0) goto 0x3b25b16a;
				E00007FF67FF63B257AF8(_t25, _t25, _t98);
				if (_t61 == 0) goto 0x3b25b0ea;
				r9d = r15d;
				_t40 = _t44;
				E00007FF67FF63B257564(_t40, _t61, _t61, _t61, _t98, _t85, _t86, _t61);
				goto 0x3b25b0db;
				if (_t40 != 0) goto 0x3b25b16a;
				asm("bts ebp, 0x1d");
				_v216 = 0xffffffff;
				r9d = 2;
				if (E00007FF67FF63B257564(_t44, _t40, _t61, _t61, _t98, _t85, _t86,  &_v216) == 0) goto 0x3b25b16a;
				 *_t85 = _v216;
				goto 0x3b25b07a;
				return E00007FF67FF63B248930(_v216 | 0xffffffff, 0, _v72 ^ _t87);
			}

0x7ff63b25afdc
0x7ff63b25afee
0x7ff63b25aff5
0x7ff63b25aff8
0x7ff63b25b000
0x7ff63b25b00a
0x7ff63b25b00d
0x7ff63b25b013
0x7ff63b25b019
0x7ff63b25b024
0x7ff63b25b02c
0x7ff63b25b032
0x7ff63b25b037
0x7ff63b25b03c
0x7ff63b25b044
0x7ff63b25b04b
0x7ff63b25b04e
0x7ff63b25b056
0x7ff63b25b05f
0x7ff63b25b074
0x7ff63b25b07c
0x7ff63b25b081
0x7ff63b25b08a
0x7ff63b25b090
0x7ff63b25b093
0x7ff63b25b097
0x7ff63b25b0aa
0x7ff63b25b0b8
0x7ff63b25b0bd
0x7ff63b25b0c3
0x7ff63b25b0c8
0x7ff63b25b0cd
0x7ff63b25b0dd
0x7ff63b25b0df
0x7ff63b25b0e5
0x7ff63b25b0e8
0x7ff63b25b0f0
0x7ff63b25b0f7
0x7ff63b25b100
0x7ff63b25b102
0x7ff63b25b105
0x7ff63b25b117
0x7ff63b25b11e
0x7ff63b25b129
0x7ff63b25b12b
0x7ff63b25b131
0x7ff63b25b136
0x7ff63b25b13b
0x7ff63b25b13f
0x7ff63b25b141
0x7ff63b25b145
0x7ff63b25b150
0x7ff63b25b15d
0x7ff63b25b163
0x7ff63b25b165
0x7ff63b25b18e

Memory Dump Source

Source File: 00000000.00000002.556808357.00007FF63B241000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF63B240000, based on PE: true

Associated: 00000000.00000002.556798378.00007FF63B240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.556881205.00007FF63B27C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.556890864.00007FF63B27F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.556890864.00007FF63B284000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.557189912.00007FF63B32C000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.557371250.00007FF63B3E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.557378386.00007FF63B3E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63b240000_1q3HnZAcnJ.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 450aea1ac32a542e04897aa5ca1b3ea50cb517b7a153c9d69432c37968909d4a
Instruction ID: 122889949fe901f7f88cafb993f754b4e5fadc1ffda0fafff14f7eeee647987f
Opcode Fuzzy Hash: 450aea1ac32a542e04897aa5ca1b3ea50cb517b7a153c9d69432c37968909d4a
Instruction Fuzzy Hash: FA412B21F1964301FA605E266A5577AE290AF8DBC0F008336FDDDC7BAADE3CE4016304

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF63B25414C Relevance: .1, Instructions: 126
COMMONLIBRARYCODECrypto

Download Yara Rule

C-Code - Quality: 59%

			E00007FF67FF63B25414C(signed int __edx, void* __edi, void* __esp, long long __rbx, signed long long*** __rcx, long long __rsi) {
				void* _t24;
				void* _t25;
				int _t26;
				signed int _t51;
				void* _t52;
				signed long long _t66;
				signed int* _t73;
				signed long long _t75;
				signed long long _t77;
				signed long long _t78;
				signed long long _t95;
				signed long long _t96;
				signed long long _t98;
				signed long long _t104;
				long long _t115;
				void* _t117;
				void* _t120;
				signed long long* _t123;
				signed long long _t124;
				signed long long _t126;
				signed long long _t129;
				signed long long*** _t132;

				_t52 = __edi;
				_t51 = __edx;
				 *((long long*)(_t117 + 0x10)) = __rbx;
				 *((long long*)(_t117 + 0x18)) = _t115;
				 *((long long*)(_t117 + 0x20)) = __rsi;
				_t66 =  *((intOrPtr*)(__rcx));
				_t132 = __rcx;
				_t73 =  *_t66;
				if (_t73 == 0) goto 0x3b2542e0;
				_t124 =  *0x3b27a028; // 0x7f80d271952
				_t111 = _t124 ^  *_t73;
				_t75 = _t73[4] ^ _t124;
				asm("dec eax");
				asm("dec eax");
				asm("dec ecx");
				if ((_t73[2] ^ _t124) != _t75) goto 0x3b254252;
				_t77 = _t75 - (_t124 ^  *_t73) >> 3;
				_t101 =  >  ? _t66 : _t77;
				_t6 = _t115 + 0x20; // 0x20
				_t102 = ( >  ? _t66 : _t77) + _t77;
				_t103 =  ==  ? _t66 : ( >  ? _t66 : _t77) + _t77;
				if (( ==  ? _t66 : ( >  ? _t66 : _t77) + _t77) - _t77 < 0) goto 0x3b2541ee;
				_t7 = _t115 + 8; // 0x8
				r8d = _t7;
				_t24 = E00007FF67FF63B256F7C(E00007FF67FF63B25E150(_t6, r10d & 0x0000003f, _t77, _t111,  ==  ? _t66 : ( >  ? _t66 : _t77) + _t77, _t111, _t115, _t120), _t66, _t111);
				if (_t66 != 0) goto 0x3b254216;
				_t104 = _t77 + 4;
				r8d = 8;
				_t25 = E00007FF67FF63B25E150(_t24, 0, _t77, _t111, _t104, _t111, _t115, _t120);
				_t129 = _t66;
				_t26 = E00007FF67FF63B256F7C(_t25, _t66, _t111);
				if (_t129 == 0) goto 0x3b2542e0;
				_t123 = _t129 + _t77 * 8;
				_t78 = _t129 + _t104 * 8;
				_t88 =  >  ? _t115 : _t78 - _t123 + 7 >> 3;
				_t64 =  >  ? _t115 : _t78 - _t123 + 7 >> 3;
				if (( >  ? _t115 : _t78 - _t123 + 7 >> 3) == 0) goto 0x3b254252;
				memset(_t52, _t26, 0 << 0);
				_t126 =  *0x3b27a028; // 0x7f80d271952
				r8d = 0x40;
				asm("dec eax");
				 *_t123 =  *(_t132[1]) ^ _t126;
				_t95 =  *0x3b27a028; // 0x7f80d271952
				asm("dec eax");
				 *( *( *_t132)) = _t129 ^ _t95;
				_t96 =  *0x3b27a028; // 0x7f80d271952
				asm("dec eax");
				( *( *_t132))[1] =  &(_t123[1]) ^ _t96;
				_t98 =  *0x3b27a028; // 0x7f80d271952
				r8d = r8d - (_t51 & 0x0000003f);
				asm("dec eax");
				( *( *_t132))[2] = _t78 ^ _t98;
				goto 0x3b2542e3;
				return 0xffffffff;
			}

0x7ff63b25414c
0x7ff63b25414c
0x7ff63b25414c
0x7ff63b254151
0x7ff63b254156
0x7ff63b254164
0x7ff63b254169
0x7ff63b25416c
0x7ff63b254172
0x7ff63b254178
0x7ff63b254186
0x7ff63b254196
0x7ff63b254199
0x7ff63b25419c
0x7ff63b25419f
0x7ff63b2541a5
0x7ff63b2541b3
0x7ff63b2541bd
0x7ff63b2541c1
0x7ff63b2541c4
0x7ff63b2541c7
0x7ff63b2541ce
0x7ff63b2541d0
0x7ff63b2541d0
0x7ff63b2541e4
0x7ff63b2541ec
0x7ff63b2541ee
0x7ff63b2541f2
0x7ff63b2541fe
0x7ff63b254205
0x7ff63b254208
0x7ff63b254210
0x7ff63b25421d
0x7ff63b254221
0x7ff63b254239
0x7ff63b25423d
0x7ff63b254240
0x7ff63b254248
0x7ff63b25424b
0x7ff63b254252
0x7ff63b254271
0x7ff63b254277
0x7ff63b25427a
0x7ff63b25428d
0x7ff63b254296
0x7ff63b25429c
0x7ff63b2542ad
0x7ff63b2542b6
0x7ff63b2542ba
0x7ff63b2542c6
0x7ff63b2542cf
0x7ff63b2542da
0x7ff63b2542de
0x7ff63b2542fb

Memory Dump Source

Source File: 00000000.00000002.556808357.00007FF63B241000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF63B240000, based on PE: true

Associated: 00000000.00000002.556798378.00007FF63B240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.556881205.00007FF63B27C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.556890864.00007FF63B27F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.556890864.00007FF63B284000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.557189912.00007FF63B32C000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.557371250.00007FF63B3E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.557378386.00007FF63B3E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63b240000_1q3HnZAcnJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fadefa4403b6738cf0a6f4e51a8896adfc2252fb51d60350a989e811ef6a4e5
Instruction ID: 87e4c75646ad2912d8093417321b2f1c1ceae86be2f202bd09c76d43c6926c50
Opcode Fuzzy Hash: 2fadefa4403b6738cf0a6f4e51a8896adfc2252fb51d60350a989e811ef6a4e5
Instruction Fuzzy Hash: 3D410422B14A5842EF04CF26DA11179A3A1A74CFE4B099133DE4DC7B6CDE3CC4459708

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF63B243760 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.556808357.00007FF63B241000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF63B240000, based on PE: true

Associated: 00000000.00000002.556798378.00007FF63B240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.556881205.00007FF63B27C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.556890864.00007FF63B27F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.556890864.00007FF63B284000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.557189912.00007FF63B32C000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.557371250.00007FF63B3E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.557378386.00007FF63B3E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63b240000_1q3HnZAcnJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 551b75b7b265ada26daef0465abffb0554bc68d4f4e856ea58590ef990e7590a
Instruction ID: d71205869e12701a1f7773c2e2bcc8c93409862e9d22efe230396a9563671e83
Opcode Fuzzy Hash: 551b75b7b265ada26daef0465abffb0554bc68d4f4e856ea58590ef990e7590a
Instruction Fuzzy Hash: D151F562E19B8281FB11CB3496027B56760FF9E794F505335DAC9A3BB1DF6CA180E704

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF63B2D2398 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.556890864.00007FF63B284000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF63B240000, based on PE: true

Associated: 00000000.00000002.556798378.00007FF63B240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.556808357.00007FF63B241000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.556881205.00007FF63B27C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.556890864.00007FF63B27F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.557189912.00007FF63B32C000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.557371250.00007FF63B3E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.557378386.00007FF63B3E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63b240000_1q3HnZAcnJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7db9724530184a630c9dc9df2a2434fc99172af8fd014bc21af5f774327a1f1
Instruction ID: 2606e827ff1d23be2a836f7bee471b43660142b452b7391e8e4da13a32165cf7
Opcode Fuzzy Hash: b7db9724530184a630c9dc9df2a2434fc99172af8fd014bc21af5f774327a1f1
Instruction Fuzzy Hash: 3741446360CE52E9DB128F41E4414ADB764FB88B84F988136DBCC87B29DE7CD155DB40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF63B245550 Relevance: .1, Instructions: 110
COMMONCrypto

Download Yara Rule

C-Code - Quality: 70%

			E00007FF67FF63B245550(signed int __rax, long long __rbx, signed int* __rcx, void* __r9) {
				signed int _t57;
				signed int _t61;
				signed int _t64;
				signed int _t67;
				void* _t94;
				void* _t95;
				signed int* _t102;
				long long* _t103;
				signed int* _t111;
				signed int* _t113;

				_t102 = __rcx;
				r9d = 0x270;
				_t57 =  *__rcx;
				_t94 = _t57 - r9d;
				if (_t94 != 0) goto 0x3b2455b1;
				_t104 =  &(__rcx[2]);
				asm("btr edx, 0x1f");
				asm("sbb ecx, ecx");
				__rcx[0x271] = _t57 & 0x9908b0df ^ __rcx[0x18e] ^ ( *( &(__rcx[2]) - 4) ^  *_t104 ^  *( &(__rcx[3]) - 8)) >> 0x00000001;
				if (_t94 != 0) goto 0x3b245570;
				_t61 =  *__rcx;
				goto 0x3b24569a;
				_t95 = _t61 - 0x4e0;
				if (_t95 < 0) goto 0x3b24569a;
				_t111 =  &(__rcx[0x271]);
				 *_t103 = __rbx;
				asm("btr edx, 0x1f");
				asm("sbb ecx, ecx");
				_t64 = _t61 & 0x9908b0df ^ _t111[0x18d] ^ (_t111[1] ^  *_t111 ^  *_t111) >> 0x00000001;
				 *(_t111 - 0x9c0) = _t64;
				if (_t95 != 0) goto 0x3b2455d0;
				_t113 =  &(__rcx[0x354]);
				asm("btr edx, 0x1f");
				asm("sbb ecx, ecx");
				_t67 = _t64 & 0x9908b0df ^  *(_t113 - 0xd4c) ^ ( *_t113 ^ _t113[1] ^  *_t113) >> 0x00000001;
				 *(_t113 - 0x9c0) = _t67;
				if (_t95 != 0) goto 0x3b245620;
				asm("btr edx, 0x1f");
				asm("sbb ecx, ecx");
				__rcx[0x270] = _t67 & 0x9908b0df ^ __rcx[0x18d] ^ (__rcx[0x4e0] ^ __rcx[1] ^ __rcx[0x4e0]) >> 0x00000001;
				 *__rcx = 0;
				_t24 =  &(_t102[0]); // 0x1
				 *__rcx = _t24;
				return ( *(__rcx + 4 + __rax * 4) ^ __rcx[0x4e1] &  *(__rcx + 4 + __rax * 4) >> 0x0000000b ^ (( *(__rcx + 4 + __rax * 4) ^ __rcx[0x4e1] &  *(__rcx + 4 + __rax * 4) >> 0x0000000b) & 0xff3a58ad) << 0x00000007 ^ (( *(__rcx + 4 + __rax * 4) ^ __rcx[0x4e1] &  *(__rcx + 4 + __rax * 4) >> 0x0000000b ^ (( *(__rcx + 4 + __rax * 4) ^ __rcx[0x4e1] &  *(__rcx + 4 + __rax * 4) >> 0x0000000b) & 0xff3a58ad) << 0x00000007) & 0xffffdf8c) << 0x0000000f) >> 0x00000012 ^  *(__rcx + 4 + __rax * 4) ^ __rcx[0x4e1] &  *(__rcx + 4 + __rax * 4) >> 0x0000000b ^ (( *(__rcx + 4 + __rax * 4) ^ __rcx[0x4e1] &  *(__rcx + 4 + __rax * 4) >> 0x0000000b) & 0xff3a58ad) << 0x00000007 ^ (( *(__rcx + 4 + __rax * 4) ^ __rcx[0x4e1] &  *(__rcx + 4 + __rax * 4) >> 0x0000000b ^ (( *(__rcx + 4 + __rax * 4) ^ __rcx[0x4e1] &  *(__rcx + 4 + __rax * 4) >> 0x0000000b) & 0xff3a58ad) << 0x00000007) & 0xffffdf8c) << 0x0000000f;
			}

0x7ff63b245550
0x7ff63b245557
0x7ff63b24555d
0x7ff63b24555f
0x7ff63b245562
0x7ff63b245564
0x7ff63b24557b
0x7ff63b245589
0x7ff63b24559c
0x7ff63b2455a7
0x7ff63b2455a9
0x7ff63b2455ac
0x7ff63b2455b1
0x7ff63b2455b7
0x7ff63b2455bd
0x7ff63b2455c4
0x7ff63b2455da
0x7ff63b2455e9
0x7ff63b2455fa
0x7ff63b2455fc
0x7ff63b24560a
0x7ff63b24560c
0x7ff63b245629
0x7ff63b245638
0x7ff63b245649
0x7ff63b24564b
0x7ff63b245659
0x7ff63b24566a
0x7ff63b24567b
0x7ff63b24568e
0x7ff63b245697
0x7ff63b2456a1
0x7ff63b2456a4
0x7ff63b2456da

Memory Dump Source

Source File: 00000000.00000002.556808357.00007FF63B241000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF63B240000, based on PE: true

Associated: 00000000.00000002.556798378.00007FF63B240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.556881205.00007FF63B27C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.556890864.00007FF63B27F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.556890864.00007FF63B284000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.557189912.00007FF63B32C000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.557371250.00007FF63B3E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.557378386.00007FF63B3E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63b240000_1q3HnZAcnJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c983a2938cf48172002bf867be787710d5e0ba9960fdfd4591bd0f51ee9138b
Instruction ID: 842979b8276e90f1af9827607b07d9d93fb6d9cbbe5ac07f404271b87bafa146
Opcode Fuzzy Hash: 1c983a2938cf48172002bf867be787710d5e0ba9960fdfd4591bd0f51ee9138b
Instruction Fuzzy Hash: 62415133B155508BD78CCF39C855AAD33A6E39C304F96C23AE619C7795DE369906CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF63B25C130 Relevance: .0, Instructions: 32
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E00007FF67FF63B25C130(intOrPtr __ebx, intOrPtr __edx, signed int __rax, signed int __rdx, void* __r8, signed long long _a8) {
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				void* _t25;

				_t25 = __r8;
				r8d = 0;
				 *0x3b27c8b8 = r8d;
				_t1 = _t25 + 1; // 0x1
				r9d = _t1;
				asm("cpuid");
				_v16 = r9d;
				_v16 = 0;
				_v20 = __ebx;
				_v12 = __edx;
				if (0 != 0x18001000) goto 0x3b25c191;
				asm("xgetbv");
				_a8 = __rdx << 0x00000020 | __rax;
				r8d =  *0x3b27c8b8; // 0x1
				r8d =  ==  ? r9d : r8d;
				 *0x3b27c8b8 = r8d;
				 *0x3b27c8bc = r8d;
				return 0;
			}

0x7ff63b25c130
0x7ff63b25c136
0x7ff63b25c13b
0x7ff63b25c142
0x7ff63b25c142
0x7ff63b25c149
0x7ff63b25c14b
0x7ff63b25c153
0x7ff63b25c159
0x7ff63b25c15d
0x7ff63b25c163
0x7ff63b25c167
0x7ff63b25c171
0x7ff63b25c17b
0x7ff63b25c186
0x7ff63b25c18a
0x7ff63b25c191
0x7ff63b25c19f

Memory Dump Source

Source File: 00000000.00000002.556808357.00007FF63B241000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF63B240000, based on PE: true

Associated: 00000000.00000002.556798378.00007FF63B240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.556881205.00007FF63B27C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.556890864.00007FF63B27F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.556890864.00007FF63B284000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.557189912.00007FF63B32C000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.557371250.00007FF63B3E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.557378386.00007FF63B3E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63b240000_1q3HnZAcnJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67da62bf4be796f07af908b5cc85a463e5c84a38402494253f22ca0c087d1788
Instruction ID: 36f42f0e07bf48bdb2c50331a060f260b0126c4f2b684c57283973e1d8551e1e
Opcode Fuzzy Hash: 67da62bf4be796f07af908b5cc85a463e5c84a38402494253f22ca0c087d1788
Instruction Fuzzy Hash: 28F068717182559AEB958F28A54363977D0E70C380F50857ED5CDC3B14DA7C90509F08

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF63B257924 Relevance: 36.8, APIs: 10, Strings: 11, Instructions: 57
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 77%

			E00007FF67FF63B257924(void* __edi, void* __esp, void* __eflags, void* __rcx, long long __rdi, long long _a8) {
				void* _v4;
				int _t13;
				void* _t38;
				void* _t55;

				E00007FF67FF63B257060(0, _t38, "AreFileApisANSI", _t55, 0x3b26a788, 0x3b26a78c);
				E00007FF67FF63B257060(1, _t38, "CompareStringEx", _t55, 0x3b26a7a0, "CompareStringEx");
				E00007FF67FF63B257060(2, _t38, "EnumSystemLocalesEx", _t55, 0x3b26a7b8, "EnumSystemLocalesEx");
				E00007FF67FF63B257060(8, _t38, "GetDateFormatEx", _t55, 0x3b26a7f8, "GetDateFormatEx");
				E00007FF67FF63B257060(0xb, _t38, "GetLocaleInfoEx", _t55, 0x3b26a810, "GetLocaleInfoEx");
				E00007FF67FF63B257060(0xe, _t38, "GetTimeFormatEx", _t55, 0x3b26a828, "GetTimeFormatEx");
				E00007FF67FF63B257060(0xf, _t38, "GetUserDefaultLocaleName", _t55, 0x3b26a840, "GetUserDefaultLocaleName");
				E00007FF67FF63B257060(0x13, _t38, "IsValidLocaleName", _t55, 0x3b26a870, "IsValidLocaleName");
				E00007FF67FF63B257060(0x14, _t38, "LCMapStringEx", _t55, 0x3b26a890, "LCMapStringEx");
				_t13 = E00007FF67FF63B257060(0x15, _t38, "LCIDToLocaleName", _t55, 0x3b26a8a8, "LCIDToLocaleName");
				goto E00007FF67FF63B257060;
				asm("int3");
				asm("int3");
				_a8 = __rdi;
				asm("dec eax");
				memset(__edi, _t13, 0x16 << 0);
				return 1;
			}

0x7ff63b25793f
0x7ff63b25795e
0x7ff63b25797d
0x7ff63b25799c
0x7ff63b2579bb
0x7ff63b2579da
0x7ff63b2579f9
0x7ff63b257a18
0x7ff63b257a37
0x7ff63b257a56
0x7ff63b257a79
0x7ff63b257a7e
0x7ff63b257a7f
0x7ff63b257a80
0x7ff63b257a9d
0x7ff63b257aa6
0x7ff63b257ab0

APIs

try_get_function.LIBVCRUNTIME ref: 00007FF63B25793F
try_get_function.LIBVCRUNTIME ref: 00007FF63B25795E
try_get_function.LIBVCRUNTIME ref: 00007FF63B25797D
try_get_function.LIBVCRUNTIME ref: 00007FF63B25799C
try_get_function.LIBVCRUNTIME ref: 00007FF63B2579BB
try_get_function.LIBVCRUNTIME ref: 00007FF63B2579DA
try_get_function.LIBVCRUNTIME ref: 00007FF63B2579F9
try_get_function.LIBVCRUNTIME ref: 00007FF63B257A18
try_get_function.LIBVCRUNTIME ref: 00007FF63B257A37
try_get_function.LIBVCRUNTIME ref: 00007FF63B257A56

Strings

LCIDToLocaleName, xrefs: 00007FF63B257A3C, 00007FF63B257A4F
AreFileApisANSI, xrefs: 00007FF63B257938
EnumSystemLocalesEx, xrefs: 00007FF63B257963, 00007FF63B257976
GetDateFormatEx, xrefs: 00007FF63B257982, 00007FF63B257995
LocaleNameToLCID, xrefs: 00007FF63B257A5B, 00007FF63B257A6E
GetTimeFormatEx, xrefs: 00007FF63B2579C0, 00007FF63B2579D3
GetLocaleInfoEx, xrefs: 00007FF63B2579A1, 00007FF63B2579B4
IsValidLocaleName, xrefs: 00007FF63B2579FE, 00007FF63B257A11
LCMapStringEx, xrefs: 00007FF63B257A1D, 00007FF63B257A30
GetUserDefaultLocaleName, xrefs: 00007FF63B2579DF, 00007FF63B2579F2
CompareStringEx, xrefs: 00007FF63B257944, 00007FF63B257957

Memory Dump Source

Source File: 00000000.00000002.556808357.00007FF63B241000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF63B240000, based on PE: true

Associated: 00000000.00000002.556798378.00007FF63B240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.556881205.00007FF63B27C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.556890864.00007FF63B27F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.556890864.00007FF63B284000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.557189912.00007FF63B32C000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.557371250.00007FF63B3E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.557378386.00007FF63B3E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63b240000_1q3HnZAcnJ.jbxd

Similarity

API ID: try_get_function
String ID: AreFileApisANSI$CompareStringEx$EnumSystemLocalesEx$GetDateFormatEx$GetLocaleInfoEx$GetTimeFormatEx$GetUserDefaultLocaleName$IsValidLocaleName$LCIDToLocaleName$LCMapStringEx$LocaleNameToLCID
API String ID: 2742660187-3252031757
Opcode ID: a9568b9818c998d83b93b571b13dcf2b483c22f15a05bd3ad29f1d2e7a1eb50b
Instruction ID: b10996fad04491c442d17403c405bbfcd0ec129a4d9c19bc14fafbc8edef25e7
Opcode Fuzzy Hash: a9568b9818c998d83b93b571b13dcf2b483c22f15a05bd3ad29f1d2e7a1eb50b
Instruction Fuzzy Hash: B1317760B58A4BA4F605EB54EA517F523B1EF0E300FC25633D18D823B58FBCA64AE351

Uniqueness

Uniqueness Score: -1.00%

Function 00000191EB4B12D8 Relevance: 15.3, APIs: 10, Instructions: 300COMMON

Download Yara Rule

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 00000191EB4B1300
__scrt_acquire_startup_lock.LIBCMT ref: 00000191EB4B1352
_RTC_Initialize.LIBCMT ref: 00000191EB4B1380
__scrt_dllmain_after_initialize_c.LIBCMT ref: 00000191EB4B13A6
__scrt_release_startup_lock.LIBCMT ref: 00000191EB4B13D1
__scrt_fastfail.LIBCMT ref: 00000191EB4B1437

Memory Dump Source

Source File: 00000000.00000002.556430783.00000191EB4B1000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000191EB4B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_191eb4b1000_1q3HnZAcnJ.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_fastfail__scrt_release_startup_lock
String ID:
API String ID: 2904100720-0
Opcode ID: bdc4e10cf2850800bad6ec58f36eb416631004feb4e78b6242bb27f2f577f552
Instruction ID: 726cd7362cf4066f7fa6e9304e4a161040ab0fa2529dd778b5fa8d2f5dadabb6
Opcode Fuzzy Hash: bdc4e10cf2850800bad6ec58f36eb416631004feb4e78b6242bb27f2f577f552
Instruction Fuzzy Hash: CA911CB07B86176BF757AB6E94E57E932D1FB59300F440539EE07C32D2DA24C88583A2

Uniqueness

Uniqueness Score: -1.00%

Function 00000191ECDF3D18 Relevance: 14.5, APIs: 5, Strings: 3, Instructions: 464COMMONLIBRARYCODE

Download Yara Rule

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 00000191ECDF3D74

Part of subcall function 00000191ECDF4C58: _GetEstablisherFrame.LIBVCRUNTIME ref: 00000191ECDF4C8D
Part of subcall function 00000191ECDF4C58: __GetUnwindTryBlock.LIBCMT ref: 00000191ECDF4C9B
Part of subcall function 00000191ECDF4C58: __SetUnwindTryBlock.LIBVCRUNTIME ref: 00000191ECDF4CC0

Is_bad_exception_allowed.LIBVCRUNTIME ref: 00000191ECDF3E4C
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 00000191ECDF4092
_GetEstablisherFrame.LIBVCRUNTIME ref: 00000191ECDF40E4
std::bad_alloc::bad_alloc.LIBCMT ref: 00000191ECDF419E

Strings

csm, xrefs: 00000191ECDF3E6F
csm, xrefs: 00000191ECDF3DF5
csm, xrefs: 00000191ECDF3D8E

Memory Dump Source

Source File: 00000000.00000002.556733649.00000191ECDF1000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000191ECDF1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_191ecdf1000_1q3HnZAcnJ.jbxd

Similarity

API ID: Frame$BlockEstablisherHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 3606184308-393685449
Opcode ID: 79cbf356fa7523505b0b2d73901c5b9c00bad9cdc203df130224571c4628b0d4
Instruction ID: b7cf7fbaf37f7ec6ac0a7de9a1c3773f85f9967369f70d67f195280c3a7d1f0a
Opcode Fuzzy Hash: 79cbf356fa7523505b0b2d73901c5b9c00bad9cdc203df130224571c4628b0d4
Instruction Fuzzy Hash: CDF15E30D18A8A9BEB66EF5888957E977E0FB58310F50065EEC59C7292DB31D8C1C7C2

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF63B24B894 Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 313
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 65%

			E00007FF67FF63B24B894(intOrPtr __ecx, void* __edx, intOrPtr* __rcx, long long __rdx, long long __r8, long long __r9, void* __r10) {
				void* __rbx;
				void* __rdi;
				void* __rsi;
				void* __rbp;
				signed int* _t127;
				void* _t144;
				intOrPtr _t145;
				intOrPtr _t153;
				void* _t172;
				intOrPtr _t175;
				signed int _t176;
				signed int _t177;
				void* _t179;
				void* _t208;
				signed long long _t218;
				signed long long _t219;
				signed long long _t225;
				long long _t227;
				signed int _t234;
				intOrPtr* _t235;
				intOrPtr* _t236;
				signed long long _t245;
				long long _t266;
				signed int* _t279;
				long long _t280;
				void* _t281;
				void* _t282;
				signed long long _t283;
				long long _t295;
				signed int _t304;

				_t281 = _t282 - 0x28;
				_t283 = _t282 - 0x128;
				_t218 =  *0x3b27a028; // 0x7f80d271952
				_t219 = _t218 ^ _t283;
				 *(_t281 + 0x10) = _t219;
				_t279 =  *((intOrPtr*)(_t281 + 0x90));
				_t304 =  *((intOrPtr*)(_t281 + 0xa8));
				 *((long long*)(_t283 + 0x68)) = __r8;
				_t235 = __rcx;
				 *((long long*)(_t281 - 0x80)) = __rdx;
				 *(_t281 - 0x68) = _t304;
				 *((char*)(_t283 + 0x60)) = 0;
				_t280 = __r9;
				_t127 = E00007FF67FF63B24DB50(__ecx, __rcx, __rdx, __r9, __r9, _t281, _t279, __r9);
				r14d = _t127;
				if (_t127 - 0xffffffff < 0) goto 0x3b24bd53;
				if (_t127 - _t279[1] >= 0) goto 0x3b24bd53;
				if ( *_t235 != 0xe06d7363) goto 0x3b24b9df;
				if ( *((intOrPtr*)(_t235 + 0x18)) != 4) goto 0x3b24b9df;
				if ( *((intOrPtr*)(_t235 + 0x20)) - 0x19930520 - 2 > 0) goto 0x3b24b9df;
				if ( *((long long*)(_t235 + 0x30)) != 0) goto 0x3b24b9df;
				E00007FF67FF63B24ADD0(_t219);
				if ( *((long long*)(_t219 + 0x20)) == 0) goto 0x3b24bcec;
				E00007FF67FF63B24ADD0(_t219);
				_t236 =  *((intOrPtr*)(_t219 + 0x20));
				E00007FF67FF63B24ADD0(_t219);
				 *((char*)(_t283 + 0x60)) = 1;
				 *((long long*)(_t283 + 0x68)) =  *((intOrPtr*)(_t219 + 0x28));
				E00007FF67FF63B249D08(_t219,  *((intOrPtr*)(_t236 + 0x38)));
				if ( *_t236 != 0xe06d7363) goto 0x3b24b997;
				if ( *((intOrPtr*)(_t236 + 0x18)) != 4) goto 0x3b24b997;
				if ( *((intOrPtr*)(_t236 + 0x20)) - 0x19930520 - 2 > 0) goto 0x3b24b997;
				if ( *((long long*)(_t236 + 0x30)) == 0) goto 0x3b24bd53;
				E00007FF67FF63B24ADD0(_t219);
				if ( *(_t219 + 0x38) == 0) goto 0x3b24b9df;
				E00007FF67FF63B24ADD0(_t219);
				E00007FF67FF63B24ADD0(_t219);
				 *(_t219 + 0x38) =  *(_t219 + 0x38) & 0x00000000;
				if (E00007FF67FF63B24DBE8(_t219, _t236, _t236,  *(_t219 + 0x38), __r9) != 0) goto 0x3b24b9da;
				if (E00007FF67FF63B24DCD8(_t219, _t236,  *(_t219 + 0x38), __r9, _t281) == 0) goto 0x3b24bd30;
				goto 0x3b24bd0c;
				 *((long long*)(_t281 - 0x40)) =  *((intOrPtr*)(__r9 + 8));
				 *(_t281 - 0x48) = _t279;
				if ( *_t236 != 0xe06d7363) goto 0x3b24bca3;
				if ( *((intOrPtr*)(_t236 + 0x18)) != 4) goto 0x3b24bca3;
				if ( *((intOrPtr*)(_t236 + 0x20)) - 0x19930520 - 2 > 0) goto 0x3b24bca3;
				r13d = 0;
				if (_t279[3] - r13d <= 0) goto 0x3b24bbd4;
				 *(_t283 + 0x28) =  *(_t281 + 0xa0);
				 *(_t283 + 0x20) = _t279;
				r8d = r14d;
				_t144 = E00007FF67FF63B2495AC(_t236, _t281 - 0x28, _t281 - 0x48, __r9, _t281, __r9, __r10);
				asm("movups xmm0, [ebp-0x28]");
				asm("movdqu [ebp-0x38], xmm0");
				asm("psrldq xmm0, 0x8");
				asm("movd eax, xmm0");
				if (_t144 -  *((intOrPtr*)(_t281 - 0x10)) >= 0) goto 0x3b24bbd4;
				_t295 =  *((intOrPtr*)(_t281 - 0x28));
				r12d =  *((intOrPtr*)(_t281 - 0x30));
				 *((long long*)(_t283 + 0x78)) = _t295;
				_t145 = r12d;
				asm("inc ecx");
				 *((intOrPtr*)(_t281 - 0x50)) = __ecx;
				asm("movd eax, xmm0");
				asm("movups [ebp-0x60], xmm0");
				if (_t145 - r14d > 0) goto 0x3b24bbc3;
				_t225 =  *(_t281 - 0x60) >> 0x20;
				if (r14d - _t145 > 0) goto 0x3b24bbc3;
				_t266 =  *((intOrPtr*)( *((intOrPtr*)( *( *(_t281 - 0x38)) + 0x10)) + ( *( *(_t281 - 0x38)) +  *( *(_t281 - 0x38)) * 4) * 4 +  *((intOrPtr*)(_t295 + 8)) + 0x10)) +  *((intOrPtr*)(__r9 + 8));
				 *((long long*)(_t281 - 0x70)) = _t266;
				if (r15d == 0) goto 0x3b24bbc0;
				_t245 = _t225 + _t225 * 4;
				asm("movups xmm0, [edx+ecx*4]");
				asm("movups [ebp-0x8], xmm0");
				_t59 = _t245 * 4; // 0x48ccccc35f40c483
				 *((intOrPtr*)(_t281 + 8)) =  *((intOrPtr*)(_t266 + _t59 + 0x10));
				E00007FF67FF63B249CDC(_t225);
				_t227 = _t225 + 4 +  *((intOrPtr*)( *((intOrPtr*)(_t236 + 0x30)) + 0xc));
				 *((long long*)(_t283 + 0x70)) = _t227;
				E00007FF67FF63B249CDC(_t227);
				_t175 =  *((intOrPtr*)(_t227 +  *((intOrPtr*)( *((intOrPtr*)(_t236 + 0x30)) + 0xc))));
				 *((intOrPtr*)(_t283 + 0x64)) = _t175;
				if (_t175 <= 0) goto 0x3b24bb51;
				E00007FF67FF63B249CDC(_t227);
				 *((long long*)(_t281 - 0x78)) = _t227 +  *((intOrPtr*)( *((intOrPtr*)(_t283 + 0x70))));
				if (E00007FF67FF63B24C760(_t179, _t236, _t281 - 8, _t227 +  *((intOrPtr*)( *((intOrPtr*)(_t283 + 0x70)))), _t279, __r9,  *((intOrPtr*)(_t236 + 0x30))) != 0) goto 0x3b24bb62;
				 *((long long*)(_t283 + 0x70)) =  *((long long*)(_t283 + 0x70)) + 4;
				_t153 =  *((intOrPtr*)(_t283 + 0x64)) - 1;
				 *((intOrPtr*)(_t283 + 0x64)) = _t153;
				if (_t153 > 0) goto 0x3b24bb15;
				r13d = r13d + 1;
				if (r13d == r15d) goto 0x3b24bbbb;
				goto 0x3b24bace;
				 *((char*)(_t283 + 0x58)) =  *((intOrPtr*)(_t281 + 0x98));
				 *(_t283 + 0x50) =  *((intOrPtr*)(_t283 + 0x60));
				 *((long long*)(_t283 + 0x48)) =  *(_t281 - 0x68);
				 *(_t283 + 0x40) =  *(_t281 + 0xa0);
				 *(_t283 + 0x38) = _t281 - 0x60;
				 *(_t283 + 0x30) =  *((intOrPtr*)(_t281 - 0x78));
				 *(_t283 + 0x28) = _t281 - 8;
				 *(_t283 + 0x20) = _t279;
				E00007FF67FF63B24B6EC(_t175, _t236, _t236,  *((intOrPtr*)(_t281 - 0x80)),  *((intOrPtr*)(_t283 + 0x68)), _t280);
				r13d = 0;
				r12d = r12d + 1;
				if (r12d -  *((intOrPtr*)(_t281 - 0x10)) < 0) goto 0x3b24ba69;
				if (( *_t279 & 0x1fffffff) - 0x19930521 < 0) goto 0x3b24bce0;
				_t208 = _t279[8] - r13d;
				if (_t208 == 0) goto 0x3b24bbfa;
				E00007FF67FF63B249CC8(_t281 - 8);
				if (_t208 != 0) goto 0x3b24bc1b;
				if ((_t279[9] >> 0x00000002 & 0x00000001) == 0) goto 0x3b24bce0;
				if (E00007FF67FF63B2493F0(_t279[9] >> 0x00000002 & 0x00000001, _t281 - 8 + _t279[8], _t280, _t279) != 0) goto 0x3b24bce0;
				if ((_t279[9] >> 0x00000002 & 0x00000001) != 0) goto 0x3b24bd36;
				if (_t279[8] == r13d) goto 0x3b24bc40;
				E00007FF67FF63B249CC8(_t281 - 8 + _t279[8]);
				_t234 = _t279[8];
				goto 0x3b24bc43;
				if (E00007FF67FF63B24DBE8(_t234, _t236, _t236, _t304, _t280) != 0) goto 0x3b24bce0;
				E00007FF67FF63B2494BC(_t236,  *((intOrPtr*)(_t281 - 0x80)), _t280, _t281, _t279, _t281 - 0x78);
				_t176 =  *((intOrPtr*)(_t281 + 0x98));
				 *(_t283 + 0x50) = _t176;
				_t177 = _t176 | 0xffffffff;
				 *((long long*)(_t283 + 0x48)) = _t280;
				 *(_t283 + 0x40) = _t304;
				 *(_t283 + 0x38) = _t177;
				 *(_t283 + 0x30) = _t177;
				 *(_t283 + 0x28) = _t279;
				 *(_t283 + 0x20) = _t304;
				E00007FF67FF63B249854( *((intOrPtr*)(_t281 - 0x80)), _t236,  *((intOrPtr*)(_t283 + 0x68)), _t234);
				goto 0x3b24bce0;
				if (_t279[3] <= 0) goto 0x3b24bce0;
				if ( *((char*)(_t281 + 0x98)) != 0) goto 0x3b24bd53;
				 *(_t283 + 0x38) = _t304;
				 *(_t283 + 0x30) =  *(_t281 + 0xa0);
				 *(_t283 + 0x28) = r14d;
				 *(_t283 + 0x20) = _t279;
				E00007FF67FF63B24C258(_t236, _t236,  *((intOrPtr*)(_t281 - 0x80)),  *(_t281 - 0x58) >> 0x20, _t280);
				_t172 = E00007FF67FF63B24ADD0(_t234);
				if ( *((long long*)(_t234 + 0x38)) != 0) goto 0x3b24bd53;
				return E00007FF67FF63B248930(_t172, _t177,  *(_t281 + 0x10) ^ _t283);
			}

0x7ff63b24b8a1
0x7ff63b24b8a6
0x7ff63b24b8ad
0x7ff63b24b8b4
0x7ff63b24b8b7
0x7ff63b24b8bb
0x7ff63b24b8c5
0x7ff63b24b8cf
0x7ff63b24b8d4
0x7ff63b24b8d7
0x7ff63b24b8e1
0x7ff63b24b8e8
0x7ff63b24b8ed
0x7ff63b24b8f0
0x7ff63b24b8f5
0x7ff63b24b8fb
0x7ff63b24b904
0x7ff63b24b910
0x7ff63b24b91a
0x7ff63b24b92b
0x7ff63b24b936
0x7ff63b24b93c
0x7ff63b24b946
0x7ff63b24b94c
0x7ff63b24b951
0x7ff63b24b955
0x7ff63b24b95e
0x7ff63b24b967
0x7ff63b24b96c
0x7ff63b24b977
0x7ff63b24b97d
0x7ff63b24b98a
0x7ff63b24b991
0x7ff63b24b997
0x7ff63b24b9a1
0x7ff63b24b9a3
0x7ff63b24b9ac
0x7ff63b24b9b7
0x7ff63b24b9c3
0x7ff63b24b9cf
0x7ff63b24b9d5
0x7ff63b24b9e3
0x7ff63b24b9e7
0x7ff63b24b9f1
0x7ff63b24b9fb
0x7ff63b24ba0c
0x7ff63b24ba12
0x7ff63b24ba19
0x7ff63b24ba29
0x7ff63b24ba34
0x7ff63b24ba39
0x7ff63b24ba3c
0x7ff63b24ba41
0x7ff63b24ba45
0x7ff63b24ba4a
0x7ff63b24ba4f
0x7ff63b24ba56
0x7ff63b24ba5c
0x7ff63b24ba60
0x7ff63b24ba64
0x7ff63b24ba74
0x7ff63b24ba83
0x7ff63b24ba8d
0x7ff63b24ba90
0x7ff63b24ba94
0x7ff63b24ba9b
0x7ff63b24baa5
0x7ff63b24baac
0x7ff63b24bab9
0x7ff63b24bac1
0x7ff63b24bac8
0x7ff63b24bad1
0x7ff63b24bad5
0x7ff63b24bad9
0x7ff63b24badd
0x7ff63b24bae1
0x7ff63b24bae4
0x7ff63b24baf5
0x7ff63b24baf8
0x7ff63b24bafd
0x7ff63b24bb0a
0x7ff63b24bb0d
0x7ff63b24bb13
0x7ff63b24bb15
0x7ff63b24bb30
0x7ff63b24bb3b
0x7ff63b24bb41
0x7ff63b24bb47
0x7ff63b24bb49
0x7ff63b24bb4f
0x7ff63b24bb51
0x7ff63b24bb57
0x7ff63b24bb5d
0x7ff63b24bb77
0x7ff63b24bb7f
0x7ff63b24bb87
0x7ff63b24bb92
0x7ff63b24bb9a
0x7ff63b24bba3
0x7ff63b24bbac
0x7ff63b24bbb1
0x7ff63b24bbb6
0x7ff63b24bbc0
0x7ff63b24bbc3
0x7ff63b24bbca
0x7ff63b24bbe0
0x7ff63b24bbe6
0x7ff63b24bbea
0x7ff63b24bbec
0x7ff63b24bbf8
0x7ff63b24bc02
0x7ff63b24bc15
0x7ff63b24bc23
0x7ff63b24bc2d
0x7ff63b24bc2f
0x7ff63b24bc37
0x7ff63b24bc3e
0x7ff63b24bc4d
0x7ff63b24bc60
0x7ff63b24bc65
0x7ff63b24bc76
0x7ff63b24bc7a
0x7ff63b24bc7d
0x7ff63b24bc82
0x7ff63b24bc87
0x7ff63b24bc8b
0x7ff63b24bc92
0x7ff63b24bc97
0x7ff63b24bc9c
0x7ff63b24bca1
0x7ff63b24bca7
0x7ff63b24bcb0
0x7ff63b24bcbf
0x7ff63b24bcc7
0x7ff63b24bcce
0x7ff63b24bcd6
0x7ff63b24bcdb
0x7ff63b24bce0
0x7ff63b24bcea
0x7ff63b24bd0b

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 00007FF63B24B8F0

Part of subcall function 00007FF63B24DB50: _GetEstablisherFrame.LIBVCRUNTIME ref: 00007FF63B24DB85
Part of subcall function 00007FF63B24DB50: __GetUnwindTryBlock.LIBCMT ref: 00007FF63B24DB93
Part of subcall function 00007FF63B24DB50: __SetUnwindTryBlock.LIBVCRUNTIME ref: 00007FF63B24DBB8

Is_bad_exception_allowed.LIBVCRUNTIME ref: 00007FF63B24B9C8
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 00007FF63B24BC0E
_GetEstablisherFrame.LIBVCRUNTIME ref: 00007FF63B24BC60
std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF63B24BD1A

Strings

csm, xrefs: 00007FF63B24B971
csm, xrefs: 00007FF63B24B90A
csm, xrefs: 00007FF63B24B9EB

Memory Dump Source

Source File: 00000000.00000002.556808357.00007FF63B241000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF63B240000, based on PE: true

Associated: 00000000.00000002.556798378.00007FF63B240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.556881205.00007FF63B27C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.556890864.00007FF63B27F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.556890864.00007FF63B284000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.557189912.00007FF63B32C000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.557371250.00007FF63B3E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.557378386.00007FF63B3E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63b240000_1q3HnZAcnJ.jbxd

Similarity

API ID: Frame$BlockEstablisherHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 3606184308-393685449
Opcode ID: 736a9ef24bc1992ad8ecc86695bbfa69cf1b4884a07dbee44eadd9c60b1c8c7a
Instruction ID: 5123bb7f76a18fde4996931d526c0628f31e09b44ad9632b9d5b9306f1472f6f
Opcode Fuzzy Hash: 736a9ef24bc1992ad8ecc86695bbfa69cf1b4884a07dbee44eadd9c60b1c8c7a
Instruction Fuzzy Hash: 80D16032A08B458AEB209F65D6453BE77A4FB49798F000235EE8D97F69CF38E491D740

Uniqueness

Uniqueness Score: -1.00%

Function 00000191ECDF1310 Relevance: 13.8, APIs: 9, Instructions: 300COMMON

Download Yara Rule

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 00000191ECDF1338
__scrt_acquire_startup_lock.LIBCMT ref: 00000191ECDF138A
_RTC_Initialize.LIBCMT ref: 00000191ECDF13B8
__scrt_dllmain_after_initialize_c.LIBCMT ref: 00000191ECDF13DE
__scrt_release_startup_lock.LIBCMT ref: 00000191ECDF1409

Memory Dump Source

Source File: 00000000.00000002.556733649.00000191ECDF1000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000191ECDF1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_191ecdf1000_1q3HnZAcnJ.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
String ID:
API String ID: 190073905-0
Opcode ID: 18ca84266680a1e2f633b274323ff404595b4032268b30acec0f04b53010ea6b
Instruction ID: af7a70eecac98218cc582a34e3a63a377bd952379fae9b0bd03b08e568351b68
Opcode Fuzzy Hash: 18ca84266680a1e2f633b274323ff404595b4032268b30acec0f04b53010ea6b
Instruction Fuzzy Hash: DA91E430F18A876FF796AB6C9C657E932E1FB99300F04451AFC45C3296DA66C8C187D2

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF63B244900 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 103
COMMON

Download Yara Rule

C-Code - Quality: 70%

			E00007FF67FF63B244900(intOrPtr* __rcx, char _a8, char _a16, long long _a24) {
				long long _v48;
				char _v56;
				void* __rbx;
				void* __rsi;
				intOrPtr _t31;
				void* _t34;
				void* _t38;
				signed char _t40;
				void* _t53;
				intOrPtr _t65;
				intOrPtr _t66;
				intOrPtr _t67;
				intOrPtr* _t69;
				intOrPtr* _t74;
				intOrPtr _t91;
				signed long long _t92;
				intOrPtr* _t93;
				long long _t94;
				intOrPtr* _t97;

				_t97 = __rcx;
				_t93 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *__rcx + 4)) + __rcx + 0x40)) + 8));
				_v48 = _t93;
				_t65 =  *_t93;
				 *((intOrPtr*)(_t65 + 8))();
				E00007FF67FF63B245CDC(0,  &_a16);
				_t94 =  *0x3b27ca28; // 0x191eb54e1b0
				_a24 = _t94;
				_t91 =  *0x3b27b498; // 0x1
				if (_t91 != 0) goto 0x3b24498f;
				E00007FF67FF63B245CDC(0,  &_a8);
				_t53 =  *0x3b27b498 - _t91; // 0x1
				if (_t53 != 0) goto 0x3b24497e;
				_t31 =  *0x3b27b480; // 0x1
				 *0x3b27b480 = _t31 + 1;
				 *0x3b27b498 = _t65;
				_t34 = E00007FF67FF63B245D54(_t65,  &_a8);
				_t92 =  *0x3b27b498; // 0x1
				if (_t92 -  *((intOrPtr*)(_t93 + 0x18)) >= 0) goto 0x3b2449a4;
				_t66 =  *((intOrPtr*)(_t93 + 0x10));
				if ( *((intOrPtr*)(_t66 + _t92 * 8)) != 0) goto 0x3b244a05;
				goto 0x3b2449a6;
				if ( *((char*)(_t93 + 0x24)) == 0) goto 0x3b2449bf;
				E00007FF67FF63B2476C4(_t34);
				if (_t92 -  *((intOrPtr*)(_t66 + 0x18)) >= 0) goto 0x3b2449c4;
				_t67 =  *((intOrPtr*)(_t66 + 0x10));
				if ( *((intOrPtr*)(_t67 + _t92 * 8)) != 0) goto 0x3b244a05;
				if (_t94 == 0) goto 0x3b2449ce;
				goto 0x3b244a05;
				E00007FF67FF63B242E90(_t67, _t94,  &_a24,  &_v56, _t93);
				if (_t67 == 0xffffffff) goto 0x3b244a5a;
				_t74 = _a24;
				_a24 = _t74;
				E00007FF67FF63B24768C(_t67, _t74);
				_t38 =  *((intOrPtr*)( *_t74 + 8))();
				 *0x3b27ca28 = _t74;
				E00007FF67FF63B245D54(_t38,  &_a16);
				_t69 =  *_t74;
				_t40 =  *((intOrPtr*)(_t69 + 0x40))();
				 *((intOrPtr*)( *_t93 + 0x10))();
				if (_t69 == 0) goto 0x3b244a39;
				 *((intOrPtr*)( *_t69))();
				E00007FF67FF63B245160(_t40 & 0xff, _t97);
				return E00007FF67FF63B245070(_t74, _t97);
			}

0x7ff63b24490b
0x7ff63b24491a
0x7ff63b24491e
0x7ff63b244923
0x7ff63b244929
0x7ff63b244934
0x7ff63b24493a
0x7ff63b244941
0x7ff63b244946
0x7ff63b244950
0x7ff63b244959
0x7ff63b24495e
0x7ff63b244965
0x7ff63b244967
0x7ff63b24496f
0x7ff63b244977
0x7ff63b244983
0x7ff63b244988
0x7ff63b244993
0x7ff63b244995
0x7ff63b2449a0
0x7ff63b2449a2
0x7ff63b2449aa
0x7ff63b2449ac
0x7ff63b2449b5
0x7ff63b2449b7
0x7ff63b2449c2
0x7ff63b2449c7
0x7ff63b2449cc
0x7ff63b2449d8
0x7ff63b2449e1
0x7ff63b2449e3
0x7ff63b2449e8
0x7ff63b2449f0
0x7ff63b2449fb
0x7ff63b2449fe
0x7ff63b244a0a
0x7ff63b244a0f
0x7ff63b244a17
0x7ff63b244a23
0x7ff63b244a29
0x7ff63b244a36
0x7ff63b244a3f
0x7ff63b244a59

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00007FF63B244934
std::_Lockit::_Lockit.LIBCPMT ref: 00007FF63B244959
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF63B244983
std::_Facet_Register.LIBCPMT ref: 00007FF63B2449F0
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF63B244A0A
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF63B244A5A

Strings

ios_base::badbit set, xrefs: 00007FF63B244900

Memory Dump Source

Source File: 00000000.00000002.556808357.00007FF63B241000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF63B240000, based on PE: true

Associated: 00000000.00000002.556798378.00007FF63B240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.556881205.00007FF63B27C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.556890864.00007FF63B27F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.556890864.00007FF63B284000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.557189912.00007FF63B32C000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.557371250.00007FF63B3E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.557378386.00007FF63B3E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63b240000_1q3HnZAcnJ.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
String ID: ios_base::badbit set
API String ID: 2081738530-3882152299
Opcode ID: 0dbcd14b6e3bfd6926bb507d78e223fd507ed51af4fe736e95ca0b975ee04812
Instruction ID: 8d4ead27d99c2b3c1f475c83ba3af7d8437b3110ff231744e90e42b6851d2efc
Opcode Fuzzy Hash: 0dbcd14b6e3bfd6926bb507d78e223fd507ed51af4fe736e95ca0b975ee04812
Instruction Fuzzy Hash: F0419122A08A5285EB10DF16E6651B967A0FB8CB90F184332DADD83BB5DF3CE445E704

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF63B245300 Relevance: 9.1, APIs: 6, Instructions: 104
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E00007FF67FF63B245300(signed int __edx, void* __rcx, long long _a8, char _a24, void* _a32) {
				long long _v48;
				char _v56;
				void* __rbx;
				void* __rsi;
				intOrPtr _t29;
				void* _t32;
				void* _t36;
				signed char _t38;
				void* _t50;
				intOrPtr _t60;
				intOrPtr _t61;
				intOrPtr _t62;
				intOrPtr* _t64;
				intOrPtr* _t68;
				intOrPtr _t83;
				signed long long _t84;
				intOrPtr* _t85;
				long long _t86;

				r14d = __edx & 0x000000ff;
				_t85 =  *((intOrPtr*)( *((intOrPtr*)(__rcx + 0x40)) + 8));
				_v48 = _t85;
				_t60 =  *_t85;
				 *((intOrPtr*)(_t60 + 8))();
				E00007FF67FF63B245CDC(0,  &_a24);
				_t86 =  *0x3b27ca28; // 0x191eb54e1b0
				_a32 = _t86;
				_t83 =  *0x3b27b498; // 0x1
				if (_t83 != 0) goto 0x3b245388;
				E00007FF67FF63B245CDC(0,  &_a8);
				_t50 =  *0x3b27b498 - _t83; // 0x1
				if (_t50 != 0) goto 0x3b245377;
				_t29 =  *0x3b27b480; // 0x1
				 *0x3b27b480 = _t29 + 1;
				 *0x3b27b498 = _t60;
				_t32 = E00007FF67FF63B245D54(_t60,  &_a8);
				_t84 =  *0x3b27b498; // 0x1
				if (_t84 -  *((intOrPtr*)(_t85 + 0x18)) >= 0) goto 0x3b24539d;
				_t61 =  *((intOrPtr*)(_t85 + 0x10));
				if ( *((intOrPtr*)(_t61 + _t84 * 8)) != 0) goto 0x3b2453fe;
				goto 0x3b24539f;
				if ( *((char*)(_t85 + 0x24)) == 0) goto 0x3b2453b8;
				E00007FF67FF63B2476C4(_t32);
				if (_t84 -  *((intOrPtr*)(_t61 + 0x18)) >= 0) goto 0x3b2453bd;
				_t62 =  *((intOrPtr*)(_t61 + 0x10));
				if ( *((intOrPtr*)(_t62 + _t84 * 8)) != 0) goto 0x3b2453fe;
				if (_t86 == 0) goto 0x3b2453c7;
				goto 0x3b2453fe;
				E00007FF67FF63B242E90(_t62, _t86,  &_a32,  &_v56, _t85);
				if (_t62 == 0xffffffff) goto 0x3b245442;
				_t68 = _a32;
				_a8 = _t68;
				E00007FF67FF63B24768C(_t62, _t68);
				_t36 =  *((intOrPtr*)( *_t68 + 8))();
				 *0x3b27ca28 = _t68;
				E00007FF67FF63B245D54(_t36,  &_a24);
				_t64 =  *_t68;
				_t38 =  *((intOrPtr*)(_t64 + 0x40))();
				 *((intOrPtr*)( *_t85 + 0x10))();
				if (_t64 == 0) goto 0x3b245434;
				 *((intOrPtr*)( *_t64))();
				return _t38 & 0xff;
			}

0x7ff63b24530b
0x7ff63b245313
0x7ff63b245317
0x7ff63b24531c
0x7ff63b245322
0x7ff63b24532d
0x7ff63b245333
0x7ff63b24533a
0x7ff63b24533f
0x7ff63b245349
0x7ff63b245352
0x7ff63b245357
0x7ff63b24535e
0x7ff63b245360
0x7ff63b245368
0x7ff63b245370
0x7ff63b24537c
0x7ff63b245381
0x7ff63b24538c
0x7ff63b24538e
0x7ff63b245399
0x7ff63b24539b
0x7ff63b2453a3
0x7ff63b2453a5
0x7ff63b2453ae
0x7ff63b2453b0
0x7ff63b2453bb
0x7ff63b2453c0
0x7ff63b2453c5
0x7ff63b2453d1
0x7ff63b2453da
0x7ff63b2453dc
0x7ff63b2453e1
0x7ff63b2453e9
0x7ff63b2453f4
0x7ff63b2453f7
0x7ff63b245403
0x7ff63b245408
0x7ff63b245412
0x7ff63b24541e
0x7ff63b245424
0x7ff63b245431
0x7ff63b245441

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00007FF63B24532D
std::_Lockit::_Lockit.LIBCPMT ref: 00007FF63B245352
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF63B24537C
std::_Facet_Register.LIBCPMT ref: 00007FF63B2453E9
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF63B245403
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF63B245442

Memory Dump Source

Source File: 00000000.00000002.556808357.00007FF63B241000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF63B240000, based on PE: true

Associated: 00000000.00000002.556798378.00007FF63B240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.556881205.00007FF63B27C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.556890864.00007FF63B27F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.556890864.00007FF63B284000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.557189912.00007FF63B32C000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.557371250.00007FF63B3E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.557378386.00007FF63B3E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63b240000_1q3HnZAcnJ.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
String ID:
API String ID: 2081738530-0
Opcode ID: 47644c1624d2d1bfe2ea937ef0be88a04143994f04022e9ed414480c2b0cc4e9
Instruction ID: 87ad5c46ad36c77619fdd853fbec5f30ead217fc60f5ade8604458193a24ab1b
Opcode Fuzzy Hash: 47644c1624d2d1bfe2ea937ef0be88a04143994f04022e9ed414480c2b0cc4e9
Instruction Fuzzy Hash: 6B41A222A09A4185EA119F25E6551B967A0FB9CB90F180232EACE83BB5DF7CE445E700

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF63B245EC8 Relevance: 9.1, APIs: 6, Instructions: 75
COMMON

Download Yara Rule

C-Code - Quality: 73%

			E00007FF67FF63B245EC8(intOrPtr __rax, long long __rbx, void* __rcx, long long _a8, char _a16, void* _a24, long long _a32) {
				void* __rsi;
				void* __rbp;
				intOrPtr _t24;
				void* _t27;
				void* _t30;
				void* _t35;
				void* _t37;
				intOrPtr _t45;
				intOrPtr _t46;
				intOrPtr _t47;
				long long _t54;
				long long _t60;
				intOrPtr _t67;
				signed long long _t68;
				long long _t69;
				void* _t70;

				_t45 = __rax;
				_a32 = __rbx;
				_t70 = __rcx;
				E00007FF67FF63B245CDC(0,  &_a16);
				_t69 =  *0x3b27b478; // 0x0
				_a24 = _t69;
				_t67 =  *0x3b27b468; // 0x0
				if (_t67 != 0) goto 0x3b245f39;
				E00007FF67FF63B245CDC(0,  &_a8);
				_t37 =  *0x3b27b468 - _t67; // 0x0
				if (_t37 != 0) goto 0x3b245f28;
				_t24 =  *0x3b27b480; // 0x1
				 *0x3b27b480 = _t24 + 1;
				 *0x3b27b468 = _t45;
				_t27 = E00007FF67FF63B245D54(_t45,  &_a8);
				_t68 =  *0x3b27b468; // 0x0
				_t60 = _a8;
				if (_t68 -  *((intOrPtr*)(_t60 + 0x18)) >= 0) goto 0x3b245f52;
				_t46 =  *((intOrPtr*)(_t60 + 0x10));
				if ( *((intOrPtr*)(_t46 + _t68 * 8)) != 0) goto 0x3b245fb8;
				goto 0x3b245f54;
				if ( *((char*)(_t60 + 0x24)) == 0) goto 0x3b245f6d;
				E00007FF67FF63B2476C4(_t27);
				if (_t68 -  *((intOrPtr*)(_t46 + 0x18)) >= 0) goto 0x3b245f72;
				_t47 =  *((intOrPtr*)(_t46 + 0x10));
				if ( *((intOrPtr*)(_t47 + _t68 * 8)) != 0) goto 0x3b245fb8;
				if (_t69 == 0) goto 0x3b245f7c;
				goto 0x3b245fb8;
				E00007FF67FF63B2464D8(0, _t35, _t47, _t69,  &_a24, _t70, _t69, _t70);
				if (_t47 == 0xffffffff) goto 0x3b245fd2;
				_t54 = _a24;
				_a8 = _t54;
				_t30 = E00007FF67FF63B24768C(_t47, _t54);
				E00007FF67FF63B265310();
				 *0x3b27b478 = _t54;
				return E00007FF67FF63B245D54(_t30,  &_a16);
			}

0x7ff63b245ec8
0x7ff63b245ec8
0x7ff63b245ed4
0x7ff63b245ede
0x7ff63b245ee4
0x7ff63b245eeb
0x7ff63b245ef0
0x7ff63b245efa
0x7ff63b245f03
0x7ff63b245f08
0x7ff63b245f0f
0x7ff63b245f11
0x7ff63b245f19
0x7ff63b245f21
0x7ff63b245f2d
0x7ff63b245f32
0x7ff63b245f39
0x7ff63b245f41
0x7ff63b245f43
0x7ff63b245f4e
0x7ff63b245f50
0x7ff63b245f58
0x7ff63b245f5a
0x7ff63b245f63
0x7ff63b245f65
0x7ff63b245f70
0x7ff63b245f75
0x7ff63b245f7a
0x7ff63b245f84
0x7ff63b245f8d
0x7ff63b245f8f
0x7ff63b245f94
0x7ff63b245f9c
0x7ff63b245fab
0x7ff63b245fb1
0x7ff63b245fd1

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00007FF63B245EDE
std::_Lockit::_Lockit.LIBCPMT ref: 00007FF63B245F03
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF63B245F2D
std::_Facet_Register.LIBCPMT ref: 00007FF63B245F9C
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF63B245FBD
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF63B245FD2

Memory Dump Source

Source File: 00000000.00000002.556808357.00007FF63B241000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF63B240000, based on PE: true

Associated: 00000000.00000002.556798378.00007FF63B240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.556881205.00007FF63B27C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.556890864.00007FF63B27F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.556890864.00007FF63B284000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.557189912.00007FF63B32C000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.557371250.00007FF63B3E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.557378386.00007FF63B3E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63b240000_1q3HnZAcnJ.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
String ID:
API String ID: 2081738530-0
Opcode ID: c80bbe650ee4fff30e803fae2b71c1545041e252fb9885c5e531d81fa604436f
Instruction ID: 55867334d99c3933f3e2184b4c85ba93e5c5500142e48bfeb573a0ef607da6b2
Opcode Fuzzy Hash: c80bbe650ee4fff30e803fae2b71c1545041e252fb9885c5e531d81fa604436f
Instruction Fuzzy Hash: B831B221A08A4289EB119B15E6640B96360FF9DB94F180332EEDD87BF6DF7CE445E300

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF63B24BD5C Relevance: 9.1, APIs: 2, Strings: 3, Instructions: 317
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 72%

			E00007FF67FF63B24BD5C(void* __ecx, intOrPtr* __rcx, long long __rdx, void* __r8, void* __r9) {
				void* __rbx;
				void* __rdi;
				void* __rsi;
				void* __rbp;
				void* _t157;
				intOrPtr _t158;
				intOrPtr _t160;
				void* _t179;
				intOrPtr _t195;
				intOrPtr _t200;
				void* _t201;
				signed long long _t239;
				signed long long _t240;
				signed char _t241;
				intOrPtr* _t243;
				long long _t245;
				long long _t253;
				intOrPtr* _t255;
				signed char* _t257;
				intOrPtr* _t269;
				void* _t290;
				void* _t291;
				void* _t292;
				void* _t293;
				signed long long _t294;
				long long _t303;
				long long _t304;
				intOrPtr* _t305;
				long long _t313;
				signed char* _t316;
				intOrPtr _t321;

				_t292 = _t293 - 0x88;
				_t294 = _t293 - 0x188;
				_t239 =  *0x3b27a028; // 0x7f80d271952
				_t240 = _t239 ^ _t294;
				 *(_t292 + 0x70) = _t240;
				_t316 =  *((intOrPtr*)(_t292 + 0xf0));
				 *((long long*)(_t294 + 0x78)) = __rdx;
				_t257 = _t316;
				 *((long long*)(_t292 - 0x60)) =  *((intOrPtr*)(_t292 + 0x108));
				_t291 = __r9;
				 *((char*)(_t294 + 0x60)) = 0;
				E00007FF67FF63B24B00C(_t257, __r9, __r9);
				if ( *((intOrPtr*)(__r9 + 0x48)) == 0) goto 0x3b24bdd8;
				E00007FF67FF63B24ADD0(_t240);
				if ( *((intOrPtr*)(_t240 + 0x78)) != 0xfffffffe) goto 0x3b24c251;
				goto 0x3b24bdf7;
				E00007FF67FF63B24ADD0(_t240);
				if ( *((intOrPtr*)(_t240 + 0x78)) == 0xfffffffe) goto 0x3b24bdf7;
				E00007FF67FF63B24ADD0(_t240);
				_t200 =  *((intOrPtr*)(_t240 + 0x78));
				E00007FF67FF63B24ADD0(_t240);
				 *((intOrPtr*)(_t240 + 0x78)) = 0xfffffffe;
				if (_t200 - 0xffffffff < 0) goto 0x3b24c251;
				if (_t316[8] == 0) goto 0x3b24be37;
				_t241 = _t257[0x7ff63b266810];
				goto 0x3b24be39;
				if (_t200 >= 0) goto 0x3b24c251;
				if ( *__rcx != 0xe06d7363) goto 0x3b24bf11;
				if ( *((intOrPtr*)(__rcx + 0x18)) != 4) goto 0x3b24bf11;
				if ( *((intOrPtr*)(__rcx + 0x20)) - 0x19930520 - 2 > 0) goto 0x3b24bf11;
				if ( *((long long*)(__rcx + 0x30)) != 0) goto 0x3b24bf11;
				E00007FF67FF63B24ADD0(_t241);
				if ( *((long long*)(_t241 + 0x20)) == 0) goto 0x3b24c1ef;
				E00007FF67FF63B24ADD0(_t241);
				_t255 =  *((intOrPtr*)(_t241 + 0x20));
				E00007FF67FF63B24ADD0(_t241);
				 *((char*)(_t294 + 0x60)) = 1;
				E00007FF67FF63B249D08(_t241,  *((intOrPtr*)(_t255 + 0x38)));
				if ( *_t255 != 0xe06d7363) goto 0x3b24bec9;
				if ( *((intOrPtr*)(_t255 + 0x18)) != 4) goto 0x3b24bec9;
				if ( *((intOrPtr*)(_t255 + 0x20)) - 0x19930520 - 2 > 0) goto 0x3b24bec9;
				if ( *((long long*)(_t255 + 0x30)) == 0) goto 0x3b24c251;
				E00007FF67FF63B24ADD0(_t241);
				if ( *(_t241 + 0x38) == 0) goto 0x3b24bf11;
				E00007FF67FF63B24ADD0(_t241);
				E00007FF67FF63B24ADD0(_t241);
				 *(_t241 + 0x38) =  *(_t241 + 0x38) & 0x00000000;
				if (E00007FF67FF63B24DBE8(_t241, _t255, _t255,  *(_t241 + 0x38), __r9) != 0) goto 0x3b24bf0c;
				if (E00007FF67FF63B24DCD8(_t241, _t255,  *(_t241 + 0x38), __r9, _t292) == 0) goto 0x3b24c233;
				goto 0x3b24c20f;
				E00007FF67FF63B24CF2C(_t292 - 0x10, _t316,  *((intOrPtr*)(__r9 + 8)));
				if ( *_t255 != 0xe06d7363) goto 0x3b24c1a7;
				if ( *((intOrPtr*)(_t255 + 0x18)) != 4) goto 0x3b24c1a7;
				if ( *((intOrPtr*)(_t255 + 0x20)) - 0x19930520 - 2 > 0) goto 0x3b24c1a7;
				if ( *((intOrPtr*)(_t292 - 0x10)) <= 0) goto 0x3b24c18c;
				 *((intOrPtr*)(_t294 + 0x28)) =  *((intOrPtr*)(_t292 + 0x100));
				 *(_t294 + 0x20) = _t316;
				r8d = _t200;
				_t157 = E00007FF67FF63B2496EC(_t255, _t292 - 0x58, _t292 - 0x10, _t290, _t291, _t292);
				asm("movups xmm0, [ebp-0x58]");
				asm("movdqu [ebp-0x78], xmm0");
				asm("psrldq xmm0, 0x8");
				asm("movd eax, xmm0");
				if (_t157 -  *((intOrPtr*)(_t292 - 0x40)) >= 0) goto 0x3b24c18c;
				_t158 =  *((intOrPtr*)(_t292 - 0x70));
				 *((long long*)(_t292 - 0x80)) =  *((intOrPtr*)(_t292 - 0x58));
				 *((intOrPtr*)(_t294 + 0x68)) = _t158;
				asm("inc ecx");
				asm("dec ax");
				asm("movups [ebp-0x78], xmm0");
				if (_t158 - _t200 > 0) goto 0x3b24c0e7;
				if (_t200 - _t158 > 0) goto 0x3b24c0e7;
				_t243 =  *((intOrPtr*)(_t291 + 0x10));
				r9d =  *_t243;
				E00007FF67FF63B24CEB0(_t243, _t292 + 0x20, _t292 - 0x78,  *((intOrPtr*)(_t291 + 8)));
				_t160 =  *((intOrPtr*)(_t292 + 0x20));
				r12d = 0;
				 *((intOrPtr*)(_t294 + 0x64)) = r12d;
				 *((intOrPtr*)(_t294 + 0x6c)) = _t160;
				if (_t160 == 0) goto 0x3b24c0e7;
				asm("movups xmm0, [ebp+0x38]");
				asm("movups xmm1, [ebp+0x48]");
				asm("movups [ebp-0x38], xmm0");
				asm("movsd xmm0, [ebp+0x58]");
				asm("movsd [ebp-0x18], xmm0");
				asm("movups [ebp-0x28], xmm1");
				E00007FF67FF63B249CDC(_t243);
				_t245 = _t243 + 4 +  *((intOrPtr*)( *((intOrPtr*)(_t255 + 0x30)) + 0xc));
				 *((long long*)(_t294 + 0x70)) = _t245;
				E00007FF67FF63B249CDC(_t245);
				r15d =  *((intOrPtr*)(_t245 +  *((intOrPtr*)( *((intOrPtr*)(_t255 + 0x30)) + 0xc))));
				if (r15d <= 0) goto 0x3b24c072;
				E00007FF67FF63B249CDC(_t245);
				_t313 = _t245 +  *((intOrPtr*)( *((intOrPtr*)(_t294 + 0x70))));
				if (E00007FF67FF63B24C8A0(_t201, _t255, _t292 - 0x38, _t313, _t290, _t291,  *((intOrPtr*)(_t255 + 0x30))) != 0) goto 0x3b24c08f;
				 *((long long*)(_t294 + 0x70)) =  *((long long*)(_t294 + 0x70)) + 4;
				r15d = r15d - 1;
				if (r15d > 0) goto 0x3b24c038;
				r12d =  *((intOrPtr*)(_t294 + 0x64));
				E00007FF67FF63B24D49C( *((intOrPtr*)(_t294 + 0x70)), _t292 + 0x20);
				r12d = r12d + 1;
				 *((intOrPtr*)(_t294 + 0x64)) = r12d;
				if (r12d ==  *((intOrPtr*)(_t294 + 0x6c))) goto 0x3b24c0e3;
				goto 0x3b24bfef;
				 *((char*)(_t294 + 0x58)) =  *((intOrPtr*)(_t292 + 0xf8));
				_t269 = _t255;
				 *((char*)(_t294 + 0x50)) =  *((intOrPtr*)(_t294 + 0x60));
				 *((long long*)(_t294 + 0x48)) =  *((intOrPtr*)(_t292 - 0x60));
				 *((intOrPtr*)(_t294 + 0x40)) =  *((intOrPtr*)(_t292 + 0x100));
				 *((long long*)(_t294 + 0x38)) = _t292 - 0x78;
				 *((long long*)(_t294 + 0x30)) = _t313;
				 *((long long*)(_t294 + 0x28)) = _t292 - 0x38;
				 *(_t294 + 0x20) = _t316;
				E00007FF67FF63B24B7C0(_t257[0x7ff63b266820], _t255, _t269,  *((intOrPtr*)(_t294 + 0x78)),  *((intOrPtr*)(_t241 + 0x28)), _t291);
				_t321 =  *((intOrPtr*)(_t292 - 0x80));
				_t303 =  *((intOrPtr*)(_t321 + 8)) -  *((char*)(_t269 + 0x7ff63b266810));
				 *((long long*)(_t321 + 8)) = _t303;
				 *(_t321 + 0x18) =  *(_t303 - 4) >>  *(_t269 + 0x7ff63b266820);
				_t304 = _t303 -  *((char*)(_t269 + 0x7ff63b266810));
				 *((long long*)(_t321 + 8)) = _t304;
				 *(_t321 + 0x1c) =  *(_t304 - 4) >>  *(_t269 + 0x7ff63b266820);
				_t305 = _t304 -  *((char*)(_t269 + 0x7ff63b266810));
				 *(_t321 + 0x20) =  *(_t305 - 4) >>  *(_t269 + 0x7ff63b266820);
				_t195 =  *((intOrPtr*)(_t294 + 0x68)) + 1;
				 *((long long*)(_t321 + 8)) = _t305;
				_t116 = _t305 + 4; // 0x4
				_t253 = _t116;
				 *((long long*)(_t321 + 8)) = _t253;
				 *((intOrPtr*)(_t321 + 0x24)) =  *_t305;
				 *((intOrPtr*)(_t294 + 0x68)) = _t195;
				if (_t195 -  *((intOrPtr*)(_t292 - 0x40)) < 0) goto 0x3b24bf9e;
				if (( *_t316 & 0x00000040) == 0) goto 0x3b24c1e3;
				if (E00007FF67FF63B24941C(_t316) == 0) goto 0x3b24c239;
				goto 0x3b24c1e3;
				if ( *((intOrPtr*)(_t292 - 0x10)) <= 0) goto 0x3b24c1e3;
				if ( *((char*)(_t292 + 0xf8)) != 0) goto 0x3b24c251;
				 *((long long*)(_t294 + 0x38)) = _t313;
				 *((intOrPtr*)(_t294 + 0x30)) =  *((intOrPtr*)(_t292 + 0x100));
				 *((intOrPtr*)(_t294 + 0x28)) = _t200;
				 *(_t294 + 0x20) = _t316;
				E00007FF67FF63B24C470( *_t305, _t255, _t321,  *((intOrPtr*)(_t241 + 0x28)), _t291);
				_t179 = E00007FF67FF63B24ADD0(_t253);
				if ( *((long long*)(_t253 + 0x38)) != 0) goto 0x3b24c251;
				return E00007FF67FF63B248930(_t179, _t195,  *(_t292 + 0x70) ^ _t294);
			}

0x7ff63b24bd69
0x7ff63b24bd71
0x7ff63b24bd78
0x7ff63b24bd7f
0x7ff63b24bd82
0x7ff63b24bd86
0x7ff63b24bd9a
0x7ff63b24bd9f
0x7ff63b24bda5
0x7ff63b24bda9
0x7ff63b24bdac
0x7ff63b24bdb4
0x7ff63b24bdbf
0x7ff63b24bdc1
0x7ff63b24bdca
0x7ff63b24bdd6
0x7ff63b24bdd8
0x7ff63b24bde1
0x7ff63b24bde3
0x7ff63b24bde8
0x7ff63b24bdeb
0x7ff63b24bdf0
0x7ff63b24bdfa
0x7ff63b24be0c
0x7ff63b24be1c
0x7ff63b24be35
0x7ff63b24be3b
0x7ff63b24be47
0x7ff63b24be51
0x7ff63b24be62
0x7ff63b24be6d
0x7ff63b24be73
0x7ff63b24be7d
0x7ff63b24be83
0x7ff63b24be88
0x7ff63b24be8c
0x7ff63b24be95
0x7ff63b24be9e
0x7ff63b24bea9
0x7ff63b24beaf
0x7ff63b24bebc
0x7ff63b24bec3
0x7ff63b24bec9
0x7ff63b24bed3
0x7ff63b24bed5
0x7ff63b24bede
0x7ff63b24bee9
0x7ff63b24bef5
0x7ff63b24bf01
0x7ff63b24bf07
0x7ff63b24bf1c
0x7ff63b24bf27
0x7ff63b24bf31
0x7ff63b24bf42
0x7ff63b24bf4c
0x7ff63b24bf5c
0x7ff63b24bf67
0x7ff63b24bf6c
0x7ff63b24bf6f
0x7ff63b24bf74
0x7ff63b24bf78
0x7ff63b24bf7d
0x7ff63b24bf82
0x7ff63b24bf89
0x7ff63b24bf93
0x7ff63b24bf96
0x7ff63b24bf9a
0x7ff63b24bf9e
0x7ff63b24bfa3
0x7ff63b24bfa8
0x7ff63b24bfae
0x7ff63b24bfba
0x7ff63b24bfc0
0x7ff63b24bfd0
0x7ff63b24bfd3
0x7ff63b24bfd8
0x7ff63b24bfdb
0x7ff63b24bfde
0x7ff63b24bfe3
0x7ff63b24bfe9
0x7ff63b24bfef
0x7ff63b24bff3
0x7ff63b24bff7
0x7ff63b24bffb
0x7ff63b24c000
0x7ff63b24c005
0x7ff63b24c009
0x7ff63b24c01a
0x7ff63b24c01d
0x7ff63b24c022
0x7ff63b24c02f
0x7ff63b24c036
0x7ff63b24c038
0x7ff63b24c04c
0x7ff63b24c05d
0x7ff63b24c05f
0x7ff63b24c065
0x7ff63b24c06b
0x7ff63b24c06d
0x7ff63b24c076
0x7ff63b24c07b
0x7ff63b24c07e
0x7ff63b24c088
0x7ff63b24c08a
0x7ff63b24c0a0
0x7ff63b24c0a4
0x7ff63b24c0ab
0x7ff63b24c0b3
0x7ff63b24c0be
0x7ff63b24c0c6
0x7ff63b24c0cf
0x7ff63b24c0d4
0x7ff63b24c0d9
0x7ff63b24c0de
0x7ff63b24c0e3
0x7ff63b24c109
0x7ff63b24c112
0x7ff63b24c116
0x7ff63b24c131
0x7ff63b24c13a
0x7ff63b24c13e
0x7ff63b24c159
0x7ff63b24c166
0x7ff63b24c16a
0x7ff63b24c16c
0x7ff63b24c170
0x7ff63b24c170
0x7ff63b24c177
0x7ff63b24c17b
0x7ff63b24c17f
0x7ff63b24c186
0x7ff63b24c190
0x7ff63b24c19f
0x7ff63b24c1a5
0x7ff63b24c1ab
0x7ff63b24c1b4
0x7ff63b24c1c3
0x7ff63b24c1cb
0x7ff63b24c1d2
0x7ff63b24c1d9
0x7ff63b24c1de
0x7ff63b24c1e3
0x7ff63b24c1ed
0x7ff63b24c20e

APIs

Is_bad_exception_allowed.LIBVCRUNTIME ref: 00007FF63B24BEFA
std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF63B24C21D

Strings

csm, xrefs: 00007FF63B24BF21
csm, xrefs: 00007FF63B24BE41
csm, xrefs: 00007FF63B24BEA3

Memory Dump Source

Source File: 00000000.00000002.556808357.00007FF63B241000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF63B240000, based on PE: true

Associated: 00000000.00000002.556798378.00007FF63B240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.556881205.00007FF63B27C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.556890864.00007FF63B27F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.556890864.00007FF63B284000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.557189912.00007FF63B32C000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.557371250.00007FF63B3E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.557378386.00007FF63B3E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63b240000_1q3HnZAcnJ.jbxd

Similarity

API ID: Is_bad_exception_allowedstd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 3523768491-393685449
Opcode ID: 4c470496aee4a7f777d327cae03a896d6ddd3aeb43af27f4732cb54813788a32
Instruction ID: 602dfe9ee92670b4cf74254acd05276a8b4c04dd1875f5071e755d227d6b2f2d
Opcode Fuzzy Hash: 4c470496aee4a7f777d327cae03a896d6ddd3aeb43af27f4732cb54813788a32
Instruction Fuzzy Hash: 85E1B072A086828AE7109F79D5842BD37A0FB49748F114335EECD97BA6DF38E581E700

Uniqueness

Uniqueness Score: -1.00%

Function 00000191ECDF4538 Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 230COMMONLIBRARYCODE

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00000191ECDF4560
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 00000191ECDF4648
__std_exception_copy.LIBVCRUNTIME ref: 00000191ECDF4794

Strings

csm, xrefs: 00000191ECDF469A
csm, xrefs: 00000191ECDF4582

Memory Dump Source

Source File: 00000000.00000002.556733649.00000191ECDF1000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000191ECDF1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_191ecdf1000_1q3HnZAcnJ.jbxd

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record__std_exception_copy
String ID: csm$csm
API String ID: 851805269-3733052814
Opcode ID: adc472149e4e56186bc450ed1a3872d1f0fcfeb392c61f80b6798e54dbfd64c6
Instruction ID: d31d7a193002a7625435d938006bc52bce6e7ac21f8308ac5fa5126d679ed699
Opcode Fuzzy Hash: adc472149e4e56186bc450ed1a3872d1f0fcfeb392c61f80b6798e54dbfd64c6
Instruction Fuzzy Hash: 12817430D04A8B9FEB76EF1888A47A573D1FB54311F54465ADC49C7692CB7198C0CBC1

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF63B242E90 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 114
COMMON

Download Yara Rule

C-Code - Quality: 49%

			E00007FF67FF63B242E90(long long __rax, long long __rbx, long long* __rcx, void* __rdx, long long __rsi) {
				void* _t51;
				intOrPtr _t76;
				long long* _t91;
				long long _t94;
				void* _t97;
				void* _t99;
				void* _t102;
				long long _t104;

				_t67 = __rax;
				 *((long long*)(_t99 + 0x10)) = __rbx;
				 *((long long*)(_t99 + 0x18)) = __rsi;
				_push(_t104);
				_t97 = _t99 - 0x47;
				_t91 = __rcx;
				if (__rcx == 0) goto 0x3b242ff2;
				if ( *__rcx != 0) goto 0x3b242ff2;
				E00007FF67FF63B248310(__rax, __rcx);
				_t94 = __rax;
				 *((long long*)(_t97 + 0x67)) = __rax;
				_t76 =  *((intOrPtr*)(__rdx + 8));
				if (_t76 == 0) goto 0x3b242eec;
				if ( *((intOrPtr*)(_t76 + 0x28)) != 0) goto 0x3b242ef3;
				goto 0x3b242ef3;
				E00007FF67FF63B245CDC(0, _t97 - 0x49);
				r14d = 0;
				 *((long long*)(_t97 - 0x41)) = _t104;
				 *((intOrPtr*)(_t97 - 0x39)) = r14b;
				 *((long long*)(_t97 - 0x31)) = _t104;
				 *((intOrPtr*)(_t97 - 0x29)) = r14b;
				 *((long long*)(_t97 - 0x21)) = _t104;
				 *((intOrPtr*)(_t97 - 0x19)) = r14w;
				 *((long long*)(_t97 - 0x11)) = _t104;
				 *((intOrPtr*)(_t97 - 9)) = r14w;
				 *((long long*)(_t97 - 1)) = _t104;
				 *((intOrPtr*)(_t97 + 7)) = r14b;
				 *((long long*)(_t97 + 0xf)) = _t104;
				 *((intOrPtr*)(_t97 + 0x17)) = r14b;
				if (0x3b275747 == 0) goto 0x3b24300f;
				E00007FF67FF63B247840(_t67, 0x3b275747, _t97 - 0x49, 0x3b275747);
				 *((intOrPtr*)(_t94 + 8)) = r14d;
				 *_t94 = 0x3b265580;
				E00007FF67FF63B247AD0(0x3b265580, _t97 + 0x1f, 0x3b275747, _t102);
				asm("movups xmm0, [eax]");
				asm("movups [esi+0x10], xmm0");
				asm("movups xmm1, [eax+0x10]");
				asm("movups [esi+0x20], xmm1");
				 *_t91 = _t94;
				E00007FF67FF63B2478AC(_t97 - 0x49);
				if ( *((intOrPtr*)(_t97 + 0xf)) == 0) goto 0x3b242f8a;
				E00007FF67FF63B24E734();
				 *((long long*)(_t97 + 0xf)) = _t104;
				if ( *((intOrPtr*)(_t97 - 1)) == 0) goto 0x3b242f9c;
				E00007FF67FF63B24E734();
				 *((long long*)(_t97 - 1)) = _t104;
				if ( *((intOrPtr*)(_t97 - 0x11)) == 0) goto 0x3b242fae;
				E00007FF67FF63B24E734();
				 *((long long*)(_t97 - 0x11)) = _t104;
				if ( *((intOrPtr*)(_t97 - 0x21)) == 0) goto 0x3b242fc0;
				E00007FF67FF63B24E734();
				 *((long long*)(_t97 - 0x21)) = _t104;
				if ( *((intOrPtr*)(_t97 - 0x31)) == 0) goto 0x3b242fd2;
				E00007FF67FF63B24E734();
				 *((long long*)(_t97 - 0x31)) = _t104;
				if ( *((intOrPtr*)(_t97 - 0x41)) == 0) goto 0x3b242fe4;
				_t51 = E00007FF67FF63B24E734();
				 *((long long*)(_t97 - 0x41)) = _t104;
				E00007FF67FF63B245D54(_t51, _t97 - 0x49);
				return 2;
			}

0x7ff63b242e90
0x7ff63b242e90
0x7ff63b242e95
0x7ff63b242e9c
0x7ff63b242e9e
0x7ff63b242ead
0x7ff63b242eb3
0x7ff63b242ebd
0x7ff63b242ec8
0x7ff63b242ecd
0x7ff63b242ed0
0x7ff63b242ed4
0x7ff63b242edb
0x7ff63b242ee4
0x7ff63b242eea
0x7ff63b242ef9
0x7ff63b242eff
0x7ff63b242f02
0x7ff63b242f06
0x7ff63b242f0a
0x7ff63b242f0e
0x7ff63b242f12
0x7ff63b242f16
0x7ff63b242f1b
0x7ff63b242f1f
0x7ff63b242f24
0x7ff63b242f28
0x7ff63b242f2c
0x7ff63b242f30
0x7ff63b242f37
0x7ff63b242f44
0x7ff63b242f4a
0x7ff63b242f55
0x7ff63b242f5c
0x7ff63b242f61
0x7ff63b242f64
0x7ff63b242f68
0x7ff63b242f6c
0x7ff63b242f70
0x7ff63b242f77
0x7ff63b242f83
0x7ff63b242f85
0x7ff63b242f8a
0x7ff63b242f95
0x7ff63b242f97
0x7ff63b242f9c
0x7ff63b242fa7
0x7ff63b242fa9
0x7ff63b242fae
0x7ff63b242fb9
0x7ff63b242fbb
0x7ff63b242fc0
0x7ff63b242fcb
0x7ff63b242fcd
0x7ff63b242fd2
0x7ff63b242fdd
0x7ff63b242fdf
0x7ff63b242fe4
0x7ff63b242fec
0x7ff63b24300e

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00007FF63B242EF9
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00007FF63B242F44
_Getctype.LIBCPMT ref: 00007FF63B242F5C
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF63B242FEC

Strings

bad locale name, xrefs: 00007FF63B24300F

Memory Dump Source

Source File: 00000000.00000002.556808357.00007FF63B241000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF63B240000, based on PE: true

Associated: 00000000.00000002.556798378.00007FF63B240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.556881205.00007FF63B27C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.556890864.00007FF63B27F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.556890864.00007FF63B284000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.557189912.00007FF63B32C000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.557371250.00007FF63B3E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.557378386.00007FF63B3E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63b240000_1q3HnZAcnJ.jbxd

Similarity

API ID: std::_$Lockit$GetctypeLocinfo::_Locinfo_ctorLockit::_Lockit::~_
String ID: bad locale name
API String ID: 2967684691-1405518554
Opcode ID: 6075910705afd4b4ffb8bb803edd3eb62ca67f186e6cee4970a8d775000719d9
Instruction ID: 84d7e1b63e15517b2a6f6024552564d690b0eb778164cc35cb0cc8e0b595b63a
Opcode Fuzzy Hash: 6075910705afd4b4ffb8bb803edd3eb62ca67f186e6cee4970a8d775000719d9
Instruction Fuzzy Hash: DB415822F4AB8189FB14DBA1D5902BC23A4EF48744F444635DE8EA6F66DE38D516E304

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF63B24B164 Relevance: 7.8, APIs: 5, Instructions: 290
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 97%

			E00007FF67FF63B24B164(signed int __ecx, void* __rax, long long __rbx, void* __rcx, intOrPtr* __rdx, long long __rdi, long long __rsi, signed char* __r8, signed char* __r9, long long _a8, long long _a16, long long _a24) {
				intOrPtr _v40;
				void* _t38;
				void* _t40;
				void* _t83;
				long long _t87;
				long long _t99;
				long long* _t120;
				signed char* _t130;

				_t83 = __rax;
				_a8 = __rbx;
				_a16 = __rsi;
				_a24 = __rdi;
				_t130 = __r9;
				if (__r8[4] == 0) goto 0x3b24b1a0;
				E00007FF67FF63B249CC8(__rax);
				goto 0x3b24b1a6;
				r15d = 0;
				if (__rdi == 0) goto 0x3b24b326;
				if (r15d == 0) goto 0x3b24b1c5;
				_t38 = E00007FF67FF63B249CC8(_t83);
				goto 0x3b24b1c8;
				if ( *((intOrPtr*)(__rdi + 0x10)) == dil) goto 0x3b24b326;
				if (__r8[8] != 0) goto 0x3b24b1df;
				if ( *__r8 >= 0) goto 0x3b24b326;
				if ( *__r8 < 0) goto 0x3b24b1ed;
				_t120 = __r8[8] +  *__rdx;
				if (( *__r8 & 0x00000080) == 0) goto 0x3b24b224;
				if (( *__r9 & 0x00000010) == 0) goto 0x3b24b224;
				_t87 =  *0x3b27bd00; // 0x0
				if (_t87 == 0) goto 0x3b24b224;
				E00007FF67FF63B265310();
				if (_t87 == 0) goto 0x3b24b342;
				if (_t120 == 0) goto 0x3b24b342;
				 *_t120 = _t87;
				goto 0x3b24b283;
				if (( *__r8 & 0x00000008) == 0) goto 0x3b24b244;
				_t99 =  *((intOrPtr*)(__rcx + 0x28));
				if (_t99 == 0) goto 0x3b24b347;
				if (_t120 == 0) goto 0x3b24b347;
				 *_t120 = _t99;
				goto 0x3b24b283;
				if (( *__r9 & 0x00000001) == 0) goto 0x3b24b294;
				if ( *((intOrPtr*)(__rcx + 0x28)) == 0) goto 0x3b24b34c;
				if (_t120 == 0) goto 0x3b24b34c;
				E00007FF67FF63B24A180();
				if (__r9[0x14] != 8) goto 0x3b24b322;
				if ( *_t120 == __rdi) goto 0x3b24b322;
				E00007FF67FF63B249F0C(_t38,  *_t120,  &(__r9[8]));
				 *_t120 = _t87;
				goto 0x3b24b322;
				if ( *((intOrPtr*)(_t130 + 0x18)) == 0) goto 0x3b24b2a9;
				_t40 = E00007FF67FF63B249CDC(_t87);
				goto 0x3b24b2ae;
				if (__rdi != 0) goto 0x3b24b2e7;
				if ( *((intOrPtr*)(__rcx + 0x28)) == __rdi) goto 0x3b24b351;
				if (_t120 == 0) goto 0x3b24b351;
				E00007FF67FF63B249F0C(_t40,  *((intOrPtr*)(__rcx + 0x28)), _t130 + 8);
				E00007FF67FF63B24A180();
				goto 0x3b24b322;
				if ( *((intOrPtr*)(__rcx + 0x28)) == __rdi) goto 0x3b24b356;
				if (_t120 == 0) goto 0x3b24b356;
				if (0 == 0) goto 0x3b24b307;
				E00007FF67FF63B249CDC(_t87);
				goto 0x3b24b30a;
				if (__rdi == 0) goto 0x3b24b356;
				asm("sbb ecx, ecx");
				_v40 =  ~__ecx + 1;
				goto 0x3b24b328;
				return 0;
			}

0x7ff63b24b164
0x7ff63b24b164
0x7ff63b24b169
0x7ff63b24b16e
0x7ff63b24b17d
0x7ff63b24b18f
0x7ff63b24b195
0x7ff63b24b19e
0x7ff63b24b1a3
0x7ff63b24b1a9
0x7ff63b24b1b2
0x7ff63b24b1b4
0x7ff63b24b1c3
0x7ff63b24b1cc
0x7ff63b24b1d5
0x7ff63b24b1d9
0x7ff63b24b1e1
0x7ff63b24b1ea
0x7ff63b24b1f0
0x7ff63b24b1f6
0x7ff63b24b1f8
0x7ff63b24b202
0x7ff63b24b204
0x7ff63b24b20d
0x7ff63b24b216
0x7ff63b24b21c
0x7ff63b24b222
0x7ff63b24b227
0x7ff63b24b229
0x7ff63b24b230
0x7ff63b24b239
0x7ff63b24b23f
0x7ff63b24b242
0x7ff63b24b248
0x7ff63b24b251
0x7ff63b24b25a
0x7ff63b24b267
0x7ff63b24b271
0x7ff63b24b27a
0x7ff63b24b287
0x7ff63b24b28c
0x7ff63b24b28f
0x7ff63b24b298
0x7ff63b24b29e
0x7ff63b24b2a7
0x7ff63b24b2b1
0x7ff63b24b2b7
0x7ff63b24b2c0
0x7ff63b24b2d2
0x7ff63b24b2e0
0x7ff63b24b2e5
0x7ff63b24b2eb
0x7ff63b24b2f0
0x7ff63b24b2f4
0x7ff63b24b2f6
0x7ff63b24b305
0x7ff63b24b30d
0x7ff63b24b316
0x7ff63b24b31e
0x7ff63b24b324
0x7ff63b24b341

APIs

__AdjustPointer.LIBCMT ref: 00007FF63B24B287
__AdjustPointer.LIBCMT ref: 00007FF63B24B2D2

Memory Dump Source

Source File: 00000000.00000002.556808357.00007FF63B241000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF63B240000, based on PE: true

Associated: 00000000.00000002.556798378.00007FF63B240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.556881205.00007FF63B27C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.556890864.00007FF63B27F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.556890864.00007FF63B284000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.557189912.00007FF63B32C000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.557371250.00007FF63B3E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.557378386.00007FF63B3E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63b240000_1q3HnZAcnJ.jbxd

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: 0967c2bf1b9252b058520c34bc2232c91a9ba19197a4538d060f5cc1616786be
Instruction ID: 47abe985c2e579652e8ac6d1affb2719ea366ce0912290c23c73e8db7b42fa5d
Opcode Fuzzy Hash: 0967c2bf1b9252b058520c34bc2232c91a9ba19197a4538d060f5cc1616786be
Instruction Fuzzy Hash: 8BB1B521E0E64281EE65DB16968867D7790EF4CB84F098635EECD87FA5DF3CE442A301

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF63B26179C Relevance: 7.6, APIs: 5, Instructions: 56
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 85%

			E00007FF67FF63B26179C(signed int __ecx, long long __rbx, void* __rdx, long long __rsi, long long _a8, long long _a16) {
				signed int _t27;
				signed int _t28;
				signed int _t29;
				signed int _t30;
				signed int _t31;
				signed int _t42;
				signed int _t43;
				signed int _t44;
				signed int _t46;
				void* _t51;

				_a8 = __rbx;
				_a16 = __rsi;
				_t27 = __ecx & 0x0000001f;
				if ((__ecx & 0x00000008) == 0) goto 0x3b2617ce;
				if (sil >= 0) goto 0x3b2617ce;
				E00007FF67FF63B25BE80(_t27, _t51);
				_t28 = _t27 & 0xfffffff7;
				goto 0x3b261825;
				_t42 = 0x00000004 & dil;
				if (_t42 == 0) goto 0x3b2617e9;
				asm("dec eax");
				if (_t42 >= 0) goto 0x3b2617e9;
				E00007FF67FF63B25BE80(_t28, _t51);
				_t29 = _t28 & 0xfffffffb;
				goto 0x3b261825;
				_t43 = dil & 0x00000001;
				if (_t43 == 0) goto 0x3b261805;
				asm("dec eax");
				if (_t43 >= 0) goto 0x3b261805;
				E00007FF67FF63B25BE80(_t29, _t51);
				_t30 = _t29 & 0xfffffffe;
				goto 0x3b261825;
				_t44 = dil & 0x00000002;
				if (_t44 == 0) goto 0x3b261825;
				asm("dec eax");
				if (_t44 >= 0) goto 0x3b261825;
				if ((dil & 0x00000010) == 0) goto 0x3b261822;
				E00007FF67FF63B25BE80(_t30, _t51);
				_t31 = _t30 & 0xfffffffd;
				_t46 = dil & 0x00000010;
				if (_t46 == 0) goto 0x3b26183f;
				asm("dec eax");
				if (_t46 >= 0) goto 0x3b26183f;
				E00007FF67FF63B25BE80(_t31, _t51);
				return 0 | (_t31 & 0xffffffef) == 0x00000000;
			}

0x7ff63b26179c
0x7ff63b2617a1
0x7ff63b2617b0
0x7ff63b2617b8
0x7ff63b2617bd
0x7ff63b2617c4
0x7ff63b2617c9
0x7ff63b2617cc
0x7ff63b2617d3
0x7ff63b2617d6
0x7ff63b2617d8
0x7ff63b2617dd
0x7ff63b2617df
0x7ff63b2617e4
0x7ff63b2617e7
0x7ff63b2617e9
0x7ff63b2617ed
0x7ff63b2617ef
0x7ff63b2617f4
0x7ff63b2617fb
0x7ff63b261800
0x7ff63b261803
0x7ff63b261805
0x7ff63b261809
0x7ff63b26180b
0x7ff63b261810
0x7ff63b261816
0x7ff63b26181d
0x7ff63b261822
0x7ff63b261825
0x7ff63b261829
0x7ff63b26182b
0x7ff63b261830
0x7ff63b261837
0x7ff63b261855

APIs

_set_statfp.LIBCMT ref: 00007FF63B2617C4
_set_statfp.LIBCMT ref: 00007FF63B2617DF
_set_statfp.LIBCMT ref: 00007FF63B2617FB
_set_statfp.LIBCMT ref: 00007FF63B261837

Memory Dump Source

Source File: 00000000.00000002.556808357.00007FF63B241000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF63B240000, based on PE: true

Associated: 00000000.00000002.556798378.00007FF63B240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.556881205.00007FF63B27C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.556890864.00007FF63B27F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.556890864.00007FF63B284000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.557189912.00007FF63B32C000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.557371250.00007FF63B3E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.557378386.00007FF63B3E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63b240000_1q3HnZAcnJ.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: 373c00b7e460bf62ee208cbed5e91b47fcee4b4a4ce8664a38bdacaad33c272d
Instruction ID: 11c9caac3ca77b5b3641fbaf0003028dd296d51f58a3ee3ed55fd597eed9e070
Opcode Fuzzy Hash: 373c00b7e460bf62ee208cbed5e91b47fcee4b4a4ce8664a38bdacaad33c272d
Instruction Fuzzy Hash: B011B222F58B0745F66A1528E64637500426F5C371E482B31FAEE863FFCEAC78816184

Uniqueness

Uniqueness Score: -1.00%

Function 00000191EB4B363C Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 171COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00000191EB4B3671
_invalid_parameter_noinfo.LIBCMT ref: 00000191EB4B383D

Strings

*, xrefs: 00000191EB4B3771
, xrefs: 00000191EB4B37C6

Memory Dump Source

Source File: 00000000.00000002.556430783.00000191EB4B1000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000191EB4B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_191eb4b1000_1q3HnZAcnJ.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: $*
API String ID: 3215553584-3982473090
Opcode ID: f29546d3a36cf79c47e3619aed576d9b14d69aabdb658179f5724d34d282a78c
Instruction ID: b8226b3396b0d25e07fbeab9ff3f2922a6a8b0aed67123cc3afd87aa4d69b8d6
Opcode Fuzzy Hash: f29546d3a36cf79c47e3619aed576d9b14d69aabdb658179f5724d34d282a78c
Instruction Fuzzy Hash: 686191B0184646ABEBA78F1BC2E93E53BE0BB05305F545199DE838A1D6C365C8C5C721

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF63B24C9E4 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 145
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 76%

			E00007FF67FF63B24C9E4(long long __rbx, intOrPtr* __rcx, void* __rdx, long long __rdi, long long __rsi, long long __rbp, void* __r8, void* __r9, void* _a8, void* _a16, void* _a24, void* _a32, signed int* _a40, char _a48, signed int _a56, signed int _a64) {
				signed int _v32;
				long long _v40;
				char _v48;
				signed int* _v56;
				void* _t55;
				intOrPtr _t60;
				signed int _t99;
				void* _t107;
				intOrPtr _t109;
				signed int* _t114;
				intOrPtr* _t134;
				void* _t137;
				void* _t140;
				void* _t142;
				void* _t157;

				_t107 = _t142;
				 *((long long*)(_t107 + 8)) = __rbx;
				 *((long long*)(_t107 + 0x10)) = __rbp;
				 *((long long*)(_t107 + 0x18)) = __rsi;
				 *((long long*)(_t107 + 0x20)) = __rdi;
				_t134 = __rcx;
				_t137 = __r9;
				_t157 = __r8;
				_t140 = __rdx;
				E00007FF67FF63B24E064(_t55, __r8);
				E00007FF67FF63B24ADD0(_t107);
				_t114 = _a40;
				if ( *((intOrPtr*)(_t107 + 0x40)) != 0) goto 0x3b24ca66;
				if ( *__rcx == 0xe06d7363) goto 0x3b24ca66;
				if ( *__rcx != 0x80000029) goto 0x3b24ca4a;
				if ( *((intOrPtr*)(__rcx + 0x18)) != 0xf) goto 0x3b24ca4e;
				goto 0x3b24ca4c;
				if ( *__rcx == 0x80000026) goto 0x3b24ca66;
				if (( *_t114 & 0x1fffffff) - 0x19930522 < 0) goto 0x3b24ca66;
				if ((_t114[9] & 0x00000001) != 0) goto 0x3b24cbf5;
				if (( *(__rcx + 4) & 0x00000066) == 0) goto 0x3b24cafe;
				if (_t114[1] == 0) goto 0x3b24cbf5;
				if (_a48 != 0) goto 0x3b24cbf5;
				if (( *(__rcx + 4) & 0x00000020) == 0) goto 0x3b24caeb;
				if ( *__rcx != 0x80000026) goto 0x3b24cac9;
				_t60 = E00007FF67FF63B24B014(_t114, __r9,  *((intOrPtr*)(__r9 + 0x20)), __r9);
				if (_t60 - 0xffffffff < 0) goto 0x3b24cc15;
				if (_t60 - _t114[1] >= 0) goto 0x3b24cc15;
				r9d = _t60;
				E00007FF67FF63B24D6DC(_t107, _t140, __r9, _t114);
				goto 0x3b24cbf5;
				if ( *_t134 != 0x80000029) goto 0x3b24caeb;
				r9d =  *((intOrPtr*)(_t134 + 0x38));
				if (r9d - 0xffffffff < 0) goto 0x3b24cc15;
				if (r9d - _t114[1] >= 0) goto 0x3b24cc15;
				goto 0x3b24cab9;
				E00007FF67FF63B249424(r9d - _t114[1], _t107, _t114, __r9, __r9, _t114);
				goto 0x3b24cbf5;
				if (_t114[3] != 0) goto 0x3b24cb46;
				if (( *_t114 & 0x1fffffff) - 0x19930521 < 0) goto 0x3b24cb26;
				_t99 = _t114[8];
				if (_t99 == 0) goto 0x3b24cb26;
				E00007FF67FF63B249CC8(_t107);
				if (_t99 != 0) goto 0x3b24cb46;
				if (( *_t114 & 0x1fffffff) - 0x19930522 < 0) goto 0x3b24cbf5;
				if ((_t114[9] >> 0x00000002 & 0x00000001) == 0) goto 0x3b24cbf5;
				if ( *_t134 != 0xe06d7363) goto 0x3b24cbbc;
				if ( *((intOrPtr*)(_t134 + 0x18)) - 3 < 0) goto 0x3b24cbbc;
				if ( *((intOrPtr*)(_t134 + 0x20)) - 0x19930522 <= 0) goto 0x3b24cbbc;
				_t109 =  *((intOrPtr*)(_t134 + 0x30));
				if ( *((intOrPtr*)(_t109 + 8)) == 0) goto 0x3b24cbbc;
				E00007FF67FF63B249CDC(_t109);
				if (_t109 +  *((intOrPtr*)( *((intOrPtr*)(_t134 + 0x30)) + 8)) == 0) goto 0x3b24cbbc;
				_v32 = _a64 & 0x000000ff;
				_v40 = _a56;
				_v48 = _a48;
				_v56 = _t114;
				E00007FF67FF63B265310();
				goto 0x3b24cbfa;
				_v32 = _a56;
				_v40 = _a48;
				_v48 = _a64;
				_v56 = _t114;
				E00007FF67FF63B24B894(_a48, 0x80000026, _t134, _t140, _t157, _t137, _t109 +  *((intOrPtr*)( *((intOrPtr*)(_t134 + 0x30)) + 8)));
				return 1;
			}

0x7ff63b24c9e4
0x7ff63b24c9e7
0x7ff63b24c9eb
0x7ff63b24c9ef
0x7ff63b24c9f3
0x7ff63b24c9fd
0x7ff63b24ca00
0x7ff63b24ca06
0x7ff63b24ca09
0x7ff63b24ca0c
0x7ff63b24ca11
0x7ff63b24ca16
0x7ff63b24ca2c
0x7ff63b24ca34
0x7ff63b24ca38
0x7ff63b24ca3e
0x7ff63b24ca48
0x7ff63b24ca4c
0x7ff63b24ca5a
0x7ff63b24ca60
0x7ff63b24ca6a
0x7ff63b24ca74
0x7ff63b24ca82
0x7ff63b24ca8c
0x7ff63b24ca90
0x7ff63b24ca9c
0x7ff63b24caa4
0x7ff63b24caad
0x7ff63b24cab3
0x7ff63b24cabf
0x7ff63b24cac4
0x7ff63b24cacb
0x7ff63b24cacd
0x7ff63b24cad5
0x7ff63b24cadf
0x7ff63b24cae9
0x7ff63b24caf4
0x7ff63b24caf9
0x7ff63b24cb02
0x7ff63b24cb10
0x7ff63b24cb12
0x7ff63b24cb16
0x7ff63b24cb18
0x7ff63b24cb24
0x7ff63b24cb32
0x7ff63b24cb40
0x7ff63b24cb4c
0x7ff63b24cb52
0x7ff63b24cb5b
0x7ff63b24cb5d
0x7ff63b24cb65
0x7ff63b24cb67
0x7ff63b24cb7a
0x7ff63b24cb87
0x7ff63b24cb99
0x7ff63b24cba8
0x7ff63b24cbaf
0x7ff63b24cbb4
0x7ff63b24cbba
0x7ff63b24cbc7
0x7ff63b24cbd9
0x7ff63b24cbe7
0x7ff63b24cbeb
0x7ff63b24cbf0
0x7ff63b24cc14

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF63B24CA0C
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 00007FF63B24CAF4

Strings

csm, xrefs: 00007FF63B24CA2E
csm, xrefs: 00007FF63B24CB46

Memory Dump Source

Source File: 00000000.00000002.556808357.00007FF63B241000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF63B240000, based on PE: true

Associated: 00000000.00000002.556798378.00007FF63B240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.556881205.00007FF63B27C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.556890864.00007FF63B27F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.556890864.00007FF63B284000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.557189912.00007FF63B32C000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.557371250.00007FF63B3E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.557378386.00007FF63B3E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63b240000_1q3HnZAcnJ.jbxd

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: aa97355ab144a1ccbde8d2f77ab6dd523f43816e808619965a27f9d492bec7eb
Instruction ID: 6d26e49311b07791f8bd4592831d598c90903b275cfcffca2756c0c56e7c8dec
Opcode Fuzzy Hash: aa97355ab144a1ccbde8d2f77ab6dd523f43816e808619965a27f9d492bec7eb
Instruction Fuzzy Hash: 9851603290824286EB648F1A964427976A0FB5CB94F148336DADDC7FA9CF7CE494E704

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF63B242850 Relevance: 6.2, APIs: 4, Instructions: 177COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF63B242A8C
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF63B242A92
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF63B242A98
__std_exception_destroy.LIBVCRUNTIME ref: 00007FF63B242ABD

Memory Dump Source

Source File: 00000000.00000002.556808357.00007FF63B241000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF63B240000, based on PE: true

Associated: 00000000.00000002.556798378.00007FF63B240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.556881205.00007FF63B27C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.556890864.00007FF63B27F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.556890864.00007FF63B284000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.557189912.00007FF63B32C000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.557371250.00007FF63B3E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.557378386.00007FF63B3E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63b240000_1q3HnZAcnJ.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$Concurrency::cancel_current_task__std_exception_destroy
String ID:
API String ID: 3964811064-0
Opcode ID: 4c93ece58f8dba3f15dfb932c69249ec7807dc2b0b4f1827353351d722f19c59
Instruction ID: 1805f859b0fff2c183dd6ac947c21d2d6b090ab2206da6365db0ab7bdbeade48
Opcode Fuzzy Hash: 4c93ece58f8dba3f15dfb932c69249ec7807dc2b0b4f1827353351d722f19c59
Instruction Fuzzy Hash: AF718D22F24B5588FB10CBA5D6442FC2361BB487A4F504735DEAC57BAAEF78A485D300

Uniqueness

Uniqueness Score: -1.00%

Function 00000191ECDF41E0 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 236COMMONLIBRARYCODE

Download Yara Rule

APIs

_CallSETranslator.LIBVCRUNTIME ref: 00000191ECDF427B

Strings

RCC, xrefs: 00000191ECDF424A
MOC, xrefs: 00000191ECDF4241

Memory Dump Source

Source File: 00000000.00000002.556733649.00000191ECDF1000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000191ECDF1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_191ecdf1000_1q3HnZAcnJ.jbxd

Similarity

API ID: CallTranslator
String ID: MOC$RCC
API String ID: 3163161869-2084237596
Opcode ID: fe3e686cfa4e538c71a950090f609aba00e85d7e20fd5edda6afec13e5278ef2
Instruction ID: 42424c7b48cb36db9e3724c4a21fab6c801ba50f678736ca67e7cbc66851b670
Opcode Fuzzy Hash: fe3e686cfa4e538c71a950090f609aba00e85d7e20fd5edda6afec13e5278ef2
Instruction Fuzzy Hash: 3C716C30D18A4E9FEB6AEF58D8827E9B7E0FB58300F10055AEC45D3252D675E9C28BC1

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF63B260374 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 225
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 72%

			E00007FF67FF63B260374(void* __ecx, void* __edx, long long __rbx, intOrPtr* __rcx, signed short* __rdx, long long __rdi, long long __rsi, void* __r8, signed int __r9) {
				void* _t28;
				signed short _t37;
				signed short _t49;
				void* _t50;
				void* _t87;
				intOrPtr* _t88;
				intOrPtr* _t90;
				intOrPtr* _t93;
				intOrPtr* _t114;
				intOrPtr* _t118;
				long long _t121;
				void* _t122;
				void* _t124;
				signed long long _t137;
				void* _t138;
				void* _t139;
				void* _t141;
				signed short* _t142;
				void* _t144;
				intOrPtr* _t145;

				_t110 = __rdx;
				_t50 = __ecx;
				_t87 = _t124;
				 *((long long*)(_t87 + 8)) = __rbx;
				 *((long long*)(_t87 + 0x10)) = _t121;
				 *((long long*)(_t87 + 0x18)) = __rsi;
				 *((long long*)(_t87 + 0x20)) = __rdi;
				_t122 = __r8;
				_t142 = __rdx;
				_t118 = __rcx;
				E00007FF67FF63B256CD4(_t28, _t87, __rbx, __rdx, __rcx, _t144);
				r12d = 0;
				_t5 = _t87 + 0x98; // 0x98
				_t93 = _t5;
				_t88 = _t118 + 0x80;
				 *((intOrPtr*)(_t93 + 0x10)) = r12d;
				_t8 = _t93 + 0x258; // 0x2f0
				_t145 = _t8;
				 *_t93 = _t118;
				_t9 = _t93 + 8; // 0xa0
				_t114 = _t9;
				 *_t145 = r12w;
				 *_t114 = _t88;
				if ( *_t88 == r12w) goto 0x3b2603e9;
				_t10 = _t139 + 0x16; // 0x16
				E00007FF67FF63B2602D8(_t10, _t93, 0x3b26d2b0, _t114, _t118, _t114);
				if ( *((intOrPtr*)( *_t93)) == r12w) goto 0x3b26043f;
				if ( *((intOrPtr*)( *_t114)) == r12w) goto 0x3b260402;
				E00007FF67FF63B25FC68(_t93, _t93, _t114, __r9);
				goto 0x3b260407;
				E00007FF67FF63B25FD38(_t93, _t93, _t114, __r9);
				if ( *((intOrPtr*)(_t93 + 0x10)) != r12d) goto 0x3b26044e;
				if (E00007FF67FF63B2602D8(0x40, _t93, 0x3b26ce90, _t114, _t118, _t93) == 0) goto 0x3b260444;
				_t90 =  *_t114;
				if ( *_t90 == r12w) goto 0x3b260438;
				E00007FF67FF63B25FC68(_t93, _t93, _t93, __r9);
				goto 0x3b260444;
				E00007FF67FF63B25FD38(_t93, _t93, _t93, __r9);
				goto 0x3b260444;
				E00007FF67FF63B25FBC0(_t50,  *_t90 - r12w, _t93, _t93, _t110, _t93, __r9);
				if ( *((intOrPtr*)(_t93 + 0x10)) == r12d) goto 0x3b2605a1;
				if ( *_t118 != r12w) goto 0x3b260469;
				if ( *((intOrPtr*)(_t118 + 0x100)) != r12w) goto 0x3b260469;
				0x3b31f030(_t141, _t139);
				goto 0x3b260471;
				_t37 = E00007FF67FF63B2601A8(_t50, _t93, _t118 + 0x100, _t93, _t118, __r8, __r9);
				_t49 = _t37;
				if (_t37 == 0) goto 0x3b2605a1;
				if (_t37 == 0xfde8) goto 0x3b2605a1;
				if (E00007FF67FF63B291230(_t37, _t49 & 0x0000ffff, _t90, _t118 + 0x100, _t93, _t114, _t118) == 0) goto 0x3b2605a1;
				if (_t142 == 0) goto 0x3b26049f;
				 *_t142 = _t49;
				if (_t122 == 0) goto 0x3b26059a;
				_t119 = _t122 + 0x120;
				 *((intOrPtr*)(_t122 + 0x120)) = r12w;
				_t137 = (__r9 | 0xffffffff) + 1;
				if ( *((intOrPtr*)(_t145 + _t137 * 2)) != r12w) goto 0x3b2604b7;
				_t138 = _t137 + 1;
				if (E00007FF67FF63B25E34C(_t90, _t93, _t122 + 0x120, _t93, _t145, _t138) != 0) goto 0x3b2605c2;
				_t17 = _t90 + 0x40; // 0x40
				r9d = _t17;
				if (E00007FF67FF63B257564(0x1001, E00007FF67FF63B25E34C(_t90, _t93, _t122 + 0x120, _t93, _t145, _t138), _t90, _t93, _t122 + 0x120, _t122 + 0x120, _t122, _t122) == 0) goto 0x3b2605a1;
				r9d = 0x40;
				if (E00007FF67FF63B257564(0x1002, E00007FF67FF63B257564(0x1001, E00007FF67FF63B25E34C(_t90, _t93, _t122 + 0x120, _t93, _t145, _t138), _t90, _t93, _t122 + 0x120, _t122 + 0x120, _t122, _t122), _t90, _t93, _t122 + 0x120, _t119, _t122, _t122 + 0x80) == 0) goto 0x3b2605a1;
				E00007FF67FF63B263D24(0x5f, _t122 + 0x80, _t138);
				if (_t90 != 0) goto 0x3b26053f;
				_t19 = _t90 + 0x2e; // 0x2e
				E00007FF67FF63B263D24(_t19, _t122 + 0x80, _t138);
				if (_t90 == 0) goto 0x3b260558;
				r9d = 0x40;
				_t20 = _t138 - 0x39; // 0x7
				if (E00007FF67FF63B257564(_t20, _t90, _t90, _t93, _t119, _t119, _t122, _t122 + 0x80) == 0) goto 0x3b2605a1;
				if (_t49 != 0xfde9) goto 0x3b260586;
				r9d = 5;
				if (E00007FF67FF63B25E34C(_t122 + 0x100, _t93, _t122 + 0x100, _t93, L"utf8", _t138) != 0) goto 0x3b2605c2;
				goto 0x3b26059a;
				r9d = 0xa;
				_t23 = _t138 + 6; // 0x46
				r8d = _t23;
				E00007FF67FF63B262888(_t49);
				goto 0x3b2605a3;
				return 0;
			}

0x7ff63b260374
0x7ff63b260374
0x7ff63b260374
0x7ff63b260377
0x7ff63b26037b
0x7ff63b26037f
0x7ff63b260383
0x7ff63b260391
0x7ff63b260394
0x7ff63b260397
0x7ff63b26039a
0x7ff63b26039f
0x7ff63b2603a5
0x7ff63b2603a5
0x7ff63b2603ac
0x7ff63b2603b3
0x7ff63b2603b7
0x7ff63b2603b7
0x7ff63b2603be
0x7ff63b2603c1
0x7ff63b2603c1
0x7ff63b2603c5
0x7ff63b2603c9
0x7ff63b2603d0
0x7ff63b2603d5
0x7ff63b2603e1
0x7ff63b2603f0
0x7ff63b2603f9
0x7ff63b2603fb
0x7ff63b260400
0x7ff63b260402
0x7ff63b26040b
0x7ff63b260423
0x7ff63b260425
0x7ff63b26042f
0x7ff63b260431
0x7ff63b260436
0x7ff63b260438
0x7ff63b26043d
0x7ff63b26043f
0x7ff63b260448
0x7ff63b260459
0x7ff63b26045f
0x7ff63b260461
0x7ff63b260467
0x7ff63b26046c
0x7ff63b260471
0x7ff63b260475
0x7ff63b260480
0x7ff63b260491
0x7ff63b26049a
0x7ff63b26049c
0x7ff63b2604a2
0x7ff63b2604a8
0x7ff63b2604b3
0x7ff63b2604b7
0x7ff63b2604bf
0x7ff63b2604c1
0x7ff63b2604d6
0x7ff63b2604dc
0x7ff63b2604dc
0x7ff63b2604f2
0x7ff63b2604ff
0x7ff63b260517
0x7ff63b260525
0x7ff63b26052d
0x7ff63b26052f
0x7ff63b260535
0x7ff63b26053d
0x7ff63b26053f
0x7ff63b26054b
0x7ff63b260556
0x7ff63b260565
0x7ff63b260567
0x7ff63b260582
0x7ff63b260584
0x7ff63b260586
0x7ff63b260591
0x7ff63b260591
0x7ff63b260595
0x7ff63b26059f
0x7ff63b2605c1

APIs

TranslateName.LIBCMT ref: 00007FF63B2603E1
TranslateName.LIBCMT ref: 00007FF63B26041C

Strings

utf8, xrefs: 00007FF63B26056D

Memory Dump Source

Source File: 00000000.00000002.556808357.00007FF63B241000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF63B240000, based on PE: true

Associated: 00000000.00000002.556798378.00007FF63B240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.556881205.00007FF63B27C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.556890864.00007FF63B27F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.556890864.00007FF63B284000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.557189912.00007FF63B32C000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.557371250.00007FF63B3E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.557378386.00007FF63B3E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63b240000_1q3HnZAcnJ.jbxd

Similarity

API ID: NameTranslate
String ID: utf8
API String ID: 2039356047-905460609
Opcode ID: 44b13824d199e3edefff80ae929aec6054e773accadfd3da39e84877875c0493
Instruction ID: 2fa1c29000c3f2eac0fbb6811ff81cb94d35244870da97415587a0172dc198c3
Opcode Fuzzy Hash: 44b13824d199e3edefff80ae929aec6054e773accadfd3da39e84877875c0493
Instruction Fuzzy Hash: 21917132A1878285E7249B21D6913BA63A4FF4CB80F444231DACD977A6DFBCE551E304

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF63B24C470 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 191
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 61%

			E00007FF67FF63B24C470(void* __edx, intOrPtr* __rcx, void* __rdx, long long __r8, void* __r9) {
				void* __rbx;
				void* __rdi;
				void* __rsi;
				void* __rbp;
				void* _t94;
				intOrPtr _t95;
				intOrPtr _t125;
				void* _t136;
				intOrPtr _t137;
				signed long long _t143;
				long long _t145;
				long long _t150;
				void* _t151;
				intOrPtr* _t171;
				long long _t182;
				long long _t183;
				intOrPtr* _t184;
				void* _t185;
				intOrPtr* _t186;
				intOrPtr* _t187;
				void* _t188;
				signed long long _t189;
				intOrPtr _t197;
				void* _t204;
				long long _t205;

				_t187 = _t188 - 0x38;
				_t189 = _t188 - 0x138;
				_t143 =  *0x3b27a028; // 0x7f80d271952
				 *(_t187 + 0x28) = _t143 ^ _t189;
				_t185 = __r9;
				_t145 =  *((intOrPtr*)(_t187 + 0xb8));
				_t204 = __rdx;
				_t205 =  *((intOrPtr*)(_t187 + 0xa0));
				_t186 = __rcx;
				 *((long long*)(_t189 + 0x70)) = _t145;
				 *((long long*)(_t189 + 0x78)) = __r8;
				if ( *__rcx == 0x80000003) goto 0x3b24c739;
				E00007FF67FF63B24ADD0(_t145);
				r12d =  *((intOrPtr*)(_t187 + 0xb0));
				r15d =  *((intOrPtr*)(_t187 + 0xa8));
				if ( *((long long*)(_t145 + 0x10)) == 0) goto 0x3b24c538;
				0x3b290648();
				_t160 = _t145;
				E00007FF67FF63B24ADD0(_t145);
				if ( *((intOrPtr*)(_t145 + 0x10)) == _t145) goto 0x3b24c538;
				if ( *__rcx == 0xe0434f4d) goto 0x3b24c538;
				if ( *__rcx == 0xe0434352) goto 0x3b24c538;
				 *((intOrPtr*)(_t189 + 0x38)) = r15d;
				 *(_t189 + 0x30) =  *((intOrPtr*)(_t189 + 0x70));
				 *((intOrPtr*)(_t189 + 0x28)) = r12d;
				 *((long long*)(_t189 + 0x20)) = _t205;
				if (E00007FF67FF63B249224(__rcx, __rdx,  *((intOrPtr*)(_t189 + 0x78)), __r9) != 0) goto 0x3b24c739;
				E00007FF67FF63B24CF2C(_t187, _t205,  *((intOrPtr*)(__r9 + 8)));
				if ( *_t187 <= 0) goto 0x3b24c759;
				 *((intOrPtr*)(_t189 + 0x28)) = r12d;
				 *((long long*)(_t189 + 0x20)) = _t205;
				r8d = r15d;
				_t94 = E00007FF67FF63B2496EC(_t145, _t187 - 0x70, _t187, _t185, __rcx, _t187);
				asm("movups xmm0, [ebp-0x70]");
				asm("movdqu [ebp-0x80], xmm0");
				asm("psrldq xmm0, 0x8");
				asm("movd eax, xmm0");
				if (_t94 -  *((intOrPtr*)(_t187 - 0x58)) >= 0) goto 0x3b24c739;
				_t95 =  *((intOrPtr*)(_t187 - 0x78));
				 *((long long*)(_t189 + 0x68)) =  *((intOrPtr*)(_t187 - 0x70));
				 *((intOrPtr*)(_t189 + 0x60)) = _t95;
				asm("inc ecx");
				asm("dec ax");
				asm("movups [ebp-0x80], xmm0");
				if (_t95 - r15d > 0) goto 0x3b24c69f;
				_t136 = r15d - _t95;
				if (_t136 > 0) goto 0x3b24c69f;
				r9d =  *((intOrPtr*)( *((intOrPtr*)(_t185 + 0x10))));
				E00007FF67FF63B24CEB0( *((intOrPtr*)(_t185 + 0x10)), _t187 - 0x50, _t187 - 0x80,  *((intOrPtr*)(_t185 + 8)));
				 *((long long*)(_t187 - 0x48)) =  *((intOrPtr*)(_t187 - 0x40));
				E00007FF67FF63B24D49C( *((intOrPtr*)(_t187 - 0x40)), _t187 - 0x50);
				_t150 =  *((intOrPtr*)(_t187 - 0x40));
				 *((long long*)(_t187 - 0x48)) = _t150;
				E00007FF67FF63B24D49C(_t150, _t187 - 0x50);
				if (_t136 == 0) goto 0x3b24c616;
				E00007FF67FF63B24D49C(_t150, _t187 - 0x50);
				if (_t136 != 0) goto 0x3b24c607;
				_t137 =  *((intOrPtr*)(_t187 - 0x30));
				if (_t137 == 0) goto 0x3b24c644;
				E00007FF67FF63B249CC8(_t150);
				_t151 = _t150 +  *((intOrPtr*)(_t187 - 0x30));
				if (_t137 == 0) goto 0x3b24c644;
				if (__edx == 0) goto 0x3b24c63c;
				E00007FF67FF63B249CC8(_t151);
				goto 0x3b24c63e;
				if ( *((char*)(_t151 +  *((intOrPtr*)(_t187 - 0x30)) + 0x10)) != 0) goto 0x3b24c693;
				if (( *(_t187 - 0x34) & 0x00000040) != 0) goto 0x3b24c693;
				 *((char*)(_t189 + 0x58)) = 0;
				_t171 = _t186;
				 *((char*)(_t189 + 0x50)) = 1;
				 *((long long*)(_t189 + 0x48)) =  *((intOrPtr*)(_t189 + 0x70));
				 *((intOrPtr*)(_t189 + 0x40)) = r12d;
				 *((long long*)(_t189 + 0x38)) = _t187 - 0x80;
				 *(_t189 + 0x30) =  *(_t189 + 0x30) & 0x00000000;
				 *((long long*)(_t189 + 0x28)) = _t187 - 0x38;
				 *((long long*)(_t189 + 0x20)) = _t205;
				E00007FF67FF63B24B7C0(0, _t160 - 1, _t171, _t204,  *((intOrPtr*)(_t189 + 0x78)), _t185);
				_t197 =  *((intOrPtr*)(_t189 + 0x68));
				_t182 =  *((intOrPtr*)(_t197 + 8)) -  *((char*)(_t171 + 0x7ff63b266810));
				 *((long long*)(_t197 + 8)) = _t182;
				 *(_t197 + 0x18) =  *(_t182 - 4) >>  *(_t171 + 0x7ff63b266820);
				_t183 = _t182 -  *((char*)(_t171 + 0x7ff63b266810));
				 *((long long*)(_t197 + 8)) = _t183;
				 *(_t197 + 0x1c) =  *(_t183 - 4) >>  *(_t171 + 0x7ff63b266820);
				_t184 = _t183 -  *((char*)(_t171 + 0x7ff63b266810));
				 *(_t197 + 0x20) =  *(_t184 - 4) >>  *(_t171 + 0x7ff63b266820);
				 *((long long*)(_t197 + 8)) = _t184;
				 *((intOrPtr*)(_t197 + 0x24)) =  *_t184;
				_t125 =  *((intOrPtr*)(_t189 + 0x60)) + 1;
				 *((long long*)(_t197 + 8)) = _t184 + 4;
				 *((intOrPtr*)(_t189 + 0x60)) = _t125;
				if (_t125 -  *((intOrPtr*)(_t187 - 0x58)) < 0) goto 0x3b24c5a1;
				return E00007FF67FF63B248930( *(_t184 - 4) >>  *(_t171 + 0x7ff63b266820), _t125,  *(_t187 + 0x28) ^ _t189);
			}

0x7ff63b24c47d
0x7ff63b24c482
0x7ff63b24c489
0x7ff63b24c493
0x7ff63b24c49d
0x7ff63b24c4a0
0x7ff63b24c4a7
0x7ff63b24c4aa
0x7ff63b24c4b1
0x7ff63b24c4b4
0x7ff63b24c4b9
0x7ff63b24c4be
0x7ff63b24c4c4
0x7ff63b24c4c9
0x7ff63b24c4d0
0x7ff63b24c4dc
0x7ff63b24c4e0
0x7ff63b24c4e6
0x7ff63b24c4e9
0x7ff63b24c4f2
0x7ff63b24c4fa
0x7ff63b24c502
0x7ff63b24c514
0x7ff63b24c51c
0x7ff63b24c521
0x7ff63b24c526
0x7ff63b24c532
0x7ff63b24c543
0x7ff63b24c54c
0x7ff63b24c552
0x7ff63b24c55e
0x7ff63b24c563
0x7ff63b24c56a
0x7ff63b24c56f
0x7ff63b24c573
0x7ff63b24c578
0x7ff63b24c57d
0x7ff63b24c584
0x7ff63b24c595
0x7ff63b24c598
0x7ff63b24c59d
0x7ff63b24c5a1
0x7ff63b24c5a6
0x7ff63b24c5ab
0x7ff63b24c5b2
0x7ff63b24c5bc
0x7ff63b24c5bf
0x7ff63b24c5d5
0x7ff63b24c5d8
0x7ff63b24c5e5
0x7ff63b24c5e9
0x7ff63b24c5ee
0x7ff63b24c5f9
0x7ff63b24c5fd
0x7ff63b24c605
0x7ff63b24c60b
0x7ff63b24c614
0x7ff63b24c616
0x7ff63b24c61a
0x7ff63b24c61c
0x7ff63b24c625
0x7ff63b24c628
0x7ff63b24c62c
0x7ff63b24c62e
0x7ff63b24c63a
0x7ff63b24c642
0x7ff63b24c648
0x7ff63b24c65a
0x7ff63b24c65f
0x7ff63b24c662
0x7ff63b24c667
0x7ff63b24c670
0x7ff63b24c675
0x7ff63b24c67e
0x7ff63b24c684
0x7ff63b24c689
0x7ff63b24c68e
0x7ff63b24c693
0x7ff63b24c6ba
0x7ff63b24c6c2
0x7ff63b24c6c6
0x7ff63b24c6e1
0x7ff63b24c6e9
0x7ff63b24c6ed
0x7ff63b24c708
0x7ff63b24c710
0x7ff63b24c718
0x7ff63b24c71e
0x7ff63b24c726
0x7ff63b24c728
0x7ff63b24c72c
0x7ff63b24c733
0x7ff63b24c758

APIs

_CallSETranslator.LIBVCRUNTIME ref: 00007FF63B24C52B

Strings

MOC, xrefs: 00007FF63B24C4F4
RCC, xrefs: 00007FF63B24C4FC

Memory Dump Source

Source File: 00000000.00000002.556808357.00007FF63B241000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF63B240000, based on PE: true

Associated: 00000000.00000002.556798378.00007FF63B240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.556881205.00007FF63B27C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.556890864.00007FF63B27F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.556890864.00007FF63B284000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.557189912.00007FF63B32C000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.557371250.00007FF63B3E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.557378386.00007FF63B3E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63b240000_1q3HnZAcnJ.jbxd

Similarity

API ID: CallTranslator
String ID: MOC$RCC
API String ID: 3163161869-2084237596
Opcode ID: 3b92e86198a56ae2b3a3bd9fe9e4e847486b45ed470cc5b09ea871e565c9be10
Instruction ID: 30c9a1364976717e17a8cf949097cb0df56b452304d5a424f0b69f422546e5a4
Opcode Fuzzy Hash: 3b92e86198a56ae2b3a3bd9fe9e4e847486b45ed470cc5b09ea871e565c9be10
Instruction Fuzzy Hash: D1919173A087818AE710DB69E5402BD7BA0F74D788F14423AEE8D97B65DF38E195DB00

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF63B24CC1C Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 163
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 88%

			E00007FF67FF63B24CC1C(void* __edx, void* __rax, long long __rbx, intOrPtr* __rcx, void* __rdx, long long __rsi, void* __r8, void* __r9) {
				void* __rdi;
				void* __r14;
				void* _t73;
				intOrPtr _t78;
				unsigned int _t103;
				void* _t130;
				intOrPtr _t134;
				intOrPtr* _t139;
				signed char* _t143;
				void* _t144;
				signed char* _t169;
				long long _t173;
				void* _t174;
				void* _t176;
				void* _t177;
				void* _t192;
				void* _t193;
				void* _t195;

				_t186 = __r9;
				_t130 = __rax;
				 *((long long*)(_t176 + 8)) = __rbx;
				 *((long long*)(_t176 + 0x10)) = _t173;
				 *((long long*)(_t176 + 0x18)) = __rsi;
				_t177 = _t176 - 0x80;
				_t139 = __rcx;
				_t174 = __r9;
				_t193 = __rdx;
				E00007FF67FF63B24E064(_t73, __r8);
				E00007FF67FF63B24ADD0(_t130);
				_t169 =  *((intOrPtr*)(_t177 + 0xc0));
				r8d = 0x80000029;
				r9d = 0x80000026;
				if ( *((intOrPtr*)(_t130 + 0x40)) != 0) goto 0x3b24cc96;
				if ( *__rcx == 0xe06d7363) goto 0x3b24cc96;
				if ( *__rcx != r8d) goto 0x3b24cc88;
				if ( *((intOrPtr*)(__rcx + 0x18)) != 0xf) goto 0x3b24cc8d;
				if ( *((long long*)(__rcx + 0x60)) == 0x19930520) goto 0x3b24cc96;
				if ( *__rcx == r9d) goto 0x3b24cc96;
				if (( *_t169 & 0x00000020) != 0) goto 0x3b24ce88;
				if (( *(__rcx + 4) & 0x00000066) == 0) goto 0x3b24cdba;
				if (_t169[8] == 0) goto 0x3b24ce88;
				if ( *(_t169[8] +  *((intOrPtr*)(__r9 + 8)) -  *((char*)(__r8 + 0x7ff63b266810)) - 4) >>  *(__r8 + 0x7ff63b266820) == 0) goto 0x3b24ce88;
				if ( *((intOrPtr*)(_t177 + 0xc8)) != 0) goto 0x3b24ce88;
				if (( *(__rcx + 4) & 0x00000020) == 0) goto 0x3b24cda7;
				if ( *__rcx != r9d) goto 0x3b24cd5e;
				_t143 = _t169;
				_t78 = E00007FF67FF63B24B07C(__edx, __rcx, _t143, __r9, _t169, __rsi,  *((intOrPtr*)(__r9 + 0x20)), _t193, _t195, _t192);
				r9d = _t78;
				if (_t78 - 0xffffffff < 0) goto 0x3b24ceaa;
				if (_t169[8] == 0) goto 0x3b24cd42;
				_t103 =  *(_t169[8] +  *((intOrPtr*)(_t174 + 8)) - _t143[0x7ff63b266810] - 4) >> _t143[0x7ff63b266820];
				if (r9d - _t103 >= 0) goto 0x3b24ceaa;
				_t144 = _t193;
				E00007FF67FF63B24D868(_t143[0x7ff63b266820], _t144, _t174, _t169, _t186);
				goto 0x3b24ce88;
				if ( *__rcx != r8d) goto 0x3b24cda7;
				r9d =  *((intOrPtr*)(__rcx + 0x38));
				if (r9d - 0xffffffff < 0) goto 0x3b24ceaa;
				if (r9d -  *(_t169[8] +  *((intOrPtr*)(_t174 + 8)) -  *((char*)(_t144 + 0x7ff63b266810)) - 4) >>  *(_t144 + 0x7ff63b266820) >= 0) goto 0x3b24ceaa;
				goto 0x3b24cd4e;
				E00007FF67FF63B249488( *((char*)(_t144 + 0x7ff63b266810)), _t193, _t169);
				goto 0x3b24ce88;
				E00007FF67FF63B24CF2C(_t177 + 0x50, _t169,  *((intOrPtr*)(_t174 + 8)));
				if ( *((intOrPtr*)(_t177 + 0x50)) != _t103) goto 0x3b24cdda;
				if (( *_t169 & 0x00000040) == 0) goto 0x3b24ce88;
				if ( *_t139 != 0xe06d7363) goto 0x3b24ce4f;
				if ( *((intOrPtr*)(_t139 + 0x18)) - 3 < 0) goto 0x3b24ce4f;
				if ( *((intOrPtr*)(_t139 + 0x20)) - 0x19930522 <= 0) goto 0x3b24ce4f;
				_t134 =  *((intOrPtr*)(_t139 + 0x30));
				if ( *((intOrPtr*)(_t134 + 8)) == _t103) goto 0x3b24ce4f;
				E00007FF67FF63B249CDC(_t134);
				if (_t134 +  *((intOrPtr*)( *((intOrPtr*)(_t139 + 0x30)) + 8)) == 0) goto 0x3b24ce4f;
				 *(_t177 + 0x38) =  *(_t177 + 0xd8) & 0x000000ff;
				 *((long long*)(_t177 + 0x30)) =  *((intOrPtr*)(_t177 + 0xd0));
				 *((intOrPtr*)(_t177 + 0x28)) =  *((intOrPtr*)(_t177 + 0xc8));
				 *(_t177 + 0x20) = _t169;
				E00007FF67FF63B265310();
				goto 0x3b24ce8d;
				 *(_t177 + 0x38) =  *((intOrPtr*)(_t177 + 0xd0));
				 *((intOrPtr*)(_t177 + 0x30)) =  *((intOrPtr*)(_t177 + 0xc8));
				 *((char*)(_t177 + 0x28)) =  *(_t177 + 0xd8);
				 *(_t177 + 0x20) = _t169;
				E00007FF67FF63B24BD5C( *((intOrPtr*)(_t177 + 0xc8)), _t139, _t193, 0x7ff63b240000, _t174);
				return 1;
			}

0x7ff63b24cc1c
0x7ff63b24cc1c
0x7ff63b24cc1c
0x7ff63b24cc21
0x7ff63b24cc26
0x7ff63b24cc30
0x7ff63b24cc37
0x7ff63b24cc3a
0x7ff63b24cc43
0x7ff63b24cc46
0x7ff63b24cc4b
0x7ff63b24cc50
0x7ff63b24cc5a
0x7ff63b24cc60
0x7ff63b24cc69
0x7ff63b24cc71
0x7ff63b24cc76
0x7ff63b24cc7c
0x7ff63b24cc86
0x7ff63b24cc8b
0x7ff63b24cc90
0x7ff63b24cc9a
0x7ff63b24cca3
0x7ff63b24ccd9
0x7ff63b24cce6
0x7ff63b24ccf0
0x7ff63b24ccf9
0x7ff63b24cd02
0x7ff63b24cd05
0x7ff63b24cd0a
0x7ff63b24cd10
0x7ff63b24cd19
0x7ff63b24cd40
0x7ff63b24cd45
0x7ff63b24cd4b
0x7ff63b24cd54
0x7ff63b24cd59
0x7ff63b24cd61
0x7ff63b24cd63
0x7ff63b24cd6b
0x7ff63b24cd9b
0x7ff63b24cda5
0x7ff63b24cdb0
0x7ff63b24cdb5
0x7ff63b24cdc6
0x7ff63b24cdcf
0x7ff63b24cdd4
0x7ff63b24cde0
0x7ff63b24cde6
0x7ff63b24cdef
0x7ff63b24cdf1
0x7ff63b24cdf8
0x7ff63b24cdfa
0x7ff63b24ce0d
0x7ff63b24ce1a
0x7ff63b24ce2c
0x7ff63b24ce3b
0x7ff63b24ce42
0x7ff63b24ce47
0x7ff63b24ce4d
0x7ff63b24ce5a
0x7ff63b24ce6c
0x7ff63b24ce7a
0x7ff63b24ce7e
0x7ff63b24ce83
0x7ff63b24cea9

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF63B24CC46

Strings

csm, xrefs: 00007FF63B24CDDA
csm, xrefs: 00007FF63B24CC6B

Memory Dump Source

Source File: 00000000.00000002.556808357.00007FF63B241000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF63B240000, based on PE: true

Associated: 00000000.00000002.556798378.00007FF63B240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.556881205.00007FF63B27C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.556890864.00007FF63B27F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.556890864.00007FF63B284000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.557189912.00007FF63B32C000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.557371250.00007FF63B3E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.557378386.00007FF63B3E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63b240000_1q3HnZAcnJ.jbxd

Similarity

API ID: __except_validate_context_record
String ID: csm$csm
API String ID: 1467352782-3733052814
Opcode ID: b07cc560009d00506efbcbe16c06923953fc079e4ad488764cf0156cf1ebd926
Instruction ID: f0fa54bd65e26a780774cf0740f79cc468dc94611c513d1a0305e419f081f65d
Opcode Fuzzy Hash: b07cc560009d00506efbcbe16c06923953fc079e4ad488764cf0156cf1ebd926
Instruction Fuzzy Hash: 90719F72A086818AD7648F29D6547797BA0EB48B85F048335DE8C87FA9CF3CD462E740

Uniqueness

Uniqueness Score: -1.00%

Function 00000191ECDFE3E8 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 154COMMON

Download Yara Rule

APIs

__C_specific_handler.LIBVCRUNTIME ref: 00000191ECDFE3F8

Part of subcall function 00000191ECDF20B0: __except_validate_context_record.LIBVCRUNTIME ref: 00000191ECDF20DB
Part of subcall function 00000191ECDF20B0: _IsNonwritableInCurrentImage.LIBCMT ref: 00000191ECDF2170

Strings

csm, xrefs: 00000191ECDFE403
f, xrefs: 00000191ECDFE3FD

Memory Dump Source

Source File: 00000000.00000002.556733649.00000191ECDF1000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000191ECDF1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_191ecdf1000_1q3HnZAcnJ.jbxd

Similarity

API ID: C_specific_handlerCurrentImageNonwritable__except_validate_context_record
String ID: csm$f
API String ID: 1856668521-629598281
Opcode ID: e4aceac7fb55da6b5ef62b65721dccf62f3eb69130347cbc6551502fa420d132
Instruction ID: d98298df39eb308e4b811cda78a300ff2ed348d7edf9375a1f17c162c2c26b7f
Opcode Fuzzy Hash: e4aceac7fb55da6b5ef62b65721dccf62f3eb69130347cbc6551502fa420d132
Instruction Fuzzy Hash: 7041B730D28C9F5AEA6A9B3888687B476D5F725319F94099CD895C7AD3D51BC8C28280

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF63B24C258 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 147
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 68%

			E00007FF67FF63B24C258(long long __rbx, intOrPtr* __rcx, long long __rdx, long long __r8, void* __r9) {
				void* _t19;
				void* _t27;
				void* _t36;
				void* _t39;
				void* _t42;
				void* _t43;
				void* _t45;
				void* _t46;
				void* _t52;
				void* _t54;
				void* _t56;
				void* _t59;

				_t27 = _t45;
				 *((long long*)(_t27 + 0x20)) = __rbx;
				 *((long long*)(_t27 + 0x18)) = __r8;
				 *((long long*)(_t27 + 0x10)) = __rdx;
				_t43 = _t27 - 0x3f;
				_t46 = _t45 - 0xc0;
				if ( *__rcx == 0x80000003) goto 0x3b24c2fc;
				E00007FF67FF63B24ADD0(_t27);
				r12d =  *((intOrPtr*)(_t43 + 0x6f));
				if ( *((long long*)(_t27 + 0x10)) == 0) goto 0x3b24c317;
				0x3b290648(_t59, _t56, _t54, _t52, _t36, _t39, _t42);
				E00007FF67FF63B24ADD0(_t27);
				if ( *((intOrPtr*)(_t27 + 0x10)) == _t27) goto 0x3b24c317;
				if ( *__rcx == 0xe0434f4d) goto 0x3b24c317;
				r13d =  *((intOrPtr*)(_t43 + 0x77));
				if ( *__rcx == 0xe0434352) goto 0x3b24c31b;
				 *((intOrPtr*)(_t46 + 0x38)) = r12d;
				 *((long long*)(_t46 + 0x30)) =  *((intOrPtr*)(_t43 + 0x7f));
				 *((intOrPtr*)(_t46 + 0x28)) = r13d;
				 *((long long*)(_t46 + 0x20)) =  *((intOrPtr*)(_t43 + 0x67));
				_t19 = E00007FF67FF63B2491D0(__rcx,  *((intOrPtr*)(_t43 + 0x4f)), __r8, __r9);
				if (_t19 == 0) goto 0x3b24c31b;
				return _t19;
			}

0x7ff63b24c258
0x7ff63b24c25b
0x7ff63b24c25f
0x7ff63b24c263
0x7ff63b24c272
0x7ff63b24c276
0x7ff63b24c28c
0x7ff63b24c28e
0x7ff63b24c293
0x7ff63b24c2a0
0x7ff63b24c2a4
0x7ff63b24c2ad
0x7ff63b24c2b6
0x7ff63b24c2bf
0x7ff63b24c2c8
0x7ff63b24c2cc
0x7ff63b24c2dc
0x7ff63b24c2e4
0x7ff63b24c2e9
0x7ff63b24c2ee
0x7ff63b24c2f3
0x7ff63b24c2fa
0x7ff63b24c316

APIs

_CallSETranslator.LIBVCRUNTIME ref: 00007FF63B24C2F3

Strings

RCC, xrefs: 00007FF63B24C2C1
MOC, xrefs: 00007FF63B24C2B8

Memory Dump Source

Source File: 00000000.00000002.556808357.00007FF63B241000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF63B240000, based on PE: true

Associated: 00000000.00000002.556798378.00007FF63B240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.556881205.00007FF63B27C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.556890864.00007FF63B27F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.556890864.00007FF63B284000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.557189912.00007FF63B32C000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.557371250.00007FF63B3E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.557378386.00007FF63B3E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63b240000_1q3HnZAcnJ.jbxd

Similarity

API ID: CallTranslator
String ID: MOC$RCC
API String ID: 3163161869-2084237596
Opcode ID: 5c82c521753f307809f12f913bd9ec9ebd52f1839d106bce5f02b3f5aaff15a3
Instruction ID: cb5a25c255725eb6abe24558cfb9856a3c352446956cdbcbee76b69107d139d0
Opcode Fuzzy Hash: 5c82c521753f307809f12f913bd9ec9ebd52f1839d106bce5f02b3f5aaff15a3
Instruction Fuzzy Hash: BB515933A08A858AE720CF69D1803BD7BA0FB49B88F144625EF8D57B69DF38E445D700

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF63B24D24C Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 117
COMMON

Download Yara Rule

C-Code - Quality: 68%

			E00007FF67FF63B24D24C(void* __eflags, void* __rcx, intOrPtr _a8, intOrPtr _a16, signed int _a24, void* _a32) {
				char _v80;
				signed long long _v96;
				long long _v104;
				long long _v136;
				signed long long _v144;
				signed int _v152;
				long long _v160;
				long long _v168;
				signed long long _v176;
				signed int _v184;
				void* __rbx;
				void* _t106;
				void* _t125;
				long long _t126;
				signed long long _t130;
				signed int _t131;
				long long _t133;
				signed long long _t135;
				long long _t154;
				intOrPtr* _t155;
				void* _t156;
				void* _t159;
				signed long long _t162;

				_t125 = _t156;
				r12d = 0;
				_v184 = r12d;
				_a24 = _a24 & r12d;
				_v176 = _v176 & _t162;
				_v152 = _v152 & _t162;
				 *((intOrPtr*)(_t125 - 0x80)) = r12b;
				 *(_t125 - 0x7c) =  *(_t125 - 0x7c) & r12d;
				 *(_t125 - 0x78) =  *(_t125 - 0x78) & r12d;
				 *(_t125 - 0x74) =  *(_t125 - 0x74) & r12d;
				 *(_t125 - 0x70) =  *(_t125 - 0x70) & r12d;
				 *(_t125 - 0x6c) =  *(_t125 - 0x6c) & r12d;
				E00007FF67FF63B24ADD0(_t125);
				_t126 =  *((intOrPtr*)(_t125 + 0x28));
				_v160 = _t126;
				E00007FF67FF63B24ADD0(_t126);
				_v168 =  *((intOrPtr*)(_t126 + 0x20));
				_t154 =  *((intOrPtr*)(__rcx + 0x50));
				_a32 = _t154;
				_t133 =  *((intOrPtr*)(__rcx + 0x40));
				_v136 =  *((intOrPtr*)(__rcx + 0x30));
				_v104 =  *((intOrPtr*)(__rcx + 0x48));
				_t130 =  *((intOrPtr*)(__rcx + 0x68));
				_v96 = _t130;
				_a16 =  *((intOrPtr*)(__rcx + 0x78));
				_a8 =  *((intOrPtr*)(__rcx + 0x38));
				E00007FF67FF63B24E064( *((intOrPtr*)(__rcx + 0x38)), _t133);
				E00007FF67FF63B24ADD0(_t130);
				 *((long long*)(_t130 + 0x20)) = _t154;
				E00007FF67FF63B24ADD0(_t130);
				 *((long long*)(_t130 + 0x28)) = _t133;
				E00007FF67FF63B24ADD0(_t130);
				E00007FF67FF63B249C38(_t130,  &_v80,  *((intOrPtr*)( *((intOrPtr*)(_t130 + 0x20)) + 0x28)));
				_v144 = _t130;
				if ( *((intOrPtr*)(__rcx + 0x58)) == _t162) goto 0x3b24d34e;
				_a24 = 1;
				E00007FF67FF63B24ADD0(_t130);
				_v152 =  *((intOrPtr*)(_t130 + 0x70));
				r8d = 0x100;
				E00007FF67FF63B24E3E0(_v136,  *((intOrPtr*)(__rcx + 0x28)), _t159);
				_v176 = _t130;
				if (_t130 - 2 >= 0) goto 0x3b24d382;
				_t135 =  *((intOrPtr*)(_t156 - 0xa8 + 0x70 + _t130 * 8));
				if (_t135 == 0) goto 0x3b24d495;
				_v176 = _t135;
				E00007FF67FF63B24E410(_t135,  *((intOrPtr*)(__rcx + 0x28)));
				_v184 = 1;
				E00007FF67FF63B24ADD0(_t130);
				 *(_t130 + 0x40) =  *(_t130 + 0x40) & 0x00000000;
				E00007FF67FF63B24ADD0(_t130);
				 *((intOrPtr*)(_t130 + 0x78)) = _a16;
				_t155 = _a32;
				if (_a24 == 0) goto 0x3b24d3e9;
				E00007FF67FF63B249E68(1, _t155);
				_t131 = _v152;
				r8d =  *((intOrPtr*)(_t131 + 0x18));
				goto 0x3b24d3f6;
				r8d =  *((intOrPtr*)(_t155 + 0x18));
				 *0x3b265178();
				r12d = _v184;
				E00007FF67FF63B249C74(_t131, _v176, _v144);
				if (r12d != 0) goto 0x3b24d454;
				if ( *_t155 != 0xe06d7363) goto 0x3b24d454;
				if ( *((intOrPtr*)(_t155 + 0x18)) != 4) goto 0x3b24d454;
				if ( *((intOrPtr*)(_t155 + 0x20)) - 0x19930520 - 2 > 0) goto 0x3b24d454;
				if (E00007FF67FF63B249EDC(_t131,  *((intOrPtr*)(_t155 + 0x28))) == 0) goto 0x3b24d454;
				E00007FF67FF63B249E68(1, _t155);
				E00007FF67FF63B24ADD0(_t131);
				 *((long long*)(_t131 + 0x20)) = _v168;
				E00007FF67FF63B24ADD0(_t131);
				 *((long long*)(_t131 + 0x28)) = _v160;
				E00007FF67FF63B24ADD0(_t131);
				 *((intOrPtr*)(_t131 + 0x78)) = _a8;
				_t106 = E00007FF67FF63B24ADD0(_t131);
				 *((intOrPtr*)(_t131 + 0x78)) = 0xfffffffe;
				return _t106;
			}

0x7ff63b24d24c
0x7ff63b24d262
0x7ff63b24d265
0x7ff63b24d26a
0x7ff63b24d272
0x7ff63b24d277
0x7ff63b24d27c
0x7ff63b24d280
0x7ff63b24d284
0x7ff63b24d288
0x7ff63b24d28c
0x7ff63b24d290
0x7ff63b24d294
0x7ff63b24d299
0x7ff63b24d29d
0x7ff63b24d2a2
0x7ff63b24d2ab
0x7ff63b24d2b0
0x7ff63b24d2b4
0x7ff63b24d2bc
0x7ff63b24d2c4
0x7ff63b24d2d1
0x7ff63b24d2d6
0x7ff63b24d2da
0x7ff63b24d2e2
0x7ff63b24d2ec
0x7ff63b24d2f6
0x7ff63b24d2fb
0x7ff63b24d300
0x7ff63b24d304
0x7ff63b24d309
0x7ff63b24d30d
0x7ff63b24d322
0x7ff63b24d32a
0x7ff63b24d333
0x7ff63b24d335
0x7ff63b24d340
0x7ff63b24d349
0x7ff63b24d34e
0x7ff63b24d35c
0x7ff63b24d364
0x7ff63b24d36d
0x7ff63b24d36f
0x7ff63b24d377
0x7ff63b24d37d
0x7ff63b24d388
0x7ff63b24d399
0x7ff63b24d3a1
0x7ff63b24d3a6
0x7ff63b24d3aa
0x7ff63b24d3b6
0x7ff63b24d3b9
0x7ff63b24d3c9
0x7ff63b24d3d0
0x7ff63b24d3d5
0x7ff63b24d3de
0x7ff63b24d3e7
0x7ff63b24d3ed
0x7ff63b24d3f6
0x7ff63b24d3fc
0x7ff63b24d418
0x7ff63b24d420
0x7ff63b24d428
0x7ff63b24d42e
0x7ff63b24d43b
0x7ff63b24d448
0x7ff63b24d44f
0x7ff63b24d454
0x7ff63b24d459
0x7ff63b24d45d
0x7ff63b24d462
0x7ff63b24d466
0x7ff63b24d472
0x7ff63b24d475
0x7ff63b24d47a
0x7ff63b24d494

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF63B24D2F6
_CreateFrameInfo.LIBVCRUNTIME ref: 00007FF63B24D322

Strings

csm, xrefs: 00007FF63B24D422

Memory Dump Source

Source File: 00000000.00000002.556808357.00007FF63B241000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF63B240000, based on PE: true

Associated: 00000000.00000002.556798378.00007FF63B240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.556881205.00007FF63B27C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.556890864.00007FF63B27F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.556890864.00007FF63B284000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.557189912.00007FF63B32C000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.557371250.00007FF63B3E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.557378386.00007FF63B3E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63b240000_1q3HnZAcnJ.jbxd

Similarity

API ID: CreateFrameInfo__except_validate_context_record
String ID: csm
API String ID: 2558813199-1018135373
Opcode ID: 52bc8585fab4509a567637cd5535a07a67278d7647b033f76b768db78ecbde83
Instruction ID: 4d44566840fae13058ea6c46d45c7328fe8baee203d896d5b5286739fd9aecd9
Opcode Fuzzy Hash: 52bc8585fab4509a567637cd5535a07a67278d7647b033f76b768db78ecbde83
Instruction Fuzzy Hash: 9A514C3261874586E620EF26E64127E77A4FB8DB91F110635EBCD87B66CF38E461DB00

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF63B25C2C4 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 80
COMMON

Download Yara Rule

C-Code - Quality: 47%

			E00007FF67FF63B25C2C4() {
				intOrPtr _t35;
				void* _t36;
				void* _t37;
				void* _t41;
				void* _t47;
				void* _t49;
				void* _t50;
				void* _t51;
				void* _t52;

				_t47 = _t51;
				_t50 = _t47 - 0x5f;
				_t52 = _t51 - 0x90;
				asm("movaps [eax-0x18], xmm6");
				asm("movaps xmm6, xmm2");
				if (r9d == 1) goto 0x3b25c3fc;
				_t41 = r9d - 2;
				if (_t41 == 0) goto 0x3b25c3c9;
				if (_t41 <= 0) goto 0x3b25c43b;
				if (r9d - 5 <= 0) goto 0x3b25c3ba;
				if (r9d == 6) goto 0x3b25c38c;
				if (r9d == 7) goto 0x3b25c353;
				if (r9d != 9) goto 0x3b25c43b;
				 *(_t50 + 0x17) =  *(_t50 + 0x17) & 0x00000000;
				_t4 = _t47 + 1; // 0x3
				r9d = _t4;
				 *((intOrPtr*)(_t52 + 0x40)) = 2;
				asm("movss [esp+0x38], xmm1");
				asm("movss [esp+0x30], xmm0");
				 *(_t52 + 0x28) = 0x22;
				asm("movss [ebp+0x17], xmm6");
				 *((intOrPtr*)(_t52 + 0x20)) = 0x11;
				goto 0x3b25c42a;
				 *(_t50 + 0x1f) =  *(_t50 + 0x1f) & 0x00000000;
				r9d = 4;
				 *((intOrPtr*)(_t52 + 0x40)) = 2;
				asm("movss [esp+0x38], xmm1");
				asm("movss [esp+0x30], xmm0");
				 *(_t52 + 0x28) = 0x22;
				asm("movss [ebp+0x1f], xmm6");
				 *((intOrPtr*)(_t52 + 0x20)) = 0x12;
				goto 0x3b25c42a;
				 *(_t50 + 0x27) =  *(_t50 + 0x27) & 0x00000000;
				r9d = 1;
				 *((intOrPtr*)(_t52 + 0x40)) = 2;
				asm("movss [esp+0x38], xmm1");
				asm("movss [esp+0x30], xmm0");
				asm("movss [ebp+0x27], xmm6");
				 *(_t52 + 0x28) = 0x21;
				goto 0x3b25c422;
				asm("movss [ebp+0x7f], xmm6");
				_t35 = E00007FF67FF63B261AD0(2,  *((intOrPtr*)(_t50 + 0x7f)));
				goto 0x3b25c43e;
				 *(_t50 + 0x2f) =  *(_t50 + 0x2f) & 0x00000000;
				r9d = _t35;
				 *((intOrPtr*)(_t52 + 0x40)) = _t35;
				asm("movss [esp+0x38], xmm1");
				asm("movss [esp+0x30], xmm0");
				 *(_t52 + 0x28) = 0x22;
				asm("movss [ebp+0x2f], xmm6");
				 *((intOrPtr*)(_t52 + 0x20)) = 4;
				goto 0x3b25c42a;
				 *(_t50 + 0x37) =  *(_t50 + 0x37) & 0x00000000;
				 *((intOrPtr*)(_t52 + 0x40)) = _t35;
				asm("movss [esp+0x38], xmm1");
				asm("movss [esp+0x30], xmm0");
				 *(_t52 + 0x28) =  *(_t52 + 0x28) & 0x00000000;
				asm("movss [ebp+0x37], xmm6");
				r9d = 0;
				 *((intOrPtr*)(_t52 + 0x20)) = 8;
				_t36 = E00007FF67FF63B261980(_t37, 0x1d, r9d, 0x3b26c410, _t49,  *(_t50 + 0x37));
				asm("movaps xmm0, xmm6");
				asm("movaps xmm6, [esp+0x80]");
				return _t36;
			}

0x7ff63b25c2c4
0x7ff63b25c2c8
0x7ff63b25c2cc
0x7ff63b25c2d3
0x7ff63b25c2d7
0x7ff63b25c2e3
0x7ff63b25c2e9
0x7ff63b25c2ec
0x7ff63b25c2f2
0x7ff63b25c2fc
0x7ff63b25c306
0x7ff63b25c310
0x7ff63b25c316
0x7ff63b25c31c
0x7ff63b25c321
0x7ff63b25c321
0x7ff63b25c325
0x7ff63b25c329
0x7ff63b25c32f
0x7ff63b25c335
0x7ff63b25c33d
0x7ff63b25c346
0x7ff63b25c34e
0x7ff63b25c353
0x7ff63b25c358
0x7ff63b25c35e
0x7ff63b25c362
0x7ff63b25c368
0x7ff63b25c36e
0x7ff63b25c376
0x7ff63b25c37f
0x7ff63b25c387
0x7ff63b25c38c
0x7ff63b25c391
0x7ff63b25c397
0x7ff63b25c39b
0x7ff63b25c3a1
0x7ff63b25c3a7
0x7ff63b25c3b0
0x7ff63b25c3b8
0x7ff63b25c3ba
0x7ff63b25c3c2
0x7ff63b25c3c7
0x7ff63b25c3c9
0x7ff63b25c3ce
0x7ff63b25c3d1
0x7ff63b25c3d5
0x7ff63b25c3db
0x7ff63b25c3e1
0x7ff63b25c3e9
0x7ff63b25c3f2
0x7ff63b25c3fa
0x7ff63b25c3fc
0x7ff63b25c401
0x7ff63b25c405
0x7ff63b25c40b
0x7ff63b25c411
0x7ff63b25c416
0x7ff63b25c41b
0x7ff63b25c422
0x7ff63b25c436
0x7ff63b25c43b
0x7ff63b25c43e
0x7ff63b25c44e

APIs

_handle_errorf.LIBCMT ref: 00007FF63B25C436

Strings

powf, xrefs: 00007FF63B25C42F
", xrefs: 00007FF63B25C3E1

Memory Dump Source

Source File: 00000000.00000002.556808357.00007FF63B241000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF63B240000, based on PE: true

Associated: 00000000.00000002.556798378.00007FF63B240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.556881205.00007FF63B27C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.556890864.00007FF63B27F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.556890864.00007FF63B284000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.557189912.00007FF63B32C000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.557371250.00007FF63B3E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.557378386.00007FF63B3E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63b240000_1q3HnZAcnJ.jbxd

Similarity

API ID: _handle_errorf
String ID: "$powf
API String ID: 2315412904-603753351
Opcode ID: 4a26ca49615e7c1f4b9e5560e491e0c833ccb5087df5f6f57135340145661f68
Instruction ID: 65dd35257af1139278d2ef7496df83d4f8283f72ff6392f0d2cd4984eaa4cef3
Opcode Fuzzy Hash: 4a26ca49615e7c1f4b9e5560e491e0c833ccb5087df5f6f57135340145661f68
Instruction Fuzzy Hash: 17412573D28680DAD370CF21E0847B9B6A0F79D348F102326F78941AA8DF7DD554AB44

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF63B25C1A0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 62
COMMON

Download Yara Rule

C-Code - Quality: 60%

			E00007FF67FF63B25C1A0(void* __rax, intOrPtr _a32, intOrPtr _a40, intOrPtr _a64, intOrPtr _a80) {
				void* _v40;
				intOrPtr _v56;
				intOrPtr _v80;
				intOrPtr _v88;
				void* _t17;
				void* _t18;
				void* _t20;
				void* _t22;
				void* _t25;
				void* _t28;

				_t25 = __rax;
				asm("movaps [esp+0x60], xmm6");
				asm("movaps xmm6, xmm2");
				_t20 = r9d - 2;
				if (_t20 == 0) goto 0x3b25c278;
				if (_t20 <= 0) goto 0x3b25c2b7;
				if (r9d - 5 <= 0) goto 0x3b25c25f;
				_t22 = r9d - 6;
				if (_t22 == 0) goto 0x3b25c237;
				if (_t22 <= 0) goto 0x3b25c2b7;
				if (r9d - 8 <= 0) goto 0x3b25c20f;
				if (r9d != 9) goto 0x3b25c2b7;
				_v56 = 2;
				_t2 = _t25 + 1; // 0x3
				r9d = _t2;
				asm("movsd [esp+0x38], xmm1");
				asm("movsd [esp+0x30], xmm0");
				_v80 = 0x22;
				_v88 = 0x11;
				goto 0x3b25c29b;
				_v56 = 2;
				r9d = 4;
				asm("movsd [esp+0x38], xmm1");
				asm("movsd [esp+0x30], xmm0");
				_v80 = 0x22;
				_v88 = 0x12;
				goto 0x3b25c29b;
				_v56 = 2;
				r9d = 1;
				asm("movsd [esp+0x38], xmm1");
				asm("movsd [esp+0x30], xmm0");
				_v80 = 0x21;
				_v88 = 8;
				goto 0x3b25c29b;
				asm("movsd [esp+0x50], xmm6");
				asm("movaps xmm6, [esp+0x60]");
				goto 0x3b261ab4;
				_a64 = 2;
				r9d = 2;
				asm("movsd [esp+0x38], xmm1");
				asm("movsd [esp+0x30], xmm0");
				_a40 = 0x22;
				_a32 = 4;
				asm("movsd [esp+0x50], xmm6");
				_t17 = E00007FF67FF63B261858(_t18, 0x1d, r9d - 9, 0x3b26afdc, _t28, _a80);
				asm("movaps xmm0, xmm6");
				asm("movaps xmm6, [esp+0x60]");
				return _t17;
			}

0x7ff63b25c1a0
0x7ff63b25c1a9
0x7ff63b25c1ae
0x7ff63b25c1b1
0x7ff63b25c1b4
0x7ff63b25c1ba
0x7ff63b25c1c4
0x7ff63b25c1ca
0x7ff63b25c1ce
0x7ff63b25c1d0
0x7ff63b25c1da
0x7ff63b25c1e0
0x7ff63b25c1e6
0x7ff63b25c1ea
0x7ff63b25c1ea
0x7ff63b25c1ee
0x7ff63b25c1f4
0x7ff63b25c1fa
0x7ff63b25c202
0x7ff63b25c20a
0x7ff63b25c20f
0x7ff63b25c213
0x7ff63b25c219
0x7ff63b25c21f
0x7ff63b25c225
0x7ff63b25c22d
0x7ff63b25c235
0x7ff63b25c237
0x7ff63b25c23b
0x7ff63b25c241
0x7ff63b25c247
0x7ff63b25c24d
0x7ff63b25c255
0x7ff63b25c25d
0x7ff63b25c25f
0x7ff63b25c26a
0x7ff63b25c273
0x7ff63b25c278
0x7ff63b25c27c
0x7ff63b25c27f
0x7ff63b25c285
0x7ff63b25c28b
0x7ff63b25c293
0x7ff63b25c29b
0x7ff63b25c2b2
0x7ff63b25c2b7
0x7ff63b25c2ba
0x7ff63b25c2c3

APIs

_handle_error.LIBCMT ref: 00007FF63B25C2B2

Strings

", xrefs: 00007FF63B25C28B
pow, xrefs: 00007FF63B25C2A1

Memory Dump Source

Source File: 00000000.00000002.556808357.00007FF63B241000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF63B240000, based on PE: true

Associated: 00000000.00000002.556798378.00007FF63B240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.556881205.00007FF63B27C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.556890864.00007FF63B27F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.556890864.00007FF63B284000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.557189912.00007FF63B32C000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.557371250.00007FF63B3E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.557378386.00007FF63B3E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63b240000_1q3HnZAcnJ.jbxd

Similarity

API ID: _handle_error
String ID: "$pow
API String ID: 1757819995-713443511
Opcode ID: aef5c3396333538ce8dcb51fe7f9577093ec2d66b7d89bb7efc05b2b26168eee
Instruction ID: b3fe587f99bb829b31182cfb52d92db9f7e4ab8963bed4412fbcd02c99b4b996
Opcode Fuzzy Hash: aef5c3396333538ce8dcb51fe7f9577093ec2d66b7d89bb7efc05b2b26168eee
Instruction Fuzzy Hash: 1E315072D1CA8886D770CF54E04477AA6A0FBDA344F101326F6C986A68DFBDD085AB04

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF63B242D20 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 45
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E00007FF67FF63B242D20(long long __rax, long long __rbx, long long __rcx, void* __rdx, long long _a8, long long _a16) {
				long long _t21;
				long long _t24;

				_t21 = __rax;
				_a16 = __rbx;
				_a8 = __rcx;
				_t24 = __rcx;
				E00007FF67FF63B245CDC(0, __rcx);
				 *((long long*)(_t24 + 8)) = _t21;
				 *((char*)(_t24 + 0x10)) = 0;
				 *((long long*)(_t24 + 0x18)) = _t21;
				 *((char*)(_t24 + 0x20)) = 0;
				 *((long long*)(_t24 + 0x28)) = _t21;
				 *((short*)(_t24 + 0x30)) = 0;
				 *((long long*)(_t24 + 0x38)) = _t21;
				 *((short*)(_t24 + 0x40)) = 0;
				 *((long long*)(_t24 + 0x48)) = _t21;
				 *((char*)(_t24 + 0x50)) = 0;
				 *((long long*)(_t24 + 0x58)) = _t21;
				 *((char*)(_t24 + 0x60)) = 0;
				if (__rdx == 0) goto 0x3b242d8a;
				return E00007FF67FF63B247840(_t21, _t24, _t24, __rdx);
			}

0x7ff63b242d20
0x7ff63b242d20
0x7ff63b242d25
0x7ff63b242d32
0x7ff63b242d37
0x7ff63b242d3f
0x7ff63b242d43
0x7ff63b242d46
0x7ff63b242d4a
0x7ff63b242d4d
0x7ff63b242d51
0x7ff63b242d55
0x7ff63b242d59
0x7ff63b242d5d
0x7ff63b242d61
0x7ff63b242d64
0x7ff63b242d68
0x7ff63b242d6e
0x7ff63b242d89

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00007FF63B242D37
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00007FF63B242D76

Part of subcall function 00007FF63B247840: _Yarn.LIBCPMT ref: 00007FF63B24786E

Strings

bad locale name, xrefs: 00007FF63B242D8A

Memory Dump Source

Source File: 00000000.00000002.556808357.00007FF63B241000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF63B240000, based on PE: true

Associated: 00000000.00000002.556798378.00007FF63B240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.556881205.00007FF63B27C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.556890864.00007FF63B27F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.556890864.00007FF63B284000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.557189912.00007FF63B32C000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.557371250.00007FF63B3E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.557378386.00007FF63B3E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63b240000_1q3HnZAcnJ.jbxd

Similarity

API ID: std::_$Locinfo::_Locinfo_ctorLockitLockit::_Yarn
String ID: bad locale name
API String ID: 1838369231-1405518554
Opcode ID: e48acd1da705b3a14c898bc81e8a7abf09aae063daf96a56183738835806f788
Instruction ID: 0478490d20cab6ac477fc74878f1f38214d2c5884c04515d65aa4e76481189f6
Opcode Fuzzy Hash: e48acd1da705b3a14c898bc81e8a7abf09aae063daf96a56183738835806f788
Instruction Fuzzy Hash: 31014B2250AB8189D7459F75A98016976A5EB6CB88B285639CADCC3B2AEF38C590C344

Uniqueness

Uniqueness Score: -1.00%

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
bj.file.myqcloud.com	word.exe	Get hash	malicious	Unknown	Browse	82.156.94.48
bj.file.myqcloud.com	182cv6Y090.dll	Get hash	malicious	Unknown	Browse	120.53.180.27

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ECLIPSEGB	kTYmDw3kL2.elf	Get hash	malicious	Mirai	Browse	82.157.226.252
	armv6l-20230706-1258.elf	Get hash	malicious	Unknown	Browse	82.156.253.90
	nmUm7F53fC.elf	Get hash	malicious	Mirai	Browse	91.85.78.217
	14MBT6vPRP.elf	Get hash	malicious	Mirai	Browse	82.156.253.98
	Qq18sG6NYz.elf	Get hash	malicious	Mirai	Browse	82.156.253.92
	qy3KRnuJrA.elf	Get hash	malicious	Mirai	Browse	213.152.62.168
	7CFGxby8bj.elf	Get hash	malicious	Mirai	Browse	213.152.62.180
	76jchSM1O1.elf	Get hash	malicious	Mirai	Browse	82.152.88.106
	tiOxLaAfn6.elf	Get hash	malicious	Mirai	Browse	109.176.44.205
	2RHqfPWOO2.elf	Get hash	malicious	Mirai	Browse	91.85.31.227
	artifact.exe	Get hash	malicious	CobaltStrike, Metasploit	Browse	82.157.161.99
	beacon1.exe	Get hash	malicious	CobaltStrike, ReflectiveLoader	Browse	82.157.161.99
	Ezh12FYTa9.elf	Get hash	malicious	Mirai	Browse	82.153.67.148
	Cj1mRQdRCL.elf	Get hash	malicious	Mirai, Moobot	Browse	82.152.229.210
	M3fIwAt1k3.exe	Get hash	malicious	Wannacry	Browse	91.84.126.111
	QE4lNfYXdS.elf	Get hash	malicious	Mirai	Browse	81.168.23.3
	6qMM6o58Cm.exe	Get hash	malicious	CobaltStrike	Browse	82.157.173.159
	hewUWYL8GR.elf	Get hash	malicious	Mirai	Browse	91.84.192.2
	7sH6M8eR52.elf	Get hash	malicious	Moobot	Browse	82.153.219.124
	u4Q8kZlBvR.elf	Get hash	malicious	Mirai	Browse	82.156.253.69

Target ID:	0
Start time:	11:09:17
Start date:	11/07/2023
Path:	C:\Users\user\Desktop\1q3HnZAcnJ.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\1q3HnZAcnJ.exe
Imagebase:	0x7ff63b240000
File size:	759'296 bytes
MD5 hash:	B7B3F1DC9BF4C289CCA45E7435B0517A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Target ID:	4
Start time:	11:09:53
Start date:	11/07/2023
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -u -p 7084 -s 1012
Imagebase:	0x7ff74ed80000
File size:	494'488 bytes
MD5 hash:	2AFFE478D86272288BBEF5A00BBEF6A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 1q3HnZAcnJ.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Analysis Process: 1q3HnZAcnJ.exePID: 7084, Parent PID: 3452

General

Chronological Activities

Windows Analysis Report
1q3HnZAcnJ.exe

Function 00007FF63B24866C Relevance: 3.0, APIs: 2, Instructions: 18
COMMON

Function 00007FF63B248688 Relevance: 4.6, APIs: 3, Instructions: 98
COMMON

Function 00000191ECDF1101 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 174
COMMON

Function 00007FF63B2485A4 Relevance: 3.1, APIs: 2, Instructions: 55
COMMON

Function 00007FF63B243990 Relevance: 1.7, APIs: 1, Instructions: 174
COMMON

Function 00000191ECDF1134 Relevance: 1.6, APIs: 1, Instructions: 131
memoryCOMMON

Function 00000191ECDF11AB Relevance: 1.6, APIs: 1, Instructions: 119
memoryCOMMON

Function 00000191ECDF6F08 Relevance: 1.6, APIs: 1, Instructions: 52
memoryCOMMONLIBRARYCODE

Function 00000191EB4B7F88 Relevance: 1.6, APIs: 1, Instructions: 52
memoryCOMMONLIBRARYCODE

Function 00007FF63B25C984 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 165
COMMONCrypto

Function 00007FF63B24FCE0 Relevance: 3.2, APIs: 2, Instructions: 207
COMMONLIBRARYCODECrypto

Function 00007FF63B25E87C Relevance: 1.8, APIs: 1, Instructions: 335
COMMONCrypto

Function 00007FF63B25BA78 Relevance: 1.7, APIs: 1, Instructions: 233
COMMONLIBRARYCODECrypto

Function 00007FF63B241910 Relevance: 1.5, Strings: 1, Instructions: 295
COMMONCrypto

Function 00007FF63B25020C Relevance: .4, Instructions: 372
COMMONCrypto

Function 00007FF63B258218 Relevance: .3, Instructions: 333
COMMONCrypto

Function 00007FF63B254ECC Relevance: .3, Instructions: 309
COMMONLIBRARYCODECrypto

Function 00007FF63B25FDD0 Relevance: .3, Instructions: 272
COMMONCrypto

Function 00007FF63B241180 Relevance: .2, Instructions: 244
COMMONCrypto

Function 00007FF63B2415B0 Relevance: .2, Instructions: 201
COMMONCrypto

Function 00007FF63B25CB90 Relevance: .1, Instructions: 147
COMMONCrypto

Function 00007FF63B25AFDC Relevance: .1, Instructions: 138
COMMONCrypto

Function 00007FF63B25414C Relevance: .1, Instructions: 126
COMMONLIBRARYCODECrypto

Function 00007FF63B245550 Relevance: .1, Instructions: 110
COMMONCrypto

Function 00007FF63B25C130 Relevance: .0, Instructions: 32
COMMON

Function 00007FF63B257924 Relevance: 36.8, APIs: 10, Strings: 11, Instructions: 57
COMMONLIBRARYCODE

Function 00007FF63B24B894 Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 313
COMMONLIBRARYCODE

Function 00007FF63B244900 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 103
COMMON

Function 00007FF63B245300 Relevance: 9.1, APIs: 6, Instructions: 104
COMMON

Function 00007FF63B245EC8 Relevance: 9.1, APIs: 6, Instructions: 75
COMMON

Function 00007FF63B24BD5C Relevance: 9.1, APIs: 2, Strings: 3, Instructions: 317
COMMONLIBRARYCODE

Function 00007FF63B242E90 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 114
COMMON

Function 00007FF63B24B164 Relevance: 7.8, APIs: 5, Instructions: 290
COMMONLIBRARYCODE

Function 00007FF63B26179C Relevance: 7.6, APIs: 5, Instructions: 56
COMMONLIBRARYCODE

Function 00007FF63B24C9E4 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 145
COMMONLIBRARYCODE

Function 00007FF63B260374 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 225
COMMONLIBRARYCODE

Function 00007FF63B24C470 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 191
COMMONLIBRARYCODE