Create Interactive Tour

Windows Analysis Report
Hydra.exe

Overview

General Information

Sample Name:	Hydra.exe
Analysis ID:	690527
MD5:	8717dfead50f1bdcd3e43499c77d7d2b
SHA1:	77ce8090c74d5e4334ae9fde27adde928a2920e1
SHA256:	806e10d7939c6a4317bd65d400a6361f0dd6e3416501c608971a32e6057f14ef
Infos:

Detection

Score:	4
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Contains functionality to dynamically determine API calls

Extensive use of GetProcAddress (often used to hide API calls)

Found large amount of non-executed APIs

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Program does not show much activity (idle)

Detected potential crypto function

Found potential string decryption / allocating functions

Classification

Process Tree

System is w10x64

Hydra.exe (PID: 5928 cmdline: "C:\Users\user\Desktop\Hydra.exe" MD5: 8717DFEAD50F1BDCD3E43499C77D7D2B)

conhost.exe (PID: 5352 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cleanup

Joe Sandbox Signatures

• Compliance
• Networking
• System Summary
• Data Obfuscation
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion
• Anti Debugging
• Language, Device and Operating System Detection

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: Hydra.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source:	Binary string: D:\a\_work\1\s\artifacts\obj\win-x64.Release\corehost\cli\apphost\Release\apphost.pdb source: Hydra.exe
Source:	Binary string: D:\a\_work\1\s\artifacts\obj\win-x64.Release\corehost\cli\apphost\Release\apphost.pdbhhh source: Hydra.exe

Source: Hydra.exe	String found in binary or memory: https://aka.ms/dotnet-core-applaunch?
Source: Hydra.exe	String found in binary or memory: https://aka.ms/dotnet-core-applaunch?framework=&framework_version=missing_runtime=true&arch=&rid=

Source: Hydra.exe	Binary or memory string: OriginalFilename vs Hydra.exe
Source: Hydra.exe, 00000000.00000002.252722439.00007FF712DCB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameHydra.dll, vs Hydra.exe
Source: Hydra.exe	Binary or memory string: OriginalFilenameHydra.dll, vs Hydra.exe

Source: C:\Users\user\Desktop\Hydra.exe	Code function: 0_2_00007FF712DB3738	0_2_00007FF712DB3738
Source: C:\Users\user\Desktop\Hydra.exe	Code function: 0_2_00007FF712DA6080	0_2_00007FF712DA6080
Source: C:\Users\user\Desktop\Hydra.exe	Code function: 0_2_00007FF712DB0560	0_2_00007FF712DB0560

Source: C:\Users\user\Desktop\Hydra.exe

Code function: String function: 00007FF712DAC460 appears 57 times

Source: Hydra.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Hydra.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: classification engine

Classification label: clean4.winEXE@2/1@0/0

Source: unknown	Process created: C:\Users\user\Desktop\Hydra.exe "C:\Users\user\Desktop\Hydra.exe"
Source: C:\Users\user\Desktop\Hydra.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5352:120:WilError_01

Source: Hydra.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: Hydra.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: Hydra.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: Hydra.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: Hydra.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Hydra.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: Hydra.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: Hydra.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source: Hydra.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: D:\a\_work\1\s\artifacts\obj\win-x64.Release\corehost\cli\apphost\Release\apphost.pdb source: Hydra.exe
Source:	Binary string: D:\a\_work\1\s\artifacts\obj\win-x64.Release\corehost\cli\apphost\Release\apphost.pdbhhh source: Hydra.exe

Source: Hydra.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: Hydra.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: Hydra.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: Hydra.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: Hydra.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\Hydra.exe

Code function: 0_2_00007FF712DAEAB0 memset,LoadLibraryA,GetProcAddress,_invalid_parameter_noinfo_noreturn,

0_2_00007FF712DAEAB0

Source: C:\Users\user\Desktop\Hydra.exe

Code function: 0_2_00007FF712DB3738 EncodePointer,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_00007FF712DB3738

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\Hydra.exe

API coverage: 8.7 %

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\Hydra.exe

Code function: 0_2_00007FF712DAEAB0 memset,LoadLibraryA,GetProcAddress,_invalid_parameter_noinfo_noreturn,

0_2_00007FF712DAEAB0

Source: C:\Users\user\Desktop\Hydra.exe

Code function: 0_2_00007FF712DB4A28 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00007FF712DB4A28

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\Hydra.exe	Code function: 0_2_00007FF712DB44D0 SetUnhandledExceptionFilter,_set_new_mode,	0_2_00007FF712DB44D0
Source: C:\Users\user\Desktop\Hydra.exe	Code function: 0_2_00007FF712DB4BD0 SetUnhandledExceptionFilter,	0_2_00007FF712DB4BD0
Source: C:\Users\user\Desktop\Hydra.exe	Code function: 0_2_00007FF712DB470C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00007FF712DB470C
Source: C:\Users\user\Desktop\Hydra.exe	Code function: 0_2_00007FF712DB4A28 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00007FF712DB4A28

Source: C:\Users\user\Desktop\Hydra.exe

Code function: 0_2_00007FF712DB4C18 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00007FF712DB4C18

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	1 Native API	Path Interception	1 Process Injection	1 Process Injection	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	1 Obfuscated Files or Information	Security Account Manager	2 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Download Video

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

⊘No Antivirus matches

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

⊘No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://aka.ms/dotnet-core-applaunch?framework=&framework_version=missing_runtime=true&arch=&rid=	Hydra.exe	false		high
https://aka.ms/dotnet-core-applaunch?	Hydra.exe	false		high

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox Version:	35.0.0 Citrine
Analysis ID:	690527
Start date and time:	2022-08-25 23:40:43 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 4m 23s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	Hydra.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	20
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	CLEAN
Classification:	clean4.winEXE@2/1@0/0
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 99.8% (good quality ratio 60%) Quality average: 43.5% Quality standard deviation: 41.4%
HCA Information:	Successful, ratio: 100% Number of executed functions: 8 Number of non-executed functions: 50
Cookbook Comments:	Found application associated with file extension: .exe Adjust boot time Enable AMSI

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): client.wns.windows.com, fs.microsoft.com, eudb.ris.api.iris.microsoft.com, ctldl.windowsupdate.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
Not all processes where analyzed, report is missing behavior information

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

\Device\ConDrv

Download File

Process:	C:\Users\user\Desktop\Hydra.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	80
Entropy (8bit):	4.579426964684141
Encrypted:	false
SSDEEP:	3:V2MQrfdA+WFKBWRT5jAuWXp5vtchEDKyn:VgfCpQgRT5jAuWXpFuIKy
MD5:	F6FA287FEB5DBF1B632E5B73E39406AA
SHA1:	A5F33FDDBDBDCE7590112AAFD19F17295E216F70
SHA-256:	82011C093BA06C70FFB235FF0E8AE6B20CFCA4B5D1F16551CA5AE4C567849EC6
SHA-512:	4948A968E41ACB87E841144784875E1058DC6B7F4B86C41A9CDB52D2F68ED456EEE987B0486AEC9E8F6ABD04B2767A2ADA2896590E4DB68945CBCC10BC186066
Malicious:	false
Reputation:	low
Preview:	The application to execute does not exist: 'C:\Users\user\Desktop\Hydra.dll'...

Static File Info

General

File type:	PE32+ executable (console) x86-64, for MS Windows
Entropy (8bit):	5.776996366881932
TrID:	Win64 Executable Console (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Hydra.exe
File size:	174592
MD5:	8717dfead50f1bdcd3e43499c77d7d2b
SHA1:	77ce8090c74d5e4334ae9fde27adde928a2920e1
SHA256:	806e10d7939c6a4317bd65d400a6361f0dd6e3416501c608971a32e6057f14ef
SHA512:	8100dd5cc75535b164ba944e6373026c533c261f35e99ec1f6c7eb1d84eb840683e133422ffad2237b14d0e715442db52176e9101088562fceb83928b614d87c
SSDEEP:	3072:m6eSqsywT/IiODn5Ikt8pKO9WpheWyutIR5tc5nuxzl:mLDn5I7p8henzv
TLSH:	5904070AB3AA01F9F1B3E53888A24A46F7B678154B719BCF0390023E5E777D49D35B61
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........A... u@. u@. u@.HvA. u@.HpA. u@.HqA. u@.X.@. u@.FtA. u@. t@& u@'IpA. u@'IwA. u@Rich. u@................PE..d...m8.b.........."

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General

Entrypoint:	0x140014670
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Time Stamp:	0x62CF386D [Wed Jul 13 21:26:05 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	7d19699275e08b389d5869dc7132efbc

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
call 00007FEAC8A94B64h
dec eax
add esp, 28h
jmp 00007FEAC8A9442Fh
int3
int3
inc eax
push ebx
dec eax
sub esp, 20h
dec eax
mov ebx, ecx
dec eax
mov eax, edx
dec eax
lea ecx, dword ptr [000056E9h]
dec eax
mov dword ptr [ebx], ecx
dec eax
lea edx, dword ptr [ebx+08h]
xor ecx, ecx
dec eax
mov dword ptr [edx], ecx
dec eax
mov dword ptr [edx+08h], ecx
dec eax
lea ecx, dword ptr [eax+08h]
call 00007FEAC8A94E09h
dec eax
lea eax, dword ptr [0000D4B1h]
dec eax
mov dword ptr [ebx], eax
dec eax
mov eax, ebx
dec eax
add esp, 20h
pop ebx
ret
int3
dec eax
and dword ptr [ecx+10h], 00000000h
dec eax
lea eax, dword ptr [0000D4A8h]
dec eax
mov dword ptr [ecx+08h], eax
dec eax
lea eax, dword ptr [0000D48Dh]
dec eax
mov dword ptr [ecx], eax
dec eax
mov eax, ecx
ret
int3
int3
dec eax
sub esp, 48h
dec eax
lea ecx, dword ptr [esp+20h]
call 00007FEAC8A94597h
dec eax
lea edx, dword ptr [00012ABFh]
dec eax
lea ecx, dword ptr [esp+20h]
call 00007FEAC8A94E6Eh
int3
jmp 00007FEAC8A92630h
int3
int3
int3
inc eax
push ebx
dec eax
sub esp, 20h
dec eax
mov ebx, ecx
xor ecx, ecx
call dword ptr [00004A43h]
dec eax
mov ecx, ebx
call dword ptr [00004A42h]
call dword ptr [00004964h]
dec eax
mov ecx, eax
mov edx, C0000409h
dec eax
add esp, 20h

Rich Headers

Programming Language:

[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x2727c	0x118	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x2d000	0x524	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x2b000	0x162c	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x2e000	0x6dc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x22770	0x54	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x228d0	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x227d0	0x100	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x19000	0x468	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x17d2c	0x17e00	False	0.4948666557591623	data	6.288759783245294	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x19000	0xf224	0xf400	False	0.33340804303278687	data	4.078017280370601	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x29000	0x19e8	0xe00	False	0.17940848214285715	data	3.0333200447632396	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x2b000	0x162c	0x1800	False	0.45947265625	PEX Binary Archive	4.937559236192136	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x2d000	0x524	0x600	False	0.40234375	data	4.67478058714398	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x2e000	0x6dc	0x800	False	0.52001953125	data	5.070696183554438	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0x2d0a0	0x298	data
RT_MANIFEST	0x2d338	0x1ea	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

Imports

DLL	Import
KERNEL32.dll	FindClose, FindFirstFileExW, FindNextFileW, GetFileAttributesExW, GetFullPathNameW, GetTempPathW, GetLastError, InitializeCriticalSection, EnterCriticalSection, LeaveCriticalSection, GetEnvironmentVariableW, GetCurrentProcess, IsWow64Process, GetModuleFileNameW, GetModuleHandleExW, GetProcAddress, LoadLibraryExW, LoadLibraryA, MultiByteToWideChar, WideCharToMultiByte, FreeLibrary, RtlUnwindEx, RaiseException, OutputDebugStringW, GetModuleHandleW, GetCurrentProcessId, Sleep, RemoveDirectoryW, DeleteCriticalSection, CreateDirectoryW, RtlPcToFileHeader, InitializeSListHead, GetCurrentThreadId, QueryPerformanceCounter, IsDebuggerPresent, IsProcessorFeaturePresent, TerminateProcess, SetUnhandledExceptionFilter, UnhandledExceptionFilter, RtlVirtualUnwind, RtlLookupFunctionEntry, RtlCaptureContext, LCMapStringW, GetSystemTimeAsFileTime, TlsFree, TlsSetValue, TlsGetValue, TlsAlloc, SwitchToThread, InitializeCriticalSectionAndSpinCount, SetLastError, DecodePointer, EncodePointer, GetStringTypeW
USER32.dll	MessageBoxW
SHELL32.dll	ShellExecuteW
ADVAPI32.dll	RegOpenKeyExW, RegCloseKey, ReportEventW, RegisterEventSourceW, DeregisterEventSource, RegGetValueW
api-ms-win-crt-runtime-l1-1-0.dll	_initialize_wide_environment, _set_app_type, _invalid_parameter_noinfo_noreturn, _seh_filter_exe, _cexit, _crt_atexit, _register_onexit_function, terminate, _configure_wide_argv, exit, _exit, __p___argc, __p___wargv, _c_exit, _register_thread_local_exe_atexit_callback, abort, _get_initial_wide_environment, _errno, _initterm, _initialize_onexit_table, _initterm_e
api-ms-win-crt-heap-l1-1-0.dll	malloc, calloc, free, _callnewh, _set_new_mode
api-ms-win-crt-math-l1-1-0.dll	__setusermatherr, frexp
api-ms-win-crt-stdio-l1-1-0.dll	_wfopen, __stdio_common_vswprintf, fclose, fread, fseek, fwrite, __acrt_iob_func, _set_fmode, fputwc, fputws, __stdio_common_vfwprintf, fflush, __p__commode, __stdio_common_vsprintf_s
api-ms-win-crt-string-l1-1-0.dll	_wcsicmp, _wcsdup, _wcsnicmp, wcsncmp, strcspn, wcsnlen, memset, strcpy_s
api-ms-win-crt-locale-l1-1-0.dll	_unlock_locales, __pctype_func, ___lc_locale_name_func, ___mb_cur_max_func, setlocale, _configthreadlocale, _lock_locales, localeconv, ___lc_codepage_func
api-ms-win-crt-filesystem-l1-1-0.dll	_wremove, _wrename
api-ms-win-crt-convert-l1-1-0.dll	_wtoi, wcstoul
api-ms-win-crt-time-l1-1-0.dll	wcsftime, _gmtime64, _time64

Network Behavior

⊘No network behavior found

Statistics

CPU Usage

• Hydra.exe
• conhost.exe

Click to jump to process

Memory Usage

• Hydra.exe
• conhost.exe

Click to jump to process

Click to jump to process

System Behavior

Analysis Process: Hydra.exePID: 5928, Parent PID: 5364

Function Logs

General

Target ID:	0
Start time:	23:41:38
Start date:	25/08/2022
Path:	C:\Users\user\Desktop\Hydra.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\Hydra.exe"
Imagebase:	0x7ff712da0000
File size:	174592 bytes
MD5 hash:	8717DFEAD50F1BDCD3E43499C77D7D2B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Show Windows behavior

File Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Section Activities

Sections loaded by Windows

Show Windows behavior

Registry Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Mutex Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Process Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Thread Activities

Thread Information Set

Show Windows behavior

Memory Activities

Memory Usage Statistics

Show Windows behavior

System Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

LPC Port Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 5352, Parent PID: 5928

Function Logs

General

Target ID:	1
Start time:	23:41:39
Start date:	25/08/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff745070000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

File Activities

Volume Information Queried

Show Windows behavior

Section Activities

Sections loaded by Windows

Sections loaded by Program

Show Windows behavior

Registry Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Mutex Activities

Mutex Created

Show Windows behavior

Process Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Thread Activities

Thread Created

Thread Delayed

Thread Information Set

Show Windows behavior

Memory Activities

Memory Usage Statistics

Show Windows behavior

System Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Timing Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Windows UI Activities

Window Created

Window UI Enumerated

Message Posted to Windows UI

Window UIs Event Hook Set

Show Windows behavior

LPC Port Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Chronological Activities

Disassembly

Analysis Process: Hydra.exePID: 5928, Parent PID: 5364COMMON

Execution Graph

Execution Coverage

Dynamic/Packed Code Coverage

Signature Coverage

Execution Coverage:	5.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	5.7%
Total number of Nodes:	1157
Total number of Limit Nodes:	10

Executed Functions

Function 00007FF712DB44D0 Relevance: 1.5, APIs: 1, Instructions: 7
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 26%

			E00007FF77FF712DB44D0(void* __edx, void* __ebp, void* __esp, void* __eflags, intOrPtr* __rax, long long __rbx, long long __rsi, void* __rbp, void* __r8, void* __r9, void* __r13, long long _a8, long long _a16) {
				char _v24;
				void* __rdi;
				void* _t11;
				void* _t19;
				void* _t22;
				intOrPtr _t30;
				intOrPtr* _t53;
				void* _t68;
				void* _t79;
				void* _t81;

				_t81 = __r9;
				_t79 = __r8;
				_t53 = __rax;
				E00007FF77FF712DB4BD0(); // executed
				SetUnhandledExceptionFilter(??);
				goto 0x12db7c3d;
				asm("int3");
				asm("int3");
				asm("int3");
				_a8 = __rbx;
				_a16 = __rsi;
				if (E00007FF77FF712DB4180(1) == 0) goto 0x12db4643;
				sil = 0;
				_v24 = sil;
				_t11 = E00007FF77FF712DB4144();
				_t30 =  *0x12dca270; // 0x2
				if (_t30 == 1) goto 0x12db464e;
				if (_t30 != 0) goto 0x12db4579;
				 *0x12dca270 = 1;
				0x12db7c07(_t68); // executed
				if (_t11 == 0) goto 0x12db455a;
				goto 0x12db4633;
				0x12db7c01(); // executed
				 *0x12dca270 = 2;
				goto 0x12db4581;
				sil = 1;
				_v24 = sil;
				E00007FF77FF712DB4D10(E00007FF77FF712DB4340(_t11, 0x12db94e8));
				if ( *_t53 == 0) goto 0x12db45b4;
				if (E00007FF77FF712DB42A4(_t53) == 0) goto 0x12db45b4;
				r8d = 0;
				_t5 = _t79 + 2; // 0x2
				_t54 =  *_t53;
				E00007FF77FF712DB4D18( *0x12db9470());
				if ( *((long long*)( *_t53)) == 0) goto 0x12db45d6;
				if (E00007FF77FF712DB42A4( *_t53) == 0) goto 0x12db45d6;
				0x12db7c31();
				0x12db7c25();
				0x12db7c1f();
				0x12db7bfb();
				_t19 = E00007FF77FF712DB26C0( *( *_t53), _t5, __ebp, __esp, E00007FF77FF712DB42A4( *_t53), _t54, _t54,  *_t54,  *_t54, __rbp, _t54, _t81, __r13); // executed
				if (E00007FF77FF712DB4B7C(_t54) == 0) goto 0x12db4658;
				if (sil != 0) goto 0x12db460d;
				0x12db7bd7();
				E00007FF77FF712DB4364(1, 0);
				_t22 = _t19;
				if (E00007FF77FF712DB4B7C(_t54) == 0) goto 0x12db4660;
				if (_v24 != 0) goto 0x12db4631;
				0x12db7c2b();
				return _t22;
			}

0x7ff712db44d0
0x7ff712db44d0
0x7ff712db44d0
0x7ff712db44d4
0x7ff712db44d9
0x7ff712db44e4
0x7ff712db44e9
0x7ff712db44ea
0x7ff712db44eb
0x7ff712db44ec
0x7ff712db44f1
0x7ff712db4507
0x7ff712db450d
0x7ff712db4510
0x7ff712db4515
0x7ff712db451c
0x7ff712db4525
0x7ff712db452d
0x7ff712db452f
0x7ff712db4547
0x7ff712db454e
0x7ff712db4555
0x7ff712db4568
0x7ff712db456d
0x7ff712db4577
0x7ff712db4579
0x7ff712db457c
0x7ff712db4588
0x7ff712db4594
0x7ff712db45a0
0x7ff712db45a2
0x7ff712db45a5
0x7ff712db45ab
0x7ff712db45b4
0x7ff712db45c0
0x7ff712db45cc
0x7ff712db45d1
0x7ff712db45d6
0x7ff712db45de
0x7ff712db45e6
0x7ff712db45f3
0x7ff712db4601
0x7ff712db4606
0x7ff712db4608
0x7ff712db4611
0x7ff712db4616
0x7ff712db4623
0x7ff712db462a
0x7ff712db462c
0x7ff712db4642

APIs

SetUnhandledExceptionFilter.KERNELBASE ref: 00007FF712DB44D9

Memory Dump Source

Source File: 00000000.00000002.252556355.00007FF712DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF712DA0000, based on PE: true

Associated: 00000000.00000002.252549842.00007FF712DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252705366.00007FF712DB9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252717639.00007FF712DC9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252722439.00007FF712DCB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff712da0000_Hydra.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: db9f212f67596af25094563743b34dc8b279e37d591c7530d0127360de652d0a
Instruction ID: c21952604093509440047c085d2faab01d51d531ae61471c7638b311565a8752
Opcode Fuzzy Hash: db9f212f67596af25094563743b34dc8b279e37d591c7530d0127360de652d0a
Instruction Fuzzy Hash: 96C04811E8EC4EA2F60833A298724B890909F46321FA14035D189856828CAC26AAEA72

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF712DB1D00 Relevance: 40.7, APIs: 2, Strings: 21, Instructions: 463
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 36%

			E00007FF77FF712DB1D00(void* __ecx, void* __esp, long long __rbx, long long __rdx, void* __r8, void* __r9) {
				void* __rdi;
				void* __rsi;
				void* __rbp;
				void* __r13;
				void* __r14;
				void* _t166;
				void* _t168;
				void* _t177;
				void* _t203;
				void* _t206;
				void* _t228;
				void* _t255;
				void* _t305;
				signed long long _t306;
				intOrPtr _t308;
				short* _t309;
				short* _t313;
				long long _t317;
				long long _t320;
				signed long long _t324;
				long long _t327;
				short* _t329;
				short* _t330;
				void* _t333;
				long long _t403;
				signed long long _t413;
				signed long long _t416;
				signed long long _t444;
				long long _t445;
				void* _t448;
				long long _t454;
				long long* _t455;
				void* _t456;
				signed long long _t457;
				void* _t459;
				void* _t470;
				long long _t471;
				signed long long _t472;
				signed long long _t473;

				_t466 = __r9;
				_t459 = __r8;
				_t403 = __rdx;
				_t321 = __rbx;
				_t238 = __ecx;
				_t305 = _t456;
				_t455 = _t305 - 0x128;
				_t457 = _t456 - 0x1f0;
				 *((long long*)(_t457 + 0x40)) = 0xfffffffe;
				 *((long long*)(_t305 + 0x18)) = __rbx;
				asm("movaps [eax-0x48], xmm6");
				_t306 =  *0x12dc9568; // 0x438b11ead5c6
				 *(_t455 + 0xd0) = _t306 ^ _t457;
				_t471 = __rdx;
				 *((long long*)(_t457 + 0x38)) = __rdx;
				r13d = __ecx;
				asm("movdqa xmm0, [0x849f]");
				asm("movdqu [ebp-0x68], xmm0");
				 *((short*)(_t455 - 0x78)) = 0;
				if (E00007FF77FF712DAF9B0(_t306 ^ _t457, __rbx, _t455 - 0x78) == 0) goto 0x12db2488;
				if (E00007FF77FF712DB0560(_t238, 0, 0, __esp, _t321, _t455 - 0x78, _t444, _t448, __r9, _t470) == 0) goto 0x12db2488;
				 *(_t457 + 0x58) = _t444;
				 *((long long*)(_t457 + 0x60)) = 7;
				 *((short*)(_t457 + 0x48)) = 0;
				asm("movdqa xmm0, [0x8455]");
				asm("movdqu [ebp+0xc0], xmm0");
				 *((short*)(_t455 + 0xb0)) = 0;
				asm("movdqu [ebp-0x28], xmm0");
				 *((short*)(_t455 - 0x38)) = 0;
				if (E00007FF77FF712DB24F0(_t238, 0, _t321, _t455 - 0x38, _t444, _t448, _t455, __r9, _t471) != 0) goto 0x12db1dd6;
				E00007FF77FF712DAC460(_t306 ^ _t457, L"A fatal error was encountered. This executable was not bound to load a managed DLL.", _t403, _t459, __r9);
				goto 0x12db2465;
				_t15 = _t403 + 0x2d; // 0x5c
				r8d = _t15;
				_t166 = E00007FF77FF712DADBE0(0x2f, _t306 ^ _t457, _t455 - 0x38);
				_t341 =  >=  ?  *((void*)(_t455 - 0x38)) : _t455 - 0x38;
				_t308 =  *((intOrPtr*)(_t455 - 0x28));
				if (_t308 == 0) goto 0x12db1e12;
				_t255 =  *((short*)( >=  ?  *((void*)(_t455 - 0x38)) : _t455 - 0x38)) - 0x5c;
				if (_t255 == 0) goto 0x12db1e6f;
				_t309 = _t308 - 1;
				if (_t255 != 0) goto 0x12db1e02;
				E00007FF77FF712DAA5C0(_t166);
				if (_t309 == 0) goto 0x12db206a;
				asm("xorps xmm0, xmm0");
				asm("movdqa [ebp+0x30], xmm0");
				 *(_t455 + 0x40) = _t444;
				 *(_t455 + 0x58) = _t444;
				 *(_t455 + 0x60) = _t444;
				_t472 =  *((intOrPtr*)(_t455 - 0x68));
				_t478 =  >=  ?  *((void*)(_t455 - 0x78)) : _t455 - 0x78;
				if (_t472 - 8 >= 0) goto 0x12db1e7c;
				asm("inc ecx");
				asm("movups [ebp+0x48], xmm0");
				 *(_t455 + 0x60) = 7;
				goto 0x12db1eb2;
				if (0xffffffff == 0) goto 0x12db1e12;
				goto 0x12db1e19;
				_t324 =  >  ? 0xfffffffe : _t472 | 0x00000007;
				_t168 = E00007FF77FF712DA53B0(_t324 + 1);
				 *((long long*)(_t455 + 0x48)) = _t309;
				_t405 =  >=  ?  *((void*)(_t455 - 0x78)) : _t455 - 0x78;
				E00007FF77FF712DB5690(_t168, _t309,  >=  ?  *((void*)(_t455 - 0x78)) : _t455 - 0x78, 2 + _t472 * 2);
				 *(_t455 + 0x60) = _t324;
				 *(_t455 + 0x58) = _t472;
				 *(_t455 + 0x78) = _t444;
				 *((long long*)(_t455 + 0x80)) = 7;
				 *((short*)(_t455 + 0x68)) = 0;
				 *(_t455 + 0x98) = _t444;
				 *((long long*)(_t455 + 0xa0)) = 7;
				 *((short*)(_t455 + 0x88)) = 0;
				if (E00007FF77FF712DA9900(_t238, _t309, _t324, _t455 + 0x30, 0xffffffff - ( >=  ?  *((void*)(_t455 - 0x38)) : _t455 - 0x38) >> 1, _t455, 2 + _t472 * 2, _t466) == 0) goto 0x12db1f4d;
				E00007FF77FF712DAC460(_t309, L"A fatal error was encountered. Could not extract contents of the bundle",  >=  ?  *((void*)(_t455 - 0x78)) : _t455 - 0x78, 2 + _t472 * 2, _t466);
				E00007FF77FF712DA5300(_t455 + 0x88);
				E00007FF77FF712DA5300(_t455 + 0x68);
				E00007FF77FF712DB1BE0(E00007FF77FF712DA5300(_t455 + 0x48), _t324, _t455 + 0x40);
				_t445 =  *((intOrPtr*)(_t455 + 0x38));
				if (_t445 == 0) goto 0x12db2465;
				E00007FF77FF712DA5300(_t445 + 0x10);
				0x12db3f50();
				goto 0x12db2465;
				_t473 =  *(_t455 + 0x78);
				_t480 =  >=  ?  *((void*)(_t455 + 0x68)) : _t455 + 0x68;
				if (_t473 - 8 >= 0) goto 0x12db1f76;
				asm("inc ecx");
				 *_t455 = 7;
				goto 0x12db1fb0;
				_t327 =  >  ? 0xfffffffe : _t473 | 0x00000007;
				_t177 = E00007FF77FF712DA53B0(_t327 + 1);
				 *((long long*)(_t455 - 0x18)) = _t309;
				_t407 =  >=  ?  *((void*)(_t455 + 0x68)) : _t455 + 0x68;
				E00007FF77FF712DB5690(_t177, _t309,  >=  ?  *((void*)(_t455 + 0x68)) : _t455 + 0x68, 2 + _t473 * 2);
				 *_t455 = _t327;
				asm("movups xmm6, [ebp-0x18]");
				 *(_t455 - 8) = _t473;
				_t59 = _t457 + 0x48; // 0x8000000000000046
				E00007FF77FF712DA5300(_t59);
				asm("movups [esp+0x48], xmm6");
				asm("movups xmm0, [ebp-0x8]");
				asm("movups [esp+0x58], xmm0");
				E00007FF77FF712DA5300(_t455 + 0x88);
				E00007FF77FF712DA5300(_t455 + 0x68);
				E00007FF77FF712DB1BE0(E00007FF77FF712DA5300(_t455 + 0x48), _t327, _t455 + 0x40);
				_t328 =  *((intOrPtr*)(_t455 + 0x38));
				if ( *((intOrPtr*)(_t455 + 0x38)) == 0) goto 0x12db2012;
				E00007FF77FF712DA5300( *((intOrPtr*)(_t455 + 0x38)) + 0x10);
				0x12db3f50();
				_t409 =  >=  ?  *((void*)(_t455 - 0x38)) : _t455 - 0x38;
				E00007FF77FF712DACD10( *((intOrPtr*)(_t455 + 0x38)), _t457 + 0x48,  >=  ?  *((void*)(_t455 - 0x38)) : _t455 - 0x38, _t470);
				if (E00007FF77FF712DB0560(_t238, 0, 0, __esp,  *((intOrPtr*)(_t455 + 0x38)), _t457 + 0x48, _t445, 0xffffffff - ( >=  ?  *((void*)(_t455 - 0x38)) : _t455 - 0x38) >> 1, _t466, _t470) != 0) goto 0x12db20f7;
				_t411 =  >=  ?  *((void*)(_t457 + 0x48)) : _t457 + 0x48;
				E00007FF77FF712DAC460(_t309, L"The application to execute does not exist: \'%s\'.",  >=  ?  *((void*)(_t457 + 0x48)) : _t457 + 0x48, 2 + _t473 * 2, _t466); // executed
				goto 0x12db2465;
				E00007FF77FF712DACF10(_t328, _t455 + 8, _t455 - 0x78);
				_t329 = _t309;
				if (_t457 + 0x48 == _t329) goto 0x12db20ae;
				E00007FF77FF712DA5300(_t457 + 0x48);
				asm("movups xmm0, [ebx]");
				asm("movups [esp+0x48], xmm0");
				asm("movups xmm1, [ebx+0x10]");
				asm("movups [esp+0x58], xmm1");
				 *((long long*)(_t329 + 0x10)) = _t445;
				 *((long long*)(_t329 + 0x18)) = 7;
				 *_t329 = 0;
				_t413 =  *((intOrPtr*)(_t455 + 0x20));
				if (_t413 - 8 < 0) goto 0x12db2017;
				if (2 + _t413 * 2 - 0x1000 < 0) goto 0x12db20ed;
				_t313 =  *((intOrPtr*)(_t455 + 8)) -  *((intOrPtr*)( *((intOrPtr*)(_t455 + 8)) - 8)) + 0xfffffff8;
				if (_t313 - 0x1f > 0) goto 0x12db24ea;
				0x12db3f50();
				goto 0x12db2017;
				E00007FF77FF712DACF10(_t329, _t455 + 8, 2 + _t413 * 2 + 0x27);
				_t330 = _t313;
				if (_t455 + 0xb0 == _t330) goto 0x12db213f;
				E00007FF77FF712DA5300(_t455 + 0xb0);
				asm("movups xmm0, [ebx]");
				asm("movups [ebp+0xb0], xmm0");
				asm("movups xmm1, [ebx+0x10]");
				asm("movups [ebp+0xc0], xmm1");
				 *((long long*)(_t330 + 0x10)) = _t445;
				 *((long long*)(_t330 + 0x18)) = 7;
				 *_t330 = 0;
				_t416 =  *((intOrPtr*)(_t455 + 0x20));
				if (_t416 - 8 < 0) goto 0x12db217f;
				if (2 + _t416 * 2 - 0x1000 < 0) goto 0x12db217a;
				_t317 =  *((intOrPtr*)(_t455 + 8)) -  *((intOrPtr*)( *((intOrPtr*)(_t455 + 8)) - 8)) + 0xfffffff8;
				if (_t317 - 0x1f > 0) goto 0x12db24e4;
				0x12db3f50();
				 *((long long*)(_t455 - 0x48)) = _t445;
				 *((long long*)(_t455 - 0x40)) = 7;
				 *((short*)(_t455 - 0x58)) = 0;
				asm("movdqa xmm0, [0x8059]");
				asm("movdqu [esp+0x78], xmm0");
				 *((short*)(_t457 + 0x68)) = 0;
				if (E00007FF77FF712DB14D0(_t238, 0, _t330, _t455 + 0xb0, _t455 - 0x58, _t457 + 0x68, _t466) != 0) goto 0x12db21c5;
				goto 0x12db2450;
				if (E00007FF77FF712DAFD60(_t238, _t330, _t457 + 0x68, _t457 + 0x30, 0xffffffff - ( >=  ?  *((void*)(_t455 - 0x38)) : _t455 - 0x38) >> 1, _t466) != 0) goto 0x12db2224;
				_t464 =  >=  ?  *((void*)(_t457 + 0x68)) : _t457 + 0x68;
				E00007FF77FF712DAC460(_t317, L"The library %s was found, but loading it from %s failed", L"hostfxr.dll",  >=  ?  *((void*)(_t457 + 0x68)) : _t457 + 0x68, _t466);
				E00007FF77FF712DAC460(_t317, L"  - Installing .NET Core prerequisites might help resolve this problem.", L"hostfxr.dll",  >=  ?  *((void*)(_t457 + 0x68)) : _t457 + 0x68, _t466);
				E00007FF77FF712DAC460(_t317, L"     %s", L"https://go.microsoft.com/fwlink/?linkid=798306",  >=  ?  *((void*)(_t457 + 0x68)) : _t457 + 0x68, _t466);
				goto 0x12db2450;
				E00007FF77FF712DAF9C0(_t317, _t330, "hostfxr_main_startupinfo");
				if (_t317 == 0) goto 0x12db23ce;
				_t476 =  >=  ?  *((void*)(_t455 - 0x78)) : _t455 - 0x78;
				if ( *((long long*)(_t455 - 0x48)) != 0) goto 0x12db225b;
				goto 0x12db2269;
				_t333 =  >=  ?  *((void*)(_t455 - 0x58)) : _t455 - 0x58;
				if ( *(_t457 + 0x58) == 0) goto 0x12db2282;
				_t447 =  >=  ?  *((void*)(_t457 + 0x48)) : _t457 + 0x48;
				_t425 =  >=  ?  *((void*)(_t457 + 0x68)) : _t457 + 0x68;
				E00007FF77FF712DAC6B0(_t317, L"Invoking fx resolver [%s] v2",  >=  ?  *((void*)(_t457 + 0x68)) : _t457 + 0x68,  >=  ?  *((void*)(_t457 + 0x68)) : _t457 + 0x68, _t466);
				_t427 =  >=  ?  *((void*)(_t455 - 0x78)) : _t455 - 0x78;
				E00007FF77FF712DAC6B0(_t317, L"Host path: [%s]",  >=  ?  *((void*)(_t455 - 0x78)) : _t455 - 0x78,  >=  ?  *((void*)(_t457 + 0x68)) : _t457 + 0x68, _t466);
				_t429 =  >=  ?  *((void*)(_t455 - 0x58)) : _t455 - 0x58;
				E00007FF77FF712DAC6B0(_t317, L"Dotnet path: [%s]",  >=  ?  *((void*)(_t455 - 0x58)) : _t455 - 0x58, _t464, _t466);
				_t431 =  >=  ?  *((void*)(_t457 + 0x48)) : _t457 + 0x48;
				E00007FF77FF712DAC6B0(_t317, L"App path: [%s]",  >=  ?  *((void*)(_t457 + 0x48)) : _t457 + 0x48, _t464, _t466);
				E00007FF77FF712DAF9C0(_t317, _t333, "hostfxr_set_error_writer");
				_t454 = _t317;
				_t203 = E00007FF77FF712DAC630(_t317);
				 *((long long*)(_t455 - 0x18)) = _t454;
				r15b = 0;
				 *((intOrPtr*)(_t455 - 0x10)) = r15b;
				E00007FF77FF712DAC690(_t203,  *((intOrPtr*)(_t457 + 0x30)), "hostfxr_set_error_writer");
				if (_t317 == 0) goto 0x12db2335;
				if (_t454 == 0) goto 0x12db2335;
				 *0x12db9470();
				r15b = 1;
				 *((intOrPtr*)(_t455 - 0x10)) = r15b;
				 *((long long*)(_t457 + 0x20)) =  >=  ?  *((void*)(_t457 + 0x48)) : _t457 + 0x48;
				_t467 = _t333;
				_t465 =  >=  ?  *((void*)(_t455 - 0x78)) : _t455 - 0x78;
				_t206 =  *0x12db9470();
				E00007FF77FF712DAC690(_t206, _t317,  *((intOrPtr*)(_t457 + 0x38)));
				if (_t317 == 0) goto 0x12db23b6;
				if (_t206 != 0x80008096) goto 0x12db23b6;
				if (_t454 != 0) goto 0x12db23b6;
				r8d = 0;
				E00007FF77FF712DAD290(_t455 + 8,  *((intOrPtr*)(_t457 + 0x38)),  >=  ?  *((void*)(_t455 - 0x78)) : _t455 - 0x78, _t470);
				E00007FF77FF712DAC460(_t317, L"  _ To run this application, you need to install a newer version of .NET Core.",  *((intOrPtr*)(_t457 + 0x38)),  >=  ?  *((void*)(_t455 - 0x78)) : _t455 - 0x78, _t333);
				E00007FF77FF712DAC460(_t317, 0x12db9f90,  *((intOrPtr*)(_t457 + 0x38)),  >=  ?  *((void*)(_t455 - 0x78)) : _t455 - 0x78, _t333);
				_t435 =  >=  ?  *((void*)(_t455 + 8)) : _t455 + 8;
				E00007FF77FF712DAC460(_t317, L"  - %s",  >=  ?  *((void*)(_t455 + 8)) : _t455 + 8,  >=  ?  *((void*)(_t455 - 0x78)) : _t455 - 0x78, _t333);
				E00007FF77FF712DA5300(_t455 + 8);
				if (r15b == 0) goto 0x12db23cc;
				if (_t454 == 0) goto 0x12db23cc;
				_t320 = _t454;
				 *0x12db9470();
				goto 0x12db2445;
				if (_t454 == 0xffffffff) goto 0x12db23e2;
				goto 0x12db2430;
				_t437 =  >=  ?  *((void*)(_t457 + 0x68)) : _t457 + 0x68;
				E00007FF77FF712DAC6B0(_t320, L"Invoking fx resolver [%s] v1",  >=  ?  *((void*)(_t457 + 0x68)) : _t457 + 0x68,  >=  ?  *((void*)(_t455 - 0x78)) : _t455 - 0x78, _t333);
				E00007FF77FF712DAC630(_t320);
				E00007FF77FF712DAF9C0(_t320, _t333, "hostfxr_main");
				if (_t320 == 0) goto 0x12db2424;
				 *0x12db9470();
				goto 0x12db2445;
				_t441 =  >=  ?  *((void*)(_t457 + 0x68)) : _t457 + 0x68;
				E00007FF77FF712DA4F70(E00007FF77FF712DAC460(_t320, L"The required library %s does not contain the expected entry point.",  >=  ?  *((void*)(_t457 + 0x68)) : _t457 + 0x68, _t465, _t333));
				E00007FF77FF712DA5300(_t457 + 0x68);
				E00007FF77FF712DA5300(_t455 - 0x58);
				E00007FF77FF712DA5300(_t455 - 0x38);
				E00007FF77FF712DA5300(_t455 + 0xb0);
				E00007FF77FF712DA5300(_t457 + 0x48);
				goto 0x12db24a7;
				_t443 =  >=  ?  *((void*)(_t455 - 0x78)) : _t455 - 0x78;
				E00007FF77FF712DAC460(_t320, L"Failed to resolve full path of the current executable [%s]",  >=  ?  *((void*)(_t455 - 0x78)) : _t455 - 0x78, _t465, _t467);
				E00007FF77FF712DA5300(_t455 - 0x78);
				_t228 = E00007FF77FF712DB4070(0x80008085, r13d, 0,  *(_t455 + 0xd0) ^ _t457);
				asm("movaps xmm6, [esp+0x1e0]");
				return _t228;
			}

0x7ff712db1d00
0x7ff712db1d00
0x7ff712db1d00
0x7ff712db1d00
0x7ff712db1d00
0x7ff712db1d00
0x7ff712db1d0e
0x7ff712db1d15
0x7ff712db1d1c
0x7ff712db1d25
0x7ff712db1d29
0x7ff712db1d2d
0x7ff712db1d37
0x7ff712db1d3e
0x7ff712db1d41
0x7ff712db1d46
0x7ff712db1d49
0x7ff712db1d51
0x7ff712db1d58
0x7ff712db1d67
0x7ff712db1d7a
0x7ff712db1d80
0x7ff712db1d85
0x7ff712db1d8e
0x7ff712db1d93
0x7ff712db1d9b
0x7ff712db1da3
0x7ff712db1daa
0x7ff712db1daf
0x7ff712db1dbe
0x7ff712db1dc7
0x7ff712db1dd1
0x7ff712db1ddb
0x7ff712db1ddb
0x7ff712db1de3
0x7ff712db1df1
0x7ff712db1df6
0x7ff712db1dfd
0x7ff712db1e02
0x7ff712db1e06
0x7ff712db1e0c
0x7ff712db1e10
0x7ff712db1e19
0x7ff712db1e21
0x7ff712db1e27
0x7ff712db1e2a
0x7ff712db1e2f
0x7ff712db1e33
0x7ff712db1e37
0x7ff712db1e3b
0x7ff712db1e48
0x7ff712db1e5b
0x7ff712db1e5d
0x7ff712db1e61
0x7ff712db1e65
0x7ff712db1e6d
0x7ff712db1e72
0x7ff712db1e7a
0x7ff712db1e86
0x7ff712db1e92
0x7ff712db1e97
0x7ff712db1ea3
0x7ff712db1ea9
0x7ff712db1eae
0x7ff712db1eb2
0x7ff712db1eb6
0x7ff712db1eba
0x7ff712db1ec5
0x7ff712db1ec9
0x7ff712db1ed0
0x7ff712db1edb
0x7ff712db1eef
0x7ff712db1ef8
0x7ff712db1f05
0x7ff712db1f0e
0x7ff712db1f20
0x7ff712db1f25
0x7ff712db1f2c
0x7ff712db1f36
0x7ff712db1f43
0x7ff712db1f48
0x7ff712db1f4d
0x7ff712db1f5d
0x7ff712db1f66
0x7ff712db1f68
0x7ff712db1f6c
0x7ff712db1f74
0x7ff712db1f80
0x7ff712db1f8c
0x7ff712db1f91
0x7ff712db1f9d
0x7ff712db1fa3
0x7ff712db1fa8
0x7ff712db1fac
0x7ff712db1fb0
0x7ff712db1fb4
0x7ff712db1fb9
0x7ff712db1fbe
0x7ff712db1fc3
0x7ff712db1fc7
0x7ff712db1fd3
0x7ff712db1fdc
0x7ff712db1fee
0x7ff712db1ff3
0x7ff712db1ffa
0x7ff712db2000
0x7ff712db200d
0x7ff712db2020
0x7ff712db202a
0x7ff712db2042
0x7ff712db204e
0x7ff712db205b
0x7ff712db2065
0x7ff712db2072
0x7ff712db2077
0x7ff712db2082
0x7ff712db2089
0x7ff712db208e
0x7ff712db2091
0x7ff712db2096
0x7ff712db209a
0x7ff712db209f
0x7ff712db20a3
0x7ff712db20ab
0x7ff712db20ae
0x7ff712db20b6
0x7ff712db20d2
0x7ff712db20df
0x7ff712db20e7
0x7ff712db20ed
0x7ff712db20f2
0x7ff712db20fb
0x7ff712db2100
0x7ff712db210d
0x7ff712db2116
0x7ff712db211b
0x7ff712db211e
0x7ff712db2125
0x7ff712db2129
0x7ff712db2130
0x7ff712db2134
0x7ff712db213c
0x7ff712db213f
0x7ff712db2147
0x7ff712db215f
0x7ff712db216c
0x7ff712db2174
0x7ff712db217a
0x7ff712db217f
0x7ff712db2183
0x7ff712db218b
0x7ff712db218f
0x7ff712db2197
0x7ff712db219d
0x7ff712db21b9
0x7ff712db21c0
0x7ff712db21d6
0x7ff712db21e2
0x7ff712db21f6
0x7ff712db2202
0x7ff712db2215
0x7ff712db221f
0x7ff712db2230
0x7ff712db223b
0x7ff712db224a
0x7ff712db2254
0x7ff712db2259
0x7ff712db2264
0x7ff712db226f
0x7ff712db227c
0x7ff712db228c
0x7ff712db2299
0x7ff712db22a7
0x7ff712db22b3
0x7ff712db22c1
0x7ff712db22cd
0x7ff712db22dd
0x7ff712db22ea
0x7ff712db22fb
0x7ff712db2300
0x7ff712db2303
0x7ff712db2308
0x7ff712db230c
0x7ff712db230f
0x7ff712db2313
0x7ff712db231b
0x7ff712db2320
0x7ff712db2328
0x7ff712db232e
0x7ff712db2331
0x7ff712db2335
0x7ff712db233a
0x7ff712db233d
0x7ff712db234b
0x7ff712db2353
0x7ff712db235b
0x7ff712db2363
0x7ff712db2368
0x7ff712db236a
0x7ff712db2373
0x7ff712db2380
0x7ff712db238c
0x7ff712db239a
0x7ff712db23a6
0x7ff712db23b0
0x7ff712db23b9
0x7ff712db23be
0x7ff712db23c2
0x7ff712db23c5
0x7ff712db23cc
0x7ff712db23d7
0x7ff712db23e0
0x7ff712db23e7
0x7ff712db23f4
0x7ff712db23f9
0x7ff712db240a
0x7ff712db2412
0x7ff712db241a
0x7ff712db2422
0x7ff712db2435
0x7ff712db244a
0x7ff712db2455
0x7ff712db245f
0x7ff712db2469
0x7ff712db2476
0x7ff712db2481
0x7ff712db2486
0x7ff712db2491
0x7ff712db249d
0x7ff712db24ab
0x7ff712db24bc
0x7ff712db24c9
0x7ff712db24e3

APIs

Part of subcall function 00007FF712DB0560: GetFileAttributesExW.KERNEL32 ref: 00007FF712DB064E

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF712DB24E4
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF712DB24EA

Part of subcall function 00007FF712DAC460: EnterCriticalSection.KERNEL32 ref: 00007FF712DAC498
Part of subcall function 00007FF712DAC460: __stdio_common_vswprintf.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF712DAC4CE
Part of subcall function 00007FF712DAC460: __stdio_common_vswprintf.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF712DAC519
Part of subcall function 00007FF712DAC460: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF712DAC544
Part of subcall function 00007FF712DAC460: fputws.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF712DAC54F
Part of subcall function 00007FF712DAC460: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF712DAC557
Part of subcall function 00007FF712DAC460: fputwc.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF712DAC562
Part of subcall function 00007FF712DAC460: OutputDebugStringW.KERNEL32 ref: 00007FF712DAC575
Part of subcall function 00007FF712DAC460: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF712DAC589
Part of subcall function 00007FF712DAC460: __stdio_common_vfwprintf.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF712DAC5B6
Part of subcall function 00007FF712DAC460: fputwc.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF712DAC5C3

Strings

- %s, xrefs: 00007FF712DB239F
hostfxr_main, xrefs: 00007FF712DB23FE
The application to execute does not exist: '%s'., xrefs: 00007FF712DB2054
The library %s was found, but loading it from %s failed, xrefs: 00007FF712DB21EF
The required library %s does not support relative app dll paths., xrefs: 00007FF712DB23D9
_ To run this application, you need to install a newer version of .NET Core., xrefs: 00007FF712DB2379
hostfxr.dll, xrefs: 00007FF712DB21E8
Host path: [%s], xrefs: 00007FF712DB22AC
A fatal error was encountered. This executable was not bound to load a managed DLL., xrefs: 00007FF712DB1DC0
The required library %s does not contain the expected entry point., xrefs: 00007FF712DB2429
hostfxr_main_startupinfo, xrefs: 00007FF712DB2224
Invoking fx resolver [%s] v1, xrefs: 00007FF712DB23ED
hostfxr_set_error_writer, xrefs: 00007FF712DB22EF
%s, xrefs: 00007FF712DB220E
Invoking fx resolver [%s] v2, xrefs: 00007FF712DB2292
App path: [%s], xrefs: 00007FF712DB22E3
- Installing .NET Core prerequisites might help resolve this problem., xrefs: 00007FF712DB21FB
A fatal error was encountered. Could not extract contents of the bundle, xrefs: 00007FF712DB1EF1
https://go.microsoft.com/fwlink/?linkid=798306, xrefs: 00007FF712DB2207
Failed to resolve full path of the current executable [%s], xrefs: 00007FF712DB2496
Dotnet path: [%s], xrefs: 00007FF712DB22C6

Memory Dump Source

Source File: 00000000.00000002.252556355.00007FF712DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF712DA0000, based on PE: true

Associated: 00000000.00000002.252549842.00007FF712DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252705366.00007FF712DB9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252717639.00007FF712DC9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252722439.00007FF712DCB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff712da0000_Hydra.jbxd

Similarity

API ID: __acrt_iob_func$__stdio_common_vswprintf_invalid_parameter_noinfo_noreturnfputwc$AttributesCriticalDebugEnterFileOutputSectionString__stdio_common_vfwprintffputws
String ID: %s$ - %s$ - Installing .NET Core prerequisites might help resolve this problem.$ _ To run this application, you need to install a newer version of .NET Core.$A fatal error was encountered. Could not extract contents of the bundle$A fatal error was encountered. This executable was not bound to load a managed DLL.$App path: [%s]$Dotnet path: [%s]$Failed to resolve full path of the current executable [%s]$Host path: [%s]$Invoking fx resolver [%s] v1$Invoking fx resolver [%s] v2$The application to execute does not exist: '%s'.$The library %s was found, but loading it from %s failed$The required library %s does not contain the expected entry point.$The required library %s does not support relative app dll paths.$hostfxr.dll$hostfxr_main$hostfxr_main_startupinfo$hostfxr_set_error_writer$https://go.microsoft.com/fwlink/?linkid=798306
API String ID: 230286161-3785391667
Opcode ID: 41f4f511ad1e9563ab41fa3edc10d546ac6be34c543722e998adf76018c73a9c
Instruction ID: efd6b97a1d49ac9ebf3802404f1cf6095c85fb98964738fa89ca256cc605784c
Opcode Fuzzy Hash: 41f4f511ad1e9563ab41fa3edc10d546ac6be34c543722e998adf76018c73a9c
Instruction Fuzzy Hash: 29229622A18E4A94EB00EF24D4542EDA760FF55768FD05131DACD46AA9DFBCE68DC330

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF712DB44EC Relevance: 22.6, APIs: 15, Instructions: 102
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 33%

			E00007FF77FF712DB44EC(void* __edx, void* __ebp, void* __esp, void* __eflags, intOrPtr* __rax, long long __rbx, long long __rsi, void* __rbp, void* __r8, void* __r9, void* __r13, long long _a8, long long _a16) {
				char _v24;
				void* __rdi;
				void* _t10;
				void* _t18;
				void* _t21;
				intOrPtr _t28;
				intOrPtr* _t51;
				void* _t73;
				void* _t75;

				_t75 = __r9;
				_t73 = __r8;
				_t51 = __rax;
				_a8 = __rbx;
				_a16 = __rsi;
				if (E00007FF77FF712DB4180(1) == 0) goto 0x12db4643;
				sil = 0;
				_v24 = sil;
				_t10 = E00007FF77FF712DB4144();
				_t28 =  *0x12dca270; // 0x2
				if (_t28 == 1) goto 0x12db464e;
				if (_t28 != 0) goto 0x12db4579;
				 *0x12dca270 = 1;
				0x12db7c07(); // executed
				if (_t10 == 0) goto 0x12db455a;
				goto 0x12db4633;
				0x12db7c01(); // executed
				 *0x12dca270 = 2;
				goto 0x12db4581;
				sil = 1;
				_v24 = sil;
				E00007FF77FF712DB4D10(E00007FF77FF712DB4340(_t10, 0x12db94e8));
				if ( *_t51 == 0) goto 0x12db45b4;
				if (E00007FF77FF712DB42A4(_t51) == 0) goto 0x12db45b4;
				r8d = 0;
				_t5 = _t73 + 2; // 0x2
				_t52 =  *_t51;
				E00007FF77FF712DB4D18( *0x12db9470());
				if ( *((long long*)( *_t51)) == 0) goto 0x12db45d6;
				if (E00007FF77FF712DB42A4(_t52) == 0) goto 0x12db45d6;
				0x12db7c31();
				0x12db7c25();
				0x12db7c1f();
				0x12db7bfb();
				_t18 = E00007FF77FF712DB26C0( *_t52, _t5, __ebp, __esp, E00007FF77FF712DB42A4(_t52), _t52, _t52,  *_t52,  *_t52, __rbp, _t52, _t75, __r13); // executed
				if (E00007FF77FF712DB4B7C(_t52) == 0) goto 0x12db4658;
				if (sil != 0) goto 0x12db460d;
				0x12db7bd7();
				E00007FF77FF712DB4364(1, 0);
				_t21 = _t18;
				if (E00007FF77FF712DB4B7C(_t52) == 0) goto 0x12db4660;
				if (_v24 != 0) goto 0x12db4631;
				0x12db7c2b();
				return _t21;
			}

0x7ff712db44ec
0x7ff712db44ec
0x7ff712db44ec
0x7ff712db44ec
0x7ff712db44f1
0x7ff712db4507
0x7ff712db450d
0x7ff712db4510
0x7ff712db4515
0x7ff712db451c
0x7ff712db4525
0x7ff712db452d
0x7ff712db452f
0x7ff712db4547
0x7ff712db454e
0x7ff712db4555
0x7ff712db4568
0x7ff712db456d
0x7ff712db4577
0x7ff712db4579
0x7ff712db457c
0x7ff712db4588
0x7ff712db4594
0x7ff712db45a0
0x7ff712db45a2
0x7ff712db45a5
0x7ff712db45ab
0x7ff712db45b4
0x7ff712db45c0
0x7ff712db45cc
0x7ff712db45d1
0x7ff712db45d6
0x7ff712db45de
0x7ff712db45e6
0x7ff712db45f3
0x7ff712db4601
0x7ff712db4606
0x7ff712db4608
0x7ff712db4611
0x7ff712db4616
0x7ff712db4623
0x7ff712db462a
0x7ff712db462c
0x7ff712db4642

APIs

__scrt_initialize_crt.LIBCMT ref: 00007FF712DB4500

Part of subcall function 00007FF712DB4180: __vcrt_initialize.LIBVCRUNTIME ref: 00007FF712DB41A2

__scrt_acquire_startup_lock.LIBCMT ref: 00007FF712DB4515
__scrt_release_startup_lock.LIBCMT ref: 00007FF712DB4583
__scrt_is_nonwritable_in_current_image.LIBCMT ref: 00007FF712DB4599
__scrt_is_nonwritable_in_current_image.LIBCMT ref: 00007FF712DB45C5
_register_thread_local_exe_atexit_callback.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF712DB45D1
__p___wargv.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF712DB45D6
__p___argc.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF712DB45DE
_get_initial_wide_environment.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF712DB45E6
__scrt_is_managed_app.LIBCMT ref: 00007FF712DB45FA
_cexit.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF712DB4608
__scrt_uninitialize_crt.LIBCMT ref: 00007FF712DB4611
__scrt_fastfail.LIBCMT ref: 00007FF712DB4648
__scrt_fastfail.LIBCMT ref: 00007FF712DB4653
_exit.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF712DB4662

Memory Dump Source

Source File: 00000000.00000002.252556355.00007FF712DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF712DA0000, based on PE: true

Associated: 00000000.00000002.252549842.00007FF712DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252705366.00007FF712DB9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252717639.00007FF712DC9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252722439.00007FF712DCB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff712da0000_Hydra.jbxd

Similarity

API ID: __scrt_fastfail__scrt_is_nonwritable_in_current_image$__p___argc__p___wargv__scrt_acquire_startup_lock__scrt_initialize_crt__scrt_is_managed_app__scrt_release_startup_lock__scrt_uninitialize_crt__vcrt_initialize_cexit_exit_get_initial_wide_environment_register_thread_local_exe_atexit_callback
String ID:
API String ID: 3120079559-0
Opcode ID: 399ffa6a1914c7f1509af2b9e98608163a7ddf7e7d9502e015ee413d330179df
Instruction ID: c04dd2b49b23c470de561685c6bbee8183d610808770329093b27af6d401e53c
Opcode Fuzzy Hash: 399ffa6a1914c7f1509af2b9e98608163a7ddf7e7d9502e015ee413d330179df
Instruction Fuzzy Hash: C3311821E08D8A62FA14FB24D4313B99291EF437A4FC45439E98D47296DEACEA4DC670

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF712DAC460 Relevance: 18.1, APIs: 12, Instructions: 117
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

EnterCriticalSection.KERNEL32 ref: 00007FF712DAC498
__stdio_common_vswprintf.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF712DAC4CE

Part of subcall function 00007FF712DAC140: memset.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF712DAC1A3

__stdio_common_vswprintf.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF712DAC519
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF712DAC544
fputws.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF712DAC54F
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF712DAC557
fputwc.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF712DAC562
OutputDebugStringW.KERNEL32 ref: 00007FF712DAC575
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF712DAC589
__stdio_common_vfwprintf.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF712DAC5B6
fputwc.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF712DAC5C3
LeaveCriticalSection.KERNEL32 ref: 00007FF712DAC60A

Memory Dump Source

Source File: 00000000.00000002.252556355.00007FF712DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF712DA0000, based on PE: true

Associated: 00000000.00000002.252549842.00007FF712DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252705366.00007FF712DB9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252717639.00007FF712DC9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252722439.00007FF712DCB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff712da0000_Hydra.jbxd

Similarity

API ID: __acrt_iob_func$CriticalSection__stdio_common_vswprintffputwc$DebugEnterLeaveOutputString__stdio_common_vfwprintffputwsmemset
String ID:
API String ID: 286819346-0
Opcode ID: dc4943da362cf470aa6a38d742ed8591afd2c7c40870aa2803b326bd8e076d04
Instruction ID: d012dde7e95b0e107bb0a614beb2663095651e8d603fce309b848c2f2450ee6f
Opcode Fuzzy Hash: dc4943da362cf470aa6a38d742ed8591afd2c7c40870aa2803b326bd8e076d04
Instruction Fuzzy Hash: 8541A622608E4991EA54EB15E8147AAE350EF86BF0F844235EEDD07BE5DF7CE548C720

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF712DABF30 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 121
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 37%

			E00007FF77FF712DABF30(void* __eflags, long long __rbx, short* __rcx, void* __rdx, long long __rbp, void* __r8) {
				void* _v24;
				signed int _v40;
				signed long long _v48;
				char _v72;
				char _v88;
				long long _v104;
				long long _v112;
				intOrPtr _v120;
				short _v128;
				long long _v136;
				int _t48;
				void* _t62;
				signed long long _t63;
				signed long long _t64;
				signed long long _t105;
				void* _t108;
				short* _t109;
				void* _t113;
				intOrPtr _t121;
				void* _t124;
				long long _t125;

				_t116 = __r8;
				_t71 = __rbx;
				_t62 = _t113;
				 *((long long*)(_t62 - 0x50)) = 0xfffffffe;
				 *((long long*)(_t62 + 0x18)) = __rbx;
				 *((long long*)(_t62 + 0x20)) = __rbp;
				_t63 =  *0x12dc9568; // 0x438b11ead5c6
				_t64 = _t63 ^ _t113 - 0x00000090;
				_v40 = _t64;
				_t108 = __rdx;
				_t109 = __rcx;
				RegisterEventSourceW(??, ??); // executed
				_t111 = _t64;
				asm("movdqa xmm0, [0xe270]");
				asm("movdqu [esp+0x70], xmm0");
				r14d = 0;
				_v72 = r14w;
				_t6 = _t125 + 0x2d; // 0x2d
				r8d = _t6;
				E00007FF77FF712DAAE00(__rbx,  &_v72, L"Description: A .NET Core application failed.\n", _t64, __r8, _t124);
				_t8 = _t125 + 0xd; // 0xd
				r8d = _t8;
				E00007FF77FF712DAAE00(_t71,  &_v72, L"Application: ", _t64, _t116, _t124);
				if ( *((short*)(_t108 + 0xfffffffffffffffe)) != 0) goto 0x12dabfc3;
				E00007FF77FF712DAAE00(0xffffffff, _t64, _t108, _t64, 0, _t124);
				r8d = 1;
				E00007FF77FF712DAAE00(0xffffffff, _t64, 0x12dbaf38, _t64, 0, _t124);
				_t12 = _t108 + 5; // 0x6
				r8d = _t12;
				E00007FF77FF712DAAE00(0xffffffff,  &_v72, L"Path: ", _t64, 0, _t124);
				if ( *_t109 != 0) goto 0x12dac005;
				E00007FF77FF712DAAE00(0, _t64, _t109, _t111, 0, _t124);
				E00007FF77FF712DAAE00(0, _t64, 0x12dbaf38, _t111, _t108, _t124);
				r8d = 9;
				E00007FF77FF712DAAE00(0,  &_v72, L"Message: ", _t111, _t108, _t124);
				_t103 =  >=  ?  *0x12dc9028 : 0x12dc9028;
				_t121 =  *0x12dc9038; // 0x0
				E00007FF77FF712DAAE00(0, _t64,  >=  ?  *0x12dc9028 : 0x12dc9028, _t111, _t121, _t124);
				E00007FF77FF712DAAE00(0, _t64, 0x12dbaf38, _t111, _t108, _t124);
				_t66 =  >=  ? _v72 :  &_v72;
				_v88 =  >=  ? _v72 :  &_v72;
				r8d = 0;
				_v104 = _t125;
				_v112 =  &_v88;
				_v120 = r14d;
				_v128 = 1;
				_v136 = _t125;
				r9d = 0x3ff;
				ReportEventW(??, ??, ??, ??, ??, ??, ??, ??, ??);
				_t48 = DeregisterEventSource(??);
				_t105 = _v48;
				if (_t105 - 8 < 0) goto 0x12dac10e;
				if (2 + _t105 * 2 - 0x1000 < 0) goto 0x12dac109;
				if (_v72 -  *((intOrPtr*)(_v72 - 8)) + 0xfffffff8 - 0x1f > 0) goto 0x12dac136;
				0x12db3f50();
				return E00007FF77FF712DB4070(_t48, 0, 1, _v40 ^ _t113 - 0x00000090);
			}

0x7ff712dabf30
0x7ff712dabf30
0x7ff712dabf30
0x7ff712dabf3e
0x7ff712dabf46
0x7ff712dabf4a
0x7ff712dabf4e
0x7ff712dabf55
0x7ff712dabf58
0x7ff712dabf60
0x7ff712dabf63
0x7ff712dabf6f
0x7ff712dabf75
0x7ff712dabf78
0x7ff712dabf80
0x7ff712dabf86
0x7ff712dabf89
0x7ff712dabf8f
0x7ff712dabf8f
0x7ff712dabf9f
0x7ff712dabfa4
0x7ff712dabfa4
0x7ff712dabfb4
0x7ff712dabfcc
0x7ff712dabfd4
0x7ff712dabfde
0x7ff712dabfeb
0x7ff712dabff0
0x7ff712dabff0
0x7ff712dac000
0x7ff712dac00d
0x7ff712dac018
0x7ff712dac02a
0x7ff712dac02f
0x7ff712dac041
0x7ff712dac055
0x7ff712dac05d
0x7ff712dac067
0x7ff712dac079
0x7ff712dac089
0x7ff712dac08f
0x7ff712dac094
0x7ff712dac099
0x7ff712dac0a3
0x7ff712dac0a8
0x7ff712dac0ad
0x7ff712dac0b2
0x7ff712dac0b7
0x7ff712dac0c0
0x7ff712dac0c9
0x7ff712dac0d0
0x7ff712dac0d9
0x7ff712dac0f2
0x7ff712dac107
0x7ff712dac109
0x7ff712dac135

APIs

RegisterEventSourceW.ADVAPI32 ref: 00007FF712DABF6F

Part of subcall function 00007FF712DAAE00: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF712DAAF68

ReportEventW.ADVAPI32 ref: 00007FF712DAC0C0
DeregisterEventSource.ADVAPI32 ref: 00007FF712DAC0C9
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF712DAC136

Strings

Message: , xrefs: 00007FF712DAC035
Path: , xrefs: 00007FF712DABFF4
Application: , xrefs: 00007FF712DABFA8
Description: A .NET Core application failed., xrefs: 00007FF712DABF93
.NET Runtime, xrefs: 00007FF712DABF66

Memory Dump Source

Source File: 00000000.00000002.252556355.00007FF712DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF712DA0000, based on PE: true

Associated: 00000000.00000002.252549842.00007FF712DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252705366.00007FF712DB9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252717639.00007FF712DC9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252722439.00007FF712DCB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff712da0000_Hydra.jbxd

Similarity

API ID: Event$Source_invalid_parameter_noinfo_noreturn$DeregisterRegisterReport
String ID: .NET Runtime$Application: $Description: A .NET Core application failed.$Message: $Path:
API String ID: 1921289036-1764938453
Opcode ID: cdf8a97e9fd1846bc362af3e485a0595004b27bcbb1e00804d4107cac1e93929
Instruction ID: da586deadd771f4c6019d07aa049c17d82f96d26a9c3337536d13442470485a0
Opcode Fuzzy Hash: cdf8a97e9fd1846bc362af3e485a0595004b27bcbb1e00804d4107cac1e93929
Instruction Fuzzy Hash: 2551B461B18F8A91EA50AB15E4146E9A361FB45BB0FC00235EADD037E5DFBCE249C770

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF712DB26C0 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 43
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 68%

			E00007FF77FF712DB26C0(void* __ecx, void* __edx, void* __ebp, void* __esp, void* __eflags, void* __rax, signed int __rbx, void* __rdx, long long __rdi, long long __rbp, void* __r8, void* __r9, void* __r13, long long _a8, long long _a16, long long _a24) {
				void* __rsi;
				void* _t15;
				void* _t20;
				void* _t31;
				void* _t44;
				void* _t46;

				_t31 = __rax;
				_a16 = __rbx;
				_a24 = __rbp;
				_t44 = __rdx;
				_t46 = __ecx;
				if (E00007FF77FF712DAC740(E00007FF77FF712DAC780(__rbx, __rdx, __r8, __r9)) == 0) goto 0x12db2739;
				_t54 = L"ce3350c1cc0e928c1215d8700727703cf287acac";
				_a8 = __rdi;
				_t52 = L"3.1.28";
				E00007FF77FF712DAC6B0(_t31, L"--- Invoked %s [version: %s, commit hash: %s] main = {", L"apphost", L"3.1.28", L"ce3350c1cc0e928c1215d8700727703cf287acac");
				if (__ebp <= 0) goto 0x12db2728;
				E00007FF77FF712DAC6B0(_t31, L"%s",  *((intOrPtr*)(_t44 + __rbx * 8)), L"3.1.28", L"ce3350c1cc0e928c1215d8700727703cf287acac");
				_t33 = __rbx + 1;
				if (__rbx + 1 - _t46 < 0) goto 0x12db2710;
				E00007FF77FF712DAC6B0(_t31, "}",  *((intOrPtr*)(_t44 + __rbx * 8)), L"3.1.28", L"ce3350c1cc0e928c1215d8700727703cf287acac");
				E00007FF77FF712DAAF80(_t31, _t46, __r13);
				_t15 = E00007FF77FF712DB1D00(__ebp, __esp, __rbx + 1, _t44, _t52, _t54); // executed
				_t20 = _t15;
				E00007FF77FF712DAC630(_t31);
				E00007FF77FF712DABD30(_t20, __ebp, _t33, _a8, _t44, __r13); // executed
				return _t20;
			}

0x7ff712db26c0
0x7ff712db26c0
0x7ff712db26c5
0x7ff712db26cf
0x7ff712db26d2
0x7ff712db26e1
0x7ff712db26e3
0x7ff712db26ea
0x7ff712db26ef
0x7ff712db2704
0x7ff712db270b
0x7ff712db271b
0x7ff712db2720
0x7ff712db2726
0x7ff712db272f
0x7ff712db2739
0x7ff712db2743
0x7ff712db2748
0x7ff712db274a
0x7ff712db2751
0x7ff712db2767

APIs

shared_ptr.LIBCMT ref: 00007FF712DB2739

Part of subcall function 00007FF712DAC6B0: EnterCriticalSection.KERNEL32 ref: 00007FF712DAC6E3
Part of subcall function 00007FF712DAC6B0: __stdio_common_vfwprintf.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF712DAC70C
Part of subcall function 00007FF712DAC6B0: fputwc.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF712DAC719
Part of subcall function 00007FF712DAC6B0: LeaveCriticalSection.KERNEL32 ref: 00007FF712DAC726

Strings

3.1.28, xrefs: 00007FF712DB26EF
ce3350c1cc0e928c1215d8700727703cf287acac, xrefs: 00007FF712DB26E3
--- Invoked %s [version: %s, commit hash: %s] main = {, xrefs: 00007FF712DB26FD
apphost, xrefs: 00007FF712DB26F6

Memory Dump Source

Source File: 00000000.00000002.252556355.00007FF712DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF712DA0000, based on PE: true

Associated: 00000000.00000002.252549842.00007FF712DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252705366.00007FF712DB9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252717639.00007FF712DC9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252722439.00007FF712DCB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff712da0000_Hydra.jbxd

Similarity

API ID: CriticalSection$EnterLeave__stdio_common_vfwprintffputwcshared_ptr
String ID: --- Invoked %s [version: %s, commit hash: %s] main = {$3.1.28$apphost$ce3350c1cc0e928c1215d8700727703cf287acac
API String ID: 2890140739-2550298977
Opcode ID: 89d4f1977f36321b494d2dafb5ddfbba82800875c68c4b27c7edf73ce25f9bb6
Instruction ID: 28cef361658280f4d9c8e37e5c0399ea528bcbc51b845750a3b6bc698c348c4c
Opcode Fuzzy Hash: 89d4f1977f36321b494d2dafb5ddfbba82800875c68c4b27c7edf73ce25f9bb6
Instruction Fuzzy Hash: 74117021A18E4EA1E640BF64E4614F6E310AF417A4FC86435EACD067A7DEACE64DC370

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF712DABD30 Relevance: 6.1, APIs: 4, Instructions: 126
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 32%

			E00007FF77FF712DABD30(void* __ecx, void* __ebp, long long __rbx, long long __rdi, long long __rsi, void* __r13) {
				void* __rbp;
				void* _t54;
				void* _t60;
				void* _t80;
				signed long long _t81;
				signed long long _t82;
				void* _t86;
				signed long long _t94;
				void* _t102;
				signed long long _t112;
				signed long long _t117;
				signed long long _t120;
				void* _t127;
				void* _t128;
				void* _t131;

				_t80 = _t128;
				_t127 = _t80 - 0x5f;
				 *((long long*)(_t127 - 0x19)) = 0xfffffffe;
				 *((long long*)(_t80 + 0x10)) = __rbx;
				 *((long long*)(_t80 + 0x18)) = __rsi;
				 *((long long*)(_t80 + 0x20)) = __rdi;
				_t81 =  *0x12dc9568; // 0x438b11ead5c6
				_t82 = _t81 ^ _t128 - 0x00000090;
				 *(_t127 + 0x4f) = _t82;
				_t60 = __ecx;
				if ( *0x12dc9038 == 0) goto 0x12dabef5;
				asm("movdqa xmm0, [0xe477]");
				asm("movdqu [ebp+0x1f], xmm0");
				 *((short*)(_t127 + 0xf)) = 0;
				asm("movdqu [ebp-0x1], xmm0");
				 *((short*)(_t127 - 0x11)) = 0;
				if (E00007FF77FF712DAF9B0(_t82, __rbx, _t127 + 0xf) == 0) goto 0x12dabe1e;
				E00007FF77FF712DAD710(_t127 + 0x2f, _t127 + 0xf);
				_t94 = _t82;
				if (_t127 - 0x11 == _t94) goto 0x12dabdde;
				E00007FF77FF712DA5300(_t127 - 0x11);
				asm("movups xmm0, [ebx]");
				asm("movups [ebp-0x11], xmm0");
				asm("movups xmm1, [ebx+0x10]");
				asm("movups [ebp-0x1], xmm1");
				 *((long long*)(_t94 + 0x10)) = __rsi;
				 *((long long*)(_t94 + 0x18)) = 7;
				 *_t94 = 0;
				_t112 =  *((intOrPtr*)(_t127 + 0x47));
				if (_t112 - 8 < 0) goto 0x12dabe1e;
				if (2 + _t112 * 2 - 0x1000 < 0) goto 0x12dabe19;
				_t86 =  *((intOrPtr*)(_t127 + 0x2f)) -  *((intOrPtr*)( *((intOrPtr*)(_t127 + 0x2f)) - 8)) + 0xfffffff8;
				if (_t86 - 0x1f > 0) goto 0x12dabf20;
				0x12db3f50();
				_t116 =  >=  ?  *((void*)(_t127 - 0x11)) : _t127 - 0x11;
				_t102 =  >=  ?  *((void*)(_t127 + 0xf)) : _t127 + 0xf;
				E00007FF77FF712DABF30( *((long long*)(_t127 + 0x27)) - 8, _t94, _t102,  >=  ?  *((void*)(_t127 - 0x11)) : _t127 - 0x11, _t127, _t131); // executed
				GetModuleHandleW(??);
				if ( *((short*)(_t102 + _t86 + 0x5c)) != 2) goto 0x12dabe68;
				_t104 =  >=  ?  *((void*)(_t127 - 0x11)) : _t127 - 0x11;
				_t54 = E00007FF77FF712DAB150( *((intOrPtr*)(_t86 + 0x3c)), _t60, __ebp, _t94,  >=  ?  *((void*)(_t127 - 0x11)) : _t127 - 0x11, __rsi, _t131, __r13);
				_t117 =  *((intOrPtr*)(_t127 + 7));
				if (_t117 - 8 < 0) goto 0x12dabea8;
				if (2 + _t117 * 2 - 0x1000 < 0) goto 0x12dabea3;
				if ( *((intOrPtr*)(_t127 - 0x11)) -  *((intOrPtr*)( *((intOrPtr*)(_t127 - 0x11)) - 8)) + 0xfffffff8 - 0x1f > 0) goto 0x12dabf26;
				0x12db3f50();
				asm("movdqa xmm0, [0xe340]");
				asm("movdqu [ebp-0x1], xmm0");
				 *((short*)(_t127 - 0x11)) = 0;
				_t120 =  *((intOrPtr*)(_t127 + 0x27));
				if (_t120 - 8 < 0) goto 0x12dabef5;
				if (2 + _t120 * 2 - 0x1000 < 0) goto 0x12dabef0;
				if ( *((intOrPtr*)(_t127 + 0xf)) -  *((intOrPtr*)( *((intOrPtr*)(_t127 + 0xf)) - 8)) + 0xfffffff8 - 0x1f > 0) goto 0x12dabf1a;
				0x12db3f50();
				return E00007FF77FF712DB4070(_t54,  *((intOrPtr*)(_t86 + 0x3c)), _t60,  *(_t127 + 0x4f) ^ _t128 - 0x00000090);
			}

0x7ff712dabd30
0x7ff712dabd34
0x7ff712dabd3f
0x7ff712dabd47
0x7ff712dabd4b
0x7ff712dabd4f
0x7ff712dabd53
0x7ff712dabd5a
0x7ff712dabd5d
0x7ff712dabd61
0x7ff712dabd6b
0x7ff712dabd71
0x7ff712dabd79
0x7ff712dabd80
0x7ff712dabd84
0x7ff712dabd89
0x7ff712dabd98
0x7ff712dabda6
0x7ff712dabdab
0x7ff712dabdb5
0x7ff712dabdbb
0x7ff712dabdc0
0x7ff712dabdc3
0x7ff712dabdc7
0x7ff712dabdcb
0x7ff712dabdcf
0x7ff712dabdd3
0x7ff712dabddb
0x7ff712dabdde
0x7ff712dabde6
0x7ff712dabdfe
0x7ff712dabe0b
0x7ff712dabe13
0x7ff712dabe19
0x7ff712dabe27
0x7ff712dabe35
0x7ff712dabe3a
0x7ff712dabe41
0x7ff712dabe50
0x7ff712dabe5b
0x7ff712dabe62
0x7ff712dabe68
0x7ff712dabe70
0x7ff712dabe88
0x7ff712dabe9d
0x7ff712dabea3
0x7ff712dabea8
0x7ff712dabeb0
0x7ff712dabeb5
0x7ff712dabeb9
0x7ff712dabec1
0x7ff712dabed9
0x7ff712dabeee
0x7ff712dabef0
0x7ff712dabf19

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF712DABE41
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF712DABF1A
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF712DABF20
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF712DABF26

Memory Dump Source

Source File: 00000000.00000002.252556355.00007FF712DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF712DA0000, based on PE: true

Associated: 00000000.00000002.252549842.00007FF712DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252705366.00007FF712DB9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252717639.00007FF712DC9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252722439.00007FF712DCB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff712da0000_Hydra.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$HandleModule
String ID:
API String ID: 542465422-0
Opcode ID: 19d48a8764aba0e0304d5cbc81e846b030bcab24eeee1f56e03ac761ee98ae2b
Instruction ID: 1806e7155845d7c171b18a6e0ef3c963da4c4d46262c4d0a48bda4918cfa4ecd
Opcode Fuzzy Hash: 19d48a8764aba0e0304d5cbc81e846b030bcab24eeee1f56e03ac761ee98ae2b
Instruction Fuzzy Hash: C7519462E14F8594EB00EF34D4553BC6361EB54BB8F905631DA9C02BD9EFB8D28AC320

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF712DAAFA0 Relevance: 4.5, APIs: 3, Instructions: 26
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF712DAAFE4
fputws.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF712DAAFEF
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF712DAAFF9

Memory Dump Source

Source File: 00000000.00000002.252556355.00007FF712DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF712DA0000, based on PE: true

Associated: 00000000.00000002.252549842.00007FF712DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252705366.00007FF712DB9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252717639.00007FF712DC9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252722439.00007FF712DCB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff712da0000_Hydra.jbxd

Similarity

API ID: __acrt_iob_func$fputws
String ID:
API String ID: 3984006290-0
Opcode ID: 65304bd5c99957bab3005e1334df96c6675a6780d3e47e8dc74eb3dc750ff1ff
Instruction ID: c27f0dc9671b8eb1e37fd6a30bd7e13cb3d96fa6832d4ed7e1b913dadb00a963
Opcode Fuzzy Hash: 65304bd5c99957bab3005e1334df96c6675a6780d3e47e8dc74eb3dc750ff1ff
Instruction Fuzzy Hash: D5F08281F0890E50FA487252D4397F5C1528B16BF0F901338E9AE0BBD2DC9C968CC3B1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00007FF712DB3738 Relevance: 145.5, APIs: 42, Strings: 41, Instructions: 234
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

EncodePointer.KERNEL32(?,?,?,?,00007FF712DB349D), ref: 00007FF712DB3752
GetModuleHandleW.KERNEL32(?,?,?,?,?,?,?,?,00007FF712DB349D), ref: 00007FF712DB378D
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,00007FF712DB349D), ref: 00007FF712DB37A0
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,00007FF712DB349D), ref: 00007FF712DB37BE
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,00007FF712DB349D), ref: 00007FF712DB37DC
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,00007FF712DB349D), ref: 00007FF712DB37FA
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,00007FF712DB349D), ref: 00007FF712DB3818
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,00007FF712DB349D), ref: 00007FF712DB3836
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,00007FF712DB349D), ref: 00007FF712DB3854
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,00007FF712DB349D), ref: 00007FF712DB3872
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,00007FF712DB349D), ref: 00007FF712DB3890
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,00007FF712DB349D), ref: 00007FF712DB38AE
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,00007FF712DB349D), ref: 00007FF712DB38CC
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,00007FF712DB349D), ref: 00007FF712DB38EA
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,00007FF712DB349D), ref: 00007FF712DB3908
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,00007FF712DB349D), ref: 00007FF712DB3926
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,00007FF712DB349D), ref: 00007FF712DB3944
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,00007FF712DB349D), ref: 00007FF712DB3962

Strings

FlsGetValue, xrefs: 00007FF712DB37CB
CompareStringEx, xrefs: 00007FF712DB3BE5
CloseThreadpoolTimer, xrefs: 00007FF712DB38F7
CloseThreadpoolWait, xrefs: 00007FF712DB3951
SleepConditionVariableCS, xrefs: 00007FF712DB3AD7
SetFileInformationByHandle, xrefs: 00007FF712DB3A41
GetCurrentProcessorNumber, xrefs: 00007FF712DB39AB
WaitForThreadpoolTimerCallbacks, xrefs: 00007FF712DB38D9
LCMapStringEx, xrefs: 00007FF712DB3C21
FlsSetValue, xrefs: 00007FF712DB37E9
WakeAllConditionVariable, xrefs: 00007FF712DB3AB9
CreateEventExW, xrefs: 00007FF712DB3843
GetLocaleInfoEx, xrefs: 00007FF712DB3C03
GetFileInformationByHandleEx, xrefs: 00007FF712DB3A23
ReleaseSRWLockExclusive, xrefs: 00007FF712DB3B4F
InitializeSRWLock, xrefs: 00007FF712DB3AF5
CreateSymbolicLinkW, xrefs: 00007FF712DB39C9
CloseThreadpoolWork, xrefs: 00007FF712DB3BC7
CreateThreadpoolWait, xrefs: 00007FF712DB3915
SubmitThreadpoolWork, xrefs: 00007FF712DB3BA9
GetSystemTimePreciseAsFileTime, xrefs: 00007FF712DB3A5F
SetThreadpoolWait, xrefs: 00007FF712DB3933
CreateThreadpoolTimer, xrefs: 00007FF712DB389D
FlushProcessWriteBuffers, xrefs: 00007FF712DB396F
GetCurrentPackageId, xrefs: 00007FF712DB39E7
kernel32.dll, xrefs: 00007FF712DB3786
GetTickCount64, xrefs: 00007FF712DB3A05
TryAcquireSRWLockExclusive, xrefs: 00007FF712DB3B31
CreateSemaphoreExW, xrefs: 00007FF712DB387F
SetThreadpoolTimer, xrefs: 00007FF712DB38BB
CreateSemaphoreW, xrefs: 00007FF712DB3861
AcquireSRWLockExclusive, xrefs: 00007FF712DB3B13
InitializeConditionVariable, xrefs: 00007FF712DB3A7D
SleepConditionVariableSRW, xrefs: 00007FF712DB3B6D
InitializeCriticalSectionEx, xrefs: 00007FF712DB3807
FlsAlloc, xrefs: 00007FF712DB3796
WakeConditionVariable, xrefs: 00007FF712DB3A9B
FreeLibraryWhenCallbackReturns, xrefs: 00007FF712DB398D
InitOnceExecuteOnce, xrefs: 00007FF712DB3825
FlsFree, xrefs: 00007FF712DB37AD
CreateThreadpoolWork, xrefs: 00007FF712DB3B8B

Memory Dump Source

Source File: 00000000.00000002.252556355.00007FF712DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF712DA0000, based on PE: true

Associated: 00000000.00000002.252549842.00007FF712DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252705366.00007FF712DB9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252717639.00007FF712DC9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252722439.00007FF712DCB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff712da0000_Hydra.jbxd

Similarity

API ID: AddressProc$EncodeHandleModulePointer
String ID: AcquireSRWLockExclusive$CloseThreadpoolTimer$CloseThreadpoolWait$CloseThreadpoolWork$CompareStringEx$CreateEventExW$CreateSemaphoreExW$CreateSemaphoreW$CreateSymbolicLinkW$CreateThreadpoolTimer$CreateThreadpoolWait$CreateThreadpoolWork$FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$FlushProcessWriteBuffers$FreeLibraryWhenCallbackReturns$GetCurrentPackageId$GetCurrentProcessorNumber$GetFileInformationByHandleEx$GetLocaleInfoEx$GetSystemTimePreciseAsFileTime$GetTickCount64$InitOnceExecuteOnce$InitializeConditionVariable$InitializeCriticalSectionEx$InitializeSRWLock$LCMapStringEx$ReleaseSRWLockExclusive$SetFileInformationByHandle$SetThreadpoolTimer$SetThreadpoolWait$SleepConditionVariableCS$SleepConditionVariableSRW$SubmitThreadpoolWork$TryAcquireSRWLockExclusive$WaitForThreadpoolTimerCallbacks$WakeAllConditionVariable$WakeConditionVariable$kernel32.dll
API String ID: 73157160-295688737
Opcode ID: 1768bd0181979894e5c76b022fdef0f0e4152cc001d8c2bed6cbd9eb8891b85a
Instruction ID: 8b0e1ea750906d8246d5a9f891056e5d1018e95457d079c05d5ac71c0230fcaa
Opcode Fuzzy Hash: 1768bd0181979894e5c76b022fdef0f0e4152cc001d8c2bed6cbd9eb8891b85a
Instruction Fuzzy Hash: 0AE14460929F4BA0EA00AF55F8A81B0A3B5BF0A764BD15435C98D47334DEBCE16DC771

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF712DAEAB0 Relevance: 17.6, APIs: 4, Strings: 6, Instructions: 136
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 28%

			E00007FF77FF712DAEAB0(long long __rbx, long long __rcx, long long __rsi, long long __rbp, void* __r8, void* __r13) {
				void* _v8;
				signed int _v24;
				char _v30;
				void _v352;
				signed int _v356;
				intOrPtr _v360;
				signed long long _v376;
				intOrPtr _v384;
				char _v400;
				long long _v408;
				long long _v416;
				short _v424;
				signed int _t47;
				void* _t57;
				signed int _t60;
				void* _t79;
				void* _t89;
				signed long long _t90;
				signed long long _t91;
				void* _t116;
				signed long long _t120;
				long long _t124;
				void* _t128;
				short* _t137;

				_t139 = __r13;
				_t131 = __r8;
				_t126 = __rbp;
				_t97 = __rbx;
				_t89 = _t128;
				_v416 = 0xfffffffe;
				 *((long long*)(_t89 + 0x10)) = __rbx;
				 *((long long*)(_t89 + 0x18)) = __rbp;
				 *((long long*)(_t89 + 0x20)) = __rsi;
				_t90 =  *0x12dc9568; // 0x438b11ead5c6
				_t91 = _t90 ^ _t128 - 0x000001c0;
				_v24 = _t91;
				_t124 = __rcx;
				_v408 = __rcx;
				_v424 = 0;
				 *((long long*)(__rcx + 0x10)) = __rbp;
				 *((long long*)(__rcx + 0x18)) = 7;
				 *((short*)(__rcx)) = 0;
				_v424 = 1;
				r8d = 0x110;
				memset(??, ??, ??);
				_v360 = 0x114;
				LoadLibraryA(??);
				if (_t91 == 0) goto 0x12daeccc;
				GetProcAddress(??, ??);
				if (_t91 == 0) goto 0x12daeccc;
				if ( *0x12db9470() != 0) goto 0x12daeccc;
				_t47 = _v356;
				if (_t47 - 6 <= 0) goto 0x12daeb75;
				_t60 = _t47;
				_t71 =  >  ? _v352 : 0;
				_t79 = _t60 - 6;
				if (_t79 != 0) goto 0x12daebd3;
				_t72 = ( >  ? _v352 : 0) - 1;
				_t104 = __rcx;
				if (_t79 == 0) goto 0x12daebbc;
				_t80 = ( >  ? _v352 : 0) - 1 - 1;
				if (( >  ? _v352 : 0) - 1 == 1) goto 0x12daeba5;
				_t17 = _t97 - 1; // 0x5
				r8d = _t17;
				E00007FF77FF712DAAE00(__rbx, __rcx, L"win81", __rbp, __r8, __r13);
				goto 0x12daeccc;
				r8d = 4;
				E00007FF77FF712DAAE00(_t97, _t104, L"win8", _t126, _t131, _t139);
				goto 0x12daeccc;
				r8d = 4;
				E00007FF77FF712DAAE00(_t97, _t104, L"win7", _t126, _t131, _t139);
				goto 0x12daeccc;
				if (_t60 - 0xa < 0) goto 0x12daeccc;
				r8d = 3;
				_t116 = L"win";
				E00007FF77FF712DAAE00(_t97, _t124, _t116, _t126, _t131, _t139);
				_t137 =  &_v30 - 2;
				 *_t137 = _t60 - _t91 + _t116 + _t91 + _t116 + 0x30;
				if (0xcccccccd * _t60 >> 0x20 >> 3 != 0) goto 0x12daec00;
				asm("movdqa xmm0, [0xb5bc]");
				asm("movdqu [esp+0x48], xmm0");
				_v400 = 0;
				if (_t137 ==  &_v30) goto 0x12daec67;
				E00007FF77FF712DA56F0(_t97,  &_v400, _t137, _t124, _t126,  &_v30 - _t137 >> 1);
				_v424 = 0xf;
				_t119 =  >=  ? _v400 :  &_v400;
				_t57 = E00007FF77FF712DAAE00(_t97, _t124,  >=  ? _v400 :  &_v400, _t126, _v384, _t139);
				_t120 = _v376;
				if (_t120 - 8 < 0) goto 0x12daeccc;
				if (2 + _t120 * 2 - 0x1000 < 0) goto 0x12daecc7;
				if (_v400 -  *((intOrPtr*)(_v400 - 8)) + 0xfffffff8 - 0x1f > 0) goto 0x12daecf8;
				0x12db3f50();
				return E00007FF77FF712DB4070(_t57, _t91 + _t116 + _t91 + _t116, 0xcccccccd * _t60 >> 0x20 >> 3, _v24 ^ _t128 - 0x000001c0);
			}

0x7ff712daeab0
0x7ff712daeab0
0x7ff712daeab0
0x7ff712daeab0
0x7ff712daeab0
0x7ff712daeabb
0x7ff712daeac4
0x7ff712daeac8
0x7ff712daeacc
0x7ff712daead0
0x7ff712daead7
0x7ff712daeada
0x7ff712daeae2
0x7ff712daeae5
0x7ff712daeaec
0x7ff712daeaf0
0x7ff712daeaf4
0x7ff712daeafc
0x7ff712daeb04
0x7ff712daeb0a
0x7ff712daeb15
0x7ff712daeb1a
0x7ff712daeb29
0x7ff712daeb32
0x7ff712daeb42
0x7ff712daeb4b
0x7ff712daeb5e
0x7ff712daeb69
0x7ff712daeb6f
0x7ff712daeb71
0x7ff712daeb79
0x7ff712daeb7e
0x7ff712daeb81
0x7ff712daeb83
0x7ff712daeb86
0x7ff712daeb89
0x7ff712daeb8b
0x7ff712daeb8e
0x7ff712daeb90
0x7ff712daeb90
0x7ff712daeb9b
0x7ff712daeba0
0x7ff712daeba5
0x7ff712daebb2
0x7ff712daebb7
0x7ff712daebbc
0x7ff712daebc9
0x7ff712daebce
0x7ff712daebd6
0x7ff712daebdc
0x7ff712daebe2
0x7ff712daebec
0x7ff712daec00
0x7ff712daec22
0x7ff712daec2a
0x7ff712daec2c
0x7ff712daec34
0x7ff712daec3a
0x7ff712daec4a
0x7ff712daec62
0x7ff712daec67
0x7ff712daec7a
0x7ff712daec88
0x7ff712daec8e
0x7ff712daec97
0x7ff712daecb0
0x7ff712daecc5
0x7ff712daecc7
0x7ff712daecf7

APIs

memset.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF712DAEB15
LoadLibraryA.KERNEL32 ref: 00007FF712DAEB29
GetProcAddress.KERNEL32 ref: 00007FF712DAEB42
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF712DAECF8

Strings

win8, xrefs: 00007FF712DAEBAB
win81, xrefs: 00007FF712DAEB94
ntdll.dll, xrefs: 00007FF712DAEB22
win7, xrefs: 00007FF712DAEBC2
win, xrefs: 00007FF712DAEBE2
RtlGetVersion, xrefs: 00007FF712DAEB38

Memory Dump Source

Source File: 00000000.00000002.252556355.00007FF712DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF712DA0000, based on PE: true

Associated: 00000000.00000002.252549842.00007FF712DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252705366.00007FF712DB9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252717639.00007FF712DC9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252722439.00007FF712DCB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff712da0000_Hydra.jbxd

Similarity

API ID: AddressLibraryLoadProc_invalid_parameter_noinfo_noreturnmemset
String ID: RtlGetVersion$ntdll.dll$win$win7$win8$win81
API String ID: 3866494120-238241336
Opcode ID: ed0b9fe597ef60ff69cc213fe9122f7085284950a79fe502319227cbb5a6fe34
Instruction ID: 146d9e3dc3f98f373bdd1b836714b6e12d5c85f04fb7d685fe4461380f6543e7
Opcode Fuzzy Hash: ed0b9fe597ef60ff69cc213fe9122f7085284950a79fe502319227cbb5a6fe34
Instruction Fuzzy Hash: 0251B232B18B8A95EA50AB15E4547A9B361FBC5BB0FD00135DACD03794DFBCE648C760

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF712DB0560 Relevance: 16.1, APIs: 8, Strings: 1, Instructions: 310
COMMONCrypto

Download Yara Rule

C-Code - Quality: 23%

			E00007FF77FF712DB0560(void* __ecx, signed int __edx, void* __edi, void* __esp, long long __rbx, intOrPtr* __rcx, long long __rdi, long long __rsi, long long __r9, void* __r13) {
				void* __rbp;
				void* __r14;
				long _t56;
				void* _t66;
				void* _t71;
				short _t89;
				void* _t99;
				signed long long _t100;
				intOrPtr* _t111;
				intOrPtr* _t112;
				signed long long _t136;
				signed long long _t142;
				signed long long _t144;
				long long _t151;
				void* _t153;
				void* _t154;
				signed long long _t155;
				signed long long _t166;
				void* _t168;

				_t164 = __r9;
				_t151 = __rsi;
				_t71 = __edi;
				_t66 = __ecx;
				_t99 = _t154;
				_t153 = _t99 - 0x1d8;
				_t155 = _t154 - 0x2c0;
				 *((long long*)(_t155 + 0x20)) = 0xfffffffe;
				 *((long long*)(_t99 + 0x10)) = __rbx;
				 *((long long*)(_t99 + 0x18)) = __rsi;
				 *((long long*)(_t99 + 0x20)) = __rdi;
				_t100 =  *0x12dc9568; // 0x438b11ead5c6
				 *(_t153 + 0x1b0) = _t100 ^ _t155;
				r14d = __edx & 0x000000ff;
				_t111 = __rcx;
				if ( *((long long*)(__rcx + 0x18)) - 8 < 0) goto 0x12db05b0;
				asm("movdqa xmm0, [0x9c38]");
				asm("movdqu [esp+0x58], xmm0");
				r12d = 0;
				 *((intOrPtr*)(_t155 + 0x48)) = r12w;
				if ( *((intOrPtr*)( *__rcx + 0xfffffffffffffffe)) != r12w) goto 0x12db05d1;
				E00007FF77FF712DA56F0(__rcx, _t155 + 0x48,  *__rcx, __rsi, _t153, 0);
				E00007FF77FF712DB0CD0(_t155 + 0x48);
				_t136 =  *((intOrPtr*)(_t155 + 0x60));
				if (_t136 - 8 < 0) goto 0x12db0635;
				if (2 + _t136 * 2 - 0x1000 < 0) goto 0x12db0630;
				if ( *((intOrPtr*)(_t155 + 0x48)) -  *((intOrPtr*)( *((intOrPtr*)(_t155 + 0x48)) - 8)) + 0xfffffff8 - 0x1f > 0) goto 0x12db0a47;
				0x12db3f50();
				if (sil == 0) goto 0x12db065f;
				if ( *((long long*)(_t111 + 0x18)) - 8 < 0) goto 0x12db0647;
				if (GetFileAttributesExW(??, ??, ??) == 0) goto 0x12db065f;
				goto 0x12db07b3;
				if ( *((long long*)(_t111 + 0x18)) - 8 < 0) goto 0x12db066c;
				r9d = 0;
				_t56 = GetFullPathNameW(??, ??, ??, ??);
				if (_t56 != 0) goto 0x12db06a9;
				if (r14b != 0) goto 0x12db06a2;
				if ( *((long long*)(_t111 + 0x18)) - 8 < 0) goto 0x12db0693;
				_t112 =  *_t111;
				E00007FF77FF712DAC460( *((intOrPtr*)(_t155 + 0x48)) -  *((intOrPtr*)( *((intOrPtr*)(_t155 + 0x48)) - 8)) + 0xfffffff8, L"Error resolving full path [%s]", _t112, _t153 - 0x60, __r9);
				goto 0x12db07b3;
				 *(_t155 + 0x38) = _t166;
				 *((long long*)(_t155 + 0x40)) = 7;
				 *((intOrPtr*)(_t155 + 0x28)) = r12w;
				if (_t56 - 0x104 >= 0) goto 0x12db06f5;
				_t89 =  *((short*)(_t153 - 0x60 + 0xfffffffffffffffe));
				if (_t89 != 0) goto 0x12db06d0;
				E00007FF77FF712DA56F0(_t112, _t155 + 0x28, _t153 - 0x60, _t151, _t153, 0);
				goto 0x12db09ee;
				_t142 = _t151 +  *0x12dc90e0;
				if (_t89 != 0) goto 0x12db070e;
				 *(_t155 + 0x38) = _t142;
				 *((intOrPtr*)(_t155 + 0x28 + _t142 * 2)) = r12w;
				goto 0x12db071b;
				r8d = 0;
				E00007FF77FF712DAE7D0(_t66, _t71, __esp, _t112, _t155 + 0x28, _t142, __r13, _t168);
				_t163 =  >=  ?  *((void*)(_t155 + 0x28)) : _t155 + 0x28;
				if ( *((long long*)(_t112 + 0x18)) - 8 < 0) goto 0x12db0739;
				r9d = 0;
				if (GetFullPathNameW(??, ??, ??, ??) != 0) goto 0x12db07df;
				if (r14b != 0) goto 0x12db076c;
				if ( *((long long*)(_t112 + 0x18)) - 8 < 0) goto 0x12db075d;
				E00007FF77FF712DAC460( *((intOrPtr*)(_t155 + 0x40)), L"Error resolving full path [%s]",  *_t112,  >=  ?  *((void*)(_t155 + 0x28)) : _t155 + 0x28, _t164);
				_t144 =  *((intOrPtr*)(_t155 + 0x40));
				if (_t144 - 8 < 0) goto 0x12db07b0;
				if (2 + _t144 * 2 - 0x1000 < 0) goto 0x12db07ab;
				if ( *((intOrPtr*)(_t155 + 0x28)) -  *((intOrPtr*)( *((intOrPtr*)(_t155 + 0x28)) - 8)) + 0xfffffff8 - 0x1f > 0) goto 0x12db0a4d;
				0x12db3f50();
				return E00007FF77FF712DB4070(0, _t66, _t56,  *(_t153 + 0x1b0) ^ _t155);
			}

0x7ff712db0560
0x7ff712db0560
0x7ff712db0560
0x7ff712db0560
0x7ff712db0560
0x7ff712db0568
0x7ff712db056f
0x7ff712db0576
0x7ff712db057f
0x7ff712db0583
0x7ff712db0587
0x7ff712db058b
0x7ff712db0595
0x7ff712db059c
0x7ff712db05a0
0x7ff712db05ab
0x7ff712db05b0
0x7ff712db05b8
0x7ff712db05be
0x7ff712db05c1
0x7ff712db05d9
0x7ff712db05e0
0x7ff712db05eb
0x7ff712db05f3
0x7ff712db05fc
0x7ff712db0615
0x7ff712db062a
0x7ff712db0630
0x7ff712db0638
0x7ff712db0642
0x7ff712db0656
0x7ff712db065a
0x7ff712db0667
0x7ff712db066c
0x7ff712db0678
0x7ff712db0682
0x7ff712db0687
0x7ff712db068e
0x7ff712db0690
0x7ff712db069d
0x7ff712db06a4
0x7ff712db06a9
0x7ff712db06ae
0x7ff712db06b7
0x7ff712db06c3
0x7ff712db06d3
0x7ff712db06d8
0x7ff712db06e6
0x7ff712db06f0
0x7ff712db06f8
0x7ff712db06ff
0x7ff712db0701
0x7ff712db0706
0x7ff712db070c
0x7ff712db070e
0x7ff712db0716
0x7ff712db0726
0x7ff712db0734
0x7ff712db0739
0x7ff712db0748
0x7ff712db0751
0x7ff712db0758
0x7ff712db0767
0x7ff712db076e
0x7ff712db0777
0x7ff712db0790
0x7ff712db07a5
0x7ff712db07ab
0x7ff712db07de

APIs

GetFileAttributesExW.KERNEL32 ref: 00007FF712DB064E
GetFullPathNameW.KERNEL32 ref: 00007FF712DB0678
GetFullPathNameW.KERNEL32 ref: 00007FF712DB073E
GetFileAttributesExW.KERNEL32 ref: 00007FF712DB0A04
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF712DB0A41
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF712DB0A47
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF712DB0A4D
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF712DB0A53

Strings

Error resolving full path [%s], xrefs: 00007FF712DB0696, 00007FF712DB0760

Memory Dump Source

Source File: 00000000.00000002.252556355.00007FF712DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF712DA0000, based on PE: true

Associated: 00000000.00000002.252549842.00007FF712DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252705366.00007FF712DB9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252717639.00007FF712DC9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252722439.00007FF712DCB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff712da0000_Hydra.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$AttributesFileFullNamePath
String ID: Error resolving full path [%s]
API String ID: 561720233-1390578158
Opcode ID: 606f94484f1805f4a20648360f0d4654d96082df6959f2305b0d7ed7d6a00eeb
Instruction ID: c1e77eed690ca0ec4ac704e08f49f86aad2532a21c02a188b27acb4b6dd7540c
Opcode Fuzzy Hash: 606f94484f1805f4a20648360f0d4654d96082df6959f2305b0d7ed7d6a00eeb
Instruction Fuzzy Hash: 77D1DB62A08E4991EE10AB15D4642BDA361FB867F5FD00231DADD03AE8DFBCD649C770

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF712DA6080 Relevance: 9.4, APIs: 6, Instructions: 448
COMMONCrypto

Download Yara Rule

C-Code - Quality: 29%

			E00007FF77FF712DA6080(void* __ebx, void* __ebp, void* __esp, long long __rbx, void* __rcx, long long __rdx, void* __r8, long long __r9) {
				void* __rdi;
				void* __rbp;
				void* __r12;
				void* __r15;
				signed int _t60;
				long long _t72;
				void* _t74;
				void* _t75;
				signed int _t81;
				signed char _t87;
				void* _t95;
				void* _t101;
				void* _t120;
				signed long long _t121;
				char* _t128;
				short* _t129;
				long long _t145;
				intOrPtr _t158;
				void* _t159;
				intOrPtr _t162;
				void* _t166;
				intOrPtr _t167;
				void* _t168;
				void* _t169;
				signed long long _t170;
				void* _t181;
				long long _t183;
				long long _t184;

				_t120 = _t169;
				_t168 = _t120 - 0x4f;
				_t170 = _t169 - 0xa0;
				 *((long long*)(_t168 - 0x41)) = 0xfffffffe;
				 *((long long*)(_t120 + 8)) = __rbx;
				asm("movaps [eax-0x48], xmm6");
				_t121 =  *0x12dc9568; // 0x438b11ead5c6
				 *(_t168 - 1) = _t121 ^ _t170;
				_t183 = __r9;
				_t184 = __rdx;
				_t181 = __rcx;
				 *((long long*)(_t168 - 0x19)) = __rdx;
				r9d = 0xf;
				 *((long long*)(_t168 - 0x11)) = __r9;
				 *((char*)(_t168 - 0x29)) = 0;
				_t60 =  *(__r9 + 0x18) & 0x00003000;
				_t167 =  *((intOrPtr*)(__r9 + 0x20));
				if (_t167 > 0) goto 0x12da60f4;
				if (_t60 == 0x2000) goto 0x12da60f4;
				asm("movsd xmm6, [ebp+0x7f]");
				_t101 = _t60 - 0x2000;
				if (_t101 != 0) goto 0x12da6150;
				asm("movaps xmm0, xmm6");
				asm("andps xmm0, [0x14103]");
				asm("comisd xmm0, [0x140cb]");
				if (_t101 <= 0) goto 0x12da6150;
				asm("movaps xmm0, xmm6");
				0x12db277a();
				asm("cdq");
				_t158 =  *((intOrPtr*)(_t168 - 0x19));
				_t145 = (0x14f8b589 * ( *(_t168 - 0x49) ^ 0) * 0x7597 >> 0x20 >> 0xd) + (0x14f8b589 * ( *(_t168 - 0x49) ^ 0) * 0x7597 >> 0x20 >> 0xd >> 0x1f) + _t167 + 0x32;
				if (_t145 - _t158 > 0) goto 0x12da6170;
				 *((long long*)(_t168 - 0x19)) = _t145;
				_t124 =  >=  ?  *((void*)(_t168 - 0x29)) : _t168 - 0x29;
				 *((char*)(( >=  ?  *((void*)(_t168 - 0x29)) : _t168 - 0x29) + _t145)) = 0;
				goto 0x12da61bf;
				_t166 = _t145 - _t158;
				if (_t166 -  *((intOrPtr*)(_t168 - 0x11)) - _t158 > 0) goto 0x12da61a8;
				 *((long long*)(_t168 - 0x19)) = _t145;
				_t138 =  >=  ?  *((void*)(_t168 - 0x29)) : _t168 - 0x29;
				_t139 = ( >=  ?  *((void*)(_t168 - 0x29)) : _t168 - 0x29) + _t158;
				memset(??, ??, ??);
				 *((char*)(( >=  ?  *((void*)(_t168 - 0x29)) : _t168 - 0x29) + _t158 + _t166)) = 0;
				goto 0x12da61bf;
				 *((char*)(_t170 + 0x20)) = 0;
				r8d = 0;
				_t159 = _t166;
				E00007FF77FF712DA19D0(_t168 - 0x29, _t159, _t166, _t166, __rcx, __rdx);
				_t87 =  *(__r9 + 0x18);
				 *((char*)(_t168 - 9)) = 0x25;
				r8d = 0x2b;
				_t71 =  !=  ? r8d :  *(_t168 - 8) & 0x000000ff;
				 *(_t168 - 8) =  !=  ? r8d :  *(_t168 - 8) & 0x000000ff;
				_t128 =  !=  ? _t168 - 7 : _t168 - 8;
				if ((_t87 & 0x00000010) == 0) goto 0x12da61f6;
				 *_t128 = 0x23;
				_t129 = _t128 + 1;
				 *_t129 = 0x2a2e;
				_t81 = _t87 & 0x00003000;
				if ((_t87 & 0x00000004) == 0) goto 0x12da622b;
				if (_t81 != 0x2000) goto 0x12da6214;
				goto 0x12da6258;
				if (_t81 != 0x3000) goto 0x12da6220;
				goto 0x12da6258;
				_t38 = _t159 - 2; // 0x45
				r8d = _t38;
				goto 0x12da624e;
				if (_t81 != 0x2000) goto 0x12da6237;
				goto 0x12da6258;
				if (_t81 != 0x3000) goto 0x12da6243;
				goto 0x12da6258;
				r8d = 0x65;
				_t94 =  ==  ? r8d : 0x67;
				 *((char*)(_t129 + 2)) =  ==  ? r8d : 0x67;
				 *((char*)(_t129 + 3)) = 0;
				_t149 =  >=  ?  *((void*)(_t168 - 0x29)) : _t168 - 0x29;
				asm("movsd [esp+0x20], xmm6");
				r9d = 6;
				_t72 = E00007FF77FF712DA88E0(_t129,  >=  ?  *((void*)(_t168 - 0x29)) : _t168 - 0x29,  *((intOrPtr*)(_t168 - 0x19)), _t168 - 9, _t166);
				asm("inc ecx");
				asm("movaps [ebp-0x39], xmm0");
				_t131 =  >=  ?  *((void*)(_t168 - 0x29)) : _t168 - 0x29;
				 *((long long*)(_t170 + 0x30)) = _t72;
				 *((long long*)(_t170 + 0x28)) =  >=  ?  *((void*)(_t168 - 0x29)) : _t168 - 0x29;
				 *((short*)(_t170 + 0x20)) =  *(_t168 + 0x77) & 0x0000ffff;
				_t74 = E00007FF77FF712DA3D90(__ebx, _t81,  ==  ? r8d : 0x67, _t95, __ebp, __esp, ( >=  ?  *((void*)(_t168 - 0x29)) : _t168 - 0x29) + _t158, _t181, _t184, _t168 - 0x39, _t183);
				_t162 =  *((intOrPtr*)(_t168 - 0x11));
				if (_t162 - 0x10 < 0) goto 0x12da62fa;
				if (_t162 + 1 - 0x1000 < 0) goto 0x12da62f5;
				if ( *((intOrPtr*)(_t168 - 0x29)) -  *((intOrPtr*)( *((intOrPtr*)(_t168 - 0x29)) - 8)) + 0xfffffff8 - 0x1f > 0) goto 0x12da632c;
				0x12db3f50();
				_t75 = E00007FF77FF712DB4070(_t74, _t81,  ==  ? r8d : 0x67,  *(_t168 - 1) ^ _t170);
				asm("movaps xmm6, [esp+0x90]");
				return _t75;
			}

0x7ff712da6080
0x7ff712da608e
0x7ff712da6092
0x7ff712da6099
0x7ff712da60a1
0x7ff712da60a5
0x7ff712da60a9
0x7ff712da60b3
0x7ff712da60b7
0x7ff712da60bd
0x7ff712da60c0
0x7ff712da60c5
0x7ff712da60c9
0x7ff712da60cf
0x7ff712da60d3
0x7ff712da60da
0x7ff712da60df
0x7ff712da60e6
0x7ff712da60ed
0x7ff712da60f7
0x7ff712da60fc
0x7ff712da6101
0x7ff712da6103
0x7ff712da6106
0x7ff712da610d
0x7ff712da6115
0x7ff712da611b
0x7ff712da611e
0x7ff712da6126
0x7ff712da614c
0x7ff712da6150
0x7ff712da6157
0x7ff712da6159
0x7ff712da6165
0x7ff712da616a
0x7ff712da616e
0x7ff712da6173
0x7ff712da617f
0x7ff712da6181
0x7ff712da618d
0x7ff712da6192
0x7ff712da619d
0x7ff712da61a2
0x7ff712da61a6
0x7ff712da61a8
0x7ff712da61b0
0x7ff712da61b3
0x7ff712da61ba
0x7ff712da61bf
0x7ff712da61c3
0x7ff712da61d0
0x7ff712da61d6
0x7ff712da61da
0x7ff712da61e7
0x7ff712da61ee
0x7ff712da61f0
0x7ff712da61f3
0x7ff712da61f6
0x7ff712da61fd
0x7ff712da6206
0x7ff712da620e
0x7ff712da6212
0x7ff712da621a
0x7ff712da621e
0x7ff712da6225
0x7ff712da6225
0x7ff712da6229
0x7ff712da6231
0x7ff712da6235
0x7ff712da623d
0x7ff712da6241
0x7ff712da6248
0x7ff712da6254
0x7ff712da6258
0x7ff712da625b
0x7ff712da6268
0x7ff712da626d
0x7ff712da6273
0x7ff712da627e
0x7ff712da6286
0x7ff712da628b
0x7ff712da6298
0x7ff712da629d
0x7ff712da62a2
0x7ff712da62ab
0x7ff712da62bd
0x7ff712da62c3
0x7ff712da62cb
0x7ff712da62de
0x7ff712da62f3
0x7ff712da62f5
0x7ff712da6304
0x7ff712da6311
0x7ff712da632b

APIs

frexp.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF712DA611E
memset.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF712DA619D

Part of subcall function 00007FF712DA19D0: memset.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,?,?,FFFFFFFF,7FFFFFFFFFFFFFFE,00007FF712DA5498), ref: 00007FF712DA1AC5

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF712DA632C
frexp.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF712DA63DE
memset.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF712DA645D

Part of subcall function 00007FF712DA19D0: memset.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,?,?,FFFFFFFF,7FFFFFFFFFFFFFFE,00007FF712DA5498), ref: 00007FF712DA1B0F
Part of subcall function 00007FF712DA19D0: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,FFFFFFFF,7FFFFFFFFFFFFFFE,00007FF712DA5498), ref: 00007FF712DA1B3E

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF712DA65F0

Memory Dump Source

Source File: 00000000.00000002.252556355.00007FF712DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF712DA0000, based on PE: true

Associated: 00000000.00000002.252549842.00007FF712DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252705366.00007FF712DB9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252717639.00007FF712DC9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252722439.00007FF712DCB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff712da0000_Hydra.jbxd

Similarity

API ID: memset$_invalid_parameter_noinfo_noreturn$frexp
String ID:
API String ID: 10557478-0
Opcode ID: 0ec212c260a28bc209936fc98d8a13d88178ff4987c536964a00264c0e880033
Instruction ID: e41be1495e70cce98ed7d48522fa195de77431a69c538994dbe695f442808c7c
Opcode Fuzzy Hash: 0ec212c260a28bc209936fc98d8a13d88178ff4987c536964a00264c0e880033
Instruction Fuzzy Hash: F2024612B18A88C9FB649B74D4107FDA361EB85BA8F844231DE8C17BC9DEBCD549C360

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF712DB4BD0 Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.252556355.00007FF712DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF712DA0000, based on PE: true

Associated: 00000000.00000002.252549842.00007FF712DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252705366.00007FF712DB9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252717639.00007FF712DC9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252722439.00007FF712DCB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff712da0000_Hydra.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13450a5e3110363d0a4217b873084003e7fcb4409b2e74039d017c6253e56ce2
Instruction ID: 7a0af4f50b4afc3dd08df9491b0655cb6de95495c104d4fffa132cfc85a832c3
Opcode Fuzzy Hash: 13450a5e3110363d0a4217b873084003e7fcb4409b2e74039d017c6253e56ce2
Instruction Fuzzy Hash: 38A0012994CC5AE0EA44AB01E874166A228FB923A0BC00431D18D410A09EACA608D635

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF712DB14D0 Relevance: 42.4, APIs: 8, Strings: 16, Instructions: 437
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 17%

			E00007FF77FF712DB14D0(void* __ecx, void* __edx, long long __rbx, intOrPtr* __rcx, intOrPtr* __rdx, intOrPtr* __r8, void* __r9) {
				void* __rdi;
				void* __rsi;
				void* __rbp;
				void* __r13;
				void* __r14;
				void* __r15;
				void* _t146;
				void* _t165;
				void* _t171;
				void* _t228;
				signed long long _t229;
				intOrPtr* _t240;
				long long _t263;
				signed long long _t321;
				signed long long _t343;
				signed long long _t348;
				signed long long _t351;
				signed long long _t354;
				signed long long _t358;
				signed long long _t361;
				signed long long _t364;
				intOrPtr* _t367;
				intOrPtr* _t369;
				intOrPtr* _t370;
				signed int* _t372;
				void* _t373;
				signed long long _t374;
				signed long long _t390;
				long long _t391;
				intOrPtr* _t392;
				void* _t394;

				_t385 = __r9;
				_t260 = __rbx;
				_t171 = __ecx;
				_t228 = _t373;
				_t372 = _t228 - 0x68;
				_t374 = _t373 - 0x130;
				 *((long long*)(_t374 + 0x38)) = 0xfffffffe;
				 *((long long*)(_t228 + 0x20)) = __rbx;
				asm("movaps [eax-0x48], xmm6");
				asm("movaps [eax-0x58], xmm7");
				_t229 =  *0x12dc9568; // 0x438b11ead5c6
				 *_t372 = _t229 ^ _t374;
				_t392 = __r8;
				_t367 = __rdx;
				_t369 = __rcx;
				r13d = 0;
				r15d = r13d;
				 *(_t374 + 0x30) = r13d;
				_t389 = __rcx + 0x10;
				if ( *(__rcx + 0x10) - _t391 <= 0) goto 0x12db1579;
				asm("movdqa xmm0, [0x8cbe]");
				asm("movdqu [esp+0x70], xmm0");
				 *((intOrPtr*)(_t374 + 0x60)) = r13w;
				_t7 = _t391 + 0xb; // 0xb
				r8d = _t7;
				E00007FF77FF712DA56F0(__rbx, _t374 + 0x60, L"hostfxr.dll", __rcx, _t372, __r8);
				r15d = 1;
				 *(_t374 + 0x30) = r15d;
				_t377 = __r8;
				if (E00007FF77FF712DAD920(_t369, _t374 + 0x60, __r8, _t391) == 0) goto 0x12db1579;
				goto 0x12db157b;
				if ((r15b & 0x00000001) == 0) goto 0x12db15c7;
				r15d = r15d & 0xfffffffe;
				_t321 =  *((intOrPtr*)(_t374 + 0x78));
				if (_t321 - 8 < 0) goto 0x12db15c7;
				_t268 =  *((intOrPtr*)(_t374 + 0x60));
				if (2 + _t321 * 2 - 0x1000 < 0) goto 0x12db15c2;
				if ( *((intOrPtr*)(_t374 + 0x60)) -  *((intOrPtr*)(_t268 - 8)) + 0xfffffff8 - 0x1f > 0) goto 0x12db1b7d;
				0x12db3f50();
				if (0 == 0) goto 0x12db1609;
				if ( *((long long*)(_t392 + 0x18)) - 8 < 0) goto 0x12db15d5;
				E00007FF77FF712DAC6B0( *((intOrPtr*)(_t374 + 0x60)) -  *((intOrPtr*)(_t268 - 8)) + 0xfffffff8, L"Resolved fxr [%s]...",  *_t392, _t377, __r9);
				if (_t367 == _t369) goto 0x12db1602;
				if ( *((long long*)(_t369 + 0x18)) - 8 < 0) goto 0x12db15f3;
				_t370 =  *_t369;
				E00007FF77FF712DA56F0(_t260, _t367, _t370, _t370, _t372,  *_t389);
				goto 0x12db1b46;
				 *((long long*)(_t374 + 0x50)) = _t391;
				 *((long long*)(_t374 + 0x58)) = 7;
				 *((intOrPtr*)(_t374 + 0x40)) = r13w;
				E00007FF77FF712DAD240( *((intOrPtr*)(_t374 + 0x60)) -  *((intOrPtr*)(_t268 - 8)) + 0xfffffff8, _t372 - 0x60);
				_t274 =  >=  ?  *((void*)(_t372 - 0x60)) : _t372 - 0x60;
				E00007FF77FF712DAD5F0(_t260,  >=  ?  *((void*)(_t372 - 0x60)) : _t372 - 0x60, _t367, _t370, _t372, __r9);
				if (1 == 0) goto 0x12db166a;
				if ( *((long long*)(_t367 + 0x18)) - 8 < 0) goto 0x12db164e;
				_t328 =  >=  ?  *((void*)(_t372 - 0x60)) : _t372 - 0x60;
				E00007FF77FF712DAC6B0( *((intOrPtr*)(_t374 + 0x60)) -  *((intOrPtr*)(_t268 - 8)) + 0xfffffff8, L"Using environment variable %s=[%s] as runtime location.",  >=  ?  *((void*)(_t372 - 0x60)) : _t372 - 0x60,  *_t367, __r9);
				goto 0x12db16de;
				E00007FF77FF712DAF6B0(_t171, _t260, _t374 + 0x40, _t367, _t370, __r9,  *_t392);
				if (1 != 0) goto 0x12db1699;
				E00007FF77FF712DAEDE0(_t260, _t374 + 0x40, _t370, _t372, __r9, _t391);
				if (1 != 0) goto 0x12db1699;
				E00007FF77FF712DAC460( *((intOrPtr*)(_t374 + 0x60)) -  *((intOrPtr*)(_t268 - 8)) + 0xfffffff8, L"A fatal error occurred, the default install location cannot be obtained.",  >=  ?  *((void*)(_t372 - 0x60)) : _t372 - 0x60,  *_t367, __r9);
				goto 0x12db1ab3;
				_t330 =  >=  ?  *((void*)(_t374 + 0x40)) : _t374 + 0x40;
				E00007FF77FF712DAC6B0( *((intOrPtr*)(_t374 + 0x60)) -  *((intOrPtr*)(_t268 - 8)) + 0xfffffff8, L"Using global installation location [%s] as runtime location.",  >=  ?  *((void*)(_t374 + 0x40)) : _t374 + 0x40,  *_t367, _t385);
				if (_t367 == _t374 + 0x40) goto 0x12db16de;
				_t332 =  >=  ?  *((void*)(_t374 + 0x40)) : _t374 + 0x40;
				E00007FF77FF712DA56F0(_t260, _t367,  >=  ?  *((void*)(_t374 + 0x40)) : _t374 + 0x40, _t370, _t372,  *((intOrPtr*)(_t374 + 0x50)));
				asm("xorps xmm0, xmm0");
				asm("movdqu [ebp-0x70], xmm0");
				_t390 =  *((intOrPtr*)(_t367 + 0x10));
				if ( *((long long*)(_t367 + 0x18)) - 8 < 0) goto 0x12db16f4;
				if (_t390 - 8 >= 0) goto 0x12db170b;
				asm("movups xmm0, [edi]");
				asm("movups [ebp-0x80], xmm0");
				 *((long long*)(_t372 - 0x68)) = 7;
				goto 0x12db174b;
				_t263 =  >  ? 0xfffffffe : _t390 | 0x00000007;
				_t146 = E00007FF77FF712DA53B0(_t263 + 1);
				 *((long long*)(_t372 - 0x80)) = 0xfffffffe;
				E00007FF77FF712DB5690(_t146, 0xfffffffe,  *_t367, 2 + _t390 * 2);
				 *((long long*)(_t372 - 0x68)) = _t263;
				 *(_t372 - 0x70) = _t390;
				E00007FF77FF712DACD10(_t263, _t372 - 0x80, L"host", _t391);
				E00007FF77FF712DACD10(_t263, _t372 - 0x80, L"fxr", _t391);
				E00007FF77FF712DAE980(_t263, _t372 - 0x80, _t370);
				if (1 != 0) goto 0x12db1a2d;
				if ( *((long long*)(_t374 + 0x50)) != 0) goto 0x12db17a4;
				E00007FF77FF712DAF6B0(_t171, _t263, _t374 + 0x40,  *_t367, _t370, _t385,  *_t392);
				if ( *((long long*)(_t374 + 0x50)) != 0) goto 0x12db17a4;
				E00007FF77FF712DAEDE0(_t263, _t374 + 0x40, _t370, _t372, _t385, _t391);
				 *((long long*)(_t372 - 0x10)) = _t391;
				 *((long long*)(_t372 - 8)) = 7;
				 *((intOrPtr*)(_t372 - 0x20)) = r13w;
				asm("movdqa xmm0, [0x8a33]");
				asm("movdqu [ebp-0x30], xmm0");
				 *((intOrPtr*)(_t372 - 0x40)) = r13w;
				E00007FF77FF712DAF440(_t263, _t372 - 0x20,  *_t367, _t391);
				if (1 == 0) goto 0x12db18bb;
				asm("movdqa xmm0, [0x8a10]");
				asm("movdqu [esp+0x70], xmm0");
				 *((intOrPtr*)(_t374 + 0x60)) = r13w;
				r15d = r15d | 0x00000002;
				 *(_t374 + 0x30) = r15d;
				E00007FF77FF712DADC50(_t374 + 0x60,  *((intOrPtr*)(_t372 - 0x10)) + 0x26, _t370, _t394);
				r8d = 0x26;
				E00007FF77FF712DAAE00(_t263, _t374 + 0x60, L" or register the runtime location in [", _t372, 2 + _t390 * 2, _t391);
				_t341 =  >=  ?  *((void*)(_t372 - 0x20)) : _t372 - 0x20;
				E00007FF77FF712DAAE00(_t263, _t374 + 0x60,  >=  ?  *((void*)(_t372 - 0x20)) : _t372 - 0x20, _t372,  *((intOrPtr*)(_t372 - 0x10)), _t391);
				r8d = 1;
				E00007FF77FF712DAAE00(_t263, _t374 + 0x60, "]", _t372,  *((intOrPtr*)(_t372 - 0x10)), _t391);
				asm("movups xmm6, [eax]");
				asm("movups xmm7, [eax+0x10]");
				 *0x800000000000000E = _t391;
				 *0x8000000000000016 = 7;
				 *0xfffffffe = r13w;
				E00007FF77FF712DA5300(_t372 - 0x40);
				asm("movups [ebp-0x40], xmm6");
				asm("movups [ebp-0x30], xmm7");
				_t343 =  *((intOrPtr*)(_t374 + 0x78));
				if (_t343 - 8 < 0) goto 0x12db18bb;
				if (2 + _t343 * 2 - 0x1000 < 0) goto 0x12db18b6;
				if ( *((intOrPtr*)(_t374 + 0x60)) -  *((intOrPtr*)( *((intOrPtr*)(_t374 + 0x60)) - 8)) + 0xfffffff8 - 0x1f > 0) goto 0x12db1b83;
				0x12db3f50();
				_t240 =  >=  ?  *((void*)(_t372 - 0x40)) : _t372 - 0x40;
				_t297 =  >=  ?  *((void*)(_t372 - 0x60)) : _t372 - 0x60;
				_t387 =  >=  ?  *((void*)(_t374 + 0x40)) : _t374 + 0x40;
				if ( *((long long*)(_t370 + 0x18)) - 8 < 0) goto 0x12db18f2;
				 *((long long*)(_t374 + 0x28)) = _t240;
				 *((long long*)(_t374 + 0x20)) =  >=  ?  *((void*)(_t372 - 0x60)) : _t372 - 0x60;
				E00007FF77FF712DAC460(_t240, L"A fatal error occurred. The required library %s could not be found.\nIf this is a self-contained application, that library should exist in [%s].\nIf this is a framework-dependent application, install the runtime in the global location [%s] or use the %s environment variable to specify the runtime location%s.", L"hostfxr.dll",  *_t370,  >=  ?  *((void*)(_t374 + 0x40)) : _t374 + 0x40);
				E00007FF77FF712DAC460(_t240, 0x12db9f90, L"hostfxr.dll",  *_t370,  >=  ?  *((void*)(_t374 + 0x40)) : _t374 + 0x40);
				E00007FF77FF712DAC460(_t240, L"The .NET Core runtime can be found at:", L"hostfxr.dll",  *_t370,  >=  ?  *((void*)(_t374 + 0x40)) : _t374 + 0x40);
				r8d = 0;
				E00007FF77FF712DAD290(_t374 + 0x60, L"hostfxr.dll",  *_t370, _t391);
				if ( *((long long*)(_t240 + 0x18)) - 8 < 0) goto 0x12db1944;
				E00007FF77FF712DAC460( *_t240, L"  - %s",  *_t240,  *_t370,  >=  ?  *((void*)(_t374 + 0x40)) : _t374 + 0x40);
				_t348 =  *((intOrPtr*)(_t374 + 0x78));
				if (_t348 - 8 < 0) goto 0x12db1997;
				if (2 + _t348 * 2 - 0x1000 < 0) goto 0x12db1991;
				if ( *((intOrPtr*)(_t374 + 0x60)) -  *((intOrPtr*)( *((intOrPtr*)(_t374 + 0x60)) - 8)) + 0xfffffff8 - 0x1f > 0) goto 0x12db1b89;
				0x12db3f50();
				_t351 =  *((intOrPtr*)(_t372 - 0x28));
				if (_t351 - 8 < 0) goto 0x12db19d7;
				if (2 + _t351 * 2 - 0x1000 < 0) goto 0x12db19d2;
				if ( *((intOrPtr*)(_t372 - 0x40)) -  *((intOrPtr*)( *((intOrPtr*)(_t372 - 0x40)) - 8)) + 0xfffffff8 - 0x1f > 0) goto 0x12db1b8f;
				0x12db3f50();
				asm("movdqa xmm0, [0x8811]");
				asm("movdqu [ebp-0x30], xmm0");
				 *((intOrPtr*)(_t372 - 0x40)) = r13w;
				_t354 =  *((intOrPtr*)(_t372 - 8));
				if (_t354 - 8 < 0) goto 0x12db1a29;
				if (2 + _t354 * 2 - 0x1000 < 0) goto 0x12db1a24;
				if ( *((intOrPtr*)(_t372 - 0x20)) -  *((intOrPtr*)( *((intOrPtr*)(_t372 - 0x20)) - 8)) + 0xfffffff8 - 0x1f > 0) goto 0x12db1b95;
				0x12db3f50();
				goto 0x12db1a61;
				asm("movups xmm0, [ebp-0x80]");
				asm("movups [esp+0x60], xmm0");
				asm("movups xmm1, [ebp-0x70]");
				asm("movups [esp+0x70], xmm1");
				asm("movdqa xmm0, [0x87a9]");
				asm("movdqu [ebp-0x70], xmm0");
				 *((intOrPtr*)(_t372 - 0x80)) = r13w;
				0x12db0f20();
				_t358 =  *((intOrPtr*)(_t372 - 0x68));
				if (_t358 - 8 < 0) goto 0x12db1aa1;
				if (2 + _t358 * 2 - 0x1000 < 0) goto 0x12db1a9c;
				if ( *((intOrPtr*)(_t372 - 0x80)) -  *((intOrPtr*)( *((intOrPtr*)(_t372 - 0x80)) - 8)) + 0xfffffff8 - 0x1f > 0) goto 0x12db1b9b;
				0x12db3f50();
				asm("movdqa xmm0, [0x8747]");
				asm("movdqu [ebp-0x70], xmm0");
				 *((intOrPtr*)(_t372 - 0x80)) = r13w;
				_t361 =  *((intOrPtr*)(_t372 - 0x48));
				if (_t361 - 8 < 0) goto 0x12db1af3;
				if (2 + _t361 * 2 - 0x1000 < 0) goto 0x12db1aee;
				if ( *((intOrPtr*)(_t372 - 0x60)) -  *((intOrPtr*)( *((intOrPtr*)(_t372 - 0x60)) - 8)) + 0xfffffff8 - 0x1f > 0) goto 0x12db1ba1;
				0x12db3f50();
				asm("movdqa xmm0, [0x86f5]");
				asm("movdqu [ebp-0x50], xmm0");
				 *((intOrPtr*)(_t372 - 0x60)) = r13w;
				_t364 =  *((intOrPtr*)(_t374 + 0x58));
				if (_t364 - 8 < 0) goto 0x12db1b43;
				if (2 + _t364 * 2 - 0x1000 < 0) goto 0x12db1b3e;
				if ( *((intOrPtr*)(_t374 + 0x40)) -  *((intOrPtr*)( *((intOrPtr*)(_t374 + 0x40)) - 8)) + 0xfffffff8 - 0x1f > 0) goto 0x12db1b77;
				0x12db3f50();
				_t165 = E00007FF77FF712DB4070(0, _t171, 0,  *_t372 ^ _t374);
				asm("inc ecx");
				asm("inc ecx");
				return _t165;
			}

0x7ff712db14d0
0x7ff712db14d0
0x7ff712db14d0
0x7ff712db14d0
0x7ff712db14de
0x7ff712db14e2
0x7ff712db14e9
0x7ff712db14f2
0x7ff712db14f6
0x7ff712db14fa
0x7ff712db14fe
0x7ff712db1508
0x7ff712db150c
0x7ff712db150f
0x7ff712db1512
0x7ff712db1515
0x7ff712db1518
0x7ff712db151b
0x7ff712db1520
0x7ff712db1528
0x7ff712db152a
0x7ff712db1532
0x7ff712db1538
0x7ff712db153e
0x7ff712db153e
0x7ff712db154e
0x7ff712db1554
0x7ff712db155a
0x7ff712db155f
0x7ff712db1571
0x7ff712db1577
0x7ff712db157f
0x7ff712db1581
0x7ff712db1585
0x7ff712db158e
0x7ff712db1598
0x7ff712db15a7
0x7ff712db15bc
0x7ff712db15c2
0x7ff712db15c9
0x7ff712db15d0
0x7ff712db15df
0x7ff712db15e7
0x7ff712db15ee
0x7ff712db15f0
0x7ff712db15fd
0x7ff712db1604
0x7ff712db1609
0x7ff712db160e
0x7ff712db1617
0x7ff712db1621
0x7ff712db1630
0x7ff712db1638
0x7ff712db163f
0x7ff712db1649
0x7ff712db1657
0x7ff712db1663
0x7ff712db1668
0x7ff712db166f
0x7ff712db1676
0x7ff712db167d
0x7ff712db1684
0x7ff712db168d
0x7ff712db1694
0x7ff712db16a4
0x7ff712db16b1
0x7ff712db16be
0x7ff712db16cb
0x7ff712db16d9
0x7ff712db16de
0x7ff712db16e1
0x7ff712db16e6
0x7ff712db16ef
0x7ff712db16f8
0x7ff712db16fa
0x7ff712db16fd
0x7ff712db1701
0x7ff712db1709
0x7ff712db171f
0x7ff712db172b
0x7ff712db1730
0x7ff712db1742
0x7ff712db1747
0x7ff712db174b
0x7ff712db175a
0x7ff712db176a
0x7ff712db1773
0x7ff712db177a
0x7ff712db1786
0x7ff712db178d
0x7ff712db1798
0x7ff712db179f
0x7ff712db17a4
0x7ff712db17a8
0x7ff712db17b0
0x7ff712db17b5
0x7ff712db17bd
0x7ff712db17c2
0x7ff712db17cb
0x7ff712db17d2
0x7ff712db17d8
0x7ff712db17e0
0x7ff712db17e6
0x7ff712db17ec
0x7ff712db17f0
0x7ff712db1802
0x7ff712db1807
0x7ff712db1819
0x7ff712db1827
0x7ff712db1835
0x7ff712db183a
0x7ff712db184c
0x7ff712db1851
0x7ff712db1854
0x7ff712db1858
0x7ff712db185c
0x7ff712db1864
0x7ff712db186c
0x7ff712db1871
0x7ff712db1875
0x7ff712db1879
0x7ff712db1882
0x7ff712db189b
0x7ff712db18b0
0x7ff712db18b6
0x7ff712db18c4
0x7ff712db18d2
0x7ff712db18e2
0x7ff712db18ed
0x7ff712db18f2
0x7ff712db18f7
0x7ff712db190d
0x7ff712db1919
0x7ff712db1925
0x7ff712db192a
0x7ff712db1934
0x7ff712db193f
0x7ff712db194e
0x7ff712db1954
0x7ff712db195d
0x7ff712db1976
0x7ff712db198b
0x7ff712db1991
0x7ff712db1997
0x7ff712db199f
0x7ff712db19b7
0x7ff712db19cc
0x7ff712db19d2
0x7ff712db19d7
0x7ff712db19df
0x7ff712db19e4
0x7ff712db19e9
0x7ff712db19f1
0x7ff712db1a09
0x7ff712db1a1e
0x7ff712db1a24
0x7ff712db1a2b
0x7ff712db1a2d
0x7ff712db1a31
0x7ff712db1a36
0x7ff712db1a3a
0x7ff712db1a3f
0x7ff712db1a47
0x7ff712db1a4c
0x7ff712db1a59
0x7ff712db1a61
0x7ff712db1a69
0x7ff712db1a81
0x7ff712db1a96
0x7ff712db1a9c
0x7ff712db1aa1
0x7ff712db1aa9
0x7ff712db1aae
0x7ff712db1ab3
0x7ff712db1abb
0x7ff712db1ad3
0x7ff712db1ae8
0x7ff712db1aee
0x7ff712db1af3
0x7ff712db1afb
0x7ff712db1b00
0x7ff712db1b05
0x7ff712db1b0e
0x7ff712db1b27
0x7ff712db1b3c
0x7ff712db1b3e
0x7ff712db1b4d
0x7ff712db1b5e
0x7ff712db1b63
0x7ff712db1b76

APIs

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF712DB1B77
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF712DB1B7D
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF712DB1B83
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF712DB1B89
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF712DB1B8F
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF712DB1B95
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF712DB1B9B
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF712DB1BA1

Part of subcall function 00007FF712DAC460: EnterCriticalSection.KERNEL32 ref: 00007FF712DAC498
Part of subcall function 00007FF712DAC460: __stdio_common_vswprintf.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF712DAC4CE
Part of subcall function 00007FF712DAC460: __stdio_common_vswprintf.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF712DAC519
Part of subcall function 00007FF712DAC460: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF712DAC544
Part of subcall function 00007FF712DAC460: fputws.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF712DAC54F
Part of subcall function 00007FF712DAC460: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF712DAC557
Part of subcall function 00007FF712DAC460: fputwc.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF712DAC562
Part of subcall function 00007FF712DAC460: OutputDebugStringW.KERNEL32 ref: 00007FF712DAC575
Part of subcall function 00007FF712DAC460: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF712DAC589
Part of subcall function 00007FF712DAC460: __stdio_common_vfwprintf.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF712DAC5B6
Part of subcall function 00007FF712DAC460: fputwc.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF712DAC5C3

Strings

- %s, xrefs: 00007FF712DB1947
host, xrefs: 00007FF712DB174F
or register the runtime location in [, xrefs: 00007FF712DB180D
fxr, xrefs: 00007FF712DB175F
hostfxr.dll, xrefs: 00007FF712DB11FB, 00007FF712DB1379, 00007FF712DB1542, 00007FF712DB18FF
Using global installation location [%s] as runtime location., xrefs: 00007FF712DB16AA
A fatal error occurred, the folder [%s] does not contain any version-numbered child folders, xrefs: 00007FF712DB1112
Considering fxr version=[%s]..., xrefs: 00007FF712DB0FC1
Detected latest fxr version=[%s]..., xrefs: 00007FF712DB11D5
The .NET Core runtime can be found at:, xrefs: 00007FF712DB191E
Reading fx resolver directory=[%s], xrefs: 00007FF712DB0F6D
Using environment variable %s=[%s] as runtime location., xrefs: 00007FF712DB165C
A fatal error occurred, the required library %s could not be found in [%s], xrefs: 00007FF712DB1380
A fatal error occurred, the default install location cannot be obtained., xrefs: 00007FF712DB1686
A fatal error occurred. The required library %s could not be found.If this is a self-contained application, that library should e, xrefs: 00007FF712DB1906
Resolved fxr [%s]..., xrefs: 00007FF712DB1276, 00007FF712DB15D8

Memory Dump Source

Source File: 00000000.00000002.252556355.00007FF712DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF712DA0000, based on PE: true

Associated: 00000000.00000002.252549842.00007FF712DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252705366.00007FF712DB9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252717639.00007FF712DC9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252722439.00007FF712DCB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff712da0000_Hydra.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$__acrt_iob_func$__stdio_common_vswprintffputwc$CriticalDebugEnterOutputSectionString__stdio_common_vfwprintffputws
String ID: - %s$ or register the runtime location in [$A fatal error occurred, the default install location cannot be obtained.$A fatal error occurred, the folder [%s] does not contain any version-numbered child folders$A fatal error occurred, the required library %s could not be found in [%s]$A fatal error occurred. The required library %s could not be found.If this is a self-contained application, that library should e$Considering fxr version=[%s]...$Detected latest fxr version=[%s]...$Reading fx resolver directory=[%s]$Resolved fxr [%s]...$The .NET Core runtime can be found at:$Using environment variable %s=[%s] as runtime location.$Using global installation location [%s] as runtime location.$fxr$host$hostfxr.dll
API String ID: 3397661578-2114547534
Opcode ID: 14305e560ffe7074957a71d28d07e1895f3e25e3cce461538c471b1e8c832928
Instruction ID: cd725d6f68c7b0853c01bf72ee07ec9e59670fc0a2c8bd0bbeaf864e420c8385
Opcode Fuzzy Hash: 14305e560ffe7074957a71d28d07e1895f3e25e3cce461538c471b1e8c832928
Instruction Fuzzy Hash: 3612AA62F18F8A91EA00AB65D4542ADA371FB467B4F905231DADD036D5DFBCE648C330

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF712DA8EA0 Relevance: 31.7, APIs: 7, Strings: 11, Instructions: 237
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 24%

			E00007FF77FF712DA8EA0(long long __rbx, void* __rcx, intOrPtr* __rdx) {
				void* __rsi;
				void* __r13;
				void* _t77;
				void* _t80;
				void* _t84;
				void* _t88;
				void* _t92;
				signed long long _t129;
				signed long long _t130;
				intOrPtr* _t135;
				signed long long _t145;
				signed long long _t148;
				intOrPtr _t157;
				short* _t159;
				short* _t160;
				void* _t168;
				intOrPtr _t189;
				signed long long _t191;
				void* _t195;
				signed long long _t199;
				signed long long _t202;
				intOrPtr* _t205;
				intOrPtr* _t207;
				signed long long _t209;
				void* _t210;
				void* _t211;
				signed long long _t212;
				void* _t218;
				signed long long _t219;
				signed long long _t221;
				void* _t224;

				_t210 = _t211 - 0x27;
				_t212 = _t211 - 0xa0;
				 *((long long*)(_t210 - 0x51)) = 0xfffffffe;
				 *((long long*)(_t212 + 0xf0)) = __rbx;
				_t129 =  *0x12dc9568; // 0x438b11ead5c6
				_t130 = _t129 ^ _t212;
				 *(_t210 + 0x17) = _t130;
				_t205 = __rdx;
				_t224 = __rcx;
				_t207 = __rcx + 0x58;
				r12d = 0;
				 *(_t210 - 0x19) = _t219;
				 *(_t210 - 0x11) = _t219;
				_t221 =  *((intOrPtr*)(_t207 + 0x10));
				if ( *((long long*)(_t207 + 0x18)) - 8 < 0) goto 0x12da8ef9;
				if (_t221 - 8 >= 0) goto 0x12da8f1a;
				asm("movups xmm0, [esi]");
				asm("movups [ebp-0x29], xmm0");
				 *(_t210 - 0x11) = 7;
				goto 0x12da8f50;
				_t145 =  >  ? 0xfffffffe : _t221 | 0x00000007;
				_t77 = E00007FF77FF712DA53B0(_t145 + 1);
				 *(_t210 - 0x29) = _t130;
				E00007FF77FF712DB5690(_t77, _t130,  *_t207, 2 + _t221 * 2);
				 *(_t210 - 0x11) = _t145;
				 *(_t210 - 0x19) = _t221;
				if ( *((long long*)(__rdx + 0x18)) - 8 < 0) goto 0x12da8f61;
				_t19 = _t210 - 0x29; // 0x7fffffffffffffd5
				E00007FF77FF712DACD10(_t145, _t19,  *__rdx, 0xfffffffe);
				 *(_t210 - 0x39) = _t219;
				 *(_t210 - 0x31) = _t219;
				_t209 =  *((intOrPtr*)(_t224 + 0x48));
				if ( *((long long*)(_t224 + 0x50)) - 8 < 0) goto 0x12da8f85;
				if (_t209 - 8 >= 0) goto 0x12da8f9d;
				asm("inc ecx");
				asm("movups [ebp-0x49], xmm0");
				 *(_t210 - 0x31) = 7;
				goto 0x12da8fd3;
				_t148 =  >  ? 0xfffffffe : _t209 | 0x00000007;
				_t80 = E00007FF77FF712DA53B0(_t148 + 1);
				 *(_t210 - 0x49) = _t130;
				E00007FF77FF712DB5690(_t80, _t130,  *((intOrPtr*)(_t224 + 0x38)), 2 + _t209 * 2);
				 *(_t210 - 0x31) = _t148;
				 *(_t210 - 0x39) = _t209;
				if ( *((long long*)(_t205 + 0x18)) - 8 < 0) goto 0x12da8fe4;
				_t35 = _t210 - 0x49; // 0x7fffffffffffffb5
				E00007FF77FF712DACD10(_t148, _t35,  *_t205, 0xfffffffe);
				if ( *((long long*)(_t205 + 0x18)) - 8 < 0) goto 0x12da8ffa;
				_t189 =  *_t205;
				_t157 =  *((intOrPtr*)(_t205 + 0x10));
				if (_t157 == 0) goto 0x12da9094;
				_t132 =  <  ? _t157 - 1 : 0xffffffff;
				_t159 = _t189 + ( <  ? _t157 - 1 : 0xffffffff) * 2;
				if ( *_t159 == 0x5c) goto 0x12da9031;
				if (_t159 == _t189) goto 0x12da9094;
				_t160 = _t159 - 2;
				if ( *_t160 != 0x5c) goto 0x12da9022;
				if (_t160 - _t189 >> 1 == 0xffffffff) goto 0x12da9094;
				_t40 = _t210 - 0x49; // 0x7fffffffffffffb5
				_t41 = _t210 - 9; // 0x7ffffffffffffff5
				E00007FF77FF712DACF10(_t148, _t41, _t40);
				_t84 = E00007FF77FF712DA9250( <  ? _t157 - 1 : 0xffffffff);
				_t191 =  *((intOrPtr*)(_t210 + 0xf));
				if (_t191 - 8 < 0) goto 0x12da9094;
				if (2 + _t191 * 2 - 0x1000 < 0) goto 0x12da908f;
				_t135 =  *((intOrPtr*)(_t210 - 9)) -  *((intOrPtr*)( *((intOrPtr*)(_t210 - 9)) - 8)) + 0xfffffff8;
				if (_t135 - 0x1f > 0) goto 0x12da9242;
				0x12db3f50();
				asm("o16 nop [eax+eax]");
				_t47 = _t210 - 0x49; // 0x7fffffffffffffb5
				_t195 =  >=  ?  *(_t210 - 0x49) : _t47;
				_t50 = _t210 - 0x29; // 0x7fffffffffffffd5
				_t168 =  >=  ?  *(_t210 - 0x29) : _t50;
				0x12db27a4();
				if (_t84 == 0) goto 0x12da9132;
				0x12db279e();
				_t53 = _t210 - 0x49; // 0x7fffffffffffffb5
				if (E00007FF77FF712DAE980(_t148, _t53, _t209) != 0) goto 0x12da9126;
				if ( *_t135 != 0xd) goto 0x12da9206;
				_t54 = _t210 - 0x49; // 0x7fffffffffffffb5
				_t217 =  >=  ?  *(_t210 - 0x49) : _t54;
				_t57 = _t210 - 0x29; // 0x7fffffffffffffd5
				_t197 =  >=  ?  *(_t210 - 0x29) : _t57;
				E00007FF77FF712DAC6B0(_t135, L"Retrying Rename [%s] to [%s] due to EACCES error",  >=  ?  *(_t210 - 0x29) : _t57,  >=  ?  *(_t210 - 0x49) : _t54, _t218);
				Sleep(??);
				if (r12d + 1 - 0x1f4 >= 0) goto 0x12da9206;
				goto 0x12da90a0;
				E00007FF77FF712DAC6B0(_t135, L"Extraction completed by another process, aborting current extraction.",  >=  ?  *(_t210 - 0x29) : _t57,  >=  ?  *(_t210 - 0x49) : _t54, _t218);
				if ( *((long long*)(_t205 + 0x18)) - 8 < 0) goto 0x12da913c;
				_t88 = E00007FF77FF712DAC6B0(_t135, L"Extraction recovered [%s]",  *_t205,  >=  ?  *(_t210 - 0x49) : _t54, _t218);
				_t199 =  *(_t210 - 0x31);
				if (_t199 - 8 < 0) goto 0x12da918c;
				if (2 + _t199 * 2 - 0x1000 < 0) goto 0x12da9187;
				if ( *(_t210 - 0x49) -  *((intOrPtr*)( *(_t210 - 0x49) - 8)) + 0xfffffff8 - 0x1f > 0) goto 0x12da9248;
				0x12db3f50();
				 *(_t210 - 0x39) = _t219;
				 *(_t210 - 0x31) = 7;
				 *(_t210 - 0x49) = r12w;
				_t202 =  *(_t210 - 0x11);
				if (_t202 - 8 < 0) goto 0x12da91d9;
				if (2 + _t202 * 2 - 0x1000 < 0) goto 0x12da91d4;
				if ( *(_t210 - 0x29) -  *((intOrPtr*)( *(_t210 - 0x29) - 8)) + 0xfffffff8 - 0x1f > 0) goto 0x12da9200;
				0x12db3f50();
				return E00007FF77FF712DB4070(_t88, _t148 + 0x57, _t92,  *(_t210 + 0x17) ^ _t212);
			}

0x7ff712da8eac
0x7ff712da8eb1
0x7ff712da8eb8
0x7ff712da8ec0
0x7ff712da8ec8
0x7ff712da8ecf
0x7ff712da8ed2
0x7ff712da8ed6
0x7ff712da8ed9
0x7ff712da8edc
0x7ff712da8ee0
0x7ff712da8ee3
0x7ff712da8ee7
0x7ff712da8eeb
0x7ff712da8ef4
0x7ff712da8f07
0x7ff712da8f09
0x7ff712da8f0c
0x7ff712da8f10
0x7ff712da8f18
0x7ff712da8f24
0x7ff712da8f30
0x7ff712da8f35
0x7ff712da8f47
0x7ff712da8f4c
0x7ff712da8f50
0x7ff712da8f5c
0x7ff712da8f61
0x7ff712da8f65
0x7ff712da8f6a
0x7ff712da8f6e
0x7ff712da8f72
0x7ff712da8f7f
0x7ff712da8f89
0x7ff712da8f8b
0x7ff712da8f8f
0x7ff712da8f93
0x7ff712da8f9b
0x7ff712da8fa7
0x7ff712da8fb3
0x7ff712da8fb8
0x7ff712da8fca
0x7ff712da8fcf
0x7ff712da8fd3
0x7ff712da8fdf
0x7ff712da8fe4
0x7ff712da8fe8
0x7ff712da8ff5
0x7ff712da8ff7
0x7ff712da8ffa
0x7ff712da9001
0x7ff712da9014
0x7ff712da9018
0x7ff712da9020
0x7ff712da9025
0x7ff712da9027
0x7ff712da902f
0x7ff712da903b
0x7ff712da903d
0x7ff712da9041
0x7ff712da9045
0x7ff712da904e
0x7ff712da9054
0x7ff712da905c
0x7ff712da9074
0x7ff712da9081
0x7ff712da9089
0x7ff712da908f
0x7ff712da9097
0x7ff712da90a0
0x7ff712da90a9
0x7ff712da90ae
0x7ff712da90b7
0x7ff712da90bc
0x7ff712da90c3
0x7ff712da90c5
0x7ff712da90cc
0x7ff712da90d7
0x7ff712da90dc
0x7ff712da90e2
0x7ff712da90eb
0x7ff712da90f0
0x7ff712da90f9
0x7ff712da9105
0x7ff712da910d
0x7ff712da911b
0x7ff712da9121
0x7ff712da912d
0x7ff712da9137
0x7ff712da9146
0x7ff712da914c
0x7ff712da9154
0x7ff712da916c
0x7ff712da9181
0x7ff712da9187
0x7ff712da918c
0x7ff712da9190
0x7ff712da9198
0x7ff712da919d
0x7ff712da91a5
0x7ff712da91bd
0x7ff712da91d2
0x7ff712da91d4
0x7ff712da91ff

APIs

_wrename.API-MS-WIN-CRT-FILESYSTEM-L1-1-0 ref: 00007FF712DA90BC
Sleep.KERNEL32 ref: 00007FF712DA910D
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF712DA90C5

Part of subcall function 00007FF712DAC6B0: EnterCriticalSection.KERNEL32 ref: 00007FF712DAC6E3
Part of subcall function 00007FF712DAC6B0: __stdio_common_vfwprintf.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF712DAC70C
Part of subcall function 00007FF712DAC6B0: fputwc.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF712DAC719
Part of subcall function 00007FF712DAC6B0: LeaveCriticalSection.KERNEL32 ref: 00007FF712DAC726

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF712DA9200
_CxxThrowException.LIBVCRUNTIME ref: 00007FF712DA923C
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF712DA9242
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF712DA9248

Strings

Extraction completed by another process, aborting current extraction., xrefs: 00007FF712DA9126, 00007FF712DA9A2A
Temporary directory used to extract bundled files is [%s], xrefs: 00007FF712DA9702
Completed new extraction., xrefs: 00007FF712DA9A4C
Failed to open file [%s] for writing, xrefs: 00007FF712DA95F7
Files embedded within the bundled will be extracted to [%s] directory, xrefs: 00007FF712DA9847
Failed to commit extracted files to directory [%s]., xrefs: 00007FF712DA921E, 00007FF712DA9AF6
Retrying Rename [%s] to [%s] due to EACCES error, xrefs: 00007FF712DA90FE
Extraction recovered [%s], xrefs: 00007FF712DA913F
Failed to determine location for extracting embedded files, xrefs: 00007FF712DA98C2
DOTNET_BUNDLE_EXTRACT_BASE_DIR is not set, and a read-write cache directory couldn't be created., xrefs: 00007FF712DA98CE
Failure processing application bundle., xrefs: 00007FF712DA9206, 00007FF712DA95DF, 00007FF712DA98B6, 00007FF712DA9ADE

Memory Dump Source

Source File: 00000000.00000002.252556355.00007FF712DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF712DA0000, based on PE: true

Associated: 00000000.00000002.252549842.00007FF712DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252705366.00007FF712DB9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252717639.00007FF712DC9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252722439.00007FF712DCB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff712da0000_Hydra.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$CriticalSection$EnterExceptionLeaveSleepThrow__stdio_common_vfwprintf_errno_wrenamefputwc
String ID: Completed new extraction.$DOTNET_BUNDLE_EXTRACT_BASE_DIR is not set, and a read-write cache directory couldn't be created.$Extraction completed by another process, aborting current extraction.$Extraction recovered [%s]$Failed to commit extracted files to directory [%s].$Failed to determine location for extracting embedded files$Failed to open file [%s] for writing$Failure processing application bundle.$Files embedded within the bundled will be extracted to [%s] directory$Retrying Rename [%s] to [%s] due to EACCES error$Temporary directory used to extract bundled files is [%s]
API String ID: 2341520270-2084913442
Opcode ID: 6101915226dbe1efbae134d8ce72e583bb7fda285a3ad1ff8964a6c39d018558
Instruction ID: cffe1a5f1cb61d1f5d4f7ff9f0b0abebb5239f160066d5c33af230f3496facdc
Opcode Fuzzy Hash: 6101915226dbe1efbae134d8ce72e583bb7fda285a3ad1ff8964a6c39d018558
Instruction Fuzzy Hash: 8EA1C122B04E4A95EF00EB64D4546ECA372EB45BB8F804235DEAD13AD9DFB8D149C370

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF712DA9900 Relevance: 24.6, APIs: 5, Strings: 9, Instructions: 71
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 19%

			E00007FF77FF712DA9900(void* __ecx, long long __rax, long long __rbx, intOrPtr* __rcx, long long __rsi, void* __rbp, void* __r8, void* __r9, long long _a8, signed char _a16, long long _a24, long long _a32) {
				long long _v40;
				intOrPtr _v44;
				void* __rdi;
				void* _t26;
				void* _t31;
				void* _t36;
				void* _t43;
				signed int _t44;
				void* _t45;
				long long _t59;
				long long _t60;
				intOrPtr* _t90;
				intOrPtr* _t92;
				void* _t98;
				void* _t100;

				_t100 = __r9;
				_t98 = __r8;
				_t94 = __rbp;
				_t59 = __rax;
				_t45 = __ecx;
				_a8 = __rcx;
				_v40 = 0xfffffffe;
				_a24 = __rbx;
				_a32 = __rsi;
				_t92 = __rcx;
				if ( *((long long*)(__rcx + 0x30)) - 8 < 0) goto 0x12da9932;
				0x12db27aa();
				 *((long long*)(__rcx)) = __rax;
				if (__rax == 0) goto 0x12da9a7c;
				E00007FF77FF712DAA5C0(_t26);
				r8d = 0;
				if (fseek(??, ??, ??) != 0) goto 0x12da9aad;
				E00007FF77FF712DA8CB0(_t59, __rbx,  *__rcx);
				_t62 =  *((intOrPtr*)(_t92 + 8));
				 *((long long*)(_t92 + 8)) = _t59;
				if ( *((intOrPtr*)(_t92 + 8)) == 0) goto 0x12da9993;
				E00007FF77FF712DA5300( *((intOrPtr*)(_t92 + 8)) + 0x10);
				0x12db3f50();
				_t60 =  *((intOrPtr*)(_t92 + 8));
				_t31 = E00007FF77FF712DA8BC0( *((intOrPtr*)(_t60 + 8)), _t60,  *((intOrPtr*)(_t92 + 8)),  *_t92, L"rb", __rbp, _t98);
				 *((long long*)(_t92 + 0x10)) = _t60;
				if ( *((intOrPtr*)(_t92 + 0x10)) == 0) goto 0x12da99b4;
				E00007FF77FF712DA8E20(_t31,  *((intOrPtr*)(_t92 + 8)),  *((intOrPtr*)(_t92 + 0x10)));
				0x12da9740();
				if (E00007FF77FF712DAE980(_t62, _t92 + 0x38, _t92) == 0) goto 0x12da99e0;
				E00007FF77FF712DAA400(_t43, _t45,  *((intOrPtr*)(_t60 + 8)), _t62, _t92, _t92, _t94, _t100);
				0x12db27bc();
				goto 0x12da9a68;
				0x12da9620();
				_t90 =  *((intOrPtr*)( *((intOrPtr*)(_t92 + 0x10))));
				_t63 =  *_t90;
				if ( *_t90 == _t90) goto 0x12da9a06;
				_t36 = E00007FF77FF712DA9B20(_t60,  *_t90, _t92,  *((intOrPtr*)( *_t90 + 0x10)));
				goto 0x12da99f0;
				_a16 = 0;
				r14d = E00007FF77FF712DAA2D0(_t36, _t60,  *_t63, _t92 + 0x58, _t92 + 0x38, _t90, _t92, _t94,  &_a16) & 0x000000ff;
				_t44 = _a16 & 0x000000ff;
				if (_t44 == 0) goto 0x12da9a3f;
				E00007FF77FF712DAC6B0(_t60, L"Extraction completed by another process, aborting current extraction.", _t92 + 0x38,  &_a16, _t100);
				E00007FF77FF712DA9F00( *_t63, _t92 + 0x58, _t90, _t92);
				if (r14b != 0) goto 0x12da9a4c;
				if (_t44 == 0) goto 0x12da9ade;
				E00007FF77FF712DAC6B0(_t60, L"Completed new extraction.", _t92 + 0x38,  &_a16, _t100);
				0x12db27bc();
				return _v44;
			}

0x7ff712da9900
0x7ff712da9900
0x7ff712da9900
0x7ff712da9900
0x7ff712da9900
0x7ff712da9900
0x7ff712da990e
0x7ff712da9917
0x7ff712da991c
0x7ff712da9921
0x7ff712da992d
0x7ff712da9939
0x7ff712da993e
0x7ff712da9944
0x7ff712da994a
0x7ff712da994f
0x7ff712da995e
0x7ff712da9967
0x7ff712da996c
0x7ff712da9970
0x7ff712da9977
0x7ff712da997d
0x7ff712da998a
0x7ff712da998f
0x7ff712da9999
0x7ff712da99a2
0x7ff712da99a9
0x7ff712da99af
0x7ff712da99b7
0x7ff712da99ca
0x7ff712da99cc
0x7ff712da99d4
0x7ff712da99db
0x7ff712da99e0
0x7ff712da99e9
0x7ff712da99ec
0x7ff712da99f3
0x7ff712da99fc
0x7ff712da9a04
0x7ff712da9a06
0x7ff712da9a1d
0x7ff712da9a21
0x7ff712da9a28
0x7ff712da9a31
0x7ff712da9a3a
0x7ff712da9a42
0x7ff712da9a46
0x7ff712da9a53
0x7ff712da9a5b
0x7ff712da9a7b

APIs

_wfopen.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF712DA9939
fseek.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF712DA9957

Strings

DOTNET_BUNDLE_EXTRACT_BASE_DIR, xrefs: 00007FF712DA9773
Failure processing application bundle; possible file corruption., xrefs: 00007FF712DA9AAD
Files embedded within the bundled will be extracted to [%s] directory, xrefs: 00007FF712DA9847
I/O seek failure within the bundle., xrefs: 00007FF712DA9AB9
Failed to commit extracted files to directory [%s]., xrefs: 00007FF712DA921E, 00007FF712DA9AF6
Failed to determine location for extracting embedded files, xrefs: 00007FF712DA98C2
Couldn't open host binary for reading contents, xrefs: 00007FF712DA9A88
DOTNET_BUNDLE_EXTRACT_BASE_DIR is not set, and a read-write cache directory couldn't be created., xrefs: 00007FF712DA98CE
Failure processing application bundle., xrefs: 00007FF712DA9206, 00007FF712DA95DF, 00007FF712DA98B6, 00007FF712DA9A7C, 00007FF712DA9ADE

Memory Dump Source

Source File: 00000000.00000002.252556355.00007FF712DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF712DA0000, based on PE: true

Associated: 00000000.00000002.252549842.00007FF712DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252705366.00007FF712DB9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252717639.00007FF712DC9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252722439.00007FF712DCB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff712da0000_Hydra.jbxd

Similarity

API ID: _wfopenfseek
String ID: Couldn't open host binary for reading contents$DOTNET_BUNDLE_EXTRACT_BASE_DIR$DOTNET_BUNDLE_EXTRACT_BASE_DIR is not set, and a read-write cache directory couldn't be created.$Failed to commit extracted files to directory [%s].$Failed to determine location for extracting embedded files$Failure processing application bundle.$Failure processing application bundle; possible file corruption.$Files embedded within the bundled will be extracted to [%s] directory$I/O seek failure within the bundle.
API String ID: 422461886-1185880807
Opcode ID: bb9403316d487f422570438cce3f5e0f437e7ee546fb2c327345ecc5f167d1db
Instruction ID: e4bb326d9d333734cd7f58d43cb00a1e3b26b13fa9d3db2fd25c1a5e2ad9c1c3
Opcode Fuzzy Hash: bb9403316d487f422570438cce3f5e0f437e7ee546fb2c327345ecc5f167d1db
Instruction Fuzzy Hash: 3C315221918E4AA1EA50FB10E8514B9E3A0FF84B64BC04135E6CD466AADFECE60DC370

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF712DAF6B0 Relevance: 22.9, APIs: 9, Strings: 4, Instructions: 193registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32 ref: 00007FF712DAF798
RegGetValueW.ADVAPI32 ref: 00007FF712DAF7DC
RegGetValueW.ADVAPI32 ref: 00007FF712DAF82F
RegCloseKey.ADVAPI32 ref: 00007FF712DAF84B
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF712DAF997
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF712DAF99D
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF712DAF9A3

Part of subcall function 00007FF712DAC8C0: EnterCriticalSection.KERNEL32 ref: 00007FF712DAC8F3
Part of subcall function 00007FF712DAC8C0: LeaveCriticalSection.KERNEL32 ref: 00007FF712DAC936

Strings

Can't get the size of the SDK location registry value or it's empty, result: 0x%X, xrefs: 00007FF712DAF8C7
_DOTNET_TEST_GLOBALLY_REGISTERED_PATH, xrefs: 00007FF712DAF712
Can't open the SDK installed location registry key, result: 0x%X, xrefs: 00007FF712DAF7A4
Can't get the value of the SDK location registry value, result: 0x%X, xrefs: 00007FF712DAF83B

Memory Dump Source

Source File: 00000000.00000002.252556355.00007FF712DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF712DA0000, based on PE: true

Associated: 00000000.00000002.252549842.00007FF712DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252705366.00007FF712DB9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252717639.00007FF712DC9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252722439.00007FF712DCB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff712da0000_Hydra.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$CriticalSectionValue$CloseEnterLeaveOpen
String ID: Can't get the size of the SDK location registry value or it's empty, result: 0x%X$Can't get the value of the SDK location registry value, result: 0x%X$Can't open the SDK installed location registry key, result: 0x%X$_DOTNET_TEST_GLOBALLY_REGISTERED_PATH
API String ID: 3288147984-3444099095
Opcode ID: 7b3bc6bb921de42af4907b2f76d9430500f0d1e6436492e2c3f99eb840e03d1e
Instruction ID: d45437ca236df7193fa776344b38887cb0a5a97852b697d85a22533464ddf050
Opcode Fuzzy Hash: 7b3bc6bb921de42af4907b2f76d9430500f0d1e6436492e2c3f99eb840e03d1e
Instruction Fuzzy Hash: 6981B132B08E4A99EB40AF24D4546AC6361FB49BB8F900231DE9D13BD9DFB8D549C370

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF712DAD290 Relevance: 21.2, APIs: 2, Strings: 10, Instructions: 212
COMMON

Download Yara Rule

C-Code - Quality: 24%

			E00007FF77FF712DAD290(long long __rcx, short* __rdx, short* __r8, void* __r13) {
				void* __rbx;
				void* __rsi;
				void* __rbp;
				void* _t70;
				void* _t72;
				void* _t73;
				signed long long _t94;
				void* _t103;
				void* _t108;
				signed long long _t144;
				signed long long _t153;
				long long _t156;
				short* _t157;
				void* _t158;
				void* _t159;
				long long _t167;
				short* _t169;

				_t168 = __r13;
				_t158 = _t159 - 0x27;
				 *((long long*)(_t158 - 0x51)) = 0xfffffffe;
				_t94 =  *0x12dc9568; // 0x438b11ead5c6
				 *(_t158 + 0x1f) = _t94 ^ _t159 - 0x000000a0;
				_t169 = __r8;
				_t157 = __rdx;
				_t156 = __rcx;
				 *((long long*)(_t158 - 0x49)) = __rcx;
				r12d = 0;
				 *(_t158 - 0x59) = r12d;
				 *((long long*)(__rcx + 0x10)) = _t167;
				 *((long long*)(__rcx + 0x18)) = 7;
				 *((intOrPtr*)(__rcx)) = r12w;
				_t8 = _t167 + 0x25; // 0x25
				r8d = _t8;
				E00007FF77FF712DA56F0(_t108, __rcx, L"https://aka.ms/dotnet-core-applaunch?", __rdx, _t158, __r8);
				r15d = 1;
				 *(_t158 - 0x59) = r15d;
				if (__rdx == 0) goto 0x12dad398;
				if ( *((short*)(__rdx + 0xfffffffffffffffe)) != 0) goto 0x12dad310;
				if (0 == 0) goto 0x12dad398;
				r8d = 0xa;
				E00007FF77FF712DAAE00(0xffffffff, _t156, L"framework=", _t158, __r8, __r13);
				asm("o16 nop [eax+eax]");
				if ( *_t157 != 0) goto 0x12dad340;
				E00007FF77FF712DAAE00(0xffffffff, _t156, _t157, _t158, 0, _t168);
				if (_t169 == 0) goto 0x12dad3ad;
				if ( *_t169 != 0) goto 0x12dad360;
				if (0 == 0) goto 0x12dad3ad;
				r8d = 0x13;
				E00007FF77FF712DAAE00(0xffffffff, _t156, L"&framework_version=", _t158, 0, _t168);
				if ( *_t169 != 0) goto 0x12dad385;
				goto 0x12dad3a5;
				r8d = 0x14;
				E00007FF77FF712DAAE00(0, _t156, L"missing_runtime=true", _t158, 0, _t168);
				r8d = 6;
				E00007FF77FF712DAAE00(0, _t156, L"&arch=", _t158, 0, _t168);
				r8d = 3;
				E00007FF77FF712DAAE00(0, _t156, L"x64", _t158, 0, _t168);
				 *((long long*)(_t158 - 0x31)) = _t167;
				 *((long long*)(_t158 - 0x29)) = 7;
				 *((intOrPtr*)(_t158 - 0x41)) = r12w;
				if (E00007FF77FF712DAFAB0(L"DOTNET_RUNTIME_ID", _t158 - 0x41, _t157, _t158) == 0) goto 0x12dad418;
				asm("movups xmm0, [ebp-0x41]");
				asm("movups [ebp-0x21], xmm0");
				asm("movups xmm1, [ebp-0x31]");
				asm("movups [ebp-0x11], xmm1");
				 *(_t158 - 0x59) = 3;
				goto 0x12dad540;
				E00007FF77FF712DAEAB0(0, _t158 - 1, _t157, _t158, 0, _t168);
				if (_t158 - 0x41 == 0) goto 0x12dad455;
				E00007FF77FF712DA5300(_t158 - 0x41);
				asm("movups xmm0, [ebx]");
				asm("movups [ebp-0x41], xmm0");
				asm("movups xmm1, [ebx+0x10]");
				asm("movups [ebp-0x31], xmm1");
				 *0x00000010 = _t167;
				 *0x00000018 = 7;
				 *((intOrPtr*)(0)) = r12w;
				_t144 =  *((intOrPtr*)(_t158 + 0x17));
				if (_t144 - 8 < 0) goto 0x12dad495;
				if (2 + _t144 * 2 - 0x1000 < 0) goto 0x12dad490;
				_t103 =  *((intOrPtr*)(_t158 - 1)) -  *((intOrPtr*)( *((intOrPtr*)(_t158 - 1)) - 8)) + 0xfffffff8;
				if (_t103 - 0x1f > 0) goto 0x12dad5e4;
				0x12db3f50();
				asm("movdqa xmm0, [0xcd53]");
				asm("movdqu [ebp+0xf], xmm0");
				 *((intOrPtr*)(_t158 - 1)) = r12w;
				if ( *((long long*)(_t158 - 0x31)) != 0) goto 0x12dad4fc;
				asm("movdqu [ebp-0x11], xmm0");
				 *((intOrPtr*)(_t158 - 0x21)) = r12w;
				r8d = 5;
				E00007FF77FF712DA56F0(0, _t158 - 0x21, L"win10", _t157, _t158, 0);
				r15d = 5;
				 *(_t158 - 0x59) = r15d;
				E00007FF77FF712DA5300(_t158 - 0x41);
				asm("movups xmm1, [ebp-0x21]");
				asm("movups [ebp-0x41], xmm1");
				asm("movdqu xmm0, [ebp-0x11]");
				asm("movups [ebp-0x31], xmm0");
				asm("dec ax");
				if (_t103 == 0) goto 0x12dad530;
				r8d = 1;
				E00007FF77FF712DAAE00(0, _t158 - 0x41, "-", _t158, 0, _t168);
				r8d = 3;
				E00007FF77FF712DAAE00(0, _t158 - 0x41, L"x64", _t158, 0, _t168);
				asm("movups xmm0, [ebp-0x31]");
				asm("movups xmm1, [ebp-0x41]");
				asm("movups [ebp-0x21], xmm1");
				asm("movups [ebp-0x11], xmm0");
				r15d = r15d | 0x00000002;
				 *(_t158 - 0x59) = r15d;
				 *((intOrPtr*)(_t158 - 0x41)) = r12w;
				 *((long long*)(_t158 - 0x29)) = 7;
				 *((long long*)(_t158 - 0x31)) = _t167;
				r8d = 5;
				E00007FF77FF712DAAE00(0, _t156, L"&rid=", _t158, 0, _t168);
				_t152 =  >=  ?  *((void*)(_t158 - 0x21)) : _t158 - 0x21;
				_t70 = E00007FF77FF712DAAE00(0, _t156,  >=  ?  *((void*)(_t158 - 0x21)) : _t158 - 0x21, _t158,  *((intOrPtr*)(_t158 - 0x11)), _t168);
				_t153 =  *((intOrPtr*)(_t158 - 9));
				if (_t153 - 8 < 0) goto 0x12dad5bd;
				if (2 + _t153 * 2 - 0x1000 < 0) goto 0x12dad5b8;
				if ( *((intOrPtr*)(_t158 - 0x21)) -  *((intOrPtr*)( *((intOrPtr*)(_t158 - 0x21)) - 8)) + 0xfffffff8 - 0x1f > 0) goto 0x12dad5de;
				0x12db3f50();
				return E00007FF77FF712DB4070(_t70, _t72, _t73,  *(_t158 + 0x1f) ^ _t159 - 0x000000a0);
			}

0x7ff712dad290
0x7ff712dad29b
0x7ff712dad2a7
0x7ff712dad2af
0x7ff712dad2b9
0x7ff712dad2bd
0x7ff712dad2c0
0x7ff712dad2c3
0x7ff712dad2c6
0x7ff712dad2ca
0x7ff712dad2cd
0x7ff712dad2d1
0x7ff712dad2d5
0x7ff712dad2dd
0x7ff712dad2e1
0x7ff712dad2e1
0x7ff712dad2ed
0x7ff712dad2f2
0x7ff712dad2f8
0x7ff712dad2ff
0x7ff712dad318
0x7ff712dad31d
0x7ff712dad31f
0x7ff712dad32f
0x7ff712dad337
0x7ff712dad349
0x7ff712dad351
0x7ff712dad359
0x7ff712dad369
0x7ff712dad36e
0x7ff712dad370
0x7ff712dad380
0x7ff712dad38e
0x7ff712dad396
0x7ff712dad398
0x7ff712dad3a8
0x7ff712dad3ad
0x7ff712dad3bd
0x7ff712dad3c2
0x7ff712dad3d2
0x7ff712dad3d7
0x7ff712dad3db
0x7ff712dad3e3
0x7ff712dad3fa
0x7ff712dad3fc
0x7ff712dad400
0x7ff712dad404
0x7ff712dad408
0x7ff712dad40c
0x7ff712dad413
0x7ff712dad41c
0x7ff712dad42b
0x7ff712dad431
0x7ff712dad436
0x7ff712dad439
0x7ff712dad43d
0x7ff712dad441
0x7ff712dad445
0x7ff712dad449
0x7ff712dad451
0x7ff712dad455
0x7ff712dad45d
0x7ff712dad475
0x7ff712dad482
0x7ff712dad48a
0x7ff712dad490
0x7ff712dad495
0x7ff712dad49d
0x7ff712dad4a2
0x7ff712dad4ac
0x7ff712dad4ae
0x7ff712dad4b3
0x7ff712dad4b8
0x7ff712dad4c9
0x7ff712dad4ce
0x7ff712dad4d4
0x7ff712dad4dc
0x7ff712dad4e1
0x7ff712dad4e5
0x7ff712dad4e9
0x7ff712dad4ee
0x7ff712dad4f2
0x7ff712dad4fa
0x7ff712dad4fc
0x7ff712dad50d
0x7ff712dad512
0x7ff712dad523
0x7ff712dad528
0x7ff712dad52c
0x7ff712dad530
0x7ff712dad534
0x7ff712dad538
0x7ff712dad53c
0x7ff712dad540
0x7ff712dad545
0x7ff712dad54d
0x7ff712dad551
0x7ff712dad561
0x7ff712dad56f
0x7ff712dad57b
0x7ff712dad581
0x7ff712dad589
0x7ff712dad5a1
0x7ff712dad5b6
0x7ff712dad5b8
0x7ff712dad5dd

APIs

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF712DAD5DE
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF712DAD5E4

Strings

missing_runtime=true, xrefs: 00007FF712DAD39E
framework=, xrefs: 00007FF712DAD325
&framework_version=, xrefs: 00007FF712DAD376
https://aka.ms/dotnet-core-applaunch?, xrefs: 00007FF712DAD2E6
&rid=, xrefs: 00007FF712DAD557
DOTNET_RUNTIME_ID, xrefs: 00007FF712DAD3EC
win10, xrefs: 00007FF712DAD4BE
x64, xrefs: 00007FF712DAD3C8, 00007FF712DAD518
ios_base::failbit set, xrefs: 00007FF712DAD292
&arch=, xrefs: 00007FF712DAD3B3

Memory Dump Source

Source File: 00000000.00000002.252556355.00007FF712DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF712DA0000, based on PE: true

Associated: 00000000.00000002.252549842.00007FF712DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252705366.00007FF712DB9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252717639.00007FF712DC9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252722439.00007FF712DCB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff712da0000_Hydra.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID: &arch=$&framework_version=$&rid=$DOTNET_RUNTIME_ID$framework=$https://aka.ms/dotnet-core-applaunch?$ios_base::failbit set$missing_runtime=true$win10$x64
API String ID: 3668304517-1600443800
Opcode ID: 7b0fd0cca6316d19378bd1888c563f088c2e288cd90bd67b6cd416c8d67cb242
Instruction ID: d4a6abe44b1a2e5d9e5006a562184550bfafe7df0b2c4c57c5f643ee328f6f30
Opcode Fuzzy Hash: 7b0fd0cca6316d19378bd1888c563f088c2e288cd90bd67b6cd416c8d67cb242
Instruction Fuzzy Hash: 1F91B152F18B4985FB40EB64D4107BC6371AB45BA8F805234DE9D16BD9EFBCA24AC370

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF712DA9B20 Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 95fileCOMMON

Download Yara Rule

APIs

fseek.API-MS-WIN-CRT-STDIO-L1-1-0(?,?), ref: 00007FF712DA9B66
fread.API-MS-WIN-CRT-STDIO-L1-1-0(?), ref: 00007FF712DA9B8F
fwrite.API-MS-WIN-CRT-STDIO-L1-1-0(?,?), ref: 00007FF712DA9BA9
fclose.API-MS-WIN-CRT-STDIO-L1-1-0(?,?), ref: 00007FF712DA9BC2
_CxxThrowException.LIBVCRUNTIME ref: 00007FF712DA9C17
_CxxThrowException.LIBVCRUNTIME ref: 00007FF712DA9C49
_CxxThrowException.LIBVCRUNTIME ref: 00007FF712DA9C7B

Strings

I/O failure reading contents of the bundle., xrefs: 00007FF712DA9BF7
Failure processing application bundle; possible file corruption., xrefs: 00007FF712DA9BEB, 00007FF712DA9C1D
I/O seek failure within the bundle., xrefs: 00007FF712DA9C29
I/O failure when writing extracted files., xrefs: 00007FF712DA9C5B
Failure extracting contents of the application bundle., xrefs: 00007FF712DA9C4F

Memory Dump Source

Source File: 00000000.00000002.252556355.00007FF712DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF712DA0000, based on PE: true

Associated: 00000000.00000002.252549842.00007FF712DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252705366.00007FF712DB9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252717639.00007FF712DC9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252722439.00007FF712DCB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff712da0000_Hydra.jbxd

Similarity

API ID: ExceptionThrow$fclosefreadfseekfwrite
String ID: Failure extracting contents of the application bundle.$Failure processing application bundle; possible file corruption.$I/O failure reading contents of the bundle.$I/O failure when writing extracted files.$I/O seek failure within the bundle.
API String ID: 3999204853-3591051616
Opcode ID: 375c0b0f133a1d10c7a02765402c8a35581ede2bb8ccf4ae9d3897294b36b24b
Instruction ID: 4d3a252a43f1ec711453cb249e5eeb9da48d4931247c82bc6ddb32b3596a690f
Opcode Fuzzy Hash: 375c0b0f133a1d10c7a02765402c8a35581ede2bb8ccf4ae9d3897294b36b24b
Instruction Fuzzy Hash: 55318811A18D4961EA50FB10E8656B9A361FF85BA4FC04031E5CD436A6DFACE60DC734

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF712DAEDE0 Relevance: 21.1, APIs: 3, Strings: 9, Instructions: 89
COMMON

Download Yara Rule

C-Code - Quality: 35%

			E00007FF77FF712DAEDE0(long long __rbx, void* __rcx, void* __rsi, void* __rbp, void* __r9, void* __r13, long long _a16) {
				signed int _v24;
				signed long long _v32;
				intOrPtr _v40;
				char _v56;
				long long _v64;
				short _v72;
				void* _t25;
				void* _t33;
				void* _t34;
				signed long long _t47;
				void* _t54;
				signed long long _t74;
				signed long long _t79;

				_t78 = __rbp;
				_t77 = __rsi;
				_v64 = 0xfffffffe;
				_a16 = __rbx;
				_t47 =  *0x12dc9568; // 0x438b11ead5c6
				_v24 = _t47 ^ _t79;
				_t54 = __rcx;
				asm("movdqa xmm0, [0xb3e2]");
				asm("movdqu [esp+0x40], xmm0");
				_v56 = 0;
				if (E00007FF77FF712DAE0A0() == 0) goto 0x12daee5a;
				if (__rcx ==  &_v56) goto 0x12daeeb1;
				_t69 =  >=  ? _v56 :  &_v56;
				E00007FF77FF712DA56F0(__rcx, __rcx,  >=  ? _v56 :  &_v56, __rsi, __rbp, _v40);
				goto 0x12daeeb1;
				_v72 = 0;
				_t25 = GetCurrentProcess();
				__imp__IsWow64Process();
				if (_t25 == 0) goto 0x12daee7e;
				_t61 =  ==  ? L"ProgramFiles" : L"ProgramFiles(x86)";
				if (E00007FF77FF712DAD5F0(_t54,  ==  ? L"ProgramFiles" : L"ProgramFiles(x86)", _t54, _t77, _t78, __r9) != 0) goto 0x12daeea2;
				goto 0x12daeeb3;
				E00007FF77FF712DACD10(_t54, _t54, L"dotnet", __r13);
				_t74 = _v32;
				if (_t74 - 8 < 0) goto 0x12daeef1;
				if (2 + _t74 * 2 - 0x1000 < 0) goto 0x12daeeec;
				if (_v56 -  *((intOrPtr*)(_v56 - 8)) + 0xfffffff8 - 0x1f > 0) goto 0x12daef0c;
				0x12db3f50();
				return E00007FF77FF712DB4070(1, _t33, _t34, _v24 ^ _t79);
			}

0x7ff712daede0
0x7ff712daede0
0x7ff712daede6
0x7ff712daedef
0x7ff712daedf4
0x7ff712daedfe
0x7ff712daee03
0x7ff712daee06
0x7ff712daee0e
0x7ff712daee16
0x7ff712daee2e
0x7ff712daee38
0x7ff712daee45
0x7ff712daee53
0x7ff712daee58
0x7ff712daee5a
0x7ff712daee5e
0x7ff712daee6c
0x7ff712daee74
0x7ff712daee8e
0x7ff712daee9c
0x7ff712daeea0
0x7ff712daeeac
0x7ff712daeeb3
0x7ff712daeebc
0x7ff712daeed5
0x7ff712daeeea
0x7ff712daeeec
0x7ff712daef0b

APIs

GetCurrentProcess.KERNEL32 ref: 00007FF712DAEE5E
IsWow64Process.KERNEL32 ref: 00007FF712DAEE6C
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF712DAEF0C

Strings

HKLM\, xrefs: 00007FF712DAF4A3
HKEY_CURRENT_USER\, xrefs: 00007FF712DAEFDD
ProgramFiles, xrefs: 00007FF712DAEE7E
dotnet, xrefs: 00007FF712DAEEA2
\Setup\InstalledVersions\, xrefs: 00007FF712DAF1BB
ProgramFiles(x86), xrefs: 00007FF712DAEE85
InstallLocation, xrefs: 00007FF712DAF336
HKCU\, xrefs: 00007FF712DAF49C
_DOTNET_TEST_DEFAULT_INSTALL_PATH, xrefs: 00007FF712DAEE20

Memory Dump Source

Source File: 00000000.00000002.252556355.00007FF712DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF712DA0000, based on PE: true

Associated: 00000000.00000002.252549842.00007FF712DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252705366.00007FF712DB9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252717639.00007FF712DC9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252722439.00007FF712DCB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff712da0000_Hydra.jbxd

Similarity

API ID: Process$CurrentWow64_invalid_parameter_noinfo_noreturn
String ID: HKCU\$HKEY_CURRENT_USER\$HKLM\$InstallLocation$ProgramFiles$ProgramFiles(x86)$\Setup\InstalledVersions\$_DOTNET_TEST_DEFAULT_INSTALL_PATH$dotnet
API String ID: 1909928518-2684703508
Opcode ID: 0baa4a76c6c81b57b2a6033ce1d8f8ebd39fcfba4290c74dd24eef49286b1555
Instruction ID: 851272833379819211859176429f267d27a4ed70d211fe345cebd43d74871a05
Opcode Fuzzy Hash: 0baa4a76c6c81b57b2a6033ce1d8f8ebd39fcfba4290c74dd24eef49286b1555
Instruction Fuzzy Hash: 8D31D621A18E4A91EE50AB19E4505B9E360EF85BB0FD01231EADD077D9DFBCD248C730

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF712DA4520 Relevance: 19.5, APIs: 8, Strings: 3, Instructions: 226
COMMON

Download Yara Rule

C-Code - Quality: 35%

			E00007FF77FF712DA4520(long long __rbx, long long __rcx, long long __rsi) {
				void* _v40;
				signed int _v56;
				intOrPtr _v64;
				char _v104;
				char _v152;
				long long _v160;
				long long _v168;
				long long _v176;
				long long _v184;
				signed int _v192;
				char _v200;
				long long _v216;
				void* _t63;
				void* _t64;
				void* _t98;
				void* _t101;
				void* _t102;
				void* _t105;
				void* _t108;
				signed long long _t109;
				signed long long _t110;
				long long _t111;
				long long _t113;
				long long _t122;
				void* _t124;
				long long _t125;
				void* _t127;
				long long _t128;
				void* _t146;
				signed long long _t147;
				signed char* _t155;
				long long _t158;
				long long _t161;
				long long _t166;
				long long _t169;
				void* _t171;
				void* _t182;

				_t117 = __rbx;
				_t108 = _t171;
				_v160 = 0xfffffffe;
				 *((long long*)(_t108 + 0x10)) = __rbx;
				 *((long long*)(_t108 + 0x18)) = __rsi;
				_t109 =  *0x12dc9568; // 0x438b11ead5c6
				_t110 = _t109 ^ _t171 - 0x000000d0;
				_v56 = _t110;
				r12d = r8b & 0xffffffff;
				_v168 = __rcx;
				0x12db2792();
				_t64 = E00007FF77FF712DB2CC4(_t63, _t110, __rbx,  &_v152, _t146, _t182);
				asm("movups xmm0, [eax]");
				asm("movups [esp+0x90], xmm0");
				asm("movups xmm1, [eax+0x10]");
				asm("movups [esp+0xa0], xmm1");
				asm("movsd xmm0, [eax+0x20]");
				asm("movsd [esp+0xb0], xmm0");
				_v64 =  *((intOrPtr*)(_t110 + 0x28));
				 *(__rcx + 0x10) = __rsi;
				 *((long long*)(__rcx + 0x20)) = __rsi;
				 *((long long*)(__rcx + 0x28)) = __rsi;
				if (r12b != 0) goto 0x12da45c1;
				_t155 =  *((intOrPtr*)(_t110 + 0x10));
				E00007FF77FF712DB2CC4(_t64, _t110, _t117,  &_v152, _t146, _t182);
				if (_t155[0xffffffffffffffff] != 0) goto 0x12da45d2;
				calloc(??, ??);
				_t147 = _t110;
				if (_t110 == 0) goto 0x12da485f;
				if (0xffffffff == 0) goto 0x12da4620;
				asm("o16 nop [eax+eax]");
				 *((char*)(_t147 - _t155 + _t155)) =  *_t155 & 0x000000ff;
				if (0xffffffff != 0) goto 0x12da4610;
				 *(__rcx + 0x10) = _t147;
				_v176 = __rsi;
				_t122 = __rsi;
				_t111 =  &_v104;
				_v216 = _t111;
				_t98 = E00007FF77FF712DB2DD0(__rsi,  &_v192, 0x12db9dd0, 0x12db9dd0,  &(_t155[1]));
				if (_t98 <= 0) goto 0x12da4673;
				if (_t98 != 0) goto 0x12da4640;
				_t124 = _t122 + 2;
				calloc(??, ??);
				_t166 = _t111;
				if (_t111 == 0) goto 0x12da4865;
				_t158 = _t166;
				_v184 = _t111;
				if (_t124 == 0) goto 0x12da46d6;
				_v216 =  &_v104;
				r8d = 6;
				_t101 = E00007FF77FF712DB2DD0(_t124, _t158, 0x12db9dd0, _t166,  &(_t155[1]));
				if (_t101 <= 0) goto 0x12da46d6;
				_t159 = _t158 + 2;
				_t125 = _t124 - 1;
				if (_t101 != 0) goto 0x12da46a0;
				 *((short*)(_t158 + 2)) = 0;
				 *((long long*)(__rcx + 0x20)) = _t166;
				_v184 = _t125;
				_t113 =  &_v104;
				_v216 = _t113;
				_t102 = E00007FF77FF712DB2DD0(_t125,  &_v192, 0x12db9dd8, 0x12db9dd8, _t158 + 2);
				if (_t102 <= 0) goto 0x12da4724;
				if (_t102 != 0) goto 0x12da46f1;
				_t127 = _t125 + 2;
				calloc(??, ??);
				_t169 = _t113;
				if (_t113 == 0) goto 0x12da486a;
				_t161 = _t169;
				_v176 = _t113;
				if (_t127 == 0) goto 0x12da4786;
				_v216 =  &_v104;
				r8d = 5;
				_t105 = E00007FF77FF712DB2DD0(_t127, _t161, 0x12db9dd8, _t169, _t159);
				if (_t105 <= 0) goto 0x12da4786;
				_t128 = _t127 - 1;
				if (_t105 != 0) goto 0x12da4750;
				 *((short*)(_t161 + 2)) = 0;
				 *((long long*)(__rcx + 0x28)) = _t169;
				if (r12b == 0) goto 0x12da4845;
				_v200 = 0x2e;
				_v192 = 0;
				_v184 = _t128;
				_v216 =  &_v104;
				r8d = 1;
				E00007FF77FF712DB2DD0(_t128,  &_v192,  &_v200, _t169, _t159);
				 *((short*)(__rcx + 0x18)) = _v192 & 0x0000ffff;
				_v200 = 0x2c;
				_v192 = 0;
				_v184 = _t128;
				_v216 =  &_v104;
				r8d = 1;
				E00007FF77FF712DB2DD0(_t128,  &_v192,  &_v200, _t169, _t159);
				 *((short*)(__rcx + 0x1a)) = _v192 & 0x0000ffff;
				return E00007FF77FF712DB4070(_v192 & 0x0000ffff,  *((intOrPtr*)(_t110 + 0x28)), 2, _v56 ^ _t171 - 0x000000d0);
			}

0x7ff712da4520
0x7ff712da4520
0x7ff712da4533
0x7ff712da453c
0x7ff712da4540
0x7ff712da4544
0x7ff712da454b
0x7ff712da454e
0x7ff712da4556
0x7ff712da455d
0x7ff712da4562
0x7ff712da456f
0x7ff712da4574
0x7ff712da4577
0x7ff712da457f
0x7ff712da4583
0x7ff712da458b
0x7ff712da4590
0x7ff712da459c
0x7ff712da45a5
0x7ff712da45a9
0x7ff712da45ad
0x7ff712da45bb
0x7ff712da45bd
0x7ff712da45c6
0x7ff712da45d9
0x7ff712da45e6
0x7ff712da45eb
0x7ff712da45f1
0x7ff712da45fa
0x7ff712da4606
0x7ff712da4613
0x7ff712da461e
0x7ff712da4620
0x7ff712da462b
0x7ff712da4635
0x7ff712da4640
0x7ff712da4648
0x7ff712da4662
0x7ff712da4664
0x7ff712da4671
0x7ff712da4673
0x7ff712da467e
0x7ff712da4683
0x7ff712da4689
0x7ff712da468f
0x7ff712da4694
0x7ff712da469c
0x7ff712da46a8
0x7ff712da46b2
0x7ff712da46c3
0x7ff712da46c5
0x7ff712da46cc
0x7ff712da46d0
0x7ff712da46d4
0x7ff712da46d8
0x7ff712da46db
0x7ff712da46e6
0x7ff712da46f1
0x7ff712da46f9
0x7ff712da4713
0x7ff712da4715
0x7ff712da4722
0x7ff712da4724
0x7ff712da472f
0x7ff712da4734
0x7ff712da473a
0x7ff712da4740
0x7ff712da4745
0x7ff712da474d
0x7ff712da4758
0x7ff712da4762
0x7ff712da4773
0x7ff712da4775
0x7ff712da4780
0x7ff712da4784
0x7ff712da4788
0x7ff712da478b
0x7ff712da4792
0x7ff712da4798
0x7ff712da479d
0x7ff712da47a2
0x7ff712da47af
0x7ff712da47b9
0x7ff712da47c9
0x7ff712da47d3
0x7ff712da47d8
0x7ff712da47dd
0x7ff712da47e2
0x7ff712da47ef
0x7ff712da47f9
0x7ff712da4809
0x7ff712da4813
0x7ff712da4844

APIs

_Getcvt.LIBCPMT ref: 00007FF712DA456F

Part of subcall function 00007FF712DB2CC4: ___lc_codepage_func.API-MS-WIN-CRT-LOCALE-L1-1-0 ref: 00007FF712DB2CDC
Part of subcall function 00007FF712DB2CC4: ___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0 ref: 00007FF712DB2CEB
Part of subcall function 00007FF712DB2CC4: __pctype_func.API-MS-WIN-CRT-LOCALE-L1-1-0 ref: 00007FF712DB2D06

_Getcvt.LIBCPMT ref: 00007FF712DA45C6
calloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF712DA45E6
calloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF712DA467E
calloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF712DA472F
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF712DA485F
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF712DA4865
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF712DA486A

Strings

false, xrefs: 00007FF712DA4624
,, xrefs: 00007FF712DA47D8
true, xrefs: 00007FF712DA46DF

Memory Dump Source

Source File: 00000000.00000002.252556355.00007FF712DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF712DA0000, based on PE: true

Associated: 00000000.00000002.252549842.00007FF712DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252705366.00007FF712DB9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252717639.00007FF712DC9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252722439.00007FF712DCB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff712da0000_Hydra.jbxd

Similarity

API ID: Concurrency::cancel_current_taskcalloc$Getcvt$___lc_codepage_func___lc_locale_name_func__pctype_func
String ID: ,$false$true
API String ID: 1533061592-760133229
Opcode ID: 9af88a1ebc57f185b483a457454a61060a282bcebc03f0d6d31bf0f601863719
Instruction ID: 334f8d66d776b977624148b2f0887472fb362f8e59084ff1f1ae7145c5533b51
Opcode Fuzzy Hash: 9af88a1ebc57f185b483a457454a61060a282bcebc03f0d6d31bf0f601863719
Instruction Fuzzy Hash: C491C422619FC991E750AF21E4106AAF3A4FF85BA0F841232EADD43B95EF7CD545C720

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF712DA9250 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 175
COMMON

Download Yara Rule

C-Code - Quality: 46%

			E00007FF77FF712DA9250(void* __rcx) {
				signed int _v24;
				signed long long _v32;
				char _v56;
				long long _v64;
				void* __rbx;
				void* _t19;
				signed long long _t31;
				signed long long _t49;
				void* _t52;
				signed long long _t53;

				_v64 = 0xfffffffe;
				_t31 =  *0x12dc9568; // 0x438b11ead5c6
				_v24 = _t31 ^ _t53;
				if ( *((long long*)(__rcx + 0x10)) == 0) goto 0x12da930f;
				if (E00007FF77FF712DAE980(__rcx, __rcx, _t52) != 0) goto 0x12da930f;
				if (E00007FF77FF712DA9D90(_t12, __rcx) == 0) goto 0x12da92ea;
				E00007FF77FF712DACF10(__rcx,  &_v56, __rcx);
				E00007FF77FF712DA9250(_t31 ^ _t53);
				_t49 = _v32;
				if (_t49 - 8 < 0) goto 0x12da92ea;
				if (2 + _t49 * 2 - 0x1000 < 0) goto 0x12da92e5;
				if (_v56 -  *((intOrPtr*)(_v56 - 8)) + 0xfffffff8 - 0x1f > 0) goto 0x12da935f;
				0x12db3f50();
				if ( *((long long*)(__rcx + 0x18)) - 8 < 0) goto 0x12da92f7;
				if (CreateDirectoryW(??, ??) != 0) goto 0x12da930f;
				if (E00007FF77FF712DAE980(__rcx, __rcx, _t52) == 0) goto 0x12da9322;
				return E00007FF77FF712DB4070(_t17, _t19, 0, _v24 ^ _t53);
			}

0x7ff712da9256
0x7ff712da925f
0x7ff712da9269
0x7ff712da9276
0x7ff712da9283
0x7ff712da9293
0x7ff712da929d
0x7ff712da92a6
0x7ff712da92ac
0x7ff712da92b5
0x7ff712da92ce
0x7ff712da92e3
0x7ff712da92e5
0x7ff712da92f2
0x7ff712da9301
0x7ff712da930d
0x7ff712da9321

APIs

_CxxThrowException.LIBVCRUNTIME ref: 00007FF712DA9359
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF712DA935F

Strings

Failed to open file [%s] for writing, xrefs: 00007FF712DA95F7
Failed to create directory [%s] for extracting bundled files, xrefs: 00007FF712DA9339
Failure processing application bundle., xrefs: 00007FF712DA9322, 00007FF712DA95DF

Memory Dump Source

Source File: 00000000.00000002.252556355.00007FF712DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF712DA0000, based on PE: true

Associated: 00000000.00000002.252549842.00007FF712DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252705366.00007FF712DB9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252717639.00007FF712DC9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252722439.00007FF712DCB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff712da0000_Hydra.jbxd

Similarity

API ID: ExceptionThrow_invalid_parameter_noinfo_noreturn
String ID: Failed to create directory [%s] for extracting bundled files$Failed to open file [%s] for writing$Failure processing application bundle.
API String ID: 2937565306-3211113558
Opcode ID: cfe14029731f398b12ba0e3830df146d6db4fa569fc97d04a44cc9e63b3cccd7
Instruction ID: 50557a20ea14c1d79515587dd0daa4f64c7a132f21072cc772719c237f0f1d33
Opcode Fuzzy Hash: cfe14029731f398b12ba0e3830df146d6db4fa569fc97d04a44cc9e63b3cccd7
Instruction Fuzzy Hash: 3B619E21A14E4A90EA40FB61E8545E9A361FF45BB8FC40235DADD07BE9DFACE149C370

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF712DAFD60 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 162
libraryCOMMON

Download Yara Rule

C-Code - Quality: 26%

			E00007FF77FF712DAFD60(void* __ecx, long long __rbx, intOrPtr* __rcx, intOrPtr* __rdx, long long __rsi, long long __r9) {
				void* _v24;
				signed int _v40;
				signed long long _v48;
				char _v72;
				void* _v80;
				signed long long _v88;
				char _v104;
				void* _v112;
				long long _v120;
				void* __rdi;
				void* _t49;
				signed short _t54;
				void* _t57;
				void* _t58;
				void* _t72;
				void* _t73;
				void* _t95;
				signed long long _t96;
				long long _t108;
				void* _t116;
				void* _t133;
				signed long long _t139;
				signed long long _t142;
				intOrPtr _t146;
				signed long long _t148;
				void* _t151;
				void* _t159;
				intOrPtr* _t160;

				_t157 = __r9;
				_t95 = _t151;
				_v120 = 0xfffffffe;
				 *((long long*)(_t95 + 0x18)) = __rbx;
				 *((long long*)(_t95 + 0x20)) = __rsi;
				_t96 =  *0x12dc9568; // 0x438b11ead5c6
				_v40 = _t96 ^ _t151 - 0x00000080;
				_t160 = __rdx;
				asm("xorps xmm0, xmm0");
				asm("movdqu [ebp-0x40], xmm0");
				_t148 =  *((intOrPtr*)(__rcx + 0x10));
				if ( *((long long*)(__rcx + 0x18)) - 8 < 0) goto 0x12dafdab;
				_t146 =  *__rcx;
				if (_t148 - 8 >= 0) goto 0x12dafdc2;
				asm("movups xmm0, [edi]");
				asm("movups [ebp-0x50], xmm0");
				_v80 = 7;
				goto 0x12dafe02;
				_t108 =  >  ? 0xfffffffe : _t148 | 0x00000007;
				_t49 = E00007FF77FF712DA53B0(_t108 + 1);
				_v104 = 0xfffffffe;
				E00007FF77FF712DB5690(_t49, 0xfffffffe, _t146, 2 + _t148 * 2);
				_v80 = _t108;
				_v88 = _t148;
				if (E00007FF77FF712DB0D10( &_v104) == 0) goto 0x12dafe22;
				if (E00007FF77FF712DB0560(__ecx, 0, _t72, _t73, _t108,  &_v104, _t146, _t148, __r9, _t159) == 0) goto 0x12dafe46;
				_t116 =  >=  ? _v104 :  &_v104;
				r8d = 0x1100;
				LoadLibraryExW(??, ??, ??);
				 *_t160 = 0xfffffffe;
				if (0xfffffffe != 0) goto 0x12dafe7c;
				_t54 = GetLastError();
				if (_t54 <= 0) goto 0x12dafe58;
				_t131 =  >=  ? _v104 :  &_v104;
				r8d = _t54 & 0x0000ffff | 0x80070000;
				_t57 = E00007FF77FF712DAC460(0xfffffffe, L"Failed to load the dll from [%s], HRESULT: 0x%X",  >=  ? _v104 :  &_v104, 2 + _t148 * 2, __r9);
				goto 0x12daff46;
				_t133 =  >=  ? _v104 :  &_v104;
				__imp__GetModuleHandleExW();
				if (_t57 != 0) goto 0x12dafec5;
				_t135 =  >=  ? _v104 :  &_v104;
				_t58 = E00007FF77FF712DAC460(0xfffffffe, L"Failed to pin library [%s] in [%s]",  >=  ? _v104 :  &_v104, L"pal::load_library", _t157);
				goto 0x12daff46;
				if (E00007FF77FF712DAC740(_t58) == 0) goto 0x12daff44;
				asm("movdqa xmm0, [0xa31a]");
				asm("movdqu [ebp-0x20], xmm0");
				_v72 = 0;
				E00007FF77FF712DAE5E0(_t108,  *_t160,  &_v72, L"pal::load_library");
				_t138 =  >=  ? _v72 :  &_v72;
				E00007FF77FF712DAC6B0(0xfffffffe, L"Loaded library from %s",  >=  ? _v72 :  &_v72, L"pal::load_library", _t157);
				_t139 = _v48;
				if (_t139 - 8 < 0) goto 0x12daff44;
				if (2 + _t139 * 2 - 0x1000 < 0) goto 0x12daff3f;
				if (_v72 -  *((intOrPtr*)(_v72 - 8)) + 0xfffffff8 - 0x1f > 0) goto 0x12daffaf;
				0x12db3f50();
				_t142 = _v80;
				if (_t142 - 8 < 0) goto 0x12daff82;
				if (2 + _t142 * 2 - 0x1000 < 0) goto 0x12daff7d;
				if (_v104 -  *((intOrPtr*)(_v104 - 8)) + 0xfffffff8 - 0x1f > 0) goto 0x12daffa9;
				0x12db3f50();
				return E00007FF77FF712DB4070(1, 1, 0, _v40 ^ _t151 - 0x00000080);
			}

0x7ff712dafd60
0x7ff712dafd60
0x7ff712dafd71
0x7ff712dafd79
0x7ff712dafd7d
0x7ff712dafd81
0x7ff712dafd8b
0x7ff712dafd8f
0x7ff712dafd95
0x7ff712dafd98
0x7ff712dafd9d
0x7ff712dafda6
0x7ff712dafda8
0x7ff712dafdaf
0x7ff712dafdb1
0x7ff712dafdb4
0x7ff712dafdb8
0x7ff712dafdc0
0x7ff712dafdd6
0x7ff712dafde2
0x7ff712dafde7
0x7ff712dafdf9
0x7ff712dafdfe
0x7ff712dafe02
0x7ff712dafe11
0x7ff712dafe20
0x7ff712dafe2b
0x7ff712dafe32
0x7ff712dafe38
0x7ff712dafe3e
0x7ff712dafe44
0x7ff712dafe46
0x7ff712dafe4e
0x7ff712dafe61
0x7ff712dafe66
0x7ff712dafe70
0x7ff712dafe77
0x7ff712dafe85
0x7ff712dafe93
0x7ff712dafe9b
0x7ff712dafea6
0x7ff712dafeb9
0x7ff712dafec0
0x7ff712dafecc
0x7ff712dafece
0x7ff712dafed6
0x7ff712dafedd
0x7ff712dafee8
0x7ff712dafef6
0x7ff712daff02
0x7ff712daff08
0x7ff712daff10
0x7ff712daff28
0x7ff712daff3d
0x7ff712daff3f
0x7ff712daff46
0x7ff712daff4e
0x7ff712daff66
0x7ff712daff7b
0x7ff712daff7d
0x7ff712daffa8

APIs

LoadLibraryExW.KERNEL32 ref: 00007FF712DAFE38
GetLastError.KERNEL32 ref: 00007FF712DAFE46
GetModuleHandleExW.KERNEL32 ref: 00007FF712DAFE93
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF712DAFFA9
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF712DAFFAF

Part of subcall function 00007FF712DAC460: EnterCriticalSection.KERNEL32 ref: 00007FF712DAC498
Part of subcall function 00007FF712DAC460: __stdio_common_vswprintf.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF712DAC4CE
Part of subcall function 00007FF712DAC460: __stdio_common_vswprintf.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF712DAC519
Part of subcall function 00007FF712DAC460: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF712DAC544
Part of subcall function 00007FF712DAC460: fputws.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF712DAC54F
Part of subcall function 00007FF712DAC460: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF712DAC557
Part of subcall function 00007FF712DAC460: fputwc.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF712DAC562
Part of subcall function 00007FF712DAC460: OutputDebugStringW.KERNEL32 ref: 00007FF712DAC575
Part of subcall function 00007FF712DAC460: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF712DAC589
Part of subcall function 00007FF712DAC460: __stdio_common_vfwprintf.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF712DAC5B6
Part of subcall function 00007FF712DAC460: fputwc.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF712DAC5C3

Strings

Failed to load the dll from [%s], HRESULT: 0x%X, xrefs: 00007FF712DAFE69
pal::load_library, xrefs: 00007FF712DAFEAB
Failed to pin library [%s] in [%s], xrefs: 00007FF712DAFEB2
Loaded library from %s, xrefs: 00007FF712DAFEFB

Memory Dump Source

Source File: 00000000.00000002.252556355.00007FF712DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF712DA0000, based on PE: true

Associated: 00000000.00000002.252549842.00007FF712DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252705366.00007FF712DB9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252717639.00007FF712DC9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252722439.00007FF712DCB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff712da0000_Hydra.jbxd

Similarity

API ID: __acrt_iob_func$__stdio_common_vswprintf_invalid_parameter_noinfo_noreturnfputwc$CriticalDebugEnterErrorHandleLastLibraryLoadModuleOutputSectionString__stdio_common_vfwprintffputws
String ID: Failed to load the dll from [%s], HRESULT: 0x%X$Failed to pin library [%s] in [%s]$Loaded library from %s$pal::load_library
API String ID: 482845221-4234151505
Opcode ID: fa9f3d5be0f5981eeab04ac63e8189ded7090a367ed78195c2a911891d8f9843
Instruction ID: b9e40806be0247124d13ca54c531efe8f8a5ccfcb92aca5cd9cd360d8b0fc7ff
Opcode Fuzzy Hash: fa9f3d5be0f5981eeab04ac63e8189ded7090a367ed78195c2a911891d8f9843
Instruction Fuzzy Hash: E361A022F04E5A98FB40EBA4D8542EC6362BB45BB8F904271DE9D166D9DFB8D149C320

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF712DA9F00 Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 225
COMMON

Download Yara Rule

C-Code - Quality: 28%

			E00007FF77FF712DA9F00(long long __rbx, intOrPtr* __rcx, long long __rdi, long long __rsi) {
				void* _v40;
				signed int _v48;
				void* _v56;
				signed long long _v64;
				char _v80;
				long long _v88;
				intOrPtr _v96;
				intOrPtr _v104;
				void* _v112;
				long long _v120;
				intOrPtr _v128;
				void* _v136;
				void* __r13;
				void* _t79;
				void* _t84;
				void* _t86;
				void* _t91;
				void* _t93;
				void* _t94;
				void* _t130;
				signed long long _t131;
				signed long long _t150;
				signed long long _t153;
				intOrPtr _t155;
				intOrPtr _t157;
				intOrPtr _t159;
				intOrPtr _t161;
				void* _t176;
				signed long long _t194;
				signed long long _t204;
				intOrPtr* _t217;
				intOrPtr _t219;
				intOrPtr _t220;
				intOrPtr* _t223;
				intOrPtr* _t225;
				void* _t229;
				void* _t234;
				intOrPtr _t236;
				long long _t238;
				signed long long _t239;
				signed long long _t240;
				intOrPtr _t242;

				_t130 = _t229;
				_v88 = 0xfffffffe;
				 *((long long*)(_t130 + 0x10)) = __rbx;
				 *((long long*)(_t130 + 0x18)) = __rsi;
				 *((long long*)(_t130 + 0x20)) = __rdi;
				_t131 =  *0x12dc9568; // 0x438b11ead5c6
				_v48 = _t131 ^ _t229 - 0x00000080;
				_t217 = __rcx;
				if ( *((long long*)(__rcx + 0x10)) == 0) goto 0x12daa289;
				r13d = 0;
				_v112 = _t238;
				asm("xorps xmm0, xmm0");
				asm("movdqu [ebp-0x40], xmm0");
				E00007FF77FF712DB0490(__rbx, __rcx,  &_v112);
				_t223 = _v112;
				_t236 = _v104;
				if (_t223 == _t236) goto 0x12daa063;
				_v64 = _t238;
				_v56 = _t238;
				_t239 =  *((intOrPtr*)(__rcx + 0x10));
				if ( *((long long*)(__rcx + 0x18)) - 8 < 0) goto 0x12da9f99;
				_t242 =  *__rcx;
				if (_t239 - 8 >= 0) goto 0x12da9fb1;
				asm("inc ecx");
				asm("movups [ebp-0x28], xmm0");
				_v56 = 7;
				goto 0x12da9fe7;
				_t150 = _t239 | 0x00000007;
				_t16 = ( >  ? 0xfffffffe : _t150) + 1; // 0x1
				_t79 = E00007FF77FF712DA53B0(_t16);
				_v80 = 0xfffffffe;
				E00007FF77FF712DB5690(_t79, 0xfffffffe, _t242, 2 + _t239 * 2);
				_v56 =  >  ? 0xfffffffe : _t150;
				_v64 = _t239;
				if ( *((long long*)(_t223 + 0x18)) - 8 < 0) goto 0x12da9ff8;
				E00007FF77FF712DACD10( >  ? 0xfffffffe : _t150,  &_v80,  *_t223, _t238);
				E00007FF77FF712DA9F00( >  ? 0xfffffffe : _t150,  &_v80, _t217, _t223);
				_t194 = _v56;
				if (_t194 - 8 < 0) goto 0x12daa04b;
				if (2 + _t194 * 2 - 0x1000 < 0) goto 0x12daa046;
				if (_v80 -  *((intOrPtr*)(_v80 - 8)) + 0xfffffff8 - 0x1f > 0) goto 0x12daa2bc;
				0x12db3f50();
				if (_t223 + 0x20 == _t236) goto 0x12daa063;
				goto 0x12da9f80;
				_v136 = _t238;
				asm("xorps xmm0, xmm0");
				asm("movdqu [ebp-0x58], xmm0");
				E00007FF77FF712DB03C0( >  ? 0xfffffffe : _t150, _t217,  &_v136);
				_t225 = _v136;
				if (_t225 == _v128) goto 0x12daa192;
				_v64 = _t238;
				_v56 = _t238;
				_t240 =  *((intOrPtr*)(_t217 + 0x10));
				if ( *((long long*)(_t217 + 0x18)) - 8 < 0) goto 0x12daa0a5;
				if (_t240 - 8 >= 0) goto 0x12daa0bd;
				asm("inc ecx");
				asm("movups [ebp-0x28], xmm0");
				_v56 = 7;
				goto 0x12daa0fd;
				_t153 = _t240 | 0x00000007;
				_t40 = ( >  ? 0xfffffffe : _t153) + 1; // 0x1
				_t84 = E00007FF77FF712DA53B0(_t40);
				_v80 = 0xfffffffe;
				E00007FF77FF712DB5690(_t84, 0xfffffffe,  *_t217, 2 + _t240 * 2);
				_v56 =  >  ? 0xfffffffe : _t153;
				_v64 = _t240;
				if ( *((long long*)(_t225 + 0x18)) - 8 < 0) goto 0x12daa10e;
				_t86 = E00007FF77FF712DACD10( >  ? 0xfffffffe : _t153,  &_v80,  *_t225, _t238);
				_t176 =  >=  ? _v80 :  &_v80;
				0x12db27b0();
				if (_t86 != 0) goto 0x12daa149;
				_t203 =  >=  ? _v80 :  &_v80;
				E00007FF77FF712DAC950(0xfffffffe, L"Failed to remove temporary file [%s].",  >=  ? _v80 :  &_v80, 2 + _t240 * 2, _t234);
				_t204 = _v56;
				if (_t204 - 8 < 0) goto 0x12daa189;
				if (2 + _t204 * 2 - 0x1000 < 0) goto 0x12daa184;
				if (_v80 -  *((intOrPtr*)(_v80 - 8)) + 0xfffffff8 - 0x1f > 0) goto 0x12daa2c2;
				0x12db3f50();
				goto 0x12daa083;
				if ( *((long long*)(_t217 + 0x18)) - 8 < 0) goto 0x12daa19f;
				if (RemoveDirectoryW(??) != 0) goto 0x12daa1c3;
				if ( *((long long*)(_t217 + 0x18)) - 8 < 0) goto 0x12daa1b3;
				E00007FF77FF712DAC950(_v80 -  *((intOrPtr*)(_v80 - 8)) + 0xfffffff8, L"Failed to remove temporary directory [%s].",  *_t217, 2 + _t240 * 2, _t234);
				_t155 = _v136;
				if (_t155 == 0) goto 0x12daa22e;
				_t219 = _v128;
				if (_t155 == _t219) goto 0x12daa1ea;
				E00007FF77FF712DA5300(_t155);
				if (_t155 + 0x20 != _t219) goto 0x12daa1d5;
				_t157 = _v136;
				if ((_v120 - _t157 & 0xffffffe0) - 0x1000 < 0) goto 0x12daa21a;
				if (_t157 -  *((intOrPtr*)(_t157 - 8)) + 0xfffffff8 - 0x1f > 0) goto 0x12daa2c8;
				0x12db3f50();
				asm("xorps xmm0, xmm0");
				asm("movdqu [ebp-0x60], xmm0");
				_v120 = _t238;
				_t159 = _v112;
				if (_t159 == 0) goto 0x12daa289;
				_t220 = _v104;
				if (_t159 == _t220) goto 0x12daa255;
				_t91 = E00007FF77FF712DA5300(_t159);
				if (_t159 + 0x20 != _t220) goto 0x12daa240;
				_t161 = _v112;
				if ((_v96 - _t161 & 0xffffffe0) - 0x1000 < 0) goto 0x12daa281;
				if (_t161 -  *((intOrPtr*)(_t161 - 8)) + 0xfffffff8 - 0x1f > 0) goto 0x12daa2b6;
				0x12db3f50();
				return E00007FF77FF712DB4070(_t91, _t93, _t94, _v48 ^ _t229 - 0x00000080);
			}

0x7ff712da9f00
0x7ff712da9f16
0x7ff712da9f1e
0x7ff712da9f22
0x7ff712da9f26
0x7ff712da9f2a
0x7ff712da9f34
0x7ff712da9f38
0x7ff712da9f40
0x7ff712da9f46
0x7ff712da9f49
0x7ff712da9f4d
0x7ff712da9f50
0x7ff712da9f59
0x7ff712da9f5e
0x7ff712da9f62
0x7ff712da9f73
0x7ff712da9f80
0x7ff712da9f84
0x7ff712da9f88
0x7ff712da9f94
0x7ff712da9f96
0x7ff712da9f9d
0x7ff712da9f9f
0x7ff712da9fa3
0x7ff712da9fa7
0x7ff712da9faf
0x7ff712da9fb4
0x7ff712da9fbf
0x7ff712da9fc7
0x7ff712da9fcc
0x7ff712da9fde
0x7ff712da9fe3
0x7ff712da9fe7
0x7ff712da9ff3
0x7ff712da9ffc
0x7ff712daa005
0x7ff712daa00b
0x7ff712daa013
0x7ff712daa02b
0x7ff712daa040
0x7ff712daa046
0x7ff712daa052
0x7ff712daa05e
0x7ff712daa063
0x7ff712daa067
0x7ff712daa06a
0x7ff712daa076
0x7ff712daa07b
0x7ff712daa086
0x7ff712daa08c
0x7ff712daa090
0x7ff712daa094
0x7ff712daa0a0
0x7ff712daa0a9
0x7ff712daa0ab
0x7ff712daa0af
0x7ff712daa0b3
0x7ff712daa0bb
0x7ff712daa0c0
0x7ff712daa0d5
0x7ff712daa0dd
0x7ff712daa0e2
0x7ff712daa0f4
0x7ff712daa0f9
0x7ff712daa0fd
0x7ff712daa109
0x7ff712daa112
0x7ff712daa120
0x7ff712daa125
0x7ff712daa12c
0x7ff712daa137
0x7ff712daa143
0x7ff712daa149
0x7ff712daa151
0x7ff712daa169
0x7ff712daa17e
0x7ff712daa184
0x7ff712daa18d
0x7ff712daa19a
0x7ff712daa1a7
0x7ff712daa1ae
0x7ff712daa1bd
0x7ff712daa1c3
0x7ff712daa1ca
0x7ff712daa1cc
0x7ff712daa1d3
0x7ff712daa1d8
0x7ff712daa1e4
0x7ff712daa1e6
0x7ff712daa1ff
0x7ff712daa214
0x7ff712daa21d
0x7ff712daa222
0x7ff712daa225
0x7ff712daa22a
0x7ff712daa22e
0x7ff712daa235
0x7ff712daa237
0x7ff712daa23e
0x7ff712daa243
0x7ff712daa24f
0x7ff712daa251
0x7ff712daa26a
0x7ff712daa27f
0x7ff712daa284
0x7ff712daa2b5

APIs

_wremove.API-MS-WIN-CRT-FILESYSTEM-L1-1-0 ref: 00007FF712DAA125
RemoveDirectoryW.KERNEL32 ref: 00007FF712DAA19F

Strings

Failed to remove temporary directory [%s]., xrefs: 00007FF712DAA1B6
Failed to remove temporary file [%s]., xrefs: 00007FF712DAA13C

Memory Dump Source

Source File: 00000000.00000002.252556355.00007FF712DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF712DA0000, based on PE: true

Associated: 00000000.00000002.252549842.00007FF712DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252705366.00007FF712DB9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252717639.00007FF712DC9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252722439.00007FF712DCB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff712da0000_Hydra.jbxd

Similarity

API ID: DirectoryRemove_wremove
String ID: Failed to remove temporary directory [%s].$Failed to remove temporary file [%s].
API String ID: 4125015853-3585224255
Opcode ID: 5fcc082552ba8dda137f26cb538f234e2bdf9b0f088bab50d543afa3b8693fa4
Instruction ID: 090ac08ebf37f00081c3bf96df31809405a3fc28d0297f3a348ef68402efee6e
Opcode Fuzzy Hash: 5fcc082552ba8dda137f26cb538f234e2bdf9b0f088bab50d543afa3b8693fa4
Instruction Fuzzy Hash: D9A1B522F14E0554EB40AB61D8442EDA371BB09BB8F945735CEAC17BC9DFB8D089C360

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF712DAC260 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 123COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00007FF712DAC2BC
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF712DAC2C7

Part of subcall function 00007FF712DAFAB0: GetEnvironmentVariableW.KERNEL32(?,?,00000000,00007FF712DAC2E4), ref: 00007FF712DAFAE4
Part of subcall function 00007FF712DAFAB0: GetLastError.KERNEL32(?,?,00000000,00007FF712DAC2E4), ref: 00007FF712DAFAF1
Part of subcall function 00007FF712DAFAB0: GetLastError.KERNEL32(?,?,00000000,00007FF712DAC2E4), ref: 00007FF712DAFAFE

LeaveCriticalSection.KERNEL32 ref: 00007FF712DAC3BD
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF712DAC449
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF712DAC44F

Strings

COREHOST_TRACEFILE, xrefs: 00007FF712DAC2D8
Unable to open COREHOST_TRACEFILE=%s for writing, xrefs: 00007FF712DAC3D8
COREHOST_TRACE_VERBOSITY, xrefs: 00007FF712DAC32D

Memory Dump Source

Source File: 00000000.00000002.252556355.00007FF712DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF712DA0000, based on PE: true

Associated: 00000000.00000002.252549842.00007FF712DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252705366.00007FF712DB9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252717639.00007FF712DC9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252722439.00007FF712DCB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff712da0000_Hydra.jbxd

Similarity

API ID: CriticalErrorLastSection_invalid_parameter_noinfo_noreturn$EnterEnvironmentLeaveVariable__acrt_iob_func
String ID: COREHOST_TRACEFILE$COREHOST_TRACE_VERBOSITY$Unable to open COREHOST_TRACEFILE=%s for writing
API String ID: 1003891545-3560840189
Opcode ID: 082f40b8a5bb4eda74c0164210189a1c6ae20b0c980447eb090277d348187f44
Instruction ID: 5c415d314a0e9507ea573952e3e3afb34c9c972baddf21b31e21435aa0490aa9
Opcode Fuzzy Hash: 082f40b8a5bb4eda74c0164210189a1c6ae20b0c980447eb090277d348187f44
Instruction Fuzzy Hash: 6F51A561A18F8A91EA40AB14E450279E360FF85BB0F905235EADD037E5DFBCE149C734

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF712DA9C90 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 66COMMON

Download Yara Rule

APIs

fread.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF712DA9CB8

Part of subcall function 00007FF712DAC460: EnterCriticalSection.KERNEL32 ref: 00007FF712DAC498
Part of subcall function 00007FF712DAC460: __stdio_common_vswprintf.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF712DAC4CE
Part of subcall function 00007FF712DAC460: __stdio_common_vswprintf.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF712DAC519
Part of subcall function 00007FF712DAC460: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF712DAC544
Part of subcall function 00007FF712DAC460: fputws.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF712DAC54F
Part of subcall function 00007FF712DAC460: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF712DAC557
Part of subcall function 00007FF712DAC460: fputwc.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF712DAC562
Part of subcall function 00007FF712DAC460: OutputDebugStringW.KERNEL32 ref: 00007FF712DAC575
Part of subcall function 00007FF712DAC460: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF712DAC589
Part of subcall function 00007FF712DAC460: __stdio_common_vfwprintf.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF712DAC5B6
Part of subcall function 00007FF712DAC460: fputwc.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF712DAC5C3

_CxxThrowException.LIBVCRUNTIME ref: 00007FF712DA9D1D

Part of subcall function 00007FF712DB4FAC: RtlPcToFileHeader.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF712DB2BD6), ref: 00007FF712DB5021
Part of subcall function 00007FF712DB4FAC: RaiseException.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF712DB2BD6), ref: 00007FF712DB5053

_CxxThrowException.LIBVCRUNTIME ref: 00007FF712DA9D4F
_CxxThrowException.LIBVCRUNTIME ref: 00007FF712DA9D81

Strings

I/O failure reading contents of the bundle., xrefs: 00007FF712DA9CFD
Failure processing application bundle; possible file corruption., xrefs: 00007FF712DA9CF1, 00007FF712DA9D23, 00007FF712DA9D55
Path length is zero or too long, xrefs: 00007FF712DA9D61
Path length encoding read beyond two bytes, xrefs: 00007FF712DA9D2F

Memory Dump Source

Source File: 00000000.00000002.252556355.00007FF712DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF712DA0000, based on PE: true

Associated: 00000000.00000002.252549842.00007FF712DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252705366.00007FF712DB9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252717639.00007FF712DC9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252722439.00007FF712DCB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff712da0000_Hydra.jbxd

Similarity

API ID: Exception$Throw__acrt_iob_func$__stdio_common_vswprintffputwc$CriticalDebugEnterFileHeaderOutputRaiseSectionString__stdio_common_vfwprintffputwsfread
String ID: Failure processing application bundle; possible file corruption.$I/O failure reading contents of the bundle.$Path length encoding read beyond two bytes$Path length is zero or too long
API String ID: 2673117985-3676025953
Opcode ID: f19a62fdc2cf90c35896c2b371614e292f42fbc41c4351e84e55bb63460e9266
Instruction ID: 2a2478a9b5fa2b8ce2c26099e8946baa0bd36266cd44116a2b49516d72fcedd0
Opcode Fuzzy Hash: f19a62fdc2cf90c35896c2b371614e292f42fbc41c4351e84e55bb63460e9266
Instruction Fuzzy Hash: 37215161A2CD4A62EA40FB10E4606B9A760FF95B64FD01031E5CD466E6DFDDE60CC734

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF712DB24F0 Relevance: 12.4, APIs: 1, Strings: 6, Instructions: 118
COMMON

Download Yara Rule

C-Code - Quality: 49%

			E00007FF77FF712DB24F0(void* __ecx, void* __edx, long long __rbx, intOrPtr* __rcx, long long __rdi, long long __rsi, void* __rbp, long long __r9, void* __r14, long long _a16, long long _a24, long long _a32) {
				signed int _v16;
				long long _v24;
				long long _v32;
				char _v48;
				long long _v56;
				void* _t41;
				void* _t42;
				signed long long _t65;
				intOrPtr* _t72;
				intOrPtr* _t73;
				intOrPtr _t97;
				intOrPtr _t101;
				void* _t102;
				long long _t104;
				void* _t105;
				void* _t107;
				signed long long _t108;
				long long _t115;
				void* _t117;

				_t115 = __r9;
				_t107 = __rbp;
				_t104 = __rsi;
				_t42 = __edx;
				_t41 = __ecx;
				_v56 = 0xfffffffe;
				_a16 = __rbx;
				_a24 = __rsi;
				_a32 = __rdi;
				_t65 =  *0x12dc9568; // 0x438b11ead5c6
				_v16 = _t65 ^ _t108;
				_t72 = __rcx;
				_v32 = 0;
				_v24 = 0xf;
				_v48 = 0;
				if ( *((char*)("Hydra.dll" + 0xffffffff)) != 0) goto 0x12db2545;
				if (E00007FF77FF712DB0A70(E00007FF77FF712DA55A0(__rcx,  &_v48, "Hydra.dll", 0, __r14), _t72,  &_v48, _t72, __rdi, __rsi, _t107) != 0) goto 0x12db257e;
				E00007FF77FF712DAC460(_t65 ^ _t108, L"The managed DLL bound to this executable could not be retrieved from the executable image.", _t72, 0, _t115);
				goto 0x12db264f;
				_t101 = _v32;
				if (_t101 - 0x40 < 0) goto 0x12db2634;
				r15d = 0x20;
				_t105 =  <  ? _t101 : _t104;
				_t81 =  >=  ? _v48 :  &_v48;
				_t112 =  >  ? _t117 : _t105;
				if (E00007FF77FF712DB5AD0(_t41,  >=  ? _v48 :  &_v48, "c3ab8ff13720e8ad9047dd39466b3c89",  >  ? _t117 : _t105) != 0) goto 0x12db2634;
				if (_t105 != _t117) goto 0x12db2634;
				if (_t101 - _t117 < 0) goto 0x12db26b4;
				_t16 = _t101 - 0x20; // 0x0
				_t102 =  <  ? _t16 : _t101;
				_t83 =  >=  ? _v48 :  &_v48;
				_t114 =  >  ? _t117 : _t102;
				_t84 = ( >=  ? _v48 :  &_v48) + _t117;
				if (E00007FF77FF712DB5AD0(_t41, ( >=  ? _v48 :  &_v48) + _t117, "74e592c2fa383d4a3960714caef0c4f2",  >  ? _t117 : _t102) != 0) goto 0x12db2634;
				if (_t102 != _t117) goto 0x12db2634;
				if ( *((long long*)(_t72 + 0x18)) - 8 < 0) goto 0x12db2621;
				_t73 =  *_t72;
				E00007FF77FF712DAC460(_t16, L"This executable is not bound to a managed DLL to execute. The binding value is: \'%s\'", _t73,  >  ? _t117 : _t102, _t115);
				goto 0x12db264f;
				if ( *((long long*)(_t73 + 0x18)) - 8 < 0) goto 0x12db263e;
				E00007FF77FF712DAC6B0(_t16, L"The managed DLL bound to this executable is: \'%s\'",  *_t73,  >  ? _t117 : _t102, _t115);
				_t97 = _v24;
				if (_t97 - 0x10 < 0) goto 0x12db2688;
				if (_t97 + 1 - 0x1000 < 0) goto 0x12db2683;
				if (_v48 -  *((intOrPtr*)(_v48 - 8)) + 0xfffffff8 - 0x1f > 0) goto 0x12db26ae;
				0x12db3f50();
				return E00007FF77FF712DB4070(1, _t41, _t42, _v16 ^ _t108);
			}

0x7ff712db24f0
0x7ff712db24f0
0x7ff712db24f0
0x7ff712db24f0
0x7ff712db24f0
0x7ff712db24f6
0x7ff712db24ff
0x7ff712db2504
0x7ff712db2509
0x7ff712db250e
0x7ff712db2518
0x7ff712db251d
0x7ff712db2520
0x7ff712db2529
0x7ff712db2532
0x7ff712db254d
0x7ff712db2569
0x7ff712db2572
0x7ff712db2579
0x7ff712db257e
0x7ff712db2587
0x7ff712db258d
0x7ff712db2599
0x7ff712db25a8
0x7ff712db25b4
0x7ff712db25c6
0x7ff712db25cb
0x7ff712db25d0
0x7ff712db25d6
0x7ff712db25e0
0x7ff712db25ef
0x7ff712db25fb
0x7ff712db25ff
0x7ff712db2610
0x7ff712db2615
0x7ff712db261c
0x7ff712db261e
0x7ff712db262b
0x7ff712db2632
0x7ff712db2639
0x7ff712db2648
0x7ff712db264f
0x7ff712db2658
0x7ff712db266c
0x7ff712db2681
0x7ff712db2683
0x7ff712db26ad

APIs

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF712DB26AE

Strings

This executable is not bound to a managed DLL to execute. The binding value is: '%s', xrefs: 00007FF712DB2624
74e592c2fa383d4a3960714caef0c4f2, xrefs: 00007FF712DB2602
Hydra.dll, xrefs: 00007FF712DB2537
The managed DLL bound to this executable could not be retrieved from the executable image., xrefs: 00007FF712DB256B
c3ab8ff13720e8ad9047dd39466b3c89, xrefs: 00007FF712DB25B8
The managed DLL bound to this executable is: '%s', xrefs: 00007FF712DB2641

Memory Dump Source

Source File: 00000000.00000002.252556355.00007FF712DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF712DA0000, based on PE: true

Associated: 00000000.00000002.252549842.00007FF712DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252705366.00007FF712DB9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252717639.00007FF712DC9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252722439.00007FF712DCB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff712da0000_Hydra.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID: 74e592c2fa383d4a3960714caef0c4f2$Hydra.dll$The managed DLL bound to this executable could not be retrieved from the executable image.$The managed DLL bound to this executable is: '%s'$This executable is not bound to a managed DLL to execute. The binding value is: '%s'$c3ab8ff13720e8ad9047dd39466b3c89
API String ID: 3668304517-1060040086
Opcode ID: 92e7e3a4787dc95351cd13f00ea29915c7825820256dd6b1c5992a94720cc80d
Instruction ID: 0d2e8e28ea60f5079d12d65f16000107eb9727ef48146ee174a216b62b2d2d9c
Opcode Fuzzy Hash: 92e7e3a4787dc95351cd13f00ea29915c7825820256dd6b1c5992a94720cc80d
Instruction Fuzzy Hash: 9841DA62A0CE8950EA10A724D474279E3A1EB56BF0FD00631D6DD13AE9DFBCD649C730

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF712DA1B50 Relevance: 10.6, APIs: 7, Instructions: 116
COMMON

Download Yara Rule

C-Code - Quality: 50%

			E00007FF77FF712DA1B50(long long __rbx, void* __rcx, long long __rbp, long long _a8, char _a16) {
				void* _v24;
				char _v128;
				char _v176;
				char _v208;
				long long _v216;
				void* _t37;
				void* _t38;
				intOrPtr _t40;
				void* _t43;
				void* _t44;
				void* _t46;
				void* _t47;
				void* _t52;
				void* _t62;
				intOrPtr _t73;
				intOrPtr _t74;
				long long _t75;
				intOrPtr _t76;
				long long _t84;
				intOrPtr _t90;
				intOrPtr _t102;
				signed long long _t103;
				long long _t104;
				intOrPtr _t107;
				void* _t110;
				void* _t111;
				void* _t113;

				_t73 = _t107;
				_v216 = 0xfffffffe;
				 *((long long*)(_t73 + 0x18)) = __rbx;
				 *((long long*)(_t73 + 0x20)) = __rbp;
				_t113 = __rcx;
				_a8 = 0;
				_t38 = E00007FF77FF712DB2870(_t37, 0, _t73 + 0x10);
				_t104 =  *0x12dc9d18; // 0x0
				_t102 =  *0x12dc9ec0; // 0x0
				if (_t102 != 0) goto 0x12da1bdd;
				E00007FF77FF712DB2870(_t38, 0,  &_a8);
				_t62 =  *0x12dc9ec0 - _t102; // 0x0
				if (_t62 != 0) goto 0x12da1bc9;
				_t40 =  *0x12dc9eb0; // 0x0
				 *0x12dc9eb0 = _t40 + 1;
				 *0x12dc9ec0 = _t73;
				_t43 = E00007FF77FF712DB28F0(_t73,  &_a8);
				_t103 =  *0x12dc9ec0; // 0x0
				_t90 =  *((intOrPtr*)(_t113 + 8));
				if (_t103 -  *((intOrPtr*)(_t90 + 0x18)) >= 0) goto 0x12da1bfa;
				_t74 =  *((intOrPtr*)(_t90 + 0x10));
				if ( *((intOrPtr*)(_t74 + _t103 * 8)) != 0) goto 0x12da1d05;
				goto 0x12da1bfc;
				if ( *((char*)(_t90 + 0x24)) == 0) goto 0x12da1c15;
				_t44 = E00007FF77FF712DB3244(_t43);
				if (_t103 -  *((intOrPtr*)(_t74 + 0x18)) >= 0) goto 0x12da1c1e;
				_t75 =  *((intOrPtr*)(_t74 + 0x10));
				if ( *((intOrPtr*)(_t75 + _t103 * 8)) != 0) goto 0x12da1d05;
				if (_t104 == 0) goto 0x12da1c2b;
				goto 0x12da1d05;
				E00007FF77FF712DB3F14(_t44, _t75, _t90);
				_t84 = _t75;
				_a8 = _t75;
				if (_t75 == 0) goto 0x12da1ccc;
				_t76 =  *((intOrPtr*)(_t113 + 8));
				if (_t76 != 0) goto 0x12da1c5b;
				goto 0x12da1c68;
				if ( *((intOrPtr*)(_t76 + 0x28)) != 0) goto 0x12da1c68;
				_t46 = E00007FF77FF712DA2440(_t76, _t84,  &_v128, _t76 + 0x30);
				 *((intOrPtr*)(_t84 + 8)) = 0;
				 *_t84 = 0x12db9e10;
				_t47 = E00007FF77FF712DB2BFC(_t46, 0x12db9e10, _t84,  &_v208, _t76 + 0x30, _t110);
				asm("movups xmm0, [eax]");
				asm("movups [ebx+0x10], xmm0");
				asm("movups xmm1, [eax+0x10]");
				asm("movups [ebx+0x20], xmm1");
				E00007FF77FF712DB2CC4(_t47, 0x12db9e10, _t84,  &_v176, _t76 + 0x30, _t111);
				asm("movups xmm0, [eax]");
				asm("movups [ebx+0x30], xmm0");
				asm("movups xmm1, [eax+0x10]");
				asm("movups [ebx+0x40], xmm1");
				asm("movsd xmm0, [eax+0x20]");
				asm("movsd [ebx+0x50], xmm0");
				 *((intOrPtr*)(_t84 + 0x58)) =  *0x7FF712DB9E38;
				goto 0x12da1cce;
				if ((bpl & 0x00000001) == 0) goto 0x12da1cde;
				E00007FF77FF712DA3290(_t84,  &_v128);
				_a8 = _t84;
				E00007FF77FF712DB320C(0x12db9e10, _t84);
				_t52 =  *0x12db9470();
				 *0x12dc9d18 = _t84;
				return E00007FF77FF712DB28F0(_t52,  &_a16);
			}

0x7ff712da1b50
0x7ff712da1b5e
0x7ff712da1b67
0x7ff712da1b6b
0x7ff712da1b6f
0x7ff712da1b74
0x7ff712da1b81
0x7ff712da1b87
0x7ff712da1b8e
0x7ff712da1b98
0x7ff712da1ba4
0x7ff712da1ba9
0x7ff712da1bb0
0x7ff712da1bb2
0x7ff712da1bba
0x7ff712da1bc2
0x7ff712da1bd1
0x7ff712da1bd6
0x7ff712da1bdd
0x7ff712da1be5
0x7ff712da1be7
0x7ff712da1bf2
0x7ff712da1bf8
0x7ff712da1c00
0x7ff712da1c02
0x7ff712da1c0b
0x7ff712da1c0d
0x7ff712da1c18
0x7ff712da1c21
0x7ff712da1c26
0x7ff712da1c30
0x7ff712da1c35
0x7ff712da1c38
0x7ff712da1c43
0x7ff712da1c49
0x7ff712da1c50
0x7ff712da1c59
0x7ff712da1c62
0x7ff712da1c6d
0x7ff712da1c77
0x7ff712da1c85
0x7ff712da1c8d
0x7ff712da1c92
0x7ff712da1c95
0x7ff712da1c99
0x7ff712da1c9d
0x7ff712da1ca6
0x7ff712da1cab
0x7ff712da1cae
0x7ff712da1cb2
0x7ff712da1cb6
0x7ff712da1cba
0x7ff712da1cbf
0x7ff712da1cc7
0x7ff712da1cca
0x7ff712da1cd2
0x7ff712da1cd9
0x7ff712da1cde
0x7ff712da1ce9
0x7ff712da1cf8
0x7ff712da1cfe
0x7ff712da1d2c

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00007FF712DA1B81
std::_Lockit::_Lockit.LIBCPMT ref: 00007FF712DA1BA4
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF712DA1BD1
std::_Locinfo::_Locinfo.LIBCPMT ref: 00007FF712DA1C6D
_Getcvt.LIBCPMT ref: 00007FF712DA1CA6
std::_Facet_Register.LIBCPMT ref: 00007FF712DA1CE9
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF712DA1D0D

Memory Dump Source

Source File: 00000000.00000002.252556355.00007FF712DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF712DA0000, based on PE: true

Associated: 00000000.00000002.252549842.00007FF712DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252705366.00007FF712DB9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252717639.00007FF712DC9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252722439.00007FF712DCB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff712da0000_Hydra.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_GetcvtLocinfoLocinfo::_Register
String ID:
API String ID: 2452388251-0
Opcode ID: fc0245bf1a73855aa678f268d90f29db2f164e8496454e306af8e5f356928726
Instruction ID: 89dcfb21df87a63e5e3b1a2e8e472520b7e1cad6f1665c7a7965ca48fe4843da
Opcode Fuzzy Hash: fc0245bf1a73855aa678f268d90f29db2f164e8496454e306af8e5f356928726
Instruction Fuzzy Hash: EA517122A09F8981EB55EF25D4502B8B761FB95BA4F844235CACD033A5DFB8E589C370

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF712DA7190 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 109
COMMON

Download Yara Rule

C-Code - Quality: 16%

			E00007FF77FF712DA7190(void* __ebx, void* __ebp, long long __rbx, long long __rcx, long long __rdx, long long __rdi, long long __rsi, long long __rbp) {
				void* _v8;
				long long _v56;
				char _v64;
				signed short _t40;
				long long _t60;
				long long _t62;
				long long _t69;
				long long _t84;
				intOrPtr* _t85;
				long long _t90;
				long long _t92;
				void* _t95;
				void* _t98;
				long long _t100;

				_t62 = _t92;
				 *((long long*)(_t62 - 0x48)) = 0xfffffffe;
				 *((long long*)(_t62 + 8)) = __rbx;
				 *((long long*)(_t62 + 0x10)) = __rbp;
				 *((long long*)(_t62 + 0x18)) = __rsi;
				 *((long long*)(_t62 + 0x20)) = __rdi;
				_t90 = __rdx;
				_t69 = __rcx;
				r14d = 0;
				 *((long long*)(__rcx + 0x40)) = _t100;
				 *((long long*)(__rcx + 8)) = _t100;
				 *((intOrPtr*)(__rcx + 0x14)) = r14d;
				 *((intOrPtr*)(__rcx + 0x18)) = 0x201;
				 *((long long*)(__rcx + 0x20)) = 6;
				 *((long long*)(__rcx + 0x28)) = _t100;
				 *((long long*)(__rcx + 0x30)) = _t100;
				 *((long long*)(__rcx + 0x38)) = _t100;
				E00007FF77FF712DB3F14(E00007FF77FF712DA5820(0, __rcx), _t62, __rcx);
				if (_t62 == 0) goto 0x12da720a;
				E00007FF77FF712DB324C(1, _t62, _t69, __rsi, _t95);
				 *((long long*)(_t62 + 8)) = _t62;
				goto 0x12da720d;
				_t84 = _t100;
				 *((long long*)(_t69 + 0x40)) = _t84;
				 *((long long*)(_t69 + 0x48)) = _t90;
				 *((long long*)(_t69 + 0x50)) = _t100;
				_t85 =  *((intOrPtr*)(_t84 + 8));
				_v56 = _t85;
				 *0x12db9470();
				E00007FF77FF712DA1B50(_t69,  &_v64, _t90);
				_t40 =  *0x12db9470();
				if (_t85 == 0) goto 0x12da7287;
				 *0x12db9470();
				if ( *((intOrPtr*)( *_t85 + 0x10)) == 0) goto 0x12da7287;
				 *0x12db9470();
				 *((short*)(_t69 + 0x58)) = _t40 & 0x0000ffff;
				_t60 =  *((long long*)(_t69 + 0x48));
				if (_t60 != 0) goto 0x12da72a3;
				 *(_t69 + 0x10) =  *(_t69 + 0x10) & 0x00000013 | 0x00000004;
				if (_t60 != 0) goto 0x12da72cb;
				if (sil == 0) goto 0x12da72b0;
				return E00007FF77FF712DB3554( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *_t85 + 0x10)))))), _t69,  *_t85, _t98);
			}

0x7ff712da7190
0x7ff712da7199
0x7ff712da71a1
0x7ff712da71a5
0x7ff712da71a9
0x7ff712da71ad
0x7ff712da71b5
0x7ff712da71b8
0x7ff712da71bb
0x7ff712da71be
0x7ff712da71c2
0x7ff712da71c6
0x7ff712da71ca
0x7ff712da71d1
0x7ff712da71d9
0x7ff712da71dd
0x7ff712da71e1
0x7ff712da71f0
0x7ff712da71fb
0x7ff712da71ff
0x7ff712da7204
0x7ff712da7208
0x7ff712da720a
0x7ff712da720d
0x7ff712da7211
0x7ff712da7215
0x7ff712da7219
0x7ff712da721d
0x7ff712da722c
0x7ff712da7238
0x7ff712da724c
0x7ff712da7258
0x7ff712da7264
0x7ff712da7270
0x7ff712da7280
0x7ff712da7287
0x7ff712da728b
0x7ff712da7290
0x7ff712da729b
0x7ff712da72a1
0x7ff712da72a6
0x7ff712da72ca

APIs

Part of subcall function 00007FF712DB3F14: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,7FFFFFFFFFFFFFFE), ref: 00007FF712DB3F2E

std::locale::_Init.LIBCPMT ref: 00007FF712DA71FF

Part of subcall function 00007FF712DB324C: std::_Lockit::_Lockit.LIBCPMT ref: 00007FF712DB326A
Part of subcall function 00007FF712DB324C: std::locale::_Locimp::_New_Locimp.LIBCPMT ref: 00007FF712DB327E
Part of subcall function 00007FF712DB324C: std::locale::_Setgloballocale.LIBCPMT ref: 00007FF712DB3289
Part of subcall function 00007FF712DB324C: _Yarn.LIBCPMT ref: 00007FF712DB32A0
Part of subcall function 00007FF712DB324C: std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF712DB32E5

std::ios_base::_Addstd.LIBCPMT ref: 00007FF712DA72AB
_CxxThrowException.LIBVCRUNTIME ref: 00007FF712DA7317

Strings

ios_base::badbit set, xrefs: 00007FF712DA72CF
ios_base::eofbit set, xrefs: 00007FF712DA72E1
ios_base::failbit set, xrefs: 00007FF712DA72DA

Memory Dump Source

Source File: 00000000.00000002.252556355.00007FF712DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF712DA0000, based on PE: true

Associated: 00000000.00000002.252549842.00007FF712DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252705366.00007FF712DB9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252717639.00007FF712DC9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252722439.00007FF712DCB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff712da0000_Hydra.jbxd

Similarity

API ID: std::locale::_$Lockitstd::_$AddstdExceptionInitLocimpLocimp::_Lockit::_Lockit::~_New_SetgloballocaleThrowYarnmallocstd::ios_base::_
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 3567259056-1866435925
Opcode ID: a933ea790c5002e9c6aadb6c9fd23561d6a29daed734e6493f01685791277ff3
Instruction ID: 298d62b3c75bb66ff8392ddfe402f8666ec9af989d988a62211268cc0ac3702b
Opcode Fuzzy Hash: a933ea790c5002e9c6aadb6c9fd23561d6a29daed734e6493f01685791277ff3
Instruction Fuzzy Hash: 4941D032604F4992EB58EB15D4502ACB3A4FB44FA4F944135DA9E03BA0DF7CE55AC360

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF712DAE0C0 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 105COMMON

Download Yara Rule

APIs

memset.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF712DAE11F
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF712DAE1BE
wcstoul.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 00007FF712DAE1E4

Strings

0123456789, xrefs: 00007FF712DAE124, 00007FF712DAE184
stoul argument out of range, xrefs: 00007FF712DAE226
invalid stoul argument, xrefs: 00007FF712DAE233

Memory Dump Source

Source File: 00000000.00000002.252556355.00007FF712DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF712DA0000, based on PE: true

Associated: 00000000.00000002.252549842.00007FF712DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252705366.00007FF712DB9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252717639.00007FF712DC9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252722439.00007FF712DCB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff712da0000_Hydra.jbxd

Similarity

API ID: _errnomemsetwcstoul
String ID: 0123456789$invalid stoul argument$stoul argument out of range
API String ID: 2954855158-67083455
Opcode ID: 24bd47a2a706b7e0f0dbbfd7e5bfc0bbdbe5719b3809e27fb320277b7041f980
Instruction ID: f795986e128bed43de41ae5e53d5021c660fa556c809cfb930d89c6bce4c9cbd
Opcode Fuzzy Hash: 24bd47a2a706b7e0f0dbbfd7e5bfc0bbdbe5719b3809e27fb320277b7041f980
Instruction Fuzzy Hash: D041C232A08A6951EEA8AB15D4246B8E350EB55BB4FD44631CADD03BD4DEBCE54AC330

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF712DAFAB0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 81
COMMON

Download Yara Rule

C-Code - Quality: 27%

			E00007FF77FF712DAFAB0(long long __rcx, intOrPtr* __rdx, long long __rsi, long long __rbp, long long _a24, long long _a32) {
				long _t7;
				signed short _t9;
				long long _t37;
				long long _t38;

				_a24 = __rbp;
				_a32 = __rsi;
				 *((long long*)(__rdx + 0x10)) = __rcx;
				if ( *((long long*)(__rdx + 0x18)) - 8 < 0) goto 0x12dafad9;
				 *((short*)( *((intOrPtr*)(__rdx)))) = 0;
				r8d = 0;
				_t7 = GetEnvironmentVariableW(??, ??, ??);
				r14d = _t7;
				if (_t7 != 0) goto 0x12dafb35;
				if (GetLastError() == 0xcb) goto 0x12dafb22;
				_t9 = GetLastError();
				if (_t9 <= 0) goto 0x12dafb10;
				r8d = _t9 & 0x0000ffff | 0x80070000;
				E00007FF77FF712DAC460( *((intOrPtr*)(__rdx)), L"Failed to read environment variable [%s], HRESULT: 0x%X", __rcx, _t37, _t38);
				return 0;
			}

0x7ff712dafab0
0x7ff712dafab5
0x7ff712dafad0
0x7ff712dafad4
0x7ff712dafad9
0x7ff712dafadc
0x7ff712dafae4
0x7ff712dafaea
0x7ff712dafaef
0x7ff712dafafc
0x7ff712dafafe
0x7ff712dafb06
0x7ff712dafb10
0x7ff712dafb1d
0x7ff712dafb34

APIs

GetEnvironmentVariableW.KERNEL32(?,?,00000000,00007FF712DAC2E4), ref: 00007FF712DAFAE4
GetLastError.KERNEL32(?,?,00000000,00007FF712DAC2E4), ref: 00007FF712DAFAF1
GetLastError.KERNEL32(?,?,00000000,00007FF712DAC2E4), ref: 00007FF712DAFAFE
GetEnvironmentVariableW.KERNEL32(?,?,00000000,00007FF712DAC2E4), ref: 00007FF712DAFB66
GetLastError.KERNEL32(?,?,00000000,00007FF712DAC2E4), ref: 00007FF712DAFB70

Strings

Failed to read environment variable [%s], HRESULT: 0x%X, xrefs: 00007FF712DAFB13, 00007FF712DAFB85

Memory Dump Source

Source File: 00000000.00000002.252556355.00007FF712DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF712DA0000, based on PE: true

Associated: 00000000.00000002.252549842.00007FF712DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252705366.00007FF712DB9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252717639.00007FF712DC9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252722439.00007FF712DCB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff712da0000_Hydra.jbxd

Similarity

API ID: ErrorLast$EnvironmentVariable
String ID: Failed to read environment variable [%s], HRESULT: 0x%X
API String ID: 2691138088-3628523914
Opcode ID: cc308ab90fdcab265bb1682da5321ca09d3fcf4fd966340a4b0125f7c4ab4639
Instruction ID: f83f0b1eb3bfa5a02ba1c1728fdad10180895e7a58d1ea9c3333169b9501f8e2
Opcode Fuzzy Hash: cc308ab90fdcab265bb1682da5321ca09d3fcf4fd966340a4b0125f7c4ab4639
Instruction Fuzzy Hash: E431F311B0CA4A86E640BF22E4206BAA3A0EB45FE0F941174EE9D877D5CE6DE048C730

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF712DA1ED0 Relevance: 9.1, APIs: 6, Instructions: 106
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E00007FF77FF712DA1ED0(void* __rcx, long long _a8, char _a16, long long _a24) {
				char _v144;
				long long _v152;
				void* __rbx;
				void* __rsi;
				void* _t29;
				void* _t30;
				intOrPtr _t32;
				void* _t35;
				void* _t36;
				void* _t42;
				void* _t52;
				intOrPtr _t63;
				intOrPtr _t64;
				long long _t65;
				intOrPtr _t66;
				long long _t72;
				intOrPtr _t77;
				intOrPtr _t90;
				signed long long _t91;
				long long _t92;
				long long _t93;
				intOrPtr _t94;
				void* _t97;

				_t63 = _t94;
				_v152 = 0xfffffffe;
				_t97 = __rcx;
				 *((intOrPtr*)(_t63 + 8)) = 0;
				_t30 = E00007FF77FF712DB2870(_t29, 0, _t63 + 0x10);
				_t93 =  *0x12dc9d10; // 0x0
				_t90 =  *0x12dc9ce8; // 0x0
				if (_t90 != 0) goto 0x12da1f53;
				E00007FF77FF712DB2870(_t30, 0,  &_a8);
				_t52 =  *0x12dc9ce8 - _t90; // 0x0
				if (_t52 != 0) goto 0x12da1f3f;
				_t32 =  *0x12dc9eb0; // 0x0
				 *0x12dc9eb0 = _t32 + 1;
				 *0x12dc9ce8 = _t63;
				_t35 = E00007FF77FF712DB28F0(_t63,  &_a8);
				_t91 =  *0x12dc9ce8; // 0x0
				_t77 =  *((intOrPtr*)(_t97 + 8));
				if (_t91 -  *((intOrPtr*)(_t77 + 0x18)) >= 0) goto 0x12da1f70;
				_t64 =  *((intOrPtr*)(_t77 + 0x10));
				if ( *((intOrPtr*)(_t64 + _t91 * 8)) != 0) goto 0x12da204d;
				goto 0x12da1f72;
				if ( *((char*)(_t77 + 0x24)) == 0) goto 0x12da1f8b;
				_t36 = E00007FF77FF712DB3244(_t35);
				if (_t91 -  *((intOrPtr*)(_t64 + 0x18)) >= 0) goto 0x12da1f94;
				_t65 =  *((intOrPtr*)(_t64 + 0x10));
				if ( *((intOrPtr*)(_t65 + _t91 * 8)) != 0) goto 0x12da204d;
				if (_t93 == 0) goto 0x12da1fa1;
				goto 0x12da204d;
				E00007FF77FF712DB3F14(_t36, _t65, _t77);
				_t72 = _t65;
				_a24 = _t65;
				if (_t65 == 0) goto 0x12da2014;
				_t66 =  *((intOrPtr*)(_t97 + 8));
				if (_t66 != 0) goto 0x12da1fcd;
				goto 0x12da1fda;
				if ( *((intOrPtr*)(_t66 + 0x28)) != 0) goto 0x12da1fda;
				E00007FF77FF712DA2440(_t66, _t72,  &_v144, _t66 + 0x30);
				_a8 = 1;
				 *((intOrPtr*)(_t72 + 8)) = 0;
				 *_t72 = 0x12dba170;
				r8d = sil & 0xffffffff;
				E00007FF77FF712DA4520(_t72, _t72, _t92);
				goto 0x12da2016;
				if ((sil & 0x00000001) == 0) goto 0x12da2026;
				E00007FF77FF712DA3290(_t72,  &_v144);
				_a8 = _t72;
				E00007FF77FF712DB320C(_t66, _t72);
				_t42 =  *0x12db9470();
				 *0x12dc9d10 = _t72;
				return E00007FF77FF712DB28F0(_t42,  &_a16);
			}

0x7ff712da1ed0
0x7ff712da1ee0
0x7ff712da1ee9
0x7ff712da1eee
0x7ff712da1ef7
0x7ff712da1efd
0x7ff712da1f04
0x7ff712da1f0e
0x7ff712da1f1a
0x7ff712da1f1f
0x7ff712da1f26
0x7ff712da1f28
0x7ff712da1f30
0x7ff712da1f38
0x7ff712da1f47
0x7ff712da1f4c
0x7ff712da1f53
0x7ff712da1f5b
0x7ff712da1f5d
0x7ff712da1f68
0x7ff712da1f6e
0x7ff712da1f76
0x7ff712da1f78
0x7ff712da1f81
0x7ff712da1f83
0x7ff712da1f8e
0x7ff712da1f97
0x7ff712da1f9c
0x7ff712da1fa6
0x7ff712da1fab
0x7ff712da1fae
0x7ff712da1fb9
0x7ff712da1fbb
0x7ff712da1fc2
0x7ff712da1fcb
0x7ff712da1fd4
0x7ff712da1fdf
0x7ff712da1fea
0x7ff712da1ff1
0x7ff712da1fff
0x7ff712da2002
0x7ff712da200c
0x7ff712da2012
0x7ff712da201a
0x7ff712da2021
0x7ff712da2026
0x7ff712da2031
0x7ff712da2040
0x7ff712da2046
0x7ff712da206a

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00007FF712DA1EF7
std::_Lockit::_Lockit.LIBCPMT ref: 00007FF712DA1F1A
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF712DA1F47
std::_Locinfo::_Locinfo.LIBCPMT ref: 00007FF712DA1FDF
std::_Facet_Register.LIBCPMT ref: 00007FF712DA2031
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF712DA2055

Memory Dump Source

Source File: 00000000.00000002.252556355.00007FF712DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF712DA0000, based on PE: true

Associated: 00000000.00000002.252549842.00007FF712DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252705366.00007FF712DB9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252717639.00007FF712DC9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252722439.00007FF712DCB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff712da0000_Hydra.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_LocinfoLocinfo::_Register
String ID:
API String ID: 1750885376-0
Opcode ID: af098f13bc0381162074e17624cb91a32d94ed7fadaa83cb62236e19a6c11667
Instruction ID: 78e2ac1e9c44dc54b484d840a6896d09ff337dbbb1bde904979b707eab7885c2
Opcode Fuzzy Hash: af098f13bc0381162074e17624cb91a32d94ed7fadaa83cb62236e19a6c11667
Instruction Fuzzy Hash: 9241A122A09E8A80EA61AB15D4507B9E3A1FB54FB0F884135D98D073E5DFBCE449C370

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF712DA1D30 Relevance: 9.1, APIs: 6, Instructions: 100
COMMON

Download Yara Rule

C-Code - Quality: 68%

			E00007FF77FF712DA1D30(long long __rbx, void* __rcx, long long __rbp, long long _a8, char _a16) {
				void* _v24;
				char _v128;
				long long _v136;
				void* _t33;
				void* _t34;
				intOrPtr _t36;
				void* _t39;
				void* _t40;
				void* _t45;
				void* _t55;
				intOrPtr _t66;
				intOrPtr _t67;
				long long _t68;
				intOrPtr _t69;
				long long _t77;
				intOrPtr _t83;
				intOrPtr _t93;
				signed long long _t94;
				long long _t95;
				intOrPtr _t98;
				void* _t102;

				_t66 = _t98;
				_v136 = 0xfffffffe;
				 *((long long*)(_t66 + 0x18)) = __rbx;
				 *((long long*)(_t66 + 0x20)) = __rbp;
				_t102 = __rcx;
				_a8 = 0;
				_t34 = E00007FF77FF712DB2870(_t33, 0, _t66 + 0x10);
				_t95 =  *0x12dc9d08; // 0x0
				_t93 =  *0x12dc9cd8; // 0x0
				if (_t93 != 0) goto 0x12da1dbd;
				E00007FF77FF712DB2870(_t34, 0,  &_a8);
				_t55 =  *0x12dc9cd8 - _t93; // 0x0
				if (_t55 != 0) goto 0x12da1da9;
				_t36 =  *0x12dc9eb0; // 0x0
				 *0x12dc9eb0 = _t36 + 1;
				 *0x12dc9cd8 = _t66;
				_t39 = E00007FF77FF712DB28F0(_t66,  &_a8);
				_t94 =  *0x12dc9cd8; // 0x0
				_t83 =  *((intOrPtr*)(_t102 + 8));
				if (_t94 -  *((intOrPtr*)(_t83 + 0x18)) >= 0) goto 0x12da1dda;
				_t67 =  *((intOrPtr*)(_t83 + 0x10));
				if ( *((intOrPtr*)(_t67 + _t94 * 8)) != 0) goto 0x12da1e9f;
				goto 0x12da1ddc;
				if ( *((char*)(_t83 + 0x24)) == 0) goto 0x12da1df5;
				_t40 = E00007FF77FF712DB3244(_t39);
				if (_t94 -  *((intOrPtr*)(_t67 + 0x18)) >= 0) goto 0x12da1dfe;
				_t68 =  *((intOrPtr*)(_t67 + 0x10));
				if ( *((intOrPtr*)(_t68 + _t94 * 8)) != 0) goto 0x12da1e9f;
				if (_t95 == 0) goto 0x12da1e0b;
				goto 0x12da1e9f;
				E00007FF77FF712DB3F14(_t40, _t68, _t83);
				_t77 = _t68;
				_a8 = _t68;
				if (_t68 == 0) goto 0x12da1e66;
				_t69 =  *((intOrPtr*)(_t102 + 8));
				if (_t69 != 0) goto 0x12da1e37;
				goto 0x12da1e44;
				if ( *((intOrPtr*)(_t69 + 0x28)) != 0) goto 0x12da1e44;
				E00007FF77FF712DA2440(_t69, _t77,  &_v128, _t69 + 0x30);
				 *((intOrPtr*)(_t77 + 8)) = 0;
				 *_t77 = 0x12dba108;
				goto 0x12da1e68;
				if ((bpl & 0x00000001) == 0) goto 0x12da1e78;
				E00007FF77FF712DA3290(_t77,  &_v128);
				_a8 = _t77;
				E00007FF77FF712DB320C(0x12dba108, _t77);
				_t45 =  *0x12db9470();
				 *0x12dc9d08 = _t77;
				return E00007FF77FF712DB28F0(_t45,  &_a16);
			}

0x7ff712da1d30
0x7ff712da1d3e
0x7ff712da1d47
0x7ff712da1d4b
0x7ff712da1d4f
0x7ff712da1d54
0x7ff712da1d61
0x7ff712da1d67
0x7ff712da1d6e
0x7ff712da1d78
0x7ff712da1d84
0x7ff712da1d89
0x7ff712da1d90
0x7ff712da1d92
0x7ff712da1d9a
0x7ff712da1da2
0x7ff712da1db1
0x7ff712da1db6
0x7ff712da1dbd
0x7ff712da1dc5
0x7ff712da1dc7
0x7ff712da1dd2
0x7ff712da1dd8
0x7ff712da1de0
0x7ff712da1de2
0x7ff712da1deb
0x7ff712da1ded
0x7ff712da1df8
0x7ff712da1e01
0x7ff712da1e06
0x7ff712da1e10
0x7ff712da1e15
0x7ff712da1e18
0x7ff712da1e23
0x7ff712da1e25
0x7ff712da1e2c
0x7ff712da1e35
0x7ff712da1e3e
0x7ff712da1e49
0x7ff712da1e53
0x7ff712da1e61
0x7ff712da1e64
0x7ff712da1e6c
0x7ff712da1e73
0x7ff712da1e78
0x7ff712da1e83
0x7ff712da1e92
0x7ff712da1e98
0x7ff712da1ec6

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00007FF712DA1D61
std::_Lockit::_Lockit.LIBCPMT ref: 00007FF712DA1D84
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF712DA1DB1
std::_Locinfo::_Locinfo.LIBCPMT ref: 00007FF712DA1E49
std::_Facet_Register.LIBCPMT ref: 00007FF712DA1E83
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF712DA1EA7

Memory Dump Source

Source File: 00000000.00000002.252556355.00007FF712DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF712DA0000, based on PE: true

Associated: 00000000.00000002.252549842.00007FF712DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252705366.00007FF712DB9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252717639.00007FF712DC9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252722439.00007FF712DCB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff712da0000_Hydra.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_LocinfoLocinfo::_Register
String ID:
API String ID: 1750885376-0
Opcode ID: fcde7ab78dd1806b4ed746c3bcca11a10f122d9a422204256540f4345ce50e5a
Instruction ID: 35ec9543807a8e318cfce3b838ce4b62f7f38e08cfc33ef9b668446b666cf38b
Opcode Fuzzy Hash: fcde7ab78dd1806b4ed746c3bcca11a10f122d9a422204256540f4345ce50e5a
Instruction Fuzzy Hash: EA419322A09F8A80EAA5AB25D4507F9F761EB44FA0F844135CACD073A5DFBCE549C330

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF712DAC630 Relevance: 9.0, APIs: 6, Instructions: 20COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00007FF712DAC644
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF712DAC65A
fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF712DAC662
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF712DAC66C
fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF712DAC674
LeaveCriticalSection.KERNEL32 ref: 00007FF712DAC681

Memory Dump Source

Source File: 00000000.00000002.252556355.00007FF712DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF712DA0000, based on PE: true

Associated: 00000000.00000002.252549842.00007FF712DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252705366.00007FF712DB9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252717639.00007FF712DC9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252722439.00007FF712DCB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff712da0000_Hydra.jbxd

Similarity

API ID: CriticalSection__acrt_iob_funcfflush$EnterLeave
String ID:
API String ID: 1572519478-0
Opcode ID: 16ff02ad3a1a9de86d2fa231c28c557681d238daa9cece1e30885f374d5928a8
Instruction ID: fb2e8af9d0b9c9f4e68b8273cdc97f3ef5164670dfd364eeb48334e4cdc1630f
Opcode Fuzzy Hash: 16ff02ad3a1a9de86d2fa231c28c557681d238daa9cece1e30885f374d5928a8
Instruction Fuzzy Hash: ABE0C916E19D4E61E904B761D83A1B892146F82770FD00338E4AE56AF3CD9CA65EC374

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF712DAA5D0 Relevance: 9.0, APIs: 2, Strings: 3, Instructions: 248
COMMON

Download Yara Rule

C-Code - Quality: 21%

			E00007FF77FF712DAA5D0(long long __rcx, long long* __rdx, void* _a8, signed short _a24, signed char _a32) {
				long long _v112;
				long long _v128;
				char _v136;
				void* _v144;
				signed int _v148;
				signed int _v152;
				void* __rbx;
				char _t81;
				signed short _t82;
				intOrPtr _t84;
				void* _t87;
				signed int _t94;
				signed int _t103;
				intOrPtr _t154;
				long long _t159;
				void* _t168;
				intOrPtr* _t172;
				void* _t174;
				intOrPtr _t179;
				intOrPtr _t181;
				unsigned long long _t183;
				long long _t186;
				signed short* _t194;
				intOrPtr* _t196;
				void* _t203;
				long long _t205;
				signed long long _t211;
				intOrPtr* _t212;
				signed long long _t214;
				long long _t215;
				intOrPtr _t218;
				long long _t220;

				_a24 = r8w;
				_a8 = __rcx;
				_v112 = 0xfffffffe;
				r14d = r8w & 0xffffffff;
				_t212 = __rcx;
				_v148 = 0;
				_a32 = 0;
				_v144 = __rcx;
				if ( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(__rcx)) + 4)) + __rcx + 0x48)) == 0) goto 0x12daa636;
				 *0x12db9470();
				_t81 = E00007FF77FF712DAAB80(1, _t168, __rcx, __rdx);
				_v136 = _t81;
				if (_t81 == 0) goto 0x12daa886;
				 *((long long*)(__rdx + 0x10)) = _t205;
				if ( *((long long*)(__rdx + 0x18)) - 8 < 0) goto 0x12daa65d;
				 *((short*)( *((intOrPtr*)(__rdx)))) = 0;
				_t179 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(__rcx)) + 4)) + __rcx + 0x48));
				_t194 =  *((intOrPtr*)( *((intOrPtr*)(_t179 + 0x38))));
				if (_t194 == 0) goto 0x12daa68c;
				if ( *((intOrPtr*)( *((intOrPtr*)(_t179 + 0x50)))) <= 0) goto 0x12daa68c;
				_v152 =  *_t194 & 0x0000ffff;
				goto 0x12daa6a1;
				_t82 =  *0x12db9470();
				_t103 = _t82 & 0x0000ffff;
				_v152 = _t82;
				if (0xffff != _t103) goto 0x12daa6bc;
				goto 0x12daa717;
				if (_t103 != r14w) goto 0x12daa709;
				_a32 = 1;
				_t181 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(__rcx)) + 4)) + __rcx + 0x48));
				if ( *((long long*)( *((intOrPtr*)(_t181 + 0x38)))) == 0) goto 0x12daa6fa;
				_t196 =  *((intOrPtr*)(_t181 + 0x50));
				_t84 =  *_t196;
				if (_t84 <= 0) goto 0x12daa6fa;
				 *_t196 = _t84 - 1;
				 *((long long*)( *((intOrPtr*)(_t181 + 0x38)))) =  *((long long*)( *((intOrPtr*)(_t181 + 0x38)))) + 2;
				goto 0x12daa71b;
				 *0x12db9470();
				goto 0x12daa71b;
				_t214 =  *((intOrPtr*)(__rdx + 0x10));
				if (_t214 - _t196 < 0) goto 0x12daa720;
				_v148 = 2;
				goto 0x12daa87d;
				_t211 =  *((intOrPtr*)(__rdx + 0x18));
				if (_t214 - _t211 >= 0) goto 0x12daa74d;
				 *((long long*)(__rdx + 0x10)) = _t214 + 1;
				if (_t211 - 8 < 0) goto 0x12daa73d;
				_t154 =  *((intOrPtr*)(__rdx));
				 *(_t154 + _t214 * 2) = _t103;
				 *((short*)(_t154 + 2 + _t214 * 2)) = 2;
				goto 0x12daa838;
				if (_t196 - _t214 - 1 < 0) goto 0x12daa8e8;
				if ((_t214 + 0x00000001 | 0x00000007) - _t196 <= 0) goto 0x12daa76f;
				goto 0x12daa790;
				_t183 = _t211 >> 1;
				if (_t211 - _t196 - _t183 <= 0) goto 0x12daa785;
				_t172 = _t196;
				goto 0x12daa790;
				_t159 = _t183 + _t211;
				_t42 = ( <  ? _t159 : _t172) + 1; // 0x7fffffffffffffff
				_t87 = E00007FF77FF712DA53B0(_t42);
				_v128 = _t159;
				 *((long long*)(__rdx + 0x10)) = _t214 + 1;
				 *((long long*)(__rdx + 0x18)) =  <  ? _t159 : _t172;
				_t174 = _t214 + _t214;
				if (_t211 - 8 < 0) goto 0x12daa81a;
				_t218 =  *((intOrPtr*)(__rdx));
				_t215 = _v128;
				E00007FF77FF712DB5690(_t87, _t215, _t218, _t174);
				 *((short*)(_t174 + _t215)) = _v152 & 0x0000ffff;
				 *((short*)(_t174 + _t215 + 2)) = 2;
				if (2 + _t211 * 2 - 0x1000 < 0) goto 0x12daa80d;
				_t186 =  *((intOrPtr*)(_t218 - 8));
				_t56 = _t218 - _t186 - 8; // -8
				if (_t56 - 0x1f > 0) goto 0x12daa8ee;
				_t220 = _t186;
				0x12db3f50();
				 *__rdx = _t215;
				goto 0x12daa838;
				E00007FF77FF712DB5690(_v152 & 0x0000ffff, _t220, __rdx, _t174);
				 *((short*)(_t174 + _t220)) = _v152 & 0x0000ffff;
				 *((short*)(_t174 + _t220 + 2)) = 2;
				 *__rdx = _t220;
				_a32 = 1;
				_v152 = E00007FF77FF712DABC80( *((intOrPtr*)( *((intOrPtr*)( *_t212 + 4)) + _t212 + 0x48)));
				r14d = _a24 & 0x0000ffff;
				if ((_a32 & 0x000000ff) != 0) goto 0x12daa889;
				_t203 =  *((intOrPtr*)( *_a8 + 4)) + _a8;
				_t94 =  *(_t203 + 0x10) | _v148 | 0x00000002;
				_t107 =  !=  ? _t94 : _t94 | 0x00000004;
				_t108 = ( !=  ? _t94 : _t94 | 0x00000004) & 0x00000017;
				 *(_t203 + 0x10) = ( !=  ? _t94 : _t94 | 0x00000004) & 0x00000017;
				if ( *((long long*)(_t203 + 0x48)) != 0) goto 0x12daa8f4;
				if ( *((intOrPtr*)( *((intOrPtr*)( *_v144 + 4)) + _v144 + 0x48)) == 0) goto 0x12daa8d2;
				return  *0x12db9470();
			}

0x7ff712daa5d0
0x7ff712daa5d6
0x7ff712daa5ed
0x7ff712daa5f6
0x7ff712daa5fd
0x7ff712daa602
0x7ff712daa608
0x7ff712daa612
0x7ff712daa626
0x7ff712daa62f
0x7ff712daa63b
0x7ff712daa640
0x7ff712daa646
0x7ff712daa64c
0x7ff712daa658
0x7ff712daa65d
0x7ff712daa668
0x7ff712daa671
0x7ff712daa677
0x7ff712daa680
0x7ff712daa685
0x7ff712daa68a
0x7ff712daa693
0x7ff712daa699
0x7ff712daa69c
0x7ff712daa6b3
0x7ff712daa6ba
0x7ff712daa6c0
0x7ff712daa6c4
0x7ff712daa6d3
0x7ff712daa6e0
0x7ff712daa6e2
0x7ff712daa6e6
0x7ff712daa6ea
0x7ff712daa6ee
0x7ff712daa6f4
0x7ff712daa6f8
0x7ff712daa701
0x7ff712daa707
0x7ff712daa709
0x7ff712daa710
0x7ff712daa717
0x7ff712daa71b
0x7ff712daa720
0x7ff712daa727
0x7ff712daa72d
0x7ff712daa738
0x7ff712daa73a
0x7ff712daa73d
0x7ff712daa742
0x7ff712daa748
0x7ff712daa757
0x7ff712daa768
0x7ff712daa76d
0x7ff712daa772
0x7ff712daa77e
0x7ff712daa780
0x7ff712daa783
0x7ff712daa785
0x7ff712daa790
0x7ff712daa797
0x7ff712daa79f
0x7ff712daa7a8
0x7ff712daa7ac
0x7ff712daa7b0
0x7ff712daa7bb
0x7ff712daa7bd
0x7ff712daa7c3
0x7ff712daa7cb
0x7ff712daa7d5
0x7ff712daa7da
0x7ff712daa7ef
0x7ff712daa7f5
0x7ff712daa7fc
0x7ff712daa804
0x7ff712daa80a
0x7ff712daa810
0x7ff712daa815
0x7ff712daa818
0x7ff712daa820
0x7ff712daa82a
0x7ff712daa82f
0x7ff712daa835
0x7ff712daa83a
0x7ff712daa856
0x7ff712daa85b
0x7ff712daa884
0x7ff712daa891
0x7ff712daa897
0x7ff712daa8a3
0x7ff712daa8a6
0x7ff712daa8a9
0x7ff712daa8b1
0x7ff712daa8c2
0x7ff712daa8e7

Strings

ios_base::badbit set, xrefs: 00007FF712DAA8F8
ios_base::eofbit set, xrefs: 00007FF712DAA90A
ios_base::failbit set, xrefs: 00007FF712DAA903

Memory Dump Source

Source File: 00000000.00000002.252556355.00007FF712DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF712DA0000, based on PE: true

Associated: 00000000.00000002.252549842.00007FF712DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252705366.00007FF712DB9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252717639.00007FF712DC9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252722439.00007FF712DCB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff712da0000_Hydra.jbxd

Similarity

API ID:
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 0-1866435925
Opcode ID: 502f52c560feba10dc59055e01ab47038b6bd180146a329bffccbd113d0089ed
Instruction ID: c4975e948702cb36bfe138d5539de3f88f608753f6fe5773378dd8e2e9665d05
Opcode Fuzzy Hash: 502f52c560feba10dc59055e01ab47038b6bd180146a329bffccbd113d0089ed
Instruction Fuzzy Hash: 60A1C022619E8981DB94AF19D09067EB770FB48FA4F848232DA8E477A0DF7CD459C371

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF712DA2DD0 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 135
COMMON

Download Yara Rule

C-Code - Quality: 16%

			E00007FF77FF712DA2DD0(long long __rbx, long long __rcx, long long __rdx, long long __rsi) {
				void* _v8;
				char _v72;
				void* _v80;
				signed int _t50;
				signed int _t53;
				void* _t62;
				void* _t67;
				intOrPtr _t85;
				intOrPtr* _t86;
				intOrPtr _t94;
				void* _t103;
				intOrPtr* _t104;
				void* _t109;

				_t67 = _t109;
				 *((long long*)(_t67 + 8)) = __rcx;
				 *((long long*)(_t67 - 0x58)) = 0xfffffffe;
				 *((long long*)(_t67 + 0x10)) = __rbx;
				 *((long long*)(_t67 + 0x18)) = __rsi;
				_t104 = __rdx;
				 *((long long*)(__rcx)) = __rdx;
				if ( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(__rdx)) + 4)) + __rdx + 0x48)) == 0) goto 0x12da2e16;
				 *0x12db9470(_t103);
				_t85 =  *((intOrPtr*)( *((intOrPtr*)(__rdx)) + 4));
				if ( *((intOrPtr*)(_t85 + __rdx + 0x10)) != 0) goto 0x12da2ee0;
				_t86 =  *((intOrPtr*)(_t85 + __rdx + 0x50));
				if (_t86 == 0) goto 0x12da2ee0;
				if (_t86 == __rdx) goto 0x12da2ee0;
				if ( *((long long*)( *((intOrPtr*)( *_t86 + 4)) + _t86 + 0x48)) == 0) goto 0x12da2ee0;
				E00007FF77FF712DA2DD0(_t86,  &_v80, _t86, __rcx);
				if (_v72 == 0) goto 0x12da2ea5;
				_t62 =  *0x12db9470() - 0xffffffff;
				if (_t62 != 0) goto 0x12da2ea5;
				_t94 =  *((intOrPtr*)( *_t86 + 4));
				_t50 =  *(_t94 + _t86 + 0x10) & 0x00000013 | 0x00000004;
				 *(_t94 + _t86 + 0x10) = _t50;
				if (_t62 != 0) goto 0x12da2f04;
				0x12db2924();
				if (_t50 != 0) goto 0x12da2eb9;
				E00007FF77FF712DA5140(_v80);
				if ( *((intOrPtr*)( *((intOrPtr*)( *_v80 + 4)) + _v80 + 0x48)) == 0) goto 0x12da2edd;
				_t53 =  *0x12db9470() & 0xffffff00 |  *((intOrPtr*)( *((intOrPtr*)( *_t104 + 4)) + _t104 + 0x10)) == 0x00000000;
				 *(__rcx + 8) = _t53;
				return _t53;
			}

0x7ff712da2dd0
0x7ff712da2dd3
0x7ff712da2ddc
0x7ff712da2de4
0x7ff712da2de8
0x7ff712da2dec
0x7ff712da2df2
0x7ff712da2e04
0x7ff712da2e0d
0x7ff712da2e16
0x7ff712da2e22
0x7ff712da2e28
0x7ff712da2e30
0x7ff712da2e39
0x7ff712da2e4f
0x7ff712da2e5d
0x7ff712da2e68
0x7ff712da2e83
0x7ff712da2e86
0x7ff712da2e8b
0x7ff712da2e96
0x7ff712da2e99
0x7ff712da2ea3
0x7ff712da2ea5
0x7ff712da2eac
0x7ff712da2eb3
0x7ff712da2ecd
0x7ff712da2ee9
0x7ff712da2eec
0x7ff712da2f03

APIs

_CxxThrowException.LIBVCRUNTIME ref: 00007FF712DA2F52
__std_exception_copy.LIBVCRUNTIME ref: 00007FF712DA2F8B

Strings

ios_base::badbit set, xrefs: 00007FF712DA2F09
ios_base::eofbit set, xrefs: 00007FF712DA2F1C
ios_base::failbit set, xrefs: 00007FF712DA2F15

Memory Dump Source

Source File: 00000000.00000002.252556355.00007FF712DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF712DA0000, based on PE: true

Associated: 00000000.00000002.252549842.00007FF712DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252705366.00007FF712DB9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252717639.00007FF712DC9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252722439.00007FF712DCB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff712da0000_Hydra.jbxd

Similarity

API ID: ExceptionThrow__std_exception_copy
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 1552479455-1866435925
Opcode ID: 0f73f8ebfde480ab42f11f4d35ba6dc7477d60cdbfd828aa3f3f1c81f4a32b65
Instruction ID: 5c18afe6e22495c030da53148c47953d06893daa976492cdf199ac2db3d80391
Opcode Fuzzy Hash: 0f73f8ebfde480ab42f11f4d35ba6dc7477d60cdbfd828aa3f3f1c81f4a32b65
Instruction Fuzzy Hash: 8351B272605F4991EB50DF16E5842A8B3A0FB44FA4F988132CE9D437A4DF7CD599C320

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF712DB4E9C Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 28
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00007FF77FF712DB4E9C(intOrPtr* __rcx) {
				intOrPtr* _t12;

				_t12 =  *((intOrPtr*)(__rcx));
				if ( *_t12 == 0xe0434352) goto 0x12db4ebd;
				if ( *_t12 == 0xe0434f4d) goto 0x12db4ebd;
				if ( *_t12 == 0xe06d7363) goto 0x12db4ed7;
				goto 0x12db4ed0;
				E00007FF77FF712DB5F00(_t12);
				if ( *((intOrPtr*)(_t12 + 0x30)) <= 0) goto 0x12db4ed0;
				E00007FF77FF712DB5F00(_t12);
				 *((intOrPtr*)(_t12 + 0x30)) =  *((intOrPtr*)(_t12 + 0x30)) - 1;
				return 0;
			}

0x7ff712db4ea0
0x7ff712db4ea9
0x7ff712db4eb1
0x7ff712db4eb9
0x7ff712db4ebb
0x7ff712db4ebd
0x7ff712db4ec6
0x7ff712db4ec8
0x7ff712db4ecd
0x7ff712db4ed6

APIs

terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF712DB4EE0
terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF712DB4EEC

Strings

MOC, xrefs: 00007FF712DB4EAB
csm, xrefs: 00007FF712DB4EB3
RCC, xrefs: 00007FF712DB4EA3

Memory Dump Source

Source File: 00000000.00000002.252556355.00007FF712DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF712DA0000, based on PE: true

Associated: 00000000.00000002.252549842.00007FF712DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252705366.00007FF712DB9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252717639.00007FF712DC9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252722439.00007FF712DCB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff712da0000_Hydra.jbxd

Similarity

API ID: terminate
String ID: MOC$RCC$csm
API String ID: 1821763600-2671469338
Opcode ID: dcb3ce20138cc7c4efc824d1290c16dfda77bc8376a6de07470000a711f4ca6f
Instruction ID: 98ff1c81a110aceaf60f0a2490c9c54cab8d7d8e801bfdc079129885739bc6d5
Opcode Fuzzy Hash: dcb3ce20138cc7c4efc824d1290c16dfda77bc8376a6de07470000a711f4ca6f
Instruction Fuzzy Hash: 45F0B43ED1880E96E3687B62C07D17DB250EF49729FC91930C288067C28FBC7648CA32

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF712DAAB80 Relevance: 7.7, APIs: 2, Strings: 3, Instructions: 177COMMON

Download Yara Rule

APIs

_CxxThrowException.LIBVCRUNTIME ref: 00007FF712DAAD9A
_CxxThrowException.LIBVCRUNTIME ref: 00007FF712DAADEB

Strings

ios_base::badbit set, xrefs: 00007FF712DAAD54, 00007FF712DAADA5
ios_base::eofbit set, xrefs: 00007FF712DAAD67, 00007FF712DAADB8
ios_base::failbit set, xrefs: 00007FF712DAAD60, 00007FF712DAADB1

Memory Dump Source

Source File: 00000000.00000002.252556355.00007FF712DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF712DA0000, based on PE: true

Associated: 00000000.00000002.252549842.00007FF712DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252705366.00007FF712DB9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252717639.00007FF712DC9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252722439.00007FF712DCB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff712da0000_Hydra.jbxd

Similarity

API ID: ExceptionThrow
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 432778473-1866435925
Opcode ID: af7c7dab254287601a15ba7d57ca47ef34674fecda53a775f071678dc325cd0d
Instruction ID: 7b83d149008f42339c682b5fdd588ed48c94d49aee431fd991bf93041533b74b
Opcode Fuzzy Hash: af7c7dab254287601a15ba7d57ca47ef34674fecda53a775f071678dc325cd0d
Instruction Fuzzy Hash: 8E71C622608E4992EF90DB15D4907B9A371EB84FA4F948132CA8E473A4DF7DD94AC331

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF712DA3290 Relevance: 7.5, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,00007FF712DA1CDE), ref: 00007FF712DA32B6
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,00007FF712DA1CDE), ref: 00007FF712DA32CB
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,00007FF712DA1CDE), ref: 00007FF712DA32DE
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,00007FF712DA1CDE), ref: 00007FF712DA32F1
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,00007FF712DA1CDE), ref: 00007FF712DA3304
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,00007FF712DA1CDE), ref: 00007FF712DA3317

Memory Dump Source

Source File: 00000000.00000002.252556355.00007FF712DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF712DA0000, based on PE: true

Associated: 00000000.00000002.252549842.00007FF712DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252705366.00007FF712DB9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252717639.00007FF712DC9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252722439.00007FF712DCB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff712da0000_Hydra.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 9516d1864ef05c1374f9e5628253e55282f20046e557040644703134b4a60f38
Instruction ID: 8f58f832a5efee2fb1967026ec63a587f536d8bcc03e91440f51afad5848bf6e
Opcode Fuzzy Hash: 9516d1864ef05c1374f9e5628253e55282f20046e557040644703134b4a60f38
Instruction Fuzzy Hash: 7411942260AE4584EF98BF70D0A1439F3E4EF82F64B640235C6DD03AE9CEA8D954C274

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF712DA9DF0 Relevance: 7.5, APIs: 1, Strings: 4, Instructions: 31COMMON

Download Yara Rule

APIs

_CxxThrowException.LIBVCRUNTIME ref: 00007FF712DA9E40

Strings

I/O failure reading contents of the bundle., xrefs: 00007FF712DA9E20
Failure processing application bundle; possible file corruption., xrefs: 00007FF712DA9E14
Retrying Rename [%s] to [%s] due to EACCES error, xrefs: 00007FF712DAA34A
Failed to remove temporary file [%s]., xrefs: 00007FF712DAA13C

Memory Dump Source

Source File: 00000000.00000002.252556355.00007FF712DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF712DA0000, based on PE: true

Associated: 00000000.00000002.252549842.00007FF712DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252705366.00007FF712DB9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252717639.00007FF712DC9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252722439.00007FF712DCB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff712da0000_Hydra.jbxd

Similarity

API ID: ExceptionThrow
String ID: Failed to remove temporary file [%s].$Failure processing application bundle; possible file corruption.$I/O failure reading contents of the bundle.$Retrying Rename [%s] to [%s] due to EACCES error
API String ID: 432778473-48631612
Opcode ID: 211841bcfa512ab09608545478f4f62557c88f1c55fba6d0e8b632667d7dbf63
Instruction ID: 2a4fd121c49ed449dcf71832aed9c399596854958714a92fcfac9d7fa1ace483
Opcode Fuzzy Hash: 211841bcfa512ab09608545478f4f62557c88f1c55fba6d0e8b632667d7dbf63
Instruction Fuzzy Hash: 53E06D91E28D4E61EA84FB50E8911F49610AFA9BA4FD41030E58D027F6AEDCE68CC335

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF712DA84A0 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 172
COMMON

Download Yara Rule

C-Code - Quality: 32%

			E00007FF77FF712DA84A0(signed int __ebx, long long __rbx, signed short** __rcx, signed int __rdx, long long __rsi, long long __rbp) {
				void* _v24;
				signed int _v32;
				void* _v40;
				long long _v48;
				char _v64;
				signed int _t49;
				signed int _t54;
				void* _t60;
				void* _t65;
				void* _t66;
				void* _t86;
				signed long long _t87;
				void* _t107;
				signed short* _t113;
				char _t117;
				intOrPtr _t118;
				void* _t119;
				signed int _t126;
				signed long long _t128;
				signed long long _t131;
				signed long long _t133;
				intOrPtr* _t136;
				void* _t141;
				void* _t144;
				signed short* _t153;
				long long _t155;

				_t138 = __rsi;
				_t126 = __rdx;
				_t86 = _t144;
				 *((long long*)(_t86 - 0x48)) = 0xfffffffe;
				 *((long long*)(_t86 + 0x10)) = __rbx;
				 *((long long*)(_t86 + 0x18)) = __rbp;
				 *((long long*)(_t86 + 0x20)) = __rsi;
				_t87 =  *0x12dc9568; // 0x438b11ead5c6
				_v32 = _t87 ^ _t144 - 0x00000050;
				_t136 = __rcx;
				if (__rcx[2] != 0) goto 0x12da84e0;
				goto 0x12da86cd;
				_t60 = __rcx[3] - 8;
				if (_t60 < 0) goto 0x12da84f0;
				if (_t60 < 0) goto 0x12da84fb;
				_t54 =  *( *__rcx) & 0x0000ffff;
				r14b = _t54 == 0x2b;
				if (( *( *__rcx) & 0x0000ffff) == 0x2d) goto 0x12da8519;
				if (_t54 == 0x2b) goto 0x12da8519;
				goto 0x12da86cd;
				_t8 = _t126 - 2; // -1
				_t141 = _t8;
				r15d = 0;
				asm("o16 nop [eax+eax]");
				_t153 = __rcx[3];
				if (_t153 - 8 < 0) goto 0x12da8540;
				_t113 = __rcx[2];
				_t65 = __rdx - _t113;
				if (_t65 >= 0) goto 0x12da8569;
				if (_t65 == 0) goto 0x12da8569;
				_t66 = ( *__rcx)[__rdx] - 0x2e;
				if (_t66 == 0) goto 0x12da8626;
				if (_t66 != 0) goto 0x12da8555;
				_t107 = _t141;
				_v64 = r15w;
				if (_t107 == 0xffffffff) goto 0x12da863a;
				_v48 = _t155;
				_v40 = 7;
				if (_t113 - __rdx < 0) goto 0x12da8700;
				_t151 =  <  ? _t113 - __rdx : _t107 - __rdx;
				if (_t153 - 8 < 0) goto 0x12da85af;
				_t97 =  *__rcx;
				E00007FF77FF712DA56F0(_t107,  &_v64,  &(( *__rcx)[__rdx]), __rsi, _t141,  <  ? _t113 - __rdx : _t107 - __rdx);
				E00007FF77FF712DA8390(r14b & 0xffffffff, _t97,  &_v64);
				sil = 0 == 0;
				_t128 = _v40;
				if (_t128 - 8 < 0) goto 0x12da8614;
				_t117 = _v64;
				if (2 + _t128 * 2 - 0x1000 < 0) goto 0x12da860f;
				_t118 =  *((intOrPtr*)(_t117 - 8));
				if (_t117 - _t118 + 0xfffffff8 - 0x1f > 0) goto 0x12da86fa;
				0x12db3f50();
				if (sil != 0) goto 0x12da8512;
				_t25 = _t107 + 1; // 0x0
				_t131 = _t25;
				goto 0x12da8530;
				if (_t107 == 0) goto 0x12da8569;
				goto 0x12da856c;
				asm("movdqa xmm0, [0x11bae]");
				asm("movdqu [esp+0x38], xmm0");
				if (_t118 - _t131 < 0) goto 0x12da8706;
				_t119 = _t118 - _t131;
				_t142 =  <  ? _t119 : _t141;
				if (_t153 - 8 < 0) goto 0x12da8665;
				_t152 =  <  ? _t119 : _t141;
				E00007FF77FF712DA56F0(_t107 - _t151 >> 1,  &_v64,  *_t136 + _t131 * 2, _t138,  <  ? _t119 : _t141,  <  ? _t119 : _t141);
				_t49 = E00007FF77FF712DA8390(r14b & 0xffffffff, _t117 - _t118 + 0xfffffff8,  &_v64);
				_t133 = _v40;
				if (_t133 - 8 < 0) goto 0x12da86c8;
				if (2 + _t133 * 2 - 0x1000 < 0) goto 0x12da86c3;
				if (_v64 -  *((intOrPtr*)(_v64 - 8)) + 0xfffffff8 - 0x1f > 0) goto 0x12da86f4;
				0x12db3f50();
				return E00007FF77FF712DB4070(_t49 & 0xffffff00 | (__ebx & 0xffffff00 | 0 == 0x00000000) == 0x00000000, _t54, r14b & 0xffffffff, _v32 ^ _t144 - 0x00000050);
			}

0x7ff712da84a0
0x7ff712da84a0
0x7ff712da84a0
0x7ff712da84ac
0x7ff712da84b4
0x7ff712da84b8
0x7ff712da84bc
0x7ff712da84c0
0x7ff712da84ca
0x7ff712da84cf
0x7ff712da84d7
0x7ff712da84db
0x7ff712da84e7
0x7ff712da84eb
0x7ff712da84f6
0x7ff712da84fb
0x7ff712da8502
0x7ff712da850a
0x7ff712da8510
0x7ff712da8514
0x7ff712da851e
0x7ff712da851e
0x7ff712da8522
0x7ff712da8525
0x7ff712da8533
0x7ff712da853b
0x7ff712da8540
0x7ff712da8544
0x7ff712da8547
0x7ff712da8553
0x7ff712da8555
0x7ff712da8559
0x7ff712da8567
0x7ff712da8569
0x7ff712da856c
0x7ff712da8576
0x7ff712da857c
0x7ff712da8581
0x7ff712da858d
0x7ff712da859f
0x7ff712da85aa
0x7ff712da85ac
0x7ff712da85b8
0x7ff712da85c7
0x7ff712da85ce
0x7ff712da85d2
0x7ff712da85db
0x7ff712da85e5
0x7ff712da85f4
0x7ff712da85fa
0x7ff712da8609
0x7ff712da860f
0x7ff712da8617
0x7ff712da861d
0x7ff712da861d
0x7ff712da8621
0x7ff712da8629
0x7ff712da8635
0x7ff712da863a
0x7ff712da8642
0x7ff712da864b
0x7ff712da8651
0x7ff712da8658
0x7ff712da8660
0x7ff712da8669
0x7ff712da8671
0x7ff712da8680
0x7ff712da868a
0x7ff712da8693
0x7ff712da86ac
0x7ff712da86c1
0x7ff712da86c3
0x7ff712da86f3

APIs

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF712DA86F4
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF712DA86FA

Strings

., xrefs: 00007FF712DA8555
Unknown exception, xrefs: 00007FF712DA8714

Memory Dump Source

Source File: 00000000.00000002.252556355.00007FF712DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF712DA0000, based on PE: true

Associated: 00000000.00000002.252549842.00007FF712DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252705366.00007FF712DB9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252717639.00007FF712DC9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252722439.00007FF712DCB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff712da0000_Hydra.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID: .$Unknown exception
API String ID: 3668304517-4018657147
Opcode ID: 46d298be9ce588d71aa74e774159ca3b3f96cb1b698fad3c835ff8e44653291e
Instruction ID: a80dfc1b68c6b44b2fb0b9c62068e4adbbe7d5a0749af4fbf7b2bc5a93fd6c2c
Opcode Fuzzy Hash: 46d298be9ce588d71aa74e774159ca3b3f96cb1b698fad3c835ff8e44653291e
Instruction Fuzzy Hash: 2561F472A18E8A40EE54AB18D1156A9A362EB45FF0FD44231DEAD437E4DFBCD588C230

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF712DADE70 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 134
COMMON

Download Yara Rule

C-Code - Quality: 17%

			E00007FF77FF712DADE70(long long __rbx, long long __rcx, void* __rdx, long long __rsi, void* __r8) {
				void* _v8;
				signed int _v24;
				void* _v32;
				signed long long _v40;
				char _v56;
				signed long long _v64;
				intOrPtr _v72;
				char _v88;
				long long _v96;
				void* _t49;
				void* _t51;
				void* _t53;
				void* _t54;
				signed long long _t73;
				long long _t90;
				char _t96;
				intOrPtr _t97;
				signed long long _t101;
				signed long long _t112;
				void* _t116;
				signed long long _t118;
				signed long long _t122;
				void* _t125;
				void* _t128;
				void* _t129;
				void* _t135;

				_t126 = __rsi;
				_t135 = _t129;
				 *((long long*)(_t135 - 0x68)) = 0xfffffffe;
				 *((long long*)(_t135 + 0x18)) = __rbx;
				 *((long long*)(_t135 + 0x20)) = __rsi;
				_t73 =  *0x12dc9568; // 0x438b11ead5c6
				_v24 = _t73 ^ _t129 - 0x00000080;
				_t125 = __rdx;
				_t90 = __rcx;
				_v96 = __rcx;
				 *((long long*)(_t135 - 0x48)) = __rsi;
				 *((long long*)(_t135 - 0x40)) = 7;
				_v88 = 0;
				_t9 = _t126 + 4; // 0x4
				r8d = _t9;
				E00007FF77FF712DA56F0(__rcx, _t135 - 0x58, L".exe", __rsi, _t128, __r8);
				if (_v72 != 0) goto 0x12dadf2d;
				_t49 = E00007FF77FF712DA2070(_t73 ^ _t129 - 0x00000080, _t90, _t90, __rdx, _t126, _t128);
				_t112 = _v64;
				if (_t112 - 8 < 0) goto 0x12dae03f;
				_t96 = _v88;
				if (2 + _t112 * 2 - 0x1000 < 0) goto 0x12dae03a;
				_t97 =  *((intOrPtr*)(_t96 - 8));
				if (_t96 - _t97 + 0xfffffff8 - 0x1f > 0) goto 0x12dae06a;
				goto 0x12dae03a;
				if ( *((intOrPtr*)(_t125 + 0x10)) - _t97 < 0) goto 0x12dadff5;
				_t116 =  >=  ? _v88 :  &_v88;
				if ( *((long long*)(_t125 + 0x18)) - 8 < 0) goto 0x12dadf58;
				0x12dade40();
				if (_t49 != 0) goto 0x12dadff5;
				E00007FF77FF712DA2070( *((intOrPtr*)(_t125 + 0x10)) - _t97, _t90,  &_v56, _t125, _t126, _t128);
				_t101 = _v40 - _v72;
				if (_v40 - _t101 < 0) goto 0x12dae076;
				_v40 = _t101;
				_t81 =  >=  ? _v56 :  &_v56;
				 *((short*)(( >=  ? _v56 :  &_v56) + _t101 * 2)) = 0;
				asm("movups xmm0, [esp+0x50]");
				asm("movups [ebx], xmm0");
				asm("movups xmm1, [esp+0x60]");
				asm("movups [ebx+0x10], xmm1");
				_t118 = _v64;
				if (_t118 - 8 < 0) goto 0x12dae03f;
				if (2 + _t118 * 2 - 0x1000 < 0) goto 0x12dae03a;
				if (_v88 -  *((intOrPtr*)(_v88 - 8)) + 0xfffffff8 - 0x1f > 0) goto 0x12dae070;
				goto 0x12dae03a;
				_t51 = E00007FF77FF712DA2070(_v88 -  *((intOrPtr*)(_v88 - 8)) + 0xfffffff8, _t90, _t90, _t125, _t126, _t128);
				_t122 = _v64;
				if (_t122 - 8 < 0) goto 0x12dae03f;
				if (2 + _t122 * 2 - 0x1000 < 0) goto 0x12dae03a;
				if (_v88 -  *((intOrPtr*)(_v88 - 8)) + 0xfffffff8 - 0x1f > 0) goto 0x12dae064;
				0x12db3f50();
				return E00007FF77FF712DB4070(_t51, _t53, _t54, _v24 ^ _t129 - 0x00000080);
			}

0x7ff712dade70
0x7ff712dade70
0x7ff712dade7b
0x7ff712dade83
0x7ff712dade87
0x7ff712dade8b
0x7ff712dade95
0x7ff712dade9a
0x7ff712dade9d
0x7ff712dadea0
0x7ff712dadea7
0x7ff712dadeab
0x7ff712dadeb3
0x7ff712dadeb8
0x7ff712dadeb8
0x7ff712dadec7
0x7ff712daded5
0x7ff712dadedd
0x7ff712dadee3
0x7ff712dadeec
0x7ff712dadefa
0x7ff712dadf09
0x7ff712dadf13
0x7ff712dadf22
0x7ff712dadf28
0x7ff712dadf34
0x7ff712dadf45
0x7ff712dadf53
0x7ff712dadf5f
0x7ff712dadf66
0x7ff712dadf74
0x7ff712dadf7f
0x7ff712dadf89
0x7ff712dadf8f
0x7ff712dadf9f
0x7ff712dadfa5
0x7ff712dadfa9
0x7ff712dadfae
0x7ff712dadfb1
0x7ff712dadfb6
0x7ff712dadfba
0x7ff712dadfc3
0x7ff712dadfdc
0x7ff712dadff1
0x7ff712dadff3
0x7ff712dadffb
0x7ff712dae001
0x7ff712dae00a
0x7ff712dae023
0x7ff712dae038
0x7ff712dae03a
0x7ff712dae063

APIs

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF712DAE064
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF712DAE06A
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF712DAE070

Strings

.exe, xrefs: 00007FF712DADEBC

Memory Dump Source

Source File: 00000000.00000002.252556355.00007FF712DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF712DA0000, based on PE: true

Associated: 00000000.00000002.252549842.00007FF712DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252705366.00007FF712DB9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252717639.00007FF712DC9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252722439.00007FF712DCB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff712da0000_Hydra.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID: .exe
API String ID: 3668304517-4119554291
Opcode ID: 11070d2371fc0d96e4bee3b8699e36799c00881639322a49628df4c678ddbfdb
Instruction ID: 7eca074d6c69b0047b94edad9b5a49f65b5d2bfa48d915d1800dc48b7220d190
Opcode Fuzzy Hash: 11070d2371fc0d96e4bee3b8699e36799c00881639322a49628df4c678ddbfdb
Instruction Fuzzy Hash: CC51D962A18F8981DE50AB15E15976DA321FB85BF0F904231EAEC03BD9DFBCD448C724

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF712DAC780 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 87COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF712DAFAB0: GetEnvironmentVariableW.KERNEL32(?,?,00000000,00007FF712DAC2E4), ref: 00007FF712DAFAE4
Part of subcall function 00007FF712DAFAB0: GetLastError.KERNEL32(?,?,00000000,00007FF712DAC2E4), ref: 00007FF712DAFAF1
Part of subcall function 00007FF712DAFAB0: GetLastError.KERNEL32(?,?,00000000,00007FF712DAC2E4), ref: 00007FF712DAFAFE

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF712DAC8A5
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF712DAC8AB

Part of subcall function 00007FF712DAC260: EnterCriticalSection.KERNEL32 ref: 00007FF712DAC2BC
Part of subcall function 00007FF712DAC260: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF712DAC2C7
Part of subcall function 00007FF712DAC260: LeaveCriticalSection.KERNEL32 ref: 00007FF712DAC3BD

Part of subcall function 00007FF712DAC6B0: EnterCriticalSection.KERNEL32 ref: 00007FF712DAC6E3
Part of subcall function 00007FF712DAC6B0: __stdio_common_vfwprintf.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF712DAC70C
Part of subcall function 00007FF712DAC6B0: fputwc.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF712DAC719
Part of subcall function 00007FF712DAC6B0: LeaveCriticalSection.KERNEL32 ref: 00007FF712DAC726

Strings

Tracing enabled @ %s, xrefs: 00007FF712DAC809
COREHOST_TRACE, xrefs: 00007FF712DAC7B6

Memory Dump Source

Source File: 00000000.00000002.252556355.00007FF712DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF712DA0000, based on PE: true

Associated: 00000000.00000002.252549842.00007FF712DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252705366.00007FF712DB9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252717639.00007FF712DC9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252722439.00007FF712DCB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff712da0000_Hydra.jbxd

Similarity

API ID: CriticalSection$EnterErrorLastLeave_invalid_parameter_noinfo_noreturn$EnvironmentVariable__acrt_iob_func__stdio_common_vfwprintffputwc
String ID: COREHOST_TRACE$Tracing enabled @ %s
API String ID: 1981972018-2113631315
Opcode ID: 138c4a074391e0c30ac60d752d9b179ac968093ce81519951dd9248cbe441a73
Instruction ID: f022a155f8b527df8e51b7d7d013b93abb033a8477ec34c1fd2238256dc6e3e1
Opcode Fuzzy Hash: 138c4a074391e0c30ac60d752d9b179ac968093ce81519951dd9248cbe441a73
Instruction Fuzzy Hash: 3E318761A08E4A90EE50A728D45526D9361EF85BF4FD01335E6ED027E9DEACD188C730

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF712DB3524 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 63
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00007FF77FF712DB3524(void* __eax, void* __ecx) {

				r9d = 0;
				if ( *0x12dbd790 == __ecx) goto 0x12db354f;
				if (0x7ff712dbd7a0 != "address family not supported") goto 0x12db3533;
				return __eax;
			}

0x7ff712db3524
0x7ff712db3535
0x7ff712db3545
0x7ff712db354e

APIs

SetLastError.KERNEL32(?,?,\\.\,?,?,00007FF712DA7351), ref: 00007FF712DB3D0F

Strings

\\.\, xrefs: 00007FF712DB3C67
H?w<, xrefs: 00007FF712DB3C6D

Memory Dump Source

Source File: 00000000.00000002.252556355.00007FF712DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF712DA0000, based on PE: true

Associated: 00000000.00000002.252549842.00007FF712DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252705366.00007FF712DB9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252717639.00007FF712DC9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252722439.00007FF712DCB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff712da0000_Hydra.jbxd

Similarity

API ID: ErrorLast
String ID: \\.\$H?w<
API String ID: 1452528299-2207242472
Opcode ID: 1929648e7c59ea321e2ab7de9dbba5f3cca538bae1583e4b5fb7eec2d05dd5b0
Instruction ID: 8fc2b8a5d4bc44507f95c8538d14c4d5dbe453ae62b7d2b510732717ede93adc
Opcode Fuzzy Hash: 1929648e7c59ea321e2ab7de9dbba5f3cca538bae1583e4b5fb7eec2d05dd5b0
Instruction Fuzzy Hash: 8121CF31A08F5991EB50AF62D820169A3A0BF49FF1F844434CD8D47750CEBCE589E3B0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF712DAA2D0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 57sleepCOMMON

Download Yara Rule

APIs

_wrename.API-MS-WIN-CRT-FILESYSTEM-L1-1-0 ref: 00007FF712DAA30F
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF712DAA318
Sleep.KERNEL32 ref: 00007FF712DAA35B

Strings

Retrying Rename [%s] to [%s] due to EACCES error, xrefs: 00007FF712DAA34A

Memory Dump Source

Source File: 00000000.00000002.252556355.00007FF712DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF712DA0000, based on PE: true

Associated: 00000000.00000002.252549842.00007FF712DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252705366.00007FF712DB9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252717639.00007FF712DC9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252722439.00007FF712DCB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff712da0000_Hydra.jbxd

Similarity

API ID: Sleep_errno_wrename
String ID: Retrying Rename [%s] to [%s] due to EACCES error
API String ID: 2469886698-376458415
Opcode ID: a46702fe1e80e5689aa479f81a4e373da6e9dcb04db2a91459d9469d4286b133
Instruction ID: f78eb49a4a4487a133d86188f5983e94c94992b8c14d959fe1be17618fd4f269
Opcode Fuzzy Hash: a46702fe1e80e5689aa479f81a4e373da6e9dcb04db2a91459d9469d4286b133
Instruction Fuzzy Hash: E311AE22A08E4681EA90EF52E54447EA761FB42FE0F844131DBC957745CFBDE4A8C7B1

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF712DAED00 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 56
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E00007FF77FF712DAED00(void* __rcx, void* __rsi, void* __rbp, void* __r13) {
				signed int _v24;
				char _v552;
				void* __rbx;
				void* _t25;
				void* _t26;
				signed long long _t35;
				void* _t38;
				void* _t52;
				signed long long _t55;
				void* _t58;

				_t53 = __rsi;
				_t35 =  *0x12dc9568; // 0x438b11ead5c6
				_v24 = _t35 ^ _t55;
				_t38 = __rcx;
				if (GetTempPathW(??, ??) == 0) goto 0x12daedbb;
				if ( *((short*)( &_v552 + 0xfffffffffffffffe)) != 0) goto 0x12daed42;
				E00007FF77FF712DA56F0(__rcx, __rcx,  &_v552, __rsi, __rbp, 0);
				if (E00007FF77FF712DB0560(0x105, 0, _t25, _t26, _t38, _t38, _t52, _t53, _t58, __r13) == 0) goto 0x12daedbb;
				E00007FF77FF712DACD10(_t38, _t38, L".net", __r13);
				if (E00007FF77FF712DB0560(0x105, 0, _t25, _t26, _t38, _t38, _t52, _t53, _t58, __r13) == 0) goto 0x12daed89;
				goto 0x12daedbd;
				if ( *((long long*)(_t38 + 0x18)) - 8 < 0) goto 0x12daed96;
				if (CreateDirectoryW(??, ??) != 0) goto 0x12daedaf;
				if (GetLastError() != 0xb7) goto 0x12daedbb;
				E00007FF77FF712DB0560(0x105, 0, _t25, _t26, _t38, _t38, _t52, _t53, _t58, __r13);
				goto 0x12daedbd;
				return E00007FF77FF712DB4070(0, 0x105, 0, _v24 ^ _t55);
			}

0x7ff712daed00
0x7ff712daed09
0x7ff712daed13
0x7ff712daed1b
0x7ff712daed30
0x7ff712daed4b
0x7ff712daed55
0x7ff712daed66
0x7ff712daed72
0x7ff712daed83
0x7ff712daed87
0x7ff712daed91
0x7ff712daeda0
0x7ff712daedad
0x7ff712daedb4
0x7ff712daedb9
0x7ff712daedd5

APIs

GetTempPathW.KERNEL32 ref: 00007FF712DAED28
CreateDirectoryW.KERNEL32 ref: 00007FF712DAED98
GetLastError.KERNEL32 ref: 00007FF712DAEDA2

Strings

.net, xrefs: 00007FF712DAED68

Memory Dump Source

Source File: 00000000.00000002.252556355.00007FF712DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF712DA0000, based on PE: true

Associated: 00000000.00000002.252549842.00007FF712DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252705366.00007FF712DB9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252717639.00007FF712DC9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252722439.00007FF712DCB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff712da0000_Hydra.jbxd

Similarity

API ID: CreateDirectoryErrorLastPathTemp
String ID: .net
API String ID: 3750913106-1812122620
Opcode ID: 4954cb36602926a8c0441b1c51de7a166ca29b73b31265cf9a34fee3020a0701
Instruction ID: 8f5248cd670ef2b76ceccdc8decadef98a9edaeb1a91353f44d83e1cd6bf0b1f
Opcode Fuzzy Hash: 4954cb36602926a8c0441b1c51de7a166ca29b73b31265cf9a34fee3020a0701
Instruction Fuzzy Hash: CB115110A08E4A90FE94BB22E4613F99391AF96B70FC45231C9DE473D5EEACE14DC630

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF712DA9E50 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 56COMMON

Download Yara Rule

APIs

fread.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF712DA9E8E
_CxxThrowException.LIBVCRUNTIME ref: 00007FF712DA9EEE

Strings

I/O failure reading contents of the bundle., xrefs: 00007FF712DA9ECE
Failure processing application bundle; possible file corruption., xrefs: 00007FF712DA9EC2

Memory Dump Source

Source File: 00000000.00000002.252556355.00007FF712DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF712DA0000, based on PE: true

Associated: 00000000.00000002.252549842.00007FF712DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252705366.00007FF712DB9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252717639.00007FF712DC9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252722439.00007FF712DCB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff712da0000_Hydra.jbxd

Similarity

API ID: ExceptionThrowfread
String ID: Failure processing application bundle; possible file corruption.$I/O failure reading contents of the bundle.
API String ID: 1304442913-4132748757
Opcode ID: 4643ed7905d7859517f8ee590eb084cabd7f590a24dad8206e87453028b82b72
Instruction ID: f95397f1705ffb3f5796a721df4efe98b9ec853edc0d38e1f92516fc4807d127
Opcode Fuzzy Hash: 4643ed7905d7859517f8ee590eb084cabd7f590a24dad8206e87453028b82b72
Instruction Fuzzy Hash: 9501A521A08E8A51EA40BB11E8101A5D710AF95FB4F984234EADC077E6DEACE549C330

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF712DA1430 Relevance: 6.2, APIs: 1, Strings: 3, Instructions: 191COMMON

Download Yara Rule

APIs

_CxxThrowException.LIBVCRUNTIME ref: 00007FF712DA16BC

Strings

ios_base::badbit set, xrefs: 00007FF712DA1674
ios_base::eofbit set, xrefs: 00007FF712DA1686
ios_base::failbit set, xrefs: 00007FF712DA167F

Memory Dump Source

Source File: 00000000.00000002.252556355.00007FF712DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF712DA0000, based on PE: true

Associated: 00000000.00000002.252549842.00007FF712DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252705366.00007FF712DB9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252717639.00007FF712DC9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252722439.00007FF712DCB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff712da0000_Hydra.jbxd

Similarity

API ID: ExceptionThrow
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 432778473-1866435925
Opcode ID: 45718f10107a6ac0c1ce4a1487f46040e216be5469140b8b9c6b90576d61479a
Instruction ID: 91c59d47f51328f40493dd483440ce55c8f5e587290d21ead4c23d96858ff062
Opcode Fuzzy Hash: 45718f10107a6ac0c1ce4a1487f46040e216be5469140b8b9c6b90576d61479a
Instruction Fuzzy Hash: 65715062608E4981EBA09F19D490779F7A0FB44FE4F948132DA8E877A4DFBDD449C720

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF712DA1180 Relevance: 6.2, APIs: 1, Strings: 3, Instructions: 188COMMON

Download Yara Rule

APIs

_CxxThrowException.LIBVCRUNTIME ref: 00007FF712DA1405

Strings

ios_base::badbit set, xrefs: 00007FF712DA13BD
ios_base::eofbit set, xrefs: 00007FF712DA13CF
ios_base::failbit set, xrefs: 00007FF712DA13C8

Memory Dump Source

Source File: 00000000.00000002.252556355.00007FF712DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF712DA0000, based on PE: true

Associated: 00000000.00000002.252549842.00007FF712DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252705366.00007FF712DB9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252717639.00007FF712DC9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252722439.00007FF712DCB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff712da0000_Hydra.jbxd

Similarity

API ID: ExceptionThrow
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 432778473-1866435925
Opcode ID: def7bb1bb159163f18ac93b36a6e28c35617b3ffb4ab8012f45933d3ecaf2650
Instruction ID: 1fbbd4c0232c5e7dd84ed54a390bc47d86374531b131394d338a4fb84d4e5bba
Opcode Fuzzy Hash: def7bb1bb159163f18ac93b36a6e28c35617b3ffb4ab8012f45933d3ecaf2650
Instruction Fuzzy Hash: 4D815E62608E4981EBA09F19D48076DB7A0FB45FE4F948131CA9E837A0DF7DD589C720

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF712DA3510 Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF712DA1D30: std::_Lockit::_Lockit.LIBCPMT ref: 00007FF712DA1D61
Part of subcall function 00007FF712DA1D30: std::_Lockit::_Lockit.LIBCPMT ref: 00007FF712DA1D84
Part of subcall function 00007FF712DA1D30: std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF712DA1DB1
Part of subcall function 00007FF712DA1D30: std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF712DA1EA7

_CxxThrowException.LIBVCRUNTIME ref: 00007FF712DA36ED

Strings

ios_base::badbit set, xrefs: 00007FF712DA369F
ios_base::eofbit set, xrefs: 00007FF712DA36B1
ios_base::failbit set, xrefs: 00007FF712DA36AA

Memory Dump Source

Source File: 00000000.00000002.252556355.00007FF712DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF712DA0000, based on PE: true

Associated: 00000000.00000002.252549842.00007FF712DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252705366.00007FF712DB9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252717639.00007FF712DC9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252722439.00007FF712DCB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff712da0000_Hydra.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_$ExceptionThrow
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 4074540200-1866435925
Opcode ID: 508380eacbef244fd48d063fe62d1ce3dd5ca8cb4f9044cbaf55f5da11f9b911
Instruction ID: 565461621572b134ce6045867cc8707003390eea43fec446082cb944b315d5f4
Opcode Fuzzy Hash: 508380eacbef244fd48d063fe62d1ce3dd5ca8cb4f9044cbaf55f5da11f9b911
Instruction Fuzzy Hash: 1A51B332609F8992EB50DF19D4903A9B7A0FB85FA4F844136DA8D43BA4DFBCD549C720

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF712DB8AA0 Relevance: 6.1, APIs: 4, Instructions: 122COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF712DB8B04
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF712DB8B74
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF712DB8BE4
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF712DB8C54

Memory Dump Source

Source File: 00000000.00000002.252556355.00007FF712DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF712DA0000, based on PE: true

Associated: 00000000.00000002.252549842.00007FF712DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252705366.00007FF712DB9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252717639.00007FF712DC9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252722439.00007FF712DCB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff712da0000_Hydra.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3668304517-0
Opcode ID: 650fb5b0c03c2d7f79003e097218321c6bfb797dd845e131c6c3fe97f667e572
Instruction ID: dd2b9ac20875b24ccd29ecd480641433afe04b0cd05f38b2ee19998a41434d22
Opcode Fuzzy Hash: 650fb5b0c03c2d7f79003e097218321c6bfb797dd845e131c6c3fe97f667e572
Instruction Fuzzy Hash: 5541B5A0F19E8BA4EA04B728D8593B89321BF467B5FD00435D5CC06565EFDC969CC374

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF712DAB010 Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 94
COMMON

Download Yara Rule

C-Code - Quality: 16%

			E00007FF77FF712DAB010(long long __rcx) {
				char _v72;
				long long _v80;
				long long _v88;
				intOrPtr _t32;
				signed int _t36;
				void* _t47;
				intOrPtr _t65;
				intOrPtr _t66;
				intOrPtr _t69;

				_v88 = 0xfffffffe;
				if ( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(__rcx)) + 4)) + __rcx + 0x48)) == 0) goto 0x12dab0e9;
				_v80 = __rcx;
				 *0x12db9470();
				_t65 =  *((intOrPtr*)( *((intOrPtr*)(__rcx)) + 4));
				if ( *((intOrPtr*)(_t65 + __rcx + 0x10)) != 0) goto 0x12dab071;
				_t66 =  *((intOrPtr*)(_t65 + __rcx + 0x50));
				if (_t66 == 0) goto 0x12dab071;
				if (_t66 == __rcx) goto 0x12dab071;
				E00007FF77FF712DAB010(_t66);
				_t32 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(__rcx)) + 4)) + __rcx + 0x10));
				_v72 = _t32 == 0;
				if (_t32 != 0) goto 0x12dab0b8;
				_t47 =  *0x12db9470() - 0xffffffff;
				if (_t47 != 0) goto 0x12dab0b8;
				_t69 =  *((intOrPtr*)( *((intOrPtr*)(__rcx)) + 4));
				_t36 =  *(_t69 + __rcx + 0x10) & 0x00000013 | 0x00000004;
				 *(_t69 + __rcx + 0x10) = _t36;
				if (_t47 != 0) goto 0x12dab0f2;
				0x12db2924();
				if (_t36 != 0) goto 0x12dab0ca;
				E00007FF77FF712DA5140(__rcx);
				if ( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(__rcx)) + 4)) + __rcx + 0x48)) == 0) goto 0x12dab0e9;
				return  *0x12db9470();
			}

0x7ff712dab016
0x7ff712dab031
0x7ff712dab037
0x7ff712dab043
0x7ff712dab04c
0x7ff712dab058
0x7ff712dab05a
0x7ff712dab062
0x7ff712dab067
0x7ff712dab069
0x7ff712dab075
0x7ff712dab07b
0x7ff712dab082
0x7ff712dab096
0x7ff712dab099
0x7ff712dab09e
0x7ff712dab0a9
0x7ff712dab0ac
0x7ff712dab0b6
0x7ff712dab0b8
0x7ff712dab0bf
0x7ff712dab0c4
0x7ff712dab0d9
0x7ff712dab0f1

APIs

_CxxThrowException.LIBVCRUNTIME ref: 00007FF712DAB140

Strings

ios_base::badbit set, xrefs: 00007FF712DAB0F7
ios_base::eofbit set, xrefs: 00007FF712DAB10A
ios_base::failbit set, xrefs: 00007FF712DAB103

Memory Dump Source

Source File: 00000000.00000002.252556355.00007FF712DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF712DA0000, based on PE: true

Associated: 00000000.00000002.252549842.00007FF712DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252705366.00007FF712DB9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252717639.00007FF712DC9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252722439.00007FF712DCB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff712da0000_Hydra.jbxd

Similarity

API ID: ExceptionThrow
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 432778473-1866435925
Opcode ID: 18ff28d61a1f07a9f86f6fc88a3d055f5720184f28a5b22602cd6f6bc8708ed8
Instruction ID: 178b7e8376fe7890ea952f12d6dbed8568445f3081d31ea9259536d2c7282403
Opcode Fuzzy Hash: 18ff28d61a1f07a9f86f6fc88a3d055f5720184f28a5b22602cd6f6bc8708ed8
Instruction Fuzzy Hash: 1331AE22604E0D81EE50EB29D491678A760FF55FA4FA48635DA9E433B4DF7DD44AC320

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF712DA5140 Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 58COMMON

Download Yara Rule

APIs

_CxxThrowException.LIBVCRUNTIME ref: 00007FF712DA51EF

Strings

ios_base::badbit set, xrefs: 00007FF712DA51A6
ios_base::eofbit set, xrefs: 00007FF712DA51B9
ios_base::failbit set, xrefs: 00007FF712DA51B2

Memory Dump Source

Source File: 00000000.00000002.252556355.00007FF712DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF712DA0000, based on PE: true

Associated: 00000000.00000002.252549842.00007FF712DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252705366.00007FF712DB9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252717639.00007FF712DC9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252722439.00007FF712DCB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff712da0000_Hydra.jbxd

Similarity

API ID: ExceptionThrow
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 432778473-1866435925
Opcode ID: 9f6942e0f1fb7c52ec13ea2d832f3ad1a4fc0cf1d5611fa81c2d4e423c24500e
Instruction ID: 44387c0658bfeb171157f2302b97cf81d05dfa9a3571878aae41c22efc56aa4f
Opcode Fuzzy Hash: 9f6942e0f1fb7c52ec13ea2d832f3ad1a4fc0cf1d5611fa81c2d4e423c24500e
Instruction Fuzzy Hash: E211C362A08E4D81EA509B14D4856B8B360EB84FB4FD44631DA9E473F5DF7CD54AC360

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF712DAC950 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00007FF712DAC983
__stdio_common_vfwprintf.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF712DAC9AC
fputwc.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF712DAC9B9
LeaveCriticalSection.KERNEL32 ref: 00007FF712DAC9C6

Memory Dump Source

Source File: 00000000.00000002.252556355.00007FF712DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF712DA0000, based on PE: true

Associated: 00000000.00000002.252549842.00007FF712DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252705366.00007FF712DB9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252717639.00007FF712DC9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252722439.00007FF712DCB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff712da0000_Hydra.jbxd

Similarity

API ID: CriticalSection$EnterLeave__stdio_common_vfwprintffputwc
String ID:
API String ID: 4070124032-0
Opcode ID: 9d40ede551d8d4190c64d84c77a0e5482f13d7dc537a7fef841687b1688eb216
Instruction ID: b545755f8e36b7d69febf581496ae326e82f27d91a10ae323aa1b3e9d6a2557f
Opcode Fuzzy Hash: 9d40ede551d8d4190c64d84c77a0e5482f13d7dc537a7fef841687b1688eb216
Instruction Fuzzy Hash: FFF08F72918F4A91D600AB10F8014A9A260FB967B0F804235E9DC52AF5CFACE158C770

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF712DAC6B0 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00007FF712DAC6E3
__stdio_common_vfwprintf.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF712DAC70C
fputwc.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF712DAC719
LeaveCriticalSection.KERNEL32 ref: 00007FF712DAC726

Memory Dump Source

Source File: 00000000.00000002.252556355.00007FF712DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF712DA0000, based on PE: true

Associated: 00000000.00000002.252549842.00007FF712DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252705366.00007FF712DB9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252717639.00007FF712DC9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252722439.00007FF712DCB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff712da0000_Hydra.jbxd

Similarity

API ID: CriticalSection$EnterLeave__stdio_common_vfwprintffputwc
String ID:
API String ID: 4070124032-0
Opcode ID: aaff010bcad925f144b5dfa322496cbda3781ec8092bd3324fa35ff399faeb97
Instruction ID: cc241c9c65942bbee936562f1676312b97712b34770fb4ac682549ec010f65fa
Opcode Fuzzy Hash: aaff010bcad925f144b5dfa322496cbda3781ec8092bd3324fa35ff399faeb97
Instruction Fuzzy Hash: B1F08F72A18F4991E600AB10F8014AAA260FB967B0F804235E9DC52AF5CFACE158C770

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF712DA2880 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 156
COMMON

Download Yara Rule

C-Code - Quality: 34%

			E00007FF77FF712DA2880(intOrPtr __edx, long long __rbx, long long __rcx, long long __rsi) {
				void* _t55;
				void* _t57;
				void* _t58;
				void* _t61;
				signed long long _t78;
				signed long long _t82;
				signed long long _t93;
				signed long long _t96;
				signed long long _t120;
				intOrPtr _t121;
				long long _t124;
				intOrPtr _t125;
				void* _t128;
				signed long long _t129;
				void* _t131;
				void* _t134;
				signed long long _t136;
				intOrPtr* _t137;
				signed long long _t140;
				signed long long _t141;

				_t119 = __rsi;
				_t90 = __rbx;
				_t134 = _t128;
				_t129 = _t128 - 0x80;
				 *((long long*)(_t129 + 0x20)) = 0xfffffffe;
				 *((long long*)(_t134 + 0x10)) = __rbx;
				 *((long long*)(_t134 + 0x18)) = _t124;
				 *((long long*)(_t134 + 0x20)) = __rsi;
				_t78 =  *0x12dc9568; // 0x438b11ead5c6
				 *(_t129 + 0x70) = _t78 ^ _t129;
				_t137 = __rcx;
				 *((long long*)(_t134 - 0x80)) = __rcx;
				asm("movdqa xmm0, [0x17922]");
				asm("movdqu [esp+0x60], xmm0");
				r15d = 0;
				 *((intOrPtr*)(_t134 - 0x58)) = r15w;
				r8d = 0;
				E00007FF77FF712DA56F0(__rbx, _t134 - 0x58, 0x12db9f90, __rsi, _t124, _t131);
				asm("movdqa xmm0, [0x178f8]");
				asm("movdqu [esp+0x40], xmm0");
				 *((intOrPtr*)(_t129 + 0x30)) = r15w;
				r8d = 0;
				E00007FF77FF712DA56F0(_t90, _t129 + 0x30, 0x12db9f90, _t119, _t124, _t131);
				 *_t137 = __edx;
				 *((intOrPtr*)(_t137 + 4)) = r8d;
				 *((intOrPtr*)(_t137 + 8)) = r9d;
				 *(_t137 + 0x20) = _t141;
				 *(_t137 + 0x28) = _t141;
				_t125 =  *((intOrPtr*)(_t129 + 0x30));
				_t139 =  >=  ? _t125 : _t129 + 0x30;
				_t120 =  *((intOrPtr*)(_t129 + 0x40));
				if (_t120 - 8 >= 0) goto 0x12da2969;
				asm("inc ecx");
				asm("inc ecx");
				 *(_t137 + 0x28) = 7;
				goto 0x12da29a9;
				_t93 =  >  ? 0xfffffffe : _t120 | 0x00000007;
				_t55 = E00007FF77FF712DA53B0(_t93 + 1);
				 *((long long*)(_t137 + 0x10)) = 0xfffffffe;
				_t112 =  >=  ? _t125 : _t129 + 0x30;
				E00007FF77FF712DB5690(_t55, 0xfffffffe,  >=  ? _t125 : _t129 + 0x30, 2 + _t120 * 2);
				 *(_t137 + 0x28) = _t93;
				 *(_t137 + 0x20) = _t120;
				 *(_t137 + 0x40) = _t141;
				 *(_t137 + 0x48) = _t141;
				_t121 =  *((intOrPtr*)(_t129 + 0x50));
				_t136 =  *((intOrPtr*)(_t129 + 0x68));
				_t143 =  >=  ? _t121 : _t129 + 0x50;
				_t140 =  *((intOrPtr*)(_t129 + 0x60));
				if (_t140 - 8 >= 0) goto 0x12da29ea;
				asm("inc ecx");
				asm("inc ecx");
				 *(_t137 + 0x48) = 7;
				goto 0x12da2a20;
				_t96 =  >  ? 0xfffffffe : _t140 | 0x00000007;
				_t57 = E00007FF77FF712DA53B0(_t96 + 1);
				 *((long long*)(_t137 + 0x30)) = 0xfffffffe;
				_t114 =  >=  ? _t121 : _t129 + 0x50;
				_t58 = E00007FF77FF712DB5690(_t57, 0xfffffffe,  >=  ? _t121 : _t129 + 0x50, 2 + _t140 * 2);
				 *(_t137 + 0x48) = _t96;
				 *(_t137 + 0x40) = _t140;
				_t82 =  *((intOrPtr*)(_t129 + 0x48));
				if (_t82 - 8 < 0) goto 0x12da2a61;
				if (2 + _t82 * 2 - 0x1000 < 0) goto 0x12da2a58;
				if (_t125 -  *((intOrPtr*)(_t125 - 8)) + 0xfffffff8 - 0x1f > 0) goto 0x12da2acf;
				0x12db3f50();
				if (_t136 - 8 < 0) goto 0x12da2a98;
				if (2 + _t136 * 2 - 0x1000 < 0) goto 0x12da2a90;
				if (_t121 -  *((intOrPtr*)(_t121 - 8)) + 0xfffffff8 - 0x1f > 0) goto 0x12da2ac9;
				0x12db3f50();
				return E00007FF77FF712DB4070(_t58, _t61, __edx,  *(_t129 + 0x70) ^ _t129);
			}

0x7ff712da2880
0x7ff712da2880
0x7ff712da2880
0x7ff712da288c
0x7ff712da2893
0x7ff712da289c
0x7ff712da28a0
0x7ff712da28a4
0x7ff712da28a8
0x7ff712da28b2
0x7ff712da28bf
0x7ff712da28c2
0x7ff712da28c6
0x7ff712da28ce
0x7ff712da28d4
0x7ff712da28d7
0x7ff712da28dc
0x7ff712da28ea
0x7ff712da28f0
0x7ff712da28f8
0x7ff712da28fe
0x7ff712da2904
0x7ff712da2913
0x7ff712da2919
0x7ff712da291d
0x7ff712da2921
0x7ff712da2925
0x7ff712da2929
0x7ff712da2932
0x7ff712da293d
0x7ff712da294b
0x7ff712da2954
0x7ff712da2956
0x7ff712da295a
0x7ff712da295f
0x7ff712da2967
0x7ff712da2973
0x7ff712da297f
0x7ff712da2984
0x7ff712da2990
0x7ff712da2996
0x7ff712da299b
0x7ff712da29a9
0x7ff712da29ad
0x7ff712da29b1
0x7ff712da29ba
0x7ff712da29bf
0x7ff712da29c8
0x7ff712da29cc
0x7ff712da29d5
0x7ff712da29d7
0x7ff712da29db
0x7ff712da29e0
0x7ff712da29e8
0x7ff712da29f4
0x7ff712da2a00
0x7ff712da2a05
0x7ff712da2a11
0x7ff712da2a17
0x7ff712da2a1c
0x7ff712da2a20
0x7ff712da2a24
0x7ff712da2a2d
0x7ff712da2a41
0x7ff712da2a56
0x7ff712da2a5b
0x7ff712da2a65
0x7ff712da2a79
0x7ff712da2a8e
0x7ff712da2a93
0x7ff712da2ac8

APIs

Part of subcall function 00007FF712DA56F0: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,00007FF712DA106D), ref: 00007FF712DA580D

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF712DA2AC9
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF712DA2ACF

Strings

\\.\, xrefs: 00007FF712DA288A

Memory Dump Source

Source File: 00000000.00000002.252556355.00007FF712DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF712DA0000, based on PE: true

Associated: 00000000.00000002.252549842.00007FF712DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252705366.00007FF712DB9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252717639.00007FF712DC9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252722439.00007FF712DCB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff712da0000_Hydra.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID: \\.\
API String ID: 3668304517-2900601889
Opcode ID: 1fd5a8f85cbc889dc301cfbb9477b51405081634abaa146a99fb39337a801618
Instruction ID: 54b104396d09ba98aacbec7484ea41e072458fb4b5a49b4aa95002073ecf5c80
Opcode Fuzzy Hash: 1fd5a8f85cbc889dc301cfbb9477b51405081634abaa146a99fb39337a801618
Instruction Fuzzy Hash: 2B51E722A18FD991EA50AB16E44869EB368FB45BB0F810335EAED037D5DF78D145C310

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF712DA56F0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 96
COMMON

Download Yara Rule

C-Code - Quality: 68%

			E00007FF77FF712DA56F0(long long __rbx, long long* __rcx, void* __rdx, long long __rsi, long long __rbp, signed int __r8, long long _a8, long long _a16, long long _a24) {
				void* _t21;
				void* _t24;
				long long _t38;
				void* _t42;
				void* _t46;
				signed long long _t51;
				unsigned long long _t59;
				long long* _t64;
				signed long long _t66;
				intOrPtr _t70;
				long long _t71;
				long long _t80;

				_a8 = __rbx;
				_a16 = __rbp;
				_a24 = __rsi;
				_t66 =  *((intOrPtr*)(__rcx + 0x18));
				_t80 = __r8;
				_t64 = __rcx;
				if (__r8 - _t66 > 0) goto 0x12da5744;
				if (_t66 - 8 < 0) goto 0x12da5726;
				_t70 =  *((intOrPtr*)(__rcx));
				_t42 = __r8 + __r8;
				 *((long long*)(__rcx + 0x10)) = __r8;
				E00007FF77FF712DB5690(_t21, _t70, __rdx, _t42);
				 *((short*)(_t42 + _t70)) = 0;
				goto 0x12da57eb;
				if (__r8 - 0xfffffffe > 0) goto 0x12da5807;
				_t51 = __r8 | 0x00000007;
				if (_t51 - 0xfffffffe > 0) goto 0x12da5782;
				_t59 = _t66 >> 1;
				if (_t66 - 0xfffffffe - _t59 > 0) goto 0x12da5782;
				_t38 = _t59 + _t66;
				_t9 = ( <  ? _t38 : _t51) + 1; // 0x7fffffffffffffff
				_t24 = E00007FF77FF712DA53B0(_t9);
				 *((long long*)(_t64 + 0x18)) =  <  ? _t38 : _t51;
				_t46 = _t80 + _t80;
				 *((long long*)(_t64 + 0x10)) = _t80;
				_t71 = _t38;
				E00007FF77FF712DB5690(_t24, _t38, __rdx, _t46);
				 *((short*)(_t46 + _t71)) = 0;
				if (_t66 - 8 < 0) goto 0x12da57e8;
				_t54 =  *_t64;
				if (2 + _t66 * 2 - 0x1000 < 0) goto 0x12da57e3;
				if ( *_t64 -  *((intOrPtr*)(_t54 - 8)) - 8 - 0x1f > 0) goto 0x12da580d;
				0x12db3f50();
				 *_t64 = _t71;
				return 0;
			}

0x7ff712da56f0
0x7ff712da56f5
0x7ff712da56fa
0x7ff712da5708
0x7ff712da570c
0x7ff712da5712
0x7ff712da5718
0x7ff712da5721
0x7ff712da5723
0x7ff712da5726
0x7ff712da572a
0x7ff712da5734
0x7ff712da573b
0x7ff712da573f
0x7ff712da5751
0x7ff712da575a
0x7ff712da5761
0x7ff712da5769
0x7ff712da5772
0x7ff712da5774
0x7ff712da5782
0x7ff712da5789
0x7ff712da578e
0x7ff712da5795
0x7ff712da5799
0x7ff712da57a3
0x7ff712da57a6
0x7ff712da57ad
0x7ff712da57b5
0x7ff712da57b7
0x7ff712da57c9
0x7ff712da57de
0x7ff712da57e3
0x7ff712da57e8
0x7ff712da5806

APIs

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,00007FF712DA106D), ref: 00007FF712DA580D

Strings

\\.\, xrefs: 00007FF712DA55AC, 00007FF712DA58A9
ios_base::badbit set, xrefs: 00007FF712DA583F

Memory Dump Source

Source File: 00000000.00000002.252556355.00007FF712DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF712DA0000, based on PE: true

Associated: 00000000.00000002.252549842.00007FF712DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252705366.00007FF712DB9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252717639.00007FF712DC9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252722439.00007FF712DCB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff712da0000_Hydra.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID: \\.\$ios_base::badbit set
API String ID: 3668304517-1001580282
Opcode ID: 103f23ad3227254f1d2014c665acf444cf221d79b5070fd87055cebc89dd3d7f
Instruction ID: c19deca718d71608c84676d453648d08424fc76845010367d021a87e248a33e9
Opcode Fuzzy Hash: 103f23ad3227254f1d2014c665acf444cf221d79b5070fd87055cebc89dd3d7f
Instruction Fuzzy Hash: 3131CD22B04B8A95EA54EF26E5441ADA360BB04FE0FD84131DF9D17B86DFB8D195C320

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF712DB7928 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 27%

			E00007FF77FF712DB7928(void* __ecx, void* __eflags, void* __rax, long long __rbx, void* __rdx, long long _a8) {
				void* _t12;
				void* _t19;

				_t12 = __rax;
				_a8 = __rbx;
				E00007FF77FF712DB7678(3, __rdx, "FlsSetValue", _t19, 0x12dc1d98, 0x12dc1da0);
				if (_t12 == 0) goto 0x12db7968;
				 *0x12db9470();
				goto 0x12db796e;
				return TlsSetValue(??, ??);
			}

0x7ff712db7928
0x7ff712db7928
0x7ff712db7951
0x7ff712db795e
0x7ff712db7960
0x7ff712db7966
0x7ff712db7978

APIs

try_get_function.LIBVCRUNTIME ref: 00007FF712DB7951
TlsSetValue.KERNEL32(?,?,00000000,00007FF712DB5F6E,?,?,?,00007FF712DB5F09,?,?,?,?,00007FF712DB55FE), ref: 00007FF712DB7968

Strings

FlsSetValue, xrefs: 00007FF712DB793E

Memory Dump Source

Source File: 00000000.00000002.252556355.00007FF712DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF712DA0000, based on PE: true

Associated: 00000000.00000002.252549842.00007FF712DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252705366.00007FF712DB9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252717639.00007FF712DC9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.252722439.00007FF712DCB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff712da0000_Hydra.jbxd

Similarity

API ID: Valuetry_get_function
String ID: FlsSetValue
API String ID: 738293619-3750699315
Opcode ID: 4ccbfe4da607b57243755a09d4ce65d4ff0d40f2df8d368459ee74196d65cd4f
Instruction ID: 903802c6cd57f2f516d6f4ef34945b8dad5cf9051806859bc9e7075b1d402f25
Opcode Fuzzy Hash: 4ccbfe4da607b57243755a09d4ce65d4ff0d40f2df8d368459ee74196d65cd4f
Instruction Fuzzy Hash: E6E06C51E08D4AA2FB496764E4105F89221BF4D7D0FD84035D59D16394CE7CDA5DC730

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Hydra.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

\Device\ConDrv

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Network Behavior

Statistics

CPU Usage

Memory Usage

Behavior

System Behavior

Analysis Process: Hydra.exePID: 5928, Parent PID: 5364

General

File Activities

File Opened

File Created

File Written

File Attributes Queried

Volume Information Queried

Device IO

Section Activities

Windows Analysis Report
Hydra.exe

Function 00007FF712DB44D0 Relevance: 1.5, APIs: 1, Instructions: 7
COMMON

Function 00007FF712DB1D00 Relevance: 40.7, APIs: 2, Strings: 21, Instructions: 463
COMMON