Edit tour

Windows Analysis Report
bHLOVVmF1t.exe

Overview

General Information

Sample Name:	bHLOVVmF1t.exe
Analysis ID:	698343
MD5:	27f71b12cb585541885a31be22f61c83
SHA1:	d05defe2c8efef10ed5f1361760fa0ae41fa79f5
SHA256:	f9d9b9ded9a67aa3cfdbd5002f3b524b265c4086c188e1be7c936ab25627bf01
Infos:

Detection

Score:	8
Range:	0 - 100
Whitelisted:	false
Confidence:	80%

Signatures

Sample file is different than original file name gathered from version info

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query locales information (e.g. system language)

PE file contains sections with non-standard names

Binary contains a suspicious time stamp

Detected potential crypto function

Contains functionality to call native functions

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Found large amount of non-executed APIs

Uses Microsoft's Enhanced Cryptographic Provider

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Program does not show much activity (idle)

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality for read data from the clipboard

Uses the keyboard layout for branch decision (may execute only for specific keyboard layouts)

Classification

Process Tree

System is w10x64

bHLOVVmF1t.exe (PID: 6072 cmdline: "C:\Users\user\Desktop\bHLOVVmF1t.exe" MD5: 27F71B12CB585541885A31BE22F61C83)

cleanup

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: C:\Users\user\Desktop\bHLOVVmF1t.exe

Code function: 0_2_00007FF681F3E730 GetFileAttributesW,DuplicateEncryptionInfoFile,PathFileExistsW,CreateFileW,GetLastError,SendMessageW,SendMessageW,SendMessageW,SendMessageW,LocalLock,WriteFile,GetACP,WideCharToMultiByte,WriteFile,WriteFile,WriteFile,WriteFile,SetEndOfFile,LocalUnlock,SendMessageW,CloseHandle,memset,#170,PathFindExtensionW,memset,CoTaskMemFree,memset,CoTaskMemFree,GetFileAttributesW,DecryptFileW,WindowsCreateStringReference,RoGetActivationFactory,CoTaskMemFree,SetCursor,SetCursor,CloseHandle,LocalUnlock,DeleteFileW,

0_2_00007FF681F3E730

Source: bHLOVVmF1t.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source:	Binary string: notepad.pdbGCTL source: bHLOVVmF1t.exe
Source:	Binary string: notepad.pdb source: bHLOVVmF1t.exe

Source: C:\Users\user\Desktop\bHLOVVmF1t.exe	Code function: 0_2_00007FF681F3B83C LocalFree,FindFirstFileW,FindClose,FormatMessageW,SetWindowTextW,LocalFree,LocalFree,		0_2_00007FF681F3B83C
Source: C:\Users\user\Desktop\bHLOVVmF1t.exe	Code function: 0_2_00007FF681F41188 CoTaskMemFree,CoTaskMemFree,PathIsFileSpecW,FindFirstFileW,FindClose,PathFindExtensionW,FindFirstFileW,FindClose,CoTaskMemFree,CoTaskMemFree,CoTaskMemFree,		0_2_00007FF681F41188

Source: C:\Users\user\Desktop\bHLOVVmF1t.exe

Code function: 0_2_00007FF681F3BA28 GetMenu,SendMessageW,GetSubMenu,EnableMenuItem,GetSubMenu,EnableMenuItem,GetSubMenu,EnableMenuItem,GetSubMenu,EnableMenuItem,OpenClipboard,IsClipboardFormatAvailable,CloseClipboard,GetSubMenu,EnableMenuItem,SendMessageW,GetSubMenu,EnableMenuItem,GetSubMenu,EnableMenuItem,GetSubMenu,EnableMenuItem,GetSubMenu,EnableMenuItem,SendMessageW,GetSubMenu,EnableMenuItem,GetSubMenu,CheckMenuItem,GetSubMenu,CheckMenuItem,

0_2_00007FF681F3BA28

Source: bHLOVVmF1t.exe	Binary or memory string: OriginalFilename vs bHLOVVmF1t.exe
Source: bHLOVVmF1t.exe, 00000000.00000000.241702181.00007FF681F66000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameNOTEPAD.EXEj% vs bHLOVVmF1t.exe
Source: bHLOVVmF1t.exe, 00000000.00000002.242238373.00007FF681F63000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameNOTEPAD.EXEj% vs bHLOVVmF1t.exe
Source: bHLOVVmF1t.exe	Binary or memory string: OriginalFilenameNOTEPAD.EXEj% vs bHLOVVmF1t.exe

Source: C:\Users\user\Desktop\bHLOVVmF1t.exe	Code function: 0_2_00007FF681F36B98	0_2_00007FF681F36B98
Source: C:\Users\user\Desktop\bHLOVVmF1t.exe	Code function: 0_2_00007FF681F3AD6C	0_2_00007FF681F3AD6C
Source: C:\Users\user\Desktop\bHLOVVmF1t.exe	Code function: 0_2_00007FF681F4224C	0_2_00007FF681F4224C
Source: C:\Users\user\Desktop\bHLOVVmF1t.exe	Code function: 0_2_00007FF681F41F40	0_2_00007FF681F41F40
Source: C:\Users\user\Desktop\bHLOVVmF1t.exe	Code function: 0_2_00007FF681F3C75C	0_2_00007FF681F3C75C
Source: C:\Users\user\Desktop\bHLOVVmF1t.exe	Code function: 0_2_00007FF681F3CB70	0_2_00007FF681F3CB70
Source: C:\Users\user\Desktop\bHLOVVmF1t.exe	Code function: 0_2_00007FF681F3679C	0_2_00007FF681F3679C
Source: C:\Users\user\Desktop\bHLOVVmF1t.exe	Code function: 0_2_00007FF681F4EBAC	0_2_00007FF681F4EBAC
Source: C:\Users\user\Desktop\bHLOVVmF1t.exe	Code function: 0_2_00007FF681F3B3B8	0_2_00007FF681F3B3B8
Source: C:\Users\user\Desktop\bHLOVVmF1t.exe	Code function: 0_2_00007FF681F4CFE0	0_2_00007FF681F4CFE0
Source: C:\Users\user\Desktop\bHLOVVmF1t.exe	Code function: 0_2_00007FF681F4D824	0_2_00007FF681F4D824
Source: C:\Users\user\Desktop\bHLOVVmF1t.exe	Code function: 0_2_00007FF681F3D07C	0_2_00007FF681F3D07C
Source: C:\Users\user\Desktop\bHLOVVmF1t.exe	Code function: 0_2_00007FF681F3709C	0_2_00007FF681F3709C
Source: C:\Users\user\Desktop\bHLOVVmF1t.exe	Code function: 0_2_00007FF681F3C8B8	0_2_00007FF681F3C8B8
Source: C:\Users\user\Desktop\bHLOVVmF1t.exe	Code function: 0_2_00007FF681F3D8CC	0_2_00007FF681F3D8CC
Source: C:\Users\user\Desktop\bHLOVVmF1t.exe	Code function: 0_2_00007FF681F3F0D4	0_2_00007FF681F3F0D4
Source: C:\Users\user\Desktop\bHLOVVmF1t.exe	Code function: 0_2_00007FF681F3B130	0_2_00007FF681F3B130
Source: C:\Users\user\Desktop\bHLOVVmF1t.exe	Code function: 0_2_00007FF681F3CD48	0_2_00007FF681F3CD48
Source: C:\Users\user\Desktop\bHLOVVmF1t.exe	Code function: 0_2_00007FF681F4F548	0_2_00007FF681F4F548
Source: C:\Users\user\Desktop\bHLOVVmF1t.exe	Code function: 0_2_00007FF681F4C988	0_2_00007FF681F4C988
Source: C:\Users\user\Desktop\bHLOVVmF1t.exe	Code function: 0_2_00007FF681F391C4	0_2_00007FF681F391C4
Source: C:\Users\user\Desktop\bHLOVVmF1t.exe	Code function: 0_2_00007FF681F3D1D8	0_2_00007FF681F3D1D8
Source: C:\Users\user\Desktop\bHLOVVmF1t.exe	Code function: 0_2_00007FF681F3CA14	0_2_00007FF681F3CA14
Source: C:\Users\user\Desktop\bHLOVVmF1t.exe	Code function: 0_2_00007FF681F4F248	0_2_00007FF681F4F248
Source: C:\Users\user\Desktop\bHLOVVmF1t.exe	Code function: 0_2_00007FF681F3A290	0_2_00007FF681F3A290
Source: C:\Users\user\Desktop\bHLOVVmF1t.exe	Code function: 0_2_00007FF681F40B08	0_2_00007FF681F40B08
Source: C:\Users\user\Desktop\bHLOVVmF1t.exe	Code function: 0_2_00007FF681F3CF20	0_2_00007FF681F3CF20
Source: C:\Users\user\Desktop\bHLOVVmF1t.exe	Code function: 0_2_00007FF681F3E730	0_2_00007FF681F3E730

Source: C:\Users\user\Desktop\bHLOVVmF1t.exe	Code function: 0_2_00007FF681F33464 NtQueryWnfStateData,GetModuleHandleW,GetProcAddress,		0_2_00007FF681F33464
Source: C:\Users\user\Desktop\bHLOVVmF1t.exe	Code function: 0_2_00007FF681F3350C NtUpdateWnfStateData,GetModuleHandleW,GetProcAddress,		0_2_00007FF681F3350C

Source: C:\Users\user\Desktop\bHLOVVmF1t.exe

Code function: 0_2_00007FF681F3FDAC GetLastError,FormatMessageW,MessageBoxW,

0_2_00007FF681F3FDAC

Source: bHLOVVmF1t.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\bHLOVVmF1t.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: classification engine

Classification label: clean8.winEXE@1/0@0/0

Source: C:\Users\user\Desktop\bHLOVVmF1t.exe

Code function: 0_2_00007FF681F50950 CoCreateInstance,

0_2_00007FF681F50950

Source: C:\Users\user\Desktop\bHLOVVmF1t.exe

Code function: 0_2_00007FF681F4F900 CreateDirectoryW,GetLastError,CreateFileW,CloseHandle,GetDiskFreeSpaceExW,SendMessageW,CoTaskMemFree,

0_2_00007FF681F4F900

Source: bHLOVVmF1t.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: bHLOVVmF1t.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: bHLOVVmF1t.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: bHLOVVmF1t.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: bHLOVVmF1t.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: bHLOVVmF1t.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: bHLOVVmF1t.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: bHLOVVmF1t.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source: bHLOVVmF1t.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: notepad.pdbGCTL source: bHLOVVmF1t.exe
Source:	Binary string: notepad.pdb source: bHLOVVmF1t.exe

Source: bHLOVVmF1t.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: bHLOVVmF1t.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: bHLOVVmF1t.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: bHLOVVmF1t.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: bHLOVVmF1t.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: bHLOVVmF1t.exe

Static PE information: section name: .didat

Source: bHLOVVmF1t.exe

Static PE information: 0xBDD4ADCD [Wed Dec 3 11:32:29 2070 UTC]

Source: C:\Users\user\Desktop\bHLOVVmF1t.exe	Code function: 0_2_00007FF681F3A290 GetDlgCtrlID,memset,WindowsCreateStringReference,RoGetActivationFactory,MessageBeep,MessageBeep,DestroyWindow,DestroyWindow,DeleteObject,SendMessageW,IsIconic,SetFocus,IsIconic,GetForegroundWindow,GetForegroundWindow,DefWindowProcW,PostQuitMessage,SetCursor,SetCursor,SetCursor,SetCursor,GetKeyboardLayout,MessageBoxW,SetWindowPos,SendMessageW,GetDpiForWindow,MulDiv,CreateFontIndirectW,DeleteObject,SendMessageW,RedrawWindow,DefWindowProcW,EnableMenuItem,DefWindowProcW,		0_2_00007FF681F3A290
Source: C:\Users\user\Desktop\bHLOVVmF1t.exe	Code function: 0_2_00007FF681F3A290 GetDlgCtrlID,memset,WindowsCreateStringReference,RoGetActivationFactory,MessageBeep,MessageBeep,DestroyWindow,DestroyWindow,DeleteObject,SendMessageW,IsIconic,SetFocus,IsIconic,GetForegroundWindow,GetForegroundWindow,DefWindowProcW,PostQuitMessage,SetCursor,SetCursor,SetCursor,SetCursor,GetKeyboardLayout,MessageBoxW,SetWindowPos,SendMessageW,GetDpiForWindow,MulDiv,CreateFontIndirectW,DeleteObject,SendMessageW,RedrawWindow,DefWindowProcW,EnableMenuItem,DefWindowProcW,		0_2_00007FF681F3A290

Source: C:\Users\user\Desktop\bHLOVVmF1t.exe

API coverage: 2.5 %

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\bHLOVVmF1t.exe

Code function: 0_2_00007FF681F4224C rdtsc

0_2_00007FF681F4224C

Source: C:\Users\user\Desktop\bHLOVVmF1t.exe

Code function: 0_2_00007FF681F4224C GetKeyboardLayout followed by cmp: cmp ax, 0011h and CTI: jne 00007FF681F42C69h country: Japanese (ja)

0_2_00007FF681F4224C

Source: C:\Users\user\Desktop\bHLOVVmF1t.exe	Code function: 0_2_00007FF681F3B83C LocalFree,FindFirstFileW,FindClose,FormatMessageW,SetWindowTextW,LocalFree,LocalFree,		0_2_00007FF681F3B83C
Source: C:\Users\user\Desktop\bHLOVVmF1t.exe	Code function: 0_2_00007FF681F41188 CoTaskMemFree,CoTaskMemFree,PathIsFileSpecW,FindFirstFileW,FindClose,PathFindExtensionW,FindFirstFileW,FindClose,CoTaskMemFree,CoTaskMemFree,CoTaskMemFree,		0_2_00007FF681F41188

Source: C:\Users\user\Desktop\bHLOVVmF1t.exe

Code function: 0_2_00007FF681F31F84 GetCurrentThreadId,IsDebuggerPresent,OutputDebugStringW,

0_2_00007FF681F31F84

Source: C:\Users\user\Desktop\bHLOVVmF1t.exe

Code function: 0_2_00007FF681F36B98 GetCurrentProcessId,CreateMutexW,WaitForSingleObjectEx,GetProcessHeap,HeapAlloc,GetProcessHeap,GetProcessHeap,HeapFree,memset,InitializeCriticalSectionEx,

0_2_00007FF681F36B98

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\bHLOVVmF1t.exe

Code function: 0_2_00007FF681F4224C rdtsc

0_2_00007FF681F4224C

Source: C:\Users\user\Desktop\bHLOVVmF1t.exe

Code function: 0_2_00007FF681F53A20 DelayLoadFailureHook,LdrResolveDelayLoadedAPI,

0_2_00007FF681F53A20

Source: C:\Users\user\Desktop\bHLOVVmF1t.exe	Code function: 0_2_00007FF681F53DA0 SetUnhandledExceptionFilter,_o__set_new_mode,	0_2_00007FF681F53DA0
Source: C:\Users\user\Desktop\bHLOVVmF1t.exe	Code function: 0_2_00007FF681F53F98 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00007FF681F53F98
Source: C:\Users\user\Desktop\bHLOVVmF1t.exe	Code function: 0_2_00007FF681F548C8 SetUnhandledExceptionFilter,	0_2_00007FF681F548C8
Source: C:\Users\user\Desktop\bHLOVVmF1t.exe	Code function: 0_2_00007FF681F546D0 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00007FF681F546D0

Source: C:\Users\user\Desktop\bHLOVVmF1t.exe	Code function: GetLocaleInfoW,	0_2_00007FF681F3E348
Source: C:\Users\user\Desktop\bHLOVVmF1t.exe	Code function: memset,GetLocalTime,GetLocaleInfoW,GetUserDefaultUILanguage,GetDateFormatW,GetTimeFormatW,SendMessageW,	0_2_00007FF681F3E3A8
Source: C:\Users\user\Desktop\bHLOVVmF1t.exe	Code function: GetLocaleInfoW,	0_2_00007FF681F37CF4

Source: C:\Users\user\Desktop\bHLOVVmF1t.exe

Code function: 0_2_00007FF681F3E3A8 memset,GetLocalTime,GetLocaleInfoW,GetUserDefaultUILanguage,GetDateFormatW,GetTimeFormatW,SendMessageW,

0_2_00007FF681F3E3A8

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Path Interception	1 Virtualization/Sandbox Evasion	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	Exfiltration Over Other Network Medium	2 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Timestomp	LSASS Memory	3 Security Software Discovery	Remote Desktop Protocol	1 Clipboard Data	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	1 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Binary Padding	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Steganography	Cached Domain Credentials	23 System Information Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Link
bHLOVVmF1t.exe	0%	ReversingLabs
bHLOVVmF1t.exe	0%	Virustotal	Browse
bHLOVVmF1t.exe	0%	Metadefender	Browse

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

⊘No contacted domains info

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox Version:	35.0.0 Citrine
Analysis ID:	698343
Start date and time:	2022-09-06 18:06:34 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 3m 5s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	bHLOVVmF1t.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	1
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	CLEAN
Classification:	clean8.winEXE@1/0@0/0
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 98.5% (good quality ratio 43%) Quality average: 25.9% Quality standard deviation: 34.8%
HCA Information:	Successful, ratio: 100% Number of executed functions: 15 Number of non-executed functions: 127
Cookbook Comments:	Found application associated with file extension: .exe Adjust boot time Enable AMSI Stop behavior analysis, all processes terminated

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit):	6.314653547136082
TrID:	Win64 Executable GUI (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	bHLOVVmF1t.exe
File size:	201216
MD5:	27f71b12cb585541885a31be22f61c83
SHA1:	d05defe2c8efef10ed5f1361760fa0ae41fa79f5
SHA256:	f9d9b9ded9a67aa3cfdbd5002f3b524b265c4086c188e1be7c936ab25627bf01
SHA512:	15e1782612460d63c0bffe464296e6974f9606a94075af2bc4d880145f2ee86953675de90264eb04df8607a99cfc02c15a5771a6c923d8fbc8428f7513ce9c75
SSDEEP:	6144:8T4eymtyPadTbb9WBmhrYhsIxGPOk4G9:Y0mtzdT3MkrYog
TLSH:	D214392D22AE10E5E47B917CCD424606F6B2B035272262EF15E0C17D9F13AEDBA78F51
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........w.r.$.r.$.r.$..h$.r.$...%.r.$...%.r.$...%.r.$.r.$.w.$...%.r.$...%.r.$...$.r.$...$.r.$...%.r.$Rich.r.$.......................

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General

Entrypoint:	0x140023f40
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Time Stamp:	0xBDD4ADCD [Wed Dec 3 11:32:29 2070 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	10
OS Version Minor:	0
File Version Major:	10
File Version Minor:	0
Subsystem Version Major:	10
Subsystem Version Minor:	0
Import Hash:	320faf01086570930eff84a436797927

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
call 00007F9878721E1Ch
dec eax
add esp, 28h
jmp 00007F9878721663h
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
nop word ptr [eax+eax+00000000h]
dec eax
cmp ecx, dword ptr [0000C4F9h]
jne 00007F9878721805h
dec eax
rol ecx, 10h
test cx, FFFFh
jne 00007F98787217F5h
ret
dec eax
ror ecx, 10h
jmp 00007F9878721864h
int3
int3
int3
int3
int3
int3
int3
inc eax
push ebx
dec eax
sub esp, 20h
dec eax
mov ebx, ecx
call dword ptr [00002951h]
mov ecx, 00000001h
mov dword ptr [0000D24Eh], eax
call 00007F9878721EFEh
xor ecx, ecx
call dword ptr [00002E11h]
dec eax
mov ecx, ebx
call dword ptr [00002E10h]
cmp dword ptr [0000D231h], 00000000h
jne 00007F98787217FCh
mov ecx, 00000001h
call 00007F9878721EDAh
call dword ptr [00002947h]
dec eax
mov ecx, eax
mov edx, C0000409h
dec eax
add esp, 20h
pop ebx
dec eax
jmp dword ptr [00002E1Bh]
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
dec eax
mov dword ptr [esp+08h], ecx
dec eax
sub esp, 00000000h

Rich Headers

Programming Language:

[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x2d0c0	0x244	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x36000	0xbd8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x33000	0x10ec	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x37000	0x2d4	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x2ac20	0x54	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x266d0	0x118	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x267e8	0x900	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x2c9d8	0xe0	.rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x247ff	0x24800	False	0.5147086365582192	data	6.284312467662616	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x26000	0x9280	0x9400	False	0.5293496621621622	data	5.922590529785045	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x30000	0x2728	0xe00	False	0.15931919642857142	data	1.7984996497344239	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x33000	0x10ec	0x1200	False	0.4967447916666667	data	4.89362924004292	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.didat	0x35000	0x178	0x200	False	0.27734375	data	2.517465809693691	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x36000	0xbd8	0xc00	False	0.4117838541666667	data	4.606322802046901	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x37000	0x2d4	0x400	False	0.4091796875	data	4.126327221624759	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
EDPENLIGHTENEDAPPINFOID	0x36710	0x2	data	English	United States
EDPPERMISSIVEAPPINFOID	0x36718	0x2	data	English	United States
MUI	0x36a98	0x140	data	English	United States
RT_VERSION	0x36720	0x374	data	English	United States
RT_MANIFEST	0x36260	0x4af	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States

Imports

DLL	Import
KERNEL32.dll	GetProcAddress, CreateMutexExW, AcquireSRWLockShared, DeleteCriticalSection, GetCurrentProcessId, GetProcessHeap, GetModuleHandleW, DebugBreak, IsDebuggerPresent, GlobalFree, GetLocaleInfoW, CreateFileW, ReadFile, MulDiv, GetCurrentProcess, GetCommandLineW, HeapSetInformation, FreeLibrary, LocalFree, LocalAlloc, FindFirstFileW, FindClose, FoldStringW, GetModuleFileNameW, GetUserDefaultUILanguage, GetLocalTime, HeapFree, HeapAlloc, WideCharToMultiByte, WriteFile, GetFileAttributesW, LocalLock, GetACP, LocalUnlock, DeleteFileW, SetEndOfFile, GetFileAttributesExW, GetFileInformationByHandle, CreateFileMappingW, MapViewOfFile, MultiByteToWideChar, LocalReAlloc, UnmapViewOfFile, GetFullPathNameW, LocalSize, GetStartupInfoW, lstrcmpiW, FindNLSString, GlobalLock, GlobalUnlock, GlobalAlloc, GetDiskFreeSpaceExW, CreateDirectoryW, RegisterApplicationRestart, CreateSemaphoreExW, CreateThreadpoolTimer, ReleaseSRWLockShared, SetThreadpoolTimer, CloseHandle, OpenSemaphoreW, WaitForSingleObjectEx, AcquireSRWLockExclusive, CloseThreadpoolTimer, OutputDebugStringW, ReleaseSRWLockExclusive, GetLastError, FormatMessageW, ReleaseMutex, GetCurrentThreadId, WaitForSingleObject, WaitForThreadpoolTimerCallbacks, InitializeCriticalSectionEx, LeaveCriticalSection, GetModuleHandleExW, ReleaseSemaphore, EnterCriticalSection, GetTimeFormatW, SetLastError, GetDateFormatW, ResolveDelayLoadedAPI, DelayLoadFailureHook, GetModuleFileNameA
GDI32.dll	CreateDCW, StartPage, StartDocW, SetAbortProc, DeleteDC, EndDoc, AbortDoc, EndPage, GetTextMetricsW, SetBkMode, LPtoDP, SetWindowExtEx, SetViewportExtEx, SetMapMode, GetTextExtentPoint32W, TextOutW, EnumFontsW, GetTextFaceW, SelectObject, DeleteObject, CreateFontIndirectW, GetDeviceCaps
USER32.dll	PostMessageW, MessageBoxW, GetMenu, CheckMenuItem, GetSubMenu, EnableMenuItem, ShowWindow, GetDC, ReleaseDC, SetCursor, GetDpiForWindow, SetActiveWindow, LoadStringW, DefWindowProcW, IsIconic, SetFocus, PostQuitMessage, DestroyWindow, MessageBeep, GetForegroundWindow, GetDlgCtrlID, SetWindowPos, RedrawWindow, GetKeyboardLayout, CharNextW, SetWinEventHook, GetMessageW, TranslateAcceleratorW, IsDialogMessageW, TranslateMessage, DispatchMessageW, UnhookWinEvent, SetWindowTextW, OpenClipboard, IsClipboardFormatAvailable, CloseClipboard, SetDlgItemTextW, GetDlgItemTextW, EndDialog, SendDlgItemMessageW, SetScrollPos, InvalidateRect, UpdateWindow, GetWindowPlacement, SetWindowPlacement, CharUpperW, GetSystemMenu, LoadAcceleratorsW, SetWindowLongW, CreateWindowExW, MonitorFromWindow, RegisterWindowMessageW, LoadCursorW, RegisterClassExW, GetWindowTextLengthW, GetWindowLongW, PeekMessageW, GetWindowTextW, EnableWindow, CreateDialogParamW, DrawTextExW, LoadIconW, LoadImageW, DialogBoxParamW, SetThreadDpiAwarenessContext, SendMessageW, MoveWindow, GetClientRect, GetFocus
api-ms-win-crt-string-l1-1-0.dll	memset, wcsnlen, wcscmp
api-ms-win-crt-runtime-l1-1-0.dll	_c_exit, _register_thread_local_exe_atexit_callback, _initterm_e, _initterm
api-ms-win-crt-private-l1-1-0.dll	_o__callnewh, _o__cexit, _o__configthreadlocale, _o__configure_wide_argv, _o__crt_atexit, _o__errno, _o__exit, _o__get_wide_winmain_command_line, _o__initialize_onexit_table, _o__initialize_wide_environment, _o__invalid_parameter_noinfo, _o__purecall, _o__register_onexit_function, _o__seh_filter_exe, _o__set_app_type, _o__set_fmode, _o__set_new_mode, _o__wcsicmp, _o__wtol, _o_exit, _o_free, _o_iswdigit, _o_malloc, _o_terminate, _o_toupper, __CxxFrameHandler3, _CxxThrowException, _o___std_exception_destroy, _o___std_exception_copy, _o___p__commode, _o___stdio_common_vswprintf, __C_specific_handler, memcmp, memcpy, memmove
api-ms-win-core-com-l1-1-0.dll	CoWaitForMultipleHandles, CoUninitialize, PropVariantClear, CoTaskMemFree, CoTaskMemAlloc, CoCreateFreeThreadedMarshaler, CoCreateInstance, CoInitializeEx, CoCreateGuid
api-ms-win-core-shlwapi-legacy-l1-1-0.dll	PathIsFileSpecW, PathFindExtensionW, PathFileExistsW
api-ms-win-shcore-obsolete-l1-1-0.dll	SHStrDupW
api-ms-win-shcore-path-l1-1-0.dll
api-ms-win-shcore-scaling-l1-1-1.dll	GetDpiForMonitor
api-ms-win-core-rtlsupport-l1-1-0.dll	RtlLookupFunctionEntry, RtlCaptureContext, RtlVirtualUnwind
api-ms-win-core-errorhandling-l1-1-0.dll	SetUnhandledExceptionFilter, UnhandledExceptionFilter, RaiseException
api-ms-win-core-processthreads-l1-1-0.dll	TerminateProcess
api-ms-win-core-processthreads-l1-1-1.dll	GetProcessMitigationPolicy, IsProcessorFeaturePresent
api-ms-win-core-profile-l1-1-0.dll	QueryPerformanceCounter
api-ms-win-core-sysinfo-l1-1-0.dll	GetTickCount, GetSystemTimeAsFileTime
api-ms-win-core-interlocked-l1-1-0.dll	InitializeSListHead
api-ms-win-core-libraryloader-l1-2-0.dll	LoadLibraryExW
api-ms-win-core-winrt-string-l1-1-0.dll	WindowsCreateString, WindowsDeleteString, WindowsGetStringRawBuffer, WindowsCreateStringReference
api-ms-win-core-synch-l1-1-0.dll	SetEvent, CreateEventExW
api-ms-win-core-winrt-error-l1-1-0.dll	SetRestrictedErrorInfo
api-ms-win-core-string-l1-1-0.dll	CompareStringOrdinal
api-ms-win-core-winrt-l1-1-0.dll	RoInitialize, RoUninitialize, RoGetActivationFactory
api-ms-win-core-winrt-error-l1-1-1.dll	RoGetMatchingRestrictedErrorInfo
api-ms-win-eventing-provider-l1-1-0.dll	EventProviderEnabled
api-ms-win-core-synch-l1-2-0.dll	Sleep
COMCTL32.dll	CreateStatusWindowW

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

⊘No network behavior found

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

System Behavior

Analysis Process: bHLOVVmF1t.exePID: 6072, Parent PID: 5380

General

Target ID:	0
Start time:	18:07:27
Start date:	06/09/2022
Path:	C:\Users\user\Desktop\bHLOVVmF1t.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\bHLOVVmF1t.exe"
Imagebase:	0x7ff681f30000
File size:	201216 bytes
MD5 hash:	27F71B12CB585541885A31BE22F61C83
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: bHLOVVmF1t.exePID: 6072, Parent PID: 5380COMMON

Execution Graph

Execution Coverage:	3.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	35.7%
Total number of Nodes:	666
Total number of Limit Nodes:	7

Executed Functions

Function 00007FF681F4224C Relevance: 775.1, APIs: 416, Strings: 21, Instructions: 10329
windowregistrythreadCOMMONCrypto

Download Yara Rule

C-Code - Quality: 16%

			E00007FF67FF681F4224C(void* __edx, void* __rax, long long __rcx, long long __rdx, short* __r8, void* __r9, void* __r10) {
				void* __rbx;
				void* __rdi;
				void* __rsi;
				void* __rbp;
				void* __r14;
				int _t49;
				int _t50;
				void* _t52;
				intOrPtr _t80;
				intOrPtr _t83;
				intOrPtr _t123;
				void* _t131;
				signed int _t153;
				intOrPtr _t169;
				void* _t176;
				void* _t178;
				signed long long _t200;
				signed long long _t201;
				signed long long _t202;
				long long _t203;
				void* _t204;
				void* _t214;
				long long _t276;
				signed long long _t278;
				short* _t279;
				void* _t280;
				short* _t281;
				void* _t283;
				void* _t284;
				signed long long _t285;
				long long _t300;

				_t295 = __r9;
				_t287 = __r8;
				_t283 = _t284 - 0x1138;
				E00007FF67FF681F55520();
				_t285 = _t284 - __rax;
				_t200 =  *0x81f60470; // 0xbba9a5b3aaf9
				_t201 = _t200 ^ _t285;
				 *(_t283 + 0x1120) = _t201;
				_t276 = __rcx;
				r12d = r9d;
				_t279 = __r8;
				_t300 = __rdx;
				_t49 = RegisterWindowMessageW(??);
				 *0x81f6150c = _t49;
				if (_t49 == 0) goto 0x81f429c5;
				_t50 = RegisterWindowMessageW(??);
				 *0x81f61508 = _t50;
				if (_t50 == 0) goto 0x81f429c5;
				GetDC(??);
				if (_t201 == 0) goto 0x81f429c5;
				_t52 = E00007FF67FF681F41444(_t201, _t204, __rdx, __r8, _t283); // executed
				if (_t52 == 0) goto 0x81f429c5;
				LoadCursorW(??, ??);
				 *0x81f61688 = _t201;
				LoadCursorW(??, ??);
				 *0x81f61680 = _t201;
				LoadAcceleratorsW(??, ??);
				 *0x81f615f8 = _t201;
				LoadAcceleratorsW(??, ??);
				_t176 =  *0x81f61680 - _t204; // 0x10007
				 *0x81f615f0 = _t201;
				if (_t176 == 0) goto 0x81f429c5;
				if (_t201 == 0) goto 0x81f429c5;
				_t178 =  *0x81f615f8 - _t201; // 0x0
				if (_t178 == 0) goto 0x81f429c5;
				E00007FF67FF681F4C860(_t204, _t276, _t300, _t276, _t279, _t300);
				asm("xorps xmm0, xmm0");
				 *0x81f61678 = _t276;
				asm("movdqu [0x1f177], xmm0");
				 *0x81f61670 = _t300;
				 *0x81f61510 = 0x80;
				 *0x81f61560 = _t300;
				E00007FF67FF681F37CF4(__r9);
				E00007FF67FF681F37D94();
				E00007FF67FF681F4FA54(E00007FF67FF681F40B08(0, _t204, _t300, _t279, __r9), _t204, _t283 + 0x2c8, _t300, _t276, _t279, _t287);
				_t214 = _t283 + 0x2d0;
				E00007FF67FF681F4CAE4(_t201, _t204, _t214, _t201);
				 *_t201 = _t214;
				E00007FF67FF681F3C72C(0x81f620e8,  *_t201);
				E00007FF67FF681F3E324(E00007FF67FF681F3C72C(_t283 + 0x2d0,  *_t201), _t283 + 0x2c8);
				if ( *0x81f620e8 == 0) goto 0x81f42432;
				E00007FF67FF681F4FB7C( *0x81f620e8, _t204,  *((intOrPtr*)( *0x81f620e8 + 0x10)), _t279, _t283, _t287, _t295, __r10);
				 *(_t285 + 0x58) = _t201;
				 *((long long*)(_t285 + 0x50)) = _t300;
				 *(_t285 + 0x48) = _t201;
				r9d = 0xcf0000;
				 *(_t285 + 0x40) = _t201;
				 *((intOrPtr*)(_t285 + 0x38)) =  *0x81f62110;
				 *((intOrPtr*)(_t285 + 0x30)) =  *0x81f6210c;
				 *((intOrPtr*)(_t285 + 0x28)) =  *0x81f62104;
				 *((intOrPtr*)(_t285 + 0x20)) =  *0x81f62108;
				CreateWindowExW(??, ??, ??, ??, ??, ??, ??, ??, ??, ??, ??, ??);
				 *0x81f62598 = _t201;
				 *0x81f61518 = _t201;
				if (_t201 == 0) goto 0x81f429c5;
				E00007FF67FF681F3C5C0(0, _t204);
				E00007FF67FF681F51EA0(_t204);
				_t222 =  <  ? _t204 :  *0x81f62138;
				 *0x81f62138 =  <  ? _t204 :  *0x81f62138;
				if ( *0x81f62104 == 0x80000000) goto 0x81f425ce;
				if ( *0x81f62108 == 0x80000000) goto 0x81f425ce;
				asm("xorps xmm0, xmm0");
				asm("movups [ebp+0xa70], xmm0");
				 *(_t283 + 0xa90) = _t201;
				asm("movups [ebp+0xa80], xmm0");
				_t19 = _t201 + 0x2c; // 0x2c
				_t169 = _t19;
				 *((intOrPtr*)(_t283 + 0xa98)) = 0;
				 *((intOrPtr*)(_t283 + 0xa70)) = _t169;
				if (GetWindowPlacement(??, ??) == 0) goto 0x81f4258f;
				_t80 =  *0x81f62108;
				asm("xorps xmm0, xmm0");
				 *0x81f617fc = _t80;
				 *0x81f61804 = _t80 -  *((intOrPtr*)(_t283 + 0xa8c)) +  *((intOrPtr*)(_t283 + 0xa94));
				_t83 =  *0x81f62104;
				 *0x81f61800 = _t83;
				 *0x81f61808 = _t83 -  *(_t283 + 0xa90) +  *((intOrPtr*)(_t283 + 0xa98));
				asm("movdqu [0x1f262], xmm0");
				 *0x81f617f4 =  *0x81f62598;
				 *0x81f617e0 = _t169;
				_t205 =  *0x81f62598;
				__imp__SetThreadDpiAwarenessContext();
				SetWindowPlacement(??, ??);
				__imp__SetThreadDpiAwarenessContext();
				r13d = 1;
				 *0x81f65138();
				GetClientRect(??, ??);
				asm("inc ebp");
				 *(_t285 + 0x58) = _t201;
				r9d = r9d & 0xfff00000;
				 *((long long*)(_t285 + 0x50)) = _t300;
				 *(_t285 + 0x48) = _t201;
				r9d = r9d + 0x50300104;
				_t202 =  *0x81f62598;
				 *(_t285 + 0x40) = _t202;
				 *((intOrPtr*)(_t285 + 0x38)) =  *((intOrPtr*)(_t283 + 0x44c));
				 *((intOrPtr*)(_t285 + 0x30)) =  *((intOrPtr*)(_t283 + 0x448));
				 *((intOrPtr*)(_t285 + 0x28)) = 0;
				 *((intOrPtr*)(_t285 + 0x20)) = 0;
				CreateWindowExW(??, ??, ??, ??, ??, ??, ??, ??, ??, ??, ??, ??);
				if (_t202 == 0) goto 0x81f429c5;
				E00007FF67FF681F41CA8(0, _t202, _t202, 0x81f57b40, _t295);
				r9d = r13d;
				r8d = r13d;
				SendMessageW(??, ??, ??, ??);
				r9d = r9d ^ r9d;
				r8d = r13d;
				SendMessageW(??, ??, ??, ??);
				r8d = 0;
				SendMessageW(??, ??, ??, ??);
				r9d = 0x401;
				asm("sbb ecx, ecx");
				CreateStatusWindowW(??, ??, ??, ??);
				if (_t202 == 0) goto 0x81f429c5;
				E00007FF67FF681F41EF0(0x44800000,  *0x81f62598, _t202, _t201, _t279);
				E00007FF67FF681F3B130(_t169,  *0x81f62598, _t201, _t279, L"NPCTXT");
				GetClientRect(??, ??);
				E00007FF67FF681F41F40( *((intOrPtr*)(_t283 + 0x918)) -  *((intOrPtr*)(_t283 + 0x910)),  *0x81f62598, _t201, _t279);
				r9d = 0;
				SendMessageW(??, ??, ??, ??);
				E00007FF67FF681F3CEA4(3, _t202, 0x81f61488);
				__imp__GetDpiForWindow();
				r8d = 0x2d0;
				 *0x81f61610 =  ~(MulDiv(??, ??, ??));
				CreateFontIndirectW(??);
				 *0x81f61608 = _t202;
				SelectObject(??, ??);
				_t278 = _t202;
				GetTextFaceW(??, ??, ??);
				SelectObject(??, ??);
				if (lstrcmpiW(??, ??) == 0) goto 0x81f4288e;
				EnumFontsW(??, ??, ??, ??);
				DeleteObject(??);
				CreateFontIndirectW(??);
				 *0x81f61608 = _t202;
				goto 0x81f42895;
				_t203 =  *0x81f61608; // 0x0
				r9d = 0;
				SendMessageW(??, ??, ??, ??);
				ReleaseDC(??, ??);
				r9d = r9d ^ r9d;
				r8d = 0;
				SendMessageW(??, ??, ??, ??);
				 *0x81f61690 = _t203;
				_t123 =  *0x81f615e8; // 0x0
				 *0x81f615e4 = _t123;
				E00007FF67FF681F3B83C( *0x81f62598, _t278, _t203);
				E00007FF67FF681F3B130(_t169, _t205, _t278, _t279, 0x81f61610);
				ShowWindow(??, ??);
				SetCursor(??);
				_t46 = _t278 - 0x1e; // 0x2
				r14d = _t46;
				if ( *_t279 == 0x20) goto 0x81f42941;
				if ( *_t279 != 9) goto 0x81f42946;
				_t280 = _t279 + 0x81f61610;
				goto 0x81f42936;
				 *0x81f62100 = 0;
				if (E00007FF67FF681F41114(0, _t203, _t205, L"/A", _t280, _t280) != 0) goto 0x81f42968;
				 *0x81f62100 = r13d;
				goto 0x81f4298d;
				E00007FF67FF681F41114(0, _t203, _t205, L"/W", _t280, _t280);
				_t153 =  ==  ? r14d :  *0x81f62100;
				 *0x81f62100 = _t153;
				if (_t153 == 0) goto 0x81f429a1;
				_t281 = _t280 + 4;
				if ( *_t281 == 0x20) goto 0x81f4299c;
				if ( *_t281 != 9) goto 0x81f429a1;
				goto 0x81f42991;
				if (E00007FF67FF681F41BB4(_t280) == 0) goto 0x81f42a3a;
				_t131 = E00007FF67FF681F415FC(E00007FF67FF681F41BB4(_t280), _t203, _t205, _t281 + 0x81f61610, _t278, _t281 + 0x81f61610, 0x81f61610, __r10);
				if (_t131 == 0) goto 0x81f429eb;
				if (_t131 != r14d) goto 0x81f42ba1;
				E00007FF67FF681F53F70();
				return 0;
			}

0x7ff681f4224c
0x7ff681f4224c
0x7ff681f42259
0x7ff681f42266
0x7ff681f4226b
0x7ff681f4226e
0x7ff681f42275
0x7ff681f42278
0x7ff681f4227f
0x7ff681f42282
0x7ff681f4228c
0x7ff681f4228f
0x7ff681f42292
0x7ff681f422a0
0x7ff681f422a8
0x7ff681f422b5
0x7ff681f422c1
0x7ff681f422c9
0x7ff681f422d1
0x7ff681f422e3
0x7ff681f422ec
0x7ff681f422f3
0x7ff681f42300
0x7ff681f42313
0x7ff681f4231a
0x7ff681f42330
0x7ff681f42337
0x7ff681f4234d
0x7ff681f42354
0x7ff681f42360
0x7ff681f42367
0x7ff681f4236e
0x7ff681f42377
0x7ff681f4237f
0x7ff681f42386
0x7ff681f42392
0x7ff681f42397
0x7ff681f4239a
0x7ff681f423a1
0x7ff681f423a9
0x7ff681f423b0
0x7ff681f423ba
0x7ff681f423c1
0x7ff681f423c6
0x7ff681f423d7
0x7ff681f423df
0x7ff681f423e6
0x7ff681f423f0
0x7ff681f423fa
0x7ff681f42414
0x7ff681f42425
0x7ff681f4242b
0x7ff681f42432
0x7ff681f4243e
0x7ff681f4244a
0x7ff681f4244f
0x7ff681f42455
0x7ff681f42462
0x7ff681f4246c
0x7ff681f42476
0x7ff681f42480
0x7ff681f42484
0x7ff681f42490
0x7ff681f42497
0x7ff681f424a1
0x7ff681f424a9
0x7ff681f424bc
0x7ff681f424cf
0x7ff681f424d9
0x7ff681f424e0
0x7ff681f424ec
0x7ff681f42502
0x7ff681f42505
0x7ff681f4250c
0x7ff681f42513
0x7ff681f4251a
0x7ff681f4251a
0x7ff681f4251d
0x7ff681f42523
0x7ff681f42539
0x7ff681f4253b
0x7ff681f42541
0x7ff681f42544
0x7ff681f42556
0x7ff681f4255c
0x7ff681f42562
0x7ff681f42574
0x7ff681f4257a
0x7ff681f42582
0x7ff681f42589
0x7ff681f4258f
0x7ff681f4259a
0x7ff681f425b3
0x7ff681f425c2
0x7ff681f425d5
0x7ff681f425de
0x7ff681f425f8
0x7ff681f4261a
0x7ff681f4261f
0x7ff681f42624
0x7ff681f4262b
0x7ff681f42634
0x7ff681f42639
0x7ff681f42640
0x7ff681f42649
0x7ff681f42654
0x7ff681f4265e
0x7ff681f42664
0x7ff681f42668
0x7ff681f4266c
0x7ff681f4267d
0x7ff681f42686
0x7ff681f42692
0x7ff681f42695
0x7ff681f4269d
0x7ff681f426b0
0x7ff681f426b3
0x7ff681f426bb
0x7ff681f426d5
0x7ff681f426dd
0x7ff681f426ff
0x7ff681f42705
0x7ff681f42713
0x7ff681f42722
0x7ff681f4272b
0x7ff681f42733
0x7ff681f42746
0x7ff681f4275e
0x7ff681f4276a
0x7ff681f42779
0x7ff681f4278e
0x7ff681f4279a
0x7ff681f427ac
0x7ff681f427cc
0x7ff681f427d2
0x7ff681f427e1
0x7ff681f427eb
0x7ff681f42804
0x7ff681f42807
0x7ff681f42819
0x7ff681f42841
0x7ff681f42857
0x7ff681f4286a
0x7ff681f42879
0x7ff681f42885
0x7ff681f4288c
0x7ff681f4288e
0x7ff681f4289c
0x7ff681f428a6
0x7ff681f428b7
0x7ff681f428ca
0x7ff681f428cd
0x7ff681f428d5
0x7ff681f428e1
0x7ff681f428eb
0x7ff681f428f1
0x7ff681f428f7
0x7ff681f428ff
0x7ff681f4290e
0x7ff681f42921
0x7ff681f42932
0x7ff681f42932
0x7ff681f42939
0x7ff681f4293f
0x7ff681f42941
0x7ff681f42944
0x7ff681f42949
0x7ff681f4295d
0x7ff681f4295f
0x7ff681f42966
0x7ff681f42972
0x7ff681f4297f
0x7ff681f42983
0x7ff681f4298b
0x7ff681f4298d
0x7ff681f42994
0x7ff681f4299a
0x7ff681f4299f
0x7ff681f429aa
0x7ff681f429b3
0x7ff681f429ba
0x7ff681f429bf
0x7ff681f429d1
0x7ff681f429e9

APIs

RegisterWindowMessageW.USER32(?,?,?,00000000,00000000,?,00000000,?,00007FF681F3AF12), ref: 00007FF681F42292
RegisterWindowMessageW.USER32(?,?,?,00000000,00000000,?,00000000,?,00007FF681F3AF12), ref: 00007FF681F422B5
GetDC.USER32 ref: 00007FF681F422D1

Part of subcall function 00007FF681F41444: LocalAlloc.KERNEL32 ref: 00007FF681F41473
Part of subcall function 00007FF681F41444: LoadStringW.USER32 ref: 00007FF681F414B2
Part of subcall function 00007FF681F41444: LocalFree.KERNEL32 ref: 00007FF681F414D5
Part of subcall function 00007FF681F41444: LocalAlloc.KERNEL32 ref: 00007FF681F414FB

LoadCursorW.USER32 ref: 00007FF681F42300
LoadCursorW.USER32 ref: 00007FF681F4231A
LoadAcceleratorsW.USER32 ref: 00007FF681F42337
LoadAcceleratorsW.USER32 ref: 00007FF681F42354

Part of subcall function 00007FF681F4C860: LoadCursorW.USER32 ref: 00007FF681F4C89F
Part of subcall function 00007FF681F4C860: LoadIconW.USER32 ref: 00007FF681F4C8BD
Part of subcall function 00007FF681F4C860: LoadImageW.USER32 ref: 00007FF681F4C902
Part of subcall function 00007FF681F4C860: RegisterClassExW.USER32 ref: 00007FF681F4C955

Part of subcall function 00007FF681F37CF4: GetLocaleInfoW.KERNEL32 ref: 00007FF681F37D25

Part of subcall function 00007FF681F40B08: memset.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF681F40B37
Part of subcall function 00007FF681F40B08: RegOpenKeyExW.ADVAPI32 ref: 00007FF681F40B9C

Part of subcall function 00007FF681F4FA54: CoCreateGuid.API-MS-WIN-CORE-COM-L1-1-0 ref: 00007FF681F4FA88

Part of subcall function 00007FF681F3E324: CoTaskMemFree.API-MS-WIN-CORE-COM-L1-1-0 ref: 00007FF681F3E330

CreateWindowExW.USER32 ref: 00007FF681F42484
GetWindowPlacement.USER32(?,?,?,00000000,00000000,?,00000000,?,00007FF681F3AF12), ref: 00007FF681F42529
SetThreadDpiAwarenessContext.USER32 ref: 00007FF681F4259A
SetWindowPlacement.USER32(?,?,?,00000000,00000000,?,00000000,?,00007FF681F3AF12), ref: 00007FF681F425B3
SetThreadDpiAwarenessContext.USER32 ref: 00007FF681F425C2
GetClientRect.USER32 ref: 00007FF681F425F8

Part of subcall function 00007FF681F4FB7C: CoTaskMemFree.API-MS-WIN-CORE-COM-L1-1-0(?,?,00000001,00007FF681F41B5B), ref: 00007FF681F4FBFF

CreateWindowExW.USER32 ref: 00007FF681F4266C

Part of subcall function 00007FF681F41CA8: DestroyWindow.USER32(?,?,?,?,?,?,?,?,FFFFFFEC,00000000,?,00007FF681F4D218), ref: 00007FF681F41CD0
Part of subcall function 00007FF681F41CA8: SendMessageW.USER32(?,?,?,?,?,?,?,?,FFFFFFEC,00000000,?,00007FF681F4D218), ref: 00007FF681F41CF1
Part of subcall function 00007FF681F41CA8: SendMessageW.USER32 ref: 00007FF681F41D89
Part of subcall function 00007FF681F41CA8: SendMessageW.USER32 ref: 00007FF681F41DB6
Part of subcall function 00007FF681F41CA8: SendMessageW.USER32 ref: 00007FF681F41E3C

SendMessageW.USER32(?,?,?,00000000,00000000,?,00000000,?,00007FF681F3AF12), ref: 00007FF681F4269D
SendMessageW.USER32(?,?,?,00000000,00000000,?,00000000,?,00007FF681F3AF12), ref: 00007FF681F426BB
SendMessageW.USER32(?,?,?,00000000,00000000,?,00000000,?,00007FF681F3AF12), ref: 00007FF681F426DD
CreateStatusWindowW.COMCTL32(?,?,?,00000000,00000000,?,00000000,?,00007FF681F3AF12), ref: 00007FF681F42713

Part of subcall function 00007FF681F41EF0: DestroyWindow.USER32 ref: 00007FF681F41F11

Part of subcall function 00007FF681F3B130: SendMessageW.USER32 ref: 00007FF681F3B1E5
Part of subcall function 00007FF681F3B130: memset.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF681F3B200
Part of subcall function 00007FF681F3B130: SendMessageW.USER32 ref: 00007FF681F3B25C
Part of subcall function 00007FF681F3B130: memset.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF681F3B2EB

GetClientRect.USER32 ref: 00007FF681F42746

Part of subcall function 00007FF681F41F40: MonitorFromWindow.USER32 ref: 00007FF681F41F7B
Part of subcall function 00007FF681F41F40: GetDpiForMonitor.API-MS-WIN-SHCORE-SCALING-L1-1-1 ref: 00007FF681F41F94
Part of subcall function 00007FF681F41F40: MulDiv.KERNEL32 ref: 00007FF681F4201B
Part of subcall function 00007FF681F41F40: MulDiv.KERNEL32 ref: 00007FF681F42097

SendMessageW.USER32(?,?,?,00000000,00000000,?,00000000,?,00007FF681F3AF12), ref: 00007FF681F42779
GetDpiForWindow.USER32 ref: 00007FF681F4279A
MulDiv.KERNEL32(?,?,?,00000000,00000000,?,00000000,?,00007FF681F3AF12), ref: 00007FF681F427B4
CreateFontIndirectW.GDI32 ref: 00007FF681F427D2
SelectObject.GDI32(?,?,?,00000000,00000000,?,00000000,?,00007FF681F3AF12), ref: 00007FF681F427EB
GetTextFaceW.GDI32(?,?,?,00000000,00000000,?,00000000,?,00007FF681F3AF12), ref: 00007FF681F42807
SelectObject.GDI32(?,?,?,00000000,00000000,?,00000000,?,00007FF681F3AF12), ref: 00007FF681F42819
lstrcmpiW.KERNEL32(?,?,?,00000000,00000000,?,00000000,?,00007FF681F3AF12), ref: 00007FF681F42833
EnumFontsW.GDI32(?,?,?,00000000,00000000,?,00000000,?,00007FF681F3AF12), ref: 00007FF681F42857
DeleteObject.GDI32 ref: 00007FF681F4286A
CreateFontIndirectW.GDI32 ref: 00007FF681F42879

Part of subcall function 00007FF681F41114: CharUpperW.USER32 ref: 00007FF681F41137
Part of subcall function 00007FF681F41114: CharUpperW.USER32 ref: 00007FF681F4114D

SendMessageW.USER32(?,?,?,00000000,00000000,?,00000000,?,00007FF681F3AF12), ref: 00007FF681F428A6
ReleaseDC.USER32 ref: 00007FF681F428B7
SendMessageW.USER32(?,?,?,00000000,00000000,?,00000000,?,00007FF681F3AF12), ref: 00007FF681F428D5
ShowWindow.USER32(?,?,?,00000000,00000000,?,00000000,?,00007FF681F3AF12), ref: 00007FF681F4290E
SetCursor.USER32(?,?,?,00000000,00000000,?,00000000,?,00007FF681F3AF12), ref: 00007FF681F42921

Strings

Security-SPP-GenuineLocalStatus, xrefs: 00007FF681F43828, 00007FF681F43C94, 00007FF681F43DDB
z, xrefs: 00007FF681F46C85
NPCTXT, xrefs: 00007FF681F426CE
ntdll.dll, xrefs: 00007FF681F44F33, 00007FF681F4B7DE
{, xrefs: 00007FF681F46BA3
Default, xrefs: 00007FF681F43530
MainAcc, xrefs: 00007FF681F42343
commdlg_help, xrefs: 00007FF681F422AE
Edit, xrefs: 00007FF681F42613
Segoe UI Light, xrefs: 00007FF681F470B7
GlobalAcc, xrefs: 00007FF681F42326
, xrefs: 00007FF681F49C2E
z, xrefs: 00007FF681F4A4A5
Notepad, xrefs: 00007FF681F42443
z, xrefs: 00007FF681F4662C
NtQuerySystemInformation, xrefs: 00007FF681F44FA9, 00007FF681F4B84D
commdlg_FindReplace, xrefs: 00007FF681F42285
{, xrefs: 00007FF681F4A3D1
3, xrefs: 00007FF681F42AD1
{, xrefs: 00007FF681F4654C
WinSta0, xrefs: 00007FF681F43514

Memory Dump Source

Source File: 00000000.00000002.242166859.00007FF681F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF681F30000, based on PE: true

Associated: 00000000.00000002.242162264.00007FF681F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242186922.00007FF681F56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242194386.00007FF681F60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242238373.00007FF681F63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff681f30000_bHLOVVmF1t.jbxd

Similarity

API ID: Message$SendWindow$Load$Create$Cursor$FreeLocalObjectRegistermemset$AcceleratorsAllocAwarenessCharClientContextDestroyFontIndirectMonitorPlacementRectSelectTaskThreadUpper$ClassDeleteEnumFaceFontsFromGuidIconImageInfoLocaleOpenReleaseShowStatusStringTextlstrcmpi
String ID: $3$Default$Edit$GlobalAcc$MainAcc$NPCTXT$Notepad$NtQuerySystemInformation$Security-SPP-GenuineLocalStatus$Segoe UI Light$WinSta0$commdlg_FindReplace$commdlg_help$ntdll.dll$z$z$z${${${
API String ID: 2606882876-378693033
Opcode ID: 60025d0362eeeb04a58784ad7de976f97f1a52469b4d6932aff077b871d24ad6
Instruction ID: 7eaf360abf7f412d48c7d263a585cf934b8c2a86bb2b03dc33b2859345a337d4
Opcode Fuzzy Hash: 60025d0362eeeb04a58784ad7de976f97f1a52469b4d6932aff077b871d24ad6
Instruction Fuzzy Hash: EE24BF72A08A82CAE724CF25E9542B97BE1FF89788F459139DA0EC7B54DF38E544C740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF681F3AD6C Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 224
windowmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCommandLineW.KERNEL32 ref: 00007FF681F3AE2D
CoCreateGuid.API-MS-WIN-CORE-COM-L1-1-0 ref: 00007FF681F3AE43
HeapSetInformation.KERNEL32 ref: 00007FF681F3AE71
CoInitializeEx.API-MS-WIN-CORE-COM-L1-1-0 ref: 00007FF681F3AE82
CharNextW.USER32 ref: 00007FF681F3AED8
GetCurrentProcessId.KERNEL32 ref: 00007FF681F3AF26
SetWinEventHook.USER32 ref: 00007FF681F3AF51
PostMessageW.USER32 ref: 00007FF681F3AF7D
TranslateAcceleratorW.USER32 ref: 00007FF681F3AF9B
IsDialogMessageW.USER32 ref: 00007FF681F3AFBB
TranslateAcceleratorW.USER32 ref: 00007FF681F3AFDD
TranslateMessage.USER32 ref: 00007FF681F3AFF1
DispatchMessageW.USER32 ref: 00007FF681F3B001
GetMessageW.USER32 ref: 00007FF681F3B019
UnhookWinEvent.USER32 ref: 00007FF681F3B086
FreeLibrary.KERNEL32 ref: 00007FF681F3B0CA
CoUninitialize.API-MS-WIN-CORE-COM-L1-1-0 ref: 00007FF681F3B0D6
EtwEventUnregister.NTDLL ref: 00007FF681F3B0F7

Strings

, xrefs: 00007FF681F3AEEF

Memory Dump Source

Source File: 00000000.00000002.242166859.00007FF681F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF681F30000, based on PE: true

Associated: 00000000.00000002.242162264.00007FF681F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242186922.00007FF681F56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242194386.00007FF681F60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242238373.00007FF681F63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff681f30000_bHLOVVmF1t.jbxd

Similarity

API ID: Message$EventTranslate$Accelerator$CharCommandCreateCurrentDialogDispatchFreeGuidHeapHookInformationInitializeLibraryLineNextPostProcessUnhookUninitializeUnregister
String ID:
API String ID: 3896377122-3916222277
Opcode ID: 12fb79eaf8cd2b9406e2115cd7d2f5eabe106fba900453102f621da8ae7f24e3
Instruction ID: fee854069c21c7ec0505b685b794d3ae6cb7095beb007a8d0ad1697ad09b6229
Opcode Fuzzy Hash: 12fb79eaf8cd2b9406e2115cd7d2f5eabe106fba900453102f621da8ae7f24e3
Instruction Fuzzy Hash: 87B17A36A08A46CAEB109F21E8546B87BE0FF89B95F459139DA1EC3764DF3CE446C700

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF681F36B98 Relevance: 23.0, APIs: 10, Strings: 3, Instructions: 210
synchronizationCOMMONCrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 66%

			E00007FF67FF681F36B98(long long __rbx, long long __rcx, signed long long* __rdx, signed int __rsi, void* __r9) {
				long _t24;
				signed int _t28;
				long _t29;
				signed long long _t56;
				signed long long _t57;
				WCHAR* _t76;
				signed long long _t80;
				void* _t82;
				void* _t85;
				signed long long _t86;
				void* _t91;
				int _t93;
				struct _SECURITY_ATTRIBUTES* _t96;
				void* _t99;

				 *((long long*)(_t85 + 0x18)) = __rbx;
				 *((long long*)(_t85 + 0x20)) = __rsi;
				_t86 = _t85 - 0x280;
				_t56 =  *0x81f60470; // 0xbba9a5b3aaf9
				_t57 = _t56 ^ _t86;
				 *(_t85 - 0x180 + 0x170) = _t57;
				 *__rdx =  *__rdx & 0x00000000;
				_t24 = GetCurrentProcessId();
				 *((long long*)(_t86 + 0x28)) = __rcx;
				r9d = _t24;
				 *((intOrPtr*)(_t86 + 0x20)) = 0x130;
				E00007FF67FF681F31860(_t86 + 0x60, __rdx, L"Local\\SM0:%d:%d:%hs", __r9, _t99);
				r9d = 0x1f0001;
				r8d = 0;
				CreateMutexW(_t96, _t93, _t76); // executed
				 *(_t86 + 0x48) = _t57;
				if (_t57 != 0) goto 0x81f36c3b;
				E00007FF67FF681F31EFC();
				goto 0x81f36ced;
				r8d = 0;
				_t28 = WaitForSingleObjectEx(_t82, ??);
				if (_t28 == 0x102) goto 0x81f36c66;
				if (_t28 == 0) goto 0x81f36c72;
				if (_t28 != 0x80) goto 0x81f36eb1;
				if ((_t28 & 0xffffff7f) == 0) goto 0x81f36c72;
				r14d = 0;
				goto 0x81f36c75;
				 *(_t86 + 0x30) =  *(_t86 + 0x30) & __rsi;
				_t29 = E00007FF67FF681F37868(_t28 & 0xffffff7f, _t57, _t86 + 0x60, _t86 + 0x30, __rsi, _t91); // executed
				if (_t29 >= 0) goto 0x81f36caf;
				r9d = _t29;
				E00007FF67FF681F325BC();
				goto 0x81f36cba;
				_t80 =  *(_t86 + 0x30) << 2;
				if (0 >= 0) goto 0x81f36cc8;
				goto 0x81f36e9a;
				if (_t80 == 0) goto 0x81f36d28;
				 *__rdx = _t80;
				 *( *__rdx) =  *_t80 + 1;
				if (_t57 == 0) goto 0x81f36ced;
				E00007FF67FF681F326B0();
				if ( *(_t86 + 0x48) == 0) goto 0x81f36cfa;
				0x81f3267c();
				E00007FF67FF681F53F70();
				return 0;
			}

0x7ff681f36b98
0x7ff681f36b9d
0x7ff681f36bb2
0x7ff681f36bb9
0x7ff681f36bc0
0x7ff681f36bc3
0x7ff681f36bca
0x7ff681f36bd4
0x7ff681f36be0
0x7ff681f36bec
0x7ff681f36bef
0x7ff681f36c01
0x7ff681f36c06
0x7ff681f36c11
0x7ff681f36c16
0x7ff681f36c22
0x7ff681f36c2d
0x7ff681f36c2f
0x7ff681f36c36
0x7ff681f36c3b
0x7ff681f36c44
0x7ff681f36c55
0x7ff681f36c59
0x7ff681f36c60
0x7ff681f36c6b
0x7ff681f36c6d
0x7ff681f36c70
0x7ff681f36c7c
0x7ff681f36c86
0x7ff681f36c96
0x7ff681f36ca2
0x7ff681f36ca8
0x7ff681f36cad
0x7ff681f36cb4
0x7ff681f36cbc
0x7ff681f36cc3
0x7ff681f36ccb
0x7ff681f36ccd
0x7ff681f36cdc
0x7ff681f36ce3
0x7ff681f36ce8
0x7ff681f36cf0
0x7ff681f36cf5
0x7ff681f36d06
0x7ff681f36d26

APIs

GetCurrentProcessId.KERNEL32 ref: 00007FF681F36BD4

Part of subcall function 00007FF681F31860: _vsnwprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF681F318A0

CreateMutexW.KERNELBASE ref: 00007FF681F36C16
WaitForSingleObjectEx.KERNEL32 ref: 00007FF681F36C44

Part of subcall function 00007FF681F31EFC: GetLastError.KERNEL32 ref: 00007FF681F31F00

Strings

onecore\internal\sdk\inc\wil\opensource\wil\resource.h, xrefs: 00007FF681F36EB8
wil, xrefs: 00007FF681F36C8B
Local\SM0:%d:%d:%hs, xrefs: 00007FF681F36BE5

Memory Dump Source

Source File: 00000000.00000002.242166859.00007FF681F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF681F30000, based on PE: true

Associated: 00000000.00000002.242162264.00007FF681F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242186922.00007FF681F56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242194386.00007FF681F60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242238373.00007FF681F63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff681f30000_bHLOVVmF1t.jbxd

Similarity

API ID: CreateCurrentErrorLastMutexObjectProcessSingleWait_vsnwprintf
String ID: Local\SM0:%d:%d:%hs$onecore\internal\sdk\inc\wil\opensource\wil\resource.h$wil
API String ID: 3333087404-847674279
Opcode ID: 979ba261817bf94b9492d3d2c06e68975d30fe62e1bac2d684fcae0c5ed7208d
Instruction ID: 7a7859828fc01ded599e74afa2a0153a904bb881a4c78d1cfd40789a7a3023cb
Opcode Fuzzy Hash: 979ba261817bf94b9492d3d2c06e68975d30fe62e1bac2d684fcae0c5ed7208d
Instruction Fuzzy Hash: 92917E36A08A42C6E7609B16F4502B9B7E1FF89B91F448139DE4E87B95DF3CE146C701

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF681F53A20 Relevance: 1.5, APIs: 1, Instructions: 12
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrResolveDelayLoadedAPI.NTDLL ref: 00007FF681F53A4B

Memory Dump Source

Source File: 00000000.00000002.242166859.00007FF681F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF681F30000, based on PE: true

Associated: 00000000.00000002.242162264.00007FF681F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242186922.00007FF681F56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242194386.00007FF681F60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242238373.00007FF681F63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff681f30000_bHLOVVmF1t.jbxd

Similarity

API ID: DelayLoadedResolve
String ID:
API String ID: 841769287-0
Opcode ID: 707665836041825b19f8da3ddbc31b5b7299c1c24b8d82e339149b5e40a73e96
Instruction ID: 9ceeb3d236a73c465289fbffa9a2a8e30d4cbd4699a7295f97bb09b16780da3c
Opcode Fuzzy Hash: 707665836041825b19f8da3ddbc31b5b7299c1c24b8d82e339149b5e40a73e96
Instruction Fuzzy Hash: 30E0BDB4A08A41C6D7108B44E9040A4BBE0BF49794F84813AD94C83324CF3CE166CB04

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF681F53DA0 Relevance: 1.5, APIs: 1, Instructions: 7
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 35%

			E00007FF67FF681F53DA0(intOrPtr* __rax, long long __rbx, void* __r8, long long _a8) {
				char _v24;
				void* __rdi;
				void* _t10;
				signed short _t18;
				void* _t19;
				void* _t22;
				intOrPtr _t31;
				intOrPtr* _t50;
				void* _t64;
				void* _t66;
				void* _t74;
				void* _t75;

				_t50 = __rax;
				E00007FF67FF681F548C8(); // executed
				SetUnhandledExceptionFilter(??);
				goto 0x81f54edc;
				asm("int3");
				asm("int3");
				asm("int3");
				asm("int3");
				asm("int3");
				asm("int3");
				asm("int3");
				_a8 = __rbx;
				if (E00007FF67FF681F542C4(1) == 0) goto 0x81f53f0c;
				dil = 0;
				_v24 = dil;
				_t10 = E00007FF67FF681F54284();
				_t31 =  *0x81f61204; // 0x2
				if (_t31 == 1) goto 0x81f53f17;
				if (_t31 != 0) goto 0x81f53e48;
				 *0x81f61204 = 1;
				0x81f54dc8(_t64); // executed
				if (_t10 == 0) goto 0x81f53e29;
				goto 0x81f53f01;
				0x81f54dbc(); // executed
				 *0x81f61204 = 2;
				goto 0x81f53e50;
				dil = 1;
				_v24 = dil;
				E00007FF67FF681F546A0(E00007FF67FF681F5446C(_t10, 0x81f57158));
				if ( *_t50 == 0) goto 0x81f53e83;
				if (E00007FF67FF681F543CC(_t50, _t50) == 0) goto 0x81f53e83;
				r8d = 0;
				_t51 =  *_t50;
				E00007FF67FF681F546B0( *0x81f570f0());
				if ( *((long long*)( *_t50)) == 0) goto 0x81f53ea5;
				if (E00007FF67FF681F543CC( *_t50,  *_t50) == 0) goto 0x81f53ea5;
				0x81f54de0();
				_t18 = E00007FF67FF681F54824(0x81f57158);
				0x81f54e70();
				r9d = _t18 & 0x0000ffff;
				_t19 = E00007FF67FF681F3AD6C(0, _t51, 0x7ff681f30000, _t64, _t66, _t74, _t75); // executed
				if (E00007FF67FF681F54870(_t51) == 0) goto 0x81f53f21;
				if (dil != 0) goto 0x81f53edb;
				0x81f54e34();
				E00007FF67FF681F54498(1, 0);
				_t22 = _t19;
				if (E00007FF67FF681F54870(_t51) == 0) goto 0x81f53f29;
				if (_v24 != 0) goto 0x81f53eff;
				0x81f54dd4();
				return _t22;
			}

0x7ff681f53da0
0x7ff681f53da4
0x7ff681f53da9
0x7ff681f53db4
0x7ff681f53db9
0x7ff681f53dba
0x7ff681f53dbb
0x7ff681f53dbc
0x7ff681f53dbd
0x7ff681f53dbe
0x7ff681f53dbf
0x7ff681f53dc0
0x7ff681f53dd6
0x7ff681f53ddc
0x7ff681f53ddf
0x7ff681f53de4
0x7ff681f53deb
0x7ff681f53df4
0x7ff681f53dfc
0x7ff681f53dfe
0x7ff681f53e16
0x7ff681f53e1d
0x7ff681f53e24
0x7ff681f53e37
0x7ff681f53e3c
0x7ff681f53e46
0x7ff681f53e48
0x7ff681f53e4b
0x7ff681f53e57
0x7ff681f53e63
0x7ff681f53e6f
0x7ff681f53e71
0x7ff681f53e7a
0x7ff681f53e83
0x7ff681f53e8f
0x7ff681f53e9b
0x7ff681f53ea0
0x7ff681f53ea5
0x7ff681f53ead
0x7ff681f53eb2
0x7ff681f53ec1
0x7ff681f53ecf
0x7ff681f53ed4
0x7ff681f53ed6
0x7ff681f53edf
0x7ff681f53ee4
0x7ff681f53ef1
0x7ff681f53ef8
0x7ff681f53efa
0x7ff681f53f0b

APIs

SetUnhandledExceptionFilter.KERNELBASE ref: 00007FF681F53DA9

Memory Dump Source

Source File: 00000000.00000002.242166859.00007FF681F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF681F30000, based on PE: true

Associated: 00000000.00000002.242162264.00007FF681F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242186922.00007FF681F56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242194386.00007FF681F60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242238373.00007FF681F63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff681f30000_bHLOVVmF1t.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: cd4125e94d3b6b5d5c28a2bcc53765e20cac458a2095323c1e4ff0701eb5f60f
Instruction ID: fdc971fefb439824850a492d7911fa715c4b17e7ed68b4c9bdd63e75ae75e819
Opcode Fuzzy Hash: cd4125e94d3b6b5d5c28a2bcc53765e20cac458a2095323c1e4ff0701eb5f60f
Instruction Fuzzy Hash: 8BC04800E5D882C2E70877A528420F961E0BF85311F50813DD00987286EC2C20A7DA22

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF681F53290 Relevance: 21.2, APIs: 10, Strings: 2, Instructions: 165
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RoInitialize.API-MS-WIN-CORE-WINRT-L1-1-0 ref: 00007FF681F532BE
WindowsCreateStringReference.API-MS-WIN-CORE-WINRT-STRING-L1-1-0 ref: 00007FF681F532EB
RaiseException.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF681F5330A
RoGetActivationFactory.API-MS-WIN-CORE-WINRT-L1-1-0 ref: 00007FF681F5333E
WindowsCreateStringReference.API-MS-WIN-CORE-WINRT-STRING-L1-1-0 ref: 00007FF681F533C8
WindowsDeleteString.API-MS-WIN-CORE-WINRT-STRING-L1-1-0 ref: 00007FF681F5340B
WindowsDeleteString.API-MS-WIN-CORE-WINRT-STRING-L1-1-0 ref: 00007FF681F53483

Strings

Windows.ApplicationModel.Resources.Core.ResourceManager, xrefs: 00007FF681F532E4
Files/Resources/notepad.exe.mui, xrefs: 00007FF681F533C1

Memory Dump Source

Source File: 00000000.00000002.242166859.00007FF681F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF681F30000, based on PE: true

Associated: 00000000.00000002.242162264.00007FF681F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242186922.00007FF681F56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242194386.00007FF681F60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242238373.00007FF681F63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff681f30000_bHLOVVmF1t.jbxd

Similarity

API ID: StringWindows$CreateDeleteReference$ActivationExceptionFactoryInitializeRaise
String ID: Files/Resources/notepad.exe.mui$Windows.ApplicationModel.Resources.Core.ResourceManager
API String ID: 2941117075-1600936776
Opcode ID: ee473cb3f6896552c4c58991e0335a9dd66229e6298459dcf8d98038478e4638
Instruction ID: 3edbeafbf9c5d1d47db8a86dfa1a56993dca8287eb1cbfef3e1f6a70395ed94b
Opcode Fuzzy Hash: ee473cb3f6896552c4c58991e0335a9dd66229e6298459dcf8d98038478e4638
Instruction Fuzzy Hash: EB81D52AB14A56C6EB018BA5E8543AD7BB0FF48B98F55813ACE0E97B64DF38D445C340

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF681F53DC0 Relevance: 13.6, APIs: 9, Instructions: 106
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 53%

			E00007FF67FF681F53DC0(intOrPtr* __rax, long long __rbx, void* __r8, long long _a8) {
				char _v24;
				void* __rdi;
				void* _t9;
				signed short _t17;
				void* _t18;
				void* _t21;
				intOrPtr _t29;
				intOrPtr* _t48;
				void* _t62;
				void* _t63;
				void* _t69;
				void* _t70;

				_t48 = __rax;
				_a8 = __rbx;
				if (E00007FF67FF681F542C4(1) == 0) goto 0x81f53f0c;
				dil = 0;
				_v24 = dil;
				_t9 = E00007FF67FF681F54284();
				_t29 =  *0x81f61204; // 0x2
				if (_t29 == 1) goto 0x81f53f17;
				if (_t29 != 0) goto 0x81f53e48;
				 *0x81f61204 = 1;
				0x81f54dc8(); // executed
				if (_t9 == 0) goto 0x81f53e29;
				goto 0x81f53f01;
				0x81f54dbc(); // executed
				 *0x81f61204 = 2;
				goto 0x81f53e50;
				dil = 1;
				_v24 = dil;
				E00007FF67FF681F546A0(E00007FF67FF681F5446C(_t9, 0x81f57158));
				if ( *_t48 == 0) goto 0x81f53e83;
				if (E00007FF67FF681F543CC(_t48, _t48) == 0) goto 0x81f53e83;
				r8d = 0;
				_t49 =  *_t48;
				E00007FF67FF681F546B0( *0x81f570f0());
				if ( *((long long*)( *_t48)) == 0) goto 0x81f53ea5;
				if (E00007FF67FF681F543CC( *_t48, _t49) == 0) goto 0x81f53ea5;
				0x81f54de0();
				_t17 = E00007FF67FF681F54824(0x81f57158);
				0x81f54e70();
				r9d = _t17 & 0x0000ffff;
				_t18 = E00007FF67FF681F3AD6C(0, _t49, 0x7ff681f30000, _t62, _t63, _t69, _t70); // executed
				if (E00007FF67FF681F54870(_t49) == 0) goto 0x81f53f21;
				if (dil != 0) goto 0x81f53edb;
				0x81f54e34();
				E00007FF67FF681F54498(1, 0);
				_t21 = _t18;
				if (E00007FF67FF681F54870(_t49) == 0) goto 0x81f53f29;
				if (_v24 != 0) goto 0x81f53eff;
				0x81f54dd4();
				return _t21;
			}

0x7ff681f53dc0
0x7ff681f53dc0
0x7ff681f53dd6
0x7ff681f53ddc
0x7ff681f53ddf
0x7ff681f53de4
0x7ff681f53deb
0x7ff681f53df4
0x7ff681f53dfc
0x7ff681f53dfe
0x7ff681f53e16
0x7ff681f53e1d
0x7ff681f53e24
0x7ff681f53e37
0x7ff681f53e3c
0x7ff681f53e46
0x7ff681f53e48
0x7ff681f53e4b
0x7ff681f53e57
0x7ff681f53e63
0x7ff681f53e6f
0x7ff681f53e71
0x7ff681f53e7a
0x7ff681f53e83
0x7ff681f53e8f
0x7ff681f53e9b
0x7ff681f53ea0
0x7ff681f53ea5
0x7ff681f53ead
0x7ff681f53eb2
0x7ff681f53ec1
0x7ff681f53ecf
0x7ff681f53ed4
0x7ff681f53ed6
0x7ff681f53edf
0x7ff681f53ee4
0x7ff681f53ef1
0x7ff681f53ef8
0x7ff681f53efa
0x7ff681f53f0b

APIs

__scrt_initialize_crt.LIBCMT ref: 00007FF681F53DCF
__scrt_acquire_startup_lock.LIBCMT ref: 00007FF681F53DE4
__scrt_release_startup_lock.LIBCMT ref: 00007FF681F53E52
_register_thread_local_exe_atexit_callback.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF681F53EA0
__scrt_get_show_window_mode.LIBCMT ref: 00007FF681F53EA5
_o__get_wide_winmain_command_line.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00007FF681F53EAD
__scrt_is_managed_app.LIBCMT ref: 00007FF681F53EC8
_o__cexit.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00007FF681F53ED6
_o__exit.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00007FF681F53F2B

Memory Dump Source

Source File: 00000000.00000002.242166859.00007FF681F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF681F30000, based on PE: true

Associated: 00000000.00000002.242162264.00007FF681F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242186922.00007FF681F56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242194386.00007FF681F60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242238373.00007FF681F63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff681f30000_bHLOVVmF1t.jbxd

Similarity

API ID: __scrt_acquire_startup_lock__scrt_get_show_window_mode__scrt_initialize_crt__scrt_is_managed_app__scrt_release_startup_lock_o__cexit_o__exit_o__get_wide_winmain_command_line_register_thread_local_exe_atexit_callback
String ID:
API String ID: 105026157-0
Opcode ID: 1f426bf3a2983b836c283970bc6239ceb38b0616300f9a50ce44603518859d41
Instruction ID: 90c044173d1113528d222e9d075497a67e9baab1d8f63b25ab76237184d7444d
Opcode Fuzzy Hash: 1f426bf3a2983b836c283970bc6239ceb38b0616300f9a50ce44603518859d41
Instruction Fuzzy Hash: 1E312F21E0C143C2FB14AB69E4153F926D1BF91744F85D13CE94EC72D3EE2CA849D250

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF681F41444 Relevance: 10.6, APIs: 7, Instructions: 115
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LocalAlloc.KERNEL32 ref: 00007FF681F41473
LoadStringW.USER32 ref: 00007FF681F414B2
LocalFree.KERNEL32 ref: 00007FF681F414D5
LocalAlloc.KERNEL32 ref: 00007FF681F414FB

Memory Dump Source

Source File: 00000000.00000002.242166859.00007FF681F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF681F30000, based on PE: true

Associated: 00000000.00000002.242162264.00007FF681F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242186922.00007FF681F56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242194386.00007FF681F60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242238373.00007FF681F63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff681f30000_bHLOVVmF1t.jbxd

Similarity

API ID: Local$Alloc$FreeLoadString
String ID:
API String ID: 4206045929-0
Opcode ID: 500b96ba4e5bf8c84ddb7e2c7e249bb8ce83e926dbd0536f236c720110971746
Instruction ID: 50d00b3ae6795a7dda69f2536b14e76d0a7736e1b2a80729b5e0138fcd7578ae
Opcode Fuzzy Hash: 500b96ba4e5bf8c84ddb7e2c7e249bb8ce83e926dbd0536f236c720110971746
Instruction Fuzzy Hash: 42416935A09A46C6EB108F51B9501B9BBE2FF89B91F488039DE0E97365DF3CE406C780

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF681F37868 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 124
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 35%

			E00007FF67FF681F37868(void* __eflags, long long __rbx, void* __rcx, signed long long* __rdx, long long __rsi, void* __r10) {
				void* _t33;
				void* _t38;
				signed long long _t68;
				signed long long _t69;
				long _t96;
				int _t101;
				void* _t104;
				signed long long _t105;
				WCHAR* _t119;
				int _t122;
				long _t126;

				_t99 = __rsi;
				_t72 = __rbx;
				 *((long long*)(_t104 + 8)) = __rbx;
				 *((long long*)(_t104 + 0x18)) = __rsi;
				_t105 = _t104 - 0x250;
				_t68 =  *0x81f60470; // 0xbba9a5b3aaf9
				_t69 = _t68 ^ _t105;
				 *(_t104 - 0x150 + 0x140) = _t69;
				 *__rdx =  *__rdx & 0x00000000;
				r14d = 0;
				E00007FF67FF681F316FC(__rbx, _t105 + 0x30, __rdx, __rcx, __r10);
				E00007FF67FF681F31788(_t72, _t105 + 0x30, __rdx, L"_p0");
				OpenSemaphoreW(_t126, _t122, _t119);
				if (_t69 != 0) goto 0x81f37920;
				if (GetLastError() == 2) goto 0x81f37a26;
				E00007FF67FF681F325F4();
				goto 0x81f37a07;
				 *(_t105 + 0x24) =  *(_t105 + 0x24) & r14d;
				 *(_t105 + 0x20) =  *(_t105 + 0x20) & r14d;
				_t33 = E00007FF67FF681F32948(_t69, _t105 + 0x24, __rsi);
				if (_t33 >= 0) goto 0x81f37961;
				r9d = _t33;
				E00007FF67FF681F325BC();
				0x81f3267c();
				goto 0x81f37a07;
				E00007FF67FF681F31788(_t69, _t105 + 0x30, _t96, "h");
				OpenSemaphoreW(_t96, _t101);
				if (_t69 != 0) goto 0x81f379ad;
				E00007FF67FF681F325F4();
				goto 0x81f37954;
				_t38 = E00007FF67FF681F32948(_t69, _t105 + 0x20, _t99);
				if (_t38 >= 0) goto 0x81f379e4;
				r9d = _t38;
				E00007FF67FF681F325BC();
				0x81f3267c();
				goto 0x81f37954;
				0x81f3267c(); // executed
				0x81f3267c();
				if (0 >= 0) goto 0x81f37a26;
				r9d = 0;
				E00007FF67FF681F325BC();
				goto 0x81f37a2b;
				 *__rdx =  *(_t105 + 0x24) |  *(_t105 + 0x20) << 0x0000001f;
				E00007FF67FF681F53F70();
				return 0;
			}

0x7ff681f37868
0x7ff681f37868
0x7ff681f37868
0x7ff681f3786d
0x7ff681f37882
0x7ff681f37889
0x7ff681f37890
0x7ff681f37893
0x7ff681f3789a
0x7ff681f378b0
0x7ff681f378b3
0x7ff681f378c6
0x7ff681f378d7
0x7ff681f378f0
0x7ff681f37901
0x7ff681f37914
0x7ff681f3791b
0x7ff681f37920
0x7ff681f3792a
0x7ff681f37932
0x7ff681f3793b
0x7ff681f37944
0x7ff681f3794f
0x7ff681f37957
0x7ff681f3795c
0x7ff681f37970
0x7ff681f37981
0x7ff681f37993
0x7ff681f379a4
0x7ff681f379ab
0x7ff681f379b5
0x7ff681f379be
0x7ff681f379c7
0x7ff681f379d2
0x7ff681f379da
0x7ff681f379df
0x7ff681f379e7
0x7ff681f37a00
0x7ff681f37a09
0x7ff681f37a12
0x7ff681f37a1d
0x7ff681f37a24
0x7ff681f37a26
0x7ff681f37a35
0x7ff681f37a55

APIs

OpenSemaphoreW.KERNEL32 ref: 00007FF681F378D7
GetLastError.KERNEL32 ref: 00007FF681F378F2

Strings

_p0, xrefs: 00007FF681F378B8
wil, xrefs: 00007FF681F378E3

Memory Dump Source

Source File: 00000000.00000002.242166859.00007FF681F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF681F30000, based on PE: true

Associated: 00000000.00000002.242162264.00007FF681F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242186922.00007FF681F56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242194386.00007FF681F60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242238373.00007FF681F63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff681f30000_bHLOVVmF1t.jbxd

Similarity

API ID: ErrorLastOpenSemaphore
String ID: _p0$wil
API String ID: 1909229842-1814513734
Opcode ID: e5b1a2e940c77a106f7896ddf18ace4afe7980b084c5b80b82e84f69d5af9266
Instruction ID: f0c0e31c36ad5d71e19cac280eb7c74f517b8cd417aad353fd624f38e7c0851d
Opcode Fuzzy Hash: e5b1a2e940c77a106f7896ddf18ace4afe7980b084c5b80b82e84f69d5af9266
Instruction Fuzzy Hash: 89519262A08A82C5EB21DB66E8502F967D0BF88B98F444239EE4ED7755DE3CE506C701

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF681F326B0 Relevance: 7.6, APIs: 5, Instructions: 51
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReleaseMutex.KERNEL32 ref: 00007FF681F326B4
GetLastError.KERNEL32 ref: 00007FF681F326FA
SetLastError.KERNEL32 ref: 00007FF681F32712
GetLastError.KERNEL32 ref: 00007FF681F3272B
SetLastError.KERNEL32 ref: 00007FF681F32743

Memory Dump Source

Source File: 00000000.00000002.242166859.00007FF681F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF681F30000, based on PE: true

Associated: 00000000.00000002.242162264.00007FF681F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242186922.00007FF681F56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242194386.00007FF681F60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242238373.00007FF681F63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff681f30000_bHLOVVmF1t.jbxd

Similarity

API ID: ErrorLast$MutexRelease
String ID:
API String ID: 3084565237-0
Opcode ID: 14cf35bfc82b9d18f75cfe8f57f9061e4447e0648476dfc0df44d8346f2fd19a
Instruction ID: 6006ad5a914a61559837d34d1aa8432dff04586847b5371b0c96d2474aa4c007
Opcode Fuzzy Hash: 14cf35bfc82b9d18f75cfe8f57f9061e4447e0648476dfc0df44d8346f2fd19a
Instruction Fuzzy Hash: BD111822A14A91C3E7045B62E454379BAA0FF89B91F48D138DA1E87B55CF3CE456CB01

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF681F35CB4 Relevance: 6.1, APIs: 4, Instructions: 72
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

AcquireSRWLockExclusive.KERNEL32 ref: 00007FF681F35D23
AcquireSRWLockExclusive.KERNEL32 ref: 00007FF681F35D49
ReleaseSRWLockExclusive.KERNEL32 ref: 00007FF681F35D71
ReleaseSRWLockExclusive.KERNEL32 ref: 00007FF681F35DAD

Memory Dump Source

Source File: 00000000.00000002.242166859.00007FF681F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF681F30000, based on PE: true

Associated: 00000000.00000002.242162264.00007FF681F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242186922.00007FF681F56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242194386.00007FF681F60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242238373.00007FF681F63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff681f30000_bHLOVVmF1t.jbxd

Similarity

API ID: ExclusiveLock$AcquireRelease
String ID:
API String ID: 17069307-0
Opcode ID: 8fecca9feeceddc8a463ec02ab85b0c27bdc1dc34f4d8a3f2706db5689e0905d
Instruction ID: 51f8bfd52db81fa9b877722f7c8527d9f6dc6b198de02bb20b6e74f63307e49e
Opcode Fuzzy Hash: 8fecca9feeceddc8a463ec02ab85b0c27bdc1dc34f4d8a3f2706db5689e0905d
Instruction Fuzzy Hash: DB314B22A09B82C5EB509F52A4183B97BE0FF89B94F498439DE4E877A5DF3CD446C341

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF681F3DD74 Relevance: 3.2, APIs: 2, Instructions: 180
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

AcquireSRWLockExclusive.KERNEL32 ref: 00007FF681F3DEFE
ReleaseSRWLockExclusive.KERNEL32 ref: 00007FF681F3DF53

Memory Dump Source

Source File: 00000000.00000002.242166859.00007FF681F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF681F30000, based on PE: true

Associated: 00000000.00000002.242162264.00007FF681F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242186922.00007FF681F56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242194386.00007FF681F60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242238373.00007FF681F63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff681f30000_bHLOVVmF1t.jbxd

Similarity

API ID: ExclusiveLock$AcquireRelease
String ID:
API String ID: 17069307-0
Opcode ID: e41ce89c66a1c314061ff3575b190c0ee1251a755bfdb2e0c48fe5d02525254a
Instruction ID: 57527b965f0b1a9687c7191e3a74ce38ac43d327c2afb421ddec3fd565747ff8
Opcode Fuzzy Hash: e41ce89c66a1c314061ff3575b190c0ee1251a755bfdb2e0c48fe5d02525254a
Instruction Fuzzy Hash: 09719022A5CB4AC2EB614B25E88077526D1BF95B90F98423DE92EC37D4DF3CE946C311

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF681F53CD0 Relevance: 3.1, APIs: 2, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 45%

			E00007FF67FF681F53CD0(intOrPtr* __rax) {
				void* __rbx;
				intOrPtr _t2;
				void* _t6;
				void* _t11;
				void* _t18;
				void* _t24;

				_t23 = __rax;
				0x81f54ec4();
				E00007FF67FF681F5463C();
				0x81f54ed0();
				_t2 = E00007FF67FF681F54630();
				0x81f54df8();
				 *__rax = _t2;
				if (E00007FF67FF681F54314(1, _t18, __rax) == 0) goto 0x81f53d66;
				E00007FF67FF681F54920(_t24);
				E00007FF67FF681F54520(E00007FF67FF681F54314(1, _t18, __rax), _t23);
				_t6 = E00007FF67FF681F54624();
				0x81f54e4c();
				if (_t6 != 0) goto 0x81f53d66;
				E00007FF67FF681F54648();
				E00007FF67FF681F54670(E00007FF67FF681F54670(_t6));
				E00007FF67FF681F54630();
				0x81f54e40();
				if (E00007FF67FF681F5465C() == 0) goto 0x81f53d52; // executed
				0x81f54e88(); // executed
				_t11 = E00007FF67FF681F54630();
				0x81f54864();
				if (_t11 != 0) goto 0x81f53d66;
				return _t11;
			}

0x7ff681f53cd0
0x7ff681f53cdb
0x7ff681f53ce0
0x7ff681f53ce7
0x7ff681f53cec
0x7ff681f53cf3
0x7ff681f53cfd
0x7ff681f53d06
0x7ff681f53d08
0x7ff681f53d14
0x7ff681f53d19
0x7ff681f53d20
0x7ff681f53d27
0x7ff681f53d29
0x7ff681f53d33
0x7ff681f53d38
0x7ff681f53d3f
0x7ff681f53d4b
0x7ff681f53d4d
0x7ff681f53d52
0x7ff681f53d57
0x7ff681f53d5e
0x7ff681f53d65

APIs

Part of subcall function 00007FF681F54314: _o__initialize_onexit_table.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,00000000,00007FF681F53D04), ref: 00007FF681F54356

_RTC_Initialize.LIBCMT ref: 00007FF681F53D08

Part of subcall function 00007FF681F54520: _onexit.LIBCMT ref: 00007FF681F54524

__scrt_initialize_default_local_stdio_options.LIBCMT ref: 00007FF681F53D84

Memory Dump Source

Source File: 00000000.00000002.242166859.00007FF681F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF681F30000, based on PE: true

Associated: 00000000.00000002.242162264.00007FF681F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242186922.00007FF681F56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242194386.00007FF681F60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242238373.00007FF681F63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff681f30000_bHLOVVmF1t.jbxd

Similarity

API ID: Initialize__scrt_initialize_default_local_stdio_options_o__initialize_onexit_table_onexit
String ID:
API String ID: 3742801250-0
Opcode ID: 9a9e6d424866c17b6ce5095e3cb63a140f927dc74eee5f4af8c722828a9dd489
Instruction ID: 974cac0b8869daf6dc3413c0af20d54da522beb796eaf6dda55af4f3a1798c2f
Opcode Fuzzy Hash: 9a9e6d424866c17b6ce5095e3cb63a140f927dc74eee5f4af8c722828a9dd489
Instruction Fuzzy Hash: B8015580E1C247C2FB147BB464662F881E53F90304F84843CE91EC76C3FE1DA885E622

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF681F35F40 Relevance: 3.0, APIs: 2, Instructions: 48
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

AcquireSRWLockExclusive.KERNEL32(?,?,?,00007FF681F35A56), ref: 00007FF681F35F9F
ReleaseSRWLockExclusive.KERNEL32(?,?,?,00007FF681F35A56), ref: 00007FF681F35FC3

Part of subcall function 00007FF681F36B98: GetCurrentProcessId.KERNEL32 ref: 00007FF681F36BD4
Part of subcall function 00007FF681F36B98: CreateMutexW.KERNELBASE ref: 00007FF681F36C16

Memory Dump Source

Source File: 00000000.00000002.242166859.00007FF681F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF681F30000, based on PE: true

Associated: 00000000.00000002.242162264.00007FF681F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242186922.00007FF681F56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242194386.00007FF681F60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242238373.00007FF681F63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff681f30000_bHLOVVmF1t.jbxd

Similarity

API ID: ExclusiveLock$AcquireCreateCurrentMutexProcessRelease
String ID:
API String ID: 4097130892-0
Opcode ID: cec0a7e63adb3bc69bced4a22702ac45cf8eb2846997374ee2fe2811efa5e207
Instruction ID: 4885fbb6dcd4bcc75588c9223513a3c1c1b368333f9d4568202645476bec7fef
Opcode Fuzzy Hash: cec0a7e63adb3bc69bced4a22702ac45cf8eb2846997374ee2fe2811efa5e207
Instruction Fuzzy Hash: 8B115822B05B56C2EF048F26E04066877E0FB98F98F254139DA1E87728DF39D993C380

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF681F31380 Relevance: 3.0, APIs: 2, Instructions: 42
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 43%

			E00007FF67FF681F31380(long long __rbx, void* __rcx, long long __rsi, long long _a16, long long _a24) {
				signed long long _v24;
				void* _v40;
				signed short _t17;
				signed long long _t27;
				void* _t41;

				_a16 = __rbx;
				_a24 = __rsi;
				_t27 =  *0x81f60470; // 0xbba9a5b3aaf9
				_v24 = _t27 ^ _t41 - 0x00000040;
				asm("movups xmm0, [eax-0x10]");
				 *(__rcx + 0x28) =  *(__rcx + 0x28) & 0x00000000;
				 *(__rcx + 0x30) =  *(__rcx + 0x30) & 0x00000000;
				asm("movdqu [esp+0x20], xmm0");
				_t17 =  *0x81f65070(); // executed
				if (_t17 == 0) goto 0x81f313ee;
				_t22 =  <=  ? _t17 : _t17 & 0x0000ffff | 0x80070000;
				goto 0x81f3140b;
				r9d =  *( *(__rcx + 8)) & 0x0000ffff;
				E00007FF67FF681F65068();
				_t18 =  <=  ? _t17 : _t17 & 0x0000ffff | 0x80070000;
				E00007FF67FF681F53F70();
				return  <=  ? _t17 : _t17 & 0x0000ffff | 0x80070000;
			}

0x7ff681f31380
0x7ff681f31385
0x7ff681f3138f
0x7ff681f31399
0x7ff681f313b3
0x7ff681f313b7
0x7ff681f313bc
0x7ff681f313c6
0x7ff681f313cc
0x7ff681f313dc
0x7ff681f313e9
0x7ff681f313ec
0x7ff681f313fb
0x7ff681f313ff
0x7ff681f3140b
0x7ff681f31415
0x7ff681f31429

APIs

EtwEventRegister.NTDLL ref: 00007FF681F313CC
EtwEventSetInformation.NTDLL ref: 00007FF681F313FF

Memory Dump Source

Source File: 00000000.00000002.242166859.00007FF681F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF681F30000, based on PE: true

Associated: 00000000.00000002.242162264.00007FF681F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242186922.00007FF681F56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242194386.00007FF681F60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242238373.00007FF681F63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff681f30000_bHLOVVmF1t.jbxd

Similarity

API ID: Event$InformationRegister
String ID:
API String ID: 1404366003-0
Opcode ID: 2a13eaa9dea2c7df74d8a4776f8d34a8b3f9ba66861ea935c4d52ff7d95dfdcd
Instruction ID: 831a3b1fc77bc03514ff7674ad350417d77339827860da443670027aa991814b
Opcode Fuzzy Hash: 2a13eaa9dea2c7df74d8a4776f8d34a8b3f9ba66861ea935c4d52ff7d95dfdcd
Instruction Fuzzy Hash: 64114F62A08B85C2E7108B25E440369B7E0FB8CB84F504235EB8D87715DF38D456C740

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00007FF681F4D824 Relevance: 109.0, APIs: 61, Strings: 1, Instructions: 525timewindowCOMMON

Download Yara Rule

APIs

SetCursor.USER32 ref: 00007FF681F4D883
GetDeviceCaps.GDI32 ref: 00007FF681F4D896
GetDeviceCaps.GDI32 ref: 00007FF681F4D8AF
GetDeviceCaps.GDI32 ref: 00007FF681F4D8C8
GetDeviceCaps.GDI32 ref: 00007FF681F4D8E1
GetDeviceCaps.GDI32 ref: 00007FF681F4D8FA
GetDeviceCaps.GDI32 ref: 00007FF681F4D913
GetDeviceCaps.GDI32 ref: 00007FF681F4D92C
GetLocalTime.KERNEL32 ref: 00007FF681F4D945
GetDateFormatW.KERNEL32 ref: 00007FF681F4D97D
GetTimeFormatW.KERNEL32 ref: 00007FF681F4D9A8
SetMapMode.GDI32 ref: 00007FF681F4DA2F
SetViewportExtEx.GDI32 ref: 00007FF681F4DA4E
SetWindowExtEx.GDI32 ref: 00007FF681F4DA6D
LPtoDP.GDI32 ref: 00007FF681F4DA96
SetMapMode.GDI32 ref: 00007FF681F4DAA8
CreateFontIndirectW.GDI32 ref: 00007FF681F4DAB8
SelectObject.GDI32 ref: 00007FF681F4DAD6
SetBkMode.GDI32 ref: 00007FF681F4DAF4
GetTextMetricsW.GDI32 ref: 00007FF681F4DB07
SelectObject.GDI32 ref: 00007FF681F4DB2B
DeleteObject.GDI32 ref: 00007FF681F4DB3A
memset.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF681F4DB50
CreateFontIndirectW.GDI32 ref: 00007FF681F4DB59
SelectObject.GDI32 ref: 00007FF681F4DB77
GetTextMetricsW.GDI32 ref: 00007FF681F4DB96
SetAbortProc.GDI32 ref: 00007FF681F4DC77
SendMessageW.USER32 ref: 00007FF681F4DC9F
LocalLock.KERNEL32 ref: 00007FF681F4DCBE
GetWindowTextLengthW.USER32 ref: 00007FF681F4DCDD
GetWindowTextW.USER32 ref: 00007FF681F4DD0D
EnableWindow.USER32 ref: 00007FF681F4DD29
CreateDialogParamW.USER32 ref: 00007FF681F4DD54
CoTaskMemFree.API-MS-WIN-CORE-COM-L1-1-0 ref: 00007FF681F4DD74
SetLastError.KERNEL32 ref: 00007FF681F4DDA6
StartDocW.GDI32 ref: 00007FF681F4DDBA
GetLastError.KERNEL32 ref: 00007FF681F4DDCE
CoTaskMemFree.API-MS-WIN-CORE-COM-L1-1-0 ref: 00007FF681F4DDE4
SelectObject.GDI32 ref: 00007FF681F4DE00
DeleteObject.GDI32 ref: 00007FF681F4DE0F
LocalUnlock.KERNEL32 ref: 00007FF681F4DE26
EndPage.GDI32 ref: 00007FF681F4DE3A
GetLastError.KERNEL32 ref: 00007FF681F4DE4E
AbortDoc.GDI32 ref: 00007FF681F4DE77
wcsnlen.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF681F4DEF1
GetWindowLongW.USER32 ref: 00007FF681F4DF0C
SetDlgItemTextW.USER32 ref: 00007FF681F4DF64
StartPage.GDI32 ref: 00007FF681F4DF98
DrawTextExW.USER32 ref: 00007FF681F4DFE1
EndPage.GDI32 ref: 00007FF681F4DFFB
CoTaskMemFree.API-MS-WIN-CORE-COM-L1-1-0 ref: 00007FF681F4E049
CoTaskMemFree.API-MS-WIN-CORE-COM-L1-1-0 ref: 00007FF681F4E065
MessageBoxW.USER32 ref: 00007FF681F4E091
SetLastError.KERNEL32 ref: 00007FF681F4E09F
GetLastError.KERNEL32 ref: 00007FF681F4E0B0
EndDoc.GDI32 ref: 00007FF681F4E0C6
GetLastError.KERNEL32 ref: 00007FF681F4E0DA
DeleteDC.GDI32 ref: 00007FF681F4E0EB
EnableWindow.USER32 ref: 00007FF681F4E103
DestroyWindow.USER32 ref: 00007FF681F4E116
SetCursor.USER32 ref: 00007FF681F4E130

Strings

(, xrefs: 00007FF681F4DD8D

Memory Dump Source

Source File: 00000000.00000002.242166859.00007FF681F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF681F30000, based on PE: true

Associated: 00000000.00000002.242162264.00007FF681F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242186922.00007FF681F56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242194386.00007FF681F60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242238373.00007FF681F63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff681f30000_bHLOVVmF1t.jbxd

Similarity

API ID: CapsDeviceWindow$ErrorLastObjectText$FreeSelectTask$CreateDeleteLocalModePage$AbortCursorEnableFontFormatIndirectMessageMetricsStartTime$DateDestroyDialogDrawItemLengthLockLongParamProcSendUnlockViewportmemsetwcsnlen
String ID: (
API String ID: 2953118813-3887548279
Opcode ID: cea0d93c02bb6290b054c6525c38072c8e0dd2080b652f5b9e32b206efdf7c5e
Instruction ID: 319f9ad82c08caa67d83ee1a06a74cf8fcb0b519211a32489af1021fe3f817f9
Opcode Fuzzy Hash: cea0d93c02bb6290b054c6525c38072c8e0dd2080b652f5b9e32b206efdf7c5e
Instruction Fuzzy Hash: BC423771A08A46CBEB148F65E9545B8BBE1FF89B95F488138DA1EC3724DF3CA445CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF681F40B08 Relevance: 77.3, APIs: 5, Strings: 39, Instructions: 304
registryCOMMONCrypto

Download Yara Rule

C-Code - Quality: 25%

			E00007FF67FF681F40B08(signed int __ecx, long long __rbx, void* __rdx, long long __rsi, void* __r9) {
				void* __rbp;
				intOrPtr _t92;
				intOrPtr _t96;
				intOrPtr _t97;
				intOrPtr _t98;
				char _t99;
				char _t100;
				char _t101;
				char _t102;
				char _t103;
				char _t104;
				signed int _t109;
				intOrPtr _t112;
				intOrPtr _t113;
				intOrPtr _t116;
				intOrPtr _t119;
				signed int _t130;
				signed int _t131;
				signed int _t132;
				intOrPtr _t134;
				intOrPtr _t135;
				intOrPtr _t136;
				intOrPtr _t137;
				long _t139;
				signed int _t146;
				signed long long _t160;
				signed long long _t161;
				intOrPtr* _t163;
				intOrPtr* _t164;
				long long _t166;
				void* _t219;
				void* _t263;
				void* _t264;
				void* _t266;
				signed long long _t267;

				_t261 = __rsi;
				_t219 = __rdx;
				_t166 = __rbx;
				_t146 = __ecx;
				 *((long long*)(_t266 + 8)) = __rbx;
				 *((long long*)(_t266 + 0x10)) = __rsi;
				_t264 = _t266 - 0x40;
				_t267 = _t266 - 0x140;
				_t160 =  *0x81f60470; // 0xbba9a5b3aaf9
				_t161 = _t160 ^ _t267;
				 *(_t264 + 0x30) = _t161;
				_t6 = _t219 + 0x5c; // 0x5c
				r8d = _t6;
				memset(??, ??, ??);
				_t92 =  *0x81f57fc8; // 0x65006c
				asm("movups xmm0, [0x17460]");
				r9d = 0x20019;
				 *((intOrPtr*)(_t264 - 8)) = _t92;
				asm("movsd xmm1, [0x1745f]");
				r8d = 0;
				 *((short*)(_t264 - 4)) =  *0x81f57fcc & 0x0000ffff;
				asm("movaps [ebp-0x20], xmm0");
				asm("xorps xmm0, xmm0");
				 *((intOrPtr*)(_t264 + 0x1e)) = 0;
				asm("movsd [ebp-0x10], xmm1");
				_t10 = _t161 + 0x64; // 0x64
				 *((long long*)(_t267 + 0x20)) = _t267 + 0x40;
				asm("movups [ebp-0x2], xmm0");
				asm("movups [ebp+0xe], xmm0");
				RegOpenKeyExW(??, ??, ??, ??, ??);
				r8d =  *(_t264 - 0x78);
				 *0x81f61614 = 0;
				_t171 =  !=  ? __rsi :  *((intOrPtr*)(_t267 + 0x40));
				 *((long long*)(_t267 + 0x40)) =  !=  ? __rsi :  *((intOrPtr*)(_t267 + 0x40));
				_t96 = E00007FF67FF681F4051C( !=  ? __rsi :  *((intOrPtr*)(_t267 + 0x40)), _t263);
				r8d =  *(_t264 - 0x74);
				 *0x81f61618 = _t96;
				_t97 = E00007FF67FF681F4051C( *((intOrPtr*)(_t267 + 0x40)));
				r8d =  *(_t264 - 0x70);
				 *0x81f6161c = _t97;
				_t98 = E00007FF67FF681F4051C( *((intOrPtr*)(_t267 + 0x40)));
				r8d = 0;
				 *0x81f61620 = _t98;
				_t99 = E00007FF67FF681F4051C( *((intOrPtr*)(_t267 + 0x40)));
				r8d = 0;
				 *0x81f61624 = _t99;
				_t100 = E00007FF67FF681F4051C( *((intOrPtr*)(_t267 + 0x40)));
				r8d = 0;
				 *0x81f61625 = _t100;
				_t101 = E00007FF67FF681F4051C( *((intOrPtr*)(_t267 + 0x40)));
				r8d = 0;
				 *0x81f61626 = _t101;
				_t102 = E00007FF67FF681F4051C( *((intOrPtr*)(_t267 + 0x40)));
				r8d = 0;
				 *0x81f61627 = _t102;
				_t103 = E00007FF67FF681F4051C( *((intOrPtr*)(_t267 + 0x40)));
				r8d = 0;
				 *0x81f61628 = _t103;
				_t104 = E00007FF67FF681F4051C( *((intOrPtr*)(_t267 + 0x40)));
				r8d = 0;
				 *0x81f61629 = _t104;
				 *0x81f6162a = E00007FF67FF681F4051C( *((intOrPtr*)(_t267 + 0x40)));
				r8d = 0;
				 *0x81f6162b = E00007FF67FF681F4051C( *((intOrPtr*)(_t267 + 0x40)));
				_t163 = _t267 + 0x58;
				r9d = 0x20019;
				r8d = 0;
				 *((long long*)(_t267 + 0x20)) = _t163;
				if (RegOpenKeyExW(??, ??, ??, ??, ??) != 0) goto 0x81f40d58;
				 *((intOrPtr*)(_t267 + 0x20)) = 0x20;
				E00007FF67FF681F40660(__rbx,  *((intOrPtr*)(_t267 + 0x58)), __rsi, _t264, L"Lucida Console", _t264 - 0x20);
				r8d = _t10;
				_t109 = E00007FF67FF681F4051C( *((intOrPtr*)(_t267 + 0x58)));
				RegCloseKey(??);
				 *((intOrPtr*)(_t267 + 0x20)) = 0x20;
				E00007FF67FF681F40660(_t166,  *((intOrPtr*)(_t267 + 0x40)), _t261, _t264, _t264 - 0x20, 0x81f6162c);
				r8d = _t109;
				_t112 = E00007FF67FF681F4051C( *((intOrPtr*)(_t267 + 0x40)));
				r8d = 0;
				 *0x81f6067c = _t112;
				_t113 = E00007FF67FF681F4051C( *((intOrPtr*)(_t267 + 0x40)));
				r8d =  *0x81f614b8; // 0x0
				 *0x81f6236c = _t113;
				if ((r8b & 0x00000002) != 0) goto 0x81f40dd9;
				E00007FF67FF681F3D07C(_t166, 0x81f614b8, _t267 + 0x68, _t261, 0x81f6162c);
				 *((long long*)(_t267 + 0x60)) =  *_t163;
				r8d = _t146;
				r9d = r8d;
				 *((intOrPtr*)(_t267 + 0x30)) = 3;
				r9d = r9d >> 9;
				r8d = r8d >> 8;
				_t164 = _t267 + 0x48;
				r9d = r9d & 0x00000001;
				 *(_t267 + 0x28) = 1;
				r8d = r8d & 0x00000001;
				 *((intOrPtr*)(_t267 + 0x48)) = 0;
				 *((char*)(_t267 + 0x4c)) = 3;
				 *((long long*)(_t267 + 0x20)) = _t164;
				E00007FF67FF681F3DD74(1, 0x127655e, _t166, 0x81f614c0, _t261, _t264, _t264 - 0x20);
				_t51 = _t166 + 4; // 0x5
				r8d = _t51;
				_t116 = E00007FF67FF681F4051C( *((intOrPtr*)(_t267 + 0x40)));
				r8d =  *0x81f614a8; // 0x0
				 *0x81f615e8 = _t116;
				if ((r8b & 0x00000002) != 0) goto 0x81f40e63;
				E00007FF67FF681F3D1D8(_t166, 0x81f614a8, _t267 + 0x70, _t261, 0x81f6162c);
				 *((long long*)(_t267 + 0x60)) =  *_t164;
				r8d = _t146;
				r9d = r8d;
				 *((intOrPtr*)(_t267 + 0x30)) = 3;
				r9d = r9d >> 9;
				_t165 = _t267 + 0x50;
				r8d = r8d >> 8;
				r9d = r9d & 0x00000001;
				 *(_t267 + 0x28) = 1;
				r8d = r8d & 0x00000001;
				 *((intOrPtr*)(_t267 + 0x50)) = 0;
				 *((char*)(_t267 + 0x54)) = 3;
				 *((long long*)(_t267 + 0x20)) = _t267 + 0x50;
				E00007FF67FF681F3DD74(1, 0x107b944, _t166, 0x81f614b0, _t261, _t264, _t264 - 0x20);
				r8d = 1;
				_t119 = E00007FF67FF681F4051C( *((intOrPtr*)(_t267 + 0x40)));
				r8d = 0;
				 *0x81f62378 = _t119;
				E00007FF67FF681F4051C( *((intOrPtr*)(_t267 + 0x40)));
				 *0x81f62368 = E00007FF67FF681F40584(_t267 + 0x50, _t166,  *((intOrPtr*)(_t267 + 0x40)), L"fWindowsOnlyEOL");
				 *0x81f62364 = E00007FF67FF681F40584(_t267 + 0x50, _t166,  *((intOrPtr*)(_t267 + 0x40)), L"fPasteOriginalEOL");
				 *0x81f625a0 = E00007FF67FF681F40584(_t267 + 0x50, _t166,  *((intOrPtr*)(_t267 + 0x40)), L"fReverse") != 0;
				 *0x81f625a1 = E00007FF67FF681F40584(_t267 + 0x50, _t166,  *((intOrPtr*)(_t267 + 0x40)), L"fWrapAround") != 0;
				 *0x81f625a2 = E00007FF67FF681F40584(_t165, _t166,  *((intOrPtr*)(_t267 + 0x40)), L"fMatchCase") != 0;
				 *((intOrPtr*)(_t267 + 0x20)) = 0x80;
				E00007FF67FF681F40660(_t166,  *((intOrPtr*)(_t267 + 0x40)), _t261, _t264, 0x81f62480, 0x81f62480);
				 *((intOrPtr*)(_t267 + 0x20)) = 0x80;
				E00007FF67FF681F40660(_t166,  *((intOrPtr*)(_t267 + 0x40)), _t261, _t264, 0x81f62380, 0x81f62380);
				 *((intOrPtr*)(_t267 + 0x20)) = 0x28;
				E00007FF67FF681F40660(_t166,  *((intOrPtr*)(_t267 + 0x40)), _t261, _t264, 0x81f616a0, 0x81f616a0);
				 *((intOrPtr*)(_t267 + 0x20)) = 0x28;
				E00007FF67FF681F40660(_t166,  *((intOrPtr*)(_t267 + 0x40)), _t261, _t264, 0x81f616f0, 0x81f616f0);
				r8d =  *0x81f61550; // 0x0
				_t130 = E00007FF67FF681F4051C( *((intOrPtr*)(_t267 + 0x40)));
				r8d =  *0x81f61558; // 0x0
				 *0x81f61550 = _t130;
				_t131 = E00007FF67FF681F4051C( *((intOrPtr*)(_t267 + 0x40)));
				r8d =  *0x81f6154c; // 0x0
				 *0x81f61558 = _t131;
				_t132 = E00007FF67FF681F4051C( *((intOrPtr*)(_t267 + 0x40)));
				r8d =  *0x81f61554; // 0x0
				 *0x81f6154c = _t132;
				 *0x81f61554 = E00007FF67FF681F4051C( *((intOrPtr*)(_t267 + 0x40)));
				r8d = 0x80000000;
				_t134 = E00007FF67FF681F4051C( *((intOrPtr*)(_t267 + 0x40)));
				r8d = 0x80000000;
				 *0x81f62104 = _t134;
				_t135 = E00007FF67FF681F4051C( *((intOrPtr*)(_t267 + 0x40)));
				r8d = 0x80000000;
				 *0x81f62108 = _t135;
				_t136 = E00007FF67FF681F4051C( *((intOrPtr*)(_t267 + 0x40)));
				r8d = 0x80000000;
				 *0x81f6210c = _t136;
				_t137 = E00007FF67FF681F4051C( *((intOrPtr*)(_t267 + 0x40)));
				r8d = 0;
				 *0x81f62110 = _t137;
				 *0x81f62130 = E00007FF67FF681F4051C( *((intOrPtr*)(_t267 + 0x40)));
				if ( *((intOrPtr*)(_t267 + 0x40)) == 0) goto 0x81f410e9;
				_t139 = RegCloseKey(??);
				E00007FF67FF681F53F70();
				return _t139;
			}

0x7ff681f40b08
0x7ff681f40b08
0x7ff681f40b08
0x7ff681f40b08
0x7ff681f40b08
0x7ff681f40b0d
0x7ff681f40b13
0x7ff681f40b18
0x7ff681f40b1f
0x7ff681f40b26
0x7ff681f40b29
0x7ff681f40b33
0x7ff681f40b33
0x7ff681f40b37
0x7ff681f40b3c
0x7ff681f40b49
0x7ff681f40b50
0x7ff681f40b56
0x7ff681f40b59
0x7ff681f40b61
0x7ff681f40b72
0x7ff681f40b78
0x7ff681f40b7c
0x7ff681f40b7f
0x7ff681f40b82
0x7ff681f40b87
0x7ff681f40b8f
0x7ff681f40b94
0x7ff681f40b98
0x7ff681f40b9c
0x7ff681f40bb4
0x7ff681f40bbc
0x7ff681f40bc2
0x7ff681f40bc6
0x7ff681f40bcb
0x7ff681f40bd0
0x7ff681f40be0
0x7ff681f40be6
0x7ff681f40beb
0x7ff681f40bfb
0x7ff681f40c01
0x7ff681f40c12
0x7ff681f40c15
0x7ff681f40c1b
0x7ff681f40c2c
0x7ff681f40c2f
0x7ff681f40c35
0x7ff681f40c46
0x7ff681f40c49
0x7ff681f40c4f
0x7ff681f40c60
0x7ff681f40c63
0x7ff681f40c69
0x7ff681f40c7a
0x7ff681f40c7d
0x7ff681f40c83
0x7ff681f40c94
0x7ff681f40c97
0x7ff681f40c9d
0x7ff681f40cae
0x7ff681f40cb1
0x7ff681f40cbc
0x7ff681f40cc2
0x7ff681f40cd6
0x7ff681f40ce3
0x7ff681f40ce8
0x7ff681f40cee
0x7ff681f40cf1
0x7ff681f40d0b
0x7ff681f40d1d
0x7ff681f40d2c
0x7ff681f40d3d
0x7ff681f40d40
0x7ff681f40d4c
0x7ff681f40d68
0x7ff681f40d77
0x7ff681f40d88
0x7ff681f40d8b
0x7ff681f40d9c
0x7ff681f40d9f
0x7ff681f40da5
0x7ff681f40daa
0x7ff681f40db1
0x7ff681f40dbb
0x7ff681f40dc9
0x7ff681f40dd1
0x7ff681f40dd6
0x7ff681f40dd9
0x7ff681f40ddc
0x7ff681f40de9
0x7ff681f40ded
0x7ff681f40df1
0x7ff681f40df6
0x7ff681f40df9
0x7ff681f40dfd
0x7ff681f40e00
0x7ff681f40e09
0x7ff681f40e15
0x7ff681f40e1a
0x7ff681f40e24
0x7ff681f40e24
0x7ff681f40e2f
0x7ff681f40e34
0x7ff681f40e3b
0x7ff681f40e45
0x7ff681f40e53
0x7ff681f40e5b
0x7ff681f40e60
0x7ff681f40e63
0x7ff681f40e66
0x7ff681f40e6e
0x7ff681f40e72
0x7ff681f40e77
0x7ff681f40e82
0x7ff681f40e85
0x7ff681f40e89
0x7ff681f40e8c
0x7ff681f40e95
0x7ff681f40e9a
0x7ff681f40e9f
0x7ff681f40eb0
0x7ff681f40eb3
0x7ff681f40ec4
0x7ff681f40ec7
0x7ff681f40ecd
0x7ff681f40eef
0x7ff681f40f06
0x7ff681f40f1f
0x7ff681f40f39
0x7ff681f40f62
0x7ff681f40f69
0x7ff681f40f6d
0x7ff681f40f81
0x7ff681f40f8c
0x7ff681f40fac
0x7ff681f40fb0
0x7ff681f40fc4
0x7ff681f40fcf
0x7ff681f40fd4
0x7ff681f40fe7
0x7ff681f40fec
0x7ff681f40fff
0x7ff681f41005
0x7ff681f4100a
0x7ff681f4101d
0x7ff681f41023
0x7ff681f41028
0x7ff681f4103b
0x7ff681f41057
0x7ff681f4105d
0x7ff681f41060
0x7ff681f41071
0x7ff681f41074
0x7ff681f4107a
0x7ff681f4108b
0x7ff681f4108e
0x7ff681f41094
0x7ff681f410a5
0x7ff681f410a8
0x7ff681f410ae
0x7ff681f410bf
0x7ff681f410c2
0x7ff681f410d2
0x7ff681f410db
0x7ff681f410dd
0x7ff681f410f0
0x7ff681f41109

APIs

memset.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF681F40B37
RegOpenKeyExW.ADVAPI32 ref: 00007FF681F40B9C

Part of subcall function 00007FF681F4051C: RegQueryValueExW.ADVAPI32 ref: 00007FF681F40558

RegCloseKey.ADVAPI32 ref: 00007FF681F40D4C
RegOpenKeyExW.ADVAPI32 ref: 00007FF681F40CFD

Part of subcall function 00007FF681F40660: RegQueryValueExW.ADVAPI32 ref: 00007FF681F406A8
Part of subcall function 00007FF681F40660: memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,?,?,?,?,?,00007FF681F40D7C), ref: 00007FF681F406CB

RegCloseKey.ADVAPI32 ref: 00007FF681F410DD

Strings

lfItalic, xrefs: 00007FF681F40C0B
fPasteOriginalEOL, xrefs: 00007FF681F40EE8
fMLE_is_broken, xrefs: 00007FF681F410B8
fWrapAround, xrefs: 00007FF681F40F16
lfFaceName, xrefs: 00007FF681F40D25, 00007FF681F40D70
fWrap, xrefs: 00007FF681F40D95
Software\Microsoft\Notepad\DefaultFonts, xrefs: 00007FF681F40CDC
, xrefs: 00007FF681F40D68
Lucida Console, xrefs: 00007FF681F40D16
fWindowsOnlyEOL, xrefs: 00007FF681F40ED7
lfClipPrecision, xrefs: 00007FF681F40C8D
iMarginBottom, xrefs: 00007FF681F40FF3
lfQuality, xrefs: 00007FF681F40CA7
fSaveWindowPositions, xrefs: 00007FF681F40EBD
iWindowPosY, xrefs: 00007FF681F4104B
fMatchCase, xrefs: 00007FF681F40F30
iMarginTop, xrefs: 00007FF681F40FDB
lfWeight, xrefs: 00007FF681F40BEF
iMarginLeft, xrefs: 00007FF681F41011
lfEscapement, xrefs: 00007FF681F40BAD
szTrailer, xrefs: 00007FF681F40FC8
iWindowPosX, xrefs: 00007FF681F4106A
iDefaultEncoding, xrefs: 00007FF681F40E28
lfCharSet, xrefs: 00007FF681F40C59
replaceString, xrefs: 00007FF681F40F85
StatusBar, xrefs: 00007FF681F40EA9
iWindowPosDY, xrefs: 00007FF681F4109E
iWindowPosDX, xrefs: 00007FF681F41084
lfOutPrecision, xrefs: 00007FF681F40C73
lfOrientation, xrefs: 00007FF681F40BD4
searchString, xrefs: 00007FF681F40F53
iMarginRight, xrefs: 00007FF681F4102F
lfPitchAndFamily, xrefs: 00007FF681F40CCA
lfUnderline, xrefs: 00007FF681F40C25
iPointSize, xrefs: 00007FF681F40D36, 00007FF681F40D81
lfStrikeOut, xrefs: 00007FF681F40C3F
szHeader, xrefs: 00007FF681F40FA2
Software\Microsoft\Notepad, xrefs: 00007FF681F40B42
fReverse, xrefs: 00007FF681F40EFF

Memory Dump Source

Source File: 00000000.00000002.242166859.00007FF681F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF681F30000, based on PE: true

Associated: 00000000.00000002.242162264.00007FF681F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242186922.00007FF681F56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242194386.00007FF681F60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242238373.00007FF681F63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff681f30000_bHLOVVmF1t.jbxd

Similarity

API ID: CloseOpenQueryValue$memcpymemset
String ID: $Lucida Console$Software\Microsoft\Notepad$Software\Microsoft\Notepad\DefaultFonts$StatusBar$fMLE_is_broken$fMatchCase$fPasteOriginalEOL$fReverse$fSaveWindowPositions$fWindowsOnlyEOL$fWrap$fWrapAround$iDefaultEncoding$iMarginBottom$iMarginLeft$iMarginRight$iMarginTop$iPointSize$iWindowPosDX$iWindowPosDY$iWindowPosX$iWindowPosY$lfCharSet$lfClipPrecision$lfEscapement$lfFaceName$lfItalic$lfOrientation$lfOutPrecision$lfPitchAndFamily$lfQuality$lfStrikeOut$lfUnderline$lfWeight$replaceString$searchString$szHeader$szTrailer
API String ID: 216777390-570872617
Opcode ID: 1a870d7a0a9e649426acd24d5dbcc58158405ed65726b5b14411e4a7e210deff
Instruction ID: 4e5a403c385e27fdcdfbe89420eeb7edf3460147e5f5f79c9d28fee87060f8d0
Opcode Fuzzy Hash: 1a870d7a0a9e649426acd24d5dbcc58158405ed65726b5b14411e4a7e210deff
Instruction Fuzzy Hash: 61F16966A1CA8BC6EB10CB25E8505A977F0FF85784F80513AEA4DC7A29DF3DE505CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF681F3F0D4 Relevance: 72.4, APIs: 40, Strings: 1, Instructions: 600
filewindowmemoryCOMMONCrypto

Download Yara Rule

C-Code - Quality: 21%

			E00007FF67FF681F3F0D4(signed int __edx, long long __rbx, long long __rcx, void* __rsi, void* __rbp, void* __r8, void* __r9, intOrPtr _a24) {
				void* _v40;
				signed long long _v48;
				signed int _v68;
				intOrPtr _v72;
				void* _v104;
				signed int _v112;
				char _v632;
				signed long long _v640;
				void* _v644;
				signed int _v648;
				char _v664;
				char _v672;
				void* _v680;
				signed short* _v688;
				void* _v696;
				void* _v704;
				void* _v712;
				long long _v720;
				signed int _v728;
				signed long long _v736;
				signed int _v740;
				signed int _v744;
				signed long long _v752;
				char _v760;
				char _v764;
				char _v768;
				char _v772;
				signed int _v776;
				long long _v784;
				int _v792;
				char _v796;
				signed int _v800;
				signed int _v804;
				int _v808;
				signed int _v816;
				signed int _v820;
				int _v824;
				char _v840;
				int _v848;
				void* _v856;
				void* __rdi;
				void* __r12;
				void* __r14;
				void* _t162;
				int _t163;
				int _t173;
				signed int _t186;
				void* _t190;
				long _t196;
				long _t221;
				signed char _t232;
				signed int _t245;
				unsigned int _t303;
				signed int _t305;
				signed int _t330;
				void* _t348;
				signed long long _t358;
				signed long long _t359;
				signed long long _t360;
				void* _t361;
				void* _t362;
				void* _t363;
				signed long long _t365;
				intOrPtr* _t369;
				signed long long _t375;
				intOrPtr _t437;
				intOrPtr _t440;
				intOrPtr _t442;
				intOrPtr _t444;
				void* _t445;
				void* _t447;
				void* _t450;
				intOrPtr _t457;
				intOrPtr _t460;
				intOrPtr _t462;
				intOrPtr _t463;
				void* _t464;
				intOrPtr _t467;
				signed short* _t469;
				void* _t471;
				void* _t472;
				void* _t475;
				int _t477;
				void* _t479;
				signed long long _t480;
				int _t482;
				intOrPtr* _t483;
				intOrPtr* _t485;
				signed long long _t486;
				void* _t489;

				_t464 = __r9;
				_t449 = __rbp;
				_t447 = __rsi;
				_t367 = __rbx;
				_t471 = _t450;
				 *((long long*)(_t471 + 0x10)) = __rbx;
				 *((long long*)(_t471 + 0x20)) = __rsi;
				 *(_t471 + 0x18) = r8b;
				_t358 =  *0x81f60470; // 0xbba9a5b3aaf9
				_t359 = _t358 ^ _t450 - 0x00000350;
				_v48 = _t359;
				_v800 = __edx;
				_t483 = __rcx;
				_v720 = __rcx;
				_v680 = __rcx;
				_v824 = 0;
				 *((long long*)(_t471 - 0x2c8)) = __rsi;
				_v792 = 0;
				r12d = 0;
				_v808 = 0;
				asm("xorps xmm0, xmm0");
				asm("inc ecx");
				asm("inc ecx");
				asm("inc ecx");
				 *((intOrPtr*)(_t471 - 0x38)) = 0;
				 *((long long*)(_t471 - 0x2c0)) = __rsi;
				_v816 = 0;
				E00007FF67FF681F4FEDC();
				r8d = 0x210;
				_t162 = memset(_t489, _t482, _t477);
				__imp__#170();
				_v644 = _t162;
				__imp__PathFindExtensionW();
				_v640 = _t359;
				_t375 =  *0x81f61500; // 0x0
				if (_t375 == (_t477 | 0xffffffff)) goto 0x81f3fbb5;
				_t163 = GetFileInformationByHandle(_t475);
				r15d = _v68;
				_v776 = r15d;
				_v648 = r15d;
				E00007FF67FF681F3EFFC(_t163, _t359, __rbx,  *((intOrPtr*)(__rcx)),  &_v632, _t445);
				if (_t163 == 0) goto 0x81f3fb9b;
				if (r15d - 0x40000000 >= 0) goto 0x81f3fb76;
				if (_v72 != 0) goto 0x81f3fb76;
				SetCursor(??);
				if (E00007FF67FF681F3FE88( *_t483, _t445, __rsi, _t483) == 0) goto 0x81f3fbb5;
				_t24 = _t447 + 2; // 0x2
				r13d = _t24;
				if (r15d == 0) goto 0x81f3f2ba;
				r14d = 0;
				_v736 = _t447;
				_v848 = _t447;
				_v856 = r15d;
				r9d = 0;
				r8d = r13d;
				CreateFileMappingW(??, ??, ??, ??, ??, ??);
				_v752 = _t359;
				if (_t359 == 0) goto 0x81f3f2d1;
				_v856 = _t489;
				r9d = 0;
				r8d = 0;
				MapViewOfFile(??, ??, ??, ??, ??);
				_v736 = _t359;
				CloseHandle(??);
				goto 0x81f3f2d1;
				_t485 =  &_v796;
				_v736 = _t485;
				_v796 = 0;
				CloseHandle(??);
				_t360 = _t359 | 0xffffffff;
				 *0x81f61500 = _t360;
				if (_t485 != 0) goto 0x81f3f30c;
				SetCursor(??);
				goto 0x81f3fbb5;
				_v784 = _t485;
				if (_v800 != 0) goto 0x81f3f4d1;
				if ( *_t485 == 0xbbef) goto 0x81f3f364;
				if ( *_t485 == 0xfeff) goto 0x81f3f35f;
				if ( *_t485 != 0xfffe) goto 0x81f3f386;
				r12d = 1;
				_v808 = r12d;
				_v820 = 3;
				goto 0x81f3f61b;
				goto 0x81f3f346;
				if (r15d - r13d <= 0) goto 0x81f3f386;
				if ( *((char*)(_t485 + 2)) != 0xbf) goto 0x81f3f386;
				_v816 = 0xfde9;
				_v804 = 0xfde9;
				_v820 = r13d;
				goto 0x81f3f5da;
				_v800 = 0xfde9;
				_t173 = IsTextUnicode(??, ??, ??);
				r12d = _t173;
				_v744 = _t173;
				if (_t173 == 0) goto 0x81f3f3c6;
				if (_v800 != r13d) goto 0x81f3f3c6;
				r12d =  <  ? 0 : r12d;
				_v744 = r12d;
				_v808 = r12d;
				if (r12d == 0) goto 0x81f3f3ea;
				_v820 = r13d;
				_v824 = r15d >> 1;
				goto 0x81f3f621;
				_v848 = 0;
				_v856 = _t447;
				r9d = r15d;
				_v816 = 0xfde9;
				if (MultiByteToWideChar(??, ??, ??, ??, ??, ??) != 0) goto 0x81f3f43e;
				if (GetLastError() != 0x459) goto 0x81f3f43e;
				_v820 = 1;
				_v804 = 0;
				goto 0x81f3f5a7;
				r8d =  *0x81f614b8; // 0x0
				_v728 = r8d;
				_t330 = r13b & r8b;
				if (_t330 != 0) goto 0x81f3f474;
				E00007FF67FF681F3D07C(_t367, 0x81f614b8,  &_v672, _t447, _t464);
				_v728 =  *_t360;
				r8d = 0xfde9;
				_v772 = 0;
				_v768 = 3;
				r9d = r8d;
				r9d = r9d >> 9;
				r9d = r9d & 0x00000001;
				r8d = r8d >> 8;
				r8d = r8d & 0x00000001;
				_v840 = 3;
				_v848 = 1;
				_t361 =  &_v772;
				_v856 = _t361;
				E00007FF67FF681F3DD74(1, 0x127655e, _t367, 0x81f614c0, _t447, __rbp, _t485);
				_v820 = 5;
				_v804 = _v816;
				goto 0x81f3f599;
				if (_t330 == 0) goto 0x81f3f5f5;
				if (_t330 == 0) goto 0x81f3f5e9;
				if (_t330 == 0) goto 0x81f3f5b2;
				if (0xfde9 - r13d == 1) goto 0x81f3f509;
				_v820 = 1;
				_v816 = 0;
				_v804 = 0;
				goto 0x81f3f625;
				_v804 = 0xfde9;
				r8d =  *0x81f614b8; // 0x0
				_v816 = r8d;
				if ((r13b & r8b) != 0) goto 0x81f3f542;
				E00007FF67FF681F3D07C(_t367, 0x81f614b8,  &_v664, _t447, _t464);
				_v816 =  *_t361;
				r8d = 0xfde9;
				_v764 = 0;
				_v760 = 3;
				r9d = r8d;
				r9d = r9d >> 9;
				r9d = r9d & 0x00000001;
				r8d = r8d >> 8;
				r8d = r8d & 0x00000001;
				_v840 = 3;
				_v848 = 1;
				_t362 =  &_v764;
				_v856 = _t362;
				E00007FF67FF681F3DD74(1, 0x127655e, _t367, 0x81f614c0, _t447, _t449, _t485);
				_v820 = 5;
				r12d = _v808;
				r15d = _v776;
				_v816 = _v804;
				goto 0x81f3f625;
				_v816 = 0xfde9;
				_v804 = 0xfde9;
				_v820 = 5;
				if (r15d - r13d <= 0) goto 0x81f3f625;
				if ( *_t485 != 0xbbef) goto 0x81f3f625;
				if ( *((char*)(_t485 + 2)) != 0xbf) goto 0x81f3f625;
				_v784 = _t485 + 3;
				r15d = r15d + 0xfffffffd;
				goto 0x81f3f625;
				goto 0x81f3f5fd;
				_t245 = r13d;
				r12d = 1;
				_v808 = r12d;
				_v820 = _t245;
				_t303 = r15d >> 1;
				_v824 = _t303;
				if ( *_t485 != 0xfeff) goto 0x81f3f621;
				_v824 = _t303 - 1;
				if (r12d != 0) goto 0x81f3f64f;
				_v848 = 0;
				_v856 = _t447;
				r9d = r15d;
				_t186 = MultiByteToWideChar(??, ??, ??, ??, ??, ??);
				_t305 = _t186;
				_v824 = _t186;
				r9d = 0;
				r8d = 0;
				SendMessageW(??, ??, ??, ??);
				r9d = 0;
				r8d = r8d ^ r8d;
				SendMessageW(??, ??, ??, ??);
				r9d = 0;
				r8d = r8d ^ r8d;
				SendMessageW(??, ??, ??, ??);
				_t109 = _t445 + 1; // 0x1
				r8d = r13d;
				_t190 = LocalReAlloc(??, ??, ??);
				_v704 = _t362;
				if (_t362 != 0) goto 0x81f3f778;
				_t112 =  &_v752; // 0x89
				E00007FF67FF681F3D5D0(_t190, _t112, _v720);
				E00007FF67FF681F3FBEC(0, _t109, _t362, _t362, _t367, _t112, _v720, _t447, _t449, _t485 + 3, _t464, _t475);
				SetCursor(??);
				_v856 = 0x30;
				_t457 =  *0x81f60638; // 0x1bb5cf5299e
				_t437 =  *0x81f60630; // 0x1bb5cf529a0
				E00007FF67FF681F3BDA4(_t367,  *0x81f62598, _t437, _t445, _t447, _t449, _t457, _v752);
				_t115 =  &_v796; // 0x5d
				_t363 = _t115;
				if (_t485 == _t363) goto 0x81f3f747;
				UnmapViewOfFile(??);
				r9d = 0;
				r8d = r8d ^ r8d;
				_t196 = SendMessageW(??, ??, ??, ??);
				_t117 =  &_v752; // 0x89
				E00007FF67FF681F3E324(_t196, _t117);
				goto 0x81f3fbb7;
				LocalLock(??);
				_t479 = _t363;
				_v712 = _t363;
				if (r12d == 0) goto 0x81f3f839;
				if ( *_t485 != 0xfeff) goto 0x81f3f7ac;
				goto 0x81f3f829;
				if ( *_t485 != 0xfffe) goto 0x81f3f826;
				_t469 = _t485 + 2;
				_t472 = _t479;
				_v696 = _t479;
				r9d = 0;
				_v740 = 0;
				_v688 = _t469;
				if (r9d - _t305 >= 0) goto 0x81f3f862;
				r8d =  *_t469 & 0x0000ffff;
				r8w = r8w >> 8;
				 *_t472 = (r8w & 0xff) * 0x100 + r8w;
				r9d = r9d + 1;
				_v740 = r9d;
				_v696 = _t472 + 2;
				goto 0x81f3f7d0;
				r8d = _t305;
				memcpy(??, ??, ??);
				goto 0x81f3f862;
				_v848 = _t305;
				_v856 = _t479;
				r9d = r15d;
				_v824 = MultiByteToWideChar(??, ??, ??, ??, ??, ??);
				 *0x81f615e4 = _t245;
				_v112 = _t245;
				_v856 = 0x30;
				_t369 = _v680;
				_t460 =  *0x81f60670; // 0x1bb5cf52990
				_t440 =  *0x81f60630; // 0x1bb5cf529a0
				E00007FF67FF681F3BDA4(_t369,  *0x81f62598, _t440, _t445, _t447, _t449, _t460,  *_t369);
				_v824 = 0;
				_t480 = _v712;
				_t486 = _v736;
				_t138 =  &_v796; // 0x5d
				if (_t486 == _t138) goto 0x81f3f8d7;
				UnmapViewOfFile(??);
				r12b = _a24;
				if (_t480 == 0) goto 0x81f3f93c;
				 *((short*)(_t480 + _t486 * 2)) = 0;
				if (r12b != 0) goto 0x81f3f93c;
				_t365 = _t480;
				if (0 == 0) goto 0x81f3f90f;
				_t348 =  *_t365;
				if (_t348 != 0) goto 0x81f3f905;
				 *_t365 = 0x20;
				if (_t348 != 0) goto 0x81f3f8f8;
				if ( *_t480 != 0x2e) goto 0x81f3f937;
				if ( *((short*)(_t480 + 2)) != 0x4c) goto 0x81f3f937;
				if ( *((short*)(_t480 + 4)) != 0x4f) goto 0x81f3f937;
				if ( *((short*)(_t480 + 6)) != 0x47) goto 0x81f3f937;
				r15d = 1;
				goto 0x81f3f941;
				r15d = 0;
				goto 0x81f3f941;
				r15d = _v792;
				LocalUnlock(??);
				 *0x81f61690 = _v704;
				r9d = r9d ^ r9d;
				r8d = 0;
				SendMessageW(??, ??, ??, ??);
				if (0x81f620e0 == _t369) goto 0x81f3f991;
				E00007FF67FF681F3C6A8(_t369, 0x81f620e0, _t369, _t445, _t447, _t449);
				E00007FF67FF681F3B83C(_t369, _t445, _t460);
				 *0x81f60678 = 0;
				 *0x81f62374 = 1;
				r9d = 0;
				SendMessageW(??, ??, ??, ??);
				if ( *0x81f62374 != 2) goto 0x81f3fa39;
				SetCursor(??);
				 *0x81f62374 = 0;
				_v856 = 0x30;
				_t467 =  *_t369;
				_t462 =  *0x81f60638; // 0x1bb5cf5299e
				_t442 =  *0x81f60630; // 0x1bb5cf529a0
				E00007FF67FF681F3BDA4(_t369,  *0x81f62598, _t442, _t445, _t447, _t449, _t462, _t467);
				E00007FF67FF681F3FBEC(0, 0xbc,  *0x81f62374 - 2, _t365 + 2, _t369,  *0x81f62598, _t442, _t447, _t449, _t462, _t467, _t475);
				r9d = 0;
				_t149 = _t467 + 1; // 0x1
				r8d = _t149;
				SendMessageW(??, ??, ??, ??);
				goto 0x81f3fbb5;
				 *0x81f62374 = 0;
				r9d = 0;
				r8d = 0;
				PostMessageW(??, ??, ??, ??);
				if (r15d == 0) goto 0x81f3faa8;
				r8d = 0;
				r9d = 0;
				SendMessageW(??, ??, ??, ??);
				r9d = 0;
				r8d = r8d ^ r8d;
				SendMessageW(??, ??, ??, ??);
				E00007FF67FF681F3E3A8(1, r15d, _t369, _t442, _t445, _t462, _t467);
				r9d = 0;
				_t150 = _t442 - 0x57; // 0xbe
				r8d = _t150;
				_t221 = SendMessageW(??, ??, ??, ??);
				r9d = 1;
				r8d = _t221;
				SetScrollPos(??, ??, ??, ??);
				r9d = 0;
				_t152 = _t467 + 1; // 0x1
				r8d = _t152;
				SendMessageW(??, ??, ??, ??);
				_t153 = _t442 + 1; // 0x1
				r8d = _t153;
				InvalidateRect(??, ??, ??);
				UpdateWindow(??);
				E00007FF67FF681F3B130(0, _t369, _t445, _t447, _t467);
				SetCursor(??);
				if (r12b != 0) goto 0x81f3fb65;
				 *0x81f65130();
				_t154 =  &_v648; // 0xf1
				E00007FF67FF681F4FF5C(_t154);
				goto 0x81f3fbb7;
				_v856 = 0x30;
				_t463 =  *0x81f60638; // 0x1bb5cf5299e
				_t444 =  *0x81f60630; // 0x1bb5cf529a0
				E00007FF67FF681F3BDA4(_t369,  *0x81f62598, _t444, _t445, _t447, _t449, _t463,  *_v704);
				_t232 = CloseHandle(??);
				 *0x81f61500 = _t480;
				E00007FF67FF681F53F70();
				return _t232 ^ _t232;
			}

0x7ff681f3f0d4
0x7ff681f3f0d4
0x7ff681f3f0d4
0x7ff681f3f0d4
0x7ff681f3f0d4
0x7ff681f3f0d7
0x7ff681f3f0db
0x7ff681f3f0df
0x7ff681f3f0f3
0x7ff681f3f0fa
0x7ff681f3f0fd
0x7ff681f3f105
0x7ff681f3f109
0x7ff681f3f10c
0x7ff681f3f114
0x7ff681f3f120
0x7ff681f3f124
0x7ff681f3f12b
0x7ff681f3f12f
0x7ff681f3f132
0x7ff681f3f136
0x7ff681f3f13b
0x7ff681f3f140
0x7ff681f3f145
0x7ff681f3f14a
0x7ff681f3f14e
0x7ff681f3f155
0x7ff681f3f159
0x7ff681f3f160
0x7ff681f3f16e
0x7ff681f3f176
0x7ff681f3f182
0x7ff681f3f18c
0x7ff681f3f198
0x7ff681f3f1a0
0x7ff681f3f1ae
0x7ff681f3f1bc
0x7ff681f3f1ca
0x7ff681f3f1d2
0x7ff681f3f1d7
0x7ff681f3f1ea
0x7ff681f3f1f1
0x7ff681f3f1fe
0x7ff681f3f20b
0x7ff681f3f218
0x7ff681f3f22e
0x7ff681f3f234
0x7ff681f3f234
0x7ff681f3f23b
0x7ff681f3f23d
0x7ff681f3f240
0x7ff681f3f248
0x7ff681f3f24d
0x7ff681f3f252
0x7ff681f3f255
0x7ff681f3f261
0x7ff681f3f270
0x7ff681f3f27e
0x7ff681f3f280
0x7ff681f3f285
0x7ff681f3f288
0x7ff681f3f28d
0x7ff681f3f29c
0x7ff681f3f2ac
0x7ff681f3f2b8
0x7ff681f3f2ba
0x7ff681f3f2bf
0x7ff681f3f2c7
0x7ff681f3f2d8
0x7ff681f3f2e4
0x7ff681f3f2e8
0x7ff681f3f2f2
0x7ff681f3f2fb
0x7ff681f3f307
0x7ff681f3f30f
0x7ff681f3f31a
0x7ff681f3f329
0x7ff681f3f334
0x7ff681f3f33f
0x7ff681f3f346
0x7ff681f3f34c
0x7ff681f3f351
0x7ff681f3f35a
0x7ff681f3f362
0x7ff681f3f367
0x7ff681f3f36e
0x7ff681f3f375
0x7ff681f3f379
0x7ff681f3f37d
0x7ff681f3f381
0x7ff681f3f386
0x7ff681f3f395
0x7ff681f3f3a1
0x7ff681f3f3a4
0x7ff681f3f3ad
0x7ff681f3f3b4
0x7ff681f3f3ba
0x7ff681f3f3be
0x7ff681f3f3c6
0x7ff681f3f3ce
0x7ff681f3f3d3
0x7ff681f3f3dc
0x7ff681f3f3e5
0x7ff681f3f3ea
0x7ff681f3f3ee
0x7ff681f3f3f3
0x7ff681f3f403
0x7ff681f3f415
0x7ff681f3f428
0x7ff681f3f42f
0x7ff681f3f435
0x7ff681f3f439
0x7ff681f3f43e
0x7ff681f3f445
0x7ff681f3f44d
0x7ff681f3f450
0x7ff681f3f461
0x7ff681f3f469
0x7ff681f3f471
0x7ff681f3f474
0x7ff681f3f478
0x7ff681f3f47d
0x7ff681f3f480
0x7ff681f3f484
0x7ff681f3f488
0x7ff681f3f48c
0x7ff681f3f490
0x7ff681f3f498
0x7ff681f3f4a0
0x7ff681f3f4a5
0x7ff681f3f4b6
0x7ff681f3f4c0
0x7ff681f3f4c8
0x7ff681f3f4cc
0x7ff681f3f4d4
0x7ff681f3f4dd
0x7ff681f3f4e6
0x7ff681f3f4ef
0x7ff681f3f4f6
0x7ff681f3f4fc
0x7ff681f3f500
0x7ff681f3f504
0x7ff681f3f50e
0x7ff681f3f512
0x7ff681f3f519
0x7ff681f3f521
0x7ff681f3f532
0x7ff681f3f53a
0x7ff681f3f53f
0x7ff681f3f542
0x7ff681f3f546
0x7ff681f3f54e
0x7ff681f3f551
0x7ff681f3f555
0x7ff681f3f559
0x7ff681f3f55d
0x7ff681f3f561
0x7ff681f3f569
0x7ff681f3f571
0x7ff681f3f576
0x7ff681f3f587
0x7ff681f3f591
0x7ff681f3f599
0x7ff681f3f5a2
0x7ff681f3f5a7
0x7ff681f3f5b0
0x7ff681f3f5b7
0x7ff681f3f5bb
0x7ff681f3f5bf
0x7ff681f3f5c6
0x7ff681f3f5d1
0x7ff681f3f5d8
0x7ff681f3f5de
0x7ff681f3f5e3
0x7ff681f3f5e7
0x7ff681f3f5f3
0x7ff681f3f5f5
0x7ff681f3f5fd
0x7ff681f3f603
0x7ff681f3f60b
0x7ff681f3f60f
0x7ff681f3f611
0x7ff681f3f619
0x7ff681f3f61d
0x7ff681f3f628
0x7ff681f3f62a
0x7ff681f3f62e
0x7ff681f3f633
0x7ff681f3f63d
0x7ff681f3f649
0x7ff681f3f64b
0x7ff681f3f64f
0x7ff681f3f652
0x7ff681f3f660
0x7ff681f3f66c
0x7ff681f3f66f
0x7ff681f3f67e
0x7ff681f3f68a
0x7ff681f3f68d
0x7ff681f3f69c
0x7ff681f3f6a8
0x7ff681f3f6ae
0x7ff681f3f6b8
0x7ff681f3f6c4
0x7ff681f3f6cf
0x7ff681f3f6dd
0x7ff681f3f6e5
0x7ff681f3f6ec
0x7ff681f3f6f8
0x7ff681f3f704
0x7ff681f3f714
0x7ff681f3f71b
0x7ff681f3f729
0x7ff681f3f72e
0x7ff681f3f72e
0x7ff681f3f736
0x7ff681f3f73b
0x7ff681f3f747
0x7ff681f3f74a
0x7ff681f3f758
0x7ff681f3f764
0x7ff681f3f76c
0x7ff681f3f773
0x7ff681f3f77b
0x7ff681f3f787
0x7ff681f3f78a
0x7ff681f3f795
0x7ff681f3f7a4
0x7ff681f3f7aa
0x7ff681f3f7b5
0x7ff681f3f7b7
0x7ff681f3f7bb
0x7ff681f3f7be
0x7ff681f3f7c6
0x7ff681f3f7c9
0x7ff681f3f7d0
0x7ff681f3f7db
0x7ff681f3f7e1
0x7ff681f3f7fc
0x7ff681f3f805
0x7ff681f3f809
0x7ff681f3f80c
0x7ff681f3f818
0x7ff681f3f824
0x7ff681f3f829
0x7ff681f3f832
0x7ff681f3f837
0x7ff681f3f839
0x7ff681f3f83d
0x7ff681f3f842
0x7ff681f3f85e
0x7ff681f3f862
0x7ff681f3f868
0x7ff681f3f879
0x7ff681f3f881
0x7ff681f3f88c
0x7ff681f3f893
0x7ff681f3f8a1
0x7ff681f3f8a8
0x7ff681f3f8ae
0x7ff681f3f8b6
0x7ff681f3f8be
0x7ff681f3f8c6
0x7ff681f3f8cb
0x7ff681f3f8d7
0x7ff681f3f8e2
0x7ff681f3f8e6
0x7ff681f3f8ef
0x7ff681f3f8f1
0x7ff681f3f8f6
0x7ff681f3f8f8
0x7ff681f3f8fb
0x7ff681f3f902
0x7ff681f3f90d
0x7ff681f3f915
0x7ff681f3f91d
0x7ff681f3f925
0x7ff681f3f92d
0x7ff681f3f92f
0x7ff681f3f935
0x7ff681f3f937
0x7ff681f3f93a
0x7ff681f3f93c
0x7ff681f3f94c
0x7ff681f3f958
0x7ff681f3f95f
0x7ff681f3f962
0x7ff681f3f971
0x7ff681f3f987
0x7ff681f3f98c
0x7ff681f3f991
0x7ff681f3f996
0x7ff681f3f99c
0x7ff681f3f9a6
0x7ff681f3f9bc
0x7ff681f3f9cf
0x7ff681f3f9d8
0x7ff681f3f9e4
0x7ff681f3f9ea
0x7ff681f3f9f2
0x7ff681f3f9f5
0x7ff681f3f9fc
0x7ff681f3fa0a
0x7ff681f3fa11
0x7ff681f3fa16
0x7ff681f3fa1d
0x7ff681f3fa1d
0x7ff681f3fa28
0x7ff681f3fa34
0x7ff681f3fa39
0x7ff681f3fa3f
0x7ff681f3fa42
0x7ff681f3fa51
0x7ff681f3fa60
0x7ff681f3fa62
0x7ff681f3fa65
0x7ff681f3fa74
0x7ff681f3fa80
0x7ff681f3fa83
0x7ff681f3fa92
0x7ff681f3faa3
0x7ff681f3faa8
0x7ff681f3fab0
0x7ff681f3fab0
0x7ff681f3fabb
0x7ff681f3fac7
0x7ff681f3facd
0x7ff681f3fada
0x7ff681f3fae6
0x7ff681f3faed
0x7ff681f3faed
0x7ff681f3faf8
0x7ff681f3fb06
0x7ff681f3fb06
0x7ff681f3fb11
0x7ff681f3fb24
0x7ff681f3fb30
0x7ff681f3fb3c
0x7ff681f3fb4b
0x7ff681f3fb59
0x7ff681f3fb65
0x7ff681f3fb6d
0x7ff681f3fb74
0x7ff681f3fb76
0x7ff681f3fb81
0x7ff681f3fb88
0x7ff681f3fb96
0x7ff681f3fba2
0x7ff681f3fbae
0x7ff681f3fbc2
0x7ff681f3fbe3

APIs

memset.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF681F3F16E
#170.API-MS-WIN-SHCORE-PATH-L1-1-0 ref: 00007FF681F3F176
PathFindExtensionW.API-MS-WIN-CORE-SHLWAPI-LEGACY-L1-1-0 ref: 00007FF681F3F18C
GetFileInformationByHandle.KERNEL32 ref: 00007FF681F3F1BC

Part of subcall function 00007FF681F3EFFC: PathFindExtensionW.API-MS-WIN-CORE-SHLWAPI-LEGACY-L1-1-0 ref: 00007FF681F3F012
Part of subcall function 00007FF681F3EFFC: _o__wcsicmp.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00007FF681F3F031
Part of subcall function 00007FF681F3EFFC: CoTaskMemFree.API-MS-WIN-CORE-COM-L1-1-0 ref: 00007FF681F3F08D

SetCursor.USER32 ref: 00007FF681F3F218

Part of subcall function 00007FF681F3FE88: memset.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF681F3FEE5
Part of subcall function 00007FF681F3FE88: CoTaskMemFree.API-MS-WIN-CORE-COM-L1-1-0 ref: 00007FF681F400A9

CreateFileMappingW.KERNEL32 ref: 00007FF681F3F261
MapViewOfFile.KERNEL32 ref: 00007FF681F3F28D
CloseHandle.KERNEL32 ref: 00007FF681F3F2AC
CloseHandle.KERNEL32 ref: 00007FF681F3F2D8
SetCursor.USER32 ref: 00007FF681F3F2FB
IsTextUnicode.ADVAPI32 ref: 00007FF681F3F395
MultiByteToWideChar.KERNEL32 ref: 00007FF681F3F407
GetLastError.KERNEL32 ref: 00007FF681F3F417
MultiByteToWideChar.KERNEL32 ref: 00007FF681F3F63D
SendMessageW.USER32 ref: 00007FF681F3F660
SendMessageW.USER32 ref: 00007FF681F3F67E
SendMessageW.USER32 ref: 00007FF681F3F69C
LocalReAlloc.KERNEL32 ref: 00007FF681F3F6B8
SetCursor.USER32 ref: 00007FF681F3F6F8
UnmapViewOfFile.KERNEL32 ref: 00007FF681F3F73B
SendMessageW.USER32 ref: 00007FF681F3F758
LocalLock.KERNEL32 ref: 00007FF681F3F77B
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00007FF681F3F832
MultiByteToWideChar.KERNEL32 ref: 00007FF681F3F850
UnmapViewOfFile.KERNEL32 ref: 00007FF681F3F8CB
LocalUnlock.KERNEL32 ref: 00007FF681F3F94C
SendMessageW.USER32 ref: 00007FF681F3F971
CloseHandle.KERNEL32 ref: 00007FF681F3FBA2

Strings

0, xrefs: 00007FF681F3FB76

Memory Dump Source

Source File: 00000000.00000002.242166859.00007FF681F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF681F30000, based on PE: true

Associated: 00000000.00000002.242162264.00007FF681F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242186922.00007FF681F56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242194386.00007FF681F60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242238373.00007FF681F63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff681f30000_bHLOVVmF1t.jbxd

Similarity

API ID: FileMessageSend$Handle$ByteCharCloseCursorLocalMultiViewWide$ExtensionFindFreePathTaskUnmapmemset$#170AllocCreateErrorInformationLastLockMappingTextUnicodeUnlock_o__wcsicmpmemcpy
String ID: 0
API String ID: 585679752-4108050209
Opcode ID: b9f6b76761b60d78ad34f009834d38523b2e65c2cec6f592a3966b920139ffe1
Instruction ID: 7e879e594c42675ee6ebb79344d53bc1cbb1a44a19ee1e68eabb4a443dad5d03
Opcode Fuzzy Hash: b9f6b76761b60d78ad34f009834d38523b2e65c2cec6f592a3966b920139ffe1
Instruction Fuzzy Hash: 4F526F72A08682C6E7608F15E45467ABBE0FFC9B90F509139DA4E83B64DF7DE845CB01

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF681F3E730 Relevance: 72.2, APIs: 38, Strings: 3, Instructions: 498filewindowCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32 ref: 00007FF681F3E7B0
DuplicateEncryptionInfoFile.ADVAPI32 ref: 00007FF681F3E7DE
PathFileExistsW.API-MS-WIN-CORE-SHLWAPI-LEGACY-L1-1-0 ref: 00007FF681F3E7ED
CreateFileW.KERNEL32 ref: 00007FF681F3E81D
GetLastError.KERNEL32 ref: 00007FF681F3E83A
SendMessageW.USER32 ref: 00007FF681F3E88A
SendMessageW.USER32 ref: 00007FF681F3E8A8
SendMessageW.USER32 ref: 00007FF681F3E8C5
SendMessageW.USER32 ref: 00007FF681F3E8E6
LocalLock.KERNEL32 ref: 00007FF681F3E901
WriteFile.KERNEL32 ref: 00007FF681F3E957
GetACP.KERNEL32 ref: 00007FF681F3E974
WideCharToMultiByte.KERNEL32 ref: 00007FF681F3E9BF
WriteFile.KERNEL32 ref: 00007FF681F3EA44
WriteFile.KERNEL32 ref: 00007FF681F3EA8D
WriteFile.KERNEL32 ref: 00007FF681F3EADD
WriteFile.KERNEL32 ref: 00007FF681F3EB01
SetEndOfFile.KERNEL32 ref: 00007FF681F3EB20
LocalUnlock.KERNEL32 ref: 00007FF681F3EB2F
SendMessageW.USER32 ref: 00007FF681F3EB59
CloseHandle.KERNEL32 ref: 00007FF681F3EB97
memset.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF681F3EBB8
#170.API-MS-WIN-SHCORE-PATH-L1-1-0 ref: 00007FF681F3EBCB
PathFindExtensionW.API-MS-WIN-CORE-SHLWAPI-LEGACY-L1-1-0 ref: 00007FF681F3EBDE
memset.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF681F3EC69
CoTaskMemFree.API-MS-WIN-CORE-COM-L1-1-0 ref: 00007FF681F3EC98
memset.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF681F3ECDF
CoTaskMemFree.API-MS-WIN-CORE-COM-L1-1-0 ref: 00007FF681F3ED13
GetFileAttributesW.KERNEL32 ref: 00007FF681F3ED27
DecryptFileW.ADVAPI32 ref: 00007FF681F3ED43
WindowsCreateStringReference.API-MS-WIN-CORE-WINRT-STRING-L1-1-0 ref: 00007FF681F3EDFB
RoGetActivationFactory.API-MS-WIN-CORE-WINRT-L1-1-0 ref: 00007FF681F3EE22
CoTaskMemFree.API-MS-WIN-CORE-COM-L1-1-0 ref: 00007FF681F3EED4
SetCursor.USER32 ref: 00007FF681F3EEE7
SetCursor.USER32 ref: 00007FF681F3EF11
CloseHandle.KERNEL32 ref: 00007FF681F3EF24
LocalUnlock.KERNEL32 ref: 00007FF681F3EF43
DeleteFileW.KERNEL32 ref: 00007FF681F3EF57

Strings

Windows.Security.EnterpriseData.ProtectionPolicyManager, xrefs: 00007FF681F3EDF4
shell\osshell\accesory\common\edpapphelper\edpapphelper.cpp, xrefs: 00007FF681F3ED5A, 00007FF681F3ED95
1, xrefs: 00007FF681F3E9F1

Memory Dump Source

Source File: 00000000.00000002.242166859.00007FF681F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF681F30000, based on PE: true

Associated: 00000000.00000002.242162264.00007FF681F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242186922.00007FF681F56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242194386.00007FF681F60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242238373.00007FF681F63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff681f30000_bHLOVVmF1t.jbxd

Similarity

API ID: File$MessageSendWrite$FreeLocalTaskmemset$AttributesCloseCreateCursorHandlePathUnlock$#170ActivationByteCharDecryptDeleteDuplicateEncryptionErrorExistsExtensionFactoryFindInfoLastLockMultiReferenceStringWideWindows
String ID: 1$Windows.Security.EnterpriseData.ProtectionPolicyManager$shell\osshell\accesory\common\edpapphelper\edpapphelper.cpp
API String ID: 545286052-3300918443
Opcode ID: 80a5f16888c73491157e454303b1bfe07a221cae7afa8b5b6bf87528c003cba7
Instruction ID: 01c334f1f1bcc9ae09a6d2c455d88f204472c7f6446101b6874745e06c887aad
Opcode Fuzzy Hash: 80a5f16888c73491157e454303b1bfe07a221cae7afa8b5b6bf87528c003cba7
Instruction Fuzzy Hash: F4328031A08A82C6EB609F25E4146B9B7E0FFC9B94F448139DA5E87755DF3CE446CB01

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF681F3A290 Relevance: 61.8, APIs: 34, Strings: 1, Instructions: 599
windowCOMMONCrypto

Download Yara Rule

C-Code - Quality: 24%

			E00007FF67FF681F3A290(intOrPtr __edx, void* __rcx, void* __r8, signed int* __r9) {
				void* __rbx;
				void* __rdi;
				void* __rsi;
				void* __rbp;
				void* __r12;
				void* _t119;
				signed char _t174;
				signed int _t177;
				signed char _t178;
				signed short _t185;
				int _t191;
				signed int _t208;
				signed char _t210;
				signed char _t214;
				signed int _t216;
				signed int _t219;
				intOrPtr _t227;
				void* _t269;
				long long _t302;
				void* _t303;
				void* _t305;
				signed long long _t327;
				intOrPtr* _t336;
				intOrPtr* _t337;
				intOrPtr* _t338;
				signed int* _t342;
				long long _t346;
				unsigned long long _t347;
				signed int* _t349;
				intOrPtr _t372;
				intOrPtr _t386;
				intOrPtr _t388;
				signed int* _t406;
				void* _t416;
				intOrPtr* _t421;
				long long _t422;
				unsigned long long _t424;
				void* _t425;
				void* _t426;
				signed long long _t427;
				intOrPtr _t443;
				void* _t448;
				void* _t449;
				signed int* _t450;
				void* _t452;

				_t425 = _t426 - 0x1f0;
				_t427 = _t426 - 0x2f0;
				_t327 =  *0x81f60470; // 0xbba9a5b3aaf9
				 *(_t425 + 0x1e0) = _t327 ^ _t427;
				_t452 = __rcx;
				 *((intOrPtr*)(_t427 + 0x50)) = __edx;
				 *((long long*)(_t427 + 0x48)) = __r9;
				_t450 = __r9;
				_t269 = __edx - 0x111;
				if (_t269 > 0) goto 0x81f3a806;
				if (_t269 == 0) goto 0x81f3aa61;
				if (_t269 == 0) goto 0x81f3a7f3;
				if (_t269 == 0) goto 0x81f3a7ae;
				if (_t269 == 0) goto 0x81f3a758;
				if (_t269 == 0) goto 0x81f3a725;
				if (_t269 == 0) goto 0x81f3a708;
				if (_t269 == 0) goto 0x81f3a614;
				if (_t269 == 0) goto 0x81f3a53c;
				if (_t269 == 0) goto 0x81f3a499;
				if (__edx - 0xffffffffffffffee != 0x38) goto 0x81f3a865;
				if ( *0x81f62588 == 0) goto 0x81f3acb2;
				if ( *((intOrPtr*)(__r9 + 8)) != GetDlgCtrlID(??)) goto 0x81f3acb2;
				if ( *((intOrPtr*)(__r9 + 0x10)) != 0x800) goto 0x81f3a479;
				if ( *0x81f62348 != 0) goto 0x81f3a471;
				r8d = 0x1fa;
				_t119 = E00007FF67FF681F51808(memset(??, ??, ??), __r8, _t425 - 0x20, _t421, _t422, _t448);
				if (_t119 < 0) goto 0x81f3a471;
				if ( *((intOrPtr*)(_t425 - 0x20)) == 0) goto 0x81f3a471;
				 *(_t427 + 0x40) = sil;
				 *((long long*)(_t427 + 0x48)) = _t425 - 0x20;
				 *((long long*)(_t427 + 0x70)) = _t422;
				 *((long long*)(_t425 - 0x50)) = _t422;
				__imp__WindowsCreateStringReference();
				if (_t119 < 0) goto 0x81f3acd6;
				__imp__RoGetActivationFactory();
				 *((long long*)(_t425 - 0x50)) = _t422;
				if (_t119 < 0) goto 0x81f3a43c;
				_t346 =  *((intOrPtr*)(_t427 + 0x70));
				E00007FF67FF681F52274(_t119, _t425 - 0x20, _t346, _t425 - 0x48, _t427 + 0x48);
				_t432 = _t427 + 0x40;
				_t443 =  *((intOrPtr*)( *_t346 + 0x38));
				 *0x81f570f0();
				 *((long long*)(_t425 - 0x30)) = _t422;
				_t208 =  *(_t427 + 0x40) & 0x000000ff;
				if ( *((intOrPtr*)(_t427 + 0x70)) == 0) goto 0x81f3a45d;
				 *((long long*)(_t427 + 0x70)) = _t422;
				 *0x81f570f0();
				if (_t208 == 0) goto 0x81f3a46a;
				E00007FF67FF681F3C540(_t346, _t425 - 0x20);
				 *0x81f614f6 =  *0x81f614f6 + 1;
				goto 0x81f3acb4;
				if (_t450[4] != 0xfffffa10) goto 0x81f3acb2;
				_t216 = _t450[6];
				E00007FF67FF681F505EC(_t216);
				goto 0x81f3acb2;
				if (_t346 == 0) goto 0x81f3acb2;
				r8d =  *0x81f614c8; // 0x0
				if ((r8b & 0x00000002) != 0) goto 0x81f3a4cd;
				E00007FF67FF681F3CB70(_t346, 0x81f614c8, _t427 + 0x78, _t422, _t443);
				 *((long long*)(_t427 + 0x48)) =  *_t421;
				r8d = _t216;
				r9d = r8d;
				 *((intOrPtr*)(_t427 + 0x30)) = 3;
				r9d = r9d >> 9;
				r8d = r8d >> 8;
				r9d = r9d & 0x00000001;
				 *(_t427 + 0x28) = 1;
				r8d = r8d & 0x00000001;
				 *((intOrPtr*)(_t427 + 0x50)) = 0;
				 *((char*)(_t427 + 0x54)) = 3;
				 *((long long*)(_t427 + 0x20)) = _t427 + 0x50;
				E00007FF67FF681F3DD74(_t208, 0x1228103, _t346, 0x81f614d0, _t422, _t425, _t427 + 0x40);
				_t336 =  *0x81f620e8;
				if (_t336 == 0) goto 0x81f3acb2;
				if ((dil & r14b) == 0) goto 0x81f3acb2;
				 *(_t336 + 0x18) = dil;
				E00007FF67FF681F4F248(_t216, 0x1228103,  *0x81f620e8, _t443, _t448);
				goto 0x81f3acb2;
				if ( *0x81f62360 == 0) goto 0x81f3a574;
				MessageBeep(??);
				MessageBeep(??);
				r9d = 0x1000;
				goto 0x81f3aac3;
				if (E00007FF67FF681F39F54(_t336, _t443) == 0) goto 0x81f3a471;
				r8d =  *0x81f614c8; // 0x0
				if ((r8b & 0x00000002) != 0) goto 0x81f3a5a9;
				E00007FF67FF681F3CB70(_t346, 0x81f614c8, _t425 - 0x80, _t422, _t443);
				 *((long long*)(_t427 + 0x48)) =  *_t336;
				r8d = 0;
				r9d = r8d;
				 *((intOrPtr*)(_t427 + 0x30)) = 3;
				r9d = r9d >> 9;
				_t337 = _t427 + 0x58;
				r8d = r8d >> 8;
				r9d = r9d & 0x00000001;
				 *(_t427 + 0x28) = 1;
				r8d = r8d & 0x00000001;
				 *((intOrPtr*)(_t427 + 0x58)) = 0;
				 *((char*)(_t427 + 0x5c)) = 3;
				 *((long long*)(_t427 + 0x20)) = _t337;
				E00007FF67FF681F3DD74(_t208, 0x1228103, _t346, 0x81f614d0, _t422, _t425, _t427 + 0x40);
				if ( *0x81f620e8 == 0) goto 0x81f3a608;
				if ((dil & r14b) == 0) goto 0x81f3a608;
				if (E00007FF67FF681F4F900(_t337, _t346,  *0x81f620e8, _t425 - 0x80, _t443) != 0) goto 0x81f3a471;
				E00007FF67FF681F39FB4(0, 0x1228103, E00007FF67FF681F4F900(_t337, _t346,  *0x81f620e8, _t425 - 0x80, _t443), _t346,  *0x81f620e8, _t425 - 0x80, _t421, _t422, _t427 + 0x40, _t443, _t449);
				goto 0x81f3acb4;
				E00007FF67FF681F406EC(_t346,  *0x81f620e8, _t421, _t422);
				if (E00007FF67FF681F39F54(_t337, _t443) == 0) goto 0x81f3a6be;
				r8d =  *0x81f614c8; // 0x0
				if ((r8b & 0x00000002) != 0) goto 0x81f3a650;
				_t416 = _t425 - 0x78;
				E00007FF67FF681F3CB70(_t346, 0x81f614c8, _t416, _t422, _t443);
				 *((long long*)(_t427 + 0x48)) =  *_t337;
				r8d = 0;
				r9d = r8d;
				 *((intOrPtr*)(_t427 + 0x30)) = 3;
				r9d = r9d >> 9;
				r8d = r8d >> 8;
				_t338 = _t427 + 0x60;
				r9d = r9d & 0x00000001;
				 *(_t427 + 0x28) = 1;
				r8d = r8d & 0x00000001;
				 *((intOrPtr*)(_t427 + 0x60)) = 0;
				 *((char*)(_t427 + 0x64)) = 3;
				 *((long long*)(_t427 + 0x20)) = _t338;
				E00007FF67FF681F3DD74(_t208, 0x1228103, _t346, 0x81f614d0, _t422, _t425, _t427 + 0x40);
				_t372 =  *0x81f620e8;
				if (_t372 == 0) goto 0x81f3a6b1;
				if ( *((intOrPtr*)(_t372 + 0x18)) == sil) goto 0x81f3a6b1;
				if (E00007FF67FF681F4F248(0, 0x1228103, _t372, _t443, _t448) != 0) goto 0x81f3a6be;
				if (E00007FF67FF681F39FB4(0, 0x1228103, E00007FF67FF681F4F248(0, 0x1228103, _t372, _t443, _t448), _t346, _t372, _t416, _t421, _t422, _t427 + 0x40, _t443, _t449) == 0) goto 0x81f3acb2;
				E00007FF67FF681F509EC( *0x81f62588);
				DestroyWindow(??);
				DestroyWindow(??);
				DeleteObject(??);
				goto 0x81f3acb2;
				SendMessageW(??, ??, ??, ??);
				goto 0x81f3acb2;
				if (IsIconic(??) != 0) goto 0x81f3acb2;
				SetFocus(??);
				goto 0x81f3acb2;
				if (_t208 - 1 - 1 > 0) goto 0x81f3acb2;
				if (IsIconic(??) != 0) goto 0x81f3acb2;
				GetForegroundWindow();
				if (_t338 !=  *0x81f62598) goto 0x81f3acb2;
				GetForegroundWindow();
				goto 0x81f3a747;
				_t302 = _t346;
				if (_t302 == 0) goto 0x81f3a7c3;
				_t347 = _t346 - 1;
				if (_t302 == 0) goto 0x81f3a7d6;
				_t303 = _t347 - 1;
				if (_t303 != 0) goto 0x81f3acb2;
				_t219 = r14w;
				E00007FF67FF681F37DB8(_t219,  *((short*)(_t427 + 0x4a)), _t347);
				goto 0x81f3acb2;
				_t73 = _t416 - 4; // 0x1
				r8d = _t73;
				DefWindowProcW(??, ??, ??, ??);
				goto 0x81f3acb4;
				PostQuitMessage(??);
				goto 0x81f3acb2;
				r10d = 0x112;
				if (_t303 == 0) goto 0x81f3ac75;
				if (_t303 == 0) goto 0x81f3ac6b;
				if (_t303 == 0) goto 0x81f3ac39;
				if (_t303 == 0) goto 0x81f3ac1d;
				if (_t303 == 0) goto 0x81f3ac1d;
				if (_t303 == 0) goto 0x81f3ac0d;
				if (_t303 == 0) goto 0x81f3ab07;
				if (_t303 == 0) goto 0x81f3aa2e;
				if (5 - r10d - 0xfffffffffffffe01 == 0x7ce8) goto 0x81f3a9fb;
				_t305 = 5 -  *0x81f6150c; // 0xc148
				if (_t305 != 0) goto 0x81f3a7df;
				_t210 =  *(_t443 + 0x18);
				r8d =  *0x81f62660;
				 *0x81f625a0 =  !_t210 & dil;
				 *0x81f625a2 = _t210 >> 0x00000002 & dil;
				if ((r8b & 0x00000002) != 0) goto 0x81f3a8bd;
				E00007FF67FF681F3CF20(_t347, 0x81f62660, _t425 - 0x70, _t422, _t443);
				 *((long long*)(_t427 + 0x48)) =  *_t338;
				r8d = _t219 ^ _t219;
				r9d = r8d;
				 *((intOrPtr*)(_t427 + 0x30)) = 3;
				r9d = r9d >> 9;
				r8d = r8d >> 8;
				 *(_t427 + 0x28) = 1;
				r9d = r9d & 0x00000001;
				 *((intOrPtr*)(_t427 + 0x68)) = 0;
				r8d = r8d & 0x00000001;
				 *((char*)(_t427 + 0x6c)) = 3;
				 *((long long*)(_t427 + 0x20)) = _t427 + 0x68;
				E00007FF67FF681F3DD74(_t210, 0x10d8158, _t347, 0x81f62668, _t422, _t425, _t432);
				 *0x81f625a1 = _t210 >> 0x00000014 & dil;
				if ((_t210 & 0x00000008) == 0) goto 0x81f3a954;
				_t386 =  *0x81f61680; // 0x10007
				SetCursor(??);
				_t174 = E00007FF67FF681F4CC28( *0x81f625a0, _t427 + 0x68, _t347, _t386);
				SetCursor(??);
				asm("dec ebp");
				r8d = r8d & 0x00000008;
				goto 0x81f3a9de;
				if (( ~_t174 & 0x00000010) == 0) goto 0x81f3a9ab;
				_t388 =  *0x81f61680; // 0x10007
				SetCursor(??);
				_t177 = E00007FF67FF681F4EF38(1, _t427 + 0x68);
				_t178 = E00007FF67FF681F4CC28( *0x81f625a0, _t427 + 0x68, _t347, _t388);
				SetCursor(??);
				_t214 =  ~_t178;
				asm("dec ebp");
				r8d = r8d & 0x00000008;
				asm("dec eax");
				goto 0x81f3a9de;
				if ((_t214 & 0x00000020) == 0) goto 0x81f3a9c0;
				E00007FF67FF681F4EBAC(1,  ~_t177, _t427 + 0x68, _t347, _t425 - 0x70, _t425, _t443);
				asm("dec ebp");
				r8d = r8d & 0x00000020;
				goto 0x81f3a9de;
				if ((_t214 & 0x00000040) == 0) goto 0x81f3a9de;
				E00007FF67FF681F3B7B0(0x81f57b40, _t443);
				 *0x81f62580 = _t422;
				if ( *0x81f62580 == 0) goto 0x81f3acb2;
				goto 0x81f3a714;
				_t185 = GetKeyboardLayout(??) & 0x000003ff;
				r8d = 1;
				sil = _t185 == 0x11;
				goto 0x81f3a70d;
				r12d = 5;
				if ((_t185 & 0x00000fff) != r12w) goto 0x81f3aa5e;
				r8d = 0;
				0x81f38d34();
				goto 0x81f3acb2;
				_t342 = _t450;
				if (_t342 !=  *0x81f62588) goto 0x81f3aae2;
				_t424 = _t347 >> 0x10;
				if (0 != 0x300) goto 0x81f3aa8d;
				if (E00007FF67FF681F39F54(_t342, _t422) ==  *0x81f6235c) goto 0x81f3aae2;
				E00007FF67FF681F3B83C(_t347, _t421, _t422);
				if (0xfffffffffffffb00 - 1 > 0) goto 0x81f3aae2;
				if ( *0x81f62374 != 1) goto 0x81f3aab6;
				 *0x81f62374 = 2;
				goto 0x81f3acb2;
				r9d = 0x1010;
				_t191 = MessageBoxW(??, ??, ??, ??);
				goto 0x81f3acb2;
				0x81f38d34();
				if (_t191 != 0) goto 0x81f3acb2;
				goto 0x81f3a7df;
				r9d = _t450[1];
				r8d =  *_t450;
				 *((intOrPtr*)(_t427 + 0x30)) = 0x14;
				 *(_t427 + 0x28) = _t450[3] - r9d;
				 *((intOrPtr*)(_t427 + 0x20)) = _t450[2] -  *_t450;
				SetWindowPos(??, ??, ??, ??, ??, ??, ??);
				r12d = 5;
				SendMessageW(??, ??, ??, ??);
				__imp__GetDpiForWindow();
				_t227 =  *0x81f6067c; // 0x78
				r8d = 0x2d0;
				 *0x81f61610 =  ~(MulDiv(??, ??, ??));
				CreateFontIndirectW(??);
				if (_t342 == 0) goto 0x81f3abed;
				DeleteObject(??);
				r9d = _t449 - 4;
				 *0x81f61608 = _t342;
				SendMessageW(??, ??, ??, ??);
				r9d = r12d;
				r8d = 0;
				RedrawWindow(??, ??, ??, ??);
				goto 0x81f3acb2;
				0x81f39ca4();
				goto 0x81f3acb2;
				DefWindowProcW(??, ??, ??, ??);
				_t349 = _t342;
				E00007FF67FF681F3B660(_t227, _t349, _t421);
				goto 0x81f3acb4;
				if ( *0x81f62370 == 0) goto 0x81f3acb2;
				if (r14w == 0) goto 0x81f3acb2;
				_t103 = _t424 + 3; // 0x3
				r8d = _t103;
				EnableMenuItem(??, ??, ??);
				goto 0x81f3acb2;
				E00007FF67FF681F3BA28(_t349, _t452);
				goto 0x81f3acb2;
				if ( *0x81f62370 == 0) goto 0x81f3aca0;
				_t406 = _t349;
				if ((_t406 - 0x0000f020 & 0xffffffcf) != 0) goto 0x81f3aca0;
				if (_t406 != 0xf030) goto 0x81f3acb2;
				DefWindowProcW(??, ??, ??, ??);
				E00007FF67FF681F53F70();
				return 0;
			}

0x7ff681f3a29b
0x7ff681f3a2a3
0x7ff681f3a2aa
0x7ff681f3a2b4
0x7ff681f3a2bb
0x7ff681f3a2be
0x7ff681f3a2c7
0x7ff681f3a2cc
0x7ff681f3a2d2
0x7ff681f3a2d4
0x7ff681f3a2dd
0x7ff681f3a2e8
0x7ff681f3a2f1
0x7ff681f3a2fa
0x7ff681f3a303
0x7ff681f3a30c
0x7ff681f3a315
0x7ff681f3a322
0x7ff681f3a32b
0x7ff681f3a334
0x7ff681f3a346
0x7ff681f3a35c
0x7ff681f3a36a
0x7ff681f3a376
0x7ff681f3a382
0x7ff681f3a391
0x7ff681f3a398
0x7ff681f3a3a2
0x7ff681f3a3ac
0x7ff681f3a3b5
0x7ff681f3a3be
0x7ff681f3a3c6
0x7ff681f3a3d1
0x7ff681f3a3df
0x7ff681f3a3f5
0x7ff681f3a401
0x7ff681f3a407
0x7ff681f3a409
0x7ff681f3a417
0x7ff681f3a41f
0x7ff681f3a428
0x7ff681f3a432
0x7ff681f3a438
0x7ff681f3a441
0x7ff681f3a449
0x7ff681f3a44b
0x7ff681f3a457
0x7ff681f3a45f
0x7ff681f3a465
0x7ff681f3a46a
0x7ff681f3a474
0x7ff681f3a481
0x7ff681f3a48b
0x7ff681f3a48f
0x7ff681f3a494
0x7ff681f3a49e
0x7ff681f3a4a4
0x7ff681f3a4af
0x7ff681f3a4bd
0x7ff681f3a4c5
0x7ff681f3a4ca
0x7ff681f3a4cd
0x7ff681f3a4d0
0x7ff681f3a4d8
0x7ff681f3a4e1
0x7ff681f3a4ec
0x7ff681f3a4ef
0x7ff681f3a4f3
0x7ff681f3a4f6
0x7ff681f3a4ff
0x7ff681f3a504
0x7ff681f3a509
0x7ff681f3a50e
0x7ff681f3a518
0x7ff681f3a521
0x7ff681f3a527
0x7ff681f3a532
0x7ff681f3a537
0x7ff681f3a544
0x7ff681f3a548
0x7ff681f3a556
0x7ff681f3a569
0x7ff681f3a56f
0x7ff681f3a57b
0x7ff681f3a581
0x7ff681f3a58c
0x7ff681f3a599
0x7ff681f3a5a1
0x7ff681f3a5a6
0x7ff681f3a5a9
0x7ff681f3a5ac
0x7ff681f3a5b4
0x7ff681f3a5b8
0x7ff681f3a5bd
0x7ff681f3a5c8
0x7ff681f3a5cb
0x7ff681f3a5cf
0x7ff681f3a5d2
0x7ff681f3a5db
0x7ff681f3a5e0
0x7ff681f3a5e5
0x7ff681f3a5f4
0x7ff681f3a5f9
0x7ff681f3a602
0x7ff681f3a608
0x7ff681f3a60f
0x7ff681f3a614
0x7ff681f3a622
0x7ff681f3a628
0x7ff681f3a633
0x7ff681f3a635
0x7ff681f3a640
0x7ff681f3a648
0x7ff681f3a64d
0x7ff681f3a650
0x7ff681f3a653
0x7ff681f3a660
0x7ff681f3a664
0x7ff681f3a668
0x7ff681f3a66d
0x7ff681f3a670
0x7ff681f3a674
0x7ff681f3a677
0x7ff681f3a680
0x7ff681f3a68c
0x7ff681f3a691
0x7ff681f3a696
0x7ff681f3a6a0
0x7ff681f3a6a6
0x7ff681f3a6af
0x7ff681f3a6b8
0x7ff681f3a6c5
0x7ff681f3a6d1
0x7ff681f3a6e4
0x7ff681f3a6f7
0x7ff681f3a703
0x7ff681f3a714
0x7ff681f3a720
0x7ff681f3a73a
0x7ff681f3a747
0x7ff681f3a753
0x7ff681f3a763
0x7ff681f3a77e
0x7ff681f3a784
0x7ff681f3a797
0x7ff681f3a79d
0x7ff681f3a7ac
0x7ff681f3a7ae
0x7ff681f3a7b1
0x7ff681f3a7b3
0x7ff681f3a7b7
0x7ff681f3a7b9
0x7ff681f3a7bd
0x7ff681f3a7c8
0x7ff681f3a7cc
0x7ff681f3a7d1
0x7ff681f3a7db
0x7ff681f3a7db
0x7ff681f3a7e2
0x7ff681f3a7ee
0x7ff681f3a7f5
0x7ff681f3a801
0x7ff681f3a808
0x7ff681f3a811
0x7ff681f3a81a
0x7ff681f3a823
0x7ff681f3a82e
0x7ff681f3a837
0x7ff681f3a840
0x7ff681f3a84b
0x7ff681f3a854
0x7ff681f3a85f
0x7ff681f3a865
0x7ff681f3a86b
0x7ff681f3a871
0x7ff681f3a87a
0x7ff681f3a888
0x7ff681f3a896
0x7ff681f3a8a0
0x7ff681f3a8ad
0x7ff681f3a8b5
0x7ff681f3a8ba
0x7ff681f3a8bd
0x7ff681f3a8c0
0x7ff681f3a8c8
0x7ff681f3a8d1
0x7ff681f3a8de
0x7ff681f3a8e2
0x7ff681f3a8e5
0x7ff681f3a8e9
0x7ff681f3a8ec
0x7ff681f3a8f6
0x7ff681f3a8fb
0x7ff681f3a908
0x7ff681f3a911
0x7ff681f3a913
0x7ff681f3a91a
0x7ff681f3a92c
0x7ff681f3a93a
0x7ff681f3a948
0x7ff681f3a94b
0x7ff681f3a94f
0x7ff681f3a957
0x7ff681f3a959
0x7ff681f3a960
0x7ff681f3a96e
0x7ff681f3a97b
0x7ff681f3a989
0x7ff681f3a995
0x7ff681f3a997
0x7ff681f3a99a
0x7ff681f3a9a0
0x7ff681f3a9a9
0x7ff681f3a9ae
0x7ff681f3a9b0
0x7ff681f3a9b7
0x7ff681f3a9ba
0x7ff681f3a9be
0x7ff681f3a9c6
0x7ff681f3a9cf
0x7ff681f3a9d7
0x7ff681f3a9e8
0x7ff681f3a9f6
0x7ff681f3aa10
0x7ff681f3aa1c
0x7ff681f3aa22
0x7ff681f3aa29
0x7ff681f3aa3a
0x7ff681f3aa47
0x7ff681f3aa49
0x7ff681f3aa54
0x7ff681f3aa59
0x7ff681f3aa5e
0x7ff681f3aa68
0x7ff681f3aa72
0x7ff681f3aa79
0x7ff681f3aa86
0x7ff681f3aa88
0x7ff681f3aa9d
0x7ff681f3aaa5
0x7ff681f3aaa7
0x7ff681f3aab1
0x7ff681f3aabd
0x7ff681f3aad1
0x7ff681f3aadd
0x7ff681f3aaeb
0x7ff681f3aaf2
0x7ff681f3ab02
0x7ff681f3ab0d
0x7ff681f3ab1b
0x7ff681f3ab1e
0x7ff681f3ab26
0x7ff681f3ab31
0x7ff681f3ab35
0x7ff681f3ab48
0x7ff681f3ab57
0x7ff681f3ab6a
0x7ff681f3ab76
0x7ff681f3ab7c
0x7ff681f3ab99
0x7ff681f3ab9f
0x7ff681f3abb1
0x7ff681f3abba
0x7ff681f3abcd
0x7ff681f3abd5
0x7ff681f3abe1
0x7ff681f3abf4
0x7ff681f3abf7
0x7ff681f3abfc
0x7ff681f3ac08
0x7ff681f3ac13
0x7ff681f3ac18
0x7ff681f3ac20
0x7ff681f3ac2c
0x7ff681f3ac2f
0x7ff681f3ac37
0x7ff681f3ac41
0x7ff681f3ac4b
0x7ff681f3ac54
0x7ff681f3ac54
0x7ff681f3ac5d
0x7ff681f3ac69
0x7ff681f3ac6e
0x7ff681f3ac73
0x7ff681f3ac7d
0x7ff681f3ac7f
0x7ff681f3ac95
0x7ff681f3ac9e
0x7ff681f3aca6
0x7ff681f3acbe
0x7ff681f3acd4

APIs

GetDlgCtrlID.USER32 ref: 00007FF681F3A34C
memset.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF681F3A388

Part of subcall function 00007FF681F51808: WindowsCreateStringReference.API-MS-WIN-CORE-WINRT-STRING-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF681F39B32), ref: 00007FF681F5184F
Part of subcall function 00007FF681F51808: RoGetActivationFactory.API-MS-WIN-CORE-WINRT-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF681F39B32), ref: 00007FF681F5188B

WindowsCreateStringReference.API-MS-WIN-CORE-WINRT-STRING-L1-1-0 ref: 00007FF681F3A3D1
RoGetActivationFactory.API-MS-WIN-CORE-WINRT-L1-1-0 ref: 00007FF681F3A3F5

Part of subcall function 00007FF681F52274: WindowsCreateStringReference.API-MS-WIN-CORE-WINRT-STRING-L1-1-0 ref: 00007FF681F522B0

MessageBeep.USER32 ref: 00007FF681F3A548
MessageBeep.USER32 ref: 00007FF681F3A556
DestroyWindow.USER32 ref: 00007FF681F3A6D1
DestroyWindow.USER32 ref: 00007FF681F3A6E4
DeleteObject.GDI32 ref: 00007FF681F3A6F7
SendMessageW.USER32 ref: 00007FF681F3A714
IsIconic.USER32 ref: 00007FF681F3A72C
SetFocus.USER32 ref: 00007FF681F3A747
IsIconic.USER32 ref: 00007FF681F3A770
GetForegroundWindow.USER32 ref: 00007FF681F3A784
GetForegroundWindow.USER32 ref: 00007FF681F3A79D
DefWindowProcW.USER32 ref: 00007FF681F3A7E2
PostQuitMessage.USER32 ref: 00007FF681F3A7F5
SetCursor.USER32 ref: 00007FF681F3A91A
SetCursor.USER32 ref: 00007FF681F3A93A
SetCursor.USER32 ref: 00007FF681F3A960
SetCursor.USER32 ref: 00007FF681F3A989
GetKeyboardLayout.USER32 ref: 00007FF681F3A9FD
MessageBoxW.USER32 ref: 00007FF681F3AAD1
SetWindowPos.USER32 ref: 00007FF681F3AB35
SendMessageW.USER32 ref: 00007FF681F3AB57
GetDpiForWindow.USER32 ref: 00007FF681F3AB6A
MulDiv.KERNEL32 ref: 00007FF681F3AB84
CreateFontIndirectW.GDI32 ref: 00007FF681F3AB9F
DeleteObject.GDI32 ref: 00007FF681F3ABBA
SendMessageW.USER32 ref: 00007FF681F3ABE1
RedrawWindow.USER32 ref: 00007FF681F3ABFC

Strings

Windows.Security.EnterpriseData.ProtectionPolicyManager, xrefs: 00007FF681F3A3CA

Memory Dump Source

Source File: 00000000.00000002.242166859.00007FF681F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF681F30000, based on PE: true

Associated: 00000000.00000002.242162264.00007FF681F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242186922.00007FF681F56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242194386.00007FF681F60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242238373.00007FF681F63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff681f30000_bHLOVVmF1t.jbxd

Similarity

API ID: Window$Message$CreateCursor$ReferenceSendStringWindows$ActivationBeepDeleteDestroyFactoryForegroundIconicObject$CtrlFocusFontIndirectKeyboardLayoutPostProcQuitRedrawmemset
String ID: Windows.Security.EnterpriseData.ProtectionPolicyManager
API String ID: 679159887-1562784004
Opcode ID: 39cf4432cf9d4aa666251afe8dd00d5427c4e535c3bffe319c0f9fd7c51e4be7
Instruction ID: d1bf37c5c94b8f4bfe3cfbbd6299c4047975cb21de669273168f4594f9a74d96
Opcode Fuzzy Hash: 39cf4432cf9d4aa666251afe8dd00d5427c4e535c3bffe319c0f9fd7c51e4be7
Instruction Fuzzy Hash: 1F425F32E08A56C6EB649B16E8542B97BE0FF85B80F444139DA4EC37A5CF3DE846C741

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF681F3BA28 Relevance: 46.7, APIs: 31, Instructions: 211windowclipboardCOMMON

Download Yara Rule

APIs

GetMenu.USER32 ref: 00007FF681F3BA4E
SendMessageW.USER32(?,?,?,?,?,?,?,?,?,00007FF681F3AC73), ref: 00007FF681F3BA71
GetSubMenu.USER32 ref: 00007FF681F3BA94
EnableMenuItem.USER32 ref: 00007FF681F3BAAB
GetSubMenu.USER32 ref: 00007FF681F3BABD
EnableMenuItem.USER32 ref: 00007FF681F3BAD4
GetSubMenu.USER32 ref: 00007FF681F3BAE6
EnableMenuItem.USER32 ref: 00007FF681F3BAFD
GetSubMenu.USER32 ref: 00007FF681F3BB0F
EnableMenuItem.USER32 ref: 00007FF681F3BB26
OpenClipboard.USER32 ref: 00007FF681F3BB35
IsClipboardFormatAvailable.USER32(?,?,?,?,?,?,?,?,?,00007FF681F3AC73), ref: 00007FF681F3BB48
CloseClipboard.USER32(?,?,?,?,?,?,?,?,?,00007FF681F3AC73), ref: 00007FF681F3BB57
GetSubMenu.USER32 ref: 00007FF681F3BB72
EnableMenuItem.USER32 ref: 00007FF681F3BB89
SendMessageW.USER32(?,?,?,?,?,?,?,?,?,00007FF681F3AC73), ref: 00007FF681F3BBA6
GetSubMenu.USER32 ref: 00007FF681F3BBC2
EnableMenuItem.USER32 ref: 00007FF681F3BBD9
GetSubMenu.USER32 ref: 00007FF681F3BBEB
EnableMenuItem.USER32 ref: 00007FF681F3BC02
GetSubMenu.USER32 ref: 00007FF681F3BC14
EnableMenuItem.USER32 ref: 00007FF681F3BC2B
GetSubMenu.USER32 ref: 00007FF681F3BC4A
EnableMenuItem.USER32 ref: 00007FF681F3BC61
SendMessageW.USER32(?,?,?,?,?,?,?,?,?,00007FF681F3AC73), ref: 00007FF681F3BC7F
GetSubMenu.USER32 ref: 00007FF681F3BC99
EnableMenuItem.USER32 ref: 00007FF681F3BCB0
GetSubMenu.USER32 ref: 00007FF681F3BCD1
CheckMenuItem.USER32 ref: 00007FF681F3BCE8
GetSubMenu.USER32 ref: 00007FF681F3BCFE
CheckMenuItem.USER32 ref: 00007FF681F3BD1F

Memory Dump Source

Source File: 00000000.00000002.242166859.00007FF681F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF681F30000, based on PE: true

Associated: 00000000.00000002.242162264.00007FF681F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242186922.00007FF681F56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242194386.00007FF681F60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242238373.00007FF681F63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff681f30000_bHLOVVmF1t.jbxd

Similarity

API ID: Menu$Item$Enable$ClipboardMessageSend$Check$AvailableCloseFormatOpen
String ID:
API String ID: 2500327735-0
Opcode ID: c6d8594c091236eac6000342d5b088a58ac381c840e31daed74db47db534a9f5
Instruction ID: 58421a2c975848ef880bb6e66faa5a68dd87fd182145784816ee63558a8fe464
Opcode Fuzzy Hash: c6d8594c091236eac6000342d5b088a58ac381c840e31daed74db47db534a9f5
Instruction Fuzzy Hash: 4491E775A04A56DBE7009B21A8585B9BBE1FF8AB91F45D138CD1E87B24CF3DD446CB00

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF681F4CFE0 Relevance: 42.2, APIs: 28, Instructions: 187windowmemoryCOMMON

Download Yara Rule

APIs

SetCursor.USER32(?,?,?,?,?,00000000,00000000,00000000,00000000,?), ref: 00007FF681F4D010
SendMessageW.USER32(?,?,?,?,?,00000000,00000000,00000000,00000000,?), ref: 00007FF681F4D043
SendMessageW.USER32(?,?,?,?,?,00000000,00000000,00000000,00000000,?), ref: 00007FF681F4D061
SendMessageW.USER32(?,?,?,?,?,00000000,00000000,00000000,00000000,?), ref: 00007FF681F4D088
LocalAlloc.KERNEL32(?,?,?,?,?,00000000,00000000,00000000,00000000,?), ref: 00007FF681F4D0A2
SetCursor.USER32(?,?,?,?,?,00000000,00000000,00000000,00000000,?), ref: 00007FF681F4D0B9

Part of subcall function 00007FF681F37E58: SendMessageW.USER32 ref: 00007FF681F37EE7
Part of subcall function 00007FF681F37E58: SendMessageW.USER32 ref: 00007FF681F37F0A
Part of subcall function 00007FF681F37E58: SendMessageW.USER32 ref: 00007FF681F37F28

GetClientRect.USER32 ref: 00007FF681F4D0D7
LocalLock.KERNEL32(?,?,?,?,?,00000000,00000000,00000000,00000000,?), ref: 00007FF681F4D0E6
SendMessageW.USER32(?,?,?,?,?,00000000,00000000,00000000,00000000,?), ref: 00007FF681F4D107

Part of subcall function 00007FF681F41C48: CreateWindowExW.USER32 ref: 00007FF681F41C90

SetCursor.USER32(?,?,?,?,?,00000000,00000000,00000000,00000000,?), ref: 00007FF681F4D133
LocalUnlock.KERNEL32(?,?,?,?,?,00000000,00000000,00000000,00000000,?), ref: 00007FF681F4D142
LocalFree.KERNEL32(?,?,?,?,?,00000000,00000000,00000000,00000000,?), ref: 00007FF681F4D151
GetWindowLongW.USER32 ref: 00007FF681F4D172
SetWindowLongW.USER32 ref: 00007FF681F4D187
SendMessageW.USER32(?,?,?,?,?,00000000,00000000,00000000,00000000,?), ref: 00007FF681F4D1A5
SendMessageW.USER32(?,?,?,?,?,00000000,00000000,00000000,00000000,?), ref: 00007FF681F4D1BE
SetCursor.USER32(?,?,?,?,?,00000000,00000000,00000000,00000000,?), ref: 00007FF681F4D1D2
DestroyWindow.USER32(?,?,?,?,?,00000000,00000000,00000000,00000000,?), ref: 00007FF681F4D1E1
LocalUnlock.KERNEL32(?,?,?,?,?,00000000,00000000,00000000,00000000,?), ref: 00007FF681F4D1F5
LocalFree.KERNEL32(?,?,?,?,?,00000000,00000000,00000000,00000000,?), ref: 00007FF681F4D204
SendMessageW.USER32(?,?,?,?,?,00000000,00000000,00000000,00000000,?), ref: 00007FF681F4D22A
ShowWindow.USER32(?,?,?,?,?,00000000,00000000,00000000,00000000,?), ref: 00007FF681F4D24B
SendMessageW.USER32(?,?,?,?,?,00000000,00000000,00000000,00000000,?), ref: 00007FF681F4D269
SendMessageW.USER32(?,?,?,?,?,00000000,00000000,00000000,00000000,?), ref: 00007FF681F4D289
SetFocus.USER32(?,?,?,?,?,00000000,00000000,00000000,00000000,?), ref: 00007FF681F4D29C
SetCursor.USER32(?,?,?,?,?,00000000,00000000,00000000,00000000,?), ref: 00007FF681F4D2AB
GetClientRect.USER32 ref: 00007FF681F4D2CB
ShowWindow.USER32(?,?,?,?,?,00000000,00000000,00000000,00000000,?), ref: 00007FF681F4D2F6

Memory Dump Source

Source File: 00000000.00000002.242166859.00007FF681F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF681F30000, based on PE: true

Associated: 00000000.00000002.242162264.00007FF681F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242186922.00007FF681F56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242194386.00007FF681F60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242238373.00007FF681F63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff681f30000_bHLOVVmF1t.jbxd

Similarity

API ID: MessageSend$LocalWindow$Cursor$ClientFreeLongRectShowUnlock$AllocCreateDestroyFocusLock
String ID:
API String ID: 126884220-0
Opcode ID: bf6a7d30ae95c0d271b89b0641b4b12e91f628d31a564a535e4299d22ea6fa58
Instruction ID: 834faf844d68fd443c5d350292231658c55a9eee56eaa42e4fb3b8bcf0ccbde4
Opcode Fuzzy Hash: bf6a7d30ae95c0d271b89b0641b4b12e91f628d31a564a535e4299d22ea6fa58
Instruction Fuzzy Hash: FA91F635A08A56CBE7109B61E8645B8BBA0FFCABA5F459579CE1E83724CF3CA445C700

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF681F4F548 Relevance: 28.2, APIs: 15, Strings: 1, Instructions: 241registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32 ref: 00007FF681F4F595
RegOpenKeyExW.ADVAPI32 ref: 00007FF681F4F5C9
RegQueryInfoKeyW.ADVAPI32 ref: 00007FF681F4F61D
RegEnumValueW.ADVAPI32 ref: 00007FF681F4F693
CoTaskMemFree.API-MS-WIN-CORE-COM-L1-1-0 ref: 00007FF681F4F892
CoTaskMemFree.API-MS-WIN-CORE-COM-L1-1-0 ref: 00007FF681F4F8A7
RegCloseKey.ADVAPI32 ref: 00007FF681F4F8C1
RegCloseKey.ADVAPI32 ref: 00007FF681F4F8D6

Strings

Software\Microsoft\Notepad\Autosave, xrefs: 00007FF681F4F587

Memory Dump Source

Source File: 00000000.00000002.242166859.00007FF681F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF681F30000, based on PE: true

Associated: 00000000.00000002.242162264.00007FF681F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242186922.00007FF681F56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242194386.00007FF681F60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242238373.00007FF681F63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff681f30000_bHLOVVmF1t.jbxd

Similarity

API ID: CloseFreeOpenTask$EnumInfoQueryValue
String ID: Software\Microsoft\Notepad\Autosave
API String ID: 10180006-1427544894
Opcode ID: cb2e6d0840f0f24ed592800b7a406fac5cff7ebf27e7a373aa0a8fc4f217435d
Instruction ID: bfef3746571451628869351e6eaafd13122521b8279fb766357ab54df100674b
Opcode Fuzzy Hash: cb2e6d0840f0f24ed592800b7a406fac5cff7ebf27e7a373aa0a8fc4f217435d
Instruction Fuzzy Hash: 58B18B36B08A42DAEB609F65E5502B97BE0FF89B98F448139DE4E97B58DF38D405C700

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF681F4F248 Relevance: 28.2, APIs: 13, Strings: 3, Instructions: 195registryCOMMON

Download Yara Rule

APIs

RegCreateKeyExW.ADVAPI32 ref: 00007FF681F4F29D
RegCreateKeyExW.ADVAPI32 ref: 00007FF681F4F2E3
RegCloseKey.ADVAPI32 ref: 00007FF681F4F4FC
RegCloseKey.ADVAPI32 ref: 00007FF681F4F511

Strings

Software\Microsoft\Notepad\Autosave, xrefs: 00007FF681F4F266
%s\%s.autosave, xrefs: 00007FF681F4F312
%i,%s, xrefs: 00007FF681F4F3E7

Memory Dump Source

Source File: 00000000.00000002.242166859.00007FF681F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF681F30000, based on PE: true

Associated: 00000000.00000002.242162264.00007FF681F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242186922.00007FF681F56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242194386.00007FF681F60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242238373.00007FF681F63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff681f30000_bHLOVVmF1t.jbxd

Similarity

API ID: CloseCreate
String ID: %i,%s$%s\%s.autosave$Software\Microsoft\Notepad\Autosave
API String ID: 2932200918-285130182
Opcode ID: 39d179df07f4d6ddf02dda3a2e217f1768b47bae636349df4f652e9d4ffdcf81
Instruction ID: 94a800c4941279e0a18abcd6571d5d054fdd9196cf2e60022a01df86a747004f
Opcode Fuzzy Hash: 39d179df07f4d6ddf02dda3a2e217f1768b47bae636349df4f652e9d4ffdcf81
Instruction Fuzzy Hash: 6E917F32A08A42CAEB208F65E9406B97BE0FF89B98F445539DE5E83B64DF38D445C740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF681F3709C Relevance: 24.7, APIs: 10, Strings: 4, Instructions: 208
synchronizationCOMMONCrypto

Download Yara Rule

C-Code - Quality: 66%

			E00007FF67FF681F3709C(long long __rbx, long long __rcx, signed long long* __rdx, signed int __rsi, void* __r9) {
				long _t24;
				signed int _t27;
				long _t28;
				signed long long _t55;
				signed long long _t56;
				int _t75;
				signed long long _t79;
				void* _t81;
				void* _t84;
				signed long long _t85;
				void* _t90;
				long _t92;
				void* _t95;
				void* _t98;

				 *((long long*)(_t84 + 0x18)) = __rbx;
				 *((long long*)(_t84 + 0x20)) = __rsi;
				_t85 = _t84 - 0x280;
				_t55 =  *0x81f60470; // 0xbba9a5b3aaf9
				_t56 = _t55 ^ _t85;
				 *(_t84 - 0x180 + 0x170) = _t56;
				 *__rdx =  *__rdx & 0x00000000;
				_t24 = GetCurrentProcessId();
				 *((long long*)(_t85 + 0x28)) = __rcx;
				r9d = _t24;
				 *((intOrPtr*)(_t85 + 0x20)) = 0x78;
				E00007FF67FF681F31860(_t85 + 0x60, __rdx, L"Local\\SM0:%d:%d:%hs", __r9, _t98);
				r9d = 0x1f0001;
				r8d = 0;
				__imp__CreateMutexExW(_t81);
				 *(_t85 + 0x48) = _t56;
				if (_t56 != 0) goto 0x81f3713f;
				E00007FF67FF681F31EFC();
				goto 0x81f371f1;
				r8d = 0;
				_t27 = WaitForSingleObjectEx(_t95, _t92, _t75);
				if (_t27 == 0x102) goto 0x81f3716a;
				if (_t27 == 0) goto 0x81f37176;
				if (_t27 != 0x80) goto 0x81f373a0;
				if ((_t27 & 0xffffff7f) == 0) goto 0x81f37176;
				r14d = 0;
				goto 0x81f37179;
				 *(_t85 + 0x40) =  *(_t85 + 0x40) & __rsi;
				_t28 = E00007FF67FF681F37868(_t27 & 0xffffff7f, _t56, _t85 + 0x60, _t85 + 0x40, __rsi, _t90);
				if (_t28 >= 0) goto 0x81f371b3;
				r9d = _t28;
				E00007FF67FF681F325BC();
				goto 0x81f371be;
				_t79 =  *(_t85 + 0x40) << 2;
				if (0 >= 0) goto 0x81f371cc;
				goto 0x81f37389;
				if (_t79 == 0) goto 0x81f3722c;
				 *__rdx = _t79;
				 *( *__rdx) =  *_t79 + 1;
				if (_t56 == 0) goto 0x81f371f1;
				E00007FF67FF681F326B0();
				if ( *(_t85 + 0x48) == 0) goto 0x81f371fe;
				0x81f3267c();
				E00007FF67FF681F53F70();
				return 0;
			}

0x7ff681f3709c
0x7ff681f370a1
0x7ff681f370b6
0x7ff681f370bd
0x7ff681f370c4
0x7ff681f370c7
0x7ff681f370ce
0x7ff681f370d8
0x7ff681f370e4
0x7ff681f370f0
0x7ff681f370f3
0x7ff681f37105
0x7ff681f3710a
0x7ff681f37115
0x7ff681f3711a
0x7ff681f37126
0x7ff681f37131
0x7ff681f37133
0x7ff681f3713a
0x7ff681f3713f
0x7ff681f37148
0x7ff681f37159
0x7ff681f3715d
0x7ff681f37164
0x7ff681f3716f
0x7ff681f37171
0x7ff681f37174
0x7ff681f37180
0x7ff681f3718a
0x7ff681f3719a
0x7ff681f371a6
0x7ff681f371ac
0x7ff681f371b1
0x7ff681f371b8
0x7ff681f371c0
0x7ff681f371c7
0x7ff681f371cf
0x7ff681f371d1
0x7ff681f371e0
0x7ff681f371e7
0x7ff681f371ec
0x7ff681f371f4
0x7ff681f371f9
0x7ff681f3720a
0x7ff681f3722a

APIs

GetCurrentProcessId.KERNEL32 ref: 00007FF681F370D8

Part of subcall function 00007FF681F31860: _vsnwprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF681F318A0

CreateMutexExW.KERNEL32 ref: 00007FF681F3711A
WaitForSingleObjectEx.KERNEL32 ref: 00007FF681F37148

Part of subcall function 00007FF681F31EFC: GetLastError.KERNEL32 ref: 00007FF681F31F00

Strings

onecore\internal\sdk\inc\wil\opensource\wil\resource.h, xrefs: 00007FF681F373A7
wil, xrefs: 00007FF681F3718F
x, xrefs: 00007FF681F370F3
Local\SM0:%d:%d:%hs, xrefs: 00007FF681F370E9

Memory Dump Source

Source File: 00000000.00000002.242166859.00007FF681F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF681F30000, based on PE: true

Associated: 00000000.00000002.242162264.00007FF681F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242186922.00007FF681F56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242194386.00007FF681F60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242238373.00007FF681F63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff681f30000_bHLOVVmF1t.jbxd

Similarity

API ID: CreateCurrentErrorLastMutexObjectProcessSingleWait_vsnwprintf
String ID: Local\SM0:%d:%d:%hs$onecore\internal\sdk\inc\wil\opensource\wil\resource.h$wil$x
API String ID: 3333087404-3363748427
Opcode ID: 2cce9067b0bea144410cec9eb2392d632eac8467d0d38292a8ab446e98737e71
Instruction ID: 2375472143abc6907eda43cf3030eefcaa0587ac15f7d82894ec80242245756c
Opcode Fuzzy Hash: 2cce9067b0bea144410cec9eb2392d632eac8467d0d38292a8ab446e98737e71
Instruction Fuzzy Hash: 03816F32608A82C6E7609B16E4406BAB7E1FF89B84F548239EE4DC7B55DF3CE446C701

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF681F41188 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 178
fileCOMMON

Download Yara Rule

C-Code - Quality: 23%

			E00007FF67FF681F41188(long long __rbx, signed short* __rcx, void* __rdx, void* __r9, void* __r10) {
				void* __rdi;
				void* __rsi;
				void* __rbp;
				void* _t42;
				void* _t47;
				void* _t58;
				signed int _t60;
				signed long long _t87;
				signed long long _t88;
				signed long long _t90;
				signed long long _t92;
				signed long long _t130;
				void* _t141;
				intOrPtr _t144;
				void* _t146;
				WCHAR* _t150;
				void* _t153;
				signed long long _t154;
				void* _t164;
				void* _t165;
				long long _t167;
				void* _t169;
				signed short* _t170;
				void* _t171;
				void* _t174;

				 *((long long*)(_t153 + 0x18)) = __rbx;
				_t151 = _t153 - 0x1a0;
				_t154 = _t153 - 0x2a0;
				_t87 =  *0x81f60470; // 0xbba9a5b3aaf9
				_t88 = _t87 ^ _t154;
				 *(_t153 - 0x1a0 + 0x190) = _t88;
				r13d = 0;
				_t170 = __rcx;
				_t60 =  *__rcx & 0x0000ffff;
				_t165 = __rdx;
				 *((long long*)(_t154 + 0x28)) = _t167;
				if (_t60 == 0x22) goto 0x81f41230;
				if (_t60 == 0x27) goto 0x81f41230;
				_t90 = (_t88 | 0xffffffff) + 1;
				if (__rcx[_t90] != r13w) goto 0x81f411dc;
				_t7 = _t90 + 1; // 0xbba9a5b3aafb
				_t96 = _t7;
				E00007FF67FF681F3E224(_t7, _t154 + 0x38, __rdx, _t141, _t146, _t153 - 0x1a0, _t7, _t174, _t169);
				if (_t154 + 0x28 == _t90) goto 0x81f41215;
				_t130 = _t90;
				_t42 = E00007FF67FF681F3C6A8(_t7, _t154 + 0x28, _t130, _t141, _t146, _t153 - 0x1a0, _t167, _t164);
				if ( *((intOrPtr*)(_t154 + 0x38)) == 0) goto 0x81f4122b;
				__imp__CoTaskMemFree();
				goto 0x81f41299;
				_t171 = _t170 + 2;
				_t147 = _t171;
				goto 0x81f41247;
				if (_t42 == _t60) goto 0x81f41250;
				if (( *(_t171 + 2) & 0x0000ffff) != 0) goto 0x81f4123c;
				_t13 = _t130 + 1; // 0x2
				r8d = _t13;
				E00007FF67FF681F3E224(_t96, _t154 + 0x38, _t130,  *((intOrPtr*)(_t154 + 0x28)), _t171, _t151, _t170, _t141, _t146);
				if (_t154 + 0x28 == _t90) goto 0x81f41280;
				E00007FF67FF681F3C6A8(_t96, _t154 + 0x28, _t90,  *((intOrPtr*)(_t154 + 0x28)), _t171, _t151);
				if ( *((intOrPtr*)(_t154 + 0x38)) == 0) goto 0x81f41296;
				__imp__CoTaskMemFree();
				_t47 = E00007FF67FF681F316FC(_t96,  *((intOrPtr*)(_t154 + 0x28)), _t96, _t171, __r10);
				 *((long long*)(_t154 + 0x20)) = _t167;
				__imp__PathIsFileSpecW();
				if (_t47 == 0) goto 0x81f412d2;
				E00007FF67FF681F3C6A8(_t96, _t154 + 0x20, _t154 + 0x28,  *((intOrPtr*)(_t154 + 0x28)), _t147, _t151);
				_t144 =  *((intOrPtr*)(_t154 + 0x28));
				goto 0x81f412df;
				E00007FF67FF681F400F0(_t144, _t154 + 0x20);
				_t97 =  *((intOrPtr*)(_t154 + 0x20));
				FindFirstFileW(_t150);
				if (_t90 == 0xffffffff) goto 0x81f41312;
				FindClose(??);
				goto 0x81f413c9;
				__imp__PathFindExtensionW();
				if ( *_t90 != r13w) goto 0x81f413c9;
				_t92 = (_t90 | 0xffffffff) + 1;
				if ( *((intOrPtr*)( *((intOrPtr*)(_t154 + 0x20)) + _t92 * 2)) != r13w) goto 0x81f4132f;
				_t28 = _t92 + 5; // 0x6
				E00007FF67FF681F3E224( *((intOrPtr*)(_t154 + 0x20)), _t154 + 0x30, _t154 + 0x40, _t144, _t147, _t151, _t28);
				_t148 =  *((intOrPtr*)(_t154 + 0x30));
				if ( *((intOrPtr*)(_t154 + 0x30)) == 0) goto 0x81f41376;
				E00007FF67FF681F31788( *((intOrPtr*)(_t154 + 0x20)),  *((intOrPtr*)(_t154 + 0x30)), _t28, _t97);
				E00007FF67FF681F31788(_t97,  *((intOrPtr*)(_t154 + 0x30)), _t28, L".txt");
				FindFirstFileW(??, ??);
				if (_t92 == 0xffffffff) goto 0x81f4139f;
				FindClose(??);
				E00007FF67FF681F3C6A8(_t97, _t154 + 0x20, _t154 + 0x30, _t144, _t148, _t151);
				if ( *((intOrPtr*)(_t154 + 0x30)) == 0) goto 0x81f413c4;
				__imp__CoTaskMemFree();
				if (_t165 == _t154 + 0x20) goto 0x81f413e5;
				_t58 = E00007FF67FF681F3C6A8( *((intOrPtr*)(_t154 + 0x20)), _t165, _t154 + 0x20, _t144, _t148, _t151);
				if ( *((intOrPtr*)(_t154 + 0x20)) == 0) goto 0x81f413f9;
				__imp__CoTaskMemFree();
				if (_t144 == 0) goto 0x81f4140d;
				__imp__CoTaskMemFree();
				E00007FF67FF681F53F70();
				return _t58;
			}

0x7ff681f41188
0x7ff681f41198
0x7ff681f411a0
0x7ff681f411a7
0x7ff681f411ae
0x7ff681f411b1
0x7ff681f411b8
0x7ff681f411bb
0x7ff681f411be
0x7ff681f411c1
0x7ff681f411c4
0x7ff681f411d0
0x7ff681f411d6
0x7ff681f411dc
0x7ff681f411e4
0x7ff681f411e6
0x7ff681f411e6
0x7ff681f411f4
0x7ff681f41201
0x7ff681f41203
0x7ff681f4120b
0x7ff681f4121d
0x7ff681f4121f
0x7ff681f4122e
0x7ff681f41230
0x7ff681f41237
0x7ff681f4123a
0x7ff681f4123f
0x7ff681f4124e
0x7ff681f41250
0x7ff681f41255
0x7ff681f4125f
0x7ff681f4126c
0x7ff681f41276
0x7ff681f41288
0x7ff681f4128a
0x7ff681f4129f
0x7ff681f412a7
0x7ff681f412ac
0x7ff681f412ba
0x7ff681f412c6
0x7ff681f412cb
0x7ff681f412d0
0x7ff681f412da
0x7ff681f412df
0x7ff681f412ec
0x7ff681f412fc
0x7ff681f41301
0x7ff681f4130d
0x7ff681f41315
0x7ff681f41325
0x7ff681f4132f
0x7ff681f41337
0x7ff681f41339
0x7ff681f41347
0x7ff681f4134c
0x7ff681f41354
0x7ff681f4135f
0x7ff681f41371
0x7ff681f4137e
0x7ff681f4138e
0x7ff681f41393
0x7ff681f413a9
0x7ff681f413b6
0x7ff681f413b8
0x7ff681f413d1
0x7ff681f413db
0x7ff681f413e8
0x7ff681f413ed
0x7ff681f413fc
0x7ff681f41401
0x7ff681f4141a
0x7ff681f41439

APIs

CoTaskMemFree.API-MS-WIN-CORE-COM-L1-1-0 ref: 00007FF681F4121F
CoTaskMemFree.API-MS-WIN-CORE-COM-L1-1-0 ref: 00007FF681F4128A
PathIsFileSpecW.API-MS-WIN-CORE-SHLWAPI-LEGACY-L1-1-0 ref: 00007FF681F412AC
FindFirstFileW.KERNEL32 ref: 00007FF681F412EC
FindClose.KERNEL32 ref: 00007FF681F41301
PathFindExtensionW.API-MS-WIN-CORE-SHLWAPI-LEGACY-L1-1-0 ref: 00007FF681F41315
FindFirstFileW.KERNEL32 ref: 00007FF681F4137E
FindClose.KERNEL32 ref: 00007FF681F41393
CoTaskMemFree.API-MS-WIN-CORE-COM-L1-1-0 ref: 00007FF681F413B8
CoTaskMemFree.API-MS-WIN-CORE-COM-L1-1-0 ref: 00007FF681F413ED
CoTaskMemFree.API-MS-WIN-CORE-COM-L1-1-0 ref: 00007FF681F41401

Strings

.txt, xrefs: 00007FF681F41364

Memory Dump Source

Source File: 00000000.00000002.242166859.00007FF681F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF681F30000, based on PE: true

Associated: 00000000.00000002.242162264.00007FF681F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242186922.00007FF681F56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242194386.00007FF681F60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242238373.00007FF681F63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff681f30000_bHLOVVmF1t.jbxd

Similarity

API ID: FindFreeTask$File$CloseFirstPath$ExtensionSpec
String ID: .txt
API String ID: 3904377374-2195685702
Opcode ID: 9fccbe78e752a8f6e6e6d0bae36afe1a6c80cd5786e489edaae7084942020d4e
Instruction ID: 8edd8978ec6e9abd462c259908d16e8adef64faca175197949b21679466d66d0
Opcode Fuzzy Hash: 9fccbe78e752a8f6e6e6d0bae36afe1a6c80cd5786e489edaae7084942020d4e
Instruction Fuzzy Hash: B371956660D942C2EB209B11E5101BAB7E1FF8ABA4F489239EA5E877D4DF3CE545C700

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF681F4F900 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 84filewindowCOMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNEL32 ref: 00007FF681F4F915
GetLastError.KERNEL32 ref: 00007FF681F4F927
CreateFileW.KERNEL32 ref: 00007FF681F4F9B4
CloseHandle.KERNEL32 ref: 00007FF681F4F9C9
GetDiskFreeSpaceExW.KERNEL32 ref: 00007FF681F4F9E4
SendMessageW.USER32 ref: 00007FF681F4FA05
CoTaskMemFree.API-MS-WIN-CORE-COM-L1-1-0 ref: 00007FF681F4FA2E

Strings

probe.autosave, xrefs: 00007FF681F4F96E
%s\%s, xrefs: 00007FF681F4F97D

Memory Dump Source

Source File: 00000000.00000002.242166859.00007FF681F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF681F30000, based on PE: true

Associated: 00000000.00000002.242162264.00007FF681F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242186922.00007FF681F56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242194386.00007FF681F60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242238373.00007FF681F63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff681f30000_bHLOVVmF1t.jbxd

Similarity

API ID: CreateFree$CloseDirectoryDiskErrorFileHandleLastMessageSendSpaceTask
String ID: %s\%s$probe.autosave
API String ID: 3915114138-22072891
Opcode ID: b64f6b281aefdce99fbaee90597cb314c5a114e806cd92ea32214cf62ef44932
Instruction ID: 2a7fff8f8e77a46d731ce651cb1e8128a8f17327ccaddcb21faa52f028bcbd1e
Opcode Fuzzy Hash: b64f6b281aefdce99fbaee90597cb314c5a114e806cd92ea32214cf62ef44932
Instruction Fuzzy Hash: 52312F32A08A42C6E7208B15F9146B97BE0FF89B64F499235DA6E83794DF3CE455C740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF681F3E3A8 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 106
timewindowCOMMON

Download Yara Rule

C-Code - Quality: 21%

			E00007FF67FF681F3E3A8(void* __ecx, void* __eflags, long long __rbx, void* __rdx, long long __rdi, void* __r8, void* __r9) {
				void* _t36;
				long _t45;
				void* _t64;
				void* _t68;
				signed long long _t73;
				long long _t77;
				struct _SYSTEMTIME* _t96;
				void* _t97;
				void* _t99;
				signed long long _t100;

				_t77 = __rbx;
				 *((long long*)(_t99 + 0x10)) = __rbx;
				 *((long long*)(_t99 + 0x18)) = __rdi;
				_t3 = _t99 - 0x340; // -847
				_t97 = _t3;
				_t100 = _t99 - 0x440;
				_t73 =  *0x81f60470; // 0xbba9a5b3aaf9
				 *(_t97 + 0x330) = _t73 ^ _t100;
				_t64 = __ecx;
				r8d = 0x294;
				memset(??, ??, ??);
				GetLocalTime(_t96);
				 *((intOrPtr*)(_t100 + 0x30)) = 1;
				if (E00007FF67FF681F3E348(__r9) == 0) goto 0x81f3e46d;
				_t8 = _t77 + 1; // 0x2
				r9d = _t8;
				GetLocaleInfoW(??, ??, ??, ??);
				if ( *((intOrPtr*)(_t100 + 0x30)) != 1) goto 0x81f3e44e;
				__imp__GetUserDefaultUILanguage();
				_t36 = E00007FF67FF681F3E348(__r9);
				goto 0x81f3e45f;
				_t68 = _t36 - 0x17;
				if (_t68 > 0) goto 0x81f3e468;
				asm("bt ecx, eax");
				if (_t68 >= 0) goto 0x81f3e468;
				if (1 != 0) goto 0x81f3e46d;
				_t11 = _t97 - 0x10; // -863
				 *((intOrPtr*)(_t100 + 0x28)) = 0x50;
				r9d = 0;
				 *((long long*)(_t100 + 0x20)) = _t11;
				GetDateFormatW(??, ??, ??, ??, ??, ??);
				r9d = 0;
				 *((intOrPtr*)(_t100 + 0x28)) = 0x50;
				_t16 = _t100 + 0x50; // 0x41
				 *((long long*)(_t100 + 0x20)) = _t16;
				GetTimeFormatW(??, ??, ??, ??, ??, ??);
				if (_t64 == 0) goto 0x81f3e4e6;
				_t20 = _t97 + 0x90; // -703
				E00007FF67FF681F31788(__rbx, _t20, __rdx, 0x81f57bb0);
				_t21 = _t100 + 0x50; // 0x41
				_t22 = _t97 + 0x90; // -703
				E00007FF67FF681F31788(_t77, _t22, _t77, _t21);
				_t23 = _t97 + 0x90; // -703
				E00007FF67FF681F31788(_t77, _t23, _t77, 0x81f57bb8);
				_t24 = _t97 - 0x10; // -863
				_t25 = _t97 + 0x90; // -703
				E00007FF67FF681F31788(_t77, _t25, _t77, _t24);
				if (_t64 == 0) goto 0x81f3e53d;
				_t26 = _t97 + 0x90; // -703
				E00007FF67FF681F31788(_t77, _t26, _t77, 0x81f57bb0);
				r8d = 1;
				_t45 = SendMessageW(??, ??, ??, ??);
				E00007FF67FF681F50724();
				E00007FF67FF681F53F70();
				return _t45;
			}

0x7ff681f3e3a8
0x7ff681f3e3a8
0x7ff681f3e3ad
0x7ff681f3e3b3
0x7ff681f3e3b3
0x7ff681f3e3bb
0x7ff681f3e3c2
0x7ff681f3e3cc
0x7ff681f3e3d3
0x7ff681f3e3de
0x7ff681f3e3e4
0x7ff681f3e3f3
0x7ff681f3e404
0x7ff681f3e40f
0x7ff681f3e411
0x7ff681f3e411
0x7ff681f3e424
0x7ff681f3e436
0x7ff681f3e438
0x7ff681f3e447
0x7ff681f3e44c
0x7ff681f3e44e
0x7ff681f3e451
0x7ff681f3e458
0x7ff681f3e45b
0x7ff681f3e466
0x7ff681f3e46d
0x7ff681f3e471
0x7ff681f3e479
0x7ff681f3e47c
0x7ff681f3e48d
0x7ff681f3e499
0x7ff681f3e49c
0x7ff681f3e4a4
0x7ff681f3e4b3
0x7ff681f3e4bc
0x7ff681f3e4cf
0x7ff681f3e4da
0x7ff681f3e4e1
0x7ff681f3e4e6
0x7ff681f3e4ee
0x7ff681f3e4f5
0x7ff681f3e504
0x7ff681f3e50b
0x7ff681f3e510
0x7ff681f3e517
0x7ff681f3e51e
0x7ff681f3e525
0x7ff681f3e531
0x7ff681f3e538
0x7ff681f3e550
0x7ff681f3e556
0x7ff681f3e564
0x7ff681f3e573
0x7ff681f3e58c

APIs

memset.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF681F3E3E4
GetLocalTime.KERNEL32 ref: 00007FF681F3E3F3

Part of subcall function 00007FF681F3E348: GetLocaleInfoW.KERNEL32(?,?,?,?,?,?,00007FF681F3FC07), ref: 00007FF681F3E36A

GetLocaleInfoW.KERNEL32 ref: 00007FF681F3E424
GetUserDefaultUILanguage.KERNEL32 ref: 00007FF681F3E438
GetDateFormatW.KERNEL32 ref: 00007FF681F3E48D
GetTimeFormatW.KERNEL32 ref: 00007FF681F3E4BC
SendMessageW.USER32 ref: 00007FF681F3E556

Strings

P, xrefs: 00007FF681F3E49C

Memory Dump Source

Source File: 00000000.00000002.242166859.00007FF681F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF681F30000, based on PE: true

Associated: 00000000.00000002.242162264.00007FF681F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242186922.00007FF681F56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242194386.00007FF681F60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242238373.00007FF681F63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff681f30000_bHLOVVmF1t.jbxd

Similarity

API ID: FormatInfoLocaleTime$DateDefaultLanguageLocalMessageSendUsermemset
String ID: P
API String ID: 1142591158-3110715001
Opcode ID: 2300565938936d6dcaefa9484525a8758f01da794c59a31383b2a7b771174534
Instruction ID: 845232e53531f10e77da88a1f0c6e156c4c2966f37511e57133e0e640773d131
Opcode Fuzzy Hash: 2300565938936d6dcaefa9484525a8758f01da794c59a31383b2a7b771174534
Instruction Fuzzy Hash: CD414D36608A81D6E7209B20E8507F977A1FF88744F84443AEA4E87B9ADF3CD509CB01

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF681F4EBAC Relevance: 13.6, APIs: 9, Instructions: 112
windowCOMMONCrypto

Download Yara Rule

C-Code - Quality: 23%

			E00007FF67FF681F4EBAC(void* __ecx, void* __edi, void* __rax, long long __rbx, void* __rdx, long long __rbp, void* __r9, signed int _a8, long long _a16, long long _a24) {
				long long _v56;
				void* __rdi;
				void* __rsi;
				int _t18;
				void* _t20;
				signed int _t47;
				long long _t61;
				void* _t79;
				void* _t80;
				void* _t82;
				void* _t88;

				_t88 = __r9;
				_t63 = __rbx;
				_a16 = __rbx;
				_a24 = __rbp;
				 *0x81f625a0 = 0;
				SetCursor(??);
				r9d = r9d ^ r9d;
				r8d = 0;
				SendMessageW(??, ??, ??, ??);
				r9d = r9d ^ r9d;
				r8d = 0;
				SendMessageW(??, ??, ??, ??);
				_t3 = _t63 + 1; // 0x1
				r12d = _t3;
				_t82 = __rax;
				if (__rax == 0) goto 0x81f4ecd3;
				LocalLock(??);
				_t80 = __rax;
				if (__rax == 0) goto 0x81f4ecbc;
				_t18 = GetWindowTextLengthW(??);
				_a8 = _a8 & 0;
				r15d = _t18;
				r14d = 0;
				_t61 =  &_a8;
				_v56 = _t61;
				E00007FF67FF681F4CBB0(_t18, r15d - _t18, __rbx, __rax, __rax, 0x81f62480);
				if (_t61 == 0) goto 0x81f4eca4;
				_t47 = 0 + r12d;
				r14d = r14d + _a8;
				goto 0x81f4ec65;
				if (_t47 - r12d <= 0) goto 0x81f4ecbc;
				r9d = _t47;
				r8d = r14d;
				_t20 = E00007FF67FF681F4ED68(r15d, _a8, _t63, _t80);
				LocalUnlock(??);
				if (_t47 == 0) goto 0x81f4ecf1;
				if (_t20 != 0) goto 0x81f4ecf1;
				E00007FF67FF681F4EF38(0, _a8);
				_t32 =  !=  ? r12d : 0;
				if (E00007FF67FF681F4CC28( *0x81f625a0, _a8, _t63, _t82) != 0) goto 0x81f4ecd5;
				SetCursor(??);
				r9d = r9d ^ r9d;
				r8d = 0;
				SendMessageW(??, ??, ??, ??);
				r9d = r9d ^ r9d;
				r8d = 0;
				SendMessageW(??, ??, ??, ??);
				E00007FF67FF681F3B3B8(r12b, _t47, _t63, _t79, _t80, _t88);
				_t28 =  !=  ? r12d : 0;
				return  !=  ? r12d : 0;
			}

0x7ff681f4ebac
0x7ff681f4ebac
0x7ff681f4ebac
0x7ff681f4ebb1
0x7ff681f4ebcb
0x7ff681f4ebd4
0x7ff681f4ebe7
0x7ff681f4ebea
0x7ff681f4ebf2
0x7ff681f4ec05
0x7ff681f4ec08
0x7ff681f4ec10
0x7ff681f4ec1c
0x7ff681f4ec1c
0x7ff681f4ec20
0x7ff681f4ec26
0x7ff681f4ec2f
0x7ff681f4ec3b
0x7ff681f4ec41
0x7ff681f4ec4a
0x7ff681f4ec56
0x7ff681f4ec5c
0x7ff681f4ec5f
0x7ff681f4ec7a
0x7ff681f4ec7f
0x7ff681f4ec84
0x7ff681f4ec8f
0x7ff681f4ec96
0x7ff681f4ec99
0x7ff681f4eca2
0x7ff681f4eca7
0x7ff681f4eca9
0x7ff681f4ecac
0x7ff681f4ecb5
0x7ff681f4ecbf
0x7ff681f4eccd
0x7ff681f4ecd1
0x7ff681f4ecd7
0x7ff681f4ece4
0x7ff681f4ecef
0x7ff681f4ecf8
0x7ff681f4ed0b
0x7ff681f4ed0e
0x7ff681f4ed16
0x7ff681f4ed29
0x7ff681f4ed2c
0x7ff681f4ed34
0x7ff681f4ed43
0x7ff681f4ed4d
0x7ff681f4ed60

APIs

SetCursor.USER32 ref: 00007FF681F4EBD4
SendMessageW.USER32 ref: 00007FF681F4EBF2
SendMessageW.USER32 ref: 00007FF681F4EC10
LocalLock.KERNEL32 ref: 00007FF681F4EC2F
GetWindowTextLengthW.USER32 ref: 00007FF681F4EC4A

Part of subcall function 00007FF681F4CBB0: FindNLSString.KERNEL32 ref: 00007FF681F4CBF0

LocalUnlock.KERNEL32 ref: 00007FF681F4ECBF
SetCursor.USER32 ref: 00007FF681F4ECF8
SendMessageW.USER32 ref: 00007FF681F4ED16
SendMessageW.USER32 ref: 00007FF681F4ED34

Memory Dump Source

Source File: 00000000.00000002.242166859.00007FF681F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF681F30000, based on PE: true

Associated: 00000000.00000002.242162264.00007FF681F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242186922.00007FF681F56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242194386.00007FF681F60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242238373.00007FF681F63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff681f30000_bHLOVVmF1t.jbxd

Similarity

API ID: MessageSend$CursorLocal$FindLengthLockStringTextUnlockWindow
String ID:
API String ID: 3257532295-0
Opcode ID: 1ece0b814c376132f4a3d3b47796c39bd5f08aec5d5f6828e821346b205a095c
Instruction ID: cf05f7849f2ec2128f406db15ac52986e4f6fcd55be571086f3938b625c4371b
Opcode Fuzzy Hash: 1ece0b814c376132f4a3d3b47796c39bd5f08aec5d5f6828e821346b205a095c
Instruction Fuzzy Hash: B2415121A18B56C6EB209B25B860AB9BBE0FFC9B51F455139DE1E83B61DF3CE445C700

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF681F546D0 Relevance: 13.6, APIs: 9, Instructions: 72COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-1 ref: 00007FF681F546EC
memset.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF681F54710
RtlCaptureContext.API-MS-WIN-CORE-RTLSUPPORT-L1-1-0 ref: 00007FF681F54719
RtlLookupFunctionEntry.API-MS-WIN-CORE-RTLSUPPORT-L1-1-0 ref: 00007FF681F54733
RtlVirtualUnwind.API-MS-WIN-CORE-RTLSUPPORT-L1-1-0 ref: 00007FF681F54774
memset.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF681F547A7
IsDebuggerPresent.KERNEL32 ref: 00007FF681F547C8
SetUnhandledExceptionFilter.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF681F547E9
UnhandledExceptionFilter.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF681F547F4

Memory Dump Source

Source File: 00000000.00000002.242166859.00007FF681F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF681F30000, based on PE: true

Associated: 00000000.00000002.242162264.00007FF681F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242186922.00007FF681F56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242194386.00007FF681F60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242238373.00007FF681F63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff681f30000_bHLOVVmF1t.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandledmemset$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 313767242-0
Opcode ID: 05d1d027d43fef3400eb78d84ea7f2dd31953303670bad5e123061446a832ecb
Instruction ID: 04f47308ddea02f4fa639b4d53517b0b6b1ccb056ae1000c7f4c3d373ce763b2
Opcode Fuzzy Hash: 05d1d027d43fef3400eb78d84ea7f2dd31953303670bad5e123061446a832ecb
Instruction Fuzzy Hash: 90315B72609B81CAEB609F60E8507EE73A0FB84754F44843ADA4E87A98EF78D548C714

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF681F41F40 Relevance: 12.2, APIs: 8, Instructions: 187
windowCOMMONCrypto

Download Yara Rule

C-Code - Quality: 24%

			E00007FF67FF681F41F40(signed int __ecx, long long __rbx, long long __rdi, long long __rsi) {
				void* __rbp;
				int _t70;
				int _t73;
				int _t76;
				long _t87;
				signed int _t91;
				void* _t97;
				signed int _t110;
				void* _t111;
				signed int _t112;
				signed int _t114;
				void* _t124;
				signed long long _t125;
				signed long long _t126;
				intOrPtr* _t127;
				intOrPtr* _t128;
				intOrPtr* _t129;
				long long _t131;
				int _t159;
				void* _t160;
				void* _t162;
				signed long long _t163;
				int _t169;
				int _t171;

				_t157 = __rsi;
				_t131 = __rbx;
				_t91 = __ecx;
				_t124 = _t162;
				 *((long long*)(_t124 + 0x10)) = __rbx;
				 *((long long*)(_t124 + 0x18)) = __rsi;
				 *((long long*)(_t124 + 0x20)) = __rdi;
				_t160 = _t124 - 0x5f;
				_t163 = _t162 - 0xc0;
				_t125 =  *0x81f60470; // 0xbba9a5b3aaf9
				_t126 = _t125 ^ _t163;
				 *(_t160 + 0x37) = _t126;
				_t110 = __ecx;
				__imp__MonitorFromWindow();
				_t165 = _t160 - 0x39;
				__imp__GetDpiForMonitor();
				r8d =  *0x81f614b8; // 0x0
				if ((r8b & 0x00000002) != 0) goto 0x81f41fc7;
				E00007FF67FF681F3D07C(__rbx, 0x81f614b8, _t160 - 1, __rsi, _t160 - 9);
				 *((long long*)(_t160 - 0x31)) =  *_t126;
				r8d = _t91;
				r9d = r8d;
				 *((intOrPtr*)(_t163 + 0x30)) = 3;
				r9d = r9d >> 9;
				r8d = r8d >> 8;
				_t127 = _t160 - 0x29;
				 *((intOrPtr*)(_t160 - 0x29)) = 0;
				 *((char*)(_t160 - 0x25)) = 3;
				_t16 = _t131 + 1; // 0x1
				r15d = _t16;
				r9d = r9d & r15d;
				 *(_t163 + 0x28) = r15d;
				r8d = r8d & r15d;
				 *((long long*)(_t163 + 0x20)) = _t127;
				E00007FF67FF681F3DD74(0, 0x127655e, _t131, 0x81f614c0, _t157, _t160, _t160 - 0x39);
				_t20 = _t131 + 0x60; // 0x60
				r14d = _t20;
				_t21 = _t131 + 0x78; // 0x78
				_t112 = _t21;
				r8d = r14d;
				_t70 = MulDiv(_t171, _t169, _t159);
				r8d =  *0x81f61488; // 0x0
				_t111 = _t110 - _t70;
				if ((r8b & 0x00000002) != 0) goto 0x81f42050;
				E00007FF67FF681F3CD48(_t131, 0x81f61488, _t160 + 7, _t157, _t160 - 9);
				 *((long long*)(_t160 - 0x31)) =  *_t127;
				r8d = _t112;
				r9d = r8d;
				 *((intOrPtr*)(_t163 + 0x30)) = 3;
				r9d = r9d >> 9;
				_t128 = _t160 - 0x21;
				r8d = r8d >> 8;
				r9d = r9d & r15d;
				 *(_t163 + 0x28) = r15d;
				r8d = r8d & r15d;
				 *((intOrPtr*)(_t160 - 0x21)) = 0;
				 *((char*)(_t160 - 0x1d)) = 3;
				 *((long long*)(_t163 + 0x20)) = _t128;
				E00007FF67FF681F3DD74(0, 0x71cda0, _t131, 0x81f61490, _t157, _t160, _t160 - 0x39);
				r8d = r14d;
				_t73 = MulDiv(??, ??, ??);
				r8d =  *0x81f61498; // 0x0
				_t114 = _t111 - _t73;
				if ((r8b & 0x00000002) != 0) goto 0x81f420ce;
				E00007FF67FF681F3C75C(_t131, 0x81f61498, _t160 + 0xf, _t157, _t160 - 9);
				 *((long long*)(_t160 - 0x31)) =  *_t128;
				r8d = _t112;
				r9d = r8d;
				 *((intOrPtr*)(_t163 + 0x30)) = 3;
				r9d = r9d >> 9;
				_t129 = _t160 - 0x19;
				r8d = r8d >> 8;
				r9d = r9d & r15d;
				 *(_t163 + 0x28) = r15d;
				r8d = r8d & r15d;
				 *((intOrPtr*)(_t160 - 0x19)) = 0;
				 *((char*)(_t160 - 0x15)) = 3;
				 *((long long*)(_t163 + 0x20)) = _t129;
				E00007FF67FF681F3DD74(0, 0x10f6105, _t131, 0x81f614a0, _t157, _t160, _t165);
				r8d = r14d;
				_t76 = MulDiv(??, ??, ??);
				r8d =  *0x81f614a8; // 0x0
				r14d = _t114;
				r14d = r14d - _t76;
				if ((r8b & 0x00000002) != 0) goto 0x81f42151;
				E00007FF67FF681F3D1D8(_t131, 0x81f614a8, _t160 + 0x17, _t157, _t160 - 9);
				 *((long long*)(_t160 - 0x31)) =  *_t129;
				r8d = 0x32;
				r9d = r8d;
				 *((intOrPtr*)(_t163 + 0x30)) = 3;
				r9d = r9d >> 9;
				r8d = r8d >> 8;
				r9d = r9d & r15d;
				 *(_t163 + 0x28) = r15d;
				r8d = r8d & r15d;
				 *((intOrPtr*)(_t160 - 0x11)) = 0;
				 *((char*)(_t160 - 0xd)) = 3;
				 *((long long*)(_t163 + 0x20)) = _t160 - 0x11;
				E00007FF67FF681F3DD74(0, 0x107b944, _t131, 0x81f614b0, _t157, _t160, _t165);
				r8d = 0x60;
				_t97 = r14d - MulDiv(??, ??, ??);
				_t81 =  >  ? _t97 : 0;
				 *((intOrPtr*)(_t160 + 0x1f)) =  >  ? _t97 : 0;
				_t83 =  >  ? r14d : 0;
				 *((intOrPtr*)(_t160 + 0x23)) =  >  ? r14d : 0;
				_t85 =  >  ? _t114 : 0;
				 *((intOrPtr*)(_t160 + 0x27)) =  >  ? _t114 : 0;
				_t89 =  >  ? _t111 : 0;
				 *(_t160 + 0x2f) =  *(_t160 + 0x2f) | 0xffffffff;
				 *((intOrPtr*)(_t160 + 0x2b)) =  >  ? _t111 : 0;
				r8d = 5;
				SendMessageW(??, ??, ??, ??);
				r9d = r9d ^ r9d;
				r8d = 0;
				_t87 = SendMessageW(??, ??, ??, ??);
				E00007FF67FF681F53F70();
				return _t87;
			}

0x7ff681f41f40
0x7ff681f41f40
0x7ff681f41f40
0x7ff681f41f40
0x7ff681f41f43
0x7ff681f41f47
0x7ff681f41f4b
0x7ff681f41f54
0x7ff681f41f58
0x7ff681f41f5f
0x7ff681f41f66
0x7ff681f41f69
0x7ff681f41f6d
0x7ff681f41f7b
0x7ff681f41f90
0x7ff681f41f94
0x7ff681f41fa0
0x7ff681f41fab
0x7ff681f41fb8
0x7ff681f41fc0
0x7ff681f41fc4
0x7ff681f41fc7
0x7ff681f41fca
0x7ff681f41fd4
0x7ff681f41fd8
0x7ff681f41fdc
0x7ff681f41fe5
0x7ff681f41fef
0x7ff681f41ff3
0x7ff681f41ff3
0x7ff681f41ff7
0x7ff681f41ffa
0x7ff681f41fff
0x7ff681f42002
0x7ff681f42007
0x7ff681f4200f
0x7ff681f4200f
0x7ff681f42013
0x7ff681f42013
0x7ff681f42016
0x7ff681f4201b
0x7ff681f42027
0x7ff681f4202e
0x7ff681f42034
0x7ff681f42041
0x7ff681f42049
0x7ff681f4204d
0x7ff681f42050
0x7ff681f42053
0x7ff681f4205b
0x7ff681f4205f
0x7ff681f42063
0x7ff681f4206e
0x7ff681f42071
0x7ff681f42076
0x7ff681f42079
0x7ff681f42081
0x7ff681f42085
0x7ff681f4208a
0x7ff681f42092
0x7ff681f42097
0x7ff681f420a3
0x7ff681f420ac
0x7ff681f420b2
0x7ff681f420bf
0x7ff681f420c7
0x7ff681f420cb
0x7ff681f420ce
0x7ff681f420d1
0x7ff681f420d9
0x7ff681f420dd
0x7ff681f420e1
0x7ff681f420ec
0x7ff681f420ef
0x7ff681f420f4
0x7ff681f420f7
0x7ff681f420ff
0x7ff681f42103
0x7ff681f42108
0x7ff681f42110
0x7ff681f42118
0x7ff681f42124
0x7ff681f4212b
0x7ff681f4212e
0x7ff681f42135
0x7ff681f42142
0x7ff681f4214a
0x7ff681f4214e
0x7ff681f42151
0x7ff681f42154
0x7ff681f4215c
0x7ff681f42164
0x7ff681f4216f
0x7ff681f42172
0x7ff681f42177
0x7ff681f4217a
0x7ff681f42182
0x7ff681f42186
0x7ff681f4218b
0x7ff681f42193
0x7ff681f421b0
0x7ff681f421bb
0x7ff681f421c5
0x7ff681f421cd
0x7ff681f421d3
0x7ff681f421d8
0x7ff681f421dd
0x7ff681f421e0
0x7ff681f421e3
0x7ff681f421e7
0x7ff681f421ef
0x7ff681f421f2
0x7ff681f42205
0x7ff681f42208
0x7ff681f4220d
0x7ff681f42220
0x7ff681f42241

APIs

MonitorFromWindow.USER32 ref: 00007FF681F41F7B
GetDpiForMonitor.API-MS-WIN-SHCORE-SCALING-L1-1-1 ref: 00007FF681F41F94
MulDiv.KERNEL32 ref: 00007FF681F4201B
MulDiv.KERNEL32 ref: 00007FF681F42097
MulDiv.KERNEL32 ref: 00007FF681F42118

Part of subcall function 00007FF681F3DD74: AcquireSRWLockExclusive.KERNEL32 ref: 00007FF681F3DEFE

MulDiv.KERNEL32 ref: 00007FF681F4219D
SendMessageW.USER32 ref: 00007FF681F421F2
SendMessageW.USER32 ref: 00007FF681F4220D

Memory Dump Source

Source File: 00000000.00000002.242166859.00007FF681F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF681F30000, based on PE: true

Associated: 00000000.00000002.242162264.00007FF681F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242186922.00007FF681F56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242194386.00007FF681F60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242238373.00007FF681F63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff681f30000_bHLOVVmF1t.jbxd

Similarity

API ID: MessageMonitorSend$AcquireExclusiveFromLockWindow
String ID:
API String ID: 863332692-0
Opcode ID: 2c108b7e8abde92bef2e408c8b15b9f60e622cb2571115d7cd47538047cbfdde
Instruction ID: f572e70fc4c34f6167321a36888448891b54485b7b15ade10eaa7378e1a60a97
Opcode Fuzzy Hash: 2c108b7e8abde92bef2e408c8b15b9f60e622cb2571115d7cd47538047cbfdde
Instruction Fuzzy Hash: 2F914F72B18A52CAE720CF65E4546AC3BF0FB89B88F405139EA4E93B55CF38D506CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF681F3B83C Relevance: 10.6, APIs: 7, Instructions: 101
filewindowCOMMON

Download Yara Rule

C-Code - Quality: 40%

			E00007FF67FF681F3B83C(long long __rbx, long long __rdi, signed int __r8) {
				void* __rbp;
				void* _t46;
				int _t48;
				void* _t54;
				signed long long _t64;
				signed long long _t65;
				long long _t77;
				intOrPtr _t93;
				void* _t102;
				void* _t103;
				void* _t104;
				void* _t106;
				signed long long _t107;
				void* _t111;

				_t100 = __rdi;
				_t75 = __rbx;
				 *((long long*)(_t106 + 8)) = __rbx;
				 *((long long*)(_t106 + 0x10)) = __rdi;
				_t3 = _t106 - 0x250; // -607
				_t104 = _t3;
				_t107 = _t106 - 0x350;
				_t64 =  *0x81f60470; // 0xbba9a5b3aaf9
				_t65 = _t64 ^ _t107;
				 *(_t104 + 0x240) = _t65;
				 *(_t107 + 0x40) =  *(_t107 + 0x40) & 0x00000000;
				if ( *0x81f620e0 != 0) goto 0x81f3b8bc;
				_t93 =  *0x81f60658; // 0x1bb5cf52996
				_t7 = _t107 + 0x58; // 0x49
				E00007FF67FF681F3E004(__rbx, _t7, _t93, __rdi, _t102, _t104, __r8 | 0xffffffff);
				_t8 = _t107 + 0x58; // 0x49
				E00007FF67FF681F3E104(_t75, _t107 + 0x40, _t8, _t100, _t102, _t104);
				if ( *((intOrPtr*)(_t107 + 0x58)) == 0) goto 0x81f3b93f;
				LocalFree(_t103);
				goto 0x81f3b93f;
				_t46 = FindFirstFileW(??, ??);
				 *((long long*)(_t107 + 0x78)) = 0x81f560b8;
				_t14 = _t107 + 0x70; // 0x61
				if (_t65 == 0xffffffff) goto 0x81f3b91c;
				_t15 = _t104 + 0x1c; // -579
				 *((long long*)(_t107 + 0x50)) = _t15;
				_t17 = _t107 + 0x50; // 0x41
				 *((long long*)(_t104 - 0x80)) = _t17;
				_t19 = _t107 + 0x78; // 0x69
				 *((long long*)(_t104 - 0x20)) = _t19;
				E00007FF67FF681F3D630(_t46, _t65, _t107 + 0x40, _t14);
				_t48 = FindClose(??);
				goto 0x81f3b93f;
				 *((long long*)(_t107 + 0x50)) =  *0x81f620e0;
				_t22 = _t107 + 0x50; // 0x41
				 *((long long*)(_t104 - 0x80)) = _t22;
				_t24 = _t107 + 0x78; // 0x69
				 *((long long*)(_t104 - 0x20)) = _t24;
				E00007FF67FF681F3D630(_t48, _t65, _t65, _t14);
				_t77 =  *(_t107 + 0x40);
				if (_t77 == 0) goto 0x81f3b9fc;
				dil = E00007FF67FF681F39F54(_t24, _t111);
				 *((long long*)(_t107 + 0x68)) = _t77;
				_t87 =  !=  ? "*" : 0x81f57b40;
				 *(_t107 + 0x48) =  *(_t107 + 0x48) & 0x00000000;
				_t30 = _t107 + 0x60; // 0x51
				 *((long long*)(_t107 + 0x60)) =  !=  ? "*" : 0x81f57b40;
				 *((long long*)(_t107 + 0x30)) = _t30;
				r9d = 0;
				 *(_t107 + 0x28) =  *(_t107 + 0x28) & 0x00000000;
				_t35 = _t107 + 0x48; // 0x39
				r8d = 0;
				 *((long long*)(_t107 + 0x20)) = _t35;
				if (FormatMessageW(??, ??, ??, ??, ??, ??, ??) != 0) goto 0x81f3b9c4;
				SetWindowTextW(??, ??);
				 *0x81f6235c = dil;
				if ( *(_t107 + 0x48) == 0) goto 0x81f3b9ed;
				LocalFree(??);
				_t54 = LocalFree(??);
				E00007FF67FF681F53F70();
				return _t54;
			}

0x7ff681f3b83c
0x7ff681f3b83c
0x7ff681f3b83c
0x7ff681f3b841
0x7ff681f3b847
0x7ff681f3b847
0x7ff681f3b84f
0x7ff681f3b856
0x7ff681f3b85d
0x7ff681f3b860
0x7ff681f3b867
0x7ff681f3b877
0x7ff681f3b879
0x7ff681f3b880
0x7ff681f3b889
0x7ff681f3b88e
0x7ff681f3b898
0x7ff681f3b8a5
0x7ff681f3b8ab
0x7ff681f3b8b7
0x7ff681f3b8c0
0x7ff681f3b8d6
0x7ff681f3b8e0
0x7ff681f3b8e9
0x7ff681f3b8eb
0x7ff681f3b8ef
0x7ff681f3b8f4
0x7ff681f3b8f9
0x7ff681f3b8fd
0x7ff681f3b902
0x7ff681f3b906
0x7ff681f3b90e
0x7ff681f3b91a
0x7ff681f3b923
0x7ff681f3b928
0x7ff681f3b92d
0x7ff681f3b931
0x7ff681f3b936
0x7ff681f3b93a
0x7ff681f3b93f
0x7ff681f3b947
0x7ff681f3b960
0x7ff681f3b963
0x7ff681f3b972
0x7ff681f3b976
0x7ff681f3b97c
0x7ff681f3b981
0x7ff681f3b986
0x7ff681f3b98b
0x7ff681f3b98e
0x7ff681f3b993
0x7ff681f3b998
0x7ff681f3b99b
0x7ff681f3b9bf
0x7ff681f3b9c4
0x7ff681f3b9d5
0x7ff681f3b9df
0x7ff681f3b9e1
0x7ff681f3b9f0
0x7ff681f3ba06
0x7ff681f3ba1f

APIs

LocalFree.KERNEL32 ref: 00007FF681F3B8AB
FindFirstFileW.KERNEL32 ref: 00007FF681F3B8C0
FindClose.KERNEL32 ref: 00007FF681F3B90E
FormatMessageW.KERNEL32 ref: 00007FF681F3B9A5
SetWindowTextW.USER32 ref: 00007FF681F3B9C4
LocalFree.KERNEL32 ref: 00007FF681F3B9E1
LocalFree.KERNEL32 ref: 00007FF681F3B9F0

Part of subcall function 00007FF681F3E004: LocalAlloc.KERNEL32(00000000,?,00000000,00007FF681F3D752), ref: 00007FF681F3E083

Part of subcall function 00007FF681F3E104: GetLastError.KERNEL32(?,?,?,?,?,?,?,00007FF681F3D752), ref: 00007FF681F3E12E
Part of subcall function 00007FF681F3E104: LocalFree.KERNEL32(?,?,?,?,?,?,?,00007FF681F3D752), ref: 00007FF681F3E13F
Part of subcall function 00007FF681F3E104: SetLastError.KERNEL32(?,?,?,?,?,?,?,00007FF681F3D752), ref: 00007FF681F3E14D

Memory Dump Source

Source File: 00000000.00000002.242166859.00007FF681F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF681F30000, based on PE: true

Associated: 00000000.00000002.242162264.00007FF681F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242186922.00007FF681F56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242194386.00007FF681F60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242238373.00007FF681F63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff681f30000_bHLOVVmF1t.jbxd

Similarity

API ID: Local$Free$ErrorFindLast$AllocCloseFileFirstFormatMessageTextWindow
String ID:
API String ID: 3165367029-0
Opcode ID: 18f98f267c844455c058eaa033f4983bcfa135eb32ab1f86c23277928966e1c5
Instruction ID: 9cdd3f477544e1c64654b0de68cbf74de65a55d3f1b40fd9fddae27ee757a8b7
Opcode Fuzzy Hash: 18f98f267c844455c058eaa033f4983bcfa135eb32ab1f86c23277928966e1c5
Instruction Fuzzy Hash: D8510932609B82C6EB108F51E8502AAB7F4FF89765F544239DA9E837A8DF3CD145CB00

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF681F391C4 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 198windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32 ref: 00007FF681F39227
SendMessageW.USER32 ref: 00007FF681F396FB
CoTaskMemFree.API-MS-WIN-CORE-COM-L1-1-0 ref: 00007FF681F39C5D

Strings

shell\osshell\accesory\notepad\notepad.cpp, xrefs: 00007FF681F39345

Memory Dump Source

Source File: 00000000.00000002.242166859.00007FF681F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF681F30000, based on PE: true

Associated: 00000000.00000002.242162264.00007FF681F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242186922.00007FF681F56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242194386.00007FF681F60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242238373.00007FF681F63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff681f30000_bHLOVVmF1t.jbxd

Similarity

API ID: MessageSend$FreeTask
String ID: shell\osshell\accesory\notepad\notepad.cpp
API String ID: 3291876417-1693142988
Opcode ID: 1f38d53ab0ca0c2c2be74528d6322711ab10c661e6b1bb145ec99a923bd41197
Instruction ID: 4a09fd6c84ade6dcdd5e16ed2c8a1af9af5e2e2618b35b6bfc7ca1cbf623aa81
Opcode Fuzzy Hash: 1f38d53ab0ca0c2c2be74528d6322711ab10c661e6b1bb145ec99a923bd41197
Instruction Fuzzy Hash: A5917CB6E0CA46C6E7609B61E8506B97BE0FF85348F44513DDA4EC36A5DF3CA449CB02

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF681F3B3B8 Relevance: 7.7, APIs: 5, Instructions: 151
windowCOMMONCrypto

Download Yara Rule

C-Code - Quality: 38%

			E00007FF67FF681F3B3B8(signed int __ecx, signed int __edi, long long __rbx, long long __rdi, long long __rsi, void* __r9) {
				void* __rbp;
				long _t54;
				long _t59;
				signed int _t61;
				signed int _t62;
				signed int _t72;
				intOrPtr _t74;
				void* _t85;
				signed long long _t86;
				signed long long _t87;
				intOrPtr* _t88;
				intOrPtr* _t89;
				long long _t90;
				void* _t112;
				void* _t118;
				signed long long* _t119;
				void* _t121;
				signed long long _t122;
				void* _t124;
				intOrPtr _t125;
				int _t130;
				struct HWND__* _t132;

				_t116 = __rsi;
				_t91 = __rbx;
				_t72 = __edi;
				_t62 = __ecx;
				_t85 = _t121;
				 *((long long*)(_t85 + 8)) = __rbx;
				 *((long long*)(_t85 + 0x10)) = __rsi;
				 *((long long*)(_t85 + 0x18)) = __rdi;
				_t119 = _t85 - 0x28;
				_t122 = _t121 - 0x110;
				_t86 =  *0x81f60470; // 0xbba9a5b3aaf9
				_t87 = _t86 ^ _t122;
				 *_t119 = _t87;
				r14d = 0;
				sil = __ecx;
				r15d = 1;
				if ( *0x81f6236c == r14d) goto 0x81f3b467;
				r8d =  *0x81f614a8; // 0x0
				if ((0x00000002 & r8b) != 0) goto 0x81f3b424;
				E00007FF67FF681F3D1D8(__rbx, 0x81f614a8, _t122 + 0x60, __rsi, __r9);
				 *((long long*)(_t122 + 0x40)) =  *_t87;
				r8d = _t62;
				r9d = r8d;
				 *((intOrPtr*)(_t122 + 0x30)) = 3;
				r9d = r9d >> 9;
				_t88 = _t122 + 0x48;
				r8d = r8d >> 8;
				r9d = r9d & r15d;
				 *(_t122 + 0x28) = r15d;
				r8d = r8d & r15d;
				 *((intOrPtr*)(_t122 + 0x48)) = r14d;
				 *((char*)(_t122 + 0x4c)) = 3;
				 *((long long*)(_t122 + 0x20)) = _t88;
				E00007FF67FF681F3DD74(2, 0x107b944, _t91, 0x81f614b0, _t116, _t119, _t124);
				r8d =  *0x81f62670;
				if ((0x00000002 & r8b) != 0) goto 0x81f3b48f;
				E00007FF67FF681F3C8B8(_t91, 0x81f62670, _t122 + 0x68, _t116, __r9);
				 *((long long*)(_t122 + 0x40)) =  *_t88;
				r8d = _t62;
				r9d = r8d;
				 *((intOrPtr*)(_t122 + 0x30)) = 3;
				r9d = r9d >> 9;
				_t89 = _t122 + 0x50;
				r8d = r8d >> 8;
				r9d = r9d & r15d;
				 *(_t122 + 0x28) = r15d;
				r8d = r8d & r15d;
				 *((intOrPtr*)(_t122 + 0x50)) = r14d;
				 *((char*)(_t122 + 0x54)) = 3;
				 *((long long*)(_t122 + 0x20)) = _t89;
				E00007FF67FF681F3DD74(2, 0x1072a70, _t91, 0x81f62678, _t116, _t119, _t124);
				r9d = 0;
				r8d = 0;
				SendMessageW(_t132, _t130);
				r8d =  *0x81f614a8; // 0x0
				if ((0x00000002 & r8b) != 0) goto 0x81f3b51b;
				_t112 = _t122 + 0x70;
				E00007FF67FF681F3D1D8(_t91, 0x81f614a8, _t112, _t116, __r9);
				 *((long long*)(_t122 + 0x40)) =  *_t89;
				r8d = _t62;
				r9d = r8d;
				 *((intOrPtr*)(_t122 + 0x30)) = 3;
				r9d = r9d >> 9;
				_t90 = _t122 + 0x58;
				r8d = r8d >> 8;
				r9d = r9d & r15d;
				 *(_t122 + 0x28) = r15d;
				r8d = r8d & r15d;
				 *((intOrPtr*)(_t122 + 0x58)) = r14d;
				 *((char*)(_t122 + 0x5c)) = 3;
				 *((long long*)(_t122 + 0x20)) = _t90;
				E00007FF67FF681F3DD74(2, 0x107b944, _t91, 0x81f614b0, _t116, _t119, _t124);
				r9d = 0;
				r8d = _t72;
				_t54 = SendMessageW(??, ??, ??, ??);
				r9d = r9d ^ r9d;
				r8d = _t54;
				_t35 = _t90 + 1; // 0x1
				_t61 = _t35;
				_t74 = _t72 - SendMessageW(??, ??, ??, ??) + 1;
				if (sil != 0) goto 0x81f3b5b6;
				if (_t74 !=  *0x81f620f0) goto 0x81f3b5b6;
				if (_t61 ==  *0x81f620f4) goto 0x81f3b61c;
				_t37 = _t112 + 0x7e; // 0x7e
				r8d = _t37;
				memset(??, ??, ??);
				_t125 =  *0x81f60530; // 0x1bb5cf529dc
				 *((intOrPtr*)(_t122 + 0x20)) = _t74;
				r9d = _t61;
				 *((short*)(_t119 - 0x80)) = 0x20;
				if (E00007FF67FF681F31860(_t119 - 0x7e, _t112, _t125, __r9, _t118) < 0) goto 0x81f3b610;
				if ( *0x81f62590 == 0) goto 0x81f3b610;
				_t59 = SendMessageW(??, ??, ??, ??);
				 *0x81f620f0 = _t74;
				 *0x81f620f4 = _t61;
				E00007FF67FF681F53F70();
				return _t59;
			}

0x7ff681f3b3b8
0x7ff681f3b3b8
0x7ff681f3b3b8
0x7ff681f3b3b8
0x7ff681f3b3b8
0x7ff681f3b3bb
0x7ff681f3b3bf
0x7ff681f3b3c3
0x7ff681f3b3cc
0x7ff681f3b3d0
0x7ff681f3b3d7
0x7ff681f3b3de
0x7ff681f3b3e1
0x7ff681f3b3e5
0x7ff681f3b3e8
0x7ff681f3b3f4
0x7ff681f3b3fa
0x7ff681f3b3fc
0x7ff681f3b406
0x7ff681f3b414
0x7ff681f3b41c
0x7ff681f3b421
0x7ff681f3b424
0x7ff681f3b427
0x7ff681f3b42f
0x7ff681f3b433
0x7ff681f3b438
0x7ff681f3b443
0x7ff681f3b446
0x7ff681f3b44b
0x7ff681f3b44e
0x7ff681f3b458
0x7ff681f3b45d
0x7ff681f3b462
0x7ff681f3b467
0x7ff681f3b471
0x7ff681f3b47f
0x7ff681f3b487
0x7ff681f3b48c
0x7ff681f3b48f
0x7ff681f3b492
0x7ff681f3b49a
0x7ff681f3b49e
0x7ff681f3b4a3
0x7ff681f3b4ae
0x7ff681f3b4b1
0x7ff681f3b4b6
0x7ff681f3b4b9
0x7ff681f3b4c3
0x7ff681f3b4c8
0x7ff681f3b4cd
0x7ff681f3b4d9
0x7ff681f3b4dc
0x7ff681f3b4e4
0x7ff681f3b4f0
0x7ff681f3b4fd
0x7ff681f3b4ff
0x7ff681f3b50b
0x7ff681f3b513
0x7ff681f3b518
0x7ff681f3b51b
0x7ff681f3b51e
0x7ff681f3b526
0x7ff681f3b52a
0x7ff681f3b52f
0x7ff681f3b53a
0x7ff681f3b53d
0x7ff681f3b542
0x7ff681f3b545
0x7ff681f3b54f
0x7ff681f3b554
0x7ff681f3b559
0x7ff681f3b565
0x7ff681f3b568
0x7ff681f3b570
0x7ff681f3b583
0x7ff681f3b586
0x7ff681f3b58e
0x7ff681f3b58e
0x7ff681f3b59f
0x7ff681f3b5a4
0x7ff681f3b5ac
0x7ff681f3b5b4
0x7ff681f3b5bc
0x7ff681f3b5bc
0x7ff681f3b5c0
0x7ff681f3b5c5
0x7ff681f3b5d5
0x7ff681f3b5d9
0x7ff681f3b5dc
0x7ff681f3b5ea
0x7ff681f3b5f6
0x7ff681f3b604
0x7ff681f3b610
0x7ff681f3b616
0x7ff681f3b623
0x7ff681f3b644

APIs

SendMessageW.USER32 ref: 00007FF681F3B4E4
SendMessageW.USER32 ref: 00007FF681F3B570
SendMessageW.USER32 ref: 00007FF681F3B591
memset.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF681F3B5C0
SendMessageW.USER32 ref: 00007FF681F3B604

Memory Dump Source

Source File: 00000000.00000002.242166859.00007FF681F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF681F30000, based on PE: true

Associated: 00000000.00000002.242162264.00007FF681F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242186922.00007FF681F56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242194386.00007FF681F60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242238373.00007FF681F63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff681f30000_bHLOVVmF1t.jbxd

Similarity

API ID: MessageSend$memset
String ID:
API String ID: 2191228795-0
Opcode ID: 75b285319dbb9f65646ac2cba72a6b0d4aa58d3d3fbd4f02b898bd9a7c3e6312
Instruction ID: 419226b11b8cfe6447748f68682b0949a6e98404f1354310face3b9da9f349c2
Opcode Fuzzy Hash: 75b285319dbb9f65646ac2cba72a6b0d4aa58d3d3fbd4f02b898bd9a7c3e6312
Instruction Fuzzy Hash: 3B617C72A18A86D6EB20CF55E850AA97BE0FFC5784F405139EA4D87B64CF3CD546CB00

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF681F3B130 Relevance: 7.6, APIs: 5, Instructions: 147
windowCOMMONCrypto

Download Yara Rule

C-Code - Quality: 41%

			E00007FF67FF681F3B130(signed int __edi, long long __rbx, long long __rdi, long long __rsi, void* __r9) {
				void* __rbp;
				intOrPtr _t50;
				void* _t51;
				void* _t52;
				intOrPtr _t55;
				signed int _t71;
				signed int _t73;
				signed int _t77;
				signed long long _t82;
				signed long long _t83;
				intOrPtr* _t84;
				long long _t86;
				void* _t111;
				void* _t114;
				signed long long _t115;
				void* _t117;
				intOrPtr _t120;
				intOrPtr _t121;
				intOrPtr _t128;

				_t122 = __r9;
				_t109 = __rsi;
				_t86 = __rbx;
				_t71 = __edi;
				 *((long long*)(_t114 + 8)) = __rbx;
				 *((long long*)(_t114 + 0x10)) = __rsi;
				 *((long long*)(_t114 + 0x18)) = __rdi;
				_t112 = _t114 - 0x80;
				_t115 = _t114 - 0x180;
				_t82 =  *0x81f60470; // 0xbba9a5b3aaf9
				_t83 = _t82 ^ _t115;
				 *(_t114 - 0x80 + 0x70) = _t83;
				E00007FF67FF681F3B3B8(1, __edi, __rbx, __rdi, __rsi, __r9);
				r8d =  *0x81f61488; // 0x0
				_t73 = r8b & 0x00000002;
				if (_t73 != 0) goto 0x81f3b18a;
				E00007FF67FF681F3CD48(_t86, 0x81f61488, _t115 + 0x58, _t109, _t122);
				 *((long long*)(_t115 + 0x50)) =  *_t83;
				r8d = 1;
				r9d = r8d;
				 *((intOrPtr*)(_t115 + 0x30)) = 3;
				r9d = r9d >> 9;
				_t84 = _t115 + 0x40;
				r8d = r8d >> 8;
				 *(_t115 + 0x28) = 1;
				r9d = r9d & 0x00000001;
				 *((intOrPtr*)(_t115 + 0x40)) = 0;
				r8d = r8d & 0x00000001;
				 *((char*)(_t115 + 0x44)) = 3;
				 *((long long*)(_t115 + 0x20)) = _t84;
				E00007FF67FF681F3DD74(_t52, 0x71cda0, _t86, 0x81f61490, _t109, _t114 - 0x80, _t117);
				r9d = 0;
				r8d = 0;
				SendMessageW(??, ??, ??, ??);
				r8d = 0x80;
				memset(??, ??, ??);
				if (_t73 == 0) goto 0x81f3b228;
				if (_t73 == 0) goto 0x81f3b21f;
				if (_t71 != 1) goto 0x81f3b228;
				goto 0x81f3b22f;
				goto 0x81f3b22f;
				_t120 =  *0x81f60528; // 0x1bb5cf529fa
				if (E00007FF67FF681F31860(_t114 - 0x70, _t115 + 0x58, _t120, _t122, _t111) < 0) goto 0x81f3b268;
				if ( *0x81f62590 == 0) goto 0x81f3b268;
				_t19 = _t86 - 0x3d; // 0x3
				r8d = _t19;
				SendMessageW(??, ??, ??, ??);
				r8d =  *0x81f614b8; // 0x0
				 *0x81f62640 = _t71;
				_t77 = r8b & 0x00000002;
				if (_t77 != 0) goto 0x81f3b297;
				E00007FF67FF681F3D07C(_t86, 0x81f614b8, _t115 + 0x60, _t109, _t112 - 0x10);
				 *((long long*)(_t115 + 0x50)) =  *_t84;
				r8d = 1;
				r9d = r8d;
				 *((intOrPtr*)(_t115 + 0x30)) = 3;
				r9d = r9d >> 9;
				r8d = r8d >> 8;
				r9d = r9d & 0x00000001;
				 *(_t115 + 0x28) = 1;
				r8d = r8d & 0x00000001;
				 *((intOrPtr*)(_t115 + 0x48)) = 0;
				 *((char*)(_t115 + 0x4c)) = 3;
				 *((long long*)(_t115 + 0x20)) = _t115 + 0x48;
				E00007FF67FF681F3DD74(0x40, 0x127655e, _t86, 0x81f614c0, _t109, _t112, _t120);
				r8d = 0x80;
				memset(??, ??, ??);
				_t55 =  *0x81f615e4; // 0x0
				if (_t77 == 0) goto 0x81f3b333;
				if (_t77 == 0) goto 0x81f3b32a;
				if (_t77 == 0) goto 0x81f3b321;
				if (_t77 == 0) goto 0x81f3b318;
				if (_t55 - 0xfffffffffffffffe != 1) goto 0x81f3b333;
				goto 0x81f3b33a;
				goto 0x81f3b33a;
				goto 0x81f3b33a;
				goto 0x81f3b33a;
				_t128 =  *0x81f60560; // 0x1bb5cf529cc
				_t121 =  *0x81f604f8; // 0x1bb5cf52a06
				if (E00007FF67FF681F31860(_t115 + 0x70, _t86, _t121, _t128) < 0) goto 0x81f3b37a;
				if ( *0x81f62590 == 0) goto 0x81f3b37a;
				r8d = 4;
				SendMessageW(??, ??, ??, ??);
				_t50 =  *0x81f615e4; // 0x0
				 *0x81f62644 = _t50;
				_t51 = E00007FF67FF681F3B660(_t55 - 0xfffffffffffffffe, _t86, _t84);
				E00007FF67FF681F53F70();
				return _t51;
			}

0x7ff681f3b130
0x7ff681f3b130
0x7ff681f3b130
0x7ff681f3b130
0x7ff681f3b130
0x7ff681f3b135
0x7ff681f3b13a
0x7ff681f3b140
0x7ff681f3b145
0x7ff681f3b14c
0x7ff681f3b153
0x7ff681f3b156
0x7ff681f3b15c
0x7ff681f3b161
0x7ff681f3b168
0x7ff681f3b16c
0x7ff681f3b17a
0x7ff681f3b182
0x7ff681f3b187
0x7ff681f3b18a
0x7ff681f3b18d
0x7ff681f3b195
0x7ff681f3b199
0x7ff681f3b19e
0x7ff681f3b1ab
0x7ff681f3b1b3
0x7ff681f3b1b7
0x7ff681f3b1bb
0x7ff681f3b1bf
0x7ff681f3b1c9
0x7ff681f3b1ce
0x7ff681f3b1da
0x7ff681f3b1dd
0x7ff681f3b1e5
0x7ff681f3b1f7
0x7ff681f3b200
0x7ff681f3b20a
0x7ff681f3b20f
0x7ff681f3b214
0x7ff681f3b21d
0x7ff681f3b226
0x7ff681f3b228
0x7ff681f3b241
0x7ff681f3b24d
0x7ff681f3b258
0x7ff681f3b258
0x7ff681f3b25c
0x7ff681f3b268
0x7ff681f3b26f
0x7ff681f3b275
0x7ff681f3b279
0x7ff681f3b287
0x7ff681f3b28f
0x7ff681f3b294
0x7ff681f3b297
0x7ff681f3b29a
0x7ff681f3b2a2
0x7ff681f3b2ab
0x7ff681f3b2b6
0x7ff681f3b2ba
0x7ff681f3b2c2
0x7ff681f3b2c6
0x7ff681f3b2cf
0x7ff681f3b2d4
0x7ff681f3b2d9
0x7ff681f3b2e5
0x7ff681f3b2eb
0x7ff681f3b2f0
0x7ff681f3b2f9
0x7ff681f3b2fe
0x7ff681f3b303
0x7ff681f3b308
0x7ff681f3b30d
0x7ff681f3b316
0x7ff681f3b31f
0x7ff681f3b328
0x7ff681f3b331
0x7ff681f3b333
0x7ff681f3b33a
0x7ff681f3b350
0x7ff681f3b35c
0x7ff681f3b368
0x7ff681f3b36e
0x7ff681f3b37a
0x7ff681f3b380
0x7ff681f3b386
0x7ff681f3b392
0x7ff681f3b3af

APIs

Part of subcall function 00007FF681F3B3B8: SendMessageW.USER32 ref: 00007FF681F3B4E4
Part of subcall function 00007FF681F3B3B8: SendMessageW.USER32 ref: 00007FF681F3B570

SendMessageW.USER32 ref: 00007FF681F3B1E5
memset.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF681F3B200
SendMessageW.USER32 ref: 00007FF681F3B25C
memset.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF681F3B2EB
SendMessageW.USER32 ref: 00007FF681F3B36E

Part of subcall function 00007FF681F3B660: SendMessageW.USER32 ref: 00007FF681F3B703
Part of subcall function 00007FF681F3B660: SendMessageW.USER32 ref: 00007FF681F3B776

Memory Dump Source

Source File: 00000000.00000002.242166859.00007FF681F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF681F30000, based on PE: true

Associated: 00000000.00000002.242162264.00007FF681F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242186922.00007FF681F56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242194386.00007FF681F60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242238373.00007FF681F63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff681f30000_bHLOVVmF1t.jbxd

Similarity

API ID: MessageSend$memset
String ID:
API String ID: 2191228795-0
Opcode ID: 4285d87d195cd1e960e8f51ae0ca83dc38586dde5f62c131c7b169247242ec81
Instruction ID: 354ed374191d037da523bc5ced56591085ec0dbe8bd9c2a593a9387863dbbd84
Opcode Fuzzy Hash: 4285d87d195cd1e960e8f51ae0ca83dc38586dde5f62c131c7b169247242ec81
Instruction Fuzzy Hash: 26616932A1CA56C6E761CB55E8246B937E0FF85784F50413AEA4DC7A69CF3DE402CB01

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF681F3350C Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 43libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF681F33543
GetProcAddress.KERNEL32 ref: 00007FF681F33560

Strings

ntdll.dll, xrefs: 00007FF681F3353C
NtUpdateWnfStateData, xrefs: 00007FF681F33556

Memory Dump Source

Source File: 00000000.00000002.242166859.00007FF681F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF681F30000, based on PE: true

Associated: 00000000.00000002.242162264.00007FF681F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242186922.00007FF681F56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242194386.00007FF681F60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242238373.00007FF681F63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff681f30000_bHLOVVmF1t.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: NtUpdateWnfStateData$ntdll.dll
API String ID: 1646373207-3251081820
Opcode ID: 6ce51e187a54486ac23cd4d4ab6aa347e5d083fc6171979730ab9b126de9cd6b
Instruction ID: 306e0e5ed41d89f900321e358380248d6dfaaa461558e442c09d6fde2b31306b
Opcode Fuzzy Hash: 6ce51e187a54486ac23cd4d4ab6aa347e5d083fc6171979730ab9b126de9cd6b
Instruction Fuzzy Hash: B511E965A09B46C6E750CB15F440665BBE0FF89B94F448239EA4DC7754EF3CE445CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF681F3FDAC Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 43
windowCOMMON

Download Yara Rule

C-Code - Quality: 16%

			E00007FF67FF681F3FDAC(long long __rcx) {
				signed long long _v24;
				char _v536;
				signed long long _v552;
				intOrPtr _v560;
				long long _v568;
				void* __rbx;
				long _t10;
				void* _t13;
				signed long long _t19;
				intOrPtr _t29;
				void* _t30;
				void* _t31;
				void* _t32;
				signed long long _t33;
				intOrPtr _t36;

				_t19 =  *0x81f60470; // 0xbba9a5b3aaf9
				_v24 = _t19 ^ _t33;
				_t10 = GetLastError();
				if (_t10 != 5) goto 0x81f3fde4;
				goto 0x81f3fe47;
				_v552 = _v552 & 0x00000000;
				_v560 = 0x100;
				r9d = 0;
				_v568 =  &_v536;
				r8d = _t10;
				if (FormatMessageW(??, ??, ??, ??, ??, ??, ??) == 0) goto 0x81f3fe40;
				r9d = 0x30;
				MessageBoxW(??, ??, ??, ??);
				goto 0x81f3fe65;
				_t36 =  *0x81f60670; // 0x1bb5cf52990
				_t29 =  *0x81f60630; // 0x1bb5cf529a0
				_v568 = 0x30;
				_t13 = E00007FF67FF681F3BDA4(__rcx,  *0x81f62598, _t29, _t30, _t31, _t32, _t36, __rcx);
				E00007FF67FF681F53F70();
				return _t13;
			}

0x7ff681f3fdb5
0x7ff681f3fdbf
0x7ff681f3fdca
0x7ff681f3fdd9
0x7ff681f3fde2
0x7ff681f3fde4
0x7ff681f3fdef
0x7ff681f3fdf7
0x7ff681f3fdfa
0x7ff681f3fdff
0x7ff681f3fe17
0x7ff681f3fe2c
0x7ff681f3fe32
0x7ff681f3fe3e
0x7ff681f3fe40
0x7ff681f3fe47
0x7ff681f3fe58
0x7ff681f3fe60
0x7ff681f3fe70
0x7ff681f3fe7d

APIs

GetLastError.KERNEL32 ref: 00007FF681F3FDCA
FormatMessageW.KERNEL32 ref: 00007FF681F3FE09
MessageBoxW.USER32 ref: 00007FF681F3FE32

Part of subcall function 00007FF681F3BDA4: wcsnlen.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF681F3BDDF
Part of subcall function 00007FF681F3BDA4: LocalAlloc.KERNEL32 ref: 00007FF681F3BE1C
Part of subcall function 00007FF681F3BDA4: MessageBoxW.USER32 ref: 00007FF681F3BEBD
Part of subcall function 00007FF681F3BDA4: LocalFree.KERNEL32 ref: 00007FF681F3BECE

Strings

0, xrefs: 00007FF681F3FE58

Memory Dump Source

Source File: 00000000.00000002.242166859.00007FF681F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF681F30000, based on PE: true

Associated: 00000000.00000002.242162264.00007FF681F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242186922.00007FF681F56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242194386.00007FF681F60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242238373.00007FF681F63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff681f30000_bHLOVVmF1t.jbxd

Similarity

API ID: Message$Local$AllocErrorFormatFreeLastwcsnlen
String ID: 0
API String ID: 230745121-4108050209
Opcode ID: 8760b56581ec2811f66a8d475eb1c0926926e57e5f90996f070d5d70a6d2647b
Instruction ID: 4ed8ad1a02988164709374f77875d585bcb1fd0488440a12117733717db9bcd4
Opcode Fuzzy Hash: 8760b56581ec2811f66a8d475eb1c0926926e57e5f90996f070d5d70a6d2647b
Instruction Fuzzy Hash: F1111671A18A86C2F7608B11F8683B97BA0FF89B84F545139DA4E83755CF3DE585CB01

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF681F33464 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 39libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF681F33493
GetProcAddress.KERNEL32 ref: 00007FF681F334B0

Strings

ntdll.dll, xrefs: 00007FF681F3348C
NtQueryWnfStateData, xrefs: 00007FF681F334A6

Memory Dump Source

Source File: 00000000.00000002.242166859.00007FF681F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF681F30000, based on PE: true

Associated: 00000000.00000002.242162264.00007FF681F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242186922.00007FF681F56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242194386.00007FF681F60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242238373.00007FF681F63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff681f30000_bHLOVVmF1t.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: NtQueryWnfStateData$ntdll.dll
API String ID: 1646373207-3115237368
Opcode ID: f5376dce8cd3d852963dc6d07f076b70244c84a767f9dd6f7db245f0ff71a9b1
Instruction ID: e10449683c4b07715fb716bfdd3beb2e54a741ff9d2188380226b0837c00df21
Opcode Fuzzy Hash: f5376dce8cd3d852963dc6d07f076b70244c84a767f9dd6f7db245f0ff71a9b1
Instruction Fuzzy Hash: 70010525A0DB4AC6EB51CB1AF800575B6E0FF89B94F858239DA4D83724EF3CE491CB00

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF681F53F98 Relevance: 6.0, APIs: 4, Instructions: 21
COMMON

Download Yara Rule

C-Code - Quality: 16%

			E00007FF67FF681F53F98() {
				long _t4;

				 *0x81f61200 = IsDebuggerPresent();
				E00007FF67FF681F546C0(_t1);
				SetUnhandledExceptionFilter(??);
				_t4 = UnhandledExceptionFilter(??);
				if ( *0x81f61200 != 0) goto 0x81f53fdb;
				E00007FF67FF681F546C0(_t4);
				GetCurrentProcess();
				return TerminateProcess(??, ??);
			}

0x7ff681f53fac
0x7ff681f53fb2
0x7ff681f53fb9
0x7ff681f53fc2
0x7ff681f53fcf
0x7ff681f53fd6
0x7ff681f53fdb
0x7ff681f53fee

APIs

IsDebuggerPresent.KERNEL32(?,?,?,00007FF681F540CD), ref: 00007FF681F53FA1
SetUnhandledExceptionFilter.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,00007FF681F540CD), ref: 00007FF681F53FB9
UnhandledExceptionFilter.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,00007FF681F540CD), ref: 00007FF681F53FC2
GetCurrentProcess.KERNEL32(?,?,?,00007FF681F540CD), ref: 00007FF681F53FDB

Memory Dump Source

Source File: 00000000.00000002.242166859.00007FF681F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF681F30000, based on PE: true

Associated: 00000000.00000002.242162264.00007FF681F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242186922.00007FF681F56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242194386.00007FF681F60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242238373.00007FF681F63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff681f30000_bHLOVVmF1t.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CurrentDebuggerPresentProcess
String ID:
API String ID: 2506494423-0
Opcode ID: 4c3363a7135af5e78631cbfed436ee33212215c8b21c9ce7ab314b918fd772b9
Instruction ID: 7f3a363cedbcef6547f51bb549df5ff837f8358dec043498071785f574f5dc0e
Opcode Fuzzy Hash: 4c3363a7135af5e78631cbfed436ee33212215c8b21c9ce7ab314b918fd772b9
Instruction Fuzzy Hash: 7AF0C9A0E08606C6F7586FA1B8152F432E1BF88766F00853CDA2AC72A1DE7D64C5C614

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF681F31F84 Relevance: 4.7, APIs: 3, Instructions: 185threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00007FF681F32085
IsDebuggerPresent.KERNEL32 ref: 00007FF681F3217B
OutputDebugStringW.KERNEL32 ref: 00007FF681F321F6

Memory Dump Source

Source File: 00000000.00000002.242166859.00007FF681F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF681F30000, based on PE: true

Associated: 00000000.00000002.242162264.00007FF681F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242186922.00007FF681F56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242194386.00007FF681F60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242238373.00007FF681F63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff681f30000_bHLOVVmF1t.jbxd

Similarity

API ID: CurrentDebugDebuggerOutputPresentStringThread
String ID:
API String ID: 4268342597-0
Opcode ID: 4e18264df6e48f380319f5887354ee458063e37a2e8e087444bb783893cccf68
Instruction ID: 49dc263230563db841a6f60f370a83a17c469542ed623c01e1f51fe99c468d5c
Opcode Fuzzy Hash: 4e18264df6e48f380319f5887354ee458063e37a2e8e087444bb783893cccf68
Instruction Fuzzy Hash: 36814766A0CB86C5EB649F26A84027977E1FF85B84F58813DDA4D83764DF3CE482C741

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF681F37CF4 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 27COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32 ref: 00007FF681F37D25

Strings

1, xrefs: 00007FF681F37D31

Memory Dump Source

Source File: 00000000.00000002.242166859.00007FF681F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF681F30000, based on PE: true

Associated: 00000000.00000002.242162264.00007FF681F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242186922.00007FF681F56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242194386.00007FF681F60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242238373.00007FF681F63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff681f30000_bHLOVVmF1t.jbxd

Similarity

API ID: InfoLocale
String ID: 1
API String ID: 2299586839-2212294583
Opcode ID: dfe7a1840282e86d1618c6205a8a0be00ba686fa199d4305ac6bc33845fea3f6
Instruction ID: 27a5809971c1633b7083e48d57e3d26051700b1d138038ad709678337df84e77
Opcode Fuzzy Hash: dfe7a1840282e86d1618c6205a8a0be00ba686fa199d4305ac6bc33845fea3f6
Instruction Fuzzy Hash: 10017275E1D68ACAE7408B58E8447A4BAE0BFC5344F44423AE60EC76A0EF7CA955CB41

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF681F50950 Relevance: 1.5, APIs: 1, Instructions: 35comCOMMON

Download Yara Rule

APIs

CoCreateInstance.API-MS-WIN-CORE-COM-L1-1-0 ref: 00007FF681F5098E

Memory Dump Source

Source File: 00000000.00000002.242166859.00007FF681F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF681F30000, based on PE: true

Associated: 00000000.00000002.242162264.00007FF681F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242186922.00007FF681F56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242194386.00007FF681F60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242238373.00007FF681F63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff681f30000_bHLOVVmF1t.jbxd

Similarity

API ID: CreateInstance
String ID:
API String ID: 542301482-0
Opcode ID: d2c53f67e5013a859918ab45323b25bde666a032ec1a1483b04e19c59aa8f616
Instruction ID: 96cff5db670d09942be63fc7f1ecda4810c6b85aee5943533b53890b068eb40f
Opcode Fuzzy Hash: d2c53f67e5013a859918ab45323b25bde666a032ec1a1483b04e19c59aa8f616
Instruction Fuzzy Hash: 49014032A08A86D6EB108B16F8514A577A1FF88B94F54C239DE9D83724DF3DE585C700

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF681F3E348 Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(?,?,?,?,?,?,00007FF681F3FC07), ref: 00007FF681F3E36A

Memory Dump Source

Source File: 00000000.00000002.242166859.00007FF681F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF681F30000, based on PE: true

Associated: 00000000.00000002.242162264.00007FF681F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242186922.00007FF681F56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242194386.00007FF681F60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242238373.00007FF681F63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff681f30000_bHLOVVmF1t.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 324d670a88c67a413994f2c293c05d59efaa1bcde211c7ea4bf73df14e97e295
Instruction ID: 1c5e8a134b3d19430a607db748abf3545d66535e7ec5b30eae0fc38b2add87d5
Opcode Fuzzy Hash: 324d670a88c67a413994f2c293c05d59efaa1bcde211c7ea4bf73df14e97e295
Instruction Fuzzy Hash: 75F03036708A86C2EB649B14E4112B976E5FF89708F804039DA8DC7685DE2DE506CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF681F3D8CC Relevance: .2, Instructions: 210
COMMONCrypto

Download Yara Rule

C-Code - Quality: 88%

			E00007FF67FF681F3D8CC(long long __rbx, signed int* __rcx, signed int* __rdx, long long __rdi, long long __rsi, long long __rbp, void* __r8, void* _a8, void* _a16, void* _a24, void* _a32) {
				signed int _t35;
				unsigned int _t37;
				signed int _t56;
				signed int _t72;
				signed int _t75;
				signed int _t78;
				signed int _t81;
				signed int _t93;
				signed int _t111;
				void* _t113;
				void* _t117;
				void* _t118;
				void* _t122;
				void* _t124;
				void* _t128;
				void* _t130;
				void* _t133;
				unsigned long long _t135;
				unsigned long long _t136;
				long long _t145;
				unsigned long long _t151;
				signed long long _t156;

				_t152 = __r8;
				_t145 = __rdi;
				_t135 = _t151;
				 *((long long*)(_t135 + 8)) = __rbx;
				 *((long long*)(_t135 + 0x10)) = __rbp;
				 *((long long*)(_t135 + 0x18)) = __rsi;
				 *((long long*)(_t135 + 0x20)) = __rdi;
				_push(_t156);
				asm("xorps xmm0, xmm0");
				r11d = 0;
				r9d = r8d;
				asm("movups [ecx], xmm0");
				__rcx[4] = _t135;
				_t6 = _t135 + 1; // 0x1
				_t111 = _t6;
				if (r8d == 0) goto 0x81f3da9a;
				_t7 = _t135 + 5; // 0x5
				r15d = _t7;
				_t113 = r8d - _t111;
				if (_t113 == 0) goto 0x81f3d9ee;
				if (_t113 <= 0) goto 0x81f3d992;
				if (r8d - 3 <= 0) goto 0x81f3d935;
				if (r8d == 4) goto 0x81f3da9a;
				if (r8d == r15d) goto 0x81f3d9ee;
				_t8 = _t152 - 6; // 0xf9
				_t117 = _t8 - _t111;
				if (_t117 > 0) goto 0x81f3d992;
				r9d = r9d - 2;
				if (_t117 == 0) goto 0x81f3d963;
				r9d = r9d - _t111;
				if (_t117 == 0) goto 0x81f3d95c;
				r9d = r9d - 3;
				if (_t117 == 0) goto 0x81f3d955;
				_t118 = r9d - _t111;
				if (_t118 != 0) goto 0x81f3d968;
				goto 0x81f3d968;
				goto 0x81f3d968;
				goto 0x81f3d968;
				asm("prefetch [ebx]");
				_t35 =  *__rdx;
				asm("lock cmpxchg [ebx], ecx");
				if (_t118 != 0) goto 0x81f3d96f;
				 *__rcx =  !_t35 & _t111;
				r11b = (_t35 & 0x00000002) == ((0x00000002 | _t111) & 0xfffffffe);
				goto 0x81f3db53;
				r8d = r8d + 0xfffffec0;
				if (r8d - 0x40 >= 0) goto 0x81f3d9dd;
				_t37 = __rdx[1];
				if ((0x00000010 & _t37) == 0) goto 0x81f3d9c3;
				_t122 = (_t37 >> 0x00000005 & 0x0000003f) - r8d;
				if (_t122 == 0) goto 0x81f3d9c6;
				__rcx[4] = r11d;
				asm("lock cmpxchg [ebx+0x4], ecx");
				if (_t122 != 0) goto 0x81f3d9b0;
				__rcx[2] = r9d;
				__rcx[1] = _t111;
				__rcx[3] = r11d;
				goto 0x81f3db57;
				sil = r9d == r15d;
				__rcx[1] = r11d;
				_t72 =  *__rdx | _t111;
				_t124 = (_t72 >> 0x00000016 & _t111) - r11d;
				if (_t124 == 0) goto 0x81f3da4b;
				r8d = _t72;
				r8d = r8d >> 0xf;
				r8d = r8d & 0x0000007f;
				if (_t124 <= 0) goto 0x81f3da31;
				__rcx[1] = r8d;
				_t42 =  ==  ? r15d : _t111;
				__rcx[2] =  ==  ? r15d : _t111;
				r8d = r11d;
				r8d =  ==  ? 0x400000 : r8d;
				asm("btr eax, 0x16");
				_t75 = r8d | _t72 & 0xffc07fff;
				_t19 = _t145 + 1; // 0x1
				r8d = _t19;
				if (__r8 - 0x7f > 0) goto 0x81f3da6b;
				_t136 = _t135 >> 0xf;
				_t128 = __r8 - _t136;
				if (_t128 >= 0) goto 0x81f3da76;
				__rcx[2] = r9d;
				__rcx[1] = _t75 >> 0x0000000f & 0x0000007f;
				r8d = r8d << 0xf;
				r8d = r8d ^ _t75;
				r8d = r8d & 0x003f8000;
				asm("lock cmpxchg [ebx], ecx");
				if (_t128 == 0) goto 0x81f3db4c;
				goto 0x81f3d9fa;
				_t93 =  *__rdx;
				r15d = 0x1ff;
				sil = r9d == 4;
				__rcx[1] = r11d;
				_t78 = _t93 | _t111;
				_t130 = (_t78 >> 0x0000000e & _t111) - r11d;
				if (_t130 == 0) goto 0x81f3db02;
				if (_t130 <= 0) goto 0x81f3dae7;
				__rcx[1] = _t78 >> 0x00000005 & r15d;
				asm("inc ebp");
				r8d =  !r8d;
				r8d = r8d & 0x00000004;
				__rcx[2] = r8d;
				r8d = r11d;
				r8d =  ==  ? 0x4000 : r8d;
				asm("btr eax, 0xe");
				_t81 = r8d | _t78 & 0xffffc01f;
				_t25 = _t145 + 1; // 0x1
				r8d = _t25;
				if (__rbp - _t156 > 0) goto 0x81f3db21;
				_t133 = __rbp - (_t136 >> 0x00000005 & _t156);
				if (_t133 >= 0) goto 0x81f3db2c;
				__rcx[2] = r9d;
				__rcx[1] = _t81 >> 0x00000005 & r15d;
				r8d = r8d << 5;
				_t56 = _t93;
				r8d = r8d ^ _t81;
				r8d = r8d & 0x00003fe0;
				asm("lock cmpxchg [ebx], ecx");
				if (_t133 == 0) goto 0x81f3db4c;
				goto 0x81f3daad;
				 *__rcx =  !_t56 & _t111;
				__rcx[4] = r11d;
				return _t56;
			}

0x7ff681f3d8cc
0x7ff681f3d8cc
0x7ff681f3d8cc
0x7ff681f3d8cf
0x7ff681f3d8d3
0x7ff681f3d8d7
0x7ff681f3d8db
0x7ff681f3d8df
0x7ff681f3d8e3
0x7ff681f3d8e6
0x7ff681f3d8e9
0x7ff681f3d8f2
0x7ff681f3d8f5
0x7ff681f3d8f9
0x7ff681f3d8f9
0x7ff681f3d8ff
0x7ff681f3d905
0x7ff681f3d905
0x7ff681f3d909
0x7ff681f3d90c
0x7ff681f3d912
0x7ff681f3d918
0x7ff681f3d91e
0x7ff681f3d927
0x7ff681f3d92d
0x7ff681f3d931
0x7ff681f3d933
0x7ff681f3d938
0x7ff681f3d93c
0x7ff681f3d93e
0x7ff681f3d941
0x7ff681f3d943
0x7ff681f3d947
0x7ff681f3d949
0x7ff681f3d94c
0x7ff681f3d953
0x7ff681f3d95a
0x7ff681f3d961
0x7ff681f3d96a
0x7ff681f3d96d
0x7ff681f3d973
0x7ff681f3d977
0x7ff681f3d986
0x7ff681f3d989
0x7ff681f3d98d
0x7ff681f3d992
0x7ff681f3d99d
0x7ff681f3d99f
0x7ff681f3d9b2
0x7ff681f3d9bc
0x7ff681f3d9c1
0x7ff681f3d9c6
0x7ff681f3d9d6
0x7ff681f3d9db
0x7ff681f3d9dd
0x7ff681f3d9e1
0x7ff681f3d9e5
0x7ff681f3d9e9
0x7ff681f3d9f6
0x7ff681f3d9fc
0x7ff681f3da00
0x7ff681f3da09
0x7ff681f3da0b
0x7ff681f3da0d
0x7ff681f3da10
0x7ff681f3da14
0x7ff681f3da18
0x7ff681f3da1d
0x7ff681f3da23
0x7ff681f3da2d
0x7ff681f3da39
0x7ff681f3da3c
0x7ff681f3da42
0x7ff681f3da49
0x7ff681f3da53
0x7ff681f3da53
0x7ff681f3da5b
0x7ff681f3da5f
0x7ff681f3da66
0x7ff681f3da69
0x7ff681f3da6e
0x7ff681f3da72
0x7ff681f3da76
0x7ff681f3da7c
0x7ff681f3da7f
0x7ff681f3da89
0x7ff681f3da8d
0x7ff681f3da95
0x7ff681f3da9a
0x7ff681f3daa3
0x7ff681f3daa9
0x7ff681f3daaf
0x7ff681f3dab3
0x7ff681f3dabc
0x7ff681f3dabe
0x7ff681f3dac8
0x7ff681f3dacd
0x7ff681f3dad3
0x7ff681f3dad6
0x7ff681f3dad9
0x7ff681f3dadd
0x7ff681f3daf0
0x7ff681f3daf3
0x7ff681f3daf9
0x7ff681f3db00
0x7ff681f3db0a
0x7ff681f3db0a
0x7ff681f3db11
0x7ff681f3db1c
0x7ff681f3db1f
0x7ff681f3db24
0x7ff681f3db28
0x7ff681f3db2c
0x7ff681f3db30
0x7ff681f3db32
0x7ff681f3db35
0x7ff681f3db3f
0x7ff681f3db43
0x7ff681f3db47
0x7ff681f3db50
0x7ff681f3db53
0x7ff681f3db70

Memory Dump Source

Source File: 00000000.00000002.242166859.00007FF681F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF681F30000, based on PE: true

Associated: 00000000.00000002.242162264.00007FF681F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242186922.00007FF681F56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242194386.00007FF681F60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242238373.00007FF681F63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff681f30000_bHLOVVmF1t.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6f0404d8c561c9b3f4b608d8456b6dc327ba9193c3a7336f6d2d0eee7641468
Instruction ID: d7ac3875abb118ea38539700966b400dc4a492a28df10a4d8d0e52fcb1dcf75e
Opcode Fuzzy Hash: f6f0404d8c561c9b3f4b608d8456b6dc327ba9193c3a7336f6d2d0eee7641468
Instruction Fuzzy Hash: 4A71E3B3B266A587EB6C8E14C511A3836D2BB80740F99C13DD60AC7BC4DE39E942CB41

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF681F3679C Relevance: .1, Instructions: 132
COMMONCrypto

Download Yara Rule

C-Code - Quality: 47%

			E00007FF67FF681F3679C(long long __rbx, void* __rcx, long long __rdi, long long __rsi, long long _a16, long long _a24, long long _a32) {
				void* _v40;
				signed long long _v56;
				signed int _v60;
				intOrPtr _v64;
				signed int _v68;
				intOrPtr _v72;
				signed int _v76;
				intOrPtr _v80;
				signed int _v84;
				intOrPtr _v88;
				unsigned int _v92;
				intOrPtr _v96;
				signed int _v100;
				intOrPtr _v104;
				signed int _v108;
				intOrPtr _v112;
				signed int _v116;
				intOrPtr _v120;
				unsigned int _t33;
				signed int _t34;
				signed int _t45;
				signed int _t48;
				signed int _t49;
				void* _t51;
				signed int _t56;
				unsigned int _t57;
				signed int _t64;
				unsigned int _t67;
				void* _t72;
				signed long long _t79;
				intOrPtr _t86;
				intOrPtr _t87;
				intOrPtr* _t89;
				intOrPtr _t96;
				void* _t102;
				unsigned int* _t105;

				_a16 = __rbx;
				_a24 = __rsi;
				_a32 = __rdi;
				_t79 =  *0x81f60470; // 0xbba9a5b3aaf9
				_v56 = _t79 ^ _t102 - 0x00000080;
				_t96 =  *((intOrPtr*)(__rcx + 0x38));
				_t89 =  *((intOrPtr*)(__rcx + 0x30));
				_t72 = _t96 - _t89 - 0x10;
				if (_t72 < 0) goto 0x81f36944;
				r13d = 0;
				goto 0x81f36908;
				_t105 =  *((intOrPtr*)(_t89 + 8));
				r12d =  *_t89;
				asm("inc ecx");
				_t33 =  *_t105;
				asm("lock inc ecx");
				if (_t72 != 0) goto 0x81f367fd;
				_t67 = _t33;
				_t56 = _t33 >> 0x00000001 & 0x0000000f;
				if (_t72 == 0) goto 0x81f36832;
				asm("inc ecx");
				_t34 = _t105[1];
				r8d = _t34;
				r8d = r8d | _t56;
				asm("lock inc ebp");
				if (_t72 != 0) goto 0x81f36820;
				_t57 = _t56 &  !_t34;
				_v120 = 2;
				_v112 = 6;
				_v116 = _t57 & 0x00000001;
				_v104 = 3;
				r8d = _t67;
				r8d = r8d >> 5;
				_v108 = _t57 >> 0x00000001 & 0x00000001;
				r8d = r8d & 0x000001ff;
				_v96 = 7;
				r14d = r13d;
				_v100 = _t57 >> 0x00000002 & 0x00000001;
				_v92 = _t57 >> 3;
				_v88 = r13d;
				_v80 = 4;
				_t45 =  !=  ? r13d : r8d;
				_v72 = 1;
				_v84 = _t45;
				_v64 = 5;
				asm("sbb eax, eax");
				_t64 = _t67 >> 0x0000000f & 0x0000007f;
				_v76 = _t45 & r8d;
				_t48 =  !=  ? r13d : _t64;
				_v68 = _t48;
				asm("sbb eax, eax");
				_t49 = _t48 & _t64;
				_v60 = _t49;
				if (_t49 == 0) goto 0x81f368f7;
				r9d = 0;
				r8d = _t49;
				E00007FF67FF681F36698();
				r14d = r14d + 1;
				if (r14d - 8 < 0) goto 0x81f368db;
				if (_t89 + 0x10 != _t96) goto 0x81f367ef;
				 *((long long*)(__rcx + 0x38)) =  *((intOrPtr*)(__rcx + 0x30));
				_t86 =  *0x81f61360; // 0x7ff681f36420
				if (_t86 != 0) goto 0x81f36931;
				_t87 =  *0x81f613b0; // 0x0
				if (_t87 == 0) goto 0x81f36944;
				r9d = 0;
				r8d = 0;
				_t51 =  *0x81f570f0();
				E00007FF67FF681F53F70();
				return _t51;
			}

0x7ff681f3679c
0x7ff681f367a1
0x7ff681f367a6
0x7ff681f367be
0x7ff681f367c8
0x7ff681f367cc
0x7ff681f367d3
0x7ff681f367dd
0x7ff681f367e1
0x7ff681f367e7
0x7ff681f367ea
0x7ff681f367ef
0x7ff681f367f3
0x7ff681f367f6
0x7ff681f367fa
0x7ff681f36805
0x7ff681f3680a
0x7ff681f3680e
0x7ff681f36812
0x7ff681f36815
0x7ff681f36817
0x7ff681f3681c
0x7ff681f36820
0x7ff681f36823
0x7ff681f36826
0x7ff681f3682c
0x7ff681f36830
0x7ff681f36834
0x7ff681f3683e
0x7ff681f36845
0x7ff681f3684e
0x7ff681f36857
0x7ff681f3685d
0x7ff681f36861
0x7ff681f36864
0x7ff681f3686d
0x7ff681f36877
0x7ff681f36880
0x7ff681f36886
0x7ff681f36891
0x7ff681f36895
0x7ff681f3689c
0x7ff681f368a0
0x7ff681f368a9
0x7ff681f368ae
0x7ff681f368b5
0x7ff681f368bd
0x7ff681f368c0
0x7ff681f368cb
0x7ff681f368d1
0x7ff681f368d4
0x7ff681f368d6
0x7ff681f368d8
0x7ff681f368e4
0x7ff681f368e9
0x7ff681f368ec
0x7ff681f368f2
0x7ff681f368f7
0x7ff681f36902
0x7ff681f3690b
0x7ff681f36915
0x7ff681f36919
0x7ff681f36923
0x7ff681f36925
0x7ff681f3692f
0x7ff681f36931
0x7ff681f36934
0x7ff681f3693e
0x7ff681f3694b
0x7ff681f36970

Memory Dump Source

Source File: 00000000.00000002.242166859.00007FF681F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF681F30000, based on PE: true

Associated: 00000000.00000002.242162264.00007FF681F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242186922.00007FF681F56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242194386.00007FF681F60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242238373.00007FF681F63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff681f30000_bHLOVVmF1t.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 987cd3aaa9c9fe3205455a58b1e8d840781539ced4197cabd3b0357128b8e033
Instruction ID: 6c442e89472cb99f3b806f88fb9988cf067fcbeb636e6da147931903e521d360
Opcode Fuzzy Hash: 987cd3aaa9c9fe3205455a58b1e8d840781539ced4197cabd3b0357128b8e033
Instruction Fuzzy Hash: BF518932B25A518AEB54CB69E8117AD76E0BB48748F14503DEE0ED7B44DF3CD442CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF681F3C75C Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.242166859.00007FF681F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF681F30000, based on PE: true

Associated: 00000000.00000002.242162264.00007FF681F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242186922.00007FF681F56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242194386.00007FF681F60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242238373.00007FF681F63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff681f30000_bHLOVVmF1t.jbxd

Similarity

API ID: ExclusiveLock$AcquireRelease
String ID:
API String ID: 17069307-0
Opcode ID: 8e577f517e332e4f7e283a589121c343e26b81c8421d3100cb5cf1e49c9531cd
Instruction ID: a631e9de6fa53f09153619eee5b6974f98f6c37ef9f81691ab2081639d0acdbd
Opcode Fuzzy Hash: 8e577f517e332e4f7e283a589121c343e26b81c8421d3100cb5cf1e49c9531cd
Instruction Fuzzy Hash: C131C433B28551C6EBA9CA39D84176A26D1FF84794F448139EA0AC7B88DE3DD542CB42

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF681F3CB70 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.242166859.00007FF681F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF681F30000, based on PE: true

Associated: 00000000.00000002.242162264.00007FF681F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242186922.00007FF681F56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242194386.00007FF681F60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242238373.00007FF681F63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff681f30000_bHLOVVmF1t.jbxd

Similarity

API ID: ExclusiveLock$AcquireRelease
String ID:
API String ID: 17069307-0
Opcode ID: aed1c3e9f8cf7e79696ab40ea2eb3f63128b5292b2ae66d5b2ff5fc0e3b7907c
Instruction ID: f1e8978d1ff46176fb77f78f498a0eda9a2b6cb189286033eb257cf68cfa836e
Opcode Fuzzy Hash: aed1c3e9f8cf7e79696ab40ea2eb3f63128b5292b2ae66d5b2ff5fc0e3b7907c
Instruction Fuzzy Hash: 9331C433B28991C6EBA88A39D80176B76D1FF84784F549139EA09C7B88DE3DD442CB41

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF681F3D07C Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.242166859.00007FF681F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF681F30000, based on PE: true

Associated: 00000000.00000002.242162264.00007FF681F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242186922.00007FF681F56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242194386.00007FF681F60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242238373.00007FF681F63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff681f30000_bHLOVVmF1t.jbxd

Similarity

API ID: ExclusiveLock$AcquireRelease
String ID:
API String ID: 17069307-0
Opcode ID: eb895135e43fe282414907e62153d87dc8ebf48f9da769d7ec6fb3f7cce3f84f
Instruction ID: 07902a79ce53d9e9c10b4c10f9d2faf2b6dffb9b0a9f962e72cfc64233a343ba
Opcode Fuzzy Hash: eb895135e43fe282414907e62153d87dc8ebf48f9da769d7ec6fb3f7cce3f84f
Instruction Fuzzy Hash: 4F319533B28551C7FBA98A39D80176A66D1FB85784F949138EA0DC7B88DE3DD442CB42

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF681F3C8B8 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.242166859.00007FF681F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF681F30000, based on PE: true

Associated: 00000000.00000002.242162264.00007FF681F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242186922.00007FF681F56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242194386.00007FF681F60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242238373.00007FF681F63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff681f30000_bHLOVVmF1t.jbxd

Similarity

API ID: ExclusiveLock$AcquireRelease
String ID:
API String ID: 17069307-0
Opcode ID: f70c31a03c606dbe5195662962fffb003b6937259684669260c92ecc7d0c6669
Instruction ID: a219c88313ecc9f5aad0c704e28a0d2156cd81d94b57ee8223fd2056f7b0139d
Opcode Fuzzy Hash: f70c31a03c606dbe5195662962fffb003b6937259684669260c92ecc7d0c6669
Instruction Fuzzy Hash: AD31C633B2955186EBA88A39D80176B3AD1FB85784F448139EA4AC7B98DE3DD442CB41

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF681F3CD48 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.242166859.00007FF681F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF681F30000, based on PE: true

Associated: 00000000.00000002.242162264.00007FF681F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242186922.00007FF681F56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242194386.00007FF681F60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242238373.00007FF681F63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff681f30000_bHLOVVmF1t.jbxd

Similarity

API ID: ExclusiveLock$AcquireRelease
String ID:
API String ID: 17069307-0
Opcode ID: 3ed59450bba96c5e38c40ccc6bc0b49a832d45a894d42d673de30f0ea7602489
Instruction ID: 25af927f1adef8d9f0c712bcc8082a24ab35d34f267a595f667e0dc4d1c7236d
Opcode Fuzzy Hash: 3ed59450bba96c5e38c40ccc6bc0b49a832d45a894d42d673de30f0ea7602489
Instruction Fuzzy Hash: 21310833B28551C6E7A88A39D80176A36D1FB85784F448139EA1DC7B88DE3DE443CB41

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF681F4C988 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.242166859.00007FF681F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF681F30000, based on PE: true

Associated: 00000000.00000002.242162264.00007FF681F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242186922.00007FF681F56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242194386.00007FF681F60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242238373.00007FF681F63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff681f30000_bHLOVVmF1t.jbxd

Similarity

API ID: ExclusiveLock$AcquireRelease
String ID:
API String ID: 17069307-0
Opcode ID: aeb340b7e8fc6ef74a85059585521936b34618129abd9d2a5c9cacd89c7e041b
Instruction ID: 8f033000fc7efdad19f7ad13d08d6b9d3cd5608a49ca273fbb4fa61560651cef
Opcode Fuzzy Hash: aeb340b7e8fc6ef74a85059585521936b34618129abd9d2a5c9cacd89c7e041b
Instruction Fuzzy Hash: DA31E433B2855186EBB8CA39D91176A26D1FB85784F449138EA0EC7B98DE3CD442CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF681F3D1D8 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.242166859.00007FF681F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF681F30000, based on PE: true

Associated: 00000000.00000002.242162264.00007FF681F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242186922.00007FF681F56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242194386.00007FF681F60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242238373.00007FF681F63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff681f30000_bHLOVVmF1t.jbxd

Similarity

API ID: ExclusiveLock$AcquireRelease
String ID:
API String ID: 17069307-0
Opcode ID: c542e77083bd6d1466b116333908efeae6d259ae2e8993ad6847ecd386b90c1e
Instruction ID: a11a19a4ff59cd80dac58d49fd6c141c97808d1585e2b344e6ab1d55fa28823e
Opcode Fuzzy Hash: c542e77083bd6d1466b116333908efeae6d259ae2e8993ad6847ecd386b90c1e
Instruction Fuzzy Hash: F931CA32B28551C7E7A48B35D801B6A76D1FB85794F848138EA19C7B84DE3CD842CB41

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF681F3CA14 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.242166859.00007FF681F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF681F30000, based on PE: true

Associated: 00000000.00000002.242162264.00007FF681F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242186922.00007FF681F56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242194386.00007FF681F60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242238373.00007FF681F63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff681f30000_bHLOVVmF1t.jbxd

Similarity

API ID: ExclusiveLock$AcquireRelease
String ID:
API String ID: 17069307-0
Opcode ID: 8d7ea84f9bc8bc0e93addff3a5b1b4a7198dd641fc4567ac406d3953896e39ad
Instruction ID: aaa52e6ded87f02c409e03776faf675fd336b579f4d15deefb29a92eaa2d25ab
Opcode Fuzzy Hash: 8d7ea84f9bc8bc0e93addff3a5b1b4a7198dd641fc4567ac406d3953896e39ad
Instruction Fuzzy Hash: 9D31D333B2855186EBA8CA39D81176A36D1FB85784F488139EA19C7B98DE3CE443CB41

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF681F3CF20 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.242166859.00007FF681F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF681F30000, based on PE: true

Associated: 00000000.00000002.242162264.00007FF681F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242186922.00007FF681F56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242194386.00007FF681F60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242238373.00007FF681F63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff681f30000_bHLOVVmF1t.jbxd

Similarity

API ID: ExclusiveLock$AcquireRelease
String ID:
API String ID: 17069307-0
Opcode ID: 77819d53264f987cb066d99ba7c7d02fc858bd7a37e5cc2c38a87a062e12487a
Instruction ID: aa2769ecd85d5c94014dc588940665e1bdade9c8f6bdd50cde0c2701f6c247a6
Opcode Fuzzy Hash: 77819d53264f987cb066d99ba7c7d02fc858bd7a37e5cc2c38a87a062e12487a
Instruction Fuzzy Hash: C931E472B28551C7EBA88B39D80176A66D1FB85B84F448139EA1DC7B88DE3DD443CB41

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF681F548C8 Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.242166859.00007FF681F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF681F30000, based on PE: true

Associated: 00000000.00000002.242162264.00007FF681F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242186922.00007FF681F56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242194386.00007FF681F60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242238373.00007FF681F63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff681f30000_bHLOVVmF1t.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71629fbc2741f91f3912b9e77a92460c653c13217be7315eb21751cbdd150363
Instruction ID: 0eb4595e82387692c0cb5129b899c254c5cafd4027d7f02d750a63c7bb27defd
Opcode Fuzzy Hash: 71629fbc2741f91f3912b9e77a92460c653c13217be7315eb21751cbdd150363
Instruction Fuzzy Hash: 70A00125908862D1E744AB00B8600A022B0BF91351B808839D01D820A0EE3CA450D200

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF681F406EC Relevance: 63.2, APIs: 5, Strings: 31, Instructions: 201
registrythreadCOMMON

Download Yara Rule

C-Code - Quality: 49%

			E00007FF67FF681F406EC(long long __rbx, void* __rcx, long long __rdi, long long __rsi, long long _a8, long long _a16, long long _a24) {
				void* _v8;
				signed long long _v16;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				intOrPtr _v64;
				intOrPtr _v72;
				int _t52;
				long _t53;
				long _t84;
				signed long long _t104;
				intOrPtr _t106;
				intOrPtr _t107;
				void* _t187;

				_t184 = __rsi;
				_a8 = __rbx;
				_a16 = __rsi;
				_a24 = __rdi;
				_t104 =  *0x81f60470; // 0xbba9a5b3aaf9
				_v16 = _t104 ^ _t187 - 0x00000060;
				_t109 =  *0x81f62598;
				_v64 = 0x2c;
				__imp__SetThreadDpiAwarenessContext();
				_t52 = GetWindowPlacement(??, ??);
				__imp__SetThreadDpiAwarenessContext();
				if (_t52 == 0) goto 0x81f4077d;
				_t106 =  *0x81f617fc; // 0x0
				if (_t106 != _v36) goto 0x81f40776;
				_t107 =  *0x81f61804; // 0x0
				if (_t107 == _v28) goto 0x81f4077d;
				goto 0x81f407a1;
				if ( *0x81f62354 != 1) goto 0x81f407a1;
				if ( *0x81f62358 != 1) goto 0x81f407a1;
				if ( *0x81f62350 != 1) goto 0x81f407a1;
				if ( *0x81f6234c == 1) goto 0x81f40adf;
				_t53 = RegCreateKeyW(??, ??, ??);
				if (_t53 != 0) goto 0x81f40adf;
				if ( *0x81f62350 == _t53) goto 0x81f4090c;
				r8d =  *0x81f61618; // 0x0
				E00007FF67FF681F40470();
				r8d =  *0x81f6161c; // 0x0
				E00007FF67FF681F40470();
				r8d =  *0x81f61620; // 0x0
				E00007FF67FF681F40470();
				r8d =  *0x81f61624 & 0x000000ff;
				E00007FF67FF681F40470();
				r8d =  *0x81f61625 & 0x000000ff;
				E00007FF67FF681F40470();
				r8d =  *0x81f61626 & 0x000000ff;
				E00007FF67FF681F40470();
				r8d =  *0x81f61627 & 0x000000ff;
				E00007FF67FF681F40470();
				r8d =  *0x81f61628 & 0x000000ff;
				E00007FF67FF681F40470();
				r8d =  *0x81f61629 & 0x000000ff;
				E00007FF67FF681F40470();
				r8d =  *0x81f6162a & 0x000000ff;
				E00007FF67FF681F40470();
				r8d =  *0x81f6162b & 0x000000ff;
				E00007FF67FF681F40470();
				r9d = 0x20;
				E00007FF67FF681F404A8(_t107,  *0x81f62598, _v72, L"lfFaceName", __rsi, 0x81f6162c);
				r8d =  *0x81f6067c; // 0x78
				E00007FF67FF681F40470();
				if ( *0x81f62358 == 0) goto 0x81f40943;
				r8d =  *0x81f6236c;
				E00007FF67FF681F40470();
				r8d =  *0x81f62378;
				E00007FF67FF681F40470();
				if ( *0x81f62354 == 0) goto 0x81f409e5;
				r9d = 0x28;
				E00007FF67FF681F404A8(_t107,  *0x81f62598, _v72, L"szHeader", _t184, 0x81f616a0);
				r9d = 0x28;
				E00007FF67FF681F404A8(_t107,  *0x81f62598, _v72, L"szTrailer", _t184, 0x81f616f0);
				r8d =  *0x81f61550; // 0x0
				E00007FF67FF681F40470();
				r8d =  *0x81f61558; // 0x0
				E00007FF67FF681F40470();
				r8d =  *0x81f6154c; // 0x0
				E00007FF67FF681F40470();
				r8d =  *0x81f61554; // 0x0
				E00007FF67FF681F40470();
				if (1 == 0) goto 0x81f40a41;
				r8d = _v36;
				E00007FF67FF681F40470();
				r8d = _v32;
				E00007FF67FF681F40470();
				r8d = _v28;
				r8d = r8d - _v36;
				E00007FF67FF681F40470();
				r8d = _v24;
				r8d = r8d - _v32;
				E00007FF67FF681F40470();
				if ( *0x81f6234c == 0) goto 0x81f40acf;
				r8d =  *0x81f625a0 & 0x000000ff;
				E00007FF67FF681F40470();
				r8d =  *0x81f625a1 & 0x000000ff;
				E00007FF67FF681F40470();
				r8d =  *0x81f625a2 & 0x000000ff;
				E00007FF67FF681F40470();
				r9d = 0x80;
				E00007FF67FF681F404A8(_t107, _t109, _v72, L"searchString", _t184, 0x81f62480);
				r9d = 0x80;
				E00007FF67FF681F404A8(_t107, _t109, _v72, L"replaceString", _t184, 0x81f62380);
				_t84 = RegCloseKey(??);
				E00007FF67FF681F53F70();
				return _t84;
			}

0x7ff681f406ec
0x7ff681f406ec
0x7ff681f406f1
0x7ff681f406f6
0x7ff681f40703
0x7ff681f4070d
0x7ff681f40711
0x7ff681f4071e
0x7ff681f40725
0x7ff681f4073b
0x7ff681f4074c
0x7ff681f4075a
0x7ff681f4075c
0x7ff681f40767
0x7ff681f40769
0x7ff681f40774
0x7ff681f4077b
0x7ff681f40783
0x7ff681f4078b
0x7ff681f40793
0x7ff681f4079b
0x7ff681f407b3
0x7ff681f407c1
0x7ff681f407cd
0x7ff681f407d3
0x7ff681f407e5
0x7ff681f407ea
0x7ff681f407fc
0x7ff681f40801
0x7ff681f40813
0x7ff681f40818
0x7ff681f4082b
0x7ff681f40830
0x7ff681f40843
0x7ff681f40848
0x7ff681f4085b
0x7ff681f40860
0x7ff681f40873
0x7ff681f40878
0x7ff681f4088b
0x7ff681f40890
0x7ff681f408a3
0x7ff681f408a8
0x7ff681f408bb
0x7ff681f408c0
0x7ff681f408d3
0x7ff681f408e3
0x7ff681f408f0
0x7ff681f408f5
0x7ff681f40907
0x7ff681f40913
0x7ff681f40915
0x7ff681f40927
0x7ff681f4092c
0x7ff681f4093e
0x7ff681f4094a
0x7ff681f40967
0x7ff681f4096a
0x7ff681f4097a
0x7ff681f40984
0x7ff681f40989
0x7ff681f4099b
0x7ff681f409a0
0x7ff681f409b2
0x7ff681f409b7
0x7ff681f409c9
0x7ff681f409ce
0x7ff681f409e0
0x7ff681f409e7
0x7ff681f409e9
0x7ff681f409f8
0x7ff681f409fd
0x7ff681f40a0c
0x7ff681f40a11
0x7ff681f40a1c
0x7ff681f40a24
0x7ff681f40a29
0x7ff681f40a34
0x7ff681f40a3c
0x7ff681f40a48
0x7ff681f40a4e
0x7ff681f40a61
0x7ff681f40a66
0x7ff681f40a79
0x7ff681f40a7e
0x7ff681f40a91
0x7ff681f40aad
0x7ff681f40ab0
0x7ff681f40ac0
0x7ff681f40aca
0x7ff681f40ad3
0x7ff681f40ae6
0x7ff681f40b00

APIs

SetThreadDpiAwarenessContext.USER32 ref: 00007FF681F40725
GetWindowPlacement.USER32 ref: 00007FF681F4073B
SetThreadDpiAwarenessContext.USER32 ref: 00007FF681F4074C
RegCreateKeyW.ADVAPI32 ref: 00007FF681F407B3
RegCloseKey.ADVAPI32 ref: 00007FF681F40AD3

Strings

lfItalic, xrefs: 00007FF681F40820
fWrapAround, xrefs: 00007FF681F40A6E
lfFaceName, xrefs: 00007FF681F408E9
fWrap, xrefs: 00007FF681F4091C
lfClipPrecision, xrefs: 00007FF681F40898
iMarginBottom, xrefs: 00007FF681F409A7
lfQuality, xrefs: 00007FF681F408B0
iWindowPosY, xrefs: 00007FF681F40A01
fMatchCase, xrefs: 00007FF681F40A86
iMarginTop, xrefs: 00007FF681F40990
lfWeight, xrefs: 00007FF681F40808
iMarginLeft, xrefs: 00007FF681F409BE
lfEscapement, xrefs: 00007FF681F407DA
szTrailer, xrefs: 00007FF681F4097D
iWindowPosX, xrefs: 00007FF681F409ED
replaceString, xrefs: 00007FF681F40AC3
lfCharSet, xrefs: 00007FF681F40868
StatusBar, xrefs: 00007FF681F40933
iWindowPosDY, xrefs: 00007FF681F40A2D
iWindowPosDX, xrefs: 00007FF681F40A15
lfOutPrecision, xrefs: 00007FF681F40880
lfOrientation, xrefs: 00007FF681F407F1
searchString, xrefs: 00007FF681F40AA6
iMarginRight, xrefs: 00007FF681F409D5
lfPitchAndFamily, xrefs: 00007FF681F408C8
lfUnderline, xrefs: 00007FF681F40838
iPointSize, xrefs: 00007FF681F408FC
lfStrikeOut, xrefs: 00007FF681F40850
szHeader, xrefs: 00007FF681F40960
fReverse, xrefs: 00007FF681F40A56
Software\Microsoft\Notepad, xrefs: 00007FF681F407AC

Memory Dump Source

Source File: 00000000.00000002.242166859.00007FF681F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF681F30000, based on PE: true

Associated: 00000000.00000002.242162264.00007FF681F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242186922.00007FF681F56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242194386.00007FF681F60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242238373.00007FF681F63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff681f30000_bHLOVVmF1t.jbxd

Similarity

API ID: AwarenessContextThread$CloseCreatePlacementWindow
String ID: Software\Microsoft\Notepad$StatusBar$fMatchCase$fReverse$fWrap$fWrapAround$iMarginBottom$iMarginLeft$iMarginRight$iMarginTop$iPointSize$iWindowPosDX$iWindowPosDY$iWindowPosX$iWindowPosY$lfCharSet$lfClipPrecision$lfEscapement$lfFaceName$lfItalic$lfOrientation$lfOutPrecision$lfPitchAndFamily$lfQuality$lfStrikeOut$lfUnderline$lfWeight$replaceString$searchString$szHeader$szTrailer
API String ID: 521538346-3265294410
Opcode ID: ac032638508ef463785b777634c2afa24b3efc5236287ea98066d74a5926b5a7
Instruction ID: 95659cded64c11fce56eb7336e219c99bd21098f2eeee297abb6380923905f93
Opcode Fuzzy Hash: ac032638508ef463785b777634c2afa24b3efc5236287ea98066d74a5926b5a7
Instruction Fuzzy Hash: 58C12565F18A27C9FB209BA1E9500F837A1BF84788F94813EDA4DD7679CE6CE805C740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF681F3970C Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 104threadwindowCOMMON

Download Yara Rule

APIs

memset.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF681F39722
GetDC.USER32 ref: 00007FF681F39729
GetDeviceCaps.GDI32 ref: 00007FF681F39759
MulDiv.KERNEL32 ref: 00007FF681F39776
ReleaseDC.USER32 ref: 00007FF681F3979F
SetThreadDpiAwarenessContext.USER32 ref: 00007FF681F397AF
SetThreadDpiAwarenessContext.USER32 ref: 00007FF681F397D3
SetCursor.USER32 ref: 00007FF681F397EE
GetDpiForWindow.USER32 ref: 00007FF681F39801
MulDiv.KERNEL32 ref: 00007FF681F39815
CreateFontIndirectW.GDI32 ref: 00007FF681F3982C
DeleteObject.GDI32 ref: 00007FF681F39847
SendMessageW.USER32 ref: 00007FF681F3986C
SetCursor.USER32 ref: 00007FF681F39888
CoTaskMemFree.API-MS-WIN-CORE-COM-L1-1-0 ref: 00007FF681F39C5D

Strings

A, xrefs: 00007FF681F39785

Memory Dump Source

Source File: 00000000.00000002.242166859.00007FF681F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF681F30000, based on PE: true

Associated: 00000000.00000002.242162264.00007FF681F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242186922.00007FF681F56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242194386.00007FF681F60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242238373.00007FF681F63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff681f30000_bHLOVVmF1t.jbxd

Similarity

API ID: AwarenessContextCursorThread$CapsCreateDeleteDeviceFontFreeIndirectMessageObjectReleaseSendTaskWindowmemset
String ID: A
API String ID: 548684209-3554254475
Opcode ID: fa4c1aeeeaf7183a3e60c434619fdd4a5c18b289bf64541989719882847ee71c
Instruction ID: ecd738e08945f7e29ba89e17a052e1311f4a2f0bb98943059e190709bc658b0e
Opcode Fuzzy Hash: fa4c1aeeeaf7183a3e60c434619fdd4a5c18b289bf64541989719882847ee71c
Instruction Fuzzy Hash: C941EA75A08A46CAEB009F61E8541B97BE0FF8AB96F489539DE1EC3764DF3CA445C700

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF681F31964 Relevance: 26.4, APIs: 2, Strings: 13, Instructions: 153
windowthreadCOMMON

Download Yara Rule

C-Code - Quality: 40%

			E00007FF67FF681F31964(long long __rbx, intOrPtr* __rcx, signed int __rdx, intOrPtr* __r8, long long _a32) {
				signed long long _v56;
				char _v568;
				long long _v576;
				long long _v584;
				long _v592;
				long long _v600;
				long _t44;
				intOrPtr _t54;
				void* _t63;
				intOrPtr _t65;
				signed long long _t77;
				intOrPtr _t79;
				long long _t81;
				long long _t93;
				void* _t116;
				intOrPtr _t137;
				long long _t140;

				_a32 = __rbx;
				_t77 =  *0x81f60470; // 0xbba9a5b3aaf9
				_v56 = _t77 ^ _t116 - 0x00000250;
				r15d = 0;
				if (__rdx == 0) goto 0x81f31ba7;
				if (__rcx == 0) goto 0x81f31ba7;
				_t79 =  *0x81f612d0; // 0x0
				 *__rcx = r15w;
				if (_t79 == 0) goto 0x81f319d9;
				_t63 =  *0x81f612e8 - r15b; // 0x0
				if (_t63 == 0) goto 0x81f319d9;
				 *0x81f570f0();
				if ( *__rcx != r15w) goto 0x81f31ba7;
				_t54 =  *__r8;
				_t65 = _t54;
				if (_t65 == 0) goto 0x81f31a10;
				if (_t65 == 0) goto 0x81f31a07;
				if (_t65 == 0) goto 0x81f319fe;
				if (_t54 != 1) goto 0x81f31a17;
				goto 0x81f31a17;
				goto 0x81f31a17;
				goto 0x81f31a17;
				r8d =  *((intOrPtr*)(__r8 + 4));
				_v584 = _t140;
				r9d = 0x400;
				_v592 = 0x100;
				_v600 =  &_v568;
				_v568 = r15w;
				FormatMessageW(??, ??, ??, ??, ??, ??, ??);
				_t110 = __rcx + __rdx * 2;
				_t81 =  *((intOrPtr*)(__r8 + 0x80));
				if ( *((intOrPtr*)(__r8 + 0x30)) == _t140) goto 0x81f31a8f;
				_v584 = _t81;
				_v592 =  *((intOrPtr*)(__r8 + 0x78));
				_v600 =  *((intOrPtr*)(__r8 + 0x38));
				E00007FF67FF681F318E0(__rcx, __rcx + __rdx * 2, L"%hs(%u)\\%hs!%p: ",  *((intOrPtr*)(__r8 + 0x30)));
				goto 0x81f31aa0;
				_v600 = _t81;
				E00007FF67FF681F318E0(__rcx, _t110, L"%hs!%p: ",  *((intOrPtr*)(__r8 + 0x30)));
				if ( *((intOrPtr*)(__r8 + 0x88)) == 0) goto 0x81f31ac4;
				E00007FF67FF681F318E0(_t81, _t110, L"(caller: %p) ",  *((intOrPtr*)(__r8 + 0x88)));
				_t44 = GetCurrentThreadId();
				_v576 =  &_v568;
				_v584 =  *((intOrPtr*)(__r8 + 4));
				_v592 = _t44;
				_v600 =  *((intOrPtr*)(__r8 + 0x3c));
				E00007FF67FF681F318E0(_t81, _t110, L"%hs(%d) tid(%x) %08X %ws", "Exception");
				if ( *((intOrPtr*)(__r8 + 0x10)) != _t140) goto 0x81f31b17;
				if ( *((intOrPtr*)(__r8 + 0x40)) != _t140) goto 0x81f31b17;
				if ( *((intOrPtr*)(__r8 + 0x28)) == _t140) goto 0x81f31ba7;
				E00007FF67FF681F318E0(_t81, _t110, L"    ", "Exception");
				if ( *((intOrPtr*)(__r8 + 0x10)) == 0) goto 0x81f31b44;
				E00007FF67FF681F318E0(_t81, _t110, L"Msg:[%ws] ",  *((intOrPtr*)(__r8 + 0x10)));
				if ( *((intOrPtr*)(__r8 + 0x40)) == 0) goto 0x81f31b5f;
				E00007FF67FF681F318E0(_t81, _t110, L"CallContext:[%hs] ",  *((intOrPtr*)(__r8 + 0x40)));
				_t93 =  *((intOrPtr*)(__r8 + 0x20));
				_t137 =  *((intOrPtr*)(__r8 + 0x28));
				if (_t93 == 0) goto 0x81f31b85;
				_v600 = _t93;
				E00007FF67FF681F318E0(_t81, _t110, L"[%hs(%hs)]\n", _t137);
				goto 0x81f31ba7;
				if (_t137 == 0) goto 0x81f31b9b;
				E00007FF67FF681F318E0(_t81, _t110, L"[%hs]\n", _t137);
				goto 0x81f31ba7;
				E00007FF67FF681F318E0(_t81, _t110, "\n", _t137);
				E00007FF67FF681F53F70();
				return 0;
			}

0x7ff681f31964
0x7ff681f31977
0x7ff681f31981
0x7ff681f31989
0x7ff681f31998
0x7ff681f319a1
0x7ff681f319a7
0x7ff681f319ae
0x7ff681f319b5
0x7ff681f319b7
0x7ff681f319be
0x7ff681f319c9
0x7ff681f319d3
0x7ff681f319d9
0x7ff681f319e2
0x7ff681f319e4
0x7ff681f319e9
0x7ff681f319ee
0x7ff681f319f3
0x7ff681f319fc
0x7ff681f31a05
0x7ff681f31a0e
0x7ff681f31a17
0x7ff681f31a20
0x7ff681f31a25
0x7ff681f31a2b
0x7ff681f31a3a
0x7ff681f31a3f
0x7ff681f31a45
0x7ff681f31a51
0x7ff681f31a55
0x7ff681f31a6a
0x7ff681f31a6c
0x7ff681f31a7b
0x7ff681f31a84
0x7ff681f31a88
0x7ff681f31a8d
0x7ff681f31a96
0x7ff681f31a9b
0x7ff681f31aad
0x7ff681f31abc
0x7ff681f31ac7
0x7ff681f31adb
0x7ff681f31ae7
0x7ff681f31aee
0x7ff681f31af5
0x7ff681f31afc
0x7ff681f31b05
0x7ff681f31b0b
0x7ff681f31b11
0x7ff681f31b24
0x7ff681f31b30
0x7ff681f31b3f
0x7ff681f31b4b
0x7ff681f31b5a
0x7ff681f31b5f
0x7ff681f31b66
0x7ff681f31b6d
0x7ff681f31b6f
0x7ff681f31b7e
0x7ff681f31b83
0x7ff681f31b8b
0x7ff681f31b94
0x7ff681f31b99
0x7ff681f31ba2
0x7ff681f31bb4
0x7ff681f31bcf

APIs

FormatMessageW.KERNEL32 ref: 00007FF681F31A45
GetCurrentThreadId.KERNEL32 ref: 00007FF681F31AC7

Part of subcall function 00007FF681F318E0: _vsnwprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF681F31918

Strings

Exception, xrefs: 00007FF681F31A10
CallContext:[%hs] , xrefs: 00007FF681F31B4D
FailFast, xrefs: 00007FF681F319F5
[%hs(%hs)], xrefs: 00007FF681F31B74
ReturnHr, xrefs: 00007FF681F31A07
(caller: %p) , xrefs: 00007FF681F31AAF
LogHr, xrefs: 00007FF681F319FE
%hs!%p: , xrefs: 00007FF681F31A8F
Msg:[%ws] , xrefs: 00007FF681F31B32
%hs(%u)\%hs!%p: , xrefs: 00007FF681F31A71
%hs(%d) tid(%x) %08X %ws, xrefs: 00007FF681F31AE0
, xrefs: 00007FF681F31B17
[%hs], xrefs: 00007FF681F31B8D

Memory Dump Source

Source File: 00000000.00000002.242166859.00007FF681F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF681F30000, based on PE: true

Associated: 00000000.00000002.242162264.00007FF681F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242186922.00007FF681F56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242194386.00007FF681F60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242238373.00007FF681F63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff681f30000_bHLOVVmF1t.jbxd

Similarity

API ID: CurrentFormatMessageThread_vsnwprintf
String ID: $%hs!%p: $%hs(%d) tid(%x) %08X %ws$%hs(%u)\%hs!%p: $(caller: %p) $CallContext:[%hs] $Exception$FailFast$LogHr$Msg:[%ws] $ReturnHr$[%hs(%hs)]$[%hs]
API String ID: 223436642-3173542853
Opcode ID: 91cb3ddca721cbb7667ece9cc7e52f6625b052f279b733235efd6f8daa4cefe5
Instruction ID: 4b8dce74aa44fb9df6c683d58d5bbfa1b00cad553403518ece9b1cd42242b08d
Opcode Fuzzy Hash: 91cb3ddca721cbb7667ece9cc7e52f6625b052f279b733235efd6f8daa4cefe5
Instruction Fuzzy Hash: 80613B61A0DA82D6EB68DB91A4405B967E4FF45BC4F84423EEA4DC3B54DF3CE562C301

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF681F535D8 Relevance: 24.7, APIs: 13, Strings: 1, Instructions: 240
sleepmemoryCOMMON

Download Yara Rule

C-Code - Quality: 23%

			E00007FF67FF681F535D8(void* __edi, long long __rbx, void* __rcx, void* __rdx, long long __rdi, long long __rsi) {
				signed int _t100;
				void* _t101;
				void* _t110;
				signed int _t113;
				intOrPtr _t126;
				void* _t139;
				void* _t149;
				void* _t155;
				signed long long _t156;
				signed long long _t157;
				signed long long _t161;
				signed long long _t167;
				intOrPtr* _t176;
				intOrPtr _t177;
				signed long long _t178;
				long long _t190;
				void* _t197;
				void* _t198;
				void* _t202;
				long _t206;
				long long* _t207;
				void* _t209;
				signed long long _t210;
				signed int _t215;
				long long _t217;
				void* _t219;
				void* _t221;
				int _t225;

				_t204 = __rsi;
				_t155 = _t209;
				 *((long long*)(_t155 + 8)) = __rbx;
				 *((long long*)(_t155 + 0x10)) = __rsi;
				 *((long long*)(_t155 + 0x18)) = __rdi;
				_t207 = _t155 - 0x168;
				_t210 = _t209 - 0x240;
				_t156 =  *0x81f60470; // 0xbba9a5b3aaf9
				_t157 = _t156 ^ _t210;
				 *(_t207 + 0x130) = _t157;
				_t202 = __rcx;
				r12d = 0;
				r13d = r12d;
				__imp__AcquireSRWLockExclusive();
				_t176 =  *0x81f625e0;
				if (_t176 == 0) goto 0x81f5364d;
				if ( *_t176 == __rcx) goto 0x81f53648;
				_t177 =  *((intOrPtr*)(_t176 + 0x18));
				if (_t177 != 0) goto 0x81f5363a;
				if (_t177 != 0) goto 0x81f5369a;
				LocalAlloc(_t225);
				_t178 = _t157;
				if (_t157 == 0) goto 0x81f539b9;
				 *_t157 = __rcx;
				 *((intOrPtr*)(_t178 + 8)) = GetTickCount() - 0xea61;
				 *(_t178 + 0xc) = _t215;
				 *((long long*)(_t178 + 0x18)) =  *0x81f625e0;
				 *0x81f625e0 = _t178;
				 *(_t178 + 0xc) =  *(_t178 + 0xc) + 1;
				 *((intOrPtr*)(_t178 + 0x10)) =  *((intOrPtr*)(_t178 + 0x10)) + 1;
				if (GetTickCount() -  *((intOrPtr*)(_t178 + 8)) - 0xea60 <= 0) goto 0x81f539b9;
				 *((intOrPtr*)(_t178 + 8)) = GetTickCount();
				_t197 = _t207 + 0x20;
				 *((long long*)(_t210 + 0x20)) = _t210 + 0x30;
				_t100 = E00007FF67FF681F5352C(_t197, _t210 + 0x38);
				 *(_t210 + 0x34) = _t100;
				r14d = _t100;
				if (_t100 == 0) goto 0x81f5370d;
				if (_t202 - 0x7ff681f30000 < 0) goto 0x81f5370d;
				_t198 = _t197 + 0x7ff681f30000;
				if (_t198 - 0x7ff681f30000 <= 0) goto 0x81f5370d;
				if (_t202 - _t198 > 0) goto 0x81f5370d;
				goto 0x81f53710;
				if ( *((intOrPtr*)(_t178 + 0x10)) != 1) goto 0x81f53813;
				_t101 = E00007FF67FF681F31380(_t178, 0x81f60230, __rsi, _t221);
				if (_t101 != 0) goto 0x81f53813;
				_t139 =  *0x81f60230 - r12d; // 0x0
				if (_t139 <= 0) goto 0x81f537f2;
				 *((intOrPtr*)(_t210 + 0x58)) = 0x1d1727a6;
				r13d = 0x7ff681f30001;
				 *((intOrPtr*)(_t210 + 0x5c)) = 0x4e2792c8;
				r15d = r12d;
				 *((intOrPtr*)(_t210 + 0x60)) = 0x8b0f69bc;
				 *((intOrPtr*)(_t210 + 0x64)) = 0x9d548c45;
				if ( *((intOrPtr*)(_t207 + 0x20)) == 0) goto 0x81f537b4;
				__imp___o_toupper();
				 *((intOrPtr*)(_t210 + _t215 + 0x58)) =  *((intOrPtr*)(_t210 + _t215 + 0x58)) + _t101;
				_t217 = _t207 + 0x21;
				_t36 = _t225 + 1; // 0x1
				_t113 = _t36;
				asm("inc ebp");
				r15d = r15d & _t113;
				asm("dec ebp");
				if ( *_t217 != 0) goto 0x81f53772;
				r14d =  *(_t210 + 0x34);
				r12d = 0;
				r8d = 0;
				0x81f53c0f();
				if (_t101 != 0) goto 0x81f537f2;
				r8d = 0;
				__imp__EventProviderEnabled();
				_t126 =  !=  ? r12d : 0x7ff681f30001;
				0x81f53c2d();
				 *0x81f60250 = _t217;
				 *0x81f60230 = r12d;
				E00007FF67FF681F65078();
				if (E00007FF67FF681F31380(_t178, 0x81f60268, _t204, _t219) != 0) goto 0x81f5399b;
				if ( *0x81f60268 - 5 <= 0) goto 0x81f5397a;
				if (( *0x81f60278 & 0x00000000) == 0) goto 0x81f5397a;
				_t161 =  *0x81f60280; // 0x0
				_t149 = (_t161 & 0x00000000) -  *0x81f60280; // 0x0
				if (_t149 != 0) goto 0x81f5397a;
				 *((intOrPtr*)(_t210 + 0x4c)) =  *((intOrPtr*)(_t178 + 0x10));
				 *(_t210 + 0x50) =  *(_t178 + 0xc);
				 *(_t210 + 0x34) = r13d;
				 *((intOrPtr*)(_t210 + 0x48)) = _t126;
				asm("sbb ecx, ecx");
				 *(_t210 + 0x54) = r12d;
				 *(_t210 + 0x30) =  *(_t210 + 0x30) & _t113;
				 *((intOrPtr*)(_t210 + 0x40)) = 0xa;
				 *((long long*)(_t207 + 0x18)) = 4;
				 *((long long*)(_t207 + 0x10)) = _t210 + 0x34;
				asm("sbb ecx, ecx");
				 *(_t210 + 0x38) =  *(_t210 + 0x38) & _t113;
				 *_t207 = _t210 + 0x48;
				 *((long long*)(_t207 + 8)) = 4;
				 *((long long*)(_t207 - 0x10)) = _t210 + 0x4c;
				 *((long long*)(_t207 - 8)) = 4;
				 *((long long*)(_t207 - 0x20)) = _t210 + 0x50;
				_t167 = "<unknown>";
				_t190 =  ==  ? _t167 : _t207 + 0x20;
				 *((long long*)(_t207 - 0x18)) = 4;
				if ( *((intOrPtr*)(_t190 + (_t167 | 0xffffffff) + 1)) != r12b) goto 0x81f538f5;
				 *((long long*)(_t207 - 0x30)) = _t190;
				 *((intOrPtr*)(_t207 - 0x28)) =  ~r14d + 1;
				 *(_t207 - 0x24) = r12d;
				 *((long long*)(_t207 - 0x40)) = _t210 + 0x30;
				 *((long long*)(_t207 - 0x38)) = 4;
				 *((long long*)(_t207 - 0x50)) = _t210 + 0x38;
				r9d = 0;
				 *((long long*)(_t207 - 0x48)) = 4;
				 *((long long*)(_t207 - 0x60)) = _t210 + 0x54;
				r8d = 0;
				 *((long long*)(_t207 - 0x58)) = 4;
				 *((long long*)(_t207 - 0x70)) = _t210 + 0x40;
				 *((long long*)(_t210 + 0x28)) = _t210 + 0x70;
				 *((intOrPtr*)(_t210 + 0x20)) = 0xb;
				 *((long long*)(_t207 - 0x68)) = 4;
				_t110 = E00007FF67FF681F3125C(0x81f60268, 0x81f5b3c8, _t215);
				 *0x81f60288 = _t217;
				 *0x81f60268 = r12d;
				E00007FF67FF681F65078();
				if (r13d == 0) goto 0x81f539b5;
				if (_t126 == 0) goto 0x81f539b5;
				Sleep(_t206);
				 *(_t178 + 0xc) = r12d;
				__imp__ReleaseSRWLockExclusive();
				E00007FF67FF681F53F70();
				return _t110;
			}

0x7ff681f535d8
0x7ff681f535d8
0x7ff681f535db
0x7ff681f535df
0x7ff681f535e3
0x7ff681f535f0
0x7ff681f535f7
0x7ff681f535fe
0x7ff681f53605
0x7ff681f53608
0x7ff681f5360f
0x7ff681f53612
0x7ff681f5361f
0x7ff681f53622
0x7ff681f5362e
0x7ff681f53638
0x7ff681f5363d
0x7ff681f5363f
0x7ff681f53646
0x7ff681f5364b
0x7ff681f53655
0x7ff681f53661
0x7ff681f53667
0x7ff681f5366d
0x7ff681f53688
0x7ff681f5368b
0x7ff681f5368f
0x7ff681f53693
0x7ff681f5369a
0x7ff681f5369d
0x7ff681f536b4
0x7ff681f536c6
0x7ff681f536d3
0x7ff681f536d7
0x7ff681f536dc
0x7ff681f536e1
0x7ff681f536e5
0x7ff681f536ea
0x7ff681f536f6
0x7ff681f536fc
0x7ff681f53702
0x7ff681f53707
0x7ff681f5370b
0x7ff681f53714
0x7ff681f53721
0x7ff681f53728
0x7ff681f5372e
0x7ff681f53735
0x7ff681f53741
0x7ff681f53749
0x7ff681f5374c
0x7ff681f53754
0x7ff681f53757
0x7ff681f5375f
0x7ff681f53769
0x7ff681f53775
0x7ff681f53781
0x7ff681f53786
0x7ff681f53789
0x7ff681f53789
0x7ff681f53798
0x7ff681f5379b
0x7ff681f537a1
0x7ff681f537aa
0x7ff681f537ac
0x7ff681f537b1
0x7ff681f537b9
0x7ff681f537c3
0x7ff681f537ca
0x7ff681f537d1
0x7ff681f537d6
0x7ff681f537e9
0x7ff681f537ed
0x7ff681f537f9
0x7ff681f53800
0x7ff681f53807
0x7ff681f53821
0x7ff681f5382e
0x7ff681f53845
0x7ff681f5384b
0x7ff681f53855
0x7ff681f5385c
0x7ff681f53865
0x7ff681f5386c
0x7ff681f53875
0x7ff681f5387d
0x7ff681f53881
0x7ff681f53883
0x7ff681f53887
0x7ff681f5388d
0x7ff681f5389a
0x7ff681f538a2
0x7ff681f538a6
0x7ff681f538a8
0x7ff681f538b1
0x7ff681f538be
0x7ff681f538c6
0x7ff681f538d2
0x7ff681f538da
0x7ff681f538de
0x7ff681f538e5
0x7ff681f538e9
0x7ff681f538fc
0x7ff681f53900
0x7ff681f53904
0x7ff681f53913
0x7ff681f53917
0x7ff681f53927
0x7ff681f5392f
0x7ff681f53933
0x7ff681f5393b
0x7ff681f53943
0x7ff681f53947
0x7ff681f5394f
0x7ff681f53957
0x7ff681f53960
0x7ff681f53965
0x7ff681f5396d
0x7ff681f53975
0x7ff681f53981
0x7ff681f53988
0x7ff681f5398f
0x7ff681f5399e
0x7ff681f539a2
0x7ff681f539a9
0x7ff681f539b5
0x7ff681f539c0
0x7ff681f539d6
0x7ff681f539fb

APIs

AcquireSRWLockExclusive.KERNEL32 ref: 00007FF681F53622
LocalAlloc.KERNEL32 ref: 00007FF681F53655
GetTickCount.API-MS-WIN-CORE-SYSINFO-L1-1-0 ref: 00007FF681F53670
GetTickCount.API-MS-WIN-CORE-SYSINFO-L1-1-0 ref: 00007FF681F536A0
GetTickCount.API-MS-WIN-CORE-SYSINFO-L1-1-0 ref: 00007FF681F536BA
_o_toupper.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00007FF681F53775
EtwEventRegister.NTDLL ref: 00007FF681F537C3
EventProviderEnabled.API-MS-WIN-EVENTING-PROVIDER-L1-1-0 ref: 00007FF681F537D6
EtwEventUnregister.NTDLL ref: 00007FF681F537ED
EtwEventUnregister.NTDLL ref: 00007FF681F53807
EtwEventUnregister.NTDLL ref: 00007FF681F5398F
Sleep.API-MS-WIN-CORE-SYNCH-L1-2-0 ref: 00007FF681F539A9
ReleaseSRWLockExclusive.KERNEL32 ref: 00007FF681F539C0

Strings

<unknown>, xrefs: 00007FF681F538DE

Memory Dump Source

Source File: 00000000.00000002.242166859.00007FF681F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF681F30000, based on PE: true

Associated: 00000000.00000002.242162264.00007FF681F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242186922.00007FF681F56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242194386.00007FF681F60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242238373.00007FF681F63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff681f30000_bHLOVVmF1t.jbxd

Similarity

API ID: Event$CountTickUnregister$ExclusiveLock$AcquireAllocEnabledLocalProviderRegisterReleaseSleep_o_toupper
String ID: <unknown>
API String ID: 1911282264-1574992787
Opcode ID: b7980d1cae30f6bddfb3eef8dd4195bfa67450cc337f007282a6a28eff6ab808
Instruction ID: 1ae811be5866adcfc907878146df02a7dba1edd5c439e599cb5313211d120f76
Opcode Fuzzy Hash: b7980d1cae30f6bddfb3eef8dd4195bfa67450cc337f007282a6a28eff6ab808
Instruction Fuzzy Hash: D1C14972A18B82CAE7508F24E8843A97BE4FF49B58F549139DA4E83B54DF3CD449CB00

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF681F373C0 Relevance: 24.7, APIs: 13, Strings: 1, Instructions: 186memoryCOMMON

Download Yara Rule

APIs

WaitForSingleObjectEx.KERNEL32 ref: 00007FF681F37410
GetLastError.KERNEL32 ref: 00007FF681F3745B
SetLastError.KERNEL32 ref: 00007FF681F3747F
GetProcessHeap.KERNEL32 ref: 00007FF681F374AC
HeapFree.KERNEL32 ref: 00007FF681F374C0
GetProcessHeap.KERNEL32 ref: 00007FF681F37507
HeapFree.KERNEL32 ref: 00007FF681F3751B

Strings

onecore\internal\sdk\inc\wil\opensource\wil\resource.h, xrefs: 00007FF681F37559

Memory Dump Source

Source File: 00000000.00000002.242166859.00007FF681F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF681F30000, based on PE: true

Associated: 00000000.00000002.242162264.00007FF681F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242186922.00007FF681F56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242194386.00007FF681F60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242238373.00007FF681F63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff681f30000_bHLOVVmF1t.jbxd

Similarity

API ID: Heap$ErrorFreeLastProcess$ObjectSingleWait
String ID: onecore\internal\sdk\inc\wil\opensource\wil\resource.h
API String ID: 1185803644-3341287125
Opcode ID: 9235c4644799cec304b837f528220500a8893ca45dfd6540711a6977207cc07f
Instruction ID: 2a1d06fbdab5a7bad3e6645de2ce0fc96db5444b6e22d67cbf0d71cd95bab417
Opcode Fuzzy Hash: 9235c4644799cec304b837f528220500a8893ca45dfd6540711a6977207cc07f
Instruction Fuzzy Hash: 66717321A09A42C6FB549F66E4502B8BBE0FF89B94F488538DA4EC7791CF3CE456C701

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF681F3BFE0 Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 111windowCOMMON

Download Yara Rule

APIs

EndDialog.USER32 ref: 00007FF681F3C038
GetDlgItemTextW.USER32 ref: 00007FF681F3C05C
FoldStringW.KERNEL32 ref: 00007FF681F3C083
_o__wtol.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00007FF681F3C094
SendMessageW.USER32 ref: 00007FF681F3C0B9
MessageBoxW.USER32 ref: 00007FF681F3C0EE
SendMessageW.USER32 ref: 00007FF681F3C10C
SetDlgItemTextW.USER32 ref: 00007FF681F3C13E
SetFocus.USER32 ref: 00007FF681F3C14D
SendMessageW.USER32 ref: 00007FF681F3C176
SendMessageW.USER32 ref: 00007FF681F3C196
SetDlgItemTextW.USER32 ref: 00007FF681F3C1C9
SetFocus.USER32 ref: 00007FF681F3C1D8

Strings

d, xrefs: 00007FF681F3C06D

Memory Dump Source

Source File: 00000000.00000002.242166859.00007FF681F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF681F30000, based on PE: true

Associated: 00000000.00000002.242162264.00007FF681F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242186922.00007FF681F56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242194386.00007FF681F60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242238373.00007FF681F63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff681f30000_bHLOVVmF1t.jbxd

Similarity

API ID: Message$Send$ItemText$Focus$DialogFoldString_o__wtol
String ID: d
API String ID: 1997187840-2564639436
Opcode ID: fb60cd3f045150bfe589f00dbc7d0fa248f214ca48ed3cbac35199ef45b136f5
Instruction ID: 5db52f4a61f4905d0262e21a6de65a63974f42c503d3d0aca0bfc1375883c81c
Opcode Fuzzy Hash: fb60cd3f045150bfe589f00dbc7d0fa248f214ca48ed3cbac35199ef45b136f5
Instruction Fuzzy Hash: 95517171A08A86C6E7509B20F8146FA7BA0FFCAB51F54913ADA4E83B94CF3DD446C701

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF681F4CC28 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 176
windowCOMMON

Download Yara Rule

C-Code - Quality: 30%

			E00007FF67FF681F4CC28(void* __edx, void* __rax, long long __rbx, long long __rcx, char _a8, long long _a16, intOrPtr _a24, intOrPtr _a32) {
				intOrPtr _v72;
				long long _v88;
				void* __rdi;
				void* __rsi;
				void* __rbp;
				int _t38;
				int _t43;
				void* _t45;
				intOrPtr _t53;
				intOrPtr _t68;
				long long _t86;
				long long _t87;
				long long _t88;
				intOrPtr _t116;
				signed long long _t117;
				void* _t118;
				void* _t120;
				intOrPtr _t126;
				void* _t130;

				_a16 = __rbx;
				_a8 = __rcx;
				r13b = __edx;
				if ( *0x81f62480 == 0) goto 0x81f4ce5b;
				SendMessageW(??, ??, ??, ??);
				r9d = 0;
				r8d = 0;
				SendMessageW(??, ??, ??, ??);
				if (_a32 != 0) goto 0x81f4cca2;
				_t53 = _a24;
				_t54 =  ==  ? 0 : _t53;
				_a24 =  ==  ? 0 : _t53;
				r9d = 0;
				r8d = 0;
				SendMessageW(??, ??, ??, ??);
				if (__rax == 0) goto 0x81f4ce5b;
				LocalLock(??);
				_t118 = __rax;
				if (__rax == 0) goto 0x81f4ce5b;
				_t68 = _a24;
				r12d = 0;
				_a8 = 0;
				asm("inc ebp");
				r15d = r15d & _t68 - _a32;
				if (r13b == 0) goto 0x81f4cd75;
				_t86 =  &_a8;
				_t58 =  ==  ? _t68 : _t117 - 1;
				_v88 = _t86;
				_v72 =  ==  ? _t68 : _t117 - 1;
				E00007FF67FF681F4CB30(_a32,  ==  ? _t68 : _t117 - 1, __rbx, __rax, __rax);
				if ( *0x81f625a1 == r12b) goto 0x81f4cdde;
				if (_t86 != 0) goto 0x81f4cdde;
				_t38 = GetWindowTextLengthW(??);
				_t87 =  &_a8;
				_v88 = _t87;
				E00007FF67FF681F4CB30(r15d, _t38 + r15d - ( ==  ? _t68 : _t117 - 1), _t86, _t118 + (_v72 - _t86) * 2, _t118);
				goto 0x81f4cdd5;
				_t43 = GetWindowTextLengthW(??);
				_v88 =  &_a8;
				_t45 = E00007FF67FF681F4CBB0(_t43 - _t68, _t43 - _t68, _t118 + _t117 * 2, _t118 + _t117 * 2, _t118, 0x81f62480);
				if ( *0x81f625a1 == r12b) goto 0x81f4cdde;
				if (_t87 != 0) goto 0x81f4cdde;
				_t88 =  &_a8;
				_v88 = _t88;
				E00007FF67FF681F4CBB0(_t45, _t117 + _t130, _t87, _t118, _t118, 0x81f62480);
				r12d = 1;
				LocalUnlock(??);
				if (_t88 != 0) goto 0x81f4ce76;
				if (( *0x81f615a8 & 0x00000020) != 0) goto 0x81f4ce5b;
				SetCursor(??);
				_t126 =  *0x81f60648; // 0x1bb5cf5299a
				_t113 =  !=  ?  *0x81f62580 :  *0x81f62598;
				_v88 = 0x40;
				_t116 =  *0x81f60630; // 0x1bb5cf529a0
				E00007FF67FF681F3BDA4(_t88,  !=  ?  *0x81f62580 :  *0x81f62598, _t116, _t117, _t118, _t120, _t126, 0x81f62480);
				SetCursor(??);
				return 0;
			}

0x7ff681f4cc28
0x7ff681f4cc2d
0x7ff681f4cc46
0x7ff681f4cc50
0x7ff681f4cc6a
0x7ff681f4cc80
0x7ff681f4cc83
0x7ff681f4cc86
0x7ff681f4cc95
0x7ff681f4cc97
0x7ff681f4cc9c
0x7ff681f4cc9f
0x7ff681f4cca9
0x7ff681f4ccac
0x7ff681f4ccb4
0x7ff681f4ccc6
0x7ff681f4cccf
0x7ff681f4ccdb
0x7ff681f4cce1
0x7ff681f4cce7
0x7ff681f4ccea
0x7ff681f4ccf4
0x7ff681f4ccf9
0x7ff681f4ccfc
0x7ff681f4cd02
0x7ff681f4cd09
0x7ff681f4cd0d
0x7ff681f4cd10
0x7ff681f4cd15
0x7ff681f4cd1d
0x7ff681f4cd2c
0x7ff681f4cd35
0x7ff681f4cd42
0x7ff681f4cd61
0x7ff681f4cd65
0x7ff681f4cd6e
0x7ff681f4cd73
0x7ff681f4cd80
0x7ff681f4cd92
0x7ff681f4cda3
0x7ff681f4cdb2
0x7ff681f4cdb7
0x7ff681f4cdb9
0x7ff681f4cdc4
0x7ff681f4cdd0
0x7ff681f4cdd5
0x7ff681f4cde1
0x7ff681f4cdf0
0x7ff681f4cdfd
0x7ff681f4ce06
0x7ff681f4ce2a
0x7ff681f4ce34
0x7ff681f4ce38
0x7ff681f4ce40
0x7ff681f4ce47
0x7ff681f4ce4f
0x7ff681f4ce74

APIs

SendMessageW.USER32 ref: 00007FF681F4CC6A
SendMessageW.USER32 ref: 00007FF681F4CC86
SendMessageW.USER32 ref: 00007FF681F4CCB4
LocalLock.KERNEL32 ref: 00007FF681F4CCCF
GetWindowTextLengthW.USER32 ref: 00007FF681F4CD42
GetWindowTextLengthW.USER32 ref: 00007FF681F4CD80

Part of subcall function 00007FF681F4CBB0: FindNLSString.KERNEL32 ref: 00007FF681F4CBF0

LocalUnlock.KERNEL32 ref: 00007FF681F4CDE1
SetCursor.USER32 ref: 00007FF681F4CE06
SetCursor.USER32(?,?,?,?,?,?,?,?,?,?,?,?,00007FF681F3950B), ref: 00007FF681F4CE4F

Strings

@, xrefs: 00007FF681F4CE38

Memory Dump Source

Source File: 00000000.00000002.242166859.00007FF681F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF681F30000, based on PE: true

Associated: 00000000.00000002.242162264.00007FF681F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242186922.00007FF681F56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242194386.00007FF681F60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242238373.00007FF681F63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff681f30000_bHLOVVmF1t.jbxd

Similarity

API ID: MessageSend$CursorLengthLocalTextWindow$FindLockStringUnlock
String ID: @
API String ID: 1480118076-2766056989
Opcode ID: f039feef98e91795de42e4454bc8313f23d5d2fd6c92edea9a7e10dc45a8b410
Instruction ID: 093cd2fde70e15cf8db7e8a57cfe1398c0bd7588c4275ec29ad4c29034f8598d
Opcode Fuzzy Hash: f039feef98e91795de42e4454bc8313f23d5d2fd6c92edea9a7e10dc45a8b410
Instruction Fuzzy Hash: D6713C71A08A86C6EB248F21E9642B97BE0FF89B58F449139DE0E83754DF3CE845C700

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF681F415FC Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 124
filewindowCOMMON

Download Yara Rule

C-Code - Quality: 19%

			E00007FF67FF681F415FC(void* __eflags, long long __rax, long long __rbx, void* __rcx, long long __rdi, long long __rsi, void* __r9, void* __r10, long long _a8, char _a16, long long _a24, long long _a32) {
				long long _v24;
				intOrPtr _v32;
				intOrPtr _v40;
				void* __rbp;
				long _t29;
				long long _t56;
				short* _t64;
				intOrPtr _t73;
				long long _t77;
				void* _t80;
				intOrPtr _t83;
				intOrPtr _t86;

				_t77 = __rsi;
				_t57 = __rbx;
				_t56 = __rax;
				_a8 = __rbx;
				_a24 = __rsi;
				_a32 = __rdi;
				_t75 = __rcx;
				if (E00007FF67FF681F41114(0, __rax, __rbx, L"/.SETUP", __rcx, __rsi) != 0) goto 0x81f417ca;
				 *0x81f62370 = 1;
				GetSystemMenu(??, ??);
				 *0x81f61600 = __rax;
				LoadAcceleratorsW(??, ??);
				r8d = 0xfd0000;
				 *0x81f615f0 = __rax;
				SetWindowLongW(??, ??, ??);
				_t5 = _t75 + 0xe; // 0xe
				_t64 = _t5;
				if ( *_t64 == 0x20) goto 0x81f416a4;
				if ( *_t64 != 9) goto 0x81f416aa;
				goto 0x81f41698;
				if ( *((intOrPtr*)(_t64 + 2)) == 0) goto 0x81f4181f;
				_a16 = _t77;
				E00007FF67FF681F41188(_t57, _t64 + 2,  &_a16, __r9, __r10);
				_v24 = _t77;
				r8d = 3;
				_v32 = 0x80;
				r9d = 0;
				_v40 = 3;
				CreateFileW(??, ??, ??, ??, ??, ??, ??);
				 *0x81f61500 = _t56;
				if (_t56 != 0xffffffff) goto 0x81f417e2;
				_t29 = GetLastError();
				_t73 =  *0x81f60630; // 0x1bb5cf529a0
				if (_t29 == 2) goto 0x81f41759;
				_v40 = 0x31;
				if (_t29 == 5) goto 0x81f41750;
				if (_t29 == 0x7b) goto 0x81f41747;
				_t83 =  *0x81f60670; // 0x1bb5cf52990
				E00007FF67FF681F3BDA4(_t57,  *0x81f62598, _t73, __rcx, _t77, _t80, _t83, _a16);
				goto 0x81f417ab;
				goto 0x81f4173e;
				goto 0x81f4173e;
				_t86 =  *0x81f60668; // 0x1bb5cf52992
				_v40 = 0x33;
				if (E00007FF67FF681F3BDA4(_t57,  *0x81f62598, _t73, _t75, _t77, _t80, _t86, _a16) != 6) goto 0x81f417ab;
				r9d = 0;
				_v24 = _t77;
				r8d = 3;
				_v32 = 0x80;
				_v40 = 4;
				CreateFileW(??, ??, ??, ??, ??, ??, ??);
				 *0x81f61500 = _t56;
				if ( *0x81f61500 != 0xffffffff) goto 0x81f417e2;
				if (_a16 == 0) goto 0x81f417ca;
				__imp__CoTaskMemFree();
				return 0;
			}

0x7ff681f415fc
0x7ff681f415fc
0x7ff681f415fc
0x7ff681f415fc
0x7ff681f41601
0x7ff681f41606
0x7ff681f41613
0x7ff681f4162b
0x7ff681f4163a
0x7ff681f41644
0x7ff681f4165e
0x7ff681f41665
0x7ff681f4167b
0x7ff681f41681
0x7ff681f41688
0x7ff681f41694
0x7ff681f41694
0x7ff681f4169c
0x7ff681f416a2
0x7ff681f416a8
0x7ff681f416ad
0x7ff681f416b7
0x7ff681f416bb
0x7ff681f416c9
0x7ff681f416ce
0x7ff681f416d1
0x7ff681f416d9
0x7ff681f416e1
0x7ff681f416e5
0x7ff681f416f1
0x7ff681f416fc
0x7ff681f41702
0x7ff681f41712
0x7ff681f41723
0x7ff681f41725
0x7ff681f41730
0x7ff681f41735
0x7ff681f41737
0x7ff681f4173e
0x7ff681f41745
0x7ff681f4174e
0x7ff681f41757
0x7ff681f41759
0x7ff681f41760
0x7ff681f41772
0x7ff681f41778
0x7ff681f4177b
0x7ff681f41780
0x7ff681f41783
0x7ff681f41790
0x7ff681f41798
0x7ff681f417a4
0x7ff681f417b3
0x7ff681f417bc
0x7ff681f417be
0x7ff681f417e0

APIs

Part of subcall function 00007FF681F41114: CharUpperW.USER32 ref: 00007FF681F41137
Part of subcall function 00007FF681F41114: CharUpperW.USER32 ref: 00007FF681F4114D

GetSystemMenu.USER32 ref: 00007FF681F41644
LoadAcceleratorsW.USER32 ref: 00007FF681F41665
SetWindowLongW.USER32 ref: 00007FF681F41688
CreateFileW.KERNEL32(?,?,?,?,?,?,00007FF681F3AF12), ref: 00007FF681F416E5
GetLastError.KERNEL32(?,?,?,?,?,?,00007FF681F3AF12), ref: 00007FF681F41702
CoTaskMemFree.API-MS-WIN-CORE-COM-L1-1-0(?,?,?,?,?,?,00007FF681F3AF12), ref: 00007FF681F417BE

Part of subcall function 00007FF681F3BDA4: wcsnlen.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF681F3BDDF
Part of subcall function 00007FF681F3BDA4: LocalAlloc.KERNEL32 ref: 00007FF681F3BE1C
Part of subcall function 00007FF681F3BDA4: MessageBoxW.USER32 ref: 00007FF681F3BEBD
Part of subcall function 00007FF681F3BDA4: LocalFree.KERNEL32 ref: 00007FF681F3BECE

CreateFileW.KERNEL32(?,?,?,?,?,?,00007FF681F3AF12), ref: 00007FF681F41798

Strings

SlipUpAcc, xrefs: 00007FF681F41657
3, xrefs: 00007FF681F41760
/.SETUP, xrefs: 00007FF681F4161B

Memory Dump Source

Source File: 00000000.00000002.242166859.00007FF681F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF681F30000, based on PE: true

Associated: 00000000.00000002.242162264.00007FF681F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242186922.00007FF681F56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242194386.00007FF681F60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242238373.00007FF681F63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff681f30000_bHLOVVmF1t.jbxd

Similarity

API ID: CharCreateFileFreeLocalUpper$AcceleratorsAllocErrorLastLoadLongMenuMessageSystemTaskWindowwcsnlen
String ID: /.SETUP$3$SlipUpAcc
API String ID: 1676377551-1567928811
Opcode ID: b96d3f0a65d615813bb33b6394fe7cf0f785528e49f759a1faa2238ee3f0e181
Instruction ID: 6b379552fafcba05353738bc585f636c4e1828e5ea232ea20af477a075032219
Opcode Fuzzy Hash: b96d3f0a65d615813bb33b6394fe7cf0f785528e49f759a1faa2238ee3f0e181
Instruction Fuzzy Hash: 97512671A0CA42C6EB208F61E5542B97BE0FF89BA4F148639EA5EC3695DF3CE445C740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF681F37668 Relevance: 18.1, APIs: 12, Instructions: 104
memoryCOMMON

Download Yara Rule

C-Code - Quality: 28%

			E00007FF67FF681F37668(signed int __edx, void* __rax, long long __rbx, char* __rcx, long long __rsi, void* __rbp, long long _a8, long long _a16) {
				void* __rdi;
				void* _t66;
				void* _t83;
				char* _t84;

				_a8 = __rbx;
				_a16 = __rsi;
				 *__rcx = 0;
				_t84 = __rcx;
				if ( *(__rcx + 0x30) == 0) goto 0x81f376aa;
				GetLastError();
				E00007FF67FF681F3781C();
				SetLastError(??);
				 *(__rcx + 0x30) =  *(__rcx + 0x30) & 0x00000000;
				if ( *(__rcx + 0x38) == 0) goto 0x81f376dc;
				GetLastError();
				E00007FF67FF681F3781C();
				SetLastError(??);
				 *(__rcx + 0x38) =  *(__rcx + 0x38) & 0x00000000;
				 *(__rcx + 0x110) =  *(__rcx + 0x110) & 0x00000000;
				if ( *(__rcx + 0x110) == 0) goto 0x81f37715;
				GetProcessHeap();
				HeapFree(??, ??, ??);
				_t66 = __rcx + 0xb0;
				 *(_t66 + 0x40) =  *(_t66 + 0x40) & 0x00000000;
				if ( *(_t66 + 0x40) == 0) goto 0x81f3774a;
				GetProcessHeap();
				HeapFree(??, ??, ??);
				DeleteCriticalSection(??);
				_t89 =  *(__rcx + 0xa8);
				 *(__rcx + 0xa8) =  *(__rcx + 0xa8) & 0x00000000;
				if ( *(__rcx + 0xa8) == 0) goto 0x81f3778d;
				GetProcessHeap();
				HeapFree(??, ??, ??);
				DeleteCriticalSection(??);
				if ( *((intOrPtr*)(__rcx + 0x60)) == 0) goto 0x81f377ab;
				E00007FF67FF681F36288( *((intOrPtr*)(__rcx + 0x60)));
				if ( *((intOrPtr*)(_t84 + 0x58)) == 0) goto 0x81f377b9;
				E00007FF67FF681F34360( *((intOrPtr*)(_t84 + 0x58)));
				if ( *((intOrPtr*)(_t84 + 0x50)) == 0) goto 0x81f377c7;
				E00007FF67FF681F342EC( *((intOrPtr*)(_t84 + 0x50)));
				if ( *((intOrPtr*)(_t84 + 0x48)) == 0) goto 0x81f377d5;
				E00007FF67FF681F342EC( *((intOrPtr*)(_t84 + 0x48)));
				if ( *((intOrPtr*)(_t84 + 0x38)) == 0) goto 0x81f377e3;
				E00007FF67FF681F3781C();
				if ( *((intOrPtr*)(_t84 + 0x30)) == 0) goto 0x81f377f1;
				E00007FF67FF681F3781C();
				if ( *((intOrPtr*)(_t84 + 0x10)) == 0) goto 0x81f377ff;
				return E00007FF67FF681F36ED0(__edx ^ __edx ^ __edx ^ __edx ^ __edx ^ __edx ^ __edx ^ __edx, _t66,  *((intOrPtr*)(_t84 + 0x10)), _t83, _t84, _t89, __rbp, _t89);
			}

0x7ff681f37668
0x7ff681f3766d
0x7ff681f37677
0x7ff681f3767a
0x7ff681f37684
0x7ff681f37686
0x7ff681f37697
0x7ff681f3769e
0x7ff681f376aa
0x7ff681f376b6
0x7ff681f376b8
0x7ff681f376c9
0x7ff681f376d0
0x7ff681f376dc
0x7ff681f376e8
0x7ff681f376f3
0x7ff681f376f5
0x7ff681f37709
0x7ff681f37715
0x7ff681f37720
0x7ff681f37728
0x7ff681f3772a
0x7ff681f3773e
0x7ff681f3774d
0x7ff681f37759
0x7ff681f37760
0x7ff681f3776b
0x7ff681f3776d
0x7ff681f37781
0x7ff681f37791
0x7ff681f377a4
0x7ff681f377a6
0x7ff681f377b2
0x7ff681f377b4
0x7ff681f377c0
0x7ff681f377c2
0x7ff681f377ce
0x7ff681f377d0
0x7ff681f377dc
0x7ff681f377de
0x7ff681f377ea
0x7ff681f377ec
0x7ff681f377f8
0x7ff681f37811

APIs

SetLastError.KERNEL32 ref: 00007FF681F3769E
GetLastError.KERNEL32 ref: 00007FF681F37686

Part of subcall function 00007FF681F3781C: SetThreadpoolTimer.KERNEL32(?,?,?,00007FF681F3764C), ref: 00007FF681F3782D
Part of subcall function 00007FF681F3781C: WaitForThreadpoolTimerCallbacks.KERNEL32(?,?,?,00007FF681F3764C), ref: 00007FF681F37841

GetLastError.KERNEL32 ref: 00007FF681F376B8
SetLastError.KERNEL32 ref: 00007FF681F376D0
GetProcessHeap.KERNEL32 ref: 00007FF681F376F5
HeapFree.KERNEL32 ref: 00007FF681F37709
GetProcessHeap.KERNEL32 ref: 00007FF681F3772A
HeapFree.KERNEL32 ref: 00007FF681F3773E
DeleteCriticalSection.KERNEL32 ref: 00007FF681F3774D
GetProcessHeap.KERNEL32 ref: 00007FF681F3776D
HeapFree.KERNEL32 ref: 00007FF681F37781
DeleteCriticalSection.KERNEL32 ref: 00007FF681F37791

Memory Dump Source

Source File: 00000000.00000002.242166859.00007FF681F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF681F30000, based on PE: true

Associated: 00000000.00000002.242162264.00007FF681F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242186922.00007FF681F56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242194386.00007FF681F60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242238373.00007FF681F63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff681f30000_bHLOVVmF1t.jbxd

Similarity

API ID: Heap$ErrorLast$FreeProcess$CriticalDeleteSectionThreadpoolTimer$CallbacksWait
String ID:
API String ID: 3162582620-0
Opcode ID: 16c7ce156dc203958264b9e524bee7905a33b188acb2075dd0c03a216c75a3ff
Instruction ID: e12ee6191ef27738b23555880ad6a76dc6a60de989900a06b656618eff09cacd
Opcode Fuzzy Hash: 16c7ce156dc203958264b9e524bee7905a33b188acb2075dd0c03a216c75a3ff
Instruction Fuzzy Hash: 24411F21A05A82D7EB499B61E5513B8BBE0FF49F55F089638CA1E87741CF3CE466C311

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF681F38DAB Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 247
threadwindowfileCOMMON

Download Yara Rule

C-Code - Quality: 15%

			E00007FF67FF681F38DAB(void* __eax, signed int __ecx, void* __ebp, long long __rax, signed int* __rbx, void* __rdx, long long __rdi, long long __rsi, void* __r10, long long __r12, void* __r13) {
				void* _t175;
				signed int _t182;
				void* _t186;
				void* _t187;
				void* _t197;
				void* _t201;
				void* _t208;
				signed int _t218;
				signed int _t226;
				struct HICON__* _t238;
				signed int _t246;
				signed int _t252;
				void* _t255;
				void* _t261;
				long _t296;
				signed int _t299;
				signed int _t300;
				void* _t301;
				void* _t302;
				void* _t303;
				void* _t305;
				signed int _t306;
				signed int _t327;
				intOrPtr _t330;
				signed int _t337;
				void* _t339;
				signed int _t341;
				void* _t351;
				signed int _t352;
				signed int _t354;
				void* _t359;
				void* _t360;
				void* _t362;
				signed int _t368;
				signed int _t411;
				void* _t418;
				signed int _t419;
				void* _t424;
				void* _t425;
				void* _t426;
				intOrPtr _t450;
				void* _t456;
				void* _t457;
				void* _t471;
				void* _t476;
				long long _t506;
				intOrPtr* _t508;
				long long _t511;
				long long _t512;
				long long _t513;
				intOrPtr _t518;
				intOrPtr* _t519;
				long long _t521;
				char* _t522;
				long long _t525;
				intOrPtr* _t541;
				intOrPtr _t569;
				intOrPtr* _t582;
				intOrPtr _t612;
				void* _t624;
				void* _t625;
				long long _t626;
				void* _t629;
				long long _t632;
				void* _t635;
				void* _t637;
				void* _t639;
				intOrPtr _t643;
				intOrPtr _t644;
				intOrPtr _t647;
				intOrPtr _t658;
				void* _t659;
				long long _t662;
				void* _t674;
				long long _t675;
				long long _t680;

				_t675 = __r12;
				_t673 = __r10;
				_t632 = __rsi;
				_t626 = __rdi;
				_t602 = __rdx;
				_t506 = __rax;
				_t418 = __ebp;
				asm("sbb eax, [eax+eax]");
				 *((intOrPtr*)(__rdi)) =  *((intOrPtr*)(__rdi)) + __ecx;
				_t419 =  *__rbx & __ecx;
				 *((intOrPtr*)(__rbx - 0x32d4be35)) =  *((intOrPtr*)(__rbx - 0x32d4be35)) + __ecx;
				if (_t419 == 0) goto 0x81f391ab;
				if (_t419 == 0) goto 0x81f39065;
				if (_t419 == 0) goto 0x81f38ecc;
				if (_t419 == 0) goto 0x81f38f09;
				if (_t419 == 0) goto 0x81f38e58;
				if (__ecx - r13d - r13d - r13d - r13d != r13d) goto 0x81f39a76;
				 *0x81f614de =  *0x81f614de + r13w;
				__imp__SetThreadDpiAwarenessContext();
				_t521 = __rax;
				E00007FF67FF681F4EA3C(0, _t362, __rdx, __rdi, __rsi, _t635, _t639, _t659);
				__imp__SetThreadDpiAwarenessContext();
				goto 0x81f39c51;
				_t175 =  *0x81f65098();
				_t6 = _t506 - 0x1009; // -4105
				if ((_t6 & 0xfffffffc) != 0) goto 0x81f38ec2;
				if (_t175 == 0x100a) goto 0x81f38ec2;
				E00007FF67FF681F37CA8();
				 *0x81f61528 = __r12;
				 *0x81f61520 = __r12;
				if (E00007FF67FF681F3C650(_t506, _t521, 0x81f61510) == 0) goto 0x81f38e20;
				E00007FF67FF681F316FC(_t521, 0x81f616a0, _t602, 0x81f61740, __r10);
				E00007FF67FF681F316FC(_t521, 0x81f616f0, _t602, 0x81f61790, __r10);
				_t424 =  *0x81f616a0 - r12w; // 0x0
				 *0x81f62354 = r13d;
				if (_t424 != 0) goto 0x81f38eb5;
				_t425 =  *0x81f616f0 - r12w; // 0x0
				if (_t425 == 0) goto 0x81f38eb8;
				E00007FF67FF681F50830(r13d);
				goto 0x81f39c51;
				E00007FF67FF681F3BF20();
				goto 0x81f39c51;
				 *0x81f614da =  *0x81f614da + r13w;
				_t426 =  *0x81f60678 - r12d; // 0x1
				_t182 =  *0x81f615e4; // 0x0
				 *0x81f615e0 = _t182;
				if (_t426 != 0) goto 0x81f38f09;
				r9d = 0;
				r8d = 0;
				if (E00007FF67FF681F3E730(_t411, _t521, 0x81f620e0, __rdi, __rsi, 0x81f61790, _t659, __r10) == 0) goto 0x81f38f09;
				E00007FF67FF681F3B83C(_t521, _t626, 0x81f61790);
				goto 0x81f39c51;
				if (0x28 != 4) goto 0x81f38f1b;
				 *0x81f614dc =  *0x81f614dc + r13w;
				_t522 = L"*.txt";
				 *((long long*)(_t635 - 0x70)) = __r12;
				_t605 =  ==  ?  *0x81f620e0 : _t522;
				 *((long long*)(_t637 + 0x50)) = __r12;
				dil = r12b;
				_t186 = E00007FF67FF681F38A60(4, r13d, _t522, _t632,  ==  ?  *0x81f620e0 : _t522, _t626, _t632, _t637 + 0x50, _t635 - 0x70);
				if (_t186 >= 0) goto 0x81f38fb3;
				if (_t186 == 0x800704c7) goto 0x81f38f7b;
				_t523 =  ==  ?  *0x81f620e0 : _t522;
				_t534 =  ==  ?  *0x81f620e0 : _t522;
				_t187 = E00007FF67FF681F3885C( ==  ?  *0x81f620e0 : _t522,  ==  ?  *0x81f620e0 : _t522, _t637 + 0x50, _t626, _t632, __r10);
				dil = r13b;
				if (_t187 >= 0) goto 0x81f38fb3;
				if (_t187 != 0x8007000e) goto 0x81f3902c;
				_t643 =  *0x81f60630; // 0x1bb5cf529a0
				r9d = 0x1010;
				MessageBoxW(??, ??, ??, ??);
				goto 0x81f3902c;
				r8d = 0x1fa;
				memset(??, ??, ??);
				if ( *((intOrPtr*)(_t635 - 0x70)) == 0) goto 0x81f38ff6;
				if (E00007FF67FF681F51688( *((intOrPtr*)(_t635 - 0x70)), _t635 + 0x290, __r10) < 0) goto 0x81f38ff6;
				if ( *((intOrPtr*)(_t635 + 0x290)) == r12w) goto 0x81f38ff6;
				if (dil == 0) goto 0x81f38ff9;
				_t662 = __r12;
				r8b = r13b;
				if (E00007FF67FF681F3E730(_t411,  ==  ?  *0x81f620e0 : _t522, _t637 + 0x50, _t626, _t632, _t643, __r12, __r10) == 0) goto 0x81f39022;
				E00007FF67FF681F3C6A8( ==  ?  *0x81f620e0 : _t522, 0x81f620e0, _t637 + 0x50, _t626, _t632, _t635);
				E00007FF67FF681F3B83C( ==  ?  *0x81f620e0 : _t522, _t626, _t643);
				goto 0x81f3902c;
				E00007FF67FF681F3FDAC( *((intOrPtr*)(_t637 + 0x50)));
				if ( *((intOrPtr*)(_t637 + 0x50)) == 0) goto 0x81f39042;
				__imp__CoTaskMemFree();
				_t541 =  *((intOrPtr*)(_t635 - 0x70));
				if (_t541 == 0) goto 0x81f39c51;
				 *((long long*)(_t635 - 0x70)) = __r12;
				_t508 =  *((intOrPtr*)( *_t541 + 0x10));
				 *0x81f570f0();
				goto 0x81f39c51;
				if (E00007FF67FF681F39FB4(r13d, 0, _t541,  ==  ?  *0x81f620e0 : _t522, _t541, _t637 + 0x50, _t626, _t632, _t643, __r12, __r12) == 0) goto 0x81f39c51;
				r14d =  *0x81f615e4; // 0x0
				 *((long long*)(_t637 + 0x58)) = _t675;
				_t197 = E00007FF67FF681F386FC(_t196, r13d, _t523, _t632, _t637 + 0x58);
				if (_t197 >= 0) goto 0x81f390ac;
				if (_t197 == 0x800704c7) goto 0x81f390a4;
				if (E00007FF67FF681F384EC(_t523, _t637 + 0x58, _t637 + 0x58, _t626, _t632, _t673) < 0) goto 0x81f39156;
				_t680 =  *0x81f61500; // 0x0
				r9d = 0;
				 *((long long*)(_t637 + 0x30)) = _t675;
				 *(_t637 + 0x28) = 0x80;
				_t32 = _t508 - 0x7d; // 0x3
				r8d = _t32;
				 *((intOrPtr*)(_t637 + 0x20)) = 3;
				CreateFileW(??, ??, ??, ??, ??, ??, ??);
				_t299 =  *0x81f62378;
				_t412 =  *0x81f6236c;
				 *0x81f61500 = _t508;
				_t201 = E00007FF67FF681F3EFB4();
				r9d = _t299;
				r8d =  *0x81f6236c;
				E00007FF67FF681F5021C(_t201, _t523, 0x81f614d8, _t674);
				E00007FF67FF681F5053C(E00007FF67FF681F3ACE4(_t508), _t523);
				_t368 =  *0x81f615e4; // 0x0
				r8d = 0;
				if (E00007FF67FF681F3F0D4(_t368, _t523, _t637 + 0x58, _t632, _t635, _t643, _t662) != 0) goto 0x81f39152;
				E00007FF67FF681F3FDAC( *((intOrPtr*)(_t637 + 0x58)));
				 *0x81f61500 = _t680;
				if (0x80004005 >= 0) goto 0x81f3918c;
				 *0x81f615e4 = r14d;
				if (0x80004005 != 0x8007000e) goto 0x81f3918c;
				_t644 =  *0x81f60630; // 0x1bb5cf529a0
				r9d = 0x1010;
				_t612 =  *0x81f60640; // 0x1bb5cf52998
				MessageBoxW(??, ??, ??, ??);
				if ( *((intOrPtr*)(_t637 + 0x58)) == 0) goto 0x81f39c51;
				__imp__CoTaskMemFree();
				goto 0x81f39c51;
				 *0x81f614d8 =  *0x81f614d8 + r13w;
				_t450 =  *0x81f614d8;
				_t208 = E00007FF67FF681F3FBEC(r13d, _t368, _t450, _t508, _t523,  *((intOrPtr*)(_t637 + 0x58)), _t612, _t632, _t635, _t644, _t662, _t675);
				goto 0x81f39c51;
				if (_t450 != 0) goto 0x81f391d2;
				 *_t508 =  *_t508 + _t208;
				if (_t450 == 0) goto 0x81f3932f;
				if (_t450 == 0) goto 0x81f39c51;
				if (_t450 == 0) goto 0x81f3931d;
				if (_t450 == 0) goto 0x81f39510;
				_t327 = _t299 - 1 - r13d - 5 - r13d;
				if (_t450 == 0) goto 0x81f394ed;
				if (_t327 != r13d) goto 0x81f39a76;
				 *0x81f614ec =  *0x81f614ec + r13w;
				 *0x81f6234c = r13d;
				if ( *0x81f62580 == 0) goto 0x81f39233;
				r9d = 0;
				r8d = 0;
				SendMessageW(??, ??, ??, ??);
				r8d =  *0x81f62660;
				 *0x81f615a8 = 0x10001;
				if ((r8b & 0x00000002) != 0) goto 0x81f39265;
				E00007FF67FF681F3CF20(_t523, 0x81f62660, _t635 - 0x48, _t632, _t662);
				 *((long long*)(_t637 + 0x48)) =  *_t508;
				r8d = _t327;
				r9d = r8d;
				 *((intOrPtr*)(_t637 + 0x30)) = 3;
				r9d = r9d >> 9;
				r8d = r8d >> 8;
				r9d = r9d & r13d;
				 *(_t637 + 0x28) = r13d;
				r8d = r8d & r13d;
				 *(_t637 + 0x78) = r12d;
				 *((char*)(_t637 + 0x7c)) = 3;
				 *((long long*)(_t637 + 0x20)) = _t637 + 0x78;
				E00007FF67FF681F3DD74(_t299, 0x10d8158, _t523, 0x81f62668, _t632, _t635, _t644);
				asm("sbb edx, edx");
				asm("sbb ecx, ecx");
				 *0x81f615a8 =  *0x81f615a8 | 0x010d8158;
				E00007FF67FF681F4CF00(0x40000 | _t327 & 0x00000004, _t523, 0x81f62668);
				 *0x81f615c0 = 0x800080;
				 *0x81f615b0 = 0x81f62480;
				_t510 = 0x81f62380;
				 *0x81f615b8 = 0x81f62380;
				 *0x81f650b8();
				 *0x81f62580 = 0x81f62380;
				goto 0x81f39c51;
				 *0x81f614e0 =  *0x81f614e0 + r13w;
				goto 0x81f396ee;
				_t218 = E00007FF67FF681F3D37C(_t327 & 0x00000004, _t418, 0x81f62380, _t523, 0x81f61590, _t635 - 0x68);
				_t300 = _t218;
				if (_t218 >= 0) goto 0x81f3935e;
				r9d = _t218;
				E00007FF67FF681F325BC();
				goto 0x81f39c54;
				 *(_t637 + 0x28) = 5;
				 *((long long*)(_t637 + 0x20)) = _t675;
				 *0x81f65110();
				_t647 =  *0x81f62598;
				 *0x81f614ee =  *0x81f614ee + r13w;
				 *((long long*)(_t637 + 0x20)) = _t675;
				DialogBoxParamW(??, ??, ??, ??, ??);
				if (0x81f62380 != 0) goto 0x81f39c51;
				_t330 =  *0x81f6166c; // 0x0
				E00007FF67FF681F37E58(_t330, 0xe, 0x81f62380);
				goto 0x81f39c51;
				_t456 = _t300 - 0x21;
				if (_t456 > 0) goto 0x81f398a0;
				if (_t456 == 0) goto L7;
				if (_t456 == 0) goto 0x81f396ca;
				if (_t456 == 0) goto 0x81f396be;
				if (_t456 == 0) goto 0x81f3962e;
				_t351 = _t300 - 0x19 - r13d - r13d - r13d;
				_t457 = _t351;
				if (_t457 == 0) goto 0x81f39adf;
				_t352 = _t351 - r13d;
				if (_t457 == 0) goto 0x81f394ed;
				if (_t352 != 3) goto 0x81f39a76;
				asm("sbb ecx, ecx");
				_t354 = (_t352 & 0x00100000) + 0x50200104;
				if (E00007FF67FF681F4CFE0(_t300, _t354, 0xe, _t412, _t352 - 3, _t523, _t632, _t647, _t673) == 0) goto 0x81f39459;
				 *0x81f62358 = r13d;
				 *0x81f6236c = r12d & 0xffffff00 |  *0x81f6236c == r12d;
				goto 0x81f39480;
				_t658 =  *0x81f60630; // 0x1bb5cf529a0
				r9d = 0x30;
				MessageBoxW(??, ??, ??, ??);
				r8d =  *0x81f61488; // 0x0
				if ((r8b & 0x00000002) != 0) goto 0x81f394a8;
				E00007FF67FF681F3CD48(_t523, 0x81f61488, _t635 - 0x40, _t632, E00007FF67FF681F3BFE0);
				 *((long long*)(_t637 + 0x48)) =  *0x81f62380;
				r8d = _t354;
				r9d = r8d;
				 *((intOrPtr*)(_t637 + 0x30)) = 3;
				r9d = r9d >> 9;
				_t519 = _t635 - 0x80;
				r8d = r8d >> 8;
				r9d = r9d & r13d;
				 *(_t637 + 0x28) = r13d;
				r8d = r8d & r13d;
				 *(_t635 - 0x80) = r12d;
				 *((char*)(_t635 - 0x7c)) = 3;
				 *((long long*)(_t637 + 0x20)) = _t519;
				E00007FF67FF681F3DD74(_t300, 0x71cda0, _t523, 0x81f61490, _t632, _t635, _t658);
				goto 0x81f39c51;
				if ( *0x81f6234c == r12d) goto 0x81f39510;
				if ( *0x81f62480 == r12w) goto 0x81f39510;
				E00007FF67FF681F4CC28(0x71cd00 | _t300 == 0x0000001d, _t519, _t523, 0x81f61490);
				goto 0x81f39c51;
				 *0x81f6234c = r13d;
				if (_t300 != 0x15) goto 0x81f39524;
				 *0x81f614ea =  *0x81f614ea + r13w;
				if ( *0x81f62580 == 0) goto 0x81f39546;
				r9d = 0;
				r8d = 0;
				SendMessageW(??, ??, ??, ??);
				r8d =  *0x81f62660;
				 *0x81f615a8 = 0x10000;
				if ((r8b & 0x00000002) != 0) goto 0x81f39578;
				E00007FF67FF681F3CF20(_t523, 0x81f62660, _t635 - 0x38, _t632, E00007FF67FF681F3BFE0);
				 *((long long*)(_t637 + 0x48)) =  *_t519;
				r8d = _t354;
				r9d = r8d;
				 *((intOrPtr*)(_t637 + 0x30)) = 3;
				r9d = r9d >> 9;
				_t510 = _t635 - 0x78;
				r8d = r8d >> 8;
				r9d = r9d & r13d;
				 *(_t637 + 0x28) = r13d;
				r8d = r8d & r13d;
				 *(_t635 - 0x78) = r12d;
				 *((char*)(_t635 - 0x74)) = 3;
				 *((long long*)(_t637 + 0x20)) = _t510;
				E00007FF67FF681F3DD74(_t300, 0x10d8158, _t523, 0x81f62668, _t632, _t635, _t658);
				asm("sbb ecx, ecx");
				asm("sbb ecx, ecx");
				 *0x81f615a8 =  *0x81f615a8 | r12d & 0xffffff00 |  *0x81f625a0 == r12b | (_t354 & 0x00100000) + 0x00040000 | (_t354 & 0x00100000) + 0x00040000 & 0x00000004;
				E00007FF67FF681F4CF00(r12d & 0xffffff00 |  *0x81f625a0 == r12b | (_t354 & 0x00100000) + 0x00040000 | (_t354 & 0x00100000) + 0x00040000 & 0x00000004, _t523, 0x81f62668);
				 *0x81f615b8 = _t675;
				 *0x81f615b0 = 0x81f62480;
				 *0x81f615c0 = 0x80;
				 *0x81f650c0();
				goto 0x81f39311;
				_t624 = _t635 + 0x40;
				GetClientRect(??, ??);
				if ( *0x81f62378 == r12d) goto 0x81f3967d;
				 *0x81f62378 = r12d;
				ShowWindow(??, ??);
				_t407 =  *((intOrPtr*)(_t635 + 0x4c)) -  *((intOrPtr*)(_t635 + 0x44));
				_t359 =  *((intOrPtr*)(_t635 + 0x48)) -  *((intOrPtr*)(_t635 + 0x40));
				E00007FF67FF681F37DB8(_t359,  *((intOrPtr*)(_t635 + 0x4c)) -  *((intOrPtr*)(_t635 + 0x44)), _t523);
				asm("out 0xff, eax");
				asm("invalid");
				_t625 = _t624 -  *((intOrPtr*)(_t635 + 0x44));
				_t360 = _t359 -  *((intOrPtr*)(_t635 + 0x40));
				_t471 = _t360;
				 *0x81f62378 = r13d;
				E00007FF67FF681F37DB8(_t360, _t407, _t523);
				asm("out 0xff, eax");
				asm("invalid");
				asm("sbb al, [eax]");
				 *((intOrPtr*)(_t510 - 0x75)) =  *((intOrPtr*)(_t510 - 0x75)) + _t360;
				ShowWindow(??, ??);
				 *0x81f62358 = r13d;
				goto 0x81f39c51;
				E00007FF67FF681F3E3A8(0, _t471, _t523, _t625, _t626, _t658, E00007FF67FF681F3BFE0);
				goto 0x81f39c51;
				r8d = 0;
				_t296 = SendMessageW(??, ??, ??, ??);
				 *_t510 =  *_t510 + _t296;
				r9d = 0;
				r8d = 0;
				SendMessageW(??, ??, ??, ??);
				 *0x81f614f0 =  *0x81f614f0 + r13w;
				r8d = 0x68;
				memset(??, ??, ??);
				GetDC(??);
				if (_t510 == 0) goto 0x81f39c51;
				 *((long long*)(_t635 - 0x28)) = _t632;
				 *(_t635 - 0x30) = 0x68;
				 *((long long*)(_t635 - 0x18)) = 0x81f61610;
				GetDeviceCaps(??, ??);
				r14d = 0x2d0;
				r8d = r14d;
				_t226 = MulDiv(??, ??, ??);
				 *((intOrPtr*)(_t635 - 0xc)) = 0x1010041;
				 *0x81f61610 =  ~_t226;
				 *((short*)(_t635 + 0x28)) = 0x2000;
				ReleaseDC(??, ??);
				__imp__SetThreadDpiAwarenessContext();
				_t301 =  *0x81f650c8();
				__imp__SetThreadDpiAwarenessContext();
				if (_t301 == 0) goto 0x81f39c51;
				SetCursor(??);
				__imp__GetDpiForWindow();
				r8d = r14d;
				 *0x81f61610 =  ~(MulDiv(??, ??, ??));
				CreateFontIndirectW(??);
				_t525 = _t510;
				if (_t510 == 0) goto 0x81f39881;
				DeleteObject(??);
				 *0x81f61608 = _t525;
				SendMessageW(??, ??, ??, ??);
				 *0x81f6067c =  *((intOrPtr*)(_t635 - 0x10));
				_t569 =  *0x81f61688; // 0x10005
				_t238 = SetCursor(??);
				 *0x81f62350 = r13d;
				goto 0x81f39c51;
				_t302 = _t301 - 0x22;
				_t476 = _t302;
				goto 0x81f398c5;
				if (_t476 == 0) goto 0x81f399e7;
				_t303 = _t302 - r13d;
				if (_t303 == 0) goto 0x81f39992;
				 *_t510 =  *_t510 + _t238;
				 *((intOrPtr*)(_t569 + 0x2b)) =  *((intOrPtr*)(_t569 + 0x2b)) + _t238;
				asm("fisttp qword [edi]");
				 *_t510 =  *_t510 + _t238;
				 *((intOrPtr*)(_t525 - 0x7bf0e315)) =  *((intOrPtr*)(_t525 - 0x7bf0e315)) + _t238;
				 *_t510 =  *_t510 + _t238;
				 *((intOrPtr*)(_t569 + 0x2b)) =  *((intOrPtr*)(_t569 + 0x2b)) + _t238;
				asm("fnsave [ebp+ebx+0x41]");
				if (_t303 != _t418) goto 0x81f39a76;
				 *(_t637 + 0x28) = r13d;
				r9d = 0;
				goto 0x81f39371;
				_t511 =  *0x81f61670; // 0x0
				 *((long long*)(_t635 - 0x58)) = _t511;
				_t512 =  *0x81f61678; // 0x0
				 *((long long*)(_t635 - 0x50)) = _t512;
				LoadIconW(??, ??);
				if (_t512 != 0) goto 0x81f3992b;
				_t305 = r12d + r13d;
				_t629 = _t635 - 0x58 + 8;
				if (_t305 - 2 < 0) goto 0x81f39903;
				_t513 = _t675;
				 *0x81f65118();
				 *(_t637 + 0x28) = r13d;
				r9d = 0;
				 *((long long*)(_t637 + 0x20)) = _t675;
				 *0x81f65110();
				E00007FF67FF681F507B0();
				goto 0x81f39c51;
				r9d = 0x64;
				r8d = 0x64;
				goto 0x81f39a44;
				SendMessageW(??, ??, ??, ??);
				if ( *(_t637 + 0x64) == 0) goto 0x81f399c4;
				if ( *(_t637 + 0x60) != 0) goto 0x81f399d2;
				_t337 = r13d;
				_t246 = r13d;
				 *(_t637 + 0x60) = _t337;
				 *(_t637 + 0x64) = _t246;
				_t339 =  >  ? _t246 * 0x64 / _t337 - 0xa : 0xa;
				goto 0x81f39a3b;
				SendMessageW(??, ??, ??, ??);
				if ( *(_t637 + 0x6c) == 0) goto 0x81f39a19;
				if ( *(_t637 + 0x68) != 0) goto 0x81f39a27;
				_t341 = r13d;
				_t252 = r13d;
				 *(_t637 + 0x68) = _t341;
				 *(_t637 + 0x6c) = _t252;
				_t255 = _t252 * 0x64 / _t341 + 0xa;
				_t343 =  <  ? _t255 : 0x1f4;
				r8d = 0x1f4;
				r9d = 0x64;
				SendMessageW(??, ??, ??, ??);
				E00007FF67FF681F3B660( <  ? _t255 : 0x1f4, _t525, _t629);
				goto 0x81f39c51;
				if (_t255 == 0x1f4) goto 0x81f39af3;
				if (_t305 - r14d == r13d) goto 0x81f39a7e;
				_t306 = r12d;
				goto 0x81f39c54;
				if (_t306 != 0x4e1) goto 0x81f39a8d;
				 *0x81f614e2 =  *0x81f614e2 + r13w;
				goto 0x81f39aa5;
				if (_t306 != r8w) goto 0x81f39a9d;
				 *0x81f614e4 =  *0x81f614e4 + r13w;
				goto 0x81f39aa5;
				 *0x81f614e8 =  *0x81f614e8 + r13w;
				 *(_t637 + 0x74) = r12d;
				 *(_t637 + 0x70) = r12d;
				SendMessageW(??, ??, ??, ??);
				if ( *(_t637 + 0x74) ==  *(_t637 + 0x70)) goto 0x81f39c51;
				_t514 =  !=  ? _t629 : _t513;
				_t630 =  !=  ? _t629 : _t513;
				if (0x68 != r14w) goto 0x81f39c1b;
				 *0x81f614e6 =  *0x81f614e6 + r13w;
				if ( *0x81f62348 != r12d) goto 0x81f39c1b;
				r8d = 0x1fa;
				0x81f54f24();
				_t261 = E00007FF67FF681F51808(0x150f, _t525, _t635 + 0x90,  !=  ? _t629 : _t513, 0x81f61610, _t673);
				if (_t261 < 0) goto 0x81f39c1b;
				if ( *((intOrPtr*)(_t635 + 0x90)) == r12w) goto 0x81f39c1b;
				 *(_t637 + 0x40) = r12b;
				 *((long long*)(_t635 - 0x60)) = _t635 + 0x90;
				 *((long long*)(_t637 + 0x48)) = _t675;
				 *((long long*)(_t635 + 0x68)) = _t675;
				__imp__WindowsCreateStringReference();
				if (_t261 < 0) goto 0x81f39c96;
				__imp__RoGetActivationFactory();
				 *((long long*)(_t635 + 0x68)) = _t675;
				if (_t261 < 0) goto 0x81f39be2;
				E00007FF67FF681F52274(_t261, _t635 + 0x90,  *((intOrPtr*)(_t637 + 0x48)), _t635 + 0x70, _t635 - 0x60);
				 *0x81f570f0();
				 *((long long*)(_t635 + 0x88)) = _t675;
				_t582 =  *((intOrPtr*)(_t637 + 0x48));
				if (_t582 == 0) goto 0x81f39c03;
				 *((long long*)(_t637 + 0x48)) = _t675;
				_t518 =  *((intOrPtr*)( *_t582 + 0x10));
				 *0x81f570f0();
				if (( *(_t637 + 0x40) & 0x000000ff) == 0) goto 0x81f39c13;
				E00007FF67FF681F3C540( *((intOrPtr*)(_t637 + 0x48)), _t635 + 0x90);
				 *0x81f614f6 =  *0x81f614f6 + r13w;
				GetFocus();
				if (_t518 ==  *0x81f62588) goto 0x81f39c3c;
				if (_t518 !=  *0x81f62598) goto 0x81f39c51;
				r9d = 0;
				r8d = 0;
				PostMessageW(??, ??, ??, ??);
				if ( *((intOrPtr*)(_t635 - 0x68)) == 0) goto 0x81f39c69;
				__imp__CoTaskMemFree();
				E00007FF67FF681F53F70();
				return r13d;
			}

0x7ff681f38dab
0x7ff681f38dab
0x7ff681f38dab
0x7ff681f38dab
0x7ff681f38dab
0x7ff681f38dab
0x7ff681f38dab
0x7ff681f38dab
0x7ff681f38dae
0x7ff681f38db0
0x7ff681f38db4
0x7ff681f38dba
0x7ff681f38dc3
0x7ff681f38dcc
0x7ff681f38dd5
0x7ff681f38dde
0x7ff681f38de3
0x7ff681f38de9
0x7ff681f38df6
0x7ff681f38e04
0x7ff681f38e07
0x7ff681f38e0f
0x7ff681f38e1b
0x7ff681f38e20
0x7ff681f38e2c
0x7ff681f38e38
0x7ff681f38e43
0x7ff681f38e45
0x7ff681f38e4a
0x7ff681f38e51
0x7ff681f38e66
0x7ff681f38e7d
0x7ff681f38e92
0x7ff681f38e97
0x7ff681f38e9f
0x7ff681f38ea6
0x7ff681f38ea8
0x7ff681f38eb3
0x7ff681f38eb8
0x7ff681f38ebd
0x7ff681f38ec2
0x7ff681f38ec7
0x7ff681f38ecc
0x7ff681f38ed4
0x7ff681f38edb
0x7ff681f38ee1
0x7ff681f38ee7
0x7ff681f38ee9
0x7ff681f38ef3
0x7ff681f38efd
0x7ff681f38eff
0x7ff681f38f04
0x7ff681f38f11
0x7ff681f38f13
0x7ff681f38f22
0x7ff681f38f2c
0x7ff681f38f30
0x7ff681f38f41
0x7ff681f38f49
0x7ff681f38f4c
0x7ff681f38f53
0x7ff681f38f5a
0x7ff681f38f68
0x7ff681f38f70
0x7ff681f38f73
0x7ff681f38f78
0x7ff681f38f7d
0x7ff681f38f84
0x7ff681f38f8a
0x7ff681f38f91
0x7ff681f38fa5
0x7ff681f38fb1
0x7ff681f38fbc
0x7ff681f38fc2
0x7ff681f38fce
0x7ff681f38fde
0x7ff681f38fe8
0x7ff681f38ff4
0x7ff681f38ff6
0x7ff681f38ff9
0x7ff681f39008
0x7ff681f39016
0x7ff681f3901b
0x7ff681f39020
0x7ff681f39027
0x7ff681f39034
0x7ff681f39036
0x7ff681f39042
0x7ff681f39049
0x7ff681f3904f
0x7ff681f39056
0x7ff681f3905a
0x7ff681f39060
0x7ff681f3906c
0x7ff681f39072
0x7ff681f39081
0x7ff681f39086
0x7ff681f3908f
0x7ff681f39096
0x7ff681f390a6
0x7ff681f390b6
0x7ff681f390bd
0x7ff681f390c0
0x7ff681f390ca
0x7ff681f390ce
0x7ff681f390ce
0x7ff681f390d2
0x7ff681f390da
0x7ff681f390ed
0x7ff681f390f3
0x7ff681f390f9
0x7ff681f39100
0x7ff681f39105
0x7ff681f3910f
0x7ff681f39114
0x7ff681f39120
0x7ff681f39125
0x7ff681f39130
0x7ff681f3913a
0x7ff681f39141
0x7ff681f39146
0x7ff681f39154
0x7ff681f39156
0x7ff681f39163
0x7ff681f39165
0x7ff681f3916c
0x7ff681f39172
0x7ff681f39180
0x7ff681f39194
0x7ff681f3919a
0x7ff681f391a6
0x7ff681f391ab
0x7ff681f391ab
0x7ff681f391b6
0x7ff681f391bb
0x7ff681f391c6
0x7ff681f391c8
0x7ff681f391cf
0x7ff681f391d8
0x7ff681f391e1
0x7ff681f391ea
0x7ff681f391f0
0x7ff681f391f3
0x7ff681f391fc
0x7ff681f39202
0x7ff681f39211
0x7ff681f3921b
0x7ff681f3921d
0x7ff681f39220
0x7ff681f39227
0x7ff681f39233
0x7ff681f3923a
0x7ff681f39248
0x7ff681f39255
0x7ff681f3925d
0x7ff681f39262
0x7ff681f39265
0x7ff681f39268
0x7ff681f39270
0x7ff681f39279
0x7ff681f39284
0x7ff681f39287
0x7ff681f3928c
0x7ff681f3928f
0x7ff681f39299
0x7ff681f3929e
0x7ff681f392a3
0x7ff681f392b6
0x7ff681f392c6
0x7ff681f392cd
0x7ff681f392d3
0x7ff681f392df
0x7ff681f392e9
0x7ff681f392f0
0x7ff681f392fe
0x7ff681f39305
0x7ff681f39311
0x7ff681f39318
0x7ff681f3931d
0x7ff681f3932a
0x7ff681f39333
0x7ff681f39338
0x7ff681f3933c
0x7ff681f3934c
0x7ff681f39354
0x7ff681f39359
0x7ff681f39369
0x7ff681f39373
0x7ff681f3937a
0x7ff681f3938b
0x7ff681f393a5
0x7ff681f393ad
0x7ff681f393b2
0x7ff681f393c1
0x7ff681f393c7
0x7ff681f393cd
0x7ff681f393d2
0x7ff681f393d7
0x7ff681f393da
0x7ff681f393e0
0x7ff681f393eb
0x7ff681f393f4
0x7ff681f393fd
0x7ff681f39403
0x7ff681f39403
0x7ff681f39406
0x7ff681f3940c
0x7ff681f3940f
0x7ff681f39418
0x7ff681f39426
0x7ff681f3942e
0x7ff681f3943b
0x7ff681f39447
0x7ff681f39451
0x7ff681f39457
0x7ff681f39459
0x7ff681f39460
0x7ff681f39474
0x7ff681f39480
0x7ff681f3948b
0x7ff681f39498
0x7ff681f394a0
0x7ff681f394a5
0x7ff681f394a8
0x7ff681f394ab
0x7ff681f394b3
0x7ff681f394b7
0x7ff681f394bb
0x7ff681f394c6
0x7ff681f394c9
0x7ff681f394ce
0x7ff681f394d1
0x7ff681f394da
0x7ff681f394de
0x7ff681f394e3
0x7ff681f394e8
0x7ff681f394f4
0x7ff681f394fe
0x7ff681f39506
0x7ff681f3950b
0x7ff681f39510
0x7ff681f3951a
0x7ff681f3951c
0x7ff681f3952e
0x7ff681f39530
0x7ff681f39533
0x7ff681f3953a
0x7ff681f39546
0x7ff681f3954d
0x7ff681f3955b
0x7ff681f39568
0x7ff681f39570
0x7ff681f39575
0x7ff681f39578
0x7ff681f3957b
0x7ff681f39583
0x7ff681f39587
0x7ff681f3958b
0x7ff681f39596
0x7ff681f39599
0x7ff681f3959e
0x7ff681f395a1
0x7ff681f395aa
0x7ff681f395ae
0x7ff681f395b3
0x7ff681f395d3
0x7ff681f395e5
0x7ff681f395ec
0x7ff681f395f2
0x7ff681f395fe
0x7ff681f39605
0x7ff681f39613
0x7ff681f3961d
0x7ff681f39629
0x7ff681f39635
0x7ff681f39639
0x7ff681f3964c
0x7ff681f39657
0x7ff681f3965e
0x7ff681f39670
0x7ff681f39673
0x7ff681f39676
0x7ff681f39678
0x7ff681f3967a
0x7ff681f39681
0x7ff681f39686
0x7ff681f39686
0x7ff681f39689
0x7ff681f39690
0x7ff681f39692
0x7ff681f39694
0x7ff681f39697
0x7ff681f39699
0x7ff681f396a6
0x7ff681f396b2
0x7ff681f396b9
0x7ff681f396c0
0x7ff681f396c5
0x7ff681f396d5
0x7ff681f396dd
0x7ff681f396ec
0x7ff681f396f5
0x7ff681f396f8
0x7ff681f396fb
0x7ff681f3970c
0x7ff681f3971f
0x7ff681f39722
0x7ff681f39729
0x7ff681f3973b
0x7ff681f39741
0x7ff681f3974f
0x7ff681f39755
0x7ff681f39759
0x7ff681f3976b
0x7ff681f39771
0x7ff681f39776
0x7ff681f39785
0x7ff681f39790
0x7ff681f3979b
0x7ff681f3979f
0x7ff681f397af
0x7ff681f397d1
0x7ff681f397d3
0x7ff681f397e1
0x7ff681f397ee
0x7ff681f39801
0x7ff681f39810
0x7ff681f39826
0x7ff681f3982c
0x7ff681f39838
0x7ff681f3983e
0x7ff681f39847
0x7ff681f39860
0x7ff681f3986c
0x7ff681f3987b
0x7ff681f39881
0x7ff681f39888
0x7ff681f39894
0x7ff681f3989b
0x7ff681f398a0
0x7ff681f398a0
0x7ff681f398a1
0x7ff681f398a3
0x7ff681f398a9
0x7ff681f398ac
0x7ff681f398af
0x7ff681f398b1
0x7ff681f398b4
0x7ff681f398b8
0x7ff681f398ba
0x7ff681f398c1
0x7ff681f398c3
0x7ff681f398c6
0x7ff681f398cc
0x7ff681f398d2
0x7ff681f398de
0x7ff681f398e1
0x7ff681f398e6
0x7ff681f398f1
0x7ff681f398f8
0x7ff681f398ff
0x7ff681f3990b
0x7ff681f3991a
0x7ff681f3991c
0x7ff681f3991f
0x7ff681f39926
0x7ff681f39928
0x7ff681f39943
0x7ff681f39954
0x7ff681f39960
0x7ff681f39963
0x7ff681f3996c
0x7ff681f39978
0x7ff681f3997d
0x7ff681f39987
0x7ff681f3998a
0x7ff681f3998d
0x7ff681f399a8
0x7ff681f399ba
0x7ff681f399c2
0x7ff681f399c4
0x7ff681f399c7
0x7ff681f399ca
0x7ff681f399ce
0x7ff681f399e2
0x7ff681f399e5
0x7ff681f399fd
0x7ff681f39a0f
0x7ff681f39a17
0x7ff681f39a19
0x7ff681f39a1c
0x7ff681f39a1f
0x7ff681f39a23
0x7ff681f39a33
0x7ff681f39a38
0x7ff681f39a3b
0x7ff681f39a3e
0x7ff681f39a50
0x7ff681f39a5c
0x7ff681f39a61
0x7ff681f39a6b
0x7ff681f39a74
0x7ff681f39a76
0x7ff681f39a79
0x7ff681f39a81
0x7ff681f39a83
0x7ff681f39a8b
0x7ff681f39a91
0x7ff681f39a93
0x7ff681f39a9b
0x7ff681f39a9d
0x7ff681f39ab6
0x7ff681f39ac0
0x7ff681f39ac5
0x7ff681f39ad9
0x7ff681f39aec
0x7ff681f39af0
0x7ff681f39af7
0x7ff681f39afd
0x7ff681f39b0c
0x7ff681f39b1b
0x7ff681f39b21
0x7ff681f39b2d
0x7ff681f39b34
0x7ff681f39b42
0x7ff681f39b4f
0x7ff681f39b58
0x7ff681f39b60
0x7ff681f39b6a
0x7ff681f39b75
0x7ff681f39b83
0x7ff681f39b99
0x7ff681f39ba5
0x7ff681f39bab
0x7ff681f39bba
0x7ff681f39bd5
0x7ff681f39bdb
0x7ff681f39be2
0x7ff681f39bef
0x7ff681f39bf1
0x7ff681f39bf9
0x7ff681f39bfd
0x7ff681f39c05
0x7ff681f39c0e
0x7ff681f39c13
0x7ff681f39c1b
0x7ff681f39c31
0x7ff681f39c3a
0x7ff681f39c3f
0x7ff681f39c42
0x7ff681f39c45
0x7ff681f39c5b
0x7ff681f39c5d
0x7ff681f39c75
0x7ff681f39c94

APIs

SetThreadDpiAwarenessContext.USER32 ref: 00007FF681F38DF6

Part of subcall function 00007FF681F4EA3C: SetCursor.USER32 ref: 00007FF681F4EA60
Part of subcall function 00007FF681F4EA3C: SetCursor.USER32 ref: 00007FF681F4EA94

SetThreadDpiAwarenessContext.USER32 ref: 00007FF681F38E0F
MessageBoxW.USER32 ref: 00007FF681F38FA5
CoTaskMemFree.API-MS-WIN-CORE-COM-L1-1-0 ref: 00007FF681F39036
CreateFileW.KERNEL32 ref: 00007FF681F390DA
MessageBoxW.USER32 ref: 00007FF681F39180
CoTaskMemFree.API-MS-WIN-CORE-COM-L1-1-0 ref: 00007FF681F3919A
CoTaskMemFree.API-MS-WIN-CORE-COM-L1-1-0 ref: 00007FF681F39C5D

Strings

*.txt, xrefs: 00007FF681F38F22

Memory Dump Source

Source File: 00000000.00000002.242166859.00007FF681F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF681F30000, based on PE: true

Associated: 00000000.00000002.242162264.00007FF681F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242186922.00007FF681F56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242194386.00007FF681F60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242238373.00007FF681F63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff681f30000_bHLOVVmF1t.jbxd

Similarity

API ID: FreeTask$AwarenessContextCursorMessageThread$CreateFile
String ID: *.txt
API String ID: 1452784593-4006125282
Opcode ID: 58cd2408820ae76065b3722be9b7c388aedd0eefd1c0f73dbc78f1615b8a092d
Instruction ID: e209d8a71734221cbdf6a76b6e8f99bf0f315959f7a2beafa6ce7b293362b562
Opcode Fuzzy Hash: 58cd2408820ae76065b3722be9b7c388aedd0eefd1c0f73dbc78f1615b8a092d
Instruction Fuzzy Hash: 5AC16866E0CA47C6FB109BA1A8501BA77E0BF84794F44413EDA0EC36A5DF3DE846C702

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF681F39FB4 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 168
COMMON

Download Yara Rule

C-Code - Quality: 34%

			E00007FF67FF681F39FB4(void* __ecx, void* __edx, void* __eflags, long long __rbx, void* __rcx, void* __rdx, long long __rdi, long long __rsi, void* __r8, void* __r9, long long __r12) {
				void* __rbp;
				void* _t40;
				void* _t41;
				intOrPtr _t51;
				long _t54;
				long _t62;
				intOrPtr _t64;
				intOrPtr _t67;
				void* _t96;
				signed long long _t97;
				void* _t108;
				long long _t131;
				int _t135;
				void* _t138;
				signed long long _t139;
				void* _t141;
				void* _t147;
				int _t151;
				void* _t154;

				_t141 = __r8;
				_t133 = __rsi;
				_t131 = __rdi;
				_t102 = __rbx;
				_t96 = _t138;
				 *((long long*)(_t96 + 8)) = __rbx;
				 *((long long*)(_t96 + 0x10)) = __rsi;
				 *((long long*)(_t96 + 0x18)) = __rdi;
				 *((long long*)(_t96 + 0x20)) = __r12;
				_t139 = _t138 - 0x250;
				_t97 =  *0x81f60470; // 0xbba9a5b3aaf9
				 *(_t96 - 0x168 + 0x140) = _t97 ^ _t139;
				if (E00007FF67FF681F39F54(_t97 ^ _t139, __r9) != 0) goto 0x81f39ffe;
				goto 0x81f3a257;
				_t106 =  !=  ?  *0x81f60658 :  *0x81f620e0;
				 *0x81f62360 = 1;
				_t40 = E00007FF67FF681F39DF0(__rbx,  !=  ?  *0x81f60658 :  *0x81f620e0);
				 *0x81f62360 = 0;
				r12d = _t40;
				if (_t40 != 6) goto 0x81f3a24d;
				_t67 =  *0x81f60678; // 0x1
				r15d = 1;
				if (_t67 != 0) goto 0x81f3a077;
				_t64 =  *0x81f615e4; // 0x0
				r9d = 0;
				 *0x81f615e0 = _t64;
				r8d = 0;
				_t41 = E00007FF67FF681F3E730(0, _t102, 0x81f620e0, __rdi, __rsi, _t141, __r9, _t147);
				r15d = 0;
				r15b = _t41 == 0;
				if (_t41 != 0) goto 0x81f3a246;
				 *((long long*)(_t139 + 0x28)) = _t131;
				_t108 =  ==  ?  *0x81f620e0 : L"*.txt";
				__imp__SHStrDupW();
				if (_t41 < 0) goto 0x81f3a1f7;
				if (r15d == 0) goto 0x81f3a1f7;
				 *(_t139 + 0x30) = _t131;
				 *((long long*)(_t139 + 0x20)) = _t131;
				if (E00007FF67FF681F38A60(_t41, _t64, _t102,  *0x81f62598,  *((intOrPtr*)(_t139 + 0x28)), _t131, _t133, _t139 + 0x20, _t139 + 0x30) < 0) goto 0x81f3a1bd;
				r8d = 0x1fa;
				memset(_t154, _t151, _t135);
				if ( *(_t139 + 0x30) == 0) goto 0x81f3a11c;
				if (E00007FF67FF681F51688( *(_t139 + 0x30), _t139 + 0x40, _t147) < 0) goto 0x81f3a119;
				if ( *(_t139 + 0x40) != 0) goto 0x81f3a11c;
				r8b = sil;
				asm("dec ebp");
				if (E00007FF67FF681F3E730(0, _t102, _t139 + 0x20, _t131, _t133, _t139 + 0x20, _t139 + 0x00000030 & _t139 + 0x00000040, _t147) == 0) goto 0x81f3a161;
				E00007FF67FF681F3C6A8(_t102, 0x81f620e0, _t139 + 0x20, _t131, _t133, _t96 - 0x168);
				_t51 =  *0x81f615e0; // 0x0
				r15d = 0;
				 *0x81f615e4 = _t51;
				E00007FF67FF681F3B83C(_t102, _t131, _t139 + 0x20);
				goto 0x81f3a1bd;
				E00007FF67FF681F3FDAC( *((intOrPtr*)(_t139 + 0x20)));
				if ( *((intOrPtr*)(_t139 + 0x28)) == 0) goto 0x81f3a1a0;
				_t54 = GetLastError();
				__imp__CoTaskMemFree();
				SetLastError(??);
				 *((long long*)(_t139 + 0x28)) = _t131;
				__imp__SHStrDupW();
				_t62 = _t54;
				if ( *((intOrPtr*)(_t139 + 0x20)) == 0) goto 0x81f3a1d3;
				__imp__CoTaskMemFree();
				if ( *(_t139 + 0x30) == 0) goto 0x81f3a1ef;
				 *(_t139 + 0x30) = _t131;
				 *0x81f570f0();
				if (_t62 >= 0) goto 0x81f3a0a8;
				if ( *((intOrPtr*)(_t139 + 0x28)) == 0) goto 0x81f3a20d;
				__imp__CoTaskMemFree();
				if (_t62 >= 0) goto 0x81f3a246;
				r12d = 2;
				if (_t62 != 0x8007000e) goto 0x81f3a246;
				r9d = 0x1010;
				MessageBoxW(??, ??, ??, ??);
				 *0x81f614da =  *0x81f614da + 1;
				dil = r12d != 2;
				E00007FF67FF681F53F70();
				return 0;
			}

0x7ff681f39fb4
0x7ff681f39fb4
0x7ff681f39fb4
0x7ff681f39fb4
0x7ff681f39fb4
0x7ff681f39fb7
0x7ff681f39fbb
0x7ff681f39fbf
0x7ff681f39fc3
0x7ff681f39fd3
0x7ff681f39fda
0x7ff681f39fe4
0x7ff681f39ff4
0x7ff681f39ff9
0x7ff681f3a010
0x7ff681f3a018
0x7ff681f3a01e
0x7ff681f3a023
0x7ff681f3a029
0x7ff681f3a02f
0x7ff681f3a035
0x7ff681f3a03b
0x7ff681f3a040
0x7ff681f3a042
0x7ff681f3a04f
0x7ff681f3a052
0x7ff681f3a058
0x7ff681f3a05b
0x7ff681f3a062
0x7ff681f3a065
0x7ff681f3a06b
0x7ff681f3a079
0x7ff681f3a085
0x7ff681f3a092
0x7ff681f3a0a2
0x7ff681f3a0ab
0x7ff681f3a0c7
0x7ff681f3a0cc
0x7ff681f3a0da
0x7ff681f3a0e7
0x7ff681f3a0ed
0x7ff681f3a0fd
0x7ff681f3a10d
0x7ff681f3a117
0x7ff681f3a128
0x7ff681f3a12b
0x7ff681f3a138
0x7ff681f3a146
0x7ff681f3a14b
0x7ff681f3a151
0x7ff681f3a154
0x7ff681f3a15a
0x7ff681f3a15f
0x7ff681f3a166
0x7ff681f3a173
0x7ff681f3a175
0x7ff681f3a186
0x7ff681f3a194
0x7ff681f3a1aa
0x7ff681f3a1af
0x7ff681f3a1bb
0x7ff681f3a1c5
0x7ff681f3a1c7
0x7ff681f3a1db
0x7ff681f3a1dd
0x7ff681f3a1e9
0x7ff681f3a1f1
0x7ff681f3a1ff
0x7ff681f3a201
0x7ff681f3a20f
0x7ff681f3a211
0x7ff681f3a21d
0x7ff681f3a226
0x7ff681f3a23a
0x7ff681f3a246
0x7ff681f3a251
0x7ff681f3a261
0x7ff681f3a286

APIs

Part of subcall function 00007FF681F39F54: SendMessageW.USER32(?,?,?,?,00007FF681F39FF0), ref: 00007FF681F39F72
Part of subcall function 00007FF681F39F54: SendMessageW.USER32(?,?,?,?,00007FF681F39FF0), ref: 00007FF681F39F95

SHStrDupW.API-MS-WIN-SHCORE-OBSOLETE-L1-1-0 ref: 00007FF681F3A092
memset.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF681F3A0ED
CoTaskMemFree.API-MS-WIN-CORE-COM-L1-1-0 ref: 00007FF681F3A1C7
CoTaskMemFree.API-MS-WIN-CORE-COM-L1-1-0 ref: 00007FF681F3A201

Strings

*.txt, xrefs: 00007FF681F3A07E

Memory Dump Source

Source File: 00000000.00000002.242166859.00007FF681F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF681F30000, based on PE: true

Associated: 00000000.00000002.242162264.00007FF681F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242186922.00007FF681F56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242194386.00007FF681F60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242238373.00007FF681F63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff681f30000_bHLOVVmF1t.jbxd

Similarity

API ID: FreeMessageSendTask$memset
String ID: *.txt
API String ID: 3126664776-4006125282
Opcode ID: 26e3368a3790bb51e01a8b905038fa56fdc94211e07daa8ae71939928cf8bd43
Instruction ID: f696a9ba52f21df3d4c90b20c118a6f67e3331938b2684100325867ba2a495da
Opcode Fuzzy Hash: 26e3368a3790bb51e01a8b905038fa56fdc94211e07daa8ae71939928cf8bd43
Instruction Fuzzy Hash: BB717032A08A46C6EB209F52E8505B977E0FF89B84F449139DA4EC3765DF3DE546CB00

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF681F51A94 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 141COMMON

Download Yara Rule

APIs

WindowsDeleteString.API-MS-WIN-CORE-WINRT-STRING-L1-1-0 ref: 00007FF681F51AE4
WindowsDeleteString.API-MS-WIN-CORE-WINRT-STRING-L1-1-0 ref: 00007FF681F51AFE
WindowsCreateString.API-MS-WIN-CORE-WINRT-STRING-L1-1-0 ref: 00007FF681F51B17
WindowsDeleteString.API-MS-WIN-CORE-WINRT-STRING-L1-1-0 ref: 00007FF681F51B7E
WindowsCreateStringReference.API-MS-WIN-CORE-WINRT-STRING-L1-1-0 ref: 00007FF681F51BA6
RoGetActivationFactory.API-MS-WIN-CORE-WINRT-L1-1-0 ref: 00007FF681F51BE2
WindowsDeleteString.API-MS-WIN-CORE-WINRT-STRING-L1-1-0 ref: 00007FF681F51C71

Strings

Windows.Security.EnterpriseData.ProtectionPolicyManager, xrefs: 00007FF681F51B9F
shell\osshell\accesory\common\edpapphelper\edpapphelper.cpp, xrefs: 00007FF681F51B2D, 00007FF681F51BFC

Memory Dump Source

Source File: 00000000.00000002.242166859.00007FF681F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF681F30000, based on PE: true

Associated: 00000000.00000002.242162264.00007FF681F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242186922.00007FF681F56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242194386.00007FF681F60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242238373.00007FF681F63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff681f30000_bHLOVVmF1t.jbxd

Similarity

API ID: StringWindows$Delete$Create$ActivationFactoryReference
String ID: Windows.Security.EnterpriseData.ProtectionPolicyManager$shell\osshell\accesory\common\edpapphelper\edpapphelper.cpp
API String ID: 3735519776-1088074545
Opcode ID: c0240f44373326b59471d2ece10b277895bec627ccfacca5a38ea797b2473314
Instruction ID: 125dff76f6b9c07ca55981005eda4b9647b72b17662e07f6f73cceb03e26cb0c
Opcode Fuzzy Hash: c0240f44373326b59471d2ece10b277895bec627ccfacca5a38ea797b2473314
Instruction Fuzzy Hash: 4B512D36B08A56C9EB008B65E8501EC77F5FF48B98B59813ADE1E97754DF38E446C340

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF681F32948 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 96synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32 ref: 00007FF681F3295A

Strings

wil, xrefs: 00007FF681F32975, 00007FF681F32AA5

Memory Dump Source

Source File: 00000000.00000002.242166859.00007FF681F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF681F30000, based on PE: true

Associated: 00000000.00000002.242162264.00007FF681F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242186922.00007FF681F56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242194386.00007FF681F60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242238373.00007FF681F63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff681f30000_bHLOVVmF1t.jbxd

Similarity

API ID: ObjectSingleWait
String ID: wil
API String ID: 24740636-1589926490
Opcode ID: f945c3dbab8e48bd20b55b1e18601c03cb6953976220a55848bfa18f3196f67d
Instruction ID: 86cd77db75c1a6c2ca0caaebffdfdb8dcbae98e2827e252103538c633f411be3
Opcode Fuzzy Hash: f945c3dbab8e48bd20b55b1e18601c03cb6953976220a55848bfa18f3196f67d
Instruction Fuzzy Hash: 7F41F921A08542C7FB608B15A4003BA7AE1FF857A1F64C139DA5EC7A94DF3DE847D602

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF681F4D528 Relevance: 15.1, APIs: 10, Instructions: 112COMMON

Download Yara Rule

APIs

wcsnlen.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF681F4D5A5
TextOutW.GDI32 ref: 00007FF681F4D5C8
wcsnlen.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF681F4D5EF
GetTextExtentPoint32W.GDI32 ref: 00007FF681F4D609
wcsnlen.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF681F4D63F
TextOutW.GDI32 ref: 00007FF681F4D65A
wcsnlen.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF681F4D67D
GetTextExtentPoint32W.GDI32 ref: 00007FF681F4D697
wcsnlen.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF681F4D6B9
TextOutW.GDI32 ref: 00007FF681F4D6D4

Memory Dump Source

Source File: 00000000.00000002.242166859.00007FF681F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF681F30000, based on PE: true

Associated: 00000000.00000002.242162264.00007FF681F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242186922.00007FF681F56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242194386.00007FF681F60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242238373.00007FF681F63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff681f30000_bHLOVVmF1t.jbxd

Similarity

API ID: Textwcsnlen$ExtentPoint32
String ID:
API String ID: 4145614311-0
Opcode ID: b6b6a5c7873fcae2a294a1afc06505db794e3dfaadc64c96db393d280417fd64
Instruction ID: 70a8c8697f63dfa177cfecb3bfb6525ac2c7607577bbdca943b11a99ccab0042
Opcode Fuzzy Hash: b6b6a5c7873fcae2a294a1afc06505db794e3dfaadc64c96db393d280417fd64
Instruction Fuzzy Hash: 4551E875A08A46CBE710DF65A9441A9BBE1FF89B85F448139EA0EC3B64CF3CE545CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF681F3FBEC Relevance: 15.1, APIs: 10, Instructions: 94
windowmemoryCOMMON

Download Yara Rule

C-Code - Quality: 28%

			E00007FF67FF681F3FBEC(void* __ecx, void* __edx, void* __eflags, short* __rax, long long __rbx, void* __rcx, void* __rdx, long long __rsi, long long __rbp, void* __r8, void* __r9, void* __r12, long long _a8, long long _a16, long long _a24) {
				void* __rdi;
				void* _t8;
				intOrPtr _t18;
				void* _t21;
				void* _t25;
				void* _t39;
				short* _t49;
				long long _t58;
				void* _t65;
				void* _t74;
				void* _t78;

				_t74 = __r8;
				_t50 = __rbx;
				_t49 = __rax;
				_a8 = __rbx;
				_a16 = __rbp;
				_a24 = __rsi;
				_t25 = __ecx;
				_t8 = E00007FF67FF681F39FB4(__ecx, __edx, __eflags, __rbx, __rcx, __rdx, _t65, __rsi, __r8, __r9, __r12);
				_t39 = _t8;
				if (_t25 == 0) goto 0x81f3fc17;
				if (_t8 == 0) goto 0x81f3fd8e;
				r8d = 0;
				SendMessageW(??, ??, ??, ??);
				 *0x81f60678 = 1;
				if ( *0x81f620e0 == 0) goto 0x81f3fc79;
				GetLastError();
				__imp__CoTaskMemFree();
				SetLastError(??);
				 *0x81f620e0 = __rbp;
				E00007FF67FF681F3B83C(_t50, _t65, _t74);
				r9d = 0;
				r8d = 0;
				SendMessageW(??, ??, ??, ??);
				r9d = r9d ^ r9d;
				r8d = 0;
				SendMessageW(??, ??, ??, ??);
				r8d = 2;
				LocalReAlloc(??, ??, ??);
				_t58 =  *0x81f61690; // 0x0
				_t59 =  !=  ? _t49 : _t58;
				 *0x81f61690 =  !=  ? _t49 : _t58;
				LocalLock(??);
				if (_t49 == 0) goto 0x81f3fd05;
				 *_t49 = 0;
				LocalUnlock(??);
				r9d = r9d ^ r9d;
				SendMessageW(??, ??, ??, ??);
				_t18 =  *0x81f615e8; // 0x0
				 *0x81f615e4 = _t18;
				E00007FF67FF681F3B130(_t39, _t50, _t65,  *0x81f620e0, 0x81f57b40);
				E00007FF67FF681F3C5C0(0, _t50);
				if (_t39 == 0) goto 0x81f3fd8e;
				_t21 = E00007FF67FF681F3EFB4();
				r9d =  *0x81f62378;
				r8d =  *0x81f6236c;
				E00007FF67FF681F5021C(_t21, _t50, 0x81f614d8, _t78);
				return E00007FF67FF681F5053C(E00007FF67FF681F3ACE4(_t49), _t50);
			}

0x7ff681f3fbec
0x7ff681f3fbec
0x7ff681f3fbec
0x7ff681f3fbec
0x7ff681f3fbf1
0x7ff681f3fbf6
0x7ff681f3fc00
0x7ff681f3fc02
0x7ff681f3fc09
0x7ff681f3fc0d
0x7ff681f3fc11
0x7ff681f3fc25
0x7ff681f3fc2c
0x7ff681f3fc3f
0x7ff681f3fc4c
0x7ff681f3fc4e
0x7ff681f3fc5f
0x7ff681f3fc6d
0x7ff681f3fc79
0x7ff681f3fc80
0x7ff681f3fc8c
0x7ff681f3fc8f
0x7ff681f3fc97
0x7ff681f3fcaa
0x7ff681f3fcad
0x7ff681f3fcb5
0x7ff681f3fccd
0x7ff681f3fcd0
0x7ff681f3fcdc
0x7ff681f3fce6
0x7ff681f3fcea
0x7ff681f3fcf1
0x7ff681f3fd00
0x7ff681f3fd02
0x7ff681f3fd0c
0x7ff681f3fd1f
0x7ff681f3fd2e
0x7ff681f3fd3a
0x7ff681f3fd40
0x7ff681f3fd46
0x7ff681f3fd4d
0x7ff681f3fd54
0x7ff681f3fd69
0x7ff681f3fd6e
0x7ff681f3fd78
0x7ff681f3fd7d
0x7ff681f3fda2

APIs

SendMessageW.USER32 ref: 00007FF681F3FC2C
GetLastError.KERNEL32 ref: 00007FF681F3FC4E
CoTaskMemFree.API-MS-WIN-CORE-COM-L1-1-0 ref: 00007FF681F3FC5F
SetLastError.KERNEL32 ref: 00007FF681F3FC6D
SendMessageW.USER32 ref: 00007FF681F3FC97
SendMessageW.USER32 ref: 00007FF681F3FCB5
LocalReAlloc.KERNEL32 ref: 00007FF681F3FCD0
LocalLock.KERNEL32 ref: 00007FF681F3FCF1
LocalUnlock.KERNEL32 ref: 00007FF681F3FD0C
SendMessageW.USER32 ref: 00007FF681F3FD2E

Memory Dump Source

Source File: 00000000.00000002.242166859.00007FF681F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF681F30000, based on PE: true

Associated: 00000000.00000002.242162264.00007FF681F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242186922.00007FF681F56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242194386.00007FF681F60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242238373.00007FF681F63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff681f30000_bHLOVVmF1t.jbxd

Similarity

API ID: MessageSend$Local$ErrorLast$AllocFreeLockTaskUnlock
String ID:
API String ID: 1218993353-0
Opcode ID: 24b01ed9cf3984f9a77b69c2e45d0be82da2c8a34d6d744a386ab6d509a37895
Instruction ID: 62d1178fd63278abf0acec53e07ab6fa8f6e370fbaa57be87d08c4f51d50bd75
Opcode Fuzzy Hash: 24b01ed9cf3984f9a77b69c2e45d0be82da2c8a34d6d744a386ab6d509a37895
Instruction Fuzzy Hash: EA41E035A08A56C6E7109B61B8646B97BE0FFC9B90F489439DA0E83765CF3DE845CB01

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF681F52630 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 130COMMON

Download Yara Rule

APIs

WindowsDeleteString.API-MS-WIN-CORE-WINRT-STRING-L1-1-0 ref: 00007FF681F526DA
WindowsGetStringRawBuffer.API-MS-WIN-CORE-WINRT-STRING-L1-1-0 ref: 00007FF681F52710
WindowsGetStringRawBuffer.API-MS-WIN-CORE-WINRT-STRING-L1-1-0 ref: 00007FF681F52725
CompareStringOrdinal.API-MS-WIN-CORE-STRING-L1-1-0 ref: 00007FF681F52746
WindowsDeleteString.API-MS-WIN-CORE-WINRT-STRING-L1-1-0 ref: 00007FF681F5275B
WindowsDeleteString.API-MS-WIN-CORE-WINRT-STRING-L1-1-0 ref: 00007FF681F527BB
WindowsDeleteString.API-MS-WIN-CORE-WINRT-STRING-L1-1-0 ref: 00007FF681F52806

Strings

shell\osshell\accesory\common\edpapphelper\edpapphelper.cpp, xrefs: 00007FF681F5266F, 00007FF681F527EE

Memory Dump Source

Source File: 00000000.00000002.242166859.00007FF681F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF681F30000, based on PE: true

Associated: 00000000.00000002.242162264.00007FF681F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242186922.00007FF681F56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242194386.00007FF681F60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242238373.00007FF681F63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff681f30000_bHLOVVmF1t.jbxd

Similarity

API ID: String$Windows$Delete$Buffer$CompareOrdinal
String ID: shell\osshell\accesory\common\edpapphelper\edpapphelper.cpp
API String ID: 3050908022-1113416246
Opcode ID: ef14974cddbe88d2e638513ad2aa62d0ca9b2c1547528d0622758460c9cbb472
Instruction ID: ca7332b306bd5f08c59e4885e80bcca617391fe2cf2ba04fe7fb640355ca1b51
Opcode Fuzzy Hash: ef14974cddbe88d2e638513ad2aa62d0ca9b2c1547528d0622758460c9cbb472
Instruction Fuzzy Hash: 93512C36604B86CBEB548F25E8905B877E0FF88B98B549139EE0E97764DF38D445C340

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF681F3276C Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 127
COMMON

Download Yara Rule

C-Code - Quality: 31%

			E00007FF67FF681F3276C(signed int __ebx, void* __ebp, long long __rbx, signed long long* __rcx, void* __rdx, long long __rbp, unsigned int __r8, void* __r10, long long _a16, long long _a32) {
				void* _v0;
				void* _v40;
				signed long long _v56;
				char _v584;
				intOrPtr _v592;
				signed int _v600;
				signed int _t33;
				void* _t37;
				signed long long _t62;
				signed long long _t63;
				void* _t87;
				void* _t99;

				_t33 = __ebx;
				_a16 = __rbx;
				_a32 = __rbp;
				_t62 =  *0x81f60470; // 0xbba9a5b3aaf9
				_t63 = _t62 ^ _t87 - 0x00000250;
				_v56 = _t63;
				if ((r8b & 0x00000003) != 0) goto 0x81f3293a;
				r12d = 0x104;
				_t6 =  &_v584; // 0x134
				E00007FF67FF681F316FC(__r8 >> 2, _t6, __rdx, __rdx, __r10);
				_t7 =  &_v584; // 0x134
				E00007FF67FF681F31788(__r8 >> 2, _t7, __rdx, L"_p0");
				_v592 = 0x1f0003;
				r14d = 1;
				r8d = r14d;
				r8d =  >  ? _t33 & 0x7fffffff : r8d;
				_v600 = _v600 & 0x00000000;
				__imp__CreateSemaphoreExW();
				if (_t63 == 0) goto 0x81f3284c;
				if ( *__rcx == 0) goto 0x81f32845;
				GetLastError();
				0x81f3267c();
				SetLastError(??);
				 *__rcx = _t63;
				goto 0x81f32853;
				_t37 = E00007FF67FF681F31EFC();
				if (_t37 >= 0) goto 0x81f32878;
				r9d = _t37;
				E00007FF67FF681F325BC();
				goto 0x81f3290b;
				_t13 =  &_v584; // 0x134
				E00007FF67FF681F31788(__r8 >> 2, _t13, _t99, "h");
				_v592 = 0x1f0003;
				r14d =  !=  ? __ebp : r14d;
				_v600 = _v600 & 0x00000000;
				r8d = r14d;
				__imp__CreateSemaphoreExW();
				if (_t63 == 0) goto 0x81f328f4;
				if (__rcx[1] == 0) goto 0x81f328ec;
				GetLastError();
				0x81f3267c();
				SetLastError(??);
				__rcx[1] = _t63;
				goto 0x81f328fb;
				if (E00007FF67FF681F31EFC() >= 0) goto 0x81f32909;
				goto 0x81f3285c;
				E00007FF67FF681F53F70();
				return 0;
			}

0x7ff681f3276c
0x7ff681f3276c
0x7ff681f32771
0x7ff681f32785
0x7ff681f3278c
0x7ff681f3278f
0x7ff681f327a1
0x7ff681f327ae
0x7ff681f327b4
0x7ff681f327bc
0x7ff681f327cb
0x7ff681f327d0
0x7ff681f327d8
0x7ff681f327ef
0x7ff681f327f5
0x7ff681f327fa
0x7ff681f327fe
0x7ff681f32805
0x7ff681f32817
0x7ff681f3281f
0x7ff681f32821
0x7ff681f32832
0x7ff681f32839
0x7ff681f32845
0x7ff681f3284a
0x7ff681f32851
0x7ff681f32855
0x7ff681f3286b
0x7ff681f3286e
0x7ff681f32873
0x7ff681f32882
0x7ff681f32887
0x7ff681f3288e
0x7ff681f3289d
0x7ff681f328a1
0x7ff681f328a6
0x7ff681f328ab
0x7ff681f328bd
0x7ff681f328c6
0x7ff681f328c8
0x7ff681f328d9
0x7ff681f328e0
0x7ff681f328ec
0x7ff681f328f2
0x7ff681f328fd
0x7ff681f32904
0x7ff681f32918
0x7ff681f32938

APIs

CreateSemaphoreExW.KERNEL32 ref: 00007FF681F32805
GetLastError.KERNEL32 ref: 00007FF681F32821

Part of subcall function 00007FF681F326B0: FindCloseChangeNotification.KERNELBASE ref: 00007FF681F32680

SetLastError.KERNEL32 ref: 00007FF681F32839
CreateSemaphoreExW.KERNEL32 ref: 00007FF681F328AB
GetLastError.KERNEL32 ref: 00007FF681F328C8
SetLastError.KERNEL32 ref: 00007FF681F328E0

Strings

_p0, xrefs: 00007FF681F327C1
wil, xrefs: 00007FF681F32864

Memory Dump Source

Source File: 00000000.00000002.242166859.00007FF681F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF681F30000, based on PE: true

Associated: 00000000.00000002.242162264.00007FF681F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242186922.00007FF681F56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242194386.00007FF681F60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242238373.00007FF681F63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff681f30000_bHLOVVmF1t.jbxd

Similarity

API ID: ErrorLast$CreateSemaphore$ChangeCloseFindNotification
String ID: _p0$wil
API String ID: 17413022-1814513734
Opcode ID: ce4429791c09b843be52d415b05d80ceda785b1705ffd9a50c3ffab9cf97b73a
Instruction ID: d54ca74b1d5d0f10ce8aa5898f241334a9542fc13a4bfc311b308ce13e15357d
Opcode Fuzzy Hash: ce4429791c09b843be52d415b05d80ceda785b1705ffd9a50c3ffab9cf97b73a
Instruction Fuzzy Hash: E541A121B08B42C6E7219F66A4546B976D0FF88B90F44803DEE4E87B95CF3CE40AC701

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF681F3F879 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 105
windowfileCOMMON

Download Yara Rule

C-Code - Quality: 27%

			E00007FF67FF681F3F879(void* __ecx, void* __rdi, void* __rsi, void* __rbp, intOrPtr _a32, signed int _a64, char _a92, signed int _a96, signed long long _a152, long long _a176, intOrPtr* _a184, intOrPtr* _a208, char _a240, void* _a840, void* _a848, intOrPtr _a912) {
				long _t43;
				signed char _t54;
				short _t78;
				short* _t89;
				intOrPtr* _t91;
				intOrPtr _t117;
				intOrPtr _t119;
				intOrPtr _t121;
				intOrPtr _t129;
				intOrPtr _t131;
				intOrPtr _t132;
				intOrPtr _t134;
				void* _t137;
				long long _t139;
				signed long long _t141;

				_t126 = __rbp;
				_t124 = __rsi;
				_t122 = __rdi;
				_a32 = 0x30;
				_t91 = _a208;
				_t129 =  *0x81f60670; // 0x1bb5cf52990
				_t117 =  *0x81f60630; // 0x1bb5cf529a0
				E00007FF67FF681F3BDA4(_t91,  *0x81f62598, _t117, __rdi, __rsi, __rbp, _t129,  *_t91);
				_a64 = 0;
				_t139 = _a176;
				_t141 = _a152;
				_t6 =  &_a92; // 0x5d
				if (_t141 == _t6) goto 0x81f3f8d7;
				UnmapViewOfFile(??);
				r12b = _a912;
				if (_t139 == 0) goto 0x81f3f93c;
				 *((short*)(_t139 + _t141 * 2)) = 0;
				if (r12b != 0) goto 0x81f3f93c;
				_t89 = _t139;
				if (0 == 0) goto 0x81f3f90f;
				_t78 =  *_t89;
				if (_t78 != 0) goto 0x81f3f905;
				 *_t89 = 0x20;
				if (_t78 != 0) goto 0x81f3f8f8;
				if ( *_t139 != 0x2e) goto 0x81f3f937;
				if ( *((short*)(_t139 + 2)) != 0x4c) goto 0x81f3f937;
				if ( *((short*)(_t139 + 4)) != 0x4f) goto 0x81f3f937;
				if ( *((short*)(_t139 + 6)) != 0x47) goto 0x81f3f937;
				r15d = 1;
				goto 0x81f3f941;
				r15d = 0;
				goto 0x81f3f941;
				r15d = _a96;
				LocalUnlock(??);
				 *0x81f61690 = _a184;
				r9d = r9d ^ r9d;
				r8d = 0;
				SendMessageW(??, ??, ??, ??);
				if (0x81f620e0 == _t91) goto 0x81f3f991;
				E00007FF67FF681F3C6A8(_t91, 0x81f620e0, _t91, _t122, _t124, _t126);
				E00007FF67FF681F3B83C(_t91, _t122, _t129);
				 *0x81f60678 = 0;
				 *0x81f62374 = 1;
				r9d = 0;
				SendMessageW(??, ??, ??, ??);
				if ( *0x81f62374 != 2) goto 0x81f3fa39;
				SetCursor(??);
				 *0x81f62374 = 0;
				_a32 = 0x30;
				_t134 =  *_t91;
				_t131 =  *0x81f60638; // 0x1bb5cf5299e
				_t119 =  *0x81f60630; // 0x1bb5cf529a0
				E00007FF67FF681F3BDA4(_t91,  *0x81f62598, _t119, _t122, _t124, _t126, _t131, _t134);
				E00007FF67FF681F3FBEC(0, 0xbc,  *0x81f62374 - 2, _t89 + 2, _t91,  *0x81f62598, _t119, _t124, _t126, _t131, _t134, _t137);
				r9d = 0;
				_t17 = _t134 + 1; // 0x1
				r8d = _t17;
				SendMessageW(??, ??, ??, ??);
				goto 0x81f3fbb5;
				 *0x81f62374 = 0;
				r9d = 0;
				r8d = 0;
				PostMessageW(??, ??, ??, ??);
				if (r15d == 0) goto 0x81f3faa8;
				r8d = 0;
				r9d = 0;
				SendMessageW(??, ??, ??, ??);
				r9d = 0;
				r8d = r8d ^ r8d;
				SendMessageW(??, ??, ??, ??);
				E00007FF67FF681F3E3A8(1, r15d, _t91, _t119, _t122, _t131, _t134);
				r9d = 0;
				_t18 = _t119 - 0x57; // 0xbe
				r8d = _t18;
				_t43 = SendMessageW(??, ??, ??, ??);
				r9d = 1;
				r8d = _t43;
				SetScrollPos(??, ??, ??, ??);
				r9d = 0;
				_t20 = _t134 + 1; // 0x1
				r8d = _t20;
				SendMessageW(??, ??, ??, ??);
				_t21 = _t119 + 1; // 0x1
				r8d = _t21;
				InvalidateRect(??, ??, ??);
				UpdateWindow(??);
				E00007FF67FF681F3B130(0, _t91, _t122, _t124, _t134);
				SetCursor(??);
				if (r12b != 0) goto 0x81f3fb65;
				 *0x81f65130();
				_t22 =  &_a240; // 0xf1
				E00007FF67FF681F4FF5C(_t22);
				goto 0x81f3fbb7;
				_a32 = 0x30;
				_t132 =  *0x81f60638; // 0x1bb5cf5299e
				_t121 =  *0x81f60630; // 0x1bb5cf529a0
				E00007FF67FF681F3BDA4(_t91,  *0x81f62598, _t121, _t122, _t124, _t126, _t132,  *_a184);
				_t54 = CloseHandle(??);
				 *0x81f61500 = _t139;
				E00007FF67FF681F53F70();
				return _t54 ^ _t54;
			}

0x7ff681f3f879
0x7ff681f3f879
0x7ff681f3f879
0x7ff681f3f879
0x7ff681f3f881
0x7ff681f3f88c
0x7ff681f3f893
0x7ff681f3f8a1
0x7ff681f3f8a8
0x7ff681f3f8ae
0x7ff681f3f8b6
0x7ff681f3f8be
0x7ff681f3f8c6
0x7ff681f3f8cb
0x7ff681f3f8d7
0x7ff681f3f8e2
0x7ff681f3f8e6
0x7ff681f3f8ef
0x7ff681f3f8f1
0x7ff681f3f8f6
0x7ff681f3f8f8
0x7ff681f3f8fb
0x7ff681f3f902
0x7ff681f3f90d
0x7ff681f3f915
0x7ff681f3f91d
0x7ff681f3f925
0x7ff681f3f92d
0x7ff681f3f92f
0x7ff681f3f935
0x7ff681f3f937
0x7ff681f3f93a
0x7ff681f3f93c
0x7ff681f3f94c
0x7ff681f3f958
0x7ff681f3f95f
0x7ff681f3f962
0x7ff681f3f971
0x7ff681f3f987
0x7ff681f3f98c
0x7ff681f3f991
0x7ff681f3f996
0x7ff681f3f99c
0x7ff681f3f9a6
0x7ff681f3f9bc
0x7ff681f3f9cf
0x7ff681f3f9d8
0x7ff681f3f9e4
0x7ff681f3f9ea
0x7ff681f3f9f2
0x7ff681f3f9f5
0x7ff681f3f9fc
0x7ff681f3fa0a
0x7ff681f3fa11
0x7ff681f3fa16
0x7ff681f3fa1d
0x7ff681f3fa1d
0x7ff681f3fa28
0x7ff681f3fa34
0x7ff681f3fa39
0x7ff681f3fa3f
0x7ff681f3fa42
0x7ff681f3fa51
0x7ff681f3fa60
0x7ff681f3fa62
0x7ff681f3fa65
0x7ff681f3fa74
0x7ff681f3fa80
0x7ff681f3fa83
0x7ff681f3fa92
0x7ff681f3faa3
0x7ff681f3faa8
0x7ff681f3fab0
0x7ff681f3fab0
0x7ff681f3fabb
0x7ff681f3fac7
0x7ff681f3facd
0x7ff681f3fada
0x7ff681f3fae6
0x7ff681f3faed
0x7ff681f3faed
0x7ff681f3faf8
0x7ff681f3fb06
0x7ff681f3fb06
0x7ff681f3fb11
0x7ff681f3fb24
0x7ff681f3fb30
0x7ff681f3fb3c
0x7ff681f3fb4b
0x7ff681f3fb59
0x7ff681f3fb65
0x7ff681f3fb6d
0x7ff681f3fb74
0x7ff681f3fb76
0x7ff681f3fb81
0x7ff681f3fb88
0x7ff681f3fb96
0x7ff681f3fba2
0x7ff681f3fbae
0x7ff681f3fbc2
0x7ff681f3fbe3

APIs

Part of subcall function 00007FF681F3BDA4: wcsnlen.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF681F3BDDF
Part of subcall function 00007FF681F3BDA4: LocalAlloc.KERNEL32 ref: 00007FF681F3BE1C
Part of subcall function 00007FF681F3BDA4: MessageBoxW.USER32 ref: 00007FF681F3BEBD
Part of subcall function 00007FF681F3BDA4: LocalFree.KERNEL32 ref: 00007FF681F3BECE

UnmapViewOfFile.KERNEL32 ref: 00007FF681F3F8CB
LocalUnlock.KERNEL32 ref: 00007FF681F3F94C
SendMessageW.USER32 ref: 00007FF681F3F971
SendMessageW.USER32 ref: 00007FF681F3F9BC
SetCursor.USER32 ref: 00007FF681F3F9D8
SendMessageW.USER32 ref: 00007FF681F3FA28

Strings

0, xrefs: 00007FF681F3F879
0, xrefs: 00007FF681F3F9EA

Memory Dump Source

Source File: 00000000.00000002.242166859.00007FF681F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF681F30000, based on PE: true

Associated: 00000000.00000002.242162264.00007FF681F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242186922.00007FF681F56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242194386.00007FF681F60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242238373.00007FF681F63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff681f30000_bHLOVVmF1t.jbxd

Similarity

API ID: Message$LocalSend$AllocCursorFileFreeUnlockUnmapViewwcsnlen
String ID: 0$0
API String ID: 2825476163-203156872
Opcode ID: 58795591c16274a3248df0f8af45c206b9a7cf14b786561b0484648211de92fe
Instruction ID: 2ae4775cd6ff3b6ba01b7a5343fddc94fbf29e1c45921416cffe48617212c32e
Opcode Fuzzy Hash: 58795591c16274a3248df0f8af45c206b9a7cf14b786561b0484648211de92fe
Instruction Fuzzy Hash: C3516132909686C6EB608F11E81467A77E4FF85B54F44803ACA4E83764CF7DE886C702

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF681F51808 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 172COMMON

Download Yara Rule

APIs

WindowsCreateStringReference.API-MS-WIN-CORE-WINRT-STRING-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF681F39B32), ref: 00007FF681F5184F
RoGetActivationFactory.API-MS-WIN-CORE-WINRT-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF681F39B32), ref: 00007FF681F5188B

Strings

shell\osshell\accesory\common\edpapphelper\edpapphelper.cpp, xrefs: 00007FF681F518A1, 00007FF681F518DD, 00007FF681F51919, 00007FF681F5195B, 00007FF681F519A8
Windows.ApplicationModel.DataTransfer.Clipboard, xrefs: 00007FF681F51841

Memory Dump Source

Source File: 00000000.00000002.242166859.00007FF681F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF681F30000, based on PE: true

Associated: 00000000.00000002.242162264.00007FF681F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242186922.00007FF681F56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242194386.00007FF681F60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242238373.00007FF681F63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff681f30000_bHLOVVmF1t.jbxd

Similarity

API ID: ActivationCreateFactoryReferenceStringWindows
String ID: Windows.ApplicationModel.DataTransfer.Clipboard$shell\osshell\accesory\common\edpapphelper\edpapphelper.cpp
API String ID: 1966789792-3637659222
Opcode ID: fadc129054a8009cd0d05b225924beefd3da79777366271dca0f636e3d93d78f
Instruction ID: 648ea5c2522ed7582ed10315c915069d6f096ed1f29ea38b58c603f543ddf0af
Opcode Fuzzy Hash: fadc129054a8009cd0d05b225924beefd3da79777366271dca0f636e3d93d78f
Instruction Fuzzy Hash: 6E71C526B08B56C5EB109BA5E8501ED37F4FF88B88B54813ADE0E97B69DF38E505C740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF681F4182C Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 155
COMMON

Download Yara Rule

C-Code - Quality: 42%

			E00007FF67FF681F4182C(void* __ecx, void* __edx, void* __eflags, void* __rax, long long __rbx, void* __rcx, long long __rbp, void* __r9, void* __r10, long long _a8, long long _a16, char _a24) {
				void* __rsi;
				void* _t8;
				signed int _t9;
				signed int _t11;
				void* _t15;
				signed int _t17;
				void* _t41;
				signed short* _t42;
				signed short* _t46;
				signed short* _t47;
				void* _t60;
				long long _t68;

				_t41 = __rax;
				_a8 = __rbx;
				_a16 = __rbp;
				_t8 = E00007FF67FF681F41114(_t15, __rax, __rcx, L"/PT", __rcx, _t60);
				r14d = 0;
				if (_t8 != 0) goto 0x81f41881;
				_t46 = __rcx + 6;
				_t9 =  *_t46 & 0x0000ffff;
				if (_t9 == 0x20) goto 0x81f41871;
				if (_t9 != 9) goto 0x81f41877;
				_t47 =  &(_t46[1]);
				goto 0x81f41862;
				goto 0x81f418b3;
				if (E00007FF67FF681F41114(_t15, __rax, _t47, L"/P", _t47, _t60) != 0) goto 0x81f41924;
				_t11 = _t47[2] & 0x0000ffff;
				if (_t11 == 0x20) goto 0x81f418ab;
				if (_t11 != 9) goto 0x81f418b1;
				goto 0x81f4189c;
				if (_t11 == 0) goto 0x81f41924;
				ShowWindow(??, ??);
				_a24 = _t68;
				E00007FF67FF681F41188( &(_t47[3]),  &(_t47[3]),  &_a24, __r9, __r10);
				_t42 = _t41 + 2;
				if (r14d != 0) goto 0x81f41985;
				_t17 =  *_t42 & 0x0000ffff;
				if (_t17 == 0) goto 0x81f4190e;
				if (_t17 == 0x20) goto 0x81f418ff;
				if (_t17 != 9) goto 0x81f41908;
				goto 0x81f418f3;
				if ((_t42[1] & 0x0000ffff) == 0x22) goto 0x81f4193a;
				if (_a24 == 0) goto 0x81f41924;
				__imp__CoTaskMemFree();
				return 0;
			}

0x7ff681f4182c
0x7ff681f4182c
0x7ff681f41831
0x7ff681f41852
0x7ff681f41857
0x7ff681f4185c
0x7ff681f4185e
0x7ff681f41862
0x7ff681f41869
0x7ff681f4186f
0x7ff681f41871
0x7ff681f41875
0x7ff681f4187f
0x7ff681f41892
0x7ff681f4189c
0x7ff681f418a3
0x7ff681f418a9
0x7ff681f418af
0x7ff681f418b6
0x7ff681f418c1
0x7ff681f418d2
0x7ff681f418da
0x7ff681f418df
0x7ff681f418e5
0x7ff681f418eb
0x7ff681f418f1
0x7ff681f418f7
0x7ff681f418fd
0x7ff681f41906
0x7ff681f4190c
0x7ff681f41916
0x7ff681f41918
0x7ff681f41938

APIs

Part of subcall function 00007FF681F41114: CharUpperW.USER32 ref: 00007FF681F41137
Part of subcall function 00007FF681F41114: CharUpperW.USER32 ref: 00007FF681F4114D

ShowWindow.USER32 ref: 00007FF681F418C1
CoTaskMemFree.API-MS-WIN-CORE-COM-L1-1-0 ref: 00007FF681F41918

Strings

/PT, xrefs: 00007FF681F4184B
0, xrefs: 00007FF681F41A15

Memory Dump Source

Source File: 00000000.00000002.242166859.00007FF681F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF681F30000, based on PE: true

Associated: 00000000.00000002.242162264.00007FF681F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242186922.00007FF681F56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242194386.00007FF681F60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242238373.00007FF681F63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff681f30000_bHLOVVmF1t.jbxd

Similarity

API ID: CharUpper$FreeShowTaskWindow
String ID: /PT$0
API String ID: 4259454098-4063893260
Opcode ID: 05292cead8d38d151ffa673337df004634e0a015ad0201037c4bfa1272ecf129
Instruction ID: f608bcd7495583cb557859bc4641232d07c3fa7d44a9a102f84678cde50e20b4
Opcode Fuzzy Hash: 05292cead8d38d151ffa673337df004634e0a015ad0201037c4bfa1272ecf129
Instruction Fuzzy Hash: 14516A66E0C642C2FB709B15A6152B976E0FF85B90F548139EA9EC3695DF3CF842C601

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF681F3FE88 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 145
COMMON

Download Yara Rule

C-Code - Quality: 16%

			E00007FF67FF681F3FE88(void* __rcx, long long __rdi, long long __rsi, long long __r14) {
				void* __rbp;
				void* _t57;
				signed int _t68;
				void* _t81;
				void* _t93;
				signed long long _t94;
				void* _t100;
				intOrPtr _t123;
				void* _t129;
				void* _t130;
				void* _t132;
				signed long long _t133;
				intOrPtr _t138;
				void* _t143;
				void* _t146;

				_t93 = _t132;
				 *((long long*)(_t93 + 0x10)) = __rsi;
				 *((long long*)(_t93 + 0x18)) = __rdi;
				 *((long long*)(_t93 + 0x20)) = __r14;
				_t130 = _t93 - 0x1a8;
				_t133 = _t132 - 0x2a0;
				_t94 =  *0x81f60470; // 0xbba9a5b3aaf9
				 *(_t130 + 0x190) = _t94 ^ _t133;
				_t146 = __rcx;
				dil =  *0x81f62348 == 2;
				E00007FF67FF681F3C5C0(0, _t100);
				 *(_t133 + 0x40) =  *(_t133 + 0x40) & 0x00000000;
				 *(_t133 + 0x38) =  *(_t133 + 0x38) & 0x00000000;
				r8d = 0x1fa;
				memset(??, ??, ??);
				if (E00007FF67FF681F400F0(_t146, _t133 + 0x40) < 0) goto 0x81f4008e;
				_t81 = E00007FF67FF681F51160( *(_t133 + 0x40), _t130 - 0x70, _t133 + 0x38, _t143);
				if (_t81 < 0) goto 0x81f4008e;
				_t68 =  *(_t133 + 0x38);
				 *0x81f62348 = _t68;
				if (_t81 == 0) goto 0x81f4009c;
				if (_t81 == 0) goto 0x81f3ff46;
				if (_t68 != 3) goto 0x81f40043;
				goto 0x81f40097;
				 *0x81f614f2 =  *0x81f614f2 + 1;
				if ( *0x81f62134 == 0) goto 0x81f3ff6c;
				if (0 != 0) goto 0x81f3ff6c;
				_t57 = E00007FF67FF681F52144(_t56, _t100, _t130 - 0x70);
				if (_t57 == 2) goto 0x81f40095;
				 *(_t133 + 0x38) =  *(_t133 + 0x38) & 0x00000000;
				 *(_t133 + 0x68) =  *(_t133 + 0x68) & 0x00000000;
				 *((long long*)(_t133 + 0x48)) = _t130 - 0x70;
				 *(_t133 + 0x30) = 0;
				__imp__WindowsCreateStringReference();
				if (_t57 < 0) goto 0x81f400e0;
				__imp__RoGetActivationFactory();
				 *(_t133 + 0x68) =  *(_t133 + 0x68) & 0x00000000;
				if (_t57 < 0) goto 0x81f4000c;
				E00007FF67FF681F52274(_t57, _t130 - 0x70, _t100, _t133 + 0x70, _t133 + 0x48);
				 *0x81f570f0();
				 *(_t130 - 0x78) =  *(_t130 - 0x78) & 0x00000000;
				if ( *(_t133 + 0x38) == 0) goto 0x81f4002e;
				 *(_t133 + 0x38) =  *(_t133 + 0x38) & 0x00000000;
				 *0x81f570f0();
				if (( *(_t133 + 0x30) & 0x000000ff) == 0) goto 0x81f4003d;
				E00007FF67FF681F3C540(_t100, _t130 - 0x70);
				goto 0x81f4003f;
				if (0 != 0) goto 0x81f4009c;
				_t138 =  *0x81f60498; // 0x1bb5cf529f8
				_t123 =  *0x81f604a0; // 0x1bb5cf529f6
				 *((intOrPtr*)(_t133 + 0x20)) = 0x30;
				E00007FF67FF681F3BDA4(_t100,  *0x81f62598, _t123,  *(_t133 + 0x38), __rsi, _t130, _t138, _t146);
				CloseHandle(_t129);
				 *0x81f61500 =  *0x81f61500 | 0xffffffff;
				 *0x81f62348 =  *0x81f62348 & 0x00000000;
				goto 0x81f4009c;
				 *0x81f614f8 =  *0x81f614f8;
				E00007FF67FF681F3C5C0(0, _t100);
				if ( *(_t133 + 0x40) == 0) goto 0x81f400b5;
				__imp__CoTaskMemFree();
				E00007FF67FF681F53F70();
				return 0;
			}

0x7ff681f3fe88
0x7ff681f3fe8b
0x7ff681f3fe8f
0x7ff681f3fe93
0x7ff681f3fe98
0x7ff681f3fe9f
0x7ff681f3fea6
0x7ff681f3feb0
0x7ff681f3feb9
0x7ff681f3fec3
0x7ff681f3fec9
0x7ff681f3fece
0x7ff681f3fed8
0x7ff681f3fedf
0x7ff681f3fee5
0x7ff681f3fefe
0x7ff681f3ff17
0x7ff681f3ff19
0x7ff681f3ff1f
0x7ff681f3ff23
0x7ff681f3ff2b
0x7ff681f3ff33
0x7ff681f3ff38
0x7ff681f3ff41
0x7ff681f3ff46
0x7ff681f3ff54
0x7ff681f3ff58
0x7ff681f3ff5e
0x7ff681f3ff66
0x7ff681f3ff6c
0x7ff681f3ff76
0x7ff681f3ff86
0x7ff681f3ff90
0x7ff681f3ff9c
0x7ff681f3ffaa
0x7ff681f3ffc1
0x7ff681f3ffcd
0x7ff681f3ffd5
0x7ff681f3ffe6
0x7ff681f40001
0x7ff681f40007
0x7ff681f40019
0x7ff681f4001b
0x7ff681f40028
0x7ff681f40030
0x7ff681f40036
0x7ff681f4003b
0x7ff681f40041
0x7ff681f40043
0x7ff681f4004d
0x7ff681f4005b
0x7ff681f40063
0x7ff681f4006f
0x7ff681f4007b
0x7ff681f40083
0x7ff681f4008c
0x7ff681f4008e
0x7ff681f40097
0x7ff681f400a2
0x7ff681f400a9
0x7ff681f400c1
0x7ff681f400de

APIs

memset.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF681F3FEE5
WindowsCreateStringReference.API-MS-WIN-CORE-WINRT-STRING-L1-1-0 ref: 00007FF681F3FF9C
RoGetActivationFactory.API-MS-WIN-CORE-WINRT-L1-1-0 ref: 00007FF681F3FFC1
CloseHandle.KERNEL32 ref: 00007FF681F4006F
CoTaskMemFree.API-MS-WIN-CORE-COM-L1-1-0 ref: 00007FF681F400A9

Strings

Windows.Security.EnterpriseData.ProtectionPolicyManager, xrefs: 00007FF681F3FF95
0, xrefs: 00007FF681F4005B

Memory Dump Source

Source File: 00000000.00000002.242166859.00007FF681F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF681F30000, based on PE: true

Associated: 00000000.00000002.242162264.00007FF681F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242186922.00007FF681F56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242194386.00007FF681F60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242238373.00007FF681F63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff681f30000_bHLOVVmF1t.jbxd

Similarity

API ID: ActivationCloseCreateFactoryFreeHandleReferenceStringTaskWindowsmemset
String ID: 0$Windows.Security.EnterpriseData.ProtectionPolicyManager
API String ID: 1025271488-297563236
Opcode ID: 585042c758698f7b950c7d838edc7b538acc78d971915aa02f8c2c83a04af0da
Instruction ID: 3710aa9d02707f15a7ed8129b56620870f0129e60f2f7318a6e0555fd6a5b5c4
Opcode Fuzzy Hash: 585042c758698f7b950c7d838edc7b538acc78d971915aa02f8c2c83a04af0da
Instruction Fuzzy Hash: 08615A32A18A46C6EB608B25E8543FA77E0FF84B94F50413AEA4EC76A4DF3DE545C740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF681F384EC Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 117
threadCOMMON

Download Yara Rule

C-Code - Quality: 15%

			E00007FF67FF681F384EC(long long __rbx, void* __rcx, void* __rdx, long long __rdi, long long __rsi, void* __r10) {
				void* __rbp;
				void* _t53;
				intOrPtr _t58;
				void* _t73;
				signed long long _t74;
				long long _t77;
				long long _t78;
				long long _t79;
				long long _t84;
				long long _t104;
				void* _t108;
				void* _t109;
				void* _t111;
				signed long long _t112;
				void* _t114;
				intOrPtr _t117;
				void* _t120;
				void* _t121;
				void* _t123;

				_t106 = __rsi;
				_t104 = __rdi;
				_t102 = __rdx;
				_t73 = _t111;
				 *((long long*)(_t73 + 0x10)) = __rbx;
				 *((long long*)(_t73 + 0x18)) = __rsi;
				 *((long long*)(_t73 + 0x20)) = __rdi;
				_t109 = _t73 - 0xc8;
				_t112 = _t111 - 0x1b0;
				_t74 =  *0x81f60470; // 0xbba9a5b3aaf9
				 *(_t109 + 0xa0) = _t74 ^ _t112;
				_t121 = __rcx;
				r15d = 0x104;
				r8d = r15d;
				E00007FF67FF681F3E224(__rbx, _t112 + 0x50, __rdx, __rdi, __rsi, _t109, _t114, _t123, _t120);
				_t84 =  *((intOrPtr*)(_t112 + 0x50));
				if (_t84 == 0) goto 0x81f386c5;
				_t58 = _t123 - 0x6c;
				r8d = _t58;
				memset(??, ??, ??);
				 *((long long*)(_t112 + 0x68)) =  *0x81f62598;
				_t77 =  *0x81f61670; // 0x0
				 *((long long*)(_t112 + 0x70)) = _t77;
				 *((intOrPtr*)(_t112 + 0x60)) = _t58;
				 *((intOrPtr*)(_t109 - 0x68)) = r15d;
				 *((long long*)(_t109 - 0x70)) = _t84;
				E00007FF67FF681F316FC(_t84, _t84, _t102, L"*.txt", __r10);
				 *(_t112 + 0x40) =  *(_t112 + 0x40) & 0x00000000;
				_t78 =  *0x81f605b8; // 0x1bb5cf529b6
				 *(_t112 + 0x38) =  *(_t112 + 0x38) & 0x00000000;
				_t117 =  *0x81f605c8; // 0x1bb5cf529b2
				 *((long long*)(_t109 - 0x48)) = _t78;
				_t79 =  *0x81f605c0; // 0x1bb5cf529b4
				 *((long long*)(_t112 + 0x30)) = _t79;
				 *(_t112 + 0x28) =  *(_t112 + 0x28) & 0x00000000;
				 *(_t112 + 0x20) =  *(_t112 + 0x20) & 0x00000000;
				E00007FF67FF681F31860(_t109, _t102, L"%s%c*.txt%c%s%c*.*%c", _t117, _t108);
				 *((intOrPtr*)(_t109 - 0x40)) = 0x881064;
				 *((intOrPtr*)(_t109 - 0x74)) = 1;
				 *((long long*)(_t109 - 0x38)) = L"txt";
				_t93 =  <  ?  *((void*)(_t112 + 0x78)) : _t109;
				 *((long long*)(_t112 + 0x78)) =  <  ?  *((void*)(_t112 + 0x78)) : _t109;
				 *((long long*)(_t109 - 0x20)) = 0xf;
				 *((long long*)(_t109 - 0x28)) = E00007FF67FF681F3C4A0;
				__imp__SetThreadDpiAwarenessContext();
				if ( *0x81f650a8() != 0) goto 0x81f38664;
				if ( *0x81f65098() != 0) goto 0x81f3865d;
				goto 0x81f38664;
				E00007FF67FF681F3BF20();
				__imp__SetThreadDpiAwarenessContext();
				if (0x80004005 < 0) goto 0x81f386b1;
				E00007FF67FF681F508BC(_t53);
				if ( *0x81f615e4 != 0) goto 0x81f38695;
				 *0x81f615e4 = E00007FF67FF681F3809C(_t84, _t117);
				if (_t121 == _t112 + 0x50) goto 0x81f386b1;
				E00007FF67FF681F3C6A8(_t84, _t121, _t112 + 0x50, _t104, _t106, _t109);
				if ( *((intOrPtr*)(_t112 + 0x50)) == 0) goto 0x81f386c5;
				__imp__CoTaskMemFree();
				E00007FF67FF681F53F70();
				return 0x80004005;
			}

0x7ff681f384ec
0x7ff681f384ec
0x7ff681f384ec
0x7ff681f384ec
0x7ff681f384ef
0x7ff681f384f3
0x7ff681f384f7
0x7ff681f38500
0x7ff681f38507
0x7ff681f3850e
0x7ff681f38518
0x7ff681f3851f
0x7ff681f38522
0x7ff681f38528
0x7ff681f38537
0x7ff681f3853c
0x7ff681f38544
0x7ff681f3854a
0x7ff681f38550
0x7ff681f38558
0x7ff681f3856b
0x7ff681f38573
0x7ff681f3857d
0x7ff681f38582
0x7ff681f38586
0x7ff681f3858a
0x7ff681f3858e
0x7ff681f38593
0x7ff681f385a0
0x7ff681f385aa
0x7ff681f385b4
0x7ff681f385bb
0x7ff681f385bf
0x7ff681f385c6
0x7ff681f385cb
0x7ff681f385d1
0x7ff681f385d7
0x7ff681f385de
0x7ff681f385ec
0x7ff681f385f3
0x7ff681f385fb
0x7ff681f38608
0x7ff681f38614
0x7ff681f3861c
0x7ff681f38620
0x7ff681f38644
0x7ff681f38654
0x7ff681f3865b
0x7ff681f3865d
0x7ff681f38669
0x7ff681f38677
0x7ff681f38679
0x7ff681f38685
0x7ff681f3868f
0x7ff681f3869d
0x7ff681f386a7
0x7ff681f386b4
0x7ff681f386b9
0x7ff681f386d1
0x7ff681f386f2

APIs

Part of subcall function 00007FF681F3E224: CoTaskMemAlloc.API-MS-WIN-CORE-COM-L1-1-0(?,?,?,00007FF681F3853C), ref: 00007FF681F3E2A1

memset.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF681F38558

Part of subcall function 00007FF681F31860: _vsnwprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF681F318A0

SetThreadDpiAwarenessContext.USER32 ref: 00007FF681F38620
SetThreadDpiAwarenessContext.USER32 ref: 00007FF681F38669
CoTaskMemFree.API-MS-WIN-CORE-COM-L1-1-0 ref: 00007FF681F386B9

Strings

*.txt, xrefs: 00007FF681F38564
txt, xrefs: 00007FF681F385E5
%s%c*.txt%c%s%c*.*%c, xrefs: 00007FF681F38599

Memory Dump Source

Source File: 00000000.00000002.242166859.00007FF681F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF681F30000, based on PE: true

Associated: 00000000.00000002.242162264.00007FF681F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242186922.00007FF681F56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242194386.00007FF681F60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242238373.00007FF681F63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff681f30000_bHLOVVmF1t.jbxd

Similarity

API ID: AwarenessContextTaskThread$AllocFree_vsnwprintfmemset
String ID: %s%c*.txt%c%s%c*.*%c$*.txt$txt
API String ID: 2351153411-3032785013
Opcode ID: 690a3a3765457d3c503370c3cbd2004ab96f88a2d9d781725bd1182859288bd4
Instruction ID: 9d554d181f7685894dcbbe6c9dfda0d4b5515d685e826b202eb761d2ac9f9e0c
Opcode Fuzzy Hash: 690a3a3765457d3c503370c3cbd2004ab96f88a2d9d781725bd1182859288bd4
Instruction Fuzzy Hash: 9A513972A08B86CAEB10CB61E8443A977E4FF89B54F544239EA4D877A4DF7CE445CB01

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF681F3EFFC Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 49COMMON

Download Yara Rule

APIs

PathFindExtensionW.API-MS-WIN-CORE-SHLWAPI-LEGACY-L1-1-0 ref: 00007FF681F3F012
_o__wcsicmp.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00007FF681F3F031
CoTaskMemFree.API-MS-WIN-CORE-COM-L1-1-0 ref: 00007FF681F3F08D

Strings

.log, xrefs: 00007FF681F3F027
Unknown, xrefs: 00007FF681F3F0AD
FAIL/Error, xrefs: 00007FF681F3F09B
test/log, xrefs: 00007FF681F3F0A4

Memory Dump Source

Source File: 00000000.00000002.242166859.00007FF681F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF681F30000, based on PE: true

Associated: 00000000.00000002.242162264.00007FF681F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242186922.00007FF681F56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242194386.00007FF681F60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242238373.00007FF681F63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff681f30000_bHLOVVmF1t.jbxd

Similarity

API ID: ExtensionFindFreePathTask_o__wcsicmp
String ID: .log$FAIL/Error$Unknown$test/log
API String ID: 2494169980-2209339843
Opcode ID: 772121dd7c2f18367cc5b261438552ea5625e3c0a997af2abb6ed11bbc5aebb5
Instruction ID: 1a25efe3d4aea9b7c3ab0c01940c7989d5ec6e4fcb7e68420ec628188bd9e4c4
Opcode Fuzzy Hash: 772121dd7c2f18367cc5b261438552ea5625e3c0a997af2abb6ed11bbc5aebb5
Instruction Fuzzy Hash: 0C115EB2A08B82C3E7008B51F4543BAB6A1FF85790F848139DA4E83694DF3DE445C702

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF681F4ED68 Relevance: 12.1, APIs: 8, Instructions: 117windowmemoryCOMMON

Download Yara Rule

APIs

wcsnlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00000000,?,00000001,00000000,00000000,00000000,00007FF681F4ECBA), ref: 00007FF681F4EDA5
GlobalAlloc.KERNEL32(?,00000001,00000000,00000000,00000000,00007FF681F4ECBA), ref: 00007FF681F4EDE2
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,00000001,00000000,00000000,00000000,00007FF681F4ECBA), ref: 00007FF681F4EE61
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,00000001,00000000,00000000,00000000,00007FF681F4ECBA), ref: 00007FF681F4EE76
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,00000001,00000000,00000000,00000000,00007FF681F4ECBA), ref: 00007FF681F4EEBF
SendMessageW.USER32(?,00000001,00000000,00000000,00000000,00007FF681F4ECBA), ref: 00007FF681F4EED6
SendMessageW.USER32(?,00000001,00000000,00000000,00000000,00007FF681F4ECBA), ref: 00007FF681F4EEF7
GlobalFree.KERNEL32 ref: 00007FF681F4EF06

Memory Dump Source

Source File: 00000000.00000002.242166859.00007FF681F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF681F30000, based on PE: true

Associated: 00000000.00000002.242162264.00007FF681F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242186922.00007FF681F56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242194386.00007FF681F60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242238373.00007FF681F63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff681f30000_bHLOVVmF1t.jbxd

Similarity

API ID: memcpy$GlobalMessageSend$AllocFreewcsnlen
String ID:
API String ID: 1997934235-0
Opcode ID: cce4c02b65b32d33fc32bfed86f7c26e5e3448b497c9ee82785b04ec56a7c11e
Instruction ID: 56f4ef4a0770072e24d9b6c085d32c2be90eeaea7772bb5989dd75be4fc26755
Opcode Fuzzy Hash: cce4c02b65b32d33fc32bfed86f7c26e5e3448b497c9ee82785b04ec56a7c11e
Instruction Fuzzy Hash: 7C419621718A96CADB609F16A8146BABBE0FF89BD8F448039DE4E87B55DE3CD445C700

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF681F3C20C Relevance: 12.1, APIs: 8, Instructions: 106windowCOMMON

Download Yara Rule

APIs

SendDlgItemMessageW.USER32 ref: 00007FF681F3C247
SendDlgItemMessageW.USER32 ref: 00007FF681F3C26A
SendDlgItemMessageW.USER32 ref: 00007FF681F3C28D
SendDlgItemMessageW.USER32 ref: 00007FF681F3C2B0
SendDlgItemMessageW.USER32 ref: 00007FF681F3C2D3
SendDlgItemMessageW.USER32 ref: 00007FF681F3C370
SendDlgItemMessageW.USER32 ref: 00007FF681F3C390
SendDlgItemMessageW.USER32 ref: 00007FF681F3C3B4

Memory Dump Source

Source File: 00000000.00000002.242166859.00007FF681F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF681F30000, based on PE: true

Associated: 00000000.00000002.242162264.00007FF681F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242186922.00007FF681F56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242194386.00007FF681F60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242238373.00007FF681F63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff681f30000_bHLOVVmF1t.jbxd

Similarity

API ID: ItemMessageSend
String ID:
API String ID: 3015471070-0
Opcode ID: fdcd48ce6362af679fa868171d93333fe91bd05a63efb56ce54f1af56445c96c
Instruction ID: b3c382ee5d753d1bbe70ef4f5b42cf38ab6c0cc5044df94fe54d0c699c568038
Opcode Fuzzy Hash: fdcd48ce6362af679fa868171d93333fe91bd05a63efb56ce54f1af56445c96c
Instruction Fuzzy Hash: 59414031B18A85C6E7608F15F8046AABBE0FF8AB95F555239DA9D83B54CF3CD141CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF681F4EF38 Relevance: 12.1, APIs: 8, Instructions: 93windowCOMMON

Download Yara Rule

APIs

wcsnlen.API-MS-WIN-CRT-STRING-L1-1-0(?,00000001,00000000,00000000,00000000,00007FF681F4ECDC), ref: 00007FF681F4EF65
SendMessageW.USER32(?,00000001,00000000,00000000,00000000,00007FF681F4ECDC), ref: 00007FF681F4EF8A
SendMessageW.USER32(?,00000001,00000000,00000000,00000000,00007FF681F4ECDC), ref: 00007FF681F4EFA8
LocalLock.KERNEL32(?,00000001,00000000,00000000,00000000,00007FF681F4ECDC), ref: 00007FF681F4EFC3
SendMessageW.USER32(?,00000001,00000000,00000000,00000000,00007FF681F4ECDC), ref: 00007FF681F4F03A
SendMessageW.USER32(?,00000001,00000000,00000000,00000000,00007FF681F4ECDC), ref: 00007FF681F4F05D
SendMessageW.USER32(?,00000001,00000000,00000000,00000000,00007FF681F4ECDC), ref: 00007FF681F4F080
LocalUnlock.KERNEL32(?,00000001,00000000,00000000,00000000,00007FF681F4ECDC), ref: 00007FF681F4F091

Memory Dump Source

Source File: 00000000.00000002.242166859.00007FF681F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF681F30000, based on PE: true

Associated: 00000000.00000002.242162264.00007FF681F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242186922.00007FF681F56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242194386.00007FF681F60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242238373.00007FF681F63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff681f30000_bHLOVVmF1t.jbxd

Similarity

API ID: MessageSend$Local$LockUnlockwcsnlen
String ID:
API String ID: 3687776761-0
Opcode ID: 2b35946008a9c2317d430dd5becb667aed054256675c89b653d611667adb67c7
Instruction ID: b2f5590124cc08e5ae47a609da157ca9fa0f5f553c45b1d158405e0947717ac9
Opcode Fuzzy Hash: 2b35946008a9c2317d430dd5becb667aed054256675c89b653d611667adb67c7
Instruction Fuzzy Hash: 29410836A08656C6E7608B59E450679BBA0FFC9B91F448139DE0E83B64DF3CE485CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF681F4FC20 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 123
COMMON

Download Yara Rule

C-Code - Quality: 21%

			E00007FF67FF681F4FC20(void* __ecx, void* __eflags, void* __rax, void* __rcx, intOrPtr* __rdx, long long __r8, long long __r9, long long _a16, char _a24, long long _a32) {
				void* _v0;
				char _v88;
				char _v96;
				void* _v104;
				void* __rbx;
				void* __rdi;
				void* __rsi;
				void* __rbp;
				void* _t56;
				void* _t62;
				void* _t63;
				long long _t66;
				long long _t67;
				void* _t86;
				void* _t87;
				signed long long _t88;
				void* _t91;
				void* _t101;
				signed long long _t102;
				intOrPtr* _t103;

				_t62 = __rax;
				_a16 = __rdx;
				_a24 = __r8;
				_a32 = __r9;
				_t103 = __rdx;
				_t101 = __rcx;
				_t87 = E00007FF67FF681F54FA4(__ecx, __rax, _t66, __rdx,  &_a24);
				r13d = 0;
				_v104 = _t66;
				E00007FF67FF681F3E224(_t66,  &_v88,  &_a24, _t86, _t87, _t91, _t87);
				if ( &_v104 == _t62) goto 0x81f4fc88;
				E00007FF67FF681F3C6A8(_t66,  &_v104, _t62, _t86, _t87, _t91);
				_t67 = _v104;
				if (_v88 == 0) goto 0x81f4fc9d;
				__imp__CoTaskMemFree();
				if (_t67 != 0) goto 0x81f4fcc4;
				r9d = 0x8007000e;
				E00007FF67FF681F325BC();
				goto 0x81f4fdaa;
				_t88 = _t87 + 1;
				_t12 = _t88 - 1; // 0x0
				_t63 = _t12;
				_t42 =  >  ? 0x80070057 : r13d;
				_t52 =  >  ? 0x80070057 : r13d;
				if (( >  ? 0x80070057 : r13d) < 0) goto 0x81f4fd40;
				if (_t88 != 0) goto 0x81f4fcf4;
				if ( *_t103 == r13w) goto 0x81f4fd76;
				goto 0x81f4fd4d;
				_t14 = _t88 - 1; // 0x0
				_t102 = _t14;
				if (E00007FF67FF681F54F3C(0x80070057, _t63, _t67, _t67, _t102, _t88, _t91, _t103,  &_a24) < 0) goto 0x81f4fd21;
				_t56 = _t63 - _t102;
				if (_t56 > 0) goto 0x81f4fd21;
				if (_t56 != 0) goto 0x81f4fd2b;
				 *((intOrPtr*)(_t67 + _t102 * 2)) = r13w;
				goto 0x81f4fd49;
				 *((intOrPtr*)(_t67 + _t102 * 2)) = r13w;
				if (0x8007007a >= 0) goto 0x81f4fd76;
				if (0x8007007a <= 0) goto 0x81f4fd49;
				goto 0x81f4fd45;
				if ((_t88 & 0xffffffff) == 0) goto 0x81f4fd49;
				 *_t67 = r13w;
				if (0x8007007a >= 0) goto 0x81f4fd76;
				r9d = 0x8007007a;
				E00007FF67FF681F325BC();
				__imp__CoTaskMemFree();
				goto 0x81f4fdaa;
				_v96 = _t67;
				if (_t101 ==  &_v96) goto 0x81f4fd93;
				E00007FF67FF681F3C6A8(_t67, _t101,  &_v96, _t86, _t88 & 0xffffffff, _t91);
				if (_v96 == 0) goto 0x81f4fda7;
				__imp__CoTaskMemFree();
				return r13d;
			}

0x7ff681f4fc20
0x7ff681f4fc20
0x7ff681f4fc25
0x7ff681f4fc2a
0x7ff681f4fc42
0x7ff681f4fc45
0x7ff681f4fc54
0x7ff681f4fc5b
0x7ff681f4fc66
0x7ff681f4fc6a
0x7ff681f4fc76
0x7ff681f4fc7f
0x7ff681f4fc84
0x7ff681f4fc8f
0x7ff681f4fc91
0x7ff681f4fca0
0x7ff681f4fcb7
0x7ff681f4fcba
0x7ff681f4fcbf
0x7ff681f4fcc4
0x7ff681f4fccf
0x7ff681f4fccf
0x7ff681f4fcd9
0x7ff681f4fcdc
0x7ff681f4fcde
0x7ff681f4fce3
0x7ff681f4fce9
0x7ff681f4fcf2
0x7ff681f4fcf4
0x7ff681f4fcf4
0x7ff681f4fd0f
0x7ff681f4fd13
0x7ff681f4fd16
0x7ff681f4fd18
0x7ff681f4fd1a
0x7ff681f4fd1f
0x7ff681f4fd21
0x7ff681f4fd2d
0x7ff681f4fd3c
0x7ff681f4fd3e
0x7ff681f4fd43
0x7ff681f4fd45
0x7ff681f4fd4b
0x7ff681f4fd58
0x7ff681f4fd60
0x7ff681f4fd68
0x7ff681f4fd74
0x7ff681f4fd7a
0x7ff681f4fd81
0x7ff681f4fd8a
0x7ff681f4fd96
0x7ff681f4fd9b
0x7ff681f4fdbc

APIs

_vscwprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF681F4FC4F

Part of subcall function 00007FF681F54FA4: _o___stdio_common_vswprintf.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00007FF681F54FD3

Part of subcall function 00007FF681F3E224: CoTaskMemAlloc.API-MS-WIN-CORE-COM-L1-1-0(?,?,?,00007FF681F3853C), ref: 00007FF681F3E2A1

_vsnwprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF681F4FD08
CoTaskMemFree.API-MS-WIN-CORE-COM-L1-1-0(00000000,?,?,00000000,00000002,00000000,000F003F,?,00007FF681F4F32A), ref: 00007FF681F4FD68
CoTaskMemFree.API-MS-WIN-CORE-COM-L1-1-0(00000000,?,?,00000000,00000002,00000000,000F003F,?,00007FF681F4F32A), ref: 00007FF681F4FC91

Part of subcall function 00007FF681F3C6A8: GetLastError.KERNEL32 ref: 00007FF681F3C6D2
Part of subcall function 00007FF681F3C6A8: CoTaskMemFree.API-MS-WIN-CORE-COM-L1-1-0 ref: 00007FF681F3C6E3
Part of subcall function 00007FF681F3C6A8: SetLastError.KERNEL32 ref: 00007FF681F3C6F1

CoTaskMemFree.API-MS-WIN-CORE-COM-L1-1-0(00000000,?,?,00000000,00000002,00000000,000F003F,?,00007FF681F4F32A), ref: 00007FF681F4FD9B

Strings

onecore\internal\sdk\inc\wil\opensource\wil\resource.h, xrefs: 00007FF681F4FCA6, 00007FF681F4FD51

Memory Dump Source

Source File: 00000000.00000002.242166859.00007FF681F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF681F30000, based on PE: true

Associated: 00000000.00000002.242162264.00007FF681F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242186922.00007FF681F56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242194386.00007FF681F60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242238373.00007FF681F63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff681f30000_bHLOVVmF1t.jbxd

Similarity

API ID: Task$Free$ErrorLast$Alloc_o___stdio_common_vswprintf_vscwprintf_vsnwprintf
String ID: onecore\internal\sdk\inc\wil\opensource\wil\resource.h
API String ID: 3516882015-3341287125
Opcode ID: 80b6787068d9beb0673e01070b51a0613f898fac05ebeba8744cfbd2093ad900
Instruction ID: 616c3cb881eb6ae4bde7a5617a22b0ab3e2e93700e267bec651a9cb4a150b395
Opcode Fuzzy Hash: 80b6787068d9beb0673e01070b51a0613f898fac05ebeba8744cfbd2093ad900
Instruction Fuzzy Hash: 4F41D426B08A42D5EB20DB55D9101FD66F5BF89BA8F548139DE6D9B788DF3CE442C300

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF681F36ED0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 118
memoryCOMMON

Download Yara Rule

C-Code - Quality: 23%

			E00007FF67FF681F36ED0(signed int __edx, long long __rbx, intOrPtr* __rcx, void* __rdx, long long __rdi, long long __rsi, void* __rbp, void* __r8, long long _a8, long long _a16, long long _a24) {
				void* _v8;
				char _v72;
				char _v136;
				char _v200;
				signed int _t30;
				signed int _t51;
				signed int _t60;
				intOrPtr _t65;
				intOrPtr _t69;
				intOrPtr _t71;
				intOrPtr* _t96;

				_t98 = __rbp;
				_a8 = __rbx;
				_a16 = __rsi;
				_a24 = __rdi;
				_t96 = __rcx;
				if ( *0x81f61330 != 0) goto 0x81f36ff0;
				_t69 =  *0x81f61310; // 0x7ff681f33350
				if (_t69 == 0) goto 0x81f36f0d;
				if (( *0x81f570f0() & 0x000000ff) != 0) goto 0x81f36ff0;
				_t71 =  *((intOrPtr*)(__rcx + 8));
				r8d = 0;
				_t51 = __edx | 0xffffffff;
				_t30 = WaitForSingleObjectEx(??, ??, ??);
				if (_t30 == 0x102) goto 0x81f36f44;
				if (_t30 == 0) goto 0x81f36f4d;
				if (_t30 != 0x80) goto 0x81f3707a;
				_t60 = _t30 & 0xffffff7f;
				if (_t60 == 0) goto 0x81f36f4d;
				 *__rcx =  *__rcx - 1;
				if (_t60 != 0) goto 0x81f36fe1;
				0x81f326e0();
				if (_t71 == 0) goto 0x81f36f8c;
				GetLastError();
				E00007FF67FF681F326B0();
				SetLastError(??);
				E00007FF67FF681F357EC(_t51, _t71, _t69, _t71, __rcx + 0x20, __rdx, __rdi, __rcx, __rbp, __r8);
				if ( *((intOrPtr*)(_t96 + 0x18)) == 0) goto 0x81f36fa5;
				0x81f3267c();
				if ( *((intOrPtr*)(_t96 + 0x10)) == 0) goto 0x81f36fb3;
				0x81f3267c();
				if ( *((intOrPtr*)(_t96 + 8)) == 0) goto 0x81f36fc1;
				0x81f3267c();
				GetProcessHeap();
				HeapFree(??, ??, ??);
				_t65 = _t71;
				if (_t65 == 0) goto 0x81f3705f;
				E00007FF67FF681F326B0();
				goto 0x81f3705f;
				 *_t96 =  *_t96 - 1;
				if (_t65 != 0) goto 0x81f3705f;
				E00007FF67FF681F353C0(_t69,  &_v200, __rdx);
				if ( *((char*)(_t96 + 0x60)) == 0) goto 0x81f37017;
				E00007FF67FF681F345B8(_t51 ^ _t51, _t71,  &_v200, _t96 + 0x28, _t96, __rbp);
				if ( *((char*)(_t96 + 0xa0)) == 0) goto 0x81f3702e;
				E00007FF67FF681F345B8(_t51 ^ _t51, _t71,  &_v136, _t96 + 0x68, _t96, _t98);
				if ( *((char*)(_t96 + 0xe0)) == 0) goto 0x81f3704b;
				E00007FF67FF681F345B8(_t51 ^ _t51, _t71,  &_v72, _t96 + 0xa8, _t96, _t98);
				E00007FF67FF681F35480(_t71,  &_v200);
				return E00007FF67FF681F35974(_t51 ^ _t51, _t69, _t71,  &_v200);
			}

0x7ff681f36ed0
0x7ff681f36ed0
0x7ff681f36ed5
0x7ff681f36eda
0x7ff681f36eef
0x7ff681f36ef2
0x7ff681f36ef8
0x7ff681f36f02
0x7ff681f36f0f
0x7ff681f36f15
0x7ff681f36f19
0x7ff681f36f1f
0x7ff681f36f22
0x7ff681f36f33
0x7ff681f36f37
0x7ff681f36f3e
0x7ff681f36f44
0x7ff681f36f49
0x7ff681f36f52
0x7ff681f36f54
0x7ff681f36f5e
0x7ff681f36f66
0x7ff681f36f68
0x7ff681f36f79
0x7ff681f36f80
0x7ff681f36f92
0x7ff681f36f9e
0x7ff681f36fa0
0x7ff681f36fac
0x7ff681f36fae
0x7ff681f36fba
0x7ff681f36fbc
0x7ff681f36fc1
0x7ff681f36fd5
0x7ff681f36fe1
0x7ff681f36fe4
0x7ff681f36fe9
0x7ff681f36fee
0x7ff681f36ff5
0x7ff681f36ff7
0x7ff681f36ffe
0x7ff681f37007
0x7ff681f37012
0x7ff681f3701e
0x7ff681f37029
0x7ff681f37035
0x7ff681f37046
0x7ff681f37050
0x7ff681f37078

APIs

WaitForSingleObjectEx.KERNEL32 ref: 00007FF681F36F22
GetLastError.KERNEL32 ref: 00007FF681F36F68
SetLastError.KERNEL32 ref: 00007FF681F36F80
GetProcessHeap.KERNEL32 ref: 00007FF681F36FC1
HeapFree.KERNEL32 ref: 00007FF681F36FD5

Strings

onecore\internal\sdk\inc\wil\opensource\wil\resource.h, xrefs: 00007FF681F37082

Memory Dump Source

Source File: 00000000.00000002.242166859.00007FF681F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF681F30000, based on PE: true

Associated: 00000000.00000002.242162264.00007FF681F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242186922.00007FF681F56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242194386.00007FF681F60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242238373.00007FF681F63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff681f30000_bHLOVVmF1t.jbxd

Similarity

API ID: ErrorHeapLast$FreeObjectProcessSingleWait
String ID: onecore\internal\sdk\inc\wil\opensource\wil\resource.h
API String ID: 453756160-3341287125
Opcode ID: c0575599e6d7ccb43ae7829119a4f2efa883fc364398d82e162323840e701aaa
Instruction ID: ddb6d244a6d69bbba35a740a86436b674abdc334cbc915ca50c5b5e0adefcd52
Opcode Fuzzy Hash: c0575599e6d7ccb43ae7829119a4f2efa883fc364398d82e162323840e701aaa
Instruction Fuzzy Hash: DA517F62A08682C6EB60DB65E4503BDB7E0FF84754F848539DA9EC36D2DF2CE546C702

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF681F3885C Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 114threadCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF681F3E224: CoTaskMemAlloc.API-MS-WIN-CORE-COM-L1-1-0(?,?,?,00007FF681F3853C), ref: 00007FF681F3E2A1

memset.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF681F388CA

Part of subcall function 00007FF681F31860: _vsnwprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF681F318A0

SetThreadDpiAwarenessContext.USER32 ref: 00007FF681F38995
SetThreadDpiAwarenessContext.USER32 ref: 00007FF681F389EB
CoTaskMemFree.API-MS-WIN-CORE-COM-L1-1-0 ref: 00007FF681F38A1F

Strings

%s%c*.txt%c%s%c*.*%c, xrefs: 00007FF681F3890C
txt, xrefs: 00007FF681F38970

Memory Dump Source

Source File: 00000000.00000002.242166859.00007FF681F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF681F30000, based on PE: true

Associated: 00000000.00000002.242162264.00007FF681F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242186922.00007FF681F56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242194386.00007FF681F60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242238373.00007FF681F63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff681f30000_bHLOVVmF1t.jbxd

Similarity

API ID: AwarenessContextTaskThread$AllocFree_vsnwprintfmemset
String ID: %s%c*.txt%c%s%c*.*%c$txt
API String ID: 2351153411-81093622
Opcode ID: 8e826b60cd5439a123f2353ed2aba0152018bd5efbc6b2260c9a773936fc3309
Instruction ID: c88484e3892e9d77fcbcf8fd9b53595fa4e68f6740c0e3060090319d2a9f4d22
Opcode Fuzzy Hash: 8e826b60cd5439a123f2353ed2aba0152018bd5efbc6b2260c9a773936fc3309
Instruction Fuzzy Hash: 2A513932A09B86C6EB10CB61E8403AA77E4FF89B94F544239DA4E87754DF3CE446C701

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF681F36420 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 111
memorylibraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 31%

			E00007FF67FF681F36420(signed long long __ecx, signed int __edx, void* __rdx, void* __rbp, void* __r8, void* __r10) {
				signed long long _v40;
				char _v248;
				intOrPtr _v264;
				intOrPtr _v288;
				char _v344;
				signed short _v354;
				short _v356;
				signed int _v360;
				void* __rbx;
				void* __rdi;
				void* __rsi;
				void* _t29;
				signed long long _t38;
				unsigned int _t40;
				void* _t44;
				void* _t47;
				signed long long _t58;
				intOrPtr _t60;
				long long _t61;
				long long _t62;
				void* _t63;
				intOrPtr _t78;
				void* _t80;
				void* _t81;
				void* _t82;
				signed long long _t83;

				_t82 = __rbp;
				_t31 = __ecx;
				_t58 =  *0x81f60470; // 0xbba9a5b3aaf9
				_v40 = _t58 ^ _t83;
				_t30 = __edx;
				_t40 = __edx >> 0x1f;
				asm("btr ebx, 0x1f");
				_t38 = __ecx;
				if (__ecx != 0) goto 0x81f364ac;
				if (r8d != 0) goto 0x81f364ac;
				if (__edx != 0) goto 0x81f364ac;
				_t44 =  *0x81f61330 - _t30; // 0x0
				if (_t44 != 0) goto 0x81f365d4;
				_t60 =  *0x81f61310; // 0x7ff681f33350
				if (_t60 == 0) goto 0x81f36478;
				if (( *0x81f570f0() & 0x000000ff) != 0) goto 0x81f365d4;
				_t47 = E00007FF67FF681F35F40(_t63, 0x81f602b0, _t81);
				if (_t47 == 0) goto 0x81f365d4;
				_t78 =  *0x81f602c8; // 0x1bb5cf632c0
				_t2 = _t78 + 0xc8; // 0x1bb5cf63388
				E00007FF67FF681F356C8(_t63, _t2, _t78, _t81);
				goto 0x81f365d4;
				asm("bt ebx, 0x1e");
				if (_t47 >= 0) goto 0x81f364cc;
				r9d = r8d;
				r8d = __edx & 0x0000ffff;
				E00007FF67FF681F35DDC(__ecx, _t63, 0x81f602b0, _t81, _t82);
				goto 0x81f365d4;
				if (r8d != 0) goto 0x81f365c0;
				if (__edx == 0xfe) goto 0x81f365c0;
				_v360 = _v360 & 0x00000000;
				_v360 = _t38;
				_v356 = __edx;
				if (_t40 == 0) goto 0x81f364fa;
				_v354 = _v354 | 0x00000001;
				_t61 =  *0x81f61298; // 0x0
				if (_t61 != 0) goto 0x81f36555;
				_t62 =  *0x81f61410; // 0x7ffd23360000
				if (_t62 != 0) goto 0x81f3652c;
				GetModuleHandleW(??);
				 *0x81f61410 = _t62;
				GetProcAddress(??, ??);
				 *0x81f61298 = _t62;
				if (_t62 != 0) goto 0x81f36555;
				goto 0x81f36560;
				if ( *0x81f570f0() == 0) goto 0x81f365d4;
				if (E00007FF67FF681F335C8(_t31, 0, _t63,  &_v344, "RtlNotifyFeatureUsage",  &_v248, __r10) != 0) goto 0x81f365d4;
				r9d = _t40;
				r8d = __edx & 0x0000ffff;
				E00007FF67FF681F33AA4(_t38, _t63,  &_v344, "RtlNotifyFeatureUsage", _t80, _t81);
				if (_v264 == 0) goto 0x81f365d4;
				GetProcessHeap();
				HeapFree(??, ??, ??);
				goto 0x81f365d4;
				r9d = r8d;
				r8d = __edx;
				_t29 = E00007FF67FF681F35A24(_t38, _v288, 0x81f602b0, _t80, _t81, _t82,  &_v248);
				E00007FF67FF681F53F70();
				return _t29;
			}

0x7ff681f36420
0x7ff681f36420
0x7ff681f3642b
0x7ff681f36435
0x7ff681f3643d
0x7ff681f36441
0x7ff681f36444
0x7ff681f36448
0x7ff681f3644c
0x7ff681f36451
0x7ff681f36455
0x7ff681f36457
0x7ff681f3645d
0x7ff681f36463
0x7ff681f3646d
0x7ff681f3647a
0x7ff681f3648c
0x7ff681f3648e
0x7ff681f36494
0x7ff681f3649b
0x7ff681f364a2
0x7ff681f364a7
0x7ff681f364ac
0x7ff681f364b0
0x7ff681f364b2
0x7ff681f364bc
0x7ff681f364c2
0x7ff681f364c7
0x7ff681f364cf
0x7ff681f364db
0x7ff681f364e1
0x7ff681f364e7
0x7ff681f364eb
0x7ff681f364f2
0x7ff681f364f4
0x7ff681f364fa
0x7ff681f36504
0x7ff681f36506
0x7ff681f36510
0x7ff681f36519
0x7ff681f36525
0x7ff681f36536
0x7ff681f36542
0x7ff681f3654c
0x7ff681f36553
0x7ff681f36562
0x7ff681f3657a
0x7ff681f3657c
0x7ff681f36584
0x7ff681f3658a
0x7ff681f36597
0x7ff681f3659e
0x7ff681f365b2
0x7ff681f365be
0x7ff681f365c0
0x7ff681f365ca
0x7ff681f365cf
0x7ff681f365df
0x7ff681f365ee

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF681F36519
GetProcAddress.KERNEL32 ref: 00007FF681F36536
GetProcessHeap.KERNEL32 ref: 00007FF681F3659E
HeapFree.KERNEL32 ref: 00007FF681F365B2

Strings

ntdll.dll, xrefs: 00007FF681F36512
RtlNotifyFeatureUsage, xrefs: 00007FF681F3652C

Memory Dump Source

Source File: 00000000.00000002.242166859.00007FF681F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF681F30000, based on PE: true

Associated: 00000000.00000002.242162264.00007FF681F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242186922.00007FF681F56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242194386.00007FF681F60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242238373.00007FF681F63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff681f30000_bHLOVVmF1t.jbxd

Similarity

API ID: Heap$AddressFreeHandleModuleProcProcess
String ID: RtlNotifyFeatureUsage$ntdll.dll
API String ID: 3729415315-2443152447
Opcode ID: fb4140fbb984f72ffa07b0b5de34581acf7a4b9fc87e63bdb910fd881656bf3b
Instruction ID: e7a41e1f48e351da88dbd79321c28bfb3a6591a419f3342a2243d41597808de2
Opcode Fuzzy Hash: fb4140fbb984f72ffa07b0b5de34581acf7a4b9fc87e63bdb910fd881656bf3b
Instruction Fuzzy Hash: 87417A21A0D646C2FBA08B15F4403B9B6E0BF95755F44813DEA0EC36E5DF2CE546C711

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF681F35B74 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 80
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 15%

			E00007FF67FF681F35B74(long long __rbx, char* __rcx, signed long long* __rdx, long long __rsi, long long __rbp, void* __r8, void* __r9, long long _a8, long long _a16, long long _a24) {
				void* _t19;
				long long _t29;
				long long _t30;
				intOrPtr _t46;
				intOrPtr _t47;
				void* _t49;
				signed long long* _t51;
				void* _t54;
				signed long long* _t66;

				_a8 = __rbx;
				_a16 = __rbp;
				_a24 = __rsi;
				 *__rdx =  *__rdx & 0x00000000;
				_t54 = __r9;
				_t66 = __rdx;
				if ( *__rcx == 0) goto 0x81f35c93;
				_t49 = __rcx + 0x20;
				__imp__AcquireSRWLockExclusive();
				_t51 = __rcx + 0x58;
				if ( *_t51 != 0) goto 0x81f35c39;
				 *_t51 =  *_t51 & 0x00000000;
				_t29 =  *0x81f612a8; // 0x0
				if (_t29 != 0) goto 0x81f35c21;
				_t30 =  *0x81f61410; // 0x7ffd23360000
				if (_t30 != 0) goto 0x81f35bf8;
				GetModuleHandleW(??);
				 *0x81f61410 = _t30;
				GetProcAddress(??, ??);
				 *0x81f612a8 = _t30;
				if (_t30 != 0) goto 0x81f35c21;
				goto 0x81f35c3b;
				r8d = 0;
				 *0x81f570f0();
				goto 0x81f35c3b;
				if (0 != 0) goto 0x81f35c7f;
				_t46 =  *0x81f578e8; // 0x418a073aa3bc7c75
				if (E00007FF67FF681F360B8(__rcx, __rcx + 0x48, _t46, __rcx) != 0) goto 0x81f35c7f;
				_t47 =  *0x81f57888; // 0x418a073aa3bc88f5
				if (E00007FF67FF681F360B8(__rcx, __rcx + 0x50, _t47, __rcx) != 0) goto 0x81f35c7f;
				_t19 = E00007FF67FF681F35590(_t30, __rcx, __rcx + 0x68, _t66, __r8, _t54);
				if (_t49 == 0) goto 0x81f35c93;
				__imp__ReleaseSRWLockExclusive();
				return _t19;
			}

0x7ff681f35b74
0x7ff681f35b79
0x7ff681f35b7e
0x7ff681f35b8c
0x7ff681f35b90
0x7ff681f35b99
0x7ff681f35b9f
0x7ff681f35ba5
0x7ff681f35bac
0x7ff681f35bb8
0x7ff681f35bc0
0x7ff681f35bc2
0x7ff681f35bc6
0x7ff681f35bd0
0x7ff681f35bd2
0x7ff681f35bdc
0x7ff681f35be5
0x7ff681f35bf1
0x7ff681f35c02
0x7ff681f35c0e
0x7ff681f35c18
0x7ff681f35c1f
0x7ff681f35c2b
0x7ff681f35c31
0x7ff681f35c37
0x7ff681f35c3d
0x7ff681f35c3f
0x7ff681f35c54
0x7ff681f35c56
0x7ff681f35c6b
0x7ff681f35c7a
0x7ff681f35c82
0x7ff681f35c87
0x7ff681f35cab

APIs

AcquireSRWLockExclusive.KERNEL32 ref: 00007FF681F35BAC
GetModuleHandleW.KERNEL32 ref: 00007FF681F35BE5
GetProcAddress.KERNEL32 ref: 00007FF681F35C02
ReleaseSRWLockExclusive.KERNEL32 ref: 00007FF681F35C87

Strings

ntdll.dll, xrefs: 00007FF681F35BDE
RtlRegisterFeatureConfigurationChangeNotification, xrefs: 00007FF681F35BF8

Memory Dump Source

Source File: 00000000.00000002.242166859.00007FF681F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF681F30000, based on PE: true

Associated: 00000000.00000002.242162264.00007FF681F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242186922.00007FF681F56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242194386.00007FF681F60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242238373.00007FF681F63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff681f30000_bHLOVVmF1t.jbxd

Similarity

API ID: ExclusiveLock$AcquireAddressHandleModuleProcRelease
String ID: RtlRegisterFeatureConfigurationChangeNotification$ntdll.dll
API String ID: 303310891-4023217342
Opcode ID: 71b3410d2a6fd67df6683cfb827208500938a0cd8a63cfe6adaf992d60a60849
Instruction ID: 509478f3ac61fffb52c85017c42d9f1fe1055900ea4bd73d580fb004773f2947
Opcode Fuzzy Hash: 71b3410d2a6fd67df6683cfb827208500938a0cd8a63cfe6adaf992d60a60849
Instruction Fuzzy Hash: E531F861A08A46C5EB409F21A8403B967E1FF99BD9F448639DE0EC7765EF3CE546C301

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF681F360B8 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 79
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 38%

			E00007FF67FF681F360B8(long long __rbx, signed long long* __rcx, long long __rdx, long long __r8, void* _a32) {
				signed long long _v56;
				void* _v64;
				signed int _v68;
				signed int _v72;
				signed int _v96;
				signed int _v104;
				signed long long _v112;
				long long _v120;
				signed long long _t41;
				long long _t44;
				long long _t45;
				struct HINSTANCE__* _t60;
				void* _t62;
				signed long long* _t63;
				void* _t65;
				void* _t68;
				void* _t74;
				WCHAR* _t75;
				long _t77;

				_t74 = _t68;
				 *((long long*)(_t74 + 0x20)) = __rbx;
				_t41 =  *0x81f60470; // 0xbba9a5b3aaf9
				_v56 = _t41 ^ _t68 - 0x00000070;
				 *((long long*)(_t74 - 0x40)) = __rdx;
				_t63 = __rcx;
				if ( *((long long*)(__rcx)) != 0) goto 0x81f361d3;
				_v72 = _v72 & 0x00000000;
				_v68 = _v68 & 0x00000000;
				 *((long long*)(_t74 - 0x70)) = _t74 - 0x44;
				 *(_t74 - 0x78) =  *(_t74 - 0x78) & 0x00000000;
				E00007FF67FF681F33464(__rbx, _t74 - 0x40, _t74 - 0x48);
				r14d = _v72;
				if ( *_t63 == 0) goto 0x81f36147;
				GetLastError();
				E00007FF67FF681F342EC( *_t63);
				SetLastError(_t77);
				 *_t63 =  *_t63 & 0x00000000;
				_t44 =  *0x81f61398; // 0x0
				if (_t44 != 0) goto 0x81f361a6;
				_t45 =  *0x81f61410; // 0x7ffd23360000
				if (_t45 != 0) goto 0x81f3617d;
				GetModuleHandleW(_t75);
				 *0x81f61410 = _t45;
				GetProcAddress(_t60);
				 *0x81f61398 = _t45;
				if (_t45 != 0) goto 0x81f361a6;
				goto 0x81f361d5;
				_v96 = _v96 & 0x00000000;
				_v104 = _v104 & 0x00000000;
				r8d = r14d;
				_v112 = _v112 & 0x00000000;
				_v120 = __r8;
				 *0x81f570f0(_t62, _t65);
				goto 0x81f361d5;
				E00007FF67FF681F53F70();
				return 0;
			}

0x7ff681f360b8
0x7ff681f360bb
0x7ff681f360ca
0x7ff681f360d4
0x7ff681f360d9
0x7ff681f360e4
0x7ff681f360e7
0x7ff681f360ed
0x7ff681f360f6
0x7ff681f360ff
0x7ff681f36107
0x7ff681f3610c
0x7ff681f36114
0x7ff681f36121
0x7ff681f36123
0x7ff681f36134
0x7ff681f3613b
0x7ff681f36147
0x7ff681f3614b
0x7ff681f36155
0x7ff681f36157
0x7ff681f36161
0x7ff681f3616a
0x7ff681f36176
0x7ff681f36187
0x7ff681f36193
0x7ff681f3619d
0x7ff681f361a4
0x7ff681f361a6
0x7ff681f361b2
0x7ff681f361b7
0x7ff681f361ba
0x7ff681f361c6
0x7ff681f361cb
0x7ff681f361d1
0x7ff681f361dd
0x7ff681f361f5

APIs

Part of subcall function 00007FF681F33464: GetModuleHandleW.KERNEL32 ref: 00007FF681F33493
Part of subcall function 00007FF681F33464: GetProcAddress.KERNEL32 ref: 00007FF681F334B0

GetLastError.KERNEL32 ref: 00007FF681F36123

Part of subcall function 00007FF681F342EC: GetModuleHandleW.KERNEL32 ref: 00007FF681F34314
Part of subcall function 00007FF681F342EC: GetProcAddress.KERNEL32 ref: 00007FF681F34331

SetLastError.KERNEL32 ref: 00007FF681F3613B
GetModuleHandleW.KERNEL32 ref: 00007FF681F3616A
GetProcAddress.KERNEL32 ref: 00007FF681F36187

Strings

RtlSubscribeWnfStateChangeNotification, xrefs: 00007FF681F3617D
ntdll.dll, xrefs: 00007FF681F36163

Memory Dump Source

Source File: 00000000.00000002.242166859.00007FF681F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF681F30000, based on PE: true

Associated: 00000000.00000002.242162264.00007FF681F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242186922.00007FF681F56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242194386.00007FF681F60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242238373.00007FF681F63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff681f30000_bHLOVVmF1t.jbxd

Similarity

API ID: AddressHandleModuleProc$ErrorLast
String ID: RtlSubscribeWnfStateChangeNotification$ntdll.dll
API String ID: 798792539-2214456325
Opcode ID: 83e61bc986c80f06e8cf6de679de483e8f6e7cbc90c49e70bfd41fbd6e37685f
Instruction ID: 2df48241716d6e31f9cb3bb406538f76ace9330368b55794aa690a343eae9330
Opcode Fuzzy Hash: 83e61bc986c80f06e8cf6de679de483e8f6e7cbc90c49e70bfd41fbd6e37685f
Instruction Fuzzy Hash: 45313232A18A41C6EB109F11E8043BAB7E0FF88BA5F448139EA4D87751EF3CE546C700

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF681F4D3E0 Relevance: 10.6, APIs: 7, Instructions: 77windowCOMMON

Download Yara Rule

APIs

EnableMenuItem.USER32 ref: 00007FF681F4D424
EnableWindow.USER32 ref: 00007FF681F4D446
DestroyWindow.USER32 ref: 00007FF681F4D459
GetSystemMenu.USER32 ref: 00007FF681F4D478
CharNextW.USER32 ref: 00007FF681F4D4C2
SetDlgItemTextW.USER32 ref: 00007FF681F4D4EC
SetFocus.USER32 ref: 00007FF681F4D4FB

Memory Dump Source

Source File: 00000000.00000002.242166859.00007FF681F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF681F30000, based on PE: true

Associated: 00000000.00000002.242162264.00007FF681F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242186922.00007FF681F56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242194386.00007FF681F60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242238373.00007FF681F63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff681f30000_bHLOVVmF1t.jbxd

Similarity

API ID: EnableItemMenuWindow$CharDestroyFocusNextSystemText
String ID:
API String ID: 1812101388-0
Opcode ID: 9340b66c93f93809e698dab28d07aaeb8bf22925eff08f89042681ed7cc7ef3a
Instruction ID: 31f6d16db448a6f6f9d6495dc1d76b06aebd37d443d55ce5822ac67b5c03793b
Opcode Fuzzy Hash: 9340b66c93f93809e698dab28d07aaeb8bf22925eff08f89042681ed7cc7ef3a
Instruction Fuzzy Hash: EB313A31A08A46C6E7608F16A9441B8BBE0FF99B85F588079CE4E87765CF3DE485C700

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF681F4E2CC Relevance: 9.3, APIs: 6, Instructions: 313
COMMON

Download Yara Rule

C-Code - Quality: 15%

			E00007FF67FF681F4E2CC(void* __esi, long long __rbx, signed short* __rcx, long long __rdi, long long __rsi, signed int __r10, void* __r11) {
				signed int _t106;
				signed int _t107;
				signed int _t108;
				void* _t111;
				void* _t112;
				void* _t114;
				signed int _t115;
				short _t122;
				intOrPtr _t134;
				signed int _t161;
				signed int _t168;
				void* _t172;
				void* _t180;
				signed long long _t181;
				signed long long _t185;
				signed int* _t192;
				void* _t197;
				signed long long _t200;
				signed long long _t204;
				signed long long _t209;
				signed int* _t226;
				signed int* _t227;
				signed int* _t229;
				intOrPtr _t239;
				intOrPtr _t243;
				void* _t246;
				signed short* _t260;
				signed short* _t261;
				signed short* _t262;
				intOrPtr _t268;
				void* _t270;
				void* _t271;
				void* _t273;
				signed long long _t274;
				intOrPtr* _t276;
				signed int _t277;
				signed int _t280;
				void* _t295;
				intOrPtr _t296;
				long long _t298;
				intOrPtr _t299;
				void* _t301;
				intOrPtr _t303;
				signed long long _t305;

				_t180 = _t273;
				 *((long long*)(_t180 + 0x10)) = __rbx;
				 *((long long*)(_t180 + 0x18)) = __rsi;
				 *((long long*)(_t180 + 0x20)) = __rdi;
				_t271 = _t180 - 0x5f;
				_t274 = _t273 - 0xe0;
				_t181 =  *0x81f60470; // 0xbba9a5b3aaf9
				 *(_t271 + 0x2f) = _t181 ^ _t274;
				r9d =  *__rcx & 0x0000ffff;
				r13d = 0;
				r10d = 1;
				 *(_t274 + 0x20) = r10d;
				 *((long long*)(_t271 + 7)) = _t298;
				r14d = 0x100;
				 *(_t271 + 0xf) = r13d;
				if (r9w == 0) goto 0x81f4e768;
				_t276 =  *0x81f605d0; // 0x1bb5cf529ec
				r15d = r10d;
				r14d = 0x26;
				if (r9w == r14w) goto 0x81f4e375;
				_t243 =  *((intOrPtr*)(_t271 + 7 + _t305 * 4));
				_t260 =  &(__rcx[1]);
				 *((intOrPtr*)(_t271 + 7 + _t305 * 4)) = _t243 + 1;
				 *((intOrPtr*)(0x81f61a50 + ((_t305 << 8) + _t243) * 2)) = r9w;
				r9d =  *_t260 & 0x0000ffff;
				if (r9w != 0) goto 0x81f4e345;
				_t268 =  *((intOrPtr*)(_t271 + 7 + _t305 * 4));
				_t122 = r14d;
				r14d = 0x100;
				_t296 = _t268;
				if (_t268 - _t301 >= 0) goto 0x81f4e78a;
				if (__esi < 0) goto 0x81f4e78a;
				r9d =  *_t260 & 0x0000ffff;
				if (r9w != _t122) goto 0x81f4e75e;
				_t261 =  &(_t260[1]);
				_t106 =  *_t261 & 0x0000ffff;
				if (_t106 ==  *_t276) goto 0x81f4e663;
				if (_t106 ==  *((intOrPtr*)(_t276 + 2))) goto 0x81f4e663;
				if (_t106 ==  *((intOrPtr*)(_t276 + 4))) goto 0x81f4e5aa;
				if (_t106 ==  *((intOrPtr*)(_t276 + 6))) goto 0x81f4e5aa;
				if (_t106 ==  *((intOrPtr*)(_t276 + 8))) goto 0x81f4e526;
				if (_t106 ==  *((intOrPtr*)(_t276 + 0xa))) goto 0x81f4e526;
				if (_t106 ==  *((intOrPtr*)(_t276 + 0xc))) goto 0x81f4e484;
				if (_t106 ==  *((intOrPtr*)(_t276 + 0xe))) goto 0x81f4e484;
				if (_t106 != _t122) goto 0x81f4e42b;
				_t134 = __esi + 1;
				if (_t134 - r14d >= 0) goto 0x81f4e756;
				 *((intOrPtr*)(_t271 + 7 + _t305 * 4)) = _t134;
				_t185 = (_t305 << 8) + _t296;
				 *((short*)(0x81f61a50 + _t185 * 2)) = _t122;
				goto 0x81f4e756;
				if (_t106 ==  *((intOrPtr*)(_t276 + 0x10))) goto 0x81f4e47c;
				if (_t106 ==  *((intOrPtr*)(_t276 + 0x12))) goto 0x81f4e47c;
				if (_t106 ==  *((intOrPtr*)(_t276 + 0x14))) goto 0x81f4e469;
				if (_t106 ==  *((intOrPtr*)(_t276 + 0x16))) goto 0x81f4e469;
				if (_t106 ==  *((intOrPtr*)(_t276 + 0x18))) goto 0x81f4e459;
				if (_t106 !=  *((intOrPtr*)(_t276 + 0x1a))) goto 0x81f4e756;
				r10d = r13d;
				 *(_t274 + 0x20) = r13d;
				goto 0x81f4e756;
				r10d = 2;
				 *(_t274 + 0x20) = r10d;
				goto 0x81f4e756;
				r10d = 1;
				goto 0x81f4e46f;
				__imp__wcsnlen(_t301, _t298, _t295, _t270);
				r10d = _t268 + _t185;
				if (r10d - r14d >= 0) goto 0x81f4e51a;
				_t277 = _t106;
				_t246 = _t301 - _t296;
				r11d = 0x7ffffffe;
				_t226 = 0x81f61a50 + ((__r10 << 8) + _t296) * 2;
				_t45 = _t246 - 1; // -1
				if (_t45 - __r11 > 0) goto 0x81f4e50c;
				if (_t277 - __r11 > 0) goto 0x81f4e511;
				if (_t246 + _t277 - _t246 == 0) goto 0x81f4e4fb;
				_t107 =  *(0x81f60890 - _t226 + _t226) & 0x0000ffff;
				_t161 = _t107;
				if (_t161 == 0) goto 0x81f4e4fb;
				 *_t226 = _t107;
				_t227 =  &(_t226[0]);
				if (_t161 != 0) goto 0x81f4e4db;
				_t192 =  !=  ? _t227 : _t227 - 2;
				 *_t192 = r13w;
				goto 0x81f4e515;
				if (_t246 - 1 == 0) goto 0x81f4e515;
				 *_t227 = r13w;
				 *(_t271 + 7 + __r10 * 4) = r10d;
				goto 0x81f4e74c;
				__imp__wcsnlen();
				r10d = _t268 + _t192;
				if (r10d - r14d >= 0) goto 0x81f4e51a;
				_t280 = _t107;
				_t250 = _t301 - _t296;
				r11d = 0x7ffffffe;
				_t229 = 0x81f61a50 + ((__r10 << 8) + _t296) * 2;
				_t55 = _t250 - 1; // -1
				if (_t55 - __r11 > 0) goto 0x81f4e50c;
				if (_t280 - __r11 > 0) goto 0x81f4e511;
				_t197 = _t301 - _t296 + _t280 - _t301 - _t296;
				if (_t197 == 0) goto 0x81f4e4fb;
				_t108 =  *(0x81f60690 + _t229) & 0x0000ffff;
				_t168 = _t108;
				if (_t168 == 0) goto 0x81f4e4fb;
				 *_t229 = _t108;
				if (_t168 != 0) goto 0x81f4e57d;
				goto 0x81f4e4fb;
				_t262 =  &(_t261[1]);
				if ( *_t262 != 0x2b) goto 0x81f4e5dc;
				goto 0x81f4e5c5;
				__imp___o_iswdigit();
				if (( *_t262 & 0x0000ffff) != 0) goto 0x81f4e5b9;
				r9d =  *0x81f61698; // 0x0
				r9d = r9d + _t197 + 0xffed03ec34a0;
				E00007FF67FF681F31860(_t271 + 0x17, _t250 - 1, L"%d", 0x81f60690 - _t229, _t305);
				__imp__wcsnlen();
				if (_t197 + _t268 - r14d >= 0) goto 0x81f4e65a;
				_t200 = ( *(_t274 + 0x20) << 8) + _t296;
				_t111 = E00007FF67FF681F316FC(0x81f61a50, 0x81f61a50 + _t200 * 2, _t301 - _t296, _t271 + 0x17, __r10);
				__imp__wcsnlen();
				 *(_t271 + 7 + __r10 * 4) = _t268 + _t200;
				goto 0x81f4e51a;
				_t172 =  *0x81f60678 - r13d; // 0x1
				 *((long long*)(_t274 + 0x28)) = _t298;
				if (_t172 != 0) goto 0x81f4e6c1;
				 *((long long*)(_t271 - 0x79)) =  *0x81f620e0;
				 *((long long*)(_t271 - 0x69)) = 0x81f56108;
				 *((long long*)(_t271 - 0x61)) = _t271 - 0x79;
				_t204 = _t271 - 0x69;
				 *(_t271 - 1) = _t204;
				_t112 = E00007FF67FF681F40138(_t111, _t268 + _t200, _t298, _t274 + 0x28, _t271 - 0x71);
				r10d =  *(_t274 + 0x20);
				_t299 =  *((intOrPtr*)(_t274 + 0x28));
				goto 0x81f4e6c8;
				_t303 =  *0x81f60658; // 0x1bb5cf52996
				if ( *((intOrPtr*)(_t303 + ((_t204 | 0xffffffff) + 1) * 2)) != 0) goto 0x81f4e6ce;
				if (_t112 + _t134 - 0x100 >= 0) goto 0x81f4e721;
				_t209 = (r10d << 8) + _t296;
				_t114 = E00007FF67FF681F316FC( *((intOrPtr*)(_t274 + 0x28)), 0x81f61a50 + _t209 * 2, _t271 - 0x71 - _t296, _t303, __r10);
				if ( *((intOrPtr*)(_t303 + ((_t209 | 0xffffffff) + 1) * 2)) != 0) goto 0x81f4e709;
				_t115 = _t114 + _t134;
				 *(_t271 + 7 + __r10 * 4) = _t115;
				if (_t299 == 0) goto 0x81f4e73c;
				__imp__CoTaskMemFree();
				r14d = 0x100;
				r13d = 0;
				r10d =  *(_t274 + 0x20);
				r9d =  *( &(_t262[1]) - 2 + 2) & 0x0000ffff;
				if (r9w != 0) goto 0x81f4e33f;
				_t239 = _t299;
				 *(0x81f61a50 + ( *((intOrPtr*)(_t271 + 7)) + _t239) * 2) = r13w;
				if (_t239 + _t303 - 0x200 <= 0) goto 0x81f4e76f;
				E00007FF67FF681F53F70();
				return _t115;
			}

0x7ff681f4e2cc
0x7ff681f4e2cf
0x7ff681f4e2d3
0x7ff681f4e2d7
0x7ff681f4e2e4
0x7ff681f4e2e8
0x7ff681f4e2ef
0x7ff681f4e2f9
0x7ff681f4e2fd
0x7ff681f4e308
0x7ff681f4e30b
0x7ff681f4e311
0x7ff681f4e319
0x7ff681f4e31d
0x7ff681f4e323
0x7ff681f4e32b
0x7ff681f4e331
0x7ff681f4e33c
0x7ff681f4e33f
0x7ff681f4e349
0x7ff681f4e34b
0x7ff681f4e350
0x7ff681f4e361
0x7ff681f4e366
0x7ff681f4e36b
0x7ff681f4e373
0x7ff681f4e375
0x7ff681f4e37a
0x7ff681f4e37d
0x7ff681f4e383
0x7ff681f4e389
0x7ff681f4e391
0x7ff681f4e397
0x7ff681f4e39f
0x7ff681f4e3a5
0x7ff681f4e3a9
0x7ff681f4e3b0
0x7ff681f4e3bb
0x7ff681f4e3c6
0x7ff681f4e3d1
0x7ff681f4e3dc
0x7ff681f4e3e7
0x7ff681f4e3f2
0x7ff681f4e3fd
0x7ff681f4e406
0x7ff681f4e408
0x7ff681f4e40d
0x7ff681f4e416
0x7ff681f4e41f
0x7ff681f4e422
0x7ff681f4e426
0x7ff681f4e430
0x7ff681f4e437
0x7ff681f4e43e
0x7ff681f4e445
0x7ff681f4e44c
0x7ff681f4e453
0x7ff681f4e459
0x7ff681f4e45c
0x7ff681f4e464
0x7ff681f4e469
0x7ff681f4e46f
0x7ff681f4e477
0x7ff681f4e47c
0x7ff681f4e482
0x7ff681f4e48e
0x7ff681f4e49a
0x7ff681f4e4a1
0x7ff681f4e4a3
0x7ff681f4e4a9
0x7ff681f4e4b3
0x7ff681f4e4bc
0x7ff681f4e4c0
0x7ff681f4e4c7
0x7ff681f4e4cc
0x7ff681f4e4e2
0x7ff681f4e4e4
0x7ff681f4e4e9
0x7ff681f4e4ec
0x7ff681f4e4ee
0x7ff681f4e4f1
0x7ff681f4e4f9
0x7ff681f4e502
0x7ff681f4e506
0x7ff681f4e50a
0x7ff681f4e50f
0x7ff681f4e511
0x7ff681f4e515
0x7ff681f4e521
0x7ff681f4e530
0x7ff681f4e53c
0x7ff681f4e543
0x7ff681f4e545
0x7ff681f4e54b
0x7ff681f4e555
0x7ff681f4e55e
0x7ff681f4e562
0x7ff681f4e569
0x7ff681f4e56e
0x7ff681f4e57d
0x7ff681f4e584
0x7ff681f4e58a
0x7ff681f4e58f
0x7ff681f4e592
0x7ff681f4e598
0x7ff681f4e5a3
0x7ff681f4e5a5
0x7ff681f4e5aa
0x7ff681f4e5b5
0x7ff681f4e5b7
0x7ff681f4e5cc
0x7ff681f4e5da
0x7ff681f4e5dc
0x7ff681f4e5ea
0x7ff681f4e5f8
0x7ff681f4e603
0x7ff681f4e61c
0x7ff681f4e62e
0x7ff681f4e638
0x7ff681f4e646
0x7ff681f4e655
0x7ff681f4e65e
0x7ff681f4e663
0x7ff681f4e66d
0x7ff681f4e672
0x7ff681f4e67f
0x7ff681f4e68f
0x7ff681f4e697
0x7ff681f4e69b
0x7ff681f4e69f
0x7ff681f4e6a3
0x7ff681f4e6b7
0x7ff681f4e6bc
0x7ff681f4e6bf
0x7ff681f4e6c1
0x7ff681f4e6d6
0x7ff681f4e6e1
0x7ff681f4e6f4
0x7ff681f4e6fe
0x7ff681f4e711
0x7ff681f4e71a
0x7ff681f4e71c
0x7ff681f4e724
0x7ff681f4e729
0x7ff681f4e743
0x7ff681f4e749
0x7ff681f4e74c
0x7ff681f4e75a
0x7ff681f4e762
0x7ff681f4e768
0x7ff681f4e77c
0x7ff681f4e788
0x7ff681f4e791
0x7ff681f4e7b6

Memory Dump Source

Source File: 00000000.00000002.242166859.00007FF681F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF681F30000, based on PE: true

Associated: 00000000.00000002.242162264.00007FF681F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242186922.00007FF681F56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242194386.00007FF681F60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242238373.00007FF681F63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff681f30000_bHLOVVmF1t.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e21e4896d06db156c74801729892eb0fb5ee92526f0ead029ee3c0284e34a64
Instruction ID: 86e4f0dfc8ad8e31d12470abdcf95afddbb02f1c503dc2071c223b758e446b0d
Opcode Fuzzy Hash: 3e21e4896d06db156c74801729892eb0fb5ee92526f0ead029ee3c0284e34a64
Instruction Fuzzy Hash: 59D1C276A09646C6EB308F24D500AB977E0FF44B98F94813ADA5E93795EF3CE585CB00

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF681F41CA8 Relevance: 9.1, APIs: 6, Instructions: 131
windowCOMMON

Download Yara Rule

C-Code - Quality: 29%

			E00007FF67FF681F41CA8(signed int __ecx, intOrPtr* __rax, intOrPtr __rcx, signed long long __r8, signed int __r9, char _a8, char _a12, char _a16, char _a20, char _a24, char _a28, long long _a32) {
				char _v40;
				char _v48;
				char _v56;
				char _v72;
				intOrPtr _v80;
				long long _v88;
				void* __rbx;
				void* __rbp;
				signed int _t52;
				intOrPtr* _t67;
				intOrPtr* _t68;
				intOrPtr* _t69;
				intOrPtr _t71;
				intOrPtr _t93;
				void* _t94;
				void* _t96;
				signed long long _t99;

				_t99 = __r8;
				_t67 = __rax;
				_t52 = __ecx;
				_t71 = __rcx;
				if ( *0x81f62588 == 0) goto 0x81f41cdc;
				E00007FF67FF681F509EC( *0x81f62588);
				DestroyWindow(??);
				r9d = 0;
				 *0x81f62588 = __rcx;
				r8d = 0;
				SendMessageW(??, ??, ??, ??);
				r8d =  *0x81f61488; // 0x0
				if ((r8b & 0x00000002) != 0) goto 0x81f41d24;
				E00007FF67FF681F3CD48(__rcx, 0x81f61488,  &_v56, _t94, __r9);
				_a32 =  *_t67;
				r8d = _t52;
				r9d = r8d;
				_v72 = 3;
				r9d = r9d >> 9;
				r8d = r8d >> 8;
				_t68 =  &_a8;
				r9d = r9d & 0x00000001;
				_v80 = 1;
				r8d = r8d & 0x00000001;
				_a8 = 0;
				_a12 = 3;
				_v88 = _t68;
				E00007FF67FF681F3DD74(1, 0x71cda0, _t71, 0x81f61490, _t94, _t96, _t99);
				_t11 = _t71 + 2; // 0x3
				r8d = _t11;
				asm("dec ebp");
				r9d = r9d & 0x00000003;
				SendMessageW(??, ??, ??, ??);
				_t12 = _t71 + 3; // 0x4
				r8d = _t12;
				asm("dec ebp");
				SendMessageW(??, ??, ??, ??);
				r8d =  *0x81f61498; // 0x0
				if ((r8b & 0x00000002) != 0) goto 0x81f41de9;
				E00007FF67FF681F3C75C(_t71, 0x81f61498,  &_v48, _t94,  !( !__r9) & _t99);
				_a32 =  *_t68;
				r8d = _t52;
				r9d = r8d;
				_v72 = 3;
				r9d = r9d >> 9;
				_t69 =  &_a16;
				r8d = r8d >> 8;
				r9d = r9d & 0x00000001;
				_v80 = 1;
				r8d = r8d & 0x00000001;
				_a16 = 0;
				_a20 = 3;
				_v88 = _t69;
				E00007FF67FF681F3DD74(1, 0x10f6105, _t71, 0x81f614a0, _t94, _t96, _t99);
				r8d = 0x10;
				r9d = r8d;
				SendMessageW(??, ??, ??, ??);
				r8d =  *0x81f62680;
				if ((r8b & 0x00000002) != 0) goto 0x81f41e6f;
				E00007FF67FF681F4C988(_t71, 0x81f62680,  &_v40, _t94,  !( !__r9) & _t99);
				_a32 =  *_t69;
				r8d = _t52;
				r9d = r8d;
				_v72 = 3;
				r9d = r9d >> 9;
				r8d = r8d >> 8;
				r9d = r9d & 0x00000001;
				_v80 = 1;
				r8d = r8d & 0x00000001;
				_a24 = 0;
				_a28 = 3;
				_v88 =  &_a24;
				E00007FF67FF681F3DD74(1, 0x10dbb9e, _t71, 0x81f62688, _t94, _t96, _t99);
				r8d = 8;
				r9d = r8d;
				SendMessageW(??, ??, ??, ??);
				_t93 =  *0x81f604b0; // 0x1bb5cf529f2
				return E00007FF67FF681F50950(_t71,  *0x81f62588, _t93);
			}

0x7ff681f41ca8
0x7ff681f41ca8
0x7ff681f41ca8
0x7ff681f41cb3
0x7ff681f41cc2
0x7ff681f41cc4
0x7ff681f41cd0
0x7ff681f41cdc
0x7ff681f41cdf
0x7ff681f41ce6
0x7ff681f41cf1
0x7ff681f41cfd
0x7ff681f41d08
0x7ff681f41d15
0x7ff681f41d1d
0x7ff681f41d21
0x7ff681f41d24
0x7ff681f41d27
0x7ff681f41d34
0x7ff681f41d38
0x7ff681f41d3c
0x7ff681f41d40
0x7ff681f41d43
0x7ff681f41d47
0x7ff681f41d4a
0x7ff681f41d52
0x7ff681f41d5d
0x7ff681f41d62
0x7ff681f41d6d
0x7ff681f41d6d
0x7ff681f41d7f
0x7ff681f41d85
0x7ff681f41d89
0x7ff681f41d9b
0x7ff681f41d9b
0x7ff681f41dad
0x7ff681f41db6
0x7ff681f41dc2
0x7ff681f41dcd
0x7ff681f41dda
0x7ff681f41de2
0x7ff681f41de6
0x7ff681f41de9
0x7ff681f41dec
0x7ff681f41df4
0x7ff681f41df8
0x7ff681f41dfc
0x7ff681f41e07
0x7ff681f41e0a
0x7ff681f41e0e
0x7ff681f41e11
0x7ff681f41e19
0x7ff681f41e1d
0x7ff681f41e22
0x7ff681f41e2e
0x7ff681f41e34
0x7ff681f41e3c
0x7ff681f41e48
0x7ff681f41e53
0x7ff681f41e60
0x7ff681f41e68
0x7ff681f41e6c
0x7ff681f41e6f
0x7ff681f41e72
0x7ff681f41e7a
0x7ff681f41e82
0x7ff681f41e8d
0x7ff681f41e90
0x7ff681f41e94
0x7ff681f41e97
0x7ff681f41e9f
0x7ff681f41ea3
0x7ff681f41ea8
0x7ff681f41eb4
0x7ff681f41eba
0x7ff681f41ec2
0x7ff681f41ece
0x7ff681f41ee8

APIs

DestroyWindow.USER32(?,?,?,?,?,?,?,?,FFFFFFEC,00000000,?,00007FF681F4D218), ref: 00007FF681F41CD0

Part of subcall function 00007FF681F3DD74: AcquireSRWLockExclusive.KERNEL32 ref: 00007FF681F3DEFE

SendMessageW.USER32(?,?,?,?,?,?,?,?,FFFFFFEC,00000000,?,00007FF681F4D218), ref: 00007FF681F41CF1
SendMessageW.USER32 ref: 00007FF681F41D89
SendMessageW.USER32 ref: 00007FF681F41DB6
SendMessageW.USER32 ref: 00007FF681F41E3C
SendMessageW.USER32 ref: 00007FF681F41EC2

Part of subcall function 00007FF681F50950: CoCreateInstance.API-MS-WIN-CORE-COM-L1-1-0 ref: 00007FF681F5098E

Memory Dump Source

Source File: 00000000.00000002.242166859.00007FF681F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF681F30000, based on PE: true

Associated: 00000000.00000002.242162264.00007FF681F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242186922.00007FF681F56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242194386.00007FF681F60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242238373.00007FF681F63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff681f30000_bHLOVVmF1t.jbxd

Similarity

API ID: MessageSend$AcquireCreateDestroyExclusiveInstanceLockWindow
String ID:
API String ID: 2645812326-0
Opcode ID: 4dbf96120f8ba9b095a51dd7ee8c699201e7463295c8993755eebca340af00db
Instruction ID: eaad15c9dff4a20496ed9808c1962e23dfddfd4f44e9692f54b98ba44e2c5c03
Opcode Fuzzy Hash: 4dbf96120f8ba9b095a51dd7ee8c699201e7463295c8993755eebca340af00db
Instruction Fuzzy Hash: 96518136B18A56C6E7608F51E891AA87BA0FF99784F405139EA4EC7B54CF3CD545C700

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF681F3BDA4 Relevance: 9.1, APIs: 6, Instructions: 110windowmemoryCOMMON

Download Yara Rule

APIs

wcsnlen.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF681F3BDDF
wcsnlen.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF681F3BE03
LocalAlloc.KERNEL32 ref: 00007FF681F3BE1C
MessageBoxW.USER32 ref: 00007FF681F3BEBD
LocalFree.KERNEL32 ref: 00007FF681F3BECE
MessageBoxW.USER32 ref: 00007FF681F3BEEA

Memory Dump Source

Source File: 00000000.00000002.242166859.00007FF681F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF681F30000, based on PE: true

Associated: 00000000.00000002.242162264.00007FF681F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242186922.00007FF681F56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242194386.00007FF681F60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242238373.00007FF681F63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff681f30000_bHLOVVmF1t.jbxd

Similarity

API ID: LocalMessagewcsnlen$AllocFree
String ID:
API String ID: 4016091692-0
Opcode ID: a0f018e09a933d2e6e00ed2e0e737e4831a2bd32b3eae5a3ee43d94dfb3bf2b1
Instruction ID: 11741fc7193c65d3895a81f654d4c26acd206afcb9e5e87eec6995a5e42f4c33
Opcode Fuzzy Hash: a0f018e09a933d2e6e00ed2e0e737e4831a2bd32b3eae5a3ee43d94dfb3bf2b1
Instruction Fuzzy Hash: D5416C36A08752C6EB104B1AA424279B6E0FF99F91F588439DF4E83754EF3CE892C311

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF681F3E594 Relevance: 9.1, APIs: 6, Instructions: 86COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32 ref: 00007FF681F3E608

Memory Dump Source

Source File: 00000000.00000002.242166859.00007FF681F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF681F30000, based on PE: true

Associated: 00000000.00000002.242162264.00007FF681F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242186922.00007FF681F56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242194386.00007FF681F60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242238373.00007FF681F63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff681f30000_bHLOVVmF1t.jbxd

Similarity

API ID: ByteCharMultiWide
String ID:
API String ID: 626452242-0
Opcode ID: 81972ef720c8a392cea853dedfd736992bb26704e034fb5e437a6a61229bc16e
Instruction ID: 312a1801298ec9e0b8db92494e970a056fca0e4e091353b782bef446b7001d88
Opcode Fuzzy Hash: 81972ef720c8a392cea853dedfd736992bb26704e034fb5e437a6a61229bc16e
Instruction Fuzzy Hash: 09315C72618B82C6D3508F12B8446A9BBE4FB8DB94F599139DE4E83754DF3CE446CB00

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF681F35DDC Relevance: 9.1, APIs: 6, Instructions: 83threadtimeCOMMON

Download Yara Rule

APIs

AcquireSRWLockExclusive.KERNEL32 ref: 00007FF681F35E43
CreateThreadpoolTimer.KERNEL32 ref: 00007FF681F35E9A
GetLastError.KERNEL32 ref: 00007FF681F35EB2
SetLastError.KERNEL32 ref: 00007FF681F35ECA
SetThreadpoolTimer.KERNEL32 ref: 00007FF681F35EF9
ReleaseSRWLockExclusive.KERNEL32 ref: 00007FF681F35F11

Memory Dump Source

Source File: 00000000.00000002.242166859.00007FF681F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF681F30000, based on PE: true

Associated: 00000000.00000002.242162264.00007FF681F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242186922.00007FF681F56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242194386.00007FF681F60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242238373.00007FF681F63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff681f30000_bHLOVVmF1t.jbxd

Similarity

API ID: ErrorExclusiveLastLockThreadpoolTimer$AcquireCreateRelease
String ID:
API String ID: 117860038-0
Opcode ID: eba3041a9812cbf991dd3698e1117cfa6e65d2fc8c9c729c908daf7c02c7f6e5
Instruction ID: 4ef3cf768ccdf3bc0529d833c36204d53cffb592f497b6c12a2acd4c499a6a1f
Opcode Fuzzy Hash: eba3041a9812cbf991dd3698e1117cfa6e65d2fc8c9c729c908daf7c02c7f6e5
Instruction Fuzzy Hash: 4A318226A08791C6E7609F22A500179BBE0FF89B94F488539DE5E83F64DF3CE556CB01

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF681F3DBD8 Relevance: 9.1, APIs: 6, Instructions: 76threadtimeCOMMON

Download Yara Rule

APIs

AcquireSRWLockExclusive.KERNEL32 ref: 00007FF681F3DC2C
CreateThreadpoolTimer.KERNEL32 ref: 00007FF681F3DC75
GetLastError.KERNEL32 ref: 00007FF681F3DC8D
SetLastError.KERNEL32 ref: 00007FF681F3DCA5
SetThreadpoolTimer.KERNEL32 ref: 00007FF681F3DCDA
ReleaseSRWLockExclusive.KERNEL32 ref: 00007FF681F3DCF2

Memory Dump Source

Source File: 00000000.00000002.242166859.00007FF681F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF681F30000, based on PE: true

Associated: 00000000.00000002.242162264.00007FF681F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242186922.00007FF681F56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242194386.00007FF681F60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242238373.00007FF681F63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff681f30000_bHLOVVmF1t.jbxd

Similarity

API ID: ErrorExclusiveLastLockThreadpoolTimer$AcquireCreateRelease
String ID:
API String ID: 117860038-0
Opcode ID: 1b91175bfb963b2f9d03e1e7cc553e660cc7f483eba5ef6f4dedf6abf5950720
Instruction ID: acd69890465dd4a1ea8f68b34bc64a4b508abbbb757bf3fc1870416f5a43a6a5
Opcode Fuzzy Hash: 1b91175bfb963b2f9d03e1e7cc553e660cc7f483eba5ef6f4dedf6abf5950720
Instruction Fuzzy Hash: 19319026A18B91DBEB118B26E4102B9BBE0FF49B90F488538DE5E83B54CF7CD056C700

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF681F356C8 Relevance: 9.1, APIs: 6, Instructions: 76COMMON

Download Yara Rule

APIs

AcquireSRWLockShared.KERNEL32 ref: 00007FF681F356E9
ReleaseSRWLockShared.KERNEL32 ref: 00007FF681F35709
EnterCriticalSection.KERNEL32 ref: 00007FF681F35729
AcquireSRWLockExclusive.KERNEL32 ref: 00007FF681F35738
ReleaseSRWLockExclusive.KERNEL32 ref: 00007FF681F35790
LeaveCriticalSection.KERNEL32 ref: 00007FF681F357B5

Memory Dump Source

Source File: 00000000.00000002.242166859.00007FF681F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF681F30000, based on PE: true

Associated: 00000000.00000002.242162264.00007FF681F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242186922.00007FF681F56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242194386.00007FF681F60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242238373.00007FF681F63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff681f30000_bHLOVVmF1t.jbxd

Similarity

API ID: Lock$AcquireCriticalExclusiveReleaseSectionShared$EnterLeave
String ID:
API String ID: 3221859647-0
Opcode ID: 9359f790cca8c3d8c19b62d3757d2f17ec755722d8ffe7ef5eaa5b3c3613e38c
Instruction ID: 4dd504a6f76a1028c35eccd8dd8539fb9df240b0cc1f260d767998969c63178e
Opcode Fuzzy Hash: 9359f790cca8c3d8c19b62d3757d2f17ec755722d8ffe7ef5eaa5b3c3613e38c
Instruction Fuzzy Hash: 4E314D66A08A85C6EB128F12A5001B9BBA1FF89FA4F499538DE4E47B14DF3CE446C700

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF681F4E7C0 Relevance: 9.1, APIs: 6, Instructions: 57windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32 ref: 00007FF681F4E819
GlobalLock.KERNEL32 ref: 00007FF681F4E82C
GlobalLock.KERNEL32 ref: 00007FF681F4E849
CreateDCW.GDI32 ref: 00007FF681F4E871
GlobalUnlock.KERNEL32(?,?,?,00007FF681F4EA7A), ref: 00007FF681F4E887
GlobalUnlock.KERNEL32(?,?,?,00007FF681F4EA7A), ref: 00007FF681F4E89F

Part of subcall function 00007FF681F3C650: SetThreadDpiAwarenessContext.USER32 ref: 00007FF681F3C664
Part of subcall function 00007FF681F3C650: SetThreadDpiAwarenessContext.USER32 ref: 00007FF681F3C687

Memory Dump Source

Source File: 00000000.00000002.242166859.00007FF681F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF681F30000, based on PE: true

Associated: 00000000.00000002.242162264.00007FF681F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242186922.00007FF681F56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242194386.00007FF681F60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242238373.00007FF681F63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff681f30000_bHLOVVmF1t.jbxd

Similarity

API ID: Global$AwarenessContextLockThreadUnlock$CreateMessage
String ID:
API String ID: 2654941827-0
Opcode ID: e8d169956f1e37bd93306ea1110073dbe71a6615df9bb3574147eeac034661f3
Instruction ID: 944d36c4f2d947875f024ec0d19eda5ecdfd989f234f2c35abfd3b6be1b8d0f2
Opcode Fuzzy Hash: e8d169956f1e37bd93306ea1110073dbe71a6615df9bb3574147eeac034661f3
Instruction Fuzzy Hash: 30210722A19A46C6FB148B91F964574B6E0FFC8B91F499139DA1EC3661EF3CE854C700

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF681F34C1C Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 291COMMON

Download Yara Rule

APIs

memcmp.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,onecore\internal\sdk\inc\wil/Staging.h,00007FF681F3482D), ref: 00007FF681F34C9A

Part of subcall function 00007FF681F3495C: memcmp.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,?,?,?,?,?,onecore\internal\sdk\inc\wil/Staging.h,00000000,?,00000000,?,00007FF681F34E55), ref: 00007FF681F34AD7

_o__errno.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,onecore\internal\sdk\inc\wil/Staging.h,00007FF681F3482D), ref: 00007FF681F34F2C
_o__invalid_parameter_noinfo.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,onecore\internal\sdk\inc\wil/Staging.h,00007FF681F3482D), ref: 00007FF681F34F3E
_o__errno.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,onecore\internal\sdk\inc\wil/Staging.h,00007FF681F3482D), ref: 00007FF681F34F4F

Strings

onecore\internal\sdk\inc\wil/Staging.h, xrefs: 00007FF681F34C2B

Memory Dump Source

Source File: 00000000.00000002.242166859.00007FF681F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF681F30000, based on PE: true

Associated: 00000000.00000002.242162264.00007FF681F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242186922.00007FF681F56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242194386.00007FF681F60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242238373.00007FF681F63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff681f30000_bHLOVVmF1t.jbxd

Similarity

API ID: _o__errnomemcmp$_o__invalid_parameter_noinfo
String ID: onecore\internal\sdk\inc\wil/Staging.h
API String ID: 859076816-4099157372
Opcode ID: cc7745052300ccbce5b5b6eeebf3defa31f29463b0c4331ab61f5fe64b26220a
Instruction ID: 5a84ada313c0bbc4054f774474d2a501b7f259b1b0086b955b64a878115a69b4
Opcode Fuzzy Hash: cc7745052300ccbce5b5b6eeebf3defa31f29463b0c4331ab61f5fe64b26220a
Instruction Fuzzy Hash: 73C15C62E08692C9EB24CFB194042FC67F1BF5579CF14403AEE49A7B99DE389487C351

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF681F335C8 Relevance: 9.0, APIs: 7, Instructions: 207memoryCOMMON

Download Yara Rule

APIs

memset.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF681F33606

Part of subcall function 00007FF681F33464: GetModuleHandleW.KERNEL32 ref: 00007FF681F33493
Part of subcall function 00007FF681F33464: GetProcAddress.KERNEL32 ref: 00007FF681F334B0

GetProcessHeap.KERNEL32 ref: 00007FF681F336A1
HeapFree.KERNEL32 ref: 00007FF681F336B5
GetProcessHeap.KERNEL32 ref: 00007FF681F336C1
HeapAlloc.KERNEL32 ref: 00007FF681F336D5
GetProcessHeap.KERNEL32 ref: 00007FF681F33889
HeapFree.KERNEL32 ref: 00007FF681F3389D

Memory Dump Source

Source File: 00000000.00000002.242166859.00007FF681F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF681F30000, based on PE: true

Associated: 00000000.00000002.242162264.00007FF681F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242186922.00007FF681F56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242194386.00007FF681F60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242238373.00007FF681F63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff681f30000_bHLOVVmF1t.jbxd

Similarity

API ID: Heap$Process$Free$AddressAllocHandleModuleProcmemset
String ID:
API String ID: 2903015918-0
Opcode ID: 9b2464182955e9789c6ecbb532fea99eaa506d7884772a9e3b7f82ddbb18919e
Instruction ID: e66f00a4a8040812c5dda56d6c40472ddb26b53048953b7d10829da6284765f5
Opcode Fuzzy Hash: 9b2464182955e9789c6ecbb532fea99eaa506d7884772a9e3b7f82ddbb18919e
Instruction Fuzzy Hash: 5F914A72A04B61CAEB21CF66E4405A9BBF0FB58B48B488539DF4E83B54DF38E195C710

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF681F40138 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 186COMMON

Download Yara Rule

APIs

CoTaskMemFree.API-MS-WIN-CORE-COM-L1-1-0 ref: 00007FF681F40204

Part of subcall function 00007FF681F3E224: CoTaskMemAlloc.API-MS-WIN-CORE-COM-L1-1-0(?,?,?,00007FF681F3853C), ref: 00007FF681F3E2A1

CoTaskMemFree.API-MS-WIN-CORE-COM-L1-1-0 ref: 00007FF681F40280
CoTaskMemFree.API-MS-WIN-CORE-COM-L1-1-0 ref: 00007FF681F4030E

Part of subcall function 00007FF681F3C6A8: GetLastError.KERNEL32 ref: 00007FF681F3C6D2
Part of subcall function 00007FF681F3C6A8: CoTaskMemFree.API-MS-WIN-CORE-COM-L1-1-0 ref: 00007FF681F3C6E3
Part of subcall function 00007FF681F3C6A8: SetLastError.KERNEL32 ref: 00007FF681F3C6F1

CoTaskMemFree.API-MS-WIN-CORE-COM-L1-1-0 ref: 00007FF681F40368

Strings

onecore\internal\sdk\inc\wil\opensource/wil/win32_helpers.h, xrefs: 00007FF681F40220, 00007FF681F40298, 00007FF681F402F7, 00007FF681F403BA

Memory Dump Source

Source File: 00000000.00000002.242166859.00007FF681F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF681F30000, based on PE: true

Associated: 00000000.00000002.242162264.00007FF681F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242186922.00007FF681F56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242194386.00007FF681F60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242238373.00007FF681F63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff681f30000_bHLOVVmF1t.jbxd

Similarity

API ID: Task$Free$ErrorLast$Alloc
String ID: onecore\internal\sdk\inc\wil\opensource/wil/win32_helpers.h
API String ID: 3148345226-1752416456
Opcode ID: 2824144435b1be11479e7bf1830ef172fc333de402f44df452078e84d19da7a1
Instruction ID: fd306dea9c81b662d1ad3bd170090eb81b5b677633ca22d6ffa810ed913d068c
Opcode Fuzzy Hash: 2824144435b1be11479e7bf1830ef172fc333de402f44df452078e84d19da7a1
Instruction Fuzzy Hash: 6B717D66709A46C2EB64DF11E5902FA67E0FF88B84F84853ADA4E87B64DF3CE541C740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF681F4E190 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 74windowCOMMON

Download Yara Rule

APIs

SendDlgItemMessageW.USER32 ref: 00007FF681F4E1EA
SetDlgItemTextW.USER32 ref: 00007FF681F4E1FE
SendDlgItemMessageW.USER32 ref: 00007FF681F4E22C
GetDlgItemTextW.USER32 ref: 00007FF681F4E297

Strings

https://go.microsoft.com/fwlink/p/?linkid=838060, xrefs: 00007FF681F4E25B

Memory Dump Source

Source File: 00000000.00000002.242166859.00007FF681F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF681F30000, based on PE: true

Associated: 00000000.00000002.242162264.00007FF681F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242186922.00007FF681F56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242194386.00007FF681F60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242238373.00007FF681F63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff681f30000_bHLOVVmF1t.jbxd

Similarity

API ID: Item$MessageSendText
String ID: https://go.microsoft.com/fwlink/p/?linkid=838060
API String ID: 3392263854-3259131482
Opcode ID: 9bef8b76c0a2b56a9b19fbd78e42ff32b0db1aa8ec447d016e078e751a37e2e3
Instruction ID: 82fddcb25eb6924ededc304e623fbad4a8a1372b508a7780763e5d28fbc41eb1
Opcode Fuzzy Hash: 9bef8b76c0a2b56a9b19fbd78e42ff32b0db1aa8ec447d016e078e751a37e2e3
Instruction Fuzzy Hash: F2316131F08A41CBF7708B15B5447ADAAA1FF86B94F548139DA4987B99CF3CD586CB00

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF681F4C860 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 71registrywindowCOMMON

Download Yara Rule

APIs

LoadCursorW.USER32 ref: 00007FF681F4C89F
LoadIconW.USER32 ref: 00007FF681F4C8BD
LoadImageW.USER32 ref: 00007FF681F4C902
RegisterClassExW.USER32 ref: 00007FF681F4C955

Strings

Notepad, xrefs: 00007FF681F4C923

Memory Dump Source

Source File: 00000000.00000002.242166859.00007FF681F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF681F30000, based on PE: true

Associated: 00000000.00000002.242162264.00007FF681F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242186922.00007FF681F56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242194386.00007FF681F60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242238373.00007FF681F63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff681f30000_bHLOVVmF1t.jbxd

Similarity

API ID: Load$ClassCursorIconImageRegister
String ID: Notepad
API String ID: 2097758932-311999004
Opcode ID: 1f4307254acf907356b4fbc513a6c66e23139650bc274ecb65749d59c1ad8848
Instruction ID: a23be938639f785cacd5bd511770d68538581e1ce6762bf73221560a8bf74817
Opcode Fuzzy Hash: 1f4307254acf907356b4fbc513a6c66e23139650bc274ecb65749d59c1ad8848
Instruction Fuzzy Hash: AD312832B04B01DAE7208F21E4443ACB7E5FB88B58F558539DA8D93B58DF39D965C740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF681F4EA3C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 70
windowCOMMON

Download Yara Rule

C-Code - Quality: 39%

			E00007FF67FF681F4EA3C(void* __ecx, void* __edx, void* __rdx, void* __rdi, void* __rsi, void* __rbp, void* __r8, void* __r9) {
				signed long long _v24;
				char _v824;
				signed long long _v840;
				intOrPtr _v848;
				long long _v856;
				void* __rbx;
				long _t15;
				void* _t21;
				signed long long _t39;
				signed long long _t40;
				long long _t42;
				intOrPtr _t50;
				signed long long _t54;
				void* _t58;

				_t58 = __r9;
				_t52 = __rsi;
				_t51 = __rdi;
				_t39 =  *0x81f60470; // 0xbba9a5b3aaf9
				_t40 = _t39 ^ _t54;
				_v24 = _t40;
				SetCursor(??);
				if (__ecx == 0) goto 0x81f4ea83;
				if (__ecx == 2) goto 0x81f4ea7c;
				E00007FF67FF681F4E7C0(_t40, _t42);
				goto 0x81f4ea88;
				E00007FF67FF681F4E8CC(_t42, _t58);
				goto 0x81f4ea88;
				E00007FF67FF681F4D708(_t40, _t42);
				if (_t40 != 0) goto 0x81f4eaa5;
				SetCursor(??);
				goto 0x81f4eb66;
				_t15 = E00007FF67FF681F4D824(_t42, _t40, __rdi, __rsi, _t58);
				r8d = _t15;
				if (_t15 == 0) goto 0x81f4eb66;
				if (_t15 + 3 - 1 <= 0) goto 0x81f4eb66;
				r8d =  ==  ? 0x70 : r8d;
				r8d =  ==  ? 0xe : r8d;
				if (r8d != 0xffffffff) goto 0x81f4eaf3;
				r8d = GetLastError();
				if (r8d == 0) goto 0x81f4eb66;
				_v840 = _v840 & 0x00000000;
				_v848 = 0x190;
				r9d = 0;
				_v856 =  &_v824;
				FormatMessageW(??, ??, ??, ??, ??, ??, ??);
				_t50 =  *0x81f60630; // 0x1bb5cf529a0
				_t57 =  ==  ?  *0x81f60618 :  &_v824;
				_v856 = 0x30;
				_t60 =  !=  ?  *0x81f60658 :  *0x81f620e0;
				_t21 = E00007FF67FF681F3BDA4(_t42,  *0x81f62598, _t50, _t51, _t52, __rbp,  ==  ?  *0x81f60618 :  &_v824,  !=  ?  *0x81f60658 :  *0x81f620e0);
				E00007FF67FF681F53F70();
				return _t21;
			}

0x7ff681f4ea3c
0x7ff681f4ea3c
0x7ff681f4ea3c
0x7ff681f4ea45
0x7ff681f4ea4c
0x7ff681f4ea4f
0x7ff681f4ea60
0x7ff681f4ea6e
0x7ff681f4ea73
0x7ff681f4ea75
0x7ff681f4ea7a
0x7ff681f4ea7c
0x7ff681f4ea81
0x7ff681f4ea83
0x7ff681f4ea8b
0x7ff681f4ea94
0x7ff681f4eaa0
0x7ff681f4eaa8
0x7ff681f4eaad
0x7ff681f4eab2
0x7ff681f4eabe
0x7ff681f4eacd
0x7ff681f4eada
0x7ff681f4eae2
0x7ff681f4eaf0
0x7ff681f4eaf6
0x7ff681f4eaf8
0x7ff681f4eb03
0x7ff681f4eb0b
0x7ff681f4eb10
0x7ff681f4eb1a
0x7ff681f4eb32
0x7ff681f4eb42
0x7ff681f4eb51
0x7ff681f4eb59
0x7ff681f4eb61
0x7ff681f4eb71
0x7ff681f4eb7e

APIs

SetCursor.USER32 ref: 00007FF681F4EA60
SetCursor.USER32 ref: 00007FF681F4EA94
GetLastError.KERNEL32 ref: 00007FF681F4EAE4
FormatMessageW.KERNEL32 ref: 00007FF681F4EB1A

Part of subcall function 00007FF681F4E7C0: MessageBoxW.USER32 ref: 00007FF681F4E819

Strings

0, xrefs: 00007FF681F4EB51

Memory Dump Source

Source File: 00000000.00000002.242166859.00007FF681F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF681F30000, based on PE: true

Associated: 00000000.00000002.242162264.00007FF681F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242186922.00007FF681F56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242194386.00007FF681F60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242238373.00007FF681F63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff681f30000_bHLOVVmF1t.jbxd

Similarity

API ID: CursorMessage$ErrorFormatLast
String ID: 0
API String ID: 405598114-4108050209
Opcode ID: c0e77e6677bd1b6f30c6920a6440a5047415d89b86217d94bef39dd4861a6a8d
Instruction ID: 623ad425bdbead8e6c1634c9be5f873e10d532c6772ea47d09c943f7ee527e3c
Opcode Fuzzy Hash: c0e77e6677bd1b6f30c6920a6440a5047415d89b86217d94bef39dd4861a6a8d
Instruction Fuzzy Hash: 3D318F21A1CA46C6FB709B24E951BB932E0FF89750F54413DDA1EC36A1CF3DE884CA11

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF681F40584 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 53registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.ADVAPI32 ref: 00007FF681F405D0
RegCreateKeyW.ADVAPI32 ref: 00007FF681F405FE
RegSetValueExW.ADVAPI32 ref: 00007FF681F4062F
RegCloseKey.ADVAPI32 ref: 00007FF681F4063F

Strings

Software\Microsoft\Notepad, xrefs: 00007FF681F405F0

Memory Dump Source

Source File: 00000000.00000002.242166859.00007FF681F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF681F30000, based on PE: true

Associated: 00000000.00000002.242162264.00007FF681F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242186922.00007FF681F56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242194386.00007FF681F60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242238373.00007FF681F63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff681f30000_bHLOVVmF1t.jbxd

Similarity

API ID: Value$CloseCreateQuery
String ID: Software\Microsoft\Notepad
API String ID: 409396109-2830939880
Opcode ID: 547b44b8036d2013119422bd966ea6cfbbda646e292da4ec2e9aeb4a916a40f1
Instruction ID: d3b4cc9ac45c0c61469a31fc92f16d4ea71990c61c6eeeaf784b91d12e198006
Opcode Fuzzy Hash: 547b44b8036d2013119422bd966ea6cfbbda646e292da4ec2e9aeb4a916a40f1
Instruction Fuzzy Hash: 94210372A04B42DEEB108F20D8442EC3BE4FB49798F454639EA5E83B58DF38D544CB44

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF681F32AD0 Relevance: 7.7, APIs: 6, Instructions: 205
memoryCOMMON

Download Yara Rule

C-Code - Quality: 52%

			E00007FF67FF681F32AD0(long long __rbx, void* __rcx, long long __rdx, long long __rsi) {
				void* _t109;
				void* _t113;
				long _t114;
				intOrPtr _t117;
				long _t119;
				long _t120;
				long _t121;
				intOrPtr _t125;
				void* _t127;
				intOrPtr _t137;
				signed long long _t139;
				intOrPtr _t142;
				void* _t147;
				void* _t150;
				void* _t151;
				void* _t153;
				void* _t154;
				void* _t155;
				long long _t159;
				void* _t160;
				signed long long _t163;
				signed long long _t164;
				signed long long _t165;
				void* _t167;
				void* _t168;
				intOrPtr _t170;
				intOrPtr* _t173;
				intOrPtr* _t174;
				intOrPtr* _t175;
				void* _t184;
				long* _t185;
				long _t187;
				long _t188;
				long _t190;
				long* _t191;
				void* _t193;
				long* _t194;

				_t109 = _t167;
				 *((long long*)(_t109 + 8)) = __rbx;
				 *(_t109 + 0x18) = _t163;
				 *((long long*)(_t109 + 0x20)) = __rsi;
				 *((long long*)(_t109 + 0x10)) = __rdx;
				_t168 = _t167 - 0x20;
				 *((intOrPtr*)(__rcx + 4)) = r8d;
				_t191 = __rcx + 0x10;
				_t185 = __rcx + 0x20;
				 *((intOrPtr*)(__rcx + 8)) =  *((intOrPtr*)(__rdx + 4));
				_t194 = __rcx + 0x38;
				r13d = 0;
				 *_t191 = _t187;
				_t164 = _t163 | 0xffffffff;
				 *((short*)(__rcx + 0x18)) =  *(__rdx + 0x38) & 0x0000ffff;
				 *((char*)(__rcx + 0x1a)) =  *((intOrPtr*)(__rdx));
				 *_t185 = _t187;
				 *((long long*)(__rcx + 0x28)) =  *((intOrPtr*)(__rdx + 0x80));
				 *((long long*)(__rcx + 0x30)) =  *((intOrPtr*)(__rdx + 0x88));
				 *_t194 = _t187;
				_t125 =  *((intOrPtr*)(__rdx + 0x30));
				if (_t125 != 0) goto 0x81f32b4e;
				goto 0x81f32b5d;
				_t113 = _t164 + 1;
				if ( *((intOrPtr*)(_t125 + _t113)) != r13b) goto 0x81f32b51;
				_t114 = _t113 + 1;
				_t137 =  *((intOrPtr*)(__rdx + 0x78));
				if (_t137 != 0) goto 0x81f32b6b;
				goto 0x81f32b7a;
				_t127 = _t164 + 1;
				if ( *((intOrPtr*)(_t137 + _t127)) != r13b) goto 0x81f32b6e;
				_t170 =  *((intOrPtr*)(__rdx + 0x10));
				if (_t170 != 0) goto 0x81f32b89;
				goto 0x81f32b9e;
				_t139 = _t164 + 1;
				if ( *((intOrPtr*)(_t170 + _t139 * 2)) != r13w) goto 0x81f32b8c;
				_t159 = 2 + _t139 * 2 + _t127 + 1 + _t114;
				if ( *(__rcx + 0x40) == _t187) goto 0x81f32bb5;
				if ( *((intOrPtr*)(__rcx + 0x48)) - _t159 >= 0) goto 0x81f32c3b;
				GetProcessHeap();
				HeapAlloc(_t193, _t190, _t187);
				_t117 =  *0x81f61300; // 0x7ff681f333d0
				_t188 = _t114;
				if (_t117 == 0) goto 0x81f32c02;
				GetProcessHeap();
				 *0x81f570f0();
				if (_t188 == 0) goto 0x81f32c33;
				GetProcessHeap();
				HeapFree(??, ??, ??);
				 *(__rcx + 0x40) = _t188;
				 *((long long*)(__rcx + 0x48)) = _t159;
				r13d = 0;
				_t119 =  *(__rcx + 0x40);
				if (_t119 == 0) goto 0x81f32d60;
				_t142 =  *((intOrPtr*)(__rcx + 0x48));
				_t173 =  *((intOrPtr*)( *((intOrPtr*)(_t168 + 0x58)) + 0x30));
				_t160 = _t142 + _t119;
				if (_t119 == _t160) goto 0x81f32c99;
				if (_t173 == 0) goto 0x81f32c99;
				if ( *_t173 == r13b) goto 0x81f32c99;
				_t150 = _t164 + 1;
				if ( *((intOrPtr*)(_t173 + _t150)) != r13b) goto 0x81f32c66;
				_t151 = _t150 + 1;
				if (_t142 - _t151 < 0) goto 0x81f32c99;
				if (_t151 == 0) goto 0x81f32c8c;
				E00007FF67FF681F31664(_t117, _t119, _t119, _t142, _t160, _t173, _t151, _t184);
				if (_t191 == 0) goto 0x81f32c94;
				 *_t191 = _t119;
				_t120 = _t119 + _t151;
				goto 0x81f32ca1;
				if (_t191 == 0) goto 0x81f32ca1;
				 *_t191 = _t188;
				_t174 =  *((intOrPtr*)( *((intOrPtr*)(_t168 + 0x58)) + 0x78));
				if (_t120 == _t160) goto 0x81f32cf1;
				if (_t174 == 0) goto 0x81f32cf1;
				if ( *_t174 == r13b) goto 0x81f32cf1;
				_t153 = _t164 + 1;
				if ( *((intOrPtr*)(_t174 + _t153)) != r13b) goto 0x81f32cb7;
				_t154 = _t153 + 1;
				if (_t160 - _t120 - _t154 < 0) goto 0x81f32cf1;
				if (_t154 == 0) goto 0x81f32ce3;
				E00007FF67FF681F31664(_t117, _t120, _t120, _t160 - _t120, _t160, _t174, _t154, _t147);
				if (_t185 == 0) goto 0x81f32cec;
				 *_t185 = _t120;
				_t121 = _t120 + _t154;
				goto 0x81f32cfa;
				if (_t185 == 0) goto 0x81f32cfa;
				 *_t185 = _t188;
				_t175 =  *((intOrPtr*)( *((intOrPtr*)(_t168 + 0x58)) + 0x10));
				if (_t121 == _t160) goto 0x81f32d48;
				if (_t175 == 0) goto 0x81f32d48;
				if ( *_t175 == r13w) goto 0x81f32d48;
				_t165 = _t164 + 1;
				if ( *((intOrPtr*)(_t175 + _t165 * 2)) != r13w) goto 0x81f32d0e;
				_t155 = 2 + _t165 * 2;
				if (_t160 - _t121 - _t155 < 0) goto 0x81f32d48;
				if (_t155 == 0) goto 0x81f32d3b;
				E00007FF67FF681F31664(_t117, _t121, _t121, _t160 - _t121, _t160, _t175, _t155);
				if (_t194 == 0) goto 0x81f32d43;
				 *_t194 = _t121;
				goto 0x81f32d50;
				if (_t194 == 0) goto 0x81f32d50;
				 *_t194 = _t188;
				return memset(??, ??, ??);
			}

0x7ff681f32ad0
0x7ff681f32ad3
0x7ff681f32ad7
0x7ff681f32adb
0x7ff681f32adf
0x7ff681f32aec
0x7ff681f32af0
0x7ff681f32af4
0x7ff681f32afb
0x7ff681f32aff
0x7ff681f32b02
0x7ff681f32b06
0x7ff681f32b0c
0x7ff681f32b0f
0x7ff681f32b1a
0x7ff681f32b20
0x7ff681f32b23
0x7ff681f32b2e
0x7ff681f32b39
0x7ff681f32b3d
0x7ff681f32b40
0x7ff681f32b47
0x7ff681f32b4c
0x7ff681f32b51
0x7ff681f32b58
0x7ff681f32b5a
0x7ff681f32b5d
0x7ff681f32b64
0x7ff681f32b69
0x7ff681f32b6e
0x7ff681f32b75
0x7ff681f32b7a
0x7ff681f32b81
0x7ff681f32b87
0x7ff681f32b8c
0x7ff681f32b94
0x7ff681f32ba2
0x7ff681f32ba9
0x7ff681f32baf
0x7ff681f32bb5
0x7ff681f32bcc
0x7ff681f32bd8
0x7ff681f32bdf
0x7ff681f32be5
0x7ff681f32be7
0x7ff681f32bfc
0x7ff681f32c05
0x7ff681f32c0b
0x7ff681f32c1f
0x7ff681f32c2b
0x7ff681f32c2f
0x7ff681f32c38
0x7ff681f32c3b
0x7ff681f32c42
0x7ff681f32c48
0x7ff681f32c4c
0x7ff681f32c50
0x7ff681f32c57
0x7ff681f32c5c
0x7ff681f32c61
0x7ff681f32c66
0x7ff681f32c6d
0x7ff681f32c6f
0x7ff681f32c75
0x7ff681f32c7a
0x7ff681f32c82
0x7ff681f32c8f
0x7ff681f32c91
0x7ff681f32c94
0x7ff681f32c97
0x7ff681f32c9c
0x7ff681f32c9e
0x7ff681f32ca1
0x7ff681f32ca8
0x7ff681f32cad
0x7ff681f32cb2
0x7ff681f32cb7
0x7ff681f32cbe
0x7ff681f32cc3
0x7ff681f32ccc
0x7ff681f32cd1
0x7ff681f32cd9
0x7ff681f32ce6
0x7ff681f32ce8
0x7ff681f32cec
0x7ff681f32cef
0x7ff681f32cf4
0x7ff681f32cf6
0x7ff681f32cfa
0x7ff681f32d01
0x7ff681f32d06
0x7ff681f32d0c
0x7ff681f32d0e
0x7ff681f32d16
0x7ff681f32d1b
0x7ff681f32d29
0x7ff681f32d2e
0x7ff681f32d36
0x7ff681f32d3e
0x7ff681f32d40
0x7ff681f32d46
0x7ff681f32d4b
0x7ff681f32d4d
0x7ff681f32d7c

APIs

GetProcessHeap.KERNEL32 ref: 00007FF681F32BB5
HeapAlloc.KERNEL32 ref: 00007FF681F32BCC
GetProcessHeap.KERNEL32 ref: 00007FF681F32BE7
GetProcessHeap.KERNEL32 ref: 00007FF681F32C0B
HeapFree.KERNEL32 ref: 00007FF681F32C1F
memset.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF681F32D5B

Memory Dump Source

Source File: 00000000.00000002.242166859.00007FF681F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF681F30000, based on PE: true

Associated: 00000000.00000002.242162264.00007FF681F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242186922.00007FF681F56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242194386.00007FF681F60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242238373.00007FF681F63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff681f30000_bHLOVVmF1t.jbxd

Similarity

API ID: Heap$Process$AllocFreememset
String ID:
API String ID: 2653029805-0
Opcode ID: 43c539fbc884c82d2f084bdb0609e0718587f8c2ac0b17e60f0bf6767186aa81
Instruction ID: f28367a1098da9f8ca1b0fd1973560ad8d9e1ce40c2a939e373c12a87693b0d2
Opcode Fuzzy Hash: 43c539fbc884c82d2f084bdb0609e0718587f8c2ac0b17e60f0bf6767186aa81
Instruction Fuzzy Hash: 97817AA6A09B82C6EB558F51AA041B9B7E5FF05FD4F188039DE0D877A0DE39E497C301

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF681F3D630 Relevance: 7.7, APIs: 4, Strings: 1, Instructions: 169
COMMON

Download Yara Rule

C-Code - Quality: 22%

			E00007FF67FF681F3D630(void* __eax, long long __rbx, void* __rcx, void* __rdx) {
				void* __rdi;
				void* __rsi;
				void* __rbp;
				signed long long _t91;
				long long _t105;
				intOrPtr* _t117;
				intOrPtr* _t136;
				void* _t143;
				void* _t144;
				void* _t146;
				void* _t148;
				void* _t151;
				signed long long _t152;
				void* _t163;
				void* _t164;
				long long _t166;

				_t103 = __rbx;
				 *((long long*)(_t151 + 0x18)) = __rbx;
				_t149 = _t151 - 0x160;
				_t152 = _t151 - 0x260;
				_t91 =  *0x81f60470; // 0xbba9a5b3aaf9
				 *(_t151 - 0x160 + 0x150) = _t91 ^ _t152;
				r15d = 0;
				_t144 = __rdx;
				 *((intOrPtr*)(_t152 + 0x50)) = r15w;
				_t164 = __rcx;
				 *((long long*)(_t152 + 0x28)) = _t166;
				r8d = 0x100;
				 *((long long*)(_t152 + 0x20)) = __rbx;
				0x81f3d5e8();
				if (__eax >= 0) goto 0x81f3d6b6;
				_t136 =  *((intOrPtr*)(__rdx + 0x70));
				if (_t136 == 0) goto 0x81f3d6af;
				 *0x81f570f0();
				goto 0x81f3d884;
				if ( *((intOrPtr*)(_t152 + 0x28)) - 0x100 > 0) goto 0x81f3d743;
				E00007FF67FF681F3E004(__rbx, _t152 + 0x30, _t152 + 0x50, __rdx, _t146, _t151 - 0x160,  *((intOrPtr*)(_t152 + 0x28)) - 1, _t166, _t163);
				if (_t152 + 0x20 ==  *((intOrPtr*)( *_t136 + 0x18))) goto 0x81f3d6f2;
				E00007FF67FF681F3E104(_t103, _t152 + 0x20,  *((intOrPtr*)( *_t136 + 0x18)), _t144, _t146, _t151 - 0x160, _t143, _t146);
				if ( *((intOrPtr*)(_t152 + 0x30)) == 0) goto 0x81f3d708;
				LocalFree(_t148);
				if ( *((intOrPtr*)(_t152 + 0x20)) != 0) goto 0x81f3d837;
				r9d = 0x8007000e;
				E00007FF67FF681F325BC();
				_t117 =  *((intOrPtr*)(_t144 + 0x70));
				if (_t117 == 0) goto 0x81f3d7be;
				goto 0x81f3d7b8;
				E00007FF67FF681F3E004( *((intOrPtr*)(_t152 + 0x20)), _t152 + 0x40,  *((intOrPtr*)( *_t136 + 0x18)), _t144, _t146, _t151 - 0x160, "onecore\\internal\\sdk\\inc\\wil\\opensource/wil/win32_helpers.h" - 1);
				if (_t152 + 0x20 ==  *((intOrPtr*)( *_t117 + 0x18))) goto 0x81f3d76e;
				E00007FF67FF681F3E104( *((intOrPtr*)(_t152 + 0x20)), _t152 + 0x20,  *((intOrPtr*)( *_t117 + 0x18)), _t144, _t146, _t149);
				_t105 =  *((intOrPtr*)(_t152 + 0x20));
				if ( *((intOrPtr*)(_t152 + 0x40)) == 0) goto 0x81f3d784;
				LocalFree(??);
				if (_t105 != 0) goto 0x81f3d7c8;
				r9d = 0x8007000e;
				E00007FF67FF681F325BC();
				if ( *((intOrPtr*)(_t144 + 0x70)) == 0) goto 0x81f3d7be;
				 *0x81f570f0();
				goto 0x81f3d884;
				 *((long long*)(_t152 + 0x30)) = _t166;
				0x81f3d5e8();
				if (0x8007000e >= 0) goto 0x81f3d82b;
				r9d = 0x8007000e;
				E00007FF67FF681F325BC();
				LocalFree(??);
				if ( *((intOrPtr*)(_t144 + 0x70)) == 0) goto 0x81f3d6af;
				goto 0x81f3d6a9;
				if ( *((intOrPtr*)(_t152 + 0x28)) !=  *((intOrPtr*)(_t152 + 0x30))) goto 0x81f3d8ab;
				 *((long long*)(_t152 + 0x38)) = _t105;
				if (_t164 == _t152 + 0x38) goto 0x81f3d858;
				E00007FF67FF681F3E104(_t105, _t164, _t152 + 0x38, _t144, _t146, _t149);
				if ( *((intOrPtr*)(_t152 + 0x38)) == 0) goto 0x81f3d86c;
				LocalFree(??);
				if ( *((intOrPtr*)(_t144 + 0x70)) == 0) goto 0x81f3d882;
				 *0x81f570f0();
				E00007FF67FF681F53F70();
				return 0;
			}

0x7ff681f3d630
0x7ff681f3d630
0x7ff681f3d63c
0x7ff681f3d644
0x7ff681f3d64b
0x7ff681f3d655
0x7ff681f3d65c
0x7ff681f3d664
0x7ff681f3d667
0x7ff681f3d66d
0x7ff681f3d670
0x7ff681f3d67d
0x7ff681f3d683
0x7ff681f3d68b
0x7ff681f3d694
0x7ff681f3d696
0x7ff681f3d69d
0x7ff681f3d6a9
0x7ff681f3d6b1
0x7ff681f3d6c2
0x7ff681f3d6d1
0x7ff681f3d6de
0x7ff681f3d6e8
0x7ff681f3d6fa
0x7ff681f3d6fc
0x7ff681f3d70b
0x7ff681f3d71f
0x7ff681f3d728
0x7ff681f3d72d
0x7ff681f3d734
0x7ff681f3d741
0x7ff681f3d74d
0x7ff681f3d75a
0x7ff681f3d764
0x7ff681f3d769
0x7ff681f3d776
0x7ff681f3d778
0x7ff681f3d787
0x7ff681f3d797
0x7ff681f3d7a0
0x7ff681f3d7ac
0x7ff681f3d7b8
0x7ff681f3d7c3
0x7ff681f3d7d5
0x7ff681f3d7dd
0x7ff681f3d7e6
0x7ff681f3d7f6
0x7ff681f3d7fe
0x7ff681f3d806
0x7ff681f3d819
0x7ff681f3d826
0x7ff681f3d835
0x7ff681f3d83c
0x7ff681f3d844
0x7ff681f3d84e
0x7ff681f3d85b
0x7ff681f3d860
0x7ff681f3d873
0x7ff681f3d87c
0x7ff681f3d88e
0x7ff681f3d8a9

APIs

LocalFree.KERNEL32 ref: 00007FF681F3D6FC

Part of subcall function 00007FF681F3E004: LocalAlloc.KERNEL32(00000000,?,00000000,00007FF681F3D752), ref: 00007FF681F3E083

LocalFree.KERNEL32 ref: 00007FF681F3D778
LocalFree.KERNEL32 ref: 00007FF681F3D806

Part of subcall function 00007FF681F3E104: GetLastError.KERNEL32(?,?,?,?,?,?,?,00007FF681F3D752), ref: 00007FF681F3E12E
Part of subcall function 00007FF681F3E104: LocalFree.KERNEL32(?,?,?,?,?,?,?,00007FF681F3D752), ref: 00007FF681F3E13F
Part of subcall function 00007FF681F3E104: SetLastError.KERNEL32(?,?,?,?,?,?,?,00007FF681F3D752), ref: 00007FF681F3E14D

LocalFree.KERNEL32 ref: 00007FF681F3D860

Strings

onecore\internal\sdk\inc\wil\opensource/wil/win32_helpers.h, xrefs: 00007FF681F3D718, 00007FF681F3D790, 00007FF681F3D7EF, 00007FF681F3D8B2

Memory Dump Source

Source File: 00000000.00000002.242166859.00007FF681F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF681F30000, based on PE: true

Associated: 00000000.00000002.242162264.00007FF681F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242186922.00007FF681F56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242194386.00007FF681F60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242238373.00007FF681F63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff681f30000_bHLOVVmF1t.jbxd

Similarity

API ID: Local$Free$ErrorLast$Alloc
String ID: onecore\internal\sdk\inc\wil\opensource/wil/win32_helpers.h
API String ID: 3879364810-1752416456
Opcode ID: b62886d129df5acf179b2e4e5788251491232125b39c0fe565b1b6d23b496b22
Instruction ID: 866ca0c6d12a86af80c704f17f202857b5f6845bec2a088245e729883bf449ec
Opcode Fuzzy Hash: b62886d129df5acf179b2e4e5788251491232125b39c0fe565b1b6d23b496b22
Instruction Fuzzy Hash: F5616C66B09A82C2EB25DB15E4502F967E0FF88B84F848039DA4E87B64DF3CE542C741

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF681F347E8 Relevance: 7.6, APIs: 4, Strings: 1, Instructions: 100
memoryCOMMON

Download Yara Rule

C-Code - Quality: 29%

			E00007FF67FF681F347E8(signed int __edx, long long __rbx, void* __rcx, void* __rdx, long long __rsi, long long __rbp, void* __r8, void* __r9, long long _a40, intOrPtr _a48) {
				void* _v40;
				intOrPtr* _v48;
				void* _v56;
				char _v72;
				intOrPtr _v80;
				long long _v88;
				void* __rdi;
				void* _t37;
				signed int _t38;
				void* _t41;
				void* _t51;
				intOrPtr* _t52;
				void* _t58;
				intOrPtr* _t65;
				intOrPtr _t71;
				void* _t74;
				void* _t81;
				void* _t83;
				void* _t90;
				void* _t96;
				void* _t97;
				long _t99;
				void* _t100;
				void* _t102;
				void* _t104;
				long long _t105;
				void* _t107;
				void* _t108;

				_t38 = __edx;
				_t51 = _t83;
				 *((long long*)(_t51 + 8)) = __rbx;
				 *((long long*)(_t51 + 0x10)) = __rbp;
				 *((long long*)(_t51 + 0x18)) = __rsi;
				r13d = _a48;
				_t108 = __r9;
				_t105 = _a40;
				_t81 = __r8;
				 *((intOrPtr*)(_t51 - 0x50)) = r13d;
				_t100 = __rdx;
				 *((long long*)(_t51 - 0x58)) = _t105;
				_t58 = __rcx;
				if (E00007FF67FF681F34C1C(_t37, _t41, __rcx, __rcx, __rdx, __r8, __r9, _t96, _t97) == 0) goto 0x81f34838;
				goto 0x81f34936;
				if ( *((long long*)(_t58 + 0x18)) != 0) goto 0x81f348ef;
				asm("xorps xmm0, xmm0");
				asm("xorps xmm1, xmm1");
				asm("movdqu [esp+0x30], xmm0");
				asm("movdqu [esp+0x40], xmm1");
				if (E00007FF67FF681F33F64(_t38, _t58,  &_v72, _t105 + 0x20 + _t81 + 0xa, _t74, __rsi, _t81, _t107, _t104) == 0) goto 0x81f348c3;
				_t71 = _v72;
				r8d = 0;
				0x81f346ac();
				_t52 = _v48;
				 *((long long*)(_t58 + 0x30)) = _t52;
				if ( *((intOrPtr*)(_t58 + 0x30)) == 0) goto 0x81f348bd;
				GetProcessHeap();
				HeapFree(_t102, _t99, _t74);
				 *((char*)(_t58 + 0x3a)) = 1;
				goto 0x81f348c8;
				if (_v48 == 0) goto 0x81f3491b;
				GetProcessHeap();
				_t65 = _t52;
				HeapFree(??, ??, ??);
				goto 0x81f3491b;
				if ( *((char*)(_t58 + 0x3a)) == 0) goto 0x81f3491b;
				_t90 =  *((intOrPtr*)(_t65 + 0x10)) -  *_t65;
				if ( *((intOrPtr*)(_t65 + 8)) -  *_t65 + _t71 - _t90 < 0) goto 0x81f3491b;
				_t72 =  <  ? _t90 + _t90 : _t71;
				E00007FF67FF681F33F64(_t38 ^ _t38 ^ _t38 ^ _t38, _t58, _t65,  <  ? _t90 + _t90 : _t71, _v48,  *((intOrPtr*)(_t58 + 0x30)), _t81);
				_v80 = r13d;
				_v88 = _t105;
				return E00007FF67FF681F34C1C(_t37, 0, _t58, _t58, _t100, _t81, _t108, _t96, _t97);
			}

0x7ff681f347e8
0x7ff681f347e8
0x7ff681f347eb
0x7ff681f347ef
0x7ff681f347f3
0x7ff681f34804
0x7ff681f3480c
0x7ff681f3480f
0x7ff681f34817
0x7ff681f3481a
0x7ff681f3481e
0x7ff681f34821
0x7ff681f34825
0x7ff681f3482f
0x7ff681f34833
0x7ff681f34847
0x7ff681f3484d
0x7ff681f34855
0x7ff681f3485c
0x7ff681f34862
0x7ff681f3486f
0x7ff681f34871
0x7ff681f34876
0x7ff681f34884
0x7ff681f3488f
0x7ff681f34894
0x7ff681f3489b
0x7ff681f3489d
0x7ff681f348b1
0x7ff681f348bd
0x7ff681f348c1
0x7ff681f348cb
0x7ff681f348cd
0x7ff681f348de
0x7ff681f348e1
0x7ff681f348ed
0x7ff681f348f3
0x7ff681f34903
0x7ff681f34909
0x7ff681f34912
0x7ff681f34916
0x7ff681f3491b
0x7ff681f34926
0x7ff681f34953

APIs

Part of subcall function 00007FF681F34C1C: _o__errno.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,onecore\internal\sdk\inc\wil/Staging.h,00007FF681F3482D), ref: 00007FF681F34F2C

GetProcessHeap.KERNEL32 ref: 00007FF681F3489D
HeapFree.KERNEL32 ref: 00007FF681F348B1
GetProcessHeap.KERNEL32 ref: 00007FF681F348CD
HeapFree.KERNEL32 ref: 00007FF681F348E1

Strings

onecore\internal\sdk\inc\wil/Staging.h, xrefs: 00007FF681F347CE

Memory Dump Source

Source File: 00000000.00000002.242166859.00007FF681F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF681F30000, based on PE: true

Associated: 00000000.00000002.242162264.00007FF681F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242186922.00007FF681F56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242194386.00007FF681F60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242238373.00007FF681F63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff681f30000_bHLOVVmF1t.jbxd

Similarity

API ID: Heap$FreeProcess$_o__errno
String ID: onecore\internal\sdk\inc\wil/Staging.h
API String ID: 1235431766-4099157372
Opcode ID: 100133b1b09b94243008ed6b078ee6c109c1ff958c3dda5b613a71547f84c39e
Instruction ID: 152a3454e751431ca0a910c8aef8c2b83a81c9bfbae9024241cb77fc3257f276
Opcode Fuzzy Hash: 100133b1b09b94243008ed6b078ee6c109c1ff958c3dda5b613a71547f84c39e
Instruction Fuzzy Hash: 1041BA62A08B81C6EB10DF26A4446A9B7E1FF8AFC4F548139EE4D53755CF38D486C701

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF681F4E8CC Relevance: 7.6, APIs: 5, Instructions: 81memorywindowCOMMON

Download Yara Rule

APIs

LocalAlloc.KERNEL32 ref: 00007FF681F4E934
LocalFree.KERNEL32 ref: 00007FF681F4E988
CreateDCW.GDI32 ref: 00007FF681F4E9C7
LocalFree.KERNEL32 ref: 00007FF681F4E9D9
MessageBoxW.USER32 ref: 00007FF681F4EA14

Memory Dump Source

Source File: 00000000.00000002.242166859.00007FF681F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF681F30000, based on PE: true

Associated: 00000000.00000002.242162264.00007FF681F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242186922.00007FF681F56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242194386.00007FF681F60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242238373.00007FF681F63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff681f30000_bHLOVVmF1t.jbxd

Similarity

API ID: Local$Free$AllocCreateMessage
String ID:
API String ID: 1500861735-0
Opcode ID: af7922431fd5b89488e0a9958a9a9ef89088d5a3db658d13e9ca975239e53fe2
Instruction ID: 3baa30aea7a673f132017101991596793ceb83817d1e1625bf0ba0566c605689
Opcode Fuzzy Hash: af7922431fd5b89488e0a9958a9a9ef89088d5a3db658d13e9ca975239e53fe2
Instruction Fuzzy Hash: FB411836A18A46C6E7208B11F8445B9BBF0FF8AB95F549139DA4E83764EF3CE444CB00

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF681F39DF0 Relevance: 7.6, APIs: 5, Instructions: 73windowCOMMON

Download Yara Rule

APIs

memset.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF681F39E26
LoadStringW.USER32 ref: 00007FF681F39E7D
FormatMessageW.KERNEL32 ref: 00007FF681F39EC4
#345.COMCTL32 ref: 00007FF681F39EED
CoTaskMemFree.API-MS-WIN-CORE-COM-L1-1-0 ref: 00007FF681F39F16

Memory Dump Source

Source File: 00000000.00000002.242166859.00007FF681F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF681F30000, based on PE: true

Associated: 00000000.00000002.242162264.00007FF681F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242186922.00007FF681F56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242194386.00007FF681F60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242238373.00007FF681F63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff681f30000_bHLOVVmF1t.jbxd

Similarity

API ID: #345FormatFreeLoadMessageStringTaskmemset
String ID:
API String ID: 2015745548-0
Opcode ID: c4d2084a5ab906855f1382a1a9e7be7220e8222ac611cda88a2f0402d7c9176f
Instruction ID: d64d542227e6fcae1d428afd12b9313606f535ab4fba06d9df9e0878ffb67399
Opcode Fuzzy Hash: c4d2084a5ab906855f1382a1a9e7be7220e8222ac611cda88a2f0402d7c9176f
Instruction Fuzzy Hash: 80311632608B85CAE7508B65F8507AAB7E4FB89748F548039EB8D87B58DF7DD509CB00

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF681F4CF00 Relevance: 7.6, APIs: 5, Instructions: 60windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32 ref: 00007FF681F4CF31
SendMessageW.USER32 ref: 00007FF681F4CF4F
LocalLock.KERNEL32 ref: 00007FF681F4CF70
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00007FF681F4CFAD
LocalUnlock.KERNEL32 ref: 00007FF681F4CFB9

Memory Dump Source

Source File: 00000000.00000002.242166859.00007FF681F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF681F30000, based on PE: true

Associated: 00000000.00000002.242162264.00007FF681F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242186922.00007FF681F56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242194386.00007FF681F60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242238373.00007FF681F63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff681f30000_bHLOVVmF1t.jbxd

Similarity

API ID: LocalMessageSend$LockUnlockmemcpy
String ID:
API String ID: 4230444973-0
Opcode ID: 8efabb2b63fcb47c80e8b26a60be5f2137709e13b336ec06629a7073aaa13ed9
Instruction ID: 740faba39d7ed3b2a59ae9682063f3553b24981e105cf7ee1e0ed0128f4d69e2
Opcode Fuzzy Hash: 8efabb2b63fcb47c80e8b26a60be5f2137709e13b336ec06629a7073aaa13ed9
Instruction Fuzzy Hash: F5215932A04B46CAEB148F55F4505A9BBA0FFC9B95B559039DB0E43B64DF3CE986CB00

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF681F3E188 Relevance: 7.5, APIs: 5, Instructions: 45COMMON

Download Yara Rule

APIs

_o__errno.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,00007FF681F3E2CE,?,?,?,00007FF681F3853C), ref: 00007FF681F3E1AE
_o__invalid_parameter_noinfo.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,00007FF681F3E2CE,?,?,?,00007FF681F3853C), ref: 00007FF681F3E1C1

Memory Dump Source

Source File: 00000000.00000002.242166859.00007FF681F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF681F30000, based on PE: true

Associated: 00000000.00000002.242162264.00007FF681F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242186922.00007FF681F56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242194386.00007FF681F60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242238373.00007FF681F63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff681f30000_bHLOVVmF1t.jbxd

Similarity

API ID: _o__errno_o__invalid_parameter_noinfo
String ID:
API String ID: 2671245207-0
Opcode ID: f3d093db7cf251173d3ed00e68203e0bc45c311c5e9a420d823c42425fee1594
Instruction ID: 28c61731ccf4eb4135bc8d71dd526f47f7bdae2747e43caf22d5a79d598ca16e
Opcode Fuzzy Hash: f3d093db7cf251173d3ed00e68203e0bc45c311c5e9a420d823c42425fee1594
Instruction Fuzzy Hash: 1B018C20F0D642C6FB502B51A9045B9A5D1BF89B94F048438EE1AC7BCBDE2CE843CA02

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF681F35974 Relevance: 7.5, APIs: 6, Instructions: 41memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(?,?,?,00007FF681F35867), ref: 00007FF681F35995
HeapFree.KERNEL32(?,?,?,00007FF681F35867), ref: 00007FF681F359A9
GetProcessHeap.KERNEL32(?,?,?,00007FF681F35867), ref: 00007FF681F359C3
HeapFree.KERNEL32(?,?,?,00007FF681F35867), ref: 00007FF681F359D7
GetProcessHeap.KERNEL32(?,?,?,00007FF681F35867), ref: 00007FF681F359F1
HeapFree.KERNEL32(?,?,?,00007FF681F35867), ref: 00007FF681F35A05

Memory Dump Source

Source File: 00000000.00000002.242166859.00007FF681F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF681F30000, based on PE: true

Associated: 00000000.00000002.242162264.00007FF681F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242186922.00007FF681F56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242194386.00007FF681F60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242238373.00007FF681F63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff681f30000_bHLOVVmF1t.jbxd

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: 45a333315a80a1b54ccd8a3f4225cdaee213a78823b1eed5680f689113bad27d
Instruction ID: e2bf01c43737c7f29a97d25ecc86e4bd4a2d3c5d70af391238980b5f3f8b74a2
Opcode Fuzzy Hash: 45a333315a80a1b54ccd8a3f4225cdaee213a78823b1eed5680f689113bad27d
Instruction Fuzzy Hash: 0111E536A05B81C7E7449B62A6083B9BAE1FF8EFE5F099138CE1A47764DF38D045C600

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF681F51400 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 175COMMON

Download Yara Rule

Strings

Windows.Security.EnterpriseData.FileProtectionManager, xrefs: 00007FF681F514AD
shell\osshell\accesory\common\edpapphelper\edpapphelper.cpp, xrefs: 00007FF681F5143F, 00007FF681F5147F, 00007FF681F514ED, 00007FF681F51541, 00007FF681F515C9

Memory Dump Source

Source File: 00000000.00000002.242166859.00007FF681F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF681F30000, based on PE: true

Associated: 00000000.00000002.242162264.00007FF681F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242186922.00007FF681F56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242194386.00007FF681F60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242238373.00007FF681F63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff681f30000_bHLOVVmF1t.jbxd

Similarity

API ID: CreateReferenceStringWindows
String ID: Windows.Security.EnterpriseData.FileProtectionManager$shell\osshell\accesory\common\edpapphelper\edpapphelper.cpp
API String ID: 3143385082-4012696473
Opcode ID: 32a65b77b535a7c5bf8171b482c2481355724b6311a96c431762207ef34305e7
Instruction ID: bde47db857122ae3c15e61c1cc75234b12a6d1539354fbf4ca402e9417f4e863
Opcode Fuzzy Hash: 32a65b77b535a7c5bf8171b482c2481355724b6311a96c431762207ef34305e7
Instruction Fuzzy Hash: 9571F966B18A06DAEB009BA5D4502ED23F5FF88B88F44853ADE0ED7B59DF38E515C340

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF681F3D37C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 133COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF681F3E224: CoTaskMemAlloc.API-MS-WIN-CORE-COM-L1-1-0(?,?,?,00007FF681F3853C), ref: 00007FF681F3E2A1

CoTaskMemFree.API-MS-WIN-CORE-COM-L1-1-0 ref: 00007FF681F3D3DE
GetModuleFileNameW.KERNEL32 ref: 00007FF681F3D40B
CoTaskMemFree.API-MS-WIN-CORE-COM-L1-1-0 ref: 00007FF681F3D49C

Strings

onecore\internal\sdk\inc\wil\opensource/wil/win32_helpers.h, xrefs: 00007FF681F3D486, 00007FF681F3D4AF, 00007FF681F3D4DE

Memory Dump Source

Source File: 00000000.00000002.242166859.00007FF681F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF681F30000, based on PE: true

Associated: 00000000.00000002.242162264.00007FF681F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242186922.00007FF681F56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242194386.00007FF681F60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242238373.00007FF681F63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff681f30000_bHLOVVmF1t.jbxd

Similarity

API ID: Task$Free$AllocFileModuleName
String ID: onecore\internal\sdk\inc\wil\opensource/wil/win32_helpers.h
API String ID: 3233965490-1752416456
Opcode ID: 663b1a4ba81e6f6d199bf3fbfe33a283f855b0a96880735a8f13bc1ced272cf4
Instruction ID: 0815346efe99ee3eff781cf3e81e7ed590e2e67b9b2fe0bffff97fc97dc8acee
Opcode Fuzzy Hash: 663b1a4ba81e6f6d199bf3fbfe33a283f855b0a96880735a8f13bc1ced272cf4
Instruction Fuzzy Hash: 93417066B08746D2EB109B12E4101FAA7D1FF88B94F88843ADE4D87795DE3CF946C701

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF681F33DDC Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 113
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 28%

			E00007FF67FF681F33DDC(void* __edx, signed int* __rcx, signed int* _a40, intOrPtr* _a48) {
				signed long long _v64;
				signed int _v72;
				unsigned int _v76;
				void* _v80;
				char _v88;
				signed int* _v104;
				void* __rbx;
				void* _t38;
				unsigned int _t50;
				signed long long _t68;
				intOrPtr* _t70;
				long long _t71;
				long long _t72;
				signed int* _t73;

				_t68 =  *0x81f60470; // 0xbba9a5b3aaf9
				_v64 = _t68 ^  &_v80;
				_t73 = _a40;
				r12d = r9d;
				_t70 = _a48;
				r14d = r8d;
				r15d = __edx;
				if (_t73 == 0) goto 0x81f33e1e;
				 *_t73 =  *_t73 & 0x00000000;
				 *_t70 = 1;
				bpl = r14d == 0;
				_v80 = _t70;
				_v72 = 0;
				_t71 =  *0x81f612a0; // 0x0
				if (_t71 != 0) goto 0x81f33e96;
				_t72 =  *0x81f61410; // 0x7ffd23360000
				if (_t72 != 0) goto 0x81f33e6c;
				GetModuleHandleW(??);
				 *0x81f61410 = _t72;
				GetProcAddress(??, ??);
				 *0x81f612a0 = _t72;
				if (_t72 != 0) goto 0x81f33e96;
				r8d = 0xc0000139;
				goto 0x81f33eae;
				_t83 =  &_v88;
				r8d =  *0x81f570f0();
				if (r8d != 0) goto 0x81f33ef8;
				_t50 = _v76;
				_t9 = _t83 + 1; // 0x1
				__rcx[3] = _v72;
				__rcx[2] = _t50 >> 0x0000000e & 0x00000003;
				 *__rcx = _t50 >> 0x00000004 & 0x00000003;
				__rcx[1] = _t50 >> 0x00000008 & 0x0000003f;
				__rcx[4] = _t50 >> 0x00000007 & 0x00000001;
				__rcx[5] = _t50 >> 0x00000006 & 0x00000001;
				goto 0x81f33f0e;
				if (r8d != 0x117) goto 0x81f33f0e;
				__rcx[4] = _v76 >> 0x00000007 & 0x00000001;
				if (_t73 == 0) goto 0x81f33f21;
				 *_t73 = 0 | r8d != 0x80000022;
				if (_t9 != 0) goto 0x81f33f3d;
				r9d = r14d;
				_v104 = _t73;
				r8d = r15d;
				_t38 = E00007FF67FF681F33C50(r12d, _t9, _t73, __rcx,  &_v88);
				E00007FF67FF681F53F70();
				return _t38;
			}

0x7ff681f33deb
0x7ff681f33df5
0x7ff681f33dfa
0x7ff681f33e02
0x7ff681f33e05
0x7ff681f33e0d
0x7ff681f33e10
0x7ff681f33e19
0x7ff681f33e1b
0x7ff681f33e20
0x7ff681f33e2b
0x7ff681f33e31
0x7ff681f33e36
0x7ff681f33e3a
0x7ff681f33e44
0x7ff681f33e46
0x7ff681f33e50
0x7ff681f33e59
0x7ff681f33e65
0x7ff681f33e76
0x7ff681f33e82
0x7ff681f33e8c
0x7ff681f33e8e
0x7ff681f33e94
0x7ff681f33e9d
0x7ff681f33eab
0x7ff681f33eb1
0x7ff681f33eb3
0x7ff681f33eb7
0x7ff681f33ec1
0x7ff681f33ed2
0x7ff681f33ed5
0x7ff681f33eed
0x7ff681f33ef0
0x7ff681f33ef3
0x7ff681f33ef6
0x7ff681f33eff
0x7ff681f33f0b
0x7ff681f33f11
0x7ff681f33f1f
0x7ff681f33f23
0x7ff681f33f25
0x7ff681f33f28
0x7ff681f33f2d
0x7ff681f33f36
0x7ff681f33f47
0x7ff681f33f5a

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF681F33E59
GetProcAddress.KERNEL32 ref: 00007FF681F33E76

Strings

RtlQueryFeatureConfiguration, xrefs: 00007FF681F33E6C
ntdll.dll, xrefs: 00007FF681F33E52

Memory Dump Source

Source File: 00000000.00000002.242166859.00007FF681F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF681F30000, based on PE: true

Associated: 00000000.00000002.242162264.00007FF681F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242186922.00007FF681F56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242194386.00007FF681F60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242238373.00007FF681F63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff681f30000_bHLOVVmF1t.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: RtlQueryFeatureConfiguration$ntdll.dll
API String ID: 1646373207-4111156962
Opcode ID: a2f8d1607dca46ebc95a5f7d43c4632a360f764fbff8b4bffa839e1bd34822b9
Instruction ID: 55e9d70b94bc07d23f65603b8f01dabbae47195222b36ea15dd151e3a3c252cc
Opcode Fuzzy Hash: a2f8d1607dca46ebc95a5f7d43c4632a360f764fbff8b4bffa839e1bd34822b9
Instruction Fuzzy Hash: B7417072A19A46CAE765CF19E80066976E1FF98790F44813DDA4EC3B54EF3CE482CB00

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF681F51688 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 108COMMON

Download Yara Rule

APIs

PropVariantClear.API-MS-WIN-CORE-COM-L1-1-0 ref: 00007FF681F51759
CoTaskMemFree.API-MS-WIN-CORE-COM-L1-1-0 ref: 00007FF681F517A0
CoTaskMemFree.API-MS-WIN-CORE-COM-L1-1-0 ref: 00007FF681F517B7

Strings

shell\osshell\accesory\common\edpapphelper\edpapphelper.cpp, xrefs: 00007FF681F516CA

Memory Dump Source

Source File: 00000000.00000002.242166859.00007FF681F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF681F30000, based on PE: true

Associated: 00000000.00000002.242162264.00007FF681F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242186922.00007FF681F56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242194386.00007FF681F60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242238373.00007FF681F63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff681f30000_bHLOVVmF1t.jbxd

Similarity

API ID: FreeTask$ClearPropVariant
String ID: shell\osshell\accesory\common\edpapphelper\edpapphelper.cpp
API String ID: 3162903231-1113416246
Opcode ID: 3e31994006d891dfce1461056fa3fd0c13095867e6b8b7831c3e59ca9cd0125e
Instruction ID: 8989ac4226dccea6a76b51eb51b22540c73315eabc9df0392e426be9dbbcbbfd
Opcode Fuzzy Hash: 3e31994006d891dfce1461056fa3fd0c13095867e6b8b7831c3e59ca9cd0125e
Instruction Fuzzy Hash: 38411036608A96C6EB118F69E8505E97BF0FF48F95B558135EE0D83764EF38E845C340

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF681F51EA0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 105COMMON

Download Yara Rule

APIs

WindowsCreateStringReference.API-MS-WIN-CORE-WINRT-STRING-L1-1-0 ref: 00007FF681F51F48
RoGetActivationFactory.API-MS-WIN-CORE-WINRT-L1-1-0 ref: 00007FF681F51F87

Strings

Windows.Security.EnterpriseData.ProtectionPolicyManager, xrefs: 00007FF681F51F41
shell\osshell\accesory\common\edpapphelper\edpapphelper.cpp, xrefs: 00007FF681F51F9E

Memory Dump Source

Source File: 00000000.00000002.242166859.00007FF681F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF681F30000, based on PE: true

Associated: 00000000.00000002.242162264.00007FF681F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242186922.00007FF681F56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242194386.00007FF681F60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242238373.00007FF681F63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff681f30000_bHLOVVmF1t.jbxd

Similarity

API ID: ActivationCreateFactoryReferenceStringWindows
String ID: Windows.Security.EnterpriseData.ProtectionPolicyManager$shell\osshell\accesory\common\edpapphelper\edpapphelper.cpp
API String ID: 1966789792-1088074545
Opcode ID: 2c99d33c682d93b7bd889d018855ae7519be51e3b65fc3a3c7ad7ae89c12f9b6
Instruction ID: c57f75583e635e48a234d0e694a6b3d6103063a05a762b74b3a154b3df4001b3
Opcode Fuzzy Hash: 2c99d33c682d93b7bd889d018855ae7519be51e3b65fc3a3c7ad7ae89c12f9b6
Instruction Fuzzy Hash: 9741E626A09B4AC2EB118B15E4503B9B7E0FF88B88F44813AEA4E87764DF3CE545C740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF681F37F44 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 85
COMMON

Download Yara Rule

C-Code - Quality: 26%

			E00007FF67FF681F37F44(signed int __edx, intOrPtr* __rax, signed short* __rcx, signed int _a8, char _a24, char _a28, char _a32) {
				char _v40;
				char _v48;
				long long _v56;
				void* __rbx;
				void* __rsi;
				int _t20;
				signed int _t32;
				signed int _t33;
				intOrPtr* _t52;
				void* _t54;
				long long _t62;
				void* _t63;
				signed short* _t65;
				void* _t66;

				_t52 = __rax;
				_t33 =  *__rcx & 0x0000ffff;
				_t32 = __edx;
				if (_t33 == 0xbbef) goto 0x81f38079;
				if (_t33 == 0xfeff) goto 0x81f37fac;
				if (_t33 == 0xfffe) goto 0x81f38072;
				_a8 = _a8 | 0xffffffff;
				_t20 = IsTextUnicode(??, ??, ??);
				if (_t20 == 0) goto 0x81f37fb6;
				if (_a8 != 2) goto 0x81f37fa8;
				_t21 =  <  ? 0 : _t20;
				_t46 =  <  ? 0 : _t20;
				if (( <  ? 0 : _t20) == 0) goto 0x81f37fb6;
				goto 0x81f3808a;
				_v48 = 0;
				r9d = __edx;
				_t65 = __rcx;
				_v56 = _t62;
				if (MultiByteToWideChar(??, ??, ??, ??, ??, ??) != 0) goto 0x81f37ffc;
				if (GetLastError() != 0x459) goto 0x81f37ffc;
				goto 0x81f3808a;
				r8d =  *0x81f614b8; // 0x0
				if ((r8b & 0x00000002) != 0) goto 0x81f38025;
				E00007FF67FF681F3D07C(_t54, 0x81f614b8,  &_a32, _t62, _t66);
				_a8 =  *_t52;
				r8d = 0xfde9;
				r9d = r8d;
				_v40 = 3;
				r9d = r9d >> 9;
				_v48 = 1;
				r8d = r8d >> 8;
				r9d = r9d & 0x00000001;
				r8d = r8d & 0x00000001;
				_a24 = 0;
				_a28 = 3;
				_v56 =  &_a24;
				E00007FF67FF681F3DD74(_t32, 0x127655e, _t54, 0x81f614c0, _t62, _t63, _t65);
				goto 0x81f3808a;
				goto 0x81f3808a;
				if (_t32 - 2 <= 0) goto 0x81f3808a;
				_t31 =  ==  ? 4 : 3;
				return  ==  ? 4 : 3;
			}

0x7ff681f37f44
0x7ff681f37f55
0x7ff681f37f58
0x7ff681f37f60
0x7ff681f37f6c
0x7ff681f37f76
0x7ff681f37f7c
0x7ff681f37f89
0x7ff681f37f99
0x7ff681f37fa0
0x7ff681f37fa5
0x7ff681f37fa8
0x7ff681f37faa
0x7ff681f37fb1
0x7ff681f37fb6
0x7ff681f37fba
0x7ff681f37fbd
0x7ff681f37fc0
0x7ff681f37fdd
0x7ff681f37ff0
0x7ff681f37ff7
0x7ff681f37ffc
0x7ff681f38007
0x7ff681f38015
0x7ff681f3801d
0x7ff681f38022
0x7ff681f38025
0x7ff681f38028
0x7ff681f38035
0x7ff681f38039
0x7ff681f38044
0x7ff681f38048
0x7ff681f3804b
0x7ff681f3804e
0x7ff681f38057
0x7ff681f38061
0x7ff681f38066
0x7ff681f38070
0x7ff681f38077
0x7ff681f3807c
0x7ff681f38087
0x7ff681f38091

APIs

IsTextUnicode.ADVAPI32 ref: 00007FF681F37F89
MultiByteToWideChar.KERNEL32 ref: 00007FF681F37FCF
GetLastError.KERNEL32 ref: 00007FF681F37FDF

Strings

d, xrefs: 00007FF681F37FA2

Memory Dump Source

Source File: 00000000.00000002.242166859.00007FF681F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF681F30000, based on PE: true

Associated: 00000000.00000002.242162264.00007FF681F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242186922.00007FF681F56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242194386.00007FF681F60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242238373.00007FF681F63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff681f30000_bHLOVVmF1t.jbxd

Similarity

API ID: ByteCharErrorLastMultiTextUnicodeWide
String ID: d
API String ID: 160532073-2564639436
Opcode ID: dd729ede18ede361e7e734e3df6fb4bc56fdf32236826dc8690e6dbc9d61ebe2
Instruction ID: b37f2608d08ee572c395f68ba6a331d94f3308d3f646b27552aa9e8ce29dfb70
Opcode Fuzzy Hash: dd729ede18ede361e7e734e3df6fb4bc56fdf32236826dc8690e6dbc9d61ebe2
Instruction Fuzzy Hash: 56317E71A0C642C3F7604B25A840679BAE0FF85794F544239EA4EC7AE4DF2CD886CB42

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF681F5203C Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 72COMMON

Download Yara Rule

APIs

WindowsCreateStringReference.API-MS-WIN-CORE-WINRT-STRING-L1-1-0 ref: 00007FF681F52078
RoGetActivationFactory.API-MS-WIN-CORE-WINRT-L1-1-0 ref: 00007FF681F520B7

Strings

Windows.Security.EnterpriseData.ProtectionPolicyManager, xrefs: 00007FF681F52071
shell\osshell\accesory\common\edpapphelper\edpapphelper.cpp, xrefs: 00007FF681F520CE

Memory Dump Source

Source File: 00000000.00000002.242166859.00007FF681F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF681F30000, based on PE: true

Associated: 00000000.00000002.242162264.00007FF681F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242186922.00007FF681F56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242194386.00007FF681F60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242238373.00007FF681F63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff681f30000_bHLOVVmF1t.jbxd

Similarity

API ID: ActivationCreateFactoryReferenceStringWindows
String ID: Windows.Security.EnterpriseData.ProtectionPolicyManager$shell\osshell\accesory\common\edpapphelper\edpapphelper.cpp
API String ID: 1966789792-1088074545
Opcode ID: 9cbad4fa80623ab15648c66547dc5810224f9fcb8713142f36343dbf394c11f4
Instruction ID: e5e68a94fb8868f472300964e571177e2646a73675eee33764acab74707c3de7
Opcode Fuzzy Hash: 9cbad4fa80623ab15648c66547dc5810224f9fcb8713142f36343dbf394c11f4
Instruction Fuzzy Hash: AF212826B18A46C2EB108B15E4543AA73E1FF88B84F91823ADA5D87764DF3DD545C740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF681F51CB0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 69COMMON

Download Yara Rule

APIs

WindowsCreateStringReference.API-MS-WIN-CORE-WINRT-STRING-L1-1-0 ref: 00007FF681F51CEC
RoGetActivationFactory.API-MS-WIN-CORE-WINRT-L1-1-0 ref: 00007FF681F51D2B

Strings

Windows.Security.EnterpriseData.ProtectionPolicyManager, xrefs: 00007FF681F51CE5
shell\osshell\accesory\common\edpapphelper\edpapphelper.cpp, xrefs: 00007FF681F51D42

Memory Dump Source

Source File: 00000000.00000002.242166859.00007FF681F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF681F30000, based on PE: true

Associated: 00000000.00000002.242162264.00007FF681F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242186922.00007FF681F56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242194386.00007FF681F60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242238373.00007FF681F63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff681f30000_bHLOVVmF1t.jbxd

Similarity

API ID: ActivationCreateFactoryReferenceStringWindows
String ID: Windows.Security.EnterpriseData.ProtectionPolicyManager$shell\osshell\accesory\common\edpapphelper\edpapphelper.cpp
API String ID: 1966789792-1088074545
Opcode ID: 9b54d51945ec7612e7febebc37788d7d1dc1dc52e1eb9d4c7131a8ae64f297a7
Instruction ID: 6ef57c59639f47c824d2e53d65da5e6e820a632473000fa6bc48ef5e637d9814
Opcode Fuzzy Hash: 9b54d51945ec7612e7febebc37788d7d1dc1dc52e1eb9d4c7131a8ae64f297a7
Instruction Fuzzy Hash: C1213726B18A4AC2EB10DB25E4543B963E1FF88B84F55823ADA5DC7764DF3CE505CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF681F51324 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 58
COMMON

Download Yara Rule

C-Code - Quality: 16%

			E00007FF67FF681F51324(void* __eax) {
				void* _v0;
				signed long long _v16;
				void* _v24;
				signed long long _v56;
				void* _t20;
				signed long long _t31;
				void* _t45;
				void* _t52;

				_t52 = _t45;
				_t31 =  *0x81f60470; // 0xbba9a5b3aaf9
				_v16 = _t31 ^ _t45 - 0x00000050;
				 *(_t52 - 0x38) =  *(_t52 - 0x38) & 0x00000000;
				 *(_t52 - 0x18) =  *(_t52 - 0x18) & 0x00000000;
				__imp__WindowsCreateStringReference();
				if (__eax < 0) goto 0x81f513f2;
				__imp__RoGetActivationFactory();
				if (__eax >= 0) goto 0x81f513ab;
				r9d = __eax;
				E00007FF67FF681F325BC();
				goto 0x81f513bf;
				_t20 =  *0x81f570f0();
				if (_v56 == 0) goto 0x81f513dc;
				_v56 = _v56 & 0x00000000;
				 *0x81f570f0();
				E00007FF67FF681F53F70();
				return _t20;
			}

0x7ff681f51324
0x7ff681f5132c
0x7ff681f51336
0x7ff681f5133b
0x7ff681f51344
0x7ff681f51359
0x7ff681f51367
0x7ff681f5137e
0x7ff681f5138e
0x7ff681f5139c
0x7ff681f513a4
0x7ff681f513a9
0x7ff681f513b7
0x7ff681f513c7
0x7ff681f513c9
0x7ff681f513d6
0x7ff681f513e6
0x7ff681f513f0

APIs

WindowsCreateStringReference.API-MS-WIN-CORE-WINRT-STRING-L1-1-0 ref: 00007FF681F51359
RoGetActivationFactory.API-MS-WIN-CORE-WINRT-L1-1-0 ref: 00007FF681F5137E

Strings

Windows.Security.EnterpriseData.ProtectionPolicyManager, xrefs: 00007FF681F51352
shell\osshell\accesory\common\edpapphelper\edpapphelper.cpp, xrefs: 00007FF681F51395

Memory Dump Source

Source File: 00000000.00000002.242166859.00007FF681F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF681F30000, based on PE: true

Associated: 00000000.00000002.242162264.00007FF681F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242186922.00007FF681F56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242194386.00007FF681F60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242238373.00007FF681F63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff681f30000_bHLOVVmF1t.jbxd

Similarity

API ID: ActivationCreateFactoryReferenceStringWindows
String ID: Windows.Security.EnterpriseData.ProtectionPolicyManager$shell\osshell\accesory\common\edpapphelper\edpapphelper.cpp
API String ID: 1966789792-1088074545
Opcode ID: 7e3d0aa8d26a667705f50b30e129484814e865311abf4cf636b1cf462d088175
Instruction ID: 9904ce144695f077bb6c75560e581daa855341e3bf24233abdc05f717844a339
Opcode Fuzzy Hash: 7e3d0aa8d26a667705f50b30e129484814e865311abf4cf636b1cf462d088175
Instruction Fuzzy Hash: A0214726B18A46C2EB108B25E4943A927E0FF88B84F40813ADA4EC7764DF3DE405CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF681F4FB7C Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 42registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF681F3E224: CoTaskMemAlloc.API-MS-WIN-CORE-COM-L1-1-0(?,?,?,00007FF681F3853C), ref: 00007FF681F3E2A1

RegisterApplicationRestart.KERNEL32 ref: 00007FF681F4FBC8
CoTaskMemFree.API-MS-WIN-CORE-COM-L1-1-0(?,?,00000001,00007FF681F41B5B), ref: 00007FF681F4FBFF

Strings

RestartByRestartManager:, xrefs: 00007FF681F4FB89
shell\osshell\accesory\notepad\nprestart.cpp, xrefs: 00007FF681F4FBE4

Memory Dump Source

Source File: 00000000.00000002.242166859.00007FF681F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF681F30000, based on PE: true

Associated: 00000000.00000002.242162264.00007FF681F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242186922.00007FF681F56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242194386.00007FF681F60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242238373.00007FF681F63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff681f30000_bHLOVVmF1t.jbxd

Similarity

API ID: Task$AllocApplicationFreeRegisterRestart
String ID: RestartByRestartManager:$shell\osshell\accesory\notepad\nprestart.cpp
API String ID: 1630650924-2284408686
Opcode ID: da351b8f35ab4f826fd6d1895de109382ab1f50980144ae47a069849991bfaa6
Instruction ID: 0fc3aa0da4522b7ef84643a353fa04ee318e5671143ca7ac57063fe32f168072
Opcode Fuzzy Hash: da351b8f35ab4f826fd6d1895de109382ab1f50980144ae47a069849991bfaa6
Instruction Fuzzy Hash: AF019221B08A83C2EB508B16F9505B96691FFC9BD0F589039DD0EC77A5DE3CD946C700

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF681F333D0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 34libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF681F33406
GetProcAddress.KERNEL32 ref: 00007FF681F33423

Strings

ntdll.dll, xrefs: 00007FF681F333FF
RtlDisownModuleHeapAllocation, xrefs: 00007FF681F33419

Memory Dump Source

Source File: 00000000.00000002.242166859.00007FF681F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF681F30000, based on PE: true

Associated: 00000000.00000002.242162264.00007FF681F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242186922.00007FF681F56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242194386.00007FF681F60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242238373.00007FF681F63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff681f30000_bHLOVVmF1t.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: RtlDisownModuleHeapAllocation$ntdll.dll
API String ID: 1646373207-704576883
Opcode ID: 44a3313659df747c91bc26f6efa3b579e2b7650a858d0817919534101e0b4c01
Instruction ID: 5688bf2a910debd89515f2955faf29739d43267c507b6f2cdc1d1901bda18591
Opcode Fuzzy Hash: 44a3313659df747c91bc26f6efa3b579e2b7650a858d0817919534101e0b4c01
Instruction Fuzzy Hash: 9A01A264A09B42C2EB45CB56F84416576E0FF89B95B848139EA5DC3764EF3CE456C700

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF681F332D0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 30libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF681F332FD
GetProcAddress.KERNEL32 ref: 00007FF681F3331A

Strings

RtlNtStatusToDosErrorNoTeb, xrefs: 00007FF681F33310
ntdll.dll, xrefs: 00007FF681F332F6

Memory Dump Source

Source File: 00000000.00000002.242166859.00007FF681F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF681F30000, based on PE: true

Associated: 00000000.00000002.242162264.00007FF681F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242186922.00007FF681F56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242194386.00007FF681F60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242238373.00007FF681F63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff681f30000_bHLOVVmF1t.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: RtlNtStatusToDosErrorNoTeb$ntdll.dll
API String ID: 1646373207-1321910969
Opcode ID: 8341a2afa5b822e032f2ea88079b3cad7884ff232c796a8ed393f9f56ccde82b
Instruction ID: a1abc5461cb9e447f8102fc91131c84c1633fd88836872a76c78e378e2a5752d
Opcode Fuzzy Hash: 8341a2afa5b822e032f2ea88079b3cad7884ff232c796a8ed393f9f56ccde82b
Instruction Fuzzy Hash: 4CF0B261A09B46C2EB458B59F8801B976E0BF89795F85853DDA1DC3360EF3CE895C600

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF681F33350 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 26libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF681F33377
GetProcAddress.KERNEL32 ref: 00007FF681F33394

Strings

RtlDllShutdownInProgress, xrefs: 00007FF681F3338A
ntdll.dll, xrefs: 00007FF681F33370

Memory Dump Source

Source File: 00000000.00000002.242166859.00007FF681F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF681F30000, based on PE: true

Associated: 00000000.00000002.242162264.00007FF681F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242186922.00007FF681F56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242194386.00007FF681F60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242238373.00007FF681F63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff681f30000_bHLOVVmF1t.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: RtlDllShutdownInProgress$ntdll.dll
API String ID: 1646373207-582119455
Opcode ID: 9592d6e0d32bec945156ebd9e59a863fb50ce6f72d8cfd328fcd348032835da4
Instruction ID: 2af2772946c2283d0a1c6676f5f7388095c513fe2bbb22fcc9ba29e6a49b5c44
Opcode Fuzzy Hash: 9592d6e0d32bec945156ebd9e59a863fb50ce6f72d8cfd328fcd348032835da4
Instruction Fuzzy Hash: 61F0B2A4A0AB07C6FB458B94A8411B437E0BF9EB51F84913CC95DC7360EF3CA499D750

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF681F34360 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 25libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF681F34388
GetProcAddress.KERNEL32 ref: 00007FF681F343A5

Strings

ntdll.dll, xrefs: 00007FF681F34381
RtlUnregisterFeatureConfigurationChangeNotification, xrefs: 00007FF681F3439B

Memory Dump Source

Source File: 00000000.00000002.242166859.00007FF681F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF681F30000, based on PE: true

Associated: 00000000.00000002.242162264.00007FF681F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242186922.00007FF681F56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242194386.00007FF681F60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242238373.00007FF681F63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff681f30000_bHLOVVmF1t.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: RtlUnregisterFeatureConfigurationChangeNotification$ntdll.dll
API String ID: 1646373207-1836318313
Opcode ID: 50aa888cfd563240c89559385d26c607fd4300d46421c10fababc8a3d92b401c
Instruction ID: c7835701024401d428b66ca86b777570c44463c7b602fb33c31297c46254af69
Opcode Fuzzy Hash: 50aa888cfd563240c89559385d26c607fd4300d46421c10fababc8a3d92b401c
Instruction Fuzzy Hash: 0AF0AFA4A0EB46C2FB558B55B8401B436E0BF8AB95F889638D91DC7360EF3CA455C240

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF681F31E30 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 25libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF681F31E4F
GetProcAddress.KERNEL32 ref: 00007FF681F31E65

Strings

RaiseFailFastException, xrefs: 00007FF681F31E5E
kernelbase.dll, xrefs: 00007FF681F31E45

Memory Dump Source

Source File: 00000000.00000002.242166859.00007FF681F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF681F30000, based on PE: true

Associated: 00000000.00000002.242162264.00007FF681F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242186922.00007FF681F56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242194386.00007FF681F60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242238373.00007FF681F63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff681f30000_bHLOVVmF1t.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: RaiseFailFastException$kernelbase.dll
API String ID: 1646373207-919018592
Opcode ID: 66f1de9fffce6b197e6a5b641e57d1e5ea8161b7102844d8a503cd04f3c189c7
Instruction ID: f40144b515031494b0f01020deeff6d4a169617713eb02c3f8c1a8f21b62ff02
Opcode Fuzzy Hash: 66f1de9fffce6b197e6a5b641e57d1e5ea8161b7102844d8a503cd04f3c189c7
Instruction Fuzzy Hash: 4FF0DA65A18A91C2EB548B02F4440B9BAA0FF89FD1B88D139EA5E87B14DF3CD541C740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF681F342EC Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 25libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF681F34314
GetProcAddress.KERNEL32 ref: 00007FF681F34331

Strings

ntdll.dll, xrefs: 00007FF681F3430D
RtlUnsubscribeWnfNotificationWaitForCompletion, xrefs: 00007FF681F34327

Memory Dump Source

Source File: 00000000.00000002.242166859.00007FF681F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF681F30000, based on PE: true

Associated: 00000000.00000002.242162264.00007FF681F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242186922.00007FF681F56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242194386.00007FF681F60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242238373.00007FF681F63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff681f30000_bHLOVVmF1t.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: RtlUnsubscribeWnfNotificationWaitForCompletion$ntdll.dll
API String ID: 1646373207-368597124
Opcode ID: 15d83f1509575ba2f10d587d377e931e73b25e24715aec08e8aada507ffe1ecb
Instruction ID: 5a58c2433d6f0747caece365671d94db32da020021dc8efde7bb1fcc5826db18
Opcode Fuzzy Hash: 15d83f1509575ba2f10d587d377e931e73b25e24715aec08e8aada507ffe1ecb
Instruction Fuzzy Hash: D3F0AFA4A0AB07C2FB458B55B8411B436E0BF8AB51F88913DC91DC7360EF3CA495D650

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF681F33F64 Relevance: 6.3, APIs: 5, Instructions: 68
memoryCOMMON

Download Yara Rule

C-Code - Quality: 23%

			E00007FF67FF681F33F64(void* __edx, long long __rbx, long long* __rcx, signed int __rdx, long long __rdi, long long __rsi, long long __rbp, void* _a8, void* _a16, void* _a24, void* _a32) {
				long long _t31;
				void* _t34;
				long long _t36;
				long long _t52;
				void* _t57;
				intOrPtr _t60;
				void* _t62;
				void* _t64;
				void* _t71;

				_t34 = _t64;
				 *((long long*)(_t34 + 8)) = __rbx;
				 *((long long*)(_t34 + 0x10)) = __rbp;
				 *((long long*)(_t34 + 0x18)) = __rsi;
				 *((long long*)(_t34 + 0x20)) = __rdi;
				_t36 =  *((intOrPtr*)(__rcx + 0x10)) -  *((intOrPtr*)(__rcx));
				if (_t36 - __rdx >= 0) goto 0x81f34048;
				_t57 = (__rdx & 0xffffffc0) + 0x40;
				GetProcessHeap();
				HeapAlloc(??, ??, ??);
				_t60 =  *0x81f61300; // 0x7ff681f333d0
				_t52 = _t36;
				if (_t60 == 0) goto 0x81f33fe5;
				GetProcessHeap();
				 *0x81f570f0();
				_t31 = _t52;
				if (_t31 != 0) goto 0x81f33fee;
				goto 0x81f3404a;
				_t62 =  *((intOrPtr*)(__rcx + 8)) -  *((intOrPtr*)(__rcx));
				if (_t31 == 0) goto 0x81f34008;
				E00007FF67FF681F31664(_t60, __rcx, _t52, _t57, _t57,  *((intOrPtr*)(__rcx)), _t62, _t71);
				 *((long long*)(__rcx + 0x18)) = _t52;
				if ( *((intOrPtr*)(__rcx + 0x18)) == 0) goto 0x81f34035;
				GetProcessHeap();
				HeapFree(??, ??, ??);
				 *__rcx = _t52;
				 *((long long*)(__rcx + 8)) = _t52 + _t62;
				 *((long long*)(__rcx + 0x10)) = _t52 + _t57;
				return 1;
			}

0x7ff681f33f64
0x7ff681f33f67
0x7ff681f33f6b
0x7ff681f33f6f
0x7ff681f33f73
0x7ff681f33f84
0x7ff681f33f8d
0x7ff681f33f97
0x7ff681f33f9b
0x7ff681f33faf
0x7ff681f33fbb
0x7ff681f33fc2
0x7ff681f33fc8
0x7ff681f33fca
0x7ff681f33fdf
0x7ff681f33fe5
0x7ff681f33fe8
0x7ff681f33fec
0x7ff681f33ff2
0x7ff681f33ff5
0x7ff681f34003
0x7ff681f3400c
0x7ff681f34013
0x7ff681f34015
0x7ff681f34029
0x7ff681f34039
0x7ff681f3403c
0x7ff681f34044
0x7ff681f34064

APIs

GetProcessHeap.KERNEL32 ref: 00007FF681F33F9B
HeapAlloc.KERNEL32 ref: 00007FF681F33FAF
GetProcessHeap.KERNEL32 ref: 00007FF681F33FCA
GetProcessHeap.KERNEL32 ref: 00007FF681F34015
HeapFree.KERNEL32 ref: 00007FF681F34029

Part of subcall function 00007FF681F31664: _o__errno.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00007FF681F31681
Part of subcall function 00007FF681F31664: _o__invalid_parameter_noinfo.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00007FF681F31694

Memory Dump Source

Source File: 00000000.00000002.242166859.00007FF681F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF681F30000, based on PE: true

Associated: 00000000.00000002.242162264.00007FF681F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242186922.00007FF681F56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242194386.00007FF681F60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242238373.00007FF681F63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff681f30000_bHLOVVmF1t.jbxd

Similarity

API ID: Heap$Process$AllocFree_o__errno_o__invalid_parameter_noinfo
String ID:
API String ID: 2883572028-0
Opcode ID: 3caac2e20cffed1734430e606bc09657c3f14a70e7c6a66b2567d7527cdff4eb
Instruction ID: a4b5f56f59da47d3ae6cc2c7522f5bd211bab69e98e05d377a12342ba8f0118a
Opcode Fuzzy Hash: 3caac2e20cffed1734430e606bc09657c3f14a70e7c6a66b2567d7527cdff4eb
Instruction Fuzzy Hash: 66212876A04F81CADB049F62A5000A8BBE4FF49FD5B088239DE5D43754DF38E456C740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF681F35A24 Relevance: 6.1, APIs: 4, Instructions: 86COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF681F35F40: AcquireSRWLockExclusive.KERNEL32(?,?,?,00007FF681F35A56), ref: 00007FF681F35F9F
Part of subcall function 00007FF681F35F40: ReleaseSRWLockExclusive.KERNEL32(?,?,?,00007FF681F35A56), ref: 00007FF681F35FC3

AcquireSRWLockExclusive.KERNEL32 ref: 00007FF681F35A91
ReleaseSRWLockExclusive.KERNEL32 ref: 00007FF681F35AE5
AcquireSRWLockExclusive.KERNEL32 ref: 00007FF681F35B2A
ReleaseSRWLockExclusive.KERNEL32 ref: 00007FF681F35B46

Memory Dump Source

Source File: 00000000.00000002.242166859.00007FF681F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF681F30000, based on PE: true

Associated: 00000000.00000002.242162264.00007FF681F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242186922.00007FF681F56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242194386.00007FF681F60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242238373.00007FF681F63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff681f30000_bHLOVVmF1t.jbxd

Similarity

API ID: ExclusiveLock$AcquireRelease
String ID:
API String ID: 17069307-0
Opcode ID: dea53c38a4cbf6a14de4607c51b0a0b7a19795a81558a141b76b5f864f021c51
Instruction ID: 2111b06391a630a5867d86d31c403c940de40643fa96e4da8feac6a519b33b78
Opcode Fuzzy Hash: dea53c38a4cbf6a14de4607c51b0a0b7a19795a81558a141b76b5f864f021c51
Instruction Fuzzy Hash: 3A312121A09742C6FB589B12A58027CB7D0FF85B80F585479DA9F87BA2DF2DE447C702

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF681F35FF0 Relevance: 6.0, APIs: 4, Instructions: 46threadtimeCOMMON

Download Yara Rule

APIs

CreateThreadpoolTimer.KERNEL32 ref: 00007FF681F36027
GetLastError.KERNEL32(?,?,?,00007FF681F35B3E), ref: 00007FF681F3603F

Part of subcall function 00007FF681F3781C: SetThreadpoolTimer.KERNEL32(?,?,?,00007FF681F3764C), ref: 00007FF681F3782D
Part of subcall function 00007FF681F3781C: WaitForThreadpoolTimerCallbacks.KERNEL32(?,?,?,00007FF681F3764C), ref: 00007FF681F37841

SetLastError.KERNEL32(?,?,?,00007FF681F35B3E), ref: 00007FF681F36057
SetThreadpoolTimer.KERNEL32(?,?,?,00007FF681F35B3E), ref: 00007FF681F3608C

Memory Dump Source

Source File: 00000000.00000002.242166859.00007FF681F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF681F30000, based on PE: true

Associated: 00000000.00000002.242162264.00007FF681F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242186922.00007FF681F56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242194386.00007FF681F60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242238373.00007FF681F63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff681f30000_bHLOVVmF1t.jbxd

Similarity

API ID: ThreadpoolTimer$ErrorLast$CallbacksCreateWait
String ID:
API String ID: 1675045912-0
Opcode ID: d78f7b610ce1553f885d01ba68feb6ce20bde5d3a3211ccda48ab4ab4ecd49ee
Instruction ID: ed10da3d945122f8925049f26102ee9e899505344b29fdedf42766b398e0346f
Opcode Fuzzy Hash: d78f7b610ce1553f885d01ba68feb6ce20bde5d3a3211ccda48ab4ab4ecd49ee
Instruction Fuzzy Hash: CA115B22A18B91CBE7109B25B400169BBE0FF4AFA4F489238EE5E47F54CF39E516C700

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF681F35628 Relevance: 6.0, APIs: 4, Instructions: 39COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00007FF681F35649
AcquireSRWLockExclusive.KERNEL32 ref: 00007FF681F35658
ReleaseSRWLockExclusive.KERNEL32 ref: 00007FF681F3568F
LeaveCriticalSection.KERNEL32 ref: 00007FF681F356A3

Memory Dump Source

Source File: 00000000.00000002.242166859.00007FF681F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF681F30000, based on PE: true

Associated: 00000000.00000002.242162264.00007FF681F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242186922.00007FF681F56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242194386.00007FF681F60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242238373.00007FF681F63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff681f30000_bHLOVVmF1t.jbxd

Similarity

API ID: CriticalExclusiveLockSection$AcquireEnterLeaveRelease
String ID:
API String ID: 1115728412-0
Opcode ID: c0f786ded37f19bf50ebd62f399ba953e2143bd44b69f6d8f78e6704c9b84ce2
Instruction ID: 39dd0d7ea7a92e5ac0b0a3e852e52d87753b5d1010ee3cd65033b24237b6b5ac
Opcode Fuzzy Hash: c0f786ded37f19bf50ebd62f399ba953e2143bd44b69f6d8f78e6704c9b84ce2
Instruction Fuzzy Hash: 44014C62A18B82C2EB548B12B554078BBA0FF8AF94B59D234DE5F43724DF3CD481C701

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF681F4D340 Relevance: 6.0, APIs: 4, Instructions: 38windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32 ref: 00007FF681F4D35F
IsDialogMessageW.USER32 ref: 00007FF681F4D380
TranslateMessage.USER32 ref: 00007FF681F4D395
DispatchMessageW.USER32 ref: 00007FF681F4D3A6

Memory Dump Source

Source File: 00000000.00000002.242166859.00007FF681F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF681F30000, based on PE: true

Associated: 00000000.00000002.242162264.00007FF681F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242186922.00007FF681F56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242194386.00007FF681F60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242238373.00007FF681F63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff681f30000_bHLOVVmF1t.jbxd

Similarity

API ID: Message$DialogDispatchPeekTranslate
String ID:
API String ID: 1266772231-0
Opcode ID: 81e67ffd0a72a6b6ab54f7aaad7a6f530d6acb8d6c2d2963f99cbc5280699dc7
Instruction ID: c9987d67aa362b23d2dc8c8a5c37cd771b7b35ba8d1f78929192de9ebe3df33a
Opcode Fuzzy Hash: 81e67ffd0a72a6b6ab54f7aaad7a6f530d6acb8d6c2d2963f99cbc5280699dc7
Instruction Fuzzy Hash: A4012932B2DA46C7EB608B20E854AB976E0FF95B05F449078DA4EC3654DF2CE448CA00

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF681F3ACE4 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,?,?,?,00007FF681F3FD87), ref: 00007FF681F3ACF1
OpenProcessToken.ADVAPI32 ref: 00007FF681F3AD08
GetTokenInformation.ADVAPI32 ref: 00007FF681F3AD38
CloseHandle.KERNEL32(?,?,?,?,?,00007FF681F3FD87), ref: 00007FF681F3AD50

Memory Dump Source

Source File: 00000000.00000002.242166859.00007FF681F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF681F30000, based on PE: true

Associated: 00000000.00000002.242162264.00007FF681F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242186922.00007FF681F56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242194386.00007FF681F60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242238373.00007FF681F63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff681f30000_bHLOVVmF1t.jbxd

Similarity

API ID: ProcessToken$CloseCurrentHandleInformationOpen
String ID:
API String ID: 215268677-0
Opcode ID: 4ebd0514a5beb64820ec45735c57caf71171ba91723a91a91caafb87a0120ef9
Instruction ID: 46d4282ea1f9fe7ada6dcb39d466a0ea8856c96733e1b4b19a4cf7a3c56fdd34
Opcode Fuzzy Hash: 4ebd0514a5beb64820ec45735c57caf71171ba91723a91a91caafb87a0120ef9
Instruction Fuzzy Hash: A601FF36608B82C7D7009F61F8440AAFBB0FB89B55B448135DB4E43728DF78D559CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF681F38A60 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 180comCOMMON

Download Yara Rule

APIs

CoCreateInstance.API-MS-WIN-CORE-COM-L1-1-0 ref: 00007FF681F38AA8
PathIsFileSpecW.API-MS-WIN-CORE-SHLWAPI-LEGACY-L1-1-0 ref: 00007FF681F38B9A

Strings

prop:System.Security.EncryptionOwners, xrefs: 00007FF681F38AD2

Memory Dump Source

Source File: 00000000.00000002.242166859.00007FF681F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF681F30000, based on PE: true

Associated: 00000000.00000002.242162264.00007FF681F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242186922.00007FF681F56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242194386.00007FF681F60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242238373.00007FF681F63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff681f30000_bHLOVVmF1t.jbxd

Similarity

API ID: CreateFileInstancePathSpec
String ID: prop:System.Security.EncryptionOwners
API String ID: 4203885736-2773134222
Opcode ID: e7266f4a3965f336cbc8512158aba8c1528d7f8f28c9373434c608584a9533ef
Instruction ID: 374a1a0de6447150f5afe330471ca42e25a81d13a858f337d38d551f89497374
Opcode Fuzzy Hash: e7266f4a3965f336cbc8512158aba8c1528d7f8f28c9373434c608584a9533ef
Instruction Fuzzy Hash: 5E91A526B19F5AC6EB008B66D8947A927E0BF48B88F44823ACE0D97764DF3DE445C350

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF681F52144 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 88COMMON

Download Yara Rule

APIs

WindowsCreateStringReference.API-MS-WIN-CORE-WINRT-STRING-L1-1-0 ref: 00007FF681F52181
RoGetActivationFactory.API-MS-WIN-CORE-WINRT-L1-1-0 ref: 00007FF681F521BD

Strings

Windows.Security.EnterpriseData.ProtectionPolicyManager, xrefs: 00007FF681F5217A

Memory Dump Source

Source File: 00000000.00000002.242166859.00007FF681F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF681F30000, based on PE: true

Associated: 00000000.00000002.242162264.00007FF681F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242186922.00007FF681F56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242194386.00007FF681F60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242238373.00007FF681F63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff681f30000_bHLOVVmF1t.jbxd

Similarity

API ID: ActivationCreateFactoryReferenceStringWindows
String ID: Windows.Security.EnterpriseData.ProtectionPolicyManager
API String ID: 1966789792-1562784004
Opcode ID: f8949423a0edfbd90fa0b7f0346a067cb8db8aada04dfe2bd1143914f46497ab
Instruction ID: b87863a891462b6a2d25a892ec60a4098b15a8ecab74ac374761c213063420b1
Opcode Fuzzy Hash: f8949423a0edfbd90fa0b7f0346a067cb8db8aada04dfe2bd1143914f46497ab
Instruction Fuzzy Hash: F3310A2AB08A56C5FB048BA5E8503FD37B0FF48B88F55853ACA0E97A54DF39E445C340

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF681F4FA54 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 73
COMMON

Download Yara Rule

C-Code - Quality: 27%

			E00007FF67FF681F4FA54(void* __eax, long long __rbx, signed long long* __rcx, void* __rdx, long long __rdi, long long __rsi, void* __r8) {
				void* __rbp;
				void* _t39;
				void* _t50;
				signed long long _t51;
				signed long long _t55;
				void* _t69;
				void* _t70;
				void* _t72;
				signed long long _t73;
				void* _t77;
				void* _t79;
				void* _t81;
				signed long long* _t82;

				_t64 = __rdx;
				_t50 = _t72;
				 *((long long*)(_t50 + 0x10)) = __rbx;
				 *((long long*)(_t50 + 0x18)) = __rsi;
				 *((long long*)(_t50 + 0x20)) = __rdi;
				_t70 = _t50 - 0x5f;
				_t73 = _t72 - 0x90;
				_t51 =  *0x81f60470; // 0xbba9a5b3aaf9
				 *(_t70 + 0x3f) = _t51 ^ _t73;
				_t82 = __rcx;
				__imp__CoCreateGuid();
				if (__eax >= 0) goto 0x81f4faa1;
				 *__rcx =  *__rcx & 0x00000000;
				goto 0x81f4fb47;
				_t7 = _t70 + 0x27; // 0x27
				_t8 = _t64 + 0x25; // 0x25
				r8d = _t8;
				E00007FF67FF681F3E224(__rbx, _t7, __rdx, __rdi, __rsi, _t70, __r8, _t81, _t79);
				r8d =  *(_t70 + 0x3c) & 0x000000ff;
				r9d =  *(_t70 + 0x3b) & 0x000000ff;
				r10d =  *(_t70 + 0x3a) & 0x000000ff;
				r11d =  *(_t70 + 0x39) & 0x000000ff;
				r14d =  *(_t70 + 0x33) & 0x0000ffff;
				 *(_t73 + 0x68) =  *(_t70 + 0x3e) & 0x000000ff;
				 *(_t73 + 0x60) =  *(_t70 + 0x3d) & 0x000000ff;
				 *(_t73 + 0x58) = r8d;
				 *(_t73 + 0x50) = r9d;
				r9d =  *(_t70 + 0x2f);
				 *(_t73 + 0x48) = r10d;
				 *(_t73 + 0x40) = r11d;
				 *(_t73 + 0x38) =  *(_t70 + 0x38) & 0x000000ff;
				_t55 =  *((intOrPtr*)(_t70 + 0x27));
				 *(_t73 + 0x30) =  *(_t70 + 0x37) & 0x000000ff;
				 *(_t73 + 0x28) =  *(_t70 + 0x35) & 0x0000ffff;
				 *(_t73 + 0x20) = r14d;
				_t39 = E00007FF67FF681F31860(_t55, _t64, L"%08lX-%04X-%04x-%02X%02X-%02X%02X%02X%02X%02X%02X", _t77, _t69);
				if (_t39 >= 0) goto 0x81f4fb44;
				 *_t82 =  *_t82 & 0x00000000;
				if (_t55 == 0) goto 0x81f4fb47;
				__imp__CoTaskMemFree();
				goto 0x81f4fb47;
				 *_t82 = _t55;
				E00007FF67FF681F53F70();
				return _t39;
			}

0x7ff681f4fa54
0x7ff681f4fa54
0x7ff681f4fa57
0x7ff681f4fa5b
0x7ff681f4fa5f
0x7ff681f4fa68
0x7ff681f4fa6c
0x7ff681f4fa73
0x7ff681f4fa7d
0x7ff681f4fa81
0x7ff681f4fa88
0x7ff681f4fa96
0x7ff681f4fa98
0x7ff681f4fa9c
0x7ff681f4faa3
0x7ff681f4faa7
0x7ff681f4faa7
0x7ff681f4faab
0x7ff681f4fab9
0x7ff681f4fabe
0x7ff681f4facb
0x7ff681f4fad0
0x7ff681f4fadd
0x7ff681f4fae2
0x7ff681f4fae6
0x7ff681f4faea
0x7ff681f4faf6
0x7ff681f4fafb
0x7ff681f4faff
0x7ff681f4fb04
0x7ff681f4fb09
0x7ff681f4fb0d
0x7ff681f4fb11
0x7ff681f4fb18
0x7ff681f4fb1c
0x7ff681f4fb21
0x7ff681f4fb28
0x7ff681f4fb2a
0x7ff681f4fb31
0x7ff681f4fb36
0x7ff681f4fb42
0x7ff681f4fb44
0x7ff681f4fb51
0x7ff681f4fb72

APIs

CoCreateGuid.API-MS-WIN-CORE-COM-L1-1-0 ref: 00007FF681F4FA88
CoTaskMemFree.API-MS-WIN-CORE-COM-L1-1-0 ref: 00007FF681F4FB36

Strings

%08lX-%04X-%04x-%02X%02X-%02X%02X%02X%02X%02X%02X, xrefs: 00007FF681F4FAEF

Memory Dump Source

Source File: 00000000.00000002.242166859.00007FF681F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF681F30000, based on PE: true

Associated: 00000000.00000002.242162264.00007FF681F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242186922.00007FF681F56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242194386.00007FF681F60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242238373.00007FF681F63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff681f30000_bHLOVVmF1t.jbxd

Similarity

API ID: CreateFreeGuidTask
String ID: %08lX-%04X-%04x-%02X%02X-%02X%02X%02X%02X%02X%02X
API String ID: 2319009263-4283501729
Opcode ID: 403e40a1437d0df4f87bfb22d502a5e6c878389cfca687769969253fe587ac7c
Instruction ID: 806566aa278920fdedcec7831fb07e8823d76b8fe92ebfb71ff9362a8643b66d
Opcode Fuzzy Hash: 403e40a1437d0df4f87bfb22d502a5e6c878389cfca687769969253fe587ac7c
Instruction Fuzzy Hash: E53141336196A1CAD7918F21E8507A9BBF4FB49748F495125FE8E83B55CF38D491CB00

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF681F4F0B8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

CoTaskMemFree.API-MS-WIN-CORE-COM-L1-1-0(?,?,?,00000000,00000000,00007FF681F4CB17), ref: 00007FF681F4F17A
CoTaskMemFree.API-MS-WIN-CORE-COM-L1-1-0(?,?,?,00000000,00000000,00007FF681F4CB17), ref: 00007FF681F4F190

Strings

\Notepad, xrefs: 00007FF681F4F13D

Memory Dump Source

Source File: 00000000.00000002.242166859.00007FF681F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF681F30000, based on PE: true

Associated: 00000000.00000002.242162264.00007FF681F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242186922.00007FF681F56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242194386.00007FF681F60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242238373.00007FF681F63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff681f30000_bHLOVVmF1t.jbxd

Similarity

API ID: FreeTask
String ID: \Notepad
API String ID: 734271698-3898563714
Opcode ID: aa0c3bdfa09f2c612a2b47732d0dc94572261aeb0b580e7b15b500922ce9c431
Instruction ID: 8ebbe8ef853f5ae3a9aeea35f8b4b06801a9688d0d7f08d85e6f61f7031ed77d
Opcode Fuzzy Hash: aa0c3bdfa09f2c612a2b47732d0dc94572261aeb0b580e7b15b500922ce9c431
Instruction Fuzzy Hash: A4219E36A09B82D6EB209F55E5000A977A0FF89BA4F588635DE9D83791DF3CD542C740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF681F51DB8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

WindowsCreateStringReference.API-MS-WIN-CORE-WINRT-STRING-L1-1-0 ref: 00007FF681F51DF5
RoGetActivationFactory.API-MS-WIN-CORE-WINRT-L1-1-0 ref: 00007FF681F51E31

Strings

Windows.Security.EnterpriseData.ProtectionPolicyManager, xrefs: 00007FF681F51DEE

Memory Dump Source

Source File: 00000000.00000002.242166859.00007FF681F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF681F30000, based on PE: true

Associated: 00000000.00000002.242162264.00007FF681F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242186922.00007FF681F56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242194386.00007FF681F60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242238373.00007FF681F63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff681f30000_bHLOVVmF1t.jbxd

Similarity

API ID: ActivationCreateFactoryReferenceStringWindows
String ID: Windows.Security.EnterpriseData.ProtectionPolicyManager
API String ID: 1966789792-1562784004
Opcode ID: eca4b97d53dc2840903868df843f268a2d33c87ab31d2b648ad2d025024d0c53
Instruction ID: 54343fc7d3faa6a10f7f80ba78462234eefb88ebe3b18f52fde83339082d0d1a
Opcode Fuzzy Hash: eca4b97d53dc2840903868df843f268a2d33c87ab31d2b648ad2d025024d0c53
Instruction Fuzzy Hash: BA21F726B19A56CAFB00CB65E4903EC37B0BF48B48F54843ADE0E97A64DF38E445C340

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF681F398A1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 55windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32 ref: 00007FF681F3990B
CoTaskMemFree.API-MS-WIN-CORE-COM-L1-1-0 ref: 00007FF681F39C5D

Strings

feedback-hub://?tabid=2&contextid=1010, xrefs: 00007FF681F398D7

Memory Dump Source

Source File: 00000000.00000002.242166859.00007FF681F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF681F30000, based on PE: true

Associated: 00000000.00000002.242162264.00007FF681F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242186922.00007FF681F56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242194386.00007FF681F60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242238373.00007FF681F63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff681f30000_bHLOVVmF1t.jbxd

Similarity

API ID: FreeIconLoadTask
String ID: feedback-hub://?tabid=2&contextid=1010
API String ID: 2336424503-1864734595
Opcode ID: cb8396ba166c1bacf73437eb3ea66c50c9cf90927d901b03b16e3011047727be
Instruction ID: 09edda5cc9733a757137afe9a7e7b56720aaf26eed82053444174593f54723a9
Opcode Fuzzy Hash: cb8396ba166c1bacf73437eb3ea66c50c9cf90927d901b03b16e3011047727be
Instruction Fuzzy Hash: 67215E66A09B47C6FB208B91A8942B967E0BF89798F444139CE0E87754CE3CA586C301

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF681F35014 Relevance: 5.2, APIs: 4, Instructions: 247memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00007FF681F35320
HeapFree.KERNEL32 ref: 00007FF681F35334
GetProcessHeap.KERNEL32 ref: 00007FF681F35369
HeapFree.KERNEL32 ref: 00007FF681F3537D

Memory Dump Source

Source File: 00000000.00000002.242166859.00007FF681F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF681F30000, based on PE: true

Associated: 00000000.00000002.242162264.00007FF681F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242186922.00007FF681F56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242194386.00007FF681F60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242238373.00007FF681F63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff681f30000_bHLOVVmF1t.jbxd

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: 9e791e51f6c7c0254ba37692731560536c236e6605c8e268f0f023daa51b704b
Instruction ID: 78ddcdf5ae94b7205c55913f5fe0ac1e21b517685f3add98a4cf8af5d4f3923d
Opcode Fuzzy Hash: 9e791e51f6c7c0254ba37692731560536c236e6605c8e268f0f023daa51b704b
Instruction Fuzzy Hash: 0FB15866A08B81CAEB208F65D4401ED7BF1FF89788F104529EE8D97B69DF38D491CB01

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF681F345B8 Relevance: 5.1, APIs: 4, Instructions: 60memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00007FF681F34615
HeapFree.KERNEL32 ref: 00007FF681F34629
GetProcessHeap.KERNEL32 ref: 00007FF681F34656
HeapFree.KERNEL32 ref: 00007FF681F3466A

Memory Dump Source

Source File: 00000000.00000002.242166859.00007FF681F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF681F30000, based on PE: true

Associated: 00000000.00000002.242162264.00007FF681F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242186922.00007FF681F56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242194386.00007FF681F60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242238373.00007FF681F63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff681f30000_bHLOVVmF1t.jbxd

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: c197e9531961170161ad386eff99e62051f81ef606aa6b9803ee9c554961741e
Instruction ID: 549d9a75b50ff1a9f949271c4e8b87a112900e80d06531f251014a43a0c3c527
Opcode Fuzzy Hash: c197e9531961170161ad386eff99e62051f81ef606aa6b9803ee9c554961741e
Instruction Fuzzy Hash: CE314B27915F90C6D3418F25A0402A9BBB0FB9AF94F18A214CF8927715DF34D4E2C740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF681F32D84 Relevance: 5.0, APIs: 4, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00007FF681F32DC2
HeapFree.KERNEL32 ref: 00007FF681F32DD6
GetProcessHeap.KERNEL32 ref: 00007FF681F32DFA
HeapFree.KERNEL32 ref: 00007FF681F32E0E

Memory Dump Source

Source File: 00000000.00000002.242166859.00007FF681F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF681F30000, based on PE: true

Associated: 00000000.00000002.242162264.00007FF681F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242186922.00007FF681F56000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242194386.00007FF681F60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242238373.00007FF681F63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff681f30000_bHLOVVmF1t.jbxd

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: 9919f41e9577b5d3344f0023d76036e445d4144bd2848ce3f9d38c58db47da7e
Instruction ID: e4cb833b34ec4716a6a81f5a6610035dffc7154fa6b0aa5abf06f46cc997ec6f
Opcode Fuzzy Hash: 9919f41e9577b5d3344f0023d76036e445d4144bd2848ce3f9d38c58db47da7e
Instruction Fuzzy Hash: 0E11D476604B81CBDB149F52F4400A9BBB4FB89F81B599125DF8E53B24CF38E5A6C700

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of open application windows. Window listings could convey information about how the system is used or give context to information collected by a keylogger.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	API monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report bHLOVVmF1t.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

Cryptography

Compliance

Spreading

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Statistics

CPU Usage

Memory Usage

System Behavior

Analysis Process: bHLOVVmF1t.exePID: 6072, Parent PID: 5380

General

Chronological Activities

Disassembly

Analysis Process: bHLOVVmF1t.exePID: 6072, Parent PID: 5380COMMON

Execution Graph

Graph

Executed Functions

Function 00007FF681F4224C Relevance: 775.1, APIs: 416, Strings: 21, Instructions: 10329windowregistrythreadCOMMONCrypto

Function 00007FF681F3AD6C Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 224windowmemoryCOMMON

Control-flow Graph

Windows Analysis Report
bHLOVVmF1t.exe

Function 00007FF681F4224C Relevance: 775.1, APIs: 416, Strings: 21, Instructions: 10329
windowregistrythreadCOMMONCrypto

Function 00007FF681F3AD6C Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 224
windowmemoryCOMMON

Function 00007FF681F36B98 Relevance: 23.0, APIs: 10, Strings: 3, Instructions: 210
synchronizationCOMMONCrypto

Function 00007FF681F53A20 Relevance: 1.5, APIs: 1, Instructions: 12
libraryCOMMON

Function 00007FF681F53DA0 Relevance: 1.5, APIs: 1, Instructions: 7
COMMON

Function 00007FF681F53290 Relevance: 21.2, APIs: 10, Strings: 2, Instructions: 165
COMMON

Function 00007FF681F53DC0 Relevance: 13.6, APIs: 9, Instructions: 106
COMMON

Function 00007FF681F41444 Relevance: 10.6, APIs: 7, Instructions: 115
memoryCOMMON

Function 00007FF681F37868 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 124
COMMON

Function 00007FF681F326B0 Relevance: 7.6, APIs: 5, Instructions: 51
synchronizationCOMMON

Function 00007FF681F35CB4 Relevance: 6.1, APIs: 4, Instructions: 72
COMMON

Function 00007FF681F3DD74 Relevance: 3.2, APIs: 2, Instructions: 180
COMMON

Function 00007FF681F53CD0 Relevance: 3.1, APIs: 2, Instructions: 63
COMMON

Function 00007FF681F35F40 Relevance: 3.0, APIs: 2, Instructions: 48
COMMON

Function 00007FF681F31380 Relevance: 3.0, APIs: 2, Instructions: 42
COMMON

Function 00007FF681F40B08 Relevance: 77.3, APIs: 5, Strings: 39, Instructions: 304
registryCOMMONCrypto

Function 00007FF681F3F0D4 Relevance: 72.4, APIs: 40, Strings: 1, Instructions: 600
filewindowmemoryCOMMONCrypto

Function 00007FF681F3A290 Relevance: 61.8, APIs: 34, Strings: 1, Instructions: 599
windowCOMMONCrypto

Function 00007FF681F3709C Relevance: 24.7, APIs: 10, Strings: 4, Instructions: 208
synchronizationCOMMONCrypto

Function 00007FF681F41188 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 178
fileCOMMON

Function 00007FF681F3E3A8 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 106
timewindowCOMMON

Function 00007FF681F4EBAC Relevance: 13.6, APIs: 9, Instructions: 112
windowCOMMONCrypto

Function 00007FF681F41F40 Relevance: 12.2, APIs: 8, Instructions: 187
windowCOMMONCrypto

Function 00007FF681F3B83C Relevance: 10.6, APIs: 7, Instructions: 101
filewindowCOMMON

Function 00007FF681F3B3B8 Relevance: 7.7, APIs: 5, Instructions: 151
windowCOMMONCrypto

Function 00007FF681F3B130 Relevance: 7.6, APIs: 5, Instructions: 147
windowCOMMONCrypto

Function 00007FF681F3FDAC Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 43
windowCOMMON

Function 00007FF681F53F98 Relevance: 6.0, APIs: 4, Instructions: 21
COMMON

Function 00007FF681F3D8CC Relevance: .2, Instructions: 210
COMMONCrypto

Function 00007FF681F3679C Relevance: .1, Instructions: 132
COMMONCrypto

Function 00007FF681F406EC Relevance: 63.2, APIs: 5, Strings: 31, Instructions: 201
registrythreadCOMMON

Function 00007FF681F31964 Relevance: 26.4, APIs: 2, Strings: 13, Instructions: 153
windowthreadCOMMON