Windows Analysis Report
RFQ__637456464647.exe

Overview

General Information

Sample Name:RFQ__637456464647.exe
Analysis ID:632544
MD5:b4bc907e8d48e8f09b4d9fdd8d416599
SHA1:592a814a428c8a5de3f06245996fc775e8dc987f
SHA256:7f7804a5460695dae61e378d733f0a613083e84c654ea6264a5276944b33f943
Tags:exe, SnakeKeylogger
Infos:

Detection

Snake Keylogger
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected Snake Keylogger
Malicious sample detected (through community Yara rule)
Yara detected Telegram RAT
Snort IDS alert for network traffic
Tries to steal Mail credentials (via file / registry access)
Tries to harvest and steal ftp login credentials
.NET source code references suspicious native API functions
Machine Learning detection for sample
Injects a PE file into a foreign processes
Yara detected Generic Downloader
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
One or more processes crash
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Contains functionality to launch a process as a different user
Yara detected Credential Stealer
Uses the system / local time for branch decision (may execute only at specific dates)
IP address seen in connection with other malware
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Drops PE files
Checks if the current process is being debugged
PE file contains more sections than normal
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

  • System is w10x64
  • RFQ__637456464647.exe (PID: 6312 cmdline: "C:\Users\user\Desktop\RFQ__637456464647.exe" MD5: B4BC907E8D48E8F09B4D9FDD8D416599)
    • RFQ__637456464647.exe (PID: 6400 cmdline: C:\Users\user\Desktop\RFQ__637456464647.exe MD5: B4BC907E8D48E8F09B4D9FDD8D416599)
    • chrome.exe (PID: 6672 cmdline: "C:\Users\user\AppData\Local\Temp\chrome.exe" MD5: 7F916511A313837EFCDE9E4112A64E5B)
    • WerFault.exe (PID: 7124 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6312 -s 1296 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • cleanup
{"Exfil Mode": "Telegram", "Telegram Token": "Null!", "Telegram ID": "5164987354:AAFbwY5baNRyoCilWU25jL6nSQnU8yn8vuc"}
Source | Rule | Description | Author | Strings
00000001.00000000.267692324.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_SnakeKeylogger | Yara detected Snake Keylogger | Joe Security
00000001.00000000.267692324.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security
00000001.00000000.267692324.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000001.00000000.267692324.0000000000402000.00000040.00000400.00020000.00000000.sdmp | MALWARE_Win_SnakeKeylogger | Detects Snake Keylogger | ditekSHen
        • 0x185d0:$x1: $%SMTPDV$
        • 0x17292:$x2: $#TheHashHere%&
        • 0x18578:$x3: %FTPDV$
        • 0x17274:$x4: $%TelegramDv$
        • 0x14ba3:$x5: KeyLoggerEventArgs
        • 0x14f39:$x5: KeyLoggerEventArgs
        • 0x185fc:$m1: | Snake Keylogger
        • 0x186a2:$m1: | Snake Keylogger
        • 0x187f6:$m1: | Snake Keylogger
        • 0x1891c:$m1: | Snake Keylogger
        • 0x18a76:$m1: | Snake Keylogger
        • 0x1859c:$m2: Clipboard Logs ID
        • 0x187ac:$m2: Screenshot Logs ID
        • 0x188c0:$m2: keystroke Logs ID
        • 0x18aac:$m3: SnakePW
        • 0x18784:$m4: \SnakeKeylogger\
        00000001.00000000.266228380.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_SnakeKeylogger | Yara detected Snake Keylogger | Joe Security
          Source | Rule | Description | Author | Strings
          1.0.RFQ__637456464647.exe.400000.6.unpack | MAL_Envrial_Jan18_1 | Detects Encrial credential stealer malware | Florian Roth
          • 0x1b0d0:$a2: \Comodo\Dragon\User Data\Default\Login Data
          • 0x1a2b9:$a3: \Google\Chrome\User Data\Default\Login Data
          • 0x1a700:$a4: \Orbitum\User Data\Default\Login Data
          • 0x1b881:$a5: \Kometa\User Data\Default\Login Data
          1.0.RFQ__637456464647.exe.400000.6.unpack | JoeSecurity_SnakeKeylogger | Yara detected Snake Keylogger | Joe Security
          1.0.RFQ__637456464647.exe.400000.6.unpack | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security
          1.0.RFQ__637456464647.exe.400000.6.unpack | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security
          1.0.RFQ__637456464647.exe.400000.6.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
                  No Sigma rule has matched
                  Timestamp:05/23/22-19:00:12.710166
                  Source IP:192.168.2.3
                  Destination IP:132.226.8.169
                  SID:2842536
                  Source Port:49740
                  Destination Port:80
                  Protocol:TCP
                  Classtype:A Network Trojan was detected

                  AV Detection

                  Source: 0.0.RFQ__637456464647.exe.45692e0.6.raw.unpack Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "Telegram", "Telegram Token": "Null!", "Telegram ID": "5164987354:AAFbwY5baNRyoCilWU25jL6nSQnU8yn8vuc"}
                  Source: RFQ__637456464647.exe ReversingLabs: Detection: 46%
                  Source: RFQ__637456464647.exe Joe Sandbox ML: detected
                  Source: 1.0.RFQ__637456464647.exe.400000.12.unpack Avira: Label: TR/ATRAPS.Gen
                  Source: 1.2.RFQ__637456464647.exe.400000.0.unpack Avira: Label: TR/ATRAPS.Gen
                  Source: 1.0.RFQ__637456464647.exe.400000.8.unpack Avira: Label: TR/ATRAPS.Gen
                  Source: 1.0.RFQ__637456464647.exe.400000.6.unpack Avira: Label: TR/ATRAPS.Gen
                  Source: 1.0.RFQ__637456464647.exe.400000.4.unpack Avira: Label: TR/ATRAPS.Gen
                  Source: 1.0.RFQ__637456464647.exe.400000.10.unpack Avira: Label: TR/ATRAPS.Gen
                  Source: RFQ__637456464647.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
                  Source: RFQ__637456464647.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                  Source: Binary string: System.Windows.Forms.pdb source: WER7284.tmp.dmp.13.dr
                  Source: Binary string: System.Core.ni.pdbRSDSD source: WER7284.tmp.dmp.13.dr
                  Source: Binary string: k,C:\Windows\System.pdb source: RFQ__637456464647.exe, 00000000.00000000.297785720.0000000001367000.00000004.00000010.00020000.00000000.sdmp, RFQ__637456464647.exe, 00000000.00000002.316242132.0000000001367000.00000004.00000010.00020000.00000000.sdmp
                  Source: Binary string: mscorlib.pdb source: WER7284.tmp.dmp.13.dr
                  Source: Binary string: System.Windows.Forms.pdbxT source: WER7284.tmp.dmp.13.dr
                  Source: Binary string: System.ni.pdbRSDS source: WER7284.tmp.dmp.13.dr
                  Source: Binary string: 7.PDB source: RFQ__637456464647.exe, 00000000.00000000.297785720.0000000001367000.00000004.00000010.00020000.00000000.sdmp
                  Source: Binary string: C:\Users\user\Desktop\RFQ__637456464647.PDB source: RFQ__637456464647.exe, 00000000.00000000.297785720.0000000001367000.00000004.00000010.00020000.00000000.sdmp, RFQ__637456464647.exe, 00000000.00000002.316242132.0000000001367000.00000004.00000010.00020000.00000000.sdmp
                  Source: Binary string: mscorlib.ni.pdb source: WER7284.tmp.dmp.13.dr
                  Source: Binary string: .pdb, source: RFQ__637456464647.exe, 00000000.00000000.297785720.0000000001367000.00000004.00000010.00020000.00000000.sdmp, RFQ__637456464647.exe, 00000000.00000002.316242132.0000000001367000.00000004.00000010.00020000.00000000.sdmp
                  Source: Binary string: System.Core.pdb source: WER7284.tmp.dmp.13.dr
                  Source: Binary string: mscorlib.ni.pdbRSDS source: WER7284.tmp.dmp.13.dr
                  Source: Binary string: System.pdbP>Q source: WER7284.tmp.dmp.13.dr
                  Source: Binary string: C:\Users\user\Desktop\RFQ__637456464647.PDB6 source: RFQ__637456464647.exe, 00000000.00000000.297785720.0000000001367000.00000004.00000010.00020000.00000000.sdmp, RFQ__637456464647.exe, 00000000.00000002.316242132.0000000001367000.00000004.00000010.00020000.00000000.sdmp
                  Source: Binary string: System.ni.pdb source: WER7284.tmp.dmp.13.dr
                  Source: Binary string: System.pdb source: WER7284.tmp.dmp.13.dr
                  Source: Binary string: chrome.exe.pdb source: RFQ__637456464647.exe, 00000000.00000002.317423148.00000000044C2000.00000004.00000800.00020000.00000000.sdmp, RFQ__637456464647.exe, 00000000.00000002.318083841.0000000004762000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000000.281746338.00007FF7A8C4A000.00000002.00000001.01000000.00000006.sdmp, chrome.exe.0.dr
                  Source: Binary string: System.Core.ni.pdb source: WER7284.tmp.dmp.13.dr
                  Source: C:\Users\user\Desktop\RFQ__637456464647.exeCode function: 4x nop then jmp 054D0741h1_2_054D0498
                  Source: C:\Users\user\Desktop\RFQ__637456464647.exeCode function: 4x nop then jmp 054D02E9h1_2_054D0040
                  Source: C:\Users\user\Desktop\RFQ__637456464647.exeCode function: 4x nop then jmp 054D0B99h1_2_054D08F0
                  Source: C:\Users\user\Desktop\RFQ__637456464647.exeCode function: 4x nop then jmp 0648E0A9h1_2_0648DE00
                  Source: C:\Users\user\Desktop\RFQ__637456464647.exeCode function: 4x nop then jmp 064848D1h1_2_06484628
                  Source: C:\Users\user\Desktop\RFQ__637456464647.exeCode function: 4x nop then jmp 06485181h1_2_06484ED8
                  Source: C:\Users\user\Desktop\RFQ__637456464647.exeCode function: 4x nop then jmp 0648E981h1_2_0648E6D8
                  Source: C:\Users\user\Desktop\RFQ__637456464647.exeCode function: 4x nop then jmp 06488149h1_2_06487EA0
                  Source: C:\Users\user\Desktop\RFQ__637456464647.exeCode function: 4x nop then jmp 064889F9h1_2_06488750
                  Source: C:\Users\user\Desktop\RFQ__637456464647.exeCode function: 4x nop then jmp 06485A31h1_2_06485788
                  Source: C:\Users\user\Desktop\RFQ__637456464647.exeCode function: 4x nop then jmp 0648F231h1_2_0648EF88
                  Source: C:\Users\user\Desktop\RFQ__637456464647.exeCode function: 4x nop then jmp 06483771h1_2_064834C8
                  Source: C:\Users\user\Desktop\RFQ__637456464647.exeCode function: 4x nop then jmp 06486739h1_2_06486490
                  Source: C:\Users\user\Desktop\RFQ__637456464647.exeCode function: 4x nop then jmp 06486FE9h1_2_06486D40
                  Source: C:\Users\user\Desktop\RFQ__637456464647.exeCode function: 4x nop then jmp 06484021h1_2_06483D78
                  Source: C:\Users\user\Desktop\RFQ__637456464647.exeCode function: 4x nop then jmp 06487899h1_2_064875F0
                  Source: C:\Users\user\Desktop\RFQ__637456464647.exeCode function: 4x nop then jmp 06487CF1h1_2_06487A48
                  Source: C:\Users\user\Desktop\RFQ__637456464647.exeCode function: 4x nop then jmp 064885A1h1_2_064882F8
                  Source: C:\Users\user\Desktop\RFQ__637456464647.exeCode function: 4x nop then jmp 06484D29h1_2_06484A80
                  Source: C:\Users\user\Desktop\RFQ__637456464647.exeCode function: 4x nop then jmp 0648E529h1_2_0648E280
                  Source: C:\Users\user\Desktop\RFQ__637456464647.exeCode function: 4x nop then jmp 064855D9h1_2_06485330
                  Source: C:\Users\user\Desktop\RFQ__637456464647.exeCode function: 4x nop then jmp 0648EDD9h1_2_0648EB30
                  Source: C:\Users\user\Desktop\RFQ__637456464647.exeCode function: 4x nop then jmp 06485E89h1_2_06485BE0
                  Source: C:\Users\user\Desktop\RFQ__637456464647.exeCode function: 4x nop then jmp 0648F689h1_2_0648F3E0
                  Source: C:\Users\user\Desktop\RFQ__637456464647.exeCode function: 4x nop then jmp 06483319h1_2_06483070
                  Source: C:\Users\user\Desktop\RFQ__637456464647.exeCode function: 4x nop then jmp 064862E1h1_2_06486038
                  Source: C:\Users\user\Desktop\RFQ__637456464647.exeCode function: 4x nop then jmp 0648FAE1h1_2_0648F838
                  Source: C:\Users\user\Desktop\RFQ__637456464647.exeCode function: 4x nop then jmp 06486B91h1_2_064868E8
                  Source: C:\Users\user\Desktop\RFQ__637456464647.exeCode function: 4x nop then jmp 06483BC9h1_2_06483920
                  Source: C:\Users\user\Desktop\RFQ__637456464647.exeCode function: 4x nop then jmp 06484479h1_2_064841D0
                  Source: C:\Users\user\Desktop\RFQ__637456464647.exeCode function: 4x nop then jmp 06487441h1_2_06487198
                  Source: C:\Users\user\Desktop\RFQ__637456464647.exeCode function: 4x nop then lea esp, dword ptr [ebp-04h]1_2_0648C336
                  Source: C:\Users\user\Desktop\RFQ__637456464647.exeCode function: 4x nop then lea esp, dword ptr [ebp-04h]1_2_0648C00F
                  Source: C:\Users\user\Desktop\RFQ__637456464647.exeCode function: 4x nop then lea esp, dword ptr [ebp-04h]1_2_0648C020

                  Networking

                  Source: Traffic Snort IDS: 2842536 ETPRO TROJAN 404/Snake/Matiex Keylogger Style External IP Check 192.168.2.3:49740 -> 132.226.8.169:80
                  Source: Yara match File source: 1.0.RFQ__637456464647.exe.400000.6.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 1.2.RFQ__637456464647.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 1.0.RFQ__637456464647.exe.400000.10.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 1.0.RFQ__637456464647.exe.400000.12.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 1.0.RFQ__637456464647.exe.400000.4.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 1.0.RFQ__637456464647.exe.400000.8.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 0.2.RFQ__637456464647.exe.42c9510.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 0.0.RFQ__637456464647.exe.42c9510.2.raw.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 0.2.RFQ__637456464647.exe.45692e0.2.raw.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 0.0.RFQ__637456464647.exe.45692e0.6.raw.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 0.0.RFQ__637456464647.exe.42c9510.5.raw.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 0.0.RFQ__637456464647.exe.45692e0.3.raw.unpack, type: UNPACKEDPE
                  Source: Joe Sandbox View ASN Name: UTMEMUS UTMEMUS
                  Source: Joe Sandbox View IP Address: 132.226.8.169 132.226.8.169
                  Source: RFQ__637456464647.exe, 00000000.00000000.295208630.00000000047A4000.00000004.00000800.00020000.00000000.sdmp, RFQ__637456464647.exe, 00000000.00000000.293530185.0000000004504000.00000004.00000800.00020000.00000000.sdmp, chrome.exe.0.drString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
                  Source: RFQ__637456464647.exe, 00000000.00000000.295208630.00000000047A4000.00000004.00000800.00020000.00000000.sdmp, RFQ__637456464647.exe, 00000000.00000000.293530185.0000000004504000.00000004.00000800.00020000.00000000.sdmp, chrome.exe.0.drString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
                  Source: RFQ__637456464647.exe, 00000000.00000000.295208630.00000000047A4000.00000004.00000800.00020000.00000000.sdmp, RFQ__637456464647.exe, 00000000.00000000.293530185.0000000004504000.00000004.00000800.00020000.00000000.sdmp, chrome.exe.0.drString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
                  Source: RFQ__637456464647.exe, 00000001.00000002.529500482.0000000002FF7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://checkip.dyndns.com
                  Source: RFQ__637456464647.exe, 00000001.00000002.528823599.0000000002F51000.00000004.00000800.00020000.00000000.sdmp, RFQ__637456464647.exe, 00000001.00000002.529500482.0000000002FF7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://checkip.dyndns.org
                  Source: RFQ__637456464647.exe, 00000001.00000002.528823599.0000000002F51000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://checkip.dyndns.org/
                  Source: RFQ__637456464647.exe, 00000000.00000000.295208630.00000000047A4000.00000004.00000800.00020000.00000000.sdmp, RFQ__637456464647.exe, 00000000.00000002.317016109.00000000042C9000.00000004.00000800.00020000.00000000.sdmp, RFQ__637456464647.exe, 00000000.00000000.293530185.0000000004504000.00000004.00000800.00020000.00000000.sdmp, RFQ__637456464647.exe, 00000001.00000000.267692324.0000000000402000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: http://checkip.dyndns.org/q
                  Source: RFQ__637456464647.exe, 00000001.00000002.528823599.0000000002F51000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://checkip.dyndns.org4Jk
                  Source: RFQ__637456464647.exe, 00000000.00000000.295208630.00000000047A4000.00000004.00000800.00020000.00000000.sdmp, RFQ__637456464647.exe, 00000000.00000000.293530185.0000000004504000.00000004.00000800.00020000.00000000.sdmp, chrome.exe.0.drString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
                  Source: RFQ__637456464647.exe, 00000000.00000000.295208630.00000000047A4000.00000004.00000800.00020000.00000000.sdmp, RFQ__637456464647.exe, 00000000.00000000.293530185.0000000004504000.00000004.00000800.00020000.00000000.sdmp, chrome.exe.0.drString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
                  Source: chrome.exe.0.drString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
                  Source: RFQ__637456464647.exe, 00000000.00000000.295208630.00000000047A4000.00000004.00000800.00020000.00000000.sdmp, RFQ__637456464647.exe, 00000000.00000000.293530185.0000000004504000.00000004.00000800.00020000.00000000.sdmp, chrome.exe.0.drString found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
                  Source: RFQ__637456464647.exe, 00000000.00000000.295208630.00000000047A4000.00000004.00000800.00020000.00000000.sdmp, RFQ__637456464647.exe, 00000000.00000000.293530185.0000000004504000.00000004.00000800.00020000.00000000.sdmp, chrome.exe.0.drString found in binary or memory: http://ocsp.digicert.com0
                  Source: RFQ__637456464647.exe, 00000000.00000000.295208630.00000000047A4000.00000004.00000800.00020000.00000000.sdmp, RFQ__637456464647.exe, 00000000.00000000.293530185.0000000004504000.00000004.00000800.00020000.00000000.sdmp, chrome.exe.0.drString found in binary or memory: http://ocsp.digicert.com0A
                  Source: RFQ__637456464647.exe, 00000000.00000000.295208630.00000000047A4000.00000004.00000800.00020000.00000000.sdmp, RFQ__637456464647.exe, 00000000.00000000.293530185.0000000004504000.00000004.00000800.00020000.00000000.sdmp, chrome.exe.0.drString found in binary or memory: http://ocsp.digicert.com0X
                  Source: RFQ__637456464647.exeString found in binary or memory: http://sawebservice.red-gate.com/
                  Source: RFQ__637456464647.exe, 00000001.00000002.528823599.0000000002F51000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                  Source: RFQ__637456464647.exe, 00000000.00000000.295208630.00000000047A4000.00000004.00000800.00020000.00000000.sdmp, RFQ__637456464647.exe, 00000000.00000000.293530185.0000000004504000.00000004.00000800.00020000.00000000.sdmp, chrome.exe.0.drString found in binary or memory: http://www.digicert.com/CPS0
                  Source: RFQ__637456464647.exeString found in binary or memory: http://www.smartassembly.com/webservices/Reporting/
                  Source: RFQ__637456464647.exeString found in binary or memory: http://www.smartassembly.com/webservices/Reporting/UploadReport2
                  Source: RFQ__637456464647.exeString found in binary or memory: http://www.smartassembly.com/webservices/UploadReportLogin/
                  Source: RFQ__637456464647.exeString found in binary or memory: http://www.smartassembly.com/webservices/UploadReportLogin/GetServerURL
                  Source: RFQ__637456464647.exe, 00000000.00000000.295208630.00000000047A4000.00000004.00000800.00020000.00000000.sdmp, RFQ__637456464647.exe, 00000000.00000002.317016109.00000000042C9000.00000004.00000800.00020000.00000000.sdmp, RFQ__637456464647.exe, 00000000.00000000.293530185.0000000004504000.00000004.00000800.00020000.00000000.sdmp, RFQ__637456464647.exe, 00000001.00000000.267692324.0000000000402000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org/bot
                  Source: RFQ__637456464647.exe, 00000000.00000002.317423148.00000000044C2000.00000004.00000800.00020000.00000000.sdmp, RFQ__637456464647.exe, 00000000.00000002.318083841.0000000004762000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, chrome.exe, 00000005.00000000.281746338.00007FF7A8C4A000.00000002.00000001.01000000.00000006.sdmp, chrome.exe.0.drString found in binary or memory: https://crashpad.chromium.org/
                  Source: RFQ__637456464647.exe, 00000000.00000002.317423148.00000000044C2000.00000004.00000800.00020000.00000000.sdmp, RFQ__637456464647.exe, 00000000.00000002.318083841.0000000004762000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, chrome.exe, 00000005.00000000.281746338.00007FF7A8C4A000.00000002.00000001.01000000.00000006.sdmp, chrome.exe.0.drString found in binary or memory: https://crashpad.chromium.org/bug/new
                  Source: RFQ__637456464647.exe, 00000000.00000002.317423148.00000000044C2000.00000004.00000800.00020000.00000000.sdmp, RFQ__637456464647.exe, 00000000.00000002.318083841.0000000004762000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000000.281746338.00007FF7A8C4A000.00000002.00000001.01000000.00000006.sdmp, chrome.exe.0.drString found in binary or memory: https://crashpad.chromium.org/https://crashpad.chromium.org/bug/new
                  Source: RFQ__637456464647.exeString found in binary or memory: https://dsssdsa.fa
                  Source: RFQ__637456464647.exeString found in binary or memory: https://dsssdsa.fa)Uri
                  Source: unknown DNS traffic detected: queries for: checkip.dyndns.org
                  Source: global traffic HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
                  Source: RFQ__637456464647.exe, 00000000.00000002.316474597.000000000174A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

                  System Summary

                  Source: 1.0.RFQ__637456464647.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
                  Source: 1.0.RFQ__637456464647.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: Detects executables with potential process hoocking Author: ditekSHen
                  Source: 1.0.RFQ__637456464647.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: Detects Snake Keylogger Author: ditekSHen
                  Source: 0.0.RFQ__637456464647.exe.45692e0.3.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
                  Source: 0.0.RFQ__637456464647.exe.45692e0.3.unpack, type: UNPACKEDPEMatched rule: Detects executables with potential process hoocking Author: ditekSHen
                  Source: 0.0.RFQ__637456464647.exe.45692e0.3.unpack, type: UNPACKEDPEMatched rule: Detects Snake Keylogger Author: ditekSHen
                  Source: 0.0.RFQ__637456464647.exe.42c9510.5.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
                  Source: 0.0.RFQ__637456464647.exe.42c9510.5.unpack, type: UNPACKEDPEMatched rule: Detects executables with potential process hoocking Author: ditekSHen
                  Source: 0.0.RFQ__637456464647.exe.42c9510.5.unpack, type: UNPACKEDPEMatched rule: Detects Snake Keylogger Author: ditekSHen
                  Source: 1.2.RFQ__637456464647.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
                  Source: 1.2.RFQ__637456464647.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects executables with potential process hoocking Author: ditekSHen
                  Source: 1.2.RFQ__637456464647.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects Snake Keylogger Author: ditekSHen
                  Source: 1.0.RFQ__637456464647.exe.400000.10.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
                  Source: 1.0.RFQ__637456464647.exe.400000.10.unpack, type: UNPACKEDPEMatched rule: Detects executables with potential process hoocking Author: ditekSHen
                  Source: 1.0.RFQ__637456464647.exe.400000.10.unpack, type: UNPACKEDPEMatched rule: Detects Snake Keylogger Author: ditekSHen
                  Source: 0.0.RFQ__637456464647.exe.45692e0.6.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
                  Source: 0.0.RFQ__637456464647.exe.45692e0.6.unpack, type: UNPACKEDPEMatched rule: Detects executables with potential process hoocking Author: ditekSHen
                  Source: 0.0.RFQ__637456464647.exe.45692e0.6.unpack, type: UNPACKEDPEMatched rule: Detects Snake Keylogger Author: ditekSHen
                  Source: 0.0.RFQ__637456464647.exe.42c9510.2.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
                  Source: 0.0.RFQ__637456464647.exe.42c9510.2.unpack, type: UNPACKEDPEMatched rule: Detects executables with potential process hoocking Author: ditekSHen
                  Source: 0.0.RFQ__637456464647.exe.42c9510.2.unpack, type: UNPACKEDPEMatched rule: Detects Snake Keylogger Author: ditekSHen
                  Source: 1.0.RFQ__637456464647.exe.400000.12.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
                  Source: 1.0.RFQ__637456464647.exe.400000.12.unpack, type: UNPACKEDPEMatched rule: Detects executables with potential process hoocking Author: ditekSHen
                  Source: 1.0.RFQ__637456464647.exe.400000.12.unpack, type: UNPACKEDPEMatched rule: Detects Snake Keylogger Author: ditekSHen
                  Source: 0.2.RFQ__637456464647.exe.45692e0.2.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
                  Source: 0.2.RFQ__637456464647.exe.45692e0.2.unpack, type: UNPACKEDPEMatched rule: Detects executables with potential process hoocking Author: ditekSHen
                  Source: 0.2.RFQ__637456464647.exe.45692e0.2.unpack, type: UNPACKEDPEMatched rule: Detects Snake Keylogger Author: ditekSHen
                  Source: 1.0.RFQ__637456464647.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
                  Source: 1.0.RFQ__637456464647.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: Detects executables with potential process hoocking Author: ditekSHen
                  Source: 1.0.RFQ__637456464647.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: Detects Snake Keylogger Author: ditekSHen
                  Source: 0.2.RFQ__637456464647.exe.42c9510.1.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
                  Source: 0.2.RFQ__637456464647.exe.42c9510.1.unpack, type: UNPACKEDPEMatched rule: Detects executables with potential process hoocking Author: ditekSHen
                  Source: 0.2.RFQ__637456464647.exe.42c9510.1.unpack, type: UNPACKEDPEMatched rule: Detects Snake Keylogger Author: ditekSHen
                  Source: 1.0.RFQ__637456464647.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
                  Source: 1.0.RFQ__637456464647.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: Detects executables with potential process hoocking Author: ditekSHen
                  Source: 1.0.RFQ__637456464647.exe.400000.8.unpack, type: UNPACKEDPE, Matched rule: Detects Snake Keylogger, Author: ditekSHen
                  Source: 0.2.RFQ__637456464647.exe.42c9510.1.raw.unpack, type: UNPACKEDPE, Matched rule: Detects executables with potential process hoocking, Author: ditekSHen
                  Source: 0.2.RFQ__637456464647.exe.42c9510.1.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Snake Keylogger, Author: ditekSHen
                  Source: 0.0.RFQ__637456464647.exe.42c9510.2.raw.unpack, type: UNPACKEDPE, Matched rule: Detects executables with potential process hoocking, Author: ditekSHen
                  Source: 0.0.RFQ__637456464647.exe.42c9510.2.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Snake Keylogger, Author: ditekSHen
                  Source: 0.2.RFQ__637456464647.exe.45692e0.2.raw.unpack, type: UNPACKEDPE, Matched rule: Detects executables with potential process hoocking, Author: ditekSHen
                  Source: 0.2.RFQ__637456464647.exe.45692e0.2.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Snake Keylogger, Author: ditekSHen
                  Source: 0.0.RFQ__637456464647.exe.45692e0.6.raw.unpack, type: UNPACKEDPE, Matched rule: Detects executables with potential process hoocking, Author: ditekSHen
                  Source: 0.0.RFQ__637456464647.exe.45692e0.6.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Snake Keylogger, Author: ditekSHen
                  Source: 0.0.RFQ__637456464647.exe.42c9510.5.raw.unpack, type: UNPACKEDPE, Matched rule: Detects executables with potential process hoocking, Author: ditekSHen
                  Source: 0.0.RFQ__637456464647.exe.42c9510.5.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Snake Keylogger, Author: ditekSHen
                  Source: 0.0.RFQ__637456464647.exe.45692e0.3.raw.unpack, type: UNPACKEDPE, Matched rule: Detects executables with potential process hoocking, Author: ditekSHen
                  Source: 0.0.RFQ__637456464647.exe.45692e0.3.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Snake Keylogger, Author: ditekSHen
                  Source: 00000001.00000000.267692324.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY, Matched rule: Detects Snake Keylogger, Author: ditekSHen
                  Source: 00000001.00000000.266228380.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY, Matched rule: Detects Snake Keylogger, Author: ditekSHen
                  Source: 00000001.00000002.525677202.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY, Matched rule: Detects Snake Keylogger, Author: ditekSHen
                  Source: 00000000.00000000.295208630.00000000047A4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: Detects Snake Keylogger, Author: ditekSHen
                  Source: 00000000.00000000.300985988.00000000047A4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: Detects Snake Keylogger, Author: ditekSHen
                  Source: 00000001.00000000.270358708.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY, Matched rule: Detects Snake Keylogger, Author: ditekSHen
                  Source: 00000001.00000000.268966946.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY, Matched rule: Detects Snake Keylogger, Author: ditekSHen
                  Source: 00000000.00000002.318129181.00000000047A4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: Detects Snake Keylogger, Author: ditekSHen
                  Source: 00000000.00000000.293530185.0000000004504000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: Detects Snake Keylogger, Author: ditekSHen
                  Source: 00000000.00000000.292477124.00000000042C9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: Detects Snake Keylogger, Author: ditekSHen
                  Source: 00000000.00000000.300121250.0000000004504000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: Detects Snake Keylogger, Author: ditekSHen
                  Source: 00000000.00000002.317016109.00000000042C9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: Detects Snake Keylogger, Author: ditekSHen
                  Source: 00000000.00000002.317478170.0000000004504000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: Detects Snake Keylogger, Author: ditekSHen
                  Source: 00000000.00000000.299489390.00000000042C9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: Detects Snake Keylogger, Author: ditekSHen
                  Source: Process Memory Space: RFQ__637456464647.exe PID: 6312, type: MEMORYSTR, Matched rule: Detects Snake Keylogger, Author: ditekSHen
                  Source: Process Memory Space: RFQ__637456464647.exe PID: 6400, type: MEMORYSTR, Matched rule: Detects Snake Keylogger, Author: ditekSHen
                  Source: RFQ__637456464647.exe, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
                  Source: 1.0.RFQ__637456464647.exe.400000.6.unpack, type: UNPACKEDPE, Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                  Source: 1.0.RFQ__637456464647.exe.400000.6.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                  Source: 1.0.RFQ__637456464647.exe.400000.6.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
                  Source: 0.0.RFQ__637456464647.exe.45692e0.3.unpack, type: UNPACKEDPE, Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                  Source: 0.0.RFQ__637456464647.exe.45692e0.3.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                  Source: 0.0.RFQ__637456464647.exe.45692e0.3.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
                  Source: 0.0.RFQ__637456464647.exe.42c9510.5.unpack, type: UNPACKEDPE, Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                  Source: 0.0.RFQ__637456464647.exe.42c9510.5.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                  Source: 0.0.RFQ__637456464647.exe.42c9510.5.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
                  Source: 1.2.RFQ__637456464647.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                  Source: 1.2.RFQ__637456464647.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                  Source: 1.2.RFQ__637456464647.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
                  Source: 1.0.RFQ__637456464647.exe.400000.10.unpack, type: UNPACKEDPE, Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                  Source: 1.0.RFQ__637456464647.exe.400000.10.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                  Source: 1.0.RFQ__637456464647.exe.400000.10.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
                  Source: 0.0.RFQ__637456464647.exe.45692e0.6.unpack, type: UNPACKEDPE, Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                  Source: 0.0.RFQ__637456464647.exe.45692e0.6.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                  Source: 0.0.RFQ__637456464647.exe.45692e0.6.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
                  Source: 0.0.RFQ__637456464647.exe.42c9510.2.unpack, type: UNPACKEDPE, Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                  Source: 0.0.RFQ__637456464647.exe.42c9510.2.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                  Source: 0.0.RFQ__637456464647.exe.42c9510.2.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
                  Source: 1.0.RFQ__637456464647.exe.400000.12.unpack, type: UNPACKEDPE, Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                  Source: 1.0.RFQ__637456464647.exe.400000.12.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                  Source: 1.0.RFQ__637456464647.exe.400000.12.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
                  Source: 0.2.RFQ__637456464647.exe.45692e0.2.unpack, type: UNPACKEDPE, Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                  Source: 0.2.RFQ__637456464647.exe.45692e0.2.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                  Source: 0.2.RFQ__637456464647.exe.45692e0.2.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
                  Source: 1.0.RFQ__637456464647.exe.400000.4.unpack, type: UNPACKEDPE, Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                  Source: 1.0.RFQ__637456464647.exe.400000.4.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                  Source: 1.0.RFQ__637456464647.exe.400000.4.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
                  Source: 0.2.RFQ__637456464647.exe.42c9510.1.unpack, type: UNPACKEDPE, Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                  Source: 0.2.RFQ__637456464647.exe.42c9510.1.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                  Source: 0.2.RFQ__637456464647.exe.42c9510.1.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
                  Source: 1.0.RFQ__637456464647.exe.400000.8.unpack, type: UNPACKEDPE, Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                  Source: 1.0.RFQ__637456464647.exe.400000.8.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                  Source: 1.0.RFQ__637456464647.exe.400000.8.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
                  Source: 0.2.RFQ__637456464647.exe.42c9510.1.raw.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                  Source: 0.2.RFQ__637456464647.exe.42c9510.1.raw.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
                  Source: 0.0.RFQ__637456464647.exe.42c9510.2.raw.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                  Source: 0.0.RFQ__637456464647.exe.42c9510.2.raw.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
                  Source: 0.2.RFQ__637456464647.exe.45692e0.2.raw.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                  Source: 0.2.RFQ__637456464647.exe.45692e0.2.raw.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
                  Source: 0.0.RFQ__637456464647.exe.45692e0.6.raw.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                  Source: 0.0.RFQ__637456464647.exe.45692e0.6.raw.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
                  Source: 0.0.RFQ__637456464647.exe.42c9510.5.raw.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                  Source: 0.0.RFQ__637456464647.exe.42c9510.5.raw.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
                  Source: 0.0.RFQ__637456464647.exe.45692e0.3.raw.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                  Source: 0.0.RFQ__637456464647.exe.45692e0.3.raw.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
                  Source: 00000001.00000000.267692324.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY, Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
                  Source: 00000001.00000000.266228380.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY, Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
                  Source: 00000001.00000002.525677202.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY, Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
                  Source: 00000000.00000000.295208630.00000000047A4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
                  Source: 00000000.00000000.300985988.00000000047A4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
                  Source: 00000001.00000000.270358708.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY, Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
                  Source: 00000001.00000000.268966946.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY, Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
                  Source: 00000000.00000002.318129181.00000000047A4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
                  Source: 00000000.00000000.293530185.0000000004504000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
                  Source: 00000000.00000000.292477124.00000000042C9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
                  Source: 00000000.00000000.300121250.0000000004504000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
                  Source: 00000000.00000002.317016109.00000000042C9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
                  Source: 00000000.00000002.317478170.0000000004504000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
                  Source: 00000000.00000000.299489390.00000000042C9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
                  Source: Process Memory Space: RFQ__637456464647.exe PID: 6312, type: MEMORYSTR, Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
                  Source: Process Memory Space: RFQ__637456464647.exe PID: 6400, type: MEMORYSTR, Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
                  Source: C:\Users\user\Desktop\RFQ__637456464647.exe, Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6312 -s 1296
                  Source: C:\Users\user\AppData\Local\Temp\chrome.exeCode function: 5_2_00007FF7A8B665D05_2_00007FF7A8B665D0
                  Source: C:\Users\user\AppData\Local\Temp\chrome.exeCode function: 5_2_00007FF7A8AA45405_2_00007FF7A8AA4540
                  Source: C:\Users\user\AppData\Local\Temp\chrome.exeCode function: 5_2_00007FF7A8AB05405_2_00007FF7A8AB0540
                  Source: C:\Users\user\AppData\Local\Temp\chrome.exeCode function: 5_2_00007FF7A8A75D905_2_00007FF7A8A75D90
                  Source: C:\Users\user\AppData\Local\Temp\chrome.exeCode function: 5_2_00007FF7A8C055505_2_00007FF7A8C05550
                  Source: C:\Users\user\AppData\Local\Temp\chrome.exeCode function: 5_2_00007FF7A8A77D605_2_00007FF7A8A77D60
                  Source: C:\Users\user\AppData\Local\Temp\chrome.exeCode function: 5_2_00007FF7A8AB96A05_2_00007FF7A8AB96A0
                  Source: C:\Users\user\AppData\Local\Temp\chrome.exeCode function: 5_2_00007FF7A8C0CEC05_2_00007FF7A8C0CEC0
                  Source: C:\Users\user\AppData\Local\Temp\chrome.exeCode function: 5_2_00007FF7A8B5A6305_2_00007FF7A8B5A630
                  Source: C:\Users\user\AppData\Local\Temp\chrome.exeCode function: 5_2_00007FF7A8B5AFE05_2_00007FF7A8B5AFE0
                  Source: C:\Users\user\AppData\Local\Temp\chrome.exeCode function: 5_2_00007FF7A8B65FA05_2_00007FF7A8B65FA0
                  Source: C:\Users\user\AppData\Local\Temp\chrome.exeCode function: 5_2_00007FF7A8AE97805_2_00007FF7A8AE9780
                  Source: C:\Users\user\AppData\Local\Temp\chrome.exeCode function: 5_2_00007FF7A8B3E8B05_2_00007FF7A8B3E8B0
                  Source: C:\Users\user\AppData\Local\Temp\chrome.exeCode function: 5_2_00007FF7A8AC60E05_2_00007FF7A8AC60E0
                  Source: C:\Users\user\AppData\Local\Temp\chrome.exeCode function: String function: 00007FF7A8A9AED0 appears 36 times
                  Source: C:\Users\user\AppData\Local\Temp\chrome.exeCode function: String function: 00007FF7A8BBD690 appears 39 times
                  Source: C:\Users\user\Desktop\RFQ__637456464647.exeCode function: 0_2_01722F68 CreateProcessAsUserA,0_2_01722F68
                  Source: RFQ__637456464647.exeBinary or memory string: OriginalFilename vs RFQ__637456464647.exe
                  Source: RFQ__637456464647.exe, 00000000.00000000.292339706.00000000032C1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameYFGGCVyufgtwfyuTGFWTVFAUYVF.exeX vs RFQ__637456464647.exe
                  Source: RFQ__637456464647.exe, 00000000.00000002.316474597.000000000174A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs RFQ__637456464647.exe
                  Source: RFQ__637456464647.exe, 00000000.00000000.295208630.00000000047A4000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamechrome.exe< vs RFQ__637456464647.exe
                  Source: RFQ__637456464647.exe, 00000000.00000002.317016109.00000000042C9000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameYFGGCVyufgtwfyuTGFWTVFAUYVF.exeX vs RFQ__637456464647.exe
                  Source: RFQ__637456464647.exe, 00000000.00000000.298522029.000000000174A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs RFQ__637456464647.exe
                  Source: RFQ__637456464647.exe, 00000000.00000000.293530185.0000000004504000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamechrome.exe< vs RFQ__637456464647.exe
                  Source: RFQ__637456464647.exe, 00000000.00000000.293530185.0000000004504000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameYFGGCVyufgtwfyuTGFWTVFAUYVF.exeX vs RFQ__637456464647.exe
                  Source: RFQ__637456464647.exe, 00000001.00000000.267745770.0000000000422000.00000040.00000400.00020000.00000000.sdmpBinary or memory string: OriginalFilenameYFGGCVyufgtwfyuTGFWTVFAUYVF.exeX vs RFQ__637456464647.exe
                  Source: RFQ__637456464647.exe, 00000001.00000002.527555148.0000000000F37000.00000004.00000010.00020000.00000000.sdmpBinary or memory string: OriginalFilenameUNKNOWN_FILET vs RFQ__637456464647.exe
                  Source: RFQ__637456464647.exeBinary or memory string: OriginalFilenameJxIIaRUTvaLxexPWTLbbe.exe4 vs RFQ__637456464647.exe
                  Source: chrome.exe.0.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                  Source: chrome.exe.0.drStatic PE information: Number of sections : 11 > 10
                  Source: RFQ__637456464647.exeReversingLabs: Detection: 46%
                  Source: C:\Users\user\Desktop\RFQ__637456464647.exeFile read: C:\Users\user\Desktop\RFQ__637456464647.exeJump to behavior
                  Source: RFQ__637456464647.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                  Source: C:\Users\user\Desktop\RFQ__637456464647.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                  Source: unknownProcess created: C:\Users\user\Desktop\RFQ__637456464647.exe "C:\Users\user\Desktop\RFQ__637456464647.exe"
                  Source: C:\Users\user\Desktop\RFQ__637456464647.exeProcess created: C:\Users\user\Desktop\RFQ__637456464647.exe C:\Users\user\Desktop\RFQ__637456464647.exe
                  Source: C:\Users\user\Desktop\RFQ__637456464647.exeProcess created: C:\Users\user\AppData\Local\Temp\chrome.exe "C:\Users\user\AppData\Local\Temp\chrome.exe"
                  Source: C:\Users\user\Desktop\RFQ__637456464647.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6312 -s 1296
                  Source: C:\Users\user\Desktop\RFQ__637456464647.exeProcess created: C:\Users\user\Desktop\RFQ__637456464647.exe C:\Users\user\Desktop\RFQ__637456464647.exeJump to behavior
                  Source: C:\Users\user\Desktop\RFQ__637456464647.exeProcess created: C:\Users\user\AppData\Local\Temp\chrome.exe "C:\Users\user\AppData\Local\Temp\chrome.exe" Jump to behavior
                  Source: C:\Users\user\Desktop\RFQ__637456464647.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32Jump to behavior
                  Source: C:\Users\user\Desktop\RFQ__637456464647.exeFile created: C:\Users\user\AppData\Local\Temp\chrome.exeJump to behavior
                  Source: chrome.exe.0.drBinary string: HKEY_CLASSES_ROOTHKEY_CURRENT_USERHKEY_LOCAL_MACHINEHKEY_USERSHKEY_PERFORMANCE_DATAHKEY_PERFORMANCE_TEXTHKEY_PERFORMANCE_NLSTEXTHKEY_CURRENT_CONFIGHKEY_DYN_DATA\Device\\Device\HarddiskVolumeverifier.dllKeyg_handles_to_closesbox_alternate_desktop_local_winstation_0x%X
                  Source: chrome.exe.0.drBinary string: CreateAppContainerProfileuserenvDeriveAppContainerSidFromAppContainerNameGetAppContainerRegistryLocationGetAppContainerFolderPath\\.\pipe\%ls\%ls@g_interceptionsntdll.dllg_originalsg_ntntdll.dllNtSetInformationThreadNtOpenThreadTokenNtOpenThreadTokenExkernel32.dll\Device\
                  Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@6/5@2/2
                  Source: C:\Users\user\Desktop\RFQ__637456464647.exeFile read: C:\Users\desktop.iniJump to behavior
                  Source: 0.0.RFQ__637456464647.exe.d20000.4.unpack, u000fu0005/u0095u0005.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
                  Source: 1.0.RFQ__637456464647.exe.8f0000.13.unpack, u000fu0005/u0095u0005.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
                  Source: 1.0.RFQ__637456464647.exe.8f0000.0.unpack, u000fu0005/u0095u0005.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
                  Source: 0.2.RFQ__637456464647.exe.d20000.0.unpack, u000fu0005/u0095u0005.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
                  Source: 1.0.RFQ__637456464647.exe.8f0000.11.unpack, u000fu0005/u0095u0005.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
                  Source: 1.0.RFQ__637456464647.exe.8f0000.1.unpack, u000fu0005/u0095u0005.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
                  Source: 0.0.RFQ__637456464647.exe.d20000.0.unpack, u000fu0005/u0095u0005.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
                  Source: RFQ__637456464647.exe, u000fu0005/u0095u0005.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
                  Source: 0.0.RFQ__637456464647.exe.d20000.1.unpack, u000fu0005/u0095u0005.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
                  Source: C:\Users\user\AppData\Local\Temp\chrome.exeCode function: 5_2_00007FF7A8BDA170 FormatMessageA,GetLastError,5_2_00007FF7A8BDA170
                  Source: RFQ__637456464647.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                  Source: C:\Users\user\Desktop\RFQ__637456464647.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6312
                  Source: chrome.exeString found in binary or memory: Try '%ls --help' for more information.
                  Source: RFQ__637456464647.exe, u0097/u0005u0002.csCryptographic APIs: 'CreateDecryptor'
                  Source: RFQ__637456464647.exe, u0097/u0005u0002.csCryptographic APIs: 'TransformFinalBlock'
                  Source: RFQ__637456464647.exe, u001a/u0094u0008.csCryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
                  Source: 0.0.RFQ__637456464647.exe.d20000.1.unpack, u0097/u0005u0002.csCryptographic APIs: 'CreateDecryptor'
                  Source: 0.0.RFQ__637456464647.exe.d20000.1.unpack, u0097/u0005u0002.csCryptographic APIs: 'TransformFinalBlock'
                  Source: 0.0.RFQ__637456464647.exe.d20000.1.unpack, u001a/u0094u0008.csCryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
                  Source: 0.0.RFQ__637456464647.exe.d20000.4.unpack, u0097/u0005u0002.csCryptographic APIs: 'CreateDecryptor'
                  Source: 0.0.RFQ__637456464647.exe.d20000.4.unpack, u0097/u0005u0002.csCryptographic APIs: 'TransformFinalBlock'
                  Source: 0.0.RFQ__637456464647.exe.d20000.4.unpack, u001a/u0094u0008.csCryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
                  Source: C:\Users\user\Desktop\RFQ__637456464647.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                  Source: C:\Users\user\Desktop\RFQ__637456464647.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
                  Source: RFQ__637456464647.exeStatic PE information: Virtual size of .text is bigger than: 0x100000
                  Source: C:\Users\user\Desktop\RFQ__637456464647.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Jump to behavior
                  Source: RFQ__637456464647.exeStatic file information: File size 2844160 > 1048576
                  Source: RFQ__637456464647.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                  Source: RFQ__637456464647.exeStatic PE information: Raw size of .text is bigger than: 0x100000 < 0x2b5a00
                  Source: RFQ__637456464647.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                  Source: Binary string: System.Windows.Forms.pdb source: WER7284.tmp.dmp.13.dr
                  Source: Binary string: System.Core.ni.pdbRSDSD source: WER7284.tmp.dmp.13.dr
                  Source: Binary string: k,C:\Windows\System.pdb source: RFQ__637456464647.exe, 00000000.00000000.297785720.0000000001367000.00000004.00000010.00020000.00000000.sdmp, RFQ__637456464647.exe, 00000000.00000002.316242132.0000000001367000.00000004.00000010.00020000.00000000.sdmp
                  Source: Binary string: mscorlib.pdb source: WER7284.tmp.dmp.13.dr
                  Source: Binary string: System.Windows.Forms.pdbxT source: WER7284.tmp.dmp.13.dr
                  Source: Binary string: System.ni.pdbRSDS source: WER7284.tmp.dmp.13.dr
                  Source: Binary string: 7.PDB source: RFQ__637456464647.exe, 00000000.00000000.297785720.0000000001367000.00000004.00000010.00020000.00000000.sdmp
                  Source: Binary string: C:\Users\user\Desktop\RFQ__637456464647.PDB source: RFQ__637456464647.exe, 00000000.00000000.297785720.0000000001367000.00000004.00000010.00020000.00000000.sdmp, RFQ__637456464647.exe, 00000000.00000002.316242132.0000000001367000.00000004.00000010.00020000.00000000.sdmp
                  Source: Binary string: mscorlib.ni.pdb source: WER7284.tmp.dmp.13.dr
                  Source: Binary string: .pdb, source: RFQ__637456464647.exe, 00000000.00000000.297785720.0000000001367000.00000004.00000010.00020000.00000000.sdmp, RFQ__637456464647.exe, 00000000.00000002.316242132.0000000001367000.00000004.00000010.00020000.00000000.sdmp
                  Source: Binary string: System.Core.pdb source: WER7284.tmp.dmp.13.dr
                  Source: Binary string: mscorlib.ni.pdbRSDS source: WER7284.tmp.dmp.13.dr
                  Source: Binary string: System.pdbP>Q source: WER7284.tmp.dmp.13.dr
                  Source: Binary string: C:\Users\user\Desktop\RFQ__637456464647.PDB6 source: RFQ__637456464647.exe, 00000000.00000000.297785720.0000000001367000.00000004.00000010.00020000.00000000.sdmp, RFQ__637456464647.exe, 00000000.00000002.316242132.0000000001367000.00000004.00000010.00020000.00000000.sdmp
                  Source: Binary string: System.ni.pdb source: WER7284.tmp.dmp.13.dr
                  Source: Binary string: System.pdb source: WER7284.tmp.dmp.13.dr
                  Source: Binary string: chrome.exe.pdb source: RFQ__637456464647.exe, 00000000.00000002.317423148.00000000044C2000.00000004.00000800.00020000.00000000.sdmp, RFQ__637456464647.exe, 00000000.00000002.318083841.0000000004762000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000000.281746338.00007FF7A8C4A000.00000002.00000001.01000000.00000006.sdmp, chrome.exe.0.dr
                  Source: Binary string: System.Core.ni.pdb source: WER7284.tmp.dmp.13.dr
                  Source: C:\Users\user\Desktop\RFQ__637456464647.exeCode function: 1_2_054D9B97 push B000005Eh; iretd 1_2_054D9BB1
                  Source: chrome.exe.0.drStatic PE information: section name: .00cfg
                  Source: chrome.exe.0.drStatic PE information: section name: .retplne
                  Source: chrome.exe.0.drStatic PE information: section name: CPADinfo
                  Source: chrome.exe.0.drStatic PE information: section name: _RDATA
                  Source: C:\Users\user\Desktop\RFQ__637456464647.exeFile created: C:\Users\user\AppData\Local\Temp\chrome.exeJump to dropped file
                  Source: C:\Users\user\Desktop\RFQ__637456464647.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\chrome.exeCode function: 5_2_00007FF7A8B391C0 GetSystemTimeAsFileTime followed by cmp: cmp rdi, 13h and CTI: jc 00007FF7A8B39523h5_2_00007FF7A8B391C0
                  Source: C:\Users\user\Desktop\RFQ__637456464647.exeProcess information queried: ProcessInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\chrome.exeCode function: 5_2_00007FF7A8AA4330 GetCurrentThread,IsDebuggerPresent,GetModuleHandleW,GetProcAddress,_Init_thread_footer,GetCurrentThreadId,RaiseException,5_2_00007FF7A8AA4330
                  Source: C:\Users\user\Desktop\RFQ__637456464647.exeProcess token adjusted: DebugJump to behavior
                  Source: C:\Users\user\Desktop\RFQ__637456464647.exeProcess queried: DebugPortJump to behavior
                  Source: C:\Users\user\Desktop\RFQ__637456464647.exeCode function: 1_2_06482D81 LdrInitializeThunk,1_2_06482D81
                  Source: C:\Users\user\Desktop\RFQ__637456464647.exeMemory allocated: page read and write | page guardJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\chrome.exeCode function: 5_2_00007FF7A8B13980 SetUnhandledExceptionFilter,K32GetPerformanceInfo,K32GetProcessMemoryInfo,GetProcessHandleCount,5_2_00007FF7A8B13980
                  Source: C:\Users\user\AppData\Local\Temp\chrome.exeCode function: 5_2_00007FF7A8A77D60 SetUnhandledExceptionFilter,SetConsoleCtrlHandler,_Init_thread_footer,SetProcessShutdownParameters,GetLastError,5_2_00007FF7A8A77D60
                  Source: C:\Users\user\AppData\Local\Temp\chrome.exeCode function: 5_2_00007FF7A8B9AFA0 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,5_2_00007FF7A8B9AFA0

                  HIPS / PFW / Operating System Protection Evasion

                  Source: RFQ__637456464647.exe, u000fu0005/u000eu0005.cs Reference to suspicious API methods: ('?\\x04', 'GetProcAddress@kernel32')
                  Source: 0.0.RFQ__637456464647.exe.d20000.1.unpack, u000fu0005/u000eu0005.cs Reference to suspicious API methods: ('?\\x04', 'GetProcAddress@kernel32')
                  Source: 0.0.RFQ__637456464647.exe.d20000.4.unpack, u000fu0005/u000eu0005.cs Reference to suspicious API methods: ('?\\x04', 'GetProcAddress@kernel32')
                  Source: 0.0.RFQ__637456464647.exe.d20000.0.unpack, u000fu0005/u000eu0005.cs Reference to suspicious API methods: ('?\\x04', 'GetProcAddress@kernel32')
                  Source: 0.2.RFQ__637456464647.exe.d20000.0.unpack, u000fu0005/u000eu0005.cs Reference to suspicious API methods: ('?\\x04', 'GetProcAddress@kernel32')
                  Source: 1.0.RFQ__637456464647.exe.8f0000.0.unpack, u000fu0005/u000eu0005.cs Reference to suspicious API methods: ('?\\x04', 'GetProcAddress@kernel32')
                  Source: 1.0.RFQ__637456464647.exe.8f0000.11.unpack, u000fu0005/u000eu0005.cs Reference to suspicious API methods: ('?\\x04', 'GetProcAddress@kernel32')
                  Source: 1.0.RFQ__637456464647.exe.400000.12.unpack, ufffdW?ufffd?/u061d????.cs Reference to suspicious API methods: ('???Z?', 'MapVirtualKey@user32.dll')
                  Source: 1.0.RFQ__637456464647.exe.400000.12.unpack, ?u0040???/ufffd?ufffd??.cs Reference to suspicious API methods: ('?????', 'LoadLibrary@kernel32.dll'), ('?????', 'GetProcAddress@kernel32')
                  Source: 1.0.RFQ__637456464647.exe.8f0000.13.unpack, u000fu0005/u000eu0005.cs Reference to suspicious API methods: ('?\\x04', 'GetProcAddress@kernel32')
                  Source: 1.0.RFQ__637456464647.exe.8f0000.1.unpack, u000fu0005/u000eu0005.cs Reference to suspicious API methods: ('?\\x04', 'GetProcAddress@kernel32')
                  Source: C:\Users\user\Desktop\RFQ__637456464647.exe Memory written: C:\Users\user\Desktop\RFQ__637456464647.exe base: 400000 value starts with: 4D5A
                  Source: C:\Users\user\Desktop\RFQ__637456464647.exe Process created: C:\Users\user\Desktop\RFQ__637456464647.exe C:\Users\user\Desktop\RFQ__637456464647.exe
                  Source: C:\Users\user\Desktop\RFQ__637456464647.exe Process created: C:\Users\user\AppData\Local\Temp\chrome.exe "C:\Users\user\AppData\Local\Temp\chrome.exe"
                  Source: C:\Users\user\Desktop\RFQ__637456464647.exe Queries volume information: C:\Users\user\Desktop\RFQ__637456464647.exe VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ__637456464647.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ__637456464647.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ__637456464647.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ__637456464647.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ__637456464647.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ__637456464647.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                  Source: C:\Users\user\AppData\Local\Temp\chrome.exe Code function: 5_2_00007FF7A8AC60E0 VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,_Init_thread_footer,CreateNamedPipeW,SetLastError,GetLastError,GetLastError
                  Source: C:\Users\user\AppData\Local\Temp\chrome.exe Code function: 5_2_00007FF7A8B8819C GetSystemTimeAsFileTime
                  Source: C:\Users\user\AppData\Local\Temp\chrome.exe Code function: 5_2_00007FF7A8A8B550 GetVersionExW,GetProductInfo,_Init_thread_footer,GetNativeSystemInfo,_Init_thread_footer

                  Stealing of Sensitive Information

                  Source: Yara match File source: Process Memory Space: RFQ__637456464647.exe PID: 6312, type: MEMORYSTR
                  Source: Yara match File source: Process Memory Space: RFQ__637456464647.exe PID: 6400, type: MEMORYSTR
                  Source: C:\Users\user\Desktop\RFQ__637456464647.exe File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\
                  Source: C:\Users\user\Desktop\RFQ__637456464647.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                  Source: C:\Users\user\Desktop\RFQ__637456464647.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
                  Source: C:\Users\user\Desktop\RFQ__637456464647.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data

                  Remote Access Functionality

                  Source: Yara match File source: Process Memory Space: RFQ__637456464647.exe PID: 6312, type: MEMORYSTR
                  Source: Yara match File source: Process Memory Space: RFQ__637456464647.exe PID: 6400, type: MEMORYSTR

                  Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
                  1 Valid Accounts | 2 Command and Scripting Interpreter | 1 Valid Accounts | 1 Valid Accounts | 1 Valid Accounts | 2 OS Credential Dumping | 11 System Time Discovery | Remote Services | 1 Email Collection | Exfiltration Over Other Network Medium | 1 Encrypted Channel | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
                  Default Accounts | 1 Native API | Boot or Logon Initialization Scripts | 1 Access Token Manipulation | 1 Access Token Manipulation | 1 Input Capture | 2 Security Software Discovery | Remote Desktop Protocol | 1 Input Capture | Exfiltration Over Bluetooth | 1 Ingress Tool Transfer | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
                  Domain Accounts | At (Linux) | Logon Script (Windows) | 112 Process Injection | 1 Virtualization/Sandbox Evasion | Security Account Manager | 1 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | 11 Archive Collected Data | Automated Exfiltration | 2 Non-Application Layer Protocol | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
                  Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | 1 Disable or Modify Tools | NTDS | 1 Process Discovery | Distributed Component Object Model | 2 Data from Local System | Scheduled Transfer | 2 Application Layer Protocol | SIM Card Swap | | Carrier Billing Fraud
                  Cloud Accounts | Cron | Network Logon Script | Network Logon Script | 112 Process Injection | LSA Secrets | 1 Remote System Discovery | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
                  Replication Through Removable Media | Launchd | Rc.common | Rc.common | 11 Deobfuscate/Decode Files or Information | Cached Domain Credentials | 1 File and Directory Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
                  External Remote Services | Scheduled Task | Startup Items | Startup Items | 3 Obfuscated Files or Information | DCSync | 15 System Information Discovery | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
                  Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | 1 Software Packing | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue

Source | Detection | Scanner | Label
RFQ__637456464647.exe | 46% | ReversingLabs | ByteCode-MSIL.Backdoor.Bladabhindi
RFQ__637456464647.exe | 100% | Joe Sandbox ML |

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\chrome.exe | 0% | Metadefender |
C:\Users\user\AppData\Local\Temp\chrome.exe | 0% | ReversingLabs |

Source | Detection | Scanner | Label
1.0.RFQ__637456464647.exe.400000.12.unpack | 100% | Avira | TR/ATRAPS.Gen
1.2.RFQ__637456464647.exe.400000.0.unpack | 100% | Avira | TR/ATRAPS.Gen
1.0.RFQ__637456464647.exe.400000.8.unpack | 100% | Avira | TR/ATRAPS.Gen
1.0.RFQ__637456464647.exe.400000.6.unpack | 100% | Avira | TR/ATRAPS.Gen
1.0.RFQ__637456464647.exe.400000.4.unpack | 100% | Avira | TR/ATRAPS.Gen
1.0.RFQ__637456464647.exe.400000.10.unpack | 100% | Avira | TR/ATRAPS.Gen

No Antivirus matches

Source | Detection | Scanner | Label
https://dsssdsa.fa)Uri | 0% | Avira URL Cloud | safe
http://checkip.dyndns.org/ | 0% | URL Reputation | safe
http://checkip.dyndns.org/q | 0% | URL Reputation | safe
http://www.smartassembly.com/webservices/Reporting/UploadReport2 | 0% | URL Reputation | safe
https://dsssdsa.fa | 0% | Avira URL Cloud | safe
http://checkip.dyndns.org | 0% | URL Reputation | safe
http://www.smartassembly.com/webservices/Reporting/ | 0% | URL Reputation | safe
http://checkip.dyndns.com | 0% | URL Reputation | safe
http://www.smartassembly.com/webservices/UploadReportLogin/ | 0% | URL Reputation | safe
http://www.smartassembly.com/webservices/UploadReportLogin/GetServerURL | 0% | URL Reputation | safe
http://checkip.dyndns.org4Jk | 0% | Avira URL Cloud | safe

Name | IP | Active | Malicious | Antivirus Detection | Reputation
checkip.dyndns.com | 132.226.8.169 | true | true | | unknown
checkip.dyndns.org | unknown | unknown | false | | unknown

Name | Malicious | Antivirus Detection | Reputation
http://checkip.dyndns.org/ | true | URL Reputation: safe | unknown

Name | Source | Malicious | Antivirus Detection | Reputation
https://dsssdsa.fa)Uri | RFQ__637456464647.exe | false | Avira URL Cloud: safe | low
https://crashpad.chromium.org/ | RFQ__637456464647.exe, 00000000.00000002.317423148.00000000044C2000.00000004.00000800.00020000.00000000.sdmp, RFQ__637456464647.exe, 00000000.00000002.318083841.0000000004762000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, chrome.exe, 00000005.00000000.281746338.00007FF7A8C4A000.00000002.00000001.01000000.00000006.sdmp, chrome.exe.0.dr | false | | high
https://api.telegram.org/bot | RFQ__637456464647.exe, 00000000.00000000.295208630.00000000047A4000.00000004.00000800.00020000.00000000.sdmp, RFQ__637456464647.exe, 00000000.00000002.317016109.00000000042C9000.00000004.00000800.00020000.00000000.sdmp, RFQ__637456464647.exe, 00000000.00000000.293530185.0000000004504000.00000004.00000800.00020000.00000000.sdmp, RFQ__637456464647.exe, 00000001.00000000.267692324.0000000000402000.00000040.00000400.00020000.00000000.sdmp | false | | high
https://crashpad.chromium.org/bug/new | RFQ__637456464647.exe, 00000000.00000002.317423148.00000000044C2000.00000004.00000800.00020000.00000000.sdmp, RFQ__637456464647.exe, 00000000.00000002.318083841.0000000004762000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, chrome.exe, 00000005.00000000.281746338.00007FF7A8C4A000.00000002.00000001.01000000.00000006.sdmp, chrome.exe.0.dr | false | | high
http://checkip.dyndns.org/q | RFQ__637456464647.exe, 00000000.00000000.295208630.00000000047A4000.00000004.00000800.00020000.00000000.sdmp, RFQ__637456464647.exe, 00000000.00000002.317016109.00000000042C9000.00000004.00000800.00020000.00000000.sdmp, RFQ__637456464647.exe, 00000000.00000000.293530185.0000000004504000.00000004.00000800.00020000.00000000.sdmp, RFQ__637456464647.exe, 00000001.00000000.267692324.0000000000402000.00000040.00000400.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://sawebservice.red-gate.com/ | RFQ__637456464647.exe | false | | high
http://www.smartassembly.com/webservices/Reporting/UploadReport2 | RFQ__637456464647.exe | false | URL Reputation: safe | unknown
https://dsssdsa.fa | RFQ__637456464647.exe | false | Avira URL Cloud: safe | unknown
http://checkip.dyndns.org | RFQ__637456464647.exe, 00000001.00000002.528823599.0000000002F51000.00000004.00000800.00020000.00000000.sdmp, RFQ__637456464647.exe, 00000001.00000002.529500482.0000000002FF7000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.smartassembly.com/webservices/Reporting/ | RFQ__637456464647.exe | false | URL Reputation: safe | unknown
http://checkip.dyndns.com | RFQ__637456464647.exe, 00000001.00000002.529500482.0000000002FF7000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | RFQ__637456464647.exe, 00000001.00000002.528823599.0000000002F51000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://crashpad.chromium.org/https://crashpad.chromium.org/bug/new | RFQ__637456464647.exe, 00000000.00000002.317423148.00000000044C2000.00000004.00000800.00020000.00000000.sdmp, RFQ__637456464647.exe, 00000000.00000002.318083841.0000000004762000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000000.281746338.00007FF7A8C4A000.00000002.00000001.01000000.00000006.sdmp, chrome.exe.0.dr | false | | high
http://www.smartassembly.com/webservices/UploadReportLogin/ | RFQ__637456464647.exe | false | URL Reputation: safe | unknown
http://www.smartassembly.com/webservices/UploadReportLogin/GetServerURL | RFQ__637456464647.exe | false | URL Reputation: safe | unknown
http://checkip.dyndns.org4Jk | RFQ__637456464647.exe, 00000001.00000002.528823599.0000000002F51000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown

IP | Domain | Country | ASN | ASN Name | Malicious
132.226.8.169 | checkip.dyndns.com | United States | 16989 | UTMEMUS | true

                                  IP
                                  192.168.2.1
                                  Joe Sandbox Version:34.0.0 Boulder Opal
                                  Analysis ID:632544
                                  Start date and time:2022-05-23 18:58:49 +02:00
                                  Joe Sandbox Product:CloudBasic
                                  Overall analysis duration:0h 10m 22s
                                  Hypervisor based Inspection enabled:false
                                  Report type:full
                                  Sample file name:RFQ__637456464647.exe
                                  Cookbook file name:default.jbs
                                  Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                  Number of analysed new started processes analysed:29
                                  Number of new started drivers analysed:0
                                  Number of existing processes analysed:0
                                  Number of existing drivers analysed:0
                                  Number of injected processes analysed:0
                                  Technologies:
                                  • HCA enabled
                                  • EGA enabled
                                  • HDC enabled
                                  • AMSI enabled
                                  Analysis Mode:default
                                  Analysis stop reason:Timeout
                                  Detection:MAL
                                  Classification:mal100.troj.spyw.evad.winEXE@6/5@2/2
                                  EGA Information:
                                  • Successful, ratio: 66.7%
                                  HDC Information:
                                  • Successful, ratio: 16.1% (good quality ratio 13%)
                                  • Quality average: 58.1%
                                  • Quality standard deviation: 37.6%
                                  HCA Information:
                                  • Successful, ratio: 100%
                                  • Number of executed functions: 108
                                  • Number of non-executed functions: 61
                                  Cookbook Comments:
                                  • Found application associated with file extension: .exe
                                  • Adjust boot time
                                  • Enable AMSI
                                  • Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, WerFault.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, WmiPrvSE.exe, svchost.exe, wuapihost.exe
                                  • Excluded IPs from analysis (whitelisted): 52.182.143.212
                                  • Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, fs.microsoft.com, onedsblobprdcus15.centralus.cloudapp.azure.com, store-images.s-microsoft.com, login.live.com, blobcollector.events.data.trafficmanager.net, sls.update.microsoft.com, ctldl.windowsupdate.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, watson.telemetry.microsoft.com, arc.msn.com
                                  • Execution Graph export aborted for target chrome.exe, PID 6672 because there are no executed function
                                  • Not all processes where analyzed, report is missing behavior information
                                  • Report size getting too big, too many NtOpenKeyEx calls found.
                                  • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                  • Report size getting too big, too many NtQueryValueKey calls found.
                                  • Report size getting too big, too many NtSetInformationFile calls found.

Time | Type | Description
19:00:24 | API Interceptor | 1x Sleep call for process: WerFault.exe modified

                                  Process:C:\Windows\SysWOW64\WerFault.exe
                                  File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):65536
                                  Entropy (8bit):1.0802804484479727
                                  Encrypted:false
                                  SSDEEP:192:WOyEvUsxHBUZMXSaKtXfW/u7s4S274Itw:ZyEvUSBUZMXSah/u7s4X4Itw
                                  MD5:E56BC667B3B678430631F7CE3B8BBD4C
                                  SHA1:EA08F52BDD81A1D5BD03C34A20802621A13A5E8C
                                  SHA-256:3C7F3BEF460243B93180F3CCBD3CBC10971A29097D21F53C4B57598568A8058C
                                  SHA-512:F0ED9A2F476CD8B0899F8234DF82D1FFE2480992EC4EAE7A3957214828AFE6A64B9DCF86399061B7889A108F69F41485A778C450FBDC86D64B8B15D2E69B33D4
                                  Malicious:false
                                  Reputation:low
                                  Process:C:\Windows\SysWOW64\WerFault.exe
                                  File Type:Mini DuMP crash report, 15 streams, Tue May 24 02:00:21 2022, 0x1205a4 type
                                  Category:dropped
                                  Size (bytes):265529
                                  Entropy (8bit):3.312337303087705
                                  Encrypted:false
                                  SSDEEP:3072:rkHORSy0dv9UCgUnOw9gIOgF5xlH0DhmGndsTjd+pe:rkkTcTjP9RpDxt0AGFp
                                  MD5:7973C58C32915FBA6B5E4EEE9BF12854
                                  SHA1:8FBE6CBECD95C5CE84DC87F9A6399D06FD2BDBBC
                                  SHA-256:0583DBAE1CBBF287351119BDE87703268E64DA8D430F9D3C33A9D99C185432B2
                                  SHA-512:16E6182D38A8D0AB550B3FA310E6FC81E84E8AEEF686015B9050A2F8CB1A74D6C406CEFBC0A830E496F8655DEADB904F7444CA7835083ECBF4B1235098380EE9
                                  Malicious:false
                                  Reputation:low
                                  Process:C:\Windows\SysWOW64\WerFault.exe
                                  File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):8422
                                  Entropy (8bit):3.6962392631754497
                                  Encrypted:false
                                  SSDEEP:192:Rrl7r3GLNicG6yVG6YWhSUvlCvGgmfZF3S3Cprz89bphsfSYjm:RrlsNi16yVG6YgSUvlzgmf73S7pafSx
                                  MD5:DB6D045DBC6C75AE674930E621C24D0C
                                  SHA1:EC5D9E89F492C938C6B45FD7948D6D7E630575C0
                                  SHA-256:6763D58AA2DA5B1C0DB34B2CD54ABF3DEA1334933A99F235945CFDD3CD6B445A
                                  SHA-512:27D6CDA8DA201F33BCEFFBD510B010C421FD95B0D2871636315AA63C3147B43E11CB310388FB9AD143452D723651EFF61E9350C20A72AD7EB47BF5352048A18A
                                  Malicious:false
                                  Reputation:low
                                  Process:C:\Windows\SysWOW64\WerFault.exe
                                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):4794
                                  Entropy (8bit):4.506229802328503
                                  Encrypted:false
                                  SSDEEP:48:cvIwSD8zsjJgtWI9AGWgc8sqYj68fm8M4JKOwO7FnHno+q8vrOwOsUPOY4TsK3QE:uITf9nHgrsqYbJ7wcIKawyPO1Y1ud
                                  MD5:10BD2D57F1961B27D477C05A55D89E59
                                  SHA1:1ABFAD5821C4BC61962184488F33565531BB59F9
                                  SHA-256:40DBD1A60D73AA328FAB8171384B79764B1A0F1A934FB1038CC0BE506F2CEB11
                                  SHA-512:D8A24722E437F15B220AF4A2AC6BB5DA80E8F6B90C25CA69C3FCE203329D755953F8F9B739039FC3EE766DFB9D7273A9790535D741CBB8856F02A386D36C828F
                                  Malicious:false
                                  Reputation:low
                                  Process:C:\Users\user\Desktop\RFQ__637456464647.exe
                                  File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                  Category:dropped
                                  Size (bytes):2622352
                                  Entropy (8bit):6.584925607886023
                                  Encrypted:false
                                  SSDEEP:49152:ZkwWDBRk5Swp1oFSFb8XUK+3crWECSP/cESM0RCZ/Sf8peUTbVkyC:2TX79FXCaSMHpC
                                  MD5:7F916511A313837EFCDE9E4112A64E5B
                                  SHA1:6A2A2427CF1D888CB40A18527478C84DEDF1DB61
                                  SHA-256:F342AF2B1E3DD9BA90C10F643EC1F50459EFBB5912496E8AC553682C2B7A9F6E
                                  SHA-512:A2F92AE37D6ECD16D7B4312EA2548F494D01BD386A439E05258073F4038FCFA60BD7D79FCB8CA5B285BAC121799826B87655EC594F7B4A9CCF5DA70CE3273E1B
                                  Malicious:false
                                  Antivirus:
                                  • Antivirus: Metadefender, Detection: 0%, Browse
                                  • Antivirus: ReversingLabs, Detection: 0%
                                  Reputation:low
                                  File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                  Entropy (8bit):7.991836040381107
                                  TrID:
                                  • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                  • Win32 Executable (generic) a (10002005/4) 49.78%
                                  • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                  • Generic Win/DOS Executable (2004/3) 0.01%
                                  • DOS Executable Generic (2002/1) 0.01%
                                  File name:RFQ__637456464647.exe
                                  File size:2844160
                                  MD5:b4bc907e8d48e8f09b4d9fdd8d416599
                                  SHA1:592a814a428c8a5de3f06245996fc775e8dc987f
                                  SHA256:7f7804a5460695dae61e378d733f0a613083e84c654ea6264a5276944b33f943
                                  SHA512:b74608846f9e494789e52b79e1aab9fd5fa7918b46441cc0cf2ee0d2883151c327180b4119bbeae6bd83360dcedc8c6142e6fab0b56650b818aa51a2527d6759
                                  SSDEEP:49152:oXJTCTSfReUawVjvGdhAD7E3IJ6daAQeFdjwCE1/02Xro9+83qpK:suoRZawVjvGdhGE3IJA/jwD82013q
                                  TLSH:A9D52383B38AA47AF0BC25B4DCC3EB834F65579C5665FCD62A8151AC38253BBE570213
                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......b.................Z+..........y+.. ....+...@.. ........................+.......+...@................................
                                  Icon Hash:00828e8e8686b000
                                  Entrypoint:0x6b791a
                                  Entrypoint Section:.text
                                  Digitally signed:false
                                  Imagebase:0x400000
                                  Subsystem:windows gui
                                  Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                  DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                  Time Stamp:0x628B062E [Mon May 23 03:57:34 2022 UTC]
                                  TLS Callbacks:
                                  CLR (.Net) Version:v4.0.30319
                                  OS Version Major:4
                                  OS Version Minor:0
                                  File Version Major:4
                                  File Version Minor:0
                                  Subsystem Version Major:4
                                  Subsystem Version Minor:0
                                  Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                  Instruction
                                  jmp dword ptr [00402000h]
                                  add byte ptr [eax], al
                                  Name | Virtual Address | Virtual Size | Is in Section
                                  IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                  IMAGE_DIRECTORY_ENTRY_IMPORT | 0x2b78d0 | 0x4a | .text
                                  IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x2b8000 | 0x72a | .rsrc
                                  IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                  IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                  IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x2ba000 | 0xc | .reloc
                                  IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                  IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                  IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                  IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                  IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                  IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                  IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                                  IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                  IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                                  IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                  Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                  .text | 0x2000 | 0x2b5920 | 0x2b5a00 | unknown | unknown | unknown | unknown | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                  .rsrc | 0x2b8000 | 0x72a | 0x800 | False | 0.31591796875 | data | 4.48924436504 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                  .reloc | 0x2ba000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                  Name | RVA | Size | Type | Language | Country
                                  RT_VERSION | 0x2b80b8 | 0x27c | data | |
                                  RT_MANIFEST | 0x2b8334 | 0x1fa | XML 1.0 document, ASCII text, with very long lines, with no line terminators | |
                                  RT_MANIFEST | 0x2b8530 | 0x1fa | XML 1.0 document, ASCII text, with very long lines, with no line terminators | English | United States
                                  DLL | Import
                                  mscoree.dll | _CorExeMain
                                  Description | Data
                                  Translation | 0x0000 0x04b0
                                  LegalCopyright |
                                  Assembly Version | 0.0.0.0
                                  InternalName | JxIIaRUTvaLxexPWTLbbe.exe
                                  FileVersion | 0.0.0.0
                                  ProductVersion | 0.0.0.0
                                  FileDescription |
                                  OriginalFilename | JxIIaRUTvaLxexPWTLbbe.exe
                                  Language of compilation system | Country where language is spoken | Map
                                  English | United States |
                                  Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                                  05/23/22-19:00:12.710166 | TCP | 2842536 | ETPRO TROJAN 404/Snake/Matiex Keylogger Style External IP Check | 49740 | 80 | 192.168.2.3 | 132.226.8.169
                                  Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                  May 23, 2022 19:00:09.422519922 CEST | 49740 | 80 | 192.168.2.3 | 132.226.8.169
                                  May 23, 2022 19:00:12.433237076 CEST | 49740 | 80 | 192.168.2.3 | 132.226.8.169
                                  May 23, 2022 19:00:12.709538937 CEST | 80 | 49740 | 132.226.8.169 | 192.168.2.3
                                  May 23, 2022 19:00:12.709647894 CEST | 49740 | 80 | 192.168.2.3 | 132.226.8.169
                                  May 23, 2022 19:00:12.710165977 CEST | 49740 | 80 | 192.168.2.3 | 132.226.8.169
                                  May 23, 2022 19:00:12.986522913 CEST | 80 | 49740 | 132.226.8.169 | 192.168.2.3
                                  May 23, 2022 19:00:13.988107920 CEST | 80 | 49740 | 132.226.8.169 | 192.168.2.3
                                  May 23, 2022 19:00:14.126456022 CEST | 49740 | 80 | 192.168.2.3 | 132.226.8.169
                                  May 23, 2022 19:01:18.987670898 CEST | 80 | 49740 | 132.226.8.169 | 192.168.2.3
                                  May 23, 2022 19:01:18.987759113 CEST | 49740 | 80 | 192.168.2.3 | 132.226.8.169
                                  May 23, 2022 19:01:54.057121992 CEST | 49740 | 80 | 192.168.2.3 | 132.226.8.169
                                  May 23, 2022 19:01:54.333545923 CEST | 80 | 49740 | 132.226.8.169 | 192.168.2.3
                                  Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                  May 23, 2022 19:00:09.279763937 CEST | 64851 | 53 | 192.168.2.3 | 8.8.8.8
                                  May 23, 2022 19:00:09.298605919 CEST | 53 | 64851 | 8.8.8.8 | 192.168.2.3
                                  May 23, 2022 19:00:09.312563896 CEST | 49316 | 53 | 192.168.2.3 | 8.8.8.8
                                  May 23, 2022 19:00:09.331444979 CEST | 53 | 49316 | 8.8.8.8 | 192.168.2.3
                                  Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                                  May 23, 2022 19:00:09.279763937 CEST | 192.168.2.3 | 8.8.8.8 | 0xc5ee | Standard query (0) | checkip.dyndns.org | A (IP address) | IN (0x0001)
                                  May 23, 2022 19:00:09.312563896 CEST | 192.168.2.3 | 8.8.8.8 | 0x2cce | Standard query (0) | checkip.dyndns.org | A (IP address) | IN (0x0001)
                                  Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                                  May 23, 2022 19:00:09.298605919 CEST | 8.8.8.8 | 192.168.2.3 | 0xc5ee | No error (0) | checkip.dyndns.org | checkip.dyndns.com | | CNAME (Canonical name) | IN (0x0001)
                                  May 23, 2022 19:00:09.298605919 CEST | 8.8.8.8 | 192.168.2.3 | 0xc5ee | No error (0) | checkip.dyndns.com | | 132.226.8.169 | A (IP address) | IN (0x0001)
                                  May 23, 2022 19:00:09.298605919 CEST | 8.8.8.8 | 192.168.2.3 | 0xc5ee | No error (0) | checkip.dyndns.com | | 158.101.44.242 | A (IP address) | IN (0x0001)
                                  May 23, 2022 19:00:09.298605919 CEST | 8.8.8.8 | 192.168.2.3 | 0xc5ee | No error (0) | checkip.dyndns.com | | 193.122.130.0 | A (IP address) | IN (0x0001)
                                  May 23, 2022 19:00:09.298605919 CEST | 8.8.8.8 | 192.168.2.3 | 0xc5ee | No error (0) | checkip.dyndns.com | | 132.226.247.73 | A (IP address) | IN (0x0001)
                                  May 23, 2022 19:00:09.298605919 CEST | 8.8.8.8 | 192.168.2.3 | 0xc5ee | No error (0) | checkip.dyndns.com | | 193.122.6.168 | A (IP address) | IN (0x0001)
                                  May 23, 2022 19:00:09.331444979 CEST | 8.8.8.8 | 192.168.2.3 | 0x2cce | No error (0) | checkip.dyndns.org | checkip.dyndns.com | | CNAME (Canonical name) | IN (0x0001)
                                  May 23, 2022 19:00:09.331444979 CEST | 8.8.8.8 | 192.168.2.3 | 0x2cce | No error (0) | checkip.dyndns.com | | 193.122.6.168 | A (IP address) | IN (0x0001)
                                  May 23, 2022 19:00:09.331444979 CEST | 8.8.8.8 | 192.168.2.3 | 0x2cce | No error (0) | checkip.dyndns.com | | 132.226.247.73 | A (IP address) | IN (0x0001)
                                  May 23, 2022 19:00:09.331444979 CEST | 8.8.8.8 | 192.168.2.3 | 0x2cce | No error (0) | checkip.dyndns.com | | 158.101.44.242 | A (IP address) | IN (0x0001)
                                  May 23, 2022 19:00:09.331444979 CEST | 8.8.8.8 | 192.168.2.3 | 0x2cce | No error (0) | checkip.dyndns.com | | 132.226.8.169 | A (IP address) | IN (0x0001)
                                  May 23, 2022 19:00:09.331444979 CEST | 8.8.8.8 | 192.168.2.3 | 0x2cce | No error (0) | checkip.dyndns.com | | 193.122.130.0 | A (IP address) | IN (0x0001)
                                  • checkip.dyndns.org
                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                  0 | 192.168.2.3 | 49740 | 132.226.8.169 | 80 | C:\Users\user\Desktop\RFQ__637456464647.exe
                                  Timestamp | kBytes transferred | Direction | Data
                                  May 23, 2022 19:00:12.710165977 CEST | 1139 | OUT | GET / HTTP/1.1
                                  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                  Host: checkip.dyndns.org
                                  Connection: Keep-Alive
                                  May 23, 2022 19:00:13.988107920 CEST | 1139 | IN | HTTP/1.1 200 OK
                                  Date: Mon, 23 May 2022 17:00:13 GMT
                                  Content-Type: text/html
                                  Content-Length: 103
                                  Connection: keep-alive
                                  Cache-Control: no-cache
                                  Pragma: no-cache
                                  Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 34 2e 31 37 2e 35 32 2e 31 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                  Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 84.17.52.19</body></html>


                                  Target ID:0
                                  Start time:18:59:56
                                  Start date:23/05/2022
                                  Path:C:\Users\user\Desktop\RFQ__637456464647.exe
                                  Wow64 process (32bit):true
                                  Commandline:"C:\Users\user\Desktop\RFQ__637456464647.exe"
                                  Imagebase:0xd20000
                                  File size:2844160 bytes
                                  MD5 hash:B4BC907E8D48E8F09B4D9FDD8D416599
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:.Net C# or VB.NET
                                  Yara matches:
                                  • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000000.00000000.295208630.00000000047A4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000000.295208630.00000000047A4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000000.295208630.00000000047A4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000000.00000000.295208630.00000000047A4000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                  • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000000.00000000.300985988.00000000047A4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000000.300985988.00000000047A4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000000.300985988.00000000047A4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000000.00000000.300985988.00000000047A4000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                  • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000000.00000002.318129181.00000000047A4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000002.318129181.00000000047A4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.318129181.00000000047A4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000000.00000002.318129181.00000000047A4000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                  • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000000.00000000.293530185.0000000004504000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000000.293530185.0000000004504000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000000.293530185.0000000004504000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000000.00000000.293530185.0000000004504000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                  • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000000.00000000.292477124.00000000042C9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000000.292477124.00000000042C9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000000.292477124.00000000042C9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000000.00000000.292477124.00000000042C9000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                  • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000000.00000000.300121250.0000000004504000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000000.300121250.0000000004504000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000000.300121250.0000000004504000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000000.00000000.300121250.0000000004504000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                  • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000000.00000002.317016109.00000000042C9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000002.317016109.00000000042C9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.317016109.00000000042C9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000000.00000002.317016109.00000000042C9000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                  • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000000.00000002.317478170.0000000004504000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000002.317478170.0000000004504000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.317478170.0000000004504000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000000.00000002.317478170.0000000004504000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                  • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000000.00000000.299489390.00000000042C9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000000.299489390.00000000042C9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000000.299489390.00000000042C9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000000.00000000.299489390.00000000042C9000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                  Reputation:low

                                  Target ID:1
                                  Start time:18:59:58
                                  Start date:23/05/2022
                                  Path:C:\Users\user\Desktop\RFQ__637456464647.exe
                                  Wow64 process (32bit):true
                                  Commandline:C:\Users\user\Desktop\RFQ__637456464647.exe
                                  Imagebase:0x8f0000
                                  File size:2844160 bytes
                                  MD5 hash:B4BC907E8D48E8F09B4D9FDD8D416599
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:.Net C# or VB.NET
                                  Yara matches:
                                  • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000001.00000000.267692324.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000001.00000000.267692324.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000000.267692324.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000001.00000000.267692324.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                  • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000001.00000000.266228380.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000001.00000000.266228380.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000000.266228380.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000001.00000000.266228380.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                  • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000001.00000002.525677202.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000001.00000002.525677202.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.525677202.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000001.00000002.525677202.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                  • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000001.00000000.270358708.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000001.00000000.270358708.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000000.270358708.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000001.00000000.270358708.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                  • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000001.00000000.268966946.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000001.00000000.268966946.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000000.268966946.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000001.00000000.268966946.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                  Reputation:low

                                  Target ID:5
                                  Start time:19:00:08
                                  Start date:23/05/2022
                                  Path:C:\Users\user\AppData\Local\Temp\chrome.exe
                                  Wow64 process (32bit):false
                                  Commandline:"C:\Users\user\AppData\Local\Temp\chrome.exe"
                                  Imagebase:0x7ff7a8a70000
                                  File size:2622352 bytes
                                  MD5 hash:7F916511A313837EFCDE9E4112A64E5B
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Antivirus matches:
                                  • Detection: 0%, Metadefender, Browse
                                  • Detection: 0%, ReversingLabs
                                  Reputation:low

                                  Target ID:13
                                  Start time:19:00:19
                                  Start date:23/05/2022
                                  Path:C:\Windows\SysWOW64\WerFault.exe
                                  Wow64 process (32bit):true
                                  Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 6312 -s 1296
                                  Imagebase:0xf40000
                                  File size:434592 bytes
                                  MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:.Net C# or VB.NET
                                  Reputation:high

                                    Execution Graph

                                    Execution Coverage:24.9%
                                    Dynamic/Decrypted Code Coverage:100%
                                    Signature Coverage:5.8%
                                    Total number of Nodes:52
                                    Total number of Limit Nodes:2

                                    APIs
                                    • CreateProcessAsUserA.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?), ref: 017231F8
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.316447368.0000000001720000.00000040.00000800.00020000.00000000.sdmp, Offset: 01720000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_1720000_RFQ__637456464647.jbxd
                                    Similarity
                                    • API ID: CreateProcessUser
                                    • String ID:
                                    • API String ID: 2217836671-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • CreateProcessAsUserA.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?), ref: 017231F8
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.316447368.0000000001720000.00000040.00000800.00020000.00000000.sdmp, Offset: 01720000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_1720000_RFQ__637456464647.jbxd
                                    Similarity
                                    • API ID: CreateProcessUser
                                    • String ID:
                                    • API String ID: 2217836671-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 017235ED
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.316447368.0000000001720000.00000040.00000800.00020000.00000000.sdmp, Offset: 01720000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_1720000_RFQ__637456464647.jbxd
                                    Similarity
                                    • API ID: MemoryProcessWrite
                                    • String ID:
                                    • API String ID: 3559483778-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 017235ED
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.316447368.0000000001720000.00000040.00000800.00020000.00000000.sdmp, Offset: 01720000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_1720000_RFQ__637456464647.jbxd
                                    Similarity
                                    • API ID: MemoryProcessWrite
                                    • String ID:
                                    • API String ID: 3559483778-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • SetThreadContext.KERNELBASE(?,00000000), ref: 017233AF
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.316447368.0000000001720000.00000040.00000800.00020000.00000000.sdmp, Offset: 01720000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_1720000_RFQ__637456464647.jbxd
                                    Similarity
                                    • API ID: ContextThread
                                    • String ID:
                                    • API String ID: 1591575202-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • SetThreadContext.KERNELBASE(?,00000000), ref: 017233AF
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.316447368.0000000001720000.00000040.00000800.00020000.00000000.sdmp, Offset: 01720000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_1720000_RFQ__637456464647.jbxd
                                    Similarity
                                    • API ID: ContextThread
                                    • String ID:
                                    • API String ID: 1591575202-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0172346E
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.316447368.0000000001720000.00000040.00000800.00020000.00000000.sdmp, Offset: 01720000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_1720000_RFQ__637456464647.jbxd
                                    Similarity
                                    • API ID: MemoryProcessRead
                                    • String ID:
                                    • API String ID: 1726664587-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0172346E
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.316447368.0000000001720000.00000040.00000800.00020000.00000000.sdmp, Offset: 01720000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_1720000_RFQ__637456464647.jbxd
                                    Similarity
                                    • API ID: MemoryProcessRead
                                    • String ID:
                                    • API String ID: 1726664587-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 01723523
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.316447368.0000000001720000.00000040.00000800.00020000.00000000.sdmp, Offset: 01720000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_1720000_RFQ__637456464647.jbxd
                                    Similarity
                                    • API ID: AllocVirtual
                                    • String ID:
                                    • API String ID: 4275171209-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 01723523
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.316447368.0000000001720000.00000040.00000800.00020000.00000000.sdmp, Offset: 01720000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_1720000_RFQ__637456464647.jbxd
                                    Similarity
                                    • API ID: AllocVirtual
                                    • String ID:
                                    • API String ID: 4275171209-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.316447368.0000000001720000.00000040.00000800.00020000.00000000.sdmp, Offset: 01720000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_1720000_RFQ__637456464647.jbxd
                                    Similarity
                                    • API ID: ResumeThread
                                    • String ID:
                                    • API String ID: 947044025-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.316447368.0000000001720000.00000040.00000800.00020000.00000000.sdmp, Offset: 01720000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_1720000_RFQ__637456464647.jbxd
                                    Similarity
                                    • API ID: ResumeThread
                                    • String ID:
                                    • API String ID: 947044025-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Execution Graph

                                    Execution Coverage:8.7%
                                    Dynamic/Decrypted Code Coverage:100%
                                    Signature Coverage:44.4%
                                    Total number of Nodes:18
                                    Total number of Limit Nodes:1
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.531108476.0000000006480000.00000040.00000800.00020000.00000000.sdmp, Offset: 06480000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_6480000_RFQ__637456464647.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: K
                                    • API String ID: 0-856455061
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • KiUserExceptionDispatcher.NTDLL ref: 06487B13
                                      • Part of subcall function 06482AD8: KiUserExceptionDispatcher.NTDLL(000000FF), ref: 06482C3A
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.531108476.0000000006480000.00000040.00000800.00020000.00000000.sdmp, Offset: 06480000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_6480000_RFQ__637456464647.jbxd
                                    Similarity
                                    • API ID: DispatcherExceptionUser
                                    • String ID:
                                    • API String ID: 6842923-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • KiUserExceptionDispatcher.NTDLL ref: 0648313B
                                      • Part of subcall function 06482AD8: KiUserExceptionDispatcher.NTDLL(000000FF), ref: 06482C3A
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.531108476.0000000006480000.00000040.00000800.00020000.00000000.sdmp, Offset: 06480000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_6480000_RFQ__637456464647.jbxd
                                    Similarity
                                    • API ID: DispatcherExceptionUser
                                    • String ID:
                                    • API String ID: 6842923-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • KiUserExceptionDispatcher.NTDLL ref: 0648DECB
                                      • Part of subcall function 06482AD8: KiUserExceptionDispatcher.NTDLL(000000FF), ref: 06482C3A
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.531108476.0000000006480000.00000040.00000800.00020000.00000000.sdmp, Offset: 06480000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_6480000_RFQ__637456464647.jbxd
                                    Similarity
                                    • API ID: DispatcherExceptionUser
                                    • String ID:
                                    • API String ID: 6842923-0
                                    • Opcode ID: 3708909748000f3dee6801079a3ca5f3cb7dc5ad6daa0c345e348f05f7d5fc51
                                    • Instruction ID: 5790e2ce8fa8022ed8db787ff0ca2c46b2f0a646530542651dfb1ea031081536
                                    • Opcode Fuzzy Hash: 3708909748000f3dee6801079a3ca5f3cb7dc5ad6daa0c345e348f05f7d5fc51
                                    • Instruction Fuzzy Hash: 57C1C274E00218CFDB54EFA5C994B9DBBB2BF89304F1081AAD909AB355DB345E81CF50
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • KiUserExceptionDispatcher.NTDLL ref: 064846F3
                                      • Part of subcall function 06482AD8: KiUserExceptionDispatcher.NTDLL(000000FF), ref: 06482C3A
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.531108476.0000000006480000.00000040.00000800.00020000.00000000.sdmp, Offset: 06480000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_6480000_RFQ__637456464647.jbxd
                                    Similarity
                                    • API ID: DispatcherExceptionUser
                                    • String ID:
                                    • API String ID: 6842923-0
                                    • Opcode ID: 5fab3a235a12250e57b92d1a9c9f827a7c51ea19efc7b035929a804066b639a5
                                    • Instruction ID: 413e8d4e2bc2a16beb7c4313eacaab3da981110b2dc3693f2e49d5310867b7c0
                                    • Opcode Fuzzy Hash: 5fab3a235a12250e57b92d1a9c9f827a7c51ea19efc7b035929a804066b639a5
                                    • Instruction Fuzzy Hash: 2DC1C274E00218CFDB54EFA5C994B9DBBB2FF89304F1081AAD909AB365DB355A81CF50
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • KiUserExceptionDispatcher.NTDLL ref: 0648F903
                                      • Part of subcall function 06482AD8: KiUserExceptionDispatcher.NTDLL(000000FF), ref: 06482C3A
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.531108476.0000000006480000.00000040.00000800.00020000.00000000.sdmp, Offset: 06480000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_6480000_RFQ__637456464647.jbxd
                                    Similarity
                                    • API ID: DispatcherExceptionUser
                                    • String ID:
                                    • API String ID: 6842923-0
                                    • Opcode ID: 53416eb7b3b09d2437d96caf2aff2c8cc06856c4fb88901262b6d602793a9077
                                    • Instruction ID: 6a08711e35635edc3e7f78f09249ff4297e46d3eeb210bb2090ee0f973c1c81b
                                    • Opcode Fuzzy Hash: 53416eb7b3b09d2437d96caf2aff2c8cc06856c4fb88901262b6d602793a9077
                                    • Instruction Fuzzy Hash: B0C1C274E00218CFDB54EFA5C994B9DBBB2FF89304F2081AAD909AB355DB345A85CF50
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • KiUserExceptionDispatcher.NTDLL ref: 06486103
                                      • Part of subcall function 06482AD8: KiUserExceptionDispatcher.NTDLL(000000FF), ref: 06482C3A
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.531108476.0000000006480000.00000040.00000800.00020000.00000000.sdmp, Offset: 06480000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_6480000_RFQ__637456464647.jbxd
                                    Similarity
                                    • API ID: DispatcherExceptionUser
                                    • String ID:
                                    • API String ID: 6842923-0
                                    • Opcode ID: 3ee5074e276ecbca173d23ef9370c3f4d0bf29192f7016b5d6dbd895244f7e82
                                    • Instruction ID: b29dd0c5a164228b80e40c303cec2d4e174e8285269e3311a511d32355656505
                                    • Opcode Fuzzy Hash: 3ee5074e276ecbca173d23ef9370c3f4d0bf29192f7016b5d6dbd895244f7e82
                                    • Instruction Fuzzy Hash: 18C1C374E00218CFDB54EFA5C994B9DBBB2FF89304F2081AAD909AB355DB355A81CF50
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • KiUserExceptionDispatcher.NTDLL ref: 06483593
                                      • Part of subcall function 06482AD8: KiUserExceptionDispatcher.NTDLL(000000FF), ref: 06482C3A
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.531108476.0000000006480000.00000040.00000800.00020000.00000000.sdmp, Offset: 06480000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_6480000_RFQ__637456464647.jbxd
                                    Similarity
                                    • API ID: DispatcherExceptionUser
                                    • String ID:
                                    • API String ID: 6842923-0
                                    • Opcode ID: 00b241045c7a21e2d6ec7bb7914fcfcac62d38f10f2d9fc7c35f9fb359e5a355
                                    • Instruction ID: a8edbc866d65e086099a493b74cfa4a2cea2953b67d6429c0bb7e205f1291f80
                                    • Opcode Fuzzy Hash: 00b241045c7a21e2d6ec7bb7914fcfcac62d38f10f2d9fc7c35f9fb359e5a355
                                    • Instruction Fuzzy Hash: 3BC1C374E00218CFDB54EFA5C994B9DBBB2FF89304F2081AAD909AB355DB355A85CF10
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • KiUserExceptionDispatcher.NTDLL ref: 06484FA3
                                      • Part of subcall function 06482AD8: KiUserExceptionDispatcher.NTDLL(000000FF), ref: 06482C3A
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.531108476.0000000006480000.00000040.00000800.00020000.00000000.sdmp, Offset: 06480000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_6480000_RFQ__637456464647.jbxd
                                    Similarity
                                    • API ID: DispatcherExceptionUser
                                    • String ID:
                                    • API String ID: 6842923-0
                                    • Opcode ID: 52c3716ebb9e3a69d901bfbf57b6f3efe051004d924e6e6c13899a0c6b37b8cc
                                    • Instruction ID: 7f30dae3aab54cb1479fcc45e103075aa01f9ced7a247c3bc96b37d81eff5443
                                    • Opcode Fuzzy Hash: 52c3716ebb9e3a69d901bfbf57b6f3efe051004d924e6e6c13899a0c6b37b8cc
                                    • Instruction Fuzzy Hash: 12C1B274E00218CFDB54EFA5C994B9DBBB2BF89304F2081AAD909AB355DB345A81CF50
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • KiUserExceptionDispatcher.NTDLL ref: 0648E7A3
                                      • Part of subcall function 06482AD8: KiUserExceptionDispatcher.NTDLL(000000FF), ref: 06482C3A
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.531108476.0000000006480000.00000040.00000800.00020000.00000000.sdmp, Offset: 06480000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_6480000_RFQ__637456464647.jbxd
                                    Similarity
                                    • API ID: DispatcherExceptionUser
                                    • String ID:
                                    • API String ID: 6842923-0
                                    • Opcode ID: 02151577a728db351039356cd745711d7063b28dc745f058f5359d0a5bd32a23
                                    • Instruction ID: 1a3e695522bc9feefee2d2da497924311e714caef12de9984f130c43f16e7fca
                                    • Opcode Fuzzy Hash: 02151577a728db351039356cd745711d7063b28dc745f058f5359d0a5bd32a23
                                    • Instruction Fuzzy Hash: 61C1C374E00218CFDB54EFA5C994B9DBBB2FF89304F1081AAD909AB355DB345A81CF50
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • KiUserExceptionDispatcher.NTDLL ref: 064869B3
                                      • Part of subcall function 06482AD8: KiUserExceptionDispatcher.NTDLL(000000FF), ref: 06482C3A
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.531108476.0000000006480000.00000040.00000800.00020000.00000000.sdmp, Offset: 06480000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_6480000_RFQ__637456464647.jbxd
                                    Similarity
                                    • API ID: DispatcherExceptionUser
                                    • String ID:
                                    • API String ID: 6842923-0
                                    • Opcode ID: 05fbf7e9959a30e37cf47c85416f5547f2d8c37cb80c568e1042707cf5dfecfa
                                    • Instruction ID: 374759e14b1153fb308c5712b2bf248c3d7c49b8d885396747c3f4f506e89ec1
                                    • Opcode Fuzzy Hash: 05fbf7e9959a30e37cf47c85416f5547f2d8c37cb80c568e1042707cf5dfecfa
                                    • Instruction Fuzzy Hash: 92C1C274E00218CFDB54EFA5C994B9DBBB2FF89304F2081AAD909AB355DB345A81CF10
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • KiUserExceptionDispatcher.NTDLL ref: 064883C3
                                      • Part of subcall function 06482AD8: KiUserExceptionDispatcher.NTDLL(000000FF), ref: 06482C3A
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.531108476.0000000006480000.00000040.00000800.00020000.00000000.sdmp, Offset: 06480000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_6480000_RFQ__637456464647.jbxd
                                    Similarity
                                    • API ID: DispatcherExceptionUser
                                    • String ID:
                                    • API String ID: 6842923-0
                                    • Opcode ID: 25c65dff9945d12a058a6e6af82c502ddccfd1b672024a9dedca4026783cda59
                                    • Instruction ID: 93eab0e6c097b001c6a37a10d94091af5b406bb41b4aad1d00f0b48253739cd7
                                    • Opcode Fuzzy Hash: 25c65dff9945d12a058a6e6af82c502ddccfd1b672024a9dedca4026783cda59
                                    • Instruction Fuzzy Hash: D5C1C374E01218CFDB54EFA5C994B9DBBB2FF89304F2081AAD509AB365DB355A81CF10
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • KiUserExceptionDispatcher.NTDLL ref: 0648E34B
                                      • Part of subcall function 06482AD8: KiUserExceptionDispatcher.NTDLL(000000FF), ref: 06482C3A
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.531108476.0000000006480000.00000040.00000800.00020000.00000000.sdmp, Offset: 06480000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_6480000_RFQ__637456464647.jbxd
                                    Similarity
                                    • API ID: DispatcherExceptionUser
                                    • String ID:
                                    • API String ID: 6842923-0
                                    • Opcode ID: 5f57f439631689a86e2d4404968ae1afc770d52708234ed913c0cc66f15232e8
                                    • Instruction ID: d74679249414c6aa3dd3bf7b953f6ab0c2c25e970ac5691b24d7882c3cadd51b
                                    • Opcode Fuzzy Hash: 5f57f439631689a86e2d4404968ae1afc770d52708234ed913c0cc66f15232e8
                                    • Instruction Fuzzy Hash: D8C1B274E00218CFDB54EFA5C994B9DBBB2BF89304F1081AAD509AB365DB345A81CF50
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • KiUserExceptionDispatcher.NTDLL ref: 06484B4B
                                      • Part of subcall function 06482AD8: KiUserExceptionDispatcher.NTDLL(000000FF), ref: 06482C3A
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.531108476.0000000006480000.00000040.00000800.00020000.00000000.sdmp, Offset: 06480000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_6480000_RFQ__637456464647.jbxd
                                    Similarity
                                    • API ID: DispatcherExceptionUser
                                    • String ID:
                                    • API String ID: 6842923-0
                                    • Opcode ID: 2e3b76c6e93b2e1f62535265c41e2ddf22569d21d98de353c0939fcddb04718c
                                    • Instruction ID: d410320504df59c46b711679ad62400abc98fe10892d03d9f3af155c25e3d609
                                    • Opcode Fuzzy Hash: 2e3b76c6e93b2e1f62535265c41e2ddf22569d21d98de353c0939fcddb04718c
                                    • Instruction Fuzzy Hash: F0C1C374E00218CFDB54EFA5C994BADBBB2FF89304F2081AAD509AB355DB345A81CF50
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • KiUserExceptionDispatcher.NTDLL ref: 0648655B
                                      • Part of subcall function 06482AD8: KiUserExceptionDispatcher.NTDLL(000000FF), ref: 06482C3A
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.531108476.0000000006480000.00000040.00000800.00020000.00000000.sdmp, Offset: 06480000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_6480000_RFQ__637456464647.jbxd
                                    Similarity
                                    • API ID: DispatcherExceptionUser
                                    • String ID:
                                    • API String ID: 6842923-0
                                    • Opcode ID: df673ab237730b5eed111f494684b0a52a502311f78212e74461b7d62a0db002
                                    • Instruction ID: 5bd7e01a0a5f8d4044cbfe6ce6fc837a938651b093e79701777add3fe02962bb
                                    • Opcode Fuzzy Hash: df673ab237730b5eed111f494684b0a52a502311f78212e74461b7d62a0db002
                                    • Instruction Fuzzy Hash: F0C1D374E01218CFDB54EFA5C990B9DBBB2FF89304F2081AAD509AB355DB355A81CF50
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • KiUserExceptionDispatcher.NTDLL ref: 06487F6B
                                      • Part of subcall function 06482AD8: KiUserExceptionDispatcher.NTDLL(000000FF), ref: 06482C3A
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.531108476.0000000006480000.00000040.00000800.00020000.00000000.sdmp, Offset: 06480000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_6480000_RFQ__637456464647.jbxd
                                    Similarity
                                    • API ID: DispatcherExceptionUser
                                    • String ID:
                                    • API String ID: 6842923-0
                                    • Opcode ID: 9653f24b39cbe2dddc4cb5f2adc2403bda5652f832582a72b629976bad6b4513
                                    • Instruction ID: e1febef9ffaad0af1c41d420019e2fabeff09ac1d7b96085e6a48d7cd747b287
                                    • Opcode Fuzzy Hash: 9653f24b39cbe2dddc4cb5f2adc2403bda5652f832582a72b629976bad6b4513
                                    • Instruction Fuzzy Hash: CEC1C374E00218CFDB54EFA5C994B9DBBB2FF89304F2081AAD909AB355DB345A81CF10
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • KiUserExceptionDispatcher.NTDLL ref: 06486E0B
                                      • Part of subcall function 06482AD8: KiUserExceptionDispatcher.NTDLL(000000FF), ref: 06482C3A
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.531108476.0000000006480000.00000040.00000800.00020000.00000000.sdmp, Offset: 06480000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_6480000_RFQ__637456464647.jbxd
                                    Similarity
                                    • API ID: DispatcherExceptionUser
                                    • String ID:
                                    • API String ID: 6842923-0
                                    • Opcode ID: 64bab72dce9b0e4497dff0627eee31d54d9bda736b2ab6894895da495504419b
                                    • Instruction ID: db6db548f8d7ef7819ba1837a3652ef35217fa0bdde048621e15eb1a84004ea1
                                    • Opcode Fuzzy Hash: 64bab72dce9b0e4497dff0627eee31d54d9bda736b2ab6894895da495504419b
                                    • Instruction Fuzzy Hash: EBC1C374E00218CFDB54EFA5C994B9DBBB2FF89304F2081AAD909AB355DB355A81CF50
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • KiUserExceptionDispatcher.NTDLL ref: 0648881B
                                      • Part of subcall function 06482AD8: KiUserExceptionDispatcher.NTDLL(000000FF), ref: 06482C3A
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.531108476.0000000006480000.00000040.00000800.00020000.00000000.sdmp, Offset: 06480000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_6480000_RFQ__637456464647.jbxd
                                    Similarity
                                    • API ID: DispatcherExceptionUser
                                    • String ID:
                                    • API String ID: 6842923-0
                                    • Opcode ID: dde53446d2228f7d10fe10dd4e05b91ceb3c81a8191166ca8f8e3db332728484
                                    • Instruction ID: c08990421130a687f9389ec1d2250173a1c1b585841cf2345bb2d144c5fa247b
                                    • Opcode Fuzzy Hash: dde53446d2228f7d10fe10dd4e05b91ceb3c81a8191166ca8f8e3db332728484
                                    • Instruction Fuzzy Hash: 76C1C274E01218CFDB54EFA5C994B9DBBB2FF89304F1081AAD909AB365DB345A81CF50
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • KiUserExceptionDispatcher.NTDLL ref: 06483E43
                                      • Part of subcall function 06482AD8: KiUserExceptionDispatcher.NTDLL(000000FF), ref: 06482C3A
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.531108476.0000000006480000.00000040.00000800.00020000.00000000.sdmp, Offset: 06480000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_6480000_RFQ__637456464647.jbxd
                                    Similarity
                                    • API ID: DispatcherExceptionUser
                                    • String ID:
                                    • API String ID: 6842923-0
                                    • Opcode ID: 9f7a64ab8fcc3d535f8051863d7ffbac384e1df0edb3fecaf216ebb6470035ff
                                    • Instruction ID: b4d6ca2e2e3a66fd4cde5c58b22a788faa4bc7462f24de3960492d7c260bc22a
                                    • Opcode Fuzzy Hash: 9f7a64ab8fcc3d535f8051863d7ffbac384e1df0edb3fecaf216ebb6470035ff
                                    • Instruction Fuzzy Hash: B7C1C374E00218CFDB54EFA5C994B9DBBB2BF89304F1081AAD909AB355DB345E81CF50
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • KiUserExceptionDispatcher.NTDLL ref: 064839EB
                                      • Part of subcall function 06482AD8: KiUserExceptionDispatcher.NTDLL(000000FF), ref: 06482C3A
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.531108476.0000000006480000.00000040.00000800.00020000.00000000.sdmp, Offset: 06480000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_6480000_RFQ__637456464647.jbxd
                                    Similarity
                                    • API ID: DispatcherExceptionUser
                                    • String ID:
                                    • API String ID: 6842923-0
                                    • Opcode ID: e1afbbab67b67cac0a63c7dab86666e99705770e56699e1b1584fd564ba52b35
                                    • Instruction ID: fefe14efea2ef2f0eb9ad72ebb0f0c53b479597ad8b897725d6e14229d9828ef
                                    • Opcode Fuzzy Hash: e1afbbab67b67cac0a63c7dab86666e99705770e56699e1b1584fd564ba52b35
                                    • Instruction Fuzzy Hash: 29C1C374E00218CFDB54EFA5C994B9DBBB2FF89304F2081AAD509AB355DB355A81CF50
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • KiUserExceptionDispatcher.NTDLL ref: 0648EBFB
                                      • Part of subcall function 06482AD8: KiUserExceptionDispatcher.NTDLL(000000FF), ref: 06482C3A
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.531108476.0000000006480000.00000040.00000800.00020000.00000000.sdmp, Offset: 06480000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_6480000_RFQ__637456464647.jbxd
                                    Similarity
                                    • API ID: DispatcherExceptionUser
                                    • String ID:
                                    • API String ID: 6842923-0
                                    • Opcode ID: 74b1e3e57a4976029a6c7e3d470f9d94e976d359408704dc95ad648baaf148b9
                                    • Instruction ID: 54566ac7e2ef4fef932a52a913a961e3a734b728a0d2f536a6553d0889c88e8c
                                    • Opcode Fuzzy Hash: 74b1e3e57a4976029a6c7e3d470f9d94e976d359408704dc95ad648baaf148b9
                                    • Instruction Fuzzy Hash: 88C1D274E00218CFDB54EFA5C994B9DBBB2FF89304F1081AAD909AB365DB355A85CF10
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • KiUserExceptionDispatcher.NTDLL ref: 064853FB
                                      • Part of subcall function 06482AD8: KiUserExceptionDispatcher.NTDLL(000000FF), ref: 06482C3A
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.531108476.0000000006480000.00000040.00000800.00020000.00000000.sdmp, Offset: 06480000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_6480000_RFQ__637456464647.jbxd
                                    Similarity
                                    • API ID: DispatcherExceptionUser
                                    • String ID:
                                    • API String ID: 6842923-0
                                    • Opcode ID: fcb53bf162a8a990f1fb2b100097db103abf1ff1ce3b39af96d355eff77e2f6b
                                    • Instruction ID: d421050f7be3dde27f42077c25d9875f6838b12c8f41d735dbd03b063edd749a
                                    • Opcode Fuzzy Hash: fcb53bf162a8a990f1fb2b100097db103abf1ff1ce3b39af96d355eff77e2f6b
                                    • Instruction Fuzzy Hash: 5BC1C374E00218CFDB58EFA5C994B9DBBB2FF89304F1081AAD509AB365DB345A85CF50
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • KiUserExceptionDispatcher.NTDLL ref: 0648429B
                                      • Part of subcall function 06482AD8: KiUserExceptionDispatcher.NTDLL(000000FF), ref: 06482C3A
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.531108476.0000000006480000.00000040.00000800.00020000.00000000.sdmp, Offset: 06480000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_6480000_RFQ__637456464647.jbxd
                                    Similarity
                                    • API ID: DispatcherExceptionUser
                                    • String ID:
                                    • API String ID: 6842923-0
                                    • Opcode ID: e76a38d90863972a0db16a57f4e88bb39f03a1c2b1291f9e6a7df494598833bd
                                    • Instruction ID: b3f302240bb39c30a1f2b179e5655b50b8822a3d18fc49e99f229b72694bbcc6
                                    • Opcode Fuzzy Hash: e76a38d90863972a0db16a57f4e88bb39f03a1c2b1291f9e6a7df494598833bd
                                    • Instruction Fuzzy Hash: B7C1C374E00218CFDB54EFA5C994B9DBBB2FF89304F1081AAD909AB355DB345A81CF50
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • KiUserExceptionDispatcher.NTDLL ref: 0648F4AB
                                      • Part of subcall function 06482AD8: KiUserExceptionDispatcher.NTDLL(000000FF), ref: 06482C3A
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.531108476.0000000006480000.00000040.00000800.00020000.00000000.sdmp, Offset: 06480000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_6480000_RFQ__637456464647.jbxd
                                    Similarity
                                    • API ID: DispatcherExceptionUser
                                    • String ID:
                                    • API String ID: 6842923-0
                                    • Opcode ID: 08e98cf1338e9aae6acaf4dc332066d2f4def4c5bc0d965968cd8b5179128cf6
                                    • Instruction ID: df08fbd6742445d2a80d4f9f14092f1acdfe9e2d9f6bb337b2a36b0d3e4a72d5
                                    • Opcode Fuzzy Hash: 08e98cf1338e9aae6acaf4dc332066d2f4def4c5bc0d965968cd8b5179128cf6
                                    • Instruction Fuzzy Hash: 8EC1C474E00218CFDB54EFA5C994B9DBBB2FF89304F1081AAD509AB365DB345A85CF50
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • KiUserExceptionDispatcher.NTDLL ref: 06485CAB
                                      • Part of subcall function 06482AD8: KiUserExceptionDispatcher.NTDLL(000000FF), ref: 06482C3A
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.531108476.0000000006480000.00000040.00000800.00020000.00000000.sdmp, Offset: 06480000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_6480000_RFQ__637456464647.jbxd
                                    Similarity
                                    • API ID: DispatcherExceptionUser
                                    • String ID:
                                    • API String ID: 6842923-0
                                    • Opcode ID: 03d20ba49a76c39c91f2801bec51b134b0c174452315c7a6e8d52be13be4cf79
                                    • Instruction ID: 46b6a2ebe627b3b838a4485cda0c1fde299c59e668180a8454f962eb438a3938
                                    • Opcode Fuzzy Hash: 03d20ba49a76c39c91f2801bec51b134b0c174452315c7a6e8d52be13be4cf79
                                    • Instruction Fuzzy Hash: 27C1C374E00218CFDB54EFA5C994B9DBBB2FF89304F2081AAD909AB355DB345A85CF50
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • KiUserExceptionDispatcher.NTDLL ref: 064876BB
                                      • Part of subcall function 06482AD8: KiUserExceptionDispatcher.NTDLL(000000FF), ref: 06482C3A
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.531108476.0000000006480000.00000040.00000800.00020000.00000000.sdmp, Offset: 06480000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_6480000_RFQ__637456464647.jbxd
                                    Similarity
                                    • API ID: DispatcherExceptionUser
                                    • String ID:
                                    • API String ID: 6842923-0
                                    • Opcode ID: 19c0330b29038f0439b3d6ac6b25361026d03eab7532207192327833dc26f799
                                    • Instruction ID: af51a588c99a2f7de4ad4d69fd8db606267a1ecd4010926b413cb5ff5d33bee4
                                    • Opcode Fuzzy Hash: 19c0330b29038f0439b3d6ac6b25361026d03eab7532207192327833dc26f799
                                    • Instruction Fuzzy Hash: 19C1C374E00218CFDB54EFA5C994B9DBBB2FF89304F2081AAD909AB355DB355A81CF50
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • KiUserExceptionDispatcher.NTDLL ref: 0648F053
                                      • Part of subcall function 06482AD8: KiUserExceptionDispatcher.NTDLL(000000FF), ref: 06482C3A
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.531108476.0000000006480000.00000040.00000800.00020000.00000000.sdmp, Offset: 06480000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_6480000_RFQ__637456464647.jbxd
                                    Similarity
                                    • API ID: DispatcherExceptionUser
                                    • String ID:
                                    • API String ID: 6842923-0
                                    • Opcode ID: d71742aeb5b13ce5f3c556b5c20a2340f4aae4435ad6a57fc87b99e73dab8c81
                                    • Instruction ID: 37451fae7bff37d4c0c3ebff217adf87331a75af0796960c6babe592a5b048c2
                                    • Opcode Fuzzy Hash: d71742aeb5b13ce5f3c556b5c20a2340f4aae4435ad6a57fc87b99e73dab8c81
                                    • Instruction Fuzzy Hash: 26C1C474E00218CFDB54EFA5C990B9DBBB2BF89304F1081AAD909AB355DB345E85CF10
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • KiUserExceptionDispatcher.NTDLL ref: 06485853
                                      • Part of subcall function 06482AD8: KiUserExceptionDispatcher.NTDLL(000000FF), ref: 06482C3A
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.531108476.0000000006480000.00000040.00000800.00020000.00000000.sdmp, Offset: 06480000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_6480000_RFQ__637456464647.jbxd
                                    Similarity
                                    • API ID: DispatcherExceptionUser
                                    • String ID:
                                    • API String ID: 6842923-0
                                    • Opcode ID: 62b9f220b2455b0bc6e9a5f4795bff02b66eaddba96d64aa2335082cf6484f29
                                    • Instruction ID: 0de4ed2cc2a1a377350e2b2a3d5ffad6f7d222b3f38b3feff3a1584d590dc868
                                    • Opcode Fuzzy Hash: 62b9f220b2455b0bc6e9a5f4795bff02b66eaddba96d64aa2335082cf6484f29
                                    • Instruction Fuzzy Hash: 21C1C374E00218CFDB58EFA5C994B9DBBB2FF89304F2081AAD509AB355DB355A81CF50
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • KiUserExceptionDispatcher.NTDLL ref: 06487263
                                      • Part of subcall function 06482AD8: KiUserExceptionDispatcher.NTDLL(000000FF), ref: 06482C3A
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.531108476.0000000006480000.00000040.00000800.00020000.00000000.sdmp, Offset: 06480000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_6480000_RFQ__637456464647.jbxd
                                    Similarity
                                    • API ID: DispatcherExceptionUser
                                    • String ID:
                                    • API String ID: 6842923-0
                                    • Opcode ID: 4c95b3dccf213cfdc1968ca435fe6c60e6908f66a1d56b23cde2b8cb20a542d9
                                    • Instruction ID: a5c977894dd35c403980d2cca3d553257d724a2801424f303e93223df8ebee98
                                    • Opcode Fuzzy Hash: 4c95b3dccf213cfdc1968ca435fe6c60e6908f66a1d56b23cde2b8cb20a542d9
                                    • Instruction Fuzzy Hash: C7C1B374E00218CFDB54EFA5C994B9DBBB2BF89304F2081AAD909AB355DB355A81CF50
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • KiUserExceptionDispatcher.NTDLL ref: 054D0563
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.530592954.00000000054D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054D0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_54d0000_RFQ__637456464647.jbxd
                                    Similarity
                                    • API ID: DispatcherExceptionUser
                                    • String ID:
                                    • API String ID: 6842923-0
                                    • Opcode ID: 72cc246da2961f11658f2d6dfcc2d2bc1ab6147b5203401e177db5c495694796
                                    • Instruction ID: afff41737a8d401063b21781309c6fcb2ef699f7f988a54c77376fb7eb16f31e
                                    • Opcode Fuzzy Hash: 72cc246da2961f11658f2d6dfcc2d2bc1ab6147b5203401e177db5c495694796
                                    • Instruction Fuzzy Hash: 52C1C374E00218CFDB54DFA5C994B9DBBB2FF89304F2081AAD909AB365DB355A81CF50
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • KiUserExceptionDispatcher.NTDLL ref: 054D010B
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.530592954.00000000054D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054D0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_54d0000_RFQ__637456464647.jbxd
                                    Similarity
                                    • API ID: DispatcherExceptionUser
                                    • String ID:
                                    • API String ID: 6842923-0
                                    • Opcode ID: f74bc41f829eba88ea47cf98dbad2eadea9cf0a1441afb78aa955fcdfe31c867
                                    • Instruction ID: 8daede879d71527071c3707f992c3e33a7b8e26f73600d73c6a54b7a0c3b2d0f
                                    • Opcode Fuzzy Hash: f74bc41f829eba88ea47cf98dbad2eadea9cf0a1441afb78aa955fcdfe31c867
                                    • Instruction Fuzzy Hash: E9C1C374E01218CFDB54DFA5C994BADBBB2BF89304F1081AAD909AB355DB355E81CF10
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • KiUserExceptionDispatcher.NTDLL ref: 054D09BB
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.530592954.00000000054D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054D0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_54d0000_RFQ__637456464647.jbxd
                                    Similarity
                                    • API ID: DispatcherExceptionUser
                                    • String ID:
                                    • API String ID: 6842923-0
                                    • Opcode ID: 8f151fdbabbacad86fa58320ca0a095cc4e39ae7ab8149c2b4b2fd4c8d11b069
                                    • Instruction ID: d0fd0b9b55f2aa4aaa76db47d87c6f822bb799036651a097f697256ee5f0cc0e
                                    • Opcode Fuzzy Hash: 8f151fdbabbacad86fa58320ca0a095cc4e39ae7ab8149c2b4b2fd4c8d11b069
                                    • Instruction Fuzzy Hash: F9C1C274E05218CFDB54DFA5C994B9DBBB2FF89304F2081AAD809AB365DB345A81CF10
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • KiUserExceptionDispatcher.NTDLL ref: 064883C3
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.531108476.0000000006480000.00000040.00000800.00020000.00000000.sdmp, Offset: 06480000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_6480000_RFQ__637456464647.jbxd
                                    Similarity
                                    • API ID: DispatcherExceptionUser
                                    • String ID:
                                    • API String ID: 6842923-0
                                    • Opcode ID: bd5a8bcd12edfed8078f573b199ca3229ec8ee5328193493a81617208f161556
                                    • Instruction ID: bcc590f36419286bc207819f8f5fc0459cf295fe6892355c5d8c35e6edb49bfe
                                    • Opcode Fuzzy Hash: bd5a8bcd12edfed8078f573b199ca3229ec8ee5328193493a81617208f161556
                                    • Instruction Fuzzy Hash: 0841F575E00248CFDB58DFAAD9506EEFBB2AF89304F20D12AC419BB255DB345946CF50
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • KiUserExceptionDispatcher.NTDLL ref: 054D010B
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.530592954.00000000054D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054D0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_54d0000_RFQ__637456464647.jbxd
                                    Similarity
                                    • API ID: DispatcherExceptionUser
                                    • String ID:
                                    • API String ID: 6842923-0
                                    • Opcode ID: b545ecb60ce66e8ab8b22182a59a712e33d178c4b87b80c7b144651602f34ec5
                                    • Instruction ID: 857ab4185153b61f638854eef48599cfa965d0eb6400cb09c7424c12f174756c
                                    • Opcode Fuzzy Hash: b545ecb60ce66e8ab8b22182a59a712e33d178c4b87b80c7b144651602f34ec5
                                    • Instruction Fuzzy Hash: 95410270D05248CBDB19DFA6D9646DEFBB2BF89300F24C16AC418BB265EB344946CF10
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • KiUserExceptionDispatcher.NTDLL ref: 0648881B
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.531108476.0000000006480000.00000040.00000800.00020000.00000000.sdmp, Offset: 06480000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_6480000_RFQ__637456464647.jbxd
                                    Similarity
                                    • API ID: DispatcherExceptionUser
                                    • String ID:
                                    • API String ID: 6842923-0
                                    • Opcode ID: 6b06fab5a3538ef4a2bd2b6a65ad3735873ad9077e0737330b1ddf4404f6e204
                                    • Instruction ID: 7ee104f773b4790fcc8c57a1753db01ea3e0bc3cae7b584e41c072b86c549ee5
                                    • Opcode Fuzzy Hash: 6b06fab5a3538ef4a2bd2b6a65ad3735873ad9077e0737330b1ddf4404f6e204
                                    • Instruction Fuzzy Hash: 3541F471E01248CFEB58EFAAD9506DEFBB2AF89304F24C12AD418BB254DB354946CF40
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • KiUserExceptionDispatcher.NTDLL ref: 0648F903
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.531108476.0000000006480000.00000040.00000800.00020000.00000000.sdmp, Offset: 06480000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_6480000_RFQ__637456464647.jbxd
                                    Similarity
                                    • API ID: DispatcherExceptionUser
                                    • String ID:
                                    • API String ID: 6842923-0
                                    • Opcode ID: c516e8c6fe44ff821a08cae9d2597a223aa4c63007b7f4c14b73ef69247eb110
                                    • Instruction ID: 323e975c5814ee380dfda7b435f62fc7e9fb36dff12f7c41cb915d060bdae575
                                    • Opcode Fuzzy Hash: c516e8c6fe44ff821a08cae9d2597a223aa4c63007b7f4c14b73ef69247eb110
                                    • Instruction Fuzzy Hash: ED41E170E00248CFDB58DFAAD9546DEBBB2BF89304F20D16AC414BB258DB35594ACF50
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • KiUserExceptionDispatcher.NTDLL ref: 06483593
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.531108476.0000000006480000.00000040.00000800.00020000.00000000.sdmp, Offset: 06480000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_6480000_RFQ__637456464647.jbxd
                                    Similarity
                                    • API ID: DispatcherExceptionUser
                                    • String ID:
                                    • API String ID: 6842923-0
                                    • Opcode ID: a22c08bf3ad5be18943086f778f14a96118b8da23c1e84f50b4e630b5037ed5b
                                    • Instruction ID: 82a0939733cd6c816b51f40f86382e76e505a2c9f812e87eb0da1684ae4bb58c
                                    • Opcode Fuzzy Hash: a22c08bf3ad5be18943086f778f14a96118b8da23c1e84f50b4e630b5037ed5b
                                    • Instruction Fuzzy Hash: 6F41BF70E01248CFEB59EFAAD55469EFBB2BF89304F20C12AC418BB254DB395946CF50
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • KiUserExceptionDispatcher.NTDLL ref: 06483E43
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.531108476.0000000006480000.00000040.00000800.00020000.00000000.sdmp, Offset: 06480000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_6480000_RFQ__637456464647.jbxd
                                    Similarity
                                    • API ID: DispatcherExceptionUser
                                    • String ID:
                                    • API String ID: 6842923-0
                                    • Opcode ID: 622bbe9332b216322a8a9fab86fa0b9805aec2eeee3357e3519a5e20acf42fd8
                                    • Instruction ID: 34ab9b90f44fb5f0f597624d2e62086af2aae1eaea02f7e540d0f91783dfb52f
                                    • Opcode Fuzzy Hash: 622bbe9332b216322a8a9fab86fa0b9805aec2eeee3357e3519a5e20acf42fd8
                                    • Instruction Fuzzy Hash: 1C41C170E01209CFEB59DFAAD9546AEFBF2BF89304F20C12AC414AB264DB345946CF50
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • KiUserExceptionDispatcher.NTDLL ref: 06487263
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.531108476.0000000006480000.00000040.00000800.00020000.00000000.sdmp, Offset: 06480000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_6480000_RFQ__637456464647.jbxd
                                    Similarity
                                    • API ID: DispatcherExceptionUser
                                    • String ID:
                                    • API String ID: 6842923-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • KiUserExceptionDispatcher.NTDLL ref: 054D09BB
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.530592954.00000000054D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054D0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_54d0000_RFQ__637456464647.jbxd
                                    Similarity
                                    • API ID: DispatcherExceptionUser
                                    • String ID:
                                    • API String ID: 6842923-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • KiUserExceptionDispatcher.NTDLL ref: 0648F4AB
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.531108476.0000000006480000.00000040.00000800.00020000.00000000.sdmp, Offset: 06480000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_6480000_RFQ__637456464647.jbxd
                                    Similarity
                                    • API ID: DispatcherExceptionUser
                                    • String ID:
                                    • API String ID: 6842923-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.531108476.0000000006480000.00000040.00000800.00020000.00000000.sdmp, Offset: 06480000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_6480000_RFQ__637456464647.jbxd
                                    Similarity
                                    • API ID: InitializeThunk
                                    • String ID:
                                    • API String ID: 2994545307-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • KiUserExceptionDispatcher.NTDLL ref: 0648E7A3
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.531108476.0000000006480000.00000040.00000800.00020000.00000000.sdmp, Offset: 06480000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_6480000_RFQ__637456464647.jbxd
                                    Similarity
                                    • API ID: DispatcherExceptionUser
                                    • String ID:
                                    • API String ID: 6842923-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • KiUserExceptionDispatcher.NTDLL ref: 06485853
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.531108476.0000000006480000.00000040.00000800.00020000.00000000.sdmp, Offset: 06480000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_6480000_RFQ__637456464647.jbxd
                                    Similarity
                                    • API ID: DispatcherExceptionUser
                                    • String ID:
                                    • API String ID: 6842923-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • KiUserExceptionDispatcher.NTDLL ref: 0648F053
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.531108476.0000000006480000.00000040.00000800.00020000.00000000.sdmp, Offset: 06480000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_6480000_RFQ__637456464647.jbxd
                                    Similarity
                                    • API ID: DispatcherExceptionUser
                                    • String ID:
                                    • API String ID: 6842923-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • KiUserExceptionDispatcher.NTDLL ref: 0648EBFB
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.531108476.0000000006480000.00000040.00000800.00020000.00000000.sdmp, Offset: 06480000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_6480000_RFQ__637456464647.jbxd
                                    Similarity
                                    • API ID: DispatcherExceptionUser
                                    • String ID:
                                    • API String ID: 6842923-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • KiUserExceptionDispatcher.NTDLL ref: 06485CAB
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.531108476.0000000006480000.00000040.00000800.00020000.00000000.sdmp, Offset: 06480000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_6480000_RFQ__637456464647.jbxd
                                    Similarity
                                    • API ID: DispatcherExceptionUser
                                    • String ID:
                                    • API String ID: 6842923-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • KiUserExceptionDispatcher.NTDLL ref: 0648E34B
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.531108476.0000000006480000.00000040.00000800.00020000.00000000.sdmp, Offset: 06480000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_6480000_RFQ__637456464647.jbxd
                                    Similarity
                                    • API ID: DispatcherExceptionUser
                                    • String ID:
                                    • API String ID: 6842923-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • KiUserExceptionDispatcher.NTDLL ref: 064869B3
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.531108476.0000000006480000.00000040.00000800.00020000.00000000.sdmp, Offset: 06480000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_6480000_RFQ__637456464647.jbxd
                                    Similarity
                                    • API ID: DispatcherExceptionUser
                                    • String ID:
                                    • API String ID: 6842923-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • KiUserExceptionDispatcher.NTDLL ref: 06487F6B
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.531108476.0000000006480000.00000040.00000800.00020000.00000000.sdmp, Offset: 06480000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_6480000_RFQ__637456464647.jbxd
                                    Similarity
                                    • API ID: DispatcherExceptionUser
                                    • String ID:
                                    • API String ID: 6842923-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • KiUserExceptionDispatcher.NTDLL ref: 064839EB
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.531108476.0000000006480000.00000040.00000800.00020000.00000000.sdmp, Offset: 06480000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_6480000_RFQ__637456464647.jbxd
                                    Similarity
                                    • API ID: DispatcherExceptionUser
                                    • String ID:
                                    • API String ID: 6842923-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • KiUserExceptionDispatcher.NTDLL ref: 0648429B
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.531108476.0000000006480000.00000040.00000800.00020000.00000000.sdmp, Offset: 06480000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_6480000_RFQ__637456464647.jbxd
                                    Similarity
                                    • API ID: DispatcherExceptionUser
                                    • String ID:
                                    • API String ID: 6842923-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • KiUserExceptionDispatcher.NTDLL ref: 0648DECB
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.531108476.0000000006480000.00000040.00000800.00020000.00000000.sdmp, Offset: 06480000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_6480000_RFQ__637456464647.jbxd
                                    Similarity
                                    • API ID: DispatcherExceptionUser
                                    • String ID:
                                    • API String ID: 6842923-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • KiUserExceptionDispatcher.NTDLL ref: 06484B4B
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.531108476.0000000006480000.00000040.00000800.00020000.00000000.sdmp, Offset: 06480000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_6480000_RFQ__637456464647.jbxd
                                    Similarity
                                    • API ID: DispatcherExceptionUser
                                    • String ID:
                                    • API String ID: 6842923-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • KiUserExceptionDispatcher.NTDLL ref: 06484FA3
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.531108476.0000000006480000.00000040.00000800.00020000.00000000.sdmp, Offset: 06480000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_6480000_RFQ__637456464647.jbxd
                                    Similarity
                                    • API ID: DispatcherExceptionUser
                                    • String ID:
                                    • API String ID: 6842923-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • KiUserExceptionDispatcher.NTDLL ref: 06486E0B
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.531108476.0000000006480000.00000040.00000800.00020000.00000000.sdmp, Offset: 06480000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_6480000_RFQ__637456464647.jbxd
                                    Similarity
                                    • API ID: DispatcherExceptionUser
                                    • String ID:
                                    • API String ID: 6842923-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • KiUserExceptionDispatcher.NTDLL ref: 064876BB
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.531108476.0000000006480000.00000040.00000800.00020000.00000000.sdmp, Offset: 06480000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_6480000_RFQ__637456464647.jbxd
                                    Similarity
                                    • API ID: DispatcherExceptionUser
                                    • String ID:
                                    • API String ID: 6842923-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • KiUserExceptionDispatcher.NTDLL ref: 06486103
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.531108476.0000000006480000.00000040.00000800.00020000.00000000.sdmp, Offset: 06480000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_6480000_RFQ__637456464647.jbxd
                                    Similarity
                                    • API ID: DispatcherExceptionUser
                                    • String ID:
                                    • API String ID: 6842923-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • KiUserExceptionDispatcher.NTDLL ref: 064853FB
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.531108476.0000000006480000.00000040.00000800.00020000.00000000.sdmp, Offset: 06480000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_6480000_RFQ__637456464647.jbxd
                                    Similarity
                                    • API ID: DispatcherExceptionUser
                                    • String ID:
                                    • API String ID: 6842923-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • KiUserExceptionDispatcher.NTDLL ref: 0648313B
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.531108476.0000000006480000.00000040.00000800.00020000.00000000.sdmp, Offset: 06480000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_6480000_RFQ__637456464647.jbxd
                                    Similarity
                                    • API ID: DispatcherExceptionUser
                                    • String ID:
                                    • API String ID: 6842923-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • KiUserExceptionDispatcher.NTDLL ref: 064846F3
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.531108476.0000000006480000.00000040.00000800.00020000.00000000.sdmp, Offset: 06480000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_6480000_RFQ__637456464647.jbxd
                                    Similarity
                                    • API ID: DispatcherExceptionUser
                                    • String ID:
                                    • API String ID: 6842923-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • KiUserExceptionDispatcher.NTDLL ref: 06487B13
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.531108476.0000000006480000.00000040.00000800.00020000.00000000.sdmp, Offset: 06480000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_6480000_RFQ__637456464647.jbxd
                                    Similarity
                                    • API ID: DispatcherExceptionUser
                                    • String ID:
                                    • API String ID: 6842923-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • KiUserExceptionDispatcher.NTDLL ref: 0648655B
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.531108476.0000000006480000.00000040.00000800.00020000.00000000.sdmp, Offset: 06480000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_6480000_RFQ__637456464647.jbxd
                                    Similarity
                                    • API ID: DispatcherExceptionUser
                                    • String ID:
                                    • API String ID: 6842923-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • KiUserExceptionDispatcher.NTDLL ref: 054D0563
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.530592954.00000000054D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054D0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_54d0000_RFQ__637456464647.jbxd
                                    Similarity
                                    • API ID: DispatcherExceptionUser
                                    • String ID:
                                    • API String ID: 6842923-0
                                    • Opcode ID: 711295c1ff0efda07e816a3ca87de39e04472cdf363f9a3923d1b201e89c9098
                                    • Instruction ID: 37510e09093a8c0fdfa488f8929b19b4f4410091b2f87773ecce1ea2519dddf0
                                    • Opcode Fuzzy Hash: 711295c1ff0efda07e816a3ca87de39e04472cdf363f9a3923d1b201e89c9098
                                    • Instruction Fuzzy Hash: 4F41A470E01248CBDB18DFA6D9546DEFBB2BF89304F24D16AD418BB258EB345946CF50
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.531108476.0000000006480000.00000040.00000800.00020000.00000000.sdmp, Offset: 06480000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_6480000_RFQ__637456464647.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: K
                                    • API String ID: 0-856455061
                                    • Opcode ID: 4f77b9d12af575ea60ea67a6b85b2f45cceeb8cc5ea709735f5917af752ffafc
                                    • Instruction ID: a3efb126ef3f0996881c2ba5ad130ce7b0f02789012f7c0d3b5e2739dad569df
                                    • Opcode Fuzzy Hash: 4f77b9d12af575ea60ea67a6b85b2f45cceeb8cc5ea709735f5917af752ffafc
                                    • Instruction Fuzzy Hash: 94B1F470D146198FDB55EFA9C8887DDFBB1EF99304F10C2AAE40867250EB74AA85CF41
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • KiUserExceptionDispatcher.NTDLL(000000FF), ref: 06482C3A
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.531108476.0000000006480000.00000040.00000800.00020000.00000000.sdmp, Offset: 06480000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_6480000_RFQ__637456464647.jbxd
                                    Similarity
                                    • API ID: DispatcherExceptionUser
                                    • String ID:
                                    • API String ID: 6842923-0
                                    • Opcode ID: 619050f08e94c4e84e51fdd6c451b390ebf984f96d3e5df92569de28c61f1e92
                                    • Instruction ID: f0e710f7019a2916d6acd9dc7fe0d7151795c0bb848f8077bff6d5530a4e937a
                                    • Opcode Fuzzy Hash: 619050f08e94c4e84e51fdd6c451b390ebf984f96d3e5df92569de28c61f1e92
                                    • Instruction Fuzzy Hash: 1651F4B0D01218CFDB18DFAAD4446DEBBF2BF88314F10C12AE414AB294D7749945CF54
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000001.00000002.531108476.0000000006480000.00000040.00000800.00020000.00000000.sdmp, Offset: 06480000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_6480000_RFQ__637456464647.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 32ca8bb48035216a9704111d5983b66e69d2e1e84f4b1087c5caa4b94b04b98c
                                    • Instruction ID: afb68e2d2c159be9d14f9430e157147b6bf3b3740b3eb71fe3fd0bce966172a2
                                    • Opcode Fuzzy Hash: 32ca8bb48035216a9704111d5983b66e69d2e1e84f4b1087c5caa4b94b04b98c
                                    • Instruction Fuzzy Hash: 6D512274D05208CFDB54EFA8D4846EEBBF1BF08315F20812AE415BB295D7B49A86CF90
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000001.00000002.531108476.0000000006480000.00000040.00000800.00020000.00000000.sdmp, Offset: 06480000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_6480000_RFQ__637456464647.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 063f8c11b51231482bf78ade406abab7d27f0dcc2bfde0af37815ce2c72875b5
                                    • Instruction ID: 2e3ba2ae83cc7f1d40f1b2449a086de858d216cf80bb0705e41ed9a913e1de8a
                                    • Opcode Fuzzy Hash: 063f8c11b51231482bf78ade406abab7d27f0dcc2bfde0af37815ce2c72875b5
                                    • Instruction Fuzzy Hash: 2C416A74A04109DFDB54EFA8D1809EEF7B2FB58304F20814AD50AAB285C7719A86CB94
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000001.00000002.531108476.0000000006480000.00000040.00000800.00020000.00000000.sdmp, Offset: 06480000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_6480000_RFQ__637456464647.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: dc4133e1a1de170f3ec365383704fc01c4900b12798b0989650114b295c7d18c
                                    • Instruction ID: dac078d05d316e8c0304cc18a04b62153a6dc8a7113057effcaa76a8252ca8f6
                                    • Opcode Fuzzy Hash: dc4133e1a1de170f3ec365383704fc01c4900b12798b0989650114b295c7d18c
                                    • Instruction Fuzzy Hash: 65415574E04109DFDB54DFA8D080AEEF7B2FF58314F24815AE409A7281C771AA86CF94
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 054DBA0F
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.530592954.00000000054D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054D0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_54d0000_RFQ__637456464647.jbxd
                                    Similarity
                                    • API ID: DuplicateHandle
                                    • String ID:
                                    • API String ID: 3793708945-0
                                    • Opcode ID: f9b8f3f5c2b739e17c3c813444146c98e89c94ad2606e6de5353b394057f709c
                                    • Instruction ID: 3d5848f73f653ef12d381afac86100435c6b3f3f40cdfc7f77da4a2ed3ce09a7
                                    • Opcode Fuzzy Hash: f9b8f3f5c2b739e17c3c813444146c98e89c94ad2606e6de5353b394057f709c
                                    • Instruction Fuzzy Hash: F721F2B5900248AFCB00CFA9D984AEEFBF4EB48324F14841AE955A3310D378A954CF60
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 054DBA0F
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.530592954.00000000054D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054D0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_54d0000_RFQ__637456464647.jbxd
                                    Similarity
                                    • API ID: DuplicateHandle
                                    • String ID:
                                    • API String ID: 3793708945-0
                                    • Opcode ID: 397563925ec8b5699416a10cbdf489755ef99a76ad4c0593ec5b9f4fdc079937
                                    • Instruction ID: fbee4adb460344b8e6ac72567c39331e1940d1445c5477cfcec0f4854d0b7f25
                                    • Opcode Fuzzy Hash: 397563925ec8b5699416a10cbdf489755ef99a76ad4c0593ec5b9f4fdc079937
                                    • Instruction Fuzzy Hash: BE21D5B5D04208AFDB10CF99D984ADEFBF9FB48324F15841AE915A3310D378A954CFA5
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000001.00000002.531108476.0000000006480000.00000040.00000800.00020000.00000000.sdmp, Offset: 06480000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_6480000_RFQ__637456464647.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 39bfb0b704b224ae34053afd5d6d9f710123d3b9c65acf405d09735b01d1eae7
                                    • Instruction ID: b3a113dcb106333ff1b93420e7f8d8bf6546a3795db1b32748b75eb2e19d2d8a
                                    • Opcode Fuzzy Hash: 39bfb0b704b224ae34053afd5d6d9f710123d3b9c65acf405d09735b01d1eae7
                                    • Instruction Fuzzy Hash: CEB1A474E00618CFDB54DFA9D894A9DBBB2FF89304F1181A9D819AB365DB30AD46CF10
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000001.00000002.531108476.0000000006480000.00000040.00000800.00020000.00000000.sdmp, Offset: 06480000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_6480000_RFQ__637456464647.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 72ed901ec339f8272a2cf97edb407b1ed47dea0452a3ed16a5aa3b3354301648
                                    • Instruction ID: 2ceab4ef7fdb0d1a96ed3f24fd85c5824bda6d3f7bde7340a80e618b7c5c7933
                                    • Opcode Fuzzy Hash: 72ed901ec339f8272a2cf97edb407b1ed47dea0452a3ed16a5aa3b3354301648
                                    • Instruction Fuzzy Hash: 6D517374E006088FDB48DFAAD594A9DBBF2BF89300F14816AD419AB365DB349946CF50
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000001.00000002.531108476.0000000006480000.00000040.00000800.00020000.00000000.sdmp, Offset: 06480000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_6480000_RFQ__637456464647.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 4e4fdc47f5e901358c5f23959e135ff7e970ff456dfbe0e576916ecc4ee8bf57
                                    • Instruction ID: 8a4dfc13d9a0557b10101b2ed385b0a61f28f093a63959b47b9396cd1b7a49c7
                                    • Opcode Fuzzy Hash: 4e4fdc47f5e901358c5f23959e135ff7e970ff456dfbe0e576916ecc4ee8bf57
                                    • Instruction Fuzzy Hash: 0ED09E34D082598ACF14EF54D9803EDB772BB96204F0161D6C11DB3610D7305E55CF56
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 62%
                                    			E00007FF77FF7A8B13980(void* __rbx, void* __rcx, void* __rdi, void* __rsi, void* __r12, void* __r14, void* __r15) {
                                    				signed long long _v56;
                                    				char _v88;
                                    				long long _v424;
                                    				long long _v552;
                                    				void* _t16;
                                    				void* _t22;
                                    				signed long long _t24;
                                    				void* _t40;
                                    				intOrPtr _t42;
                                    				intOrPtr _t45;
                                    				signed long long _t47;
                                    				void* _t48;
                                    				void* _t50;
                                    
                                    				_t24 =  *0xa8c85028; // 0x2b992ddfa232
                                    				_v56 = _t24 ^ _t47;
                                    				asm("xorps xmm0, xmm0");
                                    				_t2 =  &_v88; // -6148914691236516766
                                    				asm("movaps [ecx], xmm0");
                                    				 *((long long*)(_t2 + 0x10)) = 0;
                                    				if (E00007FF77FF7A8BFABB0(_t16, _t2, _t40, _t48, _t50) == 0) goto 0xa8b13aea;
                                    				_t42 =  *((intOrPtr*)(__rcx + 0x78));
                                    				_t45 =  *((intOrPtr*)(__rcx + 0x80));
                                    				if (_t42 == _t45) goto 0xa8b13b23;
                                    				if (( *(_t42 + 0x17) & 0x000000ff) >= 0) goto 0xa8b139ef;
                                    				if ( *((intOrPtr*)(_t42 + 8)) != 0xe) goto 0xa8b13a1a;
                                    				_v552 = 0xe;
                                    				if (E00007FF77FF7A8B59E40(_t42, _t40, 0xffffffff, "--monitor-self") == 0) goto 0xa8b13ad8;
                                    				_t22 = _t42 + 0x18 - _t45;
                                    				if (_t22 != 0) goto 0xa8b139e3;
                                    				asm("xorps xmm0, xmm0");
                                    				asm("movaps [esp+0x90], xmm0");
                                    				_v424 = 0;
                                    				if (_t22 == 0) goto 0xa8b13b3a;
                                    			}

                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.282202405.00007FF7A8A71000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF7A8A70000, based on PE: true
                                    • Associated: 00000005.00000002.282193308.00007FF7A8A70000.00000002.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282677117.00007FF7A8C32000.00000002.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282689759.00007FF7A8C3A000.00000002.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282700365.00007FF7A8C4A000.00000002.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282744839.00007FF7A8C85000.00000008.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282751860.00007FF7A8C8E000.00000008.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282767122.00007FF7A8C98000.00000002.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282780464.00007FF7A8CAA000.00000002.00000001.01000000.00000006.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_7ff7a8a70000_chrome.jbxd
                                    Similarity
                                    • API ID: InfoProcess$CountExceptionFileFilterHandleMemoryModuleNamePerformanceUnhandled
                                    • String ID: --monitor-self$--monitor-self-annotation=%s=%s$--monitor-self-argument=--monitor-self is not supported$--no-identify-client-via-url$--no-periodic-tasks$--no-rate-limit$--no-upload-gzip$../../third_party/crashpad/crashpad/handler/handler_main.cc$ActivityTracker.CollectCrash.Event$ActivityTracker.CollectCrash.Status$ActivityTrackerLocation
                                    • API String ID: 545287106-3098618262
                                    • Opcode ID: a7af4a51517e8fef7b293b2e7706e5bfa9b9b99b76cb4507e009598f94574908
                                    • Instruction ID: 428a8c5330c720790095fe12af99c1bc0fa05e329948506a84bf3040cbc27aec
                                    • Opcode Fuzzy Hash: a7af4a51517e8fef7b293b2e7706e5bfa9b9b99b76cb4507e009598f94574908
                                    • Instruction Fuzzy Hash: B582B631A0AB8181EA20EB15E4403FAF7A2FF84B94F814135DA9D0BBA5EF3CE555C754
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 27%
                                    			E00007FF77FF7A8A77D60() {
                                    				signed long long _v112;
                                    				long long _v120;
                                    				char _v136;
                                    				char _v152;
                                    				char _v184;
                                    				char _v208;
                                    				char _v288;
                                    				char _v312;
                                    				char _v384;
                                    				char _v424;
                                    				char _v448;
                                    				char _v456;
                                    				char _v881;
                                    				void _v896;
                                    				void _v904;
                                    				long long _v960;
                                    				long long _v968;
                                    				long long _v976;
                                    				long long _v984;
                                    				void* _t50;
                                    				void* _t54;
                                    				void* _t57;
                                    				void* _t59;
                                    				signed long long _t73;
                                    				long long _t92;
                                    				char* _t98;
                                    				intOrPtr* _t99;
                                    				long long* _t102;
                                    				long long* _t108;
                                    				long long _t109;
                                    				signed long long _t111;
                                    				long long _t112;
                                    
                                    				asm("movaps [esp+0x3a0], xmm7");
                                    				asm("movaps [esp+0x390], xmm6");
                                    				_t73 =  *0xa8c85028; // 0x2b992ddfa232
                                    				_v112 = _t73 ^ _t111;
                                    				_t108 =  &_v904;
                                    				 *_t108 = 0x2;
                                    				 *((long long*)(_t108 + 8)) = 0;
                                    				 *((long long*)(_t108 + 0x10)) = 0;
                                    				E00007FF77FF7A8A7A8D0(_t108);
                                    				SetUnhandledExceptionFilter(??);
                                    				 *0xa8c95fe8 = 0;
                                    				SetConsoleCtrlHandler(??, ??);
                                    				if ( *0xa8c95fe0 -  *((intOrPtr*)( *((intOrPtr*)( *[gs:0x58] + 0x3ffbd45f6a980)) + 4)) <= 0) goto 0xa8a77e5b;
                                    				E00007FF77FF7A8B88008();
                                    				if ( *0xa8c95fe0 != 0xffffffff) goto 0xa8a77e5b;
                                    				E00007FF77FF7A8B88160(0, 0xa8c95fe0);
                                    				_t50 = E00007FF77FF7A8A7A710(0);
                                    				 *0 = 0xa8c5f028;
                                    				 *0xa8c95fd8 = 0;
                                    				E00007FF77FF7A8B87FA8();
                                    				_v120 = 0xaaaaaaaa;
                                    				asm("movaps xmm6, [0x1e89bc]");
                                    				asm("movaps [esp+0x370], xmm6");
                                    				_t92 =  *_t99;
                                    				_v456 = _t92;
                                    				if (_t92 == 0) goto 0xa8a78989;
                                    				_v960 = _t112;
                                    				E00007FF77FF7A8BA8660(_t50, _t92);
                                    				 *((long long*)( &_v456 + 8)) = 0xa8c5f028;
                                    				E00007FF77FF7A8A78D30(_t108);
                                    				_t109 =  <  ? _v904 : _t108;
                                    				_t102 =  &_v152;
                                    				 *_t102 = _t109;
                                    				_t78 =  <  ? _v896 : 0xa8c5f028;
                                    				 *((long long*)(_t102 + 8)) =  <  ? _v896 : 0xa8c5f028;
                                    				_t54 = E00007FF77FF7A8B761E0( <  ? _v896 : 0xa8c5f028,  &_v136, _t102);
                                    				if (_v881 >= 0) goto 0xa8a77ef4;
                                    				0xa8b88150();
                                    				 *((long long*)( &_v184 + 0x10)) = 0xaaaaaaaa;
                                    				asm("movaps [edx], xmm6");
                                    				0xa8b70b10();
                                    				 *((long long*)( &_v384 + 0xc0)) = 0xaaaaaaaa;
                                    				asm("inc ecx");
                                    				asm("inc ecx");
                                    				asm("inc ecx");
                                    				asm("inc ecx");
                                    				asm("inc ecx");
                                    				asm("inc ecx");
                                    				asm("xorps xmm7, xmm7");
                                    				asm("movups [eax], xmm7");
                                    				 *((long long*)( &_v448 - 8)) =  &_v448;
                                    				asm("movups [eax], xmm7");
                                    				 *((long long*)( &_v424 - 8)) =  &_v424;
                                    				_v968 =  &_v312;
                                    				asm("movups [ecx-0x78], xmm7");
                                    				asm("movups [ecx-0x68], xmm7");
                                    				asm("movups [ecx-0x58], xmm7");
                                    				asm("movups [ecx-0x48], xmm7");
                                    				asm("movups [ecx-0x38], xmm7");
                                    				asm("movups [ecx-0x28], xmm7");
                                    				asm("movups [ecx-0x18], xmm7");
                                    				 *((long long*)( &_v288 - 8)) = _t109;
                                    				E00007FF77FF7A8A78DA0(_t54,  &_v288);
                                    				_t98 =  &_v208;
                                    				 *((intOrPtr*)(_t98 - 8)) = 0;
                                    				asm("movups [ecx], xmm7");
                                    				 *((long long*)(_t98 + 0x10)) = _t109;
                                    				 *((char*)(_t98 - 8)) = 1;
                                    				 *((short*)(_t98 - 6)) = 0x101;
                                    				 *((char*)(_t98 - 4)) = 1;
                                    				_v976 = 0;
                                    				_v984 = 0;
                                    				_t57 = E00007FF77FF7A8AA9E30(1, _t59, _t99, 0xa8c60bc0, 0xa8c6c240);
                                    				if (_t57 - 0xff <= 0) goto 0xa8a781bd;
                                    				if (_t57 + 0xffffff00 - 0xd > 0) goto 0xa8a78cb3;
                                    				goto __rax;
                                    			}

                                    APIs
                                    • SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF7A8A77DD4
                                    • SetConsoleCtrlHandler.KERNEL32 ref: 00007FF7A8A77DED
                                      • Part of subcall function 00007FF7A8B88008: EnterCriticalSection.KERNEL32(?,?,?,00007FF7A8A710BF,?,?,?,?,?,00007FF7A8A7100E), ref: 00007FF7A8B88018
                                      • Part of subcall function 00007FF7A8A7A710: CreateEventW.KERNEL32 ref: 00007FF7A8A7A76B
                                      • Part of subcall function 00007FF7A8A7A710: CreateEventW.KERNEL32 ref: 00007FF7A8A7A7B5
                                    • _Init_thread_footer.LIBCMT ref: 00007FF7A8A77E56
                                      • Part of subcall function 00007FF7A8B87FA8: EnterCriticalSection.KERNEL32(?,?,?,00007FF7A8A710F7,?,?,?,?,?,00007FF7A8A7100E), ref: 00007FF7A8B87FB8
                                      • Part of subcall function 00007FF7A8B87FA8: LeaveCriticalSection.KERNEL32(?,?,?,00007FF7A8A710F7,?,?,?,?,?,00007FF7A8A7100E), ref: 00007FF7A8B87FF8
                                    Strings
                                    • SetProcessShutdownParameters, xrefs: 00007FF7A8A78B92
                                    • failed to parse --initial-client-data, xrefs: 00007FF7A8A78998
                                    • ../../third_party/crashpad/crashpad/handler/handler_main.cc, xrefs: 00007FF7A8A78B6A
                                    • --initial-client-data or --pipe-name is required, xrefs: 00007FF7A8A78A70
                                    • CrashpadMetrics, xrefs: 00007FF7A8A78C10
                                    • Usage: %ls [OPTION]...Crashpad's exception handler server. --annotation=KEY=VALUE set a process annotation in each crash report --attachment=FILE_PATH attach specified file to each crash report at the time of the c, xrefs: 00007FF7A8A78C8F
                                    • --database is required, xrefs: 00007FF7A8A78A82
                                    • --initial-client-data and --pipe-name are incompatible, xrefs: 00007FF7A8A78A79
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.282202405.00007FF7A8A71000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF7A8A70000, based on PE: true
                                    • Associated: 00000005.00000002.282193308.00007FF7A8A70000.00000002.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282677117.00007FF7A8C32000.00000002.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282689759.00007FF7A8C3A000.00000002.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282700365.00007FF7A8C4A000.00000002.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282744839.00007FF7A8C85000.00000008.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282751860.00007FF7A8C8E000.00000008.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282767122.00007FF7A8C98000.00000002.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282780464.00007FF7A8CAA000.00000002.00000001.01000000.00000006.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_7ff7a8a70000_chrome.jbxd
                                    Similarity
                                    • API ID: CriticalSection$CreateEnterEvent$ConsoleCtrlExceptionFilterHandlerInit_thread_footerLeaveUnhandled
                                    • String ID: --database is required$--initial-client-data and --pipe-name are incompatible$--initial-client-data or --pipe-name is required$../../third_party/crashpad/crashpad/handler/handler_main.cc$CrashpadMetrics$SetProcessShutdownParameters$Usage: %ls [OPTION]...Crashpad's exception handler server. --annotation=KEY=VALUE set a process annotation in each crash report --attachment=FILE_PATH attach specified file to each crash report at the time of the c$failed to parse --initial-client-data
                                    • API String ID: 445079017-4180809517
                                    • Opcode ID: bc249306b93f9e7759da2be2187d72d82e45289b5c7ab80569b7228d72d8af9c
                                    • Instruction ID: e1ca2572b55c8d08873edbe86a8799f52629c08169590e01a416482d6ce519af
                                    • Opcode Fuzzy Hash: bc249306b93f9e7759da2be2187d72d82e45289b5c7ab80569b7228d72d8af9c
                                    • Instruction Fuzzy Hash: 5452C521A0FAC281EA21AB14E4447FAF364FF94B44F860131DA8D477A5EF3CE555DB28
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 27%
                                    			E00007FF77FF7A8B391C0() {
                                    				signed int _t56;
                                    				void* _t63;
                                    				void* _t67;
                                    				void* _t71;
                                    				intOrPtr _t73;
                                    				void* _t81;
                                    				intOrPtr _t85;
                                    				intOrPtr _t98;
                                    				void* _t116;
                                    				union _LARGE_INTEGER* _t122;
                                    				signed long long _t124;
                                    				intOrPtr _t127;
                                    				long long _t128;
                                    				void* _t134;
                                    				signed long long _t138;
                                    				signed long long _t159;
                                    				void* _t160;
                                    				long long _t168;
                                    				struct _FILETIME* _t169;
                                    				intOrPtr _t172;
                                    				intOrPtr _t176;
                                    				union _LARGE_INTEGER* _t177;
                                    				long long _t178;
                                    				void* _t179;
                                    				void* _t180;
                                    				void* _t182;
                                    				void* _t183;
                                    				void* _t186;
                                    				void* _t187;
                                    				union _LARGE_INTEGER* _t188;
                                    				union _LARGE_INTEGER* _t190;
                                    				void* _t191;
                                    				void* _t192;
                                    				void* _t194;
                                    
                                    				_t183 = _t182 - 0x78;
                                    				_t180 = _t183 + 0x70;
                                    				asm("movaps [ebp-0x10], xmm6");
                                    				 *((long long*)(_t180 - 0x18)) = 0xfffffffe;
                                    				_t178 = _t128;
                                    				 *((long long*)(_t180 - 0x40)) = _t128 + 0x10;
                                    				 *(_t180 - 0x48) = _t128 + 8;
                                    				_t191 = _t180 - 0x28;
                                    				asm("xorps xmm6, xmm6");
                                    				goto 0xa8b39230;
                                    				0xa8a718a0(_t192, _t194, _t179);
                                    				asm("o16 nop [cs:eax+eax]");
                                    				 *((long long*)(_t180 - 0x30)) = 0xaaaaaa01;
                                    				 *((long long*)(_t180 - 0x38)) = _t178;
                                    				0xa8b39580();
                                    				if ( *((intOrPtr*)(_t178 + 0x10)) != 0) goto 0xa8b3927f;
                                    				if ( *((intOrPtr*)(_t178 + 0x18)) != 0) goto 0xa8b39290;
                                    				0xa8a71330();
                                    				_t124 =  *((intOrPtr*)(_t178 + 0x18));
                                    				if (_t124 != 0) goto 0xa8b39484;
                                    				_t85 =  *((intOrPtr*)(_t178 + 0x10));
                                    				if (_t85 == 0) goto 0xa8b3925c;
                                    				asm("movups [eax], xmm6");
                                    				goto 0xa8b39424;
                                    				if (_t85 <= 0) goto 0xa8b3941a;
                                    				_t73 =  *0xa8c8eb14; // 0x0
                                    				if ( *0xa8c90080 -  *((intOrPtr*)( *((intOrPtr*)( *[gs:0x58] +  *(_t180 - 0x48) * 8)) + 4)) > 0) goto 0xa8b3949f;
                                    				 *((long long*)(_t180 - 0x28)) = 0xaaaaaaaa;
                                    				_t56 = QueryPerformanceCounter(_t122);
                                    				 *((long long*)(_t180 - 0x28)) = 0xaaaaaaaa;
                                    				GetSystemTimeAsFileTime(_t169);
                                    				_t172 =  *((intOrPtr*)(_t180 - 0x28));
                                    				_t134 = _t172 + 0x2ac18000;
                                    				if (_t172 + 0x2ac18009 - 0x13 < 0) goto 0xa8b39523;
                                    				if (_t134 - 0x7ae147af > 0) goto 0xa8b3934e;
                                    				if (_t134 - 0x851eb851 < 0) goto 0xa8b3934e;
                                    				if (_t124 - 0xa5e353f7 > 0) goto 0xa8b39367;
                                    				_t159 = _t124 * 0x3e8;
                                    				if ( *((char*)(_t180 - 0x30)) == 0) goto 0xa8b3952a;
                                    				_t160 = _t159 + 0x5b3d43790;
                                    				_t161 =  >=  ? 0xe941 : _t160;
                                    				if (0x5b3d43790 - 0xffffffff - _t159 > 0) goto 0xa8b3938c;
                                    				_t137 =  >=  ? 0xe941 : _t160;
                                    				 *((long long*)(_t180 - 0x20)) = 0xaaaaaaaa;
                                    				_t116 =  >=  ? 0xe941 : _t160;
                                    				 *((long long*)(_t180 - 0x28)) = 0x175b75a;
                                    				 *((intOrPtr*)(_t180 - 0x20)) = _t73 + (_t56 * 0x66666667 * 0x26d694b3 >> 0x20) * 0xc4653600;
                                    				_t138 =  *(_t180 - 0x48);
                                    				if (E00007FF77FF7A8A71270((_t56 * 0x66666667 * 0x26d694b3 >> 0x20) * 0xc4653600, _t138,  *((intOrPtr*)(_t180 - 0x38)), _t191) != 0x8a) goto 0xa8b39492;
                                    				if ( *0xa8c90080 -  *((intOrPtr*)( *((intOrPtr*)( *[gs:0x58] + _t138 * 8)) + 4)) > 0) goto 0xa8b394e1;
                                    				 *((long long*)(_t180 - 0x28)) = 0xaaaaaaaa;
                                    				QueryPerformanceCounter(_t177);
                                    				_t176 =  *((intOrPtr*)( *((intOrPtr*)(_t180 - 0x40))));
                                    				if (_t176 != 0) goto 0xa8b3927f;
                                    				 *((long long*)(_t178 + 0x18)) = 0;
                                    				if ( *((char*)(_t180 - 0x30)) == 0) goto 0xa8b39433;
                                    				0xa8b39590();
                                    				_t98 = _t176;
                                    				if (_t98 == 0) goto 0xa8b3921b;
                                    				_t63 = E00007FF77FF7A8B395A0(_t81, _t176);
                                    				asm("lock dec dword [edi]");
                                    				if (_t98 != 0) goto 0xa8b39230;
                                    				0xa8a711e0();
                                    				_t127 =  *((intOrPtr*)(_t176 + 0x10));
                                    				 *((long long*)(_t176 + 0x10)) = 0;
                                    				if (_t127 == 0) goto 0xa8b39477;
                                    				0xa8a71180();
                                    				0xa8a713a0();
                                    				0xa8a713a0();
                                    				goto 0xa8b39230;
                                    				if (_t176 == 0) goto 0xa8b39257;
                                    				goto 0xa8b3927f;
                                    				if (_t63 == 0) goto 0xa8b393d8;
                                    				goto 0xa8b3953b;
                                    				E00007FF77FF7A8B88008();
                                    				if ( *0xa8c90080 != 0xffffffff) goto 0xa8b392bb;
                                    				 *((long long*)(_t180 - 0x28)) = 0xaaaaaaaa;
                                    				QueryPerformanceFrequency(_t188);
                                    				 *0xa8c90078 =  *((intOrPtr*)(_t180 - 0x28));
                                    				E00007FF77FF7A8B87FA8();
                                    				goto 0xa8b392bb;
                                    				E00007FF77FF7A8B88008();
                                    				if ( *0xa8c90080 != 0xffffffff) goto 0xa8b393fd;
                                    				 *((long long*)(_t180 - 0x28)) = 0xaaaaaaaa;
                                    				QueryPerformanceFrequency(_t190);
                                    				 *0xa8c90078 =  *((intOrPtr*)(_t180 - 0x28));
                                    				E00007FF77FF7A8B87FA8();
                                    				goto 0xa8b393fd;
                                    				goto 0xa8b3934e;
                                    				_t67 = E00007FF77FF7A8BD8910(_t71, 1, _t56 * 0x66666667 * 0x26d694b3 >> 0x20,  *0xa8c90080 - 0xffffffff, _t127, 0xa8c90080, "condition_variable::timed wait: mutex not locked", _t176, _t186, _t187);
                                    				_t168 = "condition_variable timed_wait failed";
                                    				E00007FF77FF7A8BD8910(_t71, _t67, _t56 * 0x66666667 * 0x26d694b3 >> 0x20,  *0xa8c90080 - 0xffffffff, _t127, 0xa8c90080, _t168, _t176, _t186, _t187);
                                    				asm("int3");
                                    				asm("o16 nop [eax+eax]");
                                    				 *((long long*)(_t183 + 0x10)) = _t168;
                                    				asm("movaps [esp+0x20], xmm6");
                                    				E00007FF77FF7A8B88070(_t56 * 0x66666667 * 0x26d694b3 >> 0x20,  *((intOrPtr*)(_t180 - 0x28)), _t127, 0xa8c90080, _t178, _t191, _t186);
                                    				asm("int3");
                                    				asm("int3");
                                    				asm("int3");
                                    				asm("int3");
                                    				asm("int3");
                                    				asm("int3");
                                    				asm("int3");
                                    				asm("int3");
                                    				asm("int3");
                                    				asm("int3");
                                    				asm("int3");
                                    				asm("int3");
                                    				asm("int3");
                                    				return __imp__AcquireSRWLockExclusive(_t127, _t176, _t178, 0xe941, _t191, 0xffffffff, 0xaaaaaaaa, _t180);
                                    			}


                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.282202405.00007FF7A8A71000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF7A8A70000, based on PE: true
                                    • Associated: 00000005.00000002.282193308.00007FF7A8A70000.00000002.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282677117.00007FF7A8C32000.00000002.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282689759.00007FF7A8C3A000.00000002.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282700365.00007FF7A8C4A000.00000002.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282744839.00007FF7A8C85000.00000008.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282751860.00007FF7A8C8E000.00000008.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282767122.00007FF7A8C98000.00000002.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282780464.00007FF7A8CAA000.00000002.00000001.01000000.00000006.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_7ff7a8a70000_chrome.jbxd
                                    Similarity
                                    • API ID: ExclusiveLock$AcquireRelease
                                    • String ID: A$condition_variable timed_wait failed$condition_variable::timed wait: mutex not locked$gfffffff
                                    • API String ID: 17069307-4287900171
                                    • Opcode ID: 9aff17acd0fd2a0072ac94849f2289c9b71ff3ccef59ba34075bbe4f2170fab8
                                    • Instruction ID: 37784f1cda94136c0888d3a08f8e9713732a852569692b3b986b1ad6a7fcd6bc
                                    • Opcode Fuzzy Hash: 9aff17acd0fd2a0072ac94849f2289c9b71ff3ccef59ba34075bbe4f2170fab8
                                    • Instruction Fuzzy Hash: 6C91A471F1AA0289EB14AB21E9402BDF3A0FB45794F950175DE5D47FB5EE3CE0418328
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.282202405.00007FF7A8A71000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF7A8A70000, based on PE: true
                                    • Associated: 00000005.00000002.282193308.00007FF7A8A70000.00000002.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282677117.00007FF7A8C32000.00000002.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282689759.00007FF7A8C3A000.00000002.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282700365.00007FF7A8C4A000.00000002.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282744839.00007FF7A8C85000.00000008.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282751860.00007FF7A8C8E000.00000008.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282767122.00007FF7A8C98000.00000002.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282780464.00007FF7A8CAA000.00000002.00000001.01000000.00000006.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_7ff7a8a70000_chrome.jbxd
                                    Similarity
                                    • API ID: ConditionErrorLastMask$CreateCriticalEnterInfoInit_thread_footerNamedPipeSectionVerifyVersion
                                    • String ID: ../../third_party/crashpad/crashpad/util/win/registration_protocol_win.cc$BuildSecurityDescriptor$ConvertStringSecurityDescriptorToSecurityDescriptor$D:(A;;GA;;;SY)(A;;GWGR;;;S-1-15-2-1)S:(ML;;;;;S-1-16-0)
                                    • API String ID: 1951224536-440191626
                                    • Opcode ID: 4c8c5dcdb60937ae92639783a63f3c8836adbe670483777b777e00a6a0071d64
                                    • Instruction ID: 325956e921cee2a0c1c9e9f332dadf66121be6b699730d7f8d5152c15d797048
                                    • Opcode Fuzzy Hash: 4c8c5dcdb60937ae92639783a63f3c8836adbe670483777b777e00a6a0071d64
                                    • Instruction Fuzzy Hash: 7A91D371A0A68281F720AB55E4447BAF3A0FF84794F815135DA8D07BB5EF3DE146CB28
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.282202405.00007FF7A8A71000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF7A8A70000, based on PE: true
                                    • Associated: 00000005.00000002.282193308.00007FF7A8A70000.00000002.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282677117.00007FF7A8C32000.00000002.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282689759.00007FF7A8C3A000.00000002.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282700365.00007FF7A8C4A000.00000002.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282744839.00007FF7A8C85000.00000008.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282751860.00007FF7A8C8E000.00000008.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282767122.00007FF7A8C98000.00000002.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282780464.00007FF7A8CAA000.00000002.00000001.01000000.00000006.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_7ff7a8a70000_chrome.jbxd
                                    Similarity
                                    • API ID: ExclusiveLock$Release$AcquireUnregisterWait
                                    • String ID:
                                    • API String ID: 3416598872-0
                                    • Opcode ID: a3c25f3240c8da2df4fe793cf4de6894df4f75e3d11cac6651e5cc86dd77b81e
                                    • Instruction ID: 9698e8c82b376e2ebcfa366dca4a589f3e3ca373a7a86f0e265ceba8cdd1bcfb
                                    • Opcode Fuzzy Hash: a3c25f3240c8da2df4fe793cf4de6894df4f75e3d11cac6651e5cc86dd77b81e
                                    • Instruction Fuzzy Hash: D7F18732A0AA8186EA11EF15D4457BAE3A1FF84B94F8A4131EE5D077B5EF3CD841C714
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                      • Part of subcall function 00007FF7A8B88160: Concurrency::cancel_current_task.LIBCPMT ref: 00007FF7A8B88190
                                    • CreateEventW.KERNEL32 ref: 00007FF7A8AB0642
                                    • GetLastError.KERNEL32 ref: 00007FF7A8AB065C
                                    • SetLastError.KERNEL32 ref: 00007FF7A8AB068D
                                    • GetCurrentProcess.KERNEL32 ref: 00007FF7A8AB06B0
                                    • DuplicateHandle.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,00000000,-5555555555555556,?,?,00007FF7A8AB0281), ref: 00007FF7A8AB06D4
                                    • CreateEventW.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,00000000,-5555555555555556,?,?,00007FF7A8AB0281), ref: 00007FF7A8AB06EC
                                    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,00000000,-5555555555555556,?,?,00007FF7A8AB0281), ref: 00007FF7A8AB0700
                                    • SetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,00000000,-5555555555555556,?,?,00007FF7A8AB0281), ref: 00007FF7A8AB0730
                                    • GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,00000000,-5555555555555556,?,?,00007FF7A8AB0281), ref: 00007FF7A8AB0750
                                    • DuplicateHandle.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,00000000,-5555555555555556,?,?,00007FF7A8AB0281), ref: 00007FF7A8AB0774
                                      • Part of subcall function 00007FF7A8AB0A00: RegisterWaitForSingleObject.KERNEL32(?,?,?,?,?,?,?,?,00007FF7A8AB08B1), ref: 00007FF7A8AB0A56
                                      • Part of subcall function 00007FF7A8AB0A00: TryAcquireSRWLockExclusive.KERNEL32(?,?,?,?,?,?,?,?,00007FF7A8AB08B1), ref: 00007FF7A8AB0A6E
                                      • Part of subcall function 00007FF7A8AB0A00: ReleaseSRWLockExclusive.KERNEL32(?,?,?,?,?,?,?,?,00007FF7A8AB08B1), ref: 00007FF7A8AB0AA2
                                    • GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,00000000,-5555555555555556,?,?,00007FF7A8AB0281), ref: 00007FF7A8AB08DF
                                    • DuplicateHandle.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,00000000,-5555555555555556,?,?,00007FF7A8AB0281), ref: 00007FF7A8AB0903
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.282202405.00007FF7A8A71000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF7A8A70000, based on PE: true
                                    • Associated: 00000005.00000002.282193308.00007FF7A8A70000.00000002.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282677117.00007FF7A8C32000.00000002.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282689759.00007FF7A8C3A000.00000002.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282700365.00007FF7A8C4A000.00000002.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282744839.00007FF7A8C85000.00000008.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282751860.00007FF7A8C8E000.00000008.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282767122.00007FF7A8C98000.00000002.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282780464.00007FF7A8CAA000.00000002.00000001.01000000.00000006.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_7ff7a8a70000_chrome.jbxd
                                    Similarity
                                    • API ID: ErrorLast$CurrentDuplicateHandleProcess$CreateEventExclusiveLock$AcquireConcurrency::cancel_current_taskObjectRegisterReleaseSingleWait
                                    • String ID:
                                    • API String ID: 4107246765-0
                                    • Opcode ID: 4aa5d1f76f99b2950fd7fd4d465493156e405e5e878e8f5174a40afca2f69d58
                                    • Instruction ID: 4ae8830db25390f021e414e60e2ba75eefcd3fd02e6ce86db3e4df787f810f33
                                    • Opcode Fuzzy Hash: 4aa5d1f76f99b2950fd7fd4d465493156e405e5e878e8f5174a40afca2f69d58
                                    • Instruction Fuzzy Hash: 34C1A332B0AB4586E710AF15E40877AF7A1FB48B84F868135DA8D477A4DF3CE840C758
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 64%
                                    			E00007FF77FF7A8AA4330(signed long long __rax, intOrPtr* __rcx) {
                                    				void* _t14;
                                    				int _t21;
                                    				signed long long _t29;
                                    				void* _t32;
                                    				long long* _t44;
                                    				void* _t48;
                                    				void* _t49;
                                    
                                    				_t29 = __rax;
                                    				_t48 = _t49 + 0x40;
                                    				E00007FF77FF7A8B7A0E0(_t14);
                                    				E00007FF77FF7A8AA4540();
                                    				if ( *0xa8c93100 -  *((intOrPtr*)( *((intOrPtr*)( *[gs:0x58] + _t29 * 8)) + 4)) > 0) goto 0xa8aa43e7;
                                    				if ( *0xa8c930f8 == 0) goto 0xa8aa43d4;
                                    				_t38 =  >=  ? __rcx :  *__rcx;
                                    				_t44 = _t48 - 0x20;
                                    				 *_t44 =  >=  ? __rcx :  *__rcx;
                                    				_t30 =  <  ?  *((void*)(__rcx + 8)) : _t29;
                                    				 *((long long*)(_t44 + 8)) =  <  ?  *((void*)(__rcx + 8)) : _t29;
                                    				_t32 = _t48 - 0x10;
                                    				E00007FF77FF7A8B65FA0(_t32, _t44);
                                    				if ( *((char*)(_t32 + 0x17)) >= 0) goto 0xa8aa43b0;
                                    				GetCurrentThread();
                                    				 *0xa8ca6010();
                                    				if ( *((char*)(_t48 + 7)) >= 0) goto 0xa8aa43d4;
                                    				0xa8b88150();
                                    				_t21 = IsDebuggerPresent();
                                    				if (_t21 != 0) goto 0xa8aa4435;
                                    				return _t21;
                                    			}











                                    APIs
                                      • Part of subcall function 00007FF7A8AA4540: GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,?,?,00007FF7A8AA4350,?,?,?,?,?,?,?), ref: 00007FF7A8AA4565
                                      • Part of subcall function 00007FF7A8AA4540: TryAcquireSRWLockExclusive.KERNEL32(?,?,?,?,?,?,?,?,00007FF7A8AA4350,?,?,?,?,?,?,?), ref: 00007FF7A8AA4571
                                    • GetCurrentThread.KERNEL32(?,?,?,?,?,?,?,?,00007FF7A8A7103F), ref: 00007FF7A8AA43B0
                                    • IsDebuggerPresent.KERNEL32(?,?,?,?,?,?,?,?,00007FF7A8A7103F), ref: 00007FF7A8AA43D4
                                    • GetModuleHandleW.KERNEL32(?,?,?,?,?,?,?,?,00007FF7A8A7103F), ref: 00007FF7A8AA4407
                                    • GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,00007FF7A8A7103F), ref: 00007FF7A8AA4417
                                    • _Init_thread_footer.LIBCMT ref: 00007FF7A8AA442B
                                    • GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,?,?,00007FF7A8A7103F), ref: 00007FF7A8AA443E
                                    • RaiseException.KERNEL32(?,?,?,?,?,?,?,?,00007FF7A8A7103F), ref: 00007FF7A8AA4472
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.282202405.00007FF7A8A71000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF7A8A70000, based on PE: true
                                    • Associated: 00000005.00000002.282193308.00007FF7A8A70000.00000002.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282677117.00007FF7A8C32000.00000002.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282689759.00007FF7A8C3A000.00000002.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282700365.00007FF7A8C4A000.00000002.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282744839.00007FF7A8C85000.00000008.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282751860.00007FF7A8C8E000.00000008.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282767122.00007FF7A8C98000.00000002.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282780464.00007FF7A8CAA000.00000002.00000001.01000000.00000006.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_7ff7a8a70000_chrome.jbxd
                                    Similarity
                                    • API ID: CurrentThread$AcquireAddressDebuggerExceptionExclusiveHandleInit_thread_footerLockModulePresentProcRaise
                                    • String ID: Kernel32.dll$SetThreadDescription
                                    • API String ID: 2748992336-1724334159
                                    • Opcode ID: 18e6205e0df6f2c0609f2152050cb4a51b0d8aa3f67e70de3a676c680bc08929
                                    • Instruction ID: a52a2bcdd2b2d2b446e990ad21233555adb4f6b5e825c1f0486f51349037e9fa
                                    • Opcode Fuzzy Hash: 18e6205e0df6f2c0609f2152050cb4a51b0d8aa3f67e70de3a676c680bc08929
                                    • Instruction Fuzzy Hash: 2B315375A0BA5296FB10AB21E8406B8F360BB44B84F854075E94E477B4EF3CE454CB69
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.282202405.00007FF7A8A71000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF7A8A70000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_7ff7a8a70000_chrome.jbxd
                                    Similarity
                                    • API ID: ExclusiveLock$AcquireRelease$CurrentThreadValue
                                    • String ID:
                                    • API String ID: 1199538118-0
                                    • Opcode ID: 495e3eabd00fac9e9658d91af0be7a0b8bcc29f13dc67ed064843c34a77b3a08
                                    • Instruction ID: 03ddc5f0abd340e88856f768f330b5945661db7968250bbedc99e0af4ae53385
                                    • Opcode Fuzzy Hash: 495e3eabd00fac9e9658d91af0be7a0b8bcc29f13dc67ed064843c34a77b3a08
                                    • Instruction Fuzzy Hash: 87021532A4ABC1AAE78DCB3896543A9FBE0F719340F554139C7AC87361EB79A074C714
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 65%
                                    			E00007FF77FF7A8B9AFA0(void* __ecx, intOrPtr __edx, long long __rbx, void* __rdx, long long __rsi, void* __r8) {
                                    				void* _t36;
                                    				void* _t37;
                                    				void* _t38;
                                    				int _t40;
                                    				signed long long _t62;
                                    				long long _t65;
                                    				_Unknown_base(*)()* _t85;
                                    				void* _t89;
                                    				void* _t90;
                                    				void* _t92;
                                    				signed long long _t93;
                                    				struct _EXCEPTION_POINTERS* _t99;
                                    
                                    				 *((long long*)(_t92 + 0x10)) = __rbx;
                                    				 *((long long*)(_t92 + 0x18)) = __rsi;
                                    				_t90 = _t92 - 0x4f0;
                                    				_t93 = _t92 - 0x5f0;
                                    				_t62 =  *0xa8c85028; // 0x2b992ddfa232
                                    				 *(_t90 + 0x4e0) = _t62 ^ _t93;
                                    				if (__ecx == 0xffffffff) goto 0xa8b9afdf;
                                    				_t37 = E00007FF77FF7A8B899E4(_t36);
                                    				r8d = 0x98;
                                    				_t38 = E00007FF77FF7A8B8CA20(_t37, 0, _t93 + 0x70, __rdx, __r8);
                                    				r8d = 0x4d0;
                                    				E00007FF77FF7A8B8CA20(_t38, 0, _t90 + 0x10, __rdx, __r8);
                                    				 *((long long*)(_t93 + 0x48)) = _t93 + 0x70;
                                    				_t65 = _t90 + 0x10;
                                    				 *((long long*)(_t93 + 0x50)) = _t65;
                                    				__imp__RtlCaptureContext();
                                    				r8d = 0;
                                    				__imp__RtlLookupFunctionEntry();
                                    				if (_t65 == 0) goto 0xa8b9b072;
                                    				 *(_t93 + 0x38) =  *(_t93 + 0x38) & 0x00000000;
                                    				 *((long long*)(_t93 + 0x30)) = _t93 + 0x58;
                                    				 *((long long*)(_t93 + 0x28)) = _t93 + 0x60;
                                    				 *((long long*)(_t93 + 0x20)) = _t90 + 0x10;
                                    				__imp__RtlVirtualUnwind();
                                    				 *((long long*)(_t90 + 0x108)) =  *((intOrPtr*)(_t90 + 0x508));
                                    				 *((intOrPtr*)(_t93 + 0x70)) = __edx;
                                    				 *((long long*)(_t90 + 0xa8)) = _t90 + 0x510;
                                    				 *((long long*)(_t90 - 0x80)) =  *((intOrPtr*)(_t90 + 0x508));
                                    				 *((intOrPtr*)(_t93 + 0x74)) = r8d;
                                    				_t40 = IsDebuggerPresent();
                                    				SetUnhandledExceptionFilter(_t85, _t89);
                                    				if (UnhandledExceptionFilter(_t99) != 0) goto 0xa8b9b0d4;
                                    				if (_t40 != 0) goto 0xa8b9b0d4;
                                    				if (__ecx == 0xffffffff) goto 0xa8b9b0d4;
                                    				E00007FF77FF7A8B899E4(_t42);
                                    				return E00007FF77FF7A8B8A7E0(__ecx,  *((intOrPtr*)(_t90 + 0x508)),  *(_t90 + 0x4e0) ^ _t93);
                                    			}
















                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.282202405.00007FF7A8A71000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF7A8A70000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_7ff7a8a70000_chrome.jbxd
                                    Similarity
                                    • API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
                                    • String ID:
                                    • API String ID: 1239891234-0
                                    • Opcode ID: 762345e029b0ff665c6e9ee0669d5b722104e842bd60e7bf0a6b7f9e8a2ea462
                                    • Instruction ID: 7df6ebb05056565ba11efd370fe90d7226394691245f0c3ff30d2460f88636c9
                                    • Opcode Fuzzy Hash: 762345e029b0ff665c6e9ee0669d5b722104e842bd60e7bf0a6b7f9e8a2ea462
                                    • Instruction Fuzzy Hash: 5F318F32619B8186DB60DF25E8402AEF3A4FB88755F91013AEB9D43BA8DF3CC155CB14
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 100%
                                    			E00007FF77FF7A8A8B550(signed int __rcx) {
                                    				signed int _v24;
                                    				intOrPtr _t8;
                                    				signed long long _t11;
                                    				signed long long _t20;
                                    
                                    				_t11 =  *0xa8c85028; // 0x2b992ddfa232
                                    				_v24 = _t11 ^ _t20;
                                    				_t8 =  *0xa8c8eb14; // 0x0
                                    				if ( *0xa8c93160 -  *((intOrPtr*)( *((intOrPtr*)( *[gs:0x58] + __rcx * 8)) + 4)) > 0) goto 0xa8a8b5b0;
                                    				return E00007FF77FF7A8B8A7E0(_t8, _t11 ^ _t20, _v24 ^ _t20);
                                    			}








                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.282202405.00007FF7A8A71000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF7A8A70000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_7ff7a8a70000_chrome.jbxd
                                    Similarity
                                    • API ID: InfoInit_thread_footer$CriticalEnterNativeProductSectionSystemVersion
                                    • String ID:
                                    • API String ID: 4263187468-0
                                    • Opcode ID: 2ffa7edd82e45744adb9ccc88086119d184a22787f119cd72e46a2b15ba7ba0e
                                    • Instruction ID: 8f21c85ed8e40a8330172420cc0089126d47215348b5e7db4538fabaa0f14dd6
                                    • Opcode Fuzzy Hash: 2ffa7edd82e45744adb9ccc88086119d184a22787f119cd72e46a2b15ba7ba0e
                                    • Instruction Fuzzy Hash: 7B418331A1A64696F610FB20E8506B5F360FB84751FC251B5EA4D037B4EF3CE456CB28
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 45%
                                    			E00007FF77FF7A8B5A630(signed long long __rcx) {
                                    				void* _t33;
                                    				void* _t41;
                                    				void* _t57;
                                    				signed long long _t72;
                                    				intOrPtr _t74;
                                    				intOrPtr* _t86;
                                    				intOrPtr _t87;
                                    				signed long long _t100;
                                    				intOrPtr* _t104;
                                    				signed long long _t118;
                                    				char* _t119;
                                    				unsigned long long _t135;
                                    				signed long long _t136;
                                    				void* _t140;
                                    				void* _t144;
                                    				signed long long _t151;
                                    				void* _t152;
                                    				void* _t154;
                                    				signed long long _t155;
                                    				long long _t157;
                                    				intOrPtr _t158;
                                    				char* _t162;
                                    
                                    				_t136 = __rcx;
                                    				_t72 =  *0xa8c85028; // 0x2b992ddfa232
                                    				 *(_t151 + 0x30) = _t72 ^ _t151;
                                    				if ( *0xa8c93750 == 0) goto 0xa8b5a689;
                                    				 *((long long*)(_t151 + 0x28)) = 0xaaaaaaaa;
                                    				_t33 = E00007FF77FF7A8B5AA30(0xf1645913, _t72 ^ _t151,  *0xa8c93750 + 0x58, _t152, _t154);
                                    				if (_t33 != 0) goto 0xa8b5a8e3;
                                    				_t157 =  *0xa8c93710;
                                    				if (_t157 - 1 <= 0) goto 0xa8b5a975;
                                    				__imp__TryAcquireSRWLockExclusive();
                                    				if (_t33 == 0) goto 0xa8b5a950;
                                    				_t74 =  *0xa8c93710;
                                    				if (_t74 - 1 <= 0) goto 0xa8b5a9b5;
                                    				_t104 =  *0xa8c93720;
                                    				if (_t104 == 0) goto 0xa8b5a9ee;
                                    				_t162 =  *_t136;
                                    				_t155 =  *((intOrPtr*)(_t136 + 8));
                                    				if (_t155 == 0) goto 0xa8b5a949;
                                    				_t57 = _t155 - 1 - 7;
                                    				if (_t57 >= 0) goto 0xa8b5a6f7;
                                    				goto 0xa8b5a795;
                                    				_t111 = _t162;
                                    				asm("o16 nop [cs:eax+eax]");
                                    				_t144 = (_t155 & 0xfffffff8) + 0xfffffff8;
                                    				if (_t57 != 0) goto 0xa8b5a710;
                                    				if (_t74 == 0) goto 0xa8b5a7b7;
                                    				_t140 = ((((((((_t136 * 0x83 +  *_t162) * 0x83 +  *((char*)(_t162 + 1))) * 0x83 +  *((char*)(_t162 + 2))) * 0x83 +  *((char*)(_t111 + 3))) * 0x83 +  *((char*)(_t111 + 4))) * 0x83 +  *((char*)(_t111 + 5))) * 0x83 +  *((char*)(_t111 + 6))) * 0x83 +  *((char*)(_t111 + 7))) * 0x83 +  *((char*)(_t111 + 8 + _t144));
                                    				if (_t74 != _t144 + 1) goto 0xa8b5a7a0;
                                    				_t135 =  *((intOrPtr*)(_t104 + 8));
                                    				if (_t135 == 0) goto 0xa8b5a941;
                                    				_t118 = ((_t135 - (0x55555555 & _t135 >> 0x00000001) >> 0x00000002 & 0x33333333) + (_t135 - (0x55555555 & _t135 >> 0x00000001) & 0x33333333) >> 4) + (_t135 - (0x55555555 & _t135 >> 0x00000001) >> 0x00000002 & 0x33333333) + (_t135 - (0x55555555 & _t135 >> 0x00000001) & 0x33333333);
                                    				if (0x1010101 * (0x0f0f0f0f & _t118) >> 0x38 - 1 <= 0) goto 0xa8b5a969;
                                    				if (_t140 - _t135 < 0) goto 0xa8b5a83d;
                                    				_t100 = _t118;
                                    				_t86 =  *((intOrPtr*)( *_t104 + _t100 * 8));
                                    				if (_t86 == 0) goto 0xa8b5a941;
                                    				 *((long long*)(_t151 + 0x20)) = _t157;
                                    				_t158 =  *_t86;
                                    				r13d = 0;
                                    				if (_t158 == 0) goto 0xa8b5a8b4;
                                    				_t87 =  *((intOrPtr*)(_t158 + 8));
                                    				if (_t87 != _t140) goto 0xa8b5a890;
                                    				if ( *((intOrPtr*)(_t158 + 0x18)) != _t155) goto 0xa8b5a8ab;
                                    				_t119 = _t162;
                                    				if (E00007FF77FF7A8B8C510(_t41,  *((intOrPtr*)(_t158 + 0x10)), _t119, _t155) == 0) goto 0xa8b5a8b0;
                                    				goto 0xa8b5a8ab;
                                    				asm("o16 nop [cs:eax+eax]");
                                    				if (0 - 1 <= 0) goto 0xa8b5a95d;
                                    				if (_t87 - _t135 < 0) goto 0xa8b5a8a6;
                                    				if (_t119 != _t100) goto 0xa8b5a8b4;
                                    				goto 0xa8b5a858;
                                    				__imp__ReleaseSRWLockExclusive();
                                    				return E00007FF77FF7A8B8A7E0(_t41, _t119,  *(_t151 + 0x30) ^ _t151);
                                    			}


























                                    APIs
                                    • TryAcquireSRWLockExclusive.KERNEL32(-5555555555555556,00000001,?,?,00000007,?,00007FF7A8B76008), ref: 00007FF7A8B5A69D
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.282202405.00007FF7A8A71000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF7A8A70000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_7ff7a8a70000_chrome.jbxd
                                    Similarity
                                    • API ID: AcquireExclusiveLock
                                    • String ID: 33333333$UUUUUUUU
                                    • API String ID: 4021432409-3483174168
                                    • Opcode ID: ed0543be6dbf5f4a2c771a990ce0195aa239e699fae8c24842e88766117f374a
                                    • Instruction ID: 6fd7e752d98bbdcc31cc3c9ca1e8db695d45a4a2309e8ef211ab111f2ff96ae7
                                    • Opcode Fuzzy Hash: ed0543be6dbf5f4a2c771a990ce0195aa239e699fae8c24842e88766117f374a
                                    • Instruction Fuzzy Hash: B1A12562F0B54640EE18AB11A550378E791BF44BE4FCAA232DD1E177F5EE3CE9418328
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 23%
                                    			E00007FF77FF7A8BDA170(signed int __edx, void* __rcx, void* __rdx, void* __r8, void* __r9) {
                                    				signed int _v40;
                                    				char _v296;
                                    				char _v297;
                                    				intOrPtr _v312;
                                    				char _v320;
                                    				char _v321;
                                    				char _v344;
                                    				char _v360;
                                    				long long _v376;
                                    				signed int _v384;
                                    				void* _v392;
                                    				void* _t21;
                                    				void* _t24;
                                    				signed int _t35;
                                    				signed long long _t41;
                                    				signed long long _t42;
                                    				long long _t44;
                                    				long long* _t63;
                                    				char* _t64;
                                    				void* _t69;
                                    				void* _t70;
                                    
                                    				_t69 = __r9;
                                    				_t35 = __edx;
                                    				_t70 = __rcx;
                                    				_t41 =  *0xa8c85028; // 0x2b992ddfa232
                                    				_t42 = _t41 ^  &_v392;
                                    				_v40 = _t42;
                                    				_t44 =  &_v296;
                                    				r8d = 0x100;
                                    				E00007FF77FF7A8B8CA20(_t21, 0xaa, _t44, __rdx, __r8);
                                    				_v392 = _t44;
                                    				_v376 = 0;
                                    				_v384 = 0x100;
                                    				r8d = __edx;
                                    				r9d = 0;
                                    				if (FormatMessageA(??, ??, ??, ??, ??, ??, ??) == 0) goto 0xa8bda27a;
                                    				_t64 =  &_v320;
                                    				r8d = __edx;
                                    				_t24 = E00007FF77FF7A8B59750(_t64, " (0x%lX)", __r8, _t69);
                                    				_t63 =  &_v360;
                                    				 *_t63 = _t44;
                                    				E00007FF77FF7A8BA8660(_t24, _t44);
                                    				 *(_t63 + 8) = _t42;
                                    				r8b = 1;
                                    				E00007FF77FF7A8BDCDB0( &_v344);
                                    				r8d =  *(_t64 + 0x17) & 0x000000ff;
                                    				if (r8b >= 0) goto 0xa8bda22e;
                                    				E00007FF77FF7A8B599E0( &_v344, _v320, _v312);
                                    				 *((long long*)(_t70 + 0x10)) =  *((intOrPtr*)(_t42 + 0x10));
                                    				asm("movups xmm0, [eax]");
                                    				asm("inc ecx");
                                    				asm("xorps xmm0, xmm0");
                                    				asm("movups [eax], xmm0");
                                    				 *((long long*)(_t42 + 0x10)) = 0;
                                    				if (_v321 >= 0) goto 0xa8bda267;
                                    				0xa8b88150();
                                    				if (_v297 >= 0) goto 0xa8bda295;
                                    				0xa8b88150();
                                    				goto 0xa8bda295;
                                    				r8d = GetLastError();
                                    				r9d = _t35;
                                    				E00007FF77FF7A8B59750(_t70, "Error (0x%lX) while retrieving error. (0x%lX)", _v312, _t69);
                                    				return E00007FF77FF7A8B8A7E0(0x1200, _t42, _v40 ^  &_v392);
                                    			}


                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.282202405.00007FF7A8A71000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF7A8A70000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_7ff7a8a70000_chrome.jbxd
                                    Similarity
                                    • API ID: ErrorLast$FormatMessage
                                    • String ID: (0x%lX)$Error (0x%lX) while retrieving error. (0x%lX)
                                    • API String ID: 71157656-3206765257
                                    • Opcode ID: c608e1e427230d7fba9a88372126ebba990b92bfcbdcd080bafac959943e28e6
                                    • Instruction ID: 46a8325acd6f884fe82c57bcd278d52c49a652025d347297a24ba42d226dff40
                                    • Opcode Fuzzy Hash: c608e1e427230d7fba9a88372126ebba990b92bfcbdcd080bafac959943e28e6
                                    • Instruction Fuzzy Hash: 9231B231B1975192FB11AB22F8407AAE750FB88B80F855135EE8D47B65CF3CE045CB54
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 63%
                                    			E00007FF77FF7A8AA4540() {
                                    				signed int _t78;
                                    				void* _t80;
                                    				signed int _t82;
                                    				void* _t83;
                                    				void* _t87;
                                    				void* _t92;
                                    				void* _t96;
                                    				void* _t100;
                                    				void* _t123;
                                    				void* _t132;
                                    				void* _t150;
                                    				signed long long _t158;
                                    				signed long long _t159;
                                    				long long _t160;
                                    				void* _t168;
                                    				intOrPtr _t172;
                                    				long long _t173;
                                    				intOrPtr _t177;
                                    				long long _t180;
                                    				void* _t182;
                                    				signed long long _t183;
                                    				void* _t184;
                                    				signed long long _t186;
                                    				intOrPtr _t193;
                                    				signed long long _t194;
                                    				intOrPtr* _t210;
                                    				long long _t221;
                                    				intOrPtr _t229;
                                    				intOrPtr _t232;
                                    				intOrPtr _t240;
                                    				void* _t242;
                                    				long long _t244;
                                    				void* _t249;
                                    				long long* _t256;
                                    				void* _t257;
                                    				void* _t258;
                                    				signed long long _t259;
                                    				void* _t269;
                                    				void* _t270;
                                    				void* _t271;
                                    				void* _t272;
                                    				intOrPtr* _t275;
                                    				void* _t278;
                                    				intOrPtr* _t279;
                                    				void* _t280;
                                    				intOrPtr* _t281;
                                    
                                    				_t259 = _t258 - 0x48;
                                    				_t275 = _t210;
                                    				_t270 = _t184;
                                    				_t158 =  *0xa8c85028; // 0x2b992ddfa232
                                    				_t159 = _t158 ^ _t259;
                                    				 *(_t259 + 0x40) = _t159;
                                    				_t78 = GetCurrentThreadId();
                                    				r13d = _t78;
                                    				__imp__TryAcquireSRWLockExclusive();
                                    				if (_t78 == 0) goto 0xa8aa4981;
                                    				_t229 =  *((intOrPtr*)(_t270 + 0x10));
                                    				 *(_t259 + 0x30) = _t159;
                                    				if (_t229 == 0) goto 0xa8aa4676;
                                    				 *(_t259 + 0x2c) = r13d;
                                    				_t160 =  *(_t259 + 0x30);
                                    				if (( *(_t275 + 0x17) & 0x000000ff) >= 0) goto 0xa8aa45b2;
                                    				_t240 =  *((intOrPtr*)(_t275 + 8));
                                    				_t8 = _t270 + 0x10; // 0x10
                                    				_t280 = _t8;
                                    				r13d =  *(_t229 + 0x37) & 0x000000ff;
                                    				if (r13b < 0) goto 0xa8aa460f;
                                    				_t186 = _t229 + 0x20;
                                    				_t263 =  <  ? _t240 : _t272;
                                    				_t122 =  <  ? _t240 : _t272;
                                    				if (( <  ? _t240 : _t272) == 0) goto 0xa8aa498e;
                                    				_t80 = E00007FF77FF7A8B8C510(_t100, _t186,  *_t275,  <  ? _t240 : _t272);
                                    				_t123 = _t240 - _t272;
                                    				_t103 =  >  ? 0xffffffff : _t123 > 0;
                                    				if (_t80 != 0) goto 0xa8aa45f9;
                                    				_t81 =  >  ? 0xffffffff : _t123 > 0;
                                    				_t249 =  >=  ? _t229 : _t280;
                                    				if ( *((intOrPtr*)(_t229 + _t186 * 8)) != 0) goto 0xa8aa45ba;
                                    				goto 0xa8aa4619;
                                    				goto 0xa8aa45c8;
                                    				r13d =  *(_t259 + 0x2c);
                                    				if (_t249 == _t280) goto 0xa8aa4676;
                                    				_t82 =  *(_t249 + 0x37) & 0x000000ff;
                                    				if (_t82 >= 0) goto 0xa8aa4632;
                                    				_t232 =  *((intOrPtr*)(_t249 + 0x28));
                                    				_t265 =  <  ? _t240 : _t232;
                                    				_t130 =  <  ? _t240 : _t232;
                                    				if (( <  ? _t240 : _t232) == 0) goto 0xa8aa49a3;
                                    				_t20 = _t249 + 0x20; // 0x30
                                    				if (_t82 >= 0) goto 0xa8aa4650;
                                    				_t83 = E00007FF77FF7A8B8C510(( >  ? 0xffffffff : _t123 > 0) >> 0x1f,  *_t275,  *_t20,  <  ? _t240 : _t232);
                                    				_t132 = _t232 - _t240;
                                    				_t107 =  <=  ? _t132 > 0 : 0xffffffff;
                                    				if (_t83 != 0) goto 0xa8aa466e;
                                    				_t84 =  <=  ? _t132 > 0 : 0xffffffff;
                                    				_t134 =  <=  ? _t132 > 0 : 0xffffffff;
                                    				if (( <=  ? _t132 > 0 : 0xffffffff) >= 0) goto 0xa8aa48fc;
                                    				_t23 = _t270 + 8; // 0x8
                                    				_t281 = _t23;
                                    				E00007FF77FF7A8B88160(_t160,  *_t275);
                                    				_t180 = _t160;
                                    				if ( *(_t259 + 0x30) < 0) goto 0xa8aa48d7;
                                    				 *((long long*)(_t180 + 0x10)) =  *((intOrPtr*)(_t275 + 0x10));
                                    				asm("inc ecx");
                                    				asm("movups [ebx], xmm0");
                                    				 *((long long*)(_t259 + 0x38)) = 0xaaaaaaaa;
                                    				E00007FF77FF7A8A9FA00(_t281, _t259 + 0x38, _t275);
                                    				if ( *0xaaaaaaaa != 0) goto 0xa8aa4734;
                                    				_t87 = E00007FF77FF7A8B88160(0xaaaaaaaa, _t281);
                                    				if ( *(_t275 + 0x17) < 0) goto 0xa8aa48eb;
                                    				 *0xAAAAAAAAAAAAAADA =  *((intOrPtr*)(_t275 + 0x10));
                                    				asm("inc ecx");
                                    				asm("movups [ecx], xmm0");
                                    				 *0xAAAAAAAAAAAAAAE2 = 0;
                                    				asm("xorps xmm0, xmm0");
                                    				asm("movups [ebp], xmm0");
                                    				 *0xAAAAAAAAAAAAAABA =  *((intOrPtr*)(_t259 + 0x38));
                                    				 *0xaaaaaaaa = 0xaaaaaaaa;
                                    				if ( *((intOrPtr*)( *_t281)) != 0) goto 0xa8aa49f0;
                                    				E00007FF77FF7A8B74C10(_t87,  *((intOrPtr*)(_t270 + 0x10)), 0xaaaaaaaa);
                                    				 *((long long*)(_t270 + 0x18)) =  *((long long*)(_t270 + 0x18)) + 1;
                                    				 *((long long*)(0xaaaaaaaaaaaaaae2)) = _t180;
                                    				_t38 = _t270 + 0x28; // 0x28
                                    				_t242 = _t38;
                                    				_t193 =  *((intOrPtr*)(_t270 + 0x28));
                                    				if (_t193 == 0) goto 0xa8aa4776;
                                    				_t168 =  >=  ? _t193 : _t242;
                                    				_t194 =  *((intOrPtr*)(_t193 + 0x5555555555555550));
                                    				if (_t194 != 0) goto 0xa8aa474d;
                                    				if (_t168 == _t242) goto 0xa8aa4776;
                                    				_t169 =  <  ? _t242 : _t168;
                                    				_t278 =  <  ? _t242 : _t168;
                                    				if ( *0xa8c937c0 -  *((intOrPtr*)( *((intOrPtr*)( *[gs:0x58] + _t194 * 8)) + 4)) > 0) goto 0xa8aa49b8;
                                    				if ( *((char*)(_t180 + 0x17)) >= 0) goto 0xa8aa48cf;
                                    				E00007FF77FF7A8B6C670( *((char*)(_t180 + 0x17)),  <  ? _t242 : _t168, 0xa8c937b8,  *_t180);
                                    				if ( *((intOrPtr*)(_t270 + 0x60)) ==  *((intOrPtr*)(_t270 + 0x68))) goto 0xa8aa47e7;
                                    				if ( *((char*)(_t180 + 0x17)) >= 0) goto 0xa8aa47e2;
                                    				 *0xa8ca6010();
                                    				goto 0xa8aa47be;
                                    				goto 0xa8aa47cc;
                                    				if (_t278 == _t242) goto 0xa8aa4905;
                                    				_t172 =  *((intOrPtr*)(_t270 + 0x40));
                                    				if (_t172 == 0) goto 0xa8aa4979;
                                    				_t150 =  *((intOrPtr*)(_t278 + 0x28)) -  *((intOrPtr*)(_t172 + 0x20));
                                    				if (_t150 < 0) goto 0xa8aa4827;
                                    				if (_t150 <= 0) goto 0xa8aa483a;
                                    				_t221 =  *((intOrPtr*)(_t172 + 8));
                                    				if (_t221 == 0) goto 0xa8aa483a;
                                    				_t173 = _t221;
                                    				goto 0xa8aa480a;
                                    				if ( *_t173 != 0) goto 0xa8aa4822;
                                    				_t256 = _t173;
                                    				goto 0xa8aa483d;
                                    				if ( *_t256 != 0) goto 0xa8aa4894;
                                    				_t92 = E00007FF77FF7A8B88160(_t173,  *((intOrPtr*)(_t278 + 0x28)));
                                    				_t244 = _t173;
                                    				 *((long long*)(_t244 + 0x20)) =  *((intOrPtr*)(_t278 + 0x28));
                                    				 *((long long*)(_t244 + 0x28)) = 0;
                                    				asm("xorps xmm0, xmm0");
                                    				asm("movups [esi], xmm0");
                                    				 *((long long*)(_t244 + 0x10)) = _t173;
                                    				 *_t256 = _t244;
                                    				if ( *((intOrPtr*)( *((intOrPtr*)(_t270 + 0x38)))) != 0) goto 0xa8aa496b;
                                    				E00007FF77FF7A8B74C10(_t92,  *((intOrPtr*)(_t270 + 0x40)), _t244);
                                    				 *((long long*)(_t270 + 0x48)) =  *((long long*)(_t270 + 0x48)) + 1;
                                    				 *((long long*)(_t244 + 0x28)) = _t180;
                                    				__imp__ReleaseSRWLockExclusive();
                                    				if ( *((char*)(_t180 + 0x17)) >= 0) goto 0xa8aa48aa;
                                    				E00007FF77FF7A8B8A7E0(0x30,  *((intOrPtr*)( *((intOrPtr*)(_t270 + 0x38)))),  *(_t259 + 0x40) ^ _t259);
                                    				_pop(_t182);
                                    				_pop(_t257);
                                    				_pop(_t271);
                                    				_pop(_t279);
                                    				goto 0xa8a75200;
                                    				goto 0xa8aa47a8;
                                    				E00007FF77FF7A8B5DAA0( *((intOrPtr*)( *((intOrPtr*)(_t270 + 0x38)))), _t182,  *_t279,  *((intOrPtr*)(_t279 + 8)));
                                    				goto 0xa8aa46a2;
                                    				_t96 = E00007FF77FF7A8B5DAA0( *((intOrPtr*)( *((intOrPtr*)(_t270 + 0x38)))), _t182,  *_t279,  *((intOrPtr*)(_t279 + 8)));
                                    				goto 0xa8aa46f8;
                                    				_t183 =  *((intOrPtr*)(_t257 + 0x38));
                                    				goto 0xa8aa4738;
                                    				_t177 =  *0xa8c86f88; // 0xffffffffffffffff
                                    				if (( *(_t271 + 0x50) & 0x00000000) == _t177) goto 0xa8aa49fb;
                                    				if ((0x00000000 & _t183) != _t177) goto 0xa8aa493a;
                                    				E00007FF77FF7A8B53000(_t96, 0 |  *((intOrPtr*)(_t193 + 0x20)) - r13d > 0x00000000, (0x00000000 & _t183) - _t177, _t183, _t269);
                                    				 *(_t271 + 0x50) = _t183;
                                    				 *(_t271 + 0x58) = r13d;
                                    				E00007FF77FF7A8B8A7E0(0x30, _t177,  *(_t259 + 0x88) ^ _t259 + 0x00000048);
                                    				return __imp__ReleaseSRWLockExclusive();
                                    			}


                                    APIs
                                    • GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,?,?,00007FF7A8AA4350,?,?,?,?,?,?,?), ref: 00007FF7A8AA4565
                                    • TryAcquireSRWLockExclusive.KERNEL32(?,?,?,?,?,?,?,?,00007FF7A8AA4350,?,?,?,?,?,?,?), ref: 00007FF7A8AA4571
                                    • ReleaseSRWLockExclusive.KERNEL32 ref: 00007FF7A8AA489B
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.282202405.00007FF7A8A71000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF7A8A70000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_7ff7a8a70000_chrome.jbxd
                                    Similarity
                                    • API ID: ExclusiveLock$AcquireCurrentReleaseThread
                                    • String ID:
                                    • API String ID: 135963836-0
                                    • Opcode ID: 6680307c01f9e5b8365598088cd377f532b379cd7d0149d3c370b3a37b0ba5c7
                                    • Instruction ID: 2f8f85f87cfd891cd0521dd2f0fb2e20ebeae554c075680ceecc9b245d6da7e7
                                    • Opcode Fuzzy Hash: 6680307c01f9e5b8365598088cd377f532b379cd7d0149d3c370b3a37b0ba5c7
                                    • Instruction Fuzzy Hash: 8BD1F962B0BB9285EA11EB15D414679E3A4FB48FD4F864131EE4E4BBA4EF3CE441C364
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 88%
                                    			E00007FF77FF7A8C0CEC0(void* __ecx, void* __eflags, void* __rcx, void* __rdx) {
                                    				signed int _t44;
                                    				void* _t60;
                                    				signed long long _t76;
                                    				signed long long _t77;
                                    				intOrPtr* _t87;
                                    				long long _t96;
                                    				void* _t99;
                                    				signed long long _t101;
                                    				signed short* _t104;
                                    				signed long long _t107;
                                    				unsigned long long _t112;
                                    				signed long long* _t116;
                                    				signed long long _t117;
                                    				intOrPtr* _t119;
                                    				void* _t120;
                                    				void* _t121;
                                    				signed long long _t122;
                                    				signed long long _t123;
                                    
                                    				_t99 = __rdx;
                                    				_t76 =  *0xa8c85028; // 0x2b992ddfa232
                                    				_t77 = _t76 ^ _t117;
                                    				 *(_t117 + 0x50) = _t77;
                                    				E00007FF77FF7A8B3A8B0(__rcx);
                                    				_t89 =  !=  ? __rcx : __rcx;
                                    				r13d =  *((intOrPtr*)(_t77 + 8));
                                    				_t121 = _t120 + ( !=  ? __rcx : __rcx);
                                    				if (_t121 - __rcx < 0) goto 0xa8c0d3cf;
                                    				_t123 = _t77;
                                    				if ( *((char*)(_t77 + 3)) != 0) goto 0xa8c0cf58;
                                    				_t60 = _t121 - 0x101 - 0x7fefe;
                                    				if (_t60 > 0) goto 0xa8c0cf58;
                                    				if (_t60 == 0) goto 0xa8c0d0c6;
                                    				asm("bsr ecx, eax");
                                    				_t112 =  <  ? 1 : 0xbadbb1 >> 2;
                                    				if (_t112 == 0) goto 0xa8c0cf6f;
                                    				asm("dec eax");
                                    				_t100 = _t99 - 0x3e;
                                    				asm("dec eax");
                                    				r14d =  *(0xa8c68368 + 0x200 + ((_t112 >>  *(_t99 - 0x3e + 0xa8c68780)) + _t100 * 4) * 2) & 0x0000ffff;
                                    				 *((char*)(_t117 + 0x4f)) = 0;
                                    				 *((long long*)(_t117 + 0x40)) = 0xaaaaaaaa;
                                    				r9b =  *_t123;
                                    				if (r9b == 2) goto 0xa8c0d1b7;
                                    				if ( *((char*)(_t123 + 2)) == 0) goto 0xa8c0d0d0;
                                    				_t44 =  *0xa8c8eb14; // 0x0
                                    				_t96 =  *[gs:0x58];
                                    				_t87 =  *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x5555555555555550)) + 0x130));
                                    				if (_t87 - 2 < 0) goto 0xa8c0d254;
                                    				 *((long long*)(_t87 + 8)) =  *((long long*)(_t87 + 8)) + 1;
                                    				if (r14w - 0x10 >= 0) goto 0xa8c0d278;
                                    				_t107 = _t122 << 4;
                                    				_t116 = _t87 + _t107 + 0x58;
                                    				_t119 =  *_t116;
                                    				if (_t119 == 0) goto 0xa8c0d2de;
                                    				 *((long long*)(_t87 + 0x10)) =  *((long long*)(_t87 + 0x10)) + 1;
                                    				_t101 =  *_t119;
                                    				if (_t101 == 0) goto 0xa8c0d0c2;
                                    				asm("dec eax");
                                    				if ((_t44 & 0x001fc000) == 0) goto 0xa8c0d30f;
                                    				if ( *((intOrPtr*)(_t119 + 8)) !=  !_t101) goto 0xa8c0d30f;
                                    				asm("prefetcht0 [eax]");
                                    				_t104 = _t87 + _t107 + 0x62;
                                    				 *((char*)(_t104 - 2)) =  *((char*)(_t104 - 2)) - 1;
                                    				 *_t116 = _t101;
                                    				 *((long long*)(_t117 + 0x40)) = _t96;
                                    				 *_t87 =  *_t87 - ( *_t104 & 0x0000ffff);
                                    				if (_t119 == 0) goto 0xa8c0d280;
                                    				if ( *((char*)(_t123 + 6)) == 0) goto 0xa8c0d097;
                                    				 *_t119 = 1;
                                    				if (r9b == 2) goto 0xa8c0d1db;
                                    				return E00007FF77FF7A8B8A7E0( *(_t87 + _t107 + 0x62) & 0x0000ffff, _t101,  *(_t117 + 0x50) ^ _t117);
                                    			}






















                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.282202405.00007FF7A8A71000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF7A8A70000, based on PE: true
                                    • Associated: 00000005.00000002.282193308.00007FF7A8A70000.00000002.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282677117.00007FF7A8C32000.00000002.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282689759.00007FF7A8C3A000.00000002.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282700365.00007FF7A8C4A000.00000002.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282744839.00007FF7A8C85000.00000008.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282751860.00007FF7A8C8E000.00000008.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282767122.00007FF7A8C98000.00000002.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282780464.00007FF7A8CAA000.00000002.00000001.01000000.00000006.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_7ff7a8a70000_chrome.jbxd
                                    Similarity
                                    • API ID: ExclusiveLock$Acquire$Release
                                    • String ID:
                                    • API String ID: 1678258262-0
                                    • Opcode ID: 089a949f215c5ae9d337ef257dc7af53db0eca133724499658510d19fb6d4055
                                    • Instruction ID: f2f1583718abcbee4cc1c0b6aba6badb68d3f26173fa1eb2a7db115252ba3e5a
                                    • Opcode Fuzzy Hash: 089a949f215c5ae9d337ef257dc7af53db0eca133724499658510d19fb6d4055
                                    • Instruction Fuzzy Hash: ECD12172B0AA8186EA04AB01E454379EBB1FF45BD4F8A4275DF2E077A4DE3CE441C718
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 19%
                                    			E00007FF77FF7A8A74B50(void* __rcx, void* __rdx) {
                                    				signed int _v72;
                                    				char _v73;
                                    				void* _v88;
                                    				signed long long _v112;
                                    				long long _v120;
                                    				signed int _t35;
                                    				signed long long _t62;
                                    				signed long long _t63;
                                    				signed long long _t70;
                                    				long long _t75;
                                    				signed long long _t82;
                                    				intOrPtr _t92;
                                    				void* _t96;
                                    				signed long long _t102;
                                    				unsigned long long _t104;
                                    				void* _t109;
                                    				unsigned long long _t110;
                                    				signed long long _t113;
                                    				signed long long _t115;
                                    
                                    				_t96 = __rdx;
                                    				_t62 =  *0xa8c85028; // 0x2b992ddfa232
                                    				_t63 = _t62 ^  &_v88;
                                    				_v72 = _t63;
                                    				_t35 = E00007FF77FF7A8B3A8B0(__rcx);
                                    				_t81 =  !=  ? __rcx : __rcx;
                                    				r12d =  *((intOrPtr*)(_t63 + 8));
                                    				_t110 = _t109 + ( !=  ? __rcx : __rcx);
                                    				if (_t110 - __rcx < 0) goto 0xa8a74da9;
                                    				_t113 = _t63;
                                    				_t102 = _t63;
                                    				if ( *((char*)(_t113 + 3)) != 0) goto 0xa8a74bbb;
                                    				_t82 = _t110 - 0x101;
                                    				_t104 = _t110;
                                    				if (_t82 - 0x7fefe <= 0) goto 0xa8a74f1c;
                                    				if (_t104 == 0) goto 0xa8a74bd2;
                                    				asm("dec eax");
                                    				asm("dec eax");
                                    				r15d =  *(0xa8c68368 + 0x200 + ((_t104 >>  *(_t96 - (_t82 ^ 0x0000003f) + 0xa8c68780)) + (_t96 - (_t82 ^ 0x0000003f)) * 4) * 2) & 0x0000ffff;
                                    				_v73 = 0;
                                    				_v88 = 0xaaaaaaaa;
                                    				bpl =  *_t102;
                                    				if (bpl == 2) goto 0xa8a74dac;
                                    				if ( *((char*)(_t102 + 2)) != 0) goto 0xa8a74dc4;
                                    				__imp__TryAcquireSRWLockExclusive();
                                    				if ((_t35 & 0x00000003) == 0) goto 0xa8a74e79;
                                    				if ( *((intOrPtr*)( *((intOrPtr*)(_t113 + (_t115 + _t115 * 4) * 8 + 0x48)))) != 0) goto 0xa8a74d3b;
                                    				_t20 =  &_v73; // 0x59682f000000e918
                                    				_t70 = _t20;
                                    				_v112 = _t70;
                                    				_v120 = 0x4000;
                                    				r8d = 0;
                                    				0xa8b4eca0();
                                    				if (_t70 == 0) goto 0xa8a74f0c;
                                    				_t75 =  *((intOrPtr*)((_t70 >> 9) + (_t70 & 0xffe00000) - ((_t70 & 0xffe00000) << 5) + 0x1010)) +  *((intOrPtr*)(_t102 + 0xa98));
                                    				 *((long long*)(_t102 + 0xa98)) = _t75;
                                    				_t92 =  *((intOrPtr*)(_t102 + 0xaa0));
                                    				_t76 =  >  ? _t92 : _t75;
                                    				 *((long long*)(_t102 + 0xaa0)) =  >  ? _t92 : _t75;
                                    				__imp__ReleaseSRWLockExclusive();
                                    				if ( *((char*)(_t102 + 6)) != 0) goto 0xa8a74e86;
                                    				if (bpl == 2) goto 0xa8a74e93;
                                    				return E00007FF77FF7A8B8A7E0( *((_t70 >> 9) + (_t70 & 0xffe00000) + 0x101e) & 0x3f,  >  ? _t92 : _t75, _v72 ^  &_v88);
                                    			}























                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.282202405.00007FF7A8A71000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF7A8A70000, based on PE: true
                                    • Associated: 00000005.00000002.282193308.00007FF7A8A70000.00000002.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282677117.00007FF7A8C32000.00000002.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282689759.00007FF7A8C3A000.00000002.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282700365.00007FF7A8C4A000.00000002.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282744839.00007FF7A8C85000.00000008.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282751860.00007FF7A8C8E000.00000008.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282767122.00007FF7A8C98000.00000002.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282780464.00007FF7A8CAA000.00000002.00000001.01000000.00000006.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_7ff7a8a70000_chrome.jbxd
                                    Similarity
                                    • API ID: ExclusiveLock$Acquire$Release
                                    • String ID:
                                    • API String ID: 1678258262-0
                                    • Opcode ID: 9e5ef5353a1d2123c37c4a3e98fecab345cbb279d8818787276e64d05076c685
                                    • Instruction ID: 42f5c5bb9773602aecf5ee89f63a340ea9cda3555b377c3fe9b2d81eaffde756
                                    • Opcode Fuzzy Hash: 9e5ef5353a1d2123c37c4a3e98fecab345cbb279d8818787276e64d05076c685
                                    • Instruction Fuzzy Hash: 6FC1EF72B0BA4286EA14AB01D41477AF3A0FF44B94FC64131DA4E877A4EF3CE441DB28
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.282202405.00007FF7A8A71000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF7A8A70000, based on PE: true
                                    • Associated: 00000005.00000002.282193308.00007FF7A8A70000.00000002.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282677117.00007FF7A8C32000.00000002.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282689759.00007FF7A8C3A000.00000002.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282700365.00007FF7A8C4A000.00000002.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282744839.00007FF7A8C85000.00000008.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282751860.00007FF7A8C8E000.00000008.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282767122.00007FF7A8C98000.00000002.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282780464.00007FF7A8CAA000.00000002.00000001.01000000.00000006.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_7ff7a8a70000_chrome.jbxd
                                    Similarity
                                    • API ID: Virtual$AllocFreeMemoryProcessWrite
                                    • String ID:
                                    • API String ID: 3247110995-0
                                    • Opcode ID: b1ca5a4774c8c4033cc2aca9fb60ba1517d355951c2f4146e68bae8f70e751f1
                                    • Instruction ID: 2711ede08c626fdd8d04a4e8e992700342c053b916e0450185916135c1abf53e
                                    • Opcode Fuzzy Hash: b1ca5a4774c8c4033cc2aca9fb60ba1517d355951c2f4146e68bae8f70e751f1
                                    • Instruction Fuzzy Hash: EA119032B1A74081F750AB12A804B69E6D0BB48FD0F8A8034EE4C077A4EE3CD556CB18
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.282202405.00007FF7A8A71000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF7A8A70000, based on PE: true
                                    • Associated: 00000005.00000002.282193308.00007FF7A8A70000.00000002.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282677117.00007FF7A8C32000.00000002.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282689759.00007FF7A8C3A000.00000002.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282700365.00007FF7A8C4A000.00000002.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282744839.00007FF7A8C85000.00000008.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282751860.00007FF7A8C8E000.00000008.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282767122.00007FF7A8C98000.00000002.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282780464.00007FF7A8CAA000.00000002.00000001.01000000.00000006.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_7ff7a8a70000_chrome.jbxd
                                    Similarity
                                    • API ID: Time$FileSystem
                                    • String ID:
                                    • API String ID: 2086374402-0
                                    • Opcode ID: be3ac14b68d7d30021cf87e1eee623bf8ea8daa818002e4c4ff422cdc02b3372
                                    • Instruction ID: 25ddbf8f6beddd133a67ffcc1c14a6dc73e925118f5a76b139c0903d31f98fa7
                                    • Opcode Fuzzy Hash: be3ac14b68d7d30021cf87e1eee623bf8ea8daa818002e4c4ff422cdc02b3372
                                    • Instruction Fuzzy Hash: 3DF052A2B2A54D03ED04AB049450729D281AF28BF6F005730EE3E0EBD4EF2CD4258700
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 100%
                                    			E00007FF77FF7A8AA9040() {
                                    				signed int _v16;
                                    				void* _t4;
                                    				signed long long _t7;
                                    				signed long long _t13;
                                    
                                    				_t7 =  *0xa8c85028; // 0x2b992ddfa232
                                    				_v16 = _t7 ^ _t13;
                                    				if ( *0xa8c96080 == 0) goto 0xa8aa907a;
                                    				return E00007FF77FF7A8B8A7E0(_t4, _t7 ^ _t13, _v16 ^ _t13);
                                    			}








                                    APIs
                                    • GetModuleHandleW.KERNEL32(?,?,?,?,?,?,?,00007FF7A8ABA0CB), ref: 00007FF7A8AA9081
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.282202405.00007FF7A8A71000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF7A8A70000, based on PE: true
                                    • Associated: 00000005.00000002.282193308.00007FF7A8A70000.00000002.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282677117.00007FF7A8C32000.00000002.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282689759.00007FF7A8C3A000.00000002.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282700365.00007FF7A8C4A000.00000002.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282744839.00007FF7A8C85000.00000008.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282751860.00007FF7A8C8E000.00000008.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282767122.00007FF7A8C98000.00000002.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282780464.00007FF7A8CAA000.00000002.00000001.01000000.00000006.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_7ff7a8a70000_chrome.jbxd
                                    Similarity
                                    • API ID: HandleModule
                                    • String ID: NtAllocateVirtualMemory$NtClose$NtCreateFile$NtCreateSection$NtDuplicateObject$NtFreeVirtualMemory$NtMapViewOfSection$NtOpenFile$NtOpenProcess$NtOpenProcessToken$NtOpenProcessTokenEx$NtOpenThread$NtProtectVirtualMemory$NtQueryAttributesFile$NtQueryFullAttributesFile$NtQueryInformationProcess$NtQueryObject$NtQuerySection$NtQueryVirtualMemory$NtSetInformationFile$NtSetInformationProcess$NtSignalAndWaitForSingleObject$NtUnmapViewOfSection$NtWaitForSingleObject$RtlAllocateHeap$RtlAnsiStringToUnicodeString$RtlCompareUnicodeString$RtlCreateHeap$RtlCreateUserThread$RtlDestroyHeap$RtlFreeHeap$RtlNtStatusToDosError$_strnicmp$memcpy$ntdll.dll$strlen$wcslen
                                    • API String ID: 4139908857-416949117
                                    • Opcode ID: 75a9dbb8103e4a1711cb288be53c29ba77267b85e5fa9c434708348d2575be4a
                                    • Instruction ID: 5f70947e1642fbed454df51be5c4e4fa96de7c5f3bd04b86421aab25e459b722
                                    • Opcode Fuzzy Hash: 75a9dbb8103e4a1711cb288be53c29ba77267b85e5fa9c434708348d2575be4a
                                    • Instruction Fuzzy Hash: 3B91EB3090FA1691F900B714E8514B9F3A16F44B80FC661B2E85E067B6FF6CB116D76D
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 27%
                                    			E00007FF77FF7A8AB0113(signed long long __rax, long long __rbx, void* __rdi, intOrPtr* __rsi, void* __r13, long long _a32, intOrPtr _a40, intOrPtr _a48, long long _a56, long long _a64, long long _a72, signed int _a80, intOrPtr* _a200) {
                                    				void* _t29;
                                    				signed long long _t72;
                                    				signed long long _t73;
                                    				intOrPtr _t81;
                                    				signed long long _t105;
                                    				void* _t111;
                                    				signed long long _t115;
                                    				long long _t124;
                                    				long long _t129;
                                    
                                    				_t72 = __rax;
                                    				r9d = 0;
                                    				_t29 = MapViewOfFile(??, ??, ??, ??, ??);
                                    				if (__rax == 0) goto 0xa8ab03e1;
                                    				_t124 = __rax;
                                    				r13d = r14d;
                                    				if (__rdi == 0) goto 0xa8ab016b;
                                    				if (r14d == 0) goto 0xa8ab016b;
                                    				_t111 = __rax + __rbx;
                                    				E00007FF77FF7A8B8C610(_t29, _t111, __rdi, __r13);
                                    				_t81 =  *((intOrPtr*)(_t111 + _t72 * 8));
                                    				if (_t81 != 0) goto 0xa8ab0161;
                                    				_t73 = _t72 + 1;
                                    				if (_t73 != 0x40) goto 0xa8ab014c;
                                    				goto 0xa8ab016b;
                                    				 *((long long*)(_t111 + _t73 * 8)) = _t81 - __rdi;
                                    				goto 0xa8ab0156;
                                    				 *0xa8c977e8 = __rbx;
                                    				if (E00007FF77FF7A8AAF360(__rsi) == 0) goto 0xa8ab03fb;
                                    				_t129 =  &_a72;
                                    				 *_t129 = 0xaaaaaaaa;
                                    				_a32 = _t129;
                                    				r9d = 8;
                                    				if (WriteProcessMemory(??, ??, ??, ??, ??) == 0) goto 0xa8ab0339;
                                    				 *0xa8c977e8 = 0;
                                    				if (_a72 != 8) goto 0xa8ab03c0;
                                    				 *0xa8c977f0 = __r13;
                                    				if (E00007FF77FF7A8AAF360(__rsi) == 0) goto 0xa8ab0405;
                                    				_a72 = 0xaaaaaaaa;
                                    				_a32 = _t129;
                                    				r9d = 8;
                                    				if (WriteProcessMemory(??, ??, ??, ??, ??) == 0) goto 0xa8ab0379;
                                    				 *0xa8c977f0 = 0;
                                    				if (_a72 != 8) goto 0xa8ab03c0;
                                    				E00007FF77FF7A8B88160(_t73,  *__rsi);
                                    				_t105 = _t73;
                                    				_a32 = _a56;
                                    				r8d =  *((intOrPtr*)(__rsi + 0x10));
                                    				E00007FF77FF7A8AB0490(_a56, _t105,  *__rsi,  *((intOrPtr*)(__rsi + 0x40)));
                                    				 *(__rsi + 0x38) = _t105;
                                    				if ( *(__rsi + 0x38) != 0) goto 0xa8ab040f;
                                    				r8d = r15d;
                                    				r9d = 0x400;
                                    				if (E00007FF77FF7A8AB0540(_a56, _t105, _t124, 0xa8c977f0) == 0) goto 0xa8ab0428;
                                    				_a64 = 0xaaaaaaaa;
                                    				GetCurrentProcess();
                                    				_a48 = 0;
                                    				_a40 = 0;
                                    				_a32 = 7;
                                    				if (DuplicateHandle(??, ??, ??, ??, ??, ??, ??) == 0) goto 0xa8ab0432;
                                    				 *0xa8c96078 = _a64;
                                    				if (E00007FF77FF7A8AAF360(__rsi) == 0) goto 0xa8ab044c;
                                    				_a72 = 0xaaaaaaaa;
                                    				_a32 = _t129;
                                    				r9d = 8;
                                    				if (WriteProcessMemory(??, ??, ??, ??, ??) == 0) goto 0xa8ab038b;
                                    				 *0xa8c96078 = 0;
                                    				if (_a72 != 8) goto 0xa8ab03c0;
                                    				E00007FF77FF7A8AB0460(__rsi);
                                    				CloseHandle(??);
                                    				goto 0xa8ab0359;
                                    				 *0xa8c977e8 = 0;
                                    				 *_a200 = GetLastError();
                                    				E00007FF77FF7A8B8A7E0(0, _a64, _a80 ^ _t115);
                                    				return 0x39;
                                    			}













                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.282202405.00007FF7A8A71000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF7A8A70000, based on PE: true
                                    • Associated: 00000005.00000002.282193308.00007FF7A8A70000.00000002.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282677117.00007FF7A8C32000.00000002.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282689759.00007FF7A8C3A000.00000002.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282700365.00007FF7A8C4A000.00000002.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282744839.00007FF7A8C85000.00000008.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282751860.00007FF7A8C8E000.00000008.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282767122.00007FF7A8C98000.00000002.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282780464.00007FF7A8CAA000.00000002.00000001.01000000.00000006.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_7ff7a8a70000_chrome.jbxd
                                    Similarity
                                    • API ID: Process$MemoryWrite$ErrorHandleLast$CloseCurrentDuplicateFileView
                                    • String ID:
                                    • API String ID: 3760339274-0
                                    • Opcode ID: 18e17debfeb7bf28f81ac6a21478801422019261747605c668304bd229160e3e
                                    • Instruction ID: bcc5ba178e4c1e79bb986a72160181194759b787f194f590ab07722b58735e9c
                                    • Opcode Fuzzy Hash: 18e17debfeb7bf28f81ac6a21478801422019261747605c668304bd229160e3e
                                    • Instruction Fuzzy Hash: 69817431F0B60286E760AF12B948739E2A0BB45B94F865075DE8D577B4EE3CE8458728
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 21%
                                    			E00007FF77FF7A8C208A0(void* __rcx, void* __rdx, void* __r8, void* __r9) {
                                    				signed int _v56;
                                    				char _v64;
                                    				long long _v392;
                                    				void* _t9;
                                    				signed long long _t13;
                                    				long long _t16;
                                    				signed long long _t25;
                                    
                                    				_t13 =  *0xa8c85028; // 0x2b992ddfa232
                                    				_v56 = _t13 ^ _t25;
                                    				_t2 =  &_v64; // -6148914691236516606
                                    				_t16 = _t2;
                                    				 *_t16 = 0;
                                    				_v392 = _t16;
                                    				if (ReadProcessMemory(??, ??, ??, ??, ??) == 0) goto 0xa8c2092b;
                                    				if (_v64 < 0) goto 0xa8c20a36;
                                    				return E00007FF77FF7A8B8A7E0(_t9, _t13 ^ _t25, _v56 ^ _t25);
                                    			}











                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.282202405.00007FF7A8A71000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF7A8A70000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_7ff7a8a70000_chrome.jbxd
                                    Similarity
                                    • API ID: ErrorLastMemoryProcessRead
                                    • String ID: bytes failed$ of $../../third_party/crashpad/crashpad/util/process/process_memory_win.cc$ReadMemory at 0x
                                    • API String ID: 2417666006-2955109599
                                    • Opcode ID: 47cd00311f20155c15b742237b783fc0a7f753dece38ee7777759c5a048172fa
                                    • Instruction ID: bb015a339beee00e75c15152fc79c61c4e561efb3d4e13377adf86d773583442
                                    • Opcode Fuzzy Hash: 47cd00311f20155c15b742237b783fc0a7f753dece38ee7777759c5a048172fa
                                    • Instruction Fuzzy Hash: E141D321B0AA4680EA10BB12D8407BAE760BF85FE0FC58275DE5E077F5EE3DD1018B18
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 50%
                                    			E00007FF77FF7A8BBAE4C(void* __ecx, long long __rbx, void* __rdx, signed int __rsi, void* __r8, void* __r9) {
                                    				intOrPtr _t61;
                                    				intOrPtr _t65;
                                    				intOrPtr _t67;
                                    				intOrPtr _t68;
                                    				struct HINSTANCE__* _t81;
                                    				long long _t85;
                                    				void* _t89;
                                    				struct HINSTANCE__* _t94;
                                    				long _t97;
                                    				void* _t100;
                                    				signed long long _t101;
                                    				WCHAR* _t104;
                                    
                                    				 *((long long*)(_t89 + 8)) = __rbx;
                                    				 *((long long*)(_t89 + 0x10)) = _t85;
                                    				 *((long long*)(_t89 + 0x18)) = __rsi;
                                    				_t61 =  *((intOrPtr*)(0x7ff7a8a70000 + 0x220020 + _t81 * 8));
                                    				_t101 = _t100 | 0xffffffff;
                                    				if (_t61 == _t101) goto 0xa8bbaf79;
                                    				if (_t61 != 0) goto 0xa8bbaf7b;
                                    				if (__r8 == __r9) goto 0xa8bbaf71;
                                    				_t67 =  *((intOrPtr*)(0x7ff7a8a70000 + 0x220008 + __rsi * 8));
                                    				if (_t67 == 0) goto 0xa8bbaebc;
                                    				if (_t67 != _t101) goto 0xa8bbaf53;
                                    				goto 0xa8bbaf27;
                                    				r8d = 0x800;
                                    				LoadLibraryExW(_t104, _t100, _t97);
                                    				_t68 = _t61;
                                    				if (_t61 != 0) goto 0xa8bbaf33;
                                    				if (GetLastError() != 0x57) goto 0xa8bbaf15;
                                    				_t14 = _t68 + 7; // 0x7
                                    				r8d = _t14;
                                    				if (E00007FF77FF7A8BA9F70(__r8) == 0) goto 0xa8bbaf15;
                                    				r8d = 0;
                                    				LoadLibraryExW(??, ??, ??);
                                    				if (_t61 != 0) goto 0xa8bbaf33;
                                    				 *((intOrPtr*)(0x7ff7a8a70000 + 0x220008 + __rsi * 8)) = _t101;
                                    				goto 0xa8bbae9b;
                                    				_t21 = 0x7ff7a8a70000 + 0x220008 + __rsi * 8;
                                    				_t65 =  *_t21;
                                    				 *_t21 = _t61;
                                    				if (_t65 == 0) goto 0xa8bbaf53;
                                    				FreeLibrary(_t94);
                                    				GetProcAddress(_t81);
                                    				if (_t65 == 0) goto 0xa8bbaf71;
                                    				 *((intOrPtr*)(0x7ff7a8a70000 + 0x220020 + _t81 * 8)) = _t65;
                                    				goto 0xa8bbaf7b;
                                    				 *((intOrPtr*)(0x7ff7a8a70000 + 0x220020 + _t81 * 8)) = _t101;
                                    				return 0;
                                    			}
















                                    APIs
                                    • LoadLibraryExW.KERNEL32(?,?,?,00007FF7A8BBAD73,?,?,00000000,00007FF7A8BAA10E,?,?,?,00007FF7A8B8C3F9), ref: 00007FF7A8BBAECF
                                    • GetLastError.KERNEL32(?,?,?,00007FF7A8BBAD73,?,?,00000000,00007FF7A8BAA10E,?,?,?,00007FF7A8B8C3F9), ref: 00007FF7A8BBAEDD
                                    • LoadLibraryExW.KERNEL32(?,?,?,00007FF7A8BBAD73,?,?,00000000,00007FF7A8BAA10E,?,?,?,00007FF7A8B8C3F9), ref: 00007FF7A8BBAF07
                                    • FreeLibrary.KERNEL32(?,?,?,00007FF7A8BBAD73,?,?,00000000,00007FF7A8BAA10E,?,?,?,00007FF7A8B8C3F9), ref: 00007FF7A8BBAF4D
                                    • GetProcAddress.KERNEL32(?,?,?,00007FF7A8BBAD73,?,?,00000000,00007FF7A8BAA10E,?,?,?,00007FF7A8B8C3F9), ref: 00007FF7A8BBAF59
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.282202405.00007FF7A8A71000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF7A8A70000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_7ff7a8a70000_chrome.jbxd
                                    Similarity
                                    • API ID: Library$Load$AddressErrorFreeLastProc
                                    • String ID: MZx$api-ms-
                                    • API String ID: 2559590344-259127448
                                    • Opcode ID: e48b04549ff1dee9f5ecc426367ad7469a5fc135d4e14a3891e99d56ac3e63ae
                                    • Instruction ID: 881fa50d81c8c20d3a0892c6096ccb5ba3c76ab0ace49d48e07acbb141cb6490
                                    • Opcode Fuzzy Hash: e48b04549ff1dee9f5ecc426367ad7469a5fc135d4e14a3891e99d56ac3e63ae
                                    • Instruction Fuzzy Hash: 8931C421F1B64296EE11AB02A844AB9E394BF48BA0F8A5535DD1D873A5DE3CE045872C
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 33%
                                    			E00007FF77FF7A8A73821(void* __ebp, void* __rbx, signed int __rdi, intOrPtr __rsi) {
                                    				void* _t32;
                                    				void* _t56;
                                    				void* _t57;
                                    				void* _t59;
                                    				void* _t88;
                                    				void* _t91;
                                    				void* _t94;
                                    				void* _t96;
                                    				char _t98;
                                    				signed long long _t105;
                                    				void* _t128;
                                    				long long _t135;
                                    				void* _t138;
                                    				long long _t146;
                                    
                                    				E00007FF77FF7A8A73D60(_t32, __rdi, _t128, __rbx);
                                    				asm("xorps xmm0, xmm0");
                                    				asm("movups [esi+0xa0], xmm0");
                                    				asm("movups [esi+0xb0], xmm0");
                                    				_t105 =  *((intOrPtr*)( *[gs:0x58] + __rdi * 8));
                                    				if ( *0xa8c938a0 -  *((intOrPtr*)(_t105 + 4)) > 0) goto 0xa8a73af5;
                                    				 *((char*)(__rsi + 0xc0)) =  *0xa8c93870;
                                    				 *((long long*)(__rsi + 0xc8)) = 0xa8c8e2c0;
                                    				if (__rsi == 0) goto 0xa8a73884;
                                    				asm("lock inc dword [esi]");
                                    				if ( *0xa8c938a0 -  *((intOrPtr*)( *((intOrPtr*)( *[gs:0x58] + _t105 * 8)) + 4)) > 0) goto 0xa8a73bbd;
                                    				if (__rsi == 0) goto 0xa8a738b1;
                                    				asm("lock inc dword [esi]");
                                    				0xa8b39580();
                                    				 *0xa8c937d0 = __rsi;
                                    				if ( *0xa8c937d0 != 0) goto 0xa8a73cb4;
                                    				0xa8b39590();
                                    				if (__ebp != 1) goto 0xa8a73cd2;
                                    				if ( *0xa8c96218 -  *((intOrPtr*)( *((intOrPtr*)( *[gs:0x58] + 0x3ffbd4649bec0)) + 4)) > 0) goto 0xa8a73c85;
                                    				0xa8b39580();
                                    				 *0xa8c96208 = __rsi;
                                    				if ( *0xa8c96208 != 0) goto 0xa8a73cf0;
                                    				 *0xa8c96210 = 0;
                                    				0xa8b39590();
                                    				asm("movaps xmm6, [esp+0x20]");
                                    				_pop(_t135);
                                    				_pop(_t138);
                                    				_pop(_t146);
                                    				goto 0xa8a73d50;
                                    				E00007FF77FF7A8B88008();
                                    				if ( *0xa8c938a0 != 0xffffffff) goto 0xa8a737e2;
                                    				asm("xorps xmm6, xmm6");
                                    				asm("movups [0x21fe53], xmm6");
                                    				asm("movups [0x21fe3c], xmm6");
                                    				 *0xa8c93800 = 0x3f800000;
                                    				asm("movups [0x21fe62], xmm6");
                                    				asm("movups [0x21fe6b], xmm6");
                                    				 *0xa8c93828 = 0x3f800000;
                                    				r14d = 0;
                                    				 *0xa8c93830 = _t146;
                                    				 *0xa8c93838 = r14b;
                                    				asm("movups [0x21fe75], xmm6");
                                    				asm("movups [0x21fe7e], xmm6");
                                    				 *0xa8c93860 = 0x3f800000;
                                    				 *0xa8c93868 = _t146;
                                    				 *0xa8c93870 = r14b;
                                    				 *0xa8c93878 = _t146;
                                    				E00007FF77FF7A8A75050(0xa8c938a0);
                                    				_t42 =  ==  ?  *0x7FF7A8C8E2E1 != r14b : 2;
                                    				 *0xa8c93880 =  ==  ?  *0x7FF7A8C8E2E1 != r14b : 2;
                                    				asm("movups [0x21fe74], xmm6");
                                    				 *0xa8c93898 = r14b;
                                    				E00007FF77FF7A8B87FA8();
                                    				goto 0xa8a737e2;
                                    				E00007FF77FF7A8B88008();
                                    				if ( *0xa8c938a0 != 0xffffffff) goto 0xa8a7381a;
                                    				asm("xorps xmm6, xmm6");
                                    				asm("movups [0x21fd8a], xmm6");
                                    				asm("movups [0x21fd73], xmm6");
                                    				 *0xa8c93800 = 0x3f800000;
                                    				asm("movups [0x21fd99], xmm6");
                                    				asm("movups [0x21fda2], xmm6");
                                    				 *0xa8c93828 = 0x3f800000;
                                    				r14d = 0;
                                    				 *0xa8c93830 = _t146;
                                    				 *0xa8c93838 = r14b;
                                    				asm("movups [0x21fdac], xmm6");
                                    				asm("movups [0x21fdb5], xmm6");
                                    				 *0xa8c93860 = 0x3f800000;
                                    				 *0xa8c93868 = _t146;
                                    				 *0xa8c93870 = r14b;
                                    				 *0xa8c93878 = _t146;
                                    				E00007FF77FF7A8A75050(0xa8c938a0);
                                    				_t88 =  *((intOrPtr*)(0x7ff7a8c8e2e1)) - r14b;
                                    				_t47 =  ==  ? _t88 != 0 : 2;
                                    				 *0xa8c93880 =  ==  ? _t88 != 0 : 2;
                                    				asm("movups [0x21fdab], xmm6");
                                    				 *0xa8c93898 = r14b;
                                    				E00007FF77FF7A8B87FA8();
                                    				goto 0xa8a7381a;
                                    				E00007FF77FF7A8B88008();
                                    				if ( *0xa8c938a0 != 0xffffffff) goto 0xa8a73862;
                                    				asm("xorps xmm6, xmm6");
                                    				asm("movups [0x21fcd8], xmm6");
                                    				asm("movups [0x21fcc1], xmm6");
                                    				asm("movups [0x21fcaa], xmm6");
                                    				 *0xa8c93800 = 0x3f800000;
                                    				asm("movups [0x21fcd0], xmm6");
                                    				asm("movups [0x21fcd9], xmm6");
                                    				 *0xa8c93828 = 0x3f800000;
                                    				 *0xa8c93830 = _t135;
                                    				 *0xa8c93838 = dil;
                                    				asm("movups [0x21fce4], xmm6");
                                    				asm("movups [0x21fced], xmm6");
                                    				 *0xa8c93860 = 0x3f800000;
                                    				 *0xa8c93868 = _t135;
                                    				 *0xa8c93870 = dil;
                                    				 *0xa8c93878 = _t135;
                                    				E00007FF77FF7A8A75050(0xa8c938a0);
                                    				_t91 =  *((intOrPtr*)(0x7ff7a8c8e2e1)) - dil;
                                    				_t51 =  ==  ? _t91 != 0 : 2;
                                    				 *0xa8c93880 =  ==  ? _t91 != 0 : 2;
                                    				asm("movups [0x21fce3], xmm6");
                                    				 *0xa8c93898 = dil;
                                    				E00007FF77FF7A8B87FA8();
                                    				goto 0xa8a73862;
                                    				E00007FF77FF7A8B88008();
                                    				if ( *0xa8c938a0 != 0xffffffff) goto 0xa8a738a9;
                                    				asm("xorps xmm6, xmm6");
                                    				asm("movups [0x21fc10], xmm6");
                                    				asm("movups [0x21fbf9], xmm6");
                                    				asm("movups [0x21fbe2], xmm6");
                                    				 *0xa8c93800 = 0x3f800000;
                                    				asm("movups [0x21fc08], xmm6");
                                    				asm("movups [0x21fc11], xmm6");
                                    				 *0xa8c93828 = 0x3f800000;
                                    				 *0xa8c93830 = _t135;
                                    				 *0xa8c93838 = dil;
                                    				asm("movups [0x21fc1c], xmm6");
                                    				asm("movups [0x21fc25], xmm6");
                                    				 *0xa8c93860 = 0x3f800000;
                                    				 *0xa8c93868 = _t135;
                                    				 *0xa8c93870 = dil;
                                    				 *0xa8c93878 = _t135;
                                    				E00007FF77FF7A8A75050(0xa8c938a0);
                                    				_t94 =  *((intOrPtr*)(0x7ff7a8c8e2e1)) - dil;
                                    				_t55 =  ==  ? _t94 != 0 : 2;
                                    				 *0xa8c93880 =  ==  ? _t94 != 0 : 2;
                                    				asm("movups [0x21fc1b], xmm6");
                                    				 *0xa8c93898 = dil;
                                    				E00007FF77FF7A8B87FA8();
                                    				goto 0xa8a738a9;
                                    				E00007FF77FF7A8B88008();
                                    				_t96 =  *0xa8c96218 - 0xffffffff;
                                    				if (_t96 != 0) goto 0xa8a7390e;
                                    				_t56 = E00007FF77FF7A8A75B60(0xa8c8e2c0);
                                    				E00007FF77FF7A8B87FA8();
                                    				goto 0xa8a7390e;
                                    				asm("lock dec dword [edi]");
                                    				if (_t96 != 0) goto 0xa8a738d4;
                                    				_t57 = E00007FF77FF7A8BF5C00(_t56, _t135);
                                    				0xa8a713a0(_t135, _t135);
                                    				goto 0xa8a738d4;
                                    				if (__ebp != 3) goto 0xa8a73d0e;
                                    				 *0xa8c8e2f8 = 2;
                                    				_t98 =  *0xa8c8e2fa;
                                    				if (_t98 == 0) goto 0xa8a73d16;
                                    				 *0xa8c8e2f9 = 1;
                                    				goto 0xa8a73d16;
                                    				asm("lock dec dword [edi]");
                                    				if (_t98 != 0) goto 0xa8a73931;
                                    				E00007FF77FF7A8BF5C00(_t57, _t135);
                                    				0xa8a713a0();
                                    				goto 0xa8a73931;
                                    				_t59 = E00007FF77FF7A8B395A0(__ebp, _t138);
                                    				if (_t138 != 0) goto 0xa8a73d2b;
                                    				asm("movaps xmm6, [esp+0x20]");
                                    				return _t59;
                                    			}

                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.282202405.00007FF7A8A71000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF7A8A70000, based on PE: true
                                    • Associated: 00000005.00000002.282193308.00007FF7A8A70000.00000002.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282677117.00007FF7A8C32000.00000002.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282689759.00007FF7A8C3A000.00000002.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282700365.00007FF7A8C4A000.00000002.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282744839.00007FF7A8C85000.00000008.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282751860.00007FF7A8C8E000.00000008.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282767122.00007FF7A8C98000.00000002.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282780464.00007FF7A8CAA000.00000002.00000001.01000000.00000006.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_7ff7a8a70000_chrome.jbxd
                                    Similarity
                                    • API ID: ExclusiveLock$AcquireRelease$Init_thread_footer
                                    • String ID:
                                    • API String ID: 2011303873-0
                                    • Opcode ID: 73d9d560e2234cfb1e2008b3354618b880c7b561bb943de51ce6da88458e5615
                                    • Instruction ID: 7e3e4a2ac630e2443166c591a8cf64bbdb0b9890d590f7433810e4ae67fd1f40
                                    • Opcode Fuzzy Hash: 73d9d560e2234cfb1e2008b3354618b880c7b561bb943de51ce6da88458e5615
                                    • Instruction Fuzzy Hash: 80A19F61D1F68285F611F724A940675F3A0AF55344FC322F6E94E42AB2EF2C7582DB2C
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 42%
                                    			E00007FF77FF7A8AC3E40(signed int __rcx, long long __rdx, void* __rdi) {
                                    				void* _t29;
                                    				void* _t34;
                                    				intOrPtr _t49;
                                    				signed long long _t50;
                                    				void* _t52;
                                    				long long* _t53;
                                    				long long _t54;
                                    				signed long long _t56;
                                    				signed long long _t57;
                                    				long long _t59;
                                    				struct HINSTANCE__* _t60;
                                    				signed long long _t75;
                                    				void* _t83;
                                    				intOrPtr* _t89;
                                    				signed long long _t90;
                                    				void* _t91;
                                    				intOrPtr _t92;
                                    				signed long long _t94;
                                    				signed long long _t96;
                                    				void* _t99;
                                    				void* _t108;
                                    				void* _t109;
                                    				void* _t112;
                                    				intOrPtr _t114;
                                    				void* _t116;
                                    				void* _t119;
                                    				long long _t120;
                                    
                                    				_t120 = __rcx;
                                    				if ( *0xa8c93680 -  *((intOrPtr*)( *((intOrPtr*)( *[gs:0x58] + __rcx * 8)) + 4)) > 0) goto 0xa8ac3f7d;
                                    				_t89 =  *0xa8c93678;
                                    				0xa8b39580(__rdi, _t109, _t112, _t116, _t119);
                                    				_t53 =  *((intOrPtr*)(_t89 + 8));
                                    				_t49 =  *((intOrPtr*)(_t89 + 0x10));
                                    				_t34 = _t53 - _t49;
                                    				if (_t34 >= 0) goto 0xa8ac3eae;
                                    				 *_t53 = __rcx;
                                    				 *((long long*)(_t53 + 8)) = __rdx;
                                    				_t54 = _t53 + 0x10;
                                    				 *((long long*)(_t89 + 8)) = _t54;
                                    				goto 0xa8ac3f66;
                                    				_t92 =  *_t89;
                                    				_t56 = _t54 - _t92 >> 4;
                                    				_t83 = _t56 + 1;
                                    				if (_t34 != 0) goto 0xa8ac3fc2;
                                    				_t50 = _t49 - _t92;
                                    				_t94 = _t50 >> 3;
                                    				_t95 =  <=  ? _t83 : _t94;
                                    				_t96 =  >=  ? 0xffffffff :  <=  ? _t83 : _t94;
                                    				if (_t96 == 0) goto 0xa8ac3f11;
                                    				if (_t96 - 0xffffffff > 0) goto 0xa8ac3fca;
                                    				E00007FF77FF7A8B88160(_t50, _t96 << 4);
                                    				goto 0xa8ac3f13;
                                    				_t57 = _t56 << 4;
                                    				_t59 = _t57 + _t50 + 0x10;
                                    				 *((long long*)(_t59 - 0x10)) = _t120;
                                    				 *((long long*)(_t59 - 8)) = __rdx;
                                    				_t108 =  *((intOrPtr*)(_t89 + 8)) -  *_t89;
                                    				_t114 = _t50 + _t57 - _t108;
                                    				if (_t108 <= 0) goto 0xa8ac3f4e;
                                    				E00007FF77FF7A8B8C610(0, _t114,  *_t89, _t108);
                                    				 *_t89 = _t114;
                                    				 *((long long*)(_t89 + 8)) = _t59;
                                    				 *((long long*)(_t89 + 0x10)) = (_t96 << 4) + _t50;
                                    				if ( *_t89 == 0) goto 0xa8ac3f66;
                                    				0xa8b88150();
                                    				_t60 = _t52;
                                    				_pop(_t90);
                                    				_t99 = _t91;
                                    				goto 0xa8b39590;
                                    				E00007FF77FF7A8B88008();
                                    				if ( *0xa8c93680 != 0xffffffff) goto 0xa8ac3e7a;
                                    				E00007FF77FF7A8B88160(_t50, 0xa8c93680);
                                    				asm("xorps xmm0, xmm0");
                                    				asm("movups [eax], xmm0");
                                    				asm("movups [eax+0x10], xmm0");
                                    				 *0xa8c93678 = _t50;
                                    				E00007FF77FF7A8B87FA8();
                                    				goto 0xa8ac3e7a;
                                    				_t75 = _t90;
                                    				E00007FF77FF7A8BBD430( *0xa8c93680 - 0xffffffff,  *_t89);
                                    				0xa8b87f50();
                                    				asm("int3");
                                    				if (E00007FF77FF7A8AC4120(_t75) == 0) goto 0xa8ac4074;
                                    				if (E00007FF77FF7A8AC4120(_t75) == 0) goto 0xa8ac407b;
                                    				if ( *0xa8c93128 -  *((intOrPtr*)( *((intOrPtr*)( *[gs:0x58] + _t75 * 8)) + 4)) <= 0) goto 0xa8ac4057;
                                    				E00007FF77FF7A8B88008();
                                    				if ( *0xa8c93128 != 0xffffffff) goto 0xa8ac4057;
                                    				0xa8ac16b0(_t99);
                                    				if (_t50 == 0) goto 0xa8ac40dc;
                                    				GetProcAddress(_t60);
                                    				 *0xa8c93120 = _t50;
                                    				E00007FF77FF7A8B87FA8();
                                    				if ( *0xa8c93120 == 0) goto 0xa8ac407b;
                                    				_t29 =  *0xa8ca6010();
                                    				if (_t29 == 0) goto 0xa8ac407b;
                                    				return _t29;
                                    			}

                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.282202405.00007FF7A8A71000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF7A8A70000, based on PE: true
                                    • Associated: 00000005.00000002.282193308.00007FF7A8A70000.00000002.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282677117.00007FF7A8C32000.00000002.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282689759.00007FF7A8C3A000.00000002.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282700365.00007FF7A8C4A000.00000002.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282744839.00007FF7A8C85000.00000008.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282751860.00007FF7A8C8E000.00000008.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282767122.00007FF7A8C98000.00000002.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282780464.00007FF7A8CAA000.00000002.00000001.01000000.00000006.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_7ff7a8a70000_chrome.jbxd
                                    Similarity
                                    • API ID: Init_thread_footer$AcquireAddressExclusiveLockProc
                                    • String ID: SetProcessDpiAwarenessContext
                                    • API String ID: 3550650047-2310897281
                                    • Opcode ID: 36e9f2131e04dfa5ce1f100a17156b504c62fb7a52c0ed7e6b0b6d0d72a77a13
                                    • Instruction ID: 7e3ab4a722a760c37ce2899a2c74dc80ca83cabeb020ae4f7e76786422ce9c1f
                                    • Opcode Fuzzy Hash: 36e9f2131e04dfa5ce1f100a17156b504c62fb7a52c0ed7e6b0b6d0d72a77a13
                                    • Instruction Fuzzy Hash: DF718261E0B64291EA10BB61E840579F2A0BF44BA0F824675EA6D473F1FF3CF491872C
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 36%
                                    			E00007FF77FF7A8A7A710(long long __rcx) {
                                    				signed int _v24;
                                    				void* _t15;
                                    				void* _t17;
                                    				signed long long _t39;
                                    				intOrPtr _t45;
                                    				intOrPtr _t46;
                                    				signed long long _t53;
                                    
                                    				_t39 =  *0xa8c85028; // 0x2b992ddfa232
                                    				_v24 = _t39 ^ _t53;
                                    				asm("xorps xmm0, xmm0");
                                    				asm("movups [ecx+0x8], xmm0");
                                    				 *((long long*)(__rcx)) = 0xa8c5f048;
                                    				 *((long long*)(__rcx + 0x18)) = 0xa8c5d030;
                                    				 *((long long*)(__rcx + 0x20)) = __rcx;
                                    				 *((char*)(__rcx + 0x28)) = 0;
                                    				 *((long long*)(__rcx + 0x30)) = 0xa8c5d030;
                                    				 *((long long*)(__rcx + 0x38)) = __rcx;
                                    				 *((char*)(__rcx + 0x40)) = 0;
                                    				r8d = 0;
                                    				r9d = 0;
                                    				_t15 = CreateEventW(??, ??, ??, ??);
                                    				_t45 =  *((intOrPtr*)(__rcx + 0x20));
                                    				if (_t45 == 0) goto 0xa8a7a786;
                                    				if (_t45 == 0xa8c5d030) goto 0xa8a7a872;
                                    				if (_t45 != 0) goto 0xa8a7a81b;
                                    				 *((long long*)(__rcx + 0x20)) = 0xa8c5d030;
                                    				if (E00007FF77FF7A8B44A10(_t15, 2, 1) == 0) goto 0xa8a7a7a8;
                                    				if ( *((long long*)(__rcx + 0x20)) == 0) goto 0xa8a7a825;
                                    				r8d = 0;
                                    				r9d = 0;
                                    				_t17 = CreateEventW(??, ??, ??, ??);
                                    				_t46 =  *((intOrPtr*)(__rcx + 0x38));
                                    				if (_t46 == 0) goto 0xa8a7a7d0;
                                    				if (_t46 == 0xa8c5d030) goto 0xa8a7a872;
                                    				if (_t46 != 0) goto 0xa8a7a877;
                                    				 *((long long*)(__rcx + 0x38)) = 0xa8c5d030;
                                    				if (E00007FF77FF7A8B44A10(_t17, 2, 1) == 0) goto 0xa8a7a7f6;
                                    				if ( *((long long*)(__rcx + 0x38)) == 0) goto 0xa8a7a881;
                                    				E00007FF77FF7A8ABE5D0(__rcx);
                                    				return E00007FF77FF7A8B8A7E0(2, 0xa8c5d030, _v24 ^ _t53);
                                    			}

                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.282202405.00007FF7A8A71000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF7A8A70000, based on PE: true
                                    • Associated: 00000005.00000002.282193308.00007FF7A8A70000.00000002.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282677117.00007FF7A8C32000.00000002.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282689759.00007FF7A8C3A000.00000002.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282700365.00007FF7A8C4A000.00000002.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282744839.00007FF7A8C85000.00000008.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282751860.00007FF7A8C8E000.00000008.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282767122.00007FF7A8C98000.00000002.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282780464.00007FF7A8CAA000.00000002.00000001.01000000.00000006.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_7ff7a8a70000_chrome.jbxd
                                    Similarity
                                    • API ID: CreateErrorEventLast
                                    • String ID: ../../third_party/crashpad/crashpad/util/win/session_end_watcher.cc$CreateEvent
                                    • API String ID: 545576003-1378153383
                                    • Opcode ID: ad6d78088babaeaaf9714b904df38554a2c23e460b53d21aa829126187ff6e89
                                    • Instruction ID: f4fcdafbd855ad3aa793c271fbfaaaa16e7021338a7a06e4e0b90fa2bb557b37
                                    • Opcode Fuzzy Hash: ad6d78088babaeaaf9714b904df38554a2c23e460b53d21aa829126187ff6e89
                                    • Instruction Fuzzy Hash: B341A321B1F64251FA64B721F551BBAE360EF45780F825135DA4E83EB1EE2CF0419B29
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 100%
                                    			E00007FF77FF7A8AC4120(signed int __rcx) {
                                    				signed int _v32;
                                    				intOrPtr _t10;
                                    				signed long long _t13;
                                    				signed long long _t20;
                                    
                                    				_t13 =  *0xa8c85028; // 0x2b992ddfa232
                                    				_v32 = _t13 ^ _t20;
                                    				_t10 =  *0xa8c8eb14; // 0x0
                                    				if ( *0xa8c93118 -  *((intOrPtr*)( *((intOrPtr*)( *[gs:0x58] + __rcx * 8)) + 4)) > 0) goto 0xa8ac4174;
                                    				E00007FF77FF7A8B8A7E0(_t10, _t13 ^ _t20, _v32 ^ _t20);
                                    				return  *0xa8c93114;
                                    			}








                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.282202405.00007FF7A8A71000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF7A8A70000, based on PE: true
                                    • Associated: 00000005.00000002.282193308.00007FF7A8A70000.00000002.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282677117.00007FF7A8C32000.00000002.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282689759.00007FF7A8C3A000.00000002.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282700365.00007FF7A8C4A000.00000002.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282744839.00007FF7A8C85000.00000008.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282751860.00007FF7A8C8E000.00000008.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282767122.00007FF7A8C98000.00000002.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282780464.00007FF7A8CAA000.00000002.00000001.01000000.00000006.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_7ff7a8a70000_chrome.jbxd
                                    Similarity
                                    • API ID: AddressCurrentHandleInit_thread_footerModuleProcProcess
                                    • String ID: GetProcessMitigationPolicy$kernel32.dll
                                    • API String ID: 243150566-1680159014
                                    • Opcode ID: bc7a7029cae63685779e325df0fdb56d88634898b2eb724ef54b5c468d4ce64d
                                    • Instruction ID: 80b14627a128fd2902d2b1262411618bb1d90e447294fea165d9d54a0f144ff4
                                    • Opcode Fuzzy Hash: bc7a7029cae63685779e325df0fdb56d88634898b2eb724ef54b5c468d4ce64d
                                    • Instruction Fuzzy Hash: 8221DB64A0F68285FA10BB20E8416B5F7A0BF54B90F8610B5D94D473B0EF2CA646CB2C
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 16%
                                    			E00007FF77FF7A8AB9DB0(signed int __ebx, void* __rcx, long long* __rdx) {
                                    				signed int _v48;
                                    				long long _v56;
                                    				intOrPtr _v72;
                                    				void* _v80;
                                    				intOrPtr _v88;
                                    				int _t13;
                                    				long _t14;
                                    				signed long long _t31;
                                    				long long _t37;
                                    
                                    				_t31 =  *0xa8c85028; // 0x2b992ddfa232
                                    				_v48 = _t31 ^  &_v80;
                                    				if (__rcx == 0) goto 0xa8ab9e89;
                                    				_v56 = 0;
                                    				GetCurrentProcess();
                                    				GetCurrentProcess();
                                    				_v80 = 0;
                                    				_v88 = 0;
                                    				_v72 = 2;
                                    				_t13 = DuplicateHandle(??, ??, ??, ??, ??, ??, ??);
                                    				if (_t13 == 0) goto 0xa8ab9e8d;
                                    				_t37 = _v56;
                                    				if ( *((intOrPtr*)(__rdx)) == _t37) goto 0xa8ab9e54;
                                    				_t14 = GetLastError();
                                    				if ( *((intOrPtr*)(__rdx)) + 1 - 2 >= 0) goto 0xa8ab9e73;
                                    				if (_t37 + 1 - 2 < 0) goto 0xa8ab9e4c;
                                    				 *__rdx = _t37;
                                    				E00007FF77FF7A8B42830(_t14);
                                    				SetLastError(??);
                                    				E00007FF77FF7A8B8A7E0(_t14, _t37 + 1, _v48 ^  &_v80);
                                    				return __ebx & 0xffffff00 | _t13 != 0x00000000;
                                    			}













                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.282202405.00007FF7A8A71000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF7A8A70000, based on PE: true
                                    • Associated: 00000005.00000002.282193308.00007FF7A8A70000.00000002.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282677117.00007FF7A8C32000.00000002.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282689759.00007FF7A8C3A000.00000002.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282700365.00007FF7A8C4A000.00000002.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282744839.00007FF7A8C85000.00000008.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282751860.00007FF7A8C8E000.00000008.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282767122.00007FF7A8C98000.00000002.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282780464.00007FF7A8CAA000.00000002.00000001.01000000.00000006.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_7ff7a8a70000_chrome.jbxd
                                    Similarity
                                    • API ID: ErrorLast$CurrentProcess$DuplicateHandle
                                    • String ID:
                                    • API String ID: 4190883320-0
                                    • Opcode ID: 21191bb0280b4132280cff3ac00b1f457427787d2bdfddbdce98ffe49daf861c
                                    • Instruction ID: 488b07401a05d50aad4c1429970ee8e6b5f04eea673656f91001fec546ac9af2
                                    • Opcode Fuzzy Hash: 21191bb0280b4132280cff3ac00b1f457427787d2bdfddbdce98ffe49daf861c
                                    • Instruction Fuzzy Hash: 9721A132A0B70686EB10AF11A44567AF361AF45B80FCA4035DE4E47365FE3CD8518A28
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 76%
                                    			E00007FF77FF7A8A7CB00(void* __rcx, long long __rdx) {
                                    				signed int _v72;
                                    				char _v88;
                                    				void* _v104;
                                    				long long _v128;
                                    				char _v136;
                                    				void* _t53;
                                    				intOrPtr _t65;
                                    				void* _t75;
                                    				signed int _t88;
                                    				signed long long _t90;
                                    				signed long long _t91;
                                    				long long _t92;
                                    				signed long long _t96;
                                    				char* _t98;
                                    				long long* _t102;
                                    				long long* _t137;
                                    				long long* _t144;
                                    				void* _t152;
                                    				long long _t153;
                                    				long long _t157;
                                    				signed long long _t159;
                                    
                                    				_t90 =  *0xa8c85028; // 0x2b992ddfa232
                                    				_t91 = _t90 ^  &_v104;
                                    				_v72 = _t91;
                                    				if (__rdx == 0) goto 0xa8a7cd95;
                                    				r14d = r8d;
                                    				_t157 = __rdx;
                                    				_t152 = __rcx;
                                    				E00007FF77FF7A8BA8660(_t53, __rdx);
                                    				_t159 = _t91;
                                    				_t92 = "\\/";
                                    				_t137 =  &_v136;
                                    				 *_t137 = _t92;
                                    				 *((long long*)(_t137 + 8)) = 2;
                                    				_t102 =  &_v88;
                                    				 *_t102 = _t157;
                                    				 *(_t102 + 8) = _t159;
                                    				0xa8a7d140();
                                    				if (_t92 != 0xffffffff) goto 0xa8a7cd82;
                                    				_t6 = _t152 + 0x10; // 0x12
                                    				_t158 = _t6;
                                    				_v136 = 0x5b;
                                    				r8d = 1;
                                    				E00007FF77FF7A8BBD690(_t6);
                                    				asm("movaps xmm0, [0x1e3c97]");
                                    				asm("movaps [edi], xmm0");
                                    				_t149 =  &_v136;
                                    				GetLocalTime(??);
                                    				 *((intOrPtr*)(__rcx +  *((intOrPtr*)( *((intOrPtr*)(__rcx + 0x10)) + 4)) + 0xa0)) = 0x30;
                                    				_t96 =  *((intOrPtr*)( *((intOrPtr*)(__rcx + 0x10)) + 4));
                                    				 *((long long*)(__rcx + _t96 + 0x28)) = _t153;
                                    				E00007FF77FF7A8A7CDF0( *( &_v136 + 2) & 0x0000ffff, _t6);
                                    				 *((long long*)(_t96 +  *((intOrPtr*)( *_t96 + 4)) + 0x18)) = _t153;
                                    				E00007FF77FF7A8A7CDF0( *( &_v136 + 6) & 0x0000ffff, _t96);
                                    				_t98 =  &_v88;
                                    				 *_t98 = 0x2f;
                                    				r8d = 1;
                                    				E00007FF77FF7A8BBD690(_t96);
                                    				 *((long long*)(_t96 +  *((intOrPtr*)( *_t96 + 4)) + 0x18)) = _t153;
                                    				E00007FF77FF7A8A7CDF0( *( &_v136 + 8) & 0x0000ffff, _t96);
                                    				 *((long long*)(_t96 +  *((intOrPtr*)( *_t96 + 4)) + 0x18)) = _t153;
                                    				E00007FF77FF7A8A7CDF0( *(_t149 + 0xa) & 0x0000ffff, _t96);
                                    				 *((long long*)(_t96 +  *((intOrPtr*)( *_t96 + 4)) + 0x18)) = _t153;
                                    				E00007FF77FF7A8A7CDF0( *(_t149 + 0xc) & 0x0000ffff, _t96);
                                    				 *_t98 = 0x2e;
                                    				r8d = 1;
                                    				E00007FF77FF7A8BBD690(_t96);
                                    				 *((long long*)(_t96 +  *((intOrPtr*)( *_t96 + 4)) + 0x18)) = 3;
                                    				E00007FF77FF7A8A7CDF0( *(_t149 + 0xe) & 0x0000ffff, _t96);
                                    				_v88 = 0x3a;
                                    				r8d = 1;
                                    				E00007FF77FF7A8BBD690(_t96);
                                    				_t65 =  *((intOrPtr*)(_t152 + 8));
                                    				if (_t65 < 0) goto 0xa8a7cd98;
                                    				if (_t65 - 3 > 0) goto 0xa8a7cdbf;
                                    				E00007FF77FF7A8BA8660(_t65,  *((intOrPtr*)(0xa8c638b0 + _t96 * 8)));
                                    				E00007FF77FF7A8BBD690(_t6);
                                    				r8d = 1;
                                    				E00007FF77FF7A8BBD690(_t158);
                                    				_t144 =  &_v104;
                                    				 *_t144 = _t157;
                                    				 *(_t144 + 8) = _t159;
                                    				E00007FF77FF7A8A7CDD0(_t96, _t144);
                                    				r8d = 1;
                                    				E00007FF77FF7A8BBD690(_t96);
                                    				E00007FF77FF7A8A7D380(r14d, _t96);
                                    				r8d = 3;
                                    				E00007FF77FF7A8BBD690(_t96);
                                    				0xa8a7d030();
                                    				_t88 =  *( &_v136 + 0x17) & 0x000000ff;
                                    				if (_t88 >= 0) goto 0xa8a7cd50;
                                    				 *((long long*)(_t152 + 0x118)) = _v128;
                                    				if (_t88 >= 0) goto 0xa8a7cd63;
                                    				0xa8b88150();
                                    				return E00007FF77FF7A8B8A7E0(_t75, _v128, _v72 ^  &_v104);
                                    			}

























                                    APIs
                                    • GetLocalTime.KERNEL32(?,?,?,?,../../base/metrics/persistent_memory_allocator.cc,?,0000001A,00000002,00000010,?,00000000,00000000,00007FF7A8A7C4A0,?,-00000002,?), ref: 00007FF7A8A7CBA4
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.282202405.00007FF7A8A71000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF7A8A70000, based on PE: true
                                    • Associated: 00000005.00000002.282193308.00007FF7A8A70000.00000002.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282677117.00007FF7A8C32000.00000002.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282689759.00007FF7A8C3A000.00000002.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282700365.00007FF7A8C4A000.00000002.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282744839.00007FF7A8C85000.00000008.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282751860.00007FF7A8C8E000.00000008.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282767122.00007FF7A8C98000.00000002.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282780464.00007FF7A8CAA000.00000002.00000001.01000000.00000006.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_7ff7a8a70000_chrome.jbxd
                                    Similarity
                                    • API ID: LocalTime
                                    • String ID: )] $../../base/metrics/persistent_memory_allocator.cc$UNKNOWN$VERBOSE
                                    • API String ID: 481472006-3302554768
                                    • Opcode ID: a9a249720dd7dacbe55ee6a51266ee15526a05261f40c065fc886524d4907488
                                    • Instruction ID: ae39a3d3a42789916832b70e1ba1c484f41dce38620f8d49fc7aa6fe2a6115c9
                                    • Opcode Fuzzy Hash: a9a249720dd7dacbe55ee6a51266ee15526a05261f40c065fc886524d4907488
                                    • Instruction Fuzzy Hash: F671D526B0AA4281EB14EF11E4507B9EBA0FB89F84F858131DE5E477A6EF3CE141D714
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.282202405.00007FF7A8A71000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF7A8A70000, based on PE: true
                                    • Associated: 00000005.00000002.282193308.00007FF7A8A70000.00000002.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282677117.00007FF7A8C32000.00000002.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282689759.00007FF7A8C3A000.00000002.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282700365.00007FF7A8C4A000.00000002.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282744839.00007FF7A8C85000.00000008.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282751860.00007FF7A8C8E000.00000008.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282767122.00007FF7A8C98000.00000002.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282780464.00007FF7A8CAA000.00000002.00000001.01000000.00000006.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_7ff7a8a70000_chrome.jbxd
                                    Similarity
                                    • API ID: AddressHandleInit_thread_footerModuleProc
                                    • String ID: GetAppContainerRegistryLocation$userenv
                                    • API String ID: 892586790-1384793904
                                    • Opcode ID: 5b6213ead26794047849ccaba966fa17cb4c8f3e0e6ab89a07d3446d2d0fba36
                                    • Instruction ID: d0f1b388705fb6015266f7b4c5d918b7c211cc5d9d3b8c2cd3435d71b2d444f7
                                    • Opcode Fuzzy Hash: 5b6213ead26794047849ccaba966fa17cb4c8f3e0e6ab89a07d3446d2d0fba36
                                    • Instruction Fuzzy Hash: 39518531E1B61681FA24BB25E8917B9E350AF44B90FC74171DE4E467B1EF2CE4818B28
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 68%
                                    			E00007FF77FF7A8A79280(void* __edi, void* __rcx) {
                                    				signed int _v24;
                                    				signed char _t6;
                                    				void* _t9;
                                    				signed long long _t15;
                                    				signed long long _t22;
                                    
                                    				_t15 =  *0xa8c85028; // 0x2b992ddfa232
                                    				_v24 = _t15 ^ _t22;
                                    				if ( *((char*)(__rcx + 0x17)) >= 0) goto 0xa8a792a7;
                                    				_t6 = GetFileAttributesW(??);
                                    				if (_t6 == 0xffffffff) goto 0xa8a792d9;
                                    				dil = 1;
                                    				if ((_t6 & 0x00000010) == 0) goto 0xa8a79393;
                                    				E00007FF77FF7A8B8A7E0(_t9, _t15 ^ _t22, _v24 ^ _t22);
                                    				return __edi;
                                    			}









                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.282202405.00007FF7A8A71000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF7A8A70000, based on PE: true
                                    • Associated: 00000005.00000002.282193308.00007FF7A8A70000.00000002.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282677117.00007FF7A8C32000.00000002.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282689759.00007FF7A8C3A000.00000002.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282700365.00007FF7A8C4A000.00000002.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282744839.00007FF7A8C85000.00000008.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282751860.00007FF7A8C8E000.00000008.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282767122.00007FF7A8C98000.00000002.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282780464.00007FF7A8CAA000.00000002.00000001.01000000.00000006.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_7ff7a8a70000_chrome.jbxd
                                    Similarity
                                    • API ID: AttributesErrorFileLast
                                    • String ID: ../../third_party/crashpad/crashpad/client/crash_report_database_win.cc$: not a directory$GetFileAttributes
                                    • API String ID: 1799206407-3496458271
                                    • Opcode ID: 685d0e9757be1f535de879fd51cb65f7c88cc6b97e520b4975de2544d575e8e3
                                    • Instruction ID: d022de35c9661a17270f7d9b7109addfe6c54bdab50abf1b46447225a232b3b8
                                    • Opcode Fuzzy Hash: 685d0e9757be1f535de879fd51cb65f7c88cc6b97e520b4975de2544d575e8e3
                                    • Instruction Fuzzy Hash: E351CA21B1E65241FB10FB11E4447BEE721EF85B80F854036EA8D47BE6DE2CE141DB29
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 100%
                                    			E00007FF77FF7A8A7A8D0(signed char* __rcx) {
                                    				signed int _v48;
                                    				signed char _t7;
                                    				void* _t11;
                                    				signed long long _t17;
                                    				signed char* _t28;
                                    				signed long long _t29;
                                    
                                    				_t28 = __rcx;
                                    				_t17 =  *0xa8c85028; // 0x2b992ddfa232
                                    				_t18 = _t17 ^ _t29;
                                    				_v48 = _t17 ^ _t29;
                                    				_t27 =  *0xa8c91770;
                                    				if ( *0xa8c91770 == 0) goto 0xa8a7a925;
                                    				if (E00007FF77FF7A8B44040(_t17 ^ _t29,  *0xa8c91770, 0xa8c65da3) != 0) goto 0xa8a7a955;
                                    				if (E00007FF77FF7A8B44040(_t17 ^ _t29, _t27, "vmodule") != 0) goto 0xa8a7a955;
                                    				_t7 =  *_t28;
                                    				 *0xa8c86f18 = _t7;
                                    				if ((_t7 & 0x00000001) != 0) goto 0xa8a7aa0b;
                                    				E00007FF77FF7A8B8A7E0(_t11, _t18, _v48 ^ _t29);
                                    				return 1;
                                    			}

                                    APIs
                                    • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF7A8A77DCD), ref: 00007FF7A8A7AA25
                                    • DeleteFileW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF7A8A77DCD), ref: 00007FF7A8A7AA8A
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.282202405.00007FF7A8A71000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF7A8A70000, based on PE: true
                                    • Associated: 00000005.00000002.282193308.00007FF7A8A70000.00000002.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282677117.00007FF7A8C32000.00000002.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282689759.00007FF7A8C3A000.00000002.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282700365.00007FF7A8C4A000.00000002.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282744839.00007FF7A8C85000.00000008.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282751860.00007FF7A8C8E000.00000008.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282767122.00007FF7A8C98000.00000002.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282780464.00007FF7A8CAA000.00000002.00000001.01000000.00000006.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_7ff7a8a70000_chrome.jbxd
                                    Similarity
                                    • API ID: CloseDeleteFileHandle
                                    • String ID: ../../third_party/crashpad/crashpad/client/settings.cc$Invalid file handle$vmodule
                                    • API String ID: 2633145722-2763209661
                                    • Opcode ID: 4438a789334b66df1ec7bc335ca1995e450d0e36913bd52fc927170b853eb188
                                    • Instruction ID: 6aba09bffa7f1cd85932c015449e130030dab268c282c53fb8b17111d3398d17
                                    • Opcode Fuzzy Hash: 4438a789334b66df1ec7bc335ca1995e450d0e36913bd52fc927170b853eb188
                                    • Instruction Fuzzy Hash: A1514F31A0BA0295FB10BB21E951775E3A0AF54BC0F9240B6E98D473B1EE3CF0558B68
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 62%
                                    			E00007FF77FF7A8B45850(long long* __rcx) {
                                    				void* _v64;
                                    				void* _v72;
                                    				signed long long _v80;
                                    				void* _t16;
                                    				signed long long _t23;
                                    				intOrPtr _t25;
                                    				signed long long _t26;
                                    				signed long long _t27;
                                    				void* _t28;
                                    				intOrPtr _t37;
                                    
                                    				_t23 =  *0xa8c85028; // 0x2b992ddfa232
                                    				_v64 = _t23 ^  &_v64;
                                    				if ( *0xa8c931b8 == 0) goto 0xa8b45946;
                                    				_v80 = 0xaaaaaaaa;
                                    				_t25 =  *0xa8c86fc0; // 0x7ff7a8aae330
                                    				if (_t25 != 0xa8b87090) goto 0xa8b459f4;
                                    				_v72 = 0;
                                    				QueryPerformanceCounter(??);
                                    				_t26 = _v72;
                                    				if (_t26 - 0x7bd05af6 > 0) goto 0xa8b45a0a;
                                    				_t27 = _t26 * 0xf4240;
                                    				asm("dec eax");
                                    				_v80 = _t27;
                                    				_t28 = _t27 -  *0xa8c93208;
                                    				if (_t28 - 0x3938701 >= 0) goto 0xa8b4599d;
                                    				_t37 =  *0xa8c931b8;
                                    				_t30 =  <  ? 0x00000000 ^ _t28 + _t37 >> 0x0000003f : _t28 + _t37;
                                    				 *__rcx =  <  ? 0x00000000 ^ _t28 + _t37 >> 0x0000003f : _t28 + _t37;
                                    				return E00007FF77FF7A8B8A7E0(_t16,  <  ? 0x00000000 ^ _t28 + _t37 >> 0x0000003f : _t28 + _t37, _v64 ^  &_v64);
                                    			}

                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.282202405.00007FF7A8A71000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF7A8A70000, based on PE: true
                                    • Associated: 00000005.00000002.282193308.00007FF7A8A70000.00000002.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282677117.00007FF7A8C32000.00000002.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282689759.00007FF7A8C3A000.00000002.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282700365.00007FF7A8C4A000.00000002.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282744839.00007FF7A8C85000.00000008.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282751860.00007FF7A8C8E000.00000008.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282767122.00007FF7A8C98000.00000002.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282780464.00007FF7A8CAA000.00000002.00000001.01000000.00000006.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_7ff7a8a70000_chrome.jbxd
                                    Similarity
                                    • API ID: Time$FileSystem$CounterPerformanceQuery
                                    • String ID: gfffffff$gfffffff
                                    • API String ID: 3444630516-161084747
                                    • Opcode ID: b68132005a3cfd701964ba0a6d4b9eff1ae86e2279abd6fdd21352c5feac6e68
                                    • Instruction ID: dd0973194fc3e1b67db687c980170c9522c8f979c80e57e38e36fef94569b771
                                    • Opcode Fuzzy Hash: b68132005a3cfd701964ba0a6d4b9eff1ae86e2279abd6fdd21352c5feac6e68
                                    • Instruction Fuzzy Hash: A4419F71A1AB4691EA40EB16F940629F3A1FB48B90F866071ED4E47774DF3CE046CB19
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 100%
                                    			E00007FF77FF7A8AC3CE0(intOrPtr* __rcx) {
                                    				signed int _v32;
                                    				intOrPtr _t4;
                                    				void* _t7;
                                    				long _t8;
                                    				signed long long _t14;
                                    				signed long long _t20;
                                    
                                    				_t14 =  *0xa8c85028; // 0x2b992ddfa232
                                    				_v32 = _t14 ^ _t20;
                                    				_t8 = GetCurrentThreadId();
                                    				_t4 =  *0xa8c93670;
                                    				if (_t4 == 0) goto 0xa8ac3d34;
                                    				if (_t8 == 0) goto 0xa8ac3d38;
                                    				if (_t4 != _t8) goto 0xa8ac3d38;
                                    				if ( *__rcx != 1) goto 0xa8ac3dea;
                                    				return E00007FF77FF7A8B8A7E0(_t7, _t14 ^ _t20, _v32 ^ _t20);
                                    			}

                                    APIs
                                    • GetCurrentThreadId.KERNEL32(?,?,?,?,-555555555555530E,00007FF7A8C00811), ref: 00007FF7A8AC3CF9
                                    • AcquireSRWLockExclusive.KERNEL32(?,?,?,?,-555555555555530E,00007FF7A8C00811), ref: 00007FF7A8AC3D63
                                    • _Init_thread_footer.LIBCMT ref: 00007FF7A8AC3DE0
                                    Strings
                                    • CHECK failed: (scc->visit_status.load(std::memory_order_relaxed)) == (SCCInfoBase::kRunning): , xrefs: 00007FF7A8AC3E09
                                    • ../../third_party/protobuf/src/google/protobuf/generated_message_util.cc, xrefs: 00007FF7A8AC3DEA
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.282202405.00007FF7A8A71000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF7A8A70000, based on PE: true
                                    • Associated: 00000005.00000002.282193308.00007FF7A8A70000.00000002.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282677117.00007FF7A8C32000.00000002.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282689759.00007FF7A8C3A000.00000002.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282700365.00007FF7A8C4A000.00000002.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282744839.00007FF7A8C85000.00000008.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282751860.00007FF7A8C8E000.00000008.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282767122.00007FF7A8C98000.00000002.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282780464.00007FF7A8CAA000.00000002.00000001.01000000.00000006.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_7ff7a8a70000_chrome.jbxd
                                    Similarity
                                    • API ID: AcquireCurrentExclusiveInit_thread_footerLockThread
                                    • String ID: ../../third_party/protobuf/src/google/protobuf/generated_message_util.cc$CHECK failed: (scc->visit_status.load(std::memory_order_relaxed)) == (SCCInfoBase::kRunning):
                                    • API String ID: 3606377367-2889724117
                                    • Opcode ID: 42803a43b0f5231d8a8d126c0c57830c027f814d9f09ce6799e751bef2539269
                                    • Instruction ID: 0bfd24f81051302eb4188dcb90a1ff22c6f79703666809fbf4f30f2dd9f62685
                                    • Opcode Fuzzy Hash: 42803a43b0f5231d8a8d126c0c57830c027f814d9f09ce6799e751bef2539269
                                    • Instruction Fuzzy Hash: 07315061E0F64286FA11FB25E850675E360AF94B94FD211B1D80D423B5EF3CF8868B38
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 68%
                                    			E00007FF77FF7A8A790A0(void* __esi, void* __rcx, signed int _a400) {
                                    				signed int _v24;
                                    				void* _t10;
                                    				signed long long _t17;
                                    				signed long long _t29;
                                    
                                    				_t17 =  *0xa8c85028; // 0x2b992ddfa232
                                    				_v24 = _t17 ^ _t29;
                                    				if ( *((char*)(__rcx + 0x17)) >= 0) goto 0xa8a790c7;
                                    				if (CreateDirectoryW(??, ??) != 0) goto 0xa8a79101;
                                    				if (GetLastError() != 0xb7) goto 0xa8a79120;
                                    				E00007FF77FF7A8B8A7E0(_t10, _t17 ^ _t29, _v24 ^ _t29);
                                    				goto E00007FF77FF7A8A79280;
                                    				sil = 1;
                                    				E00007FF77FF7A8B8A7E0(_t10, _t17 ^ _t29, _a400 ^ _t29 + 0x00000198);
                                    				return __esi;
                                    			}

                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.282202405.00007FF7A8A71000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF7A8A70000, based on PE: true
                                    • Associated: 00000005.00000002.282193308.00007FF7A8A70000.00000002.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282677117.00007FF7A8C32000.00000002.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282689759.00007FF7A8C3A000.00000002.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282700365.00007FF7A8C4A000.00000002.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282744839.00007FF7A8C85000.00000008.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282751860.00007FF7A8C8E000.00000008.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282767122.00007FF7A8C98000.00000002.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282780464.00007FF7A8CAA000.00000002.00000001.01000000.00000006.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_7ff7a8a70000_chrome.jbxd
                                    Similarity
                                    • API ID: CreateDirectoryErrorLast
                                    • String ID: ../../third_party/crashpad/crashpad/client/crash_report_database_win.cc$CreateDirectory
                                    • API String ID: 1375471231-4140125794
                                    • Opcode ID: 7efe45de573c656a676344c61f6d1650fde3f819dc371b9fede981748974cc29
                                    • Instruction ID: 1ba608d696b84ae816874a69dd45b6bf00ffa8a0b80ed646c6862070b41e7757
                                    • Opcode Fuzzy Hash: 7efe45de573c656a676344c61f6d1650fde3f819dc371b9fede981748974cc29
                                    • Instruction Fuzzy Hash: 3E310A21B0E59285FB60FB11F4547BEE720EF84B80F854036EA8E477A5DE2CE0419B28
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.282202405.00007FF7A8A71000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF7A8A70000, based on PE: true
                                    • Associated: 00000005.00000002.282193308.00007FF7A8A70000.00000002.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282677117.00007FF7A8C32000.00000002.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282689759.00007FF7A8C3A000.00000002.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282700365.00007FF7A8C4A000.00000002.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282744839.00007FF7A8C85000.00000008.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282751860.00007FF7A8C8E000.00000008.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282767122.00007FF7A8C98000.00000002.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282780464.00007FF7A8CAA000.00000002.00000001.01000000.00000006.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_7ff7a8a70000_chrome.jbxd
                                    Similarity
                                    • API ID: ErrorLast$FileLock
                                    • String ID: ../../third_party/crashpad/crashpad/util/file/file_io_win.cc$LockFileEx
                                    • API String ID: 3337302902-1251665049
                                    • Opcode ID: f30c641fc74af63e8be23fbe44e9cc0a1138d038451e6d5aab37bd4ac843d64c
                                    • Instruction ID: 7cc113fbc075bf2c7ee56a487d668075d2c16c3948b892f70c2237e5f812f917
                                    • Opcode Fuzzy Hash: f30c641fc74af63e8be23fbe44e9cc0a1138d038451e6d5aab37bd4ac843d64c
                                    • Instruction Fuzzy Hash: 5C21E731E1A65285F720BB25E402BFAE360BF45790F8A5232D94D477F1EE2CD5418B68
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 34%
                                    			E00007FF77FF7A8B8807C(void* __edx, intOrPtr* __rax, long long __rbx, void* __rcx, long long __rsi, void* __r8, void* __r9, long long _a8, long long _a16, char _a24, intOrPtr _a40) {
                                    				long long _v16;
                                    				intOrPtr _v24;
                                    				int _t20;
                                    				intOrPtr* _t31;
                                    				long long _t32;
                                    				intOrPtr* _t35;
                                    
                                    				_t31 = __rax;
                                    				_a8 = __rbx;
                                    				_a16 = __rsi;
                                    				if (__r8 != 0) goto 0xa8b880ac;
                                    				E00007FF77FF7A8B8828C(__rax);
                                    				 *__rax = 0x16;
                                    				E00007FF77FF7A8B9AF38();
                                    				goto 0xa8b8812c;
                                    				E00007FF77FF7A8B96D8C(__rax, __rbx, __r8, __r9, __rcx, __r8);
                                    				_t35 = _t31;
                                    				if (_t31 == 0) goto 0xa8b880fc;
                                    				_t3 =  &_a24; // 0x59682f000000e971
                                    				_t32 = _t3;
                                    				_v16 = _t32;
                                    				_v24 = _a40;
                                    				CreateThread(??, ??, ??, ??, ??, ??);
                                    				if (_t32 != 0) goto 0xa8b8813c;
                                    				E00007FF77FF7A8B99CB0(GetLastError(), _t32, _t35);
                                    				if (_t35 == 0) goto 0xa8b88129;
                                    				if ( *((intOrPtr*)(_t35 + 0x10)) == 0) goto 0xa8b88112;
                                    				CloseHandle(??);
                                    				if ( *((intOrPtr*)(_t35 + 0x18)) == 0) goto 0xa8b88121;
                                    				_t20 = FreeLibrary(??);
                                    				E00007FF77FF7A8B69A50();
                                    				return _t20;
                                    			}

                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.282202405.00007FF7A8A71000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF7A8A70000, based on PE: true
                                    • Associated: 00000005.00000002.282193308.00007FF7A8A70000.00000002.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282677117.00007FF7A8C32000.00000002.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282689759.00007FF7A8C3A000.00000002.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282700365.00007FF7A8C4A000.00000002.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282744839.00007FF7A8C85000.00000008.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282751860.00007FF7A8C8E000.00000008.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282767122.00007FF7A8C98000.00000002.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282780464.00007FF7A8CAA000.00000002.00000001.01000000.00000006.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_7ff7a8a70000_chrome.jbxd
                                    Similarity
                                    • API ID: CloseCreateErrorFreeHandleLastLibraryThread_invalid_parameter_noinfo
                                    • String ID:
                                    • API String ID: 2067211477-0
                                    • Opcode ID: 3e9cb9f6cefd90764a21f793a14bfa847506eb625ef47dfd2a0192ba45a8c645
                                    • Instruction ID: 223b369aa9776d8ce3d2ebf562aefeecd46618ecb46f5bf9ced1a783e0ff1879
                                    • Opcode Fuzzy Hash: 3e9cb9f6cefd90764a21f793a14bfa847506eb625ef47dfd2a0192ba45a8c645
                                    • Instruction Fuzzy Hash: 8F216225A0B74287EE55FB65A81017AF2A0AF88B81F864435DE4D477B5DF3CE4108A68
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 78%
                                    			E00007FF77FF7A8BFABB0(void* __edi, void* __rcx, void* __rdx, void* __r8, void* __r9) {
                                    				signed int _v32;
                                    				char _v552;
                                    				char _v856;
                                    				char _v872;
                                    				char _v888;
                                    				long _v904;
                                    				void* _t10;
                                    				long _t12;
                                    				void* _t15;
                                    				void* _t20;
                                    				signed long long _t35;
                                    				signed long long _t36;
                                    				long long* _t37;
                                    				long long _t55;
                                    				signed long long _t59;
                                    				void* _t61;
                                    
                                    				_t61 = __r9;
                                    				_t60 = __r8;
                                    				_t35 =  *0xa8c85028; // 0x2b992ddfa232
                                    				_t36 = _t35 ^ _t59;
                                    				_v32 = _t36;
                                    				_t2 =  &_v552; // -6148914691236516910
                                    				_t55 = _t2;
                                    				r8d = 0x208;
                                    				E00007FF77FF7A8B8CA20(_t10, 0xaa, _t55, __rdx, __r8);
                                    				r8d = 0x104;
                                    				_t12 = GetModuleFileNameW(??, ??, ??);
                                    				if (_t12 == 0) goto 0xa8bfac43;
                                    				if (_t12 - 0x104 >= 0) goto 0xa8bfac9b;
                                    				_t3 =  &_v888; // -6148914691236517246
                                    				_t37 = _t3;
                                    				 *_t37 = _t55;
                                    				0xa8b88650();
                                    				 *(_t37 + 8) = _t36;
                                    				_t5 =  &_v872; // -6148914691236517230
                                    				_t15 = E00007FF77FF7A8B761D0(E00007FF77FF7A8B78680(E00007FF77FF7A8B761E0(_t36, _t5, _t37), __rcx, _t5), _t5);
                                    				sil = 1;
                                    				goto 0xa8bfacab;
                                    				if (E00007FF77FF7A8B44A10(_t15, 2, 0xaa) == 0) goto 0xa8bfaca9;
                                    				_v904 = GetLastError();
                                    				_t7 =  &_v872; // -6148914691236517230
                                    				r8d = 0x1f;
                                    				r9d = 2;
                                    				E00007FF77FF7A8BDA2C0(2, _t7, "../../third_party/crashpad/crashpad/util/misc/paths_win.cc", _t60);
                                    				_t8 =  &_v856; // -6148914691236517214
                                    				r8d = 0x11;
                                    				E00007FF77FF7A8BBD690(_t8);
                                    				_t20 = E00007FF77FF7A8BDA340(2, E00007FF77FF7A8B44A10(_t15, 2, 0xaa), _t7, _t60, _t61);
                                    				goto 0xa8bfaca9;
                                    				if (E00007FF77FF7A8B44A10(_t20, 2, 0xaa) != 0) goto 0xa8bfacc8;
                                    				E00007FF77FF7A8B8A7E0(2, _t36, _v32 ^ _t59);
                                    				return 0;
                                    			}

                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.282202405.00007FF7A8A71000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF7A8A70000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_7ff7a8a70000_chrome.jbxd
                                    Similarity
                                    • API ID: ErrorFileLastModuleName
                                    • String ID: ../../third_party/crashpad/crashpad/util/misc/paths_win.cc$GetModuleFileName
                                    • API String ID: 2776309574-3182889293
                                    • Opcode ID: c04a907a786b8e8d1a132889aa5765668111720229e996a661ec4168a0701d41
                                    • Instruction ID: 1a800f0c4ba10daed120e5ea540e06f79369c3f6f3da87569ca3400f163d4f95
                                    • Opcode Fuzzy Hash: c04a907a786b8e8d1a132889aa5765668111720229e996a661ec4168a0701d41
                                    • Instruction Fuzzy Hash: 5231F521B1E61341FA14BB11E8513FAE315AF85BC4FC21036ED4E07BE6CE5CE6068B29
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 32%
                                    			E00007FF77FF7A8A7A480(signed int __edx, void* __rcx) {
                                    				signed int _v32;
                                    				long long _v408;
                                    				intOrPtr _v416;
                                    				intOrPtr _v424;
                                    				signed long long _t22;
                                    				signed long long _t34;
                                    
                                    				_t22 =  *0xa8c85028; // 0x2b992ddfa232
                                    				_v32 = _t22 ^ _t34;
                                    				if (__edx - 3 > 0) goto 0xa8a7a4b3;
                                    				if ( *((char*)(__rcx + 0x17)) >= 0) goto 0xa8a7a4bf;
                                    				_v424 =  *((intOrPtr*)(0xa8c71264 + __edx * 4));
                                    				_v408 = 0;
                                    				_v416 = 0x80;
                                    				r8d = 3;
                                    				r9d = 0;
                                    				if (E00007FF77FF7A8B44A10(CreateFileW(??, ??, ??, ??, ??, ??, ??), 2, 0xc0000000) == 0) goto 0xa8a7a4ff;
                                    				if (__edx == 0xffffffff) goto 0xa8a7a51d;
                                    				return E00007FF77FF7A8B8A7E0(2, __edx, _v32 ^ _t34);
                                    			}

                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.282202405.00007FF7A8A71000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF7A8A70000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_7ff7a8a70000_chrome.jbxd
                                    Similarity
                                    • API ID: CreateErrorFileLast
                                    • String ID: ../../third_party/crashpad/crashpad/util/file/file_io_win.cc$CreateFile
                                    • API String ID: 1214770103-2196637939
                                    • Opcode ID: 1a977291b9f7a1f85fe0cb32e46d6482f184ddefa58ebc9aeb27d954f80993b2
                                    • Instruction ID: c59d53454b8f9b0c38014e810b450960815037508581ed2fb59bdf90827edc3d
                                    • Opcode Fuzzy Hash: 1a977291b9f7a1f85fe0cb32e46d6482f184ddefa58ebc9aeb27d954f80993b2
                                    • Instruction Fuzzy Hash: DD310232B0E68191FB10EB21E5507BAF761EB89B90F850135DA8D87BE5EF2CE0458F54
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 32%
                                    			E00007FF77FF7A8C11C00(void* __rcx, void* __rdx) {
                                    				signed int _v32;
                                    				long long _v408;
                                    				intOrPtr _v416;
                                    				intOrPtr _v424;
                                    				signed long long _t16;
                                    				signed long long _t17;
                                    				signed long long _t26;
                                    
                                    				_t16 =  *0xa8c85028; // 0x2b992ddfa232
                                    				_t17 = _t16 ^ _t26;
                                    				_v32 = _t17;
                                    				if ( *((char*)(__rcx + 0x17)) >= 0) goto 0xa8c11c28;
                                    				_v408 = 0;
                                    				_v416 = 0;
                                    				_v424 = 3;
                                    				r8d = 3;
                                    				r9d = 0;
                                    				if (E00007FF77FF7A8B44A10(CreateFileW(??, ??, ??, ??, ??, ??, ??), 2, 0x80000000) == 0) goto 0xa8c11c6c;
                                    				if (_t17 == 0xffffffff) goto 0xa8c11c8a;
                                    				return E00007FF77FF7A8B8A7E0(2, _t17, _v32 ^ _t26);
                                    			}

                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.282202405.00007FF7A8A71000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF7A8A70000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_7ff7a8a70000_chrome.jbxd
                                    Similarity
                                    • API ID: CreateErrorFileLast
                                    • String ID: ../../third_party/crashpad/crashpad/util/file/file_io_win.cc$CreateFile
                                    • API String ID: 1214770103-2196637939
                                    • Opcode ID: 5e512663dd4e5637101cf7ecf0ceb03a77ab0fb1212e10fcf45af1706c25ec94
                                    • Instruction ID: 6e31ac831cb376e0e6d61818e42e498a4eb7a6fc72ef6674a22998997c9d63d0
                                    • Opcode Fuzzy Hash: 5e512663dd4e5637101cf7ecf0ceb03a77ab0fb1212e10fcf45af1706c25ec94
                                    • Instruction Fuzzy Hash: CF31F331B0E64181FB10BB11E5503BAE760EB89BA0F811136EA8D07BE5CF6CE155CB18
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.282202405.00007FF7A8A71000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF7A8A70000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_7ff7a8a70000_chrome.jbxd
                                    Similarity
                                    • API ID: ErrorFileLastUnlock
                                    • String ID: ../../third_party/crashpad/crashpad/util/file/file_io_win.cc$UnlockFileEx
                                    • API String ID: 3655728120-3846138344
                                    • Opcode ID: 0f461ad060ddd836c1f119df55c090ba4e3b4a4532941b252391302eeb9805fb
                                    • Instruction ID: 17c9804a5769ad99b2657960713b0f21d3e75d2e6820585a2d18cfacd2321dd5
                                    • Opcode Fuzzy Hash: 0f461ad060ddd836c1f119df55c090ba4e3b4a4532941b252391302eeb9805fb
                                    • Instruction Fuzzy Hash: 6C11EB32B1EA4281F620BB25B4017F6D351AF857A0F865331ED4D477E1EE2CD1458B28
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 68%
                                    			E00007FF77FF7A8A7ACD0(void* __eflags, void* __rcx) {
                                    				signed int _v24;
                                    				int _t4;
                                    				void* _t7;
                                    				signed long long _t14;
                                    				signed long long _t15;
                                    				signed long long _t21;
                                    
                                    				_t14 =  *0xa8c85028; // 0x2b992ddfa232
                                    				_t15 = _t14 ^ _t21;
                                    				_v24 = _t15;
                                    				r8d = 0;
                                    				E00007FF77FF7A8A79900();
                                    				if (_t15 != 0) goto 0xa8a7ad0f;
                                    				_t4 = SetEndOfFile(??);
                                    				sil = 1;
                                    				if (_t4 == 0) goto 0xa8a7ad2b;
                                    				E00007FF77FF7A8B8A7E0(_t7, _t15, _v24 ^ _t21);
                                    				return 0;
                                    			}

                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.282202405.00007FF7A8A71000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF7A8A70000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_7ff7a8a70000_chrome.jbxd
                                    Similarity
                                    • API ID: File$ErrorLastPointer
                                    • String ID: ../../third_party/crashpad/crashpad/util/file/file_io_win.cc$SetEndOfFile
                                    • API String ID: 841452515-591553600
                                    • Opcode ID: e3505e357fa504547c6335524412482bb61800f798933f61dabcc6372e1eea6e
                                    • Instruction ID: 92b21ef01bdf3086b40b580377a39b8a3de0aa9580a44b2001f840a24ea74525
                                    • Opcode Fuzzy Hash: e3505e357fa504547c6335524412482bb61800f798933f61dabcc6372e1eea6e
                                    • Instruction Fuzzy Hash: 9C11E521F0F55291FA20BB21A4517FAD261AF89B81FC24035DD4E477E2EE1CE0029F28
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 28%
                                    			E00007FF77FF7A8A79900() {
                                    				signed int _v24;
                                    				long long _v32;
                                    				void* _t7;
                                    				signed long long _t12;
                                    				signed long long _t19;
                                    
                                    				_t12 =  *0xa8c85028; // 0x2b992ddfa232
                                    				r9d = 0;
                                    				r9b = r8d == 1;
                                    				r9d =  ==  ? r8d : r9d;
                                    				_v24 = _t12 ^ _t19;
                                    				_v32 = 0xaaaaaaaa;
                                    				if (SetFilePointerEx(??, ??, ??, ??) == 0) goto 0xa8a79972;
                                    				return E00007FF77FF7A8B8A7E0(_t7, 0xaaaaaaaa, _v24 ^ _t19);
                                    			}

                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.282202405.00007FF7A8A71000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF7A8A70000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_7ff7a8a70000_chrome.jbxd
                                    Similarity
                                    • API ID: ErrorFileLastPointer
                                    • String ID: ../../third_party/crashpad/crashpad/util/file/file_io_win.cc$SetFilePointerEx
                                    • API String ID: 2976181284-2639227240
                                    • Opcode ID: 417f2883d7ec63928e4879917ef830ffb1fd74ea23a3c521cd452c09672dc6d1
                                    • Instruction ID: a3b4c4a4033d21ec0e1e6c5131b2cc90de994585f4cab2d74c7000e199bf39fb
                                    • Opcode Fuzzy Hash: 417f2883d7ec63928e4879917ef830ffb1fd74ea23a3c521cd452c09672dc6d1
                                    • Instruction Fuzzy Hash: FA11C431B0E64280FB60AB21A501BFAE3A0AB457A0FC51235DD5D47BF1DE2CD1459F24
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 54%
                                    			E00007FF77FF7A8ABA1B0(char* __rcx, void* __rdx) {
                                    				signed int _v32;
                                    				long long _v40;
                                    				long _t9;
                                    				void* _t10;
                                    				long _t12;
                                    				signed long long _t27;
                                    				long long _t30;
                                    				signed long long _t37;
                                    
                                    				_t27 =  *0xa8c85028; // 0x2b992ddfa232
                                    				_v32 = _t27 ^ _t37;
                                    				_v40 = 0;
                                    				if (r8b != 0) goto 0xa8aba273;
                                    				if ( *0xa8c8e7b0() == 0) goto 0xa8aba2e1;
                                    				_t30 = _v40;
                                    				if (_t30 == 0) goto 0xa8aba26b;
                                    				_t9 = GetLastError();
                                    				if (_t30 == 0xffffffff) goto 0xa8aba26f;
                                    				_t10 = E00007FF77FF7A8B42830(_t9);
                                    				SetLastError(??);
                                    				 *__rcx = 1;
                                    				 *((long long*)(__rcx + 8)) = 0;
                                    				if (_t30 == 0) goto 0xa8aba253;
                                    				if (_t30 == 0xffffffff) goto 0xa8aba2e9;
                                    				E00007FF77FF7A8B42830(_t10);
                                    				_t12 = GetLastError();
                                    				 *((long long*)(__rcx + 8)) = _t30;
                                    				E00007FF77FF7A8B42830(_t12);
                                    				SetLastError(??);
                                    				return E00007FF77FF7A8B8A7E0(_t12, _t27 ^ _t37, _v32 ^ _t37);
                                    			}

                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.282202405.00007FF7A8A71000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF7A8A70000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_7ff7a8a70000_chrome.jbxd
                                    Similarity
                                    • API ID: ErrorLast
                                    • String ID:
                                    • API String ID: 1452528299-0
                                    • Opcode ID: b2e98cc8ca44d3e024951dedb6dbbad1a9abdf644d34abae2901383d60e55403
                                    • Instruction ID: e9e3ea34cbf7faa1ec7801f3590b62ff5b2c0886d3681d0403b59af331faf294
                                    • Opcode Fuzzy Hash: b2e98cc8ca44d3e024951dedb6dbbad1a9abdf644d34abae2901383d60e55403
                                    • Instruction Fuzzy Hash: A741CA21A1FA4241FB50BB60E445B7EE350AF847A0F8A4270DA5E033F5EE3DF845C629
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 37%
                                    			E00007FF77FF7A8B42530(long long __rdx) {
                                    				signed int _v40;
                                    				long long _v48;
                                    				signed long long _v56;
                                    				signed long long _v96;
                                    				void* _v104;
                                    				long long _v120;
                                    				signed long long _v136;
                                    				void* _t33;
                                    				void* _t41;
                                    				void* _t54;
                                    				void* _t56;
                                    				void* _t57;
                                    				intOrPtr _t58;
                                    				signed long long _t60;
                                    				signed long long _t68;
                                    				signed long long _t69;
                                    				signed long long _t70;
                                    				signed long long _t72;
                                    				signed long long _t79;
                                    				signed long long _t95;
                                    				intOrPtr _t96;
                                    				signed long long _t98;
                                    
                                    				_t60 =  *0xa8c85028; // 0x2b992ddfa232
                                    				_v40 = _t60 ^ _t98;
                                    				_v120 = 0xaaaaaaaa;
                                    				asm("movaps xmm0, [0x11e2c9]");
                                    				asm("movaps [esp+0x30], xmm0");
                                    				E00007FF77FF7A8B42830(_t33);
                                    				_v104 =  *((intOrPtr*)(__rdx + 0x68));
                                    				if ( *0xa8c936a8 != 0) goto 0xa8b427d5;
                                    				_t54 = (0x00000000 & _t95) -  *0xa8c86f88; // 0xffffffffffffffff
                                    				if (_t54 == 0) goto 0xa8b427e2;
                                    				_v136 = _t95;
                                    				if (_t95 != 0) goto 0xa8b427ef;
                                    				_v120 = 0;
                                    				_v104 = 0xd017d00d;
                                    				_v48 = 0x1d178119;
                                    				_t68 =  *((intOrPtr*)(__rdx + 0x20));
                                    				_v96 = _t68;
                                    				asm("movups xmm0, [esi+0x38]");
                                    				asm("movups xmm1, [esi+0x48]");
                                    				asm("movups [esp+0x60], xmm0");
                                    				asm("movups [esp+0x70], xmm1");
                                    				_v56 = _t68;
                                    				E00007FF77FF7A8B42820( *((intOrPtr*)(__rdx + 0x58)));
                                    				_t56 =  *0xa8c978b0 -  *((intOrPtr*)( *((intOrPtr*)( *[gs:0x58] +  &_v104 * 8)) + 4));
                                    				if (_t56 > 0) goto 0xa8b42765;
                                    				TlsGetValue(??);
                                    				_t69 = _t68 & 0xfffffffc;
                                    				if (_t56 == 0) goto 0xa8b427ce;
                                    				_t79 =  *0xa8c978a8 << 4;
                                    				_t57 =  *((intOrPtr*)(_t69 + _t79 + 8)) -  *0xa8c978ac;
                                    				if (_t57 != 0) goto 0xa8b427ce;
                                    				TlsGetValue(??);
                                    				_t70 = _t69 & 0xfffffffc;
                                    				if (_t57 == 0) goto 0xa8b427a8;
                                    				 *((long long*)(_t70 + ( *0xa8c978a8 << 4))) = __rdx;
                                    				 *((intOrPtr*)(_t70 + ( *0xa8c978a8 << 4) + 8)) =  *0xa8c978ac;
                                    				_t96 =  *((intOrPtr*)(__rdx));
                                    				 *((long long*)(__rdx)) = 0;
                                    				 *0xa8ca6010();
                                    				_t58 = _t96;
                                    				if (_t58 != 0) goto 0xa8b4274a;
                                    				_t41 = TlsGetValue(??);
                                    				_t72 =  *(_t96 + 8) & 0xfffffffc;
                                    				if (_t58 == 0) goto 0xa8b427bb;
                                    				 *((long long*)(_t72 + ( *0xa8c978a8 << 4))) =  *((intOrPtr*)(_t69 + _t79));
                                    				 *((intOrPtr*)(_t72 + ( *0xa8c978a8 << 4) + 8)) =  *0xa8c978ac;
                                    				_v104 = 0;
                                    				_v48 = 0;
                                    				E00007FF77FF7A8B42840(E00007FF77FF7A8B42820(_t41),  &_v136);
                                    				return E00007FF77FF7A8B8A7E0( *0xa8c978ac, _t72, _v40 ^ _t98);
                                    			}

                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.282202405.00007FF7A8A71000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF7A8A70000, based on PE: true
                                    • Associated: 00000005.00000002.282193308.00007FF7A8A70000.00000002.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282677117.00007FF7A8C32000.00000002.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282689759.00007FF7A8C3A000.00000002.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282700365.00007FF7A8C4A000.00000002.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282744839.00007FF7A8C85000.00000008.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282751860.00007FF7A8C8E000.00000008.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282767122.00007FF7A8C98000.00000002.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282780464.00007FF7A8CAA000.00000002.00000001.01000000.00000006.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_7ff7a8a70000_chrome.jbxd
                                    Similarity
                                    • API ID: Value$Init_thread_footer
                                    • String ID:
                                    • API String ID: 707193494-0
                                    • Opcode ID: a3b324d4dd461a296630e4039cc3937a10febaf50cda0ca7e63befc101e4df93
                                    • Instruction ID: fe3776adbfa9f7f3ea19befc7c74e84322a72c533ef0a8f933ffd6c3b4f37af2
                                    • Opcode Fuzzy Hash: a3b324d4dd461a296630e4039cc3937a10febaf50cda0ca7e63befc101e4df93
                                    • Instruction Fuzzy Hash: 7A71B135A0BA8186EA10EB15E841379F3A1FF84761F864275DA5E037B4DF3CE441DB28
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    Similarity
                                    • API ID: ExclusiveLock$AcquireRelease
                                    • String ID:
                                    • API String ID: 17069307-0
                                    • Opcode ID: 35bce4dc91131df29fbc7016c54f79a002347710a50ebc8934e51852237b0442
                                    • Instruction ID: 9768ab895ee368641efbfea13d8296beca37f33c0f816820b3f6ec86ea6826f2
                                    • Opcode Fuzzy Hash: 35bce4dc91131df29fbc7016c54f79a002347710a50ebc8934e51852237b0442
                                    • Instruction Fuzzy Hash: A641B632F1B64A81FE58A641D519BB9D216AB107E6FC65431CE0E077A4FEBCA085C33C
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 37%
                                    			E00007FF77FF7A8A862D0(signed int __rcx) {
                                    				signed int _v24;
                                    				char _v40;
                                    				intOrPtr _t13;
                                    				intOrPtr _t17;
                                    				signed long long _t23;
                                    				signed long long _t28;
                                    				intOrPtr* _t38;
                                    				signed long long _t42;
                                    
                                    				_t23 =  *0xa8c85028; // 0x2b992ddfa232
                                    				_v24 = _t23 ^ _t42;
                                    				_t28 =  *((intOrPtr*)( *[gs:0x58] + __rcx * 8));
                                    				if ( *0xa8c917e0 -  *((intOrPtr*)(_t28 + 4)) > 0) goto 0xa8a86395;
                                    				_t13 =  *0xa8c917f0;
                                    				_t17 =  *0xa8c8eb14; // 0x0
                                    				if (_t13 -  *((intOrPtr*)( *((intOrPtr*)( *[gs:0x58] + _t28 * 8)) + 4)) > 0) goto 0xa8a863d7;
                                    				__imp__TryAcquireSRWLockExclusive();
                                    				if (_t13 == 0) goto 0xa8a8640c;
                                    				_t38 =  &_v40;
                                    				E00007FF77FF7A8B5D750(0xa8c917c8, _t38, __rcx, __rcx);
                                    				if ( *((char*)( *_t38 + 0x37)) >= 0) goto 0xa8a86371;
                                    				__imp__ReleaseSRWLockExclusive();
                                    				return E00007FF77FF7A8B8A7E0(_t17,  *_t38, _v24 ^ _t42);
                                    			}

                                    APIs
                                    Similarity
                                    • API ID: ExclusiveInit_thread_footerLock$AcquireCriticalEnterReleaseSection
                                    • String ID:
                                    • API String ID: 3934407881-0
                                    • Opcode ID: ba0b1ba657fa26a7338d3fb7ef26cbc833b1268470a15dfa8b744b4c72746ce1
                                    • Instruction ID: 3518fa07f7312b57b71bcb9e6cd0120f45f07ac70cf90c036a23727547df2482
                                    • Opcode Fuzzy Hash: ba0b1ba657fa26a7338d3fb7ef26cbc833b1268470a15dfa8b744b4c72746ce1
                                    • Instruction Fuzzy Hash: D1310A30A1A64385FA00FB21E895674F3A0FF44795FC212B6E98D432B4EF2CA455CB29
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 100%
                                    			E00007FF77FF7A8A91E50() {
                                    				signed int _v40;
                                    				void* _t3;
                                    				void* _t7;
                                    				void* _t8;
                                    				signed long long _t14;
                                    				void* _t17;
                                    				signed long long _t22;
                                    				signed long long _t26;
                                    				signed long long _t28;
                                    
                                    				_t14 =  *0xa8c85028; // 0x2b992ddfa232
                                    				_v40 = _t14 ^ _t28;
                                    				E00007FF77FF7A8A91F70(E00007FF77FF7A8A91F70(_t3));
                                    				if ( *0xa8c961c5 != 1) goto 0xa8a91ed8;
                                    				_t19 =  ==  ? 0xffff0000 : 0xffff0000;
                                    				_t24 = (_t22 | _t26 << 0x00000020) & ( ==  ? 0xffff0000 : 0xffff0000);
                                    				_t25 = ((_t22 | _t26 << 0x00000020) & ( ==  ? 0xffff0000 : 0xffff0000)) - 0x80000000;
                                    				_t7 = E00007FF77FF7A8B8A7E0(_t8, 0xffff0000, _v40 ^ _t28);
                                    				_t17 = ((_t22 | _t26 << 0x00000020) & ( ==  ? 0xffff0000 : 0xffff0000)) - 0x80000000;
                                    				return _t7;
                                    			}

                                    APIs
                                    Similarity
                                    • API ID: ConditionMask$ExclusiveLock$AcquireInfoReleaseVerifyVersion
                                    • String ID:
                                    • API String ID: 2002708333-0
                                    • Opcode ID: 1f3413b221c70ebc5cfd4231bd266730386394fac98465d206f7a669135f425e
                                    • Instruction ID: 25545fb76cf0fb275ce72247c6fb69757158769fd8f1e3ec5ebe6ffa0a457d8f
                                    • Opcode Fuzzy Hash: 1f3413b221c70ebc5cfd4231bd266730386394fac98465d206f7a669135f425e
                                    • Instruction Fuzzy Hash: 3D210831B0E24541FB10E771B8147FAE690AF887A4F860174DD6C4B7E9EE3DD4464B18
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 82%
                                    			E00007FF77FF7A8AA1710(signed int __ebx) {
                                    				signed int _v32;
                                    				void* _t12;
                                    				int _t13;
                                    				signed long long _t18;
                                    				signed long long _t22;
                                    
                                    				_t18 =  *0xa8c85028; // 0x2b992ddfa232
                                    				_v32 = _t18 ^ _t22;
                                    				_t13 = CloseHandle(??);
                                    				if (E00007FF77FF7A8B44A10(_t5, 2, _t12) == 0) goto 0xa8aa1746;
                                    				if (_t13 == 0) goto 0xa8aa1768;
                                    				E00007FF77FF7A8B8A7E0(2, _t18 ^ _t22, _v32 ^ _t22);
                                    				return __ebx & 0xffffff00 | _t13 != 0x00000000;
                                    			}

                                    APIs
                                    Strings
                                    Similarity
                                    • API ID: CloseErrorHandleLast
                                    • String ID: ../../third_party/crashpad/crashpad/util/file/file_io_win.cc$CloseHandle
                                    • API String ID: 918212764-1576210609
                                    • Opcode ID: 92667be90bca3e92099026d306ce524094528178de2cf8a4f9b0e3e1021a712a
                                    • Instruction ID: 4b254bb97636dd436feaa4e867f6906cf9c57970822e6bf1edbb5282eed46b09
                                    • Opcode Fuzzy Hash: 92667be90bca3e92099026d306ce524094528178de2cf8a4f9b0e3e1021a712a
                                    • Instruction Fuzzy Hash: FB019221F0F61291F620B710E9017FAE7519F44790FC61135EC8E0B6B5DE1CE5458A68
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • GetCurrentProcessId.KERNEL32(?,?,?,?,?,toplevel.flow,00007FF7A8B6CDE3,?,?,?,?,?,00007FF7A8B424D3), ref: 00007FF7A8A939B5
                                    Strings
                                    Similarity
                                    • API ID: CurrentProcess
                                    • String ID: TraceLog$toplevel.flow
                                    • API String ID: 2050909247-1791373173
                                    • Opcode ID: 48570c70bc1c64c53b7f248b644543c9c5e5ab7971167df465b120c2f9eb7f6d
                                    • Instruction ID: 4833640b9760663a578ae1476132f951a326ad88bc06b5237bf846f1b101a733
                                    • Opcode Fuzzy Hash: 48570c70bc1c64c53b7f248b644543c9c5e5ab7971167df465b120c2f9eb7f6d
                                    • Instruction Fuzzy Hash: 0D617223D1E7C087E7559B1898443FAB360F769B48F666339EA8E06271DF39A1D3C204
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 62%
                                    			E00007FF77FF7A8B6A180(signed int __edx, intOrPtr* __rcx) {
                                    				void* _t36;
                                    				void* _t39;
                                    				intOrPtr _t61;
                                    				void* _t62;
                                    				void* _t65;
                                    
                                    				asm("movaps [ebp-0x10], xmm6");
                                    				 *((long long*)(_t65 + 0x40 - 0x18)) = 0xfffffffe;
                                    				r12d = __edx;
                                    				_t39 = r8d;
                                    				if (_t39 == 0) goto 0xa8b6a387;
                                    				 *((long long*)(__rcx)) = 0xa8c60ca4;
                                    				 *((long long*)(__rcx + 0x70)) = 0xa8c5da48;
                                    				 *((long long*)(__rcx +  *0x7FF7A8C60CA8)) = 0xa8c5da40;
                                    				 *((long long*)(__rcx +  *((intOrPtr*)( *__rcx + 4)))) = 0xa8c5da58;
                                    				_t61 =  *((intOrPtr*)( *__rcx + 4));
                                    				 *((long long*)(__rcx + _t61 + 0x28)) = __rcx + 8;
                                    				 *(__rcx + _t61 + 0x20) = 0 | _t39 == 0x00000000;
                                    				 *((intOrPtr*)(__rcx + _t61 + 0x24)) = 0;
                                    				 *((intOrPtr*)(__rcx + _t61 + 8)) = 0x1002;
                                    				 *((long long*)(__rcx + _t61 + 0x18)) = 0;
                                    				 *((long long*)(__rcx + _t61 + 0x10)) = 6;
                                    				asm("xorps xmm6, xmm6");
                                    				asm("movups [esi+edi+0x38], xmm6");
                                    				asm("movups [esi+edi+0x48], xmm6");
                                    				asm("movups [esi+edi+0x58], xmm6");
                                    				asm("movups [esi+edi+0x68], xmm6");
                                    				asm("movups [esi+edi+0x78], xmm6");
                                    				if ( *0xa8c909a0 -  *((intOrPtr*)( *((intOrPtr*)( *[gs:0x58] + 0x3ffbd462ed2c0)) + 4)) > 0) goto 0xa8b6a2cd;
                                    				_t62 = _t61 + __rcx;
                                    				 *((long long*)(_t62 + 0x30)) =  *((intOrPtr*)( *0xa8c90998));
                                    				asm("lock inc dword [eax+0x8]");
                                    				 *((long long*)(_t62 + 0x88)) = 0;
                                    				 *((intOrPtr*)(_t62 + 0x90)) = 0xffffffff;
                                    				 *((long long*)(__rcx +  *((intOrPtr*)( *__rcx + 4)))) = 0xa8c5da40;
                                    				_t36 = E00007FF77FF7A8B6A3D0(__rcx + 8);
                                    				 *((long long*)(__rcx + 8)) = 0xa8c5da60;
                                    				r12d = r12d | 0x00000010;
                                    				asm("movups [esi+0x48], xmm6");
                                    				asm("movups [esi+0x58], xmm6");
                                    				 *(__rcx + 0x68) = r12d;
                                    				asm("movaps xmm6, [ebp-0x10]");
                                    				return _t36;
                                    			}

                                    APIs
                                    • _Init_thread_footer.LIBCMT ref: 00007FF7A8B6A331
                                      • Part of subcall function 00007FF7A8B88008: EnterCriticalSection.KERNEL32(?,?,?,00007FF7A8A710BF,?,?,?,?,?,00007FF7A8A7100E), ref: 00007FF7A8B88018
                                    • _Init_thread_footer.LIBCMT ref: 00007FF7A8B6A380
                                    Strings
                                    • ../../third_party/crashpad/crashpad/util/file/file_io_win.cc, xrefs: 00007FF7A8B6A188
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.282202405.00007FF7A8A71000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF7A8A70000, based on PE: true
                                    • Associated: 00000005.00000002.282193308.00007FF7A8A70000.00000002.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282677117.00007FF7A8C32000.00000002.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282689759.00007FF7A8C3A000.00000002.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282700365.00007FF7A8C4A000.00000002.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282744839.00007FF7A8C85000.00000008.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282751860.00007FF7A8C8E000.00000008.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282767122.00007FF7A8C98000.00000002.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282780464.00007FF7A8CAA000.00000002.00000001.01000000.00000006.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_7ff7a8a70000_chrome.jbxd
                                    Similarity
                                    • API ID: Init_thread_footer$CriticalEnterSection
                                    • String ID: ../../third_party/crashpad/crashpad/util/file/file_io_win.cc
                                    • API String ID: 540175162-2901045336
                                    • Opcode ID: 29c3674c3da3a94fd996a020362dd51c68a8f26c92dec383b7b3e807b0f375bf
                                    • Instruction ID: 98df9c7ed98edf868a2ff451b904fd6201bcdd0093a003cfd60f2a4358f64e60
                                    • Opcode Fuzzy Hash: 29c3674c3da3a94fd996a020362dd51c68a8f26c92dec383b7b3e807b0f375bf
                                    • Instruction Fuzzy Hash: D351413290AB8296E610AB15E980276F360FB94754F925275DE9E037B1DF3CE091C714
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.282202405.00007FF7A8A71000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF7A8A70000, based on PE: true
                                    • Associated: 00000005.00000002.282193308.00007FF7A8A70000.00000002.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282677117.00007FF7A8C32000.00000002.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282689759.00007FF7A8C3A000.00000002.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282700365.00007FF7A8C4A000.00000002.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282744839.00007FF7A8C85000.00000008.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282751860.00007FF7A8C8E000.00000008.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282767122.00007FF7A8C98000.00000002.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282780464.00007FF7A8CAA000.00000002.00000001.01000000.00000006.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_7ff7a8a70000_chrome.jbxd
                                    Similarity
                                    • API ID: MemoryProcessRead
                                    • String ID: (
                                    • API String ID: 1726664587-3887548279
                                    • Opcode ID: eb9c88ae4e850be50a9517ec6ab6e3acdbffe326b00eb80a9d40adf2603386aa
                                    • Instruction ID: 930a968a2203c49df110ef7f695a59cb16aeab043283895ec1808451483ec3d4
                                    • Opcode Fuzzy Hash: eb9c88ae4e850be50a9517ec6ab6e3acdbffe326b00eb80a9d40adf2603386aa
                                    • Instruction Fuzzy Hash: 3A31D92160AA8181F7619B26F8047E6E7A0FF99794F469231DECD13B64EF3CD186CB14
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                      • Part of subcall function 00007FF7A8BA2798: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7A8BA27CD
                                    • __uncaught_exceptions.LIBVCRUNTIME ref: 00007FF7A8BC2DF4
                                      • Part of subcall function 00007FF7A8B8C3F0: __vcrt_getptd_noinit.LIBVCRUNTIME ref: 00007FF7A8B8C3F4
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.282202405.00007FF7A8A71000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF7A8A70000, based on PE: true
                                    • Associated: 00000005.00000002.282193308.00007FF7A8A70000.00000002.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282677117.00007FF7A8C32000.00000002.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282689759.00007FF7A8C3A000.00000002.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282700365.00007FF7A8C4A000.00000002.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282744839.00007FF7A8C85000.00000008.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282751860.00007FF7A8C8E000.00000008.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282767122.00007FF7A8C98000.00000002.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282780464.00007FF7A8CAA000.00000002.00000001.01000000.00000006.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_7ff7a8a70000_chrome.jbxd
                                    Similarity
                                    • API ID: __uncaught_exceptions__vcrt_getptd_noinit_invalid_parameter_noinfo
                                    • String ID: terminate_handler unexpectedly returned$terminate_handler unexpectedly threw an exception
                                    • API String ID: 3063739209-1901931556
                                    • Opcode ID: dccaef3c9d35e636358d32f8e825efaf10006947889e20fca434470c56847be2
                                    • Instruction ID: a9ec034b765a084e8ee40f3c32a7728ffb04246376e64ab66415b744a62fc557
                                    • Opcode Fuzzy Hash: dccaef3c9d35e636358d32f8e825efaf10006947889e20fca434470c56847be2
                                    • Instruction Fuzzy Hash: 5A01D618E1AA4686E204B77094063F8D324FF94310FD10634E97D077E3CF2DE1628728
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 25%
                                    			E00007FF77FF7A8ACE870(signed int __ebx, void* __rcx) {
                                    				signed int _v32;
                                    				char _v120;
                                    				char _v152;
                                    				void* _t9;
                                    				long _t12;
                                    				void* _t17;
                                    				signed long long _t21;
                                    				signed long long _t37;
                                    
                                    				_t21 =  *0xa8c85028; // 0x2b992ddfa232
                                    				_v32 = _t21 ^ _t37;
                                    				_t2 =  &_v120; // -6148914691236517278
                                    				 *((long long*)(_t2 + 0x50)) = 0xaaaaaaaa;
                                    				asm("movaps xmm0, [0x191f87]");
                                    				asm("movaps [esi+0x40], xmm0");
                                    				asm("movaps [esi+0x30], xmm0");
                                    				asm("movaps [esi+0x20], xmm0");
                                    				asm("movaps [esi+0x10], xmm0");
                                    				asm("movaps [esi], xmm0");
                                    				_t4 =  &_v152; // -6148914691236517310
                                    				r9d = 0x1af;
                                    				E00007FF77FF7A8B4CD80(_t9, _t4, "PathExists", "../../base/files/file_util_win.cc");
                                    				r8d = 0;
                                    				E00007FF77FF7A8B588E0(_t2, _t4);
                                    				if ( *((char*)(__rcx + 0x17)) >= 0) goto 0xa8ace8f4;
                                    				_t12 = GetFileAttributesW(??);
                                    				0xa8b590b0();
                                    				E00007FF77FF7A8B8A7E0(_t17, 0xaaaaaaaa, _v32 ^ _t37);
                                    				return __ebx & 0xffffff00 | _t12 != 0xffffffff;
                                    			}












                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.282202405.00007FF7A8A71000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF7A8A70000, based on PE: true
                                    • Associated: 00000005.00000002.282193308.00007FF7A8A70000.00000002.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282677117.00007FF7A8C32000.00000002.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282689759.00007FF7A8C3A000.00000002.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282700365.00007FF7A8C4A000.00000002.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282744839.00007FF7A8C85000.00000008.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282751860.00007FF7A8C8E000.00000008.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282767122.00007FF7A8C98000.00000002.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282780464.00007FF7A8CAA000.00000002.00000001.01000000.00000006.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_7ff7a8a70000_chrome.jbxd
                                    Similarity
                                    • API ID: AttributesFile
                                    • String ID: ../../base/files/file_util_win.cc$PathExists
                                    • API String ID: 3188754299-1196770437
                                    • Opcode ID: f859f30f6567d60f0ff151b47a6f597a0caae249cb7ddb40ed298b2514636eca
                                    • Instruction ID: 592312da16de0dc1045f1dee34c74c0f634d6a01a3d64109ee85af06c5bf463a
                                    • Opcode Fuzzy Hash: f859f30f6567d60f0ff151b47a6f597a0caae249cb7ddb40ed298b2514636eca
                                    • Instruction Fuzzy Hash: 20110431A096D152FA256B28A8013E5E3F0BF84790F811130DE8D03B60EF3DE597C755
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • RtlPcToFileHeader.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF7A8BD7B24), ref: 00007FF7A8B8B2B0
                                    • RaiseException.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF7A8BD7B24), ref: 00007FF7A8B8B2F6
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.282202405.00007FF7A8A71000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF7A8A70000, based on PE: true
                                    • Associated: 00000005.00000002.282193308.00007FF7A8A70000.00000002.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282677117.00007FF7A8C32000.00000002.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282689759.00007FF7A8C3A000.00000002.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282700365.00007FF7A8C4A000.00000002.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282744839.00007FF7A8C85000.00000008.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282751860.00007FF7A8C8E000.00000008.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282767122.00007FF7A8C98000.00000002.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282780464.00007FF7A8CAA000.00000002.00000001.01000000.00000006.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_7ff7a8a70000_chrome.jbxd
                                    Similarity
                                    • API ID: ExceptionFileHeaderRaise
                                    • String ID: csm
                                    • API String ID: 2573137834-1018135373
                                    • Opcode ID: 8f6e1c9027a953d3a855d160c13a705cefde2fbc9058db2b367367704602a948
                                    • Instruction ID: 5a54f549634fd7fee391bb71455ac8610d1650d7c4d459a1bb19146637b9c3b6
                                    • Opcode Fuzzy Hash: 8f6e1c9027a953d3a855d160c13a705cefde2fbc9058db2b367367704602a948
                                    • Instruction Fuzzy Hash: A4114C32619B4182EB209F25F44026DFBA1FB88B84F994235DF8D07768DF3CD5518B04
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 100%
                                    			E00007FF77FF7A8A71080(signed int __rcx) {
                                    				long long _v8;
                                    				void* _t8;
                                    				void* _t13;
                                    
                                    				_v8 = 0xfffffffe;
                                    				if ( *0xa8c91764 -  *((intOrPtr*)( *((intOrPtr*)( *[gs:0x58] + __rcx * 8)) + 4)) <= 0) goto 0xa8a710f7;
                                    				E00007FF77FF7A8B88008();
                                    				if ( *0xa8c91764 != 0xffffffff) goto 0xa8a710f7;
                                    				if (E00007FF77FF7A8A71150( *0xa8c91764, 0xa8c91760, 0xa8bd8a50) != 0) goto 0xa8a71104;
                                    				_t8 = E00007FF77FF7A8B88B40(_t13);
                                    				E00007FF77FF7A8B87FA8();
                                    				return _t8;
                                    			}







                                    APIs
                                      • Part of subcall function 00007FF7A8B88008: EnterCriticalSection.KERNEL32(?,?,?,00007FF7A8A710BF,?,?,?,?,?,00007FF7A8A7100E), ref: 00007FF7A8B88018
                                    • _Init_thread_abort.LIBCMT ref: 00007FF7A8A71135
                                      • Part of subcall function 00007FF7A8A71150: FlsAlloc.KERNEL32(?,?,?,00007FF7A8A710DB,?,?,?,?,?,00007FF7A8A7100E), ref: 00007FF7A8A7115B
                                    • _Init_thread_footer.LIBCMT ref: 00007FF7A8A710F2
                                      • Part of subcall function 00007FF7A8B87FA8: EnterCriticalSection.KERNEL32(?,?,?,00007FF7A8A710F7,?,?,?,?,?,00007FF7A8A7100E), ref: 00007FF7A8B87FB8
                                      • Part of subcall function 00007FF7A8B87FA8: LeaveCriticalSection.KERNEL32(?,?,?,00007FF7A8A710F7,?,?,?,?,?,00007FF7A8A7100E), ref: 00007FF7A8B87FF8
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.282202405.00007FF7A8A71000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF7A8A70000, based on PE: true
                                    • Associated: 00000005.00000002.282193308.00007FF7A8A70000.00000002.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282677117.00007FF7A8C32000.00000002.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282689759.00007FF7A8C3A000.00000002.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282700365.00007FF7A8C4A000.00000002.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282744839.00007FF7A8C85000.00000008.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282751860.00007FF7A8C8E000.00000008.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282767122.00007FF7A8C98000.00000002.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282780464.00007FF7A8CAA000.00000002.00000001.01000000.00000006.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_7ff7a8a70000_chrome.jbxd
                                    Similarity
                                    • API ID: CriticalSection$Enter$AllocInit_thread_abortInit_thread_footerLeave
                                    • String ID: __thread_specific_ptr construction failed
                                    • API String ID: 2231943355-969011497
                                    • Opcode ID: 25230f76503e04e6c8ef8a692a800c950f8415b54297500fd369fde3d36db356
                                    • Instruction ID: 73c50d6c4d35d375e2b677334bcf8e7212347cd87155cc6ecfa1788860961854
                                    • Opcode Fuzzy Hash: 25230f76503e04e6c8ef8a692a800c950f8415b54297500fd369fde3d36db356
                                    • Instruction Fuzzy Hash: 9E119320E1BA4395E600FB20D9420B4F360FB40360FC202B6D96E432F1BF2CE556CB29
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 16%
                                    			E00007FF77FF7A8ABE5D0(void* __rcx) {
                                    				signed int _v16;
                                    				long long _v32;
                                    				intOrPtr _v40;
                                    				signed long long _t12;
                                    				signed long long _t13;
                                    				signed long long _t18;
                                    
                                    				_t12 =  *0xa8c85028; // 0x2b992ddfa232
                                    				_t13 = _t12 ^ _t18;
                                    				_v16 = _t13;
                                    				_v32 = 0;
                                    				_v40 = 0;
                                    				CreateThread(??, ??, ??, ??, ??, ??);
                                    				 *(__rcx + 8) = _t13;
                                    				if (_t13 == 0) goto 0xa8abe629;
                                    				return E00007FF77FF7A8B8A7E0(0, _t13, _v16 ^ _t18);
                                    			}










                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.282202405.00007FF7A8A71000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF7A8A70000, based on PE: true
                                    • Associated: 00000005.00000002.282193308.00007FF7A8A70000.00000002.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282677117.00007FF7A8C32000.00000002.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282689759.00007FF7A8C3A000.00000002.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282700365.00007FF7A8C4A000.00000002.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282744839.00007FF7A8C85000.00000008.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282751860.00007FF7A8C8E000.00000008.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282767122.00007FF7A8C98000.00000002.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282780464.00007FF7A8CAA000.00000002.00000001.01000000.00000006.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_7ff7a8a70000_chrome.jbxd
                                    Similarity
                                    • API ID: CreateThread
                                    • String ID: ../../third_party/crashpad/crashpad/util/thread/thread_win.cc$CreateThread
                                    • API String ID: 2422867632-2064233884
                                    • Opcode ID: 391006bfea265f42c0e9e981fbb048e051b611dbb6348676f9c036f9157981a2
                                    • Instruction ID: fbb03156bb3f73de3b034dbe0e6914f9079430c30c383258af487fb8fd5a3987
                                    • Opcode Fuzzy Hash: 391006bfea265f42c0e9e981fbb048e051b611dbb6348676f9c036f9157981a2
                                    • Instruction Fuzzy Hash: 89017161A1E65282FA04F712B4557BAE351AF88B80FC69036E94E07775DF2CE1028B29
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 100%
                                    			E00007FF77FF7A8B67AA0() {
                                    
                                    				if ( *0xa8c938a8 == 0) goto 0xa8b67ad1;
                                    				goto __r8;
                                    			}



                                    0x7ff7a8b67ab0
                                    0x7ff7a8b67ace

                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.282202405.00007FF7A8A71000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF7A8A70000, based on PE: true
                                    • Associated: 00000005.00000002.282193308.00007FF7A8A70000.00000002.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282677117.00007FF7A8C32000.00000002.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282689759.00007FF7A8C3A000.00000002.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282700365.00007FF7A8C4A000.00000002.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282744839.00007FF7A8C85000.00000008.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282751860.00007FF7A8C8E000.00000008.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282767122.00007FF7A8C98000.00000002.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282780464.00007FF7A8CAA000.00000002.00000001.01000000.00000006.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_7ff7a8a70000_chrome.jbxd
                                    Similarity
                                    • API ID: AddressHandleModuleProc
                                    • String ID: GetHandleVerifier
                                    • API String ID: 1646373207-1090674830
                                    • Opcode ID: 93542f787222fad66d04f09964f0a9de28d8eeca265a1e6d5c710e00428c53c3
                                    • Instruction ID: a1364438ace1df9c99275c4d56e949231ba70919bf599a93a7a7c4b9a7780dea
                                    • Opcode Fuzzy Hash: 93542f787222fad66d04f09964f0a9de28d8eeca265a1e6d5c710e00428c53c3
                                    • Instruction Fuzzy Hash: 0C016D24A0FA0A81FA14BB65A494679E362AF44B40FCA4576C80F433B0DE3CA485DB3D
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 27%
                                    			E00007FF77FF7A8BAE5BC(void* __ecx, void* __rax, long long __rbx, void* __rdx, long long _a8) {
                                    				void* _t11;
                                    				void* _t18;
                                    
                                    				_t11 = __rax;
                                    				_a8 = __rbx;
                                    				E00007FF77FF7A8BAED54(6, __rdx, "FlsSetValue", _t18, 0xa8c53080, 0xa8c53088);
                                    				if (_t11 == 0) goto 0xa8bae5fc;
                                    				 *0xa8ca6010();
                                    				goto 0xa8bae602;
                                    				return TlsSetValue(??, ??);
                                    			}






                                    APIs
                                    • try_get_function.LIBVCRUNTIME ref: 00007FF7A8BAE5E5
                                    • TlsSetValue.KERNEL32(?,?,?,00007FF7A8BADE4A,?,?,?,00007FF7A8B88295,?,?,?,?,00007FF7A8BAD2E2,?,?,00000000), ref: 00007FF7A8BAE5FC
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.282202405.00007FF7A8A71000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF7A8A70000, based on PE: true
                                    • Associated: 00000005.00000002.282193308.00007FF7A8A70000.00000002.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282677117.00007FF7A8C32000.00000002.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282689759.00007FF7A8C3A000.00000002.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282700365.00007FF7A8C4A000.00000002.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282744839.00007FF7A8C85000.00000008.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282751860.00007FF7A8C8E000.00000008.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282767122.00007FF7A8C98000.00000002.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282780464.00007FF7A8CAA000.00000002.00000001.01000000.00000006.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_7ff7a8a70000_chrome.jbxd
                                    Similarity
                                    • API ID: Valuetry_get_function
                                    • String ID: FlsSetValue
                                    • API String ID: 738293619-3750699315
                                    • Opcode ID: 3b172f7f2b103442f8270b8a4401e04df67f00001a75c34a7fe6d42cd7643d01
                                    • Instruction ID: 48cddae1adefd7fd1e0f98bf2ca4510115077b846477a2f07f717bea1f96895b
                                    • Opcode Fuzzy Hash: 3b172f7f2b103442f8270b8a4401e04df67f00001a75c34a7fe6d42cd7643d01
                                    • Instruction Fuzzy Hash: AAE09361A0A64292FF157754F4445B5E222BF44780FC94075D91D0A375CD3CE494CF3C
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 37%
                                    			E00007FF77FF7A8AAA5A0(void* __rax, long long* __rcx, intOrPtr* __rdx) {
                                    				long _t15;
                                    				long _t17;
                                    				intOrPtr _t20;
                                    				long long _t42;
                                    				long long _t47;
                                    
                                    				if ( *((intOrPtr*)(__rcx + 0x10)) != 0) goto 0xa8aaa68c;
                                    				if ( *__rcx != 0) goto 0xa8aaa68c;
                                    				if ( *((intOrPtr*)(__rcx + 0x14)) != 0) goto 0xa8aaa68c;
                                    				if ( *((long long*)(__rcx + 8)) != 0) goto 0xa8aaa68c;
                                    				_t42 =  *((intOrPtr*)(__rdx));
                                    				if (__rax == _t42) goto 0xa8aaa60f;
                                    				_t15 = GetLastError();
                                    				if ( *((intOrPtr*)(__rcx)) + 1 - 2 >= 0) goto 0xa8aaa65e;
                                    				if (_t42 + 1 - 2 < 0) goto 0xa8aaa607;
                                    				 *__rcx = _t42;
                                    				E00007FF77FF7A8B42830(_t15);
                                    				SetLastError(??);
                                    				_t47 =  *((intOrPtr*)(__rdx + 8));
                                    				if ( *((intOrPtr*)(__rcx + 8)) == _t47) goto 0xa8aaa649;
                                    				_t17 = GetLastError();
                                    				if ( *((intOrPtr*)(__rcx + 8)) + 1 - 2 >= 0) goto 0xa8aaa674;
                                    				if (_t47 + 1 - 2 < 0) goto 0xa8aaa641;
                                    				 *((long long*)(__rcx + 8)) = _t47;
                                    				E00007FF77FF7A8B42830(_t17);
                                    				SetLastError(??);
                                    				 *((intOrPtr*)(__rcx + 0x10)) =  *((intOrPtr*)(__rdx + 0x10));
                                    				_t20 =  *((intOrPtr*)(__rdx + 0x14));
                                    				 *((intOrPtr*)(__rcx + 0x14)) = _t20;
                                    				return _t20;
                                    			}









                                    APIs
                                    • GetLastError.KERNEL32(?,?,?,00000000,00007FF7A8AB99CC), ref: 00007FF7A8AAA5E1
                                    • SetLastError.KERNEL32(?,?,?,00000000,00007FF7A8AB99CC), ref: 00007FF7A8AAA609
                                    • GetLastError.KERNEL32(?,?,?,00000000,00007FF7A8AB99CC), ref: 00007FF7A8AAA619
                                    • SetLastError.KERNEL32(?,?,?,00000000,00007FF7A8AB99CC), ref: 00007FF7A8AAA643
                                      • Part of subcall function 00007FF7A8B67AA0: GetModuleHandleW.KERNEL32 ref: 00007FF7A8B67AD3
                                      • Part of subcall function 00007FF7A8B67AA0: GetProcAddress.KERNEL32 ref: 00007FF7A8B67AE3
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.282202405.00007FF7A8A71000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF7A8A70000, based on PE: true
                                    • Associated: 00000005.00000002.282193308.00007FF7A8A70000.00000002.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282677117.00007FF7A8C32000.00000002.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282689759.00007FF7A8C3A000.00000002.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282700365.00007FF7A8C4A000.00000002.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282744839.00007FF7A8C85000.00000008.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282751860.00007FF7A8C8E000.00000008.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282767122.00007FF7A8C98000.00000002.00000001.01000000.00000006.sdmp
                                    • Associated: 00000005.00000002.282780464.00007FF7A8CAA000.00000002.00000001.01000000.00000006.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_7ff7a8a70000_chrome.jbxd
                                    Similarity
                                    • API ID: ErrorLast$AddressHandleModuleProc
                                    • String ID:
                                    • API String ID: 1762409328-0
                                    • Opcode ID: 3c80398c79a68dcb6ae62e2d472cb9cd69c1737753dd41454808656704c9f3ad
                                    • Instruction ID: 467dcd219ba55eec170ae07a70dd8c8fe7349c21daca156c1797cbb43cf684dc
                                    • Opcode Fuzzy Hash: 3c80398c79a68dcb6ae62e2d472cb9cd69c1737753dd41454808656704c9f3ad
                                    • Instruction Fuzzy Hash: 53316F32A0B64686EB24BF11E14576DE3A5EB04740F864430CB4E46AB1EF7CF4858B68
                                    Uniqueness

                                    Uniqueness Score: -1.00%