Edit tour

Windows Analysis Report
AppInstallerPythonRedirector.exe

Overview

General Information

Sample Name:	AppInstallerPythonRedirector.exe
Analysis ID:	1335590
MD5:	874861e3ab75b9cb123a069a62892bb3
SHA1:	eec3a3aea76f7467247f5694c8ed2e487b48af06
SHA256:	26408681bda8d430af07f5338723bb10b419ae482a4c4aa6446cc536d21bac4c

Detection

Score:	3
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Sample file is different than original file name gathered from version info

Contains functionality to dynamically determine API calls

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Program does not show much activity (idle)

Detected potential crypto function

Classification

Process Tree

System is w7x64

AppInstallerPythonRedirector.exe (PID: 2944 cmdline: C:\Users\user\Desktop\AppInstallerPythonRedirector.exe MD5: 874861E3AB75B9CB123A069A62892BB3)

cleanup

Joe Sandbox Signatures

• Compliance
• System Summary
• Data Obfuscation
• Malware Analysis System Evasion
• Anti Debugging
• Language, Device and Operating System Detection

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: AppInstallerPythonRedirector.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source:	Binary string: D:\a\_work\1\b\release\x64\AppInstallerPythonRedirector\AppInstallerPythonRedirector.pdb)) source: AppInstallerPythonRedirector.exe
Source:	Binary string: D:\a\_work\1\b\release\x64\AppInstallerPythonRedirector\AppInstallerPythonRedirector.pdb source: AppInstallerPythonRedirector.exe

Source: AppInstallerPythonRedirector.exe

Binary or memory string: OriginalFilename vs AppInstallerPythonRedirector.exe

Source: C:\Users\user\Desktop\AppInstallerPythonRedirector.exe	Code function: 0_2_000000013FAD19D0		0_2_000000013FAD19D0
Source: C:\Users\user\Desktop\AppInstallerPythonRedirector.exe	Code function: 0_2_000000013FAD28D0		0_2_000000013FAD28D0

Source: AppInstallerPythonRedirector.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\AppInstallerPythonRedirector.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: classification engine

Classification label: clean3.winEXE@1/0@0/0

Source: AppInstallerPythonRedirector.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: AppInstallerPythonRedirector.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: AppInstallerPythonRedirector.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: AppInstallerPythonRedirector.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: AppInstallerPythonRedirector.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: AppInstallerPythonRedirector.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: AppInstallerPythonRedirector.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: AppInstallerPythonRedirector.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source: AppInstallerPythonRedirector.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: D:\a\_work\1\b\release\x64\AppInstallerPythonRedirector\AppInstallerPythonRedirector.pdb)) source: AppInstallerPythonRedirector.exe
Source:	Binary string: D:\a\_work\1\b\release\x64\AppInstallerPythonRedirector\AppInstallerPythonRedirector.pdb source: AppInstallerPythonRedirector.exe

Source: AppInstallerPythonRedirector.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: AppInstallerPythonRedirector.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: AppInstallerPythonRedirector.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: AppInstallerPythonRedirector.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: AppInstallerPythonRedirector.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\AppInstallerPythonRedirector.exe

Code function: 0_2_000000013FAD89C0 AcquireSRWLockExclusive,LoadLibraryW,GetProcAddress,ReleaseSRWLockExclusive,ReleaseSRWLockExclusive,_CxxThrowException,

0_2_000000013FAD89C0

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\AppInstallerPythonRedirector.exe

Code function: 0_2_000000013FAD89C0 AcquireSRWLockExclusive,LoadLibraryW,GetProcAddress,ReleaseSRWLockExclusive,ReleaseSRWLockExclusive,_CxxThrowException,

0_2_000000013FAD89C0

Source: C:\Users\user\Desktop\AppInstallerPythonRedirector.exe

Code function: 0_2_000000013FADCE7C IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_000000013FADCE7C

Source: C:\Users\user\Desktop\AppInstallerPythonRedirector.exe

Code function: 0_2_000000013FADC3A0 GetProcessHeap,HeapFree,abort,_CxxThrowException,_CxxThrowException,

0_2_000000013FADC3A0

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\AppInstallerPythonRedirector.exe	Code function: 0_2_000000013FADCE7C IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_000000013FADCE7C
Source: C:\Users\user\Desktop\AppInstallerPythonRedirector.exe	Code function: 0_2_000000013FADC87C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_000000013FADC87C
Source: C:\Users\user\Desktop\AppInstallerPythonRedirector.exe	Code function: 0_2_000000013FADD024 SetUnhandledExceptionFilter,	0_2_000000013FADD024

Source: C:\Users\user\Desktop\AppInstallerPythonRedirector.exe

Code function: 0_2_000000013FADD09C GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_000000013FADD09C

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	1 Native API	Path Interception	Path Interception	Direct Volume Access	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Rootkit	LSASS Memory	2 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	2 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
AppInstallerPythonRedirector.exe	0%	ReversingLabs

Name	IP	Active	Malicious	Antivirus Detection	Reputation
windowsupdatebg.s.llnwi.net	69.164.0.0	true	false		unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox Version:	38.0.0 Ammolite
Analysis ID:	1335590
Start date and time:	2023-11-01 17:37:49 +01:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 3m 40s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:	5
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample file name:	AppInstallerPythonRedirector.exe
Detection:	CLEAN
Classification:	clean3.winEXE@1/0@0/0
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 50
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 23.221.227.168, 23.221.227.182
Excluded domains from analysis (whitelisted): ctldl.windowsupdate.com, a767.dspw65.akamai.net, wu-bg-shim.trafficmanager.net, download.windowsupdate.com.edgesuite.net
Execution Graph export aborted for target AppInstallerPythonRedirector.exe, PID 2944 because there are no executed function
Not all processes where analyzed, report is missing behavior information
VT rate limit hit for: AppInstallerPythonRedirector.exe

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
windowsupdatebg.s.llnwi.net	Missed_voicemail_001.one	Get hash	malicious	Unknown	Browse	69.164.0.128
	dump5.exe	Get hash	malicious	Unknown	Browse	69.164.0.128
	Impeditrt.js	Get hash	malicious	Unknown	Browse	69.164.0.0
	nKdPFPuJoq.exe	Get hash	malicious	Amadey, Babadeda, Mystic Stealer, RedLine	Browse	69.164.0.0
	Detalhes_Reserva.ppam	Get hash	malicious	RevengeRAT	Browse	69.164.0.0
	ORDER_001.doc	Get hash	malicious	AgentTesla	Browse	69.164.0.0
	Payment_Advise.doc	Get hash	malicious	Unknown	Browse	69.164.0.128
	https://pilotl.ink/r?i=howdy&e=cbstuqapdt2qjdyseeabazkabxpfwh2hs34pl5adac7niw33dpfc3r6t2p74d4iu3wkfbrp3x5otymzawi3wj6unvaful7723trbm4mhlshazedruueefeoi2phhcgao7llh6v4kv5kntajqnk4dgvdc6alcfxbzokounbriy7edemwg4zswa6noduzbhm4mpvhptzaswerirf4ymm3vqa2sztdruwr3cc6a	Get hash	malicious	Unknown	Browse	69.164.0.0
	SecuriteInfo.com.Exploit.CVE-2017-11882.123.5389.4377.doc	Get hash	malicious	Unknown	Browse	69.164.0.128
	Bestellung_-10_0652023_Oktober_2023.xlam.xlsx	Get hash	malicious	AgentTesla, zgRAT	Browse	69.164.0.128
	bRaA.exe	Get hash	malicious	Remcos	Browse	69.164.0.0
	New_order_98987006305#.doc	Get hash	malicious	FormBook, NSISDropper	Browse	69.164.0.0
	PR_301023xlam.xlsx	Get hash	malicious	AgentTesla, zgRAT	Browse	69.164.0.0
	Cities Skylines II v1.0 Plus 6 Trainer.exe	Get hash	malicious	Unknown	Browse	69.164.0.0
	SHIPPING DOCUMENT.xls	Get hash	malicious	Lokibot	Browse	69.164.0.128
	Checkeur netflix validator by crips.exe	Get hash	malicious	LimeRAT	Browse	69.164.0.128
	Revised_enquiry_for_Urgent_buy_Denmark.xlam.xlsx	Get hash	malicious	AgentTesla, zgRAT	Browse	69.164.0.128
	WAYBILL_XTREME_REF_STA335E_.xlam.xlsx	Get hash	malicious	AgentTesla, zgRAT	Browse	69.164.0.128
	Nuevo_pedido11142023.xlam.xlsx	Get hash	malicious	Unknown	Browse	69.164.0.0
	new_rfq_200618_pft0098.xlam.xlsx	Get hash	malicious	Unknown	Browse	69.164.0.128

File type:	PE32+ executable (console) x86-64, for MS Windows
Entropy (8bit):	6.163208021191311
TrID:	Win64 Executable Console (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	AppInstallerPythonRedirector.exe
File size:	278'528 bytes
MD5:	874861e3ab75b9cb123a069a62892bb3
SHA1:	eec3a3aea76f7467247f5694c8ed2e487b48af06
SHA256:	26408681bda8d430af07f5338723bb10b419ae482a4c4aa6446cc536d21bac4c
SHA512:	0913a38fef0c03f2f4c58a0b0f3165b6a8e2ea97049f26ffd804dbca66e484daf319820eba5e91d1efa215cba95febb33a81467a9f4aa195ecd855250c0bd66c
SSDEEP:	3072:Jk8raZua+iV1QEZMnmBkZs7gljF1J+ZjHGW+3XhrjQIRMxGW+3XhrjQIRM7:JkyoDnMnSejLJ+ZjHGxFWxGxFW
TLSH:	8D44184776EC82D4D531A138BB1296A4D7697C651750E3CF33D0BB1B1E3AAE0AE346E0
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............q...q...q..W....q..W....q..W....q..W....q.......q.......q...q..(q..1....q..1.b..q...q...q..1....q..Rich.q.................

File Icon


Icon Hash:	02021a3a3e27641a

Static PE Info

General

Entrypoint:	0x14000cc70
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Time Stamp:	0x651DF85B [Wed Oct 4 23:42:19 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	53d2582025e5b9fc285a75c2d49b91f6

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
call 00007FB6293C3868h
dec eax
add esp, 28h
jmp 00007FB6293C32AFh
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
retn 0000h
int3
jmp 00007FB6293C3A86h
int3
int3
int3
dec eax
sub esp, 48h
dec eax
lea ecx, dword ptr [esp+20h]
call 00007FB6293BCC3Bh
dec eax
lea edx, dword ptr [0000BAA7h]
dec eax
lea ecx, dword ptr [esp+20h]
call 00007FB6293C39BCh
int3
dec eax
mov dword ptr [esp+10h], ebx
dec eax
mov dword ptr [esp+18h], esi
push edi
dec eax
sub esp, 10h
xor eax, eax
xor ecx, ecx
cpuid
inc esp
mov eax, ecx
inc ebp
xor ebx, ebx
inc esp
mov edx, edx
inc ecx
xor eax, 6C65746Eh
inc ecx
xor edx, 49656E69h
inc esp
mov ecx, ebx
mov esi, eax
xor ecx, ecx
inc ecx
lea eax, dword ptr [ebx+01h]
inc ebp
or edx, eax
cpuid
inc ecx
xor ecx, 756E6547h
mov dword ptr [esp], eax
inc ebp
or edx, ecx
mov dword ptr [esp+04h], ebx
mov edi, ecx
mov dword ptr [esp+08h], ecx
mov dword ptr [esp+0Ch], edx
jne 00007FB6293C349Dh
dec eax
or dword ptr [0000E30Bh], FFFFFFFFh
and eax, 0FFF3FF0h
dec eax
mov dword ptr [0000E2F3h], 00008000h
cmp eax, 000106C0h
je 00007FB6293C346Ah
cmp eax, 00020660h

Rich Headers

Programming Language:

[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x188e4	0x294	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x20000	0x27270	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x1e000	0x14dc	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x48000	0x25c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x141d0	0x70	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x14090	0x140	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x12000	0x5e0	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x100fb	0x10200	False	0.4805141715116279	data	6.106824509353285	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x12000	0x8702	0x8800	False	0.3503848805147059	data	4.499189658620598	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x1b000	0x2eb0	0x2400	False	0.1283637152777778	DOS executable (block device driver \322f\324\377\3772)	4.604826151746903	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x1e000	0x14dc	0x1600	False	0.43110795454545453	data	4.750600296363665	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x20000	0x27270	0x27400	False	0.5286748606687898	data	6.075728432362387	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x48000	0x25c	0x400	False	0.4580078125	data	3.873262972946178	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x20730	0x3b55	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States	0.9815656066890512
RT_ICON	0x24288	0x1628	Device independent bitmap graphic, 64 x 128 x 8, image size 4096, 256 important colors	English	United States	0.33568406205923834
RT_ICON	0x258b0	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	English	United States	0.4482942430703625
RT_ICON	0x26758	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	English	United States	0.46344765342960287
RT_ICON	0x27000	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors	English	United States	0.5524193548387096
RT_ICON	0x276c8	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	English	United States	0.4328034682080925
RT_ICON	0x27c30	0x35cd	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States	0.9848253829957162
RT_ICON	0x2b200	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16896	English	United States	0.16213982050070855
RT_ICON	0x2f428	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	English	United States	0.2226141078838174
RT_ICON	0x319d0	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	United States	0.3116791744840525
RT_ICON	0x32a78	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	English	United States	0.40491803278688526
RT_ICON	0x33400	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.4423758865248227
RT_ICON	0x33918	0x3b55	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States	0.9815656066890512
RT_ICON	0x37470	0x1628	Device independent bitmap graphic, 64 x 128 x 8, image size 4096, 256 important colors	English	United States	0.33568406205923834
RT_ICON	0x38a98	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	English	United States	0.4482942430703625
RT_ICON	0x39940	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	English	United States	0.46344765342960287
RT_ICON	0x3a1e8	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors	English	United States	0.5524193548387096
RT_ICON	0x3a8b0	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	English	United States	0.4328034682080925
RT_ICON	0x3ae18	0x35cd	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States	0.9848253829957162
RT_ICON	0x3e3e8	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16896	English	United States	0.16213982050070855
RT_ICON	0x42610	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	English	United States	0.2226141078838174
RT_ICON	0x44bb8	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	United States	0.3116791744840525
RT_ICON	0x45c60	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	English	United States	0.40491803278688526
RT_ICON	0x465e8	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.4423758865248227
RT_MENU	0x46b00	0x4a	data	English	United States	0.8648648648648649
RT_DIALOG	0x46b60	0x154	data	English	United States	0.5558823529411765
RT_STRING	0x46cb8	0x60	data	English	United States	0.7083333333333334
RT_ACCELERATOR	0x46b50	0x10	data	English	United States	1.25
RT_GROUP_ICON	0x33868	0xae	data	English	United States	0.6379310344827587
RT_GROUP_ICON	0x46a50	0xae	data	English	United States	0.632183908045977
RT_VERSION	0x46d18	0x3d4	data	English	United States	0.41020408163265304
RT_MANIFEST	0x470f0	0x17d	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.5931758530183727

Imports

DLL	Import
api-ms-win-core-errorhandling-l1-1-0.dll	SetLastError, SetUnhandledExceptionFilter, GetLastError, UnhandledExceptionFilter
api-ms-win-core-string-l1-1-0.dll	MultiByteToWideChar
api-ms-win-core-debug-l1-1-0.dll	OutputDebugStringW, DebugBreak, IsDebuggerPresent
api-ms-win-core-com-l1-1-0.dll	CoCreateInstance, CoInitializeEx, CoGetObjectContext, CoTaskMemFree, CoGetApartmentType, CoCreateFreeThreadedMarshaler, CoTaskMemAlloc
api-ms-win-core-processthreads-l1-1-0.dll	GetCurrentProcessId, GetCurrentThreadId, GetCurrentProcess, TerminateProcess
api-ms-win-core-localization-l1-2-0.dll	FormatMessageW
api-ms-win-core-processenvironment-l1-1-0.dll	GetCommandLineW
api-ms-win-core-console-l1-2-0.dll	FreeConsole
api-ms-win-core-libraryloader-l1-2-0.dll	FreeLibrary, GetModuleFileNameA, GetModuleHandleW, GetModuleHandleExW, GetProcAddress
api-ms-win-core-heap-l1-1-0.dll	HeapAlloc, GetProcessHeap, HeapFree
SHELL32.dll	ShellExecuteW
MSVCP140.dll	??1?$basic_ostream@_WU?$char_traits@_W@std@@@std@@UEAA@XZ, ?clear@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QEAAXH_N@Z, ??0?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAA@PEAV?$basic_streambuf@_WU?$char_traits@_W@std@@@1@_N@Z, ??0?$basic_ios@_WU?$char_traits@_W@std@@@std@@IEAA@XZ, ?setstate@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QEAAXH_N@Z, ?flush@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV12@XZ, ?_Osfx@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAXXZ, ?_Init@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@IEAAXXZ, ??0?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@IEAA@XZ, ?getloc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QEBA?AVlocale@2@XZ, ??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z, ?widen@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QEBA_WD@Z, ?put@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV12@_W@Z, ?__ExceptionPtrCopyException@@YAXPEAXPEBX1@Z, ?__ExceptionPtrRethrow@@YAXPEBX@Z, ?__ExceptionPtrCurrentException@@YAXPEAX@Z, ?__ExceptionPtrAssign@@YAXPEAXPEBX@Z, ?wcerr@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A, _Thrd_yield, ?__ExceptionPtrCreate@@YAXPEAX@Z, ?__ExceptionPtrCopy@@YAXPEAXPEBX@Z, ?sputn@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QEAA_JPEB_W_J@Z, ?_Xlength_error@std@@YAXPEBD@Z, ??1?$basic_ios@_WU?$char_traits@_W@std@@@std@@UEAA@XZ, ?xsputn@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@MEAA_JPEB_W_J@Z, ?xsgetn@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@MEAA_JPEA_W_J@Z, ?in@?$codecvt@_WDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEA_W3AEAPEA_W@Z, ?_Pninc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@IEAAPEA_WXZ, ?out@?$codecvt@_WDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEB_W1AEAPEB_WPEAD3AEAPEAD@Z, ??1?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@UEAA@XZ, ?__ExceptionPtrDestroy@@YAXPEAX@Z, ??1_Lockit@std@@QEAA@XZ, ??0_Lockit@std@@QEAA@H@Z, ?_Getgloballocale@locale@std@@CAPEAV_Locimp@12@XZ, ??Bid@locale@std@@QEAA_KXZ, ?uncaught_exception@std@@YA_NXZ, ?always_noconv@codecvt_base@std@@QEBA_NXZ, ?unshift@?$codecvt@_WDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEAD1AEAPEAD@Z, ?sputc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QEAAG_W@Z, ?_Fiopen@std@@YAPEAU_iobuf@@PEB_WHH@Z, ?id@?$codecvt@_WDU_Mbstatet@@@std@@2V0locale@2@A, ?_Getcat@?$codecvt@_WDU_Mbstatet@@@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z, ?showmanyc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@MEAA_JXZ
VCRUNTIME140_1.dll	__CxxFrameHandler4
VCRUNTIME140.dll	_CxxThrowException, __current_exception_context, memset, memmove, __C_specific_handler, __std_exception_copy, __std_exception_destroy, __std_terminate, __current_exception, memcpy
api-ms-win-crt-runtime-l1-1-0.dll	_exit, terminate, _cexit, exit, _c_exit, _seh_filter_exe, _set_app_type, _initialize_wide_environment, _register_thread_local_exe_atexit_callback, _crt_atexit, _register_onexit_function, _invalid_parameter_noinfo_noreturn, _initialize_onexit_table, _configure_wide_argv, __p___argc, _errno, _initterm_e, _initterm, __p___wargv, abort, _invalid_parameter_noinfo, _get_initial_wide_environment
api-ms-win-crt-string-l1-1-0.dll	iswspace
api-ms-win-crt-stdio-l1-1-0.dll	fputwc, fgetwc, fgetc, __p__commode, _set_fmode, __stdio_common_vsnprintf_s, __stdio_common_vswprintf, fclose, fwrite, fgetpos, _fseeki64, fsetpos, setvbuf, fflush, ungetc, ungetwc
api-ms-win-crt-time-l1-1-0.dll	asctime_s, _localtime64_s, _time64
api-ms-win-crt-filesystem-l1-1-0.dll	_lock_file, _unlock_file
api-ms-win-crt-heap-l1-1-0.dll	_callnewh, malloc, _set_new_mode, free
api-ms-win-crt-math-l1-1-0.dll	__setusermatherr
api-ms-win-crt-locale-l1-1-0.dll	_configthreadlocale
api-ms-win-core-rtlsupport-l1-1-0.dll	RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind
api-ms-win-core-processthreads-l1-1-1.dll	IsProcessorFeaturePresent
api-ms-win-core-profile-l1-1-0.dll	QueryPerformanceCounter
api-ms-win-core-sysinfo-l1-1-0.dll	GetSystemTimeAsFileTime
api-ms-win-core-interlocked-l1-1-0.dll	InitializeSListHead, InterlockedPushEntrySList
OLEAUT32.dll	SysFreeString, SysStringLen, SysAllocString, SetErrorInfo, GetErrorInfo
api-ms-win-core-libraryloader-l1-2-1.dll	LoadLibraryW
api-ms-win-core-synch-l1-1-0.dll	CreateEventW, ReleaseSRWLockExclusive, WaitForSingleObject, SetEvent, AcquireSRWLockExclusive
api-ms-win-core-handle-l1-1-0.dll	CloseHandle
api-ms-win-core-threadpool-l1-2-0.dll	TrySubmitThreadpoolCallback

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 1, 2023 17:38:39.223906994 CET	8.8.8.8	192.168.2.22	0xcb71	No error (0)	windowsupdatebg.s.llnwi.net		69.164.0.0	A (IP address)	IN (0x0001)	false

Statistics

CPU Usage

• AppInstallerPythonRedirector.exe

Click to jump to process

Memory Usage

• AppInstallerPythonRedirector.exe

Click to jump to process

Target ID:	0
Start time:	17:38:34
Start date:	01/11/2023
Path:	C:\Users\user\Desktop\AppInstallerPythonRedirector.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\AppInstallerPythonRedirector.exe
Imagebase:	0x13fad0000
File size:	278'528 bytes
MD5 hash:	874861E3AB75B9CB123A069A62892BB3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Function 000000013FAD19D0 Relevance: 37.3, APIs: 18, Strings: 3, Instructions: 531memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 000000013FAD1B89
HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 000000013FAD1B9B
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013FAD1BDC
memcpy.VCRUNTIME140 ref: 000000013FAD1D2E
memmove.VCRUNTIME140 ref: 000000013FAD1DFD
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013FAD1E80
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013FAD1ED5
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013FAD1F33
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013FAD1F97
OutputDebugStringW.API-MS-WIN-CORE-DEBUG-L1-1-0 ref: 000000013FAD1FBD

Part of subcall function 000000013FADC5DC: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,000000013FAD6F70,?,?,?,?,000000013FAD101D), ref: 000000013FADC5F6

memmove.VCRUNTIME140 ref: 000000013FAD206E
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013FAD20EE
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013FAD2149
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013FAD21AD
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013FAD2268
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013FAD22B4
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013FAD231B
Concurrency::cancel_current_task.LIBCPMT ref: 000000013FAD238A

Strings

] - *** Start Log ***, xrefs: 000000013FAD1FE4
\AILog.txt, xrefs: 000000013FAD1BE9
] Log File is located under: , xrefs: 000000013FAD1D63

Memory Dump Source

Source File: 00000000.00000002.348466215.000000013FAD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FAD0000, based on PE: true

Associated: 00000000.00000002.348463662.000000013FAD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348469671.000000013FAE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348472323.000000013FAE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348474933.000000013FAEB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348477338.000000013FAEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13fad0000_AppInstallerPythonRedirector.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$Heapmemmove$Concurrency::cancel_current_taskDebugFreeOutputProcessStringabortmallocmemcpy
String ID: \AILog.txt$] - *** Start Log ***$] Log File is located under:
API String ID: 3286436829-1593896272
Opcode ID: 6cdbac02ef4e3b609a848244dd2107d887413ea368713e6aef35e6275811b42b
Instruction ID: c52f9323253d1a7bf0dd676ea1859e11e74ebb3faae90acf340c5170341a3f53
Opcode Fuzzy Hash: 6cdbac02ef4e3b609a848244dd2107d887413ea368713e6aef35e6275811b42b
Instruction Fuzzy Hash: 23427372A15BC481EA20DF15E4983DE73A5F795790F40532AEAAD43BE9DF78C286C700

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FAD89C0 Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 150libraryloaderCOMMON

Download Yara Rule

APIs

AcquireSRWLockExclusive.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 000000013FAD89F5
LoadLibraryW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-1 ref: 000000013FAD8A3D
GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 000000013FAD8A4C
ReleaseSRWLockExclusive.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 000000013FAD8B8A
ReleaseSRWLockExclusive.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 000000013FAD8B95
_CxxThrowException.VCRUNTIME140 ref: 000000013FAD8BE6

Strings

combase.dll, xrefs: 000000013FAD8A36
RoGetAgileReference, xrefs: 000000013FAD8A45

Memory Dump Source

Source File: 00000000.00000002.348466215.000000013FAD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FAD0000, based on PE: true

Associated: 00000000.00000002.348463662.000000013FAD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348469671.000000013FAE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348472323.000000013FAE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348474933.000000013FAEB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348477338.000000013FAEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13fad0000_AppInstallerPythonRedirector.jbxd

Similarity

API ID: ExclusiveLock$Release$AcquireAddressExceptionLibraryLoadProcThrow
String ID: RoGetAgileReference$combase.dll
API String ID: 1972360279-3498391780
Opcode ID: a2387c6643e2560f51aa001f39b950bc3aa2c96f738baaca5d349a1c29685c2f
Instruction ID: 9f9ad6bfac929574825035ff0cb7e550cf37531e1d4f58cda5ac04b7072d55ec
Opcode Fuzzy Hash: a2387c6643e2560f51aa001f39b950bc3aa2c96f738baaca5d349a1c29685c2f
Instruction Fuzzy Hash: F8510672B02B448AFB109F65E9603ED37A4AB54B88F484839EE4D577A9DF78C656C300

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FADCE7C Relevance: 13.6, APIs: 9, Instructions: 72COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-1 ref: 000000013FADCE98
memset.VCRUNTIME140 ref: 000000013FADCEBC
RtlCaptureContext.API-MS-WIN-CORE-RTLSUPPORT-L1-1-0 ref: 000000013FADCEC5
RtlLookupFunctionEntry.API-MS-WIN-CORE-RTLSUPPORT-L1-1-0 ref: 000000013FADCEDF
RtlVirtualUnwind.API-MS-WIN-CORE-RTLSUPPORT-L1-1-0 ref: 000000013FADCF20
memset.VCRUNTIME140 ref: 000000013FADCF53
IsDebuggerPresent.API-MS-WIN-CORE-DEBUG-L1-1-0 ref: 000000013FADCF74
SetUnhandledExceptionFilter.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013FADCF95
UnhandledExceptionFilter.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013FADCFA0

Memory Dump Source

Source File: 00000000.00000002.348466215.000000013FAD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FAD0000, based on PE: true

Associated: 00000000.00000002.348463662.000000013FAD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348469671.000000013FAE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348472323.000000013FAE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348474933.000000013FAEB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348477338.000000013FAEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13fad0000_AppInstallerPythonRedirector.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandledmemset$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 313767242-0
Opcode ID: 5a9ccc9c7e008765f3d9d053f49876354f1f1005e353d57dd539d14ebddde566
Instruction ID: 8758bd332672dc91b3f7ecbd7050900293bbff0c58e143b8f8975eff7f56c751
Opcode Fuzzy Hash: 5a9ccc9c7e008765f3d9d053f49876354f1f1005e353d57dd539d14ebddde566
Instruction Fuzzy Hash: 09314D72A05B808AEB609F60E8503ED73A5F794744F44403EEA4E47B99EF78C649CB14

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FADC3A0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 85memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 000000013FAD5130: #7.OLEAUT32 ref: 000000013FAD51B6
Part of subcall function 000000013FAD5130: iswspace.API-MS-WIN-CRT-STRING-L1-1-0 ref: 000000013FAD51D3
Part of subcall function 000000013FAD5130: #6.OLEAUT32 ref: 000000013FAD5275
Part of subcall function 000000013FAD5130: #6.OLEAUT32 ref: 000000013FAD5287
Part of subcall function 000000013FAD5130: #6.OLEAUT32 ref: 000000013FAD529D

GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 000000013FADC3FF
HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 000000013FADC40C
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013FADC420
_CxxThrowException.VCRUNTIME140 ref: 000000013FADC4AD

Strings

winrt::hresult_error: %ls, xrefs: 000000013FADC3D4

Memory Dump Source

Source File: 00000000.00000002.348466215.000000013FAD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FAD0000, based on PE: true

Associated: 00000000.00000002.348463662.000000013FAD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348469671.000000013FAE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348472323.000000013FAE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348474933.000000013FAEB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348477338.000000013FAEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13fad0000_AppInstallerPythonRedirector.jbxd

Similarity

API ID: Heap$ExceptionFreeProcessThrowabortiswspace
String ID: winrt::hresult_error: %ls
API String ID: 4015227188-1685348404
Opcode ID: 5d7c67d97d68004c9048846aa43f2e6f5902098aca1b6387b809ae8700b04256
Instruction ID: f607882314f98a003b5841d532f6973fcda81c510d573b12979e2de3021d657a
Opcode Fuzzy Hash: 5d7c67d97d68004c9048846aa43f2e6f5902098aca1b6387b809ae8700b04256
Instruction Fuzzy Hash: 2021D272E1068083FA18EF71A8257E97261AB907D8F98843DBA9D476D9CE3CC3138740

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FAD28D0 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

_time64.API-MS-WIN-CRT-TIME-L1-1-0 ref: 000000013FAD2910
_localtime64_s.API-MS-WIN-CRT-TIME-L1-1-0 ref: 000000013FAD293B
asctime_s.API-MS-WIN-CRT-TIME-L1-1-0 ref: 000000013FAD296E
MultiByteToWideChar.API-MS-WIN-CORE-STRING-L1-1-0 ref: 000000013FAD29A7

Memory Dump Source

Source File: 00000000.00000002.348466215.000000013FAD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FAD0000, based on PE: true

Associated: 00000000.00000002.348463662.000000013FAD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348469671.000000013FAE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348472323.000000013FAE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348474933.000000013FAEB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348477338.000000013FAEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13fad0000_AppInstallerPythonRedirector.jbxd

Similarity

API ID: ByteCharMultiWide_localtime64_s_time64asctime_s
String ID:
API String ID: 2879144323-0
Opcode ID: b2cd8246a16a1eba88e5d9ff66fb2ae118717a5f4059bb5b6aabe783a6d8042a
Instruction ID: aebd8f7180a9e6184f7d89e36e416d0b4bafabd9243c6a9c5ad64d6954589e30
Opcode Fuzzy Hash: b2cd8246a16a1eba88e5d9ff66fb2ae118717a5f4059bb5b6aabe783a6d8042a
Instruction Fuzzy Hash: 1C417F32918BC482D7208F24E4503DAB3A1FBA5794F50932AE6DD13A59EF78D2D5CB40

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FADD024 Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.348466215.000000013FAD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FAD0000, based on PE: true

Associated: 00000000.00000002.348463662.000000013FAD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348469671.000000013FAE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348472323.000000013FAE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348474933.000000013FAEB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348477338.000000013FAEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13fad0000_AppInstallerPythonRedirector.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45f3424b09be9ca0531ac80e710ff12a8ef1aaad0c0d7b62fefa1a5062f89832
Instruction ID: 3be111ae9ac3e8ca16b58b3576ef8ae784799ee4c12a6c1ad0e5a01938996059
Opcode Fuzzy Hash: 45f3424b09be9ca0531ac80e710ff12a8ef1aaad0c0d7b62fefa1a5062f89832
Instruction Fuzzy Hash: 25A00132944811D1E6888B00E8607903660B3A0300F404029E00E560A09A6886028200

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FAD6A10 Relevance: 72.1, APIs: 40, Strings: 1, Instructions: 315memoryCOMMON

Download Yara Rule

APIs

#200.OLEAUT32(?,?,?,?,?,?,?,?,?,000000013FAD6E6F), ref: 000000013FAD6A5C
#6.OLEAUT32(?,?,?,?,?,?,?,?,?,000000013FAD6E6F), ref: 000000013FAD6AEA
#7.OLEAUT32(?,?,?,?,?,?,?,?,?,000000013FAD6E6F), ref: 000000013FAD6B83
iswspace.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,?,?,?,?,000000013FAD6E6F), ref: 000000013FAD6BA4
memcpy.VCRUNTIME140(?,?,?,?,?,?,?,?,?,000000013FAD6E6F), ref: 000000013FAD6BDC
memset.VCRUNTIME140(?,?,?,?,?,?,?,?,?,000000013FAD6E6F), ref: 000000013FAD6BE5
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,000000013FAD6E6F), ref: 000000013FAD6BEA
_invalid_parameter_noinfo.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,000000013FAD6E6F), ref: 000000013FAD6BF6
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,000000013FAD6E6F), ref: 000000013FAD6C1E
HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,000000013FAD6E6F), ref: 000000013FAD6C2B
#6.OLEAUT32(?,?,?,?,?,?,?,?,?,000000013FAD6E6F), ref: 000000013FAD6C39
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,000000013FAD6E6F), ref: 000000013FAD6C7A
_CxxThrowException.VCRUNTIME140(?,?,?,?,?,?,?,?,?,000000013FAD599B), ref: 000000013FAD6CDC
Concurrency::details::_NonReentrantBlockingLock::_NonReentrantBlockingLock.LIBCMT ref: 000000013FAD6CEA
_CxxThrowException.VCRUNTIME140(?,?,?,?,?,?,?,?,?,000000013FAD599B), ref: 000000013FAD6CFA
Concurrency::details::_NonReentrantBlockingLock::_NonReentrantBlockingLock.LIBCMT ref: 000000013FAD6D08

Part of subcall function 000000013FAD64D0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,000000013FAD6BC0,?,?,?,?,?,?,?,?), ref: 000000013FAD64F6

_CxxThrowException.VCRUNTIME140(?,?,?,?,?,?,?,?,?,000000013FAD599B), ref: 000000013FAD6D18
Concurrency::details::_NonReentrantBlockingLock::_NonReentrantBlockingLock.LIBCMT ref: 000000013FAD6D26
_CxxThrowException.VCRUNTIME140(?,?,?,?,?,?,?,?,?,000000013FAD599B), ref: 000000013FAD6D36
Concurrency::details::_NonReentrantBlockingLock::_NonReentrantBlockingLock.LIBCMT ref: 000000013FAD6D44
_CxxThrowException.VCRUNTIME140(?,?,?,?,?,?,?,?,?,000000013FAD599B), ref: 000000013FAD6D54
Concurrency::details::_NonReentrantBlockingLock::_NonReentrantBlockingLock.LIBCMT ref: 000000013FAD6D62
_CxxThrowException.VCRUNTIME140(?,?,?,?,?,?,?,?,?,000000013FAD599B), ref: 000000013FAD6D72
Concurrency::details::_NonReentrantBlockingLock::_NonReentrantBlockingLock.LIBCMT ref: 000000013FAD6D80
_CxxThrowException.VCRUNTIME140(?,?,?,?,?,?,?,?,?,000000013FAD599B), ref: 000000013FAD6D90
Concurrency::details::_NonReentrantBlockingLock::_NonReentrantBlockingLock.LIBCMT ref: 000000013FAD6D9E
_CxxThrowException.VCRUNTIME140(?,?,?,?,?,?,?,?,?,000000013FAD599B), ref: 000000013FAD6DAE
Concurrency::details::_NonReentrantBlockingLock::_NonReentrantBlockingLock.LIBCMT ref: 000000013FAD6DBC
_CxxThrowException.VCRUNTIME140(?,?,?,?,?,?,?,?,?,000000013FAD599B), ref: 000000013FAD6DCC
Concurrency::details::_NonReentrantBlockingLock::_NonReentrantBlockingLock.LIBCMT ref: 000000013FAD6DDA
_CxxThrowException.VCRUNTIME140(?,?,?,?,?,?,?,?,?,000000013FAD599B), ref: 000000013FAD6DEA
Concurrency::details::_NonReentrantBlockingLock::_NonReentrantBlockingLock.LIBCMT ref: 000000013FAD6DF8
_CxxThrowException.VCRUNTIME140(?,?,?,?,?,?,?,?,?,000000013FAD599B), ref: 000000013FAD6E08
Concurrency::details::_NonReentrantBlockingLock::_NonReentrantBlockingLock.LIBCMT ref: 000000013FAD6E16
_CxxThrowException.VCRUNTIME140(?,?,?,?,?,?,?,?,?,000000013FAD599B), ref: 000000013FAD6E26
Concurrency::details::_NonReentrantBlockingLock::_NonReentrantBlockingLock.LIBCMT ref: 000000013FAD6E34
_CxxThrowException.VCRUNTIME140(?,?,?,?,?,?,?,?,?,000000013FAD599B), ref: 000000013FAD6E44
Concurrency::details::_NonReentrantBlockingLock::_NonReentrantBlockingLock.LIBCMT ref: 000000013FAD6E52
_CxxThrowException.VCRUNTIME140(?,?,?,?,?,?,?,?,?,000000013FAD599B), ref: 000000013FAD6E62
_CxxThrowException.VCRUNTIME140(?,?,?,?,?,?,?,?,?,000000013FAD599B), ref: 000000013FAD6E7A

Strings

W, xrefs: 000000013FAD6D3C

Memory Dump Source

Source File: 00000000.00000002.348466215.000000013FAD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FAD0000, based on PE: true

Associated: 00000000.00000002.348463662.000000013FAD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348469671.000000013FAE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348472323.000000013FAE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348474933.000000013FAEB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348477338.000000013FAEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13fad0000_AppInstallerPythonRedirector.jbxd

Similarity

API ID: BlockingReentrant$ExceptionThrow$Concurrency::details::_LockLock::_$Heap$Process$#200Free_errno_invalid_parameter_noinfoabortiswspacememcpymemset
String ID: W
API String ID: 1651764358-655174618
Opcode ID: 28cbe46e4ded38a03f2289523a4a35036eae6b3bfbad52ac31041a9e16f29a5d
Instruction ID: c57271b07cd64eb546d4c2f7fcd0a1e445d6b0d73113dfbe8c0d5ee10e867892
Opcode Fuzzy Hash: 28cbe46e4ded38a03f2289523a4a35036eae6b3bfbad52ac31041a9e16f29a5d
Instruction Fuzzy Hash: 56D12932E10A0596FF14AF65D8A13ED33B4BB58B84F94843DEA0D577E9DE38C6468360

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FAD6C90 Relevance: 50.9, APIs: 28, Strings: 1, Instructions: 119COMMON

Download Yara Rule

APIs

_CxxThrowException.VCRUNTIME140(?,?,?,?,?,?,?,?,?,000000013FAD599B), ref: 000000013FAD6CDC
Concurrency::details::_NonReentrantBlockingLock::_NonReentrantBlockingLock.LIBCMT ref: 000000013FAD6CEA
_CxxThrowException.VCRUNTIME140(?,?,?,?,?,?,?,?,?,000000013FAD599B), ref: 000000013FAD6CFA
Concurrency::details::_NonReentrantBlockingLock::_NonReentrantBlockingLock.LIBCMT ref: 000000013FAD6D08
_CxxThrowException.VCRUNTIME140(?,?,?,?,?,?,?,?,?,000000013FAD599B), ref: 000000013FAD6D18
Concurrency::details::_NonReentrantBlockingLock::_NonReentrantBlockingLock.LIBCMT ref: 000000013FAD6D26
_CxxThrowException.VCRUNTIME140(?,?,?,?,?,?,?,?,?,000000013FAD599B), ref: 000000013FAD6D36
Concurrency::details::_NonReentrantBlockingLock::_NonReentrantBlockingLock.LIBCMT ref: 000000013FAD6D44
_CxxThrowException.VCRUNTIME140(?,?,?,?,?,?,?,?,?,000000013FAD599B), ref: 000000013FAD6D54
Concurrency::details::_NonReentrantBlockingLock::_NonReentrantBlockingLock.LIBCMT ref: 000000013FAD6D62
_CxxThrowException.VCRUNTIME140(?,?,?,?,?,?,?,?,?,000000013FAD599B), ref: 000000013FAD6D72
Concurrency::details::_NonReentrantBlockingLock::_NonReentrantBlockingLock.LIBCMT ref: 000000013FAD6D80
_CxxThrowException.VCRUNTIME140(?,?,?,?,?,?,?,?,?,000000013FAD599B), ref: 000000013FAD6D90
Concurrency::details::_NonReentrantBlockingLock::_NonReentrantBlockingLock.LIBCMT ref: 000000013FAD6D9E
_CxxThrowException.VCRUNTIME140(?,?,?,?,?,?,?,?,?,000000013FAD599B), ref: 000000013FAD6DAE
Concurrency::details::_NonReentrantBlockingLock::_NonReentrantBlockingLock.LIBCMT ref: 000000013FAD6DBC
_CxxThrowException.VCRUNTIME140(?,?,?,?,?,?,?,?,?,000000013FAD599B), ref: 000000013FAD6DCC
Concurrency::details::_NonReentrantBlockingLock::_NonReentrantBlockingLock.LIBCMT ref: 000000013FAD6DDA
_CxxThrowException.VCRUNTIME140(?,?,?,?,?,?,?,?,?,000000013FAD599B), ref: 000000013FAD6DEA
Concurrency::details::_NonReentrantBlockingLock::_NonReentrantBlockingLock.LIBCMT ref: 000000013FAD6DF8
_CxxThrowException.VCRUNTIME140(?,?,?,?,?,?,?,?,?,000000013FAD599B), ref: 000000013FAD6E08
Concurrency::details::_NonReentrantBlockingLock::_NonReentrantBlockingLock.LIBCMT ref: 000000013FAD6E16
_CxxThrowException.VCRUNTIME140(?,?,?,?,?,?,?,?,?,000000013FAD599B), ref: 000000013FAD6E26
Concurrency::details::_NonReentrantBlockingLock::_NonReentrantBlockingLock.LIBCMT ref: 000000013FAD6E34
_CxxThrowException.VCRUNTIME140(?,?,?,?,?,?,?,?,?,000000013FAD599B), ref: 000000013FAD6E44
Concurrency::details::_NonReentrantBlockingLock::_NonReentrantBlockingLock.LIBCMT ref: 000000013FAD6E52
_CxxThrowException.VCRUNTIME140(?,?,?,?,?,?,?,?,?,000000013FAD599B), ref: 000000013FAD6E62

Part of subcall function 000000013FAD6A10: #200.OLEAUT32(?,?,?,?,?,?,?,?,?,000000013FAD6E6F), ref: 000000013FAD6A5C
Part of subcall function 000000013FAD6A10: #6.OLEAUT32(?,?,?,?,?,?,?,?,?,000000013FAD6E6F), ref: 000000013FAD6AEA

_CxxThrowException.VCRUNTIME140(?,?,?,?,?,?,?,?,?,000000013FAD599B), ref: 000000013FAD6E7A

Strings

W, xrefs: 000000013FAD6D3C

Memory Dump Source

Source File: 00000000.00000002.348466215.000000013FAD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FAD0000, based on PE: true

Associated: 00000000.00000002.348463662.000000013FAD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348469671.000000013FAE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348472323.000000013FAE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348474933.000000013FAEB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348477338.000000013FAEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13fad0000_AppInstallerPythonRedirector.jbxd

Similarity

API ID: BlockingReentrant$ExceptionThrow$Concurrency::details::_LockLock::_$#200
String ID: W
API String ID: 1998815002-655174618
Opcode ID: aab8fa341a756e808f215fdaca447f514306a16c8474f9f9162cc5d3d7d152de
Instruction ID: bef9c673be8b524c17e16187c394b8432d03fb49a95b803e1a6cb862118e17fa
Opcode Fuzzy Hash: aab8fa341a756e808f215fdaca447f514306a16c8474f9f9162cc5d3d7d152de
Instruction Fuzzy Hash: A7511A31E60A0696FF00BBA0D8A13DD3375AB64348FA0943DF50D175EADE69CB4783A0

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FADDC0B Relevance: 42.4, APIs: 21, Strings: 3, Instructions: 437memoryCOMMON

Download Yara Rule

APIs

_CxxThrowException.VCRUNTIME140 ref: 000000013FADDC7F
_Thrd_yield.MSVCP140 ref: 000000013FADDD10
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 000000013FADE28C

Part of subcall function 000000013FAD6C90: _CxxThrowException.VCRUNTIME140(?,?,?,?,?,?,?,?,?,000000013FAD599B), ref: 000000013FAD6CDC
Part of subcall function 000000013FAD6C90: Concurrency::details::_NonReentrantBlockingLock::_NonReentrantBlockingLock.LIBCMT ref: 000000013FAD6CEA
Part of subcall function 000000013FAD6C90: _CxxThrowException.VCRUNTIME140(?,?,?,?,?,?,?,?,?,000000013FAD599B), ref: 000000013FAD6CFA
Part of subcall function 000000013FAD6C90: Concurrency::details::_NonReentrantBlockingLock::_NonReentrantBlockingLock.LIBCMT ref: 000000013FAD6D08
Part of subcall function 000000013FAD6C90: _CxxThrowException.VCRUNTIME140(?,?,?,?,?,?,?,?,?,000000013FAD599B), ref: 000000013FAD6D18
Part of subcall function 000000013FAD6C90: Concurrency::details::_NonReentrantBlockingLock::_NonReentrantBlockingLock.LIBCMT ref: 000000013FAD6D26
Part of subcall function 000000013FAD6C90: _CxxThrowException.VCRUNTIME140(?,?,?,?,?,?,?,?,?,000000013FAD599B), ref: 000000013FAD6D36
Part of subcall function 000000013FAD6C90: Concurrency::details::_NonReentrantBlockingLock::_NonReentrantBlockingLock.LIBCMT ref: 000000013FAD6D44
Part of subcall function 000000013FAD6C90: _CxxThrowException.VCRUNTIME140(?,?,?,?,?,?,?,?,?,000000013FAD599B), ref: 000000013FAD6D54
Part of subcall function 000000013FAD6C90: Concurrency::details::_NonReentrantBlockingLock::_NonReentrantBlockingLock.LIBCMT ref: 000000013FAD6D62
Part of subcall function 000000013FAD6C90: _CxxThrowException.VCRUNTIME140(?,?,?,?,?,?,?,?,?,000000013FAD599B), ref: 000000013FAD6D72
Part of subcall function 000000013FAD6C90: Concurrency::details::_NonReentrantBlockingLock::_NonReentrantBlockingLock.LIBCMT ref: 000000013FAD6D80
Part of subcall function 000000013FAD6C90: _CxxThrowException.VCRUNTIME140(?,?,?,?,?,?,?,?,?,000000013FAD599B), ref: 000000013FAD6D90
Part of subcall function 000000013FAD6C90: Concurrency::details::_NonReentrantBlockingLock::_NonReentrantBlockingLock.LIBCMT ref: 000000013FAD6D9E
Part of subcall function 000000013FAD6C90: _CxxThrowException.VCRUNTIME140(?,?,?,?,?,?,?,?,?,000000013FAD599B), ref: 000000013FAD6DAE
Part of subcall function 000000013FAD6C90: Concurrency::details::_NonReentrantBlockingLock::_NonReentrantBlockingLock.LIBCMT ref: 000000013FAD6DBC
Part of subcall function 000000013FAD6C90: _CxxThrowException.VCRUNTIME140(?,?,?,?,?,?,?,?,?,000000013FAD599B), ref: 000000013FAD6DCC
Part of subcall function 000000013FAD6C90: Concurrency::details::_NonReentrantBlockingLock::_NonReentrantBlockingLock.LIBCMT ref: 000000013FAD6DDA
Part of subcall function 000000013FAD6C90: _CxxThrowException.VCRUNTIME140(?,?,?,?,?,?,?,?,?,000000013FAD599B), ref: 000000013FAD6DEA
Part of subcall function 000000013FAD6C90: Concurrency::details::_NonReentrantBlockingLock::_NonReentrantBlockingLock.LIBCMT ref: 000000013FAD6DF8
Part of subcall function 000000013FAD6C90: _CxxThrowException.VCRUNTIME140(?,?,?,?,?,?,?,?,?,000000013FAD599B), ref: 000000013FAD6E08
Part of subcall function 000000013FAD6C90: Concurrency::details::_NonReentrantBlockingLock::_NonReentrantBlockingLock.LIBCMT ref: 000000013FAD6E16
Part of subcall function 000000013FAD6C90: _CxxThrowException.VCRUNTIME140(?,?,?,?,?,?,?,?,?,000000013FAD599B), ref: 000000013FAD6E26

memcpy.VCRUNTIME140 ref: 000000013FADE09D
memset.VCRUNTIME140 ref: 000000013FADE0A6
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013FADE0AB
_invalid_parameter_noinfo.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013FADE0B7
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 000000013FADE0DB
HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 000000013FADE0E8
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013FADE0F3
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 000000013FADE122
HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 000000013FADE12F

Part of subcall function 000000013FAD6C90: Concurrency::details::_NonReentrantBlockingLock::_NonReentrantBlockingLock.LIBCMT ref: 000000013FAD6E34
Part of subcall function 000000013FAD6C90: _CxxThrowException.VCRUNTIME140(?,?,?,?,?,?,?,?,?,000000013FAD599B), ref: 000000013FAD6E44
Part of subcall function 000000013FAD6C90: Concurrency::details::_NonReentrantBlockingLock::_NonReentrantBlockingLock.LIBCMT ref: 000000013FAD6E52
Part of subcall function 000000013FAD6C90: _CxxThrowException.VCRUNTIME140(?,?,?,?,?,?,?,?,?,000000013FAD599B), ref: 000000013FAD6E62
Part of subcall function 000000013FAD6C90: _CxxThrowException.VCRUNTIME140(?,?,?,?,?,?,?,?,?,000000013FAD599B), ref: 000000013FAD6E7A

Part of subcall function 000000013FAD64D0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,000000013FAD6BC0,?,?,?,?,?,?,?,?), ref: 000000013FAD64F6

abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013FADE13A
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 000000013FADE1E8
HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 000000013FADE1F5
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013FADE200

Strings

Python final Store URI: %s, xrefs: 000000013FADE16C
Python fwlink Response Status Code: %d, xrefs: 000000013FADDDA2
Location, xrefs: 000000013FADDFCA

Memory Dump Source

Source File: 00000000.00000002.348466215.000000013FAD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FAD0000, based on PE: true

Associated: 00000000.00000002.348463662.000000013FAD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348469671.000000013FAE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348472323.000000013FAE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348474933.000000013FAEB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348477338.000000013FAEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13fad0000_AppInstallerPythonRedirector.jbxd

Similarity

API ID: BlockingReentrant$ExceptionThrow$Concurrency::details::_LockLock::_$Heap$Process$Freeabort$Thrd_yield_errno_invalid_parameter_noinfomemcpymemset
String ID: Location$Python final Store URI: %s$Python fwlink Response Status Code: %d
API String ID: 3404251189-3434260397
Opcode ID: 9eca222ebfd8e7dc94802ffe957f86b2215f2473641dd9ba2a6914d1df9be335
Instruction ID: 342c19b248fc6587ab866a3a3e1da36b4cca87fd5654b7edd2e8dded5a7b3260
Opcode Fuzzy Hash: 9eca222ebfd8e7dc94802ffe957f86b2215f2473641dd9ba2a6914d1df9be335
Instruction Fuzzy Hash: A7224636B00B8093EA59DF25D5A43D973A4F788B80F44452AEBAD837D5EF38D666C700

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FAD5130 Relevance: 27.2, APIs: 18, Instructions: 159COMMON

Download Yara Rule

APIs

#7.OLEAUT32 ref: 000000013FAD51B6
iswspace.API-MS-WIN-CRT-STRING-L1-1-0 ref: 000000013FAD51D3
memcpy.VCRUNTIME140 ref: 000000013FAD5211
memset.VCRUNTIME140 ref: 000000013FAD521A
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013FAD521F
_invalid_parameter_noinfo.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013FAD522B
#7.OLEAUT32 ref: 000000013FAD5237
iswspace.API-MS-WIN-CRT-STRING-L1-1-0 ref: 000000013FAD5253
#6.OLEAUT32 ref: 000000013FAD5275
#6.OLEAUT32 ref: 000000013FAD5287
#6.OLEAUT32 ref: 000000013FAD529D
memcpy.VCRUNTIME140 ref: 000000013FAD52CA
memset.VCRUNTIME140 ref: 000000013FAD52D3
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013FAD52D8
_invalid_parameter_noinfo.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013FAD52E4
#6.OLEAUT32 ref: 000000013FAD52F8
#6.OLEAUT32 ref: 000000013FAD530A
#6.OLEAUT32 ref: 000000013FAD531C

Memory Dump Source

Source File: 00000000.00000002.348466215.000000013FAD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FAD0000, based on PE: true

Associated: 00000000.00000002.348463662.000000013FAD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348469671.000000013FAE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348472323.000000013FAE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348474933.000000013FAEB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348477338.000000013FAEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13fad0000_AppInstallerPythonRedirector.jbxd

Similarity

API ID: _errno_invalid_parameter_noinfoiswspacememcpymemset
String ID:
API String ID: 909017697-0
Opcode ID: 22a44ee5a3788ba758ac3f7eceeae537b7fe89f68d86bde6ae4b11dd7b0f07f0
Instruction ID: eca3612c4e1207bc2bec3c60098acc3714e0511479bd597cfb365873032c6407
Opcode Fuzzy Hash: 22a44ee5a3788ba758ac3f7eceeae537b7fe89f68d86bde6ae4b11dd7b0f07f0
Instruction Fuzzy Hash: 5E514A36F116108AFB549FA299603ED33A4BB54B94F084539EE0E57AC9DF38C6468324

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FAD5430 Relevance: 26.5, APIs: 10, Strings: 5, Instructions: 276libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-1(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?,000000013FAD58A9), ref: 000000013FAD5499
GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?,000000013FAD58A9), ref: 000000013FAD54A8
LoadLibraryW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-1(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?,000000013FAD58A9), ref: 000000013FAD54E2
GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?,000000013FAD58A9), ref: 000000013FAD54F1

Strings

combase.dll, xrefs: 000000013FAD5492, 000000013FAD54DB
RoGetActivationFactory, xrefs: 000000013FAD54A1
CoIncrementMTAUsage, xrefs: 000000013FAD54EA
DllGetActivationFactory, xrefs: 000000013FAD56F5
.dll, xrefs: 000000013FAD564D

Memory Dump Source

Source File: 00000000.00000002.348466215.000000013FAD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FAD0000, based on PE: true

Associated: 00000000.00000002.348463662.000000013FAD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348469671.000000013FAE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348472323.000000013FAE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348474933.000000013FAEB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348477338.000000013FAEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13fad0000_AppInstallerPythonRedirector.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: .dll$CoIncrementMTAUsage$DllGetActivationFactory$RoGetActivationFactory$combase.dll
API String ID: 2574300362-2454113998
Opcode ID: 056476dbf31580c8d2e16b428b8d604d93d7274bbc43a287d6593937809309ae
Instruction ID: d865cc69d444a603608486af279d6fbb6bbf409c3abd6e5d07b8b491a7dcdd21
Opcode Fuzzy Hash: 056476dbf31580c8d2e16b428b8d604d93d7274bbc43a287d6593937809309ae
Instruction Fuzzy Hash: C5C16A72F10B408AFB10DFA5D8643EC37B5AB54B94F94452AEE1D577E8EB38C6868300

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FADAD00 Relevance: 26.5, APIs: 10, Strings: 5, Instructions: 246libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-1(?,?,?,?,?,?,?,00000000,?,?,?,?,?,?,000000013FADAAB9), ref: 000000013FADAD6C
GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(?,?,?,?,?,?,?,00000000,?,?,?,?,?,?,000000013FADAAB9), ref: 000000013FADAD7B
#200.OLEAUT32(?,?,?,?,?,?,?,00000000,?,?,?,?,?,?,000000013FADAAB9), ref: 000000013FADADA9
LoadLibraryW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-1(?,?,?,?,?,?,?,00000000), ref: 000000013FADAF6B
GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(?,?,?,?,?,?,?,00000000), ref: 000000013FADAFFF
FreeLibrary.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(?,?,?,?,?,?,?,00000000), ref: 000000013FADB00C

Strings

combase.dll, xrefs: 000000013FADAD65, 000000013FADADF3
RoGetActivationFactory, xrefs: 000000013FADAD74
CoIncrementMTAUsage, xrefs: 000000013FADAE02
DllGetActivationFactory, xrefs: 000000013FADAFF5
.dll, xrefs: 000000013FADAF4D

Memory Dump Source

Source File: 00000000.00000002.348466215.000000013FAD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FAD0000, based on PE: true

Associated: 00000000.00000002.348463662.000000013FAD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348469671.000000013FAE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348472323.000000013FAE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348474933.000000013FAEB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348477338.000000013FAEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13fad0000_AppInstallerPythonRedirector.jbxd

Similarity

API ID: Library$AddressLoadProc$#200Free
String ID: .dll$CoIncrementMTAUsage$DllGetActivationFactory$RoGetActivationFactory$combase.dll
API String ID: 1745672646-2454113998
Opcode ID: 4f4074350b89888db1d18728084815970943a18f7a6205ce631e712c72c68d36
Instruction ID: 79747569f2c5d62f3c505f3f184bd9a08d140773d4312ab77e3b953c7ed684dd
Opcode Fuzzy Hash: 4f4074350b89888db1d18728084815970943a18f7a6205ce631e712c72c68d36
Instruction Fuzzy Hash: A8A15B72B10B5096FB10DF65D8643EC33A5BB58B84F94413AEE1E677E9EF3886468310

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FAD43B0 Relevance: 26.4, APIs: 2, Strings: 13, Instructions: 151windowthreadCOMMON

Download Yara Rule

APIs

FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 000000013FAD448C
GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 000000013FAD450D

Part of subcall function 000000013FAD42F0: __stdio_common_vswprintf.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 000000013FAD4356

Strings

CallContext:[%hs] , xrefs: 000000013FAD4590
%hs!%p: , xrefs: 000000013FAD44D7
[%hs(%hs)], xrefs: 000000013FAD45B7
Exception, xrefs: 000000013FAD4457
LogHr, xrefs: 000000013FAD4445
FailFast, xrefs: 000000013FAD443C
%hs(%d) tid(%x) %08X %ws, xrefs: 000000013FAD452F
(caller: %p) , xrefs: 000000013FAD44F5
ReturnHr, xrefs: 000000013FAD444E
, xrefs: 000000013FAD455A
Msg:[%ws] , xrefs: 000000013FAD4575
%hs(%u)\%hs!%p: , xrefs: 000000013FAD44C1
[%hs], xrefs: 000000013FAD45D0

Memory Dump Source

Source File: 00000000.00000002.348466215.000000013FAD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FAD0000, based on PE: true

Associated: 00000000.00000002.348463662.000000013FAD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348469671.000000013FAE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348472323.000000013FAE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348474933.000000013FAEB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348477338.000000013FAEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13fad0000_AppInstallerPythonRedirector.jbxd

Similarity

API ID: CurrentFormatMessageThread__stdio_common_vswprintf
String ID: $%hs!%p: $%hs(%d) tid(%x) %08X %ws$%hs(%u)\%hs!%p: $(caller: %p) $CallContext:[%hs] $Exception$FailFast$LogHr$Msg:[%ws] $ReturnHr$[%hs(%hs)]$[%hs]
API String ID: 3751486987-3173542853
Opcode ID: cc8e9b6749c43a411b14fa79bc166aaccc3655fce448df5038464bf3274cbc8c
Instruction ID: a427a197e41066a0a36d6ae5e88d81497f9852da5194f2d4344995cfc775724c
Opcode Fuzzy Hash: cc8e9b6749c43a411b14fa79bc166aaccc3655fce448df5038464bf3274cbc8c
Instruction Fuzzy Hash: 1A617D75E01B4497EA68DF52A420BE9B3A4FB58B80F44413EEE4D43BD4DB39CB668700

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FAD16B0 Relevance: 24.2, APIs: 16, Instructions: 191COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140 ref: 000000013FAD16FB
??0?$basic_ios@_WU?$char_traits@_W@std@@@std@@IEAA@XZ.MSVCP140 ref: 000000013FAD1710
??0?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAA@PEAV?$basic_streambuf@_WU?$char_traits@_W@std@@@1@_N@Z.MSVCP140 ref: 000000013FAD172F
??0?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@IEAA@XZ.MSVCP140 ref: 000000013FAD176D
?_Init@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@IEAAXXZ.MSVCP140 ref: 000000013FAD178D
?_Fiopen@std@@YAPEAU_iobuf@@PEB_WHH@Z.MSVCP140 ref: 000000013FAD17C4
?_Init@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@IEAAXXZ.MSVCP140 ref: 000000013FAD17E3
?getloc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QEBA?AVlocale@2@XZ.MSVCP140 ref: 000000013FAD1806

Part of subcall function 000000013FAD3BF0: ??0_Lockit@std@@QEAA@H@Z.MSVCP140 ref: 000000013FAD3C1D
Part of subcall function 000000013FAD3BF0: ??Bid@locale@std@@QEAA_KXZ.MSVCP140 ref: 000000013FAD3C37
Part of subcall function 000000013FAD3BF0: ?_Getgloballocale@locale@std@@CAPEAV_Locimp@12@XZ.MSVCP140 ref: 000000013FAD3C70
Part of subcall function 000000013FAD3BF0: ?_Getcat@?$codecvt@_WDU_Mbstatet@@@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z.MSVCP140 ref: 000000013FAD3C9E
Part of subcall function 000000013FAD3BF0: std::_Facet_Register.LIBCPMT ref: 000000013FAD3CB7
Part of subcall function 000000013FAD3BF0: ??1_Lockit@std@@QEAA@XZ.MSVCP140 ref: 000000013FAD3CDD

?always_noconv@codecvt_base@std@@QEBA_NXZ.MSVCP140 ref: 000000013FAD181B
?_Init@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@IEAAXXZ.MSVCP140 ref: 000000013FAD1834
?clear@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QEAAXH_N@Z.MSVCP140 ref: 000000013FAD1884
?setstate@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QEAAXH_N@Z.MSVCP140 ref: 000000013FAD18A4
??1?$basic_ostream@_WU?$char_traits@_W@std@@@std@@UEAA@XZ.MSVCP140 ref: 000000013FAD1901
??1?$basic_ios@_WU?$char_traits@_W@std@@@std@@UEAA@XZ.MSVCP140 ref: 000000013FAD190B
_CxxThrowException.VCRUNTIME140 ref: 000000013FAD194B
??1?$basic_ostream@_WU?$char_traits@_W@std@@@std@@UEAA@XZ.MSVCP140 ref: 000000013FAD19AC

Memory Dump Source

Source File: 00000000.00000002.348466215.000000013FAD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FAD0000, based on PE: true

Associated: 00000000.00000002.348463662.000000013FAD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348469671.000000013FAE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348472323.000000013FAE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348474933.000000013FAEB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348477338.000000013FAEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13fad0000_AppInstallerPythonRedirector.jbxd

Similarity

API ID: U?$char_traits@_$W@std@@@std@@$Init@?$basic_streambuf@_$??1?$basic_ostream@_Lockit@std@@$??0?$basic_ios@_??0?$basic_ostream@_??0?$basic_streambuf@_??0_??1?$basic_ios@_??1_?always_noconv@codecvt_base@std@@?clear@?$basic_ios@_?getloc@?$basic_streambuf@_?setstate@?$basic_ios@_Bid@locale@std@@ExceptionFacet_Fiopen@std@@Getcat@?$codecvt@_Getgloballocale@locale@std@@Locimp@12@Mbstatet@@@std@@RegisterThrowU_iobuf@@V42@@V?$basic_streambuf@_Vfacet@locale@2@Vlocale@2@W@std@@@1@_memsetstd::_
String ID:
API String ID: 2183502873-0
Opcode ID: 09b94ce90acdd2bbbad19b1323d13e1050da3243f5bb4fc5fbfdb2c5daa65b21
Instruction ID: 2e328842a129fe9c6c05b30eea701c8db11fc9a89da651020f7f2c5013efd750
Opcode Fuzzy Hash: 09b94ce90acdd2bbbad19b1323d13e1050da3243f5bb4fc5fbfdb2c5daa65b21
Instruction Fuzzy Hash: 07910B32A05B4496EB10CF25E8943DD77B1F795B99F544039EA8D43BA8DF39CA4ACB00

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FADD4EA Relevance: 16.1, APIs: 7, Strings: 2, Instructions: 353memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 000000013FAD64D0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,000000013FAD6BC0,?,?,?,?,?,?,?,?), ref: 000000013FAD64F6

_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013FADD50D
_invalid_parameter_noinfo.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013FADD519

Part of subcall function 000000013FADAA50: InterlockedPushEntrySList.API-MS-WIN-CORE-INTERLOCKED-L1-1-0 ref: 000000013FADAB3A

GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 000000013FADD9E3
HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 000000013FADD9F0
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013FADD83D

Part of subcall function 000000013FAD6C90: _CxxThrowException.VCRUNTIME140(?,?,?,?,?,?,?,?,?,000000013FAD599B), ref: 000000013FAD6CDC
Part of subcall function 000000013FAD6C90: Concurrency::details::_NonReentrantBlockingLock::_NonReentrantBlockingLock.LIBCMT ref: 000000013FAD6CEA
Part of subcall function 000000013FAD6C90: _CxxThrowException.VCRUNTIME140(?,?,?,?,?,?,?,?,?,000000013FAD599B), ref: 000000013FAD6CFA
Part of subcall function 000000013FAD6C90: Concurrency::details::_NonReentrantBlockingLock::_NonReentrantBlockingLock.LIBCMT ref: 000000013FAD6D08
Part of subcall function 000000013FAD6C90: _CxxThrowException.VCRUNTIME140(?,?,?,?,?,?,?,?,?,000000013FAD599B), ref: 000000013FAD6D18
Part of subcall function 000000013FAD6C90: Concurrency::details::_NonReentrantBlockingLock::_NonReentrantBlockingLock.LIBCMT ref: 000000013FAD6D26
Part of subcall function 000000013FAD6C90: _CxxThrowException.VCRUNTIME140(?,?,?,?,?,?,?,?,?,000000013FAD599B), ref: 000000013FAD6D36
Part of subcall function 000000013FAD6C90: Concurrency::details::_NonReentrantBlockingLock::_NonReentrantBlockingLock.LIBCMT ref: 000000013FAD6D44
Part of subcall function 000000013FAD6C90: _CxxThrowException.VCRUNTIME140(?,?,?,?,?,?,?,?,?,000000013FAD599B), ref: 000000013FAD6D54
Part of subcall function 000000013FAD6C90: Concurrency::details::_NonReentrantBlockingLock::_NonReentrantBlockingLock.LIBCMT ref: 000000013FAD6D62
Part of subcall function 000000013FAD6C90: _CxxThrowException.VCRUNTIME140(?,?,?,?,?,?,?,?,?,000000013FAD599B), ref: 000000013FAD6D72
Part of subcall function 000000013FAD6C90: Concurrency::details::_NonReentrantBlockingLock::_NonReentrantBlockingLock.LIBCMT ref: 000000013FAD6D80
Part of subcall function 000000013FAD6C90: _CxxThrowException.VCRUNTIME140(?,?,?,?,?,?,?,?,?,000000013FAD599B), ref: 000000013FAD6D90
Part of subcall function 000000013FAD6C90: Concurrency::details::_NonReentrantBlockingLock::_NonReentrantBlockingLock.LIBCMT ref: 000000013FAD6D9E
Part of subcall function 000000013FAD6C90: _CxxThrowException.VCRUNTIME140(?,?,?,?,?,?,?,?,?,000000013FAD599B), ref: 000000013FAD6DAE
Part of subcall function 000000013FAD6C90: Concurrency::details::_NonReentrantBlockingLock::_NonReentrantBlockingLock.LIBCMT ref: 000000013FAD6DBC
Part of subcall function 000000013FAD6C90: _CxxThrowException.VCRUNTIME140(?,?,?,?,?,?,?,?,?,000000013FAD599B), ref: 000000013FAD6DCC
Part of subcall function 000000013FAD6C90: Concurrency::details::_NonReentrantBlockingLock::_NonReentrantBlockingLock.LIBCMT ref: 000000013FAD6DDA
Part of subcall function 000000013FAD6C90: _CxxThrowException.VCRUNTIME140(?,?,?,?,?,?,?,?,?,000000013FAD599B), ref: 000000013FAD6DEA
Part of subcall function 000000013FAD6C90: Concurrency::details::_NonReentrantBlockingLock::_NonReentrantBlockingLock.LIBCMT ref: 000000013FAD6DF8
Part of subcall function 000000013FAD6C90: _CxxThrowException.VCRUNTIME140(?,?,?,?,?,?,?,?,?,000000013FAD599B), ref: 000000013FAD6E08
Part of subcall function 000000013FAD6C90: Concurrency::details::_NonReentrantBlockingLock::_NonReentrantBlockingLock.LIBCMT ref: 000000013FAD6E16
Part of subcall function 000000013FAD6C90: _CxxThrowException.VCRUNTIME140(?,?,?,?,?,?,?,?,?,000000013FAD599B), ref: 000000013FAD6E26

Part of subcall function 000000013FADA890: InterlockedPushEntrySList.API-MS-WIN-CORE-INTERLOCKED-L1-1-0 ref: 000000013FADA98B

Part of subcall function 000000013FADA6D0: InterlockedPushEntrySList.API-MS-WIN-CORE-INTERLOCKED-L1-1-0 ref: 000000013FADA7CB

_CxxThrowException.VCRUNTIME140 ref: 000000013FADDAA2

Part of subcall function 000000013FAD6C90: Concurrency::details::_NonReentrantBlockingLock::_NonReentrantBlockingLock.LIBCMT ref: 000000013FAD6E34
Part of subcall function 000000013FAD6C90: _CxxThrowException.VCRUNTIME140(?,?,?,?,?,?,?,?,?,000000013FAD599B), ref: 000000013FAD6E44
Part of subcall function 000000013FAD6C90: Concurrency::details::_NonReentrantBlockingLock::_NonReentrantBlockingLock.LIBCMT ref: 000000013FAD6E52
Part of subcall function 000000013FAD6C90: _CxxThrowException.VCRUNTIME140(?,?,?,?,?,?,?,?,?,000000013FAD599B), ref: 000000013FAD6E62
Part of subcall function 000000013FAD6C90: _CxxThrowException.VCRUNTIME140(?,?,?,?,?,?,?,?,?,000000013FAD599B), ref: 000000013FAD6E7A

Strings

Python fwlink Request URI: %s, xrefs: 000000013FADD99D
https://go.microsoft.com/fwlink?linkID=2082640, xrefs: 000000013FADD855

Memory Dump Source

Source File: 00000000.00000002.348466215.000000013FAD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FAD0000, based on PE: true

Associated: 00000000.00000002.348463662.000000013FAD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348469671.000000013FAE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348472323.000000013FAE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348474933.000000013FAEB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348477338.000000013FAEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13fad0000_AppInstallerPythonRedirector.jbxd

Similarity

API ID: BlockingReentrant$ExceptionThrow$Concurrency::details::_LockLock::_$EntryHeapInterlockedListPush$Process$Free_errno_invalid_parameter_noinfoabort
String ID: Python fwlink Request URI: %s$https://go.microsoft.com/fwlink?linkID=2082640
API String ID: 3717153275-583019223
Opcode ID: 1fc67943e3076d5f47bf91003a86f9a4cb8f1bc3b780c7af87f633d1c6c51089
Instruction ID: cce1a9414633a3a269600f70405cbf6b7a5c0e21f110061c5afdf91f54bf84b5
Opcode Fuzzy Hash: 1fc67943e3076d5f47bf91003a86f9a4cb8f1bc3b780c7af87f633d1c6c51089
Instruction Fuzzy Hash: DE123936A01B84D7EB598F25E9503D973B4F758B84F40412ADB5D83BA1EF38E2A6C340

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FAD2610 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 182COMMON

Download Yara Rule

APIs

GetCurrentProcessId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 000000013FAD2681
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013FAD2700
OutputDebugStringW.API-MS-WIN-CORE-DEBUG-L1-1-0 ref: 000000013FAD2714
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013FAD2795
CoTaskMemFree.API-MS-WIN-CORE-COM-L1-1-0 ref: 000000013FAD27C0
CoTaskMemFree.API-MS-WIN-CORE-COM-L1-1-0 ref: 000000013FAD27CF

Strings

[%s]{%id} %s, xrefs: 000000013FAD26AE

Memory Dump Source

Source File: 00000000.00000002.348466215.000000013FAD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FAD0000, based on PE: true

Associated: 00000000.00000002.348463662.000000013FAD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348469671.000000013FAE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348472323.000000013FAE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348474933.000000013FAEB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348477338.000000013FAEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13fad0000_AppInstallerPythonRedirector.jbxd

Similarity

API ID: FreeTask_invalid_parameter_noinfo_noreturn$CurrentDebugOutputProcessString
String ID: [%s]{%id} %s
API String ID: 3191231080-2140529298
Opcode ID: c39910baeec43891f3422e972e77629a5012b50d97327c0debc316dc7a1b426a
Instruction ID: 20326815cb6cef3e2ae3a1eeff7b93f9015038eb0215ea61518659fe460086c3
Opcode Fuzzy Hash: c39910baeec43891f3422e972e77629a5012b50d97327c0debc316dc7a1b426a
Instruction Fuzzy Hash: 1C61A372F1078483EA109F25E8683DD73A1F795B90F505239EA9D47AE5EF78D286C340

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FAD64D0 Relevance: 15.1, APIs: 10, Instructions: 126memorywindowCOMMON

Download Yara Rule

APIs

GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,000000013FAD6BC0,?,?,?,?,?,?,?,?), ref: 000000013FAD64F6
_CxxThrowException.VCRUNTIME140(?,?,?,?,?,?,?,000000013FAD6BC0,?,?,?,?,?,?,?,?), ref: 000000013FAD6558
_CxxThrowException.VCRUNTIME140(?,?,?,?,?,?,?,000000013FAD6BC0,?,?,?,?,?,?,?,?), ref: 000000013FAD6574
FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 000000013FAD65CE
iswspace.API-MS-WIN-CRT-STRING-L1-1-0 ref: 000000013FAD65EA
memcpy.VCRUNTIME140 ref: 000000013FAD6622
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 000000013FAD664F
HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 000000013FAD665C

Memory Dump Source

Source File: 00000000.00000002.348466215.000000013FAD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FAD0000, based on PE: true

Associated: 00000000.00000002.348463662.000000013FAD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348469671.000000013FAE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348472323.000000013FAE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348474933.000000013FAEB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348477338.000000013FAEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13fad0000_AppInstallerPythonRedirector.jbxd

Similarity

API ID: Heap$ExceptionProcessThrow$FormatFreeMessageiswspacememcpy
String ID:
API String ID: 3181153401-0
Opcode ID: 60dfad19fbc10b1b35d1bc9550e1e4b44ba02a3fd2024f9eba379ed961bb30cc
Instruction ID: 17f0471ab397d81eefe387b00c78502c54c686ecdbd45d1992b913224417caf2
Opcode Fuzzy Hash: 60dfad19fbc10b1b35d1bc9550e1e4b44ba02a3fd2024f9eba379ed961bb30cc
Instruction Fuzzy Hash: CA418F32A0474483EB14EF25E4603D976A4FB98B94F54413DEA5D47BE9EE38C6038B00

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FAD72A0 Relevance: 13.6, APIs: 9, Instructions: 134memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 000000013FAD733C
HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 000000013FAD7349
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 000000013FAD73C3
HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 000000013FAD73D0
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013FAD73EA
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013FAD73F5
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 000000013FAD7423
HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 000000013FAD7430
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013FAD745D

Memory Dump Source

Source File: 00000000.00000002.348466215.000000013FAD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FAD0000, based on PE: true

Associated: 00000000.00000002.348463662.000000013FAD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348469671.000000013FAE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348472323.000000013FAE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348474933.000000013FAEB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348477338.000000013FAEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13fad0000_AppInstallerPythonRedirector.jbxd

Similarity

API ID: Heap$FreeProcessabort
String ID:
API String ID: 1597918624-0
Opcode ID: ae335e98506095168ea88267b63e1a72fa600dca8a94823e8b78082e2e1d81de
Instruction ID: 0c296d890ba1fb4a65dfca57a12577c01f66790e34bb0aed6919ce9a91e3d149
Opcode Fuzzy Hash: ae335e98506095168ea88267b63e1a72fa600dca8a94823e8b78082e2e1d81de
Instruction Fuzzy Hash: 4D518B32A04B8483EB299F25A860399B7A8F795B95F58403DFF8D837D5DF38C6428740

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FADCAEC Relevance: 13.6, APIs: 9, Instructions: 102COMMON

Download Yara Rule

APIs

__scrt_initialize_crt.LIBCMT ref: 000000013FADCB00
__scrt_acquire_startup_lock.LIBCMT ref: 000000013FADCB15
__scrt_release_startup_lock.LIBCMT ref: 000000013FADCB83
_register_thread_local_exe_atexit_callback.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013FADCBD1
_get_initial_wide_environment.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013FADCBD6
__p___wargv.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013FADCBDE
__p___argc.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013FADCBE6
_cexit.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013FADCC08
_exit.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013FADCC62

Memory Dump Source

Source File: 00000000.00000002.348466215.000000013FAD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FAD0000, based on PE: true

Associated: 00000000.00000002.348463662.000000013FAD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348469671.000000013FAE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348472323.000000013FAE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348474933.000000013FAEB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348477338.000000013FAEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13fad0000_AppInstallerPythonRedirector.jbxd

Similarity

API ID: __p___argc__p___wargv__scrt_acquire_startup_lock__scrt_initialize_crt__scrt_release_startup_lock_cexit_exit_get_initial_wide_environment_register_thread_local_exe_atexit_callback
String ID:
API String ID: 1184979102-0
Opcode ID: b7d513678c03e0d34edb09e37032bd93b50f611ec7447b860d7d41711acd3282
Instruction ID: 6ff5db5f89d778b06bd5ea9dd763955643be3d8b9a5752bff31613e0f1268618
Opcode Fuzzy Hash: b7d513678c03e0d34edb09e37032bd93b50f611ec7447b860d7d41711acd3282
Instruction Fuzzy Hash: AF315731E0169183FA14BB64E9353E973A1AB96784F84543DBA4E4B2E7DE68CB07C341

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FADB170 Relevance: 13.6, APIs: 9, Instructions: 74memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 000000013FADB1AC
HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 000000013FADB1BA
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 000000013FADB1DB
HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 000000013FADB1EA
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013FADB20C
_invalid_parameter_noinfo.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013FADB218
memcpy.VCRUNTIME140 ref: 000000013FADB226
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 000000013FADB244
HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 000000013FADB252

Memory Dump Source

Source File: 00000000.00000002.348466215.000000013FAD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FAD0000, based on PE: true

Associated: 00000000.00000002.348463662.000000013FAD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348469671.000000013FAE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348472323.000000013FAE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348474933.000000013FAEB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348477338.000000013FAEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13fad0000_AppInstallerPythonRedirector.jbxd

Similarity

API ID: Heap$Process$Free$Alloc_errno_invalid_parameter_noinfomemcpy
String ID:
API String ID: 3188122928-0
Opcode ID: d264d51b63b8e06f21560bdb06b225ecadf62572b901f04673315e42ad0491b3
Instruction ID: 45d276e12dd188b123f47a8a9eaeb78a4c44cf5131d3a4563a957cad7dc017bb
Opcode Fuzzy Hash: d264d51b63b8e06f21560bdb06b225ecadf62572b901f04673315e42ad0491b3
Instruction Fuzzy Hash: 40314932A01B4086EB54DF56E9643AD73E0FB99B90F188528EF5E477E5DF38C6528700

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FAD39F0 Relevance: 12.2, APIs: 8, Instructions: 150memoryCOMMON

Download Yara Rule

APIs

__stdio_common_vswprintf.API-MS-WIN-CRT-STDIO-L1-1-0(?,00000000,?,?,?,?,?,000000013FAD2674), ref: 000000013FAD3A33
CoTaskMemAlloc.API-MS-WIN-CORE-COM-L1-1-0(?,00000000,?,?,?,?,?,000000013FAD2674), ref: 000000013FAD3A5D
__stdio_common_vswprintf.API-MS-WIN-CRT-STDIO-L1-1-0(?,00000000,?,?,?,?,?,000000013FAD2674), ref: 000000013FAD3ABE
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,00000000,?,?,?,?,?,000000013FAD2674), ref: 000000013FAD3B21
CoTaskMemFree.API-MS-WIN-CORE-COM-L1-1-0(?,00000000,?,?,?,?,?,000000013FAD2674), ref: 000000013FAD3B2C
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,00000000,?,?,?,?,?,000000013FAD2674), ref: 000000013FAD3B35
CoTaskMemFree.API-MS-WIN-CORE-COM-L1-1-0(?,00000000,?,?,?,?,?,000000013FAD2674), ref: 000000013FAD3B73

Memory Dump Source

Source File: 00000000.00000002.348466215.000000013FAD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FAD0000, based on PE: true

Associated: 00000000.00000002.348463662.000000013FAD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348469671.000000013FAE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348472323.000000013FAE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348474933.000000013FAEB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348477338.000000013FAEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13fad0000_AppInstallerPythonRedirector.jbxd

Similarity

API ID: Task$ErrorFreeLast__stdio_common_vswprintf$Alloc
String ID:
API String ID: 2452254462-0
Opcode ID: f3909d0291a23d2626125d494710183db8519eab5c1474e9d1a93f0d48b4156f
Instruction ID: 428dfa112050f78ad9bdc1eb91caa954ae1f592b3d5d88226d583cff3f8deccd
Opcode Fuzzy Hash: f3909d0291a23d2626125d494710183db8519eab5c1474e9d1a93f0d48b4156f
Instruction Fuzzy Hash: D4519332B05B4082E7219F15E82439AB794FB99BA4F544239EEAD477E4DF39C643C704

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FADE7EC Relevance: 10.7, APIs: 3, Strings: 3, Instructions: 203COMMON

Download Yara Rule

APIs

Part of subcall function 000000013FAD5130: #7.OLEAUT32 ref: 000000013FAD51B6
Part of subcall function 000000013FAD5130: iswspace.API-MS-WIN-CRT-STRING-L1-1-0 ref: 000000013FAD51D3
Part of subcall function 000000013FAD5130: #6.OLEAUT32 ref: 000000013FAD5275
Part of subcall function 000000013FAD5130: #6.OLEAUT32 ref: 000000013FAD5287
Part of subcall function 000000013FAD5130: #6.OLEAUT32 ref: 000000013FAD529D

memmove.VCRUNTIME140 ref: 000000013FADE958
OutputDebugStringW.API-MS-WIN-CORE-DEBUG-L1-1-0 ref: 000000013FADEA0E
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013FADEA1E

Part of subcall function 000000013FAD5A60: memcpy.VCRUNTIME140(?,?,00000000,?,00000000,00000000,000000013FAD5D46,?,?,?,?,?,000000013FAD565D), ref: 000000013FAD5B91
Part of subcall function 000000013FAD5A60: memcpy.VCRUNTIME140(?,?,00000000,?,00000000,00000000,000000013FAD5D46,?,?,?,?,?,000000013FAD565D), ref: 000000013FAD5B9F

Part of subcall function 000000013FAD6C90: _CxxThrowException.VCRUNTIME140(?,?,?,?,?,?,?,?,?,000000013FAD599B), ref: 000000013FAD6CDC
Part of subcall function 000000013FAD6C90: Concurrency::details::_NonReentrantBlockingLock::_NonReentrantBlockingLock.LIBCMT ref: 000000013FAD6CEA
Part of subcall function 000000013FAD6C90: _CxxThrowException.VCRUNTIME140(?,?,?,?,?,?,?,?,?,000000013FAD599B), ref: 000000013FAD6CFA
Part of subcall function 000000013FAD6C90: Concurrency::details::_NonReentrantBlockingLock::_NonReentrantBlockingLock.LIBCMT ref: 000000013FAD6D08
Part of subcall function 000000013FAD6C90: _CxxThrowException.VCRUNTIME140(?,?,?,?,?,?,?,?,?,000000013FAD599B), ref: 000000013FAD6D18
Part of subcall function 000000013FAD6C90: Concurrency::details::_NonReentrantBlockingLock::_NonReentrantBlockingLock.LIBCMT ref: 000000013FAD6D26
Part of subcall function 000000013FAD6C90: _CxxThrowException.VCRUNTIME140(?,?,?,?,?,?,?,?,?,000000013FAD599B), ref: 000000013FAD6D36
Part of subcall function 000000013FAD6C90: Concurrency::details::_NonReentrantBlockingLock::_NonReentrantBlockingLock.LIBCMT ref: 000000013FAD6D44
Part of subcall function 000000013FAD6C90: _CxxThrowException.VCRUNTIME140(?,?,?,?,?,?,?,?,?,000000013FAD599B), ref: 000000013FAD6D54
Part of subcall function 000000013FAD6C90: Concurrency::details::_NonReentrantBlockingLock::_NonReentrantBlockingLock.LIBCMT ref: 000000013FAD6D62
Part of subcall function 000000013FAD6C90: _CxxThrowException.VCRUNTIME140(?,?,?,?,?,?,?,?,?,000000013FAD599B), ref: 000000013FAD6D72
Part of subcall function 000000013FAD6C90: Concurrency::details::_NonReentrantBlockingLock::_NonReentrantBlockingLock.LIBCMT ref: 000000013FAD6D80
Part of subcall function 000000013FAD6C90: _CxxThrowException.VCRUNTIME140(?,?,?,?,?,?,?,?,?,000000013FAD599B), ref: 000000013FAD6D90
Part of subcall function 000000013FAD6C90: Concurrency::details::_NonReentrantBlockingLock::_NonReentrantBlockingLock.LIBCMT ref: 000000013FAD6D9E
Part of subcall function 000000013FAD6C90: _CxxThrowException.VCRUNTIME140(?,?,?,?,?,?,?,?,?,000000013FAD599B), ref: 000000013FAD6DAE
Part of subcall function 000000013FAD6C90: Concurrency::details::_NonReentrantBlockingLock::_NonReentrantBlockingLock.LIBCMT ref: 000000013FAD6DBC
Part of subcall function 000000013FAD6C90: _CxxThrowException.VCRUNTIME140(?,?,?,?,?,?,?,?,?,000000013FAD599B), ref: 000000013FAD6DCC
Part of subcall function 000000013FAD6C90: Concurrency::details::_NonReentrantBlockingLock::_NonReentrantBlockingLock.LIBCMT ref: 000000013FAD6DDA
Part of subcall function 000000013FAD6C90: _CxxThrowException.VCRUNTIME140(?,?,?,?,?,?,?,?,?,000000013FAD599B), ref: 000000013FAD6DEA
Part of subcall function 000000013FAD6C90: Concurrency::details::_NonReentrantBlockingLock::_NonReentrantBlockingLock.LIBCMT ref: 000000013FAD6DF8
Part of subcall function 000000013FAD6C90: _CxxThrowException.VCRUNTIME140(?,?,?,?,?,?,?,?,?,000000013FAD599B), ref: 000000013FAD6E08
Part of subcall function 000000013FAD6C90: Concurrency::details::_NonReentrantBlockingLock::_NonReentrantBlockingLock.LIBCMT ref: 000000013FAD6E16
Part of subcall function 000000013FAD6C90: _CxxThrowException.VCRUNTIME140(?,?,?,?,?,?,?,?,?,000000013FAD599B), ref: 000000013FAD6E26

Strings

+, xrefs: 000000013FADEA2F
] Retrieving application storage data failed with error: , xrefs: 000000013FADE8AB
Microsoft.DesktopAppInstaller_8wekyb3d8bbwe, xrefs: 000000013FADEA39

Memory Dump Source

Source File: 00000000.00000002.348466215.000000013FAD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FAD0000, based on PE: true

Associated: 00000000.00000002.348463662.000000013FAD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348469671.000000013FAE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348472323.000000013FAE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348474933.000000013FAEB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348477338.000000013FAEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13fad0000_AppInstallerPythonRedirector.jbxd

Similarity

API ID: BlockingReentrant$ExceptionThrow$Concurrency::details::_LockLock::_$memcpy$DebugOutputStringabortiswspacememmove
String ID: +$Microsoft.DesktopAppInstaller_8wekyb3d8bbwe$] Retrieving application storage data failed with error:
API String ID: 3950540674-2082096487
Opcode ID: 69f447c8c0a9b6c7dc3cd1726c4cede65935a6da93088a9dc68e78f42fc0708e
Instruction ID: f2c0f69ab2700935212193b42d77133b6b2df4036df76ed402c5ce314f2ad71d
Opcode Fuzzy Hash: 69f447c8c0a9b6c7dc3cd1726c4cede65935a6da93088a9dc68e78f42fc0708e
Instruction Fuzzy Hash: A9A13D72A11BC59AEB20EF34D8A43DD3360F755788F90512AEA0D47AA9DF74D78AC340

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FAD3EF0 Relevance: 10.7, APIs: 7, Instructions: 197COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(?,?,?,FFFFFFFF,00000007,000000013FAD39A2), ref: 000000013FAD3FFF
memcpy.VCRUNTIME140(?,?,?,FFFFFFFF,00000007,000000013FAD39A2), ref: 000000013FAD400D
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,FFFFFFFF,00000007,000000013FAD39A2), ref: 000000013FAD4048
memcpy.VCRUNTIME140(?,?,?,FFFFFFFF,00000007,000000013FAD39A2), ref: 000000013FAD404F
memcpy.VCRUNTIME140(?,?,?,FFFFFFFF,00000007,000000013FAD39A2), ref: 000000013FAD405D
Concurrency::cancel_current_task.LIBCPMT ref: 000000013FAD4086
memcpy.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,?,000000013FAD1B6F), ref: 000000013FAD4187

Memory Dump Source

Source File: 00000000.00000002.348466215.000000013FAD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FAD0000, based on PE: true

Associated: 00000000.00000002.348463662.000000013FAD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348469671.000000013FAE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348472323.000000013FAE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348474933.000000013FAEB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348477338.000000013FAEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13fad0000_AppInstallerPythonRedirector.jbxd

Similarity

API ID: memcpy$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 1775671525-0
Opcode ID: ed3572d1baba6e8f6b2cbe439c71bf748d41e44b2710898ee9fd38bad44f7621
Instruction ID: 281b77c1150406e63d9adaaede478ccfd54f2852e87c7c704e6ac596d6465c67
Opcode Fuzzy Hash: ed3572d1baba6e8f6b2cbe439c71bf748d41e44b2710898ee9fd38bad44f7621
Instruction Fuzzy Hash: D6719172B0178482EE149B16E5543E9B3A5A748BF0F880B39AE7D077E5DE7CD6828304

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FAD5A60 Relevance: 10.7, APIs: 7, Instructions: 175COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(?,?,00000000,?,00000000,00000000,000000013FAD5D46,?,?,?,?,?,000000013FAD565D), ref: 000000013FAD5B91
memcpy.VCRUNTIME140(?,?,00000000,?,00000000,00000000,000000013FAD5D46,?,?,?,?,?,000000013FAD565D), ref: 000000013FAD5B9F
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,00000000,?,00000000,00000000,000000013FAD5D46,?,?,?,?,?,000000013FAD565D), ref: 000000013FAD5BE0
memcpy.VCRUNTIME140(?,?,00000000,?,00000000,00000000,000000013FAD5D46,?,?,?,?,?,000000013FAD565D), ref: 000000013FAD5BEA
memcpy.VCRUNTIME140(?,?,00000000,?,00000000,00000000,000000013FAD5D46,?,?,?,?,?,000000013FAD565D), ref: 000000013FAD5BF8

Part of subcall function 000000013FADC5DC: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,000000013FAD6F70,?,?,?,?,000000013FAD101D), ref: 000000013FADC5F6

Concurrency::cancel_current_task.LIBCPMT ref: 000000013FAD5C2E
memmove.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,00000000,000000013FAD5D46), ref: 000000013FAD5C81

Memory Dump Source

Source File: 00000000.00000002.348466215.000000013FAD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FAD0000, based on PE: true

Associated: 00000000.00000002.348463662.000000013FAD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348469671.000000013FAE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348472323.000000013FAE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348474933.000000013FAEB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348477338.000000013FAEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13fad0000_AppInstallerPythonRedirector.jbxd

Similarity

API ID: memcpy$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturnmallocmemmove
String ID:
API String ID: 3070920775-0
Opcode ID: 87d623c8cb8aa16600f2cf8eda478ec466ac17e0194010284ae65cc13b06c746
Instruction ID: c6c94d84758148fdf5b4cce95f6b5e83e9ec241b97c5efa69b045b437e15367d
Opcode Fuzzy Hash: 87d623c8cb8aa16600f2cf8eda478ec466ac17e0194010284ae65cc13b06c746
Instruction Fuzzy Hash: 5051EE76B11B8486EA149B16E5643E9B361F748FE0F940B29EE6D07BD5EF38C252C300

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FAD93B0 Relevance: 10.6, APIs: 7, Instructions: 139COMMON

Download Yara Rule

APIs

?flush@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV12@XZ.MSVCP140 ref: 000000013FAD944B
?sputc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QEAAG_W@Z.MSVCP140 ref: 000000013FAD94A6
?sputn@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QEAA_JPEB_W_J@Z.MSVCP140 ref: 000000013FAD94D0
?sputc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QEAAG_W@Z.MSVCP140 ref: 000000013FAD94F6
?setstate@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QEAAXH_N@Z.MSVCP140 ref: 000000013FAD953D
?uncaught_exception@std@@YA_NXZ.MSVCP140 ref: 000000013FAD9544
?_Osfx@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAXXZ.MSVCP140 ref: 000000013FAD9551

Memory Dump Source

Source File: 00000000.00000002.348466215.000000013FAD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FAD0000, based on PE: true

Associated: 00000000.00000002.348463662.000000013FAD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348469671.000000013FAE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348472323.000000013FAE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348474933.000000013FAEB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348477338.000000013FAEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13fad0000_AppInstallerPythonRedirector.jbxd

Similarity

API ID: U?$char_traits@_W@std@@@std@@$?sputc@?$basic_streambuf@_$?flush@?$basic_ostream@_?setstate@?$basic_ios@_?sputn@?$basic_streambuf@_?uncaught_exception@std@@Osfx@?$basic_ostream@_V12@
String ID:
API String ID: 4072499529-0
Opcode ID: 187fe77ed1386ffa6713cb6c017368c9de3d06abe0ae7896b4387a06f26c740a
Instruction ID: e115fa066dbf974d7e8eedef2f1e317598f29127e46c11ae66296de9b7cdc915
Opcode Fuzzy Hash: 187fe77ed1386ffa6713cb6c017368c9de3d06abe0ae7896b4387a06f26c740a
Instruction Fuzzy Hash: FD516376A05A4482EB208F1AE594369B7A0F788F95F15C529DF5E437E1CB39C647C300

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FAD3D10 Relevance: 10.6, APIs: 7, Instructions: 135COMMON

Download Yara Rule

APIs

?flush@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV12@XZ.MSVCP140 ref: 000000013FAD3D9C
?sputc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QEAAG_W@Z.MSVCP140 ref: 000000013FAD3DF6
?sputn@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QEAA_JPEB_W_J@Z.MSVCP140 ref: 000000013FAD3E24
?sputc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QEAAG_W@Z.MSVCP140 ref: 000000013FAD3E46
?setstate@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QEAAXH_N@Z.MSVCP140 ref: 000000013FAD3E8D
?uncaught_exception@std@@YA_NXZ.MSVCP140 ref: 000000013FAD3E94
?_Osfx@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAXXZ.MSVCP140 ref: 000000013FAD3EA1

Memory Dump Source

Source File: 00000000.00000002.348466215.000000013FAD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FAD0000, based on PE: true

Associated: 00000000.00000002.348463662.000000013FAD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348469671.000000013FAE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348472323.000000013FAE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348474933.000000013FAEB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348477338.000000013FAEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13fad0000_AppInstallerPythonRedirector.jbxd

Similarity

API ID: U?$char_traits@_W@std@@@std@@$?sputc@?$basic_streambuf@_$?flush@?$basic_ostream@_?setstate@?$basic_ios@_?sputn@?$basic_streambuf@_?uncaught_exception@std@@Osfx@?$basic_ostream@_V12@
String ID:
API String ID: 4072499529-0
Opcode ID: 7af7209eafcedb6db326ab0b3de9164063774959af141b6a2addf5fc8fa45fab
Instruction ID: 7bfbea5b4ea74b013d71d97b1865ea737ee199c1f0d4d13f27c41c7f5975e694
Opcode Fuzzy Hash: 7af7209eafcedb6db326ab0b3de9164063774959af141b6a2addf5fc8fa45fab
Instruction Fuzzy Hash: 5E512032A05B4082EB208F5AE594369B7A1FB95F85F15843ADE4E437E4CF79CA47C740

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FAD81C0 Relevance: 10.6, APIs: 7, Instructions: 99COMMON

Download Yara Rule

APIs

AcquireSRWLockExclusive.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 000000013FAD81F1
ReleaseSRWLockExclusive.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 000000013FAD82E6

Part of subcall function 000000013FAD68E0: LoadLibraryW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-1(?,?,?,?,?,?,?,000000013FAD6C0A,?,?,?,?,?,?,?,?), ref: 000000013FAD6919
Part of subcall function 000000013FAD68E0: GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(?,?,?,?,?,?,?,000000013FAD6C0A,?,?,?,?,?,?,?,?), ref: 000000013FAD6928
Part of subcall function 000000013FAD68E0: #200.OLEAUT32(?,?,?,?,?,?,?,000000013FAD6C0A,?,?,?,?,?,?,?,?), ref: 000000013FAD695E

?__ExceptionPtrCreate@@YAXPEAX@Z.MSVCP140 ref: 000000013FAD824F
?__ExceptionPtrCopyException@@YAXPEAXPEBX1@Z.MSVCP140 ref: 000000013FAD8266
#6.OLEAUT32 ref: 000000013FAD8287
?__ExceptionPtrAssign@@YAXPEAXPEBX@Z.MSVCP140 ref: 000000013FAD82A6
?__ExceptionPtrDestroy@@YAXPEAX@Z.MSVCP140 ref: 000000013FAD82B1

Memory Dump Source

Source File: 00000000.00000002.348466215.000000013FAD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FAD0000, based on PE: true

Associated: 00000000.00000002.348463662.000000013FAD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348469671.000000013FAE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348472323.000000013FAE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348474933.000000013FAEB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348477338.000000013FAEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13fad0000_AppInstallerPythonRedirector.jbxd

Similarity

API ID: Exception$ExclusiveLock$#200AcquireAddressAssign@@CopyCreate@@Destroy@@Exception@@LibraryLoadProcRelease
String ID:
API String ID: 2506070101-0
Opcode ID: aadf6e7260f66b712a403ae715238f50de7d690da631747b85ee4b93f5c3743e
Instruction ID: efced6911c9025629a4764300d80ae8bfddd14ecd656216fbea670ee5d9992e9
Opcode Fuzzy Hash: aadf6e7260f66b712a403ae715238f50de7d690da631747b85ee4b93f5c3743e
Instruction Fuzzy Hash: 8B415136605B4487EB64DF10E66039E73A4F798B84F984529EB8D43BA8DF3CCA46C740

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FAD3BF0 Relevance: 10.6, APIs: 7, Instructions: 74COMMON

Download Yara Rule

APIs

??0_Lockit@std@@QEAA@H@Z.MSVCP140 ref: 000000013FAD3C1D
??Bid@locale@std@@QEAA_KXZ.MSVCP140 ref: 000000013FAD3C37
?_Getgloballocale@locale@std@@CAPEAV_Locimp@12@XZ.MSVCP140 ref: 000000013FAD3C70
?_Getcat@?$codecvt@_WDU_Mbstatet@@@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z.MSVCP140 ref: 000000013FAD3C9E
std::_Facet_Register.LIBCPMT ref: 000000013FAD3CB7
??1_Lockit@std@@QEAA@XZ.MSVCP140 ref: 000000013FAD3CDD
Concurrency::cancel_current_task.LIBCPMT ref: 000000013FAD3D08

Memory Dump Source

Source File: 00000000.00000002.348466215.000000013FAD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FAD0000, based on PE: true

Associated: 00000000.00000002.348463662.000000013FAD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348469671.000000013FAE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348472323.000000013FAE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348474933.000000013FAEB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348477338.000000013FAEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13fad0000_AppInstallerPythonRedirector.jbxd

Similarity

API ID: Lockit@std@@$??0_??1_Bid@locale@std@@Concurrency::cancel_current_taskFacet_Getcat@?$codecvt@_Getgloballocale@locale@std@@Locimp@12@Mbstatet@@@std@@RegisterV42@@Vfacet@locale@2@std::_
String ID:
API String ID: 929128910-0
Opcode ID: 5c37568f28bf62b6514e65e66d0d000a532cc62ff25605341f49d75ce17406f8
Instruction ID: 31a95662c99b80891292f23be381364b95fe5fff04bfb908fe26eb7f6d5a4d7f
Opcode Fuzzy Hash: 5c37568f28bf62b6514e65e66d0d000a532cc62ff25605341f49d75ce17406f8
Instruction Fuzzy Hash: DA315032A04B4482EA649F16E8503D973A0F798FD4F480639EB9D477A9DF3CC656C700

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FAD2D90 Relevance: 9.2, APIs: 6, Instructions: 178COMMON

Download Yara Rule

APIs

fgetwc.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 000000013FAD2E47

Memory Dump Source

Source File: 00000000.00000002.348466215.000000013FAD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FAD0000, based on PE: true

Associated: 00000000.00000002.348463662.000000013FAD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348469671.000000013FAE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348472323.000000013FAE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348474933.000000013FAEB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348477338.000000013FAEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13fad0000_AppInstallerPythonRedirector.jbxd

Similarity

API ID: fgetwc
String ID:
API String ID: 2948136663-0
Opcode ID: 26be7e255fd59defd178a420233cf6237572351d1ed841f93790ec775256202e
Instruction ID: 5a477306371e6af83990144b161f03af062fcf396b7c1535523ecd0fbd51ebca
Opcode Fuzzy Hash: 26be7e255fd59defd178a420233cf6237572351d1ed841f93790ec775256202e
Instruction Fuzzy Hash: 99814636B10A409AEB10CFA5D4A03EC37B1F748B58F94592AEE5D53B98DF34C696C350

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FAD5350 Relevance: 9.1, APIs: 6, Instructions: 61COMMON

Download Yara Rule

APIs

Part of subcall function 000000013FAD64D0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,000000013FAD6BC0,?,?,?,?,?,?,?,?), ref: 000000013FAD64F6

memcpy.VCRUNTIME140 ref: 000000013FAD53C8
memset.VCRUNTIME140 ref: 000000013FAD53D1
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013FAD53D6
_invalid_parameter_noinfo.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013FAD53E2
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013FAD53F1
_invalid_parameter_noinfo.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013FAD53FD

Memory Dump Source

Source File: 00000000.00000002.348466215.000000013FAD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FAD0000, based on PE: true

Associated: 00000000.00000002.348463662.000000013FAD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348469671.000000013FAE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348472323.000000013FAE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348474933.000000013FAEB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348477338.000000013FAEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13fad0000_AppInstallerPythonRedirector.jbxd

Similarity

API ID: _errno_invalid_parameter_noinfo$HeapProcessmemcpymemset
String ID:
API String ID: 2323437529-0
Opcode ID: 6836dc5a64d9a0b53f22ec3b16fda24155f98cffd2959f21ff3fa33a3ba1f3d3
Instruction ID: c61f7245660a5bfd04f3e419b77d5e7752c6c5636cf0440bf3957f4b129c9e9a
Opcode Fuzzy Hash: 6836dc5a64d9a0b53f22ec3b16fda24155f98cffd2959f21ff3fa33a3ba1f3d3
Instruction Fuzzy Hash: 72216836A04B50CBEB149F16A5603ADB7A0FBA4F90F584439EE5D03B95CB78C6528710

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FAD68E0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 75libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-1(?,?,?,?,?,?,?,000000013FAD6C0A,?,?,?,?,?,?,?,?), ref: 000000013FAD6919
GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(?,?,?,?,?,?,?,000000013FAD6C0A,?,?,?,?,?,?,?,?), ref: 000000013FAD6928
#200.OLEAUT32(?,?,?,?,?,?,?,000000013FAD6C0A,?,?,?,?,?,?,?,?), ref: 000000013FAD695E

Strings

combase.dll, xrefs: 000000013FAD6912
RoOriginateLanguageException, xrefs: 000000013FAD6921

Memory Dump Source

Source File: 00000000.00000002.348466215.000000013FAD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FAD0000, based on PE: true

Associated: 00000000.00000002.348463662.000000013FAD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348469671.000000013FAE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348472323.000000013FAE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348474933.000000013FAEB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348477338.000000013FAEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13fad0000_AppInstallerPythonRedirector.jbxd

Similarity

API ID: #200AddressLibraryLoadProc
String ID: RoOriginateLanguageException$combase.dll
API String ID: 423797293-3996158991
Opcode ID: 7b26c48a2c63d0bfd60989e5da788a29ec016f8ce133f7a7665e0c184c05d36a
Instruction ID: fa08ad92719c17d392077534c947377ef6d1da121284a765b0138628d839628b
Opcode Fuzzy Hash: 7b26c48a2c63d0bfd60989e5da788a29ec016f8ce133f7a7665e0c184c05d36a
Instruction Fuzzy Hash: 0D314035B15B4482EA509F15E4A079A73A4FB98B84F84553AFA8E47BA9DF3CC202C700

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FAD4D40 Relevance: 7.6, APIs: 5, Instructions: 118COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(?,?,?,?,000000013FAD2ECA), ref: 000000013FAD4E26
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,000000013FAD2ECA), ref: 000000013FAD4E66
memcpy.VCRUNTIME140(?,?,?,?,000000013FAD2ECA), ref: 000000013FAD4E70
Concurrency::cancel_current_task.LIBCPMT ref: 000000013FAD4EA3
CoTaskMemFree.API-MS-WIN-CORE-COM-L1-1-0 ref: 000000013FAD4EBC

Memory Dump Source

Source File: 00000000.00000002.348466215.000000013FAD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FAD0000, based on PE: true

Associated: 00000000.00000002.348463662.000000013FAD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348469671.000000013FAE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348472323.000000013FAE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348474933.000000013FAEB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348477338.000000013FAEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13fad0000_AppInstallerPythonRedirector.jbxd

Similarity

API ID: memcpy$Concurrency::cancel_current_taskFreeTask_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 2898125277-0
Opcode ID: f103ea3f2c06d271dbcd05e21d1245714f375f2bcc8a349c47848772106f5cca
Instruction ID: c18402aadd2e5b045ac8f5e6bdf1c0d931c9c610014636f89017ab681a5585e2
Opcode Fuzzy Hash: f103ea3f2c06d271dbcd05e21d1245714f375f2bcc8a349c47848772106f5cca
Instruction Fuzzy Hash: BB41F232B05784A6FE149F26E4647D9B791E748BD0F984A39AF6D077CADF38D2528300

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FAD84F0 Relevance: 7.6, APIs: 5, Instructions: 80COMMON

Download Yara Rule

APIs

AcquireSRWLockExclusive.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 000000013FAD851A
ReleaseSRWLockExclusive.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 000000013FAD8535
_CxxThrowException.VCRUNTIME140 ref: 000000013FAD8574
AcquireSRWLockExclusive.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 000000013FAD85B5
ReleaseSRWLockExclusive.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 000000013FAD85E5

Memory Dump Source

Source File: 00000000.00000002.348466215.000000013FAD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FAD0000, based on PE: true

Associated: 00000000.00000002.348463662.000000013FAD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348469671.000000013FAE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348472323.000000013FAE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348474933.000000013FAEB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348477338.000000013FAEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13fad0000_AppInstallerPythonRedirector.jbxd

Similarity

API ID: ExclusiveLock$AcquireRelease$ExceptionThrow
String ID:
API String ID: 602545018-0
Opcode ID: b8f8cf3f062fc40b25aa728694ce0bdb250adbe1553e5257aa4ec7c614edf252
Instruction ID: eaccddd8c8c7aa7302e808063377a4d396956247b692728dc63cefcb6f2252da
Opcode Fuzzy Hash: b8f8cf3f062fc40b25aa728694ce0bdb250adbe1553e5257aa4ec7c614edf252
Instruction Fuzzy Hash: 24213C32714B4492EB54DF21E660399B364F788B84F588035EE8D93B99DF38C663C700

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FADBE60 Relevance: 7.6, APIs: 5, Instructions: 56memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 000000013FADBEA5
HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 000000013FADBEB3
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 000000013FADBEE3
HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 000000013FADBEF1
__std_exception_destroy.VCRUNTIME140 ref: 000000013FADBF13

Memory Dump Source

Source File: 00000000.00000002.348466215.000000013FAD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FAD0000, based on PE: true

Associated: 00000000.00000002.348463662.000000013FAD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348469671.000000013FAE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348472323.000000013FAE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348474933.000000013FAEB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348477338.000000013FAEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13fad0000_AppInstallerPythonRedirector.jbxd

Similarity

API ID: Heap$FreeProcess$__std_exception_destroy
String ID:
API String ID: 107506009-0
Opcode ID: 84e9403e6d65d63d55b0c696ba2409da3d8cb8f516d6b916d13d98f5b0243cc7
Instruction ID: 9a67d2645bd8041b7bbd1da75d14faf305487d638f672289f84a1215e99551db
Opcode Fuzzy Hash: 84e9403e6d65d63d55b0c696ba2409da3d8cb8f516d6b916d13d98f5b0243cc7
Instruction Fuzzy Hash: 48216532B05B8083EB888F26E550399B3A5F789B90F184138DF5D57BA4CF38D566C700

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FADF34B Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 77COMMON

Download Yara Rule

APIs

MultiByteToWideChar.API-MS-WIN-CORE-STRING-L1-1-0 ref: 000000013FADF3A7
#6.OLEAUT32 ref: 000000013FADF455

Part of subcall function 000000013FAD64D0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,000000013FAD6BC0,?,?,?,?,?,?,?,?), ref: 000000013FAD64F6

MultiByteToWideChar.API-MS-WIN-CORE-STRING-L1-1-0 ref: 000000013FADF3E1

Part of subcall function 000000013FAD66A0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 000000013FAD66C4
Part of subcall function 000000013FAD66A0: HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 000000013FAD66D1

Strings

W, xrefs: 000000013FADF40A

Memory Dump Source

Source File: 00000000.00000002.348466215.000000013FAD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FAD0000, based on PE: true

Associated: 00000000.00000002.348463662.000000013FAD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348469671.000000013FAE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348472323.000000013FAE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348474933.000000013FAEB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348477338.000000013FAEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13fad0000_AppInstallerPythonRedirector.jbxd

Similarity

API ID: Heap$ByteCharMultiProcessWide$Free
String ID: W
API String ID: 2450846010-655174618
Opcode ID: 8a3bbb60dbfe68a57a56f232ffac05ea42dd9637a6c4adaa300a3f7fd0fdc5ca
Instruction ID: 9c4b40caf0f083676fa39958ebb8499eb66a4a610dce04f4b48c06c1f0c5413b
Opcode Fuzzy Hash: 8a3bbb60dbfe68a57a56f232ffac05ea42dd9637a6c4adaa300a3f7fd0fdc5ca
Instruction Fuzzy Hash: CA31B672600A848AE714EF25D8603EA7B90F7847A8F144238FA1E47BD9DF35C642C340

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FADF0EC Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 37libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-1 ref: 000000013FADF118
GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 000000013FADF127

Strings

combase.dll, xrefs: 000000013FADF111
RoTransformError, xrefs: 000000013FADF120

Memory Dump Source

Source File: 00000000.00000002.348466215.000000013FAD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FAD0000, based on PE: true

Associated: 00000000.00000002.348463662.000000013FAD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348469671.000000013FAE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348472323.000000013FAE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348474933.000000013FAEB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348477338.000000013FAEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13fad0000_AppInstallerPythonRedirector.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RoTransformError$combase.dll
API String ID: 2574300362-573582502
Opcode ID: 78e125cc571689ebcbcf8c57560caa77403630f998167701c51f339b3d2a5f36
Instruction ID: 7f8c3b75da99a545686f157220d456d4e6916721f01ac1e55d6608766917834a
Opcode Fuzzy Hash: 78e125cc571689ebcbcf8c57560caa77403630f998167701c51f339b3d2a5f36
Instruction Fuzzy Hash: 9D01A271B0174092FA159B19E8F43E532A5AB64780F98053DB94D073F5EB2C8B838600

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FADB430 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 23libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 000000013FADB44F
GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 000000013FADB45F

Strings

kernelbase.dll, xrefs: 000000013FADB445
RaiseFailFastException, xrefs: 000000013FADB458

Memory Dump Source

Source File: 00000000.00000002.348466215.000000013FAD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FAD0000, based on PE: true

Associated: 00000000.00000002.348463662.000000013FAD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348469671.000000013FAE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348472323.000000013FAE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348474933.000000013FAEB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348477338.000000013FAEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13fad0000_AppInstallerPythonRedirector.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: RaiseFailFastException$kernelbase.dll
API String ID: 1646373207-919018592
Opcode ID: a5c09a597bd7429ea1764acadafb63a95e53af90842b864f6a22c5b7c1857d30
Instruction ID: b9211276942dcdab4bd50602d7a4eabac9b9d2a81e0610b471f8ae158dfe3807
Opcode Fuzzy Hash: a5c09a597bd7429ea1764acadafb63a95e53af90842b864f6a22c5b7c1857d30
Instruction Fuzzy Hash: A0F03031B1475182EA048F03F994799B7A0BB58FC0F485179ED4D07B68DF2CC682C740

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FAD9CC0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 14libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-1(?,?,?,?,000000013FAD9D2B,?,?,?,000000013FAD9029), ref: 000000013FAD9CD5
GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(?,?,?,?,000000013FAD9D2B,?,?,?,000000013FAD9029), ref: 000000013FAD9CE4

Strings

combase.dll, xrefs: 000000013FAD9CCE
RoFailFastWithErrorContext, xrefs: 000000013FAD9CDD

Memory Dump Source

Source File: 00000000.00000002.348466215.000000013FAD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FAD0000, based on PE: true

Associated: 00000000.00000002.348463662.000000013FAD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348469671.000000013FAE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348472323.000000013FAE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348474933.000000013FAEB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348477338.000000013FAEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13fad0000_AppInstallerPythonRedirector.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RoFailFastWithErrorContext$combase.dll
API String ID: 2574300362-2782301107
Opcode ID: be78c640b75c8f7186211671416750e83c4dd661fcac90cae89f7e765939b219
Instruction ID: c5c48c5d4caf6d80c32e4d850bf32045b9835758979b9ed43da4ecf5303dc032
Opcode Fuzzy Hash: be78c640b75c8f7186211671416750e83c4dd661fcac90cae89f7e765939b219
Instruction Fuzzy Hash: 69E04274E06B4196FA15AF51ECA13E532A0AB68354FC0153EA44D476E5EF2CC7578700

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FAD3810 Relevance: 6.1, APIs: 4, Instructions: 143COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140(?,?,?,000000013FAD1B6F), ref: 000000013FAD3870
memcpy.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,?,000000013FAD1B6F), ref: 000000013FAD4187
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,000000013FAD1B6F), ref: 000000013FAD41F5
Concurrency::cancel_current_task.LIBCPMT ref: 000000013FAD4202

Memory Dump Source

Source File: 00000000.00000002.348466215.000000013FAD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FAD0000, based on PE: true

Associated: 00000000.00000002.348463662.000000013FAD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348469671.000000013FAE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348472323.000000013FAE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348474933.000000013FAEB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348477338.000000013FAEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13fad0000_AppInstallerPythonRedirector.jbxd

Similarity

API ID: Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturnmemcpymemmove
String ID:
API String ID: 1427643678-0
Opcode ID: 8e7e6c07b6a6b828746a5aba9a6833bba2a24eabc2f2d9f53b31b6879a617688
Instruction ID: 4a4f1beeee3a107cd23cd38b7c801c2b5be101e1a9913749439bd937e8d349b2
Opcode Fuzzy Hash: 8e7e6c07b6a6b828746a5aba9a6833bba2a24eabc2f2d9f53b31b6879a617688
Instruction Fuzzy Hash: FA51A372B0278482EA14DF15E9547E9B3A5E754BE0F544739BE3D077E5DA28D2928300

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FAD8740 Relevance: 6.1, APIs: 4, Instructions: 136threadCOMMON

Download Yara Rule

APIs

CoGetObjectContext.API-MS-WIN-CORE-COM-L1-1-0(?,?,?,?,?,?,00000000,000000013FAD7588), ref: 000000013FAD87A8
TrySubmitThreadpoolCallback.API-MS-WIN-CORE-THREADPOOL-L1-2-0(?,?,?,?,?,?,00000000,000000013FAD7588), ref: 000000013FAD88BE

Memory Dump Source

Source File: 00000000.00000002.348466215.000000013FAD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FAD0000, based on PE: true

Associated: 00000000.00000002.348463662.000000013FAD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348469671.000000013FAE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348472323.000000013FAE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348474933.000000013FAEB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348477338.000000013FAEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13fad0000_AppInstallerPythonRedirector.jbxd

Similarity

API ID: CallbackContextObjectSubmitThreadpool
String ID:
API String ID: 266140992-0
Opcode ID: cdee487354f67443d8fc2f293876f255da70b9ad9ad5e63af41f8dc7a30609bc
Instruction ID: 70ad5e1e6c3c857194a39f9d63401a4011f0ffc93015a6d3037dcbb443157ff1
Opcode Fuzzy Hash: cdee487354f67443d8fc2f293876f255da70b9ad9ad5e63af41f8dc7a30609bc
Instruction Fuzzy Hash: 4D517032A15B4483EA649B15E6603DE73A4FB84BC4F584139FA8E43BE9DF38D652C740

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FAD7D00 Relevance: 6.1, APIs: 4, Instructions: 133synchronizationCOMMON

Download Yara Rule

APIs

CreateEventW.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 000000013FAD7DA9
WaitForSingleObject.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 000000013FAD7E2D

Part of subcall function 000000013FAD6C90: _CxxThrowException.VCRUNTIME140(?,?,?,?,?,?,?,?,?,000000013FAD599B), ref: 000000013FAD6CDC
Part of subcall function 000000013FAD6C90: Concurrency::details::_NonReentrantBlockingLock::_NonReentrantBlockingLock.LIBCMT ref: 000000013FAD6CEA
Part of subcall function 000000013FAD6C90: _CxxThrowException.VCRUNTIME140(?,?,?,?,?,?,?,?,?,000000013FAD599B), ref: 000000013FAD6CFA
Part of subcall function 000000013FAD6C90: Concurrency::details::_NonReentrantBlockingLock::_NonReentrantBlockingLock.LIBCMT ref: 000000013FAD6D08
Part of subcall function 000000013FAD6C90: _CxxThrowException.VCRUNTIME140(?,?,?,?,?,?,?,?,?,000000013FAD599B), ref: 000000013FAD6D18
Part of subcall function 000000013FAD6C90: Concurrency::details::_NonReentrantBlockingLock::_NonReentrantBlockingLock.LIBCMT ref: 000000013FAD6D26
Part of subcall function 000000013FAD6C90: _CxxThrowException.VCRUNTIME140(?,?,?,?,?,?,?,?,?,000000013FAD599B), ref: 000000013FAD6D36
Part of subcall function 000000013FAD6C90: Concurrency::details::_NonReentrantBlockingLock::_NonReentrantBlockingLock.LIBCMT ref: 000000013FAD6D44
Part of subcall function 000000013FAD6C90: _CxxThrowException.VCRUNTIME140(?,?,?,?,?,?,?,?,?,000000013FAD599B), ref: 000000013FAD6D54
Part of subcall function 000000013FAD6C90: Concurrency::details::_NonReentrantBlockingLock::_NonReentrantBlockingLock.LIBCMT ref: 000000013FAD6D62
Part of subcall function 000000013FAD6C90: _CxxThrowException.VCRUNTIME140(?,?,?,?,?,?,?,?,?,000000013FAD599B), ref: 000000013FAD6D72
Part of subcall function 000000013FAD6C90: Concurrency::details::_NonReentrantBlockingLock::_NonReentrantBlockingLock.LIBCMT ref: 000000013FAD6D80
Part of subcall function 000000013FAD6C90: _CxxThrowException.VCRUNTIME140(?,?,?,?,?,?,?,?,?,000000013FAD599B), ref: 000000013FAD6D90
Part of subcall function 000000013FAD6C90: Concurrency::details::_NonReentrantBlockingLock::_NonReentrantBlockingLock.LIBCMT ref: 000000013FAD6D9E
Part of subcall function 000000013FAD6C90: _CxxThrowException.VCRUNTIME140(?,?,?,?,?,?,?,?,?,000000013FAD599B), ref: 000000013FAD6DAE
Part of subcall function 000000013FAD6C90: Concurrency::details::_NonReentrantBlockingLock::_NonReentrantBlockingLock.LIBCMT ref: 000000013FAD6DBC
Part of subcall function 000000013FAD6C90: _CxxThrowException.VCRUNTIME140(?,?,?,?,?,?,?,?,?,000000013FAD599B), ref: 000000013FAD6DCC
Part of subcall function 000000013FAD6C90: Concurrency::details::_NonReentrantBlockingLock::_NonReentrantBlockingLock.LIBCMT ref: 000000013FAD6DDA
Part of subcall function 000000013FAD6C90: _CxxThrowException.VCRUNTIME140(?,?,?,?,?,?,?,?,?,000000013FAD599B), ref: 000000013FAD6DEA
Part of subcall function 000000013FAD6C90: Concurrency::details::_NonReentrantBlockingLock::_NonReentrantBlockingLock.LIBCMT ref: 000000013FAD6DF8
Part of subcall function 000000013FAD6C90: _CxxThrowException.VCRUNTIME140(?,?,?,?,?,?,?,?,?,000000013FAD599B), ref: 000000013FAD6E08
Part of subcall function 000000013FAD6C90: Concurrency::details::_NonReentrantBlockingLock::_NonReentrantBlockingLock.LIBCMT ref: 000000013FAD6E16
Part of subcall function 000000013FAD6C90: _CxxThrowException.VCRUNTIME140(?,?,?,?,?,?,?,?,?,000000013FAD599B), ref: 000000013FAD6E26

Part of subcall function 000000013FAD6C90: Concurrency::details::_NonReentrantBlockingLock::_NonReentrantBlockingLock.LIBCMT ref: 000000013FAD6E34
Part of subcall function 000000013FAD6C90: _CxxThrowException.VCRUNTIME140(?,?,?,?,?,?,?,?,?,000000013FAD599B), ref: 000000013FAD6E44
Part of subcall function 000000013FAD6C90: Concurrency::details::_NonReentrantBlockingLock::_NonReentrantBlockingLock.LIBCMT ref: 000000013FAD6E52
Part of subcall function 000000013FAD6C90: _CxxThrowException.VCRUNTIME140(?,?,?,?,?,?,?,?,?,000000013FAD599B), ref: 000000013FAD6E62
Part of subcall function 000000013FAD6C90: _CxxThrowException.VCRUNTIME140(?,?,?,?,?,?,?,?,?,000000013FAD599B), ref: 000000013FAD6E7A

_CxxThrowException.VCRUNTIME140 ref: 000000013FAD7ECA
CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0 ref: 000000013FAD7EE1

Memory Dump Source

Source File: 00000000.00000002.348466215.000000013FAD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FAD0000, based on PE: true

Associated: 00000000.00000002.348463662.000000013FAD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348469671.000000013FAE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348472323.000000013FAE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348474933.000000013FAEB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348477338.000000013FAEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13fad0000_AppInstallerPythonRedirector.jbxd

Similarity

API ID: BlockingReentrant$ExceptionThrow$Concurrency::details::_LockLock::_$CloseCreateEventHandleObjectSingleWait
String ID:
API String ID: 3459269677-0
Opcode ID: 47079fbeabe9e5f7f3bb7d3a70522a923c1bd0a9fcfcc11b61dd799aae788a1e
Instruction ID: f19aaf82976ec02b1a83c0f313ce47ad42a7f759ec622ac2d7da9bd2afd812cd
Opcode Fuzzy Hash: 47079fbeabe9e5f7f3bb7d3a70522a923c1bd0a9fcfcc11b61dd799aae788a1e
Instruction Fuzzy Hash: A9517B32A14B4487EB14DF25E46039977A4F788B84F54413AEA8D437A5DF38D652CB40

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FAD5D50 Relevance: 6.1, APIs: 4, Instructions: 127COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(?,?,?,00000000,?,00000000,000000013FAD564D), ref: 000000013FAD5E5E
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,00000000,?,00000000,000000013FAD564D), ref: 000000013FAD5EB1
memcpy.VCRUNTIME140(?,?,?,00000000,?,00000000,000000013FAD564D), ref: 000000013FAD5EBB
Concurrency::cancel_current_task.LIBCPMT ref: 000000013FAD5F04

Memory Dump Source

Source File: 00000000.00000002.348466215.000000013FAD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FAD0000, based on PE: true

Associated: 00000000.00000002.348463662.000000013FAD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348469671.000000013FAE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348472323.000000013FAE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348474933.000000013FAEB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348477338.000000013FAEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13fad0000_AppInstallerPythonRedirector.jbxd

Similarity

API ID: memcpy$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 1775671525-0
Opcode ID: 4cce100ca421bee33c305a623da8798426b9235ebea911c7d5a8d06e022e0440
Instruction ID: 1f28083c25e1f24a7a52fb87328cca184e383dd21f3a361c64c90b9aded60038
Opcode Fuzzy Hash: 4cce100ca421bee33c305a623da8798426b9235ebea911c7d5a8d06e022e0440
Instruction Fuzzy Hash: CB41B231B01A5456EE14EB15E22439D7291B748FE4F940729AE7D07BE4DE78C242C300

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FADC020 Relevance: 6.1, APIs: 4, Instructions: 115COMMON

Download Yara Rule

APIs

_CxxThrowException.VCRUNTIME140 ref: 000000013FADC05C
_CxxThrowException.VCRUNTIME140 ref: 000000013FADC078
_CxxThrowException.VCRUNTIME140 ref: 000000013FADC0A0
__std_exception_copy.VCRUNTIME140 ref: 000000013FADC0D8

Memory Dump Source

Source File: 00000000.00000002.348466215.000000013FAD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FAD0000, based on PE: true

Associated: 00000000.00000002.348463662.000000013FAD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348469671.000000013FAE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348472323.000000013FAE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348474933.000000013FAEB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348477338.000000013FAEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13fad0000_AppInstallerPythonRedirector.jbxd

Similarity

API ID: ExceptionThrow$__std_exception_copy
String ID:
API String ID: 174860668-0
Opcode ID: 3ac4fff9b3b632a8a520936401893a7b83c3b55cbe217eaf572a2a28854c1252
Instruction ID: 6d52c91b017402b896fa7fe03426b00602d0fef2229fc6936253d188546973a6
Opcode Fuzzy Hash: 3ac4fff9b3b632a8a520936401893a7b83c3b55cbe217eaf572a2a28854c1252
Instruction Fuzzy Hash: 87412832A14BC492E7098F35D9513A973A5FBA8748F58D2399F8C47666EF34E2E5C300

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FAD3470 Relevance: 6.1, APIs: 4, Instructions: 114COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140(?,?,00000000,000000013FAD2570), ref: 000000013FAD34CF
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,00000000,000000013FAD2570), ref: 000000013FAD3557
memcpy.VCRUNTIME140(?,?,00000000,000000013FAD2570), ref: 000000013FAD3584
Concurrency::cancel_current_task.LIBCPMT ref: 000000013FAD35A0

Part of subcall function 000000013FADC5DC: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,000000013FAD6F70,?,?,?,?,000000013FAD101D), ref: 000000013FADC5F6

Memory Dump Source

Source File: 00000000.00000002.348466215.000000013FAD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FAD0000, based on PE: true

Associated: 00000000.00000002.348463662.000000013FAD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348469671.000000013FAE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348472323.000000013FAE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348474933.000000013FAEB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348477338.000000013FAEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13fad0000_AppInstallerPythonRedirector.jbxd

Similarity

API ID: Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturnmallocmemcpymemmove
String ID:
API String ID: 966911907-0
Opcode ID: b4040cb8c897e552615c90f7e112ddfb6deba80149133c43ac79d6b67071d54c
Instruction ID: 68de9b53f101cf9ecd89d92c465068b8d0a6d4c9c08cf7022d8a6a30c3633004
Opcode Fuzzy Hash: b4040cb8c897e552615c90f7e112ddfb6deba80149133c43ac79d6b67071d54c
Instruction Fuzzy Hash: 75310672F01B4446EE58EB1AA5603E93255AB44FF0F544738AA3D03BD5EE78C6D38340

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FAD31C0 Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

?_Pninc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@IEAAPEA_WXZ.MSVCP140 ref: 000000013FAD3210

Memory Dump Source

Source File: 00000000.00000002.348466215.000000013FAD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FAD0000, based on PE: true

Associated: 00000000.00000002.348463662.000000013FAD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348469671.000000013FAE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348472323.000000013FAE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348474933.000000013FAEB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348477338.000000013FAEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13fad0000_AppInstallerPythonRedirector.jbxd

Similarity

API ID: Pninc@?$basic_streambuf@_U?$char_traits@_W@std@@@std@@
String ID:
API String ID: 2830299734-0
Opcode ID: 892cd87427cc7af600065aef31b0ee6b91c063e2fc17bc249e2c01ed729ce323
Instruction ID: 8b78207148f7cf1be45c2e534ef83940cd0800081684a91730a7daad42f2c7eb
Opcode Fuzzy Hash: 892cd87427cc7af600065aef31b0ee6b91c063e2fc17bc249e2c01ed729ce323
Instruction Fuzzy Hash: 66418177A05B8086EB50CF65E0503EA73A4F794B84F944036EB8D47798EF78C64AC710

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FADDB33 Relevance: 6.1, APIs: 4, Instructions: 79memoryCOMMON

Download Yara Rule

APIs

_Thrd_yield.MSVCP140 ref: 000000013FADDB70
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 000000013FADDBE7
HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 000000013FADDBF4
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013FADDBFF

Memory Dump Source

Source File: 00000000.00000002.348466215.000000013FAD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FAD0000, based on PE: true

Associated: 00000000.00000002.348463662.000000013FAD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348469671.000000013FAE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348472323.000000013FAE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348474933.000000013FAEB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348477338.000000013FAEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13fad0000_AppInstallerPythonRedirector.jbxd

Similarity

API ID: Heap$FreeProcessThrd_yieldabort
String ID:
API String ID: 956433050-0
Opcode ID: 0a41764caceaac74d3a48df7f0b647cc7ab0c1389470708bad75d13aa25f9b07
Instruction ID: f3e7f93b6011ef4b30090caaff36af5f58c19316e78ceb580b6723d8284ab0aa
Opcode Fuzzy Hash: 0a41764caceaac74d3a48df7f0b647cc7ab0c1389470708bad75d13aa25f9b07
Instruction Fuzzy Hash: B9318D32B52A8493EA559B35D5643E873A4FB887A4F84413AEA5D833D5EF38C663C310

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FAD6290 Relevance: 6.1, APIs: 4, Instructions: 58memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 000000013FAD62DA
HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 000000013FAD62E7
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013FAD632D
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013FAD6334

Memory Dump Source

Source File: 00000000.00000002.348466215.000000013FAD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FAD0000, based on PE: true

Associated: 00000000.00000002.348463662.000000013FAD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348469671.000000013FAE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348472323.000000013FAE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348474933.000000013FAEB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348477338.000000013FAEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13fad0000_AppInstallerPythonRedirector.jbxd

Similarity

API ID: Heapabort$FreeProcess
String ID:
API String ID: 1099042497-0
Opcode ID: 9d2eed6175f7f2b971c00806e498e68a901b21d66ebe442018c56a72768c2922
Instruction ID: a41abf98d3df02d3719cf2906da974756158784c712ba97804bfb2a3b353e29b
Opcode Fuzzy Hash: 9d2eed6175f7f2b971c00806e498e68a901b21d66ebe442018c56a72768c2922
Instruction Fuzzy Hash: 2D11C632E0179087EA54AF29A9243D93664E795B60F1D053CFA8D477C9CF39CA43C780

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FADA500 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 127COMMON

Download Yara Rule

APIs

InterlockedPushEntrySList.API-MS-WIN-CORE-INTERLOCKED-L1-1-0 ref: 000000013FADA5EA

Strings

Windows.ApplicationModel.Resources.ResourceLoader, xrefs: 000000013FADA53A
1, xrefs: 000000013FADA533

Memory Dump Source

Source File: 00000000.00000002.348466215.000000013FAD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FAD0000, based on PE: true

Associated: 00000000.00000002.348463662.000000013FAD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348469671.000000013FAE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348472323.000000013FAE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348474933.000000013FAEB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348477338.000000013FAEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13fad0000_AppInstallerPythonRedirector.jbxd

Similarity

API ID: EntryInterlockedListPush
String ID: 1$Windows.ApplicationModel.Resources.ResourceLoader
API String ID: 4129690577-2719804123
Opcode ID: b1b6ec9b60b8a5f59fde8f92ba900b9d97ad2b9e29b76d208fd793eb9d359579
Instruction ID: 314d1cc99e21b33cd7c04245d51218157614f37286e5ac571f123affdc9d31c2
Opcode Fuzzy Hash: b1b6ec9b60b8a5f59fde8f92ba900b9d97ad2b9e29b76d208fd793eb9d359579
Instruction Fuzzy Hash: 4551E536B11B1489FB109F65E8503DD37B4B758B88F44002AEE4D57BA9EF38C656C750

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FADE254 Relevance: 5.1, APIs: 4, Instructions: 75memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 000000013FADE28C
HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 000000013FADE299
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013FADE2A4
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 000000013FADE2D0
HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 000000013FADE2DD
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013FADE2E6

Memory Dump Source

Source File: 00000000.00000002.348466215.000000013FAD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FAD0000, based on PE: true

Associated: 00000000.00000002.348463662.000000013FAD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348469671.000000013FAE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348472323.000000013FAE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348474933.000000013FAEB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348477338.000000013FAEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13fad0000_AppInstallerPythonRedirector.jbxd

Similarity

API ID: Heap$FreeProcessabort
String ID:
API String ID: 1597918624-0
Opcode ID: bf060658c976e53605af3936443f9bbeb6f8e8eb1b4211607b838dd63cb850b6
Instruction ID: 5f93e6e9f281f670c7ff08c98d1be211d4fbabcc4d80d6f948ea07ee4e8435ed
Opcode Fuzzy Hash: bf060658c976e53605af3936443f9bbeb6f8e8eb1b4211607b838dd63cb850b6
Instruction Fuzzy Hash: F6312736B10A8593EA55DF62E4A83ED73A8F784B84F89402AEA0D537C5DF38C657C740

Uniqueness

Uniqueness Score: -1.00%

Function 000000013FADBF50 Relevance: 5.0, APIs: 4, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 000000013FADBF8C
HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 000000013FADBF9A
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 000000013FADBFCA
HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 000000013FADBFD8

Memory Dump Source

Source File: 00000000.00000002.348466215.000000013FAD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000000013FAD0000, based on PE: true

Associated: 00000000.00000002.348463662.000000013FAD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348469671.000000013FAE2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348472323.000000013FAE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348474933.000000013FAEB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.348477338.000000013FAEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13fad0000_AppInstallerPythonRedirector.jbxd

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: a8831d67cae4eac58f0eaa6016447df784c17e2613bf3b27e416e483279de986
Instruction ID: 7b8901f611a03b16c6ef1869a49d312ffcd107a777c709f372931cdba08f682f
Opcode Fuzzy Hash: a8831d67cae4eac58f0eaa6016447df784c17e2613bf3b27e416e483279de986
Instruction Fuzzy Hash: 8F118232B05B8097DB488F66E940399B3A5F788F90F088138DB5D43764DF38D666C740

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report AppInstallerPythonRedirector.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

Compliance

System Summary

Data Obfuscation

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

DNS Answers

Statistics

CPU Usage

Memory Usage

System Behavior

Analysis Process: AppInstallerPythonRedirector.exePID: 2944, Parent PID: 1244

General

File Activities

File Opened

File Attributes Queried

Volume Information Queried

Section Activities

Sections loaded by Windows

Registry Activities

Key Opened

Key Value Queried

Process Activities

Process Queried

Windows Analysis Report
AppInstallerPythonRedirector.exe