Edit tour

Windows Analysis Report
R.exe

Overview

General Information

Sample name:	R.exe
Analysis ID:	1466756
MD5:	24cf2f25cbf27d1ea57a4b995f8d36d9
SHA1:	4ccaac4c85285eeb807de52d190634541ec77593
SHA256:	ed01d6efe145985efb364bb7e0929330425586e3fec7090fe751a97a34b6911c
Infos:

Detection

Score:	4
Range:	0 - 100
Whitelisted:	false
Confidence:	60%

Signatures

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

PE file contains more sections than normal

PE file contains sections with non-standard names

Program does not show much activity (idle)

Sample execution stops while process was sleeping (likely an evasion)

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

R.exe (PID: 6632 cmdline: "C:\Users\user\Desktop\R.exe" MD5: 24CF2F25CBF27D1EA57A4B995F8D36D9)

conhost.exe (PID: 6612 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 4412 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\bin\x64\R.exe"" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: R.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT

Source: C:\Users\user\Desktop\R.exe

Code function: 4x nop then sub rsp, 58h

0_2_00007FF78E664AF0

Source: R.exe	String found in binary or memory: https://bugs.R-project.org
Source: R.exe	String found in binary or memory: https://www.r-project.orgD

Source: C:\Users\user\Desktop\R.exe

Code function: 0_2_00007FF78E662000

0_2_00007FF78E662000

Source: R.exe

Static PE information: Number of sections : 11 > 10

Source: classification engine

Classification label: clean4.winEXE@4/0@0/0

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6612:120:WilError_03

Source: R.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\R.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: R.exe	String found in binary or memory: Options: -h, --helpprint short help message and exit
Source: R.exe	String found in binary or memory: Options: -h, --helpprint short help message and exit
Source: R.exe	String found in binary or memory: --help
Source: R.exe	String found in binary or memory: --help
Source: R.exe	String found in binary or memory: %s --arch %s --help
Source: R.exe	String found in binary or memory: %s --arch %s --help
Source: R.exe	String found in binary or memory: command --help
Source: R.exe	String found in binary or memory: command --help
Source: R.exe	String found in binary or memory: "%s/%s/Rterm.exe" --help
Source: R.exe	String found in binary or memory: "%s/%s/Rterm.exe" --help
Source: R.exe	String found in binary or memory: %s --arch %s --help
Source: R.exe	String found in binary or memory: %s --arch %s --help
Source: R.exe	String found in binary or memory: command --help
Source: R.exe	String found in binary or memory: command --help
Source: R.exe	String found in binary or memory: Options: -h, --helpprint short help message and exit
Source: R.exe	String found in binary or memory: Options: -h, --helpprint short help message and exit
Source: R.exe	String found in binary or memory: %s --arch %s --help
Source: R.exe	String found in binary or memory: %s --arch %s --help
Source: R.exe	String found in binary or memory: --help
Source: R.exe	String found in binary or memory: --help
Source: R.exe	String found in binary or memory: command --help
Source: R.exe	String found in binary or memory: command --help
Source: R.exe	String found in binary or memory: "%s/%s/Rterm.exe" --help
Source: R.exe	String found in binary or memory: "%s/%s/Rterm.exe" --help
Source: R.exe	String found in binary or memory: -h, --helpprint short help message and exit
Source: R.exe	String found in binary or memory: -h, --helpprint short help message and exit
Source: R.exe	String found in binary or memory: %s%s%s any other arguments listed by %s --arch %s --help
Source: R.exe	String found in binary or memory: %s%s%s any other arguments listed by %s --arch %s --help
Source: R.exe	String found in binary or memory: --help--arch3264i386x64valid values for --arch are i386, x64, 32, 64
Source: R.exe	String found in binary or memory: --help--arch3264i386x64valid values for --arch are i386, x64, 32, 64
Source: R.exe	String found in binary or memory: --help"%s/%s/Rterm.exe" --helpbin/x64
Source: R.exe	String found in binary or memory: --help"%s/%s/Rterm.exe" --helpbin/x64

Source: unknown	Process created: C:\Users\user\Desktop\R.exe "C:\Users\user\Desktop\R.exe"
Source: C:\Users\user\Desktop\R.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\R.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\bin\x64\R.exe""
Source: C:\Users\user\Desktop\R.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\bin\x64\R.exe""	Jump to behavior

Source: C:\Users\user\Desktop\R.exe	Section loaded: apphelp.dll			Jump to behavior
Source: C:\Users\user\Desktop\R.exe	Section loaded: kernel.appcore.dll			Jump to behavior

Source: R.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: R.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT

Source: R.exe

Static PE information: section name: .xdata

Source: C:\Users\user\Desktop\R.exe

Code function: 0_2_00007FF78E66CDA8 push rax; iretd

0_2_00007FF78E66CDB6

Source: C:\Users\user\Desktop\R.exe

API coverage: 5.1 %

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\R.exe	Code function: 0_2_00007FF78E661180 Sleep,Sleep,SetUnhandledExceptionFilter,_set_invalid_parameter_handler,malloc,strlen,malloc,memcpy,_initterm,exit,	0_2_00007FF78E661180
Source: C:\Users\user\Desktop\R.exe	Code function: 0_2_00007FF78E665BE1 SetUnhandledExceptionFilter,	0_2_00007FF78E665BE1
Source: C:\Users\user\Desktop\R.exe	Code function: 0_2_00007FF78E691500 SetUnhandledExceptionFilter,	0_2_00007FF78E691500

Source: C:\Users\user\Desktop\R.exe

Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\bin\x64\R.exe""

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	11 Process Injection	11 Process Injection	OS Credential Dumping	1 System Information Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 DLL Side-Loading	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	2 Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
R.exe	0%	ReversingLabs

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
https://www.r-project.orgD	0%	Avira URL Cloud	safe
https://bugs.R-project.org	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

⊘No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://www.r-project.orgD	R.exe	false	Avira URL Cloud: safe	unknown
https://bugs.R-project.org	R.exe	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1466756
Start date and time:	2024-07-03 11:03:18 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 1m 39s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	3
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	R.exe
Detection:	CLEAN
Classification:	clean4.winEXE@4/0@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 2 Number of non-executed functions: 23
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Not all processes where analyzed, report is missing behavior information
VT rate limit hit for: R.exe

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows
Entropy (8bit):	7.11500075536029
TrID:	Win64 Executable (generic) (12005/4) 74.95% Generic Win/DOS Executable (2004/3) 12.51% DOS Executable Generic (2002/1) 12.50% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.04%
File name:	R.exe
File size:	154'112 bytes
MD5:	24cf2f25cbf27d1ea57a4b995f8d36d9
SHA1:	4ccaac4c85285eeb807de52d190634541ec77593
SHA256:	ed01d6efe145985efb364bb7e0929330425586e3fec7090fe751a97a34b6911c
SHA512:	c488858b701c15d6d3a1714c11328485a54818e3744da19ce3b26a5c70cfbc29dba4df8d0fcf7af67db4fab02a9f0e848dcd8e28c1f7adeb2f8b061bb4f0487e
SSDEEP:	3072:bmDyT4868TnC89QB+5UsdfQZJqGW85QP9w2WkNFXp:SDyL7n+u/YDqMmO2rJ
TLSH:	22E3BF1A9713DCFDDD29417685F3AB127332BC6601A8EB6F0710A3B39C376D59E2A148
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...).kf...............*.R...V.................@.............................`......=R....`... ............................

File Icon


Icon Hash:	70fc865392ec9012

Static PE Info

General

Entrypoint:	0x1400013f0
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, DEBUG_STRIPPED
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x666BFC29 [Fri Jun 14 08:15:37 2024 UTC]
TLS Callbacks:	0x40004760, 0x1, 0x40004730, 0x1
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	11ea9d33fb238a8371ad43b1edabbff8

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
dec eax
mov eax, dword ptr [00008875h]
mov dword ptr [eax], 00000000h
call 00007FDFBCDC03CFh
nop
nop
dec eax
add esp, 28h
ret
nop dword ptr [eax]
dec eax
sub esp, 28h
call 00007FDFBCDC4ADCh
dec eax
cmp eax, 01h
sbb eax, eax
dec eax
add esp, 28h
ret
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
dec eax
lea ecx, dword ptr [00000009h]
jmp 00007FDFBCDC0629h
nop dword ptr [eax+00h]
ret
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
xor eax, eax
cmp ecx, 01h
setbe al
ret
nop dword ptr [eax+00000000h]
push edi
push esi
push ebx
dec eax
sub esp, 30h
dec eax
mov edi, dword ptr [0003020Ah]
dec eax
mov ebx, ecx
dec eax
mov esi, edx
mov ecx, 00000002h
call edi
dec ecx
mov ecx, ebx
dec esp
lea eax, dword ptr [00006B7Bh]
dec eax
lea edx, dword ptr [00006B7Bh]
dec eax
mov ecx, eax
dec eax
lea eax, dword ptr [00006B7Ah]
dec eax
mov dword ptr [esp+20h], eax
call 00007FDFBCDC4925h
mov ecx, 00000002h
call edi
dec esp
lea ecx, dword ptr [00006B7Ah]
dec esp
lea eax, dword ptr [00006B9Bh]
dec eax
mov ecx, eax

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x31000	0xfe0	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x34000	0x10b08	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x16000	0x354	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x45000	0x98	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x98a0	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x31468	0x328	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x5088	0x5200	aaa44e7c1f801b5daffc8dc3399633ed	False	0.5284394054878049	data	6.1463348631951575	IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x7000	0x100	0x200	f03a9d434bb40ff52b3fa1cf66f0a57f	False	0.1953125	data	1.4730901332139021	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0x8000	0xd7b0	0xd800	d07dc6d093135b277e4237e5053c302b	False	0.6234085648148148	data	6.972168700246094	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.pdata	0x16000	0x354	0x400	c182885a057ba7c42b66440a501f8225	False	0.4609375	data	3.784913397418341	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.xdata	0x17000	0x2dc	0x400	4e49ecb7539ea73f921598ce2fb02bcc	False	0.3193359375	data	3.368554073700875	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.bss	0x18000	0x18840	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x31000	0xfe0	0x1000	967414c7e4109196a7d14e98b8738bb2	False	0.336181640625	data	4.415075331196741	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.CRT	0x32000	0x60	0x200	9839801f39aa28999fa98d4c72f84e8c	False	0.068359375	data	0.28265357431271465	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0x33000	0x10	0x200	bf619eac0cdf3f68d496ea9344137e8b	False	0.02734375	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x34000	0x10b08	0x10c00	acac1328ef6f58b520c1fe38dd8d9d1f	False	0.847831156716418	data	7.523330168787664	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x45000	0x98	0x200	6ae486e11b0399b43fa885107b36e0aa	False	0.28125	data	1.7703747442651037	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x341f8	0xbc9c	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States	0.9932897025929914
RT_ICON	0x3fe98	0x2668	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	United States	0.4532139951179821
RT_ICON	0x42500	0x1128	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	United States	0.5714936247723132
RT_ICON	0x43628	0x9b8	Device independent bitmap graphic, 24 x 48 x 32, image size 0	English	United States	0.6531350482315113
RT_ICON	0x43fe0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	United States	0.775709219858156
RT_GROUP_ICON	0x44448	0x4c	data	English	United States	0.8026315789473685
RT_VERSION	0x44498	0x264	data	English	United States	0.5196078431372549
RT_MANIFEST	0x44700	0x403	XML 1.0 document, ASCII text	English	United States	0.45180136319376824

Imports

DLL	Import
ADVAPI32.dll	RegCloseKey, RegOpenKeyExA, RegQueryValueExA
KERNEL32.dll	CloseHandle, CreateFileA, CreateProcessA, DeleteCriticalSection, EnterCriticalSection, GetCurrentDirectoryA, GetEnvironmentVariableA, GetExitCodeProcess, GetLastError, GetModuleFileNameA, GetShortPathNameA, InitializeCriticalSection, LeaveCriticalSection, SetConsoleCtrlHandler, SetStdHandle, SetUnhandledExceptionFilter, Sleep, TlsGetValue, VirtualProtect, VirtualQuery, WaitForSingleObject
api-ms-win-crt-convert-l1-1-0.dll	wcstombs
api-ms-win-crt-environment-l1-1-0.dll	__p__environ, __p__wenviron, getenv, _putenv
api-ms-win-crt-filesystem-l1-1-0.dll	_stat64
api-ms-win-crt-heap-l1-1-0.dll	_set_new_mode, calloc, free, malloc
api-ms-win-crt-math-l1-1-0.dll	__setusermatherr
api-ms-win-crt-private-l1-1-0.dll	__C_specific_handler, memcpy, strchr, strrchr
api-ms-win-crt-runtime-l1-1-0.dll	_set_app_type, __p___argc, __p___argv, __p___wargv, _cexit, _configure_narrow_argv, _configure_wide_argv, _crt_at_quick_exit, _crt_atexit, _exit, _initialize_narrow_environment, _initialize_wide_environment, _initterm, _set_invalid_parameter_handler, abort, exit, signal, system
api-ms-win-crt-stdio-l1-1-0.dll	__acrt_iob_func, __p__commode, __p__fmode, __stdio_common_vfprintf, __stdio_common_vfwprintf, __stdio_common_vsprintf, fclose, feof, fgets, fopen, fputs, fwrite
api-ms-win-crt-string-l1-1-0.dll	isspace, memset, strcat, strcmp, strcpy, strlen, strncat, strncmp, strncpy, _stricmp
api-ms-win-crt-time-l1-1-0.dll	__daylight, __timezone, __tzname, _tzset
ole32.dll	CoTaskMemFree
SHELL32.dll	SHGetKnownFolderPath
USER32.dll	MessageBoxA

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

⊘No network behavior found

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

Behavior

Click to jump to process

System Behavior

Analysis Process: R.exePID: 6632, Parent PID: 2580

General

Target ID:	0
Start time:	05:04:04
Start date:	03/07/2024
Path:	C:\Users\user\Desktop\R.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\R.exe"
Imagebase:	0x7ff78e660000
File size:	154'112 bytes
MD5 hash:	24CF2F25CBF27D1EA57A4B995F8D36D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 6612, Parent PID: 6632

General

Target ID:	1
Start time:	05:04:04
Start date:	03/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: cmd.exePID: 4412, Parent PID: 6632

General

Target ID:	2
Start time:	05:04:04
Start date:	03/07/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Users\user\bin\x64\R.exe""
Imagebase:	0x7ff707680000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: R.exePID: 6632, Parent PID: 2580COMMON

Execution Graph

Execution Coverage:	3.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	35.2%
Total number of Nodes:	403
Total number of Limit Nodes:	3

Executed Functions

Function 00007FF78E661180 Relevance: 13.6, APIs: 9, Instructions: 146
sleepstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(?,?,?,00007FF78E661406), ref: 00007FF78E6611BE
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF78E66122F
_set_invalid_parameter_handler.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,00007FF78E661406), ref: 00007FF78E661246
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF78E661406), ref: 00007FF78E661263
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF78E661406), ref: 00007FF78E661284
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF78E661406), ref: 00007FF78E661290
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,00007FF78E661406), ref: 00007FF78E6612A8

Memory Dump Source

Source File: 00000000.00000002.1631787161.00007FF78E661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78E660000, based on PE: true

Associated: 00000000.00000002.1631774661.00007FF78E660000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1631801265.00007FF78E667000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1631812990.00007FF78E668000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1631828763.00007FF78E691000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1631843883.00007FF78E694000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78e660000_R.jbxd

Similarity

API ID: malloc$ExceptionFilterSleepUnhandled_set_invalid_parameter_handlermemcpystrlen
String ID:
API String ID: 959198572-0
Opcode ID: 03c83894507cc251075f75523bff636a4f1825e5cb24bc4e260cfe5d02f64e5c
Instruction ID: 24245bf2b14e968edeabd25db7f18171861792df8f0079ae307a5a7d61e52320
Opcode Fuzzy Hash: 03c83894507cc251075f75523bff636a4f1825e5cb24bc4e260cfe5d02f64e5c
Instruction Fuzzy Hash: 82511336F2964685EA51BFD5E891279A3B2BF84B80FA44535DD0D877B1CF3CA841C360

Function 00007FF78E665CB0 Relevance: 80.7, APIs: 32, Strings: 14, Instructions: 204
stringfileprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

strcmp.API-MS-WIN-CRT-STRING-L1-1-0(-00000008,00000001,?,00000000,?,?,?,?,00007FF78E6612EE,?,?,?,00007FF78E661406), ref: 00007FF78E665CFC
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(-00000008,00000001,?,00000000,?,?,?,?,00007FF78E6612EE,?,?,?,00007FF78E661406), ref: 00007FF78E665D13
strncpy.API-MS-WIN-CRT-STRING-L1-1-0(-00000008,00000001,?,00000000,?,?,?,?,00007FF78E6612EE,?,?,?,00007FF78E661406), ref: 00007FF78E665D3C
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(-00000008,00000001,?,00000000,?,?,?,?,00007FF78E6612EE,?,?,?,00007FF78E661406), ref: 00007FF78E665D4B
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(-00000008,00000001,?,00000000,?,?,?,?,00007FF78E6612EE,?,?,?,00007FF78E661406), ref: 00007FF78E665D62
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(-00000008,00000001,?,00000000,?,?,?,?,00007FF78E6612EE,?,?,?,00007FF78E661406), ref: 00007FF78E665D79
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(-00000008,00000001,?,00000000,?,?,?,?,00007FF78E6612EE,?,?,?,00007FF78E661406), ref: 00007FF78E665D95
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF78E665DA3
fwrite.API-MS-WIN-CRT-STDIO-L1-1-0(-00000008,00000001,?,00000000,?,?,?,?,00007FF78E6612EE,?,?,?,00007FF78E661406), ref: 00007FF78E665DBE
exit.API-MS-WIN-CRT-RUNTIME-L1-1-0(-00000008,00000001,?,00000000,?,?,?,?,00007FF78E6612EE,?,?,?,00007FF78E661406), ref: 00007FF78E665DC8
getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(-00000008,00000001,?,00000000,?,?,?,?,00007FF78E6612EE,?,?,?,00007FF78E661406), ref: 00007FF78E665DD4
strncpy.API-MS-WIN-CRT-STRING-L1-1-0(-00000008,00000001,?,00000000,?,?,?,?,00007FF78E6612EE,?,?,?,00007FF78E661406), ref: 00007FF78E665DED
strlen.API-MS-WIN-CRT-STRING-L1-1-0(-00000008,00000001,?,00000000,?,?,?,?,00007FF78E6612EE,?,?,?,00007FF78E661406), ref: 00007FF78E665E19
_stricmp.API-MS-WIN-CRT-STRING-L1-1-0(-00000008,00000001,?,00000000,?,?,?,?,00007FF78E6612EE,?,?,?,00007FF78E661406), ref: 00007FF78E665E2A
strlen.API-MS-WIN-CRT-STRING-L1-1-0(-00000008,00000001,?,00000000,?,?,?,?,00007FF78E6612EE,?,?,?,00007FF78E661406), ref: 00007FF78E665E3A
_stricmp.API-MS-WIN-CRT-STRING-L1-1-0(-00000008,00000001,?,00000000,?,?,?,?,00007FF78E6612EE,?,?,?,00007FF78E661406), ref: 00007FF78E665E4B
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(-00000008,00000001,?,00000000,?,?,?,?,00007FF78E6612EE,?,?,?,00007FF78E661406), ref: 00007FF78E665EDE
strlen.API-MS-WIN-CRT-STRING-L1-1-0(-00000008,00000001,?,00000000,?,?,?,?,00007FF78E6612EE,?,?,?,00007FF78E661406), ref: 00007FF78E665EEC
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF78E665F0E
fwrite.API-MS-WIN-CRT-STDIO-L1-1-0(-00000008,00000001,?,00000000,?,?,?,?,00007FF78E6612EE,?,?,?,00007FF78E661406), ref: 00007FF78E665F29
exit.API-MS-WIN-CRT-RUNTIME-L1-1-0(-00000008,00000001,?,00000000,?,?,?,?,00007FF78E6612EE,?,?,?,00007FF78E661406), ref: 00007FF78E665F33
exit.API-MS-WIN-CRT-RUNTIME-L1-1-0(-00000008,00000001,?,00000000,?,?,?,?,00007FF78E6612EE,?,?,?,00007FF78E661406), ref: 00007FF78E665F48
strlen.API-MS-WIN-CRT-STRING-L1-1-0(-00000008,00000001,?,00000000,?,?,?,?,00007FF78E6612EE,?,?,?,00007FF78E661406), ref: 00007FF78E665F50
system.API-MS-WIN-CRT-RUNTIME-L1-1-0(-00000008,00000001,?,00000000,?,?,?,?,00007FF78E6612EE,?,?,?,00007FF78E661406), ref: 00007FF78E665F67
exit.API-MS-WIN-CRT-RUNTIME-L1-1-0(-00000008,00000001,?,00000000,?,?,?,?,00007FF78E6612EE,?,?,?,00007FF78E661406), ref: 00007FF78E665F6E
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF78E665FB6
fwrite.API-MS-WIN-CRT-STDIO-L1-1-0(-00000008,00000001,?,00000000,?,?,?,?,00007FF78E6612EE,?,?,?,00007FF78E661406), ref: 00007FF78E665FD1
exit.API-MS-WIN-CRT-RUNTIME-L1-1-0(-00000008,00000001,?,00000000,?,?,?,?,00007FF78E6612EE,?,?,?,00007FF78E661406), ref: 00007FF78E665FDB
strlen.API-MS-WIN-CRT-STRING-L1-1-0(-00000008,00000001,?,00000000,?,?,?,?,00007FF78E6612EE,?,?,?,00007FF78E661406), ref: 00007FF78E66600C
SetConsoleCtrlHandler.KERNEL32 ref: 00007FF78E666023
strlen.API-MS-WIN-CRT-STRING-L1-1-0(-00000008,00000001,?,00000000,?,?,?,?,00007FF78E6612EE,?,?,?,00007FF78E661406), ref: 00007FF78E666031

Strings

valid values for --arch are i386, x64, 32, 64, xrefs: 00007FF78E665DB4
--help, xrefs: 00007FF78E665CF2
--arch, xrefs: 00007FF78E665D09
R_ARCH, xrefs: 00007FF78E665DCD
x64, xrefs: 00007FF78E665D2E
Rscript, xrefs: 00007FF78E665E3F
i386, xrefs: 00007FF78E665D6F
CMD, xrefs: 00007FF78E665E92
""%s\bin\%s\Rscript.exe", xrefs: 00007FF78E665E6D
command line too long, xrefs: 00007FF78E665F1F
x64, xrefs: 00007FF78E665D89
Invalid R_HOME, xrefs: 00007FF78E665FC7
""%s\bin\%s\R.exe", xrefs: 00007FF78E665F8D
Rscript.exe, xrefs: 00007FF78E665E1E

Memory Dump Source

Source File: 00000000.00000002.1631787161.00007FF78E661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78E660000, based on PE: true

Associated: 00000000.00000002.1631774661.00007FF78E660000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1631801265.00007FF78E667000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1631812990.00007FF78E668000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1631828763.00007FF78E691000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1631843883.00007FF78E694000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78e660000_R.jbxd

Similarity

API ID: strcmp$strlen$exit$__acrt_iob_funcfwrite$_stricmpstrncpy$ConsoleCtrlHandlergetenvsystem
String ID: ""%s\bin\%s\R.exe"$""%s\bin\%s\Rscript.exe"$--arch$--help$CMD$Invalid R_HOME$R_ARCH$Rscript$Rscript.exe$command line too long$i386$valid values for --arch are i386, x64, 32, 64$x64$x64
API String ID: 4168535574-258609378
Opcode ID: fa6471a33660901095dd06be3169944942d08465e6262ca932810c5a7d63293a
Instruction ID: 49c1f383ed91ea3245a3bb1a828fe4ad85638d498f8d845e3daf634eb6f3aa43
Opcode Fuzzy Hash: fa6471a33660901095dd06be3169944942d08465e6262ca932810c5a7d63293a
Instruction Fuzzy Hash: 52913A20B3864392FA10BBA194562B99373BF41784FE41835E90E577E6EF3CE501C361

Non-executed Functions

Function 00007FF78E662000 Relevance: 419.9, APIs: 107, Strings: 132, Instructions: 1666stringprocessCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF78E66203C

Part of subcall function 00007FF78E6616F0: isspace.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,00007FF78E6612EE,?,?,?,00007FF78E661406), ref: 00007FF78E66172C
Part of subcall function 00007FF78E6616F0: GetShortPathNameA.KERNEL32 ref: 00007FF78E661741

strncmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF78E662091
strcmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF78E6620E5
SetConsoleCtrlHandler.KERNEL32 ref: 00007FF78E66212D
strlen.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF78E662143
strlen.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF78E6621D2
system.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF78E6621EB
strncmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF78E662225
strncmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF78E662242

Strings

""%s/%s/Rterm.exe" -e tools:::.SHLIB() R_DEFAULT_PACKAGES=NULL --no-restore --no-echo --no-site-file --no-init-file --args, xrefs: 00007FF78E663713
and '.Rout' appended., xrefs: 00007FF78E662DE8
TMPDIR, xrefs: 00007FF78E6627ED, 00007FF78E6629F2, 00007FF78E662CDF
no input file, xrefs: 00007FF78E6633B5
Sweave, xrefs: 00007FF78E66345D
TMP, xrefs: 00007FF78E6629B6
-, xrefs: 00007FF78E6625C6
/etc/Rcm, xrefs: 00007FF78E66250F
Rdiff, xrefs: 00007FF78E6633ED
""%s/%s/Rterm.exe" -e tools:::.check_packages() R_DEFAULT_PACKAGES= LC_COLLATE=C --no-restore --no-echo --args , xrefs: 00007FF78E662F3D
2024, xrefs: 00007FF78E662D3F
SHLIB Make a DLL for use with dynload, xrefs: 00007FF78E662459
by default is started with '--restore --save'., xrefs: 00007FF78E662D94
REMOVE Remove add-on packages, xrefs: 00007FF78E662465
Stangle, xrefs: 00007FF78E663479
The R Core Team., xrefs: 00007FF78E662D33
Rd2pdf, xrefs: 00007FF78E663441
nextArg, xrefs: 00007FF78E662E8F
nextArg, xrefs: 00007FF78E66366E
Rcmd, xrefs: 00007FF78E662060
Report bugs at <https://bugs.R-project.org>., xrefs: 00007FF78E662D7E
Stangle Extract S/R code from vignette, xrefs: 00007FF78E6623ED
config, xrefs: 00007FF78E663495
""%s/%s/open.exe", xrefs: 00007FF78E663A70
Rprof, xrefs: 00007FF78E6628BA
Invalid R_HOME, xrefs: 00007FF78E66386D
Run R non-interactively with input from infile and place output (stdout, xrefs: 00007FF78E662E0C
build Build add-on packages, xrefs: 00007FF78E662441
x64, xrefs: 00007FF78E6627C3
Rcmd.exe, xrefs: 00007FF78E66221B
"%s/%s/Rterm.exe" --help, xrefs: 00007FF78E662332
Rd2txt Convert Rd format to pretty text, xrefs: 00007FF78E6623F9
--help, xrefs: 00007FF78E6622C3, 00007FF78E66264F
rcmd, xrefs: 00007FF78E662087
rl , xrefs: 00007FF78E663513
"texify.exe -I "%s/share/texmf/tex/latex" -I "%s/share/texmf/bibtex/bst", xrefs: 00007FF78E66290B
, xrefs: 00007FF78E662A84
Rdconv, xrefs: 00007FF78E663409
Sweave Process vignette documentation, xrefs: 00007FF78E6623E1
unable to run Rterm.exe, xrefs: 00007FF78E6631FC
-v, --versionprint version info and exit, xrefs: 00007FF78E662DD0
Rdconv Convert Rd format to various other formats, xrefs: 00007FF78E66241D
as '--' was not encountered, and are passed on to the R process, which, xrefs: 00007FF78E662DA0
check Check add-on packages, xrefs: 00007FF78E662435
nextArg, xrefs: 00007FF78E663C9E
nextArg, xrefs: 00007FF78E6638CF
BINDIR, xrefs: 00007FF78E6627DC
open, xrefs: 00007FF78E6634B1
nextArg, xrefs: 00007FF78E663BC9
""%s/%s/Rterm.exe" -e tools:::.build_packages() R_DEFAULT_PACKAGES= LC_COLLATE=C --no-restore --no-echo --args , xrefs: 00007FF78E662E65
""%s/%s/Rterm.exe" -e tools:::.install_packages() R_DEFAULT_PACKAGES= LC_COLLATE=C --no-restore --no-echo --args , xrefs: 00007FF78E662BD0
R batch front end: %s.%s (r%d)%s%s%s%s%s, xrefs: 00007FF78E662D1B
R_VERSION=%s.%s, xrefs: 00007FF78E6626EB
check, xrefs: 00007FF78E66289E
--no-timingdo not report the timings, xrefs: 00007FF78E662DC4
""%s/%s/Rterm.exe", xrefs: 00007FF78E662112, 00007FF78E662A3D
"%s/%s/Rterm.exe" -f "%s" --restore --save, xrefs: 00007FF78E663057
texify, xrefs: 00007FF78E6628D6
REMOVE, xrefs: 00007FF78E662866
command args, xrefs: 00007FF78E6623A2
PATH, xrefs: 00007FF78E662712
Rcmd, xrefs: 00007FF78E6622FD
INSTALL Install add-on packages, xrefs: 00007FF78E6623BA
RHOME, xrefs: 00007FF78E6620DE
Further arguments starting with a '-' are considered as options as long, xrefs: 00007FF78E662DAC
%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s, xrefs: 00007FF78E6623D2
nextArg, xrefs: 00007FF78E662BFA
and stderr) to another file. If not given, the name of the output file, xrefs: 00007FF78E662E00
v, xrefs: 00007FF78E66266C
Rprof Post process R profiling files, xrefs: 00007FF78E662429
command line too long, xrefs: 00007FF78E662298, 00007FF78E662CC0
R_BATCH=1234, xrefs: 00007FF78E6635E6
Options: -h, --helpprint short help message and exit, xrefs: 00007FF78E662DDC
%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s, xrefs: 00007FF78E662D85
or later for copying conditions. There is NO warranty., xrefs: 00007FF78E662D14
-, xrefs: 00007FF78E6622DA
BATCH [options] infile [outfile], xrefs: 00007FF78E662E18
--end processing of options, xrefs: 00007FF78E662DB8
BATCH, xrefs: 00007FF78E66253D
""%s/%s/Rterm.exe" -e tools:::.Rdconv() R_DEFAULT_PACKAGES= LC_COLLATE=C --vanilla --no-echo --args nextArg-tnextArgtxt, xrefs: 00007FF78E66389F
Use , xrefs: 00007FF78E662480
""%s/%s/Rterm.exe" --vanilla --no-echo -e utils:::.Stangle() --args , xrefs: 00007FF78E663ABD
--no-timing, xrefs: 00007FF78E662693
.pl, xrefs: 00007FF78E6634F4
nextArg, xrefs: 00007FF78E663AED
--version, xrefs: 00007FF78E66267C
config Obtain configuration information about R open Open a file via Windows file associations texify Process a latex file, xrefs: 00007FF78E6623CB
nextArg, xrefs: 00007FF78E6632FA
for usage information for each command., xrefs: 00007FF78E662491
Rd2pdf Convert Rd format to PDF, xrefs: 00007FF78E662405
""%s/%s/Rterm.exe" -e tools:::.Rprof() R_DEFAULT_PACKAGES=utils LC_COLLATE=C --vanilla --no-echo --args , xrefs: 00007FF78E6632D0
R_ARCH=, xrefs: 00007FF78E6627B9
R_BATCH_OPTIONS, xrefs: 00007FF78E662563
""%s/%s/Rterm.exe" -f "%s/share/R/REMOVE.R" R_DEFAULT_PACKAGES=NULL --no-restore --no-echo --args, xrefs: 00007FF78E662AB0
nextArg, xrefs: 00007FF78E6639A4
"per, xrefs: 00007FF78E66351E
build, xrefs: 00007FF78E662882
""%s/%s/Rterm.exe" -e tools:::.Rdconv() R_DEFAULT_PACKAGES= LC_COLLATE=C --vanilla --no-echo --args , xrefs: 00007FF78E663974
""%s/%s/Rterm.exe" --no-restore --no-echo -e utils:::.Sweave() --args , xrefs: 00007FF78E663B99
HOME, xrefs: 00007FF78E66281A, 00007FF78E662E44
PATH too long, xrefs: 00007FF78E663859
Or: R CMD command args, xrefs: 00007FF78E662362
This is free software; see the GNU General Public Licence version 2, xrefs: 00007FF78E662D27
d_enviro, xrefs: 00007FF78E662505
""%s/%s/Rterm.exe" -e tools:::.Rdiff() R_DEFAULT_PACKAGES=NULL --vanilla --no-echo --args , xrefs: 00007FF78E663644
4.1, xrefs: 00007FF78E6626D0, 00007FF78E662D03
R_CMD=R CMD, xrefs: 00007FF78E662706
Copyright (C) 1997-, xrefs: 00007FF78E662D4B
rcmd.exe, xrefs: 00007FF78E662238
h, xrefs: 00007FF78E66314D
Usage: , xrefs: 00007FF78E662391, 00007FF78E662D74
is the one of the input file, with a possible '.R' extension stripped,, xrefs: 00007FF78E662DF4
nextArg, xrefs: 00007FF78E662F67
R_HOME, xrefs: 00007FF78E6624BF
%s%s%s, xrefs: 00007FF78E662398
Rdiff difference R output files, xrefs: 00007FF78E662411
"sh "%s/bin/config.sh", xrefs: 00007FF78E663A99
Usage: %s texify [options] filename, xrefs: 00007FF78E663829
.sh, xrefs: 00007FF78E6634D5
bin/x64, xrefs: 00007FF78E6620F2, 00007FF78E662316, 00007FF78E6626FA, 00007FF78E662A1E, 00007FF78E663036
Allocation error, xrefs: 00007FF78E663883
unable to open output file, xrefs: 00007FF78E663620
%s%s%s%s, xrefs: 00007FF78E662487
command --help, xrefs: 00007FF78E66249D
INSTALL, xrefs: 00007FF78E66283F
SHLIB, xrefs: 00007FF78E6633D1
where 'command' is one of:, xrefs: 00007FF78E6623C1
PATH=%s\%s;%s, xrefs: 00007FF78E66272F, 00007FF78E66277D
""%s/%s/Rterm.exe" -e tools:::..Rd2pdf() R_DEFAULT_PACKAGES= LC_ALL=C --vanilla --no-echo --args , xrefs: 00007FF78E663C6E
Rd2txt, xrefs: 00007FF78E663425
TEMP, xrefs: 00007FF78E662985
BATCH Run R in batch mode, xrefs: 00007FF78E66244D

Memory Dump Source

Source File: 00000000.00000002.1631787161.00007FF78E661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78E660000, based on PE: true

Associated: 00000000.00000002.1631774661.00007FF78E660000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1631801265.00007FF78E667000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1631812990.00007FF78E668000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1631828763.00007FF78E691000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1631843883.00007FF78E694000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78e660000_R.jbxd

Similarity

API ID: strlenstrncmp$ConsoleCtrlHandlerNamePathShortisspacestrcmpsystem
String ID: Or: R CMD command args$%s%s%s%s$Usage: %s texify [options] filename$ $ --end processing of options$ --no-timingdo not report the timings$ -v, --versionprint version info and exit$ BATCH Run R in batch mode$ INSTALL Install add-on packages$ REMOVE Remove add-on packages$ Rd2pdf Convert Rd format to PDF$ Rd2txt Convert Rd format to pretty text$ Rdconv Convert Rd format to various other formats$ Rdiff difference R output files$ Rprof Post process R profiling files$ SHLIB Make a DLL for use with dynload$ Stangle Extract S/R code from vignette$ Sweave Process vignette documentation$ build Build add-on packages$ check Check add-on packages$ config Obtain configuration information about R open Open a file via Windows file associations texify Process a latex file$ BATCH [options] infile [outfile]$ The R Core Team.$ command --help$ command args$""%s/%s/Rterm.exe"$""%s/%s/Rterm.exe" --no-restore --no-echo -e utils:::.Sweave() --args $""%s/%s/Rterm.exe" --vanilla --no-echo -e utils:::.Stangle() --args $""%s/%s/Rterm.exe" -e tools:::..Rd2pdf() R_DEFAULT_PACKAGES= LC_ALL=C --vanilla --no-echo --args $""%s/%s/Rterm.exe" -e tools:::.Rdconv() R_DEFAULT_PACKAGES= LC_COLLATE=C --vanilla --no-echo --args $""%s/%s/Rterm.exe" -e tools:::.Rdconv() R_DEFAULT_PACKAGES= LC_COLLATE=C --vanilla --no-echo --args nextArg-tnextArgtxt$""%s/%s/Rterm.exe" -e tools:::.Rdiff() R_DEFAULT_PACKAGES=NULL --vanilla --no-echo --args $""%s/%s/Rterm.exe" -e tools:::.Rprof() R_DEFAULT_PACKAGES=utils LC_COLLATE=C --vanilla --no-echo --args $""%s/%s/Rterm.exe" -e tools:::.SHLIB() R_DEFAULT_PACKAGES=NULL --no-restore --no-echo --no-site-file --no-init-file --args$""%s/%s/Rterm.exe" -e tools:::.build_packages() R_DEFAULT_PACKAGES= LC_COLLATE=C --no-restore --no-echo --args $""%s/%s/Rterm.exe" -e tools:::.check_packages() R_DEFAULT_PACKAGES= LC_COLLATE=C --no-restore --no-echo --args $""%s/%s/Rterm.exe" -e tools:::.install_packages() R_DEFAULT_PACKAGES= LC_COLLATE=C --no-restore --no-echo --args $""%s/%s/Rterm.exe" -f "%s/share/R/REMOVE.R" R_DEFAULT_PACKAGES=NULL --no-restore --no-echo --args$""%s/%s/open.exe"$"%s/%s/Rterm.exe" --help$"%s/%s/Rterm.exe" -f "%s" --restore --save$"per$"sh "%s/bin/config.sh"$"texify.exe -I "%s/share/texmf/tex/latex" -I "%s/share/texmf/bibtex/bst"$%s%s%s$%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s$%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s$-$-$--help$--no-timing$--version$.pl$.sh$/etc/Rcm$2024$4.1$Allocation error$BATCH$BINDIR$Copyright (C) 1997-$Further arguments starting with a '-' are considered as options as long$HOME$INSTALL$Invalid R_HOME$Options: -h, --helpprint short help message and exit$PATH$PATH too long$PATH=%s\%s;%s$R batch front end: %s.%s (r%d)%s%s%s%s%s$REMOVE$RHOME$R_ARCH=$R_BATCH=1234$R_BATCH_OPTIONS$R_CMD=R CMD$R_HOME$R_VERSION=%s.%s$Rcmd$Rcmd$Rcmd.exe$Rd2pdf$Rd2txt$Rdconv$Rdiff$Report bugs at <https://bugs.R-project.org>.$Rprof$Run R non-interactively with input from infile and place output (stdout$SHLIB$Stangle$Sweave$TEMP$TMP$TMPDIR$This is free software; see the GNU General Public Licence version 2$Usage: $Use $and '.Rout' appended.$and stderr) to another file. If not given, the name of the output file$as '--' was not encountered, and are passed on to the R process, which$bin/x64$build$by default is started with '--restore --save'.$check$command line too long$config$d_enviro$for usage information for each command.$h$is the one of the input file, with a possible '.R' extension stripped,$nextArg$nextArg$nextArg$nextArg$nextArg$nextArg$nextArg$nextArg$nextArg$nextArg$no input file$open$or later for copying conditions. There is NO warranty.$rcmd$rcmd.exe$rl $texify$unable to open output file$unable to run Rterm.exe$v$where 'command' is one of:$x64
API String ID: 3568832039-1499293692
Opcode ID: 46245dd1cfb52122cde71c1e8d398b43eb38a5d4fe97db9fa08cffeeb4da8f6a
Instruction ID: 81a814d43c158bf3b47dd3fb06860e2579b2f80c9b2010104bc933bd253129ed
Opcode Fuzzy Hash: 46245dd1cfb52122cde71c1e8d398b43eb38a5d4fe97db9fa08cffeeb4da8f6a
Instruction Fuzzy Hash: 99F2B061B2C68391EB20ABA1D4513BAA7B2FF85784FE44132DA4D077A5EF3DE505C720

Function 00007FF78E664AF0 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 232
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

%d bit pseudo relocation at %p out of range, targeting %p, yielding the value %p., xrefs: 00007FF78E664C7D
Unknown pseudo relocation protocol version %d., xrefs: 00007FF78E664E40
Unknown pseudo relocation bit size %d., xrefs: 00007FF78E664E34

Memory Dump Source

Source File: 00000000.00000002.1631787161.00007FF78E661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78E660000, based on PE: true

Associated: 00000000.00000002.1631774661.00007FF78E660000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1631801265.00007FF78E667000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1631812990.00007FF78E668000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1631828763.00007FF78E691000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1631843883.00007FF78E694000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78e660000_R.jbxd

Similarity

API ID:
String ID: Unknown pseudo relocation bit size %d.$ Unknown pseudo relocation protocol version %d.$%d bit pseudo relocation at %p out of range, targeting %p, yielding the value %p.
API String ID: 0-1286557213
Opcode ID: cfa1ab49608f499993313d1ca1703ed2bfd60a263591ea11e2b178e878078614
Instruction ID: 601d2d8f55c097c21fed960a6808dc69211379c3e7e24f1767730cb6ac24a16d
Opcode Fuzzy Hash: cfa1ab49608f499993313d1ca1703ed2bfd60a263591ea11e2b178e878078614
Instruction Fuzzy Hash: 6691A326F6955286EB107B94D440279E7B2BF55764FB48231CE2D17BE8DF3CE801C660

Function 00007FF78E691500 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1631828763.00007FF78E691000.00000004.00000001.01000000.00000003.sdmp, Offset: 00007FF78E660000, based on PE: true

Associated: 00000000.00000002.1631774661.00007FF78E660000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1631787161.00007FF78E661000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1631801265.00007FF78E667000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1631812990.00007FF78E668000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1631843883.00007FF78E694000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78e660000_R.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15237477549028585dc5db6f9f78ab19850947b79f22dc0f2a99830ce0cb3106
Instruction ID: 3d851df243c4274b09cc733749bece96f844915d538baa2361aaf1aa32950d7f
Opcode Fuzzy Hash: 15237477549028585dc5db6f9f78ab19850947b79f22dc0f2a99830ce0cb3106
Instruction Fuzzy Hash: 18E0C0C7F5EBD14AF36365A40C690286FA26AB29117AF40ABCA8982393E91C1C05C361

Function 00007FF78E665BE1 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1631787161.00007FF78E661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78E660000, based on PE: true

Associated: 00000000.00000002.1631774661.00007FF78E660000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1631801265.00007FF78E667000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1631812990.00007FF78E668000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1631828763.00007FF78E691000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1631843883.00007FF78E694000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78e660000_R.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27cd29d41daa30ee76ae90526a2c61eff9a6165e3ac920f448551f49f6cf1959
Instruction ID: 9f56091ef3bf28483c94178eff3dc0484a99e41caccd02a3aba1c478b1bdecef
Opcode Fuzzy Hash: 27cd29d41daa30ee76ae90526a2c61eff9a6165e3ac920f448551f49f6cf1959
Instruction Fuzzy Hash: 61A00252D5DC1191D2002B80E901174B269F706385B663170C55D91112DB3C90418114

Function 00007FF78E661960 Relevance: 47.4, APIs: 22, Strings: 5, Instructions: 136
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0 ref: 00007FF78E66196F
strlen.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF78E661983
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF78E66198F
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00007FF78E6619A9
strlen.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF78E6619B1
getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0 ref: 00007FF78E661A0F
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF78E661A59
wcstombs.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 00007FF78E661A75
CoTaskMemFree.OLE32 ref: 00007FF78E661A7F

Strings

HOME, xrefs: 00007FF78E661A08
R_USER, xrefs: 00007FF78E661968
HOMEPATH, xrefs: 00007FF78E661AA9
HOMEDRIVE, xrefs: 00007FF78E661A95
Cannot determine R user directory, xrefs: 00007FF78E661B0F

Memory Dump Source

Source File: 00000000.00000002.1631787161.00007FF78E661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78E660000, based on PE: true

Associated: 00000000.00000002.1631774661.00007FF78E660000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1631801265.00007FF78E667000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1631812990.00007FF78E668000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1631828763.00007FF78E691000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1631843883.00007FF78E694000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78e660000_R.jbxd

Similarity

API ID: getenvmallocstrlen$FreeTaskmemcpywcstombs
String ID: Cannot determine R user directory$HOME$HOMEDRIVE$HOMEPATH$R_USER
API String ID: 2739796868-1163827264
Opcode ID: 965aa38b02c312cc29fbe3f859030c2b2edaee2032e54cd03225702d2ada1350
Instruction ID: 284964f3320e135bac32eef60478733f64e550acb632e3cb36db0da534bc555f
Opcode Fuzzy Hash: 965aa38b02c312cc29fbe3f859030c2b2edaee2032e54cd03225702d2ada1350
Instruction Fuzzy Hash: CE511711B2964741EA24BBE294261B9D2A37F85BC4FE84635D90E463F6EF3CE505C320

Function 00007FF78E661BC0 Relevance: 45.6, APIs: 4, Strings: 22, Instructions: 66
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF78E661BCD

Part of subcall function 00007FF78E665770: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,?,?,?,?,00007FF78E6614A0,?,?,?,00007FF78E6612EE), ref: 00007FF78E665798

exit.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,00000000,00007FF78E661955), ref: 00007FF78E661BEA
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF78E661C08
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF78E661CCB

Strings

Rd2txt Convert Rd format to pretty text, xrefs: 00007FF78E661C49
config Obtain configuration information about R open Open a file via Windows file associations texify Process a latex file, xrefs: 00007FF78E661C1B
Rdiff difference R output files, xrefs: 00007FF78E661C61
for usage information for each command., xrefs: 00007FF78E661CE1
Rd2pdf Convert Rd format to PDF, xrefs: 00007FF78E661C55
%s%s%s%s, xrefs: 00007FF78E661CD7
Sweave Process vignette documentation, xrefs: 00007FF78E661C31
command --help, xrefs: 00007FF78E661CED
FATAL ERROR:%s, xrefs: 00007FF78E661BD6
Stangle Extract S/R code from vignette, xrefs: 00007FF78E661C3D
SHLIB Make a DLL for use with dynload, xrefs: 00007FF78E661CA9
where 'command' is one of:, xrefs: 00007FF78E661C11
INSTALL Install add-on packages, xrefs: 00007FF78E661C0A
REMOVE Remove add-on packages, xrefs: 00007FF78E661CB5
Rdconv Convert Rd format to various other formats, xrefs: 00007FF78E661C6D
check Check add-on packages, xrefs: 00007FF78E661C85
%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s, xrefs: 00007FF78E661C22
build Build add-on packages, xrefs: 00007FF78E661C91
Use , xrefs: 00007FF78E661CD0
BATCH Run R in batch mode, xrefs: 00007FF78E661C9D
Rprof Post process R profiling files, xrefs: 00007FF78E661C79
Allocation error, xrefs: 00007FF78E661BF1

Memory Dump Source

Source File: 00000000.00000002.1631787161.00007FF78E661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78E660000, based on PE: true

Associated: 00000000.00000002.1631774661.00007FF78E660000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1631801265.00007FF78E667000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1631812990.00007FF78E668000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1631828763.00007FF78E691000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1631843883.00007FF78E694000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78e660000_R.jbxd

Similarity

API ID: __acrt_iob_func$__stdio_common_vfprintfexit
String ID: %s%s%s%s$ BATCH Run R in batch mode$ INSTALL Install add-on packages$ REMOVE Remove add-on packages$ Rd2pdf Convert Rd format to PDF$ Rd2txt Convert Rd format to pretty text$ Rdconv Convert Rd format to various other formats$ Rdiff difference R output files$ Rprof Post process R profiling files$ SHLIB Make a DLL for use with dynload$ Stangle Extract S/R code from vignette$ Sweave Process vignette documentation$ build Build add-on packages$ check Check add-on packages$ config Obtain configuration information about R open Open a file via Windows file associations texify Process a latex file$ command --help$%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s$Allocation error$FATAL ERROR:%s$Use $for usage information for each command.$where 'command' is one of:
API String ID: 77255540-4120045317
Opcode ID: 9d5ac44ee0ce17c411ffe043a7a945915cfd06320ab0c9837d5042e0773d849a
Instruction ID: 11629feddf348b5e47fe22f0826b49ce17139e0c222b4564b9fed4b32e12b488
Opcode Fuzzy Hash: 9d5ac44ee0ce17c411ffe043a7a945915cfd06320ab0c9837d5042e0773d849a
Instruction Fuzzy Hash: 3931A835B29F4295EA11ABA0F8412A6B7BAFB44354FA00236D98C03775FF3CE558C760

Function 00007FF78E663EA4 Relevance: 29.8, APIs: 8, Strings: 9, Instructions: 82
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,0000006E,?,?,00000000,?,00000000,00007FF78E66252D), ref: 00007FF78E663EC9
fgets.API-MS-WIN-CRT-STDIO-L1-1-0(?,0000006E,?,?,00000000,?,00000000,00007FF78E66252D), ref: 00007FF78E663EEB
feof.API-MS-WIN-CRT-STDIO-L1-1-0(?,0000006E,?,?,00000000,?,00000000,00007FF78E66252D), ref: 00007FF78E663F03
strchr.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00007FF78E663F14
strlen.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF78E664408

Strings

[... tru, xrefs: 00007FF78E66440D
They, xrefs: 00007FF78E6644E0
were ig, xrefs: 00007FF78E6644ED
(too lo, xrefs: 00007FF78E6644B4
, xrefs: 00007FF78E6643E6
%s, xrefs: 00007FF78E664474
ncated], xrefs: 00007FF78E664417
gnored, xrefs: 00007FF78E6644FA
ng), xrefs: 00007FF78E6644C4

Memory Dump Source

Source File: 00000000.00000002.1631787161.00007FF78E661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78E660000, based on PE: true

Associated: 00000000.00000002.1631774661.00007FF78E660000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1631801265.00007FF78E667000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1631812990.00007FF78E668000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1631828763.00007FF78E691000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1631843883.00007FF78E694000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78e660000_R.jbxd

Similarity

API ID: strlen$feoffgetsstrchr
String ID: $ They$ (too lo$ were ig$%s$[... tru$gnored$ncated]$ng)
API String ID: 3422207619-477468304
Opcode ID: 3606084a430fa74925453b2e39ea1100009912a46597f4855f5cffe40c070a64
Instruction ID: 508f3e8b6c62db7df542f6054f64242115a752aa3536eae3accc48796eb69521
Opcode Fuzzy Hash: 3606084a430fa74925453b2e39ea1100009912a46597f4855f5cffe40c070a64
Instruction Fuzzy Hash: 8E318361B2C74280EB14BB91A5513B9A6A7FF51BC4FE48432C91E0B3A5DF3CA455C330

Function 00007FF78E661460 Relevance: 19.3, APIs: 3, Strings: 8, Instructions: 36
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,?,?,?,00007FF78E6612EE,?,?,?,00007FF78E661406), ref: 00007FF78E661479

Part of subcall function 00007FF78E665770: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,?,?,?,?,00007FF78E6614A0,?,?,?,00007FF78E6612EE), ref: 00007FF78E665798

__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,00007FF78E6612EE,?,?,?,00007FF78E661406), ref: 00007FF78E6614A5
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,00007FF78E6612EE,?,?,?,00007FF78E661406), ref: 00007FF78E6614D5

Strings

%s %s %s, xrefs: 00007FF78E661485
any other arguments listed by , xrefs: 00007FF78E6614B8
[command args], xrefs: 00007FF78E66148F
--arch n for n=i386, x64, 32 or 64, xrefs: 00007FF78E6614A7
where 'command args' can be, xrefs: 00007FF78E6614AE
Usage:, xrefs: 00007FF78E66147E
%s%s%s, xrefs: 00007FF78E6614BF
%s --arch %s --help, xrefs: 00007FF78E6614DD

Memory Dump Source

Source File: 00000000.00000002.1631787161.00007FF78E661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78E660000, based on PE: true

Associated: 00000000.00000002.1631774661.00007FF78E660000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1631801265.00007FF78E667000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1631812990.00007FF78E668000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1631828763.00007FF78E691000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1631843883.00007FF78E694000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78e660000_R.jbxd

Similarity

API ID: __acrt_iob_func$__stdio_common_vfprintf
String ID: --arch n for n=i386, x64, 32 or 64$ any other arguments listed by $%s %s %s$%s --arch %s --help$%s%s%s$Usage:$[command args]$where 'command args' can be
API String ID: 2815179470-3153187424
Opcode ID: 5e6b6bade9d4603493204c545df2240710c8ec71d30465c748cf47aa7cc81abb
Instruction ID: 6620dabdbc08db789c16388476d228e27c91f5db9e1ce9279888a0207bf58abb
Opcode Fuzzy Hash: 5e6b6bade9d4603493204c545df2240710c8ec71d30465c748cf47aa7cc81abb
Instruction Fuzzy Hash: E8011266B28A4690EA11BBE1F8015F5A776BF487C4FA00936D94C073B1EF3CA649C760

Function 00007FF78E6617B0 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 73
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0 ref: 00007FF78E6617C2
strlen.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF78E6617D2
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF78E6617DE
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00007FF78E6617F4
GetEnvironmentVariableA.KERNEL32 ref: 00007FF78E661817
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF78E661821
GetEnvironmentVariableA.KERNEL32 ref: 00007FF78E661837
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF78E661844

Strings

R_HOME, xrefs: 00007FF78E6617B8

Memory Dump Source

Source File: 00000000.00000002.1631787161.00007FF78E661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78E660000, based on PE: true

Associated: 00000000.00000002.1631774661.00007FF78E660000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1631801265.00007FF78E667000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1631812990.00007FF78E668000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1631828763.00007FF78E691000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1631843883.00007FF78E694000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78e660000_R.jbxd

Similarity

API ID: EnvironmentVariablemalloc$freegetenvmemcpystrlen
String ID: R_HOME
API String ID: 250769884-750808637
Opcode ID: 2b7f1ce91d3d8c7260c45e60c6339bfdc5c6891de52c9bbbfbb8f901bed166c4
Instruction ID: 2867e694c821494c4c5eaa65a9edede9249ae999a6405de2331a81f1cfc67151
Opcode Fuzzy Hash: 2b7f1ce91d3d8c7260c45e60c6339bfdc5c6891de52c9bbbfbb8f901bed166c4
Instruction Fuzzy Hash: 0A11A101B2921244ED11B6E72811279C6A66F89BE0FE80535EE1C4B7E6EF3CF442C320

Function 00007FF78E661500 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 67
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExA.ADVAPI32 ref: 00007FF78E661531
RegQueryValueExA.ADVAPI32 ref: 00007FF78E66157D
RegCloseKey.ADVAPI32 ref: 00007FF78E66158B
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF78E6615B4
RegQueryValueExA.ADVAPI32 ref: 00007FF78E6615DC
RegCloseKey.ADVAPI32 ref: 00007FF78E6615E5
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF78E6615F2

Strings

Software\R-core\R, xrefs: 00007FF78E661525
InstallPath, xrefs: 00007FF78E66154E

Memory Dump Source

Source File: 00000000.00000002.1631787161.00007FF78E661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78E660000, based on PE: true

Associated: 00000000.00000002.1631774661.00007FF78E660000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1631801265.00007FF78E667000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1631812990.00007FF78E668000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1631828763.00007FF78E691000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1631843883.00007FF78E694000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78e660000_R.jbxd

Similarity

API ID: CloseQueryValue$Openfreemalloc
String ID: InstallPath$Software\R-core\R
API String ID: 1831836589-1207309336
Opcode ID: 79ccf594febd729f6b05a07d9edd5af4924362cde2d01905bd02bd3a0adc9282
Instruction ID: 83b8972157d77b5834eee96fd5f0b3c8c866e41d5160a197e8ea9168a10303d7
Opcode Fuzzy Hash: 79ccf594febd729f6b05a07d9edd5af4924362cde2d01905bd02bd3a0adc9282
Instruction Fuzzy Hash: E121B57272965185E750AB91E85076AE7B1FB88BD8FD41031ED8E03764DF3CD045CB11

Function 00007FF78E664910 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 138
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,00000000,00000000,00007FF78E664AE1,?,?,?,?,?,?,00007FF78E6757A8,00000000,00000001), ref: 00007FF78E664960
VirtualQuery.KERNEL32 ref: 00007FF78E664A2B

Strings

VirtualProtect failed with code 0x%x, xrefs: 00007FF78E664A9E
VirtualQuery failed for %d bytes at address %p, xrefs: 00007FF78E664AC1
Address %p has no image-section, xrefs: 00007FF78E664982, 00007FF78E664AD5
Mingw-w64 runtime failure:, xrefs: 00007FF78E664947

Memory Dump Source

Source File: 00000000.00000002.1631787161.00007FF78E661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78E660000, based on PE: true

Associated: 00000000.00000002.1631774661.00007FF78E660000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1631801265.00007FF78E667000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1631812990.00007FF78E668000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1631828763.00007FF78E691000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1631843883.00007FF78E694000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78e660000_R.jbxd

Similarity

API ID: QueryVirtual__acrt_iob_func
String ID: VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$Address %p has no image-section$Mingw-w64 runtime failure:
API String ID: 4109086920-1534286854
Opcode ID: ef85da7716b72a3eef3f920e39715f0d3d62ad2bc96772dd5510ebd7d84267fc
Instruction ID: e7e7450bbf9fb514b411e561837bec66d0ac3d91b9de8fe77a35be8f766ba176
Opcode Fuzzy Hash: ef85da7716b72a3eef3f920e39715f0d3d62ad2bc96772dd5510ebd7d84267fc
Instruction Fuzzy Hash: DE51D132B18A4682EB50BB91E8406A9EBB2FF89B94FE44130DE4D077A5DF3CE545C750

Function 00007FF78E661600 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 74
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF78E6616FD,?,?,?,?,00007FF78E6612EE,?,?,?,00007FF78E661406), ref: 00007FF78E661630
GetModuleFileNameA.KERNEL32(?,?,?,00007FF78E6616FD,?,?,?,?,00007FF78E6612EE,?,?,?,00007FF78E661406), ref: 00007FF78E661645
strrchr.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,00007FF78E6616FD,?,?,?,?,00007FF78E6612EE,?,?,?,00007FF78E661406), ref: 00007FF78E661668

Strings

Terminating, xrefs: 00007FF78E6616A6
Installation problem, xrefs: 00007FF78E6616AD

Memory Dump Source

Source File: 00000000.00000002.1631787161.00007FF78E661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78E660000, based on PE: true

Associated: 00000000.00000002.1631774661.00007FF78E660000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1631801265.00007FF78E667000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1631812990.00007FF78E668000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1631828763.00007FF78E691000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1631843883.00007FF78E694000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78e660000_R.jbxd

Similarity

API ID: FileModuleNamemallocstrrchr
String ID: Installation problem$Terminating
API String ID: 3522390497-187078536
Opcode ID: 91227076f1a32b2a2b7e6d6a82942215d146034241fce4c2c102eb1e654e70b6
Instruction ID: cde0619f286c3eb37b33c9960423f89c7574c537ca460c257753696a1971b78d
Opcode Fuzzy Hash: 91227076f1a32b2a2b7e6d6a82942215d146034241fce4c2c102eb1e654e70b6
Instruction Fuzzy Hash: C7119D16F6A20741FE263BE6A821279D1A27F44BD0FEC0435CD0D873A2EE3CA840C360

Function 00007FF78E6616F0 Relevance: 7.6, APIs: 5, Instructions: 54
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF78E661600: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF78E6616FD,?,?,?,?,00007FF78E6612EE,?,?,?,00007FF78E661406), ref: 00007FF78E661630
Part of subcall function 00007FF78E661600: GetModuleFileNameA.KERNEL32(?,?,?,00007FF78E6616FD,?,?,?,?,00007FF78E6612EE,?,?,?,00007FF78E661406), ref: 00007FF78E661645
Part of subcall function 00007FF78E661600: strrchr.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,00007FF78E6616FD,?,?,?,?,00007FF78E6612EE,?,?,?,00007FF78E661406), ref: 00007FF78E661668

isspace.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,00007FF78E6612EE,?,?,?,00007FF78E661406), ref: 00007FF78E66172C
GetShortPathNameA.KERNEL32 ref: 00007FF78E661741

Memory Dump Source

Source File: 00000000.00000002.1631787161.00007FF78E661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78E660000, based on PE: true

Associated: 00000000.00000002.1631774661.00007FF78E660000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1631801265.00007FF78E667000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1631812990.00007FF78E668000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1631828763.00007FF78E691000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1631843883.00007FF78E694000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78e660000_R.jbxd

Similarity

API ID: Name$FileModulePathShortisspacemallocstrrchr
String ID:
API String ID: 3046994494-0
Opcode ID: d2541af3311b53901e3a4cd5581fa442d5d6b4c02213e01fa5a7aa125e004a75
Instruction ID: 52299ed3463172c42a95966ba7438ba27ff4aa35153249d66ccc491ce64ce385
Opcode Fuzzy Hash: d2541af3311b53901e3a4cd5581fa442d5d6b4c02213e01fa5a7aa125e004a75
Instruction Fuzzy Hash: FE016904B2925641FA15B7E72A602798DAB2F59BC5BBC0436CD0D4E7A2EF2CF402C330

Function 00007FF78E6618B0 Relevance: 7.6, APIs: 3, Strings: 2, Instructions: 54
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF78E6618C3
strlen.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF78E6618CE
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF78E6618DB

Strings

%s=%s, xrefs: 00007FF78E6618F6
Allocation error, xrefs: 00007FF78E661949

Memory Dump Source

Source File: 00000000.00000002.1631787161.00007FF78E661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78E660000, based on PE: true

Associated: 00000000.00000002.1631774661.00007FF78E660000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1631801265.00007FF78E667000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1631812990.00007FF78E668000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1631828763.00007FF78E691000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1631843883.00007FF78E694000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78e660000_R.jbxd

Similarity

API ID: strlen$malloc
String ID: %s=%s$Allocation error
API String ID: 3157260142-2506080796
Opcode ID: 821bc6db03c61d46e25f7c13dad5c89f375a4697b851dd8049f3edb6d544c683
Instruction ID: 2b0be7dae6592935ba0d768154c409db85ecf90a4e7eeb0b8dbffff013ee01e4
Opcode Fuzzy Hash: 821bc6db03c61d46e25f7c13dad5c89f375a4697b851dd8049f3edb6d544c683
Instruction Fuzzy Hash: 28118651B3C19241F61577D264211B9E6B27F02BD5EF84535ED4D072E2DF3DA550D320

Function 00007FF78E664E93 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 77
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

signal.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF78E664F52

Strings

CCG , xrefs: 00007FF78E664EB5

Memory Dump Source

Source File: 00000000.00000002.1631787161.00007FF78E661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78E660000, based on PE: true

Associated: 00000000.00000002.1631774661.00007FF78E660000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1631801265.00007FF78E667000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1631812990.00007FF78E668000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1631828763.00007FF78E691000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1631843883.00007FF78E694000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78e660000_R.jbxd

Similarity

API ID: signal
String ID: CCG
API String ID: 1946981877-1584390748
Opcode ID: 81a49df3ab1667ca20ddf6adae0bda8151d1afbde82aacbd11c684ddccbd279e
Instruction ID: 3997d4d70e6ba744fefe7aff4842d9b8ca63a5ea00c17b8e7e471a5d50c0b415
Opcode Fuzzy Hash: 81a49df3ab1667ca20ddf6adae0bda8151d1afbde82aacbd11c684ddccbd279e
Instruction Fuzzy Hash: C3218011F2D1064AFAA432E4606137891A3BFC6755FB45835C51D823F9CFBDB881C271

Function 00007FF78E664800 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 38COMMON

Download Yara Rule

APIs

__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF78E664858

Strings

_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF78E664867
Unknown error, xrefs: 00007FF78E6648EC

Memory Dump Source

Source File: 00000000.00000002.1631787161.00007FF78E661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78E660000, based on PE: true

Associated: 00000000.00000002.1631774661.00007FF78E660000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1631801265.00007FF78E667000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1631812990.00007FF78E668000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1631828763.00007FF78E691000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1631843883.00007FF78E694000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78e660000_R.jbxd

Similarity

API ID: __acrt_iob_func
String ID: Unknown error$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 711238415-3474627141
Opcode ID: b3e4272d8f730992db3fc0a96da2d7ebe13f2151ba264febf40a2a718a1d03ed
Instruction ID: 05b80628ddf436faf0378ac6b6f13f44e0d0e90b875796e373572701be0e9e09
Opcode Fuzzy Hash: b3e4272d8f730992db3fc0a96da2d7ebe13f2151ba264febf40a2a718a1d03ed
Instruction Fuzzy Hash: 5E018E62A18E84C2D6069F5CE8411EAB3B6FF9975AF645325EE8C2A230DF39D543C700

Function 00007FF78E6648E0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF78E664858

Part of subcall function 00007FF78E665770: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,?,?,?,?,00007FF78E6614A0,?,?,?,00007FF78E6612EE), ref: 00007FF78E665798

Strings

Total loss of significance (TLOSS), xrefs: 00007FF78E6648E0
_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF78E664867

Memory Dump Source

Source File: 00000000.00000002.1631787161.00007FF78E661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78E660000, based on PE: true

Associated: 00000000.00000002.1631774661.00007FF78E660000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1631801265.00007FF78E667000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1631812990.00007FF78E668000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1631828763.00007FF78E691000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1631843883.00007FF78E694000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78e660000_R.jbxd

Similarity

API ID: __acrt_iob_func__stdio_common_vfprintf
String ID: Total loss of significance (TLOSS)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 2168557111-4273532761
Opcode ID: 750dae999c2e40d9c50c35b8b4727a5bd4a09f47ce2cbb820a4e2782fe4533ee
Instruction ID: f5c5a04012281bfcb142679f873688975fdbc1dc2976127cf0cb04e6d84ddefe
Opcode Fuzzy Hash: 750dae999c2e40d9c50c35b8b4727a5bd4a09f47ce2cbb820a4e2782fe4533ee
Instruction Fuzzy Hash: 99F06212918E8482D202AF5DA4001EBB375FF5E799F685326EF8D2A535DF38D542C710

Function 00007FF78E6648D0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF78E664858

Part of subcall function 00007FF78E665770: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,?,?,?,?,00007FF78E6614A0,?,?,?,00007FF78E6612EE), ref: 00007FF78E665798

Strings

_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF78E664867
The result is too small to be represented (UNDERFLOW), xrefs: 00007FF78E6648D0

Memory Dump Source

Source File: 00000000.00000002.1631787161.00007FF78E661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78E660000, based on PE: true

Associated: 00000000.00000002.1631774661.00007FF78E660000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1631801265.00007FF78E667000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1631812990.00007FF78E668000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1631828763.00007FF78E691000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1631843883.00007FF78E694000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78e660000_R.jbxd

Similarity

API ID: __acrt_iob_func__stdio_common_vfprintf
String ID: The result is too small to be represented (UNDERFLOW)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 2168557111-2187435201
Opcode ID: 0fc6081a0d67de01ecb736c8aa6537878729f86dc2bd76f3c5a352c97d04d91b
Instruction ID: f2d94d006801e1d44eca54300835cbd2f1828740458103a5bf3200ac17ce504f
Opcode Fuzzy Hash: 0fc6081a0d67de01ecb736c8aa6537878729f86dc2bd76f3c5a352c97d04d91b
Instruction Fuzzy Hash: 85F06212918E8482D242AF5CA4001EBB371FF5D799F685326EF8D2A175DF38D542C710

Function 00007FF78E6648C0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF78E664858

Part of subcall function 00007FF78E665770: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,?,?,?,?,00007FF78E6614A0,?,?,?,00007FF78E6612EE), ref: 00007FF78E665798

Strings

Overflow range error (OVERFLOW), xrefs: 00007FF78E6648C0
_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF78E664867

Memory Dump Source

Source File: 00000000.00000002.1631787161.00007FF78E661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78E660000, based on PE: true

Associated: 00000000.00000002.1631774661.00007FF78E660000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1631801265.00007FF78E667000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1631812990.00007FF78E668000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1631828763.00007FF78E691000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1631843883.00007FF78E694000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78e660000_R.jbxd

Similarity

API ID: __acrt_iob_func__stdio_common_vfprintf
String ID: Overflow range error (OVERFLOW)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 2168557111-4064033741
Opcode ID: 87143e0ba1d7a1ba79c40d24ca248ebb933f592bc986b65bfe762e70ccac2235
Instruction ID: 4d68ac28f01a6554847ed3c0b43e29e52083d55d695db02494ab3b2727318298
Opcode Fuzzy Hash: 87143e0ba1d7a1ba79c40d24ca248ebb933f592bc986b65bfe762e70ccac2235
Instruction Fuzzy Hash: 43F06212918E8482D242AF5CA4001EBB371FF5D799F685326EF8D2A175DF38D542C710

Function 00007FF78E6648B0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF78E664858

Part of subcall function 00007FF78E665770: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,?,?,?,?,00007FF78E6614A0,?,?,?,00007FF78E6612EE), ref: 00007FF78E665798

Strings

Partial loss of significance (PLOSS), xrefs: 00007FF78E6648B0
_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF78E664867

Memory Dump Source

Source File: 00000000.00000002.1631787161.00007FF78E661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78E660000, based on PE: true

Associated: 00000000.00000002.1631774661.00007FF78E660000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1631801265.00007FF78E667000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1631812990.00007FF78E668000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1631828763.00007FF78E691000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1631843883.00007FF78E694000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78e660000_R.jbxd

Similarity

API ID: __acrt_iob_func__stdio_common_vfprintf
String ID: Partial loss of significance (PLOSS)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 2168557111-4283191376
Opcode ID: 2ef2c019f3e1b1d33502362393de387076caa0ea043dc020c98783b6dd1ffb19
Instruction ID: 208be4351f8be3d8c68938c072316d1cdb1a4aa8cc8932a3975282df909c57cb
Opcode Fuzzy Hash: 2ef2c019f3e1b1d33502362393de387076caa0ea043dc020c98783b6dd1ffb19
Instruction Fuzzy Hash: 96F06212918E8482D242AF5CA4001EBB371FF5D799F685326EF8D2A175DF38D542C710

Function 00007FF78E6648A0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF78E664858

Part of subcall function 00007FF78E665770: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,?,?,?,?,00007FF78E6614A0,?,?,?,00007FF78E6612EE), ref: 00007FF78E665798

Strings

Argument domain error (DOMAIN), xrefs: 00007FF78E6648A0
_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF78E664867

Memory Dump Source

Source File: 00000000.00000002.1631787161.00007FF78E661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78E660000, based on PE: true

Associated: 00000000.00000002.1631774661.00007FF78E660000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1631801265.00007FF78E667000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1631812990.00007FF78E668000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1631828763.00007FF78E691000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1631843883.00007FF78E694000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78e660000_R.jbxd

Similarity

API ID: __acrt_iob_func__stdio_common_vfprintf
String ID: Argument domain error (DOMAIN)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 2168557111-2713391170
Opcode ID: 90380be96c40173264bb39a5122ead8a19dc065170a6f1cb2dfbfbb2f4310937
Instruction ID: 9d6f89f811479f67b11bfb18a8dfa0a611787bd3f936cdbd1fe8173658a4d43e
Opcode Fuzzy Hash: 90380be96c40173264bb39a5122ead8a19dc065170a6f1cb2dfbfbb2f4310937
Instruction Fuzzy Hash: 94F06212918E8482D242AF5CA4001EBB371FF5D799F685726EF8D2A175DF38D542D710

Function 00007FF78E664838 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 24COMMON

Download Yara Rule

APIs

__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF78E664858

Part of subcall function 00007FF78E665770: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,?,?,?,?,00007FF78E6614A0,?,?,?,00007FF78E6612EE), ref: 00007FF78E665798

Strings

_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF78E664867
Argument singularity (SIGN), xrefs: 00007FF78E664838

Memory Dump Source

Source File: 00000000.00000002.1631787161.00007FF78E661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78E660000, based on PE: true

Associated: 00000000.00000002.1631774661.00007FF78E660000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1631801265.00007FF78E667000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1631812990.00007FF78E668000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1631828763.00007FF78E691000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1631843883.00007FF78E694000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78e660000_R.jbxd

Similarity

API ID: __acrt_iob_func__stdio_common_vfprintf
String ID: Argument singularity (SIGN)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 2168557111-2468659920
Opcode ID: b42d38e611c88dde33a716be440f43b7cd45b119c8f5925fc4a97fe48ebfa007
Instruction ID: 4fabc8509b15619a4f81a078c100009138a6a3a5c9ce37e38a4e870f67fb8eff
Opcode Fuzzy Hash: b42d38e611c88dde33a716be440f43b7cd45b119c8f5925fc4a97fe48ebfa007
Instruction Fuzzy Hash: ADF06D22918E8482D202AF58A4400ABB371FF9E799F685726EE8D2A135DF28D542C710

Function 00007FF78E664557 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 13COMMON

Download Yara Rule

APIs

__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF78E664577

Part of subcall function 00007FF78E665770: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,?,?,?,?,00007FF78E6614A0,?,?,?,00007FF78E6612EE), ref: 00007FF78E665798

Strings

Problem in setting variable '%s' in Renviron, xrefs: 00007FF78E664563
%s, xrefs: 00007FF78E664580

Memory Dump Source

Source File: 00000000.00000002.1631787161.00007FF78E661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78E660000, based on PE: true

Associated: 00000000.00000002.1631774661.00007FF78E660000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1631801265.00007FF78E667000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1631812990.00007FF78E668000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1631828763.00007FF78E691000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1631843883.00007FF78E694000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78e660000_R.jbxd

Similarity

API ID: __acrt_iob_func__stdio_common_vfprintf
String ID: %s$Problem in setting variable '%s' in Renviron
API String ID: 2168557111-4078073676
Opcode ID: 5160d2240ccbd6a06f3eb28efa3a81bc74ba8ed1461d50ab607c6a229dd56acd
Instruction ID: 91f860b5c2d75652daed540014223f557f66167862bfb3a06d2d2b4633136a54
Opcode Fuzzy Hash: 5160d2240ccbd6a06f3eb28efa3a81bc74ba8ed1461d50ab607c6a229dd56acd
Instruction Fuzzy Hash: BBD0E264B6960282E600BBE1E8156F8A736BF44780FE40036DD0E273A6DF3CA505C260

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report R.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Mitre Att&ck Matrix

Behavior Graph

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Statistics

CPU Usage

Memory Usage

Behavior

System Behavior

Analysis Process: R.exePID: 6632, Parent PID: 2580

General

Chronological Activities

Analysis Process: conhost.exePID: 6612, Parent PID: 6632

General

Chronological Activities

Analysis Process: cmd.exePID: 4412, Parent PID: 6632

General

Chronological Activities

Disassembly

Analysis Process: R.exePID: 6632, Parent PID: 2580COMMON

Execution Graph

Graph

Windows Analysis Report
R.exe

Function 00007FF78E661180 Relevance: 13.6, APIs: 9, Instructions: 146
sleepstringCOMMON

Function 00007FF78E665CB0 Relevance: 80.7, APIs: 32, Strings: 14, Instructions: 204
stringfileprocessCOMMON

Function 00007FF78E664AF0 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 232
COMMON

Function 00007FF78E661960 Relevance: 47.4, APIs: 22, Strings: 5, Instructions: 136
stringCOMMON

Function 00007FF78E661BC0 Relevance: 45.6, APIs: 4, Strings: 22, Instructions: 66
COMMON

Function 00007FF78E663EA4 Relevance: 29.8, APIs: 8, Strings: 9, Instructions: 82
stringCOMMON

Function 00007FF78E661460 Relevance: 19.3, APIs: 3, Strings: 8, Instructions: 36
COMMON

Function 00007FF78E6617B0 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 73
stringCOMMON

Function 00007FF78E661500 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 67
registryCOMMON

Function 00007FF78E664910 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 138
COMMON

Function 00007FF78E661600 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 74
stringCOMMON

Function 00007FF78E6616F0 Relevance: 7.6, APIs: 5, Instructions: 54
COMMON

Function 00007FF78E6618B0 Relevance: 7.6, APIs: 3, Strings: 2, Instructions: 54
stringCOMMON

Function 00007FF78E664E93 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 77
COMMON